xref: /openbmc/linux/net/wireless/nl80211.c (revision e95770af) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2020 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
68 {
69 	struct cfg80211_registered_device *rdev;
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	ASSERT_RTNL();
78 
79 	if (!have_ifidx && !have_wdev_id)
80 		return ERR_PTR(-EINVAL);
81 
82 	if (have_ifidx)
83 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
84 	if (have_wdev_id) {
85 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
86 		wiphy_idx = wdev_id >> 32;
87 	}
88 
89 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
90 		struct wireless_dev *wdev;
91 
92 		if (wiphy_net(&rdev->wiphy) != netns)
93 			continue;
94 
95 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
96 			continue;
97 
98 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
99 			if (have_ifidx && wdev->netdev &&
100 			    wdev->netdev->ifindex == ifidx) {
101 				result = wdev;
102 				break;
103 			}
104 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
105 				result = wdev;
106 				break;
107 			}
108 		}
109 
110 		if (result)
111 			break;
112 	}
113 
114 	if (result)
115 		return result;
116 	return ERR_PTR(-ENODEV);
117 }
118 
119 static struct cfg80211_registered_device *
120 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
121 {
122 	struct cfg80211_registered_device *rdev = NULL, *tmp;
123 	struct net_device *netdev;
124 
125 	ASSERT_RTNL();
126 
127 	if (!attrs[NL80211_ATTR_WIPHY] &&
128 	    !attrs[NL80211_ATTR_IFINDEX] &&
129 	    !attrs[NL80211_ATTR_WDEV])
130 		return ERR_PTR(-EINVAL);
131 
132 	if (attrs[NL80211_ATTR_WIPHY])
133 		rdev = cfg80211_rdev_by_wiphy_idx(
134 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
135 
136 	if (attrs[NL80211_ATTR_WDEV]) {
137 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
138 		struct wireless_dev *wdev;
139 		bool found = false;
140 
141 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
142 		if (tmp) {
143 			/* make sure wdev exists */
144 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
145 				if (wdev->identifier != (u32)wdev_id)
146 					continue;
147 				found = true;
148 				break;
149 			}
150 
151 			if (!found)
152 				tmp = NULL;
153 
154 			if (rdev && tmp != rdev)
155 				return ERR_PTR(-EINVAL);
156 			rdev = tmp;
157 		}
158 	}
159 
160 	if (attrs[NL80211_ATTR_IFINDEX]) {
161 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
162 
163 		netdev = __dev_get_by_index(netns, ifindex);
164 		if (netdev) {
165 			if (netdev->ieee80211_ptr)
166 				tmp = wiphy_to_rdev(
167 					netdev->ieee80211_ptr->wiphy);
168 			else
169 				tmp = NULL;
170 
171 			/* not wireless device -- return error */
172 			if (!tmp)
173 				return ERR_PTR(-EINVAL);
174 
175 			/* mismatch -- return error */
176 			if (rdev && tmp != rdev)
177 				return ERR_PTR(-EINVAL);
178 
179 			rdev = tmp;
180 		}
181 	}
182 
183 	if (!rdev)
184 		return ERR_PTR(-ENODEV);
185 
186 	if (netns != wiphy_net(&rdev->wiphy))
187 		return ERR_PTR(-ENODEV);
188 
189 	return rdev;
190 }
191 
192 /*
193  * This function returns a pointer to the driver
194  * that the genl_info item that is passed refers to.
195  *
196  * The result of this can be a PTR_ERR and hence must
197  * be checked with IS_ERR() for errors.
198  */
199 static struct cfg80211_registered_device *
200 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
201 {
202 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
203 }
204 
205 static int validate_beacon_head(const struct nlattr *attr,
206 				struct netlink_ext_ack *extack)
207 {
208 	const u8 *data = nla_data(attr);
209 	unsigned int len = nla_len(attr);
210 	const struct element *elem;
211 	const struct ieee80211_mgmt *mgmt = (void *)data;
212 	unsigned int fixedlen = offsetof(struct ieee80211_mgmt,
213 					 u.beacon.variable);
214 
215 	if (len < fixedlen)
216 		goto err;
217 
218 	if (ieee80211_hdrlen(mgmt->frame_control) !=
219 	    offsetof(struct ieee80211_mgmt, u.beacon))
220 		goto err;
221 
222 	data += fixedlen;
223 	len -= fixedlen;
224 
225 	for_each_element(elem, data, len) {
226 		/* nothing */
227 	}
228 
229 	if (for_each_element_completed(elem, data, len))
230 		return 0;
231 
232 err:
233 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
234 	return -EINVAL;
235 }
236 
237 static int validate_ie_attr(const struct nlattr *attr,
238 			    struct netlink_ext_ack *extack)
239 {
240 	const u8 *data = nla_data(attr);
241 	unsigned int len = nla_len(attr);
242 	const struct element *elem;
243 
244 	for_each_element(elem, data, len) {
245 		/* nothing */
246 	}
247 
248 	if (for_each_element_completed(elem, data, len))
249 		return 0;
250 
251 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
252 	return -EINVAL;
253 }
254 
255 /* policy for the attributes */
256 static const struct nla_policy
257 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
258 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
259 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
260 					.len = U8_MAX },
261 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
262 					     .len = U8_MAX },
263 };
264 
265 static const struct nla_policy
266 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
267 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
268 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
269 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
270 		NLA_POLICY_MAX(NLA_U8, 15),
271 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
272 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
273 		NLA_POLICY_MAX(NLA_U8, 15),
274 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
275 		NLA_POLICY_MAX(NLA_U8, 31),
276 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
277 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
278 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
279 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
280 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
281 };
282 
283 static const struct nla_policy
284 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
285 	[NL80211_PMSR_TYPE_FTM] =
286 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
287 };
288 
289 static const struct nla_policy
290 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
291 	[NL80211_PMSR_REQ_ATTR_DATA] =
292 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
293 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
294 };
295 
296 static const struct nla_policy
297 nl80211_psmr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
298 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
299 	/*
300 	 * we could specify this again to be the top-level policy,
301 	 * but that would open us up to recursion problems ...
302 	 */
303 	[NL80211_PMSR_PEER_ATTR_CHAN] = { .type = NLA_NESTED },
304 	[NL80211_PMSR_PEER_ATTR_REQ] =
305 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
306 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
307 };
308 
309 static const struct nla_policy
310 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
311 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
312 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
313 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
314 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
315 	[NL80211_PMSR_ATTR_PEERS] =
316 		NLA_POLICY_NESTED_ARRAY(nl80211_psmr_peer_attr_policy),
317 };
318 
319 static const struct nla_policy
320 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
321 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
322 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
323 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
324 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
325 };
326 
327 static const struct nla_policy
328 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
329 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
330 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
331 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
332 };
333 
334 static const struct nla_policy
335 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
336 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
337 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
338 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
339 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
340 	[NL80211_TID_CONFIG_ATTR_NOACK] =
341 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
342 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
343 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
344 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
345 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
346 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
347 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
348 };
349 
350 const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
351 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
352 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
353 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
354 				      .len = 20-1 },
355 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
356 
357 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
358 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
359 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
360 						NL80211_EDMG_CHANNELS_MIN,
361 						NL80211_EDMG_CHANNELS_MAX),
362 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
363 						NL80211_EDMG_BW_CONFIG_MIN,
364 						NL80211_EDMG_BW_CONFIG_MAX),
365 
366 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
367 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
368 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
369 
370 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
371 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
372 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
373 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
374 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
375 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
376 
377 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
378 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
379 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
380 
381 	[NL80211_ATTR_MAC] = { .type = NLA_EXACT_LEN_WARN, .len = ETH_ALEN },
382 	[NL80211_ATTR_PREV_BSSID] = {
383 		.type = NLA_EXACT_LEN_WARN,
384 		.len = ETH_ALEN
385 	},
386 
387 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
388 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
389 				    .len = WLAN_MAX_KEY_LEN },
390 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
391 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
392 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
393 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
394 	[NL80211_ATTR_KEY_TYPE] =
395 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
396 
397 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
398 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
399 	[NL80211_ATTR_BEACON_HEAD] =
400 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
401 				       IEEE80211_MAX_DATA_LEN),
402 	[NL80211_ATTR_BEACON_TAIL] =
403 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
404 				       IEEE80211_MAX_DATA_LEN),
405 	[NL80211_ATTR_STA_AID] =
406 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
407 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
408 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
409 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
410 					       .len = NL80211_MAX_SUPP_RATES },
411 	[NL80211_ATTR_STA_PLINK_ACTION] =
412 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
413 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
414 		NLA_POLICY_RANGE(NLA_U8,
415 				 NL80211_TX_POWER_AUTOMATIC,
416 				 NL80211_TX_POWER_FIXED),
417 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
418 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
419 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
420 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
421 				   .len = IEEE80211_MAX_MESH_ID_LEN },
422 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
423 
424 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
425 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
426 
427 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
428 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
429 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
430 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
431 					   .len = NL80211_MAX_SUPP_RATES },
432 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
433 
434 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
435 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
436 
437 	[NL80211_ATTR_HT_CAPABILITY] = {
438 		.type = NLA_EXACT_LEN_WARN,
439 		.len = NL80211_HT_CAPABILITY_LEN
440 	},
441 
442 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
443 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
444 						   validate_ie_attr,
445 						   IEEE80211_MAX_DATA_LEN),
446 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
447 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
448 
449 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
450 				.len = IEEE80211_MAX_SSID_LEN },
451 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
452 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
453 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
454 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
455 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
456 						  NL80211_MFP_NO,
457 						  NL80211_MFP_OPTIONAL),
458 	[NL80211_ATTR_STA_FLAGS2] = {
459 		.len = sizeof(struct nl80211_sta_flag_update),
460 	},
461 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
462 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
463 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
464 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
465 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
466 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
467 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
468 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
469 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
470 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
471 	[NL80211_ATTR_PMKID] = {
472 		.type = NLA_EXACT_LEN_WARN,
473 		.len = WLAN_PMKID_LEN
474 	},
475 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
476 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
477 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
478 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
479 				 .len = IEEE80211_MAX_DATA_LEN },
480 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
481 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
482 						   NL80211_PS_DISABLED,
483 						   NL80211_PS_ENABLED),
484 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
485 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
486 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
487 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
488 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
489 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
490 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
491 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
492 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
493 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
494 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
495 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
496 	[NL80211_ATTR_STA_PLINK_STATE] =
497 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
498 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
499 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
500 	[NL80211_ATTR_MESH_PEER_AID] =
501 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
502 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
503 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
504 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
505 	[NL80211_ATTR_HIDDEN_SSID] =
506 		NLA_POLICY_RANGE(NLA_U32,
507 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
508 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
509 	[NL80211_ATTR_IE_PROBE_RESP] =
510 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
511 				       IEEE80211_MAX_DATA_LEN),
512 	[NL80211_ATTR_IE_ASSOC_RESP] =
513 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
514 				       IEEE80211_MAX_DATA_LEN),
515 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
516 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
517 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
518 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
519 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
520 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
521 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
522 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
523 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
524 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
525 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
526 				      .len = IEEE80211_MAX_DATA_LEN },
527 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
528 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
529 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
530 		.len = NL80211_HT_CAPABILITY_LEN
531 	},
532 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
533 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
534 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
535 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
536 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
537 	[NL80211_ATTR_AUTH_DATA] = { .type = NLA_BINARY, },
538 	[NL80211_ATTR_VHT_CAPABILITY] = {
539 		.type = NLA_EXACT_LEN_WARN,
540 		.len = NL80211_VHT_CAPABILITY_LEN
541 	},
542 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
543 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
544 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
545 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
546 		NLA_POLICY_RANGE(NLA_U32,
547 				 NL80211_MESH_POWER_UNKNOWN + 1,
548 				 NL80211_MESH_POWER_MAX),
549 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
550 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
551 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
552 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
553 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
554 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
555 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
556 		.len = NL80211_VHT_CAPABILITY_LEN,
557 	},
558 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
559 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
560 				  .len = IEEE80211_MAX_DATA_LEN },
561 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
562 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] = { .type = NLA_U16 },
563 	[NL80211_ATTR_PEER_AID] =
564 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
565 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
566 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
567 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
568 	[NL80211_ATTR_CSA_C_OFF_BEACON] = { .type = NLA_BINARY },
569 	[NL80211_ATTR_CSA_C_OFF_PRESP] = { .type = NLA_BINARY },
570 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = { .type = NLA_BINARY },
571 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] = { .type = NLA_BINARY },
572 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
573 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
574 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
575 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
576 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
577 	[NL80211_ATTR_QOS_MAP] = { .type = NLA_BINARY,
578 				   .len = IEEE80211_QOS_MAP_LEN_MAX },
579 	[NL80211_ATTR_MAC_HINT] = {
580 		.type = NLA_EXACT_LEN_WARN,
581 		.len = ETH_ALEN
582 	},
583 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
584 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
585 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
586 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
587 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
588 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
589 	[NL80211_ATTR_USER_PRIO] =
590 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
591 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
592 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
593 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
594 	[NL80211_ATTR_MAC_MASK] = {
595 		.type = NLA_EXACT_LEN_WARN,
596 		.len = ETH_ALEN
597 	},
598 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
599 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
600 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
601 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
602 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
603 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
604 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
605 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
606 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
607 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
608 	},
609 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = {
610 		.type = NLA_EXACT_LEN_WARN,
611 		.len = ETH_ALEN
612 	},
613 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
614 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
615 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
616 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
617 				    .len = FILS_MAX_KEK_LEN },
618 	[NL80211_ATTR_FILS_NONCES] = {
619 		.type = NLA_EXACT_LEN_WARN,
620 		.len = 2 * FILS_NONCE_LEN
621 	},
622 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
623 	[NL80211_ATTR_BSSID] = { .type = NLA_EXACT_LEN_WARN, .len = ETH_ALEN },
624 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
625 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
626 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
627 	},
628 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
629 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
630 					     .len = FILS_ERP_MAX_USERNAME_LEN },
631 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
632 					  .len = FILS_ERP_MAX_REALM_LEN },
633 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
634 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
635 					.len = FILS_ERP_MAX_RRK_LEN },
636 	[NL80211_ATTR_FILS_CACHE_ID] = { .type = NLA_EXACT_LEN_WARN, .len = 2 },
637 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
638 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
639 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
640 
641 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
642 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
643 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
644 	[NL80211_ATTR_HE_CAPABILITY] = { .type = NLA_BINARY,
645 					 .len = NL80211_HE_MAX_CAPABILITY_LEN },
646 
647 	[NL80211_ATTR_FTM_RESPONDER] =
648 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
649 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
650 	[NL80211_ATTR_PEER_MEASUREMENTS] =
651 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
652 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
653 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
654 					.len = SAE_PASSWORD_MAX_LEN },
655 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
656 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
657 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
658 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
659 	[NL80211_ATTR_TID_CONFIG] =
660 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
661 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
662 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
663 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
664 };
665 
666 /* policy for the key attributes */
667 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
668 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
669 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
670 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
671 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
672 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
673 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
674 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
675 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
676 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
677 };
678 
679 /* policy for the key default flags */
680 static const struct nla_policy
681 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
682 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
683 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
684 };
685 
686 #ifdef CONFIG_PM
687 /* policy for WoWLAN attributes */
688 static const struct nla_policy
689 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
690 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
691 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
692 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
693 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
694 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
695 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
696 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
697 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
698 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
699 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
700 };
701 
702 static const struct nla_policy
703 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
704 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
705 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
706 	[NL80211_WOWLAN_TCP_DST_MAC] = {
707 		.type = NLA_EXACT_LEN_WARN,
708 		.len = ETH_ALEN
709 	},
710 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
711 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
712 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = { .type = NLA_MIN_LEN, .len = 1 },
713 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
714 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
715 	},
716 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
717 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
718 	},
719 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
720 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = { .type = NLA_MIN_LEN, .len = 1 },
721 	[NL80211_WOWLAN_TCP_WAKE_MASK] = { .type = NLA_MIN_LEN, .len = 1 },
722 };
723 #endif /* CONFIG_PM */
724 
725 /* policy for coalesce rule attributes */
726 static const struct nla_policy
727 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
728 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
729 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
730 		NLA_POLICY_RANGE(NLA_U32,
731 				 NL80211_COALESCE_CONDITION_MATCH,
732 				 NL80211_COALESCE_CONDITION_NO_MATCH),
733 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
734 };
735 
736 /* policy for GTK rekey offload attributes */
737 static const struct nla_policy
738 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
739 	[NL80211_REKEY_DATA_KEK] = {
740 		.type = NLA_EXACT_LEN_WARN,
741 		.len = NL80211_KEK_LEN,
742 	},
743 	[NL80211_REKEY_DATA_KCK] = {
744 		.type = NLA_EXACT_LEN_WARN,
745 		.len = NL80211_KCK_LEN,
746 	},
747 	[NL80211_REKEY_DATA_REPLAY_CTR] = {
748 		.type = NLA_EXACT_LEN_WARN,
749 		.len = NL80211_REPLAY_CTR_LEN
750 	},
751 };
752 
753 static const struct nla_policy
754 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
755 	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
756 	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
757 	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
758 	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
759 };
760 
761 static const struct nla_policy
762 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
763 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
764 						 .len = IEEE80211_MAX_SSID_LEN },
765 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = {
766 		.type = NLA_EXACT_LEN_WARN,
767 		.len = ETH_ALEN
768 	},
769 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
770 	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
771 		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
772 };
773 
774 static const struct nla_policy
775 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
776 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
777 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
778 };
779 
780 static const struct nla_policy
781 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
782 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
783 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
784 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
785 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
786 	},
787 };
788 
789 /* policy for NAN function attributes */
790 static const struct nla_policy
791 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
792 	[NL80211_NAN_FUNC_TYPE] = { .type = NLA_U8 },
793 	[NL80211_NAN_FUNC_SERVICE_ID] = {
794 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
795 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
796 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
797 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
798 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
799 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
800 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = {
801 		.type = NLA_EXACT_LEN_WARN,
802 		.len = ETH_ALEN
803 	},
804 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
805 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
806 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
807 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
808 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
809 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
810 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
811 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
812 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
813 };
814 
815 /* policy for Service Response Filter attributes */
816 static const struct nla_policy
817 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
818 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
819 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
820 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
821 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
822 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
823 };
824 
825 /* policy for packet pattern attributes */
826 static const struct nla_policy
827 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
828 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
829 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
830 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
831 };
832 
833 int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
834 			      struct cfg80211_registered_device **rdev,
835 			      struct wireless_dev **wdev)
836 {
837 	int err;
838 
839 	if (!cb->args[0]) {
840 		struct nlattr **attrbuf;
841 
842 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
843 				  GFP_KERNEL);
844 		if (!attrbuf)
845 			return -ENOMEM;
846 
847 		err = nlmsg_parse_deprecated(cb->nlh,
848 					     GENL_HDRLEN + nl80211_fam.hdrsize,
849 					     attrbuf, nl80211_fam.maxattr,
850 					     nl80211_policy, NULL);
851 		if (err) {
852 			kfree(attrbuf);
853 			return err;
854 		}
855 
856 		*wdev = __cfg80211_wdev_from_attrs(sock_net(cb->skb->sk),
857 						   attrbuf);
858 		kfree(attrbuf);
859 		if (IS_ERR(*wdev))
860 			return PTR_ERR(*wdev);
861 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
862 		/* 0 is the first index - add 1 to parse only once */
863 		cb->args[0] = (*rdev)->wiphy_idx + 1;
864 		cb->args[1] = (*wdev)->identifier;
865 	} else {
866 		/* subtract the 1 again here */
867 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
868 		struct wireless_dev *tmp;
869 
870 		if (!wiphy)
871 			return -ENODEV;
872 		*rdev = wiphy_to_rdev(wiphy);
873 		*wdev = NULL;
874 
875 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
876 			if (tmp->identifier == cb->args[1]) {
877 				*wdev = tmp;
878 				break;
879 			}
880 		}
881 
882 		if (!*wdev)
883 			return -ENODEV;
884 	}
885 
886 	return 0;
887 }
888 
889 /* message building helper */
890 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
891 		     int flags, u8 cmd)
892 {
893 	/* since there is no private header just add the generic one */
894 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
895 }
896 
897 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
898 				     const struct ieee80211_reg_rule *rule)
899 {
900 	int j;
901 	struct nlattr *nl_wmm_rules =
902 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
903 
904 	if (!nl_wmm_rules)
905 		goto nla_put_failure;
906 
907 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
908 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
909 
910 		if (!nl_wmm_rule)
911 			goto nla_put_failure;
912 
913 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
914 				rule->wmm_rule.client[j].cw_min) ||
915 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
916 				rule->wmm_rule.client[j].cw_max) ||
917 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
918 			       rule->wmm_rule.client[j].aifsn) ||
919 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
920 			        rule->wmm_rule.client[j].cot))
921 			goto nla_put_failure;
922 
923 		nla_nest_end(msg, nl_wmm_rule);
924 	}
925 	nla_nest_end(msg, nl_wmm_rules);
926 
927 	return 0;
928 
929 nla_put_failure:
930 	return -ENOBUFS;
931 }
932 
933 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
934 				   struct ieee80211_channel *chan,
935 				   bool large)
936 {
937 	/* Some channels must be completely excluded from the
938 	 * list to protect old user-space tools from breaking
939 	 */
940 	if (!large && chan->flags &
941 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
942 		return 0;
943 
944 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
945 			chan->center_freq))
946 		goto nla_put_failure;
947 
948 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
949 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
950 		goto nla_put_failure;
951 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
952 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
953 			goto nla_put_failure;
954 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
955 			goto nla_put_failure;
956 	}
957 	if (chan->flags & IEEE80211_CHAN_RADAR) {
958 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
959 			goto nla_put_failure;
960 		if (large) {
961 			u32 time;
962 
963 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
964 
965 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
966 					chan->dfs_state))
967 				goto nla_put_failure;
968 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
969 					time))
970 				goto nla_put_failure;
971 			if (nla_put_u32(msg,
972 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
973 					chan->dfs_cac_ms))
974 				goto nla_put_failure;
975 		}
976 	}
977 
978 	if (large) {
979 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
980 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
981 			goto nla_put_failure;
982 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
983 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
984 			goto nla_put_failure;
985 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
986 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
987 			goto nla_put_failure;
988 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
989 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
990 			goto nla_put_failure;
991 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
992 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
993 			goto nla_put_failure;
994 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
995 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
996 			goto nla_put_failure;
997 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
998 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
999 			goto nla_put_failure;
1000 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1001 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1002 			goto nla_put_failure;
1003 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1004 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1005 			goto nla_put_failure;
1006 	}
1007 
1008 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1009 			DBM_TO_MBM(chan->max_power)))
1010 		goto nla_put_failure;
1011 
1012 	if (large) {
1013 		const struct ieee80211_reg_rule *rule =
1014 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1015 
1016 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1017 			if (nl80211_msg_put_wmm_rules(msg, rule))
1018 				goto nla_put_failure;
1019 		}
1020 	}
1021 
1022 	return 0;
1023 
1024  nla_put_failure:
1025 	return -ENOBUFS;
1026 }
1027 
1028 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1029 				  struct cfg80211_txq_stats *txqstats,
1030 				  int attrtype)
1031 {
1032 	struct nlattr *txqattr;
1033 
1034 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1035 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1036 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1037 		return false;						  \
1038 	} while (0)
1039 
1040 	txqattr = nla_nest_start_noflag(msg, attrtype);
1041 	if (!txqattr)
1042 		return false;
1043 
1044 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1045 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1046 	PUT_TXQVAL_U32(FLOWS, flows);
1047 	PUT_TXQVAL_U32(DROPS, drops);
1048 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1049 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1050 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1051 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1052 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1053 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1054 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1055 	nla_nest_end(msg, txqattr);
1056 
1057 #undef PUT_TXQVAL_U32
1058 	return true;
1059 }
1060 
1061 /* netlink command implementations */
1062 
1063 struct key_parse {
1064 	struct key_params p;
1065 	int idx;
1066 	int type;
1067 	bool def, defmgmt, defbeacon;
1068 	bool def_uni, def_multi;
1069 };
1070 
1071 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1072 				 struct key_parse *k)
1073 {
1074 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1075 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1076 					      nl80211_key_policy,
1077 					      info->extack);
1078 	if (err)
1079 		return err;
1080 
1081 	k->def = !!tb[NL80211_KEY_DEFAULT];
1082 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1083 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1084 
1085 	if (k->def) {
1086 		k->def_uni = true;
1087 		k->def_multi = true;
1088 	}
1089 	if (k->defmgmt || k->defbeacon)
1090 		k->def_multi = true;
1091 
1092 	if (tb[NL80211_KEY_IDX])
1093 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1094 
1095 	if (tb[NL80211_KEY_DATA]) {
1096 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1097 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1098 	}
1099 
1100 	if (tb[NL80211_KEY_SEQ]) {
1101 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1102 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1103 	}
1104 
1105 	if (tb[NL80211_KEY_CIPHER])
1106 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1107 
1108 	if (tb[NL80211_KEY_TYPE])
1109 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1110 
1111 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1112 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1113 
1114 		err = nla_parse_nested_deprecated(kdt,
1115 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1116 						  tb[NL80211_KEY_DEFAULT_TYPES],
1117 						  nl80211_key_default_policy,
1118 						  info->extack);
1119 		if (err)
1120 			return err;
1121 
1122 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1123 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1124 	}
1125 
1126 	if (tb[NL80211_KEY_MODE])
1127 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1128 
1129 	return 0;
1130 }
1131 
1132 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1133 {
1134 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1135 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1136 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1137 	}
1138 
1139 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1140 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1141 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1142 	}
1143 
1144 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1145 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1146 
1147 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1148 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1149 
1150 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1151 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1152 
1153 	if (k->def) {
1154 		k->def_uni = true;
1155 		k->def_multi = true;
1156 	}
1157 	if (k->defmgmt)
1158 		k->def_multi = true;
1159 
1160 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1161 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1162 
1163 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1164 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1165 		int err = nla_parse_nested_deprecated(kdt,
1166 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1167 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1168 						      nl80211_key_default_policy,
1169 						      info->extack);
1170 		if (err)
1171 			return err;
1172 
1173 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1174 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1175 	}
1176 
1177 	return 0;
1178 }
1179 
1180 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1181 {
1182 	int err;
1183 
1184 	memset(k, 0, sizeof(*k));
1185 	k->idx = -1;
1186 	k->type = -1;
1187 
1188 	if (info->attrs[NL80211_ATTR_KEY])
1189 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1190 	else
1191 		err = nl80211_parse_key_old(info, k);
1192 
1193 	if (err)
1194 		return err;
1195 
1196 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1197 	    (k->defbeacon ? 1 : 0) > 1) {
1198 		GENL_SET_ERR_MSG(info,
1199 				 "key with multiple default flags is invalid");
1200 		return -EINVAL;
1201 	}
1202 
1203 	if (k->defmgmt || k->defbeacon) {
1204 		if (k->def_uni || !k->def_multi) {
1205 			GENL_SET_ERR_MSG(info,
1206 					 "defmgmt/defbeacon key must be mcast");
1207 			return -EINVAL;
1208 		}
1209 	}
1210 
1211 	if (k->idx != -1) {
1212 		if (k->defmgmt) {
1213 			if (k->idx < 4 || k->idx > 5) {
1214 				GENL_SET_ERR_MSG(info,
1215 						 "defmgmt key idx not 4 or 5");
1216 				return -EINVAL;
1217 			}
1218 		} else if (k->defbeacon) {
1219 			if (k->idx < 6 || k->idx > 7) {
1220 				GENL_SET_ERR_MSG(info,
1221 						 "defbeacon key idx not 6 or 7");
1222 				return -EINVAL;
1223 			}
1224 		} else if (k->def) {
1225 			if (k->idx < 0 || k->idx > 3) {
1226 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1227 				return -EINVAL;
1228 			}
1229 		} else {
1230 			if (k->idx < 0 || k->idx > 7) {
1231 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1232 				return -EINVAL;
1233 			}
1234 		}
1235 	}
1236 
1237 	return 0;
1238 }
1239 
1240 static struct cfg80211_cached_keys *
1241 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1242 		       struct genl_info *info, bool *no_ht)
1243 {
1244 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1245 	struct key_parse parse;
1246 	struct nlattr *key;
1247 	struct cfg80211_cached_keys *result;
1248 	int rem, err, def = 0;
1249 	bool have_key = false;
1250 
1251 	nla_for_each_nested(key, keys, rem) {
1252 		have_key = true;
1253 		break;
1254 	}
1255 
1256 	if (!have_key)
1257 		return NULL;
1258 
1259 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1260 	if (!result)
1261 		return ERR_PTR(-ENOMEM);
1262 
1263 	result->def = -1;
1264 
1265 	nla_for_each_nested(key, keys, rem) {
1266 		memset(&parse, 0, sizeof(parse));
1267 		parse.idx = -1;
1268 
1269 		err = nl80211_parse_key_new(info, key, &parse);
1270 		if (err)
1271 			goto error;
1272 		err = -EINVAL;
1273 		if (!parse.p.key)
1274 			goto error;
1275 		if (parse.idx < 0 || parse.idx > 3) {
1276 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1277 			goto error;
1278 		}
1279 		if (parse.def) {
1280 			if (def) {
1281 				GENL_SET_ERR_MSG(info,
1282 						 "only one key can be default");
1283 				goto error;
1284 			}
1285 			def = 1;
1286 			result->def = parse.idx;
1287 			if (!parse.def_uni || !parse.def_multi)
1288 				goto error;
1289 		} else if (parse.defmgmt)
1290 			goto error;
1291 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1292 						     parse.idx, false, NULL);
1293 		if (err)
1294 			goto error;
1295 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1296 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1297 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1298 			err = -EINVAL;
1299 			goto error;
1300 		}
1301 		result->params[parse.idx].cipher = parse.p.cipher;
1302 		result->params[parse.idx].key_len = parse.p.key_len;
1303 		result->params[parse.idx].key = result->data[parse.idx];
1304 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1305 
1306 		/* must be WEP key if we got here */
1307 		if (no_ht)
1308 			*no_ht = true;
1309 	}
1310 
1311 	if (result->def < 0) {
1312 		err = -EINVAL;
1313 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1314 		goto error;
1315 	}
1316 
1317 	return result;
1318  error:
1319 	kfree(result);
1320 	return ERR_PTR(err);
1321 }
1322 
1323 static int nl80211_key_allowed(struct wireless_dev *wdev)
1324 {
1325 	ASSERT_WDEV_LOCK(wdev);
1326 
1327 	switch (wdev->iftype) {
1328 	case NL80211_IFTYPE_AP:
1329 	case NL80211_IFTYPE_AP_VLAN:
1330 	case NL80211_IFTYPE_P2P_GO:
1331 	case NL80211_IFTYPE_MESH_POINT:
1332 		break;
1333 	case NL80211_IFTYPE_ADHOC:
1334 	case NL80211_IFTYPE_STATION:
1335 	case NL80211_IFTYPE_P2P_CLIENT:
1336 		if (!wdev->current_bss)
1337 			return -ENOLINK;
1338 		break;
1339 	case NL80211_IFTYPE_UNSPECIFIED:
1340 	case NL80211_IFTYPE_OCB:
1341 	case NL80211_IFTYPE_MONITOR:
1342 	case NL80211_IFTYPE_NAN:
1343 	case NL80211_IFTYPE_P2P_DEVICE:
1344 	case NL80211_IFTYPE_WDS:
1345 	case NUM_NL80211_IFTYPES:
1346 		return -EINVAL;
1347 	}
1348 
1349 	return 0;
1350 }
1351 
1352 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1353 							struct nlattr *tb)
1354 {
1355 	struct ieee80211_channel *chan;
1356 
1357 	if (tb == NULL)
1358 		return NULL;
1359 	chan = ieee80211_get_channel(wiphy, nla_get_u32(tb));
1360 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1361 		return NULL;
1362 	return chan;
1363 }
1364 
1365 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1366 {
1367 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1368 	int i;
1369 
1370 	if (!nl_modes)
1371 		goto nla_put_failure;
1372 
1373 	i = 0;
1374 	while (ifmodes) {
1375 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1376 			goto nla_put_failure;
1377 		ifmodes >>= 1;
1378 		i++;
1379 	}
1380 
1381 	nla_nest_end(msg, nl_modes);
1382 	return 0;
1383 
1384 nla_put_failure:
1385 	return -ENOBUFS;
1386 }
1387 
1388 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1389 					  struct sk_buff *msg,
1390 					  bool large)
1391 {
1392 	struct nlattr *nl_combis;
1393 	int i, j;
1394 
1395 	nl_combis = nla_nest_start_noflag(msg,
1396 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1397 	if (!nl_combis)
1398 		goto nla_put_failure;
1399 
1400 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1401 		const struct ieee80211_iface_combination *c;
1402 		struct nlattr *nl_combi, *nl_limits;
1403 
1404 		c = &wiphy->iface_combinations[i];
1405 
1406 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1407 		if (!nl_combi)
1408 			goto nla_put_failure;
1409 
1410 		nl_limits = nla_nest_start_noflag(msg,
1411 						  NL80211_IFACE_COMB_LIMITS);
1412 		if (!nl_limits)
1413 			goto nla_put_failure;
1414 
1415 		for (j = 0; j < c->n_limits; j++) {
1416 			struct nlattr *nl_limit;
1417 
1418 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1419 			if (!nl_limit)
1420 				goto nla_put_failure;
1421 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1422 					c->limits[j].max))
1423 				goto nla_put_failure;
1424 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1425 						c->limits[j].types))
1426 				goto nla_put_failure;
1427 			nla_nest_end(msg, nl_limit);
1428 		}
1429 
1430 		nla_nest_end(msg, nl_limits);
1431 
1432 		if (c->beacon_int_infra_match &&
1433 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1434 			goto nla_put_failure;
1435 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1436 				c->num_different_channels) ||
1437 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1438 				c->max_interfaces))
1439 			goto nla_put_failure;
1440 		if (large &&
1441 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1442 				c->radar_detect_widths) ||
1443 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1444 				c->radar_detect_regions)))
1445 			goto nla_put_failure;
1446 		if (c->beacon_int_min_gcd &&
1447 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1448 				c->beacon_int_min_gcd))
1449 			goto nla_put_failure;
1450 
1451 		nla_nest_end(msg, nl_combi);
1452 	}
1453 
1454 	nla_nest_end(msg, nl_combis);
1455 
1456 	return 0;
1457 nla_put_failure:
1458 	return -ENOBUFS;
1459 }
1460 
1461 #ifdef CONFIG_PM
1462 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1463 					struct sk_buff *msg)
1464 {
1465 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1466 	struct nlattr *nl_tcp;
1467 
1468 	if (!tcp)
1469 		return 0;
1470 
1471 	nl_tcp = nla_nest_start_noflag(msg,
1472 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1473 	if (!nl_tcp)
1474 		return -ENOBUFS;
1475 
1476 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1477 			tcp->data_payload_max))
1478 		return -ENOBUFS;
1479 
1480 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1481 			tcp->data_payload_max))
1482 		return -ENOBUFS;
1483 
1484 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1485 		return -ENOBUFS;
1486 
1487 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1488 				sizeof(*tcp->tok), tcp->tok))
1489 		return -ENOBUFS;
1490 
1491 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1492 			tcp->data_interval_max))
1493 		return -ENOBUFS;
1494 
1495 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1496 			tcp->wake_payload_max))
1497 		return -ENOBUFS;
1498 
1499 	nla_nest_end(msg, nl_tcp);
1500 	return 0;
1501 }
1502 
1503 static int nl80211_send_wowlan(struct sk_buff *msg,
1504 			       struct cfg80211_registered_device *rdev,
1505 			       bool large)
1506 {
1507 	struct nlattr *nl_wowlan;
1508 
1509 	if (!rdev->wiphy.wowlan)
1510 		return 0;
1511 
1512 	nl_wowlan = nla_nest_start_noflag(msg,
1513 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1514 	if (!nl_wowlan)
1515 		return -ENOBUFS;
1516 
1517 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1518 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1519 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1520 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1521 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1522 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1523 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1524 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1525 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1526 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1527 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1528 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1529 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1530 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1531 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1532 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1533 		return -ENOBUFS;
1534 
1535 	if (rdev->wiphy.wowlan->n_patterns) {
1536 		struct nl80211_pattern_support pat = {
1537 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1538 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1539 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1540 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1541 		};
1542 
1543 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1544 			    sizeof(pat), &pat))
1545 			return -ENOBUFS;
1546 	}
1547 
1548 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1549 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1550 			rdev->wiphy.wowlan->max_nd_match_sets))
1551 		return -ENOBUFS;
1552 
1553 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1554 		return -ENOBUFS;
1555 
1556 	nla_nest_end(msg, nl_wowlan);
1557 
1558 	return 0;
1559 }
1560 #endif
1561 
1562 static int nl80211_send_coalesce(struct sk_buff *msg,
1563 				 struct cfg80211_registered_device *rdev)
1564 {
1565 	struct nl80211_coalesce_rule_support rule;
1566 
1567 	if (!rdev->wiphy.coalesce)
1568 		return 0;
1569 
1570 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1571 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1572 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1573 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1574 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1575 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1576 
1577 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1578 		return -ENOBUFS;
1579 
1580 	return 0;
1581 }
1582 
1583 static int
1584 nl80211_send_iftype_data(struct sk_buff *msg,
1585 			 const struct ieee80211_sband_iftype_data *iftdata)
1586 {
1587 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1588 
1589 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1590 				iftdata->types_mask))
1591 		return -ENOBUFS;
1592 
1593 	if (he_cap->has_he) {
1594 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1595 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1596 			    he_cap->he_cap_elem.mac_cap_info) ||
1597 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1598 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1599 			    he_cap->he_cap_elem.phy_cap_info) ||
1600 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1601 			    sizeof(he_cap->he_mcs_nss_supp),
1602 			    &he_cap->he_mcs_nss_supp) ||
1603 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1604 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1605 			return -ENOBUFS;
1606 	}
1607 
1608 	return 0;
1609 }
1610 
1611 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1612 				      struct ieee80211_supported_band *sband)
1613 {
1614 	struct nlattr *nl_rates, *nl_rate;
1615 	struct ieee80211_rate *rate;
1616 	int i;
1617 
1618 	/* add HT info */
1619 	if (sband->ht_cap.ht_supported &&
1620 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1621 		     sizeof(sband->ht_cap.mcs),
1622 		     &sband->ht_cap.mcs) ||
1623 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1624 			 sband->ht_cap.cap) ||
1625 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1626 			sband->ht_cap.ampdu_factor) ||
1627 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1628 			sband->ht_cap.ampdu_density)))
1629 		return -ENOBUFS;
1630 
1631 	/* add VHT info */
1632 	if (sband->vht_cap.vht_supported &&
1633 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1634 		     sizeof(sband->vht_cap.vht_mcs),
1635 		     &sband->vht_cap.vht_mcs) ||
1636 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1637 			 sband->vht_cap.cap)))
1638 		return -ENOBUFS;
1639 
1640 	if (sband->n_iftype_data) {
1641 		struct nlattr *nl_iftype_data =
1642 			nla_nest_start_noflag(msg,
1643 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1644 		int err;
1645 
1646 		if (!nl_iftype_data)
1647 			return -ENOBUFS;
1648 
1649 		for (i = 0; i < sband->n_iftype_data; i++) {
1650 			struct nlattr *iftdata;
1651 
1652 			iftdata = nla_nest_start_noflag(msg, i + 1);
1653 			if (!iftdata)
1654 				return -ENOBUFS;
1655 
1656 			err = nl80211_send_iftype_data(msg,
1657 						       &sband->iftype_data[i]);
1658 			if (err)
1659 				return err;
1660 
1661 			nla_nest_end(msg, iftdata);
1662 		}
1663 
1664 		nla_nest_end(msg, nl_iftype_data);
1665 	}
1666 
1667 	/* add EDMG info */
1668 	if (sband->edmg_cap.channels &&
1669 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1670 		       sband->edmg_cap.channels) ||
1671 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1672 		       sband->edmg_cap.bw_config)))
1673 
1674 		return -ENOBUFS;
1675 
1676 	/* add bitrates */
1677 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1678 	if (!nl_rates)
1679 		return -ENOBUFS;
1680 
1681 	for (i = 0; i < sband->n_bitrates; i++) {
1682 		nl_rate = nla_nest_start_noflag(msg, i);
1683 		if (!nl_rate)
1684 			return -ENOBUFS;
1685 
1686 		rate = &sband->bitrates[i];
1687 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1688 				rate->bitrate))
1689 			return -ENOBUFS;
1690 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1691 		    nla_put_flag(msg,
1692 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1693 			return -ENOBUFS;
1694 
1695 		nla_nest_end(msg, nl_rate);
1696 	}
1697 
1698 	nla_nest_end(msg, nl_rates);
1699 
1700 	return 0;
1701 }
1702 
1703 static int
1704 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1705 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1706 {
1707 	u16 stypes;
1708 	struct nlattr *nl_ftypes, *nl_ifs;
1709 	enum nl80211_iftype ift;
1710 	int i;
1711 
1712 	if (!mgmt_stypes)
1713 		return 0;
1714 
1715 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1716 	if (!nl_ifs)
1717 		return -ENOBUFS;
1718 
1719 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1720 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1721 		if (!nl_ftypes)
1722 			return -ENOBUFS;
1723 		i = 0;
1724 		stypes = mgmt_stypes[ift].tx;
1725 		while (stypes) {
1726 			if ((stypes & 1) &&
1727 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1728 					(i << 4) | IEEE80211_FTYPE_MGMT))
1729 				return -ENOBUFS;
1730 			stypes >>= 1;
1731 			i++;
1732 		}
1733 		nla_nest_end(msg, nl_ftypes);
1734 	}
1735 
1736 	nla_nest_end(msg, nl_ifs);
1737 
1738 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
1739 	if (!nl_ifs)
1740 		return -ENOBUFS;
1741 
1742 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1743 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1744 		if (!nl_ftypes)
1745 			return -ENOBUFS;
1746 		i = 0;
1747 		stypes = mgmt_stypes[ift].rx;
1748 		while (stypes) {
1749 			if ((stypes & 1) &&
1750 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1751 					(i << 4) | IEEE80211_FTYPE_MGMT))
1752 				return -ENOBUFS;
1753 			stypes >>= 1;
1754 			i++;
1755 		}
1756 		nla_nest_end(msg, nl_ftypes);
1757 	}
1758 	nla_nest_end(msg, nl_ifs);
1759 
1760 	return 0;
1761 }
1762 
1763 #define CMD(op, n)							\
1764 	 do {								\
1765 		if (rdev->ops->op) {					\
1766 			i++;						\
1767 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
1768 				goto nla_put_failure;			\
1769 		}							\
1770 	} while (0)
1771 
1772 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
1773 					struct sk_buff *msg)
1774 {
1775 	int i = 0;
1776 
1777 	/*
1778 	 * do *NOT* add anything into this function, new things need to be
1779 	 * advertised only to new versions of userspace that can deal with
1780 	 * the split (and they can't possibly care about new features...
1781 	 */
1782 	CMD(add_virtual_intf, NEW_INTERFACE);
1783 	CMD(change_virtual_intf, SET_INTERFACE);
1784 	CMD(add_key, NEW_KEY);
1785 	CMD(start_ap, START_AP);
1786 	CMD(add_station, NEW_STATION);
1787 	CMD(add_mpath, NEW_MPATH);
1788 	CMD(update_mesh_config, SET_MESH_CONFIG);
1789 	CMD(change_bss, SET_BSS);
1790 	CMD(auth, AUTHENTICATE);
1791 	CMD(assoc, ASSOCIATE);
1792 	CMD(deauth, DEAUTHENTICATE);
1793 	CMD(disassoc, DISASSOCIATE);
1794 	CMD(join_ibss, JOIN_IBSS);
1795 	CMD(join_mesh, JOIN_MESH);
1796 	CMD(set_pmksa, SET_PMKSA);
1797 	CMD(del_pmksa, DEL_PMKSA);
1798 	CMD(flush_pmksa, FLUSH_PMKSA);
1799 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1800 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1801 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1802 	CMD(mgmt_tx, FRAME);
1803 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1804 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1805 		i++;
1806 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1807 			goto nla_put_failure;
1808 	}
1809 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1810 	    rdev->ops->join_mesh) {
1811 		i++;
1812 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1813 			goto nla_put_failure;
1814 	}
1815 	CMD(set_wds_peer, SET_WDS_PEER);
1816 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1817 		CMD(tdls_mgmt, TDLS_MGMT);
1818 		CMD(tdls_oper, TDLS_OPER);
1819 	}
1820 	if (rdev->wiphy.max_sched_scan_reqs)
1821 		CMD(sched_scan_start, START_SCHED_SCAN);
1822 	CMD(probe_client, PROBE_CLIENT);
1823 	CMD(set_noack_map, SET_NOACK_MAP);
1824 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1825 		i++;
1826 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1827 			goto nla_put_failure;
1828 	}
1829 	CMD(start_p2p_device, START_P2P_DEVICE);
1830 	CMD(set_mcast_rate, SET_MCAST_RATE);
1831 #ifdef CONFIG_NL80211_TESTMODE
1832 	CMD(testmode_cmd, TESTMODE);
1833 #endif
1834 
1835 	if (rdev->ops->connect || rdev->ops->auth) {
1836 		i++;
1837 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1838 			goto nla_put_failure;
1839 	}
1840 
1841 	if (rdev->ops->disconnect || rdev->ops->deauth) {
1842 		i++;
1843 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1844 			goto nla_put_failure;
1845 	}
1846 
1847 	return i;
1848  nla_put_failure:
1849 	return -ENOBUFS;
1850 }
1851 
1852 static int
1853 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
1854 			   struct sk_buff *msg)
1855 {
1856 	struct nlattr *ftm;
1857 
1858 	if (!cap->ftm.supported)
1859 		return 0;
1860 
1861 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
1862 	if (!ftm)
1863 		return -ENOBUFS;
1864 
1865 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
1866 		return -ENOBUFS;
1867 	if (cap->ftm.non_asap &&
1868 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
1869 		return -ENOBUFS;
1870 	if (cap->ftm.request_lci &&
1871 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
1872 		return -ENOBUFS;
1873 	if (cap->ftm.request_civicloc &&
1874 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
1875 		return -ENOBUFS;
1876 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
1877 			cap->ftm.preambles))
1878 		return -ENOBUFS;
1879 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
1880 			cap->ftm.bandwidths))
1881 		return -ENOBUFS;
1882 	if (cap->ftm.max_bursts_exponent >= 0 &&
1883 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
1884 			cap->ftm.max_bursts_exponent))
1885 		return -ENOBUFS;
1886 	if (cap->ftm.max_ftms_per_burst &&
1887 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
1888 			cap->ftm.max_ftms_per_burst))
1889 		return -ENOBUFS;
1890 	if (cap->ftm.trigger_based &&
1891 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
1892 		return -ENOBUFS;
1893 	if (cap->ftm.non_trigger_based &&
1894 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
1895 		return -ENOBUFS;
1896 
1897 	nla_nest_end(msg, ftm);
1898 	return 0;
1899 }
1900 
1901 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
1902 				  struct sk_buff *msg)
1903 {
1904 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
1905 	struct nlattr *pmsr, *caps;
1906 
1907 	if (!cap)
1908 		return 0;
1909 
1910 	/*
1911 	 * we don't need to clean up anything here since the caller
1912 	 * will genlmsg_cancel() if we fail
1913 	 */
1914 
1915 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
1916 	if (!pmsr)
1917 		return -ENOBUFS;
1918 
1919 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
1920 		return -ENOBUFS;
1921 
1922 	if (cap->report_ap_tsf &&
1923 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
1924 		return -ENOBUFS;
1925 
1926 	if (cap->randomize_mac_addr &&
1927 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
1928 		return -ENOBUFS;
1929 
1930 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
1931 	if (!caps)
1932 		return -ENOBUFS;
1933 
1934 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
1935 		return -ENOBUFS;
1936 
1937 	nla_nest_end(msg, caps);
1938 	nla_nest_end(msg, pmsr);
1939 
1940 	return 0;
1941 }
1942 
1943 static int
1944 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
1945 			      struct sk_buff *msg)
1946 {
1947 	int i;
1948 	struct nlattr *nested, *nested_akms;
1949 	const struct wiphy_iftype_akm_suites *iftype_akms;
1950 
1951 	if (!rdev->wiphy.num_iftype_akm_suites ||
1952 	    !rdev->wiphy.iftype_akm_suites)
1953 		return 0;
1954 
1955 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
1956 	if (!nested)
1957 		return -ENOBUFS;
1958 
1959 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
1960 		nested_akms = nla_nest_start(msg, i + 1);
1961 		if (!nested_akms)
1962 			return -ENOBUFS;
1963 
1964 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
1965 
1966 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
1967 					iftype_akms->iftypes_mask))
1968 			return -ENOBUFS;
1969 
1970 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
1971 			    sizeof(u32) * iftype_akms->n_akm_suites,
1972 			    iftype_akms->akm_suites)) {
1973 			return -ENOBUFS;
1974 		}
1975 		nla_nest_end(msg, nested_akms);
1976 	}
1977 
1978 	nla_nest_end(msg, nested);
1979 
1980 	return 0;
1981 }
1982 
1983 static int
1984 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
1985 			       struct sk_buff *msg)
1986 {
1987 	struct nlattr *supp;
1988 
1989 	if (!rdev->wiphy.tid_config_support.vif &&
1990 	    !rdev->wiphy.tid_config_support.peer)
1991 		return 0;
1992 
1993 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
1994 	if (!supp)
1995 		return -ENOSPC;
1996 
1997 	if (rdev->wiphy.tid_config_support.vif &&
1998 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
1999 			      rdev->wiphy.tid_config_support.vif,
2000 			      NL80211_TID_CONFIG_ATTR_PAD))
2001 		goto fail;
2002 
2003 	if (rdev->wiphy.tid_config_support.peer &&
2004 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2005 			      rdev->wiphy.tid_config_support.peer,
2006 			      NL80211_TID_CONFIG_ATTR_PAD))
2007 		goto fail;
2008 
2009 	/* for now we just use the same value ... makes more sense */
2010 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2011 		       rdev->wiphy.tid_config_support.max_retry))
2012 		goto fail;
2013 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2014 		       rdev->wiphy.tid_config_support.max_retry))
2015 		goto fail;
2016 
2017 	nla_nest_end(msg, supp);
2018 
2019 	return 0;
2020 fail:
2021 	nla_nest_cancel(msg, supp);
2022 	return -ENOBUFS;
2023 }
2024 
2025 struct nl80211_dump_wiphy_state {
2026 	s64 filter_wiphy;
2027 	long start;
2028 	long split_start, band_start, chan_start, capa_start;
2029 	bool split;
2030 };
2031 
2032 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2033 			      enum nl80211_commands cmd,
2034 			      struct sk_buff *msg, u32 portid, u32 seq,
2035 			      int flags, struct nl80211_dump_wiphy_state *state)
2036 {
2037 	void *hdr;
2038 	struct nlattr *nl_bands, *nl_band;
2039 	struct nlattr *nl_freqs, *nl_freq;
2040 	struct nlattr *nl_cmds;
2041 	enum nl80211_band band;
2042 	struct ieee80211_channel *chan;
2043 	int i;
2044 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2045 				rdev->wiphy.mgmt_stypes;
2046 	u32 features;
2047 
2048 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2049 	if (!hdr)
2050 		return -ENOBUFS;
2051 
2052 	if (WARN_ON(!state))
2053 		return -EINVAL;
2054 
2055 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2056 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2057 			   wiphy_name(&rdev->wiphy)) ||
2058 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2059 			cfg80211_rdev_list_generation))
2060 		goto nla_put_failure;
2061 
2062 	if (cmd != NL80211_CMD_NEW_WIPHY)
2063 		goto finish;
2064 
2065 	switch (state->split_start) {
2066 	case 0:
2067 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2068 			       rdev->wiphy.retry_short) ||
2069 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2070 			       rdev->wiphy.retry_long) ||
2071 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2072 				rdev->wiphy.frag_threshold) ||
2073 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2074 				rdev->wiphy.rts_threshold) ||
2075 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2076 			       rdev->wiphy.coverage_class) ||
2077 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2078 			       rdev->wiphy.max_scan_ssids) ||
2079 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2080 			       rdev->wiphy.max_sched_scan_ssids) ||
2081 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2082 				rdev->wiphy.max_scan_ie_len) ||
2083 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2084 				rdev->wiphy.max_sched_scan_ie_len) ||
2085 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2086 			       rdev->wiphy.max_match_sets) ||
2087 		    nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2088 				rdev->wiphy.max_sched_scan_plans) ||
2089 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2090 				rdev->wiphy.max_sched_scan_plan_interval) ||
2091 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2092 				rdev->wiphy.max_sched_scan_plan_iterations))
2093 			goto nla_put_failure;
2094 
2095 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2096 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2097 			goto nla_put_failure;
2098 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2099 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2100 			goto nla_put_failure;
2101 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2102 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2103 			goto nla_put_failure;
2104 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2105 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2106 			goto nla_put_failure;
2107 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2108 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2109 			goto nla_put_failure;
2110 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2111 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2112 			goto nla_put_failure;
2113 		state->split_start++;
2114 		if (state->split)
2115 			break;
2116 		/* fall through */
2117 	case 1:
2118 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2119 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2120 			    rdev->wiphy.cipher_suites))
2121 			goto nla_put_failure;
2122 
2123 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2124 			       rdev->wiphy.max_num_pmkids))
2125 			goto nla_put_failure;
2126 
2127 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2128 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2129 			goto nla_put_failure;
2130 
2131 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2132 				rdev->wiphy.available_antennas_tx) ||
2133 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2134 				rdev->wiphy.available_antennas_rx))
2135 			goto nla_put_failure;
2136 
2137 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2138 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2139 				rdev->wiphy.probe_resp_offload))
2140 			goto nla_put_failure;
2141 
2142 		if ((rdev->wiphy.available_antennas_tx ||
2143 		     rdev->wiphy.available_antennas_rx) &&
2144 		    rdev->ops->get_antenna) {
2145 			u32 tx_ant = 0, rx_ant = 0;
2146 			int res;
2147 
2148 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2149 			if (!res) {
2150 				if (nla_put_u32(msg,
2151 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2152 						tx_ant) ||
2153 				    nla_put_u32(msg,
2154 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2155 						rx_ant))
2156 					goto nla_put_failure;
2157 			}
2158 		}
2159 
2160 		state->split_start++;
2161 		if (state->split)
2162 			break;
2163 		/* fall through */
2164 	case 2:
2165 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2166 					rdev->wiphy.interface_modes))
2167 				goto nla_put_failure;
2168 		state->split_start++;
2169 		if (state->split)
2170 			break;
2171 		/* fall through */
2172 	case 3:
2173 		nl_bands = nla_nest_start_noflag(msg,
2174 						 NL80211_ATTR_WIPHY_BANDS);
2175 		if (!nl_bands)
2176 			goto nla_put_failure;
2177 
2178 		for (band = state->band_start;
2179 		     band < NUM_NL80211_BANDS; band++) {
2180 			struct ieee80211_supported_band *sband;
2181 
2182 			sband = rdev->wiphy.bands[band];
2183 
2184 			if (!sband)
2185 				continue;
2186 
2187 			nl_band = nla_nest_start_noflag(msg, band);
2188 			if (!nl_band)
2189 				goto nla_put_failure;
2190 
2191 			switch (state->chan_start) {
2192 			case 0:
2193 				if (nl80211_send_band_rateinfo(msg, sband))
2194 					goto nla_put_failure;
2195 				state->chan_start++;
2196 				if (state->split)
2197 					break;
2198 				/* fall through */
2199 			default:
2200 				/* add frequencies */
2201 				nl_freqs = nla_nest_start_noflag(msg,
2202 								 NL80211_BAND_ATTR_FREQS);
2203 				if (!nl_freqs)
2204 					goto nla_put_failure;
2205 
2206 				for (i = state->chan_start - 1;
2207 				     i < sband->n_channels;
2208 				     i++) {
2209 					nl_freq = nla_nest_start_noflag(msg,
2210 									i);
2211 					if (!nl_freq)
2212 						goto nla_put_failure;
2213 
2214 					chan = &sband->channels[i];
2215 
2216 					if (nl80211_msg_put_channel(
2217 							msg, &rdev->wiphy, chan,
2218 							state->split))
2219 						goto nla_put_failure;
2220 
2221 					nla_nest_end(msg, nl_freq);
2222 					if (state->split)
2223 						break;
2224 				}
2225 				if (i < sband->n_channels)
2226 					state->chan_start = i + 2;
2227 				else
2228 					state->chan_start = 0;
2229 				nla_nest_end(msg, nl_freqs);
2230 			}
2231 
2232 			nla_nest_end(msg, nl_band);
2233 
2234 			if (state->split) {
2235 				/* start again here */
2236 				if (state->chan_start)
2237 					band--;
2238 				break;
2239 			}
2240 		}
2241 		nla_nest_end(msg, nl_bands);
2242 
2243 		if (band < NUM_NL80211_BANDS)
2244 			state->band_start = band + 1;
2245 		else
2246 			state->band_start = 0;
2247 
2248 		/* if bands & channels are done, continue outside */
2249 		if (state->band_start == 0 && state->chan_start == 0)
2250 			state->split_start++;
2251 		if (state->split)
2252 			break;
2253 		/* fall through */
2254 	case 4:
2255 		nl_cmds = nla_nest_start_noflag(msg,
2256 						NL80211_ATTR_SUPPORTED_COMMANDS);
2257 		if (!nl_cmds)
2258 			goto nla_put_failure;
2259 
2260 		i = nl80211_add_commands_unsplit(rdev, msg);
2261 		if (i < 0)
2262 			goto nla_put_failure;
2263 		if (state->split) {
2264 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2265 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2266 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2267 				CMD(channel_switch, CHANNEL_SWITCH);
2268 			CMD(set_qos_map, SET_QOS_MAP);
2269 			if (rdev->wiphy.features &
2270 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2271 				CMD(add_tx_ts, ADD_TX_TS);
2272 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2273 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2274 			CMD(update_ft_ies, UPDATE_FT_IES);
2275 		}
2276 #undef CMD
2277 
2278 		nla_nest_end(msg, nl_cmds);
2279 		state->split_start++;
2280 		if (state->split)
2281 			break;
2282 		/* fall through */
2283 	case 5:
2284 		if (rdev->ops->remain_on_channel &&
2285 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2286 		    nla_put_u32(msg,
2287 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2288 				rdev->wiphy.max_remain_on_channel_duration))
2289 			goto nla_put_failure;
2290 
2291 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2292 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2293 			goto nla_put_failure;
2294 
2295 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2296 			goto nla_put_failure;
2297 		state->split_start++;
2298 		if (state->split)
2299 			break;
2300 		/* fall through */
2301 	case 6:
2302 #ifdef CONFIG_PM
2303 		if (nl80211_send_wowlan(msg, rdev, state->split))
2304 			goto nla_put_failure;
2305 		state->split_start++;
2306 		if (state->split)
2307 			break;
2308 #else
2309 		state->split_start++;
2310 #endif
2311 		/* fall through */
2312 	case 7:
2313 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2314 					rdev->wiphy.software_iftypes))
2315 			goto nla_put_failure;
2316 
2317 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2318 						   state->split))
2319 			goto nla_put_failure;
2320 
2321 		state->split_start++;
2322 		if (state->split)
2323 			break;
2324 		/* fall through */
2325 	case 8:
2326 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2327 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2328 				rdev->wiphy.ap_sme_capa))
2329 			goto nla_put_failure;
2330 
2331 		features = rdev->wiphy.features;
2332 		/*
2333 		 * We can only add the per-channel limit information if the
2334 		 * dump is split, otherwise it makes it too big. Therefore
2335 		 * only advertise it in that case.
2336 		 */
2337 		if (state->split)
2338 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2339 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2340 			goto nla_put_failure;
2341 
2342 		if (rdev->wiphy.ht_capa_mod_mask &&
2343 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2344 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2345 			    rdev->wiphy.ht_capa_mod_mask))
2346 			goto nla_put_failure;
2347 
2348 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2349 		    rdev->wiphy.max_acl_mac_addrs &&
2350 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2351 				rdev->wiphy.max_acl_mac_addrs))
2352 			goto nla_put_failure;
2353 
2354 		/*
2355 		 * Any information below this point is only available to
2356 		 * applications that can deal with it being split. This
2357 		 * helps ensure that newly added capabilities don't break
2358 		 * older tools by overrunning their buffers.
2359 		 *
2360 		 * We still increment split_start so that in the split
2361 		 * case we'll continue with more data in the next round,
2362 		 * but break unconditionally so unsplit data stops here.
2363 		 */
2364 		state->split_start++;
2365 		break;
2366 	case 9:
2367 		if (rdev->wiphy.extended_capabilities &&
2368 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2369 			     rdev->wiphy.extended_capabilities_len,
2370 			     rdev->wiphy.extended_capabilities) ||
2371 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2372 			     rdev->wiphy.extended_capabilities_len,
2373 			     rdev->wiphy.extended_capabilities_mask)))
2374 			goto nla_put_failure;
2375 
2376 		if (rdev->wiphy.vht_capa_mod_mask &&
2377 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2378 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2379 			    rdev->wiphy.vht_capa_mod_mask))
2380 			goto nla_put_failure;
2381 
2382 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2383 			    rdev->wiphy.perm_addr))
2384 			goto nla_put_failure;
2385 
2386 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2387 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2388 			    rdev->wiphy.addr_mask))
2389 			goto nla_put_failure;
2390 
2391 		if (rdev->wiphy.n_addresses > 1) {
2392 			void *attr;
2393 
2394 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2395 			if (!attr)
2396 				goto nla_put_failure;
2397 
2398 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2399 				if (nla_put(msg, i + 1, ETH_ALEN,
2400 					    rdev->wiphy.addresses[i].addr))
2401 					goto nla_put_failure;
2402 
2403 			nla_nest_end(msg, attr);
2404 		}
2405 
2406 		state->split_start++;
2407 		break;
2408 	case 10:
2409 		if (nl80211_send_coalesce(msg, rdev))
2410 			goto nla_put_failure;
2411 
2412 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2413 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2414 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2415 			goto nla_put_failure;
2416 
2417 		if (rdev->wiphy.max_ap_assoc_sta &&
2418 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2419 				rdev->wiphy.max_ap_assoc_sta))
2420 			goto nla_put_failure;
2421 
2422 		state->split_start++;
2423 		break;
2424 	case 11:
2425 		if (rdev->wiphy.n_vendor_commands) {
2426 			const struct nl80211_vendor_cmd_info *info;
2427 			struct nlattr *nested;
2428 
2429 			nested = nla_nest_start_noflag(msg,
2430 						       NL80211_ATTR_VENDOR_DATA);
2431 			if (!nested)
2432 				goto nla_put_failure;
2433 
2434 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2435 				info = &rdev->wiphy.vendor_commands[i].info;
2436 				if (nla_put(msg, i + 1, sizeof(*info), info))
2437 					goto nla_put_failure;
2438 			}
2439 			nla_nest_end(msg, nested);
2440 		}
2441 
2442 		if (rdev->wiphy.n_vendor_events) {
2443 			const struct nl80211_vendor_cmd_info *info;
2444 			struct nlattr *nested;
2445 
2446 			nested = nla_nest_start_noflag(msg,
2447 						       NL80211_ATTR_VENDOR_EVENTS);
2448 			if (!nested)
2449 				goto nla_put_failure;
2450 
2451 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2452 				info = &rdev->wiphy.vendor_events[i];
2453 				if (nla_put(msg, i + 1, sizeof(*info), info))
2454 					goto nla_put_failure;
2455 			}
2456 			nla_nest_end(msg, nested);
2457 		}
2458 		state->split_start++;
2459 		break;
2460 	case 12:
2461 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2462 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2463 			       rdev->wiphy.max_num_csa_counters))
2464 			goto nla_put_failure;
2465 
2466 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2467 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2468 			goto nla_put_failure;
2469 
2470 		if (rdev->wiphy.max_sched_scan_reqs &&
2471 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2472 				rdev->wiphy.max_sched_scan_reqs))
2473 			goto nla_put_failure;
2474 
2475 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2476 			    sizeof(rdev->wiphy.ext_features),
2477 			    rdev->wiphy.ext_features))
2478 			goto nla_put_failure;
2479 
2480 		if (rdev->wiphy.bss_select_support) {
2481 			struct nlattr *nested;
2482 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2483 
2484 			nested = nla_nest_start_noflag(msg,
2485 						       NL80211_ATTR_BSS_SELECT);
2486 			if (!nested)
2487 				goto nla_put_failure;
2488 
2489 			i = 0;
2490 			while (bss_select_support) {
2491 				if ((bss_select_support & 1) &&
2492 				    nla_put_flag(msg, i))
2493 					goto nla_put_failure;
2494 				i++;
2495 				bss_select_support >>= 1;
2496 			}
2497 			nla_nest_end(msg, nested);
2498 		}
2499 
2500 		state->split_start++;
2501 		break;
2502 	case 13:
2503 		if (rdev->wiphy.num_iftype_ext_capab &&
2504 		    rdev->wiphy.iftype_ext_capab) {
2505 			struct nlattr *nested_ext_capab, *nested;
2506 
2507 			nested = nla_nest_start_noflag(msg,
2508 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2509 			if (!nested)
2510 				goto nla_put_failure;
2511 
2512 			for (i = state->capa_start;
2513 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2514 				const struct wiphy_iftype_ext_capab *capab;
2515 
2516 				capab = &rdev->wiphy.iftype_ext_capab[i];
2517 
2518 				nested_ext_capab = nla_nest_start_noflag(msg,
2519 									 i);
2520 				if (!nested_ext_capab ||
2521 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2522 						capab->iftype) ||
2523 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2524 					    capab->extended_capabilities_len,
2525 					    capab->extended_capabilities) ||
2526 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2527 					    capab->extended_capabilities_len,
2528 					    capab->extended_capabilities_mask))
2529 					goto nla_put_failure;
2530 
2531 				nla_nest_end(msg, nested_ext_capab);
2532 				if (state->split)
2533 					break;
2534 			}
2535 			nla_nest_end(msg, nested);
2536 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2537 				state->capa_start = i + 1;
2538 				break;
2539 			}
2540 		}
2541 
2542 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2543 				rdev->wiphy.nan_supported_bands))
2544 			goto nla_put_failure;
2545 
2546 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2547 					    NL80211_EXT_FEATURE_TXQS)) {
2548 			struct cfg80211_txq_stats txqstats = {};
2549 			int res;
2550 
2551 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2552 			if (!res &&
2553 			    !nl80211_put_txq_stats(msg, &txqstats,
2554 						   NL80211_ATTR_TXQ_STATS))
2555 				goto nla_put_failure;
2556 
2557 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2558 					rdev->wiphy.txq_limit))
2559 				goto nla_put_failure;
2560 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2561 					rdev->wiphy.txq_memory_limit))
2562 				goto nla_put_failure;
2563 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2564 					rdev->wiphy.txq_quantum))
2565 				goto nla_put_failure;
2566 		}
2567 
2568 		state->split_start++;
2569 		break;
2570 	case 14:
2571 		if (nl80211_send_pmsr_capa(rdev, msg))
2572 			goto nla_put_failure;
2573 
2574 		state->split_start++;
2575 		break;
2576 	case 15:
2577 		if (rdev->wiphy.akm_suites &&
2578 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2579 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2580 			    rdev->wiphy.akm_suites))
2581 			goto nla_put_failure;
2582 
2583 		if (nl80211_put_iftype_akm_suites(rdev, msg))
2584 			goto nla_put_failure;
2585 
2586 		if (nl80211_put_tid_config_support(rdev, msg))
2587 			goto nla_put_failure;
2588 
2589 		/* done */
2590 		state->split_start = 0;
2591 		break;
2592 	}
2593  finish:
2594 	genlmsg_end(msg, hdr);
2595 	return 0;
2596 
2597  nla_put_failure:
2598 	genlmsg_cancel(msg, hdr);
2599 	return -EMSGSIZE;
2600 }
2601 
2602 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2603 				    struct netlink_callback *cb,
2604 				    struct nl80211_dump_wiphy_state *state)
2605 {
2606 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
2607 	int ret;
2608 
2609 	if (!tb)
2610 		return -ENOMEM;
2611 
2612 	ret = nlmsg_parse_deprecated(cb->nlh,
2613 				     GENL_HDRLEN + nl80211_fam.hdrsize,
2614 				     tb, nl80211_fam.maxattr,
2615 				     nl80211_policy, NULL);
2616 	/* ignore parse errors for backward compatibility */
2617 	if (ret) {
2618 		ret = 0;
2619 		goto out;
2620 	}
2621 
2622 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2623 	if (tb[NL80211_ATTR_WIPHY])
2624 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2625 	if (tb[NL80211_ATTR_WDEV])
2626 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
2627 	if (tb[NL80211_ATTR_IFINDEX]) {
2628 		struct net_device *netdev;
2629 		struct cfg80211_registered_device *rdev;
2630 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
2631 
2632 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
2633 		if (!netdev) {
2634 			ret = -ENODEV;
2635 			goto out;
2636 		}
2637 		if (netdev->ieee80211_ptr) {
2638 			rdev = wiphy_to_rdev(
2639 				netdev->ieee80211_ptr->wiphy);
2640 			state->filter_wiphy = rdev->wiphy_idx;
2641 		}
2642 	}
2643 
2644 	ret = 0;
2645 out:
2646 	kfree(tb);
2647 	return ret;
2648 }
2649 
2650 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
2651 {
2652 	int idx = 0, ret;
2653 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
2654 	struct cfg80211_registered_device *rdev;
2655 
2656 	rtnl_lock();
2657 	if (!state) {
2658 		state = kzalloc(sizeof(*state), GFP_KERNEL);
2659 		if (!state) {
2660 			rtnl_unlock();
2661 			return -ENOMEM;
2662 		}
2663 		state->filter_wiphy = -1;
2664 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
2665 		if (ret) {
2666 			kfree(state);
2667 			rtnl_unlock();
2668 			return ret;
2669 		}
2670 		cb->args[0] = (long)state;
2671 	}
2672 
2673 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2674 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2675 			continue;
2676 		if (++idx <= state->start)
2677 			continue;
2678 		if (state->filter_wiphy != -1 &&
2679 		    state->filter_wiphy != rdev->wiphy_idx)
2680 			continue;
2681 		/* attempt to fit multiple wiphy data chunks into the skb */
2682 		do {
2683 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
2684 						 skb,
2685 						 NETLINK_CB(cb->skb).portid,
2686 						 cb->nlh->nlmsg_seq,
2687 						 NLM_F_MULTI, state);
2688 			if (ret < 0) {
2689 				/*
2690 				 * If sending the wiphy data didn't fit (ENOBUFS
2691 				 * or EMSGSIZE returned), this SKB is still
2692 				 * empty (so it's not too big because another
2693 				 * wiphy dataset is already in the skb) and
2694 				 * we've not tried to adjust the dump allocation
2695 				 * yet ... then adjust the alloc size to be
2696 				 * bigger, and return 1 but with the empty skb.
2697 				 * This results in an empty message being RX'ed
2698 				 * in userspace, but that is ignored.
2699 				 *
2700 				 * We can then retry with the larger buffer.
2701 				 */
2702 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
2703 				    !skb->len && !state->split &&
2704 				    cb->min_dump_alloc < 4096) {
2705 					cb->min_dump_alloc = 4096;
2706 					state->split_start = 0;
2707 					rtnl_unlock();
2708 					return 1;
2709 				}
2710 				idx--;
2711 				break;
2712 			}
2713 		} while (state->split_start > 0);
2714 		break;
2715 	}
2716 	rtnl_unlock();
2717 
2718 	state->start = idx;
2719 
2720 	return skb->len;
2721 }
2722 
2723 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
2724 {
2725 	kfree((void *)cb->args[0]);
2726 	return 0;
2727 }
2728 
2729 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
2730 {
2731 	struct sk_buff *msg;
2732 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2733 	struct nl80211_dump_wiphy_state state = {};
2734 
2735 	msg = nlmsg_new(4096, GFP_KERNEL);
2736 	if (!msg)
2737 		return -ENOMEM;
2738 
2739 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
2740 			       info->snd_portid, info->snd_seq, 0,
2741 			       &state) < 0) {
2742 		nlmsg_free(msg);
2743 		return -ENOBUFS;
2744 	}
2745 
2746 	return genlmsg_reply(msg, info);
2747 }
2748 
2749 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
2750 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
2751 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
2752 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
2753 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
2754 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
2755 };
2756 
2757 static int parse_txq_params(struct nlattr *tb[],
2758 			    struct ieee80211_txq_params *txq_params)
2759 {
2760 	u8 ac;
2761 
2762 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
2763 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
2764 	    !tb[NL80211_TXQ_ATTR_AIFS])
2765 		return -EINVAL;
2766 
2767 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
2768 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
2769 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
2770 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
2771 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
2772 
2773 	if (ac >= NL80211_NUM_ACS)
2774 		return -EINVAL;
2775 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
2776 	return 0;
2777 }
2778 
2779 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
2780 {
2781 	/*
2782 	 * You can only set the channel explicitly for WDS interfaces,
2783 	 * all others have their channel managed via their respective
2784 	 * "establish a connection" command (connect, join, ...)
2785 	 *
2786 	 * For AP/GO and mesh mode, the channel can be set with the
2787 	 * channel userspace API, but is only stored and passed to the
2788 	 * low-level driver when the AP starts or the mesh is joined.
2789 	 * This is for backward compatibility, userspace can also give
2790 	 * the channel in the start-ap or join-mesh commands instead.
2791 	 *
2792 	 * Monitors are special as they are normally slaved to
2793 	 * whatever else is going on, so they have their own special
2794 	 * operation to set the monitor channel if possible.
2795 	 */
2796 	return !wdev ||
2797 		wdev->iftype == NL80211_IFTYPE_AP ||
2798 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
2799 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
2800 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
2801 }
2802 
2803 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
2804 			  struct genl_info *info,
2805 			  struct cfg80211_chan_def *chandef)
2806 {
2807 	struct netlink_ext_ack *extack = info->extack;
2808 	struct nlattr **attrs = info->attrs;
2809 	u32 control_freq;
2810 
2811 	if (!attrs[NL80211_ATTR_WIPHY_FREQ])
2812 		return -EINVAL;
2813 
2814 	control_freq = nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]);
2815 
2816 	memset(chandef, 0, sizeof(*chandef));
2817 
2818 	chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
2819 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
2820 	chandef->center_freq1 = control_freq;
2821 	chandef->center_freq2 = 0;
2822 
2823 	/* Primary channel not allowed */
2824 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
2825 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
2826 				    "Channel is disabled");
2827 		return -EINVAL;
2828 	}
2829 
2830 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
2831 		enum nl80211_channel_type chantype;
2832 
2833 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
2834 
2835 		switch (chantype) {
2836 		case NL80211_CHAN_NO_HT:
2837 		case NL80211_CHAN_HT20:
2838 		case NL80211_CHAN_HT40PLUS:
2839 		case NL80211_CHAN_HT40MINUS:
2840 			cfg80211_chandef_create(chandef, chandef->chan,
2841 						chantype);
2842 			/* user input for center_freq is incorrect */
2843 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
2844 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
2845 				NL_SET_ERR_MSG_ATTR(extack,
2846 						    attrs[NL80211_ATTR_CENTER_FREQ1],
2847 						    "bad center frequency 1");
2848 				return -EINVAL;
2849 			}
2850 			/* center_freq2 must be zero */
2851 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
2852 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
2853 				NL_SET_ERR_MSG_ATTR(extack,
2854 						    attrs[NL80211_ATTR_CENTER_FREQ2],
2855 						    "center frequency 2 can't be used");
2856 				return -EINVAL;
2857 			}
2858 			break;
2859 		default:
2860 			NL_SET_ERR_MSG_ATTR(extack,
2861 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
2862 					    "invalid channel type");
2863 			return -EINVAL;
2864 		}
2865 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
2866 		chandef->width =
2867 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
2868 		if (attrs[NL80211_ATTR_CENTER_FREQ1])
2869 			chandef->center_freq1 =
2870 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
2871 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
2872 			chandef->center_freq2 =
2873 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
2874 	}
2875 
2876 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
2877 		chandef->edmg.channels =
2878 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
2879 
2880 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
2881 			chandef->edmg.bw_config =
2882 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
2883 	} else {
2884 		chandef->edmg.bw_config = 0;
2885 		chandef->edmg.channels = 0;
2886 	}
2887 
2888 	if (!cfg80211_chandef_valid(chandef)) {
2889 		NL_SET_ERR_MSG(extack, "invalid channel definition");
2890 		return -EINVAL;
2891 	}
2892 
2893 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
2894 				     IEEE80211_CHAN_DISABLED)) {
2895 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
2896 		return -EINVAL;
2897 	}
2898 
2899 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
2900 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
2901 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
2902 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
2903 		return -EINVAL;
2904 	}
2905 
2906 	return 0;
2907 }
2908 
2909 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
2910 				 struct net_device *dev,
2911 				 struct genl_info *info)
2912 {
2913 	struct cfg80211_chan_def chandef;
2914 	int result;
2915 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
2916 	struct wireless_dev *wdev = NULL;
2917 
2918 	if (dev)
2919 		wdev = dev->ieee80211_ptr;
2920 	if (!nl80211_can_set_dev_channel(wdev))
2921 		return -EOPNOTSUPP;
2922 	if (wdev)
2923 		iftype = wdev->iftype;
2924 
2925 	result = nl80211_parse_chandef(rdev, info, &chandef);
2926 	if (result)
2927 		return result;
2928 
2929 	switch (iftype) {
2930 	case NL80211_IFTYPE_AP:
2931 	case NL80211_IFTYPE_P2P_GO:
2932 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
2933 						   iftype)) {
2934 			result = -EINVAL;
2935 			break;
2936 		}
2937 		if (wdev->beacon_interval) {
2938 			if (!dev || !rdev->ops->set_ap_chanwidth ||
2939 			    !(rdev->wiphy.features &
2940 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
2941 				result = -EBUSY;
2942 				break;
2943 			}
2944 
2945 			/* Only allow dynamic channel width changes */
2946 			if (chandef.chan != wdev->preset_chandef.chan) {
2947 				result = -EBUSY;
2948 				break;
2949 			}
2950 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
2951 			if (result)
2952 				break;
2953 		}
2954 		wdev->preset_chandef = chandef;
2955 		result = 0;
2956 		break;
2957 	case NL80211_IFTYPE_MESH_POINT:
2958 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
2959 		break;
2960 	case NL80211_IFTYPE_MONITOR:
2961 		result = cfg80211_set_monitor_channel(rdev, &chandef);
2962 		break;
2963 	default:
2964 		result = -EINVAL;
2965 	}
2966 
2967 	return result;
2968 }
2969 
2970 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
2971 {
2972 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2973 	struct net_device *netdev = info->user_ptr[1];
2974 
2975 	return __nl80211_set_channel(rdev, netdev, info);
2976 }
2977 
2978 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
2979 {
2980 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2981 	struct net_device *dev = info->user_ptr[1];
2982 	struct wireless_dev *wdev = dev->ieee80211_ptr;
2983 	const u8 *bssid;
2984 
2985 	if (!info->attrs[NL80211_ATTR_MAC])
2986 		return -EINVAL;
2987 
2988 	if (netif_running(dev))
2989 		return -EBUSY;
2990 
2991 	if (!rdev->ops->set_wds_peer)
2992 		return -EOPNOTSUPP;
2993 
2994 	if (wdev->iftype != NL80211_IFTYPE_WDS)
2995 		return -EOPNOTSUPP;
2996 
2997 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
2998 	return rdev_set_wds_peer(rdev, dev, bssid);
2999 }
3000 
3001 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3002 {
3003 	struct cfg80211_registered_device *rdev;
3004 	struct net_device *netdev = NULL;
3005 	struct wireless_dev *wdev;
3006 	int result = 0, rem_txq_params = 0;
3007 	struct nlattr *nl_txq_params;
3008 	u32 changed;
3009 	u8 retry_short = 0, retry_long = 0;
3010 	u32 frag_threshold = 0, rts_threshold = 0;
3011 	u8 coverage_class = 0;
3012 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3013 
3014 	ASSERT_RTNL();
3015 
3016 	/*
3017 	 * Try to find the wiphy and netdev. Normally this
3018 	 * function shouldn't need the netdev, but this is
3019 	 * done for backward compatibility -- previously
3020 	 * setting the channel was done per wiphy, but now
3021 	 * it is per netdev. Previous userland like hostapd
3022 	 * also passed a netdev to set_wiphy, so that it is
3023 	 * possible to let that go to the right netdev!
3024 	 */
3025 
3026 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3027 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3028 
3029 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3030 		if (netdev && netdev->ieee80211_ptr)
3031 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3032 		else
3033 			netdev = NULL;
3034 	}
3035 
3036 	if (!netdev) {
3037 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3038 						  info->attrs);
3039 		if (IS_ERR(rdev))
3040 			return PTR_ERR(rdev);
3041 		wdev = NULL;
3042 		netdev = NULL;
3043 		result = 0;
3044 	} else
3045 		wdev = netdev->ieee80211_ptr;
3046 
3047 	/*
3048 	 * end workaround code, by now the rdev is available
3049 	 * and locked, and wdev may or may not be NULL.
3050 	 */
3051 
3052 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3053 		result = cfg80211_dev_rename(
3054 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3055 
3056 	if (result)
3057 		return result;
3058 
3059 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3060 		struct ieee80211_txq_params txq_params;
3061 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3062 
3063 		if (!rdev->ops->set_txq_params)
3064 			return -EOPNOTSUPP;
3065 
3066 		if (!netdev)
3067 			return -EINVAL;
3068 
3069 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3070 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3071 			return -EINVAL;
3072 
3073 		if (!netif_running(netdev))
3074 			return -ENETDOWN;
3075 
3076 		nla_for_each_nested(nl_txq_params,
3077 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3078 				    rem_txq_params) {
3079 			result = nla_parse_nested_deprecated(tb,
3080 							     NL80211_TXQ_ATTR_MAX,
3081 							     nl_txq_params,
3082 							     txq_params_policy,
3083 							     info->extack);
3084 			if (result)
3085 				return result;
3086 			result = parse_txq_params(tb, &txq_params);
3087 			if (result)
3088 				return result;
3089 
3090 			result = rdev_set_txq_params(rdev, netdev,
3091 						     &txq_params);
3092 			if (result)
3093 				return result;
3094 		}
3095 	}
3096 
3097 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3098 		result = __nl80211_set_channel(
3099 			rdev,
3100 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3101 			info);
3102 		if (result)
3103 			return result;
3104 	}
3105 
3106 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3107 		struct wireless_dev *txp_wdev = wdev;
3108 		enum nl80211_tx_power_setting type;
3109 		int idx, mbm = 0;
3110 
3111 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3112 			txp_wdev = NULL;
3113 
3114 		if (!rdev->ops->set_tx_power)
3115 			return -EOPNOTSUPP;
3116 
3117 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3118 		type = nla_get_u32(info->attrs[idx]);
3119 
3120 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3121 		    (type != NL80211_TX_POWER_AUTOMATIC))
3122 			return -EINVAL;
3123 
3124 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3125 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3126 			mbm = nla_get_u32(info->attrs[idx]);
3127 		}
3128 
3129 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3130 		if (result)
3131 			return result;
3132 	}
3133 
3134 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3135 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3136 		u32 tx_ant, rx_ant;
3137 
3138 		if ((!rdev->wiphy.available_antennas_tx &&
3139 		     !rdev->wiphy.available_antennas_rx) ||
3140 		    !rdev->ops->set_antenna)
3141 			return -EOPNOTSUPP;
3142 
3143 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3144 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3145 
3146 		/* reject antenna configurations which don't match the
3147 		 * available antenna masks, except for the "all" mask */
3148 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3149 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
3150 			return -EINVAL;
3151 
3152 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3153 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3154 
3155 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3156 		if (result)
3157 			return result;
3158 	}
3159 
3160 	changed = 0;
3161 
3162 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3163 		retry_short = nla_get_u8(
3164 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3165 
3166 		changed |= WIPHY_PARAM_RETRY_SHORT;
3167 	}
3168 
3169 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3170 		retry_long = nla_get_u8(
3171 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3172 
3173 		changed |= WIPHY_PARAM_RETRY_LONG;
3174 	}
3175 
3176 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3177 		frag_threshold = nla_get_u32(
3178 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3179 		if (frag_threshold < 256)
3180 			return -EINVAL;
3181 
3182 		if (frag_threshold != (u32) -1) {
3183 			/*
3184 			 * Fragments (apart from the last one) are required to
3185 			 * have even length. Make the fragmentation code
3186 			 * simpler by stripping LSB should someone try to use
3187 			 * odd threshold value.
3188 			 */
3189 			frag_threshold &= ~0x1;
3190 		}
3191 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3192 	}
3193 
3194 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3195 		rts_threshold = nla_get_u32(
3196 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3197 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3198 	}
3199 
3200 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3201 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
3202 			return -EINVAL;
3203 
3204 		coverage_class = nla_get_u8(
3205 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3206 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3207 	}
3208 
3209 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3210 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
3211 			return -EOPNOTSUPP;
3212 
3213 		changed |= WIPHY_PARAM_DYN_ACK;
3214 	}
3215 
3216 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3217 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3218 					     NL80211_EXT_FEATURE_TXQS))
3219 			return -EOPNOTSUPP;
3220 		txq_limit = nla_get_u32(
3221 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3222 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3223 	}
3224 
3225 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3226 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3227 					     NL80211_EXT_FEATURE_TXQS))
3228 			return -EOPNOTSUPP;
3229 		txq_memory_limit = nla_get_u32(
3230 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3231 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3232 	}
3233 
3234 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3235 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3236 					     NL80211_EXT_FEATURE_TXQS))
3237 			return -EOPNOTSUPP;
3238 		txq_quantum = nla_get_u32(
3239 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3240 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3241 	}
3242 
3243 	if (changed) {
3244 		u8 old_retry_short, old_retry_long;
3245 		u32 old_frag_threshold, old_rts_threshold;
3246 		u8 old_coverage_class;
3247 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3248 
3249 		if (!rdev->ops->set_wiphy_params)
3250 			return -EOPNOTSUPP;
3251 
3252 		old_retry_short = rdev->wiphy.retry_short;
3253 		old_retry_long = rdev->wiphy.retry_long;
3254 		old_frag_threshold = rdev->wiphy.frag_threshold;
3255 		old_rts_threshold = rdev->wiphy.rts_threshold;
3256 		old_coverage_class = rdev->wiphy.coverage_class;
3257 		old_txq_limit = rdev->wiphy.txq_limit;
3258 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3259 		old_txq_quantum = rdev->wiphy.txq_quantum;
3260 
3261 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3262 			rdev->wiphy.retry_short = retry_short;
3263 		if (changed & WIPHY_PARAM_RETRY_LONG)
3264 			rdev->wiphy.retry_long = retry_long;
3265 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3266 			rdev->wiphy.frag_threshold = frag_threshold;
3267 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3268 			rdev->wiphy.rts_threshold = rts_threshold;
3269 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3270 			rdev->wiphy.coverage_class = coverage_class;
3271 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3272 			rdev->wiphy.txq_limit = txq_limit;
3273 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3274 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3275 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3276 			rdev->wiphy.txq_quantum = txq_quantum;
3277 
3278 		result = rdev_set_wiphy_params(rdev, changed);
3279 		if (result) {
3280 			rdev->wiphy.retry_short = old_retry_short;
3281 			rdev->wiphy.retry_long = old_retry_long;
3282 			rdev->wiphy.frag_threshold = old_frag_threshold;
3283 			rdev->wiphy.rts_threshold = old_rts_threshold;
3284 			rdev->wiphy.coverage_class = old_coverage_class;
3285 			rdev->wiphy.txq_limit = old_txq_limit;
3286 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3287 			rdev->wiphy.txq_quantum = old_txq_quantum;
3288 			return result;
3289 		}
3290 	}
3291 	return 0;
3292 }
3293 
3294 static int nl80211_send_chandef(struct sk_buff *msg,
3295 				const struct cfg80211_chan_def *chandef)
3296 {
3297 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3298 		return -EINVAL;
3299 
3300 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3301 			chandef->chan->center_freq))
3302 		return -ENOBUFS;
3303 	switch (chandef->width) {
3304 	case NL80211_CHAN_WIDTH_20_NOHT:
3305 	case NL80211_CHAN_WIDTH_20:
3306 	case NL80211_CHAN_WIDTH_40:
3307 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3308 				cfg80211_get_chandef_type(chandef)))
3309 			return -ENOBUFS;
3310 		break;
3311 	default:
3312 		break;
3313 	}
3314 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3315 		return -ENOBUFS;
3316 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3317 		return -ENOBUFS;
3318 	if (chandef->center_freq2 &&
3319 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3320 		return -ENOBUFS;
3321 	return 0;
3322 }
3323 
3324 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3325 			      struct cfg80211_registered_device *rdev,
3326 			      struct wireless_dev *wdev,
3327 			      enum nl80211_commands cmd)
3328 {
3329 	struct net_device *dev = wdev->netdev;
3330 	void *hdr;
3331 
3332 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3333 		cmd != NL80211_CMD_DEL_INTERFACE &&
3334 		cmd != NL80211_CMD_SET_INTERFACE);
3335 
3336 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3337 	if (!hdr)
3338 		return -1;
3339 
3340 	if (dev &&
3341 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3342 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3343 		goto nla_put_failure;
3344 
3345 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3346 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3347 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3348 			      NL80211_ATTR_PAD) ||
3349 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3350 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3351 			rdev->devlist_generation ^
3352 			(cfg80211_rdev_list_generation << 2)) ||
3353 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3354 		goto nla_put_failure;
3355 
3356 	if (rdev->ops->get_channel) {
3357 		int ret;
3358 		struct cfg80211_chan_def chandef = {};
3359 
3360 		ret = rdev_get_channel(rdev, wdev, &chandef);
3361 		if (ret == 0) {
3362 			if (nl80211_send_chandef(msg, &chandef))
3363 				goto nla_put_failure;
3364 		}
3365 	}
3366 
3367 	if (rdev->ops->get_tx_power) {
3368 		int dbm, ret;
3369 
3370 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3371 		if (ret == 0 &&
3372 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3373 				DBM_TO_MBM(dbm)))
3374 			goto nla_put_failure;
3375 	}
3376 
3377 	wdev_lock(wdev);
3378 	switch (wdev->iftype) {
3379 	case NL80211_IFTYPE_AP:
3380 		if (wdev->ssid_len &&
3381 		    nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
3382 			goto nla_put_failure_locked;
3383 		break;
3384 	case NL80211_IFTYPE_STATION:
3385 	case NL80211_IFTYPE_P2P_CLIENT:
3386 	case NL80211_IFTYPE_ADHOC: {
3387 		const u8 *ssid_ie;
3388 		if (!wdev->current_bss)
3389 			break;
3390 		rcu_read_lock();
3391 		ssid_ie = ieee80211_bss_get_ie(&wdev->current_bss->pub,
3392 					       WLAN_EID_SSID);
3393 		if (ssid_ie &&
3394 		    nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2))
3395 			goto nla_put_failure_rcu_locked;
3396 		rcu_read_unlock();
3397 		break;
3398 		}
3399 	default:
3400 		/* nothing */
3401 		break;
3402 	}
3403 	wdev_unlock(wdev);
3404 
3405 	if (rdev->ops->get_txq_stats) {
3406 		struct cfg80211_txq_stats txqstats = {};
3407 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3408 
3409 		if (ret == 0 &&
3410 		    !nl80211_put_txq_stats(msg, &txqstats,
3411 					   NL80211_ATTR_TXQ_STATS))
3412 			goto nla_put_failure;
3413 	}
3414 
3415 	genlmsg_end(msg, hdr);
3416 	return 0;
3417 
3418  nla_put_failure_rcu_locked:
3419 	rcu_read_unlock();
3420  nla_put_failure_locked:
3421 	wdev_unlock(wdev);
3422  nla_put_failure:
3423 	genlmsg_cancel(msg, hdr);
3424 	return -EMSGSIZE;
3425 }
3426 
3427 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3428 {
3429 	int wp_idx = 0;
3430 	int if_idx = 0;
3431 	int wp_start = cb->args[0];
3432 	int if_start = cb->args[1];
3433 	int filter_wiphy = -1;
3434 	struct cfg80211_registered_device *rdev;
3435 	struct wireless_dev *wdev;
3436 	int ret;
3437 
3438 	rtnl_lock();
3439 	if (!cb->args[2]) {
3440 		struct nl80211_dump_wiphy_state state = {
3441 			.filter_wiphy = -1,
3442 		};
3443 
3444 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3445 		if (ret)
3446 			goto out_unlock;
3447 
3448 		filter_wiphy = state.filter_wiphy;
3449 
3450 		/*
3451 		 * if filtering, set cb->args[2] to +1 since 0 is the default
3452 		 * value needed to determine that parsing is necessary.
3453 		 */
3454 		if (filter_wiphy >= 0)
3455 			cb->args[2] = filter_wiphy + 1;
3456 		else
3457 			cb->args[2] = -1;
3458 	} else if (cb->args[2] > 0) {
3459 		filter_wiphy = cb->args[2] - 1;
3460 	}
3461 
3462 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3463 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3464 			continue;
3465 		if (wp_idx < wp_start) {
3466 			wp_idx++;
3467 			continue;
3468 		}
3469 
3470 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3471 			continue;
3472 
3473 		if_idx = 0;
3474 
3475 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3476 			if (if_idx < if_start) {
3477 				if_idx++;
3478 				continue;
3479 			}
3480 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
3481 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
3482 					       rdev, wdev,
3483 					       NL80211_CMD_NEW_INTERFACE) < 0) {
3484 				goto out;
3485 			}
3486 			if_idx++;
3487 		}
3488 
3489 		wp_idx++;
3490 	}
3491  out:
3492 	cb->args[0] = wp_idx;
3493 	cb->args[1] = if_idx;
3494 
3495 	ret = skb->len;
3496  out_unlock:
3497 	rtnl_unlock();
3498 
3499 	return ret;
3500 }
3501 
3502 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3503 {
3504 	struct sk_buff *msg;
3505 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3506 	struct wireless_dev *wdev = info->user_ptr[1];
3507 
3508 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3509 	if (!msg)
3510 		return -ENOMEM;
3511 
3512 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3513 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3514 		nlmsg_free(msg);
3515 		return -ENOBUFS;
3516 	}
3517 
3518 	return genlmsg_reply(msg, info);
3519 }
3520 
3521 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
3522 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
3523 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
3524 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
3525 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
3526 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
3527 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
3528 };
3529 
3530 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
3531 {
3532 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
3533 	int flag;
3534 
3535 	*mntrflags = 0;
3536 
3537 	if (!nla)
3538 		return -EINVAL;
3539 
3540 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
3541 		return -EINVAL;
3542 
3543 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
3544 		if (flags[flag])
3545 			*mntrflags |= (1<<flag);
3546 
3547 	*mntrflags |= MONITOR_FLAG_CHANGED;
3548 
3549 	return 0;
3550 }
3551 
3552 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
3553 				     enum nl80211_iftype type,
3554 				     struct genl_info *info,
3555 				     struct vif_params *params)
3556 {
3557 	bool change = false;
3558 	int err;
3559 
3560 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
3561 		if (type != NL80211_IFTYPE_MONITOR)
3562 			return -EINVAL;
3563 
3564 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
3565 					  &params->flags);
3566 		if (err)
3567 			return err;
3568 
3569 		change = true;
3570 	}
3571 
3572 	if (params->flags & MONITOR_FLAG_ACTIVE &&
3573 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
3574 		return -EOPNOTSUPP;
3575 
3576 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
3577 		const u8 *mumimo_groups;
3578 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3579 
3580 		if (type != NL80211_IFTYPE_MONITOR)
3581 			return -EINVAL;
3582 
3583 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3584 			return -EOPNOTSUPP;
3585 
3586 		mumimo_groups =
3587 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
3588 
3589 		/* bits 0 and 63 are reserved and must be zero */
3590 		if ((mumimo_groups[0] & BIT(0)) ||
3591 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
3592 			return -EINVAL;
3593 
3594 		params->vht_mumimo_groups = mumimo_groups;
3595 		change = true;
3596 	}
3597 
3598 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
3599 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3600 
3601 		if (type != NL80211_IFTYPE_MONITOR)
3602 			return -EINVAL;
3603 
3604 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3605 			return -EOPNOTSUPP;
3606 
3607 		params->vht_mumimo_follow_addr =
3608 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
3609 		change = true;
3610 	}
3611 
3612 	return change ? 1 : 0;
3613 }
3614 
3615 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
3616 			       struct net_device *netdev, u8 use_4addr,
3617 			       enum nl80211_iftype iftype)
3618 {
3619 	if (!use_4addr) {
3620 		if (netdev && netif_is_bridge_port(netdev))
3621 			return -EBUSY;
3622 		return 0;
3623 	}
3624 
3625 	switch (iftype) {
3626 	case NL80211_IFTYPE_AP_VLAN:
3627 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
3628 			return 0;
3629 		break;
3630 	case NL80211_IFTYPE_STATION:
3631 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
3632 			return 0;
3633 		break;
3634 	default:
3635 		break;
3636 	}
3637 
3638 	return -EOPNOTSUPP;
3639 }
3640 
3641 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
3642 {
3643 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3644 	struct vif_params params;
3645 	int err;
3646 	enum nl80211_iftype otype, ntype;
3647 	struct net_device *dev = info->user_ptr[1];
3648 	bool change = false;
3649 
3650 	memset(&params, 0, sizeof(params));
3651 
3652 	otype = ntype = dev->ieee80211_ptr->iftype;
3653 
3654 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
3655 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3656 		if (otype != ntype)
3657 			change = true;
3658 	}
3659 
3660 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
3661 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3662 
3663 		if (ntype != NL80211_IFTYPE_MESH_POINT)
3664 			return -EINVAL;
3665 		if (netif_running(dev))
3666 			return -EBUSY;
3667 
3668 		wdev_lock(wdev);
3669 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3670 			     IEEE80211_MAX_MESH_ID_LEN);
3671 		wdev->mesh_id_up_len =
3672 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3673 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3674 		       wdev->mesh_id_up_len);
3675 		wdev_unlock(wdev);
3676 	}
3677 
3678 	if (info->attrs[NL80211_ATTR_4ADDR]) {
3679 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3680 		change = true;
3681 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
3682 		if (err)
3683 			return err;
3684 	} else {
3685 		params.use_4addr = -1;
3686 	}
3687 
3688 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
3689 	if (err < 0)
3690 		return err;
3691 	if (err > 0)
3692 		change = true;
3693 
3694 	if (change)
3695 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
3696 	else
3697 		err = 0;
3698 
3699 	if (!err && params.use_4addr != -1)
3700 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
3701 
3702 	if (change && !err) {
3703 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3704 
3705 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
3706 	}
3707 
3708 	return err;
3709 }
3710 
3711 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
3712 {
3713 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3714 	struct vif_params params;
3715 	struct wireless_dev *wdev;
3716 	struct sk_buff *msg;
3717 	int err;
3718 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
3719 
3720 	/* to avoid failing a new interface creation due to pending removal */
3721 	cfg80211_destroy_ifaces(rdev);
3722 
3723 	memset(&params, 0, sizeof(params));
3724 
3725 	if (!info->attrs[NL80211_ATTR_IFNAME])
3726 		return -EINVAL;
3727 
3728 	if (info->attrs[NL80211_ATTR_IFTYPE])
3729 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3730 
3731 	if (!rdev->ops->add_virtual_intf)
3732 		return -EOPNOTSUPP;
3733 
3734 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
3735 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
3736 	    info->attrs[NL80211_ATTR_MAC]) {
3737 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
3738 			   ETH_ALEN);
3739 		if (!is_valid_ether_addr(params.macaddr))
3740 			return -EADDRNOTAVAIL;
3741 	}
3742 
3743 	if (info->attrs[NL80211_ATTR_4ADDR]) {
3744 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3745 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
3746 		if (err)
3747 			return err;
3748 	}
3749 
3750 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
3751 		return -EOPNOTSUPP;
3752 
3753 	err = nl80211_parse_mon_options(rdev, type, info, &params);
3754 	if (err < 0)
3755 		return err;
3756 
3757 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3758 	if (!msg)
3759 		return -ENOMEM;
3760 
3761 	wdev = rdev_add_virtual_intf(rdev,
3762 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
3763 				NET_NAME_USER, type, &params);
3764 	if (WARN_ON(!wdev)) {
3765 		nlmsg_free(msg);
3766 		return -EPROTO;
3767 	} else if (IS_ERR(wdev)) {
3768 		nlmsg_free(msg);
3769 		return PTR_ERR(wdev);
3770 	}
3771 
3772 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
3773 		wdev->owner_nlportid = info->snd_portid;
3774 
3775 	switch (type) {
3776 	case NL80211_IFTYPE_MESH_POINT:
3777 		if (!info->attrs[NL80211_ATTR_MESH_ID])
3778 			break;
3779 		wdev_lock(wdev);
3780 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3781 			     IEEE80211_MAX_MESH_ID_LEN);
3782 		wdev->mesh_id_up_len =
3783 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3784 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3785 		       wdev->mesh_id_up_len);
3786 		wdev_unlock(wdev);
3787 		break;
3788 	case NL80211_IFTYPE_NAN:
3789 	case NL80211_IFTYPE_P2P_DEVICE:
3790 		/*
3791 		 * P2P Device and NAN do not have a netdev, so don't go
3792 		 * through the netdev notifier and must be added here
3793 		 */
3794 		cfg80211_init_wdev(rdev, wdev);
3795 		break;
3796 	default:
3797 		break;
3798 	}
3799 
3800 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3801 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3802 		nlmsg_free(msg);
3803 		return -ENOBUFS;
3804 	}
3805 
3806 	return genlmsg_reply(msg, info);
3807 }
3808 
3809 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
3810 {
3811 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3812 	struct wireless_dev *wdev = info->user_ptr[1];
3813 
3814 	if (!rdev->ops->del_virtual_intf)
3815 		return -EOPNOTSUPP;
3816 
3817 	/*
3818 	 * If we remove a wireless device without a netdev then clear
3819 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
3820 	 * to check if it needs to do dev_put(). Otherwise it crashes
3821 	 * since the wdev has been freed, unlike with a netdev where
3822 	 * we need the dev_put() for the netdev to really be freed.
3823 	 */
3824 	if (!wdev->netdev)
3825 		info->user_ptr[1] = NULL;
3826 
3827 	return rdev_del_virtual_intf(rdev, wdev);
3828 }
3829 
3830 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
3831 {
3832 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3833 	struct net_device *dev = info->user_ptr[1];
3834 	u16 noack_map;
3835 
3836 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
3837 		return -EINVAL;
3838 
3839 	if (!rdev->ops->set_noack_map)
3840 		return -EOPNOTSUPP;
3841 
3842 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
3843 
3844 	return rdev_set_noack_map(rdev, dev, noack_map);
3845 }
3846 
3847 struct get_key_cookie {
3848 	struct sk_buff *msg;
3849 	int error;
3850 	int idx;
3851 };
3852 
3853 static void get_key_callback(void *c, struct key_params *params)
3854 {
3855 	struct nlattr *key;
3856 	struct get_key_cookie *cookie = c;
3857 
3858 	if ((params->key &&
3859 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
3860 		     params->key_len, params->key)) ||
3861 	    (params->seq &&
3862 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
3863 		     params->seq_len, params->seq)) ||
3864 	    (params->cipher &&
3865 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
3866 			 params->cipher)))
3867 		goto nla_put_failure;
3868 
3869 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
3870 	if (!key)
3871 		goto nla_put_failure;
3872 
3873 	if ((params->key &&
3874 	     nla_put(cookie->msg, NL80211_KEY_DATA,
3875 		     params->key_len, params->key)) ||
3876 	    (params->seq &&
3877 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
3878 		     params->seq_len, params->seq)) ||
3879 	    (params->cipher &&
3880 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
3881 			 params->cipher)))
3882 		goto nla_put_failure;
3883 
3884 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
3885 		goto nla_put_failure;
3886 
3887 	nla_nest_end(cookie->msg, key);
3888 
3889 	return;
3890  nla_put_failure:
3891 	cookie->error = 1;
3892 }
3893 
3894 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
3895 {
3896 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3897 	int err;
3898 	struct net_device *dev = info->user_ptr[1];
3899 	u8 key_idx = 0;
3900 	const u8 *mac_addr = NULL;
3901 	bool pairwise;
3902 	struct get_key_cookie cookie = {
3903 		.error = 0,
3904 	};
3905 	void *hdr;
3906 	struct sk_buff *msg;
3907 
3908 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
3909 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
3910 		if (key_idx > 5 &&
3911 		    !wiphy_ext_feature_isset(
3912 			    &rdev->wiphy,
3913 			    NL80211_EXT_FEATURE_BEACON_PROTECTION))
3914 			return -EINVAL;
3915 	}
3916 
3917 	if (info->attrs[NL80211_ATTR_MAC])
3918 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3919 
3920 	pairwise = !!mac_addr;
3921 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
3922 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
3923 
3924 		if (kt != NL80211_KEYTYPE_GROUP &&
3925 		    kt != NL80211_KEYTYPE_PAIRWISE)
3926 			return -EINVAL;
3927 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
3928 	}
3929 
3930 	if (!rdev->ops->get_key)
3931 		return -EOPNOTSUPP;
3932 
3933 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3934 		return -ENOENT;
3935 
3936 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3937 	if (!msg)
3938 		return -ENOMEM;
3939 
3940 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
3941 			     NL80211_CMD_NEW_KEY);
3942 	if (!hdr)
3943 		goto nla_put_failure;
3944 
3945 	cookie.msg = msg;
3946 	cookie.idx = key_idx;
3947 
3948 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3949 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
3950 		goto nla_put_failure;
3951 	if (mac_addr &&
3952 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
3953 		goto nla_put_failure;
3954 
3955 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
3956 			   get_key_callback);
3957 
3958 	if (err)
3959 		goto free_msg;
3960 
3961 	if (cookie.error)
3962 		goto nla_put_failure;
3963 
3964 	genlmsg_end(msg, hdr);
3965 	return genlmsg_reply(msg, info);
3966 
3967  nla_put_failure:
3968 	err = -ENOBUFS;
3969  free_msg:
3970 	nlmsg_free(msg);
3971 	return err;
3972 }
3973 
3974 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
3975 {
3976 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3977 	struct key_parse key;
3978 	int err;
3979 	struct net_device *dev = info->user_ptr[1];
3980 
3981 	err = nl80211_parse_key(info, &key);
3982 	if (err)
3983 		return err;
3984 
3985 	if (key.idx < 0)
3986 		return -EINVAL;
3987 
3988 	/* Only support setting default key and
3989 	 * Extended Key ID action NL80211_KEY_SET_TX.
3990 	 */
3991 	if (!key.def && !key.defmgmt && !key.defbeacon &&
3992 	    !(key.p.mode == NL80211_KEY_SET_TX))
3993 		return -EINVAL;
3994 
3995 	wdev_lock(dev->ieee80211_ptr);
3996 
3997 	if (key.def) {
3998 		if (!rdev->ops->set_default_key) {
3999 			err = -EOPNOTSUPP;
4000 			goto out;
4001 		}
4002 
4003 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4004 		if (err)
4005 			goto out;
4006 
4007 		err = rdev_set_default_key(rdev, dev, key.idx,
4008 						 key.def_uni, key.def_multi);
4009 
4010 		if (err)
4011 			goto out;
4012 
4013 #ifdef CONFIG_CFG80211_WEXT
4014 		dev->ieee80211_ptr->wext.default_key = key.idx;
4015 #endif
4016 	} else if (key.defmgmt) {
4017 		if (key.def_uni || !key.def_multi) {
4018 			err = -EINVAL;
4019 			goto out;
4020 		}
4021 
4022 		if (!rdev->ops->set_default_mgmt_key) {
4023 			err = -EOPNOTSUPP;
4024 			goto out;
4025 		}
4026 
4027 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4028 		if (err)
4029 			goto out;
4030 
4031 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
4032 		if (err)
4033 			goto out;
4034 
4035 #ifdef CONFIG_CFG80211_WEXT
4036 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
4037 #endif
4038 	} else if (key.defbeacon) {
4039 		if (key.def_uni || !key.def_multi) {
4040 			err = -EINVAL;
4041 			goto out;
4042 		}
4043 
4044 		if (!rdev->ops->set_default_beacon_key) {
4045 			err = -EOPNOTSUPP;
4046 			goto out;
4047 		}
4048 
4049 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4050 		if (err)
4051 			goto out;
4052 
4053 		err = rdev_set_default_beacon_key(rdev, dev, key.idx);
4054 		if (err)
4055 			goto out;
4056 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4057 		   wiphy_ext_feature_isset(&rdev->wiphy,
4058 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4059 		u8 *mac_addr = NULL;
4060 
4061 		if (info->attrs[NL80211_ATTR_MAC])
4062 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4063 
4064 		if (!mac_addr || key.idx < 0 || key.idx > 1) {
4065 			err = -EINVAL;
4066 			goto out;
4067 		}
4068 
4069 		err = rdev_add_key(rdev, dev, key.idx,
4070 				   NL80211_KEYTYPE_PAIRWISE,
4071 				   mac_addr, &key.p);
4072 	} else {
4073 		err = -EINVAL;
4074 	}
4075  out:
4076 	wdev_unlock(dev->ieee80211_ptr);
4077 
4078 	return err;
4079 }
4080 
4081 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4082 {
4083 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4084 	int err;
4085 	struct net_device *dev = info->user_ptr[1];
4086 	struct key_parse key;
4087 	const u8 *mac_addr = NULL;
4088 
4089 	err = nl80211_parse_key(info, &key);
4090 	if (err)
4091 		return err;
4092 
4093 	if (!key.p.key) {
4094 		GENL_SET_ERR_MSG(info, "no key");
4095 		return -EINVAL;
4096 	}
4097 
4098 	if (info->attrs[NL80211_ATTR_MAC])
4099 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4100 
4101 	if (key.type == -1) {
4102 		if (mac_addr)
4103 			key.type = NL80211_KEYTYPE_PAIRWISE;
4104 		else
4105 			key.type = NL80211_KEYTYPE_GROUP;
4106 	}
4107 
4108 	/* for now */
4109 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4110 	    key.type != NL80211_KEYTYPE_GROUP) {
4111 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4112 		return -EINVAL;
4113 	}
4114 
4115 	if (key.type == NL80211_KEYTYPE_GROUP &&
4116 	    info->attrs[NL80211_ATTR_VLAN_ID])
4117 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4118 
4119 	if (!rdev->ops->add_key)
4120 		return -EOPNOTSUPP;
4121 
4122 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4123 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4124 					   mac_addr)) {
4125 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4126 		return -EINVAL;
4127 	}
4128 
4129 	wdev_lock(dev->ieee80211_ptr);
4130 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4131 	if (err)
4132 		GENL_SET_ERR_MSG(info, "key not allowed");
4133 	if (!err) {
4134 		err = rdev_add_key(rdev, dev, key.idx,
4135 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4136 				    mac_addr, &key.p);
4137 		if (err)
4138 			GENL_SET_ERR_MSG(info, "key addition failed");
4139 	}
4140 	wdev_unlock(dev->ieee80211_ptr);
4141 
4142 	return err;
4143 }
4144 
4145 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4146 {
4147 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4148 	int err;
4149 	struct net_device *dev = info->user_ptr[1];
4150 	u8 *mac_addr = NULL;
4151 	struct key_parse key;
4152 
4153 	err = nl80211_parse_key(info, &key);
4154 	if (err)
4155 		return err;
4156 
4157 	if (info->attrs[NL80211_ATTR_MAC])
4158 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4159 
4160 	if (key.type == -1) {
4161 		if (mac_addr)
4162 			key.type = NL80211_KEYTYPE_PAIRWISE;
4163 		else
4164 			key.type = NL80211_KEYTYPE_GROUP;
4165 	}
4166 
4167 	/* for now */
4168 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4169 	    key.type != NL80211_KEYTYPE_GROUP)
4170 		return -EINVAL;
4171 
4172 	if (!rdev->ops->del_key)
4173 		return -EOPNOTSUPP;
4174 
4175 	wdev_lock(dev->ieee80211_ptr);
4176 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4177 
4178 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4179 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4180 		err = -ENOENT;
4181 
4182 	if (!err)
4183 		err = rdev_del_key(rdev, dev, key.idx,
4184 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4185 				   mac_addr);
4186 
4187 #ifdef CONFIG_CFG80211_WEXT
4188 	if (!err) {
4189 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
4190 			dev->ieee80211_ptr->wext.default_key = -1;
4191 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
4192 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
4193 	}
4194 #endif
4195 	wdev_unlock(dev->ieee80211_ptr);
4196 
4197 	return err;
4198 }
4199 
4200 /* This function returns an error or the number of nested attributes */
4201 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4202 {
4203 	struct nlattr *attr;
4204 	int n_entries = 0, tmp;
4205 
4206 	nla_for_each_nested(attr, nl_attr, tmp) {
4207 		if (nla_len(attr) != ETH_ALEN)
4208 			return -EINVAL;
4209 
4210 		n_entries++;
4211 	}
4212 
4213 	return n_entries;
4214 }
4215 
4216 /*
4217  * This function parses ACL information and allocates memory for ACL data.
4218  * On successful return, the calling function is responsible to free the
4219  * ACL buffer returned by this function.
4220  */
4221 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4222 						struct genl_info *info)
4223 {
4224 	enum nl80211_acl_policy acl_policy;
4225 	struct nlattr *attr;
4226 	struct cfg80211_acl_data *acl;
4227 	int i = 0, n_entries, tmp;
4228 
4229 	if (!wiphy->max_acl_mac_addrs)
4230 		return ERR_PTR(-EOPNOTSUPP);
4231 
4232 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4233 		return ERR_PTR(-EINVAL);
4234 
4235 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4236 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4237 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4238 		return ERR_PTR(-EINVAL);
4239 
4240 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4241 		return ERR_PTR(-EINVAL);
4242 
4243 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4244 	if (n_entries < 0)
4245 		return ERR_PTR(n_entries);
4246 
4247 	if (n_entries > wiphy->max_acl_mac_addrs)
4248 		return ERR_PTR(-ENOTSUPP);
4249 
4250 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4251 	if (!acl)
4252 		return ERR_PTR(-ENOMEM);
4253 
4254 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4255 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4256 		i++;
4257 	}
4258 
4259 	acl->n_acl_entries = n_entries;
4260 	acl->acl_policy = acl_policy;
4261 
4262 	return acl;
4263 }
4264 
4265 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4266 {
4267 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4268 	struct net_device *dev = info->user_ptr[1];
4269 	struct cfg80211_acl_data *acl;
4270 	int err;
4271 
4272 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4273 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4274 		return -EOPNOTSUPP;
4275 
4276 	if (!dev->ieee80211_ptr->beacon_interval)
4277 		return -EINVAL;
4278 
4279 	acl = parse_acl_data(&rdev->wiphy, info);
4280 	if (IS_ERR(acl))
4281 		return PTR_ERR(acl);
4282 
4283 	err = rdev_set_mac_acl(rdev, dev, acl);
4284 
4285 	kfree(acl);
4286 
4287 	return err;
4288 }
4289 
4290 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4291 			   u8 *rates, u8 rates_len)
4292 {
4293 	u8 i;
4294 	u32 mask = 0;
4295 
4296 	for (i = 0; i < rates_len; i++) {
4297 		int rate = (rates[i] & 0x7f) * 5;
4298 		int ridx;
4299 
4300 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4301 			struct ieee80211_rate *srate =
4302 				&sband->bitrates[ridx];
4303 			if (rate == srate->bitrate) {
4304 				mask |= 1 << ridx;
4305 				break;
4306 			}
4307 		}
4308 		if (ridx == sband->n_bitrates)
4309 			return 0; /* rate not found */
4310 	}
4311 
4312 	return mask;
4313 }
4314 
4315 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4316 			       u8 *rates, u8 rates_len,
4317 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4318 {
4319 	u8 i;
4320 
4321 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4322 
4323 	for (i = 0; i < rates_len; i++) {
4324 		int ridx, rbit;
4325 
4326 		ridx = rates[i] / 8;
4327 		rbit = BIT(rates[i] % 8);
4328 
4329 		/* check validity */
4330 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4331 			return false;
4332 
4333 		/* check availability */
4334 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4335 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4336 			mcs[ridx] |= rbit;
4337 		else
4338 			return false;
4339 	}
4340 
4341 	return true;
4342 }
4343 
4344 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4345 {
4346 	u16 mcs_mask = 0;
4347 
4348 	switch (vht_mcs_map) {
4349 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4350 		break;
4351 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4352 		mcs_mask = 0x00FF;
4353 		break;
4354 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4355 		mcs_mask = 0x01FF;
4356 		break;
4357 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
4358 		mcs_mask = 0x03FF;
4359 		break;
4360 	default:
4361 		break;
4362 	}
4363 
4364 	return mcs_mask;
4365 }
4366 
4367 static void vht_build_mcs_mask(u16 vht_mcs_map,
4368 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
4369 {
4370 	u8 nss;
4371 
4372 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
4373 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
4374 		vht_mcs_map >>= 2;
4375 	}
4376 }
4377 
4378 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
4379 			     struct nl80211_txrate_vht *txrate,
4380 			     u16 mcs[NL80211_VHT_NSS_MAX])
4381 {
4382 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4383 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
4384 	u8 i;
4385 
4386 	if (!sband->vht_cap.vht_supported)
4387 		return false;
4388 
4389 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
4390 
4391 	/* Build vht_mcs_mask from VHT capabilities */
4392 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4393 
4394 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4395 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4396 			mcs[i] = txrate->mcs[i];
4397 		else
4398 			return false;
4399 	}
4400 
4401 	return true;
4402 }
4403 
4404 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
4405 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
4406 				    .len = NL80211_MAX_SUPP_RATES },
4407 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
4408 				.len = NL80211_MAX_SUPP_HT_RATES },
4409 	[NL80211_TXRATE_VHT] = {
4410 		.type = NLA_EXACT_LEN_WARN,
4411 		.len = sizeof(struct nl80211_txrate_vht),
4412 	},
4413 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
4414 };
4415 
4416 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
4417 					 struct cfg80211_bitrate_mask *mask)
4418 {
4419 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
4420 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4421 	int rem, i;
4422 	struct nlattr *tx_rates;
4423 	struct ieee80211_supported_band *sband;
4424 	u16 vht_tx_mcs_map;
4425 
4426 	memset(mask, 0, sizeof(*mask));
4427 	/* Default to all rates enabled */
4428 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
4429 		sband = rdev->wiphy.bands[i];
4430 
4431 		if (!sband)
4432 			continue;
4433 
4434 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
4435 		memcpy(mask->control[i].ht_mcs,
4436 		       sband->ht_cap.mcs.rx_mask,
4437 		       sizeof(mask->control[i].ht_mcs));
4438 
4439 		if (!sband->vht_cap.vht_supported)
4440 			continue;
4441 
4442 		vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4443 		vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
4444 	}
4445 
4446 	/* if no rates are given set it back to the defaults */
4447 	if (!info->attrs[NL80211_ATTR_TX_RATES])
4448 		goto out;
4449 
4450 	/* The nested attribute uses enum nl80211_band as the index. This maps
4451 	 * directly to the enum nl80211_band values used in cfg80211.
4452 	 */
4453 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
4454 	nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
4455 		enum nl80211_band band = nla_type(tx_rates);
4456 		int err;
4457 
4458 		if (band < 0 || band >= NUM_NL80211_BANDS)
4459 			return -EINVAL;
4460 		sband = rdev->wiphy.bands[band];
4461 		if (sband == NULL)
4462 			return -EINVAL;
4463 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
4464 						  tx_rates,
4465 						  nl80211_txattr_policy,
4466 						  info->extack);
4467 		if (err)
4468 			return err;
4469 		if (tb[NL80211_TXRATE_LEGACY]) {
4470 			mask->control[band].legacy = rateset_to_mask(
4471 				sband,
4472 				nla_data(tb[NL80211_TXRATE_LEGACY]),
4473 				nla_len(tb[NL80211_TXRATE_LEGACY]));
4474 			if ((mask->control[band].legacy == 0) &&
4475 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
4476 				return -EINVAL;
4477 		}
4478 		if (tb[NL80211_TXRATE_HT]) {
4479 			if (!ht_rateset_to_mask(
4480 					sband,
4481 					nla_data(tb[NL80211_TXRATE_HT]),
4482 					nla_len(tb[NL80211_TXRATE_HT]),
4483 					mask->control[band].ht_mcs))
4484 				return -EINVAL;
4485 		}
4486 		if (tb[NL80211_TXRATE_VHT]) {
4487 			if (!vht_set_mcs_mask(
4488 					sband,
4489 					nla_data(tb[NL80211_TXRATE_VHT]),
4490 					mask->control[band].vht_mcs))
4491 				return -EINVAL;
4492 		}
4493 		if (tb[NL80211_TXRATE_GI]) {
4494 			mask->control[band].gi =
4495 				nla_get_u8(tb[NL80211_TXRATE_GI]);
4496 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
4497 				return -EINVAL;
4498 		}
4499 
4500 		if (mask->control[band].legacy == 0) {
4501 			/* don't allow empty legacy rates if HT or VHT
4502 			 * are not even supported.
4503 			 */
4504 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
4505 			      rdev->wiphy.bands[band]->vht_cap.vht_supported))
4506 				return -EINVAL;
4507 
4508 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
4509 				if (mask->control[band].ht_mcs[i])
4510 					goto out;
4511 
4512 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
4513 				if (mask->control[band].vht_mcs[i])
4514 					goto out;
4515 
4516 			/* legacy and mcs rates may not be both empty */
4517 			return -EINVAL;
4518 		}
4519 	}
4520 
4521 out:
4522 	return 0;
4523 }
4524 
4525 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
4526 				   enum nl80211_band band,
4527 				   struct cfg80211_bitrate_mask *beacon_rate)
4528 {
4529 	u32 count_ht, count_vht, i;
4530 	u32 rate = beacon_rate->control[band].legacy;
4531 
4532 	/* Allow only one rate */
4533 	if (hweight32(rate) > 1)
4534 		return -EINVAL;
4535 
4536 	count_ht = 0;
4537 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
4538 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
4539 			return -EINVAL;
4540 		} else if (beacon_rate->control[band].ht_mcs[i]) {
4541 			count_ht++;
4542 			if (count_ht > 1)
4543 				return -EINVAL;
4544 		}
4545 		if (count_ht && rate)
4546 			return -EINVAL;
4547 	}
4548 
4549 	count_vht = 0;
4550 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4551 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
4552 			return -EINVAL;
4553 		} else if (beacon_rate->control[band].vht_mcs[i]) {
4554 			count_vht++;
4555 			if (count_vht > 1)
4556 				return -EINVAL;
4557 		}
4558 		if (count_vht && rate)
4559 			return -EINVAL;
4560 	}
4561 
4562 	if ((count_ht && count_vht) || (!rate && !count_ht && !count_vht))
4563 		return -EINVAL;
4564 
4565 	if (rate &&
4566 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4567 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
4568 		return -EINVAL;
4569 	if (count_ht &&
4570 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4571 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
4572 		return -EINVAL;
4573 	if (count_vht &&
4574 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4575 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
4576 		return -EINVAL;
4577 
4578 	return 0;
4579 }
4580 
4581 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
4582 				struct nlattr *attrs[],
4583 				struct cfg80211_beacon_data *bcn)
4584 {
4585 	bool haveinfo = false;
4586 	int err;
4587 
4588 	memset(bcn, 0, sizeof(*bcn));
4589 
4590 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
4591 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
4592 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
4593 		if (!bcn->head_len)
4594 			return -EINVAL;
4595 		haveinfo = true;
4596 	}
4597 
4598 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
4599 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
4600 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
4601 		haveinfo = true;
4602 	}
4603 
4604 	if (!haveinfo)
4605 		return -EINVAL;
4606 
4607 	if (attrs[NL80211_ATTR_IE]) {
4608 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
4609 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
4610 	}
4611 
4612 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
4613 		bcn->proberesp_ies =
4614 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4615 		bcn->proberesp_ies_len =
4616 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4617 	}
4618 
4619 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
4620 		bcn->assocresp_ies =
4621 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4622 		bcn->assocresp_ies_len =
4623 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4624 	}
4625 
4626 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
4627 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
4628 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
4629 	}
4630 
4631 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
4632 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
4633 
4634 		err = nla_parse_nested_deprecated(tb,
4635 						  NL80211_FTM_RESP_ATTR_MAX,
4636 						  attrs[NL80211_ATTR_FTM_RESPONDER],
4637 						  NULL, NULL);
4638 		if (err)
4639 			return err;
4640 
4641 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
4642 		    wiphy_ext_feature_isset(&rdev->wiphy,
4643 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
4644 			bcn->ftm_responder = 1;
4645 		else
4646 			return -EOPNOTSUPP;
4647 
4648 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
4649 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
4650 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
4651 		}
4652 
4653 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
4654 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
4655 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
4656 		}
4657 	} else {
4658 		bcn->ftm_responder = -1;
4659 	}
4660 
4661 	return 0;
4662 }
4663 
4664 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
4665 				    struct ieee80211_he_obss_pd *he_obss_pd)
4666 {
4667 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
4668 	int err;
4669 
4670 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
4671 			       he_obss_pd_policy, NULL);
4672 	if (err)
4673 		return err;
4674 
4675 	if (!tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] ||
4676 	    !tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
4677 		return -EINVAL;
4678 
4679 	he_obss_pd->min_offset =
4680 		nla_get_u32(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
4681 	he_obss_pd->max_offset =
4682 		nla_get_u32(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
4683 
4684 	if (he_obss_pd->min_offset >= he_obss_pd->max_offset)
4685 		return -EINVAL;
4686 
4687 	he_obss_pd->enable = true;
4688 
4689 	return 0;
4690 }
4691 
4692 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
4693 				      struct cfg80211_he_bss_color *he_bss_color)
4694 {
4695 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
4696 	int err;
4697 
4698 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
4699 			       he_bss_color_policy, NULL);
4700 	if (err)
4701 		return err;
4702 
4703 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
4704 		return -EINVAL;
4705 
4706 	he_bss_color->color =
4707 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
4708 	he_bss_color->disabled =
4709 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
4710 	he_bss_color->partial =
4711 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
4712 
4713 	return 0;
4714 }
4715 
4716 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
4717 					    const u8 *rates)
4718 {
4719 	int i;
4720 
4721 	if (!rates)
4722 		return;
4723 
4724 	for (i = 0; i < rates[1]; i++) {
4725 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
4726 			params->ht_required = true;
4727 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
4728 			params->vht_required = true;
4729 	}
4730 }
4731 
4732 /*
4733  * Since the nl80211 API didn't include, from the beginning, attributes about
4734  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
4735  * benefit of drivers that rebuild IEs in the firmware.
4736  */
4737 static void nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
4738 {
4739 	const struct cfg80211_beacon_data *bcn = &params->beacon;
4740 	size_t ies_len = bcn->tail_len;
4741 	const u8 *ies = bcn->tail;
4742 	const u8 *rates;
4743 	const u8 *cap;
4744 
4745 	rates = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies, ies_len);
4746 	nl80211_check_ap_rate_selectors(params, rates);
4747 
4748 	rates = cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
4749 	nl80211_check_ap_rate_selectors(params, rates);
4750 
4751 	cap = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY, ies, ies_len);
4752 	if (cap && cap[1] >= sizeof(*params->ht_cap))
4753 		params->ht_cap = (void *)(cap + 2);
4754 	cap = cfg80211_find_ie(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
4755 	if (cap && cap[1] >= sizeof(*params->vht_cap))
4756 		params->vht_cap = (void *)(cap + 2);
4757 	cap = cfg80211_find_ext_ie(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
4758 	if (cap && cap[1] >= sizeof(*params->he_cap) + 1)
4759 		params->he_cap = (void *)(cap + 3);
4760 	cap = cfg80211_find_ext_ie(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
4761 	if (cap && cap[1] >= sizeof(*params->he_oper) + 1)
4762 		params->he_oper = (void *)(cap + 3);
4763 }
4764 
4765 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
4766 				   struct cfg80211_ap_settings *params)
4767 {
4768 	struct wireless_dev *wdev;
4769 	bool ret = false;
4770 
4771 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4772 		if (wdev->iftype != NL80211_IFTYPE_AP &&
4773 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
4774 			continue;
4775 
4776 		if (!wdev->preset_chandef.chan)
4777 			continue;
4778 
4779 		params->chandef = wdev->preset_chandef;
4780 		ret = true;
4781 		break;
4782 	}
4783 
4784 	return ret;
4785 }
4786 
4787 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
4788 				    enum nl80211_auth_type auth_type,
4789 				    enum nl80211_commands cmd)
4790 {
4791 	if (auth_type > NL80211_AUTHTYPE_MAX)
4792 		return false;
4793 
4794 	switch (cmd) {
4795 	case NL80211_CMD_AUTHENTICATE:
4796 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
4797 		    auth_type == NL80211_AUTHTYPE_SAE)
4798 			return false;
4799 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4800 					     NL80211_EXT_FEATURE_FILS_STA) &&
4801 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
4802 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4803 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
4804 			return false;
4805 		return true;
4806 	case NL80211_CMD_CONNECT:
4807 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
4808 		    !wiphy_ext_feature_isset(&rdev->wiphy,
4809 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
4810 		    auth_type == NL80211_AUTHTYPE_SAE)
4811 			return false;
4812 
4813 		/* FILS with SK PFS or PK not supported yet */
4814 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4815 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
4816 			return false;
4817 		if (!wiphy_ext_feature_isset(
4818 			    &rdev->wiphy,
4819 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
4820 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
4821 			return false;
4822 		return true;
4823 	case NL80211_CMD_START_AP:
4824 		/* SAE not supported yet */
4825 		if (auth_type == NL80211_AUTHTYPE_SAE)
4826 			return false;
4827 		/* FILS not supported yet */
4828 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
4829 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4830 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
4831 			return false;
4832 		return true;
4833 	default:
4834 		return false;
4835 	}
4836 }
4837 
4838 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
4839 {
4840 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4841 	struct net_device *dev = info->user_ptr[1];
4842 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4843 	struct cfg80211_ap_settings params;
4844 	int err;
4845 
4846 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4847 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4848 		return -EOPNOTSUPP;
4849 
4850 	if (!rdev->ops->start_ap)
4851 		return -EOPNOTSUPP;
4852 
4853 	if (wdev->beacon_interval)
4854 		return -EALREADY;
4855 
4856 	memset(&params, 0, sizeof(params));
4857 
4858 	/* these are required for START_AP */
4859 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
4860 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
4861 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
4862 		return -EINVAL;
4863 
4864 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon);
4865 	if (err)
4866 		return err;
4867 
4868 	params.beacon_interval =
4869 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
4870 	params.dtim_period =
4871 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
4872 
4873 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
4874 					   params.beacon_interval);
4875 	if (err)
4876 		return err;
4877 
4878 	/*
4879 	 * In theory, some of these attributes should be required here
4880 	 * but since they were not used when the command was originally
4881 	 * added, keep them optional for old user space programs to let
4882 	 * them continue to work with drivers that do not need the
4883 	 * additional information -- drivers must check!
4884 	 */
4885 	if (info->attrs[NL80211_ATTR_SSID]) {
4886 		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
4887 		params.ssid_len =
4888 			nla_len(info->attrs[NL80211_ATTR_SSID]);
4889 		if (params.ssid_len == 0 ||
4890 		    params.ssid_len > IEEE80211_MAX_SSID_LEN)
4891 			return -EINVAL;
4892 	}
4893 
4894 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
4895 		params.hidden_ssid = nla_get_u32(
4896 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
4897 
4898 	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
4899 
4900 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
4901 		params.auth_type = nla_get_u32(
4902 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
4903 		if (!nl80211_valid_auth_type(rdev, params.auth_type,
4904 					     NL80211_CMD_START_AP))
4905 			return -EINVAL;
4906 	} else
4907 		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
4908 
4909 	err = nl80211_crypto_settings(rdev, info, &params.crypto,
4910 				      NL80211_MAX_NR_CIPHER_SUITES);
4911 	if (err)
4912 		return err;
4913 
4914 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
4915 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
4916 			return -EOPNOTSUPP;
4917 		params.inactivity_timeout = nla_get_u16(
4918 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
4919 	}
4920 
4921 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
4922 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4923 			return -EINVAL;
4924 		params.p2p_ctwindow =
4925 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
4926 		if (params.p2p_ctwindow != 0 &&
4927 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
4928 			return -EINVAL;
4929 	}
4930 
4931 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
4932 		u8 tmp;
4933 
4934 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4935 			return -EINVAL;
4936 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
4937 		params.p2p_opp_ps = tmp;
4938 		if (params.p2p_opp_ps != 0 &&
4939 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
4940 			return -EINVAL;
4941 	}
4942 
4943 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
4944 		err = nl80211_parse_chandef(rdev, info, &params.chandef);
4945 		if (err)
4946 			return err;
4947 	} else if (wdev->preset_chandef.chan) {
4948 		params.chandef = wdev->preset_chandef;
4949 	} else if (!nl80211_get_ap_channel(rdev, &params))
4950 		return -EINVAL;
4951 
4952 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
4953 					   wdev->iftype))
4954 		return -EINVAL;
4955 
4956 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
4957 		err = nl80211_parse_tx_bitrate_mask(info, &params.beacon_rate);
4958 		if (err)
4959 			return err;
4960 
4961 		err = validate_beacon_tx_rate(rdev, params.chandef.chan->band,
4962 					      &params.beacon_rate);
4963 		if (err)
4964 			return err;
4965 	}
4966 
4967 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
4968 		params.smps_mode =
4969 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
4970 		switch (params.smps_mode) {
4971 		case NL80211_SMPS_OFF:
4972 			break;
4973 		case NL80211_SMPS_STATIC:
4974 			if (!(rdev->wiphy.features &
4975 			      NL80211_FEATURE_STATIC_SMPS))
4976 				return -EINVAL;
4977 			break;
4978 		case NL80211_SMPS_DYNAMIC:
4979 			if (!(rdev->wiphy.features &
4980 			      NL80211_FEATURE_DYNAMIC_SMPS))
4981 				return -EINVAL;
4982 			break;
4983 		default:
4984 			return -EINVAL;
4985 		}
4986 	} else {
4987 		params.smps_mode = NL80211_SMPS_OFF;
4988 	}
4989 
4990 	params.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
4991 	if (params.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ])
4992 		return -EOPNOTSUPP;
4993 
4994 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
4995 		params.acl = parse_acl_data(&rdev->wiphy, info);
4996 		if (IS_ERR(params.acl))
4997 			return PTR_ERR(params.acl);
4998 	}
4999 
5000 	params.twt_responder =
5001 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
5002 
5003 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
5004 		err = nl80211_parse_he_obss_pd(
5005 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
5006 					&params.he_obss_pd);
5007 		goto out;
5008 	}
5009 
5010 	if (info->attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5011 		err = nl80211_parse_he_bss_color(
5012 					info->attrs[NL80211_ATTR_HE_BSS_COLOR],
5013 					&params.he_bss_color);
5014 		if (err)
5015 			return err;
5016 	}
5017 
5018 	nl80211_calculate_ap_params(&params);
5019 
5020 	if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
5021 		params.flags |= AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
5022 
5023 	wdev_lock(wdev);
5024 	err = rdev_start_ap(rdev, dev, &params);
5025 	if (!err) {
5026 		wdev->preset_chandef = params.chandef;
5027 		wdev->beacon_interval = params.beacon_interval;
5028 		wdev->chandef = params.chandef;
5029 		wdev->ssid_len = params.ssid_len;
5030 		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
5031 
5032 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
5033 			wdev->conn_owner_nlportid = info->snd_portid;
5034 	}
5035 	wdev_unlock(wdev);
5036 
5037 out:
5038 	kfree(params.acl);
5039 
5040 	return err;
5041 }
5042 
5043 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
5044 {
5045 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5046 	struct net_device *dev = info->user_ptr[1];
5047 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5048 	struct cfg80211_beacon_data params;
5049 	int err;
5050 
5051 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5052 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5053 		return -EOPNOTSUPP;
5054 
5055 	if (!rdev->ops->change_beacon)
5056 		return -EOPNOTSUPP;
5057 
5058 	if (!wdev->beacon_interval)
5059 		return -EINVAL;
5060 
5061 	err = nl80211_parse_beacon(rdev, info->attrs, &params);
5062 	if (err)
5063 		return err;
5064 
5065 	wdev_lock(wdev);
5066 	err = rdev_change_beacon(rdev, dev, &params);
5067 	wdev_unlock(wdev);
5068 
5069 	return err;
5070 }
5071 
5072 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
5073 {
5074 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5075 	struct net_device *dev = info->user_ptr[1];
5076 
5077 	return cfg80211_stop_ap(rdev, dev, false);
5078 }
5079 
5080 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
5081 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
5082 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
5083 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
5084 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
5085 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
5086 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
5087 };
5088 
5089 static int parse_station_flags(struct genl_info *info,
5090 			       enum nl80211_iftype iftype,
5091 			       struct station_parameters *params)
5092 {
5093 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
5094 	struct nlattr *nla;
5095 	int flag;
5096 
5097 	/*
5098 	 * Try parsing the new attribute first so userspace
5099 	 * can specify both for older kernels.
5100 	 */
5101 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
5102 	if (nla) {
5103 		struct nl80211_sta_flag_update *sta_flags;
5104 
5105 		sta_flags = nla_data(nla);
5106 		params->sta_flags_mask = sta_flags->mask;
5107 		params->sta_flags_set = sta_flags->set;
5108 		params->sta_flags_set &= params->sta_flags_mask;
5109 		if ((params->sta_flags_mask |
5110 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
5111 			return -EINVAL;
5112 		return 0;
5113 	}
5114 
5115 	/* if present, parse the old attribute */
5116 
5117 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
5118 	if (!nla)
5119 		return 0;
5120 
5121 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
5122 		return -EINVAL;
5123 
5124 	/*
5125 	 * Only allow certain flags for interface types so that
5126 	 * other attributes are silently ignored. Remember that
5127 	 * this is backward compatibility code with old userspace
5128 	 * and shouldn't be hit in other cases anyway.
5129 	 */
5130 	switch (iftype) {
5131 	case NL80211_IFTYPE_AP:
5132 	case NL80211_IFTYPE_AP_VLAN:
5133 	case NL80211_IFTYPE_P2P_GO:
5134 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5135 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5136 					 BIT(NL80211_STA_FLAG_WME) |
5137 					 BIT(NL80211_STA_FLAG_MFP);
5138 		break;
5139 	case NL80211_IFTYPE_P2P_CLIENT:
5140 	case NL80211_IFTYPE_STATION:
5141 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5142 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
5143 		break;
5144 	case NL80211_IFTYPE_MESH_POINT:
5145 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5146 					 BIT(NL80211_STA_FLAG_MFP) |
5147 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
5148 		break;
5149 	default:
5150 		return -EINVAL;
5151 	}
5152 
5153 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
5154 		if (flags[flag]) {
5155 			params->sta_flags_set |= (1<<flag);
5156 
5157 			/* no longer support new API additions in old API */
5158 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
5159 				return -EINVAL;
5160 		}
5161 	}
5162 
5163 	return 0;
5164 }
5165 
5166 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
5167 {
5168 	struct nlattr *rate;
5169 	u32 bitrate;
5170 	u16 bitrate_compat;
5171 	enum nl80211_rate_info rate_flg;
5172 
5173 	rate = nla_nest_start_noflag(msg, attr);
5174 	if (!rate)
5175 		return false;
5176 
5177 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
5178 	bitrate = cfg80211_calculate_bitrate(info);
5179 	/* report 16-bit bitrate only if we can */
5180 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
5181 	if (bitrate > 0 &&
5182 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
5183 		return false;
5184 	if (bitrate_compat > 0 &&
5185 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
5186 		return false;
5187 
5188 	switch (info->bw) {
5189 	case RATE_INFO_BW_5:
5190 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
5191 		break;
5192 	case RATE_INFO_BW_10:
5193 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
5194 		break;
5195 	default:
5196 		WARN_ON(1);
5197 		/* fall through */
5198 	case RATE_INFO_BW_20:
5199 		rate_flg = 0;
5200 		break;
5201 	case RATE_INFO_BW_40:
5202 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
5203 		break;
5204 	case RATE_INFO_BW_80:
5205 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
5206 		break;
5207 	case RATE_INFO_BW_160:
5208 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
5209 		break;
5210 	case RATE_INFO_BW_HE_RU:
5211 		rate_flg = 0;
5212 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
5213 	}
5214 
5215 	if (rate_flg && nla_put_flag(msg, rate_flg))
5216 		return false;
5217 
5218 	if (info->flags & RATE_INFO_FLAGS_MCS) {
5219 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
5220 			return false;
5221 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5222 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5223 			return false;
5224 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
5225 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
5226 			return false;
5227 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
5228 			return false;
5229 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5230 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5231 			return false;
5232 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
5233 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
5234 			return false;
5235 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
5236 			return false;
5237 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
5238 			return false;
5239 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
5240 			return false;
5241 		if (info->bw == RATE_INFO_BW_HE_RU &&
5242 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
5243 			       info->he_ru_alloc))
5244 			return false;
5245 	}
5246 
5247 	nla_nest_end(msg, rate);
5248 	return true;
5249 }
5250 
5251 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
5252 			       int id)
5253 {
5254 	void *attr;
5255 	int i = 0;
5256 
5257 	if (!mask)
5258 		return true;
5259 
5260 	attr = nla_nest_start_noflag(msg, id);
5261 	if (!attr)
5262 		return false;
5263 
5264 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
5265 		if (!(mask & BIT(i)))
5266 			continue;
5267 
5268 		if (nla_put_u8(msg, i, signal[i]))
5269 			return false;
5270 	}
5271 
5272 	nla_nest_end(msg, attr);
5273 
5274 	return true;
5275 }
5276 
5277 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
5278 				u32 seq, int flags,
5279 				struct cfg80211_registered_device *rdev,
5280 				struct net_device *dev,
5281 				const u8 *mac_addr, struct station_info *sinfo)
5282 {
5283 	void *hdr;
5284 	struct nlattr *sinfoattr, *bss_param;
5285 
5286 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
5287 	if (!hdr) {
5288 		cfg80211_sinfo_release_content(sinfo);
5289 		return -1;
5290 	}
5291 
5292 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5293 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
5294 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
5295 		goto nla_put_failure;
5296 
5297 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
5298 	if (!sinfoattr)
5299 		goto nla_put_failure;
5300 
5301 #define PUT_SINFO(attr, memb, type) do {				\
5302 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
5303 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
5304 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
5305 			     sinfo->memb))				\
5306 		goto nla_put_failure;					\
5307 	} while (0)
5308 #define PUT_SINFO_U64(attr, memb) do {					\
5309 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
5310 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
5311 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
5312 		goto nla_put_failure;					\
5313 	} while (0)
5314 
5315 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
5316 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
5317 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
5318 
5319 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
5320 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
5321 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
5322 			(u32)sinfo->rx_bytes))
5323 		goto nla_put_failure;
5324 
5325 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
5326 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
5327 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
5328 			(u32)sinfo->tx_bytes))
5329 		goto nla_put_failure;
5330 
5331 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
5332 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
5333 	PUT_SINFO(LLID, llid, u16);
5334 	PUT_SINFO(PLID, plid, u16);
5335 	PUT_SINFO(PLINK_STATE, plink_state, u8);
5336 	PUT_SINFO_U64(RX_DURATION, rx_duration);
5337 	PUT_SINFO_U64(TX_DURATION, tx_duration);
5338 
5339 	if (wiphy_ext_feature_isset(&rdev->wiphy,
5340 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
5341 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
5342 
5343 	switch (rdev->wiphy.signal_type) {
5344 	case CFG80211_SIGNAL_TYPE_MBM:
5345 		PUT_SINFO(SIGNAL, signal, u8);
5346 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
5347 		break;
5348 	default:
5349 		break;
5350 	}
5351 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
5352 		if (!nl80211_put_signal(msg, sinfo->chains,
5353 					sinfo->chain_signal,
5354 					NL80211_STA_INFO_CHAIN_SIGNAL))
5355 			goto nla_put_failure;
5356 	}
5357 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
5358 		if (!nl80211_put_signal(msg, sinfo->chains,
5359 					sinfo->chain_signal_avg,
5360 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
5361 			goto nla_put_failure;
5362 	}
5363 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
5364 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
5365 					  NL80211_STA_INFO_TX_BITRATE))
5366 			goto nla_put_failure;
5367 	}
5368 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
5369 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
5370 					  NL80211_STA_INFO_RX_BITRATE))
5371 			goto nla_put_failure;
5372 	}
5373 
5374 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
5375 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
5376 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
5377 	PUT_SINFO(TX_FAILED, tx_failed, u32);
5378 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
5379 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
5380 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
5381 	PUT_SINFO(LOCAL_PM, local_pm, u32);
5382 	PUT_SINFO(PEER_PM, peer_pm, u32);
5383 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
5384 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
5385 
5386 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
5387 		bss_param = nla_nest_start_noflag(msg,
5388 						  NL80211_STA_INFO_BSS_PARAM);
5389 		if (!bss_param)
5390 			goto nla_put_failure;
5391 
5392 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
5393 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
5394 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
5395 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
5396 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
5397 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
5398 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
5399 			       sinfo->bss_param.dtim_period) ||
5400 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
5401 				sinfo->bss_param.beacon_interval))
5402 			goto nla_put_failure;
5403 
5404 		nla_nest_end(msg, bss_param);
5405 	}
5406 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
5407 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
5408 		    sizeof(struct nl80211_sta_flag_update),
5409 		    &sinfo->sta_flags))
5410 		goto nla_put_failure;
5411 
5412 	PUT_SINFO_U64(T_OFFSET, t_offset);
5413 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
5414 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
5415 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
5416 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
5417 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
5418 	if (wiphy_ext_feature_isset(&rdev->wiphy,
5419 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
5420 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
5421 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
5422 	}
5423 
5424 #undef PUT_SINFO
5425 #undef PUT_SINFO_U64
5426 
5427 	if (sinfo->pertid) {
5428 		struct nlattr *tidsattr;
5429 		int tid;
5430 
5431 		tidsattr = nla_nest_start_noflag(msg,
5432 						 NL80211_STA_INFO_TID_STATS);
5433 		if (!tidsattr)
5434 			goto nla_put_failure;
5435 
5436 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
5437 			struct cfg80211_tid_stats *tidstats;
5438 			struct nlattr *tidattr;
5439 
5440 			tidstats = &sinfo->pertid[tid];
5441 
5442 			if (!tidstats->filled)
5443 				continue;
5444 
5445 			tidattr = nla_nest_start_noflag(msg, tid + 1);
5446 			if (!tidattr)
5447 				goto nla_put_failure;
5448 
5449 #define PUT_TIDVAL_U64(attr, memb) do {					\
5450 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
5451 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
5452 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
5453 		goto nla_put_failure;					\
5454 	} while (0)
5455 
5456 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
5457 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
5458 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
5459 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
5460 
5461 #undef PUT_TIDVAL_U64
5462 			if ((tidstats->filled &
5463 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
5464 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
5465 						   NL80211_TID_STATS_TXQ_STATS))
5466 				goto nla_put_failure;
5467 
5468 			nla_nest_end(msg, tidattr);
5469 		}
5470 
5471 		nla_nest_end(msg, tidsattr);
5472 	}
5473 
5474 	nla_nest_end(msg, sinfoattr);
5475 
5476 	if (sinfo->assoc_req_ies_len &&
5477 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
5478 		    sinfo->assoc_req_ies))
5479 		goto nla_put_failure;
5480 
5481 	cfg80211_sinfo_release_content(sinfo);
5482 	genlmsg_end(msg, hdr);
5483 	return 0;
5484 
5485  nla_put_failure:
5486 	cfg80211_sinfo_release_content(sinfo);
5487 	genlmsg_cancel(msg, hdr);
5488 	return -EMSGSIZE;
5489 }
5490 
5491 static int nl80211_dump_station(struct sk_buff *skb,
5492 				struct netlink_callback *cb)
5493 {
5494 	struct station_info sinfo;
5495 	struct cfg80211_registered_device *rdev;
5496 	struct wireless_dev *wdev;
5497 	u8 mac_addr[ETH_ALEN];
5498 	int sta_idx = cb->args[2];
5499 	int err;
5500 
5501 	rtnl_lock();
5502 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
5503 	if (err)
5504 		goto out_err;
5505 
5506 	if (!wdev->netdev) {
5507 		err = -EINVAL;
5508 		goto out_err;
5509 	}
5510 
5511 	if (!rdev->ops->dump_station) {
5512 		err = -EOPNOTSUPP;
5513 		goto out_err;
5514 	}
5515 
5516 	while (1) {
5517 		memset(&sinfo, 0, sizeof(sinfo));
5518 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
5519 					mac_addr, &sinfo);
5520 		if (err == -ENOENT)
5521 			break;
5522 		if (err)
5523 			goto out_err;
5524 
5525 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
5526 				NETLINK_CB(cb->skb).portid,
5527 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
5528 				rdev, wdev->netdev, mac_addr,
5529 				&sinfo) < 0)
5530 			goto out;
5531 
5532 		sta_idx++;
5533 	}
5534 
5535  out:
5536 	cb->args[2] = sta_idx;
5537 	err = skb->len;
5538  out_err:
5539 	rtnl_unlock();
5540 
5541 	return err;
5542 }
5543 
5544 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
5545 {
5546 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5547 	struct net_device *dev = info->user_ptr[1];
5548 	struct station_info sinfo;
5549 	struct sk_buff *msg;
5550 	u8 *mac_addr = NULL;
5551 	int err;
5552 
5553 	memset(&sinfo, 0, sizeof(sinfo));
5554 
5555 	if (!info->attrs[NL80211_ATTR_MAC])
5556 		return -EINVAL;
5557 
5558 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5559 
5560 	if (!rdev->ops->get_station)
5561 		return -EOPNOTSUPP;
5562 
5563 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
5564 	if (err)
5565 		return err;
5566 
5567 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5568 	if (!msg) {
5569 		cfg80211_sinfo_release_content(&sinfo);
5570 		return -ENOMEM;
5571 	}
5572 
5573 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
5574 				 info->snd_portid, info->snd_seq, 0,
5575 				 rdev, dev, mac_addr, &sinfo) < 0) {
5576 		nlmsg_free(msg);
5577 		return -ENOBUFS;
5578 	}
5579 
5580 	return genlmsg_reply(msg, info);
5581 }
5582 
5583 int cfg80211_check_station_change(struct wiphy *wiphy,
5584 				  struct station_parameters *params,
5585 				  enum cfg80211_station_type statype)
5586 {
5587 	if (params->listen_interval != -1 &&
5588 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5589 		return -EINVAL;
5590 
5591 	if (params->support_p2p_ps != -1 &&
5592 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5593 		return -EINVAL;
5594 
5595 	if (params->aid &&
5596 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
5597 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5598 		return -EINVAL;
5599 
5600 	/* When you run into this, adjust the code below for the new flag */
5601 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
5602 
5603 	switch (statype) {
5604 	case CFG80211_STA_MESH_PEER_KERNEL:
5605 	case CFG80211_STA_MESH_PEER_USER:
5606 		/*
5607 		 * No ignoring the TDLS flag here -- the userspace mesh
5608 		 * code doesn't have the bug of including TDLS in the
5609 		 * mask everywhere.
5610 		 */
5611 		if (params->sta_flags_mask &
5612 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5613 				  BIT(NL80211_STA_FLAG_MFP) |
5614 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
5615 			return -EINVAL;
5616 		break;
5617 	case CFG80211_STA_TDLS_PEER_SETUP:
5618 	case CFG80211_STA_TDLS_PEER_ACTIVE:
5619 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
5620 			return -EINVAL;
5621 		/* ignore since it can't change */
5622 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5623 		break;
5624 	default:
5625 		/* disallow mesh-specific things */
5626 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
5627 			return -EINVAL;
5628 		if (params->local_pm)
5629 			return -EINVAL;
5630 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
5631 			return -EINVAL;
5632 	}
5633 
5634 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
5635 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
5636 		/* TDLS can't be set, ... */
5637 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
5638 			return -EINVAL;
5639 		/*
5640 		 * ... but don't bother the driver with it. This works around
5641 		 * a hostapd/wpa_supplicant issue -- it always includes the
5642 		 * TLDS_PEER flag in the mask even for AP mode.
5643 		 */
5644 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5645 	}
5646 
5647 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
5648 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
5649 		/* reject other things that can't change */
5650 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
5651 			return -EINVAL;
5652 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
5653 			return -EINVAL;
5654 		if (params->supported_rates)
5655 			return -EINVAL;
5656 		if (params->ext_capab || params->ht_capa || params->vht_capa ||
5657 		    params->he_capa)
5658 			return -EINVAL;
5659 	}
5660 
5661 	if (statype != CFG80211_STA_AP_CLIENT &&
5662 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
5663 		if (params->vlan)
5664 			return -EINVAL;
5665 	}
5666 
5667 	switch (statype) {
5668 	case CFG80211_STA_AP_MLME_CLIENT:
5669 		/* Use this only for authorizing/unauthorizing a station */
5670 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
5671 			return -EOPNOTSUPP;
5672 		break;
5673 	case CFG80211_STA_AP_CLIENT:
5674 	case CFG80211_STA_AP_CLIENT_UNASSOC:
5675 		/* accept only the listed bits */
5676 		if (params->sta_flags_mask &
5677 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
5678 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5679 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
5680 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5681 				  BIT(NL80211_STA_FLAG_WME) |
5682 				  BIT(NL80211_STA_FLAG_MFP)))
5683 			return -EINVAL;
5684 
5685 		/* but authenticated/associated only if driver handles it */
5686 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
5687 		    params->sta_flags_mask &
5688 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5689 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
5690 			return -EINVAL;
5691 		break;
5692 	case CFG80211_STA_IBSS:
5693 	case CFG80211_STA_AP_STA:
5694 		/* reject any changes other than AUTHORIZED */
5695 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
5696 			return -EINVAL;
5697 		break;
5698 	case CFG80211_STA_TDLS_PEER_SETUP:
5699 		/* reject any changes other than AUTHORIZED or WME */
5700 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
5701 					       BIT(NL80211_STA_FLAG_WME)))
5702 			return -EINVAL;
5703 		/* force (at least) rates when authorizing */
5704 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
5705 		    !params->supported_rates)
5706 			return -EINVAL;
5707 		break;
5708 	case CFG80211_STA_TDLS_PEER_ACTIVE:
5709 		/* reject any changes */
5710 		return -EINVAL;
5711 	case CFG80211_STA_MESH_PEER_KERNEL:
5712 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
5713 			return -EINVAL;
5714 		break;
5715 	case CFG80211_STA_MESH_PEER_USER:
5716 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
5717 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
5718 			return -EINVAL;
5719 		break;
5720 	}
5721 
5722 	/*
5723 	 * Older kernel versions ignored this attribute entirely, so don't
5724 	 * reject attempts to update it but mark it as unused instead so the
5725 	 * driver won't look at the data.
5726 	 */
5727 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
5728 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
5729 		params->opmode_notif_used = false;
5730 
5731 	return 0;
5732 }
5733 EXPORT_SYMBOL(cfg80211_check_station_change);
5734 
5735 /*
5736  * Get vlan interface making sure it is running and on the right wiphy.
5737  */
5738 static struct net_device *get_vlan(struct genl_info *info,
5739 				   struct cfg80211_registered_device *rdev)
5740 {
5741 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
5742 	struct net_device *v;
5743 	int ret;
5744 
5745 	if (!vlanattr)
5746 		return NULL;
5747 
5748 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
5749 	if (!v)
5750 		return ERR_PTR(-ENODEV);
5751 
5752 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
5753 		ret = -EINVAL;
5754 		goto error;
5755 	}
5756 
5757 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
5758 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5759 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5760 		ret = -EINVAL;
5761 		goto error;
5762 	}
5763 
5764 	if (!netif_running(v)) {
5765 		ret = -ENETDOWN;
5766 		goto error;
5767 	}
5768 
5769 	return v;
5770  error:
5771 	dev_put(v);
5772 	return ERR_PTR(ret);
5773 }
5774 
5775 static const struct nla_policy
5776 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
5777 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
5778 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
5779 };
5780 
5781 static int nl80211_parse_sta_wme(struct genl_info *info,
5782 				 struct station_parameters *params)
5783 {
5784 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
5785 	struct nlattr *nla;
5786 	int err;
5787 
5788 	/* parse WME attributes if present */
5789 	if (!info->attrs[NL80211_ATTR_STA_WME])
5790 		return 0;
5791 
5792 	nla = info->attrs[NL80211_ATTR_STA_WME];
5793 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
5794 					  nl80211_sta_wme_policy,
5795 					  info->extack);
5796 	if (err)
5797 		return err;
5798 
5799 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
5800 		params->uapsd_queues = nla_get_u8(
5801 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
5802 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
5803 		return -EINVAL;
5804 
5805 	if (tb[NL80211_STA_WME_MAX_SP])
5806 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
5807 
5808 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
5809 		return -EINVAL;
5810 
5811 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
5812 
5813 	return 0;
5814 }
5815 
5816 static int nl80211_parse_sta_channel_info(struct genl_info *info,
5817 				      struct station_parameters *params)
5818 {
5819 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
5820 		params->supported_channels =
5821 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
5822 		params->supported_channels_len =
5823 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
5824 		/*
5825 		 * Need to include at least one (first channel, number of
5826 		 * channels) tuple for each subband, and must have proper
5827 		 * tuples for the rest of the data as well.
5828 		 */
5829 		if (params->supported_channels_len < 2)
5830 			return -EINVAL;
5831 		if (params->supported_channels_len % 2)
5832 			return -EINVAL;
5833 	}
5834 
5835 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
5836 		params->supported_oper_classes =
5837 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
5838 		params->supported_oper_classes_len =
5839 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
5840 		/*
5841 		 * The value of the Length field of the Supported Operating
5842 		 * Classes element is between 2 and 253.
5843 		 */
5844 		if (params->supported_oper_classes_len < 2 ||
5845 		    params->supported_oper_classes_len > 253)
5846 			return -EINVAL;
5847 	}
5848 	return 0;
5849 }
5850 
5851 static int nl80211_set_station_tdls(struct genl_info *info,
5852 				    struct station_parameters *params)
5853 {
5854 	int err;
5855 	/* Dummy STA entry gets updated once the peer capabilities are known */
5856 	if (info->attrs[NL80211_ATTR_PEER_AID])
5857 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
5858 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
5859 		params->ht_capa =
5860 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
5861 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
5862 		params->vht_capa =
5863 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
5864 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
5865 		params->he_capa =
5866 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5867 		params->he_capa_len =
5868 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5869 
5870 		if (params->he_capa_len < NL80211_HE_MIN_CAPABILITY_LEN)
5871 			return -EINVAL;
5872 	}
5873 
5874 	err = nl80211_parse_sta_channel_info(info, params);
5875 	if (err)
5876 		return err;
5877 
5878 	return nl80211_parse_sta_wme(info, params);
5879 }
5880 
5881 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
5882 					     struct station_parameters *params)
5883 {
5884 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5885 	int idx;
5886 
5887 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
5888 		if (!rdev->ops->set_tx_power ||
5889 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5890 					 NL80211_EXT_FEATURE_STA_TX_PWR))
5891 			return -EOPNOTSUPP;
5892 
5893 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
5894 		params->txpwr.type = nla_get_u8(info->attrs[idx]);
5895 
5896 		if (params->txpwr.type == NL80211_TX_POWER_LIMITED) {
5897 			idx = NL80211_ATTR_STA_TX_POWER;
5898 
5899 			if (info->attrs[idx])
5900 				params->txpwr.power =
5901 					nla_get_s16(info->attrs[idx]);
5902 			else
5903 				return -EINVAL;
5904 		}
5905 		params->sta_modify_mask |= STATION_PARAM_APPLY_STA_TXPOWER;
5906 	}
5907 
5908 	return 0;
5909 }
5910 
5911 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
5912 {
5913 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5914 	struct net_device *dev = info->user_ptr[1];
5915 	struct station_parameters params;
5916 	u8 *mac_addr;
5917 	int err;
5918 
5919 	memset(&params, 0, sizeof(params));
5920 
5921 	if (!rdev->ops->change_station)
5922 		return -EOPNOTSUPP;
5923 
5924 	/*
5925 	 * AID and listen_interval properties can be set only for unassociated
5926 	 * station. Include these parameters here and will check them in
5927 	 * cfg80211_check_station_change().
5928 	 */
5929 	if (info->attrs[NL80211_ATTR_STA_AID])
5930 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
5931 
5932 	if (info->attrs[NL80211_ATTR_VLAN_ID])
5933 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
5934 
5935 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
5936 		params.listen_interval =
5937 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
5938 	else
5939 		params.listen_interval = -1;
5940 
5941 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
5942 		params.support_p2p_ps =
5943 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
5944 	else
5945 		params.support_p2p_ps = -1;
5946 
5947 	if (!info->attrs[NL80211_ATTR_MAC])
5948 		return -EINVAL;
5949 
5950 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5951 
5952 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
5953 		params.supported_rates =
5954 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5955 		params.supported_rates_len =
5956 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5957 	}
5958 
5959 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
5960 		params.capability =
5961 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
5962 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
5963 	}
5964 
5965 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
5966 		params.ext_capab =
5967 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5968 		params.ext_capab_len =
5969 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5970 	}
5971 
5972 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
5973 		return -EINVAL;
5974 
5975 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
5976 		params.plink_action =
5977 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
5978 
5979 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
5980 		params.plink_state =
5981 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
5982 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
5983 			params.peer_aid = nla_get_u16(
5984 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
5985 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
5986 	}
5987 
5988 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
5989 		params.local_pm = nla_get_u32(
5990 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
5991 
5992 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
5993 		params.opmode_notif_used = true;
5994 		params.opmode_notif =
5995 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
5996 	}
5997 
5998 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
5999 		params.airtime_weight =
6000 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6001 
6002 	if (params.airtime_weight &&
6003 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6004 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6005 		return -EOPNOTSUPP;
6006 
6007 	err = nl80211_parse_sta_txpower_setting(info, &params);
6008 	if (err)
6009 		return err;
6010 
6011 	/* Include parameters for TDLS peer (will check later) */
6012 	err = nl80211_set_station_tdls(info, &params);
6013 	if (err)
6014 		return err;
6015 
6016 	params.vlan = get_vlan(info, rdev);
6017 	if (IS_ERR(params.vlan))
6018 		return PTR_ERR(params.vlan);
6019 
6020 	switch (dev->ieee80211_ptr->iftype) {
6021 	case NL80211_IFTYPE_AP:
6022 	case NL80211_IFTYPE_AP_VLAN:
6023 	case NL80211_IFTYPE_P2P_GO:
6024 	case NL80211_IFTYPE_P2P_CLIENT:
6025 	case NL80211_IFTYPE_STATION:
6026 	case NL80211_IFTYPE_ADHOC:
6027 	case NL80211_IFTYPE_MESH_POINT:
6028 		break;
6029 	default:
6030 		err = -EOPNOTSUPP;
6031 		goto out_put_vlan;
6032 	}
6033 
6034 	/* driver will call cfg80211_check_station_change() */
6035 	err = rdev_change_station(rdev, dev, mac_addr, &params);
6036 
6037  out_put_vlan:
6038 	if (params.vlan)
6039 		dev_put(params.vlan);
6040 
6041 	return err;
6042 }
6043 
6044 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
6045 {
6046 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6047 	int err;
6048 	struct net_device *dev = info->user_ptr[1];
6049 	struct station_parameters params;
6050 	u8 *mac_addr = NULL;
6051 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6052 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
6053 
6054 	memset(&params, 0, sizeof(params));
6055 
6056 	if (!rdev->ops->add_station)
6057 		return -EOPNOTSUPP;
6058 
6059 	if (!info->attrs[NL80211_ATTR_MAC])
6060 		return -EINVAL;
6061 
6062 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6063 		return -EINVAL;
6064 
6065 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
6066 		return -EINVAL;
6067 
6068 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
6069 	    !info->attrs[NL80211_ATTR_PEER_AID])
6070 		return -EINVAL;
6071 
6072 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6073 	params.supported_rates =
6074 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6075 	params.supported_rates_len =
6076 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6077 	params.listen_interval =
6078 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6079 
6080 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6081 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6082 
6083 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
6084 		params.support_p2p_ps =
6085 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6086 	} else {
6087 		/*
6088 		 * if not specified, assume it's supported for P2P GO interface,
6089 		 * and is NOT supported for AP interface
6090 		 */
6091 		params.support_p2p_ps =
6092 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
6093 	}
6094 
6095 	if (info->attrs[NL80211_ATTR_PEER_AID])
6096 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6097 	else
6098 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6099 
6100 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6101 		params.capability =
6102 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6103 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6104 	}
6105 
6106 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6107 		params.ext_capab =
6108 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6109 		params.ext_capab_len =
6110 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6111 	}
6112 
6113 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6114 		params.ht_capa =
6115 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6116 
6117 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6118 		params.vht_capa =
6119 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6120 
6121 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6122 		params.he_capa =
6123 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6124 		params.he_capa_len =
6125 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6126 
6127 		/* max len is validated in nla policy */
6128 		if (params.he_capa_len < NL80211_HE_MIN_CAPABILITY_LEN)
6129 			return -EINVAL;
6130 	}
6131 
6132 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6133 		params.opmode_notif_used = true;
6134 		params.opmode_notif =
6135 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6136 	}
6137 
6138 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6139 		params.plink_action =
6140 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6141 
6142 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6143 		params.airtime_weight =
6144 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6145 
6146 	if (params.airtime_weight &&
6147 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6148 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6149 		return -EOPNOTSUPP;
6150 
6151 	err = nl80211_parse_sta_txpower_setting(info, &params);
6152 	if (err)
6153 		return err;
6154 
6155 	err = nl80211_parse_sta_channel_info(info, &params);
6156 	if (err)
6157 		return err;
6158 
6159 	err = nl80211_parse_sta_wme(info, &params);
6160 	if (err)
6161 		return err;
6162 
6163 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6164 		return -EINVAL;
6165 
6166 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
6167 	 * as userspace might just pass through the capabilities from the IEs
6168 	 * directly, rather than enforcing this restriction and returning an
6169 	 * error in this case.
6170 	 */
6171 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
6172 		params.ht_capa = NULL;
6173 		params.vht_capa = NULL;
6174 
6175 		/* HE requires WME */
6176 		if (params.he_capa_len)
6177 			return -EINVAL;
6178 	}
6179 
6180 	/* When you run into this, adjust the code below for the new flag */
6181 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6182 
6183 	switch (dev->ieee80211_ptr->iftype) {
6184 	case NL80211_IFTYPE_AP:
6185 	case NL80211_IFTYPE_AP_VLAN:
6186 	case NL80211_IFTYPE_P2P_GO:
6187 		/* ignore WME attributes if iface/sta is not capable */
6188 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
6189 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
6190 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6191 
6192 		/* TDLS peers cannot be added */
6193 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
6194 		    info->attrs[NL80211_ATTR_PEER_AID])
6195 			return -EINVAL;
6196 		/* but don't bother the driver with it */
6197 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6198 
6199 		/* allow authenticated/associated only if driver handles it */
6200 		if (!(rdev->wiphy.features &
6201 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6202 		    params.sta_flags_mask & auth_assoc)
6203 			return -EINVAL;
6204 
6205 		/* Older userspace, or userspace wanting to be compatible with
6206 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
6207 		 * and assoc flags in the mask, but assumes the station will be
6208 		 * added as associated anyway since this was the required driver
6209 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
6210 		 * introduced.
6211 		 * In order to not bother drivers with this quirk in the API
6212 		 * set the flags in both the mask and set for new stations in
6213 		 * this case.
6214 		 */
6215 		if (!(params.sta_flags_mask & auth_assoc)) {
6216 			params.sta_flags_mask |= auth_assoc;
6217 			params.sta_flags_set |= auth_assoc;
6218 		}
6219 
6220 		/* must be last in here for error handling */
6221 		params.vlan = get_vlan(info, rdev);
6222 		if (IS_ERR(params.vlan))
6223 			return PTR_ERR(params.vlan);
6224 		break;
6225 	case NL80211_IFTYPE_MESH_POINT:
6226 		/* ignore uAPSD data */
6227 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6228 
6229 		/* associated is disallowed */
6230 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
6231 			return -EINVAL;
6232 		/* TDLS peers cannot be added */
6233 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
6234 		    info->attrs[NL80211_ATTR_PEER_AID])
6235 			return -EINVAL;
6236 		break;
6237 	case NL80211_IFTYPE_STATION:
6238 	case NL80211_IFTYPE_P2P_CLIENT:
6239 		/* ignore uAPSD data */
6240 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6241 
6242 		/* these are disallowed */
6243 		if (params.sta_flags_mask &
6244 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
6245 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
6246 			return -EINVAL;
6247 		/* Only TDLS peers can be added */
6248 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6249 			return -EINVAL;
6250 		/* Can only add if TDLS ... */
6251 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
6252 			return -EOPNOTSUPP;
6253 		/* ... with external setup is supported */
6254 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
6255 			return -EOPNOTSUPP;
6256 		/*
6257 		 * Older wpa_supplicant versions always mark the TDLS peer
6258 		 * as authorized, but it shouldn't yet be.
6259 		 */
6260 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
6261 		break;
6262 	default:
6263 		return -EOPNOTSUPP;
6264 	}
6265 
6266 	/* be aware of params.vlan when changing code here */
6267 
6268 	err = rdev_add_station(rdev, dev, mac_addr, &params);
6269 
6270 	if (params.vlan)
6271 		dev_put(params.vlan);
6272 	return err;
6273 }
6274 
6275 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
6276 {
6277 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6278 	struct net_device *dev = info->user_ptr[1];
6279 	struct station_del_parameters params;
6280 
6281 	memset(&params, 0, sizeof(params));
6282 
6283 	if (info->attrs[NL80211_ATTR_MAC])
6284 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
6285 
6286 	switch (dev->ieee80211_ptr->iftype) {
6287 	case NL80211_IFTYPE_AP:
6288 	case NL80211_IFTYPE_AP_VLAN:
6289 	case NL80211_IFTYPE_MESH_POINT:
6290 	case NL80211_IFTYPE_P2P_GO:
6291 		/* always accept these */
6292 		break;
6293 	case NL80211_IFTYPE_ADHOC:
6294 		/* conditionally accept */
6295 		if (wiphy_ext_feature_isset(&rdev->wiphy,
6296 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
6297 			break;
6298 		return -EINVAL;
6299 	default:
6300 		return -EINVAL;
6301 	}
6302 
6303 	if (!rdev->ops->del_station)
6304 		return -EOPNOTSUPP;
6305 
6306 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
6307 		params.subtype =
6308 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
6309 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
6310 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
6311 			return -EINVAL;
6312 	} else {
6313 		/* Default to Deauthentication frame */
6314 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
6315 	}
6316 
6317 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
6318 		params.reason_code =
6319 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
6320 		if (params.reason_code == 0)
6321 			return -EINVAL; /* 0 is reserved */
6322 	} else {
6323 		/* Default to reason code 2 */
6324 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
6325 	}
6326 
6327 	return rdev_del_station(rdev, dev, &params);
6328 }
6329 
6330 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
6331 				int flags, struct net_device *dev,
6332 				u8 *dst, u8 *next_hop,
6333 				struct mpath_info *pinfo)
6334 {
6335 	void *hdr;
6336 	struct nlattr *pinfoattr;
6337 
6338 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
6339 	if (!hdr)
6340 		return -1;
6341 
6342 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6343 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
6344 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
6345 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
6346 		goto nla_put_failure;
6347 
6348 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
6349 	if (!pinfoattr)
6350 		goto nla_put_failure;
6351 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
6352 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
6353 			pinfo->frame_qlen))
6354 		goto nla_put_failure;
6355 	if (((pinfo->filled & MPATH_INFO_SN) &&
6356 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
6357 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
6358 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
6359 			 pinfo->metric)) ||
6360 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
6361 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
6362 			 pinfo->exptime)) ||
6363 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
6364 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
6365 			pinfo->flags)) ||
6366 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
6367 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
6368 			 pinfo->discovery_timeout)) ||
6369 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
6370 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
6371 			pinfo->discovery_retries)) ||
6372 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
6373 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
6374 			pinfo->hop_count)) ||
6375 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
6376 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
6377 			 pinfo->path_change_count)))
6378 		goto nla_put_failure;
6379 
6380 	nla_nest_end(msg, pinfoattr);
6381 
6382 	genlmsg_end(msg, hdr);
6383 	return 0;
6384 
6385  nla_put_failure:
6386 	genlmsg_cancel(msg, hdr);
6387 	return -EMSGSIZE;
6388 }
6389 
6390 static int nl80211_dump_mpath(struct sk_buff *skb,
6391 			      struct netlink_callback *cb)
6392 {
6393 	struct mpath_info pinfo;
6394 	struct cfg80211_registered_device *rdev;
6395 	struct wireless_dev *wdev;
6396 	u8 dst[ETH_ALEN];
6397 	u8 next_hop[ETH_ALEN];
6398 	int path_idx = cb->args[2];
6399 	int err;
6400 
6401 	rtnl_lock();
6402 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
6403 	if (err)
6404 		goto out_err;
6405 
6406 	if (!rdev->ops->dump_mpath) {
6407 		err = -EOPNOTSUPP;
6408 		goto out_err;
6409 	}
6410 
6411 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
6412 		err = -EOPNOTSUPP;
6413 		goto out_err;
6414 	}
6415 
6416 	while (1) {
6417 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
6418 				      next_hop, &pinfo);
6419 		if (err == -ENOENT)
6420 			break;
6421 		if (err)
6422 			goto out_err;
6423 
6424 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
6425 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
6426 				       wdev->netdev, dst, next_hop,
6427 				       &pinfo) < 0)
6428 			goto out;
6429 
6430 		path_idx++;
6431 	}
6432 
6433  out:
6434 	cb->args[2] = path_idx;
6435 	err = skb->len;
6436  out_err:
6437 	rtnl_unlock();
6438 	return err;
6439 }
6440 
6441 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
6442 {
6443 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6444 	int err;
6445 	struct net_device *dev = info->user_ptr[1];
6446 	struct mpath_info pinfo;
6447 	struct sk_buff *msg;
6448 	u8 *dst = NULL;
6449 	u8 next_hop[ETH_ALEN];
6450 
6451 	memset(&pinfo, 0, sizeof(pinfo));
6452 
6453 	if (!info->attrs[NL80211_ATTR_MAC])
6454 		return -EINVAL;
6455 
6456 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6457 
6458 	if (!rdev->ops->get_mpath)
6459 		return -EOPNOTSUPP;
6460 
6461 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6462 		return -EOPNOTSUPP;
6463 
6464 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
6465 	if (err)
6466 		return err;
6467 
6468 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6469 	if (!msg)
6470 		return -ENOMEM;
6471 
6472 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
6473 				 dev, dst, next_hop, &pinfo) < 0) {
6474 		nlmsg_free(msg);
6475 		return -ENOBUFS;
6476 	}
6477 
6478 	return genlmsg_reply(msg, info);
6479 }
6480 
6481 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
6482 {
6483 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6484 	struct net_device *dev = info->user_ptr[1];
6485 	u8 *dst = NULL;
6486 	u8 *next_hop = NULL;
6487 
6488 	if (!info->attrs[NL80211_ATTR_MAC])
6489 		return -EINVAL;
6490 
6491 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
6492 		return -EINVAL;
6493 
6494 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6495 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
6496 
6497 	if (!rdev->ops->change_mpath)
6498 		return -EOPNOTSUPP;
6499 
6500 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6501 		return -EOPNOTSUPP;
6502 
6503 	return rdev_change_mpath(rdev, dev, dst, next_hop);
6504 }
6505 
6506 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
6507 {
6508 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6509 	struct net_device *dev = info->user_ptr[1];
6510 	u8 *dst = NULL;
6511 	u8 *next_hop = NULL;
6512 
6513 	if (!info->attrs[NL80211_ATTR_MAC])
6514 		return -EINVAL;
6515 
6516 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
6517 		return -EINVAL;
6518 
6519 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6520 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
6521 
6522 	if (!rdev->ops->add_mpath)
6523 		return -EOPNOTSUPP;
6524 
6525 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6526 		return -EOPNOTSUPP;
6527 
6528 	return rdev_add_mpath(rdev, dev, dst, next_hop);
6529 }
6530 
6531 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
6532 {
6533 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6534 	struct net_device *dev = info->user_ptr[1];
6535 	u8 *dst = NULL;
6536 
6537 	if (info->attrs[NL80211_ATTR_MAC])
6538 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6539 
6540 	if (!rdev->ops->del_mpath)
6541 		return -EOPNOTSUPP;
6542 
6543 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6544 		return -EOPNOTSUPP;
6545 
6546 	return rdev_del_mpath(rdev, dev, dst);
6547 }
6548 
6549 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
6550 {
6551 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6552 	int err;
6553 	struct net_device *dev = info->user_ptr[1];
6554 	struct mpath_info pinfo;
6555 	struct sk_buff *msg;
6556 	u8 *dst = NULL;
6557 	u8 mpp[ETH_ALEN];
6558 
6559 	memset(&pinfo, 0, sizeof(pinfo));
6560 
6561 	if (!info->attrs[NL80211_ATTR_MAC])
6562 		return -EINVAL;
6563 
6564 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6565 
6566 	if (!rdev->ops->get_mpp)
6567 		return -EOPNOTSUPP;
6568 
6569 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6570 		return -EOPNOTSUPP;
6571 
6572 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
6573 	if (err)
6574 		return err;
6575 
6576 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6577 	if (!msg)
6578 		return -ENOMEM;
6579 
6580 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
6581 			       dev, dst, mpp, &pinfo) < 0) {
6582 		nlmsg_free(msg);
6583 		return -ENOBUFS;
6584 	}
6585 
6586 	return genlmsg_reply(msg, info);
6587 }
6588 
6589 static int nl80211_dump_mpp(struct sk_buff *skb,
6590 			    struct netlink_callback *cb)
6591 {
6592 	struct mpath_info pinfo;
6593 	struct cfg80211_registered_device *rdev;
6594 	struct wireless_dev *wdev;
6595 	u8 dst[ETH_ALEN];
6596 	u8 mpp[ETH_ALEN];
6597 	int path_idx = cb->args[2];
6598 	int err;
6599 
6600 	rtnl_lock();
6601 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
6602 	if (err)
6603 		goto out_err;
6604 
6605 	if (!rdev->ops->dump_mpp) {
6606 		err = -EOPNOTSUPP;
6607 		goto out_err;
6608 	}
6609 
6610 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
6611 		err = -EOPNOTSUPP;
6612 		goto out_err;
6613 	}
6614 
6615 	while (1) {
6616 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
6617 				    mpp, &pinfo);
6618 		if (err == -ENOENT)
6619 			break;
6620 		if (err)
6621 			goto out_err;
6622 
6623 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
6624 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
6625 				       wdev->netdev, dst, mpp,
6626 				       &pinfo) < 0)
6627 			goto out;
6628 
6629 		path_idx++;
6630 	}
6631 
6632  out:
6633 	cb->args[2] = path_idx;
6634 	err = skb->len;
6635  out_err:
6636 	rtnl_unlock();
6637 	return err;
6638 }
6639 
6640 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
6641 {
6642 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6643 	struct net_device *dev = info->user_ptr[1];
6644 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6645 	struct bss_parameters params;
6646 	int err;
6647 
6648 	memset(&params, 0, sizeof(params));
6649 	/* default to not changing parameters */
6650 	params.use_cts_prot = -1;
6651 	params.use_short_preamble = -1;
6652 	params.use_short_slot_time = -1;
6653 	params.ap_isolate = -1;
6654 	params.ht_opmode = -1;
6655 	params.p2p_ctwindow = -1;
6656 	params.p2p_opp_ps = -1;
6657 
6658 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
6659 		params.use_cts_prot =
6660 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
6661 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
6662 		params.use_short_preamble =
6663 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
6664 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
6665 		params.use_short_slot_time =
6666 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
6667 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
6668 		params.basic_rates =
6669 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6670 		params.basic_rates_len =
6671 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6672 	}
6673 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
6674 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
6675 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
6676 		params.ht_opmode =
6677 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
6678 
6679 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6680 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6681 			return -EINVAL;
6682 		params.p2p_ctwindow =
6683 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6684 		if (params.p2p_ctwindow != 0 &&
6685 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
6686 			return -EINVAL;
6687 	}
6688 
6689 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6690 		u8 tmp;
6691 
6692 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6693 			return -EINVAL;
6694 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6695 		params.p2p_opp_ps = tmp;
6696 		if (params.p2p_opp_ps &&
6697 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
6698 			return -EINVAL;
6699 	}
6700 
6701 	if (!rdev->ops->change_bss)
6702 		return -EOPNOTSUPP;
6703 
6704 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6705 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6706 		return -EOPNOTSUPP;
6707 
6708 	wdev_lock(wdev);
6709 	err = rdev_change_bss(rdev, dev, &params);
6710 	wdev_unlock(wdev);
6711 
6712 	return err;
6713 }
6714 
6715 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
6716 {
6717 	char *data = NULL;
6718 	bool is_indoor;
6719 	enum nl80211_user_reg_hint_type user_reg_hint_type;
6720 	u32 owner_nlportid;
6721 
6722 	/*
6723 	 * You should only get this when cfg80211 hasn't yet initialized
6724 	 * completely when built-in to the kernel right between the time
6725 	 * window between nl80211_init() and regulatory_init(), if that is
6726 	 * even possible.
6727 	 */
6728 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
6729 		return -EINPROGRESS;
6730 
6731 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
6732 		user_reg_hint_type =
6733 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
6734 	else
6735 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
6736 
6737 	switch (user_reg_hint_type) {
6738 	case NL80211_USER_REG_HINT_USER:
6739 	case NL80211_USER_REG_HINT_CELL_BASE:
6740 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
6741 			return -EINVAL;
6742 
6743 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
6744 		return regulatory_hint_user(data, user_reg_hint_type);
6745 	case NL80211_USER_REG_HINT_INDOOR:
6746 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
6747 			owner_nlportid = info->snd_portid;
6748 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
6749 		} else {
6750 			owner_nlportid = 0;
6751 			is_indoor = true;
6752 		}
6753 
6754 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
6755 	default:
6756 		return -EINVAL;
6757 	}
6758 }
6759 
6760 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
6761 {
6762 	return reg_reload_regdb();
6763 }
6764 
6765 static int nl80211_get_mesh_config(struct sk_buff *skb,
6766 				   struct genl_info *info)
6767 {
6768 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6769 	struct net_device *dev = info->user_ptr[1];
6770 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6771 	struct mesh_config cur_params;
6772 	int err = 0;
6773 	void *hdr;
6774 	struct nlattr *pinfoattr;
6775 	struct sk_buff *msg;
6776 
6777 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
6778 		return -EOPNOTSUPP;
6779 
6780 	if (!rdev->ops->get_mesh_config)
6781 		return -EOPNOTSUPP;
6782 
6783 	wdev_lock(wdev);
6784 	/* If not connected, get default parameters */
6785 	if (!wdev->mesh_id_len)
6786 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
6787 	else
6788 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
6789 	wdev_unlock(wdev);
6790 
6791 	if (err)
6792 		return err;
6793 
6794 	/* Draw up a netlink message to send back */
6795 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6796 	if (!msg)
6797 		return -ENOMEM;
6798 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
6799 			     NL80211_CMD_GET_MESH_CONFIG);
6800 	if (!hdr)
6801 		goto out;
6802 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
6803 	if (!pinfoattr)
6804 		goto nla_put_failure;
6805 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6806 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
6807 			cur_params.dot11MeshRetryTimeout) ||
6808 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
6809 			cur_params.dot11MeshConfirmTimeout) ||
6810 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
6811 			cur_params.dot11MeshHoldingTimeout) ||
6812 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
6813 			cur_params.dot11MeshMaxPeerLinks) ||
6814 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
6815 		       cur_params.dot11MeshMaxRetries) ||
6816 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
6817 		       cur_params.dot11MeshTTL) ||
6818 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
6819 		       cur_params.element_ttl) ||
6820 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
6821 		       cur_params.auto_open_plinks) ||
6822 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
6823 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
6824 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
6825 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
6826 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
6827 			cur_params.path_refresh_time) ||
6828 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
6829 			cur_params.min_discovery_timeout) ||
6830 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
6831 			cur_params.dot11MeshHWMPactivePathTimeout) ||
6832 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
6833 			cur_params.dot11MeshHWMPpreqMinInterval) ||
6834 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
6835 			cur_params.dot11MeshHWMPperrMinInterval) ||
6836 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
6837 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
6838 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
6839 		       cur_params.dot11MeshHWMPRootMode) ||
6840 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
6841 			cur_params.dot11MeshHWMPRannInterval) ||
6842 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
6843 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
6844 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
6845 		       cur_params.dot11MeshForwarding) ||
6846 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
6847 			cur_params.rssi_threshold) ||
6848 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
6849 			cur_params.ht_opmode) ||
6850 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
6851 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
6852 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
6853 			cur_params.dot11MeshHWMProotInterval) ||
6854 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
6855 			cur_params.dot11MeshHWMPconfirmationInterval) ||
6856 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
6857 			cur_params.power_mode) ||
6858 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
6859 			cur_params.dot11MeshAwakeWindowDuration) ||
6860 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
6861 			cur_params.plink_timeout) ||
6862 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
6863 		       cur_params.dot11MeshConnectedToMeshGate))
6864 		goto nla_put_failure;
6865 	nla_nest_end(msg, pinfoattr);
6866 	genlmsg_end(msg, hdr);
6867 	return genlmsg_reply(msg, info);
6868 
6869  nla_put_failure:
6870  out:
6871 	nlmsg_free(msg);
6872 	return -ENOBUFS;
6873 }
6874 
6875 static const struct nla_policy
6876 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
6877 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
6878 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
6879 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
6880 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
6881 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
6882 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
6883 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
6884 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
6885 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
6886 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
6887 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
6888 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
6889 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
6890 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
6891 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
6892 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
6893 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
6894 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
6895 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
6896 		NLA_POLICY_MIN(NLA_U16, 1),
6897 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
6898 		NLA_POLICY_MIN(NLA_U16, 1),
6899 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
6900 		NLA_POLICY_MIN(NLA_U16, 1),
6901 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
6902 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
6903 		NLA_POLICY_MIN(NLA_U16, 1),
6904 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
6905 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
6906 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
6907 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
6908 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
6909 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
6910 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
6911 		NLA_POLICY_MIN(NLA_U16, 1),
6912 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
6913 		NLA_POLICY_MIN(NLA_U16, 1),
6914 	[NL80211_MESHCONF_POWER_MODE] =
6915 		NLA_POLICY_RANGE(NLA_U32,
6916 				 NL80211_MESH_POWER_ACTIVE,
6917 				 NL80211_MESH_POWER_MAX),
6918 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
6919 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
6920 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
6921 };
6922 
6923 static const struct nla_policy
6924 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
6925 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
6926 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
6927 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
6928 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
6929 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
6930 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
6931 	[NL80211_MESH_SETUP_IE] =
6932 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
6933 				       IEEE80211_MAX_DATA_LEN),
6934 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
6935 };
6936 
6937 static int nl80211_parse_mesh_config(struct genl_info *info,
6938 				     struct mesh_config *cfg,
6939 				     u32 *mask_out)
6940 {
6941 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
6942 	u32 mask = 0;
6943 	u16 ht_opmode;
6944 
6945 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
6946 do {									\
6947 	if (tb[attr]) {							\
6948 		cfg->param = fn(tb[attr]);				\
6949 		mask |= BIT((attr) - 1);				\
6950 	}								\
6951 } while (0)
6952 
6953 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
6954 		return -EINVAL;
6955 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
6956 		return -EINVAL;
6957 
6958 	/* This makes sure that there aren't more than 32 mesh config
6959 	 * parameters (otherwise our bitfield scheme would not work.) */
6960 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
6961 
6962 	/* Fill in the params struct */
6963 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
6964 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
6965 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
6966 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
6967 				  nla_get_u16);
6968 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
6969 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
6970 				  nla_get_u16);
6971 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
6972 				  NL80211_MESHCONF_MAX_PEER_LINKS,
6973 				  nla_get_u16);
6974 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
6975 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
6976 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
6977 				  NL80211_MESHCONF_TTL, nla_get_u8);
6978 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
6979 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
6980 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
6981 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
6982 				  nla_get_u8);
6983 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
6984 				  mask,
6985 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
6986 				  nla_get_u32);
6987 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
6988 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
6989 				  nla_get_u8);
6990 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
6991 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
6992 				  nla_get_u32);
6993 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
6994 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
6995 		return -EINVAL;
6996 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
6997 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
6998 				  nla_get_u16);
6999 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
7000 				  mask,
7001 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7002 				  nla_get_u32);
7003 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
7004 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
7005 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
7006 		return -EINVAL;
7007 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
7008 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7009 				  nla_get_u16);
7010 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
7011 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7012 				  nla_get_u16);
7013 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7014 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
7015 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7016 				  nla_get_u16);
7017 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
7018 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
7019 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
7020 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7021 				  nla_get_u16);
7022 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
7023 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7024 				  nla_get_u8);
7025 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
7026 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
7027 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
7028 				  NL80211_MESHCONF_RSSI_THRESHOLD,
7029 				  nla_get_s32);
7030 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
7031 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
7032 				  nla_get_u8);
7033 	/*
7034 	 * Check HT operation mode based on
7035 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
7036 	 */
7037 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
7038 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
7039 
7040 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
7041 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
7042 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
7043 			return -EINVAL;
7044 
7045 		/* NON_HT_STA bit is reserved, but some programs set it */
7046 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
7047 
7048 		cfg->ht_opmode = ht_opmode;
7049 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
7050 	}
7051 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7052 				  dot11MeshHWMPactivePathToRootTimeout, mask,
7053 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7054 				  nla_get_u32);
7055 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
7056 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
7057 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
7058 		return -EINVAL;
7059 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
7060 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7061 				  nla_get_u16);
7062 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
7063 				  mask,
7064 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7065 				  nla_get_u16);
7066 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
7067 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
7068 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
7069 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
7070 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
7071 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
7072 	if (mask_out)
7073 		*mask_out = mask;
7074 
7075 	return 0;
7076 
7077 #undef FILL_IN_MESH_PARAM_IF_SET
7078 }
7079 
7080 static int nl80211_parse_mesh_setup(struct genl_info *info,
7081 				     struct mesh_setup *setup)
7082 {
7083 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7084 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
7085 
7086 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
7087 		return -EINVAL;
7088 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
7089 		return -EINVAL;
7090 
7091 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
7092 		setup->sync_method =
7093 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
7094 		 IEEE80211_SYNC_METHOD_VENDOR :
7095 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
7096 
7097 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
7098 		setup->path_sel_proto =
7099 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
7100 		 IEEE80211_PATH_PROTOCOL_VENDOR :
7101 		 IEEE80211_PATH_PROTOCOL_HWMP;
7102 
7103 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
7104 		setup->path_metric =
7105 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
7106 		 IEEE80211_PATH_METRIC_VENDOR :
7107 		 IEEE80211_PATH_METRIC_AIRTIME;
7108 
7109 	if (tb[NL80211_MESH_SETUP_IE]) {
7110 		struct nlattr *ieattr =
7111 			tb[NL80211_MESH_SETUP_IE];
7112 		setup->ie = nla_data(ieattr);
7113 		setup->ie_len = nla_len(ieattr);
7114 	}
7115 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
7116 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
7117 		return -EINVAL;
7118 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
7119 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
7120 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
7121 	if (setup->is_secure)
7122 		setup->user_mpm = true;
7123 
7124 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
7125 		if (!setup->user_mpm)
7126 			return -EINVAL;
7127 		setup->auth_id =
7128 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
7129 	}
7130 
7131 	return 0;
7132 }
7133 
7134 static int nl80211_update_mesh_config(struct sk_buff *skb,
7135 				      struct genl_info *info)
7136 {
7137 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7138 	struct net_device *dev = info->user_ptr[1];
7139 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7140 	struct mesh_config cfg;
7141 	u32 mask;
7142 	int err;
7143 
7144 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7145 		return -EOPNOTSUPP;
7146 
7147 	if (!rdev->ops->update_mesh_config)
7148 		return -EOPNOTSUPP;
7149 
7150 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
7151 	if (err)
7152 		return err;
7153 
7154 	wdev_lock(wdev);
7155 	if (!wdev->mesh_id_len)
7156 		err = -ENOLINK;
7157 
7158 	if (!err)
7159 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
7160 
7161 	wdev_unlock(wdev);
7162 
7163 	return err;
7164 }
7165 
7166 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
7167 			      struct sk_buff *msg)
7168 {
7169 	struct nlattr *nl_reg_rules;
7170 	unsigned int i;
7171 
7172 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
7173 	    (regdom->dfs_region &&
7174 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
7175 		goto nla_put_failure;
7176 
7177 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
7178 	if (!nl_reg_rules)
7179 		goto nla_put_failure;
7180 
7181 	for (i = 0; i < regdom->n_reg_rules; i++) {
7182 		struct nlattr *nl_reg_rule;
7183 		const struct ieee80211_reg_rule *reg_rule;
7184 		const struct ieee80211_freq_range *freq_range;
7185 		const struct ieee80211_power_rule *power_rule;
7186 		unsigned int max_bandwidth_khz;
7187 
7188 		reg_rule = &regdom->reg_rules[i];
7189 		freq_range = &reg_rule->freq_range;
7190 		power_rule = &reg_rule->power_rule;
7191 
7192 		nl_reg_rule = nla_nest_start_noflag(msg, i);
7193 		if (!nl_reg_rule)
7194 			goto nla_put_failure;
7195 
7196 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
7197 		if (!max_bandwidth_khz)
7198 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
7199 								  reg_rule);
7200 
7201 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
7202 				reg_rule->flags) ||
7203 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
7204 				freq_range->start_freq_khz) ||
7205 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
7206 				freq_range->end_freq_khz) ||
7207 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
7208 				max_bandwidth_khz) ||
7209 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
7210 				power_rule->max_antenna_gain) ||
7211 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
7212 				power_rule->max_eirp) ||
7213 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
7214 				reg_rule->dfs_cac_ms))
7215 			goto nla_put_failure;
7216 
7217 		nla_nest_end(msg, nl_reg_rule);
7218 	}
7219 
7220 	nla_nest_end(msg, nl_reg_rules);
7221 	return 0;
7222 
7223 nla_put_failure:
7224 	return -EMSGSIZE;
7225 }
7226 
7227 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
7228 {
7229 	const struct ieee80211_regdomain *regdom = NULL;
7230 	struct cfg80211_registered_device *rdev;
7231 	struct wiphy *wiphy = NULL;
7232 	struct sk_buff *msg;
7233 	void *hdr;
7234 
7235 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7236 	if (!msg)
7237 		return -ENOBUFS;
7238 
7239 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7240 			     NL80211_CMD_GET_REG);
7241 	if (!hdr)
7242 		goto put_failure;
7243 
7244 	if (info->attrs[NL80211_ATTR_WIPHY]) {
7245 		bool self_managed;
7246 
7247 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
7248 		if (IS_ERR(rdev)) {
7249 			nlmsg_free(msg);
7250 			return PTR_ERR(rdev);
7251 		}
7252 
7253 		wiphy = &rdev->wiphy;
7254 		self_managed = wiphy->regulatory_flags &
7255 			       REGULATORY_WIPHY_SELF_MANAGED;
7256 		regdom = get_wiphy_regdom(wiphy);
7257 
7258 		/* a self-managed-reg device must have a private regdom */
7259 		if (WARN_ON(!regdom && self_managed)) {
7260 			nlmsg_free(msg);
7261 			return -EINVAL;
7262 		}
7263 
7264 		if (regdom &&
7265 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
7266 			goto nla_put_failure;
7267 	}
7268 
7269 	if (!wiphy && reg_last_request_cell_base() &&
7270 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
7271 			NL80211_USER_REG_HINT_CELL_BASE))
7272 		goto nla_put_failure;
7273 
7274 	rcu_read_lock();
7275 
7276 	if (!regdom)
7277 		regdom = rcu_dereference(cfg80211_regdomain);
7278 
7279 	if (nl80211_put_regdom(regdom, msg))
7280 		goto nla_put_failure_rcu;
7281 
7282 	rcu_read_unlock();
7283 
7284 	genlmsg_end(msg, hdr);
7285 	return genlmsg_reply(msg, info);
7286 
7287 nla_put_failure_rcu:
7288 	rcu_read_unlock();
7289 nla_put_failure:
7290 put_failure:
7291 	nlmsg_free(msg);
7292 	return -EMSGSIZE;
7293 }
7294 
7295 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
7296 			       u32 seq, int flags, struct wiphy *wiphy,
7297 			       const struct ieee80211_regdomain *regdom)
7298 {
7299 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
7300 				   NL80211_CMD_GET_REG);
7301 
7302 	if (!hdr)
7303 		return -1;
7304 
7305 	genl_dump_check_consistent(cb, hdr);
7306 
7307 	if (nl80211_put_regdom(regdom, msg))
7308 		goto nla_put_failure;
7309 
7310 	if (!wiphy && reg_last_request_cell_base() &&
7311 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
7312 			NL80211_USER_REG_HINT_CELL_BASE))
7313 		goto nla_put_failure;
7314 
7315 	if (wiphy &&
7316 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
7317 		goto nla_put_failure;
7318 
7319 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
7320 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
7321 		goto nla_put_failure;
7322 
7323 	genlmsg_end(msg, hdr);
7324 	return 0;
7325 
7326 nla_put_failure:
7327 	genlmsg_cancel(msg, hdr);
7328 	return -EMSGSIZE;
7329 }
7330 
7331 static int nl80211_get_reg_dump(struct sk_buff *skb,
7332 				struct netlink_callback *cb)
7333 {
7334 	const struct ieee80211_regdomain *regdom = NULL;
7335 	struct cfg80211_registered_device *rdev;
7336 	int err, reg_idx, start = cb->args[2];
7337 
7338 	rtnl_lock();
7339 
7340 	if (cfg80211_regdomain && start == 0) {
7341 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
7342 					  NLM_F_MULTI, NULL,
7343 					  rtnl_dereference(cfg80211_regdomain));
7344 		if (err < 0)
7345 			goto out_err;
7346 	}
7347 
7348 	/* the global regdom is idx 0 */
7349 	reg_idx = 1;
7350 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
7351 		regdom = get_wiphy_regdom(&rdev->wiphy);
7352 		if (!regdom)
7353 			continue;
7354 
7355 		if (++reg_idx <= start)
7356 			continue;
7357 
7358 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
7359 					  NLM_F_MULTI, &rdev->wiphy, regdom);
7360 		if (err < 0) {
7361 			reg_idx--;
7362 			break;
7363 		}
7364 	}
7365 
7366 	cb->args[2] = reg_idx;
7367 	err = skb->len;
7368 out_err:
7369 	rtnl_unlock();
7370 	return err;
7371 }
7372 
7373 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
7374 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
7375 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
7376 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
7377 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
7378 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
7379 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
7380 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
7381 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
7382 };
7383 
7384 static int parse_reg_rule(struct nlattr *tb[],
7385 	struct ieee80211_reg_rule *reg_rule)
7386 {
7387 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
7388 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
7389 
7390 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
7391 		return -EINVAL;
7392 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
7393 		return -EINVAL;
7394 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
7395 		return -EINVAL;
7396 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
7397 		return -EINVAL;
7398 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
7399 		return -EINVAL;
7400 
7401 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
7402 
7403 	freq_range->start_freq_khz =
7404 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
7405 	freq_range->end_freq_khz =
7406 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
7407 	freq_range->max_bandwidth_khz =
7408 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
7409 
7410 	power_rule->max_eirp =
7411 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
7412 
7413 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
7414 		power_rule->max_antenna_gain =
7415 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
7416 
7417 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
7418 		reg_rule->dfs_cac_ms =
7419 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
7420 
7421 	return 0;
7422 }
7423 
7424 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
7425 {
7426 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
7427 	struct nlattr *nl_reg_rule;
7428 	char *alpha2;
7429 	int rem_reg_rules, r;
7430 	u32 num_rules = 0, rule_idx = 0;
7431 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
7432 	struct ieee80211_regdomain *rd;
7433 
7434 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
7435 		return -EINVAL;
7436 
7437 	if (!info->attrs[NL80211_ATTR_REG_RULES])
7438 		return -EINVAL;
7439 
7440 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
7441 
7442 	if (info->attrs[NL80211_ATTR_DFS_REGION])
7443 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
7444 
7445 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
7446 			    rem_reg_rules) {
7447 		num_rules++;
7448 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
7449 			return -EINVAL;
7450 	}
7451 
7452 	if (!reg_is_valid_request(alpha2))
7453 		return -EINVAL;
7454 
7455 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
7456 	if (!rd)
7457 		return -ENOMEM;
7458 
7459 	rd->n_reg_rules = num_rules;
7460 	rd->alpha2[0] = alpha2[0];
7461 	rd->alpha2[1] = alpha2[1];
7462 
7463 	/*
7464 	 * Disable DFS master mode if the DFS region was
7465 	 * not supported or known on this kernel.
7466 	 */
7467 	if (reg_supported_dfs_region(dfs_region))
7468 		rd->dfs_region = dfs_region;
7469 
7470 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
7471 			    rem_reg_rules) {
7472 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
7473 						nl_reg_rule, reg_rule_policy,
7474 						info->extack);
7475 		if (r)
7476 			goto bad_reg;
7477 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
7478 		if (r)
7479 			goto bad_reg;
7480 
7481 		rule_idx++;
7482 
7483 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
7484 			r = -EINVAL;
7485 			goto bad_reg;
7486 		}
7487 	}
7488 
7489 	/* set_regdom takes ownership of rd */
7490 	return set_regdom(rd, REGD_SOURCE_CRDA);
7491  bad_reg:
7492 	kfree(rd);
7493 	return r;
7494 }
7495 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
7496 
7497 static int validate_scan_freqs(struct nlattr *freqs)
7498 {
7499 	struct nlattr *attr1, *attr2;
7500 	int n_channels = 0, tmp1, tmp2;
7501 
7502 	nla_for_each_nested(attr1, freqs, tmp1)
7503 		if (nla_len(attr1) != sizeof(u32))
7504 			return 0;
7505 
7506 	nla_for_each_nested(attr1, freqs, tmp1) {
7507 		n_channels++;
7508 		/*
7509 		 * Some hardware has a limited channel list for
7510 		 * scanning, and it is pretty much nonsensical
7511 		 * to scan for a channel twice, so disallow that
7512 		 * and don't require drivers to check that the
7513 		 * channel list they get isn't longer than what
7514 		 * they can scan, as long as they can scan all
7515 		 * the channels they registered at once.
7516 		 */
7517 		nla_for_each_nested(attr2, freqs, tmp2)
7518 			if (attr1 != attr2 &&
7519 			    nla_get_u32(attr1) == nla_get_u32(attr2))
7520 				return 0;
7521 	}
7522 
7523 	return n_channels;
7524 }
7525 
7526 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
7527 {
7528 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
7529 }
7530 
7531 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
7532 			    struct cfg80211_bss_selection *bss_select)
7533 {
7534 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
7535 	struct nlattr *nest;
7536 	int err;
7537 	bool found = false;
7538 	int i;
7539 
7540 	/* only process one nested attribute */
7541 	nest = nla_data(nla);
7542 	if (!nla_ok(nest, nla_len(nest)))
7543 		return -EINVAL;
7544 
7545 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
7546 					  nest, nl80211_bss_select_policy,
7547 					  NULL);
7548 	if (err)
7549 		return err;
7550 
7551 	/* only one attribute may be given */
7552 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
7553 		if (attr[i]) {
7554 			if (found)
7555 				return -EINVAL;
7556 			found = true;
7557 		}
7558 	}
7559 
7560 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
7561 
7562 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
7563 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
7564 
7565 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
7566 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
7567 		bss_select->param.band_pref =
7568 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
7569 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
7570 			return -EINVAL;
7571 	}
7572 
7573 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
7574 		struct nl80211_bss_select_rssi_adjust *adj_param;
7575 
7576 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
7577 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
7578 		bss_select->param.adjust.band = adj_param->band;
7579 		bss_select->param.adjust.delta = adj_param->delta;
7580 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
7581 			return -EINVAL;
7582 	}
7583 
7584 	/* user-space did not provide behaviour attribute */
7585 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
7586 		return -EINVAL;
7587 
7588 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
7589 		return -EINVAL;
7590 
7591 	return 0;
7592 }
7593 
7594 int nl80211_parse_random_mac(struct nlattr **attrs,
7595 			     u8 *mac_addr, u8 *mac_addr_mask)
7596 {
7597 	int i;
7598 
7599 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
7600 		eth_zero_addr(mac_addr);
7601 		eth_zero_addr(mac_addr_mask);
7602 		mac_addr[0] = 0x2;
7603 		mac_addr_mask[0] = 0x3;
7604 
7605 		return 0;
7606 	}
7607 
7608 	/* need both or none */
7609 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
7610 		return -EINVAL;
7611 
7612 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
7613 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
7614 
7615 	/* don't allow or configure an mcast address */
7616 	if (!is_multicast_ether_addr(mac_addr_mask) ||
7617 	    is_multicast_ether_addr(mac_addr))
7618 		return -EINVAL;
7619 
7620 	/*
7621 	 * allow users to pass a MAC address that has bits set outside
7622 	 * of the mask, but don't bother drivers with having to deal
7623 	 * with such bits
7624 	 */
7625 	for (i = 0; i < ETH_ALEN; i++)
7626 		mac_addr[i] &= mac_addr_mask[i];
7627 
7628 	return 0;
7629 }
7630 
7631 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev)
7632 {
7633 	ASSERT_WDEV_LOCK(wdev);
7634 
7635 	if (!cfg80211_beaconing_iface_active(wdev))
7636 		return true;
7637 
7638 	if (!(wdev->chandef.chan->flags & IEEE80211_CHAN_RADAR))
7639 		return true;
7640 
7641 	return regulatory_pre_cac_allowed(wdev->wiphy);
7642 }
7643 
7644 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
7645 				    enum nl80211_ext_feature_index feat)
7646 {
7647 	if (!(flags & flag))
7648 		return true;
7649 	if (wiphy_ext_feature_isset(wiphy, feat))
7650 		return true;
7651 	return false;
7652 }
7653 
7654 static int
7655 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
7656 			 void *request, struct nlattr **attrs,
7657 			 bool is_sched_scan)
7658 {
7659 	u8 *mac_addr, *mac_addr_mask;
7660 	u32 *flags;
7661 	enum nl80211_feature_flags randomness_flag;
7662 
7663 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
7664 		return 0;
7665 
7666 	if (is_sched_scan) {
7667 		struct cfg80211_sched_scan_request *req = request;
7668 
7669 		randomness_flag = wdev ?
7670 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
7671 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
7672 		flags = &req->flags;
7673 		mac_addr = req->mac_addr;
7674 		mac_addr_mask = req->mac_addr_mask;
7675 	} else {
7676 		struct cfg80211_scan_request *req = request;
7677 
7678 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
7679 		flags = &req->flags;
7680 		mac_addr = req->mac_addr;
7681 		mac_addr_mask = req->mac_addr_mask;
7682 	}
7683 
7684 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
7685 
7686 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
7687 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
7688 	    !nl80211_check_scan_feat(wiphy, *flags,
7689 				     NL80211_SCAN_FLAG_LOW_SPAN,
7690 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
7691 	    !nl80211_check_scan_feat(wiphy, *flags,
7692 				     NL80211_SCAN_FLAG_LOW_POWER,
7693 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
7694 	    !nl80211_check_scan_feat(wiphy, *flags,
7695 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
7696 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
7697 	    !nl80211_check_scan_feat(wiphy, *flags,
7698 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
7699 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
7700 	    !nl80211_check_scan_feat(wiphy, *flags,
7701 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
7702 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
7703 	    !nl80211_check_scan_feat(wiphy, *flags,
7704 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
7705 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
7706 	    !nl80211_check_scan_feat(wiphy, *flags,
7707 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
7708 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
7709 	    !nl80211_check_scan_feat(wiphy, *flags,
7710 				     NL80211_SCAN_FLAG_RANDOM_SN,
7711 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
7712 	    !nl80211_check_scan_feat(wiphy, *flags,
7713 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
7714 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
7715 		return -EOPNOTSUPP;
7716 
7717 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
7718 		int err;
7719 
7720 		if (!(wiphy->features & randomness_flag) ||
7721 		    (wdev && wdev->current_bss))
7722 			return -EOPNOTSUPP;
7723 
7724 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
7725 		if (err)
7726 			return err;
7727 	}
7728 
7729 	return 0;
7730 }
7731 
7732 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
7733 {
7734 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7735 	struct wireless_dev *wdev = info->user_ptr[1];
7736 	struct cfg80211_scan_request *request;
7737 	struct nlattr *attr;
7738 	struct wiphy *wiphy;
7739 	int err, tmp, n_ssids = 0, n_channels, i;
7740 	size_t ie_len;
7741 
7742 	wiphy = &rdev->wiphy;
7743 
7744 	if (wdev->iftype == NL80211_IFTYPE_NAN)
7745 		return -EOPNOTSUPP;
7746 
7747 	if (!rdev->ops->scan)
7748 		return -EOPNOTSUPP;
7749 
7750 	if (rdev->scan_req || rdev->scan_msg) {
7751 		err = -EBUSY;
7752 		goto unlock;
7753 	}
7754 
7755 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7756 		n_channels = validate_scan_freqs(
7757 				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
7758 		if (!n_channels) {
7759 			err = -EINVAL;
7760 			goto unlock;
7761 		}
7762 	} else {
7763 		n_channels = ieee80211_get_num_supported_channels(wiphy);
7764 	}
7765 
7766 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
7767 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
7768 			n_ssids++;
7769 
7770 	if (n_ssids > wiphy->max_scan_ssids) {
7771 		err = -EINVAL;
7772 		goto unlock;
7773 	}
7774 
7775 	if (info->attrs[NL80211_ATTR_IE])
7776 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7777 	else
7778 		ie_len = 0;
7779 
7780 	if (ie_len > wiphy->max_scan_ie_len) {
7781 		err = -EINVAL;
7782 		goto unlock;
7783 	}
7784 
7785 	request = kzalloc(sizeof(*request)
7786 			+ sizeof(*request->ssids) * n_ssids
7787 			+ sizeof(*request->channels) * n_channels
7788 			+ ie_len, GFP_KERNEL);
7789 	if (!request) {
7790 		err = -ENOMEM;
7791 		goto unlock;
7792 	}
7793 
7794 	if (n_ssids)
7795 		request->ssids = (void *)&request->channels[n_channels];
7796 	request->n_ssids = n_ssids;
7797 	if (ie_len) {
7798 		if (n_ssids)
7799 			request->ie = (void *)(request->ssids + n_ssids);
7800 		else
7801 			request->ie = (void *)(request->channels + n_channels);
7802 	}
7803 
7804 	i = 0;
7805 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7806 		/* user specified, bail out if channel not found */
7807 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
7808 			struct ieee80211_channel *chan;
7809 
7810 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
7811 
7812 			if (!chan) {
7813 				err = -EINVAL;
7814 				goto out_free;
7815 			}
7816 
7817 			/* ignore disabled channels */
7818 			if (chan->flags & IEEE80211_CHAN_DISABLED)
7819 				continue;
7820 
7821 			request->channels[i] = chan;
7822 			i++;
7823 		}
7824 	} else {
7825 		enum nl80211_band band;
7826 
7827 		/* all channels */
7828 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
7829 			int j;
7830 
7831 			if (!wiphy->bands[band])
7832 				continue;
7833 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
7834 				struct ieee80211_channel *chan;
7835 
7836 				chan = &wiphy->bands[band]->channels[j];
7837 
7838 				if (chan->flags & IEEE80211_CHAN_DISABLED)
7839 					continue;
7840 
7841 				request->channels[i] = chan;
7842 				i++;
7843 			}
7844 		}
7845 	}
7846 
7847 	if (!i) {
7848 		err = -EINVAL;
7849 		goto out_free;
7850 	}
7851 
7852 	request->n_channels = i;
7853 
7854 	wdev_lock(wdev);
7855 	if (!cfg80211_off_channel_oper_allowed(wdev)) {
7856 		struct ieee80211_channel *chan;
7857 
7858 		if (request->n_channels != 1) {
7859 			wdev_unlock(wdev);
7860 			err = -EBUSY;
7861 			goto out_free;
7862 		}
7863 
7864 		chan = request->channels[0];
7865 		if (chan->center_freq != wdev->chandef.chan->center_freq) {
7866 			wdev_unlock(wdev);
7867 			err = -EBUSY;
7868 			goto out_free;
7869 		}
7870 	}
7871 	wdev_unlock(wdev);
7872 
7873 	i = 0;
7874 	if (n_ssids) {
7875 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
7876 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
7877 				err = -EINVAL;
7878 				goto out_free;
7879 			}
7880 			request->ssids[i].ssid_len = nla_len(attr);
7881 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
7882 			i++;
7883 		}
7884 	}
7885 
7886 	if (info->attrs[NL80211_ATTR_IE]) {
7887 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7888 		memcpy((void *)request->ie,
7889 		       nla_data(info->attrs[NL80211_ATTR_IE]),
7890 		       request->ie_len);
7891 	}
7892 
7893 	for (i = 0; i < NUM_NL80211_BANDS; i++)
7894 		if (wiphy->bands[i])
7895 			request->rates[i] =
7896 				(1 << wiphy->bands[i]->n_bitrates) - 1;
7897 
7898 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
7899 		nla_for_each_nested(attr,
7900 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
7901 				    tmp) {
7902 			enum nl80211_band band = nla_type(attr);
7903 
7904 			if (band < 0 || band >= NUM_NL80211_BANDS) {
7905 				err = -EINVAL;
7906 				goto out_free;
7907 			}
7908 
7909 			if (!wiphy->bands[band])
7910 				continue;
7911 
7912 			err = ieee80211_get_ratemask(wiphy->bands[band],
7913 						     nla_data(attr),
7914 						     nla_len(attr),
7915 						     &request->rates[band]);
7916 			if (err)
7917 				goto out_free;
7918 		}
7919 	}
7920 
7921 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
7922 		if (!wiphy_ext_feature_isset(wiphy,
7923 					NL80211_EXT_FEATURE_SET_SCAN_DWELL)) {
7924 			err = -EOPNOTSUPP;
7925 			goto out_free;
7926 		}
7927 
7928 		request->duration =
7929 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
7930 		request->duration_mandatory =
7931 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
7932 	}
7933 
7934 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
7935 				       false);
7936 	if (err)
7937 		goto out_free;
7938 
7939 	request->no_cck =
7940 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
7941 
7942 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
7943 	 * BSSID to scan for. This was problematic because that same attribute
7944 	 * was already used for another purpose (local random MAC address). The
7945 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
7946 	 * compatibility with older userspace components, also use the
7947 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
7948 	 * the specific BSSID use case instead of the random MAC address
7949 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
7950 	 */
7951 	if (info->attrs[NL80211_ATTR_BSSID])
7952 		memcpy(request->bssid,
7953 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
7954 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
7955 		 info->attrs[NL80211_ATTR_MAC])
7956 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
7957 		       ETH_ALEN);
7958 	else
7959 		eth_broadcast_addr(request->bssid);
7960 
7961 	request->wdev = wdev;
7962 	request->wiphy = &rdev->wiphy;
7963 	request->scan_start = jiffies;
7964 
7965 	rdev->scan_req = request;
7966 	err = rdev_scan(rdev, request);
7967 
7968 	if (!err) {
7969 		nl80211_send_scan_start(rdev, wdev);
7970 		if (wdev->netdev)
7971 			dev_hold(wdev->netdev);
7972 	} else {
7973  out_free:
7974 		rdev->scan_req = NULL;
7975 		kfree(request);
7976 	}
7977 
7978  unlock:
7979 	return err;
7980 }
7981 
7982 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
7983 {
7984 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7985 	struct wireless_dev *wdev = info->user_ptr[1];
7986 
7987 	if (!rdev->ops->abort_scan)
7988 		return -EOPNOTSUPP;
7989 
7990 	if (rdev->scan_msg)
7991 		return 0;
7992 
7993 	if (!rdev->scan_req)
7994 		return -ENOENT;
7995 
7996 	rdev_abort_scan(rdev, wdev);
7997 	return 0;
7998 }
7999 
8000 static int
8001 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
8002 			       struct cfg80211_sched_scan_request *request,
8003 			       struct nlattr **attrs)
8004 {
8005 	int tmp, err, i = 0;
8006 	struct nlattr *attr;
8007 
8008 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
8009 		u32 interval;
8010 
8011 		/*
8012 		 * If scan plans are not specified,
8013 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
8014 		 * case one scan plan will be set with the specified scan
8015 		 * interval and infinite number of iterations.
8016 		 */
8017 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
8018 		if (!interval)
8019 			return -EINVAL;
8020 
8021 		request->scan_plans[0].interval =
8022 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
8023 		if (!request->scan_plans[0].interval)
8024 			return -EINVAL;
8025 
8026 		if (request->scan_plans[0].interval >
8027 		    wiphy->max_sched_scan_plan_interval)
8028 			request->scan_plans[0].interval =
8029 				wiphy->max_sched_scan_plan_interval;
8030 
8031 		return 0;
8032 	}
8033 
8034 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
8035 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
8036 
8037 		if (WARN_ON(i >= n_plans))
8038 			return -EINVAL;
8039 
8040 		err = nla_parse_nested_deprecated(plan,
8041 						  NL80211_SCHED_SCAN_PLAN_MAX,
8042 						  attr, nl80211_plan_policy,
8043 						  NULL);
8044 		if (err)
8045 			return err;
8046 
8047 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
8048 			return -EINVAL;
8049 
8050 		request->scan_plans[i].interval =
8051 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
8052 		if (!request->scan_plans[i].interval ||
8053 		    request->scan_plans[i].interval >
8054 		    wiphy->max_sched_scan_plan_interval)
8055 			return -EINVAL;
8056 
8057 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
8058 			request->scan_plans[i].iterations =
8059 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
8060 			if (!request->scan_plans[i].iterations ||
8061 			    (request->scan_plans[i].iterations >
8062 			     wiphy->max_sched_scan_plan_iterations))
8063 				return -EINVAL;
8064 		} else if (i < n_plans - 1) {
8065 			/*
8066 			 * All scan plans but the last one must specify
8067 			 * a finite number of iterations
8068 			 */
8069 			return -EINVAL;
8070 		}
8071 
8072 		i++;
8073 	}
8074 
8075 	/*
8076 	 * The last scan plan must not specify the number of
8077 	 * iterations, it is supposed to run infinitely
8078 	 */
8079 	if (request->scan_plans[n_plans - 1].iterations)
8080 		return  -EINVAL;
8081 
8082 	return 0;
8083 }
8084 
8085 static int
8086 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
8087 				       struct cfg80211_match_set *match_sets,
8088 				       struct nlattr *tb_band_rssi,
8089 				       s32 rssi_thold)
8090 {
8091 	struct nlattr *attr;
8092 	int i, tmp, ret = 0;
8093 
8094 	if (!wiphy_ext_feature_isset(wiphy,
8095 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
8096 		if (tb_band_rssi)
8097 			ret = -EOPNOTSUPP;
8098 		else
8099 			for (i = 0; i < NUM_NL80211_BANDS; i++)
8100 				match_sets->per_band_rssi_thold[i] =
8101 					NL80211_SCAN_RSSI_THOLD_OFF;
8102 		return ret;
8103 	}
8104 
8105 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8106 		match_sets->per_band_rssi_thold[i] = rssi_thold;
8107 
8108 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
8109 		enum nl80211_band band = nla_type(attr);
8110 
8111 		if (band < 0 || band >= NUM_NL80211_BANDS)
8112 			return -EINVAL;
8113 
8114 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
8115 	}
8116 
8117 	return 0;
8118 }
8119 
8120 static struct cfg80211_sched_scan_request *
8121 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
8122 			 struct nlattr **attrs, int max_match_sets)
8123 {
8124 	struct cfg80211_sched_scan_request *request;
8125 	struct nlattr *attr;
8126 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
8127 	enum nl80211_band band;
8128 	size_t ie_len;
8129 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
8130 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
8131 
8132 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
8133 		n_channels = validate_scan_freqs(
8134 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
8135 		if (!n_channels)
8136 			return ERR_PTR(-EINVAL);
8137 	} else {
8138 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8139 	}
8140 
8141 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
8142 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
8143 				    tmp)
8144 			n_ssids++;
8145 
8146 	if (n_ssids > wiphy->max_sched_scan_ssids)
8147 		return ERR_PTR(-EINVAL);
8148 
8149 	/*
8150 	 * First, count the number of 'real' matchsets. Due to an issue with
8151 	 * the old implementation, matchsets containing only the RSSI attribute
8152 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
8153 	 * RSSI for all matchsets, rather than their own matchset for reporting
8154 	 * all APs with a strong RSSI. This is needed to be compatible with
8155 	 * older userspace that treated a matchset with only the RSSI as the
8156 	 * global RSSI for all other matchsets - if there are other matchsets.
8157 	 */
8158 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
8159 		nla_for_each_nested(attr,
8160 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
8161 				    tmp) {
8162 			struct nlattr *rssi;
8163 
8164 			err = nla_parse_nested_deprecated(tb,
8165 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
8166 							  attr,
8167 							  nl80211_match_policy,
8168 							  NULL);
8169 			if (err)
8170 				return ERR_PTR(err);
8171 
8172 			/* SSID and BSSID are mutually exclusive */
8173 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
8174 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
8175 				return ERR_PTR(-EINVAL);
8176 
8177 			/* add other standalone attributes here */
8178 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
8179 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
8180 				n_match_sets++;
8181 				continue;
8182 			}
8183 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
8184 			if (rssi)
8185 				default_match_rssi = nla_get_s32(rssi);
8186 		}
8187 	}
8188 
8189 	/* However, if there's no other matchset, add the RSSI one */
8190 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
8191 		n_match_sets = 1;
8192 
8193 	if (n_match_sets > max_match_sets)
8194 		return ERR_PTR(-EINVAL);
8195 
8196 	if (attrs[NL80211_ATTR_IE])
8197 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
8198 	else
8199 		ie_len = 0;
8200 
8201 	if (ie_len > wiphy->max_sched_scan_ie_len)
8202 		return ERR_PTR(-EINVAL);
8203 
8204 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
8205 		/*
8206 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
8207 		 * each scan plan already specifies its own interval
8208 		 */
8209 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
8210 			return ERR_PTR(-EINVAL);
8211 
8212 		nla_for_each_nested(attr,
8213 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
8214 			n_plans++;
8215 	} else {
8216 		/*
8217 		 * The scan interval attribute is kept for backward
8218 		 * compatibility. If no scan plans are specified and sched scan
8219 		 * interval is specified, one scan plan will be set with this
8220 		 * scan interval and infinite number of iterations.
8221 		 */
8222 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
8223 			return ERR_PTR(-EINVAL);
8224 
8225 		n_plans = 1;
8226 	}
8227 
8228 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
8229 		return ERR_PTR(-EINVAL);
8230 
8231 	if (!wiphy_ext_feature_isset(
8232 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
8233 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
8234 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
8235 		return ERR_PTR(-EINVAL);
8236 
8237 	request = kzalloc(sizeof(*request)
8238 			+ sizeof(*request->ssids) * n_ssids
8239 			+ sizeof(*request->match_sets) * n_match_sets
8240 			+ sizeof(*request->scan_plans) * n_plans
8241 			+ sizeof(*request->channels) * n_channels
8242 			+ ie_len, GFP_KERNEL);
8243 	if (!request)
8244 		return ERR_PTR(-ENOMEM);
8245 
8246 	if (n_ssids)
8247 		request->ssids = (void *)&request->channels[n_channels];
8248 	request->n_ssids = n_ssids;
8249 	if (ie_len) {
8250 		if (n_ssids)
8251 			request->ie = (void *)(request->ssids + n_ssids);
8252 		else
8253 			request->ie = (void *)(request->channels + n_channels);
8254 	}
8255 
8256 	if (n_match_sets) {
8257 		if (request->ie)
8258 			request->match_sets = (void *)(request->ie + ie_len);
8259 		else if (n_ssids)
8260 			request->match_sets =
8261 				(void *)(request->ssids + n_ssids);
8262 		else
8263 			request->match_sets =
8264 				(void *)(request->channels + n_channels);
8265 	}
8266 	request->n_match_sets = n_match_sets;
8267 
8268 	if (n_match_sets)
8269 		request->scan_plans = (void *)(request->match_sets +
8270 					       n_match_sets);
8271 	else if (request->ie)
8272 		request->scan_plans = (void *)(request->ie + ie_len);
8273 	else if (n_ssids)
8274 		request->scan_plans = (void *)(request->ssids + n_ssids);
8275 	else
8276 		request->scan_plans = (void *)(request->channels + n_channels);
8277 
8278 	request->n_scan_plans = n_plans;
8279 
8280 	i = 0;
8281 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
8282 		/* user specified, bail out if channel not found */
8283 		nla_for_each_nested(attr,
8284 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
8285 				    tmp) {
8286 			struct ieee80211_channel *chan;
8287 
8288 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
8289 
8290 			if (!chan) {
8291 				err = -EINVAL;
8292 				goto out_free;
8293 			}
8294 
8295 			/* ignore disabled channels */
8296 			if (chan->flags & IEEE80211_CHAN_DISABLED)
8297 				continue;
8298 
8299 			request->channels[i] = chan;
8300 			i++;
8301 		}
8302 	} else {
8303 		/* all channels */
8304 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
8305 			int j;
8306 
8307 			if (!wiphy->bands[band])
8308 				continue;
8309 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
8310 				struct ieee80211_channel *chan;
8311 
8312 				chan = &wiphy->bands[band]->channels[j];
8313 
8314 				if (chan->flags & IEEE80211_CHAN_DISABLED)
8315 					continue;
8316 
8317 				request->channels[i] = chan;
8318 				i++;
8319 			}
8320 		}
8321 	}
8322 
8323 	if (!i) {
8324 		err = -EINVAL;
8325 		goto out_free;
8326 	}
8327 
8328 	request->n_channels = i;
8329 
8330 	i = 0;
8331 	if (n_ssids) {
8332 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
8333 				    tmp) {
8334 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
8335 				err = -EINVAL;
8336 				goto out_free;
8337 			}
8338 			request->ssids[i].ssid_len = nla_len(attr);
8339 			memcpy(request->ssids[i].ssid, nla_data(attr),
8340 			       nla_len(attr));
8341 			i++;
8342 		}
8343 	}
8344 
8345 	i = 0;
8346 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
8347 		nla_for_each_nested(attr,
8348 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
8349 				    tmp) {
8350 			struct nlattr *ssid, *bssid, *rssi;
8351 
8352 			err = nla_parse_nested_deprecated(tb,
8353 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
8354 							  attr,
8355 							  nl80211_match_policy,
8356 							  NULL);
8357 			if (err)
8358 				goto out_free;
8359 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
8360 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
8361 
8362 			if (!ssid && !bssid) {
8363 				i++;
8364 				continue;
8365 			}
8366 
8367 			if (WARN_ON(i >= n_match_sets)) {
8368 				/* this indicates a programming error,
8369 				 * the loop above should have verified
8370 				 * things properly
8371 				 */
8372 				err = -EINVAL;
8373 				goto out_free;
8374 			}
8375 
8376 			if (ssid) {
8377 				if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
8378 					err = -EINVAL;
8379 					goto out_free;
8380 				}
8381 				memcpy(request->match_sets[i].ssid.ssid,
8382 				       nla_data(ssid), nla_len(ssid));
8383 				request->match_sets[i].ssid.ssid_len =
8384 					nla_len(ssid);
8385 			}
8386 			if (bssid) {
8387 				if (nla_len(bssid) != ETH_ALEN) {
8388 					err = -EINVAL;
8389 					goto out_free;
8390 				}
8391 				memcpy(request->match_sets[i].bssid,
8392 				       nla_data(bssid), ETH_ALEN);
8393 			}
8394 
8395 			/* special attribute - old implementation w/a */
8396 			request->match_sets[i].rssi_thold = default_match_rssi;
8397 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
8398 			if (rssi)
8399 				request->match_sets[i].rssi_thold =
8400 					nla_get_s32(rssi);
8401 
8402 			/* Parse per band RSSI attribute */
8403 			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
8404 				&request->match_sets[i],
8405 				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
8406 				request->match_sets[i].rssi_thold);
8407 			if (err)
8408 				goto out_free;
8409 
8410 			i++;
8411 		}
8412 
8413 		/* there was no other matchset, so the RSSI one is alone */
8414 		if (i == 0 && n_match_sets)
8415 			request->match_sets[0].rssi_thold = default_match_rssi;
8416 
8417 		request->min_rssi_thold = INT_MAX;
8418 		for (i = 0; i < n_match_sets; i++)
8419 			request->min_rssi_thold =
8420 				min(request->match_sets[i].rssi_thold,
8421 				    request->min_rssi_thold);
8422 	} else {
8423 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
8424 	}
8425 
8426 	if (ie_len) {
8427 		request->ie_len = ie_len;
8428 		memcpy((void *)request->ie,
8429 		       nla_data(attrs[NL80211_ATTR_IE]),
8430 		       request->ie_len);
8431 	}
8432 
8433 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
8434 	if (err)
8435 		goto out_free;
8436 
8437 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
8438 		request->delay =
8439 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
8440 
8441 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
8442 		request->relative_rssi = nla_get_s8(
8443 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
8444 		request->relative_rssi_set = true;
8445 	}
8446 
8447 	if (request->relative_rssi_set &&
8448 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
8449 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
8450 
8451 		rssi_adjust = nla_data(
8452 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
8453 		request->rssi_adjust.band = rssi_adjust->band;
8454 		request->rssi_adjust.delta = rssi_adjust->delta;
8455 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
8456 			err = -EINVAL;
8457 			goto out_free;
8458 		}
8459 	}
8460 
8461 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
8462 	if (err)
8463 		goto out_free;
8464 
8465 	request->scan_start = jiffies;
8466 
8467 	return request;
8468 
8469 out_free:
8470 	kfree(request);
8471 	return ERR_PTR(err);
8472 }
8473 
8474 static int nl80211_start_sched_scan(struct sk_buff *skb,
8475 				    struct genl_info *info)
8476 {
8477 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8478 	struct net_device *dev = info->user_ptr[1];
8479 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8480 	struct cfg80211_sched_scan_request *sched_scan_req;
8481 	bool want_multi;
8482 	int err;
8483 
8484 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
8485 		return -EOPNOTSUPP;
8486 
8487 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
8488 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
8489 	if (err)
8490 		return err;
8491 
8492 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
8493 						  info->attrs,
8494 						  rdev->wiphy.max_match_sets);
8495 
8496 	err = PTR_ERR_OR_ZERO(sched_scan_req);
8497 	if (err)
8498 		goto out_err;
8499 
8500 	/* leave request id zero for legacy request
8501 	 * or if driver does not support multi-scheduled scan
8502 	 */
8503 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
8504 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
8505 
8506 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
8507 	if (err)
8508 		goto out_free;
8509 
8510 	sched_scan_req->dev = dev;
8511 	sched_scan_req->wiphy = &rdev->wiphy;
8512 
8513 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
8514 		sched_scan_req->owner_nlportid = info->snd_portid;
8515 
8516 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
8517 
8518 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
8519 	return 0;
8520 
8521 out_free:
8522 	kfree(sched_scan_req);
8523 out_err:
8524 	return err;
8525 }
8526 
8527 static int nl80211_stop_sched_scan(struct sk_buff *skb,
8528 				   struct genl_info *info)
8529 {
8530 	struct cfg80211_sched_scan_request *req;
8531 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8532 	u64 cookie;
8533 
8534 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
8535 		return -EOPNOTSUPP;
8536 
8537 	if (info->attrs[NL80211_ATTR_COOKIE]) {
8538 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
8539 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
8540 	}
8541 
8542 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
8543 				     struct cfg80211_sched_scan_request,
8544 				     list);
8545 	if (!req || req->reqid ||
8546 	    (req->owner_nlportid &&
8547 	     req->owner_nlportid != info->snd_portid))
8548 		return -ENOENT;
8549 
8550 	return cfg80211_stop_sched_scan_req(rdev, req, false);
8551 }
8552 
8553 static int nl80211_start_radar_detection(struct sk_buff *skb,
8554 					 struct genl_info *info)
8555 {
8556 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8557 	struct net_device *dev = info->user_ptr[1];
8558 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8559 	struct wiphy *wiphy = wdev->wiphy;
8560 	struct cfg80211_chan_def chandef;
8561 	enum nl80211_dfs_regions dfs_region;
8562 	unsigned int cac_time_ms;
8563 	int err;
8564 
8565 	dfs_region = reg_get_dfs_region(wiphy);
8566 	if (dfs_region == NL80211_DFS_UNSET)
8567 		return -EINVAL;
8568 
8569 	err = nl80211_parse_chandef(rdev, info, &chandef);
8570 	if (err)
8571 		return err;
8572 
8573 	if (netif_carrier_ok(dev))
8574 		return -EBUSY;
8575 
8576 	if (wdev->cac_started)
8577 		return -EBUSY;
8578 
8579 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
8580 	if (err < 0)
8581 		return err;
8582 
8583 	if (err == 0)
8584 		return -EINVAL;
8585 
8586 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
8587 		return -EINVAL;
8588 
8589 	/* CAC start is offloaded to HW and can't be started manually */
8590 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
8591 		return -EOPNOTSUPP;
8592 
8593 	if (!rdev->ops->start_radar_detection)
8594 		return -EOPNOTSUPP;
8595 
8596 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
8597 	if (WARN_ON(!cac_time_ms))
8598 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
8599 
8600 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
8601 	if (!err) {
8602 		wdev->chandef = chandef;
8603 		wdev->cac_started = true;
8604 		wdev->cac_start_time = jiffies;
8605 		wdev->cac_time_ms = cac_time_ms;
8606 	}
8607 	return err;
8608 }
8609 
8610 static int nl80211_notify_radar_detection(struct sk_buff *skb,
8611 					  struct genl_info *info)
8612 {
8613 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8614 	struct net_device *dev = info->user_ptr[1];
8615 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8616 	struct wiphy *wiphy = wdev->wiphy;
8617 	struct cfg80211_chan_def chandef;
8618 	enum nl80211_dfs_regions dfs_region;
8619 	int err;
8620 
8621 	dfs_region = reg_get_dfs_region(wiphy);
8622 	if (dfs_region == NL80211_DFS_UNSET) {
8623 		GENL_SET_ERR_MSG(info,
8624 				 "DFS Region is not set. Unexpected Radar indication");
8625 		return -EINVAL;
8626 	}
8627 
8628 	err = nl80211_parse_chandef(rdev, info, &chandef);
8629 	if (err) {
8630 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
8631 		return err;
8632 	}
8633 
8634 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
8635 	if (err < 0) {
8636 		GENL_SET_ERR_MSG(info, "chandef is invalid");
8637 		return err;
8638 	}
8639 
8640 	if (err == 0) {
8641 		GENL_SET_ERR_MSG(info,
8642 				 "Unexpected Radar indication for chandef/iftype");
8643 		return -EINVAL;
8644 	}
8645 
8646 	/* Do not process this notification if radar is already detected
8647 	 * by kernel on this channel, and return success.
8648 	 */
8649 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
8650 		return 0;
8651 
8652 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
8653 
8654 	cfg80211_sched_dfs_chan_update(rdev);
8655 
8656 	rdev->radar_chandef = chandef;
8657 
8658 	/* Propagate this notification to other radios as well */
8659 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
8660 
8661 	return 0;
8662 }
8663 
8664 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
8665 {
8666 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8667 	struct net_device *dev = info->user_ptr[1];
8668 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8669 	struct cfg80211_csa_settings params;
8670 	/* csa_attrs is defined static to avoid waste of stack size - this
8671 	 * function is called under RTNL lock, so this should not be a problem.
8672 	 */
8673 	static struct nlattr *csa_attrs[NL80211_ATTR_MAX+1];
8674 	int err;
8675 	bool need_new_beacon = false;
8676 	bool need_handle_dfs_flag = true;
8677 	int len, i;
8678 	u32 cs_count;
8679 
8680 	if (!rdev->ops->channel_switch ||
8681 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
8682 		return -EOPNOTSUPP;
8683 
8684 	switch (dev->ieee80211_ptr->iftype) {
8685 	case NL80211_IFTYPE_AP:
8686 	case NL80211_IFTYPE_P2P_GO:
8687 		need_new_beacon = true;
8688 		/* For all modes except AP the handle_dfs flag needs to be
8689 		 * supplied to tell the kernel that userspace will handle radar
8690 		 * events when they happen. Otherwise a switch to a channel
8691 		 * requiring DFS will be rejected.
8692 		 */
8693 		need_handle_dfs_flag = false;
8694 
8695 		/* useless if AP is not running */
8696 		if (!wdev->beacon_interval)
8697 			return -ENOTCONN;
8698 		break;
8699 	case NL80211_IFTYPE_ADHOC:
8700 		if (!wdev->ssid_len)
8701 			return -ENOTCONN;
8702 		break;
8703 	case NL80211_IFTYPE_MESH_POINT:
8704 		if (!wdev->mesh_id_len)
8705 			return -ENOTCONN;
8706 		break;
8707 	default:
8708 		return -EOPNOTSUPP;
8709 	}
8710 
8711 	memset(&params, 0, sizeof(params));
8712 	params.beacon_csa.ftm_responder = -1;
8713 
8714 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
8715 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
8716 		return -EINVAL;
8717 
8718 	/* only important for AP, IBSS and mesh create IEs internally */
8719 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
8720 		return -EINVAL;
8721 
8722 	/* Even though the attribute is u32, the specification says
8723 	 * u8, so let's make sure we don't overflow.
8724 	 */
8725 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
8726 	if (cs_count > 255)
8727 		return -EINVAL;
8728 
8729 	params.count = cs_count;
8730 
8731 	if (!need_new_beacon)
8732 		goto skip_beacons;
8733 
8734 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after);
8735 	if (err)
8736 		return err;
8737 
8738 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
8739 					  info->attrs[NL80211_ATTR_CSA_IES],
8740 					  nl80211_policy, info->extack);
8741 	if (err)
8742 		return err;
8743 
8744 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa);
8745 	if (err)
8746 		return err;
8747 
8748 	if (!csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON])
8749 		return -EINVAL;
8750 
8751 	len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
8752 	if (!len || (len % sizeof(u16)))
8753 		return -EINVAL;
8754 
8755 	params.n_counter_offsets_beacon = len / sizeof(u16);
8756 	if (rdev->wiphy.max_num_csa_counters &&
8757 	    (params.n_counter_offsets_beacon >
8758 	     rdev->wiphy.max_num_csa_counters))
8759 		return -EINVAL;
8760 
8761 	params.counter_offsets_beacon =
8762 		nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
8763 
8764 	/* sanity checks - counters should fit and be the same */
8765 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
8766 		u16 offset = params.counter_offsets_beacon[i];
8767 
8768 		if (offset >= params.beacon_csa.tail_len)
8769 			return -EINVAL;
8770 
8771 		if (params.beacon_csa.tail[offset] != params.count)
8772 			return -EINVAL;
8773 	}
8774 
8775 	if (csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]) {
8776 		len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
8777 		if (!len || (len % sizeof(u16)))
8778 			return -EINVAL;
8779 
8780 		params.n_counter_offsets_presp = len / sizeof(u16);
8781 		if (rdev->wiphy.max_num_csa_counters &&
8782 		    (params.n_counter_offsets_presp >
8783 		     rdev->wiphy.max_num_csa_counters))
8784 			return -EINVAL;
8785 
8786 		params.counter_offsets_presp =
8787 			nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
8788 
8789 		/* sanity checks - counters should fit and be the same */
8790 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
8791 			u16 offset = params.counter_offsets_presp[i];
8792 
8793 			if (offset >= params.beacon_csa.probe_resp_len)
8794 				return -EINVAL;
8795 
8796 			if (params.beacon_csa.probe_resp[offset] !=
8797 			    params.count)
8798 				return -EINVAL;
8799 		}
8800 	}
8801 
8802 skip_beacons:
8803 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
8804 	if (err)
8805 		return err;
8806 
8807 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
8808 					   wdev->iftype))
8809 		return -EINVAL;
8810 
8811 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
8812 					    &params.chandef,
8813 					    wdev->iftype);
8814 	if (err < 0)
8815 		return err;
8816 
8817 	if (err > 0) {
8818 		params.radar_required = true;
8819 		if (need_handle_dfs_flag &&
8820 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
8821 			return -EINVAL;
8822 		}
8823 	}
8824 
8825 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
8826 		params.block_tx = true;
8827 
8828 	wdev_lock(wdev);
8829 	err = rdev_channel_switch(rdev, dev, &params);
8830 	wdev_unlock(wdev);
8831 
8832 	return err;
8833 }
8834 
8835 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
8836 			    u32 seq, int flags,
8837 			    struct cfg80211_registered_device *rdev,
8838 			    struct wireless_dev *wdev,
8839 			    struct cfg80211_internal_bss *intbss)
8840 {
8841 	struct cfg80211_bss *res = &intbss->pub;
8842 	const struct cfg80211_bss_ies *ies;
8843 	void *hdr;
8844 	struct nlattr *bss;
8845 
8846 	ASSERT_WDEV_LOCK(wdev);
8847 
8848 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8849 			     NL80211_CMD_NEW_SCAN_RESULTS);
8850 	if (!hdr)
8851 		return -1;
8852 
8853 	genl_dump_check_consistent(cb, hdr);
8854 
8855 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
8856 		goto nla_put_failure;
8857 	if (wdev->netdev &&
8858 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
8859 		goto nla_put_failure;
8860 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
8861 			      NL80211_ATTR_PAD))
8862 		goto nla_put_failure;
8863 
8864 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
8865 	if (!bss)
8866 		goto nla_put_failure;
8867 	if ((!is_zero_ether_addr(res->bssid) &&
8868 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
8869 		goto nla_put_failure;
8870 
8871 	rcu_read_lock();
8872 	/* indicate whether we have probe response data or not */
8873 	if (rcu_access_pointer(res->proberesp_ies) &&
8874 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
8875 		goto fail_unlock_rcu;
8876 
8877 	/* this pointer prefers to be pointed to probe response data
8878 	 * but is always valid
8879 	 */
8880 	ies = rcu_dereference(res->ies);
8881 	if (ies) {
8882 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
8883 				      NL80211_BSS_PAD))
8884 			goto fail_unlock_rcu;
8885 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
8886 					ies->len, ies->data))
8887 			goto fail_unlock_rcu;
8888 	}
8889 
8890 	/* and this pointer is always (unless driver didn't know) beacon data */
8891 	ies = rcu_dereference(res->beacon_ies);
8892 	if (ies && ies->from_beacon) {
8893 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
8894 				      NL80211_BSS_PAD))
8895 			goto fail_unlock_rcu;
8896 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
8897 					ies->len, ies->data))
8898 			goto fail_unlock_rcu;
8899 	}
8900 	rcu_read_unlock();
8901 
8902 	if (res->beacon_interval &&
8903 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
8904 		goto nla_put_failure;
8905 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
8906 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
8907 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
8908 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
8909 			jiffies_to_msecs(jiffies - intbss->ts)))
8910 		goto nla_put_failure;
8911 
8912 	if (intbss->parent_tsf &&
8913 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
8914 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
8915 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
8916 		     intbss->parent_bssid)))
8917 		goto nla_put_failure;
8918 
8919 	if (intbss->ts_boottime &&
8920 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
8921 			      intbss->ts_boottime, NL80211_BSS_PAD))
8922 		goto nla_put_failure;
8923 
8924 	if (!nl80211_put_signal(msg, intbss->pub.chains,
8925 				intbss->pub.chain_signal,
8926 				NL80211_BSS_CHAIN_SIGNAL))
8927 		goto nla_put_failure;
8928 
8929 	switch (rdev->wiphy.signal_type) {
8930 	case CFG80211_SIGNAL_TYPE_MBM:
8931 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
8932 			goto nla_put_failure;
8933 		break;
8934 	case CFG80211_SIGNAL_TYPE_UNSPEC:
8935 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
8936 			goto nla_put_failure;
8937 		break;
8938 	default:
8939 		break;
8940 	}
8941 
8942 	switch (wdev->iftype) {
8943 	case NL80211_IFTYPE_P2P_CLIENT:
8944 	case NL80211_IFTYPE_STATION:
8945 		if (intbss == wdev->current_bss &&
8946 		    nla_put_u32(msg, NL80211_BSS_STATUS,
8947 				NL80211_BSS_STATUS_ASSOCIATED))
8948 			goto nla_put_failure;
8949 		break;
8950 	case NL80211_IFTYPE_ADHOC:
8951 		if (intbss == wdev->current_bss &&
8952 		    nla_put_u32(msg, NL80211_BSS_STATUS,
8953 				NL80211_BSS_STATUS_IBSS_JOINED))
8954 			goto nla_put_failure;
8955 		break;
8956 	default:
8957 		break;
8958 	}
8959 
8960 	nla_nest_end(msg, bss);
8961 
8962 	genlmsg_end(msg, hdr);
8963 	return 0;
8964 
8965  fail_unlock_rcu:
8966 	rcu_read_unlock();
8967  nla_put_failure:
8968 	genlmsg_cancel(msg, hdr);
8969 	return -EMSGSIZE;
8970 }
8971 
8972 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
8973 {
8974 	struct cfg80211_registered_device *rdev;
8975 	struct cfg80211_internal_bss *scan;
8976 	struct wireless_dev *wdev;
8977 	int start = cb->args[2], idx = 0;
8978 	int err;
8979 
8980 	rtnl_lock();
8981 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
8982 	if (err) {
8983 		rtnl_unlock();
8984 		return err;
8985 	}
8986 
8987 	wdev_lock(wdev);
8988 	spin_lock_bh(&rdev->bss_lock);
8989 
8990 	/*
8991 	 * dump_scan will be called multiple times to break up the scan results
8992 	 * into multiple messages.  It is unlikely that any more bss-es will be
8993 	 * expired after the first call, so only call only call this on the
8994 	 * first dump_scan invocation.
8995 	 */
8996 	if (start == 0)
8997 		cfg80211_bss_expire(rdev);
8998 
8999 	cb->seq = rdev->bss_generation;
9000 
9001 	list_for_each_entry(scan, &rdev->bss_list, list) {
9002 		if (++idx <= start)
9003 			continue;
9004 		if (nl80211_send_bss(skb, cb,
9005 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
9006 				rdev, wdev, scan) < 0) {
9007 			idx--;
9008 			break;
9009 		}
9010 	}
9011 
9012 	spin_unlock_bh(&rdev->bss_lock);
9013 	wdev_unlock(wdev);
9014 
9015 	cb->args[2] = idx;
9016 	rtnl_unlock();
9017 
9018 	return skb->len;
9019 }
9020 
9021 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
9022 			       int flags, struct net_device *dev,
9023 			       bool allow_radio_stats,
9024 			       struct survey_info *survey)
9025 {
9026 	void *hdr;
9027 	struct nlattr *infoattr;
9028 
9029 	/* skip radio stats if userspace didn't request them */
9030 	if (!survey->channel && !allow_radio_stats)
9031 		return 0;
9032 
9033 	hdr = nl80211hdr_put(msg, portid, seq, flags,
9034 			     NL80211_CMD_NEW_SURVEY_RESULTS);
9035 	if (!hdr)
9036 		return -ENOMEM;
9037 
9038 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
9039 		goto nla_put_failure;
9040 
9041 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
9042 	if (!infoattr)
9043 		goto nla_put_failure;
9044 
9045 	if (survey->channel &&
9046 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
9047 			survey->channel->center_freq))
9048 		goto nla_put_failure;
9049 
9050 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
9051 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
9052 		goto nla_put_failure;
9053 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
9054 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
9055 		goto nla_put_failure;
9056 	if ((survey->filled & SURVEY_INFO_TIME) &&
9057 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
9058 			survey->time, NL80211_SURVEY_INFO_PAD))
9059 		goto nla_put_failure;
9060 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
9061 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
9062 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
9063 		goto nla_put_failure;
9064 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
9065 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
9066 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
9067 		goto nla_put_failure;
9068 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
9069 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
9070 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
9071 		goto nla_put_failure;
9072 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
9073 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
9074 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
9075 		goto nla_put_failure;
9076 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
9077 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
9078 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
9079 		goto nla_put_failure;
9080 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
9081 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
9082 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
9083 		goto nla_put_failure;
9084 
9085 	nla_nest_end(msg, infoattr);
9086 
9087 	genlmsg_end(msg, hdr);
9088 	return 0;
9089 
9090  nla_put_failure:
9091 	genlmsg_cancel(msg, hdr);
9092 	return -EMSGSIZE;
9093 }
9094 
9095 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
9096 {
9097 	struct nlattr **attrbuf;
9098 	struct survey_info survey;
9099 	struct cfg80211_registered_device *rdev;
9100 	struct wireless_dev *wdev;
9101 	int survey_idx = cb->args[2];
9102 	int res;
9103 	bool radio_stats;
9104 
9105 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
9106 	if (!attrbuf)
9107 		return -ENOMEM;
9108 
9109 	rtnl_lock();
9110 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
9111 	if (res)
9112 		goto out_err;
9113 
9114 	/* prepare_wdev_dump parsed the attributes */
9115 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
9116 
9117 	if (!wdev->netdev) {
9118 		res = -EINVAL;
9119 		goto out_err;
9120 	}
9121 
9122 	if (!rdev->ops->dump_survey) {
9123 		res = -EOPNOTSUPP;
9124 		goto out_err;
9125 	}
9126 
9127 	while (1) {
9128 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
9129 		if (res == -ENOENT)
9130 			break;
9131 		if (res)
9132 			goto out_err;
9133 
9134 		/* don't send disabled channels, but do send non-channel data */
9135 		if (survey.channel &&
9136 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
9137 			survey_idx++;
9138 			continue;
9139 		}
9140 
9141 		if (nl80211_send_survey(skb,
9142 				NETLINK_CB(cb->skb).portid,
9143 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
9144 				wdev->netdev, radio_stats, &survey) < 0)
9145 			goto out;
9146 		survey_idx++;
9147 	}
9148 
9149  out:
9150 	cb->args[2] = survey_idx;
9151 	res = skb->len;
9152  out_err:
9153 	kfree(attrbuf);
9154 	rtnl_unlock();
9155 	return res;
9156 }
9157 
9158 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
9159 {
9160 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
9161 				  NL80211_WPA_VERSION_2 |
9162 				  NL80211_WPA_VERSION_3));
9163 }
9164 
9165 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
9166 {
9167 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9168 	struct net_device *dev = info->user_ptr[1];
9169 	struct ieee80211_channel *chan;
9170 	const u8 *bssid, *ssid, *ie = NULL, *auth_data = NULL;
9171 	int err, ssid_len, ie_len = 0, auth_data_len = 0;
9172 	enum nl80211_auth_type auth_type;
9173 	struct key_parse key;
9174 	bool local_state_change;
9175 
9176 	if (!info->attrs[NL80211_ATTR_MAC])
9177 		return -EINVAL;
9178 
9179 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
9180 		return -EINVAL;
9181 
9182 	if (!info->attrs[NL80211_ATTR_SSID])
9183 		return -EINVAL;
9184 
9185 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
9186 		return -EINVAL;
9187 
9188 	err = nl80211_parse_key(info, &key);
9189 	if (err)
9190 		return err;
9191 
9192 	if (key.idx >= 0) {
9193 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
9194 			return -EINVAL;
9195 		if (!key.p.key || !key.p.key_len)
9196 			return -EINVAL;
9197 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
9198 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
9199 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
9200 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
9201 			return -EINVAL;
9202 		if (key.idx > 3)
9203 			return -EINVAL;
9204 	} else {
9205 		key.p.key_len = 0;
9206 		key.p.key = NULL;
9207 	}
9208 
9209 	if (key.idx >= 0) {
9210 		int i;
9211 		bool ok = false;
9212 
9213 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
9214 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
9215 				ok = true;
9216 				break;
9217 			}
9218 		}
9219 		if (!ok)
9220 			return -EINVAL;
9221 	}
9222 
9223 	if (!rdev->ops->auth)
9224 		return -EOPNOTSUPP;
9225 
9226 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9227 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9228 		return -EOPNOTSUPP;
9229 
9230 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9231 	chan = nl80211_get_valid_chan(&rdev->wiphy,
9232 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
9233 	if (!chan)
9234 		return -EINVAL;
9235 
9236 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9237 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9238 
9239 	if (info->attrs[NL80211_ATTR_IE]) {
9240 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9241 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9242 	}
9243 
9244 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
9245 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
9246 		return -EINVAL;
9247 
9248 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
9249 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
9250 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
9251 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
9252 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
9253 		return -EINVAL;
9254 
9255 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
9256 		if (auth_type != NL80211_AUTHTYPE_SAE &&
9257 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
9258 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
9259 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
9260 			return -EINVAL;
9261 		auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
9262 		auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
9263 		/* need to include at least Auth Transaction and Status Code */
9264 		if (auth_data_len < 4)
9265 			return -EINVAL;
9266 	}
9267 
9268 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
9269 
9270 	/*
9271 	 * Since we no longer track auth state, ignore
9272 	 * requests to only change local state.
9273 	 */
9274 	if (local_state_change)
9275 		return 0;
9276 
9277 	wdev_lock(dev->ieee80211_ptr);
9278 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
9279 				 ssid, ssid_len, ie, ie_len,
9280 				 key.p.key, key.p.key_len, key.idx,
9281 				 auth_data, auth_data_len);
9282 	wdev_unlock(dev->ieee80211_ptr);
9283 	return err;
9284 }
9285 
9286 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
9287 				     struct genl_info *info)
9288 {
9289 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9290 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
9291 		return -EINVAL;
9292 	}
9293 
9294 	if (!rdev->ops->tx_control_port ||
9295 	    !wiphy_ext_feature_isset(&rdev->wiphy,
9296 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
9297 		return -EOPNOTSUPP;
9298 
9299 	return 0;
9300 }
9301 
9302 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
9303 				   struct genl_info *info,
9304 				   struct cfg80211_crypto_settings *settings,
9305 				   int cipher_limit)
9306 {
9307 	memset(settings, 0, sizeof(*settings));
9308 
9309 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
9310 
9311 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
9312 		u16 proto;
9313 
9314 		proto = nla_get_u16(
9315 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
9316 		settings->control_port_ethertype = cpu_to_be16(proto);
9317 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
9318 		    proto != ETH_P_PAE)
9319 			return -EINVAL;
9320 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
9321 			settings->control_port_no_encrypt = true;
9322 	} else
9323 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
9324 
9325 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
9326 		int r = validate_pae_over_nl80211(rdev, info);
9327 
9328 		if (r < 0)
9329 			return r;
9330 
9331 		settings->control_port_over_nl80211 = true;
9332 
9333 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
9334 			settings->control_port_no_preauth = true;
9335 	}
9336 
9337 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
9338 		void *data;
9339 		int len, i;
9340 
9341 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
9342 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
9343 		settings->n_ciphers_pairwise = len / sizeof(u32);
9344 
9345 		if (len % sizeof(u32))
9346 			return -EINVAL;
9347 
9348 		if (settings->n_ciphers_pairwise > cipher_limit)
9349 			return -EINVAL;
9350 
9351 		memcpy(settings->ciphers_pairwise, data, len);
9352 
9353 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
9354 			if (!cfg80211_supported_cipher_suite(
9355 					&rdev->wiphy,
9356 					settings->ciphers_pairwise[i]))
9357 				return -EINVAL;
9358 	}
9359 
9360 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
9361 		settings->cipher_group =
9362 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
9363 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
9364 						     settings->cipher_group))
9365 			return -EINVAL;
9366 	}
9367 
9368 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
9369 		settings->wpa_versions =
9370 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
9371 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
9372 			return -EINVAL;
9373 	}
9374 
9375 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
9376 		void *data;
9377 		int len;
9378 
9379 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
9380 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
9381 		settings->n_akm_suites = len / sizeof(u32);
9382 
9383 		if (len % sizeof(u32))
9384 			return -EINVAL;
9385 
9386 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
9387 			return -EINVAL;
9388 
9389 		memcpy(settings->akm_suites, data, len);
9390 	}
9391 
9392 	if (info->attrs[NL80211_ATTR_PMK]) {
9393 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
9394 			return -EINVAL;
9395 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9396 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK))
9397 			return -EINVAL;
9398 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
9399 	}
9400 
9401 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
9402 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9403 					     NL80211_EXT_FEATURE_SAE_OFFLOAD))
9404 			return -EINVAL;
9405 		settings->sae_pwd =
9406 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
9407 		settings->sae_pwd_len =
9408 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
9409 	}
9410 
9411 	return 0;
9412 }
9413 
9414 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
9415 {
9416 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9417 	struct net_device *dev = info->user_ptr[1];
9418 	struct ieee80211_channel *chan;
9419 	struct cfg80211_assoc_request req = {};
9420 	const u8 *bssid, *ssid;
9421 	int err, ssid_len = 0;
9422 
9423 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9424 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9425 		return -EPERM;
9426 
9427 	if (!info->attrs[NL80211_ATTR_MAC] ||
9428 	    !info->attrs[NL80211_ATTR_SSID] ||
9429 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
9430 		return -EINVAL;
9431 
9432 	if (!rdev->ops->assoc)
9433 		return -EOPNOTSUPP;
9434 
9435 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9436 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9437 		return -EOPNOTSUPP;
9438 
9439 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9440 
9441 	chan = nl80211_get_valid_chan(&rdev->wiphy,
9442 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
9443 	if (!chan)
9444 		return -EINVAL;
9445 
9446 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9447 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9448 
9449 	if (info->attrs[NL80211_ATTR_IE]) {
9450 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9451 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9452 	}
9453 
9454 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
9455 		enum nl80211_mfp mfp =
9456 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
9457 		if (mfp == NL80211_MFP_REQUIRED)
9458 			req.use_mfp = true;
9459 		else if (mfp != NL80211_MFP_NO)
9460 			return -EINVAL;
9461 	}
9462 
9463 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
9464 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
9465 
9466 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
9467 		req.flags |= ASSOC_REQ_DISABLE_HT;
9468 
9469 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9470 		memcpy(&req.ht_capa_mask,
9471 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
9472 		       sizeof(req.ht_capa_mask));
9473 
9474 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
9475 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9476 			return -EINVAL;
9477 		memcpy(&req.ht_capa,
9478 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
9479 		       sizeof(req.ht_capa));
9480 	}
9481 
9482 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
9483 		req.flags |= ASSOC_REQ_DISABLE_VHT;
9484 
9485 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
9486 		memcpy(&req.vht_capa_mask,
9487 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
9488 		       sizeof(req.vht_capa_mask));
9489 
9490 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
9491 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
9492 			return -EINVAL;
9493 		memcpy(&req.vht_capa,
9494 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
9495 		       sizeof(req.vht_capa));
9496 	}
9497 
9498 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
9499 		if (!((rdev->wiphy.features &
9500 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
9501 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
9502 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9503 					     NL80211_EXT_FEATURE_RRM))
9504 			return -EINVAL;
9505 		req.flags |= ASSOC_REQ_USE_RRM;
9506 	}
9507 
9508 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
9509 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
9510 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
9511 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
9512 			return -EINVAL;
9513 		req.fils_nonces =
9514 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
9515 	}
9516 
9517 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
9518 	if (!err) {
9519 		wdev_lock(dev->ieee80211_ptr);
9520 
9521 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
9522 					  ssid, ssid_len, &req);
9523 
9524 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9525 			dev->ieee80211_ptr->conn_owner_nlportid =
9526 				info->snd_portid;
9527 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
9528 			       bssid, ETH_ALEN);
9529 		}
9530 
9531 		wdev_unlock(dev->ieee80211_ptr);
9532 	}
9533 
9534 	return err;
9535 }
9536 
9537 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
9538 {
9539 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9540 	struct net_device *dev = info->user_ptr[1];
9541 	const u8 *ie = NULL, *bssid;
9542 	int ie_len = 0, err;
9543 	u16 reason_code;
9544 	bool local_state_change;
9545 
9546 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9547 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9548 		return -EPERM;
9549 
9550 	if (!info->attrs[NL80211_ATTR_MAC])
9551 		return -EINVAL;
9552 
9553 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
9554 		return -EINVAL;
9555 
9556 	if (!rdev->ops->deauth)
9557 		return -EOPNOTSUPP;
9558 
9559 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9560 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9561 		return -EOPNOTSUPP;
9562 
9563 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9564 
9565 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
9566 	if (reason_code == 0) {
9567 		/* Reason Code 0 is reserved */
9568 		return -EINVAL;
9569 	}
9570 
9571 	if (info->attrs[NL80211_ATTR_IE]) {
9572 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9573 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9574 	}
9575 
9576 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
9577 
9578 	wdev_lock(dev->ieee80211_ptr);
9579 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
9580 				   local_state_change);
9581 	wdev_unlock(dev->ieee80211_ptr);
9582 	return err;
9583 }
9584 
9585 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
9586 {
9587 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9588 	struct net_device *dev = info->user_ptr[1];
9589 	const u8 *ie = NULL, *bssid;
9590 	int ie_len = 0, err;
9591 	u16 reason_code;
9592 	bool local_state_change;
9593 
9594 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9595 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9596 		return -EPERM;
9597 
9598 	if (!info->attrs[NL80211_ATTR_MAC])
9599 		return -EINVAL;
9600 
9601 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
9602 		return -EINVAL;
9603 
9604 	if (!rdev->ops->disassoc)
9605 		return -EOPNOTSUPP;
9606 
9607 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9608 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9609 		return -EOPNOTSUPP;
9610 
9611 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9612 
9613 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
9614 	if (reason_code == 0) {
9615 		/* Reason Code 0 is reserved */
9616 		return -EINVAL;
9617 	}
9618 
9619 	if (info->attrs[NL80211_ATTR_IE]) {
9620 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9621 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9622 	}
9623 
9624 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
9625 
9626 	wdev_lock(dev->ieee80211_ptr);
9627 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
9628 				     local_state_change);
9629 	wdev_unlock(dev->ieee80211_ptr);
9630 	return err;
9631 }
9632 
9633 static bool
9634 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
9635 			 int mcast_rate[NUM_NL80211_BANDS],
9636 			 int rateval)
9637 {
9638 	struct wiphy *wiphy = &rdev->wiphy;
9639 	bool found = false;
9640 	int band, i;
9641 
9642 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
9643 		struct ieee80211_supported_band *sband;
9644 
9645 		sband = wiphy->bands[band];
9646 		if (!sband)
9647 			continue;
9648 
9649 		for (i = 0; i < sband->n_bitrates; i++) {
9650 			if (sband->bitrates[i].bitrate == rateval) {
9651 				mcast_rate[band] = i + 1;
9652 				found = true;
9653 				break;
9654 			}
9655 		}
9656 	}
9657 
9658 	return found;
9659 }
9660 
9661 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
9662 {
9663 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9664 	struct net_device *dev = info->user_ptr[1];
9665 	struct cfg80211_ibss_params ibss;
9666 	struct wiphy *wiphy;
9667 	struct cfg80211_cached_keys *connkeys = NULL;
9668 	int err;
9669 
9670 	memset(&ibss, 0, sizeof(ibss));
9671 
9672 	if (!info->attrs[NL80211_ATTR_SSID] ||
9673 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
9674 		return -EINVAL;
9675 
9676 	ibss.beacon_interval = 100;
9677 
9678 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
9679 		ibss.beacon_interval =
9680 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
9681 
9682 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
9683 					   ibss.beacon_interval);
9684 	if (err)
9685 		return err;
9686 
9687 	if (!rdev->ops->join_ibss)
9688 		return -EOPNOTSUPP;
9689 
9690 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
9691 		return -EOPNOTSUPP;
9692 
9693 	wiphy = &rdev->wiphy;
9694 
9695 	if (info->attrs[NL80211_ATTR_MAC]) {
9696 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9697 
9698 		if (!is_valid_ether_addr(ibss.bssid))
9699 			return -EINVAL;
9700 	}
9701 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9702 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9703 
9704 	if (info->attrs[NL80211_ATTR_IE]) {
9705 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9706 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9707 	}
9708 
9709 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
9710 	if (err)
9711 		return err;
9712 
9713 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
9714 				     NL80211_IFTYPE_ADHOC))
9715 		return -EINVAL;
9716 
9717 	switch (ibss.chandef.width) {
9718 	case NL80211_CHAN_WIDTH_5:
9719 	case NL80211_CHAN_WIDTH_10:
9720 	case NL80211_CHAN_WIDTH_20_NOHT:
9721 		break;
9722 	case NL80211_CHAN_WIDTH_20:
9723 	case NL80211_CHAN_WIDTH_40:
9724 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
9725 			return -EINVAL;
9726 		break;
9727 	case NL80211_CHAN_WIDTH_80:
9728 	case NL80211_CHAN_WIDTH_80P80:
9729 	case NL80211_CHAN_WIDTH_160:
9730 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
9731 			return -EINVAL;
9732 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9733 					     NL80211_EXT_FEATURE_VHT_IBSS))
9734 			return -EINVAL;
9735 		break;
9736 	default:
9737 		return -EINVAL;
9738 	}
9739 
9740 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
9741 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
9742 
9743 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
9744 		u8 *rates =
9745 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9746 		int n_rates =
9747 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9748 		struct ieee80211_supported_band *sband =
9749 			wiphy->bands[ibss.chandef.chan->band];
9750 
9751 		err = ieee80211_get_ratemask(sband, rates, n_rates,
9752 					     &ibss.basic_rates);
9753 		if (err)
9754 			return err;
9755 	}
9756 
9757 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9758 		memcpy(&ibss.ht_capa_mask,
9759 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
9760 		       sizeof(ibss.ht_capa_mask));
9761 
9762 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
9763 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9764 			return -EINVAL;
9765 		memcpy(&ibss.ht_capa,
9766 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
9767 		       sizeof(ibss.ht_capa));
9768 	}
9769 
9770 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
9771 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
9772 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
9773 		return -EINVAL;
9774 
9775 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
9776 		bool no_ht = false;
9777 
9778 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
9779 		if (IS_ERR(connkeys))
9780 			return PTR_ERR(connkeys);
9781 
9782 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
9783 		    no_ht) {
9784 			kzfree(connkeys);
9785 			return -EINVAL;
9786 		}
9787 	}
9788 
9789 	ibss.control_port =
9790 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
9791 
9792 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
9793 		int r = validate_pae_over_nl80211(rdev, info);
9794 
9795 		if (r < 0) {
9796 			kzfree(connkeys);
9797 			return r;
9798 		}
9799 
9800 		ibss.control_port_over_nl80211 = true;
9801 	}
9802 
9803 	ibss.userspace_handles_dfs =
9804 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
9805 
9806 	wdev_lock(dev->ieee80211_ptr);
9807 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
9808 	if (err)
9809 		kzfree(connkeys);
9810 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9811 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
9812 	wdev_unlock(dev->ieee80211_ptr);
9813 
9814 	return err;
9815 }
9816 
9817 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
9818 {
9819 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9820 	struct net_device *dev = info->user_ptr[1];
9821 
9822 	if (!rdev->ops->leave_ibss)
9823 		return -EOPNOTSUPP;
9824 
9825 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
9826 		return -EOPNOTSUPP;
9827 
9828 	return cfg80211_leave_ibss(rdev, dev, false);
9829 }
9830 
9831 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
9832 {
9833 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9834 	struct net_device *dev = info->user_ptr[1];
9835 	int mcast_rate[NUM_NL80211_BANDS];
9836 	u32 nla_rate;
9837 	int err;
9838 
9839 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
9840 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
9841 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
9842 		return -EOPNOTSUPP;
9843 
9844 	if (!rdev->ops->set_mcast_rate)
9845 		return -EOPNOTSUPP;
9846 
9847 	memset(mcast_rate, 0, sizeof(mcast_rate));
9848 
9849 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
9850 		return -EINVAL;
9851 
9852 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
9853 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
9854 		return -EINVAL;
9855 
9856 	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
9857 
9858 	return err;
9859 }
9860 
9861 static struct sk_buff *
9862 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
9863 			    struct wireless_dev *wdev, int approxlen,
9864 			    u32 portid, u32 seq, enum nl80211_commands cmd,
9865 			    enum nl80211_attrs attr,
9866 			    const struct nl80211_vendor_cmd_info *info,
9867 			    gfp_t gfp)
9868 {
9869 	struct sk_buff *skb;
9870 	void *hdr;
9871 	struct nlattr *data;
9872 
9873 	skb = nlmsg_new(approxlen + 100, gfp);
9874 	if (!skb)
9875 		return NULL;
9876 
9877 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
9878 	if (!hdr) {
9879 		kfree_skb(skb);
9880 		return NULL;
9881 	}
9882 
9883 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
9884 		goto nla_put_failure;
9885 
9886 	if (info) {
9887 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
9888 				info->vendor_id))
9889 			goto nla_put_failure;
9890 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
9891 				info->subcmd))
9892 			goto nla_put_failure;
9893 	}
9894 
9895 	if (wdev) {
9896 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
9897 				      wdev_id(wdev), NL80211_ATTR_PAD))
9898 			goto nla_put_failure;
9899 		if (wdev->netdev &&
9900 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
9901 				wdev->netdev->ifindex))
9902 			goto nla_put_failure;
9903 	}
9904 
9905 	data = nla_nest_start_noflag(skb, attr);
9906 	if (!data)
9907 		goto nla_put_failure;
9908 
9909 	((void **)skb->cb)[0] = rdev;
9910 	((void **)skb->cb)[1] = hdr;
9911 	((void **)skb->cb)[2] = data;
9912 
9913 	return skb;
9914 
9915  nla_put_failure:
9916 	kfree_skb(skb);
9917 	return NULL;
9918 }
9919 
9920 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
9921 					   struct wireless_dev *wdev,
9922 					   enum nl80211_commands cmd,
9923 					   enum nl80211_attrs attr,
9924 					   unsigned int portid,
9925 					   int vendor_event_idx,
9926 					   int approxlen, gfp_t gfp)
9927 {
9928 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
9929 	const struct nl80211_vendor_cmd_info *info;
9930 
9931 	switch (cmd) {
9932 	case NL80211_CMD_TESTMODE:
9933 		if (WARN_ON(vendor_event_idx != -1))
9934 			return NULL;
9935 		info = NULL;
9936 		break;
9937 	case NL80211_CMD_VENDOR:
9938 		if (WARN_ON(vendor_event_idx < 0 ||
9939 			    vendor_event_idx >= wiphy->n_vendor_events))
9940 			return NULL;
9941 		info = &wiphy->vendor_events[vendor_event_idx];
9942 		break;
9943 	default:
9944 		WARN_ON(1);
9945 		return NULL;
9946 	}
9947 
9948 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
9949 					   cmd, attr, info, gfp);
9950 }
9951 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
9952 
9953 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
9954 {
9955 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
9956 	void *hdr = ((void **)skb->cb)[1];
9957 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
9958 	struct nlattr *data = ((void **)skb->cb)[2];
9959 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
9960 
9961 	/* clear CB data for netlink core to own from now on */
9962 	memset(skb->cb, 0, sizeof(skb->cb));
9963 
9964 	nla_nest_end(skb, data);
9965 	genlmsg_end(skb, hdr);
9966 
9967 	if (nlhdr->nlmsg_pid) {
9968 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
9969 				nlhdr->nlmsg_pid);
9970 	} else {
9971 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
9972 			mcgrp = NL80211_MCGRP_VENDOR;
9973 
9974 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
9975 					skb, 0, mcgrp, gfp);
9976 	}
9977 }
9978 EXPORT_SYMBOL(__cfg80211_send_event_skb);
9979 
9980 #ifdef CONFIG_NL80211_TESTMODE
9981 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
9982 {
9983 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9984 	struct wireless_dev *wdev =
9985 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
9986 	int err;
9987 
9988 	if (!rdev->ops->testmode_cmd)
9989 		return -EOPNOTSUPP;
9990 
9991 	if (IS_ERR(wdev)) {
9992 		err = PTR_ERR(wdev);
9993 		if (err != -EINVAL)
9994 			return err;
9995 		wdev = NULL;
9996 	} else if (wdev->wiphy != &rdev->wiphy) {
9997 		return -EINVAL;
9998 	}
9999 
10000 	if (!info->attrs[NL80211_ATTR_TESTDATA])
10001 		return -EINVAL;
10002 
10003 	rdev->cur_cmd_info = info;
10004 	err = rdev_testmode_cmd(rdev, wdev,
10005 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
10006 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
10007 	rdev->cur_cmd_info = NULL;
10008 
10009 	return err;
10010 }
10011 
10012 static int nl80211_testmode_dump(struct sk_buff *skb,
10013 				 struct netlink_callback *cb)
10014 {
10015 	struct cfg80211_registered_device *rdev;
10016 	struct nlattr **attrbuf = NULL;
10017 	int err;
10018 	long phy_idx;
10019 	void *data = NULL;
10020 	int data_len = 0;
10021 
10022 	rtnl_lock();
10023 
10024 	if (cb->args[0]) {
10025 		/*
10026 		 * 0 is a valid index, but not valid for args[0],
10027 		 * so we need to offset by 1.
10028 		 */
10029 		phy_idx = cb->args[0] - 1;
10030 
10031 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
10032 		if (!rdev) {
10033 			err = -ENOENT;
10034 			goto out_err;
10035 		}
10036 	} else {
10037 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
10038 				  GFP_KERNEL);
10039 		if (!attrbuf) {
10040 			err = -ENOMEM;
10041 			goto out_err;
10042 		}
10043 
10044 		err = nlmsg_parse_deprecated(cb->nlh,
10045 					     GENL_HDRLEN + nl80211_fam.hdrsize,
10046 					     attrbuf, nl80211_fam.maxattr,
10047 					     nl80211_policy, NULL);
10048 		if (err)
10049 			goto out_err;
10050 
10051 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
10052 		if (IS_ERR(rdev)) {
10053 			err = PTR_ERR(rdev);
10054 			goto out_err;
10055 		}
10056 		phy_idx = rdev->wiphy_idx;
10057 
10058 		if (attrbuf[NL80211_ATTR_TESTDATA])
10059 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
10060 	}
10061 
10062 	if (cb->args[1]) {
10063 		data = nla_data((void *)cb->args[1]);
10064 		data_len = nla_len((void *)cb->args[1]);
10065 	}
10066 
10067 	if (!rdev->ops->testmode_dump) {
10068 		err = -EOPNOTSUPP;
10069 		goto out_err;
10070 	}
10071 
10072 	while (1) {
10073 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
10074 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
10075 					   NL80211_CMD_TESTMODE);
10076 		struct nlattr *tmdata;
10077 
10078 		if (!hdr)
10079 			break;
10080 
10081 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
10082 			genlmsg_cancel(skb, hdr);
10083 			break;
10084 		}
10085 
10086 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
10087 		if (!tmdata) {
10088 			genlmsg_cancel(skb, hdr);
10089 			break;
10090 		}
10091 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
10092 		nla_nest_end(skb, tmdata);
10093 
10094 		if (err == -ENOBUFS || err == -ENOENT) {
10095 			genlmsg_cancel(skb, hdr);
10096 			break;
10097 		} else if (err) {
10098 			genlmsg_cancel(skb, hdr);
10099 			goto out_err;
10100 		}
10101 
10102 		genlmsg_end(skb, hdr);
10103 	}
10104 
10105 	err = skb->len;
10106 	/* see above */
10107 	cb->args[0] = phy_idx + 1;
10108  out_err:
10109 	kfree(attrbuf);
10110 	rtnl_unlock();
10111 	return err;
10112 }
10113 #endif
10114 
10115 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
10116 {
10117 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10118 	struct net_device *dev = info->user_ptr[1];
10119 	struct cfg80211_connect_params connect;
10120 	struct wiphy *wiphy;
10121 	struct cfg80211_cached_keys *connkeys = NULL;
10122 	int err;
10123 
10124 	memset(&connect, 0, sizeof(connect));
10125 
10126 	if (!info->attrs[NL80211_ATTR_SSID] ||
10127 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
10128 		return -EINVAL;
10129 
10130 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
10131 		connect.auth_type =
10132 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10133 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
10134 					     NL80211_CMD_CONNECT))
10135 			return -EINVAL;
10136 	} else
10137 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
10138 
10139 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
10140 
10141 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
10142 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10143 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
10144 		return -EINVAL;
10145 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
10146 
10147 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
10148 				      NL80211_MAX_NR_CIPHER_SUITES);
10149 	if (err)
10150 		return err;
10151 
10152 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10153 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10154 		return -EOPNOTSUPP;
10155 
10156 	wiphy = &rdev->wiphy;
10157 
10158 	connect.bg_scan_period = -1;
10159 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
10160 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
10161 		connect.bg_scan_period =
10162 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
10163 	}
10164 
10165 	if (info->attrs[NL80211_ATTR_MAC])
10166 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10167 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
10168 		connect.bssid_hint =
10169 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
10170 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10171 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10172 
10173 	if (info->attrs[NL80211_ATTR_IE]) {
10174 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10175 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10176 	}
10177 
10178 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
10179 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
10180 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
10181 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10182 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
10183 			return -EOPNOTSUPP;
10184 	} else {
10185 		connect.mfp = NL80211_MFP_NO;
10186 	}
10187 
10188 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
10189 		connect.prev_bssid =
10190 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
10191 
10192 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
10193 		connect.channel = nl80211_get_valid_chan(
10194 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ]);
10195 		if (!connect.channel)
10196 			return -EINVAL;
10197 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
10198 		connect.channel_hint = nl80211_get_valid_chan(
10199 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
10200 		if (!connect.channel_hint)
10201 			return -EINVAL;
10202 	}
10203 
10204 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
10205 		connect.edmg.channels =
10206 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
10207 
10208 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
10209 			connect.edmg.bw_config =
10210 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
10211 	}
10212 
10213 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
10214 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
10215 		if (IS_ERR(connkeys))
10216 			return PTR_ERR(connkeys);
10217 	}
10218 
10219 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
10220 		connect.flags |= ASSOC_REQ_DISABLE_HT;
10221 
10222 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10223 		memcpy(&connect.ht_capa_mask,
10224 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10225 		       sizeof(connect.ht_capa_mask));
10226 
10227 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10228 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
10229 			kzfree(connkeys);
10230 			return -EINVAL;
10231 		}
10232 		memcpy(&connect.ht_capa,
10233 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10234 		       sizeof(connect.ht_capa));
10235 	}
10236 
10237 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
10238 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
10239 
10240 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10241 		memcpy(&connect.vht_capa_mask,
10242 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
10243 		       sizeof(connect.vht_capa_mask));
10244 
10245 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
10246 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
10247 			kzfree(connkeys);
10248 			return -EINVAL;
10249 		}
10250 		memcpy(&connect.vht_capa,
10251 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
10252 		       sizeof(connect.vht_capa));
10253 	}
10254 
10255 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
10256 		if (!((rdev->wiphy.features &
10257 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
10258 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
10259 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10260 					     NL80211_EXT_FEATURE_RRM)) {
10261 			kzfree(connkeys);
10262 			return -EINVAL;
10263 		}
10264 		connect.flags |= ASSOC_REQ_USE_RRM;
10265 	}
10266 
10267 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
10268 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
10269 		kzfree(connkeys);
10270 		return -EOPNOTSUPP;
10271 	}
10272 
10273 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
10274 		/* bss selection makes no sense if bssid is set */
10275 		if (connect.bssid) {
10276 			kzfree(connkeys);
10277 			return -EINVAL;
10278 		}
10279 
10280 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
10281 				       wiphy, &connect.bss_select);
10282 		if (err) {
10283 			kzfree(connkeys);
10284 			return err;
10285 		}
10286 	}
10287 
10288 	if (wiphy_ext_feature_isset(&rdev->wiphy,
10289 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
10290 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
10291 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
10292 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
10293 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10294 		connect.fils_erp_username =
10295 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10296 		connect.fils_erp_username_len =
10297 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10298 		connect.fils_erp_realm =
10299 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10300 		connect.fils_erp_realm_len =
10301 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10302 		connect.fils_erp_next_seq_num =
10303 			nla_get_u16(
10304 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
10305 		connect.fils_erp_rrk =
10306 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10307 		connect.fils_erp_rrk_len =
10308 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10309 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
10310 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
10311 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
10312 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10313 		kzfree(connkeys);
10314 		return -EINVAL;
10315 	}
10316 
10317 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
10318 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10319 			kzfree(connkeys);
10320 			GENL_SET_ERR_MSG(info,
10321 					 "external auth requires connection ownership");
10322 			return -EINVAL;
10323 		}
10324 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
10325 	}
10326 
10327 	wdev_lock(dev->ieee80211_ptr);
10328 
10329 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
10330 			       connect.prev_bssid);
10331 	if (err)
10332 		kzfree(connkeys);
10333 
10334 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10335 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
10336 		if (connect.bssid)
10337 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
10338 			       connect.bssid, ETH_ALEN);
10339 		else
10340 			memset(dev->ieee80211_ptr->disconnect_bssid,
10341 			       0, ETH_ALEN);
10342 	}
10343 
10344 	wdev_unlock(dev->ieee80211_ptr);
10345 
10346 	return err;
10347 }
10348 
10349 static int nl80211_update_connect_params(struct sk_buff *skb,
10350 					 struct genl_info *info)
10351 {
10352 	struct cfg80211_connect_params connect = {};
10353 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10354 	struct net_device *dev = info->user_ptr[1];
10355 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10356 	bool fils_sk_offload;
10357 	u32 auth_type;
10358 	u32 changed = 0;
10359 	int ret;
10360 
10361 	if (!rdev->ops->update_connect_params)
10362 		return -EOPNOTSUPP;
10363 
10364 	if (info->attrs[NL80211_ATTR_IE]) {
10365 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10366 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10367 		changed |= UPDATE_ASSOC_IES;
10368 	}
10369 
10370 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
10371 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
10372 
10373 	/*
10374 	 * when driver supports fils-sk offload all attributes must be
10375 	 * provided. So the else covers "fils-sk-not-all" and
10376 	 * "no-fils-sk-any".
10377 	 */
10378 	if (fils_sk_offload &&
10379 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
10380 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
10381 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
10382 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10383 		connect.fils_erp_username =
10384 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10385 		connect.fils_erp_username_len =
10386 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10387 		connect.fils_erp_realm =
10388 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10389 		connect.fils_erp_realm_len =
10390 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10391 		connect.fils_erp_next_seq_num =
10392 			nla_get_u16(
10393 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
10394 		connect.fils_erp_rrk =
10395 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10396 		connect.fils_erp_rrk_len =
10397 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10398 		changed |= UPDATE_FILS_ERP_INFO;
10399 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
10400 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
10401 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
10402 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10403 		return -EINVAL;
10404 	}
10405 
10406 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
10407 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10408 		if (!nl80211_valid_auth_type(rdev, auth_type,
10409 					     NL80211_CMD_CONNECT))
10410 			return -EINVAL;
10411 
10412 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
10413 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
10414 			return -EINVAL;
10415 
10416 		connect.auth_type = auth_type;
10417 		changed |= UPDATE_AUTH_TYPE;
10418 	}
10419 
10420 	wdev_lock(dev->ieee80211_ptr);
10421 	if (!wdev->current_bss)
10422 		ret = -ENOLINK;
10423 	else
10424 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
10425 	wdev_unlock(dev->ieee80211_ptr);
10426 
10427 	return ret;
10428 }
10429 
10430 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
10431 {
10432 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10433 	struct net_device *dev = info->user_ptr[1];
10434 	u16 reason;
10435 	int ret;
10436 
10437 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10438 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10439 		return -EPERM;
10440 
10441 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10442 		reason = WLAN_REASON_DEAUTH_LEAVING;
10443 	else
10444 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10445 
10446 	if (reason == 0)
10447 		return -EINVAL;
10448 
10449 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10450 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10451 		return -EOPNOTSUPP;
10452 
10453 	wdev_lock(dev->ieee80211_ptr);
10454 	ret = cfg80211_disconnect(rdev, dev, reason, true);
10455 	wdev_unlock(dev->ieee80211_ptr);
10456 	return ret;
10457 }
10458 
10459 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
10460 {
10461 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10462 	struct net *net;
10463 	int err;
10464 
10465 	if (info->attrs[NL80211_ATTR_PID]) {
10466 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
10467 
10468 		net = get_net_ns_by_pid(pid);
10469 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
10470 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
10471 
10472 		net = get_net_ns_by_fd(fd);
10473 	} else {
10474 		return -EINVAL;
10475 	}
10476 
10477 	if (IS_ERR(net))
10478 		return PTR_ERR(net);
10479 
10480 	err = 0;
10481 
10482 	/* check if anything to do */
10483 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
10484 		err = cfg80211_switch_netns(rdev, net);
10485 
10486 	put_net(net);
10487 	return err;
10488 }
10489 
10490 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
10491 {
10492 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10493 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
10494 			struct cfg80211_pmksa *pmksa) = NULL;
10495 	struct net_device *dev = info->user_ptr[1];
10496 	struct cfg80211_pmksa pmksa;
10497 
10498 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
10499 
10500 	if (!info->attrs[NL80211_ATTR_PMKID])
10501 		return -EINVAL;
10502 
10503 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
10504 
10505 	if (info->attrs[NL80211_ATTR_MAC]) {
10506 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10507 	} else if (info->attrs[NL80211_ATTR_SSID] &&
10508 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
10509 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
10510 		    info->attrs[NL80211_ATTR_PMK])) {
10511 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10512 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10513 		pmksa.cache_id =
10514 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
10515 	} else {
10516 		return -EINVAL;
10517 	}
10518 	if (info->attrs[NL80211_ATTR_PMK]) {
10519 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10520 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
10521 	}
10522 
10523 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
10524 		pmksa.pmk_lifetime =
10525 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
10526 
10527 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
10528 		pmksa.pmk_reauth_threshold =
10529 			nla_get_u8(
10530 				info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
10531 
10532 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10533 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
10534 	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
10535 	      wiphy_ext_feature_isset(&rdev->wiphy,
10536 				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
10537 		return -EOPNOTSUPP;
10538 
10539 	switch (info->genlhdr->cmd) {
10540 	case NL80211_CMD_SET_PMKSA:
10541 		rdev_ops = rdev->ops->set_pmksa;
10542 		break;
10543 	case NL80211_CMD_DEL_PMKSA:
10544 		rdev_ops = rdev->ops->del_pmksa;
10545 		break;
10546 	default:
10547 		WARN_ON(1);
10548 		break;
10549 	}
10550 
10551 	if (!rdev_ops)
10552 		return -EOPNOTSUPP;
10553 
10554 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
10555 }
10556 
10557 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
10558 {
10559 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10560 	struct net_device *dev = info->user_ptr[1];
10561 
10562 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10563 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10564 		return -EOPNOTSUPP;
10565 
10566 	if (!rdev->ops->flush_pmksa)
10567 		return -EOPNOTSUPP;
10568 
10569 	return rdev_flush_pmksa(rdev, dev);
10570 }
10571 
10572 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
10573 {
10574 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10575 	struct net_device *dev = info->user_ptr[1];
10576 	u8 action_code, dialog_token;
10577 	u32 peer_capability = 0;
10578 	u16 status_code;
10579 	u8 *peer;
10580 	bool initiator;
10581 
10582 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
10583 	    !rdev->ops->tdls_mgmt)
10584 		return -EOPNOTSUPP;
10585 
10586 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
10587 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
10588 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
10589 	    !info->attrs[NL80211_ATTR_IE] ||
10590 	    !info->attrs[NL80211_ATTR_MAC])
10591 		return -EINVAL;
10592 
10593 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10594 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
10595 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
10596 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
10597 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
10598 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
10599 		peer_capability =
10600 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
10601 
10602 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
10603 			      dialog_token, status_code, peer_capability,
10604 			      initiator,
10605 			      nla_data(info->attrs[NL80211_ATTR_IE]),
10606 			      nla_len(info->attrs[NL80211_ATTR_IE]));
10607 }
10608 
10609 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
10610 {
10611 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10612 	struct net_device *dev = info->user_ptr[1];
10613 	enum nl80211_tdls_operation operation;
10614 	u8 *peer;
10615 
10616 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
10617 	    !rdev->ops->tdls_oper)
10618 		return -EOPNOTSUPP;
10619 
10620 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
10621 	    !info->attrs[NL80211_ATTR_MAC])
10622 		return -EINVAL;
10623 
10624 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
10625 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10626 
10627 	return rdev_tdls_oper(rdev, dev, peer, operation);
10628 }
10629 
10630 static int nl80211_remain_on_channel(struct sk_buff *skb,
10631 				     struct genl_info *info)
10632 {
10633 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10634 	struct wireless_dev *wdev = info->user_ptr[1];
10635 	struct cfg80211_chan_def chandef;
10636 	const struct cfg80211_chan_def *compat_chandef;
10637 	struct sk_buff *msg;
10638 	void *hdr;
10639 	u64 cookie;
10640 	u32 duration;
10641 	int err;
10642 
10643 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10644 	    !info->attrs[NL80211_ATTR_DURATION])
10645 		return -EINVAL;
10646 
10647 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
10648 
10649 	if (!rdev->ops->remain_on_channel ||
10650 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
10651 		return -EOPNOTSUPP;
10652 
10653 	/*
10654 	 * We should be on that channel for at least a minimum amount of
10655 	 * time (10ms) but no longer than the driver supports.
10656 	 */
10657 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
10658 	    duration > rdev->wiphy.max_remain_on_channel_duration)
10659 		return -EINVAL;
10660 
10661 	err = nl80211_parse_chandef(rdev, info, &chandef);
10662 	if (err)
10663 		return err;
10664 
10665 	wdev_lock(wdev);
10666 	if (!cfg80211_off_channel_oper_allowed(wdev) &&
10667 	    !cfg80211_chandef_identical(&wdev->chandef, &chandef)) {
10668 		compat_chandef = cfg80211_chandef_compatible(&wdev->chandef,
10669 							     &chandef);
10670 		if (compat_chandef != &chandef) {
10671 			wdev_unlock(wdev);
10672 			return -EBUSY;
10673 		}
10674 	}
10675 	wdev_unlock(wdev);
10676 
10677 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10678 	if (!msg)
10679 		return -ENOMEM;
10680 
10681 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10682 			     NL80211_CMD_REMAIN_ON_CHANNEL);
10683 	if (!hdr) {
10684 		err = -ENOBUFS;
10685 		goto free_msg;
10686 	}
10687 
10688 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
10689 				     duration, &cookie);
10690 
10691 	if (err)
10692 		goto free_msg;
10693 
10694 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
10695 			      NL80211_ATTR_PAD))
10696 		goto nla_put_failure;
10697 
10698 	genlmsg_end(msg, hdr);
10699 
10700 	return genlmsg_reply(msg, info);
10701 
10702  nla_put_failure:
10703 	err = -ENOBUFS;
10704  free_msg:
10705 	nlmsg_free(msg);
10706 	return err;
10707 }
10708 
10709 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
10710 					    struct genl_info *info)
10711 {
10712 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10713 	struct wireless_dev *wdev = info->user_ptr[1];
10714 	u64 cookie;
10715 
10716 	if (!info->attrs[NL80211_ATTR_COOKIE])
10717 		return -EINVAL;
10718 
10719 	if (!rdev->ops->cancel_remain_on_channel)
10720 		return -EOPNOTSUPP;
10721 
10722 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
10723 
10724 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
10725 }
10726 
10727 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
10728 				       struct genl_info *info)
10729 {
10730 	struct cfg80211_bitrate_mask mask;
10731 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10732 	struct net_device *dev = info->user_ptr[1];
10733 	int err;
10734 
10735 	if (!rdev->ops->set_bitrate_mask)
10736 		return -EOPNOTSUPP;
10737 
10738 	err = nl80211_parse_tx_bitrate_mask(info, &mask);
10739 	if (err)
10740 		return err;
10741 
10742 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
10743 }
10744 
10745 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
10746 {
10747 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10748 	struct wireless_dev *wdev = info->user_ptr[1];
10749 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
10750 
10751 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
10752 		return -EINVAL;
10753 
10754 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
10755 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
10756 
10757 	switch (wdev->iftype) {
10758 	case NL80211_IFTYPE_STATION:
10759 	case NL80211_IFTYPE_ADHOC:
10760 	case NL80211_IFTYPE_P2P_CLIENT:
10761 	case NL80211_IFTYPE_AP:
10762 	case NL80211_IFTYPE_AP_VLAN:
10763 	case NL80211_IFTYPE_MESH_POINT:
10764 	case NL80211_IFTYPE_P2P_GO:
10765 	case NL80211_IFTYPE_P2P_DEVICE:
10766 		break;
10767 	case NL80211_IFTYPE_NAN:
10768 	default:
10769 		return -EOPNOTSUPP;
10770 	}
10771 
10772 	/* not much point in registering if we can't reply */
10773 	if (!rdev->ops->mgmt_tx)
10774 		return -EOPNOTSUPP;
10775 
10776 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
10777 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
10778 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
10779 					   info->extack);
10780 }
10781 
10782 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
10783 {
10784 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10785 	struct wireless_dev *wdev = info->user_ptr[1];
10786 	struct cfg80211_chan_def chandef;
10787 	int err;
10788 	void *hdr = NULL;
10789 	u64 cookie;
10790 	struct sk_buff *msg = NULL;
10791 	struct cfg80211_mgmt_tx_params params = {
10792 		.dont_wait_for_ack =
10793 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
10794 	};
10795 
10796 	if (!info->attrs[NL80211_ATTR_FRAME])
10797 		return -EINVAL;
10798 
10799 	if (!rdev->ops->mgmt_tx)
10800 		return -EOPNOTSUPP;
10801 
10802 	switch (wdev->iftype) {
10803 	case NL80211_IFTYPE_P2P_DEVICE:
10804 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10805 			return -EINVAL;
10806 	case NL80211_IFTYPE_STATION:
10807 	case NL80211_IFTYPE_ADHOC:
10808 	case NL80211_IFTYPE_P2P_CLIENT:
10809 	case NL80211_IFTYPE_AP:
10810 	case NL80211_IFTYPE_AP_VLAN:
10811 	case NL80211_IFTYPE_MESH_POINT:
10812 	case NL80211_IFTYPE_P2P_GO:
10813 		break;
10814 	case NL80211_IFTYPE_NAN:
10815 	default:
10816 		return -EOPNOTSUPP;
10817 	}
10818 
10819 	if (info->attrs[NL80211_ATTR_DURATION]) {
10820 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
10821 			return -EINVAL;
10822 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
10823 
10824 		/*
10825 		 * We should wait on the channel for at least a minimum amount
10826 		 * of time (10ms) but no longer than the driver supports.
10827 		 */
10828 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
10829 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
10830 			return -EINVAL;
10831 	}
10832 
10833 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
10834 
10835 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
10836 		return -EINVAL;
10837 
10838 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
10839 
10840 	/* get the channel if any has been specified, otherwise pass NULL to
10841 	 * the driver. The latter will use the current one
10842 	 */
10843 	chandef.chan = NULL;
10844 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
10845 		err = nl80211_parse_chandef(rdev, info, &chandef);
10846 		if (err)
10847 			return err;
10848 	}
10849 
10850 	if (!chandef.chan && params.offchan)
10851 		return -EINVAL;
10852 
10853 	wdev_lock(wdev);
10854 	if (params.offchan && !cfg80211_off_channel_oper_allowed(wdev)) {
10855 		wdev_unlock(wdev);
10856 		return -EBUSY;
10857 	}
10858 	wdev_unlock(wdev);
10859 
10860 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
10861 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
10862 
10863 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
10864 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
10865 		int i;
10866 
10867 		if (len % sizeof(u16))
10868 			return -EINVAL;
10869 
10870 		params.n_csa_offsets = len / sizeof(u16);
10871 		params.csa_offsets =
10872 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
10873 
10874 		/* check that all the offsets fit the frame */
10875 		for (i = 0; i < params.n_csa_offsets; i++) {
10876 			if (params.csa_offsets[i] >= params.len)
10877 				return -EINVAL;
10878 		}
10879 	}
10880 
10881 	if (!params.dont_wait_for_ack) {
10882 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10883 		if (!msg)
10884 			return -ENOMEM;
10885 
10886 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10887 				     NL80211_CMD_FRAME);
10888 		if (!hdr) {
10889 			err = -ENOBUFS;
10890 			goto free_msg;
10891 		}
10892 	}
10893 
10894 	params.chan = chandef.chan;
10895 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
10896 	if (err)
10897 		goto free_msg;
10898 
10899 	if (msg) {
10900 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
10901 				      NL80211_ATTR_PAD))
10902 			goto nla_put_failure;
10903 
10904 		genlmsg_end(msg, hdr);
10905 		return genlmsg_reply(msg, info);
10906 	}
10907 
10908 	return 0;
10909 
10910  nla_put_failure:
10911 	err = -ENOBUFS;
10912  free_msg:
10913 	nlmsg_free(msg);
10914 	return err;
10915 }
10916 
10917 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
10918 {
10919 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10920 	struct wireless_dev *wdev = info->user_ptr[1];
10921 	u64 cookie;
10922 
10923 	if (!info->attrs[NL80211_ATTR_COOKIE])
10924 		return -EINVAL;
10925 
10926 	if (!rdev->ops->mgmt_tx_cancel_wait)
10927 		return -EOPNOTSUPP;
10928 
10929 	switch (wdev->iftype) {
10930 	case NL80211_IFTYPE_STATION:
10931 	case NL80211_IFTYPE_ADHOC:
10932 	case NL80211_IFTYPE_P2P_CLIENT:
10933 	case NL80211_IFTYPE_AP:
10934 	case NL80211_IFTYPE_AP_VLAN:
10935 	case NL80211_IFTYPE_P2P_GO:
10936 	case NL80211_IFTYPE_P2P_DEVICE:
10937 		break;
10938 	case NL80211_IFTYPE_NAN:
10939 	default:
10940 		return -EOPNOTSUPP;
10941 	}
10942 
10943 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
10944 
10945 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
10946 }
10947 
10948 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
10949 {
10950 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10951 	struct wireless_dev *wdev;
10952 	struct net_device *dev = info->user_ptr[1];
10953 	u8 ps_state;
10954 	bool state;
10955 	int err;
10956 
10957 	if (!info->attrs[NL80211_ATTR_PS_STATE])
10958 		return -EINVAL;
10959 
10960 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
10961 
10962 	wdev = dev->ieee80211_ptr;
10963 
10964 	if (!rdev->ops->set_power_mgmt)
10965 		return -EOPNOTSUPP;
10966 
10967 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
10968 
10969 	if (state == wdev->ps)
10970 		return 0;
10971 
10972 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
10973 	if (!err)
10974 		wdev->ps = state;
10975 	return err;
10976 }
10977 
10978 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
10979 {
10980 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10981 	enum nl80211_ps_state ps_state;
10982 	struct wireless_dev *wdev;
10983 	struct net_device *dev = info->user_ptr[1];
10984 	struct sk_buff *msg;
10985 	void *hdr;
10986 	int err;
10987 
10988 	wdev = dev->ieee80211_ptr;
10989 
10990 	if (!rdev->ops->set_power_mgmt)
10991 		return -EOPNOTSUPP;
10992 
10993 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10994 	if (!msg)
10995 		return -ENOMEM;
10996 
10997 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10998 			     NL80211_CMD_GET_POWER_SAVE);
10999 	if (!hdr) {
11000 		err = -ENOBUFS;
11001 		goto free_msg;
11002 	}
11003 
11004 	if (wdev->ps)
11005 		ps_state = NL80211_PS_ENABLED;
11006 	else
11007 		ps_state = NL80211_PS_DISABLED;
11008 
11009 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
11010 		goto nla_put_failure;
11011 
11012 	genlmsg_end(msg, hdr);
11013 	return genlmsg_reply(msg, info);
11014 
11015  nla_put_failure:
11016 	err = -ENOBUFS;
11017  free_msg:
11018 	nlmsg_free(msg);
11019 	return err;
11020 }
11021 
11022 static const struct nla_policy
11023 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
11024 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
11025 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
11026 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
11027 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
11028 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
11029 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
11030 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
11031 };
11032 
11033 static int nl80211_set_cqm_txe(struct genl_info *info,
11034 			       u32 rate, u32 pkts, u32 intvl)
11035 {
11036 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11037 	struct net_device *dev = info->user_ptr[1];
11038 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11039 
11040 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
11041 		return -EINVAL;
11042 
11043 	if (!rdev->ops->set_cqm_txe_config)
11044 		return -EOPNOTSUPP;
11045 
11046 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
11047 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
11048 		return -EOPNOTSUPP;
11049 
11050 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
11051 }
11052 
11053 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
11054 				    struct net_device *dev)
11055 {
11056 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11057 	s32 last, low, high;
11058 	u32 hyst;
11059 	int i, n, low_index;
11060 	int err;
11061 
11062 	/* RSSI reporting disabled? */
11063 	if (!wdev->cqm_config)
11064 		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
11065 
11066 	/*
11067 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
11068 	 * event has been received yet, we should receive an event after a
11069 	 * connection is established and enough beacons received to calculate
11070 	 * the average.
11071 	 */
11072 	if (!wdev->cqm_config->last_rssi_event_value && wdev->current_bss &&
11073 	    rdev->ops->get_station) {
11074 		struct station_info sinfo = {};
11075 		u8 *mac_addr;
11076 
11077 		mac_addr = wdev->current_bss->pub.bssid;
11078 
11079 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
11080 		if (err)
11081 			return err;
11082 
11083 		cfg80211_sinfo_release_content(&sinfo);
11084 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
11085 			wdev->cqm_config->last_rssi_event_value =
11086 				(s8) sinfo.rx_beacon_signal_avg;
11087 	}
11088 
11089 	last = wdev->cqm_config->last_rssi_event_value;
11090 	hyst = wdev->cqm_config->rssi_hyst;
11091 	n = wdev->cqm_config->n_rssi_thresholds;
11092 
11093 	for (i = 0; i < n; i++) {
11094 		i = array_index_nospec(i, n);
11095 		if (last < wdev->cqm_config->rssi_thresholds[i])
11096 			break;
11097 	}
11098 
11099 	low_index = i - 1;
11100 	if (low_index >= 0) {
11101 		low_index = array_index_nospec(low_index, n);
11102 		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
11103 	} else {
11104 		low = S32_MIN;
11105 	}
11106 	if (i < n) {
11107 		i = array_index_nospec(i, n);
11108 		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
11109 	} else {
11110 		high = S32_MAX;
11111 	}
11112 
11113 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
11114 }
11115 
11116 static int nl80211_set_cqm_rssi(struct genl_info *info,
11117 				const s32 *thresholds, int n_thresholds,
11118 				u32 hysteresis)
11119 {
11120 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11121 	struct net_device *dev = info->user_ptr[1];
11122 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11123 	int i, err;
11124 	s32 prev = S32_MIN;
11125 
11126 	/* Check all values negative and sorted */
11127 	for (i = 0; i < n_thresholds; i++) {
11128 		if (thresholds[i] > 0 || thresholds[i] <= prev)
11129 			return -EINVAL;
11130 
11131 		prev = thresholds[i];
11132 	}
11133 
11134 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
11135 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
11136 		return -EOPNOTSUPP;
11137 
11138 	wdev_lock(wdev);
11139 	cfg80211_cqm_config_free(wdev);
11140 	wdev_unlock(wdev);
11141 
11142 	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
11143 		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
11144 			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
11145 
11146 		return rdev_set_cqm_rssi_config(rdev, dev,
11147 						thresholds[0], hysteresis);
11148 	}
11149 
11150 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
11151 				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
11152 		return -EOPNOTSUPP;
11153 
11154 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
11155 		n_thresholds = 0;
11156 
11157 	wdev_lock(wdev);
11158 	if (n_thresholds) {
11159 		struct cfg80211_cqm_config *cqm_config;
11160 
11161 		cqm_config = kzalloc(sizeof(struct cfg80211_cqm_config) +
11162 				     n_thresholds * sizeof(s32), GFP_KERNEL);
11163 		if (!cqm_config) {
11164 			err = -ENOMEM;
11165 			goto unlock;
11166 		}
11167 
11168 		cqm_config->rssi_hyst = hysteresis;
11169 		cqm_config->n_rssi_thresholds = n_thresholds;
11170 		memcpy(cqm_config->rssi_thresholds, thresholds,
11171 		       n_thresholds * sizeof(s32));
11172 
11173 		wdev->cqm_config = cqm_config;
11174 	}
11175 
11176 	err = cfg80211_cqm_rssi_update(rdev, dev);
11177 
11178 unlock:
11179 	wdev_unlock(wdev);
11180 
11181 	return err;
11182 }
11183 
11184 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
11185 {
11186 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
11187 	struct nlattr *cqm;
11188 	int err;
11189 
11190 	cqm = info->attrs[NL80211_ATTR_CQM];
11191 	if (!cqm)
11192 		return -EINVAL;
11193 
11194 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
11195 					  nl80211_attr_cqm_policy,
11196 					  info->extack);
11197 	if (err)
11198 		return err;
11199 
11200 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
11201 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
11202 		const s32 *thresholds =
11203 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
11204 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
11205 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
11206 
11207 		if (len % 4)
11208 			return -EINVAL;
11209 
11210 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
11211 					    hysteresis);
11212 	}
11213 
11214 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
11215 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
11216 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
11217 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
11218 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
11219 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
11220 
11221 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
11222 	}
11223 
11224 	return -EINVAL;
11225 }
11226 
11227 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
11228 {
11229 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11230 	struct net_device *dev = info->user_ptr[1];
11231 	struct ocb_setup setup = {};
11232 	int err;
11233 
11234 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
11235 	if (err)
11236 		return err;
11237 
11238 	return cfg80211_join_ocb(rdev, dev, &setup);
11239 }
11240 
11241 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
11242 {
11243 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11244 	struct net_device *dev = info->user_ptr[1];
11245 
11246 	return cfg80211_leave_ocb(rdev, dev);
11247 }
11248 
11249 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
11250 {
11251 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11252 	struct net_device *dev = info->user_ptr[1];
11253 	struct mesh_config cfg;
11254 	struct mesh_setup setup;
11255 	int err;
11256 
11257 	/* start with default */
11258 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
11259 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
11260 
11261 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
11262 		/* and parse parameters if given */
11263 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
11264 		if (err)
11265 			return err;
11266 	}
11267 
11268 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
11269 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
11270 		return -EINVAL;
11271 
11272 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
11273 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
11274 
11275 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
11276 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
11277 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
11278 			return -EINVAL;
11279 
11280 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
11281 		setup.beacon_interval =
11282 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
11283 
11284 		err = cfg80211_validate_beacon_int(rdev,
11285 						   NL80211_IFTYPE_MESH_POINT,
11286 						   setup.beacon_interval);
11287 		if (err)
11288 			return err;
11289 	}
11290 
11291 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
11292 		setup.dtim_period =
11293 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
11294 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
11295 			return -EINVAL;
11296 	}
11297 
11298 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
11299 		/* parse additional setup parameters if given */
11300 		err = nl80211_parse_mesh_setup(info, &setup);
11301 		if (err)
11302 			return err;
11303 	}
11304 
11305 	if (setup.user_mpm)
11306 		cfg.auto_open_plinks = false;
11307 
11308 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
11309 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
11310 		if (err)
11311 			return err;
11312 	} else {
11313 		/* __cfg80211_join_mesh() will sort it out */
11314 		setup.chandef.chan = NULL;
11315 	}
11316 
11317 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
11318 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11319 		int n_rates =
11320 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11321 		struct ieee80211_supported_band *sband;
11322 
11323 		if (!setup.chandef.chan)
11324 			return -EINVAL;
11325 
11326 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
11327 
11328 		err = ieee80211_get_ratemask(sband, rates, n_rates,
11329 					     &setup.basic_rates);
11330 		if (err)
11331 			return err;
11332 	}
11333 
11334 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
11335 		err = nl80211_parse_tx_bitrate_mask(info, &setup.beacon_rate);
11336 		if (err)
11337 			return err;
11338 
11339 		if (!setup.chandef.chan)
11340 			return -EINVAL;
11341 
11342 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
11343 					      &setup.beacon_rate);
11344 		if (err)
11345 			return err;
11346 	}
11347 
11348 	setup.userspace_handles_dfs =
11349 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11350 
11351 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11352 		int r = validate_pae_over_nl80211(rdev, info);
11353 
11354 		if (r < 0)
11355 			return r;
11356 
11357 		setup.control_port_over_nl80211 = true;
11358 	}
11359 
11360 	wdev_lock(dev->ieee80211_ptr);
11361 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
11362 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
11363 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11364 	wdev_unlock(dev->ieee80211_ptr);
11365 
11366 	return err;
11367 }
11368 
11369 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
11370 {
11371 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11372 	struct net_device *dev = info->user_ptr[1];
11373 
11374 	return cfg80211_leave_mesh(rdev, dev);
11375 }
11376 
11377 #ifdef CONFIG_PM
11378 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
11379 					struct cfg80211_registered_device *rdev)
11380 {
11381 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
11382 	struct nlattr *nl_pats, *nl_pat;
11383 	int i, pat_len;
11384 
11385 	if (!wowlan->n_patterns)
11386 		return 0;
11387 
11388 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
11389 	if (!nl_pats)
11390 		return -ENOBUFS;
11391 
11392 	for (i = 0; i < wowlan->n_patterns; i++) {
11393 		nl_pat = nla_nest_start_noflag(msg, i + 1);
11394 		if (!nl_pat)
11395 			return -ENOBUFS;
11396 		pat_len = wowlan->patterns[i].pattern_len;
11397 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
11398 			    wowlan->patterns[i].mask) ||
11399 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
11400 			    wowlan->patterns[i].pattern) ||
11401 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
11402 				wowlan->patterns[i].pkt_offset))
11403 			return -ENOBUFS;
11404 		nla_nest_end(msg, nl_pat);
11405 	}
11406 	nla_nest_end(msg, nl_pats);
11407 
11408 	return 0;
11409 }
11410 
11411 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
11412 				   struct cfg80211_wowlan_tcp *tcp)
11413 {
11414 	struct nlattr *nl_tcp;
11415 
11416 	if (!tcp)
11417 		return 0;
11418 
11419 	nl_tcp = nla_nest_start_noflag(msg,
11420 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
11421 	if (!nl_tcp)
11422 		return -ENOBUFS;
11423 
11424 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
11425 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
11426 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
11427 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
11428 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
11429 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
11430 		    tcp->payload_len, tcp->payload) ||
11431 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
11432 			tcp->data_interval) ||
11433 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
11434 		    tcp->wake_len, tcp->wake_data) ||
11435 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
11436 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
11437 		return -ENOBUFS;
11438 
11439 	if (tcp->payload_seq.len &&
11440 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
11441 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
11442 		return -ENOBUFS;
11443 
11444 	if (tcp->payload_tok.len &&
11445 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
11446 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
11447 		    &tcp->payload_tok))
11448 		return -ENOBUFS;
11449 
11450 	nla_nest_end(msg, nl_tcp);
11451 
11452 	return 0;
11453 }
11454 
11455 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
11456 				  struct cfg80211_sched_scan_request *req)
11457 {
11458 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
11459 	int i;
11460 
11461 	if (!req)
11462 		return 0;
11463 
11464 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
11465 	if (!nd)
11466 		return -ENOBUFS;
11467 
11468 	if (req->n_scan_plans == 1 &&
11469 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
11470 			req->scan_plans[0].interval * 1000))
11471 		return -ENOBUFS;
11472 
11473 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
11474 		return -ENOBUFS;
11475 
11476 	if (req->relative_rssi_set) {
11477 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
11478 
11479 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
11480 			       req->relative_rssi))
11481 			return -ENOBUFS;
11482 
11483 		rssi_adjust.band = req->rssi_adjust.band;
11484 		rssi_adjust.delta = req->rssi_adjust.delta;
11485 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
11486 			    sizeof(rssi_adjust), &rssi_adjust))
11487 			return -ENOBUFS;
11488 	}
11489 
11490 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
11491 	if (!freqs)
11492 		return -ENOBUFS;
11493 
11494 	for (i = 0; i < req->n_channels; i++) {
11495 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
11496 			return -ENOBUFS;
11497 	}
11498 
11499 	nla_nest_end(msg, freqs);
11500 
11501 	if (req->n_match_sets) {
11502 		matches = nla_nest_start_noflag(msg,
11503 						NL80211_ATTR_SCHED_SCAN_MATCH);
11504 		if (!matches)
11505 			return -ENOBUFS;
11506 
11507 		for (i = 0; i < req->n_match_sets; i++) {
11508 			match = nla_nest_start_noflag(msg, i);
11509 			if (!match)
11510 				return -ENOBUFS;
11511 
11512 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
11513 				    req->match_sets[i].ssid.ssid_len,
11514 				    req->match_sets[i].ssid.ssid))
11515 				return -ENOBUFS;
11516 			nla_nest_end(msg, match);
11517 		}
11518 		nla_nest_end(msg, matches);
11519 	}
11520 
11521 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
11522 	if (!scan_plans)
11523 		return -ENOBUFS;
11524 
11525 	for (i = 0; i < req->n_scan_plans; i++) {
11526 		scan_plan = nla_nest_start_noflag(msg, i + 1);
11527 		if (!scan_plan)
11528 			return -ENOBUFS;
11529 
11530 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
11531 				req->scan_plans[i].interval) ||
11532 		    (req->scan_plans[i].iterations &&
11533 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
11534 				 req->scan_plans[i].iterations)))
11535 			return -ENOBUFS;
11536 		nla_nest_end(msg, scan_plan);
11537 	}
11538 	nla_nest_end(msg, scan_plans);
11539 
11540 	nla_nest_end(msg, nd);
11541 
11542 	return 0;
11543 }
11544 
11545 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
11546 {
11547 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11548 	struct sk_buff *msg;
11549 	void *hdr;
11550 	u32 size = NLMSG_DEFAULT_SIZE;
11551 
11552 	if (!rdev->wiphy.wowlan)
11553 		return -EOPNOTSUPP;
11554 
11555 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
11556 		/* adjust size to have room for all the data */
11557 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
11558 			rdev->wiphy.wowlan_config->tcp->payload_len +
11559 			rdev->wiphy.wowlan_config->tcp->wake_len +
11560 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
11561 	}
11562 
11563 	msg = nlmsg_new(size, GFP_KERNEL);
11564 	if (!msg)
11565 		return -ENOMEM;
11566 
11567 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11568 			     NL80211_CMD_GET_WOWLAN);
11569 	if (!hdr)
11570 		goto nla_put_failure;
11571 
11572 	if (rdev->wiphy.wowlan_config) {
11573 		struct nlattr *nl_wowlan;
11574 
11575 		nl_wowlan = nla_nest_start_noflag(msg,
11576 						  NL80211_ATTR_WOWLAN_TRIGGERS);
11577 		if (!nl_wowlan)
11578 			goto nla_put_failure;
11579 
11580 		if ((rdev->wiphy.wowlan_config->any &&
11581 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
11582 		    (rdev->wiphy.wowlan_config->disconnect &&
11583 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
11584 		    (rdev->wiphy.wowlan_config->magic_pkt &&
11585 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
11586 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
11587 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
11588 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
11589 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
11590 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
11591 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
11592 		    (rdev->wiphy.wowlan_config->rfkill_release &&
11593 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
11594 			goto nla_put_failure;
11595 
11596 		if (nl80211_send_wowlan_patterns(msg, rdev))
11597 			goto nla_put_failure;
11598 
11599 		if (nl80211_send_wowlan_tcp(msg,
11600 					    rdev->wiphy.wowlan_config->tcp))
11601 			goto nla_put_failure;
11602 
11603 		if (nl80211_send_wowlan_nd(
11604 			    msg,
11605 			    rdev->wiphy.wowlan_config->nd_config))
11606 			goto nla_put_failure;
11607 
11608 		nla_nest_end(msg, nl_wowlan);
11609 	}
11610 
11611 	genlmsg_end(msg, hdr);
11612 	return genlmsg_reply(msg, info);
11613 
11614 nla_put_failure:
11615 	nlmsg_free(msg);
11616 	return -ENOBUFS;
11617 }
11618 
11619 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
11620 				    struct nlattr *attr,
11621 				    struct cfg80211_wowlan *trig)
11622 {
11623 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
11624 	struct cfg80211_wowlan_tcp *cfg;
11625 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
11626 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
11627 	u32 size;
11628 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
11629 	int err, port;
11630 
11631 	if (!rdev->wiphy.wowlan->tcp)
11632 		return -EINVAL;
11633 
11634 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
11635 					  nl80211_wowlan_tcp_policy, NULL);
11636 	if (err)
11637 		return err;
11638 
11639 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
11640 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
11641 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
11642 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
11643 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
11644 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
11645 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
11646 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
11647 		return -EINVAL;
11648 
11649 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
11650 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
11651 		return -EINVAL;
11652 
11653 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
11654 			rdev->wiphy.wowlan->tcp->data_interval_max ||
11655 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
11656 		return -EINVAL;
11657 
11658 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
11659 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
11660 		return -EINVAL;
11661 
11662 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
11663 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
11664 		return -EINVAL;
11665 
11666 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
11667 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
11668 
11669 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
11670 		tokens_size = tokln - sizeof(*tok);
11671 
11672 		if (!tok->len || tokens_size % tok->len)
11673 			return -EINVAL;
11674 		if (!rdev->wiphy.wowlan->tcp->tok)
11675 			return -EINVAL;
11676 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
11677 			return -EINVAL;
11678 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
11679 			return -EINVAL;
11680 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
11681 			return -EINVAL;
11682 		if (tok->offset + tok->len > data_size)
11683 			return -EINVAL;
11684 	}
11685 
11686 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
11687 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
11688 		if (!rdev->wiphy.wowlan->tcp->seq)
11689 			return -EINVAL;
11690 		if (seq->len == 0 || seq->len > 4)
11691 			return -EINVAL;
11692 		if (seq->len + seq->offset > data_size)
11693 			return -EINVAL;
11694 	}
11695 
11696 	size = sizeof(*cfg);
11697 	size += data_size;
11698 	size += wake_size + wake_mask_size;
11699 	size += tokens_size;
11700 
11701 	cfg = kzalloc(size, GFP_KERNEL);
11702 	if (!cfg)
11703 		return -ENOMEM;
11704 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
11705 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
11706 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
11707 	       ETH_ALEN);
11708 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
11709 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
11710 	else
11711 		port = 0;
11712 #ifdef CONFIG_INET
11713 	/* allocate a socket and port for it and use it */
11714 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
11715 			    IPPROTO_TCP, &cfg->sock, 1);
11716 	if (err) {
11717 		kfree(cfg);
11718 		return err;
11719 	}
11720 	if (inet_csk_get_port(cfg->sock->sk, port)) {
11721 		sock_release(cfg->sock);
11722 		kfree(cfg);
11723 		return -EADDRINUSE;
11724 	}
11725 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
11726 #else
11727 	if (!port) {
11728 		kfree(cfg);
11729 		return -EINVAL;
11730 	}
11731 	cfg->src_port = port;
11732 #endif
11733 
11734 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
11735 	cfg->payload_len = data_size;
11736 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
11737 	memcpy((void *)cfg->payload,
11738 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
11739 	       data_size);
11740 	if (seq)
11741 		cfg->payload_seq = *seq;
11742 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
11743 	cfg->wake_len = wake_size;
11744 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
11745 	memcpy((void *)cfg->wake_data,
11746 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
11747 	       wake_size);
11748 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
11749 			 data_size + wake_size;
11750 	memcpy((void *)cfg->wake_mask,
11751 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
11752 	       wake_mask_size);
11753 	if (tok) {
11754 		cfg->tokens_size = tokens_size;
11755 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
11756 	}
11757 
11758 	trig->tcp = cfg;
11759 
11760 	return 0;
11761 }
11762 
11763 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
11764 				   const struct wiphy_wowlan_support *wowlan,
11765 				   struct nlattr *attr,
11766 				   struct cfg80211_wowlan *trig)
11767 {
11768 	struct nlattr **tb;
11769 	int err;
11770 
11771 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
11772 	if (!tb)
11773 		return -ENOMEM;
11774 
11775 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
11776 		err = -EOPNOTSUPP;
11777 		goto out;
11778 	}
11779 
11780 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
11781 					  nl80211_policy, NULL);
11782 	if (err)
11783 		goto out;
11784 
11785 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
11786 						   wowlan->max_nd_match_sets);
11787 	err = PTR_ERR_OR_ZERO(trig->nd_config);
11788 	if (err)
11789 		trig->nd_config = NULL;
11790 
11791 out:
11792 	kfree(tb);
11793 	return err;
11794 }
11795 
11796 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
11797 {
11798 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11799 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
11800 	struct cfg80211_wowlan new_triggers = {};
11801 	struct cfg80211_wowlan *ntrig;
11802 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
11803 	int err, i;
11804 	bool prev_enabled = rdev->wiphy.wowlan_config;
11805 	bool regular = false;
11806 
11807 	if (!wowlan)
11808 		return -EOPNOTSUPP;
11809 
11810 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
11811 		cfg80211_rdev_free_wowlan(rdev);
11812 		rdev->wiphy.wowlan_config = NULL;
11813 		goto set_wakeup;
11814 	}
11815 
11816 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
11817 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
11818 					  nl80211_wowlan_policy, info->extack);
11819 	if (err)
11820 		return err;
11821 
11822 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
11823 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
11824 			return -EINVAL;
11825 		new_triggers.any = true;
11826 	}
11827 
11828 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
11829 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
11830 			return -EINVAL;
11831 		new_triggers.disconnect = true;
11832 		regular = true;
11833 	}
11834 
11835 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
11836 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
11837 			return -EINVAL;
11838 		new_triggers.magic_pkt = true;
11839 		regular = true;
11840 	}
11841 
11842 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
11843 		return -EINVAL;
11844 
11845 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
11846 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
11847 			return -EINVAL;
11848 		new_triggers.gtk_rekey_failure = true;
11849 		regular = true;
11850 	}
11851 
11852 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
11853 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
11854 			return -EINVAL;
11855 		new_triggers.eap_identity_req = true;
11856 		regular = true;
11857 	}
11858 
11859 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
11860 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
11861 			return -EINVAL;
11862 		new_triggers.four_way_handshake = true;
11863 		regular = true;
11864 	}
11865 
11866 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
11867 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
11868 			return -EINVAL;
11869 		new_triggers.rfkill_release = true;
11870 		regular = true;
11871 	}
11872 
11873 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
11874 		struct nlattr *pat;
11875 		int n_patterns = 0;
11876 		int rem, pat_len, mask_len, pkt_offset;
11877 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
11878 
11879 		regular = true;
11880 
11881 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
11882 				    rem)
11883 			n_patterns++;
11884 		if (n_patterns > wowlan->n_patterns)
11885 			return -EINVAL;
11886 
11887 		new_triggers.patterns = kcalloc(n_patterns,
11888 						sizeof(new_triggers.patterns[0]),
11889 						GFP_KERNEL);
11890 		if (!new_triggers.patterns)
11891 			return -ENOMEM;
11892 
11893 		new_triggers.n_patterns = n_patterns;
11894 		i = 0;
11895 
11896 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
11897 				    rem) {
11898 			u8 *mask_pat;
11899 
11900 			err = nla_parse_nested_deprecated(pat_tb,
11901 							  MAX_NL80211_PKTPAT,
11902 							  pat,
11903 							  nl80211_packet_pattern_policy,
11904 							  info->extack);
11905 			if (err)
11906 				goto error;
11907 
11908 			err = -EINVAL;
11909 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
11910 			    !pat_tb[NL80211_PKTPAT_PATTERN])
11911 				goto error;
11912 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
11913 			mask_len = DIV_ROUND_UP(pat_len, 8);
11914 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
11915 				goto error;
11916 			if (pat_len > wowlan->pattern_max_len ||
11917 			    pat_len < wowlan->pattern_min_len)
11918 				goto error;
11919 
11920 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
11921 				pkt_offset = 0;
11922 			else
11923 				pkt_offset = nla_get_u32(
11924 					pat_tb[NL80211_PKTPAT_OFFSET]);
11925 			if (pkt_offset > wowlan->max_pkt_offset)
11926 				goto error;
11927 			new_triggers.patterns[i].pkt_offset = pkt_offset;
11928 
11929 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
11930 			if (!mask_pat) {
11931 				err = -ENOMEM;
11932 				goto error;
11933 			}
11934 			new_triggers.patterns[i].mask = mask_pat;
11935 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
11936 			       mask_len);
11937 			mask_pat += mask_len;
11938 			new_triggers.patterns[i].pattern = mask_pat;
11939 			new_triggers.patterns[i].pattern_len = pat_len;
11940 			memcpy(mask_pat,
11941 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
11942 			       pat_len);
11943 			i++;
11944 		}
11945 	}
11946 
11947 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
11948 		regular = true;
11949 		err = nl80211_parse_wowlan_tcp(
11950 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
11951 			&new_triggers);
11952 		if (err)
11953 			goto error;
11954 	}
11955 
11956 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
11957 		regular = true;
11958 		err = nl80211_parse_wowlan_nd(
11959 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
11960 			&new_triggers);
11961 		if (err)
11962 			goto error;
11963 	}
11964 
11965 	/* The 'any' trigger means the device continues operating more or less
11966 	 * as in its normal operation mode and wakes up the host on most of the
11967 	 * normal interrupts (like packet RX, ...)
11968 	 * It therefore makes little sense to combine with the more constrained
11969 	 * wakeup trigger modes.
11970 	 */
11971 	if (new_triggers.any && regular) {
11972 		err = -EINVAL;
11973 		goto error;
11974 	}
11975 
11976 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
11977 	if (!ntrig) {
11978 		err = -ENOMEM;
11979 		goto error;
11980 	}
11981 	cfg80211_rdev_free_wowlan(rdev);
11982 	rdev->wiphy.wowlan_config = ntrig;
11983 
11984  set_wakeup:
11985 	if (rdev->ops->set_wakeup &&
11986 	    prev_enabled != !!rdev->wiphy.wowlan_config)
11987 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
11988 
11989 	return 0;
11990  error:
11991 	for (i = 0; i < new_triggers.n_patterns; i++)
11992 		kfree(new_triggers.patterns[i].mask);
11993 	kfree(new_triggers.patterns);
11994 	if (new_triggers.tcp && new_triggers.tcp->sock)
11995 		sock_release(new_triggers.tcp->sock);
11996 	kfree(new_triggers.tcp);
11997 	kfree(new_triggers.nd_config);
11998 	return err;
11999 }
12000 #endif
12001 
12002 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
12003 				       struct cfg80211_registered_device *rdev)
12004 {
12005 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
12006 	int i, j, pat_len;
12007 	struct cfg80211_coalesce_rules *rule;
12008 
12009 	if (!rdev->coalesce->n_rules)
12010 		return 0;
12011 
12012 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
12013 	if (!nl_rules)
12014 		return -ENOBUFS;
12015 
12016 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
12017 		nl_rule = nla_nest_start_noflag(msg, i + 1);
12018 		if (!nl_rule)
12019 			return -ENOBUFS;
12020 
12021 		rule = &rdev->coalesce->rules[i];
12022 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
12023 				rule->delay))
12024 			return -ENOBUFS;
12025 
12026 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
12027 				rule->condition))
12028 			return -ENOBUFS;
12029 
12030 		nl_pats = nla_nest_start_noflag(msg,
12031 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
12032 		if (!nl_pats)
12033 			return -ENOBUFS;
12034 
12035 		for (j = 0; j < rule->n_patterns; j++) {
12036 			nl_pat = nla_nest_start_noflag(msg, j + 1);
12037 			if (!nl_pat)
12038 				return -ENOBUFS;
12039 			pat_len = rule->patterns[j].pattern_len;
12040 			if (nla_put(msg, NL80211_PKTPAT_MASK,
12041 				    DIV_ROUND_UP(pat_len, 8),
12042 				    rule->patterns[j].mask) ||
12043 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
12044 				    rule->patterns[j].pattern) ||
12045 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
12046 					rule->patterns[j].pkt_offset))
12047 				return -ENOBUFS;
12048 			nla_nest_end(msg, nl_pat);
12049 		}
12050 		nla_nest_end(msg, nl_pats);
12051 		nla_nest_end(msg, nl_rule);
12052 	}
12053 	nla_nest_end(msg, nl_rules);
12054 
12055 	return 0;
12056 }
12057 
12058 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
12059 {
12060 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12061 	struct sk_buff *msg;
12062 	void *hdr;
12063 
12064 	if (!rdev->wiphy.coalesce)
12065 		return -EOPNOTSUPP;
12066 
12067 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12068 	if (!msg)
12069 		return -ENOMEM;
12070 
12071 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12072 			     NL80211_CMD_GET_COALESCE);
12073 	if (!hdr)
12074 		goto nla_put_failure;
12075 
12076 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
12077 		goto nla_put_failure;
12078 
12079 	genlmsg_end(msg, hdr);
12080 	return genlmsg_reply(msg, info);
12081 
12082 nla_put_failure:
12083 	nlmsg_free(msg);
12084 	return -ENOBUFS;
12085 }
12086 
12087 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
12088 {
12089 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
12090 	int i, j;
12091 	struct cfg80211_coalesce_rules *rule;
12092 
12093 	if (!coalesce)
12094 		return;
12095 
12096 	for (i = 0; i < coalesce->n_rules; i++) {
12097 		rule = &coalesce->rules[i];
12098 		for (j = 0; j < rule->n_patterns; j++)
12099 			kfree(rule->patterns[j].mask);
12100 		kfree(rule->patterns);
12101 	}
12102 	kfree(coalesce->rules);
12103 	kfree(coalesce);
12104 	rdev->coalesce = NULL;
12105 }
12106 
12107 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
12108 				       struct nlattr *rule,
12109 				       struct cfg80211_coalesce_rules *new_rule)
12110 {
12111 	int err, i;
12112 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
12113 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
12114 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
12115 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
12116 
12117 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
12118 					  rule, nl80211_coalesce_policy, NULL);
12119 	if (err)
12120 		return err;
12121 
12122 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
12123 		new_rule->delay =
12124 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
12125 	if (new_rule->delay > coalesce->max_delay)
12126 		return -EINVAL;
12127 
12128 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
12129 		new_rule->condition =
12130 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
12131 
12132 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
12133 		return -EINVAL;
12134 
12135 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
12136 			    rem)
12137 		n_patterns++;
12138 	if (n_patterns > coalesce->n_patterns)
12139 		return -EINVAL;
12140 
12141 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
12142 				     GFP_KERNEL);
12143 	if (!new_rule->patterns)
12144 		return -ENOMEM;
12145 
12146 	new_rule->n_patterns = n_patterns;
12147 	i = 0;
12148 
12149 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
12150 			    rem) {
12151 		u8 *mask_pat;
12152 
12153 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
12154 						  pat,
12155 						  nl80211_packet_pattern_policy,
12156 						  NULL);
12157 		if (err)
12158 			return err;
12159 
12160 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
12161 		    !pat_tb[NL80211_PKTPAT_PATTERN])
12162 			return -EINVAL;
12163 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
12164 		mask_len = DIV_ROUND_UP(pat_len, 8);
12165 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
12166 			return -EINVAL;
12167 		if (pat_len > coalesce->pattern_max_len ||
12168 		    pat_len < coalesce->pattern_min_len)
12169 			return -EINVAL;
12170 
12171 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
12172 			pkt_offset = 0;
12173 		else
12174 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
12175 		if (pkt_offset > coalesce->max_pkt_offset)
12176 			return -EINVAL;
12177 		new_rule->patterns[i].pkt_offset = pkt_offset;
12178 
12179 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
12180 		if (!mask_pat)
12181 			return -ENOMEM;
12182 
12183 		new_rule->patterns[i].mask = mask_pat;
12184 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
12185 		       mask_len);
12186 
12187 		mask_pat += mask_len;
12188 		new_rule->patterns[i].pattern = mask_pat;
12189 		new_rule->patterns[i].pattern_len = pat_len;
12190 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
12191 		       pat_len);
12192 		i++;
12193 	}
12194 
12195 	return 0;
12196 }
12197 
12198 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
12199 {
12200 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12201 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
12202 	struct cfg80211_coalesce new_coalesce = {};
12203 	struct cfg80211_coalesce *n_coalesce;
12204 	int err, rem_rule, n_rules = 0, i, j;
12205 	struct nlattr *rule;
12206 	struct cfg80211_coalesce_rules *tmp_rule;
12207 
12208 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
12209 		return -EOPNOTSUPP;
12210 
12211 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
12212 		cfg80211_rdev_free_coalesce(rdev);
12213 		rdev_set_coalesce(rdev, NULL);
12214 		return 0;
12215 	}
12216 
12217 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
12218 			    rem_rule)
12219 		n_rules++;
12220 	if (n_rules > coalesce->n_rules)
12221 		return -EINVAL;
12222 
12223 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
12224 				     GFP_KERNEL);
12225 	if (!new_coalesce.rules)
12226 		return -ENOMEM;
12227 
12228 	new_coalesce.n_rules = n_rules;
12229 	i = 0;
12230 
12231 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
12232 			    rem_rule) {
12233 		err = nl80211_parse_coalesce_rule(rdev, rule,
12234 						  &new_coalesce.rules[i]);
12235 		if (err)
12236 			goto error;
12237 
12238 		i++;
12239 	}
12240 
12241 	err = rdev_set_coalesce(rdev, &new_coalesce);
12242 	if (err)
12243 		goto error;
12244 
12245 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
12246 	if (!n_coalesce) {
12247 		err = -ENOMEM;
12248 		goto error;
12249 	}
12250 	cfg80211_rdev_free_coalesce(rdev);
12251 	rdev->coalesce = n_coalesce;
12252 
12253 	return 0;
12254 error:
12255 	for (i = 0; i < new_coalesce.n_rules; i++) {
12256 		tmp_rule = &new_coalesce.rules[i];
12257 		for (j = 0; j < tmp_rule->n_patterns; j++)
12258 			kfree(tmp_rule->patterns[j].mask);
12259 		kfree(tmp_rule->patterns);
12260 	}
12261 	kfree(new_coalesce.rules);
12262 
12263 	return err;
12264 }
12265 
12266 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
12267 {
12268 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12269 	struct net_device *dev = info->user_ptr[1];
12270 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12271 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
12272 	struct cfg80211_gtk_rekey_data rekey_data;
12273 	int err;
12274 
12275 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
12276 		return -EINVAL;
12277 
12278 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
12279 					  info->attrs[NL80211_ATTR_REKEY_DATA],
12280 					  nl80211_rekey_policy, info->extack);
12281 	if (err)
12282 		return err;
12283 
12284 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
12285 	    !tb[NL80211_REKEY_DATA_KCK])
12286 		return -EINVAL;
12287 	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
12288 		return -ERANGE;
12289 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
12290 		return -ERANGE;
12291 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN)
12292 		return -ERANGE;
12293 
12294 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
12295 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
12296 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
12297 
12298 	wdev_lock(wdev);
12299 	if (!wdev->current_bss) {
12300 		err = -ENOTCONN;
12301 		goto out;
12302 	}
12303 
12304 	if (!rdev->ops->set_rekey_data) {
12305 		err = -EOPNOTSUPP;
12306 		goto out;
12307 	}
12308 
12309 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
12310  out:
12311 	wdev_unlock(wdev);
12312 	return err;
12313 }
12314 
12315 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
12316 					     struct genl_info *info)
12317 {
12318 	struct net_device *dev = info->user_ptr[1];
12319 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12320 
12321 	if (wdev->iftype != NL80211_IFTYPE_AP &&
12322 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
12323 		return -EINVAL;
12324 
12325 	if (wdev->ap_unexpected_nlportid)
12326 		return -EBUSY;
12327 
12328 	wdev->ap_unexpected_nlportid = info->snd_portid;
12329 	return 0;
12330 }
12331 
12332 static int nl80211_probe_client(struct sk_buff *skb,
12333 				struct genl_info *info)
12334 {
12335 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12336 	struct net_device *dev = info->user_ptr[1];
12337 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12338 	struct sk_buff *msg;
12339 	void *hdr;
12340 	const u8 *addr;
12341 	u64 cookie;
12342 	int err;
12343 
12344 	if (wdev->iftype != NL80211_IFTYPE_AP &&
12345 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
12346 		return -EOPNOTSUPP;
12347 
12348 	if (!info->attrs[NL80211_ATTR_MAC])
12349 		return -EINVAL;
12350 
12351 	if (!rdev->ops->probe_client)
12352 		return -EOPNOTSUPP;
12353 
12354 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12355 	if (!msg)
12356 		return -ENOMEM;
12357 
12358 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12359 			     NL80211_CMD_PROBE_CLIENT);
12360 	if (!hdr) {
12361 		err = -ENOBUFS;
12362 		goto free_msg;
12363 	}
12364 
12365 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
12366 
12367 	err = rdev_probe_client(rdev, dev, addr, &cookie);
12368 	if (err)
12369 		goto free_msg;
12370 
12371 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12372 			      NL80211_ATTR_PAD))
12373 		goto nla_put_failure;
12374 
12375 	genlmsg_end(msg, hdr);
12376 
12377 	return genlmsg_reply(msg, info);
12378 
12379  nla_put_failure:
12380 	err = -ENOBUFS;
12381  free_msg:
12382 	nlmsg_free(msg);
12383 	return err;
12384 }
12385 
12386 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
12387 {
12388 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12389 	struct cfg80211_beacon_registration *reg, *nreg;
12390 	int rv;
12391 
12392 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
12393 		return -EOPNOTSUPP;
12394 
12395 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
12396 	if (!nreg)
12397 		return -ENOMEM;
12398 
12399 	/* First, check if already registered. */
12400 	spin_lock_bh(&rdev->beacon_registrations_lock);
12401 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
12402 		if (reg->nlportid == info->snd_portid) {
12403 			rv = -EALREADY;
12404 			goto out_err;
12405 		}
12406 	}
12407 	/* Add it to the list */
12408 	nreg->nlportid = info->snd_portid;
12409 	list_add(&nreg->list, &rdev->beacon_registrations);
12410 
12411 	spin_unlock_bh(&rdev->beacon_registrations_lock);
12412 
12413 	return 0;
12414 out_err:
12415 	spin_unlock_bh(&rdev->beacon_registrations_lock);
12416 	kfree(nreg);
12417 	return rv;
12418 }
12419 
12420 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
12421 {
12422 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12423 	struct wireless_dev *wdev = info->user_ptr[1];
12424 	int err;
12425 
12426 	if (!rdev->ops->start_p2p_device)
12427 		return -EOPNOTSUPP;
12428 
12429 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
12430 		return -EOPNOTSUPP;
12431 
12432 	if (wdev_running(wdev))
12433 		return 0;
12434 
12435 	if (rfkill_blocked(rdev->rfkill))
12436 		return -ERFKILL;
12437 
12438 	err = rdev_start_p2p_device(rdev, wdev);
12439 	if (err)
12440 		return err;
12441 
12442 	wdev->is_running = true;
12443 	rdev->opencount++;
12444 
12445 	return 0;
12446 }
12447 
12448 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
12449 {
12450 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12451 	struct wireless_dev *wdev = info->user_ptr[1];
12452 
12453 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
12454 		return -EOPNOTSUPP;
12455 
12456 	if (!rdev->ops->stop_p2p_device)
12457 		return -EOPNOTSUPP;
12458 
12459 	cfg80211_stop_p2p_device(rdev, wdev);
12460 
12461 	return 0;
12462 }
12463 
12464 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
12465 {
12466 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12467 	struct wireless_dev *wdev = info->user_ptr[1];
12468 	struct cfg80211_nan_conf conf = {};
12469 	int err;
12470 
12471 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12472 		return -EOPNOTSUPP;
12473 
12474 	if (wdev_running(wdev))
12475 		return -EEXIST;
12476 
12477 	if (rfkill_blocked(rdev->rfkill))
12478 		return -ERFKILL;
12479 
12480 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
12481 		return -EINVAL;
12482 
12483 	conf.master_pref =
12484 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
12485 
12486 	if (info->attrs[NL80211_ATTR_BANDS]) {
12487 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
12488 
12489 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
12490 			return -EOPNOTSUPP;
12491 
12492 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
12493 			return -EINVAL;
12494 
12495 		conf.bands = bands;
12496 	}
12497 
12498 	err = rdev_start_nan(rdev, wdev, &conf);
12499 	if (err)
12500 		return err;
12501 
12502 	wdev->is_running = true;
12503 	rdev->opencount++;
12504 
12505 	return 0;
12506 }
12507 
12508 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
12509 {
12510 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12511 	struct wireless_dev *wdev = info->user_ptr[1];
12512 
12513 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12514 		return -EOPNOTSUPP;
12515 
12516 	cfg80211_stop_nan(rdev, wdev);
12517 
12518 	return 0;
12519 }
12520 
12521 static int validate_nan_filter(struct nlattr *filter_attr)
12522 {
12523 	struct nlattr *attr;
12524 	int len = 0, n_entries = 0, rem;
12525 
12526 	nla_for_each_nested(attr, filter_attr, rem) {
12527 		len += nla_len(attr);
12528 		n_entries++;
12529 	}
12530 
12531 	if (len >= U8_MAX)
12532 		return -EINVAL;
12533 
12534 	return n_entries;
12535 }
12536 
12537 static int handle_nan_filter(struct nlattr *attr_filter,
12538 			     struct cfg80211_nan_func *func,
12539 			     bool tx)
12540 {
12541 	struct nlattr *attr;
12542 	int n_entries, rem, i;
12543 	struct cfg80211_nan_func_filter *filter;
12544 
12545 	n_entries = validate_nan_filter(attr_filter);
12546 	if (n_entries < 0)
12547 		return n_entries;
12548 
12549 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
12550 
12551 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
12552 	if (!filter)
12553 		return -ENOMEM;
12554 
12555 	i = 0;
12556 	nla_for_each_nested(attr, attr_filter, rem) {
12557 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
12558 		filter[i].len = nla_len(attr);
12559 		i++;
12560 	}
12561 	if (tx) {
12562 		func->num_tx_filters = n_entries;
12563 		func->tx_filters = filter;
12564 	} else {
12565 		func->num_rx_filters = n_entries;
12566 		func->rx_filters = filter;
12567 	}
12568 
12569 	return 0;
12570 }
12571 
12572 static int nl80211_nan_add_func(struct sk_buff *skb,
12573 				struct genl_info *info)
12574 {
12575 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12576 	struct wireless_dev *wdev = info->user_ptr[1];
12577 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
12578 	struct cfg80211_nan_func *func;
12579 	struct sk_buff *msg = NULL;
12580 	void *hdr = NULL;
12581 	int err = 0;
12582 
12583 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12584 		return -EOPNOTSUPP;
12585 
12586 	if (!wdev_running(wdev))
12587 		return -ENOTCONN;
12588 
12589 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
12590 		return -EINVAL;
12591 
12592 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
12593 					  info->attrs[NL80211_ATTR_NAN_FUNC],
12594 					  nl80211_nan_func_policy,
12595 					  info->extack);
12596 	if (err)
12597 		return err;
12598 
12599 	func = kzalloc(sizeof(*func), GFP_KERNEL);
12600 	if (!func)
12601 		return -ENOMEM;
12602 
12603 	func->cookie = cfg80211_assign_cookie(rdev);
12604 
12605 	if (!tb[NL80211_NAN_FUNC_TYPE] ||
12606 	    nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]) > NL80211_NAN_FUNC_MAX_TYPE) {
12607 		err = -EINVAL;
12608 		goto out;
12609 	}
12610 
12611 
12612 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
12613 
12614 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
12615 		err = -EINVAL;
12616 		goto out;
12617 	}
12618 
12619 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
12620 	       sizeof(func->service_id));
12621 
12622 	func->close_range =
12623 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
12624 
12625 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
12626 		func->serv_spec_info_len =
12627 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
12628 		func->serv_spec_info =
12629 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
12630 				func->serv_spec_info_len,
12631 				GFP_KERNEL);
12632 		if (!func->serv_spec_info) {
12633 			err = -ENOMEM;
12634 			goto out;
12635 		}
12636 	}
12637 
12638 	if (tb[NL80211_NAN_FUNC_TTL])
12639 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
12640 
12641 	switch (func->type) {
12642 	case NL80211_NAN_FUNC_PUBLISH:
12643 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
12644 			err = -EINVAL;
12645 			goto out;
12646 		}
12647 
12648 		func->publish_type =
12649 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
12650 		func->publish_bcast =
12651 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
12652 
12653 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
12654 			func->publish_bcast) {
12655 			err = -EINVAL;
12656 			goto out;
12657 		}
12658 		break;
12659 	case NL80211_NAN_FUNC_SUBSCRIBE:
12660 		func->subscribe_active =
12661 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
12662 		break;
12663 	case NL80211_NAN_FUNC_FOLLOW_UP:
12664 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
12665 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
12666 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
12667 			err = -EINVAL;
12668 			goto out;
12669 		}
12670 
12671 		func->followup_id =
12672 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
12673 		func->followup_reqid =
12674 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
12675 		memcpy(func->followup_dest.addr,
12676 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
12677 		       sizeof(func->followup_dest.addr));
12678 		if (func->ttl) {
12679 			err = -EINVAL;
12680 			goto out;
12681 		}
12682 		break;
12683 	default:
12684 		err = -EINVAL;
12685 		goto out;
12686 	}
12687 
12688 	if (tb[NL80211_NAN_FUNC_SRF]) {
12689 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
12690 
12691 		err = nla_parse_nested_deprecated(srf_tb,
12692 						  NL80211_NAN_SRF_ATTR_MAX,
12693 						  tb[NL80211_NAN_FUNC_SRF],
12694 						  nl80211_nan_srf_policy,
12695 						  info->extack);
12696 		if (err)
12697 			goto out;
12698 
12699 		func->srf_include =
12700 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
12701 
12702 		if (srf_tb[NL80211_NAN_SRF_BF]) {
12703 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
12704 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
12705 				err = -EINVAL;
12706 				goto out;
12707 			}
12708 
12709 			func->srf_bf_len =
12710 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
12711 			func->srf_bf =
12712 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
12713 					func->srf_bf_len, GFP_KERNEL);
12714 			if (!func->srf_bf) {
12715 				err = -ENOMEM;
12716 				goto out;
12717 			}
12718 
12719 			func->srf_bf_idx =
12720 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
12721 		} else {
12722 			struct nlattr *attr, *mac_attr =
12723 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
12724 			int n_entries, rem, i = 0;
12725 
12726 			if (!mac_attr) {
12727 				err = -EINVAL;
12728 				goto out;
12729 			}
12730 
12731 			n_entries = validate_acl_mac_addrs(mac_attr);
12732 			if (n_entries <= 0) {
12733 				err = -EINVAL;
12734 				goto out;
12735 			}
12736 
12737 			func->srf_num_macs = n_entries;
12738 			func->srf_macs =
12739 				kcalloc(n_entries, sizeof(*func->srf_macs),
12740 					GFP_KERNEL);
12741 			if (!func->srf_macs) {
12742 				err = -ENOMEM;
12743 				goto out;
12744 			}
12745 
12746 			nla_for_each_nested(attr, mac_attr, rem)
12747 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
12748 				       sizeof(*func->srf_macs));
12749 		}
12750 	}
12751 
12752 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
12753 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
12754 					func, true);
12755 		if (err)
12756 			goto out;
12757 	}
12758 
12759 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
12760 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
12761 					func, false);
12762 		if (err)
12763 			goto out;
12764 	}
12765 
12766 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12767 	if (!msg) {
12768 		err = -ENOMEM;
12769 		goto out;
12770 	}
12771 
12772 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12773 			     NL80211_CMD_ADD_NAN_FUNCTION);
12774 	/* This can't really happen - we just allocated 4KB */
12775 	if (WARN_ON(!hdr)) {
12776 		err = -ENOMEM;
12777 		goto out;
12778 	}
12779 
12780 	err = rdev_add_nan_func(rdev, wdev, func);
12781 out:
12782 	if (err < 0) {
12783 		cfg80211_free_nan_func(func);
12784 		nlmsg_free(msg);
12785 		return err;
12786 	}
12787 
12788 	/* propagate the instance id and cookie to userspace  */
12789 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
12790 			      NL80211_ATTR_PAD))
12791 		goto nla_put_failure;
12792 
12793 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
12794 	if (!func_attr)
12795 		goto nla_put_failure;
12796 
12797 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
12798 		       func->instance_id))
12799 		goto nla_put_failure;
12800 
12801 	nla_nest_end(msg, func_attr);
12802 
12803 	genlmsg_end(msg, hdr);
12804 	return genlmsg_reply(msg, info);
12805 
12806 nla_put_failure:
12807 	nlmsg_free(msg);
12808 	return -ENOBUFS;
12809 }
12810 
12811 static int nl80211_nan_del_func(struct sk_buff *skb,
12812 			       struct genl_info *info)
12813 {
12814 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12815 	struct wireless_dev *wdev = info->user_ptr[1];
12816 	u64 cookie;
12817 
12818 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12819 		return -EOPNOTSUPP;
12820 
12821 	if (!wdev_running(wdev))
12822 		return -ENOTCONN;
12823 
12824 	if (!info->attrs[NL80211_ATTR_COOKIE])
12825 		return -EINVAL;
12826 
12827 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12828 
12829 	rdev_del_nan_func(rdev, wdev, cookie);
12830 
12831 	return 0;
12832 }
12833 
12834 static int nl80211_nan_change_config(struct sk_buff *skb,
12835 				     struct genl_info *info)
12836 {
12837 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12838 	struct wireless_dev *wdev = info->user_ptr[1];
12839 	struct cfg80211_nan_conf conf = {};
12840 	u32 changed = 0;
12841 
12842 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12843 		return -EOPNOTSUPP;
12844 
12845 	if (!wdev_running(wdev))
12846 		return -ENOTCONN;
12847 
12848 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
12849 		conf.master_pref =
12850 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
12851 		if (conf.master_pref <= 1 || conf.master_pref == 255)
12852 			return -EINVAL;
12853 
12854 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
12855 	}
12856 
12857 	if (info->attrs[NL80211_ATTR_BANDS]) {
12858 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
12859 
12860 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
12861 			return -EOPNOTSUPP;
12862 
12863 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
12864 			return -EINVAL;
12865 
12866 		conf.bands = bands;
12867 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
12868 	}
12869 
12870 	if (!changed)
12871 		return -EINVAL;
12872 
12873 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
12874 }
12875 
12876 void cfg80211_nan_match(struct wireless_dev *wdev,
12877 			struct cfg80211_nan_match_params *match, gfp_t gfp)
12878 {
12879 	struct wiphy *wiphy = wdev->wiphy;
12880 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12881 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
12882 	struct sk_buff *msg;
12883 	void *hdr;
12884 
12885 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
12886 		return;
12887 
12888 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12889 	if (!msg)
12890 		return;
12891 
12892 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
12893 	if (!hdr) {
12894 		nlmsg_free(msg);
12895 		return;
12896 	}
12897 
12898 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12899 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12900 					 wdev->netdev->ifindex)) ||
12901 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
12902 			      NL80211_ATTR_PAD))
12903 		goto nla_put_failure;
12904 
12905 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
12906 			      NL80211_ATTR_PAD) ||
12907 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
12908 		goto nla_put_failure;
12909 
12910 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
12911 	if (!match_attr)
12912 		goto nla_put_failure;
12913 
12914 	local_func_attr = nla_nest_start_noflag(msg,
12915 						NL80211_NAN_MATCH_FUNC_LOCAL);
12916 	if (!local_func_attr)
12917 		goto nla_put_failure;
12918 
12919 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
12920 		goto nla_put_failure;
12921 
12922 	nla_nest_end(msg, local_func_attr);
12923 
12924 	peer_func_attr = nla_nest_start_noflag(msg,
12925 					       NL80211_NAN_MATCH_FUNC_PEER);
12926 	if (!peer_func_attr)
12927 		goto nla_put_failure;
12928 
12929 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
12930 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
12931 		goto nla_put_failure;
12932 
12933 	if (match->info && match->info_len &&
12934 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
12935 		    match->info))
12936 		goto nla_put_failure;
12937 
12938 	nla_nest_end(msg, peer_func_attr);
12939 	nla_nest_end(msg, match_attr);
12940 	genlmsg_end(msg, hdr);
12941 
12942 	if (!wdev->owner_nlportid)
12943 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
12944 					msg, 0, NL80211_MCGRP_NAN, gfp);
12945 	else
12946 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
12947 				wdev->owner_nlportid);
12948 
12949 	return;
12950 
12951 nla_put_failure:
12952 	nlmsg_free(msg);
12953 }
12954 EXPORT_SYMBOL(cfg80211_nan_match);
12955 
12956 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
12957 				  u8 inst_id,
12958 				  enum nl80211_nan_func_term_reason reason,
12959 				  u64 cookie, gfp_t gfp)
12960 {
12961 	struct wiphy *wiphy = wdev->wiphy;
12962 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12963 	struct sk_buff *msg;
12964 	struct nlattr *func_attr;
12965 	void *hdr;
12966 
12967 	if (WARN_ON(!inst_id))
12968 		return;
12969 
12970 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12971 	if (!msg)
12972 		return;
12973 
12974 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
12975 	if (!hdr) {
12976 		nlmsg_free(msg);
12977 		return;
12978 	}
12979 
12980 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12981 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12982 					 wdev->netdev->ifindex)) ||
12983 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
12984 			      NL80211_ATTR_PAD))
12985 		goto nla_put_failure;
12986 
12987 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12988 			      NL80211_ATTR_PAD))
12989 		goto nla_put_failure;
12990 
12991 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
12992 	if (!func_attr)
12993 		goto nla_put_failure;
12994 
12995 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
12996 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
12997 		goto nla_put_failure;
12998 
12999 	nla_nest_end(msg, func_attr);
13000 	genlmsg_end(msg, hdr);
13001 
13002 	if (!wdev->owner_nlportid)
13003 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13004 					msg, 0, NL80211_MCGRP_NAN, gfp);
13005 	else
13006 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13007 				wdev->owner_nlportid);
13008 
13009 	return;
13010 
13011 nla_put_failure:
13012 	nlmsg_free(msg);
13013 }
13014 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
13015 
13016 static int nl80211_get_protocol_features(struct sk_buff *skb,
13017 					 struct genl_info *info)
13018 {
13019 	void *hdr;
13020 	struct sk_buff *msg;
13021 
13022 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13023 	if (!msg)
13024 		return -ENOMEM;
13025 
13026 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13027 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
13028 	if (!hdr)
13029 		goto nla_put_failure;
13030 
13031 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
13032 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
13033 		goto nla_put_failure;
13034 
13035 	genlmsg_end(msg, hdr);
13036 	return genlmsg_reply(msg, info);
13037 
13038  nla_put_failure:
13039 	kfree_skb(msg);
13040 	return -ENOBUFS;
13041 }
13042 
13043 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
13044 {
13045 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13046 	struct cfg80211_update_ft_ies_params ft_params;
13047 	struct net_device *dev = info->user_ptr[1];
13048 
13049 	if (!rdev->ops->update_ft_ies)
13050 		return -EOPNOTSUPP;
13051 
13052 	if (!info->attrs[NL80211_ATTR_MDID] ||
13053 	    !info->attrs[NL80211_ATTR_IE])
13054 		return -EINVAL;
13055 
13056 	memset(&ft_params, 0, sizeof(ft_params));
13057 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
13058 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13059 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13060 
13061 	return rdev_update_ft_ies(rdev, dev, &ft_params);
13062 }
13063 
13064 static int nl80211_crit_protocol_start(struct sk_buff *skb,
13065 				       struct genl_info *info)
13066 {
13067 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13068 	struct wireless_dev *wdev = info->user_ptr[1];
13069 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
13070 	u16 duration;
13071 	int ret;
13072 
13073 	if (!rdev->ops->crit_proto_start)
13074 		return -EOPNOTSUPP;
13075 
13076 	if (WARN_ON(!rdev->ops->crit_proto_stop))
13077 		return -EINVAL;
13078 
13079 	if (rdev->crit_proto_nlportid)
13080 		return -EBUSY;
13081 
13082 	/* determine protocol if provided */
13083 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
13084 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
13085 
13086 	if (proto >= NUM_NL80211_CRIT_PROTO)
13087 		return -EINVAL;
13088 
13089 	/* timeout must be provided */
13090 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
13091 		return -EINVAL;
13092 
13093 	duration =
13094 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
13095 
13096 	if (duration > NL80211_CRIT_PROTO_MAX_DURATION)
13097 		return -ERANGE;
13098 
13099 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
13100 	if (!ret)
13101 		rdev->crit_proto_nlportid = info->snd_portid;
13102 
13103 	return ret;
13104 }
13105 
13106 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
13107 				      struct genl_info *info)
13108 {
13109 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13110 	struct wireless_dev *wdev = info->user_ptr[1];
13111 
13112 	if (!rdev->ops->crit_proto_stop)
13113 		return -EOPNOTSUPP;
13114 
13115 	if (rdev->crit_proto_nlportid) {
13116 		rdev->crit_proto_nlportid = 0;
13117 		rdev_crit_proto_stop(rdev, wdev);
13118 	}
13119 	return 0;
13120 }
13121 
13122 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
13123 				       struct nlattr *attr,
13124 				       struct netlink_ext_ack *extack)
13125 {
13126 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
13127 		if (attr->nla_type & NLA_F_NESTED) {
13128 			NL_SET_ERR_MSG_ATTR(extack, attr,
13129 					    "unexpected nested data");
13130 			return -EINVAL;
13131 		}
13132 
13133 		return 0;
13134 	}
13135 
13136 	if (!(attr->nla_type & NLA_F_NESTED)) {
13137 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
13138 		return -EINVAL;
13139 	}
13140 
13141 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
13142 }
13143 
13144 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
13145 {
13146 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13147 	struct wireless_dev *wdev =
13148 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
13149 	int i, err;
13150 	u32 vid, subcmd;
13151 
13152 	if (!rdev->wiphy.vendor_commands)
13153 		return -EOPNOTSUPP;
13154 
13155 	if (IS_ERR(wdev)) {
13156 		err = PTR_ERR(wdev);
13157 		if (err != -EINVAL)
13158 			return err;
13159 		wdev = NULL;
13160 	} else if (wdev->wiphy != &rdev->wiphy) {
13161 		return -EINVAL;
13162 	}
13163 
13164 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
13165 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
13166 		return -EINVAL;
13167 
13168 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
13169 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
13170 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
13171 		const struct wiphy_vendor_command *vcmd;
13172 		void *data = NULL;
13173 		int len = 0;
13174 
13175 		vcmd = &rdev->wiphy.vendor_commands[i];
13176 
13177 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
13178 			continue;
13179 
13180 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
13181 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
13182 			if (!wdev)
13183 				return -EINVAL;
13184 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
13185 			    !wdev->netdev)
13186 				return -EINVAL;
13187 
13188 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
13189 				if (!wdev_running(wdev))
13190 					return -ENETDOWN;
13191 			}
13192 
13193 			if (!vcmd->doit)
13194 				return -EOPNOTSUPP;
13195 		} else {
13196 			wdev = NULL;
13197 		}
13198 
13199 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
13200 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
13201 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
13202 
13203 			err = nl80211_vendor_check_policy(vcmd,
13204 					info->attrs[NL80211_ATTR_VENDOR_DATA],
13205 					info->extack);
13206 			if (err)
13207 				return err;
13208 		}
13209 
13210 		rdev->cur_cmd_info = info;
13211 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
13212 		rdev->cur_cmd_info = NULL;
13213 		return err;
13214 	}
13215 
13216 	return -EOPNOTSUPP;
13217 }
13218 
13219 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
13220 				       struct netlink_callback *cb,
13221 				       struct cfg80211_registered_device **rdev,
13222 				       struct wireless_dev **wdev)
13223 {
13224 	struct nlattr **attrbuf;
13225 	u32 vid, subcmd;
13226 	unsigned int i;
13227 	int vcmd_idx = -1;
13228 	int err;
13229 	void *data = NULL;
13230 	unsigned int data_len = 0;
13231 
13232 	if (cb->args[0]) {
13233 		/* subtract the 1 again here */
13234 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
13235 		struct wireless_dev *tmp;
13236 
13237 		if (!wiphy)
13238 			return -ENODEV;
13239 		*rdev = wiphy_to_rdev(wiphy);
13240 		*wdev = NULL;
13241 
13242 		if (cb->args[1]) {
13243 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
13244 				if (tmp->identifier == cb->args[1] - 1) {
13245 					*wdev = tmp;
13246 					break;
13247 				}
13248 			}
13249 		}
13250 
13251 		/* keep rtnl locked in successful case */
13252 		return 0;
13253 	}
13254 
13255 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
13256 	if (!attrbuf)
13257 		return -ENOMEM;
13258 
13259 	err = nlmsg_parse_deprecated(cb->nlh,
13260 				     GENL_HDRLEN + nl80211_fam.hdrsize,
13261 				     attrbuf, nl80211_fam.maxattr,
13262 				     nl80211_policy, NULL);
13263 	if (err)
13264 		goto out;
13265 
13266 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
13267 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
13268 		err = -EINVAL;
13269 		goto out;
13270 	}
13271 
13272 	*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk), attrbuf);
13273 	if (IS_ERR(*wdev))
13274 		*wdev = NULL;
13275 
13276 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
13277 	if (IS_ERR(*rdev)) {
13278 		err = PTR_ERR(*rdev);
13279 		goto out;
13280 	}
13281 
13282 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
13283 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
13284 
13285 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
13286 		const struct wiphy_vendor_command *vcmd;
13287 
13288 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
13289 
13290 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
13291 			continue;
13292 
13293 		if (!vcmd->dumpit) {
13294 			err = -EOPNOTSUPP;
13295 			goto out;
13296 		}
13297 
13298 		vcmd_idx = i;
13299 		break;
13300 	}
13301 
13302 	if (vcmd_idx < 0) {
13303 		err = -EOPNOTSUPP;
13304 		goto out;
13305 	}
13306 
13307 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
13308 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
13309 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
13310 
13311 		err = nl80211_vendor_check_policy(
13312 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
13313 				attrbuf[NL80211_ATTR_VENDOR_DATA],
13314 				cb->extack);
13315 		if (err)
13316 			goto out;
13317 	}
13318 
13319 	/* 0 is the first index - add 1 to parse only once */
13320 	cb->args[0] = (*rdev)->wiphy_idx + 1;
13321 	/* add 1 to know if it was NULL */
13322 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
13323 	cb->args[2] = vcmd_idx;
13324 	cb->args[3] = (unsigned long)data;
13325 	cb->args[4] = data_len;
13326 
13327 	/* keep rtnl locked in successful case */
13328 	err = 0;
13329 out:
13330 	kfree(attrbuf);
13331 	return err;
13332 }
13333 
13334 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
13335 				   struct netlink_callback *cb)
13336 {
13337 	struct cfg80211_registered_device *rdev;
13338 	struct wireless_dev *wdev;
13339 	unsigned int vcmd_idx;
13340 	const struct wiphy_vendor_command *vcmd;
13341 	void *data;
13342 	int data_len;
13343 	int err;
13344 	struct nlattr *vendor_data;
13345 
13346 	rtnl_lock();
13347 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
13348 	if (err)
13349 		goto out;
13350 
13351 	vcmd_idx = cb->args[2];
13352 	data = (void *)cb->args[3];
13353 	data_len = cb->args[4];
13354 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
13355 
13356 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
13357 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
13358 		if (!wdev) {
13359 			err = -EINVAL;
13360 			goto out;
13361 		}
13362 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
13363 		    !wdev->netdev) {
13364 			err = -EINVAL;
13365 			goto out;
13366 		}
13367 
13368 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
13369 			if (!wdev_running(wdev)) {
13370 				err = -ENETDOWN;
13371 				goto out;
13372 			}
13373 		}
13374 	}
13375 
13376 	while (1) {
13377 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
13378 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
13379 					   NL80211_CMD_VENDOR);
13380 		if (!hdr)
13381 			break;
13382 
13383 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13384 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
13385 					       wdev_id(wdev),
13386 					       NL80211_ATTR_PAD))) {
13387 			genlmsg_cancel(skb, hdr);
13388 			break;
13389 		}
13390 
13391 		vendor_data = nla_nest_start_noflag(skb,
13392 						    NL80211_ATTR_VENDOR_DATA);
13393 		if (!vendor_data) {
13394 			genlmsg_cancel(skb, hdr);
13395 			break;
13396 		}
13397 
13398 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
13399 				   (unsigned long *)&cb->args[5]);
13400 		nla_nest_end(skb, vendor_data);
13401 
13402 		if (err == -ENOBUFS || err == -ENOENT) {
13403 			genlmsg_cancel(skb, hdr);
13404 			break;
13405 		} else if (err) {
13406 			genlmsg_cancel(skb, hdr);
13407 			goto out;
13408 		}
13409 
13410 		genlmsg_end(skb, hdr);
13411 	}
13412 
13413 	err = skb->len;
13414  out:
13415 	rtnl_unlock();
13416 	return err;
13417 }
13418 
13419 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
13420 					   enum nl80211_commands cmd,
13421 					   enum nl80211_attrs attr,
13422 					   int approxlen)
13423 {
13424 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13425 
13426 	if (WARN_ON(!rdev->cur_cmd_info))
13427 		return NULL;
13428 
13429 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
13430 					   rdev->cur_cmd_info->snd_portid,
13431 					   rdev->cur_cmd_info->snd_seq,
13432 					   cmd, attr, NULL, GFP_KERNEL);
13433 }
13434 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
13435 
13436 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
13437 {
13438 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
13439 	void *hdr = ((void **)skb->cb)[1];
13440 	struct nlattr *data = ((void **)skb->cb)[2];
13441 
13442 	/* clear CB data for netlink core to own from now on */
13443 	memset(skb->cb, 0, sizeof(skb->cb));
13444 
13445 	if (WARN_ON(!rdev->cur_cmd_info)) {
13446 		kfree_skb(skb);
13447 		return -EINVAL;
13448 	}
13449 
13450 	nla_nest_end(skb, data);
13451 	genlmsg_end(skb, hdr);
13452 	return genlmsg_reply(skb, rdev->cur_cmd_info);
13453 }
13454 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
13455 
13456 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
13457 {
13458 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13459 
13460 	if (WARN_ON(!rdev->cur_cmd_info))
13461 		return 0;
13462 
13463 	return rdev->cur_cmd_info->snd_portid;
13464 }
13465 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
13466 
13467 static int nl80211_set_qos_map(struct sk_buff *skb,
13468 			       struct genl_info *info)
13469 {
13470 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13471 	struct cfg80211_qos_map *qos_map = NULL;
13472 	struct net_device *dev = info->user_ptr[1];
13473 	u8 *pos, len, num_des, des_len, des;
13474 	int ret;
13475 
13476 	if (!rdev->ops->set_qos_map)
13477 		return -EOPNOTSUPP;
13478 
13479 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
13480 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
13481 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
13482 
13483 		if (len % 2 || len < IEEE80211_QOS_MAP_LEN_MIN ||
13484 		    len > IEEE80211_QOS_MAP_LEN_MAX)
13485 			return -EINVAL;
13486 
13487 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
13488 		if (!qos_map)
13489 			return -ENOMEM;
13490 
13491 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
13492 		if (num_des) {
13493 			des_len = num_des *
13494 				sizeof(struct cfg80211_dscp_exception);
13495 			memcpy(qos_map->dscp_exception, pos, des_len);
13496 			qos_map->num_des = num_des;
13497 			for (des = 0; des < num_des; des++) {
13498 				if (qos_map->dscp_exception[des].up > 7) {
13499 					kfree(qos_map);
13500 					return -EINVAL;
13501 				}
13502 			}
13503 			pos += des_len;
13504 		}
13505 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
13506 	}
13507 
13508 	wdev_lock(dev->ieee80211_ptr);
13509 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
13510 	if (!ret)
13511 		ret = rdev_set_qos_map(rdev, dev, qos_map);
13512 	wdev_unlock(dev->ieee80211_ptr);
13513 
13514 	kfree(qos_map);
13515 	return ret;
13516 }
13517 
13518 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
13519 {
13520 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13521 	struct net_device *dev = info->user_ptr[1];
13522 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13523 	const u8 *peer;
13524 	u8 tsid, up;
13525 	u16 admitted_time = 0;
13526 	int err;
13527 
13528 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
13529 		return -EOPNOTSUPP;
13530 
13531 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
13532 	    !info->attrs[NL80211_ATTR_USER_PRIO])
13533 		return -EINVAL;
13534 
13535 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
13536 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
13537 
13538 	/* WMM uses TIDs 0-7 even for TSPEC */
13539 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
13540 		/* TODO: handle 802.11 TSPEC/admission control
13541 		 * need more attributes for that (e.g. BA session requirement);
13542 		 * change the WMM adminssion test above to allow both then
13543 		 */
13544 		return -EINVAL;
13545 	}
13546 
13547 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13548 
13549 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
13550 		admitted_time =
13551 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
13552 		if (!admitted_time)
13553 			return -EINVAL;
13554 	}
13555 
13556 	wdev_lock(wdev);
13557 	switch (wdev->iftype) {
13558 	case NL80211_IFTYPE_STATION:
13559 	case NL80211_IFTYPE_P2P_CLIENT:
13560 		if (wdev->current_bss)
13561 			break;
13562 		err = -ENOTCONN;
13563 		goto out;
13564 	default:
13565 		err = -EOPNOTSUPP;
13566 		goto out;
13567 	}
13568 
13569 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
13570 
13571  out:
13572 	wdev_unlock(wdev);
13573 	return err;
13574 }
13575 
13576 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
13577 {
13578 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13579 	struct net_device *dev = info->user_ptr[1];
13580 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13581 	const u8 *peer;
13582 	u8 tsid;
13583 	int err;
13584 
13585 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
13586 		return -EINVAL;
13587 
13588 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
13589 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13590 
13591 	wdev_lock(wdev);
13592 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
13593 	wdev_unlock(wdev);
13594 
13595 	return err;
13596 }
13597 
13598 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
13599 				       struct genl_info *info)
13600 {
13601 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13602 	struct net_device *dev = info->user_ptr[1];
13603 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13604 	struct cfg80211_chan_def chandef = {};
13605 	const u8 *addr;
13606 	u8 oper_class;
13607 	int err;
13608 
13609 	if (!rdev->ops->tdls_channel_switch ||
13610 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
13611 		return -EOPNOTSUPP;
13612 
13613 	switch (dev->ieee80211_ptr->iftype) {
13614 	case NL80211_IFTYPE_STATION:
13615 	case NL80211_IFTYPE_P2P_CLIENT:
13616 		break;
13617 	default:
13618 		return -EOPNOTSUPP;
13619 	}
13620 
13621 	if (!info->attrs[NL80211_ATTR_MAC] ||
13622 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
13623 		return -EINVAL;
13624 
13625 	err = nl80211_parse_chandef(rdev, info, &chandef);
13626 	if (err)
13627 		return err;
13628 
13629 	/*
13630 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
13631 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
13632 	 * specification is not defined for them.
13633 	 */
13634 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
13635 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
13636 	    chandef.width != NL80211_CHAN_WIDTH_20)
13637 		return -EINVAL;
13638 
13639 	/* we will be active on the TDLS link */
13640 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
13641 					   wdev->iftype))
13642 		return -EINVAL;
13643 
13644 	/* don't allow switching to DFS channels */
13645 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
13646 		return -EINVAL;
13647 
13648 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
13649 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
13650 
13651 	wdev_lock(wdev);
13652 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
13653 	wdev_unlock(wdev);
13654 
13655 	return err;
13656 }
13657 
13658 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
13659 					      struct genl_info *info)
13660 {
13661 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13662 	struct net_device *dev = info->user_ptr[1];
13663 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13664 	const u8 *addr;
13665 
13666 	if (!rdev->ops->tdls_channel_switch ||
13667 	    !rdev->ops->tdls_cancel_channel_switch ||
13668 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
13669 		return -EOPNOTSUPP;
13670 
13671 	switch (dev->ieee80211_ptr->iftype) {
13672 	case NL80211_IFTYPE_STATION:
13673 	case NL80211_IFTYPE_P2P_CLIENT:
13674 		break;
13675 	default:
13676 		return -EOPNOTSUPP;
13677 	}
13678 
13679 	if (!info->attrs[NL80211_ATTR_MAC])
13680 		return -EINVAL;
13681 
13682 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
13683 
13684 	wdev_lock(wdev);
13685 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
13686 	wdev_unlock(wdev);
13687 
13688 	return 0;
13689 }
13690 
13691 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
13692 					    struct genl_info *info)
13693 {
13694 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13695 	struct net_device *dev = info->user_ptr[1];
13696 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13697 	const struct nlattr *nla;
13698 	bool enabled;
13699 
13700 	if (!rdev->ops->set_multicast_to_unicast)
13701 		return -EOPNOTSUPP;
13702 
13703 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13704 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13705 		return -EOPNOTSUPP;
13706 
13707 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
13708 	enabled = nla_get_flag(nla);
13709 
13710 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
13711 }
13712 
13713 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
13714 {
13715 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13716 	struct net_device *dev = info->user_ptr[1];
13717 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13718 	struct cfg80211_pmk_conf pmk_conf = {};
13719 	int ret;
13720 
13721 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13722 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13723 		return -EOPNOTSUPP;
13724 
13725 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
13726 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
13727 		return -EOPNOTSUPP;
13728 
13729 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
13730 		return -EINVAL;
13731 
13732 	wdev_lock(wdev);
13733 	if (!wdev->current_bss) {
13734 		ret = -ENOTCONN;
13735 		goto out;
13736 	}
13737 
13738 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
13739 	if (memcmp(pmk_conf.aa, wdev->current_bss->pub.bssid, ETH_ALEN)) {
13740 		ret = -EINVAL;
13741 		goto out;
13742 	}
13743 
13744 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
13745 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
13746 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
13747 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
13748 		ret = -EINVAL;
13749 		goto out;
13750 	}
13751 
13752 	if (info->attrs[NL80211_ATTR_PMKR0_NAME]) {
13753 		int r0_name_len = nla_len(info->attrs[NL80211_ATTR_PMKR0_NAME]);
13754 
13755 		if (r0_name_len != WLAN_PMK_NAME_LEN) {
13756 			ret = -EINVAL;
13757 			goto out;
13758 		}
13759 
13760 		pmk_conf.pmk_r0_name =
13761 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
13762 	}
13763 
13764 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
13765 out:
13766 	wdev_unlock(wdev);
13767 	return ret;
13768 }
13769 
13770 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
13771 {
13772 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13773 	struct net_device *dev = info->user_ptr[1];
13774 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13775 	const u8 *aa;
13776 	int ret;
13777 
13778 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13779 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13780 		return -EOPNOTSUPP;
13781 
13782 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
13783 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
13784 		return -EOPNOTSUPP;
13785 
13786 	if (!info->attrs[NL80211_ATTR_MAC])
13787 		return -EINVAL;
13788 
13789 	wdev_lock(wdev);
13790 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
13791 	ret = rdev_del_pmk(rdev, dev, aa);
13792 	wdev_unlock(wdev);
13793 
13794 	return ret;
13795 }
13796 
13797 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
13798 {
13799 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13800 	struct net_device *dev = info->user_ptr[1];
13801 	struct cfg80211_external_auth_params params;
13802 
13803 	if (!rdev->ops->external_auth)
13804 		return -EOPNOTSUPP;
13805 
13806 	if (!info->attrs[NL80211_ATTR_SSID] &&
13807 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
13808 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
13809 		return -EINVAL;
13810 
13811 	if (!info->attrs[NL80211_ATTR_BSSID])
13812 		return -EINVAL;
13813 
13814 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
13815 		return -EINVAL;
13816 
13817 	memset(&params, 0, sizeof(params));
13818 
13819 	if (info->attrs[NL80211_ATTR_SSID]) {
13820 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13821 		if (params.ssid.ssid_len == 0 ||
13822 		    params.ssid.ssid_len > IEEE80211_MAX_SSID_LEN)
13823 			return -EINVAL;
13824 		memcpy(params.ssid.ssid,
13825 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
13826 		       params.ssid.ssid_len);
13827 	}
13828 
13829 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
13830 	       ETH_ALEN);
13831 
13832 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
13833 
13834 	if (info->attrs[NL80211_ATTR_PMKID])
13835 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
13836 
13837 	return rdev_external_auth(rdev, dev, &params);
13838 }
13839 
13840 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
13841 {
13842 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13843 	struct net_device *dev = info->user_ptr[1];
13844 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13845 	const u8 *buf;
13846 	size_t len;
13847 	u8 *dest;
13848 	u16 proto;
13849 	bool noencrypt;
13850 	int err;
13851 
13852 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
13853 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
13854 		return -EOPNOTSUPP;
13855 
13856 	if (!rdev->ops->tx_control_port)
13857 		return -EOPNOTSUPP;
13858 
13859 	if (!info->attrs[NL80211_ATTR_FRAME] ||
13860 	    !info->attrs[NL80211_ATTR_MAC] ||
13861 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
13862 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
13863 		return -EINVAL;
13864 	}
13865 
13866 	wdev_lock(wdev);
13867 
13868 	switch (wdev->iftype) {
13869 	case NL80211_IFTYPE_AP:
13870 	case NL80211_IFTYPE_P2P_GO:
13871 	case NL80211_IFTYPE_MESH_POINT:
13872 		break;
13873 	case NL80211_IFTYPE_ADHOC:
13874 	case NL80211_IFTYPE_STATION:
13875 	case NL80211_IFTYPE_P2P_CLIENT:
13876 		if (wdev->current_bss)
13877 			break;
13878 		err = -ENOTCONN;
13879 		goto out;
13880 	default:
13881 		err = -EOPNOTSUPP;
13882 		goto out;
13883 	}
13884 
13885 	wdev_unlock(wdev);
13886 
13887 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
13888 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
13889 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
13890 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
13891 	noencrypt =
13892 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
13893 
13894 	return rdev_tx_control_port(rdev, dev, buf, len,
13895 				    dest, cpu_to_be16(proto), noencrypt);
13896 
13897  out:
13898 	wdev_unlock(wdev);
13899 	return err;
13900 }
13901 
13902 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
13903 					   struct genl_info *info)
13904 {
13905 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13906 	struct net_device *dev = info->user_ptr[1];
13907 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13908 	struct cfg80211_ftm_responder_stats ftm_stats = {};
13909 	struct sk_buff *msg;
13910 	void *hdr;
13911 	struct nlattr *ftm_stats_attr;
13912 	int err;
13913 
13914 	if (wdev->iftype != NL80211_IFTYPE_AP || !wdev->beacon_interval)
13915 		return -EOPNOTSUPP;
13916 
13917 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
13918 	if (err)
13919 		return err;
13920 
13921 	if (!ftm_stats.filled)
13922 		return -ENODATA;
13923 
13924 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13925 	if (!msg)
13926 		return -ENOMEM;
13927 
13928 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13929 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
13930 	if (!hdr)
13931 		goto nla_put_failure;
13932 
13933 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
13934 		goto nla_put_failure;
13935 
13936 	ftm_stats_attr = nla_nest_start_noflag(msg,
13937 					       NL80211_ATTR_FTM_RESPONDER_STATS);
13938 	if (!ftm_stats_attr)
13939 		goto nla_put_failure;
13940 
13941 #define SET_FTM(field, name, type)					 \
13942 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
13943 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
13944 			     ftm_stats.field))				 \
13945 		goto nla_put_failure; } while (0)
13946 #define SET_FTM_U64(field, name)					 \
13947 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
13948 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
13949 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
13950 		goto nla_put_failure; } while (0)
13951 
13952 	SET_FTM(success_num, SUCCESS_NUM, u32);
13953 	SET_FTM(partial_num, PARTIAL_NUM, u32);
13954 	SET_FTM(failed_num, FAILED_NUM, u32);
13955 	SET_FTM(asap_num, ASAP_NUM, u32);
13956 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
13957 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
13958 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
13959 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
13960 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
13961 #undef SET_FTM
13962 
13963 	nla_nest_end(msg, ftm_stats_attr);
13964 
13965 	genlmsg_end(msg, hdr);
13966 	return genlmsg_reply(msg, info);
13967 
13968 nla_put_failure:
13969 	nlmsg_free(msg);
13970 	return -ENOBUFS;
13971 }
13972 
13973 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
13974 {
13975 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13976 	struct cfg80211_update_owe_info owe_info;
13977 	struct net_device *dev = info->user_ptr[1];
13978 
13979 	if (!rdev->ops->update_owe_info)
13980 		return -EOPNOTSUPP;
13981 
13982 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
13983 	    !info->attrs[NL80211_ATTR_MAC])
13984 		return -EINVAL;
13985 
13986 	memset(&owe_info, 0, sizeof(owe_info));
13987 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
13988 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
13989 
13990 	if (info->attrs[NL80211_ATTR_IE]) {
13991 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13992 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13993 	}
13994 
13995 	return rdev_update_owe_info(rdev, dev, &owe_info);
13996 }
13997 
13998 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
13999 {
14000 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14001 	struct net_device *dev = info->user_ptr[1];
14002 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14003 	struct station_info sinfo = {};
14004 	const u8 *buf;
14005 	size_t len;
14006 	u8 *dest;
14007 	int err;
14008 
14009 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
14010 		return -EOPNOTSUPP;
14011 
14012 	if (!info->attrs[NL80211_ATTR_MAC] ||
14013 	    !info->attrs[NL80211_ATTR_FRAME]) {
14014 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
14015 		return -EINVAL;
14016 	}
14017 
14018 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
14019 		return -EOPNOTSUPP;
14020 
14021 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14022 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14023 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14024 
14025 	if (len < sizeof(struct ethhdr))
14026 		return -EINVAL;
14027 
14028 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
14029 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
14030 		return -EINVAL;
14031 
14032 	err = rdev_get_station(rdev, dev, dest, &sinfo);
14033 	if (err)
14034 		return err;
14035 
14036 	cfg80211_sinfo_release_content(&sinfo);
14037 
14038 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
14039 }
14040 
14041 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
14042 			  struct nlattr *attrs[], struct net_device *dev,
14043 			  struct cfg80211_tid_cfg *tid_conf,
14044 			  struct genl_info *info, const u8 *peer)
14045 {
14046 	struct netlink_ext_ack *extack = info->extack;
14047 	u64 mask;
14048 	int err;
14049 
14050 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
14051 		return -EINVAL;
14052 
14053 	tid_conf->config_override =
14054 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
14055 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
14056 
14057 	if (tid_conf->config_override) {
14058 		if (rdev->ops->reset_tid_config) {
14059 			err = rdev_reset_tid_config(rdev, dev, peer,
14060 						    tid_conf->tids);
14061 			/* If peer is there no other configuration will be
14062 			 * allowed
14063 			 */
14064 			if (err || peer)
14065 				return err;
14066 		} else {
14067 			return -EINVAL;
14068 		}
14069 	}
14070 
14071 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
14072 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
14073 		tid_conf->noack =
14074 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
14075 	}
14076 
14077 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
14078 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
14079 		tid_conf->retry_short =
14080 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
14081 
14082 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
14083 			return -EINVAL;
14084 	}
14085 
14086 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
14087 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
14088 		tid_conf->retry_long =
14089 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
14090 
14091 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
14092 			return -EINVAL;
14093 	}
14094 
14095 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
14096 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
14097 		tid_conf->ampdu =
14098 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
14099 	}
14100 
14101 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
14102 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
14103 		tid_conf->rtscts =
14104 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
14105 	}
14106 
14107 	if (peer)
14108 		mask = rdev->wiphy.tid_config_support.peer;
14109 	else
14110 		mask = rdev->wiphy.tid_config_support.vif;
14111 
14112 	if (tid_conf->mask & ~mask) {
14113 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
14114 		return -ENOTSUPP;
14115 	}
14116 
14117 	return 0;
14118 }
14119 
14120 static int nl80211_set_tid_config(struct sk_buff *skb,
14121 				  struct genl_info *info)
14122 {
14123 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14124 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
14125 	struct net_device *dev = info->user_ptr[1];
14126 	struct cfg80211_tid_config *tid_config;
14127 	struct nlattr *tid;
14128 	int conf_idx = 0, rem_conf;
14129 	int ret = -EINVAL;
14130 	u32 num_conf = 0;
14131 
14132 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
14133 		return -EINVAL;
14134 
14135 	if (!rdev->ops->set_tid_config)
14136 		return -EOPNOTSUPP;
14137 
14138 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
14139 			    rem_conf)
14140 		num_conf++;
14141 
14142 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
14143 			     GFP_KERNEL);
14144 	if (!tid_config)
14145 		return -ENOMEM;
14146 
14147 	tid_config->n_tid_conf = num_conf;
14148 
14149 	if (info->attrs[NL80211_ATTR_MAC])
14150 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14151 
14152 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
14153 			    rem_conf) {
14154 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
14155 				       tid, NULL, NULL);
14156 
14157 		if (ret)
14158 			goto bad_tid_conf;
14159 
14160 		ret = parse_tid_conf(rdev, attrs, dev,
14161 				     &tid_config->tid_conf[conf_idx],
14162 				     info, tid_config->peer);
14163 		if (ret)
14164 			goto bad_tid_conf;
14165 
14166 		conf_idx++;
14167 	}
14168 
14169 	ret = rdev_set_tid_config(rdev, dev, tid_config);
14170 
14171 bad_tid_conf:
14172 	kfree(tid_config);
14173 	return ret;
14174 }
14175 
14176 #define NL80211_FLAG_NEED_WIPHY		0x01
14177 #define NL80211_FLAG_NEED_NETDEV	0x02
14178 #define NL80211_FLAG_NEED_RTNL		0x04
14179 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
14180 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
14181 					 NL80211_FLAG_CHECK_NETDEV_UP)
14182 #define NL80211_FLAG_NEED_WDEV		0x10
14183 /* If a netdev is associated, it must be UP, P2P must be started */
14184 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
14185 					 NL80211_FLAG_CHECK_NETDEV_UP)
14186 #define NL80211_FLAG_CLEAR_SKB		0x20
14187 
14188 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
14189 			    struct genl_info *info)
14190 {
14191 	struct cfg80211_registered_device *rdev;
14192 	struct wireless_dev *wdev;
14193 	struct net_device *dev;
14194 	bool rtnl = ops->internal_flags & NL80211_FLAG_NEED_RTNL;
14195 
14196 	if (rtnl)
14197 		rtnl_lock();
14198 
14199 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
14200 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
14201 		if (IS_ERR(rdev)) {
14202 			if (rtnl)
14203 				rtnl_unlock();
14204 			return PTR_ERR(rdev);
14205 		}
14206 		info->user_ptr[0] = rdev;
14207 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
14208 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
14209 		ASSERT_RTNL();
14210 
14211 		wdev = __cfg80211_wdev_from_attrs(genl_info_net(info),
14212 						  info->attrs);
14213 		if (IS_ERR(wdev)) {
14214 			if (rtnl)
14215 				rtnl_unlock();
14216 			return PTR_ERR(wdev);
14217 		}
14218 
14219 		dev = wdev->netdev;
14220 		rdev = wiphy_to_rdev(wdev->wiphy);
14221 
14222 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
14223 			if (!dev) {
14224 				if (rtnl)
14225 					rtnl_unlock();
14226 				return -EINVAL;
14227 			}
14228 
14229 			info->user_ptr[1] = dev;
14230 		} else {
14231 			info->user_ptr[1] = wdev;
14232 		}
14233 
14234 		if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
14235 		    !wdev_running(wdev)) {
14236 			if (rtnl)
14237 				rtnl_unlock();
14238 			return -ENETDOWN;
14239 		}
14240 
14241 		if (dev)
14242 			dev_hold(dev);
14243 
14244 		info->user_ptr[0] = rdev;
14245 	}
14246 
14247 	return 0;
14248 }
14249 
14250 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
14251 			      struct genl_info *info)
14252 {
14253 	if (info->user_ptr[1]) {
14254 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
14255 			struct wireless_dev *wdev = info->user_ptr[1];
14256 
14257 			if (wdev->netdev)
14258 				dev_put(wdev->netdev);
14259 		} else {
14260 			dev_put(info->user_ptr[1]);
14261 		}
14262 	}
14263 
14264 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
14265 		rtnl_unlock();
14266 
14267 	/* If needed, clear the netlink message payload from the SKB
14268 	 * as it might contain key data that shouldn't stick around on
14269 	 * the heap after the SKB is freed. The netlink message header
14270 	 * is still needed for further processing, so leave it intact.
14271 	 */
14272 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
14273 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
14274 
14275 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
14276 	}
14277 }
14278 
14279 static const struct genl_ops nl80211_ops[] = {
14280 	{
14281 		.cmd = NL80211_CMD_GET_WIPHY,
14282 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14283 		.doit = nl80211_get_wiphy,
14284 		.dumpit = nl80211_dump_wiphy,
14285 		.done = nl80211_dump_wiphy_done,
14286 		/* can be retrieved by unprivileged users */
14287 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14288 				  NL80211_FLAG_NEED_RTNL,
14289 	},
14290 	{
14291 		.cmd = NL80211_CMD_SET_WIPHY,
14292 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14293 		.doit = nl80211_set_wiphy,
14294 		.flags = GENL_UNS_ADMIN_PERM,
14295 		.internal_flags = NL80211_FLAG_NEED_RTNL,
14296 	},
14297 	{
14298 		.cmd = NL80211_CMD_GET_INTERFACE,
14299 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14300 		.doit = nl80211_get_interface,
14301 		.dumpit = nl80211_dump_interface,
14302 		/* can be retrieved by unprivileged users */
14303 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14304 				  NL80211_FLAG_NEED_RTNL,
14305 	},
14306 	{
14307 		.cmd = NL80211_CMD_SET_INTERFACE,
14308 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14309 		.doit = nl80211_set_interface,
14310 		.flags = GENL_UNS_ADMIN_PERM,
14311 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14312 				  NL80211_FLAG_NEED_RTNL,
14313 	},
14314 	{
14315 		.cmd = NL80211_CMD_NEW_INTERFACE,
14316 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14317 		.doit = nl80211_new_interface,
14318 		.flags = GENL_UNS_ADMIN_PERM,
14319 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14320 				  NL80211_FLAG_NEED_RTNL,
14321 	},
14322 	{
14323 		.cmd = NL80211_CMD_DEL_INTERFACE,
14324 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14325 		.doit = nl80211_del_interface,
14326 		.flags = GENL_UNS_ADMIN_PERM,
14327 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14328 				  NL80211_FLAG_NEED_RTNL,
14329 	},
14330 	{
14331 		.cmd = NL80211_CMD_GET_KEY,
14332 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14333 		.doit = nl80211_get_key,
14334 		.flags = GENL_UNS_ADMIN_PERM,
14335 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14336 				  NL80211_FLAG_NEED_RTNL,
14337 	},
14338 	{
14339 		.cmd = NL80211_CMD_SET_KEY,
14340 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14341 		.doit = nl80211_set_key,
14342 		.flags = GENL_UNS_ADMIN_PERM,
14343 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14344 				  NL80211_FLAG_NEED_RTNL |
14345 				  NL80211_FLAG_CLEAR_SKB,
14346 	},
14347 	{
14348 		.cmd = NL80211_CMD_NEW_KEY,
14349 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14350 		.doit = nl80211_new_key,
14351 		.flags = GENL_UNS_ADMIN_PERM,
14352 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14353 				  NL80211_FLAG_NEED_RTNL |
14354 				  NL80211_FLAG_CLEAR_SKB,
14355 	},
14356 	{
14357 		.cmd = NL80211_CMD_DEL_KEY,
14358 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14359 		.doit = nl80211_del_key,
14360 		.flags = GENL_UNS_ADMIN_PERM,
14361 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14362 				  NL80211_FLAG_NEED_RTNL,
14363 	},
14364 	{
14365 		.cmd = NL80211_CMD_SET_BEACON,
14366 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14367 		.flags = GENL_UNS_ADMIN_PERM,
14368 		.doit = nl80211_set_beacon,
14369 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14370 				  NL80211_FLAG_NEED_RTNL,
14371 	},
14372 	{
14373 		.cmd = NL80211_CMD_START_AP,
14374 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14375 		.flags = GENL_UNS_ADMIN_PERM,
14376 		.doit = nl80211_start_ap,
14377 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14378 				  NL80211_FLAG_NEED_RTNL,
14379 	},
14380 	{
14381 		.cmd = NL80211_CMD_STOP_AP,
14382 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14383 		.flags = GENL_UNS_ADMIN_PERM,
14384 		.doit = nl80211_stop_ap,
14385 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14386 				  NL80211_FLAG_NEED_RTNL,
14387 	},
14388 	{
14389 		.cmd = NL80211_CMD_GET_STATION,
14390 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14391 		.doit = nl80211_get_station,
14392 		.dumpit = nl80211_dump_station,
14393 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14394 				  NL80211_FLAG_NEED_RTNL,
14395 	},
14396 	{
14397 		.cmd = NL80211_CMD_SET_STATION,
14398 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14399 		.doit = nl80211_set_station,
14400 		.flags = GENL_UNS_ADMIN_PERM,
14401 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14402 				  NL80211_FLAG_NEED_RTNL,
14403 	},
14404 	{
14405 		.cmd = NL80211_CMD_NEW_STATION,
14406 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14407 		.doit = nl80211_new_station,
14408 		.flags = GENL_UNS_ADMIN_PERM,
14409 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14410 				  NL80211_FLAG_NEED_RTNL,
14411 	},
14412 	{
14413 		.cmd = NL80211_CMD_DEL_STATION,
14414 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14415 		.doit = nl80211_del_station,
14416 		.flags = GENL_UNS_ADMIN_PERM,
14417 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14418 				  NL80211_FLAG_NEED_RTNL,
14419 	},
14420 	{
14421 		.cmd = NL80211_CMD_GET_MPATH,
14422 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14423 		.doit = nl80211_get_mpath,
14424 		.dumpit = nl80211_dump_mpath,
14425 		.flags = GENL_UNS_ADMIN_PERM,
14426 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14427 				  NL80211_FLAG_NEED_RTNL,
14428 	},
14429 	{
14430 		.cmd = NL80211_CMD_GET_MPP,
14431 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14432 		.doit = nl80211_get_mpp,
14433 		.dumpit = nl80211_dump_mpp,
14434 		.flags = GENL_UNS_ADMIN_PERM,
14435 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14436 				  NL80211_FLAG_NEED_RTNL,
14437 	},
14438 	{
14439 		.cmd = NL80211_CMD_SET_MPATH,
14440 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14441 		.doit = nl80211_set_mpath,
14442 		.flags = GENL_UNS_ADMIN_PERM,
14443 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14444 				  NL80211_FLAG_NEED_RTNL,
14445 	},
14446 	{
14447 		.cmd = NL80211_CMD_NEW_MPATH,
14448 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14449 		.doit = nl80211_new_mpath,
14450 		.flags = GENL_UNS_ADMIN_PERM,
14451 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14452 				  NL80211_FLAG_NEED_RTNL,
14453 	},
14454 	{
14455 		.cmd = NL80211_CMD_DEL_MPATH,
14456 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14457 		.doit = nl80211_del_mpath,
14458 		.flags = GENL_UNS_ADMIN_PERM,
14459 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14460 				  NL80211_FLAG_NEED_RTNL,
14461 	},
14462 	{
14463 		.cmd = NL80211_CMD_SET_BSS,
14464 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14465 		.doit = nl80211_set_bss,
14466 		.flags = GENL_UNS_ADMIN_PERM,
14467 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14468 				  NL80211_FLAG_NEED_RTNL,
14469 	},
14470 	{
14471 		.cmd = NL80211_CMD_GET_REG,
14472 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14473 		.doit = nl80211_get_reg_do,
14474 		.dumpit = nl80211_get_reg_dump,
14475 		.internal_flags = NL80211_FLAG_NEED_RTNL,
14476 		/* can be retrieved by unprivileged users */
14477 	},
14478 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
14479 	{
14480 		.cmd = NL80211_CMD_SET_REG,
14481 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14482 		.doit = nl80211_set_reg,
14483 		.flags = GENL_ADMIN_PERM,
14484 		.internal_flags = NL80211_FLAG_NEED_RTNL,
14485 	},
14486 #endif
14487 	{
14488 		.cmd = NL80211_CMD_REQ_SET_REG,
14489 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14490 		.doit = nl80211_req_set_reg,
14491 		.flags = GENL_ADMIN_PERM,
14492 	},
14493 	{
14494 		.cmd = NL80211_CMD_RELOAD_REGDB,
14495 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14496 		.doit = nl80211_reload_regdb,
14497 		.flags = GENL_ADMIN_PERM,
14498 	},
14499 	{
14500 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
14501 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14502 		.doit = nl80211_get_mesh_config,
14503 		/* can be retrieved by unprivileged users */
14504 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14505 				  NL80211_FLAG_NEED_RTNL,
14506 	},
14507 	{
14508 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
14509 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14510 		.doit = nl80211_update_mesh_config,
14511 		.flags = GENL_UNS_ADMIN_PERM,
14512 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14513 				  NL80211_FLAG_NEED_RTNL,
14514 	},
14515 	{
14516 		.cmd = NL80211_CMD_TRIGGER_SCAN,
14517 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14518 		.doit = nl80211_trigger_scan,
14519 		.flags = GENL_UNS_ADMIN_PERM,
14520 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14521 				  NL80211_FLAG_NEED_RTNL,
14522 	},
14523 	{
14524 		.cmd = NL80211_CMD_ABORT_SCAN,
14525 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14526 		.doit = nl80211_abort_scan,
14527 		.flags = GENL_UNS_ADMIN_PERM,
14528 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14529 				  NL80211_FLAG_NEED_RTNL,
14530 	},
14531 	{
14532 		.cmd = NL80211_CMD_GET_SCAN,
14533 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14534 		.dumpit = nl80211_dump_scan,
14535 	},
14536 	{
14537 		.cmd = NL80211_CMD_START_SCHED_SCAN,
14538 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14539 		.doit = nl80211_start_sched_scan,
14540 		.flags = GENL_UNS_ADMIN_PERM,
14541 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14542 				  NL80211_FLAG_NEED_RTNL,
14543 	},
14544 	{
14545 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
14546 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14547 		.doit = nl80211_stop_sched_scan,
14548 		.flags = GENL_UNS_ADMIN_PERM,
14549 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14550 				  NL80211_FLAG_NEED_RTNL,
14551 	},
14552 	{
14553 		.cmd = NL80211_CMD_AUTHENTICATE,
14554 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14555 		.doit = nl80211_authenticate,
14556 		.flags = GENL_UNS_ADMIN_PERM,
14557 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14558 				  NL80211_FLAG_NEED_RTNL |
14559 				  NL80211_FLAG_CLEAR_SKB,
14560 	},
14561 	{
14562 		.cmd = NL80211_CMD_ASSOCIATE,
14563 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14564 		.doit = nl80211_associate,
14565 		.flags = GENL_UNS_ADMIN_PERM,
14566 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14567 				  NL80211_FLAG_NEED_RTNL |
14568 				  NL80211_FLAG_CLEAR_SKB,
14569 	},
14570 	{
14571 		.cmd = NL80211_CMD_DEAUTHENTICATE,
14572 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14573 		.doit = nl80211_deauthenticate,
14574 		.flags = GENL_UNS_ADMIN_PERM,
14575 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14576 				  NL80211_FLAG_NEED_RTNL,
14577 	},
14578 	{
14579 		.cmd = NL80211_CMD_DISASSOCIATE,
14580 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14581 		.doit = nl80211_disassociate,
14582 		.flags = GENL_UNS_ADMIN_PERM,
14583 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14584 				  NL80211_FLAG_NEED_RTNL,
14585 	},
14586 	{
14587 		.cmd = NL80211_CMD_JOIN_IBSS,
14588 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14589 		.doit = nl80211_join_ibss,
14590 		.flags = GENL_UNS_ADMIN_PERM,
14591 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14592 				  NL80211_FLAG_NEED_RTNL,
14593 	},
14594 	{
14595 		.cmd = NL80211_CMD_LEAVE_IBSS,
14596 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14597 		.doit = nl80211_leave_ibss,
14598 		.flags = GENL_UNS_ADMIN_PERM,
14599 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14600 				  NL80211_FLAG_NEED_RTNL,
14601 	},
14602 #ifdef CONFIG_NL80211_TESTMODE
14603 	{
14604 		.cmd = NL80211_CMD_TESTMODE,
14605 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14606 		.doit = nl80211_testmode_do,
14607 		.dumpit = nl80211_testmode_dump,
14608 		.flags = GENL_UNS_ADMIN_PERM,
14609 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14610 				  NL80211_FLAG_NEED_RTNL,
14611 	},
14612 #endif
14613 	{
14614 		.cmd = NL80211_CMD_CONNECT,
14615 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14616 		.doit = nl80211_connect,
14617 		.flags = GENL_UNS_ADMIN_PERM,
14618 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14619 				  NL80211_FLAG_NEED_RTNL |
14620 				  NL80211_FLAG_CLEAR_SKB,
14621 	},
14622 	{
14623 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
14624 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14625 		.doit = nl80211_update_connect_params,
14626 		.flags = GENL_ADMIN_PERM,
14627 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14628 				  NL80211_FLAG_NEED_RTNL |
14629 				  NL80211_FLAG_CLEAR_SKB,
14630 	},
14631 	{
14632 		.cmd = NL80211_CMD_DISCONNECT,
14633 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14634 		.doit = nl80211_disconnect,
14635 		.flags = GENL_UNS_ADMIN_PERM,
14636 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14637 				  NL80211_FLAG_NEED_RTNL,
14638 	},
14639 	{
14640 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
14641 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14642 		.doit = nl80211_wiphy_netns,
14643 		.flags = GENL_UNS_ADMIN_PERM,
14644 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14645 				  NL80211_FLAG_NEED_RTNL,
14646 	},
14647 	{
14648 		.cmd = NL80211_CMD_GET_SURVEY,
14649 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14650 		.dumpit = nl80211_dump_survey,
14651 	},
14652 	{
14653 		.cmd = NL80211_CMD_SET_PMKSA,
14654 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14655 		.doit = nl80211_setdel_pmksa,
14656 		.flags = GENL_UNS_ADMIN_PERM,
14657 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14658 				  NL80211_FLAG_NEED_RTNL |
14659 				  NL80211_FLAG_CLEAR_SKB,
14660 	},
14661 	{
14662 		.cmd = NL80211_CMD_DEL_PMKSA,
14663 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14664 		.doit = nl80211_setdel_pmksa,
14665 		.flags = GENL_UNS_ADMIN_PERM,
14666 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14667 				  NL80211_FLAG_NEED_RTNL,
14668 	},
14669 	{
14670 		.cmd = NL80211_CMD_FLUSH_PMKSA,
14671 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14672 		.doit = nl80211_flush_pmksa,
14673 		.flags = GENL_UNS_ADMIN_PERM,
14674 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14675 				  NL80211_FLAG_NEED_RTNL,
14676 	},
14677 	{
14678 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
14679 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14680 		.doit = nl80211_remain_on_channel,
14681 		.flags = GENL_UNS_ADMIN_PERM,
14682 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14683 				  NL80211_FLAG_NEED_RTNL,
14684 	},
14685 	{
14686 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
14687 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14688 		.doit = nl80211_cancel_remain_on_channel,
14689 		.flags = GENL_UNS_ADMIN_PERM,
14690 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14691 				  NL80211_FLAG_NEED_RTNL,
14692 	},
14693 	{
14694 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
14695 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14696 		.doit = nl80211_set_tx_bitrate_mask,
14697 		.flags = GENL_UNS_ADMIN_PERM,
14698 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14699 				  NL80211_FLAG_NEED_RTNL,
14700 	},
14701 	{
14702 		.cmd = NL80211_CMD_REGISTER_FRAME,
14703 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14704 		.doit = nl80211_register_mgmt,
14705 		.flags = GENL_UNS_ADMIN_PERM,
14706 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14707 				  NL80211_FLAG_NEED_RTNL,
14708 	},
14709 	{
14710 		.cmd = NL80211_CMD_FRAME,
14711 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14712 		.doit = nl80211_tx_mgmt,
14713 		.flags = GENL_UNS_ADMIN_PERM,
14714 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14715 				  NL80211_FLAG_NEED_RTNL,
14716 	},
14717 	{
14718 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
14719 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14720 		.doit = nl80211_tx_mgmt_cancel_wait,
14721 		.flags = GENL_UNS_ADMIN_PERM,
14722 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14723 				  NL80211_FLAG_NEED_RTNL,
14724 	},
14725 	{
14726 		.cmd = NL80211_CMD_SET_POWER_SAVE,
14727 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14728 		.doit = nl80211_set_power_save,
14729 		.flags = GENL_UNS_ADMIN_PERM,
14730 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14731 				  NL80211_FLAG_NEED_RTNL,
14732 	},
14733 	{
14734 		.cmd = NL80211_CMD_GET_POWER_SAVE,
14735 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14736 		.doit = nl80211_get_power_save,
14737 		/* can be retrieved by unprivileged users */
14738 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14739 				  NL80211_FLAG_NEED_RTNL,
14740 	},
14741 	{
14742 		.cmd = NL80211_CMD_SET_CQM,
14743 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14744 		.doit = nl80211_set_cqm,
14745 		.flags = GENL_UNS_ADMIN_PERM,
14746 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14747 				  NL80211_FLAG_NEED_RTNL,
14748 	},
14749 	{
14750 		.cmd = NL80211_CMD_SET_CHANNEL,
14751 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14752 		.doit = nl80211_set_channel,
14753 		.flags = GENL_UNS_ADMIN_PERM,
14754 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14755 				  NL80211_FLAG_NEED_RTNL,
14756 	},
14757 	{
14758 		.cmd = NL80211_CMD_SET_WDS_PEER,
14759 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14760 		.doit = nl80211_set_wds_peer,
14761 		.flags = GENL_UNS_ADMIN_PERM,
14762 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14763 				  NL80211_FLAG_NEED_RTNL,
14764 	},
14765 	{
14766 		.cmd = NL80211_CMD_JOIN_MESH,
14767 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14768 		.doit = nl80211_join_mesh,
14769 		.flags = GENL_UNS_ADMIN_PERM,
14770 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14771 				  NL80211_FLAG_NEED_RTNL,
14772 	},
14773 	{
14774 		.cmd = NL80211_CMD_LEAVE_MESH,
14775 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14776 		.doit = nl80211_leave_mesh,
14777 		.flags = GENL_UNS_ADMIN_PERM,
14778 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14779 				  NL80211_FLAG_NEED_RTNL,
14780 	},
14781 	{
14782 		.cmd = NL80211_CMD_JOIN_OCB,
14783 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14784 		.doit = nl80211_join_ocb,
14785 		.flags = GENL_UNS_ADMIN_PERM,
14786 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14787 				  NL80211_FLAG_NEED_RTNL,
14788 	},
14789 	{
14790 		.cmd = NL80211_CMD_LEAVE_OCB,
14791 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14792 		.doit = nl80211_leave_ocb,
14793 		.flags = GENL_UNS_ADMIN_PERM,
14794 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14795 				  NL80211_FLAG_NEED_RTNL,
14796 	},
14797 #ifdef CONFIG_PM
14798 	{
14799 		.cmd = NL80211_CMD_GET_WOWLAN,
14800 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14801 		.doit = nl80211_get_wowlan,
14802 		/* can be retrieved by unprivileged users */
14803 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14804 				  NL80211_FLAG_NEED_RTNL,
14805 	},
14806 	{
14807 		.cmd = NL80211_CMD_SET_WOWLAN,
14808 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14809 		.doit = nl80211_set_wowlan,
14810 		.flags = GENL_UNS_ADMIN_PERM,
14811 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14812 				  NL80211_FLAG_NEED_RTNL,
14813 	},
14814 #endif
14815 	{
14816 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
14817 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14818 		.doit = nl80211_set_rekey_data,
14819 		.flags = GENL_UNS_ADMIN_PERM,
14820 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14821 				  NL80211_FLAG_NEED_RTNL |
14822 				  NL80211_FLAG_CLEAR_SKB,
14823 	},
14824 	{
14825 		.cmd = NL80211_CMD_TDLS_MGMT,
14826 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14827 		.doit = nl80211_tdls_mgmt,
14828 		.flags = GENL_UNS_ADMIN_PERM,
14829 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14830 				  NL80211_FLAG_NEED_RTNL,
14831 	},
14832 	{
14833 		.cmd = NL80211_CMD_TDLS_OPER,
14834 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14835 		.doit = nl80211_tdls_oper,
14836 		.flags = GENL_UNS_ADMIN_PERM,
14837 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14838 				  NL80211_FLAG_NEED_RTNL,
14839 	},
14840 	{
14841 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
14842 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14843 		.doit = nl80211_register_unexpected_frame,
14844 		.flags = GENL_UNS_ADMIN_PERM,
14845 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14846 				  NL80211_FLAG_NEED_RTNL,
14847 	},
14848 	{
14849 		.cmd = NL80211_CMD_PROBE_CLIENT,
14850 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14851 		.doit = nl80211_probe_client,
14852 		.flags = GENL_UNS_ADMIN_PERM,
14853 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14854 				  NL80211_FLAG_NEED_RTNL,
14855 	},
14856 	{
14857 		.cmd = NL80211_CMD_REGISTER_BEACONS,
14858 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14859 		.doit = nl80211_register_beacons,
14860 		.flags = GENL_UNS_ADMIN_PERM,
14861 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14862 				  NL80211_FLAG_NEED_RTNL,
14863 	},
14864 	{
14865 		.cmd = NL80211_CMD_SET_NOACK_MAP,
14866 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14867 		.doit = nl80211_set_noack_map,
14868 		.flags = GENL_UNS_ADMIN_PERM,
14869 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14870 				  NL80211_FLAG_NEED_RTNL,
14871 	},
14872 	{
14873 		.cmd = NL80211_CMD_START_P2P_DEVICE,
14874 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14875 		.doit = nl80211_start_p2p_device,
14876 		.flags = GENL_UNS_ADMIN_PERM,
14877 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14878 				  NL80211_FLAG_NEED_RTNL,
14879 	},
14880 	{
14881 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
14882 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14883 		.doit = nl80211_stop_p2p_device,
14884 		.flags = GENL_UNS_ADMIN_PERM,
14885 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14886 				  NL80211_FLAG_NEED_RTNL,
14887 	},
14888 	{
14889 		.cmd = NL80211_CMD_START_NAN,
14890 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14891 		.doit = nl80211_start_nan,
14892 		.flags = GENL_ADMIN_PERM,
14893 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14894 				  NL80211_FLAG_NEED_RTNL,
14895 	},
14896 	{
14897 		.cmd = NL80211_CMD_STOP_NAN,
14898 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14899 		.doit = nl80211_stop_nan,
14900 		.flags = GENL_ADMIN_PERM,
14901 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14902 				  NL80211_FLAG_NEED_RTNL,
14903 	},
14904 	{
14905 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
14906 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14907 		.doit = nl80211_nan_add_func,
14908 		.flags = GENL_ADMIN_PERM,
14909 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14910 				  NL80211_FLAG_NEED_RTNL,
14911 	},
14912 	{
14913 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
14914 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14915 		.doit = nl80211_nan_del_func,
14916 		.flags = GENL_ADMIN_PERM,
14917 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14918 				  NL80211_FLAG_NEED_RTNL,
14919 	},
14920 	{
14921 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
14922 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14923 		.doit = nl80211_nan_change_config,
14924 		.flags = GENL_ADMIN_PERM,
14925 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14926 				  NL80211_FLAG_NEED_RTNL,
14927 	},
14928 	{
14929 		.cmd = NL80211_CMD_SET_MCAST_RATE,
14930 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14931 		.doit = nl80211_set_mcast_rate,
14932 		.flags = GENL_UNS_ADMIN_PERM,
14933 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14934 				  NL80211_FLAG_NEED_RTNL,
14935 	},
14936 	{
14937 		.cmd = NL80211_CMD_SET_MAC_ACL,
14938 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14939 		.doit = nl80211_set_mac_acl,
14940 		.flags = GENL_UNS_ADMIN_PERM,
14941 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14942 				  NL80211_FLAG_NEED_RTNL,
14943 	},
14944 	{
14945 		.cmd = NL80211_CMD_RADAR_DETECT,
14946 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14947 		.doit = nl80211_start_radar_detection,
14948 		.flags = GENL_UNS_ADMIN_PERM,
14949 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14950 				  NL80211_FLAG_NEED_RTNL,
14951 	},
14952 	{
14953 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
14954 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14955 		.doit = nl80211_get_protocol_features,
14956 	},
14957 	{
14958 		.cmd = NL80211_CMD_UPDATE_FT_IES,
14959 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14960 		.doit = nl80211_update_ft_ies,
14961 		.flags = GENL_UNS_ADMIN_PERM,
14962 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14963 				  NL80211_FLAG_NEED_RTNL,
14964 	},
14965 	{
14966 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
14967 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14968 		.doit = nl80211_crit_protocol_start,
14969 		.flags = GENL_UNS_ADMIN_PERM,
14970 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14971 				  NL80211_FLAG_NEED_RTNL,
14972 	},
14973 	{
14974 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
14975 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14976 		.doit = nl80211_crit_protocol_stop,
14977 		.flags = GENL_UNS_ADMIN_PERM,
14978 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14979 				  NL80211_FLAG_NEED_RTNL,
14980 	},
14981 	{
14982 		.cmd = NL80211_CMD_GET_COALESCE,
14983 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14984 		.doit = nl80211_get_coalesce,
14985 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14986 				  NL80211_FLAG_NEED_RTNL,
14987 	},
14988 	{
14989 		.cmd = NL80211_CMD_SET_COALESCE,
14990 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14991 		.doit = nl80211_set_coalesce,
14992 		.flags = GENL_UNS_ADMIN_PERM,
14993 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14994 				  NL80211_FLAG_NEED_RTNL,
14995 	},
14996 	{
14997 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
14998 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14999 		.doit = nl80211_channel_switch,
15000 		.flags = GENL_UNS_ADMIN_PERM,
15001 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15002 				  NL80211_FLAG_NEED_RTNL,
15003 	},
15004 	{
15005 		.cmd = NL80211_CMD_VENDOR,
15006 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15007 		.doit = nl80211_vendor_cmd,
15008 		.dumpit = nl80211_vendor_cmd_dump,
15009 		.flags = GENL_UNS_ADMIN_PERM,
15010 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15011 				  NL80211_FLAG_NEED_RTNL |
15012 				  NL80211_FLAG_CLEAR_SKB,
15013 	},
15014 	{
15015 		.cmd = NL80211_CMD_SET_QOS_MAP,
15016 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15017 		.doit = nl80211_set_qos_map,
15018 		.flags = GENL_UNS_ADMIN_PERM,
15019 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15020 				  NL80211_FLAG_NEED_RTNL,
15021 	},
15022 	{
15023 		.cmd = NL80211_CMD_ADD_TX_TS,
15024 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15025 		.doit = nl80211_add_tx_ts,
15026 		.flags = GENL_UNS_ADMIN_PERM,
15027 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15028 				  NL80211_FLAG_NEED_RTNL,
15029 	},
15030 	{
15031 		.cmd = NL80211_CMD_DEL_TX_TS,
15032 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15033 		.doit = nl80211_del_tx_ts,
15034 		.flags = GENL_UNS_ADMIN_PERM,
15035 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15036 				  NL80211_FLAG_NEED_RTNL,
15037 	},
15038 	{
15039 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
15040 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15041 		.doit = nl80211_tdls_channel_switch,
15042 		.flags = GENL_UNS_ADMIN_PERM,
15043 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15044 				  NL80211_FLAG_NEED_RTNL,
15045 	},
15046 	{
15047 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
15048 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15049 		.doit = nl80211_tdls_cancel_channel_switch,
15050 		.flags = GENL_UNS_ADMIN_PERM,
15051 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15052 				  NL80211_FLAG_NEED_RTNL,
15053 	},
15054 	{
15055 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
15056 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15057 		.doit = nl80211_set_multicast_to_unicast,
15058 		.flags = GENL_UNS_ADMIN_PERM,
15059 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15060 				  NL80211_FLAG_NEED_RTNL,
15061 	},
15062 	{
15063 		.cmd = NL80211_CMD_SET_PMK,
15064 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15065 		.doit = nl80211_set_pmk,
15066 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15067 				  NL80211_FLAG_NEED_RTNL |
15068 				  NL80211_FLAG_CLEAR_SKB,
15069 	},
15070 	{
15071 		.cmd = NL80211_CMD_DEL_PMK,
15072 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15073 		.doit = nl80211_del_pmk,
15074 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15075 				  NL80211_FLAG_NEED_RTNL,
15076 	},
15077 	{
15078 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
15079 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15080 		.doit = nl80211_external_auth,
15081 		.flags = GENL_ADMIN_PERM,
15082 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15083 				  NL80211_FLAG_NEED_RTNL,
15084 	},
15085 	{
15086 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
15087 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15088 		.doit = nl80211_tx_control_port,
15089 		.flags = GENL_UNS_ADMIN_PERM,
15090 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15091 				  NL80211_FLAG_NEED_RTNL,
15092 	},
15093 	{
15094 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
15095 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15096 		.doit = nl80211_get_ftm_responder_stats,
15097 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15098 				  NL80211_FLAG_NEED_RTNL,
15099 	},
15100 	{
15101 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
15102 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15103 		.doit = nl80211_pmsr_start,
15104 		.flags = GENL_UNS_ADMIN_PERM,
15105 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15106 				  NL80211_FLAG_NEED_RTNL,
15107 	},
15108 	{
15109 		.cmd = NL80211_CMD_NOTIFY_RADAR,
15110 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15111 		.doit = nl80211_notify_radar_detection,
15112 		.flags = GENL_UNS_ADMIN_PERM,
15113 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15114 				  NL80211_FLAG_NEED_RTNL,
15115 	},
15116 	{
15117 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
15118 		.doit = nl80211_update_owe_info,
15119 		.flags = GENL_ADMIN_PERM,
15120 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15121 				  NL80211_FLAG_NEED_RTNL,
15122 	},
15123 	{
15124 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
15125 		.doit = nl80211_probe_mesh_link,
15126 		.flags = GENL_UNS_ADMIN_PERM,
15127 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15128 				  NL80211_FLAG_NEED_RTNL,
15129 	},
15130 	{
15131 		.cmd = NL80211_CMD_SET_TID_CONFIG,
15132 		.doit = nl80211_set_tid_config,
15133 		.flags = GENL_UNS_ADMIN_PERM,
15134 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15135 				  NL80211_FLAG_NEED_RTNL,
15136 	},
15137 };
15138 
15139 static struct genl_family nl80211_fam __ro_after_init = {
15140 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
15141 	.hdrsize = 0,			/* no private header */
15142 	.version = 1,			/* no particular meaning now */
15143 	.maxattr = NL80211_ATTR_MAX,
15144 	.policy = nl80211_policy,
15145 	.netnsok = true,
15146 	.pre_doit = nl80211_pre_doit,
15147 	.post_doit = nl80211_post_doit,
15148 	.module = THIS_MODULE,
15149 	.ops = nl80211_ops,
15150 	.n_ops = ARRAY_SIZE(nl80211_ops),
15151 	.mcgrps = nl80211_mcgrps,
15152 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
15153 	.parallel_ops = true,
15154 };
15155 
15156 /* notification functions */
15157 
15158 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
15159 			  enum nl80211_commands cmd)
15160 {
15161 	struct sk_buff *msg;
15162 	struct nl80211_dump_wiphy_state state = {};
15163 
15164 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
15165 		cmd != NL80211_CMD_DEL_WIPHY);
15166 
15167 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15168 	if (!msg)
15169 		return;
15170 
15171 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
15172 		nlmsg_free(msg);
15173 		return;
15174 	}
15175 
15176 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15177 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
15178 }
15179 
15180 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
15181 				struct wireless_dev *wdev,
15182 				enum nl80211_commands cmd)
15183 {
15184 	struct sk_buff *msg;
15185 
15186 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15187 	if (!msg)
15188 		return;
15189 
15190 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
15191 		nlmsg_free(msg);
15192 		return;
15193 	}
15194 
15195 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15196 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
15197 }
15198 
15199 static int nl80211_add_scan_req(struct sk_buff *msg,
15200 				struct cfg80211_registered_device *rdev)
15201 {
15202 	struct cfg80211_scan_request *req = rdev->scan_req;
15203 	struct nlattr *nest;
15204 	int i;
15205 
15206 	if (WARN_ON(!req))
15207 		return 0;
15208 
15209 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
15210 	if (!nest)
15211 		goto nla_put_failure;
15212 	for (i = 0; i < req->n_ssids; i++) {
15213 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
15214 			goto nla_put_failure;
15215 	}
15216 	nla_nest_end(msg, nest);
15217 
15218 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
15219 	if (!nest)
15220 		goto nla_put_failure;
15221 	for (i = 0; i < req->n_channels; i++) {
15222 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
15223 			goto nla_put_failure;
15224 	}
15225 	nla_nest_end(msg, nest);
15226 
15227 	if (req->ie &&
15228 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
15229 		goto nla_put_failure;
15230 
15231 	if (req->flags &&
15232 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
15233 		goto nla_put_failure;
15234 
15235 	if (req->info.scan_start_tsf &&
15236 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
15237 			       req->info.scan_start_tsf, NL80211_BSS_PAD) ||
15238 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
15239 		     req->info.tsf_bssid)))
15240 		goto nla_put_failure;
15241 
15242 	return 0;
15243  nla_put_failure:
15244 	return -ENOBUFS;
15245 }
15246 
15247 static int nl80211_prep_scan_msg(struct sk_buff *msg,
15248 				 struct cfg80211_registered_device *rdev,
15249 				 struct wireless_dev *wdev,
15250 				 u32 portid, u32 seq, int flags,
15251 				 u32 cmd)
15252 {
15253 	void *hdr;
15254 
15255 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
15256 	if (!hdr)
15257 		return -1;
15258 
15259 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15260 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15261 					 wdev->netdev->ifindex)) ||
15262 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15263 			      NL80211_ATTR_PAD))
15264 		goto nla_put_failure;
15265 
15266 	/* ignore errors and send incomplete event anyway */
15267 	nl80211_add_scan_req(msg, rdev);
15268 
15269 	genlmsg_end(msg, hdr);
15270 	return 0;
15271 
15272  nla_put_failure:
15273 	genlmsg_cancel(msg, hdr);
15274 	return -EMSGSIZE;
15275 }
15276 
15277 static int
15278 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
15279 			    struct cfg80211_sched_scan_request *req, u32 cmd)
15280 {
15281 	void *hdr;
15282 
15283 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15284 	if (!hdr)
15285 		return -1;
15286 
15287 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
15288 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
15289 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
15290 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
15291 			      NL80211_ATTR_PAD))
15292 		goto nla_put_failure;
15293 
15294 	genlmsg_end(msg, hdr);
15295 	return 0;
15296 
15297  nla_put_failure:
15298 	genlmsg_cancel(msg, hdr);
15299 	return -EMSGSIZE;
15300 }
15301 
15302 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
15303 			     struct wireless_dev *wdev)
15304 {
15305 	struct sk_buff *msg;
15306 
15307 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15308 	if (!msg)
15309 		return;
15310 
15311 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
15312 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
15313 		nlmsg_free(msg);
15314 		return;
15315 	}
15316 
15317 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15318 				NL80211_MCGRP_SCAN, GFP_KERNEL);
15319 }
15320 
15321 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
15322 				       struct wireless_dev *wdev, bool aborted)
15323 {
15324 	struct sk_buff *msg;
15325 
15326 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15327 	if (!msg)
15328 		return NULL;
15329 
15330 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
15331 				  aborted ? NL80211_CMD_SCAN_ABORTED :
15332 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
15333 		nlmsg_free(msg);
15334 		return NULL;
15335 	}
15336 
15337 	return msg;
15338 }
15339 
15340 /* send message created by nl80211_build_scan_msg() */
15341 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
15342 			   struct sk_buff *msg)
15343 {
15344 	if (!msg)
15345 		return;
15346 
15347 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15348 				NL80211_MCGRP_SCAN, GFP_KERNEL);
15349 }
15350 
15351 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
15352 {
15353 	struct sk_buff *msg;
15354 
15355 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15356 	if (!msg)
15357 		return;
15358 
15359 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
15360 		nlmsg_free(msg);
15361 		return;
15362 	}
15363 
15364 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
15365 				NL80211_MCGRP_SCAN, GFP_KERNEL);
15366 }
15367 
15368 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
15369 					  struct regulatory_request *request)
15370 {
15371 	/* Userspace can always count this one always being set */
15372 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
15373 		goto nla_put_failure;
15374 
15375 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
15376 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
15377 			       NL80211_REGDOM_TYPE_WORLD))
15378 			goto nla_put_failure;
15379 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
15380 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
15381 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
15382 			goto nla_put_failure;
15383 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
15384 		   request->intersect) {
15385 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
15386 			       NL80211_REGDOM_TYPE_INTERSECTION))
15387 			goto nla_put_failure;
15388 	} else {
15389 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
15390 			       NL80211_REGDOM_TYPE_COUNTRY) ||
15391 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
15392 				   request->alpha2))
15393 			goto nla_put_failure;
15394 	}
15395 
15396 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
15397 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
15398 
15399 		if (wiphy &&
15400 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
15401 			goto nla_put_failure;
15402 
15403 		if (wiphy &&
15404 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
15405 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
15406 			goto nla_put_failure;
15407 	}
15408 
15409 	return true;
15410 
15411 nla_put_failure:
15412 	return false;
15413 }
15414 
15415 /*
15416  * This can happen on global regulatory changes or device specific settings
15417  * based on custom regulatory domains.
15418  */
15419 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
15420 				     struct regulatory_request *request)
15421 {
15422 	struct sk_buff *msg;
15423 	void *hdr;
15424 
15425 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15426 	if (!msg)
15427 		return;
15428 
15429 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
15430 	if (!hdr)
15431 		goto nla_put_failure;
15432 
15433 	if (!nl80211_reg_change_event_fill(msg, request))
15434 		goto nla_put_failure;
15435 
15436 	genlmsg_end(msg, hdr);
15437 
15438 	rcu_read_lock();
15439 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
15440 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
15441 	rcu_read_unlock();
15442 
15443 	return;
15444 
15445 nla_put_failure:
15446 	nlmsg_free(msg);
15447 }
15448 
15449 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
15450 				    struct net_device *netdev,
15451 				    const u8 *buf, size_t len,
15452 				    enum nl80211_commands cmd, gfp_t gfp,
15453 				    int uapsd_queues, const u8 *req_ies,
15454 				    size_t req_ies_len)
15455 {
15456 	struct sk_buff *msg;
15457 	void *hdr;
15458 
15459 	msg = nlmsg_new(100 + len + req_ies_len, gfp);
15460 	if (!msg)
15461 		return;
15462 
15463 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15464 	if (!hdr) {
15465 		nlmsg_free(msg);
15466 		return;
15467 	}
15468 
15469 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15470 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15471 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
15472 	    (req_ies &&
15473 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
15474 		goto nla_put_failure;
15475 
15476 	if (uapsd_queues >= 0) {
15477 		struct nlattr *nla_wmm =
15478 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
15479 		if (!nla_wmm)
15480 			goto nla_put_failure;
15481 
15482 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
15483 			       uapsd_queues))
15484 			goto nla_put_failure;
15485 
15486 		nla_nest_end(msg, nla_wmm);
15487 	}
15488 
15489 	genlmsg_end(msg, hdr);
15490 
15491 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15492 				NL80211_MCGRP_MLME, gfp);
15493 	return;
15494 
15495  nla_put_failure:
15496 	nlmsg_free(msg);
15497 }
15498 
15499 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
15500 			  struct net_device *netdev, const u8 *buf,
15501 			  size_t len, gfp_t gfp)
15502 {
15503 	nl80211_send_mlme_event(rdev, netdev, buf, len,
15504 				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0);
15505 }
15506 
15507 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
15508 			   struct net_device *netdev, const u8 *buf,
15509 			   size_t len, gfp_t gfp, int uapsd_queues,
15510 			   const u8 *req_ies, size_t req_ies_len)
15511 {
15512 	nl80211_send_mlme_event(rdev, netdev, buf, len,
15513 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues,
15514 				req_ies, req_ies_len);
15515 }
15516 
15517 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
15518 			 struct net_device *netdev, const u8 *buf,
15519 			 size_t len, gfp_t gfp)
15520 {
15521 	nl80211_send_mlme_event(rdev, netdev, buf, len,
15522 				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0);
15523 }
15524 
15525 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
15526 			   struct net_device *netdev, const u8 *buf,
15527 			   size_t len, gfp_t gfp)
15528 {
15529 	nl80211_send_mlme_event(rdev, netdev, buf, len,
15530 				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0);
15531 }
15532 
15533 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
15534 				  size_t len)
15535 {
15536 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15537 	struct wiphy *wiphy = wdev->wiphy;
15538 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15539 	const struct ieee80211_mgmt *mgmt = (void *)buf;
15540 	u32 cmd;
15541 
15542 	if (WARN_ON(len < 2))
15543 		return;
15544 
15545 	if (ieee80211_is_deauth(mgmt->frame_control))
15546 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
15547 	else
15548 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
15549 
15550 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
15551 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
15552 				NULL, 0);
15553 }
15554 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
15555 
15556 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
15557 				      struct net_device *netdev, int cmd,
15558 				      const u8 *addr, gfp_t gfp)
15559 {
15560 	struct sk_buff *msg;
15561 	void *hdr;
15562 
15563 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15564 	if (!msg)
15565 		return;
15566 
15567 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15568 	if (!hdr) {
15569 		nlmsg_free(msg);
15570 		return;
15571 	}
15572 
15573 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15574 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15575 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
15576 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
15577 		goto nla_put_failure;
15578 
15579 	genlmsg_end(msg, hdr);
15580 
15581 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15582 				NL80211_MCGRP_MLME, gfp);
15583 	return;
15584 
15585  nla_put_failure:
15586 	nlmsg_free(msg);
15587 }
15588 
15589 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
15590 			       struct net_device *netdev, const u8 *addr,
15591 			       gfp_t gfp)
15592 {
15593 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
15594 				  addr, gfp);
15595 }
15596 
15597 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
15598 				struct net_device *netdev, const u8 *addr,
15599 				gfp_t gfp)
15600 {
15601 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
15602 				  addr, gfp);
15603 }
15604 
15605 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
15606 				 struct net_device *netdev,
15607 				 struct cfg80211_connect_resp_params *cr,
15608 				 gfp_t gfp)
15609 {
15610 	struct sk_buff *msg;
15611 	void *hdr;
15612 
15613 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
15614 			cr->fils.kek_len + cr->fils.pmk_len +
15615 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
15616 	if (!msg)
15617 		return;
15618 
15619 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
15620 	if (!hdr) {
15621 		nlmsg_free(msg);
15622 		return;
15623 	}
15624 
15625 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15626 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15627 	    (cr->bssid &&
15628 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cr->bssid)) ||
15629 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
15630 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
15631 			cr->status) ||
15632 	    (cr->status < 0 &&
15633 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
15634 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
15635 			  cr->timeout_reason))) ||
15636 	    (cr->req_ie &&
15637 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
15638 	    (cr->resp_ie &&
15639 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
15640 		     cr->resp_ie)) ||
15641 	    (cr->fils.update_erp_next_seq_num &&
15642 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
15643 			 cr->fils.erp_next_seq_num)) ||
15644 	    (cr->status == WLAN_STATUS_SUCCESS &&
15645 	     ((cr->fils.kek &&
15646 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
15647 		       cr->fils.kek)) ||
15648 	      (cr->fils.pmk &&
15649 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
15650 	      (cr->fils.pmkid &&
15651 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
15652 		goto nla_put_failure;
15653 
15654 	genlmsg_end(msg, hdr);
15655 
15656 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15657 				NL80211_MCGRP_MLME, gfp);
15658 	return;
15659 
15660  nla_put_failure:
15661 	nlmsg_free(msg);
15662 }
15663 
15664 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
15665 			 struct net_device *netdev,
15666 			 struct cfg80211_roam_info *info, gfp_t gfp)
15667 {
15668 	struct sk_buff *msg;
15669 	void *hdr;
15670 	const u8 *bssid = info->bss ? info->bss->bssid : info->bssid;
15671 
15672 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
15673 			info->fils.kek_len + info->fils.pmk_len +
15674 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
15675 	if (!msg)
15676 		return;
15677 
15678 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
15679 	if (!hdr) {
15680 		nlmsg_free(msg);
15681 		return;
15682 	}
15683 
15684 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15685 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15686 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
15687 	    (info->req_ie &&
15688 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
15689 		     info->req_ie)) ||
15690 	    (info->resp_ie &&
15691 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
15692 		     info->resp_ie)) ||
15693 	    (info->fils.update_erp_next_seq_num &&
15694 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
15695 			 info->fils.erp_next_seq_num)) ||
15696 	    (info->fils.kek &&
15697 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
15698 		     info->fils.kek)) ||
15699 	    (info->fils.pmk &&
15700 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
15701 	    (info->fils.pmkid &&
15702 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
15703 		goto nla_put_failure;
15704 
15705 	genlmsg_end(msg, hdr);
15706 
15707 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15708 				NL80211_MCGRP_MLME, gfp);
15709 	return;
15710 
15711  nla_put_failure:
15712 	nlmsg_free(msg);
15713 }
15714 
15715 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
15716 				  struct net_device *netdev, const u8 *bssid)
15717 {
15718 	struct sk_buff *msg;
15719 	void *hdr;
15720 
15721 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15722 	if (!msg)
15723 		return;
15724 
15725 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
15726 	if (!hdr) {
15727 		nlmsg_free(msg);
15728 		return;
15729 	}
15730 
15731 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15732 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15733 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
15734 		goto nla_put_failure;
15735 
15736 	genlmsg_end(msg, hdr);
15737 
15738 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15739 				NL80211_MCGRP_MLME, GFP_KERNEL);
15740 	return;
15741 
15742  nla_put_failure:
15743 	nlmsg_free(msg);
15744 }
15745 
15746 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
15747 			       struct net_device *netdev, u16 reason,
15748 			       const u8 *ie, size_t ie_len, bool from_ap)
15749 {
15750 	struct sk_buff *msg;
15751 	void *hdr;
15752 
15753 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
15754 	if (!msg)
15755 		return;
15756 
15757 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
15758 	if (!hdr) {
15759 		nlmsg_free(msg);
15760 		return;
15761 	}
15762 
15763 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15764 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15765 	    (reason &&
15766 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
15767 	    (from_ap &&
15768 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
15769 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
15770 		goto nla_put_failure;
15771 
15772 	genlmsg_end(msg, hdr);
15773 
15774 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15775 				NL80211_MCGRP_MLME, GFP_KERNEL);
15776 	return;
15777 
15778  nla_put_failure:
15779 	nlmsg_free(msg);
15780 }
15781 
15782 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
15783 			     struct net_device *netdev, const u8 *bssid,
15784 			     gfp_t gfp)
15785 {
15786 	struct sk_buff *msg;
15787 	void *hdr;
15788 
15789 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15790 	if (!msg)
15791 		return;
15792 
15793 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
15794 	if (!hdr) {
15795 		nlmsg_free(msg);
15796 		return;
15797 	}
15798 
15799 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15800 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15801 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
15802 		goto nla_put_failure;
15803 
15804 	genlmsg_end(msg, hdr);
15805 
15806 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15807 				NL80211_MCGRP_MLME, gfp);
15808 	return;
15809 
15810  nla_put_failure:
15811 	nlmsg_free(msg);
15812 }
15813 
15814 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
15815 					const u8 *ie, u8 ie_len,
15816 					int sig_dbm, gfp_t gfp)
15817 {
15818 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15819 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15820 	struct sk_buff *msg;
15821 	void *hdr;
15822 
15823 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
15824 		return;
15825 
15826 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
15827 
15828 	msg = nlmsg_new(100 + ie_len, gfp);
15829 	if (!msg)
15830 		return;
15831 
15832 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
15833 	if (!hdr) {
15834 		nlmsg_free(msg);
15835 		return;
15836 	}
15837 
15838 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15839 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
15840 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
15841 	    (ie_len && ie &&
15842 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
15843 	    (sig_dbm &&
15844 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
15845 		goto nla_put_failure;
15846 
15847 	genlmsg_end(msg, hdr);
15848 
15849 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15850 				NL80211_MCGRP_MLME, gfp);
15851 	return;
15852 
15853  nla_put_failure:
15854 	nlmsg_free(msg);
15855 }
15856 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
15857 
15858 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
15859 				 struct net_device *netdev, const u8 *addr,
15860 				 enum nl80211_key_type key_type, int key_id,
15861 				 const u8 *tsc, gfp_t gfp)
15862 {
15863 	struct sk_buff *msg;
15864 	void *hdr;
15865 
15866 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15867 	if (!msg)
15868 		return;
15869 
15870 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
15871 	if (!hdr) {
15872 		nlmsg_free(msg);
15873 		return;
15874 	}
15875 
15876 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15877 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15878 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
15879 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
15880 	    (key_id != -1 &&
15881 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
15882 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
15883 		goto nla_put_failure;
15884 
15885 	genlmsg_end(msg, hdr);
15886 
15887 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15888 				NL80211_MCGRP_MLME, gfp);
15889 	return;
15890 
15891  nla_put_failure:
15892 	nlmsg_free(msg);
15893 }
15894 
15895 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
15896 				    struct ieee80211_channel *channel_before,
15897 				    struct ieee80211_channel *channel_after)
15898 {
15899 	struct sk_buff *msg;
15900 	void *hdr;
15901 	struct nlattr *nl_freq;
15902 
15903 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
15904 	if (!msg)
15905 		return;
15906 
15907 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
15908 	if (!hdr) {
15909 		nlmsg_free(msg);
15910 		return;
15911 	}
15912 
15913 	/*
15914 	 * Since we are applying the beacon hint to a wiphy we know its
15915 	 * wiphy_idx is valid
15916 	 */
15917 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
15918 		goto nla_put_failure;
15919 
15920 	/* Before */
15921 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
15922 	if (!nl_freq)
15923 		goto nla_put_failure;
15924 
15925 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
15926 		goto nla_put_failure;
15927 	nla_nest_end(msg, nl_freq);
15928 
15929 	/* After */
15930 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
15931 	if (!nl_freq)
15932 		goto nla_put_failure;
15933 
15934 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
15935 		goto nla_put_failure;
15936 	nla_nest_end(msg, nl_freq);
15937 
15938 	genlmsg_end(msg, hdr);
15939 
15940 	rcu_read_lock();
15941 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
15942 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
15943 	rcu_read_unlock();
15944 
15945 	return;
15946 
15947 nla_put_failure:
15948 	nlmsg_free(msg);
15949 }
15950 
15951 static void nl80211_send_remain_on_chan_event(
15952 	int cmd, struct cfg80211_registered_device *rdev,
15953 	struct wireless_dev *wdev, u64 cookie,
15954 	struct ieee80211_channel *chan,
15955 	unsigned int duration, gfp_t gfp)
15956 {
15957 	struct sk_buff *msg;
15958 	void *hdr;
15959 
15960 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15961 	if (!msg)
15962 		return;
15963 
15964 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15965 	if (!hdr) {
15966 		nlmsg_free(msg);
15967 		return;
15968 	}
15969 
15970 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15971 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15972 					 wdev->netdev->ifindex)) ||
15973 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15974 			      NL80211_ATTR_PAD) ||
15975 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
15976 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
15977 			NL80211_CHAN_NO_HT) ||
15978 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
15979 			      NL80211_ATTR_PAD))
15980 		goto nla_put_failure;
15981 
15982 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
15983 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
15984 		goto nla_put_failure;
15985 
15986 	genlmsg_end(msg, hdr);
15987 
15988 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15989 				NL80211_MCGRP_MLME, gfp);
15990 	return;
15991 
15992  nla_put_failure:
15993 	nlmsg_free(msg);
15994 }
15995 
15996 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
15997 			       struct ieee80211_channel *chan,
15998 			       unsigned int duration, gfp_t gfp)
15999 {
16000 	struct wiphy *wiphy = wdev->wiphy;
16001 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16002 
16003 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
16004 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
16005 					  rdev, wdev, cookie, chan,
16006 					  duration, gfp);
16007 }
16008 EXPORT_SYMBOL(cfg80211_ready_on_channel);
16009 
16010 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
16011 					struct ieee80211_channel *chan,
16012 					gfp_t gfp)
16013 {
16014 	struct wiphy *wiphy = wdev->wiphy;
16015 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16016 
16017 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
16018 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
16019 					  rdev, wdev, cookie, chan, 0, gfp);
16020 }
16021 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
16022 
16023 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
16024 					struct ieee80211_channel *chan,
16025 					gfp_t gfp)
16026 {
16027 	struct wiphy *wiphy = wdev->wiphy;
16028 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16029 
16030 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
16031 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
16032 					  rdev, wdev, cookie, chan, 0, gfp);
16033 }
16034 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
16035 
16036 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
16037 		      struct station_info *sinfo, gfp_t gfp)
16038 {
16039 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
16040 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16041 	struct sk_buff *msg;
16042 
16043 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
16044 
16045 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16046 	if (!msg)
16047 		return;
16048 
16049 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
16050 				 rdev, dev, mac_addr, sinfo) < 0) {
16051 		nlmsg_free(msg);
16052 		return;
16053 	}
16054 
16055 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16056 				NL80211_MCGRP_MLME, gfp);
16057 }
16058 EXPORT_SYMBOL(cfg80211_new_sta);
16059 
16060 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
16061 			    struct station_info *sinfo, gfp_t gfp)
16062 {
16063 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
16064 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16065 	struct sk_buff *msg;
16066 	struct station_info empty_sinfo = {};
16067 
16068 	if (!sinfo)
16069 		sinfo = &empty_sinfo;
16070 
16071 	trace_cfg80211_del_sta(dev, mac_addr);
16072 
16073 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16074 	if (!msg) {
16075 		cfg80211_sinfo_release_content(sinfo);
16076 		return;
16077 	}
16078 
16079 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
16080 				 rdev, dev, mac_addr, sinfo) < 0) {
16081 		nlmsg_free(msg);
16082 		return;
16083 	}
16084 
16085 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16086 				NL80211_MCGRP_MLME, gfp);
16087 }
16088 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
16089 
16090 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
16091 			  enum nl80211_connect_failed_reason reason,
16092 			  gfp_t gfp)
16093 {
16094 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
16095 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16096 	struct sk_buff *msg;
16097 	void *hdr;
16098 
16099 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
16100 	if (!msg)
16101 		return;
16102 
16103 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
16104 	if (!hdr) {
16105 		nlmsg_free(msg);
16106 		return;
16107 	}
16108 
16109 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16110 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
16111 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
16112 		goto nla_put_failure;
16113 
16114 	genlmsg_end(msg, hdr);
16115 
16116 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16117 				NL80211_MCGRP_MLME, gfp);
16118 	return;
16119 
16120  nla_put_failure:
16121 	nlmsg_free(msg);
16122 }
16123 EXPORT_SYMBOL(cfg80211_conn_failed);
16124 
16125 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
16126 				       const u8 *addr, gfp_t gfp)
16127 {
16128 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16129 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16130 	struct sk_buff *msg;
16131 	void *hdr;
16132 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
16133 
16134 	if (!nlportid)
16135 		return false;
16136 
16137 	msg = nlmsg_new(100, gfp);
16138 	if (!msg)
16139 		return true;
16140 
16141 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16142 	if (!hdr) {
16143 		nlmsg_free(msg);
16144 		return true;
16145 	}
16146 
16147 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16148 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16149 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
16150 		goto nla_put_failure;
16151 
16152 	genlmsg_end(msg, hdr);
16153 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
16154 	return true;
16155 
16156  nla_put_failure:
16157 	nlmsg_free(msg);
16158 	return true;
16159 }
16160 
16161 bool cfg80211_rx_spurious_frame(struct net_device *dev,
16162 				const u8 *addr, gfp_t gfp)
16163 {
16164 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16165 	bool ret;
16166 
16167 	trace_cfg80211_rx_spurious_frame(dev, addr);
16168 
16169 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
16170 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
16171 		trace_cfg80211_return_bool(false);
16172 		return false;
16173 	}
16174 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
16175 					 addr, gfp);
16176 	trace_cfg80211_return_bool(ret);
16177 	return ret;
16178 }
16179 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
16180 
16181 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
16182 					const u8 *addr, gfp_t gfp)
16183 {
16184 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16185 	bool ret;
16186 
16187 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
16188 
16189 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
16190 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
16191 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
16192 		trace_cfg80211_return_bool(false);
16193 		return false;
16194 	}
16195 	ret = __nl80211_unexpected_frame(dev,
16196 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
16197 					 addr, gfp);
16198 	trace_cfg80211_return_bool(ret);
16199 	return ret;
16200 }
16201 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
16202 
16203 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
16204 		      struct wireless_dev *wdev, u32 nlportid,
16205 		      int freq, int sig_dbm,
16206 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
16207 {
16208 	struct net_device *netdev = wdev->netdev;
16209 	struct sk_buff *msg;
16210 	void *hdr;
16211 
16212 	msg = nlmsg_new(100 + len, gfp);
16213 	if (!msg)
16214 		return -ENOMEM;
16215 
16216 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
16217 	if (!hdr) {
16218 		nlmsg_free(msg);
16219 		return -ENOMEM;
16220 	}
16221 
16222 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16223 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16224 					netdev->ifindex)) ||
16225 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16226 			      NL80211_ATTR_PAD) ||
16227 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq) ||
16228 	    (sig_dbm &&
16229 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
16230 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
16231 	    (flags &&
16232 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
16233 		goto nla_put_failure;
16234 
16235 	genlmsg_end(msg, hdr);
16236 
16237 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
16238 
16239  nla_put_failure:
16240 	nlmsg_free(msg);
16241 	return -ENOBUFS;
16242 }
16243 
16244 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
16245 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
16246 {
16247 	struct wiphy *wiphy = wdev->wiphy;
16248 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16249 	struct net_device *netdev = wdev->netdev;
16250 	struct sk_buff *msg;
16251 	void *hdr;
16252 
16253 	trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
16254 
16255 	msg = nlmsg_new(100 + len, gfp);
16256 	if (!msg)
16257 		return;
16258 
16259 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME_TX_STATUS);
16260 	if (!hdr) {
16261 		nlmsg_free(msg);
16262 		return;
16263 	}
16264 
16265 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16266 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16267 				   netdev->ifindex)) ||
16268 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16269 			      NL80211_ATTR_PAD) ||
16270 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
16271 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
16272 			      NL80211_ATTR_PAD) ||
16273 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
16274 		goto nla_put_failure;
16275 
16276 	genlmsg_end(msg, hdr);
16277 
16278 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16279 				NL80211_MCGRP_MLME, gfp);
16280 	return;
16281 
16282  nla_put_failure:
16283 	nlmsg_free(msg);
16284 }
16285 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
16286 
16287 static int __nl80211_rx_control_port(struct net_device *dev,
16288 				     struct sk_buff *skb,
16289 				     bool unencrypted, gfp_t gfp)
16290 {
16291 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16292 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16293 	struct ethhdr *ehdr = eth_hdr(skb);
16294 	const u8 *addr = ehdr->h_source;
16295 	u16 proto = be16_to_cpu(skb->protocol);
16296 	struct sk_buff *msg;
16297 	void *hdr;
16298 	struct nlattr *frame;
16299 
16300 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
16301 
16302 	if (!nlportid)
16303 		return -ENOENT;
16304 
16305 	msg = nlmsg_new(100 + skb->len, gfp);
16306 	if (!msg)
16307 		return -ENOMEM;
16308 
16309 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
16310 	if (!hdr) {
16311 		nlmsg_free(msg);
16312 		return -ENOBUFS;
16313 	}
16314 
16315 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16316 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16317 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16318 			      NL80211_ATTR_PAD) ||
16319 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
16320 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
16321 	    (unencrypted && nla_put_flag(msg,
16322 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
16323 		goto nla_put_failure;
16324 
16325 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
16326 	if (!frame)
16327 		goto nla_put_failure;
16328 
16329 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
16330 	genlmsg_end(msg, hdr);
16331 
16332 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
16333 
16334  nla_put_failure:
16335 	nlmsg_free(msg);
16336 	return -ENOBUFS;
16337 }
16338 
16339 bool cfg80211_rx_control_port(struct net_device *dev,
16340 			      struct sk_buff *skb, bool unencrypted)
16341 {
16342 	int ret;
16343 
16344 	trace_cfg80211_rx_control_port(dev, skb, unencrypted);
16345 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, GFP_ATOMIC);
16346 	trace_cfg80211_return_bool(ret == 0);
16347 	return ret == 0;
16348 }
16349 EXPORT_SYMBOL(cfg80211_rx_control_port);
16350 
16351 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
16352 					    const char *mac, gfp_t gfp)
16353 {
16354 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16355 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16356 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16357 	void **cb;
16358 
16359 	if (!msg)
16360 		return NULL;
16361 
16362 	cb = (void **)msg->cb;
16363 
16364 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
16365 	if (!cb[0]) {
16366 		nlmsg_free(msg);
16367 		return NULL;
16368 	}
16369 
16370 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16371 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
16372 		goto nla_put_failure;
16373 
16374 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
16375 		goto nla_put_failure;
16376 
16377 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
16378 	if (!cb[1])
16379 		goto nla_put_failure;
16380 
16381 	cb[2] = rdev;
16382 
16383 	return msg;
16384  nla_put_failure:
16385 	nlmsg_free(msg);
16386 	return NULL;
16387 }
16388 
16389 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
16390 {
16391 	void **cb = (void **)msg->cb;
16392 	struct cfg80211_registered_device *rdev = cb[2];
16393 
16394 	nla_nest_end(msg, cb[1]);
16395 	genlmsg_end(msg, cb[0]);
16396 
16397 	memset(msg->cb, 0, sizeof(msg->cb));
16398 
16399 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16400 				NL80211_MCGRP_MLME, gfp);
16401 }
16402 
16403 void cfg80211_cqm_rssi_notify(struct net_device *dev,
16404 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
16405 			      s32 rssi_level, gfp_t gfp)
16406 {
16407 	struct sk_buff *msg;
16408 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16409 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16410 
16411 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
16412 
16413 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
16414 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
16415 		return;
16416 
16417 	if (wdev->cqm_config) {
16418 		wdev->cqm_config->last_rssi_event_value = rssi_level;
16419 
16420 		cfg80211_cqm_rssi_update(rdev, dev);
16421 
16422 		if (rssi_level == 0)
16423 			rssi_level = wdev->cqm_config->last_rssi_event_value;
16424 	}
16425 
16426 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
16427 	if (!msg)
16428 		return;
16429 
16430 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
16431 			rssi_event))
16432 		goto nla_put_failure;
16433 
16434 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
16435 				      rssi_level))
16436 		goto nla_put_failure;
16437 
16438 	cfg80211_send_cqm(msg, gfp);
16439 
16440 	return;
16441 
16442  nla_put_failure:
16443 	nlmsg_free(msg);
16444 }
16445 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
16446 
16447 void cfg80211_cqm_txe_notify(struct net_device *dev,
16448 			     const u8 *peer, u32 num_packets,
16449 			     u32 rate, u32 intvl, gfp_t gfp)
16450 {
16451 	struct sk_buff *msg;
16452 
16453 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
16454 	if (!msg)
16455 		return;
16456 
16457 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
16458 		goto nla_put_failure;
16459 
16460 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
16461 		goto nla_put_failure;
16462 
16463 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
16464 		goto nla_put_failure;
16465 
16466 	cfg80211_send_cqm(msg, gfp);
16467 	return;
16468 
16469  nla_put_failure:
16470 	nlmsg_free(msg);
16471 }
16472 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
16473 
16474 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
16475 				 const u8 *peer, u32 num_packets, gfp_t gfp)
16476 {
16477 	struct sk_buff *msg;
16478 
16479 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
16480 
16481 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
16482 	if (!msg)
16483 		return;
16484 
16485 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
16486 		goto nla_put_failure;
16487 
16488 	cfg80211_send_cqm(msg, gfp);
16489 	return;
16490 
16491  nla_put_failure:
16492 	nlmsg_free(msg);
16493 }
16494 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
16495 
16496 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
16497 {
16498 	struct sk_buff *msg;
16499 
16500 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
16501 	if (!msg)
16502 		return;
16503 
16504 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
16505 		goto nla_put_failure;
16506 
16507 	cfg80211_send_cqm(msg, gfp);
16508 	return;
16509 
16510  nla_put_failure:
16511 	nlmsg_free(msg);
16512 }
16513 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
16514 
16515 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
16516 				     struct net_device *netdev, const u8 *bssid,
16517 				     const u8 *replay_ctr, gfp_t gfp)
16518 {
16519 	struct sk_buff *msg;
16520 	struct nlattr *rekey_attr;
16521 	void *hdr;
16522 
16523 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16524 	if (!msg)
16525 		return;
16526 
16527 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
16528 	if (!hdr) {
16529 		nlmsg_free(msg);
16530 		return;
16531 	}
16532 
16533 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16534 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16535 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16536 		goto nla_put_failure;
16537 
16538 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
16539 	if (!rekey_attr)
16540 		goto nla_put_failure;
16541 
16542 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
16543 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
16544 		goto nla_put_failure;
16545 
16546 	nla_nest_end(msg, rekey_attr);
16547 
16548 	genlmsg_end(msg, hdr);
16549 
16550 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16551 				NL80211_MCGRP_MLME, gfp);
16552 	return;
16553 
16554  nla_put_failure:
16555 	nlmsg_free(msg);
16556 }
16557 
16558 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
16559 			       const u8 *replay_ctr, gfp_t gfp)
16560 {
16561 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16562 	struct wiphy *wiphy = wdev->wiphy;
16563 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16564 
16565 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
16566 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
16567 }
16568 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
16569 
16570 static void
16571 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
16572 			       struct net_device *netdev, int index,
16573 			       const u8 *bssid, bool preauth, gfp_t gfp)
16574 {
16575 	struct sk_buff *msg;
16576 	struct nlattr *attr;
16577 	void *hdr;
16578 
16579 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16580 	if (!msg)
16581 		return;
16582 
16583 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
16584 	if (!hdr) {
16585 		nlmsg_free(msg);
16586 		return;
16587 	}
16588 
16589 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16590 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
16591 		goto nla_put_failure;
16592 
16593 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
16594 	if (!attr)
16595 		goto nla_put_failure;
16596 
16597 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
16598 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
16599 	    (preauth &&
16600 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
16601 		goto nla_put_failure;
16602 
16603 	nla_nest_end(msg, attr);
16604 
16605 	genlmsg_end(msg, hdr);
16606 
16607 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16608 				NL80211_MCGRP_MLME, gfp);
16609 	return;
16610 
16611  nla_put_failure:
16612 	nlmsg_free(msg);
16613 }
16614 
16615 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
16616 				     const u8 *bssid, bool preauth, gfp_t gfp)
16617 {
16618 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16619 	struct wiphy *wiphy = wdev->wiphy;
16620 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16621 
16622 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
16623 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
16624 }
16625 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
16626 
16627 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
16628 				     struct net_device *netdev,
16629 				     struct cfg80211_chan_def *chandef,
16630 				     gfp_t gfp,
16631 				     enum nl80211_commands notif,
16632 				     u8 count)
16633 {
16634 	struct sk_buff *msg;
16635 	void *hdr;
16636 
16637 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16638 	if (!msg)
16639 		return;
16640 
16641 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
16642 	if (!hdr) {
16643 		nlmsg_free(msg);
16644 		return;
16645 	}
16646 
16647 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
16648 		goto nla_put_failure;
16649 
16650 	if (nl80211_send_chandef(msg, chandef))
16651 		goto nla_put_failure;
16652 
16653 	if ((notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) &&
16654 	    (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count)))
16655 			goto nla_put_failure;
16656 
16657 	genlmsg_end(msg, hdr);
16658 
16659 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16660 				NL80211_MCGRP_MLME, gfp);
16661 	return;
16662 
16663  nla_put_failure:
16664 	nlmsg_free(msg);
16665 }
16666 
16667 void cfg80211_ch_switch_notify(struct net_device *dev,
16668 			       struct cfg80211_chan_def *chandef)
16669 {
16670 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16671 	struct wiphy *wiphy = wdev->wiphy;
16672 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16673 
16674 	ASSERT_WDEV_LOCK(wdev);
16675 
16676 	trace_cfg80211_ch_switch_notify(dev, chandef);
16677 
16678 	wdev->chandef = *chandef;
16679 	wdev->preset_chandef = *chandef;
16680 
16681 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
16682 	    !WARN_ON(!wdev->current_bss))
16683 		cfg80211_update_assoc_bss_entry(wdev, chandef->chan);
16684 
16685 	cfg80211_sched_dfs_chan_update(rdev);
16686 
16687 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
16688 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0);
16689 }
16690 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
16691 
16692 void cfg80211_ch_switch_started_notify(struct net_device *dev,
16693 				       struct cfg80211_chan_def *chandef,
16694 				       u8 count)
16695 {
16696 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16697 	struct wiphy *wiphy = wdev->wiphy;
16698 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16699 
16700 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
16701 
16702 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
16703 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY, count);
16704 }
16705 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
16706 
16707 void
16708 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
16709 		     const struct cfg80211_chan_def *chandef,
16710 		     enum nl80211_radar_event event,
16711 		     struct net_device *netdev, gfp_t gfp)
16712 {
16713 	struct sk_buff *msg;
16714 	void *hdr;
16715 
16716 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16717 	if (!msg)
16718 		return;
16719 
16720 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
16721 	if (!hdr) {
16722 		nlmsg_free(msg);
16723 		return;
16724 	}
16725 
16726 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
16727 		goto nla_put_failure;
16728 
16729 	/* NOP and radar events don't need a netdev parameter */
16730 	if (netdev) {
16731 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
16732 
16733 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16734 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16735 				      NL80211_ATTR_PAD))
16736 			goto nla_put_failure;
16737 	}
16738 
16739 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
16740 		goto nla_put_failure;
16741 
16742 	if (nl80211_send_chandef(msg, chandef))
16743 		goto nla_put_failure;
16744 
16745 	genlmsg_end(msg, hdr);
16746 
16747 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16748 				NL80211_MCGRP_MLME, gfp);
16749 	return;
16750 
16751  nla_put_failure:
16752 	nlmsg_free(msg);
16753 }
16754 
16755 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
16756 				       struct sta_opmode_info *sta_opmode,
16757 				       gfp_t gfp)
16758 {
16759 	struct sk_buff *msg;
16760 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16761 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16762 	void *hdr;
16763 
16764 	if (WARN_ON(!mac))
16765 		return;
16766 
16767 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16768 	if (!msg)
16769 		return;
16770 
16771 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
16772 	if (!hdr) {
16773 		nlmsg_free(msg);
16774 		return;
16775 	}
16776 
16777 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
16778 		goto nla_put_failure;
16779 
16780 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
16781 		goto nla_put_failure;
16782 
16783 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
16784 		goto nla_put_failure;
16785 
16786 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
16787 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
16788 		goto nla_put_failure;
16789 
16790 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
16791 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
16792 		goto nla_put_failure;
16793 
16794 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
16795 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
16796 		goto nla_put_failure;
16797 
16798 	genlmsg_end(msg, hdr);
16799 
16800 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16801 				NL80211_MCGRP_MLME, gfp);
16802 
16803 	return;
16804 
16805 nla_put_failure:
16806 	nlmsg_free(msg);
16807 }
16808 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
16809 
16810 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
16811 			   u64 cookie, bool acked, s32 ack_signal,
16812 			   bool is_valid_ack_signal, gfp_t gfp)
16813 {
16814 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16815 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16816 	struct sk_buff *msg;
16817 	void *hdr;
16818 
16819 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
16820 
16821 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16822 
16823 	if (!msg)
16824 		return;
16825 
16826 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
16827 	if (!hdr) {
16828 		nlmsg_free(msg);
16829 		return;
16830 	}
16831 
16832 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16833 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16834 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
16835 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
16836 			      NL80211_ATTR_PAD) ||
16837 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
16838 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
16839 						ack_signal)))
16840 		goto nla_put_failure;
16841 
16842 	genlmsg_end(msg, hdr);
16843 
16844 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16845 				NL80211_MCGRP_MLME, gfp);
16846 	return;
16847 
16848  nla_put_failure:
16849 	nlmsg_free(msg);
16850 }
16851 EXPORT_SYMBOL(cfg80211_probe_status);
16852 
16853 void cfg80211_report_obss_beacon(struct wiphy *wiphy,
16854 				 const u8 *frame, size_t len,
16855 				 int freq, int sig_dbm)
16856 {
16857 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16858 	struct sk_buff *msg;
16859 	void *hdr;
16860 	struct cfg80211_beacon_registration *reg;
16861 
16862 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
16863 
16864 	spin_lock_bh(&rdev->beacon_registrations_lock);
16865 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
16866 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
16867 		if (!msg) {
16868 			spin_unlock_bh(&rdev->beacon_registrations_lock);
16869 			return;
16870 		}
16871 
16872 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
16873 		if (!hdr)
16874 			goto nla_put_failure;
16875 
16876 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16877 		    (freq &&
16878 		     nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq)) ||
16879 		    (sig_dbm &&
16880 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
16881 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
16882 			goto nla_put_failure;
16883 
16884 		genlmsg_end(msg, hdr);
16885 
16886 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
16887 	}
16888 	spin_unlock_bh(&rdev->beacon_registrations_lock);
16889 	return;
16890 
16891  nla_put_failure:
16892 	spin_unlock_bh(&rdev->beacon_registrations_lock);
16893 	nlmsg_free(msg);
16894 }
16895 EXPORT_SYMBOL(cfg80211_report_obss_beacon);
16896 
16897 #ifdef CONFIG_PM
16898 static int cfg80211_net_detect_results(struct sk_buff *msg,
16899 				       struct cfg80211_wowlan_wakeup *wakeup)
16900 {
16901 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
16902 	struct nlattr *nl_results, *nl_match, *nl_freqs;
16903 	int i, j;
16904 
16905 	nl_results = nla_nest_start_noflag(msg,
16906 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
16907 	if (!nl_results)
16908 		return -EMSGSIZE;
16909 
16910 	for (i = 0; i < nd->n_matches; i++) {
16911 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
16912 
16913 		nl_match = nla_nest_start_noflag(msg, i);
16914 		if (!nl_match)
16915 			break;
16916 
16917 		/* The SSID attribute is optional in nl80211, but for
16918 		 * simplicity reasons it's always present in the
16919 		 * cfg80211 structure.  If a driver can't pass the
16920 		 * SSID, that needs to be changed.  A zero length SSID
16921 		 * is still a valid SSID (wildcard), so it cannot be
16922 		 * used for this purpose.
16923 		 */
16924 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
16925 			    match->ssid.ssid)) {
16926 			nla_nest_cancel(msg, nl_match);
16927 			goto out;
16928 		}
16929 
16930 		if (match->n_channels) {
16931 			nl_freqs = nla_nest_start_noflag(msg,
16932 							 NL80211_ATTR_SCAN_FREQUENCIES);
16933 			if (!nl_freqs) {
16934 				nla_nest_cancel(msg, nl_match);
16935 				goto out;
16936 			}
16937 
16938 			for (j = 0; j < match->n_channels; j++) {
16939 				if (nla_put_u32(msg, j, match->channels[j])) {
16940 					nla_nest_cancel(msg, nl_freqs);
16941 					nla_nest_cancel(msg, nl_match);
16942 					goto out;
16943 				}
16944 			}
16945 
16946 			nla_nest_end(msg, nl_freqs);
16947 		}
16948 
16949 		nla_nest_end(msg, nl_match);
16950 	}
16951 
16952 out:
16953 	nla_nest_end(msg, nl_results);
16954 	return 0;
16955 }
16956 
16957 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
16958 				   struct cfg80211_wowlan_wakeup *wakeup,
16959 				   gfp_t gfp)
16960 {
16961 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16962 	struct sk_buff *msg;
16963 	void *hdr;
16964 	int size = 200;
16965 
16966 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
16967 
16968 	if (wakeup)
16969 		size += wakeup->packet_present_len;
16970 
16971 	msg = nlmsg_new(size, gfp);
16972 	if (!msg)
16973 		return;
16974 
16975 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
16976 	if (!hdr)
16977 		goto free_msg;
16978 
16979 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16980 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16981 			      NL80211_ATTR_PAD))
16982 		goto free_msg;
16983 
16984 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16985 					wdev->netdev->ifindex))
16986 		goto free_msg;
16987 
16988 	if (wakeup) {
16989 		struct nlattr *reasons;
16990 
16991 		reasons = nla_nest_start_noflag(msg,
16992 						NL80211_ATTR_WOWLAN_TRIGGERS);
16993 		if (!reasons)
16994 			goto free_msg;
16995 
16996 		if (wakeup->disconnect &&
16997 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
16998 			goto free_msg;
16999 		if (wakeup->magic_pkt &&
17000 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
17001 			goto free_msg;
17002 		if (wakeup->gtk_rekey_failure &&
17003 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
17004 			goto free_msg;
17005 		if (wakeup->eap_identity_req &&
17006 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
17007 			goto free_msg;
17008 		if (wakeup->four_way_handshake &&
17009 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
17010 			goto free_msg;
17011 		if (wakeup->rfkill_release &&
17012 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
17013 			goto free_msg;
17014 
17015 		if (wakeup->pattern_idx >= 0 &&
17016 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
17017 				wakeup->pattern_idx))
17018 			goto free_msg;
17019 
17020 		if (wakeup->tcp_match &&
17021 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
17022 			goto free_msg;
17023 
17024 		if (wakeup->tcp_connlost &&
17025 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
17026 			goto free_msg;
17027 
17028 		if (wakeup->tcp_nomoretokens &&
17029 		    nla_put_flag(msg,
17030 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
17031 			goto free_msg;
17032 
17033 		if (wakeup->packet) {
17034 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
17035 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
17036 
17037 			if (!wakeup->packet_80211) {
17038 				pkt_attr =
17039 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
17040 				len_attr =
17041 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
17042 			}
17043 
17044 			if (wakeup->packet_len &&
17045 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
17046 				goto free_msg;
17047 
17048 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
17049 				    wakeup->packet))
17050 				goto free_msg;
17051 		}
17052 
17053 		if (wakeup->net_detect &&
17054 		    cfg80211_net_detect_results(msg, wakeup))
17055 				goto free_msg;
17056 
17057 		nla_nest_end(msg, reasons);
17058 	}
17059 
17060 	genlmsg_end(msg, hdr);
17061 
17062 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17063 				NL80211_MCGRP_MLME, gfp);
17064 	return;
17065 
17066  free_msg:
17067 	nlmsg_free(msg);
17068 }
17069 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
17070 #endif
17071 
17072 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
17073 				enum nl80211_tdls_operation oper,
17074 				u16 reason_code, gfp_t gfp)
17075 {
17076 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17077 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17078 	struct sk_buff *msg;
17079 	void *hdr;
17080 
17081 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
17082 					 reason_code);
17083 
17084 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17085 	if (!msg)
17086 		return;
17087 
17088 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
17089 	if (!hdr) {
17090 		nlmsg_free(msg);
17091 		return;
17092 	}
17093 
17094 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17095 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17096 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
17097 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
17098 	    (reason_code > 0 &&
17099 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
17100 		goto nla_put_failure;
17101 
17102 	genlmsg_end(msg, hdr);
17103 
17104 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17105 				NL80211_MCGRP_MLME, gfp);
17106 	return;
17107 
17108  nla_put_failure:
17109 	nlmsg_free(msg);
17110 }
17111 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
17112 
17113 static int nl80211_netlink_notify(struct notifier_block * nb,
17114 				  unsigned long state,
17115 				  void *_notify)
17116 {
17117 	struct netlink_notify *notify = _notify;
17118 	struct cfg80211_registered_device *rdev;
17119 	struct wireless_dev *wdev;
17120 	struct cfg80211_beacon_registration *reg, *tmp;
17121 
17122 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
17123 		return NOTIFY_DONE;
17124 
17125 	rcu_read_lock();
17126 
17127 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
17128 		struct cfg80211_sched_scan_request *sched_scan_req;
17129 
17130 		list_for_each_entry_rcu(sched_scan_req,
17131 					&rdev->sched_scan_req_list,
17132 					list) {
17133 			if (sched_scan_req->owner_nlportid == notify->portid) {
17134 				sched_scan_req->nl_owner_dead = true;
17135 				schedule_work(&rdev->sched_scan_stop_wk);
17136 			}
17137 		}
17138 
17139 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
17140 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
17141 
17142 			if (wdev->owner_nlportid == notify->portid) {
17143 				wdev->nl_owner_dead = true;
17144 				schedule_work(&rdev->destroy_work);
17145 			} else if (wdev->conn_owner_nlportid == notify->portid) {
17146 				schedule_work(&wdev->disconnect_wk);
17147 			}
17148 
17149 			cfg80211_release_pmsr(wdev, notify->portid);
17150 		}
17151 
17152 		spin_lock_bh(&rdev->beacon_registrations_lock);
17153 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
17154 					 list) {
17155 			if (reg->nlportid == notify->portid) {
17156 				list_del(&reg->list);
17157 				kfree(reg);
17158 				break;
17159 			}
17160 		}
17161 		spin_unlock_bh(&rdev->beacon_registrations_lock);
17162 	}
17163 
17164 	rcu_read_unlock();
17165 
17166 	/*
17167 	 * It is possible that the user space process that is controlling the
17168 	 * indoor setting disappeared, so notify the regulatory core.
17169 	 */
17170 	regulatory_netlink_notify(notify->portid);
17171 	return NOTIFY_OK;
17172 }
17173 
17174 static struct notifier_block nl80211_netlink_notifier = {
17175 	.notifier_call = nl80211_netlink_notify,
17176 };
17177 
17178 void cfg80211_ft_event(struct net_device *netdev,
17179 		       struct cfg80211_ft_event_params *ft_event)
17180 {
17181 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
17182 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17183 	struct sk_buff *msg;
17184 	void *hdr;
17185 
17186 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
17187 
17188 	if (!ft_event->target_ap)
17189 		return;
17190 
17191 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
17192 			GFP_KERNEL);
17193 	if (!msg)
17194 		return;
17195 
17196 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
17197 	if (!hdr)
17198 		goto out;
17199 
17200 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17201 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17202 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
17203 		goto out;
17204 
17205 	if (ft_event->ies &&
17206 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
17207 		goto out;
17208 	if (ft_event->ric_ies &&
17209 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
17210 		    ft_event->ric_ies))
17211 		goto out;
17212 
17213 	genlmsg_end(msg, hdr);
17214 
17215 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17216 				NL80211_MCGRP_MLME, GFP_KERNEL);
17217 	return;
17218  out:
17219 	nlmsg_free(msg);
17220 }
17221 EXPORT_SYMBOL(cfg80211_ft_event);
17222 
17223 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
17224 {
17225 	struct cfg80211_registered_device *rdev;
17226 	struct sk_buff *msg;
17227 	void *hdr;
17228 	u32 nlportid;
17229 
17230 	rdev = wiphy_to_rdev(wdev->wiphy);
17231 	if (!rdev->crit_proto_nlportid)
17232 		return;
17233 
17234 	nlportid = rdev->crit_proto_nlportid;
17235 	rdev->crit_proto_nlportid = 0;
17236 
17237 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17238 	if (!msg)
17239 		return;
17240 
17241 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
17242 	if (!hdr)
17243 		goto nla_put_failure;
17244 
17245 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17246 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17247 			      NL80211_ATTR_PAD))
17248 		goto nla_put_failure;
17249 
17250 	genlmsg_end(msg, hdr);
17251 
17252 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17253 	return;
17254 
17255  nla_put_failure:
17256 	nlmsg_free(msg);
17257 }
17258 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
17259 
17260 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
17261 {
17262 	struct wiphy *wiphy = wdev->wiphy;
17263 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17264 	struct sk_buff *msg;
17265 	void *hdr;
17266 
17267 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17268 	if (!msg)
17269 		return;
17270 
17271 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
17272 	if (!hdr)
17273 		goto out;
17274 
17275 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17276 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
17277 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17278 			      NL80211_ATTR_PAD))
17279 		goto out;
17280 
17281 	genlmsg_end(msg, hdr);
17282 
17283 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
17284 				NL80211_MCGRP_MLME, GFP_KERNEL);
17285 	return;
17286  out:
17287 	nlmsg_free(msg);
17288 }
17289 
17290 int cfg80211_external_auth_request(struct net_device *dev,
17291 				   struct cfg80211_external_auth_params *params,
17292 				   gfp_t gfp)
17293 {
17294 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17295 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17296 	struct sk_buff *msg;
17297 	void *hdr;
17298 
17299 	if (!wdev->conn_owner_nlportid)
17300 		return -EINVAL;
17301 
17302 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17303 	if (!msg)
17304 		return -ENOMEM;
17305 
17306 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
17307 	if (!hdr)
17308 		goto nla_put_failure;
17309 
17310 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17311 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17312 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
17313 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
17314 			params->action) ||
17315 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
17316 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
17317 		    params->ssid.ssid))
17318 		goto nla_put_failure;
17319 
17320 	genlmsg_end(msg, hdr);
17321 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
17322 			wdev->conn_owner_nlportid);
17323 	return 0;
17324 
17325  nla_put_failure:
17326 	nlmsg_free(msg);
17327 	return -ENOBUFS;
17328 }
17329 EXPORT_SYMBOL(cfg80211_external_auth_request);
17330 
17331 void cfg80211_update_owe_info_event(struct net_device *netdev,
17332 				    struct cfg80211_update_owe_info *owe_info,
17333 				    gfp_t gfp)
17334 {
17335 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
17336 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17337 	struct sk_buff *msg;
17338 	void *hdr;
17339 
17340 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
17341 
17342 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17343 	if (!msg)
17344 		return;
17345 
17346 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
17347 	if (!hdr)
17348 		goto nla_put_failure;
17349 
17350 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17351 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17352 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
17353 		goto nla_put_failure;
17354 
17355 	if (!owe_info->ie_len ||
17356 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
17357 		goto nla_put_failure;
17358 
17359 	genlmsg_end(msg, hdr);
17360 
17361 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17362 				NL80211_MCGRP_MLME, gfp);
17363 	return;
17364 
17365 nla_put_failure:
17366 	genlmsg_cancel(msg, hdr);
17367 	nlmsg_free(msg);
17368 }
17369 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
17370 
17371 /* initialisation/exit functions */
17372 
17373 int __init nl80211_init(void)
17374 {
17375 	int err;
17376 
17377 	err = genl_register_family(&nl80211_fam);
17378 	if (err)
17379 		return err;
17380 
17381 	err = netlink_register_notifier(&nl80211_netlink_notifier);
17382 	if (err)
17383 		goto err_out;
17384 
17385 	return 0;
17386  err_out:
17387 	genl_unregister_family(&nl80211_fam);
17388 	return err;
17389 }
17390 
17391 void nl80211_exit(void)
17392 {
17393 	netlink_unregister_notifier(&nl80211_netlink_notifier);
17394 	genl_unregister_family(&nl80211_fam);
17395 }
17396