xref: /openbmc/linux/net/wireless/nl80211.c (revision ee8ec048) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2021 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	unsigned int fixedlen, hdrlen;
233 	bool s1g_bcn;
234 
235 	if (len < offsetofend(typeof(*mgmt), frame_control))
236 		goto err;
237 
238 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239 	if (s1g_bcn) {
240 		fixedlen = offsetof(struct ieee80211_ext,
241 				    u.s1g_beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243 	} else {
244 		fixedlen = offsetof(struct ieee80211_mgmt,
245 				    u.beacon.variable);
246 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247 	}
248 
249 	if (len < fixedlen)
250 		goto err;
251 
252 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253 		goto err;
254 
255 	data += fixedlen;
256 	len -= fixedlen;
257 
258 	for_each_element(elem, data, len) {
259 		/* nothing */
260 	}
261 
262 	if (for_each_element_completed(elem, data, len))
263 		return 0;
264 
265 err:
266 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267 	return -EINVAL;
268 }
269 
270 static int validate_ie_attr(const struct nlattr *attr,
271 			    struct netlink_ext_ack *extack)
272 {
273 	const u8 *data = nla_data(attr);
274 	unsigned int len = nla_len(attr);
275 	const struct element *elem;
276 
277 	for_each_element(elem, data, len) {
278 		/* nothing */
279 	}
280 
281 	if (for_each_element_completed(elem, data, len))
282 		return 0;
283 
284 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285 	return -EINVAL;
286 }
287 
288 /* policy for the attributes */
289 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
290 
291 static const struct nla_policy
292 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
293 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
294 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
295 					.len = U8_MAX },
296 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
297 					     .len = U8_MAX },
298 };
299 
300 static const struct nla_policy
301 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
302 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
303 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
304 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
305 		NLA_POLICY_MAX(NLA_U8, 15),
306 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
307 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
308 		NLA_POLICY_MAX(NLA_U8, 15),
309 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
310 		NLA_POLICY_MAX(NLA_U8, 31),
311 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
312 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
313 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
314 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
315 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
316 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
317 };
318 
319 static const struct nla_policy
320 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
321 	[NL80211_PMSR_TYPE_FTM] =
322 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
323 };
324 
325 static const struct nla_policy
326 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
327 	[NL80211_PMSR_REQ_ATTR_DATA] =
328 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
329 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
330 };
331 
332 static const struct nla_policy
333 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
334 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
335 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
336 	[NL80211_PMSR_PEER_ATTR_REQ] =
337 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
338 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
339 };
340 
341 static const struct nla_policy
342 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
343 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
344 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
345 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
346 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
347 	[NL80211_PMSR_ATTR_PEERS] =
348 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
349 };
350 
351 static const struct nla_policy
352 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
353 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
354 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
355 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
356 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
357 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
358 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
359 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
360 		NLA_POLICY_EXACT_LEN(8),
361 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
362 		NLA_POLICY_EXACT_LEN(8),
363 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
364 };
365 
366 static const struct nla_policy
367 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
368 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
369 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
370 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
371 };
372 
373 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
374 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
375 				    .len = NL80211_MAX_SUPP_RATES },
376 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
377 				.len = NL80211_MAX_SUPP_HT_RATES },
378 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
379 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
380 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
381 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
382 						   NL80211_RATE_INFO_HE_GI_0_8,
383 						   NL80211_RATE_INFO_HE_GI_3_2),
384 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
385 						   NL80211_RATE_INFO_HE_1XLTF,
386 						   NL80211_RATE_INFO_HE_4XLTF),
387 };
388 
389 static const struct nla_policy
390 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
391 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
392 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
393 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
394 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
395 	[NL80211_TID_CONFIG_ATTR_NOACK] =
396 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
397 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
398 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
399 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
400 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
401 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
402 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
403 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
404 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
405 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
406 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
407 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
408 			NLA_POLICY_NESTED(nl80211_txattr_policy),
409 };
410 
411 static const struct nla_policy
412 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
413 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
414 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
415 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
416 			NLA_POLICY_RANGE(NLA_BINARY,
417 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
418 					 IEEE80211_MAX_DATA_LEN),
419 };
420 
421 static const struct nla_policy
422 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
423 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
424 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
425 						       .len = IEEE80211_MAX_DATA_LEN }
426 };
427 
428 static const struct nla_policy
429 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
430 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
431 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
432 };
433 
434 static const struct nla_policy
435 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
436 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
437 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
438 };
439 
440 static const struct nla_policy
441 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
442 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
443 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
444 						NLA_POLICY_MIN(NLA_U8, 1),
445 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
446 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
447 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
448 };
449 
450 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
451 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
452 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
453 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
454 				      .len = 20-1 },
455 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
456 
457 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
458 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
459 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
460 						NL80211_EDMG_CHANNELS_MIN,
461 						NL80211_EDMG_CHANNELS_MAX),
462 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
463 						NL80211_EDMG_BW_CONFIG_MIN,
464 						NL80211_EDMG_BW_CONFIG_MAX),
465 
466 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
467 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
468 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
469 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
470 
471 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
472 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
473 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
474 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
475 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
476 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
477 
478 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
479 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
480 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
481 
482 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
483 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
484 
485 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
486 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
487 				    .len = WLAN_MAX_KEY_LEN },
488 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
489 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
490 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
491 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
492 	[NL80211_ATTR_KEY_TYPE] =
493 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
494 
495 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
496 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
497 	[NL80211_ATTR_BEACON_HEAD] =
498 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
499 				       IEEE80211_MAX_DATA_LEN),
500 	[NL80211_ATTR_BEACON_TAIL] =
501 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
502 				       IEEE80211_MAX_DATA_LEN),
503 	[NL80211_ATTR_STA_AID] =
504 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
505 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
506 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
507 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
508 					       .len = NL80211_MAX_SUPP_RATES },
509 	[NL80211_ATTR_STA_PLINK_ACTION] =
510 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
511 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
512 		NLA_POLICY_RANGE(NLA_U8,
513 				 NL80211_TX_POWER_AUTOMATIC,
514 				 NL80211_TX_POWER_FIXED),
515 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
516 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
517 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
518 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
519 				   .len = IEEE80211_MAX_MESH_ID_LEN },
520 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
521 
522 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
523 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
524 
525 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
526 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
527 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
528 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
529 					   .len = NL80211_MAX_SUPP_RATES },
530 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
531 
532 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
533 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
534 
535 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
536 
537 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
538 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
539 						   validate_ie_attr,
540 						   IEEE80211_MAX_DATA_LEN),
541 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
542 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
543 
544 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
545 				.len = IEEE80211_MAX_SSID_LEN },
546 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
547 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
548 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
549 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
550 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
551 						  NL80211_MFP_NO,
552 						  NL80211_MFP_OPTIONAL),
553 	[NL80211_ATTR_STA_FLAGS2] = {
554 		.len = sizeof(struct nl80211_sta_flag_update),
555 	},
556 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
557 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
558 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
559 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
560 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
561 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
562 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
563 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
564 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
565 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
566 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
567 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
568 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
569 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
570 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
571 				 .len = IEEE80211_MAX_DATA_LEN },
572 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
573 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
574 						   NL80211_PS_DISABLED,
575 						   NL80211_PS_ENABLED),
576 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
577 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
578 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
579 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
580 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
581 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
582 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
583 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
584 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
585 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
586 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
587 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
588 	[NL80211_ATTR_STA_PLINK_STATE] =
589 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
590 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
591 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
592 	[NL80211_ATTR_MESH_PEER_AID] =
593 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
594 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
595 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
596 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
597 	[NL80211_ATTR_HIDDEN_SSID] =
598 		NLA_POLICY_RANGE(NLA_U32,
599 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
600 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
601 	[NL80211_ATTR_IE_PROBE_RESP] =
602 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
603 				       IEEE80211_MAX_DATA_LEN),
604 	[NL80211_ATTR_IE_ASSOC_RESP] =
605 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
606 				       IEEE80211_MAX_DATA_LEN),
607 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
608 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
609 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
610 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
611 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
612 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
613 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
614 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
615 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
616 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
617 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
618 				      .len = IEEE80211_MAX_DATA_LEN },
619 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
620 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
621 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
622 		.len = NL80211_HT_CAPABILITY_LEN
623 	},
624 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
625 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
626 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
627 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
628 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
629 
630 	/* need to include at least Auth Transaction and Status Code */
631 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
632 
633 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
634 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
635 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
636 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
637 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
638 		NLA_POLICY_RANGE(NLA_U32,
639 				 NL80211_MESH_POWER_UNKNOWN + 1,
640 				 NL80211_MESH_POWER_MAX),
641 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
642 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
643 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
644 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
645 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
646 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
647 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
648 		.len = NL80211_VHT_CAPABILITY_LEN,
649 	},
650 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
651 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
652 				  .len = IEEE80211_MAX_DATA_LEN },
653 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
654 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
655 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
656 	[NL80211_ATTR_PEER_AID] =
657 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
658 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
659 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
660 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
661 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
662 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
663 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
664 	/*
665 	 * The value of the Length field of the Supported Operating
666 	 * Classes element is between 2 and 253.
667 	 */
668 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
669 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
670 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
671 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
672 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
673 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
674 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
675 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
676 						  IEEE80211_QOS_MAP_LEN_MIN,
677 						  IEEE80211_QOS_MAP_LEN_MAX),
678 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
679 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
680 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
681 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
682 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
683 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
684 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
685 	[NL80211_ATTR_USER_PRIO] =
686 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
687 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
688 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
689 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
690 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
691 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
692 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
693 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
694 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
695 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
696 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
697 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
698 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
699 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
700 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
701 	},
702 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
703 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
704 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
705 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
706 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
707 				    .len = FILS_MAX_KEK_LEN },
708 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
709 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
710 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
711 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
712 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
713 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
714 	},
715 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
716 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
717 					     .len = FILS_ERP_MAX_USERNAME_LEN },
718 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
719 					  .len = FILS_ERP_MAX_REALM_LEN },
720 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
721 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
722 					.len = FILS_ERP_MAX_RRK_LEN },
723 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
724 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
725 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
726 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
727 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
728 
729 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
730 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
731 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
732 	[NL80211_ATTR_HE_CAPABILITY] =
733 		NLA_POLICY_RANGE(NLA_BINARY,
734 				 NL80211_HE_MIN_CAPABILITY_LEN,
735 				 NL80211_HE_MAX_CAPABILITY_LEN),
736 	[NL80211_ATTR_FTM_RESPONDER] =
737 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
738 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
739 	[NL80211_ATTR_PEER_MEASUREMENTS] =
740 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
741 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
742 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
743 					.len = SAE_PASSWORD_MAX_LEN },
744 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
745 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
746 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
747 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
748 	[NL80211_ATTR_TID_CONFIG] =
749 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
750 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
751 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
752 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
753 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
754 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
755 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
756 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
757 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
758 	[NL80211_ATTR_FILS_DISCOVERY] =
759 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
760 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
761 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
762 	[NL80211_ATTR_S1G_CAPABILITY] =
763 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
764 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
765 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
766 	[NL80211_ATTR_SAE_PWE] =
767 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
768 				 NL80211_SAE_PWE_BOTH),
769 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
770 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
771 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
772 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
773 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
774 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
775 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
776 	[NL80211_ATTR_MBSSID_CONFIG] =
777 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
778 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
779 };
780 
781 /* policy for the key attributes */
782 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
783 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
784 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
785 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
786 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
787 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
788 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
789 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
790 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
791 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
792 };
793 
794 /* policy for the key default flags */
795 static const struct nla_policy
796 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
797 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
798 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
799 };
800 
801 #ifdef CONFIG_PM
802 /* policy for WoWLAN attributes */
803 static const struct nla_policy
804 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
805 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
806 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
807 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
808 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
809 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
810 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
811 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
812 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
813 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
814 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
815 };
816 
817 static const struct nla_policy
818 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
819 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
820 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
821 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
822 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
823 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
824 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
825 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
826 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
827 	},
828 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
829 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
830 	},
831 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
832 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
833 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
834 };
835 #endif /* CONFIG_PM */
836 
837 /* policy for coalesce rule attributes */
838 static const struct nla_policy
839 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
840 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
841 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
842 		NLA_POLICY_RANGE(NLA_U32,
843 				 NL80211_COALESCE_CONDITION_MATCH,
844 				 NL80211_COALESCE_CONDITION_NO_MATCH),
845 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
846 };
847 
848 /* policy for GTK rekey offload attributes */
849 static const struct nla_policy
850 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
851 	[NL80211_REKEY_DATA_KEK] = {
852 		.type = NLA_BINARY,
853 		.len = NL80211_KEK_EXT_LEN
854 	},
855 	[NL80211_REKEY_DATA_KCK] = {
856 		.type = NLA_BINARY,
857 		.len = NL80211_KCK_EXT_LEN
858 	},
859 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
860 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
861 };
862 
863 static const struct nla_policy
864 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
865 	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
866 	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
867 	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
868 	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
869 	[NL80211_BAND_LC]    = { .type = NLA_S32 },
870 };
871 
872 static const struct nla_policy
873 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
874 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
875 						 .len = IEEE80211_MAX_SSID_LEN },
876 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
877 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
878 	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
879 		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
880 };
881 
882 static const struct nla_policy
883 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
884 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
885 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
886 };
887 
888 static const struct nla_policy
889 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
890 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
891 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
892 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
893 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
894 	},
895 };
896 
897 /* policy for NAN function attributes */
898 static const struct nla_policy
899 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
900 	[NL80211_NAN_FUNC_TYPE] =
901 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
902 	[NL80211_NAN_FUNC_SERVICE_ID] = {
903 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
904 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
905 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
906 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
907 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
908 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
909 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
910 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
911 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
912 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
913 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
914 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
915 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
916 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
917 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
918 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
919 };
920 
921 /* policy for Service Response Filter attributes */
922 static const struct nla_policy
923 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
924 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
925 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
926 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
927 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
928 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
929 };
930 
931 /* policy for packet pattern attributes */
932 static const struct nla_policy
933 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
934 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
935 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
936 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
937 };
938 
939 int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
940 			      struct cfg80211_registered_device **rdev,
941 			      struct wireless_dev **wdev)
942 {
943 	int err;
944 
945 	if (!cb->args[0]) {
946 		struct nlattr **attrbuf;
947 
948 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
949 				  GFP_KERNEL);
950 		if (!attrbuf)
951 			return -ENOMEM;
952 
953 		err = nlmsg_parse_deprecated(cb->nlh,
954 					     GENL_HDRLEN + nl80211_fam.hdrsize,
955 					     attrbuf, nl80211_fam.maxattr,
956 					     nl80211_policy, NULL);
957 		if (err) {
958 			kfree(attrbuf);
959 			return err;
960 		}
961 
962 		rtnl_lock();
963 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
964 						   attrbuf);
965 		kfree(attrbuf);
966 		if (IS_ERR(*wdev)) {
967 			rtnl_unlock();
968 			return PTR_ERR(*wdev);
969 		}
970 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
971 		mutex_lock(&(*rdev)->wiphy.mtx);
972 		rtnl_unlock();
973 		/* 0 is the first index - add 1 to parse only once */
974 		cb->args[0] = (*rdev)->wiphy_idx + 1;
975 		cb->args[1] = (*wdev)->identifier;
976 	} else {
977 		/* subtract the 1 again here */
978 		struct wiphy *wiphy;
979 		struct wireless_dev *tmp;
980 
981 		rtnl_lock();
982 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
983 		if (!wiphy) {
984 			rtnl_unlock();
985 			return -ENODEV;
986 		}
987 		*rdev = wiphy_to_rdev(wiphy);
988 		*wdev = NULL;
989 
990 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
991 			if (tmp->identifier == cb->args[1]) {
992 				*wdev = tmp;
993 				break;
994 			}
995 		}
996 
997 		if (!*wdev) {
998 			rtnl_unlock();
999 			return -ENODEV;
1000 		}
1001 		mutex_lock(&(*rdev)->wiphy.mtx);
1002 		rtnl_unlock();
1003 	}
1004 
1005 	return 0;
1006 }
1007 
1008 /* message building helper */
1009 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1010 		     int flags, u8 cmd)
1011 {
1012 	/* since there is no private header just add the generic one */
1013 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1014 }
1015 
1016 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1017 				     const struct ieee80211_reg_rule *rule)
1018 {
1019 	int j;
1020 	struct nlattr *nl_wmm_rules =
1021 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1022 
1023 	if (!nl_wmm_rules)
1024 		goto nla_put_failure;
1025 
1026 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1027 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1028 
1029 		if (!nl_wmm_rule)
1030 			goto nla_put_failure;
1031 
1032 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1033 				rule->wmm_rule.client[j].cw_min) ||
1034 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1035 				rule->wmm_rule.client[j].cw_max) ||
1036 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1037 			       rule->wmm_rule.client[j].aifsn) ||
1038 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1039 			        rule->wmm_rule.client[j].cot))
1040 			goto nla_put_failure;
1041 
1042 		nla_nest_end(msg, nl_wmm_rule);
1043 	}
1044 	nla_nest_end(msg, nl_wmm_rules);
1045 
1046 	return 0;
1047 
1048 nla_put_failure:
1049 	return -ENOBUFS;
1050 }
1051 
1052 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1053 				   struct ieee80211_channel *chan,
1054 				   bool large)
1055 {
1056 	/* Some channels must be completely excluded from the
1057 	 * list to protect old user-space tools from breaking
1058 	 */
1059 	if (!large && chan->flags &
1060 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1061 		return 0;
1062 	if (!large && chan->freq_offset)
1063 		return 0;
1064 
1065 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1066 			chan->center_freq))
1067 		goto nla_put_failure;
1068 
1069 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1070 		goto nla_put_failure;
1071 
1072 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1073 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1074 		goto nla_put_failure;
1075 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1076 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1077 			goto nla_put_failure;
1078 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1079 			goto nla_put_failure;
1080 	}
1081 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1082 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1083 			goto nla_put_failure;
1084 		if (large) {
1085 			u32 time;
1086 
1087 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1088 
1089 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1090 					chan->dfs_state))
1091 				goto nla_put_failure;
1092 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1093 					time))
1094 				goto nla_put_failure;
1095 			if (nla_put_u32(msg,
1096 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1097 					chan->dfs_cac_ms))
1098 				goto nla_put_failure;
1099 		}
1100 	}
1101 
1102 	if (large) {
1103 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1104 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1105 			goto nla_put_failure;
1106 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1107 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1108 			goto nla_put_failure;
1109 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1110 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1111 			goto nla_put_failure;
1112 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1113 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1114 			goto nla_put_failure;
1115 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1116 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1117 			goto nla_put_failure;
1118 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1119 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1120 			goto nla_put_failure;
1121 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1122 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1123 			goto nla_put_failure;
1124 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1125 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1126 			goto nla_put_failure;
1127 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1128 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1129 			goto nla_put_failure;
1130 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1131 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1132 			goto nla_put_failure;
1133 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1134 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1135 			goto nla_put_failure;
1136 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1137 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1138 			goto nla_put_failure;
1139 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1140 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1141 			goto nla_put_failure;
1142 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1143 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1144 			goto nla_put_failure;
1145 	}
1146 
1147 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1148 			DBM_TO_MBM(chan->max_power)))
1149 		goto nla_put_failure;
1150 
1151 	if (large) {
1152 		const struct ieee80211_reg_rule *rule =
1153 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1154 
1155 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1156 			if (nl80211_msg_put_wmm_rules(msg, rule))
1157 				goto nla_put_failure;
1158 		}
1159 	}
1160 
1161 	return 0;
1162 
1163  nla_put_failure:
1164 	return -ENOBUFS;
1165 }
1166 
1167 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1168 				  struct cfg80211_txq_stats *txqstats,
1169 				  int attrtype)
1170 {
1171 	struct nlattr *txqattr;
1172 
1173 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1174 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1175 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1176 		return false;						  \
1177 	} while (0)
1178 
1179 	txqattr = nla_nest_start_noflag(msg, attrtype);
1180 	if (!txqattr)
1181 		return false;
1182 
1183 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1184 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1185 	PUT_TXQVAL_U32(FLOWS, flows);
1186 	PUT_TXQVAL_U32(DROPS, drops);
1187 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1188 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1189 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1190 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1191 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1192 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1193 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1194 	nla_nest_end(msg, txqattr);
1195 
1196 #undef PUT_TXQVAL_U32
1197 	return true;
1198 }
1199 
1200 /* netlink command implementations */
1201 
1202 struct key_parse {
1203 	struct key_params p;
1204 	int idx;
1205 	int type;
1206 	bool def, defmgmt, defbeacon;
1207 	bool def_uni, def_multi;
1208 };
1209 
1210 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1211 				 struct key_parse *k)
1212 {
1213 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1214 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1215 					      nl80211_key_policy,
1216 					      info->extack);
1217 	if (err)
1218 		return err;
1219 
1220 	k->def = !!tb[NL80211_KEY_DEFAULT];
1221 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1222 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1223 
1224 	if (k->def) {
1225 		k->def_uni = true;
1226 		k->def_multi = true;
1227 	}
1228 	if (k->defmgmt || k->defbeacon)
1229 		k->def_multi = true;
1230 
1231 	if (tb[NL80211_KEY_IDX])
1232 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1233 
1234 	if (tb[NL80211_KEY_DATA]) {
1235 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1236 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1237 	}
1238 
1239 	if (tb[NL80211_KEY_SEQ]) {
1240 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1241 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1242 	}
1243 
1244 	if (tb[NL80211_KEY_CIPHER])
1245 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1246 
1247 	if (tb[NL80211_KEY_TYPE])
1248 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1249 
1250 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1251 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1252 
1253 		err = nla_parse_nested_deprecated(kdt,
1254 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1255 						  tb[NL80211_KEY_DEFAULT_TYPES],
1256 						  nl80211_key_default_policy,
1257 						  info->extack);
1258 		if (err)
1259 			return err;
1260 
1261 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1262 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1263 	}
1264 
1265 	if (tb[NL80211_KEY_MODE])
1266 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1267 
1268 	return 0;
1269 }
1270 
1271 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1272 {
1273 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1274 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1275 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1276 	}
1277 
1278 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1279 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1280 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1281 	}
1282 
1283 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1284 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1285 
1286 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1287 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1288 
1289 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1290 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1291 
1292 	if (k->def) {
1293 		k->def_uni = true;
1294 		k->def_multi = true;
1295 	}
1296 	if (k->defmgmt)
1297 		k->def_multi = true;
1298 
1299 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1300 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1301 
1302 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1303 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1304 		int err = nla_parse_nested_deprecated(kdt,
1305 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1306 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1307 						      nl80211_key_default_policy,
1308 						      info->extack);
1309 		if (err)
1310 			return err;
1311 
1312 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1313 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1314 	}
1315 
1316 	return 0;
1317 }
1318 
1319 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1320 {
1321 	int err;
1322 
1323 	memset(k, 0, sizeof(*k));
1324 	k->idx = -1;
1325 	k->type = -1;
1326 
1327 	if (info->attrs[NL80211_ATTR_KEY])
1328 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1329 	else
1330 		err = nl80211_parse_key_old(info, k);
1331 
1332 	if (err)
1333 		return err;
1334 
1335 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1336 	    (k->defbeacon ? 1 : 0) > 1) {
1337 		GENL_SET_ERR_MSG(info,
1338 				 "key with multiple default flags is invalid");
1339 		return -EINVAL;
1340 	}
1341 
1342 	if (k->defmgmt || k->defbeacon) {
1343 		if (k->def_uni || !k->def_multi) {
1344 			GENL_SET_ERR_MSG(info,
1345 					 "defmgmt/defbeacon key must be mcast");
1346 			return -EINVAL;
1347 		}
1348 	}
1349 
1350 	if (k->idx != -1) {
1351 		if (k->defmgmt) {
1352 			if (k->idx < 4 || k->idx > 5) {
1353 				GENL_SET_ERR_MSG(info,
1354 						 "defmgmt key idx not 4 or 5");
1355 				return -EINVAL;
1356 			}
1357 		} else if (k->defbeacon) {
1358 			if (k->idx < 6 || k->idx > 7) {
1359 				GENL_SET_ERR_MSG(info,
1360 						 "defbeacon key idx not 6 or 7");
1361 				return -EINVAL;
1362 			}
1363 		} else if (k->def) {
1364 			if (k->idx < 0 || k->idx > 3) {
1365 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1366 				return -EINVAL;
1367 			}
1368 		} else {
1369 			if (k->idx < 0 || k->idx > 7) {
1370 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1371 				return -EINVAL;
1372 			}
1373 		}
1374 	}
1375 
1376 	return 0;
1377 }
1378 
1379 static struct cfg80211_cached_keys *
1380 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1381 		       struct genl_info *info, bool *no_ht)
1382 {
1383 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1384 	struct key_parse parse;
1385 	struct nlattr *key;
1386 	struct cfg80211_cached_keys *result;
1387 	int rem, err, def = 0;
1388 	bool have_key = false;
1389 
1390 	nla_for_each_nested(key, keys, rem) {
1391 		have_key = true;
1392 		break;
1393 	}
1394 
1395 	if (!have_key)
1396 		return NULL;
1397 
1398 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1399 	if (!result)
1400 		return ERR_PTR(-ENOMEM);
1401 
1402 	result->def = -1;
1403 
1404 	nla_for_each_nested(key, keys, rem) {
1405 		memset(&parse, 0, sizeof(parse));
1406 		parse.idx = -1;
1407 
1408 		err = nl80211_parse_key_new(info, key, &parse);
1409 		if (err)
1410 			goto error;
1411 		err = -EINVAL;
1412 		if (!parse.p.key)
1413 			goto error;
1414 		if (parse.idx < 0 || parse.idx > 3) {
1415 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1416 			goto error;
1417 		}
1418 		if (parse.def) {
1419 			if (def) {
1420 				GENL_SET_ERR_MSG(info,
1421 						 "only one key can be default");
1422 				goto error;
1423 			}
1424 			def = 1;
1425 			result->def = parse.idx;
1426 			if (!parse.def_uni || !parse.def_multi)
1427 				goto error;
1428 		} else if (parse.defmgmt)
1429 			goto error;
1430 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1431 						     parse.idx, false, NULL);
1432 		if (err)
1433 			goto error;
1434 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1435 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1436 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1437 			err = -EINVAL;
1438 			goto error;
1439 		}
1440 		result->params[parse.idx].cipher = parse.p.cipher;
1441 		result->params[parse.idx].key_len = parse.p.key_len;
1442 		result->params[parse.idx].key = result->data[parse.idx];
1443 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1444 
1445 		/* must be WEP key if we got here */
1446 		if (no_ht)
1447 			*no_ht = true;
1448 	}
1449 
1450 	if (result->def < 0) {
1451 		err = -EINVAL;
1452 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1453 		goto error;
1454 	}
1455 
1456 	return result;
1457  error:
1458 	kfree(result);
1459 	return ERR_PTR(err);
1460 }
1461 
1462 static int nl80211_key_allowed(struct wireless_dev *wdev)
1463 {
1464 	ASSERT_WDEV_LOCK(wdev);
1465 
1466 	switch (wdev->iftype) {
1467 	case NL80211_IFTYPE_AP:
1468 	case NL80211_IFTYPE_AP_VLAN:
1469 	case NL80211_IFTYPE_P2P_GO:
1470 	case NL80211_IFTYPE_MESH_POINT:
1471 		break;
1472 	case NL80211_IFTYPE_ADHOC:
1473 	case NL80211_IFTYPE_STATION:
1474 	case NL80211_IFTYPE_P2P_CLIENT:
1475 		if (!wdev->current_bss)
1476 			return -ENOLINK;
1477 		break;
1478 	case NL80211_IFTYPE_UNSPECIFIED:
1479 	case NL80211_IFTYPE_OCB:
1480 	case NL80211_IFTYPE_MONITOR:
1481 	case NL80211_IFTYPE_NAN:
1482 	case NL80211_IFTYPE_P2P_DEVICE:
1483 	case NL80211_IFTYPE_WDS:
1484 	case NUM_NL80211_IFTYPES:
1485 		return -EINVAL;
1486 	}
1487 
1488 	return 0;
1489 }
1490 
1491 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1492 							u32 freq)
1493 {
1494 	struct ieee80211_channel *chan;
1495 
1496 	chan = ieee80211_get_channel_khz(wiphy, freq);
1497 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1498 		return NULL;
1499 	return chan;
1500 }
1501 
1502 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1503 {
1504 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1505 	int i;
1506 
1507 	if (!nl_modes)
1508 		goto nla_put_failure;
1509 
1510 	i = 0;
1511 	while (ifmodes) {
1512 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1513 			goto nla_put_failure;
1514 		ifmodes >>= 1;
1515 		i++;
1516 	}
1517 
1518 	nla_nest_end(msg, nl_modes);
1519 	return 0;
1520 
1521 nla_put_failure:
1522 	return -ENOBUFS;
1523 }
1524 
1525 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1526 					  struct sk_buff *msg,
1527 					  bool large)
1528 {
1529 	struct nlattr *nl_combis;
1530 	int i, j;
1531 
1532 	nl_combis = nla_nest_start_noflag(msg,
1533 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1534 	if (!nl_combis)
1535 		goto nla_put_failure;
1536 
1537 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1538 		const struct ieee80211_iface_combination *c;
1539 		struct nlattr *nl_combi, *nl_limits;
1540 
1541 		c = &wiphy->iface_combinations[i];
1542 
1543 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1544 		if (!nl_combi)
1545 			goto nla_put_failure;
1546 
1547 		nl_limits = nla_nest_start_noflag(msg,
1548 						  NL80211_IFACE_COMB_LIMITS);
1549 		if (!nl_limits)
1550 			goto nla_put_failure;
1551 
1552 		for (j = 0; j < c->n_limits; j++) {
1553 			struct nlattr *nl_limit;
1554 
1555 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1556 			if (!nl_limit)
1557 				goto nla_put_failure;
1558 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1559 					c->limits[j].max))
1560 				goto nla_put_failure;
1561 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1562 						c->limits[j].types))
1563 				goto nla_put_failure;
1564 			nla_nest_end(msg, nl_limit);
1565 		}
1566 
1567 		nla_nest_end(msg, nl_limits);
1568 
1569 		if (c->beacon_int_infra_match &&
1570 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1571 			goto nla_put_failure;
1572 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1573 				c->num_different_channels) ||
1574 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1575 				c->max_interfaces))
1576 			goto nla_put_failure;
1577 		if (large &&
1578 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1579 				c->radar_detect_widths) ||
1580 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1581 				c->radar_detect_regions)))
1582 			goto nla_put_failure;
1583 		if (c->beacon_int_min_gcd &&
1584 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1585 				c->beacon_int_min_gcd))
1586 			goto nla_put_failure;
1587 
1588 		nla_nest_end(msg, nl_combi);
1589 	}
1590 
1591 	nla_nest_end(msg, nl_combis);
1592 
1593 	return 0;
1594 nla_put_failure:
1595 	return -ENOBUFS;
1596 }
1597 
1598 #ifdef CONFIG_PM
1599 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1600 					struct sk_buff *msg)
1601 {
1602 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1603 	struct nlattr *nl_tcp;
1604 
1605 	if (!tcp)
1606 		return 0;
1607 
1608 	nl_tcp = nla_nest_start_noflag(msg,
1609 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1610 	if (!nl_tcp)
1611 		return -ENOBUFS;
1612 
1613 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1614 			tcp->data_payload_max))
1615 		return -ENOBUFS;
1616 
1617 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1618 			tcp->data_payload_max))
1619 		return -ENOBUFS;
1620 
1621 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1622 		return -ENOBUFS;
1623 
1624 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1625 				sizeof(*tcp->tok), tcp->tok))
1626 		return -ENOBUFS;
1627 
1628 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1629 			tcp->data_interval_max))
1630 		return -ENOBUFS;
1631 
1632 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1633 			tcp->wake_payload_max))
1634 		return -ENOBUFS;
1635 
1636 	nla_nest_end(msg, nl_tcp);
1637 	return 0;
1638 }
1639 
1640 static int nl80211_send_wowlan(struct sk_buff *msg,
1641 			       struct cfg80211_registered_device *rdev,
1642 			       bool large)
1643 {
1644 	struct nlattr *nl_wowlan;
1645 
1646 	if (!rdev->wiphy.wowlan)
1647 		return 0;
1648 
1649 	nl_wowlan = nla_nest_start_noflag(msg,
1650 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1651 	if (!nl_wowlan)
1652 		return -ENOBUFS;
1653 
1654 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1655 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1656 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1657 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1658 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1659 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1660 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1661 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1662 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1663 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1664 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1665 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1666 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1667 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1668 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1669 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1670 		return -ENOBUFS;
1671 
1672 	if (rdev->wiphy.wowlan->n_patterns) {
1673 		struct nl80211_pattern_support pat = {
1674 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1675 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1676 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1677 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1678 		};
1679 
1680 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1681 			    sizeof(pat), &pat))
1682 			return -ENOBUFS;
1683 	}
1684 
1685 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1686 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1687 			rdev->wiphy.wowlan->max_nd_match_sets))
1688 		return -ENOBUFS;
1689 
1690 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1691 		return -ENOBUFS;
1692 
1693 	nla_nest_end(msg, nl_wowlan);
1694 
1695 	return 0;
1696 }
1697 #endif
1698 
1699 static int nl80211_send_coalesce(struct sk_buff *msg,
1700 				 struct cfg80211_registered_device *rdev)
1701 {
1702 	struct nl80211_coalesce_rule_support rule;
1703 
1704 	if (!rdev->wiphy.coalesce)
1705 		return 0;
1706 
1707 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1708 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1709 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1710 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1711 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1712 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1713 
1714 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1715 		return -ENOBUFS;
1716 
1717 	return 0;
1718 }
1719 
1720 static int
1721 nl80211_send_iftype_data(struct sk_buff *msg,
1722 			 const struct ieee80211_supported_band *sband,
1723 			 const struct ieee80211_sband_iftype_data *iftdata)
1724 {
1725 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1726 
1727 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1728 				iftdata->types_mask))
1729 		return -ENOBUFS;
1730 
1731 	if (he_cap->has_he) {
1732 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1733 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1734 			    he_cap->he_cap_elem.mac_cap_info) ||
1735 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1736 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1737 			    he_cap->he_cap_elem.phy_cap_info) ||
1738 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1739 			    sizeof(he_cap->he_mcs_nss_supp),
1740 			    &he_cap->he_mcs_nss_supp) ||
1741 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1742 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1743 			return -ENOBUFS;
1744 	}
1745 
1746 	if (sband->band == NL80211_BAND_6GHZ &&
1747 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1748 		    sizeof(iftdata->he_6ghz_capa),
1749 		    &iftdata->he_6ghz_capa))
1750 		return -ENOBUFS;
1751 
1752 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1753 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1754 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1755 		return -ENOBUFS;
1756 
1757 	return 0;
1758 }
1759 
1760 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1761 				      struct ieee80211_supported_band *sband,
1762 				      bool large)
1763 {
1764 	struct nlattr *nl_rates, *nl_rate;
1765 	struct ieee80211_rate *rate;
1766 	int i;
1767 
1768 	/* add HT info */
1769 	if (sband->ht_cap.ht_supported &&
1770 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1771 		     sizeof(sband->ht_cap.mcs),
1772 		     &sband->ht_cap.mcs) ||
1773 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1774 			 sband->ht_cap.cap) ||
1775 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1776 			sband->ht_cap.ampdu_factor) ||
1777 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1778 			sband->ht_cap.ampdu_density)))
1779 		return -ENOBUFS;
1780 
1781 	/* add VHT info */
1782 	if (sband->vht_cap.vht_supported &&
1783 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1784 		     sizeof(sband->vht_cap.vht_mcs),
1785 		     &sband->vht_cap.vht_mcs) ||
1786 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1787 			 sband->vht_cap.cap)))
1788 		return -ENOBUFS;
1789 
1790 	if (large && sband->n_iftype_data) {
1791 		struct nlattr *nl_iftype_data =
1792 			nla_nest_start_noflag(msg,
1793 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1794 		int err;
1795 
1796 		if (!nl_iftype_data)
1797 			return -ENOBUFS;
1798 
1799 		for (i = 0; i < sband->n_iftype_data; i++) {
1800 			struct nlattr *iftdata;
1801 
1802 			iftdata = nla_nest_start_noflag(msg, i + 1);
1803 			if (!iftdata)
1804 				return -ENOBUFS;
1805 
1806 			err = nl80211_send_iftype_data(msg, sband,
1807 						       &sband->iftype_data[i]);
1808 			if (err)
1809 				return err;
1810 
1811 			nla_nest_end(msg, iftdata);
1812 		}
1813 
1814 		nla_nest_end(msg, nl_iftype_data);
1815 	}
1816 
1817 	/* add EDMG info */
1818 	if (large && sband->edmg_cap.channels &&
1819 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1820 		       sband->edmg_cap.channels) ||
1821 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1822 		       sband->edmg_cap.bw_config)))
1823 
1824 		return -ENOBUFS;
1825 
1826 	/* add bitrates */
1827 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1828 	if (!nl_rates)
1829 		return -ENOBUFS;
1830 
1831 	for (i = 0; i < sband->n_bitrates; i++) {
1832 		nl_rate = nla_nest_start_noflag(msg, i);
1833 		if (!nl_rate)
1834 			return -ENOBUFS;
1835 
1836 		rate = &sband->bitrates[i];
1837 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1838 				rate->bitrate))
1839 			return -ENOBUFS;
1840 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1841 		    nla_put_flag(msg,
1842 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1843 			return -ENOBUFS;
1844 
1845 		nla_nest_end(msg, nl_rate);
1846 	}
1847 
1848 	nla_nest_end(msg, nl_rates);
1849 
1850 	return 0;
1851 }
1852 
1853 static int
1854 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1855 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1856 {
1857 	u16 stypes;
1858 	struct nlattr *nl_ftypes, *nl_ifs;
1859 	enum nl80211_iftype ift;
1860 	int i;
1861 
1862 	if (!mgmt_stypes)
1863 		return 0;
1864 
1865 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1866 	if (!nl_ifs)
1867 		return -ENOBUFS;
1868 
1869 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1870 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1871 		if (!nl_ftypes)
1872 			return -ENOBUFS;
1873 		i = 0;
1874 		stypes = mgmt_stypes[ift].tx;
1875 		while (stypes) {
1876 			if ((stypes & 1) &&
1877 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1878 					(i << 4) | IEEE80211_FTYPE_MGMT))
1879 				return -ENOBUFS;
1880 			stypes >>= 1;
1881 			i++;
1882 		}
1883 		nla_nest_end(msg, nl_ftypes);
1884 	}
1885 
1886 	nla_nest_end(msg, nl_ifs);
1887 
1888 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
1889 	if (!nl_ifs)
1890 		return -ENOBUFS;
1891 
1892 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1893 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1894 		if (!nl_ftypes)
1895 			return -ENOBUFS;
1896 		i = 0;
1897 		stypes = mgmt_stypes[ift].rx;
1898 		while (stypes) {
1899 			if ((stypes & 1) &&
1900 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1901 					(i << 4) | IEEE80211_FTYPE_MGMT))
1902 				return -ENOBUFS;
1903 			stypes >>= 1;
1904 			i++;
1905 		}
1906 		nla_nest_end(msg, nl_ftypes);
1907 	}
1908 	nla_nest_end(msg, nl_ifs);
1909 
1910 	return 0;
1911 }
1912 
1913 #define CMD(op, n)							\
1914 	 do {								\
1915 		if (rdev->ops->op) {					\
1916 			i++;						\
1917 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
1918 				goto nla_put_failure;			\
1919 		}							\
1920 	} while (0)
1921 
1922 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
1923 					struct sk_buff *msg)
1924 {
1925 	int i = 0;
1926 
1927 	/*
1928 	 * do *NOT* add anything into this function, new things need to be
1929 	 * advertised only to new versions of userspace that can deal with
1930 	 * the split (and they can't possibly care about new features...
1931 	 */
1932 	CMD(add_virtual_intf, NEW_INTERFACE);
1933 	CMD(change_virtual_intf, SET_INTERFACE);
1934 	CMD(add_key, NEW_KEY);
1935 	CMD(start_ap, START_AP);
1936 	CMD(add_station, NEW_STATION);
1937 	CMD(add_mpath, NEW_MPATH);
1938 	CMD(update_mesh_config, SET_MESH_CONFIG);
1939 	CMD(change_bss, SET_BSS);
1940 	CMD(auth, AUTHENTICATE);
1941 	CMD(assoc, ASSOCIATE);
1942 	CMD(deauth, DEAUTHENTICATE);
1943 	CMD(disassoc, DISASSOCIATE);
1944 	CMD(join_ibss, JOIN_IBSS);
1945 	CMD(join_mesh, JOIN_MESH);
1946 	CMD(set_pmksa, SET_PMKSA);
1947 	CMD(del_pmksa, DEL_PMKSA);
1948 	CMD(flush_pmksa, FLUSH_PMKSA);
1949 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1950 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1951 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1952 	CMD(mgmt_tx, FRAME);
1953 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1954 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1955 		i++;
1956 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1957 			goto nla_put_failure;
1958 	}
1959 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1960 	    rdev->ops->join_mesh) {
1961 		i++;
1962 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1963 			goto nla_put_failure;
1964 	}
1965 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1966 		CMD(tdls_mgmt, TDLS_MGMT);
1967 		CMD(tdls_oper, TDLS_OPER);
1968 	}
1969 	if (rdev->wiphy.max_sched_scan_reqs)
1970 		CMD(sched_scan_start, START_SCHED_SCAN);
1971 	CMD(probe_client, PROBE_CLIENT);
1972 	CMD(set_noack_map, SET_NOACK_MAP);
1973 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1974 		i++;
1975 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1976 			goto nla_put_failure;
1977 	}
1978 	CMD(start_p2p_device, START_P2P_DEVICE);
1979 	CMD(set_mcast_rate, SET_MCAST_RATE);
1980 #ifdef CONFIG_NL80211_TESTMODE
1981 	CMD(testmode_cmd, TESTMODE);
1982 #endif
1983 
1984 	if (rdev->ops->connect || rdev->ops->auth) {
1985 		i++;
1986 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1987 			goto nla_put_failure;
1988 	}
1989 
1990 	if (rdev->ops->disconnect || rdev->ops->deauth) {
1991 		i++;
1992 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1993 			goto nla_put_failure;
1994 	}
1995 
1996 	return i;
1997  nla_put_failure:
1998 	return -ENOBUFS;
1999 }
2000 
2001 static int
2002 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2003 			   struct sk_buff *msg)
2004 {
2005 	struct nlattr *ftm;
2006 
2007 	if (!cap->ftm.supported)
2008 		return 0;
2009 
2010 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2011 	if (!ftm)
2012 		return -ENOBUFS;
2013 
2014 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2015 		return -ENOBUFS;
2016 	if (cap->ftm.non_asap &&
2017 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2018 		return -ENOBUFS;
2019 	if (cap->ftm.request_lci &&
2020 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2021 		return -ENOBUFS;
2022 	if (cap->ftm.request_civicloc &&
2023 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2024 		return -ENOBUFS;
2025 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2026 			cap->ftm.preambles))
2027 		return -ENOBUFS;
2028 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2029 			cap->ftm.bandwidths))
2030 		return -ENOBUFS;
2031 	if (cap->ftm.max_bursts_exponent >= 0 &&
2032 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2033 			cap->ftm.max_bursts_exponent))
2034 		return -ENOBUFS;
2035 	if (cap->ftm.max_ftms_per_burst &&
2036 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2037 			cap->ftm.max_ftms_per_burst))
2038 		return -ENOBUFS;
2039 	if (cap->ftm.trigger_based &&
2040 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2041 		return -ENOBUFS;
2042 	if (cap->ftm.non_trigger_based &&
2043 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2044 		return -ENOBUFS;
2045 
2046 	nla_nest_end(msg, ftm);
2047 	return 0;
2048 }
2049 
2050 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2051 				  struct sk_buff *msg)
2052 {
2053 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2054 	struct nlattr *pmsr, *caps;
2055 
2056 	if (!cap)
2057 		return 0;
2058 
2059 	/*
2060 	 * we don't need to clean up anything here since the caller
2061 	 * will genlmsg_cancel() if we fail
2062 	 */
2063 
2064 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2065 	if (!pmsr)
2066 		return -ENOBUFS;
2067 
2068 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2069 		return -ENOBUFS;
2070 
2071 	if (cap->report_ap_tsf &&
2072 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2073 		return -ENOBUFS;
2074 
2075 	if (cap->randomize_mac_addr &&
2076 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2077 		return -ENOBUFS;
2078 
2079 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2080 	if (!caps)
2081 		return -ENOBUFS;
2082 
2083 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2084 		return -ENOBUFS;
2085 
2086 	nla_nest_end(msg, caps);
2087 	nla_nest_end(msg, pmsr);
2088 
2089 	return 0;
2090 }
2091 
2092 static int
2093 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2094 			      struct sk_buff *msg)
2095 {
2096 	int i;
2097 	struct nlattr *nested, *nested_akms;
2098 	const struct wiphy_iftype_akm_suites *iftype_akms;
2099 
2100 	if (!rdev->wiphy.num_iftype_akm_suites ||
2101 	    !rdev->wiphy.iftype_akm_suites)
2102 		return 0;
2103 
2104 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2105 	if (!nested)
2106 		return -ENOBUFS;
2107 
2108 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2109 		nested_akms = nla_nest_start(msg, i + 1);
2110 		if (!nested_akms)
2111 			return -ENOBUFS;
2112 
2113 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2114 
2115 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2116 					iftype_akms->iftypes_mask))
2117 			return -ENOBUFS;
2118 
2119 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2120 			    sizeof(u32) * iftype_akms->n_akm_suites,
2121 			    iftype_akms->akm_suites)) {
2122 			return -ENOBUFS;
2123 		}
2124 		nla_nest_end(msg, nested_akms);
2125 	}
2126 
2127 	nla_nest_end(msg, nested);
2128 
2129 	return 0;
2130 }
2131 
2132 static int
2133 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2134 			       struct sk_buff *msg)
2135 {
2136 	struct nlattr *supp;
2137 
2138 	if (!rdev->wiphy.tid_config_support.vif &&
2139 	    !rdev->wiphy.tid_config_support.peer)
2140 		return 0;
2141 
2142 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2143 	if (!supp)
2144 		return -ENOSPC;
2145 
2146 	if (rdev->wiphy.tid_config_support.vif &&
2147 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2148 			      rdev->wiphy.tid_config_support.vif,
2149 			      NL80211_TID_CONFIG_ATTR_PAD))
2150 		goto fail;
2151 
2152 	if (rdev->wiphy.tid_config_support.peer &&
2153 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2154 			      rdev->wiphy.tid_config_support.peer,
2155 			      NL80211_TID_CONFIG_ATTR_PAD))
2156 		goto fail;
2157 
2158 	/* for now we just use the same value ... makes more sense */
2159 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2160 		       rdev->wiphy.tid_config_support.max_retry))
2161 		goto fail;
2162 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2163 		       rdev->wiphy.tid_config_support.max_retry))
2164 		goto fail;
2165 
2166 	nla_nest_end(msg, supp);
2167 
2168 	return 0;
2169 fail:
2170 	nla_nest_cancel(msg, supp);
2171 	return -ENOBUFS;
2172 }
2173 
2174 static int
2175 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2176 		      struct sk_buff *msg)
2177 {
2178 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2179 	u8 num_freq_ranges;
2180 	int i;
2181 
2182 	if (!rdev->wiphy.sar_capa)
2183 		return 0;
2184 
2185 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2186 
2187 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2188 	if (!sar_capa)
2189 		return -ENOSPC;
2190 
2191 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2192 		goto fail;
2193 
2194 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2195 	if (!specs)
2196 		goto fail;
2197 
2198 	/* report supported freq_ranges */
2199 	for (i = 0; i < num_freq_ranges; i++) {
2200 		sub_freq_range = nla_nest_start(msg, i + 1);
2201 		if (!sub_freq_range)
2202 			goto fail;
2203 
2204 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2205 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2206 			goto fail;
2207 
2208 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2209 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2210 			goto fail;
2211 
2212 		nla_nest_end(msg, sub_freq_range);
2213 	}
2214 
2215 	nla_nest_end(msg, specs);
2216 	nla_nest_end(msg, sar_capa);
2217 
2218 	return 0;
2219 fail:
2220 	nla_nest_cancel(msg, sar_capa);
2221 	return -ENOBUFS;
2222 }
2223 
2224 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2225 {
2226 	struct nlattr *config;
2227 
2228 	if (!wiphy->mbssid_max_interfaces)
2229 		return 0;
2230 
2231 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2232 	if (!config)
2233 		return -ENOBUFS;
2234 
2235 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2236 		       wiphy->mbssid_max_interfaces))
2237 		goto fail;
2238 
2239 	if (wiphy->ema_max_profile_periodicity &&
2240 	    nla_put_u8(msg,
2241 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2242 		       wiphy->ema_max_profile_periodicity))
2243 		goto fail;
2244 
2245 	nla_nest_end(msg, config);
2246 	return 0;
2247 
2248 fail:
2249 	nla_nest_cancel(msg, config);
2250 	return -ENOBUFS;
2251 }
2252 
2253 struct nl80211_dump_wiphy_state {
2254 	s64 filter_wiphy;
2255 	long start;
2256 	long split_start, band_start, chan_start, capa_start;
2257 	bool split;
2258 };
2259 
2260 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2261 			      enum nl80211_commands cmd,
2262 			      struct sk_buff *msg, u32 portid, u32 seq,
2263 			      int flags, struct nl80211_dump_wiphy_state *state)
2264 {
2265 	void *hdr;
2266 	struct nlattr *nl_bands, *nl_band;
2267 	struct nlattr *nl_freqs, *nl_freq;
2268 	struct nlattr *nl_cmds;
2269 	enum nl80211_band band;
2270 	struct ieee80211_channel *chan;
2271 	int i;
2272 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2273 				rdev->wiphy.mgmt_stypes;
2274 	u32 features;
2275 
2276 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2277 	if (!hdr)
2278 		return -ENOBUFS;
2279 
2280 	if (WARN_ON(!state))
2281 		return -EINVAL;
2282 
2283 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2284 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2285 			   wiphy_name(&rdev->wiphy)) ||
2286 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2287 			cfg80211_rdev_list_generation))
2288 		goto nla_put_failure;
2289 
2290 	if (cmd != NL80211_CMD_NEW_WIPHY)
2291 		goto finish;
2292 
2293 	switch (state->split_start) {
2294 	case 0:
2295 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2296 			       rdev->wiphy.retry_short) ||
2297 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2298 			       rdev->wiphy.retry_long) ||
2299 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2300 				rdev->wiphy.frag_threshold) ||
2301 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2302 				rdev->wiphy.rts_threshold) ||
2303 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2304 			       rdev->wiphy.coverage_class) ||
2305 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2306 			       rdev->wiphy.max_scan_ssids) ||
2307 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2308 			       rdev->wiphy.max_sched_scan_ssids) ||
2309 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2310 				rdev->wiphy.max_scan_ie_len) ||
2311 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2312 				rdev->wiphy.max_sched_scan_ie_len) ||
2313 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2314 			       rdev->wiphy.max_match_sets))
2315 			goto nla_put_failure;
2316 
2317 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2318 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2319 			goto nla_put_failure;
2320 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2321 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2322 			goto nla_put_failure;
2323 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2324 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2325 			goto nla_put_failure;
2326 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2327 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2328 			goto nla_put_failure;
2329 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2330 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2331 			goto nla_put_failure;
2332 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2333 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2334 			goto nla_put_failure;
2335 		state->split_start++;
2336 		if (state->split)
2337 			break;
2338 		fallthrough;
2339 	case 1:
2340 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2341 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2342 			    rdev->wiphy.cipher_suites))
2343 			goto nla_put_failure;
2344 
2345 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2346 			       rdev->wiphy.max_num_pmkids))
2347 			goto nla_put_failure;
2348 
2349 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2350 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2351 			goto nla_put_failure;
2352 
2353 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2354 				rdev->wiphy.available_antennas_tx) ||
2355 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2356 				rdev->wiphy.available_antennas_rx))
2357 			goto nla_put_failure;
2358 
2359 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2360 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2361 				rdev->wiphy.probe_resp_offload))
2362 			goto nla_put_failure;
2363 
2364 		if ((rdev->wiphy.available_antennas_tx ||
2365 		     rdev->wiphy.available_antennas_rx) &&
2366 		    rdev->ops->get_antenna) {
2367 			u32 tx_ant = 0, rx_ant = 0;
2368 			int res;
2369 
2370 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2371 			if (!res) {
2372 				if (nla_put_u32(msg,
2373 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2374 						tx_ant) ||
2375 				    nla_put_u32(msg,
2376 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2377 						rx_ant))
2378 					goto nla_put_failure;
2379 			}
2380 		}
2381 
2382 		state->split_start++;
2383 		if (state->split)
2384 			break;
2385 		fallthrough;
2386 	case 2:
2387 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2388 					rdev->wiphy.interface_modes))
2389 				goto nla_put_failure;
2390 		state->split_start++;
2391 		if (state->split)
2392 			break;
2393 		fallthrough;
2394 	case 3:
2395 		nl_bands = nla_nest_start_noflag(msg,
2396 						 NL80211_ATTR_WIPHY_BANDS);
2397 		if (!nl_bands)
2398 			goto nla_put_failure;
2399 
2400 		for (band = state->band_start;
2401 		     band < (state->split ?
2402 				NUM_NL80211_BANDS :
2403 				NL80211_BAND_60GHZ + 1);
2404 		     band++) {
2405 			struct ieee80211_supported_band *sband;
2406 
2407 			/* omit higher bands for ancient software */
2408 			if (band > NL80211_BAND_5GHZ && !state->split)
2409 				break;
2410 
2411 			sband = rdev->wiphy.bands[band];
2412 
2413 			if (!sband)
2414 				continue;
2415 
2416 			nl_band = nla_nest_start_noflag(msg, band);
2417 			if (!nl_band)
2418 				goto nla_put_failure;
2419 
2420 			switch (state->chan_start) {
2421 			case 0:
2422 				if (nl80211_send_band_rateinfo(msg, sband,
2423 							       state->split))
2424 					goto nla_put_failure;
2425 				state->chan_start++;
2426 				if (state->split)
2427 					break;
2428 				fallthrough;
2429 			default:
2430 				/* add frequencies */
2431 				nl_freqs = nla_nest_start_noflag(msg,
2432 								 NL80211_BAND_ATTR_FREQS);
2433 				if (!nl_freqs)
2434 					goto nla_put_failure;
2435 
2436 				for (i = state->chan_start - 1;
2437 				     i < sband->n_channels;
2438 				     i++) {
2439 					nl_freq = nla_nest_start_noflag(msg,
2440 									i);
2441 					if (!nl_freq)
2442 						goto nla_put_failure;
2443 
2444 					chan = &sband->channels[i];
2445 
2446 					if (nl80211_msg_put_channel(
2447 							msg, &rdev->wiphy, chan,
2448 							state->split))
2449 						goto nla_put_failure;
2450 
2451 					nla_nest_end(msg, nl_freq);
2452 					if (state->split)
2453 						break;
2454 				}
2455 				if (i < sband->n_channels)
2456 					state->chan_start = i + 2;
2457 				else
2458 					state->chan_start = 0;
2459 				nla_nest_end(msg, nl_freqs);
2460 			}
2461 
2462 			nla_nest_end(msg, nl_band);
2463 
2464 			if (state->split) {
2465 				/* start again here */
2466 				if (state->chan_start)
2467 					band--;
2468 				break;
2469 			}
2470 		}
2471 		nla_nest_end(msg, nl_bands);
2472 
2473 		if (band < NUM_NL80211_BANDS)
2474 			state->band_start = band + 1;
2475 		else
2476 			state->band_start = 0;
2477 
2478 		/* if bands & channels are done, continue outside */
2479 		if (state->band_start == 0 && state->chan_start == 0)
2480 			state->split_start++;
2481 		if (state->split)
2482 			break;
2483 		fallthrough;
2484 	case 4:
2485 		nl_cmds = nla_nest_start_noflag(msg,
2486 						NL80211_ATTR_SUPPORTED_COMMANDS);
2487 		if (!nl_cmds)
2488 			goto nla_put_failure;
2489 
2490 		i = nl80211_add_commands_unsplit(rdev, msg);
2491 		if (i < 0)
2492 			goto nla_put_failure;
2493 		if (state->split) {
2494 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2495 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2496 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2497 				CMD(channel_switch, CHANNEL_SWITCH);
2498 			CMD(set_qos_map, SET_QOS_MAP);
2499 			if (rdev->wiphy.features &
2500 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2501 				CMD(add_tx_ts, ADD_TX_TS);
2502 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2503 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2504 			CMD(update_ft_ies, UPDATE_FT_IES);
2505 			if (rdev->wiphy.sar_capa)
2506 				CMD(set_sar_specs, SET_SAR_SPECS);
2507 		}
2508 #undef CMD
2509 
2510 		nla_nest_end(msg, nl_cmds);
2511 		state->split_start++;
2512 		if (state->split)
2513 			break;
2514 		fallthrough;
2515 	case 5:
2516 		if (rdev->ops->remain_on_channel &&
2517 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2518 		    nla_put_u32(msg,
2519 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2520 				rdev->wiphy.max_remain_on_channel_duration))
2521 			goto nla_put_failure;
2522 
2523 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2524 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2525 			goto nla_put_failure;
2526 
2527 		state->split_start++;
2528 		if (state->split)
2529 			break;
2530 		fallthrough;
2531 	case 6:
2532 #ifdef CONFIG_PM
2533 		if (nl80211_send_wowlan(msg, rdev, state->split))
2534 			goto nla_put_failure;
2535 		state->split_start++;
2536 		if (state->split)
2537 			break;
2538 #else
2539 		state->split_start++;
2540 #endif
2541 		fallthrough;
2542 	case 7:
2543 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2544 					rdev->wiphy.software_iftypes))
2545 			goto nla_put_failure;
2546 
2547 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2548 						   state->split))
2549 			goto nla_put_failure;
2550 
2551 		state->split_start++;
2552 		if (state->split)
2553 			break;
2554 		fallthrough;
2555 	case 8:
2556 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2557 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2558 				rdev->wiphy.ap_sme_capa))
2559 			goto nla_put_failure;
2560 
2561 		features = rdev->wiphy.features;
2562 		/*
2563 		 * We can only add the per-channel limit information if the
2564 		 * dump is split, otherwise it makes it too big. Therefore
2565 		 * only advertise it in that case.
2566 		 */
2567 		if (state->split)
2568 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2569 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2570 			goto nla_put_failure;
2571 
2572 		if (rdev->wiphy.ht_capa_mod_mask &&
2573 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2574 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2575 			    rdev->wiphy.ht_capa_mod_mask))
2576 			goto nla_put_failure;
2577 
2578 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2579 		    rdev->wiphy.max_acl_mac_addrs &&
2580 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2581 				rdev->wiphy.max_acl_mac_addrs))
2582 			goto nla_put_failure;
2583 
2584 		/*
2585 		 * Any information below this point is only available to
2586 		 * applications that can deal with it being split. This
2587 		 * helps ensure that newly added capabilities don't break
2588 		 * older tools by overrunning their buffers.
2589 		 *
2590 		 * We still increment split_start so that in the split
2591 		 * case we'll continue with more data in the next round,
2592 		 * but break unconditionally so unsplit data stops here.
2593 		 */
2594 		if (state->split)
2595 			state->split_start++;
2596 		else
2597 			state->split_start = 0;
2598 		break;
2599 	case 9:
2600 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2601 			goto nla_put_failure;
2602 
2603 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2604 				rdev->wiphy.max_sched_scan_plans) ||
2605 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2606 				rdev->wiphy.max_sched_scan_plan_interval) ||
2607 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2608 				rdev->wiphy.max_sched_scan_plan_iterations))
2609 			goto nla_put_failure;
2610 
2611 		if (rdev->wiphy.extended_capabilities &&
2612 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2613 			     rdev->wiphy.extended_capabilities_len,
2614 			     rdev->wiphy.extended_capabilities) ||
2615 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2616 			     rdev->wiphy.extended_capabilities_len,
2617 			     rdev->wiphy.extended_capabilities_mask)))
2618 			goto nla_put_failure;
2619 
2620 		if (rdev->wiphy.vht_capa_mod_mask &&
2621 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2622 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2623 			    rdev->wiphy.vht_capa_mod_mask))
2624 			goto nla_put_failure;
2625 
2626 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2627 			    rdev->wiphy.perm_addr))
2628 			goto nla_put_failure;
2629 
2630 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2631 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2632 			    rdev->wiphy.addr_mask))
2633 			goto nla_put_failure;
2634 
2635 		if (rdev->wiphy.n_addresses > 1) {
2636 			void *attr;
2637 
2638 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2639 			if (!attr)
2640 				goto nla_put_failure;
2641 
2642 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2643 				if (nla_put(msg, i + 1, ETH_ALEN,
2644 					    rdev->wiphy.addresses[i].addr))
2645 					goto nla_put_failure;
2646 
2647 			nla_nest_end(msg, attr);
2648 		}
2649 
2650 		state->split_start++;
2651 		break;
2652 	case 10:
2653 		if (nl80211_send_coalesce(msg, rdev))
2654 			goto nla_put_failure;
2655 
2656 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2657 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2658 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2659 			goto nla_put_failure;
2660 
2661 		if (rdev->wiphy.max_ap_assoc_sta &&
2662 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2663 				rdev->wiphy.max_ap_assoc_sta))
2664 			goto nla_put_failure;
2665 
2666 		state->split_start++;
2667 		break;
2668 	case 11:
2669 		if (rdev->wiphy.n_vendor_commands) {
2670 			const struct nl80211_vendor_cmd_info *info;
2671 			struct nlattr *nested;
2672 
2673 			nested = nla_nest_start_noflag(msg,
2674 						       NL80211_ATTR_VENDOR_DATA);
2675 			if (!nested)
2676 				goto nla_put_failure;
2677 
2678 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2679 				info = &rdev->wiphy.vendor_commands[i].info;
2680 				if (nla_put(msg, i + 1, sizeof(*info), info))
2681 					goto nla_put_failure;
2682 			}
2683 			nla_nest_end(msg, nested);
2684 		}
2685 
2686 		if (rdev->wiphy.n_vendor_events) {
2687 			const struct nl80211_vendor_cmd_info *info;
2688 			struct nlattr *nested;
2689 
2690 			nested = nla_nest_start_noflag(msg,
2691 						       NL80211_ATTR_VENDOR_EVENTS);
2692 			if (!nested)
2693 				goto nla_put_failure;
2694 
2695 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2696 				info = &rdev->wiphy.vendor_events[i];
2697 				if (nla_put(msg, i + 1, sizeof(*info), info))
2698 					goto nla_put_failure;
2699 			}
2700 			nla_nest_end(msg, nested);
2701 		}
2702 		state->split_start++;
2703 		break;
2704 	case 12:
2705 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2706 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2707 			       rdev->wiphy.max_num_csa_counters))
2708 			goto nla_put_failure;
2709 
2710 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2711 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2712 			goto nla_put_failure;
2713 
2714 		if (rdev->wiphy.max_sched_scan_reqs &&
2715 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2716 				rdev->wiphy.max_sched_scan_reqs))
2717 			goto nla_put_failure;
2718 
2719 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2720 			    sizeof(rdev->wiphy.ext_features),
2721 			    rdev->wiphy.ext_features))
2722 			goto nla_put_failure;
2723 
2724 		if (rdev->wiphy.bss_select_support) {
2725 			struct nlattr *nested;
2726 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2727 
2728 			nested = nla_nest_start_noflag(msg,
2729 						       NL80211_ATTR_BSS_SELECT);
2730 			if (!nested)
2731 				goto nla_put_failure;
2732 
2733 			i = 0;
2734 			while (bss_select_support) {
2735 				if ((bss_select_support & 1) &&
2736 				    nla_put_flag(msg, i))
2737 					goto nla_put_failure;
2738 				i++;
2739 				bss_select_support >>= 1;
2740 			}
2741 			nla_nest_end(msg, nested);
2742 		}
2743 
2744 		state->split_start++;
2745 		break;
2746 	case 13:
2747 		if (rdev->wiphy.num_iftype_ext_capab &&
2748 		    rdev->wiphy.iftype_ext_capab) {
2749 			struct nlattr *nested_ext_capab, *nested;
2750 
2751 			nested = nla_nest_start_noflag(msg,
2752 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2753 			if (!nested)
2754 				goto nla_put_failure;
2755 
2756 			for (i = state->capa_start;
2757 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2758 				const struct wiphy_iftype_ext_capab *capab;
2759 
2760 				capab = &rdev->wiphy.iftype_ext_capab[i];
2761 
2762 				nested_ext_capab = nla_nest_start_noflag(msg,
2763 									 i);
2764 				if (!nested_ext_capab ||
2765 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2766 						capab->iftype) ||
2767 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2768 					    capab->extended_capabilities_len,
2769 					    capab->extended_capabilities) ||
2770 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2771 					    capab->extended_capabilities_len,
2772 					    capab->extended_capabilities_mask))
2773 					goto nla_put_failure;
2774 
2775 				nla_nest_end(msg, nested_ext_capab);
2776 				if (state->split)
2777 					break;
2778 			}
2779 			nla_nest_end(msg, nested);
2780 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2781 				state->capa_start = i + 1;
2782 				break;
2783 			}
2784 		}
2785 
2786 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2787 				rdev->wiphy.nan_supported_bands))
2788 			goto nla_put_failure;
2789 
2790 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2791 					    NL80211_EXT_FEATURE_TXQS)) {
2792 			struct cfg80211_txq_stats txqstats = {};
2793 			int res;
2794 
2795 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2796 			if (!res &&
2797 			    !nl80211_put_txq_stats(msg, &txqstats,
2798 						   NL80211_ATTR_TXQ_STATS))
2799 				goto nla_put_failure;
2800 
2801 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2802 					rdev->wiphy.txq_limit))
2803 				goto nla_put_failure;
2804 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2805 					rdev->wiphy.txq_memory_limit))
2806 				goto nla_put_failure;
2807 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2808 					rdev->wiphy.txq_quantum))
2809 				goto nla_put_failure;
2810 		}
2811 
2812 		state->split_start++;
2813 		break;
2814 	case 14:
2815 		if (nl80211_send_pmsr_capa(rdev, msg))
2816 			goto nla_put_failure;
2817 
2818 		state->split_start++;
2819 		break;
2820 	case 15:
2821 		if (rdev->wiphy.akm_suites &&
2822 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2823 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2824 			    rdev->wiphy.akm_suites))
2825 			goto nla_put_failure;
2826 
2827 		if (nl80211_put_iftype_akm_suites(rdev, msg))
2828 			goto nla_put_failure;
2829 
2830 		if (nl80211_put_tid_config_support(rdev, msg))
2831 			goto nla_put_failure;
2832 		state->split_start++;
2833 		break;
2834 	case 16:
2835 		if (nl80211_put_sar_specs(rdev, msg))
2836 			goto nla_put_failure;
2837 
2838 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
2839 			goto nla_put_failure;
2840 
2841 		/* done */
2842 		state->split_start = 0;
2843 		break;
2844 	}
2845  finish:
2846 	genlmsg_end(msg, hdr);
2847 	return 0;
2848 
2849  nla_put_failure:
2850 	genlmsg_cancel(msg, hdr);
2851 	return -EMSGSIZE;
2852 }
2853 
2854 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2855 				    struct netlink_callback *cb,
2856 				    struct nl80211_dump_wiphy_state *state)
2857 {
2858 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
2859 	int ret;
2860 
2861 	if (!tb)
2862 		return -ENOMEM;
2863 
2864 	ret = nlmsg_parse_deprecated(cb->nlh,
2865 				     GENL_HDRLEN + nl80211_fam.hdrsize,
2866 				     tb, nl80211_fam.maxattr,
2867 				     nl80211_policy, NULL);
2868 	/* ignore parse errors for backward compatibility */
2869 	if (ret) {
2870 		ret = 0;
2871 		goto out;
2872 	}
2873 
2874 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2875 	if (tb[NL80211_ATTR_WIPHY])
2876 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2877 	if (tb[NL80211_ATTR_WDEV])
2878 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
2879 	if (tb[NL80211_ATTR_IFINDEX]) {
2880 		struct net_device *netdev;
2881 		struct cfg80211_registered_device *rdev;
2882 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
2883 
2884 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
2885 		if (!netdev) {
2886 			ret = -ENODEV;
2887 			goto out;
2888 		}
2889 		if (netdev->ieee80211_ptr) {
2890 			rdev = wiphy_to_rdev(
2891 				netdev->ieee80211_ptr->wiphy);
2892 			state->filter_wiphy = rdev->wiphy_idx;
2893 		}
2894 	}
2895 
2896 	ret = 0;
2897 out:
2898 	kfree(tb);
2899 	return ret;
2900 }
2901 
2902 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
2903 {
2904 	int idx = 0, ret;
2905 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
2906 	struct cfg80211_registered_device *rdev;
2907 
2908 	rtnl_lock();
2909 	if (!state) {
2910 		state = kzalloc(sizeof(*state), GFP_KERNEL);
2911 		if (!state) {
2912 			rtnl_unlock();
2913 			return -ENOMEM;
2914 		}
2915 		state->filter_wiphy = -1;
2916 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
2917 		if (ret) {
2918 			kfree(state);
2919 			rtnl_unlock();
2920 			return ret;
2921 		}
2922 		cb->args[0] = (long)state;
2923 	}
2924 
2925 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2926 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2927 			continue;
2928 		if (++idx <= state->start)
2929 			continue;
2930 		if (state->filter_wiphy != -1 &&
2931 		    state->filter_wiphy != rdev->wiphy_idx)
2932 			continue;
2933 		/* attempt to fit multiple wiphy data chunks into the skb */
2934 		do {
2935 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
2936 						 skb,
2937 						 NETLINK_CB(cb->skb).portid,
2938 						 cb->nlh->nlmsg_seq,
2939 						 NLM_F_MULTI, state);
2940 			if (ret < 0) {
2941 				/*
2942 				 * If sending the wiphy data didn't fit (ENOBUFS
2943 				 * or EMSGSIZE returned), this SKB is still
2944 				 * empty (so it's not too big because another
2945 				 * wiphy dataset is already in the skb) and
2946 				 * we've not tried to adjust the dump allocation
2947 				 * yet ... then adjust the alloc size to be
2948 				 * bigger, and return 1 but with the empty skb.
2949 				 * This results in an empty message being RX'ed
2950 				 * in userspace, but that is ignored.
2951 				 *
2952 				 * We can then retry with the larger buffer.
2953 				 */
2954 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
2955 				    !skb->len && !state->split &&
2956 				    cb->min_dump_alloc < 4096) {
2957 					cb->min_dump_alloc = 4096;
2958 					state->split_start = 0;
2959 					rtnl_unlock();
2960 					return 1;
2961 				}
2962 				idx--;
2963 				break;
2964 			}
2965 		} while (state->split_start > 0);
2966 		break;
2967 	}
2968 	rtnl_unlock();
2969 
2970 	state->start = idx;
2971 
2972 	return skb->len;
2973 }
2974 
2975 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
2976 {
2977 	kfree((void *)cb->args[0]);
2978 	return 0;
2979 }
2980 
2981 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
2982 {
2983 	struct sk_buff *msg;
2984 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2985 	struct nl80211_dump_wiphy_state state = {};
2986 
2987 	msg = nlmsg_new(4096, GFP_KERNEL);
2988 	if (!msg)
2989 		return -ENOMEM;
2990 
2991 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
2992 			       info->snd_portid, info->snd_seq, 0,
2993 			       &state) < 0) {
2994 		nlmsg_free(msg);
2995 		return -ENOBUFS;
2996 	}
2997 
2998 	return genlmsg_reply(msg, info);
2999 }
3000 
3001 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3002 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3003 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3004 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3005 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3006 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3007 };
3008 
3009 static int parse_txq_params(struct nlattr *tb[],
3010 			    struct ieee80211_txq_params *txq_params)
3011 {
3012 	u8 ac;
3013 
3014 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3015 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3016 	    !tb[NL80211_TXQ_ATTR_AIFS])
3017 		return -EINVAL;
3018 
3019 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3020 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3021 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3022 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3023 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3024 
3025 	if (ac >= NL80211_NUM_ACS)
3026 		return -EINVAL;
3027 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3028 	return 0;
3029 }
3030 
3031 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3032 {
3033 	/*
3034 	 * You can only set the channel explicitly for some interfaces,
3035 	 * most have their channel managed via their respective
3036 	 * "establish a connection" command (connect, join, ...)
3037 	 *
3038 	 * For AP/GO and mesh mode, the channel can be set with the
3039 	 * channel userspace API, but is only stored and passed to the
3040 	 * low-level driver when the AP starts or the mesh is joined.
3041 	 * This is for backward compatibility, userspace can also give
3042 	 * the channel in the start-ap or join-mesh commands instead.
3043 	 *
3044 	 * Monitors are special as they are normally slaved to
3045 	 * whatever else is going on, so they have their own special
3046 	 * operation to set the monitor channel if possible.
3047 	 */
3048 	return !wdev ||
3049 		wdev->iftype == NL80211_IFTYPE_AP ||
3050 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3051 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3052 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3053 }
3054 
3055 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3056 			  struct genl_info *info,
3057 			  struct cfg80211_chan_def *chandef)
3058 {
3059 	struct netlink_ext_ack *extack = info->extack;
3060 	struct nlattr **attrs = info->attrs;
3061 	u32 control_freq;
3062 
3063 	if (!attrs[NL80211_ATTR_WIPHY_FREQ])
3064 		return -EINVAL;
3065 
3066 	control_freq = MHZ_TO_KHZ(
3067 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3068 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3069 		control_freq +=
3070 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3071 
3072 	memset(chandef, 0, sizeof(*chandef));
3073 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3074 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3075 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3076 	chandef->freq1_offset = control_freq % 1000;
3077 	chandef->center_freq2 = 0;
3078 
3079 	/* Primary channel not allowed */
3080 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
3081 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3082 				    "Channel is disabled");
3083 		return -EINVAL;
3084 	}
3085 
3086 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3087 		enum nl80211_channel_type chantype;
3088 
3089 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3090 
3091 		switch (chantype) {
3092 		case NL80211_CHAN_NO_HT:
3093 		case NL80211_CHAN_HT20:
3094 		case NL80211_CHAN_HT40PLUS:
3095 		case NL80211_CHAN_HT40MINUS:
3096 			cfg80211_chandef_create(chandef, chandef->chan,
3097 						chantype);
3098 			/* user input for center_freq is incorrect */
3099 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3100 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3101 				NL_SET_ERR_MSG_ATTR(extack,
3102 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3103 						    "bad center frequency 1");
3104 				return -EINVAL;
3105 			}
3106 			/* center_freq2 must be zero */
3107 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3108 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3109 				NL_SET_ERR_MSG_ATTR(extack,
3110 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3111 						    "center frequency 2 can't be used");
3112 				return -EINVAL;
3113 			}
3114 			break;
3115 		default:
3116 			NL_SET_ERR_MSG_ATTR(extack,
3117 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3118 					    "invalid channel type");
3119 			return -EINVAL;
3120 		}
3121 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3122 		chandef->width =
3123 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3124 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3125 			chandef->center_freq1 =
3126 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3127 			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
3128 				chandef->freq1_offset = nla_get_u32(
3129 				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
3130 			else
3131 				chandef->freq1_offset = 0;
3132 		}
3133 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3134 			chandef->center_freq2 =
3135 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3136 	}
3137 
3138 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3139 		chandef->edmg.channels =
3140 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3141 
3142 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3143 			chandef->edmg.bw_config =
3144 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3145 	} else {
3146 		chandef->edmg.bw_config = 0;
3147 		chandef->edmg.channels = 0;
3148 	}
3149 
3150 	if (!cfg80211_chandef_valid(chandef)) {
3151 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3152 		return -EINVAL;
3153 	}
3154 
3155 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
3156 				     IEEE80211_CHAN_DISABLED)) {
3157 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3158 		return -EINVAL;
3159 	}
3160 
3161 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3162 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3163 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3164 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3165 		return -EINVAL;
3166 	}
3167 
3168 	return 0;
3169 }
3170 
3171 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3172 				 struct net_device *dev,
3173 				 struct genl_info *info)
3174 {
3175 	struct cfg80211_chan_def chandef;
3176 	int result;
3177 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3178 	struct wireless_dev *wdev = NULL;
3179 
3180 	if (dev)
3181 		wdev = dev->ieee80211_ptr;
3182 	if (!nl80211_can_set_dev_channel(wdev))
3183 		return -EOPNOTSUPP;
3184 	if (wdev)
3185 		iftype = wdev->iftype;
3186 
3187 	result = nl80211_parse_chandef(rdev, info, &chandef);
3188 	if (result)
3189 		return result;
3190 
3191 	switch (iftype) {
3192 	case NL80211_IFTYPE_AP:
3193 	case NL80211_IFTYPE_P2P_GO:
3194 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3195 						   iftype)) {
3196 			result = -EINVAL;
3197 			break;
3198 		}
3199 		if (wdev->beacon_interval) {
3200 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3201 			    !(rdev->wiphy.features &
3202 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
3203 				result = -EBUSY;
3204 				break;
3205 			}
3206 
3207 			/* Only allow dynamic channel width changes */
3208 			if (chandef.chan != wdev->preset_chandef.chan) {
3209 				result = -EBUSY;
3210 				break;
3211 			}
3212 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
3213 			if (result)
3214 				break;
3215 		}
3216 		wdev->preset_chandef = chandef;
3217 		result = 0;
3218 		break;
3219 	case NL80211_IFTYPE_MESH_POINT:
3220 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3221 		break;
3222 	case NL80211_IFTYPE_MONITOR:
3223 		result = cfg80211_set_monitor_channel(rdev, &chandef);
3224 		break;
3225 	default:
3226 		result = -EINVAL;
3227 	}
3228 
3229 	return result;
3230 }
3231 
3232 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3233 {
3234 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3235 	struct net_device *netdev = info->user_ptr[1];
3236 
3237 	return __nl80211_set_channel(rdev, netdev, info);
3238 }
3239 
3240 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3241 {
3242 	struct cfg80211_registered_device *rdev = NULL;
3243 	struct net_device *netdev = NULL;
3244 	struct wireless_dev *wdev;
3245 	int result = 0, rem_txq_params = 0;
3246 	struct nlattr *nl_txq_params;
3247 	u32 changed;
3248 	u8 retry_short = 0, retry_long = 0;
3249 	u32 frag_threshold = 0, rts_threshold = 0;
3250 	u8 coverage_class = 0;
3251 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3252 
3253 	rtnl_lock();
3254 	/*
3255 	 * Try to find the wiphy and netdev. Normally this
3256 	 * function shouldn't need the netdev, but this is
3257 	 * done for backward compatibility -- previously
3258 	 * setting the channel was done per wiphy, but now
3259 	 * it is per netdev. Previous userland like hostapd
3260 	 * also passed a netdev to set_wiphy, so that it is
3261 	 * possible to let that go to the right netdev!
3262 	 */
3263 
3264 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3265 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3266 
3267 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3268 		if (netdev && netdev->ieee80211_ptr)
3269 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3270 		else
3271 			netdev = NULL;
3272 	}
3273 
3274 	if (!netdev) {
3275 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3276 						  info->attrs);
3277 		if (IS_ERR(rdev)) {
3278 			rtnl_unlock();
3279 			return PTR_ERR(rdev);
3280 		}
3281 		wdev = NULL;
3282 		netdev = NULL;
3283 		result = 0;
3284 	} else
3285 		wdev = netdev->ieee80211_ptr;
3286 
3287 	wiphy_lock(&rdev->wiphy);
3288 
3289 	/*
3290 	 * end workaround code, by now the rdev is available
3291 	 * and locked, and wdev may or may not be NULL.
3292 	 */
3293 
3294 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3295 		result = cfg80211_dev_rename(
3296 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3297 	rtnl_unlock();
3298 
3299 	if (result)
3300 		goto out;
3301 
3302 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3303 		struct ieee80211_txq_params txq_params;
3304 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3305 
3306 		if (!rdev->ops->set_txq_params) {
3307 			result = -EOPNOTSUPP;
3308 			goto out;
3309 		}
3310 
3311 		if (!netdev) {
3312 			result = -EINVAL;
3313 			goto out;
3314 		}
3315 
3316 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3317 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3318 			result = -EINVAL;
3319 			goto out;
3320 		}
3321 
3322 		if (!netif_running(netdev)) {
3323 			result = -ENETDOWN;
3324 			goto out;
3325 		}
3326 
3327 		nla_for_each_nested(nl_txq_params,
3328 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3329 				    rem_txq_params) {
3330 			result = nla_parse_nested_deprecated(tb,
3331 							     NL80211_TXQ_ATTR_MAX,
3332 							     nl_txq_params,
3333 							     txq_params_policy,
3334 							     info->extack);
3335 			if (result)
3336 				goto out;
3337 			result = parse_txq_params(tb, &txq_params);
3338 			if (result)
3339 				goto out;
3340 
3341 			result = rdev_set_txq_params(rdev, netdev,
3342 						     &txq_params);
3343 			if (result)
3344 				goto out;
3345 		}
3346 	}
3347 
3348 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3349 		result = __nl80211_set_channel(
3350 			rdev,
3351 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3352 			info);
3353 		if (result)
3354 			goto out;
3355 	}
3356 
3357 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3358 		struct wireless_dev *txp_wdev = wdev;
3359 		enum nl80211_tx_power_setting type;
3360 		int idx, mbm = 0;
3361 
3362 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3363 			txp_wdev = NULL;
3364 
3365 		if (!rdev->ops->set_tx_power) {
3366 			result = -EOPNOTSUPP;
3367 			goto out;
3368 		}
3369 
3370 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3371 		type = nla_get_u32(info->attrs[idx]);
3372 
3373 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3374 		    (type != NL80211_TX_POWER_AUTOMATIC)) {
3375 			result = -EINVAL;
3376 			goto out;
3377 		}
3378 
3379 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3380 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3381 			mbm = nla_get_u32(info->attrs[idx]);
3382 		}
3383 
3384 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3385 		if (result)
3386 			goto out;
3387 	}
3388 
3389 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3390 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3391 		u32 tx_ant, rx_ant;
3392 
3393 		if ((!rdev->wiphy.available_antennas_tx &&
3394 		     !rdev->wiphy.available_antennas_rx) ||
3395 		    !rdev->ops->set_antenna) {
3396 			result = -EOPNOTSUPP;
3397 			goto out;
3398 		}
3399 
3400 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3401 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3402 
3403 		/* reject antenna configurations which don't match the
3404 		 * available antenna masks, except for the "all" mask */
3405 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3406 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
3407 			result = -EINVAL;
3408 			goto out;
3409 		}
3410 
3411 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3412 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3413 
3414 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3415 		if (result)
3416 			goto out;
3417 	}
3418 
3419 	changed = 0;
3420 
3421 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3422 		retry_short = nla_get_u8(
3423 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3424 
3425 		changed |= WIPHY_PARAM_RETRY_SHORT;
3426 	}
3427 
3428 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3429 		retry_long = nla_get_u8(
3430 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3431 
3432 		changed |= WIPHY_PARAM_RETRY_LONG;
3433 	}
3434 
3435 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3436 		frag_threshold = nla_get_u32(
3437 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3438 		if (frag_threshold < 256) {
3439 			result = -EINVAL;
3440 			goto out;
3441 		}
3442 
3443 		if (frag_threshold != (u32) -1) {
3444 			/*
3445 			 * Fragments (apart from the last one) are required to
3446 			 * have even length. Make the fragmentation code
3447 			 * simpler by stripping LSB should someone try to use
3448 			 * odd threshold value.
3449 			 */
3450 			frag_threshold &= ~0x1;
3451 		}
3452 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3453 	}
3454 
3455 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3456 		rts_threshold = nla_get_u32(
3457 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3458 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3459 	}
3460 
3461 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3462 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3463 			result = -EINVAL;
3464 			goto out;
3465 		}
3466 
3467 		coverage_class = nla_get_u8(
3468 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3469 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3470 	}
3471 
3472 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3473 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION)) {
3474 			result = -EOPNOTSUPP;
3475 			goto out;
3476 		}
3477 
3478 		changed |= WIPHY_PARAM_DYN_ACK;
3479 	}
3480 
3481 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3482 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3483 					     NL80211_EXT_FEATURE_TXQS)) {
3484 			result = -EOPNOTSUPP;
3485 			goto out;
3486 		}
3487 		txq_limit = nla_get_u32(
3488 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3489 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3490 	}
3491 
3492 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3493 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3494 					     NL80211_EXT_FEATURE_TXQS)) {
3495 			result = -EOPNOTSUPP;
3496 			goto out;
3497 		}
3498 		txq_memory_limit = nla_get_u32(
3499 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3500 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3501 	}
3502 
3503 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3504 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3505 					     NL80211_EXT_FEATURE_TXQS)) {
3506 			result = -EOPNOTSUPP;
3507 			goto out;
3508 		}
3509 		txq_quantum = nla_get_u32(
3510 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3511 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3512 	}
3513 
3514 	if (changed) {
3515 		u8 old_retry_short, old_retry_long;
3516 		u32 old_frag_threshold, old_rts_threshold;
3517 		u8 old_coverage_class;
3518 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3519 
3520 		if (!rdev->ops->set_wiphy_params) {
3521 			result = -EOPNOTSUPP;
3522 			goto out;
3523 		}
3524 
3525 		old_retry_short = rdev->wiphy.retry_short;
3526 		old_retry_long = rdev->wiphy.retry_long;
3527 		old_frag_threshold = rdev->wiphy.frag_threshold;
3528 		old_rts_threshold = rdev->wiphy.rts_threshold;
3529 		old_coverage_class = rdev->wiphy.coverage_class;
3530 		old_txq_limit = rdev->wiphy.txq_limit;
3531 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3532 		old_txq_quantum = rdev->wiphy.txq_quantum;
3533 
3534 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3535 			rdev->wiphy.retry_short = retry_short;
3536 		if (changed & WIPHY_PARAM_RETRY_LONG)
3537 			rdev->wiphy.retry_long = retry_long;
3538 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3539 			rdev->wiphy.frag_threshold = frag_threshold;
3540 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3541 			rdev->wiphy.rts_threshold = rts_threshold;
3542 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3543 			rdev->wiphy.coverage_class = coverage_class;
3544 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3545 			rdev->wiphy.txq_limit = txq_limit;
3546 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3547 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3548 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3549 			rdev->wiphy.txq_quantum = txq_quantum;
3550 
3551 		result = rdev_set_wiphy_params(rdev, changed);
3552 		if (result) {
3553 			rdev->wiphy.retry_short = old_retry_short;
3554 			rdev->wiphy.retry_long = old_retry_long;
3555 			rdev->wiphy.frag_threshold = old_frag_threshold;
3556 			rdev->wiphy.rts_threshold = old_rts_threshold;
3557 			rdev->wiphy.coverage_class = old_coverage_class;
3558 			rdev->wiphy.txq_limit = old_txq_limit;
3559 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3560 			rdev->wiphy.txq_quantum = old_txq_quantum;
3561 			goto out;
3562 		}
3563 	}
3564 
3565 	result = 0;
3566 
3567 out:
3568 	wiphy_unlock(&rdev->wiphy);
3569 	return result;
3570 }
3571 
3572 static int nl80211_send_chandef(struct sk_buff *msg,
3573 				const struct cfg80211_chan_def *chandef)
3574 {
3575 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3576 		return -EINVAL;
3577 
3578 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3579 			chandef->chan->center_freq))
3580 		return -ENOBUFS;
3581 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3582 			chandef->chan->freq_offset))
3583 		return -ENOBUFS;
3584 	switch (chandef->width) {
3585 	case NL80211_CHAN_WIDTH_20_NOHT:
3586 	case NL80211_CHAN_WIDTH_20:
3587 	case NL80211_CHAN_WIDTH_40:
3588 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3589 				cfg80211_get_chandef_type(chandef)))
3590 			return -ENOBUFS;
3591 		break;
3592 	default:
3593 		break;
3594 	}
3595 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3596 		return -ENOBUFS;
3597 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3598 		return -ENOBUFS;
3599 	if (chandef->center_freq2 &&
3600 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3601 		return -ENOBUFS;
3602 	return 0;
3603 }
3604 
3605 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3606 			      struct cfg80211_registered_device *rdev,
3607 			      struct wireless_dev *wdev,
3608 			      enum nl80211_commands cmd)
3609 {
3610 	struct net_device *dev = wdev->netdev;
3611 	void *hdr;
3612 
3613 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3614 		cmd != NL80211_CMD_DEL_INTERFACE &&
3615 		cmd != NL80211_CMD_SET_INTERFACE);
3616 
3617 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3618 	if (!hdr)
3619 		return -1;
3620 
3621 	if (dev &&
3622 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3623 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3624 		goto nla_put_failure;
3625 
3626 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3627 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3628 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3629 			      NL80211_ATTR_PAD) ||
3630 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3631 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3632 			rdev->devlist_generation ^
3633 			(cfg80211_rdev_list_generation << 2)) ||
3634 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3635 		goto nla_put_failure;
3636 
3637 	if (rdev->ops->get_channel) {
3638 		int ret;
3639 		struct cfg80211_chan_def chandef = {};
3640 
3641 		ret = rdev_get_channel(rdev, wdev, &chandef);
3642 		if (ret == 0) {
3643 			if (nl80211_send_chandef(msg, &chandef))
3644 				goto nla_put_failure;
3645 		}
3646 	}
3647 
3648 	if (rdev->ops->get_tx_power) {
3649 		int dbm, ret;
3650 
3651 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3652 		if (ret == 0 &&
3653 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3654 				DBM_TO_MBM(dbm)))
3655 			goto nla_put_failure;
3656 	}
3657 
3658 	wdev_lock(wdev);
3659 	switch (wdev->iftype) {
3660 	case NL80211_IFTYPE_AP:
3661 		if (wdev->ssid_len &&
3662 		    nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
3663 			goto nla_put_failure_locked;
3664 		break;
3665 	case NL80211_IFTYPE_STATION:
3666 	case NL80211_IFTYPE_P2P_CLIENT:
3667 	case NL80211_IFTYPE_ADHOC: {
3668 		const u8 *ssid_ie;
3669 		if (!wdev->current_bss)
3670 			break;
3671 		rcu_read_lock();
3672 		ssid_ie = ieee80211_bss_get_ie(&wdev->current_bss->pub,
3673 					       WLAN_EID_SSID);
3674 		if (ssid_ie &&
3675 		    nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2))
3676 			goto nla_put_failure_rcu_locked;
3677 		rcu_read_unlock();
3678 		break;
3679 		}
3680 	default:
3681 		/* nothing */
3682 		break;
3683 	}
3684 	wdev_unlock(wdev);
3685 
3686 	if (rdev->ops->get_txq_stats) {
3687 		struct cfg80211_txq_stats txqstats = {};
3688 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3689 
3690 		if (ret == 0 &&
3691 		    !nl80211_put_txq_stats(msg, &txqstats,
3692 					   NL80211_ATTR_TXQ_STATS))
3693 			goto nla_put_failure;
3694 	}
3695 
3696 	genlmsg_end(msg, hdr);
3697 	return 0;
3698 
3699  nla_put_failure_rcu_locked:
3700 	rcu_read_unlock();
3701  nla_put_failure_locked:
3702 	wdev_unlock(wdev);
3703  nla_put_failure:
3704 	genlmsg_cancel(msg, hdr);
3705 	return -EMSGSIZE;
3706 }
3707 
3708 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3709 {
3710 	int wp_idx = 0;
3711 	int if_idx = 0;
3712 	int wp_start = cb->args[0];
3713 	int if_start = cb->args[1];
3714 	int filter_wiphy = -1;
3715 	struct cfg80211_registered_device *rdev;
3716 	struct wireless_dev *wdev;
3717 	int ret;
3718 
3719 	rtnl_lock();
3720 	if (!cb->args[2]) {
3721 		struct nl80211_dump_wiphy_state state = {
3722 			.filter_wiphy = -1,
3723 		};
3724 
3725 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3726 		if (ret)
3727 			goto out_unlock;
3728 
3729 		filter_wiphy = state.filter_wiphy;
3730 
3731 		/*
3732 		 * if filtering, set cb->args[2] to +1 since 0 is the default
3733 		 * value needed to determine that parsing is necessary.
3734 		 */
3735 		if (filter_wiphy >= 0)
3736 			cb->args[2] = filter_wiphy + 1;
3737 		else
3738 			cb->args[2] = -1;
3739 	} else if (cb->args[2] > 0) {
3740 		filter_wiphy = cb->args[2] - 1;
3741 	}
3742 
3743 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3744 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3745 			continue;
3746 		if (wp_idx < wp_start) {
3747 			wp_idx++;
3748 			continue;
3749 		}
3750 
3751 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3752 			continue;
3753 
3754 		if_idx = 0;
3755 
3756 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3757 			if (if_idx < if_start) {
3758 				if_idx++;
3759 				continue;
3760 			}
3761 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
3762 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
3763 					       rdev, wdev,
3764 					       NL80211_CMD_NEW_INTERFACE) < 0) {
3765 				goto out;
3766 			}
3767 			if_idx++;
3768 		}
3769 
3770 		wp_idx++;
3771 	}
3772  out:
3773 	cb->args[0] = wp_idx;
3774 	cb->args[1] = if_idx;
3775 
3776 	ret = skb->len;
3777  out_unlock:
3778 	rtnl_unlock();
3779 
3780 	return ret;
3781 }
3782 
3783 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3784 {
3785 	struct sk_buff *msg;
3786 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3787 	struct wireless_dev *wdev = info->user_ptr[1];
3788 
3789 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3790 	if (!msg)
3791 		return -ENOMEM;
3792 
3793 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3794 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3795 		nlmsg_free(msg);
3796 		return -ENOBUFS;
3797 	}
3798 
3799 	return genlmsg_reply(msg, info);
3800 }
3801 
3802 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
3803 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
3804 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
3805 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
3806 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
3807 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
3808 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
3809 };
3810 
3811 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
3812 {
3813 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
3814 	int flag;
3815 
3816 	*mntrflags = 0;
3817 
3818 	if (!nla)
3819 		return -EINVAL;
3820 
3821 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
3822 		return -EINVAL;
3823 
3824 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
3825 		if (flags[flag])
3826 			*mntrflags |= (1<<flag);
3827 
3828 	*mntrflags |= MONITOR_FLAG_CHANGED;
3829 
3830 	return 0;
3831 }
3832 
3833 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
3834 				     enum nl80211_iftype type,
3835 				     struct genl_info *info,
3836 				     struct vif_params *params)
3837 {
3838 	bool change = false;
3839 	int err;
3840 
3841 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
3842 		if (type != NL80211_IFTYPE_MONITOR)
3843 			return -EINVAL;
3844 
3845 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
3846 					  &params->flags);
3847 		if (err)
3848 			return err;
3849 
3850 		change = true;
3851 	}
3852 
3853 	if (params->flags & MONITOR_FLAG_ACTIVE &&
3854 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
3855 		return -EOPNOTSUPP;
3856 
3857 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
3858 		const u8 *mumimo_groups;
3859 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3860 
3861 		if (type != NL80211_IFTYPE_MONITOR)
3862 			return -EINVAL;
3863 
3864 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3865 			return -EOPNOTSUPP;
3866 
3867 		mumimo_groups =
3868 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
3869 
3870 		/* bits 0 and 63 are reserved and must be zero */
3871 		if ((mumimo_groups[0] & BIT(0)) ||
3872 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
3873 			return -EINVAL;
3874 
3875 		params->vht_mumimo_groups = mumimo_groups;
3876 		change = true;
3877 	}
3878 
3879 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
3880 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3881 
3882 		if (type != NL80211_IFTYPE_MONITOR)
3883 			return -EINVAL;
3884 
3885 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3886 			return -EOPNOTSUPP;
3887 
3888 		params->vht_mumimo_follow_addr =
3889 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
3890 		change = true;
3891 	}
3892 
3893 	return change ? 1 : 0;
3894 }
3895 
3896 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
3897 			       struct net_device *netdev, u8 use_4addr,
3898 			       enum nl80211_iftype iftype)
3899 {
3900 	if (!use_4addr) {
3901 		if (netdev && netif_is_bridge_port(netdev))
3902 			return -EBUSY;
3903 		return 0;
3904 	}
3905 
3906 	switch (iftype) {
3907 	case NL80211_IFTYPE_AP_VLAN:
3908 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
3909 			return 0;
3910 		break;
3911 	case NL80211_IFTYPE_STATION:
3912 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
3913 			return 0;
3914 		break;
3915 	default:
3916 		break;
3917 	}
3918 
3919 	return -EOPNOTSUPP;
3920 }
3921 
3922 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
3923 {
3924 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3925 	struct vif_params params;
3926 	int err;
3927 	enum nl80211_iftype otype, ntype;
3928 	struct net_device *dev = info->user_ptr[1];
3929 	bool change = false;
3930 
3931 	memset(&params, 0, sizeof(params));
3932 
3933 	otype = ntype = dev->ieee80211_ptr->iftype;
3934 
3935 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
3936 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3937 		if (otype != ntype)
3938 			change = true;
3939 	}
3940 
3941 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
3942 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3943 
3944 		if (ntype != NL80211_IFTYPE_MESH_POINT)
3945 			return -EINVAL;
3946 		if (netif_running(dev))
3947 			return -EBUSY;
3948 
3949 		wdev_lock(wdev);
3950 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3951 			     IEEE80211_MAX_MESH_ID_LEN);
3952 		wdev->mesh_id_up_len =
3953 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3954 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3955 		       wdev->mesh_id_up_len);
3956 		wdev_unlock(wdev);
3957 	}
3958 
3959 	if (info->attrs[NL80211_ATTR_4ADDR]) {
3960 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3961 		change = true;
3962 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
3963 		if (err)
3964 			return err;
3965 	} else {
3966 		params.use_4addr = -1;
3967 	}
3968 
3969 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
3970 	if (err < 0)
3971 		return err;
3972 	if (err > 0)
3973 		change = true;
3974 
3975 	if (change)
3976 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
3977 	else
3978 		err = 0;
3979 
3980 	if (!err && params.use_4addr != -1)
3981 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
3982 
3983 	if (change && !err) {
3984 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3985 
3986 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
3987 	}
3988 
3989 	return err;
3990 }
3991 
3992 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
3993 {
3994 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3995 	struct vif_params params;
3996 	struct wireless_dev *wdev;
3997 	struct sk_buff *msg;
3998 	int err;
3999 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4000 
4001 	memset(&params, 0, sizeof(params));
4002 
4003 	if (!info->attrs[NL80211_ATTR_IFNAME])
4004 		return -EINVAL;
4005 
4006 	if (info->attrs[NL80211_ATTR_IFTYPE])
4007 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4008 
4009 	if (!rdev->ops->add_virtual_intf)
4010 		return -EOPNOTSUPP;
4011 
4012 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4013 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4014 	    info->attrs[NL80211_ATTR_MAC]) {
4015 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4016 			   ETH_ALEN);
4017 		if (!is_valid_ether_addr(params.macaddr))
4018 			return -EADDRNOTAVAIL;
4019 	}
4020 
4021 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4022 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4023 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4024 		if (err)
4025 			return err;
4026 	}
4027 
4028 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4029 		return -EOPNOTSUPP;
4030 
4031 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4032 	if (err < 0)
4033 		return err;
4034 
4035 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4036 	if (!msg)
4037 		return -ENOMEM;
4038 
4039 	wdev = rdev_add_virtual_intf(rdev,
4040 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4041 				NET_NAME_USER, type, &params);
4042 	if (WARN_ON(!wdev)) {
4043 		nlmsg_free(msg);
4044 		return -EPROTO;
4045 	} else if (IS_ERR(wdev)) {
4046 		nlmsg_free(msg);
4047 		return PTR_ERR(wdev);
4048 	}
4049 
4050 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4051 		wdev->owner_nlportid = info->snd_portid;
4052 
4053 	switch (type) {
4054 	case NL80211_IFTYPE_MESH_POINT:
4055 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4056 			break;
4057 		wdev_lock(wdev);
4058 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4059 			     IEEE80211_MAX_MESH_ID_LEN);
4060 		wdev->mesh_id_up_len =
4061 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4062 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4063 		       wdev->mesh_id_up_len);
4064 		wdev_unlock(wdev);
4065 		break;
4066 	case NL80211_IFTYPE_NAN:
4067 	case NL80211_IFTYPE_P2P_DEVICE:
4068 		/*
4069 		 * P2P Device and NAN do not have a netdev, so don't go
4070 		 * through the netdev notifier and must be added here
4071 		 */
4072 		cfg80211_init_wdev(wdev);
4073 		cfg80211_register_wdev(rdev, wdev);
4074 		break;
4075 	default:
4076 		break;
4077 	}
4078 
4079 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4080 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4081 		nlmsg_free(msg);
4082 		return -ENOBUFS;
4083 	}
4084 
4085 	return genlmsg_reply(msg, info);
4086 }
4087 
4088 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4089 {
4090 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4091 	int ret;
4092 
4093 	/* to avoid failing a new interface creation due to pending removal */
4094 	cfg80211_destroy_ifaces(rdev);
4095 
4096 	wiphy_lock(&rdev->wiphy);
4097 	ret = _nl80211_new_interface(skb, info);
4098 	wiphy_unlock(&rdev->wiphy);
4099 
4100 	return ret;
4101 }
4102 
4103 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4104 {
4105 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4106 	struct wireless_dev *wdev = info->user_ptr[1];
4107 
4108 	if (!rdev->ops->del_virtual_intf)
4109 		return -EOPNOTSUPP;
4110 
4111 	/*
4112 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4113 	 * reach 0, and thus the rdev cannot be deleted.
4114 	 *
4115 	 * We need to do it for the dev_close(), since that will call
4116 	 * the netdev notifiers, and we need to acquire the mutex there
4117 	 * but don't know if we get there from here or from some other
4118 	 * place (e.g. "ip link set ... down").
4119 	 */
4120 	mutex_unlock(&rdev->wiphy.mtx);
4121 
4122 	/*
4123 	 * If we remove a wireless device without a netdev then clear
4124 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4125 	 * to check if it needs to do dev_put(). Otherwise it crashes
4126 	 * since the wdev has been freed, unlike with a netdev where
4127 	 * we need the dev_put() for the netdev to really be freed.
4128 	 */
4129 	if (!wdev->netdev)
4130 		info->user_ptr[1] = NULL;
4131 	else
4132 		dev_close(wdev->netdev);
4133 
4134 	mutex_lock(&rdev->wiphy.mtx);
4135 
4136 	return rdev_del_virtual_intf(rdev, wdev);
4137 }
4138 
4139 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4140 {
4141 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4142 	struct net_device *dev = info->user_ptr[1];
4143 	u16 noack_map;
4144 
4145 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4146 		return -EINVAL;
4147 
4148 	if (!rdev->ops->set_noack_map)
4149 		return -EOPNOTSUPP;
4150 
4151 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4152 
4153 	return rdev_set_noack_map(rdev, dev, noack_map);
4154 }
4155 
4156 struct get_key_cookie {
4157 	struct sk_buff *msg;
4158 	int error;
4159 	int idx;
4160 };
4161 
4162 static void get_key_callback(void *c, struct key_params *params)
4163 {
4164 	struct nlattr *key;
4165 	struct get_key_cookie *cookie = c;
4166 
4167 	if ((params->key &&
4168 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
4169 		     params->key_len, params->key)) ||
4170 	    (params->seq &&
4171 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4172 		     params->seq_len, params->seq)) ||
4173 	    (params->cipher &&
4174 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4175 			 params->cipher)))
4176 		goto nla_put_failure;
4177 
4178 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4179 	if (!key)
4180 		goto nla_put_failure;
4181 
4182 	if ((params->key &&
4183 	     nla_put(cookie->msg, NL80211_KEY_DATA,
4184 		     params->key_len, params->key)) ||
4185 	    (params->seq &&
4186 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4187 		     params->seq_len, params->seq)) ||
4188 	    (params->cipher &&
4189 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4190 			 params->cipher)))
4191 		goto nla_put_failure;
4192 
4193 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4194 		goto nla_put_failure;
4195 
4196 	nla_nest_end(cookie->msg, key);
4197 
4198 	return;
4199  nla_put_failure:
4200 	cookie->error = 1;
4201 }
4202 
4203 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4204 {
4205 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4206 	int err;
4207 	struct net_device *dev = info->user_ptr[1];
4208 	u8 key_idx = 0;
4209 	const u8 *mac_addr = NULL;
4210 	bool pairwise;
4211 	struct get_key_cookie cookie = {
4212 		.error = 0,
4213 	};
4214 	void *hdr;
4215 	struct sk_buff *msg;
4216 	bool bigtk_support = false;
4217 
4218 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4219 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4220 		bigtk_support = true;
4221 
4222 	if ((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_STATION ||
4223 	     dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4224 	    wiphy_ext_feature_isset(&rdev->wiphy,
4225 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4226 		bigtk_support = true;
4227 
4228 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4229 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4230 
4231 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4232 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4233 			return -EINVAL;
4234 		}
4235 	}
4236 
4237 	if (info->attrs[NL80211_ATTR_MAC])
4238 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4239 
4240 	pairwise = !!mac_addr;
4241 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4242 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4243 
4244 		if (kt != NL80211_KEYTYPE_GROUP &&
4245 		    kt != NL80211_KEYTYPE_PAIRWISE)
4246 			return -EINVAL;
4247 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4248 	}
4249 
4250 	if (!rdev->ops->get_key)
4251 		return -EOPNOTSUPP;
4252 
4253 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4254 		return -ENOENT;
4255 
4256 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4257 	if (!msg)
4258 		return -ENOMEM;
4259 
4260 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4261 			     NL80211_CMD_NEW_KEY);
4262 	if (!hdr)
4263 		goto nla_put_failure;
4264 
4265 	cookie.msg = msg;
4266 	cookie.idx = key_idx;
4267 
4268 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4269 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4270 		goto nla_put_failure;
4271 	if (mac_addr &&
4272 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4273 		goto nla_put_failure;
4274 
4275 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
4276 			   get_key_callback);
4277 
4278 	if (err)
4279 		goto free_msg;
4280 
4281 	if (cookie.error)
4282 		goto nla_put_failure;
4283 
4284 	genlmsg_end(msg, hdr);
4285 	return genlmsg_reply(msg, info);
4286 
4287  nla_put_failure:
4288 	err = -ENOBUFS;
4289  free_msg:
4290 	nlmsg_free(msg);
4291 	return err;
4292 }
4293 
4294 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4295 {
4296 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4297 	struct key_parse key;
4298 	int err;
4299 	struct net_device *dev = info->user_ptr[1];
4300 
4301 	err = nl80211_parse_key(info, &key);
4302 	if (err)
4303 		return err;
4304 
4305 	if (key.idx < 0)
4306 		return -EINVAL;
4307 
4308 	/* Only support setting default key and
4309 	 * Extended Key ID action NL80211_KEY_SET_TX.
4310 	 */
4311 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4312 	    !(key.p.mode == NL80211_KEY_SET_TX))
4313 		return -EINVAL;
4314 
4315 	wdev_lock(dev->ieee80211_ptr);
4316 
4317 	if (key.def) {
4318 		if (!rdev->ops->set_default_key) {
4319 			err = -EOPNOTSUPP;
4320 			goto out;
4321 		}
4322 
4323 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4324 		if (err)
4325 			goto out;
4326 
4327 		err = rdev_set_default_key(rdev, dev, key.idx,
4328 						 key.def_uni, key.def_multi);
4329 
4330 		if (err)
4331 			goto out;
4332 
4333 #ifdef CONFIG_CFG80211_WEXT
4334 		dev->ieee80211_ptr->wext.default_key = key.idx;
4335 #endif
4336 	} else if (key.defmgmt) {
4337 		if (key.def_uni || !key.def_multi) {
4338 			err = -EINVAL;
4339 			goto out;
4340 		}
4341 
4342 		if (!rdev->ops->set_default_mgmt_key) {
4343 			err = -EOPNOTSUPP;
4344 			goto out;
4345 		}
4346 
4347 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4348 		if (err)
4349 			goto out;
4350 
4351 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
4352 		if (err)
4353 			goto out;
4354 
4355 #ifdef CONFIG_CFG80211_WEXT
4356 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
4357 #endif
4358 	} else if (key.defbeacon) {
4359 		if (key.def_uni || !key.def_multi) {
4360 			err = -EINVAL;
4361 			goto out;
4362 		}
4363 
4364 		if (!rdev->ops->set_default_beacon_key) {
4365 			err = -EOPNOTSUPP;
4366 			goto out;
4367 		}
4368 
4369 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4370 		if (err)
4371 			goto out;
4372 
4373 		err = rdev_set_default_beacon_key(rdev, dev, key.idx);
4374 		if (err)
4375 			goto out;
4376 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4377 		   wiphy_ext_feature_isset(&rdev->wiphy,
4378 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4379 		u8 *mac_addr = NULL;
4380 
4381 		if (info->attrs[NL80211_ATTR_MAC])
4382 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4383 
4384 		if (!mac_addr || key.idx < 0 || key.idx > 1) {
4385 			err = -EINVAL;
4386 			goto out;
4387 		}
4388 
4389 		err = rdev_add_key(rdev, dev, key.idx,
4390 				   NL80211_KEYTYPE_PAIRWISE,
4391 				   mac_addr, &key.p);
4392 	} else {
4393 		err = -EINVAL;
4394 	}
4395  out:
4396 	wdev_unlock(dev->ieee80211_ptr);
4397 
4398 	return err;
4399 }
4400 
4401 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4402 {
4403 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4404 	int err;
4405 	struct net_device *dev = info->user_ptr[1];
4406 	struct key_parse key;
4407 	const u8 *mac_addr = NULL;
4408 
4409 	err = nl80211_parse_key(info, &key);
4410 	if (err)
4411 		return err;
4412 
4413 	if (!key.p.key) {
4414 		GENL_SET_ERR_MSG(info, "no key");
4415 		return -EINVAL;
4416 	}
4417 
4418 	if (info->attrs[NL80211_ATTR_MAC])
4419 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4420 
4421 	if (key.type == -1) {
4422 		if (mac_addr)
4423 			key.type = NL80211_KEYTYPE_PAIRWISE;
4424 		else
4425 			key.type = NL80211_KEYTYPE_GROUP;
4426 	}
4427 
4428 	/* for now */
4429 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4430 	    key.type != NL80211_KEYTYPE_GROUP) {
4431 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4432 		return -EINVAL;
4433 	}
4434 
4435 	if (key.type == NL80211_KEYTYPE_GROUP &&
4436 	    info->attrs[NL80211_ATTR_VLAN_ID])
4437 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4438 
4439 	if (!rdev->ops->add_key)
4440 		return -EOPNOTSUPP;
4441 
4442 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4443 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4444 					   mac_addr)) {
4445 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4446 		return -EINVAL;
4447 	}
4448 
4449 	wdev_lock(dev->ieee80211_ptr);
4450 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4451 	if (err)
4452 		GENL_SET_ERR_MSG(info, "key not allowed");
4453 	if (!err) {
4454 		err = rdev_add_key(rdev, dev, key.idx,
4455 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4456 				    mac_addr, &key.p);
4457 		if (err)
4458 			GENL_SET_ERR_MSG(info, "key addition failed");
4459 	}
4460 	wdev_unlock(dev->ieee80211_ptr);
4461 
4462 	return err;
4463 }
4464 
4465 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4466 {
4467 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4468 	int err;
4469 	struct net_device *dev = info->user_ptr[1];
4470 	u8 *mac_addr = NULL;
4471 	struct key_parse key;
4472 
4473 	err = nl80211_parse_key(info, &key);
4474 	if (err)
4475 		return err;
4476 
4477 	if (info->attrs[NL80211_ATTR_MAC])
4478 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4479 
4480 	if (key.type == -1) {
4481 		if (mac_addr)
4482 			key.type = NL80211_KEYTYPE_PAIRWISE;
4483 		else
4484 			key.type = NL80211_KEYTYPE_GROUP;
4485 	}
4486 
4487 	/* for now */
4488 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4489 	    key.type != NL80211_KEYTYPE_GROUP)
4490 		return -EINVAL;
4491 
4492 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4493 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4494 		return -EINVAL;
4495 
4496 	if (!rdev->ops->del_key)
4497 		return -EOPNOTSUPP;
4498 
4499 	wdev_lock(dev->ieee80211_ptr);
4500 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4501 
4502 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4503 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4504 		err = -ENOENT;
4505 
4506 	if (!err)
4507 		err = rdev_del_key(rdev, dev, key.idx,
4508 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4509 				   mac_addr);
4510 
4511 #ifdef CONFIG_CFG80211_WEXT
4512 	if (!err) {
4513 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
4514 			dev->ieee80211_ptr->wext.default_key = -1;
4515 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
4516 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
4517 	}
4518 #endif
4519 	wdev_unlock(dev->ieee80211_ptr);
4520 
4521 	return err;
4522 }
4523 
4524 /* This function returns an error or the number of nested attributes */
4525 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4526 {
4527 	struct nlattr *attr;
4528 	int n_entries = 0, tmp;
4529 
4530 	nla_for_each_nested(attr, nl_attr, tmp) {
4531 		if (nla_len(attr) != ETH_ALEN)
4532 			return -EINVAL;
4533 
4534 		n_entries++;
4535 	}
4536 
4537 	return n_entries;
4538 }
4539 
4540 /*
4541  * This function parses ACL information and allocates memory for ACL data.
4542  * On successful return, the calling function is responsible to free the
4543  * ACL buffer returned by this function.
4544  */
4545 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4546 						struct genl_info *info)
4547 {
4548 	enum nl80211_acl_policy acl_policy;
4549 	struct nlattr *attr;
4550 	struct cfg80211_acl_data *acl;
4551 	int i = 0, n_entries, tmp;
4552 
4553 	if (!wiphy->max_acl_mac_addrs)
4554 		return ERR_PTR(-EOPNOTSUPP);
4555 
4556 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4557 		return ERR_PTR(-EINVAL);
4558 
4559 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4560 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4561 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4562 		return ERR_PTR(-EINVAL);
4563 
4564 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4565 		return ERR_PTR(-EINVAL);
4566 
4567 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4568 	if (n_entries < 0)
4569 		return ERR_PTR(n_entries);
4570 
4571 	if (n_entries > wiphy->max_acl_mac_addrs)
4572 		return ERR_PTR(-ENOTSUPP);
4573 
4574 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4575 	if (!acl)
4576 		return ERR_PTR(-ENOMEM);
4577 
4578 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4579 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4580 		i++;
4581 	}
4582 
4583 	acl->n_acl_entries = n_entries;
4584 	acl->acl_policy = acl_policy;
4585 
4586 	return acl;
4587 }
4588 
4589 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4590 {
4591 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4592 	struct net_device *dev = info->user_ptr[1];
4593 	struct cfg80211_acl_data *acl;
4594 	int err;
4595 
4596 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4597 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4598 		return -EOPNOTSUPP;
4599 
4600 	if (!dev->ieee80211_ptr->beacon_interval)
4601 		return -EINVAL;
4602 
4603 	acl = parse_acl_data(&rdev->wiphy, info);
4604 	if (IS_ERR(acl))
4605 		return PTR_ERR(acl);
4606 
4607 	err = rdev_set_mac_acl(rdev, dev, acl);
4608 
4609 	kfree(acl);
4610 
4611 	return err;
4612 }
4613 
4614 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4615 			   u8 *rates, u8 rates_len)
4616 {
4617 	u8 i;
4618 	u32 mask = 0;
4619 
4620 	for (i = 0; i < rates_len; i++) {
4621 		int rate = (rates[i] & 0x7f) * 5;
4622 		int ridx;
4623 
4624 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4625 			struct ieee80211_rate *srate =
4626 				&sband->bitrates[ridx];
4627 			if (rate == srate->bitrate) {
4628 				mask |= 1 << ridx;
4629 				break;
4630 			}
4631 		}
4632 		if (ridx == sband->n_bitrates)
4633 			return 0; /* rate not found */
4634 	}
4635 
4636 	return mask;
4637 }
4638 
4639 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4640 			       u8 *rates, u8 rates_len,
4641 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4642 {
4643 	u8 i;
4644 
4645 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4646 
4647 	for (i = 0; i < rates_len; i++) {
4648 		int ridx, rbit;
4649 
4650 		ridx = rates[i] / 8;
4651 		rbit = BIT(rates[i] % 8);
4652 
4653 		/* check validity */
4654 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4655 			return false;
4656 
4657 		/* check availability */
4658 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4659 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4660 			mcs[ridx] |= rbit;
4661 		else
4662 			return false;
4663 	}
4664 
4665 	return true;
4666 }
4667 
4668 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4669 {
4670 	u16 mcs_mask = 0;
4671 
4672 	switch (vht_mcs_map) {
4673 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4674 		break;
4675 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4676 		mcs_mask = 0x00FF;
4677 		break;
4678 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4679 		mcs_mask = 0x01FF;
4680 		break;
4681 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
4682 		mcs_mask = 0x03FF;
4683 		break;
4684 	default:
4685 		break;
4686 	}
4687 
4688 	return mcs_mask;
4689 }
4690 
4691 static void vht_build_mcs_mask(u16 vht_mcs_map,
4692 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
4693 {
4694 	u8 nss;
4695 
4696 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
4697 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
4698 		vht_mcs_map >>= 2;
4699 	}
4700 }
4701 
4702 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
4703 			     struct nl80211_txrate_vht *txrate,
4704 			     u16 mcs[NL80211_VHT_NSS_MAX])
4705 {
4706 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4707 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
4708 	u8 i;
4709 
4710 	if (!sband->vht_cap.vht_supported)
4711 		return false;
4712 
4713 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
4714 
4715 	/* Build vht_mcs_mask from VHT capabilities */
4716 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4717 
4718 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4719 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4720 			mcs[i] = txrate->mcs[i];
4721 		else
4722 			return false;
4723 	}
4724 
4725 	return true;
4726 }
4727 
4728 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
4729 {
4730 	switch (he_mcs_map) {
4731 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
4732 		return 0;
4733 	case IEEE80211_HE_MCS_SUPPORT_0_7:
4734 		return 0x00FF;
4735 	case IEEE80211_HE_MCS_SUPPORT_0_9:
4736 		return 0x03FF;
4737 	case IEEE80211_HE_MCS_SUPPORT_0_11:
4738 		return 0xFFF;
4739 	default:
4740 		break;
4741 	}
4742 	return 0;
4743 }
4744 
4745 static void he_build_mcs_mask(u16 he_mcs_map,
4746 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
4747 {
4748 	u8 nss;
4749 
4750 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
4751 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
4752 		he_mcs_map >>= 2;
4753 	}
4754 }
4755 
4756 static u16 he_get_txmcsmap(struct genl_info *info,
4757 			   const struct ieee80211_sta_he_cap *he_cap)
4758 {
4759 	struct net_device *dev = info->user_ptr[1];
4760 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4761 	__le16	tx_mcs;
4762 
4763 	switch (wdev->chandef.width) {
4764 	case NL80211_CHAN_WIDTH_80P80:
4765 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
4766 		break;
4767 	case NL80211_CHAN_WIDTH_160:
4768 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
4769 		break;
4770 	default:
4771 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
4772 		break;
4773 	}
4774 	return le16_to_cpu(tx_mcs);
4775 }
4776 
4777 static bool he_set_mcs_mask(struct genl_info *info,
4778 			    struct wireless_dev *wdev,
4779 			    struct ieee80211_supported_band *sband,
4780 			    struct nl80211_txrate_he *txrate,
4781 			    u16 mcs[NL80211_HE_NSS_MAX])
4782 {
4783 	const struct ieee80211_sta_he_cap *he_cap;
4784 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
4785 	u16 tx_mcs_map = 0;
4786 	u8 i;
4787 
4788 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4789 	if (!he_cap)
4790 		return false;
4791 
4792 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
4793 
4794 	tx_mcs_map = he_get_txmcsmap(info, he_cap);
4795 
4796 	/* Build he_mcs_mask from HE capabilities */
4797 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4798 
4799 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
4800 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4801 			mcs[i] = txrate->mcs[i];
4802 		else
4803 			return false;
4804 	}
4805 
4806 	return true;
4807 }
4808 
4809 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
4810 					 struct nlattr *attrs[],
4811 					 enum nl80211_attrs attr,
4812 					 struct cfg80211_bitrate_mask *mask,
4813 					 struct net_device *dev,
4814 					 bool default_all_enabled)
4815 {
4816 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
4817 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4818 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4819 	int rem, i;
4820 	struct nlattr *tx_rates;
4821 	struct ieee80211_supported_band *sband;
4822 	u16 vht_tx_mcs_map, he_tx_mcs_map;
4823 
4824 	memset(mask, 0, sizeof(*mask));
4825 	/* Default to all rates enabled */
4826 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
4827 		const struct ieee80211_sta_he_cap *he_cap;
4828 
4829 		if (!default_all_enabled)
4830 			break;
4831 
4832 		sband = rdev->wiphy.bands[i];
4833 
4834 		if (!sband)
4835 			continue;
4836 
4837 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
4838 		memcpy(mask->control[i].ht_mcs,
4839 		       sband->ht_cap.mcs.rx_mask,
4840 		       sizeof(mask->control[i].ht_mcs));
4841 
4842 		if (sband->vht_cap.vht_supported) {
4843 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4844 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
4845 		}
4846 
4847 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4848 		if (!he_cap)
4849 			continue;
4850 
4851 		he_tx_mcs_map = he_get_txmcsmap(info, he_cap);
4852 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
4853 
4854 		mask->control[i].he_gi = 0xFF;
4855 		mask->control[i].he_ltf = 0xFF;
4856 	}
4857 
4858 	/* if no rates are given set it back to the defaults */
4859 	if (!attrs[attr])
4860 		goto out;
4861 
4862 	/* The nested attribute uses enum nl80211_band as the index. This maps
4863 	 * directly to the enum nl80211_band values used in cfg80211.
4864 	 */
4865 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
4866 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
4867 		enum nl80211_band band = nla_type(tx_rates);
4868 		int err;
4869 
4870 		if (band < 0 || band >= NUM_NL80211_BANDS)
4871 			return -EINVAL;
4872 		sband = rdev->wiphy.bands[band];
4873 		if (sband == NULL)
4874 			return -EINVAL;
4875 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
4876 						  tx_rates,
4877 						  nl80211_txattr_policy,
4878 						  info->extack);
4879 		if (err)
4880 			return err;
4881 		if (tb[NL80211_TXRATE_LEGACY]) {
4882 			mask->control[band].legacy = rateset_to_mask(
4883 				sband,
4884 				nla_data(tb[NL80211_TXRATE_LEGACY]),
4885 				nla_len(tb[NL80211_TXRATE_LEGACY]));
4886 			if ((mask->control[band].legacy == 0) &&
4887 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
4888 				return -EINVAL;
4889 		}
4890 		if (tb[NL80211_TXRATE_HT]) {
4891 			if (!ht_rateset_to_mask(
4892 					sband,
4893 					nla_data(tb[NL80211_TXRATE_HT]),
4894 					nla_len(tb[NL80211_TXRATE_HT]),
4895 					mask->control[band].ht_mcs))
4896 				return -EINVAL;
4897 		}
4898 
4899 		if (tb[NL80211_TXRATE_VHT]) {
4900 			if (!vht_set_mcs_mask(
4901 					sband,
4902 					nla_data(tb[NL80211_TXRATE_VHT]),
4903 					mask->control[band].vht_mcs))
4904 				return -EINVAL;
4905 		}
4906 
4907 		if (tb[NL80211_TXRATE_GI]) {
4908 			mask->control[band].gi =
4909 				nla_get_u8(tb[NL80211_TXRATE_GI]);
4910 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
4911 				return -EINVAL;
4912 		}
4913 		if (tb[NL80211_TXRATE_HE] &&
4914 		    !he_set_mcs_mask(info, wdev, sband,
4915 				     nla_data(tb[NL80211_TXRATE_HE]),
4916 				     mask->control[band].he_mcs))
4917 			return -EINVAL;
4918 
4919 		if (tb[NL80211_TXRATE_HE_GI])
4920 			mask->control[band].he_gi =
4921 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
4922 		if (tb[NL80211_TXRATE_HE_LTF])
4923 			mask->control[band].he_ltf =
4924 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
4925 
4926 		if (mask->control[band].legacy == 0) {
4927 			/* don't allow empty legacy rates if HT, VHT or HE
4928 			 * are not even supported.
4929 			 */
4930 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
4931 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
4932 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
4933 				return -EINVAL;
4934 
4935 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
4936 				if (mask->control[band].ht_mcs[i])
4937 					goto out;
4938 
4939 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
4940 				if (mask->control[band].vht_mcs[i])
4941 					goto out;
4942 
4943 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
4944 				if (mask->control[band].he_mcs[i])
4945 					goto out;
4946 
4947 			/* legacy and mcs rates may not be both empty */
4948 			return -EINVAL;
4949 		}
4950 	}
4951 
4952 out:
4953 	return 0;
4954 }
4955 
4956 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
4957 				   enum nl80211_band band,
4958 				   struct cfg80211_bitrate_mask *beacon_rate)
4959 {
4960 	u32 count_ht, count_vht, count_he, i;
4961 	u32 rate = beacon_rate->control[band].legacy;
4962 
4963 	/* Allow only one rate */
4964 	if (hweight32(rate) > 1)
4965 		return -EINVAL;
4966 
4967 	count_ht = 0;
4968 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
4969 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
4970 			return -EINVAL;
4971 		} else if (beacon_rate->control[band].ht_mcs[i]) {
4972 			count_ht++;
4973 			if (count_ht > 1)
4974 				return -EINVAL;
4975 		}
4976 		if (count_ht && rate)
4977 			return -EINVAL;
4978 	}
4979 
4980 	count_vht = 0;
4981 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4982 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
4983 			return -EINVAL;
4984 		} else if (beacon_rate->control[band].vht_mcs[i]) {
4985 			count_vht++;
4986 			if (count_vht > 1)
4987 				return -EINVAL;
4988 		}
4989 		if (count_vht && rate)
4990 			return -EINVAL;
4991 	}
4992 
4993 	count_he = 0;
4994 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
4995 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
4996 			return -EINVAL;
4997 		} else if (beacon_rate->control[band].he_mcs[i]) {
4998 			count_he++;
4999 			if (count_he > 1)
5000 				return -EINVAL;
5001 		}
5002 		if (count_he && rate)
5003 			return -EINVAL;
5004 	}
5005 
5006 	if ((count_ht && count_vht && count_he) ||
5007 	    (!rate && !count_ht && !count_vht && !count_he))
5008 		return -EINVAL;
5009 
5010 	if (rate &&
5011 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5012 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5013 		return -EINVAL;
5014 	if (count_ht &&
5015 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5016 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5017 		return -EINVAL;
5018 	if (count_vht &&
5019 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5020 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5021 		return -EINVAL;
5022 	if (count_he &&
5023 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5024 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5025 		return -EINVAL;
5026 
5027 	return 0;
5028 }
5029 
5030 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5031 				       struct net_device *dev,
5032 				       struct nlattr *attrs,
5033 				       struct cfg80211_mbssid_config *config,
5034 				       u8 num_elems)
5035 {
5036 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5037 
5038 	if (!wiphy->mbssid_max_interfaces)
5039 		return -EOPNOTSUPP;
5040 
5041 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5042 			     NULL) ||
5043 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5044 		return -EINVAL;
5045 
5046 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5047 	if (config->ema) {
5048 		if (!wiphy->ema_max_profile_periodicity)
5049 			return -EOPNOTSUPP;
5050 
5051 		if (num_elems > wiphy->ema_max_profile_periodicity)
5052 			return -EINVAL;
5053 	}
5054 
5055 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5056 	if (config->index >= wiphy->mbssid_max_interfaces ||
5057 	    (!config->index && !num_elems))
5058 		return -EINVAL;
5059 
5060 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5061 		u32 tx_ifindex =
5062 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5063 
5064 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5065 		    (config->index && tx_ifindex == dev->ifindex))
5066 			return -EINVAL;
5067 
5068 		if (tx_ifindex != dev->ifindex) {
5069 			struct net_device *tx_netdev =
5070 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5071 
5072 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5073 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5074 			    tx_netdev->ieee80211_ptr->iftype !=
5075 							NL80211_IFTYPE_AP) {
5076 				dev_put(tx_netdev);
5077 				return -EINVAL;
5078 			}
5079 
5080 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5081 		} else {
5082 			config->tx_wdev = dev->ieee80211_ptr;
5083 		}
5084 	} else if (!config->index) {
5085 		config->tx_wdev = dev->ieee80211_ptr;
5086 	} else {
5087 		return -EINVAL;
5088 	}
5089 
5090 	return 0;
5091 }
5092 
5093 static struct cfg80211_mbssid_elems *
5094 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5095 {
5096 	struct nlattr *nl_elems;
5097 	struct cfg80211_mbssid_elems *elems;
5098 	int rem_elems;
5099 	u8 i = 0, num_elems = 0;
5100 
5101 	if (!wiphy->mbssid_max_interfaces)
5102 		return ERR_PTR(-EINVAL);
5103 
5104 	nla_for_each_nested(nl_elems, attrs, rem_elems)
5105 		num_elems++;
5106 
5107 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5108 	if (!elems)
5109 		return ERR_PTR(-ENOMEM);
5110 
5111 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5112 		elems->elem[i].data = nla_data(nl_elems);
5113 		elems->elem[i].len = nla_len(nl_elems);
5114 		i++;
5115 	}
5116 	elems->cnt = num_elems;
5117 	return elems;
5118 }
5119 
5120 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5121 				struct nlattr *attrs[],
5122 				struct cfg80211_beacon_data *bcn)
5123 {
5124 	bool haveinfo = false;
5125 	int err;
5126 
5127 	memset(bcn, 0, sizeof(*bcn));
5128 
5129 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5130 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5131 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5132 		if (!bcn->head_len)
5133 			return -EINVAL;
5134 		haveinfo = true;
5135 	}
5136 
5137 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5138 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5139 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5140 		haveinfo = true;
5141 	}
5142 
5143 	if (!haveinfo)
5144 		return -EINVAL;
5145 
5146 	if (attrs[NL80211_ATTR_IE]) {
5147 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5148 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5149 	}
5150 
5151 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5152 		bcn->proberesp_ies =
5153 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5154 		bcn->proberesp_ies_len =
5155 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5156 	}
5157 
5158 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5159 		bcn->assocresp_ies =
5160 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5161 		bcn->assocresp_ies_len =
5162 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5163 	}
5164 
5165 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5166 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5167 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5168 	}
5169 
5170 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5171 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5172 
5173 		err = nla_parse_nested_deprecated(tb,
5174 						  NL80211_FTM_RESP_ATTR_MAX,
5175 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5176 						  NULL, NULL);
5177 		if (err)
5178 			return err;
5179 
5180 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5181 		    wiphy_ext_feature_isset(&rdev->wiphy,
5182 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5183 			bcn->ftm_responder = 1;
5184 		else
5185 			return -EOPNOTSUPP;
5186 
5187 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5188 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5189 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5190 		}
5191 
5192 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5193 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5194 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5195 		}
5196 	} else {
5197 		bcn->ftm_responder = -1;
5198 	}
5199 
5200 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5201 		struct cfg80211_mbssid_elems *mbssid =
5202 			nl80211_parse_mbssid_elems(&rdev->wiphy,
5203 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5204 
5205 		if (IS_ERR(mbssid))
5206 			return PTR_ERR(mbssid);
5207 
5208 		bcn->mbssid_ies = mbssid;
5209 	}
5210 
5211 	return 0;
5212 }
5213 
5214 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5215 				    struct ieee80211_he_obss_pd *he_obss_pd)
5216 {
5217 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5218 	int err;
5219 
5220 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5221 			       he_obss_pd_policy, NULL);
5222 	if (err)
5223 		return err;
5224 
5225 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5226 		return -EINVAL;
5227 
5228 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5229 
5230 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5231 		he_obss_pd->min_offset =
5232 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5233 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5234 		he_obss_pd->max_offset =
5235 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5236 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5237 		he_obss_pd->non_srg_max_offset =
5238 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5239 
5240 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5241 		return -EINVAL;
5242 
5243 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5244 		memcpy(he_obss_pd->bss_color_bitmap,
5245 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5246 		       sizeof(he_obss_pd->bss_color_bitmap));
5247 
5248 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5249 		memcpy(he_obss_pd->partial_bssid_bitmap,
5250 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5251 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5252 
5253 	he_obss_pd->enable = true;
5254 
5255 	return 0;
5256 }
5257 
5258 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5259 				      struct cfg80211_he_bss_color *he_bss_color)
5260 {
5261 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5262 	int err;
5263 
5264 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5265 			       he_bss_color_policy, NULL);
5266 	if (err)
5267 		return err;
5268 
5269 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5270 		return -EINVAL;
5271 
5272 	he_bss_color->color =
5273 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5274 	he_bss_color->enabled =
5275 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5276 	he_bss_color->partial =
5277 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5278 
5279 	return 0;
5280 }
5281 
5282 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5283 					struct nlattr *attrs,
5284 					struct cfg80211_ap_settings *params)
5285 {
5286 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5287 	int ret;
5288 	struct cfg80211_fils_discovery *fd = &params->fils_discovery;
5289 
5290 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5291 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5292 		return -EINVAL;
5293 
5294 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5295 			       NULL, NULL);
5296 	if (ret)
5297 		return ret;
5298 
5299 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5300 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5301 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5302 		return -EINVAL;
5303 
5304 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5305 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5306 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5307 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5308 
5309 	return 0;
5310 }
5311 
5312 static int
5313 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5314 				     struct nlattr *attrs,
5315 				     struct cfg80211_ap_settings *params)
5316 {
5317 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5318 	int ret;
5319 	struct cfg80211_unsol_bcast_probe_resp *presp =
5320 					&params->unsol_bcast_probe_resp;
5321 
5322 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5323 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5324 		return -EINVAL;
5325 
5326 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5327 			       attrs, NULL, NULL);
5328 	if (ret)
5329 		return ret;
5330 
5331 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5332 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5333 		return -EINVAL;
5334 
5335 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5336 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5337 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5338 	return 0;
5339 }
5340 
5341 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5342 					    const struct element *rates)
5343 {
5344 	int i;
5345 
5346 	if (!rates)
5347 		return;
5348 
5349 	for (i = 0; i < rates->datalen; i++) {
5350 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5351 			params->ht_required = true;
5352 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5353 			params->vht_required = true;
5354 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5355 			params->he_required = true;
5356 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5357 			params->sae_h2e_required = true;
5358 	}
5359 }
5360 
5361 /*
5362  * Since the nl80211 API didn't include, from the beginning, attributes about
5363  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5364  * benefit of drivers that rebuild IEs in the firmware.
5365  */
5366 static void nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5367 {
5368 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5369 	size_t ies_len = bcn->tail_len;
5370 	const u8 *ies = bcn->tail;
5371 	const struct element *rates;
5372 	const struct element *cap;
5373 
5374 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
5375 	nl80211_check_ap_rate_selectors(params, rates);
5376 
5377 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5378 	nl80211_check_ap_rate_selectors(params, rates);
5379 
5380 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5381 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
5382 		params->ht_cap = (void *)cap->data;
5383 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5384 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
5385 		params->vht_cap = (void *)cap->data;
5386 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5387 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
5388 		params->he_cap = (void *)(cap->data + 1);
5389 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5390 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
5391 		params->he_oper = (void *)(cap->data + 1);
5392 }
5393 
5394 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5395 				   struct cfg80211_ap_settings *params)
5396 {
5397 	struct wireless_dev *wdev;
5398 	bool ret = false;
5399 
5400 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5401 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5402 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5403 			continue;
5404 
5405 		if (!wdev->preset_chandef.chan)
5406 			continue;
5407 
5408 		params->chandef = wdev->preset_chandef;
5409 		ret = true;
5410 		break;
5411 	}
5412 
5413 	return ret;
5414 }
5415 
5416 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5417 				    enum nl80211_auth_type auth_type,
5418 				    enum nl80211_commands cmd)
5419 {
5420 	if (auth_type > NL80211_AUTHTYPE_MAX)
5421 		return false;
5422 
5423 	switch (cmd) {
5424 	case NL80211_CMD_AUTHENTICATE:
5425 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5426 		    auth_type == NL80211_AUTHTYPE_SAE)
5427 			return false;
5428 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5429 					     NL80211_EXT_FEATURE_FILS_STA) &&
5430 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5431 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5432 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
5433 			return false;
5434 		return true;
5435 	case NL80211_CMD_CONNECT:
5436 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5437 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5438 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
5439 		    auth_type == NL80211_AUTHTYPE_SAE)
5440 			return false;
5441 
5442 		/* FILS with SK PFS or PK not supported yet */
5443 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5444 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5445 			return false;
5446 		if (!wiphy_ext_feature_isset(
5447 			    &rdev->wiphy,
5448 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
5449 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
5450 			return false;
5451 		return true;
5452 	case NL80211_CMD_START_AP:
5453 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5454 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
5455 		    auth_type == NL80211_AUTHTYPE_SAE)
5456 			return false;
5457 		/* FILS not supported yet */
5458 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5459 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5460 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5461 			return false;
5462 		return true;
5463 	default:
5464 		return false;
5465 	}
5466 }
5467 
5468 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
5469 {
5470 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5471 	struct net_device *dev = info->user_ptr[1];
5472 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5473 	struct cfg80211_ap_settings *params;
5474 	int err;
5475 
5476 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5477 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5478 		return -EOPNOTSUPP;
5479 
5480 	if (!rdev->ops->start_ap)
5481 		return -EOPNOTSUPP;
5482 
5483 	if (wdev->beacon_interval)
5484 		return -EALREADY;
5485 
5486 	/* these are required for START_AP */
5487 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
5488 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
5489 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
5490 		return -EINVAL;
5491 
5492 	params = kzalloc(sizeof(*params), GFP_KERNEL);
5493 	if (!params)
5494 		return -ENOMEM;
5495 
5496 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon);
5497 	if (err)
5498 		goto out;
5499 
5500 	params->beacon_interval =
5501 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5502 	params->dtim_period =
5503 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
5504 
5505 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
5506 					   params->beacon_interval);
5507 	if (err)
5508 		goto out;
5509 
5510 	/*
5511 	 * In theory, some of these attributes should be required here
5512 	 * but since they were not used when the command was originally
5513 	 * added, keep them optional for old user space programs to let
5514 	 * them continue to work with drivers that do not need the
5515 	 * additional information -- drivers must check!
5516 	 */
5517 	if (info->attrs[NL80211_ATTR_SSID]) {
5518 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5519 		params->ssid_len =
5520 			nla_len(info->attrs[NL80211_ATTR_SSID]);
5521 		if (params->ssid_len == 0) {
5522 			err = -EINVAL;
5523 			goto out;
5524 		}
5525 	}
5526 
5527 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
5528 		params->hidden_ssid = nla_get_u32(
5529 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
5530 
5531 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
5532 
5533 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
5534 		params->auth_type = nla_get_u32(
5535 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
5536 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
5537 					     NL80211_CMD_START_AP)) {
5538 			err = -EINVAL;
5539 			goto out;
5540 		}
5541 	} else
5542 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
5543 
5544 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
5545 				      NL80211_MAX_NR_CIPHER_SUITES);
5546 	if (err)
5547 		goto out;
5548 
5549 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
5550 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
5551 			err = -EOPNOTSUPP;
5552 			goto out;
5553 		}
5554 		params->inactivity_timeout = nla_get_u16(
5555 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
5556 	}
5557 
5558 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
5559 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5560 			err = -EINVAL;
5561 			goto out;
5562 		}
5563 		params->p2p_ctwindow =
5564 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
5565 		if (params->p2p_ctwindow != 0 &&
5566 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
5567 			err = -EINVAL;
5568 			goto out;
5569 		}
5570 	}
5571 
5572 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
5573 		u8 tmp;
5574 
5575 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5576 			err = -EINVAL;
5577 			goto out;
5578 		}
5579 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
5580 		params->p2p_opp_ps = tmp;
5581 		if (params->p2p_opp_ps != 0 &&
5582 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
5583 			err = -EINVAL;
5584 			goto out;
5585 		}
5586 	}
5587 
5588 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
5589 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
5590 		if (err)
5591 			goto out;
5592 	} else if (wdev->preset_chandef.chan) {
5593 		params->chandef = wdev->preset_chandef;
5594 	} else if (!nl80211_get_ap_channel(rdev, params)) {
5595 		err = -EINVAL;
5596 		goto out;
5597 	}
5598 
5599 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params->chandef,
5600 					   wdev->iftype)) {
5601 		err = -EINVAL;
5602 		goto out;
5603 	}
5604 
5605 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
5606 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
5607 						    NL80211_ATTR_TX_RATES,
5608 						    &params->beacon_rate,
5609 						    dev, false);
5610 		if (err)
5611 			goto out;
5612 
5613 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
5614 					      &params->beacon_rate);
5615 		if (err)
5616 			goto out;
5617 	}
5618 
5619 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
5620 		params->smps_mode =
5621 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
5622 		switch (params->smps_mode) {
5623 		case NL80211_SMPS_OFF:
5624 			break;
5625 		case NL80211_SMPS_STATIC:
5626 			if (!(rdev->wiphy.features &
5627 			      NL80211_FEATURE_STATIC_SMPS)) {
5628 				err = -EINVAL;
5629 				goto out;
5630 			}
5631 			break;
5632 		case NL80211_SMPS_DYNAMIC:
5633 			if (!(rdev->wiphy.features &
5634 			      NL80211_FEATURE_DYNAMIC_SMPS)) {
5635 				err = -EINVAL;
5636 				goto out;
5637 			}
5638 			break;
5639 		default:
5640 			err = -EINVAL;
5641 			goto out;
5642 		}
5643 	} else {
5644 		params->smps_mode = NL80211_SMPS_OFF;
5645 	}
5646 
5647 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
5648 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
5649 		err = -EOPNOTSUPP;
5650 		goto out;
5651 	}
5652 
5653 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
5654 		params->acl = parse_acl_data(&rdev->wiphy, info);
5655 		if (IS_ERR(params->acl)) {
5656 			err = PTR_ERR(params->acl);
5657 			params->acl = NULL;
5658 			goto out;
5659 		}
5660 	}
5661 
5662 	params->twt_responder =
5663 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
5664 
5665 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
5666 		err = nl80211_parse_he_obss_pd(
5667 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
5668 					&params->he_obss_pd);
5669 		if (err)
5670 			goto out;
5671 	}
5672 
5673 	if (info->attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5674 		err = nl80211_parse_he_bss_color(
5675 					info->attrs[NL80211_ATTR_HE_BSS_COLOR],
5676 					&params->he_bss_color);
5677 		if (err)
5678 			goto out;
5679 	}
5680 
5681 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
5682 		err = nl80211_parse_fils_discovery(rdev,
5683 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
5684 						   params);
5685 		if (err)
5686 			goto out;
5687 	}
5688 
5689 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
5690 		err = nl80211_parse_unsol_bcast_probe_resp(
5691 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
5692 			params);
5693 		if (err)
5694 			goto out;
5695 	}
5696 
5697 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
5698 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev,
5699 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
5700 						  &params->mbssid_config,
5701 						  params->beacon.mbssid_ies ?
5702 							params->beacon.mbssid_ies->cnt :
5703 							0);
5704 		if (err)
5705 			goto out;
5706 	}
5707 
5708 	nl80211_calculate_ap_params(params);
5709 
5710 	if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
5711 		params->flags |= AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
5712 
5713 	wdev_lock(wdev);
5714 	err = rdev_start_ap(rdev, dev, params);
5715 	if (!err) {
5716 		wdev->preset_chandef = params->chandef;
5717 		wdev->beacon_interval = params->beacon_interval;
5718 		wdev->chandef = params->chandef;
5719 		wdev->ssid_len = params->ssid_len;
5720 		memcpy(wdev->ssid, params->ssid, wdev->ssid_len);
5721 
5722 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
5723 			wdev->conn_owner_nlportid = info->snd_portid;
5724 	}
5725 	wdev_unlock(wdev);
5726 
5727 out:
5728 	kfree(params->acl);
5729 	kfree(params->beacon.mbssid_ies);
5730 	if (params->mbssid_config.tx_wdev &&
5731 	    params->mbssid_config.tx_wdev->netdev &&
5732 	    params->mbssid_config.tx_wdev->netdev != dev)
5733 		dev_put(params->mbssid_config.tx_wdev->netdev);
5734 	kfree(params);
5735 
5736 	return err;
5737 }
5738 
5739 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
5740 {
5741 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5742 	struct net_device *dev = info->user_ptr[1];
5743 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5744 	struct cfg80211_beacon_data params;
5745 	int err;
5746 
5747 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5748 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5749 		return -EOPNOTSUPP;
5750 
5751 	if (!rdev->ops->change_beacon)
5752 		return -EOPNOTSUPP;
5753 
5754 	if (!wdev->beacon_interval)
5755 		return -EINVAL;
5756 
5757 	err = nl80211_parse_beacon(rdev, info->attrs, &params);
5758 	if (err)
5759 		goto out;
5760 
5761 	wdev_lock(wdev);
5762 	err = rdev_change_beacon(rdev, dev, &params);
5763 	wdev_unlock(wdev);
5764 
5765 out:
5766 	kfree(params.mbssid_ies);
5767 	return err;
5768 }
5769 
5770 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
5771 {
5772 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5773 	struct net_device *dev = info->user_ptr[1];
5774 
5775 	return cfg80211_stop_ap(rdev, dev, false);
5776 }
5777 
5778 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
5779 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
5780 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
5781 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
5782 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
5783 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
5784 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
5785 };
5786 
5787 static int parse_station_flags(struct genl_info *info,
5788 			       enum nl80211_iftype iftype,
5789 			       struct station_parameters *params)
5790 {
5791 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
5792 	struct nlattr *nla;
5793 	int flag;
5794 
5795 	/*
5796 	 * Try parsing the new attribute first so userspace
5797 	 * can specify both for older kernels.
5798 	 */
5799 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
5800 	if (nla) {
5801 		struct nl80211_sta_flag_update *sta_flags;
5802 
5803 		sta_flags = nla_data(nla);
5804 		params->sta_flags_mask = sta_flags->mask;
5805 		params->sta_flags_set = sta_flags->set;
5806 		params->sta_flags_set &= params->sta_flags_mask;
5807 		if ((params->sta_flags_mask |
5808 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
5809 			return -EINVAL;
5810 		return 0;
5811 	}
5812 
5813 	/* if present, parse the old attribute */
5814 
5815 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
5816 	if (!nla)
5817 		return 0;
5818 
5819 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
5820 		return -EINVAL;
5821 
5822 	/*
5823 	 * Only allow certain flags for interface types so that
5824 	 * other attributes are silently ignored. Remember that
5825 	 * this is backward compatibility code with old userspace
5826 	 * and shouldn't be hit in other cases anyway.
5827 	 */
5828 	switch (iftype) {
5829 	case NL80211_IFTYPE_AP:
5830 	case NL80211_IFTYPE_AP_VLAN:
5831 	case NL80211_IFTYPE_P2P_GO:
5832 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5833 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5834 					 BIT(NL80211_STA_FLAG_WME) |
5835 					 BIT(NL80211_STA_FLAG_MFP);
5836 		break;
5837 	case NL80211_IFTYPE_P2P_CLIENT:
5838 	case NL80211_IFTYPE_STATION:
5839 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5840 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
5841 		break;
5842 	case NL80211_IFTYPE_MESH_POINT:
5843 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5844 					 BIT(NL80211_STA_FLAG_MFP) |
5845 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
5846 		break;
5847 	default:
5848 		return -EINVAL;
5849 	}
5850 
5851 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
5852 		if (flags[flag]) {
5853 			params->sta_flags_set |= (1<<flag);
5854 
5855 			/* no longer support new API additions in old API */
5856 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
5857 				return -EINVAL;
5858 		}
5859 	}
5860 
5861 	return 0;
5862 }
5863 
5864 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
5865 {
5866 	struct nlattr *rate;
5867 	u32 bitrate;
5868 	u16 bitrate_compat;
5869 	enum nl80211_rate_info rate_flg;
5870 
5871 	rate = nla_nest_start_noflag(msg, attr);
5872 	if (!rate)
5873 		return false;
5874 
5875 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
5876 	bitrate = cfg80211_calculate_bitrate(info);
5877 	/* report 16-bit bitrate only if we can */
5878 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
5879 	if (bitrate > 0 &&
5880 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
5881 		return false;
5882 	if (bitrate_compat > 0 &&
5883 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
5884 		return false;
5885 
5886 	switch (info->bw) {
5887 	case RATE_INFO_BW_5:
5888 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
5889 		break;
5890 	case RATE_INFO_BW_10:
5891 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
5892 		break;
5893 	default:
5894 		WARN_ON(1);
5895 		fallthrough;
5896 	case RATE_INFO_BW_20:
5897 		rate_flg = 0;
5898 		break;
5899 	case RATE_INFO_BW_40:
5900 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
5901 		break;
5902 	case RATE_INFO_BW_80:
5903 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
5904 		break;
5905 	case RATE_INFO_BW_160:
5906 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
5907 		break;
5908 	case RATE_INFO_BW_HE_RU:
5909 		rate_flg = 0;
5910 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
5911 	}
5912 
5913 	if (rate_flg && nla_put_flag(msg, rate_flg))
5914 		return false;
5915 
5916 	if (info->flags & RATE_INFO_FLAGS_MCS) {
5917 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
5918 			return false;
5919 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5920 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5921 			return false;
5922 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
5923 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
5924 			return false;
5925 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
5926 			return false;
5927 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5928 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5929 			return false;
5930 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
5931 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
5932 			return false;
5933 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
5934 			return false;
5935 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
5936 			return false;
5937 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
5938 			return false;
5939 		if (info->bw == RATE_INFO_BW_HE_RU &&
5940 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
5941 			       info->he_ru_alloc))
5942 			return false;
5943 	}
5944 
5945 	nla_nest_end(msg, rate);
5946 	return true;
5947 }
5948 
5949 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
5950 			       int id)
5951 {
5952 	void *attr;
5953 	int i = 0;
5954 
5955 	if (!mask)
5956 		return true;
5957 
5958 	attr = nla_nest_start_noflag(msg, id);
5959 	if (!attr)
5960 		return false;
5961 
5962 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
5963 		if (!(mask & BIT(i)))
5964 			continue;
5965 
5966 		if (nla_put_u8(msg, i, signal[i]))
5967 			return false;
5968 	}
5969 
5970 	nla_nest_end(msg, attr);
5971 
5972 	return true;
5973 }
5974 
5975 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
5976 				u32 seq, int flags,
5977 				struct cfg80211_registered_device *rdev,
5978 				struct net_device *dev,
5979 				const u8 *mac_addr, struct station_info *sinfo)
5980 {
5981 	void *hdr;
5982 	struct nlattr *sinfoattr, *bss_param;
5983 
5984 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
5985 	if (!hdr) {
5986 		cfg80211_sinfo_release_content(sinfo);
5987 		return -1;
5988 	}
5989 
5990 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5991 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
5992 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
5993 		goto nla_put_failure;
5994 
5995 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
5996 	if (!sinfoattr)
5997 		goto nla_put_failure;
5998 
5999 #define PUT_SINFO(attr, memb, type) do {				\
6000 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6001 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6002 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6003 			     sinfo->memb))				\
6004 		goto nla_put_failure;					\
6005 	} while (0)
6006 #define PUT_SINFO_U64(attr, memb) do {					\
6007 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6008 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6009 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
6010 		goto nla_put_failure;					\
6011 	} while (0)
6012 
6013 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
6014 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
6015 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
6016 
6017 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6018 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6019 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6020 			(u32)sinfo->rx_bytes))
6021 		goto nla_put_failure;
6022 
6023 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6024 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6025 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6026 			(u32)sinfo->tx_bytes))
6027 		goto nla_put_failure;
6028 
6029 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
6030 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
6031 	PUT_SINFO(LLID, llid, u16);
6032 	PUT_SINFO(PLID, plid, u16);
6033 	PUT_SINFO(PLINK_STATE, plink_state, u8);
6034 	PUT_SINFO_U64(RX_DURATION, rx_duration);
6035 	PUT_SINFO_U64(TX_DURATION, tx_duration);
6036 
6037 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6038 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6039 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6040 
6041 	switch (rdev->wiphy.signal_type) {
6042 	case CFG80211_SIGNAL_TYPE_MBM:
6043 		PUT_SINFO(SIGNAL, signal, u8);
6044 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
6045 		break;
6046 	default:
6047 		break;
6048 	}
6049 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6050 		if (!nl80211_put_signal(msg, sinfo->chains,
6051 					sinfo->chain_signal,
6052 					NL80211_STA_INFO_CHAIN_SIGNAL))
6053 			goto nla_put_failure;
6054 	}
6055 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6056 		if (!nl80211_put_signal(msg, sinfo->chains,
6057 					sinfo->chain_signal_avg,
6058 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6059 			goto nla_put_failure;
6060 	}
6061 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6062 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
6063 					  NL80211_STA_INFO_TX_BITRATE))
6064 			goto nla_put_failure;
6065 	}
6066 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6067 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
6068 					  NL80211_STA_INFO_RX_BITRATE))
6069 			goto nla_put_failure;
6070 	}
6071 
6072 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
6073 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
6074 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
6075 	PUT_SINFO(TX_FAILED, tx_failed, u32);
6076 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6077 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
6078 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6079 	PUT_SINFO(LOCAL_PM, local_pm, u32);
6080 	PUT_SINFO(PEER_PM, peer_pm, u32);
6081 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
6082 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
6083 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
6084 
6085 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6086 		bss_param = nla_nest_start_noflag(msg,
6087 						  NL80211_STA_INFO_BSS_PARAM);
6088 		if (!bss_param)
6089 			goto nla_put_failure;
6090 
6091 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
6092 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6093 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6094 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6095 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6096 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6097 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6098 			       sinfo->bss_param.dtim_period) ||
6099 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6100 				sinfo->bss_param.beacon_interval))
6101 			goto nla_put_failure;
6102 
6103 		nla_nest_end(msg, bss_param);
6104 	}
6105 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
6106 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
6107 		    sizeof(struct nl80211_sta_flag_update),
6108 		    &sinfo->sta_flags))
6109 		goto nla_put_failure;
6110 
6111 	PUT_SINFO_U64(T_OFFSET, t_offset);
6112 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6113 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
6114 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6115 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6116 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6117 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6118 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6119 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
6120 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6121 	}
6122 
6123 #undef PUT_SINFO
6124 #undef PUT_SINFO_U64
6125 
6126 	if (sinfo->pertid) {
6127 		struct nlattr *tidsattr;
6128 		int tid;
6129 
6130 		tidsattr = nla_nest_start_noflag(msg,
6131 						 NL80211_STA_INFO_TID_STATS);
6132 		if (!tidsattr)
6133 			goto nla_put_failure;
6134 
6135 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6136 			struct cfg80211_tid_stats *tidstats;
6137 			struct nlattr *tidattr;
6138 
6139 			tidstats = &sinfo->pertid[tid];
6140 
6141 			if (!tidstats->filled)
6142 				continue;
6143 
6144 			tidattr = nla_nest_start_noflag(msg, tid + 1);
6145 			if (!tidattr)
6146 				goto nla_put_failure;
6147 
6148 #define PUT_TIDVAL_U64(attr, memb) do {					\
6149 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6150 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6151 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6152 		goto nla_put_failure;					\
6153 	} while (0)
6154 
6155 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6156 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6157 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6158 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6159 
6160 #undef PUT_TIDVAL_U64
6161 			if ((tidstats->filled &
6162 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6163 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6164 						   NL80211_TID_STATS_TXQ_STATS))
6165 				goto nla_put_failure;
6166 
6167 			nla_nest_end(msg, tidattr);
6168 		}
6169 
6170 		nla_nest_end(msg, tidsattr);
6171 	}
6172 
6173 	nla_nest_end(msg, sinfoattr);
6174 
6175 	if (sinfo->assoc_req_ies_len &&
6176 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
6177 		    sinfo->assoc_req_ies))
6178 		goto nla_put_failure;
6179 
6180 	cfg80211_sinfo_release_content(sinfo);
6181 	genlmsg_end(msg, hdr);
6182 	return 0;
6183 
6184  nla_put_failure:
6185 	cfg80211_sinfo_release_content(sinfo);
6186 	genlmsg_cancel(msg, hdr);
6187 	return -EMSGSIZE;
6188 }
6189 
6190 static int nl80211_dump_station(struct sk_buff *skb,
6191 				struct netlink_callback *cb)
6192 {
6193 	struct station_info sinfo;
6194 	struct cfg80211_registered_device *rdev;
6195 	struct wireless_dev *wdev;
6196 	u8 mac_addr[ETH_ALEN];
6197 	int sta_idx = cb->args[2];
6198 	int err;
6199 
6200 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
6201 	if (err)
6202 		return err;
6203 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6204 	__acquire(&rdev->wiphy.mtx);
6205 
6206 	if (!wdev->netdev) {
6207 		err = -EINVAL;
6208 		goto out_err;
6209 	}
6210 
6211 	if (!rdev->ops->dump_station) {
6212 		err = -EOPNOTSUPP;
6213 		goto out_err;
6214 	}
6215 
6216 	while (1) {
6217 		memset(&sinfo, 0, sizeof(sinfo));
6218 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6219 					mac_addr, &sinfo);
6220 		if (err == -ENOENT)
6221 			break;
6222 		if (err)
6223 			goto out_err;
6224 
6225 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6226 				NETLINK_CB(cb->skb).portid,
6227 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6228 				rdev, wdev->netdev, mac_addr,
6229 				&sinfo) < 0)
6230 			goto out;
6231 
6232 		sta_idx++;
6233 	}
6234 
6235  out:
6236 	cb->args[2] = sta_idx;
6237 	err = skb->len;
6238  out_err:
6239 	wiphy_unlock(&rdev->wiphy);
6240 
6241 	return err;
6242 }
6243 
6244 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6245 {
6246 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6247 	struct net_device *dev = info->user_ptr[1];
6248 	struct station_info sinfo;
6249 	struct sk_buff *msg;
6250 	u8 *mac_addr = NULL;
6251 	int err;
6252 
6253 	memset(&sinfo, 0, sizeof(sinfo));
6254 
6255 	if (!info->attrs[NL80211_ATTR_MAC])
6256 		return -EINVAL;
6257 
6258 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6259 
6260 	if (!rdev->ops->get_station)
6261 		return -EOPNOTSUPP;
6262 
6263 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
6264 	if (err)
6265 		return err;
6266 
6267 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6268 	if (!msg) {
6269 		cfg80211_sinfo_release_content(&sinfo);
6270 		return -ENOMEM;
6271 	}
6272 
6273 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
6274 				 info->snd_portid, info->snd_seq, 0,
6275 				 rdev, dev, mac_addr, &sinfo) < 0) {
6276 		nlmsg_free(msg);
6277 		return -ENOBUFS;
6278 	}
6279 
6280 	return genlmsg_reply(msg, info);
6281 }
6282 
6283 int cfg80211_check_station_change(struct wiphy *wiphy,
6284 				  struct station_parameters *params,
6285 				  enum cfg80211_station_type statype)
6286 {
6287 	if (params->listen_interval != -1 &&
6288 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6289 		return -EINVAL;
6290 
6291 	if (params->support_p2p_ps != -1 &&
6292 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6293 		return -EINVAL;
6294 
6295 	if (params->aid &&
6296 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
6297 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6298 		return -EINVAL;
6299 
6300 	/* When you run into this, adjust the code below for the new flag */
6301 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6302 
6303 	switch (statype) {
6304 	case CFG80211_STA_MESH_PEER_KERNEL:
6305 	case CFG80211_STA_MESH_PEER_USER:
6306 		/*
6307 		 * No ignoring the TDLS flag here -- the userspace mesh
6308 		 * code doesn't have the bug of including TDLS in the
6309 		 * mask everywhere.
6310 		 */
6311 		if (params->sta_flags_mask &
6312 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6313 				  BIT(NL80211_STA_FLAG_MFP) |
6314 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
6315 			return -EINVAL;
6316 		break;
6317 	case CFG80211_STA_TDLS_PEER_SETUP:
6318 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6319 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6320 			return -EINVAL;
6321 		/* ignore since it can't change */
6322 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6323 		break;
6324 	default:
6325 		/* disallow mesh-specific things */
6326 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
6327 			return -EINVAL;
6328 		if (params->local_pm)
6329 			return -EINVAL;
6330 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6331 			return -EINVAL;
6332 	}
6333 
6334 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6335 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
6336 		/* TDLS can't be set, ... */
6337 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
6338 			return -EINVAL;
6339 		/*
6340 		 * ... but don't bother the driver with it. This works around
6341 		 * a hostapd/wpa_supplicant issue -- it always includes the
6342 		 * TLDS_PEER flag in the mask even for AP mode.
6343 		 */
6344 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6345 	}
6346 
6347 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6348 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6349 		/* reject other things that can't change */
6350 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
6351 			return -EINVAL;
6352 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
6353 			return -EINVAL;
6354 		if (params->supported_rates)
6355 			return -EINVAL;
6356 		if (params->ext_capab || params->ht_capa || params->vht_capa ||
6357 		    params->he_capa)
6358 			return -EINVAL;
6359 	}
6360 
6361 	if (statype != CFG80211_STA_AP_CLIENT &&
6362 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6363 		if (params->vlan)
6364 			return -EINVAL;
6365 	}
6366 
6367 	switch (statype) {
6368 	case CFG80211_STA_AP_MLME_CLIENT:
6369 		/* Use this only for authorizing/unauthorizing a station */
6370 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
6371 			return -EOPNOTSUPP;
6372 		break;
6373 	case CFG80211_STA_AP_CLIENT:
6374 	case CFG80211_STA_AP_CLIENT_UNASSOC:
6375 		/* accept only the listed bits */
6376 		if (params->sta_flags_mask &
6377 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6378 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6379 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
6380 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6381 				  BIT(NL80211_STA_FLAG_WME) |
6382 				  BIT(NL80211_STA_FLAG_MFP)))
6383 			return -EINVAL;
6384 
6385 		/* but authenticated/associated only if driver handles it */
6386 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6387 		    params->sta_flags_mask &
6388 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6389 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
6390 			return -EINVAL;
6391 		break;
6392 	case CFG80211_STA_IBSS:
6393 	case CFG80211_STA_AP_STA:
6394 		/* reject any changes other than AUTHORIZED */
6395 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
6396 			return -EINVAL;
6397 		break;
6398 	case CFG80211_STA_TDLS_PEER_SETUP:
6399 		/* reject any changes other than AUTHORIZED or WME */
6400 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6401 					       BIT(NL80211_STA_FLAG_WME)))
6402 			return -EINVAL;
6403 		/* force (at least) rates when authorizing */
6404 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
6405 		    !params->supported_rates)
6406 			return -EINVAL;
6407 		break;
6408 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6409 		/* reject any changes */
6410 		return -EINVAL;
6411 	case CFG80211_STA_MESH_PEER_KERNEL:
6412 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6413 			return -EINVAL;
6414 		break;
6415 	case CFG80211_STA_MESH_PEER_USER:
6416 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
6417 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
6418 			return -EINVAL;
6419 		break;
6420 	}
6421 
6422 	/*
6423 	 * Older kernel versions ignored this attribute entirely, so don't
6424 	 * reject attempts to update it but mark it as unused instead so the
6425 	 * driver won't look at the data.
6426 	 */
6427 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
6428 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
6429 		params->opmode_notif_used = false;
6430 
6431 	return 0;
6432 }
6433 EXPORT_SYMBOL(cfg80211_check_station_change);
6434 
6435 /*
6436  * Get vlan interface making sure it is running and on the right wiphy.
6437  */
6438 static struct net_device *get_vlan(struct genl_info *info,
6439 				   struct cfg80211_registered_device *rdev)
6440 {
6441 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
6442 	struct net_device *v;
6443 	int ret;
6444 
6445 	if (!vlanattr)
6446 		return NULL;
6447 
6448 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
6449 	if (!v)
6450 		return ERR_PTR(-ENODEV);
6451 
6452 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
6453 		ret = -EINVAL;
6454 		goto error;
6455 	}
6456 
6457 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
6458 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6459 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6460 		ret = -EINVAL;
6461 		goto error;
6462 	}
6463 
6464 	if (!netif_running(v)) {
6465 		ret = -ENETDOWN;
6466 		goto error;
6467 	}
6468 
6469 	return v;
6470  error:
6471 	dev_put(v);
6472 	return ERR_PTR(ret);
6473 }
6474 
6475 static const struct nla_policy
6476 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
6477 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
6478 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
6479 };
6480 
6481 static int nl80211_parse_sta_wme(struct genl_info *info,
6482 				 struct station_parameters *params)
6483 {
6484 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
6485 	struct nlattr *nla;
6486 	int err;
6487 
6488 	/* parse WME attributes if present */
6489 	if (!info->attrs[NL80211_ATTR_STA_WME])
6490 		return 0;
6491 
6492 	nla = info->attrs[NL80211_ATTR_STA_WME];
6493 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
6494 					  nl80211_sta_wme_policy,
6495 					  info->extack);
6496 	if (err)
6497 		return err;
6498 
6499 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
6500 		params->uapsd_queues = nla_get_u8(
6501 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
6502 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
6503 		return -EINVAL;
6504 
6505 	if (tb[NL80211_STA_WME_MAX_SP])
6506 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
6507 
6508 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
6509 		return -EINVAL;
6510 
6511 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
6512 
6513 	return 0;
6514 }
6515 
6516 static int nl80211_parse_sta_channel_info(struct genl_info *info,
6517 				      struct station_parameters *params)
6518 {
6519 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
6520 		params->supported_channels =
6521 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6522 		params->supported_channels_len =
6523 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6524 		/*
6525 		 * Need to include at least one (first channel, number of
6526 		 * channels) tuple for each subband (checked in policy),
6527 		 * and must have proper tuples for the rest of the data as well.
6528 		 */
6529 		if (params->supported_channels_len % 2)
6530 			return -EINVAL;
6531 	}
6532 
6533 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
6534 		params->supported_oper_classes =
6535 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6536 		params->supported_oper_classes_len =
6537 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6538 	}
6539 	return 0;
6540 }
6541 
6542 static int nl80211_set_station_tdls(struct genl_info *info,
6543 				    struct station_parameters *params)
6544 {
6545 	int err;
6546 	/* Dummy STA entry gets updated once the peer capabilities are known */
6547 	if (info->attrs[NL80211_ATTR_PEER_AID])
6548 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6549 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6550 		params->ht_capa =
6551 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6552 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6553 		params->vht_capa =
6554 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6555 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6556 		params->he_capa =
6557 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6558 		params->he_capa_len =
6559 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6560 	}
6561 
6562 	err = nl80211_parse_sta_channel_info(info, params);
6563 	if (err)
6564 		return err;
6565 
6566 	return nl80211_parse_sta_wme(info, params);
6567 }
6568 
6569 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
6570 					     struct station_parameters *params)
6571 {
6572 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6573 	int idx;
6574 
6575 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
6576 		if (!rdev->ops->set_tx_power ||
6577 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6578 					 NL80211_EXT_FEATURE_STA_TX_PWR))
6579 			return -EOPNOTSUPP;
6580 
6581 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
6582 		params->txpwr.type = nla_get_u8(info->attrs[idx]);
6583 
6584 		if (params->txpwr.type == NL80211_TX_POWER_LIMITED) {
6585 			idx = NL80211_ATTR_STA_TX_POWER;
6586 
6587 			if (info->attrs[idx])
6588 				params->txpwr.power =
6589 					nla_get_s16(info->attrs[idx]);
6590 			else
6591 				return -EINVAL;
6592 		}
6593 		params->sta_modify_mask |= STATION_PARAM_APPLY_STA_TXPOWER;
6594 	}
6595 
6596 	return 0;
6597 }
6598 
6599 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
6600 {
6601 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6602 	struct net_device *dev = info->user_ptr[1];
6603 	struct station_parameters params;
6604 	u8 *mac_addr;
6605 	int err;
6606 
6607 	memset(&params, 0, sizeof(params));
6608 
6609 	if (!rdev->ops->change_station)
6610 		return -EOPNOTSUPP;
6611 
6612 	/*
6613 	 * AID and listen_interval properties can be set only for unassociated
6614 	 * station. Include these parameters here and will check them in
6615 	 * cfg80211_check_station_change().
6616 	 */
6617 	if (info->attrs[NL80211_ATTR_STA_AID])
6618 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6619 
6620 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6621 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6622 
6623 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6624 		params.listen_interval =
6625 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6626 	else
6627 		params.listen_interval = -1;
6628 
6629 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
6630 		params.support_p2p_ps =
6631 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6632 	else
6633 		params.support_p2p_ps = -1;
6634 
6635 	if (!info->attrs[NL80211_ATTR_MAC])
6636 		return -EINVAL;
6637 
6638 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6639 
6640 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
6641 		params.supported_rates =
6642 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6643 		params.supported_rates_len =
6644 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6645 	}
6646 
6647 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6648 		params.capability =
6649 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6650 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6651 	}
6652 
6653 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6654 		params.ext_capab =
6655 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6656 		params.ext_capab_len =
6657 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6658 	}
6659 
6660 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6661 		return -EINVAL;
6662 
6663 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6664 		params.plink_action =
6665 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6666 
6667 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
6668 		params.plink_state =
6669 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
6670 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
6671 			params.peer_aid = nla_get_u16(
6672 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
6673 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
6674 	}
6675 
6676 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
6677 		params.local_pm = nla_get_u32(
6678 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
6679 
6680 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6681 		params.opmode_notif_used = true;
6682 		params.opmode_notif =
6683 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6684 	}
6685 
6686 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6687 		params.he_6ghz_capa =
6688 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6689 
6690 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6691 		params.airtime_weight =
6692 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6693 
6694 	if (params.airtime_weight &&
6695 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6696 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6697 		return -EOPNOTSUPP;
6698 
6699 	err = nl80211_parse_sta_txpower_setting(info, &params);
6700 	if (err)
6701 		return err;
6702 
6703 	/* Include parameters for TDLS peer (will check later) */
6704 	err = nl80211_set_station_tdls(info, &params);
6705 	if (err)
6706 		return err;
6707 
6708 	params.vlan = get_vlan(info, rdev);
6709 	if (IS_ERR(params.vlan))
6710 		return PTR_ERR(params.vlan);
6711 
6712 	switch (dev->ieee80211_ptr->iftype) {
6713 	case NL80211_IFTYPE_AP:
6714 	case NL80211_IFTYPE_AP_VLAN:
6715 	case NL80211_IFTYPE_P2P_GO:
6716 	case NL80211_IFTYPE_P2P_CLIENT:
6717 	case NL80211_IFTYPE_STATION:
6718 	case NL80211_IFTYPE_ADHOC:
6719 	case NL80211_IFTYPE_MESH_POINT:
6720 		break;
6721 	default:
6722 		err = -EOPNOTSUPP;
6723 		goto out_put_vlan;
6724 	}
6725 
6726 	/* driver will call cfg80211_check_station_change() */
6727 	err = rdev_change_station(rdev, dev, mac_addr, &params);
6728 
6729  out_put_vlan:
6730 	dev_put(params.vlan);
6731 
6732 	return err;
6733 }
6734 
6735 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
6736 {
6737 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6738 	int err;
6739 	struct net_device *dev = info->user_ptr[1];
6740 	struct station_parameters params;
6741 	u8 *mac_addr = NULL;
6742 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6743 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
6744 
6745 	memset(&params, 0, sizeof(params));
6746 
6747 	if (!rdev->ops->add_station)
6748 		return -EOPNOTSUPP;
6749 
6750 	if (!info->attrs[NL80211_ATTR_MAC])
6751 		return -EINVAL;
6752 
6753 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6754 		return -EINVAL;
6755 
6756 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
6757 		return -EINVAL;
6758 
6759 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
6760 	    !info->attrs[NL80211_ATTR_PEER_AID])
6761 		return -EINVAL;
6762 
6763 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6764 	params.supported_rates =
6765 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6766 	params.supported_rates_len =
6767 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6768 	params.listen_interval =
6769 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6770 
6771 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6772 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6773 
6774 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
6775 		params.support_p2p_ps =
6776 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6777 	} else {
6778 		/*
6779 		 * if not specified, assume it's supported for P2P GO interface,
6780 		 * and is NOT supported for AP interface
6781 		 */
6782 		params.support_p2p_ps =
6783 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
6784 	}
6785 
6786 	if (info->attrs[NL80211_ATTR_PEER_AID])
6787 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6788 	else
6789 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6790 
6791 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6792 		params.capability =
6793 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6794 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6795 	}
6796 
6797 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6798 		params.ext_capab =
6799 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6800 		params.ext_capab_len =
6801 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6802 	}
6803 
6804 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6805 		params.ht_capa =
6806 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6807 
6808 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6809 		params.vht_capa =
6810 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6811 
6812 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6813 		params.he_capa =
6814 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6815 		params.he_capa_len =
6816 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6817 	}
6818 
6819 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6820 		params.he_6ghz_capa =
6821 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6822 
6823 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6824 		params.opmode_notif_used = true;
6825 		params.opmode_notif =
6826 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6827 	}
6828 
6829 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6830 		params.plink_action =
6831 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6832 
6833 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6834 		params.airtime_weight =
6835 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6836 
6837 	if (params.airtime_weight &&
6838 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6839 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6840 		return -EOPNOTSUPP;
6841 
6842 	err = nl80211_parse_sta_txpower_setting(info, &params);
6843 	if (err)
6844 		return err;
6845 
6846 	err = nl80211_parse_sta_channel_info(info, &params);
6847 	if (err)
6848 		return err;
6849 
6850 	err = nl80211_parse_sta_wme(info, &params);
6851 	if (err)
6852 		return err;
6853 
6854 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6855 		return -EINVAL;
6856 
6857 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
6858 	 * as userspace might just pass through the capabilities from the IEs
6859 	 * directly, rather than enforcing this restriction and returning an
6860 	 * error in this case.
6861 	 */
6862 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
6863 		params.ht_capa = NULL;
6864 		params.vht_capa = NULL;
6865 
6866 		/* HE requires WME */
6867 		if (params.he_capa_len || params.he_6ghz_capa)
6868 			return -EINVAL;
6869 	}
6870 
6871 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
6872 	if (params.he_6ghz_capa && (params.ht_capa || params.vht_capa))
6873 		return -EINVAL;
6874 
6875 	/* When you run into this, adjust the code below for the new flag */
6876 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6877 
6878 	switch (dev->ieee80211_ptr->iftype) {
6879 	case NL80211_IFTYPE_AP:
6880 	case NL80211_IFTYPE_AP_VLAN:
6881 	case NL80211_IFTYPE_P2P_GO:
6882 		/* ignore WME attributes if iface/sta is not capable */
6883 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
6884 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
6885 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6886 
6887 		/* TDLS peers cannot be added */
6888 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
6889 		    info->attrs[NL80211_ATTR_PEER_AID])
6890 			return -EINVAL;
6891 		/* but don't bother the driver with it */
6892 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6893 
6894 		/* allow authenticated/associated only if driver handles it */
6895 		if (!(rdev->wiphy.features &
6896 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6897 		    params.sta_flags_mask & auth_assoc)
6898 			return -EINVAL;
6899 
6900 		/* Older userspace, or userspace wanting to be compatible with
6901 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
6902 		 * and assoc flags in the mask, but assumes the station will be
6903 		 * added as associated anyway since this was the required driver
6904 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
6905 		 * introduced.
6906 		 * In order to not bother drivers with this quirk in the API
6907 		 * set the flags in both the mask and set for new stations in
6908 		 * this case.
6909 		 */
6910 		if (!(params.sta_flags_mask & auth_assoc)) {
6911 			params.sta_flags_mask |= auth_assoc;
6912 			params.sta_flags_set |= auth_assoc;
6913 		}
6914 
6915 		/* must be last in here for error handling */
6916 		params.vlan = get_vlan(info, rdev);
6917 		if (IS_ERR(params.vlan))
6918 			return PTR_ERR(params.vlan);
6919 		break;
6920 	case NL80211_IFTYPE_MESH_POINT:
6921 		/* ignore uAPSD data */
6922 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6923 
6924 		/* associated is disallowed */
6925 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
6926 			return -EINVAL;
6927 		/* TDLS peers cannot be added */
6928 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
6929 		    info->attrs[NL80211_ATTR_PEER_AID])
6930 			return -EINVAL;
6931 		break;
6932 	case NL80211_IFTYPE_STATION:
6933 	case NL80211_IFTYPE_P2P_CLIENT:
6934 		/* ignore uAPSD data */
6935 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6936 
6937 		/* these are disallowed */
6938 		if (params.sta_flags_mask &
6939 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
6940 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
6941 			return -EINVAL;
6942 		/* Only TDLS peers can be added */
6943 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6944 			return -EINVAL;
6945 		/* Can only add if TDLS ... */
6946 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
6947 			return -EOPNOTSUPP;
6948 		/* ... with external setup is supported */
6949 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
6950 			return -EOPNOTSUPP;
6951 		/*
6952 		 * Older wpa_supplicant versions always mark the TDLS peer
6953 		 * as authorized, but it shouldn't yet be.
6954 		 */
6955 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
6956 		break;
6957 	default:
6958 		return -EOPNOTSUPP;
6959 	}
6960 
6961 	/* be aware of params.vlan when changing code here */
6962 
6963 	err = rdev_add_station(rdev, dev, mac_addr, &params);
6964 
6965 	dev_put(params.vlan);
6966 	return err;
6967 }
6968 
6969 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
6970 {
6971 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6972 	struct net_device *dev = info->user_ptr[1];
6973 	struct station_del_parameters params;
6974 
6975 	memset(&params, 0, sizeof(params));
6976 
6977 	if (info->attrs[NL80211_ATTR_MAC])
6978 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
6979 
6980 	switch (dev->ieee80211_ptr->iftype) {
6981 	case NL80211_IFTYPE_AP:
6982 	case NL80211_IFTYPE_AP_VLAN:
6983 	case NL80211_IFTYPE_MESH_POINT:
6984 	case NL80211_IFTYPE_P2P_GO:
6985 		/* always accept these */
6986 		break;
6987 	case NL80211_IFTYPE_ADHOC:
6988 		/* conditionally accept */
6989 		if (wiphy_ext_feature_isset(&rdev->wiphy,
6990 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
6991 			break;
6992 		return -EINVAL;
6993 	default:
6994 		return -EINVAL;
6995 	}
6996 
6997 	if (!rdev->ops->del_station)
6998 		return -EOPNOTSUPP;
6999 
7000 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
7001 		params.subtype =
7002 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
7003 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
7004 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
7005 			return -EINVAL;
7006 	} else {
7007 		/* Default to Deauthentication frame */
7008 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
7009 	}
7010 
7011 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
7012 		params.reason_code =
7013 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7014 		if (params.reason_code == 0)
7015 			return -EINVAL; /* 0 is reserved */
7016 	} else {
7017 		/* Default to reason code 2 */
7018 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
7019 	}
7020 
7021 	return rdev_del_station(rdev, dev, &params);
7022 }
7023 
7024 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
7025 				int flags, struct net_device *dev,
7026 				u8 *dst, u8 *next_hop,
7027 				struct mpath_info *pinfo)
7028 {
7029 	void *hdr;
7030 	struct nlattr *pinfoattr;
7031 
7032 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
7033 	if (!hdr)
7034 		return -1;
7035 
7036 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7037 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
7038 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
7039 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
7040 		goto nla_put_failure;
7041 
7042 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
7043 	if (!pinfoattr)
7044 		goto nla_put_failure;
7045 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
7046 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
7047 			pinfo->frame_qlen))
7048 		goto nla_put_failure;
7049 	if (((pinfo->filled & MPATH_INFO_SN) &&
7050 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
7051 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
7052 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
7053 			 pinfo->metric)) ||
7054 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
7055 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
7056 			 pinfo->exptime)) ||
7057 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
7058 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
7059 			pinfo->flags)) ||
7060 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
7061 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
7062 			 pinfo->discovery_timeout)) ||
7063 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
7064 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
7065 			pinfo->discovery_retries)) ||
7066 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
7067 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
7068 			pinfo->hop_count)) ||
7069 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
7070 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
7071 			 pinfo->path_change_count)))
7072 		goto nla_put_failure;
7073 
7074 	nla_nest_end(msg, pinfoattr);
7075 
7076 	genlmsg_end(msg, hdr);
7077 	return 0;
7078 
7079  nla_put_failure:
7080 	genlmsg_cancel(msg, hdr);
7081 	return -EMSGSIZE;
7082 }
7083 
7084 static int nl80211_dump_mpath(struct sk_buff *skb,
7085 			      struct netlink_callback *cb)
7086 {
7087 	struct mpath_info pinfo;
7088 	struct cfg80211_registered_device *rdev;
7089 	struct wireless_dev *wdev;
7090 	u8 dst[ETH_ALEN];
7091 	u8 next_hop[ETH_ALEN];
7092 	int path_idx = cb->args[2];
7093 	int err;
7094 
7095 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
7096 	if (err)
7097 		return err;
7098 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7099 	__acquire(&rdev->wiphy.mtx);
7100 
7101 	if (!rdev->ops->dump_mpath) {
7102 		err = -EOPNOTSUPP;
7103 		goto out_err;
7104 	}
7105 
7106 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7107 		err = -EOPNOTSUPP;
7108 		goto out_err;
7109 	}
7110 
7111 	while (1) {
7112 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
7113 				      next_hop, &pinfo);
7114 		if (err == -ENOENT)
7115 			break;
7116 		if (err)
7117 			goto out_err;
7118 
7119 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7120 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7121 				       wdev->netdev, dst, next_hop,
7122 				       &pinfo) < 0)
7123 			goto out;
7124 
7125 		path_idx++;
7126 	}
7127 
7128  out:
7129 	cb->args[2] = path_idx;
7130 	err = skb->len;
7131  out_err:
7132 	wiphy_unlock(&rdev->wiphy);
7133 	return err;
7134 }
7135 
7136 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
7137 {
7138 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7139 	int err;
7140 	struct net_device *dev = info->user_ptr[1];
7141 	struct mpath_info pinfo;
7142 	struct sk_buff *msg;
7143 	u8 *dst = NULL;
7144 	u8 next_hop[ETH_ALEN];
7145 
7146 	memset(&pinfo, 0, sizeof(pinfo));
7147 
7148 	if (!info->attrs[NL80211_ATTR_MAC])
7149 		return -EINVAL;
7150 
7151 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7152 
7153 	if (!rdev->ops->get_mpath)
7154 		return -EOPNOTSUPP;
7155 
7156 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7157 		return -EOPNOTSUPP;
7158 
7159 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
7160 	if (err)
7161 		return err;
7162 
7163 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7164 	if (!msg)
7165 		return -ENOMEM;
7166 
7167 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7168 				 dev, dst, next_hop, &pinfo) < 0) {
7169 		nlmsg_free(msg);
7170 		return -ENOBUFS;
7171 	}
7172 
7173 	return genlmsg_reply(msg, info);
7174 }
7175 
7176 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
7177 {
7178 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7179 	struct net_device *dev = info->user_ptr[1];
7180 	u8 *dst = NULL;
7181 	u8 *next_hop = NULL;
7182 
7183 	if (!info->attrs[NL80211_ATTR_MAC])
7184 		return -EINVAL;
7185 
7186 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7187 		return -EINVAL;
7188 
7189 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7190 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7191 
7192 	if (!rdev->ops->change_mpath)
7193 		return -EOPNOTSUPP;
7194 
7195 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7196 		return -EOPNOTSUPP;
7197 
7198 	return rdev_change_mpath(rdev, dev, dst, next_hop);
7199 }
7200 
7201 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
7202 {
7203 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7204 	struct net_device *dev = info->user_ptr[1];
7205 	u8 *dst = NULL;
7206 	u8 *next_hop = NULL;
7207 
7208 	if (!info->attrs[NL80211_ATTR_MAC])
7209 		return -EINVAL;
7210 
7211 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7212 		return -EINVAL;
7213 
7214 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7215 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7216 
7217 	if (!rdev->ops->add_mpath)
7218 		return -EOPNOTSUPP;
7219 
7220 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7221 		return -EOPNOTSUPP;
7222 
7223 	return rdev_add_mpath(rdev, dev, dst, next_hop);
7224 }
7225 
7226 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
7227 {
7228 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7229 	struct net_device *dev = info->user_ptr[1];
7230 	u8 *dst = NULL;
7231 
7232 	if (info->attrs[NL80211_ATTR_MAC])
7233 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7234 
7235 	if (!rdev->ops->del_mpath)
7236 		return -EOPNOTSUPP;
7237 
7238 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7239 		return -EOPNOTSUPP;
7240 
7241 	return rdev_del_mpath(rdev, dev, dst);
7242 }
7243 
7244 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
7245 {
7246 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7247 	int err;
7248 	struct net_device *dev = info->user_ptr[1];
7249 	struct mpath_info pinfo;
7250 	struct sk_buff *msg;
7251 	u8 *dst = NULL;
7252 	u8 mpp[ETH_ALEN];
7253 
7254 	memset(&pinfo, 0, sizeof(pinfo));
7255 
7256 	if (!info->attrs[NL80211_ATTR_MAC])
7257 		return -EINVAL;
7258 
7259 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7260 
7261 	if (!rdev->ops->get_mpp)
7262 		return -EOPNOTSUPP;
7263 
7264 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7265 		return -EOPNOTSUPP;
7266 
7267 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
7268 	if (err)
7269 		return err;
7270 
7271 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7272 	if (!msg)
7273 		return -ENOMEM;
7274 
7275 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7276 			       dev, dst, mpp, &pinfo) < 0) {
7277 		nlmsg_free(msg);
7278 		return -ENOBUFS;
7279 	}
7280 
7281 	return genlmsg_reply(msg, info);
7282 }
7283 
7284 static int nl80211_dump_mpp(struct sk_buff *skb,
7285 			    struct netlink_callback *cb)
7286 {
7287 	struct mpath_info pinfo;
7288 	struct cfg80211_registered_device *rdev;
7289 	struct wireless_dev *wdev;
7290 	u8 dst[ETH_ALEN];
7291 	u8 mpp[ETH_ALEN];
7292 	int path_idx = cb->args[2];
7293 	int err;
7294 
7295 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
7296 	if (err)
7297 		return err;
7298 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7299 	__acquire(&rdev->wiphy.mtx);
7300 
7301 	if (!rdev->ops->dump_mpp) {
7302 		err = -EOPNOTSUPP;
7303 		goto out_err;
7304 	}
7305 
7306 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7307 		err = -EOPNOTSUPP;
7308 		goto out_err;
7309 	}
7310 
7311 	while (1) {
7312 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
7313 				    mpp, &pinfo);
7314 		if (err == -ENOENT)
7315 			break;
7316 		if (err)
7317 			goto out_err;
7318 
7319 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7320 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7321 				       wdev->netdev, dst, mpp,
7322 				       &pinfo) < 0)
7323 			goto out;
7324 
7325 		path_idx++;
7326 	}
7327 
7328  out:
7329 	cb->args[2] = path_idx;
7330 	err = skb->len;
7331  out_err:
7332 	wiphy_unlock(&rdev->wiphy);
7333 	return err;
7334 }
7335 
7336 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
7337 {
7338 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7339 	struct net_device *dev = info->user_ptr[1];
7340 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7341 	struct bss_parameters params;
7342 	int err;
7343 
7344 	memset(&params, 0, sizeof(params));
7345 	/* default to not changing parameters */
7346 	params.use_cts_prot = -1;
7347 	params.use_short_preamble = -1;
7348 	params.use_short_slot_time = -1;
7349 	params.ap_isolate = -1;
7350 	params.ht_opmode = -1;
7351 	params.p2p_ctwindow = -1;
7352 	params.p2p_opp_ps = -1;
7353 
7354 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
7355 		params.use_cts_prot =
7356 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
7357 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
7358 		params.use_short_preamble =
7359 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
7360 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
7361 		params.use_short_slot_time =
7362 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
7363 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
7364 		params.basic_rates =
7365 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7366 		params.basic_rates_len =
7367 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7368 	}
7369 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
7370 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
7371 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
7372 		params.ht_opmode =
7373 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
7374 
7375 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
7376 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7377 			return -EINVAL;
7378 		params.p2p_ctwindow =
7379 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
7380 		if (params.p2p_ctwindow != 0 &&
7381 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
7382 			return -EINVAL;
7383 	}
7384 
7385 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
7386 		u8 tmp;
7387 
7388 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7389 			return -EINVAL;
7390 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
7391 		params.p2p_opp_ps = tmp;
7392 		if (params.p2p_opp_ps &&
7393 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
7394 			return -EINVAL;
7395 	}
7396 
7397 	if (!rdev->ops->change_bss)
7398 		return -EOPNOTSUPP;
7399 
7400 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7401 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7402 		return -EOPNOTSUPP;
7403 
7404 	wdev_lock(wdev);
7405 	err = rdev_change_bss(rdev, dev, &params);
7406 	wdev_unlock(wdev);
7407 
7408 	return err;
7409 }
7410 
7411 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
7412 {
7413 	char *data = NULL;
7414 	bool is_indoor;
7415 	enum nl80211_user_reg_hint_type user_reg_hint_type;
7416 	u32 owner_nlportid;
7417 
7418 	/*
7419 	 * You should only get this when cfg80211 hasn't yet initialized
7420 	 * completely when built-in to the kernel right between the time
7421 	 * window between nl80211_init() and regulatory_init(), if that is
7422 	 * even possible.
7423 	 */
7424 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
7425 		return -EINPROGRESS;
7426 
7427 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
7428 		user_reg_hint_type =
7429 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
7430 	else
7431 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
7432 
7433 	switch (user_reg_hint_type) {
7434 	case NL80211_USER_REG_HINT_USER:
7435 	case NL80211_USER_REG_HINT_CELL_BASE:
7436 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
7437 			return -EINVAL;
7438 
7439 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
7440 		return regulatory_hint_user(data, user_reg_hint_type);
7441 	case NL80211_USER_REG_HINT_INDOOR:
7442 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
7443 			owner_nlportid = info->snd_portid;
7444 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
7445 		} else {
7446 			owner_nlportid = 0;
7447 			is_indoor = true;
7448 		}
7449 
7450 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
7451 	default:
7452 		return -EINVAL;
7453 	}
7454 }
7455 
7456 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
7457 {
7458 	return reg_reload_regdb();
7459 }
7460 
7461 static int nl80211_get_mesh_config(struct sk_buff *skb,
7462 				   struct genl_info *info)
7463 {
7464 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7465 	struct net_device *dev = info->user_ptr[1];
7466 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7467 	struct mesh_config cur_params;
7468 	int err = 0;
7469 	void *hdr;
7470 	struct nlattr *pinfoattr;
7471 	struct sk_buff *msg;
7472 
7473 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7474 		return -EOPNOTSUPP;
7475 
7476 	if (!rdev->ops->get_mesh_config)
7477 		return -EOPNOTSUPP;
7478 
7479 	wdev_lock(wdev);
7480 	/* If not connected, get default parameters */
7481 	if (!wdev->mesh_id_len)
7482 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
7483 	else
7484 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
7485 	wdev_unlock(wdev);
7486 
7487 	if (err)
7488 		return err;
7489 
7490 	/* Draw up a netlink message to send back */
7491 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7492 	if (!msg)
7493 		return -ENOMEM;
7494 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7495 			     NL80211_CMD_GET_MESH_CONFIG);
7496 	if (!hdr)
7497 		goto out;
7498 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
7499 	if (!pinfoattr)
7500 		goto nla_put_failure;
7501 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7502 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
7503 			cur_params.dot11MeshRetryTimeout) ||
7504 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
7505 			cur_params.dot11MeshConfirmTimeout) ||
7506 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
7507 			cur_params.dot11MeshHoldingTimeout) ||
7508 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
7509 			cur_params.dot11MeshMaxPeerLinks) ||
7510 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
7511 		       cur_params.dot11MeshMaxRetries) ||
7512 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
7513 		       cur_params.dot11MeshTTL) ||
7514 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
7515 		       cur_params.element_ttl) ||
7516 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7517 		       cur_params.auto_open_plinks) ||
7518 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7519 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
7520 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7521 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
7522 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
7523 			cur_params.path_refresh_time) ||
7524 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7525 			cur_params.min_discovery_timeout) ||
7526 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7527 			cur_params.dot11MeshHWMPactivePathTimeout) ||
7528 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7529 			cur_params.dot11MeshHWMPpreqMinInterval) ||
7530 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7531 			cur_params.dot11MeshHWMPperrMinInterval) ||
7532 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7533 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
7534 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
7535 		       cur_params.dot11MeshHWMPRootMode) ||
7536 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7537 			cur_params.dot11MeshHWMPRannInterval) ||
7538 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7539 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
7540 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
7541 		       cur_params.dot11MeshForwarding) ||
7542 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
7543 			cur_params.rssi_threshold) ||
7544 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
7545 			cur_params.ht_opmode) ||
7546 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7547 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
7548 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7549 			cur_params.dot11MeshHWMProotInterval) ||
7550 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7551 			cur_params.dot11MeshHWMPconfirmationInterval) ||
7552 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
7553 			cur_params.power_mode) ||
7554 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
7555 			cur_params.dot11MeshAwakeWindowDuration) ||
7556 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
7557 			cur_params.plink_timeout) ||
7558 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
7559 		       cur_params.dot11MeshConnectedToMeshGate) ||
7560 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
7561 		       cur_params.dot11MeshNolearn) ||
7562 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
7563 		       cur_params.dot11MeshConnectedToAuthServer))
7564 		goto nla_put_failure;
7565 	nla_nest_end(msg, pinfoattr);
7566 	genlmsg_end(msg, hdr);
7567 	return genlmsg_reply(msg, info);
7568 
7569  nla_put_failure:
7570  out:
7571 	nlmsg_free(msg);
7572 	return -ENOBUFS;
7573 }
7574 
7575 static const struct nla_policy
7576 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
7577 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
7578 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7579 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
7580 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7581 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
7582 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7583 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
7584 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
7585 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
7586 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7587 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7588 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
7589 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
7590 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
7591 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
7592 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
7593 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
7594 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
7595 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
7596 		NLA_POLICY_MIN(NLA_U16, 1),
7597 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
7598 		NLA_POLICY_MIN(NLA_U16, 1),
7599 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
7600 		NLA_POLICY_MIN(NLA_U16, 1),
7601 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
7602 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
7603 		NLA_POLICY_MIN(NLA_U16, 1),
7604 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
7605 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
7606 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
7607 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
7608 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
7609 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
7610 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
7611 		NLA_POLICY_MIN(NLA_U16, 1),
7612 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
7613 		NLA_POLICY_MIN(NLA_U16, 1),
7614 	[NL80211_MESHCONF_POWER_MODE] =
7615 		NLA_POLICY_RANGE(NLA_U32,
7616 				 NL80211_MESH_POWER_ACTIVE,
7617 				 NL80211_MESH_POWER_MAX),
7618 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
7619 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
7620 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7621 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7622 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7623 };
7624 
7625 static const struct nla_policy
7626 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
7627 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
7628 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
7629 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
7630 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
7631 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
7632 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
7633 	[NL80211_MESH_SETUP_IE] =
7634 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
7635 				       IEEE80211_MAX_DATA_LEN),
7636 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
7637 };
7638 
7639 static int nl80211_parse_mesh_config(struct genl_info *info,
7640 				     struct mesh_config *cfg,
7641 				     u32 *mask_out)
7642 {
7643 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
7644 	u32 mask = 0;
7645 	u16 ht_opmode;
7646 
7647 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
7648 do {									\
7649 	if (tb[attr]) {							\
7650 		cfg->param = fn(tb[attr]);				\
7651 		mask |= BIT((attr) - 1);				\
7652 	}								\
7653 } while (0)
7654 
7655 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
7656 		return -EINVAL;
7657 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
7658 		return -EINVAL;
7659 
7660 	/* This makes sure that there aren't more than 32 mesh config
7661 	 * parameters (otherwise our bitfield scheme would not work.) */
7662 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
7663 
7664 	/* Fill in the params struct */
7665 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
7666 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
7667 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
7668 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
7669 				  nla_get_u16);
7670 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
7671 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
7672 				  nla_get_u16);
7673 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
7674 				  NL80211_MESHCONF_MAX_PEER_LINKS,
7675 				  nla_get_u16);
7676 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
7677 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
7678 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
7679 				  NL80211_MESHCONF_TTL, nla_get_u8);
7680 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
7681 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
7682 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
7683 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7684 				  nla_get_u8);
7685 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
7686 				  mask,
7687 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7688 				  nla_get_u32);
7689 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
7690 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7691 				  nla_get_u8);
7692 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
7693 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
7694 				  nla_get_u32);
7695 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
7696 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
7697 		return -EINVAL;
7698 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
7699 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7700 				  nla_get_u16);
7701 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
7702 				  mask,
7703 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7704 				  nla_get_u32);
7705 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
7706 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
7707 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
7708 		return -EINVAL;
7709 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
7710 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7711 				  nla_get_u16);
7712 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
7713 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7714 				  nla_get_u16);
7715 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7716 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
7717 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7718 				  nla_get_u16);
7719 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
7720 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
7721 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
7722 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7723 				  nla_get_u16);
7724 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
7725 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7726 				  nla_get_u8);
7727 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
7728 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
7729 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
7730 				  NL80211_MESHCONF_RSSI_THRESHOLD,
7731 				  nla_get_s32);
7732 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
7733 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
7734 				  nla_get_u8);
7735 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
7736 				  NL80211_MESHCONF_CONNECTED_TO_AS,
7737 				  nla_get_u8);
7738 	/*
7739 	 * Check HT operation mode based on
7740 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
7741 	 */
7742 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
7743 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
7744 
7745 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
7746 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
7747 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
7748 			return -EINVAL;
7749 
7750 		/* NON_HT_STA bit is reserved, but some programs set it */
7751 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
7752 
7753 		cfg->ht_opmode = ht_opmode;
7754 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
7755 	}
7756 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7757 				  dot11MeshHWMPactivePathToRootTimeout, mask,
7758 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7759 				  nla_get_u32);
7760 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
7761 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
7762 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
7763 		return -EINVAL;
7764 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
7765 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7766 				  nla_get_u16);
7767 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
7768 				  mask,
7769 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7770 				  nla_get_u16);
7771 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
7772 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
7773 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
7774 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
7775 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
7776 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
7777 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
7778 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
7779 	if (mask_out)
7780 		*mask_out = mask;
7781 
7782 	return 0;
7783 
7784 #undef FILL_IN_MESH_PARAM_IF_SET
7785 }
7786 
7787 static int nl80211_parse_mesh_setup(struct genl_info *info,
7788 				     struct mesh_setup *setup)
7789 {
7790 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7791 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
7792 
7793 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
7794 		return -EINVAL;
7795 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
7796 		return -EINVAL;
7797 
7798 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
7799 		setup->sync_method =
7800 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
7801 		 IEEE80211_SYNC_METHOD_VENDOR :
7802 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
7803 
7804 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
7805 		setup->path_sel_proto =
7806 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
7807 		 IEEE80211_PATH_PROTOCOL_VENDOR :
7808 		 IEEE80211_PATH_PROTOCOL_HWMP;
7809 
7810 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
7811 		setup->path_metric =
7812 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
7813 		 IEEE80211_PATH_METRIC_VENDOR :
7814 		 IEEE80211_PATH_METRIC_AIRTIME;
7815 
7816 	if (tb[NL80211_MESH_SETUP_IE]) {
7817 		struct nlattr *ieattr =
7818 			tb[NL80211_MESH_SETUP_IE];
7819 		setup->ie = nla_data(ieattr);
7820 		setup->ie_len = nla_len(ieattr);
7821 	}
7822 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
7823 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
7824 		return -EINVAL;
7825 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
7826 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
7827 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
7828 	if (setup->is_secure)
7829 		setup->user_mpm = true;
7830 
7831 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
7832 		if (!setup->user_mpm)
7833 			return -EINVAL;
7834 		setup->auth_id =
7835 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
7836 	}
7837 
7838 	return 0;
7839 }
7840 
7841 static int nl80211_update_mesh_config(struct sk_buff *skb,
7842 				      struct genl_info *info)
7843 {
7844 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7845 	struct net_device *dev = info->user_ptr[1];
7846 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7847 	struct mesh_config cfg;
7848 	u32 mask;
7849 	int err;
7850 
7851 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7852 		return -EOPNOTSUPP;
7853 
7854 	if (!rdev->ops->update_mesh_config)
7855 		return -EOPNOTSUPP;
7856 
7857 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
7858 	if (err)
7859 		return err;
7860 
7861 	wdev_lock(wdev);
7862 	if (!wdev->mesh_id_len)
7863 		err = -ENOLINK;
7864 
7865 	if (!err)
7866 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
7867 
7868 	wdev_unlock(wdev);
7869 
7870 	return err;
7871 }
7872 
7873 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
7874 			      struct sk_buff *msg)
7875 {
7876 	struct nlattr *nl_reg_rules;
7877 	unsigned int i;
7878 
7879 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
7880 	    (regdom->dfs_region &&
7881 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
7882 		goto nla_put_failure;
7883 
7884 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
7885 	if (!nl_reg_rules)
7886 		goto nla_put_failure;
7887 
7888 	for (i = 0; i < regdom->n_reg_rules; i++) {
7889 		struct nlattr *nl_reg_rule;
7890 		const struct ieee80211_reg_rule *reg_rule;
7891 		const struct ieee80211_freq_range *freq_range;
7892 		const struct ieee80211_power_rule *power_rule;
7893 		unsigned int max_bandwidth_khz;
7894 
7895 		reg_rule = &regdom->reg_rules[i];
7896 		freq_range = &reg_rule->freq_range;
7897 		power_rule = &reg_rule->power_rule;
7898 
7899 		nl_reg_rule = nla_nest_start_noflag(msg, i);
7900 		if (!nl_reg_rule)
7901 			goto nla_put_failure;
7902 
7903 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
7904 		if (!max_bandwidth_khz)
7905 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
7906 								  reg_rule);
7907 
7908 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
7909 				reg_rule->flags) ||
7910 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
7911 				freq_range->start_freq_khz) ||
7912 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
7913 				freq_range->end_freq_khz) ||
7914 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
7915 				max_bandwidth_khz) ||
7916 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
7917 				power_rule->max_antenna_gain) ||
7918 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
7919 				power_rule->max_eirp) ||
7920 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
7921 				reg_rule->dfs_cac_ms))
7922 			goto nla_put_failure;
7923 
7924 		nla_nest_end(msg, nl_reg_rule);
7925 	}
7926 
7927 	nla_nest_end(msg, nl_reg_rules);
7928 	return 0;
7929 
7930 nla_put_failure:
7931 	return -EMSGSIZE;
7932 }
7933 
7934 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
7935 {
7936 	const struct ieee80211_regdomain *regdom = NULL;
7937 	struct cfg80211_registered_device *rdev;
7938 	struct wiphy *wiphy = NULL;
7939 	struct sk_buff *msg;
7940 	void *hdr;
7941 
7942 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7943 	if (!msg)
7944 		return -ENOBUFS;
7945 
7946 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7947 			     NL80211_CMD_GET_REG);
7948 	if (!hdr)
7949 		goto put_failure;
7950 
7951 	rtnl_lock();
7952 
7953 	if (info->attrs[NL80211_ATTR_WIPHY]) {
7954 		bool self_managed;
7955 
7956 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
7957 		if (IS_ERR(rdev)) {
7958 			nlmsg_free(msg);
7959 			rtnl_unlock();
7960 			return PTR_ERR(rdev);
7961 		}
7962 
7963 		wiphy = &rdev->wiphy;
7964 		self_managed = wiphy->regulatory_flags &
7965 			       REGULATORY_WIPHY_SELF_MANAGED;
7966 		regdom = get_wiphy_regdom(wiphy);
7967 
7968 		/* a self-managed-reg device must have a private regdom */
7969 		if (WARN_ON(!regdom && self_managed)) {
7970 			nlmsg_free(msg);
7971 			rtnl_unlock();
7972 			return -EINVAL;
7973 		}
7974 
7975 		if (regdom &&
7976 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
7977 			goto nla_put_failure;
7978 	}
7979 
7980 	if (!wiphy && reg_last_request_cell_base() &&
7981 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
7982 			NL80211_USER_REG_HINT_CELL_BASE))
7983 		goto nla_put_failure;
7984 
7985 	rcu_read_lock();
7986 
7987 	if (!regdom)
7988 		regdom = rcu_dereference(cfg80211_regdomain);
7989 
7990 	if (nl80211_put_regdom(regdom, msg))
7991 		goto nla_put_failure_rcu;
7992 
7993 	rcu_read_unlock();
7994 
7995 	genlmsg_end(msg, hdr);
7996 	rtnl_unlock();
7997 	return genlmsg_reply(msg, info);
7998 
7999 nla_put_failure_rcu:
8000 	rcu_read_unlock();
8001 nla_put_failure:
8002 	rtnl_unlock();
8003 put_failure:
8004 	nlmsg_free(msg);
8005 	return -EMSGSIZE;
8006 }
8007 
8008 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
8009 			       u32 seq, int flags, struct wiphy *wiphy,
8010 			       const struct ieee80211_regdomain *regdom)
8011 {
8012 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8013 				   NL80211_CMD_GET_REG);
8014 
8015 	if (!hdr)
8016 		return -1;
8017 
8018 	genl_dump_check_consistent(cb, hdr);
8019 
8020 	if (nl80211_put_regdom(regdom, msg))
8021 		goto nla_put_failure;
8022 
8023 	if (!wiphy && reg_last_request_cell_base() &&
8024 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8025 			NL80211_USER_REG_HINT_CELL_BASE))
8026 		goto nla_put_failure;
8027 
8028 	if (wiphy &&
8029 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8030 		goto nla_put_failure;
8031 
8032 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
8033 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
8034 		goto nla_put_failure;
8035 
8036 	genlmsg_end(msg, hdr);
8037 	return 0;
8038 
8039 nla_put_failure:
8040 	genlmsg_cancel(msg, hdr);
8041 	return -EMSGSIZE;
8042 }
8043 
8044 static int nl80211_get_reg_dump(struct sk_buff *skb,
8045 				struct netlink_callback *cb)
8046 {
8047 	const struct ieee80211_regdomain *regdom = NULL;
8048 	struct cfg80211_registered_device *rdev;
8049 	int err, reg_idx, start = cb->args[2];
8050 
8051 	rtnl_lock();
8052 
8053 	if (cfg80211_regdomain && start == 0) {
8054 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8055 					  NLM_F_MULTI, NULL,
8056 					  rtnl_dereference(cfg80211_regdomain));
8057 		if (err < 0)
8058 			goto out_err;
8059 	}
8060 
8061 	/* the global regdom is idx 0 */
8062 	reg_idx = 1;
8063 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
8064 		regdom = get_wiphy_regdom(&rdev->wiphy);
8065 		if (!regdom)
8066 			continue;
8067 
8068 		if (++reg_idx <= start)
8069 			continue;
8070 
8071 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8072 					  NLM_F_MULTI, &rdev->wiphy, regdom);
8073 		if (err < 0) {
8074 			reg_idx--;
8075 			break;
8076 		}
8077 	}
8078 
8079 	cb->args[2] = reg_idx;
8080 	err = skb->len;
8081 out_err:
8082 	rtnl_unlock();
8083 	return err;
8084 }
8085 
8086 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
8087 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
8088 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
8089 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
8090 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
8091 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
8092 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
8093 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
8094 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
8095 };
8096 
8097 static int parse_reg_rule(struct nlattr *tb[],
8098 	struct ieee80211_reg_rule *reg_rule)
8099 {
8100 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
8101 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
8102 
8103 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
8104 		return -EINVAL;
8105 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
8106 		return -EINVAL;
8107 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
8108 		return -EINVAL;
8109 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
8110 		return -EINVAL;
8111 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
8112 		return -EINVAL;
8113 
8114 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
8115 
8116 	freq_range->start_freq_khz =
8117 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
8118 	freq_range->end_freq_khz =
8119 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
8120 	freq_range->max_bandwidth_khz =
8121 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
8122 
8123 	power_rule->max_eirp =
8124 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
8125 
8126 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
8127 		power_rule->max_antenna_gain =
8128 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
8129 
8130 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
8131 		reg_rule->dfs_cac_ms =
8132 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
8133 
8134 	return 0;
8135 }
8136 
8137 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
8138 {
8139 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
8140 	struct nlattr *nl_reg_rule;
8141 	char *alpha2;
8142 	int rem_reg_rules, r;
8143 	u32 num_rules = 0, rule_idx = 0;
8144 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
8145 	struct ieee80211_regdomain *rd;
8146 
8147 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8148 		return -EINVAL;
8149 
8150 	if (!info->attrs[NL80211_ATTR_REG_RULES])
8151 		return -EINVAL;
8152 
8153 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8154 
8155 	if (info->attrs[NL80211_ATTR_DFS_REGION])
8156 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
8157 
8158 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8159 			    rem_reg_rules) {
8160 		num_rules++;
8161 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
8162 			return -EINVAL;
8163 	}
8164 
8165 	rtnl_lock();
8166 	if (!reg_is_valid_request(alpha2)) {
8167 		r = -EINVAL;
8168 		goto out;
8169 	}
8170 
8171 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
8172 	if (!rd) {
8173 		r = -ENOMEM;
8174 		goto out;
8175 	}
8176 
8177 	rd->n_reg_rules = num_rules;
8178 	rd->alpha2[0] = alpha2[0];
8179 	rd->alpha2[1] = alpha2[1];
8180 
8181 	/*
8182 	 * Disable DFS master mode if the DFS region was
8183 	 * not supported or known on this kernel.
8184 	 */
8185 	if (reg_supported_dfs_region(dfs_region))
8186 		rd->dfs_region = dfs_region;
8187 
8188 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8189 			    rem_reg_rules) {
8190 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
8191 						nl_reg_rule, reg_rule_policy,
8192 						info->extack);
8193 		if (r)
8194 			goto bad_reg;
8195 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
8196 		if (r)
8197 			goto bad_reg;
8198 
8199 		rule_idx++;
8200 
8201 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
8202 			r = -EINVAL;
8203 			goto bad_reg;
8204 		}
8205 	}
8206 
8207 	r = set_regdom(rd, REGD_SOURCE_CRDA);
8208 	/* set_regdom takes ownership of rd */
8209 	rd = NULL;
8210  bad_reg:
8211 	kfree(rd);
8212  out:
8213 	rtnl_unlock();
8214 	return r;
8215 }
8216 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
8217 
8218 static int validate_scan_freqs(struct nlattr *freqs)
8219 {
8220 	struct nlattr *attr1, *attr2;
8221 	int n_channels = 0, tmp1, tmp2;
8222 
8223 	nla_for_each_nested(attr1, freqs, tmp1)
8224 		if (nla_len(attr1) != sizeof(u32))
8225 			return 0;
8226 
8227 	nla_for_each_nested(attr1, freqs, tmp1) {
8228 		n_channels++;
8229 		/*
8230 		 * Some hardware has a limited channel list for
8231 		 * scanning, and it is pretty much nonsensical
8232 		 * to scan for a channel twice, so disallow that
8233 		 * and don't require drivers to check that the
8234 		 * channel list they get isn't longer than what
8235 		 * they can scan, as long as they can scan all
8236 		 * the channels they registered at once.
8237 		 */
8238 		nla_for_each_nested(attr2, freqs, tmp2)
8239 			if (attr1 != attr2 &&
8240 			    nla_get_u32(attr1) == nla_get_u32(attr2))
8241 				return 0;
8242 	}
8243 
8244 	return n_channels;
8245 }
8246 
8247 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
8248 {
8249 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
8250 }
8251 
8252 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
8253 			    struct cfg80211_bss_selection *bss_select)
8254 {
8255 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
8256 	struct nlattr *nest;
8257 	int err;
8258 	bool found = false;
8259 	int i;
8260 
8261 	/* only process one nested attribute */
8262 	nest = nla_data(nla);
8263 	if (!nla_ok(nest, nla_len(nest)))
8264 		return -EINVAL;
8265 
8266 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
8267 					  nest, nl80211_bss_select_policy,
8268 					  NULL);
8269 	if (err)
8270 		return err;
8271 
8272 	/* only one attribute may be given */
8273 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
8274 		if (attr[i]) {
8275 			if (found)
8276 				return -EINVAL;
8277 			found = true;
8278 		}
8279 	}
8280 
8281 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
8282 
8283 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
8284 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
8285 
8286 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
8287 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
8288 		bss_select->param.band_pref =
8289 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
8290 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
8291 			return -EINVAL;
8292 	}
8293 
8294 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
8295 		struct nl80211_bss_select_rssi_adjust *adj_param;
8296 
8297 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
8298 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
8299 		bss_select->param.adjust.band = adj_param->band;
8300 		bss_select->param.adjust.delta = adj_param->delta;
8301 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
8302 			return -EINVAL;
8303 	}
8304 
8305 	/* user-space did not provide behaviour attribute */
8306 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
8307 		return -EINVAL;
8308 
8309 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
8310 		return -EINVAL;
8311 
8312 	return 0;
8313 }
8314 
8315 int nl80211_parse_random_mac(struct nlattr **attrs,
8316 			     u8 *mac_addr, u8 *mac_addr_mask)
8317 {
8318 	int i;
8319 
8320 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
8321 		eth_zero_addr(mac_addr);
8322 		eth_zero_addr(mac_addr_mask);
8323 		mac_addr[0] = 0x2;
8324 		mac_addr_mask[0] = 0x3;
8325 
8326 		return 0;
8327 	}
8328 
8329 	/* need both or none */
8330 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
8331 		return -EINVAL;
8332 
8333 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
8334 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
8335 
8336 	/* don't allow or configure an mcast address */
8337 	if (!is_multicast_ether_addr(mac_addr_mask) ||
8338 	    is_multicast_ether_addr(mac_addr))
8339 		return -EINVAL;
8340 
8341 	/*
8342 	 * allow users to pass a MAC address that has bits set outside
8343 	 * of the mask, but don't bother drivers with having to deal
8344 	 * with such bits
8345 	 */
8346 	for (i = 0; i < ETH_ALEN; i++)
8347 		mac_addr[i] &= mac_addr_mask[i];
8348 
8349 	return 0;
8350 }
8351 
8352 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev)
8353 {
8354 	ASSERT_WDEV_LOCK(wdev);
8355 
8356 	if (!cfg80211_beaconing_iface_active(wdev))
8357 		return true;
8358 
8359 	if (!(wdev->chandef.chan->flags & IEEE80211_CHAN_RADAR))
8360 		return true;
8361 
8362 	return regulatory_pre_cac_allowed(wdev->wiphy);
8363 }
8364 
8365 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
8366 				    enum nl80211_ext_feature_index feat)
8367 {
8368 	if (!(flags & flag))
8369 		return true;
8370 	if (wiphy_ext_feature_isset(wiphy, feat))
8371 		return true;
8372 	return false;
8373 }
8374 
8375 static int
8376 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
8377 			 void *request, struct nlattr **attrs,
8378 			 bool is_sched_scan)
8379 {
8380 	u8 *mac_addr, *mac_addr_mask;
8381 	u32 *flags;
8382 	enum nl80211_feature_flags randomness_flag;
8383 
8384 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
8385 		return 0;
8386 
8387 	if (is_sched_scan) {
8388 		struct cfg80211_sched_scan_request *req = request;
8389 
8390 		randomness_flag = wdev ?
8391 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
8392 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
8393 		flags = &req->flags;
8394 		mac_addr = req->mac_addr;
8395 		mac_addr_mask = req->mac_addr_mask;
8396 	} else {
8397 		struct cfg80211_scan_request *req = request;
8398 
8399 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
8400 		flags = &req->flags;
8401 		mac_addr = req->mac_addr;
8402 		mac_addr_mask = req->mac_addr_mask;
8403 	}
8404 
8405 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
8406 
8407 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
8408 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
8409 	    !nl80211_check_scan_feat(wiphy, *flags,
8410 				     NL80211_SCAN_FLAG_LOW_SPAN,
8411 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
8412 	    !nl80211_check_scan_feat(wiphy, *flags,
8413 				     NL80211_SCAN_FLAG_LOW_POWER,
8414 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
8415 	    !nl80211_check_scan_feat(wiphy, *flags,
8416 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
8417 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
8418 	    !nl80211_check_scan_feat(wiphy, *flags,
8419 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
8420 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
8421 	    !nl80211_check_scan_feat(wiphy, *flags,
8422 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
8423 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
8424 	    !nl80211_check_scan_feat(wiphy, *flags,
8425 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
8426 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
8427 	    !nl80211_check_scan_feat(wiphy, *flags,
8428 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
8429 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
8430 	    !nl80211_check_scan_feat(wiphy, *flags,
8431 				     NL80211_SCAN_FLAG_RANDOM_SN,
8432 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
8433 	    !nl80211_check_scan_feat(wiphy, *flags,
8434 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
8435 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
8436 		return -EOPNOTSUPP;
8437 
8438 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
8439 		int err;
8440 
8441 		if (!(wiphy->features & randomness_flag) ||
8442 		    (wdev && wdev->current_bss))
8443 			return -EOPNOTSUPP;
8444 
8445 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
8446 		if (err)
8447 			return err;
8448 	}
8449 
8450 	return 0;
8451 }
8452 
8453 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
8454 {
8455 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8456 	struct wireless_dev *wdev = info->user_ptr[1];
8457 	struct cfg80211_scan_request *request;
8458 	struct nlattr *scan_freqs = NULL;
8459 	bool scan_freqs_khz = false;
8460 	struct nlattr *attr;
8461 	struct wiphy *wiphy;
8462 	int err, tmp, n_ssids = 0, n_channels, i;
8463 	size_t ie_len;
8464 
8465 	wiphy = &rdev->wiphy;
8466 
8467 	if (wdev->iftype == NL80211_IFTYPE_NAN)
8468 		return -EOPNOTSUPP;
8469 
8470 	if (!rdev->ops->scan)
8471 		return -EOPNOTSUPP;
8472 
8473 	if (rdev->scan_req || rdev->scan_msg)
8474 		return -EBUSY;
8475 
8476 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
8477 		if (!wiphy_ext_feature_isset(wiphy,
8478 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
8479 			return -EOPNOTSUPP;
8480 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
8481 		scan_freqs_khz = true;
8482 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
8483 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
8484 
8485 	if (scan_freqs) {
8486 		n_channels = validate_scan_freqs(scan_freqs);
8487 		if (!n_channels)
8488 			return -EINVAL;
8489 	} else {
8490 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8491 	}
8492 
8493 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
8494 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
8495 			n_ssids++;
8496 
8497 	if (n_ssids > wiphy->max_scan_ssids)
8498 		return -EINVAL;
8499 
8500 	if (info->attrs[NL80211_ATTR_IE])
8501 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8502 	else
8503 		ie_len = 0;
8504 
8505 	if (ie_len > wiphy->max_scan_ie_len)
8506 		return -EINVAL;
8507 
8508 	request = kzalloc(sizeof(*request)
8509 			+ sizeof(*request->ssids) * n_ssids
8510 			+ sizeof(*request->channels) * n_channels
8511 			+ ie_len, GFP_KERNEL);
8512 	if (!request)
8513 		return -ENOMEM;
8514 
8515 	if (n_ssids)
8516 		request->ssids = (void *)&request->channels[n_channels];
8517 	request->n_ssids = n_ssids;
8518 	if (ie_len) {
8519 		if (n_ssids)
8520 			request->ie = (void *)(request->ssids + n_ssids);
8521 		else
8522 			request->ie = (void *)(request->channels + n_channels);
8523 	}
8524 
8525 	i = 0;
8526 	if (scan_freqs) {
8527 		/* user specified, bail out if channel not found */
8528 		nla_for_each_nested(attr, scan_freqs, tmp) {
8529 			struct ieee80211_channel *chan;
8530 			int freq = nla_get_u32(attr);
8531 
8532 			if (!scan_freqs_khz)
8533 				freq = MHZ_TO_KHZ(freq);
8534 
8535 			chan = ieee80211_get_channel_khz(wiphy, freq);
8536 			if (!chan) {
8537 				err = -EINVAL;
8538 				goto out_free;
8539 			}
8540 
8541 			/* ignore disabled channels */
8542 			if (chan->flags & IEEE80211_CHAN_DISABLED)
8543 				continue;
8544 
8545 			request->channels[i] = chan;
8546 			i++;
8547 		}
8548 	} else {
8549 		enum nl80211_band band;
8550 
8551 		/* all channels */
8552 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
8553 			int j;
8554 
8555 			if (!wiphy->bands[band])
8556 				continue;
8557 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
8558 				struct ieee80211_channel *chan;
8559 
8560 				chan = &wiphy->bands[band]->channels[j];
8561 
8562 				if (chan->flags & IEEE80211_CHAN_DISABLED)
8563 					continue;
8564 
8565 				request->channels[i] = chan;
8566 				i++;
8567 			}
8568 		}
8569 	}
8570 
8571 	if (!i) {
8572 		err = -EINVAL;
8573 		goto out_free;
8574 	}
8575 
8576 	request->n_channels = i;
8577 
8578 	wdev_lock(wdev);
8579 	if (!cfg80211_off_channel_oper_allowed(wdev)) {
8580 		struct ieee80211_channel *chan;
8581 
8582 		if (request->n_channels != 1) {
8583 			wdev_unlock(wdev);
8584 			err = -EBUSY;
8585 			goto out_free;
8586 		}
8587 
8588 		chan = request->channels[0];
8589 		if (chan->center_freq != wdev->chandef.chan->center_freq) {
8590 			wdev_unlock(wdev);
8591 			err = -EBUSY;
8592 			goto out_free;
8593 		}
8594 	}
8595 	wdev_unlock(wdev);
8596 
8597 	i = 0;
8598 	if (n_ssids) {
8599 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
8600 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
8601 				err = -EINVAL;
8602 				goto out_free;
8603 			}
8604 			request->ssids[i].ssid_len = nla_len(attr);
8605 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
8606 			i++;
8607 		}
8608 	}
8609 
8610 	if (info->attrs[NL80211_ATTR_IE]) {
8611 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8612 		memcpy((void *)request->ie,
8613 		       nla_data(info->attrs[NL80211_ATTR_IE]),
8614 		       request->ie_len);
8615 	}
8616 
8617 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8618 		if (wiphy->bands[i])
8619 			request->rates[i] =
8620 				(1 << wiphy->bands[i]->n_bitrates) - 1;
8621 
8622 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
8623 		nla_for_each_nested(attr,
8624 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
8625 				    tmp) {
8626 			enum nl80211_band band = nla_type(attr);
8627 
8628 			if (band < 0 || band >= NUM_NL80211_BANDS) {
8629 				err = -EINVAL;
8630 				goto out_free;
8631 			}
8632 
8633 			if (!wiphy->bands[band])
8634 				continue;
8635 
8636 			err = ieee80211_get_ratemask(wiphy->bands[band],
8637 						     nla_data(attr),
8638 						     nla_len(attr),
8639 						     &request->rates[band]);
8640 			if (err)
8641 				goto out_free;
8642 		}
8643 	}
8644 
8645 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
8646 		request->duration =
8647 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
8648 		request->duration_mandatory =
8649 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
8650 	}
8651 
8652 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
8653 				       false);
8654 	if (err)
8655 		goto out_free;
8656 
8657 	request->no_cck =
8658 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
8659 
8660 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
8661 	 * BSSID to scan for. This was problematic because that same attribute
8662 	 * was already used for another purpose (local random MAC address). The
8663 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
8664 	 * compatibility with older userspace components, also use the
8665 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
8666 	 * the specific BSSID use case instead of the random MAC address
8667 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
8668 	 */
8669 	if (info->attrs[NL80211_ATTR_BSSID])
8670 		memcpy(request->bssid,
8671 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
8672 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
8673 		 info->attrs[NL80211_ATTR_MAC])
8674 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
8675 		       ETH_ALEN);
8676 	else
8677 		eth_broadcast_addr(request->bssid);
8678 
8679 	request->wdev = wdev;
8680 	request->wiphy = &rdev->wiphy;
8681 	request->scan_start = jiffies;
8682 
8683 	rdev->scan_req = request;
8684 	err = cfg80211_scan(rdev);
8685 
8686 	if (err)
8687 		goto out_free;
8688 
8689 	nl80211_send_scan_start(rdev, wdev);
8690 	dev_hold(wdev->netdev);
8691 
8692 	return 0;
8693 
8694  out_free:
8695 	rdev->scan_req = NULL;
8696 	kfree(request);
8697 
8698 	return err;
8699 }
8700 
8701 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
8702 {
8703 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8704 	struct wireless_dev *wdev = info->user_ptr[1];
8705 
8706 	if (!rdev->ops->abort_scan)
8707 		return -EOPNOTSUPP;
8708 
8709 	if (rdev->scan_msg)
8710 		return 0;
8711 
8712 	if (!rdev->scan_req)
8713 		return -ENOENT;
8714 
8715 	rdev_abort_scan(rdev, wdev);
8716 	return 0;
8717 }
8718 
8719 static int
8720 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
8721 			       struct cfg80211_sched_scan_request *request,
8722 			       struct nlattr **attrs)
8723 {
8724 	int tmp, err, i = 0;
8725 	struct nlattr *attr;
8726 
8727 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
8728 		u32 interval;
8729 
8730 		/*
8731 		 * If scan plans are not specified,
8732 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
8733 		 * case one scan plan will be set with the specified scan
8734 		 * interval and infinite number of iterations.
8735 		 */
8736 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
8737 		if (!interval)
8738 			return -EINVAL;
8739 
8740 		request->scan_plans[0].interval =
8741 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
8742 		if (!request->scan_plans[0].interval)
8743 			return -EINVAL;
8744 
8745 		if (request->scan_plans[0].interval >
8746 		    wiphy->max_sched_scan_plan_interval)
8747 			request->scan_plans[0].interval =
8748 				wiphy->max_sched_scan_plan_interval;
8749 
8750 		return 0;
8751 	}
8752 
8753 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
8754 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
8755 
8756 		if (WARN_ON(i >= n_plans))
8757 			return -EINVAL;
8758 
8759 		err = nla_parse_nested_deprecated(plan,
8760 						  NL80211_SCHED_SCAN_PLAN_MAX,
8761 						  attr, nl80211_plan_policy,
8762 						  NULL);
8763 		if (err)
8764 			return err;
8765 
8766 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
8767 			return -EINVAL;
8768 
8769 		request->scan_plans[i].interval =
8770 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
8771 		if (!request->scan_plans[i].interval ||
8772 		    request->scan_plans[i].interval >
8773 		    wiphy->max_sched_scan_plan_interval)
8774 			return -EINVAL;
8775 
8776 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
8777 			request->scan_plans[i].iterations =
8778 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
8779 			if (!request->scan_plans[i].iterations ||
8780 			    (request->scan_plans[i].iterations >
8781 			     wiphy->max_sched_scan_plan_iterations))
8782 				return -EINVAL;
8783 		} else if (i < n_plans - 1) {
8784 			/*
8785 			 * All scan plans but the last one must specify
8786 			 * a finite number of iterations
8787 			 */
8788 			return -EINVAL;
8789 		}
8790 
8791 		i++;
8792 	}
8793 
8794 	/*
8795 	 * The last scan plan must not specify the number of
8796 	 * iterations, it is supposed to run infinitely
8797 	 */
8798 	if (request->scan_plans[n_plans - 1].iterations)
8799 		return  -EINVAL;
8800 
8801 	return 0;
8802 }
8803 
8804 static int
8805 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
8806 				       struct cfg80211_match_set *match_sets,
8807 				       struct nlattr *tb_band_rssi,
8808 				       s32 rssi_thold)
8809 {
8810 	struct nlattr *attr;
8811 	int i, tmp, ret = 0;
8812 
8813 	if (!wiphy_ext_feature_isset(wiphy,
8814 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
8815 		if (tb_band_rssi)
8816 			ret = -EOPNOTSUPP;
8817 		else
8818 			for (i = 0; i < NUM_NL80211_BANDS; i++)
8819 				match_sets->per_band_rssi_thold[i] =
8820 					NL80211_SCAN_RSSI_THOLD_OFF;
8821 		return ret;
8822 	}
8823 
8824 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8825 		match_sets->per_band_rssi_thold[i] = rssi_thold;
8826 
8827 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
8828 		enum nl80211_band band = nla_type(attr);
8829 
8830 		if (band < 0 || band >= NUM_NL80211_BANDS)
8831 			return -EINVAL;
8832 
8833 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
8834 	}
8835 
8836 	return 0;
8837 }
8838 
8839 static struct cfg80211_sched_scan_request *
8840 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
8841 			 struct nlattr **attrs, int max_match_sets)
8842 {
8843 	struct cfg80211_sched_scan_request *request;
8844 	struct nlattr *attr;
8845 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
8846 	enum nl80211_band band;
8847 	size_t ie_len;
8848 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
8849 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
8850 
8851 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
8852 		n_channels = validate_scan_freqs(
8853 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
8854 		if (!n_channels)
8855 			return ERR_PTR(-EINVAL);
8856 	} else {
8857 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8858 	}
8859 
8860 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
8861 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
8862 				    tmp)
8863 			n_ssids++;
8864 
8865 	if (n_ssids > wiphy->max_sched_scan_ssids)
8866 		return ERR_PTR(-EINVAL);
8867 
8868 	/*
8869 	 * First, count the number of 'real' matchsets. Due to an issue with
8870 	 * the old implementation, matchsets containing only the RSSI attribute
8871 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
8872 	 * RSSI for all matchsets, rather than their own matchset for reporting
8873 	 * all APs with a strong RSSI. This is needed to be compatible with
8874 	 * older userspace that treated a matchset with only the RSSI as the
8875 	 * global RSSI for all other matchsets - if there are other matchsets.
8876 	 */
8877 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
8878 		nla_for_each_nested(attr,
8879 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
8880 				    tmp) {
8881 			struct nlattr *rssi;
8882 
8883 			err = nla_parse_nested_deprecated(tb,
8884 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
8885 							  attr,
8886 							  nl80211_match_policy,
8887 							  NULL);
8888 			if (err)
8889 				return ERR_PTR(err);
8890 
8891 			/* SSID and BSSID are mutually exclusive */
8892 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
8893 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
8894 				return ERR_PTR(-EINVAL);
8895 
8896 			/* add other standalone attributes here */
8897 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
8898 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
8899 				n_match_sets++;
8900 				continue;
8901 			}
8902 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
8903 			if (rssi)
8904 				default_match_rssi = nla_get_s32(rssi);
8905 		}
8906 	}
8907 
8908 	/* However, if there's no other matchset, add the RSSI one */
8909 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
8910 		n_match_sets = 1;
8911 
8912 	if (n_match_sets > max_match_sets)
8913 		return ERR_PTR(-EINVAL);
8914 
8915 	if (attrs[NL80211_ATTR_IE])
8916 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
8917 	else
8918 		ie_len = 0;
8919 
8920 	if (ie_len > wiphy->max_sched_scan_ie_len)
8921 		return ERR_PTR(-EINVAL);
8922 
8923 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
8924 		/*
8925 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
8926 		 * each scan plan already specifies its own interval
8927 		 */
8928 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
8929 			return ERR_PTR(-EINVAL);
8930 
8931 		nla_for_each_nested(attr,
8932 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
8933 			n_plans++;
8934 	} else {
8935 		/*
8936 		 * The scan interval attribute is kept for backward
8937 		 * compatibility. If no scan plans are specified and sched scan
8938 		 * interval is specified, one scan plan will be set with this
8939 		 * scan interval and infinite number of iterations.
8940 		 */
8941 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
8942 			return ERR_PTR(-EINVAL);
8943 
8944 		n_plans = 1;
8945 	}
8946 
8947 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
8948 		return ERR_PTR(-EINVAL);
8949 
8950 	if (!wiphy_ext_feature_isset(
8951 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
8952 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
8953 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
8954 		return ERR_PTR(-EINVAL);
8955 
8956 	request = kzalloc(sizeof(*request)
8957 			+ sizeof(*request->ssids) * n_ssids
8958 			+ sizeof(*request->match_sets) * n_match_sets
8959 			+ sizeof(*request->scan_plans) * n_plans
8960 			+ sizeof(*request->channels) * n_channels
8961 			+ ie_len, GFP_KERNEL);
8962 	if (!request)
8963 		return ERR_PTR(-ENOMEM);
8964 
8965 	if (n_ssids)
8966 		request->ssids = (void *)&request->channels[n_channels];
8967 	request->n_ssids = n_ssids;
8968 	if (ie_len) {
8969 		if (n_ssids)
8970 			request->ie = (void *)(request->ssids + n_ssids);
8971 		else
8972 			request->ie = (void *)(request->channels + n_channels);
8973 	}
8974 
8975 	if (n_match_sets) {
8976 		if (request->ie)
8977 			request->match_sets = (void *)(request->ie + ie_len);
8978 		else if (n_ssids)
8979 			request->match_sets =
8980 				(void *)(request->ssids + n_ssids);
8981 		else
8982 			request->match_sets =
8983 				(void *)(request->channels + n_channels);
8984 	}
8985 	request->n_match_sets = n_match_sets;
8986 
8987 	if (n_match_sets)
8988 		request->scan_plans = (void *)(request->match_sets +
8989 					       n_match_sets);
8990 	else if (request->ie)
8991 		request->scan_plans = (void *)(request->ie + ie_len);
8992 	else if (n_ssids)
8993 		request->scan_plans = (void *)(request->ssids + n_ssids);
8994 	else
8995 		request->scan_plans = (void *)(request->channels + n_channels);
8996 
8997 	request->n_scan_plans = n_plans;
8998 
8999 	i = 0;
9000 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9001 		/* user specified, bail out if channel not found */
9002 		nla_for_each_nested(attr,
9003 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
9004 				    tmp) {
9005 			struct ieee80211_channel *chan;
9006 
9007 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
9008 
9009 			if (!chan) {
9010 				err = -EINVAL;
9011 				goto out_free;
9012 			}
9013 
9014 			/* ignore disabled channels */
9015 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9016 				continue;
9017 
9018 			request->channels[i] = chan;
9019 			i++;
9020 		}
9021 	} else {
9022 		/* all channels */
9023 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9024 			int j;
9025 
9026 			if (!wiphy->bands[band])
9027 				continue;
9028 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9029 				struct ieee80211_channel *chan;
9030 
9031 				chan = &wiphy->bands[band]->channels[j];
9032 
9033 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9034 					continue;
9035 
9036 				request->channels[i] = chan;
9037 				i++;
9038 			}
9039 		}
9040 	}
9041 
9042 	if (!i) {
9043 		err = -EINVAL;
9044 		goto out_free;
9045 	}
9046 
9047 	request->n_channels = i;
9048 
9049 	i = 0;
9050 	if (n_ssids) {
9051 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9052 				    tmp) {
9053 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9054 				err = -EINVAL;
9055 				goto out_free;
9056 			}
9057 			request->ssids[i].ssid_len = nla_len(attr);
9058 			memcpy(request->ssids[i].ssid, nla_data(attr),
9059 			       nla_len(attr));
9060 			i++;
9061 		}
9062 	}
9063 
9064 	i = 0;
9065 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9066 		nla_for_each_nested(attr,
9067 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9068 				    tmp) {
9069 			struct nlattr *ssid, *bssid, *rssi;
9070 
9071 			err = nla_parse_nested_deprecated(tb,
9072 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9073 							  attr,
9074 							  nl80211_match_policy,
9075 							  NULL);
9076 			if (err)
9077 				goto out_free;
9078 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
9079 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
9080 
9081 			if (!ssid && !bssid) {
9082 				i++;
9083 				continue;
9084 			}
9085 
9086 			if (WARN_ON(i >= n_match_sets)) {
9087 				/* this indicates a programming error,
9088 				 * the loop above should have verified
9089 				 * things properly
9090 				 */
9091 				err = -EINVAL;
9092 				goto out_free;
9093 			}
9094 
9095 			if (ssid) {
9096 				memcpy(request->match_sets[i].ssid.ssid,
9097 				       nla_data(ssid), nla_len(ssid));
9098 				request->match_sets[i].ssid.ssid_len =
9099 					nla_len(ssid);
9100 			}
9101 			if (bssid)
9102 				memcpy(request->match_sets[i].bssid,
9103 				       nla_data(bssid), ETH_ALEN);
9104 
9105 			/* special attribute - old implementation w/a */
9106 			request->match_sets[i].rssi_thold = default_match_rssi;
9107 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9108 			if (rssi)
9109 				request->match_sets[i].rssi_thold =
9110 					nla_get_s32(rssi);
9111 
9112 			/* Parse per band RSSI attribute */
9113 			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
9114 				&request->match_sets[i],
9115 				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
9116 				request->match_sets[i].rssi_thold);
9117 			if (err)
9118 				goto out_free;
9119 
9120 			i++;
9121 		}
9122 
9123 		/* there was no other matchset, so the RSSI one is alone */
9124 		if (i == 0 && n_match_sets)
9125 			request->match_sets[0].rssi_thold = default_match_rssi;
9126 
9127 		request->min_rssi_thold = INT_MAX;
9128 		for (i = 0; i < n_match_sets; i++)
9129 			request->min_rssi_thold =
9130 				min(request->match_sets[i].rssi_thold,
9131 				    request->min_rssi_thold);
9132 	} else {
9133 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
9134 	}
9135 
9136 	if (ie_len) {
9137 		request->ie_len = ie_len;
9138 		memcpy((void *)request->ie,
9139 		       nla_data(attrs[NL80211_ATTR_IE]),
9140 		       request->ie_len);
9141 	}
9142 
9143 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
9144 	if (err)
9145 		goto out_free;
9146 
9147 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
9148 		request->delay =
9149 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
9150 
9151 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
9152 		request->relative_rssi = nla_get_s8(
9153 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
9154 		request->relative_rssi_set = true;
9155 	}
9156 
9157 	if (request->relative_rssi_set &&
9158 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
9159 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
9160 
9161 		rssi_adjust = nla_data(
9162 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
9163 		request->rssi_adjust.band = rssi_adjust->band;
9164 		request->rssi_adjust.delta = rssi_adjust->delta;
9165 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
9166 			err = -EINVAL;
9167 			goto out_free;
9168 		}
9169 	}
9170 
9171 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
9172 	if (err)
9173 		goto out_free;
9174 
9175 	request->scan_start = jiffies;
9176 
9177 	return request;
9178 
9179 out_free:
9180 	kfree(request);
9181 	return ERR_PTR(err);
9182 }
9183 
9184 static int nl80211_start_sched_scan(struct sk_buff *skb,
9185 				    struct genl_info *info)
9186 {
9187 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9188 	struct net_device *dev = info->user_ptr[1];
9189 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9190 	struct cfg80211_sched_scan_request *sched_scan_req;
9191 	bool want_multi;
9192 	int err;
9193 
9194 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
9195 		return -EOPNOTSUPP;
9196 
9197 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
9198 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
9199 	if (err)
9200 		return err;
9201 
9202 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
9203 						  info->attrs,
9204 						  rdev->wiphy.max_match_sets);
9205 
9206 	err = PTR_ERR_OR_ZERO(sched_scan_req);
9207 	if (err)
9208 		goto out_err;
9209 
9210 	/* leave request id zero for legacy request
9211 	 * or if driver does not support multi-scheduled scan
9212 	 */
9213 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
9214 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
9215 
9216 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
9217 	if (err)
9218 		goto out_free;
9219 
9220 	sched_scan_req->dev = dev;
9221 	sched_scan_req->wiphy = &rdev->wiphy;
9222 
9223 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9224 		sched_scan_req->owner_nlportid = info->snd_portid;
9225 
9226 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
9227 
9228 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
9229 	return 0;
9230 
9231 out_free:
9232 	kfree(sched_scan_req);
9233 out_err:
9234 	return err;
9235 }
9236 
9237 static int nl80211_stop_sched_scan(struct sk_buff *skb,
9238 				   struct genl_info *info)
9239 {
9240 	struct cfg80211_sched_scan_request *req;
9241 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9242 	u64 cookie;
9243 
9244 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
9245 		return -EOPNOTSUPP;
9246 
9247 	if (info->attrs[NL80211_ATTR_COOKIE]) {
9248 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
9249 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
9250 	}
9251 
9252 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
9253 				     struct cfg80211_sched_scan_request,
9254 				     list);
9255 	if (!req || req->reqid ||
9256 	    (req->owner_nlportid &&
9257 	     req->owner_nlportid != info->snd_portid))
9258 		return -ENOENT;
9259 
9260 	return cfg80211_stop_sched_scan_req(rdev, req, false);
9261 }
9262 
9263 static int nl80211_start_radar_detection(struct sk_buff *skb,
9264 					 struct genl_info *info)
9265 {
9266 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9267 	struct net_device *dev = info->user_ptr[1];
9268 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9269 	struct wiphy *wiphy = wdev->wiphy;
9270 	struct cfg80211_chan_def chandef;
9271 	enum nl80211_dfs_regions dfs_region;
9272 	unsigned int cac_time_ms;
9273 	int err;
9274 
9275 	dfs_region = reg_get_dfs_region(wiphy);
9276 	if (dfs_region == NL80211_DFS_UNSET)
9277 		return -EINVAL;
9278 
9279 	err = nl80211_parse_chandef(rdev, info, &chandef);
9280 	if (err)
9281 		return err;
9282 
9283 	if (netif_carrier_ok(dev))
9284 		return -EBUSY;
9285 
9286 	if (wdev->cac_started)
9287 		return -EBUSY;
9288 
9289 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9290 	if (err < 0)
9291 		return err;
9292 
9293 	if (err == 0)
9294 		return -EINVAL;
9295 
9296 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
9297 		return -EINVAL;
9298 
9299 	/* CAC start is offloaded to HW and can't be started manually */
9300 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
9301 		return -EOPNOTSUPP;
9302 
9303 	if (!rdev->ops->start_radar_detection)
9304 		return -EOPNOTSUPP;
9305 
9306 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
9307 	if (WARN_ON(!cac_time_ms))
9308 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
9309 
9310 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
9311 	if (!err) {
9312 		wdev->chandef = chandef;
9313 		wdev->cac_started = true;
9314 		wdev->cac_start_time = jiffies;
9315 		wdev->cac_time_ms = cac_time_ms;
9316 	}
9317 	return err;
9318 }
9319 
9320 static int nl80211_notify_radar_detection(struct sk_buff *skb,
9321 					  struct genl_info *info)
9322 {
9323 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9324 	struct net_device *dev = info->user_ptr[1];
9325 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9326 	struct wiphy *wiphy = wdev->wiphy;
9327 	struct cfg80211_chan_def chandef;
9328 	enum nl80211_dfs_regions dfs_region;
9329 	int err;
9330 
9331 	dfs_region = reg_get_dfs_region(wiphy);
9332 	if (dfs_region == NL80211_DFS_UNSET) {
9333 		GENL_SET_ERR_MSG(info,
9334 				 "DFS Region is not set. Unexpected Radar indication");
9335 		return -EINVAL;
9336 	}
9337 
9338 	err = nl80211_parse_chandef(rdev, info, &chandef);
9339 	if (err) {
9340 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
9341 		return err;
9342 	}
9343 
9344 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9345 	if (err < 0) {
9346 		GENL_SET_ERR_MSG(info, "chandef is invalid");
9347 		return err;
9348 	}
9349 
9350 	if (err == 0) {
9351 		GENL_SET_ERR_MSG(info,
9352 				 "Unexpected Radar indication for chandef/iftype");
9353 		return -EINVAL;
9354 	}
9355 
9356 	/* Do not process this notification if radar is already detected
9357 	 * by kernel on this channel, and return success.
9358 	 */
9359 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
9360 		return 0;
9361 
9362 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
9363 
9364 	cfg80211_sched_dfs_chan_update(rdev);
9365 
9366 	rdev->radar_chandef = chandef;
9367 
9368 	/* Propagate this notification to other radios as well */
9369 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
9370 
9371 	return 0;
9372 }
9373 
9374 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
9375 {
9376 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9377 	struct net_device *dev = info->user_ptr[1];
9378 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9379 	struct cfg80211_csa_settings params;
9380 	struct nlattr **csa_attrs = NULL;
9381 	int err;
9382 	bool need_new_beacon = false;
9383 	bool need_handle_dfs_flag = true;
9384 	int len, i;
9385 	u32 cs_count;
9386 
9387 	if (!rdev->ops->channel_switch ||
9388 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
9389 		return -EOPNOTSUPP;
9390 
9391 	switch (dev->ieee80211_ptr->iftype) {
9392 	case NL80211_IFTYPE_AP:
9393 	case NL80211_IFTYPE_P2P_GO:
9394 		need_new_beacon = true;
9395 		/* For all modes except AP the handle_dfs flag needs to be
9396 		 * supplied to tell the kernel that userspace will handle radar
9397 		 * events when they happen. Otherwise a switch to a channel
9398 		 * requiring DFS will be rejected.
9399 		 */
9400 		need_handle_dfs_flag = false;
9401 
9402 		/* useless if AP is not running */
9403 		if (!wdev->beacon_interval)
9404 			return -ENOTCONN;
9405 		break;
9406 	case NL80211_IFTYPE_ADHOC:
9407 		if (!wdev->ssid_len)
9408 			return -ENOTCONN;
9409 		break;
9410 	case NL80211_IFTYPE_MESH_POINT:
9411 		if (!wdev->mesh_id_len)
9412 			return -ENOTCONN;
9413 		break;
9414 	default:
9415 		return -EOPNOTSUPP;
9416 	}
9417 
9418 	memset(&params, 0, sizeof(params));
9419 	params.beacon_csa.ftm_responder = -1;
9420 
9421 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
9422 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
9423 		return -EINVAL;
9424 
9425 	/* only important for AP, IBSS and mesh create IEs internally */
9426 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
9427 		return -EINVAL;
9428 
9429 	/* Even though the attribute is u32, the specification says
9430 	 * u8, so let's make sure we don't overflow.
9431 	 */
9432 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
9433 	if (cs_count > 255)
9434 		return -EINVAL;
9435 
9436 	params.count = cs_count;
9437 
9438 	if (!need_new_beacon)
9439 		goto skip_beacons;
9440 
9441 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after);
9442 	if (err)
9443 		goto free;
9444 
9445 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
9446 			    GFP_KERNEL);
9447 	if (!csa_attrs) {
9448 		err = -ENOMEM;
9449 		goto free;
9450 	}
9451 
9452 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
9453 					  info->attrs[NL80211_ATTR_CSA_IES],
9454 					  nl80211_policy, info->extack);
9455 	if (err)
9456 		goto free;
9457 
9458 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa);
9459 	if (err)
9460 		goto free;
9461 
9462 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
9463 		err = -EINVAL;
9464 		goto free;
9465 	}
9466 
9467 	len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9468 	if (!len || (len % sizeof(u16))) {
9469 		err = -EINVAL;
9470 		goto free;
9471 	}
9472 
9473 	params.n_counter_offsets_beacon = len / sizeof(u16);
9474 	if (rdev->wiphy.max_num_csa_counters &&
9475 	    (params.n_counter_offsets_beacon >
9476 	     rdev->wiphy.max_num_csa_counters)) {
9477 		err = -EINVAL;
9478 		goto free;
9479 	}
9480 
9481 	params.counter_offsets_beacon =
9482 		nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9483 
9484 	/* sanity checks - counters should fit and be the same */
9485 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
9486 		u16 offset = params.counter_offsets_beacon[i];
9487 
9488 		if (offset >= params.beacon_csa.tail_len) {
9489 			err = -EINVAL;
9490 			goto free;
9491 		}
9492 
9493 		if (params.beacon_csa.tail[offset] != params.count) {
9494 			err = -EINVAL;
9495 			goto free;
9496 		}
9497 	}
9498 
9499 	if (csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
9500 		len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9501 		if (!len || (len % sizeof(u16))) {
9502 			err = -EINVAL;
9503 			goto free;
9504 		}
9505 
9506 		params.n_counter_offsets_presp = len / sizeof(u16);
9507 		if (rdev->wiphy.max_num_csa_counters &&
9508 		    (params.n_counter_offsets_presp >
9509 		     rdev->wiphy.max_num_csa_counters)) {
9510 			err = -EINVAL;
9511 			goto free;
9512 		}
9513 
9514 		params.counter_offsets_presp =
9515 			nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9516 
9517 		/* sanity checks - counters should fit and be the same */
9518 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
9519 			u16 offset = params.counter_offsets_presp[i];
9520 
9521 			if (offset >= params.beacon_csa.probe_resp_len) {
9522 				err = -EINVAL;
9523 				goto free;
9524 			}
9525 
9526 			if (params.beacon_csa.probe_resp[offset] !=
9527 			    params.count) {
9528 				err = -EINVAL;
9529 				goto free;
9530 			}
9531 		}
9532 	}
9533 
9534 skip_beacons:
9535 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
9536 	if (err)
9537 		goto free;
9538 
9539 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
9540 					   wdev->iftype)) {
9541 		err = -EINVAL;
9542 		goto free;
9543 	}
9544 
9545 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
9546 					    &params.chandef,
9547 					    wdev->iftype);
9548 	if (err < 0)
9549 		goto free;
9550 
9551 	if (err > 0) {
9552 		params.radar_required = true;
9553 		if (need_handle_dfs_flag &&
9554 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
9555 			err = -EINVAL;
9556 			goto free;
9557 		}
9558 	}
9559 
9560 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
9561 		params.block_tx = true;
9562 
9563 	wdev_lock(wdev);
9564 	err = rdev_channel_switch(rdev, dev, &params);
9565 	wdev_unlock(wdev);
9566 
9567 free:
9568 	kfree(params.beacon_after.mbssid_ies);
9569 	kfree(params.beacon_csa.mbssid_ies);
9570 	kfree(csa_attrs);
9571 	return err;
9572 }
9573 
9574 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
9575 			    u32 seq, int flags,
9576 			    struct cfg80211_registered_device *rdev,
9577 			    struct wireless_dev *wdev,
9578 			    struct cfg80211_internal_bss *intbss)
9579 {
9580 	struct cfg80211_bss *res = &intbss->pub;
9581 	const struct cfg80211_bss_ies *ies;
9582 	void *hdr;
9583 	struct nlattr *bss;
9584 
9585 	ASSERT_WDEV_LOCK(wdev);
9586 
9587 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
9588 			     NL80211_CMD_NEW_SCAN_RESULTS);
9589 	if (!hdr)
9590 		return -1;
9591 
9592 	genl_dump_check_consistent(cb, hdr);
9593 
9594 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
9595 		goto nla_put_failure;
9596 	if (wdev->netdev &&
9597 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
9598 		goto nla_put_failure;
9599 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
9600 			      NL80211_ATTR_PAD))
9601 		goto nla_put_failure;
9602 
9603 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
9604 	if (!bss)
9605 		goto nla_put_failure;
9606 	if ((!is_zero_ether_addr(res->bssid) &&
9607 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
9608 		goto nla_put_failure;
9609 
9610 	rcu_read_lock();
9611 	/* indicate whether we have probe response data or not */
9612 	if (rcu_access_pointer(res->proberesp_ies) &&
9613 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
9614 		goto fail_unlock_rcu;
9615 
9616 	/* this pointer prefers to be pointed to probe response data
9617 	 * but is always valid
9618 	 */
9619 	ies = rcu_dereference(res->ies);
9620 	if (ies) {
9621 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
9622 				      NL80211_BSS_PAD))
9623 			goto fail_unlock_rcu;
9624 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
9625 					ies->len, ies->data))
9626 			goto fail_unlock_rcu;
9627 	}
9628 
9629 	/* and this pointer is always (unless driver didn't know) beacon data */
9630 	ies = rcu_dereference(res->beacon_ies);
9631 	if (ies && ies->from_beacon) {
9632 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
9633 				      NL80211_BSS_PAD))
9634 			goto fail_unlock_rcu;
9635 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
9636 					ies->len, ies->data))
9637 			goto fail_unlock_rcu;
9638 	}
9639 	rcu_read_unlock();
9640 
9641 	if (res->beacon_interval &&
9642 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
9643 		goto nla_put_failure;
9644 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
9645 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
9646 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
9647 			res->channel->freq_offset) ||
9648 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
9649 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
9650 			jiffies_to_msecs(jiffies - intbss->ts)))
9651 		goto nla_put_failure;
9652 
9653 	if (intbss->parent_tsf &&
9654 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
9655 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
9656 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
9657 		     intbss->parent_bssid)))
9658 		goto nla_put_failure;
9659 
9660 	if (intbss->ts_boottime &&
9661 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
9662 			      intbss->ts_boottime, NL80211_BSS_PAD))
9663 		goto nla_put_failure;
9664 
9665 	if (!nl80211_put_signal(msg, intbss->pub.chains,
9666 				intbss->pub.chain_signal,
9667 				NL80211_BSS_CHAIN_SIGNAL))
9668 		goto nla_put_failure;
9669 
9670 	switch (rdev->wiphy.signal_type) {
9671 	case CFG80211_SIGNAL_TYPE_MBM:
9672 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
9673 			goto nla_put_failure;
9674 		break;
9675 	case CFG80211_SIGNAL_TYPE_UNSPEC:
9676 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
9677 			goto nla_put_failure;
9678 		break;
9679 	default:
9680 		break;
9681 	}
9682 
9683 	switch (wdev->iftype) {
9684 	case NL80211_IFTYPE_P2P_CLIENT:
9685 	case NL80211_IFTYPE_STATION:
9686 		if (intbss == wdev->current_bss &&
9687 		    nla_put_u32(msg, NL80211_BSS_STATUS,
9688 				NL80211_BSS_STATUS_ASSOCIATED))
9689 			goto nla_put_failure;
9690 		break;
9691 	case NL80211_IFTYPE_ADHOC:
9692 		if (intbss == wdev->current_bss &&
9693 		    nla_put_u32(msg, NL80211_BSS_STATUS,
9694 				NL80211_BSS_STATUS_IBSS_JOINED))
9695 			goto nla_put_failure;
9696 		break;
9697 	default:
9698 		break;
9699 	}
9700 
9701 	nla_nest_end(msg, bss);
9702 
9703 	genlmsg_end(msg, hdr);
9704 	return 0;
9705 
9706  fail_unlock_rcu:
9707 	rcu_read_unlock();
9708  nla_put_failure:
9709 	genlmsg_cancel(msg, hdr);
9710 	return -EMSGSIZE;
9711 }
9712 
9713 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
9714 {
9715 	struct cfg80211_registered_device *rdev;
9716 	struct cfg80211_internal_bss *scan;
9717 	struct wireless_dev *wdev;
9718 	int start = cb->args[2], idx = 0;
9719 	int err;
9720 
9721 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
9722 	if (err)
9723 		return err;
9724 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9725 	__acquire(&rdev->wiphy.mtx);
9726 
9727 	wdev_lock(wdev);
9728 	spin_lock_bh(&rdev->bss_lock);
9729 
9730 	/*
9731 	 * dump_scan will be called multiple times to break up the scan results
9732 	 * into multiple messages.  It is unlikely that any more bss-es will be
9733 	 * expired after the first call, so only call only call this on the
9734 	 * first dump_scan invocation.
9735 	 */
9736 	if (start == 0)
9737 		cfg80211_bss_expire(rdev);
9738 
9739 	cb->seq = rdev->bss_generation;
9740 
9741 	list_for_each_entry(scan, &rdev->bss_list, list) {
9742 		if (++idx <= start)
9743 			continue;
9744 		if (nl80211_send_bss(skb, cb,
9745 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
9746 				rdev, wdev, scan) < 0) {
9747 			idx--;
9748 			break;
9749 		}
9750 	}
9751 
9752 	spin_unlock_bh(&rdev->bss_lock);
9753 	wdev_unlock(wdev);
9754 
9755 	cb->args[2] = idx;
9756 	wiphy_unlock(&rdev->wiphy);
9757 
9758 	return skb->len;
9759 }
9760 
9761 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
9762 			       int flags, struct net_device *dev,
9763 			       bool allow_radio_stats,
9764 			       struct survey_info *survey)
9765 {
9766 	void *hdr;
9767 	struct nlattr *infoattr;
9768 
9769 	/* skip radio stats if userspace didn't request them */
9770 	if (!survey->channel && !allow_radio_stats)
9771 		return 0;
9772 
9773 	hdr = nl80211hdr_put(msg, portid, seq, flags,
9774 			     NL80211_CMD_NEW_SURVEY_RESULTS);
9775 	if (!hdr)
9776 		return -ENOMEM;
9777 
9778 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
9779 		goto nla_put_failure;
9780 
9781 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
9782 	if (!infoattr)
9783 		goto nla_put_failure;
9784 
9785 	if (survey->channel &&
9786 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
9787 			survey->channel->center_freq))
9788 		goto nla_put_failure;
9789 
9790 	if (survey->channel && survey->channel->freq_offset &&
9791 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
9792 			survey->channel->freq_offset))
9793 		goto nla_put_failure;
9794 
9795 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
9796 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
9797 		goto nla_put_failure;
9798 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
9799 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
9800 		goto nla_put_failure;
9801 	if ((survey->filled & SURVEY_INFO_TIME) &&
9802 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
9803 			survey->time, NL80211_SURVEY_INFO_PAD))
9804 		goto nla_put_failure;
9805 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
9806 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
9807 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
9808 		goto nla_put_failure;
9809 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
9810 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
9811 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
9812 		goto nla_put_failure;
9813 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
9814 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
9815 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
9816 		goto nla_put_failure;
9817 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
9818 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
9819 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
9820 		goto nla_put_failure;
9821 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
9822 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
9823 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
9824 		goto nla_put_failure;
9825 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
9826 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
9827 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
9828 		goto nla_put_failure;
9829 
9830 	nla_nest_end(msg, infoattr);
9831 
9832 	genlmsg_end(msg, hdr);
9833 	return 0;
9834 
9835  nla_put_failure:
9836 	genlmsg_cancel(msg, hdr);
9837 	return -EMSGSIZE;
9838 }
9839 
9840 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
9841 {
9842 	struct nlattr **attrbuf;
9843 	struct survey_info survey;
9844 	struct cfg80211_registered_device *rdev;
9845 	struct wireless_dev *wdev;
9846 	int survey_idx = cb->args[2];
9847 	int res;
9848 	bool radio_stats;
9849 
9850 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
9851 	if (!attrbuf)
9852 		return -ENOMEM;
9853 
9854 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
9855 	if (res) {
9856 		kfree(attrbuf);
9857 		return res;
9858 	}
9859 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9860 	__acquire(&rdev->wiphy.mtx);
9861 
9862 	/* prepare_wdev_dump parsed the attributes */
9863 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
9864 
9865 	if (!wdev->netdev) {
9866 		res = -EINVAL;
9867 		goto out_err;
9868 	}
9869 
9870 	if (!rdev->ops->dump_survey) {
9871 		res = -EOPNOTSUPP;
9872 		goto out_err;
9873 	}
9874 
9875 	while (1) {
9876 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
9877 		if (res == -ENOENT)
9878 			break;
9879 		if (res)
9880 			goto out_err;
9881 
9882 		/* don't send disabled channels, but do send non-channel data */
9883 		if (survey.channel &&
9884 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
9885 			survey_idx++;
9886 			continue;
9887 		}
9888 
9889 		if (nl80211_send_survey(skb,
9890 				NETLINK_CB(cb->skb).portid,
9891 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
9892 				wdev->netdev, radio_stats, &survey) < 0)
9893 			goto out;
9894 		survey_idx++;
9895 	}
9896 
9897  out:
9898 	cb->args[2] = survey_idx;
9899 	res = skb->len;
9900  out_err:
9901 	kfree(attrbuf);
9902 	wiphy_unlock(&rdev->wiphy);
9903 	return res;
9904 }
9905 
9906 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
9907 {
9908 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
9909 				  NL80211_WPA_VERSION_2 |
9910 				  NL80211_WPA_VERSION_3));
9911 }
9912 
9913 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
9914 {
9915 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9916 	struct net_device *dev = info->user_ptr[1];
9917 	struct ieee80211_channel *chan;
9918 	const u8 *bssid, *ssid, *ie = NULL, *auth_data = NULL;
9919 	int err, ssid_len, ie_len = 0, auth_data_len = 0;
9920 	enum nl80211_auth_type auth_type;
9921 	struct key_parse key;
9922 	bool local_state_change;
9923 	u32 freq;
9924 
9925 	if (!info->attrs[NL80211_ATTR_MAC])
9926 		return -EINVAL;
9927 
9928 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
9929 		return -EINVAL;
9930 
9931 	if (!info->attrs[NL80211_ATTR_SSID])
9932 		return -EINVAL;
9933 
9934 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
9935 		return -EINVAL;
9936 
9937 	err = nl80211_parse_key(info, &key);
9938 	if (err)
9939 		return err;
9940 
9941 	if (key.idx >= 0) {
9942 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
9943 			return -EINVAL;
9944 		if (!key.p.key || !key.p.key_len)
9945 			return -EINVAL;
9946 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
9947 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
9948 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
9949 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
9950 			return -EINVAL;
9951 		if (key.idx > 3)
9952 			return -EINVAL;
9953 	} else {
9954 		key.p.key_len = 0;
9955 		key.p.key = NULL;
9956 	}
9957 
9958 	if (key.idx >= 0) {
9959 		int i;
9960 		bool ok = false;
9961 
9962 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
9963 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
9964 				ok = true;
9965 				break;
9966 			}
9967 		}
9968 		if (!ok)
9969 			return -EINVAL;
9970 	}
9971 
9972 	if (!rdev->ops->auth)
9973 		return -EOPNOTSUPP;
9974 
9975 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9976 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9977 		return -EOPNOTSUPP;
9978 
9979 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9980 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
9981 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
9982 		freq +=
9983 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
9984 
9985 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
9986 	if (!chan)
9987 		return -EINVAL;
9988 
9989 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9990 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9991 
9992 	if (info->attrs[NL80211_ATTR_IE]) {
9993 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9994 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9995 	}
9996 
9997 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
9998 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
9999 		return -EINVAL;
10000 
10001 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
10002 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
10003 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
10004 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
10005 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
10006 		return -EINVAL;
10007 
10008 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
10009 		if (auth_type != NL80211_AUTHTYPE_SAE &&
10010 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
10011 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
10012 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
10013 			return -EINVAL;
10014 		auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
10015 		auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
10016 	}
10017 
10018 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10019 
10020 	/*
10021 	 * Since we no longer track auth state, ignore
10022 	 * requests to only change local state.
10023 	 */
10024 	if (local_state_change)
10025 		return 0;
10026 
10027 	wdev_lock(dev->ieee80211_ptr);
10028 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
10029 				 ssid, ssid_len, ie, ie_len,
10030 				 key.p.key, key.p.key_len, key.idx,
10031 				 auth_data, auth_data_len);
10032 	wdev_unlock(dev->ieee80211_ptr);
10033 	return err;
10034 }
10035 
10036 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
10037 				     struct genl_info *info)
10038 {
10039 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10040 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
10041 		return -EINVAL;
10042 	}
10043 
10044 	if (!rdev->ops->tx_control_port ||
10045 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10046 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
10047 		return -EOPNOTSUPP;
10048 
10049 	return 0;
10050 }
10051 
10052 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
10053 				   struct genl_info *info,
10054 				   struct cfg80211_crypto_settings *settings,
10055 				   int cipher_limit)
10056 {
10057 	memset(settings, 0, sizeof(*settings));
10058 
10059 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
10060 
10061 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
10062 		u16 proto;
10063 
10064 		proto = nla_get_u16(
10065 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
10066 		settings->control_port_ethertype = cpu_to_be16(proto);
10067 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
10068 		    proto != ETH_P_PAE)
10069 			return -EINVAL;
10070 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
10071 			settings->control_port_no_encrypt = true;
10072 	} else
10073 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
10074 
10075 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10076 		int r = validate_pae_over_nl80211(rdev, info);
10077 
10078 		if (r < 0)
10079 			return r;
10080 
10081 		settings->control_port_over_nl80211 = true;
10082 
10083 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
10084 			settings->control_port_no_preauth = true;
10085 	}
10086 
10087 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
10088 		void *data;
10089 		int len, i;
10090 
10091 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10092 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10093 		settings->n_ciphers_pairwise = len / sizeof(u32);
10094 
10095 		if (len % sizeof(u32))
10096 			return -EINVAL;
10097 
10098 		if (settings->n_ciphers_pairwise > cipher_limit)
10099 			return -EINVAL;
10100 
10101 		memcpy(settings->ciphers_pairwise, data, len);
10102 
10103 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
10104 			if (!cfg80211_supported_cipher_suite(
10105 					&rdev->wiphy,
10106 					settings->ciphers_pairwise[i]))
10107 				return -EINVAL;
10108 	}
10109 
10110 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
10111 		settings->cipher_group =
10112 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
10113 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
10114 						     settings->cipher_group))
10115 			return -EINVAL;
10116 	}
10117 
10118 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
10119 		settings->wpa_versions =
10120 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
10121 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
10122 			return -EINVAL;
10123 	}
10124 
10125 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
10126 		void *data;
10127 		int len;
10128 
10129 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
10130 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
10131 		settings->n_akm_suites = len / sizeof(u32);
10132 
10133 		if (len % sizeof(u32))
10134 			return -EINVAL;
10135 
10136 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
10137 			return -EINVAL;
10138 
10139 		memcpy(settings->akm_suites, data, len);
10140 	}
10141 
10142 	if (info->attrs[NL80211_ATTR_PMK]) {
10143 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
10144 			return -EINVAL;
10145 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10146 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
10147 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10148 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
10149 			return -EINVAL;
10150 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10151 	}
10152 
10153 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
10154 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10155 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
10156 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10157 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
10158 			return -EINVAL;
10159 		settings->sae_pwd =
10160 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10161 		settings->sae_pwd_len =
10162 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10163 	}
10164 
10165 	if (info->attrs[NL80211_ATTR_SAE_PWE])
10166 		settings->sae_pwe =
10167 			nla_get_u8(info->attrs[NL80211_ATTR_SAE_PWE]);
10168 	else
10169 		settings->sae_pwe = NL80211_SAE_PWE_UNSPECIFIED;
10170 
10171 	return 0;
10172 }
10173 
10174 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
10175 {
10176 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10177 	struct net_device *dev = info->user_ptr[1];
10178 	struct ieee80211_channel *chan;
10179 	struct cfg80211_assoc_request req = {};
10180 	const u8 *bssid, *ssid;
10181 	int err, ssid_len = 0;
10182 	u32 freq;
10183 
10184 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10185 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10186 		return -EPERM;
10187 
10188 	if (!info->attrs[NL80211_ATTR_MAC] ||
10189 	    !info->attrs[NL80211_ATTR_SSID] ||
10190 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
10191 		return -EINVAL;
10192 
10193 	if (!rdev->ops->assoc)
10194 		return -EOPNOTSUPP;
10195 
10196 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10197 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10198 		return -EOPNOTSUPP;
10199 
10200 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10201 
10202 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10203 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10204 		freq +=
10205 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10206 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10207 	if (!chan)
10208 		return -EINVAL;
10209 
10210 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10211 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10212 
10213 	if (info->attrs[NL80211_ATTR_IE]) {
10214 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10215 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10216 	}
10217 
10218 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
10219 		enum nl80211_mfp mfp =
10220 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
10221 		if (mfp == NL80211_MFP_REQUIRED)
10222 			req.use_mfp = true;
10223 		else if (mfp != NL80211_MFP_NO)
10224 			return -EINVAL;
10225 	}
10226 
10227 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
10228 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
10229 
10230 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
10231 		req.flags |= ASSOC_REQ_DISABLE_HT;
10232 
10233 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10234 		memcpy(&req.ht_capa_mask,
10235 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10236 		       sizeof(req.ht_capa_mask));
10237 
10238 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10239 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10240 			return -EINVAL;
10241 		memcpy(&req.ht_capa,
10242 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10243 		       sizeof(req.ht_capa));
10244 	}
10245 
10246 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
10247 		req.flags |= ASSOC_REQ_DISABLE_VHT;
10248 
10249 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
10250 		req.flags |= ASSOC_REQ_DISABLE_HE;
10251 
10252 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10253 		memcpy(&req.vht_capa_mask,
10254 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
10255 		       sizeof(req.vht_capa_mask));
10256 
10257 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
10258 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10259 			return -EINVAL;
10260 		memcpy(&req.vht_capa,
10261 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
10262 		       sizeof(req.vht_capa));
10263 	}
10264 
10265 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
10266 		if (!((rdev->wiphy.features &
10267 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
10268 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
10269 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10270 					     NL80211_EXT_FEATURE_RRM))
10271 			return -EINVAL;
10272 		req.flags |= ASSOC_REQ_USE_RRM;
10273 	}
10274 
10275 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
10276 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
10277 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
10278 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
10279 			return -EINVAL;
10280 		req.fils_nonces =
10281 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
10282 	}
10283 
10284 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
10285 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
10286 			return -EINVAL;
10287 		memcpy(&req.s1g_capa_mask,
10288 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
10289 		       sizeof(req.s1g_capa_mask));
10290 	}
10291 
10292 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
10293 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
10294 			return -EINVAL;
10295 		memcpy(&req.s1g_capa,
10296 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
10297 		       sizeof(req.s1g_capa));
10298 	}
10299 
10300 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
10301 	if (!err) {
10302 		wdev_lock(dev->ieee80211_ptr);
10303 
10304 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
10305 					  ssid, ssid_len, &req);
10306 
10307 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10308 			dev->ieee80211_ptr->conn_owner_nlportid =
10309 				info->snd_portid;
10310 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
10311 			       bssid, ETH_ALEN);
10312 		}
10313 
10314 		wdev_unlock(dev->ieee80211_ptr);
10315 	}
10316 
10317 	return err;
10318 }
10319 
10320 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
10321 {
10322 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10323 	struct net_device *dev = info->user_ptr[1];
10324 	const u8 *ie = NULL, *bssid;
10325 	int ie_len = 0, err;
10326 	u16 reason_code;
10327 	bool local_state_change;
10328 
10329 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10330 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10331 		return -EPERM;
10332 
10333 	if (!info->attrs[NL80211_ATTR_MAC])
10334 		return -EINVAL;
10335 
10336 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10337 		return -EINVAL;
10338 
10339 	if (!rdev->ops->deauth)
10340 		return -EOPNOTSUPP;
10341 
10342 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10343 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10344 		return -EOPNOTSUPP;
10345 
10346 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10347 
10348 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10349 	if (reason_code == 0) {
10350 		/* Reason Code 0 is reserved */
10351 		return -EINVAL;
10352 	}
10353 
10354 	if (info->attrs[NL80211_ATTR_IE]) {
10355 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10356 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10357 	}
10358 
10359 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10360 
10361 	wdev_lock(dev->ieee80211_ptr);
10362 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
10363 				   local_state_change);
10364 	wdev_unlock(dev->ieee80211_ptr);
10365 	return err;
10366 }
10367 
10368 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
10369 {
10370 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10371 	struct net_device *dev = info->user_ptr[1];
10372 	const u8 *ie = NULL, *bssid;
10373 	int ie_len = 0, err;
10374 	u16 reason_code;
10375 	bool local_state_change;
10376 
10377 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10378 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10379 		return -EPERM;
10380 
10381 	if (!info->attrs[NL80211_ATTR_MAC])
10382 		return -EINVAL;
10383 
10384 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10385 		return -EINVAL;
10386 
10387 	if (!rdev->ops->disassoc)
10388 		return -EOPNOTSUPP;
10389 
10390 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10391 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10392 		return -EOPNOTSUPP;
10393 
10394 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10395 
10396 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10397 	if (reason_code == 0) {
10398 		/* Reason Code 0 is reserved */
10399 		return -EINVAL;
10400 	}
10401 
10402 	if (info->attrs[NL80211_ATTR_IE]) {
10403 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10404 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10405 	}
10406 
10407 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10408 
10409 	wdev_lock(dev->ieee80211_ptr);
10410 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
10411 				     local_state_change);
10412 	wdev_unlock(dev->ieee80211_ptr);
10413 	return err;
10414 }
10415 
10416 static bool
10417 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
10418 			 int mcast_rate[NUM_NL80211_BANDS],
10419 			 int rateval)
10420 {
10421 	struct wiphy *wiphy = &rdev->wiphy;
10422 	bool found = false;
10423 	int band, i;
10424 
10425 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
10426 		struct ieee80211_supported_band *sband;
10427 
10428 		sband = wiphy->bands[band];
10429 		if (!sband)
10430 			continue;
10431 
10432 		for (i = 0; i < sband->n_bitrates; i++) {
10433 			if (sband->bitrates[i].bitrate == rateval) {
10434 				mcast_rate[band] = i + 1;
10435 				found = true;
10436 				break;
10437 			}
10438 		}
10439 	}
10440 
10441 	return found;
10442 }
10443 
10444 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
10445 {
10446 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10447 	struct net_device *dev = info->user_ptr[1];
10448 	struct cfg80211_ibss_params ibss;
10449 	struct wiphy *wiphy;
10450 	struct cfg80211_cached_keys *connkeys = NULL;
10451 	int err;
10452 
10453 	memset(&ibss, 0, sizeof(ibss));
10454 
10455 	if (!info->attrs[NL80211_ATTR_SSID] ||
10456 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
10457 		return -EINVAL;
10458 
10459 	ibss.beacon_interval = 100;
10460 
10461 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
10462 		ibss.beacon_interval =
10463 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
10464 
10465 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
10466 					   ibss.beacon_interval);
10467 	if (err)
10468 		return err;
10469 
10470 	if (!rdev->ops->join_ibss)
10471 		return -EOPNOTSUPP;
10472 
10473 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
10474 		return -EOPNOTSUPP;
10475 
10476 	wiphy = &rdev->wiphy;
10477 
10478 	if (info->attrs[NL80211_ATTR_MAC]) {
10479 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10480 
10481 		if (!is_valid_ether_addr(ibss.bssid))
10482 			return -EINVAL;
10483 	}
10484 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10485 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10486 
10487 	if (info->attrs[NL80211_ATTR_IE]) {
10488 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10489 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10490 	}
10491 
10492 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
10493 	if (err)
10494 		return err;
10495 
10496 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
10497 				     NL80211_IFTYPE_ADHOC))
10498 		return -EINVAL;
10499 
10500 	switch (ibss.chandef.width) {
10501 	case NL80211_CHAN_WIDTH_5:
10502 	case NL80211_CHAN_WIDTH_10:
10503 	case NL80211_CHAN_WIDTH_20_NOHT:
10504 		break;
10505 	case NL80211_CHAN_WIDTH_20:
10506 	case NL80211_CHAN_WIDTH_40:
10507 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10508 			return -EINVAL;
10509 		break;
10510 	case NL80211_CHAN_WIDTH_80:
10511 	case NL80211_CHAN_WIDTH_80P80:
10512 	case NL80211_CHAN_WIDTH_160:
10513 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10514 			return -EINVAL;
10515 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10516 					     NL80211_EXT_FEATURE_VHT_IBSS))
10517 			return -EINVAL;
10518 		break;
10519 	default:
10520 		return -EINVAL;
10521 	}
10522 
10523 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
10524 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
10525 
10526 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
10527 		u8 *rates =
10528 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10529 		int n_rates =
10530 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10531 		struct ieee80211_supported_band *sband =
10532 			wiphy->bands[ibss.chandef.chan->band];
10533 
10534 		err = ieee80211_get_ratemask(sband, rates, n_rates,
10535 					     &ibss.basic_rates);
10536 		if (err)
10537 			return err;
10538 	}
10539 
10540 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10541 		memcpy(&ibss.ht_capa_mask,
10542 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10543 		       sizeof(ibss.ht_capa_mask));
10544 
10545 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10546 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10547 			return -EINVAL;
10548 		memcpy(&ibss.ht_capa,
10549 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10550 		       sizeof(ibss.ht_capa));
10551 	}
10552 
10553 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
10554 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
10555 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
10556 		return -EINVAL;
10557 
10558 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
10559 		bool no_ht = false;
10560 
10561 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
10562 		if (IS_ERR(connkeys))
10563 			return PTR_ERR(connkeys);
10564 
10565 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
10566 		    no_ht) {
10567 			kfree_sensitive(connkeys);
10568 			return -EINVAL;
10569 		}
10570 	}
10571 
10572 	ibss.control_port =
10573 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
10574 
10575 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10576 		int r = validate_pae_over_nl80211(rdev, info);
10577 
10578 		if (r < 0) {
10579 			kfree_sensitive(connkeys);
10580 			return r;
10581 		}
10582 
10583 		ibss.control_port_over_nl80211 = true;
10584 	}
10585 
10586 	ibss.userspace_handles_dfs =
10587 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
10588 
10589 	wdev_lock(dev->ieee80211_ptr);
10590 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
10591 	if (err)
10592 		kfree_sensitive(connkeys);
10593 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
10594 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
10595 	wdev_unlock(dev->ieee80211_ptr);
10596 
10597 	return err;
10598 }
10599 
10600 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
10601 {
10602 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10603 	struct net_device *dev = info->user_ptr[1];
10604 
10605 	if (!rdev->ops->leave_ibss)
10606 		return -EOPNOTSUPP;
10607 
10608 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
10609 		return -EOPNOTSUPP;
10610 
10611 	return cfg80211_leave_ibss(rdev, dev, false);
10612 }
10613 
10614 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
10615 {
10616 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10617 	struct net_device *dev = info->user_ptr[1];
10618 	int mcast_rate[NUM_NL80211_BANDS];
10619 	u32 nla_rate;
10620 	int err;
10621 
10622 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
10623 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
10624 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
10625 		return -EOPNOTSUPP;
10626 
10627 	if (!rdev->ops->set_mcast_rate)
10628 		return -EOPNOTSUPP;
10629 
10630 	memset(mcast_rate, 0, sizeof(mcast_rate));
10631 
10632 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
10633 		return -EINVAL;
10634 
10635 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
10636 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
10637 		return -EINVAL;
10638 
10639 	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
10640 
10641 	return err;
10642 }
10643 
10644 static struct sk_buff *
10645 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
10646 			    struct wireless_dev *wdev, int approxlen,
10647 			    u32 portid, u32 seq, enum nl80211_commands cmd,
10648 			    enum nl80211_attrs attr,
10649 			    const struct nl80211_vendor_cmd_info *info,
10650 			    gfp_t gfp)
10651 {
10652 	struct sk_buff *skb;
10653 	void *hdr;
10654 	struct nlattr *data;
10655 
10656 	skb = nlmsg_new(approxlen + 100, gfp);
10657 	if (!skb)
10658 		return NULL;
10659 
10660 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
10661 	if (!hdr) {
10662 		kfree_skb(skb);
10663 		return NULL;
10664 	}
10665 
10666 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
10667 		goto nla_put_failure;
10668 
10669 	if (info) {
10670 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
10671 				info->vendor_id))
10672 			goto nla_put_failure;
10673 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
10674 				info->subcmd))
10675 			goto nla_put_failure;
10676 	}
10677 
10678 	if (wdev) {
10679 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
10680 				      wdev_id(wdev), NL80211_ATTR_PAD))
10681 			goto nla_put_failure;
10682 		if (wdev->netdev &&
10683 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
10684 				wdev->netdev->ifindex))
10685 			goto nla_put_failure;
10686 	}
10687 
10688 	data = nla_nest_start_noflag(skb, attr);
10689 	if (!data)
10690 		goto nla_put_failure;
10691 
10692 	((void **)skb->cb)[0] = rdev;
10693 	((void **)skb->cb)[1] = hdr;
10694 	((void **)skb->cb)[2] = data;
10695 
10696 	return skb;
10697 
10698  nla_put_failure:
10699 	kfree_skb(skb);
10700 	return NULL;
10701 }
10702 
10703 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
10704 					   struct wireless_dev *wdev,
10705 					   enum nl80211_commands cmd,
10706 					   enum nl80211_attrs attr,
10707 					   unsigned int portid,
10708 					   int vendor_event_idx,
10709 					   int approxlen, gfp_t gfp)
10710 {
10711 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
10712 	const struct nl80211_vendor_cmd_info *info;
10713 
10714 	switch (cmd) {
10715 	case NL80211_CMD_TESTMODE:
10716 		if (WARN_ON(vendor_event_idx != -1))
10717 			return NULL;
10718 		info = NULL;
10719 		break;
10720 	case NL80211_CMD_VENDOR:
10721 		if (WARN_ON(vendor_event_idx < 0 ||
10722 			    vendor_event_idx >= wiphy->n_vendor_events))
10723 			return NULL;
10724 		info = &wiphy->vendor_events[vendor_event_idx];
10725 		break;
10726 	default:
10727 		WARN_ON(1);
10728 		return NULL;
10729 	}
10730 
10731 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
10732 					   cmd, attr, info, gfp);
10733 }
10734 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
10735 
10736 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
10737 {
10738 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
10739 	void *hdr = ((void **)skb->cb)[1];
10740 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
10741 	struct nlattr *data = ((void **)skb->cb)[2];
10742 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
10743 
10744 	/* clear CB data for netlink core to own from now on */
10745 	memset(skb->cb, 0, sizeof(skb->cb));
10746 
10747 	nla_nest_end(skb, data);
10748 	genlmsg_end(skb, hdr);
10749 
10750 	if (nlhdr->nlmsg_pid) {
10751 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
10752 				nlhdr->nlmsg_pid);
10753 	} else {
10754 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
10755 			mcgrp = NL80211_MCGRP_VENDOR;
10756 
10757 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
10758 					skb, 0, mcgrp, gfp);
10759 	}
10760 }
10761 EXPORT_SYMBOL(__cfg80211_send_event_skb);
10762 
10763 #ifdef CONFIG_NL80211_TESTMODE
10764 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
10765 {
10766 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10767 	struct wireless_dev *wdev;
10768 	int err;
10769 
10770 	lockdep_assert_held(&rdev->wiphy.mtx);
10771 
10772 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
10773 					  info->attrs);
10774 
10775 	if (!rdev->ops->testmode_cmd)
10776 		return -EOPNOTSUPP;
10777 
10778 	if (IS_ERR(wdev)) {
10779 		err = PTR_ERR(wdev);
10780 		if (err != -EINVAL)
10781 			return err;
10782 		wdev = NULL;
10783 	} else if (wdev->wiphy != &rdev->wiphy) {
10784 		return -EINVAL;
10785 	}
10786 
10787 	if (!info->attrs[NL80211_ATTR_TESTDATA])
10788 		return -EINVAL;
10789 
10790 	rdev->cur_cmd_info = info;
10791 	err = rdev_testmode_cmd(rdev, wdev,
10792 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
10793 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
10794 	rdev->cur_cmd_info = NULL;
10795 
10796 	return err;
10797 }
10798 
10799 static int nl80211_testmode_dump(struct sk_buff *skb,
10800 				 struct netlink_callback *cb)
10801 {
10802 	struct cfg80211_registered_device *rdev;
10803 	struct nlattr **attrbuf = NULL;
10804 	int err;
10805 	long phy_idx;
10806 	void *data = NULL;
10807 	int data_len = 0;
10808 
10809 	rtnl_lock();
10810 
10811 	if (cb->args[0]) {
10812 		/*
10813 		 * 0 is a valid index, but not valid for args[0],
10814 		 * so we need to offset by 1.
10815 		 */
10816 		phy_idx = cb->args[0] - 1;
10817 
10818 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
10819 		if (!rdev) {
10820 			err = -ENOENT;
10821 			goto out_err;
10822 		}
10823 	} else {
10824 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
10825 				  GFP_KERNEL);
10826 		if (!attrbuf) {
10827 			err = -ENOMEM;
10828 			goto out_err;
10829 		}
10830 
10831 		err = nlmsg_parse_deprecated(cb->nlh,
10832 					     GENL_HDRLEN + nl80211_fam.hdrsize,
10833 					     attrbuf, nl80211_fam.maxattr,
10834 					     nl80211_policy, NULL);
10835 		if (err)
10836 			goto out_err;
10837 
10838 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
10839 		if (IS_ERR(rdev)) {
10840 			err = PTR_ERR(rdev);
10841 			goto out_err;
10842 		}
10843 		phy_idx = rdev->wiphy_idx;
10844 
10845 		if (attrbuf[NL80211_ATTR_TESTDATA])
10846 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
10847 	}
10848 
10849 	if (cb->args[1]) {
10850 		data = nla_data((void *)cb->args[1]);
10851 		data_len = nla_len((void *)cb->args[1]);
10852 	}
10853 
10854 	if (!rdev->ops->testmode_dump) {
10855 		err = -EOPNOTSUPP;
10856 		goto out_err;
10857 	}
10858 
10859 	while (1) {
10860 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
10861 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
10862 					   NL80211_CMD_TESTMODE);
10863 		struct nlattr *tmdata;
10864 
10865 		if (!hdr)
10866 			break;
10867 
10868 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
10869 			genlmsg_cancel(skb, hdr);
10870 			break;
10871 		}
10872 
10873 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
10874 		if (!tmdata) {
10875 			genlmsg_cancel(skb, hdr);
10876 			break;
10877 		}
10878 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
10879 		nla_nest_end(skb, tmdata);
10880 
10881 		if (err == -ENOBUFS || err == -ENOENT) {
10882 			genlmsg_cancel(skb, hdr);
10883 			break;
10884 		} else if (err) {
10885 			genlmsg_cancel(skb, hdr);
10886 			goto out_err;
10887 		}
10888 
10889 		genlmsg_end(skb, hdr);
10890 	}
10891 
10892 	err = skb->len;
10893 	/* see above */
10894 	cb->args[0] = phy_idx + 1;
10895  out_err:
10896 	kfree(attrbuf);
10897 	rtnl_unlock();
10898 	return err;
10899 }
10900 #endif
10901 
10902 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
10903 {
10904 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10905 	struct net_device *dev = info->user_ptr[1];
10906 	struct cfg80211_connect_params connect;
10907 	struct wiphy *wiphy;
10908 	struct cfg80211_cached_keys *connkeys = NULL;
10909 	u32 freq = 0;
10910 	int err;
10911 
10912 	memset(&connect, 0, sizeof(connect));
10913 
10914 	if (!info->attrs[NL80211_ATTR_SSID] ||
10915 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
10916 		return -EINVAL;
10917 
10918 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
10919 		connect.auth_type =
10920 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10921 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
10922 					     NL80211_CMD_CONNECT))
10923 			return -EINVAL;
10924 	} else
10925 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
10926 
10927 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
10928 
10929 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
10930 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10931 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
10932 		return -EINVAL;
10933 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
10934 
10935 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
10936 				      NL80211_MAX_NR_CIPHER_SUITES);
10937 	if (err)
10938 		return err;
10939 
10940 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10941 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10942 		return -EOPNOTSUPP;
10943 
10944 	wiphy = &rdev->wiphy;
10945 
10946 	connect.bg_scan_period = -1;
10947 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
10948 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
10949 		connect.bg_scan_period =
10950 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
10951 	}
10952 
10953 	if (info->attrs[NL80211_ATTR_MAC])
10954 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10955 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
10956 		connect.bssid_hint =
10957 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
10958 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10959 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10960 
10961 	if (info->attrs[NL80211_ATTR_IE]) {
10962 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10963 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10964 	}
10965 
10966 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
10967 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
10968 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
10969 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10970 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
10971 			return -EOPNOTSUPP;
10972 	} else {
10973 		connect.mfp = NL80211_MFP_NO;
10974 	}
10975 
10976 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
10977 		connect.prev_bssid =
10978 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
10979 
10980 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
10981 		freq = MHZ_TO_KHZ(nla_get_u32(
10982 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10983 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10984 		freq +=
10985 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10986 
10987 	if (freq) {
10988 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
10989 		if (!connect.channel)
10990 			return -EINVAL;
10991 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
10992 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
10993 		freq = MHZ_TO_KHZ(freq);
10994 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
10995 		if (!connect.channel_hint)
10996 			return -EINVAL;
10997 	}
10998 
10999 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
11000 		connect.edmg.channels =
11001 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
11002 
11003 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
11004 			connect.edmg.bw_config =
11005 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
11006 	}
11007 
11008 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11009 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
11010 		if (IS_ERR(connkeys))
11011 			return PTR_ERR(connkeys);
11012 	}
11013 
11014 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11015 		connect.flags |= ASSOC_REQ_DISABLE_HT;
11016 
11017 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11018 		memcpy(&connect.ht_capa_mask,
11019 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11020 		       sizeof(connect.ht_capa_mask));
11021 
11022 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11023 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
11024 			kfree_sensitive(connkeys);
11025 			return -EINVAL;
11026 		}
11027 		memcpy(&connect.ht_capa,
11028 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11029 		       sizeof(connect.ht_capa));
11030 	}
11031 
11032 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11033 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
11034 
11035 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11036 		connect.flags |= ASSOC_REQ_DISABLE_HE;
11037 
11038 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11039 		memcpy(&connect.vht_capa_mask,
11040 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11041 		       sizeof(connect.vht_capa_mask));
11042 
11043 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11044 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
11045 			kfree_sensitive(connkeys);
11046 			return -EINVAL;
11047 		}
11048 		memcpy(&connect.vht_capa,
11049 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11050 		       sizeof(connect.vht_capa));
11051 	}
11052 
11053 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11054 		if (!((rdev->wiphy.features &
11055 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11056 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11057 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11058 					     NL80211_EXT_FEATURE_RRM)) {
11059 			kfree_sensitive(connkeys);
11060 			return -EINVAL;
11061 		}
11062 		connect.flags |= ASSOC_REQ_USE_RRM;
11063 	}
11064 
11065 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
11066 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
11067 		kfree_sensitive(connkeys);
11068 		return -EOPNOTSUPP;
11069 	}
11070 
11071 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
11072 		/* bss selection makes no sense if bssid is set */
11073 		if (connect.bssid) {
11074 			kfree_sensitive(connkeys);
11075 			return -EINVAL;
11076 		}
11077 
11078 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
11079 				       wiphy, &connect.bss_select);
11080 		if (err) {
11081 			kfree_sensitive(connkeys);
11082 			return err;
11083 		}
11084 	}
11085 
11086 	if (wiphy_ext_feature_isset(&rdev->wiphy,
11087 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
11088 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11089 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11090 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11091 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11092 		connect.fils_erp_username =
11093 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11094 		connect.fils_erp_username_len =
11095 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11096 		connect.fils_erp_realm =
11097 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11098 		connect.fils_erp_realm_len =
11099 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11100 		connect.fils_erp_next_seq_num =
11101 			nla_get_u16(
11102 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11103 		connect.fils_erp_rrk =
11104 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11105 		connect.fils_erp_rrk_len =
11106 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11107 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11108 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11109 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11110 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11111 		kfree_sensitive(connkeys);
11112 		return -EINVAL;
11113 	}
11114 
11115 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
11116 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11117 			kfree_sensitive(connkeys);
11118 			GENL_SET_ERR_MSG(info,
11119 					 "external auth requires connection ownership");
11120 			return -EINVAL;
11121 		}
11122 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
11123 	}
11124 
11125 	wdev_lock(dev->ieee80211_ptr);
11126 
11127 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
11128 			       connect.prev_bssid);
11129 	if (err)
11130 		kfree_sensitive(connkeys);
11131 
11132 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11133 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11134 		if (connect.bssid)
11135 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11136 			       connect.bssid, ETH_ALEN);
11137 		else
11138 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
11139 	}
11140 
11141 	wdev_unlock(dev->ieee80211_ptr);
11142 
11143 	return err;
11144 }
11145 
11146 static int nl80211_update_connect_params(struct sk_buff *skb,
11147 					 struct genl_info *info)
11148 {
11149 	struct cfg80211_connect_params connect = {};
11150 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11151 	struct net_device *dev = info->user_ptr[1];
11152 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11153 	bool fils_sk_offload;
11154 	u32 auth_type;
11155 	u32 changed = 0;
11156 	int ret;
11157 
11158 	if (!rdev->ops->update_connect_params)
11159 		return -EOPNOTSUPP;
11160 
11161 	if (info->attrs[NL80211_ATTR_IE]) {
11162 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11163 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11164 		changed |= UPDATE_ASSOC_IES;
11165 	}
11166 
11167 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
11168 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
11169 
11170 	/*
11171 	 * when driver supports fils-sk offload all attributes must be
11172 	 * provided. So the else covers "fils-sk-not-all" and
11173 	 * "no-fils-sk-any".
11174 	 */
11175 	if (fils_sk_offload &&
11176 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11177 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11178 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11179 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11180 		connect.fils_erp_username =
11181 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11182 		connect.fils_erp_username_len =
11183 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11184 		connect.fils_erp_realm =
11185 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11186 		connect.fils_erp_realm_len =
11187 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11188 		connect.fils_erp_next_seq_num =
11189 			nla_get_u16(
11190 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11191 		connect.fils_erp_rrk =
11192 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11193 		connect.fils_erp_rrk_len =
11194 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11195 		changed |= UPDATE_FILS_ERP_INFO;
11196 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11197 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11198 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11199 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11200 		return -EINVAL;
11201 	}
11202 
11203 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11204 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11205 		if (!nl80211_valid_auth_type(rdev, auth_type,
11206 					     NL80211_CMD_CONNECT))
11207 			return -EINVAL;
11208 
11209 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
11210 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
11211 			return -EINVAL;
11212 
11213 		connect.auth_type = auth_type;
11214 		changed |= UPDATE_AUTH_TYPE;
11215 	}
11216 
11217 	wdev_lock(dev->ieee80211_ptr);
11218 	if (!wdev->current_bss)
11219 		ret = -ENOLINK;
11220 	else
11221 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
11222 	wdev_unlock(dev->ieee80211_ptr);
11223 
11224 	return ret;
11225 }
11226 
11227 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
11228 {
11229 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11230 	struct net_device *dev = info->user_ptr[1];
11231 	u16 reason;
11232 	int ret;
11233 
11234 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11235 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11236 		return -EPERM;
11237 
11238 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11239 		reason = WLAN_REASON_DEAUTH_LEAVING;
11240 	else
11241 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11242 
11243 	if (reason == 0)
11244 		return -EINVAL;
11245 
11246 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11247 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11248 		return -EOPNOTSUPP;
11249 
11250 	wdev_lock(dev->ieee80211_ptr);
11251 	ret = cfg80211_disconnect(rdev, dev, reason, true);
11252 	wdev_unlock(dev->ieee80211_ptr);
11253 	return ret;
11254 }
11255 
11256 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
11257 {
11258 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11259 	struct net *net;
11260 	int err;
11261 
11262 	if (info->attrs[NL80211_ATTR_PID]) {
11263 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
11264 
11265 		net = get_net_ns_by_pid(pid);
11266 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
11267 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
11268 
11269 		net = get_net_ns_by_fd(fd);
11270 	} else {
11271 		return -EINVAL;
11272 	}
11273 
11274 	if (IS_ERR(net))
11275 		return PTR_ERR(net);
11276 
11277 	err = 0;
11278 
11279 	/* check if anything to do */
11280 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
11281 		err = cfg80211_switch_netns(rdev, net);
11282 
11283 	put_net(net);
11284 	return err;
11285 }
11286 
11287 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
11288 {
11289 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11290 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
11291 			struct cfg80211_pmksa *pmksa) = NULL;
11292 	struct net_device *dev = info->user_ptr[1];
11293 	struct cfg80211_pmksa pmksa;
11294 
11295 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
11296 
11297 	if (!info->attrs[NL80211_ATTR_PMKID])
11298 		return -EINVAL;
11299 
11300 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
11301 
11302 	if (info->attrs[NL80211_ATTR_MAC]) {
11303 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11304 	} else if (info->attrs[NL80211_ATTR_SSID] &&
11305 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
11306 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
11307 		    info->attrs[NL80211_ATTR_PMK])) {
11308 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11309 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11310 		pmksa.cache_id =
11311 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
11312 	} else {
11313 		return -EINVAL;
11314 	}
11315 	if (info->attrs[NL80211_ATTR_PMK]) {
11316 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
11317 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
11318 	}
11319 
11320 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
11321 		pmksa.pmk_lifetime =
11322 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
11323 
11324 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
11325 		pmksa.pmk_reauth_threshold =
11326 			nla_get_u8(
11327 				info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
11328 
11329 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11330 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
11331 	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
11332 	      wiphy_ext_feature_isset(&rdev->wiphy,
11333 				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
11334 		return -EOPNOTSUPP;
11335 
11336 	switch (info->genlhdr->cmd) {
11337 	case NL80211_CMD_SET_PMKSA:
11338 		rdev_ops = rdev->ops->set_pmksa;
11339 		break;
11340 	case NL80211_CMD_DEL_PMKSA:
11341 		rdev_ops = rdev->ops->del_pmksa;
11342 		break;
11343 	default:
11344 		WARN_ON(1);
11345 		break;
11346 	}
11347 
11348 	if (!rdev_ops)
11349 		return -EOPNOTSUPP;
11350 
11351 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
11352 }
11353 
11354 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
11355 {
11356 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11357 	struct net_device *dev = info->user_ptr[1];
11358 
11359 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11360 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11361 		return -EOPNOTSUPP;
11362 
11363 	if (!rdev->ops->flush_pmksa)
11364 		return -EOPNOTSUPP;
11365 
11366 	return rdev_flush_pmksa(rdev, dev);
11367 }
11368 
11369 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
11370 {
11371 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11372 	struct net_device *dev = info->user_ptr[1];
11373 	u8 action_code, dialog_token;
11374 	u32 peer_capability = 0;
11375 	u16 status_code;
11376 	u8 *peer;
11377 	bool initiator;
11378 
11379 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
11380 	    !rdev->ops->tdls_mgmt)
11381 		return -EOPNOTSUPP;
11382 
11383 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
11384 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
11385 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
11386 	    !info->attrs[NL80211_ATTR_IE] ||
11387 	    !info->attrs[NL80211_ATTR_MAC])
11388 		return -EINVAL;
11389 
11390 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11391 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
11392 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
11393 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
11394 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
11395 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
11396 		peer_capability =
11397 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
11398 
11399 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
11400 			      dialog_token, status_code, peer_capability,
11401 			      initiator,
11402 			      nla_data(info->attrs[NL80211_ATTR_IE]),
11403 			      nla_len(info->attrs[NL80211_ATTR_IE]));
11404 }
11405 
11406 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
11407 {
11408 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11409 	struct net_device *dev = info->user_ptr[1];
11410 	enum nl80211_tdls_operation operation;
11411 	u8 *peer;
11412 
11413 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
11414 	    !rdev->ops->tdls_oper)
11415 		return -EOPNOTSUPP;
11416 
11417 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
11418 	    !info->attrs[NL80211_ATTR_MAC])
11419 		return -EINVAL;
11420 
11421 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
11422 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11423 
11424 	return rdev_tdls_oper(rdev, dev, peer, operation);
11425 }
11426 
11427 static int nl80211_remain_on_channel(struct sk_buff *skb,
11428 				     struct genl_info *info)
11429 {
11430 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11431 	struct wireless_dev *wdev = info->user_ptr[1];
11432 	struct cfg80211_chan_def chandef;
11433 	const struct cfg80211_chan_def *compat_chandef;
11434 	struct sk_buff *msg;
11435 	void *hdr;
11436 	u64 cookie;
11437 	u32 duration;
11438 	int err;
11439 
11440 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11441 	    !info->attrs[NL80211_ATTR_DURATION])
11442 		return -EINVAL;
11443 
11444 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
11445 
11446 	if (!rdev->ops->remain_on_channel ||
11447 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
11448 		return -EOPNOTSUPP;
11449 
11450 	/*
11451 	 * We should be on that channel for at least a minimum amount of
11452 	 * time (10ms) but no longer than the driver supports.
11453 	 */
11454 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11455 	    duration > rdev->wiphy.max_remain_on_channel_duration)
11456 		return -EINVAL;
11457 
11458 	err = nl80211_parse_chandef(rdev, info, &chandef);
11459 	if (err)
11460 		return err;
11461 
11462 	wdev_lock(wdev);
11463 	if (!cfg80211_off_channel_oper_allowed(wdev) &&
11464 	    !cfg80211_chandef_identical(&wdev->chandef, &chandef)) {
11465 		compat_chandef = cfg80211_chandef_compatible(&wdev->chandef,
11466 							     &chandef);
11467 		if (compat_chandef != &chandef) {
11468 			wdev_unlock(wdev);
11469 			return -EBUSY;
11470 		}
11471 	}
11472 	wdev_unlock(wdev);
11473 
11474 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11475 	if (!msg)
11476 		return -ENOMEM;
11477 
11478 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11479 			     NL80211_CMD_REMAIN_ON_CHANNEL);
11480 	if (!hdr) {
11481 		err = -ENOBUFS;
11482 		goto free_msg;
11483 	}
11484 
11485 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
11486 				     duration, &cookie);
11487 
11488 	if (err)
11489 		goto free_msg;
11490 
11491 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11492 			      NL80211_ATTR_PAD))
11493 		goto nla_put_failure;
11494 
11495 	genlmsg_end(msg, hdr);
11496 
11497 	return genlmsg_reply(msg, info);
11498 
11499  nla_put_failure:
11500 	err = -ENOBUFS;
11501  free_msg:
11502 	nlmsg_free(msg);
11503 	return err;
11504 }
11505 
11506 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
11507 					    struct genl_info *info)
11508 {
11509 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11510 	struct wireless_dev *wdev = info->user_ptr[1];
11511 	u64 cookie;
11512 
11513 	if (!info->attrs[NL80211_ATTR_COOKIE])
11514 		return -EINVAL;
11515 
11516 	if (!rdev->ops->cancel_remain_on_channel)
11517 		return -EOPNOTSUPP;
11518 
11519 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11520 
11521 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
11522 }
11523 
11524 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
11525 				       struct genl_info *info)
11526 {
11527 	struct cfg80211_bitrate_mask mask;
11528 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11529 	struct net_device *dev = info->user_ptr[1];
11530 	int err;
11531 
11532 	if (!rdev->ops->set_bitrate_mask)
11533 		return -EOPNOTSUPP;
11534 
11535 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
11536 					    NL80211_ATTR_TX_RATES, &mask,
11537 					    dev, true);
11538 	if (err)
11539 		return err;
11540 
11541 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
11542 }
11543 
11544 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
11545 {
11546 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11547 	struct wireless_dev *wdev = info->user_ptr[1];
11548 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
11549 
11550 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
11551 		return -EINVAL;
11552 
11553 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
11554 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
11555 
11556 	switch (wdev->iftype) {
11557 	case NL80211_IFTYPE_STATION:
11558 	case NL80211_IFTYPE_ADHOC:
11559 	case NL80211_IFTYPE_P2P_CLIENT:
11560 	case NL80211_IFTYPE_AP:
11561 	case NL80211_IFTYPE_AP_VLAN:
11562 	case NL80211_IFTYPE_MESH_POINT:
11563 	case NL80211_IFTYPE_P2P_GO:
11564 	case NL80211_IFTYPE_P2P_DEVICE:
11565 		break;
11566 	case NL80211_IFTYPE_NAN:
11567 	default:
11568 		return -EOPNOTSUPP;
11569 	}
11570 
11571 	/* not much point in registering if we can't reply */
11572 	if (!rdev->ops->mgmt_tx)
11573 		return -EOPNOTSUPP;
11574 
11575 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
11576 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11577 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
11578 		GENL_SET_ERR_MSG(info,
11579 				 "multicast RX registrations are not supported");
11580 		return -EOPNOTSUPP;
11581 	}
11582 
11583 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
11584 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
11585 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
11586 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
11587 					   info->extack);
11588 }
11589 
11590 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
11591 {
11592 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11593 	struct wireless_dev *wdev = info->user_ptr[1];
11594 	struct cfg80211_chan_def chandef;
11595 	int err;
11596 	void *hdr = NULL;
11597 	u64 cookie;
11598 	struct sk_buff *msg = NULL;
11599 	struct cfg80211_mgmt_tx_params params = {
11600 		.dont_wait_for_ack =
11601 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
11602 	};
11603 
11604 	if (!info->attrs[NL80211_ATTR_FRAME])
11605 		return -EINVAL;
11606 
11607 	if (!rdev->ops->mgmt_tx)
11608 		return -EOPNOTSUPP;
11609 
11610 	switch (wdev->iftype) {
11611 	case NL80211_IFTYPE_P2P_DEVICE:
11612 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
11613 			return -EINVAL;
11614 		break;
11615 	case NL80211_IFTYPE_STATION:
11616 	case NL80211_IFTYPE_ADHOC:
11617 	case NL80211_IFTYPE_P2P_CLIENT:
11618 	case NL80211_IFTYPE_AP:
11619 	case NL80211_IFTYPE_AP_VLAN:
11620 	case NL80211_IFTYPE_MESH_POINT:
11621 	case NL80211_IFTYPE_P2P_GO:
11622 		break;
11623 	case NL80211_IFTYPE_NAN:
11624 	default:
11625 		return -EOPNOTSUPP;
11626 	}
11627 
11628 	if (info->attrs[NL80211_ATTR_DURATION]) {
11629 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
11630 			return -EINVAL;
11631 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
11632 
11633 		/*
11634 		 * We should wait on the channel for at least a minimum amount
11635 		 * of time (10ms) but no longer than the driver supports.
11636 		 */
11637 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11638 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
11639 			return -EINVAL;
11640 	}
11641 
11642 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
11643 
11644 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
11645 		return -EINVAL;
11646 
11647 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
11648 
11649 	/* get the channel if any has been specified, otherwise pass NULL to
11650 	 * the driver. The latter will use the current one
11651 	 */
11652 	chandef.chan = NULL;
11653 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
11654 		err = nl80211_parse_chandef(rdev, info, &chandef);
11655 		if (err)
11656 			return err;
11657 	}
11658 
11659 	if (!chandef.chan && params.offchan)
11660 		return -EINVAL;
11661 
11662 	wdev_lock(wdev);
11663 	if (params.offchan && !cfg80211_off_channel_oper_allowed(wdev)) {
11664 		wdev_unlock(wdev);
11665 		return -EBUSY;
11666 	}
11667 	wdev_unlock(wdev);
11668 
11669 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
11670 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
11671 
11672 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
11673 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11674 		int i;
11675 
11676 		if (len % sizeof(u16))
11677 			return -EINVAL;
11678 
11679 		params.n_csa_offsets = len / sizeof(u16);
11680 		params.csa_offsets =
11681 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11682 
11683 		/* check that all the offsets fit the frame */
11684 		for (i = 0; i < params.n_csa_offsets; i++) {
11685 			if (params.csa_offsets[i] >= params.len)
11686 				return -EINVAL;
11687 		}
11688 	}
11689 
11690 	if (!params.dont_wait_for_ack) {
11691 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11692 		if (!msg)
11693 			return -ENOMEM;
11694 
11695 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11696 				     NL80211_CMD_FRAME);
11697 		if (!hdr) {
11698 			err = -ENOBUFS;
11699 			goto free_msg;
11700 		}
11701 	}
11702 
11703 	params.chan = chandef.chan;
11704 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
11705 	if (err)
11706 		goto free_msg;
11707 
11708 	if (msg) {
11709 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11710 				      NL80211_ATTR_PAD))
11711 			goto nla_put_failure;
11712 
11713 		genlmsg_end(msg, hdr);
11714 		return genlmsg_reply(msg, info);
11715 	}
11716 
11717 	return 0;
11718 
11719  nla_put_failure:
11720 	err = -ENOBUFS;
11721  free_msg:
11722 	nlmsg_free(msg);
11723 	return err;
11724 }
11725 
11726 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
11727 {
11728 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11729 	struct wireless_dev *wdev = info->user_ptr[1];
11730 	u64 cookie;
11731 
11732 	if (!info->attrs[NL80211_ATTR_COOKIE])
11733 		return -EINVAL;
11734 
11735 	if (!rdev->ops->mgmt_tx_cancel_wait)
11736 		return -EOPNOTSUPP;
11737 
11738 	switch (wdev->iftype) {
11739 	case NL80211_IFTYPE_STATION:
11740 	case NL80211_IFTYPE_ADHOC:
11741 	case NL80211_IFTYPE_P2P_CLIENT:
11742 	case NL80211_IFTYPE_AP:
11743 	case NL80211_IFTYPE_AP_VLAN:
11744 	case NL80211_IFTYPE_P2P_GO:
11745 	case NL80211_IFTYPE_P2P_DEVICE:
11746 		break;
11747 	case NL80211_IFTYPE_NAN:
11748 	default:
11749 		return -EOPNOTSUPP;
11750 	}
11751 
11752 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11753 
11754 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
11755 }
11756 
11757 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
11758 {
11759 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11760 	struct wireless_dev *wdev;
11761 	struct net_device *dev = info->user_ptr[1];
11762 	u8 ps_state;
11763 	bool state;
11764 	int err;
11765 
11766 	if (!info->attrs[NL80211_ATTR_PS_STATE])
11767 		return -EINVAL;
11768 
11769 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
11770 
11771 	wdev = dev->ieee80211_ptr;
11772 
11773 	if (!rdev->ops->set_power_mgmt)
11774 		return -EOPNOTSUPP;
11775 
11776 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
11777 
11778 	if (state == wdev->ps)
11779 		return 0;
11780 
11781 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
11782 	if (!err)
11783 		wdev->ps = state;
11784 	return err;
11785 }
11786 
11787 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
11788 {
11789 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11790 	enum nl80211_ps_state ps_state;
11791 	struct wireless_dev *wdev;
11792 	struct net_device *dev = info->user_ptr[1];
11793 	struct sk_buff *msg;
11794 	void *hdr;
11795 	int err;
11796 
11797 	wdev = dev->ieee80211_ptr;
11798 
11799 	if (!rdev->ops->set_power_mgmt)
11800 		return -EOPNOTSUPP;
11801 
11802 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11803 	if (!msg)
11804 		return -ENOMEM;
11805 
11806 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11807 			     NL80211_CMD_GET_POWER_SAVE);
11808 	if (!hdr) {
11809 		err = -ENOBUFS;
11810 		goto free_msg;
11811 	}
11812 
11813 	if (wdev->ps)
11814 		ps_state = NL80211_PS_ENABLED;
11815 	else
11816 		ps_state = NL80211_PS_DISABLED;
11817 
11818 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
11819 		goto nla_put_failure;
11820 
11821 	genlmsg_end(msg, hdr);
11822 	return genlmsg_reply(msg, info);
11823 
11824  nla_put_failure:
11825 	err = -ENOBUFS;
11826  free_msg:
11827 	nlmsg_free(msg);
11828 	return err;
11829 }
11830 
11831 static const struct nla_policy
11832 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
11833 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
11834 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
11835 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
11836 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
11837 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
11838 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
11839 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
11840 };
11841 
11842 static int nl80211_set_cqm_txe(struct genl_info *info,
11843 			       u32 rate, u32 pkts, u32 intvl)
11844 {
11845 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11846 	struct net_device *dev = info->user_ptr[1];
11847 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11848 
11849 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
11850 		return -EINVAL;
11851 
11852 	if (!rdev->ops->set_cqm_txe_config)
11853 		return -EOPNOTSUPP;
11854 
11855 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
11856 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
11857 		return -EOPNOTSUPP;
11858 
11859 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
11860 }
11861 
11862 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
11863 				    struct net_device *dev)
11864 {
11865 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11866 	s32 last, low, high;
11867 	u32 hyst;
11868 	int i, n, low_index;
11869 	int err;
11870 
11871 	/* RSSI reporting disabled? */
11872 	if (!wdev->cqm_config)
11873 		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
11874 
11875 	/*
11876 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
11877 	 * event has been received yet, we should receive an event after a
11878 	 * connection is established and enough beacons received to calculate
11879 	 * the average.
11880 	 */
11881 	if (!wdev->cqm_config->last_rssi_event_value && wdev->current_bss &&
11882 	    rdev->ops->get_station) {
11883 		struct station_info sinfo = {};
11884 		u8 *mac_addr;
11885 
11886 		mac_addr = wdev->current_bss->pub.bssid;
11887 
11888 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
11889 		if (err)
11890 			return err;
11891 
11892 		cfg80211_sinfo_release_content(&sinfo);
11893 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
11894 			wdev->cqm_config->last_rssi_event_value =
11895 				(s8) sinfo.rx_beacon_signal_avg;
11896 	}
11897 
11898 	last = wdev->cqm_config->last_rssi_event_value;
11899 	hyst = wdev->cqm_config->rssi_hyst;
11900 	n = wdev->cqm_config->n_rssi_thresholds;
11901 
11902 	for (i = 0; i < n; i++) {
11903 		i = array_index_nospec(i, n);
11904 		if (last < wdev->cqm_config->rssi_thresholds[i])
11905 			break;
11906 	}
11907 
11908 	low_index = i - 1;
11909 	if (low_index >= 0) {
11910 		low_index = array_index_nospec(low_index, n);
11911 		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
11912 	} else {
11913 		low = S32_MIN;
11914 	}
11915 	if (i < n) {
11916 		i = array_index_nospec(i, n);
11917 		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
11918 	} else {
11919 		high = S32_MAX;
11920 	}
11921 
11922 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
11923 }
11924 
11925 static int nl80211_set_cqm_rssi(struct genl_info *info,
11926 				const s32 *thresholds, int n_thresholds,
11927 				u32 hysteresis)
11928 {
11929 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11930 	struct net_device *dev = info->user_ptr[1];
11931 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11932 	int i, err;
11933 	s32 prev = S32_MIN;
11934 
11935 	/* Check all values negative and sorted */
11936 	for (i = 0; i < n_thresholds; i++) {
11937 		if (thresholds[i] > 0 || thresholds[i] <= prev)
11938 			return -EINVAL;
11939 
11940 		prev = thresholds[i];
11941 	}
11942 
11943 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
11944 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
11945 		return -EOPNOTSUPP;
11946 
11947 	wdev_lock(wdev);
11948 	cfg80211_cqm_config_free(wdev);
11949 	wdev_unlock(wdev);
11950 
11951 	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
11952 		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
11953 			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
11954 
11955 		return rdev_set_cqm_rssi_config(rdev, dev,
11956 						thresholds[0], hysteresis);
11957 	}
11958 
11959 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
11960 				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
11961 		return -EOPNOTSUPP;
11962 
11963 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
11964 		n_thresholds = 0;
11965 
11966 	wdev_lock(wdev);
11967 	if (n_thresholds) {
11968 		struct cfg80211_cqm_config *cqm_config;
11969 
11970 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
11971 						 n_thresholds),
11972 				     GFP_KERNEL);
11973 		if (!cqm_config) {
11974 			err = -ENOMEM;
11975 			goto unlock;
11976 		}
11977 
11978 		cqm_config->rssi_hyst = hysteresis;
11979 		cqm_config->n_rssi_thresholds = n_thresholds;
11980 		memcpy(cqm_config->rssi_thresholds, thresholds,
11981 		       flex_array_size(cqm_config, rssi_thresholds,
11982 				       n_thresholds));
11983 
11984 		wdev->cqm_config = cqm_config;
11985 	}
11986 
11987 	err = cfg80211_cqm_rssi_update(rdev, dev);
11988 
11989 unlock:
11990 	wdev_unlock(wdev);
11991 
11992 	return err;
11993 }
11994 
11995 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
11996 {
11997 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
11998 	struct nlattr *cqm;
11999 	int err;
12000 
12001 	cqm = info->attrs[NL80211_ATTR_CQM];
12002 	if (!cqm)
12003 		return -EINVAL;
12004 
12005 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
12006 					  nl80211_attr_cqm_policy,
12007 					  info->extack);
12008 	if (err)
12009 		return err;
12010 
12011 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
12012 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
12013 		const s32 *thresholds =
12014 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12015 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12016 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
12017 
12018 		if (len % 4)
12019 			return -EINVAL;
12020 
12021 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
12022 					    hysteresis);
12023 	}
12024 
12025 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
12026 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
12027 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
12028 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
12029 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
12030 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
12031 
12032 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
12033 	}
12034 
12035 	return -EINVAL;
12036 }
12037 
12038 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
12039 {
12040 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12041 	struct net_device *dev = info->user_ptr[1];
12042 	struct ocb_setup setup = {};
12043 	int err;
12044 
12045 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12046 	if (err)
12047 		return err;
12048 
12049 	return cfg80211_join_ocb(rdev, dev, &setup);
12050 }
12051 
12052 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
12053 {
12054 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12055 	struct net_device *dev = info->user_ptr[1];
12056 
12057 	return cfg80211_leave_ocb(rdev, dev);
12058 }
12059 
12060 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
12061 {
12062 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12063 	struct net_device *dev = info->user_ptr[1];
12064 	struct mesh_config cfg;
12065 	struct mesh_setup setup;
12066 	int err;
12067 
12068 	/* start with default */
12069 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
12070 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
12071 
12072 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
12073 		/* and parse parameters if given */
12074 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
12075 		if (err)
12076 			return err;
12077 	}
12078 
12079 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
12080 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
12081 		return -EINVAL;
12082 
12083 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
12084 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
12085 
12086 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
12087 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
12088 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
12089 			return -EINVAL;
12090 
12091 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
12092 		setup.beacon_interval =
12093 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
12094 
12095 		err = cfg80211_validate_beacon_int(rdev,
12096 						   NL80211_IFTYPE_MESH_POINT,
12097 						   setup.beacon_interval);
12098 		if (err)
12099 			return err;
12100 	}
12101 
12102 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
12103 		setup.dtim_period =
12104 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
12105 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
12106 			return -EINVAL;
12107 	}
12108 
12109 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
12110 		/* parse additional setup parameters if given */
12111 		err = nl80211_parse_mesh_setup(info, &setup);
12112 		if (err)
12113 			return err;
12114 	}
12115 
12116 	if (setup.user_mpm)
12117 		cfg.auto_open_plinks = false;
12118 
12119 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12120 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12121 		if (err)
12122 			return err;
12123 	} else {
12124 		/* __cfg80211_join_mesh() will sort it out */
12125 		setup.chandef.chan = NULL;
12126 	}
12127 
12128 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
12129 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12130 		int n_rates =
12131 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12132 		struct ieee80211_supported_band *sband;
12133 
12134 		if (!setup.chandef.chan)
12135 			return -EINVAL;
12136 
12137 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
12138 
12139 		err = ieee80211_get_ratemask(sband, rates, n_rates,
12140 					     &setup.basic_rates);
12141 		if (err)
12142 			return err;
12143 	}
12144 
12145 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
12146 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12147 						    NL80211_ATTR_TX_RATES,
12148 						    &setup.beacon_rate,
12149 						    dev, false);
12150 		if (err)
12151 			return err;
12152 
12153 		if (!setup.chandef.chan)
12154 			return -EINVAL;
12155 
12156 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
12157 					      &setup.beacon_rate);
12158 		if (err)
12159 			return err;
12160 	}
12161 
12162 	setup.userspace_handles_dfs =
12163 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
12164 
12165 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12166 		int r = validate_pae_over_nl80211(rdev, info);
12167 
12168 		if (r < 0)
12169 			return r;
12170 
12171 		setup.control_port_over_nl80211 = true;
12172 	}
12173 
12174 	wdev_lock(dev->ieee80211_ptr);
12175 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
12176 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
12177 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12178 	wdev_unlock(dev->ieee80211_ptr);
12179 
12180 	return err;
12181 }
12182 
12183 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
12184 {
12185 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12186 	struct net_device *dev = info->user_ptr[1];
12187 
12188 	return cfg80211_leave_mesh(rdev, dev);
12189 }
12190 
12191 #ifdef CONFIG_PM
12192 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
12193 					struct cfg80211_registered_device *rdev)
12194 {
12195 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
12196 	struct nlattr *nl_pats, *nl_pat;
12197 	int i, pat_len;
12198 
12199 	if (!wowlan->n_patterns)
12200 		return 0;
12201 
12202 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
12203 	if (!nl_pats)
12204 		return -ENOBUFS;
12205 
12206 	for (i = 0; i < wowlan->n_patterns; i++) {
12207 		nl_pat = nla_nest_start_noflag(msg, i + 1);
12208 		if (!nl_pat)
12209 			return -ENOBUFS;
12210 		pat_len = wowlan->patterns[i].pattern_len;
12211 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
12212 			    wowlan->patterns[i].mask) ||
12213 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
12214 			    wowlan->patterns[i].pattern) ||
12215 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
12216 				wowlan->patterns[i].pkt_offset))
12217 			return -ENOBUFS;
12218 		nla_nest_end(msg, nl_pat);
12219 	}
12220 	nla_nest_end(msg, nl_pats);
12221 
12222 	return 0;
12223 }
12224 
12225 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
12226 				   struct cfg80211_wowlan_tcp *tcp)
12227 {
12228 	struct nlattr *nl_tcp;
12229 
12230 	if (!tcp)
12231 		return 0;
12232 
12233 	nl_tcp = nla_nest_start_noflag(msg,
12234 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
12235 	if (!nl_tcp)
12236 		return -ENOBUFS;
12237 
12238 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
12239 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
12240 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
12241 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
12242 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
12243 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
12244 		    tcp->payload_len, tcp->payload) ||
12245 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
12246 			tcp->data_interval) ||
12247 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
12248 		    tcp->wake_len, tcp->wake_data) ||
12249 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
12250 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
12251 		return -ENOBUFS;
12252 
12253 	if (tcp->payload_seq.len &&
12254 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
12255 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
12256 		return -ENOBUFS;
12257 
12258 	if (tcp->payload_tok.len &&
12259 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
12260 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
12261 		    &tcp->payload_tok))
12262 		return -ENOBUFS;
12263 
12264 	nla_nest_end(msg, nl_tcp);
12265 
12266 	return 0;
12267 }
12268 
12269 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
12270 				  struct cfg80211_sched_scan_request *req)
12271 {
12272 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
12273 	int i;
12274 
12275 	if (!req)
12276 		return 0;
12277 
12278 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
12279 	if (!nd)
12280 		return -ENOBUFS;
12281 
12282 	if (req->n_scan_plans == 1 &&
12283 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
12284 			req->scan_plans[0].interval * 1000))
12285 		return -ENOBUFS;
12286 
12287 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
12288 		return -ENOBUFS;
12289 
12290 	if (req->relative_rssi_set) {
12291 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
12292 
12293 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
12294 			       req->relative_rssi))
12295 			return -ENOBUFS;
12296 
12297 		rssi_adjust.band = req->rssi_adjust.band;
12298 		rssi_adjust.delta = req->rssi_adjust.delta;
12299 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
12300 			    sizeof(rssi_adjust), &rssi_adjust))
12301 			return -ENOBUFS;
12302 	}
12303 
12304 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
12305 	if (!freqs)
12306 		return -ENOBUFS;
12307 
12308 	for (i = 0; i < req->n_channels; i++) {
12309 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
12310 			return -ENOBUFS;
12311 	}
12312 
12313 	nla_nest_end(msg, freqs);
12314 
12315 	if (req->n_match_sets) {
12316 		matches = nla_nest_start_noflag(msg,
12317 						NL80211_ATTR_SCHED_SCAN_MATCH);
12318 		if (!matches)
12319 			return -ENOBUFS;
12320 
12321 		for (i = 0; i < req->n_match_sets; i++) {
12322 			match = nla_nest_start_noflag(msg, i);
12323 			if (!match)
12324 				return -ENOBUFS;
12325 
12326 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
12327 				    req->match_sets[i].ssid.ssid_len,
12328 				    req->match_sets[i].ssid.ssid))
12329 				return -ENOBUFS;
12330 			nla_nest_end(msg, match);
12331 		}
12332 		nla_nest_end(msg, matches);
12333 	}
12334 
12335 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
12336 	if (!scan_plans)
12337 		return -ENOBUFS;
12338 
12339 	for (i = 0; i < req->n_scan_plans; i++) {
12340 		scan_plan = nla_nest_start_noflag(msg, i + 1);
12341 		if (!scan_plan)
12342 			return -ENOBUFS;
12343 
12344 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
12345 				req->scan_plans[i].interval) ||
12346 		    (req->scan_plans[i].iterations &&
12347 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
12348 				 req->scan_plans[i].iterations)))
12349 			return -ENOBUFS;
12350 		nla_nest_end(msg, scan_plan);
12351 	}
12352 	nla_nest_end(msg, scan_plans);
12353 
12354 	nla_nest_end(msg, nd);
12355 
12356 	return 0;
12357 }
12358 
12359 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
12360 {
12361 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12362 	struct sk_buff *msg;
12363 	void *hdr;
12364 	u32 size = NLMSG_DEFAULT_SIZE;
12365 
12366 	if (!rdev->wiphy.wowlan)
12367 		return -EOPNOTSUPP;
12368 
12369 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
12370 		/* adjust size to have room for all the data */
12371 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
12372 			rdev->wiphy.wowlan_config->tcp->payload_len +
12373 			rdev->wiphy.wowlan_config->tcp->wake_len +
12374 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
12375 	}
12376 
12377 	msg = nlmsg_new(size, GFP_KERNEL);
12378 	if (!msg)
12379 		return -ENOMEM;
12380 
12381 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12382 			     NL80211_CMD_GET_WOWLAN);
12383 	if (!hdr)
12384 		goto nla_put_failure;
12385 
12386 	if (rdev->wiphy.wowlan_config) {
12387 		struct nlattr *nl_wowlan;
12388 
12389 		nl_wowlan = nla_nest_start_noflag(msg,
12390 						  NL80211_ATTR_WOWLAN_TRIGGERS);
12391 		if (!nl_wowlan)
12392 			goto nla_put_failure;
12393 
12394 		if ((rdev->wiphy.wowlan_config->any &&
12395 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
12396 		    (rdev->wiphy.wowlan_config->disconnect &&
12397 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
12398 		    (rdev->wiphy.wowlan_config->magic_pkt &&
12399 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
12400 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
12401 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
12402 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
12403 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
12404 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
12405 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
12406 		    (rdev->wiphy.wowlan_config->rfkill_release &&
12407 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
12408 			goto nla_put_failure;
12409 
12410 		if (nl80211_send_wowlan_patterns(msg, rdev))
12411 			goto nla_put_failure;
12412 
12413 		if (nl80211_send_wowlan_tcp(msg,
12414 					    rdev->wiphy.wowlan_config->tcp))
12415 			goto nla_put_failure;
12416 
12417 		if (nl80211_send_wowlan_nd(
12418 			    msg,
12419 			    rdev->wiphy.wowlan_config->nd_config))
12420 			goto nla_put_failure;
12421 
12422 		nla_nest_end(msg, nl_wowlan);
12423 	}
12424 
12425 	genlmsg_end(msg, hdr);
12426 	return genlmsg_reply(msg, info);
12427 
12428 nla_put_failure:
12429 	nlmsg_free(msg);
12430 	return -ENOBUFS;
12431 }
12432 
12433 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
12434 				    struct nlattr *attr,
12435 				    struct cfg80211_wowlan *trig)
12436 {
12437 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
12438 	struct cfg80211_wowlan_tcp *cfg;
12439 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
12440 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
12441 	u32 size;
12442 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
12443 	int err, port;
12444 
12445 	if (!rdev->wiphy.wowlan->tcp)
12446 		return -EINVAL;
12447 
12448 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
12449 					  nl80211_wowlan_tcp_policy, NULL);
12450 	if (err)
12451 		return err;
12452 
12453 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
12454 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
12455 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
12456 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
12457 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
12458 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
12459 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
12460 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
12461 		return -EINVAL;
12462 
12463 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
12464 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
12465 		return -EINVAL;
12466 
12467 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
12468 			rdev->wiphy.wowlan->tcp->data_interval_max ||
12469 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
12470 		return -EINVAL;
12471 
12472 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
12473 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
12474 		return -EINVAL;
12475 
12476 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
12477 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
12478 		return -EINVAL;
12479 
12480 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
12481 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12482 
12483 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12484 		tokens_size = tokln - sizeof(*tok);
12485 
12486 		if (!tok->len || tokens_size % tok->len)
12487 			return -EINVAL;
12488 		if (!rdev->wiphy.wowlan->tcp->tok)
12489 			return -EINVAL;
12490 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
12491 			return -EINVAL;
12492 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
12493 			return -EINVAL;
12494 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
12495 			return -EINVAL;
12496 		if (tok->offset + tok->len > data_size)
12497 			return -EINVAL;
12498 	}
12499 
12500 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
12501 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
12502 		if (!rdev->wiphy.wowlan->tcp->seq)
12503 			return -EINVAL;
12504 		if (seq->len == 0 || seq->len > 4)
12505 			return -EINVAL;
12506 		if (seq->len + seq->offset > data_size)
12507 			return -EINVAL;
12508 	}
12509 
12510 	size = sizeof(*cfg);
12511 	size += data_size;
12512 	size += wake_size + wake_mask_size;
12513 	size += tokens_size;
12514 
12515 	cfg = kzalloc(size, GFP_KERNEL);
12516 	if (!cfg)
12517 		return -ENOMEM;
12518 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
12519 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
12520 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
12521 	       ETH_ALEN);
12522 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
12523 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
12524 	else
12525 		port = 0;
12526 #ifdef CONFIG_INET
12527 	/* allocate a socket and port for it and use it */
12528 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
12529 			    IPPROTO_TCP, &cfg->sock, 1);
12530 	if (err) {
12531 		kfree(cfg);
12532 		return err;
12533 	}
12534 	if (inet_csk_get_port(cfg->sock->sk, port)) {
12535 		sock_release(cfg->sock);
12536 		kfree(cfg);
12537 		return -EADDRINUSE;
12538 	}
12539 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
12540 #else
12541 	if (!port) {
12542 		kfree(cfg);
12543 		return -EINVAL;
12544 	}
12545 	cfg->src_port = port;
12546 #endif
12547 
12548 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
12549 	cfg->payload_len = data_size;
12550 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
12551 	memcpy((void *)cfg->payload,
12552 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
12553 	       data_size);
12554 	if (seq)
12555 		cfg->payload_seq = *seq;
12556 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
12557 	cfg->wake_len = wake_size;
12558 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
12559 	memcpy((void *)cfg->wake_data,
12560 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
12561 	       wake_size);
12562 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
12563 			 data_size + wake_size;
12564 	memcpy((void *)cfg->wake_mask,
12565 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
12566 	       wake_mask_size);
12567 	if (tok) {
12568 		cfg->tokens_size = tokens_size;
12569 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
12570 	}
12571 
12572 	trig->tcp = cfg;
12573 
12574 	return 0;
12575 }
12576 
12577 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
12578 				   const struct wiphy_wowlan_support *wowlan,
12579 				   struct nlattr *attr,
12580 				   struct cfg80211_wowlan *trig)
12581 {
12582 	struct nlattr **tb;
12583 	int err;
12584 
12585 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
12586 	if (!tb)
12587 		return -ENOMEM;
12588 
12589 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
12590 		err = -EOPNOTSUPP;
12591 		goto out;
12592 	}
12593 
12594 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
12595 					  nl80211_policy, NULL);
12596 	if (err)
12597 		goto out;
12598 
12599 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
12600 						   wowlan->max_nd_match_sets);
12601 	err = PTR_ERR_OR_ZERO(trig->nd_config);
12602 	if (err)
12603 		trig->nd_config = NULL;
12604 
12605 out:
12606 	kfree(tb);
12607 	return err;
12608 }
12609 
12610 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
12611 {
12612 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12613 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
12614 	struct cfg80211_wowlan new_triggers = {};
12615 	struct cfg80211_wowlan *ntrig;
12616 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
12617 	int err, i;
12618 	bool prev_enabled = rdev->wiphy.wowlan_config;
12619 	bool regular = false;
12620 
12621 	if (!wowlan)
12622 		return -EOPNOTSUPP;
12623 
12624 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
12625 		cfg80211_rdev_free_wowlan(rdev);
12626 		rdev->wiphy.wowlan_config = NULL;
12627 		goto set_wakeup;
12628 	}
12629 
12630 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
12631 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
12632 					  nl80211_wowlan_policy, info->extack);
12633 	if (err)
12634 		return err;
12635 
12636 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
12637 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
12638 			return -EINVAL;
12639 		new_triggers.any = true;
12640 	}
12641 
12642 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
12643 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
12644 			return -EINVAL;
12645 		new_triggers.disconnect = true;
12646 		regular = true;
12647 	}
12648 
12649 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
12650 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
12651 			return -EINVAL;
12652 		new_triggers.magic_pkt = true;
12653 		regular = true;
12654 	}
12655 
12656 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
12657 		return -EINVAL;
12658 
12659 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
12660 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
12661 			return -EINVAL;
12662 		new_triggers.gtk_rekey_failure = true;
12663 		regular = true;
12664 	}
12665 
12666 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
12667 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
12668 			return -EINVAL;
12669 		new_triggers.eap_identity_req = true;
12670 		regular = true;
12671 	}
12672 
12673 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
12674 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
12675 			return -EINVAL;
12676 		new_triggers.four_way_handshake = true;
12677 		regular = true;
12678 	}
12679 
12680 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
12681 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
12682 			return -EINVAL;
12683 		new_triggers.rfkill_release = true;
12684 		regular = true;
12685 	}
12686 
12687 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
12688 		struct nlattr *pat;
12689 		int n_patterns = 0;
12690 		int rem, pat_len, mask_len, pkt_offset;
12691 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
12692 
12693 		regular = true;
12694 
12695 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12696 				    rem)
12697 			n_patterns++;
12698 		if (n_patterns > wowlan->n_patterns)
12699 			return -EINVAL;
12700 
12701 		new_triggers.patterns = kcalloc(n_patterns,
12702 						sizeof(new_triggers.patterns[0]),
12703 						GFP_KERNEL);
12704 		if (!new_triggers.patterns)
12705 			return -ENOMEM;
12706 
12707 		new_triggers.n_patterns = n_patterns;
12708 		i = 0;
12709 
12710 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12711 				    rem) {
12712 			u8 *mask_pat;
12713 
12714 			err = nla_parse_nested_deprecated(pat_tb,
12715 							  MAX_NL80211_PKTPAT,
12716 							  pat,
12717 							  nl80211_packet_pattern_policy,
12718 							  info->extack);
12719 			if (err)
12720 				goto error;
12721 
12722 			err = -EINVAL;
12723 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
12724 			    !pat_tb[NL80211_PKTPAT_PATTERN])
12725 				goto error;
12726 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
12727 			mask_len = DIV_ROUND_UP(pat_len, 8);
12728 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
12729 				goto error;
12730 			if (pat_len > wowlan->pattern_max_len ||
12731 			    pat_len < wowlan->pattern_min_len)
12732 				goto error;
12733 
12734 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
12735 				pkt_offset = 0;
12736 			else
12737 				pkt_offset = nla_get_u32(
12738 					pat_tb[NL80211_PKTPAT_OFFSET]);
12739 			if (pkt_offset > wowlan->max_pkt_offset)
12740 				goto error;
12741 			new_triggers.patterns[i].pkt_offset = pkt_offset;
12742 
12743 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
12744 			if (!mask_pat) {
12745 				err = -ENOMEM;
12746 				goto error;
12747 			}
12748 			new_triggers.patterns[i].mask = mask_pat;
12749 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
12750 			       mask_len);
12751 			mask_pat += mask_len;
12752 			new_triggers.patterns[i].pattern = mask_pat;
12753 			new_triggers.patterns[i].pattern_len = pat_len;
12754 			memcpy(mask_pat,
12755 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
12756 			       pat_len);
12757 			i++;
12758 		}
12759 	}
12760 
12761 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
12762 		regular = true;
12763 		err = nl80211_parse_wowlan_tcp(
12764 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
12765 			&new_triggers);
12766 		if (err)
12767 			goto error;
12768 	}
12769 
12770 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
12771 		regular = true;
12772 		err = nl80211_parse_wowlan_nd(
12773 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
12774 			&new_triggers);
12775 		if (err)
12776 			goto error;
12777 	}
12778 
12779 	/* The 'any' trigger means the device continues operating more or less
12780 	 * as in its normal operation mode and wakes up the host on most of the
12781 	 * normal interrupts (like packet RX, ...)
12782 	 * It therefore makes little sense to combine with the more constrained
12783 	 * wakeup trigger modes.
12784 	 */
12785 	if (new_triggers.any && regular) {
12786 		err = -EINVAL;
12787 		goto error;
12788 	}
12789 
12790 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
12791 	if (!ntrig) {
12792 		err = -ENOMEM;
12793 		goto error;
12794 	}
12795 	cfg80211_rdev_free_wowlan(rdev);
12796 	rdev->wiphy.wowlan_config = ntrig;
12797 
12798  set_wakeup:
12799 	if (rdev->ops->set_wakeup &&
12800 	    prev_enabled != !!rdev->wiphy.wowlan_config)
12801 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
12802 
12803 	return 0;
12804  error:
12805 	for (i = 0; i < new_triggers.n_patterns; i++)
12806 		kfree(new_triggers.patterns[i].mask);
12807 	kfree(new_triggers.patterns);
12808 	if (new_triggers.tcp && new_triggers.tcp->sock)
12809 		sock_release(new_triggers.tcp->sock);
12810 	kfree(new_triggers.tcp);
12811 	kfree(new_triggers.nd_config);
12812 	return err;
12813 }
12814 #endif
12815 
12816 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
12817 				       struct cfg80211_registered_device *rdev)
12818 {
12819 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
12820 	int i, j, pat_len;
12821 	struct cfg80211_coalesce_rules *rule;
12822 
12823 	if (!rdev->coalesce->n_rules)
12824 		return 0;
12825 
12826 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
12827 	if (!nl_rules)
12828 		return -ENOBUFS;
12829 
12830 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
12831 		nl_rule = nla_nest_start_noflag(msg, i + 1);
12832 		if (!nl_rule)
12833 			return -ENOBUFS;
12834 
12835 		rule = &rdev->coalesce->rules[i];
12836 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
12837 				rule->delay))
12838 			return -ENOBUFS;
12839 
12840 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
12841 				rule->condition))
12842 			return -ENOBUFS;
12843 
12844 		nl_pats = nla_nest_start_noflag(msg,
12845 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
12846 		if (!nl_pats)
12847 			return -ENOBUFS;
12848 
12849 		for (j = 0; j < rule->n_patterns; j++) {
12850 			nl_pat = nla_nest_start_noflag(msg, j + 1);
12851 			if (!nl_pat)
12852 				return -ENOBUFS;
12853 			pat_len = rule->patterns[j].pattern_len;
12854 			if (nla_put(msg, NL80211_PKTPAT_MASK,
12855 				    DIV_ROUND_UP(pat_len, 8),
12856 				    rule->patterns[j].mask) ||
12857 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
12858 				    rule->patterns[j].pattern) ||
12859 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
12860 					rule->patterns[j].pkt_offset))
12861 				return -ENOBUFS;
12862 			nla_nest_end(msg, nl_pat);
12863 		}
12864 		nla_nest_end(msg, nl_pats);
12865 		nla_nest_end(msg, nl_rule);
12866 	}
12867 	nla_nest_end(msg, nl_rules);
12868 
12869 	return 0;
12870 }
12871 
12872 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
12873 {
12874 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12875 	struct sk_buff *msg;
12876 	void *hdr;
12877 
12878 	if (!rdev->wiphy.coalesce)
12879 		return -EOPNOTSUPP;
12880 
12881 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12882 	if (!msg)
12883 		return -ENOMEM;
12884 
12885 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12886 			     NL80211_CMD_GET_COALESCE);
12887 	if (!hdr)
12888 		goto nla_put_failure;
12889 
12890 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
12891 		goto nla_put_failure;
12892 
12893 	genlmsg_end(msg, hdr);
12894 	return genlmsg_reply(msg, info);
12895 
12896 nla_put_failure:
12897 	nlmsg_free(msg);
12898 	return -ENOBUFS;
12899 }
12900 
12901 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
12902 {
12903 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
12904 	int i, j;
12905 	struct cfg80211_coalesce_rules *rule;
12906 
12907 	if (!coalesce)
12908 		return;
12909 
12910 	for (i = 0; i < coalesce->n_rules; i++) {
12911 		rule = &coalesce->rules[i];
12912 		for (j = 0; j < rule->n_patterns; j++)
12913 			kfree(rule->patterns[j].mask);
12914 		kfree(rule->patterns);
12915 	}
12916 	kfree(coalesce->rules);
12917 	kfree(coalesce);
12918 	rdev->coalesce = NULL;
12919 }
12920 
12921 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
12922 				       struct nlattr *rule,
12923 				       struct cfg80211_coalesce_rules *new_rule)
12924 {
12925 	int err, i;
12926 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
12927 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
12928 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
12929 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
12930 
12931 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
12932 					  rule, nl80211_coalesce_policy, NULL);
12933 	if (err)
12934 		return err;
12935 
12936 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
12937 		new_rule->delay =
12938 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
12939 	if (new_rule->delay > coalesce->max_delay)
12940 		return -EINVAL;
12941 
12942 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
12943 		new_rule->condition =
12944 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
12945 
12946 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
12947 		return -EINVAL;
12948 
12949 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
12950 			    rem)
12951 		n_patterns++;
12952 	if (n_patterns > coalesce->n_patterns)
12953 		return -EINVAL;
12954 
12955 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
12956 				     GFP_KERNEL);
12957 	if (!new_rule->patterns)
12958 		return -ENOMEM;
12959 
12960 	new_rule->n_patterns = n_patterns;
12961 	i = 0;
12962 
12963 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
12964 			    rem) {
12965 		u8 *mask_pat;
12966 
12967 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
12968 						  pat,
12969 						  nl80211_packet_pattern_policy,
12970 						  NULL);
12971 		if (err)
12972 			return err;
12973 
12974 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
12975 		    !pat_tb[NL80211_PKTPAT_PATTERN])
12976 			return -EINVAL;
12977 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
12978 		mask_len = DIV_ROUND_UP(pat_len, 8);
12979 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
12980 			return -EINVAL;
12981 		if (pat_len > coalesce->pattern_max_len ||
12982 		    pat_len < coalesce->pattern_min_len)
12983 			return -EINVAL;
12984 
12985 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
12986 			pkt_offset = 0;
12987 		else
12988 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
12989 		if (pkt_offset > coalesce->max_pkt_offset)
12990 			return -EINVAL;
12991 		new_rule->patterns[i].pkt_offset = pkt_offset;
12992 
12993 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
12994 		if (!mask_pat)
12995 			return -ENOMEM;
12996 
12997 		new_rule->patterns[i].mask = mask_pat;
12998 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
12999 		       mask_len);
13000 
13001 		mask_pat += mask_len;
13002 		new_rule->patterns[i].pattern = mask_pat;
13003 		new_rule->patterns[i].pattern_len = pat_len;
13004 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13005 		       pat_len);
13006 		i++;
13007 	}
13008 
13009 	return 0;
13010 }
13011 
13012 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
13013 {
13014 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13015 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13016 	struct cfg80211_coalesce new_coalesce = {};
13017 	struct cfg80211_coalesce *n_coalesce;
13018 	int err, rem_rule, n_rules = 0, i, j;
13019 	struct nlattr *rule;
13020 	struct cfg80211_coalesce_rules *tmp_rule;
13021 
13022 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
13023 		return -EOPNOTSUPP;
13024 
13025 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
13026 		cfg80211_rdev_free_coalesce(rdev);
13027 		rdev_set_coalesce(rdev, NULL);
13028 		return 0;
13029 	}
13030 
13031 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13032 			    rem_rule)
13033 		n_rules++;
13034 	if (n_rules > coalesce->n_rules)
13035 		return -EINVAL;
13036 
13037 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
13038 				     GFP_KERNEL);
13039 	if (!new_coalesce.rules)
13040 		return -ENOMEM;
13041 
13042 	new_coalesce.n_rules = n_rules;
13043 	i = 0;
13044 
13045 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13046 			    rem_rule) {
13047 		err = nl80211_parse_coalesce_rule(rdev, rule,
13048 						  &new_coalesce.rules[i]);
13049 		if (err)
13050 			goto error;
13051 
13052 		i++;
13053 	}
13054 
13055 	err = rdev_set_coalesce(rdev, &new_coalesce);
13056 	if (err)
13057 		goto error;
13058 
13059 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
13060 	if (!n_coalesce) {
13061 		err = -ENOMEM;
13062 		goto error;
13063 	}
13064 	cfg80211_rdev_free_coalesce(rdev);
13065 	rdev->coalesce = n_coalesce;
13066 
13067 	return 0;
13068 error:
13069 	for (i = 0; i < new_coalesce.n_rules; i++) {
13070 		tmp_rule = &new_coalesce.rules[i];
13071 		for (j = 0; j < tmp_rule->n_patterns; j++)
13072 			kfree(tmp_rule->patterns[j].mask);
13073 		kfree(tmp_rule->patterns);
13074 	}
13075 	kfree(new_coalesce.rules);
13076 
13077 	return err;
13078 }
13079 
13080 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
13081 {
13082 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13083 	struct net_device *dev = info->user_ptr[1];
13084 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13085 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
13086 	struct cfg80211_gtk_rekey_data rekey_data = {};
13087 	int err;
13088 
13089 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
13090 		return -EINVAL;
13091 
13092 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
13093 					  info->attrs[NL80211_ATTR_REKEY_DATA],
13094 					  nl80211_rekey_policy, info->extack);
13095 	if (err)
13096 		return err;
13097 
13098 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
13099 	    !tb[NL80211_REKEY_DATA_KCK])
13100 		return -EINVAL;
13101 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
13102 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
13103 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
13104 		return -ERANGE;
13105 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
13106 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
13107 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KCK_EXT_LEN))
13108 		return -ERANGE;
13109 
13110 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
13111 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
13112 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
13113 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
13114 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
13115 	if (tb[NL80211_REKEY_DATA_AKM])
13116 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
13117 
13118 	wdev_lock(wdev);
13119 	if (!wdev->current_bss) {
13120 		err = -ENOTCONN;
13121 		goto out;
13122 	}
13123 
13124 	if (!rdev->ops->set_rekey_data) {
13125 		err = -EOPNOTSUPP;
13126 		goto out;
13127 	}
13128 
13129 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
13130  out:
13131 	wdev_unlock(wdev);
13132 	return err;
13133 }
13134 
13135 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
13136 					     struct genl_info *info)
13137 {
13138 	struct net_device *dev = info->user_ptr[1];
13139 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13140 
13141 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13142 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13143 		return -EINVAL;
13144 
13145 	if (wdev->ap_unexpected_nlportid)
13146 		return -EBUSY;
13147 
13148 	wdev->ap_unexpected_nlportid = info->snd_portid;
13149 	return 0;
13150 }
13151 
13152 static int nl80211_probe_client(struct sk_buff *skb,
13153 				struct genl_info *info)
13154 {
13155 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13156 	struct net_device *dev = info->user_ptr[1];
13157 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13158 	struct sk_buff *msg;
13159 	void *hdr;
13160 	const u8 *addr;
13161 	u64 cookie;
13162 	int err;
13163 
13164 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13165 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13166 		return -EOPNOTSUPP;
13167 
13168 	if (!info->attrs[NL80211_ATTR_MAC])
13169 		return -EINVAL;
13170 
13171 	if (!rdev->ops->probe_client)
13172 		return -EOPNOTSUPP;
13173 
13174 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13175 	if (!msg)
13176 		return -ENOMEM;
13177 
13178 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13179 			     NL80211_CMD_PROBE_CLIENT);
13180 	if (!hdr) {
13181 		err = -ENOBUFS;
13182 		goto free_msg;
13183 	}
13184 
13185 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
13186 
13187 	err = rdev_probe_client(rdev, dev, addr, &cookie);
13188 	if (err)
13189 		goto free_msg;
13190 
13191 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13192 			      NL80211_ATTR_PAD))
13193 		goto nla_put_failure;
13194 
13195 	genlmsg_end(msg, hdr);
13196 
13197 	return genlmsg_reply(msg, info);
13198 
13199  nla_put_failure:
13200 	err = -ENOBUFS;
13201  free_msg:
13202 	nlmsg_free(msg);
13203 	return err;
13204 }
13205 
13206 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
13207 {
13208 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13209 	struct cfg80211_beacon_registration *reg, *nreg;
13210 	int rv;
13211 
13212 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
13213 		return -EOPNOTSUPP;
13214 
13215 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
13216 	if (!nreg)
13217 		return -ENOMEM;
13218 
13219 	/* First, check if already registered. */
13220 	spin_lock_bh(&rdev->beacon_registrations_lock);
13221 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
13222 		if (reg->nlportid == info->snd_portid) {
13223 			rv = -EALREADY;
13224 			goto out_err;
13225 		}
13226 	}
13227 	/* Add it to the list */
13228 	nreg->nlportid = info->snd_portid;
13229 	list_add(&nreg->list, &rdev->beacon_registrations);
13230 
13231 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13232 
13233 	return 0;
13234 out_err:
13235 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13236 	kfree(nreg);
13237 	return rv;
13238 }
13239 
13240 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
13241 {
13242 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13243 	struct wireless_dev *wdev = info->user_ptr[1];
13244 	int err;
13245 
13246 	if (!rdev->ops->start_p2p_device)
13247 		return -EOPNOTSUPP;
13248 
13249 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13250 		return -EOPNOTSUPP;
13251 
13252 	if (wdev_running(wdev))
13253 		return 0;
13254 
13255 	if (rfkill_blocked(rdev->wiphy.rfkill))
13256 		return -ERFKILL;
13257 
13258 	err = rdev_start_p2p_device(rdev, wdev);
13259 	if (err)
13260 		return err;
13261 
13262 	wdev->is_running = true;
13263 	rdev->opencount++;
13264 
13265 	return 0;
13266 }
13267 
13268 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
13269 {
13270 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13271 	struct wireless_dev *wdev = info->user_ptr[1];
13272 
13273 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13274 		return -EOPNOTSUPP;
13275 
13276 	if (!rdev->ops->stop_p2p_device)
13277 		return -EOPNOTSUPP;
13278 
13279 	cfg80211_stop_p2p_device(rdev, wdev);
13280 
13281 	return 0;
13282 }
13283 
13284 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
13285 {
13286 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13287 	struct wireless_dev *wdev = info->user_ptr[1];
13288 	struct cfg80211_nan_conf conf = {};
13289 	int err;
13290 
13291 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13292 		return -EOPNOTSUPP;
13293 
13294 	if (wdev_running(wdev))
13295 		return -EEXIST;
13296 
13297 	if (rfkill_blocked(rdev->wiphy.rfkill))
13298 		return -ERFKILL;
13299 
13300 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
13301 		return -EINVAL;
13302 
13303 	conf.master_pref =
13304 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
13305 
13306 	if (info->attrs[NL80211_ATTR_BANDS]) {
13307 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
13308 
13309 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
13310 			return -EOPNOTSUPP;
13311 
13312 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
13313 			return -EINVAL;
13314 
13315 		conf.bands = bands;
13316 	}
13317 
13318 	err = rdev_start_nan(rdev, wdev, &conf);
13319 	if (err)
13320 		return err;
13321 
13322 	wdev->is_running = true;
13323 	rdev->opencount++;
13324 
13325 	return 0;
13326 }
13327 
13328 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
13329 {
13330 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13331 	struct wireless_dev *wdev = info->user_ptr[1];
13332 
13333 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13334 		return -EOPNOTSUPP;
13335 
13336 	cfg80211_stop_nan(rdev, wdev);
13337 
13338 	return 0;
13339 }
13340 
13341 static int validate_nan_filter(struct nlattr *filter_attr)
13342 {
13343 	struct nlattr *attr;
13344 	int len = 0, n_entries = 0, rem;
13345 
13346 	nla_for_each_nested(attr, filter_attr, rem) {
13347 		len += nla_len(attr);
13348 		n_entries++;
13349 	}
13350 
13351 	if (len >= U8_MAX)
13352 		return -EINVAL;
13353 
13354 	return n_entries;
13355 }
13356 
13357 static int handle_nan_filter(struct nlattr *attr_filter,
13358 			     struct cfg80211_nan_func *func,
13359 			     bool tx)
13360 {
13361 	struct nlattr *attr;
13362 	int n_entries, rem, i;
13363 	struct cfg80211_nan_func_filter *filter;
13364 
13365 	n_entries = validate_nan_filter(attr_filter);
13366 	if (n_entries < 0)
13367 		return n_entries;
13368 
13369 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
13370 
13371 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
13372 	if (!filter)
13373 		return -ENOMEM;
13374 
13375 	i = 0;
13376 	nla_for_each_nested(attr, attr_filter, rem) {
13377 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
13378 		filter[i].len = nla_len(attr);
13379 		i++;
13380 	}
13381 	if (tx) {
13382 		func->num_tx_filters = n_entries;
13383 		func->tx_filters = filter;
13384 	} else {
13385 		func->num_rx_filters = n_entries;
13386 		func->rx_filters = filter;
13387 	}
13388 
13389 	return 0;
13390 }
13391 
13392 static int nl80211_nan_add_func(struct sk_buff *skb,
13393 				struct genl_info *info)
13394 {
13395 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13396 	struct wireless_dev *wdev = info->user_ptr[1];
13397 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
13398 	struct cfg80211_nan_func *func;
13399 	struct sk_buff *msg = NULL;
13400 	void *hdr = NULL;
13401 	int err = 0;
13402 
13403 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13404 		return -EOPNOTSUPP;
13405 
13406 	if (!wdev_running(wdev))
13407 		return -ENOTCONN;
13408 
13409 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
13410 		return -EINVAL;
13411 
13412 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
13413 					  info->attrs[NL80211_ATTR_NAN_FUNC],
13414 					  nl80211_nan_func_policy,
13415 					  info->extack);
13416 	if (err)
13417 		return err;
13418 
13419 	func = kzalloc(sizeof(*func), GFP_KERNEL);
13420 	if (!func)
13421 		return -ENOMEM;
13422 
13423 	func->cookie = cfg80211_assign_cookie(rdev);
13424 
13425 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
13426 		err = -EINVAL;
13427 		goto out;
13428 	}
13429 
13430 
13431 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
13432 
13433 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
13434 		err = -EINVAL;
13435 		goto out;
13436 	}
13437 
13438 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
13439 	       sizeof(func->service_id));
13440 
13441 	func->close_range =
13442 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
13443 
13444 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
13445 		func->serv_spec_info_len =
13446 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
13447 		func->serv_spec_info =
13448 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
13449 				func->serv_spec_info_len,
13450 				GFP_KERNEL);
13451 		if (!func->serv_spec_info) {
13452 			err = -ENOMEM;
13453 			goto out;
13454 		}
13455 	}
13456 
13457 	if (tb[NL80211_NAN_FUNC_TTL])
13458 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
13459 
13460 	switch (func->type) {
13461 	case NL80211_NAN_FUNC_PUBLISH:
13462 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
13463 			err = -EINVAL;
13464 			goto out;
13465 		}
13466 
13467 		func->publish_type =
13468 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
13469 		func->publish_bcast =
13470 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
13471 
13472 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
13473 			func->publish_bcast) {
13474 			err = -EINVAL;
13475 			goto out;
13476 		}
13477 		break;
13478 	case NL80211_NAN_FUNC_SUBSCRIBE:
13479 		func->subscribe_active =
13480 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
13481 		break;
13482 	case NL80211_NAN_FUNC_FOLLOW_UP:
13483 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
13484 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
13485 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
13486 			err = -EINVAL;
13487 			goto out;
13488 		}
13489 
13490 		func->followup_id =
13491 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
13492 		func->followup_reqid =
13493 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
13494 		memcpy(func->followup_dest.addr,
13495 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
13496 		       sizeof(func->followup_dest.addr));
13497 		if (func->ttl) {
13498 			err = -EINVAL;
13499 			goto out;
13500 		}
13501 		break;
13502 	default:
13503 		err = -EINVAL;
13504 		goto out;
13505 	}
13506 
13507 	if (tb[NL80211_NAN_FUNC_SRF]) {
13508 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
13509 
13510 		err = nla_parse_nested_deprecated(srf_tb,
13511 						  NL80211_NAN_SRF_ATTR_MAX,
13512 						  tb[NL80211_NAN_FUNC_SRF],
13513 						  nl80211_nan_srf_policy,
13514 						  info->extack);
13515 		if (err)
13516 			goto out;
13517 
13518 		func->srf_include =
13519 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
13520 
13521 		if (srf_tb[NL80211_NAN_SRF_BF]) {
13522 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
13523 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
13524 				err = -EINVAL;
13525 				goto out;
13526 			}
13527 
13528 			func->srf_bf_len =
13529 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
13530 			func->srf_bf =
13531 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
13532 					func->srf_bf_len, GFP_KERNEL);
13533 			if (!func->srf_bf) {
13534 				err = -ENOMEM;
13535 				goto out;
13536 			}
13537 
13538 			func->srf_bf_idx =
13539 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
13540 		} else {
13541 			struct nlattr *attr, *mac_attr =
13542 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
13543 			int n_entries, rem, i = 0;
13544 
13545 			if (!mac_attr) {
13546 				err = -EINVAL;
13547 				goto out;
13548 			}
13549 
13550 			n_entries = validate_acl_mac_addrs(mac_attr);
13551 			if (n_entries <= 0) {
13552 				err = -EINVAL;
13553 				goto out;
13554 			}
13555 
13556 			func->srf_num_macs = n_entries;
13557 			func->srf_macs =
13558 				kcalloc(n_entries, sizeof(*func->srf_macs),
13559 					GFP_KERNEL);
13560 			if (!func->srf_macs) {
13561 				err = -ENOMEM;
13562 				goto out;
13563 			}
13564 
13565 			nla_for_each_nested(attr, mac_attr, rem)
13566 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
13567 				       sizeof(*func->srf_macs));
13568 		}
13569 	}
13570 
13571 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
13572 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
13573 					func, true);
13574 		if (err)
13575 			goto out;
13576 	}
13577 
13578 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
13579 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
13580 					func, false);
13581 		if (err)
13582 			goto out;
13583 	}
13584 
13585 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13586 	if (!msg) {
13587 		err = -ENOMEM;
13588 		goto out;
13589 	}
13590 
13591 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13592 			     NL80211_CMD_ADD_NAN_FUNCTION);
13593 	/* This can't really happen - we just allocated 4KB */
13594 	if (WARN_ON(!hdr)) {
13595 		err = -ENOMEM;
13596 		goto out;
13597 	}
13598 
13599 	err = rdev_add_nan_func(rdev, wdev, func);
13600 out:
13601 	if (err < 0) {
13602 		cfg80211_free_nan_func(func);
13603 		nlmsg_free(msg);
13604 		return err;
13605 	}
13606 
13607 	/* propagate the instance id and cookie to userspace  */
13608 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
13609 			      NL80211_ATTR_PAD))
13610 		goto nla_put_failure;
13611 
13612 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
13613 	if (!func_attr)
13614 		goto nla_put_failure;
13615 
13616 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
13617 		       func->instance_id))
13618 		goto nla_put_failure;
13619 
13620 	nla_nest_end(msg, func_attr);
13621 
13622 	genlmsg_end(msg, hdr);
13623 	return genlmsg_reply(msg, info);
13624 
13625 nla_put_failure:
13626 	nlmsg_free(msg);
13627 	return -ENOBUFS;
13628 }
13629 
13630 static int nl80211_nan_del_func(struct sk_buff *skb,
13631 			       struct genl_info *info)
13632 {
13633 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13634 	struct wireless_dev *wdev = info->user_ptr[1];
13635 	u64 cookie;
13636 
13637 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13638 		return -EOPNOTSUPP;
13639 
13640 	if (!wdev_running(wdev))
13641 		return -ENOTCONN;
13642 
13643 	if (!info->attrs[NL80211_ATTR_COOKIE])
13644 		return -EINVAL;
13645 
13646 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
13647 
13648 	rdev_del_nan_func(rdev, wdev, cookie);
13649 
13650 	return 0;
13651 }
13652 
13653 static int nl80211_nan_change_config(struct sk_buff *skb,
13654 				     struct genl_info *info)
13655 {
13656 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13657 	struct wireless_dev *wdev = info->user_ptr[1];
13658 	struct cfg80211_nan_conf conf = {};
13659 	u32 changed = 0;
13660 
13661 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13662 		return -EOPNOTSUPP;
13663 
13664 	if (!wdev_running(wdev))
13665 		return -ENOTCONN;
13666 
13667 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
13668 		conf.master_pref =
13669 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
13670 		if (conf.master_pref <= 1 || conf.master_pref == 255)
13671 			return -EINVAL;
13672 
13673 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
13674 	}
13675 
13676 	if (info->attrs[NL80211_ATTR_BANDS]) {
13677 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
13678 
13679 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
13680 			return -EOPNOTSUPP;
13681 
13682 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
13683 			return -EINVAL;
13684 
13685 		conf.bands = bands;
13686 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
13687 	}
13688 
13689 	if (!changed)
13690 		return -EINVAL;
13691 
13692 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
13693 }
13694 
13695 void cfg80211_nan_match(struct wireless_dev *wdev,
13696 			struct cfg80211_nan_match_params *match, gfp_t gfp)
13697 {
13698 	struct wiphy *wiphy = wdev->wiphy;
13699 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13700 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
13701 	struct sk_buff *msg;
13702 	void *hdr;
13703 
13704 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
13705 		return;
13706 
13707 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13708 	if (!msg)
13709 		return;
13710 
13711 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
13712 	if (!hdr) {
13713 		nlmsg_free(msg);
13714 		return;
13715 	}
13716 
13717 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13718 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13719 					 wdev->netdev->ifindex)) ||
13720 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13721 			      NL80211_ATTR_PAD))
13722 		goto nla_put_failure;
13723 
13724 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
13725 			      NL80211_ATTR_PAD) ||
13726 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
13727 		goto nla_put_failure;
13728 
13729 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
13730 	if (!match_attr)
13731 		goto nla_put_failure;
13732 
13733 	local_func_attr = nla_nest_start_noflag(msg,
13734 						NL80211_NAN_MATCH_FUNC_LOCAL);
13735 	if (!local_func_attr)
13736 		goto nla_put_failure;
13737 
13738 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
13739 		goto nla_put_failure;
13740 
13741 	nla_nest_end(msg, local_func_attr);
13742 
13743 	peer_func_attr = nla_nest_start_noflag(msg,
13744 					       NL80211_NAN_MATCH_FUNC_PEER);
13745 	if (!peer_func_attr)
13746 		goto nla_put_failure;
13747 
13748 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
13749 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
13750 		goto nla_put_failure;
13751 
13752 	if (match->info && match->info_len &&
13753 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
13754 		    match->info))
13755 		goto nla_put_failure;
13756 
13757 	nla_nest_end(msg, peer_func_attr);
13758 	nla_nest_end(msg, match_attr);
13759 	genlmsg_end(msg, hdr);
13760 
13761 	if (!wdev->owner_nlportid)
13762 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13763 					msg, 0, NL80211_MCGRP_NAN, gfp);
13764 	else
13765 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13766 				wdev->owner_nlportid);
13767 
13768 	return;
13769 
13770 nla_put_failure:
13771 	nlmsg_free(msg);
13772 }
13773 EXPORT_SYMBOL(cfg80211_nan_match);
13774 
13775 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
13776 				  u8 inst_id,
13777 				  enum nl80211_nan_func_term_reason reason,
13778 				  u64 cookie, gfp_t gfp)
13779 {
13780 	struct wiphy *wiphy = wdev->wiphy;
13781 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13782 	struct sk_buff *msg;
13783 	struct nlattr *func_attr;
13784 	void *hdr;
13785 
13786 	if (WARN_ON(!inst_id))
13787 		return;
13788 
13789 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13790 	if (!msg)
13791 		return;
13792 
13793 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
13794 	if (!hdr) {
13795 		nlmsg_free(msg);
13796 		return;
13797 	}
13798 
13799 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13800 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13801 					 wdev->netdev->ifindex)) ||
13802 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13803 			      NL80211_ATTR_PAD))
13804 		goto nla_put_failure;
13805 
13806 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13807 			      NL80211_ATTR_PAD))
13808 		goto nla_put_failure;
13809 
13810 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
13811 	if (!func_attr)
13812 		goto nla_put_failure;
13813 
13814 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
13815 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
13816 		goto nla_put_failure;
13817 
13818 	nla_nest_end(msg, func_attr);
13819 	genlmsg_end(msg, hdr);
13820 
13821 	if (!wdev->owner_nlportid)
13822 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13823 					msg, 0, NL80211_MCGRP_NAN, gfp);
13824 	else
13825 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13826 				wdev->owner_nlportid);
13827 
13828 	return;
13829 
13830 nla_put_failure:
13831 	nlmsg_free(msg);
13832 }
13833 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
13834 
13835 static int nl80211_get_protocol_features(struct sk_buff *skb,
13836 					 struct genl_info *info)
13837 {
13838 	void *hdr;
13839 	struct sk_buff *msg;
13840 
13841 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13842 	if (!msg)
13843 		return -ENOMEM;
13844 
13845 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13846 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
13847 	if (!hdr)
13848 		goto nla_put_failure;
13849 
13850 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
13851 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
13852 		goto nla_put_failure;
13853 
13854 	genlmsg_end(msg, hdr);
13855 	return genlmsg_reply(msg, info);
13856 
13857  nla_put_failure:
13858 	kfree_skb(msg);
13859 	return -ENOBUFS;
13860 }
13861 
13862 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
13863 {
13864 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13865 	struct cfg80211_update_ft_ies_params ft_params;
13866 	struct net_device *dev = info->user_ptr[1];
13867 
13868 	if (!rdev->ops->update_ft_ies)
13869 		return -EOPNOTSUPP;
13870 
13871 	if (!info->attrs[NL80211_ATTR_MDID] ||
13872 	    !info->attrs[NL80211_ATTR_IE])
13873 		return -EINVAL;
13874 
13875 	memset(&ft_params, 0, sizeof(ft_params));
13876 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
13877 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13878 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13879 
13880 	return rdev_update_ft_ies(rdev, dev, &ft_params);
13881 }
13882 
13883 static int nl80211_crit_protocol_start(struct sk_buff *skb,
13884 				       struct genl_info *info)
13885 {
13886 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13887 	struct wireless_dev *wdev = info->user_ptr[1];
13888 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
13889 	u16 duration;
13890 	int ret;
13891 
13892 	if (!rdev->ops->crit_proto_start)
13893 		return -EOPNOTSUPP;
13894 
13895 	if (WARN_ON(!rdev->ops->crit_proto_stop))
13896 		return -EINVAL;
13897 
13898 	if (rdev->crit_proto_nlportid)
13899 		return -EBUSY;
13900 
13901 	/* determine protocol if provided */
13902 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
13903 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
13904 
13905 	if (proto >= NUM_NL80211_CRIT_PROTO)
13906 		return -EINVAL;
13907 
13908 	/* timeout must be provided */
13909 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
13910 		return -EINVAL;
13911 
13912 	duration =
13913 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
13914 
13915 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
13916 	if (!ret)
13917 		rdev->crit_proto_nlportid = info->snd_portid;
13918 
13919 	return ret;
13920 }
13921 
13922 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
13923 				      struct genl_info *info)
13924 {
13925 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13926 	struct wireless_dev *wdev = info->user_ptr[1];
13927 
13928 	if (!rdev->ops->crit_proto_stop)
13929 		return -EOPNOTSUPP;
13930 
13931 	if (rdev->crit_proto_nlportid) {
13932 		rdev->crit_proto_nlportid = 0;
13933 		rdev_crit_proto_stop(rdev, wdev);
13934 	}
13935 	return 0;
13936 }
13937 
13938 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
13939 				       struct nlattr *attr,
13940 				       struct netlink_ext_ack *extack)
13941 {
13942 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
13943 		if (attr->nla_type & NLA_F_NESTED) {
13944 			NL_SET_ERR_MSG_ATTR(extack, attr,
13945 					    "unexpected nested data");
13946 			return -EINVAL;
13947 		}
13948 
13949 		return 0;
13950 	}
13951 
13952 	if (!(attr->nla_type & NLA_F_NESTED)) {
13953 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
13954 		return -EINVAL;
13955 	}
13956 
13957 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
13958 }
13959 
13960 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
13961 {
13962 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13963 	struct wireless_dev *wdev =
13964 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
13965 					   info->attrs);
13966 	int i, err;
13967 	u32 vid, subcmd;
13968 
13969 	if (!rdev->wiphy.vendor_commands)
13970 		return -EOPNOTSUPP;
13971 
13972 	if (IS_ERR(wdev)) {
13973 		err = PTR_ERR(wdev);
13974 		if (err != -EINVAL)
13975 			return err;
13976 		wdev = NULL;
13977 	} else if (wdev->wiphy != &rdev->wiphy) {
13978 		return -EINVAL;
13979 	}
13980 
13981 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
13982 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
13983 		return -EINVAL;
13984 
13985 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
13986 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
13987 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
13988 		const struct wiphy_vendor_command *vcmd;
13989 		void *data = NULL;
13990 		int len = 0;
13991 
13992 		vcmd = &rdev->wiphy.vendor_commands[i];
13993 
13994 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
13995 			continue;
13996 
13997 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
13998 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
13999 			if (!wdev)
14000 				return -EINVAL;
14001 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
14002 			    !wdev->netdev)
14003 				return -EINVAL;
14004 
14005 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
14006 				if (!wdev_running(wdev))
14007 					return -ENETDOWN;
14008 			}
14009 		} else {
14010 			wdev = NULL;
14011 		}
14012 
14013 		if (!vcmd->doit)
14014 			return -EOPNOTSUPP;
14015 
14016 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
14017 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14018 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14019 
14020 			err = nl80211_vendor_check_policy(vcmd,
14021 					info->attrs[NL80211_ATTR_VENDOR_DATA],
14022 					info->extack);
14023 			if (err)
14024 				return err;
14025 		}
14026 
14027 		rdev->cur_cmd_info = info;
14028 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
14029 		rdev->cur_cmd_info = NULL;
14030 		return err;
14031 	}
14032 
14033 	return -EOPNOTSUPP;
14034 }
14035 
14036 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
14037 				       struct netlink_callback *cb,
14038 				       struct cfg80211_registered_device **rdev,
14039 				       struct wireless_dev **wdev)
14040 {
14041 	struct nlattr **attrbuf;
14042 	u32 vid, subcmd;
14043 	unsigned int i;
14044 	int vcmd_idx = -1;
14045 	int err;
14046 	void *data = NULL;
14047 	unsigned int data_len = 0;
14048 
14049 	if (cb->args[0]) {
14050 		/* subtract the 1 again here */
14051 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
14052 		struct wireless_dev *tmp;
14053 
14054 		if (!wiphy)
14055 			return -ENODEV;
14056 		*rdev = wiphy_to_rdev(wiphy);
14057 		*wdev = NULL;
14058 
14059 		if (cb->args[1]) {
14060 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
14061 				if (tmp->identifier == cb->args[1] - 1) {
14062 					*wdev = tmp;
14063 					break;
14064 				}
14065 			}
14066 		}
14067 
14068 		/* keep rtnl locked in successful case */
14069 		return 0;
14070 	}
14071 
14072 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
14073 	if (!attrbuf)
14074 		return -ENOMEM;
14075 
14076 	err = nlmsg_parse_deprecated(cb->nlh,
14077 				     GENL_HDRLEN + nl80211_fam.hdrsize,
14078 				     attrbuf, nl80211_fam.maxattr,
14079 				     nl80211_policy, NULL);
14080 	if (err)
14081 		goto out;
14082 
14083 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
14084 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
14085 		err = -EINVAL;
14086 		goto out;
14087 	}
14088 
14089 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
14090 	if (IS_ERR(*wdev))
14091 		*wdev = NULL;
14092 
14093 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
14094 	if (IS_ERR(*rdev)) {
14095 		err = PTR_ERR(*rdev);
14096 		goto out;
14097 	}
14098 
14099 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
14100 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
14101 
14102 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
14103 		const struct wiphy_vendor_command *vcmd;
14104 
14105 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
14106 
14107 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14108 			continue;
14109 
14110 		if (!vcmd->dumpit) {
14111 			err = -EOPNOTSUPP;
14112 			goto out;
14113 		}
14114 
14115 		vcmd_idx = i;
14116 		break;
14117 	}
14118 
14119 	if (vcmd_idx < 0) {
14120 		err = -EOPNOTSUPP;
14121 		goto out;
14122 	}
14123 
14124 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
14125 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
14126 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
14127 
14128 		err = nl80211_vendor_check_policy(
14129 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
14130 				attrbuf[NL80211_ATTR_VENDOR_DATA],
14131 				cb->extack);
14132 		if (err)
14133 			goto out;
14134 	}
14135 
14136 	/* 0 is the first index - add 1 to parse only once */
14137 	cb->args[0] = (*rdev)->wiphy_idx + 1;
14138 	/* add 1 to know if it was NULL */
14139 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
14140 	cb->args[2] = vcmd_idx;
14141 	cb->args[3] = (unsigned long)data;
14142 	cb->args[4] = data_len;
14143 
14144 	/* keep rtnl locked in successful case */
14145 	err = 0;
14146 out:
14147 	kfree(attrbuf);
14148 	return err;
14149 }
14150 
14151 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
14152 				   struct netlink_callback *cb)
14153 {
14154 	struct cfg80211_registered_device *rdev;
14155 	struct wireless_dev *wdev;
14156 	unsigned int vcmd_idx;
14157 	const struct wiphy_vendor_command *vcmd;
14158 	void *data;
14159 	int data_len;
14160 	int err;
14161 	struct nlattr *vendor_data;
14162 
14163 	rtnl_lock();
14164 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
14165 	if (err)
14166 		goto out;
14167 
14168 	vcmd_idx = cb->args[2];
14169 	data = (void *)cb->args[3];
14170 	data_len = cb->args[4];
14171 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
14172 
14173 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14174 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14175 		if (!wdev) {
14176 			err = -EINVAL;
14177 			goto out;
14178 		}
14179 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
14180 		    !wdev->netdev) {
14181 			err = -EINVAL;
14182 			goto out;
14183 		}
14184 
14185 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
14186 			if (!wdev_running(wdev)) {
14187 				err = -ENETDOWN;
14188 				goto out;
14189 			}
14190 		}
14191 	}
14192 
14193 	while (1) {
14194 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
14195 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
14196 					   NL80211_CMD_VENDOR);
14197 		if (!hdr)
14198 			break;
14199 
14200 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14201 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
14202 					       wdev_id(wdev),
14203 					       NL80211_ATTR_PAD))) {
14204 			genlmsg_cancel(skb, hdr);
14205 			break;
14206 		}
14207 
14208 		vendor_data = nla_nest_start_noflag(skb,
14209 						    NL80211_ATTR_VENDOR_DATA);
14210 		if (!vendor_data) {
14211 			genlmsg_cancel(skb, hdr);
14212 			break;
14213 		}
14214 
14215 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
14216 				   (unsigned long *)&cb->args[5]);
14217 		nla_nest_end(skb, vendor_data);
14218 
14219 		if (err == -ENOBUFS || err == -ENOENT) {
14220 			genlmsg_cancel(skb, hdr);
14221 			break;
14222 		} else if (err <= 0) {
14223 			genlmsg_cancel(skb, hdr);
14224 			goto out;
14225 		}
14226 
14227 		genlmsg_end(skb, hdr);
14228 	}
14229 
14230 	err = skb->len;
14231  out:
14232 	rtnl_unlock();
14233 	return err;
14234 }
14235 
14236 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
14237 					   enum nl80211_commands cmd,
14238 					   enum nl80211_attrs attr,
14239 					   int approxlen)
14240 {
14241 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14242 
14243 	if (WARN_ON(!rdev->cur_cmd_info))
14244 		return NULL;
14245 
14246 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
14247 					   rdev->cur_cmd_info->snd_portid,
14248 					   rdev->cur_cmd_info->snd_seq,
14249 					   cmd, attr, NULL, GFP_KERNEL);
14250 }
14251 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
14252 
14253 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
14254 {
14255 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
14256 	void *hdr = ((void **)skb->cb)[1];
14257 	struct nlattr *data = ((void **)skb->cb)[2];
14258 
14259 	/* clear CB data for netlink core to own from now on */
14260 	memset(skb->cb, 0, sizeof(skb->cb));
14261 
14262 	if (WARN_ON(!rdev->cur_cmd_info)) {
14263 		kfree_skb(skb);
14264 		return -EINVAL;
14265 	}
14266 
14267 	nla_nest_end(skb, data);
14268 	genlmsg_end(skb, hdr);
14269 	return genlmsg_reply(skb, rdev->cur_cmd_info);
14270 }
14271 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
14272 
14273 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
14274 {
14275 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14276 
14277 	if (WARN_ON(!rdev->cur_cmd_info))
14278 		return 0;
14279 
14280 	return rdev->cur_cmd_info->snd_portid;
14281 }
14282 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
14283 
14284 static int nl80211_set_qos_map(struct sk_buff *skb,
14285 			       struct genl_info *info)
14286 {
14287 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14288 	struct cfg80211_qos_map *qos_map = NULL;
14289 	struct net_device *dev = info->user_ptr[1];
14290 	u8 *pos, len, num_des, des_len, des;
14291 	int ret;
14292 
14293 	if (!rdev->ops->set_qos_map)
14294 		return -EOPNOTSUPP;
14295 
14296 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
14297 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
14298 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
14299 
14300 		if (len % 2)
14301 			return -EINVAL;
14302 
14303 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
14304 		if (!qos_map)
14305 			return -ENOMEM;
14306 
14307 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
14308 		if (num_des) {
14309 			des_len = num_des *
14310 				sizeof(struct cfg80211_dscp_exception);
14311 			memcpy(qos_map->dscp_exception, pos, des_len);
14312 			qos_map->num_des = num_des;
14313 			for (des = 0; des < num_des; des++) {
14314 				if (qos_map->dscp_exception[des].up > 7) {
14315 					kfree(qos_map);
14316 					return -EINVAL;
14317 				}
14318 			}
14319 			pos += des_len;
14320 		}
14321 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
14322 	}
14323 
14324 	wdev_lock(dev->ieee80211_ptr);
14325 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
14326 	if (!ret)
14327 		ret = rdev_set_qos_map(rdev, dev, qos_map);
14328 	wdev_unlock(dev->ieee80211_ptr);
14329 
14330 	kfree(qos_map);
14331 	return ret;
14332 }
14333 
14334 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
14335 {
14336 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14337 	struct net_device *dev = info->user_ptr[1];
14338 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14339 	const u8 *peer;
14340 	u8 tsid, up;
14341 	u16 admitted_time = 0;
14342 	int err;
14343 
14344 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
14345 		return -EOPNOTSUPP;
14346 
14347 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
14348 	    !info->attrs[NL80211_ATTR_USER_PRIO])
14349 		return -EINVAL;
14350 
14351 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
14352 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
14353 
14354 	/* WMM uses TIDs 0-7 even for TSPEC */
14355 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
14356 		/* TODO: handle 802.11 TSPEC/admission control
14357 		 * need more attributes for that (e.g. BA session requirement);
14358 		 * change the WMM adminssion test above to allow both then
14359 		 */
14360 		return -EINVAL;
14361 	}
14362 
14363 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14364 
14365 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
14366 		admitted_time =
14367 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
14368 		if (!admitted_time)
14369 			return -EINVAL;
14370 	}
14371 
14372 	wdev_lock(wdev);
14373 	switch (wdev->iftype) {
14374 	case NL80211_IFTYPE_STATION:
14375 	case NL80211_IFTYPE_P2P_CLIENT:
14376 		if (wdev->current_bss)
14377 			break;
14378 		err = -ENOTCONN;
14379 		goto out;
14380 	default:
14381 		err = -EOPNOTSUPP;
14382 		goto out;
14383 	}
14384 
14385 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
14386 
14387  out:
14388 	wdev_unlock(wdev);
14389 	return err;
14390 }
14391 
14392 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
14393 {
14394 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14395 	struct net_device *dev = info->user_ptr[1];
14396 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14397 	const u8 *peer;
14398 	u8 tsid;
14399 	int err;
14400 
14401 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
14402 		return -EINVAL;
14403 
14404 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
14405 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14406 
14407 	wdev_lock(wdev);
14408 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
14409 	wdev_unlock(wdev);
14410 
14411 	return err;
14412 }
14413 
14414 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
14415 				       struct genl_info *info)
14416 {
14417 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14418 	struct net_device *dev = info->user_ptr[1];
14419 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14420 	struct cfg80211_chan_def chandef = {};
14421 	const u8 *addr;
14422 	u8 oper_class;
14423 	int err;
14424 
14425 	if (!rdev->ops->tdls_channel_switch ||
14426 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
14427 		return -EOPNOTSUPP;
14428 
14429 	switch (dev->ieee80211_ptr->iftype) {
14430 	case NL80211_IFTYPE_STATION:
14431 	case NL80211_IFTYPE_P2P_CLIENT:
14432 		break;
14433 	default:
14434 		return -EOPNOTSUPP;
14435 	}
14436 
14437 	if (!info->attrs[NL80211_ATTR_MAC] ||
14438 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
14439 		return -EINVAL;
14440 
14441 	err = nl80211_parse_chandef(rdev, info, &chandef);
14442 	if (err)
14443 		return err;
14444 
14445 	/*
14446 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
14447 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
14448 	 * specification is not defined for them.
14449 	 */
14450 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
14451 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
14452 	    chandef.width != NL80211_CHAN_WIDTH_20)
14453 		return -EINVAL;
14454 
14455 	/* we will be active on the TDLS link */
14456 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
14457 					   wdev->iftype))
14458 		return -EINVAL;
14459 
14460 	/* don't allow switching to DFS channels */
14461 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
14462 		return -EINVAL;
14463 
14464 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14465 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
14466 
14467 	wdev_lock(wdev);
14468 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
14469 	wdev_unlock(wdev);
14470 
14471 	return err;
14472 }
14473 
14474 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
14475 					      struct genl_info *info)
14476 {
14477 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14478 	struct net_device *dev = info->user_ptr[1];
14479 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14480 	const u8 *addr;
14481 
14482 	if (!rdev->ops->tdls_channel_switch ||
14483 	    !rdev->ops->tdls_cancel_channel_switch ||
14484 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
14485 		return -EOPNOTSUPP;
14486 
14487 	switch (dev->ieee80211_ptr->iftype) {
14488 	case NL80211_IFTYPE_STATION:
14489 	case NL80211_IFTYPE_P2P_CLIENT:
14490 		break;
14491 	default:
14492 		return -EOPNOTSUPP;
14493 	}
14494 
14495 	if (!info->attrs[NL80211_ATTR_MAC])
14496 		return -EINVAL;
14497 
14498 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14499 
14500 	wdev_lock(wdev);
14501 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
14502 	wdev_unlock(wdev);
14503 
14504 	return 0;
14505 }
14506 
14507 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
14508 					    struct genl_info *info)
14509 {
14510 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14511 	struct net_device *dev = info->user_ptr[1];
14512 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14513 	const struct nlattr *nla;
14514 	bool enabled;
14515 
14516 	if (!rdev->ops->set_multicast_to_unicast)
14517 		return -EOPNOTSUPP;
14518 
14519 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14520 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14521 		return -EOPNOTSUPP;
14522 
14523 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
14524 	enabled = nla_get_flag(nla);
14525 
14526 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
14527 }
14528 
14529 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
14530 {
14531 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14532 	struct net_device *dev = info->user_ptr[1];
14533 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14534 	struct cfg80211_pmk_conf pmk_conf = {};
14535 	int ret;
14536 
14537 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14538 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14539 		return -EOPNOTSUPP;
14540 
14541 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14542 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
14543 		return -EOPNOTSUPP;
14544 
14545 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
14546 		return -EINVAL;
14547 
14548 	wdev_lock(wdev);
14549 	if (!wdev->current_bss) {
14550 		ret = -ENOTCONN;
14551 		goto out;
14552 	}
14553 
14554 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
14555 	if (memcmp(pmk_conf.aa, wdev->current_bss->pub.bssid, ETH_ALEN)) {
14556 		ret = -EINVAL;
14557 		goto out;
14558 	}
14559 
14560 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
14561 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
14562 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
14563 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
14564 		ret = -EINVAL;
14565 		goto out;
14566 	}
14567 
14568 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
14569 		pmk_conf.pmk_r0_name =
14570 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
14571 
14572 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
14573 out:
14574 	wdev_unlock(wdev);
14575 	return ret;
14576 }
14577 
14578 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
14579 {
14580 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14581 	struct net_device *dev = info->user_ptr[1];
14582 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14583 	const u8 *aa;
14584 	int ret;
14585 
14586 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14587 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14588 		return -EOPNOTSUPP;
14589 
14590 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14591 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
14592 		return -EOPNOTSUPP;
14593 
14594 	if (!info->attrs[NL80211_ATTR_MAC])
14595 		return -EINVAL;
14596 
14597 	wdev_lock(wdev);
14598 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
14599 	ret = rdev_del_pmk(rdev, dev, aa);
14600 	wdev_unlock(wdev);
14601 
14602 	return ret;
14603 }
14604 
14605 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
14606 {
14607 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14608 	struct net_device *dev = info->user_ptr[1];
14609 	struct cfg80211_external_auth_params params;
14610 
14611 	if (!rdev->ops->external_auth)
14612 		return -EOPNOTSUPP;
14613 
14614 	if (!info->attrs[NL80211_ATTR_SSID] &&
14615 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
14616 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
14617 		return -EINVAL;
14618 
14619 	if (!info->attrs[NL80211_ATTR_BSSID])
14620 		return -EINVAL;
14621 
14622 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
14623 		return -EINVAL;
14624 
14625 	memset(&params, 0, sizeof(params));
14626 
14627 	if (info->attrs[NL80211_ATTR_SSID]) {
14628 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
14629 		if (params.ssid.ssid_len == 0)
14630 			return -EINVAL;
14631 		memcpy(params.ssid.ssid,
14632 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
14633 		       params.ssid.ssid_len);
14634 	}
14635 
14636 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
14637 	       ETH_ALEN);
14638 
14639 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14640 
14641 	if (info->attrs[NL80211_ATTR_PMKID])
14642 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
14643 
14644 	return rdev_external_auth(rdev, dev, &params);
14645 }
14646 
14647 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
14648 {
14649 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
14650 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14651 	struct net_device *dev = info->user_ptr[1];
14652 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14653 	const u8 *buf;
14654 	size_t len;
14655 	u8 *dest;
14656 	u16 proto;
14657 	bool noencrypt;
14658 	u64 cookie = 0;
14659 	int err;
14660 
14661 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14662 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
14663 		return -EOPNOTSUPP;
14664 
14665 	if (!rdev->ops->tx_control_port)
14666 		return -EOPNOTSUPP;
14667 
14668 	if (!info->attrs[NL80211_ATTR_FRAME] ||
14669 	    !info->attrs[NL80211_ATTR_MAC] ||
14670 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
14671 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
14672 		return -EINVAL;
14673 	}
14674 
14675 	wdev_lock(wdev);
14676 
14677 	switch (wdev->iftype) {
14678 	case NL80211_IFTYPE_AP:
14679 	case NL80211_IFTYPE_P2P_GO:
14680 	case NL80211_IFTYPE_MESH_POINT:
14681 		break;
14682 	case NL80211_IFTYPE_ADHOC:
14683 	case NL80211_IFTYPE_STATION:
14684 	case NL80211_IFTYPE_P2P_CLIENT:
14685 		if (wdev->current_bss)
14686 			break;
14687 		err = -ENOTCONN;
14688 		goto out;
14689 	default:
14690 		err = -EOPNOTSUPP;
14691 		goto out;
14692 	}
14693 
14694 	wdev_unlock(wdev);
14695 
14696 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14697 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14698 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14699 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
14700 	noencrypt =
14701 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
14702 
14703 	err = rdev_tx_control_port(rdev, dev, buf, len,
14704 				   dest, cpu_to_be16(proto), noencrypt,
14705 				   dont_wait_for_ack ? NULL : &cookie);
14706 	if (!err && !dont_wait_for_ack)
14707 		nl_set_extack_cookie_u64(info->extack, cookie);
14708 	return err;
14709  out:
14710 	wdev_unlock(wdev);
14711 	return err;
14712 }
14713 
14714 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
14715 					   struct genl_info *info)
14716 {
14717 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14718 	struct net_device *dev = info->user_ptr[1];
14719 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14720 	struct cfg80211_ftm_responder_stats ftm_stats = {};
14721 	struct sk_buff *msg;
14722 	void *hdr;
14723 	struct nlattr *ftm_stats_attr;
14724 	int err;
14725 
14726 	if (wdev->iftype != NL80211_IFTYPE_AP || !wdev->beacon_interval)
14727 		return -EOPNOTSUPP;
14728 
14729 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
14730 	if (err)
14731 		return err;
14732 
14733 	if (!ftm_stats.filled)
14734 		return -ENODATA;
14735 
14736 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14737 	if (!msg)
14738 		return -ENOMEM;
14739 
14740 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14741 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
14742 	if (!hdr)
14743 		goto nla_put_failure;
14744 
14745 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
14746 		goto nla_put_failure;
14747 
14748 	ftm_stats_attr = nla_nest_start_noflag(msg,
14749 					       NL80211_ATTR_FTM_RESPONDER_STATS);
14750 	if (!ftm_stats_attr)
14751 		goto nla_put_failure;
14752 
14753 #define SET_FTM(field, name, type)					 \
14754 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14755 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
14756 			     ftm_stats.field))				 \
14757 		goto nla_put_failure; } while (0)
14758 #define SET_FTM_U64(field, name)					 \
14759 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14760 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
14761 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
14762 		goto nla_put_failure; } while (0)
14763 
14764 	SET_FTM(success_num, SUCCESS_NUM, u32);
14765 	SET_FTM(partial_num, PARTIAL_NUM, u32);
14766 	SET_FTM(failed_num, FAILED_NUM, u32);
14767 	SET_FTM(asap_num, ASAP_NUM, u32);
14768 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
14769 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
14770 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
14771 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
14772 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
14773 #undef SET_FTM
14774 
14775 	nla_nest_end(msg, ftm_stats_attr);
14776 
14777 	genlmsg_end(msg, hdr);
14778 	return genlmsg_reply(msg, info);
14779 
14780 nla_put_failure:
14781 	nlmsg_free(msg);
14782 	return -ENOBUFS;
14783 }
14784 
14785 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
14786 {
14787 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14788 	struct cfg80211_update_owe_info owe_info;
14789 	struct net_device *dev = info->user_ptr[1];
14790 
14791 	if (!rdev->ops->update_owe_info)
14792 		return -EOPNOTSUPP;
14793 
14794 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
14795 	    !info->attrs[NL80211_ATTR_MAC])
14796 		return -EINVAL;
14797 
14798 	memset(&owe_info, 0, sizeof(owe_info));
14799 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14800 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
14801 
14802 	if (info->attrs[NL80211_ATTR_IE]) {
14803 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14804 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14805 	}
14806 
14807 	return rdev_update_owe_info(rdev, dev, &owe_info);
14808 }
14809 
14810 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
14811 {
14812 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14813 	struct net_device *dev = info->user_ptr[1];
14814 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14815 	struct station_info sinfo = {};
14816 	const u8 *buf;
14817 	size_t len;
14818 	u8 *dest;
14819 	int err;
14820 
14821 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
14822 		return -EOPNOTSUPP;
14823 
14824 	if (!info->attrs[NL80211_ATTR_MAC] ||
14825 	    !info->attrs[NL80211_ATTR_FRAME]) {
14826 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
14827 		return -EINVAL;
14828 	}
14829 
14830 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
14831 		return -EOPNOTSUPP;
14832 
14833 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14834 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14835 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14836 
14837 	if (len < sizeof(struct ethhdr))
14838 		return -EINVAL;
14839 
14840 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
14841 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
14842 		return -EINVAL;
14843 
14844 	err = rdev_get_station(rdev, dev, dest, &sinfo);
14845 	if (err)
14846 		return err;
14847 
14848 	cfg80211_sinfo_release_content(&sinfo);
14849 
14850 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
14851 }
14852 
14853 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
14854 			  struct nlattr *attrs[], struct net_device *dev,
14855 			  struct cfg80211_tid_cfg *tid_conf,
14856 			  struct genl_info *info, const u8 *peer)
14857 {
14858 	struct netlink_ext_ack *extack = info->extack;
14859 	u64 mask;
14860 	int err;
14861 
14862 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
14863 		return -EINVAL;
14864 
14865 	tid_conf->config_override =
14866 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
14867 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
14868 
14869 	if (tid_conf->config_override) {
14870 		if (rdev->ops->reset_tid_config) {
14871 			err = rdev_reset_tid_config(rdev, dev, peer,
14872 						    tid_conf->tids);
14873 			if (err)
14874 				return err;
14875 		} else {
14876 			return -EINVAL;
14877 		}
14878 	}
14879 
14880 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
14881 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
14882 		tid_conf->noack =
14883 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
14884 	}
14885 
14886 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
14887 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
14888 		tid_conf->retry_short =
14889 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
14890 
14891 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
14892 			return -EINVAL;
14893 	}
14894 
14895 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
14896 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
14897 		tid_conf->retry_long =
14898 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
14899 
14900 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
14901 			return -EINVAL;
14902 	}
14903 
14904 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
14905 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
14906 		tid_conf->ampdu =
14907 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
14908 	}
14909 
14910 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
14911 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
14912 		tid_conf->rtscts =
14913 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
14914 	}
14915 
14916 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
14917 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
14918 		tid_conf->amsdu =
14919 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
14920 	}
14921 
14922 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
14923 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
14924 
14925 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
14926 
14927 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
14928 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
14929 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
14930 						    &tid_conf->txrate_mask, dev,
14931 						    true);
14932 			if (err)
14933 				return err;
14934 
14935 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
14936 		}
14937 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
14938 	}
14939 
14940 	if (peer)
14941 		mask = rdev->wiphy.tid_config_support.peer;
14942 	else
14943 		mask = rdev->wiphy.tid_config_support.vif;
14944 
14945 	if (tid_conf->mask & ~mask) {
14946 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
14947 		return -ENOTSUPP;
14948 	}
14949 
14950 	return 0;
14951 }
14952 
14953 static int nl80211_set_tid_config(struct sk_buff *skb,
14954 				  struct genl_info *info)
14955 {
14956 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14957 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
14958 	struct net_device *dev = info->user_ptr[1];
14959 	struct cfg80211_tid_config *tid_config;
14960 	struct nlattr *tid;
14961 	int conf_idx = 0, rem_conf;
14962 	int ret = -EINVAL;
14963 	u32 num_conf = 0;
14964 
14965 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
14966 		return -EINVAL;
14967 
14968 	if (!rdev->ops->set_tid_config)
14969 		return -EOPNOTSUPP;
14970 
14971 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
14972 			    rem_conf)
14973 		num_conf++;
14974 
14975 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
14976 			     GFP_KERNEL);
14977 	if (!tid_config)
14978 		return -ENOMEM;
14979 
14980 	tid_config->n_tid_conf = num_conf;
14981 
14982 	if (info->attrs[NL80211_ATTR_MAC])
14983 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14984 
14985 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
14986 			    rem_conf) {
14987 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
14988 				       tid, NULL, NULL);
14989 
14990 		if (ret)
14991 			goto bad_tid_conf;
14992 
14993 		ret = parse_tid_conf(rdev, attrs, dev,
14994 				     &tid_config->tid_conf[conf_idx],
14995 				     info, tid_config->peer);
14996 		if (ret)
14997 			goto bad_tid_conf;
14998 
14999 		conf_idx++;
15000 	}
15001 
15002 	ret = rdev_set_tid_config(rdev, dev, tid_config);
15003 
15004 bad_tid_conf:
15005 	kfree(tid_config);
15006 	return ret;
15007 }
15008 
15009 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
15010 {
15011 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15012 	struct cfg80211_color_change_settings params = {};
15013 	struct net_device *dev = info->user_ptr[1];
15014 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15015 	struct nlattr **tb;
15016 	u16 offset;
15017 	int err;
15018 
15019 	if (!rdev->ops->color_change)
15020 		return -EOPNOTSUPP;
15021 
15022 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15023 				     NL80211_EXT_FEATURE_BSS_COLOR))
15024 		return -EOPNOTSUPP;
15025 
15026 	if (wdev->iftype != NL80211_IFTYPE_AP)
15027 		return -EOPNOTSUPP;
15028 
15029 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
15030 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
15031 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
15032 		return -EINVAL;
15033 
15034 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
15035 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
15036 
15037 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next);
15038 	if (err)
15039 		return err;
15040 
15041 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
15042 	if (!tb)
15043 		return -ENOMEM;
15044 
15045 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
15046 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
15047 			       nl80211_policy, info->extack);
15048 	if (err)
15049 		goto out;
15050 
15051 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change);
15052 	if (err)
15053 		goto out;
15054 
15055 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
15056 		err = -EINVAL;
15057 		goto out;
15058 	}
15059 
15060 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
15061 		err = -EINVAL;
15062 		goto out;
15063 	}
15064 
15065 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
15066 	if (offset >= params.beacon_color_change.tail_len) {
15067 		err = -EINVAL;
15068 		goto out;
15069 	}
15070 
15071 	if (params.beacon_color_change.tail[offset] != params.count) {
15072 		err = -EINVAL;
15073 		goto out;
15074 	}
15075 
15076 	params.counter_offset_beacon = offset;
15077 
15078 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
15079 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
15080 		    sizeof(u16)) {
15081 			err = -EINVAL;
15082 			goto out;
15083 		}
15084 
15085 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
15086 		if (offset >= params.beacon_color_change.probe_resp_len) {
15087 			err = -EINVAL;
15088 			goto out;
15089 		}
15090 
15091 		if (params.beacon_color_change.probe_resp[offset] !=
15092 		    params.count) {
15093 			err = -EINVAL;
15094 			goto out;
15095 		}
15096 
15097 		params.counter_offset_presp = offset;
15098 	}
15099 
15100 	wdev_lock(wdev);
15101 	err = rdev_color_change(rdev, dev, &params);
15102 	wdev_unlock(wdev);
15103 
15104 out:
15105 	kfree(params.beacon_next.mbssid_ies);
15106 	kfree(params.beacon_color_change.mbssid_ies);
15107 	kfree(tb);
15108 	return err;
15109 }
15110 
15111 static int nl80211_set_fils_aad(struct sk_buff *skb,
15112 				struct genl_info *info)
15113 {
15114 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15115 	struct net_device *dev = info->user_ptr[1];
15116 	struct cfg80211_fils_aad fils_aad = {};
15117 	u8 *nonces;
15118 
15119 	if (!info->attrs[NL80211_ATTR_MAC] ||
15120 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
15121 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
15122 		return -EINVAL;
15123 
15124 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15125 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
15126 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
15127 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
15128 	fils_aad.snonce = nonces;
15129 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
15130 
15131 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
15132 }
15133 
15134 #define NL80211_FLAG_NEED_WIPHY		0x01
15135 #define NL80211_FLAG_NEED_NETDEV	0x02
15136 #define NL80211_FLAG_NEED_RTNL		0x04
15137 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
15138 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
15139 					 NL80211_FLAG_CHECK_NETDEV_UP)
15140 #define NL80211_FLAG_NEED_WDEV		0x10
15141 /* If a netdev is associated, it must be UP, P2P must be started */
15142 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
15143 					 NL80211_FLAG_CHECK_NETDEV_UP)
15144 #define NL80211_FLAG_CLEAR_SKB		0x20
15145 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
15146 
15147 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
15148 			    struct genl_info *info)
15149 {
15150 	struct cfg80211_registered_device *rdev = NULL;
15151 	struct wireless_dev *wdev;
15152 	struct net_device *dev;
15153 
15154 	rtnl_lock();
15155 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
15156 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
15157 		if (IS_ERR(rdev)) {
15158 			rtnl_unlock();
15159 			return PTR_ERR(rdev);
15160 		}
15161 		info->user_ptr[0] = rdev;
15162 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
15163 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
15164 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
15165 						  info->attrs);
15166 		if (IS_ERR(wdev)) {
15167 			rtnl_unlock();
15168 			return PTR_ERR(wdev);
15169 		}
15170 
15171 		dev = wdev->netdev;
15172 		rdev = wiphy_to_rdev(wdev->wiphy);
15173 
15174 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
15175 			if (!dev) {
15176 				rtnl_unlock();
15177 				return -EINVAL;
15178 			}
15179 
15180 			info->user_ptr[1] = dev;
15181 		} else {
15182 			info->user_ptr[1] = wdev;
15183 		}
15184 
15185 		if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
15186 		    !wdev_running(wdev)) {
15187 			rtnl_unlock();
15188 			return -ENETDOWN;
15189 		}
15190 
15191 		dev_hold(dev);
15192 		info->user_ptr[0] = rdev;
15193 	}
15194 
15195 	if (rdev && !(ops->internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
15196 		wiphy_lock(&rdev->wiphy);
15197 		/* we keep the mutex locked until post_doit */
15198 		__release(&rdev->wiphy.mtx);
15199 	}
15200 	if (!(ops->internal_flags & NL80211_FLAG_NEED_RTNL))
15201 		rtnl_unlock();
15202 
15203 	return 0;
15204 }
15205 
15206 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
15207 			      struct genl_info *info)
15208 {
15209 	if (info->user_ptr[1]) {
15210 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
15211 			struct wireless_dev *wdev = info->user_ptr[1];
15212 
15213 			dev_put(wdev->netdev);
15214 		} else {
15215 			dev_put(info->user_ptr[1]);
15216 		}
15217 	}
15218 
15219 	if (info->user_ptr[0] &&
15220 	    !(ops->internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
15221 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
15222 
15223 		/* we kept the mutex locked since pre_doit */
15224 		__acquire(&rdev->wiphy.mtx);
15225 		wiphy_unlock(&rdev->wiphy);
15226 	}
15227 
15228 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
15229 		rtnl_unlock();
15230 
15231 	/* If needed, clear the netlink message payload from the SKB
15232 	 * as it might contain key data that shouldn't stick around on
15233 	 * the heap after the SKB is freed. The netlink message header
15234 	 * is still needed for further processing, so leave it intact.
15235 	 */
15236 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
15237 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
15238 
15239 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
15240 	}
15241 }
15242 
15243 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
15244 				     struct cfg80211_sar_specs *sar_specs,
15245 				     struct nlattr *spec[], int index)
15246 {
15247 	u32 range_index, i;
15248 
15249 	if (!sar_specs || !spec)
15250 		return -EINVAL;
15251 
15252 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
15253 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
15254 		return -EINVAL;
15255 
15256 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
15257 
15258 	/* check if range_index exceeds num_freq_ranges */
15259 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
15260 		return -EINVAL;
15261 
15262 	/* check if range_index duplicates */
15263 	for (i = 0; i < index; i++) {
15264 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
15265 			return -EINVAL;
15266 	}
15267 
15268 	sar_specs->sub_specs[index].power =
15269 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
15270 
15271 	sar_specs->sub_specs[index].freq_range_index = range_index;
15272 
15273 	return 0;
15274 }
15275 
15276 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
15277 {
15278 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15279 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
15280 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
15281 	struct cfg80211_sar_specs *sar_spec;
15282 	enum nl80211_sar_type type;
15283 	struct nlattr *spec_list;
15284 	u32 specs;
15285 	int rem, err;
15286 
15287 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
15288 		return -EOPNOTSUPP;
15289 
15290 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
15291 		return -EINVAL;
15292 
15293 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
15294 			 info->attrs[NL80211_ATTR_SAR_SPEC],
15295 			 NULL, NULL);
15296 
15297 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
15298 		return -EINVAL;
15299 
15300 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
15301 	if (type != rdev->wiphy.sar_capa->type)
15302 		return -EINVAL;
15303 
15304 	specs = 0;
15305 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
15306 		specs++;
15307 
15308 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
15309 		return -EINVAL;
15310 
15311 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
15312 	if (!sar_spec)
15313 		return -ENOMEM;
15314 
15315 	sar_spec->type = type;
15316 	specs = 0;
15317 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
15318 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
15319 				 spec_list, NULL, NULL);
15320 
15321 		switch (type) {
15322 		case NL80211_SAR_TYPE_POWER:
15323 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
15324 						      spec, specs)) {
15325 				err = -EINVAL;
15326 				goto error;
15327 			}
15328 			break;
15329 		default:
15330 			err = -EINVAL;
15331 			goto error;
15332 		}
15333 		specs++;
15334 	}
15335 
15336 	sar_spec->num_sub_specs = specs;
15337 
15338 	rdev->cur_cmd_info = info;
15339 	err = rdev_set_sar_specs(rdev, sar_spec);
15340 	rdev->cur_cmd_info = NULL;
15341 error:
15342 	kfree(sar_spec);
15343 	return err;
15344 }
15345 
15346 static const struct genl_ops nl80211_ops[] = {
15347 	{
15348 		.cmd = NL80211_CMD_GET_WIPHY,
15349 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15350 		.doit = nl80211_get_wiphy,
15351 		.dumpit = nl80211_dump_wiphy,
15352 		.done = nl80211_dump_wiphy_done,
15353 		/* can be retrieved by unprivileged users */
15354 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15355 	},
15356 };
15357 
15358 static const struct genl_small_ops nl80211_small_ops[] = {
15359 	{
15360 		.cmd = NL80211_CMD_SET_WIPHY,
15361 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15362 		.doit = nl80211_set_wiphy,
15363 		.flags = GENL_UNS_ADMIN_PERM,
15364 	},
15365 	{
15366 		.cmd = NL80211_CMD_GET_INTERFACE,
15367 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15368 		.doit = nl80211_get_interface,
15369 		.dumpit = nl80211_dump_interface,
15370 		/* can be retrieved by unprivileged users */
15371 		.internal_flags = NL80211_FLAG_NEED_WDEV,
15372 	},
15373 	{
15374 		.cmd = NL80211_CMD_SET_INTERFACE,
15375 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15376 		.doit = nl80211_set_interface,
15377 		.flags = GENL_UNS_ADMIN_PERM,
15378 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15379 				  NL80211_FLAG_NEED_RTNL,
15380 	},
15381 	{
15382 		.cmd = NL80211_CMD_NEW_INTERFACE,
15383 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15384 		.doit = nl80211_new_interface,
15385 		.flags = GENL_UNS_ADMIN_PERM,
15386 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15387 				  NL80211_FLAG_NEED_RTNL |
15388 				  /* we take the wiphy mutex later ourselves */
15389 				  NL80211_FLAG_NO_WIPHY_MTX,
15390 	},
15391 	{
15392 		.cmd = NL80211_CMD_DEL_INTERFACE,
15393 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15394 		.doit = nl80211_del_interface,
15395 		.flags = GENL_UNS_ADMIN_PERM,
15396 		.internal_flags = NL80211_FLAG_NEED_WDEV |
15397 				  NL80211_FLAG_NEED_RTNL,
15398 	},
15399 	{
15400 		.cmd = NL80211_CMD_GET_KEY,
15401 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15402 		.doit = nl80211_get_key,
15403 		.flags = GENL_UNS_ADMIN_PERM,
15404 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15405 	},
15406 	{
15407 		.cmd = NL80211_CMD_SET_KEY,
15408 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15409 		.doit = nl80211_set_key,
15410 		.flags = GENL_UNS_ADMIN_PERM,
15411 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15412 				  NL80211_FLAG_CLEAR_SKB,
15413 	},
15414 	{
15415 		.cmd = NL80211_CMD_NEW_KEY,
15416 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15417 		.doit = nl80211_new_key,
15418 		.flags = GENL_UNS_ADMIN_PERM,
15419 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15420 				  NL80211_FLAG_CLEAR_SKB,
15421 	},
15422 	{
15423 		.cmd = NL80211_CMD_DEL_KEY,
15424 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15425 		.doit = nl80211_del_key,
15426 		.flags = GENL_UNS_ADMIN_PERM,
15427 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15428 	},
15429 	{
15430 		.cmd = NL80211_CMD_SET_BEACON,
15431 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15432 		.flags = GENL_UNS_ADMIN_PERM,
15433 		.doit = nl80211_set_beacon,
15434 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15435 	},
15436 	{
15437 		.cmd = NL80211_CMD_START_AP,
15438 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15439 		.flags = GENL_UNS_ADMIN_PERM,
15440 		.doit = nl80211_start_ap,
15441 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15442 	},
15443 	{
15444 		.cmd = NL80211_CMD_STOP_AP,
15445 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15446 		.flags = GENL_UNS_ADMIN_PERM,
15447 		.doit = nl80211_stop_ap,
15448 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15449 	},
15450 	{
15451 		.cmd = NL80211_CMD_GET_STATION,
15452 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15453 		.doit = nl80211_get_station,
15454 		.dumpit = nl80211_dump_station,
15455 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15456 	},
15457 	{
15458 		.cmd = NL80211_CMD_SET_STATION,
15459 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15460 		.doit = nl80211_set_station,
15461 		.flags = GENL_UNS_ADMIN_PERM,
15462 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15463 	},
15464 	{
15465 		.cmd = NL80211_CMD_NEW_STATION,
15466 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15467 		.doit = nl80211_new_station,
15468 		.flags = GENL_UNS_ADMIN_PERM,
15469 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15470 	},
15471 	{
15472 		.cmd = NL80211_CMD_DEL_STATION,
15473 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15474 		.doit = nl80211_del_station,
15475 		.flags = GENL_UNS_ADMIN_PERM,
15476 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15477 	},
15478 	{
15479 		.cmd = NL80211_CMD_GET_MPATH,
15480 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15481 		.doit = nl80211_get_mpath,
15482 		.dumpit = nl80211_dump_mpath,
15483 		.flags = GENL_UNS_ADMIN_PERM,
15484 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15485 	},
15486 	{
15487 		.cmd = NL80211_CMD_GET_MPP,
15488 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15489 		.doit = nl80211_get_mpp,
15490 		.dumpit = nl80211_dump_mpp,
15491 		.flags = GENL_UNS_ADMIN_PERM,
15492 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15493 	},
15494 	{
15495 		.cmd = NL80211_CMD_SET_MPATH,
15496 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15497 		.doit = nl80211_set_mpath,
15498 		.flags = GENL_UNS_ADMIN_PERM,
15499 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15500 	},
15501 	{
15502 		.cmd = NL80211_CMD_NEW_MPATH,
15503 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15504 		.doit = nl80211_new_mpath,
15505 		.flags = GENL_UNS_ADMIN_PERM,
15506 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15507 	},
15508 	{
15509 		.cmd = NL80211_CMD_DEL_MPATH,
15510 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15511 		.doit = nl80211_del_mpath,
15512 		.flags = GENL_UNS_ADMIN_PERM,
15513 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15514 	},
15515 	{
15516 		.cmd = NL80211_CMD_SET_BSS,
15517 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15518 		.doit = nl80211_set_bss,
15519 		.flags = GENL_UNS_ADMIN_PERM,
15520 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15521 	},
15522 	{
15523 		.cmd = NL80211_CMD_GET_REG,
15524 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15525 		.doit = nl80211_get_reg_do,
15526 		.dumpit = nl80211_get_reg_dump,
15527 		.internal_flags = 0,
15528 		/* can be retrieved by unprivileged users */
15529 	},
15530 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
15531 	{
15532 		.cmd = NL80211_CMD_SET_REG,
15533 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15534 		.doit = nl80211_set_reg,
15535 		.flags = GENL_ADMIN_PERM,
15536 		.internal_flags = 0,
15537 	},
15538 #endif
15539 	{
15540 		.cmd = NL80211_CMD_REQ_SET_REG,
15541 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15542 		.doit = nl80211_req_set_reg,
15543 		.flags = GENL_ADMIN_PERM,
15544 	},
15545 	{
15546 		.cmd = NL80211_CMD_RELOAD_REGDB,
15547 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15548 		.doit = nl80211_reload_regdb,
15549 		.flags = GENL_ADMIN_PERM,
15550 	},
15551 	{
15552 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
15553 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15554 		.doit = nl80211_get_mesh_config,
15555 		/* can be retrieved by unprivileged users */
15556 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15557 	},
15558 	{
15559 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
15560 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15561 		.doit = nl80211_update_mesh_config,
15562 		.flags = GENL_UNS_ADMIN_PERM,
15563 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15564 	},
15565 	{
15566 		.cmd = NL80211_CMD_TRIGGER_SCAN,
15567 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15568 		.doit = nl80211_trigger_scan,
15569 		.flags = GENL_UNS_ADMIN_PERM,
15570 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15571 	},
15572 	{
15573 		.cmd = NL80211_CMD_ABORT_SCAN,
15574 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15575 		.doit = nl80211_abort_scan,
15576 		.flags = GENL_UNS_ADMIN_PERM,
15577 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15578 	},
15579 	{
15580 		.cmd = NL80211_CMD_GET_SCAN,
15581 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15582 		.dumpit = nl80211_dump_scan,
15583 	},
15584 	{
15585 		.cmd = NL80211_CMD_START_SCHED_SCAN,
15586 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15587 		.doit = nl80211_start_sched_scan,
15588 		.flags = GENL_UNS_ADMIN_PERM,
15589 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15590 	},
15591 	{
15592 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
15593 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15594 		.doit = nl80211_stop_sched_scan,
15595 		.flags = GENL_UNS_ADMIN_PERM,
15596 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15597 	},
15598 	{
15599 		.cmd = NL80211_CMD_AUTHENTICATE,
15600 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15601 		.doit = nl80211_authenticate,
15602 		.flags = GENL_UNS_ADMIN_PERM,
15603 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15604 				  0 |
15605 				  NL80211_FLAG_CLEAR_SKB,
15606 	},
15607 	{
15608 		.cmd = NL80211_CMD_ASSOCIATE,
15609 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15610 		.doit = nl80211_associate,
15611 		.flags = GENL_UNS_ADMIN_PERM,
15612 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15613 				  0 |
15614 				  NL80211_FLAG_CLEAR_SKB,
15615 	},
15616 	{
15617 		.cmd = NL80211_CMD_DEAUTHENTICATE,
15618 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15619 		.doit = nl80211_deauthenticate,
15620 		.flags = GENL_UNS_ADMIN_PERM,
15621 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15622 	},
15623 	{
15624 		.cmd = NL80211_CMD_DISASSOCIATE,
15625 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15626 		.doit = nl80211_disassociate,
15627 		.flags = GENL_UNS_ADMIN_PERM,
15628 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15629 	},
15630 	{
15631 		.cmd = NL80211_CMD_JOIN_IBSS,
15632 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15633 		.doit = nl80211_join_ibss,
15634 		.flags = GENL_UNS_ADMIN_PERM,
15635 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15636 	},
15637 	{
15638 		.cmd = NL80211_CMD_LEAVE_IBSS,
15639 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15640 		.doit = nl80211_leave_ibss,
15641 		.flags = GENL_UNS_ADMIN_PERM,
15642 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15643 	},
15644 #ifdef CONFIG_NL80211_TESTMODE
15645 	{
15646 		.cmd = NL80211_CMD_TESTMODE,
15647 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15648 		.doit = nl80211_testmode_do,
15649 		.dumpit = nl80211_testmode_dump,
15650 		.flags = GENL_UNS_ADMIN_PERM,
15651 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15652 	},
15653 #endif
15654 	{
15655 		.cmd = NL80211_CMD_CONNECT,
15656 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15657 		.doit = nl80211_connect,
15658 		.flags = GENL_UNS_ADMIN_PERM,
15659 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15660 				  0 |
15661 				  NL80211_FLAG_CLEAR_SKB,
15662 	},
15663 	{
15664 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
15665 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15666 		.doit = nl80211_update_connect_params,
15667 		.flags = GENL_ADMIN_PERM,
15668 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15669 				  0 |
15670 				  NL80211_FLAG_CLEAR_SKB,
15671 	},
15672 	{
15673 		.cmd = NL80211_CMD_DISCONNECT,
15674 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15675 		.doit = nl80211_disconnect,
15676 		.flags = GENL_UNS_ADMIN_PERM,
15677 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15678 	},
15679 	{
15680 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
15681 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15682 		.doit = nl80211_wiphy_netns,
15683 		.flags = GENL_UNS_ADMIN_PERM,
15684 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15685 				  NL80211_FLAG_NEED_RTNL |
15686 				  NL80211_FLAG_NO_WIPHY_MTX,
15687 	},
15688 	{
15689 		.cmd = NL80211_CMD_GET_SURVEY,
15690 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15691 		.dumpit = nl80211_dump_survey,
15692 	},
15693 	{
15694 		.cmd = NL80211_CMD_SET_PMKSA,
15695 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15696 		.doit = nl80211_setdel_pmksa,
15697 		.flags = GENL_UNS_ADMIN_PERM,
15698 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15699 				  0 |
15700 				  NL80211_FLAG_CLEAR_SKB,
15701 	},
15702 	{
15703 		.cmd = NL80211_CMD_DEL_PMKSA,
15704 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15705 		.doit = nl80211_setdel_pmksa,
15706 		.flags = GENL_UNS_ADMIN_PERM,
15707 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15708 	},
15709 	{
15710 		.cmd = NL80211_CMD_FLUSH_PMKSA,
15711 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15712 		.doit = nl80211_flush_pmksa,
15713 		.flags = GENL_UNS_ADMIN_PERM,
15714 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15715 	},
15716 	{
15717 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
15718 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15719 		.doit = nl80211_remain_on_channel,
15720 		.flags = GENL_UNS_ADMIN_PERM,
15721 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15722 	},
15723 	{
15724 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
15725 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15726 		.doit = nl80211_cancel_remain_on_channel,
15727 		.flags = GENL_UNS_ADMIN_PERM,
15728 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15729 	},
15730 	{
15731 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
15732 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15733 		.doit = nl80211_set_tx_bitrate_mask,
15734 		.flags = GENL_UNS_ADMIN_PERM,
15735 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15736 	},
15737 	{
15738 		.cmd = NL80211_CMD_REGISTER_FRAME,
15739 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15740 		.doit = nl80211_register_mgmt,
15741 		.flags = GENL_UNS_ADMIN_PERM,
15742 		.internal_flags = NL80211_FLAG_NEED_WDEV,
15743 	},
15744 	{
15745 		.cmd = NL80211_CMD_FRAME,
15746 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15747 		.doit = nl80211_tx_mgmt,
15748 		.flags = GENL_UNS_ADMIN_PERM,
15749 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15750 	},
15751 	{
15752 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
15753 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15754 		.doit = nl80211_tx_mgmt_cancel_wait,
15755 		.flags = GENL_UNS_ADMIN_PERM,
15756 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15757 	},
15758 	{
15759 		.cmd = NL80211_CMD_SET_POWER_SAVE,
15760 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15761 		.doit = nl80211_set_power_save,
15762 		.flags = GENL_UNS_ADMIN_PERM,
15763 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15764 	},
15765 	{
15766 		.cmd = NL80211_CMD_GET_POWER_SAVE,
15767 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15768 		.doit = nl80211_get_power_save,
15769 		/* can be retrieved by unprivileged users */
15770 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15771 	},
15772 	{
15773 		.cmd = NL80211_CMD_SET_CQM,
15774 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15775 		.doit = nl80211_set_cqm,
15776 		.flags = GENL_UNS_ADMIN_PERM,
15777 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15778 	},
15779 	{
15780 		.cmd = NL80211_CMD_SET_CHANNEL,
15781 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15782 		.doit = nl80211_set_channel,
15783 		.flags = GENL_UNS_ADMIN_PERM,
15784 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15785 	},
15786 	{
15787 		.cmd = NL80211_CMD_JOIN_MESH,
15788 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15789 		.doit = nl80211_join_mesh,
15790 		.flags = GENL_UNS_ADMIN_PERM,
15791 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15792 	},
15793 	{
15794 		.cmd = NL80211_CMD_LEAVE_MESH,
15795 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15796 		.doit = nl80211_leave_mesh,
15797 		.flags = GENL_UNS_ADMIN_PERM,
15798 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15799 	},
15800 	{
15801 		.cmd = NL80211_CMD_JOIN_OCB,
15802 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15803 		.doit = nl80211_join_ocb,
15804 		.flags = GENL_UNS_ADMIN_PERM,
15805 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15806 	},
15807 	{
15808 		.cmd = NL80211_CMD_LEAVE_OCB,
15809 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15810 		.doit = nl80211_leave_ocb,
15811 		.flags = GENL_UNS_ADMIN_PERM,
15812 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15813 	},
15814 #ifdef CONFIG_PM
15815 	{
15816 		.cmd = NL80211_CMD_GET_WOWLAN,
15817 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15818 		.doit = nl80211_get_wowlan,
15819 		/* can be retrieved by unprivileged users */
15820 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15821 	},
15822 	{
15823 		.cmd = NL80211_CMD_SET_WOWLAN,
15824 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15825 		.doit = nl80211_set_wowlan,
15826 		.flags = GENL_UNS_ADMIN_PERM,
15827 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15828 	},
15829 #endif
15830 	{
15831 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
15832 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15833 		.doit = nl80211_set_rekey_data,
15834 		.flags = GENL_UNS_ADMIN_PERM,
15835 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15836 				  0 |
15837 				  NL80211_FLAG_CLEAR_SKB,
15838 	},
15839 	{
15840 		.cmd = NL80211_CMD_TDLS_MGMT,
15841 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15842 		.doit = nl80211_tdls_mgmt,
15843 		.flags = GENL_UNS_ADMIN_PERM,
15844 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15845 	},
15846 	{
15847 		.cmd = NL80211_CMD_TDLS_OPER,
15848 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15849 		.doit = nl80211_tdls_oper,
15850 		.flags = GENL_UNS_ADMIN_PERM,
15851 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15852 	},
15853 	{
15854 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
15855 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15856 		.doit = nl80211_register_unexpected_frame,
15857 		.flags = GENL_UNS_ADMIN_PERM,
15858 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15859 	},
15860 	{
15861 		.cmd = NL80211_CMD_PROBE_CLIENT,
15862 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15863 		.doit = nl80211_probe_client,
15864 		.flags = GENL_UNS_ADMIN_PERM,
15865 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15866 	},
15867 	{
15868 		.cmd = NL80211_CMD_REGISTER_BEACONS,
15869 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15870 		.doit = nl80211_register_beacons,
15871 		.flags = GENL_UNS_ADMIN_PERM,
15872 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15873 	},
15874 	{
15875 		.cmd = NL80211_CMD_SET_NOACK_MAP,
15876 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15877 		.doit = nl80211_set_noack_map,
15878 		.flags = GENL_UNS_ADMIN_PERM,
15879 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15880 	},
15881 	{
15882 		.cmd = NL80211_CMD_START_P2P_DEVICE,
15883 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15884 		.doit = nl80211_start_p2p_device,
15885 		.flags = GENL_UNS_ADMIN_PERM,
15886 		.internal_flags = NL80211_FLAG_NEED_WDEV |
15887 				  NL80211_FLAG_NEED_RTNL,
15888 	},
15889 	{
15890 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
15891 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15892 		.doit = nl80211_stop_p2p_device,
15893 		.flags = GENL_UNS_ADMIN_PERM,
15894 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15895 				  NL80211_FLAG_NEED_RTNL,
15896 	},
15897 	{
15898 		.cmd = NL80211_CMD_START_NAN,
15899 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15900 		.doit = nl80211_start_nan,
15901 		.flags = GENL_ADMIN_PERM,
15902 		.internal_flags = NL80211_FLAG_NEED_WDEV |
15903 				  NL80211_FLAG_NEED_RTNL,
15904 	},
15905 	{
15906 		.cmd = NL80211_CMD_STOP_NAN,
15907 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15908 		.doit = nl80211_stop_nan,
15909 		.flags = GENL_ADMIN_PERM,
15910 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15911 				  NL80211_FLAG_NEED_RTNL,
15912 	},
15913 	{
15914 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
15915 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15916 		.doit = nl80211_nan_add_func,
15917 		.flags = GENL_ADMIN_PERM,
15918 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15919 	},
15920 	{
15921 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
15922 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15923 		.doit = nl80211_nan_del_func,
15924 		.flags = GENL_ADMIN_PERM,
15925 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15926 	},
15927 	{
15928 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
15929 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15930 		.doit = nl80211_nan_change_config,
15931 		.flags = GENL_ADMIN_PERM,
15932 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15933 	},
15934 	{
15935 		.cmd = NL80211_CMD_SET_MCAST_RATE,
15936 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15937 		.doit = nl80211_set_mcast_rate,
15938 		.flags = GENL_UNS_ADMIN_PERM,
15939 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15940 	},
15941 	{
15942 		.cmd = NL80211_CMD_SET_MAC_ACL,
15943 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15944 		.doit = nl80211_set_mac_acl,
15945 		.flags = GENL_UNS_ADMIN_PERM,
15946 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15947 	},
15948 	{
15949 		.cmd = NL80211_CMD_RADAR_DETECT,
15950 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15951 		.doit = nl80211_start_radar_detection,
15952 		.flags = GENL_UNS_ADMIN_PERM,
15953 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15954 	},
15955 	{
15956 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
15957 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15958 		.doit = nl80211_get_protocol_features,
15959 	},
15960 	{
15961 		.cmd = NL80211_CMD_UPDATE_FT_IES,
15962 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15963 		.doit = nl80211_update_ft_ies,
15964 		.flags = GENL_UNS_ADMIN_PERM,
15965 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15966 	},
15967 	{
15968 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
15969 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15970 		.doit = nl80211_crit_protocol_start,
15971 		.flags = GENL_UNS_ADMIN_PERM,
15972 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15973 	},
15974 	{
15975 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
15976 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15977 		.doit = nl80211_crit_protocol_stop,
15978 		.flags = GENL_UNS_ADMIN_PERM,
15979 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15980 	},
15981 	{
15982 		.cmd = NL80211_CMD_GET_COALESCE,
15983 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15984 		.doit = nl80211_get_coalesce,
15985 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15986 	},
15987 	{
15988 		.cmd = NL80211_CMD_SET_COALESCE,
15989 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15990 		.doit = nl80211_set_coalesce,
15991 		.flags = GENL_UNS_ADMIN_PERM,
15992 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15993 	},
15994 	{
15995 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
15996 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15997 		.doit = nl80211_channel_switch,
15998 		.flags = GENL_UNS_ADMIN_PERM,
15999 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16000 	},
16001 	{
16002 		.cmd = NL80211_CMD_VENDOR,
16003 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16004 		.doit = nl80211_vendor_cmd,
16005 		.dumpit = nl80211_vendor_cmd_dump,
16006 		.flags = GENL_UNS_ADMIN_PERM,
16007 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
16008 				  0 |
16009 				  NL80211_FLAG_CLEAR_SKB,
16010 	},
16011 	{
16012 		.cmd = NL80211_CMD_SET_QOS_MAP,
16013 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16014 		.doit = nl80211_set_qos_map,
16015 		.flags = GENL_UNS_ADMIN_PERM,
16016 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16017 	},
16018 	{
16019 		.cmd = NL80211_CMD_ADD_TX_TS,
16020 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16021 		.doit = nl80211_add_tx_ts,
16022 		.flags = GENL_UNS_ADMIN_PERM,
16023 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16024 	},
16025 	{
16026 		.cmd = NL80211_CMD_DEL_TX_TS,
16027 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16028 		.doit = nl80211_del_tx_ts,
16029 		.flags = GENL_UNS_ADMIN_PERM,
16030 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16031 	},
16032 	{
16033 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
16034 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16035 		.doit = nl80211_tdls_channel_switch,
16036 		.flags = GENL_UNS_ADMIN_PERM,
16037 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16038 	},
16039 	{
16040 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
16041 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16042 		.doit = nl80211_tdls_cancel_channel_switch,
16043 		.flags = GENL_UNS_ADMIN_PERM,
16044 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16045 	},
16046 	{
16047 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
16048 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16049 		.doit = nl80211_set_multicast_to_unicast,
16050 		.flags = GENL_UNS_ADMIN_PERM,
16051 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16052 	},
16053 	{
16054 		.cmd = NL80211_CMD_SET_PMK,
16055 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16056 		.doit = nl80211_set_pmk,
16057 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
16058 				  0 |
16059 				  NL80211_FLAG_CLEAR_SKB,
16060 	},
16061 	{
16062 		.cmd = NL80211_CMD_DEL_PMK,
16063 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16064 		.doit = nl80211_del_pmk,
16065 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16066 	},
16067 	{
16068 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
16069 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16070 		.doit = nl80211_external_auth,
16071 		.flags = GENL_ADMIN_PERM,
16072 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16073 	},
16074 	{
16075 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
16076 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16077 		.doit = nl80211_tx_control_port,
16078 		.flags = GENL_UNS_ADMIN_PERM,
16079 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16080 	},
16081 	{
16082 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
16083 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16084 		.doit = nl80211_get_ftm_responder_stats,
16085 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16086 	},
16087 	{
16088 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
16089 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16090 		.doit = nl80211_pmsr_start,
16091 		.flags = GENL_UNS_ADMIN_PERM,
16092 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16093 	},
16094 	{
16095 		.cmd = NL80211_CMD_NOTIFY_RADAR,
16096 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16097 		.doit = nl80211_notify_radar_detection,
16098 		.flags = GENL_UNS_ADMIN_PERM,
16099 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16100 	},
16101 	{
16102 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
16103 		.doit = nl80211_update_owe_info,
16104 		.flags = GENL_ADMIN_PERM,
16105 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16106 	},
16107 	{
16108 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
16109 		.doit = nl80211_probe_mesh_link,
16110 		.flags = GENL_UNS_ADMIN_PERM,
16111 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16112 	},
16113 	{
16114 		.cmd = NL80211_CMD_SET_TID_CONFIG,
16115 		.doit = nl80211_set_tid_config,
16116 		.flags = GENL_UNS_ADMIN_PERM,
16117 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16118 	},
16119 	{
16120 		.cmd = NL80211_CMD_SET_SAR_SPECS,
16121 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16122 		.doit = nl80211_set_sar_specs,
16123 		.flags = GENL_UNS_ADMIN_PERM,
16124 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
16125 				  NL80211_FLAG_NEED_RTNL,
16126 	},
16127 	{
16128 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
16129 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16130 		.doit = nl80211_color_change,
16131 		.flags = GENL_UNS_ADMIN_PERM,
16132 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
16133 				  NL80211_FLAG_NEED_RTNL,
16134 	},
16135 	{
16136 		.cmd = NL80211_CMD_SET_FILS_AAD,
16137 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16138 		.doit = nl80211_set_fils_aad,
16139 		.flags = GENL_UNS_ADMIN_PERM,
16140 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16141 	},
16142 };
16143 
16144 static struct genl_family nl80211_fam __ro_after_init = {
16145 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
16146 	.hdrsize = 0,			/* no private header */
16147 	.version = 1,			/* no particular meaning now */
16148 	.maxattr = NL80211_ATTR_MAX,
16149 	.policy = nl80211_policy,
16150 	.netnsok = true,
16151 	.pre_doit = nl80211_pre_doit,
16152 	.post_doit = nl80211_post_doit,
16153 	.module = THIS_MODULE,
16154 	.ops = nl80211_ops,
16155 	.n_ops = ARRAY_SIZE(nl80211_ops),
16156 	.small_ops = nl80211_small_ops,
16157 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
16158 	.mcgrps = nl80211_mcgrps,
16159 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
16160 	.parallel_ops = true,
16161 };
16162 
16163 /* notification functions */
16164 
16165 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
16166 			  enum nl80211_commands cmd)
16167 {
16168 	struct sk_buff *msg;
16169 	struct nl80211_dump_wiphy_state state = {};
16170 
16171 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
16172 		cmd != NL80211_CMD_DEL_WIPHY);
16173 
16174 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16175 	if (!msg)
16176 		return;
16177 
16178 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
16179 		nlmsg_free(msg);
16180 		return;
16181 	}
16182 
16183 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16184 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
16185 }
16186 
16187 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
16188 				struct wireless_dev *wdev,
16189 				enum nl80211_commands cmd)
16190 {
16191 	struct sk_buff *msg;
16192 
16193 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16194 	if (!msg)
16195 		return;
16196 
16197 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
16198 		nlmsg_free(msg);
16199 		return;
16200 	}
16201 
16202 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16203 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
16204 }
16205 
16206 static int nl80211_add_scan_req(struct sk_buff *msg,
16207 				struct cfg80211_registered_device *rdev)
16208 {
16209 	struct cfg80211_scan_request *req = rdev->scan_req;
16210 	struct nlattr *nest;
16211 	int i;
16212 	struct cfg80211_scan_info *info;
16213 
16214 	if (WARN_ON(!req))
16215 		return 0;
16216 
16217 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
16218 	if (!nest)
16219 		goto nla_put_failure;
16220 	for (i = 0; i < req->n_ssids; i++) {
16221 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
16222 			goto nla_put_failure;
16223 	}
16224 	nla_nest_end(msg, nest);
16225 
16226 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
16227 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
16228 		if (!nest)
16229 			goto nla_put_failure;
16230 		for (i = 0; i < req->n_channels; i++) {
16231 			if (nla_put_u32(msg, i,
16232 				   ieee80211_channel_to_khz(req->channels[i])))
16233 				goto nla_put_failure;
16234 		}
16235 		nla_nest_end(msg, nest);
16236 	} else {
16237 		nest = nla_nest_start_noflag(msg,
16238 					     NL80211_ATTR_SCAN_FREQUENCIES);
16239 		if (!nest)
16240 			goto nla_put_failure;
16241 		for (i = 0; i < req->n_channels; i++) {
16242 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
16243 				goto nla_put_failure;
16244 		}
16245 		nla_nest_end(msg, nest);
16246 	}
16247 
16248 	if (req->ie &&
16249 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
16250 		goto nla_put_failure;
16251 
16252 	if (req->flags &&
16253 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
16254 		goto nla_put_failure;
16255 
16256 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
16257 		&rdev->scan_req->info;
16258 	if (info->scan_start_tsf &&
16259 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
16260 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
16261 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
16262 		     info->tsf_bssid)))
16263 		goto nla_put_failure;
16264 
16265 	return 0;
16266  nla_put_failure:
16267 	return -ENOBUFS;
16268 }
16269 
16270 static int nl80211_prep_scan_msg(struct sk_buff *msg,
16271 				 struct cfg80211_registered_device *rdev,
16272 				 struct wireless_dev *wdev,
16273 				 u32 portid, u32 seq, int flags,
16274 				 u32 cmd)
16275 {
16276 	void *hdr;
16277 
16278 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
16279 	if (!hdr)
16280 		return -1;
16281 
16282 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16283 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16284 					 wdev->netdev->ifindex)) ||
16285 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16286 			      NL80211_ATTR_PAD))
16287 		goto nla_put_failure;
16288 
16289 	/* ignore errors and send incomplete event anyway */
16290 	nl80211_add_scan_req(msg, rdev);
16291 
16292 	genlmsg_end(msg, hdr);
16293 	return 0;
16294 
16295  nla_put_failure:
16296 	genlmsg_cancel(msg, hdr);
16297 	return -EMSGSIZE;
16298 }
16299 
16300 static int
16301 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
16302 			    struct cfg80211_sched_scan_request *req, u32 cmd)
16303 {
16304 	void *hdr;
16305 
16306 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16307 	if (!hdr)
16308 		return -1;
16309 
16310 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
16311 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
16312 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
16313 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
16314 			      NL80211_ATTR_PAD))
16315 		goto nla_put_failure;
16316 
16317 	genlmsg_end(msg, hdr);
16318 	return 0;
16319 
16320  nla_put_failure:
16321 	genlmsg_cancel(msg, hdr);
16322 	return -EMSGSIZE;
16323 }
16324 
16325 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
16326 			     struct wireless_dev *wdev)
16327 {
16328 	struct sk_buff *msg;
16329 
16330 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16331 	if (!msg)
16332 		return;
16333 
16334 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
16335 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
16336 		nlmsg_free(msg);
16337 		return;
16338 	}
16339 
16340 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16341 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16342 }
16343 
16344 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
16345 				       struct wireless_dev *wdev, bool aborted)
16346 {
16347 	struct sk_buff *msg;
16348 
16349 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16350 	if (!msg)
16351 		return NULL;
16352 
16353 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
16354 				  aborted ? NL80211_CMD_SCAN_ABORTED :
16355 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
16356 		nlmsg_free(msg);
16357 		return NULL;
16358 	}
16359 
16360 	return msg;
16361 }
16362 
16363 /* send message created by nl80211_build_scan_msg() */
16364 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
16365 			   struct sk_buff *msg)
16366 {
16367 	if (!msg)
16368 		return;
16369 
16370 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16371 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16372 }
16373 
16374 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
16375 {
16376 	struct sk_buff *msg;
16377 
16378 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16379 	if (!msg)
16380 		return;
16381 
16382 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
16383 		nlmsg_free(msg);
16384 		return;
16385 	}
16386 
16387 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
16388 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16389 }
16390 
16391 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
16392 					  struct regulatory_request *request)
16393 {
16394 	/* Userspace can always count this one always being set */
16395 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
16396 		goto nla_put_failure;
16397 
16398 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
16399 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16400 			       NL80211_REGDOM_TYPE_WORLD))
16401 			goto nla_put_failure;
16402 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
16403 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16404 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
16405 			goto nla_put_failure;
16406 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
16407 		   request->intersect) {
16408 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16409 			       NL80211_REGDOM_TYPE_INTERSECTION))
16410 			goto nla_put_failure;
16411 	} else {
16412 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16413 			       NL80211_REGDOM_TYPE_COUNTRY) ||
16414 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
16415 				   request->alpha2))
16416 			goto nla_put_failure;
16417 	}
16418 
16419 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
16420 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
16421 
16422 		if (wiphy &&
16423 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
16424 			goto nla_put_failure;
16425 
16426 		if (wiphy &&
16427 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
16428 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
16429 			goto nla_put_failure;
16430 	}
16431 
16432 	return true;
16433 
16434 nla_put_failure:
16435 	return false;
16436 }
16437 
16438 /*
16439  * This can happen on global regulatory changes or device specific settings
16440  * based on custom regulatory domains.
16441  */
16442 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
16443 				     struct regulatory_request *request)
16444 {
16445 	struct sk_buff *msg;
16446 	void *hdr;
16447 
16448 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16449 	if (!msg)
16450 		return;
16451 
16452 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
16453 	if (!hdr)
16454 		goto nla_put_failure;
16455 
16456 	if (!nl80211_reg_change_event_fill(msg, request))
16457 		goto nla_put_failure;
16458 
16459 	genlmsg_end(msg, hdr);
16460 
16461 	rcu_read_lock();
16462 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
16463 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
16464 	rcu_read_unlock();
16465 
16466 	return;
16467 
16468 nla_put_failure:
16469 	nlmsg_free(msg);
16470 }
16471 
16472 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
16473 				    struct net_device *netdev,
16474 				    const u8 *buf, size_t len,
16475 				    enum nl80211_commands cmd, gfp_t gfp,
16476 				    int uapsd_queues, const u8 *req_ies,
16477 				    size_t req_ies_len, bool reconnect)
16478 {
16479 	struct sk_buff *msg;
16480 	void *hdr;
16481 
16482 	msg = nlmsg_new(100 + len + req_ies_len, gfp);
16483 	if (!msg)
16484 		return;
16485 
16486 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16487 	if (!hdr) {
16488 		nlmsg_free(msg);
16489 		return;
16490 	}
16491 
16492 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16493 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16494 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
16495 	    (req_ies &&
16496 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
16497 		goto nla_put_failure;
16498 
16499 	if (reconnect && nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
16500 		goto nla_put_failure;
16501 
16502 	if (uapsd_queues >= 0) {
16503 		struct nlattr *nla_wmm =
16504 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
16505 		if (!nla_wmm)
16506 			goto nla_put_failure;
16507 
16508 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
16509 			       uapsd_queues))
16510 			goto nla_put_failure;
16511 
16512 		nla_nest_end(msg, nla_wmm);
16513 	}
16514 
16515 	genlmsg_end(msg, hdr);
16516 
16517 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16518 				NL80211_MCGRP_MLME, gfp);
16519 	return;
16520 
16521  nla_put_failure:
16522 	nlmsg_free(msg);
16523 }
16524 
16525 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
16526 			  struct net_device *netdev, const u8 *buf,
16527 			  size_t len, gfp_t gfp)
16528 {
16529 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16530 				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0,
16531 				false);
16532 }
16533 
16534 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
16535 			   struct net_device *netdev, const u8 *buf,
16536 			   size_t len, gfp_t gfp, int uapsd_queues,
16537 			   const u8 *req_ies, size_t req_ies_len)
16538 {
16539 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16540 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues,
16541 				req_ies, req_ies_len, false);
16542 }
16543 
16544 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
16545 			 struct net_device *netdev, const u8 *buf,
16546 			 size_t len, bool reconnect, gfp_t gfp)
16547 {
16548 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16549 				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0,
16550 				reconnect);
16551 }
16552 
16553 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
16554 			   struct net_device *netdev, const u8 *buf,
16555 			   size_t len, bool reconnect, gfp_t gfp)
16556 {
16557 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16558 				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0,
16559 				reconnect);
16560 }
16561 
16562 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
16563 				  size_t len)
16564 {
16565 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16566 	struct wiphy *wiphy = wdev->wiphy;
16567 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16568 	const struct ieee80211_mgmt *mgmt = (void *)buf;
16569 	u32 cmd;
16570 
16571 	if (WARN_ON(len < 2))
16572 		return;
16573 
16574 	if (ieee80211_is_deauth(mgmt->frame_control)) {
16575 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
16576 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
16577 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
16578 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
16579 		if (wdev->unprot_beacon_reported &&
16580 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
16581 			return;
16582 		cmd = NL80211_CMD_UNPROT_BEACON;
16583 		wdev->unprot_beacon_reported = jiffies;
16584 	} else {
16585 		return;
16586 	}
16587 
16588 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
16589 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
16590 				NULL, 0, false);
16591 }
16592 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
16593 
16594 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
16595 				      struct net_device *netdev, int cmd,
16596 				      const u8 *addr, gfp_t gfp)
16597 {
16598 	struct sk_buff *msg;
16599 	void *hdr;
16600 
16601 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16602 	if (!msg)
16603 		return;
16604 
16605 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16606 	if (!hdr) {
16607 		nlmsg_free(msg);
16608 		return;
16609 	}
16610 
16611 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16612 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16613 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
16614 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
16615 		goto nla_put_failure;
16616 
16617 	genlmsg_end(msg, hdr);
16618 
16619 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16620 				NL80211_MCGRP_MLME, gfp);
16621 	return;
16622 
16623  nla_put_failure:
16624 	nlmsg_free(msg);
16625 }
16626 
16627 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
16628 			       struct net_device *netdev, const u8 *addr,
16629 			       gfp_t gfp)
16630 {
16631 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
16632 				  addr, gfp);
16633 }
16634 
16635 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
16636 				struct net_device *netdev, const u8 *addr,
16637 				gfp_t gfp)
16638 {
16639 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
16640 				  addr, gfp);
16641 }
16642 
16643 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
16644 				 struct net_device *netdev,
16645 				 struct cfg80211_connect_resp_params *cr,
16646 				 gfp_t gfp)
16647 {
16648 	struct sk_buff *msg;
16649 	void *hdr;
16650 
16651 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
16652 			cr->fils.kek_len + cr->fils.pmk_len +
16653 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
16654 	if (!msg)
16655 		return;
16656 
16657 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
16658 	if (!hdr) {
16659 		nlmsg_free(msg);
16660 		return;
16661 	}
16662 
16663 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16664 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16665 	    (cr->bssid &&
16666 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cr->bssid)) ||
16667 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
16668 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
16669 			cr->status) ||
16670 	    (cr->status < 0 &&
16671 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
16672 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
16673 			  cr->timeout_reason))) ||
16674 	    (cr->req_ie &&
16675 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
16676 	    (cr->resp_ie &&
16677 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
16678 		     cr->resp_ie)) ||
16679 	    (cr->fils.update_erp_next_seq_num &&
16680 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
16681 			 cr->fils.erp_next_seq_num)) ||
16682 	    (cr->status == WLAN_STATUS_SUCCESS &&
16683 	     ((cr->fils.kek &&
16684 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
16685 		       cr->fils.kek)) ||
16686 	      (cr->fils.pmk &&
16687 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
16688 	      (cr->fils.pmkid &&
16689 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
16690 		goto nla_put_failure;
16691 
16692 	genlmsg_end(msg, hdr);
16693 
16694 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16695 				NL80211_MCGRP_MLME, gfp);
16696 	return;
16697 
16698  nla_put_failure:
16699 	nlmsg_free(msg);
16700 }
16701 
16702 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
16703 			 struct net_device *netdev,
16704 			 struct cfg80211_roam_info *info, gfp_t gfp)
16705 {
16706 	struct sk_buff *msg;
16707 	void *hdr;
16708 	const u8 *bssid = info->bss ? info->bss->bssid : info->bssid;
16709 
16710 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
16711 			info->fils.kek_len + info->fils.pmk_len +
16712 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
16713 	if (!msg)
16714 		return;
16715 
16716 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
16717 	if (!hdr) {
16718 		nlmsg_free(msg);
16719 		return;
16720 	}
16721 
16722 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16723 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16724 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
16725 	    (info->req_ie &&
16726 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
16727 		     info->req_ie)) ||
16728 	    (info->resp_ie &&
16729 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
16730 		     info->resp_ie)) ||
16731 	    (info->fils.update_erp_next_seq_num &&
16732 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
16733 			 info->fils.erp_next_seq_num)) ||
16734 	    (info->fils.kek &&
16735 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
16736 		     info->fils.kek)) ||
16737 	    (info->fils.pmk &&
16738 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
16739 	    (info->fils.pmkid &&
16740 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
16741 		goto nla_put_failure;
16742 
16743 	genlmsg_end(msg, hdr);
16744 
16745 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16746 				NL80211_MCGRP_MLME, gfp);
16747 	return;
16748 
16749  nla_put_failure:
16750 	nlmsg_free(msg);
16751 }
16752 
16753 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
16754 				  struct net_device *netdev, const u8 *bssid)
16755 {
16756 	struct sk_buff *msg;
16757 	void *hdr;
16758 
16759 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16760 	if (!msg)
16761 		return;
16762 
16763 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
16764 	if (!hdr) {
16765 		nlmsg_free(msg);
16766 		return;
16767 	}
16768 
16769 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16770 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16771 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16772 		goto nla_put_failure;
16773 
16774 	genlmsg_end(msg, hdr);
16775 
16776 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16777 				NL80211_MCGRP_MLME, GFP_KERNEL);
16778 	return;
16779 
16780  nla_put_failure:
16781 	nlmsg_free(msg);
16782 }
16783 
16784 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
16785 			       struct net_device *netdev, u16 reason,
16786 			       const u8 *ie, size_t ie_len, bool from_ap)
16787 {
16788 	struct sk_buff *msg;
16789 	void *hdr;
16790 
16791 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
16792 	if (!msg)
16793 		return;
16794 
16795 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
16796 	if (!hdr) {
16797 		nlmsg_free(msg);
16798 		return;
16799 	}
16800 
16801 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16802 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16803 	    (reason &&
16804 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
16805 	    (from_ap &&
16806 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
16807 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
16808 		goto nla_put_failure;
16809 
16810 	genlmsg_end(msg, hdr);
16811 
16812 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16813 				NL80211_MCGRP_MLME, GFP_KERNEL);
16814 	return;
16815 
16816  nla_put_failure:
16817 	nlmsg_free(msg);
16818 }
16819 
16820 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
16821 			     struct net_device *netdev, const u8 *bssid,
16822 			     gfp_t gfp)
16823 {
16824 	struct sk_buff *msg;
16825 	void *hdr;
16826 
16827 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16828 	if (!msg)
16829 		return;
16830 
16831 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
16832 	if (!hdr) {
16833 		nlmsg_free(msg);
16834 		return;
16835 	}
16836 
16837 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16838 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16839 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16840 		goto nla_put_failure;
16841 
16842 	genlmsg_end(msg, hdr);
16843 
16844 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16845 				NL80211_MCGRP_MLME, gfp);
16846 	return;
16847 
16848  nla_put_failure:
16849 	nlmsg_free(msg);
16850 }
16851 
16852 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
16853 					const u8 *ie, u8 ie_len,
16854 					int sig_dbm, gfp_t gfp)
16855 {
16856 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16857 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16858 	struct sk_buff *msg;
16859 	void *hdr;
16860 
16861 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
16862 		return;
16863 
16864 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
16865 
16866 	msg = nlmsg_new(100 + ie_len, gfp);
16867 	if (!msg)
16868 		return;
16869 
16870 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
16871 	if (!hdr) {
16872 		nlmsg_free(msg);
16873 		return;
16874 	}
16875 
16876 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16877 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16878 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
16879 	    (ie_len && ie &&
16880 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
16881 	    (sig_dbm &&
16882 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
16883 		goto nla_put_failure;
16884 
16885 	genlmsg_end(msg, hdr);
16886 
16887 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16888 				NL80211_MCGRP_MLME, gfp);
16889 	return;
16890 
16891  nla_put_failure:
16892 	nlmsg_free(msg);
16893 }
16894 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
16895 
16896 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
16897 				 struct net_device *netdev, const u8 *addr,
16898 				 enum nl80211_key_type key_type, int key_id,
16899 				 const u8 *tsc, gfp_t gfp)
16900 {
16901 	struct sk_buff *msg;
16902 	void *hdr;
16903 
16904 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16905 	if (!msg)
16906 		return;
16907 
16908 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
16909 	if (!hdr) {
16910 		nlmsg_free(msg);
16911 		return;
16912 	}
16913 
16914 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16915 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16916 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
16917 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
16918 	    (key_id != -1 &&
16919 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
16920 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
16921 		goto nla_put_failure;
16922 
16923 	genlmsg_end(msg, hdr);
16924 
16925 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16926 				NL80211_MCGRP_MLME, gfp);
16927 	return;
16928 
16929  nla_put_failure:
16930 	nlmsg_free(msg);
16931 }
16932 
16933 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
16934 				    struct ieee80211_channel *channel_before,
16935 				    struct ieee80211_channel *channel_after)
16936 {
16937 	struct sk_buff *msg;
16938 	void *hdr;
16939 	struct nlattr *nl_freq;
16940 
16941 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
16942 	if (!msg)
16943 		return;
16944 
16945 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
16946 	if (!hdr) {
16947 		nlmsg_free(msg);
16948 		return;
16949 	}
16950 
16951 	/*
16952 	 * Since we are applying the beacon hint to a wiphy we know its
16953 	 * wiphy_idx is valid
16954 	 */
16955 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
16956 		goto nla_put_failure;
16957 
16958 	/* Before */
16959 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
16960 	if (!nl_freq)
16961 		goto nla_put_failure;
16962 
16963 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
16964 		goto nla_put_failure;
16965 	nla_nest_end(msg, nl_freq);
16966 
16967 	/* After */
16968 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
16969 	if (!nl_freq)
16970 		goto nla_put_failure;
16971 
16972 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
16973 		goto nla_put_failure;
16974 	nla_nest_end(msg, nl_freq);
16975 
16976 	genlmsg_end(msg, hdr);
16977 
16978 	rcu_read_lock();
16979 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
16980 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
16981 	rcu_read_unlock();
16982 
16983 	return;
16984 
16985 nla_put_failure:
16986 	nlmsg_free(msg);
16987 }
16988 
16989 static void nl80211_send_remain_on_chan_event(
16990 	int cmd, struct cfg80211_registered_device *rdev,
16991 	struct wireless_dev *wdev, u64 cookie,
16992 	struct ieee80211_channel *chan,
16993 	unsigned int duration, gfp_t gfp)
16994 {
16995 	struct sk_buff *msg;
16996 	void *hdr;
16997 
16998 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16999 	if (!msg)
17000 		return;
17001 
17002 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17003 	if (!hdr) {
17004 		nlmsg_free(msg);
17005 		return;
17006 	}
17007 
17008 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17009 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17010 					 wdev->netdev->ifindex)) ||
17011 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17012 			      NL80211_ATTR_PAD) ||
17013 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
17014 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
17015 			NL80211_CHAN_NO_HT) ||
17016 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17017 			      NL80211_ATTR_PAD))
17018 		goto nla_put_failure;
17019 
17020 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
17021 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
17022 		goto nla_put_failure;
17023 
17024 	genlmsg_end(msg, hdr);
17025 
17026 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17027 				NL80211_MCGRP_MLME, gfp);
17028 	return;
17029 
17030  nla_put_failure:
17031 	nlmsg_free(msg);
17032 }
17033 
17034 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
17035 			       struct ieee80211_channel *chan,
17036 			       unsigned int duration, gfp_t gfp)
17037 {
17038 	struct wiphy *wiphy = wdev->wiphy;
17039 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17040 
17041 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
17042 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
17043 					  rdev, wdev, cookie, chan,
17044 					  duration, gfp);
17045 }
17046 EXPORT_SYMBOL(cfg80211_ready_on_channel);
17047 
17048 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
17049 					struct ieee80211_channel *chan,
17050 					gfp_t gfp)
17051 {
17052 	struct wiphy *wiphy = wdev->wiphy;
17053 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17054 
17055 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
17056 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
17057 					  rdev, wdev, cookie, chan, 0, gfp);
17058 }
17059 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
17060 
17061 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
17062 					struct ieee80211_channel *chan,
17063 					gfp_t gfp)
17064 {
17065 	struct wiphy *wiphy = wdev->wiphy;
17066 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17067 
17068 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
17069 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
17070 					  rdev, wdev, cookie, chan, 0, gfp);
17071 }
17072 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
17073 
17074 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
17075 		      struct station_info *sinfo, gfp_t gfp)
17076 {
17077 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17078 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17079 	struct sk_buff *msg;
17080 
17081 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
17082 
17083 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17084 	if (!msg)
17085 		return;
17086 
17087 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
17088 				 rdev, dev, mac_addr, sinfo) < 0) {
17089 		nlmsg_free(msg);
17090 		return;
17091 	}
17092 
17093 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17094 				NL80211_MCGRP_MLME, gfp);
17095 }
17096 EXPORT_SYMBOL(cfg80211_new_sta);
17097 
17098 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
17099 			    struct station_info *sinfo, gfp_t gfp)
17100 {
17101 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17102 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17103 	struct sk_buff *msg;
17104 	struct station_info empty_sinfo = {};
17105 
17106 	if (!sinfo)
17107 		sinfo = &empty_sinfo;
17108 
17109 	trace_cfg80211_del_sta(dev, mac_addr);
17110 
17111 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17112 	if (!msg) {
17113 		cfg80211_sinfo_release_content(sinfo);
17114 		return;
17115 	}
17116 
17117 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
17118 				 rdev, dev, mac_addr, sinfo) < 0) {
17119 		nlmsg_free(msg);
17120 		return;
17121 	}
17122 
17123 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17124 				NL80211_MCGRP_MLME, gfp);
17125 }
17126 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
17127 
17128 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
17129 			  enum nl80211_connect_failed_reason reason,
17130 			  gfp_t gfp)
17131 {
17132 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17133 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17134 	struct sk_buff *msg;
17135 	void *hdr;
17136 
17137 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
17138 	if (!msg)
17139 		return;
17140 
17141 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
17142 	if (!hdr) {
17143 		nlmsg_free(msg);
17144 		return;
17145 	}
17146 
17147 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17148 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
17149 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
17150 		goto nla_put_failure;
17151 
17152 	genlmsg_end(msg, hdr);
17153 
17154 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17155 				NL80211_MCGRP_MLME, gfp);
17156 	return;
17157 
17158  nla_put_failure:
17159 	nlmsg_free(msg);
17160 }
17161 EXPORT_SYMBOL(cfg80211_conn_failed);
17162 
17163 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
17164 				       const u8 *addr, gfp_t gfp)
17165 {
17166 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17167 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17168 	struct sk_buff *msg;
17169 	void *hdr;
17170 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
17171 
17172 	if (!nlportid)
17173 		return false;
17174 
17175 	msg = nlmsg_new(100, gfp);
17176 	if (!msg)
17177 		return true;
17178 
17179 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17180 	if (!hdr) {
17181 		nlmsg_free(msg);
17182 		return true;
17183 	}
17184 
17185 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17186 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17187 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
17188 		goto nla_put_failure;
17189 
17190 	genlmsg_end(msg, hdr);
17191 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17192 	return true;
17193 
17194  nla_put_failure:
17195 	nlmsg_free(msg);
17196 	return true;
17197 }
17198 
17199 bool cfg80211_rx_spurious_frame(struct net_device *dev,
17200 				const u8 *addr, gfp_t gfp)
17201 {
17202 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17203 	bool ret;
17204 
17205 	trace_cfg80211_rx_spurious_frame(dev, addr);
17206 
17207 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
17208 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
17209 		trace_cfg80211_return_bool(false);
17210 		return false;
17211 	}
17212 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
17213 					 addr, gfp);
17214 	trace_cfg80211_return_bool(ret);
17215 	return ret;
17216 }
17217 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
17218 
17219 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
17220 					const u8 *addr, gfp_t gfp)
17221 {
17222 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17223 	bool ret;
17224 
17225 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
17226 
17227 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
17228 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
17229 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
17230 		trace_cfg80211_return_bool(false);
17231 		return false;
17232 	}
17233 	ret = __nl80211_unexpected_frame(dev,
17234 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
17235 					 addr, gfp);
17236 	trace_cfg80211_return_bool(ret);
17237 	return ret;
17238 }
17239 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
17240 
17241 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
17242 		      struct wireless_dev *wdev, u32 nlportid,
17243 		      int freq, int sig_dbm,
17244 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
17245 {
17246 	struct net_device *netdev = wdev->netdev;
17247 	struct sk_buff *msg;
17248 	void *hdr;
17249 
17250 	msg = nlmsg_new(100 + len, gfp);
17251 	if (!msg)
17252 		return -ENOMEM;
17253 
17254 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
17255 	if (!hdr) {
17256 		nlmsg_free(msg);
17257 		return -ENOMEM;
17258 	}
17259 
17260 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17261 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17262 					netdev->ifindex)) ||
17263 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17264 			      NL80211_ATTR_PAD) ||
17265 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(freq)) ||
17266 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, freq % 1000) ||
17267 	    (sig_dbm &&
17268 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
17269 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17270 	    (flags &&
17271 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
17272 		goto nla_put_failure;
17273 
17274 	genlmsg_end(msg, hdr);
17275 
17276 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17277 
17278  nla_put_failure:
17279 	nlmsg_free(msg);
17280 	return -ENOBUFS;
17281 }
17282 
17283 static void nl80211_frame_tx_status(struct wireless_dev *wdev, u64 cookie,
17284 				    const u8 *buf, size_t len, bool ack,
17285 				    gfp_t gfp, enum nl80211_commands command)
17286 {
17287 	struct wiphy *wiphy = wdev->wiphy;
17288 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17289 	struct net_device *netdev = wdev->netdev;
17290 	struct sk_buff *msg;
17291 	void *hdr;
17292 
17293 	if (command == NL80211_CMD_FRAME_TX_STATUS)
17294 		trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
17295 	else
17296 		trace_cfg80211_control_port_tx_status(wdev, cookie, ack);
17297 
17298 	msg = nlmsg_new(100 + len, gfp);
17299 	if (!msg)
17300 		return;
17301 
17302 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
17303 	if (!hdr) {
17304 		nlmsg_free(msg);
17305 		return;
17306 	}
17307 
17308 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17309 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17310 				   netdev->ifindex)) ||
17311 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17312 			      NL80211_ATTR_PAD) ||
17313 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17314 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17315 			      NL80211_ATTR_PAD) ||
17316 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
17317 		goto nla_put_failure;
17318 
17319 	genlmsg_end(msg, hdr);
17320 
17321 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17322 				NL80211_MCGRP_MLME, gfp);
17323 	return;
17324 
17325 nla_put_failure:
17326 	nlmsg_free(msg);
17327 }
17328 
17329 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
17330 				     const u8 *buf, size_t len, bool ack,
17331 				     gfp_t gfp)
17332 {
17333 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
17334 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
17335 }
17336 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
17337 
17338 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
17339 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
17340 {
17341 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
17342 				NL80211_CMD_FRAME_TX_STATUS);
17343 }
17344 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
17345 
17346 static int __nl80211_rx_control_port(struct net_device *dev,
17347 				     struct sk_buff *skb,
17348 				     bool unencrypted, gfp_t gfp)
17349 {
17350 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17351 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17352 	struct ethhdr *ehdr = eth_hdr(skb);
17353 	const u8 *addr = ehdr->h_source;
17354 	u16 proto = be16_to_cpu(skb->protocol);
17355 	struct sk_buff *msg;
17356 	void *hdr;
17357 	struct nlattr *frame;
17358 
17359 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
17360 
17361 	if (!nlportid)
17362 		return -ENOENT;
17363 
17364 	msg = nlmsg_new(100 + skb->len, gfp);
17365 	if (!msg)
17366 		return -ENOMEM;
17367 
17368 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
17369 	if (!hdr) {
17370 		nlmsg_free(msg);
17371 		return -ENOBUFS;
17372 	}
17373 
17374 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17375 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17376 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17377 			      NL80211_ATTR_PAD) ||
17378 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
17379 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
17380 	    (unencrypted && nla_put_flag(msg,
17381 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
17382 		goto nla_put_failure;
17383 
17384 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
17385 	if (!frame)
17386 		goto nla_put_failure;
17387 
17388 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
17389 	genlmsg_end(msg, hdr);
17390 
17391 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17392 
17393  nla_put_failure:
17394 	nlmsg_free(msg);
17395 	return -ENOBUFS;
17396 }
17397 
17398 bool cfg80211_rx_control_port(struct net_device *dev,
17399 			      struct sk_buff *skb, bool unencrypted)
17400 {
17401 	int ret;
17402 
17403 	trace_cfg80211_rx_control_port(dev, skb, unencrypted);
17404 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, GFP_ATOMIC);
17405 	trace_cfg80211_return_bool(ret == 0);
17406 	return ret == 0;
17407 }
17408 EXPORT_SYMBOL(cfg80211_rx_control_port);
17409 
17410 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
17411 					    const char *mac, gfp_t gfp)
17412 {
17413 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17414 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17415 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17416 	void **cb;
17417 
17418 	if (!msg)
17419 		return NULL;
17420 
17421 	cb = (void **)msg->cb;
17422 
17423 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
17424 	if (!cb[0]) {
17425 		nlmsg_free(msg);
17426 		return NULL;
17427 	}
17428 
17429 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17430 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17431 		goto nla_put_failure;
17432 
17433 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
17434 		goto nla_put_failure;
17435 
17436 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
17437 	if (!cb[1])
17438 		goto nla_put_failure;
17439 
17440 	cb[2] = rdev;
17441 
17442 	return msg;
17443  nla_put_failure:
17444 	nlmsg_free(msg);
17445 	return NULL;
17446 }
17447 
17448 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
17449 {
17450 	void **cb = (void **)msg->cb;
17451 	struct cfg80211_registered_device *rdev = cb[2];
17452 
17453 	nla_nest_end(msg, cb[1]);
17454 	genlmsg_end(msg, cb[0]);
17455 
17456 	memset(msg->cb, 0, sizeof(msg->cb));
17457 
17458 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17459 				NL80211_MCGRP_MLME, gfp);
17460 }
17461 
17462 void cfg80211_cqm_rssi_notify(struct net_device *dev,
17463 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
17464 			      s32 rssi_level, gfp_t gfp)
17465 {
17466 	struct sk_buff *msg;
17467 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17468 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17469 
17470 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
17471 
17472 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
17473 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
17474 		return;
17475 
17476 	if (wdev->cqm_config) {
17477 		wdev->cqm_config->last_rssi_event_value = rssi_level;
17478 
17479 		cfg80211_cqm_rssi_update(rdev, dev);
17480 
17481 		if (rssi_level == 0)
17482 			rssi_level = wdev->cqm_config->last_rssi_event_value;
17483 	}
17484 
17485 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
17486 	if (!msg)
17487 		return;
17488 
17489 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
17490 			rssi_event))
17491 		goto nla_put_failure;
17492 
17493 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
17494 				      rssi_level))
17495 		goto nla_put_failure;
17496 
17497 	cfg80211_send_cqm(msg, gfp);
17498 
17499 	return;
17500 
17501  nla_put_failure:
17502 	nlmsg_free(msg);
17503 }
17504 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
17505 
17506 void cfg80211_cqm_txe_notify(struct net_device *dev,
17507 			     const u8 *peer, u32 num_packets,
17508 			     u32 rate, u32 intvl, gfp_t gfp)
17509 {
17510 	struct sk_buff *msg;
17511 
17512 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
17513 	if (!msg)
17514 		return;
17515 
17516 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
17517 		goto nla_put_failure;
17518 
17519 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
17520 		goto nla_put_failure;
17521 
17522 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
17523 		goto nla_put_failure;
17524 
17525 	cfg80211_send_cqm(msg, gfp);
17526 	return;
17527 
17528  nla_put_failure:
17529 	nlmsg_free(msg);
17530 }
17531 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
17532 
17533 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
17534 				 const u8 *peer, u32 num_packets, gfp_t gfp)
17535 {
17536 	struct sk_buff *msg;
17537 
17538 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
17539 
17540 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
17541 	if (!msg)
17542 		return;
17543 
17544 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
17545 		goto nla_put_failure;
17546 
17547 	cfg80211_send_cqm(msg, gfp);
17548 	return;
17549 
17550  nla_put_failure:
17551 	nlmsg_free(msg);
17552 }
17553 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
17554 
17555 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
17556 {
17557 	struct sk_buff *msg;
17558 
17559 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
17560 	if (!msg)
17561 		return;
17562 
17563 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
17564 		goto nla_put_failure;
17565 
17566 	cfg80211_send_cqm(msg, gfp);
17567 	return;
17568 
17569  nla_put_failure:
17570 	nlmsg_free(msg);
17571 }
17572 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
17573 
17574 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
17575 				     struct net_device *netdev, const u8 *bssid,
17576 				     const u8 *replay_ctr, gfp_t gfp)
17577 {
17578 	struct sk_buff *msg;
17579 	struct nlattr *rekey_attr;
17580 	void *hdr;
17581 
17582 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17583 	if (!msg)
17584 		return;
17585 
17586 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
17587 	if (!hdr) {
17588 		nlmsg_free(msg);
17589 		return;
17590 	}
17591 
17592 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17593 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17594 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
17595 		goto nla_put_failure;
17596 
17597 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
17598 	if (!rekey_attr)
17599 		goto nla_put_failure;
17600 
17601 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
17602 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
17603 		goto nla_put_failure;
17604 
17605 	nla_nest_end(msg, rekey_attr);
17606 
17607 	genlmsg_end(msg, hdr);
17608 
17609 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17610 				NL80211_MCGRP_MLME, gfp);
17611 	return;
17612 
17613  nla_put_failure:
17614 	nlmsg_free(msg);
17615 }
17616 
17617 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
17618 			       const u8 *replay_ctr, gfp_t gfp)
17619 {
17620 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17621 	struct wiphy *wiphy = wdev->wiphy;
17622 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17623 
17624 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
17625 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
17626 }
17627 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
17628 
17629 static void
17630 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
17631 			       struct net_device *netdev, int index,
17632 			       const u8 *bssid, bool preauth, gfp_t gfp)
17633 {
17634 	struct sk_buff *msg;
17635 	struct nlattr *attr;
17636 	void *hdr;
17637 
17638 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17639 	if (!msg)
17640 		return;
17641 
17642 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
17643 	if (!hdr) {
17644 		nlmsg_free(msg);
17645 		return;
17646 	}
17647 
17648 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17649 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
17650 		goto nla_put_failure;
17651 
17652 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
17653 	if (!attr)
17654 		goto nla_put_failure;
17655 
17656 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
17657 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
17658 	    (preauth &&
17659 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
17660 		goto nla_put_failure;
17661 
17662 	nla_nest_end(msg, attr);
17663 
17664 	genlmsg_end(msg, hdr);
17665 
17666 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17667 				NL80211_MCGRP_MLME, gfp);
17668 	return;
17669 
17670  nla_put_failure:
17671 	nlmsg_free(msg);
17672 }
17673 
17674 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
17675 				     const u8 *bssid, bool preauth, gfp_t gfp)
17676 {
17677 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17678 	struct wiphy *wiphy = wdev->wiphy;
17679 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17680 
17681 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
17682 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
17683 }
17684 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
17685 
17686 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
17687 				     struct net_device *netdev,
17688 				     struct cfg80211_chan_def *chandef,
17689 				     gfp_t gfp,
17690 				     enum nl80211_commands notif,
17691 				     u8 count, bool quiet)
17692 {
17693 	struct sk_buff *msg;
17694 	void *hdr;
17695 
17696 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17697 	if (!msg)
17698 		return;
17699 
17700 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
17701 	if (!hdr) {
17702 		nlmsg_free(msg);
17703 		return;
17704 	}
17705 
17706 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
17707 		goto nla_put_failure;
17708 
17709 	if (nl80211_send_chandef(msg, chandef))
17710 		goto nla_put_failure;
17711 
17712 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
17713 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
17714 			goto nla_put_failure;
17715 		if (quiet &&
17716 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
17717 			goto nla_put_failure;
17718 	}
17719 
17720 	genlmsg_end(msg, hdr);
17721 
17722 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17723 				NL80211_MCGRP_MLME, gfp);
17724 	return;
17725 
17726  nla_put_failure:
17727 	nlmsg_free(msg);
17728 }
17729 
17730 void cfg80211_ch_switch_notify(struct net_device *dev,
17731 			       struct cfg80211_chan_def *chandef)
17732 {
17733 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17734 	struct wiphy *wiphy = wdev->wiphy;
17735 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17736 
17737 	ASSERT_WDEV_LOCK(wdev);
17738 
17739 	trace_cfg80211_ch_switch_notify(dev, chandef);
17740 
17741 	wdev->chandef = *chandef;
17742 	wdev->preset_chandef = *chandef;
17743 
17744 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
17745 	    !WARN_ON(!wdev->current_bss))
17746 		cfg80211_update_assoc_bss_entry(wdev, chandef->chan);
17747 
17748 	cfg80211_sched_dfs_chan_update(rdev);
17749 
17750 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
17751 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
17752 }
17753 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
17754 
17755 void cfg80211_ch_switch_started_notify(struct net_device *dev,
17756 				       struct cfg80211_chan_def *chandef,
17757 				       u8 count, bool quiet)
17758 {
17759 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17760 	struct wiphy *wiphy = wdev->wiphy;
17761 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17762 
17763 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
17764 
17765 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
17766 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
17767 				 count, quiet);
17768 }
17769 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
17770 
17771 int cfg80211_bss_color_notify(struct net_device *dev, gfp_t gfp,
17772 			      enum nl80211_commands cmd, u8 count,
17773 			      u64 color_bitmap)
17774 {
17775 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17776 	struct wiphy *wiphy = wdev->wiphy;
17777 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17778 	struct sk_buff *msg;
17779 	void *hdr;
17780 
17781 	ASSERT_WDEV_LOCK(wdev);
17782 
17783 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
17784 
17785 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17786 	if (!msg)
17787 		return -ENOMEM;
17788 
17789 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17790 	if (!hdr)
17791 		goto nla_put_failure;
17792 
17793 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17794 		goto nla_put_failure;
17795 
17796 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
17797 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
17798 		goto nla_put_failure;
17799 
17800 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
17801 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
17802 			      color_bitmap, NL80211_ATTR_PAD))
17803 		goto nla_put_failure;
17804 
17805 	genlmsg_end(msg, hdr);
17806 
17807 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
17808 				       msg, 0, NL80211_MCGRP_MLME, gfp);
17809 
17810 nla_put_failure:
17811 	nlmsg_free(msg);
17812 	return -EINVAL;
17813 }
17814 EXPORT_SYMBOL(cfg80211_bss_color_notify);
17815 
17816 void
17817 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
17818 		     const struct cfg80211_chan_def *chandef,
17819 		     enum nl80211_radar_event event,
17820 		     struct net_device *netdev, gfp_t gfp)
17821 {
17822 	struct sk_buff *msg;
17823 	void *hdr;
17824 
17825 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17826 	if (!msg)
17827 		return;
17828 
17829 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
17830 	if (!hdr) {
17831 		nlmsg_free(msg);
17832 		return;
17833 	}
17834 
17835 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
17836 		goto nla_put_failure;
17837 
17838 	/* NOP and radar events don't need a netdev parameter */
17839 	if (netdev) {
17840 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
17841 
17842 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17843 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17844 				      NL80211_ATTR_PAD))
17845 			goto nla_put_failure;
17846 	}
17847 
17848 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
17849 		goto nla_put_failure;
17850 
17851 	if (nl80211_send_chandef(msg, chandef))
17852 		goto nla_put_failure;
17853 
17854 	genlmsg_end(msg, hdr);
17855 
17856 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17857 				NL80211_MCGRP_MLME, gfp);
17858 	return;
17859 
17860  nla_put_failure:
17861 	nlmsg_free(msg);
17862 }
17863 
17864 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
17865 				       struct sta_opmode_info *sta_opmode,
17866 				       gfp_t gfp)
17867 {
17868 	struct sk_buff *msg;
17869 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17870 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17871 	void *hdr;
17872 
17873 	if (WARN_ON(!mac))
17874 		return;
17875 
17876 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17877 	if (!msg)
17878 		return;
17879 
17880 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
17881 	if (!hdr) {
17882 		nlmsg_free(msg);
17883 		return;
17884 	}
17885 
17886 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
17887 		goto nla_put_failure;
17888 
17889 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17890 		goto nla_put_failure;
17891 
17892 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
17893 		goto nla_put_failure;
17894 
17895 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
17896 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
17897 		goto nla_put_failure;
17898 
17899 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
17900 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
17901 		goto nla_put_failure;
17902 
17903 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
17904 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
17905 		goto nla_put_failure;
17906 
17907 	genlmsg_end(msg, hdr);
17908 
17909 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17910 				NL80211_MCGRP_MLME, gfp);
17911 
17912 	return;
17913 
17914 nla_put_failure:
17915 	nlmsg_free(msg);
17916 }
17917 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
17918 
17919 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
17920 			   u64 cookie, bool acked, s32 ack_signal,
17921 			   bool is_valid_ack_signal, gfp_t gfp)
17922 {
17923 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17924 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17925 	struct sk_buff *msg;
17926 	void *hdr;
17927 
17928 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
17929 
17930 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17931 
17932 	if (!msg)
17933 		return;
17934 
17935 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
17936 	if (!hdr) {
17937 		nlmsg_free(msg);
17938 		return;
17939 	}
17940 
17941 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17942 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17943 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
17944 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17945 			      NL80211_ATTR_PAD) ||
17946 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
17947 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
17948 						ack_signal)))
17949 		goto nla_put_failure;
17950 
17951 	genlmsg_end(msg, hdr);
17952 
17953 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17954 				NL80211_MCGRP_MLME, gfp);
17955 	return;
17956 
17957  nla_put_failure:
17958 	nlmsg_free(msg);
17959 }
17960 EXPORT_SYMBOL(cfg80211_probe_status);
17961 
17962 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
17963 				     size_t len, int freq, int sig_dbm)
17964 {
17965 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17966 	struct sk_buff *msg;
17967 	void *hdr;
17968 	struct cfg80211_beacon_registration *reg;
17969 
17970 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
17971 
17972 	spin_lock_bh(&rdev->beacon_registrations_lock);
17973 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
17974 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
17975 		if (!msg) {
17976 			spin_unlock_bh(&rdev->beacon_registrations_lock);
17977 			return;
17978 		}
17979 
17980 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
17981 		if (!hdr)
17982 			goto nla_put_failure;
17983 
17984 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17985 		    (freq &&
17986 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
17987 				  KHZ_TO_MHZ(freq)) ||
17988 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
17989 				  freq % 1000))) ||
17990 		    (sig_dbm &&
17991 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
17992 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
17993 			goto nla_put_failure;
17994 
17995 		genlmsg_end(msg, hdr);
17996 
17997 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
17998 	}
17999 	spin_unlock_bh(&rdev->beacon_registrations_lock);
18000 	return;
18001 
18002  nla_put_failure:
18003 	spin_unlock_bh(&rdev->beacon_registrations_lock);
18004 	nlmsg_free(msg);
18005 }
18006 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
18007 
18008 #ifdef CONFIG_PM
18009 static int cfg80211_net_detect_results(struct sk_buff *msg,
18010 				       struct cfg80211_wowlan_wakeup *wakeup)
18011 {
18012 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
18013 	struct nlattr *nl_results, *nl_match, *nl_freqs;
18014 	int i, j;
18015 
18016 	nl_results = nla_nest_start_noflag(msg,
18017 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
18018 	if (!nl_results)
18019 		return -EMSGSIZE;
18020 
18021 	for (i = 0; i < nd->n_matches; i++) {
18022 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
18023 
18024 		nl_match = nla_nest_start_noflag(msg, i);
18025 		if (!nl_match)
18026 			break;
18027 
18028 		/* The SSID attribute is optional in nl80211, but for
18029 		 * simplicity reasons it's always present in the
18030 		 * cfg80211 structure.  If a driver can't pass the
18031 		 * SSID, that needs to be changed.  A zero length SSID
18032 		 * is still a valid SSID (wildcard), so it cannot be
18033 		 * used for this purpose.
18034 		 */
18035 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
18036 			    match->ssid.ssid)) {
18037 			nla_nest_cancel(msg, nl_match);
18038 			goto out;
18039 		}
18040 
18041 		if (match->n_channels) {
18042 			nl_freqs = nla_nest_start_noflag(msg,
18043 							 NL80211_ATTR_SCAN_FREQUENCIES);
18044 			if (!nl_freqs) {
18045 				nla_nest_cancel(msg, nl_match);
18046 				goto out;
18047 			}
18048 
18049 			for (j = 0; j < match->n_channels; j++) {
18050 				if (nla_put_u32(msg, j, match->channels[j])) {
18051 					nla_nest_cancel(msg, nl_freqs);
18052 					nla_nest_cancel(msg, nl_match);
18053 					goto out;
18054 				}
18055 			}
18056 
18057 			nla_nest_end(msg, nl_freqs);
18058 		}
18059 
18060 		nla_nest_end(msg, nl_match);
18061 	}
18062 
18063 out:
18064 	nla_nest_end(msg, nl_results);
18065 	return 0;
18066 }
18067 
18068 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
18069 				   struct cfg80211_wowlan_wakeup *wakeup,
18070 				   gfp_t gfp)
18071 {
18072 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18073 	struct sk_buff *msg;
18074 	void *hdr;
18075 	int size = 200;
18076 
18077 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
18078 
18079 	if (wakeup)
18080 		size += wakeup->packet_present_len;
18081 
18082 	msg = nlmsg_new(size, gfp);
18083 	if (!msg)
18084 		return;
18085 
18086 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
18087 	if (!hdr)
18088 		goto free_msg;
18089 
18090 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18091 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18092 			      NL80211_ATTR_PAD))
18093 		goto free_msg;
18094 
18095 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18096 					wdev->netdev->ifindex))
18097 		goto free_msg;
18098 
18099 	if (wakeup) {
18100 		struct nlattr *reasons;
18101 
18102 		reasons = nla_nest_start_noflag(msg,
18103 						NL80211_ATTR_WOWLAN_TRIGGERS);
18104 		if (!reasons)
18105 			goto free_msg;
18106 
18107 		if (wakeup->disconnect &&
18108 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
18109 			goto free_msg;
18110 		if (wakeup->magic_pkt &&
18111 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
18112 			goto free_msg;
18113 		if (wakeup->gtk_rekey_failure &&
18114 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
18115 			goto free_msg;
18116 		if (wakeup->eap_identity_req &&
18117 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
18118 			goto free_msg;
18119 		if (wakeup->four_way_handshake &&
18120 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
18121 			goto free_msg;
18122 		if (wakeup->rfkill_release &&
18123 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
18124 			goto free_msg;
18125 
18126 		if (wakeup->pattern_idx >= 0 &&
18127 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
18128 				wakeup->pattern_idx))
18129 			goto free_msg;
18130 
18131 		if (wakeup->tcp_match &&
18132 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
18133 			goto free_msg;
18134 
18135 		if (wakeup->tcp_connlost &&
18136 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
18137 			goto free_msg;
18138 
18139 		if (wakeup->tcp_nomoretokens &&
18140 		    nla_put_flag(msg,
18141 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
18142 			goto free_msg;
18143 
18144 		if (wakeup->packet) {
18145 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
18146 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
18147 
18148 			if (!wakeup->packet_80211) {
18149 				pkt_attr =
18150 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
18151 				len_attr =
18152 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
18153 			}
18154 
18155 			if (wakeup->packet_len &&
18156 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
18157 				goto free_msg;
18158 
18159 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
18160 				    wakeup->packet))
18161 				goto free_msg;
18162 		}
18163 
18164 		if (wakeup->net_detect &&
18165 		    cfg80211_net_detect_results(msg, wakeup))
18166 				goto free_msg;
18167 
18168 		nla_nest_end(msg, reasons);
18169 	}
18170 
18171 	genlmsg_end(msg, hdr);
18172 
18173 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18174 				NL80211_MCGRP_MLME, gfp);
18175 	return;
18176 
18177  free_msg:
18178 	nlmsg_free(msg);
18179 }
18180 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
18181 #endif
18182 
18183 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
18184 				enum nl80211_tdls_operation oper,
18185 				u16 reason_code, gfp_t gfp)
18186 {
18187 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18188 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18189 	struct sk_buff *msg;
18190 	void *hdr;
18191 
18192 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
18193 					 reason_code);
18194 
18195 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18196 	if (!msg)
18197 		return;
18198 
18199 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
18200 	if (!hdr) {
18201 		nlmsg_free(msg);
18202 		return;
18203 	}
18204 
18205 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18206 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18207 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
18208 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
18209 	    (reason_code > 0 &&
18210 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
18211 		goto nla_put_failure;
18212 
18213 	genlmsg_end(msg, hdr);
18214 
18215 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18216 				NL80211_MCGRP_MLME, gfp);
18217 	return;
18218 
18219  nla_put_failure:
18220 	nlmsg_free(msg);
18221 }
18222 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
18223 
18224 static int nl80211_netlink_notify(struct notifier_block * nb,
18225 				  unsigned long state,
18226 				  void *_notify)
18227 {
18228 	struct netlink_notify *notify = _notify;
18229 	struct cfg80211_registered_device *rdev;
18230 	struct wireless_dev *wdev;
18231 	struct cfg80211_beacon_registration *reg, *tmp;
18232 
18233 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
18234 		return NOTIFY_DONE;
18235 
18236 	rcu_read_lock();
18237 
18238 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
18239 		struct cfg80211_sched_scan_request *sched_scan_req;
18240 
18241 		list_for_each_entry_rcu(sched_scan_req,
18242 					&rdev->sched_scan_req_list,
18243 					list) {
18244 			if (sched_scan_req->owner_nlportid == notify->portid) {
18245 				sched_scan_req->nl_owner_dead = true;
18246 				schedule_work(&rdev->sched_scan_stop_wk);
18247 			}
18248 		}
18249 
18250 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
18251 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
18252 
18253 			if (wdev->owner_nlportid == notify->portid) {
18254 				wdev->nl_owner_dead = true;
18255 				schedule_work(&rdev->destroy_work);
18256 			} else if (wdev->conn_owner_nlportid == notify->portid) {
18257 				schedule_work(&wdev->disconnect_wk);
18258 			}
18259 
18260 			cfg80211_release_pmsr(wdev, notify->portid);
18261 		}
18262 
18263 		spin_lock_bh(&rdev->beacon_registrations_lock);
18264 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
18265 					 list) {
18266 			if (reg->nlportid == notify->portid) {
18267 				list_del(&reg->list);
18268 				kfree(reg);
18269 				break;
18270 			}
18271 		}
18272 		spin_unlock_bh(&rdev->beacon_registrations_lock);
18273 	}
18274 
18275 	rcu_read_unlock();
18276 
18277 	/*
18278 	 * It is possible that the user space process that is controlling the
18279 	 * indoor setting disappeared, so notify the regulatory core.
18280 	 */
18281 	regulatory_netlink_notify(notify->portid);
18282 	return NOTIFY_OK;
18283 }
18284 
18285 static struct notifier_block nl80211_netlink_notifier = {
18286 	.notifier_call = nl80211_netlink_notify,
18287 };
18288 
18289 void cfg80211_ft_event(struct net_device *netdev,
18290 		       struct cfg80211_ft_event_params *ft_event)
18291 {
18292 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
18293 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18294 	struct sk_buff *msg;
18295 	void *hdr;
18296 
18297 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
18298 
18299 	if (!ft_event->target_ap)
18300 		return;
18301 
18302 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
18303 			GFP_KERNEL);
18304 	if (!msg)
18305 		return;
18306 
18307 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
18308 	if (!hdr)
18309 		goto out;
18310 
18311 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18312 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18313 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
18314 		goto out;
18315 
18316 	if (ft_event->ies &&
18317 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
18318 		goto out;
18319 	if (ft_event->ric_ies &&
18320 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
18321 		    ft_event->ric_ies))
18322 		goto out;
18323 
18324 	genlmsg_end(msg, hdr);
18325 
18326 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18327 				NL80211_MCGRP_MLME, GFP_KERNEL);
18328 	return;
18329  out:
18330 	nlmsg_free(msg);
18331 }
18332 EXPORT_SYMBOL(cfg80211_ft_event);
18333 
18334 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
18335 {
18336 	struct cfg80211_registered_device *rdev;
18337 	struct sk_buff *msg;
18338 	void *hdr;
18339 	u32 nlportid;
18340 
18341 	rdev = wiphy_to_rdev(wdev->wiphy);
18342 	if (!rdev->crit_proto_nlportid)
18343 		return;
18344 
18345 	nlportid = rdev->crit_proto_nlportid;
18346 	rdev->crit_proto_nlportid = 0;
18347 
18348 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18349 	if (!msg)
18350 		return;
18351 
18352 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
18353 	if (!hdr)
18354 		goto nla_put_failure;
18355 
18356 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18357 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18358 			      NL80211_ATTR_PAD))
18359 		goto nla_put_failure;
18360 
18361 	genlmsg_end(msg, hdr);
18362 
18363 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18364 	return;
18365 
18366  nla_put_failure:
18367 	nlmsg_free(msg);
18368 }
18369 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
18370 
18371 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
18372 {
18373 	struct wiphy *wiphy = wdev->wiphy;
18374 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18375 	struct sk_buff *msg;
18376 	void *hdr;
18377 
18378 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18379 	if (!msg)
18380 		return;
18381 
18382 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
18383 	if (!hdr)
18384 		goto out;
18385 
18386 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18387 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
18388 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18389 			      NL80211_ATTR_PAD))
18390 		goto out;
18391 
18392 	genlmsg_end(msg, hdr);
18393 
18394 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
18395 				NL80211_MCGRP_MLME, GFP_KERNEL);
18396 	return;
18397  out:
18398 	nlmsg_free(msg);
18399 }
18400 
18401 int cfg80211_external_auth_request(struct net_device *dev,
18402 				   struct cfg80211_external_auth_params *params,
18403 				   gfp_t gfp)
18404 {
18405 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18406 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18407 	struct sk_buff *msg;
18408 	void *hdr;
18409 
18410 	if (!wdev->conn_owner_nlportid)
18411 		return -EINVAL;
18412 
18413 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18414 	if (!msg)
18415 		return -ENOMEM;
18416 
18417 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
18418 	if (!hdr)
18419 		goto nla_put_failure;
18420 
18421 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18422 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18423 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
18424 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
18425 			params->action) ||
18426 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
18427 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
18428 		    params->ssid.ssid))
18429 		goto nla_put_failure;
18430 
18431 	genlmsg_end(msg, hdr);
18432 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
18433 			wdev->conn_owner_nlportid);
18434 	return 0;
18435 
18436  nla_put_failure:
18437 	nlmsg_free(msg);
18438 	return -ENOBUFS;
18439 }
18440 EXPORT_SYMBOL(cfg80211_external_auth_request);
18441 
18442 void cfg80211_update_owe_info_event(struct net_device *netdev,
18443 				    struct cfg80211_update_owe_info *owe_info,
18444 				    gfp_t gfp)
18445 {
18446 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
18447 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18448 	struct sk_buff *msg;
18449 	void *hdr;
18450 
18451 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
18452 
18453 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18454 	if (!msg)
18455 		return;
18456 
18457 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
18458 	if (!hdr)
18459 		goto nla_put_failure;
18460 
18461 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18462 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18463 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
18464 		goto nla_put_failure;
18465 
18466 	if (!owe_info->ie_len ||
18467 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
18468 		goto nla_put_failure;
18469 
18470 	genlmsg_end(msg, hdr);
18471 
18472 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18473 				NL80211_MCGRP_MLME, gfp);
18474 	return;
18475 
18476 nla_put_failure:
18477 	genlmsg_cancel(msg, hdr);
18478 	nlmsg_free(msg);
18479 }
18480 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
18481 
18482 /* initialisation/exit functions */
18483 
18484 int __init nl80211_init(void)
18485 {
18486 	int err;
18487 
18488 	err = genl_register_family(&nl80211_fam);
18489 	if (err)
18490 		return err;
18491 
18492 	err = netlink_register_notifier(&nl80211_netlink_notifier);
18493 	if (err)
18494 		goto err_out;
18495 
18496 	return 0;
18497  err_out:
18498 	genl_unregister_family(&nl80211_fam);
18499 	return err;
18500 }
18501 
18502 void nl80211_exit(void)
18503 {
18504 	netlink_unregister_notifier(&nl80211_netlink_notifier);
18505 	genl_unregister_family(&nl80211_fam);
18506 }
18507