xref: /openbmc/linux/net/wireless/nl80211.c (revision fbb6b31a) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2022 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	unsigned int fixedlen, hdrlen;
233 	bool s1g_bcn;
234 
235 	if (len < offsetofend(typeof(*mgmt), frame_control))
236 		goto err;
237 
238 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239 	if (s1g_bcn) {
240 		fixedlen = offsetof(struct ieee80211_ext,
241 				    u.s1g_beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243 	} else {
244 		fixedlen = offsetof(struct ieee80211_mgmt,
245 				    u.beacon.variable);
246 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247 	}
248 
249 	if (len < fixedlen)
250 		goto err;
251 
252 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253 		goto err;
254 
255 	data += fixedlen;
256 	len -= fixedlen;
257 
258 	for_each_element(elem, data, len) {
259 		/* nothing */
260 	}
261 
262 	if (for_each_element_completed(elem, data, len))
263 		return 0;
264 
265 err:
266 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267 	return -EINVAL;
268 }
269 
270 static int validate_ie_attr(const struct nlattr *attr,
271 			    struct netlink_ext_ack *extack)
272 {
273 	const u8 *data = nla_data(attr);
274 	unsigned int len = nla_len(attr);
275 	const struct element *elem;
276 
277 	for_each_element(elem, data, len) {
278 		/* nothing */
279 	}
280 
281 	if (for_each_element_completed(elem, data, len))
282 		return 0;
283 
284 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285 	return -EINVAL;
286 }
287 
288 static int validate_he_capa(const struct nlattr *attr,
289 			    struct netlink_ext_ack *extack)
290 {
291 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
292 		return -EINVAL;
293 
294 	return 0;
295 }
296 
297 /* policy for the attributes */
298 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
299 
300 static const struct nla_policy
301 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
302 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
303 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
304 					.len = U8_MAX },
305 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
306 					     .len = U8_MAX },
307 };
308 
309 static const struct nla_policy
310 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
311 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
312 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
313 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
314 		NLA_POLICY_MAX(NLA_U8, 15),
315 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
316 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
317 		NLA_POLICY_MAX(NLA_U8, 15),
318 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
319 		NLA_POLICY_MAX(NLA_U8, 31),
320 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
321 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
322 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
323 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
324 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
325 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
326 };
327 
328 static const struct nla_policy
329 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
330 	[NL80211_PMSR_TYPE_FTM] =
331 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
332 };
333 
334 static const struct nla_policy
335 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
336 	[NL80211_PMSR_REQ_ATTR_DATA] =
337 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
338 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
339 };
340 
341 static const struct nla_policy
342 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
343 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
344 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
345 	[NL80211_PMSR_PEER_ATTR_REQ] =
346 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
347 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
348 };
349 
350 static const struct nla_policy
351 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
352 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
353 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
354 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
355 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
356 	[NL80211_PMSR_ATTR_PEERS] =
357 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
358 };
359 
360 static const struct nla_policy
361 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
362 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
363 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
364 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
365 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
366 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
367 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
368 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
369 		NLA_POLICY_EXACT_LEN(8),
370 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
371 		NLA_POLICY_EXACT_LEN(8),
372 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
373 };
374 
375 static const struct nla_policy
376 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
377 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
378 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
379 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
380 };
381 
382 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
383 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
384 				    .len = NL80211_MAX_SUPP_RATES },
385 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
386 				.len = NL80211_MAX_SUPP_HT_RATES },
387 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
388 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
389 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
390 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
391 						   NL80211_RATE_INFO_HE_GI_0_8,
392 						   NL80211_RATE_INFO_HE_GI_3_2),
393 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
394 						   NL80211_RATE_INFO_HE_1XLTF,
395 						   NL80211_RATE_INFO_HE_4XLTF),
396 };
397 
398 static const struct nla_policy
399 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
400 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
401 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
402 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
403 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
404 	[NL80211_TID_CONFIG_ATTR_NOACK] =
405 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
406 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
407 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
408 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
409 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
410 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
411 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
412 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
413 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
414 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
415 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
416 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
417 			NLA_POLICY_NESTED(nl80211_txattr_policy),
418 };
419 
420 static const struct nla_policy
421 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
422 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
423 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
424 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
425 			NLA_POLICY_RANGE(NLA_BINARY,
426 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
427 					 IEEE80211_MAX_DATA_LEN),
428 };
429 
430 static const struct nla_policy
431 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
432 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
433 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
434 						       .len = IEEE80211_MAX_DATA_LEN }
435 };
436 
437 static const struct nla_policy
438 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
439 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
440 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
441 };
442 
443 static const struct nla_policy
444 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
445 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
446 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
447 };
448 
449 static const struct nla_policy
450 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
451 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
452 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
453 						NLA_POLICY_MIN(NLA_U8, 1),
454 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
455 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
456 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
457 };
458 
459 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
460 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
461 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
462 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
463 				      .len = 20-1 },
464 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
465 
466 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
467 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
468 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
469 						NL80211_EDMG_CHANNELS_MIN,
470 						NL80211_EDMG_CHANNELS_MAX),
471 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
472 						NL80211_EDMG_BW_CONFIG_MIN,
473 						NL80211_EDMG_BW_CONFIG_MAX),
474 
475 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
476 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
477 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
478 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
479 
480 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
481 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
482 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
483 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
484 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
485 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
486 
487 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
488 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
489 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
490 
491 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
492 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
493 
494 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
495 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
496 				    .len = WLAN_MAX_KEY_LEN },
497 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
498 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
499 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
500 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
501 	[NL80211_ATTR_KEY_TYPE] =
502 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
503 
504 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
505 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
506 	[NL80211_ATTR_BEACON_HEAD] =
507 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
508 				       IEEE80211_MAX_DATA_LEN),
509 	[NL80211_ATTR_BEACON_TAIL] =
510 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
511 				       IEEE80211_MAX_DATA_LEN),
512 	[NL80211_ATTR_STA_AID] =
513 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
514 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
515 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
516 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
517 					       .len = NL80211_MAX_SUPP_RATES },
518 	[NL80211_ATTR_STA_PLINK_ACTION] =
519 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
520 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
521 		NLA_POLICY_RANGE(NLA_U8,
522 				 NL80211_TX_POWER_AUTOMATIC,
523 				 NL80211_TX_POWER_FIXED),
524 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
525 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
526 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
527 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
528 				   .len = IEEE80211_MAX_MESH_ID_LEN },
529 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
530 
531 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
532 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
533 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
534 
535 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
536 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
537 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
538 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
539 					   .len = NL80211_MAX_SUPP_RATES },
540 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
541 
542 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
543 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
544 
545 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
546 
547 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
548 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
549 						   validate_ie_attr,
550 						   IEEE80211_MAX_DATA_LEN),
551 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
552 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
553 
554 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
555 				.len = IEEE80211_MAX_SSID_LEN },
556 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
557 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
558 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
559 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
560 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
561 						  NL80211_MFP_NO,
562 						  NL80211_MFP_OPTIONAL),
563 	[NL80211_ATTR_STA_FLAGS2] = {
564 		.len = sizeof(struct nl80211_sta_flag_update),
565 	},
566 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
567 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
568 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
569 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
570 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
571 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
572 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
573 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
574 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
575 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
576 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
577 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
578 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
579 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
580 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
581 				 .len = IEEE80211_MAX_DATA_LEN },
582 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
583 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
584 						   NL80211_PS_DISABLED,
585 						   NL80211_PS_ENABLED),
586 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
587 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
588 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
589 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
590 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
591 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
592 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
593 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
594 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
595 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
596 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
597 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
598 	[NL80211_ATTR_STA_PLINK_STATE] =
599 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
600 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
601 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
602 	[NL80211_ATTR_MESH_PEER_AID] =
603 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
604 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
605 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
606 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
607 	[NL80211_ATTR_HIDDEN_SSID] =
608 		NLA_POLICY_RANGE(NLA_U32,
609 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
610 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
611 	[NL80211_ATTR_IE_PROBE_RESP] =
612 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
613 				       IEEE80211_MAX_DATA_LEN),
614 	[NL80211_ATTR_IE_ASSOC_RESP] =
615 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
616 				       IEEE80211_MAX_DATA_LEN),
617 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
618 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
619 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
620 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
621 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
622 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
623 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
624 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
625 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
626 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
627 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
628 				      .len = IEEE80211_MAX_DATA_LEN },
629 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
630 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
631 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
632 		.len = NL80211_HT_CAPABILITY_LEN
633 	},
634 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
635 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
636 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
637 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
638 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
639 
640 	/* need to include at least Auth Transaction and Status Code */
641 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
642 
643 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
644 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
645 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
646 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
647 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
648 		NLA_POLICY_RANGE(NLA_U32,
649 				 NL80211_MESH_POWER_UNKNOWN + 1,
650 				 NL80211_MESH_POWER_MAX),
651 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
652 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
653 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
654 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
655 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
656 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
657 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
658 		.len = NL80211_VHT_CAPABILITY_LEN,
659 	},
660 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
661 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
662 				  .len = IEEE80211_MAX_DATA_LEN },
663 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
664 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
665 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
666 	[NL80211_ATTR_PEER_AID] =
667 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
668 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
669 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
670 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
671 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
672 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
673 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
674 	/*
675 	 * The value of the Length field of the Supported Operating
676 	 * Classes element is between 2 and 253.
677 	 */
678 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
679 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
680 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
681 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
682 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
683 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
684 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
685 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
686 						  IEEE80211_QOS_MAP_LEN_MIN,
687 						  IEEE80211_QOS_MAP_LEN_MAX),
688 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
689 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
690 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
691 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
692 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
693 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
694 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
695 	[NL80211_ATTR_USER_PRIO] =
696 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
697 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
698 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
699 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
700 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
701 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
702 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
703 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
704 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
705 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
706 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
707 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
708 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
709 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
710 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
711 	},
712 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
713 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
714 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
715 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
716 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
717 				    .len = FILS_MAX_KEK_LEN },
718 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
719 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
720 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
721 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
722 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
723 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
724 	},
725 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
726 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
727 					     .len = FILS_ERP_MAX_USERNAME_LEN },
728 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
729 					  .len = FILS_ERP_MAX_REALM_LEN },
730 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
731 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
732 					.len = FILS_ERP_MAX_RRK_LEN },
733 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
734 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
735 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
736 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
737 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
738 
739 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
740 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
741 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
742 	[NL80211_ATTR_HE_CAPABILITY] =
743 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
744 				       NL80211_HE_MAX_CAPABILITY_LEN),
745 	[NL80211_ATTR_FTM_RESPONDER] =
746 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
747 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
748 	[NL80211_ATTR_PEER_MEASUREMENTS] =
749 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
750 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
751 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
752 					.len = SAE_PASSWORD_MAX_LEN },
753 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
754 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
755 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
756 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
757 	[NL80211_ATTR_TID_CONFIG] =
758 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
759 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
760 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
761 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
762 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
763 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
764 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
765 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
766 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
767 	[NL80211_ATTR_FILS_DISCOVERY] =
768 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
769 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
770 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
771 	[NL80211_ATTR_S1G_CAPABILITY] =
772 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
773 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
774 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
775 	[NL80211_ATTR_SAE_PWE] =
776 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
777 				 NL80211_SAE_PWE_BOTH),
778 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
779 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
780 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
781 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
782 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
783 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
784 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
785 	[NL80211_ATTR_MBSSID_CONFIG] =
786 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
787 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
788 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
789 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
790 	[NL80211_ATTR_EHT_CAPABILITY] =
791 		NLA_POLICY_RANGE(NLA_BINARY,
792 				 NL80211_EHT_MIN_CAPABILITY_LEN,
793 				 NL80211_EHT_MAX_CAPABILITY_LEN),
794 };
795 
796 /* policy for the key attributes */
797 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
798 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
799 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
800 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
801 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
802 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
803 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
804 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
805 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
806 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
807 };
808 
809 /* policy for the key default flags */
810 static const struct nla_policy
811 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
812 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
813 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
814 };
815 
816 #ifdef CONFIG_PM
817 /* policy for WoWLAN attributes */
818 static const struct nla_policy
819 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
820 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
821 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
822 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
823 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
824 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
825 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
826 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
827 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
828 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
829 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
830 };
831 
832 static const struct nla_policy
833 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
834 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
835 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
836 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
837 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
838 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
839 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
840 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
841 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
842 	},
843 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
844 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
845 	},
846 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
847 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
848 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
849 };
850 #endif /* CONFIG_PM */
851 
852 /* policy for coalesce rule attributes */
853 static const struct nla_policy
854 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
855 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
856 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
857 		NLA_POLICY_RANGE(NLA_U32,
858 				 NL80211_COALESCE_CONDITION_MATCH,
859 				 NL80211_COALESCE_CONDITION_NO_MATCH),
860 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
861 };
862 
863 /* policy for GTK rekey offload attributes */
864 static const struct nla_policy
865 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
866 	[NL80211_REKEY_DATA_KEK] = {
867 		.type = NLA_BINARY,
868 		.len = NL80211_KEK_EXT_LEN
869 	},
870 	[NL80211_REKEY_DATA_KCK] = {
871 		.type = NLA_BINARY,
872 		.len = NL80211_KCK_EXT_LEN
873 	},
874 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
875 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
876 };
877 
878 static const struct nla_policy
879 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
880 	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
881 	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
882 	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
883 	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
884 	[NL80211_BAND_LC]    = { .type = NLA_S32 },
885 };
886 
887 static const struct nla_policy
888 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
889 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
890 						 .len = IEEE80211_MAX_SSID_LEN },
891 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
892 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
893 	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
894 		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
895 };
896 
897 static const struct nla_policy
898 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
899 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
900 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
901 };
902 
903 static const struct nla_policy
904 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
905 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
906 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
907 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
908 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
909 	},
910 };
911 
912 /* policy for NAN function attributes */
913 static const struct nla_policy
914 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
915 	[NL80211_NAN_FUNC_TYPE] =
916 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
917 	[NL80211_NAN_FUNC_SERVICE_ID] = {
918 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
919 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
920 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
921 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
922 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
923 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
924 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
925 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
926 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
927 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
928 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
929 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
930 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
931 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
932 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
933 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
934 };
935 
936 /* policy for Service Response Filter attributes */
937 static const struct nla_policy
938 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
939 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
940 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
941 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
942 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
943 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
944 };
945 
946 /* policy for packet pattern attributes */
947 static const struct nla_policy
948 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
949 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
950 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
951 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
952 };
953 
954 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
955 				     struct cfg80211_registered_device **rdev,
956 				     struct wireless_dev **wdev,
957 				     struct nlattr **attrbuf)
958 {
959 	int err;
960 
961 	if (!cb->args[0]) {
962 		struct nlattr **attrbuf_free = NULL;
963 
964 		if (!attrbuf) {
965 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
966 					  GFP_KERNEL);
967 			if (!attrbuf)
968 				return -ENOMEM;
969 			attrbuf_free = attrbuf;
970 		}
971 
972 		err = nlmsg_parse_deprecated(cb->nlh,
973 					     GENL_HDRLEN + nl80211_fam.hdrsize,
974 					     attrbuf, nl80211_fam.maxattr,
975 					     nl80211_policy, NULL);
976 		if (err) {
977 			kfree(attrbuf_free);
978 			return err;
979 		}
980 
981 		rtnl_lock();
982 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
983 						   attrbuf);
984 		kfree(attrbuf_free);
985 		if (IS_ERR(*wdev)) {
986 			rtnl_unlock();
987 			return PTR_ERR(*wdev);
988 		}
989 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
990 		mutex_lock(&(*rdev)->wiphy.mtx);
991 		rtnl_unlock();
992 		/* 0 is the first index - add 1 to parse only once */
993 		cb->args[0] = (*rdev)->wiphy_idx + 1;
994 		cb->args[1] = (*wdev)->identifier;
995 	} else {
996 		/* subtract the 1 again here */
997 		struct wiphy *wiphy;
998 		struct wireless_dev *tmp;
999 
1000 		rtnl_lock();
1001 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1002 		if (!wiphy) {
1003 			rtnl_unlock();
1004 			return -ENODEV;
1005 		}
1006 		*rdev = wiphy_to_rdev(wiphy);
1007 		*wdev = NULL;
1008 
1009 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1010 			if (tmp->identifier == cb->args[1]) {
1011 				*wdev = tmp;
1012 				break;
1013 			}
1014 		}
1015 
1016 		if (!*wdev) {
1017 			rtnl_unlock();
1018 			return -ENODEV;
1019 		}
1020 		mutex_lock(&(*rdev)->wiphy.mtx);
1021 		rtnl_unlock();
1022 	}
1023 
1024 	return 0;
1025 }
1026 
1027 /* message building helper */
1028 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1029 		     int flags, u8 cmd)
1030 {
1031 	/* since there is no private header just add the generic one */
1032 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1033 }
1034 
1035 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1036 				     const struct ieee80211_reg_rule *rule)
1037 {
1038 	int j;
1039 	struct nlattr *nl_wmm_rules =
1040 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1041 
1042 	if (!nl_wmm_rules)
1043 		goto nla_put_failure;
1044 
1045 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1046 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1047 
1048 		if (!nl_wmm_rule)
1049 			goto nla_put_failure;
1050 
1051 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1052 				rule->wmm_rule.client[j].cw_min) ||
1053 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1054 				rule->wmm_rule.client[j].cw_max) ||
1055 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1056 			       rule->wmm_rule.client[j].aifsn) ||
1057 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1058 			        rule->wmm_rule.client[j].cot))
1059 			goto nla_put_failure;
1060 
1061 		nla_nest_end(msg, nl_wmm_rule);
1062 	}
1063 	nla_nest_end(msg, nl_wmm_rules);
1064 
1065 	return 0;
1066 
1067 nla_put_failure:
1068 	return -ENOBUFS;
1069 }
1070 
1071 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1072 				   struct ieee80211_channel *chan,
1073 				   bool large)
1074 {
1075 	/* Some channels must be completely excluded from the
1076 	 * list to protect old user-space tools from breaking
1077 	 */
1078 	if (!large && chan->flags &
1079 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1080 		return 0;
1081 	if (!large && chan->freq_offset)
1082 		return 0;
1083 
1084 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1085 			chan->center_freq))
1086 		goto nla_put_failure;
1087 
1088 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1089 		goto nla_put_failure;
1090 
1091 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1092 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1093 		goto nla_put_failure;
1094 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1095 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1096 			goto nla_put_failure;
1097 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1098 			goto nla_put_failure;
1099 	}
1100 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1101 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1102 			goto nla_put_failure;
1103 		if (large) {
1104 			u32 time;
1105 
1106 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1107 
1108 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1109 					chan->dfs_state))
1110 				goto nla_put_failure;
1111 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1112 					time))
1113 				goto nla_put_failure;
1114 			if (nla_put_u32(msg,
1115 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1116 					chan->dfs_cac_ms))
1117 				goto nla_put_failure;
1118 		}
1119 	}
1120 
1121 	if (large) {
1122 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1123 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1124 			goto nla_put_failure;
1125 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1126 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1127 			goto nla_put_failure;
1128 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1129 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1130 			goto nla_put_failure;
1131 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1132 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1133 			goto nla_put_failure;
1134 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1135 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1136 			goto nla_put_failure;
1137 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1138 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1139 			goto nla_put_failure;
1140 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1141 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1142 			goto nla_put_failure;
1143 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1144 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1145 			goto nla_put_failure;
1146 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1147 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1148 			goto nla_put_failure;
1149 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1150 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1151 			goto nla_put_failure;
1152 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1153 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1154 			goto nla_put_failure;
1155 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1156 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1157 			goto nla_put_failure;
1158 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1159 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1160 			goto nla_put_failure;
1161 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1162 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1163 			goto nla_put_failure;
1164 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1165 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1166 			goto nla_put_failure;
1167 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1168 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1169 			goto nla_put_failure;
1170 	}
1171 
1172 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1173 			DBM_TO_MBM(chan->max_power)))
1174 		goto nla_put_failure;
1175 
1176 	if (large) {
1177 		const struct ieee80211_reg_rule *rule =
1178 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1179 
1180 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1181 			if (nl80211_msg_put_wmm_rules(msg, rule))
1182 				goto nla_put_failure;
1183 		}
1184 	}
1185 
1186 	return 0;
1187 
1188  nla_put_failure:
1189 	return -ENOBUFS;
1190 }
1191 
1192 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1193 				  struct cfg80211_txq_stats *txqstats,
1194 				  int attrtype)
1195 {
1196 	struct nlattr *txqattr;
1197 
1198 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1199 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1200 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1201 		return false;						  \
1202 	} while (0)
1203 
1204 	txqattr = nla_nest_start_noflag(msg, attrtype);
1205 	if (!txqattr)
1206 		return false;
1207 
1208 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1209 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1210 	PUT_TXQVAL_U32(FLOWS, flows);
1211 	PUT_TXQVAL_U32(DROPS, drops);
1212 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1213 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1214 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1215 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1216 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1217 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1218 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1219 	nla_nest_end(msg, txqattr);
1220 
1221 #undef PUT_TXQVAL_U32
1222 	return true;
1223 }
1224 
1225 /* netlink command implementations */
1226 
1227 struct key_parse {
1228 	struct key_params p;
1229 	int idx;
1230 	int type;
1231 	bool def, defmgmt, defbeacon;
1232 	bool def_uni, def_multi;
1233 };
1234 
1235 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1236 				 struct key_parse *k)
1237 {
1238 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1239 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1240 					      nl80211_key_policy,
1241 					      info->extack);
1242 	if (err)
1243 		return err;
1244 
1245 	k->def = !!tb[NL80211_KEY_DEFAULT];
1246 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1247 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1248 
1249 	if (k->def) {
1250 		k->def_uni = true;
1251 		k->def_multi = true;
1252 	}
1253 	if (k->defmgmt || k->defbeacon)
1254 		k->def_multi = true;
1255 
1256 	if (tb[NL80211_KEY_IDX])
1257 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1258 
1259 	if (tb[NL80211_KEY_DATA]) {
1260 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1261 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1262 	}
1263 
1264 	if (tb[NL80211_KEY_SEQ]) {
1265 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1266 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1267 	}
1268 
1269 	if (tb[NL80211_KEY_CIPHER])
1270 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1271 
1272 	if (tb[NL80211_KEY_TYPE])
1273 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1274 
1275 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1276 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1277 
1278 		err = nla_parse_nested_deprecated(kdt,
1279 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1280 						  tb[NL80211_KEY_DEFAULT_TYPES],
1281 						  nl80211_key_default_policy,
1282 						  info->extack);
1283 		if (err)
1284 			return err;
1285 
1286 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1287 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1288 	}
1289 
1290 	if (tb[NL80211_KEY_MODE])
1291 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1292 
1293 	return 0;
1294 }
1295 
1296 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1297 {
1298 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1299 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1300 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1301 	}
1302 
1303 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1304 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1305 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1306 	}
1307 
1308 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1309 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1310 
1311 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1312 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1313 
1314 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1315 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1316 
1317 	if (k->def) {
1318 		k->def_uni = true;
1319 		k->def_multi = true;
1320 	}
1321 	if (k->defmgmt)
1322 		k->def_multi = true;
1323 
1324 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1325 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1326 
1327 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1328 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1329 		int err = nla_parse_nested_deprecated(kdt,
1330 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1331 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1332 						      nl80211_key_default_policy,
1333 						      info->extack);
1334 		if (err)
1335 			return err;
1336 
1337 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1338 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1339 	}
1340 
1341 	return 0;
1342 }
1343 
1344 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1345 {
1346 	int err;
1347 
1348 	memset(k, 0, sizeof(*k));
1349 	k->idx = -1;
1350 	k->type = -1;
1351 
1352 	if (info->attrs[NL80211_ATTR_KEY])
1353 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1354 	else
1355 		err = nl80211_parse_key_old(info, k);
1356 
1357 	if (err)
1358 		return err;
1359 
1360 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1361 	    (k->defbeacon ? 1 : 0) > 1) {
1362 		GENL_SET_ERR_MSG(info,
1363 				 "key with multiple default flags is invalid");
1364 		return -EINVAL;
1365 	}
1366 
1367 	if (k->defmgmt || k->defbeacon) {
1368 		if (k->def_uni || !k->def_multi) {
1369 			GENL_SET_ERR_MSG(info,
1370 					 "defmgmt/defbeacon key must be mcast");
1371 			return -EINVAL;
1372 		}
1373 	}
1374 
1375 	if (k->idx != -1) {
1376 		if (k->defmgmt) {
1377 			if (k->idx < 4 || k->idx > 5) {
1378 				GENL_SET_ERR_MSG(info,
1379 						 "defmgmt key idx not 4 or 5");
1380 				return -EINVAL;
1381 			}
1382 		} else if (k->defbeacon) {
1383 			if (k->idx < 6 || k->idx > 7) {
1384 				GENL_SET_ERR_MSG(info,
1385 						 "defbeacon key idx not 6 or 7");
1386 				return -EINVAL;
1387 			}
1388 		} else if (k->def) {
1389 			if (k->idx < 0 || k->idx > 3) {
1390 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1391 				return -EINVAL;
1392 			}
1393 		} else {
1394 			if (k->idx < 0 || k->idx > 7) {
1395 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1396 				return -EINVAL;
1397 			}
1398 		}
1399 	}
1400 
1401 	return 0;
1402 }
1403 
1404 static struct cfg80211_cached_keys *
1405 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1406 		       struct genl_info *info, bool *no_ht)
1407 {
1408 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1409 	struct key_parse parse;
1410 	struct nlattr *key;
1411 	struct cfg80211_cached_keys *result;
1412 	int rem, err, def = 0;
1413 	bool have_key = false;
1414 
1415 	nla_for_each_nested(key, keys, rem) {
1416 		have_key = true;
1417 		break;
1418 	}
1419 
1420 	if (!have_key)
1421 		return NULL;
1422 
1423 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1424 	if (!result)
1425 		return ERR_PTR(-ENOMEM);
1426 
1427 	result->def = -1;
1428 
1429 	nla_for_each_nested(key, keys, rem) {
1430 		memset(&parse, 0, sizeof(parse));
1431 		parse.idx = -1;
1432 
1433 		err = nl80211_parse_key_new(info, key, &parse);
1434 		if (err)
1435 			goto error;
1436 		err = -EINVAL;
1437 		if (!parse.p.key)
1438 			goto error;
1439 		if (parse.idx < 0 || parse.idx > 3) {
1440 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1441 			goto error;
1442 		}
1443 		if (parse.def) {
1444 			if (def) {
1445 				GENL_SET_ERR_MSG(info,
1446 						 "only one key can be default");
1447 				goto error;
1448 			}
1449 			def = 1;
1450 			result->def = parse.idx;
1451 			if (!parse.def_uni || !parse.def_multi)
1452 				goto error;
1453 		} else if (parse.defmgmt)
1454 			goto error;
1455 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1456 						     parse.idx, false, NULL);
1457 		if (err)
1458 			goto error;
1459 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1460 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1461 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1462 			err = -EINVAL;
1463 			goto error;
1464 		}
1465 		result->params[parse.idx].cipher = parse.p.cipher;
1466 		result->params[parse.idx].key_len = parse.p.key_len;
1467 		result->params[parse.idx].key = result->data[parse.idx];
1468 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1469 
1470 		/* must be WEP key if we got here */
1471 		if (no_ht)
1472 			*no_ht = true;
1473 	}
1474 
1475 	if (result->def < 0) {
1476 		err = -EINVAL;
1477 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1478 		goto error;
1479 	}
1480 
1481 	return result;
1482  error:
1483 	kfree(result);
1484 	return ERR_PTR(err);
1485 }
1486 
1487 static int nl80211_key_allowed(struct wireless_dev *wdev)
1488 {
1489 	ASSERT_WDEV_LOCK(wdev);
1490 
1491 	switch (wdev->iftype) {
1492 	case NL80211_IFTYPE_AP:
1493 	case NL80211_IFTYPE_AP_VLAN:
1494 	case NL80211_IFTYPE_P2P_GO:
1495 	case NL80211_IFTYPE_MESH_POINT:
1496 		break;
1497 	case NL80211_IFTYPE_ADHOC:
1498 	case NL80211_IFTYPE_STATION:
1499 	case NL80211_IFTYPE_P2P_CLIENT:
1500 		if (!wdev->current_bss)
1501 			return -ENOLINK;
1502 		break;
1503 	case NL80211_IFTYPE_UNSPECIFIED:
1504 	case NL80211_IFTYPE_OCB:
1505 	case NL80211_IFTYPE_MONITOR:
1506 	case NL80211_IFTYPE_NAN:
1507 	case NL80211_IFTYPE_P2P_DEVICE:
1508 	case NL80211_IFTYPE_WDS:
1509 	case NUM_NL80211_IFTYPES:
1510 		return -EINVAL;
1511 	}
1512 
1513 	return 0;
1514 }
1515 
1516 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1517 							u32 freq)
1518 {
1519 	struct ieee80211_channel *chan;
1520 
1521 	chan = ieee80211_get_channel_khz(wiphy, freq);
1522 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1523 		return NULL;
1524 	return chan;
1525 }
1526 
1527 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1528 {
1529 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1530 	int i;
1531 
1532 	if (!nl_modes)
1533 		goto nla_put_failure;
1534 
1535 	i = 0;
1536 	while (ifmodes) {
1537 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1538 			goto nla_put_failure;
1539 		ifmodes >>= 1;
1540 		i++;
1541 	}
1542 
1543 	nla_nest_end(msg, nl_modes);
1544 	return 0;
1545 
1546 nla_put_failure:
1547 	return -ENOBUFS;
1548 }
1549 
1550 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1551 					  struct sk_buff *msg,
1552 					  bool large)
1553 {
1554 	struct nlattr *nl_combis;
1555 	int i, j;
1556 
1557 	nl_combis = nla_nest_start_noflag(msg,
1558 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1559 	if (!nl_combis)
1560 		goto nla_put_failure;
1561 
1562 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1563 		const struct ieee80211_iface_combination *c;
1564 		struct nlattr *nl_combi, *nl_limits;
1565 
1566 		c = &wiphy->iface_combinations[i];
1567 
1568 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1569 		if (!nl_combi)
1570 			goto nla_put_failure;
1571 
1572 		nl_limits = nla_nest_start_noflag(msg,
1573 						  NL80211_IFACE_COMB_LIMITS);
1574 		if (!nl_limits)
1575 			goto nla_put_failure;
1576 
1577 		for (j = 0; j < c->n_limits; j++) {
1578 			struct nlattr *nl_limit;
1579 
1580 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1581 			if (!nl_limit)
1582 				goto nla_put_failure;
1583 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1584 					c->limits[j].max))
1585 				goto nla_put_failure;
1586 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1587 						c->limits[j].types))
1588 				goto nla_put_failure;
1589 			nla_nest_end(msg, nl_limit);
1590 		}
1591 
1592 		nla_nest_end(msg, nl_limits);
1593 
1594 		if (c->beacon_int_infra_match &&
1595 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1596 			goto nla_put_failure;
1597 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1598 				c->num_different_channels) ||
1599 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1600 				c->max_interfaces))
1601 			goto nla_put_failure;
1602 		if (large &&
1603 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1604 				c->radar_detect_widths) ||
1605 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1606 				c->radar_detect_regions)))
1607 			goto nla_put_failure;
1608 		if (c->beacon_int_min_gcd &&
1609 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1610 				c->beacon_int_min_gcd))
1611 			goto nla_put_failure;
1612 
1613 		nla_nest_end(msg, nl_combi);
1614 	}
1615 
1616 	nla_nest_end(msg, nl_combis);
1617 
1618 	return 0;
1619 nla_put_failure:
1620 	return -ENOBUFS;
1621 }
1622 
1623 #ifdef CONFIG_PM
1624 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1625 					struct sk_buff *msg)
1626 {
1627 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1628 	struct nlattr *nl_tcp;
1629 
1630 	if (!tcp)
1631 		return 0;
1632 
1633 	nl_tcp = nla_nest_start_noflag(msg,
1634 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1635 	if (!nl_tcp)
1636 		return -ENOBUFS;
1637 
1638 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1639 			tcp->data_payload_max))
1640 		return -ENOBUFS;
1641 
1642 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1643 			tcp->data_payload_max))
1644 		return -ENOBUFS;
1645 
1646 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1647 		return -ENOBUFS;
1648 
1649 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1650 				sizeof(*tcp->tok), tcp->tok))
1651 		return -ENOBUFS;
1652 
1653 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1654 			tcp->data_interval_max))
1655 		return -ENOBUFS;
1656 
1657 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1658 			tcp->wake_payload_max))
1659 		return -ENOBUFS;
1660 
1661 	nla_nest_end(msg, nl_tcp);
1662 	return 0;
1663 }
1664 
1665 static int nl80211_send_wowlan(struct sk_buff *msg,
1666 			       struct cfg80211_registered_device *rdev,
1667 			       bool large)
1668 {
1669 	struct nlattr *nl_wowlan;
1670 
1671 	if (!rdev->wiphy.wowlan)
1672 		return 0;
1673 
1674 	nl_wowlan = nla_nest_start_noflag(msg,
1675 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1676 	if (!nl_wowlan)
1677 		return -ENOBUFS;
1678 
1679 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1680 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1681 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1682 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1683 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1684 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1685 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1686 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1687 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1688 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1689 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1690 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1691 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1692 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1693 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1694 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1695 		return -ENOBUFS;
1696 
1697 	if (rdev->wiphy.wowlan->n_patterns) {
1698 		struct nl80211_pattern_support pat = {
1699 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1700 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1701 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1702 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1703 		};
1704 
1705 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1706 			    sizeof(pat), &pat))
1707 			return -ENOBUFS;
1708 	}
1709 
1710 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1711 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1712 			rdev->wiphy.wowlan->max_nd_match_sets))
1713 		return -ENOBUFS;
1714 
1715 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1716 		return -ENOBUFS;
1717 
1718 	nla_nest_end(msg, nl_wowlan);
1719 
1720 	return 0;
1721 }
1722 #endif
1723 
1724 static int nl80211_send_coalesce(struct sk_buff *msg,
1725 				 struct cfg80211_registered_device *rdev)
1726 {
1727 	struct nl80211_coalesce_rule_support rule;
1728 
1729 	if (!rdev->wiphy.coalesce)
1730 		return 0;
1731 
1732 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1733 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1734 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1735 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1736 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1737 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1738 
1739 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1740 		return -ENOBUFS;
1741 
1742 	return 0;
1743 }
1744 
1745 static int
1746 nl80211_send_iftype_data(struct sk_buff *msg,
1747 			 const struct ieee80211_supported_band *sband,
1748 			 const struct ieee80211_sband_iftype_data *iftdata)
1749 {
1750 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1751 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1752 
1753 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1754 				iftdata->types_mask))
1755 		return -ENOBUFS;
1756 
1757 	if (he_cap->has_he) {
1758 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1759 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1760 			    he_cap->he_cap_elem.mac_cap_info) ||
1761 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1762 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1763 			    he_cap->he_cap_elem.phy_cap_info) ||
1764 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1765 			    sizeof(he_cap->he_mcs_nss_supp),
1766 			    &he_cap->he_mcs_nss_supp) ||
1767 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1768 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1769 			return -ENOBUFS;
1770 	}
1771 
1772 	if (eht_cap->has_eht && he_cap->has_he) {
1773 		u8 mcs_nss_size, ppe_thresh_size;
1774 		u16 ppe_thres_hdr;
1775 
1776 		mcs_nss_size =
1777 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
1778 						   &eht_cap->eht_cap_elem);
1779 
1780 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
1781 		ppe_thresh_size =
1782 			ieee80211_eht_ppe_size(ppe_thres_hdr,
1783 					       eht_cap->eht_cap_elem.phy_cap_info);
1784 
1785 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
1786 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
1787 			    eht_cap->eht_cap_elem.mac_cap_info) ||
1788 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
1789 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
1790 			    eht_cap->eht_cap_elem.phy_cap_info) ||
1791 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
1792 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
1793 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
1794 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
1795 			return -ENOBUFS;
1796 	}
1797 
1798 	if (sband->band == NL80211_BAND_6GHZ &&
1799 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1800 		    sizeof(iftdata->he_6ghz_capa),
1801 		    &iftdata->he_6ghz_capa))
1802 		return -ENOBUFS;
1803 
1804 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1805 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1806 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1807 		return -ENOBUFS;
1808 
1809 	return 0;
1810 }
1811 
1812 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1813 				      struct ieee80211_supported_band *sband,
1814 				      bool large)
1815 {
1816 	struct nlattr *nl_rates, *nl_rate;
1817 	struct ieee80211_rate *rate;
1818 	int i;
1819 
1820 	/* add HT info */
1821 	if (sband->ht_cap.ht_supported &&
1822 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1823 		     sizeof(sband->ht_cap.mcs),
1824 		     &sband->ht_cap.mcs) ||
1825 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1826 			 sband->ht_cap.cap) ||
1827 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1828 			sband->ht_cap.ampdu_factor) ||
1829 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1830 			sband->ht_cap.ampdu_density)))
1831 		return -ENOBUFS;
1832 
1833 	/* add VHT info */
1834 	if (sband->vht_cap.vht_supported &&
1835 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1836 		     sizeof(sband->vht_cap.vht_mcs),
1837 		     &sband->vht_cap.vht_mcs) ||
1838 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1839 			 sband->vht_cap.cap)))
1840 		return -ENOBUFS;
1841 
1842 	if (large && sband->n_iftype_data) {
1843 		struct nlattr *nl_iftype_data =
1844 			nla_nest_start_noflag(msg,
1845 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1846 		int err;
1847 
1848 		if (!nl_iftype_data)
1849 			return -ENOBUFS;
1850 
1851 		for (i = 0; i < sband->n_iftype_data; i++) {
1852 			struct nlattr *iftdata;
1853 
1854 			iftdata = nla_nest_start_noflag(msg, i + 1);
1855 			if (!iftdata)
1856 				return -ENOBUFS;
1857 
1858 			err = nl80211_send_iftype_data(msg, sband,
1859 						       &sband->iftype_data[i]);
1860 			if (err)
1861 				return err;
1862 
1863 			nla_nest_end(msg, iftdata);
1864 		}
1865 
1866 		nla_nest_end(msg, nl_iftype_data);
1867 	}
1868 
1869 	/* add EDMG info */
1870 	if (large && sband->edmg_cap.channels &&
1871 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1872 		       sband->edmg_cap.channels) ||
1873 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1874 		       sband->edmg_cap.bw_config)))
1875 
1876 		return -ENOBUFS;
1877 
1878 	/* add bitrates */
1879 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1880 	if (!nl_rates)
1881 		return -ENOBUFS;
1882 
1883 	for (i = 0; i < sband->n_bitrates; i++) {
1884 		nl_rate = nla_nest_start_noflag(msg, i);
1885 		if (!nl_rate)
1886 			return -ENOBUFS;
1887 
1888 		rate = &sband->bitrates[i];
1889 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1890 				rate->bitrate))
1891 			return -ENOBUFS;
1892 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1893 		    nla_put_flag(msg,
1894 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1895 			return -ENOBUFS;
1896 
1897 		nla_nest_end(msg, nl_rate);
1898 	}
1899 
1900 	nla_nest_end(msg, nl_rates);
1901 
1902 	return 0;
1903 }
1904 
1905 static int
1906 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1907 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1908 {
1909 	u16 stypes;
1910 	struct nlattr *nl_ftypes, *nl_ifs;
1911 	enum nl80211_iftype ift;
1912 	int i;
1913 
1914 	if (!mgmt_stypes)
1915 		return 0;
1916 
1917 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1918 	if (!nl_ifs)
1919 		return -ENOBUFS;
1920 
1921 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1922 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1923 		if (!nl_ftypes)
1924 			return -ENOBUFS;
1925 		i = 0;
1926 		stypes = mgmt_stypes[ift].tx;
1927 		while (stypes) {
1928 			if ((stypes & 1) &&
1929 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1930 					(i << 4) | IEEE80211_FTYPE_MGMT))
1931 				return -ENOBUFS;
1932 			stypes >>= 1;
1933 			i++;
1934 		}
1935 		nla_nest_end(msg, nl_ftypes);
1936 	}
1937 
1938 	nla_nest_end(msg, nl_ifs);
1939 
1940 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
1941 	if (!nl_ifs)
1942 		return -ENOBUFS;
1943 
1944 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1945 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1946 		if (!nl_ftypes)
1947 			return -ENOBUFS;
1948 		i = 0;
1949 		stypes = mgmt_stypes[ift].rx;
1950 		while (stypes) {
1951 			if ((stypes & 1) &&
1952 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1953 					(i << 4) | IEEE80211_FTYPE_MGMT))
1954 				return -ENOBUFS;
1955 			stypes >>= 1;
1956 			i++;
1957 		}
1958 		nla_nest_end(msg, nl_ftypes);
1959 	}
1960 	nla_nest_end(msg, nl_ifs);
1961 
1962 	return 0;
1963 }
1964 
1965 #define CMD(op, n)							\
1966 	 do {								\
1967 		if (rdev->ops->op) {					\
1968 			i++;						\
1969 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
1970 				goto nla_put_failure;			\
1971 		}							\
1972 	} while (0)
1973 
1974 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
1975 					struct sk_buff *msg)
1976 {
1977 	int i = 0;
1978 
1979 	/*
1980 	 * do *NOT* add anything into this function, new things need to be
1981 	 * advertised only to new versions of userspace that can deal with
1982 	 * the split (and they can't possibly care about new features...
1983 	 */
1984 	CMD(add_virtual_intf, NEW_INTERFACE);
1985 	CMD(change_virtual_intf, SET_INTERFACE);
1986 	CMD(add_key, NEW_KEY);
1987 	CMD(start_ap, START_AP);
1988 	CMD(add_station, NEW_STATION);
1989 	CMD(add_mpath, NEW_MPATH);
1990 	CMD(update_mesh_config, SET_MESH_CONFIG);
1991 	CMD(change_bss, SET_BSS);
1992 	CMD(auth, AUTHENTICATE);
1993 	CMD(assoc, ASSOCIATE);
1994 	CMD(deauth, DEAUTHENTICATE);
1995 	CMD(disassoc, DISASSOCIATE);
1996 	CMD(join_ibss, JOIN_IBSS);
1997 	CMD(join_mesh, JOIN_MESH);
1998 	CMD(set_pmksa, SET_PMKSA);
1999 	CMD(del_pmksa, DEL_PMKSA);
2000 	CMD(flush_pmksa, FLUSH_PMKSA);
2001 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2002 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2003 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2004 	CMD(mgmt_tx, FRAME);
2005 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2006 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2007 		i++;
2008 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2009 			goto nla_put_failure;
2010 	}
2011 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2012 	    rdev->ops->join_mesh) {
2013 		i++;
2014 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2015 			goto nla_put_failure;
2016 	}
2017 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2018 		CMD(tdls_mgmt, TDLS_MGMT);
2019 		CMD(tdls_oper, TDLS_OPER);
2020 	}
2021 	if (rdev->wiphy.max_sched_scan_reqs)
2022 		CMD(sched_scan_start, START_SCHED_SCAN);
2023 	CMD(probe_client, PROBE_CLIENT);
2024 	CMD(set_noack_map, SET_NOACK_MAP);
2025 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2026 		i++;
2027 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2028 			goto nla_put_failure;
2029 	}
2030 	CMD(start_p2p_device, START_P2P_DEVICE);
2031 	CMD(set_mcast_rate, SET_MCAST_RATE);
2032 #ifdef CONFIG_NL80211_TESTMODE
2033 	CMD(testmode_cmd, TESTMODE);
2034 #endif
2035 
2036 	if (rdev->ops->connect || rdev->ops->auth) {
2037 		i++;
2038 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2039 			goto nla_put_failure;
2040 	}
2041 
2042 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2043 		i++;
2044 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2045 			goto nla_put_failure;
2046 	}
2047 
2048 	return i;
2049  nla_put_failure:
2050 	return -ENOBUFS;
2051 }
2052 
2053 static int
2054 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2055 			   struct sk_buff *msg)
2056 {
2057 	struct nlattr *ftm;
2058 
2059 	if (!cap->ftm.supported)
2060 		return 0;
2061 
2062 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2063 	if (!ftm)
2064 		return -ENOBUFS;
2065 
2066 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2067 		return -ENOBUFS;
2068 	if (cap->ftm.non_asap &&
2069 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2070 		return -ENOBUFS;
2071 	if (cap->ftm.request_lci &&
2072 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2073 		return -ENOBUFS;
2074 	if (cap->ftm.request_civicloc &&
2075 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2076 		return -ENOBUFS;
2077 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2078 			cap->ftm.preambles))
2079 		return -ENOBUFS;
2080 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2081 			cap->ftm.bandwidths))
2082 		return -ENOBUFS;
2083 	if (cap->ftm.max_bursts_exponent >= 0 &&
2084 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2085 			cap->ftm.max_bursts_exponent))
2086 		return -ENOBUFS;
2087 	if (cap->ftm.max_ftms_per_burst &&
2088 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2089 			cap->ftm.max_ftms_per_burst))
2090 		return -ENOBUFS;
2091 	if (cap->ftm.trigger_based &&
2092 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2093 		return -ENOBUFS;
2094 	if (cap->ftm.non_trigger_based &&
2095 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2096 		return -ENOBUFS;
2097 
2098 	nla_nest_end(msg, ftm);
2099 	return 0;
2100 }
2101 
2102 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2103 				  struct sk_buff *msg)
2104 {
2105 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2106 	struct nlattr *pmsr, *caps;
2107 
2108 	if (!cap)
2109 		return 0;
2110 
2111 	/*
2112 	 * we don't need to clean up anything here since the caller
2113 	 * will genlmsg_cancel() if we fail
2114 	 */
2115 
2116 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2117 	if (!pmsr)
2118 		return -ENOBUFS;
2119 
2120 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2121 		return -ENOBUFS;
2122 
2123 	if (cap->report_ap_tsf &&
2124 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2125 		return -ENOBUFS;
2126 
2127 	if (cap->randomize_mac_addr &&
2128 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2129 		return -ENOBUFS;
2130 
2131 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2132 	if (!caps)
2133 		return -ENOBUFS;
2134 
2135 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2136 		return -ENOBUFS;
2137 
2138 	nla_nest_end(msg, caps);
2139 	nla_nest_end(msg, pmsr);
2140 
2141 	return 0;
2142 }
2143 
2144 static int
2145 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2146 			      struct sk_buff *msg)
2147 {
2148 	int i;
2149 	struct nlattr *nested, *nested_akms;
2150 	const struct wiphy_iftype_akm_suites *iftype_akms;
2151 
2152 	if (!rdev->wiphy.num_iftype_akm_suites ||
2153 	    !rdev->wiphy.iftype_akm_suites)
2154 		return 0;
2155 
2156 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2157 	if (!nested)
2158 		return -ENOBUFS;
2159 
2160 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2161 		nested_akms = nla_nest_start(msg, i + 1);
2162 		if (!nested_akms)
2163 			return -ENOBUFS;
2164 
2165 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2166 
2167 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2168 					iftype_akms->iftypes_mask))
2169 			return -ENOBUFS;
2170 
2171 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2172 			    sizeof(u32) * iftype_akms->n_akm_suites,
2173 			    iftype_akms->akm_suites)) {
2174 			return -ENOBUFS;
2175 		}
2176 		nla_nest_end(msg, nested_akms);
2177 	}
2178 
2179 	nla_nest_end(msg, nested);
2180 
2181 	return 0;
2182 }
2183 
2184 static int
2185 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2186 			       struct sk_buff *msg)
2187 {
2188 	struct nlattr *supp;
2189 
2190 	if (!rdev->wiphy.tid_config_support.vif &&
2191 	    !rdev->wiphy.tid_config_support.peer)
2192 		return 0;
2193 
2194 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2195 	if (!supp)
2196 		return -ENOSPC;
2197 
2198 	if (rdev->wiphy.tid_config_support.vif &&
2199 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2200 			      rdev->wiphy.tid_config_support.vif,
2201 			      NL80211_TID_CONFIG_ATTR_PAD))
2202 		goto fail;
2203 
2204 	if (rdev->wiphy.tid_config_support.peer &&
2205 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2206 			      rdev->wiphy.tid_config_support.peer,
2207 			      NL80211_TID_CONFIG_ATTR_PAD))
2208 		goto fail;
2209 
2210 	/* for now we just use the same value ... makes more sense */
2211 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2212 		       rdev->wiphy.tid_config_support.max_retry))
2213 		goto fail;
2214 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2215 		       rdev->wiphy.tid_config_support.max_retry))
2216 		goto fail;
2217 
2218 	nla_nest_end(msg, supp);
2219 
2220 	return 0;
2221 fail:
2222 	nla_nest_cancel(msg, supp);
2223 	return -ENOBUFS;
2224 }
2225 
2226 static int
2227 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2228 		      struct sk_buff *msg)
2229 {
2230 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2231 	u8 num_freq_ranges;
2232 	int i;
2233 
2234 	if (!rdev->wiphy.sar_capa)
2235 		return 0;
2236 
2237 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2238 
2239 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2240 	if (!sar_capa)
2241 		return -ENOSPC;
2242 
2243 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2244 		goto fail;
2245 
2246 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2247 	if (!specs)
2248 		goto fail;
2249 
2250 	/* report supported freq_ranges */
2251 	for (i = 0; i < num_freq_ranges; i++) {
2252 		sub_freq_range = nla_nest_start(msg, i + 1);
2253 		if (!sub_freq_range)
2254 			goto fail;
2255 
2256 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2257 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2258 			goto fail;
2259 
2260 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2261 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2262 			goto fail;
2263 
2264 		nla_nest_end(msg, sub_freq_range);
2265 	}
2266 
2267 	nla_nest_end(msg, specs);
2268 	nla_nest_end(msg, sar_capa);
2269 
2270 	return 0;
2271 fail:
2272 	nla_nest_cancel(msg, sar_capa);
2273 	return -ENOBUFS;
2274 }
2275 
2276 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2277 {
2278 	struct nlattr *config;
2279 
2280 	if (!wiphy->mbssid_max_interfaces)
2281 		return 0;
2282 
2283 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2284 	if (!config)
2285 		return -ENOBUFS;
2286 
2287 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2288 		       wiphy->mbssid_max_interfaces))
2289 		goto fail;
2290 
2291 	if (wiphy->ema_max_profile_periodicity &&
2292 	    nla_put_u8(msg,
2293 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2294 		       wiphy->ema_max_profile_periodicity))
2295 		goto fail;
2296 
2297 	nla_nest_end(msg, config);
2298 	return 0;
2299 
2300 fail:
2301 	nla_nest_cancel(msg, config);
2302 	return -ENOBUFS;
2303 }
2304 
2305 struct nl80211_dump_wiphy_state {
2306 	s64 filter_wiphy;
2307 	long start;
2308 	long split_start, band_start, chan_start, capa_start;
2309 	bool split;
2310 };
2311 
2312 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2313 			      enum nl80211_commands cmd,
2314 			      struct sk_buff *msg, u32 portid, u32 seq,
2315 			      int flags, struct nl80211_dump_wiphy_state *state)
2316 {
2317 	void *hdr;
2318 	struct nlattr *nl_bands, *nl_band;
2319 	struct nlattr *nl_freqs, *nl_freq;
2320 	struct nlattr *nl_cmds;
2321 	enum nl80211_band band;
2322 	struct ieee80211_channel *chan;
2323 	int i;
2324 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2325 				rdev->wiphy.mgmt_stypes;
2326 	u32 features;
2327 
2328 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2329 	if (!hdr)
2330 		return -ENOBUFS;
2331 
2332 	if (WARN_ON(!state))
2333 		return -EINVAL;
2334 
2335 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2336 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2337 			   wiphy_name(&rdev->wiphy)) ||
2338 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2339 			cfg80211_rdev_list_generation))
2340 		goto nla_put_failure;
2341 
2342 	if (cmd != NL80211_CMD_NEW_WIPHY)
2343 		goto finish;
2344 
2345 	switch (state->split_start) {
2346 	case 0:
2347 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2348 			       rdev->wiphy.retry_short) ||
2349 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2350 			       rdev->wiphy.retry_long) ||
2351 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2352 				rdev->wiphy.frag_threshold) ||
2353 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2354 				rdev->wiphy.rts_threshold) ||
2355 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2356 			       rdev->wiphy.coverage_class) ||
2357 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2358 			       rdev->wiphy.max_scan_ssids) ||
2359 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2360 			       rdev->wiphy.max_sched_scan_ssids) ||
2361 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2362 				rdev->wiphy.max_scan_ie_len) ||
2363 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2364 				rdev->wiphy.max_sched_scan_ie_len) ||
2365 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2366 			       rdev->wiphy.max_match_sets))
2367 			goto nla_put_failure;
2368 
2369 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2370 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2371 			goto nla_put_failure;
2372 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2373 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2374 			goto nla_put_failure;
2375 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2376 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2377 			goto nla_put_failure;
2378 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2379 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2380 			goto nla_put_failure;
2381 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2382 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2383 			goto nla_put_failure;
2384 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2385 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2386 			goto nla_put_failure;
2387 		state->split_start++;
2388 		if (state->split)
2389 			break;
2390 		fallthrough;
2391 	case 1:
2392 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2393 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2394 			    rdev->wiphy.cipher_suites))
2395 			goto nla_put_failure;
2396 
2397 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2398 			       rdev->wiphy.max_num_pmkids))
2399 			goto nla_put_failure;
2400 
2401 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2402 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2403 			goto nla_put_failure;
2404 
2405 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2406 				rdev->wiphy.available_antennas_tx) ||
2407 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2408 				rdev->wiphy.available_antennas_rx))
2409 			goto nla_put_failure;
2410 
2411 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2412 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2413 				rdev->wiphy.probe_resp_offload))
2414 			goto nla_put_failure;
2415 
2416 		if ((rdev->wiphy.available_antennas_tx ||
2417 		     rdev->wiphy.available_antennas_rx) &&
2418 		    rdev->ops->get_antenna) {
2419 			u32 tx_ant = 0, rx_ant = 0;
2420 			int res;
2421 
2422 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2423 			if (!res) {
2424 				if (nla_put_u32(msg,
2425 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2426 						tx_ant) ||
2427 				    nla_put_u32(msg,
2428 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2429 						rx_ant))
2430 					goto nla_put_failure;
2431 			}
2432 		}
2433 
2434 		state->split_start++;
2435 		if (state->split)
2436 			break;
2437 		fallthrough;
2438 	case 2:
2439 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2440 					rdev->wiphy.interface_modes))
2441 				goto nla_put_failure;
2442 		state->split_start++;
2443 		if (state->split)
2444 			break;
2445 		fallthrough;
2446 	case 3:
2447 		nl_bands = nla_nest_start_noflag(msg,
2448 						 NL80211_ATTR_WIPHY_BANDS);
2449 		if (!nl_bands)
2450 			goto nla_put_failure;
2451 
2452 		for (band = state->band_start;
2453 		     band < (state->split ?
2454 				NUM_NL80211_BANDS :
2455 				NL80211_BAND_60GHZ + 1);
2456 		     band++) {
2457 			struct ieee80211_supported_band *sband;
2458 
2459 			/* omit higher bands for ancient software */
2460 			if (band > NL80211_BAND_5GHZ && !state->split)
2461 				break;
2462 
2463 			sband = rdev->wiphy.bands[band];
2464 
2465 			if (!sband)
2466 				continue;
2467 
2468 			nl_band = nla_nest_start_noflag(msg, band);
2469 			if (!nl_band)
2470 				goto nla_put_failure;
2471 
2472 			switch (state->chan_start) {
2473 			case 0:
2474 				if (nl80211_send_band_rateinfo(msg, sband,
2475 							       state->split))
2476 					goto nla_put_failure;
2477 				state->chan_start++;
2478 				if (state->split)
2479 					break;
2480 				fallthrough;
2481 			default:
2482 				/* add frequencies */
2483 				nl_freqs = nla_nest_start_noflag(msg,
2484 								 NL80211_BAND_ATTR_FREQS);
2485 				if (!nl_freqs)
2486 					goto nla_put_failure;
2487 
2488 				for (i = state->chan_start - 1;
2489 				     i < sband->n_channels;
2490 				     i++) {
2491 					nl_freq = nla_nest_start_noflag(msg,
2492 									i);
2493 					if (!nl_freq)
2494 						goto nla_put_failure;
2495 
2496 					chan = &sband->channels[i];
2497 
2498 					if (nl80211_msg_put_channel(
2499 							msg, &rdev->wiphy, chan,
2500 							state->split))
2501 						goto nla_put_failure;
2502 
2503 					nla_nest_end(msg, nl_freq);
2504 					if (state->split)
2505 						break;
2506 				}
2507 				if (i < sband->n_channels)
2508 					state->chan_start = i + 2;
2509 				else
2510 					state->chan_start = 0;
2511 				nla_nest_end(msg, nl_freqs);
2512 			}
2513 
2514 			nla_nest_end(msg, nl_band);
2515 
2516 			if (state->split) {
2517 				/* start again here */
2518 				if (state->chan_start)
2519 					band--;
2520 				break;
2521 			}
2522 		}
2523 		nla_nest_end(msg, nl_bands);
2524 
2525 		if (band < NUM_NL80211_BANDS)
2526 			state->band_start = band + 1;
2527 		else
2528 			state->band_start = 0;
2529 
2530 		/* if bands & channels are done, continue outside */
2531 		if (state->band_start == 0 && state->chan_start == 0)
2532 			state->split_start++;
2533 		if (state->split)
2534 			break;
2535 		fallthrough;
2536 	case 4:
2537 		nl_cmds = nla_nest_start_noflag(msg,
2538 						NL80211_ATTR_SUPPORTED_COMMANDS);
2539 		if (!nl_cmds)
2540 			goto nla_put_failure;
2541 
2542 		i = nl80211_add_commands_unsplit(rdev, msg);
2543 		if (i < 0)
2544 			goto nla_put_failure;
2545 		if (state->split) {
2546 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2547 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2548 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2549 				CMD(channel_switch, CHANNEL_SWITCH);
2550 			CMD(set_qos_map, SET_QOS_MAP);
2551 			if (rdev->wiphy.features &
2552 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2553 				CMD(add_tx_ts, ADD_TX_TS);
2554 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2555 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2556 			CMD(update_ft_ies, UPDATE_FT_IES);
2557 			if (rdev->wiphy.sar_capa)
2558 				CMD(set_sar_specs, SET_SAR_SPECS);
2559 		}
2560 #undef CMD
2561 
2562 		nla_nest_end(msg, nl_cmds);
2563 		state->split_start++;
2564 		if (state->split)
2565 			break;
2566 		fallthrough;
2567 	case 5:
2568 		if (rdev->ops->remain_on_channel &&
2569 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2570 		    nla_put_u32(msg,
2571 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2572 				rdev->wiphy.max_remain_on_channel_duration))
2573 			goto nla_put_failure;
2574 
2575 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2576 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2577 			goto nla_put_failure;
2578 
2579 		state->split_start++;
2580 		if (state->split)
2581 			break;
2582 		fallthrough;
2583 	case 6:
2584 #ifdef CONFIG_PM
2585 		if (nl80211_send_wowlan(msg, rdev, state->split))
2586 			goto nla_put_failure;
2587 		state->split_start++;
2588 		if (state->split)
2589 			break;
2590 #else
2591 		state->split_start++;
2592 #endif
2593 		fallthrough;
2594 	case 7:
2595 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2596 					rdev->wiphy.software_iftypes))
2597 			goto nla_put_failure;
2598 
2599 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2600 						   state->split))
2601 			goto nla_put_failure;
2602 
2603 		state->split_start++;
2604 		if (state->split)
2605 			break;
2606 		fallthrough;
2607 	case 8:
2608 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2609 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2610 				rdev->wiphy.ap_sme_capa))
2611 			goto nla_put_failure;
2612 
2613 		features = rdev->wiphy.features;
2614 		/*
2615 		 * We can only add the per-channel limit information if the
2616 		 * dump is split, otherwise it makes it too big. Therefore
2617 		 * only advertise it in that case.
2618 		 */
2619 		if (state->split)
2620 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2621 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2622 			goto nla_put_failure;
2623 
2624 		if (rdev->wiphy.ht_capa_mod_mask &&
2625 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2626 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2627 			    rdev->wiphy.ht_capa_mod_mask))
2628 			goto nla_put_failure;
2629 
2630 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2631 		    rdev->wiphy.max_acl_mac_addrs &&
2632 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2633 				rdev->wiphy.max_acl_mac_addrs))
2634 			goto nla_put_failure;
2635 
2636 		/*
2637 		 * Any information below this point is only available to
2638 		 * applications that can deal with it being split. This
2639 		 * helps ensure that newly added capabilities don't break
2640 		 * older tools by overrunning their buffers.
2641 		 *
2642 		 * We still increment split_start so that in the split
2643 		 * case we'll continue with more data in the next round,
2644 		 * but break unconditionally so unsplit data stops here.
2645 		 */
2646 		if (state->split)
2647 			state->split_start++;
2648 		else
2649 			state->split_start = 0;
2650 		break;
2651 	case 9:
2652 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2653 			goto nla_put_failure;
2654 
2655 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2656 				rdev->wiphy.max_sched_scan_plans) ||
2657 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2658 				rdev->wiphy.max_sched_scan_plan_interval) ||
2659 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2660 				rdev->wiphy.max_sched_scan_plan_iterations))
2661 			goto nla_put_failure;
2662 
2663 		if (rdev->wiphy.extended_capabilities &&
2664 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2665 			     rdev->wiphy.extended_capabilities_len,
2666 			     rdev->wiphy.extended_capabilities) ||
2667 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2668 			     rdev->wiphy.extended_capabilities_len,
2669 			     rdev->wiphy.extended_capabilities_mask)))
2670 			goto nla_put_failure;
2671 
2672 		if (rdev->wiphy.vht_capa_mod_mask &&
2673 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2674 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2675 			    rdev->wiphy.vht_capa_mod_mask))
2676 			goto nla_put_failure;
2677 
2678 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2679 			    rdev->wiphy.perm_addr))
2680 			goto nla_put_failure;
2681 
2682 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2683 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2684 			    rdev->wiphy.addr_mask))
2685 			goto nla_put_failure;
2686 
2687 		if (rdev->wiphy.n_addresses > 1) {
2688 			void *attr;
2689 
2690 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2691 			if (!attr)
2692 				goto nla_put_failure;
2693 
2694 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2695 				if (nla_put(msg, i + 1, ETH_ALEN,
2696 					    rdev->wiphy.addresses[i].addr))
2697 					goto nla_put_failure;
2698 
2699 			nla_nest_end(msg, attr);
2700 		}
2701 
2702 		state->split_start++;
2703 		break;
2704 	case 10:
2705 		if (nl80211_send_coalesce(msg, rdev))
2706 			goto nla_put_failure;
2707 
2708 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2709 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2710 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2711 			goto nla_put_failure;
2712 
2713 		if (rdev->wiphy.max_ap_assoc_sta &&
2714 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2715 				rdev->wiphy.max_ap_assoc_sta))
2716 			goto nla_put_failure;
2717 
2718 		state->split_start++;
2719 		break;
2720 	case 11:
2721 		if (rdev->wiphy.n_vendor_commands) {
2722 			const struct nl80211_vendor_cmd_info *info;
2723 			struct nlattr *nested;
2724 
2725 			nested = nla_nest_start_noflag(msg,
2726 						       NL80211_ATTR_VENDOR_DATA);
2727 			if (!nested)
2728 				goto nla_put_failure;
2729 
2730 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2731 				info = &rdev->wiphy.vendor_commands[i].info;
2732 				if (nla_put(msg, i + 1, sizeof(*info), info))
2733 					goto nla_put_failure;
2734 			}
2735 			nla_nest_end(msg, nested);
2736 		}
2737 
2738 		if (rdev->wiphy.n_vendor_events) {
2739 			const struct nl80211_vendor_cmd_info *info;
2740 			struct nlattr *nested;
2741 
2742 			nested = nla_nest_start_noflag(msg,
2743 						       NL80211_ATTR_VENDOR_EVENTS);
2744 			if (!nested)
2745 				goto nla_put_failure;
2746 
2747 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2748 				info = &rdev->wiphy.vendor_events[i];
2749 				if (nla_put(msg, i + 1, sizeof(*info), info))
2750 					goto nla_put_failure;
2751 			}
2752 			nla_nest_end(msg, nested);
2753 		}
2754 		state->split_start++;
2755 		break;
2756 	case 12:
2757 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2758 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2759 			       rdev->wiphy.max_num_csa_counters))
2760 			goto nla_put_failure;
2761 
2762 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2763 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2764 			goto nla_put_failure;
2765 
2766 		if (rdev->wiphy.max_sched_scan_reqs &&
2767 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2768 				rdev->wiphy.max_sched_scan_reqs))
2769 			goto nla_put_failure;
2770 
2771 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2772 			    sizeof(rdev->wiphy.ext_features),
2773 			    rdev->wiphy.ext_features))
2774 			goto nla_put_failure;
2775 
2776 		if (rdev->wiphy.bss_select_support) {
2777 			struct nlattr *nested;
2778 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2779 
2780 			nested = nla_nest_start_noflag(msg,
2781 						       NL80211_ATTR_BSS_SELECT);
2782 			if (!nested)
2783 				goto nla_put_failure;
2784 
2785 			i = 0;
2786 			while (bss_select_support) {
2787 				if ((bss_select_support & 1) &&
2788 				    nla_put_flag(msg, i))
2789 					goto nla_put_failure;
2790 				i++;
2791 				bss_select_support >>= 1;
2792 			}
2793 			nla_nest_end(msg, nested);
2794 		}
2795 
2796 		state->split_start++;
2797 		break;
2798 	case 13:
2799 		if (rdev->wiphy.num_iftype_ext_capab &&
2800 		    rdev->wiphy.iftype_ext_capab) {
2801 			struct nlattr *nested_ext_capab, *nested;
2802 
2803 			nested = nla_nest_start_noflag(msg,
2804 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2805 			if (!nested)
2806 				goto nla_put_failure;
2807 
2808 			for (i = state->capa_start;
2809 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2810 				const struct wiphy_iftype_ext_capab *capab;
2811 
2812 				capab = &rdev->wiphy.iftype_ext_capab[i];
2813 
2814 				nested_ext_capab = nla_nest_start_noflag(msg,
2815 									 i);
2816 				if (!nested_ext_capab ||
2817 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2818 						capab->iftype) ||
2819 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2820 					    capab->extended_capabilities_len,
2821 					    capab->extended_capabilities) ||
2822 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2823 					    capab->extended_capabilities_len,
2824 					    capab->extended_capabilities_mask))
2825 					goto nla_put_failure;
2826 
2827 				nla_nest_end(msg, nested_ext_capab);
2828 				if (state->split)
2829 					break;
2830 			}
2831 			nla_nest_end(msg, nested);
2832 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2833 				state->capa_start = i + 1;
2834 				break;
2835 			}
2836 		}
2837 
2838 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2839 				rdev->wiphy.nan_supported_bands))
2840 			goto nla_put_failure;
2841 
2842 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2843 					    NL80211_EXT_FEATURE_TXQS)) {
2844 			struct cfg80211_txq_stats txqstats = {};
2845 			int res;
2846 
2847 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2848 			if (!res &&
2849 			    !nl80211_put_txq_stats(msg, &txqstats,
2850 						   NL80211_ATTR_TXQ_STATS))
2851 				goto nla_put_failure;
2852 
2853 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2854 					rdev->wiphy.txq_limit))
2855 				goto nla_put_failure;
2856 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2857 					rdev->wiphy.txq_memory_limit))
2858 				goto nla_put_failure;
2859 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2860 					rdev->wiphy.txq_quantum))
2861 				goto nla_put_failure;
2862 		}
2863 
2864 		state->split_start++;
2865 		break;
2866 	case 14:
2867 		if (nl80211_send_pmsr_capa(rdev, msg))
2868 			goto nla_put_failure;
2869 
2870 		state->split_start++;
2871 		break;
2872 	case 15:
2873 		if (rdev->wiphy.akm_suites &&
2874 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2875 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2876 			    rdev->wiphy.akm_suites))
2877 			goto nla_put_failure;
2878 
2879 		if (nl80211_put_iftype_akm_suites(rdev, msg))
2880 			goto nla_put_failure;
2881 
2882 		if (nl80211_put_tid_config_support(rdev, msg))
2883 			goto nla_put_failure;
2884 		state->split_start++;
2885 		break;
2886 	case 16:
2887 		if (nl80211_put_sar_specs(rdev, msg))
2888 			goto nla_put_failure;
2889 
2890 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
2891 			goto nla_put_failure;
2892 
2893 		/* done */
2894 		state->split_start = 0;
2895 		break;
2896 	}
2897  finish:
2898 	genlmsg_end(msg, hdr);
2899 	return 0;
2900 
2901  nla_put_failure:
2902 	genlmsg_cancel(msg, hdr);
2903 	return -EMSGSIZE;
2904 }
2905 
2906 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2907 				    struct netlink_callback *cb,
2908 				    struct nl80211_dump_wiphy_state *state)
2909 {
2910 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
2911 	int ret;
2912 
2913 	if (!tb)
2914 		return -ENOMEM;
2915 
2916 	ret = nlmsg_parse_deprecated(cb->nlh,
2917 				     GENL_HDRLEN + nl80211_fam.hdrsize,
2918 				     tb, nl80211_fam.maxattr,
2919 				     nl80211_policy, NULL);
2920 	/* ignore parse errors for backward compatibility */
2921 	if (ret) {
2922 		ret = 0;
2923 		goto out;
2924 	}
2925 
2926 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2927 	if (tb[NL80211_ATTR_WIPHY])
2928 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2929 	if (tb[NL80211_ATTR_WDEV])
2930 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
2931 	if (tb[NL80211_ATTR_IFINDEX]) {
2932 		struct net_device *netdev;
2933 		struct cfg80211_registered_device *rdev;
2934 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
2935 
2936 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
2937 		if (!netdev) {
2938 			ret = -ENODEV;
2939 			goto out;
2940 		}
2941 		if (netdev->ieee80211_ptr) {
2942 			rdev = wiphy_to_rdev(
2943 				netdev->ieee80211_ptr->wiphy);
2944 			state->filter_wiphy = rdev->wiphy_idx;
2945 		}
2946 	}
2947 
2948 	ret = 0;
2949 out:
2950 	kfree(tb);
2951 	return ret;
2952 }
2953 
2954 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
2955 {
2956 	int idx = 0, ret;
2957 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
2958 	struct cfg80211_registered_device *rdev;
2959 
2960 	rtnl_lock();
2961 	if (!state) {
2962 		state = kzalloc(sizeof(*state), GFP_KERNEL);
2963 		if (!state) {
2964 			rtnl_unlock();
2965 			return -ENOMEM;
2966 		}
2967 		state->filter_wiphy = -1;
2968 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
2969 		if (ret) {
2970 			kfree(state);
2971 			rtnl_unlock();
2972 			return ret;
2973 		}
2974 		cb->args[0] = (long)state;
2975 	}
2976 
2977 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2978 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2979 			continue;
2980 		if (++idx <= state->start)
2981 			continue;
2982 		if (state->filter_wiphy != -1 &&
2983 		    state->filter_wiphy != rdev->wiphy_idx)
2984 			continue;
2985 		/* attempt to fit multiple wiphy data chunks into the skb */
2986 		do {
2987 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
2988 						 skb,
2989 						 NETLINK_CB(cb->skb).portid,
2990 						 cb->nlh->nlmsg_seq,
2991 						 NLM_F_MULTI, state);
2992 			if (ret < 0) {
2993 				/*
2994 				 * If sending the wiphy data didn't fit (ENOBUFS
2995 				 * or EMSGSIZE returned), this SKB is still
2996 				 * empty (so it's not too big because another
2997 				 * wiphy dataset is already in the skb) and
2998 				 * we've not tried to adjust the dump allocation
2999 				 * yet ... then adjust the alloc size to be
3000 				 * bigger, and return 1 but with the empty skb.
3001 				 * This results in an empty message being RX'ed
3002 				 * in userspace, but that is ignored.
3003 				 *
3004 				 * We can then retry with the larger buffer.
3005 				 */
3006 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3007 				    !skb->len && !state->split &&
3008 				    cb->min_dump_alloc < 4096) {
3009 					cb->min_dump_alloc = 4096;
3010 					state->split_start = 0;
3011 					rtnl_unlock();
3012 					return 1;
3013 				}
3014 				idx--;
3015 				break;
3016 			}
3017 		} while (state->split_start > 0);
3018 		break;
3019 	}
3020 	rtnl_unlock();
3021 
3022 	state->start = idx;
3023 
3024 	return skb->len;
3025 }
3026 
3027 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3028 {
3029 	kfree((void *)cb->args[0]);
3030 	return 0;
3031 }
3032 
3033 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3034 {
3035 	struct sk_buff *msg;
3036 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3037 	struct nl80211_dump_wiphy_state state = {};
3038 
3039 	msg = nlmsg_new(4096, GFP_KERNEL);
3040 	if (!msg)
3041 		return -ENOMEM;
3042 
3043 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3044 			       info->snd_portid, info->snd_seq, 0,
3045 			       &state) < 0) {
3046 		nlmsg_free(msg);
3047 		return -ENOBUFS;
3048 	}
3049 
3050 	return genlmsg_reply(msg, info);
3051 }
3052 
3053 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3054 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3055 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3056 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3057 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3058 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3059 };
3060 
3061 static int parse_txq_params(struct nlattr *tb[],
3062 			    struct ieee80211_txq_params *txq_params)
3063 {
3064 	u8 ac;
3065 
3066 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3067 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3068 	    !tb[NL80211_TXQ_ATTR_AIFS])
3069 		return -EINVAL;
3070 
3071 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3072 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3073 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3074 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3075 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3076 
3077 	if (ac >= NL80211_NUM_ACS)
3078 		return -EINVAL;
3079 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3080 	return 0;
3081 }
3082 
3083 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3084 {
3085 	/*
3086 	 * You can only set the channel explicitly for some interfaces,
3087 	 * most have their channel managed via their respective
3088 	 * "establish a connection" command (connect, join, ...)
3089 	 *
3090 	 * For AP/GO and mesh mode, the channel can be set with the
3091 	 * channel userspace API, but is only stored and passed to the
3092 	 * low-level driver when the AP starts or the mesh is joined.
3093 	 * This is for backward compatibility, userspace can also give
3094 	 * the channel in the start-ap or join-mesh commands instead.
3095 	 *
3096 	 * Monitors are special as they are normally slaved to
3097 	 * whatever else is going on, so they have their own special
3098 	 * operation to set the monitor channel if possible.
3099 	 */
3100 	return !wdev ||
3101 		wdev->iftype == NL80211_IFTYPE_AP ||
3102 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3103 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3104 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3105 }
3106 
3107 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3108 			  struct genl_info *info,
3109 			  struct cfg80211_chan_def *chandef)
3110 {
3111 	struct netlink_ext_ack *extack = info->extack;
3112 	struct nlattr **attrs = info->attrs;
3113 	u32 control_freq;
3114 
3115 	if (!attrs[NL80211_ATTR_WIPHY_FREQ])
3116 		return -EINVAL;
3117 
3118 	control_freq = MHZ_TO_KHZ(
3119 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3120 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3121 		control_freq +=
3122 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3123 
3124 	memset(chandef, 0, sizeof(*chandef));
3125 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3126 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3127 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3128 	chandef->freq1_offset = control_freq % 1000;
3129 	chandef->center_freq2 = 0;
3130 
3131 	/* Primary channel not allowed */
3132 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
3133 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3134 				    "Channel is disabled");
3135 		return -EINVAL;
3136 	}
3137 
3138 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3139 		enum nl80211_channel_type chantype;
3140 
3141 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3142 
3143 		switch (chantype) {
3144 		case NL80211_CHAN_NO_HT:
3145 		case NL80211_CHAN_HT20:
3146 		case NL80211_CHAN_HT40PLUS:
3147 		case NL80211_CHAN_HT40MINUS:
3148 			cfg80211_chandef_create(chandef, chandef->chan,
3149 						chantype);
3150 			/* user input for center_freq is incorrect */
3151 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3152 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3153 				NL_SET_ERR_MSG_ATTR(extack,
3154 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3155 						    "bad center frequency 1");
3156 				return -EINVAL;
3157 			}
3158 			/* center_freq2 must be zero */
3159 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3160 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3161 				NL_SET_ERR_MSG_ATTR(extack,
3162 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3163 						    "center frequency 2 can't be used");
3164 				return -EINVAL;
3165 			}
3166 			break;
3167 		default:
3168 			NL_SET_ERR_MSG_ATTR(extack,
3169 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3170 					    "invalid channel type");
3171 			return -EINVAL;
3172 		}
3173 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3174 		chandef->width =
3175 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3176 		if (chandef->chan->band == NL80211_BAND_S1GHZ) {
3177 			/* User input error for channel width doesn't match channel  */
3178 			if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {
3179 				NL_SET_ERR_MSG_ATTR(extack,
3180 						    attrs[NL80211_ATTR_CHANNEL_WIDTH],
3181 						    "bad channel width");
3182 				return -EINVAL;
3183 			}
3184 		}
3185 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3186 			chandef->center_freq1 =
3187 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3188 			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
3189 				chandef->freq1_offset = nla_get_u32(
3190 				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
3191 			else
3192 				chandef->freq1_offset = 0;
3193 		}
3194 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3195 			chandef->center_freq2 =
3196 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3197 	}
3198 
3199 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3200 		chandef->edmg.channels =
3201 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3202 
3203 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3204 			chandef->edmg.bw_config =
3205 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3206 	} else {
3207 		chandef->edmg.bw_config = 0;
3208 		chandef->edmg.channels = 0;
3209 	}
3210 
3211 	if (!cfg80211_chandef_valid(chandef)) {
3212 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3213 		return -EINVAL;
3214 	}
3215 
3216 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
3217 				     IEEE80211_CHAN_DISABLED)) {
3218 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3219 		return -EINVAL;
3220 	}
3221 
3222 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3223 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3224 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3225 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3226 		return -EINVAL;
3227 	}
3228 
3229 	return 0;
3230 }
3231 
3232 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3233 				 struct net_device *dev,
3234 				 struct genl_info *info)
3235 {
3236 	struct cfg80211_chan_def chandef;
3237 	int result;
3238 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3239 	struct wireless_dev *wdev = NULL;
3240 
3241 	if (dev)
3242 		wdev = dev->ieee80211_ptr;
3243 	if (!nl80211_can_set_dev_channel(wdev))
3244 		return -EOPNOTSUPP;
3245 	if (wdev)
3246 		iftype = wdev->iftype;
3247 
3248 	result = nl80211_parse_chandef(rdev, info, &chandef);
3249 	if (result)
3250 		return result;
3251 
3252 	switch (iftype) {
3253 	case NL80211_IFTYPE_AP:
3254 	case NL80211_IFTYPE_P2P_GO:
3255 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3256 						   iftype)) {
3257 			result = -EINVAL;
3258 			break;
3259 		}
3260 		if (wdev->beacon_interval) {
3261 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3262 			    !(rdev->wiphy.features &
3263 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
3264 				result = -EBUSY;
3265 				break;
3266 			}
3267 
3268 			/* Only allow dynamic channel width changes */
3269 			if (chandef.chan != wdev->preset_chandef.chan) {
3270 				result = -EBUSY;
3271 				break;
3272 			}
3273 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
3274 			if (result)
3275 				break;
3276 		}
3277 		wdev->preset_chandef = chandef;
3278 		result = 0;
3279 		break;
3280 	case NL80211_IFTYPE_MESH_POINT:
3281 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3282 		break;
3283 	case NL80211_IFTYPE_MONITOR:
3284 		result = cfg80211_set_monitor_channel(rdev, &chandef);
3285 		break;
3286 	default:
3287 		result = -EINVAL;
3288 	}
3289 
3290 	return result;
3291 }
3292 
3293 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3294 {
3295 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3296 	struct net_device *netdev = info->user_ptr[1];
3297 
3298 	return __nl80211_set_channel(rdev, netdev, info);
3299 }
3300 
3301 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3302 {
3303 	struct cfg80211_registered_device *rdev = NULL;
3304 	struct net_device *netdev = NULL;
3305 	struct wireless_dev *wdev;
3306 	int result = 0, rem_txq_params = 0;
3307 	struct nlattr *nl_txq_params;
3308 	u32 changed;
3309 	u8 retry_short = 0, retry_long = 0;
3310 	u32 frag_threshold = 0, rts_threshold = 0;
3311 	u8 coverage_class = 0;
3312 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3313 
3314 	rtnl_lock();
3315 	/*
3316 	 * Try to find the wiphy and netdev. Normally this
3317 	 * function shouldn't need the netdev, but this is
3318 	 * done for backward compatibility -- previously
3319 	 * setting the channel was done per wiphy, but now
3320 	 * it is per netdev. Previous userland like hostapd
3321 	 * also passed a netdev to set_wiphy, so that it is
3322 	 * possible to let that go to the right netdev!
3323 	 */
3324 
3325 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3326 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3327 
3328 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3329 		if (netdev && netdev->ieee80211_ptr)
3330 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3331 		else
3332 			netdev = NULL;
3333 	}
3334 
3335 	if (!netdev) {
3336 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3337 						  info->attrs);
3338 		if (IS_ERR(rdev)) {
3339 			rtnl_unlock();
3340 			return PTR_ERR(rdev);
3341 		}
3342 		wdev = NULL;
3343 		netdev = NULL;
3344 		result = 0;
3345 	} else
3346 		wdev = netdev->ieee80211_ptr;
3347 
3348 	wiphy_lock(&rdev->wiphy);
3349 
3350 	/*
3351 	 * end workaround code, by now the rdev is available
3352 	 * and locked, and wdev may or may not be NULL.
3353 	 */
3354 
3355 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3356 		result = cfg80211_dev_rename(
3357 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3358 	rtnl_unlock();
3359 
3360 	if (result)
3361 		goto out;
3362 
3363 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3364 		struct ieee80211_txq_params txq_params;
3365 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3366 
3367 		if (!rdev->ops->set_txq_params) {
3368 			result = -EOPNOTSUPP;
3369 			goto out;
3370 		}
3371 
3372 		if (!netdev) {
3373 			result = -EINVAL;
3374 			goto out;
3375 		}
3376 
3377 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3378 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3379 			result = -EINVAL;
3380 			goto out;
3381 		}
3382 
3383 		if (!netif_running(netdev)) {
3384 			result = -ENETDOWN;
3385 			goto out;
3386 		}
3387 
3388 		nla_for_each_nested(nl_txq_params,
3389 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3390 				    rem_txq_params) {
3391 			result = nla_parse_nested_deprecated(tb,
3392 							     NL80211_TXQ_ATTR_MAX,
3393 							     nl_txq_params,
3394 							     txq_params_policy,
3395 							     info->extack);
3396 			if (result)
3397 				goto out;
3398 			result = parse_txq_params(tb, &txq_params);
3399 			if (result)
3400 				goto out;
3401 
3402 			result = rdev_set_txq_params(rdev, netdev,
3403 						     &txq_params);
3404 			if (result)
3405 				goto out;
3406 		}
3407 	}
3408 
3409 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3410 		result = __nl80211_set_channel(
3411 			rdev,
3412 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3413 			info);
3414 		if (result)
3415 			goto out;
3416 	}
3417 
3418 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3419 		struct wireless_dev *txp_wdev = wdev;
3420 		enum nl80211_tx_power_setting type;
3421 		int idx, mbm = 0;
3422 
3423 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3424 			txp_wdev = NULL;
3425 
3426 		if (!rdev->ops->set_tx_power) {
3427 			result = -EOPNOTSUPP;
3428 			goto out;
3429 		}
3430 
3431 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3432 		type = nla_get_u32(info->attrs[idx]);
3433 
3434 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3435 		    (type != NL80211_TX_POWER_AUTOMATIC)) {
3436 			result = -EINVAL;
3437 			goto out;
3438 		}
3439 
3440 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3441 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3442 			mbm = nla_get_u32(info->attrs[idx]);
3443 		}
3444 
3445 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3446 		if (result)
3447 			goto out;
3448 	}
3449 
3450 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3451 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3452 		u32 tx_ant, rx_ant;
3453 
3454 		if ((!rdev->wiphy.available_antennas_tx &&
3455 		     !rdev->wiphy.available_antennas_rx) ||
3456 		    !rdev->ops->set_antenna) {
3457 			result = -EOPNOTSUPP;
3458 			goto out;
3459 		}
3460 
3461 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3462 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3463 
3464 		/* reject antenna configurations which don't match the
3465 		 * available antenna masks, except for the "all" mask */
3466 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3467 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
3468 			result = -EINVAL;
3469 			goto out;
3470 		}
3471 
3472 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3473 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3474 
3475 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3476 		if (result)
3477 			goto out;
3478 	}
3479 
3480 	changed = 0;
3481 
3482 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3483 		retry_short = nla_get_u8(
3484 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3485 
3486 		changed |= WIPHY_PARAM_RETRY_SHORT;
3487 	}
3488 
3489 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3490 		retry_long = nla_get_u8(
3491 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3492 
3493 		changed |= WIPHY_PARAM_RETRY_LONG;
3494 	}
3495 
3496 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3497 		frag_threshold = nla_get_u32(
3498 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3499 		if (frag_threshold < 256) {
3500 			result = -EINVAL;
3501 			goto out;
3502 		}
3503 
3504 		if (frag_threshold != (u32) -1) {
3505 			/*
3506 			 * Fragments (apart from the last one) are required to
3507 			 * have even length. Make the fragmentation code
3508 			 * simpler by stripping LSB should someone try to use
3509 			 * odd threshold value.
3510 			 */
3511 			frag_threshold &= ~0x1;
3512 		}
3513 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3514 	}
3515 
3516 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3517 		rts_threshold = nla_get_u32(
3518 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3519 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3520 	}
3521 
3522 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3523 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3524 			result = -EINVAL;
3525 			goto out;
3526 		}
3527 
3528 		coverage_class = nla_get_u8(
3529 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3530 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3531 	}
3532 
3533 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3534 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION)) {
3535 			result = -EOPNOTSUPP;
3536 			goto out;
3537 		}
3538 
3539 		changed |= WIPHY_PARAM_DYN_ACK;
3540 	}
3541 
3542 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3543 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3544 					     NL80211_EXT_FEATURE_TXQS)) {
3545 			result = -EOPNOTSUPP;
3546 			goto out;
3547 		}
3548 		txq_limit = nla_get_u32(
3549 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3550 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3551 	}
3552 
3553 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3554 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3555 					     NL80211_EXT_FEATURE_TXQS)) {
3556 			result = -EOPNOTSUPP;
3557 			goto out;
3558 		}
3559 		txq_memory_limit = nla_get_u32(
3560 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3561 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3562 	}
3563 
3564 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3565 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3566 					     NL80211_EXT_FEATURE_TXQS)) {
3567 			result = -EOPNOTSUPP;
3568 			goto out;
3569 		}
3570 		txq_quantum = nla_get_u32(
3571 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3572 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3573 	}
3574 
3575 	if (changed) {
3576 		u8 old_retry_short, old_retry_long;
3577 		u32 old_frag_threshold, old_rts_threshold;
3578 		u8 old_coverage_class;
3579 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3580 
3581 		if (!rdev->ops->set_wiphy_params) {
3582 			result = -EOPNOTSUPP;
3583 			goto out;
3584 		}
3585 
3586 		old_retry_short = rdev->wiphy.retry_short;
3587 		old_retry_long = rdev->wiphy.retry_long;
3588 		old_frag_threshold = rdev->wiphy.frag_threshold;
3589 		old_rts_threshold = rdev->wiphy.rts_threshold;
3590 		old_coverage_class = rdev->wiphy.coverage_class;
3591 		old_txq_limit = rdev->wiphy.txq_limit;
3592 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3593 		old_txq_quantum = rdev->wiphy.txq_quantum;
3594 
3595 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3596 			rdev->wiphy.retry_short = retry_short;
3597 		if (changed & WIPHY_PARAM_RETRY_LONG)
3598 			rdev->wiphy.retry_long = retry_long;
3599 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3600 			rdev->wiphy.frag_threshold = frag_threshold;
3601 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3602 			rdev->wiphy.rts_threshold = rts_threshold;
3603 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3604 			rdev->wiphy.coverage_class = coverage_class;
3605 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3606 			rdev->wiphy.txq_limit = txq_limit;
3607 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3608 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3609 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3610 			rdev->wiphy.txq_quantum = txq_quantum;
3611 
3612 		result = rdev_set_wiphy_params(rdev, changed);
3613 		if (result) {
3614 			rdev->wiphy.retry_short = old_retry_short;
3615 			rdev->wiphy.retry_long = old_retry_long;
3616 			rdev->wiphy.frag_threshold = old_frag_threshold;
3617 			rdev->wiphy.rts_threshold = old_rts_threshold;
3618 			rdev->wiphy.coverage_class = old_coverage_class;
3619 			rdev->wiphy.txq_limit = old_txq_limit;
3620 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3621 			rdev->wiphy.txq_quantum = old_txq_quantum;
3622 			goto out;
3623 		}
3624 	}
3625 
3626 	result = 0;
3627 
3628 out:
3629 	wiphy_unlock(&rdev->wiphy);
3630 	return result;
3631 }
3632 
3633 static int nl80211_send_chandef(struct sk_buff *msg,
3634 				const struct cfg80211_chan_def *chandef)
3635 {
3636 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3637 		return -EINVAL;
3638 
3639 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3640 			chandef->chan->center_freq))
3641 		return -ENOBUFS;
3642 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3643 			chandef->chan->freq_offset))
3644 		return -ENOBUFS;
3645 	switch (chandef->width) {
3646 	case NL80211_CHAN_WIDTH_20_NOHT:
3647 	case NL80211_CHAN_WIDTH_20:
3648 	case NL80211_CHAN_WIDTH_40:
3649 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3650 				cfg80211_get_chandef_type(chandef)))
3651 			return -ENOBUFS;
3652 		break;
3653 	default:
3654 		break;
3655 	}
3656 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3657 		return -ENOBUFS;
3658 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3659 		return -ENOBUFS;
3660 	if (chandef->center_freq2 &&
3661 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3662 		return -ENOBUFS;
3663 	return 0;
3664 }
3665 
3666 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3667 			      struct cfg80211_registered_device *rdev,
3668 			      struct wireless_dev *wdev,
3669 			      enum nl80211_commands cmd)
3670 {
3671 	struct net_device *dev = wdev->netdev;
3672 	void *hdr;
3673 
3674 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3675 		cmd != NL80211_CMD_DEL_INTERFACE &&
3676 		cmd != NL80211_CMD_SET_INTERFACE);
3677 
3678 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3679 	if (!hdr)
3680 		return -1;
3681 
3682 	if (dev &&
3683 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3684 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3685 		goto nla_put_failure;
3686 
3687 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3688 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3689 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3690 			      NL80211_ATTR_PAD) ||
3691 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3692 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3693 			rdev->devlist_generation ^
3694 			(cfg80211_rdev_list_generation << 2)) ||
3695 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3696 		goto nla_put_failure;
3697 
3698 	if (rdev->ops->get_channel) {
3699 		int ret;
3700 		struct cfg80211_chan_def chandef = {};
3701 
3702 		ret = rdev_get_channel(rdev, wdev, &chandef);
3703 		if (ret == 0) {
3704 			if (nl80211_send_chandef(msg, &chandef))
3705 				goto nla_put_failure;
3706 		}
3707 	}
3708 
3709 	if (rdev->ops->get_tx_power) {
3710 		int dbm, ret;
3711 
3712 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3713 		if (ret == 0 &&
3714 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3715 				DBM_TO_MBM(dbm)))
3716 			goto nla_put_failure;
3717 	}
3718 
3719 	wdev_lock(wdev);
3720 	switch (wdev->iftype) {
3721 	case NL80211_IFTYPE_AP:
3722 		if (wdev->ssid_len &&
3723 		    nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
3724 			goto nla_put_failure_locked;
3725 		break;
3726 	case NL80211_IFTYPE_STATION:
3727 	case NL80211_IFTYPE_P2P_CLIENT:
3728 	case NL80211_IFTYPE_ADHOC: {
3729 		const struct element *ssid_elem;
3730 
3731 		if (!wdev->current_bss)
3732 			break;
3733 		rcu_read_lock();
3734 		ssid_elem = ieee80211_bss_get_elem(&wdev->current_bss->pub,
3735 						   WLAN_EID_SSID);
3736 		if (ssid_elem &&
3737 		    nla_put(msg, NL80211_ATTR_SSID, ssid_elem->datalen,
3738 			    ssid_elem->data))
3739 			goto nla_put_failure_rcu_locked;
3740 		rcu_read_unlock();
3741 		break;
3742 		}
3743 	default:
3744 		/* nothing */
3745 		break;
3746 	}
3747 	wdev_unlock(wdev);
3748 
3749 	if (rdev->ops->get_txq_stats) {
3750 		struct cfg80211_txq_stats txqstats = {};
3751 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3752 
3753 		if (ret == 0 &&
3754 		    !nl80211_put_txq_stats(msg, &txqstats,
3755 					   NL80211_ATTR_TXQ_STATS))
3756 			goto nla_put_failure;
3757 	}
3758 
3759 	genlmsg_end(msg, hdr);
3760 	return 0;
3761 
3762  nla_put_failure_rcu_locked:
3763 	rcu_read_unlock();
3764  nla_put_failure_locked:
3765 	wdev_unlock(wdev);
3766  nla_put_failure:
3767 	genlmsg_cancel(msg, hdr);
3768 	return -EMSGSIZE;
3769 }
3770 
3771 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3772 {
3773 	int wp_idx = 0;
3774 	int if_idx = 0;
3775 	int wp_start = cb->args[0];
3776 	int if_start = cb->args[1];
3777 	int filter_wiphy = -1;
3778 	struct cfg80211_registered_device *rdev;
3779 	struct wireless_dev *wdev;
3780 	int ret;
3781 
3782 	rtnl_lock();
3783 	if (!cb->args[2]) {
3784 		struct nl80211_dump_wiphy_state state = {
3785 			.filter_wiphy = -1,
3786 		};
3787 
3788 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3789 		if (ret)
3790 			goto out_unlock;
3791 
3792 		filter_wiphy = state.filter_wiphy;
3793 
3794 		/*
3795 		 * if filtering, set cb->args[2] to +1 since 0 is the default
3796 		 * value needed to determine that parsing is necessary.
3797 		 */
3798 		if (filter_wiphy >= 0)
3799 			cb->args[2] = filter_wiphy + 1;
3800 		else
3801 			cb->args[2] = -1;
3802 	} else if (cb->args[2] > 0) {
3803 		filter_wiphy = cb->args[2] - 1;
3804 	}
3805 
3806 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3807 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3808 			continue;
3809 		if (wp_idx < wp_start) {
3810 			wp_idx++;
3811 			continue;
3812 		}
3813 
3814 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3815 			continue;
3816 
3817 		if_idx = 0;
3818 
3819 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3820 			if (if_idx < if_start) {
3821 				if_idx++;
3822 				continue;
3823 			}
3824 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
3825 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
3826 					       rdev, wdev,
3827 					       NL80211_CMD_NEW_INTERFACE) < 0) {
3828 				goto out;
3829 			}
3830 			if_idx++;
3831 		}
3832 
3833 		wp_idx++;
3834 	}
3835  out:
3836 	cb->args[0] = wp_idx;
3837 	cb->args[1] = if_idx;
3838 
3839 	ret = skb->len;
3840  out_unlock:
3841 	rtnl_unlock();
3842 
3843 	return ret;
3844 }
3845 
3846 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3847 {
3848 	struct sk_buff *msg;
3849 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3850 	struct wireless_dev *wdev = info->user_ptr[1];
3851 
3852 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3853 	if (!msg)
3854 		return -ENOMEM;
3855 
3856 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3857 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3858 		nlmsg_free(msg);
3859 		return -ENOBUFS;
3860 	}
3861 
3862 	return genlmsg_reply(msg, info);
3863 }
3864 
3865 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
3866 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
3867 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
3868 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
3869 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
3870 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
3871 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
3872 };
3873 
3874 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
3875 {
3876 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
3877 	int flag;
3878 
3879 	*mntrflags = 0;
3880 
3881 	if (!nla)
3882 		return -EINVAL;
3883 
3884 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
3885 		return -EINVAL;
3886 
3887 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
3888 		if (flags[flag])
3889 			*mntrflags |= (1<<flag);
3890 
3891 	*mntrflags |= MONITOR_FLAG_CHANGED;
3892 
3893 	return 0;
3894 }
3895 
3896 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
3897 				     enum nl80211_iftype type,
3898 				     struct genl_info *info,
3899 				     struct vif_params *params)
3900 {
3901 	bool change = false;
3902 	int err;
3903 
3904 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
3905 		if (type != NL80211_IFTYPE_MONITOR)
3906 			return -EINVAL;
3907 
3908 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
3909 					  &params->flags);
3910 		if (err)
3911 			return err;
3912 
3913 		change = true;
3914 	}
3915 
3916 	if (params->flags & MONITOR_FLAG_ACTIVE &&
3917 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
3918 		return -EOPNOTSUPP;
3919 
3920 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
3921 		const u8 *mumimo_groups;
3922 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3923 
3924 		if (type != NL80211_IFTYPE_MONITOR)
3925 			return -EINVAL;
3926 
3927 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3928 			return -EOPNOTSUPP;
3929 
3930 		mumimo_groups =
3931 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
3932 
3933 		/* bits 0 and 63 are reserved and must be zero */
3934 		if ((mumimo_groups[0] & BIT(0)) ||
3935 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
3936 			return -EINVAL;
3937 
3938 		params->vht_mumimo_groups = mumimo_groups;
3939 		change = true;
3940 	}
3941 
3942 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
3943 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3944 
3945 		if (type != NL80211_IFTYPE_MONITOR)
3946 			return -EINVAL;
3947 
3948 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3949 			return -EOPNOTSUPP;
3950 
3951 		params->vht_mumimo_follow_addr =
3952 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
3953 		change = true;
3954 	}
3955 
3956 	return change ? 1 : 0;
3957 }
3958 
3959 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
3960 			       struct net_device *netdev, u8 use_4addr,
3961 			       enum nl80211_iftype iftype)
3962 {
3963 	if (!use_4addr) {
3964 		if (netdev && netif_is_bridge_port(netdev))
3965 			return -EBUSY;
3966 		return 0;
3967 	}
3968 
3969 	switch (iftype) {
3970 	case NL80211_IFTYPE_AP_VLAN:
3971 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
3972 			return 0;
3973 		break;
3974 	case NL80211_IFTYPE_STATION:
3975 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
3976 			return 0;
3977 		break;
3978 	default:
3979 		break;
3980 	}
3981 
3982 	return -EOPNOTSUPP;
3983 }
3984 
3985 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
3986 {
3987 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3988 	struct vif_params params;
3989 	int err;
3990 	enum nl80211_iftype otype, ntype;
3991 	struct net_device *dev = info->user_ptr[1];
3992 	bool change = false;
3993 
3994 	memset(&params, 0, sizeof(params));
3995 
3996 	otype = ntype = dev->ieee80211_ptr->iftype;
3997 
3998 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
3999 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4000 		if (otype != ntype)
4001 			change = true;
4002 	}
4003 
4004 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4005 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4006 
4007 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4008 			return -EINVAL;
4009 		if (netif_running(dev))
4010 			return -EBUSY;
4011 
4012 		wdev_lock(wdev);
4013 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4014 			     IEEE80211_MAX_MESH_ID_LEN);
4015 		wdev->mesh_id_up_len =
4016 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4017 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4018 		       wdev->mesh_id_up_len);
4019 		wdev_unlock(wdev);
4020 	}
4021 
4022 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4023 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4024 		change = true;
4025 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4026 		if (err)
4027 			return err;
4028 	} else {
4029 		params.use_4addr = -1;
4030 	}
4031 
4032 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4033 	if (err < 0)
4034 		return err;
4035 	if (err > 0)
4036 		change = true;
4037 
4038 	if (change)
4039 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4040 	else
4041 		err = 0;
4042 
4043 	if (!err && params.use_4addr != -1)
4044 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4045 
4046 	if (change && !err) {
4047 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4048 
4049 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4050 	}
4051 
4052 	return err;
4053 }
4054 
4055 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4056 {
4057 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4058 	struct vif_params params;
4059 	struct wireless_dev *wdev;
4060 	struct sk_buff *msg;
4061 	int err;
4062 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4063 
4064 	memset(&params, 0, sizeof(params));
4065 
4066 	if (!info->attrs[NL80211_ATTR_IFNAME])
4067 		return -EINVAL;
4068 
4069 	if (info->attrs[NL80211_ATTR_IFTYPE])
4070 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4071 
4072 	if (!rdev->ops->add_virtual_intf)
4073 		return -EOPNOTSUPP;
4074 
4075 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4076 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4077 	    info->attrs[NL80211_ATTR_MAC]) {
4078 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4079 			   ETH_ALEN);
4080 		if (!is_valid_ether_addr(params.macaddr))
4081 			return -EADDRNOTAVAIL;
4082 	}
4083 
4084 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4085 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4086 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4087 		if (err)
4088 			return err;
4089 	}
4090 
4091 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4092 		return -EOPNOTSUPP;
4093 
4094 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4095 	if (err < 0)
4096 		return err;
4097 
4098 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4099 	if (!msg)
4100 		return -ENOMEM;
4101 
4102 	wdev = rdev_add_virtual_intf(rdev,
4103 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4104 				NET_NAME_USER, type, &params);
4105 	if (WARN_ON(!wdev)) {
4106 		nlmsg_free(msg);
4107 		return -EPROTO;
4108 	} else if (IS_ERR(wdev)) {
4109 		nlmsg_free(msg);
4110 		return PTR_ERR(wdev);
4111 	}
4112 
4113 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4114 		wdev->owner_nlportid = info->snd_portid;
4115 
4116 	switch (type) {
4117 	case NL80211_IFTYPE_MESH_POINT:
4118 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4119 			break;
4120 		wdev_lock(wdev);
4121 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4122 			     IEEE80211_MAX_MESH_ID_LEN);
4123 		wdev->mesh_id_up_len =
4124 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4125 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4126 		       wdev->mesh_id_up_len);
4127 		wdev_unlock(wdev);
4128 		break;
4129 	case NL80211_IFTYPE_NAN:
4130 	case NL80211_IFTYPE_P2P_DEVICE:
4131 		/*
4132 		 * P2P Device and NAN do not have a netdev, so don't go
4133 		 * through the netdev notifier and must be added here
4134 		 */
4135 		cfg80211_init_wdev(wdev);
4136 		cfg80211_register_wdev(rdev, wdev);
4137 		break;
4138 	default:
4139 		break;
4140 	}
4141 
4142 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4143 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4144 		nlmsg_free(msg);
4145 		return -ENOBUFS;
4146 	}
4147 
4148 	return genlmsg_reply(msg, info);
4149 }
4150 
4151 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4152 {
4153 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4154 	int ret;
4155 
4156 	/* to avoid failing a new interface creation due to pending removal */
4157 	cfg80211_destroy_ifaces(rdev);
4158 
4159 	wiphy_lock(&rdev->wiphy);
4160 	ret = _nl80211_new_interface(skb, info);
4161 	wiphy_unlock(&rdev->wiphy);
4162 
4163 	return ret;
4164 }
4165 
4166 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4167 {
4168 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4169 	struct wireless_dev *wdev = info->user_ptr[1];
4170 
4171 	if (!rdev->ops->del_virtual_intf)
4172 		return -EOPNOTSUPP;
4173 
4174 	/*
4175 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4176 	 * reach 0, and thus the rdev cannot be deleted.
4177 	 *
4178 	 * We need to do it for the dev_close(), since that will call
4179 	 * the netdev notifiers, and we need to acquire the mutex there
4180 	 * but don't know if we get there from here or from some other
4181 	 * place (e.g. "ip link set ... down").
4182 	 */
4183 	mutex_unlock(&rdev->wiphy.mtx);
4184 
4185 	/*
4186 	 * If we remove a wireless device without a netdev then clear
4187 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4188 	 * to check if it needs to do dev_put(). Otherwise it crashes
4189 	 * since the wdev has been freed, unlike with a netdev where
4190 	 * we need the dev_put() for the netdev to really be freed.
4191 	 */
4192 	if (!wdev->netdev)
4193 		info->user_ptr[1] = NULL;
4194 	else
4195 		dev_close(wdev->netdev);
4196 
4197 	mutex_lock(&rdev->wiphy.mtx);
4198 
4199 	return rdev_del_virtual_intf(rdev, wdev);
4200 }
4201 
4202 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4203 {
4204 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4205 	struct net_device *dev = info->user_ptr[1];
4206 	u16 noack_map;
4207 
4208 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4209 		return -EINVAL;
4210 
4211 	if (!rdev->ops->set_noack_map)
4212 		return -EOPNOTSUPP;
4213 
4214 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4215 
4216 	return rdev_set_noack_map(rdev, dev, noack_map);
4217 }
4218 
4219 struct get_key_cookie {
4220 	struct sk_buff *msg;
4221 	int error;
4222 	int idx;
4223 };
4224 
4225 static void get_key_callback(void *c, struct key_params *params)
4226 {
4227 	struct nlattr *key;
4228 	struct get_key_cookie *cookie = c;
4229 
4230 	if ((params->key &&
4231 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
4232 		     params->key_len, params->key)) ||
4233 	    (params->seq &&
4234 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4235 		     params->seq_len, params->seq)) ||
4236 	    (params->cipher &&
4237 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4238 			 params->cipher)))
4239 		goto nla_put_failure;
4240 
4241 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4242 	if (!key)
4243 		goto nla_put_failure;
4244 
4245 	if ((params->key &&
4246 	     nla_put(cookie->msg, NL80211_KEY_DATA,
4247 		     params->key_len, params->key)) ||
4248 	    (params->seq &&
4249 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4250 		     params->seq_len, params->seq)) ||
4251 	    (params->cipher &&
4252 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4253 			 params->cipher)))
4254 		goto nla_put_failure;
4255 
4256 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4257 		goto nla_put_failure;
4258 
4259 	nla_nest_end(cookie->msg, key);
4260 
4261 	return;
4262  nla_put_failure:
4263 	cookie->error = 1;
4264 }
4265 
4266 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4267 {
4268 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4269 	int err;
4270 	struct net_device *dev = info->user_ptr[1];
4271 	u8 key_idx = 0;
4272 	const u8 *mac_addr = NULL;
4273 	bool pairwise;
4274 	struct get_key_cookie cookie = {
4275 		.error = 0,
4276 	};
4277 	void *hdr;
4278 	struct sk_buff *msg;
4279 	bool bigtk_support = false;
4280 
4281 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4282 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4283 		bigtk_support = true;
4284 
4285 	if ((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_STATION ||
4286 	     dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4287 	    wiphy_ext_feature_isset(&rdev->wiphy,
4288 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4289 		bigtk_support = true;
4290 
4291 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4292 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4293 
4294 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4295 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4296 			return -EINVAL;
4297 		}
4298 	}
4299 
4300 	if (info->attrs[NL80211_ATTR_MAC])
4301 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4302 
4303 	pairwise = !!mac_addr;
4304 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4305 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4306 
4307 		if (kt != NL80211_KEYTYPE_GROUP &&
4308 		    kt != NL80211_KEYTYPE_PAIRWISE)
4309 			return -EINVAL;
4310 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4311 	}
4312 
4313 	if (!rdev->ops->get_key)
4314 		return -EOPNOTSUPP;
4315 
4316 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4317 		return -ENOENT;
4318 
4319 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4320 	if (!msg)
4321 		return -ENOMEM;
4322 
4323 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4324 			     NL80211_CMD_NEW_KEY);
4325 	if (!hdr)
4326 		goto nla_put_failure;
4327 
4328 	cookie.msg = msg;
4329 	cookie.idx = key_idx;
4330 
4331 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4332 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4333 		goto nla_put_failure;
4334 	if (mac_addr &&
4335 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4336 		goto nla_put_failure;
4337 
4338 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
4339 			   get_key_callback);
4340 
4341 	if (err)
4342 		goto free_msg;
4343 
4344 	if (cookie.error)
4345 		goto nla_put_failure;
4346 
4347 	genlmsg_end(msg, hdr);
4348 	return genlmsg_reply(msg, info);
4349 
4350  nla_put_failure:
4351 	err = -ENOBUFS;
4352  free_msg:
4353 	nlmsg_free(msg);
4354 	return err;
4355 }
4356 
4357 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4358 {
4359 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4360 	struct key_parse key;
4361 	int err;
4362 	struct net_device *dev = info->user_ptr[1];
4363 
4364 	err = nl80211_parse_key(info, &key);
4365 	if (err)
4366 		return err;
4367 
4368 	if (key.idx < 0)
4369 		return -EINVAL;
4370 
4371 	/* Only support setting default key and
4372 	 * Extended Key ID action NL80211_KEY_SET_TX.
4373 	 */
4374 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4375 	    !(key.p.mode == NL80211_KEY_SET_TX))
4376 		return -EINVAL;
4377 
4378 	wdev_lock(dev->ieee80211_ptr);
4379 
4380 	if (key.def) {
4381 		if (!rdev->ops->set_default_key) {
4382 			err = -EOPNOTSUPP;
4383 			goto out;
4384 		}
4385 
4386 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4387 		if (err)
4388 			goto out;
4389 
4390 		err = rdev_set_default_key(rdev, dev, key.idx,
4391 						 key.def_uni, key.def_multi);
4392 
4393 		if (err)
4394 			goto out;
4395 
4396 #ifdef CONFIG_CFG80211_WEXT
4397 		dev->ieee80211_ptr->wext.default_key = key.idx;
4398 #endif
4399 	} else if (key.defmgmt) {
4400 		if (key.def_uni || !key.def_multi) {
4401 			err = -EINVAL;
4402 			goto out;
4403 		}
4404 
4405 		if (!rdev->ops->set_default_mgmt_key) {
4406 			err = -EOPNOTSUPP;
4407 			goto out;
4408 		}
4409 
4410 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4411 		if (err)
4412 			goto out;
4413 
4414 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
4415 		if (err)
4416 			goto out;
4417 
4418 #ifdef CONFIG_CFG80211_WEXT
4419 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
4420 #endif
4421 	} else if (key.defbeacon) {
4422 		if (key.def_uni || !key.def_multi) {
4423 			err = -EINVAL;
4424 			goto out;
4425 		}
4426 
4427 		if (!rdev->ops->set_default_beacon_key) {
4428 			err = -EOPNOTSUPP;
4429 			goto out;
4430 		}
4431 
4432 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4433 		if (err)
4434 			goto out;
4435 
4436 		err = rdev_set_default_beacon_key(rdev, dev, key.idx);
4437 		if (err)
4438 			goto out;
4439 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4440 		   wiphy_ext_feature_isset(&rdev->wiphy,
4441 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4442 		u8 *mac_addr = NULL;
4443 
4444 		if (info->attrs[NL80211_ATTR_MAC])
4445 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4446 
4447 		if (!mac_addr || key.idx < 0 || key.idx > 1) {
4448 			err = -EINVAL;
4449 			goto out;
4450 		}
4451 
4452 		err = rdev_add_key(rdev, dev, key.idx,
4453 				   NL80211_KEYTYPE_PAIRWISE,
4454 				   mac_addr, &key.p);
4455 	} else {
4456 		err = -EINVAL;
4457 	}
4458  out:
4459 	wdev_unlock(dev->ieee80211_ptr);
4460 
4461 	return err;
4462 }
4463 
4464 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4465 {
4466 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4467 	int err;
4468 	struct net_device *dev = info->user_ptr[1];
4469 	struct key_parse key;
4470 	const u8 *mac_addr = NULL;
4471 
4472 	err = nl80211_parse_key(info, &key);
4473 	if (err)
4474 		return err;
4475 
4476 	if (!key.p.key) {
4477 		GENL_SET_ERR_MSG(info, "no key");
4478 		return -EINVAL;
4479 	}
4480 
4481 	if (info->attrs[NL80211_ATTR_MAC])
4482 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4483 
4484 	if (key.type == -1) {
4485 		if (mac_addr)
4486 			key.type = NL80211_KEYTYPE_PAIRWISE;
4487 		else
4488 			key.type = NL80211_KEYTYPE_GROUP;
4489 	}
4490 
4491 	/* for now */
4492 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4493 	    key.type != NL80211_KEYTYPE_GROUP) {
4494 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4495 		return -EINVAL;
4496 	}
4497 
4498 	if (key.type == NL80211_KEYTYPE_GROUP &&
4499 	    info->attrs[NL80211_ATTR_VLAN_ID])
4500 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4501 
4502 	if (!rdev->ops->add_key)
4503 		return -EOPNOTSUPP;
4504 
4505 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4506 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4507 					   mac_addr)) {
4508 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4509 		return -EINVAL;
4510 	}
4511 
4512 	wdev_lock(dev->ieee80211_ptr);
4513 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4514 	if (err)
4515 		GENL_SET_ERR_MSG(info, "key not allowed");
4516 	if (!err) {
4517 		err = rdev_add_key(rdev, dev, key.idx,
4518 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4519 				    mac_addr, &key.p);
4520 		if (err)
4521 			GENL_SET_ERR_MSG(info, "key addition failed");
4522 	}
4523 	wdev_unlock(dev->ieee80211_ptr);
4524 
4525 	return err;
4526 }
4527 
4528 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4529 {
4530 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4531 	int err;
4532 	struct net_device *dev = info->user_ptr[1];
4533 	u8 *mac_addr = NULL;
4534 	struct key_parse key;
4535 
4536 	err = nl80211_parse_key(info, &key);
4537 	if (err)
4538 		return err;
4539 
4540 	if (info->attrs[NL80211_ATTR_MAC])
4541 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4542 
4543 	if (key.type == -1) {
4544 		if (mac_addr)
4545 			key.type = NL80211_KEYTYPE_PAIRWISE;
4546 		else
4547 			key.type = NL80211_KEYTYPE_GROUP;
4548 	}
4549 
4550 	/* for now */
4551 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4552 	    key.type != NL80211_KEYTYPE_GROUP)
4553 		return -EINVAL;
4554 
4555 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4556 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4557 		return -EINVAL;
4558 
4559 	if (!rdev->ops->del_key)
4560 		return -EOPNOTSUPP;
4561 
4562 	wdev_lock(dev->ieee80211_ptr);
4563 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4564 
4565 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4566 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4567 		err = -ENOENT;
4568 
4569 	if (!err)
4570 		err = rdev_del_key(rdev, dev, key.idx,
4571 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4572 				   mac_addr);
4573 
4574 #ifdef CONFIG_CFG80211_WEXT
4575 	if (!err) {
4576 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
4577 			dev->ieee80211_ptr->wext.default_key = -1;
4578 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
4579 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
4580 	}
4581 #endif
4582 	wdev_unlock(dev->ieee80211_ptr);
4583 
4584 	return err;
4585 }
4586 
4587 /* This function returns an error or the number of nested attributes */
4588 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4589 {
4590 	struct nlattr *attr;
4591 	int n_entries = 0, tmp;
4592 
4593 	nla_for_each_nested(attr, nl_attr, tmp) {
4594 		if (nla_len(attr) != ETH_ALEN)
4595 			return -EINVAL;
4596 
4597 		n_entries++;
4598 	}
4599 
4600 	return n_entries;
4601 }
4602 
4603 /*
4604  * This function parses ACL information and allocates memory for ACL data.
4605  * On successful return, the calling function is responsible to free the
4606  * ACL buffer returned by this function.
4607  */
4608 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4609 						struct genl_info *info)
4610 {
4611 	enum nl80211_acl_policy acl_policy;
4612 	struct nlattr *attr;
4613 	struct cfg80211_acl_data *acl;
4614 	int i = 0, n_entries, tmp;
4615 
4616 	if (!wiphy->max_acl_mac_addrs)
4617 		return ERR_PTR(-EOPNOTSUPP);
4618 
4619 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4620 		return ERR_PTR(-EINVAL);
4621 
4622 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4623 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4624 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4625 		return ERR_PTR(-EINVAL);
4626 
4627 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4628 		return ERR_PTR(-EINVAL);
4629 
4630 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4631 	if (n_entries < 0)
4632 		return ERR_PTR(n_entries);
4633 
4634 	if (n_entries > wiphy->max_acl_mac_addrs)
4635 		return ERR_PTR(-ENOTSUPP);
4636 
4637 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4638 	if (!acl)
4639 		return ERR_PTR(-ENOMEM);
4640 
4641 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4642 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4643 		i++;
4644 	}
4645 
4646 	acl->n_acl_entries = n_entries;
4647 	acl->acl_policy = acl_policy;
4648 
4649 	return acl;
4650 }
4651 
4652 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4653 {
4654 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4655 	struct net_device *dev = info->user_ptr[1];
4656 	struct cfg80211_acl_data *acl;
4657 	int err;
4658 
4659 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4660 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4661 		return -EOPNOTSUPP;
4662 
4663 	if (!dev->ieee80211_ptr->beacon_interval)
4664 		return -EINVAL;
4665 
4666 	acl = parse_acl_data(&rdev->wiphy, info);
4667 	if (IS_ERR(acl))
4668 		return PTR_ERR(acl);
4669 
4670 	err = rdev_set_mac_acl(rdev, dev, acl);
4671 
4672 	kfree(acl);
4673 
4674 	return err;
4675 }
4676 
4677 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4678 			   u8 *rates, u8 rates_len)
4679 {
4680 	u8 i;
4681 	u32 mask = 0;
4682 
4683 	for (i = 0; i < rates_len; i++) {
4684 		int rate = (rates[i] & 0x7f) * 5;
4685 		int ridx;
4686 
4687 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4688 			struct ieee80211_rate *srate =
4689 				&sband->bitrates[ridx];
4690 			if (rate == srate->bitrate) {
4691 				mask |= 1 << ridx;
4692 				break;
4693 			}
4694 		}
4695 		if (ridx == sband->n_bitrates)
4696 			return 0; /* rate not found */
4697 	}
4698 
4699 	return mask;
4700 }
4701 
4702 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4703 			       u8 *rates, u8 rates_len,
4704 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4705 {
4706 	u8 i;
4707 
4708 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4709 
4710 	for (i = 0; i < rates_len; i++) {
4711 		int ridx, rbit;
4712 
4713 		ridx = rates[i] / 8;
4714 		rbit = BIT(rates[i] % 8);
4715 
4716 		/* check validity */
4717 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4718 			return false;
4719 
4720 		/* check availability */
4721 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4722 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4723 			mcs[ridx] |= rbit;
4724 		else
4725 			return false;
4726 	}
4727 
4728 	return true;
4729 }
4730 
4731 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4732 {
4733 	u16 mcs_mask = 0;
4734 
4735 	switch (vht_mcs_map) {
4736 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4737 		break;
4738 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4739 		mcs_mask = 0x00FF;
4740 		break;
4741 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4742 		mcs_mask = 0x01FF;
4743 		break;
4744 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
4745 		mcs_mask = 0x03FF;
4746 		break;
4747 	default:
4748 		break;
4749 	}
4750 
4751 	return mcs_mask;
4752 }
4753 
4754 static void vht_build_mcs_mask(u16 vht_mcs_map,
4755 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
4756 {
4757 	u8 nss;
4758 
4759 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
4760 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
4761 		vht_mcs_map >>= 2;
4762 	}
4763 }
4764 
4765 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
4766 			     struct nl80211_txrate_vht *txrate,
4767 			     u16 mcs[NL80211_VHT_NSS_MAX])
4768 {
4769 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4770 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
4771 	u8 i;
4772 
4773 	if (!sband->vht_cap.vht_supported)
4774 		return false;
4775 
4776 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
4777 
4778 	/* Build vht_mcs_mask from VHT capabilities */
4779 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4780 
4781 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4782 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4783 			mcs[i] = txrate->mcs[i];
4784 		else
4785 			return false;
4786 	}
4787 
4788 	return true;
4789 }
4790 
4791 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
4792 {
4793 	switch (he_mcs_map) {
4794 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
4795 		return 0;
4796 	case IEEE80211_HE_MCS_SUPPORT_0_7:
4797 		return 0x00FF;
4798 	case IEEE80211_HE_MCS_SUPPORT_0_9:
4799 		return 0x03FF;
4800 	case IEEE80211_HE_MCS_SUPPORT_0_11:
4801 		return 0xFFF;
4802 	default:
4803 		break;
4804 	}
4805 	return 0;
4806 }
4807 
4808 static void he_build_mcs_mask(u16 he_mcs_map,
4809 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
4810 {
4811 	u8 nss;
4812 
4813 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
4814 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
4815 		he_mcs_map >>= 2;
4816 	}
4817 }
4818 
4819 static u16 he_get_txmcsmap(struct genl_info *info,
4820 			   const struct ieee80211_sta_he_cap *he_cap)
4821 {
4822 	struct net_device *dev = info->user_ptr[1];
4823 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4824 	__le16	tx_mcs;
4825 
4826 	switch (wdev->chandef.width) {
4827 	case NL80211_CHAN_WIDTH_80P80:
4828 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
4829 		break;
4830 	case NL80211_CHAN_WIDTH_160:
4831 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
4832 		break;
4833 	default:
4834 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
4835 		break;
4836 	}
4837 	return le16_to_cpu(tx_mcs);
4838 }
4839 
4840 static bool he_set_mcs_mask(struct genl_info *info,
4841 			    struct wireless_dev *wdev,
4842 			    struct ieee80211_supported_band *sband,
4843 			    struct nl80211_txrate_he *txrate,
4844 			    u16 mcs[NL80211_HE_NSS_MAX])
4845 {
4846 	const struct ieee80211_sta_he_cap *he_cap;
4847 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
4848 	u16 tx_mcs_map = 0;
4849 	u8 i;
4850 
4851 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4852 	if (!he_cap)
4853 		return false;
4854 
4855 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
4856 
4857 	tx_mcs_map = he_get_txmcsmap(info, he_cap);
4858 
4859 	/* Build he_mcs_mask from HE capabilities */
4860 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4861 
4862 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
4863 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4864 			mcs[i] = txrate->mcs[i];
4865 		else
4866 			return false;
4867 	}
4868 
4869 	return true;
4870 }
4871 
4872 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
4873 					 struct nlattr *attrs[],
4874 					 enum nl80211_attrs attr,
4875 					 struct cfg80211_bitrate_mask *mask,
4876 					 struct net_device *dev,
4877 					 bool default_all_enabled)
4878 {
4879 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
4880 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4881 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4882 	int rem, i;
4883 	struct nlattr *tx_rates;
4884 	struct ieee80211_supported_band *sband;
4885 	u16 vht_tx_mcs_map, he_tx_mcs_map;
4886 
4887 	memset(mask, 0, sizeof(*mask));
4888 	/* Default to all rates enabled */
4889 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
4890 		const struct ieee80211_sta_he_cap *he_cap;
4891 
4892 		if (!default_all_enabled)
4893 			break;
4894 
4895 		sband = rdev->wiphy.bands[i];
4896 
4897 		if (!sband)
4898 			continue;
4899 
4900 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
4901 		memcpy(mask->control[i].ht_mcs,
4902 		       sband->ht_cap.mcs.rx_mask,
4903 		       sizeof(mask->control[i].ht_mcs));
4904 
4905 		if (sband->vht_cap.vht_supported) {
4906 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4907 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
4908 		}
4909 
4910 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4911 		if (!he_cap)
4912 			continue;
4913 
4914 		he_tx_mcs_map = he_get_txmcsmap(info, he_cap);
4915 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
4916 
4917 		mask->control[i].he_gi = 0xFF;
4918 		mask->control[i].he_ltf = 0xFF;
4919 	}
4920 
4921 	/* if no rates are given set it back to the defaults */
4922 	if (!attrs[attr])
4923 		goto out;
4924 
4925 	/* The nested attribute uses enum nl80211_band as the index. This maps
4926 	 * directly to the enum nl80211_band values used in cfg80211.
4927 	 */
4928 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
4929 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
4930 		enum nl80211_band band = nla_type(tx_rates);
4931 		int err;
4932 
4933 		if (band < 0 || band >= NUM_NL80211_BANDS)
4934 			return -EINVAL;
4935 		sband = rdev->wiphy.bands[band];
4936 		if (sband == NULL)
4937 			return -EINVAL;
4938 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
4939 						  tx_rates,
4940 						  nl80211_txattr_policy,
4941 						  info->extack);
4942 		if (err)
4943 			return err;
4944 		if (tb[NL80211_TXRATE_LEGACY]) {
4945 			mask->control[band].legacy = rateset_to_mask(
4946 				sband,
4947 				nla_data(tb[NL80211_TXRATE_LEGACY]),
4948 				nla_len(tb[NL80211_TXRATE_LEGACY]));
4949 			if ((mask->control[band].legacy == 0) &&
4950 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
4951 				return -EINVAL;
4952 		}
4953 		if (tb[NL80211_TXRATE_HT]) {
4954 			if (!ht_rateset_to_mask(
4955 					sband,
4956 					nla_data(tb[NL80211_TXRATE_HT]),
4957 					nla_len(tb[NL80211_TXRATE_HT]),
4958 					mask->control[band].ht_mcs))
4959 				return -EINVAL;
4960 		}
4961 
4962 		if (tb[NL80211_TXRATE_VHT]) {
4963 			if (!vht_set_mcs_mask(
4964 					sband,
4965 					nla_data(tb[NL80211_TXRATE_VHT]),
4966 					mask->control[band].vht_mcs))
4967 				return -EINVAL;
4968 		}
4969 
4970 		if (tb[NL80211_TXRATE_GI]) {
4971 			mask->control[band].gi =
4972 				nla_get_u8(tb[NL80211_TXRATE_GI]);
4973 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
4974 				return -EINVAL;
4975 		}
4976 		if (tb[NL80211_TXRATE_HE] &&
4977 		    !he_set_mcs_mask(info, wdev, sband,
4978 				     nla_data(tb[NL80211_TXRATE_HE]),
4979 				     mask->control[band].he_mcs))
4980 			return -EINVAL;
4981 
4982 		if (tb[NL80211_TXRATE_HE_GI])
4983 			mask->control[band].he_gi =
4984 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
4985 		if (tb[NL80211_TXRATE_HE_LTF])
4986 			mask->control[band].he_ltf =
4987 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
4988 
4989 		if (mask->control[band].legacy == 0) {
4990 			/* don't allow empty legacy rates if HT, VHT or HE
4991 			 * are not even supported.
4992 			 */
4993 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
4994 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
4995 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
4996 				return -EINVAL;
4997 
4998 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
4999 				if (mask->control[band].ht_mcs[i])
5000 					goto out;
5001 
5002 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5003 				if (mask->control[band].vht_mcs[i])
5004 					goto out;
5005 
5006 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5007 				if (mask->control[band].he_mcs[i])
5008 					goto out;
5009 
5010 			/* legacy and mcs rates may not be both empty */
5011 			return -EINVAL;
5012 		}
5013 	}
5014 
5015 out:
5016 	return 0;
5017 }
5018 
5019 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5020 				   enum nl80211_band band,
5021 				   struct cfg80211_bitrate_mask *beacon_rate)
5022 {
5023 	u32 count_ht, count_vht, count_he, i;
5024 	u32 rate = beacon_rate->control[band].legacy;
5025 
5026 	/* Allow only one rate */
5027 	if (hweight32(rate) > 1)
5028 		return -EINVAL;
5029 
5030 	count_ht = 0;
5031 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5032 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5033 			return -EINVAL;
5034 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5035 			count_ht++;
5036 			if (count_ht > 1)
5037 				return -EINVAL;
5038 		}
5039 		if (count_ht && rate)
5040 			return -EINVAL;
5041 	}
5042 
5043 	count_vht = 0;
5044 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5045 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5046 			return -EINVAL;
5047 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5048 			count_vht++;
5049 			if (count_vht > 1)
5050 				return -EINVAL;
5051 		}
5052 		if (count_vht && rate)
5053 			return -EINVAL;
5054 	}
5055 
5056 	count_he = 0;
5057 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5058 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5059 			return -EINVAL;
5060 		} else if (beacon_rate->control[band].he_mcs[i]) {
5061 			count_he++;
5062 			if (count_he > 1)
5063 				return -EINVAL;
5064 		}
5065 		if (count_he && rate)
5066 			return -EINVAL;
5067 	}
5068 
5069 	if ((count_ht && count_vht && count_he) ||
5070 	    (!rate && !count_ht && !count_vht && !count_he))
5071 		return -EINVAL;
5072 
5073 	if (rate &&
5074 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5075 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5076 		return -EINVAL;
5077 	if (count_ht &&
5078 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5079 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5080 		return -EINVAL;
5081 	if (count_vht &&
5082 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5083 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5084 		return -EINVAL;
5085 	if (count_he &&
5086 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5087 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5088 		return -EINVAL;
5089 
5090 	return 0;
5091 }
5092 
5093 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5094 				       struct net_device *dev,
5095 				       struct nlattr *attrs,
5096 				       struct cfg80211_mbssid_config *config,
5097 				       u8 num_elems)
5098 {
5099 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5100 
5101 	if (!wiphy->mbssid_max_interfaces)
5102 		return -EOPNOTSUPP;
5103 
5104 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5105 			     NULL) ||
5106 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5107 		return -EINVAL;
5108 
5109 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5110 	if (config->ema) {
5111 		if (!wiphy->ema_max_profile_periodicity)
5112 			return -EOPNOTSUPP;
5113 
5114 		if (num_elems > wiphy->ema_max_profile_periodicity)
5115 			return -EINVAL;
5116 	}
5117 
5118 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5119 	if (config->index >= wiphy->mbssid_max_interfaces ||
5120 	    (!config->index && !num_elems))
5121 		return -EINVAL;
5122 
5123 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5124 		u32 tx_ifindex =
5125 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5126 
5127 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5128 		    (config->index && tx_ifindex == dev->ifindex))
5129 			return -EINVAL;
5130 
5131 		if (tx_ifindex != dev->ifindex) {
5132 			struct net_device *tx_netdev =
5133 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5134 
5135 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5136 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5137 			    tx_netdev->ieee80211_ptr->iftype !=
5138 							NL80211_IFTYPE_AP) {
5139 				dev_put(tx_netdev);
5140 				return -EINVAL;
5141 			}
5142 
5143 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5144 		} else {
5145 			config->tx_wdev = dev->ieee80211_ptr;
5146 		}
5147 	} else if (!config->index) {
5148 		config->tx_wdev = dev->ieee80211_ptr;
5149 	} else {
5150 		return -EINVAL;
5151 	}
5152 
5153 	return 0;
5154 }
5155 
5156 static struct cfg80211_mbssid_elems *
5157 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5158 {
5159 	struct nlattr *nl_elems;
5160 	struct cfg80211_mbssid_elems *elems;
5161 	int rem_elems;
5162 	u8 i = 0, num_elems = 0;
5163 
5164 	if (!wiphy->mbssid_max_interfaces)
5165 		return ERR_PTR(-EINVAL);
5166 
5167 	nla_for_each_nested(nl_elems, attrs, rem_elems)
5168 		num_elems++;
5169 
5170 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5171 	if (!elems)
5172 		return ERR_PTR(-ENOMEM);
5173 
5174 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5175 		elems->elem[i].data = nla_data(nl_elems);
5176 		elems->elem[i].len = nla_len(nl_elems);
5177 		i++;
5178 	}
5179 	elems->cnt = num_elems;
5180 	return elems;
5181 }
5182 
5183 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5184 				struct nlattr *attrs[],
5185 				struct cfg80211_beacon_data *bcn)
5186 {
5187 	bool haveinfo = false;
5188 	int err;
5189 
5190 	memset(bcn, 0, sizeof(*bcn));
5191 
5192 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5193 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5194 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5195 		if (!bcn->head_len)
5196 			return -EINVAL;
5197 		haveinfo = true;
5198 	}
5199 
5200 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5201 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5202 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5203 		haveinfo = true;
5204 	}
5205 
5206 	if (!haveinfo)
5207 		return -EINVAL;
5208 
5209 	if (attrs[NL80211_ATTR_IE]) {
5210 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5211 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5212 	}
5213 
5214 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5215 		bcn->proberesp_ies =
5216 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5217 		bcn->proberesp_ies_len =
5218 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5219 	}
5220 
5221 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5222 		bcn->assocresp_ies =
5223 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5224 		bcn->assocresp_ies_len =
5225 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5226 	}
5227 
5228 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5229 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5230 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5231 	}
5232 
5233 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5234 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5235 
5236 		err = nla_parse_nested_deprecated(tb,
5237 						  NL80211_FTM_RESP_ATTR_MAX,
5238 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5239 						  NULL, NULL);
5240 		if (err)
5241 			return err;
5242 
5243 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5244 		    wiphy_ext_feature_isset(&rdev->wiphy,
5245 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5246 			bcn->ftm_responder = 1;
5247 		else
5248 			return -EOPNOTSUPP;
5249 
5250 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5251 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5252 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5253 		}
5254 
5255 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5256 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5257 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5258 		}
5259 	} else {
5260 		bcn->ftm_responder = -1;
5261 	}
5262 
5263 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5264 		struct cfg80211_mbssid_elems *mbssid =
5265 			nl80211_parse_mbssid_elems(&rdev->wiphy,
5266 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5267 
5268 		if (IS_ERR(mbssid))
5269 			return PTR_ERR(mbssid);
5270 
5271 		bcn->mbssid_ies = mbssid;
5272 	}
5273 
5274 	return 0;
5275 }
5276 
5277 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5278 				    struct ieee80211_he_obss_pd *he_obss_pd)
5279 {
5280 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5281 	int err;
5282 
5283 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5284 			       he_obss_pd_policy, NULL);
5285 	if (err)
5286 		return err;
5287 
5288 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5289 		return -EINVAL;
5290 
5291 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5292 
5293 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5294 		he_obss_pd->min_offset =
5295 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5296 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5297 		he_obss_pd->max_offset =
5298 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5299 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5300 		he_obss_pd->non_srg_max_offset =
5301 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5302 
5303 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5304 		return -EINVAL;
5305 
5306 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5307 		memcpy(he_obss_pd->bss_color_bitmap,
5308 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5309 		       sizeof(he_obss_pd->bss_color_bitmap));
5310 
5311 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5312 		memcpy(he_obss_pd->partial_bssid_bitmap,
5313 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5314 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5315 
5316 	he_obss_pd->enable = true;
5317 
5318 	return 0;
5319 }
5320 
5321 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5322 				      struct cfg80211_he_bss_color *he_bss_color)
5323 {
5324 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5325 	int err;
5326 
5327 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5328 			       he_bss_color_policy, NULL);
5329 	if (err)
5330 		return err;
5331 
5332 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5333 		return -EINVAL;
5334 
5335 	he_bss_color->color =
5336 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5337 	he_bss_color->enabled =
5338 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5339 	he_bss_color->partial =
5340 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5341 
5342 	return 0;
5343 }
5344 
5345 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5346 					struct nlattr *attrs,
5347 					struct cfg80211_ap_settings *params)
5348 {
5349 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5350 	int ret;
5351 	struct cfg80211_fils_discovery *fd = &params->fils_discovery;
5352 
5353 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5354 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5355 		return -EINVAL;
5356 
5357 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5358 			       NULL, NULL);
5359 	if (ret)
5360 		return ret;
5361 
5362 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5363 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5364 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5365 		return -EINVAL;
5366 
5367 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5368 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5369 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5370 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5371 
5372 	return 0;
5373 }
5374 
5375 static int
5376 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5377 				     struct nlattr *attrs,
5378 				     struct cfg80211_ap_settings *params)
5379 {
5380 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5381 	int ret;
5382 	struct cfg80211_unsol_bcast_probe_resp *presp =
5383 					&params->unsol_bcast_probe_resp;
5384 
5385 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5386 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5387 		return -EINVAL;
5388 
5389 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5390 			       attrs, NULL, NULL);
5391 	if (ret)
5392 		return ret;
5393 
5394 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5395 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5396 		return -EINVAL;
5397 
5398 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5399 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5400 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5401 	return 0;
5402 }
5403 
5404 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5405 					    const struct element *rates)
5406 {
5407 	int i;
5408 
5409 	if (!rates)
5410 		return;
5411 
5412 	for (i = 0; i < rates->datalen; i++) {
5413 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5414 			params->ht_required = true;
5415 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5416 			params->vht_required = true;
5417 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5418 			params->he_required = true;
5419 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5420 			params->sae_h2e_required = true;
5421 	}
5422 }
5423 
5424 /*
5425  * Since the nl80211 API didn't include, from the beginning, attributes about
5426  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5427  * benefit of drivers that rebuild IEs in the firmware.
5428  */
5429 static void nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5430 {
5431 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5432 	size_t ies_len = bcn->tail_len;
5433 	const u8 *ies = bcn->tail;
5434 	const struct element *rates;
5435 	const struct element *cap;
5436 
5437 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
5438 	nl80211_check_ap_rate_selectors(params, rates);
5439 
5440 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5441 	nl80211_check_ap_rate_selectors(params, rates);
5442 
5443 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5444 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
5445 		params->ht_cap = (void *)cap->data;
5446 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5447 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
5448 		params->vht_cap = (void *)cap->data;
5449 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5450 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
5451 		params->he_cap = (void *)(cap->data + 1);
5452 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5453 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
5454 		params->he_oper = (void *)(cap->data + 1);
5455 }
5456 
5457 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5458 				   struct cfg80211_ap_settings *params)
5459 {
5460 	struct wireless_dev *wdev;
5461 	bool ret = false;
5462 
5463 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5464 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5465 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5466 			continue;
5467 
5468 		if (!wdev->preset_chandef.chan)
5469 			continue;
5470 
5471 		params->chandef = wdev->preset_chandef;
5472 		ret = true;
5473 		break;
5474 	}
5475 
5476 	return ret;
5477 }
5478 
5479 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5480 				    enum nl80211_auth_type auth_type,
5481 				    enum nl80211_commands cmd)
5482 {
5483 	if (auth_type > NL80211_AUTHTYPE_MAX)
5484 		return false;
5485 
5486 	switch (cmd) {
5487 	case NL80211_CMD_AUTHENTICATE:
5488 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5489 		    auth_type == NL80211_AUTHTYPE_SAE)
5490 			return false;
5491 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5492 					     NL80211_EXT_FEATURE_FILS_STA) &&
5493 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5494 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5495 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
5496 			return false;
5497 		return true;
5498 	case NL80211_CMD_CONNECT:
5499 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5500 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5501 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
5502 		    auth_type == NL80211_AUTHTYPE_SAE)
5503 			return false;
5504 
5505 		/* FILS with SK PFS or PK not supported yet */
5506 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5507 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5508 			return false;
5509 		if (!wiphy_ext_feature_isset(
5510 			    &rdev->wiphy,
5511 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
5512 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
5513 			return false;
5514 		return true;
5515 	case NL80211_CMD_START_AP:
5516 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5517 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
5518 		    auth_type == NL80211_AUTHTYPE_SAE)
5519 			return false;
5520 		/* FILS not supported yet */
5521 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5522 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5523 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5524 			return false;
5525 		return true;
5526 	default:
5527 		return false;
5528 	}
5529 }
5530 
5531 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
5532 {
5533 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5534 	struct net_device *dev = info->user_ptr[1];
5535 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5536 	struct cfg80211_ap_settings *params;
5537 	int err;
5538 
5539 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5540 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5541 		return -EOPNOTSUPP;
5542 
5543 	if (!rdev->ops->start_ap)
5544 		return -EOPNOTSUPP;
5545 
5546 	if (wdev->beacon_interval)
5547 		return -EALREADY;
5548 
5549 	/* these are required for START_AP */
5550 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
5551 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
5552 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
5553 		return -EINVAL;
5554 
5555 	params = kzalloc(sizeof(*params), GFP_KERNEL);
5556 	if (!params)
5557 		return -ENOMEM;
5558 
5559 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon);
5560 	if (err)
5561 		goto out;
5562 
5563 	params->beacon_interval =
5564 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5565 	params->dtim_period =
5566 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
5567 
5568 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
5569 					   params->beacon_interval);
5570 	if (err)
5571 		goto out;
5572 
5573 	/*
5574 	 * In theory, some of these attributes should be required here
5575 	 * but since they were not used when the command was originally
5576 	 * added, keep them optional for old user space programs to let
5577 	 * them continue to work with drivers that do not need the
5578 	 * additional information -- drivers must check!
5579 	 */
5580 	if (info->attrs[NL80211_ATTR_SSID]) {
5581 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5582 		params->ssid_len =
5583 			nla_len(info->attrs[NL80211_ATTR_SSID]);
5584 		if (params->ssid_len == 0) {
5585 			err = -EINVAL;
5586 			goto out;
5587 		}
5588 	}
5589 
5590 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
5591 		params->hidden_ssid = nla_get_u32(
5592 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
5593 
5594 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
5595 
5596 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
5597 		params->auth_type = nla_get_u32(
5598 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
5599 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
5600 					     NL80211_CMD_START_AP)) {
5601 			err = -EINVAL;
5602 			goto out;
5603 		}
5604 	} else
5605 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
5606 
5607 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
5608 				      NL80211_MAX_NR_CIPHER_SUITES);
5609 	if (err)
5610 		goto out;
5611 
5612 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
5613 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
5614 			err = -EOPNOTSUPP;
5615 			goto out;
5616 		}
5617 		params->inactivity_timeout = nla_get_u16(
5618 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
5619 	}
5620 
5621 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
5622 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5623 			err = -EINVAL;
5624 			goto out;
5625 		}
5626 		params->p2p_ctwindow =
5627 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
5628 		if (params->p2p_ctwindow != 0 &&
5629 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
5630 			err = -EINVAL;
5631 			goto out;
5632 		}
5633 	}
5634 
5635 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
5636 		u8 tmp;
5637 
5638 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5639 			err = -EINVAL;
5640 			goto out;
5641 		}
5642 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
5643 		params->p2p_opp_ps = tmp;
5644 		if (params->p2p_opp_ps != 0 &&
5645 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
5646 			err = -EINVAL;
5647 			goto out;
5648 		}
5649 	}
5650 
5651 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
5652 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
5653 		if (err)
5654 			goto out;
5655 	} else if (wdev->preset_chandef.chan) {
5656 		params->chandef = wdev->preset_chandef;
5657 	} else if (!nl80211_get_ap_channel(rdev, params)) {
5658 		err = -EINVAL;
5659 		goto out;
5660 	}
5661 
5662 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params->chandef,
5663 					   wdev->iftype)) {
5664 		err = -EINVAL;
5665 		goto out;
5666 	}
5667 
5668 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
5669 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
5670 						    NL80211_ATTR_TX_RATES,
5671 						    &params->beacon_rate,
5672 						    dev, false);
5673 		if (err)
5674 			goto out;
5675 
5676 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
5677 					      &params->beacon_rate);
5678 		if (err)
5679 			goto out;
5680 	}
5681 
5682 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
5683 		params->smps_mode =
5684 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
5685 		switch (params->smps_mode) {
5686 		case NL80211_SMPS_OFF:
5687 			break;
5688 		case NL80211_SMPS_STATIC:
5689 			if (!(rdev->wiphy.features &
5690 			      NL80211_FEATURE_STATIC_SMPS)) {
5691 				err = -EINVAL;
5692 				goto out;
5693 			}
5694 			break;
5695 		case NL80211_SMPS_DYNAMIC:
5696 			if (!(rdev->wiphy.features &
5697 			      NL80211_FEATURE_DYNAMIC_SMPS)) {
5698 				err = -EINVAL;
5699 				goto out;
5700 			}
5701 			break;
5702 		default:
5703 			err = -EINVAL;
5704 			goto out;
5705 		}
5706 	} else {
5707 		params->smps_mode = NL80211_SMPS_OFF;
5708 	}
5709 
5710 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
5711 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
5712 		err = -EOPNOTSUPP;
5713 		goto out;
5714 	}
5715 
5716 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
5717 		params->acl = parse_acl_data(&rdev->wiphy, info);
5718 		if (IS_ERR(params->acl)) {
5719 			err = PTR_ERR(params->acl);
5720 			params->acl = NULL;
5721 			goto out;
5722 		}
5723 	}
5724 
5725 	params->twt_responder =
5726 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
5727 
5728 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
5729 		err = nl80211_parse_he_obss_pd(
5730 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
5731 					&params->he_obss_pd);
5732 		if (err)
5733 			goto out;
5734 	}
5735 
5736 	if (info->attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5737 		err = nl80211_parse_he_bss_color(
5738 					info->attrs[NL80211_ATTR_HE_BSS_COLOR],
5739 					&params->he_bss_color);
5740 		if (err)
5741 			goto out;
5742 	}
5743 
5744 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
5745 		err = nl80211_parse_fils_discovery(rdev,
5746 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
5747 						   params);
5748 		if (err)
5749 			goto out;
5750 	}
5751 
5752 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
5753 		err = nl80211_parse_unsol_bcast_probe_resp(
5754 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
5755 			params);
5756 		if (err)
5757 			goto out;
5758 	}
5759 
5760 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
5761 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev,
5762 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
5763 						  &params->mbssid_config,
5764 						  params->beacon.mbssid_ies ?
5765 							params->beacon.mbssid_ies->cnt :
5766 							0);
5767 		if (err)
5768 			goto out;
5769 	}
5770 
5771 	nl80211_calculate_ap_params(params);
5772 
5773 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
5774 		params->flags = nla_get_u32(
5775 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
5776 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
5777 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
5778 
5779 	wdev_lock(wdev);
5780 	err = rdev_start_ap(rdev, dev, params);
5781 	if (!err) {
5782 		wdev->preset_chandef = params->chandef;
5783 		wdev->beacon_interval = params->beacon_interval;
5784 		wdev->chandef = params->chandef;
5785 		wdev->ssid_len = params->ssid_len;
5786 		memcpy(wdev->ssid, params->ssid, wdev->ssid_len);
5787 
5788 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
5789 			wdev->conn_owner_nlportid = info->snd_portid;
5790 	}
5791 	wdev_unlock(wdev);
5792 
5793 out:
5794 	kfree(params->acl);
5795 	kfree(params->beacon.mbssid_ies);
5796 	if (params->mbssid_config.tx_wdev &&
5797 	    params->mbssid_config.tx_wdev->netdev &&
5798 	    params->mbssid_config.tx_wdev->netdev != dev)
5799 		dev_put(params->mbssid_config.tx_wdev->netdev);
5800 	kfree(params);
5801 
5802 	return err;
5803 }
5804 
5805 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
5806 {
5807 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5808 	struct net_device *dev = info->user_ptr[1];
5809 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5810 	struct cfg80211_beacon_data params;
5811 	int err;
5812 
5813 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5814 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5815 		return -EOPNOTSUPP;
5816 
5817 	if (!rdev->ops->change_beacon)
5818 		return -EOPNOTSUPP;
5819 
5820 	if (!wdev->beacon_interval)
5821 		return -EINVAL;
5822 
5823 	err = nl80211_parse_beacon(rdev, info->attrs, &params);
5824 	if (err)
5825 		goto out;
5826 
5827 	wdev_lock(wdev);
5828 	err = rdev_change_beacon(rdev, dev, &params);
5829 	wdev_unlock(wdev);
5830 
5831 out:
5832 	kfree(params.mbssid_ies);
5833 	return err;
5834 }
5835 
5836 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
5837 {
5838 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5839 	struct net_device *dev = info->user_ptr[1];
5840 
5841 	return cfg80211_stop_ap(rdev, dev, false);
5842 }
5843 
5844 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
5845 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
5846 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
5847 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
5848 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
5849 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
5850 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
5851 };
5852 
5853 static int parse_station_flags(struct genl_info *info,
5854 			       enum nl80211_iftype iftype,
5855 			       struct station_parameters *params)
5856 {
5857 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
5858 	struct nlattr *nla;
5859 	int flag;
5860 
5861 	/*
5862 	 * Try parsing the new attribute first so userspace
5863 	 * can specify both for older kernels.
5864 	 */
5865 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
5866 	if (nla) {
5867 		struct nl80211_sta_flag_update *sta_flags;
5868 
5869 		sta_flags = nla_data(nla);
5870 		params->sta_flags_mask = sta_flags->mask;
5871 		params->sta_flags_set = sta_flags->set;
5872 		params->sta_flags_set &= params->sta_flags_mask;
5873 		if ((params->sta_flags_mask |
5874 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
5875 			return -EINVAL;
5876 		return 0;
5877 	}
5878 
5879 	/* if present, parse the old attribute */
5880 
5881 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
5882 	if (!nla)
5883 		return 0;
5884 
5885 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
5886 		return -EINVAL;
5887 
5888 	/*
5889 	 * Only allow certain flags for interface types so that
5890 	 * other attributes are silently ignored. Remember that
5891 	 * this is backward compatibility code with old userspace
5892 	 * and shouldn't be hit in other cases anyway.
5893 	 */
5894 	switch (iftype) {
5895 	case NL80211_IFTYPE_AP:
5896 	case NL80211_IFTYPE_AP_VLAN:
5897 	case NL80211_IFTYPE_P2P_GO:
5898 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5899 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5900 					 BIT(NL80211_STA_FLAG_WME) |
5901 					 BIT(NL80211_STA_FLAG_MFP);
5902 		break;
5903 	case NL80211_IFTYPE_P2P_CLIENT:
5904 	case NL80211_IFTYPE_STATION:
5905 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5906 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
5907 		break;
5908 	case NL80211_IFTYPE_MESH_POINT:
5909 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5910 					 BIT(NL80211_STA_FLAG_MFP) |
5911 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
5912 		break;
5913 	default:
5914 		return -EINVAL;
5915 	}
5916 
5917 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
5918 		if (flags[flag]) {
5919 			params->sta_flags_set |= (1<<flag);
5920 
5921 			/* no longer support new API additions in old API */
5922 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
5923 				return -EINVAL;
5924 		}
5925 	}
5926 
5927 	return 0;
5928 }
5929 
5930 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
5931 {
5932 	struct nlattr *rate;
5933 	u32 bitrate;
5934 	u16 bitrate_compat;
5935 	enum nl80211_rate_info rate_flg;
5936 
5937 	rate = nla_nest_start_noflag(msg, attr);
5938 	if (!rate)
5939 		return false;
5940 
5941 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
5942 	bitrate = cfg80211_calculate_bitrate(info);
5943 	/* report 16-bit bitrate only if we can */
5944 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
5945 	if (bitrate > 0 &&
5946 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
5947 		return false;
5948 	if (bitrate_compat > 0 &&
5949 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
5950 		return false;
5951 
5952 	switch (info->bw) {
5953 	case RATE_INFO_BW_5:
5954 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
5955 		break;
5956 	case RATE_INFO_BW_10:
5957 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
5958 		break;
5959 	default:
5960 		WARN_ON(1);
5961 		fallthrough;
5962 	case RATE_INFO_BW_20:
5963 		rate_flg = 0;
5964 		break;
5965 	case RATE_INFO_BW_40:
5966 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
5967 		break;
5968 	case RATE_INFO_BW_80:
5969 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
5970 		break;
5971 	case RATE_INFO_BW_160:
5972 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
5973 		break;
5974 	case RATE_INFO_BW_HE_RU:
5975 		rate_flg = 0;
5976 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
5977 		break;
5978 	case RATE_INFO_BW_320:
5979 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
5980 		break;
5981 	case RATE_INFO_BW_EHT_RU:
5982 		rate_flg = 0;
5983 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS));
5984 		break;
5985 	}
5986 
5987 	if (rate_flg && nla_put_flag(msg, rate_flg))
5988 		return false;
5989 
5990 	if (info->flags & RATE_INFO_FLAGS_MCS) {
5991 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
5992 			return false;
5993 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5994 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5995 			return false;
5996 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
5997 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
5998 			return false;
5999 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
6000 			return false;
6001 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6002 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6003 			return false;
6004 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
6005 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
6006 			return false;
6007 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
6008 			return false;
6009 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
6010 			return false;
6011 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
6012 			return false;
6013 		if (info->bw == RATE_INFO_BW_HE_RU &&
6014 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
6015 			       info->he_ru_alloc))
6016 			return false;
6017 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
6018 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
6019 			return false;
6020 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
6021 			return false;
6022 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
6023 			return false;
6024 		if (info->bw == RATE_INFO_BW_EHT_RU &&
6025 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
6026 			       info->eht_ru_alloc))
6027 			return false;
6028 	}
6029 
6030 	nla_nest_end(msg, rate);
6031 	return true;
6032 }
6033 
6034 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
6035 			       int id)
6036 {
6037 	void *attr;
6038 	int i = 0;
6039 
6040 	if (!mask)
6041 		return true;
6042 
6043 	attr = nla_nest_start_noflag(msg, id);
6044 	if (!attr)
6045 		return false;
6046 
6047 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
6048 		if (!(mask & BIT(i)))
6049 			continue;
6050 
6051 		if (nla_put_u8(msg, i, signal[i]))
6052 			return false;
6053 	}
6054 
6055 	nla_nest_end(msg, attr);
6056 
6057 	return true;
6058 }
6059 
6060 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
6061 				u32 seq, int flags,
6062 				struct cfg80211_registered_device *rdev,
6063 				struct net_device *dev,
6064 				const u8 *mac_addr, struct station_info *sinfo)
6065 {
6066 	void *hdr;
6067 	struct nlattr *sinfoattr, *bss_param;
6068 
6069 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
6070 	if (!hdr) {
6071 		cfg80211_sinfo_release_content(sinfo);
6072 		return -1;
6073 	}
6074 
6075 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6076 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
6077 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
6078 		goto nla_put_failure;
6079 
6080 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
6081 	if (!sinfoattr)
6082 		goto nla_put_failure;
6083 
6084 #define PUT_SINFO(attr, memb, type) do {				\
6085 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6086 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6087 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6088 			     sinfo->memb))				\
6089 		goto nla_put_failure;					\
6090 	} while (0)
6091 #define PUT_SINFO_U64(attr, memb) do {					\
6092 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6093 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6094 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
6095 		goto nla_put_failure;					\
6096 	} while (0)
6097 
6098 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
6099 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
6100 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
6101 
6102 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6103 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6104 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6105 			(u32)sinfo->rx_bytes))
6106 		goto nla_put_failure;
6107 
6108 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6109 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6110 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6111 			(u32)sinfo->tx_bytes))
6112 		goto nla_put_failure;
6113 
6114 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
6115 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
6116 	PUT_SINFO(LLID, llid, u16);
6117 	PUT_SINFO(PLID, plid, u16);
6118 	PUT_SINFO(PLINK_STATE, plink_state, u8);
6119 	PUT_SINFO_U64(RX_DURATION, rx_duration);
6120 	PUT_SINFO_U64(TX_DURATION, tx_duration);
6121 
6122 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6123 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6124 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6125 
6126 	switch (rdev->wiphy.signal_type) {
6127 	case CFG80211_SIGNAL_TYPE_MBM:
6128 		PUT_SINFO(SIGNAL, signal, u8);
6129 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
6130 		break;
6131 	default:
6132 		break;
6133 	}
6134 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6135 		if (!nl80211_put_signal(msg, sinfo->chains,
6136 					sinfo->chain_signal,
6137 					NL80211_STA_INFO_CHAIN_SIGNAL))
6138 			goto nla_put_failure;
6139 	}
6140 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6141 		if (!nl80211_put_signal(msg, sinfo->chains,
6142 					sinfo->chain_signal_avg,
6143 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6144 			goto nla_put_failure;
6145 	}
6146 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6147 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
6148 					  NL80211_STA_INFO_TX_BITRATE))
6149 			goto nla_put_failure;
6150 	}
6151 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6152 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
6153 					  NL80211_STA_INFO_RX_BITRATE))
6154 			goto nla_put_failure;
6155 	}
6156 
6157 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
6158 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
6159 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
6160 	PUT_SINFO(TX_FAILED, tx_failed, u32);
6161 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6162 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
6163 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6164 	PUT_SINFO(LOCAL_PM, local_pm, u32);
6165 	PUT_SINFO(PEER_PM, peer_pm, u32);
6166 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
6167 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
6168 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
6169 
6170 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6171 		bss_param = nla_nest_start_noflag(msg,
6172 						  NL80211_STA_INFO_BSS_PARAM);
6173 		if (!bss_param)
6174 			goto nla_put_failure;
6175 
6176 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
6177 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6178 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6179 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6180 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6181 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6182 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6183 			       sinfo->bss_param.dtim_period) ||
6184 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6185 				sinfo->bss_param.beacon_interval))
6186 			goto nla_put_failure;
6187 
6188 		nla_nest_end(msg, bss_param);
6189 	}
6190 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
6191 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
6192 		    sizeof(struct nl80211_sta_flag_update),
6193 		    &sinfo->sta_flags))
6194 		goto nla_put_failure;
6195 
6196 	PUT_SINFO_U64(T_OFFSET, t_offset);
6197 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6198 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
6199 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6200 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6201 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6202 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6203 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6204 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
6205 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6206 	}
6207 
6208 #undef PUT_SINFO
6209 #undef PUT_SINFO_U64
6210 
6211 	if (sinfo->pertid) {
6212 		struct nlattr *tidsattr;
6213 		int tid;
6214 
6215 		tidsattr = nla_nest_start_noflag(msg,
6216 						 NL80211_STA_INFO_TID_STATS);
6217 		if (!tidsattr)
6218 			goto nla_put_failure;
6219 
6220 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6221 			struct cfg80211_tid_stats *tidstats;
6222 			struct nlattr *tidattr;
6223 
6224 			tidstats = &sinfo->pertid[tid];
6225 
6226 			if (!tidstats->filled)
6227 				continue;
6228 
6229 			tidattr = nla_nest_start_noflag(msg, tid + 1);
6230 			if (!tidattr)
6231 				goto nla_put_failure;
6232 
6233 #define PUT_TIDVAL_U64(attr, memb) do {					\
6234 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6235 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6236 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6237 		goto nla_put_failure;					\
6238 	} while (0)
6239 
6240 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6241 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6242 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6243 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6244 
6245 #undef PUT_TIDVAL_U64
6246 			if ((tidstats->filled &
6247 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6248 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6249 						   NL80211_TID_STATS_TXQ_STATS))
6250 				goto nla_put_failure;
6251 
6252 			nla_nest_end(msg, tidattr);
6253 		}
6254 
6255 		nla_nest_end(msg, tidsattr);
6256 	}
6257 
6258 	nla_nest_end(msg, sinfoattr);
6259 
6260 	if (sinfo->assoc_req_ies_len &&
6261 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
6262 		    sinfo->assoc_req_ies))
6263 		goto nla_put_failure;
6264 
6265 	cfg80211_sinfo_release_content(sinfo);
6266 	genlmsg_end(msg, hdr);
6267 	return 0;
6268 
6269  nla_put_failure:
6270 	cfg80211_sinfo_release_content(sinfo);
6271 	genlmsg_cancel(msg, hdr);
6272 	return -EMSGSIZE;
6273 }
6274 
6275 static int nl80211_dump_station(struct sk_buff *skb,
6276 				struct netlink_callback *cb)
6277 {
6278 	struct station_info sinfo;
6279 	struct cfg80211_registered_device *rdev;
6280 	struct wireless_dev *wdev;
6281 	u8 mac_addr[ETH_ALEN];
6282 	int sta_idx = cb->args[2];
6283 	int err;
6284 
6285 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
6286 	if (err)
6287 		return err;
6288 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6289 	__acquire(&rdev->wiphy.mtx);
6290 
6291 	if (!wdev->netdev) {
6292 		err = -EINVAL;
6293 		goto out_err;
6294 	}
6295 
6296 	if (!rdev->ops->dump_station) {
6297 		err = -EOPNOTSUPP;
6298 		goto out_err;
6299 	}
6300 
6301 	while (1) {
6302 		memset(&sinfo, 0, sizeof(sinfo));
6303 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6304 					mac_addr, &sinfo);
6305 		if (err == -ENOENT)
6306 			break;
6307 		if (err)
6308 			goto out_err;
6309 
6310 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6311 				NETLINK_CB(cb->skb).portid,
6312 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6313 				rdev, wdev->netdev, mac_addr,
6314 				&sinfo) < 0)
6315 			goto out;
6316 
6317 		sta_idx++;
6318 	}
6319 
6320  out:
6321 	cb->args[2] = sta_idx;
6322 	err = skb->len;
6323  out_err:
6324 	wiphy_unlock(&rdev->wiphy);
6325 
6326 	return err;
6327 }
6328 
6329 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6330 {
6331 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6332 	struct net_device *dev = info->user_ptr[1];
6333 	struct station_info sinfo;
6334 	struct sk_buff *msg;
6335 	u8 *mac_addr = NULL;
6336 	int err;
6337 
6338 	memset(&sinfo, 0, sizeof(sinfo));
6339 
6340 	if (!info->attrs[NL80211_ATTR_MAC])
6341 		return -EINVAL;
6342 
6343 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6344 
6345 	if (!rdev->ops->get_station)
6346 		return -EOPNOTSUPP;
6347 
6348 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
6349 	if (err)
6350 		return err;
6351 
6352 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6353 	if (!msg) {
6354 		cfg80211_sinfo_release_content(&sinfo);
6355 		return -ENOMEM;
6356 	}
6357 
6358 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
6359 				 info->snd_portid, info->snd_seq, 0,
6360 				 rdev, dev, mac_addr, &sinfo) < 0) {
6361 		nlmsg_free(msg);
6362 		return -ENOBUFS;
6363 	}
6364 
6365 	return genlmsg_reply(msg, info);
6366 }
6367 
6368 int cfg80211_check_station_change(struct wiphy *wiphy,
6369 				  struct station_parameters *params,
6370 				  enum cfg80211_station_type statype)
6371 {
6372 	if (params->listen_interval != -1 &&
6373 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6374 		return -EINVAL;
6375 
6376 	if (params->support_p2p_ps != -1 &&
6377 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6378 		return -EINVAL;
6379 
6380 	if (params->aid &&
6381 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
6382 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6383 		return -EINVAL;
6384 
6385 	/* When you run into this, adjust the code below for the new flag */
6386 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6387 
6388 	switch (statype) {
6389 	case CFG80211_STA_MESH_PEER_KERNEL:
6390 	case CFG80211_STA_MESH_PEER_USER:
6391 		/*
6392 		 * No ignoring the TDLS flag here -- the userspace mesh
6393 		 * code doesn't have the bug of including TDLS in the
6394 		 * mask everywhere.
6395 		 */
6396 		if (params->sta_flags_mask &
6397 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6398 				  BIT(NL80211_STA_FLAG_MFP) |
6399 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
6400 			return -EINVAL;
6401 		break;
6402 	case CFG80211_STA_TDLS_PEER_SETUP:
6403 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6404 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6405 			return -EINVAL;
6406 		/* ignore since it can't change */
6407 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6408 		break;
6409 	default:
6410 		/* disallow mesh-specific things */
6411 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
6412 			return -EINVAL;
6413 		if (params->local_pm)
6414 			return -EINVAL;
6415 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6416 			return -EINVAL;
6417 	}
6418 
6419 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6420 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
6421 		/* TDLS can't be set, ... */
6422 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
6423 			return -EINVAL;
6424 		/*
6425 		 * ... but don't bother the driver with it. This works around
6426 		 * a hostapd/wpa_supplicant issue -- it always includes the
6427 		 * TLDS_PEER flag in the mask even for AP mode.
6428 		 */
6429 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6430 	}
6431 
6432 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6433 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6434 		/* reject other things that can't change */
6435 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
6436 			return -EINVAL;
6437 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
6438 			return -EINVAL;
6439 		if (params->supported_rates)
6440 			return -EINVAL;
6441 		if (params->ext_capab || params->ht_capa || params->vht_capa ||
6442 		    params->he_capa || params->eht_capa)
6443 			return -EINVAL;
6444 	}
6445 
6446 	if (statype != CFG80211_STA_AP_CLIENT &&
6447 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6448 		if (params->vlan)
6449 			return -EINVAL;
6450 	}
6451 
6452 	switch (statype) {
6453 	case CFG80211_STA_AP_MLME_CLIENT:
6454 		/* Use this only for authorizing/unauthorizing a station */
6455 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
6456 			return -EOPNOTSUPP;
6457 		break;
6458 	case CFG80211_STA_AP_CLIENT:
6459 	case CFG80211_STA_AP_CLIENT_UNASSOC:
6460 		/* accept only the listed bits */
6461 		if (params->sta_flags_mask &
6462 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6463 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6464 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
6465 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6466 				  BIT(NL80211_STA_FLAG_WME) |
6467 				  BIT(NL80211_STA_FLAG_MFP)))
6468 			return -EINVAL;
6469 
6470 		/* but authenticated/associated only if driver handles it */
6471 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6472 		    params->sta_flags_mask &
6473 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6474 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
6475 			return -EINVAL;
6476 		break;
6477 	case CFG80211_STA_IBSS:
6478 	case CFG80211_STA_AP_STA:
6479 		/* reject any changes other than AUTHORIZED */
6480 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
6481 			return -EINVAL;
6482 		break;
6483 	case CFG80211_STA_TDLS_PEER_SETUP:
6484 		/* reject any changes other than AUTHORIZED or WME */
6485 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6486 					       BIT(NL80211_STA_FLAG_WME)))
6487 			return -EINVAL;
6488 		/* force (at least) rates when authorizing */
6489 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
6490 		    !params->supported_rates)
6491 			return -EINVAL;
6492 		break;
6493 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6494 		/* reject any changes */
6495 		return -EINVAL;
6496 	case CFG80211_STA_MESH_PEER_KERNEL:
6497 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6498 			return -EINVAL;
6499 		break;
6500 	case CFG80211_STA_MESH_PEER_USER:
6501 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
6502 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
6503 			return -EINVAL;
6504 		break;
6505 	}
6506 
6507 	/*
6508 	 * Older kernel versions ignored this attribute entirely, so don't
6509 	 * reject attempts to update it but mark it as unused instead so the
6510 	 * driver won't look at the data.
6511 	 */
6512 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
6513 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
6514 		params->opmode_notif_used = false;
6515 
6516 	return 0;
6517 }
6518 EXPORT_SYMBOL(cfg80211_check_station_change);
6519 
6520 /*
6521  * Get vlan interface making sure it is running and on the right wiphy.
6522  */
6523 static struct net_device *get_vlan(struct genl_info *info,
6524 				   struct cfg80211_registered_device *rdev)
6525 {
6526 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
6527 	struct net_device *v;
6528 	int ret;
6529 
6530 	if (!vlanattr)
6531 		return NULL;
6532 
6533 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
6534 	if (!v)
6535 		return ERR_PTR(-ENODEV);
6536 
6537 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
6538 		ret = -EINVAL;
6539 		goto error;
6540 	}
6541 
6542 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
6543 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6544 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6545 		ret = -EINVAL;
6546 		goto error;
6547 	}
6548 
6549 	if (!netif_running(v)) {
6550 		ret = -ENETDOWN;
6551 		goto error;
6552 	}
6553 
6554 	return v;
6555  error:
6556 	dev_put(v);
6557 	return ERR_PTR(ret);
6558 }
6559 
6560 static const struct nla_policy
6561 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
6562 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
6563 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
6564 };
6565 
6566 static int nl80211_parse_sta_wme(struct genl_info *info,
6567 				 struct station_parameters *params)
6568 {
6569 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
6570 	struct nlattr *nla;
6571 	int err;
6572 
6573 	/* parse WME attributes if present */
6574 	if (!info->attrs[NL80211_ATTR_STA_WME])
6575 		return 0;
6576 
6577 	nla = info->attrs[NL80211_ATTR_STA_WME];
6578 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
6579 					  nl80211_sta_wme_policy,
6580 					  info->extack);
6581 	if (err)
6582 		return err;
6583 
6584 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
6585 		params->uapsd_queues = nla_get_u8(
6586 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
6587 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
6588 		return -EINVAL;
6589 
6590 	if (tb[NL80211_STA_WME_MAX_SP])
6591 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
6592 
6593 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
6594 		return -EINVAL;
6595 
6596 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
6597 
6598 	return 0;
6599 }
6600 
6601 static int nl80211_parse_sta_channel_info(struct genl_info *info,
6602 				      struct station_parameters *params)
6603 {
6604 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
6605 		params->supported_channels =
6606 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6607 		params->supported_channels_len =
6608 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6609 		/*
6610 		 * Need to include at least one (first channel, number of
6611 		 * channels) tuple for each subband (checked in policy),
6612 		 * and must have proper tuples for the rest of the data as well.
6613 		 */
6614 		if (params->supported_channels_len % 2)
6615 			return -EINVAL;
6616 	}
6617 
6618 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
6619 		params->supported_oper_classes =
6620 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6621 		params->supported_oper_classes_len =
6622 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6623 	}
6624 	return 0;
6625 }
6626 
6627 static int nl80211_set_station_tdls(struct genl_info *info,
6628 				    struct station_parameters *params)
6629 {
6630 	int err;
6631 	/* Dummy STA entry gets updated once the peer capabilities are known */
6632 	if (info->attrs[NL80211_ATTR_PEER_AID])
6633 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6634 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6635 		params->ht_capa =
6636 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6637 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6638 		params->vht_capa =
6639 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6640 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6641 		params->he_capa =
6642 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6643 		params->he_capa_len =
6644 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6645 
6646 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
6647 			params->eht_capa =
6648 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6649 			params->eht_capa_len =
6650 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6651 
6652 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_capa,
6653 							(const u8 *)params->eht_capa,
6654 							params->eht_capa_len))
6655 				return -EINVAL;
6656 		}
6657 	}
6658 
6659 	err = nl80211_parse_sta_channel_info(info, params);
6660 	if (err)
6661 		return err;
6662 
6663 	return nl80211_parse_sta_wme(info, params);
6664 }
6665 
6666 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
6667 					     struct station_parameters *params)
6668 {
6669 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6670 	int idx;
6671 
6672 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
6673 		if (!rdev->ops->set_tx_power ||
6674 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6675 					 NL80211_EXT_FEATURE_STA_TX_PWR))
6676 			return -EOPNOTSUPP;
6677 
6678 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
6679 		params->txpwr.type = nla_get_u8(info->attrs[idx]);
6680 
6681 		if (params->txpwr.type == NL80211_TX_POWER_LIMITED) {
6682 			idx = NL80211_ATTR_STA_TX_POWER;
6683 
6684 			if (info->attrs[idx])
6685 				params->txpwr.power =
6686 					nla_get_s16(info->attrs[idx]);
6687 			else
6688 				return -EINVAL;
6689 		}
6690 		params->sta_modify_mask |= STATION_PARAM_APPLY_STA_TXPOWER;
6691 	}
6692 
6693 	return 0;
6694 }
6695 
6696 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
6697 {
6698 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6699 	struct net_device *dev = info->user_ptr[1];
6700 	struct station_parameters params;
6701 	u8 *mac_addr;
6702 	int err;
6703 
6704 	memset(&params, 0, sizeof(params));
6705 
6706 	if (!rdev->ops->change_station)
6707 		return -EOPNOTSUPP;
6708 
6709 	/*
6710 	 * AID and listen_interval properties can be set only for unassociated
6711 	 * station. Include these parameters here and will check them in
6712 	 * cfg80211_check_station_change().
6713 	 */
6714 	if (info->attrs[NL80211_ATTR_STA_AID])
6715 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6716 
6717 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6718 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6719 
6720 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6721 		params.listen_interval =
6722 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6723 	else
6724 		params.listen_interval = -1;
6725 
6726 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
6727 		params.support_p2p_ps =
6728 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6729 	else
6730 		params.support_p2p_ps = -1;
6731 
6732 	if (!info->attrs[NL80211_ATTR_MAC])
6733 		return -EINVAL;
6734 
6735 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6736 
6737 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
6738 		params.supported_rates =
6739 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6740 		params.supported_rates_len =
6741 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6742 	}
6743 
6744 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6745 		params.capability =
6746 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6747 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6748 	}
6749 
6750 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6751 		params.ext_capab =
6752 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6753 		params.ext_capab_len =
6754 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6755 	}
6756 
6757 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6758 		return -EINVAL;
6759 
6760 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6761 		params.plink_action =
6762 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6763 
6764 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
6765 		params.plink_state =
6766 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
6767 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
6768 			params.peer_aid = nla_get_u16(
6769 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
6770 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
6771 	}
6772 
6773 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
6774 		params.local_pm = nla_get_u32(
6775 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
6776 
6777 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6778 		params.opmode_notif_used = true;
6779 		params.opmode_notif =
6780 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6781 	}
6782 
6783 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6784 		params.he_6ghz_capa =
6785 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6786 
6787 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6788 		params.airtime_weight =
6789 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6790 
6791 	if (params.airtime_weight &&
6792 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6793 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6794 		return -EOPNOTSUPP;
6795 
6796 	err = nl80211_parse_sta_txpower_setting(info, &params);
6797 	if (err)
6798 		return err;
6799 
6800 	/* Include parameters for TDLS peer (will check later) */
6801 	err = nl80211_set_station_tdls(info, &params);
6802 	if (err)
6803 		return err;
6804 
6805 	params.vlan = get_vlan(info, rdev);
6806 	if (IS_ERR(params.vlan))
6807 		return PTR_ERR(params.vlan);
6808 
6809 	switch (dev->ieee80211_ptr->iftype) {
6810 	case NL80211_IFTYPE_AP:
6811 	case NL80211_IFTYPE_AP_VLAN:
6812 	case NL80211_IFTYPE_P2P_GO:
6813 	case NL80211_IFTYPE_P2P_CLIENT:
6814 	case NL80211_IFTYPE_STATION:
6815 	case NL80211_IFTYPE_ADHOC:
6816 	case NL80211_IFTYPE_MESH_POINT:
6817 		break;
6818 	default:
6819 		err = -EOPNOTSUPP;
6820 		goto out_put_vlan;
6821 	}
6822 
6823 	/* driver will call cfg80211_check_station_change() */
6824 	err = rdev_change_station(rdev, dev, mac_addr, &params);
6825 
6826  out_put_vlan:
6827 	dev_put(params.vlan);
6828 
6829 	return err;
6830 }
6831 
6832 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
6833 {
6834 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6835 	int err;
6836 	struct net_device *dev = info->user_ptr[1];
6837 	struct station_parameters params;
6838 	u8 *mac_addr = NULL;
6839 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6840 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
6841 
6842 	memset(&params, 0, sizeof(params));
6843 
6844 	if (!rdev->ops->add_station)
6845 		return -EOPNOTSUPP;
6846 
6847 	if (!info->attrs[NL80211_ATTR_MAC])
6848 		return -EINVAL;
6849 
6850 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6851 		return -EINVAL;
6852 
6853 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
6854 		return -EINVAL;
6855 
6856 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
6857 	    !info->attrs[NL80211_ATTR_PEER_AID])
6858 		return -EINVAL;
6859 
6860 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6861 	params.supported_rates =
6862 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6863 	params.supported_rates_len =
6864 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6865 	params.listen_interval =
6866 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6867 
6868 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6869 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6870 
6871 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
6872 		params.support_p2p_ps =
6873 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6874 	} else {
6875 		/*
6876 		 * if not specified, assume it's supported for P2P GO interface,
6877 		 * and is NOT supported for AP interface
6878 		 */
6879 		params.support_p2p_ps =
6880 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
6881 	}
6882 
6883 	if (info->attrs[NL80211_ATTR_PEER_AID])
6884 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6885 	else
6886 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6887 
6888 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6889 		params.capability =
6890 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6891 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6892 	}
6893 
6894 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6895 		params.ext_capab =
6896 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6897 		params.ext_capab_len =
6898 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6899 	}
6900 
6901 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6902 		params.ht_capa =
6903 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6904 
6905 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6906 		params.vht_capa =
6907 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6908 
6909 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6910 		params.he_capa =
6911 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6912 		params.he_capa_len =
6913 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6914 
6915 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
6916 			params.eht_capa =
6917 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6918 			params.eht_capa_len =
6919 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6920 
6921 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
6922 							(const u8 *)params.eht_capa,
6923 							params.eht_capa_len))
6924 				return -EINVAL;
6925 		}
6926 	}
6927 
6928 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6929 		params.he_6ghz_capa =
6930 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6931 
6932 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6933 		params.opmode_notif_used = true;
6934 		params.opmode_notif =
6935 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6936 	}
6937 
6938 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6939 		params.plink_action =
6940 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6941 
6942 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6943 		params.airtime_weight =
6944 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6945 
6946 	if (params.airtime_weight &&
6947 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6948 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6949 		return -EOPNOTSUPP;
6950 
6951 	err = nl80211_parse_sta_txpower_setting(info, &params);
6952 	if (err)
6953 		return err;
6954 
6955 	err = nl80211_parse_sta_channel_info(info, &params);
6956 	if (err)
6957 		return err;
6958 
6959 	err = nl80211_parse_sta_wme(info, &params);
6960 	if (err)
6961 		return err;
6962 
6963 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6964 		return -EINVAL;
6965 
6966 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
6967 	 * as userspace might just pass through the capabilities from the IEs
6968 	 * directly, rather than enforcing this restriction and returning an
6969 	 * error in this case.
6970 	 */
6971 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
6972 		params.ht_capa = NULL;
6973 		params.vht_capa = NULL;
6974 
6975 		/* HE and EHT require WME */
6976 		if (params.he_capa_len || params.he_6ghz_capa ||
6977 		    params.eht_capa_len)
6978 			return -EINVAL;
6979 	}
6980 
6981 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
6982 	if (params.he_6ghz_capa && (params.ht_capa || params.vht_capa))
6983 		return -EINVAL;
6984 
6985 	/* When you run into this, adjust the code below for the new flag */
6986 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6987 
6988 	switch (dev->ieee80211_ptr->iftype) {
6989 	case NL80211_IFTYPE_AP:
6990 	case NL80211_IFTYPE_AP_VLAN:
6991 	case NL80211_IFTYPE_P2P_GO:
6992 		/* ignore WME attributes if iface/sta is not capable */
6993 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
6994 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
6995 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6996 
6997 		/* TDLS peers cannot be added */
6998 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
6999 		    info->attrs[NL80211_ATTR_PEER_AID])
7000 			return -EINVAL;
7001 		/* but don't bother the driver with it */
7002 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7003 
7004 		/* allow authenticated/associated only if driver handles it */
7005 		if (!(rdev->wiphy.features &
7006 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7007 		    params.sta_flags_mask & auth_assoc)
7008 			return -EINVAL;
7009 
7010 		/* Older userspace, or userspace wanting to be compatible with
7011 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
7012 		 * and assoc flags in the mask, but assumes the station will be
7013 		 * added as associated anyway since this was the required driver
7014 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
7015 		 * introduced.
7016 		 * In order to not bother drivers with this quirk in the API
7017 		 * set the flags in both the mask and set for new stations in
7018 		 * this case.
7019 		 */
7020 		if (!(params.sta_flags_mask & auth_assoc)) {
7021 			params.sta_flags_mask |= auth_assoc;
7022 			params.sta_flags_set |= auth_assoc;
7023 		}
7024 
7025 		/* must be last in here for error handling */
7026 		params.vlan = get_vlan(info, rdev);
7027 		if (IS_ERR(params.vlan))
7028 			return PTR_ERR(params.vlan);
7029 		break;
7030 	case NL80211_IFTYPE_MESH_POINT:
7031 		/* ignore uAPSD data */
7032 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7033 
7034 		/* associated is disallowed */
7035 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
7036 			return -EINVAL;
7037 		/* TDLS peers cannot be added */
7038 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7039 		    info->attrs[NL80211_ATTR_PEER_AID])
7040 			return -EINVAL;
7041 		break;
7042 	case NL80211_IFTYPE_STATION:
7043 	case NL80211_IFTYPE_P2P_CLIENT:
7044 		/* ignore uAPSD data */
7045 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7046 
7047 		/* these are disallowed */
7048 		if (params.sta_flags_mask &
7049 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
7050 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
7051 			return -EINVAL;
7052 		/* Only TDLS peers can be added */
7053 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7054 			return -EINVAL;
7055 		/* Can only add if TDLS ... */
7056 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
7057 			return -EOPNOTSUPP;
7058 		/* ... with external setup is supported */
7059 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
7060 			return -EOPNOTSUPP;
7061 		/*
7062 		 * Older wpa_supplicant versions always mark the TDLS peer
7063 		 * as authorized, but it shouldn't yet be.
7064 		 */
7065 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
7066 		break;
7067 	default:
7068 		return -EOPNOTSUPP;
7069 	}
7070 
7071 	/* be aware of params.vlan when changing code here */
7072 
7073 	err = rdev_add_station(rdev, dev, mac_addr, &params);
7074 
7075 	dev_put(params.vlan);
7076 	return err;
7077 }
7078 
7079 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
7080 {
7081 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7082 	struct net_device *dev = info->user_ptr[1];
7083 	struct station_del_parameters params;
7084 
7085 	memset(&params, 0, sizeof(params));
7086 
7087 	if (info->attrs[NL80211_ATTR_MAC])
7088 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
7089 
7090 	switch (dev->ieee80211_ptr->iftype) {
7091 	case NL80211_IFTYPE_AP:
7092 	case NL80211_IFTYPE_AP_VLAN:
7093 	case NL80211_IFTYPE_MESH_POINT:
7094 	case NL80211_IFTYPE_P2P_GO:
7095 		/* always accept these */
7096 		break;
7097 	case NL80211_IFTYPE_ADHOC:
7098 		/* conditionally accept */
7099 		if (wiphy_ext_feature_isset(&rdev->wiphy,
7100 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
7101 			break;
7102 		return -EINVAL;
7103 	default:
7104 		return -EINVAL;
7105 	}
7106 
7107 	if (!rdev->ops->del_station)
7108 		return -EOPNOTSUPP;
7109 
7110 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
7111 		params.subtype =
7112 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
7113 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
7114 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
7115 			return -EINVAL;
7116 	} else {
7117 		/* Default to Deauthentication frame */
7118 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
7119 	}
7120 
7121 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
7122 		params.reason_code =
7123 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7124 		if (params.reason_code == 0)
7125 			return -EINVAL; /* 0 is reserved */
7126 	} else {
7127 		/* Default to reason code 2 */
7128 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
7129 	}
7130 
7131 	return rdev_del_station(rdev, dev, &params);
7132 }
7133 
7134 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
7135 				int flags, struct net_device *dev,
7136 				u8 *dst, u8 *next_hop,
7137 				struct mpath_info *pinfo)
7138 {
7139 	void *hdr;
7140 	struct nlattr *pinfoattr;
7141 
7142 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
7143 	if (!hdr)
7144 		return -1;
7145 
7146 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7147 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
7148 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
7149 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
7150 		goto nla_put_failure;
7151 
7152 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
7153 	if (!pinfoattr)
7154 		goto nla_put_failure;
7155 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
7156 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
7157 			pinfo->frame_qlen))
7158 		goto nla_put_failure;
7159 	if (((pinfo->filled & MPATH_INFO_SN) &&
7160 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
7161 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
7162 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
7163 			 pinfo->metric)) ||
7164 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
7165 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
7166 			 pinfo->exptime)) ||
7167 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
7168 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
7169 			pinfo->flags)) ||
7170 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
7171 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
7172 			 pinfo->discovery_timeout)) ||
7173 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
7174 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
7175 			pinfo->discovery_retries)) ||
7176 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
7177 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
7178 			pinfo->hop_count)) ||
7179 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
7180 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
7181 			 pinfo->path_change_count)))
7182 		goto nla_put_failure;
7183 
7184 	nla_nest_end(msg, pinfoattr);
7185 
7186 	genlmsg_end(msg, hdr);
7187 	return 0;
7188 
7189  nla_put_failure:
7190 	genlmsg_cancel(msg, hdr);
7191 	return -EMSGSIZE;
7192 }
7193 
7194 static int nl80211_dump_mpath(struct sk_buff *skb,
7195 			      struct netlink_callback *cb)
7196 {
7197 	struct mpath_info pinfo;
7198 	struct cfg80211_registered_device *rdev;
7199 	struct wireless_dev *wdev;
7200 	u8 dst[ETH_ALEN];
7201 	u8 next_hop[ETH_ALEN];
7202 	int path_idx = cb->args[2];
7203 	int err;
7204 
7205 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7206 	if (err)
7207 		return err;
7208 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7209 	__acquire(&rdev->wiphy.mtx);
7210 
7211 	if (!rdev->ops->dump_mpath) {
7212 		err = -EOPNOTSUPP;
7213 		goto out_err;
7214 	}
7215 
7216 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7217 		err = -EOPNOTSUPP;
7218 		goto out_err;
7219 	}
7220 
7221 	while (1) {
7222 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
7223 				      next_hop, &pinfo);
7224 		if (err == -ENOENT)
7225 			break;
7226 		if (err)
7227 			goto out_err;
7228 
7229 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7230 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7231 				       wdev->netdev, dst, next_hop,
7232 				       &pinfo) < 0)
7233 			goto out;
7234 
7235 		path_idx++;
7236 	}
7237 
7238  out:
7239 	cb->args[2] = path_idx;
7240 	err = skb->len;
7241  out_err:
7242 	wiphy_unlock(&rdev->wiphy);
7243 	return err;
7244 }
7245 
7246 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
7247 {
7248 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7249 	int err;
7250 	struct net_device *dev = info->user_ptr[1];
7251 	struct mpath_info pinfo;
7252 	struct sk_buff *msg;
7253 	u8 *dst = NULL;
7254 	u8 next_hop[ETH_ALEN];
7255 
7256 	memset(&pinfo, 0, sizeof(pinfo));
7257 
7258 	if (!info->attrs[NL80211_ATTR_MAC])
7259 		return -EINVAL;
7260 
7261 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7262 
7263 	if (!rdev->ops->get_mpath)
7264 		return -EOPNOTSUPP;
7265 
7266 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7267 		return -EOPNOTSUPP;
7268 
7269 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
7270 	if (err)
7271 		return err;
7272 
7273 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7274 	if (!msg)
7275 		return -ENOMEM;
7276 
7277 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7278 				 dev, dst, next_hop, &pinfo) < 0) {
7279 		nlmsg_free(msg);
7280 		return -ENOBUFS;
7281 	}
7282 
7283 	return genlmsg_reply(msg, info);
7284 }
7285 
7286 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
7287 {
7288 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7289 	struct net_device *dev = info->user_ptr[1];
7290 	u8 *dst = NULL;
7291 	u8 *next_hop = NULL;
7292 
7293 	if (!info->attrs[NL80211_ATTR_MAC])
7294 		return -EINVAL;
7295 
7296 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7297 		return -EINVAL;
7298 
7299 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7300 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7301 
7302 	if (!rdev->ops->change_mpath)
7303 		return -EOPNOTSUPP;
7304 
7305 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7306 		return -EOPNOTSUPP;
7307 
7308 	return rdev_change_mpath(rdev, dev, dst, next_hop);
7309 }
7310 
7311 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
7312 {
7313 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7314 	struct net_device *dev = info->user_ptr[1];
7315 	u8 *dst = NULL;
7316 	u8 *next_hop = NULL;
7317 
7318 	if (!info->attrs[NL80211_ATTR_MAC])
7319 		return -EINVAL;
7320 
7321 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7322 		return -EINVAL;
7323 
7324 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7325 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7326 
7327 	if (!rdev->ops->add_mpath)
7328 		return -EOPNOTSUPP;
7329 
7330 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7331 		return -EOPNOTSUPP;
7332 
7333 	return rdev_add_mpath(rdev, dev, dst, next_hop);
7334 }
7335 
7336 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
7337 {
7338 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7339 	struct net_device *dev = info->user_ptr[1];
7340 	u8 *dst = NULL;
7341 
7342 	if (info->attrs[NL80211_ATTR_MAC])
7343 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7344 
7345 	if (!rdev->ops->del_mpath)
7346 		return -EOPNOTSUPP;
7347 
7348 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7349 		return -EOPNOTSUPP;
7350 
7351 	return rdev_del_mpath(rdev, dev, dst);
7352 }
7353 
7354 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
7355 {
7356 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7357 	int err;
7358 	struct net_device *dev = info->user_ptr[1];
7359 	struct mpath_info pinfo;
7360 	struct sk_buff *msg;
7361 	u8 *dst = NULL;
7362 	u8 mpp[ETH_ALEN];
7363 
7364 	memset(&pinfo, 0, sizeof(pinfo));
7365 
7366 	if (!info->attrs[NL80211_ATTR_MAC])
7367 		return -EINVAL;
7368 
7369 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7370 
7371 	if (!rdev->ops->get_mpp)
7372 		return -EOPNOTSUPP;
7373 
7374 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7375 		return -EOPNOTSUPP;
7376 
7377 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
7378 	if (err)
7379 		return err;
7380 
7381 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7382 	if (!msg)
7383 		return -ENOMEM;
7384 
7385 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7386 			       dev, dst, mpp, &pinfo) < 0) {
7387 		nlmsg_free(msg);
7388 		return -ENOBUFS;
7389 	}
7390 
7391 	return genlmsg_reply(msg, info);
7392 }
7393 
7394 static int nl80211_dump_mpp(struct sk_buff *skb,
7395 			    struct netlink_callback *cb)
7396 {
7397 	struct mpath_info pinfo;
7398 	struct cfg80211_registered_device *rdev;
7399 	struct wireless_dev *wdev;
7400 	u8 dst[ETH_ALEN];
7401 	u8 mpp[ETH_ALEN];
7402 	int path_idx = cb->args[2];
7403 	int err;
7404 
7405 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7406 	if (err)
7407 		return err;
7408 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7409 	__acquire(&rdev->wiphy.mtx);
7410 
7411 	if (!rdev->ops->dump_mpp) {
7412 		err = -EOPNOTSUPP;
7413 		goto out_err;
7414 	}
7415 
7416 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7417 		err = -EOPNOTSUPP;
7418 		goto out_err;
7419 	}
7420 
7421 	while (1) {
7422 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
7423 				    mpp, &pinfo);
7424 		if (err == -ENOENT)
7425 			break;
7426 		if (err)
7427 			goto out_err;
7428 
7429 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7430 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7431 				       wdev->netdev, dst, mpp,
7432 				       &pinfo) < 0)
7433 			goto out;
7434 
7435 		path_idx++;
7436 	}
7437 
7438  out:
7439 	cb->args[2] = path_idx;
7440 	err = skb->len;
7441  out_err:
7442 	wiphy_unlock(&rdev->wiphy);
7443 	return err;
7444 }
7445 
7446 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
7447 {
7448 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7449 	struct net_device *dev = info->user_ptr[1];
7450 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7451 	struct bss_parameters params;
7452 	int err;
7453 
7454 	memset(&params, 0, sizeof(params));
7455 	/* default to not changing parameters */
7456 	params.use_cts_prot = -1;
7457 	params.use_short_preamble = -1;
7458 	params.use_short_slot_time = -1;
7459 	params.ap_isolate = -1;
7460 	params.ht_opmode = -1;
7461 	params.p2p_ctwindow = -1;
7462 	params.p2p_opp_ps = -1;
7463 
7464 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
7465 		params.use_cts_prot =
7466 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
7467 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
7468 		params.use_short_preamble =
7469 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
7470 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
7471 		params.use_short_slot_time =
7472 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
7473 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
7474 		params.basic_rates =
7475 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7476 		params.basic_rates_len =
7477 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7478 	}
7479 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
7480 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
7481 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
7482 		params.ht_opmode =
7483 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
7484 
7485 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
7486 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7487 			return -EINVAL;
7488 		params.p2p_ctwindow =
7489 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
7490 		if (params.p2p_ctwindow != 0 &&
7491 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
7492 			return -EINVAL;
7493 	}
7494 
7495 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
7496 		u8 tmp;
7497 
7498 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7499 			return -EINVAL;
7500 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
7501 		params.p2p_opp_ps = tmp;
7502 		if (params.p2p_opp_ps &&
7503 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
7504 			return -EINVAL;
7505 	}
7506 
7507 	if (!rdev->ops->change_bss)
7508 		return -EOPNOTSUPP;
7509 
7510 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7511 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7512 		return -EOPNOTSUPP;
7513 
7514 	wdev_lock(wdev);
7515 	err = rdev_change_bss(rdev, dev, &params);
7516 	wdev_unlock(wdev);
7517 
7518 	return err;
7519 }
7520 
7521 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
7522 {
7523 	char *data = NULL;
7524 	bool is_indoor;
7525 	enum nl80211_user_reg_hint_type user_reg_hint_type;
7526 	u32 owner_nlportid;
7527 
7528 	/*
7529 	 * You should only get this when cfg80211 hasn't yet initialized
7530 	 * completely when built-in to the kernel right between the time
7531 	 * window between nl80211_init() and regulatory_init(), if that is
7532 	 * even possible.
7533 	 */
7534 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
7535 		return -EINPROGRESS;
7536 
7537 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
7538 		user_reg_hint_type =
7539 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
7540 	else
7541 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
7542 
7543 	switch (user_reg_hint_type) {
7544 	case NL80211_USER_REG_HINT_USER:
7545 	case NL80211_USER_REG_HINT_CELL_BASE:
7546 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
7547 			return -EINVAL;
7548 
7549 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
7550 		return regulatory_hint_user(data, user_reg_hint_type);
7551 	case NL80211_USER_REG_HINT_INDOOR:
7552 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
7553 			owner_nlportid = info->snd_portid;
7554 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
7555 		} else {
7556 			owner_nlportid = 0;
7557 			is_indoor = true;
7558 		}
7559 
7560 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
7561 	default:
7562 		return -EINVAL;
7563 	}
7564 }
7565 
7566 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
7567 {
7568 	return reg_reload_regdb();
7569 }
7570 
7571 static int nl80211_get_mesh_config(struct sk_buff *skb,
7572 				   struct genl_info *info)
7573 {
7574 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7575 	struct net_device *dev = info->user_ptr[1];
7576 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7577 	struct mesh_config cur_params;
7578 	int err = 0;
7579 	void *hdr;
7580 	struct nlattr *pinfoattr;
7581 	struct sk_buff *msg;
7582 
7583 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7584 		return -EOPNOTSUPP;
7585 
7586 	if (!rdev->ops->get_mesh_config)
7587 		return -EOPNOTSUPP;
7588 
7589 	wdev_lock(wdev);
7590 	/* If not connected, get default parameters */
7591 	if (!wdev->mesh_id_len)
7592 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
7593 	else
7594 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
7595 	wdev_unlock(wdev);
7596 
7597 	if (err)
7598 		return err;
7599 
7600 	/* Draw up a netlink message to send back */
7601 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7602 	if (!msg)
7603 		return -ENOMEM;
7604 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7605 			     NL80211_CMD_GET_MESH_CONFIG);
7606 	if (!hdr)
7607 		goto out;
7608 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
7609 	if (!pinfoattr)
7610 		goto nla_put_failure;
7611 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7612 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
7613 			cur_params.dot11MeshRetryTimeout) ||
7614 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
7615 			cur_params.dot11MeshConfirmTimeout) ||
7616 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
7617 			cur_params.dot11MeshHoldingTimeout) ||
7618 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
7619 			cur_params.dot11MeshMaxPeerLinks) ||
7620 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
7621 		       cur_params.dot11MeshMaxRetries) ||
7622 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
7623 		       cur_params.dot11MeshTTL) ||
7624 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
7625 		       cur_params.element_ttl) ||
7626 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7627 		       cur_params.auto_open_plinks) ||
7628 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7629 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
7630 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7631 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
7632 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
7633 			cur_params.path_refresh_time) ||
7634 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7635 			cur_params.min_discovery_timeout) ||
7636 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7637 			cur_params.dot11MeshHWMPactivePathTimeout) ||
7638 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7639 			cur_params.dot11MeshHWMPpreqMinInterval) ||
7640 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7641 			cur_params.dot11MeshHWMPperrMinInterval) ||
7642 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7643 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
7644 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
7645 		       cur_params.dot11MeshHWMPRootMode) ||
7646 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7647 			cur_params.dot11MeshHWMPRannInterval) ||
7648 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7649 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
7650 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
7651 		       cur_params.dot11MeshForwarding) ||
7652 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
7653 			cur_params.rssi_threshold) ||
7654 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
7655 			cur_params.ht_opmode) ||
7656 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7657 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
7658 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7659 			cur_params.dot11MeshHWMProotInterval) ||
7660 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7661 			cur_params.dot11MeshHWMPconfirmationInterval) ||
7662 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
7663 			cur_params.power_mode) ||
7664 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
7665 			cur_params.dot11MeshAwakeWindowDuration) ||
7666 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
7667 			cur_params.plink_timeout) ||
7668 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
7669 		       cur_params.dot11MeshConnectedToMeshGate) ||
7670 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
7671 		       cur_params.dot11MeshNolearn) ||
7672 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
7673 		       cur_params.dot11MeshConnectedToAuthServer))
7674 		goto nla_put_failure;
7675 	nla_nest_end(msg, pinfoattr);
7676 	genlmsg_end(msg, hdr);
7677 	return genlmsg_reply(msg, info);
7678 
7679  nla_put_failure:
7680  out:
7681 	nlmsg_free(msg);
7682 	return -ENOBUFS;
7683 }
7684 
7685 static const struct nla_policy
7686 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
7687 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
7688 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7689 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
7690 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7691 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
7692 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7693 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
7694 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
7695 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
7696 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7697 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7698 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
7699 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
7700 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
7701 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
7702 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
7703 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
7704 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
7705 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
7706 		NLA_POLICY_MIN(NLA_U16, 1),
7707 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
7708 		NLA_POLICY_MIN(NLA_U16, 1),
7709 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
7710 		NLA_POLICY_MIN(NLA_U16, 1),
7711 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
7712 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
7713 		NLA_POLICY_MIN(NLA_U16, 1),
7714 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
7715 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
7716 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
7717 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
7718 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
7719 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
7720 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
7721 		NLA_POLICY_MIN(NLA_U16, 1),
7722 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
7723 		NLA_POLICY_MIN(NLA_U16, 1),
7724 	[NL80211_MESHCONF_POWER_MODE] =
7725 		NLA_POLICY_RANGE(NLA_U32,
7726 				 NL80211_MESH_POWER_ACTIVE,
7727 				 NL80211_MESH_POWER_MAX),
7728 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
7729 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
7730 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7731 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7732 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7733 };
7734 
7735 static const struct nla_policy
7736 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
7737 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
7738 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
7739 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
7740 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
7741 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
7742 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
7743 	[NL80211_MESH_SETUP_IE] =
7744 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
7745 				       IEEE80211_MAX_DATA_LEN),
7746 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
7747 };
7748 
7749 static int nl80211_parse_mesh_config(struct genl_info *info,
7750 				     struct mesh_config *cfg,
7751 				     u32 *mask_out)
7752 {
7753 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
7754 	u32 mask = 0;
7755 	u16 ht_opmode;
7756 
7757 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
7758 do {									\
7759 	if (tb[attr]) {							\
7760 		cfg->param = fn(tb[attr]);				\
7761 		mask |= BIT((attr) - 1);				\
7762 	}								\
7763 } while (0)
7764 
7765 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
7766 		return -EINVAL;
7767 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
7768 		return -EINVAL;
7769 
7770 	/* This makes sure that there aren't more than 32 mesh config
7771 	 * parameters (otherwise our bitfield scheme would not work.) */
7772 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
7773 
7774 	/* Fill in the params struct */
7775 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
7776 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
7777 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
7778 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
7779 				  nla_get_u16);
7780 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
7781 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
7782 				  nla_get_u16);
7783 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
7784 				  NL80211_MESHCONF_MAX_PEER_LINKS,
7785 				  nla_get_u16);
7786 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
7787 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
7788 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
7789 				  NL80211_MESHCONF_TTL, nla_get_u8);
7790 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
7791 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
7792 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
7793 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7794 				  nla_get_u8);
7795 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
7796 				  mask,
7797 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7798 				  nla_get_u32);
7799 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
7800 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7801 				  nla_get_u8);
7802 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
7803 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
7804 				  nla_get_u32);
7805 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
7806 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
7807 		return -EINVAL;
7808 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
7809 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7810 				  nla_get_u16);
7811 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
7812 				  mask,
7813 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7814 				  nla_get_u32);
7815 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
7816 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
7817 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
7818 		return -EINVAL;
7819 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
7820 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7821 				  nla_get_u16);
7822 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
7823 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7824 				  nla_get_u16);
7825 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7826 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
7827 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7828 				  nla_get_u16);
7829 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
7830 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
7831 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
7832 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7833 				  nla_get_u16);
7834 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
7835 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7836 				  nla_get_u8);
7837 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
7838 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
7839 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
7840 				  NL80211_MESHCONF_RSSI_THRESHOLD,
7841 				  nla_get_s32);
7842 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
7843 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
7844 				  nla_get_u8);
7845 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
7846 				  NL80211_MESHCONF_CONNECTED_TO_AS,
7847 				  nla_get_u8);
7848 	/*
7849 	 * Check HT operation mode based on
7850 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
7851 	 */
7852 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
7853 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
7854 
7855 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
7856 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
7857 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
7858 			return -EINVAL;
7859 
7860 		/* NON_HT_STA bit is reserved, but some programs set it */
7861 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
7862 
7863 		cfg->ht_opmode = ht_opmode;
7864 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
7865 	}
7866 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7867 				  dot11MeshHWMPactivePathToRootTimeout, mask,
7868 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7869 				  nla_get_u32);
7870 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
7871 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
7872 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
7873 		return -EINVAL;
7874 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
7875 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7876 				  nla_get_u16);
7877 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
7878 				  mask,
7879 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7880 				  nla_get_u16);
7881 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
7882 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
7883 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
7884 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
7885 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
7886 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
7887 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
7888 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
7889 	if (mask_out)
7890 		*mask_out = mask;
7891 
7892 	return 0;
7893 
7894 #undef FILL_IN_MESH_PARAM_IF_SET
7895 }
7896 
7897 static int nl80211_parse_mesh_setup(struct genl_info *info,
7898 				     struct mesh_setup *setup)
7899 {
7900 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7901 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
7902 
7903 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
7904 		return -EINVAL;
7905 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
7906 		return -EINVAL;
7907 
7908 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
7909 		setup->sync_method =
7910 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
7911 		 IEEE80211_SYNC_METHOD_VENDOR :
7912 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
7913 
7914 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
7915 		setup->path_sel_proto =
7916 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
7917 		 IEEE80211_PATH_PROTOCOL_VENDOR :
7918 		 IEEE80211_PATH_PROTOCOL_HWMP;
7919 
7920 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
7921 		setup->path_metric =
7922 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
7923 		 IEEE80211_PATH_METRIC_VENDOR :
7924 		 IEEE80211_PATH_METRIC_AIRTIME;
7925 
7926 	if (tb[NL80211_MESH_SETUP_IE]) {
7927 		struct nlattr *ieattr =
7928 			tb[NL80211_MESH_SETUP_IE];
7929 		setup->ie = nla_data(ieattr);
7930 		setup->ie_len = nla_len(ieattr);
7931 	}
7932 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
7933 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
7934 		return -EINVAL;
7935 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
7936 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
7937 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
7938 	if (setup->is_secure)
7939 		setup->user_mpm = true;
7940 
7941 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
7942 		if (!setup->user_mpm)
7943 			return -EINVAL;
7944 		setup->auth_id =
7945 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
7946 	}
7947 
7948 	return 0;
7949 }
7950 
7951 static int nl80211_update_mesh_config(struct sk_buff *skb,
7952 				      struct genl_info *info)
7953 {
7954 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7955 	struct net_device *dev = info->user_ptr[1];
7956 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7957 	struct mesh_config cfg;
7958 	u32 mask;
7959 	int err;
7960 
7961 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7962 		return -EOPNOTSUPP;
7963 
7964 	if (!rdev->ops->update_mesh_config)
7965 		return -EOPNOTSUPP;
7966 
7967 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
7968 	if (err)
7969 		return err;
7970 
7971 	wdev_lock(wdev);
7972 	if (!wdev->mesh_id_len)
7973 		err = -ENOLINK;
7974 
7975 	if (!err)
7976 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
7977 
7978 	wdev_unlock(wdev);
7979 
7980 	return err;
7981 }
7982 
7983 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
7984 			      struct sk_buff *msg)
7985 {
7986 	struct nlattr *nl_reg_rules;
7987 	unsigned int i;
7988 
7989 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
7990 	    (regdom->dfs_region &&
7991 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
7992 		goto nla_put_failure;
7993 
7994 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
7995 	if (!nl_reg_rules)
7996 		goto nla_put_failure;
7997 
7998 	for (i = 0; i < regdom->n_reg_rules; i++) {
7999 		struct nlattr *nl_reg_rule;
8000 		const struct ieee80211_reg_rule *reg_rule;
8001 		const struct ieee80211_freq_range *freq_range;
8002 		const struct ieee80211_power_rule *power_rule;
8003 		unsigned int max_bandwidth_khz;
8004 
8005 		reg_rule = &regdom->reg_rules[i];
8006 		freq_range = &reg_rule->freq_range;
8007 		power_rule = &reg_rule->power_rule;
8008 
8009 		nl_reg_rule = nla_nest_start_noflag(msg, i);
8010 		if (!nl_reg_rule)
8011 			goto nla_put_failure;
8012 
8013 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
8014 		if (!max_bandwidth_khz)
8015 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
8016 								  reg_rule);
8017 
8018 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
8019 				reg_rule->flags) ||
8020 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
8021 				freq_range->start_freq_khz) ||
8022 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
8023 				freq_range->end_freq_khz) ||
8024 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
8025 				max_bandwidth_khz) ||
8026 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
8027 				power_rule->max_antenna_gain) ||
8028 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
8029 				power_rule->max_eirp) ||
8030 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
8031 				reg_rule->dfs_cac_ms))
8032 			goto nla_put_failure;
8033 
8034 		nla_nest_end(msg, nl_reg_rule);
8035 	}
8036 
8037 	nla_nest_end(msg, nl_reg_rules);
8038 	return 0;
8039 
8040 nla_put_failure:
8041 	return -EMSGSIZE;
8042 }
8043 
8044 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
8045 {
8046 	const struct ieee80211_regdomain *regdom = NULL;
8047 	struct cfg80211_registered_device *rdev;
8048 	struct wiphy *wiphy = NULL;
8049 	struct sk_buff *msg;
8050 	int err = -EMSGSIZE;
8051 	void *hdr;
8052 
8053 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8054 	if (!msg)
8055 		return -ENOBUFS;
8056 
8057 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8058 			     NL80211_CMD_GET_REG);
8059 	if (!hdr)
8060 		goto put_failure;
8061 
8062 	rtnl_lock();
8063 
8064 	if (info->attrs[NL80211_ATTR_WIPHY]) {
8065 		bool self_managed;
8066 
8067 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
8068 		if (IS_ERR(rdev)) {
8069 			err = PTR_ERR(rdev);
8070 			goto nla_put_failure;
8071 		}
8072 
8073 		wiphy = &rdev->wiphy;
8074 		self_managed = wiphy->regulatory_flags &
8075 			       REGULATORY_WIPHY_SELF_MANAGED;
8076 
8077 		rcu_read_lock();
8078 
8079 		regdom = get_wiphy_regdom(wiphy);
8080 
8081 		/* a self-managed-reg device must have a private regdom */
8082 		if (WARN_ON(!regdom && self_managed)) {
8083 			err = -EINVAL;
8084 			goto nla_put_failure_rcu;
8085 		}
8086 
8087 		if (regdom &&
8088 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8089 			goto nla_put_failure_rcu;
8090 	} else {
8091 		rcu_read_lock();
8092 	}
8093 
8094 	if (!wiphy && reg_last_request_cell_base() &&
8095 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8096 			NL80211_USER_REG_HINT_CELL_BASE))
8097 		goto nla_put_failure_rcu;
8098 
8099 	if (!regdom)
8100 		regdom = rcu_dereference(cfg80211_regdomain);
8101 
8102 	if (nl80211_put_regdom(regdom, msg))
8103 		goto nla_put_failure_rcu;
8104 
8105 	rcu_read_unlock();
8106 
8107 	genlmsg_end(msg, hdr);
8108 	rtnl_unlock();
8109 	return genlmsg_reply(msg, info);
8110 
8111 nla_put_failure_rcu:
8112 	rcu_read_unlock();
8113 nla_put_failure:
8114 	rtnl_unlock();
8115 put_failure:
8116 	nlmsg_free(msg);
8117 	return err;
8118 }
8119 
8120 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
8121 			       u32 seq, int flags, struct wiphy *wiphy,
8122 			       const struct ieee80211_regdomain *regdom)
8123 {
8124 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8125 				   NL80211_CMD_GET_REG);
8126 
8127 	if (!hdr)
8128 		return -1;
8129 
8130 	genl_dump_check_consistent(cb, hdr);
8131 
8132 	if (nl80211_put_regdom(regdom, msg))
8133 		goto nla_put_failure;
8134 
8135 	if (!wiphy && reg_last_request_cell_base() &&
8136 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8137 			NL80211_USER_REG_HINT_CELL_BASE))
8138 		goto nla_put_failure;
8139 
8140 	if (wiphy &&
8141 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8142 		goto nla_put_failure;
8143 
8144 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
8145 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
8146 		goto nla_put_failure;
8147 
8148 	genlmsg_end(msg, hdr);
8149 	return 0;
8150 
8151 nla_put_failure:
8152 	genlmsg_cancel(msg, hdr);
8153 	return -EMSGSIZE;
8154 }
8155 
8156 static int nl80211_get_reg_dump(struct sk_buff *skb,
8157 				struct netlink_callback *cb)
8158 {
8159 	const struct ieee80211_regdomain *regdom = NULL;
8160 	struct cfg80211_registered_device *rdev;
8161 	int err, reg_idx, start = cb->args[2];
8162 
8163 	rcu_read_lock();
8164 
8165 	if (cfg80211_regdomain && start == 0) {
8166 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8167 					  NLM_F_MULTI, NULL,
8168 					  rcu_dereference(cfg80211_regdomain));
8169 		if (err < 0)
8170 			goto out_err;
8171 	}
8172 
8173 	/* the global regdom is idx 0 */
8174 	reg_idx = 1;
8175 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
8176 		regdom = get_wiphy_regdom(&rdev->wiphy);
8177 		if (!regdom)
8178 			continue;
8179 
8180 		if (++reg_idx <= start)
8181 			continue;
8182 
8183 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8184 					  NLM_F_MULTI, &rdev->wiphy, regdom);
8185 		if (err < 0) {
8186 			reg_idx--;
8187 			break;
8188 		}
8189 	}
8190 
8191 	cb->args[2] = reg_idx;
8192 	err = skb->len;
8193 out_err:
8194 	rcu_read_unlock();
8195 	return err;
8196 }
8197 
8198 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
8199 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
8200 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
8201 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
8202 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
8203 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
8204 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
8205 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
8206 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
8207 };
8208 
8209 static int parse_reg_rule(struct nlattr *tb[],
8210 	struct ieee80211_reg_rule *reg_rule)
8211 {
8212 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
8213 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
8214 
8215 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
8216 		return -EINVAL;
8217 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
8218 		return -EINVAL;
8219 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
8220 		return -EINVAL;
8221 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
8222 		return -EINVAL;
8223 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
8224 		return -EINVAL;
8225 
8226 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
8227 
8228 	freq_range->start_freq_khz =
8229 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
8230 	freq_range->end_freq_khz =
8231 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
8232 	freq_range->max_bandwidth_khz =
8233 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
8234 
8235 	power_rule->max_eirp =
8236 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
8237 
8238 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
8239 		power_rule->max_antenna_gain =
8240 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
8241 
8242 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
8243 		reg_rule->dfs_cac_ms =
8244 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
8245 
8246 	return 0;
8247 }
8248 
8249 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
8250 {
8251 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
8252 	struct nlattr *nl_reg_rule;
8253 	char *alpha2;
8254 	int rem_reg_rules, r;
8255 	u32 num_rules = 0, rule_idx = 0;
8256 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
8257 	struct ieee80211_regdomain *rd;
8258 
8259 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8260 		return -EINVAL;
8261 
8262 	if (!info->attrs[NL80211_ATTR_REG_RULES])
8263 		return -EINVAL;
8264 
8265 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8266 
8267 	if (info->attrs[NL80211_ATTR_DFS_REGION])
8268 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
8269 
8270 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8271 			    rem_reg_rules) {
8272 		num_rules++;
8273 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
8274 			return -EINVAL;
8275 	}
8276 
8277 	rtnl_lock();
8278 	if (!reg_is_valid_request(alpha2)) {
8279 		r = -EINVAL;
8280 		goto out;
8281 	}
8282 
8283 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
8284 	if (!rd) {
8285 		r = -ENOMEM;
8286 		goto out;
8287 	}
8288 
8289 	rd->n_reg_rules = num_rules;
8290 	rd->alpha2[0] = alpha2[0];
8291 	rd->alpha2[1] = alpha2[1];
8292 
8293 	/*
8294 	 * Disable DFS master mode if the DFS region was
8295 	 * not supported or known on this kernel.
8296 	 */
8297 	if (reg_supported_dfs_region(dfs_region))
8298 		rd->dfs_region = dfs_region;
8299 
8300 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8301 			    rem_reg_rules) {
8302 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
8303 						nl_reg_rule, reg_rule_policy,
8304 						info->extack);
8305 		if (r)
8306 			goto bad_reg;
8307 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
8308 		if (r)
8309 			goto bad_reg;
8310 
8311 		rule_idx++;
8312 
8313 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
8314 			r = -EINVAL;
8315 			goto bad_reg;
8316 		}
8317 	}
8318 
8319 	r = set_regdom(rd, REGD_SOURCE_CRDA);
8320 	/* set_regdom takes ownership of rd */
8321 	rd = NULL;
8322  bad_reg:
8323 	kfree(rd);
8324  out:
8325 	rtnl_unlock();
8326 	return r;
8327 }
8328 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
8329 
8330 static int validate_scan_freqs(struct nlattr *freqs)
8331 {
8332 	struct nlattr *attr1, *attr2;
8333 	int n_channels = 0, tmp1, tmp2;
8334 
8335 	nla_for_each_nested(attr1, freqs, tmp1)
8336 		if (nla_len(attr1) != sizeof(u32))
8337 			return 0;
8338 
8339 	nla_for_each_nested(attr1, freqs, tmp1) {
8340 		n_channels++;
8341 		/*
8342 		 * Some hardware has a limited channel list for
8343 		 * scanning, and it is pretty much nonsensical
8344 		 * to scan for a channel twice, so disallow that
8345 		 * and don't require drivers to check that the
8346 		 * channel list they get isn't longer than what
8347 		 * they can scan, as long as they can scan all
8348 		 * the channels they registered at once.
8349 		 */
8350 		nla_for_each_nested(attr2, freqs, tmp2)
8351 			if (attr1 != attr2 &&
8352 			    nla_get_u32(attr1) == nla_get_u32(attr2))
8353 				return 0;
8354 	}
8355 
8356 	return n_channels;
8357 }
8358 
8359 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
8360 {
8361 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
8362 }
8363 
8364 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
8365 			    struct cfg80211_bss_selection *bss_select)
8366 {
8367 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
8368 	struct nlattr *nest;
8369 	int err;
8370 	bool found = false;
8371 	int i;
8372 
8373 	/* only process one nested attribute */
8374 	nest = nla_data(nla);
8375 	if (!nla_ok(nest, nla_len(nest)))
8376 		return -EINVAL;
8377 
8378 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
8379 					  nest, nl80211_bss_select_policy,
8380 					  NULL);
8381 	if (err)
8382 		return err;
8383 
8384 	/* only one attribute may be given */
8385 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
8386 		if (attr[i]) {
8387 			if (found)
8388 				return -EINVAL;
8389 			found = true;
8390 		}
8391 	}
8392 
8393 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
8394 
8395 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
8396 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
8397 
8398 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
8399 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
8400 		bss_select->param.band_pref =
8401 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
8402 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
8403 			return -EINVAL;
8404 	}
8405 
8406 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
8407 		struct nl80211_bss_select_rssi_adjust *adj_param;
8408 
8409 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
8410 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
8411 		bss_select->param.adjust.band = adj_param->band;
8412 		bss_select->param.adjust.delta = adj_param->delta;
8413 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
8414 			return -EINVAL;
8415 	}
8416 
8417 	/* user-space did not provide behaviour attribute */
8418 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
8419 		return -EINVAL;
8420 
8421 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
8422 		return -EINVAL;
8423 
8424 	return 0;
8425 }
8426 
8427 int nl80211_parse_random_mac(struct nlattr **attrs,
8428 			     u8 *mac_addr, u8 *mac_addr_mask)
8429 {
8430 	int i;
8431 
8432 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
8433 		eth_zero_addr(mac_addr);
8434 		eth_zero_addr(mac_addr_mask);
8435 		mac_addr[0] = 0x2;
8436 		mac_addr_mask[0] = 0x3;
8437 
8438 		return 0;
8439 	}
8440 
8441 	/* need both or none */
8442 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
8443 		return -EINVAL;
8444 
8445 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
8446 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
8447 
8448 	/* don't allow or configure an mcast address */
8449 	if (!is_multicast_ether_addr(mac_addr_mask) ||
8450 	    is_multicast_ether_addr(mac_addr))
8451 		return -EINVAL;
8452 
8453 	/*
8454 	 * allow users to pass a MAC address that has bits set outside
8455 	 * of the mask, but don't bother drivers with having to deal
8456 	 * with such bits
8457 	 */
8458 	for (i = 0; i < ETH_ALEN; i++)
8459 		mac_addr[i] &= mac_addr_mask[i];
8460 
8461 	return 0;
8462 }
8463 
8464 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev)
8465 {
8466 	ASSERT_WDEV_LOCK(wdev);
8467 
8468 	if (!cfg80211_beaconing_iface_active(wdev))
8469 		return true;
8470 
8471 	if (!(wdev->chandef.chan->flags & IEEE80211_CHAN_RADAR))
8472 		return true;
8473 
8474 	return regulatory_pre_cac_allowed(wdev->wiphy);
8475 }
8476 
8477 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
8478 				    enum nl80211_ext_feature_index feat)
8479 {
8480 	if (!(flags & flag))
8481 		return true;
8482 	if (wiphy_ext_feature_isset(wiphy, feat))
8483 		return true;
8484 	return false;
8485 }
8486 
8487 static int
8488 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
8489 			 void *request, struct nlattr **attrs,
8490 			 bool is_sched_scan)
8491 {
8492 	u8 *mac_addr, *mac_addr_mask;
8493 	u32 *flags;
8494 	enum nl80211_feature_flags randomness_flag;
8495 
8496 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
8497 		return 0;
8498 
8499 	if (is_sched_scan) {
8500 		struct cfg80211_sched_scan_request *req = request;
8501 
8502 		randomness_flag = wdev ?
8503 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
8504 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
8505 		flags = &req->flags;
8506 		mac_addr = req->mac_addr;
8507 		mac_addr_mask = req->mac_addr_mask;
8508 	} else {
8509 		struct cfg80211_scan_request *req = request;
8510 
8511 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
8512 		flags = &req->flags;
8513 		mac_addr = req->mac_addr;
8514 		mac_addr_mask = req->mac_addr_mask;
8515 	}
8516 
8517 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
8518 
8519 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
8520 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
8521 	    !nl80211_check_scan_feat(wiphy, *flags,
8522 				     NL80211_SCAN_FLAG_LOW_SPAN,
8523 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
8524 	    !nl80211_check_scan_feat(wiphy, *flags,
8525 				     NL80211_SCAN_FLAG_LOW_POWER,
8526 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
8527 	    !nl80211_check_scan_feat(wiphy, *flags,
8528 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
8529 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
8530 	    !nl80211_check_scan_feat(wiphy, *flags,
8531 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
8532 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
8533 	    !nl80211_check_scan_feat(wiphy, *flags,
8534 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
8535 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
8536 	    !nl80211_check_scan_feat(wiphy, *flags,
8537 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
8538 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
8539 	    !nl80211_check_scan_feat(wiphy, *flags,
8540 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
8541 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
8542 	    !nl80211_check_scan_feat(wiphy, *flags,
8543 				     NL80211_SCAN_FLAG_RANDOM_SN,
8544 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
8545 	    !nl80211_check_scan_feat(wiphy, *flags,
8546 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
8547 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
8548 		return -EOPNOTSUPP;
8549 
8550 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
8551 		int err;
8552 
8553 		if (!(wiphy->features & randomness_flag) ||
8554 		    (wdev && wdev->current_bss))
8555 			return -EOPNOTSUPP;
8556 
8557 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
8558 		if (err)
8559 			return err;
8560 	}
8561 
8562 	return 0;
8563 }
8564 
8565 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
8566 {
8567 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8568 	struct wireless_dev *wdev = info->user_ptr[1];
8569 	struct cfg80211_scan_request *request;
8570 	struct nlattr *scan_freqs = NULL;
8571 	bool scan_freqs_khz = false;
8572 	struct nlattr *attr;
8573 	struct wiphy *wiphy;
8574 	int err, tmp, n_ssids = 0, n_channels, i;
8575 	size_t ie_len;
8576 
8577 	wiphy = &rdev->wiphy;
8578 
8579 	if (wdev->iftype == NL80211_IFTYPE_NAN)
8580 		return -EOPNOTSUPP;
8581 
8582 	if (!rdev->ops->scan)
8583 		return -EOPNOTSUPP;
8584 
8585 	if (rdev->scan_req || rdev->scan_msg)
8586 		return -EBUSY;
8587 
8588 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
8589 		if (!wiphy_ext_feature_isset(wiphy,
8590 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
8591 			return -EOPNOTSUPP;
8592 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
8593 		scan_freqs_khz = true;
8594 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
8595 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
8596 
8597 	if (scan_freqs) {
8598 		n_channels = validate_scan_freqs(scan_freqs);
8599 		if (!n_channels)
8600 			return -EINVAL;
8601 	} else {
8602 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8603 	}
8604 
8605 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
8606 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
8607 			n_ssids++;
8608 
8609 	if (n_ssids > wiphy->max_scan_ssids)
8610 		return -EINVAL;
8611 
8612 	if (info->attrs[NL80211_ATTR_IE])
8613 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8614 	else
8615 		ie_len = 0;
8616 
8617 	if (ie_len > wiphy->max_scan_ie_len)
8618 		return -EINVAL;
8619 
8620 	request = kzalloc(sizeof(*request)
8621 			+ sizeof(*request->ssids) * n_ssids
8622 			+ sizeof(*request->channels) * n_channels
8623 			+ ie_len, GFP_KERNEL);
8624 	if (!request)
8625 		return -ENOMEM;
8626 
8627 	if (n_ssids)
8628 		request->ssids = (void *)&request->channels[n_channels];
8629 	request->n_ssids = n_ssids;
8630 	if (ie_len) {
8631 		if (n_ssids)
8632 			request->ie = (void *)(request->ssids + n_ssids);
8633 		else
8634 			request->ie = (void *)(request->channels + n_channels);
8635 	}
8636 
8637 	i = 0;
8638 	if (scan_freqs) {
8639 		/* user specified, bail out if channel not found */
8640 		nla_for_each_nested(attr, scan_freqs, tmp) {
8641 			struct ieee80211_channel *chan;
8642 			int freq = nla_get_u32(attr);
8643 
8644 			if (!scan_freqs_khz)
8645 				freq = MHZ_TO_KHZ(freq);
8646 
8647 			chan = ieee80211_get_channel_khz(wiphy, freq);
8648 			if (!chan) {
8649 				err = -EINVAL;
8650 				goto out_free;
8651 			}
8652 
8653 			/* ignore disabled channels */
8654 			if (chan->flags & IEEE80211_CHAN_DISABLED)
8655 				continue;
8656 
8657 			request->channels[i] = chan;
8658 			i++;
8659 		}
8660 	} else {
8661 		enum nl80211_band band;
8662 
8663 		/* all channels */
8664 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
8665 			int j;
8666 
8667 			if (!wiphy->bands[band])
8668 				continue;
8669 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
8670 				struct ieee80211_channel *chan;
8671 
8672 				chan = &wiphy->bands[band]->channels[j];
8673 
8674 				if (chan->flags & IEEE80211_CHAN_DISABLED)
8675 					continue;
8676 
8677 				request->channels[i] = chan;
8678 				i++;
8679 			}
8680 		}
8681 	}
8682 
8683 	if (!i) {
8684 		err = -EINVAL;
8685 		goto out_free;
8686 	}
8687 
8688 	request->n_channels = i;
8689 
8690 	wdev_lock(wdev);
8691 	if (!cfg80211_off_channel_oper_allowed(wdev)) {
8692 		struct ieee80211_channel *chan;
8693 
8694 		if (request->n_channels != 1) {
8695 			wdev_unlock(wdev);
8696 			err = -EBUSY;
8697 			goto out_free;
8698 		}
8699 
8700 		chan = request->channels[0];
8701 		if (chan->center_freq != wdev->chandef.chan->center_freq) {
8702 			wdev_unlock(wdev);
8703 			err = -EBUSY;
8704 			goto out_free;
8705 		}
8706 	}
8707 	wdev_unlock(wdev);
8708 
8709 	i = 0;
8710 	if (n_ssids) {
8711 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
8712 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
8713 				err = -EINVAL;
8714 				goto out_free;
8715 			}
8716 			request->ssids[i].ssid_len = nla_len(attr);
8717 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
8718 			i++;
8719 		}
8720 	}
8721 
8722 	if (info->attrs[NL80211_ATTR_IE]) {
8723 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8724 		memcpy((void *)request->ie,
8725 		       nla_data(info->attrs[NL80211_ATTR_IE]),
8726 		       request->ie_len);
8727 	}
8728 
8729 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8730 		if (wiphy->bands[i])
8731 			request->rates[i] =
8732 				(1 << wiphy->bands[i]->n_bitrates) - 1;
8733 
8734 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
8735 		nla_for_each_nested(attr,
8736 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
8737 				    tmp) {
8738 			enum nl80211_band band = nla_type(attr);
8739 
8740 			if (band < 0 || band >= NUM_NL80211_BANDS) {
8741 				err = -EINVAL;
8742 				goto out_free;
8743 			}
8744 
8745 			if (!wiphy->bands[band])
8746 				continue;
8747 
8748 			err = ieee80211_get_ratemask(wiphy->bands[band],
8749 						     nla_data(attr),
8750 						     nla_len(attr),
8751 						     &request->rates[band]);
8752 			if (err)
8753 				goto out_free;
8754 		}
8755 	}
8756 
8757 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
8758 		request->duration =
8759 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
8760 		request->duration_mandatory =
8761 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
8762 	}
8763 
8764 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
8765 				       false);
8766 	if (err)
8767 		goto out_free;
8768 
8769 	request->no_cck =
8770 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
8771 
8772 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
8773 	 * BSSID to scan for. This was problematic because that same attribute
8774 	 * was already used for another purpose (local random MAC address). The
8775 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
8776 	 * compatibility with older userspace components, also use the
8777 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
8778 	 * the specific BSSID use case instead of the random MAC address
8779 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
8780 	 */
8781 	if (info->attrs[NL80211_ATTR_BSSID])
8782 		memcpy(request->bssid,
8783 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
8784 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
8785 		 info->attrs[NL80211_ATTR_MAC])
8786 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
8787 		       ETH_ALEN);
8788 	else
8789 		eth_broadcast_addr(request->bssid);
8790 
8791 	request->wdev = wdev;
8792 	request->wiphy = &rdev->wiphy;
8793 	request->scan_start = jiffies;
8794 
8795 	rdev->scan_req = request;
8796 	err = cfg80211_scan(rdev);
8797 
8798 	if (err)
8799 		goto out_free;
8800 
8801 	nl80211_send_scan_start(rdev, wdev);
8802 	dev_hold(wdev->netdev);
8803 
8804 	return 0;
8805 
8806  out_free:
8807 	rdev->scan_req = NULL;
8808 	kfree(request);
8809 
8810 	return err;
8811 }
8812 
8813 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
8814 {
8815 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8816 	struct wireless_dev *wdev = info->user_ptr[1];
8817 
8818 	if (!rdev->ops->abort_scan)
8819 		return -EOPNOTSUPP;
8820 
8821 	if (rdev->scan_msg)
8822 		return 0;
8823 
8824 	if (!rdev->scan_req)
8825 		return -ENOENT;
8826 
8827 	rdev_abort_scan(rdev, wdev);
8828 	return 0;
8829 }
8830 
8831 static int
8832 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
8833 			       struct cfg80211_sched_scan_request *request,
8834 			       struct nlattr **attrs)
8835 {
8836 	int tmp, err, i = 0;
8837 	struct nlattr *attr;
8838 
8839 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
8840 		u32 interval;
8841 
8842 		/*
8843 		 * If scan plans are not specified,
8844 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
8845 		 * case one scan plan will be set with the specified scan
8846 		 * interval and infinite number of iterations.
8847 		 */
8848 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
8849 		if (!interval)
8850 			return -EINVAL;
8851 
8852 		request->scan_plans[0].interval =
8853 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
8854 		if (!request->scan_plans[0].interval)
8855 			return -EINVAL;
8856 
8857 		if (request->scan_plans[0].interval >
8858 		    wiphy->max_sched_scan_plan_interval)
8859 			request->scan_plans[0].interval =
8860 				wiphy->max_sched_scan_plan_interval;
8861 
8862 		return 0;
8863 	}
8864 
8865 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
8866 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
8867 
8868 		if (WARN_ON(i >= n_plans))
8869 			return -EINVAL;
8870 
8871 		err = nla_parse_nested_deprecated(plan,
8872 						  NL80211_SCHED_SCAN_PLAN_MAX,
8873 						  attr, nl80211_plan_policy,
8874 						  NULL);
8875 		if (err)
8876 			return err;
8877 
8878 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
8879 			return -EINVAL;
8880 
8881 		request->scan_plans[i].interval =
8882 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
8883 		if (!request->scan_plans[i].interval ||
8884 		    request->scan_plans[i].interval >
8885 		    wiphy->max_sched_scan_plan_interval)
8886 			return -EINVAL;
8887 
8888 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
8889 			request->scan_plans[i].iterations =
8890 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
8891 			if (!request->scan_plans[i].iterations ||
8892 			    (request->scan_plans[i].iterations >
8893 			     wiphy->max_sched_scan_plan_iterations))
8894 				return -EINVAL;
8895 		} else if (i < n_plans - 1) {
8896 			/*
8897 			 * All scan plans but the last one must specify
8898 			 * a finite number of iterations
8899 			 */
8900 			return -EINVAL;
8901 		}
8902 
8903 		i++;
8904 	}
8905 
8906 	/*
8907 	 * The last scan plan must not specify the number of
8908 	 * iterations, it is supposed to run infinitely
8909 	 */
8910 	if (request->scan_plans[n_plans - 1].iterations)
8911 		return  -EINVAL;
8912 
8913 	return 0;
8914 }
8915 
8916 static int
8917 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
8918 				       struct cfg80211_match_set *match_sets,
8919 				       struct nlattr *tb_band_rssi,
8920 				       s32 rssi_thold)
8921 {
8922 	struct nlattr *attr;
8923 	int i, tmp, ret = 0;
8924 
8925 	if (!wiphy_ext_feature_isset(wiphy,
8926 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
8927 		if (tb_band_rssi)
8928 			ret = -EOPNOTSUPP;
8929 		else
8930 			for (i = 0; i < NUM_NL80211_BANDS; i++)
8931 				match_sets->per_band_rssi_thold[i] =
8932 					NL80211_SCAN_RSSI_THOLD_OFF;
8933 		return ret;
8934 	}
8935 
8936 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8937 		match_sets->per_band_rssi_thold[i] = rssi_thold;
8938 
8939 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
8940 		enum nl80211_band band = nla_type(attr);
8941 
8942 		if (band < 0 || band >= NUM_NL80211_BANDS)
8943 			return -EINVAL;
8944 
8945 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
8946 	}
8947 
8948 	return 0;
8949 }
8950 
8951 static struct cfg80211_sched_scan_request *
8952 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
8953 			 struct nlattr **attrs, int max_match_sets)
8954 {
8955 	struct cfg80211_sched_scan_request *request;
8956 	struct nlattr *attr;
8957 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
8958 	enum nl80211_band band;
8959 	size_t ie_len;
8960 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
8961 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
8962 
8963 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
8964 		n_channels = validate_scan_freqs(
8965 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
8966 		if (!n_channels)
8967 			return ERR_PTR(-EINVAL);
8968 	} else {
8969 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8970 	}
8971 
8972 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
8973 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
8974 				    tmp)
8975 			n_ssids++;
8976 
8977 	if (n_ssids > wiphy->max_sched_scan_ssids)
8978 		return ERR_PTR(-EINVAL);
8979 
8980 	/*
8981 	 * First, count the number of 'real' matchsets. Due to an issue with
8982 	 * the old implementation, matchsets containing only the RSSI attribute
8983 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
8984 	 * RSSI for all matchsets, rather than their own matchset for reporting
8985 	 * all APs with a strong RSSI. This is needed to be compatible with
8986 	 * older userspace that treated a matchset with only the RSSI as the
8987 	 * global RSSI for all other matchsets - if there are other matchsets.
8988 	 */
8989 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
8990 		nla_for_each_nested(attr,
8991 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
8992 				    tmp) {
8993 			struct nlattr *rssi;
8994 
8995 			err = nla_parse_nested_deprecated(tb,
8996 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
8997 							  attr,
8998 							  nl80211_match_policy,
8999 							  NULL);
9000 			if (err)
9001 				return ERR_PTR(err);
9002 
9003 			/* SSID and BSSID are mutually exclusive */
9004 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
9005 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
9006 				return ERR_PTR(-EINVAL);
9007 
9008 			/* add other standalone attributes here */
9009 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
9010 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
9011 				n_match_sets++;
9012 				continue;
9013 			}
9014 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9015 			if (rssi)
9016 				default_match_rssi = nla_get_s32(rssi);
9017 		}
9018 	}
9019 
9020 	/* However, if there's no other matchset, add the RSSI one */
9021 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
9022 		n_match_sets = 1;
9023 
9024 	if (n_match_sets > max_match_sets)
9025 		return ERR_PTR(-EINVAL);
9026 
9027 	if (attrs[NL80211_ATTR_IE])
9028 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
9029 	else
9030 		ie_len = 0;
9031 
9032 	if (ie_len > wiphy->max_sched_scan_ie_len)
9033 		return ERR_PTR(-EINVAL);
9034 
9035 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9036 		/*
9037 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
9038 		 * each scan plan already specifies its own interval
9039 		 */
9040 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9041 			return ERR_PTR(-EINVAL);
9042 
9043 		nla_for_each_nested(attr,
9044 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
9045 			n_plans++;
9046 	} else {
9047 		/*
9048 		 * The scan interval attribute is kept for backward
9049 		 * compatibility. If no scan plans are specified and sched scan
9050 		 * interval is specified, one scan plan will be set with this
9051 		 * scan interval and infinite number of iterations.
9052 		 */
9053 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9054 			return ERR_PTR(-EINVAL);
9055 
9056 		n_plans = 1;
9057 	}
9058 
9059 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
9060 		return ERR_PTR(-EINVAL);
9061 
9062 	if (!wiphy_ext_feature_isset(
9063 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
9064 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
9065 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
9066 		return ERR_PTR(-EINVAL);
9067 
9068 	request = kzalloc(sizeof(*request)
9069 			+ sizeof(*request->ssids) * n_ssids
9070 			+ sizeof(*request->match_sets) * n_match_sets
9071 			+ sizeof(*request->scan_plans) * n_plans
9072 			+ sizeof(*request->channels) * n_channels
9073 			+ ie_len, GFP_KERNEL);
9074 	if (!request)
9075 		return ERR_PTR(-ENOMEM);
9076 
9077 	if (n_ssids)
9078 		request->ssids = (void *)&request->channels[n_channels];
9079 	request->n_ssids = n_ssids;
9080 	if (ie_len) {
9081 		if (n_ssids)
9082 			request->ie = (void *)(request->ssids + n_ssids);
9083 		else
9084 			request->ie = (void *)(request->channels + n_channels);
9085 	}
9086 
9087 	if (n_match_sets) {
9088 		if (request->ie)
9089 			request->match_sets = (void *)(request->ie + ie_len);
9090 		else if (n_ssids)
9091 			request->match_sets =
9092 				(void *)(request->ssids + n_ssids);
9093 		else
9094 			request->match_sets =
9095 				(void *)(request->channels + n_channels);
9096 	}
9097 	request->n_match_sets = n_match_sets;
9098 
9099 	if (n_match_sets)
9100 		request->scan_plans = (void *)(request->match_sets +
9101 					       n_match_sets);
9102 	else if (request->ie)
9103 		request->scan_plans = (void *)(request->ie + ie_len);
9104 	else if (n_ssids)
9105 		request->scan_plans = (void *)(request->ssids + n_ssids);
9106 	else
9107 		request->scan_plans = (void *)(request->channels + n_channels);
9108 
9109 	request->n_scan_plans = n_plans;
9110 
9111 	i = 0;
9112 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9113 		/* user specified, bail out if channel not found */
9114 		nla_for_each_nested(attr,
9115 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
9116 				    tmp) {
9117 			struct ieee80211_channel *chan;
9118 
9119 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
9120 
9121 			if (!chan) {
9122 				err = -EINVAL;
9123 				goto out_free;
9124 			}
9125 
9126 			/* ignore disabled channels */
9127 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9128 				continue;
9129 
9130 			request->channels[i] = chan;
9131 			i++;
9132 		}
9133 	} else {
9134 		/* all channels */
9135 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9136 			int j;
9137 
9138 			if (!wiphy->bands[band])
9139 				continue;
9140 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9141 				struct ieee80211_channel *chan;
9142 
9143 				chan = &wiphy->bands[band]->channels[j];
9144 
9145 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9146 					continue;
9147 
9148 				request->channels[i] = chan;
9149 				i++;
9150 			}
9151 		}
9152 	}
9153 
9154 	if (!i) {
9155 		err = -EINVAL;
9156 		goto out_free;
9157 	}
9158 
9159 	request->n_channels = i;
9160 
9161 	i = 0;
9162 	if (n_ssids) {
9163 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9164 				    tmp) {
9165 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9166 				err = -EINVAL;
9167 				goto out_free;
9168 			}
9169 			request->ssids[i].ssid_len = nla_len(attr);
9170 			memcpy(request->ssids[i].ssid, nla_data(attr),
9171 			       nla_len(attr));
9172 			i++;
9173 		}
9174 	}
9175 
9176 	i = 0;
9177 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9178 		nla_for_each_nested(attr,
9179 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9180 				    tmp) {
9181 			struct nlattr *ssid, *bssid, *rssi;
9182 
9183 			err = nla_parse_nested_deprecated(tb,
9184 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9185 							  attr,
9186 							  nl80211_match_policy,
9187 							  NULL);
9188 			if (err)
9189 				goto out_free;
9190 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
9191 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
9192 
9193 			if (!ssid && !bssid) {
9194 				i++;
9195 				continue;
9196 			}
9197 
9198 			if (WARN_ON(i >= n_match_sets)) {
9199 				/* this indicates a programming error,
9200 				 * the loop above should have verified
9201 				 * things properly
9202 				 */
9203 				err = -EINVAL;
9204 				goto out_free;
9205 			}
9206 
9207 			if (ssid) {
9208 				memcpy(request->match_sets[i].ssid.ssid,
9209 				       nla_data(ssid), nla_len(ssid));
9210 				request->match_sets[i].ssid.ssid_len =
9211 					nla_len(ssid);
9212 			}
9213 			if (bssid)
9214 				memcpy(request->match_sets[i].bssid,
9215 				       nla_data(bssid), ETH_ALEN);
9216 
9217 			/* special attribute - old implementation w/a */
9218 			request->match_sets[i].rssi_thold = default_match_rssi;
9219 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9220 			if (rssi)
9221 				request->match_sets[i].rssi_thold =
9222 					nla_get_s32(rssi);
9223 
9224 			/* Parse per band RSSI attribute */
9225 			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
9226 				&request->match_sets[i],
9227 				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
9228 				request->match_sets[i].rssi_thold);
9229 			if (err)
9230 				goto out_free;
9231 
9232 			i++;
9233 		}
9234 
9235 		/* there was no other matchset, so the RSSI one is alone */
9236 		if (i == 0 && n_match_sets)
9237 			request->match_sets[0].rssi_thold = default_match_rssi;
9238 
9239 		request->min_rssi_thold = INT_MAX;
9240 		for (i = 0; i < n_match_sets; i++)
9241 			request->min_rssi_thold =
9242 				min(request->match_sets[i].rssi_thold,
9243 				    request->min_rssi_thold);
9244 	} else {
9245 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
9246 	}
9247 
9248 	if (ie_len) {
9249 		request->ie_len = ie_len;
9250 		memcpy((void *)request->ie,
9251 		       nla_data(attrs[NL80211_ATTR_IE]),
9252 		       request->ie_len);
9253 	}
9254 
9255 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
9256 	if (err)
9257 		goto out_free;
9258 
9259 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
9260 		request->delay =
9261 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
9262 
9263 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
9264 		request->relative_rssi = nla_get_s8(
9265 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
9266 		request->relative_rssi_set = true;
9267 	}
9268 
9269 	if (request->relative_rssi_set &&
9270 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
9271 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
9272 
9273 		rssi_adjust = nla_data(
9274 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
9275 		request->rssi_adjust.band = rssi_adjust->band;
9276 		request->rssi_adjust.delta = rssi_adjust->delta;
9277 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
9278 			err = -EINVAL;
9279 			goto out_free;
9280 		}
9281 	}
9282 
9283 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
9284 	if (err)
9285 		goto out_free;
9286 
9287 	request->scan_start = jiffies;
9288 
9289 	return request;
9290 
9291 out_free:
9292 	kfree(request);
9293 	return ERR_PTR(err);
9294 }
9295 
9296 static int nl80211_start_sched_scan(struct sk_buff *skb,
9297 				    struct genl_info *info)
9298 {
9299 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9300 	struct net_device *dev = info->user_ptr[1];
9301 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9302 	struct cfg80211_sched_scan_request *sched_scan_req;
9303 	bool want_multi;
9304 	int err;
9305 
9306 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
9307 		return -EOPNOTSUPP;
9308 
9309 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
9310 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
9311 	if (err)
9312 		return err;
9313 
9314 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
9315 						  info->attrs,
9316 						  rdev->wiphy.max_match_sets);
9317 
9318 	err = PTR_ERR_OR_ZERO(sched_scan_req);
9319 	if (err)
9320 		goto out_err;
9321 
9322 	/* leave request id zero for legacy request
9323 	 * or if driver does not support multi-scheduled scan
9324 	 */
9325 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
9326 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
9327 
9328 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
9329 	if (err)
9330 		goto out_free;
9331 
9332 	sched_scan_req->dev = dev;
9333 	sched_scan_req->wiphy = &rdev->wiphy;
9334 
9335 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9336 		sched_scan_req->owner_nlportid = info->snd_portid;
9337 
9338 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
9339 
9340 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
9341 	return 0;
9342 
9343 out_free:
9344 	kfree(sched_scan_req);
9345 out_err:
9346 	return err;
9347 }
9348 
9349 static int nl80211_stop_sched_scan(struct sk_buff *skb,
9350 				   struct genl_info *info)
9351 {
9352 	struct cfg80211_sched_scan_request *req;
9353 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9354 	u64 cookie;
9355 
9356 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
9357 		return -EOPNOTSUPP;
9358 
9359 	if (info->attrs[NL80211_ATTR_COOKIE]) {
9360 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
9361 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
9362 	}
9363 
9364 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
9365 				     struct cfg80211_sched_scan_request,
9366 				     list);
9367 	if (!req || req->reqid ||
9368 	    (req->owner_nlportid &&
9369 	     req->owner_nlportid != info->snd_portid))
9370 		return -ENOENT;
9371 
9372 	return cfg80211_stop_sched_scan_req(rdev, req, false);
9373 }
9374 
9375 static int nl80211_start_radar_detection(struct sk_buff *skb,
9376 					 struct genl_info *info)
9377 {
9378 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9379 	struct net_device *dev = info->user_ptr[1];
9380 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9381 	struct wiphy *wiphy = wdev->wiphy;
9382 	struct cfg80211_chan_def chandef;
9383 	enum nl80211_dfs_regions dfs_region;
9384 	unsigned int cac_time_ms;
9385 	int err = -EINVAL;
9386 
9387 	flush_delayed_work(&rdev->dfs_update_channels_wk);
9388 
9389 	wiphy_lock(wiphy);
9390 
9391 	dfs_region = reg_get_dfs_region(wiphy);
9392 	if (dfs_region == NL80211_DFS_UNSET)
9393 		goto unlock;
9394 
9395 	err = nl80211_parse_chandef(rdev, info, &chandef);
9396 	if (err)
9397 		goto unlock;
9398 
9399 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9400 	if (err < 0)
9401 		goto unlock;
9402 
9403 	if (err == 0) {
9404 		err = -EINVAL;
9405 		goto unlock;
9406 	}
9407 
9408 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef)) {
9409 		err = -EINVAL;
9410 		goto unlock;
9411 	}
9412 
9413 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND])) {
9414 		err = cfg80211_start_background_radar_detection(rdev, wdev,
9415 								&chandef);
9416 		goto unlock;
9417 	}
9418 
9419 	if (netif_carrier_ok(dev)) {
9420 		err = -EBUSY;
9421 		goto unlock;
9422 	}
9423 
9424 	if (wdev->cac_started) {
9425 		err = -EBUSY;
9426 		goto unlock;
9427 	}
9428 
9429 	/* CAC start is offloaded to HW and can't be started manually */
9430 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD)) {
9431 		err = -EOPNOTSUPP;
9432 		goto unlock;
9433 	}
9434 
9435 	if (!rdev->ops->start_radar_detection) {
9436 		err = -EOPNOTSUPP;
9437 		goto unlock;
9438 	}
9439 
9440 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
9441 	if (WARN_ON(!cac_time_ms))
9442 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
9443 
9444 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
9445 	if (!err) {
9446 		wdev->chandef = chandef;
9447 		wdev->cac_started = true;
9448 		wdev->cac_start_time = jiffies;
9449 		wdev->cac_time_ms = cac_time_ms;
9450 	}
9451 unlock:
9452 	wiphy_unlock(wiphy);
9453 
9454 	return err;
9455 }
9456 
9457 static int nl80211_notify_radar_detection(struct sk_buff *skb,
9458 					  struct genl_info *info)
9459 {
9460 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9461 	struct net_device *dev = info->user_ptr[1];
9462 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9463 	struct wiphy *wiphy = wdev->wiphy;
9464 	struct cfg80211_chan_def chandef;
9465 	enum nl80211_dfs_regions dfs_region;
9466 	int err;
9467 
9468 	dfs_region = reg_get_dfs_region(wiphy);
9469 	if (dfs_region == NL80211_DFS_UNSET) {
9470 		GENL_SET_ERR_MSG(info,
9471 				 "DFS Region is not set. Unexpected Radar indication");
9472 		return -EINVAL;
9473 	}
9474 
9475 	err = nl80211_parse_chandef(rdev, info, &chandef);
9476 	if (err) {
9477 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
9478 		return err;
9479 	}
9480 
9481 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9482 	if (err < 0) {
9483 		GENL_SET_ERR_MSG(info, "chandef is invalid");
9484 		return err;
9485 	}
9486 
9487 	if (err == 0) {
9488 		GENL_SET_ERR_MSG(info,
9489 				 "Unexpected Radar indication for chandef/iftype");
9490 		return -EINVAL;
9491 	}
9492 
9493 	/* Do not process this notification if radar is already detected
9494 	 * by kernel on this channel, and return success.
9495 	 */
9496 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
9497 		return 0;
9498 
9499 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
9500 
9501 	cfg80211_sched_dfs_chan_update(rdev);
9502 
9503 	rdev->radar_chandef = chandef;
9504 
9505 	/* Propagate this notification to other radios as well */
9506 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
9507 
9508 	return 0;
9509 }
9510 
9511 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
9512 {
9513 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9514 	struct net_device *dev = info->user_ptr[1];
9515 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9516 	struct cfg80211_csa_settings params;
9517 	struct nlattr **csa_attrs = NULL;
9518 	int err;
9519 	bool need_new_beacon = false;
9520 	bool need_handle_dfs_flag = true;
9521 	int len, i;
9522 	u32 cs_count;
9523 
9524 	if (!rdev->ops->channel_switch ||
9525 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
9526 		return -EOPNOTSUPP;
9527 
9528 	switch (dev->ieee80211_ptr->iftype) {
9529 	case NL80211_IFTYPE_AP:
9530 	case NL80211_IFTYPE_P2P_GO:
9531 		need_new_beacon = true;
9532 		/* For all modes except AP the handle_dfs flag needs to be
9533 		 * supplied to tell the kernel that userspace will handle radar
9534 		 * events when they happen. Otherwise a switch to a channel
9535 		 * requiring DFS will be rejected.
9536 		 */
9537 		need_handle_dfs_flag = false;
9538 
9539 		/* useless if AP is not running */
9540 		if (!wdev->beacon_interval)
9541 			return -ENOTCONN;
9542 		break;
9543 	case NL80211_IFTYPE_ADHOC:
9544 		if (!wdev->ssid_len)
9545 			return -ENOTCONN;
9546 		break;
9547 	case NL80211_IFTYPE_MESH_POINT:
9548 		if (!wdev->mesh_id_len)
9549 			return -ENOTCONN;
9550 		break;
9551 	default:
9552 		return -EOPNOTSUPP;
9553 	}
9554 
9555 	memset(&params, 0, sizeof(params));
9556 	params.beacon_csa.ftm_responder = -1;
9557 
9558 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
9559 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
9560 		return -EINVAL;
9561 
9562 	/* only important for AP, IBSS and mesh create IEs internally */
9563 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
9564 		return -EINVAL;
9565 
9566 	/* Even though the attribute is u32, the specification says
9567 	 * u8, so let's make sure we don't overflow.
9568 	 */
9569 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
9570 	if (cs_count > 255)
9571 		return -EINVAL;
9572 
9573 	params.count = cs_count;
9574 
9575 	if (!need_new_beacon)
9576 		goto skip_beacons;
9577 
9578 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after);
9579 	if (err)
9580 		goto free;
9581 
9582 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
9583 			    GFP_KERNEL);
9584 	if (!csa_attrs) {
9585 		err = -ENOMEM;
9586 		goto free;
9587 	}
9588 
9589 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
9590 					  info->attrs[NL80211_ATTR_CSA_IES],
9591 					  nl80211_policy, info->extack);
9592 	if (err)
9593 		goto free;
9594 
9595 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa);
9596 	if (err)
9597 		goto free;
9598 
9599 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
9600 		err = -EINVAL;
9601 		goto free;
9602 	}
9603 
9604 	len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9605 	if (!len || (len % sizeof(u16))) {
9606 		err = -EINVAL;
9607 		goto free;
9608 	}
9609 
9610 	params.n_counter_offsets_beacon = len / sizeof(u16);
9611 	if (rdev->wiphy.max_num_csa_counters &&
9612 	    (params.n_counter_offsets_beacon >
9613 	     rdev->wiphy.max_num_csa_counters)) {
9614 		err = -EINVAL;
9615 		goto free;
9616 	}
9617 
9618 	params.counter_offsets_beacon =
9619 		nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9620 
9621 	/* sanity checks - counters should fit and be the same */
9622 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
9623 		u16 offset = params.counter_offsets_beacon[i];
9624 
9625 		if (offset >= params.beacon_csa.tail_len) {
9626 			err = -EINVAL;
9627 			goto free;
9628 		}
9629 
9630 		if (params.beacon_csa.tail[offset] != params.count) {
9631 			err = -EINVAL;
9632 			goto free;
9633 		}
9634 	}
9635 
9636 	if (csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
9637 		len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9638 		if (!len || (len % sizeof(u16))) {
9639 			err = -EINVAL;
9640 			goto free;
9641 		}
9642 
9643 		params.n_counter_offsets_presp = len / sizeof(u16);
9644 		if (rdev->wiphy.max_num_csa_counters &&
9645 		    (params.n_counter_offsets_presp >
9646 		     rdev->wiphy.max_num_csa_counters)) {
9647 			err = -EINVAL;
9648 			goto free;
9649 		}
9650 
9651 		params.counter_offsets_presp =
9652 			nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9653 
9654 		/* sanity checks - counters should fit and be the same */
9655 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
9656 			u16 offset = params.counter_offsets_presp[i];
9657 
9658 			if (offset >= params.beacon_csa.probe_resp_len) {
9659 				err = -EINVAL;
9660 				goto free;
9661 			}
9662 
9663 			if (params.beacon_csa.probe_resp[offset] !=
9664 			    params.count) {
9665 				err = -EINVAL;
9666 				goto free;
9667 			}
9668 		}
9669 	}
9670 
9671 skip_beacons:
9672 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
9673 	if (err)
9674 		goto free;
9675 
9676 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
9677 					   wdev->iftype)) {
9678 		err = -EINVAL;
9679 		goto free;
9680 	}
9681 
9682 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
9683 					    &params.chandef,
9684 					    wdev->iftype);
9685 	if (err < 0)
9686 		goto free;
9687 
9688 	if (err > 0) {
9689 		params.radar_required = true;
9690 		if (need_handle_dfs_flag &&
9691 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
9692 			err = -EINVAL;
9693 			goto free;
9694 		}
9695 	}
9696 
9697 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
9698 		params.block_tx = true;
9699 
9700 	wdev_lock(wdev);
9701 	err = rdev_channel_switch(rdev, dev, &params);
9702 	wdev_unlock(wdev);
9703 
9704 free:
9705 	kfree(params.beacon_after.mbssid_ies);
9706 	kfree(params.beacon_csa.mbssid_ies);
9707 	kfree(csa_attrs);
9708 	return err;
9709 }
9710 
9711 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
9712 			    u32 seq, int flags,
9713 			    struct cfg80211_registered_device *rdev,
9714 			    struct wireless_dev *wdev,
9715 			    struct cfg80211_internal_bss *intbss)
9716 {
9717 	struct cfg80211_bss *res = &intbss->pub;
9718 	const struct cfg80211_bss_ies *ies;
9719 	void *hdr;
9720 	struct nlattr *bss;
9721 
9722 	ASSERT_WDEV_LOCK(wdev);
9723 
9724 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
9725 			     NL80211_CMD_NEW_SCAN_RESULTS);
9726 	if (!hdr)
9727 		return -1;
9728 
9729 	genl_dump_check_consistent(cb, hdr);
9730 
9731 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
9732 		goto nla_put_failure;
9733 	if (wdev->netdev &&
9734 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
9735 		goto nla_put_failure;
9736 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
9737 			      NL80211_ATTR_PAD))
9738 		goto nla_put_failure;
9739 
9740 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
9741 	if (!bss)
9742 		goto nla_put_failure;
9743 	if ((!is_zero_ether_addr(res->bssid) &&
9744 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
9745 		goto nla_put_failure;
9746 
9747 	rcu_read_lock();
9748 	/* indicate whether we have probe response data or not */
9749 	if (rcu_access_pointer(res->proberesp_ies) &&
9750 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
9751 		goto fail_unlock_rcu;
9752 
9753 	/* this pointer prefers to be pointed to probe response data
9754 	 * but is always valid
9755 	 */
9756 	ies = rcu_dereference(res->ies);
9757 	if (ies) {
9758 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
9759 				      NL80211_BSS_PAD))
9760 			goto fail_unlock_rcu;
9761 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
9762 					ies->len, ies->data))
9763 			goto fail_unlock_rcu;
9764 	}
9765 
9766 	/* and this pointer is always (unless driver didn't know) beacon data */
9767 	ies = rcu_dereference(res->beacon_ies);
9768 	if (ies && ies->from_beacon) {
9769 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
9770 				      NL80211_BSS_PAD))
9771 			goto fail_unlock_rcu;
9772 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
9773 					ies->len, ies->data))
9774 			goto fail_unlock_rcu;
9775 	}
9776 	rcu_read_unlock();
9777 
9778 	if (res->beacon_interval &&
9779 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
9780 		goto nla_put_failure;
9781 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
9782 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
9783 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
9784 			res->channel->freq_offset) ||
9785 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
9786 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
9787 			jiffies_to_msecs(jiffies - intbss->ts)))
9788 		goto nla_put_failure;
9789 
9790 	if (intbss->parent_tsf &&
9791 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
9792 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
9793 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
9794 		     intbss->parent_bssid)))
9795 		goto nla_put_failure;
9796 
9797 	if (intbss->ts_boottime &&
9798 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
9799 			      intbss->ts_boottime, NL80211_BSS_PAD))
9800 		goto nla_put_failure;
9801 
9802 	if (!nl80211_put_signal(msg, intbss->pub.chains,
9803 				intbss->pub.chain_signal,
9804 				NL80211_BSS_CHAIN_SIGNAL))
9805 		goto nla_put_failure;
9806 
9807 	switch (rdev->wiphy.signal_type) {
9808 	case CFG80211_SIGNAL_TYPE_MBM:
9809 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
9810 			goto nla_put_failure;
9811 		break;
9812 	case CFG80211_SIGNAL_TYPE_UNSPEC:
9813 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
9814 			goto nla_put_failure;
9815 		break;
9816 	default:
9817 		break;
9818 	}
9819 
9820 	switch (wdev->iftype) {
9821 	case NL80211_IFTYPE_P2P_CLIENT:
9822 	case NL80211_IFTYPE_STATION:
9823 		if (intbss == wdev->current_bss &&
9824 		    nla_put_u32(msg, NL80211_BSS_STATUS,
9825 				NL80211_BSS_STATUS_ASSOCIATED))
9826 			goto nla_put_failure;
9827 		break;
9828 	case NL80211_IFTYPE_ADHOC:
9829 		if (intbss == wdev->current_bss &&
9830 		    nla_put_u32(msg, NL80211_BSS_STATUS,
9831 				NL80211_BSS_STATUS_IBSS_JOINED))
9832 			goto nla_put_failure;
9833 		break;
9834 	default:
9835 		break;
9836 	}
9837 
9838 	nla_nest_end(msg, bss);
9839 
9840 	genlmsg_end(msg, hdr);
9841 	return 0;
9842 
9843  fail_unlock_rcu:
9844 	rcu_read_unlock();
9845  nla_put_failure:
9846 	genlmsg_cancel(msg, hdr);
9847 	return -EMSGSIZE;
9848 }
9849 
9850 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
9851 {
9852 	struct cfg80211_registered_device *rdev;
9853 	struct cfg80211_internal_bss *scan;
9854 	struct wireless_dev *wdev;
9855 	int start = cb->args[2], idx = 0;
9856 	int err;
9857 
9858 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
9859 	if (err)
9860 		return err;
9861 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9862 	__acquire(&rdev->wiphy.mtx);
9863 
9864 	wdev_lock(wdev);
9865 	spin_lock_bh(&rdev->bss_lock);
9866 
9867 	/*
9868 	 * dump_scan will be called multiple times to break up the scan results
9869 	 * into multiple messages.  It is unlikely that any more bss-es will be
9870 	 * expired after the first call, so only call only call this on the
9871 	 * first dump_scan invocation.
9872 	 */
9873 	if (start == 0)
9874 		cfg80211_bss_expire(rdev);
9875 
9876 	cb->seq = rdev->bss_generation;
9877 
9878 	list_for_each_entry(scan, &rdev->bss_list, list) {
9879 		if (++idx <= start)
9880 			continue;
9881 		if (nl80211_send_bss(skb, cb,
9882 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
9883 				rdev, wdev, scan) < 0) {
9884 			idx--;
9885 			break;
9886 		}
9887 	}
9888 
9889 	spin_unlock_bh(&rdev->bss_lock);
9890 	wdev_unlock(wdev);
9891 
9892 	cb->args[2] = idx;
9893 	wiphy_unlock(&rdev->wiphy);
9894 
9895 	return skb->len;
9896 }
9897 
9898 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
9899 			       int flags, struct net_device *dev,
9900 			       bool allow_radio_stats,
9901 			       struct survey_info *survey)
9902 {
9903 	void *hdr;
9904 	struct nlattr *infoattr;
9905 
9906 	/* skip radio stats if userspace didn't request them */
9907 	if (!survey->channel && !allow_radio_stats)
9908 		return 0;
9909 
9910 	hdr = nl80211hdr_put(msg, portid, seq, flags,
9911 			     NL80211_CMD_NEW_SURVEY_RESULTS);
9912 	if (!hdr)
9913 		return -ENOMEM;
9914 
9915 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
9916 		goto nla_put_failure;
9917 
9918 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
9919 	if (!infoattr)
9920 		goto nla_put_failure;
9921 
9922 	if (survey->channel &&
9923 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
9924 			survey->channel->center_freq))
9925 		goto nla_put_failure;
9926 
9927 	if (survey->channel && survey->channel->freq_offset &&
9928 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
9929 			survey->channel->freq_offset))
9930 		goto nla_put_failure;
9931 
9932 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
9933 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
9934 		goto nla_put_failure;
9935 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
9936 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
9937 		goto nla_put_failure;
9938 	if ((survey->filled & SURVEY_INFO_TIME) &&
9939 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
9940 			survey->time, NL80211_SURVEY_INFO_PAD))
9941 		goto nla_put_failure;
9942 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
9943 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
9944 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
9945 		goto nla_put_failure;
9946 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
9947 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
9948 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
9949 		goto nla_put_failure;
9950 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
9951 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
9952 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
9953 		goto nla_put_failure;
9954 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
9955 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
9956 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
9957 		goto nla_put_failure;
9958 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
9959 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
9960 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
9961 		goto nla_put_failure;
9962 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
9963 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
9964 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
9965 		goto nla_put_failure;
9966 
9967 	nla_nest_end(msg, infoattr);
9968 
9969 	genlmsg_end(msg, hdr);
9970 	return 0;
9971 
9972  nla_put_failure:
9973 	genlmsg_cancel(msg, hdr);
9974 	return -EMSGSIZE;
9975 }
9976 
9977 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
9978 {
9979 	struct nlattr **attrbuf;
9980 	struct survey_info survey;
9981 	struct cfg80211_registered_device *rdev;
9982 	struct wireless_dev *wdev;
9983 	int survey_idx = cb->args[2];
9984 	int res;
9985 	bool radio_stats;
9986 
9987 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
9988 	if (!attrbuf)
9989 		return -ENOMEM;
9990 
9991 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
9992 	if (res) {
9993 		kfree(attrbuf);
9994 		return res;
9995 	}
9996 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9997 	__acquire(&rdev->wiphy.mtx);
9998 
9999 	/* prepare_wdev_dump parsed the attributes */
10000 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
10001 
10002 	if (!wdev->netdev) {
10003 		res = -EINVAL;
10004 		goto out_err;
10005 	}
10006 
10007 	if (!rdev->ops->dump_survey) {
10008 		res = -EOPNOTSUPP;
10009 		goto out_err;
10010 	}
10011 
10012 	while (1) {
10013 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
10014 		if (res == -ENOENT)
10015 			break;
10016 		if (res)
10017 			goto out_err;
10018 
10019 		/* don't send disabled channels, but do send non-channel data */
10020 		if (survey.channel &&
10021 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
10022 			survey_idx++;
10023 			continue;
10024 		}
10025 
10026 		if (nl80211_send_survey(skb,
10027 				NETLINK_CB(cb->skb).portid,
10028 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10029 				wdev->netdev, radio_stats, &survey) < 0)
10030 			goto out;
10031 		survey_idx++;
10032 	}
10033 
10034  out:
10035 	cb->args[2] = survey_idx;
10036 	res = skb->len;
10037  out_err:
10038 	kfree(attrbuf);
10039 	wiphy_unlock(&rdev->wiphy);
10040 	return res;
10041 }
10042 
10043 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
10044 {
10045 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
10046 				  NL80211_WPA_VERSION_2 |
10047 				  NL80211_WPA_VERSION_3));
10048 }
10049 
10050 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
10051 {
10052 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10053 	struct net_device *dev = info->user_ptr[1];
10054 	struct ieee80211_channel *chan;
10055 	const u8 *bssid, *ssid, *ie = NULL, *auth_data = NULL;
10056 	int err, ssid_len, ie_len = 0, auth_data_len = 0;
10057 	enum nl80211_auth_type auth_type;
10058 	struct key_parse key;
10059 	bool local_state_change;
10060 	u32 freq;
10061 
10062 	if (!info->attrs[NL80211_ATTR_MAC])
10063 		return -EINVAL;
10064 
10065 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
10066 		return -EINVAL;
10067 
10068 	if (!info->attrs[NL80211_ATTR_SSID])
10069 		return -EINVAL;
10070 
10071 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10072 		return -EINVAL;
10073 
10074 	err = nl80211_parse_key(info, &key);
10075 	if (err)
10076 		return err;
10077 
10078 	if (key.idx >= 0) {
10079 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
10080 			return -EINVAL;
10081 		if (!key.p.key || !key.p.key_len)
10082 			return -EINVAL;
10083 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
10084 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
10085 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
10086 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
10087 			return -EINVAL;
10088 		if (key.idx > 3)
10089 			return -EINVAL;
10090 	} else {
10091 		key.p.key_len = 0;
10092 		key.p.key = NULL;
10093 	}
10094 
10095 	if (key.idx >= 0) {
10096 		int i;
10097 		bool ok = false;
10098 
10099 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
10100 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
10101 				ok = true;
10102 				break;
10103 			}
10104 		}
10105 		if (!ok)
10106 			return -EINVAL;
10107 	}
10108 
10109 	if (!rdev->ops->auth)
10110 		return -EOPNOTSUPP;
10111 
10112 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10113 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10114 		return -EOPNOTSUPP;
10115 
10116 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10117 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10118 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10119 		freq +=
10120 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10121 
10122 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10123 	if (!chan)
10124 		return -EINVAL;
10125 
10126 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10127 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10128 
10129 	if (info->attrs[NL80211_ATTR_IE]) {
10130 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10131 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10132 	}
10133 
10134 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10135 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
10136 		return -EINVAL;
10137 
10138 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
10139 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
10140 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
10141 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
10142 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
10143 		return -EINVAL;
10144 
10145 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
10146 		if (auth_type != NL80211_AUTHTYPE_SAE &&
10147 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
10148 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
10149 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
10150 			return -EINVAL;
10151 		auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
10152 		auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
10153 	}
10154 
10155 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10156 
10157 	/*
10158 	 * Since we no longer track auth state, ignore
10159 	 * requests to only change local state.
10160 	 */
10161 	if (local_state_change)
10162 		return 0;
10163 
10164 	wdev_lock(dev->ieee80211_ptr);
10165 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
10166 				 ssid, ssid_len, ie, ie_len,
10167 				 key.p.key, key.p.key_len, key.idx,
10168 				 auth_data, auth_data_len);
10169 	wdev_unlock(dev->ieee80211_ptr);
10170 	return err;
10171 }
10172 
10173 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
10174 				     struct genl_info *info)
10175 {
10176 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10177 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
10178 		return -EINVAL;
10179 	}
10180 
10181 	if (!rdev->ops->tx_control_port ||
10182 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10183 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
10184 		return -EOPNOTSUPP;
10185 
10186 	return 0;
10187 }
10188 
10189 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
10190 				   struct genl_info *info,
10191 				   struct cfg80211_crypto_settings *settings,
10192 				   int cipher_limit)
10193 {
10194 	memset(settings, 0, sizeof(*settings));
10195 
10196 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
10197 
10198 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
10199 		u16 proto;
10200 
10201 		proto = nla_get_u16(
10202 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
10203 		settings->control_port_ethertype = cpu_to_be16(proto);
10204 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
10205 		    proto != ETH_P_PAE)
10206 			return -EINVAL;
10207 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
10208 			settings->control_port_no_encrypt = true;
10209 	} else
10210 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
10211 
10212 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10213 		int r = validate_pae_over_nl80211(rdev, info);
10214 
10215 		if (r < 0)
10216 			return r;
10217 
10218 		settings->control_port_over_nl80211 = true;
10219 
10220 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
10221 			settings->control_port_no_preauth = true;
10222 	}
10223 
10224 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
10225 		void *data;
10226 		int len, i;
10227 
10228 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10229 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10230 		settings->n_ciphers_pairwise = len / sizeof(u32);
10231 
10232 		if (len % sizeof(u32))
10233 			return -EINVAL;
10234 
10235 		if (settings->n_ciphers_pairwise > cipher_limit)
10236 			return -EINVAL;
10237 
10238 		memcpy(settings->ciphers_pairwise, data, len);
10239 
10240 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
10241 			if (!cfg80211_supported_cipher_suite(
10242 					&rdev->wiphy,
10243 					settings->ciphers_pairwise[i]))
10244 				return -EINVAL;
10245 	}
10246 
10247 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
10248 		settings->cipher_group =
10249 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
10250 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
10251 						     settings->cipher_group))
10252 			return -EINVAL;
10253 	}
10254 
10255 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
10256 		settings->wpa_versions =
10257 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
10258 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
10259 			return -EINVAL;
10260 	}
10261 
10262 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
10263 		void *data;
10264 		int len;
10265 
10266 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
10267 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
10268 		settings->n_akm_suites = len / sizeof(u32);
10269 
10270 		if (len % sizeof(u32))
10271 			return -EINVAL;
10272 
10273 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
10274 			return -EINVAL;
10275 
10276 		memcpy(settings->akm_suites, data, len);
10277 	}
10278 
10279 	if (info->attrs[NL80211_ATTR_PMK]) {
10280 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
10281 			return -EINVAL;
10282 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10283 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
10284 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10285 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
10286 			return -EINVAL;
10287 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10288 	}
10289 
10290 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
10291 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10292 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
10293 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10294 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
10295 			return -EINVAL;
10296 		settings->sae_pwd =
10297 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10298 		settings->sae_pwd_len =
10299 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10300 	}
10301 
10302 	if (info->attrs[NL80211_ATTR_SAE_PWE])
10303 		settings->sae_pwe =
10304 			nla_get_u8(info->attrs[NL80211_ATTR_SAE_PWE]);
10305 	else
10306 		settings->sae_pwe = NL80211_SAE_PWE_UNSPECIFIED;
10307 
10308 	return 0;
10309 }
10310 
10311 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
10312 {
10313 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10314 	struct net_device *dev = info->user_ptr[1];
10315 	struct ieee80211_channel *chan;
10316 	struct cfg80211_assoc_request req = {};
10317 	const u8 *bssid, *ssid;
10318 	int err, ssid_len = 0;
10319 	u32 freq;
10320 
10321 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10322 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10323 		return -EPERM;
10324 
10325 	if (!info->attrs[NL80211_ATTR_MAC] ||
10326 	    !info->attrs[NL80211_ATTR_SSID] ||
10327 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
10328 		return -EINVAL;
10329 
10330 	if (!rdev->ops->assoc)
10331 		return -EOPNOTSUPP;
10332 
10333 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10334 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10335 		return -EOPNOTSUPP;
10336 
10337 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10338 
10339 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10340 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10341 		freq +=
10342 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10343 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10344 	if (!chan)
10345 		return -EINVAL;
10346 
10347 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10348 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10349 
10350 	if (info->attrs[NL80211_ATTR_IE]) {
10351 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10352 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10353 	}
10354 
10355 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
10356 		enum nl80211_mfp mfp =
10357 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
10358 		if (mfp == NL80211_MFP_REQUIRED)
10359 			req.use_mfp = true;
10360 		else if (mfp != NL80211_MFP_NO)
10361 			return -EINVAL;
10362 	}
10363 
10364 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
10365 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
10366 
10367 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
10368 		req.flags |= ASSOC_REQ_DISABLE_HT;
10369 
10370 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10371 		memcpy(&req.ht_capa_mask,
10372 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10373 		       sizeof(req.ht_capa_mask));
10374 
10375 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10376 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10377 			return -EINVAL;
10378 		memcpy(&req.ht_capa,
10379 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10380 		       sizeof(req.ht_capa));
10381 	}
10382 
10383 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
10384 		req.flags |= ASSOC_REQ_DISABLE_VHT;
10385 
10386 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
10387 		req.flags |= ASSOC_REQ_DISABLE_HE;
10388 
10389 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10390 		memcpy(&req.vht_capa_mask,
10391 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
10392 		       sizeof(req.vht_capa_mask));
10393 
10394 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
10395 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10396 			return -EINVAL;
10397 		memcpy(&req.vht_capa,
10398 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
10399 		       sizeof(req.vht_capa));
10400 	}
10401 
10402 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
10403 		if (!((rdev->wiphy.features &
10404 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
10405 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
10406 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10407 					     NL80211_EXT_FEATURE_RRM))
10408 			return -EINVAL;
10409 		req.flags |= ASSOC_REQ_USE_RRM;
10410 	}
10411 
10412 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
10413 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
10414 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
10415 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
10416 			return -EINVAL;
10417 		req.fils_nonces =
10418 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
10419 	}
10420 
10421 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
10422 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
10423 			return -EINVAL;
10424 		memcpy(&req.s1g_capa_mask,
10425 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
10426 		       sizeof(req.s1g_capa_mask));
10427 	}
10428 
10429 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
10430 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
10431 			return -EINVAL;
10432 		memcpy(&req.s1g_capa,
10433 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
10434 		       sizeof(req.s1g_capa));
10435 	}
10436 
10437 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
10438 	if (!err) {
10439 		wdev_lock(dev->ieee80211_ptr);
10440 
10441 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
10442 					  ssid, ssid_len, &req);
10443 
10444 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10445 			dev->ieee80211_ptr->conn_owner_nlportid =
10446 				info->snd_portid;
10447 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
10448 			       bssid, ETH_ALEN);
10449 		}
10450 
10451 		wdev_unlock(dev->ieee80211_ptr);
10452 	}
10453 
10454 	return err;
10455 }
10456 
10457 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
10458 {
10459 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10460 	struct net_device *dev = info->user_ptr[1];
10461 	const u8 *ie = NULL, *bssid;
10462 	int ie_len = 0, err;
10463 	u16 reason_code;
10464 	bool local_state_change;
10465 
10466 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10467 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10468 		return -EPERM;
10469 
10470 	if (!info->attrs[NL80211_ATTR_MAC])
10471 		return -EINVAL;
10472 
10473 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10474 		return -EINVAL;
10475 
10476 	if (!rdev->ops->deauth)
10477 		return -EOPNOTSUPP;
10478 
10479 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10480 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10481 		return -EOPNOTSUPP;
10482 
10483 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10484 
10485 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10486 	if (reason_code == 0) {
10487 		/* Reason Code 0 is reserved */
10488 		return -EINVAL;
10489 	}
10490 
10491 	if (info->attrs[NL80211_ATTR_IE]) {
10492 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10493 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10494 	}
10495 
10496 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10497 
10498 	wdev_lock(dev->ieee80211_ptr);
10499 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
10500 				   local_state_change);
10501 	wdev_unlock(dev->ieee80211_ptr);
10502 	return err;
10503 }
10504 
10505 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
10506 {
10507 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10508 	struct net_device *dev = info->user_ptr[1];
10509 	const u8 *ie = NULL, *bssid;
10510 	int ie_len = 0, err;
10511 	u16 reason_code;
10512 	bool local_state_change;
10513 
10514 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10515 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10516 		return -EPERM;
10517 
10518 	if (!info->attrs[NL80211_ATTR_MAC])
10519 		return -EINVAL;
10520 
10521 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10522 		return -EINVAL;
10523 
10524 	if (!rdev->ops->disassoc)
10525 		return -EOPNOTSUPP;
10526 
10527 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10528 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10529 		return -EOPNOTSUPP;
10530 
10531 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10532 
10533 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10534 	if (reason_code == 0) {
10535 		/* Reason Code 0 is reserved */
10536 		return -EINVAL;
10537 	}
10538 
10539 	if (info->attrs[NL80211_ATTR_IE]) {
10540 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10541 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10542 	}
10543 
10544 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10545 
10546 	wdev_lock(dev->ieee80211_ptr);
10547 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
10548 				     local_state_change);
10549 	wdev_unlock(dev->ieee80211_ptr);
10550 	return err;
10551 }
10552 
10553 static bool
10554 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
10555 			 int mcast_rate[NUM_NL80211_BANDS],
10556 			 int rateval)
10557 {
10558 	struct wiphy *wiphy = &rdev->wiphy;
10559 	bool found = false;
10560 	int band, i;
10561 
10562 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
10563 		struct ieee80211_supported_band *sband;
10564 
10565 		sband = wiphy->bands[band];
10566 		if (!sband)
10567 			continue;
10568 
10569 		for (i = 0; i < sband->n_bitrates; i++) {
10570 			if (sband->bitrates[i].bitrate == rateval) {
10571 				mcast_rate[band] = i + 1;
10572 				found = true;
10573 				break;
10574 			}
10575 		}
10576 	}
10577 
10578 	return found;
10579 }
10580 
10581 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
10582 {
10583 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10584 	struct net_device *dev = info->user_ptr[1];
10585 	struct cfg80211_ibss_params ibss;
10586 	struct wiphy *wiphy;
10587 	struct cfg80211_cached_keys *connkeys = NULL;
10588 	int err;
10589 
10590 	memset(&ibss, 0, sizeof(ibss));
10591 
10592 	if (!info->attrs[NL80211_ATTR_SSID] ||
10593 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
10594 		return -EINVAL;
10595 
10596 	ibss.beacon_interval = 100;
10597 
10598 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
10599 		ibss.beacon_interval =
10600 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
10601 
10602 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
10603 					   ibss.beacon_interval);
10604 	if (err)
10605 		return err;
10606 
10607 	if (!rdev->ops->join_ibss)
10608 		return -EOPNOTSUPP;
10609 
10610 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
10611 		return -EOPNOTSUPP;
10612 
10613 	wiphy = &rdev->wiphy;
10614 
10615 	if (info->attrs[NL80211_ATTR_MAC]) {
10616 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10617 
10618 		if (!is_valid_ether_addr(ibss.bssid))
10619 			return -EINVAL;
10620 	}
10621 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10622 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10623 
10624 	if (info->attrs[NL80211_ATTR_IE]) {
10625 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10626 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10627 	}
10628 
10629 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
10630 	if (err)
10631 		return err;
10632 
10633 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
10634 				     NL80211_IFTYPE_ADHOC))
10635 		return -EINVAL;
10636 
10637 	switch (ibss.chandef.width) {
10638 	case NL80211_CHAN_WIDTH_5:
10639 	case NL80211_CHAN_WIDTH_10:
10640 	case NL80211_CHAN_WIDTH_20_NOHT:
10641 		break;
10642 	case NL80211_CHAN_WIDTH_20:
10643 	case NL80211_CHAN_WIDTH_40:
10644 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10645 			return -EINVAL;
10646 		break;
10647 	case NL80211_CHAN_WIDTH_80:
10648 	case NL80211_CHAN_WIDTH_80P80:
10649 	case NL80211_CHAN_WIDTH_160:
10650 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10651 			return -EINVAL;
10652 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10653 					     NL80211_EXT_FEATURE_VHT_IBSS))
10654 			return -EINVAL;
10655 		break;
10656 	case NL80211_CHAN_WIDTH_320:
10657 		return -EINVAL;
10658 	default:
10659 		return -EINVAL;
10660 	}
10661 
10662 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
10663 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
10664 
10665 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
10666 		u8 *rates =
10667 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10668 		int n_rates =
10669 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10670 		struct ieee80211_supported_band *sband =
10671 			wiphy->bands[ibss.chandef.chan->band];
10672 
10673 		err = ieee80211_get_ratemask(sband, rates, n_rates,
10674 					     &ibss.basic_rates);
10675 		if (err)
10676 			return err;
10677 	}
10678 
10679 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10680 		memcpy(&ibss.ht_capa_mask,
10681 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10682 		       sizeof(ibss.ht_capa_mask));
10683 
10684 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10685 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10686 			return -EINVAL;
10687 		memcpy(&ibss.ht_capa,
10688 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10689 		       sizeof(ibss.ht_capa));
10690 	}
10691 
10692 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
10693 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
10694 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
10695 		return -EINVAL;
10696 
10697 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
10698 		bool no_ht = false;
10699 
10700 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
10701 		if (IS_ERR(connkeys))
10702 			return PTR_ERR(connkeys);
10703 
10704 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
10705 		    no_ht) {
10706 			kfree_sensitive(connkeys);
10707 			return -EINVAL;
10708 		}
10709 	}
10710 
10711 	ibss.control_port =
10712 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
10713 
10714 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10715 		int r = validate_pae_over_nl80211(rdev, info);
10716 
10717 		if (r < 0) {
10718 			kfree_sensitive(connkeys);
10719 			return r;
10720 		}
10721 
10722 		ibss.control_port_over_nl80211 = true;
10723 	}
10724 
10725 	ibss.userspace_handles_dfs =
10726 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
10727 
10728 	wdev_lock(dev->ieee80211_ptr);
10729 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
10730 	if (err)
10731 		kfree_sensitive(connkeys);
10732 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
10733 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
10734 	wdev_unlock(dev->ieee80211_ptr);
10735 
10736 	return err;
10737 }
10738 
10739 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
10740 {
10741 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10742 	struct net_device *dev = info->user_ptr[1];
10743 
10744 	if (!rdev->ops->leave_ibss)
10745 		return -EOPNOTSUPP;
10746 
10747 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
10748 		return -EOPNOTSUPP;
10749 
10750 	return cfg80211_leave_ibss(rdev, dev, false);
10751 }
10752 
10753 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
10754 {
10755 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10756 	struct net_device *dev = info->user_ptr[1];
10757 	int mcast_rate[NUM_NL80211_BANDS];
10758 	u32 nla_rate;
10759 	int err;
10760 
10761 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
10762 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
10763 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
10764 		return -EOPNOTSUPP;
10765 
10766 	if (!rdev->ops->set_mcast_rate)
10767 		return -EOPNOTSUPP;
10768 
10769 	memset(mcast_rate, 0, sizeof(mcast_rate));
10770 
10771 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
10772 		return -EINVAL;
10773 
10774 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
10775 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
10776 		return -EINVAL;
10777 
10778 	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
10779 
10780 	return err;
10781 }
10782 
10783 static struct sk_buff *
10784 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
10785 			    struct wireless_dev *wdev, int approxlen,
10786 			    u32 portid, u32 seq, enum nl80211_commands cmd,
10787 			    enum nl80211_attrs attr,
10788 			    const struct nl80211_vendor_cmd_info *info,
10789 			    gfp_t gfp)
10790 {
10791 	struct sk_buff *skb;
10792 	void *hdr;
10793 	struct nlattr *data;
10794 
10795 	skb = nlmsg_new(approxlen + 100, gfp);
10796 	if (!skb)
10797 		return NULL;
10798 
10799 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
10800 	if (!hdr) {
10801 		kfree_skb(skb);
10802 		return NULL;
10803 	}
10804 
10805 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
10806 		goto nla_put_failure;
10807 
10808 	if (info) {
10809 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
10810 				info->vendor_id))
10811 			goto nla_put_failure;
10812 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
10813 				info->subcmd))
10814 			goto nla_put_failure;
10815 	}
10816 
10817 	if (wdev) {
10818 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
10819 				      wdev_id(wdev), NL80211_ATTR_PAD))
10820 			goto nla_put_failure;
10821 		if (wdev->netdev &&
10822 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
10823 				wdev->netdev->ifindex))
10824 			goto nla_put_failure;
10825 	}
10826 
10827 	data = nla_nest_start_noflag(skb, attr);
10828 	if (!data)
10829 		goto nla_put_failure;
10830 
10831 	((void **)skb->cb)[0] = rdev;
10832 	((void **)skb->cb)[1] = hdr;
10833 	((void **)skb->cb)[2] = data;
10834 
10835 	return skb;
10836 
10837  nla_put_failure:
10838 	kfree_skb(skb);
10839 	return NULL;
10840 }
10841 
10842 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
10843 					   struct wireless_dev *wdev,
10844 					   enum nl80211_commands cmd,
10845 					   enum nl80211_attrs attr,
10846 					   unsigned int portid,
10847 					   int vendor_event_idx,
10848 					   int approxlen, gfp_t gfp)
10849 {
10850 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
10851 	const struct nl80211_vendor_cmd_info *info;
10852 
10853 	switch (cmd) {
10854 	case NL80211_CMD_TESTMODE:
10855 		if (WARN_ON(vendor_event_idx != -1))
10856 			return NULL;
10857 		info = NULL;
10858 		break;
10859 	case NL80211_CMD_VENDOR:
10860 		if (WARN_ON(vendor_event_idx < 0 ||
10861 			    vendor_event_idx >= wiphy->n_vendor_events))
10862 			return NULL;
10863 		info = &wiphy->vendor_events[vendor_event_idx];
10864 		break;
10865 	default:
10866 		WARN_ON(1);
10867 		return NULL;
10868 	}
10869 
10870 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
10871 					   cmd, attr, info, gfp);
10872 }
10873 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
10874 
10875 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
10876 {
10877 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
10878 	void *hdr = ((void **)skb->cb)[1];
10879 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
10880 	struct nlattr *data = ((void **)skb->cb)[2];
10881 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
10882 
10883 	/* clear CB data for netlink core to own from now on */
10884 	memset(skb->cb, 0, sizeof(skb->cb));
10885 
10886 	nla_nest_end(skb, data);
10887 	genlmsg_end(skb, hdr);
10888 
10889 	if (nlhdr->nlmsg_pid) {
10890 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
10891 				nlhdr->nlmsg_pid);
10892 	} else {
10893 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
10894 			mcgrp = NL80211_MCGRP_VENDOR;
10895 
10896 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
10897 					skb, 0, mcgrp, gfp);
10898 	}
10899 }
10900 EXPORT_SYMBOL(__cfg80211_send_event_skb);
10901 
10902 #ifdef CONFIG_NL80211_TESTMODE
10903 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
10904 {
10905 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10906 	struct wireless_dev *wdev;
10907 	int err;
10908 
10909 	lockdep_assert_held(&rdev->wiphy.mtx);
10910 
10911 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
10912 					  info->attrs);
10913 
10914 	if (!rdev->ops->testmode_cmd)
10915 		return -EOPNOTSUPP;
10916 
10917 	if (IS_ERR(wdev)) {
10918 		err = PTR_ERR(wdev);
10919 		if (err != -EINVAL)
10920 			return err;
10921 		wdev = NULL;
10922 	} else if (wdev->wiphy != &rdev->wiphy) {
10923 		return -EINVAL;
10924 	}
10925 
10926 	if (!info->attrs[NL80211_ATTR_TESTDATA])
10927 		return -EINVAL;
10928 
10929 	rdev->cur_cmd_info = info;
10930 	err = rdev_testmode_cmd(rdev, wdev,
10931 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
10932 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
10933 	rdev->cur_cmd_info = NULL;
10934 
10935 	return err;
10936 }
10937 
10938 static int nl80211_testmode_dump(struct sk_buff *skb,
10939 				 struct netlink_callback *cb)
10940 {
10941 	struct cfg80211_registered_device *rdev;
10942 	struct nlattr **attrbuf = NULL;
10943 	int err;
10944 	long phy_idx;
10945 	void *data = NULL;
10946 	int data_len = 0;
10947 
10948 	rtnl_lock();
10949 
10950 	if (cb->args[0]) {
10951 		/*
10952 		 * 0 is a valid index, but not valid for args[0],
10953 		 * so we need to offset by 1.
10954 		 */
10955 		phy_idx = cb->args[0] - 1;
10956 
10957 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
10958 		if (!rdev) {
10959 			err = -ENOENT;
10960 			goto out_err;
10961 		}
10962 	} else {
10963 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
10964 				  GFP_KERNEL);
10965 		if (!attrbuf) {
10966 			err = -ENOMEM;
10967 			goto out_err;
10968 		}
10969 
10970 		err = nlmsg_parse_deprecated(cb->nlh,
10971 					     GENL_HDRLEN + nl80211_fam.hdrsize,
10972 					     attrbuf, nl80211_fam.maxattr,
10973 					     nl80211_policy, NULL);
10974 		if (err)
10975 			goto out_err;
10976 
10977 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
10978 		if (IS_ERR(rdev)) {
10979 			err = PTR_ERR(rdev);
10980 			goto out_err;
10981 		}
10982 		phy_idx = rdev->wiphy_idx;
10983 
10984 		if (attrbuf[NL80211_ATTR_TESTDATA])
10985 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
10986 	}
10987 
10988 	if (cb->args[1]) {
10989 		data = nla_data((void *)cb->args[1]);
10990 		data_len = nla_len((void *)cb->args[1]);
10991 	}
10992 
10993 	if (!rdev->ops->testmode_dump) {
10994 		err = -EOPNOTSUPP;
10995 		goto out_err;
10996 	}
10997 
10998 	while (1) {
10999 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
11000 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
11001 					   NL80211_CMD_TESTMODE);
11002 		struct nlattr *tmdata;
11003 
11004 		if (!hdr)
11005 			break;
11006 
11007 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
11008 			genlmsg_cancel(skb, hdr);
11009 			break;
11010 		}
11011 
11012 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
11013 		if (!tmdata) {
11014 			genlmsg_cancel(skb, hdr);
11015 			break;
11016 		}
11017 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
11018 		nla_nest_end(skb, tmdata);
11019 
11020 		if (err == -ENOBUFS || err == -ENOENT) {
11021 			genlmsg_cancel(skb, hdr);
11022 			break;
11023 		} else if (err) {
11024 			genlmsg_cancel(skb, hdr);
11025 			goto out_err;
11026 		}
11027 
11028 		genlmsg_end(skb, hdr);
11029 	}
11030 
11031 	err = skb->len;
11032 	/* see above */
11033 	cb->args[0] = phy_idx + 1;
11034  out_err:
11035 	kfree(attrbuf);
11036 	rtnl_unlock();
11037 	return err;
11038 }
11039 #endif
11040 
11041 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
11042 {
11043 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11044 	struct net_device *dev = info->user_ptr[1];
11045 	struct cfg80211_connect_params connect;
11046 	struct wiphy *wiphy;
11047 	struct cfg80211_cached_keys *connkeys = NULL;
11048 	u32 freq = 0;
11049 	int err;
11050 
11051 	memset(&connect, 0, sizeof(connect));
11052 
11053 	if (!info->attrs[NL80211_ATTR_SSID] ||
11054 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11055 		return -EINVAL;
11056 
11057 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11058 		connect.auth_type =
11059 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11060 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
11061 					     NL80211_CMD_CONNECT))
11062 			return -EINVAL;
11063 	} else
11064 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
11065 
11066 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
11067 
11068 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
11069 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11070 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
11071 		return -EINVAL;
11072 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
11073 
11074 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
11075 				      NL80211_MAX_NR_CIPHER_SUITES);
11076 	if (err)
11077 		return err;
11078 
11079 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11080 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11081 		return -EOPNOTSUPP;
11082 
11083 	wiphy = &rdev->wiphy;
11084 
11085 	connect.bg_scan_period = -1;
11086 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
11087 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
11088 		connect.bg_scan_period =
11089 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
11090 	}
11091 
11092 	if (info->attrs[NL80211_ATTR_MAC])
11093 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11094 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
11095 		connect.bssid_hint =
11096 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
11097 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11098 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11099 
11100 	if (info->attrs[NL80211_ATTR_IE]) {
11101 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11102 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11103 	}
11104 
11105 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11106 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11107 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
11108 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11109 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
11110 			return -EOPNOTSUPP;
11111 	} else {
11112 		connect.mfp = NL80211_MFP_NO;
11113 	}
11114 
11115 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11116 		connect.prev_bssid =
11117 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11118 
11119 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
11120 		freq = MHZ_TO_KHZ(nla_get_u32(
11121 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
11122 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11123 		freq +=
11124 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11125 
11126 	if (freq) {
11127 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
11128 		if (!connect.channel)
11129 			return -EINVAL;
11130 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
11131 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
11132 		freq = MHZ_TO_KHZ(freq);
11133 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
11134 		if (!connect.channel_hint)
11135 			return -EINVAL;
11136 	}
11137 
11138 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
11139 		connect.edmg.channels =
11140 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
11141 
11142 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
11143 			connect.edmg.bw_config =
11144 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
11145 	}
11146 
11147 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11148 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
11149 		if (IS_ERR(connkeys))
11150 			return PTR_ERR(connkeys);
11151 	}
11152 
11153 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11154 		connect.flags |= ASSOC_REQ_DISABLE_HT;
11155 
11156 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11157 		memcpy(&connect.ht_capa_mask,
11158 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11159 		       sizeof(connect.ht_capa_mask));
11160 
11161 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11162 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
11163 			kfree_sensitive(connkeys);
11164 			return -EINVAL;
11165 		}
11166 		memcpy(&connect.ht_capa,
11167 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11168 		       sizeof(connect.ht_capa));
11169 	}
11170 
11171 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11172 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
11173 
11174 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11175 		connect.flags |= ASSOC_REQ_DISABLE_HE;
11176 
11177 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11178 		memcpy(&connect.vht_capa_mask,
11179 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11180 		       sizeof(connect.vht_capa_mask));
11181 
11182 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11183 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
11184 			kfree_sensitive(connkeys);
11185 			return -EINVAL;
11186 		}
11187 		memcpy(&connect.vht_capa,
11188 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11189 		       sizeof(connect.vht_capa));
11190 	}
11191 
11192 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11193 		if (!((rdev->wiphy.features &
11194 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11195 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11196 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11197 					     NL80211_EXT_FEATURE_RRM)) {
11198 			kfree_sensitive(connkeys);
11199 			return -EINVAL;
11200 		}
11201 		connect.flags |= ASSOC_REQ_USE_RRM;
11202 	}
11203 
11204 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
11205 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
11206 		kfree_sensitive(connkeys);
11207 		return -EOPNOTSUPP;
11208 	}
11209 
11210 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
11211 		/* bss selection makes no sense if bssid is set */
11212 		if (connect.bssid) {
11213 			kfree_sensitive(connkeys);
11214 			return -EINVAL;
11215 		}
11216 
11217 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
11218 				       wiphy, &connect.bss_select);
11219 		if (err) {
11220 			kfree_sensitive(connkeys);
11221 			return err;
11222 		}
11223 	}
11224 
11225 	if (wiphy_ext_feature_isset(&rdev->wiphy,
11226 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
11227 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11228 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11229 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11230 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11231 		connect.fils_erp_username =
11232 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11233 		connect.fils_erp_username_len =
11234 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11235 		connect.fils_erp_realm =
11236 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11237 		connect.fils_erp_realm_len =
11238 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11239 		connect.fils_erp_next_seq_num =
11240 			nla_get_u16(
11241 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11242 		connect.fils_erp_rrk =
11243 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11244 		connect.fils_erp_rrk_len =
11245 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11246 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11247 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11248 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11249 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11250 		kfree_sensitive(connkeys);
11251 		return -EINVAL;
11252 	}
11253 
11254 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
11255 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11256 			kfree_sensitive(connkeys);
11257 			GENL_SET_ERR_MSG(info,
11258 					 "external auth requires connection ownership");
11259 			return -EINVAL;
11260 		}
11261 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
11262 	}
11263 
11264 	wdev_lock(dev->ieee80211_ptr);
11265 
11266 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
11267 			       connect.prev_bssid);
11268 	if (err)
11269 		kfree_sensitive(connkeys);
11270 
11271 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11272 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11273 		if (connect.bssid)
11274 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11275 			       connect.bssid, ETH_ALEN);
11276 		else
11277 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
11278 	}
11279 
11280 	wdev_unlock(dev->ieee80211_ptr);
11281 
11282 	return err;
11283 }
11284 
11285 static int nl80211_update_connect_params(struct sk_buff *skb,
11286 					 struct genl_info *info)
11287 {
11288 	struct cfg80211_connect_params connect = {};
11289 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11290 	struct net_device *dev = info->user_ptr[1];
11291 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11292 	bool fils_sk_offload;
11293 	u32 auth_type;
11294 	u32 changed = 0;
11295 	int ret;
11296 
11297 	if (!rdev->ops->update_connect_params)
11298 		return -EOPNOTSUPP;
11299 
11300 	if (info->attrs[NL80211_ATTR_IE]) {
11301 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11302 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11303 		changed |= UPDATE_ASSOC_IES;
11304 	}
11305 
11306 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
11307 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
11308 
11309 	/*
11310 	 * when driver supports fils-sk offload all attributes must be
11311 	 * provided. So the else covers "fils-sk-not-all" and
11312 	 * "no-fils-sk-any".
11313 	 */
11314 	if (fils_sk_offload &&
11315 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11316 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11317 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11318 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11319 		connect.fils_erp_username =
11320 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11321 		connect.fils_erp_username_len =
11322 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11323 		connect.fils_erp_realm =
11324 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11325 		connect.fils_erp_realm_len =
11326 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11327 		connect.fils_erp_next_seq_num =
11328 			nla_get_u16(
11329 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11330 		connect.fils_erp_rrk =
11331 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11332 		connect.fils_erp_rrk_len =
11333 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11334 		changed |= UPDATE_FILS_ERP_INFO;
11335 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11336 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11337 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11338 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11339 		return -EINVAL;
11340 	}
11341 
11342 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11343 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11344 		if (!nl80211_valid_auth_type(rdev, auth_type,
11345 					     NL80211_CMD_CONNECT))
11346 			return -EINVAL;
11347 
11348 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
11349 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
11350 			return -EINVAL;
11351 
11352 		connect.auth_type = auth_type;
11353 		changed |= UPDATE_AUTH_TYPE;
11354 	}
11355 
11356 	wdev_lock(dev->ieee80211_ptr);
11357 	if (!wdev->current_bss)
11358 		ret = -ENOLINK;
11359 	else
11360 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
11361 	wdev_unlock(dev->ieee80211_ptr);
11362 
11363 	return ret;
11364 }
11365 
11366 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
11367 {
11368 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11369 	struct net_device *dev = info->user_ptr[1];
11370 	u16 reason;
11371 	int ret;
11372 
11373 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11374 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11375 		return -EPERM;
11376 
11377 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11378 		reason = WLAN_REASON_DEAUTH_LEAVING;
11379 	else
11380 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11381 
11382 	if (reason == 0)
11383 		return -EINVAL;
11384 
11385 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11386 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11387 		return -EOPNOTSUPP;
11388 
11389 	wdev_lock(dev->ieee80211_ptr);
11390 	ret = cfg80211_disconnect(rdev, dev, reason, true);
11391 	wdev_unlock(dev->ieee80211_ptr);
11392 	return ret;
11393 }
11394 
11395 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
11396 {
11397 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11398 	struct net *net;
11399 	int err;
11400 
11401 	if (info->attrs[NL80211_ATTR_PID]) {
11402 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
11403 
11404 		net = get_net_ns_by_pid(pid);
11405 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
11406 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
11407 
11408 		net = get_net_ns_by_fd(fd);
11409 	} else {
11410 		return -EINVAL;
11411 	}
11412 
11413 	if (IS_ERR(net))
11414 		return PTR_ERR(net);
11415 
11416 	err = 0;
11417 
11418 	/* check if anything to do */
11419 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
11420 		err = cfg80211_switch_netns(rdev, net);
11421 
11422 	put_net(net);
11423 	return err;
11424 }
11425 
11426 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
11427 {
11428 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11429 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
11430 			struct cfg80211_pmksa *pmksa) = NULL;
11431 	struct net_device *dev = info->user_ptr[1];
11432 	struct cfg80211_pmksa pmksa;
11433 
11434 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
11435 
11436 	if (!info->attrs[NL80211_ATTR_PMKID])
11437 		return -EINVAL;
11438 
11439 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
11440 
11441 	if (info->attrs[NL80211_ATTR_MAC]) {
11442 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11443 	} else if (info->attrs[NL80211_ATTR_SSID] &&
11444 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
11445 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
11446 		    info->attrs[NL80211_ATTR_PMK])) {
11447 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11448 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11449 		pmksa.cache_id =
11450 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
11451 	} else {
11452 		return -EINVAL;
11453 	}
11454 	if (info->attrs[NL80211_ATTR_PMK]) {
11455 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
11456 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
11457 	}
11458 
11459 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
11460 		pmksa.pmk_lifetime =
11461 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
11462 
11463 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
11464 		pmksa.pmk_reauth_threshold =
11465 			nla_get_u8(
11466 				info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
11467 
11468 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11469 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
11470 	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
11471 	      wiphy_ext_feature_isset(&rdev->wiphy,
11472 				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
11473 		return -EOPNOTSUPP;
11474 
11475 	switch (info->genlhdr->cmd) {
11476 	case NL80211_CMD_SET_PMKSA:
11477 		rdev_ops = rdev->ops->set_pmksa;
11478 		break;
11479 	case NL80211_CMD_DEL_PMKSA:
11480 		rdev_ops = rdev->ops->del_pmksa;
11481 		break;
11482 	default:
11483 		WARN_ON(1);
11484 		break;
11485 	}
11486 
11487 	if (!rdev_ops)
11488 		return -EOPNOTSUPP;
11489 
11490 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
11491 }
11492 
11493 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
11494 {
11495 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11496 	struct net_device *dev = info->user_ptr[1];
11497 
11498 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11499 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11500 		return -EOPNOTSUPP;
11501 
11502 	if (!rdev->ops->flush_pmksa)
11503 		return -EOPNOTSUPP;
11504 
11505 	return rdev_flush_pmksa(rdev, dev);
11506 }
11507 
11508 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
11509 {
11510 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11511 	struct net_device *dev = info->user_ptr[1];
11512 	u8 action_code, dialog_token;
11513 	u32 peer_capability = 0;
11514 	u16 status_code;
11515 	u8 *peer;
11516 	bool initiator;
11517 
11518 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
11519 	    !rdev->ops->tdls_mgmt)
11520 		return -EOPNOTSUPP;
11521 
11522 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
11523 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
11524 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
11525 	    !info->attrs[NL80211_ATTR_IE] ||
11526 	    !info->attrs[NL80211_ATTR_MAC])
11527 		return -EINVAL;
11528 
11529 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11530 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
11531 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
11532 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
11533 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
11534 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
11535 		peer_capability =
11536 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
11537 
11538 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
11539 			      dialog_token, status_code, peer_capability,
11540 			      initiator,
11541 			      nla_data(info->attrs[NL80211_ATTR_IE]),
11542 			      nla_len(info->attrs[NL80211_ATTR_IE]));
11543 }
11544 
11545 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
11546 {
11547 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11548 	struct net_device *dev = info->user_ptr[1];
11549 	enum nl80211_tdls_operation operation;
11550 	u8 *peer;
11551 
11552 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
11553 	    !rdev->ops->tdls_oper)
11554 		return -EOPNOTSUPP;
11555 
11556 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
11557 	    !info->attrs[NL80211_ATTR_MAC])
11558 		return -EINVAL;
11559 
11560 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
11561 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11562 
11563 	return rdev_tdls_oper(rdev, dev, peer, operation);
11564 }
11565 
11566 static int nl80211_remain_on_channel(struct sk_buff *skb,
11567 				     struct genl_info *info)
11568 {
11569 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11570 	struct wireless_dev *wdev = info->user_ptr[1];
11571 	struct cfg80211_chan_def chandef;
11572 	const struct cfg80211_chan_def *compat_chandef;
11573 	struct sk_buff *msg;
11574 	void *hdr;
11575 	u64 cookie;
11576 	u32 duration;
11577 	int err;
11578 
11579 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11580 	    !info->attrs[NL80211_ATTR_DURATION])
11581 		return -EINVAL;
11582 
11583 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
11584 
11585 	if (!rdev->ops->remain_on_channel ||
11586 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
11587 		return -EOPNOTSUPP;
11588 
11589 	/*
11590 	 * We should be on that channel for at least a minimum amount of
11591 	 * time (10ms) but no longer than the driver supports.
11592 	 */
11593 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11594 	    duration > rdev->wiphy.max_remain_on_channel_duration)
11595 		return -EINVAL;
11596 
11597 	err = nl80211_parse_chandef(rdev, info, &chandef);
11598 	if (err)
11599 		return err;
11600 
11601 	wdev_lock(wdev);
11602 	if (!cfg80211_off_channel_oper_allowed(wdev) &&
11603 	    !cfg80211_chandef_identical(&wdev->chandef, &chandef)) {
11604 		compat_chandef = cfg80211_chandef_compatible(&wdev->chandef,
11605 							     &chandef);
11606 		if (compat_chandef != &chandef) {
11607 			wdev_unlock(wdev);
11608 			return -EBUSY;
11609 		}
11610 	}
11611 	wdev_unlock(wdev);
11612 
11613 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11614 	if (!msg)
11615 		return -ENOMEM;
11616 
11617 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11618 			     NL80211_CMD_REMAIN_ON_CHANNEL);
11619 	if (!hdr) {
11620 		err = -ENOBUFS;
11621 		goto free_msg;
11622 	}
11623 
11624 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
11625 				     duration, &cookie);
11626 
11627 	if (err)
11628 		goto free_msg;
11629 
11630 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11631 			      NL80211_ATTR_PAD))
11632 		goto nla_put_failure;
11633 
11634 	genlmsg_end(msg, hdr);
11635 
11636 	return genlmsg_reply(msg, info);
11637 
11638  nla_put_failure:
11639 	err = -ENOBUFS;
11640  free_msg:
11641 	nlmsg_free(msg);
11642 	return err;
11643 }
11644 
11645 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
11646 					    struct genl_info *info)
11647 {
11648 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11649 	struct wireless_dev *wdev = info->user_ptr[1];
11650 	u64 cookie;
11651 
11652 	if (!info->attrs[NL80211_ATTR_COOKIE])
11653 		return -EINVAL;
11654 
11655 	if (!rdev->ops->cancel_remain_on_channel)
11656 		return -EOPNOTSUPP;
11657 
11658 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11659 
11660 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
11661 }
11662 
11663 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
11664 				       struct genl_info *info)
11665 {
11666 	struct cfg80211_bitrate_mask mask;
11667 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11668 	struct net_device *dev = info->user_ptr[1];
11669 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11670 	int err;
11671 
11672 	if (!rdev->ops->set_bitrate_mask)
11673 		return -EOPNOTSUPP;
11674 
11675 	wdev_lock(wdev);
11676 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
11677 					    NL80211_ATTR_TX_RATES, &mask,
11678 					    dev, true);
11679 	if (err)
11680 		goto out;
11681 
11682 	err = rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
11683 out:
11684 	wdev_unlock(wdev);
11685 	return err;
11686 }
11687 
11688 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
11689 {
11690 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11691 	struct wireless_dev *wdev = info->user_ptr[1];
11692 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
11693 
11694 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
11695 		return -EINVAL;
11696 
11697 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
11698 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
11699 
11700 	switch (wdev->iftype) {
11701 	case NL80211_IFTYPE_STATION:
11702 	case NL80211_IFTYPE_ADHOC:
11703 	case NL80211_IFTYPE_P2P_CLIENT:
11704 	case NL80211_IFTYPE_AP:
11705 	case NL80211_IFTYPE_AP_VLAN:
11706 	case NL80211_IFTYPE_MESH_POINT:
11707 	case NL80211_IFTYPE_P2P_GO:
11708 	case NL80211_IFTYPE_P2P_DEVICE:
11709 		break;
11710 	case NL80211_IFTYPE_NAN:
11711 	default:
11712 		return -EOPNOTSUPP;
11713 	}
11714 
11715 	/* not much point in registering if we can't reply */
11716 	if (!rdev->ops->mgmt_tx)
11717 		return -EOPNOTSUPP;
11718 
11719 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
11720 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11721 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
11722 		GENL_SET_ERR_MSG(info,
11723 				 "multicast RX registrations are not supported");
11724 		return -EOPNOTSUPP;
11725 	}
11726 
11727 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
11728 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
11729 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
11730 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
11731 					   info->extack);
11732 }
11733 
11734 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
11735 {
11736 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11737 	struct wireless_dev *wdev = info->user_ptr[1];
11738 	struct cfg80211_chan_def chandef;
11739 	int err;
11740 	void *hdr = NULL;
11741 	u64 cookie;
11742 	struct sk_buff *msg = NULL;
11743 	struct cfg80211_mgmt_tx_params params = {
11744 		.dont_wait_for_ack =
11745 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
11746 	};
11747 
11748 	if (!info->attrs[NL80211_ATTR_FRAME])
11749 		return -EINVAL;
11750 
11751 	if (!rdev->ops->mgmt_tx)
11752 		return -EOPNOTSUPP;
11753 
11754 	switch (wdev->iftype) {
11755 	case NL80211_IFTYPE_P2P_DEVICE:
11756 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
11757 			return -EINVAL;
11758 		break;
11759 	case NL80211_IFTYPE_STATION:
11760 	case NL80211_IFTYPE_ADHOC:
11761 	case NL80211_IFTYPE_P2P_CLIENT:
11762 	case NL80211_IFTYPE_AP:
11763 	case NL80211_IFTYPE_AP_VLAN:
11764 	case NL80211_IFTYPE_MESH_POINT:
11765 	case NL80211_IFTYPE_P2P_GO:
11766 		break;
11767 	case NL80211_IFTYPE_NAN:
11768 	default:
11769 		return -EOPNOTSUPP;
11770 	}
11771 
11772 	if (info->attrs[NL80211_ATTR_DURATION]) {
11773 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
11774 			return -EINVAL;
11775 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
11776 
11777 		/*
11778 		 * We should wait on the channel for at least a minimum amount
11779 		 * of time (10ms) but no longer than the driver supports.
11780 		 */
11781 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11782 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
11783 			return -EINVAL;
11784 	}
11785 
11786 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
11787 
11788 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
11789 		return -EINVAL;
11790 
11791 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
11792 
11793 	/* get the channel if any has been specified, otherwise pass NULL to
11794 	 * the driver. The latter will use the current one
11795 	 */
11796 	chandef.chan = NULL;
11797 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
11798 		err = nl80211_parse_chandef(rdev, info, &chandef);
11799 		if (err)
11800 			return err;
11801 	}
11802 
11803 	if (!chandef.chan && params.offchan)
11804 		return -EINVAL;
11805 
11806 	wdev_lock(wdev);
11807 	if (params.offchan && !cfg80211_off_channel_oper_allowed(wdev)) {
11808 		wdev_unlock(wdev);
11809 		return -EBUSY;
11810 	}
11811 	wdev_unlock(wdev);
11812 
11813 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
11814 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
11815 
11816 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
11817 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11818 		int i;
11819 
11820 		if (len % sizeof(u16))
11821 			return -EINVAL;
11822 
11823 		params.n_csa_offsets = len / sizeof(u16);
11824 		params.csa_offsets =
11825 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11826 
11827 		/* check that all the offsets fit the frame */
11828 		for (i = 0; i < params.n_csa_offsets; i++) {
11829 			if (params.csa_offsets[i] >= params.len)
11830 				return -EINVAL;
11831 		}
11832 	}
11833 
11834 	if (!params.dont_wait_for_ack) {
11835 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11836 		if (!msg)
11837 			return -ENOMEM;
11838 
11839 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11840 				     NL80211_CMD_FRAME);
11841 		if (!hdr) {
11842 			err = -ENOBUFS;
11843 			goto free_msg;
11844 		}
11845 	}
11846 
11847 	params.chan = chandef.chan;
11848 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
11849 	if (err)
11850 		goto free_msg;
11851 
11852 	if (msg) {
11853 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11854 				      NL80211_ATTR_PAD))
11855 			goto nla_put_failure;
11856 
11857 		genlmsg_end(msg, hdr);
11858 		return genlmsg_reply(msg, info);
11859 	}
11860 
11861 	return 0;
11862 
11863  nla_put_failure:
11864 	err = -ENOBUFS;
11865  free_msg:
11866 	nlmsg_free(msg);
11867 	return err;
11868 }
11869 
11870 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
11871 {
11872 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11873 	struct wireless_dev *wdev = info->user_ptr[1];
11874 	u64 cookie;
11875 
11876 	if (!info->attrs[NL80211_ATTR_COOKIE])
11877 		return -EINVAL;
11878 
11879 	if (!rdev->ops->mgmt_tx_cancel_wait)
11880 		return -EOPNOTSUPP;
11881 
11882 	switch (wdev->iftype) {
11883 	case NL80211_IFTYPE_STATION:
11884 	case NL80211_IFTYPE_ADHOC:
11885 	case NL80211_IFTYPE_P2P_CLIENT:
11886 	case NL80211_IFTYPE_AP:
11887 	case NL80211_IFTYPE_AP_VLAN:
11888 	case NL80211_IFTYPE_P2P_GO:
11889 	case NL80211_IFTYPE_P2P_DEVICE:
11890 		break;
11891 	case NL80211_IFTYPE_NAN:
11892 	default:
11893 		return -EOPNOTSUPP;
11894 	}
11895 
11896 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11897 
11898 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
11899 }
11900 
11901 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
11902 {
11903 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11904 	struct wireless_dev *wdev;
11905 	struct net_device *dev = info->user_ptr[1];
11906 	u8 ps_state;
11907 	bool state;
11908 	int err;
11909 
11910 	if (!info->attrs[NL80211_ATTR_PS_STATE])
11911 		return -EINVAL;
11912 
11913 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
11914 
11915 	wdev = dev->ieee80211_ptr;
11916 
11917 	if (!rdev->ops->set_power_mgmt)
11918 		return -EOPNOTSUPP;
11919 
11920 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
11921 
11922 	if (state == wdev->ps)
11923 		return 0;
11924 
11925 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
11926 	if (!err)
11927 		wdev->ps = state;
11928 	return err;
11929 }
11930 
11931 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
11932 {
11933 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11934 	enum nl80211_ps_state ps_state;
11935 	struct wireless_dev *wdev;
11936 	struct net_device *dev = info->user_ptr[1];
11937 	struct sk_buff *msg;
11938 	void *hdr;
11939 	int err;
11940 
11941 	wdev = dev->ieee80211_ptr;
11942 
11943 	if (!rdev->ops->set_power_mgmt)
11944 		return -EOPNOTSUPP;
11945 
11946 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11947 	if (!msg)
11948 		return -ENOMEM;
11949 
11950 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11951 			     NL80211_CMD_GET_POWER_SAVE);
11952 	if (!hdr) {
11953 		err = -ENOBUFS;
11954 		goto free_msg;
11955 	}
11956 
11957 	if (wdev->ps)
11958 		ps_state = NL80211_PS_ENABLED;
11959 	else
11960 		ps_state = NL80211_PS_DISABLED;
11961 
11962 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
11963 		goto nla_put_failure;
11964 
11965 	genlmsg_end(msg, hdr);
11966 	return genlmsg_reply(msg, info);
11967 
11968  nla_put_failure:
11969 	err = -ENOBUFS;
11970  free_msg:
11971 	nlmsg_free(msg);
11972 	return err;
11973 }
11974 
11975 static const struct nla_policy
11976 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
11977 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
11978 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
11979 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
11980 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
11981 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
11982 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
11983 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
11984 };
11985 
11986 static int nl80211_set_cqm_txe(struct genl_info *info,
11987 			       u32 rate, u32 pkts, u32 intvl)
11988 {
11989 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11990 	struct net_device *dev = info->user_ptr[1];
11991 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11992 
11993 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
11994 		return -EINVAL;
11995 
11996 	if (!rdev->ops->set_cqm_txe_config)
11997 		return -EOPNOTSUPP;
11998 
11999 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12000 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12001 		return -EOPNOTSUPP;
12002 
12003 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
12004 }
12005 
12006 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
12007 				    struct net_device *dev)
12008 {
12009 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12010 	s32 last, low, high;
12011 	u32 hyst;
12012 	int i, n, low_index;
12013 	int err;
12014 
12015 	/* RSSI reporting disabled? */
12016 	if (!wdev->cqm_config)
12017 		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
12018 
12019 	/*
12020 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
12021 	 * event has been received yet, we should receive an event after a
12022 	 * connection is established and enough beacons received to calculate
12023 	 * the average.
12024 	 */
12025 	if (!wdev->cqm_config->last_rssi_event_value && wdev->current_bss &&
12026 	    rdev->ops->get_station) {
12027 		struct station_info sinfo = {};
12028 		u8 *mac_addr;
12029 
12030 		mac_addr = wdev->current_bss->pub.bssid;
12031 
12032 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
12033 		if (err)
12034 			return err;
12035 
12036 		cfg80211_sinfo_release_content(&sinfo);
12037 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
12038 			wdev->cqm_config->last_rssi_event_value =
12039 				(s8) sinfo.rx_beacon_signal_avg;
12040 	}
12041 
12042 	last = wdev->cqm_config->last_rssi_event_value;
12043 	hyst = wdev->cqm_config->rssi_hyst;
12044 	n = wdev->cqm_config->n_rssi_thresholds;
12045 
12046 	for (i = 0; i < n; i++) {
12047 		i = array_index_nospec(i, n);
12048 		if (last < wdev->cqm_config->rssi_thresholds[i])
12049 			break;
12050 	}
12051 
12052 	low_index = i - 1;
12053 	if (low_index >= 0) {
12054 		low_index = array_index_nospec(low_index, n);
12055 		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
12056 	} else {
12057 		low = S32_MIN;
12058 	}
12059 	if (i < n) {
12060 		i = array_index_nospec(i, n);
12061 		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
12062 	} else {
12063 		high = S32_MAX;
12064 	}
12065 
12066 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
12067 }
12068 
12069 static int nl80211_set_cqm_rssi(struct genl_info *info,
12070 				const s32 *thresholds, int n_thresholds,
12071 				u32 hysteresis)
12072 {
12073 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12074 	struct net_device *dev = info->user_ptr[1];
12075 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12076 	int i, err;
12077 	s32 prev = S32_MIN;
12078 
12079 	/* Check all values negative and sorted */
12080 	for (i = 0; i < n_thresholds; i++) {
12081 		if (thresholds[i] > 0 || thresholds[i] <= prev)
12082 			return -EINVAL;
12083 
12084 		prev = thresholds[i];
12085 	}
12086 
12087 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12088 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12089 		return -EOPNOTSUPP;
12090 
12091 	wdev_lock(wdev);
12092 	cfg80211_cqm_config_free(wdev);
12093 	wdev_unlock(wdev);
12094 
12095 	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
12096 		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
12097 			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
12098 
12099 		return rdev_set_cqm_rssi_config(rdev, dev,
12100 						thresholds[0], hysteresis);
12101 	}
12102 
12103 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
12104 				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
12105 		return -EOPNOTSUPP;
12106 
12107 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
12108 		n_thresholds = 0;
12109 
12110 	wdev_lock(wdev);
12111 	if (n_thresholds) {
12112 		struct cfg80211_cqm_config *cqm_config;
12113 
12114 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
12115 						 n_thresholds),
12116 				     GFP_KERNEL);
12117 		if (!cqm_config) {
12118 			err = -ENOMEM;
12119 			goto unlock;
12120 		}
12121 
12122 		cqm_config->rssi_hyst = hysteresis;
12123 		cqm_config->n_rssi_thresholds = n_thresholds;
12124 		memcpy(cqm_config->rssi_thresholds, thresholds,
12125 		       flex_array_size(cqm_config, rssi_thresholds,
12126 				       n_thresholds));
12127 
12128 		wdev->cqm_config = cqm_config;
12129 	}
12130 
12131 	err = cfg80211_cqm_rssi_update(rdev, dev);
12132 
12133 unlock:
12134 	wdev_unlock(wdev);
12135 
12136 	return err;
12137 }
12138 
12139 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
12140 {
12141 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
12142 	struct nlattr *cqm;
12143 	int err;
12144 
12145 	cqm = info->attrs[NL80211_ATTR_CQM];
12146 	if (!cqm)
12147 		return -EINVAL;
12148 
12149 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
12150 					  nl80211_attr_cqm_policy,
12151 					  info->extack);
12152 	if (err)
12153 		return err;
12154 
12155 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
12156 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
12157 		const s32 *thresholds =
12158 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12159 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12160 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
12161 
12162 		if (len % 4)
12163 			return -EINVAL;
12164 
12165 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
12166 					    hysteresis);
12167 	}
12168 
12169 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
12170 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
12171 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
12172 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
12173 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
12174 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
12175 
12176 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
12177 	}
12178 
12179 	return -EINVAL;
12180 }
12181 
12182 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
12183 {
12184 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12185 	struct net_device *dev = info->user_ptr[1];
12186 	struct ocb_setup setup = {};
12187 	int err;
12188 
12189 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12190 	if (err)
12191 		return err;
12192 
12193 	return cfg80211_join_ocb(rdev, dev, &setup);
12194 }
12195 
12196 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
12197 {
12198 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12199 	struct net_device *dev = info->user_ptr[1];
12200 
12201 	return cfg80211_leave_ocb(rdev, dev);
12202 }
12203 
12204 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
12205 {
12206 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12207 	struct net_device *dev = info->user_ptr[1];
12208 	struct mesh_config cfg;
12209 	struct mesh_setup setup;
12210 	int err;
12211 
12212 	/* start with default */
12213 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
12214 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
12215 
12216 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
12217 		/* and parse parameters if given */
12218 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
12219 		if (err)
12220 			return err;
12221 	}
12222 
12223 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
12224 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
12225 		return -EINVAL;
12226 
12227 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
12228 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
12229 
12230 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
12231 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
12232 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
12233 			return -EINVAL;
12234 
12235 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
12236 		setup.beacon_interval =
12237 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
12238 
12239 		err = cfg80211_validate_beacon_int(rdev,
12240 						   NL80211_IFTYPE_MESH_POINT,
12241 						   setup.beacon_interval);
12242 		if (err)
12243 			return err;
12244 	}
12245 
12246 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
12247 		setup.dtim_period =
12248 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
12249 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
12250 			return -EINVAL;
12251 	}
12252 
12253 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
12254 		/* parse additional setup parameters if given */
12255 		err = nl80211_parse_mesh_setup(info, &setup);
12256 		if (err)
12257 			return err;
12258 	}
12259 
12260 	if (setup.user_mpm)
12261 		cfg.auto_open_plinks = false;
12262 
12263 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12264 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12265 		if (err)
12266 			return err;
12267 	} else {
12268 		/* __cfg80211_join_mesh() will sort it out */
12269 		setup.chandef.chan = NULL;
12270 	}
12271 
12272 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
12273 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12274 		int n_rates =
12275 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12276 		struct ieee80211_supported_band *sband;
12277 
12278 		if (!setup.chandef.chan)
12279 			return -EINVAL;
12280 
12281 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
12282 
12283 		err = ieee80211_get_ratemask(sband, rates, n_rates,
12284 					     &setup.basic_rates);
12285 		if (err)
12286 			return err;
12287 	}
12288 
12289 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
12290 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12291 						    NL80211_ATTR_TX_RATES,
12292 						    &setup.beacon_rate,
12293 						    dev, false);
12294 		if (err)
12295 			return err;
12296 
12297 		if (!setup.chandef.chan)
12298 			return -EINVAL;
12299 
12300 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
12301 					      &setup.beacon_rate);
12302 		if (err)
12303 			return err;
12304 	}
12305 
12306 	setup.userspace_handles_dfs =
12307 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
12308 
12309 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12310 		int r = validate_pae_over_nl80211(rdev, info);
12311 
12312 		if (r < 0)
12313 			return r;
12314 
12315 		setup.control_port_over_nl80211 = true;
12316 	}
12317 
12318 	wdev_lock(dev->ieee80211_ptr);
12319 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
12320 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
12321 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12322 	wdev_unlock(dev->ieee80211_ptr);
12323 
12324 	return err;
12325 }
12326 
12327 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
12328 {
12329 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12330 	struct net_device *dev = info->user_ptr[1];
12331 
12332 	return cfg80211_leave_mesh(rdev, dev);
12333 }
12334 
12335 #ifdef CONFIG_PM
12336 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
12337 					struct cfg80211_registered_device *rdev)
12338 {
12339 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
12340 	struct nlattr *nl_pats, *nl_pat;
12341 	int i, pat_len;
12342 
12343 	if (!wowlan->n_patterns)
12344 		return 0;
12345 
12346 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
12347 	if (!nl_pats)
12348 		return -ENOBUFS;
12349 
12350 	for (i = 0; i < wowlan->n_patterns; i++) {
12351 		nl_pat = nla_nest_start_noflag(msg, i + 1);
12352 		if (!nl_pat)
12353 			return -ENOBUFS;
12354 		pat_len = wowlan->patterns[i].pattern_len;
12355 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
12356 			    wowlan->patterns[i].mask) ||
12357 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
12358 			    wowlan->patterns[i].pattern) ||
12359 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
12360 				wowlan->patterns[i].pkt_offset))
12361 			return -ENOBUFS;
12362 		nla_nest_end(msg, nl_pat);
12363 	}
12364 	nla_nest_end(msg, nl_pats);
12365 
12366 	return 0;
12367 }
12368 
12369 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
12370 				   struct cfg80211_wowlan_tcp *tcp)
12371 {
12372 	struct nlattr *nl_tcp;
12373 
12374 	if (!tcp)
12375 		return 0;
12376 
12377 	nl_tcp = nla_nest_start_noflag(msg,
12378 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
12379 	if (!nl_tcp)
12380 		return -ENOBUFS;
12381 
12382 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
12383 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
12384 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
12385 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
12386 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
12387 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
12388 		    tcp->payload_len, tcp->payload) ||
12389 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
12390 			tcp->data_interval) ||
12391 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
12392 		    tcp->wake_len, tcp->wake_data) ||
12393 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
12394 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
12395 		return -ENOBUFS;
12396 
12397 	if (tcp->payload_seq.len &&
12398 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
12399 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
12400 		return -ENOBUFS;
12401 
12402 	if (tcp->payload_tok.len &&
12403 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
12404 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
12405 		    &tcp->payload_tok))
12406 		return -ENOBUFS;
12407 
12408 	nla_nest_end(msg, nl_tcp);
12409 
12410 	return 0;
12411 }
12412 
12413 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
12414 				  struct cfg80211_sched_scan_request *req)
12415 {
12416 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
12417 	int i;
12418 
12419 	if (!req)
12420 		return 0;
12421 
12422 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
12423 	if (!nd)
12424 		return -ENOBUFS;
12425 
12426 	if (req->n_scan_plans == 1 &&
12427 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
12428 			req->scan_plans[0].interval * 1000))
12429 		return -ENOBUFS;
12430 
12431 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
12432 		return -ENOBUFS;
12433 
12434 	if (req->relative_rssi_set) {
12435 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
12436 
12437 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
12438 			       req->relative_rssi))
12439 			return -ENOBUFS;
12440 
12441 		rssi_adjust.band = req->rssi_adjust.band;
12442 		rssi_adjust.delta = req->rssi_adjust.delta;
12443 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
12444 			    sizeof(rssi_adjust), &rssi_adjust))
12445 			return -ENOBUFS;
12446 	}
12447 
12448 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
12449 	if (!freqs)
12450 		return -ENOBUFS;
12451 
12452 	for (i = 0; i < req->n_channels; i++) {
12453 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
12454 			return -ENOBUFS;
12455 	}
12456 
12457 	nla_nest_end(msg, freqs);
12458 
12459 	if (req->n_match_sets) {
12460 		matches = nla_nest_start_noflag(msg,
12461 						NL80211_ATTR_SCHED_SCAN_MATCH);
12462 		if (!matches)
12463 			return -ENOBUFS;
12464 
12465 		for (i = 0; i < req->n_match_sets; i++) {
12466 			match = nla_nest_start_noflag(msg, i);
12467 			if (!match)
12468 				return -ENOBUFS;
12469 
12470 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
12471 				    req->match_sets[i].ssid.ssid_len,
12472 				    req->match_sets[i].ssid.ssid))
12473 				return -ENOBUFS;
12474 			nla_nest_end(msg, match);
12475 		}
12476 		nla_nest_end(msg, matches);
12477 	}
12478 
12479 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
12480 	if (!scan_plans)
12481 		return -ENOBUFS;
12482 
12483 	for (i = 0; i < req->n_scan_plans; i++) {
12484 		scan_plan = nla_nest_start_noflag(msg, i + 1);
12485 		if (!scan_plan)
12486 			return -ENOBUFS;
12487 
12488 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
12489 				req->scan_plans[i].interval) ||
12490 		    (req->scan_plans[i].iterations &&
12491 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
12492 				 req->scan_plans[i].iterations)))
12493 			return -ENOBUFS;
12494 		nla_nest_end(msg, scan_plan);
12495 	}
12496 	nla_nest_end(msg, scan_plans);
12497 
12498 	nla_nest_end(msg, nd);
12499 
12500 	return 0;
12501 }
12502 
12503 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
12504 {
12505 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12506 	struct sk_buff *msg;
12507 	void *hdr;
12508 	u32 size = NLMSG_DEFAULT_SIZE;
12509 
12510 	if (!rdev->wiphy.wowlan)
12511 		return -EOPNOTSUPP;
12512 
12513 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
12514 		/* adjust size to have room for all the data */
12515 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
12516 			rdev->wiphy.wowlan_config->tcp->payload_len +
12517 			rdev->wiphy.wowlan_config->tcp->wake_len +
12518 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
12519 	}
12520 
12521 	msg = nlmsg_new(size, GFP_KERNEL);
12522 	if (!msg)
12523 		return -ENOMEM;
12524 
12525 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12526 			     NL80211_CMD_GET_WOWLAN);
12527 	if (!hdr)
12528 		goto nla_put_failure;
12529 
12530 	if (rdev->wiphy.wowlan_config) {
12531 		struct nlattr *nl_wowlan;
12532 
12533 		nl_wowlan = nla_nest_start_noflag(msg,
12534 						  NL80211_ATTR_WOWLAN_TRIGGERS);
12535 		if (!nl_wowlan)
12536 			goto nla_put_failure;
12537 
12538 		if ((rdev->wiphy.wowlan_config->any &&
12539 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
12540 		    (rdev->wiphy.wowlan_config->disconnect &&
12541 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
12542 		    (rdev->wiphy.wowlan_config->magic_pkt &&
12543 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
12544 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
12545 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
12546 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
12547 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
12548 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
12549 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
12550 		    (rdev->wiphy.wowlan_config->rfkill_release &&
12551 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
12552 			goto nla_put_failure;
12553 
12554 		if (nl80211_send_wowlan_patterns(msg, rdev))
12555 			goto nla_put_failure;
12556 
12557 		if (nl80211_send_wowlan_tcp(msg,
12558 					    rdev->wiphy.wowlan_config->tcp))
12559 			goto nla_put_failure;
12560 
12561 		if (nl80211_send_wowlan_nd(
12562 			    msg,
12563 			    rdev->wiphy.wowlan_config->nd_config))
12564 			goto nla_put_failure;
12565 
12566 		nla_nest_end(msg, nl_wowlan);
12567 	}
12568 
12569 	genlmsg_end(msg, hdr);
12570 	return genlmsg_reply(msg, info);
12571 
12572 nla_put_failure:
12573 	nlmsg_free(msg);
12574 	return -ENOBUFS;
12575 }
12576 
12577 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
12578 				    struct nlattr *attr,
12579 				    struct cfg80211_wowlan *trig)
12580 {
12581 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
12582 	struct cfg80211_wowlan_tcp *cfg;
12583 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
12584 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
12585 	u32 size;
12586 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
12587 	int err, port;
12588 
12589 	if (!rdev->wiphy.wowlan->tcp)
12590 		return -EINVAL;
12591 
12592 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
12593 					  nl80211_wowlan_tcp_policy, NULL);
12594 	if (err)
12595 		return err;
12596 
12597 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
12598 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
12599 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
12600 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
12601 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
12602 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
12603 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
12604 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
12605 		return -EINVAL;
12606 
12607 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
12608 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
12609 		return -EINVAL;
12610 
12611 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
12612 			rdev->wiphy.wowlan->tcp->data_interval_max ||
12613 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
12614 		return -EINVAL;
12615 
12616 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
12617 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
12618 		return -EINVAL;
12619 
12620 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
12621 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
12622 		return -EINVAL;
12623 
12624 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
12625 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12626 
12627 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12628 		tokens_size = tokln - sizeof(*tok);
12629 
12630 		if (!tok->len || tokens_size % tok->len)
12631 			return -EINVAL;
12632 		if (!rdev->wiphy.wowlan->tcp->tok)
12633 			return -EINVAL;
12634 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
12635 			return -EINVAL;
12636 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
12637 			return -EINVAL;
12638 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
12639 			return -EINVAL;
12640 		if (tok->offset + tok->len > data_size)
12641 			return -EINVAL;
12642 	}
12643 
12644 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
12645 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
12646 		if (!rdev->wiphy.wowlan->tcp->seq)
12647 			return -EINVAL;
12648 		if (seq->len == 0 || seq->len > 4)
12649 			return -EINVAL;
12650 		if (seq->len + seq->offset > data_size)
12651 			return -EINVAL;
12652 	}
12653 
12654 	size = sizeof(*cfg);
12655 	size += data_size;
12656 	size += wake_size + wake_mask_size;
12657 	size += tokens_size;
12658 
12659 	cfg = kzalloc(size, GFP_KERNEL);
12660 	if (!cfg)
12661 		return -ENOMEM;
12662 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
12663 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
12664 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
12665 	       ETH_ALEN);
12666 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
12667 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
12668 	else
12669 		port = 0;
12670 #ifdef CONFIG_INET
12671 	/* allocate a socket and port for it and use it */
12672 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
12673 			    IPPROTO_TCP, &cfg->sock, 1);
12674 	if (err) {
12675 		kfree(cfg);
12676 		return err;
12677 	}
12678 	if (inet_csk_get_port(cfg->sock->sk, port)) {
12679 		sock_release(cfg->sock);
12680 		kfree(cfg);
12681 		return -EADDRINUSE;
12682 	}
12683 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
12684 #else
12685 	if (!port) {
12686 		kfree(cfg);
12687 		return -EINVAL;
12688 	}
12689 	cfg->src_port = port;
12690 #endif
12691 
12692 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
12693 	cfg->payload_len = data_size;
12694 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
12695 	memcpy((void *)cfg->payload,
12696 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
12697 	       data_size);
12698 	if (seq)
12699 		cfg->payload_seq = *seq;
12700 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
12701 	cfg->wake_len = wake_size;
12702 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
12703 	memcpy((void *)cfg->wake_data,
12704 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
12705 	       wake_size);
12706 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
12707 			 data_size + wake_size;
12708 	memcpy((void *)cfg->wake_mask,
12709 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
12710 	       wake_mask_size);
12711 	if (tok) {
12712 		cfg->tokens_size = tokens_size;
12713 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
12714 	}
12715 
12716 	trig->tcp = cfg;
12717 
12718 	return 0;
12719 }
12720 
12721 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
12722 				   const struct wiphy_wowlan_support *wowlan,
12723 				   struct nlattr *attr,
12724 				   struct cfg80211_wowlan *trig)
12725 {
12726 	struct nlattr **tb;
12727 	int err;
12728 
12729 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
12730 	if (!tb)
12731 		return -ENOMEM;
12732 
12733 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
12734 		err = -EOPNOTSUPP;
12735 		goto out;
12736 	}
12737 
12738 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
12739 					  nl80211_policy, NULL);
12740 	if (err)
12741 		goto out;
12742 
12743 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
12744 						   wowlan->max_nd_match_sets);
12745 	err = PTR_ERR_OR_ZERO(trig->nd_config);
12746 	if (err)
12747 		trig->nd_config = NULL;
12748 
12749 out:
12750 	kfree(tb);
12751 	return err;
12752 }
12753 
12754 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
12755 {
12756 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12757 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
12758 	struct cfg80211_wowlan new_triggers = {};
12759 	struct cfg80211_wowlan *ntrig;
12760 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
12761 	int err, i;
12762 	bool prev_enabled = rdev->wiphy.wowlan_config;
12763 	bool regular = false;
12764 
12765 	if (!wowlan)
12766 		return -EOPNOTSUPP;
12767 
12768 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
12769 		cfg80211_rdev_free_wowlan(rdev);
12770 		rdev->wiphy.wowlan_config = NULL;
12771 		goto set_wakeup;
12772 	}
12773 
12774 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
12775 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
12776 					  nl80211_wowlan_policy, info->extack);
12777 	if (err)
12778 		return err;
12779 
12780 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
12781 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
12782 			return -EINVAL;
12783 		new_triggers.any = true;
12784 	}
12785 
12786 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
12787 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
12788 			return -EINVAL;
12789 		new_triggers.disconnect = true;
12790 		regular = true;
12791 	}
12792 
12793 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
12794 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
12795 			return -EINVAL;
12796 		new_triggers.magic_pkt = true;
12797 		regular = true;
12798 	}
12799 
12800 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
12801 		return -EINVAL;
12802 
12803 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
12804 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
12805 			return -EINVAL;
12806 		new_triggers.gtk_rekey_failure = true;
12807 		regular = true;
12808 	}
12809 
12810 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
12811 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
12812 			return -EINVAL;
12813 		new_triggers.eap_identity_req = true;
12814 		regular = true;
12815 	}
12816 
12817 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
12818 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
12819 			return -EINVAL;
12820 		new_triggers.four_way_handshake = true;
12821 		regular = true;
12822 	}
12823 
12824 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
12825 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
12826 			return -EINVAL;
12827 		new_triggers.rfkill_release = true;
12828 		regular = true;
12829 	}
12830 
12831 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
12832 		struct nlattr *pat;
12833 		int n_patterns = 0;
12834 		int rem, pat_len, mask_len, pkt_offset;
12835 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
12836 
12837 		regular = true;
12838 
12839 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12840 				    rem)
12841 			n_patterns++;
12842 		if (n_patterns > wowlan->n_patterns)
12843 			return -EINVAL;
12844 
12845 		new_triggers.patterns = kcalloc(n_patterns,
12846 						sizeof(new_triggers.patterns[0]),
12847 						GFP_KERNEL);
12848 		if (!new_triggers.patterns)
12849 			return -ENOMEM;
12850 
12851 		new_triggers.n_patterns = n_patterns;
12852 		i = 0;
12853 
12854 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12855 				    rem) {
12856 			u8 *mask_pat;
12857 
12858 			err = nla_parse_nested_deprecated(pat_tb,
12859 							  MAX_NL80211_PKTPAT,
12860 							  pat,
12861 							  nl80211_packet_pattern_policy,
12862 							  info->extack);
12863 			if (err)
12864 				goto error;
12865 
12866 			err = -EINVAL;
12867 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
12868 			    !pat_tb[NL80211_PKTPAT_PATTERN])
12869 				goto error;
12870 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
12871 			mask_len = DIV_ROUND_UP(pat_len, 8);
12872 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
12873 				goto error;
12874 			if (pat_len > wowlan->pattern_max_len ||
12875 			    pat_len < wowlan->pattern_min_len)
12876 				goto error;
12877 
12878 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
12879 				pkt_offset = 0;
12880 			else
12881 				pkt_offset = nla_get_u32(
12882 					pat_tb[NL80211_PKTPAT_OFFSET]);
12883 			if (pkt_offset > wowlan->max_pkt_offset)
12884 				goto error;
12885 			new_triggers.patterns[i].pkt_offset = pkt_offset;
12886 
12887 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
12888 			if (!mask_pat) {
12889 				err = -ENOMEM;
12890 				goto error;
12891 			}
12892 			new_triggers.patterns[i].mask = mask_pat;
12893 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
12894 			       mask_len);
12895 			mask_pat += mask_len;
12896 			new_triggers.patterns[i].pattern = mask_pat;
12897 			new_triggers.patterns[i].pattern_len = pat_len;
12898 			memcpy(mask_pat,
12899 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
12900 			       pat_len);
12901 			i++;
12902 		}
12903 	}
12904 
12905 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
12906 		regular = true;
12907 		err = nl80211_parse_wowlan_tcp(
12908 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
12909 			&new_triggers);
12910 		if (err)
12911 			goto error;
12912 	}
12913 
12914 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
12915 		regular = true;
12916 		err = nl80211_parse_wowlan_nd(
12917 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
12918 			&new_triggers);
12919 		if (err)
12920 			goto error;
12921 	}
12922 
12923 	/* The 'any' trigger means the device continues operating more or less
12924 	 * as in its normal operation mode and wakes up the host on most of the
12925 	 * normal interrupts (like packet RX, ...)
12926 	 * It therefore makes little sense to combine with the more constrained
12927 	 * wakeup trigger modes.
12928 	 */
12929 	if (new_triggers.any && regular) {
12930 		err = -EINVAL;
12931 		goto error;
12932 	}
12933 
12934 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
12935 	if (!ntrig) {
12936 		err = -ENOMEM;
12937 		goto error;
12938 	}
12939 	cfg80211_rdev_free_wowlan(rdev);
12940 	rdev->wiphy.wowlan_config = ntrig;
12941 
12942  set_wakeup:
12943 	if (rdev->ops->set_wakeup &&
12944 	    prev_enabled != !!rdev->wiphy.wowlan_config)
12945 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
12946 
12947 	return 0;
12948  error:
12949 	for (i = 0; i < new_triggers.n_patterns; i++)
12950 		kfree(new_triggers.patterns[i].mask);
12951 	kfree(new_triggers.patterns);
12952 	if (new_triggers.tcp && new_triggers.tcp->sock)
12953 		sock_release(new_triggers.tcp->sock);
12954 	kfree(new_triggers.tcp);
12955 	kfree(new_triggers.nd_config);
12956 	return err;
12957 }
12958 #endif
12959 
12960 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
12961 				       struct cfg80211_registered_device *rdev)
12962 {
12963 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
12964 	int i, j, pat_len;
12965 	struct cfg80211_coalesce_rules *rule;
12966 
12967 	if (!rdev->coalesce->n_rules)
12968 		return 0;
12969 
12970 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
12971 	if (!nl_rules)
12972 		return -ENOBUFS;
12973 
12974 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
12975 		nl_rule = nla_nest_start_noflag(msg, i + 1);
12976 		if (!nl_rule)
12977 			return -ENOBUFS;
12978 
12979 		rule = &rdev->coalesce->rules[i];
12980 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
12981 				rule->delay))
12982 			return -ENOBUFS;
12983 
12984 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
12985 				rule->condition))
12986 			return -ENOBUFS;
12987 
12988 		nl_pats = nla_nest_start_noflag(msg,
12989 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
12990 		if (!nl_pats)
12991 			return -ENOBUFS;
12992 
12993 		for (j = 0; j < rule->n_patterns; j++) {
12994 			nl_pat = nla_nest_start_noflag(msg, j + 1);
12995 			if (!nl_pat)
12996 				return -ENOBUFS;
12997 			pat_len = rule->patterns[j].pattern_len;
12998 			if (nla_put(msg, NL80211_PKTPAT_MASK,
12999 				    DIV_ROUND_UP(pat_len, 8),
13000 				    rule->patterns[j].mask) ||
13001 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13002 				    rule->patterns[j].pattern) ||
13003 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13004 					rule->patterns[j].pkt_offset))
13005 				return -ENOBUFS;
13006 			nla_nest_end(msg, nl_pat);
13007 		}
13008 		nla_nest_end(msg, nl_pats);
13009 		nla_nest_end(msg, nl_rule);
13010 	}
13011 	nla_nest_end(msg, nl_rules);
13012 
13013 	return 0;
13014 }
13015 
13016 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
13017 {
13018 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13019 	struct sk_buff *msg;
13020 	void *hdr;
13021 
13022 	if (!rdev->wiphy.coalesce)
13023 		return -EOPNOTSUPP;
13024 
13025 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13026 	if (!msg)
13027 		return -ENOMEM;
13028 
13029 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13030 			     NL80211_CMD_GET_COALESCE);
13031 	if (!hdr)
13032 		goto nla_put_failure;
13033 
13034 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
13035 		goto nla_put_failure;
13036 
13037 	genlmsg_end(msg, hdr);
13038 	return genlmsg_reply(msg, info);
13039 
13040 nla_put_failure:
13041 	nlmsg_free(msg);
13042 	return -ENOBUFS;
13043 }
13044 
13045 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
13046 {
13047 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
13048 	int i, j;
13049 	struct cfg80211_coalesce_rules *rule;
13050 
13051 	if (!coalesce)
13052 		return;
13053 
13054 	for (i = 0; i < coalesce->n_rules; i++) {
13055 		rule = &coalesce->rules[i];
13056 		for (j = 0; j < rule->n_patterns; j++)
13057 			kfree(rule->patterns[j].mask);
13058 		kfree(rule->patterns);
13059 	}
13060 	kfree(coalesce->rules);
13061 	kfree(coalesce);
13062 	rdev->coalesce = NULL;
13063 }
13064 
13065 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
13066 				       struct nlattr *rule,
13067 				       struct cfg80211_coalesce_rules *new_rule)
13068 {
13069 	int err, i;
13070 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13071 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
13072 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
13073 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13074 
13075 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
13076 					  rule, nl80211_coalesce_policy, NULL);
13077 	if (err)
13078 		return err;
13079 
13080 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
13081 		new_rule->delay =
13082 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
13083 	if (new_rule->delay > coalesce->max_delay)
13084 		return -EINVAL;
13085 
13086 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
13087 		new_rule->condition =
13088 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
13089 
13090 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
13091 		return -EINVAL;
13092 
13093 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13094 			    rem)
13095 		n_patterns++;
13096 	if (n_patterns > coalesce->n_patterns)
13097 		return -EINVAL;
13098 
13099 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
13100 				     GFP_KERNEL);
13101 	if (!new_rule->patterns)
13102 		return -ENOMEM;
13103 
13104 	new_rule->n_patterns = n_patterns;
13105 	i = 0;
13106 
13107 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13108 			    rem) {
13109 		u8 *mask_pat;
13110 
13111 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
13112 						  pat,
13113 						  nl80211_packet_pattern_policy,
13114 						  NULL);
13115 		if (err)
13116 			return err;
13117 
13118 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
13119 		    !pat_tb[NL80211_PKTPAT_PATTERN])
13120 			return -EINVAL;
13121 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13122 		mask_len = DIV_ROUND_UP(pat_len, 8);
13123 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13124 			return -EINVAL;
13125 		if (pat_len > coalesce->pattern_max_len ||
13126 		    pat_len < coalesce->pattern_min_len)
13127 			return -EINVAL;
13128 
13129 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
13130 			pkt_offset = 0;
13131 		else
13132 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
13133 		if (pkt_offset > coalesce->max_pkt_offset)
13134 			return -EINVAL;
13135 		new_rule->patterns[i].pkt_offset = pkt_offset;
13136 
13137 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13138 		if (!mask_pat)
13139 			return -ENOMEM;
13140 
13141 		new_rule->patterns[i].mask = mask_pat;
13142 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13143 		       mask_len);
13144 
13145 		mask_pat += mask_len;
13146 		new_rule->patterns[i].pattern = mask_pat;
13147 		new_rule->patterns[i].pattern_len = pat_len;
13148 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13149 		       pat_len);
13150 		i++;
13151 	}
13152 
13153 	return 0;
13154 }
13155 
13156 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
13157 {
13158 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13159 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13160 	struct cfg80211_coalesce new_coalesce = {};
13161 	struct cfg80211_coalesce *n_coalesce;
13162 	int err, rem_rule, n_rules = 0, i, j;
13163 	struct nlattr *rule;
13164 	struct cfg80211_coalesce_rules *tmp_rule;
13165 
13166 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
13167 		return -EOPNOTSUPP;
13168 
13169 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
13170 		cfg80211_rdev_free_coalesce(rdev);
13171 		rdev_set_coalesce(rdev, NULL);
13172 		return 0;
13173 	}
13174 
13175 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13176 			    rem_rule)
13177 		n_rules++;
13178 	if (n_rules > coalesce->n_rules)
13179 		return -EINVAL;
13180 
13181 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
13182 				     GFP_KERNEL);
13183 	if (!new_coalesce.rules)
13184 		return -ENOMEM;
13185 
13186 	new_coalesce.n_rules = n_rules;
13187 	i = 0;
13188 
13189 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13190 			    rem_rule) {
13191 		err = nl80211_parse_coalesce_rule(rdev, rule,
13192 						  &new_coalesce.rules[i]);
13193 		if (err)
13194 			goto error;
13195 
13196 		i++;
13197 	}
13198 
13199 	err = rdev_set_coalesce(rdev, &new_coalesce);
13200 	if (err)
13201 		goto error;
13202 
13203 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
13204 	if (!n_coalesce) {
13205 		err = -ENOMEM;
13206 		goto error;
13207 	}
13208 	cfg80211_rdev_free_coalesce(rdev);
13209 	rdev->coalesce = n_coalesce;
13210 
13211 	return 0;
13212 error:
13213 	for (i = 0; i < new_coalesce.n_rules; i++) {
13214 		tmp_rule = &new_coalesce.rules[i];
13215 		for (j = 0; j < tmp_rule->n_patterns; j++)
13216 			kfree(tmp_rule->patterns[j].mask);
13217 		kfree(tmp_rule->patterns);
13218 	}
13219 	kfree(new_coalesce.rules);
13220 
13221 	return err;
13222 }
13223 
13224 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
13225 {
13226 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13227 	struct net_device *dev = info->user_ptr[1];
13228 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13229 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
13230 	struct cfg80211_gtk_rekey_data rekey_data = {};
13231 	int err;
13232 
13233 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
13234 		return -EINVAL;
13235 
13236 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
13237 					  info->attrs[NL80211_ATTR_REKEY_DATA],
13238 					  nl80211_rekey_policy, info->extack);
13239 	if (err)
13240 		return err;
13241 
13242 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
13243 	    !tb[NL80211_REKEY_DATA_KCK])
13244 		return -EINVAL;
13245 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
13246 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
13247 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
13248 		return -ERANGE;
13249 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
13250 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
13251 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KCK_EXT_LEN))
13252 		return -ERANGE;
13253 
13254 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
13255 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
13256 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
13257 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
13258 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
13259 	if (tb[NL80211_REKEY_DATA_AKM])
13260 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
13261 
13262 	wdev_lock(wdev);
13263 	if (!wdev->current_bss) {
13264 		err = -ENOTCONN;
13265 		goto out;
13266 	}
13267 
13268 	if (!rdev->ops->set_rekey_data) {
13269 		err = -EOPNOTSUPP;
13270 		goto out;
13271 	}
13272 
13273 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
13274  out:
13275 	wdev_unlock(wdev);
13276 	return err;
13277 }
13278 
13279 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
13280 					     struct genl_info *info)
13281 {
13282 	struct net_device *dev = info->user_ptr[1];
13283 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13284 
13285 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13286 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13287 		return -EINVAL;
13288 
13289 	if (wdev->ap_unexpected_nlportid)
13290 		return -EBUSY;
13291 
13292 	wdev->ap_unexpected_nlportid = info->snd_portid;
13293 	return 0;
13294 }
13295 
13296 static int nl80211_probe_client(struct sk_buff *skb,
13297 				struct genl_info *info)
13298 {
13299 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13300 	struct net_device *dev = info->user_ptr[1];
13301 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13302 	struct sk_buff *msg;
13303 	void *hdr;
13304 	const u8 *addr;
13305 	u64 cookie;
13306 	int err;
13307 
13308 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13309 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13310 		return -EOPNOTSUPP;
13311 
13312 	if (!info->attrs[NL80211_ATTR_MAC])
13313 		return -EINVAL;
13314 
13315 	if (!rdev->ops->probe_client)
13316 		return -EOPNOTSUPP;
13317 
13318 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13319 	if (!msg)
13320 		return -ENOMEM;
13321 
13322 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13323 			     NL80211_CMD_PROBE_CLIENT);
13324 	if (!hdr) {
13325 		err = -ENOBUFS;
13326 		goto free_msg;
13327 	}
13328 
13329 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
13330 
13331 	err = rdev_probe_client(rdev, dev, addr, &cookie);
13332 	if (err)
13333 		goto free_msg;
13334 
13335 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13336 			      NL80211_ATTR_PAD))
13337 		goto nla_put_failure;
13338 
13339 	genlmsg_end(msg, hdr);
13340 
13341 	return genlmsg_reply(msg, info);
13342 
13343  nla_put_failure:
13344 	err = -ENOBUFS;
13345  free_msg:
13346 	nlmsg_free(msg);
13347 	return err;
13348 }
13349 
13350 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
13351 {
13352 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13353 	struct cfg80211_beacon_registration *reg, *nreg;
13354 	int rv;
13355 
13356 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
13357 		return -EOPNOTSUPP;
13358 
13359 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
13360 	if (!nreg)
13361 		return -ENOMEM;
13362 
13363 	/* First, check if already registered. */
13364 	spin_lock_bh(&rdev->beacon_registrations_lock);
13365 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
13366 		if (reg->nlportid == info->snd_portid) {
13367 			rv = -EALREADY;
13368 			goto out_err;
13369 		}
13370 	}
13371 	/* Add it to the list */
13372 	nreg->nlportid = info->snd_portid;
13373 	list_add(&nreg->list, &rdev->beacon_registrations);
13374 
13375 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13376 
13377 	return 0;
13378 out_err:
13379 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13380 	kfree(nreg);
13381 	return rv;
13382 }
13383 
13384 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
13385 {
13386 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13387 	struct wireless_dev *wdev = info->user_ptr[1];
13388 	int err;
13389 
13390 	if (!rdev->ops->start_p2p_device)
13391 		return -EOPNOTSUPP;
13392 
13393 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13394 		return -EOPNOTSUPP;
13395 
13396 	if (wdev_running(wdev))
13397 		return 0;
13398 
13399 	if (rfkill_blocked(rdev->wiphy.rfkill))
13400 		return -ERFKILL;
13401 
13402 	err = rdev_start_p2p_device(rdev, wdev);
13403 	if (err)
13404 		return err;
13405 
13406 	wdev->is_running = true;
13407 	rdev->opencount++;
13408 
13409 	return 0;
13410 }
13411 
13412 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
13413 {
13414 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13415 	struct wireless_dev *wdev = info->user_ptr[1];
13416 
13417 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13418 		return -EOPNOTSUPP;
13419 
13420 	if (!rdev->ops->stop_p2p_device)
13421 		return -EOPNOTSUPP;
13422 
13423 	cfg80211_stop_p2p_device(rdev, wdev);
13424 
13425 	return 0;
13426 }
13427 
13428 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
13429 {
13430 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13431 	struct wireless_dev *wdev = info->user_ptr[1];
13432 	struct cfg80211_nan_conf conf = {};
13433 	int err;
13434 
13435 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13436 		return -EOPNOTSUPP;
13437 
13438 	if (wdev_running(wdev))
13439 		return -EEXIST;
13440 
13441 	if (rfkill_blocked(rdev->wiphy.rfkill))
13442 		return -ERFKILL;
13443 
13444 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
13445 		return -EINVAL;
13446 
13447 	conf.master_pref =
13448 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
13449 
13450 	if (info->attrs[NL80211_ATTR_BANDS]) {
13451 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
13452 
13453 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
13454 			return -EOPNOTSUPP;
13455 
13456 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
13457 			return -EINVAL;
13458 
13459 		conf.bands = bands;
13460 	}
13461 
13462 	err = rdev_start_nan(rdev, wdev, &conf);
13463 	if (err)
13464 		return err;
13465 
13466 	wdev->is_running = true;
13467 	rdev->opencount++;
13468 
13469 	return 0;
13470 }
13471 
13472 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
13473 {
13474 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13475 	struct wireless_dev *wdev = info->user_ptr[1];
13476 
13477 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13478 		return -EOPNOTSUPP;
13479 
13480 	cfg80211_stop_nan(rdev, wdev);
13481 
13482 	return 0;
13483 }
13484 
13485 static int validate_nan_filter(struct nlattr *filter_attr)
13486 {
13487 	struct nlattr *attr;
13488 	int len = 0, n_entries = 0, rem;
13489 
13490 	nla_for_each_nested(attr, filter_attr, rem) {
13491 		len += nla_len(attr);
13492 		n_entries++;
13493 	}
13494 
13495 	if (len >= U8_MAX)
13496 		return -EINVAL;
13497 
13498 	return n_entries;
13499 }
13500 
13501 static int handle_nan_filter(struct nlattr *attr_filter,
13502 			     struct cfg80211_nan_func *func,
13503 			     bool tx)
13504 {
13505 	struct nlattr *attr;
13506 	int n_entries, rem, i;
13507 	struct cfg80211_nan_func_filter *filter;
13508 
13509 	n_entries = validate_nan_filter(attr_filter);
13510 	if (n_entries < 0)
13511 		return n_entries;
13512 
13513 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
13514 
13515 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
13516 	if (!filter)
13517 		return -ENOMEM;
13518 
13519 	i = 0;
13520 	nla_for_each_nested(attr, attr_filter, rem) {
13521 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
13522 		if (!filter[i].filter)
13523 			goto err;
13524 
13525 		filter[i].len = nla_len(attr);
13526 		i++;
13527 	}
13528 	if (tx) {
13529 		func->num_tx_filters = n_entries;
13530 		func->tx_filters = filter;
13531 	} else {
13532 		func->num_rx_filters = n_entries;
13533 		func->rx_filters = filter;
13534 	}
13535 
13536 	return 0;
13537 
13538 err:
13539 	i = 0;
13540 	nla_for_each_nested(attr, attr_filter, rem) {
13541 		kfree(filter[i].filter);
13542 		i++;
13543 	}
13544 	kfree(filter);
13545 	return -ENOMEM;
13546 }
13547 
13548 static int nl80211_nan_add_func(struct sk_buff *skb,
13549 				struct genl_info *info)
13550 {
13551 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13552 	struct wireless_dev *wdev = info->user_ptr[1];
13553 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
13554 	struct cfg80211_nan_func *func;
13555 	struct sk_buff *msg = NULL;
13556 	void *hdr = NULL;
13557 	int err = 0;
13558 
13559 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13560 		return -EOPNOTSUPP;
13561 
13562 	if (!wdev_running(wdev))
13563 		return -ENOTCONN;
13564 
13565 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
13566 		return -EINVAL;
13567 
13568 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
13569 					  info->attrs[NL80211_ATTR_NAN_FUNC],
13570 					  nl80211_nan_func_policy,
13571 					  info->extack);
13572 	if (err)
13573 		return err;
13574 
13575 	func = kzalloc(sizeof(*func), GFP_KERNEL);
13576 	if (!func)
13577 		return -ENOMEM;
13578 
13579 	func->cookie = cfg80211_assign_cookie(rdev);
13580 
13581 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
13582 		err = -EINVAL;
13583 		goto out;
13584 	}
13585 
13586 
13587 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
13588 
13589 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
13590 		err = -EINVAL;
13591 		goto out;
13592 	}
13593 
13594 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
13595 	       sizeof(func->service_id));
13596 
13597 	func->close_range =
13598 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
13599 
13600 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
13601 		func->serv_spec_info_len =
13602 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
13603 		func->serv_spec_info =
13604 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
13605 				func->serv_spec_info_len,
13606 				GFP_KERNEL);
13607 		if (!func->serv_spec_info) {
13608 			err = -ENOMEM;
13609 			goto out;
13610 		}
13611 	}
13612 
13613 	if (tb[NL80211_NAN_FUNC_TTL])
13614 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
13615 
13616 	switch (func->type) {
13617 	case NL80211_NAN_FUNC_PUBLISH:
13618 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
13619 			err = -EINVAL;
13620 			goto out;
13621 		}
13622 
13623 		func->publish_type =
13624 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
13625 		func->publish_bcast =
13626 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
13627 
13628 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
13629 			func->publish_bcast) {
13630 			err = -EINVAL;
13631 			goto out;
13632 		}
13633 		break;
13634 	case NL80211_NAN_FUNC_SUBSCRIBE:
13635 		func->subscribe_active =
13636 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
13637 		break;
13638 	case NL80211_NAN_FUNC_FOLLOW_UP:
13639 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
13640 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
13641 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
13642 			err = -EINVAL;
13643 			goto out;
13644 		}
13645 
13646 		func->followup_id =
13647 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
13648 		func->followup_reqid =
13649 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
13650 		memcpy(func->followup_dest.addr,
13651 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
13652 		       sizeof(func->followup_dest.addr));
13653 		if (func->ttl) {
13654 			err = -EINVAL;
13655 			goto out;
13656 		}
13657 		break;
13658 	default:
13659 		err = -EINVAL;
13660 		goto out;
13661 	}
13662 
13663 	if (tb[NL80211_NAN_FUNC_SRF]) {
13664 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
13665 
13666 		err = nla_parse_nested_deprecated(srf_tb,
13667 						  NL80211_NAN_SRF_ATTR_MAX,
13668 						  tb[NL80211_NAN_FUNC_SRF],
13669 						  nl80211_nan_srf_policy,
13670 						  info->extack);
13671 		if (err)
13672 			goto out;
13673 
13674 		func->srf_include =
13675 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
13676 
13677 		if (srf_tb[NL80211_NAN_SRF_BF]) {
13678 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
13679 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
13680 				err = -EINVAL;
13681 				goto out;
13682 			}
13683 
13684 			func->srf_bf_len =
13685 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
13686 			func->srf_bf =
13687 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
13688 					func->srf_bf_len, GFP_KERNEL);
13689 			if (!func->srf_bf) {
13690 				err = -ENOMEM;
13691 				goto out;
13692 			}
13693 
13694 			func->srf_bf_idx =
13695 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
13696 		} else {
13697 			struct nlattr *attr, *mac_attr =
13698 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
13699 			int n_entries, rem, i = 0;
13700 
13701 			if (!mac_attr) {
13702 				err = -EINVAL;
13703 				goto out;
13704 			}
13705 
13706 			n_entries = validate_acl_mac_addrs(mac_attr);
13707 			if (n_entries <= 0) {
13708 				err = -EINVAL;
13709 				goto out;
13710 			}
13711 
13712 			func->srf_num_macs = n_entries;
13713 			func->srf_macs =
13714 				kcalloc(n_entries, sizeof(*func->srf_macs),
13715 					GFP_KERNEL);
13716 			if (!func->srf_macs) {
13717 				err = -ENOMEM;
13718 				goto out;
13719 			}
13720 
13721 			nla_for_each_nested(attr, mac_attr, rem)
13722 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
13723 				       sizeof(*func->srf_macs));
13724 		}
13725 	}
13726 
13727 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
13728 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
13729 					func, true);
13730 		if (err)
13731 			goto out;
13732 	}
13733 
13734 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
13735 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
13736 					func, false);
13737 		if (err)
13738 			goto out;
13739 	}
13740 
13741 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13742 	if (!msg) {
13743 		err = -ENOMEM;
13744 		goto out;
13745 	}
13746 
13747 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13748 			     NL80211_CMD_ADD_NAN_FUNCTION);
13749 	/* This can't really happen - we just allocated 4KB */
13750 	if (WARN_ON(!hdr)) {
13751 		err = -ENOMEM;
13752 		goto out;
13753 	}
13754 
13755 	err = rdev_add_nan_func(rdev, wdev, func);
13756 out:
13757 	if (err < 0) {
13758 		cfg80211_free_nan_func(func);
13759 		nlmsg_free(msg);
13760 		return err;
13761 	}
13762 
13763 	/* propagate the instance id and cookie to userspace  */
13764 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
13765 			      NL80211_ATTR_PAD))
13766 		goto nla_put_failure;
13767 
13768 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
13769 	if (!func_attr)
13770 		goto nla_put_failure;
13771 
13772 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
13773 		       func->instance_id))
13774 		goto nla_put_failure;
13775 
13776 	nla_nest_end(msg, func_attr);
13777 
13778 	genlmsg_end(msg, hdr);
13779 	return genlmsg_reply(msg, info);
13780 
13781 nla_put_failure:
13782 	nlmsg_free(msg);
13783 	return -ENOBUFS;
13784 }
13785 
13786 static int nl80211_nan_del_func(struct sk_buff *skb,
13787 			       struct genl_info *info)
13788 {
13789 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13790 	struct wireless_dev *wdev = info->user_ptr[1];
13791 	u64 cookie;
13792 
13793 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13794 		return -EOPNOTSUPP;
13795 
13796 	if (!wdev_running(wdev))
13797 		return -ENOTCONN;
13798 
13799 	if (!info->attrs[NL80211_ATTR_COOKIE])
13800 		return -EINVAL;
13801 
13802 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
13803 
13804 	rdev_del_nan_func(rdev, wdev, cookie);
13805 
13806 	return 0;
13807 }
13808 
13809 static int nl80211_nan_change_config(struct sk_buff *skb,
13810 				     struct genl_info *info)
13811 {
13812 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13813 	struct wireless_dev *wdev = info->user_ptr[1];
13814 	struct cfg80211_nan_conf conf = {};
13815 	u32 changed = 0;
13816 
13817 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13818 		return -EOPNOTSUPP;
13819 
13820 	if (!wdev_running(wdev))
13821 		return -ENOTCONN;
13822 
13823 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
13824 		conf.master_pref =
13825 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
13826 		if (conf.master_pref <= 1 || conf.master_pref == 255)
13827 			return -EINVAL;
13828 
13829 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
13830 	}
13831 
13832 	if (info->attrs[NL80211_ATTR_BANDS]) {
13833 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
13834 
13835 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
13836 			return -EOPNOTSUPP;
13837 
13838 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
13839 			return -EINVAL;
13840 
13841 		conf.bands = bands;
13842 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
13843 	}
13844 
13845 	if (!changed)
13846 		return -EINVAL;
13847 
13848 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
13849 }
13850 
13851 void cfg80211_nan_match(struct wireless_dev *wdev,
13852 			struct cfg80211_nan_match_params *match, gfp_t gfp)
13853 {
13854 	struct wiphy *wiphy = wdev->wiphy;
13855 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13856 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
13857 	struct sk_buff *msg;
13858 	void *hdr;
13859 
13860 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
13861 		return;
13862 
13863 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13864 	if (!msg)
13865 		return;
13866 
13867 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
13868 	if (!hdr) {
13869 		nlmsg_free(msg);
13870 		return;
13871 	}
13872 
13873 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13874 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13875 					 wdev->netdev->ifindex)) ||
13876 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13877 			      NL80211_ATTR_PAD))
13878 		goto nla_put_failure;
13879 
13880 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
13881 			      NL80211_ATTR_PAD) ||
13882 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
13883 		goto nla_put_failure;
13884 
13885 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
13886 	if (!match_attr)
13887 		goto nla_put_failure;
13888 
13889 	local_func_attr = nla_nest_start_noflag(msg,
13890 						NL80211_NAN_MATCH_FUNC_LOCAL);
13891 	if (!local_func_attr)
13892 		goto nla_put_failure;
13893 
13894 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
13895 		goto nla_put_failure;
13896 
13897 	nla_nest_end(msg, local_func_attr);
13898 
13899 	peer_func_attr = nla_nest_start_noflag(msg,
13900 					       NL80211_NAN_MATCH_FUNC_PEER);
13901 	if (!peer_func_attr)
13902 		goto nla_put_failure;
13903 
13904 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
13905 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
13906 		goto nla_put_failure;
13907 
13908 	if (match->info && match->info_len &&
13909 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
13910 		    match->info))
13911 		goto nla_put_failure;
13912 
13913 	nla_nest_end(msg, peer_func_attr);
13914 	nla_nest_end(msg, match_attr);
13915 	genlmsg_end(msg, hdr);
13916 
13917 	if (!wdev->owner_nlportid)
13918 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13919 					msg, 0, NL80211_MCGRP_NAN, gfp);
13920 	else
13921 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13922 				wdev->owner_nlportid);
13923 
13924 	return;
13925 
13926 nla_put_failure:
13927 	nlmsg_free(msg);
13928 }
13929 EXPORT_SYMBOL(cfg80211_nan_match);
13930 
13931 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
13932 				  u8 inst_id,
13933 				  enum nl80211_nan_func_term_reason reason,
13934 				  u64 cookie, gfp_t gfp)
13935 {
13936 	struct wiphy *wiphy = wdev->wiphy;
13937 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13938 	struct sk_buff *msg;
13939 	struct nlattr *func_attr;
13940 	void *hdr;
13941 
13942 	if (WARN_ON(!inst_id))
13943 		return;
13944 
13945 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13946 	if (!msg)
13947 		return;
13948 
13949 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
13950 	if (!hdr) {
13951 		nlmsg_free(msg);
13952 		return;
13953 	}
13954 
13955 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13956 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13957 					 wdev->netdev->ifindex)) ||
13958 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13959 			      NL80211_ATTR_PAD))
13960 		goto nla_put_failure;
13961 
13962 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13963 			      NL80211_ATTR_PAD))
13964 		goto nla_put_failure;
13965 
13966 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
13967 	if (!func_attr)
13968 		goto nla_put_failure;
13969 
13970 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
13971 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
13972 		goto nla_put_failure;
13973 
13974 	nla_nest_end(msg, func_attr);
13975 	genlmsg_end(msg, hdr);
13976 
13977 	if (!wdev->owner_nlportid)
13978 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13979 					msg, 0, NL80211_MCGRP_NAN, gfp);
13980 	else
13981 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13982 				wdev->owner_nlportid);
13983 
13984 	return;
13985 
13986 nla_put_failure:
13987 	nlmsg_free(msg);
13988 }
13989 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
13990 
13991 static int nl80211_get_protocol_features(struct sk_buff *skb,
13992 					 struct genl_info *info)
13993 {
13994 	void *hdr;
13995 	struct sk_buff *msg;
13996 
13997 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13998 	if (!msg)
13999 		return -ENOMEM;
14000 
14001 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14002 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
14003 	if (!hdr)
14004 		goto nla_put_failure;
14005 
14006 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
14007 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
14008 		goto nla_put_failure;
14009 
14010 	genlmsg_end(msg, hdr);
14011 	return genlmsg_reply(msg, info);
14012 
14013  nla_put_failure:
14014 	kfree_skb(msg);
14015 	return -ENOBUFS;
14016 }
14017 
14018 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
14019 {
14020 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14021 	struct cfg80211_update_ft_ies_params ft_params;
14022 	struct net_device *dev = info->user_ptr[1];
14023 
14024 	if (!rdev->ops->update_ft_ies)
14025 		return -EOPNOTSUPP;
14026 
14027 	if (!info->attrs[NL80211_ATTR_MDID] ||
14028 	    !info->attrs[NL80211_ATTR_IE])
14029 		return -EINVAL;
14030 
14031 	memset(&ft_params, 0, sizeof(ft_params));
14032 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
14033 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14034 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14035 
14036 	return rdev_update_ft_ies(rdev, dev, &ft_params);
14037 }
14038 
14039 static int nl80211_crit_protocol_start(struct sk_buff *skb,
14040 				       struct genl_info *info)
14041 {
14042 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14043 	struct wireless_dev *wdev = info->user_ptr[1];
14044 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
14045 	u16 duration;
14046 	int ret;
14047 
14048 	if (!rdev->ops->crit_proto_start)
14049 		return -EOPNOTSUPP;
14050 
14051 	if (WARN_ON(!rdev->ops->crit_proto_stop))
14052 		return -EINVAL;
14053 
14054 	if (rdev->crit_proto_nlportid)
14055 		return -EBUSY;
14056 
14057 	/* determine protocol if provided */
14058 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
14059 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
14060 
14061 	if (proto >= NUM_NL80211_CRIT_PROTO)
14062 		return -EINVAL;
14063 
14064 	/* timeout must be provided */
14065 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
14066 		return -EINVAL;
14067 
14068 	duration =
14069 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
14070 
14071 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
14072 	if (!ret)
14073 		rdev->crit_proto_nlportid = info->snd_portid;
14074 
14075 	return ret;
14076 }
14077 
14078 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
14079 				      struct genl_info *info)
14080 {
14081 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14082 	struct wireless_dev *wdev = info->user_ptr[1];
14083 
14084 	if (!rdev->ops->crit_proto_stop)
14085 		return -EOPNOTSUPP;
14086 
14087 	if (rdev->crit_proto_nlportid) {
14088 		rdev->crit_proto_nlportid = 0;
14089 		rdev_crit_proto_stop(rdev, wdev);
14090 	}
14091 	return 0;
14092 }
14093 
14094 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
14095 				       struct nlattr *attr,
14096 				       struct netlink_ext_ack *extack)
14097 {
14098 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
14099 		if (attr->nla_type & NLA_F_NESTED) {
14100 			NL_SET_ERR_MSG_ATTR(extack, attr,
14101 					    "unexpected nested data");
14102 			return -EINVAL;
14103 		}
14104 
14105 		return 0;
14106 	}
14107 
14108 	if (!(attr->nla_type & NLA_F_NESTED)) {
14109 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
14110 		return -EINVAL;
14111 	}
14112 
14113 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
14114 }
14115 
14116 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
14117 {
14118 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14119 	struct wireless_dev *wdev =
14120 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
14121 					   info->attrs);
14122 	int i, err;
14123 	u32 vid, subcmd;
14124 
14125 	if (!rdev->wiphy.vendor_commands)
14126 		return -EOPNOTSUPP;
14127 
14128 	if (IS_ERR(wdev)) {
14129 		err = PTR_ERR(wdev);
14130 		if (err != -EINVAL)
14131 			return err;
14132 		wdev = NULL;
14133 	} else if (wdev->wiphy != &rdev->wiphy) {
14134 		return -EINVAL;
14135 	}
14136 
14137 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
14138 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
14139 		return -EINVAL;
14140 
14141 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
14142 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
14143 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
14144 		const struct wiphy_vendor_command *vcmd;
14145 		void *data = NULL;
14146 		int len = 0;
14147 
14148 		vcmd = &rdev->wiphy.vendor_commands[i];
14149 
14150 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14151 			continue;
14152 
14153 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14154 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14155 			if (!wdev)
14156 				return -EINVAL;
14157 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
14158 			    !wdev->netdev)
14159 				return -EINVAL;
14160 
14161 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
14162 				if (!wdev_running(wdev))
14163 					return -ENETDOWN;
14164 			}
14165 		} else {
14166 			wdev = NULL;
14167 		}
14168 
14169 		if (!vcmd->doit)
14170 			return -EOPNOTSUPP;
14171 
14172 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
14173 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14174 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14175 
14176 			err = nl80211_vendor_check_policy(vcmd,
14177 					info->attrs[NL80211_ATTR_VENDOR_DATA],
14178 					info->extack);
14179 			if (err)
14180 				return err;
14181 		}
14182 
14183 		rdev->cur_cmd_info = info;
14184 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
14185 		rdev->cur_cmd_info = NULL;
14186 		return err;
14187 	}
14188 
14189 	return -EOPNOTSUPP;
14190 }
14191 
14192 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
14193 				       struct netlink_callback *cb,
14194 				       struct cfg80211_registered_device **rdev,
14195 				       struct wireless_dev **wdev)
14196 {
14197 	struct nlattr **attrbuf;
14198 	u32 vid, subcmd;
14199 	unsigned int i;
14200 	int vcmd_idx = -1;
14201 	int err;
14202 	void *data = NULL;
14203 	unsigned int data_len = 0;
14204 
14205 	if (cb->args[0]) {
14206 		/* subtract the 1 again here */
14207 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
14208 		struct wireless_dev *tmp;
14209 
14210 		if (!wiphy)
14211 			return -ENODEV;
14212 		*rdev = wiphy_to_rdev(wiphy);
14213 		*wdev = NULL;
14214 
14215 		if (cb->args[1]) {
14216 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
14217 				if (tmp->identifier == cb->args[1] - 1) {
14218 					*wdev = tmp;
14219 					break;
14220 				}
14221 			}
14222 		}
14223 
14224 		/* keep rtnl locked in successful case */
14225 		return 0;
14226 	}
14227 
14228 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
14229 	if (!attrbuf)
14230 		return -ENOMEM;
14231 
14232 	err = nlmsg_parse_deprecated(cb->nlh,
14233 				     GENL_HDRLEN + nl80211_fam.hdrsize,
14234 				     attrbuf, nl80211_fam.maxattr,
14235 				     nl80211_policy, NULL);
14236 	if (err)
14237 		goto out;
14238 
14239 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
14240 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
14241 		err = -EINVAL;
14242 		goto out;
14243 	}
14244 
14245 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
14246 	if (IS_ERR(*wdev))
14247 		*wdev = NULL;
14248 
14249 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
14250 	if (IS_ERR(*rdev)) {
14251 		err = PTR_ERR(*rdev);
14252 		goto out;
14253 	}
14254 
14255 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
14256 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
14257 
14258 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
14259 		const struct wiphy_vendor_command *vcmd;
14260 
14261 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
14262 
14263 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14264 			continue;
14265 
14266 		if (!vcmd->dumpit) {
14267 			err = -EOPNOTSUPP;
14268 			goto out;
14269 		}
14270 
14271 		vcmd_idx = i;
14272 		break;
14273 	}
14274 
14275 	if (vcmd_idx < 0) {
14276 		err = -EOPNOTSUPP;
14277 		goto out;
14278 	}
14279 
14280 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
14281 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
14282 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
14283 
14284 		err = nl80211_vendor_check_policy(
14285 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
14286 				attrbuf[NL80211_ATTR_VENDOR_DATA],
14287 				cb->extack);
14288 		if (err)
14289 			goto out;
14290 	}
14291 
14292 	/* 0 is the first index - add 1 to parse only once */
14293 	cb->args[0] = (*rdev)->wiphy_idx + 1;
14294 	/* add 1 to know if it was NULL */
14295 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
14296 	cb->args[2] = vcmd_idx;
14297 	cb->args[3] = (unsigned long)data;
14298 	cb->args[4] = data_len;
14299 
14300 	/* keep rtnl locked in successful case */
14301 	err = 0;
14302 out:
14303 	kfree(attrbuf);
14304 	return err;
14305 }
14306 
14307 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
14308 				   struct netlink_callback *cb)
14309 {
14310 	struct cfg80211_registered_device *rdev;
14311 	struct wireless_dev *wdev;
14312 	unsigned int vcmd_idx;
14313 	const struct wiphy_vendor_command *vcmd;
14314 	void *data;
14315 	int data_len;
14316 	int err;
14317 	struct nlattr *vendor_data;
14318 
14319 	rtnl_lock();
14320 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
14321 	if (err)
14322 		goto out;
14323 
14324 	vcmd_idx = cb->args[2];
14325 	data = (void *)cb->args[3];
14326 	data_len = cb->args[4];
14327 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
14328 
14329 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14330 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14331 		if (!wdev) {
14332 			err = -EINVAL;
14333 			goto out;
14334 		}
14335 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
14336 		    !wdev->netdev) {
14337 			err = -EINVAL;
14338 			goto out;
14339 		}
14340 
14341 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
14342 			if (!wdev_running(wdev)) {
14343 				err = -ENETDOWN;
14344 				goto out;
14345 			}
14346 		}
14347 	}
14348 
14349 	while (1) {
14350 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
14351 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
14352 					   NL80211_CMD_VENDOR);
14353 		if (!hdr)
14354 			break;
14355 
14356 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14357 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
14358 					       wdev_id(wdev),
14359 					       NL80211_ATTR_PAD))) {
14360 			genlmsg_cancel(skb, hdr);
14361 			break;
14362 		}
14363 
14364 		vendor_data = nla_nest_start_noflag(skb,
14365 						    NL80211_ATTR_VENDOR_DATA);
14366 		if (!vendor_data) {
14367 			genlmsg_cancel(skb, hdr);
14368 			break;
14369 		}
14370 
14371 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
14372 				   (unsigned long *)&cb->args[5]);
14373 		nla_nest_end(skb, vendor_data);
14374 
14375 		if (err == -ENOBUFS || err == -ENOENT) {
14376 			genlmsg_cancel(skb, hdr);
14377 			break;
14378 		} else if (err <= 0) {
14379 			genlmsg_cancel(skb, hdr);
14380 			goto out;
14381 		}
14382 
14383 		genlmsg_end(skb, hdr);
14384 	}
14385 
14386 	err = skb->len;
14387  out:
14388 	rtnl_unlock();
14389 	return err;
14390 }
14391 
14392 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
14393 					   enum nl80211_commands cmd,
14394 					   enum nl80211_attrs attr,
14395 					   int approxlen)
14396 {
14397 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14398 
14399 	if (WARN_ON(!rdev->cur_cmd_info))
14400 		return NULL;
14401 
14402 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
14403 					   rdev->cur_cmd_info->snd_portid,
14404 					   rdev->cur_cmd_info->snd_seq,
14405 					   cmd, attr, NULL, GFP_KERNEL);
14406 }
14407 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
14408 
14409 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
14410 {
14411 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
14412 	void *hdr = ((void **)skb->cb)[1];
14413 	struct nlattr *data = ((void **)skb->cb)[2];
14414 
14415 	/* clear CB data for netlink core to own from now on */
14416 	memset(skb->cb, 0, sizeof(skb->cb));
14417 
14418 	if (WARN_ON(!rdev->cur_cmd_info)) {
14419 		kfree_skb(skb);
14420 		return -EINVAL;
14421 	}
14422 
14423 	nla_nest_end(skb, data);
14424 	genlmsg_end(skb, hdr);
14425 	return genlmsg_reply(skb, rdev->cur_cmd_info);
14426 }
14427 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
14428 
14429 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
14430 {
14431 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14432 
14433 	if (WARN_ON(!rdev->cur_cmd_info))
14434 		return 0;
14435 
14436 	return rdev->cur_cmd_info->snd_portid;
14437 }
14438 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
14439 
14440 static int nl80211_set_qos_map(struct sk_buff *skb,
14441 			       struct genl_info *info)
14442 {
14443 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14444 	struct cfg80211_qos_map *qos_map = NULL;
14445 	struct net_device *dev = info->user_ptr[1];
14446 	u8 *pos, len, num_des, des_len, des;
14447 	int ret;
14448 
14449 	if (!rdev->ops->set_qos_map)
14450 		return -EOPNOTSUPP;
14451 
14452 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
14453 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
14454 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
14455 
14456 		if (len % 2)
14457 			return -EINVAL;
14458 
14459 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
14460 		if (!qos_map)
14461 			return -ENOMEM;
14462 
14463 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
14464 		if (num_des) {
14465 			des_len = num_des *
14466 				sizeof(struct cfg80211_dscp_exception);
14467 			memcpy(qos_map->dscp_exception, pos, des_len);
14468 			qos_map->num_des = num_des;
14469 			for (des = 0; des < num_des; des++) {
14470 				if (qos_map->dscp_exception[des].up > 7) {
14471 					kfree(qos_map);
14472 					return -EINVAL;
14473 				}
14474 			}
14475 			pos += des_len;
14476 		}
14477 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
14478 	}
14479 
14480 	wdev_lock(dev->ieee80211_ptr);
14481 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
14482 	if (!ret)
14483 		ret = rdev_set_qos_map(rdev, dev, qos_map);
14484 	wdev_unlock(dev->ieee80211_ptr);
14485 
14486 	kfree(qos_map);
14487 	return ret;
14488 }
14489 
14490 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
14491 {
14492 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14493 	struct net_device *dev = info->user_ptr[1];
14494 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14495 	const u8 *peer;
14496 	u8 tsid, up;
14497 	u16 admitted_time = 0;
14498 	int err;
14499 
14500 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
14501 		return -EOPNOTSUPP;
14502 
14503 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
14504 	    !info->attrs[NL80211_ATTR_USER_PRIO])
14505 		return -EINVAL;
14506 
14507 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
14508 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
14509 
14510 	/* WMM uses TIDs 0-7 even for TSPEC */
14511 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
14512 		/* TODO: handle 802.11 TSPEC/admission control
14513 		 * need more attributes for that (e.g. BA session requirement);
14514 		 * change the WMM adminssion test above to allow both then
14515 		 */
14516 		return -EINVAL;
14517 	}
14518 
14519 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14520 
14521 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
14522 		admitted_time =
14523 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
14524 		if (!admitted_time)
14525 			return -EINVAL;
14526 	}
14527 
14528 	wdev_lock(wdev);
14529 	switch (wdev->iftype) {
14530 	case NL80211_IFTYPE_STATION:
14531 	case NL80211_IFTYPE_P2P_CLIENT:
14532 		if (wdev->current_bss)
14533 			break;
14534 		err = -ENOTCONN;
14535 		goto out;
14536 	default:
14537 		err = -EOPNOTSUPP;
14538 		goto out;
14539 	}
14540 
14541 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
14542 
14543  out:
14544 	wdev_unlock(wdev);
14545 	return err;
14546 }
14547 
14548 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
14549 {
14550 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14551 	struct net_device *dev = info->user_ptr[1];
14552 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14553 	const u8 *peer;
14554 	u8 tsid;
14555 	int err;
14556 
14557 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
14558 		return -EINVAL;
14559 
14560 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
14561 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14562 
14563 	wdev_lock(wdev);
14564 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
14565 	wdev_unlock(wdev);
14566 
14567 	return err;
14568 }
14569 
14570 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
14571 				       struct genl_info *info)
14572 {
14573 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14574 	struct net_device *dev = info->user_ptr[1];
14575 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14576 	struct cfg80211_chan_def chandef = {};
14577 	const u8 *addr;
14578 	u8 oper_class;
14579 	int err;
14580 
14581 	if (!rdev->ops->tdls_channel_switch ||
14582 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
14583 		return -EOPNOTSUPP;
14584 
14585 	switch (dev->ieee80211_ptr->iftype) {
14586 	case NL80211_IFTYPE_STATION:
14587 	case NL80211_IFTYPE_P2P_CLIENT:
14588 		break;
14589 	default:
14590 		return -EOPNOTSUPP;
14591 	}
14592 
14593 	if (!info->attrs[NL80211_ATTR_MAC] ||
14594 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
14595 		return -EINVAL;
14596 
14597 	err = nl80211_parse_chandef(rdev, info, &chandef);
14598 	if (err)
14599 		return err;
14600 
14601 	/*
14602 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
14603 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
14604 	 * specification is not defined for them.
14605 	 */
14606 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
14607 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
14608 	    chandef.width != NL80211_CHAN_WIDTH_20)
14609 		return -EINVAL;
14610 
14611 	/* we will be active on the TDLS link */
14612 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
14613 					   wdev->iftype))
14614 		return -EINVAL;
14615 
14616 	/* don't allow switching to DFS channels */
14617 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
14618 		return -EINVAL;
14619 
14620 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14621 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
14622 
14623 	wdev_lock(wdev);
14624 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
14625 	wdev_unlock(wdev);
14626 
14627 	return err;
14628 }
14629 
14630 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
14631 					      struct genl_info *info)
14632 {
14633 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14634 	struct net_device *dev = info->user_ptr[1];
14635 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14636 	const u8 *addr;
14637 
14638 	if (!rdev->ops->tdls_channel_switch ||
14639 	    !rdev->ops->tdls_cancel_channel_switch ||
14640 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
14641 		return -EOPNOTSUPP;
14642 
14643 	switch (dev->ieee80211_ptr->iftype) {
14644 	case NL80211_IFTYPE_STATION:
14645 	case NL80211_IFTYPE_P2P_CLIENT:
14646 		break;
14647 	default:
14648 		return -EOPNOTSUPP;
14649 	}
14650 
14651 	if (!info->attrs[NL80211_ATTR_MAC])
14652 		return -EINVAL;
14653 
14654 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14655 
14656 	wdev_lock(wdev);
14657 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
14658 	wdev_unlock(wdev);
14659 
14660 	return 0;
14661 }
14662 
14663 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
14664 					    struct genl_info *info)
14665 {
14666 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14667 	struct net_device *dev = info->user_ptr[1];
14668 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14669 	const struct nlattr *nla;
14670 	bool enabled;
14671 
14672 	if (!rdev->ops->set_multicast_to_unicast)
14673 		return -EOPNOTSUPP;
14674 
14675 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14676 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14677 		return -EOPNOTSUPP;
14678 
14679 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
14680 	enabled = nla_get_flag(nla);
14681 
14682 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
14683 }
14684 
14685 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
14686 {
14687 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14688 	struct net_device *dev = info->user_ptr[1];
14689 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14690 	struct cfg80211_pmk_conf pmk_conf = {};
14691 	int ret;
14692 
14693 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14694 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14695 		return -EOPNOTSUPP;
14696 
14697 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14698 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
14699 		return -EOPNOTSUPP;
14700 
14701 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
14702 		return -EINVAL;
14703 
14704 	wdev_lock(wdev);
14705 	if (!wdev->current_bss) {
14706 		ret = -ENOTCONN;
14707 		goto out;
14708 	}
14709 
14710 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
14711 	if (memcmp(pmk_conf.aa, wdev->current_bss->pub.bssid, ETH_ALEN)) {
14712 		ret = -EINVAL;
14713 		goto out;
14714 	}
14715 
14716 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
14717 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
14718 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
14719 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
14720 		ret = -EINVAL;
14721 		goto out;
14722 	}
14723 
14724 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
14725 		pmk_conf.pmk_r0_name =
14726 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
14727 
14728 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
14729 out:
14730 	wdev_unlock(wdev);
14731 	return ret;
14732 }
14733 
14734 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
14735 {
14736 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14737 	struct net_device *dev = info->user_ptr[1];
14738 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14739 	const u8 *aa;
14740 	int ret;
14741 
14742 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14743 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14744 		return -EOPNOTSUPP;
14745 
14746 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14747 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
14748 		return -EOPNOTSUPP;
14749 
14750 	if (!info->attrs[NL80211_ATTR_MAC])
14751 		return -EINVAL;
14752 
14753 	wdev_lock(wdev);
14754 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
14755 	ret = rdev_del_pmk(rdev, dev, aa);
14756 	wdev_unlock(wdev);
14757 
14758 	return ret;
14759 }
14760 
14761 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
14762 {
14763 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14764 	struct net_device *dev = info->user_ptr[1];
14765 	struct cfg80211_external_auth_params params;
14766 
14767 	if (!rdev->ops->external_auth)
14768 		return -EOPNOTSUPP;
14769 
14770 	if (!info->attrs[NL80211_ATTR_SSID] &&
14771 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
14772 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
14773 		return -EINVAL;
14774 
14775 	if (!info->attrs[NL80211_ATTR_BSSID])
14776 		return -EINVAL;
14777 
14778 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
14779 		return -EINVAL;
14780 
14781 	memset(&params, 0, sizeof(params));
14782 
14783 	if (info->attrs[NL80211_ATTR_SSID]) {
14784 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
14785 		if (params.ssid.ssid_len == 0)
14786 			return -EINVAL;
14787 		memcpy(params.ssid.ssid,
14788 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
14789 		       params.ssid.ssid_len);
14790 	}
14791 
14792 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
14793 	       ETH_ALEN);
14794 
14795 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14796 
14797 	if (info->attrs[NL80211_ATTR_PMKID])
14798 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
14799 
14800 	return rdev_external_auth(rdev, dev, &params);
14801 }
14802 
14803 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
14804 {
14805 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
14806 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14807 	struct net_device *dev = info->user_ptr[1];
14808 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14809 	const u8 *buf;
14810 	size_t len;
14811 	u8 *dest;
14812 	u16 proto;
14813 	bool noencrypt;
14814 	u64 cookie = 0;
14815 	int err;
14816 
14817 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14818 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
14819 		return -EOPNOTSUPP;
14820 
14821 	if (!rdev->ops->tx_control_port)
14822 		return -EOPNOTSUPP;
14823 
14824 	if (!info->attrs[NL80211_ATTR_FRAME] ||
14825 	    !info->attrs[NL80211_ATTR_MAC] ||
14826 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
14827 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
14828 		return -EINVAL;
14829 	}
14830 
14831 	wdev_lock(wdev);
14832 
14833 	switch (wdev->iftype) {
14834 	case NL80211_IFTYPE_AP:
14835 	case NL80211_IFTYPE_P2P_GO:
14836 	case NL80211_IFTYPE_MESH_POINT:
14837 		break;
14838 	case NL80211_IFTYPE_ADHOC:
14839 	case NL80211_IFTYPE_STATION:
14840 	case NL80211_IFTYPE_P2P_CLIENT:
14841 		if (wdev->current_bss)
14842 			break;
14843 		err = -ENOTCONN;
14844 		goto out;
14845 	default:
14846 		err = -EOPNOTSUPP;
14847 		goto out;
14848 	}
14849 
14850 	wdev_unlock(wdev);
14851 
14852 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14853 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14854 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14855 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
14856 	noencrypt =
14857 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
14858 
14859 	err = rdev_tx_control_port(rdev, dev, buf, len,
14860 				   dest, cpu_to_be16(proto), noencrypt,
14861 				   dont_wait_for_ack ? NULL : &cookie);
14862 	if (!err && !dont_wait_for_ack)
14863 		nl_set_extack_cookie_u64(info->extack, cookie);
14864 	return err;
14865  out:
14866 	wdev_unlock(wdev);
14867 	return err;
14868 }
14869 
14870 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
14871 					   struct genl_info *info)
14872 {
14873 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14874 	struct net_device *dev = info->user_ptr[1];
14875 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14876 	struct cfg80211_ftm_responder_stats ftm_stats = {};
14877 	struct sk_buff *msg;
14878 	void *hdr;
14879 	struct nlattr *ftm_stats_attr;
14880 	int err;
14881 
14882 	if (wdev->iftype != NL80211_IFTYPE_AP || !wdev->beacon_interval)
14883 		return -EOPNOTSUPP;
14884 
14885 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
14886 	if (err)
14887 		return err;
14888 
14889 	if (!ftm_stats.filled)
14890 		return -ENODATA;
14891 
14892 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14893 	if (!msg)
14894 		return -ENOMEM;
14895 
14896 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14897 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
14898 	if (!hdr)
14899 		goto nla_put_failure;
14900 
14901 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
14902 		goto nla_put_failure;
14903 
14904 	ftm_stats_attr = nla_nest_start_noflag(msg,
14905 					       NL80211_ATTR_FTM_RESPONDER_STATS);
14906 	if (!ftm_stats_attr)
14907 		goto nla_put_failure;
14908 
14909 #define SET_FTM(field, name, type)					 \
14910 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14911 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
14912 			     ftm_stats.field))				 \
14913 		goto nla_put_failure; } while (0)
14914 #define SET_FTM_U64(field, name)					 \
14915 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14916 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
14917 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
14918 		goto nla_put_failure; } while (0)
14919 
14920 	SET_FTM(success_num, SUCCESS_NUM, u32);
14921 	SET_FTM(partial_num, PARTIAL_NUM, u32);
14922 	SET_FTM(failed_num, FAILED_NUM, u32);
14923 	SET_FTM(asap_num, ASAP_NUM, u32);
14924 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
14925 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
14926 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
14927 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
14928 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
14929 #undef SET_FTM
14930 
14931 	nla_nest_end(msg, ftm_stats_attr);
14932 
14933 	genlmsg_end(msg, hdr);
14934 	return genlmsg_reply(msg, info);
14935 
14936 nla_put_failure:
14937 	nlmsg_free(msg);
14938 	return -ENOBUFS;
14939 }
14940 
14941 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
14942 {
14943 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14944 	struct cfg80211_update_owe_info owe_info;
14945 	struct net_device *dev = info->user_ptr[1];
14946 
14947 	if (!rdev->ops->update_owe_info)
14948 		return -EOPNOTSUPP;
14949 
14950 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
14951 	    !info->attrs[NL80211_ATTR_MAC])
14952 		return -EINVAL;
14953 
14954 	memset(&owe_info, 0, sizeof(owe_info));
14955 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14956 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
14957 
14958 	if (info->attrs[NL80211_ATTR_IE]) {
14959 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14960 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14961 	}
14962 
14963 	return rdev_update_owe_info(rdev, dev, &owe_info);
14964 }
14965 
14966 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
14967 {
14968 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14969 	struct net_device *dev = info->user_ptr[1];
14970 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14971 	struct station_info sinfo = {};
14972 	const u8 *buf;
14973 	size_t len;
14974 	u8 *dest;
14975 	int err;
14976 
14977 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
14978 		return -EOPNOTSUPP;
14979 
14980 	if (!info->attrs[NL80211_ATTR_MAC] ||
14981 	    !info->attrs[NL80211_ATTR_FRAME]) {
14982 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
14983 		return -EINVAL;
14984 	}
14985 
14986 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
14987 		return -EOPNOTSUPP;
14988 
14989 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14990 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14991 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14992 
14993 	if (len < sizeof(struct ethhdr))
14994 		return -EINVAL;
14995 
14996 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
14997 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
14998 		return -EINVAL;
14999 
15000 	err = rdev_get_station(rdev, dev, dest, &sinfo);
15001 	if (err)
15002 		return err;
15003 
15004 	cfg80211_sinfo_release_content(&sinfo);
15005 
15006 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
15007 }
15008 
15009 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
15010 			  struct nlattr *attrs[], struct net_device *dev,
15011 			  struct cfg80211_tid_cfg *tid_conf,
15012 			  struct genl_info *info, const u8 *peer)
15013 {
15014 	struct netlink_ext_ack *extack = info->extack;
15015 	u64 mask;
15016 	int err;
15017 
15018 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
15019 		return -EINVAL;
15020 
15021 	tid_conf->config_override =
15022 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
15023 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
15024 
15025 	if (tid_conf->config_override) {
15026 		if (rdev->ops->reset_tid_config) {
15027 			err = rdev_reset_tid_config(rdev, dev, peer,
15028 						    tid_conf->tids);
15029 			if (err)
15030 				return err;
15031 		} else {
15032 			return -EINVAL;
15033 		}
15034 	}
15035 
15036 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
15037 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
15038 		tid_conf->noack =
15039 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
15040 	}
15041 
15042 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
15043 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
15044 		tid_conf->retry_short =
15045 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
15046 
15047 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
15048 			return -EINVAL;
15049 	}
15050 
15051 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
15052 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
15053 		tid_conf->retry_long =
15054 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
15055 
15056 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
15057 			return -EINVAL;
15058 	}
15059 
15060 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
15061 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
15062 		tid_conf->ampdu =
15063 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
15064 	}
15065 
15066 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
15067 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
15068 		tid_conf->rtscts =
15069 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
15070 	}
15071 
15072 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
15073 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
15074 		tid_conf->amsdu =
15075 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
15076 	}
15077 
15078 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
15079 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
15080 
15081 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
15082 
15083 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
15084 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
15085 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
15086 						    &tid_conf->txrate_mask, dev,
15087 						    true);
15088 			if (err)
15089 				return err;
15090 
15091 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
15092 		}
15093 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
15094 	}
15095 
15096 	if (peer)
15097 		mask = rdev->wiphy.tid_config_support.peer;
15098 	else
15099 		mask = rdev->wiphy.tid_config_support.vif;
15100 
15101 	if (tid_conf->mask & ~mask) {
15102 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
15103 		return -ENOTSUPP;
15104 	}
15105 
15106 	return 0;
15107 }
15108 
15109 static int nl80211_set_tid_config(struct sk_buff *skb,
15110 				  struct genl_info *info)
15111 {
15112 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15113 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
15114 	struct net_device *dev = info->user_ptr[1];
15115 	struct cfg80211_tid_config *tid_config;
15116 	struct nlattr *tid;
15117 	int conf_idx = 0, rem_conf;
15118 	int ret = -EINVAL;
15119 	u32 num_conf = 0;
15120 
15121 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
15122 		return -EINVAL;
15123 
15124 	if (!rdev->ops->set_tid_config)
15125 		return -EOPNOTSUPP;
15126 
15127 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15128 			    rem_conf)
15129 		num_conf++;
15130 
15131 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
15132 			     GFP_KERNEL);
15133 	if (!tid_config)
15134 		return -ENOMEM;
15135 
15136 	tid_config->n_tid_conf = num_conf;
15137 
15138 	if (info->attrs[NL80211_ATTR_MAC])
15139 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15140 
15141 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15142 			    rem_conf) {
15143 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
15144 				       tid, NULL, NULL);
15145 
15146 		if (ret)
15147 			goto bad_tid_conf;
15148 
15149 		ret = parse_tid_conf(rdev, attrs, dev,
15150 				     &tid_config->tid_conf[conf_idx],
15151 				     info, tid_config->peer);
15152 		if (ret)
15153 			goto bad_tid_conf;
15154 
15155 		conf_idx++;
15156 	}
15157 
15158 	ret = rdev_set_tid_config(rdev, dev, tid_config);
15159 
15160 bad_tid_conf:
15161 	kfree(tid_config);
15162 	return ret;
15163 }
15164 
15165 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
15166 {
15167 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15168 	struct cfg80211_color_change_settings params = {};
15169 	struct net_device *dev = info->user_ptr[1];
15170 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15171 	struct nlattr **tb;
15172 	u16 offset;
15173 	int err;
15174 
15175 	if (!rdev->ops->color_change)
15176 		return -EOPNOTSUPP;
15177 
15178 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15179 				     NL80211_EXT_FEATURE_BSS_COLOR))
15180 		return -EOPNOTSUPP;
15181 
15182 	if (wdev->iftype != NL80211_IFTYPE_AP)
15183 		return -EOPNOTSUPP;
15184 
15185 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
15186 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
15187 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
15188 		return -EINVAL;
15189 
15190 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
15191 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
15192 
15193 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next);
15194 	if (err)
15195 		return err;
15196 
15197 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
15198 	if (!tb)
15199 		return -ENOMEM;
15200 
15201 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
15202 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
15203 			       nl80211_policy, info->extack);
15204 	if (err)
15205 		goto out;
15206 
15207 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change);
15208 	if (err)
15209 		goto out;
15210 
15211 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
15212 		err = -EINVAL;
15213 		goto out;
15214 	}
15215 
15216 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
15217 		err = -EINVAL;
15218 		goto out;
15219 	}
15220 
15221 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
15222 	if (offset >= params.beacon_color_change.tail_len) {
15223 		err = -EINVAL;
15224 		goto out;
15225 	}
15226 
15227 	if (params.beacon_color_change.tail[offset] != params.count) {
15228 		err = -EINVAL;
15229 		goto out;
15230 	}
15231 
15232 	params.counter_offset_beacon = offset;
15233 
15234 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
15235 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
15236 		    sizeof(u16)) {
15237 			err = -EINVAL;
15238 			goto out;
15239 		}
15240 
15241 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
15242 		if (offset >= params.beacon_color_change.probe_resp_len) {
15243 			err = -EINVAL;
15244 			goto out;
15245 		}
15246 
15247 		if (params.beacon_color_change.probe_resp[offset] !=
15248 		    params.count) {
15249 			err = -EINVAL;
15250 			goto out;
15251 		}
15252 
15253 		params.counter_offset_presp = offset;
15254 	}
15255 
15256 	wdev_lock(wdev);
15257 	err = rdev_color_change(rdev, dev, &params);
15258 	wdev_unlock(wdev);
15259 
15260 out:
15261 	kfree(params.beacon_next.mbssid_ies);
15262 	kfree(params.beacon_color_change.mbssid_ies);
15263 	kfree(tb);
15264 	return err;
15265 }
15266 
15267 static int nl80211_set_fils_aad(struct sk_buff *skb,
15268 				struct genl_info *info)
15269 {
15270 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15271 	struct net_device *dev = info->user_ptr[1];
15272 	struct cfg80211_fils_aad fils_aad = {};
15273 	u8 *nonces;
15274 
15275 	if (!info->attrs[NL80211_ATTR_MAC] ||
15276 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
15277 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
15278 		return -EINVAL;
15279 
15280 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15281 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
15282 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
15283 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
15284 	fils_aad.snonce = nonces;
15285 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
15286 
15287 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
15288 }
15289 
15290 #define NL80211_FLAG_NEED_WIPHY		0x01
15291 #define NL80211_FLAG_NEED_NETDEV	0x02
15292 #define NL80211_FLAG_NEED_RTNL		0x04
15293 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
15294 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
15295 					 NL80211_FLAG_CHECK_NETDEV_UP)
15296 #define NL80211_FLAG_NEED_WDEV		0x10
15297 /* If a netdev is associated, it must be UP, P2P must be started */
15298 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
15299 					 NL80211_FLAG_CHECK_NETDEV_UP)
15300 #define NL80211_FLAG_CLEAR_SKB		0x20
15301 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
15302 
15303 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
15304 			    struct genl_info *info)
15305 {
15306 	struct cfg80211_registered_device *rdev = NULL;
15307 	struct wireless_dev *wdev;
15308 	struct net_device *dev;
15309 
15310 	rtnl_lock();
15311 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
15312 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
15313 		if (IS_ERR(rdev)) {
15314 			rtnl_unlock();
15315 			return PTR_ERR(rdev);
15316 		}
15317 		info->user_ptr[0] = rdev;
15318 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
15319 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
15320 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
15321 						  info->attrs);
15322 		if (IS_ERR(wdev)) {
15323 			rtnl_unlock();
15324 			return PTR_ERR(wdev);
15325 		}
15326 
15327 		dev = wdev->netdev;
15328 		rdev = wiphy_to_rdev(wdev->wiphy);
15329 
15330 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
15331 			if (!dev) {
15332 				rtnl_unlock();
15333 				return -EINVAL;
15334 			}
15335 
15336 			info->user_ptr[1] = dev;
15337 		} else {
15338 			info->user_ptr[1] = wdev;
15339 		}
15340 
15341 		if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
15342 		    !wdev_running(wdev)) {
15343 			rtnl_unlock();
15344 			return -ENETDOWN;
15345 		}
15346 
15347 		dev_hold(dev);
15348 		info->user_ptr[0] = rdev;
15349 	}
15350 
15351 	if (rdev && !(ops->internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
15352 		wiphy_lock(&rdev->wiphy);
15353 		/* we keep the mutex locked until post_doit */
15354 		__release(&rdev->wiphy.mtx);
15355 	}
15356 	if (!(ops->internal_flags & NL80211_FLAG_NEED_RTNL))
15357 		rtnl_unlock();
15358 
15359 	return 0;
15360 }
15361 
15362 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
15363 			      struct genl_info *info)
15364 {
15365 	if (info->user_ptr[1]) {
15366 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
15367 			struct wireless_dev *wdev = info->user_ptr[1];
15368 
15369 			dev_put(wdev->netdev);
15370 		} else {
15371 			dev_put(info->user_ptr[1]);
15372 		}
15373 	}
15374 
15375 	if (info->user_ptr[0] &&
15376 	    !(ops->internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
15377 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
15378 
15379 		/* we kept the mutex locked since pre_doit */
15380 		__acquire(&rdev->wiphy.mtx);
15381 		wiphy_unlock(&rdev->wiphy);
15382 	}
15383 
15384 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
15385 		rtnl_unlock();
15386 
15387 	/* If needed, clear the netlink message payload from the SKB
15388 	 * as it might contain key data that shouldn't stick around on
15389 	 * the heap after the SKB is freed. The netlink message header
15390 	 * is still needed for further processing, so leave it intact.
15391 	 */
15392 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
15393 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
15394 
15395 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
15396 	}
15397 }
15398 
15399 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
15400 				     struct cfg80211_sar_specs *sar_specs,
15401 				     struct nlattr *spec[], int index)
15402 {
15403 	u32 range_index, i;
15404 
15405 	if (!sar_specs || !spec)
15406 		return -EINVAL;
15407 
15408 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
15409 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
15410 		return -EINVAL;
15411 
15412 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
15413 
15414 	/* check if range_index exceeds num_freq_ranges */
15415 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
15416 		return -EINVAL;
15417 
15418 	/* check if range_index duplicates */
15419 	for (i = 0; i < index; i++) {
15420 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
15421 			return -EINVAL;
15422 	}
15423 
15424 	sar_specs->sub_specs[index].power =
15425 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
15426 
15427 	sar_specs->sub_specs[index].freq_range_index = range_index;
15428 
15429 	return 0;
15430 }
15431 
15432 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
15433 {
15434 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15435 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
15436 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
15437 	struct cfg80211_sar_specs *sar_spec;
15438 	enum nl80211_sar_type type;
15439 	struct nlattr *spec_list;
15440 	u32 specs;
15441 	int rem, err;
15442 
15443 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
15444 		return -EOPNOTSUPP;
15445 
15446 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
15447 		return -EINVAL;
15448 
15449 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
15450 			 info->attrs[NL80211_ATTR_SAR_SPEC],
15451 			 NULL, NULL);
15452 
15453 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
15454 		return -EINVAL;
15455 
15456 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
15457 	if (type != rdev->wiphy.sar_capa->type)
15458 		return -EINVAL;
15459 
15460 	specs = 0;
15461 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
15462 		specs++;
15463 
15464 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
15465 		return -EINVAL;
15466 
15467 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
15468 	if (!sar_spec)
15469 		return -ENOMEM;
15470 
15471 	sar_spec->type = type;
15472 	specs = 0;
15473 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
15474 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
15475 				 spec_list, NULL, NULL);
15476 
15477 		switch (type) {
15478 		case NL80211_SAR_TYPE_POWER:
15479 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
15480 						      spec, specs)) {
15481 				err = -EINVAL;
15482 				goto error;
15483 			}
15484 			break;
15485 		default:
15486 			err = -EINVAL;
15487 			goto error;
15488 		}
15489 		specs++;
15490 	}
15491 
15492 	sar_spec->num_sub_specs = specs;
15493 
15494 	rdev->cur_cmd_info = info;
15495 	err = rdev_set_sar_specs(rdev, sar_spec);
15496 	rdev->cur_cmd_info = NULL;
15497 error:
15498 	kfree(sar_spec);
15499 	return err;
15500 }
15501 
15502 static const struct genl_ops nl80211_ops[] = {
15503 	{
15504 		.cmd = NL80211_CMD_GET_WIPHY,
15505 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15506 		.doit = nl80211_get_wiphy,
15507 		.dumpit = nl80211_dump_wiphy,
15508 		.done = nl80211_dump_wiphy_done,
15509 		/* can be retrieved by unprivileged users */
15510 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15511 	},
15512 };
15513 
15514 static const struct genl_small_ops nl80211_small_ops[] = {
15515 	{
15516 		.cmd = NL80211_CMD_SET_WIPHY,
15517 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15518 		.doit = nl80211_set_wiphy,
15519 		.flags = GENL_UNS_ADMIN_PERM,
15520 	},
15521 	{
15522 		.cmd = NL80211_CMD_GET_INTERFACE,
15523 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15524 		.doit = nl80211_get_interface,
15525 		.dumpit = nl80211_dump_interface,
15526 		/* can be retrieved by unprivileged users */
15527 		.internal_flags = NL80211_FLAG_NEED_WDEV,
15528 	},
15529 	{
15530 		.cmd = NL80211_CMD_SET_INTERFACE,
15531 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15532 		.doit = nl80211_set_interface,
15533 		.flags = GENL_UNS_ADMIN_PERM,
15534 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15535 				  NL80211_FLAG_NEED_RTNL,
15536 	},
15537 	{
15538 		.cmd = NL80211_CMD_NEW_INTERFACE,
15539 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15540 		.doit = nl80211_new_interface,
15541 		.flags = GENL_UNS_ADMIN_PERM,
15542 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15543 				  NL80211_FLAG_NEED_RTNL |
15544 				  /* we take the wiphy mutex later ourselves */
15545 				  NL80211_FLAG_NO_WIPHY_MTX,
15546 	},
15547 	{
15548 		.cmd = NL80211_CMD_DEL_INTERFACE,
15549 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15550 		.doit = nl80211_del_interface,
15551 		.flags = GENL_UNS_ADMIN_PERM,
15552 		.internal_flags = NL80211_FLAG_NEED_WDEV |
15553 				  NL80211_FLAG_NEED_RTNL,
15554 	},
15555 	{
15556 		.cmd = NL80211_CMD_GET_KEY,
15557 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15558 		.doit = nl80211_get_key,
15559 		.flags = GENL_UNS_ADMIN_PERM,
15560 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15561 	},
15562 	{
15563 		.cmd = NL80211_CMD_SET_KEY,
15564 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15565 		.doit = nl80211_set_key,
15566 		.flags = GENL_UNS_ADMIN_PERM,
15567 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15568 				  NL80211_FLAG_CLEAR_SKB,
15569 	},
15570 	{
15571 		.cmd = NL80211_CMD_NEW_KEY,
15572 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15573 		.doit = nl80211_new_key,
15574 		.flags = GENL_UNS_ADMIN_PERM,
15575 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15576 				  NL80211_FLAG_CLEAR_SKB,
15577 	},
15578 	{
15579 		.cmd = NL80211_CMD_DEL_KEY,
15580 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15581 		.doit = nl80211_del_key,
15582 		.flags = GENL_UNS_ADMIN_PERM,
15583 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15584 	},
15585 	{
15586 		.cmd = NL80211_CMD_SET_BEACON,
15587 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15588 		.flags = GENL_UNS_ADMIN_PERM,
15589 		.doit = nl80211_set_beacon,
15590 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15591 	},
15592 	{
15593 		.cmd = NL80211_CMD_START_AP,
15594 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15595 		.flags = GENL_UNS_ADMIN_PERM,
15596 		.doit = nl80211_start_ap,
15597 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15598 	},
15599 	{
15600 		.cmd = NL80211_CMD_STOP_AP,
15601 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15602 		.flags = GENL_UNS_ADMIN_PERM,
15603 		.doit = nl80211_stop_ap,
15604 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15605 	},
15606 	{
15607 		.cmd = NL80211_CMD_GET_STATION,
15608 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15609 		.doit = nl80211_get_station,
15610 		.dumpit = nl80211_dump_station,
15611 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15612 	},
15613 	{
15614 		.cmd = NL80211_CMD_SET_STATION,
15615 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15616 		.doit = nl80211_set_station,
15617 		.flags = GENL_UNS_ADMIN_PERM,
15618 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15619 	},
15620 	{
15621 		.cmd = NL80211_CMD_NEW_STATION,
15622 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15623 		.doit = nl80211_new_station,
15624 		.flags = GENL_UNS_ADMIN_PERM,
15625 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15626 	},
15627 	{
15628 		.cmd = NL80211_CMD_DEL_STATION,
15629 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15630 		.doit = nl80211_del_station,
15631 		.flags = GENL_UNS_ADMIN_PERM,
15632 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15633 	},
15634 	{
15635 		.cmd = NL80211_CMD_GET_MPATH,
15636 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15637 		.doit = nl80211_get_mpath,
15638 		.dumpit = nl80211_dump_mpath,
15639 		.flags = GENL_UNS_ADMIN_PERM,
15640 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15641 	},
15642 	{
15643 		.cmd = NL80211_CMD_GET_MPP,
15644 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15645 		.doit = nl80211_get_mpp,
15646 		.dumpit = nl80211_dump_mpp,
15647 		.flags = GENL_UNS_ADMIN_PERM,
15648 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15649 	},
15650 	{
15651 		.cmd = NL80211_CMD_SET_MPATH,
15652 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15653 		.doit = nl80211_set_mpath,
15654 		.flags = GENL_UNS_ADMIN_PERM,
15655 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15656 	},
15657 	{
15658 		.cmd = NL80211_CMD_NEW_MPATH,
15659 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15660 		.doit = nl80211_new_mpath,
15661 		.flags = GENL_UNS_ADMIN_PERM,
15662 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15663 	},
15664 	{
15665 		.cmd = NL80211_CMD_DEL_MPATH,
15666 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15667 		.doit = nl80211_del_mpath,
15668 		.flags = GENL_UNS_ADMIN_PERM,
15669 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15670 	},
15671 	{
15672 		.cmd = NL80211_CMD_SET_BSS,
15673 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15674 		.doit = nl80211_set_bss,
15675 		.flags = GENL_UNS_ADMIN_PERM,
15676 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15677 	},
15678 	{
15679 		.cmd = NL80211_CMD_GET_REG,
15680 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15681 		.doit = nl80211_get_reg_do,
15682 		.dumpit = nl80211_get_reg_dump,
15683 		.internal_flags = 0,
15684 		/* can be retrieved by unprivileged users */
15685 	},
15686 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
15687 	{
15688 		.cmd = NL80211_CMD_SET_REG,
15689 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15690 		.doit = nl80211_set_reg,
15691 		.flags = GENL_ADMIN_PERM,
15692 		.internal_flags = 0,
15693 	},
15694 #endif
15695 	{
15696 		.cmd = NL80211_CMD_REQ_SET_REG,
15697 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15698 		.doit = nl80211_req_set_reg,
15699 		.flags = GENL_ADMIN_PERM,
15700 	},
15701 	{
15702 		.cmd = NL80211_CMD_RELOAD_REGDB,
15703 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15704 		.doit = nl80211_reload_regdb,
15705 		.flags = GENL_ADMIN_PERM,
15706 	},
15707 	{
15708 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
15709 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15710 		.doit = nl80211_get_mesh_config,
15711 		/* can be retrieved by unprivileged users */
15712 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15713 	},
15714 	{
15715 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
15716 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15717 		.doit = nl80211_update_mesh_config,
15718 		.flags = GENL_UNS_ADMIN_PERM,
15719 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15720 	},
15721 	{
15722 		.cmd = NL80211_CMD_TRIGGER_SCAN,
15723 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15724 		.doit = nl80211_trigger_scan,
15725 		.flags = GENL_UNS_ADMIN_PERM,
15726 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15727 	},
15728 	{
15729 		.cmd = NL80211_CMD_ABORT_SCAN,
15730 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15731 		.doit = nl80211_abort_scan,
15732 		.flags = GENL_UNS_ADMIN_PERM,
15733 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15734 	},
15735 	{
15736 		.cmd = NL80211_CMD_GET_SCAN,
15737 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15738 		.dumpit = nl80211_dump_scan,
15739 	},
15740 	{
15741 		.cmd = NL80211_CMD_START_SCHED_SCAN,
15742 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15743 		.doit = nl80211_start_sched_scan,
15744 		.flags = GENL_UNS_ADMIN_PERM,
15745 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15746 	},
15747 	{
15748 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
15749 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15750 		.doit = nl80211_stop_sched_scan,
15751 		.flags = GENL_UNS_ADMIN_PERM,
15752 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15753 	},
15754 	{
15755 		.cmd = NL80211_CMD_AUTHENTICATE,
15756 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15757 		.doit = nl80211_authenticate,
15758 		.flags = GENL_UNS_ADMIN_PERM,
15759 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15760 				  0 |
15761 				  NL80211_FLAG_CLEAR_SKB,
15762 	},
15763 	{
15764 		.cmd = NL80211_CMD_ASSOCIATE,
15765 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15766 		.doit = nl80211_associate,
15767 		.flags = GENL_UNS_ADMIN_PERM,
15768 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15769 				  0 |
15770 				  NL80211_FLAG_CLEAR_SKB,
15771 	},
15772 	{
15773 		.cmd = NL80211_CMD_DEAUTHENTICATE,
15774 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15775 		.doit = nl80211_deauthenticate,
15776 		.flags = GENL_UNS_ADMIN_PERM,
15777 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15778 	},
15779 	{
15780 		.cmd = NL80211_CMD_DISASSOCIATE,
15781 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15782 		.doit = nl80211_disassociate,
15783 		.flags = GENL_UNS_ADMIN_PERM,
15784 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15785 	},
15786 	{
15787 		.cmd = NL80211_CMD_JOIN_IBSS,
15788 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15789 		.doit = nl80211_join_ibss,
15790 		.flags = GENL_UNS_ADMIN_PERM,
15791 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15792 	},
15793 	{
15794 		.cmd = NL80211_CMD_LEAVE_IBSS,
15795 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15796 		.doit = nl80211_leave_ibss,
15797 		.flags = GENL_UNS_ADMIN_PERM,
15798 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15799 	},
15800 #ifdef CONFIG_NL80211_TESTMODE
15801 	{
15802 		.cmd = NL80211_CMD_TESTMODE,
15803 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15804 		.doit = nl80211_testmode_do,
15805 		.dumpit = nl80211_testmode_dump,
15806 		.flags = GENL_UNS_ADMIN_PERM,
15807 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15808 	},
15809 #endif
15810 	{
15811 		.cmd = NL80211_CMD_CONNECT,
15812 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15813 		.doit = nl80211_connect,
15814 		.flags = GENL_UNS_ADMIN_PERM,
15815 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15816 				  0 |
15817 				  NL80211_FLAG_CLEAR_SKB,
15818 	},
15819 	{
15820 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
15821 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15822 		.doit = nl80211_update_connect_params,
15823 		.flags = GENL_ADMIN_PERM,
15824 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15825 				  0 |
15826 				  NL80211_FLAG_CLEAR_SKB,
15827 	},
15828 	{
15829 		.cmd = NL80211_CMD_DISCONNECT,
15830 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15831 		.doit = nl80211_disconnect,
15832 		.flags = GENL_UNS_ADMIN_PERM,
15833 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15834 	},
15835 	{
15836 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
15837 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15838 		.doit = nl80211_wiphy_netns,
15839 		.flags = GENL_UNS_ADMIN_PERM,
15840 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15841 				  NL80211_FLAG_NEED_RTNL |
15842 				  NL80211_FLAG_NO_WIPHY_MTX,
15843 	},
15844 	{
15845 		.cmd = NL80211_CMD_GET_SURVEY,
15846 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15847 		.dumpit = nl80211_dump_survey,
15848 	},
15849 	{
15850 		.cmd = NL80211_CMD_SET_PMKSA,
15851 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15852 		.doit = nl80211_setdel_pmksa,
15853 		.flags = GENL_UNS_ADMIN_PERM,
15854 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15855 				  0 |
15856 				  NL80211_FLAG_CLEAR_SKB,
15857 	},
15858 	{
15859 		.cmd = NL80211_CMD_DEL_PMKSA,
15860 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15861 		.doit = nl80211_setdel_pmksa,
15862 		.flags = GENL_UNS_ADMIN_PERM,
15863 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15864 	},
15865 	{
15866 		.cmd = NL80211_CMD_FLUSH_PMKSA,
15867 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15868 		.doit = nl80211_flush_pmksa,
15869 		.flags = GENL_UNS_ADMIN_PERM,
15870 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15871 	},
15872 	{
15873 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
15874 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15875 		.doit = nl80211_remain_on_channel,
15876 		.flags = GENL_UNS_ADMIN_PERM,
15877 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15878 	},
15879 	{
15880 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
15881 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15882 		.doit = nl80211_cancel_remain_on_channel,
15883 		.flags = GENL_UNS_ADMIN_PERM,
15884 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15885 	},
15886 	{
15887 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
15888 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15889 		.doit = nl80211_set_tx_bitrate_mask,
15890 		.flags = GENL_UNS_ADMIN_PERM,
15891 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15892 	},
15893 	{
15894 		.cmd = NL80211_CMD_REGISTER_FRAME,
15895 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15896 		.doit = nl80211_register_mgmt,
15897 		.flags = GENL_UNS_ADMIN_PERM,
15898 		.internal_flags = NL80211_FLAG_NEED_WDEV,
15899 	},
15900 	{
15901 		.cmd = NL80211_CMD_FRAME,
15902 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15903 		.doit = nl80211_tx_mgmt,
15904 		.flags = GENL_UNS_ADMIN_PERM,
15905 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15906 	},
15907 	{
15908 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
15909 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15910 		.doit = nl80211_tx_mgmt_cancel_wait,
15911 		.flags = GENL_UNS_ADMIN_PERM,
15912 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15913 	},
15914 	{
15915 		.cmd = NL80211_CMD_SET_POWER_SAVE,
15916 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15917 		.doit = nl80211_set_power_save,
15918 		.flags = GENL_UNS_ADMIN_PERM,
15919 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15920 	},
15921 	{
15922 		.cmd = NL80211_CMD_GET_POWER_SAVE,
15923 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15924 		.doit = nl80211_get_power_save,
15925 		/* can be retrieved by unprivileged users */
15926 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15927 	},
15928 	{
15929 		.cmd = NL80211_CMD_SET_CQM,
15930 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15931 		.doit = nl80211_set_cqm,
15932 		.flags = GENL_UNS_ADMIN_PERM,
15933 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15934 	},
15935 	{
15936 		.cmd = NL80211_CMD_SET_CHANNEL,
15937 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15938 		.doit = nl80211_set_channel,
15939 		.flags = GENL_UNS_ADMIN_PERM,
15940 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15941 	},
15942 	{
15943 		.cmd = NL80211_CMD_JOIN_MESH,
15944 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15945 		.doit = nl80211_join_mesh,
15946 		.flags = GENL_UNS_ADMIN_PERM,
15947 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15948 	},
15949 	{
15950 		.cmd = NL80211_CMD_LEAVE_MESH,
15951 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15952 		.doit = nl80211_leave_mesh,
15953 		.flags = GENL_UNS_ADMIN_PERM,
15954 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15955 	},
15956 	{
15957 		.cmd = NL80211_CMD_JOIN_OCB,
15958 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15959 		.doit = nl80211_join_ocb,
15960 		.flags = GENL_UNS_ADMIN_PERM,
15961 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15962 	},
15963 	{
15964 		.cmd = NL80211_CMD_LEAVE_OCB,
15965 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15966 		.doit = nl80211_leave_ocb,
15967 		.flags = GENL_UNS_ADMIN_PERM,
15968 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15969 	},
15970 #ifdef CONFIG_PM
15971 	{
15972 		.cmd = NL80211_CMD_GET_WOWLAN,
15973 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15974 		.doit = nl80211_get_wowlan,
15975 		/* can be retrieved by unprivileged users */
15976 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15977 	},
15978 	{
15979 		.cmd = NL80211_CMD_SET_WOWLAN,
15980 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15981 		.doit = nl80211_set_wowlan,
15982 		.flags = GENL_UNS_ADMIN_PERM,
15983 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15984 	},
15985 #endif
15986 	{
15987 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
15988 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15989 		.doit = nl80211_set_rekey_data,
15990 		.flags = GENL_UNS_ADMIN_PERM,
15991 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15992 				  0 |
15993 				  NL80211_FLAG_CLEAR_SKB,
15994 	},
15995 	{
15996 		.cmd = NL80211_CMD_TDLS_MGMT,
15997 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15998 		.doit = nl80211_tdls_mgmt,
15999 		.flags = GENL_UNS_ADMIN_PERM,
16000 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16001 	},
16002 	{
16003 		.cmd = NL80211_CMD_TDLS_OPER,
16004 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16005 		.doit = nl80211_tdls_oper,
16006 		.flags = GENL_UNS_ADMIN_PERM,
16007 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16008 	},
16009 	{
16010 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
16011 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16012 		.doit = nl80211_register_unexpected_frame,
16013 		.flags = GENL_UNS_ADMIN_PERM,
16014 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16015 	},
16016 	{
16017 		.cmd = NL80211_CMD_PROBE_CLIENT,
16018 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16019 		.doit = nl80211_probe_client,
16020 		.flags = GENL_UNS_ADMIN_PERM,
16021 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16022 	},
16023 	{
16024 		.cmd = NL80211_CMD_REGISTER_BEACONS,
16025 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16026 		.doit = nl80211_register_beacons,
16027 		.flags = GENL_UNS_ADMIN_PERM,
16028 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
16029 	},
16030 	{
16031 		.cmd = NL80211_CMD_SET_NOACK_MAP,
16032 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16033 		.doit = nl80211_set_noack_map,
16034 		.flags = GENL_UNS_ADMIN_PERM,
16035 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16036 	},
16037 	{
16038 		.cmd = NL80211_CMD_START_P2P_DEVICE,
16039 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16040 		.doit = nl80211_start_p2p_device,
16041 		.flags = GENL_UNS_ADMIN_PERM,
16042 		.internal_flags = NL80211_FLAG_NEED_WDEV |
16043 				  NL80211_FLAG_NEED_RTNL,
16044 	},
16045 	{
16046 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
16047 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16048 		.doit = nl80211_stop_p2p_device,
16049 		.flags = GENL_UNS_ADMIN_PERM,
16050 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
16051 				  NL80211_FLAG_NEED_RTNL,
16052 	},
16053 	{
16054 		.cmd = NL80211_CMD_START_NAN,
16055 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16056 		.doit = nl80211_start_nan,
16057 		.flags = GENL_ADMIN_PERM,
16058 		.internal_flags = NL80211_FLAG_NEED_WDEV |
16059 				  NL80211_FLAG_NEED_RTNL,
16060 	},
16061 	{
16062 		.cmd = NL80211_CMD_STOP_NAN,
16063 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16064 		.doit = nl80211_stop_nan,
16065 		.flags = GENL_ADMIN_PERM,
16066 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
16067 				  NL80211_FLAG_NEED_RTNL,
16068 	},
16069 	{
16070 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
16071 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16072 		.doit = nl80211_nan_add_func,
16073 		.flags = GENL_ADMIN_PERM,
16074 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16075 	},
16076 	{
16077 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
16078 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16079 		.doit = nl80211_nan_del_func,
16080 		.flags = GENL_ADMIN_PERM,
16081 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16082 	},
16083 	{
16084 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
16085 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16086 		.doit = nl80211_nan_change_config,
16087 		.flags = GENL_ADMIN_PERM,
16088 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16089 	},
16090 	{
16091 		.cmd = NL80211_CMD_SET_MCAST_RATE,
16092 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16093 		.doit = nl80211_set_mcast_rate,
16094 		.flags = GENL_UNS_ADMIN_PERM,
16095 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16096 	},
16097 	{
16098 		.cmd = NL80211_CMD_SET_MAC_ACL,
16099 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16100 		.doit = nl80211_set_mac_acl,
16101 		.flags = GENL_UNS_ADMIN_PERM,
16102 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16103 	},
16104 	{
16105 		.cmd = NL80211_CMD_RADAR_DETECT,
16106 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16107 		.doit = nl80211_start_radar_detection,
16108 		.flags = GENL_UNS_ADMIN_PERM,
16109 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
16110 				  NL80211_FLAG_NO_WIPHY_MTX,
16111 	},
16112 	{
16113 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
16114 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16115 		.doit = nl80211_get_protocol_features,
16116 	},
16117 	{
16118 		.cmd = NL80211_CMD_UPDATE_FT_IES,
16119 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16120 		.doit = nl80211_update_ft_ies,
16121 		.flags = GENL_UNS_ADMIN_PERM,
16122 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16123 	},
16124 	{
16125 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
16126 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16127 		.doit = nl80211_crit_protocol_start,
16128 		.flags = GENL_UNS_ADMIN_PERM,
16129 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16130 	},
16131 	{
16132 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
16133 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16134 		.doit = nl80211_crit_protocol_stop,
16135 		.flags = GENL_UNS_ADMIN_PERM,
16136 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16137 	},
16138 	{
16139 		.cmd = NL80211_CMD_GET_COALESCE,
16140 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16141 		.doit = nl80211_get_coalesce,
16142 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
16143 	},
16144 	{
16145 		.cmd = NL80211_CMD_SET_COALESCE,
16146 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16147 		.doit = nl80211_set_coalesce,
16148 		.flags = GENL_UNS_ADMIN_PERM,
16149 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
16150 	},
16151 	{
16152 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
16153 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16154 		.doit = nl80211_channel_switch,
16155 		.flags = GENL_UNS_ADMIN_PERM,
16156 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16157 	},
16158 	{
16159 		.cmd = NL80211_CMD_VENDOR,
16160 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16161 		.doit = nl80211_vendor_cmd,
16162 		.dumpit = nl80211_vendor_cmd_dump,
16163 		.flags = GENL_UNS_ADMIN_PERM,
16164 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
16165 				  0 |
16166 				  NL80211_FLAG_CLEAR_SKB,
16167 	},
16168 	{
16169 		.cmd = NL80211_CMD_SET_QOS_MAP,
16170 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16171 		.doit = nl80211_set_qos_map,
16172 		.flags = GENL_UNS_ADMIN_PERM,
16173 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16174 	},
16175 	{
16176 		.cmd = NL80211_CMD_ADD_TX_TS,
16177 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16178 		.doit = nl80211_add_tx_ts,
16179 		.flags = GENL_UNS_ADMIN_PERM,
16180 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16181 	},
16182 	{
16183 		.cmd = NL80211_CMD_DEL_TX_TS,
16184 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16185 		.doit = nl80211_del_tx_ts,
16186 		.flags = GENL_UNS_ADMIN_PERM,
16187 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16188 	},
16189 	{
16190 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
16191 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16192 		.doit = nl80211_tdls_channel_switch,
16193 		.flags = GENL_UNS_ADMIN_PERM,
16194 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16195 	},
16196 	{
16197 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
16198 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16199 		.doit = nl80211_tdls_cancel_channel_switch,
16200 		.flags = GENL_UNS_ADMIN_PERM,
16201 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16202 	},
16203 	{
16204 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
16205 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16206 		.doit = nl80211_set_multicast_to_unicast,
16207 		.flags = GENL_UNS_ADMIN_PERM,
16208 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16209 	},
16210 	{
16211 		.cmd = NL80211_CMD_SET_PMK,
16212 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16213 		.doit = nl80211_set_pmk,
16214 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
16215 				  0 |
16216 				  NL80211_FLAG_CLEAR_SKB,
16217 	},
16218 	{
16219 		.cmd = NL80211_CMD_DEL_PMK,
16220 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16221 		.doit = nl80211_del_pmk,
16222 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16223 	},
16224 	{
16225 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
16226 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16227 		.doit = nl80211_external_auth,
16228 		.flags = GENL_ADMIN_PERM,
16229 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16230 	},
16231 	{
16232 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
16233 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16234 		.doit = nl80211_tx_control_port,
16235 		.flags = GENL_UNS_ADMIN_PERM,
16236 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16237 	},
16238 	{
16239 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
16240 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16241 		.doit = nl80211_get_ftm_responder_stats,
16242 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16243 	},
16244 	{
16245 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
16246 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16247 		.doit = nl80211_pmsr_start,
16248 		.flags = GENL_UNS_ADMIN_PERM,
16249 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16250 	},
16251 	{
16252 		.cmd = NL80211_CMD_NOTIFY_RADAR,
16253 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16254 		.doit = nl80211_notify_radar_detection,
16255 		.flags = GENL_UNS_ADMIN_PERM,
16256 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16257 	},
16258 	{
16259 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
16260 		.doit = nl80211_update_owe_info,
16261 		.flags = GENL_ADMIN_PERM,
16262 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16263 	},
16264 	{
16265 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
16266 		.doit = nl80211_probe_mesh_link,
16267 		.flags = GENL_UNS_ADMIN_PERM,
16268 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16269 	},
16270 	{
16271 		.cmd = NL80211_CMD_SET_TID_CONFIG,
16272 		.doit = nl80211_set_tid_config,
16273 		.flags = GENL_UNS_ADMIN_PERM,
16274 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16275 	},
16276 	{
16277 		.cmd = NL80211_CMD_SET_SAR_SPECS,
16278 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16279 		.doit = nl80211_set_sar_specs,
16280 		.flags = GENL_UNS_ADMIN_PERM,
16281 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
16282 				  NL80211_FLAG_NEED_RTNL,
16283 	},
16284 	{
16285 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
16286 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16287 		.doit = nl80211_color_change,
16288 		.flags = GENL_UNS_ADMIN_PERM,
16289 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
16290 				  NL80211_FLAG_NEED_RTNL,
16291 	},
16292 	{
16293 		.cmd = NL80211_CMD_SET_FILS_AAD,
16294 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16295 		.doit = nl80211_set_fils_aad,
16296 		.flags = GENL_UNS_ADMIN_PERM,
16297 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16298 	},
16299 };
16300 
16301 static struct genl_family nl80211_fam __ro_after_init = {
16302 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
16303 	.hdrsize = 0,			/* no private header */
16304 	.version = 1,			/* no particular meaning now */
16305 	.maxattr = NL80211_ATTR_MAX,
16306 	.policy = nl80211_policy,
16307 	.netnsok = true,
16308 	.pre_doit = nl80211_pre_doit,
16309 	.post_doit = nl80211_post_doit,
16310 	.module = THIS_MODULE,
16311 	.ops = nl80211_ops,
16312 	.n_ops = ARRAY_SIZE(nl80211_ops),
16313 	.small_ops = nl80211_small_ops,
16314 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
16315 	.mcgrps = nl80211_mcgrps,
16316 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
16317 	.parallel_ops = true,
16318 };
16319 
16320 /* notification functions */
16321 
16322 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
16323 			  enum nl80211_commands cmd)
16324 {
16325 	struct sk_buff *msg;
16326 	struct nl80211_dump_wiphy_state state = {};
16327 
16328 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
16329 		cmd != NL80211_CMD_DEL_WIPHY);
16330 
16331 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16332 	if (!msg)
16333 		return;
16334 
16335 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
16336 		nlmsg_free(msg);
16337 		return;
16338 	}
16339 
16340 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16341 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
16342 }
16343 
16344 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
16345 				struct wireless_dev *wdev,
16346 				enum nl80211_commands cmd)
16347 {
16348 	struct sk_buff *msg;
16349 
16350 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16351 	if (!msg)
16352 		return;
16353 
16354 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
16355 		nlmsg_free(msg);
16356 		return;
16357 	}
16358 
16359 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16360 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
16361 }
16362 
16363 static int nl80211_add_scan_req(struct sk_buff *msg,
16364 				struct cfg80211_registered_device *rdev)
16365 {
16366 	struct cfg80211_scan_request *req = rdev->scan_req;
16367 	struct nlattr *nest;
16368 	int i;
16369 	struct cfg80211_scan_info *info;
16370 
16371 	if (WARN_ON(!req))
16372 		return 0;
16373 
16374 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
16375 	if (!nest)
16376 		goto nla_put_failure;
16377 	for (i = 0; i < req->n_ssids; i++) {
16378 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
16379 			goto nla_put_failure;
16380 	}
16381 	nla_nest_end(msg, nest);
16382 
16383 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
16384 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
16385 		if (!nest)
16386 			goto nla_put_failure;
16387 		for (i = 0; i < req->n_channels; i++) {
16388 			if (nla_put_u32(msg, i,
16389 				   ieee80211_channel_to_khz(req->channels[i])))
16390 				goto nla_put_failure;
16391 		}
16392 		nla_nest_end(msg, nest);
16393 	} else {
16394 		nest = nla_nest_start_noflag(msg,
16395 					     NL80211_ATTR_SCAN_FREQUENCIES);
16396 		if (!nest)
16397 			goto nla_put_failure;
16398 		for (i = 0; i < req->n_channels; i++) {
16399 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
16400 				goto nla_put_failure;
16401 		}
16402 		nla_nest_end(msg, nest);
16403 	}
16404 
16405 	if (req->ie &&
16406 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
16407 		goto nla_put_failure;
16408 
16409 	if (req->flags &&
16410 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
16411 		goto nla_put_failure;
16412 
16413 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
16414 		&rdev->scan_req->info;
16415 	if (info->scan_start_tsf &&
16416 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
16417 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
16418 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
16419 		     info->tsf_bssid)))
16420 		goto nla_put_failure;
16421 
16422 	return 0;
16423  nla_put_failure:
16424 	return -ENOBUFS;
16425 }
16426 
16427 static int nl80211_prep_scan_msg(struct sk_buff *msg,
16428 				 struct cfg80211_registered_device *rdev,
16429 				 struct wireless_dev *wdev,
16430 				 u32 portid, u32 seq, int flags,
16431 				 u32 cmd)
16432 {
16433 	void *hdr;
16434 
16435 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
16436 	if (!hdr)
16437 		return -1;
16438 
16439 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16440 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16441 					 wdev->netdev->ifindex)) ||
16442 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16443 			      NL80211_ATTR_PAD))
16444 		goto nla_put_failure;
16445 
16446 	/* ignore errors and send incomplete event anyway */
16447 	nl80211_add_scan_req(msg, rdev);
16448 
16449 	genlmsg_end(msg, hdr);
16450 	return 0;
16451 
16452  nla_put_failure:
16453 	genlmsg_cancel(msg, hdr);
16454 	return -EMSGSIZE;
16455 }
16456 
16457 static int
16458 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
16459 			    struct cfg80211_sched_scan_request *req, u32 cmd)
16460 {
16461 	void *hdr;
16462 
16463 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16464 	if (!hdr)
16465 		return -1;
16466 
16467 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
16468 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
16469 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
16470 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
16471 			      NL80211_ATTR_PAD))
16472 		goto nla_put_failure;
16473 
16474 	genlmsg_end(msg, hdr);
16475 	return 0;
16476 
16477  nla_put_failure:
16478 	genlmsg_cancel(msg, hdr);
16479 	return -EMSGSIZE;
16480 }
16481 
16482 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
16483 			     struct wireless_dev *wdev)
16484 {
16485 	struct sk_buff *msg;
16486 
16487 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16488 	if (!msg)
16489 		return;
16490 
16491 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
16492 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
16493 		nlmsg_free(msg);
16494 		return;
16495 	}
16496 
16497 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16498 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16499 }
16500 
16501 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
16502 				       struct wireless_dev *wdev, bool aborted)
16503 {
16504 	struct sk_buff *msg;
16505 
16506 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16507 	if (!msg)
16508 		return NULL;
16509 
16510 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
16511 				  aborted ? NL80211_CMD_SCAN_ABORTED :
16512 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
16513 		nlmsg_free(msg);
16514 		return NULL;
16515 	}
16516 
16517 	return msg;
16518 }
16519 
16520 /* send message created by nl80211_build_scan_msg() */
16521 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
16522 			   struct sk_buff *msg)
16523 {
16524 	if (!msg)
16525 		return;
16526 
16527 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16528 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16529 }
16530 
16531 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
16532 {
16533 	struct sk_buff *msg;
16534 
16535 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16536 	if (!msg)
16537 		return;
16538 
16539 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
16540 		nlmsg_free(msg);
16541 		return;
16542 	}
16543 
16544 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
16545 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16546 }
16547 
16548 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
16549 					  struct regulatory_request *request)
16550 {
16551 	/* Userspace can always count this one always being set */
16552 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
16553 		goto nla_put_failure;
16554 
16555 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
16556 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16557 			       NL80211_REGDOM_TYPE_WORLD))
16558 			goto nla_put_failure;
16559 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
16560 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16561 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
16562 			goto nla_put_failure;
16563 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
16564 		   request->intersect) {
16565 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16566 			       NL80211_REGDOM_TYPE_INTERSECTION))
16567 			goto nla_put_failure;
16568 	} else {
16569 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16570 			       NL80211_REGDOM_TYPE_COUNTRY) ||
16571 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
16572 				   request->alpha2))
16573 			goto nla_put_failure;
16574 	}
16575 
16576 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
16577 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
16578 
16579 		if (wiphy &&
16580 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
16581 			goto nla_put_failure;
16582 
16583 		if (wiphy &&
16584 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
16585 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
16586 			goto nla_put_failure;
16587 	}
16588 
16589 	return true;
16590 
16591 nla_put_failure:
16592 	return false;
16593 }
16594 
16595 /*
16596  * This can happen on global regulatory changes or device specific settings
16597  * based on custom regulatory domains.
16598  */
16599 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
16600 				     struct regulatory_request *request)
16601 {
16602 	struct sk_buff *msg;
16603 	void *hdr;
16604 
16605 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16606 	if (!msg)
16607 		return;
16608 
16609 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
16610 	if (!hdr)
16611 		goto nla_put_failure;
16612 
16613 	if (!nl80211_reg_change_event_fill(msg, request))
16614 		goto nla_put_failure;
16615 
16616 	genlmsg_end(msg, hdr);
16617 
16618 	rcu_read_lock();
16619 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
16620 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
16621 	rcu_read_unlock();
16622 
16623 	return;
16624 
16625 nla_put_failure:
16626 	nlmsg_free(msg);
16627 }
16628 
16629 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
16630 				    struct net_device *netdev,
16631 				    const u8 *buf, size_t len,
16632 				    enum nl80211_commands cmd, gfp_t gfp,
16633 				    int uapsd_queues, const u8 *req_ies,
16634 				    size_t req_ies_len, bool reconnect)
16635 {
16636 	struct sk_buff *msg;
16637 	void *hdr;
16638 
16639 	msg = nlmsg_new(100 + len + req_ies_len, gfp);
16640 	if (!msg)
16641 		return;
16642 
16643 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16644 	if (!hdr) {
16645 		nlmsg_free(msg);
16646 		return;
16647 	}
16648 
16649 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16650 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16651 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
16652 	    (req_ies &&
16653 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
16654 		goto nla_put_failure;
16655 
16656 	if (reconnect && nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
16657 		goto nla_put_failure;
16658 
16659 	if (uapsd_queues >= 0) {
16660 		struct nlattr *nla_wmm =
16661 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
16662 		if (!nla_wmm)
16663 			goto nla_put_failure;
16664 
16665 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
16666 			       uapsd_queues))
16667 			goto nla_put_failure;
16668 
16669 		nla_nest_end(msg, nla_wmm);
16670 	}
16671 
16672 	genlmsg_end(msg, hdr);
16673 
16674 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16675 				NL80211_MCGRP_MLME, gfp);
16676 	return;
16677 
16678  nla_put_failure:
16679 	nlmsg_free(msg);
16680 }
16681 
16682 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
16683 			  struct net_device *netdev, const u8 *buf,
16684 			  size_t len, gfp_t gfp)
16685 {
16686 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16687 				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0,
16688 				false);
16689 }
16690 
16691 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
16692 			   struct net_device *netdev, const u8 *buf,
16693 			   size_t len, gfp_t gfp, int uapsd_queues,
16694 			   const u8 *req_ies, size_t req_ies_len)
16695 {
16696 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16697 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues,
16698 				req_ies, req_ies_len, false);
16699 }
16700 
16701 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
16702 			 struct net_device *netdev, const u8 *buf,
16703 			 size_t len, bool reconnect, gfp_t gfp)
16704 {
16705 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16706 				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0,
16707 				reconnect);
16708 }
16709 
16710 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
16711 			   struct net_device *netdev, const u8 *buf,
16712 			   size_t len, bool reconnect, gfp_t gfp)
16713 {
16714 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16715 				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0,
16716 				reconnect);
16717 }
16718 
16719 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
16720 				  size_t len)
16721 {
16722 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16723 	struct wiphy *wiphy = wdev->wiphy;
16724 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16725 	const struct ieee80211_mgmt *mgmt = (void *)buf;
16726 	u32 cmd;
16727 
16728 	if (WARN_ON(len < 2))
16729 		return;
16730 
16731 	if (ieee80211_is_deauth(mgmt->frame_control)) {
16732 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
16733 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
16734 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
16735 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
16736 		if (wdev->unprot_beacon_reported &&
16737 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
16738 			return;
16739 		cmd = NL80211_CMD_UNPROT_BEACON;
16740 		wdev->unprot_beacon_reported = jiffies;
16741 	} else {
16742 		return;
16743 	}
16744 
16745 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
16746 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
16747 				NULL, 0, false);
16748 }
16749 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
16750 
16751 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
16752 				      struct net_device *netdev, int cmd,
16753 				      const u8 *addr, gfp_t gfp)
16754 {
16755 	struct sk_buff *msg;
16756 	void *hdr;
16757 
16758 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16759 	if (!msg)
16760 		return;
16761 
16762 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16763 	if (!hdr) {
16764 		nlmsg_free(msg);
16765 		return;
16766 	}
16767 
16768 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16769 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16770 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
16771 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
16772 		goto nla_put_failure;
16773 
16774 	genlmsg_end(msg, hdr);
16775 
16776 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16777 				NL80211_MCGRP_MLME, gfp);
16778 	return;
16779 
16780  nla_put_failure:
16781 	nlmsg_free(msg);
16782 }
16783 
16784 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
16785 			       struct net_device *netdev, const u8 *addr,
16786 			       gfp_t gfp)
16787 {
16788 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
16789 				  addr, gfp);
16790 }
16791 
16792 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
16793 				struct net_device *netdev, const u8 *addr,
16794 				gfp_t gfp)
16795 {
16796 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
16797 				  addr, gfp);
16798 }
16799 
16800 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
16801 				 struct net_device *netdev,
16802 				 struct cfg80211_connect_resp_params *cr,
16803 				 gfp_t gfp)
16804 {
16805 	struct sk_buff *msg;
16806 	void *hdr;
16807 
16808 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
16809 			cr->fils.kek_len + cr->fils.pmk_len +
16810 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
16811 	if (!msg)
16812 		return;
16813 
16814 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
16815 	if (!hdr) {
16816 		nlmsg_free(msg);
16817 		return;
16818 	}
16819 
16820 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16821 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16822 	    (cr->bssid &&
16823 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cr->bssid)) ||
16824 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
16825 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
16826 			cr->status) ||
16827 	    (cr->status < 0 &&
16828 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
16829 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
16830 			  cr->timeout_reason))) ||
16831 	    (cr->req_ie &&
16832 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
16833 	    (cr->resp_ie &&
16834 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
16835 		     cr->resp_ie)) ||
16836 	    (cr->fils.update_erp_next_seq_num &&
16837 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
16838 			 cr->fils.erp_next_seq_num)) ||
16839 	    (cr->status == WLAN_STATUS_SUCCESS &&
16840 	     ((cr->fils.kek &&
16841 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
16842 		       cr->fils.kek)) ||
16843 	      (cr->fils.pmk &&
16844 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
16845 	      (cr->fils.pmkid &&
16846 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
16847 		goto nla_put_failure;
16848 
16849 	genlmsg_end(msg, hdr);
16850 
16851 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16852 				NL80211_MCGRP_MLME, gfp);
16853 	return;
16854 
16855  nla_put_failure:
16856 	nlmsg_free(msg);
16857 }
16858 
16859 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
16860 			 struct net_device *netdev,
16861 			 struct cfg80211_roam_info *info, gfp_t gfp)
16862 {
16863 	struct sk_buff *msg;
16864 	void *hdr;
16865 	const u8 *bssid = info->bss ? info->bss->bssid : info->bssid;
16866 
16867 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
16868 			info->fils.kek_len + info->fils.pmk_len +
16869 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
16870 	if (!msg)
16871 		return;
16872 
16873 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
16874 	if (!hdr) {
16875 		nlmsg_free(msg);
16876 		return;
16877 	}
16878 
16879 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16880 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16881 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
16882 	    (info->req_ie &&
16883 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
16884 		     info->req_ie)) ||
16885 	    (info->resp_ie &&
16886 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
16887 		     info->resp_ie)) ||
16888 	    (info->fils.update_erp_next_seq_num &&
16889 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
16890 			 info->fils.erp_next_seq_num)) ||
16891 	    (info->fils.kek &&
16892 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
16893 		     info->fils.kek)) ||
16894 	    (info->fils.pmk &&
16895 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
16896 	    (info->fils.pmkid &&
16897 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
16898 		goto nla_put_failure;
16899 
16900 	genlmsg_end(msg, hdr);
16901 
16902 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16903 				NL80211_MCGRP_MLME, gfp);
16904 	return;
16905 
16906  nla_put_failure:
16907 	nlmsg_free(msg);
16908 }
16909 
16910 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
16911 				  struct net_device *netdev, const u8 *bssid)
16912 {
16913 	struct sk_buff *msg;
16914 	void *hdr;
16915 
16916 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16917 	if (!msg)
16918 		return;
16919 
16920 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
16921 	if (!hdr) {
16922 		nlmsg_free(msg);
16923 		return;
16924 	}
16925 
16926 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16927 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16928 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16929 		goto nla_put_failure;
16930 
16931 	genlmsg_end(msg, hdr);
16932 
16933 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16934 				NL80211_MCGRP_MLME, GFP_KERNEL);
16935 	return;
16936 
16937  nla_put_failure:
16938 	nlmsg_free(msg);
16939 }
16940 
16941 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
16942 			       struct net_device *netdev, u16 reason,
16943 			       const u8 *ie, size_t ie_len, bool from_ap)
16944 {
16945 	struct sk_buff *msg;
16946 	void *hdr;
16947 
16948 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
16949 	if (!msg)
16950 		return;
16951 
16952 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
16953 	if (!hdr) {
16954 		nlmsg_free(msg);
16955 		return;
16956 	}
16957 
16958 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16959 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16960 	    (reason &&
16961 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
16962 	    (from_ap &&
16963 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
16964 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
16965 		goto nla_put_failure;
16966 
16967 	genlmsg_end(msg, hdr);
16968 
16969 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16970 				NL80211_MCGRP_MLME, GFP_KERNEL);
16971 	return;
16972 
16973  nla_put_failure:
16974 	nlmsg_free(msg);
16975 }
16976 
16977 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
16978 			     struct net_device *netdev, const u8 *bssid,
16979 			     gfp_t gfp)
16980 {
16981 	struct sk_buff *msg;
16982 	void *hdr;
16983 
16984 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16985 	if (!msg)
16986 		return;
16987 
16988 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
16989 	if (!hdr) {
16990 		nlmsg_free(msg);
16991 		return;
16992 	}
16993 
16994 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16995 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16996 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16997 		goto nla_put_failure;
16998 
16999 	genlmsg_end(msg, hdr);
17000 
17001 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17002 				NL80211_MCGRP_MLME, gfp);
17003 	return;
17004 
17005  nla_put_failure:
17006 	nlmsg_free(msg);
17007 }
17008 
17009 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
17010 					const u8 *ie, u8 ie_len,
17011 					int sig_dbm, gfp_t gfp)
17012 {
17013 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17014 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17015 	struct sk_buff *msg;
17016 	void *hdr;
17017 
17018 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
17019 		return;
17020 
17021 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
17022 
17023 	msg = nlmsg_new(100 + ie_len, gfp);
17024 	if (!msg)
17025 		return;
17026 
17027 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
17028 	if (!hdr) {
17029 		nlmsg_free(msg);
17030 		return;
17031 	}
17032 
17033 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17034 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17035 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
17036 	    (ie_len && ie &&
17037 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
17038 	    (sig_dbm &&
17039 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
17040 		goto nla_put_failure;
17041 
17042 	genlmsg_end(msg, hdr);
17043 
17044 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17045 				NL80211_MCGRP_MLME, gfp);
17046 	return;
17047 
17048  nla_put_failure:
17049 	nlmsg_free(msg);
17050 }
17051 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
17052 
17053 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
17054 				 struct net_device *netdev, const u8 *addr,
17055 				 enum nl80211_key_type key_type, int key_id,
17056 				 const u8 *tsc, gfp_t gfp)
17057 {
17058 	struct sk_buff *msg;
17059 	void *hdr;
17060 
17061 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17062 	if (!msg)
17063 		return;
17064 
17065 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
17066 	if (!hdr) {
17067 		nlmsg_free(msg);
17068 		return;
17069 	}
17070 
17071 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17072 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17073 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
17074 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
17075 	    (key_id != -1 &&
17076 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
17077 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
17078 		goto nla_put_failure;
17079 
17080 	genlmsg_end(msg, hdr);
17081 
17082 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17083 				NL80211_MCGRP_MLME, gfp);
17084 	return;
17085 
17086  nla_put_failure:
17087 	nlmsg_free(msg);
17088 }
17089 
17090 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
17091 				    struct ieee80211_channel *channel_before,
17092 				    struct ieee80211_channel *channel_after)
17093 {
17094 	struct sk_buff *msg;
17095 	void *hdr;
17096 	struct nlattr *nl_freq;
17097 
17098 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
17099 	if (!msg)
17100 		return;
17101 
17102 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
17103 	if (!hdr) {
17104 		nlmsg_free(msg);
17105 		return;
17106 	}
17107 
17108 	/*
17109 	 * Since we are applying the beacon hint to a wiphy we know its
17110 	 * wiphy_idx is valid
17111 	 */
17112 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
17113 		goto nla_put_failure;
17114 
17115 	/* Before */
17116 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
17117 	if (!nl_freq)
17118 		goto nla_put_failure;
17119 
17120 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
17121 		goto nla_put_failure;
17122 	nla_nest_end(msg, nl_freq);
17123 
17124 	/* After */
17125 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
17126 	if (!nl_freq)
17127 		goto nla_put_failure;
17128 
17129 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
17130 		goto nla_put_failure;
17131 	nla_nest_end(msg, nl_freq);
17132 
17133 	genlmsg_end(msg, hdr);
17134 
17135 	rcu_read_lock();
17136 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
17137 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
17138 	rcu_read_unlock();
17139 
17140 	return;
17141 
17142 nla_put_failure:
17143 	nlmsg_free(msg);
17144 }
17145 
17146 static void nl80211_send_remain_on_chan_event(
17147 	int cmd, struct cfg80211_registered_device *rdev,
17148 	struct wireless_dev *wdev, u64 cookie,
17149 	struct ieee80211_channel *chan,
17150 	unsigned int duration, gfp_t gfp)
17151 {
17152 	struct sk_buff *msg;
17153 	void *hdr;
17154 
17155 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17156 	if (!msg)
17157 		return;
17158 
17159 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17160 	if (!hdr) {
17161 		nlmsg_free(msg);
17162 		return;
17163 	}
17164 
17165 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17166 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17167 					 wdev->netdev->ifindex)) ||
17168 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17169 			      NL80211_ATTR_PAD) ||
17170 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
17171 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
17172 			NL80211_CHAN_NO_HT) ||
17173 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17174 			      NL80211_ATTR_PAD))
17175 		goto nla_put_failure;
17176 
17177 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
17178 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
17179 		goto nla_put_failure;
17180 
17181 	genlmsg_end(msg, hdr);
17182 
17183 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17184 				NL80211_MCGRP_MLME, gfp);
17185 	return;
17186 
17187  nla_put_failure:
17188 	nlmsg_free(msg);
17189 }
17190 
17191 void cfg80211_assoc_comeback(struct net_device *netdev,
17192 			     struct cfg80211_bss *bss, u32 timeout)
17193 {
17194 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
17195 	struct wiphy *wiphy = wdev->wiphy;
17196 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17197 	struct sk_buff *msg;
17198 	void *hdr;
17199 
17200 	trace_cfg80211_assoc_comeback(wdev, bss->bssid, timeout);
17201 
17202 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17203 	if (!msg)
17204 		return;
17205 
17206 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
17207 	if (!hdr) {
17208 		nlmsg_free(msg);
17209 		return;
17210 	}
17211 
17212 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17213 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17214 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bss->bssid) ||
17215 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
17216 		goto nla_put_failure;
17217 
17218 	genlmsg_end(msg, hdr);
17219 
17220 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17221 				NL80211_MCGRP_MLME, GFP_KERNEL);
17222 	return;
17223 
17224  nla_put_failure:
17225 	nlmsg_free(msg);
17226 }
17227 EXPORT_SYMBOL(cfg80211_assoc_comeback);
17228 
17229 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
17230 			       struct ieee80211_channel *chan,
17231 			       unsigned int duration, gfp_t gfp)
17232 {
17233 	struct wiphy *wiphy = wdev->wiphy;
17234 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17235 
17236 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
17237 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
17238 					  rdev, wdev, cookie, chan,
17239 					  duration, gfp);
17240 }
17241 EXPORT_SYMBOL(cfg80211_ready_on_channel);
17242 
17243 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
17244 					struct ieee80211_channel *chan,
17245 					gfp_t gfp)
17246 {
17247 	struct wiphy *wiphy = wdev->wiphy;
17248 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17249 
17250 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
17251 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
17252 					  rdev, wdev, cookie, chan, 0, gfp);
17253 }
17254 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
17255 
17256 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
17257 					struct ieee80211_channel *chan,
17258 					gfp_t gfp)
17259 {
17260 	struct wiphy *wiphy = wdev->wiphy;
17261 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17262 
17263 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
17264 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
17265 					  rdev, wdev, cookie, chan, 0, gfp);
17266 }
17267 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
17268 
17269 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
17270 		      struct station_info *sinfo, gfp_t gfp)
17271 {
17272 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17273 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17274 	struct sk_buff *msg;
17275 
17276 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
17277 
17278 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17279 	if (!msg)
17280 		return;
17281 
17282 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
17283 				 rdev, dev, mac_addr, sinfo) < 0) {
17284 		nlmsg_free(msg);
17285 		return;
17286 	}
17287 
17288 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17289 				NL80211_MCGRP_MLME, gfp);
17290 }
17291 EXPORT_SYMBOL(cfg80211_new_sta);
17292 
17293 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
17294 			    struct station_info *sinfo, gfp_t gfp)
17295 {
17296 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17297 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17298 	struct sk_buff *msg;
17299 	struct station_info empty_sinfo = {};
17300 
17301 	if (!sinfo)
17302 		sinfo = &empty_sinfo;
17303 
17304 	trace_cfg80211_del_sta(dev, mac_addr);
17305 
17306 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17307 	if (!msg) {
17308 		cfg80211_sinfo_release_content(sinfo);
17309 		return;
17310 	}
17311 
17312 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
17313 				 rdev, dev, mac_addr, sinfo) < 0) {
17314 		nlmsg_free(msg);
17315 		return;
17316 	}
17317 
17318 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17319 				NL80211_MCGRP_MLME, gfp);
17320 }
17321 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
17322 
17323 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
17324 			  enum nl80211_connect_failed_reason reason,
17325 			  gfp_t gfp)
17326 {
17327 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17328 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17329 	struct sk_buff *msg;
17330 	void *hdr;
17331 
17332 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
17333 	if (!msg)
17334 		return;
17335 
17336 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
17337 	if (!hdr) {
17338 		nlmsg_free(msg);
17339 		return;
17340 	}
17341 
17342 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17343 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
17344 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
17345 		goto nla_put_failure;
17346 
17347 	genlmsg_end(msg, hdr);
17348 
17349 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17350 				NL80211_MCGRP_MLME, gfp);
17351 	return;
17352 
17353  nla_put_failure:
17354 	nlmsg_free(msg);
17355 }
17356 EXPORT_SYMBOL(cfg80211_conn_failed);
17357 
17358 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
17359 				       const u8 *addr, gfp_t gfp)
17360 {
17361 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17362 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17363 	struct sk_buff *msg;
17364 	void *hdr;
17365 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
17366 
17367 	if (!nlportid)
17368 		return false;
17369 
17370 	msg = nlmsg_new(100, gfp);
17371 	if (!msg)
17372 		return true;
17373 
17374 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17375 	if (!hdr) {
17376 		nlmsg_free(msg);
17377 		return true;
17378 	}
17379 
17380 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17381 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17382 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
17383 		goto nla_put_failure;
17384 
17385 	genlmsg_end(msg, hdr);
17386 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17387 	return true;
17388 
17389  nla_put_failure:
17390 	nlmsg_free(msg);
17391 	return true;
17392 }
17393 
17394 bool cfg80211_rx_spurious_frame(struct net_device *dev,
17395 				const u8 *addr, gfp_t gfp)
17396 {
17397 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17398 	bool ret;
17399 
17400 	trace_cfg80211_rx_spurious_frame(dev, addr);
17401 
17402 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
17403 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
17404 		trace_cfg80211_return_bool(false);
17405 		return false;
17406 	}
17407 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
17408 					 addr, gfp);
17409 	trace_cfg80211_return_bool(ret);
17410 	return ret;
17411 }
17412 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
17413 
17414 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
17415 					const u8 *addr, gfp_t gfp)
17416 {
17417 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17418 	bool ret;
17419 
17420 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
17421 
17422 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
17423 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
17424 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
17425 		trace_cfg80211_return_bool(false);
17426 		return false;
17427 	}
17428 	ret = __nl80211_unexpected_frame(dev,
17429 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
17430 					 addr, gfp);
17431 	trace_cfg80211_return_bool(ret);
17432 	return ret;
17433 }
17434 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
17435 
17436 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
17437 		      struct wireless_dev *wdev, u32 nlportid,
17438 		      int freq, int sig_dbm,
17439 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
17440 {
17441 	struct net_device *netdev = wdev->netdev;
17442 	struct sk_buff *msg;
17443 	void *hdr;
17444 
17445 	msg = nlmsg_new(100 + len, gfp);
17446 	if (!msg)
17447 		return -ENOMEM;
17448 
17449 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
17450 	if (!hdr) {
17451 		nlmsg_free(msg);
17452 		return -ENOMEM;
17453 	}
17454 
17455 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17456 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17457 					netdev->ifindex)) ||
17458 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17459 			      NL80211_ATTR_PAD) ||
17460 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(freq)) ||
17461 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, freq % 1000) ||
17462 	    (sig_dbm &&
17463 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
17464 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17465 	    (flags &&
17466 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
17467 		goto nla_put_failure;
17468 
17469 	genlmsg_end(msg, hdr);
17470 
17471 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17472 
17473  nla_put_failure:
17474 	nlmsg_free(msg);
17475 	return -ENOBUFS;
17476 }
17477 
17478 static void nl80211_frame_tx_status(struct wireless_dev *wdev, u64 cookie,
17479 				    const u8 *buf, size_t len, bool ack,
17480 				    gfp_t gfp, enum nl80211_commands command)
17481 {
17482 	struct wiphy *wiphy = wdev->wiphy;
17483 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17484 	struct net_device *netdev = wdev->netdev;
17485 	struct sk_buff *msg;
17486 	void *hdr;
17487 
17488 	if (command == NL80211_CMD_FRAME_TX_STATUS)
17489 		trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
17490 	else
17491 		trace_cfg80211_control_port_tx_status(wdev, cookie, ack);
17492 
17493 	msg = nlmsg_new(100 + len, gfp);
17494 	if (!msg)
17495 		return;
17496 
17497 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
17498 	if (!hdr) {
17499 		nlmsg_free(msg);
17500 		return;
17501 	}
17502 
17503 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17504 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17505 				   netdev->ifindex)) ||
17506 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17507 			      NL80211_ATTR_PAD) ||
17508 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17509 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17510 			      NL80211_ATTR_PAD) ||
17511 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
17512 		goto nla_put_failure;
17513 
17514 	genlmsg_end(msg, hdr);
17515 
17516 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17517 				NL80211_MCGRP_MLME, gfp);
17518 	return;
17519 
17520 nla_put_failure:
17521 	nlmsg_free(msg);
17522 }
17523 
17524 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
17525 				     const u8 *buf, size_t len, bool ack,
17526 				     gfp_t gfp)
17527 {
17528 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
17529 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
17530 }
17531 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
17532 
17533 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
17534 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
17535 {
17536 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
17537 				NL80211_CMD_FRAME_TX_STATUS);
17538 }
17539 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
17540 
17541 static int __nl80211_rx_control_port(struct net_device *dev,
17542 				     struct sk_buff *skb,
17543 				     bool unencrypted, gfp_t gfp)
17544 {
17545 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17546 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17547 	struct ethhdr *ehdr = eth_hdr(skb);
17548 	const u8 *addr = ehdr->h_source;
17549 	u16 proto = be16_to_cpu(skb->protocol);
17550 	struct sk_buff *msg;
17551 	void *hdr;
17552 	struct nlattr *frame;
17553 
17554 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
17555 
17556 	if (!nlportid)
17557 		return -ENOENT;
17558 
17559 	msg = nlmsg_new(100 + skb->len, gfp);
17560 	if (!msg)
17561 		return -ENOMEM;
17562 
17563 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
17564 	if (!hdr) {
17565 		nlmsg_free(msg);
17566 		return -ENOBUFS;
17567 	}
17568 
17569 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17570 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17571 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17572 			      NL80211_ATTR_PAD) ||
17573 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
17574 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
17575 	    (unencrypted && nla_put_flag(msg,
17576 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
17577 		goto nla_put_failure;
17578 
17579 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
17580 	if (!frame)
17581 		goto nla_put_failure;
17582 
17583 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
17584 	genlmsg_end(msg, hdr);
17585 
17586 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17587 
17588  nla_put_failure:
17589 	nlmsg_free(msg);
17590 	return -ENOBUFS;
17591 }
17592 
17593 bool cfg80211_rx_control_port(struct net_device *dev,
17594 			      struct sk_buff *skb, bool unencrypted)
17595 {
17596 	int ret;
17597 
17598 	trace_cfg80211_rx_control_port(dev, skb, unencrypted);
17599 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, GFP_ATOMIC);
17600 	trace_cfg80211_return_bool(ret == 0);
17601 	return ret == 0;
17602 }
17603 EXPORT_SYMBOL(cfg80211_rx_control_port);
17604 
17605 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
17606 					    const char *mac, gfp_t gfp)
17607 {
17608 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17609 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17610 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17611 	void **cb;
17612 
17613 	if (!msg)
17614 		return NULL;
17615 
17616 	cb = (void **)msg->cb;
17617 
17618 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
17619 	if (!cb[0]) {
17620 		nlmsg_free(msg);
17621 		return NULL;
17622 	}
17623 
17624 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17625 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17626 		goto nla_put_failure;
17627 
17628 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
17629 		goto nla_put_failure;
17630 
17631 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
17632 	if (!cb[1])
17633 		goto nla_put_failure;
17634 
17635 	cb[2] = rdev;
17636 
17637 	return msg;
17638  nla_put_failure:
17639 	nlmsg_free(msg);
17640 	return NULL;
17641 }
17642 
17643 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
17644 {
17645 	void **cb = (void **)msg->cb;
17646 	struct cfg80211_registered_device *rdev = cb[2];
17647 
17648 	nla_nest_end(msg, cb[1]);
17649 	genlmsg_end(msg, cb[0]);
17650 
17651 	memset(msg->cb, 0, sizeof(msg->cb));
17652 
17653 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17654 				NL80211_MCGRP_MLME, gfp);
17655 }
17656 
17657 void cfg80211_cqm_rssi_notify(struct net_device *dev,
17658 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
17659 			      s32 rssi_level, gfp_t gfp)
17660 {
17661 	struct sk_buff *msg;
17662 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17663 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17664 
17665 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
17666 
17667 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
17668 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
17669 		return;
17670 
17671 	if (wdev->cqm_config) {
17672 		wdev->cqm_config->last_rssi_event_value = rssi_level;
17673 
17674 		cfg80211_cqm_rssi_update(rdev, dev);
17675 
17676 		if (rssi_level == 0)
17677 			rssi_level = wdev->cqm_config->last_rssi_event_value;
17678 	}
17679 
17680 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
17681 	if (!msg)
17682 		return;
17683 
17684 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
17685 			rssi_event))
17686 		goto nla_put_failure;
17687 
17688 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
17689 				      rssi_level))
17690 		goto nla_put_failure;
17691 
17692 	cfg80211_send_cqm(msg, gfp);
17693 
17694 	return;
17695 
17696  nla_put_failure:
17697 	nlmsg_free(msg);
17698 }
17699 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
17700 
17701 void cfg80211_cqm_txe_notify(struct net_device *dev,
17702 			     const u8 *peer, u32 num_packets,
17703 			     u32 rate, u32 intvl, gfp_t gfp)
17704 {
17705 	struct sk_buff *msg;
17706 
17707 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
17708 	if (!msg)
17709 		return;
17710 
17711 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
17712 		goto nla_put_failure;
17713 
17714 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
17715 		goto nla_put_failure;
17716 
17717 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
17718 		goto nla_put_failure;
17719 
17720 	cfg80211_send_cqm(msg, gfp);
17721 	return;
17722 
17723  nla_put_failure:
17724 	nlmsg_free(msg);
17725 }
17726 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
17727 
17728 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
17729 				 const u8 *peer, u32 num_packets, gfp_t gfp)
17730 {
17731 	struct sk_buff *msg;
17732 
17733 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
17734 
17735 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
17736 	if (!msg)
17737 		return;
17738 
17739 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
17740 		goto nla_put_failure;
17741 
17742 	cfg80211_send_cqm(msg, gfp);
17743 	return;
17744 
17745  nla_put_failure:
17746 	nlmsg_free(msg);
17747 }
17748 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
17749 
17750 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
17751 {
17752 	struct sk_buff *msg;
17753 
17754 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
17755 	if (!msg)
17756 		return;
17757 
17758 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
17759 		goto nla_put_failure;
17760 
17761 	cfg80211_send_cqm(msg, gfp);
17762 	return;
17763 
17764  nla_put_failure:
17765 	nlmsg_free(msg);
17766 }
17767 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
17768 
17769 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
17770 				     struct net_device *netdev, const u8 *bssid,
17771 				     const u8 *replay_ctr, gfp_t gfp)
17772 {
17773 	struct sk_buff *msg;
17774 	struct nlattr *rekey_attr;
17775 	void *hdr;
17776 
17777 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17778 	if (!msg)
17779 		return;
17780 
17781 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
17782 	if (!hdr) {
17783 		nlmsg_free(msg);
17784 		return;
17785 	}
17786 
17787 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17788 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17789 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
17790 		goto nla_put_failure;
17791 
17792 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
17793 	if (!rekey_attr)
17794 		goto nla_put_failure;
17795 
17796 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
17797 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
17798 		goto nla_put_failure;
17799 
17800 	nla_nest_end(msg, rekey_attr);
17801 
17802 	genlmsg_end(msg, hdr);
17803 
17804 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17805 				NL80211_MCGRP_MLME, gfp);
17806 	return;
17807 
17808  nla_put_failure:
17809 	nlmsg_free(msg);
17810 }
17811 
17812 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
17813 			       const u8 *replay_ctr, gfp_t gfp)
17814 {
17815 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17816 	struct wiphy *wiphy = wdev->wiphy;
17817 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17818 
17819 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
17820 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
17821 }
17822 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
17823 
17824 static void
17825 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
17826 			       struct net_device *netdev, int index,
17827 			       const u8 *bssid, bool preauth, gfp_t gfp)
17828 {
17829 	struct sk_buff *msg;
17830 	struct nlattr *attr;
17831 	void *hdr;
17832 
17833 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17834 	if (!msg)
17835 		return;
17836 
17837 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
17838 	if (!hdr) {
17839 		nlmsg_free(msg);
17840 		return;
17841 	}
17842 
17843 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17844 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
17845 		goto nla_put_failure;
17846 
17847 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
17848 	if (!attr)
17849 		goto nla_put_failure;
17850 
17851 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
17852 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
17853 	    (preauth &&
17854 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
17855 		goto nla_put_failure;
17856 
17857 	nla_nest_end(msg, attr);
17858 
17859 	genlmsg_end(msg, hdr);
17860 
17861 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17862 				NL80211_MCGRP_MLME, gfp);
17863 	return;
17864 
17865  nla_put_failure:
17866 	nlmsg_free(msg);
17867 }
17868 
17869 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
17870 				     const u8 *bssid, bool preauth, gfp_t gfp)
17871 {
17872 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17873 	struct wiphy *wiphy = wdev->wiphy;
17874 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17875 
17876 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
17877 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
17878 }
17879 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
17880 
17881 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
17882 				     struct net_device *netdev,
17883 				     struct cfg80211_chan_def *chandef,
17884 				     gfp_t gfp,
17885 				     enum nl80211_commands notif,
17886 				     u8 count, bool quiet)
17887 {
17888 	struct sk_buff *msg;
17889 	void *hdr;
17890 
17891 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17892 	if (!msg)
17893 		return;
17894 
17895 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
17896 	if (!hdr) {
17897 		nlmsg_free(msg);
17898 		return;
17899 	}
17900 
17901 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
17902 		goto nla_put_failure;
17903 
17904 	if (nl80211_send_chandef(msg, chandef))
17905 		goto nla_put_failure;
17906 
17907 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
17908 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
17909 			goto nla_put_failure;
17910 		if (quiet &&
17911 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
17912 			goto nla_put_failure;
17913 	}
17914 
17915 	genlmsg_end(msg, hdr);
17916 
17917 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17918 				NL80211_MCGRP_MLME, gfp);
17919 	return;
17920 
17921  nla_put_failure:
17922 	nlmsg_free(msg);
17923 }
17924 
17925 void cfg80211_ch_switch_notify(struct net_device *dev,
17926 			       struct cfg80211_chan_def *chandef)
17927 {
17928 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17929 	struct wiphy *wiphy = wdev->wiphy;
17930 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17931 
17932 	ASSERT_WDEV_LOCK(wdev);
17933 
17934 	trace_cfg80211_ch_switch_notify(dev, chandef);
17935 
17936 	wdev->chandef = *chandef;
17937 	wdev->preset_chandef = *chandef;
17938 
17939 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
17940 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
17941 	    !WARN_ON(!wdev->current_bss))
17942 		cfg80211_update_assoc_bss_entry(wdev, chandef->chan);
17943 
17944 	cfg80211_sched_dfs_chan_update(rdev);
17945 
17946 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
17947 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
17948 }
17949 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
17950 
17951 void cfg80211_ch_switch_started_notify(struct net_device *dev,
17952 				       struct cfg80211_chan_def *chandef,
17953 				       u8 count, bool quiet)
17954 {
17955 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17956 	struct wiphy *wiphy = wdev->wiphy;
17957 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17958 
17959 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
17960 
17961 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
17962 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
17963 				 count, quiet);
17964 }
17965 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
17966 
17967 int cfg80211_bss_color_notify(struct net_device *dev, gfp_t gfp,
17968 			      enum nl80211_commands cmd, u8 count,
17969 			      u64 color_bitmap)
17970 {
17971 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17972 	struct wiphy *wiphy = wdev->wiphy;
17973 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17974 	struct sk_buff *msg;
17975 	void *hdr;
17976 
17977 	ASSERT_WDEV_LOCK(wdev);
17978 
17979 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
17980 
17981 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17982 	if (!msg)
17983 		return -ENOMEM;
17984 
17985 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17986 	if (!hdr)
17987 		goto nla_put_failure;
17988 
17989 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17990 		goto nla_put_failure;
17991 
17992 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
17993 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
17994 		goto nla_put_failure;
17995 
17996 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
17997 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
17998 			      color_bitmap, NL80211_ATTR_PAD))
17999 		goto nla_put_failure;
18000 
18001 	genlmsg_end(msg, hdr);
18002 
18003 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
18004 				       msg, 0, NL80211_MCGRP_MLME, gfp);
18005 
18006 nla_put_failure:
18007 	nlmsg_free(msg);
18008 	return -EINVAL;
18009 }
18010 EXPORT_SYMBOL(cfg80211_bss_color_notify);
18011 
18012 void
18013 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
18014 		     const struct cfg80211_chan_def *chandef,
18015 		     enum nl80211_radar_event event,
18016 		     struct net_device *netdev, gfp_t gfp)
18017 {
18018 	struct sk_buff *msg;
18019 	void *hdr;
18020 
18021 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18022 	if (!msg)
18023 		return;
18024 
18025 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
18026 	if (!hdr) {
18027 		nlmsg_free(msg);
18028 		return;
18029 	}
18030 
18031 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
18032 		goto nla_put_failure;
18033 
18034 	/* NOP and radar events don't need a netdev parameter */
18035 	if (netdev) {
18036 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
18037 
18038 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18039 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18040 				      NL80211_ATTR_PAD))
18041 			goto nla_put_failure;
18042 	}
18043 
18044 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
18045 		goto nla_put_failure;
18046 
18047 	if (nl80211_send_chandef(msg, chandef))
18048 		goto nla_put_failure;
18049 
18050 	genlmsg_end(msg, hdr);
18051 
18052 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18053 				NL80211_MCGRP_MLME, gfp);
18054 	return;
18055 
18056  nla_put_failure:
18057 	nlmsg_free(msg);
18058 }
18059 
18060 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
18061 				       struct sta_opmode_info *sta_opmode,
18062 				       gfp_t gfp)
18063 {
18064 	struct sk_buff *msg;
18065 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18066 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18067 	void *hdr;
18068 
18069 	if (WARN_ON(!mac))
18070 		return;
18071 
18072 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18073 	if (!msg)
18074 		return;
18075 
18076 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
18077 	if (!hdr) {
18078 		nlmsg_free(msg);
18079 		return;
18080 	}
18081 
18082 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
18083 		goto nla_put_failure;
18084 
18085 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18086 		goto nla_put_failure;
18087 
18088 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
18089 		goto nla_put_failure;
18090 
18091 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
18092 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
18093 		goto nla_put_failure;
18094 
18095 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
18096 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
18097 		goto nla_put_failure;
18098 
18099 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
18100 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
18101 		goto nla_put_failure;
18102 
18103 	genlmsg_end(msg, hdr);
18104 
18105 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18106 				NL80211_MCGRP_MLME, gfp);
18107 
18108 	return;
18109 
18110 nla_put_failure:
18111 	nlmsg_free(msg);
18112 }
18113 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
18114 
18115 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
18116 			   u64 cookie, bool acked, s32 ack_signal,
18117 			   bool is_valid_ack_signal, gfp_t gfp)
18118 {
18119 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18120 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18121 	struct sk_buff *msg;
18122 	void *hdr;
18123 
18124 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
18125 
18126 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18127 
18128 	if (!msg)
18129 		return;
18130 
18131 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
18132 	if (!hdr) {
18133 		nlmsg_free(msg);
18134 		return;
18135 	}
18136 
18137 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18138 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18139 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18140 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
18141 			      NL80211_ATTR_PAD) ||
18142 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
18143 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
18144 						ack_signal)))
18145 		goto nla_put_failure;
18146 
18147 	genlmsg_end(msg, hdr);
18148 
18149 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18150 				NL80211_MCGRP_MLME, gfp);
18151 	return;
18152 
18153  nla_put_failure:
18154 	nlmsg_free(msg);
18155 }
18156 EXPORT_SYMBOL(cfg80211_probe_status);
18157 
18158 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
18159 				     size_t len, int freq, int sig_dbm)
18160 {
18161 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18162 	struct sk_buff *msg;
18163 	void *hdr;
18164 	struct cfg80211_beacon_registration *reg;
18165 
18166 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
18167 
18168 	spin_lock_bh(&rdev->beacon_registrations_lock);
18169 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
18170 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
18171 		if (!msg) {
18172 			spin_unlock_bh(&rdev->beacon_registrations_lock);
18173 			return;
18174 		}
18175 
18176 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
18177 		if (!hdr)
18178 			goto nla_put_failure;
18179 
18180 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18181 		    (freq &&
18182 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
18183 				  KHZ_TO_MHZ(freq)) ||
18184 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
18185 				  freq % 1000))) ||
18186 		    (sig_dbm &&
18187 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
18188 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
18189 			goto nla_put_failure;
18190 
18191 		genlmsg_end(msg, hdr);
18192 
18193 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
18194 	}
18195 	spin_unlock_bh(&rdev->beacon_registrations_lock);
18196 	return;
18197 
18198  nla_put_failure:
18199 	spin_unlock_bh(&rdev->beacon_registrations_lock);
18200 	nlmsg_free(msg);
18201 }
18202 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
18203 
18204 #ifdef CONFIG_PM
18205 static int cfg80211_net_detect_results(struct sk_buff *msg,
18206 				       struct cfg80211_wowlan_wakeup *wakeup)
18207 {
18208 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
18209 	struct nlattr *nl_results, *nl_match, *nl_freqs;
18210 	int i, j;
18211 
18212 	nl_results = nla_nest_start_noflag(msg,
18213 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
18214 	if (!nl_results)
18215 		return -EMSGSIZE;
18216 
18217 	for (i = 0; i < nd->n_matches; i++) {
18218 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
18219 
18220 		nl_match = nla_nest_start_noflag(msg, i);
18221 		if (!nl_match)
18222 			break;
18223 
18224 		/* The SSID attribute is optional in nl80211, but for
18225 		 * simplicity reasons it's always present in the
18226 		 * cfg80211 structure.  If a driver can't pass the
18227 		 * SSID, that needs to be changed.  A zero length SSID
18228 		 * is still a valid SSID (wildcard), so it cannot be
18229 		 * used for this purpose.
18230 		 */
18231 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
18232 			    match->ssid.ssid)) {
18233 			nla_nest_cancel(msg, nl_match);
18234 			goto out;
18235 		}
18236 
18237 		if (match->n_channels) {
18238 			nl_freqs = nla_nest_start_noflag(msg,
18239 							 NL80211_ATTR_SCAN_FREQUENCIES);
18240 			if (!nl_freqs) {
18241 				nla_nest_cancel(msg, nl_match);
18242 				goto out;
18243 			}
18244 
18245 			for (j = 0; j < match->n_channels; j++) {
18246 				if (nla_put_u32(msg, j, match->channels[j])) {
18247 					nla_nest_cancel(msg, nl_freqs);
18248 					nla_nest_cancel(msg, nl_match);
18249 					goto out;
18250 				}
18251 			}
18252 
18253 			nla_nest_end(msg, nl_freqs);
18254 		}
18255 
18256 		nla_nest_end(msg, nl_match);
18257 	}
18258 
18259 out:
18260 	nla_nest_end(msg, nl_results);
18261 	return 0;
18262 }
18263 
18264 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
18265 				   struct cfg80211_wowlan_wakeup *wakeup,
18266 				   gfp_t gfp)
18267 {
18268 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18269 	struct sk_buff *msg;
18270 	void *hdr;
18271 	int size = 200;
18272 
18273 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
18274 
18275 	if (wakeup)
18276 		size += wakeup->packet_present_len;
18277 
18278 	msg = nlmsg_new(size, gfp);
18279 	if (!msg)
18280 		return;
18281 
18282 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
18283 	if (!hdr)
18284 		goto free_msg;
18285 
18286 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18287 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18288 			      NL80211_ATTR_PAD))
18289 		goto free_msg;
18290 
18291 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18292 					wdev->netdev->ifindex))
18293 		goto free_msg;
18294 
18295 	if (wakeup) {
18296 		struct nlattr *reasons;
18297 
18298 		reasons = nla_nest_start_noflag(msg,
18299 						NL80211_ATTR_WOWLAN_TRIGGERS);
18300 		if (!reasons)
18301 			goto free_msg;
18302 
18303 		if (wakeup->disconnect &&
18304 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
18305 			goto free_msg;
18306 		if (wakeup->magic_pkt &&
18307 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
18308 			goto free_msg;
18309 		if (wakeup->gtk_rekey_failure &&
18310 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
18311 			goto free_msg;
18312 		if (wakeup->eap_identity_req &&
18313 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
18314 			goto free_msg;
18315 		if (wakeup->four_way_handshake &&
18316 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
18317 			goto free_msg;
18318 		if (wakeup->rfkill_release &&
18319 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
18320 			goto free_msg;
18321 
18322 		if (wakeup->pattern_idx >= 0 &&
18323 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
18324 				wakeup->pattern_idx))
18325 			goto free_msg;
18326 
18327 		if (wakeup->tcp_match &&
18328 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
18329 			goto free_msg;
18330 
18331 		if (wakeup->tcp_connlost &&
18332 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
18333 			goto free_msg;
18334 
18335 		if (wakeup->tcp_nomoretokens &&
18336 		    nla_put_flag(msg,
18337 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
18338 			goto free_msg;
18339 
18340 		if (wakeup->packet) {
18341 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
18342 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
18343 
18344 			if (!wakeup->packet_80211) {
18345 				pkt_attr =
18346 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
18347 				len_attr =
18348 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
18349 			}
18350 
18351 			if (wakeup->packet_len &&
18352 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
18353 				goto free_msg;
18354 
18355 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
18356 				    wakeup->packet))
18357 				goto free_msg;
18358 		}
18359 
18360 		if (wakeup->net_detect &&
18361 		    cfg80211_net_detect_results(msg, wakeup))
18362 				goto free_msg;
18363 
18364 		nla_nest_end(msg, reasons);
18365 	}
18366 
18367 	genlmsg_end(msg, hdr);
18368 
18369 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18370 				NL80211_MCGRP_MLME, gfp);
18371 	return;
18372 
18373  free_msg:
18374 	nlmsg_free(msg);
18375 }
18376 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
18377 #endif
18378 
18379 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
18380 				enum nl80211_tdls_operation oper,
18381 				u16 reason_code, gfp_t gfp)
18382 {
18383 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18384 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18385 	struct sk_buff *msg;
18386 	void *hdr;
18387 
18388 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
18389 					 reason_code);
18390 
18391 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18392 	if (!msg)
18393 		return;
18394 
18395 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
18396 	if (!hdr) {
18397 		nlmsg_free(msg);
18398 		return;
18399 	}
18400 
18401 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18402 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18403 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
18404 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
18405 	    (reason_code > 0 &&
18406 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
18407 		goto nla_put_failure;
18408 
18409 	genlmsg_end(msg, hdr);
18410 
18411 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18412 				NL80211_MCGRP_MLME, gfp);
18413 	return;
18414 
18415  nla_put_failure:
18416 	nlmsg_free(msg);
18417 }
18418 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
18419 
18420 static int nl80211_netlink_notify(struct notifier_block * nb,
18421 				  unsigned long state,
18422 				  void *_notify)
18423 {
18424 	struct netlink_notify *notify = _notify;
18425 	struct cfg80211_registered_device *rdev;
18426 	struct wireless_dev *wdev;
18427 	struct cfg80211_beacon_registration *reg, *tmp;
18428 
18429 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
18430 		return NOTIFY_DONE;
18431 
18432 	rcu_read_lock();
18433 
18434 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
18435 		struct cfg80211_sched_scan_request *sched_scan_req;
18436 
18437 		list_for_each_entry_rcu(sched_scan_req,
18438 					&rdev->sched_scan_req_list,
18439 					list) {
18440 			if (sched_scan_req->owner_nlportid == notify->portid) {
18441 				sched_scan_req->nl_owner_dead = true;
18442 				schedule_work(&rdev->sched_scan_stop_wk);
18443 			}
18444 		}
18445 
18446 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
18447 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
18448 
18449 			if (wdev->owner_nlportid == notify->portid) {
18450 				wdev->nl_owner_dead = true;
18451 				schedule_work(&rdev->destroy_work);
18452 			} else if (wdev->conn_owner_nlportid == notify->portid) {
18453 				schedule_work(&wdev->disconnect_wk);
18454 			}
18455 
18456 			cfg80211_release_pmsr(wdev, notify->portid);
18457 		}
18458 
18459 		spin_lock_bh(&rdev->beacon_registrations_lock);
18460 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
18461 					 list) {
18462 			if (reg->nlportid == notify->portid) {
18463 				list_del(&reg->list);
18464 				kfree(reg);
18465 				break;
18466 			}
18467 		}
18468 		spin_unlock_bh(&rdev->beacon_registrations_lock);
18469 	}
18470 
18471 	rcu_read_unlock();
18472 
18473 	/*
18474 	 * It is possible that the user space process that is controlling the
18475 	 * indoor setting disappeared, so notify the regulatory core.
18476 	 */
18477 	regulatory_netlink_notify(notify->portid);
18478 	return NOTIFY_OK;
18479 }
18480 
18481 static struct notifier_block nl80211_netlink_notifier = {
18482 	.notifier_call = nl80211_netlink_notify,
18483 };
18484 
18485 void cfg80211_ft_event(struct net_device *netdev,
18486 		       struct cfg80211_ft_event_params *ft_event)
18487 {
18488 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
18489 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18490 	struct sk_buff *msg;
18491 	void *hdr;
18492 
18493 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
18494 
18495 	if (!ft_event->target_ap)
18496 		return;
18497 
18498 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
18499 			GFP_KERNEL);
18500 	if (!msg)
18501 		return;
18502 
18503 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
18504 	if (!hdr)
18505 		goto out;
18506 
18507 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18508 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18509 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
18510 		goto out;
18511 
18512 	if (ft_event->ies &&
18513 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
18514 		goto out;
18515 	if (ft_event->ric_ies &&
18516 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
18517 		    ft_event->ric_ies))
18518 		goto out;
18519 
18520 	genlmsg_end(msg, hdr);
18521 
18522 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18523 				NL80211_MCGRP_MLME, GFP_KERNEL);
18524 	return;
18525  out:
18526 	nlmsg_free(msg);
18527 }
18528 EXPORT_SYMBOL(cfg80211_ft_event);
18529 
18530 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
18531 {
18532 	struct cfg80211_registered_device *rdev;
18533 	struct sk_buff *msg;
18534 	void *hdr;
18535 	u32 nlportid;
18536 
18537 	rdev = wiphy_to_rdev(wdev->wiphy);
18538 	if (!rdev->crit_proto_nlportid)
18539 		return;
18540 
18541 	nlportid = rdev->crit_proto_nlportid;
18542 	rdev->crit_proto_nlportid = 0;
18543 
18544 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18545 	if (!msg)
18546 		return;
18547 
18548 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
18549 	if (!hdr)
18550 		goto nla_put_failure;
18551 
18552 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18553 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18554 			      NL80211_ATTR_PAD))
18555 		goto nla_put_failure;
18556 
18557 	genlmsg_end(msg, hdr);
18558 
18559 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18560 	return;
18561 
18562  nla_put_failure:
18563 	nlmsg_free(msg);
18564 }
18565 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
18566 
18567 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
18568 {
18569 	struct wiphy *wiphy = wdev->wiphy;
18570 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18571 	struct sk_buff *msg;
18572 	void *hdr;
18573 
18574 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18575 	if (!msg)
18576 		return;
18577 
18578 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
18579 	if (!hdr)
18580 		goto out;
18581 
18582 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18583 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
18584 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18585 			      NL80211_ATTR_PAD))
18586 		goto out;
18587 
18588 	genlmsg_end(msg, hdr);
18589 
18590 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
18591 				NL80211_MCGRP_MLME, GFP_KERNEL);
18592 	return;
18593  out:
18594 	nlmsg_free(msg);
18595 }
18596 
18597 int cfg80211_external_auth_request(struct net_device *dev,
18598 				   struct cfg80211_external_auth_params *params,
18599 				   gfp_t gfp)
18600 {
18601 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18602 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18603 	struct sk_buff *msg;
18604 	void *hdr;
18605 
18606 	if (!wdev->conn_owner_nlportid)
18607 		return -EINVAL;
18608 
18609 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18610 	if (!msg)
18611 		return -ENOMEM;
18612 
18613 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
18614 	if (!hdr)
18615 		goto nla_put_failure;
18616 
18617 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18618 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18619 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
18620 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
18621 			params->action) ||
18622 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
18623 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
18624 		    params->ssid.ssid))
18625 		goto nla_put_failure;
18626 
18627 	genlmsg_end(msg, hdr);
18628 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
18629 			wdev->conn_owner_nlportid);
18630 	return 0;
18631 
18632  nla_put_failure:
18633 	nlmsg_free(msg);
18634 	return -ENOBUFS;
18635 }
18636 EXPORT_SYMBOL(cfg80211_external_auth_request);
18637 
18638 void cfg80211_update_owe_info_event(struct net_device *netdev,
18639 				    struct cfg80211_update_owe_info *owe_info,
18640 				    gfp_t gfp)
18641 {
18642 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
18643 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18644 	struct sk_buff *msg;
18645 	void *hdr;
18646 
18647 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
18648 
18649 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18650 	if (!msg)
18651 		return;
18652 
18653 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
18654 	if (!hdr)
18655 		goto nla_put_failure;
18656 
18657 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18658 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18659 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
18660 		goto nla_put_failure;
18661 
18662 	if (!owe_info->ie_len ||
18663 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
18664 		goto nla_put_failure;
18665 
18666 	genlmsg_end(msg, hdr);
18667 
18668 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18669 				NL80211_MCGRP_MLME, gfp);
18670 	return;
18671 
18672 nla_put_failure:
18673 	genlmsg_cancel(msg, hdr);
18674 	nlmsg_free(msg);
18675 }
18676 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
18677 
18678 /* initialisation/exit functions */
18679 
18680 int __init nl80211_init(void)
18681 {
18682 	int err;
18683 
18684 	err = genl_register_family(&nl80211_fam);
18685 	if (err)
18686 		return err;
18687 
18688 	err = netlink_register_notifier(&nl80211_netlink_notifier);
18689 	if (err)
18690 		goto err_out;
18691 
18692 	return 0;
18693  err_out:
18694 	genl_unregister_family(&nl80211_fam);
18695 	return err;
18696 }
18697 
18698 void nl80211_exit(void)
18699 {
18700 	netlink_unregister_notifier(&nl80211_netlink_notifier);
18701 	genl_unregister_family(&nl80211_fam);
18702 }
18703