xref: /kernel/linux/linux-5.10/net/wireless/nl80211.c (revision 8c2ecf20) 
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * This is the new netlink-based wireless configuration interface.
4 *
5 * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6 * Copyright 2013-2014  Intel Mobile Communications GmbH
7 * Copyright 2015-2017	Intel Deutschland GmbH
8 * Copyright (C) 2018-2021 Intel Corporation
9 */
10
11#include <linux/if.h>
12#include <linux/module.h>
13#include <linux/err.h>
14#include <linux/slab.h>
15#include <linux/list.h>
16#include <linux/if_ether.h>
17#include <linux/ieee80211.h>
18#include <linux/nl80211.h>
19#include <linux/rtnetlink.h>
20#include <linux/netlink.h>
21#include <linux/nospec.h>
22#include <linux/etherdevice.h>
23#include <linux/if_vlan.h>
24#include <net/net_namespace.h>
25#include <net/genetlink.h>
26#include <net/cfg80211.h>
27#include <net/sock.h>
28#include <net/inet_connection_sock.h>
29#include "core.h"
30#include "nl80211.h"
31#include "reg.h"
32#include "rdev-ops.h"
33
34static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35				   struct genl_info *info,
36				   struct cfg80211_crypto_settings *settings,
37				   int cipher_limit);
38
39/* the netlink family */
40static struct genl_family nl80211_fam;
41
42/* multicast groups */
43enum nl80211_multicast_groups {
44	NL80211_MCGRP_CONFIG,
45	NL80211_MCGRP_SCAN,
46	NL80211_MCGRP_REGULATORY,
47	NL80211_MCGRP_MLME,
48	NL80211_MCGRP_VENDOR,
49	NL80211_MCGRP_NAN,
50	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51};
52
53static const struct genl_multicast_group nl80211_mcgrps[] = {
54	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60#ifdef CONFIG_NL80211_TESTMODE
61	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62#endif
63};
64
65/* returns ERR_PTR values */
66static struct wireless_dev *
67__cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
68{
69	struct cfg80211_registered_device *rdev;
70	struct wireless_dev *result = NULL;
71	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73	u64 wdev_id;
74	int wiphy_idx = -1;
75	int ifidx = -1;
76
77	ASSERT_RTNL();
78
79	if (!have_ifidx && !have_wdev_id)
80		return ERR_PTR(-EINVAL);
81
82	if (have_ifidx)
83		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
84	if (have_wdev_id) {
85		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
86		wiphy_idx = wdev_id >> 32;
87	}
88
89	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
90		struct wireless_dev *wdev;
91
92		if (wiphy_net(&rdev->wiphy) != netns)
93			continue;
94
95		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
96			continue;
97
98		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
99			if (have_ifidx && wdev->netdev &&
100			    wdev->netdev->ifindex == ifidx) {
101				result = wdev;
102				break;
103			}
104			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
105				result = wdev;
106				break;
107			}
108		}
109
110		if (result)
111			break;
112	}
113
114	if (result)
115		return result;
116	return ERR_PTR(-ENODEV);
117}
118
119static struct cfg80211_registered_device *
120__cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
121{
122	struct cfg80211_registered_device *rdev = NULL, *tmp;
123	struct net_device *netdev;
124
125	ASSERT_RTNL();
126
127	if (!attrs[NL80211_ATTR_WIPHY] &&
128	    !attrs[NL80211_ATTR_IFINDEX] &&
129	    !attrs[NL80211_ATTR_WDEV])
130		return ERR_PTR(-EINVAL);
131
132	if (attrs[NL80211_ATTR_WIPHY])
133		rdev = cfg80211_rdev_by_wiphy_idx(
134				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
135
136	if (attrs[NL80211_ATTR_WDEV]) {
137		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
138		struct wireless_dev *wdev;
139		bool found = false;
140
141		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
142		if (tmp) {
143			/* make sure wdev exists */
144			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
145				if (wdev->identifier != (u32)wdev_id)
146					continue;
147				found = true;
148				break;
149			}
150
151			if (!found)
152				tmp = NULL;
153
154			if (rdev && tmp != rdev)
155				return ERR_PTR(-EINVAL);
156			rdev = tmp;
157		}
158	}
159
160	if (attrs[NL80211_ATTR_IFINDEX]) {
161		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
162
163		netdev = __dev_get_by_index(netns, ifindex);
164		if (netdev) {
165			if (netdev->ieee80211_ptr)
166				tmp = wiphy_to_rdev(
167					netdev->ieee80211_ptr->wiphy);
168			else
169				tmp = NULL;
170
171			/* not wireless device -- return error */
172			if (!tmp)
173				return ERR_PTR(-EINVAL);
174
175			/* mismatch -- return error */
176			if (rdev && tmp != rdev)
177				return ERR_PTR(-EINVAL);
178
179			rdev = tmp;
180		}
181	}
182
183	if (!rdev)
184		return ERR_PTR(-ENODEV);
185
186	if (netns != wiphy_net(&rdev->wiphy))
187		return ERR_PTR(-ENODEV);
188
189	return rdev;
190}
191
192/*
193 * This function returns a pointer to the driver
194 * that the genl_info item that is passed refers to.
195 *
196 * The result of this can be a PTR_ERR and hence must
197 * be checked with IS_ERR() for errors.
198 */
199static struct cfg80211_registered_device *
200cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
201{
202	return __cfg80211_rdev_from_attrs(netns, info->attrs);
203}
204
205static int validate_beacon_head(const struct nlattr *attr,
206				struct netlink_ext_ack *extack)
207{
208	const u8 *data = nla_data(attr);
209	unsigned int len = nla_len(attr);
210	const struct element *elem;
211	const struct ieee80211_mgmt *mgmt = (void *)data;
212	unsigned int fixedlen, hdrlen;
213	bool s1g_bcn;
214
215	if (len < offsetofend(typeof(*mgmt), frame_control))
216		goto err;
217
218	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
219	if (s1g_bcn) {
220		fixedlen = offsetof(struct ieee80211_ext,
221				    u.s1g_beacon.variable);
222		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
223	} else {
224		fixedlen = offsetof(struct ieee80211_mgmt,
225				    u.beacon.variable);
226		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
227	}
228
229	if (len < fixedlen)
230		goto err;
231
232	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
233		goto err;
234
235	data += fixedlen;
236	len -= fixedlen;
237
238	for_each_element(elem, data, len) {
239		/* nothing */
240	}
241
242	if (for_each_element_completed(elem, data, len))
243		return 0;
244
245err:
246	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
247	return -EINVAL;
248}
249
250static int validate_ie_attr(const struct nlattr *attr,
251			    struct netlink_ext_ack *extack)
252{
253	const u8 *data = nla_data(attr);
254	unsigned int len = nla_len(attr);
255	const struct element *elem;
256
257	for_each_element(elem, data, len) {
258		/* nothing */
259	}
260
261	if (for_each_element_completed(elem, data, len))
262		return 0;
263
264	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
265	return -EINVAL;
266}
267
268/* policy for the attributes */
269static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
270
271static const struct nla_policy
272nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
273	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
274	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
275					.len = U8_MAX },
276	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
277					     .len = U8_MAX },
278};
279
280static const struct nla_policy
281nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
282	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
283	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
284	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
285		NLA_POLICY_MAX(NLA_U8, 15),
286	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
287	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
288		NLA_POLICY_MAX(NLA_U8, 15),
289	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
290		NLA_POLICY_MAX(NLA_U8, 31),
291	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
292	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
293	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
294	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
295	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
296};
297
298static const struct nla_policy
299nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
300	[NL80211_PMSR_TYPE_FTM] =
301		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
302};
303
304static const struct nla_policy
305nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
306	[NL80211_PMSR_REQ_ATTR_DATA] =
307		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
308	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
309};
310
311static const struct nla_policy
312nl80211_psmr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
313	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
314	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
315	[NL80211_PMSR_PEER_ATTR_REQ] =
316		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
317	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
318};
319
320static const struct nla_policy
321nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
322	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
323	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
324	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
325	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
326	[NL80211_PMSR_ATTR_PEERS] =
327		NLA_POLICY_NESTED_ARRAY(nl80211_psmr_peer_attr_policy),
328};
329
330static const struct nla_policy
331he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
332	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
333		NLA_POLICY_RANGE(NLA_U8, 1, 20),
334	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
335		NLA_POLICY_RANGE(NLA_U8, 1, 20),
336	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
337		NLA_POLICY_RANGE(NLA_U8, 1, 20),
338	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
339		NLA_POLICY_EXACT_LEN(8),
340	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
341		NLA_POLICY_EXACT_LEN(8),
342	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
343};
344
345static const struct nla_policy
346he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
347	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
348	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
349	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
350};
351
352static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
353	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
354				    .len = NL80211_MAX_SUPP_RATES },
355	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
356				.len = NL80211_MAX_SUPP_HT_RATES },
357	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
358	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
359	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
360	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
361						   NL80211_RATE_INFO_HE_GI_0_8,
362						   NL80211_RATE_INFO_HE_GI_3_2),
363	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
364						   NL80211_RATE_INFO_HE_1XLTF,
365						   NL80211_RATE_INFO_HE_4XLTF),
366};
367
368static const struct nla_policy
369nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
370	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
371	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
372	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
373	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
374	[NL80211_TID_CONFIG_ATTR_NOACK] =
375			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
376	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
377	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
378	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
379			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
380	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
381			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
382	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
383			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
384	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
385			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
386	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
387			NLA_POLICY_NESTED(nl80211_txattr_policy),
388};
389
390static const struct nla_policy
391nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
392	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
393	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
394	NLA_POLICY_RANGE(NLA_BINARY,
395			 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
396			 IEEE80211_MAX_DATA_LEN),
397};
398
399static const struct nla_policy
400nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
401	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
402	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
403						       .len = IEEE80211_MAX_DATA_LEN }
404};
405
406static struct netlink_range_validation q_range = {
407	.max = INT_MAX,
408};
409
410static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
411	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
412	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
413	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
414				      .len = 20-1 },
415	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
416
417	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
418	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
419	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
420						NL80211_EDMG_CHANNELS_MIN,
421						NL80211_EDMG_CHANNELS_MAX),
422	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
423						NL80211_EDMG_BW_CONFIG_MIN,
424						NL80211_EDMG_BW_CONFIG_MAX),
425
426	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
427	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
428	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
429	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
430
431	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
432	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
433	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
434	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
435	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
436	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
437
438	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
439	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
440	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
441
442	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
443	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
444
445	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
446	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
447				    .len = WLAN_MAX_KEY_LEN },
448	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
449	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
450	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
451	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
452	[NL80211_ATTR_KEY_TYPE] =
453		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
454
455	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
456	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
457	[NL80211_ATTR_BEACON_HEAD] =
458		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
459				       IEEE80211_MAX_DATA_LEN),
460	[NL80211_ATTR_BEACON_TAIL] =
461		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
462				       IEEE80211_MAX_DATA_LEN),
463	[NL80211_ATTR_STA_AID] =
464		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
465	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
466	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
467	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
468					       .len = NL80211_MAX_SUPP_RATES },
469	[NL80211_ATTR_STA_PLINK_ACTION] =
470		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
471	[NL80211_ATTR_STA_TX_POWER_SETTING] =
472		NLA_POLICY_RANGE(NLA_U8,
473				 NL80211_TX_POWER_AUTOMATIC,
474				 NL80211_TX_POWER_FIXED),
475	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
476	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
477	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
478	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
479				   .len = IEEE80211_MAX_MESH_ID_LEN },
480	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
481
482	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
483	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
484	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
485
486	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
487	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
488	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
489	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
490					   .len = NL80211_MAX_SUPP_RATES },
491	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
492
493	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
494	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
495
496	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
497
498	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
499	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
500						   validate_ie_attr,
501						   IEEE80211_MAX_DATA_LEN),
502	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
503	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
504
505	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
506				.len = IEEE80211_MAX_SSID_LEN },
507	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
508	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
509	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
510	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
511	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
512						  NL80211_MFP_NO,
513						  NL80211_MFP_OPTIONAL),
514	[NL80211_ATTR_STA_FLAGS2] = {
515		.len = sizeof(struct nl80211_sta_flag_update),
516	},
517	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
518	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
519	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
520	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
521	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
522	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
523	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
524	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
525	[NL80211_ATTR_PID] = { .type = NLA_U32 },
526	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
527	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
528	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
529	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
530	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
531	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
532				 .len = IEEE80211_MAX_DATA_LEN },
533	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
534	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
535						   NL80211_PS_DISABLED,
536						   NL80211_PS_ENABLED),
537	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
538	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
539	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
540	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
541	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
542	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
543	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
544	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
545	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
546	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
547	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
548	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
549	[NL80211_ATTR_STA_PLINK_STATE] =
550		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
551	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
552	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
553	[NL80211_ATTR_MESH_PEER_AID] =
554		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
555	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
556	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
557	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
558	[NL80211_ATTR_HIDDEN_SSID] =
559		NLA_POLICY_RANGE(NLA_U32,
560				 NL80211_HIDDEN_SSID_NOT_IN_USE,
561				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
562	[NL80211_ATTR_IE_PROBE_RESP] =
563		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
564				       IEEE80211_MAX_DATA_LEN),
565	[NL80211_ATTR_IE_ASSOC_RESP] =
566		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
567				       IEEE80211_MAX_DATA_LEN),
568	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
569	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
570	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
571	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
572	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
573	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
574	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
575	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
576	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
577	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
578	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
579				      .len = IEEE80211_MAX_DATA_LEN },
580	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
581	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
582	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
583		.len = NL80211_HT_CAPABILITY_LEN
584	},
585	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
586	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
587	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
588	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
589	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
590
591	/* need to include at least Auth Transaction and Status Code */
592	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
593
594	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
595	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
596	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
597	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
598	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
599		NLA_POLICY_RANGE(NLA_U32,
600				 NL80211_MESH_POWER_UNKNOWN + 1,
601				 NL80211_MESH_POWER_MAX),
602	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
603	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
604	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
605	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
606	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
607	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
608	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
609		.len = NL80211_VHT_CAPABILITY_LEN,
610	},
611	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
612	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
613				  .len = IEEE80211_MAX_DATA_LEN },
614	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
615	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
616		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
617	[NL80211_ATTR_PEER_AID] =
618		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
619	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
620	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
621	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
622	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
623	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
624	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
625	/*
626	 * The value of the Length field of the Supported Operating
627	 * Classes element is between 2 and 253.
628	 */
629	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
630		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
631	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
632	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
633	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
634	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
635	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
636	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
637						  IEEE80211_QOS_MAP_LEN_MIN,
638						  IEEE80211_QOS_MAP_LEN_MAX),
639	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
640	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
641	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
642	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
643	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
644	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
645	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
646	[NL80211_ATTR_USER_PRIO] =
647		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
648	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
649	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
650	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
651	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
652	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
653	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
654	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
655	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
656	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
657	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
658	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
659		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
660	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
661		.len = VHT_MUMIMO_GROUPS_DATA_LEN
662	},
663	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
664	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
665	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
666	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
667	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
668				    .len = FILS_MAX_KEK_LEN },
669	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
670	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
671	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
672	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
673	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
674		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
675	},
676	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
677	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
678					     .len = FILS_ERP_MAX_USERNAME_LEN },
679	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
680					  .len = FILS_ERP_MAX_REALM_LEN },
681	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
682	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
683					.len = FILS_ERP_MAX_RRK_LEN },
684	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
685	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
686	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
687	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
688	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
689
690	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
691	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
692	[NL80211_ATTR_TXQ_QUANTUM] = NLA_POLICY_FULL_RANGE(NLA_U32, &q_range),
693	[NL80211_ATTR_HE_CAPABILITY] =
694		NLA_POLICY_RANGE(NLA_BINARY,
695				 NL80211_HE_MIN_CAPABILITY_LEN,
696				 NL80211_HE_MAX_CAPABILITY_LEN),
697	[NL80211_ATTR_FTM_RESPONDER] =
698		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
699	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
700	[NL80211_ATTR_PEER_MEASUREMENTS] =
701		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
702	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
703	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
704					.len = SAE_PASSWORD_MAX_LEN },
705	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
706	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
707	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
708	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
709	[NL80211_ATTR_TID_CONFIG] =
710		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
711	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
712	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
713	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
714	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
715	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
716	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
717	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
718		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
719	[NL80211_ATTR_FILS_DISCOVERY] =
720		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
721	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
722		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
723	[NL80211_ATTR_S1G_CAPABILITY] =
724		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
725	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
726		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
727};
728
729/* policy for the key attributes */
730static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
731	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
732	[NL80211_KEY_IDX] = { .type = NLA_U8 },
733	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
734	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
735	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
736	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
737	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
738	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
739	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
740};
741
742/* policy for the key default flags */
743static const struct nla_policy
744nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
745	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
746	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
747};
748
749#ifdef CONFIG_PM
750/* policy for WoWLAN attributes */
751static const struct nla_policy
752nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
753	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
754	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
755	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
756	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
757	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
758	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
759	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
760	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
761	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
762	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
763};
764
765static const struct nla_policy
766nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
767	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
768	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
769	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
770	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
771	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
772	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
773	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
774		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
775	},
776	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
777		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
778	},
779	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
780	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
781	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
782};
783#endif /* CONFIG_PM */
784
785/* policy for coalesce rule attributes */
786static const struct nla_policy
787nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
788	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
789	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
790		NLA_POLICY_RANGE(NLA_U32,
791				 NL80211_COALESCE_CONDITION_MATCH,
792				 NL80211_COALESCE_CONDITION_NO_MATCH),
793	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
794};
795
796/* policy for GTK rekey offload attributes */
797static const struct nla_policy
798nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
799	[NL80211_REKEY_DATA_KEK] = {
800		.type = NLA_BINARY,
801		.len = NL80211_KEK_EXT_LEN
802	},
803	[NL80211_REKEY_DATA_KCK] = {
804		.type = NLA_BINARY,
805		.len = NL80211_KCK_EXT_LEN
806	},
807	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
808	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
809};
810
811static const struct nla_policy
812nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
813	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
814	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
815	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
816	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
817};
818
819static const struct nla_policy
820nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
821	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
822						 .len = IEEE80211_MAX_SSID_LEN },
823	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
824	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
825	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
826		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
827};
828
829static const struct nla_policy
830nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
831	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
832	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
833};
834
835static const struct nla_policy
836nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
837	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
838	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
839	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
840		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
841	},
842};
843
844/* policy for NAN function attributes */
845static const struct nla_policy
846nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
847	[NL80211_NAN_FUNC_TYPE] =
848		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
849	[NL80211_NAN_FUNC_SERVICE_ID] = {
850				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
851	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
852	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
853	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
854	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
855	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
856	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
857	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
858	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
859	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
860			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
861	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
862	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
863	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
864	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
865	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
866};
867
868/* policy for Service Response Filter attributes */
869static const struct nla_policy
870nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
871	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
872	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
873				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
874	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
875	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
876};
877
878/* policy for packet pattern attributes */
879static const struct nla_policy
880nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
881	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
882	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
883	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
884};
885
886int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
887			      struct cfg80211_registered_device **rdev,
888			      struct wireless_dev **wdev)
889{
890	int err;
891
892	if (!cb->args[0]) {
893		struct nlattr **attrbuf;
894
895		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
896				  GFP_KERNEL);
897		if (!attrbuf)
898			return -ENOMEM;
899
900		err = nlmsg_parse_deprecated(cb->nlh,
901					     GENL_HDRLEN + nl80211_fam.hdrsize,
902					     attrbuf, nl80211_fam.maxattr,
903					     nl80211_policy, NULL);
904		if (err) {
905			kfree(attrbuf);
906			return err;
907		}
908
909		*wdev = __cfg80211_wdev_from_attrs(sock_net(cb->skb->sk),
910						   attrbuf);
911		kfree(attrbuf);
912		if (IS_ERR(*wdev))
913			return PTR_ERR(*wdev);
914		*rdev = wiphy_to_rdev((*wdev)->wiphy);
915		/* 0 is the first index - add 1 to parse only once */
916		cb->args[0] = (*rdev)->wiphy_idx + 1;
917		cb->args[1] = (*wdev)->identifier;
918	} else {
919		/* subtract the 1 again here */
920		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
921		struct wireless_dev *tmp;
922
923		if (!wiphy)
924			return -ENODEV;
925		*rdev = wiphy_to_rdev(wiphy);
926		*wdev = NULL;
927
928		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
929			if (tmp->identifier == cb->args[1]) {
930				*wdev = tmp;
931				break;
932			}
933		}
934
935		if (!*wdev)
936			return -ENODEV;
937	}
938
939	return 0;
940}
941
942/* message building helper */
943void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
944		     int flags, u8 cmd)
945{
946	/* since there is no private header just add the generic one */
947	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
948}
949
950static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
951				     const struct ieee80211_reg_rule *rule)
952{
953	int j;
954	struct nlattr *nl_wmm_rules =
955		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
956
957	if (!nl_wmm_rules)
958		goto nla_put_failure;
959
960	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
961		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
962
963		if (!nl_wmm_rule)
964			goto nla_put_failure;
965
966		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
967				rule->wmm_rule.client[j].cw_min) ||
968		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
969				rule->wmm_rule.client[j].cw_max) ||
970		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
971			       rule->wmm_rule.client[j].aifsn) ||
972		    nla_put_u16(msg, NL80211_WMMR_TXOP,
973			        rule->wmm_rule.client[j].cot))
974			goto nla_put_failure;
975
976		nla_nest_end(msg, nl_wmm_rule);
977	}
978	nla_nest_end(msg, nl_wmm_rules);
979
980	return 0;
981
982nla_put_failure:
983	return -ENOBUFS;
984}
985
986static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
987				   struct ieee80211_channel *chan,
988				   bool large)
989{
990	/* Some channels must be completely excluded from the
991	 * list to protect old user-space tools from breaking
992	 */
993	if (!large && chan->flags &
994	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
995		return 0;
996	if (!large && chan->freq_offset)
997		return 0;
998
999	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1000			chan->center_freq))
1001		goto nla_put_failure;
1002
1003	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1004		goto nla_put_failure;
1005
1006	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1007	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1008		goto nla_put_failure;
1009	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1010		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1011			goto nla_put_failure;
1012		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1013			goto nla_put_failure;
1014	}
1015	if (chan->flags & IEEE80211_CHAN_RADAR) {
1016		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1017			goto nla_put_failure;
1018		if (large) {
1019			u32 time;
1020
1021			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1022
1023			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1024					chan->dfs_state))
1025				goto nla_put_failure;
1026			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1027					time))
1028				goto nla_put_failure;
1029			if (nla_put_u32(msg,
1030					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1031					chan->dfs_cac_ms))
1032				goto nla_put_failure;
1033		}
1034	}
1035
1036	if (large) {
1037		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1038		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1039			goto nla_put_failure;
1040		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1041		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1042			goto nla_put_failure;
1043		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1044		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1045			goto nla_put_failure;
1046		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1047		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1048			goto nla_put_failure;
1049		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1050		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1051			goto nla_put_failure;
1052		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1053		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1054			goto nla_put_failure;
1055		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1056		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1057			goto nla_put_failure;
1058		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1059		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1060			goto nla_put_failure;
1061		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1062		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1063			goto nla_put_failure;
1064		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1065		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1066			goto nla_put_failure;
1067		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1068		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1069			goto nla_put_failure;
1070		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1071		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1072			goto nla_put_failure;
1073		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1074		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1075			goto nla_put_failure;
1076		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1077		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1078			goto nla_put_failure;
1079	}
1080
1081	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1082			DBM_TO_MBM(chan->max_power)))
1083		goto nla_put_failure;
1084
1085	if (large) {
1086		const struct ieee80211_reg_rule *rule =
1087			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1088
1089		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1090			if (nl80211_msg_put_wmm_rules(msg, rule))
1091				goto nla_put_failure;
1092		}
1093	}
1094
1095	return 0;
1096
1097 nla_put_failure:
1098	return -ENOBUFS;
1099}
1100
1101static bool nl80211_put_txq_stats(struct sk_buff *msg,
1102				  struct cfg80211_txq_stats *txqstats,
1103				  int attrtype)
1104{
1105	struct nlattr *txqattr;
1106
1107#define PUT_TXQVAL_U32(attr, memb) do {					  \
1108	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1109	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1110		return false;						  \
1111	} while (0)
1112
1113	txqattr = nla_nest_start_noflag(msg, attrtype);
1114	if (!txqattr)
1115		return false;
1116
1117	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1118	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1119	PUT_TXQVAL_U32(FLOWS, flows);
1120	PUT_TXQVAL_U32(DROPS, drops);
1121	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1122	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1123	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1124	PUT_TXQVAL_U32(COLLISIONS, collisions);
1125	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1126	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1127	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1128	nla_nest_end(msg, txqattr);
1129
1130#undef PUT_TXQVAL_U32
1131	return true;
1132}
1133
1134/* netlink command implementations */
1135
1136struct key_parse {
1137	struct key_params p;
1138	int idx;
1139	int type;
1140	bool def, defmgmt, defbeacon;
1141	bool def_uni, def_multi;
1142};
1143
1144static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1145				 struct key_parse *k)
1146{
1147	struct nlattr *tb[NL80211_KEY_MAX + 1];
1148	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1149					      nl80211_key_policy,
1150					      info->extack);
1151	if (err)
1152		return err;
1153
1154	k->def = !!tb[NL80211_KEY_DEFAULT];
1155	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1156	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1157
1158	if (k->def) {
1159		k->def_uni = true;
1160		k->def_multi = true;
1161	}
1162	if (k->defmgmt || k->defbeacon)
1163		k->def_multi = true;
1164
1165	if (tb[NL80211_KEY_IDX])
1166		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1167
1168	if (tb[NL80211_KEY_DATA]) {
1169		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1170		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1171	}
1172
1173	if (tb[NL80211_KEY_SEQ]) {
1174		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1175		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1176	}
1177
1178	if (tb[NL80211_KEY_CIPHER])
1179		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1180
1181	if (tb[NL80211_KEY_TYPE])
1182		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1183
1184	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1185		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1186
1187		err = nla_parse_nested_deprecated(kdt,
1188						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1189						  tb[NL80211_KEY_DEFAULT_TYPES],
1190						  nl80211_key_default_policy,
1191						  info->extack);
1192		if (err)
1193			return err;
1194
1195		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1196		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1197	}
1198
1199	if (tb[NL80211_KEY_MODE])
1200		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1201
1202	return 0;
1203}
1204
1205static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1206{
1207	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1208		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1209		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1210	}
1211
1212	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1213		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1214		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1215	}
1216
1217	if (info->attrs[NL80211_ATTR_KEY_IDX])
1218		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1219
1220	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1221		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1222
1223	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1224	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1225
1226	if (k->def) {
1227		k->def_uni = true;
1228		k->def_multi = true;
1229	}
1230	if (k->defmgmt)
1231		k->def_multi = true;
1232
1233	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1234		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1235
1236	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1237		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1238		int err = nla_parse_nested_deprecated(kdt,
1239						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1240						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1241						      nl80211_key_default_policy,
1242						      info->extack);
1243		if (err)
1244			return err;
1245
1246		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1247		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1248	}
1249
1250	return 0;
1251}
1252
1253static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1254{
1255	int err;
1256
1257	memset(k, 0, sizeof(*k));
1258	k->idx = -1;
1259	k->type = -1;
1260
1261	if (info->attrs[NL80211_ATTR_KEY])
1262		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1263	else
1264		err = nl80211_parse_key_old(info, k);
1265
1266	if (err)
1267		return err;
1268
1269	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1270	    (k->defbeacon ? 1 : 0) > 1) {
1271		GENL_SET_ERR_MSG(info,
1272				 "key with multiple default flags is invalid");
1273		return -EINVAL;
1274	}
1275
1276	if (k->defmgmt || k->defbeacon) {
1277		if (k->def_uni || !k->def_multi) {
1278			GENL_SET_ERR_MSG(info,
1279					 "defmgmt/defbeacon key must be mcast");
1280			return -EINVAL;
1281		}
1282	}
1283
1284	if (k->idx != -1) {
1285		if (k->defmgmt) {
1286			if (k->idx < 4 || k->idx > 5) {
1287				GENL_SET_ERR_MSG(info,
1288						 "defmgmt key idx not 4 or 5");
1289				return -EINVAL;
1290			}
1291		} else if (k->defbeacon) {
1292			if (k->idx < 6 || k->idx > 7) {
1293				GENL_SET_ERR_MSG(info,
1294						 "defbeacon key idx not 6 or 7");
1295				return -EINVAL;
1296			}
1297		} else if (k->def) {
1298			if (k->idx < 0 || k->idx > 3) {
1299				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1300				return -EINVAL;
1301			}
1302		} else {
1303			if (k->idx < 0 || k->idx > 7) {
1304				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1305				return -EINVAL;
1306			}
1307		}
1308	}
1309
1310	return 0;
1311}
1312
1313static struct cfg80211_cached_keys *
1314nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1315		       struct genl_info *info, bool *no_ht)
1316{
1317	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1318	struct key_parse parse;
1319	struct nlattr *key;
1320	struct cfg80211_cached_keys *result;
1321	int rem, err, def = 0;
1322	bool have_key = false;
1323
1324	nla_for_each_nested(key, keys, rem) {
1325		have_key = true;
1326		break;
1327	}
1328
1329	if (!have_key)
1330		return NULL;
1331
1332	result = kzalloc(sizeof(*result), GFP_KERNEL);
1333	if (!result)
1334		return ERR_PTR(-ENOMEM);
1335
1336	result->def = -1;
1337
1338	nla_for_each_nested(key, keys, rem) {
1339		memset(&parse, 0, sizeof(parse));
1340		parse.idx = -1;
1341
1342		err = nl80211_parse_key_new(info, key, &parse);
1343		if (err)
1344			goto error;
1345		err = -EINVAL;
1346		if (!parse.p.key)
1347			goto error;
1348		if (parse.idx < 0 || parse.idx > 3) {
1349			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1350			goto error;
1351		}
1352		if (parse.def) {
1353			if (def) {
1354				GENL_SET_ERR_MSG(info,
1355						 "only one key can be default");
1356				goto error;
1357			}
1358			def = 1;
1359			result->def = parse.idx;
1360			if (!parse.def_uni || !parse.def_multi)
1361				goto error;
1362		} else if (parse.defmgmt)
1363			goto error;
1364		err = cfg80211_validate_key_settings(rdev, &parse.p,
1365						     parse.idx, false, NULL);
1366		if (err)
1367			goto error;
1368		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1369		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1370			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1371			err = -EINVAL;
1372			goto error;
1373		}
1374		result->params[parse.idx].cipher = parse.p.cipher;
1375		result->params[parse.idx].key_len = parse.p.key_len;
1376		result->params[parse.idx].key = result->data[parse.idx];
1377		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1378
1379		/* must be WEP key if we got here */
1380		if (no_ht)
1381			*no_ht = true;
1382	}
1383
1384	if (result->def < 0) {
1385		err = -EINVAL;
1386		GENL_SET_ERR_MSG(info, "need a default/TX key");
1387		goto error;
1388	}
1389
1390	return result;
1391 error:
1392	kfree(result);
1393	return ERR_PTR(err);
1394}
1395
1396static int nl80211_key_allowed(struct wireless_dev *wdev)
1397{
1398	ASSERT_WDEV_LOCK(wdev);
1399
1400	switch (wdev->iftype) {
1401	case NL80211_IFTYPE_AP:
1402	case NL80211_IFTYPE_AP_VLAN:
1403	case NL80211_IFTYPE_P2P_GO:
1404	case NL80211_IFTYPE_MESH_POINT:
1405		break;
1406	case NL80211_IFTYPE_ADHOC:
1407	case NL80211_IFTYPE_STATION:
1408	case NL80211_IFTYPE_P2P_CLIENT:
1409		if (!wdev->current_bss)
1410			return -ENOLINK;
1411		break;
1412	case NL80211_IFTYPE_UNSPECIFIED:
1413	case NL80211_IFTYPE_OCB:
1414	case NL80211_IFTYPE_MONITOR:
1415	case NL80211_IFTYPE_NAN:
1416	case NL80211_IFTYPE_P2P_DEVICE:
1417	case NL80211_IFTYPE_WDS:
1418	case NUM_NL80211_IFTYPES:
1419		return -EINVAL;
1420	}
1421
1422	return 0;
1423}
1424
1425static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1426							u32 freq)
1427{
1428	struct ieee80211_channel *chan;
1429
1430	chan = ieee80211_get_channel_khz(wiphy, freq);
1431	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1432		return NULL;
1433	return chan;
1434}
1435
1436static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1437{
1438	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1439	int i;
1440
1441	if (!nl_modes)
1442		goto nla_put_failure;
1443
1444	i = 0;
1445	while (ifmodes) {
1446		if ((ifmodes & 1) && nla_put_flag(msg, i))
1447			goto nla_put_failure;
1448		ifmodes >>= 1;
1449		i++;
1450	}
1451
1452	nla_nest_end(msg, nl_modes);
1453	return 0;
1454
1455nla_put_failure:
1456	return -ENOBUFS;
1457}
1458
1459static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1460					  struct sk_buff *msg,
1461					  bool large)
1462{
1463	struct nlattr *nl_combis;
1464	int i, j;
1465
1466	nl_combis = nla_nest_start_noflag(msg,
1467					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1468	if (!nl_combis)
1469		goto nla_put_failure;
1470
1471	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1472		const struct ieee80211_iface_combination *c;
1473		struct nlattr *nl_combi, *nl_limits;
1474
1475		c = &wiphy->iface_combinations[i];
1476
1477		nl_combi = nla_nest_start_noflag(msg, i + 1);
1478		if (!nl_combi)
1479			goto nla_put_failure;
1480
1481		nl_limits = nla_nest_start_noflag(msg,
1482						  NL80211_IFACE_COMB_LIMITS);
1483		if (!nl_limits)
1484			goto nla_put_failure;
1485
1486		for (j = 0; j < c->n_limits; j++) {
1487			struct nlattr *nl_limit;
1488
1489			nl_limit = nla_nest_start_noflag(msg, j + 1);
1490			if (!nl_limit)
1491				goto nla_put_failure;
1492			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1493					c->limits[j].max))
1494				goto nla_put_failure;
1495			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1496						c->limits[j].types))
1497				goto nla_put_failure;
1498			nla_nest_end(msg, nl_limit);
1499		}
1500
1501		nla_nest_end(msg, nl_limits);
1502
1503		if (c->beacon_int_infra_match &&
1504		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1505			goto nla_put_failure;
1506		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1507				c->num_different_channels) ||
1508		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1509				c->max_interfaces))
1510			goto nla_put_failure;
1511		if (large &&
1512		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1513				c->radar_detect_widths) ||
1514		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1515				c->radar_detect_regions)))
1516			goto nla_put_failure;
1517		if (c->beacon_int_min_gcd &&
1518		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1519				c->beacon_int_min_gcd))
1520			goto nla_put_failure;
1521
1522		nla_nest_end(msg, nl_combi);
1523	}
1524
1525	nla_nest_end(msg, nl_combis);
1526
1527	return 0;
1528nla_put_failure:
1529	return -ENOBUFS;
1530}
1531
1532#ifdef CONFIG_PM
1533static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1534					struct sk_buff *msg)
1535{
1536	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1537	struct nlattr *nl_tcp;
1538
1539	if (!tcp)
1540		return 0;
1541
1542	nl_tcp = nla_nest_start_noflag(msg,
1543				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1544	if (!nl_tcp)
1545		return -ENOBUFS;
1546
1547	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1548			tcp->data_payload_max))
1549		return -ENOBUFS;
1550
1551	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1552			tcp->data_payload_max))
1553		return -ENOBUFS;
1554
1555	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1556		return -ENOBUFS;
1557
1558	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1559				sizeof(*tcp->tok), tcp->tok))
1560		return -ENOBUFS;
1561
1562	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1563			tcp->data_interval_max))
1564		return -ENOBUFS;
1565
1566	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1567			tcp->wake_payload_max))
1568		return -ENOBUFS;
1569
1570	nla_nest_end(msg, nl_tcp);
1571	return 0;
1572}
1573
1574static int nl80211_send_wowlan(struct sk_buff *msg,
1575			       struct cfg80211_registered_device *rdev,
1576			       bool large)
1577{
1578	struct nlattr *nl_wowlan;
1579
1580	if (!rdev->wiphy.wowlan)
1581		return 0;
1582
1583	nl_wowlan = nla_nest_start_noflag(msg,
1584					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1585	if (!nl_wowlan)
1586		return -ENOBUFS;
1587
1588	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1589	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1590	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1591	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1592	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1593	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1594	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1595	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1596	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1597	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1598	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1599	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1600	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1601	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1602	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1603	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1604		return -ENOBUFS;
1605
1606	if (rdev->wiphy.wowlan->n_patterns) {
1607		struct nl80211_pattern_support pat = {
1608			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1609			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1610			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1611			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1612		};
1613
1614		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1615			    sizeof(pat), &pat))
1616			return -ENOBUFS;
1617	}
1618
1619	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1620	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1621			rdev->wiphy.wowlan->max_nd_match_sets))
1622		return -ENOBUFS;
1623
1624	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1625		return -ENOBUFS;
1626
1627	nla_nest_end(msg, nl_wowlan);
1628
1629	return 0;
1630}
1631#endif
1632
1633static int nl80211_send_coalesce(struct sk_buff *msg,
1634				 struct cfg80211_registered_device *rdev)
1635{
1636	struct nl80211_coalesce_rule_support rule;
1637
1638	if (!rdev->wiphy.coalesce)
1639		return 0;
1640
1641	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1642	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1643	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1644	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1645	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1646	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1647
1648	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1649		return -ENOBUFS;
1650
1651	return 0;
1652}
1653
1654static int
1655nl80211_send_iftype_data(struct sk_buff *msg,
1656			 const struct ieee80211_supported_band *sband,
1657			 const struct ieee80211_sband_iftype_data *iftdata)
1658{
1659	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1660
1661	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1662				iftdata->types_mask))
1663		return -ENOBUFS;
1664
1665	if (he_cap->has_he) {
1666		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1667			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1668			    he_cap->he_cap_elem.mac_cap_info) ||
1669		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1670			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1671			    he_cap->he_cap_elem.phy_cap_info) ||
1672		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1673			    sizeof(he_cap->he_mcs_nss_supp),
1674			    &he_cap->he_mcs_nss_supp) ||
1675		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1676			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1677			return -ENOBUFS;
1678	}
1679
1680	if (sband->band == NL80211_BAND_6GHZ &&
1681	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1682		    sizeof(iftdata->he_6ghz_capa),
1683		    &iftdata->he_6ghz_capa))
1684		return -ENOBUFS;
1685
1686	return 0;
1687}
1688
1689static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1690				      struct ieee80211_supported_band *sband,
1691				      bool large)
1692{
1693	struct nlattr *nl_rates, *nl_rate;
1694	struct ieee80211_rate *rate;
1695	int i;
1696
1697	/* add HT info */
1698	if (sband->ht_cap.ht_supported &&
1699	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1700		     sizeof(sband->ht_cap.mcs),
1701		     &sband->ht_cap.mcs) ||
1702	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1703			 sband->ht_cap.cap) ||
1704	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1705			sband->ht_cap.ampdu_factor) ||
1706	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1707			sband->ht_cap.ampdu_density)))
1708		return -ENOBUFS;
1709
1710	/* add VHT info */
1711	if (sband->vht_cap.vht_supported &&
1712	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1713		     sizeof(sband->vht_cap.vht_mcs),
1714		     &sband->vht_cap.vht_mcs) ||
1715	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1716			 sband->vht_cap.cap)))
1717		return -ENOBUFS;
1718
1719	if (large && sband->n_iftype_data) {
1720		struct nlattr *nl_iftype_data =
1721			nla_nest_start_noflag(msg,
1722					      NL80211_BAND_ATTR_IFTYPE_DATA);
1723		int err;
1724
1725		if (!nl_iftype_data)
1726			return -ENOBUFS;
1727
1728		for (i = 0; i < sband->n_iftype_data; i++) {
1729			struct nlattr *iftdata;
1730
1731			iftdata = nla_nest_start_noflag(msg, i + 1);
1732			if (!iftdata)
1733				return -ENOBUFS;
1734
1735			err = nl80211_send_iftype_data(msg, sband,
1736						       &sband->iftype_data[i]);
1737			if (err)
1738				return err;
1739
1740			nla_nest_end(msg, iftdata);
1741		}
1742
1743		nla_nest_end(msg, nl_iftype_data);
1744	}
1745
1746	/* add EDMG info */
1747	if (large && sband->edmg_cap.channels &&
1748	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1749		       sband->edmg_cap.channels) ||
1750	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1751		       sband->edmg_cap.bw_config)))
1752
1753		return -ENOBUFS;
1754
1755	/* add bitrates */
1756	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1757	if (!nl_rates)
1758		return -ENOBUFS;
1759
1760	for (i = 0; i < sband->n_bitrates; i++) {
1761		nl_rate = nla_nest_start_noflag(msg, i);
1762		if (!nl_rate)
1763			return -ENOBUFS;
1764
1765		rate = &sband->bitrates[i];
1766		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1767				rate->bitrate))
1768			return -ENOBUFS;
1769		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1770		    nla_put_flag(msg,
1771				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1772			return -ENOBUFS;
1773
1774		nla_nest_end(msg, nl_rate);
1775	}
1776
1777	nla_nest_end(msg, nl_rates);
1778
1779	return 0;
1780}
1781
1782static int
1783nl80211_send_mgmt_stypes(struct sk_buff *msg,
1784			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1785{
1786	u16 stypes;
1787	struct nlattr *nl_ftypes, *nl_ifs;
1788	enum nl80211_iftype ift;
1789	int i;
1790
1791	if (!mgmt_stypes)
1792		return 0;
1793
1794	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1795	if (!nl_ifs)
1796		return -ENOBUFS;
1797
1798	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1799		nl_ftypes = nla_nest_start_noflag(msg, ift);
1800		if (!nl_ftypes)
1801			return -ENOBUFS;
1802		i = 0;
1803		stypes = mgmt_stypes[ift].tx;
1804		while (stypes) {
1805			if ((stypes & 1) &&
1806			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1807					(i << 4) | IEEE80211_FTYPE_MGMT))
1808				return -ENOBUFS;
1809			stypes >>= 1;
1810			i++;
1811		}
1812		nla_nest_end(msg, nl_ftypes);
1813	}
1814
1815	nla_nest_end(msg, nl_ifs);
1816
1817	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
1818	if (!nl_ifs)
1819		return -ENOBUFS;
1820
1821	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1822		nl_ftypes = nla_nest_start_noflag(msg, ift);
1823		if (!nl_ftypes)
1824			return -ENOBUFS;
1825		i = 0;
1826		stypes = mgmt_stypes[ift].rx;
1827		while (stypes) {
1828			if ((stypes & 1) &&
1829			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1830					(i << 4) | IEEE80211_FTYPE_MGMT))
1831				return -ENOBUFS;
1832			stypes >>= 1;
1833			i++;
1834		}
1835		nla_nest_end(msg, nl_ftypes);
1836	}
1837	nla_nest_end(msg, nl_ifs);
1838
1839	return 0;
1840}
1841
1842#define CMD(op, n)							\
1843	 do {								\
1844		if (rdev->ops->op) {					\
1845			i++;						\
1846			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
1847				goto nla_put_failure;			\
1848		}							\
1849	} while (0)
1850
1851static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
1852					struct sk_buff *msg)
1853{
1854	int i = 0;
1855
1856	/*
1857	 * do *NOT* add anything into this function, new things need to be
1858	 * advertised only to new versions of userspace that can deal with
1859	 * the split (and they can't possibly care about new features...
1860	 */
1861	CMD(add_virtual_intf, NEW_INTERFACE);
1862	CMD(change_virtual_intf, SET_INTERFACE);
1863	CMD(add_key, NEW_KEY);
1864	CMD(start_ap, START_AP);
1865	CMD(add_station, NEW_STATION);
1866	CMD(add_mpath, NEW_MPATH);
1867	CMD(update_mesh_config, SET_MESH_CONFIG);
1868	CMD(change_bss, SET_BSS);
1869	CMD(auth, AUTHENTICATE);
1870	CMD(assoc, ASSOCIATE);
1871	CMD(deauth, DEAUTHENTICATE);
1872	CMD(disassoc, DISASSOCIATE);
1873	CMD(join_ibss, JOIN_IBSS);
1874	CMD(join_mesh, JOIN_MESH);
1875	CMD(set_pmksa, SET_PMKSA);
1876	CMD(del_pmksa, DEL_PMKSA);
1877	CMD(flush_pmksa, FLUSH_PMKSA);
1878	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1879		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1880	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1881	CMD(mgmt_tx, FRAME);
1882	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1883	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1884		i++;
1885		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1886			goto nla_put_failure;
1887	}
1888	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1889	    rdev->ops->join_mesh) {
1890		i++;
1891		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1892			goto nla_put_failure;
1893	}
1894	CMD(set_wds_peer, SET_WDS_PEER);
1895	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1896		CMD(tdls_mgmt, TDLS_MGMT);
1897		CMD(tdls_oper, TDLS_OPER);
1898	}
1899	if (rdev->wiphy.max_sched_scan_reqs)
1900		CMD(sched_scan_start, START_SCHED_SCAN);
1901	CMD(probe_client, PROBE_CLIENT);
1902	CMD(set_noack_map, SET_NOACK_MAP);
1903	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1904		i++;
1905		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1906			goto nla_put_failure;
1907	}
1908	CMD(start_p2p_device, START_P2P_DEVICE);
1909	CMD(set_mcast_rate, SET_MCAST_RATE);
1910#ifdef CONFIG_NL80211_TESTMODE
1911	CMD(testmode_cmd, TESTMODE);
1912#endif
1913
1914	if (rdev->ops->connect || rdev->ops->auth) {
1915		i++;
1916		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1917			goto nla_put_failure;
1918	}
1919
1920	if (rdev->ops->disconnect || rdev->ops->deauth) {
1921		i++;
1922		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1923			goto nla_put_failure;
1924	}
1925
1926	return i;
1927 nla_put_failure:
1928	return -ENOBUFS;
1929}
1930
1931static int
1932nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
1933			   struct sk_buff *msg)
1934{
1935	struct nlattr *ftm;
1936
1937	if (!cap->ftm.supported)
1938		return 0;
1939
1940	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
1941	if (!ftm)
1942		return -ENOBUFS;
1943
1944	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
1945		return -ENOBUFS;
1946	if (cap->ftm.non_asap &&
1947	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
1948		return -ENOBUFS;
1949	if (cap->ftm.request_lci &&
1950	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
1951		return -ENOBUFS;
1952	if (cap->ftm.request_civicloc &&
1953	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
1954		return -ENOBUFS;
1955	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
1956			cap->ftm.preambles))
1957		return -ENOBUFS;
1958	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
1959			cap->ftm.bandwidths))
1960		return -ENOBUFS;
1961	if (cap->ftm.max_bursts_exponent >= 0 &&
1962	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
1963			cap->ftm.max_bursts_exponent))
1964		return -ENOBUFS;
1965	if (cap->ftm.max_ftms_per_burst &&
1966	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
1967			cap->ftm.max_ftms_per_burst))
1968		return -ENOBUFS;
1969	if (cap->ftm.trigger_based &&
1970	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
1971		return -ENOBUFS;
1972	if (cap->ftm.non_trigger_based &&
1973	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
1974		return -ENOBUFS;
1975
1976	nla_nest_end(msg, ftm);
1977	return 0;
1978}
1979
1980static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
1981				  struct sk_buff *msg)
1982{
1983	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
1984	struct nlattr *pmsr, *caps;
1985
1986	if (!cap)
1987		return 0;
1988
1989	/*
1990	 * we don't need to clean up anything here since the caller
1991	 * will genlmsg_cancel() if we fail
1992	 */
1993
1994	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
1995	if (!pmsr)
1996		return -ENOBUFS;
1997
1998	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
1999		return -ENOBUFS;
2000
2001	if (cap->report_ap_tsf &&
2002	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2003		return -ENOBUFS;
2004
2005	if (cap->randomize_mac_addr &&
2006	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2007		return -ENOBUFS;
2008
2009	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2010	if (!caps)
2011		return -ENOBUFS;
2012
2013	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2014		return -ENOBUFS;
2015
2016	nla_nest_end(msg, caps);
2017	nla_nest_end(msg, pmsr);
2018
2019	return 0;
2020}
2021
2022static int
2023nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2024			      struct sk_buff *msg)
2025{
2026	int i;
2027	struct nlattr *nested, *nested_akms;
2028	const struct wiphy_iftype_akm_suites *iftype_akms;
2029
2030	if (!rdev->wiphy.num_iftype_akm_suites ||
2031	    !rdev->wiphy.iftype_akm_suites)
2032		return 0;
2033
2034	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2035	if (!nested)
2036		return -ENOBUFS;
2037
2038	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2039		nested_akms = nla_nest_start(msg, i + 1);
2040		if (!nested_akms)
2041			return -ENOBUFS;
2042
2043		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2044
2045		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2046					iftype_akms->iftypes_mask))
2047			return -ENOBUFS;
2048
2049		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2050			    sizeof(u32) * iftype_akms->n_akm_suites,
2051			    iftype_akms->akm_suites)) {
2052			return -ENOBUFS;
2053		}
2054		nla_nest_end(msg, nested_akms);
2055	}
2056
2057	nla_nest_end(msg, nested);
2058
2059	return 0;
2060}
2061
2062static int
2063nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2064			       struct sk_buff *msg)
2065{
2066	struct nlattr *supp;
2067
2068	if (!rdev->wiphy.tid_config_support.vif &&
2069	    !rdev->wiphy.tid_config_support.peer)
2070		return 0;
2071
2072	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2073	if (!supp)
2074		return -ENOSPC;
2075
2076	if (rdev->wiphy.tid_config_support.vif &&
2077	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2078			      rdev->wiphy.tid_config_support.vif,
2079			      NL80211_TID_CONFIG_ATTR_PAD))
2080		goto fail;
2081
2082	if (rdev->wiphy.tid_config_support.peer &&
2083	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2084			      rdev->wiphy.tid_config_support.peer,
2085			      NL80211_TID_CONFIG_ATTR_PAD))
2086		goto fail;
2087
2088	/* for now we just use the same value ... makes more sense */
2089	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2090		       rdev->wiphy.tid_config_support.max_retry))
2091		goto fail;
2092	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2093		       rdev->wiphy.tid_config_support.max_retry))
2094		goto fail;
2095
2096	nla_nest_end(msg, supp);
2097
2098	return 0;
2099fail:
2100	nla_nest_cancel(msg, supp);
2101	return -ENOBUFS;
2102}
2103
2104struct nl80211_dump_wiphy_state {
2105	s64 filter_wiphy;
2106	long start;
2107	long split_start, band_start, chan_start, capa_start;
2108	bool split;
2109};
2110
2111static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2112			      enum nl80211_commands cmd,
2113			      struct sk_buff *msg, u32 portid, u32 seq,
2114			      int flags, struct nl80211_dump_wiphy_state *state)
2115{
2116	void *hdr;
2117	struct nlattr *nl_bands, *nl_band;
2118	struct nlattr *nl_freqs, *nl_freq;
2119	struct nlattr *nl_cmds;
2120	enum nl80211_band band;
2121	struct ieee80211_channel *chan;
2122	int i;
2123	const struct ieee80211_txrx_stypes *mgmt_stypes =
2124				rdev->wiphy.mgmt_stypes;
2125	u32 features;
2126
2127	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2128	if (!hdr)
2129		return -ENOBUFS;
2130
2131	if (WARN_ON(!state))
2132		return -EINVAL;
2133
2134	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2135	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2136			   wiphy_name(&rdev->wiphy)) ||
2137	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2138			cfg80211_rdev_list_generation))
2139		goto nla_put_failure;
2140
2141	if (cmd != NL80211_CMD_NEW_WIPHY)
2142		goto finish;
2143
2144	switch (state->split_start) {
2145	case 0:
2146		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2147			       rdev->wiphy.retry_short) ||
2148		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2149			       rdev->wiphy.retry_long) ||
2150		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2151				rdev->wiphy.frag_threshold) ||
2152		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2153				rdev->wiphy.rts_threshold) ||
2154		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2155			       rdev->wiphy.coverage_class) ||
2156		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2157			       rdev->wiphy.max_scan_ssids) ||
2158		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2159			       rdev->wiphy.max_sched_scan_ssids) ||
2160		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2161				rdev->wiphy.max_scan_ie_len) ||
2162		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2163				rdev->wiphy.max_sched_scan_ie_len) ||
2164		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2165			       rdev->wiphy.max_match_sets))
2166			goto nla_put_failure;
2167
2168		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2169		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2170			goto nla_put_failure;
2171		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2172		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2173			goto nla_put_failure;
2174		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2175		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2176			goto nla_put_failure;
2177		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2178		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2179			goto nla_put_failure;
2180		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2181		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2182			goto nla_put_failure;
2183		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2184		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2185			goto nla_put_failure;
2186		state->split_start++;
2187		if (state->split)
2188			break;
2189		fallthrough;
2190	case 1:
2191		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2192			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2193			    rdev->wiphy.cipher_suites))
2194			goto nla_put_failure;
2195
2196		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2197			       rdev->wiphy.max_num_pmkids))
2198			goto nla_put_failure;
2199
2200		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2201		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2202			goto nla_put_failure;
2203
2204		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2205				rdev->wiphy.available_antennas_tx) ||
2206		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2207				rdev->wiphy.available_antennas_rx))
2208			goto nla_put_failure;
2209
2210		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2211		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2212				rdev->wiphy.probe_resp_offload))
2213			goto nla_put_failure;
2214
2215		if ((rdev->wiphy.available_antennas_tx ||
2216		     rdev->wiphy.available_antennas_rx) &&
2217		    rdev->ops->get_antenna) {
2218			u32 tx_ant = 0, rx_ant = 0;
2219			int res;
2220
2221			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2222			if (!res) {
2223				if (nla_put_u32(msg,
2224						NL80211_ATTR_WIPHY_ANTENNA_TX,
2225						tx_ant) ||
2226				    nla_put_u32(msg,
2227						NL80211_ATTR_WIPHY_ANTENNA_RX,
2228						rx_ant))
2229					goto nla_put_failure;
2230			}
2231		}
2232
2233		state->split_start++;
2234		if (state->split)
2235			break;
2236		fallthrough;
2237	case 2:
2238		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2239					rdev->wiphy.interface_modes))
2240				goto nla_put_failure;
2241		state->split_start++;
2242		if (state->split)
2243			break;
2244		fallthrough;
2245	case 3:
2246		nl_bands = nla_nest_start_noflag(msg,
2247						 NL80211_ATTR_WIPHY_BANDS);
2248		if (!nl_bands)
2249			goto nla_put_failure;
2250
2251		for (band = state->band_start;
2252		     band < NUM_NL80211_BANDS; band++) {
2253			struct ieee80211_supported_band *sband;
2254
2255			/* omit higher bands for ancient software */
2256			if (band > NL80211_BAND_5GHZ && !state->split)
2257				break;
2258
2259			sband = rdev->wiphy.bands[band];
2260
2261			if (!sband)
2262				continue;
2263
2264			nl_band = nla_nest_start_noflag(msg, band);
2265			if (!nl_band)
2266				goto nla_put_failure;
2267
2268			switch (state->chan_start) {
2269			case 0:
2270				if (nl80211_send_band_rateinfo(msg, sband,
2271							       state->split))
2272					goto nla_put_failure;
2273				state->chan_start++;
2274				if (state->split)
2275					break;
2276				fallthrough;
2277			default:
2278				/* add frequencies */
2279				nl_freqs = nla_nest_start_noflag(msg,
2280								 NL80211_BAND_ATTR_FREQS);
2281				if (!nl_freqs)
2282					goto nla_put_failure;
2283
2284				for (i = state->chan_start - 1;
2285				     i < sband->n_channels;
2286				     i++) {
2287					nl_freq = nla_nest_start_noflag(msg,
2288									i);
2289					if (!nl_freq)
2290						goto nla_put_failure;
2291
2292					chan = &sband->channels[i];
2293
2294					if (nl80211_msg_put_channel(
2295							msg, &rdev->wiphy, chan,
2296							state->split))
2297						goto nla_put_failure;
2298
2299					nla_nest_end(msg, nl_freq);
2300					if (state->split)
2301						break;
2302				}
2303				if (i < sband->n_channels)
2304					state->chan_start = i + 2;
2305				else
2306					state->chan_start = 0;
2307				nla_nest_end(msg, nl_freqs);
2308			}
2309
2310			nla_nest_end(msg, nl_band);
2311
2312			if (state->split) {
2313				/* start again here */
2314				if (state->chan_start)
2315					band--;
2316				break;
2317			}
2318		}
2319		nla_nest_end(msg, nl_bands);
2320
2321		if (band < NUM_NL80211_BANDS)
2322			state->band_start = band + 1;
2323		else
2324			state->band_start = 0;
2325
2326		/* if bands & channels are done, continue outside */
2327		if (state->band_start == 0 && state->chan_start == 0)
2328			state->split_start++;
2329		if (state->split)
2330			break;
2331		fallthrough;
2332	case 4:
2333		nl_cmds = nla_nest_start_noflag(msg,
2334						NL80211_ATTR_SUPPORTED_COMMANDS);
2335		if (!nl_cmds)
2336			goto nla_put_failure;
2337
2338		i = nl80211_add_commands_unsplit(rdev, msg);
2339		if (i < 0)
2340			goto nla_put_failure;
2341		if (state->split) {
2342			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2343			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2344			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2345				CMD(channel_switch, CHANNEL_SWITCH);
2346			CMD(set_qos_map, SET_QOS_MAP);
2347			if (rdev->wiphy.features &
2348					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2349				CMD(add_tx_ts, ADD_TX_TS);
2350			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2351			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2352			CMD(update_ft_ies, UPDATE_FT_IES);
2353		}
2354#undef CMD
2355
2356		nla_nest_end(msg, nl_cmds);
2357		state->split_start++;
2358		if (state->split)
2359			break;
2360		fallthrough;
2361	case 5:
2362		if (rdev->ops->remain_on_channel &&
2363		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2364		    nla_put_u32(msg,
2365				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2366				rdev->wiphy.max_remain_on_channel_duration))
2367			goto nla_put_failure;
2368
2369		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2370		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2371			goto nla_put_failure;
2372
2373		state->split_start++;
2374		if (state->split)
2375			break;
2376		fallthrough;
2377	case 6:
2378#ifdef CONFIG_PM
2379		if (nl80211_send_wowlan(msg, rdev, state->split))
2380			goto nla_put_failure;
2381		state->split_start++;
2382		if (state->split)
2383			break;
2384#else
2385		state->split_start++;
2386#endif
2387		fallthrough;
2388	case 7:
2389		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2390					rdev->wiphy.software_iftypes))
2391			goto nla_put_failure;
2392
2393		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2394						   state->split))
2395			goto nla_put_failure;
2396
2397		state->split_start++;
2398		if (state->split)
2399			break;
2400		fallthrough;
2401	case 8:
2402		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2403		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2404				rdev->wiphy.ap_sme_capa))
2405			goto nla_put_failure;
2406
2407		features = rdev->wiphy.features;
2408		/*
2409		 * We can only add the per-channel limit information if the
2410		 * dump is split, otherwise it makes it too big. Therefore
2411		 * only advertise it in that case.
2412		 */
2413		if (state->split)
2414			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2415		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2416			goto nla_put_failure;
2417
2418		if (rdev->wiphy.ht_capa_mod_mask &&
2419		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2420			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2421			    rdev->wiphy.ht_capa_mod_mask))
2422			goto nla_put_failure;
2423
2424		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2425		    rdev->wiphy.max_acl_mac_addrs &&
2426		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2427				rdev->wiphy.max_acl_mac_addrs))
2428			goto nla_put_failure;
2429
2430		/*
2431		 * Any information below this point is only available to
2432		 * applications that can deal with it being split. This
2433		 * helps ensure that newly added capabilities don't break
2434		 * older tools by overrunning their buffers.
2435		 *
2436		 * We still increment split_start so that in the split
2437		 * case we'll continue with more data in the next round,
2438		 * but break unconditionally so unsplit data stops here.
2439		 */
2440		if (state->split)
2441			state->split_start++;
2442		else
2443			state->split_start = 0;
2444		break;
2445	case 9:
2446		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2447			goto nla_put_failure;
2448
2449		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2450				rdev->wiphy.max_sched_scan_plans) ||
2451		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2452				rdev->wiphy.max_sched_scan_plan_interval) ||
2453		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2454				rdev->wiphy.max_sched_scan_plan_iterations))
2455			goto nla_put_failure;
2456
2457		if (rdev->wiphy.extended_capabilities &&
2458		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2459			     rdev->wiphy.extended_capabilities_len,
2460			     rdev->wiphy.extended_capabilities) ||
2461		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2462			     rdev->wiphy.extended_capabilities_len,
2463			     rdev->wiphy.extended_capabilities_mask)))
2464			goto nla_put_failure;
2465
2466		if (rdev->wiphy.vht_capa_mod_mask &&
2467		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2468			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2469			    rdev->wiphy.vht_capa_mod_mask))
2470			goto nla_put_failure;
2471
2472		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2473			    rdev->wiphy.perm_addr))
2474			goto nla_put_failure;
2475
2476		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2477		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2478			    rdev->wiphy.addr_mask))
2479			goto nla_put_failure;
2480
2481		if (rdev->wiphy.n_addresses > 1) {
2482			void *attr;
2483
2484			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2485			if (!attr)
2486				goto nla_put_failure;
2487
2488			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2489				if (nla_put(msg, i + 1, ETH_ALEN,
2490					    rdev->wiphy.addresses[i].addr))
2491					goto nla_put_failure;
2492
2493			nla_nest_end(msg, attr);
2494		}
2495
2496		state->split_start++;
2497		break;
2498	case 10:
2499		if (nl80211_send_coalesce(msg, rdev))
2500			goto nla_put_failure;
2501
2502		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2503		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2504		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2505			goto nla_put_failure;
2506
2507		if (rdev->wiphy.max_ap_assoc_sta &&
2508		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2509				rdev->wiphy.max_ap_assoc_sta))
2510			goto nla_put_failure;
2511
2512		state->split_start++;
2513		break;
2514	case 11:
2515		if (rdev->wiphy.n_vendor_commands) {
2516			const struct nl80211_vendor_cmd_info *info;
2517			struct nlattr *nested;
2518
2519			nested = nla_nest_start_noflag(msg,
2520						       NL80211_ATTR_VENDOR_DATA);
2521			if (!nested)
2522				goto nla_put_failure;
2523
2524			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2525				info = &rdev->wiphy.vendor_commands[i].info;
2526				if (nla_put(msg, i + 1, sizeof(*info), info))
2527					goto nla_put_failure;
2528			}
2529			nla_nest_end(msg, nested);
2530		}
2531
2532		if (rdev->wiphy.n_vendor_events) {
2533			const struct nl80211_vendor_cmd_info *info;
2534			struct nlattr *nested;
2535
2536			nested = nla_nest_start_noflag(msg,
2537						       NL80211_ATTR_VENDOR_EVENTS);
2538			if (!nested)
2539				goto nla_put_failure;
2540
2541			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2542				info = &rdev->wiphy.vendor_events[i];
2543				if (nla_put(msg, i + 1, sizeof(*info), info))
2544					goto nla_put_failure;
2545			}
2546			nla_nest_end(msg, nested);
2547		}
2548		state->split_start++;
2549		break;
2550	case 12:
2551		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2552		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2553			       rdev->wiphy.max_num_csa_counters))
2554			goto nla_put_failure;
2555
2556		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2557		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2558			goto nla_put_failure;
2559
2560		if (rdev->wiphy.max_sched_scan_reqs &&
2561		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2562				rdev->wiphy.max_sched_scan_reqs))
2563			goto nla_put_failure;
2564
2565		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2566			    sizeof(rdev->wiphy.ext_features),
2567			    rdev->wiphy.ext_features))
2568			goto nla_put_failure;
2569
2570		if (rdev->wiphy.bss_select_support) {
2571			struct nlattr *nested;
2572			u32 bss_select_support = rdev->wiphy.bss_select_support;
2573
2574			nested = nla_nest_start_noflag(msg,
2575						       NL80211_ATTR_BSS_SELECT);
2576			if (!nested)
2577				goto nla_put_failure;
2578
2579			i = 0;
2580			while (bss_select_support) {
2581				if ((bss_select_support & 1) &&
2582				    nla_put_flag(msg, i))
2583					goto nla_put_failure;
2584				i++;
2585				bss_select_support >>= 1;
2586			}
2587			nla_nest_end(msg, nested);
2588		}
2589
2590		state->split_start++;
2591		break;
2592	case 13:
2593		if (rdev->wiphy.num_iftype_ext_capab &&
2594		    rdev->wiphy.iftype_ext_capab) {
2595			struct nlattr *nested_ext_capab, *nested;
2596
2597			nested = nla_nest_start_noflag(msg,
2598						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2599			if (!nested)
2600				goto nla_put_failure;
2601
2602			for (i = state->capa_start;
2603			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2604				const struct wiphy_iftype_ext_capab *capab;
2605
2606				capab = &rdev->wiphy.iftype_ext_capab[i];
2607
2608				nested_ext_capab = nla_nest_start_noflag(msg,
2609									 i);
2610				if (!nested_ext_capab ||
2611				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2612						capab->iftype) ||
2613				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2614					    capab->extended_capabilities_len,
2615					    capab->extended_capabilities) ||
2616				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2617					    capab->extended_capabilities_len,
2618					    capab->extended_capabilities_mask))
2619					goto nla_put_failure;
2620
2621				nla_nest_end(msg, nested_ext_capab);
2622				if (state->split)
2623					break;
2624			}
2625			nla_nest_end(msg, nested);
2626			if (i < rdev->wiphy.num_iftype_ext_capab) {
2627				state->capa_start = i + 1;
2628				break;
2629			}
2630		}
2631
2632		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2633				rdev->wiphy.nan_supported_bands))
2634			goto nla_put_failure;
2635
2636		if (wiphy_ext_feature_isset(&rdev->wiphy,
2637					    NL80211_EXT_FEATURE_TXQS)) {
2638			struct cfg80211_txq_stats txqstats = {};
2639			int res;
2640
2641			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2642			if (!res &&
2643			    !nl80211_put_txq_stats(msg, &txqstats,
2644						   NL80211_ATTR_TXQ_STATS))
2645				goto nla_put_failure;
2646
2647			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2648					rdev->wiphy.txq_limit))
2649				goto nla_put_failure;
2650			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2651					rdev->wiphy.txq_memory_limit))
2652				goto nla_put_failure;
2653			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2654					rdev->wiphy.txq_quantum))
2655				goto nla_put_failure;
2656		}
2657
2658		state->split_start++;
2659		break;
2660	case 14:
2661		if (nl80211_send_pmsr_capa(rdev, msg))
2662			goto nla_put_failure;
2663
2664		state->split_start++;
2665		break;
2666	case 15:
2667		if (rdev->wiphy.akm_suites &&
2668		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2669			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2670			    rdev->wiphy.akm_suites))
2671			goto nla_put_failure;
2672
2673		if (nl80211_put_iftype_akm_suites(rdev, msg))
2674			goto nla_put_failure;
2675
2676		if (nl80211_put_tid_config_support(rdev, msg))
2677			goto nla_put_failure;
2678
2679		/* done */
2680		state->split_start = 0;
2681		break;
2682	}
2683 finish:
2684	genlmsg_end(msg, hdr);
2685	return 0;
2686
2687 nla_put_failure:
2688	genlmsg_cancel(msg, hdr);
2689	return -EMSGSIZE;
2690}
2691
2692static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2693				    struct netlink_callback *cb,
2694				    struct nl80211_dump_wiphy_state *state)
2695{
2696	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
2697	int ret;
2698
2699	if (!tb)
2700		return -ENOMEM;
2701
2702	ret = nlmsg_parse_deprecated(cb->nlh,
2703				     GENL_HDRLEN + nl80211_fam.hdrsize,
2704				     tb, nl80211_fam.maxattr,
2705				     nl80211_policy, NULL);
2706	/* ignore parse errors for backward compatibility */
2707	if (ret) {
2708		ret = 0;
2709		goto out;
2710	}
2711
2712	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2713	if (tb[NL80211_ATTR_WIPHY])
2714		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2715	if (tb[NL80211_ATTR_WDEV])
2716		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
2717	if (tb[NL80211_ATTR_IFINDEX]) {
2718		struct net_device *netdev;
2719		struct cfg80211_registered_device *rdev;
2720		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
2721
2722		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
2723		if (!netdev) {
2724			ret = -ENODEV;
2725			goto out;
2726		}
2727		if (netdev->ieee80211_ptr) {
2728			rdev = wiphy_to_rdev(
2729				netdev->ieee80211_ptr->wiphy);
2730			state->filter_wiphy = rdev->wiphy_idx;
2731		}
2732	}
2733
2734	ret = 0;
2735out:
2736	kfree(tb);
2737	return ret;
2738}
2739
2740static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
2741{
2742	int idx = 0, ret;
2743	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
2744	struct cfg80211_registered_device *rdev;
2745
2746	rtnl_lock();
2747	if (!state) {
2748		state = kzalloc(sizeof(*state), GFP_KERNEL);
2749		if (!state) {
2750			rtnl_unlock();
2751			return -ENOMEM;
2752		}
2753		state->filter_wiphy = -1;
2754		ret = nl80211_dump_wiphy_parse(skb, cb, state);
2755		if (ret) {
2756			kfree(state);
2757			rtnl_unlock();
2758			return ret;
2759		}
2760		cb->args[0] = (long)state;
2761	}
2762
2763	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2764		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2765			continue;
2766		if (++idx <= state->start)
2767			continue;
2768		if (state->filter_wiphy != -1 &&
2769		    state->filter_wiphy != rdev->wiphy_idx)
2770			continue;
2771		/* attempt to fit multiple wiphy data chunks into the skb */
2772		do {
2773			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
2774						 skb,
2775						 NETLINK_CB(cb->skb).portid,
2776						 cb->nlh->nlmsg_seq,
2777						 NLM_F_MULTI, state);
2778			if (ret < 0) {
2779				/*
2780				 * If sending the wiphy data didn't fit (ENOBUFS
2781				 * or EMSGSIZE returned), this SKB is still
2782				 * empty (so it's not too big because another
2783				 * wiphy dataset is already in the skb) and
2784				 * we've not tried to adjust the dump allocation
2785				 * yet ... then adjust the alloc size to be
2786				 * bigger, and return 1 but with the empty skb.
2787				 * This results in an empty message being RX'ed
2788				 * in userspace, but that is ignored.
2789				 *
2790				 * We can then retry with the larger buffer.
2791				 */
2792				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
2793				    !skb->len && !state->split &&
2794				    cb->min_dump_alloc < 4096) {
2795					cb->min_dump_alloc = 4096;
2796					state->split_start = 0;
2797					rtnl_unlock();
2798					return 1;
2799				}
2800				idx--;
2801				break;
2802			}
2803		} while (state->split_start > 0);
2804		break;
2805	}
2806	rtnl_unlock();
2807
2808	state->start = idx;
2809
2810	return skb->len;
2811}
2812
2813static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
2814{
2815	kfree((void *)cb->args[0]);
2816	return 0;
2817}
2818
2819static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
2820{
2821	struct sk_buff *msg;
2822	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2823	struct nl80211_dump_wiphy_state state = {};
2824
2825	msg = nlmsg_new(4096, GFP_KERNEL);
2826	if (!msg)
2827		return -ENOMEM;
2828
2829	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
2830			       info->snd_portid, info->snd_seq, 0,
2831			       &state) < 0) {
2832		nlmsg_free(msg);
2833		return -ENOBUFS;
2834	}
2835
2836	return genlmsg_reply(msg, info);
2837}
2838
2839static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
2840	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
2841	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
2842	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
2843	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
2844	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
2845};
2846
2847static int parse_txq_params(struct nlattr *tb[],
2848			    struct ieee80211_txq_params *txq_params)
2849{
2850	u8 ac;
2851
2852	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
2853	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
2854	    !tb[NL80211_TXQ_ATTR_AIFS])
2855		return -EINVAL;
2856
2857	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
2858	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
2859	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
2860	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
2861	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
2862
2863	if (ac >= NL80211_NUM_ACS)
2864		return -EINVAL;
2865	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
2866	return 0;
2867}
2868
2869static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
2870{
2871	/*
2872	 * You can only set the channel explicitly for WDS interfaces,
2873	 * all others have their channel managed via their respective
2874	 * "establish a connection" command (connect, join, ...)
2875	 *
2876	 * For AP/GO and mesh mode, the channel can be set with the
2877	 * channel userspace API, but is only stored and passed to the
2878	 * low-level driver when the AP starts or the mesh is joined.
2879	 * This is for backward compatibility, userspace can also give
2880	 * the channel in the start-ap or join-mesh commands instead.
2881	 *
2882	 * Monitors are special as they are normally slaved to
2883	 * whatever else is going on, so they have their own special
2884	 * operation to set the monitor channel if possible.
2885	 */
2886	return !wdev ||
2887		wdev->iftype == NL80211_IFTYPE_AP ||
2888		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
2889		wdev->iftype == NL80211_IFTYPE_MONITOR ||
2890		wdev->iftype == NL80211_IFTYPE_P2P_GO;
2891}
2892
2893int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
2894			  struct genl_info *info,
2895			  struct cfg80211_chan_def *chandef)
2896{
2897	struct netlink_ext_ack *extack = info->extack;
2898	struct nlattr **attrs = info->attrs;
2899	u32 control_freq;
2900
2901	if (!attrs[NL80211_ATTR_WIPHY_FREQ])
2902		return -EINVAL;
2903
2904	control_freq = MHZ_TO_KHZ(
2905			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
2906	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
2907		control_freq +=
2908		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
2909
2910	memset(chandef, 0, sizeof(*chandef));
2911	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
2912	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
2913	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
2914	chandef->freq1_offset = control_freq % 1000;
2915	chandef->center_freq2 = 0;
2916
2917	/* Primary channel not allowed */
2918	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
2919		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
2920				    "Channel is disabled");
2921		return -EINVAL;
2922	}
2923
2924	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
2925		enum nl80211_channel_type chantype;
2926
2927		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
2928
2929		switch (chantype) {
2930		case NL80211_CHAN_NO_HT:
2931		case NL80211_CHAN_HT20:
2932		case NL80211_CHAN_HT40PLUS:
2933		case NL80211_CHAN_HT40MINUS:
2934			cfg80211_chandef_create(chandef, chandef->chan,
2935						chantype);
2936			/* user input for center_freq is incorrect */
2937			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
2938			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
2939				NL_SET_ERR_MSG_ATTR(extack,
2940						    attrs[NL80211_ATTR_CENTER_FREQ1],
2941						    "bad center frequency 1");
2942				return -EINVAL;
2943			}
2944			/* center_freq2 must be zero */
2945			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
2946			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
2947				NL_SET_ERR_MSG_ATTR(extack,
2948						    attrs[NL80211_ATTR_CENTER_FREQ2],
2949						    "center frequency 2 can't be used");
2950				return -EINVAL;
2951			}
2952			break;
2953		default:
2954			NL_SET_ERR_MSG_ATTR(extack,
2955					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
2956					    "invalid channel type");
2957			return -EINVAL;
2958		}
2959	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
2960		chandef->width =
2961			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
2962		if (chandef->chan->band == NL80211_BAND_S1GHZ) {
2963			/* User input error for channel width doesn't match channel  */
2964			if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {
2965				NL_SET_ERR_MSG_ATTR(extack,
2966						    attrs[NL80211_ATTR_CHANNEL_WIDTH],
2967						    "bad channel width");
2968				return -EINVAL;
2969			}
2970		}
2971		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
2972			chandef->center_freq1 =
2973				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
2974			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
2975				chandef->freq1_offset = nla_get_u32(
2976				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
2977			else
2978				chandef->freq1_offset = 0;
2979		}
2980		if (attrs[NL80211_ATTR_CENTER_FREQ2])
2981			chandef->center_freq2 =
2982				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
2983	}
2984
2985	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
2986		chandef->edmg.channels =
2987		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
2988
2989		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
2990			chandef->edmg.bw_config =
2991		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
2992	} else {
2993		chandef->edmg.bw_config = 0;
2994		chandef->edmg.channels = 0;
2995	}
2996
2997	if (!cfg80211_chandef_valid(chandef)) {
2998		NL_SET_ERR_MSG(extack, "invalid channel definition");
2999		return -EINVAL;
3000	}
3001
3002	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
3003				     IEEE80211_CHAN_DISABLED)) {
3004		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3005		return -EINVAL;
3006	}
3007
3008	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3009	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3010	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3011		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3012		return -EINVAL;
3013	}
3014
3015	return 0;
3016}
3017
3018static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3019				 struct net_device *dev,
3020				 struct genl_info *info)
3021{
3022	struct cfg80211_chan_def chandef;
3023	int result;
3024	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3025	struct wireless_dev *wdev = NULL;
3026
3027	if (dev)
3028		wdev = dev->ieee80211_ptr;
3029	if (!nl80211_can_set_dev_channel(wdev))
3030		return -EOPNOTSUPP;
3031	if (wdev)
3032		iftype = wdev->iftype;
3033
3034	result = nl80211_parse_chandef(rdev, info, &chandef);
3035	if (result)
3036		return result;
3037
3038	switch (iftype) {
3039	case NL80211_IFTYPE_AP:
3040	case NL80211_IFTYPE_P2P_GO:
3041		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3042						   iftype)) {
3043			result = -EINVAL;
3044			break;
3045		}
3046		if (wdev->beacon_interval) {
3047			if (!dev || !rdev->ops->set_ap_chanwidth ||
3048			    !(rdev->wiphy.features &
3049			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
3050				result = -EBUSY;
3051				break;
3052			}
3053
3054			/* Only allow dynamic channel width changes */
3055			if (chandef.chan != wdev->preset_chandef.chan) {
3056				result = -EBUSY;
3057				break;
3058			}
3059			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
3060			if (result)
3061				break;
3062		}
3063		wdev->preset_chandef = chandef;
3064		result = 0;
3065		break;
3066	case NL80211_IFTYPE_MESH_POINT:
3067		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3068		break;
3069	case NL80211_IFTYPE_MONITOR:
3070		result = cfg80211_set_monitor_channel(rdev, &chandef);
3071		break;
3072	default:
3073		result = -EINVAL;
3074	}
3075
3076	return result;
3077}
3078
3079static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3080{
3081	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3082	struct net_device *netdev = info->user_ptr[1];
3083
3084	return __nl80211_set_channel(rdev, netdev, info);
3085}
3086
3087static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
3088{
3089	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3090	struct net_device *dev = info->user_ptr[1];
3091	struct wireless_dev *wdev = dev->ieee80211_ptr;
3092	const u8 *bssid;
3093
3094	if (!info->attrs[NL80211_ATTR_MAC])
3095		return -EINVAL;
3096
3097	if (netif_running(dev))
3098		return -EBUSY;
3099
3100	if (!rdev->ops->set_wds_peer)
3101		return -EOPNOTSUPP;
3102
3103	if (wdev->iftype != NL80211_IFTYPE_WDS)
3104		return -EOPNOTSUPP;
3105
3106	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
3107	return rdev_set_wds_peer(rdev, dev, bssid);
3108}
3109
3110static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3111{
3112	struct cfg80211_registered_device *rdev;
3113	struct net_device *netdev = NULL;
3114	struct wireless_dev *wdev;
3115	int result = 0, rem_txq_params = 0;
3116	struct nlattr *nl_txq_params;
3117	u32 changed;
3118	u8 retry_short = 0, retry_long = 0;
3119	u32 frag_threshold = 0, rts_threshold = 0;
3120	u8 coverage_class = 0;
3121	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3122
3123	ASSERT_RTNL();
3124
3125	/*
3126	 * Try to find the wiphy and netdev. Normally this
3127	 * function shouldn't need the netdev, but this is
3128	 * done for backward compatibility -- previously
3129	 * setting the channel was done per wiphy, but now
3130	 * it is per netdev. Previous userland like hostapd
3131	 * also passed a netdev to set_wiphy, so that it is
3132	 * possible to let that go to the right netdev!
3133	 */
3134
3135	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3136		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3137
3138		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3139		if (netdev && netdev->ieee80211_ptr)
3140			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3141		else
3142			netdev = NULL;
3143	}
3144
3145	if (!netdev) {
3146		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3147						  info->attrs);
3148		if (IS_ERR(rdev))
3149			return PTR_ERR(rdev);
3150		wdev = NULL;
3151		netdev = NULL;
3152		result = 0;
3153	} else
3154		wdev = netdev->ieee80211_ptr;
3155
3156	/*
3157	 * end workaround code, by now the rdev is available
3158	 * and locked, and wdev may or may not be NULL.
3159	 */
3160
3161	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3162		result = cfg80211_dev_rename(
3163			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3164
3165	if (result)
3166		return result;
3167
3168	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3169		struct ieee80211_txq_params txq_params;
3170		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3171
3172		if (!rdev->ops->set_txq_params)
3173			return -EOPNOTSUPP;
3174
3175		if (!netdev)
3176			return -EINVAL;
3177
3178		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3179		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3180			return -EINVAL;
3181
3182		if (!netif_running(netdev))
3183			return -ENETDOWN;
3184
3185		nla_for_each_nested(nl_txq_params,
3186				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3187				    rem_txq_params) {
3188			result = nla_parse_nested_deprecated(tb,
3189							     NL80211_TXQ_ATTR_MAX,
3190							     nl_txq_params,
3191							     txq_params_policy,
3192							     info->extack);
3193			if (result)
3194				return result;
3195			result = parse_txq_params(tb, &txq_params);
3196			if (result)
3197				return result;
3198
3199			result = rdev_set_txq_params(rdev, netdev,
3200						     &txq_params);
3201			if (result)
3202				return result;
3203		}
3204	}
3205
3206	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3207		result = __nl80211_set_channel(
3208			rdev,
3209			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3210			info);
3211		if (result)
3212			return result;
3213	}
3214
3215	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3216		struct wireless_dev *txp_wdev = wdev;
3217		enum nl80211_tx_power_setting type;
3218		int idx, mbm = 0;
3219
3220		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3221			txp_wdev = NULL;
3222
3223		if (!rdev->ops->set_tx_power)
3224			return -EOPNOTSUPP;
3225
3226		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3227		type = nla_get_u32(info->attrs[idx]);
3228
3229		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3230		    (type != NL80211_TX_POWER_AUTOMATIC))
3231			return -EINVAL;
3232
3233		if (type != NL80211_TX_POWER_AUTOMATIC) {
3234			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3235			mbm = nla_get_u32(info->attrs[idx]);
3236		}
3237
3238		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3239		if (result)
3240			return result;
3241	}
3242
3243	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3244	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3245		u32 tx_ant, rx_ant;
3246
3247		if ((!rdev->wiphy.available_antennas_tx &&
3248		     !rdev->wiphy.available_antennas_rx) ||
3249		    !rdev->ops->set_antenna)
3250			return -EOPNOTSUPP;
3251
3252		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3253		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3254
3255		/* reject antenna configurations which don't match the
3256		 * available antenna masks, except for the "all" mask */
3257		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3258		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
3259			return -EINVAL;
3260
3261		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3262		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3263
3264		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3265		if (result)
3266			return result;
3267	}
3268
3269	changed = 0;
3270
3271	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3272		retry_short = nla_get_u8(
3273			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3274
3275		changed |= WIPHY_PARAM_RETRY_SHORT;
3276	}
3277
3278	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3279		retry_long = nla_get_u8(
3280			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3281
3282		changed |= WIPHY_PARAM_RETRY_LONG;
3283	}
3284
3285	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3286		frag_threshold = nla_get_u32(
3287			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3288		if (frag_threshold < 256)
3289			return -EINVAL;
3290
3291		if (frag_threshold != (u32) -1) {
3292			/*
3293			 * Fragments (apart from the last one) are required to
3294			 * have even length. Make the fragmentation code
3295			 * simpler by stripping LSB should someone try to use
3296			 * odd threshold value.
3297			 */
3298			frag_threshold &= ~0x1;
3299		}
3300		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3301	}
3302
3303	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3304		rts_threshold = nla_get_u32(
3305			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3306		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3307	}
3308
3309	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3310		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
3311			return -EINVAL;
3312
3313		coverage_class = nla_get_u8(
3314			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3315		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3316	}
3317
3318	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3319		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
3320			return -EOPNOTSUPP;
3321
3322		changed |= WIPHY_PARAM_DYN_ACK;
3323	}
3324
3325	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3326		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3327					     NL80211_EXT_FEATURE_TXQS))
3328			return -EOPNOTSUPP;
3329		txq_limit = nla_get_u32(
3330			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3331		changed |= WIPHY_PARAM_TXQ_LIMIT;
3332	}
3333
3334	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3335		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3336					     NL80211_EXT_FEATURE_TXQS))
3337			return -EOPNOTSUPP;
3338		txq_memory_limit = nla_get_u32(
3339			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3340		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3341	}
3342
3343	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3344		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3345					     NL80211_EXT_FEATURE_TXQS))
3346			return -EOPNOTSUPP;
3347		txq_quantum = nla_get_u32(
3348			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3349		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3350	}
3351
3352	if (changed) {
3353		u8 old_retry_short, old_retry_long;
3354		u32 old_frag_threshold, old_rts_threshold;
3355		u8 old_coverage_class;
3356		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3357
3358		if (!rdev->ops->set_wiphy_params)
3359			return -EOPNOTSUPP;
3360
3361		old_retry_short = rdev->wiphy.retry_short;
3362		old_retry_long = rdev->wiphy.retry_long;
3363		old_frag_threshold = rdev->wiphy.frag_threshold;
3364		old_rts_threshold = rdev->wiphy.rts_threshold;
3365		old_coverage_class = rdev->wiphy.coverage_class;
3366		old_txq_limit = rdev->wiphy.txq_limit;
3367		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3368		old_txq_quantum = rdev->wiphy.txq_quantum;
3369
3370		if (changed & WIPHY_PARAM_RETRY_SHORT)
3371			rdev->wiphy.retry_short = retry_short;
3372		if (changed & WIPHY_PARAM_RETRY_LONG)
3373			rdev->wiphy.retry_long = retry_long;
3374		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3375			rdev->wiphy.frag_threshold = frag_threshold;
3376		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3377			rdev->wiphy.rts_threshold = rts_threshold;
3378		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3379			rdev->wiphy.coverage_class = coverage_class;
3380		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3381			rdev->wiphy.txq_limit = txq_limit;
3382		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3383			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3384		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3385			rdev->wiphy.txq_quantum = txq_quantum;
3386
3387		result = rdev_set_wiphy_params(rdev, changed);
3388		if (result) {
3389			rdev->wiphy.retry_short = old_retry_short;
3390			rdev->wiphy.retry_long = old_retry_long;
3391			rdev->wiphy.frag_threshold = old_frag_threshold;
3392			rdev->wiphy.rts_threshold = old_rts_threshold;
3393			rdev->wiphy.coverage_class = old_coverage_class;
3394			rdev->wiphy.txq_limit = old_txq_limit;
3395			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3396			rdev->wiphy.txq_quantum = old_txq_quantum;
3397			return result;
3398		}
3399	}
3400	return 0;
3401}
3402
3403static int nl80211_send_chandef(struct sk_buff *msg,
3404				const struct cfg80211_chan_def *chandef)
3405{
3406	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3407		return -EINVAL;
3408
3409	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3410			chandef->chan->center_freq))
3411		return -ENOBUFS;
3412	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3413			chandef->chan->freq_offset))
3414		return -ENOBUFS;
3415	switch (chandef->width) {
3416	case NL80211_CHAN_WIDTH_20_NOHT:
3417	case NL80211_CHAN_WIDTH_20:
3418	case NL80211_CHAN_WIDTH_40:
3419		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3420				cfg80211_get_chandef_type(chandef)))
3421			return -ENOBUFS;
3422		break;
3423	default:
3424		break;
3425	}
3426	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3427		return -ENOBUFS;
3428	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3429		return -ENOBUFS;
3430	if (chandef->center_freq2 &&
3431	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3432		return -ENOBUFS;
3433	return 0;
3434}
3435
3436static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3437			      struct cfg80211_registered_device *rdev,
3438			      struct wireless_dev *wdev,
3439			      enum nl80211_commands cmd)
3440{
3441	struct net_device *dev = wdev->netdev;
3442	void *hdr;
3443
3444	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3445		cmd != NL80211_CMD_DEL_INTERFACE &&
3446		cmd != NL80211_CMD_SET_INTERFACE);
3447
3448	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3449	if (!hdr)
3450		return -1;
3451
3452	if (dev &&
3453	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3454	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3455		goto nla_put_failure;
3456
3457	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3458	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3459	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3460			      NL80211_ATTR_PAD) ||
3461	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3462	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3463			rdev->devlist_generation ^
3464			(cfg80211_rdev_list_generation << 2)) ||
3465	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3466		goto nla_put_failure;
3467
3468	if (rdev->ops->get_channel) {
3469		int ret;
3470		struct cfg80211_chan_def chandef = {};
3471
3472		ret = rdev_get_channel(rdev, wdev, &chandef);
3473		if (ret == 0) {
3474			if (nl80211_send_chandef(msg, &chandef))
3475				goto nla_put_failure;
3476		}
3477	}
3478
3479	if (rdev->ops->get_tx_power) {
3480		int dbm, ret;
3481
3482		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3483		if (ret == 0 &&
3484		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3485				DBM_TO_MBM(dbm)))
3486			goto nla_put_failure;
3487	}
3488
3489	wdev_lock(wdev);
3490	switch (wdev->iftype) {
3491	case NL80211_IFTYPE_AP:
3492	case NL80211_IFTYPE_P2P_GO:
3493		if (wdev->ssid_len &&
3494		    nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
3495			goto nla_put_failure_locked;
3496		break;
3497	case NL80211_IFTYPE_STATION:
3498	case NL80211_IFTYPE_P2P_CLIENT:
3499	case NL80211_IFTYPE_ADHOC: {
3500		const u8 *ssid_ie;
3501		if (!wdev->current_bss)
3502			break;
3503		rcu_read_lock();
3504		ssid_ie = ieee80211_bss_get_ie(&wdev->current_bss->pub,
3505					       WLAN_EID_SSID);
3506		if (ssid_ie &&
3507		    nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2))
3508			goto nla_put_failure_rcu_locked;
3509		rcu_read_unlock();
3510		break;
3511		}
3512	default:
3513		/* nothing */
3514		break;
3515	}
3516	wdev_unlock(wdev);
3517
3518	if (rdev->ops->get_txq_stats) {
3519		struct cfg80211_txq_stats txqstats = {};
3520		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3521
3522		if (ret == 0 &&
3523		    !nl80211_put_txq_stats(msg, &txqstats,
3524					   NL80211_ATTR_TXQ_STATS))
3525			goto nla_put_failure;
3526	}
3527
3528	genlmsg_end(msg, hdr);
3529	return 0;
3530
3531 nla_put_failure_rcu_locked:
3532	rcu_read_unlock();
3533 nla_put_failure_locked:
3534	wdev_unlock(wdev);
3535 nla_put_failure:
3536	genlmsg_cancel(msg, hdr);
3537	return -EMSGSIZE;
3538}
3539
3540static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3541{
3542	int wp_idx = 0;
3543	int if_idx = 0;
3544	int wp_start = cb->args[0];
3545	int if_start = cb->args[1];
3546	int filter_wiphy = -1;
3547	struct cfg80211_registered_device *rdev;
3548	struct wireless_dev *wdev;
3549	int ret;
3550
3551	rtnl_lock();
3552	if (!cb->args[2]) {
3553		struct nl80211_dump_wiphy_state state = {
3554			.filter_wiphy = -1,
3555		};
3556
3557		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3558		if (ret)
3559			goto out_unlock;
3560
3561		filter_wiphy = state.filter_wiphy;
3562
3563		/*
3564		 * if filtering, set cb->args[2] to +1 since 0 is the default
3565		 * value needed to determine that parsing is necessary.
3566		 */
3567		if (filter_wiphy >= 0)
3568			cb->args[2] = filter_wiphy + 1;
3569		else
3570			cb->args[2] = -1;
3571	} else if (cb->args[2] > 0) {
3572		filter_wiphy = cb->args[2] - 1;
3573	}
3574
3575	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3576		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3577			continue;
3578		if (wp_idx < wp_start) {
3579			wp_idx++;
3580			continue;
3581		}
3582
3583		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3584			continue;
3585
3586		if_idx = 0;
3587
3588		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3589			if (if_idx < if_start) {
3590				if_idx++;
3591				continue;
3592			}
3593			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
3594					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
3595					       rdev, wdev,
3596					       NL80211_CMD_NEW_INTERFACE) < 0) {
3597				goto out;
3598			}
3599			if_idx++;
3600		}
3601
3602		wp_idx++;
3603	}
3604 out:
3605	cb->args[0] = wp_idx;
3606	cb->args[1] = if_idx;
3607
3608	ret = skb->len;
3609 out_unlock:
3610	rtnl_unlock();
3611
3612	return ret;
3613}
3614
3615static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3616{
3617	struct sk_buff *msg;
3618	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3619	struct wireless_dev *wdev = info->user_ptr[1];
3620
3621	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3622	if (!msg)
3623		return -ENOMEM;
3624
3625	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3626			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3627		nlmsg_free(msg);
3628		return -ENOBUFS;
3629	}
3630
3631	return genlmsg_reply(msg, info);
3632}
3633
3634static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
3635	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
3636	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
3637	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
3638	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
3639	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
3640	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
3641};
3642
3643static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
3644{
3645	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
3646	int flag;
3647
3648	*mntrflags = 0;
3649
3650	if (!nla)
3651		return -EINVAL;
3652
3653	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
3654		return -EINVAL;
3655
3656	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
3657		if (flags[flag])
3658			*mntrflags |= (1<<flag);
3659
3660	*mntrflags |= MONITOR_FLAG_CHANGED;
3661
3662	return 0;
3663}
3664
3665static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
3666				     enum nl80211_iftype type,
3667				     struct genl_info *info,
3668				     struct vif_params *params)
3669{
3670	bool change = false;
3671	int err;
3672
3673	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
3674		if (type != NL80211_IFTYPE_MONITOR)
3675			return -EINVAL;
3676
3677		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
3678					  &params->flags);
3679		if (err)
3680			return err;
3681
3682		change = true;
3683	}
3684
3685	if (params->flags & MONITOR_FLAG_ACTIVE &&
3686	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
3687		return -EOPNOTSUPP;
3688
3689	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
3690		const u8 *mumimo_groups;
3691		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3692
3693		if (type != NL80211_IFTYPE_MONITOR)
3694			return -EINVAL;
3695
3696		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3697			return -EOPNOTSUPP;
3698
3699		mumimo_groups =
3700			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
3701
3702		/* bits 0 and 63 are reserved and must be zero */
3703		if ((mumimo_groups[0] & BIT(0)) ||
3704		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
3705			return -EINVAL;
3706
3707		params->vht_mumimo_groups = mumimo_groups;
3708		change = true;
3709	}
3710
3711	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
3712		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3713
3714		if (type != NL80211_IFTYPE_MONITOR)
3715			return -EINVAL;
3716
3717		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3718			return -EOPNOTSUPP;
3719
3720		params->vht_mumimo_follow_addr =
3721			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
3722		change = true;
3723	}
3724
3725	return change ? 1 : 0;
3726}
3727
3728static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
3729			       struct net_device *netdev, u8 use_4addr,
3730			       enum nl80211_iftype iftype)
3731{
3732	if (!use_4addr) {
3733		if (netdev && netif_is_bridge_port(netdev))
3734			return -EBUSY;
3735		return 0;
3736	}
3737
3738	switch (iftype) {
3739	case NL80211_IFTYPE_AP_VLAN:
3740		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
3741			return 0;
3742		break;
3743	case NL80211_IFTYPE_STATION:
3744		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
3745			return 0;
3746		break;
3747	default:
3748		break;
3749	}
3750
3751	return -EOPNOTSUPP;
3752}
3753
3754static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
3755{
3756	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3757	struct vif_params params;
3758	int err;
3759	enum nl80211_iftype otype, ntype;
3760	struct net_device *dev = info->user_ptr[1];
3761	bool change = false;
3762
3763	memset(&params, 0, sizeof(params));
3764
3765	otype = ntype = dev->ieee80211_ptr->iftype;
3766
3767	if (info->attrs[NL80211_ATTR_IFTYPE]) {
3768		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3769		if (otype != ntype)
3770			change = true;
3771	}
3772
3773	if (info->attrs[NL80211_ATTR_MESH_ID]) {
3774		struct wireless_dev *wdev = dev->ieee80211_ptr;
3775
3776		if (ntype != NL80211_IFTYPE_MESH_POINT)
3777			return -EINVAL;
3778		if (otype != NL80211_IFTYPE_MESH_POINT)
3779			return -EINVAL;
3780		if (netif_running(dev))
3781			return -EBUSY;
3782
3783		wdev_lock(wdev);
3784		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3785			     IEEE80211_MAX_MESH_ID_LEN);
3786		wdev->mesh_id_up_len =
3787			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3788		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3789		       wdev->mesh_id_up_len);
3790		wdev_unlock(wdev);
3791	}
3792
3793	if (info->attrs[NL80211_ATTR_4ADDR]) {
3794		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3795		change = true;
3796		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
3797		if (err)
3798			return err;
3799	} else {
3800		params.use_4addr = -1;
3801	}
3802
3803	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
3804	if (err < 0)
3805		return err;
3806	if (err > 0)
3807		change = true;
3808
3809	if (change)
3810		err = cfg80211_change_iface(rdev, dev, ntype, &params);
3811	else
3812		err = 0;
3813
3814	if (!err && params.use_4addr != -1)
3815		dev->ieee80211_ptr->use_4addr = params.use_4addr;
3816
3817	if (change && !err) {
3818		struct wireless_dev *wdev = dev->ieee80211_ptr;
3819
3820		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
3821	}
3822
3823	return err;
3824}
3825
3826static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
3827{
3828	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3829	struct vif_params params;
3830	struct wireless_dev *wdev;
3831	struct sk_buff *msg;
3832	int err;
3833	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
3834
3835	/* to avoid failing a new interface creation due to pending removal */
3836	cfg80211_destroy_ifaces(rdev);
3837
3838	memset(&params, 0, sizeof(params));
3839
3840	if (!info->attrs[NL80211_ATTR_IFNAME])
3841		return -EINVAL;
3842
3843	if (info->attrs[NL80211_ATTR_IFTYPE])
3844		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3845
3846	if (!rdev->ops->add_virtual_intf)
3847		return -EOPNOTSUPP;
3848
3849	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
3850	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
3851	    info->attrs[NL80211_ATTR_MAC]) {
3852		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
3853			   ETH_ALEN);
3854		if (!is_valid_ether_addr(params.macaddr))
3855			return -EADDRNOTAVAIL;
3856	}
3857
3858	if (info->attrs[NL80211_ATTR_4ADDR]) {
3859		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3860		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
3861		if (err)
3862			return err;
3863	}
3864
3865	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
3866		return -EOPNOTSUPP;
3867
3868	err = nl80211_parse_mon_options(rdev, type, info, &params);
3869	if (err < 0)
3870		return err;
3871
3872	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3873	if (!msg)
3874		return -ENOMEM;
3875
3876	wdev = rdev_add_virtual_intf(rdev,
3877				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
3878				NET_NAME_USER, type, &params);
3879	if (WARN_ON(!wdev)) {
3880		nlmsg_free(msg);
3881		return -EPROTO;
3882	} else if (IS_ERR(wdev)) {
3883		nlmsg_free(msg);
3884		return PTR_ERR(wdev);
3885	}
3886
3887	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
3888		wdev->owner_nlportid = info->snd_portid;
3889
3890	switch (type) {
3891	case NL80211_IFTYPE_MESH_POINT:
3892		if (!info->attrs[NL80211_ATTR_MESH_ID])
3893			break;
3894		wdev_lock(wdev);
3895		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3896			     IEEE80211_MAX_MESH_ID_LEN);
3897		wdev->mesh_id_up_len =
3898			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3899		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3900		       wdev->mesh_id_up_len);
3901		wdev_unlock(wdev);
3902		break;
3903	case NL80211_IFTYPE_NAN:
3904	case NL80211_IFTYPE_P2P_DEVICE:
3905		/*
3906		 * P2P Device and NAN do not have a netdev, so don't go
3907		 * through the netdev notifier and must be added here
3908		 */
3909		cfg80211_init_wdev(wdev);
3910		cfg80211_register_wdev(rdev, wdev);
3911		break;
3912	default:
3913		break;
3914	}
3915
3916	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3917			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3918		nlmsg_free(msg);
3919		return -ENOBUFS;
3920	}
3921
3922	return genlmsg_reply(msg, info);
3923}
3924
3925static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
3926{
3927	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3928	struct wireless_dev *wdev = info->user_ptr[1];
3929
3930	if (!rdev->ops->del_virtual_intf)
3931		return -EOPNOTSUPP;
3932
3933	/*
3934	 * If we remove a wireless device without a netdev then clear
3935	 * user_ptr[1] so that nl80211_post_doit won't dereference it
3936	 * to check if it needs to do dev_put(). Otherwise it crashes
3937	 * since the wdev has been freed, unlike with a netdev where
3938	 * we need the dev_put() for the netdev to really be freed.
3939	 */
3940	if (!wdev->netdev)
3941		info->user_ptr[1] = NULL;
3942
3943	return rdev_del_virtual_intf(rdev, wdev);
3944}
3945
3946static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
3947{
3948	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3949	struct net_device *dev = info->user_ptr[1];
3950	u16 noack_map;
3951
3952	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
3953		return -EINVAL;
3954
3955	if (!rdev->ops->set_noack_map)
3956		return -EOPNOTSUPP;
3957
3958	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
3959
3960	return rdev_set_noack_map(rdev, dev, noack_map);
3961}
3962
3963struct get_key_cookie {
3964	struct sk_buff *msg;
3965	int error;
3966	int idx;
3967};
3968
3969static void get_key_callback(void *c, struct key_params *params)
3970{
3971	struct nlattr *key;
3972	struct get_key_cookie *cookie = c;
3973
3974	if ((params->key &&
3975	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
3976		     params->key_len, params->key)) ||
3977	    (params->seq &&
3978	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
3979		     params->seq_len, params->seq)) ||
3980	    (params->cipher &&
3981	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
3982			 params->cipher)))
3983		goto nla_put_failure;
3984
3985	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
3986	if (!key)
3987		goto nla_put_failure;
3988
3989	if ((params->key &&
3990	     nla_put(cookie->msg, NL80211_KEY_DATA,
3991		     params->key_len, params->key)) ||
3992	    (params->seq &&
3993	     nla_put(cookie->msg, NL80211_KEY_SEQ,
3994		     params->seq_len, params->seq)) ||
3995	    (params->cipher &&
3996	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
3997			 params->cipher)))
3998		goto nla_put_failure;
3999
4000	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4001		goto nla_put_failure;
4002
4003	nla_nest_end(cookie->msg, key);
4004
4005	return;
4006 nla_put_failure:
4007	cookie->error = 1;
4008}
4009
4010static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4011{
4012	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4013	int err;
4014	struct net_device *dev = info->user_ptr[1];
4015	u8 key_idx = 0;
4016	const u8 *mac_addr = NULL;
4017	bool pairwise;
4018	struct get_key_cookie cookie = {
4019		.error = 0,
4020	};
4021	void *hdr;
4022	struct sk_buff *msg;
4023	bool bigtk_support = false;
4024
4025	if (wiphy_ext_feature_isset(&rdev->wiphy,
4026				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4027		bigtk_support = true;
4028
4029	if ((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_STATION ||
4030	     dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4031	    wiphy_ext_feature_isset(&rdev->wiphy,
4032				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4033		bigtk_support = true;
4034
4035	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4036		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4037
4038		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4039			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4040			return -EINVAL;
4041		}
4042	}
4043
4044	if (info->attrs[NL80211_ATTR_MAC])
4045		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4046
4047	pairwise = !!mac_addr;
4048	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4049		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4050
4051		if (kt != NL80211_KEYTYPE_GROUP &&
4052		    kt != NL80211_KEYTYPE_PAIRWISE)
4053			return -EINVAL;
4054		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4055	}
4056
4057	if (!rdev->ops->get_key)
4058		return -EOPNOTSUPP;
4059
4060	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4061		return -ENOENT;
4062
4063	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4064	if (!msg)
4065		return -ENOMEM;
4066
4067	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4068			     NL80211_CMD_NEW_KEY);
4069	if (!hdr)
4070		goto nla_put_failure;
4071
4072	cookie.msg = msg;
4073	cookie.idx = key_idx;
4074
4075	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4076	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4077		goto nla_put_failure;
4078	if (mac_addr &&
4079	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4080		goto nla_put_failure;
4081
4082	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
4083			   get_key_callback);
4084
4085	if (err)
4086		goto free_msg;
4087
4088	if (cookie.error)
4089		goto nla_put_failure;
4090
4091	genlmsg_end(msg, hdr);
4092	return genlmsg_reply(msg, info);
4093
4094 nla_put_failure:
4095	err = -ENOBUFS;
4096 free_msg:
4097	nlmsg_free(msg);
4098	return err;
4099}
4100
4101static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4102{
4103	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4104	struct key_parse key;
4105	int err;
4106	struct net_device *dev = info->user_ptr[1];
4107
4108	err = nl80211_parse_key(info, &key);
4109	if (err)
4110		return err;
4111
4112	if (key.idx < 0)
4113		return -EINVAL;
4114
4115	/* Only support setting default key and
4116	 * Extended Key ID action NL80211_KEY_SET_TX.
4117	 */
4118	if (!key.def && !key.defmgmt && !key.defbeacon &&
4119	    !(key.p.mode == NL80211_KEY_SET_TX))
4120		return -EINVAL;
4121
4122	wdev_lock(dev->ieee80211_ptr);
4123
4124	if (key.def) {
4125		if (!rdev->ops->set_default_key) {
4126			err = -EOPNOTSUPP;
4127			goto out;
4128		}
4129
4130		err = nl80211_key_allowed(dev->ieee80211_ptr);
4131		if (err)
4132			goto out;
4133
4134		err = rdev_set_default_key(rdev, dev, key.idx,
4135						 key.def_uni, key.def_multi);
4136
4137		if (err)
4138			goto out;
4139
4140#ifdef CONFIG_CFG80211_WEXT
4141		dev->ieee80211_ptr->wext.default_key = key.idx;
4142#endif
4143	} else if (key.defmgmt) {
4144		if (key.def_uni || !key.def_multi) {
4145			err = -EINVAL;
4146			goto out;
4147		}
4148
4149		if (!rdev->ops->set_default_mgmt_key) {
4150			err = -EOPNOTSUPP;
4151			goto out;
4152		}
4153
4154		err = nl80211_key_allowed(dev->ieee80211_ptr);
4155		if (err)
4156			goto out;
4157
4158		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
4159		if (err)
4160			goto out;
4161
4162#ifdef CONFIG_CFG80211_WEXT
4163		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
4164#endif
4165	} else if (key.defbeacon) {
4166		if (key.def_uni || !key.def_multi) {
4167			err = -EINVAL;
4168			goto out;
4169		}
4170
4171		if (!rdev->ops->set_default_beacon_key) {
4172			err = -EOPNOTSUPP;
4173			goto out;
4174		}
4175
4176		err = nl80211_key_allowed(dev->ieee80211_ptr);
4177		if (err)
4178			goto out;
4179
4180		err = rdev_set_default_beacon_key(rdev, dev, key.idx);
4181		if (err)
4182			goto out;
4183	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4184		   wiphy_ext_feature_isset(&rdev->wiphy,
4185					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4186		u8 *mac_addr = NULL;
4187
4188		if (info->attrs[NL80211_ATTR_MAC])
4189			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4190
4191		if (!mac_addr || key.idx < 0 || key.idx > 1) {
4192			err = -EINVAL;
4193			goto out;
4194		}
4195
4196		err = rdev_add_key(rdev, dev, key.idx,
4197				   NL80211_KEYTYPE_PAIRWISE,
4198				   mac_addr, &key.p);
4199	} else {
4200		err = -EINVAL;
4201	}
4202 out:
4203	wdev_unlock(dev->ieee80211_ptr);
4204
4205	return err;
4206}
4207
4208static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4209{
4210	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4211	int err;
4212	struct net_device *dev = info->user_ptr[1];
4213	struct key_parse key;
4214	const u8 *mac_addr = NULL;
4215
4216	err = nl80211_parse_key(info, &key);
4217	if (err)
4218		return err;
4219
4220	if (!key.p.key) {
4221		GENL_SET_ERR_MSG(info, "no key");
4222		return -EINVAL;
4223	}
4224
4225	if (info->attrs[NL80211_ATTR_MAC])
4226		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4227
4228	if (key.type == -1) {
4229		if (mac_addr)
4230			key.type = NL80211_KEYTYPE_PAIRWISE;
4231		else
4232			key.type = NL80211_KEYTYPE_GROUP;
4233	}
4234
4235	/* for now */
4236	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4237	    key.type != NL80211_KEYTYPE_GROUP) {
4238		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4239		return -EINVAL;
4240	}
4241
4242	if (key.type == NL80211_KEYTYPE_GROUP &&
4243	    info->attrs[NL80211_ATTR_VLAN_ID])
4244		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4245
4246	if (!rdev->ops->add_key)
4247		return -EOPNOTSUPP;
4248
4249	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4250					   key.type == NL80211_KEYTYPE_PAIRWISE,
4251					   mac_addr)) {
4252		GENL_SET_ERR_MSG(info, "key setting validation failed");
4253		return -EINVAL;
4254	}
4255
4256	wdev_lock(dev->ieee80211_ptr);
4257	err = nl80211_key_allowed(dev->ieee80211_ptr);
4258	if (err)
4259		GENL_SET_ERR_MSG(info, "key not allowed");
4260	if (!err) {
4261		err = rdev_add_key(rdev, dev, key.idx,
4262				   key.type == NL80211_KEYTYPE_PAIRWISE,
4263				    mac_addr, &key.p);
4264		if (err)
4265			GENL_SET_ERR_MSG(info, "key addition failed");
4266	}
4267	wdev_unlock(dev->ieee80211_ptr);
4268
4269	return err;
4270}
4271
4272static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4273{
4274	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4275	int err;
4276	struct net_device *dev = info->user_ptr[1];
4277	u8 *mac_addr = NULL;
4278	struct key_parse key;
4279
4280	err = nl80211_parse_key(info, &key);
4281	if (err)
4282		return err;
4283
4284	if (info->attrs[NL80211_ATTR_MAC])
4285		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4286
4287	if (key.type == -1) {
4288		if (mac_addr)
4289			key.type = NL80211_KEYTYPE_PAIRWISE;
4290		else
4291			key.type = NL80211_KEYTYPE_GROUP;
4292	}
4293
4294	/* for now */
4295	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4296	    key.type != NL80211_KEYTYPE_GROUP)
4297		return -EINVAL;
4298
4299	if (!cfg80211_valid_key_idx(rdev, key.idx,
4300				    key.type == NL80211_KEYTYPE_PAIRWISE))
4301		return -EINVAL;
4302
4303	if (!rdev->ops->del_key)
4304		return -EOPNOTSUPP;
4305
4306	wdev_lock(dev->ieee80211_ptr);
4307	err = nl80211_key_allowed(dev->ieee80211_ptr);
4308
4309	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4310	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4311		err = -ENOENT;
4312
4313	if (!err)
4314		err = rdev_del_key(rdev, dev, key.idx,
4315				   key.type == NL80211_KEYTYPE_PAIRWISE,
4316				   mac_addr);
4317
4318#ifdef CONFIG_CFG80211_WEXT
4319	if (!err) {
4320		if (key.idx == dev->ieee80211_ptr->wext.default_key)
4321			dev->ieee80211_ptr->wext.default_key = -1;
4322		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
4323			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
4324	}
4325#endif
4326	wdev_unlock(dev->ieee80211_ptr);
4327
4328	return err;
4329}
4330
4331/* This function returns an error or the number of nested attributes */
4332static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4333{
4334	struct nlattr *attr;
4335	int n_entries = 0, tmp;
4336
4337	nla_for_each_nested(attr, nl_attr, tmp) {
4338		if (nla_len(attr) != ETH_ALEN)
4339			return -EINVAL;
4340
4341		n_entries++;
4342	}
4343
4344	return n_entries;
4345}
4346
4347/*
4348 * This function parses ACL information and allocates memory for ACL data.
4349 * On successful return, the calling function is responsible to free the
4350 * ACL buffer returned by this function.
4351 */
4352static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4353						struct genl_info *info)
4354{
4355	enum nl80211_acl_policy acl_policy;
4356	struct nlattr *attr;
4357	struct cfg80211_acl_data *acl;
4358	int i = 0, n_entries, tmp;
4359
4360	if (!wiphy->max_acl_mac_addrs)
4361		return ERR_PTR(-EOPNOTSUPP);
4362
4363	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4364		return ERR_PTR(-EINVAL);
4365
4366	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4367	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4368	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4369		return ERR_PTR(-EINVAL);
4370
4371	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4372		return ERR_PTR(-EINVAL);
4373
4374	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4375	if (n_entries < 0)
4376		return ERR_PTR(n_entries);
4377
4378	if (n_entries > wiphy->max_acl_mac_addrs)
4379		return ERR_PTR(-ENOTSUPP);
4380
4381	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4382	if (!acl)
4383		return ERR_PTR(-ENOMEM);
4384
4385	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4386		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4387		i++;
4388	}
4389
4390	acl->n_acl_entries = n_entries;
4391	acl->acl_policy = acl_policy;
4392
4393	return acl;
4394}
4395
4396static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4397{
4398	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4399	struct net_device *dev = info->user_ptr[1];
4400	struct cfg80211_acl_data *acl;
4401	int err;
4402
4403	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4404	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4405		return -EOPNOTSUPP;
4406
4407	if (!dev->ieee80211_ptr->beacon_interval)
4408		return -EINVAL;
4409
4410	acl = parse_acl_data(&rdev->wiphy, info);
4411	if (IS_ERR(acl))
4412		return PTR_ERR(acl);
4413
4414	err = rdev_set_mac_acl(rdev, dev, acl);
4415
4416	kfree(acl);
4417
4418	return err;
4419}
4420
4421static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4422			   u8 *rates, u8 rates_len)
4423{
4424	u8 i;
4425	u32 mask = 0;
4426
4427	for (i = 0; i < rates_len; i++) {
4428		int rate = (rates[i] & 0x7f) * 5;
4429		int ridx;
4430
4431		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4432			struct ieee80211_rate *srate =
4433				&sband->bitrates[ridx];
4434			if (rate == srate->bitrate) {
4435				mask |= 1 << ridx;
4436				break;
4437			}
4438		}
4439		if (ridx == sband->n_bitrates)
4440			return 0; /* rate not found */
4441	}
4442
4443	return mask;
4444}
4445
4446static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4447			       u8 *rates, u8 rates_len,
4448			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4449{
4450	u8 i;
4451
4452	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4453
4454	for (i = 0; i < rates_len; i++) {
4455		int ridx, rbit;
4456
4457		ridx = rates[i] / 8;
4458		rbit = BIT(rates[i] % 8);
4459
4460		/* check validity */
4461		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4462			return false;
4463
4464		/* check availability */
4465		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4466		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4467			mcs[ridx] |= rbit;
4468		else
4469			return false;
4470	}
4471
4472	return true;
4473}
4474
4475static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4476{
4477	u16 mcs_mask = 0;
4478
4479	switch (vht_mcs_map) {
4480	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4481		break;
4482	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4483		mcs_mask = 0x00FF;
4484		break;
4485	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4486		mcs_mask = 0x01FF;
4487		break;
4488	case IEEE80211_VHT_MCS_SUPPORT_0_9:
4489		mcs_mask = 0x03FF;
4490		break;
4491	default:
4492		break;
4493	}
4494
4495	return mcs_mask;
4496}
4497
4498static void vht_build_mcs_mask(u16 vht_mcs_map,
4499			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
4500{
4501	u8 nss;
4502
4503	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
4504		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
4505		vht_mcs_map >>= 2;
4506	}
4507}
4508
4509static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
4510			     struct nl80211_txrate_vht *txrate,
4511			     u16 mcs[NL80211_VHT_NSS_MAX])
4512{
4513	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4514	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
4515	u8 i;
4516
4517	if (!sband->vht_cap.vht_supported)
4518		return false;
4519
4520	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
4521
4522	/* Build vht_mcs_mask from VHT capabilities */
4523	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4524
4525	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4526		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4527			mcs[i] = txrate->mcs[i];
4528		else
4529			return false;
4530	}
4531
4532	return true;
4533}
4534
4535static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
4536{
4537	switch (he_mcs_map) {
4538	case IEEE80211_HE_MCS_NOT_SUPPORTED:
4539		return 0;
4540	case IEEE80211_HE_MCS_SUPPORT_0_7:
4541		return 0x00FF;
4542	case IEEE80211_HE_MCS_SUPPORT_0_9:
4543		return 0x03FF;
4544	case IEEE80211_HE_MCS_SUPPORT_0_11:
4545		return 0xFFF;
4546	default:
4547		break;
4548	}
4549	return 0;
4550}
4551
4552static void he_build_mcs_mask(u16 he_mcs_map,
4553			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
4554{
4555	u8 nss;
4556
4557	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
4558		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
4559		he_mcs_map >>= 2;
4560	}
4561}
4562
4563static u16 he_get_txmcsmap(struct genl_info *info,
4564			   const struct ieee80211_sta_he_cap *he_cap)
4565{
4566	struct net_device *dev = info->user_ptr[1];
4567	struct wireless_dev *wdev = dev->ieee80211_ptr;
4568	__le16	tx_mcs;
4569
4570	switch (wdev->chandef.width) {
4571	case NL80211_CHAN_WIDTH_80P80:
4572		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
4573		break;
4574	case NL80211_CHAN_WIDTH_160:
4575		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
4576		break;
4577	default:
4578		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
4579		break;
4580	}
4581	return le16_to_cpu(tx_mcs);
4582}
4583
4584static bool he_set_mcs_mask(struct genl_info *info,
4585			    struct wireless_dev *wdev,
4586			    struct ieee80211_supported_band *sband,
4587			    struct nl80211_txrate_he *txrate,
4588			    u16 mcs[NL80211_HE_NSS_MAX])
4589{
4590	const struct ieee80211_sta_he_cap *he_cap;
4591	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
4592	u16 tx_mcs_map = 0;
4593	u8 i;
4594
4595	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4596	if (!he_cap)
4597		return false;
4598
4599	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
4600
4601	tx_mcs_map = he_get_txmcsmap(info, he_cap);
4602
4603	/* Build he_mcs_mask from HE capabilities */
4604	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4605
4606	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
4607		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4608			mcs[i] = txrate->mcs[i];
4609		else
4610			return false;
4611	}
4612
4613	return true;
4614}
4615
4616static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
4617					 struct nlattr *attrs[],
4618					 enum nl80211_attrs attr,
4619					 struct cfg80211_bitrate_mask *mask,
4620					 struct net_device *dev)
4621{
4622	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
4623	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4624	struct wireless_dev *wdev = dev->ieee80211_ptr;
4625	int rem, i;
4626	struct nlattr *tx_rates;
4627	struct ieee80211_supported_band *sband;
4628	u16 vht_tx_mcs_map, he_tx_mcs_map;
4629
4630	memset(mask, 0, sizeof(*mask));
4631	/* Default to all rates enabled */
4632	for (i = 0; i < NUM_NL80211_BANDS; i++) {
4633		const struct ieee80211_sta_he_cap *he_cap;
4634
4635		sband = rdev->wiphy.bands[i];
4636
4637		if (!sband)
4638			continue;
4639
4640		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
4641		memcpy(mask->control[i].ht_mcs,
4642		       sband->ht_cap.mcs.rx_mask,
4643		       sizeof(mask->control[i].ht_mcs));
4644
4645		if (sband->vht_cap.vht_supported) {
4646			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4647			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
4648		}
4649
4650		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4651		if (!he_cap)
4652			continue;
4653
4654		he_tx_mcs_map = he_get_txmcsmap(info, he_cap);
4655		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
4656
4657		mask->control[i].he_gi = 0xFF;
4658		mask->control[i].he_ltf = 0xFF;
4659	}
4660
4661	/* if no rates are given set it back to the defaults */
4662	if (!attrs[attr])
4663		goto out;
4664
4665	/* The nested attribute uses enum nl80211_band as the index. This maps
4666	 * directly to the enum nl80211_band values used in cfg80211.
4667	 */
4668	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
4669	nla_for_each_nested(tx_rates, attrs[attr], rem) {
4670		enum nl80211_band band = nla_type(tx_rates);
4671		int err;
4672
4673		if (band < 0 || band >= NUM_NL80211_BANDS)
4674			return -EINVAL;
4675		sband = rdev->wiphy.bands[band];
4676		if (sband == NULL)
4677			return -EINVAL;
4678		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
4679						  tx_rates,
4680						  nl80211_txattr_policy,
4681						  info->extack);
4682		if (err)
4683			return err;
4684		if (tb[NL80211_TXRATE_LEGACY]) {
4685			mask->control[band].legacy = rateset_to_mask(
4686				sband,
4687				nla_data(tb[NL80211_TXRATE_LEGACY]),
4688				nla_len(tb[NL80211_TXRATE_LEGACY]));
4689			if ((mask->control[band].legacy == 0) &&
4690			    nla_len(tb[NL80211_TXRATE_LEGACY]))
4691				return -EINVAL;
4692		}
4693		if (tb[NL80211_TXRATE_HT]) {
4694			if (!ht_rateset_to_mask(
4695					sband,
4696					nla_data(tb[NL80211_TXRATE_HT]),
4697					nla_len(tb[NL80211_TXRATE_HT]),
4698					mask->control[band].ht_mcs))
4699				return -EINVAL;
4700		}
4701		if (tb[NL80211_TXRATE_VHT]) {
4702			if (!vht_set_mcs_mask(
4703					sband,
4704					nla_data(tb[NL80211_TXRATE_VHT]),
4705					mask->control[band].vht_mcs))
4706				return -EINVAL;
4707		}
4708		if (tb[NL80211_TXRATE_GI]) {
4709			mask->control[band].gi =
4710				nla_get_u8(tb[NL80211_TXRATE_GI]);
4711			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
4712				return -EINVAL;
4713		}
4714		if (tb[NL80211_TXRATE_HE] &&
4715		    !he_set_mcs_mask(info, wdev, sband,
4716				     nla_data(tb[NL80211_TXRATE_HE]),
4717				     mask->control[band].he_mcs))
4718			return -EINVAL;
4719		if (tb[NL80211_TXRATE_HE_GI])
4720			mask->control[band].he_gi =
4721				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
4722		if (tb[NL80211_TXRATE_HE_LTF])
4723			mask->control[band].he_ltf =
4724				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
4725
4726		if (mask->control[band].legacy == 0) {
4727			/* don't allow empty legacy rates if HT, VHT or HE
4728			 * are not even supported.
4729			 */
4730			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
4731			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
4732			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
4733				return -EINVAL;
4734
4735			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
4736				if (mask->control[band].ht_mcs[i])
4737					goto out;
4738
4739			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
4740				if (mask->control[band].vht_mcs[i])
4741					goto out;
4742
4743			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
4744				if (mask->control[band].he_mcs[i])
4745					goto out;
4746
4747			/* legacy and mcs rates may not be both empty */
4748			return -EINVAL;
4749		}
4750	}
4751
4752out:
4753	return 0;
4754}
4755
4756static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
4757				   enum nl80211_band band,
4758				   struct cfg80211_bitrate_mask *beacon_rate)
4759{
4760	u32 count_ht, count_vht, i;
4761	u32 rate = beacon_rate->control[band].legacy;
4762
4763	/* Allow only one rate */
4764	if (hweight32(rate) > 1)
4765		return -EINVAL;
4766
4767	count_ht = 0;
4768	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
4769		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
4770			return -EINVAL;
4771		} else if (beacon_rate->control[band].ht_mcs[i]) {
4772			count_ht++;
4773			if (count_ht > 1)
4774				return -EINVAL;
4775		}
4776		if (count_ht && rate)
4777			return -EINVAL;
4778	}
4779
4780	count_vht = 0;
4781	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4782		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
4783			return -EINVAL;
4784		} else if (beacon_rate->control[band].vht_mcs[i]) {
4785			count_vht++;
4786			if (count_vht > 1)
4787				return -EINVAL;
4788		}
4789		if (count_vht && rate)
4790			return -EINVAL;
4791	}
4792
4793	if ((count_ht && count_vht) || (!rate && !count_ht && !count_vht))
4794		return -EINVAL;
4795
4796	if (rate &&
4797	    !wiphy_ext_feature_isset(&rdev->wiphy,
4798				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
4799		return -EINVAL;
4800	if (count_ht &&
4801	    !wiphy_ext_feature_isset(&rdev->wiphy,
4802				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
4803		return -EINVAL;
4804	if (count_vht &&
4805	    !wiphy_ext_feature_isset(&rdev->wiphy,
4806				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
4807		return -EINVAL;
4808
4809	return 0;
4810}
4811
4812static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
4813				struct nlattr *attrs[],
4814				struct cfg80211_beacon_data *bcn)
4815{
4816	bool haveinfo = false;
4817	int err;
4818
4819	memset(bcn, 0, sizeof(*bcn));
4820
4821	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
4822		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
4823		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
4824		if (!bcn->head_len)
4825			return -EINVAL;
4826		haveinfo = true;
4827	}
4828
4829	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
4830		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
4831		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
4832		haveinfo = true;
4833	}
4834
4835	if (!haveinfo)
4836		return -EINVAL;
4837
4838	if (attrs[NL80211_ATTR_IE]) {
4839		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
4840		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
4841	}
4842
4843	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
4844		bcn->proberesp_ies =
4845			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4846		bcn->proberesp_ies_len =
4847			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4848	}
4849
4850	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
4851		bcn->assocresp_ies =
4852			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4853		bcn->assocresp_ies_len =
4854			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4855	}
4856
4857	if (attrs[NL80211_ATTR_PROBE_RESP]) {
4858		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
4859		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
4860	}
4861
4862	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
4863		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
4864
4865		err = nla_parse_nested_deprecated(tb,
4866						  NL80211_FTM_RESP_ATTR_MAX,
4867						  attrs[NL80211_ATTR_FTM_RESPONDER],
4868						  NULL, NULL);
4869		if (err)
4870			return err;
4871
4872		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
4873		    wiphy_ext_feature_isset(&rdev->wiphy,
4874					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
4875			bcn->ftm_responder = 1;
4876		else
4877			return -EOPNOTSUPP;
4878
4879		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
4880			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
4881			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
4882		}
4883
4884		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
4885			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
4886			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
4887		}
4888	} else {
4889		bcn->ftm_responder = -1;
4890	}
4891
4892	return 0;
4893}
4894
4895static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
4896				    struct ieee80211_he_obss_pd *he_obss_pd)
4897{
4898	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
4899	int err;
4900
4901	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
4902			       he_obss_pd_policy, NULL);
4903	if (err)
4904		return err;
4905
4906	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
4907		return -EINVAL;
4908
4909	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
4910
4911	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
4912		he_obss_pd->min_offset =
4913			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
4914	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
4915		he_obss_pd->max_offset =
4916			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
4917	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
4918		he_obss_pd->non_srg_max_offset =
4919			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
4920
4921	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
4922		return -EINVAL;
4923
4924	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
4925		memcpy(he_obss_pd->bss_color_bitmap,
4926		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
4927		       sizeof(he_obss_pd->bss_color_bitmap));
4928
4929	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
4930		memcpy(he_obss_pd->partial_bssid_bitmap,
4931		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
4932		       sizeof(he_obss_pd->partial_bssid_bitmap));
4933
4934	he_obss_pd->enable = true;
4935
4936	return 0;
4937}
4938
4939static int nl80211_parse_he_bss_color(struct nlattr *attrs,
4940				      struct cfg80211_he_bss_color *he_bss_color)
4941{
4942	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
4943	int err;
4944
4945	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
4946			       he_bss_color_policy, NULL);
4947	if (err)
4948		return err;
4949
4950	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
4951		return -EINVAL;
4952
4953	he_bss_color->color =
4954		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
4955	he_bss_color->enabled =
4956		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
4957	he_bss_color->partial =
4958		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
4959
4960	return 0;
4961}
4962
4963static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
4964					struct nlattr *attrs,
4965					struct cfg80211_ap_settings *params)
4966{
4967	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
4968	int ret;
4969	struct cfg80211_fils_discovery *fd = &params->fils_discovery;
4970
4971	if (!wiphy_ext_feature_isset(&rdev->wiphy,
4972				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
4973		return -EINVAL;
4974
4975	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
4976			       NULL, NULL);
4977	if (ret)
4978		return ret;
4979
4980	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
4981	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
4982	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
4983		return -EINVAL;
4984
4985	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
4986	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
4987	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
4988	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
4989
4990	return 0;
4991}
4992
4993static int
4994nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
4995				     struct nlattr *attrs,
4996				     struct cfg80211_ap_settings *params)
4997{
4998	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
4999	int ret;
5000	struct cfg80211_unsol_bcast_probe_resp *presp =
5001					&params->unsol_bcast_probe_resp;
5002
5003	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5004				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5005		return -EINVAL;
5006
5007	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5008			       attrs, NULL, NULL);
5009	if (ret)
5010		return ret;
5011
5012	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5013	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5014		return -EINVAL;
5015
5016	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5017	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5018	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5019	return 0;
5020}
5021
5022static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5023					    const u8 *rates)
5024{
5025	int i;
5026
5027	if (!rates)
5028		return;
5029
5030	for (i = 0; i < rates[1]; i++) {
5031		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5032			params->ht_required = true;
5033		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5034			params->vht_required = true;
5035		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5036			params->he_required = true;
5037	}
5038}
5039
5040/*
5041 * Since the nl80211 API didn't include, from the beginning, attributes about
5042 * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5043 * benefit of drivers that rebuild IEs in the firmware.
5044 */
5045static void nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5046{
5047	const struct cfg80211_beacon_data *bcn = &params->beacon;
5048	size_t ies_len = bcn->tail_len;
5049	const u8 *ies = bcn->tail;
5050	const u8 *rates;
5051	const u8 *cap;
5052
5053	rates = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies, ies_len);
5054	nl80211_check_ap_rate_selectors(params, rates);
5055
5056	rates = cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5057	nl80211_check_ap_rate_selectors(params, rates);
5058
5059	cap = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5060	if (cap && cap[1] >= sizeof(*params->ht_cap))
5061		params->ht_cap = (void *)(cap + 2);
5062	cap = cfg80211_find_ie(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5063	if (cap && cap[1] >= sizeof(*params->vht_cap))
5064		params->vht_cap = (void *)(cap + 2);
5065	cap = cfg80211_find_ext_ie(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5066	if (cap && cap[1] >= sizeof(*params->he_cap) + 1)
5067		params->he_cap = (void *)(cap + 3);
5068	cap = cfg80211_find_ext_ie(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5069	if (cap && cap[1] >= sizeof(*params->he_oper) + 1)
5070		params->he_oper = (void *)(cap + 3);
5071}
5072
5073static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5074				   struct cfg80211_ap_settings *params)
5075{
5076	struct wireless_dev *wdev;
5077	bool ret = false;
5078
5079	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5080		if (wdev->iftype != NL80211_IFTYPE_AP &&
5081		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5082			continue;
5083
5084		if (!wdev->preset_chandef.chan)
5085			continue;
5086
5087		params->chandef = wdev->preset_chandef;
5088		ret = true;
5089		break;
5090	}
5091
5092	return ret;
5093}
5094
5095static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5096				    enum nl80211_auth_type auth_type,
5097				    enum nl80211_commands cmd)
5098{
5099	if (auth_type > NL80211_AUTHTYPE_MAX)
5100		return false;
5101
5102	switch (cmd) {
5103	case NL80211_CMD_AUTHENTICATE:
5104		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5105		    auth_type == NL80211_AUTHTYPE_SAE)
5106			return false;
5107		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5108					     NL80211_EXT_FEATURE_FILS_STA) &&
5109		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5110		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5111		     auth_type == NL80211_AUTHTYPE_FILS_PK))
5112			return false;
5113		return true;
5114	case NL80211_CMD_CONNECT:
5115		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5116		    !wiphy_ext_feature_isset(&rdev->wiphy,
5117					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
5118		    auth_type == NL80211_AUTHTYPE_SAE)
5119			return false;
5120
5121		/* FILS with SK PFS or PK not supported yet */
5122		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5123		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5124			return false;
5125		if (!wiphy_ext_feature_isset(
5126			    &rdev->wiphy,
5127			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
5128		    auth_type == NL80211_AUTHTYPE_FILS_SK)
5129			return false;
5130		return true;
5131	case NL80211_CMD_START_AP:
5132		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5133					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
5134		    auth_type == NL80211_AUTHTYPE_SAE)
5135			return false;
5136		/* FILS not supported yet */
5137		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5138		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5139		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5140			return false;
5141		return true;
5142	default:
5143		return false;
5144	}
5145}
5146
5147static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
5148{
5149	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5150	struct net_device *dev = info->user_ptr[1];
5151	struct wireless_dev *wdev = dev->ieee80211_ptr;
5152	struct cfg80211_ap_settings params;
5153	int err;
5154
5155	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5156	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5157		return -EOPNOTSUPP;
5158
5159	if (!rdev->ops->start_ap)
5160		return -EOPNOTSUPP;
5161
5162	if (wdev->beacon_interval)
5163		return -EALREADY;
5164
5165	memset(&params, 0, sizeof(params));
5166
5167	/* these are required for START_AP */
5168	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
5169	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
5170	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
5171		return -EINVAL;
5172
5173	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon);
5174	if (err)
5175		return err;
5176
5177	params.beacon_interval =
5178		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5179	params.dtim_period =
5180		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
5181
5182	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
5183					   params.beacon_interval);
5184	if (err)
5185		return err;
5186
5187	/*
5188	 * In theory, some of these attributes should be required here
5189	 * but since they were not used when the command was originally
5190	 * added, keep them optional for old user space programs to let
5191	 * them continue to work with drivers that do not need the
5192	 * additional information -- drivers must check!
5193	 */
5194	if (info->attrs[NL80211_ATTR_SSID]) {
5195		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5196		params.ssid_len =
5197			nla_len(info->attrs[NL80211_ATTR_SSID]);
5198		if (params.ssid_len == 0)
5199			return -EINVAL;
5200	}
5201
5202	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
5203		params.hidden_ssid = nla_get_u32(
5204			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
5205
5206	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
5207
5208	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
5209		params.auth_type = nla_get_u32(
5210			info->attrs[NL80211_ATTR_AUTH_TYPE]);
5211		if (!nl80211_valid_auth_type(rdev, params.auth_type,
5212					     NL80211_CMD_START_AP))
5213			return -EINVAL;
5214	} else
5215		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
5216
5217	err = nl80211_crypto_settings(rdev, info, &params.crypto,
5218				      NL80211_MAX_NR_CIPHER_SUITES);
5219	if (err)
5220		return err;
5221
5222	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
5223		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
5224			return -EOPNOTSUPP;
5225		params.inactivity_timeout = nla_get_u16(
5226			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
5227	}
5228
5229	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
5230		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5231			return -EINVAL;
5232		params.p2p_ctwindow =
5233			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
5234		if (params.p2p_ctwindow != 0 &&
5235		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
5236			return -EINVAL;
5237	}
5238
5239	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
5240		u8 tmp;
5241
5242		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5243			return -EINVAL;
5244		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
5245		params.p2p_opp_ps = tmp;
5246		if (params.p2p_opp_ps != 0 &&
5247		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
5248			return -EINVAL;
5249	}
5250
5251	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
5252		err = nl80211_parse_chandef(rdev, info, &params.chandef);
5253		if (err)
5254			return err;
5255	} else if (wdev->preset_chandef.chan) {
5256		params.chandef = wdev->preset_chandef;
5257	} else if (!nl80211_get_ap_channel(rdev, &params))
5258		return -EINVAL;
5259
5260	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
5261					   wdev->iftype))
5262		return -EINVAL;
5263
5264	if (info->attrs[NL80211_ATTR_TX_RATES]) {
5265		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
5266						    NL80211_ATTR_TX_RATES,
5267						    &params.beacon_rate,
5268						    dev);
5269		if (err)
5270			return err;
5271
5272		err = validate_beacon_tx_rate(rdev, params.chandef.chan->band,
5273					      &params.beacon_rate);
5274		if (err)
5275			return err;
5276	}
5277
5278	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
5279		params.smps_mode =
5280			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
5281		switch (params.smps_mode) {
5282		case NL80211_SMPS_OFF:
5283			break;
5284		case NL80211_SMPS_STATIC:
5285			if (!(rdev->wiphy.features &
5286			      NL80211_FEATURE_STATIC_SMPS))
5287				return -EINVAL;
5288			break;
5289		case NL80211_SMPS_DYNAMIC:
5290			if (!(rdev->wiphy.features &
5291			      NL80211_FEATURE_DYNAMIC_SMPS))
5292				return -EINVAL;
5293			break;
5294		default:
5295			return -EINVAL;
5296		}
5297	} else {
5298		params.smps_mode = NL80211_SMPS_OFF;
5299	}
5300
5301	params.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
5302	if (params.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ])
5303		return -EOPNOTSUPP;
5304
5305	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
5306		params.acl = parse_acl_data(&rdev->wiphy, info);
5307		if (IS_ERR(params.acl))
5308			return PTR_ERR(params.acl);
5309	}
5310
5311	params.twt_responder =
5312		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
5313
5314	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
5315		err = nl80211_parse_he_obss_pd(
5316					info->attrs[NL80211_ATTR_HE_OBSS_PD],
5317					&params.he_obss_pd);
5318		if (err)
5319			goto out;
5320	}
5321
5322	if (info->attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5323		err = nl80211_parse_he_bss_color(
5324					info->attrs[NL80211_ATTR_HE_BSS_COLOR],
5325					&params.he_bss_color);
5326		if (err)
5327			goto out;
5328	}
5329
5330	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
5331		err = nl80211_parse_fils_discovery(rdev,
5332						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
5333						   &params);
5334		if (err)
5335			goto out;
5336	}
5337
5338	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
5339		err = nl80211_parse_unsol_bcast_probe_resp(
5340			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
5341			&params);
5342		if (err)
5343			goto out;
5344	}
5345
5346	nl80211_calculate_ap_params(&params);
5347
5348	if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
5349		params.flags |= AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
5350
5351	wdev_lock(wdev);
5352	err = rdev_start_ap(rdev, dev, &params);
5353	if (!err) {
5354		wdev->preset_chandef = params.chandef;
5355		wdev->beacon_interval = params.beacon_interval;
5356		wdev->chandef = params.chandef;
5357		wdev->ssid_len = params.ssid_len;
5358		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
5359
5360		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
5361			wdev->conn_owner_nlportid = info->snd_portid;
5362	}
5363	wdev_unlock(wdev);
5364
5365out:
5366	kfree(params.acl);
5367
5368	return err;
5369}
5370
5371static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
5372{
5373	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5374	struct net_device *dev = info->user_ptr[1];
5375	struct wireless_dev *wdev = dev->ieee80211_ptr;
5376	struct cfg80211_beacon_data params;
5377	int err;
5378
5379	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5380	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5381		return -EOPNOTSUPP;
5382
5383	if (!rdev->ops->change_beacon)
5384		return -EOPNOTSUPP;
5385
5386	if (!wdev->beacon_interval)
5387		return -EINVAL;
5388
5389	err = nl80211_parse_beacon(rdev, info->attrs, &params);
5390	if (err)
5391		return err;
5392
5393	wdev_lock(wdev);
5394	err = rdev_change_beacon(rdev, dev, &params);
5395	wdev_unlock(wdev);
5396
5397	return err;
5398}
5399
5400static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
5401{
5402	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5403	struct net_device *dev = info->user_ptr[1];
5404
5405	return cfg80211_stop_ap(rdev, dev, false);
5406}
5407
5408static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
5409	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
5410	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
5411	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
5412	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
5413	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
5414	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
5415};
5416
5417static int parse_station_flags(struct genl_info *info,
5418			       enum nl80211_iftype iftype,
5419			       struct station_parameters *params)
5420{
5421	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
5422	struct nlattr *nla;
5423	int flag;
5424
5425	/*
5426	 * Try parsing the new attribute first so userspace
5427	 * can specify both for older kernels.
5428	 */
5429	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
5430	if (nla) {
5431		struct nl80211_sta_flag_update *sta_flags;
5432
5433		sta_flags = nla_data(nla);
5434		params->sta_flags_mask = sta_flags->mask;
5435		params->sta_flags_set = sta_flags->set;
5436		params->sta_flags_set &= params->sta_flags_mask;
5437		if ((params->sta_flags_mask |
5438		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
5439			return -EINVAL;
5440		return 0;
5441	}
5442
5443	/* if present, parse the old attribute */
5444
5445	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
5446	if (!nla)
5447		return 0;
5448
5449	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
5450		return -EINVAL;
5451
5452	/*
5453	 * Only allow certain flags for interface types so that
5454	 * other attributes are silently ignored. Remember that
5455	 * this is backward compatibility code with old userspace
5456	 * and shouldn't be hit in other cases anyway.
5457	 */
5458	switch (iftype) {
5459	case NL80211_IFTYPE_AP:
5460	case NL80211_IFTYPE_AP_VLAN:
5461	case NL80211_IFTYPE_P2P_GO:
5462		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5463					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5464					 BIT(NL80211_STA_FLAG_WME) |
5465					 BIT(NL80211_STA_FLAG_MFP);
5466		break;
5467	case NL80211_IFTYPE_P2P_CLIENT:
5468	case NL80211_IFTYPE_STATION:
5469		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5470					 BIT(NL80211_STA_FLAG_TDLS_PEER);
5471		break;
5472	case NL80211_IFTYPE_MESH_POINT:
5473		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5474					 BIT(NL80211_STA_FLAG_MFP) |
5475					 BIT(NL80211_STA_FLAG_AUTHORIZED);
5476		break;
5477	default:
5478		return -EINVAL;
5479	}
5480
5481	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
5482		if (flags[flag]) {
5483			params->sta_flags_set |= (1<<flag);
5484
5485			/* no longer support new API additions in old API */
5486			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
5487				return -EINVAL;
5488		}
5489	}
5490
5491	return 0;
5492}
5493
5494bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
5495{
5496	struct nlattr *rate;
5497	u32 bitrate;
5498	u16 bitrate_compat;
5499	enum nl80211_rate_info rate_flg;
5500
5501	rate = nla_nest_start_noflag(msg, attr);
5502	if (!rate)
5503		return false;
5504
5505	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
5506	bitrate = cfg80211_calculate_bitrate(info);
5507	/* report 16-bit bitrate only if we can */
5508	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
5509	if (bitrate > 0 &&
5510	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
5511		return false;
5512	if (bitrate_compat > 0 &&
5513	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
5514		return false;
5515
5516	switch (info->bw) {
5517	case RATE_INFO_BW_5:
5518		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
5519		break;
5520	case RATE_INFO_BW_10:
5521		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
5522		break;
5523	default:
5524		WARN_ON(1);
5525		fallthrough;
5526	case RATE_INFO_BW_20:
5527		rate_flg = 0;
5528		break;
5529	case RATE_INFO_BW_40:
5530		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
5531		break;
5532	case RATE_INFO_BW_80:
5533		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
5534		break;
5535	case RATE_INFO_BW_160:
5536		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
5537		break;
5538	case RATE_INFO_BW_HE_RU:
5539		rate_flg = 0;
5540		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
5541	}
5542
5543	if (rate_flg && nla_put_flag(msg, rate_flg))
5544		return false;
5545
5546	if (info->flags & RATE_INFO_FLAGS_MCS) {
5547		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
5548			return false;
5549		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5550		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5551			return false;
5552	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
5553		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
5554			return false;
5555		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
5556			return false;
5557		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5558		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5559			return false;
5560	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
5561		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
5562			return false;
5563		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
5564			return false;
5565		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
5566			return false;
5567		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
5568			return false;
5569		if (info->bw == RATE_INFO_BW_HE_RU &&
5570		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
5571			       info->he_ru_alloc))
5572			return false;
5573	}
5574
5575	nla_nest_end(msg, rate);
5576	return true;
5577}
5578
5579static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
5580			       int id)
5581{
5582	void *attr;
5583	int i = 0;
5584
5585	if (!mask)
5586		return true;
5587
5588	attr = nla_nest_start_noflag(msg, id);
5589	if (!attr)
5590		return false;
5591
5592	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
5593		if (!(mask & BIT(i)))
5594			continue;
5595
5596		if (nla_put_u8(msg, i, signal[i]))
5597			return false;
5598	}
5599
5600	nla_nest_end(msg, attr);
5601
5602	return true;
5603}
5604
5605static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
5606				u32 seq, int flags,
5607				struct cfg80211_registered_device *rdev,
5608				struct net_device *dev,
5609				const u8 *mac_addr, struct station_info *sinfo)
5610{
5611	void *hdr;
5612	struct nlattr *sinfoattr, *bss_param;
5613
5614	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
5615	if (!hdr) {
5616		cfg80211_sinfo_release_content(sinfo);
5617		return -1;
5618	}
5619
5620	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5621	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
5622	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
5623		goto nla_put_failure;
5624
5625	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
5626	if (!sinfoattr)
5627		goto nla_put_failure;
5628
5629#define PUT_SINFO(attr, memb, type) do {				\
5630	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
5631	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
5632	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
5633			     sinfo->memb))				\
5634		goto nla_put_failure;					\
5635	} while (0)
5636#define PUT_SINFO_U64(attr, memb) do {					\
5637	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
5638	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
5639			      sinfo->memb, NL80211_STA_INFO_PAD))	\
5640		goto nla_put_failure;					\
5641	} while (0)
5642
5643	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
5644	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
5645	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
5646
5647	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
5648			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
5649	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
5650			(u32)sinfo->rx_bytes))
5651		goto nla_put_failure;
5652
5653	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
5654			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
5655	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
5656			(u32)sinfo->tx_bytes))
5657		goto nla_put_failure;
5658
5659	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
5660	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
5661	PUT_SINFO(LLID, llid, u16);
5662	PUT_SINFO(PLID, plid, u16);
5663	PUT_SINFO(PLINK_STATE, plink_state, u8);
5664	PUT_SINFO_U64(RX_DURATION, rx_duration);
5665	PUT_SINFO_U64(TX_DURATION, tx_duration);
5666
5667	if (wiphy_ext_feature_isset(&rdev->wiphy,
5668				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
5669		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
5670
5671	switch (rdev->wiphy.signal_type) {
5672	case CFG80211_SIGNAL_TYPE_MBM:
5673		PUT_SINFO(SIGNAL, signal, u8);
5674		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
5675		break;
5676	default:
5677		break;
5678	}
5679	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
5680		if (!nl80211_put_signal(msg, sinfo->chains,
5681					sinfo->chain_signal,
5682					NL80211_STA_INFO_CHAIN_SIGNAL))
5683			goto nla_put_failure;
5684	}
5685	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
5686		if (!nl80211_put_signal(msg, sinfo->chains,
5687					sinfo->chain_signal_avg,
5688					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
5689			goto nla_put_failure;
5690	}
5691	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
5692		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
5693					  NL80211_STA_INFO_TX_BITRATE))
5694			goto nla_put_failure;
5695	}
5696	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
5697		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
5698					  NL80211_STA_INFO_RX_BITRATE))
5699			goto nla_put_failure;
5700	}
5701
5702	PUT_SINFO(RX_PACKETS, rx_packets, u32);
5703	PUT_SINFO(TX_PACKETS, tx_packets, u32);
5704	PUT_SINFO(TX_RETRIES, tx_retries, u32);
5705	PUT_SINFO(TX_FAILED, tx_failed, u32);
5706	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
5707	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
5708	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
5709	PUT_SINFO(LOCAL_PM, local_pm, u32);
5710	PUT_SINFO(PEER_PM, peer_pm, u32);
5711	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
5712	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
5713	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
5714
5715	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
5716		bss_param = nla_nest_start_noflag(msg,
5717						  NL80211_STA_INFO_BSS_PARAM);
5718		if (!bss_param)
5719			goto nla_put_failure;
5720
5721		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
5722		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
5723		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
5724		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
5725		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
5726		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
5727		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
5728			       sinfo->bss_param.dtim_period) ||
5729		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
5730				sinfo->bss_param.beacon_interval))
5731			goto nla_put_failure;
5732
5733		nla_nest_end(msg, bss_param);
5734	}
5735	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
5736	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
5737		    sizeof(struct nl80211_sta_flag_update),
5738		    &sinfo->sta_flags))
5739		goto nla_put_failure;
5740
5741	PUT_SINFO_U64(T_OFFSET, t_offset);
5742	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
5743	PUT_SINFO_U64(BEACON_RX, rx_beacon);
5744	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
5745	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
5746	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
5747	if (wiphy_ext_feature_isset(&rdev->wiphy,
5748				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
5749		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
5750		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
5751	}
5752
5753#undef PUT_SINFO
5754#undef PUT_SINFO_U64
5755
5756	if (sinfo->pertid) {
5757		struct nlattr *tidsattr;
5758		int tid;
5759
5760		tidsattr = nla_nest_start_noflag(msg,
5761						 NL80211_STA_INFO_TID_STATS);
5762		if (!tidsattr)
5763			goto nla_put_failure;
5764
5765		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
5766			struct cfg80211_tid_stats *tidstats;
5767			struct nlattr *tidattr;
5768
5769			tidstats = &sinfo->pertid[tid];
5770
5771			if (!tidstats->filled)
5772				continue;
5773
5774			tidattr = nla_nest_start_noflag(msg, tid + 1);
5775			if (!tidattr)
5776				goto nla_put_failure;
5777
5778#define PUT_TIDVAL_U64(attr, memb) do {					\
5779	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
5780	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
5781			      tidstats->memb, NL80211_TID_STATS_PAD))	\
5782		goto nla_put_failure;					\
5783	} while (0)
5784
5785			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
5786			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
5787			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
5788			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
5789
5790#undef PUT_TIDVAL_U64
5791			if ((tidstats->filled &
5792			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
5793			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
5794						   NL80211_TID_STATS_TXQ_STATS))
5795				goto nla_put_failure;
5796
5797			nla_nest_end(msg, tidattr);
5798		}
5799
5800		nla_nest_end(msg, tidsattr);
5801	}
5802
5803	nla_nest_end(msg, sinfoattr);
5804
5805	if (sinfo->assoc_req_ies_len &&
5806	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
5807		    sinfo->assoc_req_ies))
5808		goto nla_put_failure;
5809
5810	cfg80211_sinfo_release_content(sinfo);
5811	genlmsg_end(msg, hdr);
5812	return 0;
5813
5814 nla_put_failure:
5815	cfg80211_sinfo_release_content(sinfo);
5816	genlmsg_cancel(msg, hdr);
5817	return -EMSGSIZE;
5818}
5819
5820static int nl80211_dump_station(struct sk_buff *skb,
5821				struct netlink_callback *cb)
5822{
5823	struct station_info sinfo;
5824	struct cfg80211_registered_device *rdev;
5825	struct wireless_dev *wdev;
5826	u8 mac_addr[ETH_ALEN];
5827	int sta_idx = cb->args[2];
5828	int err;
5829
5830	rtnl_lock();
5831	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
5832	if (err)
5833		goto out_err;
5834
5835	if (!wdev->netdev) {
5836		err = -EINVAL;
5837		goto out_err;
5838	}
5839
5840	if (!rdev->ops->dump_station) {
5841		err = -EOPNOTSUPP;
5842		goto out_err;
5843	}
5844
5845	while (1) {
5846		memset(&sinfo, 0, sizeof(sinfo));
5847		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
5848					mac_addr, &sinfo);
5849		if (err == -ENOENT)
5850			break;
5851		if (err)
5852			goto out_err;
5853
5854		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
5855				NETLINK_CB(cb->skb).portid,
5856				cb->nlh->nlmsg_seq, NLM_F_MULTI,
5857				rdev, wdev->netdev, mac_addr,
5858				&sinfo) < 0)
5859			goto out;
5860
5861		sta_idx++;
5862	}
5863
5864 out:
5865	cb->args[2] = sta_idx;
5866	err = skb->len;
5867 out_err:
5868	rtnl_unlock();
5869
5870	return err;
5871}
5872
5873static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
5874{
5875	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5876	struct net_device *dev = info->user_ptr[1];
5877	struct station_info sinfo;
5878	struct sk_buff *msg;
5879	u8 *mac_addr = NULL;
5880	int err;
5881
5882	memset(&sinfo, 0, sizeof(sinfo));
5883
5884	if (!info->attrs[NL80211_ATTR_MAC])
5885		return -EINVAL;
5886
5887	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5888
5889	if (!rdev->ops->get_station)
5890		return -EOPNOTSUPP;
5891
5892	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
5893	if (err)
5894		return err;
5895
5896	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5897	if (!msg) {
5898		cfg80211_sinfo_release_content(&sinfo);
5899		return -ENOMEM;
5900	}
5901
5902	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
5903				 info->snd_portid, info->snd_seq, 0,
5904				 rdev, dev, mac_addr, &sinfo) < 0) {
5905		nlmsg_free(msg);
5906		return -ENOBUFS;
5907	}
5908
5909	return genlmsg_reply(msg, info);
5910}
5911
5912int cfg80211_check_station_change(struct wiphy *wiphy,
5913				  struct station_parameters *params,
5914				  enum cfg80211_station_type statype)
5915{
5916	if (params->listen_interval != -1 &&
5917	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5918		return -EINVAL;
5919
5920	if (params->support_p2p_ps != -1 &&
5921	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5922		return -EINVAL;
5923
5924	if (params->aid &&
5925	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
5926	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5927		return -EINVAL;
5928
5929	/* When you run into this, adjust the code below for the new flag */
5930	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
5931
5932	switch (statype) {
5933	case CFG80211_STA_MESH_PEER_KERNEL:
5934	case CFG80211_STA_MESH_PEER_USER:
5935		/*
5936		 * No ignoring the TDLS flag here -- the userspace mesh
5937		 * code doesn't have the bug of including TDLS in the
5938		 * mask everywhere.
5939		 */
5940		if (params->sta_flags_mask &
5941				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5942				  BIT(NL80211_STA_FLAG_MFP) |
5943				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
5944			return -EINVAL;
5945		break;
5946	case CFG80211_STA_TDLS_PEER_SETUP:
5947	case CFG80211_STA_TDLS_PEER_ACTIVE:
5948		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
5949			return -EINVAL;
5950		/* ignore since it can't change */
5951		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5952		break;
5953	default:
5954		/* disallow mesh-specific things */
5955		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
5956			return -EINVAL;
5957		if (params->local_pm)
5958			return -EINVAL;
5959		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
5960			return -EINVAL;
5961	}
5962
5963	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
5964	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
5965		/* TDLS can't be set, ... */
5966		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
5967			return -EINVAL;
5968		/*
5969		 * ... but don't bother the driver with it. This works around
5970		 * a hostapd/wpa_supplicant issue -- it always includes the
5971		 * TLDS_PEER flag in the mask even for AP mode.
5972		 */
5973		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5974	}
5975
5976	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
5977	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
5978		/* reject other things that can't change */
5979		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
5980			return -EINVAL;
5981		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
5982			return -EINVAL;
5983		if (params->supported_rates)
5984			return -EINVAL;
5985		if (params->ext_capab || params->ht_capa || params->vht_capa ||
5986		    params->he_capa)
5987			return -EINVAL;
5988	}
5989
5990	if (statype != CFG80211_STA_AP_CLIENT &&
5991	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
5992		if (params->vlan)
5993			return -EINVAL;
5994	}
5995
5996	switch (statype) {
5997	case CFG80211_STA_AP_MLME_CLIENT:
5998		/* Use this only for authorizing/unauthorizing a station */
5999		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
6000			return -EOPNOTSUPP;
6001		break;
6002	case CFG80211_STA_AP_CLIENT:
6003	case CFG80211_STA_AP_CLIENT_UNASSOC:
6004		/* accept only the listed bits */
6005		if (params->sta_flags_mask &
6006				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6007				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6008				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
6009				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6010				  BIT(NL80211_STA_FLAG_WME) |
6011				  BIT(NL80211_STA_FLAG_MFP)))
6012			return -EINVAL;
6013
6014		/* but authenticated/associated only if driver handles it */
6015		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6016		    params->sta_flags_mask &
6017				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6018				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
6019			return -EINVAL;
6020		break;
6021	case CFG80211_STA_IBSS:
6022	case CFG80211_STA_AP_STA:
6023		/* reject any changes other than AUTHORIZED */
6024		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
6025			return -EINVAL;
6026		break;
6027	case CFG80211_STA_TDLS_PEER_SETUP:
6028		/* reject any changes other than AUTHORIZED or WME */
6029		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6030					       BIT(NL80211_STA_FLAG_WME)))
6031			return -EINVAL;
6032		/* force (at least) rates when authorizing */
6033		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
6034		    !params->supported_rates)
6035			return -EINVAL;
6036		break;
6037	case CFG80211_STA_TDLS_PEER_ACTIVE:
6038		/* reject any changes */
6039		return -EINVAL;
6040	case CFG80211_STA_MESH_PEER_KERNEL:
6041		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6042			return -EINVAL;
6043		break;
6044	case CFG80211_STA_MESH_PEER_USER:
6045		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
6046		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
6047			return -EINVAL;
6048		break;
6049	}
6050
6051	/*
6052	 * Older kernel versions ignored this attribute entirely, so don't
6053	 * reject attempts to update it but mark it as unused instead so the
6054	 * driver won't look at the data.
6055	 */
6056	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
6057	    statype != CFG80211_STA_TDLS_PEER_SETUP)
6058		params->opmode_notif_used = false;
6059
6060	return 0;
6061}
6062EXPORT_SYMBOL(cfg80211_check_station_change);
6063
6064/*
6065 * Get vlan interface making sure it is running and on the right wiphy.
6066 */
6067static struct net_device *get_vlan(struct genl_info *info,
6068				   struct cfg80211_registered_device *rdev)
6069{
6070	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
6071	struct net_device *v;
6072	int ret;
6073
6074	if (!vlanattr)
6075		return NULL;
6076
6077	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
6078	if (!v)
6079		return ERR_PTR(-ENODEV);
6080
6081	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
6082		ret = -EINVAL;
6083		goto error;
6084	}
6085
6086	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
6087	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6088	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6089		ret = -EINVAL;
6090		goto error;
6091	}
6092
6093	if (!netif_running(v)) {
6094		ret = -ENETDOWN;
6095		goto error;
6096	}
6097
6098	return v;
6099 error:
6100	dev_put(v);
6101	return ERR_PTR(ret);
6102}
6103
6104static const struct nla_policy
6105nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
6106	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
6107	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
6108};
6109
6110static int nl80211_parse_sta_wme(struct genl_info *info,
6111				 struct station_parameters *params)
6112{
6113	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
6114	struct nlattr *nla;
6115	int err;
6116
6117	/* parse WME attributes if present */
6118	if (!info->attrs[NL80211_ATTR_STA_WME])
6119		return 0;
6120
6121	nla = info->attrs[NL80211_ATTR_STA_WME];
6122	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
6123					  nl80211_sta_wme_policy,
6124					  info->extack);
6125	if (err)
6126		return err;
6127
6128	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
6129		params->uapsd_queues = nla_get_u8(
6130			tb[NL80211_STA_WME_UAPSD_QUEUES]);
6131	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
6132		return -EINVAL;
6133
6134	if (tb[NL80211_STA_WME_MAX_SP])
6135		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
6136
6137	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
6138		return -EINVAL;
6139
6140	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
6141
6142	return 0;
6143}
6144
6145static int nl80211_parse_sta_channel_info(struct genl_info *info,
6146				      struct station_parameters *params)
6147{
6148	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
6149		params->supported_channels =
6150		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6151		params->supported_channels_len =
6152		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6153		/*
6154		 * Need to include at least one (first channel, number of
6155		 * channels) tuple for each subband (checked in policy),
6156		 * and must have proper tuples for the rest of the data as well.
6157		 */
6158		if (params->supported_channels_len % 2)
6159			return -EINVAL;
6160	}
6161
6162	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
6163		params->supported_oper_classes =
6164		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6165		params->supported_oper_classes_len =
6166		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6167	}
6168	return 0;
6169}
6170
6171static int nl80211_set_station_tdls(struct genl_info *info,
6172				    struct station_parameters *params)
6173{
6174	int err;
6175	/* Dummy STA entry gets updated once the peer capabilities are known */
6176	if (info->attrs[NL80211_ATTR_PEER_AID])
6177		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6178	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6179		params->ht_capa =
6180			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6181	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6182		params->vht_capa =
6183			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6184	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6185		params->he_capa =
6186			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6187		params->he_capa_len =
6188			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6189	}
6190
6191	err = nl80211_parse_sta_channel_info(info, params);
6192	if (err)
6193		return err;
6194
6195	return nl80211_parse_sta_wme(info, params);
6196}
6197
6198static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
6199					     struct station_parameters *params)
6200{
6201	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6202	int idx;
6203
6204	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
6205		if (!rdev->ops->set_tx_power ||
6206		    !wiphy_ext_feature_isset(&rdev->wiphy,
6207					 NL80211_EXT_FEATURE_STA_TX_PWR))
6208			return -EOPNOTSUPP;
6209
6210		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
6211		params->txpwr.type = nla_get_u8(info->attrs[idx]);
6212
6213		if (params->txpwr.type == NL80211_TX_POWER_LIMITED) {
6214			idx = NL80211_ATTR_STA_TX_POWER;
6215
6216			if (info->attrs[idx])
6217				params->txpwr.power =
6218					nla_get_s16(info->attrs[idx]);
6219			else
6220				return -EINVAL;
6221		}
6222		params->sta_modify_mask |= STATION_PARAM_APPLY_STA_TXPOWER;
6223	}
6224
6225	return 0;
6226}
6227
6228static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
6229{
6230	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6231	struct net_device *dev = info->user_ptr[1];
6232	struct station_parameters params;
6233	u8 *mac_addr;
6234	int err;
6235
6236	memset(&params, 0, sizeof(params));
6237
6238	if (!rdev->ops->change_station)
6239		return -EOPNOTSUPP;
6240
6241	/*
6242	 * AID and listen_interval properties can be set only for unassociated
6243	 * station. Include these parameters here and will check them in
6244	 * cfg80211_check_station_change().
6245	 */
6246	if (info->attrs[NL80211_ATTR_STA_AID])
6247		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6248
6249	if (info->attrs[NL80211_ATTR_VLAN_ID])
6250		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6251
6252	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6253		params.listen_interval =
6254		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6255	else
6256		params.listen_interval = -1;
6257
6258	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
6259		params.support_p2p_ps =
6260			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6261	else
6262		params.support_p2p_ps = -1;
6263
6264	if (!info->attrs[NL80211_ATTR_MAC])
6265		return -EINVAL;
6266
6267	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6268
6269	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
6270		params.supported_rates =
6271			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6272		params.supported_rates_len =
6273			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6274	}
6275
6276	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6277		params.capability =
6278			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6279		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6280	}
6281
6282	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6283		params.ext_capab =
6284			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6285		params.ext_capab_len =
6286			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6287	}
6288
6289	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6290		return -EINVAL;
6291
6292	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6293		params.plink_action =
6294			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6295
6296	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
6297		params.plink_state =
6298			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
6299		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
6300			params.peer_aid = nla_get_u16(
6301				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
6302		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
6303	}
6304
6305	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
6306		params.local_pm = nla_get_u32(
6307			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
6308
6309	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6310		params.opmode_notif_used = true;
6311		params.opmode_notif =
6312			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6313	}
6314
6315	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6316		params.he_6ghz_capa =
6317			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6318
6319	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6320		params.airtime_weight =
6321			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6322
6323	if (params.airtime_weight &&
6324	    !wiphy_ext_feature_isset(&rdev->wiphy,
6325				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6326		return -EOPNOTSUPP;
6327
6328	err = nl80211_parse_sta_txpower_setting(info, &params);
6329	if (err)
6330		return err;
6331
6332	/* Include parameters for TDLS peer (will check later) */
6333	err = nl80211_set_station_tdls(info, &params);
6334	if (err)
6335		return err;
6336
6337	params.vlan = get_vlan(info, rdev);
6338	if (IS_ERR(params.vlan))
6339		return PTR_ERR(params.vlan);
6340
6341	switch (dev->ieee80211_ptr->iftype) {
6342	case NL80211_IFTYPE_AP:
6343	case NL80211_IFTYPE_AP_VLAN:
6344	case NL80211_IFTYPE_P2P_GO:
6345	case NL80211_IFTYPE_P2P_CLIENT:
6346	case NL80211_IFTYPE_STATION:
6347	case NL80211_IFTYPE_ADHOC:
6348	case NL80211_IFTYPE_MESH_POINT:
6349		break;
6350	default:
6351		err = -EOPNOTSUPP;
6352		goto out_put_vlan;
6353	}
6354
6355	/* driver will call cfg80211_check_station_change() */
6356	err = rdev_change_station(rdev, dev, mac_addr, &params);
6357
6358 out_put_vlan:
6359	if (params.vlan)
6360		dev_put(params.vlan);
6361
6362	return err;
6363}
6364
6365static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
6366{
6367	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6368	int err;
6369	struct net_device *dev = info->user_ptr[1];
6370	struct station_parameters params;
6371	u8 *mac_addr = NULL;
6372	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6373			 BIT(NL80211_STA_FLAG_ASSOCIATED);
6374
6375	memset(&params, 0, sizeof(params));
6376
6377	if (!rdev->ops->add_station)
6378		return -EOPNOTSUPP;
6379
6380	if (!info->attrs[NL80211_ATTR_MAC])
6381		return -EINVAL;
6382
6383	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6384		return -EINVAL;
6385
6386	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
6387		return -EINVAL;
6388
6389	if (!info->attrs[NL80211_ATTR_STA_AID] &&
6390	    !info->attrs[NL80211_ATTR_PEER_AID])
6391		return -EINVAL;
6392
6393	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6394	params.supported_rates =
6395		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6396	params.supported_rates_len =
6397		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6398	params.listen_interval =
6399		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6400
6401	if (info->attrs[NL80211_ATTR_VLAN_ID])
6402		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6403
6404	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
6405		params.support_p2p_ps =
6406			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6407	} else {
6408		/*
6409		 * if not specified, assume it's supported for P2P GO interface,
6410		 * and is NOT supported for AP interface
6411		 */
6412		params.support_p2p_ps =
6413			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
6414	}
6415
6416	if (info->attrs[NL80211_ATTR_PEER_AID])
6417		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6418	else
6419		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6420
6421	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6422		params.capability =
6423			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6424		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6425	}
6426
6427	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6428		params.ext_capab =
6429			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6430		params.ext_capab_len =
6431			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6432	}
6433
6434	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6435		params.ht_capa =
6436			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6437
6438	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6439		params.vht_capa =
6440			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6441
6442	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6443		params.he_capa =
6444			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6445		params.he_capa_len =
6446			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6447	}
6448
6449	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6450		params.he_6ghz_capa =
6451			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6452
6453	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6454		params.opmode_notif_used = true;
6455		params.opmode_notif =
6456			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6457	}
6458
6459	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6460		params.plink_action =
6461			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6462
6463	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6464		params.airtime_weight =
6465			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6466
6467	if (params.airtime_weight &&
6468	    !wiphy_ext_feature_isset(&rdev->wiphy,
6469				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6470		return -EOPNOTSUPP;
6471
6472	err = nl80211_parse_sta_txpower_setting(info, &params);
6473	if (err)
6474		return err;
6475
6476	err = nl80211_parse_sta_channel_info(info, &params);
6477	if (err)
6478		return err;
6479
6480	err = nl80211_parse_sta_wme(info, &params);
6481	if (err)
6482		return err;
6483
6484	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6485		return -EINVAL;
6486
6487	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
6488	 * as userspace might just pass through the capabilities from the IEs
6489	 * directly, rather than enforcing this restriction and returning an
6490	 * error in this case.
6491	 */
6492	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
6493		params.ht_capa = NULL;
6494		params.vht_capa = NULL;
6495
6496		/* HE requires WME */
6497		if (params.he_capa_len || params.he_6ghz_capa)
6498			return -EINVAL;
6499	}
6500
6501	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
6502	if (params.he_6ghz_capa && (params.ht_capa || params.vht_capa))
6503		return -EINVAL;
6504
6505	/* When you run into this, adjust the code below for the new flag */
6506	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6507
6508	switch (dev->ieee80211_ptr->iftype) {
6509	case NL80211_IFTYPE_AP:
6510	case NL80211_IFTYPE_AP_VLAN:
6511	case NL80211_IFTYPE_P2P_GO:
6512		/* ignore WME attributes if iface/sta is not capable */
6513		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
6514		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
6515			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6516
6517		/* TDLS peers cannot be added */
6518		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
6519		    info->attrs[NL80211_ATTR_PEER_AID])
6520			return -EINVAL;
6521		/* but don't bother the driver with it */
6522		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6523
6524		/* allow authenticated/associated only if driver handles it */
6525		if (!(rdev->wiphy.features &
6526				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6527		    params.sta_flags_mask & auth_assoc)
6528			return -EINVAL;
6529
6530		/* Older userspace, or userspace wanting to be compatible with
6531		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
6532		 * and assoc flags in the mask, but assumes the station will be
6533		 * added as associated anyway since this was the required driver
6534		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
6535		 * introduced.
6536		 * In order to not bother drivers with this quirk in the API
6537		 * set the flags in both the mask and set for new stations in
6538		 * this case.
6539		 */
6540		if (!(params.sta_flags_mask & auth_assoc)) {
6541			params.sta_flags_mask |= auth_assoc;
6542			params.sta_flags_set |= auth_assoc;
6543		}
6544
6545		/* must be last in here for error handling */
6546		params.vlan = get_vlan(info, rdev);
6547		if (IS_ERR(params.vlan))
6548			return PTR_ERR(params.vlan);
6549		break;
6550	case NL80211_IFTYPE_MESH_POINT:
6551		/* ignore uAPSD data */
6552		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6553
6554		/* associated is disallowed */
6555		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
6556			return -EINVAL;
6557		/* TDLS peers cannot be added */
6558		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
6559		    info->attrs[NL80211_ATTR_PEER_AID])
6560			return -EINVAL;
6561		break;
6562	case NL80211_IFTYPE_STATION:
6563	case NL80211_IFTYPE_P2P_CLIENT:
6564		/* ignore uAPSD data */
6565		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6566
6567		/* these are disallowed */
6568		if (params.sta_flags_mask &
6569				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
6570				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
6571			return -EINVAL;
6572		/* Only TDLS peers can be added */
6573		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6574			return -EINVAL;
6575		/* Can only add if TDLS ... */
6576		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
6577			return -EOPNOTSUPP;
6578		/* ... with external setup is supported */
6579		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
6580			return -EOPNOTSUPP;
6581		/*
6582		 * Older wpa_supplicant versions always mark the TDLS peer
6583		 * as authorized, but it shouldn't yet be.
6584		 */
6585		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
6586		break;
6587	default:
6588		return -EOPNOTSUPP;
6589	}
6590
6591	/* be aware of params.vlan when changing code here */
6592
6593	err = rdev_add_station(rdev, dev, mac_addr, &params);
6594
6595	if (params.vlan)
6596		dev_put(params.vlan);
6597	return err;
6598}
6599
6600static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
6601{
6602	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6603	struct net_device *dev = info->user_ptr[1];
6604	struct station_del_parameters params;
6605
6606	memset(&params, 0, sizeof(params));
6607
6608	if (info->attrs[NL80211_ATTR_MAC])
6609		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
6610
6611	switch (dev->ieee80211_ptr->iftype) {
6612	case NL80211_IFTYPE_AP:
6613	case NL80211_IFTYPE_AP_VLAN:
6614	case NL80211_IFTYPE_MESH_POINT:
6615	case NL80211_IFTYPE_P2P_GO:
6616		/* always accept these */
6617		break;
6618	case NL80211_IFTYPE_ADHOC:
6619		/* conditionally accept */
6620		if (wiphy_ext_feature_isset(&rdev->wiphy,
6621					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
6622			break;
6623		return -EINVAL;
6624	default:
6625		return -EINVAL;
6626	}
6627
6628	if (!rdev->ops->del_station)
6629		return -EOPNOTSUPP;
6630
6631	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
6632		params.subtype =
6633			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
6634		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
6635		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
6636			return -EINVAL;
6637	} else {
6638		/* Default to Deauthentication frame */
6639		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
6640	}
6641
6642	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
6643		params.reason_code =
6644			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
6645		if (params.reason_code == 0)
6646			return -EINVAL; /* 0 is reserved */
6647	} else {
6648		/* Default to reason code 2 */
6649		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
6650	}
6651
6652	return rdev_del_station(rdev, dev, &params);
6653}
6654
6655static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
6656				int flags, struct net_device *dev,
6657				u8 *dst, u8 *next_hop,
6658				struct mpath_info *pinfo)
6659{
6660	void *hdr;
6661	struct nlattr *pinfoattr;
6662
6663	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
6664	if (!hdr)
6665		return -1;
6666
6667	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6668	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
6669	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
6670	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
6671		goto nla_put_failure;
6672
6673	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
6674	if (!pinfoattr)
6675		goto nla_put_failure;
6676	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
6677	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
6678			pinfo->frame_qlen))
6679		goto nla_put_failure;
6680	if (((pinfo->filled & MPATH_INFO_SN) &&
6681	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
6682	    ((pinfo->filled & MPATH_INFO_METRIC) &&
6683	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
6684			 pinfo->metric)) ||
6685	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
6686	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
6687			 pinfo->exptime)) ||
6688	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
6689	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
6690			pinfo->flags)) ||
6691	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
6692	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
6693			 pinfo->discovery_timeout)) ||
6694	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
6695	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
6696			pinfo->discovery_retries)) ||
6697	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
6698	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
6699			pinfo->hop_count)) ||
6700	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
6701	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
6702			 pinfo->path_change_count)))
6703		goto nla_put_failure;
6704
6705	nla_nest_end(msg, pinfoattr);
6706
6707	genlmsg_end(msg, hdr);
6708	return 0;
6709
6710 nla_put_failure:
6711	genlmsg_cancel(msg, hdr);
6712	return -EMSGSIZE;
6713}
6714
6715static int nl80211_dump_mpath(struct sk_buff *skb,
6716			      struct netlink_callback *cb)
6717{
6718	struct mpath_info pinfo;
6719	struct cfg80211_registered_device *rdev;
6720	struct wireless_dev *wdev;
6721	u8 dst[ETH_ALEN];
6722	u8 next_hop[ETH_ALEN];
6723	int path_idx = cb->args[2];
6724	int err;
6725
6726	rtnl_lock();
6727	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
6728	if (err)
6729		goto out_err;
6730
6731	if (!rdev->ops->dump_mpath) {
6732		err = -EOPNOTSUPP;
6733		goto out_err;
6734	}
6735
6736	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
6737		err = -EOPNOTSUPP;
6738		goto out_err;
6739	}
6740
6741	while (1) {
6742		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
6743				      next_hop, &pinfo);
6744		if (err == -ENOENT)
6745			break;
6746		if (err)
6747			goto out_err;
6748
6749		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
6750				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
6751				       wdev->netdev, dst, next_hop,
6752				       &pinfo) < 0)
6753			goto out;
6754
6755		path_idx++;
6756	}
6757
6758 out:
6759	cb->args[2] = path_idx;
6760	err = skb->len;
6761 out_err:
6762	rtnl_unlock();
6763	return err;
6764}
6765
6766static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
6767{
6768	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6769	int err;
6770	struct net_device *dev = info->user_ptr[1];
6771	struct mpath_info pinfo;
6772	struct sk_buff *msg;
6773	u8 *dst = NULL;
6774	u8 next_hop[ETH_ALEN];
6775
6776	memset(&pinfo, 0, sizeof(pinfo));
6777
6778	if (!info->attrs[NL80211_ATTR_MAC])
6779		return -EINVAL;
6780
6781	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6782
6783	if (!rdev->ops->get_mpath)
6784		return -EOPNOTSUPP;
6785
6786	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6787		return -EOPNOTSUPP;
6788
6789	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
6790	if (err)
6791		return err;
6792
6793	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6794	if (!msg)
6795		return -ENOMEM;
6796
6797	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
6798				 dev, dst, next_hop, &pinfo) < 0) {
6799		nlmsg_free(msg);
6800		return -ENOBUFS;
6801	}
6802
6803	return genlmsg_reply(msg, info);
6804}
6805
6806static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
6807{
6808	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6809	struct net_device *dev = info->user_ptr[1];
6810	u8 *dst = NULL;
6811	u8 *next_hop = NULL;
6812
6813	if (!info->attrs[NL80211_ATTR_MAC])
6814		return -EINVAL;
6815
6816	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
6817		return -EINVAL;
6818
6819	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6820	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
6821
6822	if (!rdev->ops->change_mpath)
6823		return -EOPNOTSUPP;
6824
6825	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6826		return -EOPNOTSUPP;
6827
6828	return rdev_change_mpath(rdev, dev, dst, next_hop);
6829}
6830
6831static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
6832{
6833	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6834	struct net_device *dev = info->user_ptr[1];
6835	u8 *dst = NULL;
6836	u8 *next_hop = NULL;
6837
6838	if (!info->attrs[NL80211_ATTR_MAC])
6839		return -EINVAL;
6840
6841	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
6842		return -EINVAL;
6843
6844	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6845	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
6846
6847	if (!rdev->ops->add_mpath)
6848		return -EOPNOTSUPP;
6849
6850	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6851		return -EOPNOTSUPP;
6852
6853	return rdev_add_mpath(rdev, dev, dst, next_hop);
6854}
6855
6856static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
6857{
6858	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6859	struct net_device *dev = info->user_ptr[1];
6860	u8 *dst = NULL;
6861
6862	if (info->attrs[NL80211_ATTR_MAC])
6863		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6864
6865	if (!rdev->ops->del_mpath)
6866		return -EOPNOTSUPP;
6867
6868	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6869		return -EOPNOTSUPP;
6870
6871	return rdev_del_mpath(rdev, dev, dst);
6872}
6873
6874static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
6875{
6876	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6877	int err;
6878	struct net_device *dev = info->user_ptr[1];
6879	struct mpath_info pinfo;
6880	struct sk_buff *msg;
6881	u8 *dst = NULL;
6882	u8 mpp[ETH_ALEN];
6883
6884	memset(&pinfo, 0, sizeof(pinfo));
6885
6886	if (!info->attrs[NL80211_ATTR_MAC])
6887		return -EINVAL;
6888
6889	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6890
6891	if (!rdev->ops->get_mpp)
6892		return -EOPNOTSUPP;
6893
6894	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6895		return -EOPNOTSUPP;
6896
6897	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
6898	if (err)
6899		return err;
6900
6901	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6902	if (!msg)
6903		return -ENOMEM;
6904
6905	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
6906			       dev, dst, mpp, &pinfo) < 0) {
6907		nlmsg_free(msg);
6908		return -ENOBUFS;
6909	}
6910
6911	return genlmsg_reply(msg, info);
6912}
6913
6914static int nl80211_dump_mpp(struct sk_buff *skb,
6915			    struct netlink_callback *cb)
6916{
6917	struct mpath_info pinfo;
6918	struct cfg80211_registered_device *rdev;
6919	struct wireless_dev *wdev;
6920	u8 dst[ETH_ALEN];
6921	u8 mpp[ETH_ALEN];
6922	int path_idx = cb->args[2];
6923	int err;
6924
6925	rtnl_lock();
6926	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
6927	if (err)
6928		goto out_err;
6929
6930	if (!rdev->ops->dump_mpp) {
6931		err = -EOPNOTSUPP;
6932		goto out_err;
6933	}
6934
6935	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
6936		err = -EOPNOTSUPP;
6937		goto out_err;
6938	}
6939
6940	while (1) {
6941		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
6942				    mpp, &pinfo);
6943		if (err == -ENOENT)
6944			break;
6945		if (err)
6946			goto out_err;
6947
6948		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
6949				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
6950				       wdev->netdev, dst, mpp,
6951				       &pinfo) < 0)
6952			goto out;
6953
6954		path_idx++;
6955	}
6956
6957 out:
6958	cb->args[2] = path_idx;
6959	err = skb->len;
6960 out_err:
6961	rtnl_unlock();
6962	return err;
6963}
6964
6965static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
6966{
6967	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6968	struct net_device *dev = info->user_ptr[1];
6969	struct wireless_dev *wdev = dev->ieee80211_ptr;
6970	struct bss_parameters params;
6971	int err;
6972
6973	memset(&params, 0, sizeof(params));
6974	/* default to not changing parameters */
6975	params.use_cts_prot = -1;
6976	params.use_short_preamble = -1;
6977	params.use_short_slot_time = -1;
6978	params.ap_isolate = -1;
6979	params.ht_opmode = -1;
6980	params.p2p_ctwindow = -1;
6981	params.p2p_opp_ps = -1;
6982
6983	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
6984		params.use_cts_prot =
6985		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
6986	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
6987		params.use_short_preamble =
6988		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
6989	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
6990		params.use_short_slot_time =
6991		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
6992	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
6993		params.basic_rates =
6994			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6995		params.basic_rates_len =
6996			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6997	}
6998	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
6999		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
7000	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
7001		params.ht_opmode =
7002			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
7003
7004	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
7005		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7006			return -EINVAL;
7007		params.p2p_ctwindow =
7008			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
7009		if (params.p2p_ctwindow != 0 &&
7010		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
7011			return -EINVAL;
7012	}
7013
7014	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
7015		u8 tmp;
7016
7017		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7018			return -EINVAL;
7019		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
7020		params.p2p_opp_ps = tmp;
7021		if (params.p2p_opp_ps &&
7022		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
7023			return -EINVAL;
7024	}
7025
7026	if (!rdev->ops->change_bss)
7027		return -EOPNOTSUPP;
7028
7029	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7030	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7031		return -EOPNOTSUPP;
7032
7033	wdev_lock(wdev);
7034	err = rdev_change_bss(rdev, dev, &params);
7035	wdev_unlock(wdev);
7036
7037	return err;
7038}
7039
7040static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
7041{
7042	char *data = NULL;
7043	bool is_indoor;
7044	enum nl80211_user_reg_hint_type user_reg_hint_type;
7045	u32 owner_nlportid;
7046
7047	/*
7048	 * You should only get this when cfg80211 hasn't yet initialized
7049	 * completely when built-in to the kernel right between the time
7050	 * window between nl80211_init() and regulatory_init(), if that is
7051	 * even possible.
7052	 */
7053	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
7054		return -EINPROGRESS;
7055
7056	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
7057		user_reg_hint_type =
7058		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
7059	else
7060		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
7061
7062	switch (user_reg_hint_type) {
7063	case NL80211_USER_REG_HINT_USER:
7064	case NL80211_USER_REG_HINT_CELL_BASE:
7065		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
7066			return -EINVAL;
7067
7068		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
7069		return regulatory_hint_user(data, user_reg_hint_type);
7070	case NL80211_USER_REG_HINT_INDOOR:
7071		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
7072			owner_nlportid = info->snd_portid;
7073			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
7074		} else {
7075			owner_nlportid = 0;
7076			is_indoor = true;
7077		}
7078
7079		return regulatory_hint_indoor(is_indoor, owner_nlportid);
7080	default:
7081		return -EINVAL;
7082	}
7083}
7084
7085static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
7086{
7087	return reg_reload_regdb();
7088}
7089
7090static int nl80211_get_mesh_config(struct sk_buff *skb,
7091				   struct genl_info *info)
7092{
7093	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7094	struct net_device *dev = info->user_ptr[1];
7095	struct wireless_dev *wdev = dev->ieee80211_ptr;
7096	struct mesh_config cur_params;
7097	int err = 0;
7098	void *hdr;
7099	struct nlattr *pinfoattr;
7100	struct sk_buff *msg;
7101
7102	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7103		return -EOPNOTSUPP;
7104
7105	if (!rdev->ops->get_mesh_config)
7106		return -EOPNOTSUPP;
7107
7108	wdev_lock(wdev);
7109	/* If not connected, get default parameters */
7110	if (!wdev->mesh_id_len)
7111		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
7112	else
7113		err = rdev_get_mesh_config(rdev, dev, &cur_params);
7114	wdev_unlock(wdev);
7115
7116	if (err)
7117		return err;
7118
7119	/* Draw up a netlink message to send back */
7120	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7121	if (!msg)
7122		return -ENOMEM;
7123	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7124			     NL80211_CMD_GET_MESH_CONFIG);
7125	if (!hdr)
7126		goto out;
7127	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
7128	if (!pinfoattr)
7129		goto nla_put_failure;
7130	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7131	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
7132			cur_params.dot11MeshRetryTimeout) ||
7133	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
7134			cur_params.dot11MeshConfirmTimeout) ||
7135	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
7136			cur_params.dot11MeshHoldingTimeout) ||
7137	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
7138			cur_params.dot11MeshMaxPeerLinks) ||
7139	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
7140		       cur_params.dot11MeshMaxRetries) ||
7141	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
7142		       cur_params.dot11MeshTTL) ||
7143	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
7144		       cur_params.element_ttl) ||
7145	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7146		       cur_params.auto_open_plinks) ||
7147	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7148			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
7149	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7150		       cur_params.dot11MeshHWMPmaxPREQretries) ||
7151	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
7152			cur_params.path_refresh_time) ||
7153	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7154			cur_params.min_discovery_timeout) ||
7155	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7156			cur_params.dot11MeshHWMPactivePathTimeout) ||
7157	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7158			cur_params.dot11MeshHWMPpreqMinInterval) ||
7159	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7160			cur_params.dot11MeshHWMPperrMinInterval) ||
7161	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7162			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
7163	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
7164		       cur_params.dot11MeshHWMPRootMode) ||
7165	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7166			cur_params.dot11MeshHWMPRannInterval) ||
7167	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7168		       cur_params.dot11MeshGateAnnouncementProtocol) ||
7169	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
7170		       cur_params.dot11MeshForwarding) ||
7171	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
7172			cur_params.rssi_threshold) ||
7173	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
7174			cur_params.ht_opmode) ||
7175	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7176			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
7177	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7178			cur_params.dot11MeshHWMProotInterval) ||
7179	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7180			cur_params.dot11MeshHWMPconfirmationInterval) ||
7181	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
7182			cur_params.power_mode) ||
7183	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
7184			cur_params.dot11MeshAwakeWindowDuration) ||
7185	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
7186			cur_params.plink_timeout) ||
7187	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
7188		       cur_params.dot11MeshConnectedToMeshGate) ||
7189	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
7190		       cur_params.dot11MeshNolearn) ||
7191	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
7192		       cur_params.dot11MeshConnectedToAuthServer))
7193		goto nla_put_failure;
7194	nla_nest_end(msg, pinfoattr);
7195	genlmsg_end(msg, hdr);
7196	return genlmsg_reply(msg, info);
7197
7198 nla_put_failure:
7199 out:
7200	nlmsg_free(msg);
7201	return -ENOBUFS;
7202}
7203
7204static const struct nla_policy
7205nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
7206	[NL80211_MESHCONF_RETRY_TIMEOUT] =
7207		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7208	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
7209		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7210	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
7211		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7212	[NL80211_MESHCONF_MAX_PEER_LINKS] =
7213		NLA_POLICY_RANGE(NLA_U16, 0, 255),
7214	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
7215	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7216	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7217	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
7218	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
7219		NLA_POLICY_RANGE(NLA_U32, 1, 255),
7220	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
7221	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
7222	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
7223	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
7224	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
7225		NLA_POLICY_MIN(NLA_U16, 1),
7226	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
7227		NLA_POLICY_MIN(NLA_U16, 1),
7228	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
7229		NLA_POLICY_MIN(NLA_U16, 1),
7230	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
7231	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
7232		NLA_POLICY_MIN(NLA_U16, 1),
7233	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
7234	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
7235	[NL80211_MESHCONF_RSSI_THRESHOLD] =
7236		NLA_POLICY_RANGE(NLA_S32, -255, 0),
7237	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
7238	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
7239	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
7240		NLA_POLICY_MIN(NLA_U16, 1),
7241	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
7242		NLA_POLICY_MIN(NLA_U16, 1),
7243	[NL80211_MESHCONF_POWER_MODE] =
7244		NLA_POLICY_RANGE(NLA_U32,
7245				 NL80211_MESH_POWER_ACTIVE,
7246				 NL80211_MESH_POWER_MAX),
7247	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
7248	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
7249	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7250	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7251	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7252};
7253
7254static const struct nla_policy
7255	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
7256	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
7257	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
7258	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
7259	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
7260	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
7261	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
7262	[NL80211_MESH_SETUP_IE] =
7263		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
7264				       IEEE80211_MAX_DATA_LEN),
7265	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
7266};
7267
7268static int nl80211_parse_mesh_config(struct genl_info *info,
7269				     struct mesh_config *cfg,
7270				     u32 *mask_out)
7271{
7272	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
7273	u32 mask = 0;
7274	u16 ht_opmode;
7275
7276#define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
7277do {									\
7278	if (tb[attr]) {							\
7279		cfg->param = fn(tb[attr]);				\
7280		mask |= BIT((attr) - 1);				\
7281	}								\
7282} while (0)
7283
7284	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
7285		return -EINVAL;
7286	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
7287		return -EINVAL;
7288
7289	/* This makes sure that there aren't more than 32 mesh config
7290	 * parameters (otherwise our bitfield scheme would not work.) */
7291	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
7292
7293	/* Fill in the params struct */
7294	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
7295				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
7296	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
7297				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
7298				  nla_get_u16);
7299	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
7300				  NL80211_MESHCONF_HOLDING_TIMEOUT,
7301				  nla_get_u16);
7302	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
7303				  NL80211_MESHCONF_MAX_PEER_LINKS,
7304				  nla_get_u16);
7305	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
7306				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
7307	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
7308				  NL80211_MESHCONF_TTL, nla_get_u8);
7309	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
7310				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
7311	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
7312				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7313				  nla_get_u8);
7314	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
7315				  mask,
7316				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7317				  nla_get_u32);
7318	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
7319				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7320				  nla_get_u8);
7321	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
7322				  NL80211_MESHCONF_PATH_REFRESH_TIME,
7323				  nla_get_u32);
7324	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
7325	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
7326		return -EINVAL;
7327	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
7328				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7329				  nla_get_u16);
7330	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
7331				  mask,
7332				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7333				  nla_get_u32);
7334	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
7335	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
7336	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
7337		return -EINVAL;
7338	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
7339				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7340				  nla_get_u16);
7341	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
7342				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7343				  nla_get_u16);
7344	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7345				  dot11MeshHWMPnetDiameterTraversalTime, mask,
7346				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7347				  nla_get_u16);
7348	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
7349				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
7350	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
7351				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7352				  nla_get_u16);
7353	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
7354				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7355				  nla_get_u8);
7356	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
7357				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
7358	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
7359				  NL80211_MESHCONF_RSSI_THRESHOLD,
7360				  nla_get_s32);
7361	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
7362				  NL80211_MESHCONF_CONNECTED_TO_GATE,
7363				  nla_get_u8);
7364	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
7365				  NL80211_MESHCONF_CONNECTED_TO_AS,
7366				  nla_get_u8);
7367	/*
7368	 * Check HT operation mode based on
7369	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
7370	 */
7371	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
7372		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
7373
7374		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
7375				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
7376				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
7377			return -EINVAL;
7378
7379		/* NON_HT_STA bit is reserved, but some programs set it */
7380		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
7381
7382		cfg->ht_opmode = ht_opmode;
7383		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
7384	}
7385	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7386				  dot11MeshHWMPactivePathToRootTimeout, mask,
7387				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7388				  nla_get_u32);
7389	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
7390	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
7391	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
7392		return -EINVAL;
7393	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
7394				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7395				  nla_get_u16);
7396	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
7397				  mask,
7398				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7399				  nla_get_u16);
7400	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
7401				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
7402	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
7403				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
7404	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
7405				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
7406	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
7407				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
7408	if (mask_out)
7409		*mask_out = mask;
7410
7411	return 0;
7412
7413#undef FILL_IN_MESH_PARAM_IF_SET
7414}
7415
7416static int nl80211_parse_mesh_setup(struct genl_info *info,
7417				     struct mesh_setup *setup)
7418{
7419	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7420	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
7421
7422	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
7423		return -EINVAL;
7424	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
7425		return -EINVAL;
7426
7427	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
7428		setup->sync_method =
7429		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
7430		 IEEE80211_SYNC_METHOD_VENDOR :
7431		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
7432
7433	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
7434		setup->path_sel_proto =
7435		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
7436		 IEEE80211_PATH_PROTOCOL_VENDOR :
7437		 IEEE80211_PATH_PROTOCOL_HWMP;
7438
7439	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
7440		setup->path_metric =
7441		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
7442		 IEEE80211_PATH_METRIC_VENDOR :
7443		 IEEE80211_PATH_METRIC_AIRTIME;
7444
7445	if (tb[NL80211_MESH_SETUP_IE]) {
7446		struct nlattr *ieattr =
7447			tb[NL80211_MESH_SETUP_IE];
7448		setup->ie = nla_data(ieattr);
7449		setup->ie_len = nla_len(ieattr);
7450	}
7451	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
7452	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
7453		return -EINVAL;
7454	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
7455	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
7456	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
7457	if (setup->is_secure)
7458		setup->user_mpm = true;
7459
7460	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
7461		if (!setup->user_mpm)
7462			return -EINVAL;
7463		setup->auth_id =
7464			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
7465	}
7466
7467	return 0;
7468}
7469
7470static int nl80211_update_mesh_config(struct sk_buff *skb,
7471				      struct genl_info *info)
7472{
7473	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7474	struct net_device *dev = info->user_ptr[1];
7475	struct wireless_dev *wdev = dev->ieee80211_ptr;
7476	struct mesh_config cfg = {};
7477	u32 mask;
7478	int err;
7479
7480	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7481		return -EOPNOTSUPP;
7482
7483	if (!rdev->ops->update_mesh_config)
7484		return -EOPNOTSUPP;
7485
7486	err = nl80211_parse_mesh_config(info, &cfg, &mask);
7487	if (err)
7488		return err;
7489
7490	wdev_lock(wdev);
7491	if (!wdev->mesh_id_len)
7492		err = -ENOLINK;
7493
7494	if (!err)
7495		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
7496
7497	wdev_unlock(wdev);
7498
7499	return err;
7500}
7501
7502static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
7503			      struct sk_buff *msg)
7504{
7505	struct nlattr *nl_reg_rules;
7506	unsigned int i;
7507
7508	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
7509	    (regdom->dfs_region &&
7510	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
7511		goto nla_put_failure;
7512
7513	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
7514	if (!nl_reg_rules)
7515		goto nla_put_failure;
7516
7517	for (i = 0; i < regdom->n_reg_rules; i++) {
7518		struct nlattr *nl_reg_rule;
7519		const struct ieee80211_reg_rule *reg_rule;
7520		const struct ieee80211_freq_range *freq_range;
7521		const struct ieee80211_power_rule *power_rule;
7522		unsigned int max_bandwidth_khz;
7523
7524		reg_rule = &regdom->reg_rules[i];
7525		freq_range = &reg_rule->freq_range;
7526		power_rule = &reg_rule->power_rule;
7527
7528		nl_reg_rule = nla_nest_start_noflag(msg, i);
7529		if (!nl_reg_rule)
7530			goto nla_put_failure;
7531
7532		max_bandwidth_khz = freq_range->max_bandwidth_khz;
7533		if (!max_bandwidth_khz)
7534			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
7535								  reg_rule);
7536
7537		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
7538				reg_rule->flags) ||
7539		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
7540				freq_range->start_freq_khz) ||
7541		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
7542				freq_range->end_freq_khz) ||
7543		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
7544				max_bandwidth_khz) ||
7545		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
7546				power_rule->max_antenna_gain) ||
7547		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
7548				power_rule->max_eirp) ||
7549		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
7550				reg_rule->dfs_cac_ms))
7551			goto nla_put_failure;
7552
7553		nla_nest_end(msg, nl_reg_rule);
7554	}
7555
7556	nla_nest_end(msg, nl_reg_rules);
7557	return 0;
7558
7559nla_put_failure:
7560	return -EMSGSIZE;
7561}
7562
7563static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
7564{
7565	const struct ieee80211_regdomain *regdom = NULL;
7566	struct cfg80211_registered_device *rdev;
7567	struct wiphy *wiphy = NULL;
7568	struct sk_buff *msg;
7569	void *hdr;
7570
7571	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7572	if (!msg)
7573		return -ENOBUFS;
7574
7575	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7576			     NL80211_CMD_GET_REG);
7577	if (!hdr)
7578		goto put_failure;
7579
7580	if (info->attrs[NL80211_ATTR_WIPHY]) {
7581		bool self_managed;
7582
7583		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
7584		if (IS_ERR(rdev)) {
7585			nlmsg_free(msg);
7586			return PTR_ERR(rdev);
7587		}
7588
7589		wiphy = &rdev->wiphy;
7590		self_managed = wiphy->regulatory_flags &
7591			       REGULATORY_WIPHY_SELF_MANAGED;
7592		regdom = get_wiphy_regdom(wiphy);
7593
7594		/* a self-managed-reg device must have a private regdom */
7595		if (WARN_ON(!regdom && self_managed)) {
7596			nlmsg_free(msg);
7597			return -EINVAL;
7598		}
7599
7600		if (regdom &&
7601		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
7602			goto nla_put_failure;
7603	}
7604
7605	if (!wiphy && reg_last_request_cell_base() &&
7606	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
7607			NL80211_USER_REG_HINT_CELL_BASE))
7608		goto nla_put_failure;
7609
7610	rcu_read_lock();
7611
7612	if (!regdom)
7613		regdom = rcu_dereference(cfg80211_regdomain);
7614
7615	if (nl80211_put_regdom(regdom, msg))
7616		goto nla_put_failure_rcu;
7617
7618	rcu_read_unlock();
7619
7620	genlmsg_end(msg, hdr);
7621	return genlmsg_reply(msg, info);
7622
7623nla_put_failure_rcu:
7624	rcu_read_unlock();
7625nla_put_failure:
7626put_failure:
7627	nlmsg_free(msg);
7628	return -EMSGSIZE;
7629}
7630
7631static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
7632			       u32 seq, int flags, struct wiphy *wiphy,
7633			       const struct ieee80211_regdomain *regdom)
7634{
7635	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
7636				   NL80211_CMD_GET_REG);
7637
7638	if (!hdr)
7639		return -1;
7640
7641	genl_dump_check_consistent(cb, hdr);
7642
7643	if (nl80211_put_regdom(regdom, msg))
7644		goto nla_put_failure;
7645
7646	if (!wiphy && reg_last_request_cell_base() &&
7647	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
7648			NL80211_USER_REG_HINT_CELL_BASE))
7649		goto nla_put_failure;
7650
7651	if (wiphy &&
7652	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
7653		goto nla_put_failure;
7654
7655	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
7656	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
7657		goto nla_put_failure;
7658
7659	genlmsg_end(msg, hdr);
7660	return 0;
7661
7662nla_put_failure:
7663	genlmsg_cancel(msg, hdr);
7664	return -EMSGSIZE;
7665}
7666
7667static int nl80211_get_reg_dump(struct sk_buff *skb,
7668				struct netlink_callback *cb)
7669{
7670	const struct ieee80211_regdomain *regdom = NULL;
7671	struct cfg80211_registered_device *rdev;
7672	int err, reg_idx, start = cb->args[2];
7673
7674	rtnl_lock();
7675
7676	if (cfg80211_regdomain && start == 0) {
7677		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
7678					  NLM_F_MULTI, NULL,
7679					  rtnl_dereference(cfg80211_regdomain));
7680		if (err < 0)
7681			goto out_err;
7682	}
7683
7684	/* the global regdom is idx 0 */
7685	reg_idx = 1;
7686	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
7687		regdom = get_wiphy_regdom(&rdev->wiphy);
7688		if (!regdom)
7689			continue;
7690
7691		if (++reg_idx <= start)
7692			continue;
7693
7694		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
7695					  NLM_F_MULTI, &rdev->wiphy, regdom);
7696		if (err < 0) {
7697			reg_idx--;
7698			break;
7699		}
7700	}
7701
7702	cb->args[2] = reg_idx;
7703	err = skb->len;
7704out_err:
7705	rtnl_unlock();
7706	return err;
7707}
7708
7709#ifdef CONFIG_CFG80211_CRDA_SUPPORT
7710static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
7711	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
7712	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
7713	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
7714	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
7715	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
7716	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
7717	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
7718};
7719
7720static int parse_reg_rule(struct nlattr *tb[],
7721	struct ieee80211_reg_rule *reg_rule)
7722{
7723	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
7724	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
7725
7726	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
7727		return -EINVAL;
7728	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
7729		return -EINVAL;
7730	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
7731		return -EINVAL;
7732	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
7733		return -EINVAL;
7734	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
7735		return -EINVAL;
7736
7737	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
7738
7739	freq_range->start_freq_khz =
7740		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
7741	freq_range->end_freq_khz =
7742		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
7743	freq_range->max_bandwidth_khz =
7744		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
7745
7746	power_rule->max_eirp =
7747		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
7748
7749	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
7750		power_rule->max_antenna_gain =
7751			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
7752
7753	if (tb[NL80211_ATTR_DFS_CAC_TIME])
7754		reg_rule->dfs_cac_ms =
7755			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
7756
7757	return 0;
7758}
7759
7760static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
7761{
7762	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
7763	struct nlattr *nl_reg_rule;
7764	char *alpha2;
7765	int rem_reg_rules, r;
7766	u32 num_rules = 0, rule_idx = 0;
7767	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
7768	struct ieee80211_regdomain *rd;
7769
7770	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
7771		return -EINVAL;
7772
7773	if (!info->attrs[NL80211_ATTR_REG_RULES])
7774		return -EINVAL;
7775
7776	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
7777
7778	if (info->attrs[NL80211_ATTR_DFS_REGION])
7779		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
7780
7781	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
7782			    rem_reg_rules) {
7783		num_rules++;
7784		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
7785			return -EINVAL;
7786	}
7787
7788	if (!reg_is_valid_request(alpha2))
7789		return -EINVAL;
7790
7791	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
7792	if (!rd)
7793		return -ENOMEM;
7794
7795	rd->n_reg_rules = num_rules;
7796	rd->alpha2[0] = alpha2[0];
7797	rd->alpha2[1] = alpha2[1];
7798
7799	/*
7800	 * Disable DFS master mode if the DFS region was
7801	 * not supported or known on this kernel.
7802	 */
7803	if (reg_supported_dfs_region(dfs_region))
7804		rd->dfs_region = dfs_region;
7805
7806	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
7807			    rem_reg_rules) {
7808		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
7809						nl_reg_rule, reg_rule_policy,
7810						info->extack);
7811		if (r)
7812			goto bad_reg;
7813		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
7814		if (r)
7815			goto bad_reg;
7816
7817		rule_idx++;
7818
7819		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
7820			r = -EINVAL;
7821			goto bad_reg;
7822		}
7823	}
7824
7825	/* set_regdom takes ownership of rd */
7826	return set_regdom(rd, REGD_SOURCE_CRDA);
7827 bad_reg:
7828	kfree(rd);
7829	return r;
7830}
7831#endif /* CONFIG_CFG80211_CRDA_SUPPORT */
7832
7833static int validate_scan_freqs(struct nlattr *freqs)
7834{
7835	struct nlattr *attr1, *attr2;
7836	int n_channels = 0, tmp1, tmp2;
7837
7838	nla_for_each_nested(attr1, freqs, tmp1)
7839		if (nla_len(attr1) != sizeof(u32))
7840			return 0;
7841
7842	nla_for_each_nested(attr1, freqs, tmp1) {
7843		n_channels++;
7844		/*
7845		 * Some hardware has a limited channel list for
7846		 * scanning, and it is pretty much nonsensical
7847		 * to scan for a channel twice, so disallow that
7848		 * and don't require drivers to check that the
7849		 * channel list they get isn't longer than what
7850		 * they can scan, as long as they can scan all
7851		 * the channels they registered at once.
7852		 */
7853		nla_for_each_nested(attr2, freqs, tmp2)
7854			if (attr1 != attr2 &&
7855			    nla_get_u32(attr1) == nla_get_u32(attr2))
7856				return 0;
7857	}
7858
7859	return n_channels;
7860}
7861
7862static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
7863{
7864	return b < NUM_NL80211_BANDS && wiphy->bands[b];
7865}
7866
7867static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
7868			    struct cfg80211_bss_selection *bss_select)
7869{
7870	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
7871	struct nlattr *nest;
7872	int err;
7873	bool found = false;
7874	int i;
7875
7876	/* only process one nested attribute */
7877	nest = nla_data(nla);
7878	if (!nla_ok(nest, nla_len(nest)))
7879		return -EINVAL;
7880
7881	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
7882					  nest, nl80211_bss_select_policy,
7883					  NULL);
7884	if (err)
7885		return err;
7886
7887	/* only one attribute may be given */
7888	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
7889		if (attr[i]) {
7890			if (found)
7891				return -EINVAL;
7892			found = true;
7893		}
7894	}
7895
7896	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
7897
7898	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
7899		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
7900
7901	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
7902		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
7903		bss_select->param.band_pref =
7904			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
7905		if (!is_band_valid(wiphy, bss_select->param.band_pref))
7906			return -EINVAL;
7907	}
7908
7909	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
7910		struct nl80211_bss_select_rssi_adjust *adj_param;
7911
7912		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
7913		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
7914		bss_select->param.adjust.band = adj_param->band;
7915		bss_select->param.adjust.delta = adj_param->delta;
7916		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
7917			return -EINVAL;
7918	}
7919
7920	/* user-space did not provide behaviour attribute */
7921	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
7922		return -EINVAL;
7923
7924	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
7925		return -EINVAL;
7926
7927	return 0;
7928}
7929
7930int nl80211_parse_random_mac(struct nlattr **attrs,
7931			     u8 *mac_addr, u8 *mac_addr_mask)
7932{
7933	int i;
7934
7935	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
7936		eth_zero_addr(mac_addr);
7937		eth_zero_addr(mac_addr_mask);
7938		mac_addr[0] = 0x2;
7939		mac_addr_mask[0] = 0x3;
7940
7941		return 0;
7942	}
7943
7944	/* need both or none */
7945	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
7946		return -EINVAL;
7947
7948	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
7949	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
7950
7951	/* don't allow or configure an mcast address */
7952	if (!is_multicast_ether_addr(mac_addr_mask) ||
7953	    is_multicast_ether_addr(mac_addr))
7954		return -EINVAL;
7955
7956	/*
7957	 * allow users to pass a MAC address that has bits set outside
7958	 * of the mask, but don't bother drivers with having to deal
7959	 * with such bits
7960	 */
7961	for (i = 0; i < ETH_ALEN; i++)
7962		mac_addr[i] &= mac_addr_mask[i];
7963
7964	return 0;
7965}
7966
7967static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev)
7968{
7969	ASSERT_WDEV_LOCK(wdev);
7970
7971	if (!cfg80211_beaconing_iface_active(wdev))
7972		return true;
7973
7974	if (!(wdev->chandef.chan->flags & IEEE80211_CHAN_RADAR))
7975		return true;
7976
7977	return regulatory_pre_cac_allowed(wdev->wiphy);
7978}
7979
7980static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
7981				    enum nl80211_ext_feature_index feat)
7982{
7983	if (!(flags & flag))
7984		return true;
7985	if (wiphy_ext_feature_isset(wiphy, feat))
7986		return true;
7987	return false;
7988}
7989
7990static int
7991nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
7992			 void *request, struct nlattr **attrs,
7993			 bool is_sched_scan)
7994{
7995	u8 *mac_addr, *mac_addr_mask;
7996	u32 *flags;
7997	enum nl80211_feature_flags randomness_flag;
7998
7999	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
8000		return 0;
8001
8002	if (is_sched_scan) {
8003		struct cfg80211_sched_scan_request *req = request;
8004
8005		randomness_flag = wdev ?
8006				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
8007				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
8008		flags = &req->flags;
8009		mac_addr = req->mac_addr;
8010		mac_addr_mask = req->mac_addr_mask;
8011	} else {
8012		struct cfg80211_scan_request *req = request;
8013
8014		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
8015		flags = &req->flags;
8016		mac_addr = req->mac_addr;
8017		mac_addr_mask = req->mac_addr_mask;
8018	}
8019
8020	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
8021
8022	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
8023	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
8024	    !nl80211_check_scan_feat(wiphy, *flags,
8025				     NL80211_SCAN_FLAG_LOW_SPAN,
8026				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
8027	    !nl80211_check_scan_feat(wiphy, *flags,
8028				     NL80211_SCAN_FLAG_LOW_POWER,
8029				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
8030	    !nl80211_check_scan_feat(wiphy, *flags,
8031				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
8032				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
8033	    !nl80211_check_scan_feat(wiphy, *flags,
8034				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
8035				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
8036	    !nl80211_check_scan_feat(wiphy, *flags,
8037				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
8038				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
8039	    !nl80211_check_scan_feat(wiphy, *flags,
8040				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
8041				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
8042	    !nl80211_check_scan_feat(wiphy, *flags,
8043				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
8044				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
8045	    !nl80211_check_scan_feat(wiphy, *flags,
8046				     NL80211_SCAN_FLAG_RANDOM_SN,
8047				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
8048	    !nl80211_check_scan_feat(wiphy, *flags,
8049				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
8050				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
8051		return -EOPNOTSUPP;
8052
8053	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
8054		int err;
8055
8056		if (!(wiphy->features & randomness_flag) ||
8057		    (wdev && wdev->current_bss))
8058			return -EOPNOTSUPP;
8059
8060		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
8061		if (err)
8062			return err;
8063	}
8064
8065	return 0;
8066}
8067
8068static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
8069{
8070	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8071	struct wireless_dev *wdev = info->user_ptr[1];
8072	struct cfg80211_scan_request *request;
8073	struct nlattr *scan_freqs = NULL;
8074	bool scan_freqs_khz = false;
8075	struct nlattr *attr;
8076	struct wiphy *wiphy;
8077	int err, tmp, n_ssids = 0, n_channels, i;
8078	size_t ie_len;
8079
8080	wiphy = &rdev->wiphy;
8081
8082	if (wdev->iftype == NL80211_IFTYPE_NAN)
8083		return -EOPNOTSUPP;
8084
8085	if (!rdev->ops->scan)
8086		return -EOPNOTSUPP;
8087
8088	if (rdev->scan_req || rdev->scan_msg)
8089		return -EBUSY;
8090
8091	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
8092		if (!wiphy_ext_feature_isset(wiphy,
8093					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
8094			return -EOPNOTSUPP;
8095		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
8096		scan_freqs_khz = true;
8097	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
8098		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
8099
8100	if (scan_freqs) {
8101		n_channels = validate_scan_freqs(scan_freqs);
8102		if (!n_channels)
8103			return -EINVAL;
8104	} else {
8105		n_channels = ieee80211_get_num_supported_channels(wiphy);
8106	}
8107
8108	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
8109		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
8110			n_ssids++;
8111
8112	if (n_ssids > wiphy->max_scan_ssids)
8113		return -EINVAL;
8114
8115	if (info->attrs[NL80211_ATTR_IE])
8116		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8117	else
8118		ie_len = 0;
8119
8120	if (ie_len > wiphy->max_scan_ie_len)
8121		return -EINVAL;
8122
8123	request = kzalloc(sizeof(*request)
8124			+ sizeof(*request->ssids) * n_ssids
8125			+ sizeof(*request->channels) * n_channels
8126			+ ie_len, GFP_KERNEL);
8127	if (!request)
8128		return -ENOMEM;
8129
8130	if (n_ssids)
8131		request->ssids = (void *)&request->channels[n_channels];
8132	request->n_ssids = n_ssids;
8133	if (ie_len) {
8134		if (n_ssids)
8135			request->ie = (void *)(request->ssids + n_ssids);
8136		else
8137			request->ie = (void *)(request->channels + n_channels);
8138	}
8139
8140	i = 0;
8141	if (scan_freqs) {
8142		/* user specified, bail out if channel not found */
8143		nla_for_each_nested(attr, scan_freqs, tmp) {
8144			struct ieee80211_channel *chan;
8145			int freq = nla_get_u32(attr);
8146
8147			if (!scan_freqs_khz)
8148				freq = MHZ_TO_KHZ(freq);
8149
8150			chan = ieee80211_get_channel_khz(wiphy, freq);
8151			if (!chan) {
8152				err = -EINVAL;
8153				goto out_free;
8154			}
8155
8156			/* ignore disabled channels */
8157			if (chan->flags & IEEE80211_CHAN_DISABLED)
8158				continue;
8159
8160			request->channels[i] = chan;
8161			i++;
8162		}
8163	} else {
8164		enum nl80211_band band;
8165
8166		/* all channels */
8167		for (band = 0; band < NUM_NL80211_BANDS; band++) {
8168			int j;
8169
8170			if (!wiphy->bands[band])
8171				continue;
8172			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
8173				struct ieee80211_channel *chan;
8174
8175				chan = &wiphy->bands[band]->channels[j];
8176
8177				if (chan->flags & IEEE80211_CHAN_DISABLED)
8178					continue;
8179
8180				request->channels[i] = chan;
8181				i++;
8182			}
8183		}
8184	}
8185
8186	if (!i) {
8187		err = -EINVAL;
8188		goto out_free;
8189	}
8190
8191	request->n_channels = i;
8192
8193	wdev_lock(wdev);
8194	if (!cfg80211_off_channel_oper_allowed(wdev)) {
8195		struct ieee80211_channel *chan;
8196
8197		if (request->n_channels != 1) {
8198			wdev_unlock(wdev);
8199			err = -EBUSY;
8200			goto out_free;
8201		}
8202
8203		chan = request->channels[0];
8204		if (chan->center_freq != wdev->chandef.chan->center_freq) {
8205			wdev_unlock(wdev);
8206			err = -EBUSY;
8207			goto out_free;
8208		}
8209	}
8210	wdev_unlock(wdev);
8211
8212	i = 0;
8213	if (n_ssids) {
8214		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
8215			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
8216				err = -EINVAL;
8217				goto out_free;
8218			}
8219			request->ssids[i].ssid_len = nla_len(attr);
8220			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
8221			i++;
8222		}
8223	}
8224
8225	if (info->attrs[NL80211_ATTR_IE]) {
8226		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8227		memcpy((void *)request->ie,
8228		       nla_data(info->attrs[NL80211_ATTR_IE]),
8229		       request->ie_len);
8230	}
8231
8232	for (i = 0; i < NUM_NL80211_BANDS; i++)
8233		if (wiphy->bands[i])
8234			request->rates[i] =
8235				(1 << wiphy->bands[i]->n_bitrates) - 1;
8236
8237	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
8238		nla_for_each_nested(attr,
8239				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
8240				    tmp) {
8241			enum nl80211_band band = nla_type(attr);
8242
8243			if (band < 0 || band >= NUM_NL80211_BANDS) {
8244				err = -EINVAL;
8245				goto out_free;
8246			}
8247
8248			if (!wiphy->bands[band])
8249				continue;
8250
8251			err = ieee80211_get_ratemask(wiphy->bands[band],
8252						     nla_data(attr),
8253						     nla_len(attr),
8254						     &request->rates[band]);
8255			if (err)
8256				goto out_free;
8257		}
8258	}
8259
8260	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
8261		if (!wiphy_ext_feature_isset(wiphy,
8262					NL80211_EXT_FEATURE_SET_SCAN_DWELL)) {
8263			err = -EOPNOTSUPP;
8264			goto out_free;
8265		}
8266
8267		request->duration =
8268			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
8269		request->duration_mandatory =
8270			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
8271	}
8272
8273	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
8274				       false);
8275	if (err)
8276		goto out_free;
8277
8278	request->no_cck =
8279		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
8280
8281	/* Initial implementation used NL80211_ATTR_MAC to set the specific
8282	 * BSSID to scan for. This was problematic because that same attribute
8283	 * was already used for another purpose (local random MAC address). The
8284	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
8285	 * compatibility with older userspace components, also use the
8286	 * NL80211_ATTR_MAC value here if it can be determined to be used for
8287	 * the specific BSSID use case instead of the random MAC address
8288	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
8289	 */
8290	if (info->attrs[NL80211_ATTR_BSSID])
8291		memcpy(request->bssid,
8292		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
8293	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
8294		 info->attrs[NL80211_ATTR_MAC])
8295		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
8296		       ETH_ALEN);
8297	else
8298		eth_broadcast_addr(request->bssid);
8299
8300	request->wdev = wdev;
8301	request->wiphy = &rdev->wiphy;
8302	request->scan_start = jiffies;
8303
8304	rdev->scan_req = request;
8305	err = cfg80211_scan(rdev);
8306
8307	if (err)
8308		goto out_free;
8309
8310	nl80211_send_scan_start(rdev, wdev);
8311	if (wdev->netdev)
8312		dev_hold(wdev->netdev);
8313
8314	return 0;
8315
8316 out_free:
8317	rdev->scan_req = NULL;
8318	kfree(request);
8319
8320	return err;
8321}
8322
8323static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
8324{
8325	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8326	struct wireless_dev *wdev = info->user_ptr[1];
8327
8328	if (!rdev->ops->abort_scan)
8329		return -EOPNOTSUPP;
8330
8331	if (rdev->scan_msg)
8332		return 0;
8333
8334	if (!rdev->scan_req)
8335		return -ENOENT;
8336
8337	rdev_abort_scan(rdev, wdev);
8338	return 0;
8339}
8340
8341static int
8342nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
8343			       struct cfg80211_sched_scan_request *request,
8344			       struct nlattr **attrs)
8345{
8346	int tmp, err, i = 0;
8347	struct nlattr *attr;
8348
8349	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
8350		u32 interval;
8351
8352		/*
8353		 * If scan plans are not specified,
8354		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
8355		 * case one scan plan will be set with the specified scan
8356		 * interval and infinite number of iterations.
8357		 */
8358		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
8359		if (!interval)
8360			return -EINVAL;
8361
8362		request->scan_plans[0].interval =
8363			DIV_ROUND_UP(interval, MSEC_PER_SEC);
8364		if (!request->scan_plans[0].interval)
8365			return -EINVAL;
8366
8367		if (request->scan_plans[0].interval >
8368		    wiphy->max_sched_scan_plan_interval)
8369			request->scan_plans[0].interval =
8370				wiphy->max_sched_scan_plan_interval;
8371
8372		return 0;
8373	}
8374
8375	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
8376		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
8377
8378		if (WARN_ON(i >= n_plans))
8379			return -EINVAL;
8380
8381		err = nla_parse_nested_deprecated(plan,
8382						  NL80211_SCHED_SCAN_PLAN_MAX,
8383						  attr, nl80211_plan_policy,
8384						  NULL);
8385		if (err)
8386			return err;
8387
8388		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
8389			return -EINVAL;
8390
8391		request->scan_plans[i].interval =
8392			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
8393		if (!request->scan_plans[i].interval ||
8394		    request->scan_plans[i].interval >
8395		    wiphy->max_sched_scan_plan_interval)
8396			return -EINVAL;
8397
8398		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
8399			request->scan_plans[i].iterations =
8400				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
8401			if (!request->scan_plans[i].iterations ||
8402			    (request->scan_plans[i].iterations >
8403			     wiphy->max_sched_scan_plan_iterations))
8404				return -EINVAL;
8405		} else if (i < n_plans - 1) {
8406			/*
8407			 * All scan plans but the last one must specify
8408			 * a finite number of iterations
8409			 */
8410			return -EINVAL;
8411		}
8412
8413		i++;
8414	}
8415
8416	/*
8417	 * The last scan plan must not specify the number of
8418	 * iterations, it is supposed to run infinitely
8419	 */
8420	if (request->scan_plans[n_plans - 1].iterations)
8421		return  -EINVAL;
8422
8423	return 0;
8424}
8425
8426static int
8427nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
8428				       struct cfg80211_match_set *match_sets,
8429				       struct nlattr *tb_band_rssi,
8430				       s32 rssi_thold)
8431{
8432	struct nlattr *attr;
8433	int i, tmp, ret = 0;
8434
8435	if (!wiphy_ext_feature_isset(wiphy,
8436		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
8437		if (tb_band_rssi)
8438			ret = -EOPNOTSUPP;
8439		else
8440			for (i = 0; i < NUM_NL80211_BANDS; i++)
8441				match_sets->per_band_rssi_thold[i] =
8442					NL80211_SCAN_RSSI_THOLD_OFF;
8443		return ret;
8444	}
8445
8446	for (i = 0; i < NUM_NL80211_BANDS; i++)
8447		match_sets->per_band_rssi_thold[i] = rssi_thold;
8448
8449	nla_for_each_nested(attr, tb_band_rssi, tmp) {
8450		enum nl80211_band band = nla_type(attr);
8451
8452		if (band < 0 || band >= NUM_NL80211_BANDS)
8453			return -EINVAL;
8454
8455		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
8456	}
8457
8458	return 0;
8459}
8460
8461static struct cfg80211_sched_scan_request *
8462nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
8463			 struct nlattr **attrs, int max_match_sets)
8464{
8465	struct cfg80211_sched_scan_request *request;
8466	struct nlattr *attr;
8467	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
8468	enum nl80211_band band;
8469	size_t ie_len;
8470	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
8471	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
8472
8473	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
8474		n_channels = validate_scan_freqs(
8475				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
8476		if (!n_channels)
8477			return ERR_PTR(-EINVAL);
8478	} else {
8479		n_channels = ieee80211_get_num_supported_channels(wiphy);
8480	}
8481
8482	if (attrs[NL80211_ATTR_SCAN_SSIDS])
8483		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
8484				    tmp)
8485			n_ssids++;
8486
8487	if (n_ssids > wiphy->max_sched_scan_ssids)
8488		return ERR_PTR(-EINVAL);
8489
8490	/*
8491	 * First, count the number of 'real' matchsets. Due to an issue with
8492	 * the old implementation, matchsets containing only the RSSI attribute
8493	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
8494	 * RSSI for all matchsets, rather than their own matchset for reporting
8495	 * all APs with a strong RSSI. This is needed to be compatible with
8496	 * older userspace that treated a matchset with only the RSSI as the
8497	 * global RSSI for all other matchsets - if there are other matchsets.
8498	 */
8499	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
8500		nla_for_each_nested(attr,
8501				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
8502				    tmp) {
8503			struct nlattr *rssi;
8504
8505			err = nla_parse_nested_deprecated(tb,
8506							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
8507							  attr,
8508							  nl80211_match_policy,
8509							  NULL);
8510			if (err)
8511				return ERR_PTR(err);
8512
8513			/* SSID and BSSID are mutually exclusive */
8514			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
8515			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
8516				return ERR_PTR(-EINVAL);
8517
8518			/* add other standalone attributes here */
8519			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
8520			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
8521				n_match_sets++;
8522				continue;
8523			}
8524			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
8525			if (rssi)
8526				default_match_rssi = nla_get_s32(rssi);
8527		}
8528	}
8529
8530	/* However, if there's no other matchset, add the RSSI one */
8531	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
8532		n_match_sets = 1;
8533
8534	if (n_match_sets > max_match_sets)
8535		return ERR_PTR(-EINVAL);
8536
8537	if (attrs[NL80211_ATTR_IE])
8538		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
8539	else
8540		ie_len = 0;
8541
8542	if (ie_len > wiphy->max_sched_scan_ie_len)
8543		return ERR_PTR(-EINVAL);
8544
8545	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
8546		/*
8547		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
8548		 * each scan plan already specifies its own interval
8549		 */
8550		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
8551			return ERR_PTR(-EINVAL);
8552
8553		nla_for_each_nested(attr,
8554				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
8555			n_plans++;
8556	} else {
8557		/*
8558		 * The scan interval attribute is kept for backward
8559		 * compatibility. If no scan plans are specified and sched scan
8560		 * interval is specified, one scan plan will be set with this
8561		 * scan interval and infinite number of iterations.
8562		 */
8563		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
8564			return ERR_PTR(-EINVAL);
8565
8566		n_plans = 1;
8567	}
8568
8569	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
8570		return ERR_PTR(-EINVAL);
8571
8572	if (!wiphy_ext_feature_isset(
8573		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
8574	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
8575	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
8576		return ERR_PTR(-EINVAL);
8577
8578	request = kzalloc(sizeof(*request)
8579			+ sizeof(*request->ssids) * n_ssids
8580			+ sizeof(*request->match_sets) * n_match_sets
8581			+ sizeof(*request->scan_plans) * n_plans
8582			+ sizeof(*request->channels) * n_channels
8583			+ ie_len, GFP_KERNEL);
8584	if (!request)
8585		return ERR_PTR(-ENOMEM);
8586
8587	if (n_ssids)
8588		request->ssids = (void *)&request->channels[n_channels];
8589	request->n_ssids = n_ssids;
8590	if (ie_len) {
8591		if (n_ssids)
8592			request->ie = (void *)(request->ssids + n_ssids);
8593		else
8594			request->ie = (void *)(request->channels + n_channels);
8595	}
8596
8597	if (n_match_sets) {
8598		if (request->ie)
8599			request->match_sets = (void *)(request->ie + ie_len);
8600		else if (n_ssids)
8601			request->match_sets =
8602				(void *)(request->ssids + n_ssids);
8603		else
8604			request->match_sets =
8605				(void *)(request->channels + n_channels);
8606	}
8607	request->n_match_sets = n_match_sets;
8608
8609	if (n_match_sets)
8610		request->scan_plans = (void *)(request->match_sets +
8611					       n_match_sets);
8612	else if (request->ie)
8613		request->scan_plans = (void *)(request->ie + ie_len);
8614	else if (n_ssids)
8615		request->scan_plans = (void *)(request->ssids + n_ssids);
8616	else
8617		request->scan_plans = (void *)(request->channels + n_channels);
8618
8619	request->n_scan_plans = n_plans;
8620
8621	i = 0;
8622	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
8623		/* user specified, bail out if channel not found */
8624		nla_for_each_nested(attr,
8625				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
8626				    tmp) {
8627			struct ieee80211_channel *chan;
8628
8629			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
8630
8631			if (!chan) {
8632				err = -EINVAL;
8633				goto out_free;
8634			}
8635
8636			/* ignore disabled channels */
8637			if (chan->flags & IEEE80211_CHAN_DISABLED)
8638				continue;
8639
8640			request->channels[i] = chan;
8641			i++;
8642		}
8643	} else {
8644		/* all channels */
8645		for (band = 0; band < NUM_NL80211_BANDS; band++) {
8646			int j;
8647
8648			if (!wiphy->bands[band])
8649				continue;
8650			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
8651				struct ieee80211_channel *chan;
8652
8653				chan = &wiphy->bands[band]->channels[j];
8654
8655				if (chan->flags & IEEE80211_CHAN_DISABLED)
8656					continue;
8657
8658				request->channels[i] = chan;
8659				i++;
8660			}
8661		}
8662	}
8663
8664	if (!i) {
8665		err = -EINVAL;
8666		goto out_free;
8667	}
8668
8669	request->n_channels = i;
8670
8671	i = 0;
8672	if (n_ssids) {
8673		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
8674				    tmp) {
8675			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
8676				err = -EINVAL;
8677				goto out_free;
8678			}
8679			request->ssids[i].ssid_len = nla_len(attr);
8680			memcpy(request->ssids[i].ssid, nla_data(attr),
8681			       nla_len(attr));
8682			i++;
8683		}
8684	}
8685
8686	i = 0;
8687	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
8688		nla_for_each_nested(attr,
8689				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
8690				    tmp) {
8691			struct nlattr *ssid, *bssid, *rssi;
8692
8693			err = nla_parse_nested_deprecated(tb,
8694							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
8695							  attr,
8696							  nl80211_match_policy,
8697							  NULL);
8698			if (err)
8699				goto out_free;
8700			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
8701			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
8702
8703			if (!ssid && !bssid) {
8704				i++;
8705				continue;
8706			}
8707
8708			if (WARN_ON(i >= n_match_sets)) {
8709				/* this indicates a programming error,
8710				 * the loop above should have verified
8711				 * things properly
8712				 */
8713				err = -EINVAL;
8714				goto out_free;
8715			}
8716
8717			if (ssid) {
8718				memcpy(request->match_sets[i].ssid.ssid,
8719				       nla_data(ssid), nla_len(ssid));
8720				request->match_sets[i].ssid.ssid_len =
8721					nla_len(ssid);
8722			}
8723			if (bssid)
8724				memcpy(request->match_sets[i].bssid,
8725				       nla_data(bssid), ETH_ALEN);
8726
8727			/* special attribute - old implementation w/a */
8728			request->match_sets[i].rssi_thold = default_match_rssi;
8729			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
8730			if (rssi)
8731				request->match_sets[i].rssi_thold =
8732					nla_get_s32(rssi);
8733
8734			/* Parse per band RSSI attribute */
8735			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
8736				&request->match_sets[i],
8737				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
8738				request->match_sets[i].rssi_thold);
8739			if (err)
8740				goto out_free;
8741
8742			i++;
8743		}
8744
8745		/* there was no other matchset, so the RSSI one is alone */
8746		if (i == 0 && n_match_sets)
8747			request->match_sets[0].rssi_thold = default_match_rssi;
8748
8749		request->min_rssi_thold = INT_MAX;
8750		for (i = 0; i < n_match_sets; i++)
8751			request->min_rssi_thold =
8752				min(request->match_sets[i].rssi_thold,
8753				    request->min_rssi_thold);
8754	} else {
8755		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
8756	}
8757
8758	if (ie_len) {
8759		request->ie_len = ie_len;
8760		memcpy((void *)request->ie,
8761		       nla_data(attrs[NL80211_ATTR_IE]),
8762		       request->ie_len);
8763	}
8764
8765	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
8766	if (err)
8767		goto out_free;
8768
8769	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
8770		request->delay =
8771			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
8772
8773	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
8774		request->relative_rssi = nla_get_s8(
8775			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
8776		request->relative_rssi_set = true;
8777	}
8778
8779	if (request->relative_rssi_set &&
8780	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
8781		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
8782
8783		rssi_adjust = nla_data(
8784			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
8785		request->rssi_adjust.band = rssi_adjust->band;
8786		request->rssi_adjust.delta = rssi_adjust->delta;
8787		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
8788			err = -EINVAL;
8789			goto out_free;
8790		}
8791	}
8792
8793	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
8794	if (err)
8795		goto out_free;
8796
8797	request->scan_start = jiffies;
8798
8799	return request;
8800
8801out_free:
8802	kfree(request);
8803	return ERR_PTR(err);
8804}
8805
8806static int nl80211_start_sched_scan(struct sk_buff *skb,
8807				    struct genl_info *info)
8808{
8809	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8810	struct net_device *dev = info->user_ptr[1];
8811	struct wireless_dev *wdev = dev->ieee80211_ptr;
8812	struct cfg80211_sched_scan_request *sched_scan_req;
8813	bool want_multi;
8814	int err;
8815
8816	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
8817		return -EOPNOTSUPP;
8818
8819	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
8820	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
8821	if (err)
8822		return err;
8823
8824	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
8825						  info->attrs,
8826						  rdev->wiphy.max_match_sets);
8827
8828	err = PTR_ERR_OR_ZERO(sched_scan_req);
8829	if (err)
8830		goto out_err;
8831
8832	/* leave request id zero for legacy request
8833	 * or if driver does not support multi-scheduled scan
8834	 */
8835	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
8836		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
8837
8838	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
8839	if (err)
8840		goto out_free;
8841
8842	sched_scan_req->dev = dev;
8843	sched_scan_req->wiphy = &rdev->wiphy;
8844
8845	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
8846		sched_scan_req->owner_nlportid = info->snd_portid;
8847
8848	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
8849
8850	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
8851	return 0;
8852
8853out_free:
8854	kfree(sched_scan_req);
8855out_err:
8856	return err;
8857}
8858
8859static int nl80211_stop_sched_scan(struct sk_buff *skb,
8860				   struct genl_info *info)
8861{
8862	struct cfg80211_sched_scan_request *req;
8863	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8864	u64 cookie;
8865
8866	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
8867		return -EOPNOTSUPP;
8868
8869	if (info->attrs[NL80211_ATTR_COOKIE]) {
8870		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
8871		return __cfg80211_stop_sched_scan(rdev, cookie, false);
8872	}
8873
8874	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
8875				     struct cfg80211_sched_scan_request,
8876				     list);
8877	if (!req || req->reqid ||
8878	    (req->owner_nlportid &&
8879	     req->owner_nlportid != info->snd_portid))
8880		return -ENOENT;
8881
8882	return cfg80211_stop_sched_scan_req(rdev, req, false);
8883}
8884
8885static int nl80211_start_radar_detection(struct sk_buff *skb,
8886					 struct genl_info *info)
8887{
8888	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8889	struct net_device *dev = info->user_ptr[1];
8890	struct wireless_dev *wdev = dev->ieee80211_ptr;
8891	struct wiphy *wiphy = wdev->wiphy;
8892	struct cfg80211_chan_def chandef;
8893	enum nl80211_dfs_regions dfs_region;
8894	unsigned int cac_time_ms;
8895	int err;
8896
8897	dfs_region = reg_get_dfs_region(wiphy);
8898	if (dfs_region == NL80211_DFS_UNSET)
8899		return -EINVAL;
8900
8901	err = nl80211_parse_chandef(rdev, info, &chandef);
8902	if (err)
8903		return err;
8904
8905	if (netif_carrier_ok(dev))
8906		return -EBUSY;
8907
8908	if (wdev->cac_started)
8909		return -EBUSY;
8910
8911	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
8912	if (err < 0)
8913		return err;
8914
8915	if (err == 0)
8916		return -EINVAL;
8917
8918	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
8919		return -EINVAL;
8920
8921	/* CAC start is offloaded to HW and can't be started manually */
8922	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
8923		return -EOPNOTSUPP;
8924
8925	if (!rdev->ops->start_radar_detection)
8926		return -EOPNOTSUPP;
8927
8928	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
8929	if (WARN_ON(!cac_time_ms))
8930		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
8931
8932	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
8933	if (!err) {
8934		wdev->chandef = chandef;
8935		wdev->cac_started = true;
8936		wdev->cac_start_time = jiffies;
8937		wdev->cac_time_ms = cac_time_ms;
8938	}
8939	return err;
8940}
8941
8942static int nl80211_notify_radar_detection(struct sk_buff *skb,
8943					  struct genl_info *info)
8944{
8945	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8946	struct net_device *dev = info->user_ptr[1];
8947	struct wireless_dev *wdev = dev->ieee80211_ptr;
8948	struct wiphy *wiphy = wdev->wiphy;
8949	struct cfg80211_chan_def chandef;
8950	enum nl80211_dfs_regions dfs_region;
8951	int err;
8952
8953	dfs_region = reg_get_dfs_region(wiphy);
8954	if (dfs_region == NL80211_DFS_UNSET) {
8955		GENL_SET_ERR_MSG(info,
8956				 "DFS Region is not set. Unexpected Radar indication");
8957		return -EINVAL;
8958	}
8959
8960	err = nl80211_parse_chandef(rdev, info, &chandef);
8961	if (err) {
8962		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
8963		return err;
8964	}
8965
8966	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
8967	if (err < 0) {
8968		GENL_SET_ERR_MSG(info, "chandef is invalid");
8969		return err;
8970	}
8971
8972	if (err == 0) {
8973		GENL_SET_ERR_MSG(info,
8974				 "Unexpected Radar indication for chandef/iftype");
8975		return -EINVAL;
8976	}
8977
8978	/* Do not process this notification if radar is already detected
8979	 * by kernel on this channel, and return success.
8980	 */
8981	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
8982		return 0;
8983
8984	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
8985
8986	cfg80211_sched_dfs_chan_update(rdev);
8987
8988	rdev->radar_chandef = chandef;
8989
8990	/* Propagate this notification to other radios as well */
8991	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
8992
8993	return 0;
8994}
8995
8996static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
8997{
8998	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8999	struct net_device *dev = info->user_ptr[1];
9000	struct wireless_dev *wdev = dev->ieee80211_ptr;
9001	struct cfg80211_csa_settings params;
9002	/* csa_attrs is defined static to avoid waste of stack size - this
9003	 * function is called under RTNL lock, so this should not be a problem.
9004	 */
9005	static struct nlattr *csa_attrs[NL80211_ATTR_MAX+1];
9006	int err;
9007	bool need_new_beacon = false;
9008	bool need_handle_dfs_flag = true;
9009	int len, i;
9010	u32 cs_count;
9011
9012	if (!rdev->ops->channel_switch ||
9013	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
9014		return -EOPNOTSUPP;
9015
9016	switch (dev->ieee80211_ptr->iftype) {
9017	case NL80211_IFTYPE_AP:
9018	case NL80211_IFTYPE_P2P_GO:
9019		need_new_beacon = true;
9020		/* For all modes except AP the handle_dfs flag needs to be
9021		 * supplied to tell the kernel that userspace will handle radar
9022		 * events when they happen. Otherwise a switch to a channel
9023		 * requiring DFS will be rejected.
9024		 */
9025		need_handle_dfs_flag = false;
9026
9027		/* useless if AP is not running */
9028		if (!wdev->beacon_interval)
9029			return -ENOTCONN;
9030		break;
9031	case NL80211_IFTYPE_ADHOC:
9032		if (!wdev->ssid_len)
9033			return -ENOTCONN;
9034		break;
9035	case NL80211_IFTYPE_MESH_POINT:
9036		if (!wdev->mesh_id_len)
9037			return -ENOTCONN;
9038		break;
9039	default:
9040		return -EOPNOTSUPP;
9041	}
9042
9043	memset(&params, 0, sizeof(params));
9044	params.beacon_csa.ftm_responder = -1;
9045
9046	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
9047	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
9048		return -EINVAL;
9049
9050	/* only important for AP, IBSS and mesh create IEs internally */
9051	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
9052		return -EINVAL;
9053
9054	/* Even though the attribute is u32, the specification says
9055	 * u8, so let's make sure we don't overflow.
9056	 */
9057	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
9058	if (cs_count > 255)
9059		return -EINVAL;
9060
9061	params.count = cs_count;
9062
9063	if (!need_new_beacon)
9064		goto skip_beacons;
9065
9066	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after);
9067	if (err)
9068		return err;
9069
9070	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
9071					  info->attrs[NL80211_ATTR_CSA_IES],
9072					  nl80211_policy, info->extack);
9073	if (err)
9074		return err;
9075
9076	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa);
9077	if (err)
9078		return err;
9079
9080	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON])
9081		return -EINVAL;
9082
9083	len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9084	if (!len || (len % sizeof(u16)))
9085		return -EINVAL;
9086
9087	params.n_counter_offsets_beacon = len / sizeof(u16);
9088	if (rdev->wiphy.max_num_csa_counters &&
9089	    (params.n_counter_offsets_beacon >
9090	     rdev->wiphy.max_num_csa_counters))
9091		return -EINVAL;
9092
9093	params.counter_offsets_beacon =
9094		nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9095
9096	/* sanity checks - counters should fit and be the same */
9097	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
9098		u16 offset = params.counter_offsets_beacon[i];
9099
9100		if (offset >= params.beacon_csa.tail_len)
9101			return -EINVAL;
9102
9103		if (params.beacon_csa.tail[offset] != params.count)
9104			return -EINVAL;
9105	}
9106
9107	if (csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
9108		len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9109		if (!len || (len % sizeof(u16)))
9110			return -EINVAL;
9111
9112		params.n_counter_offsets_presp = len / sizeof(u16);
9113		if (rdev->wiphy.max_num_csa_counters &&
9114		    (params.n_counter_offsets_presp >
9115		     rdev->wiphy.max_num_csa_counters))
9116			return -EINVAL;
9117
9118		params.counter_offsets_presp =
9119			nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9120
9121		/* sanity checks - counters should fit and be the same */
9122		for (i = 0; i < params.n_counter_offsets_presp; i++) {
9123			u16 offset = params.counter_offsets_presp[i];
9124
9125			if (offset >= params.beacon_csa.probe_resp_len)
9126				return -EINVAL;
9127
9128			if (params.beacon_csa.probe_resp[offset] !=
9129			    params.count)
9130				return -EINVAL;
9131		}
9132	}
9133
9134skip_beacons:
9135	err = nl80211_parse_chandef(rdev, info, &params.chandef);
9136	if (err)
9137		return err;
9138
9139	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
9140					   wdev->iftype))
9141		return -EINVAL;
9142
9143	err = cfg80211_chandef_dfs_required(wdev->wiphy,
9144					    &params.chandef,
9145					    wdev->iftype);
9146	if (err < 0)
9147		return err;
9148
9149	if (err > 0) {
9150		params.radar_required = true;
9151		if (need_handle_dfs_flag &&
9152		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
9153			return -EINVAL;
9154		}
9155	}
9156
9157	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
9158		params.block_tx = true;
9159
9160	wdev_lock(wdev);
9161	err = rdev_channel_switch(rdev, dev, &params);
9162	wdev_unlock(wdev);
9163
9164	return err;
9165}
9166
9167static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
9168			    u32 seq, int flags,
9169			    struct cfg80211_registered_device *rdev,
9170			    struct wireless_dev *wdev,
9171			    struct cfg80211_internal_bss *intbss)
9172{
9173	struct cfg80211_bss *res = &intbss->pub;
9174	const struct cfg80211_bss_ies *ies;
9175	void *hdr;
9176	struct nlattr *bss;
9177
9178	ASSERT_WDEV_LOCK(wdev);
9179
9180	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
9181			     NL80211_CMD_NEW_SCAN_RESULTS);
9182	if (!hdr)
9183		return -1;
9184
9185	genl_dump_check_consistent(cb, hdr);
9186
9187	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
9188		goto nla_put_failure;
9189	if (wdev->netdev &&
9190	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
9191		goto nla_put_failure;
9192	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
9193			      NL80211_ATTR_PAD))
9194		goto nla_put_failure;
9195
9196	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
9197	if (!bss)
9198		goto nla_put_failure;
9199	if ((!is_zero_ether_addr(res->bssid) &&
9200	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
9201		goto nla_put_failure;
9202
9203	rcu_read_lock();
9204	/* indicate whether we have probe response data or not */
9205	if (rcu_access_pointer(res->proberesp_ies) &&
9206	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
9207		goto fail_unlock_rcu;
9208
9209	/* this pointer prefers to be pointed to probe response data
9210	 * but is always valid
9211	 */
9212	ies = rcu_dereference(res->ies);
9213	if (ies) {
9214		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
9215				      NL80211_BSS_PAD))
9216			goto fail_unlock_rcu;
9217		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
9218					ies->len, ies->data))
9219			goto fail_unlock_rcu;
9220	}
9221
9222	/* and this pointer is always (unless driver didn't know) beacon data */
9223	ies = rcu_dereference(res->beacon_ies);
9224	if (ies && ies->from_beacon) {
9225		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
9226				      NL80211_BSS_PAD))
9227			goto fail_unlock_rcu;
9228		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
9229					ies->len, ies->data))
9230			goto fail_unlock_rcu;
9231	}
9232	rcu_read_unlock();
9233
9234	if (res->beacon_interval &&
9235	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
9236		goto nla_put_failure;
9237	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
9238	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
9239	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
9240			res->channel->freq_offset) ||
9241	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
9242	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
9243			jiffies_to_msecs(jiffies - intbss->ts)))
9244		goto nla_put_failure;
9245
9246	if (intbss->parent_tsf &&
9247	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
9248			       intbss->parent_tsf, NL80211_BSS_PAD) ||
9249	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
9250		     intbss->parent_bssid)))
9251		goto nla_put_failure;
9252
9253	if (intbss->ts_boottime &&
9254	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
9255			      intbss->ts_boottime, NL80211_BSS_PAD))
9256		goto nla_put_failure;
9257
9258	if (!nl80211_put_signal(msg, intbss->pub.chains,
9259				intbss->pub.chain_signal,
9260				NL80211_BSS_CHAIN_SIGNAL))
9261		goto nla_put_failure;
9262
9263	switch (rdev->wiphy.signal_type) {
9264	case CFG80211_SIGNAL_TYPE_MBM:
9265		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
9266			goto nla_put_failure;
9267		break;
9268	case CFG80211_SIGNAL_TYPE_UNSPEC:
9269		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
9270			goto nla_put_failure;
9271		break;
9272	default:
9273		break;
9274	}
9275
9276	switch (wdev->iftype) {
9277	case NL80211_IFTYPE_P2P_CLIENT:
9278	case NL80211_IFTYPE_STATION:
9279		if (intbss == wdev->current_bss &&
9280		    nla_put_u32(msg, NL80211_BSS_STATUS,
9281				NL80211_BSS_STATUS_ASSOCIATED))
9282			goto nla_put_failure;
9283		break;
9284	case NL80211_IFTYPE_ADHOC:
9285		if (intbss == wdev->current_bss &&
9286		    nla_put_u32(msg, NL80211_BSS_STATUS,
9287				NL80211_BSS_STATUS_IBSS_JOINED))
9288			goto nla_put_failure;
9289		break;
9290	default:
9291		break;
9292	}
9293
9294	nla_nest_end(msg, bss);
9295
9296	genlmsg_end(msg, hdr);
9297	return 0;
9298
9299 fail_unlock_rcu:
9300	rcu_read_unlock();
9301 nla_put_failure:
9302	genlmsg_cancel(msg, hdr);
9303	return -EMSGSIZE;
9304}
9305
9306static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
9307{
9308	struct cfg80211_registered_device *rdev;
9309	struct cfg80211_internal_bss *scan;
9310	struct wireless_dev *wdev;
9311	int start = cb->args[2], idx = 0;
9312	int err;
9313
9314	rtnl_lock();
9315	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
9316	if (err) {
9317		rtnl_unlock();
9318		return err;
9319	}
9320
9321	wdev_lock(wdev);
9322	spin_lock_bh(&rdev->bss_lock);
9323
9324	/*
9325	 * dump_scan will be called multiple times to break up the scan results
9326	 * into multiple messages.  It is unlikely that any more bss-es will be
9327	 * expired after the first call, so only call only call this on the
9328	 * first dump_scan invocation.
9329	 */
9330	if (start == 0)
9331		cfg80211_bss_expire(rdev);
9332
9333	cb->seq = rdev->bss_generation;
9334
9335	list_for_each_entry(scan, &rdev->bss_list, list) {
9336		if (++idx <= start)
9337			continue;
9338		if (nl80211_send_bss(skb, cb,
9339				cb->nlh->nlmsg_seq, NLM_F_MULTI,
9340				rdev, wdev, scan) < 0) {
9341			idx--;
9342			break;
9343		}
9344	}
9345
9346	spin_unlock_bh(&rdev->bss_lock);
9347	wdev_unlock(wdev);
9348
9349	cb->args[2] = idx;
9350	rtnl_unlock();
9351
9352	return skb->len;
9353}
9354
9355static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
9356			       int flags, struct net_device *dev,
9357			       bool allow_radio_stats,
9358			       struct survey_info *survey)
9359{
9360	void *hdr;
9361	struct nlattr *infoattr;
9362
9363	/* skip radio stats if userspace didn't request them */
9364	if (!survey->channel && !allow_radio_stats)
9365		return 0;
9366
9367	hdr = nl80211hdr_put(msg, portid, seq, flags,
9368			     NL80211_CMD_NEW_SURVEY_RESULTS);
9369	if (!hdr)
9370		return -ENOMEM;
9371
9372	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
9373		goto nla_put_failure;
9374
9375	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
9376	if (!infoattr)
9377		goto nla_put_failure;
9378
9379	if (survey->channel &&
9380	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
9381			survey->channel->center_freq))
9382		goto nla_put_failure;
9383
9384	if (survey->channel && survey->channel->freq_offset &&
9385	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
9386			survey->channel->freq_offset))
9387		goto nla_put_failure;
9388
9389	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
9390	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
9391		goto nla_put_failure;
9392	if ((survey->filled & SURVEY_INFO_IN_USE) &&
9393	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
9394		goto nla_put_failure;
9395	if ((survey->filled & SURVEY_INFO_TIME) &&
9396	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
9397			survey->time, NL80211_SURVEY_INFO_PAD))
9398		goto nla_put_failure;
9399	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
9400	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
9401			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
9402		goto nla_put_failure;
9403	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
9404	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
9405			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
9406		goto nla_put_failure;
9407	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
9408	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
9409			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
9410		goto nla_put_failure;
9411	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
9412	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
9413			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
9414		goto nla_put_failure;
9415	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
9416	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
9417			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
9418		goto nla_put_failure;
9419	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
9420	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
9421			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
9422		goto nla_put_failure;
9423
9424	nla_nest_end(msg, infoattr);
9425
9426	genlmsg_end(msg, hdr);
9427	return 0;
9428
9429 nla_put_failure:
9430	genlmsg_cancel(msg, hdr);
9431	return -EMSGSIZE;
9432}
9433
9434static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
9435{
9436	struct nlattr **attrbuf;
9437	struct survey_info survey;
9438	struct cfg80211_registered_device *rdev;
9439	struct wireless_dev *wdev;
9440	int survey_idx = cb->args[2];
9441	int res;
9442	bool radio_stats;
9443
9444	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
9445	if (!attrbuf)
9446		return -ENOMEM;
9447
9448	rtnl_lock();
9449	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
9450	if (res)
9451		goto out_err;
9452
9453	/* prepare_wdev_dump parsed the attributes */
9454	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
9455
9456	if (!wdev->netdev) {
9457		res = -EINVAL;
9458		goto out_err;
9459	}
9460
9461	if (!rdev->ops->dump_survey) {
9462		res = -EOPNOTSUPP;
9463		goto out_err;
9464	}
9465
9466	while (1) {
9467		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
9468		if (res == -ENOENT)
9469			break;
9470		if (res)
9471			goto out_err;
9472
9473		/* don't send disabled channels, but do send non-channel data */
9474		if (survey.channel &&
9475		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
9476			survey_idx++;
9477			continue;
9478		}
9479
9480		if (nl80211_send_survey(skb,
9481				NETLINK_CB(cb->skb).portid,
9482				cb->nlh->nlmsg_seq, NLM_F_MULTI,
9483				wdev->netdev, radio_stats, &survey) < 0)
9484			goto out;
9485		survey_idx++;
9486	}
9487
9488 out:
9489	cb->args[2] = survey_idx;
9490	res = skb->len;
9491 out_err:
9492	kfree(attrbuf);
9493	rtnl_unlock();
9494	return res;
9495}
9496
9497static bool nl80211_valid_wpa_versions(u32 wpa_versions)
9498{
9499	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
9500				  NL80211_WPA_VERSION_2 |
9501				  NL80211_WPA_VERSION_3));
9502}
9503
9504static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
9505{
9506	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9507	struct net_device *dev = info->user_ptr[1];
9508	struct ieee80211_channel *chan;
9509	const u8 *bssid, *ssid, *ie = NULL, *auth_data = NULL;
9510	int err, ssid_len, ie_len = 0, auth_data_len = 0;
9511	enum nl80211_auth_type auth_type;
9512	struct key_parse key;
9513	bool local_state_change;
9514	u32 freq;
9515
9516	if (!info->attrs[NL80211_ATTR_MAC])
9517		return -EINVAL;
9518
9519	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
9520		return -EINVAL;
9521
9522	if (!info->attrs[NL80211_ATTR_SSID])
9523		return -EINVAL;
9524
9525	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
9526		return -EINVAL;
9527
9528	err = nl80211_parse_key(info, &key);
9529	if (err)
9530		return err;
9531
9532	if (key.idx >= 0) {
9533		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
9534			return -EINVAL;
9535		if (!key.p.key || !key.p.key_len)
9536			return -EINVAL;
9537		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
9538		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
9539		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
9540		     key.p.key_len != WLAN_KEY_LEN_WEP104))
9541			return -EINVAL;
9542		if (key.idx > 3)
9543			return -EINVAL;
9544	} else {
9545		key.p.key_len = 0;
9546		key.p.key = NULL;
9547	}
9548
9549	if (key.idx >= 0) {
9550		int i;
9551		bool ok = false;
9552
9553		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
9554			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
9555				ok = true;
9556				break;
9557			}
9558		}
9559		if (!ok)
9560			return -EINVAL;
9561	}
9562
9563	if (!rdev->ops->auth)
9564		return -EOPNOTSUPP;
9565
9566	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9567	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9568		return -EOPNOTSUPP;
9569
9570	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9571	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
9572	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
9573		freq +=
9574		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
9575
9576	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
9577	if (!chan)
9578		return -EINVAL;
9579
9580	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9581	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9582
9583	if (info->attrs[NL80211_ATTR_IE]) {
9584		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9585		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9586	}
9587
9588	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
9589	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
9590		return -EINVAL;
9591
9592	if ((auth_type == NL80211_AUTHTYPE_SAE ||
9593	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
9594	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
9595	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
9596	    !info->attrs[NL80211_ATTR_AUTH_DATA])
9597		return -EINVAL;
9598
9599	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
9600		if (auth_type != NL80211_AUTHTYPE_SAE &&
9601		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
9602		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
9603		    auth_type != NL80211_AUTHTYPE_FILS_PK)
9604			return -EINVAL;
9605		auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
9606		auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
9607	}
9608
9609	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
9610
9611	/*
9612	 * Since we no longer track auth state, ignore
9613	 * requests to only change local state.
9614	 */
9615	if (local_state_change)
9616		return 0;
9617
9618	wdev_lock(dev->ieee80211_ptr);
9619	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
9620				 ssid, ssid_len, ie, ie_len,
9621				 key.p.key, key.p.key_len, key.idx,
9622				 auth_data, auth_data_len);
9623	wdev_unlock(dev->ieee80211_ptr);
9624	return err;
9625}
9626
9627static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
9628				     struct genl_info *info)
9629{
9630	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9631		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
9632		return -EINVAL;
9633	}
9634
9635	if (!rdev->ops->tx_control_port ||
9636	    !wiphy_ext_feature_isset(&rdev->wiphy,
9637				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
9638		return -EOPNOTSUPP;
9639
9640	return 0;
9641}
9642
9643static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
9644				   struct genl_info *info,
9645				   struct cfg80211_crypto_settings *settings,
9646				   int cipher_limit)
9647{
9648	memset(settings, 0, sizeof(*settings));
9649
9650	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
9651
9652	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
9653		u16 proto;
9654
9655		proto = nla_get_u16(
9656			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
9657		settings->control_port_ethertype = cpu_to_be16(proto);
9658		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
9659		    proto != ETH_P_PAE)
9660			return -EINVAL;
9661		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
9662			settings->control_port_no_encrypt = true;
9663	} else
9664		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
9665
9666	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
9667		int r = validate_pae_over_nl80211(rdev, info);
9668
9669		if (r < 0)
9670			return r;
9671
9672		settings->control_port_over_nl80211 = true;
9673
9674		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
9675			settings->control_port_no_preauth = true;
9676	}
9677
9678	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
9679		void *data;
9680		int len, i;
9681
9682		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
9683		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
9684		settings->n_ciphers_pairwise = len / sizeof(u32);
9685
9686		if (len % sizeof(u32))
9687			return -EINVAL;
9688
9689		if (settings->n_ciphers_pairwise > cipher_limit)
9690			return -EINVAL;
9691
9692		memcpy(settings->ciphers_pairwise, data, len);
9693
9694		for (i = 0; i < settings->n_ciphers_pairwise; i++)
9695			if (!cfg80211_supported_cipher_suite(
9696					&rdev->wiphy,
9697					settings->ciphers_pairwise[i]))
9698				return -EINVAL;
9699	}
9700
9701	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
9702		settings->cipher_group =
9703			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
9704		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
9705						     settings->cipher_group))
9706			return -EINVAL;
9707	}
9708
9709	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
9710		settings->wpa_versions =
9711			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
9712		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
9713			return -EINVAL;
9714	}
9715
9716	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
9717		void *data;
9718		int len;
9719
9720		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
9721		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
9722		settings->n_akm_suites = len / sizeof(u32);
9723
9724		if (len % sizeof(u32))
9725			return -EINVAL;
9726
9727		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
9728			return -EINVAL;
9729
9730		memcpy(settings->akm_suites, data, len);
9731	}
9732
9733	if (info->attrs[NL80211_ATTR_PMK]) {
9734		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
9735			return -EINVAL;
9736		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9737					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
9738		    !wiphy_ext_feature_isset(&rdev->wiphy,
9739					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
9740			return -EINVAL;
9741		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
9742	}
9743
9744	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
9745		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9746					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
9747		    !wiphy_ext_feature_isset(&rdev->wiphy,
9748					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
9749			return -EINVAL;
9750		settings->sae_pwd =
9751			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
9752		settings->sae_pwd_len =
9753			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
9754	}
9755
9756	return 0;
9757}
9758
9759static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
9760{
9761	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9762	struct net_device *dev = info->user_ptr[1];
9763	struct ieee80211_channel *chan;
9764	struct cfg80211_assoc_request req = {};
9765	const u8 *bssid, *ssid;
9766	int err, ssid_len = 0;
9767	u32 freq;
9768
9769	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9770	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9771		return -EPERM;
9772
9773	if (!info->attrs[NL80211_ATTR_MAC] ||
9774	    !info->attrs[NL80211_ATTR_SSID] ||
9775	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
9776		return -EINVAL;
9777
9778	if (!rdev->ops->assoc)
9779		return -EOPNOTSUPP;
9780
9781	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9782	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9783		return -EOPNOTSUPP;
9784
9785	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9786
9787	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
9788	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
9789		freq +=
9790		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
9791	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
9792	if (!chan)
9793		return -EINVAL;
9794
9795	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9796	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9797
9798	if (info->attrs[NL80211_ATTR_IE]) {
9799		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9800		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9801	}
9802
9803	if (info->attrs[NL80211_ATTR_USE_MFP]) {
9804		enum nl80211_mfp mfp =
9805			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
9806		if (mfp == NL80211_MFP_REQUIRED)
9807			req.use_mfp = true;
9808		else if (mfp != NL80211_MFP_NO)
9809			return -EINVAL;
9810	}
9811
9812	if (info->attrs[NL80211_ATTR_PREV_BSSID])
9813		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
9814
9815	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
9816		req.flags |= ASSOC_REQ_DISABLE_HT;
9817
9818	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9819		memcpy(&req.ht_capa_mask,
9820		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
9821		       sizeof(req.ht_capa_mask));
9822
9823	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
9824		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9825			return -EINVAL;
9826		memcpy(&req.ht_capa,
9827		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
9828		       sizeof(req.ht_capa));
9829	}
9830
9831	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
9832		req.flags |= ASSOC_REQ_DISABLE_VHT;
9833
9834	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
9835		memcpy(&req.vht_capa_mask,
9836		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
9837		       sizeof(req.vht_capa_mask));
9838
9839	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
9840		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
9841			return -EINVAL;
9842		memcpy(&req.vht_capa,
9843		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
9844		       sizeof(req.vht_capa));
9845	}
9846
9847	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
9848		if (!((rdev->wiphy.features &
9849			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
9850		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
9851		    !wiphy_ext_feature_isset(&rdev->wiphy,
9852					     NL80211_EXT_FEATURE_RRM))
9853			return -EINVAL;
9854		req.flags |= ASSOC_REQ_USE_RRM;
9855	}
9856
9857	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
9858		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
9859		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
9860		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
9861			return -EINVAL;
9862		req.fils_nonces =
9863			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
9864	}
9865
9866	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
9867		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
9868			return -EINVAL;
9869		memcpy(&req.s1g_capa_mask,
9870		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
9871		       sizeof(req.s1g_capa_mask));
9872	}
9873
9874	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
9875		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
9876			return -EINVAL;
9877		memcpy(&req.s1g_capa,
9878		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
9879		       sizeof(req.s1g_capa));
9880	}
9881
9882	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
9883	if (!err) {
9884		wdev_lock(dev->ieee80211_ptr);
9885
9886		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
9887					  ssid, ssid_len, &req);
9888
9889		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9890			dev->ieee80211_ptr->conn_owner_nlportid =
9891				info->snd_portid;
9892			memcpy(dev->ieee80211_ptr->disconnect_bssid,
9893			       bssid, ETH_ALEN);
9894		}
9895
9896		wdev_unlock(dev->ieee80211_ptr);
9897	}
9898
9899	return err;
9900}
9901
9902static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
9903{
9904	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9905	struct net_device *dev = info->user_ptr[1];
9906	const u8 *ie = NULL, *bssid;
9907	int ie_len = 0, err;
9908	u16 reason_code;
9909	bool local_state_change;
9910
9911	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9912	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9913		return -EPERM;
9914
9915	if (!info->attrs[NL80211_ATTR_MAC])
9916		return -EINVAL;
9917
9918	if (!info->attrs[NL80211_ATTR_REASON_CODE])
9919		return -EINVAL;
9920
9921	if (!rdev->ops->deauth)
9922		return -EOPNOTSUPP;
9923
9924	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9925	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9926		return -EOPNOTSUPP;
9927
9928	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9929
9930	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
9931	if (reason_code == 0) {
9932		/* Reason Code 0 is reserved */
9933		return -EINVAL;
9934	}
9935
9936	if (info->attrs[NL80211_ATTR_IE]) {
9937		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9938		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9939	}
9940
9941	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
9942
9943	wdev_lock(dev->ieee80211_ptr);
9944	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
9945				   local_state_change);
9946	wdev_unlock(dev->ieee80211_ptr);
9947	return err;
9948}
9949
9950static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
9951{
9952	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9953	struct net_device *dev = info->user_ptr[1];
9954	const u8 *ie = NULL, *bssid;
9955	int ie_len = 0, err;
9956	u16 reason_code;
9957	bool local_state_change;
9958
9959	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9960	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9961		return -EPERM;
9962
9963	if (!info->attrs[NL80211_ATTR_MAC])
9964		return -EINVAL;
9965
9966	if (!info->attrs[NL80211_ATTR_REASON_CODE])
9967		return -EINVAL;
9968
9969	if (!rdev->ops->disassoc)
9970		return -EOPNOTSUPP;
9971
9972	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9973	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9974		return -EOPNOTSUPP;
9975
9976	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9977
9978	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
9979	if (reason_code == 0) {
9980		/* Reason Code 0 is reserved */
9981		return -EINVAL;
9982	}
9983
9984	if (info->attrs[NL80211_ATTR_IE]) {
9985		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9986		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9987	}
9988
9989	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
9990
9991	wdev_lock(dev->ieee80211_ptr);
9992	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
9993				     local_state_change);
9994	wdev_unlock(dev->ieee80211_ptr);
9995	return err;
9996}
9997
9998static bool
9999nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
10000			 int mcast_rate[NUM_NL80211_BANDS],
10001			 int rateval)
10002{
10003	struct wiphy *wiphy = &rdev->wiphy;
10004	bool found = false;
10005	int band, i;
10006
10007	for (band = 0; band < NUM_NL80211_BANDS; band++) {
10008		struct ieee80211_supported_band *sband;
10009
10010		sband = wiphy->bands[band];
10011		if (!sband)
10012			continue;
10013
10014		for (i = 0; i < sband->n_bitrates; i++) {
10015			if (sband->bitrates[i].bitrate == rateval) {
10016				mcast_rate[band] = i + 1;
10017				found = true;
10018				break;
10019			}
10020		}
10021	}
10022
10023	return found;
10024}
10025
10026static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
10027{
10028	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10029	struct net_device *dev = info->user_ptr[1];
10030	struct cfg80211_ibss_params ibss;
10031	struct wiphy *wiphy;
10032	struct cfg80211_cached_keys *connkeys = NULL;
10033	int err;
10034
10035	memset(&ibss, 0, sizeof(ibss));
10036
10037	if (!info->attrs[NL80211_ATTR_SSID] ||
10038	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
10039		return -EINVAL;
10040
10041	ibss.beacon_interval = 100;
10042
10043	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
10044		ibss.beacon_interval =
10045			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
10046
10047	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
10048					   ibss.beacon_interval);
10049	if (err)
10050		return err;
10051
10052	if (!rdev->ops->join_ibss)
10053		return -EOPNOTSUPP;
10054
10055	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
10056		return -EOPNOTSUPP;
10057
10058	wiphy = &rdev->wiphy;
10059
10060	if (info->attrs[NL80211_ATTR_MAC]) {
10061		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10062
10063		if (!is_valid_ether_addr(ibss.bssid))
10064			return -EINVAL;
10065	}
10066	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10067	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10068
10069	if (info->attrs[NL80211_ATTR_IE]) {
10070		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10071		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10072	}
10073
10074	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
10075	if (err)
10076		return err;
10077
10078	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
10079				     NL80211_IFTYPE_ADHOC))
10080		return -EINVAL;
10081
10082	switch (ibss.chandef.width) {
10083	case NL80211_CHAN_WIDTH_5:
10084	case NL80211_CHAN_WIDTH_10:
10085	case NL80211_CHAN_WIDTH_20_NOHT:
10086		break;
10087	case NL80211_CHAN_WIDTH_20:
10088	case NL80211_CHAN_WIDTH_40:
10089		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10090			return -EINVAL;
10091		break;
10092	case NL80211_CHAN_WIDTH_80:
10093	case NL80211_CHAN_WIDTH_80P80:
10094	case NL80211_CHAN_WIDTH_160:
10095		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10096			return -EINVAL;
10097		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10098					     NL80211_EXT_FEATURE_VHT_IBSS))
10099			return -EINVAL;
10100		break;
10101	default:
10102		return -EINVAL;
10103	}
10104
10105	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
10106	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
10107
10108	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
10109		u8 *rates =
10110			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10111		int n_rates =
10112			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10113		struct ieee80211_supported_band *sband =
10114			wiphy->bands[ibss.chandef.chan->band];
10115
10116		err = ieee80211_get_ratemask(sband, rates, n_rates,
10117					     &ibss.basic_rates);
10118		if (err)
10119			return err;
10120	}
10121
10122	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10123		memcpy(&ibss.ht_capa_mask,
10124		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10125		       sizeof(ibss.ht_capa_mask));
10126
10127	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10128		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10129			return -EINVAL;
10130		memcpy(&ibss.ht_capa,
10131		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10132		       sizeof(ibss.ht_capa));
10133	}
10134
10135	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
10136	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
10137			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
10138		return -EINVAL;
10139
10140	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
10141		bool no_ht = false;
10142
10143		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
10144		if (IS_ERR(connkeys))
10145			return PTR_ERR(connkeys);
10146
10147		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
10148		    no_ht) {
10149			kfree_sensitive(connkeys);
10150			return -EINVAL;
10151		}
10152	}
10153
10154	ibss.control_port =
10155		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
10156
10157	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10158		int r = validate_pae_over_nl80211(rdev, info);
10159
10160		if (r < 0) {
10161			kfree_sensitive(connkeys);
10162			return r;
10163		}
10164
10165		ibss.control_port_over_nl80211 = true;
10166	}
10167
10168	ibss.userspace_handles_dfs =
10169		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
10170
10171	wdev_lock(dev->ieee80211_ptr);
10172	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
10173	if (err)
10174		kfree_sensitive(connkeys);
10175	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
10176		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
10177	wdev_unlock(dev->ieee80211_ptr);
10178
10179	return err;
10180}
10181
10182static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
10183{
10184	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10185	struct net_device *dev = info->user_ptr[1];
10186
10187	if (!rdev->ops->leave_ibss)
10188		return -EOPNOTSUPP;
10189
10190	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
10191		return -EOPNOTSUPP;
10192
10193	return cfg80211_leave_ibss(rdev, dev, false);
10194}
10195
10196static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
10197{
10198	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10199	struct net_device *dev = info->user_ptr[1];
10200	int mcast_rate[NUM_NL80211_BANDS];
10201	u32 nla_rate;
10202	int err;
10203
10204	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
10205	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
10206	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
10207		return -EOPNOTSUPP;
10208
10209	if (!rdev->ops->set_mcast_rate)
10210		return -EOPNOTSUPP;
10211
10212	memset(mcast_rate, 0, sizeof(mcast_rate));
10213
10214	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
10215		return -EINVAL;
10216
10217	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
10218	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
10219		return -EINVAL;
10220
10221	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
10222
10223	return err;
10224}
10225
10226static struct sk_buff *
10227__cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
10228			    struct wireless_dev *wdev, int approxlen,
10229			    u32 portid, u32 seq, enum nl80211_commands cmd,
10230			    enum nl80211_attrs attr,
10231			    const struct nl80211_vendor_cmd_info *info,
10232			    gfp_t gfp)
10233{
10234	struct sk_buff *skb;
10235	void *hdr;
10236	struct nlattr *data;
10237
10238	skb = nlmsg_new(approxlen + 100, gfp);
10239	if (!skb)
10240		return NULL;
10241
10242	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
10243	if (!hdr) {
10244		kfree_skb(skb);
10245		return NULL;
10246	}
10247
10248	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
10249		goto nla_put_failure;
10250
10251	if (info) {
10252		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
10253				info->vendor_id))
10254			goto nla_put_failure;
10255		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
10256				info->subcmd))
10257			goto nla_put_failure;
10258	}
10259
10260	if (wdev) {
10261		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
10262				      wdev_id(wdev), NL80211_ATTR_PAD))
10263			goto nla_put_failure;
10264		if (wdev->netdev &&
10265		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
10266				wdev->netdev->ifindex))
10267			goto nla_put_failure;
10268	}
10269
10270	data = nla_nest_start_noflag(skb, attr);
10271	if (!data)
10272		goto nla_put_failure;
10273
10274	((void **)skb->cb)[0] = rdev;
10275	((void **)skb->cb)[1] = hdr;
10276	((void **)skb->cb)[2] = data;
10277
10278	return skb;
10279
10280 nla_put_failure:
10281	kfree_skb(skb);
10282	return NULL;
10283}
10284
10285struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
10286					   struct wireless_dev *wdev,
10287					   enum nl80211_commands cmd,
10288					   enum nl80211_attrs attr,
10289					   unsigned int portid,
10290					   int vendor_event_idx,
10291					   int approxlen, gfp_t gfp)
10292{
10293	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
10294	const struct nl80211_vendor_cmd_info *info;
10295
10296	switch (cmd) {
10297	case NL80211_CMD_TESTMODE:
10298		if (WARN_ON(vendor_event_idx != -1))
10299			return NULL;
10300		info = NULL;
10301		break;
10302	case NL80211_CMD_VENDOR:
10303		if (WARN_ON(vendor_event_idx < 0 ||
10304			    vendor_event_idx >= wiphy->n_vendor_events))
10305			return NULL;
10306		info = &wiphy->vendor_events[vendor_event_idx];
10307		break;
10308	default:
10309		WARN_ON(1);
10310		return NULL;
10311	}
10312
10313	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
10314					   cmd, attr, info, gfp);
10315}
10316EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
10317
10318void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
10319{
10320	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
10321	void *hdr = ((void **)skb->cb)[1];
10322	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
10323	struct nlattr *data = ((void **)skb->cb)[2];
10324	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
10325
10326	/* clear CB data for netlink core to own from now on */
10327	memset(skb->cb, 0, sizeof(skb->cb));
10328
10329	nla_nest_end(skb, data);
10330	genlmsg_end(skb, hdr);
10331
10332	if (nlhdr->nlmsg_pid) {
10333		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
10334				nlhdr->nlmsg_pid);
10335	} else {
10336		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
10337			mcgrp = NL80211_MCGRP_VENDOR;
10338
10339		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
10340					skb, 0, mcgrp, gfp);
10341	}
10342}
10343EXPORT_SYMBOL(__cfg80211_send_event_skb);
10344
10345#ifdef CONFIG_NL80211_TESTMODE
10346static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
10347{
10348	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10349	struct wireless_dev *wdev =
10350		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
10351	int err;
10352
10353	if (!rdev->ops->testmode_cmd)
10354		return -EOPNOTSUPP;
10355
10356	if (IS_ERR(wdev)) {
10357		err = PTR_ERR(wdev);
10358		if (err != -EINVAL)
10359			return err;
10360		wdev = NULL;
10361	} else if (wdev->wiphy != &rdev->wiphy) {
10362		return -EINVAL;
10363	}
10364
10365	if (!info->attrs[NL80211_ATTR_TESTDATA])
10366		return -EINVAL;
10367
10368	rdev->cur_cmd_info = info;
10369	err = rdev_testmode_cmd(rdev, wdev,
10370				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
10371				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
10372	rdev->cur_cmd_info = NULL;
10373
10374	return err;
10375}
10376
10377static int nl80211_testmode_dump(struct sk_buff *skb,
10378				 struct netlink_callback *cb)
10379{
10380	struct cfg80211_registered_device *rdev;
10381	struct nlattr **attrbuf = NULL;
10382	int err;
10383	long phy_idx;
10384	void *data = NULL;
10385	int data_len = 0;
10386
10387	rtnl_lock();
10388
10389	if (cb->args[0]) {
10390		/*
10391		 * 0 is a valid index, but not valid for args[0],
10392		 * so we need to offset by 1.
10393		 */
10394		phy_idx = cb->args[0] - 1;
10395
10396		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
10397		if (!rdev) {
10398			err = -ENOENT;
10399			goto out_err;
10400		}
10401	} else {
10402		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
10403				  GFP_KERNEL);
10404		if (!attrbuf) {
10405			err = -ENOMEM;
10406			goto out_err;
10407		}
10408
10409		err = nlmsg_parse_deprecated(cb->nlh,
10410					     GENL_HDRLEN + nl80211_fam.hdrsize,
10411					     attrbuf, nl80211_fam.maxattr,
10412					     nl80211_policy, NULL);
10413		if (err)
10414			goto out_err;
10415
10416		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
10417		if (IS_ERR(rdev)) {
10418			err = PTR_ERR(rdev);
10419			goto out_err;
10420		}
10421		phy_idx = rdev->wiphy_idx;
10422
10423		if (attrbuf[NL80211_ATTR_TESTDATA])
10424			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
10425	}
10426
10427	if (cb->args[1]) {
10428		data = nla_data((void *)cb->args[1]);
10429		data_len = nla_len((void *)cb->args[1]);
10430	}
10431
10432	if (!rdev->ops->testmode_dump) {
10433		err = -EOPNOTSUPP;
10434		goto out_err;
10435	}
10436
10437	while (1) {
10438		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
10439					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
10440					   NL80211_CMD_TESTMODE);
10441		struct nlattr *tmdata;
10442
10443		if (!hdr)
10444			break;
10445
10446		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
10447			genlmsg_cancel(skb, hdr);
10448			break;
10449		}
10450
10451		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
10452		if (!tmdata) {
10453			genlmsg_cancel(skb, hdr);
10454			break;
10455		}
10456		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
10457		nla_nest_end(skb, tmdata);
10458
10459		if (err == -ENOBUFS || err == -ENOENT) {
10460			genlmsg_cancel(skb, hdr);
10461			break;
10462		} else if (err) {
10463			genlmsg_cancel(skb, hdr);
10464			goto out_err;
10465		}
10466
10467		genlmsg_end(skb, hdr);
10468	}
10469
10470	err = skb->len;
10471	/* see above */
10472	cb->args[0] = phy_idx + 1;
10473 out_err:
10474	kfree(attrbuf);
10475	rtnl_unlock();
10476	return err;
10477}
10478#endif
10479
10480static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
10481{
10482	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10483	struct net_device *dev = info->user_ptr[1];
10484	struct cfg80211_connect_params connect;
10485	struct wiphy *wiphy;
10486	struct cfg80211_cached_keys *connkeys = NULL;
10487	u32 freq = 0;
10488	int err;
10489
10490	memset(&connect, 0, sizeof(connect));
10491
10492	if (!info->attrs[NL80211_ATTR_SSID] ||
10493	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
10494		return -EINVAL;
10495
10496	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
10497		connect.auth_type =
10498			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10499		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
10500					     NL80211_CMD_CONNECT))
10501			return -EINVAL;
10502	} else
10503		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
10504
10505	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
10506
10507	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
10508	    !wiphy_ext_feature_isset(&rdev->wiphy,
10509				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
10510		return -EINVAL;
10511	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
10512
10513	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
10514				      NL80211_MAX_NR_CIPHER_SUITES);
10515	if (err)
10516		return err;
10517
10518	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10519	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10520		return -EOPNOTSUPP;
10521
10522	wiphy = &rdev->wiphy;
10523
10524	connect.bg_scan_period = -1;
10525	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
10526		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
10527		connect.bg_scan_period =
10528			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
10529	}
10530
10531	if (info->attrs[NL80211_ATTR_MAC])
10532		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10533	else if (info->attrs[NL80211_ATTR_MAC_HINT])
10534		connect.bssid_hint =
10535			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
10536	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10537	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10538
10539	if (info->attrs[NL80211_ATTR_IE]) {
10540		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10541		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10542	}
10543
10544	if (info->attrs[NL80211_ATTR_USE_MFP]) {
10545		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
10546		if (connect.mfp == NL80211_MFP_OPTIONAL &&
10547		    !wiphy_ext_feature_isset(&rdev->wiphy,
10548					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
10549			return -EOPNOTSUPP;
10550	} else {
10551		connect.mfp = NL80211_MFP_NO;
10552	}
10553
10554	if (info->attrs[NL80211_ATTR_PREV_BSSID])
10555		connect.prev_bssid =
10556			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
10557
10558	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
10559		freq = MHZ_TO_KHZ(nla_get_u32(
10560					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10561	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10562		freq +=
10563		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10564
10565	if (freq) {
10566		connect.channel = nl80211_get_valid_chan(wiphy, freq);
10567		if (!connect.channel)
10568			return -EINVAL;
10569	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
10570		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
10571		freq = MHZ_TO_KHZ(freq);
10572		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
10573		if (!connect.channel_hint)
10574			return -EINVAL;
10575	}
10576
10577	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
10578		connect.edmg.channels =
10579		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
10580
10581		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
10582			connect.edmg.bw_config =
10583				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
10584	}
10585
10586	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
10587		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
10588		if (IS_ERR(connkeys))
10589			return PTR_ERR(connkeys);
10590	}
10591
10592	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
10593		connect.flags |= ASSOC_REQ_DISABLE_HT;
10594
10595	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10596		memcpy(&connect.ht_capa_mask,
10597		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10598		       sizeof(connect.ht_capa_mask));
10599
10600	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10601		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
10602			kfree_sensitive(connkeys);
10603			return -EINVAL;
10604		}
10605		memcpy(&connect.ht_capa,
10606		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10607		       sizeof(connect.ht_capa));
10608	}
10609
10610	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
10611		connect.flags |= ASSOC_REQ_DISABLE_VHT;
10612
10613	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10614		memcpy(&connect.vht_capa_mask,
10615		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
10616		       sizeof(connect.vht_capa_mask));
10617
10618	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
10619		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
10620			kfree_sensitive(connkeys);
10621			return -EINVAL;
10622		}
10623		memcpy(&connect.vht_capa,
10624		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
10625		       sizeof(connect.vht_capa));
10626	}
10627
10628	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
10629		if (!((rdev->wiphy.features &
10630			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
10631		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
10632		    !wiphy_ext_feature_isset(&rdev->wiphy,
10633					     NL80211_EXT_FEATURE_RRM)) {
10634			kfree_sensitive(connkeys);
10635			return -EINVAL;
10636		}
10637		connect.flags |= ASSOC_REQ_USE_RRM;
10638	}
10639
10640	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
10641	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
10642		kfree_sensitive(connkeys);
10643		return -EOPNOTSUPP;
10644	}
10645
10646	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
10647		/* bss selection makes no sense if bssid is set */
10648		if (connect.bssid) {
10649			kfree_sensitive(connkeys);
10650			return -EINVAL;
10651		}
10652
10653		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
10654				       wiphy, &connect.bss_select);
10655		if (err) {
10656			kfree_sensitive(connkeys);
10657			return err;
10658		}
10659	}
10660
10661	if (wiphy_ext_feature_isset(&rdev->wiphy,
10662				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
10663	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
10664	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
10665	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
10666	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10667		connect.fils_erp_username =
10668			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10669		connect.fils_erp_username_len =
10670			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10671		connect.fils_erp_realm =
10672			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10673		connect.fils_erp_realm_len =
10674			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10675		connect.fils_erp_next_seq_num =
10676			nla_get_u16(
10677			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
10678		connect.fils_erp_rrk =
10679			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10680		connect.fils_erp_rrk_len =
10681			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10682	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
10683		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
10684		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
10685		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10686		kfree_sensitive(connkeys);
10687		return -EINVAL;
10688	}
10689
10690	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
10691		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10692			kfree_sensitive(connkeys);
10693			GENL_SET_ERR_MSG(info,
10694					 "external auth requires connection ownership");
10695			return -EINVAL;
10696		}
10697		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
10698	}
10699
10700	wdev_lock(dev->ieee80211_ptr);
10701
10702	err = cfg80211_connect(rdev, dev, &connect, connkeys,
10703			       connect.prev_bssid);
10704	if (err)
10705		kfree_sensitive(connkeys);
10706
10707	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10708		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
10709		if (connect.bssid)
10710			memcpy(dev->ieee80211_ptr->disconnect_bssid,
10711			       connect.bssid, ETH_ALEN);
10712		else
10713			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
10714	}
10715
10716	wdev_unlock(dev->ieee80211_ptr);
10717
10718	return err;
10719}
10720
10721static int nl80211_update_connect_params(struct sk_buff *skb,
10722					 struct genl_info *info)
10723{
10724	struct cfg80211_connect_params connect = {};
10725	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10726	struct net_device *dev = info->user_ptr[1];
10727	struct wireless_dev *wdev = dev->ieee80211_ptr;
10728	bool fils_sk_offload;
10729	u32 auth_type;
10730	u32 changed = 0;
10731	int ret;
10732
10733	if (!rdev->ops->update_connect_params)
10734		return -EOPNOTSUPP;
10735
10736	if (info->attrs[NL80211_ATTR_IE]) {
10737		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10738		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10739		changed |= UPDATE_ASSOC_IES;
10740	}
10741
10742	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
10743						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
10744
10745	/*
10746	 * when driver supports fils-sk offload all attributes must be
10747	 * provided. So the else covers "fils-sk-not-all" and
10748	 * "no-fils-sk-any".
10749	 */
10750	if (fils_sk_offload &&
10751	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
10752	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
10753	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
10754	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10755		connect.fils_erp_username =
10756			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10757		connect.fils_erp_username_len =
10758			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10759		connect.fils_erp_realm =
10760			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10761		connect.fils_erp_realm_len =
10762			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10763		connect.fils_erp_next_seq_num =
10764			nla_get_u16(
10765			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
10766		connect.fils_erp_rrk =
10767			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10768		connect.fils_erp_rrk_len =
10769			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10770		changed |= UPDATE_FILS_ERP_INFO;
10771	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
10772		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
10773		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
10774		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10775		return -EINVAL;
10776	}
10777
10778	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
10779		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10780		if (!nl80211_valid_auth_type(rdev, auth_type,
10781					     NL80211_CMD_CONNECT))
10782			return -EINVAL;
10783
10784		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
10785		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
10786			return -EINVAL;
10787
10788		connect.auth_type = auth_type;
10789		changed |= UPDATE_AUTH_TYPE;
10790	}
10791
10792	wdev_lock(dev->ieee80211_ptr);
10793	if (!wdev->current_bss)
10794		ret = -ENOLINK;
10795	else
10796		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
10797	wdev_unlock(dev->ieee80211_ptr);
10798
10799	return ret;
10800}
10801
10802static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
10803{
10804	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10805	struct net_device *dev = info->user_ptr[1];
10806	u16 reason;
10807	int ret;
10808
10809	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10810	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10811		return -EPERM;
10812
10813	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10814		reason = WLAN_REASON_DEAUTH_LEAVING;
10815	else
10816		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10817
10818	if (reason == 0)
10819		return -EINVAL;
10820
10821	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10822	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10823		return -EOPNOTSUPP;
10824
10825	wdev_lock(dev->ieee80211_ptr);
10826	ret = cfg80211_disconnect(rdev, dev, reason, true);
10827	wdev_unlock(dev->ieee80211_ptr);
10828	return ret;
10829}
10830
10831static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
10832{
10833	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10834	struct net *net;
10835	int err;
10836
10837	if (info->attrs[NL80211_ATTR_PID]) {
10838		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
10839
10840		net = get_net_ns_by_pid(pid);
10841	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
10842		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
10843
10844		net = get_net_ns_by_fd(fd);
10845	} else {
10846		return -EINVAL;
10847	}
10848
10849	if (IS_ERR(net))
10850		return PTR_ERR(net);
10851
10852	err = 0;
10853
10854	/* check if anything to do */
10855	if (!net_eq(wiphy_net(&rdev->wiphy), net))
10856		err = cfg80211_switch_netns(rdev, net);
10857
10858	put_net(net);
10859	return err;
10860}
10861
10862static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
10863{
10864	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10865	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
10866			struct cfg80211_pmksa *pmksa) = NULL;
10867	struct net_device *dev = info->user_ptr[1];
10868	struct cfg80211_pmksa pmksa;
10869
10870	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
10871
10872	if (!info->attrs[NL80211_ATTR_PMKID])
10873		return -EINVAL;
10874
10875	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
10876
10877	if (info->attrs[NL80211_ATTR_MAC]) {
10878		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10879	} else if (info->attrs[NL80211_ATTR_SSID] &&
10880		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
10881		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
10882		    info->attrs[NL80211_ATTR_PMK])) {
10883		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10884		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10885		pmksa.cache_id =
10886			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
10887	} else {
10888		return -EINVAL;
10889	}
10890	if (info->attrs[NL80211_ATTR_PMK]) {
10891		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10892		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
10893	}
10894
10895	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
10896		pmksa.pmk_lifetime =
10897			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
10898
10899	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
10900		pmksa.pmk_reauth_threshold =
10901			nla_get_u8(
10902				info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
10903
10904	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10905	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
10906	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
10907	      wiphy_ext_feature_isset(&rdev->wiphy,
10908				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
10909		return -EOPNOTSUPP;
10910
10911	switch (info->genlhdr->cmd) {
10912	case NL80211_CMD_SET_PMKSA:
10913		rdev_ops = rdev->ops->set_pmksa;
10914		break;
10915	case NL80211_CMD_DEL_PMKSA:
10916		rdev_ops = rdev->ops->del_pmksa;
10917		break;
10918	default:
10919		WARN_ON(1);
10920		break;
10921	}
10922
10923	if (!rdev_ops)
10924		return -EOPNOTSUPP;
10925
10926	return rdev_ops(&rdev->wiphy, dev, &pmksa);
10927}
10928
10929static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
10930{
10931	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10932	struct net_device *dev = info->user_ptr[1];
10933
10934	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10935	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10936		return -EOPNOTSUPP;
10937
10938	if (!rdev->ops->flush_pmksa)
10939		return -EOPNOTSUPP;
10940
10941	return rdev_flush_pmksa(rdev, dev);
10942}
10943
10944static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
10945{
10946	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10947	struct net_device *dev = info->user_ptr[1];
10948	u8 action_code, dialog_token;
10949	u32 peer_capability = 0;
10950	u16 status_code;
10951	u8 *peer;
10952	bool initiator;
10953
10954	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
10955	    !rdev->ops->tdls_mgmt)
10956		return -EOPNOTSUPP;
10957
10958	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
10959	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
10960	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
10961	    !info->attrs[NL80211_ATTR_IE] ||
10962	    !info->attrs[NL80211_ATTR_MAC])
10963		return -EINVAL;
10964
10965	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10966	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
10967	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
10968	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
10969	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
10970	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
10971		peer_capability =
10972			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
10973
10974	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
10975			      dialog_token, status_code, peer_capability,
10976			      initiator,
10977			      nla_data(info->attrs[NL80211_ATTR_IE]),
10978			      nla_len(info->attrs[NL80211_ATTR_IE]));
10979}
10980
10981static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
10982{
10983	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10984	struct net_device *dev = info->user_ptr[1];
10985	enum nl80211_tdls_operation operation;
10986	u8 *peer;
10987
10988	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
10989	    !rdev->ops->tdls_oper)
10990		return -EOPNOTSUPP;
10991
10992	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
10993	    !info->attrs[NL80211_ATTR_MAC])
10994		return -EINVAL;
10995
10996	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
10997	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10998
10999	return rdev_tdls_oper(rdev, dev, peer, operation);
11000}
11001
11002static int nl80211_remain_on_channel(struct sk_buff *skb,
11003				     struct genl_info *info)
11004{
11005	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11006	struct wireless_dev *wdev = info->user_ptr[1];
11007	struct cfg80211_chan_def chandef;
11008	const struct cfg80211_chan_def *compat_chandef;
11009	struct sk_buff *msg;
11010	void *hdr;
11011	u64 cookie;
11012	u32 duration;
11013	int err;
11014
11015	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11016	    !info->attrs[NL80211_ATTR_DURATION])
11017		return -EINVAL;
11018
11019	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
11020
11021	if (!rdev->ops->remain_on_channel ||
11022	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
11023		return -EOPNOTSUPP;
11024
11025	/*
11026	 * We should be on that channel for at least a minimum amount of
11027	 * time (10ms) but no longer than the driver supports.
11028	 */
11029	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11030	    duration > rdev->wiphy.max_remain_on_channel_duration)
11031		return -EINVAL;
11032
11033	err = nl80211_parse_chandef(rdev, info, &chandef);
11034	if (err)
11035		return err;
11036
11037	wdev_lock(wdev);
11038	if (!cfg80211_off_channel_oper_allowed(wdev) &&
11039	    !cfg80211_chandef_identical(&wdev->chandef, &chandef)) {
11040		compat_chandef = cfg80211_chandef_compatible(&wdev->chandef,
11041							     &chandef);
11042		if (compat_chandef != &chandef) {
11043			wdev_unlock(wdev);
11044			return -EBUSY;
11045		}
11046	}
11047	wdev_unlock(wdev);
11048
11049	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11050	if (!msg)
11051		return -ENOMEM;
11052
11053	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11054			     NL80211_CMD_REMAIN_ON_CHANNEL);
11055	if (!hdr) {
11056		err = -ENOBUFS;
11057		goto free_msg;
11058	}
11059
11060	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
11061				     duration, &cookie);
11062
11063	if (err)
11064		goto free_msg;
11065
11066	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11067			      NL80211_ATTR_PAD))
11068		goto nla_put_failure;
11069
11070	genlmsg_end(msg, hdr);
11071
11072	return genlmsg_reply(msg, info);
11073
11074 nla_put_failure:
11075	err = -ENOBUFS;
11076 free_msg:
11077	nlmsg_free(msg);
11078	return err;
11079}
11080
11081static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
11082					    struct genl_info *info)
11083{
11084	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11085	struct wireless_dev *wdev = info->user_ptr[1];
11086	u64 cookie;
11087
11088	if (!info->attrs[NL80211_ATTR_COOKIE])
11089		return -EINVAL;
11090
11091	if (!rdev->ops->cancel_remain_on_channel)
11092		return -EOPNOTSUPP;
11093
11094	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11095
11096	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
11097}
11098
11099static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
11100				       struct genl_info *info)
11101{
11102	struct cfg80211_bitrate_mask mask;
11103	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11104	struct net_device *dev = info->user_ptr[1];
11105	struct wireless_dev *wdev = dev->ieee80211_ptr;
11106	int err;
11107
11108	if (!rdev->ops->set_bitrate_mask)
11109		return -EOPNOTSUPP;
11110
11111	wdev_lock(wdev);
11112	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
11113					    NL80211_ATTR_TX_RATES, &mask,
11114					    dev);
11115	if (err)
11116		goto out;
11117
11118	err = rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
11119out:
11120	wdev_unlock(wdev);
11121	return err;
11122}
11123
11124static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
11125{
11126	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11127	struct wireless_dev *wdev = info->user_ptr[1];
11128	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
11129
11130	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
11131		return -EINVAL;
11132
11133	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
11134		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
11135
11136	switch (wdev->iftype) {
11137	case NL80211_IFTYPE_STATION:
11138	case NL80211_IFTYPE_ADHOC:
11139	case NL80211_IFTYPE_P2P_CLIENT:
11140	case NL80211_IFTYPE_AP:
11141	case NL80211_IFTYPE_AP_VLAN:
11142	case NL80211_IFTYPE_MESH_POINT:
11143	case NL80211_IFTYPE_P2P_GO:
11144	case NL80211_IFTYPE_P2P_DEVICE:
11145		break;
11146	case NL80211_IFTYPE_NAN:
11147	default:
11148		return -EOPNOTSUPP;
11149	}
11150
11151	/* not much point in registering if we can't reply */
11152	if (!rdev->ops->mgmt_tx)
11153		return -EOPNOTSUPP;
11154
11155	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
11156	    !wiphy_ext_feature_isset(&rdev->wiphy,
11157				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
11158		GENL_SET_ERR_MSG(info,
11159				 "multicast RX registrations are not supported");
11160		return -EOPNOTSUPP;
11161	}
11162
11163	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
11164					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
11165					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
11166					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
11167					   info->extack);
11168}
11169
11170static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
11171{
11172	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11173	struct wireless_dev *wdev = info->user_ptr[1];
11174	struct cfg80211_chan_def chandef;
11175	int err;
11176	void *hdr = NULL;
11177	u64 cookie;
11178	struct sk_buff *msg = NULL;
11179	struct cfg80211_mgmt_tx_params params = {
11180		.dont_wait_for_ack =
11181			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
11182	};
11183
11184	if (!info->attrs[NL80211_ATTR_FRAME])
11185		return -EINVAL;
11186
11187	if (!rdev->ops->mgmt_tx)
11188		return -EOPNOTSUPP;
11189
11190	switch (wdev->iftype) {
11191	case NL80211_IFTYPE_P2P_DEVICE:
11192		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
11193			return -EINVAL;
11194	case NL80211_IFTYPE_STATION:
11195	case NL80211_IFTYPE_ADHOC:
11196	case NL80211_IFTYPE_P2P_CLIENT:
11197	case NL80211_IFTYPE_AP:
11198	case NL80211_IFTYPE_AP_VLAN:
11199	case NL80211_IFTYPE_MESH_POINT:
11200	case NL80211_IFTYPE_P2P_GO:
11201		break;
11202	case NL80211_IFTYPE_NAN:
11203	default:
11204		return -EOPNOTSUPP;
11205	}
11206
11207	if (info->attrs[NL80211_ATTR_DURATION]) {
11208		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
11209			return -EINVAL;
11210		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
11211
11212		/*
11213		 * We should wait on the channel for at least a minimum amount
11214		 * of time (10ms) but no longer than the driver supports.
11215		 */
11216		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11217		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
11218			return -EINVAL;
11219	}
11220
11221	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
11222
11223	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
11224		return -EINVAL;
11225
11226	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
11227
11228	/* get the channel if any has been specified, otherwise pass NULL to
11229	 * the driver. The latter will use the current one
11230	 */
11231	chandef.chan = NULL;
11232	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
11233		err = nl80211_parse_chandef(rdev, info, &chandef);
11234		if (err)
11235			return err;
11236	}
11237
11238	if (!chandef.chan && params.offchan)
11239		return -EINVAL;
11240
11241	wdev_lock(wdev);
11242	if (params.offchan && !cfg80211_off_channel_oper_allowed(wdev)) {
11243		wdev_unlock(wdev);
11244		return -EBUSY;
11245	}
11246	wdev_unlock(wdev);
11247
11248	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
11249	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
11250
11251	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
11252		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11253		int i;
11254
11255		if (len % sizeof(u16))
11256			return -EINVAL;
11257
11258		params.n_csa_offsets = len / sizeof(u16);
11259		params.csa_offsets =
11260			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11261
11262		/* check that all the offsets fit the frame */
11263		for (i = 0; i < params.n_csa_offsets; i++) {
11264			if (params.csa_offsets[i] >= params.len)
11265				return -EINVAL;
11266		}
11267	}
11268
11269	if (!params.dont_wait_for_ack) {
11270		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11271		if (!msg)
11272			return -ENOMEM;
11273
11274		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11275				     NL80211_CMD_FRAME);
11276		if (!hdr) {
11277			err = -ENOBUFS;
11278			goto free_msg;
11279		}
11280	}
11281
11282	params.chan = chandef.chan;
11283	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
11284	if (err)
11285		goto free_msg;
11286
11287	if (msg) {
11288		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11289				      NL80211_ATTR_PAD))
11290			goto nla_put_failure;
11291
11292		genlmsg_end(msg, hdr);
11293		return genlmsg_reply(msg, info);
11294	}
11295
11296	return 0;
11297
11298 nla_put_failure:
11299	err = -ENOBUFS;
11300 free_msg:
11301	nlmsg_free(msg);
11302	return err;
11303}
11304
11305static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
11306{
11307	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11308	struct wireless_dev *wdev = info->user_ptr[1];
11309	u64 cookie;
11310
11311	if (!info->attrs[NL80211_ATTR_COOKIE])
11312		return -EINVAL;
11313
11314	if (!rdev->ops->mgmt_tx_cancel_wait)
11315		return -EOPNOTSUPP;
11316
11317	switch (wdev->iftype) {
11318	case NL80211_IFTYPE_STATION:
11319	case NL80211_IFTYPE_ADHOC:
11320	case NL80211_IFTYPE_P2P_CLIENT:
11321	case NL80211_IFTYPE_AP:
11322	case NL80211_IFTYPE_AP_VLAN:
11323	case NL80211_IFTYPE_P2P_GO:
11324	case NL80211_IFTYPE_P2P_DEVICE:
11325		break;
11326	case NL80211_IFTYPE_NAN:
11327	default:
11328		return -EOPNOTSUPP;
11329	}
11330
11331	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11332
11333	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
11334}
11335
11336static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
11337{
11338	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11339	struct wireless_dev *wdev;
11340	struct net_device *dev = info->user_ptr[1];
11341	u8 ps_state;
11342	bool state;
11343	int err;
11344
11345	if (!info->attrs[NL80211_ATTR_PS_STATE])
11346		return -EINVAL;
11347
11348	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
11349
11350	wdev = dev->ieee80211_ptr;
11351
11352	if (!rdev->ops->set_power_mgmt)
11353		return -EOPNOTSUPP;
11354
11355	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
11356
11357	if (state == wdev->ps)
11358		return 0;
11359
11360	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
11361	if (!err)
11362		wdev->ps = state;
11363	return err;
11364}
11365
11366static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
11367{
11368	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11369	enum nl80211_ps_state ps_state;
11370	struct wireless_dev *wdev;
11371	struct net_device *dev = info->user_ptr[1];
11372	struct sk_buff *msg;
11373	void *hdr;
11374	int err;
11375
11376	wdev = dev->ieee80211_ptr;
11377
11378	if (!rdev->ops->set_power_mgmt)
11379		return -EOPNOTSUPP;
11380
11381	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11382	if (!msg)
11383		return -ENOMEM;
11384
11385	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11386			     NL80211_CMD_GET_POWER_SAVE);
11387	if (!hdr) {
11388		err = -ENOBUFS;
11389		goto free_msg;
11390	}
11391
11392	if (wdev->ps)
11393		ps_state = NL80211_PS_ENABLED;
11394	else
11395		ps_state = NL80211_PS_DISABLED;
11396
11397	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
11398		goto nla_put_failure;
11399
11400	genlmsg_end(msg, hdr);
11401	return genlmsg_reply(msg, info);
11402
11403 nla_put_failure:
11404	err = -ENOBUFS;
11405 free_msg:
11406	nlmsg_free(msg);
11407	return err;
11408}
11409
11410static const struct nla_policy
11411nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
11412	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
11413	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
11414	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
11415	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
11416	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
11417	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
11418	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
11419};
11420
11421static int nl80211_set_cqm_txe(struct genl_info *info,
11422			       u32 rate, u32 pkts, u32 intvl)
11423{
11424	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11425	struct net_device *dev = info->user_ptr[1];
11426	struct wireless_dev *wdev = dev->ieee80211_ptr;
11427
11428	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
11429		return -EINVAL;
11430
11431	if (!rdev->ops->set_cqm_txe_config)
11432		return -EOPNOTSUPP;
11433
11434	if (wdev->iftype != NL80211_IFTYPE_STATION &&
11435	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
11436		return -EOPNOTSUPP;
11437
11438	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
11439}
11440
11441static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
11442				    struct net_device *dev)
11443{
11444	struct wireless_dev *wdev = dev->ieee80211_ptr;
11445	s32 last, low, high;
11446	u32 hyst;
11447	int i, n, low_index;
11448	int err;
11449
11450	/* RSSI reporting disabled? */
11451	if (!wdev->cqm_config)
11452		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
11453
11454	/*
11455	 * Obtain current RSSI value if possible, if not and no RSSI threshold
11456	 * event has been received yet, we should receive an event after a
11457	 * connection is established and enough beacons received to calculate
11458	 * the average.
11459	 */
11460	if (!wdev->cqm_config->last_rssi_event_value && wdev->current_bss &&
11461	    rdev->ops->get_station) {
11462		struct station_info sinfo = {};
11463		u8 *mac_addr;
11464
11465		mac_addr = wdev->current_bss->pub.bssid;
11466
11467		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
11468		if (err)
11469			return err;
11470
11471		cfg80211_sinfo_release_content(&sinfo);
11472		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
11473			wdev->cqm_config->last_rssi_event_value =
11474				(s8) sinfo.rx_beacon_signal_avg;
11475	}
11476
11477	last = wdev->cqm_config->last_rssi_event_value;
11478	hyst = wdev->cqm_config->rssi_hyst;
11479	n = wdev->cqm_config->n_rssi_thresholds;
11480
11481	for (i = 0; i < n; i++) {
11482		i = array_index_nospec(i, n);
11483		if (last < wdev->cqm_config->rssi_thresholds[i])
11484			break;
11485	}
11486
11487	low_index = i - 1;
11488	if (low_index >= 0) {
11489		low_index = array_index_nospec(low_index, n);
11490		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
11491	} else {
11492		low = S32_MIN;
11493	}
11494	if (i < n) {
11495		i = array_index_nospec(i, n);
11496		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
11497	} else {
11498		high = S32_MAX;
11499	}
11500
11501	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
11502}
11503
11504static int nl80211_set_cqm_rssi(struct genl_info *info,
11505				const s32 *thresholds, int n_thresholds,
11506				u32 hysteresis)
11507{
11508	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11509	struct net_device *dev = info->user_ptr[1];
11510	struct wireless_dev *wdev = dev->ieee80211_ptr;
11511	int i, err;
11512	s32 prev = S32_MIN;
11513
11514	/* Check all values negative and sorted */
11515	for (i = 0; i < n_thresholds; i++) {
11516		if (thresholds[i] > 0 || thresholds[i] <= prev)
11517			return -EINVAL;
11518
11519		prev = thresholds[i];
11520	}
11521
11522	if (wdev->iftype != NL80211_IFTYPE_STATION &&
11523	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
11524		return -EOPNOTSUPP;
11525
11526	wdev_lock(wdev);
11527	cfg80211_cqm_config_free(wdev);
11528	wdev_unlock(wdev);
11529
11530	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
11531		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
11532			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
11533
11534		return rdev_set_cqm_rssi_config(rdev, dev,
11535						thresholds[0], hysteresis);
11536	}
11537
11538	if (!wiphy_ext_feature_isset(&rdev->wiphy,
11539				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
11540		return -EOPNOTSUPP;
11541
11542	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
11543		n_thresholds = 0;
11544
11545	wdev_lock(wdev);
11546	if (n_thresholds) {
11547		struct cfg80211_cqm_config *cqm_config;
11548
11549		cqm_config = kzalloc(sizeof(struct cfg80211_cqm_config) +
11550				     n_thresholds * sizeof(s32), GFP_KERNEL);
11551		if (!cqm_config) {
11552			err = -ENOMEM;
11553			goto unlock;
11554		}
11555
11556		cqm_config->rssi_hyst = hysteresis;
11557		cqm_config->n_rssi_thresholds = n_thresholds;
11558		memcpy(cqm_config->rssi_thresholds, thresholds,
11559		       n_thresholds * sizeof(s32));
11560
11561		wdev->cqm_config = cqm_config;
11562	}
11563
11564	err = cfg80211_cqm_rssi_update(rdev, dev);
11565
11566unlock:
11567	wdev_unlock(wdev);
11568
11569	return err;
11570}
11571
11572static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
11573{
11574	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
11575	struct nlattr *cqm;
11576	int err;
11577
11578	cqm = info->attrs[NL80211_ATTR_CQM];
11579	if (!cqm)
11580		return -EINVAL;
11581
11582	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
11583					  nl80211_attr_cqm_policy,
11584					  info->extack);
11585	if (err)
11586		return err;
11587
11588	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
11589	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
11590		const s32 *thresholds =
11591			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
11592		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
11593		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
11594
11595		if (len % 4)
11596			return -EINVAL;
11597
11598		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
11599					    hysteresis);
11600	}
11601
11602	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
11603	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
11604	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
11605		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
11606		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
11607		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
11608
11609		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
11610	}
11611
11612	return -EINVAL;
11613}
11614
11615static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
11616{
11617	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11618	struct net_device *dev = info->user_ptr[1];
11619	struct ocb_setup setup = {};
11620	int err;
11621
11622	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
11623	if (err)
11624		return err;
11625
11626	return cfg80211_join_ocb(rdev, dev, &setup);
11627}
11628
11629static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
11630{
11631	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11632	struct net_device *dev = info->user_ptr[1];
11633
11634	return cfg80211_leave_ocb(rdev, dev);
11635}
11636
11637static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
11638{
11639	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11640	struct net_device *dev = info->user_ptr[1];
11641	struct mesh_config cfg;
11642	struct mesh_setup setup;
11643	int err;
11644
11645	/* start with default */
11646	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
11647	memcpy(&setup, &default_mesh_setup, sizeof(setup));
11648
11649	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
11650		/* and parse parameters if given */
11651		err = nl80211_parse_mesh_config(info, &cfg, NULL);
11652		if (err)
11653			return err;
11654	}
11655
11656	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
11657	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
11658		return -EINVAL;
11659
11660	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
11661	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
11662
11663	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
11664	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
11665			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
11666			return -EINVAL;
11667
11668	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
11669		setup.beacon_interval =
11670			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
11671
11672		err = cfg80211_validate_beacon_int(rdev,
11673						   NL80211_IFTYPE_MESH_POINT,
11674						   setup.beacon_interval);
11675		if (err)
11676			return err;
11677	}
11678
11679	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
11680		setup.dtim_period =
11681			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
11682		if (setup.dtim_period < 1 || setup.dtim_period > 100)
11683			return -EINVAL;
11684	}
11685
11686	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
11687		/* parse additional setup parameters if given */
11688		err = nl80211_parse_mesh_setup(info, &setup);
11689		if (err)
11690			return err;
11691	}
11692
11693	if (setup.user_mpm)
11694		cfg.auto_open_plinks = false;
11695
11696	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
11697		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
11698		if (err)
11699			return err;
11700	} else {
11701		/* __cfg80211_join_mesh() will sort it out */
11702		setup.chandef.chan = NULL;
11703	}
11704
11705	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
11706		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11707		int n_rates =
11708			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11709		struct ieee80211_supported_band *sband;
11710
11711		if (!setup.chandef.chan)
11712			return -EINVAL;
11713
11714		sband = rdev->wiphy.bands[setup.chandef.chan->band];
11715
11716		err = ieee80211_get_ratemask(sband, rates, n_rates,
11717					     &setup.basic_rates);
11718		if (err)
11719			return err;
11720	}
11721
11722	if (info->attrs[NL80211_ATTR_TX_RATES]) {
11723		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
11724						    NL80211_ATTR_TX_RATES,
11725						    &setup.beacon_rate,
11726						    dev);
11727		if (err)
11728			return err;
11729
11730		if (!setup.chandef.chan)
11731			return -EINVAL;
11732
11733		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
11734					      &setup.beacon_rate);
11735		if (err)
11736			return err;
11737	}
11738
11739	setup.userspace_handles_dfs =
11740		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11741
11742	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11743		int r = validate_pae_over_nl80211(rdev, info);
11744
11745		if (r < 0)
11746			return r;
11747
11748		setup.control_port_over_nl80211 = true;
11749	}
11750
11751	wdev_lock(dev->ieee80211_ptr);
11752	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
11753	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
11754		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11755	wdev_unlock(dev->ieee80211_ptr);
11756
11757	return err;
11758}
11759
11760static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
11761{
11762	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11763	struct net_device *dev = info->user_ptr[1];
11764
11765	return cfg80211_leave_mesh(rdev, dev);
11766}
11767
11768#ifdef CONFIG_PM
11769static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
11770					struct cfg80211_registered_device *rdev)
11771{
11772	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
11773	struct nlattr *nl_pats, *nl_pat;
11774	int i, pat_len;
11775
11776	if (!wowlan->n_patterns)
11777		return 0;
11778
11779	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
11780	if (!nl_pats)
11781		return -ENOBUFS;
11782
11783	for (i = 0; i < wowlan->n_patterns; i++) {
11784		nl_pat = nla_nest_start_noflag(msg, i + 1);
11785		if (!nl_pat)
11786			return -ENOBUFS;
11787		pat_len = wowlan->patterns[i].pattern_len;
11788		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
11789			    wowlan->patterns[i].mask) ||
11790		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
11791			    wowlan->patterns[i].pattern) ||
11792		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
11793				wowlan->patterns[i].pkt_offset))
11794			return -ENOBUFS;
11795		nla_nest_end(msg, nl_pat);
11796	}
11797	nla_nest_end(msg, nl_pats);
11798
11799	return 0;
11800}
11801
11802static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
11803				   struct cfg80211_wowlan_tcp *tcp)
11804{
11805	struct nlattr *nl_tcp;
11806
11807	if (!tcp)
11808		return 0;
11809
11810	nl_tcp = nla_nest_start_noflag(msg,
11811				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
11812	if (!nl_tcp)
11813		return -ENOBUFS;
11814
11815	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
11816	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
11817	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
11818	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
11819	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
11820	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
11821		    tcp->payload_len, tcp->payload) ||
11822	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
11823			tcp->data_interval) ||
11824	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
11825		    tcp->wake_len, tcp->wake_data) ||
11826	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
11827		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
11828		return -ENOBUFS;
11829
11830	if (tcp->payload_seq.len &&
11831	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
11832		    sizeof(tcp->payload_seq), &tcp->payload_seq))
11833		return -ENOBUFS;
11834
11835	if (tcp->payload_tok.len &&
11836	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
11837		    sizeof(tcp->payload_tok) + tcp->tokens_size,
11838		    &tcp->payload_tok))
11839		return -ENOBUFS;
11840
11841	nla_nest_end(msg, nl_tcp);
11842
11843	return 0;
11844}
11845
11846static int nl80211_send_wowlan_nd(struct sk_buff *msg,
11847				  struct cfg80211_sched_scan_request *req)
11848{
11849	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
11850	int i;
11851
11852	if (!req)
11853		return 0;
11854
11855	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
11856	if (!nd)
11857		return -ENOBUFS;
11858
11859	if (req->n_scan_plans == 1 &&
11860	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
11861			req->scan_plans[0].interval * 1000))
11862		return -ENOBUFS;
11863
11864	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
11865		return -ENOBUFS;
11866
11867	if (req->relative_rssi_set) {
11868		struct nl80211_bss_select_rssi_adjust rssi_adjust;
11869
11870		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
11871			       req->relative_rssi))
11872			return -ENOBUFS;
11873
11874		rssi_adjust.band = req->rssi_adjust.band;
11875		rssi_adjust.delta = req->rssi_adjust.delta;
11876		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
11877			    sizeof(rssi_adjust), &rssi_adjust))
11878			return -ENOBUFS;
11879	}
11880
11881	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
11882	if (!freqs)
11883		return -ENOBUFS;
11884
11885	for (i = 0; i < req->n_channels; i++) {
11886		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
11887			return -ENOBUFS;
11888	}
11889
11890	nla_nest_end(msg, freqs);
11891
11892	if (req->n_match_sets) {
11893		matches = nla_nest_start_noflag(msg,
11894						NL80211_ATTR_SCHED_SCAN_MATCH);
11895		if (!matches)
11896			return -ENOBUFS;
11897
11898		for (i = 0; i < req->n_match_sets; i++) {
11899			match = nla_nest_start_noflag(msg, i);
11900			if (!match)
11901				return -ENOBUFS;
11902
11903			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
11904				    req->match_sets[i].ssid.ssid_len,
11905				    req->match_sets[i].ssid.ssid))
11906				return -ENOBUFS;
11907			nla_nest_end(msg, match);
11908		}
11909		nla_nest_end(msg, matches);
11910	}
11911
11912	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
11913	if (!scan_plans)
11914		return -ENOBUFS;
11915
11916	for (i = 0; i < req->n_scan_plans; i++) {
11917		scan_plan = nla_nest_start_noflag(msg, i + 1);
11918		if (!scan_plan)
11919			return -ENOBUFS;
11920
11921		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
11922				req->scan_plans[i].interval) ||
11923		    (req->scan_plans[i].iterations &&
11924		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
11925				 req->scan_plans[i].iterations)))
11926			return -ENOBUFS;
11927		nla_nest_end(msg, scan_plan);
11928	}
11929	nla_nest_end(msg, scan_plans);
11930
11931	nla_nest_end(msg, nd);
11932
11933	return 0;
11934}
11935
11936static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
11937{
11938	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11939	struct sk_buff *msg;
11940	void *hdr;
11941	u32 size = NLMSG_DEFAULT_SIZE;
11942
11943	if (!rdev->wiphy.wowlan)
11944		return -EOPNOTSUPP;
11945
11946	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
11947		/* adjust size to have room for all the data */
11948		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
11949			rdev->wiphy.wowlan_config->tcp->payload_len +
11950			rdev->wiphy.wowlan_config->tcp->wake_len +
11951			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
11952	}
11953
11954	msg = nlmsg_new(size, GFP_KERNEL);
11955	if (!msg)
11956		return -ENOMEM;
11957
11958	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11959			     NL80211_CMD_GET_WOWLAN);
11960	if (!hdr)
11961		goto nla_put_failure;
11962
11963	if (rdev->wiphy.wowlan_config) {
11964		struct nlattr *nl_wowlan;
11965
11966		nl_wowlan = nla_nest_start_noflag(msg,
11967						  NL80211_ATTR_WOWLAN_TRIGGERS);
11968		if (!nl_wowlan)
11969			goto nla_put_failure;
11970
11971		if ((rdev->wiphy.wowlan_config->any &&
11972		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
11973		    (rdev->wiphy.wowlan_config->disconnect &&
11974		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
11975		    (rdev->wiphy.wowlan_config->magic_pkt &&
11976		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
11977		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
11978		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
11979		    (rdev->wiphy.wowlan_config->eap_identity_req &&
11980		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
11981		    (rdev->wiphy.wowlan_config->four_way_handshake &&
11982		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
11983		    (rdev->wiphy.wowlan_config->rfkill_release &&
11984		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
11985			goto nla_put_failure;
11986
11987		if (nl80211_send_wowlan_patterns(msg, rdev))
11988			goto nla_put_failure;
11989
11990		if (nl80211_send_wowlan_tcp(msg,
11991					    rdev->wiphy.wowlan_config->tcp))
11992			goto nla_put_failure;
11993
11994		if (nl80211_send_wowlan_nd(
11995			    msg,
11996			    rdev->wiphy.wowlan_config->nd_config))
11997			goto nla_put_failure;
11998
11999		nla_nest_end(msg, nl_wowlan);
12000	}
12001
12002	genlmsg_end(msg, hdr);
12003	return genlmsg_reply(msg, info);
12004
12005nla_put_failure:
12006	nlmsg_free(msg);
12007	return -ENOBUFS;
12008}
12009
12010static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
12011				    struct nlattr *attr,
12012				    struct cfg80211_wowlan *trig)
12013{
12014	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
12015	struct cfg80211_wowlan_tcp *cfg;
12016	struct nl80211_wowlan_tcp_data_token *tok = NULL;
12017	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
12018	u32 size;
12019	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
12020	int err, port;
12021
12022	if (!rdev->wiphy.wowlan->tcp)
12023		return -EINVAL;
12024
12025	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
12026					  nl80211_wowlan_tcp_policy, NULL);
12027	if (err)
12028		return err;
12029
12030	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
12031	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
12032	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
12033	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
12034	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
12035	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
12036	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
12037	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
12038		return -EINVAL;
12039
12040	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
12041	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
12042		return -EINVAL;
12043
12044	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
12045			rdev->wiphy.wowlan->tcp->data_interval_max ||
12046	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
12047		return -EINVAL;
12048
12049	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
12050	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
12051		return -EINVAL;
12052
12053	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
12054	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
12055		return -EINVAL;
12056
12057	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
12058		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12059
12060		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12061		tokens_size = tokln - sizeof(*tok);
12062
12063		if (!tok->len || tokens_size % tok->len)
12064			return -EINVAL;
12065		if (!rdev->wiphy.wowlan->tcp->tok)
12066			return -EINVAL;
12067		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
12068			return -EINVAL;
12069		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
12070			return -EINVAL;
12071		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
12072			return -EINVAL;
12073		if (tok->offset + tok->len > data_size)
12074			return -EINVAL;
12075	}
12076
12077	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
12078		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
12079		if (!rdev->wiphy.wowlan->tcp->seq)
12080			return -EINVAL;
12081		if (seq->len == 0 || seq->len > 4)
12082			return -EINVAL;
12083		if (seq->len + seq->offset > data_size)
12084			return -EINVAL;
12085	}
12086
12087	size = sizeof(*cfg);
12088	size += data_size;
12089	size += wake_size + wake_mask_size;
12090	size += tokens_size;
12091
12092	cfg = kzalloc(size, GFP_KERNEL);
12093	if (!cfg)
12094		return -ENOMEM;
12095	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
12096	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
12097	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
12098	       ETH_ALEN);
12099	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
12100		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
12101	else
12102		port = 0;
12103#ifdef CONFIG_INET
12104	/* allocate a socket and port for it and use it */
12105	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
12106			    IPPROTO_TCP, &cfg->sock, 1);
12107	if (err) {
12108		kfree(cfg);
12109		return err;
12110	}
12111	if (inet_csk_get_port(cfg->sock->sk, port)) {
12112		sock_release(cfg->sock);
12113		kfree(cfg);
12114		return -EADDRINUSE;
12115	}
12116	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
12117#else
12118	if (!port) {
12119		kfree(cfg);
12120		return -EINVAL;
12121	}
12122	cfg->src_port = port;
12123#endif
12124
12125	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
12126	cfg->payload_len = data_size;
12127	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
12128	memcpy((void *)cfg->payload,
12129	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
12130	       data_size);
12131	if (seq)
12132		cfg->payload_seq = *seq;
12133	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
12134	cfg->wake_len = wake_size;
12135	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
12136	memcpy((void *)cfg->wake_data,
12137	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
12138	       wake_size);
12139	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
12140			 data_size + wake_size;
12141	memcpy((void *)cfg->wake_mask,
12142	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
12143	       wake_mask_size);
12144	if (tok) {
12145		cfg->tokens_size = tokens_size;
12146		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
12147	}
12148
12149	trig->tcp = cfg;
12150
12151	return 0;
12152}
12153
12154static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
12155				   const struct wiphy_wowlan_support *wowlan,
12156				   struct nlattr *attr,
12157				   struct cfg80211_wowlan *trig)
12158{
12159	struct nlattr **tb;
12160	int err;
12161
12162	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
12163	if (!tb)
12164		return -ENOMEM;
12165
12166	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
12167		err = -EOPNOTSUPP;
12168		goto out;
12169	}
12170
12171	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
12172					  nl80211_policy, NULL);
12173	if (err)
12174		goto out;
12175
12176	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
12177						   wowlan->max_nd_match_sets);
12178	err = PTR_ERR_OR_ZERO(trig->nd_config);
12179	if (err)
12180		trig->nd_config = NULL;
12181
12182out:
12183	kfree(tb);
12184	return err;
12185}
12186
12187static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
12188{
12189	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12190	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
12191	struct cfg80211_wowlan new_triggers = {};
12192	struct cfg80211_wowlan *ntrig;
12193	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
12194	int err, i;
12195	bool prev_enabled = rdev->wiphy.wowlan_config;
12196	bool regular = false;
12197
12198	if (!wowlan)
12199		return -EOPNOTSUPP;
12200
12201	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
12202		cfg80211_rdev_free_wowlan(rdev);
12203		rdev->wiphy.wowlan_config = NULL;
12204		goto set_wakeup;
12205	}
12206
12207	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
12208					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
12209					  nl80211_wowlan_policy, info->extack);
12210	if (err)
12211		return err;
12212
12213	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
12214		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
12215			return -EINVAL;
12216		new_triggers.any = true;
12217	}
12218
12219	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
12220		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
12221			return -EINVAL;
12222		new_triggers.disconnect = true;
12223		regular = true;
12224	}
12225
12226	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
12227		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
12228			return -EINVAL;
12229		new_triggers.magic_pkt = true;
12230		regular = true;
12231	}
12232
12233	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
12234		return -EINVAL;
12235
12236	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
12237		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
12238			return -EINVAL;
12239		new_triggers.gtk_rekey_failure = true;
12240		regular = true;
12241	}
12242
12243	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
12244		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
12245			return -EINVAL;
12246		new_triggers.eap_identity_req = true;
12247		regular = true;
12248	}
12249
12250	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
12251		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
12252			return -EINVAL;
12253		new_triggers.four_way_handshake = true;
12254		regular = true;
12255	}
12256
12257	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
12258		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
12259			return -EINVAL;
12260		new_triggers.rfkill_release = true;
12261		regular = true;
12262	}
12263
12264	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
12265		struct nlattr *pat;
12266		int n_patterns = 0;
12267		int rem, pat_len, mask_len, pkt_offset;
12268		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
12269
12270		regular = true;
12271
12272		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12273				    rem)
12274			n_patterns++;
12275		if (n_patterns > wowlan->n_patterns)
12276			return -EINVAL;
12277
12278		new_triggers.patterns = kcalloc(n_patterns,
12279						sizeof(new_triggers.patterns[0]),
12280						GFP_KERNEL);
12281		if (!new_triggers.patterns)
12282			return -ENOMEM;
12283
12284		new_triggers.n_patterns = n_patterns;
12285		i = 0;
12286
12287		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12288				    rem) {
12289			u8 *mask_pat;
12290
12291			err = nla_parse_nested_deprecated(pat_tb,
12292							  MAX_NL80211_PKTPAT,
12293							  pat,
12294							  nl80211_packet_pattern_policy,
12295							  info->extack);
12296			if (err)
12297				goto error;
12298
12299			err = -EINVAL;
12300			if (!pat_tb[NL80211_PKTPAT_MASK] ||
12301			    !pat_tb[NL80211_PKTPAT_PATTERN])
12302				goto error;
12303			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
12304			mask_len = DIV_ROUND_UP(pat_len, 8);
12305			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
12306				goto error;
12307			if (pat_len > wowlan->pattern_max_len ||
12308			    pat_len < wowlan->pattern_min_len)
12309				goto error;
12310
12311			if (!pat_tb[NL80211_PKTPAT_OFFSET])
12312				pkt_offset = 0;
12313			else
12314				pkt_offset = nla_get_u32(
12315					pat_tb[NL80211_PKTPAT_OFFSET]);
12316			if (pkt_offset > wowlan->max_pkt_offset)
12317				goto error;
12318			new_triggers.patterns[i].pkt_offset = pkt_offset;
12319
12320			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
12321			if (!mask_pat) {
12322				err = -ENOMEM;
12323				goto error;
12324			}
12325			new_triggers.patterns[i].mask = mask_pat;
12326			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
12327			       mask_len);
12328			mask_pat += mask_len;
12329			new_triggers.patterns[i].pattern = mask_pat;
12330			new_triggers.patterns[i].pattern_len = pat_len;
12331			memcpy(mask_pat,
12332			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
12333			       pat_len);
12334			i++;
12335		}
12336	}
12337
12338	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
12339		regular = true;
12340		err = nl80211_parse_wowlan_tcp(
12341			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
12342			&new_triggers);
12343		if (err)
12344			goto error;
12345	}
12346
12347	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
12348		regular = true;
12349		err = nl80211_parse_wowlan_nd(
12350			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
12351			&new_triggers);
12352		if (err)
12353			goto error;
12354	}
12355
12356	/* The 'any' trigger means the device continues operating more or less
12357	 * as in its normal operation mode and wakes up the host on most of the
12358	 * normal interrupts (like packet RX, ...)
12359	 * It therefore makes little sense to combine with the more constrained
12360	 * wakeup trigger modes.
12361	 */
12362	if (new_triggers.any && regular) {
12363		err = -EINVAL;
12364		goto error;
12365	}
12366
12367	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
12368	if (!ntrig) {
12369		err = -ENOMEM;
12370		goto error;
12371	}
12372	cfg80211_rdev_free_wowlan(rdev);
12373	rdev->wiphy.wowlan_config = ntrig;
12374
12375 set_wakeup:
12376	if (rdev->ops->set_wakeup &&
12377	    prev_enabled != !!rdev->wiphy.wowlan_config)
12378		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
12379
12380	return 0;
12381 error:
12382	for (i = 0; i < new_triggers.n_patterns; i++)
12383		kfree(new_triggers.patterns[i].mask);
12384	kfree(new_triggers.patterns);
12385	if (new_triggers.tcp && new_triggers.tcp->sock)
12386		sock_release(new_triggers.tcp->sock);
12387	kfree(new_triggers.tcp);
12388	kfree(new_triggers.nd_config);
12389	return err;
12390}
12391#endif
12392
12393static int nl80211_send_coalesce_rules(struct sk_buff *msg,
12394				       struct cfg80211_registered_device *rdev)
12395{
12396	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
12397	int i, j, pat_len;
12398	struct cfg80211_coalesce_rules *rule;
12399
12400	if (!rdev->coalesce->n_rules)
12401		return 0;
12402
12403	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
12404	if (!nl_rules)
12405		return -ENOBUFS;
12406
12407	for (i = 0; i < rdev->coalesce->n_rules; i++) {
12408		nl_rule = nla_nest_start_noflag(msg, i + 1);
12409		if (!nl_rule)
12410			return -ENOBUFS;
12411
12412		rule = &rdev->coalesce->rules[i];
12413		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
12414				rule->delay))
12415			return -ENOBUFS;
12416
12417		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
12418				rule->condition))
12419			return -ENOBUFS;
12420
12421		nl_pats = nla_nest_start_noflag(msg,
12422						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
12423		if (!nl_pats)
12424			return -ENOBUFS;
12425
12426		for (j = 0; j < rule->n_patterns; j++) {
12427			nl_pat = nla_nest_start_noflag(msg, j + 1);
12428			if (!nl_pat)
12429				return -ENOBUFS;
12430			pat_len = rule->patterns[j].pattern_len;
12431			if (nla_put(msg, NL80211_PKTPAT_MASK,
12432				    DIV_ROUND_UP(pat_len, 8),
12433				    rule->patterns[j].mask) ||
12434			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
12435				    rule->patterns[j].pattern) ||
12436			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
12437					rule->patterns[j].pkt_offset))
12438				return -ENOBUFS;
12439			nla_nest_end(msg, nl_pat);
12440		}
12441		nla_nest_end(msg, nl_pats);
12442		nla_nest_end(msg, nl_rule);
12443	}
12444	nla_nest_end(msg, nl_rules);
12445
12446	return 0;
12447}
12448
12449static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
12450{
12451	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12452	struct sk_buff *msg;
12453	void *hdr;
12454
12455	if (!rdev->wiphy.coalesce)
12456		return -EOPNOTSUPP;
12457
12458	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12459	if (!msg)
12460		return -ENOMEM;
12461
12462	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12463			     NL80211_CMD_GET_COALESCE);
12464	if (!hdr)
12465		goto nla_put_failure;
12466
12467	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
12468		goto nla_put_failure;
12469
12470	genlmsg_end(msg, hdr);
12471	return genlmsg_reply(msg, info);
12472
12473nla_put_failure:
12474	nlmsg_free(msg);
12475	return -ENOBUFS;
12476}
12477
12478void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
12479{
12480	struct cfg80211_coalesce *coalesce = rdev->coalesce;
12481	int i, j;
12482	struct cfg80211_coalesce_rules *rule;
12483
12484	if (!coalesce)
12485		return;
12486
12487	for (i = 0; i < coalesce->n_rules; i++) {
12488		rule = &coalesce->rules[i];
12489		for (j = 0; j < rule->n_patterns; j++)
12490			kfree(rule->patterns[j].mask);
12491		kfree(rule->patterns);
12492	}
12493	kfree(coalesce->rules);
12494	kfree(coalesce);
12495	rdev->coalesce = NULL;
12496}
12497
12498static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
12499				       struct nlattr *rule,
12500				       struct cfg80211_coalesce_rules *new_rule)
12501{
12502	int err, i;
12503	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
12504	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
12505	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
12506	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
12507
12508	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
12509					  rule, nl80211_coalesce_policy, NULL);
12510	if (err)
12511		return err;
12512
12513	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
12514		new_rule->delay =
12515			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
12516	if (new_rule->delay > coalesce->max_delay)
12517		return -EINVAL;
12518
12519	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
12520		new_rule->condition =
12521			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
12522
12523	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
12524		return -EINVAL;
12525
12526	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
12527			    rem)
12528		n_patterns++;
12529	if (n_patterns > coalesce->n_patterns)
12530		return -EINVAL;
12531
12532	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
12533				     GFP_KERNEL);
12534	if (!new_rule->patterns)
12535		return -ENOMEM;
12536
12537	new_rule->n_patterns = n_patterns;
12538	i = 0;
12539
12540	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
12541			    rem) {
12542		u8 *mask_pat;
12543
12544		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
12545						  pat,
12546						  nl80211_packet_pattern_policy,
12547						  NULL);
12548		if (err)
12549			return err;
12550
12551		if (!pat_tb[NL80211_PKTPAT_MASK] ||
12552		    !pat_tb[NL80211_PKTPAT_PATTERN])
12553			return -EINVAL;
12554		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
12555		mask_len = DIV_ROUND_UP(pat_len, 8);
12556		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
12557			return -EINVAL;
12558		if (pat_len > coalesce->pattern_max_len ||
12559		    pat_len < coalesce->pattern_min_len)
12560			return -EINVAL;
12561
12562		if (!pat_tb[NL80211_PKTPAT_OFFSET])
12563			pkt_offset = 0;
12564		else
12565			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
12566		if (pkt_offset > coalesce->max_pkt_offset)
12567			return -EINVAL;
12568		new_rule->patterns[i].pkt_offset = pkt_offset;
12569
12570		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
12571		if (!mask_pat)
12572			return -ENOMEM;
12573
12574		new_rule->patterns[i].mask = mask_pat;
12575		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
12576		       mask_len);
12577
12578		mask_pat += mask_len;
12579		new_rule->patterns[i].pattern = mask_pat;
12580		new_rule->patterns[i].pattern_len = pat_len;
12581		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
12582		       pat_len);
12583		i++;
12584	}
12585
12586	return 0;
12587}
12588
12589static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
12590{
12591	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12592	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
12593	struct cfg80211_coalesce new_coalesce = {};
12594	struct cfg80211_coalesce *n_coalesce;
12595	int err, rem_rule, n_rules = 0, i, j;
12596	struct nlattr *rule;
12597	struct cfg80211_coalesce_rules *tmp_rule;
12598
12599	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
12600		return -EOPNOTSUPP;
12601
12602	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
12603		cfg80211_rdev_free_coalesce(rdev);
12604		rdev_set_coalesce(rdev, NULL);
12605		return 0;
12606	}
12607
12608	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
12609			    rem_rule)
12610		n_rules++;
12611	if (n_rules > coalesce->n_rules)
12612		return -EINVAL;
12613
12614	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
12615				     GFP_KERNEL);
12616	if (!new_coalesce.rules)
12617		return -ENOMEM;
12618
12619	new_coalesce.n_rules = n_rules;
12620	i = 0;
12621
12622	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
12623			    rem_rule) {
12624		err = nl80211_parse_coalesce_rule(rdev, rule,
12625						  &new_coalesce.rules[i]);
12626		if (err)
12627			goto error;
12628
12629		i++;
12630	}
12631
12632	err = rdev_set_coalesce(rdev, &new_coalesce);
12633	if (err)
12634		goto error;
12635
12636	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
12637	if (!n_coalesce) {
12638		err = -ENOMEM;
12639		goto error;
12640	}
12641	cfg80211_rdev_free_coalesce(rdev);
12642	rdev->coalesce = n_coalesce;
12643
12644	return 0;
12645error:
12646	for (i = 0; i < new_coalesce.n_rules; i++) {
12647		tmp_rule = &new_coalesce.rules[i];
12648		if (!tmp_rule)
12649			continue;
12650		for (j = 0; j < tmp_rule->n_patterns; j++)
12651			kfree(tmp_rule->patterns[j].mask);
12652		kfree(tmp_rule->patterns);
12653	}
12654	kfree(new_coalesce.rules);
12655
12656	return err;
12657}
12658
12659static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
12660{
12661	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12662	struct net_device *dev = info->user_ptr[1];
12663	struct wireless_dev *wdev = dev->ieee80211_ptr;
12664	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
12665	struct cfg80211_gtk_rekey_data rekey_data = {};
12666	int err;
12667
12668	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
12669		return -EINVAL;
12670
12671	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
12672					  info->attrs[NL80211_ATTR_REKEY_DATA],
12673					  nl80211_rekey_policy, info->extack);
12674	if (err)
12675		return err;
12676
12677	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
12678	    !tb[NL80211_REKEY_DATA_KCK])
12679		return -EINVAL;
12680	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
12681	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
12682	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
12683		return -ERANGE;
12684	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
12685	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
12686	      nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN))
12687		return -ERANGE;
12688
12689	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
12690	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
12691	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
12692	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
12693	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
12694	if (tb[NL80211_REKEY_DATA_AKM])
12695		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
12696
12697	wdev_lock(wdev);
12698	if (!wdev->current_bss) {
12699		err = -ENOTCONN;
12700		goto out;
12701	}
12702
12703	if (!rdev->ops->set_rekey_data) {
12704		err = -EOPNOTSUPP;
12705		goto out;
12706	}
12707
12708	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
12709 out:
12710	wdev_unlock(wdev);
12711	return err;
12712}
12713
12714static int nl80211_register_unexpected_frame(struct sk_buff *skb,
12715					     struct genl_info *info)
12716{
12717	struct net_device *dev = info->user_ptr[1];
12718	struct wireless_dev *wdev = dev->ieee80211_ptr;
12719
12720	if (wdev->iftype != NL80211_IFTYPE_AP &&
12721	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
12722		return -EINVAL;
12723
12724	if (wdev->ap_unexpected_nlportid)
12725		return -EBUSY;
12726
12727	wdev->ap_unexpected_nlportid = info->snd_portid;
12728	return 0;
12729}
12730
12731static int nl80211_probe_client(struct sk_buff *skb,
12732				struct genl_info *info)
12733{
12734	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12735	struct net_device *dev = info->user_ptr[1];
12736	struct wireless_dev *wdev = dev->ieee80211_ptr;
12737	struct sk_buff *msg;
12738	void *hdr;
12739	const u8 *addr;
12740	u64 cookie;
12741	int err;
12742
12743	if (wdev->iftype != NL80211_IFTYPE_AP &&
12744	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
12745		return -EOPNOTSUPP;
12746
12747	if (!info->attrs[NL80211_ATTR_MAC])
12748		return -EINVAL;
12749
12750	if (!rdev->ops->probe_client)
12751		return -EOPNOTSUPP;
12752
12753	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12754	if (!msg)
12755		return -ENOMEM;
12756
12757	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12758			     NL80211_CMD_PROBE_CLIENT);
12759	if (!hdr) {
12760		err = -ENOBUFS;
12761		goto free_msg;
12762	}
12763
12764	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
12765
12766	err = rdev_probe_client(rdev, dev, addr, &cookie);
12767	if (err)
12768		goto free_msg;
12769
12770	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12771			      NL80211_ATTR_PAD))
12772		goto nla_put_failure;
12773
12774	genlmsg_end(msg, hdr);
12775
12776	return genlmsg_reply(msg, info);
12777
12778 nla_put_failure:
12779	err = -ENOBUFS;
12780 free_msg:
12781	nlmsg_free(msg);
12782	return err;
12783}
12784
12785static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
12786{
12787	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12788	struct cfg80211_beacon_registration *reg, *nreg;
12789	int rv;
12790
12791	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
12792		return -EOPNOTSUPP;
12793
12794	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
12795	if (!nreg)
12796		return -ENOMEM;
12797
12798	/* First, check if already registered. */
12799	spin_lock_bh(&rdev->beacon_registrations_lock);
12800	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
12801		if (reg->nlportid == info->snd_portid) {
12802			rv = -EALREADY;
12803			goto out_err;
12804		}
12805	}
12806	/* Add it to the list */
12807	nreg->nlportid = info->snd_portid;
12808	list_add(&nreg->list, &rdev->beacon_registrations);
12809
12810	spin_unlock_bh(&rdev->beacon_registrations_lock);
12811
12812	return 0;
12813out_err:
12814	spin_unlock_bh(&rdev->beacon_registrations_lock);
12815	kfree(nreg);
12816	return rv;
12817}
12818
12819static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
12820{
12821	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12822	struct wireless_dev *wdev = info->user_ptr[1];
12823	int err;
12824
12825	if (!rdev->ops->start_p2p_device)
12826		return -EOPNOTSUPP;
12827
12828	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
12829		return -EOPNOTSUPP;
12830
12831	if (wdev_running(wdev))
12832		return 0;
12833
12834	if (rfkill_blocked(rdev->rfkill))
12835		return -ERFKILL;
12836
12837	err = rdev_start_p2p_device(rdev, wdev);
12838	if (err)
12839		return err;
12840
12841	wdev->is_running = true;
12842	rdev->opencount++;
12843
12844	return 0;
12845}
12846
12847static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
12848{
12849	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12850	struct wireless_dev *wdev = info->user_ptr[1];
12851
12852	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
12853		return -EOPNOTSUPP;
12854
12855	if (!rdev->ops->stop_p2p_device)
12856		return -EOPNOTSUPP;
12857
12858	cfg80211_stop_p2p_device(rdev, wdev);
12859
12860	return 0;
12861}
12862
12863static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
12864{
12865	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12866	struct wireless_dev *wdev = info->user_ptr[1];
12867	struct cfg80211_nan_conf conf = {};
12868	int err;
12869
12870	if (wdev->iftype != NL80211_IFTYPE_NAN)
12871		return -EOPNOTSUPP;
12872
12873	if (wdev_running(wdev))
12874		return -EEXIST;
12875
12876	if (rfkill_blocked(rdev->rfkill))
12877		return -ERFKILL;
12878
12879	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
12880		return -EINVAL;
12881
12882	conf.master_pref =
12883		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
12884
12885	if (info->attrs[NL80211_ATTR_BANDS]) {
12886		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
12887
12888		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
12889			return -EOPNOTSUPP;
12890
12891		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
12892			return -EINVAL;
12893
12894		conf.bands = bands;
12895	}
12896
12897	err = rdev_start_nan(rdev, wdev, &conf);
12898	if (err)
12899		return err;
12900
12901	wdev->is_running = true;
12902	rdev->opencount++;
12903
12904	return 0;
12905}
12906
12907static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
12908{
12909	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12910	struct wireless_dev *wdev = info->user_ptr[1];
12911
12912	if (wdev->iftype != NL80211_IFTYPE_NAN)
12913		return -EOPNOTSUPP;
12914
12915	cfg80211_stop_nan(rdev, wdev);
12916
12917	return 0;
12918}
12919
12920static int validate_nan_filter(struct nlattr *filter_attr)
12921{
12922	struct nlattr *attr;
12923	int len = 0, n_entries = 0, rem;
12924
12925	nla_for_each_nested(attr, filter_attr, rem) {
12926		len += nla_len(attr);
12927		n_entries++;
12928	}
12929
12930	if (len >= U8_MAX)
12931		return -EINVAL;
12932
12933	return n_entries;
12934}
12935
12936static int handle_nan_filter(struct nlattr *attr_filter,
12937			     struct cfg80211_nan_func *func,
12938			     bool tx)
12939{
12940	struct nlattr *attr;
12941	int n_entries, rem, i;
12942	struct cfg80211_nan_func_filter *filter;
12943
12944	n_entries = validate_nan_filter(attr_filter);
12945	if (n_entries < 0)
12946		return n_entries;
12947
12948	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
12949
12950	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
12951	if (!filter)
12952		return -ENOMEM;
12953
12954	i = 0;
12955	nla_for_each_nested(attr, attr_filter, rem) {
12956		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
12957		if (!filter[i].filter)
12958			goto err;
12959
12960		filter[i].len = nla_len(attr);
12961		i++;
12962	}
12963	if (tx) {
12964		func->num_tx_filters = n_entries;
12965		func->tx_filters = filter;
12966	} else {
12967		func->num_rx_filters = n_entries;
12968		func->rx_filters = filter;
12969	}
12970
12971	return 0;
12972
12973err:
12974	i = 0;
12975	nla_for_each_nested(attr, attr_filter, rem) {
12976		kfree(filter[i].filter);
12977		i++;
12978	}
12979	kfree(filter);
12980	return -ENOMEM;
12981}
12982
12983static int nl80211_nan_add_func(struct sk_buff *skb,
12984				struct genl_info *info)
12985{
12986	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12987	struct wireless_dev *wdev = info->user_ptr[1];
12988	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
12989	struct cfg80211_nan_func *func;
12990	struct sk_buff *msg = NULL;
12991	void *hdr = NULL;
12992	int err = 0;
12993
12994	if (wdev->iftype != NL80211_IFTYPE_NAN)
12995		return -EOPNOTSUPP;
12996
12997	if (!wdev_running(wdev))
12998		return -ENOTCONN;
12999
13000	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
13001		return -EINVAL;
13002
13003	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
13004					  info->attrs[NL80211_ATTR_NAN_FUNC],
13005					  nl80211_nan_func_policy,
13006					  info->extack);
13007	if (err)
13008		return err;
13009
13010	func = kzalloc(sizeof(*func), GFP_KERNEL);
13011	if (!func)
13012		return -ENOMEM;
13013
13014	func->cookie = cfg80211_assign_cookie(rdev);
13015
13016	if (!tb[NL80211_NAN_FUNC_TYPE]) {
13017		err = -EINVAL;
13018		goto out;
13019	}
13020
13021
13022	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
13023
13024	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
13025		err = -EINVAL;
13026		goto out;
13027	}
13028
13029	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
13030	       sizeof(func->service_id));
13031
13032	func->close_range =
13033		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
13034
13035	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
13036		func->serv_spec_info_len =
13037			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
13038		func->serv_spec_info =
13039			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
13040				func->serv_spec_info_len,
13041				GFP_KERNEL);
13042		if (!func->serv_spec_info) {
13043			err = -ENOMEM;
13044			goto out;
13045		}
13046	}
13047
13048	if (tb[NL80211_NAN_FUNC_TTL])
13049		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
13050
13051	switch (func->type) {
13052	case NL80211_NAN_FUNC_PUBLISH:
13053		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
13054			err = -EINVAL;
13055			goto out;
13056		}
13057
13058		func->publish_type =
13059			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
13060		func->publish_bcast =
13061			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
13062
13063		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
13064			func->publish_bcast) {
13065			err = -EINVAL;
13066			goto out;
13067		}
13068		break;
13069	case NL80211_NAN_FUNC_SUBSCRIBE:
13070		func->subscribe_active =
13071			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
13072		break;
13073	case NL80211_NAN_FUNC_FOLLOW_UP:
13074		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
13075		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
13076		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
13077			err = -EINVAL;
13078			goto out;
13079		}
13080
13081		func->followup_id =
13082			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
13083		func->followup_reqid =
13084			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
13085		memcpy(func->followup_dest.addr,
13086		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
13087		       sizeof(func->followup_dest.addr));
13088		if (func->ttl) {
13089			err = -EINVAL;
13090			goto out;
13091		}
13092		break;
13093	default:
13094		err = -EINVAL;
13095		goto out;
13096	}
13097
13098	if (tb[NL80211_NAN_FUNC_SRF]) {
13099		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
13100
13101		err = nla_parse_nested_deprecated(srf_tb,
13102						  NL80211_NAN_SRF_ATTR_MAX,
13103						  tb[NL80211_NAN_FUNC_SRF],
13104						  nl80211_nan_srf_policy,
13105						  info->extack);
13106		if (err)
13107			goto out;
13108
13109		func->srf_include =
13110			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
13111
13112		if (srf_tb[NL80211_NAN_SRF_BF]) {
13113			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
13114			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
13115				err = -EINVAL;
13116				goto out;
13117			}
13118
13119			func->srf_bf_len =
13120				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
13121			func->srf_bf =
13122				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
13123					func->srf_bf_len, GFP_KERNEL);
13124			if (!func->srf_bf) {
13125				err = -ENOMEM;
13126				goto out;
13127			}
13128
13129			func->srf_bf_idx =
13130				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
13131		} else {
13132			struct nlattr *attr, *mac_attr =
13133				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
13134			int n_entries, rem, i = 0;
13135
13136			if (!mac_attr) {
13137				err = -EINVAL;
13138				goto out;
13139			}
13140
13141			n_entries = validate_acl_mac_addrs(mac_attr);
13142			if (n_entries <= 0) {
13143				err = -EINVAL;
13144				goto out;
13145			}
13146
13147			func->srf_num_macs = n_entries;
13148			func->srf_macs =
13149				kcalloc(n_entries, sizeof(*func->srf_macs),
13150					GFP_KERNEL);
13151			if (!func->srf_macs) {
13152				err = -ENOMEM;
13153				goto out;
13154			}
13155
13156			nla_for_each_nested(attr, mac_attr, rem)
13157				memcpy(func->srf_macs[i++].addr, nla_data(attr),
13158				       sizeof(*func->srf_macs));
13159		}
13160	}
13161
13162	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
13163		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
13164					func, true);
13165		if (err)
13166			goto out;
13167	}
13168
13169	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
13170		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
13171					func, false);
13172		if (err)
13173			goto out;
13174	}
13175
13176	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13177	if (!msg) {
13178		err = -ENOMEM;
13179		goto out;
13180	}
13181
13182	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13183			     NL80211_CMD_ADD_NAN_FUNCTION);
13184	/* This can't really happen - we just allocated 4KB */
13185	if (WARN_ON(!hdr)) {
13186		err = -ENOMEM;
13187		goto out;
13188	}
13189
13190	err = rdev_add_nan_func(rdev, wdev, func);
13191out:
13192	if (err < 0) {
13193		cfg80211_free_nan_func(func);
13194		nlmsg_free(msg);
13195		return err;
13196	}
13197
13198	/* propagate the instance id and cookie to userspace  */
13199	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
13200			      NL80211_ATTR_PAD))
13201		goto nla_put_failure;
13202
13203	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
13204	if (!func_attr)
13205		goto nla_put_failure;
13206
13207	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
13208		       func->instance_id))
13209		goto nla_put_failure;
13210
13211	nla_nest_end(msg, func_attr);
13212
13213	genlmsg_end(msg, hdr);
13214	return genlmsg_reply(msg, info);
13215
13216nla_put_failure:
13217	nlmsg_free(msg);
13218	return -ENOBUFS;
13219}
13220
13221static int nl80211_nan_del_func(struct sk_buff *skb,
13222			       struct genl_info *info)
13223{
13224	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13225	struct wireless_dev *wdev = info->user_ptr[1];
13226	u64 cookie;
13227
13228	if (wdev->iftype != NL80211_IFTYPE_NAN)
13229		return -EOPNOTSUPP;
13230
13231	if (!wdev_running(wdev))
13232		return -ENOTCONN;
13233
13234	if (!info->attrs[NL80211_ATTR_COOKIE])
13235		return -EINVAL;
13236
13237	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
13238
13239	rdev_del_nan_func(rdev, wdev, cookie);
13240
13241	return 0;
13242}
13243
13244static int nl80211_nan_change_config(struct sk_buff *skb,
13245				     struct genl_info *info)
13246{
13247	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13248	struct wireless_dev *wdev = info->user_ptr[1];
13249	struct cfg80211_nan_conf conf = {};
13250	u32 changed = 0;
13251
13252	if (wdev->iftype != NL80211_IFTYPE_NAN)
13253		return -EOPNOTSUPP;
13254
13255	if (!wdev_running(wdev))
13256		return -ENOTCONN;
13257
13258	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
13259		conf.master_pref =
13260			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
13261		if (conf.master_pref <= 1 || conf.master_pref == 255)
13262			return -EINVAL;
13263
13264		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
13265	}
13266
13267	if (info->attrs[NL80211_ATTR_BANDS]) {
13268		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
13269
13270		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
13271			return -EOPNOTSUPP;
13272
13273		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
13274			return -EINVAL;
13275
13276		conf.bands = bands;
13277		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
13278	}
13279
13280	if (!changed)
13281		return -EINVAL;
13282
13283	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
13284}
13285
13286void cfg80211_nan_match(struct wireless_dev *wdev,
13287			struct cfg80211_nan_match_params *match, gfp_t gfp)
13288{
13289	struct wiphy *wiphy = wdev->wiphy;
13290	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13291	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
13292	struct sk_buff *msg;
13293	void *hdr;
13294
13295	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
13296		return;
13297
13298	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13299	if (!msg)
13300		return;
13301
13302	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
13303	if (!hdr) {
13304		nlmsg_free(msg);
13305		return;
13306	}
13307
13308	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13309	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13310					 wdev->netdev->ifindex)) ||
13311	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13312			      NL80211_ATTR_PAD))
13313		goto nla_put_failure;
13314
13315	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
13316			      NL80211_ATTR_PAD) ||
13317	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
13318		goto nla_put_failure;
13319
13320	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
13321	if (!match_attr)
13322		goto nla_put_failure;
13323
13324	local_func_attr = nla_nest_start_noflag(msg,
13325						NL80211_NAN_MATCH_FUNC_LOCAL);
13326	if (!local_func_attr)
13327		goto nla_put_failure;
13328
13329	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
13330		goto nla_put_failure;
13331
13332	nla_nest_end(msg, local_func_attr);
13333
13334	peer_func_attr = nla_nest_start_noflag(msg,
13335					       NL80211_NAN_MATCH_FUNC_PEER);
13336	if (!peer_func_attr)
13337		goto nla_put_failure;
13338
13339	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
13340	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
13341		goto nla_put_failure;
13342
13343	if (match->info && match->info_len &&
13344	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
13345		    match->info))
13346		goto nla_put_failure;
13347
13348	nla_nest_end(msg, peer_func_attr);
13349	nla_nest_end(msg, match_attr);
13350	genlmsg_end(msg, hdr);
13351
13352	if (!wdev->owner_nlportid)
13353		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13354					msg, 0, NL80211_MCGRP_NAN, gfp);
13355	else
13356		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13357				wdev->owner_nlportid);
13358
13359	return;
13360
13361nla_put_failure:
13362	nlmsg_free(msg);
13363}
13364EXPORT_SYMBOL(cfg80211_nan_match);
13365
13366void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
13367				  u8 inst_id,
13368				  enum nl80211_nan_func_term_reason reason,
13369				  u64 cookie, gfp_t gfp)
13370{
13371	struct wiphy *wiphy = wdev->wiphy;
13372	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13373	struct sk_buff *msg;
13374	struct nlattr *func_attr;
13375	void *hdr;
13376
13377	if (WARN_ON(!inst_id))
13378		return;
13379
13380	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13381	if (!msg)
13382		return;
13383
13384	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
13385	if (!hdr) {
13386		nlmsg_free(msg);
13387		return;
13388	}
13389
13390	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13391	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13392					 wdev->netdev->ifindex)) ||
13393	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13394			      NL80211_ATTR_PAD))
13395		goto nla_put_failure;
13396
13397	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13398			      NL80211_ATTR_PAD))
13399		goto nla_put_failure;
13400
13401	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
13402	if (!func_attr)
13403		goto nla_put_failure;
13404
13405	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
13406	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
13407		goto nla_put_failure;
13408
13409	nla_nest_end(msg, func_attr);
13410	genlmsg_end(msg, hdr);
13411
13412	if (!wdev->owner_nlportid)
13413		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13414					msg, 0, NL80211_MCGRP_NAN, gfp);
13415	else
13416		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13417				wdev->owner_nlportid);
13418
13419	return;
13420
13421nla_put_failure:
13422	nlmsg_free(msg);
13423}
13424EXPORT_SYMBOL(cfg80211_nan_func_terminated);
13425
13426static int nl80211_get_protocol_features(struct sk_buff *skb,
13427					 struct genl_info *info)
13428{
13429	void *hdr;
13430	struct sk_buff *msg;
13431
13432	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13433	if (!msg)
13434		return -ENOMEM;
13435
13436	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13437			     NL80211_CMD_GET_PROTOCOL_FEATURES);
13438	if (!hdr)
13439		goto nla_put_failure;
13440
13441	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
13442			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
13443		goto nla_put_failure;
13444
13445	genlmsg_end(msg, hdr);
13446	return genlmsg_reply(msg, info);
13447
13448 nla_put_failure:
13449	kfree_skb(msg);
13450	return -ENOBUFS;
13451}
13452
13453static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
13454{
13455	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13456	struct cfg80211_update_ft_ies_params ft_params;
13457	struct net_device *dev = info->user_ptr[1];
13458
13459	if (!rdev->ops->update_ft_ies)
13460		return -EOPNOTSUPP;
13461
13462	if (!info->attrs[NL80211_ATTR_MDID] ||
13463	    !info->attrs[NL80211_ATTR_IE])
13464		return -EINVAL;
13465
13466	memset(&ft_params, 0, sizeof(ft_params));
13467	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
13468	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13469	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13470
13471	return rdev_update_ft_ies(rdev, dev, &ft_params);
13472}
13473
13474static int nl80211_crit_protocol_start(struct sk_buff *skb,
13475				       struct genl_info *info)
13476{
13477	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13478	struct wireless_dev *wdev = info->user_ptr[1];
13479	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
13480	u16 duration;
13481	int ret;
13482
13483	if (!rdev->ops->crit_proto_start)
13484		return -EOPNOTSUPP;
13485
13486	if (WARN_ON(!rdev->ops->crit_proto_stop))
13487		return -EINVAL;
13488
13489	if (rdev->crit_proto_nlportid)
13490		return -EBUSY;
13491
13492	/* determine protocol if provided */
13493	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
13494		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
13495
13496	if (proto >= NUM_NL80211_CRIT_PROTO)
13497		return -EINVAL;
13498
13499	/* timeout must be provided */
13500	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
13501		return -EINVAL;
13502
13503	duration =
13504		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
13505
13506	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
13507	if (!ret)
13508		rdev->crit_proto_nlportid = info->snd_portid;
13509
13510	return ret;
13511}
13512
13513static int nl80211_crit_protocol_stop(struct sk_buff *skb,
13514				      struct genl_info *info)
13515{
13516	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13517	struct wireless_dev *wdev = info->user_ptr[1];
13518
13519	if (!rdev->ops->crit_proto_stop)
13520		return -EOPNOTSUPP;
13521
13522	if (rdev->crit_proto_nlportid) {
13523		rdev->crit_proto_nlportid = 0;
13524		rdev_crit_proto_stop(rdev, wdev);
13525	}
13526	return 0;
13527}
13528
13529static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
13530				       struct nlattr *attr,
13531				       struct netlink_ext_ack *extack)
13532{
13533	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
13534		if (attr->nla_type & NLA_F_NESTED) {
13535			NL_SET_ERR_MSG_ATTR(extack, attr,
13536					    "unexpected nested data");
13537			return -EINVAL;
13538		}
13539
13540		return 0;
13541	}
13542
13543	if (!(attr->nla_type & NLA_F_NESTED)) {
13544		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
13545		return -EINVAL;
13546	}
13547
13548	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
13549}
13550
13551static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
13552{
13553	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13554	struct wireless_dev *wdev =
13555		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
13556	int i, err;
13557	u32 vid, subcmd;
13558
13559	if (!rdev->wiphy.vendor_commands)
13560		return -EOPNOTSUPP;
13561
13562	if (IS_ERR(wdev)) {
13563		err = PTR_ERR(wdev);
13564		if (err != -EINVAL)
13565			return err;
13566		wdev = NULL;
13567	} else if (wdev->wiphy != &rdev->wiphy) {
13568		return -EINVAL;
13569	}
13570
13571	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
13572	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
13573		return -EINVAL;
13574
13575	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
13576	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
13577	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
13578		const struct wiphy_vendor_command *vcmd;
13579		void *data = NULL;
13580		int len = 0;
13581
13582		vcmd = &rdev->wiphy.vendor_commands[i];
13583
13584		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
13585			continue;
13586
13587		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
13588				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
13589			if (!wdev)
13590				return -EINVAL;
13591			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
13592			    !wdev->netdev)
13593				return -EINVAL;
13594
13595			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
13596				if (!wdev_running(wdev))
13597					return -ENETDOWN;
13598			}
13599		} else {
13600			wdev = NULL;
13601		}
13602
13603		if (!vcmd->doit)
13604			return -EOPNOTSUPP;
13605
13606		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
13607			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
13608			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
13609
13610			err = nl80211_vendor_check_policy(vcmd,
13611					info->attrs[NL80211_ATTR_VENDOR_DATA],
13612					info->extack);
13613			if (err)
13614				return err;
13615		}
13616
13617		rdev->cur_cmd_info = info;
13618		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
13619		rdev->cur_cmd_info = NULL;
13620		return err;
13621	}
13622
13623	return -EOPNOTSUPP;
13624}
13625
13626static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
13627				       struct netlink_callback *cb,
13628				       struct cfg80211_registered_device **rdev,
13629				       struct wireless_dev **wdev)
13630{
13631	struct nlattr **attrbuf;
13632	u32 vid, subcmd;
13633	unsigned int i;
13634	int vcmd_idx = -1;
13635	int err;
13636	void *data = NULL;
13637	unsigned int data_len = 0;
13638
13639	if (cb->args[0]) {
13640		/* subtract the 1 again here */
13641		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
13642		struct wireless_dev *tmp;
13643
13644		if (!wiphy)
13645			return -ENODEV;
13646		*rdev = wiphy_to_rdev(wiphy);
13647		*wdev = NULL;
13648
13649		if (cb->args[1]) {
13650			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
13651				if (tmp->identifier == cb->args[1] - 1) {
13652					*wdev = tmp;
13653					break;
13654				}
13655			}
13656		}
13657
13658		/* keep rtnl locked in successful case */
13659		return 0;
13660	}
13661
13662	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
13663	if (!attrbuf)
13664		return -ENOMEM;
13665
13666	err = nlmsg_parse_deprecated(cb->nlh,
13667				     GENL_HDRLEN + nl80211_fam.hdrsize,
13668				     attrbuf, nl80211_fam.maxattr,
13669				     nl80211_policy, NULL);
13670	if (err)
13671		goto out;
13672
13673	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
13674	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
13675		err = -EINVAL;
13676		goto out;
13677	}
13678
13679	*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk), attrbuf);
13680	if (IS_ERR(*wdev))
13681		*wdev = NULL;
13682
13683	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
13684	if (IS_ERR(*rdev)) {
13685		err = PTR_ERR(*rdev);
13686		goto out;
13687	}
13688
13689	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
13690	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
13691
13692	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
13693		const struct wiphy_vendor_command *vcmd;
13694
13695		vcmd = &(*rdev)->wiphy.vendor_commands[i];
13696
13697		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
13698			continue;
13699
13700		if (!vcmd->dumpit) {
13701			err = -EOPNOTSUPP;
13702			goto out;
13703		}
13704
13705		vcmd_idx = i;
13706		break;
13707	}
13708
13709	if (vcmd_idx < 0) {
13710		err = -EOPNOTSUPP;
13711		goto out;
13712	}
13713
13714	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
13715		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
13716		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
13717
13718		err = nl80211_vendor_check_policy(
13719				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
13720				attrbuf[NL80211_ATTR_VENDOR_DATA],
13721				cb->extack);
13722		if (err)
13723			goto out;
13724	}
13725
13726	/* 0 is the first index - add 1 to parse only once */
13727	cb->args[0] = (*rdev)->wiphy_idx + 1;
13728	/* add 1 to know if it was NULL */
13729	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
13730	cb->args[2] = vcmd_idx;
13731	cb->args[3] = (unsigned long)data;
13732	cb->args[4] = data_len;
13733
13734	/* keep rtnl locked in successful case */
13735	err = 0;
13736out:
13737	kfree(attrbuf);
13738	return err;
13739}
13740
13741static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
13742				   struct netlink_callback *cb)
13743{
13744	struct cfg80211_registered_device *rdev;
13745	struct wireless_dev *wdev;
13746	unsigned int vcmd_idx;
13747	const struct wiphy_vendor_command *vcmd;
13748	void *data;
13749	int data_len;
13750	int err;
13751	struct nlattr *vendor_data;
13752
13753	rtnl_lock();
13754	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
13755	if (err)
13756		goto out;
13757
13758	vcmd_idx = cb->args[2];
13759	data = (void *)cb->args[3];
13760	data_len = cb->args[4];
13761	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
13762
13763	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
13764			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
13765		if (!wdev) {
13766			err = -EINVAL;
13767			goto out;
13768		}
13769		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
13770		    !wdev->netdev) {
13771			err = -EINVAL;
13772			goto out;
13773		}
13774
13775		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
13776			if (!wdev_running(wdev)) {
13777				err = -ENETDOWN;
13778				goto out;
13779			}
13780		}
13781	}
13782
13783	while (1) {
13784		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
13785					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
13786					   NL80211_CMD_VENDOR);
13787		if (!hdr)
13788			break;
13789
13790		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13791		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
13792					       wdev_id(wdev),
13793					       NL80211_ATTR_PAD))) {
13794			genlmsg_cancel(skb, hdr);
13795			break;
13796		}
13797
13798		vendor_data = nla_nest_start_noflag(skb,
13799						    NL80211_ATTR_VENDOR_DATA);
13800		if (!vendor_data) {
13801			genlmsg_cancel(skb, hdr);
13802			break;
13803		}
13804
13805		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
13806				   (unsigned long *)&cb->args[5]);
13807		nla_nest_end(skb, vendor_data);
13808
13809		if (err == -ENOBUFS || err == -ENOENT) {
13810			genlmsg_cancel(skb, hdr);
13811			break;
13812		} else if (err <= 0) {
13813			genlmsg_cancel(skb, hdr);
13814			goto out;
13815		}
13816
13817		genlmsg_end(skb, hdr);
13818	}
13819
13820	err = skb->len;
13821 out:
13822	rtnl_unlock();
13823	return err;
13824}
13825
13826struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
13827					   enum nl80211_commands cmd,
13828					   enum nl80211_attrs attr,
13829					   int approxlen)
13830{
13831	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13832
13833	if (WARN_ON(!rdev->cur_cmd_info))
13834		return NULL;
13835
13836	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
13837					   rdev->cur_cmd_info->snd_portid,
13838					   rdev->cur_cmd_info->snd_seq,
13839					   cmd, attr, NULL, GFP_KERNEL);
13840}
13841EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
13842
13843int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
13844{
13845	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
13846	void *hdr = ((void **)skb->cb)[1];
13847	struct nlattr *data = ((void **)skb->cb)[2];
13848
13849	/* clear CB data for netlink core to own from now on */
13850	memset(skb->cb, 0, sizeof(skb->cb));
13851
13852	if (WARN_ON(!rdev->cur_cmd_info)) {
13853		kfree_skb(skb);
13854		return -EINVAL;
13855	}
13856
13857	nla_nest_end(skb, data);
13858	genlmsg_end(skb, hdr);
13859	return genlmsg_reply(skb, rdev->cur_cmd_info);
13860}
13861EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
13862
13863unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
13864{
13865	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13866
13867	if (WARN_ON(!rdev->cur_cmd_info))
13868		return 0;
13869
13870	return rdev->cur_cmd_info->snd_portid;
13871}
13872EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
13873
13874static int nl80211_set_qos_map(struct sk_buff *skb,
13875			       struct genl_info *info)
13876{
13877	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13878	struct cfg80211_qos_map *qos_map = NULL;
13879	struct net_device *dev = info->user_ptr[1];
13880	u8 *pos, len, num_des, des_len, des;
13881	int ret;
13882
13883	if (!rdev->ops->set_qos_map)
13884		return -EOPNOTSUPP;
13885
13886	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
13887		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
13888		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
13889
13890		if (len % 2)
13891			return -EINVAL;
13892
13893		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
13894		if (!qos_map)
13895			return -ENOMEM;
13896
13897		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
13898		if (num_des) {
13899			des_len = num_des *
13900				sizeof(struct cfg80211_dscp_exception);
13901			memcpy(qos_map->dscp_exception, pos, des_len);
13902			qos_map->num_des = num_des;
13903			for (des = 0; des < num_des; des++) {
13904				if (qos_map->dscp_exception[des].up > 7) {
13905					kfree(qos_map);
13906					return -EINVAL;
13907				}
13908			}
13909			pos += des_len;
13910		}
13911		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
13912	}
13913
13914	wdev_lock(dev->ieee80211_ptr);
13915	ret = nl80211_key_allowed(dev->ieee80211_ptr);
13916	if (!ret)
13917		ret = rdev_set_qos_map(rdev, dev, qos_map);
13918	wdev_unlock(dev->ieee80211_ptr);
13919
13920	kfree(qos_map);
13921	return ret;
13922}
13923
13924static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
13925{
13926	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13927	struct net_device *dev = info->user_ptr[1];
13928	struct wireless_dev *wdev = dev->ieee80211_ptr;
13929	const u8 *peer;
13930	u8 tsid, up;
13931	u16 admitted_time = 0;
13932	int err;
13933
13934	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
13935		return -EOPNOTSUPP;
13936
13937	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
13938	    !info->attrs[NL80211_ATTR_USER_PRIO])
13939		return -EINVAL;
13940
13941	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
13942	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
13943
13944	/* WMM uses TIDs 0-7 even for TSPEC */
13945	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
13946		/* TODO: handle 802.11 TSPEC/admission control
13947		 * need more attributes for that (e.g. BA session requirement);
13948		 * change the WMM adminssion test above to allow both then
13949		 */
13950		return -EINVAL;
13951	}
13952
13953	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13954
13955	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
13956		admitted_time =
13957			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
13958		if (!admitted_time)
13959			return -EINVAL;
13960	}
13961
13962	wdev_lock(wdev);
13963	switch (wdev->iftype) {
13964	case NL80211_IFTYPE_STATION:
13965	case NL80211_IFTYPE_P2P_CLIENT:
13966		if (wdev->current_bss)
13967			break;
13968		err = -ENOTCONN;
13969		goto out;
13970	default:
13971		err = -EOPNOTSUPP;
13972		goto out;
13973	}
13974
13975	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
13976
13977 out:
13978	wdev_unlock(wdev);
13979	return err;
13980}
13981
13982static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
13983{
13984	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13985	struct net_device *dev = info->user_ptr[1];
13986	struct wireless_dev *wdev = dev->ieee80211_ptr;
13987	const u8 *peer;
13988	u8 tsid;
13989	int err;
13990
13991	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
13992		return -EINVAL;
13993
13994	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
13995	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13996
13997	wdev_lock(wdev);
13998	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
13999	wdev_unlock(wdev);
14000
14001	return err;
14002}
14003
14004static int nl80211_tdls_channel_switch(struct sk_buff *skb,
14005				       struct genl_info *info)
14006{
14007	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14008	struct net_device *dev = info->user_ptr[1];
14009	struct wireless_dev *wdev = dev->ieee80211_ptr;
14010	struct cfg80211_chan_def chandef = {};
14011	const u8 *addr;
14012	u8 oper_class;
14013	int err;
14014
14015	if (!rdev->ops->tdls_channel_switch ||
14016	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
14017		return -EOPNOTSUPP;
14018
14019	switch (dev->ieee80211_ptr->iftype) {
14020	case NL80211_IFTYPE_STATION:
14021	case NL80211_IFTYPE_P2P_CLIENT:
14022		break;
14023	default:
14024		return -EOPNOTSUPP;
14025	}
14026
14027	if (!info->attrs[NL80211_ATTR_MAC] ||
14028	    !info->attrs[NL80211_ATTR_OPER_CLASS])
14029		return -EINVAL;
14030
14031	err = nl80211_parse_chandef(rdev, info, &chandef);
14032	if (err)
14033		return err;
14034
14035	/*
14036	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
14037	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
14038	 * specification is not defined for them.
14039	 */
14040	if (chandef.chan->band == NL80211_BAND_2GHZ &&
14041	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
14042	    chandef.width != NL80211_CHAN_WIDTH_20)
14043		return -EINVAL;
14044
14045	/* we will be active on the TDLS link */
14046	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
14047					   wdev->iftype))
14048		return -EINVAL;
14049
14050	/* don't allow switching to DFS channels */
14051	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
14052		return -EINVAL;
14053
14054	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14055	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
14056
14057	wdev_lock(wdev);
14058	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
14059	wdev_unlock(wdev);
14060
14061	return err;
14062}
14063
14064static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
14065					      struct genl_info *info)
14066{
14067	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14068	struct net_device *dev = info->user_ptr[1];
14069	struct wireless_dev *wdev = dev->ieee80211_ptr;
14070	const u8 *addr;
14071
14072	if (!rdev->ops->tdls_channel_switch ||
14073	    !rdev->ops->tdls_cancel_channel_switch ||
14074	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
14075		return -EOPNOTSUPP;
14076
14077	switch (dev->ieee80211_ptr->iftype) {
14078	case NL80211_IFTYPE_STATION:
14079	case NL80211_IFTYPE_P2P_CLIENT:
14080		break;
14081	default:
14082		return -EOPNOTSUPP;
14083	}
14084
14085	if (!info->attrs[NL80211_ATTR_MAC])
14086		return -EINVAL;
14087
14088	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14089
14090	wdev_lock(wdev);
14091	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
14092	wdev_unlock(wdev);
14093
14094	return 0;
14095}
14096
14097static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
14098					    struct genl_info *info)
14099{
14100	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14101	struct net_device *dev = info->user_ptr[1];
14102	struct wireless_dev *wdev = dev->ieee80211_ptr;
14103	const struct nlattr *nla;
14104	bool enabled;
14105
14106	if (!rdev->ops->set_multicast_to_unicast)
14107		return -EOPNOTSUPP;
14108
14109	if (wdev->iftype != NL80211_IFTYPE_AP &&
14110	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14111		return -EOPNOTSUPP;
14112
14113	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
14114	enabled = nla_get_flag(nla);
14115
14116	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
14117}
14118
14119static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
14120{
14121	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14122	struct net_device *dev = info->user_ptr[1];
14123	struct wireless_dev *wdev = dev->ieee80211_ptr;
14124	struct cfg80211_pmk_conf pmk_conf = {};
14125	int ret;
14126
14127	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14128	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14129		return -EOPNOTSUPP;
14130
14131	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14132				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
14133		return -EOPNOTSUPP;
14134
14135	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
14136		return -EINVAL;
14137
14138	wdev_lock(wdev);
14139	if (!wdev->current_bss) {
14140		ret = -ENOTCONN;
14141		goto out;
14142	}
14143
14144	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
14145	if (memcmp(pmk_conf.aa, wdev->current_bss->pub.bssid, ETH_ALEN)) {
14146		ret = -EINVAL;
14147		goto out;
14148	}
14149
14150	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
14151	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
14152	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
14153	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
14154		ret = -EINVAL;
14155		goto out;
14156	}
14157
14158	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
14159		pmk_conf.pmk_r0_name =
14160			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
14161
14162	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
14163out:
14164	wdev_unlock(wdev);
14165	return ret;
14166}
14167
14168static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
14169{
14170	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14171	struct net_device *dev = info->user_ptr[1];
14172	struct wireless_dev *wdev = dev->ieee80211_ptr;
14173	const u8 *aa;
14174	int ret;
14175
14176	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14177	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14178		return -EOPNOTSUPP;
14179
14180	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14181				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
14182		return -EOPNOTSUPP;
14183
14184	if (!info->attrs[NL80211_ATTR_MAC])
14185		return -EINVAL;
14186
14187	wdev_lock(wdev);
14188	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
14189	ret = rdev_del_pmk(rdev, dev, aa);
14190	wdev_unlock(wdev);
14191
14192	return ret;
14193}
14194
14195static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
14196{
14197	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14198	struct net_device *dev = info->user_ptr[1];
14199	struct cfg80211_external_auth_params params;
14200
14201	if (!rdev->ops->external_auth)
14202		return -EOPNOTSUPP;
14203
14204	if (!info->attrs[NL80211_ATTR_SSID] &&
14205	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
14206	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
14207		return -EINVAL;
14208
14209	if (!info->attrs[NL80211_ATTR_BSSID])
14210		return -EINVAL;
14211
14212	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
14213		return -EINVAL;
14214
14215	memset(&params, 0, sizeof(params));
14216
14217	if (info->attrs[NL80211_ATTR_SSID]) {
14218		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
14219		if (params.ssid.ssid_len == 0)
14220			return -EINVAL;
14221		memcpy(params.ssid.ssid,
14222		       nla_data(info->attrs[NL80211_ATTR_SSID]),
14223		       params.ssid.ssid_len);
14224	}
14225
14226	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
14227	       ETH_ALEN);
14228
14229	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14230
14231	if (info->attrs[NL80211_ATTR_PMKID])
14232		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
14233
14234	return rdev_external_auth(rdev, dev, &params);
14235}
14236
14237static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
14238{
14239	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
14240	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14241	struct net_device *dev = info->user_ptr[1];
14242	struct wireless_dev *wdev = dev->ieee80211_ptr;
14243	const u8 *buf;
14244	size_t len;
14245	u8 *dest;
14246	u16 proto;
14247	bool noencrypt;
14248	u64 cookie = 0;
14249	int err;
14250
14251	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14252				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
14253		return -EOPNOTSUPP;
14254
14255	if (!rdev->ops->tx_control_port)
14256		return -EOPNOTSUPP;
14257
14258	if (!info->attrs[NL80211_ATTR_FRAME] ||
14259	    !info->attrs[NL80211_ATTR_MAC] ||
14260	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
14261		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
14262		return -EINVAL;
14263	}
14264
14265	wdev_lock(wdev);
14266
14267	switch (wdev->iftype) {
14268	case NL80211_IFTYPE_AP:
14269	case NL80211_IFTYPE_P2P_GO:
14270	case NL80211_IFTYPE_MESH_POINT:
14271		break;
14272	case NL80211_IFTYPE_ADHOC:
14273	case NL80211_IFTYPE_STATION:
14274	case NL80211_IFTYPE_P2P_CLIENT:
14275		if (wdev->current_bss)
14276			break;
14277		err = -ENOTCONN;
14278		goto out;
14279	default:
14280		err = -EOPNOTSUPP;
14281		goto out;
14282	}
14283
14284	wdev_unlock(wdev);
14285
14286	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14287	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14288	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14289	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
14290	noencrypt =
14291		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
14292
14293	err = rdev_tx_control_port(rdev, dev, buf, len,
14294				   dest, cpu_to_be16(proto), noencrypt,
14295				   dont_wait_for_ack ? NULL : &cookie);
14296	if (!err && !dont_wait_for_ack)
14297		nl_set_extack_cookie_u64(info->extack, cookie);
14298	return err;
14299 out:
14300	wdev_unlock(wdev);
14301	return err;
14302}
14303
14304static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
14305					   struct genl_info *info)
14306{
14307	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14308	struct net_device *dev = info->user_ptr[1];
14309	struct wireless_dev *wdev = dev->ieee80211_ptr;
14310	struct cfg80211_ftm_responder_stats ftm_stats = {};
14311	struct sk_buff *msg;
14312	void *hdr;
14313	struct nlattr *ftm_stats_attr;
14314	int err;
14315
14316	if (wdev->iftype != NL80211_IFTYPE_AP || !wdev->beacon_interval)
14317		return -EOPNOTSUPP;
14318
14319	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
14320	if (err)
14321		return err;
14322
14323	if (!ftm_stats.filled)
14324		return -ENODATA;
14325
14326	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14327	if (!msg)
14328		return -ENOMEM;
14329
14330	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14331			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
14332	if (!hdr)
14333		goto nla_put_failure;
14334
14335	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
14336		goto nla_put_failure;
14337
14338	ftm_stats_attr = nla_nest_start_noflag(msg,
14339					       NL80211_ATTR_FTM_RESPONDER_STATS);
14340	if (!ftm_stats_attr)
14341		goto nla_put_failure;
14342
14343#define SET_FTM(field, name, type)					 \
14344	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14345	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
14346			     ftm_stats.field))				 \
14347		goto nla_put_failure; } while (0)
14348#define SET_FTM_U64(field, name)					 \
14349	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14350	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
14351			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
14352		goto nla_put_failure; } while (0)
14353
14354	SET_FTM(success_num, SUCCESS_NUM, u32);
14355	SET_FTM(partial_num, PARTIAL_NUM, u32);
14356	SET_FTM(failed_num, FAILED_NUM, u32);
14357	SET_FTM(asap_num, ASAP_NUM, u32);
14358	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
14359	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
14360	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
14361	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
14362	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
14363#undef SET_FTM
14364
14365	nla_nest_end(msg, ftm_stats_attr);
14366
14367	genlmsg_end(msg, hdr);
14368	return genlmsg_reply(msg, info);
14369
14370nla_put_failure:
14371	nlmsg_free(msg);
14372	return -ENOBUFS;
14373}
14374
14375static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
14376{
14377	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14378	struct cfg80211_update_owe_info owe_info;
14379	struct net_device *dev = info->user_ptr[1];
14380
14381	if (!rdev->ops->update_owe_info)
14382		return -EOPNOTSUPP;
14383
14384	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
14385	    !info->attrs[NL80211_ATTR_MAC])
14386		return -EINVAL;
14387
14388	memset(&owe_info, 0, sizeof(owe_info));
14389	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14390	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
14391
14392	if (info->attrs[NL80211_ATTR_IE]) {
14393		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14394		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14395	}
14396
14397	return rdev_update_owe_info(rdev, dev, &owe_info);
14398}
14399
14400static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
14401{
14402	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14403	struct net_device *dev = info->user_ptr[1];
14404	struct wireless_dev *wdev = dev->ieee80211_ptr;
14405	struct station_info sinfo = {};
14406	const u8 *buf;
14407	size_t len;
14408	u8 *dest;
14409	int err;
14410
14411	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
14412		return -EOPNOTSUPP;
14413
14414	if (!info->attrs[NL80211_ATTR_MAC] ||
14415	    !info->attrs[NL80211_ATTR_FRAME]) {
14416		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
14417		return -EINVAL;
14418	}
14419
14420	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
14421		return -EOPNOTSUPP;
14422
14423	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14424	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14425	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14426
14427	if (len < sizeof(struct ethhdr))
14428		return -EINVAL;
14429
14430	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
14431	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
14432		return -EINVAL;
14433
14434	err = rdev_get_station(rdev, dev, dest, &sinfo);
14435	if (err)
14436		return err;
14437
14438	cfg80211_sinfo_release_content(&sinfo);
14439
14440	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
14441}
14442
14443static int parse_tid_conf(struct cfg80211_registered_device *rdev,
14444			  struct nlattr *attrs[], struct net_device *dev,
14445			  struct cfg80211_tid_cfg *tid_conf,
14446			  struct genl_info *info, const u8 *peer)
14447{
14448	struct netlink_ext_ack *extack = info->extack;
14449	u64 mask;
14450	int err;
14451
14452	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
14453		return -EINVAL;
14454
14455	tid_conf->config_override =
14456			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
14457	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
14458
14459	if (tid_conf->config_override) {
14460		if (rdev->ops->reset_tid_config) {
14461			err = rdev_reset_tid_config(rdev, dev, peer,
14462						    tid_conf->tids);
14463			if (err)
14464				return err;
14465		} else {
14466			return -EINVAL;
14467		}
14468	}
14469
14470	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
14471		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
14472		tid_conf->noack =
14473			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
14474	}
14475
14476	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
14477		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
14478		tid_conf->retry_short =
14479			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
14480
14481		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
14482			return -EINVAL;
14483	}
14484
14485	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
14486		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
14487		tid_conf->retry_long =
14488			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
14489
14490		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
14491			return -EINVAL;
14492	}
14493
14494	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
14495		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
14496		tid_conf->ampdu =
14497			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
14498	}
14499
14500	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
14501		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
14502		tid_conf->rtscts =
14503			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
14504	}
14505
14506	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
14507		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
14508		tid_conf->amsdu =
14509			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
14510	}
14511
14512	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
14513		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
14514
14515		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
14516
14517		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
14518			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
14519			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
14520						    &tid_conf->txrate_mask, dev);
14521			if (err)
14522				return err;
14523
14524			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
14525		}
14526		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
14527	}
14528
14529	if (peer)
14530		mask = rdev->wiphy.tid_config_support.peer;
14531	else
14532		mask = rdev->wiphy.tid_config_support.vif;
14533
14534	if (tid_conf->mask & ~mask) {
14535		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
14536		return -ENOTSUPP;
14537	}
14538
14539	return 0;
14540}
14541
14542static int nl80211_set_tid_config(struct sk_buff *skb,
14543				  struct genl_info *info)
14544{
14545	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14546	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
14547	struct net_device *dev = info->user_ptr[1];
14548	struct cfg80211_tid_config *tid_config;
14549	struct nlattr *tid;
14550	int conf_idx = 0, rem_conf;
14551	int ret = -EINVAL;
14552	u32 num_conf = 0;
14553
14554	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
14555		return -EINVAL;
14556
14557	if (!rdev->ops->set_tid_config)
14558		return -EOPNOTSUPP;
14559
14560	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
14561			    rem_conf)
14562		num_conf++;
14563
14564	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
14565			     GFP_KERNEL);
14566	if (!tid_config)
14567		return -ENOMEM;
14568
14569	tid_config->n_tid_conf = num_conf;
14570
14571	if (info->attrs[NL80211_ATTR_MAC])
14572		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14573
14574	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
14575			    rem_conf) {
14576		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
14577				       tid, NULL, NULL);
14578
14579		if (ret)
14580			goto bad_tid_conf;
14581
14582		ret = parse_tid_conf(rdev, attrs, dev,
14583				     &tid_config->tid_conf[conf_idx],
14584				     info, tid_config->peer);
14585		if (ret)
14586			goto bad_tid_conf;
14587
14588		conf_idx++;
14589	}
14590
14591	ret = rdev_set_tid_config(rdev, dev, tid_config);
14592
14593bad_tid_conf:
14594	kfree(tid_config);
14595	return ret;
14596}
14597
14598#define NL80211_FLAG_NEED_WIPHY		0x01
14599#define NL80211_FLAG_NEED_NETDEV	0x02
14600#define NL80211_FLAG_NEED_RTNL		0x04
14601#define NL80211_FLAG_CHECK_NETDEV_UP	0x08
14602#define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
14603					 NL80211_FLAG_CHECK_NETDEV_UP)
14604#define NL80211_FLAG_NEED_WDEV		0x10
14605/* If a netdev is associated, it must be UP, P2P must be started */
14606#define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
14607					 NL80211_FLAG_CHECK_NETDEV_UP)
14608#define NL80211_FLAG_CLEAR_SKB		0x20
14609
14610static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
14611			    struct genl_info *info)
14612{
14613	struct cfg80211_registered_device *rdev;
14614	struct wireless_dev *wdev;
14615	struct net_device *dev;
14616	bool rtnl = ops->internal_flags & NL80211_FLAG_NEED_RTNL;
14617
14618	if (rtnl)
14619		rtnl_lock();
14620
14621	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
14622		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
14623		if (IS_ERR(rdev)) {
14624			if (rtnl)
14625				rtnl_unlock();
14626			return PTR_ERR(rdev);
14627		}
14628		info->user_ptr[0] = rdev;
14629	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
14630		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
14631		ASSERT_RTNL();
14632
14633		wdev = __cfg80211_wdev_from_attrs(genl_info_net(info),
14634						  info->attrs);
14635		if (IS_ERR(wdev)) {
14636			if (rtnl)
14637				rtnl_unlock();
14638			return PTR_ERR(wdev);
14639		}
14640
14641		dev = wdev->netdev;
14642		rdev = wiphy_to_rdev(wdev->wiphy);
14643
14644		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
14645			if (!dev) {
14646				if (rtnl)
14647					rtnl_unlock();
14648				return -EINVAL;
14649			}
14650
14651			info->user_ptr[1] = dev;
14652		} else {
14653			info->user_ptr[1] = wdev;
14654		}
14655
14656		if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
14657		    !wdev_running(wdev)) {
14658			if (rtnl)
14659				rtnl_unlock();
14660			return -ENETDOWN;
14661		}
14662
14663		if (dev)
14664			dev_hold(dev);
14665
14666		info->user_ptr[0] = rdev;
14667	}
14668
14669	return 0;
14670}
14671
14672static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
14673			      struct genl_info *info)
14674{
14675	if (info->user_ptr[1]) {
14676		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
14677			struct wireless_dev *wdev = info->user_ptr[1];
14678
14679			if (wdev->netdev)
14680				dev_put(wdev->netdev);
14681		} else {
14682			dev_put(info->user_ptr[1]);
14683		}
14684	}
14685
14686	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
14687		rtnl_unlock();
14688
14689	/* If needed, clear the netlink message payload from the SKB
14690	 * as it might contain key data that shouldn't stick around on
14691	 * the heap after the SKB is freed. The netlink message header
14692	 * is still needed for further processing, so leave it intact.
14693	 */
14694	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
14695		struct nlmsghdr *nlh = nlmsg_hdr(skb);
14696
14697		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
14698	}
14699}
14700
14701static const struct genl_ops nl80211_ops[] = {
14702	{
14703		.cmd = NL80211_CMD_GET_WIPHY,
14704		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14705		.doit = nl80211_get_wiphy,
14706		.dumpit = nl80211_dump_wiphy,
14707		.done = nl80211_dump_wiphy_done,
14708		/* can be retrieved by unprivileged users */
14709		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14710				  NL80211_FLAG_NEED_RTNL,
14711	},
14712};
14713
14714static const struct genl_small_ops nl80211_small_ops[] = {
14715	{
14716		.cmd = NL80211_CMD_SET_WIPHY,
14717		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14718		.doit = nl80211_set_wiphy,
14719		.flags = GENL_UNS_ADMIN_PERM,
14720		.internal_flags = NL80211_FLAG_NEED_RTNL,
14721	},
14722	{
14723		.cmd = NL80211_CMD_GET_INTERFACE,
14724		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14725		.doit = nl80211_get_interface,
14726		.dumpit = nl80211_dump_interface,
14727		/* can be retrieved by unprivileged users */
14728		.internal_flags = NL80211_FLAG_NEED_WDEV |
14729				  NL80211_FLAG_NEED_RTNL,
14730	},
14731	{
14732		.cmd = NL80211_CMD_SET_INTERFACE,
14733		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14734		.doit = nl80211_set_interface,
14735		.flags = GENL_UNS_ADMIN_PERM,
14736		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14737				  NL80211_FLAG_NEED_RTNL,
14738	},
14739	{
14740		.cmd = NL80211_CMD_NEW_INTERFACE,
14741		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14742		.doit = nl80211_new_interface,
14743		.flags = GENL_UNS_ADMIN_PERM,
14744		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14745				  NL80211_FLAG_NEED_RTNL,
14746	},
14747	{
14748		.cmd = NL80211_CMD_DEL_INTERFACE,
14749		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14750		.doit = nl80211_del_interface,
14751		.flags = GENL_UNS_ADMIN_PERM,
14752		.internal_flags = NL80211_FLAG_NEED_WDEV |
14753				  NL80211_FLAG_NEED_RTNL,
14754	},
14755	{
14756		.cmd = NL80211_CMD_GET_KEY,
14757		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14758		.doit = nl80211_get_key,
14759		.flags = GENL_UNS_ADMIN_PERM,
14760		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14761				  NL80211_FLAG_NEED_RTNL,
14762	},
14763	{
14764		.cmd = NL80211_CMD_SET_KEY,
14765		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14766		.doit = nl80211_set_key,
14767		.flags = GENL_UNS_ADMIN_PERM,
14768		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14769				  NL80211_FLAG_NEED_RTNL |
14770				  NL80211_FLAG_CLEAR_SKB,
14771	},
14772	{
14773		.cmd = NL80211_CMD_NEW_KEY,
14774		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14775		.doit = nl80211_new_key,
14776		.flags = GENL_UNS_ADMIN_PERM,
14777		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14778				  NL80211_FLAG_NEED_RTNL |
14779				  NL80211_FLAG_CLEAR_SKB,
14780	},
14781	{
14782		.cmd = NL80211_CMD_DEL_KEY,
14783		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14784		.doit = nl80211_del_key,
14785		.flags = GENL_UNS_ADMIN_PERM,
14786		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14787				  NL80211_FLAG_NEED_RTNL,
14788	},
14789	{
14790		.cmd = NL80211_CMD_SET_BEACON,
14791		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14792		.flags = GENL_UNS_ADMIN_PERM,
14793		.doit = nl80211_set_beacon,
14794		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14795				  NL80211_FLAG_NEED_RTNL,
14796	},
14797	{
14798		.cmd = NL80211_CMD_START_AP,
14799		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14800		.flags = GENL_UNS_ADMIN_PERM,
14801		.doit = nl80211_start_ap,
14802		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14803				  NL80211_FLAG_NEED_RTNL,
14804	},
14805	{
14806		.cmd = NL80211_CMD_STOP_AP,
14807		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14808		.flags = GENL_UNS_ADMIN_PERM,
14809		.doit = nl80211_stop_ap,
14810		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14811				  NL80211_FLAG_NEED_RTNL,
14812	},
14813	{
14814		.cmd = NL80211_CMD_GET_STATION,
14815		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14816		.doit = nl80211_get_station,
14817		.dumpit = nl80211_dump_station,
14818		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14819				  NL80211_FLAG_NEED_RTNL,
14820	},
14821	{
14822		.cmd = NL80211_CMD_SET_STATION,
14823		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14824		.doit = nl80211_set_station,
14825		.flags = GENL_UNS_ADMIN_PERM,
14826		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14827				  NL80211_FLAG_NEED_RTNL,
14828	},
14829	{
14830		.cmd = NL80211_CMD_NEW_STATION,
14831		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14832		.doit = nl80211_new_station,
14833		.flags = GENL_UNS_ADMIN_PERM,
14834		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14835				  NL80211_FLAG_NEED_RTNL,
14836	},
14837	{
14838		.cmd = NL80211_CMD_DEL_STATION,
14839		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14840		.doit = nl80211_del_station,
14841		.flags = GENL_UNS_ADMIN_PERM,
14842		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14843				  NL80211_FLAG_NEED_RTNL,
14844	},
14845	{
14846		.cmd = NL80211_CMD_GET_MPATH,
14847		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14848		.doit = nl80211_get_mpath,
14849		.dumpit = nl80211_dump_mpath,
14850		.flags = GENL_UNS_ADMIN_PERM,
14851		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14852				  NL80211_FLAG_NEED_RTNL,
14853	},
14854	{
14855		.cmd = NL80211_CMD_GET_MPP,
14856		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14857		.doit = nl80211_get_mpp,
14858		.dumpit = nl80211_dump_mpp,
14859		.flags = GENL_UNS_ADMIN_PERM,
14860		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14861				  NL80211_FLAG_NEED_RTNL,
14862	},
14863	{
14864		.cmd = NL80211_CMD_SET_MPATH,
14865		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14866		.doit = nl80211_set_mpath,
14867		.flags = GENL_UNS_ADMIN_PERM,
14868		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14869				  NL80211_FLAG_NEED_RTNL,
14870	},
14871	{
14872		.cmd = NL80211_CMD_NEW_MPATH,
14873		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14874		.doit = nl80211_new_mpath,
14875		.flags = GENL_UNS_ADMIN_PERM,
14876		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14877				  NL80211_FLAG_NEED_RTNL,
14878	},
14879	{
14880		.cmd = NL80211_CMD_DEL_MPATH,
14881		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14882		.doit = nl80211_del_mpath,
14883		.flags = GENL_UNS_ADMIN_PERM,
14884		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14885				  NL80211_FLAG_NEED_RTNL,
14886	},
14887	{
14888		.cmd = NL80211_CMD_SET_BSS,
14889		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14890		.doit = nl80211_set_bss,
14891		.flags = GENL_UNS_ADMIN_PERM,
14892		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14893				  NL80211_FLAG_NEED_RTNL,
14894	},
14895	{
14896		.cmd = NL80211_CMD_GET_REG,
14897		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14898		.doit = nl80211_get_reg_do,
14899		.dumpit = nl80211_get_reg_dump,
14900		.internal_flags = NL80211_FLAG_NEED_RTNL,
14901		/* can be retrieved by unprivileged users */
14902	},
14903#ifdef CONFIG_CFG80211_CRDA_SUPPORT
14904	{
14905		.cmd = NL80211_CMD_SET_REG,
14906		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14907		.doit = nl80211_set_reg,
14908		.flags = GENL_ADMIN_PERM,
14909		.internal_flags = NL80211_FLAG_NEED_RTNL,
14910	},
14911#endif
14912	{
14913		.cmd = NL80211_CMD_REQ_SET_REG,
14914		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14915		.doit = nl80211_req_set_reg,
14916		.flags = GENL_ADMIN_PERM,
14917	},
14918	{
14919		.cmd = NL80211_CMD_RELOAD_REGDB,
14920		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14921		.doit = nl80211_reload_regdb,
14922		.flags = GENL_ADMIN_PERM,
14923	},
14924	{
14925		.cmd = NL80211_CMD_GET_MESH_CONFIG,
14926		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14927		.doit = nl80211_get_mesh_config,
14928		/* can be retrieved by unprivileged users */
14929		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14930				  NL80211_FLAG_NEED_RTNL,
14931	},
14932	{
14933		.cmd = NL80211_CMD_SET_MESH_CONFIG,
14934		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14935		.doit = nl80211_update_mesh_config,
14936		.flags = GENL_UNS_ADMIN_PERM,
14937		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14938				  NL80211_FLAG_NEED_RTNL,
14939	},
14940	{
14941		.cmd = NL80211_CMD_TRIGGER_SCAN,
14942		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14943		.doit = nl80211_trigger_scan,
14944		.flags = GENL_UNS_ADMIN_PERM,
14945		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14946				  NL80211_FLAG_NEED_RTNL,
14947	},
14948	{
14949		.cmd = NL80211_CMD_ABORT_SCAN,
14950		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14951		.doit = nl80211_abort_scan,
14952		.flags = GENL_UNS_ADMIN_PERM,
14953		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14954				  NL80211_FLAG_NEED_RTNL,
14955	},
14956	{
14957		.cmd = NL80211_CMD_GET_SCAN,
14958		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14959		.dumpit = nl80211_dump_scan,
14960	},
14961	{
14962		.cmd = NL80211_CMD_START_SCHED_SCAN,
14963		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14964		.doit = nl80211_start_sched_scan,
14965		.flags = GENL_UNS_ADMIN_PERM,
14966		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14967				  NL80211_FLAG_NEED_RTNL,
14968	},
14969	{
14970		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
14971		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14972		.doit = nl80211_stop_sched_scan,
14973		.flags = GENL_UNS_ADMIN_PERM,
14974		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14975				  NL80211_FLAG_NEED_RTNL,
14976	},
14977	{
14978		.cmd = NL80211_CMD_AUTHENTICATE,
14979		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14980		.doit = nl80211_authenticate,
14981		.flags = GENL_UNS_ADMIN_PERM,
14982		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14983				  NL80211_FLAG_NEED_RTNL |
14984				  NL80211_FLAG_CLEAR_SKB,
14985	},
14986	{
14987		.cmd = NL80211_CMD_ASSOCIATE,
14988		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14989		.doit = nl80211_associate,
14990		.flags = GENL_UNS_ADMIN_PERM,
14991		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14992				  NL80211_FLAG_NEED_RTNL |
14993				  NL80211_FLAG_CLEAR_SKB,
14994	},
14995	{
14996		.cmd = NL80211_CMD_DEAUTHENTICATE,
14997		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14998		.doit = nl80211_deauthenticate,
14999		.flags = GENL_UNS_ADMIN_PERM,
15000		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15001				  NL80211_FLAG_NEED_RTNL,
15002	},
15003	{
15004		.cmd = NL80211_CMD_DISASSOCIATE,
15005		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15006		.doit = nl80211_disassociate,
15007		.flags = GENL_UNS_ADMIN_PERM,
15008		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15009				  NL80211_FLAG_NEED_RTNL,
15010	},
15011	{
15012		.cmd = NL80211_CMD_JOIN_IBSS,
15013		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15014		.doit = nl80211_join_ibss,
15015		.flags = GENL_UNS_ADMIN_PERM,
15016		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15017				  NL80211_FLAG_NEED_RTNL,
15018	},
15019	{
15020		.cmd = NL80211_CMD_LEAVE_IBSS,
15021		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15022		.doit = nl80211_leave_ibss,
15023		.flags = GENL_UNS_ADMIN_PERM,
15024		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15025				  NL80211_FLAG_NEED_RTNL,
15026	},
15027#ifdef CONFIG_NL80211_TESTMODE
15028	{
15029		.cmd = NL80211_CMD_TESTMODE,
15030		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15031		.doit = nl80211_testmode_do,
15032		.dumpit = nl80211_testmode_dump,
15033		.flags = GENL_UNS_ADMIN_PERM,
15034		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15035				  NL80211_FLAG_NEED_RTNL,
15036	},
15037#endif
15038	{
15039		.cmd = NL80211_CMD_CONNECT,
15040		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15041		.doit = nl80211_connect,
15042		.flags = GENL_UNS_ADMIN_PERM,
15043		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15044				  NL80211_FLAG_NEED_RTNL |
15045				  NL80211_FLAG_CLEAR_SKB,
15046	},
15047	{
15048		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
15049		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15050		.doit = nl80211_update_connect_params,
15051		.flags = GENL_ADMIN_PERM,
15052		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15053				  NL80211_FLAG_NEED_RTNL |
15054				  NL80211_FLAG_CLEAR_SKB,
15055	},
15056	{
15057		.cmd = NL80211_CMD_DISCONNECT,
15058		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15059		.doit = nl80211_disconnect,
15060		.flags = GENL_UNS_ADMIN_PERM,
15061		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15062				  NL80211_FLAG_NEED_RTNL,
15063	},
15064	{
15065		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
15066		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15067		.doit = nl80211_wiphy_netns,
15068		.flags = GENL_UNS_ADMIN_PERM,
15069		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15070				  NL80211_FLAG_NEED_RTNL,
15071	},
15072	{
15073		.cmd = NL80211_CMD_GET_SURVEY,
15074		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15075		.dumpit = nl80211_dump_survey,
15076	},
15077	{
15078		.cmd = NL80211_CMD_SET_PMKSA,
15079		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15080		.doit = nl80211_setdel_pmksa,
15081		.flags = GENL_UNS_ADMIN_PERM,
15082		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15083				  NL80211_FLAG_NEED_RTNL |
15084				  NL80211_FLAG_CLEAR_SKB,
15085	},
15086	{
15087		.cmd = NL80211_CMD_DEL_PMKSA,
15088		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15089		.doit = nl80211_setdel_pmksa,
15090		.flags = GENL_UNS_ADMIN_PERM,
15091		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15092				  NL80211_FLAG_NEED_RTNL,
15093	},
15094	{
15095		.cmd = NL80211_CMD_FLUSH_PMKSA,
15096		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15097		.doit = nl80211_flush_pmksa,
15098		.flags = GENL_UNS_ADMIN_PERM,
15099		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15100				  NL80211_FLAG_NEED_RTNL,
15101	},
15102	{
15103		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
15104		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15105		.doit = nl80211_remain_on_channel,
15106		.flags = GENL_UNS_ADMIN_PERM,
15107		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15108				  NL80211_FLAG_NEED_RTNL,
15109	},
15110	{
15111		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
15112		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15113		.doit = nl80211_cancel_remain_on_channel,
15114		.flags = GENL_UNS_ADMIN_PERM,
15115		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15116				  NL80211_FLAG_NEED_RTNL,
15117	},
15118	{
15119		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
15120		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15121		.doit = nl80211_set_tx_bitrate_mask,
15122		.flags = GENL_UNS_ADMIN_PERM,
15123		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15124				  NL80211_FLAG_NEED_RTNL,
15125	},
15126	{
15127		.cmd = NL80211_CMD_REGISTER_FRAME,
15128		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15129		.doit = nl80211_register_mgmt,
15130		.flags = GENL_UNS_ADMIN_PERM,
15131		.internal_flags = NL80211_FLAG_NEED_WDEV |
15132				  NL80211_FLAG_NEED_RTNL,
15133	},
15134	{
15135		.cmd = NL80211_CMD_FRAME,
15136		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15137		.doit = nl80211_tx_mgmt,
15138		.flags = GENL_UNS_ADMIN_PERM,
15139		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15140				  NL80211_FLAG_NEED_RTNL,
15141	},
15142	{
15143		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
15144		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15145		.doit = nl80211_tx_mgmt_cancel_wait,
15146		.flags = GENL_UNS_ADMIN_PERM,
15147		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15148				  NL80211_FLAG_NEED_RTNL,
15149	},
15150	{
15151		.cmd = NL80211_CMD_SET_POWER_SAVE,
15152		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15153		.doit = nl80211_set_power_save,
15154		.flags = GENL_UNS_ADMIN_PERM,
15155		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15156				  NL80211_FLAG_NEED_RTNL,
15157	},
15158	{
15159		.cmd = NL80211_CMD_GET_POWER_SAVE,
15160		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15161		.doit = nl80211_get_power_save,
15162		/* can be retrieved by unprivileged users */
15163		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15164				  NL80211_FLAG_NEED_RTNL,
15165	},
15166	{
15167		.cmd = NL80211_CMD_SET_CQM,
15168		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15169		.doit = nl80211_set_cqm,
15170		.flags = GENL_UNS_ADMIN_PERM,
15171		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15172				  NL80211_FLAG_NEED_RTNL,
15173	},
15174	{
15175		.cmd = NL80211_CMD_SET_CHANNEL,
15176		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15177		.doit = nl80211_set_channel,
15178		.flags = GENL_UNS_ADMIN_PERM,
15179		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15180				  NL80211_FLAG_NEED_RTNL,
15181	},
15182	{
15183		.cmd = NL80211_CMD_SET_WDS_PEER,
15184		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15185		.doit = nl80211_set_wds_peer,
15186		.flags = GENL_UNS_ADMIN_PERM,
15187		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15188				  NL80211_FLAG_NEED_RTNL,
15189	},
15190	{
15191		.cmd = NL80211_CMD_JOIN_MESH,
15192		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15193		.doit = nl80211_join_mesh,
15194		.flags = GENL_UNS_ADMIN_PERM,
15195		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15196				  NL80211_FLAG_NEED_RTNL,
15197	},
15198	{
15199		.cmd = NL80211_CMD_LEAVE_MESH,
15200		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15201		.doit = nl80211_leave_mesh,
15202		.flags = GENL_UNS_ADMIN_PERM,
15203		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15204				  NL80211_FLAG_NEED_RTNL,
15205	},
15206	{
15207		.cmd = NL80211_CMD_JOIN_OCB,
15208		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15209		.doit = nl80211_join_ocb,
15210		.flags = GENL_UNS_ADMIN_PERM,
15211		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15212				  NL80211_FLAG_NEED_RTNL,
15213	},
15214	{
15215		.cmd = NL80211_CMD_LEAVE_OCB,
15216		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15217		.doit = nl80211_leave_ocb,
15218		.flags = GENL_UNS_ADMIN_PERM,
15219		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15220				  NL80211_FLAG_NEED_RTNL,
15221	},
15222#ifdef CONFIG_PM
15223	{
15224		.cmd = NL80211_CMD_GET_WOWLAN,
15225		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15226		.doit = nl80211_get_wowlan,
15227		/* can be retrieved by unprivileged users */
15228		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15229				  NL80211_FLAG_NEED_RTNL,
15230	},
15231	{
15232		.cmd = NL80211_CMD_SET_WOWLAN,
15233		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15234		.doit = nl80211_set_wowlan,
15235		.flags = GENL_UNS_ADMIN_PERM,
15236		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15237				  NL80211_FLAG_NEED_RTNL,
15238	},
15239#endif
15240	{
15241		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
15242		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15243		.doit = nl80211_set_rekey_data,
15244		.flags = GENL_UNS_ADMIN_PERM,
15245		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15246				  NL80211_FLAG_NEED_RTNL |
15247				  NL80211_FLAG_CLEAR_SKB,
15248	},
15249	{
15250		.cmd = NL80211_CMD_TDLS_MGMT,
15251		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15252		.doit = nl80211_tdls_mgmt,
15253		.flags = GENL_UNS_ADMIN_PERM,
15254		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15255				  NL80211_FLAG_NEED_RTNL,
15256	},
15257	{
15258		.cmd = NL80211_CMD_TDLS_OPER,
15259		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15260		.doit = nl80211_tdls_oper,
15261		.flags = GENL_UNS_ADMIN_PERM,
15262		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15263				  NL80211_FLAG_NEED_RTNL,
15264	},
15265	{
15266		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
15267		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15268		.doit = nl80211_register_unexpected_frame,
15269		.flags = GENL_UNS_ADMIN_PERM,
15270		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15271				  NL80211_FLAG_NEED_RTNL,
15272	},
15273	{
15274		.cmd = NL80211_CMD_PROBE_CLIENT,
15275		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15276		.doit = nl80211_probe_client,
15277		.flags = GENL_UNS_ADMIN_PERM,
15278		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15279				  NL80211_FLAG_NEED_RTNL,
15280	},
15281	{
15282		.cmd = NL80211_CMD_REGISTER_BEACONS,
15283		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15284		.doit = nl80211_register_beacons,
15285		.flags = GENL_UNS_ADMIN_PERM,
15286		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15287				  NL80211_FLAG_NEED_RTNL,
15288	},
15289	{
15290		.cmd = NL80211_CMD_SET_NOACK_MAP,
15291		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15292		.doit = nl80211_set_noack_map,
15293		.flags = GENL_UNS_ADMIN_PERM,
15294		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15295				  NL80211_FLAG_NEED_RTNL,
15296	},
15297	{
15298		.cmd = NL80211_CMD_START_P2P_DEVICE,
15299		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15300		.doit = nl80211_start_p2p_device,
15301		.flags = GENL_UNS_ADMIN_PERM,
15302		.internal_flags = NL80211_FLAG_NEED_WDEV |
15303				  NL80211_FLAG_NEED_RTNL,
15304	},
15305	{
15306		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
15307		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15308		.doit = nl80211_stop_p2p_device,
15309		.flags = GENL_UNS_ADMIN_PERM,
15310		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15311				  NL80211_FLAG_NEED_RTNL,
15312	},
15313	{
15314		.cmd = NL80211_CMD_START_NAN,
15315		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15316		.doit = nl80211_start_nan,
15317		.flags = GENL_ADMIN_PERM,
15318		.internal_flags = NL80211_FLAG_NEED_WDEV |
15319				  NL80211_FLAG_NEED_RTNL,
15320	},
15321	{
15322		.cmd = NL80211_CMD_STOP_NAN,
15323		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15324		.doit = nl80211_stop_nan,
15325		.flags = GENL_ADMIN_PERM,
15326		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15327				  NL80211_FLAG_NEED_RTNL,
15328	},
15329	{
15330		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
15331		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15332		.doit = nl80211_nan_add_func,
15333		.flags = GENL_ADMIN_PERM,
15334		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15335				  NL80211_FLAG_NEED_RTNL,
15336	},
15337	{
15338		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
15339		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15340		.doit = nl80211_nan_del_func,
15341		.flags = GENL_ADMIN_PERM,
15342		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15343				  NL80211_FLAG_NEED_RTNL,
15344	},
15345	{
15346		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
15347		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15348		.doit = nl80211_nan_change_config,
15349		.flags = GENL_ADMIN_PERM,
15350		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15351				  NL80211_FLAG_NEED_RTNL,
15352	},
15353	{
15354		.cmd = NL80211_CMD_SET_MCAST_RATE,
15355		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15356		.doit = nl80211_set_mcast_rate,
15357		.flags = GENL_UNS_ADMIN_PERM,
15358		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15359				  NL80211_FLAG_NEED_RTNL,
15360	},
15361	{
15362		.cmd = NL80211_CMD_SET_MAC_ACL,
15363		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15364		.doit = nl80211_set_mac_acl,
15365		.flags = GENL_UNS_ADMIN_PERM,
15366		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15367				  NL80211_FLAG_NEED_RTNL,
15368	},
15369	{
15370		.cmd = NL80211_CMD_RADAR_DETECT,
15371		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15372		.doit = nl80211_start_radar_detection,
15373		.flags = GENL_UNS_ADMIN_PERM,
15374		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15375				  NL80211_FLAG_NEED_RTNL,
15376	},
15377	{
15378		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
15379		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15380		.doit = nl80211_get_protocol_features,
15381	},
15382	{
15383		.cmd = NL80211_CMD_UPDATE_FT_IES,
15384		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15385		.doit = nl80211_update_ft_ies,
15386		.flags = GENL_UNS_ADMIN_PERM,
15387		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15388				  NL80211_FLAG_NEED_RTNL,
15389	},
15390	{
15391		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
15392		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15393		.doit = nl80211_crit_protocol_start,
15394		.flags = GENL_UNS_ADMIN_PERM,
15395		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15396				  NL80211_FLAG_NEED_RTNL,
15397	},
15398	{
15399		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
15400		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15401		.doit = nl80211_crit_protocol_stop,
15402		.flags = GENL_UNS_ADMIN_PERM,
15403		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15404				  NL80211_FLAG_NEED_RTNL,
15405	},
15406	{
15407		.cmd = NL80211_CMD_GET_COALESCE,
15408		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15409		.doit = nl80211_get_coalesce,
15410		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15411				  NL80211_FLAG_NEED_RTNL,
15412	},
15413	{
15414		.cmd = NL80211_CMD_SET_COALESCE,
15415		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15416		.doit = nl80211_set_coalesce,
15417		.flags = GENL_UNS_ADMIN_PERM,
15418		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15419				  NL80211_FLAG_NEED_RTNL,
15420	},
15421	{
15422		.cmd = NL80211_CMD_CHANNEL_SWITCH,
15423		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15424		.doit = nl80211_channel_switch,
15425		.flags = GENL_UNS_ADMIN_PERM,
15426		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15427				  NL80211_FLAG_NEED_RTNL,
15428	},
15429	{
15430		.cmd = NL80211_CMD_VENDOR,
15431		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15432		.doit = nl80211_vendor_cmd,
15433		.dumpit = nl80211_vendor_cmd_dump,
15434		.flags = GENL_UNS_ADMIN_PERM,
15435		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15436				  NL80211_FLAG_NEED_RTNL |
15437				  NL80211_FLAG_CLEAR_SKB,
15438	},
15439	{
15440		.cmd = NL80211_CMD_SET_QOS_MAP,
15441		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15442		.doit = nl80211_set_qos_map,
15443		.flags = GENL_UNS_ADMIN_PERM,
15444		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15445				  NL80211_FLAG_NEED_RTNL,
15446	},
15447	{
15448		.cmd = NL80211_CMD_ADD_TX_TS,
15449		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15450		.doit = nl80211_add_tx_ts,
15451		.flags = GENL_UNS_ADMIN_PERM,
15452		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15453				  NL80211_FLAG_NEED_RTNL,
15454	},
15455	{
15456		.cmd = NL80211_CMD_DEL_TX_TS,
15457		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15458		.doit = nl80211_del_tx_ts,
15459		.flags = GENL_UNS_ADMIN_PERM,
15460		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15461				  NL80211_FLAG_NEED_RTNL,
15462	},
15463	{
15464		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
15465		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15466		.doit = nl80211_tdls_channel_switch,
15467		.flags = GENL_UNS_ADMIN_PERM,
15468		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15469				  NL80211_FLAG_NEED_RTNL,
15470	},
15471	{
15472		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
15473		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15474		.doit = nl80211_tdls_cancel_channel_switch,
15475		.flags = GENL_UNS_ADMIN_PERM,
15476		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15477				  NL80211_FLAG_NEED_RTNL,
15478	},
15479	{
15480		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
15481		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15482		.doit = nl80211_set_multicast_to_unicast,
15483		.flags = GENL_UNS_ADMIN_PERM,
15484		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15485				  NL80211_FLAG_NEED_RTNL,
15486	},
15487	{
15488		.cmd = NL80211_CMD_SET_PMK,
15489		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15490		.doit = nl80211_set_pmk,
15491		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15492				  NL80211_FLAG_NEED_RTNL |
15493				  NL80211_FLAG_CLEAR_SKB,
15494	},
15495	{
15496		.cmd = NL80211_CMD_DEL_PMK,
15497		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15498		.doit = nl80211_del_pmk,
15499		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15500				  NL80211_FLAG_NEED_RTNL,
15501	},
15502	{
15503		.cmd = NL80211_CMD_EXTERNAL_AUTH,
15504		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15505		.doit = nl80211_external_auth,
15506		.flags = GENL_ADMIN_PERM,
15507		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15508				  NL80211_FLAG_NEED_RTNL,
15509	},
15510	{
15511		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
15512		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15513		.doit = nl80211_tx_control_port,
15514		.flags = GENL_UNS_ADMIN_PERM,
15515		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15516				  NL80211_FLAG_NEED_RTNL,
15517	},
15518	{
15519		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
15520		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15521		.doit = nl80211_get_ftm_responder_stats,
15522		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15523				  NL80211_FLAG_NEED_RTNL,
15524	},
15525	{
15526		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
15527		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15528		.doit = nl80211_pmsr_start,
15529		.flags = GENL_UNS_ADMIN_PERM,
15530		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15531				  NL80211_FLAG_NEED_RTNL,
15532	},
15533	{
15534		.cmd = NL80211_CMD_NOTIFY_RADAR,
15535		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15536		.doit = nl80211_notify_radar_detection,
15537		.flags = GENL_UNS_ADMIN_PERM,
15538		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15539				  NL80211_FLAG_NEED_RTNL,
15540	},
15541	{
15542		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
15543		.doit = nl80211_update_owe_info,
15544		.flags = GENL_ADMIN_PERM,
15545		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15546				  NL80211_FLAG_NEED_RTNL,
15547	},
15548	{
15549		.cmd = NL80211_CMD_PROBE_MESH_LINK,
15550		.doit = nl80211_probe_mesh_link,
15551		.flags = GENL_UNS_ADMIN_PERM,
15552		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15553				  NL80211_FLAG_NEED_RTNL,
15554	},
15555	{
15556		.cmd = NL80211_CMD_SET_TID_CONFIG,
15557		.doit = nl80211_set_tid_config,
15558		.flags = GENL_UNS_ADMIN_PERM,
15559		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15560				  NL80211_FLAG_NEED_RTNL,
15561	},
15562};
15563
15564static struct genl_family nl80211_fam __ro_after_init = {
15565	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
15566	.hdrsize = 0,			/* no private header */
15567	.version = 1,			/* no particular meaning now */
15568	.maxattr = NL80211_ATTR_MAX,
15569	.policy = nl80211_policy,
15570	.netnsok = true,
15571	.pre_doit = nl80211_pre_doit,
15572	.post_doit = nl80211_post_doit,
15573	.module = THIS_MODULE,
15574	.ops = nl80211_ops,
15575	.n_ops = ARRAY_SIZE(nl80211_ops),
15576	.small_ops = nl80211_small_ops,
15577	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
15578	.mcgrps = nl80211_mcgrps,
15579	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
15580	.parallel_ops = true,
15581};
15582
15583/* notification functions */
15584
15585void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
15586			  enum nl80211_commands cmd)
15587{
15588	struct sk_buff *msg;
15589	struct nl80211_dump_wiphy_state state = {};
15590
15591	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
15592		cmd != NL80211_CMD_DEL_WIPHY);
15593
15594	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15595	if (!msg)
15596		return;
15597
15598	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
15599		nlmsg_free(msg);
15600		return;
15601	}
15602
15603	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15604				NL80211_MCGRP_CONFIG, GFP_KERNEL);
15605}
15606
15607void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
15608				struct wireless_dev *wdev,
15609				enum nl80211_commands cmd)
15610{
15611	struct sk_buff *msg;
15612
15613	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15614	if (!msg)
15615		return;
15616
15617	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
15618		nlmsg_free(msg);
15619		return;
15620	}
15621
15622	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15623				NL80211_MCGRP_CONFIG, GFP_KERNEL);
15624}
15625
15626static int nl80211_add_scan_req(struct sk_buff *msg,
15627				struct cfg80211_registered_device *rdev)
15628{
15629	struct cfg80211_scan_request *req = rdev->scan_req;
15630	struct nlattr *nest;
15631	int i;
15632	struct cfg80211_scan_info *info;
15633
15634	if (WARN_ON(!req))
15635		return 0;
15636
15637	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
15638	if (!nest)
15639		goto nla_put_failure;
15640	for (i = 0; i < req->n_ssids; i++) {
15641		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
15642			goto nla_put_failure;
15643	}
15644	nla_nest_end(msg, nest);
15645
15646	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
15647		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
15648		if (!nest)
15649			goto nla_put_failure;
15650		for (i = 0; i < req->n_channels; i++) {
15651			if (nla_put_u32(msg, i,
15652				   ieee80211_channel_to_khz(req->channels[i])))
15653				goto nla_put_failure;
15654		}
15655		nla_nest_end(msg, nest);
15656	} else {
15657		nest = nla_nest_start_noflag(msg,
15658					     NL80211_ATTR_SCAN_FREQUENCIES);
15659		if (!nest)
15660			goto nla_put_failure;
15661		for (i = 0; i < req->n_channels; i++) {
15662			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
15663				goto nla_put_failure;
15664		}
15665		nla_nest_end(msg, nest);
15666	}
15667
15668	if (req->ie &&
15669	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
15670		goto nla_put_failure;
15671
15672	if (req->flags &&
15673	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
15674		goto nla_put_failure;
15675
15676	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
15677		&rdev->scan_req->info;
15678	if (info->scan_start_tsf &&
15679	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
15680			       info->scan_start_tsf, NL80211_BSS_PAD) ||
15681	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
15682		     info->tsf_bssid)))
15683		goto nla_put_failure;
15684
15685	return 0;
15686 nla_put_failure:
15687	return -ENOBUFS;
15688}
15689
15690static int nl80211_prep_scan_msg(struct sk_buff *msg,
15691				 struct cfg80211_registered_device *rdev,
15692				 struct wireless_dev *wdev,
15693				 u32 portid, u32 seq, int flags,
15694				 u32 cmd)
15695{
15696	void *hdr;
15697
15698	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
15699	if (!hdr)
15700		return -1;
15701
15702	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15703	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15704					 wdev->netdev->ifindex)) ||
15705	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15706			      NL80211_ATTR_PAD))
15707		goto nla_put_failure;
15708
15709	/* ignore errors and send incomplete event anyway */
15710	nl80211_add_scan_req(msg, rdev);
15711
15712	genlmsg_end(msg, hdr);
15713	return 0;
15714
15715 nla_put_failure:
15716	genlmsg_cancel(msg, hdr);
15717	return -EMSGSIZE;
15718}
15719
15720static int
15721nl80211_prep_sched_scan_msg(struct sk_buff *msg,
15722			    struct cfg80211_sched_scan_request *req, u32 cmd)
15723{
15724	void *hdr;
15725
15726	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15727	if (!hdr)
15728		return -1;
15729
15730	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
15731			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
15732	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
15733	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
15734			      NL80211_ATTR_PAD))
15735		goto nla_put_failure;
15736
15737	genlmsg_end(msg, hdr);
15738	return 0;
15739
15740 nla_put_failure:
15741	genlmsg_cancel(msg, hdr);
15742	return -EMSGSIZE;
15743}
15744
15745void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
15746			     struct wireless_dev *wdev)
15747{
15748	struct sk_buff *msg;
15749
15750	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15751	if (!msg)
15752		return;
15753
15754	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
15755				  NL80211_CMD_TRIGGER_SCAN) < 0) {
15756		nlmsg_free(msg);
15757		return;
15758	}
15759
15760	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15761				NL80211_MCGRP_SCAN, GFP_KERNEL);
15762}
15763
15764struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
15765				       struct wireless_dev *wdev, bool aborted)
15766{
15767	struct sk_buff *msg;
15768
15769	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15770	if (!msg)
15771		return NULL;
15772
15773	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
15774				  aborted ? NL80211_CMD_SCAN_ABORTED :
15775					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
15776		nlmsg_free(msg);
15777		return NULL;
15778	}
15779
15780	return msg;
15781}
15782
15783/* send message created by nl80211_build_scan_msg() */
15784void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
15785			   struct sk_buff *msg)
15786{
15787	if (!msg)
15788		return;
15789
15790	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15791				NL80211_MCGRP_SCAN, GFP_KERNEL);
15792}
15793
15794void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
15795{
15796	struct sk_buff *msg;
15797
15798	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15799	if (!msg)
15800		return;
15801
15802	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
15803		nlmsg_free(msg);
15804		return;
15805	}
15806
15807	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
15808				NL80211_MCGRP_SCAN, GFP_KERNEL);
15809}
15810
15811static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
15812					  struct regulatory_request *request)
15813{
15814	/* Userspace can always count this one always being set */
15815	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
15816		goto nla_put_failure;
15817
15818	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
15819		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
15820			       NL80211_REGDOM_TYPE_WORLD))
15821			goto nla_put_failure;
15822	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
15823		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
15824			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
15825			goto nla_put_failure;
15826	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
15827		   request->intersect) {
15828		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
15829			       NL80211_REGDOM_TYPE_INTERSECTION))
15830			goto nla_put_failure;
15831	} else {
15832		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
15833			       NL80211_REGDOM_TYPE_COUNTRY) ||
15834		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
15835				   request->alpha2))
15836			goto nla_put_failure;
15837	}
15838
15839	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
15840		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
15841
15842		if (wiphy &&
15843		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
15844			goto nla_put_failure;
15845
15846		if (wiphy &&
15847		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
15848		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
15849			goto nla_put_failure;
15850	}
15851
15852	return true;
15853
15854nla_put_failure:
15855	return false;
15856}
15857
15858/*
15859 * This can happen on global regulatory changes or device specific settings
15860 * based on custom regulatory domains.
15861 */
15862void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
15863				     struct regulatory_request *request)
15864{
15865	struct sk_buff *msg;
15866	void *hdr;
15867
15868	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15869	if (!msg)
15870		return;
15871
15872	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
15873	if (!hdr)
15874		goto nla_put_failure;
15875
15876	if (!nl80211_reg_change_event_fill(msg, request))
15877		goto nla_put_failure;
15878
15879	genlmsg_end(msg, hdr);
15880
15881	rcu_read_lock();
15882	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
15883				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
15884	rcu_read_unlock();
15885
15886	return;
15887
15888nla_put_failure:
15889	nlmsg_free(msg);
15890}
15891
15892static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
15893				    struct net_device *netdev,
15894				    const u8 *buf, size_t len,
15895				    enum nl80211_commands cmd, gfp_t gfp,
15896				    int uapsd_queues, const u8 *req_ies,
15897				    size_t req_ies_len)
15898{
15899	struct sk_buff *msg;
15900	void *hdr;
15901
15902	msg = nlmsg_new(100 + len + req_ies_len, gfp);
15903	if (!msg)
15904		return;
15905
15906	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15907	if (!hdr) {
15908		nlmsg_free(msg);
15909		return;
15910	}
15911
15912	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15913	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15914	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
15915	    (req_ies &&
15916	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
15917		goto nla_put_failure;
15918
15919	if (uapsd_queues >= 0) {
15920		struct nlattr *nla_wmm =
15921			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
15922		if (!nla_wmm)
15923			goto nla_put_failure;
15924
15925		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
15926			       uapsd_queues))
15927			goto nla_put_failure;
15928
15929		nla_nest_end(msg, nla_wmm);
15930	}
15931
15932	genlmsg_end(msg, hdr);
15933
15934	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15935				NL80211_MCGRP_MLME, gfp);
15936	return;
15937
15938 nla_put_failure:
15939	nlmsg_free(msg);
15940}
15941
15942void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
15943			  struct net_device *netdev, const u8 *buf,
15944			  size_t len, gfp_t gfp)
15945{
15946	nl80211_send_mlme_event(rdev, netdev, buf, len,
15947				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0);
15948}
15949
15950void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
15951			   struct net_device *netdev, const u8 *buf,
15952			   size_t len, gfp_t gfp, int uapsd_queues,
15953			   const u8 *req_ies, size_t req_ies_len)
15954{
15955	nl80211_send_mlme_event(rdev, netdev, buf, len,
15956				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues,
15957				req_ies, req_ies_len);
15958}
15959
15960void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
15961			 struct net_device *netdev, const u8 *buf,
15962			 size_t len, gfp_t gfp)
15963{
15964	nl80211_send_mlme_event(rdev, netdev, buf, len,
15965				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0);
15966}
15967
15968void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
15969			   struct net_device *netdev, const u8 *buf,
15970			   size_t len, gfp_t gfp)
15971{
15972	nl80211_send_mlme_event(rdev, netdev, buf, len,
15973				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0);
15974}
15975
15976void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
15977				  size_t len)
15978{
15979	struct wireless_dev *wdev = dev->ieee80211_ptr;
15980	struct wiphy *wiphy = wdev->wiphy;
15981	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15982	const struct ieee80211_mgmt *mgmt = (void *)buf;
15983	u32 cmd;
15984
15985	if (WARN_ON(len < 2))
15986		return;
15987
15988	if (ieee80211_is_deauth(mgmt->frame_control)) {
15989		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
15990	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
15991		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
15992	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
15993		if (wdev->unprot_beacon_reported &&
15994		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
15995			return;
15996		cmd = NL80211_CMD_UNPROT_BEACON;
15997		wdev->unprot_beacon_reported = jiffies;
15998	} else {
15999		return;
16000	}
16001
16002	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
16003	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
16004				NULL, 0);
16005}
16006EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
16007
16008static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
16009				      struct net_device *netdev, int cmd,
16010				      const u8 *addr, gfp_t gfp)
16011{
16012	struct sk_buff *msg;
16013	void *hdr;
16014
16015	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16016	if (!msg)
16017		return;
16018
16019	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16020	if (!hdr) {
16021		nlmsg_free(msg);
16022		return;
16023	}
16024
16025	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16026	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16027	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
16028	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
16029		goto nla_put_failure;
16030
16031	genlmsg_end(msg, hdr);
16032
16033	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16034				NL80211_MCGRP_MLME, gfp);
16035	return;
16036
16037 nla_put_failure:
16038	nlmsg_free(msg);
16039}
16040
16041void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
16042			       struct net_device *netdev, const u8 *addr,
16043			       gfp_t gfp)
16044{
16045	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
16046				  addr, gfp);
16047}
16048
16049void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
16050				struct net_device *netdev, const u8 *addr,
16051				gfp_t gfp)
16052{
16053	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
16054				  addr, gfp);
16055}
16056
16057void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
16058				 struct net_device *netdev,
16059				 struct cfg80211_connect_resp_params *cr,
16060				 gfp_t gfp)
16061{
16062	struct sk_buff *msg;
16063	void *hdr;
16064
16065	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
16066			cr->fils.kek_len + cr->fils.pmk_len +
16067			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
16068	if (!msg)
16069		return;
16070
16071	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
16072	if (!hdr) {
16073		nlmsg_free(msg);
16074		return;
16075	}
16076
16077	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16078	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16079	    (cr->bssid &&
16080	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cr->bssid)) ||
16081	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
16082			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
16083			cr->status) ||
16084	    (cr->status < 0 &&
16085	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
16086	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
16087			  cr->timeout_reason))) ||
16088	    (cr->req_ie &&
16089	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
16090	    (cr->resp_ie &&
16091	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
16092		     cr->resp_ie)) ||
16093	    (cr->fils.update_erp_next_seq_num &&
16094	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
16095			 cr->fils.erp_next_seq_num)) ||
16096	    (cr->status == WLAN_STATUS_SUCCESS &&
16097	     ((cr->fils.kek &&
16098	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
16099		       cr->fils.kek)) ||
16100	      (cr->fils.pmk &&
16101	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
16102	      (cr->fils.pmkid &&
16103	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
16104		goto nla_put_failure;
16105
16106	genlmsg_end(msg, hdr);
16107
16108	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16109				NL80211_MCGRP_MLME, gfp);
16110	return;
16111
16112 nla_put_failure:
16113	nlmsg_free(msg);
16114}
16115
16116void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
16117			 struct net_device *netdev,
16118			 struct cfg80211_roam_info *info, gfp_t gfp)
16119{
16120	struct sk_buff *msg;
16121	void *hdr;
16122	const u8 *bssid = info->bss ? info->bss->bssid : info->bssid;
16123
16124	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
16125			info->fils.kek_len + info->fils.pmk_len +
16126			(info->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
16127	if (!msg)
16128		return;
16129
16130	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
16131	if (!hdr) {
16132		nlmsg_free(msg);
16133		return;
16134	}
16135
16136	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16137	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16138	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
16139	    (info->req_ie &&
16140	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
16141		     info->req_ie)) ||
16142	    (info->resp_ie &&
16143	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
16144		     info->resp_ie)) ||
16145	    (info->fils.update_erp_next_seq_num &&
16146	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
16147			 info->fils.erp_next_seq_num)) ||
16148	    (info->fils.kek &&
16149	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
16150		     info->fils.kek)) ||
16151	    (info->fils.pmk &&
16152	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
16153	    (info->fils.pmkid &&
16154	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
16155		goto nla_put_failure;
16156
16157	genlmsg_end(msg, hdr);
16158
16159	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16160				NL80211_MCGRP_MLME, gfp);
16161	return;
16162
16163 nla_put_failure:
16164	nlmsg_free(msg);
16165}
16166
16167void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
16168				  struct net_device *netdev, const u8 *bssid)
16169{
16170	struct sk_buff *msg;
16171	void *hdr;
16172
16173	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16174	if (!msg)
16175		return;
16176
16177	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
16178	if (!hdr) {
16179		nlmsg_free(msg);
16180		return;
16181	}
16182
16183	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16184	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16185	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16186		goto nla_put_failure;
16187
16188	genlmsg_end(msg, hdr);
16189
16190	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16191				NL80211_MCGRP_MLME, GFP_KERNEL);
16192	return;
16193
16194 nla_put_failure:
16195	nlmsg_free(msg);
16196}
16197
16198void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
16199			       struct net_device *netdev, u16 reason,
16200			       const u8 *ie, size_t ie_len, bool from_ap)
16201{
16202	struct sk_buff *msg;
16203	void *hdr;
16204
16205	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
16206	if (!msg)
16207		return;
16208
16209	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
16210	if (!hdr) {
16211		nlmsg_free(msg);
16212		return;
16213	}
16214
16215	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16216	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16217	    (reason &&
16218	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
16219	    (from_ap &&
16220	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
16221	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
16222		goto nla_put_failure;
16223
16224	genlmsg_end(msg, hdr);
16225
16226	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16227				NL80211_MCGRP_MLME, GFP_KERNEL);
16228	return;
16229
16230 nla_put_failure:
16231	nlmsg_free(msg);
16232}
16233
16234void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
16235			     struct net_device *netdev, const u8 *bssid,
16236			     gfp_t gfp)
16237{
16238	struct sk_buff *msg;
16239	void *hdr;
16240
16241	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16242	if (!msg)
16243		return;
16244
16245	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
16246	if (!hdr) {
16247		nlmsg_free(msg);
16248		return;
16249	}
16250
16251	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16252	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16253	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16254		goto nla_put_failure;
16255
16256	genlmsg_end(msg, hdr);
16257
16258	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16259				NL80211_MCGRP_MLME, gfp);
16260	return;
16261
16262 nla_put_failure:
16263	nlmsg_free(msg);
16264}
16265
16266void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
16267					const u8 *ie, u8 ie_len,
16268					int sig_dbm, gfp_t gfp)
16269{
16270	struct wireless_dev *wdev = dev->ieee80211_ptr;
16271	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16272	struct sk_buff *msg;
16273	void *hdr;
16274
16275	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
16276		return;
16277
16278	trace_cfg80211_notify_new_peer_candidate(dev, addr);
16279
16280	msg = nlmsg_new(100 + ie_len, gfp);
16281	if (!msg)
16282		return;
16283
16284	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
16285	if (!hdr) {
16286		nlmsg_free(msg);
16287		return;
16288	}
16289
16290	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16291	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16292	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
16293	    (ie_len && ie &&
16294	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
16295	    (sig_dbm &&
16296	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
16297		goto nla_put_failure;
16298
16299	genlmsg_end(msg, hdr);
16300
16301	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16302				NL80211_MCGRP_MLME, gfp);
16303	return;
16304
16305 nla_put_failure:
16306	nlmsg_free(msg);
16307}
16308EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
16309
16310void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
16311				 struct net_device *netdev, const u8 *addr,
16312				 enum nl80211_key_type key_type, int key_id,
16313				 const u8 *tsc, gfp_t gfp)
16314{
16315	struct sk_buff *msg;
16316	void *hdr;
16317
16318	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16319	if (!msg)
16320		return;
16321
16322	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
16323	if (!hdr) {
16324		nlmsg_free(msg);
16325		return;
16326	}
16327
16328	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16329	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16330	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
16331	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
16332	    (key_id != -1 &&
16333	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
16334	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
16335		goto nla_put_failure;
16336
16337	genlmsg_end(msg, hdr);
16338
16339	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16340				NL80211_MCGRP_MLME, gfp);
16341	return;
16342
16343 nla_put_failure:
16344	nlmsg_free(msg);
16345}
16346
16347void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
16348				    struct ieee80211_channel *channel_before,
16349				    struct ieee80211_channel *channel_after)
16350{
16351	struct sk_buff *msg;
16352	void *hdr;
16353	struct nlattr *nl_freq;
16354
16355	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
16356	if (!msg)
16357		return;
16358
16359	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
16360	if (!hdr) {
16361		nlmsg_free(msg);
16362		return;
16363	}
16364
16365	/*
16366	 * Since we are applying the beacon hint to a wiphy we know its
16367	 * wiphy_idx is valid
16368	 */
16369	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
16370		goto nla_put_failure;
16371
16372	/* Before */
16373	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
16374	if (!nl_freq)
16375		goto nla_put_failure;
16376
16377	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
16378		goto nla_put_failure;
16379	nla_nest_end(msg, nl_freq);
16380
16381	/* After */
16382	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
16383	if (!nl_freq)
16384		goto nla_put_failure;
16385
16386	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
16387		goto nla_put_failure;
16388	nla_nest_end(msg, nl_freq);
16389
16390	genlmsg_end(msg, hdr);
16391
16392	rcu_read_lock();
16393	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
16394				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
16395	rcu_read_unlock();
16396
16397	return;
16398
16399nla_put_failure:
16400	nlmsg_free(msg);
16401}
16402
16403static void nl80211_send_remain_on_chan_event(
16404	int cmd, struct cfg80211_registered_device *rdev,
16405	struct wireless_dev *wdev, u64 cookie,
16406	struct ieee80211_channel *chan,
16407	unsigned int duration, gfp_t gfp)
16408{
16409	struct sk_buff *msg;
16410	void *hdr;
16411
16412	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16413	if (!msg)
16414		return;
16415
16416	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16417	if (!hdr) {
16418		nlmsg_free(msg);
16419		return;
16420	}
16421
16422	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16423	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16424					 wdev->netdev->ifindex)) ||
16425	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16426			      NL80211_ATTR_PAD) ||
16427	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
16428	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
16429			NL80211_CHAN_NO_HT) ||
16430	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
16431			      NL80211_ATTR_PAD))
16432		goto nla_put_failure;
16433
16434	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
16435	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
16436		goto nla_put_failure;
16437
16438	genlmsg_end(msg, hdr);
16439
16440	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16441				NL80211_MCGRP_MLME, gfp);
16442	return;
16443
16444 nla_put_failure:
16445	nlmsg_free(msg);
16446}
16447
16448void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
16449			       struct ieee80211_channel *chan,
16450			       unsigned int duration, gfp_t gfp)
16451{
16452	struct wiphy *wiphy = wdev->wiphy;
16453	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16454
16455	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
16456	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
16457					  rdev, wdev, cookie, chan,
16458					  duration, gfp);
16459}
16460EXPORT_SYMBOL(cfg80211_ready_on_channel);
16461
16462void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
16463					struct ieee80211_channel *chan,
16464					gfp_t gfp)
16465{
16466	struct wiphy *wiphy = wdev->wiphy;
16467	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16468
16469	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
16470	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
16471					  rdev, wdev, cookie, chan, 0, gfp);
16472}
16473EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
16474
16475void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
16476					struct ieee80211_channel *chan,
16477					gfp_t gfp)
16478{
16479	struct wiphy *wiphy = wdev->wiphy;
16480	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16481
16482	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
16483	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
16484					  rdev, wdev, cookie, chan, 0, gfp);
16485}
16486EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
16487
16488void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
16489		      struct station_info *sinfo, gfp_t gfp)
16490{
16491	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
16492	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16493	struct sk_buff *msg;
16494
16495	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
16496
16497	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16498	if (!msg)
16499		return;
16500
16501	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
16502				 rdev, dev, mac_addr, sinfo) < 0) {
16503		nlmsg_free(msg);
16504		return;
16505	}
16506
16507	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16508				NL80211_MCGRP_MLME, gfp);
16509}
16510EXPORT_SYMBOL(cfg80211_new_sta);
16511
16512void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
16513			    struct station_info *sinfo, gfp_t gfp)
16514{
16515	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
16516	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16517	struct sk_buff *msg;
16518	struct station_info empty_sinfo = {};
16519
16520	if (!sinfo)
16521		sinfo = &empty_sinfo;
16522
16523	trace_cfg80211_del_sta(dev, mac_addr);
16524
16525	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16526	if (!msg) {
16527		cfg80211_sinfo_release_content(sinfo);
16528		return;
16529	}
16530
16531	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
16532				 rdev, dev, mac_addr, sinfo) < 0) {
16533		nlmsg_free(msg);
16534		return;
16535	}
16536
16537	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16538				NL80211_MCGRP_MLME, gfp);
16539}
16540EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
16541
16542void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
16543			  enum nl80211_connect_failed_reason reason,
16544			  gfp_t gfp)
16545{
16546	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
16547	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16548	struct sk_buff *msg;
16549	void *hdr;
16550
16551	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
16552	if (!msg)
16553		return;
16554
16555	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
16556	if (!hdr) {
16557		nlmsg_free(msg);
16558		return;
16559	}
16560
16561	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16562	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
16563	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
16564		goto nla_put_failure;
16565
16566	genlmsg_end(msg, hdr);
16567
16568	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16569				NL80211_MCGRP_MLME, gfp);
16570	return;
16571
16572 nla_put_failure:
16573	nlmsg_free(msg);
16574}
16575EXPORT_SYMBOL(cfg80211_conn_failed);
16576
16577static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
16578				       const u8 *addr, gfp_t gfp)
16579{
16580	struct wireless_dev *wdev = dev->ieee80211_ptr;
16581	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16582	struct sk_buff *msg;
16583	void *hdr;
16584	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
16585
16586	if (!nlportid)
16587		return false;
16588
16589	msg = nlmsg_new(100, gfp);
16590	if (!msg)
16591		return true;
16592
16593	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16594	if (!hdr) {
16595		nlmsg_free(msg);
16596		return true;
16597	}
16598
16599	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16600	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16601	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
16602		goto nla_put_failure;
16603
16604	genlmsg_end(msg, hdr);
16605	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
16606	return true;
16607
16608 nla_put_failure:
16609	nlmsg_free(msg);
16610	return true;
16611}
16612
16613bool cfg80211_rx_spurious_frame(struct net_device *dev,
16614				const u8 *addr, gfp_t gfp)
16615{
16616	struct wireless_dev *wdev = dev->ieee80211_ptr;
16617	bool ret;
16618
16619	trace_cfg80211_rx_spurious_frame(dev, addr);
16620
16621	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
16622		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
16623		trace_cfg80211_return_bool(false);
16624		return false;
16625	}
16626	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
16627					 addr, gfp);
16628	trace_cfg80211_return_bool(ret);
16629	return ret;
16630}
16631EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
16632
16633bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
16634					const u8 *addr, gfp_t gfp)
16635{
16636	struct wireless_dev *wdev = dev->ieee80211_ptr;
16637	bool ret;
16638
16639	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
16640
16641	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
16642		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
16643		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
16644		trace_cfg80211_return_bool(false);
16645		return false;
16646	}
16647	ret = __nl80211_unexpected_frame(dev,
16648					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
16649					 addr, gfp);
16650	trace_cfg80211_return_bool(ret);
16651	return ret;
16652}
16653EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
16654
16655int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
16656		      struct wireless_dev *wdev, u32 nlportid,
16657		      int freq, int sig_dbm,
16658		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
16659{
16660	struct net_device *netdev = wdev->netdev;
16661	struct sk_buff *msg;
16662	void *hdr;
16663
16664	msg = nlmsg_new(100 + len, gfp);
16665	if (!msg)
16666		return -ENOMEM;
16667
16668	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
16669	if (!hdr) {
16670		nlmsg_free(msg);
16671		return -ENOMEM;
16672	}
16673
16674	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16675	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16676					netdev->ifindex)) ||
16677	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16678			      NL80211_ATTR_PAD) ||
16679	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(freq)) ||
16680	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, freq % 1000) ||
16681	    (sig_dbm &&
16682	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
16683	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
16684	    (flags &&
16685	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
16686		goto nla_put_failure;
16687
16688	genlmsg_end(msg, hdr);
16689
16690	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
16691
16692 nla_put_failure:
16693	nlmsg_free(msg);
16694	return -ENOBUFS;
16695}
16696
16697static void nl80211_frame_tx_status(struct wireless_dev *wdev, u64 cookie,
16698				    const u8 *buf, size_t len, bool ack,
16699				    gfp_t gfp, enum nl80211_commands command)
16700{
16701	struct wiphy *wiphy = wdev->wiphy;
16702	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16703	struct net_device *netdev = wdev->netdev;
16704	struct sk_buff *msg;
16705	void *hdr;
16706
16707	if (command == NL80211_CMD_FRAME_TX_STATUS)
16708		trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
16709	else
16710		trace_cfg80211_control_port_tx_status(wdev, cookie, ack);
16711
16712	msg = nlmsg_new(100 + len, gfp);
16713	if (!msg)
16714		return;
16715
16716	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
16717	if (!hdr) {
16718		nlmsg_free(msg);
16719		return;
16720	}
16721
16722	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16723	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16724				   netdev->ifindex)) ||
16725	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16726			      NL80211_ATTR_PAD) ||
16727	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
16728	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
16729			      NL80211_ATTR_PAD) ||
16730	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
16731		goto nla_put_failure;
16732
16733	genlmsg_end(msg, hdr);
16734
16735	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16736				NL80211_MCGRP_MLME, gfp);
16737	return;
16738
16739nla_put_failure:
16740	nlmsg_free(msg);
16741}
16742
16743void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
16744				     const u8 *buf, size_t len, bool ack,
16745				     gfp_t gfp)
16746{
16747	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
16748				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
16749}
16750EXPORT_SYMBOL(cfg80211_control_port_tx_status);
16751
16752void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
16753			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
16754{
16755	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
16756				NL80211_CMD_FRAME_TX_STATUS);
16757}
16758EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
16759
16760static int __nl80211_rx_control_port(struct net_device *dev,
16761				     struct sk_buff *skb,
16762				     bool unencrypted, gfp_t gfp)
16763{
16764	struct wireless_dev *wdev = dev->ieee80211_ptr;
16765	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16766	struct ethhdr *ehdr = eth_hdr(skb);
16767	const u8 *addr = ehdr->h_source;
16768	u16 proto = be16_to_cpu(skb->protocol);
16769	struct sk_buff *msg;
16770	void *hdr;
16771	struct nlattr *frame;
16772
16773	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
16774
16775	if (!nlportid)
16776		return -ENOENT;
16777
16778	msg = nlmsg_new(100 + skb->len, gfp);
16779	if (!msg)
16780		return -ENOMEM;
16781
16782	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
16783	if (!hdr) {
16784		nlmsg_free(msg);
16785		return -ENOBUFS;
16786	}
16787
16788	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16789	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16790	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16791			      NL80211_ATTR_PAD) ||
16792	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
16793	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
16794	    (unencrypted && nla_put_flag(msg,
16795					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
16796		goto nla_put_failure;
16797
16798	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
16799	if (!frame)
16800		goto nla_put_failure;
16801
16802	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
16803	genlmsg_end(msg, hdr);
16804
16805	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
16806
16807 nla_put_failure:
16808	nlmsg_free(msg);
16809	return -ENOBUFS;
16810}
16811
16812bool cfg80211_rx_control_port(struct net_device *dev,
16813			      struct sk_buff *skb, bool unencrypted)
16814{
16815	int ret;
16816
16817	trace_cfg80211_rx_control_port(dev, skb, unencrypted);
16818	ret = __nl80211_rx_control_port(dev, skb, unencrypted, GFP_ATOMIC);
16819	trace_cfg80211_return_bool(ret == 0);
16820	return ret == 0;
16821}
16822EXPORT_SYMBOL(cfg80211_rx_control_port);
16823
16824static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
16825					    const char *mac, gfp_t gfp)
16826{
16827	struct wireless_dev *wdev = dev->ieee80211_ptr;
16828	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16829	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16830	void **cb;
16831
16832	if (!msg)
16833		return NULL;
16834
16835	cb = (void **)msg->cb;
16836
16837	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
16838	if (!cb[0]) {
16839		nlmsg_free(msg);
16840		return NULL;
16841	}
16842
16843	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16844	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
16845		goto nla_put_failure;
16846
16847	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
16848		goto nla_put_failure;
16849
16850	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
16851	if (!cb[1])
16852		goto nla_put_failure;
16853
16854	cb[2] = rdev;
16855
16856	return msg;
16857 nla_put_failure:
16858	nlmsg_free(msg);
16859	return NULL;
16860}
16861
16862static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
16863{
16864	void **cb = (void **)msg->cb;
16865	struct cfg80211_registered_device *rdev = cb[2];
16866
16867	nla_nest_end(msg, cb[1]);
16868	genlmsg_end(msg, cb[0]);
16869
16870	memset(msg->cb, 0, sizeof(msg->cb));
16871
16872	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16873				NL80211_MCGRP_MLME, gfp);
16874}
16875
16876void cfg80211_cqm_rssi_notify(struct net_device *dev,
16877			      enum nl80211_cqm_rssi_threshold_event rssi_event,
16878			      s32 rssi_level, gfp_t gfp)
16879{
16880	struct sk_buff *msg;
16881	struct wireless_dev *wdev = dev->ieee80211_ptr;
16882	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16883
16884	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
16885
16886	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
16887		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
16888		return;
16889
16890	if (wdev->cqm_config) {
16891		wdev->cqm_config->last_rssi_event_value = rssi_level;
16892
16893		cfg80211_cqm_rssi_update(rdev, dev);
16894
16895		if (rssi_level == 0)
16896			rssi_level = wdev->cqm_config->last_rssi_event_value;
16897	}
16898
16899	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
16900	if (!msg)
16901		return;
16902
16903	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
16904			rssi_event))
16905		goto nla_put_failure;
16906
16907	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
16908				      rssi_level))
16909		goto nla_put_failure;
16910
16911	cfg80211_send_cqm(msg, gfp);
16912
16913	return;
16914
16915 nla_put_failure:
16916	nlmsg_free(msg);
16917}
16918EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
16919
16920void cfg80211_cqm_txe_notify(struct net_device *dev,
16921			     const u8 *peer, u32 num_packets,
16922			     u32 rate, u32 intvl, gfp_t gfp)
16923{
16924	struct sk_buff *msg;
16925
16926	msg = cfg80211_prepare_cqm(dev, peer, gfp);
16927	if (!msg)
16928		return;
16929
16930	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
16931		goto nla_put_failure;
16932
16933	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
16934		goto nla_put_failure;
16935
16936	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
16937		goto nla_put_failure;
16938
16939	cfg80211_send_cqm(msg, gfp);
16940	return;
16941
16942 nla_put_failure:
16943	nlmsg_free(msg);
16944}
16945EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
16946
16947void cfg80211_cqm_pktloss_notify(struct net_device *dev,
16948				 const u8 *peer, u32 num_packets, gfp_t gfp)
16949{
16950	struct sk_buff *msg;
16951
16952	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
16953
16954	msg = cfg80211_prepare_cqm(dev, peer, gfp);
16955	if (!msg)
16956		return;
16957
16958	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
16959		goto nla_put_failure;
16960
16961	cfg80211_send_cqm(msg, gfp);
16962	return;
16963
16964 nla_put_failure:
16965	nlmsg_free(msg);
16966}
16967EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
16968
16969void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
16970{
16971	struct sk_buff *msg;
16972
16973	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
16974	if (!msg)
16975		return;
16976
16977	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
16978		goto nla_put_failure;
16979
16980	cfg80211_send_cqm(msg, gfp);
16981	return;
16982
16983 nla_put_failure:
16984	nlmsg_free(msg);
16985}
16986EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
16987
16988static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
16989				     struct net_device *netdev, const u8 *bssid,
16990				     const u8 *replay_ctr, gfp_t gfp)
16991{
16992	struct sk_buff *msg;
16993	struct nlattr *rekey_attr;
16994	void *hdr;
16995
16996	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16997	if (!msg)
16998		return;
16999
17000	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
17001	if (!hdr) {
17002		nlmsg_free(msg);
17003		return;
17004	}
17005
17006	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17007	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17008	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
17009		goto nla_put_failure;
17010
17011	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
17012	if (!rekey_attr)
17013		goto nla_put_failure;
17014
17015	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
17016		    NL80211_REPLAY_CTR_LEN, replay_ctr))
17017		goto nla_put_failure;
17018
17019	nla_nest_end(msg, rekey_attr);
17020
17021	genlmsg_end(msg, hdr);
17022
17023	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17024				NL80211_MCGRP_MLME, gfp);
17025	return;
17026
17027 nla_put_failure:
17028	nlmsg_free(msg);
17029}
17030
17031void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
17032			       const u8 *replay_ctr, gfp_t gfp)
17033{
17034	struct wireless_dev *wdev = dev->ieee80211_ptr;
17035	struct wiphy *wiphy = wdev->wiphy;
17036	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17037
17038	trace_cfg80211_gtk_rekey_notify(dev, bssid);
17039	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
17040}
17041EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
17042
17043static void
17044nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
17045			       struct net_device *netdev, int index,
17046			       const u8 *bssid, bool preauth, gfp_t gfp)
17047{
17048	struct sk_buff *msg;
17049	struct nlattr *attr;
17050	void *hdr;
17051
17052	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17053	if (!msg)
17054		return;
17055
17056	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
17057	if (!hdr) {
17058		nlmsg_free(msg);
17059		return;
17060	}
17061
17062	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17063	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
17064		goto nla_put_failure;
17065
17066	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
17067	if (!attr)
17068		goto nla_put_failure;
17069
17070	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
17071	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
17072	    (preauth &&
17073	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
17074		goto nla_put_failure;
17075
17076	nla_nest_end(msg, attr);
17077
17078	genlmsg_end(msg, hdr);
17079
17080	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17081				NL80211_MCGRP_MLME, gfp);
17082	return;
17083
17084 nla_put_failure:
17085	nlmsg_free(msg);
17086}
17087
17088void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
17089				     const u8 *bssid, bool preauth, gfp_t gfp)
17090{
17091	struct wireless_dev *wdev = dev->ieee80211_ptr;
17092	struct wiphy *wiphy = wdev->wiphy;
17093	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17094
17095	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
17096	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
17097}
17098EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
17099
17100static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
17101				     struct net_device *netdev,
17102				     struct cfg80211_chan_def *chandef,
17103				     gfp_t gfp,
17104				     enum nl80211_commands notif,
17105				     u8 count)
17106{
17107	struct sk_buff *msg;
17108	void *hdr;
17109
17110	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17111	if (!msg)
17112		return;
17113
17114	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
17115	if (!hdr) {
17116		nlmsg_free(msg);
17117		return;
17118	}
17119
17120	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
17121		goto nla_put_failure;
17122
17123	if (nl80211_send_chandef(msg, chandef))
17124		goto nla_put_failure;
17125
17126	if ((notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) &&
17127	    (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count)))
17128			goto nla_put_failure;
17129
17130	genlmsg_end(msg, hdr);
17131
17132	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17133				NL80211_MCGRP_MLME, gfp);
17134	return;
17135
17136 nla_put_failure:
17137	nlmsg_free(msg);
17138}
17139
17140void cfg80211_ch_switch_notify(struct net_device *dev,
17141			       struct cfg80211_chan_def *chandef)
17142{
17143	struct wireless_dev *wdev = dev->ieee80211_ptr;
17144	struct wiphy *wiphy = wdev->wiphy;
17145	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17146
17147	ASSERT_WDEV_LOCK(wdev);
17148
17149	trace_cfg80211_ch_switch_notify(dev, chandef);
17150
17151	wdev->chandef = *chandef;
17152	wdev->preset_chandef = *chandef;
17153
17154	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
17155	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
17156	    !WARN_ON(!wdev->current_bss))
17157		cfg80211_update_assoc_bss_entry(wdev, chandef->chan);
17158
17159	cfg80211_sched_dfs_chan_update(rdev);
17160
17161	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
17162				 NL80211_CMD_CH_SWITCH_NOTIFY, 0);
17163}
17164EXPORT_SYMBOL(cfg80211_ch_switch_notify);
17165
17166void cfg80211_ch_switch_started_notify(struct net_device *dev,
17167				       struct cfg80211_chan_def *chandef,
17168				       u8 count)
17169{
17170	struct wireless_dev *wdev = dev->ieee80211_ptr;
17171	struct wiphy *wiphy = wdev->wiphy;
17172	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17173
17174	trace_cfg80211_ch_switch_started_notify(dev, chandef);
17175
17176	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
17177				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY, count);
17178}
17179EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
17180
17181void
17182nl80211_radar_notify(struct cfg80211_registered_device *rdev,
17183		     const struct cfg80211_chan_def *chandef,
17184		     enum nl80211_radar_event event,
17185		     struct net_device *netdev, gfp_t gfp)
17186{
17187	struct sk_buff *msg;
17188	void *hdr;
17189
17190	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17191	if (!msg)
17192		return;
17193
17194	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
17195	if (!hdr) {
17196		nlmsg_free(msg);
17197		return;
17198	}
17199
17200	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
17201		goto nla_put_failure;
17202
17203	/* NOP and radar events don't need a netdev parameter */
17204	if (netdev) {
17205		struct wireless_dev *wdev = netdev->ieee80211_ptr;
17206
17207		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17208		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17209				      NL80211_ATTR_PAD))
17210			goto nla_put_failure;
17211	}
17212
17213	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
17214		goto nla_put_failure;
17215
17216	if (nl80211_send_chandef(msg, chandef))
17217		goto nla_put_failure;
17218
17219	genlmsg_end(msg, hdr);
17220
17221	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17222				NL80211_MCGRP_MLME, gfp);
17223	return;
17224
17225 nla_put_failure:
17226	nlmsg_free(msg);
17227}
17228
17229void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
17230				       struct sta_opmode_info *sta_opmode,
17231				       gfp_t gfp)
17232{
17233	struct sk_buff *msg;
17234	struct wireless_dev *wdev = dev->ieee80211_ptr;
17235	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17236	void *hdr;
17237
17238	if (WARN_ON(!mac))
17239		return;
17240
17241	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17242	if (!msg)
17243		return;
17244
17245	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
17246	if (!hdr) {
17247		nlmsg_free(msg);
17248		return;
17249	}
17250
17251	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
17252		goto nla_put_failure;
17253
17254	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17255		goto nla_put_failure;
17256
17257	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
17258		goto nla_put_failure;
17259
17260	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
17261	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
17262		goto nla_put_failure;
17263
17264	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
17265	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
17266		goto nla_put_failure;
17267
17268	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
17269	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
17270		goto nla_put_failure;
17271
17272	genlmsg_end(msg, hdr);
17273
17274	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17275				NL80211_MCGRP_MLME, gfp);
17276
17277	return;
17278
17279nla_put_failure:
17280	nlmsg_free(msg);
17281}
17282EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
17283
17284void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
17285			   u64 cookie, bool acked, s32 ack_signal,
17286			   bool is_valid_ack_signal, gfp_t gfp)
17287{
17288	struct wireless_dev *wdev = dev->ieee80211_ptr;
17289	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17290	struct sk_buff *msg;
17291	void *hdr;
17292
17293	trace_cfg80211_probe_status(dev, addr, cookie, acked);
17294
17295	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17296
17297	if (!msg)
17298		return;
17299
17300	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
17301	if (!hdr) {
17302		nlmsg_free(msg);
17303		return;
17304	}
17305
17306	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17307	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17308	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
17309	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17310			      NL80211_ATTR_PAD) ||
17311	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
17312	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
17313						ack_signal)))
17314		goto nla_put_failure;
17315
17316	genlmsg_end(msg, hdr);
17317
17318	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17319				NL80211_MCGRP_MLME, gfp);
17320	return;
17321
17322 nla_put_failure:
17323	nlmsg_free(msg);
17324}
17325EXPORT_SYMBOL(cfg80211_probe_status);
17326
17327void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
17328				     size_t len, int freq, int sig_dbm)
17329{
17330	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17331	struct sk_buff *msg;
17332	void *hdr;
17333	struct cfg80211_beacon_registration *reg;
17334
17335	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
17336
17337	spin_lock_bh(&rdev->beacon_registrations_lock);
17338	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
17339		msg = nlmsg_new(len + 100, GFP_ATOMIC);
17340		if (!msg) {
17341			spin_unlock_bh(&rdev->beacon_registrations_lock);
17342			return;
17343		}
17344
17345		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
17346		if (!hdr)
17347			goto nla_put_failure;
17348
17349		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17350		    (freq &&
17351		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
17352				  KHZ_TO_MHZ(freq)) ||
17353		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
17354				  freq % 1000))) ||
17355		    (sig_dbm &&
17356		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
17357		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
17358			goto nla_put_failure;
17359
17360		genlmsg_end(msg, hdr);
17361
17362		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
17363	}
17364	spin_unlock_bh(&rdev->beacon_registrations_lock);
17365	return;
17366
17367 nla_put_failure:
17368	spin_unlock_bh(&rdev->beacon_registrations_lock);
17369	nlmsg_free(msg);
17370}
17371EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
17372
17373#ifdef CONFIG_PM
17374static int cfg80211_net_detect_results(struct sk_buff *msg,
17375				       struct cfg80211_wowlan_wakeup *wakeup)
17376{
17377	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
17378	struct nlattr *nl_results, *nl_match, *nl_freqs;
17379	int i, j;
17380
17381	nl_results = nla_nest_start_noflag(msg,
17382					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
17383	if (!nl_results)
17384		return -EMSGSIZE;
17385
17386	for (i = 0; i < nd->n_matches; i++) {
17387		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
17388
17389		nl_match = nla_nest_start_noflag(msg, i);
17390		if (!nl_match)
17391			break;
17392
17393		/* The SSID attribute is optional in nl80211, but for
17394		 * simplicity reasons it's always present in the
17395		 * cfg80211 structure.  If a driver can't pass the
17396		 * SSID, that needs to be changed.  A zero length SSID
17397		 * is still a valid SSID (wildcard), so it cannot be
17398		 * used for this purpose.
17399		 */
17400		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
17401			    match->ssid.ssid)) {
17402			nla_nest_cancel(msg, nl_match);
17403			goto out;
17404		}
17405
17406		if (match->n_channels) {
17407			nl_freqs = nla_nest_start_noflag(msg,
17408							 NL80211_ATTR_SCAN_FREQUENCIES);
17409			if (!nl_freqs) {
17410				nla_nest_cancel(msg, nl_match);
17411				goto out;
17412			}
17413
17414			for (j = 0; j < match->n_channels; j++) {
17415				if (nla_put_u32(msg, j, match->channels[j])) {
17416					nla_nest_cancel(msg, nl_freqs);
17417					nla_nest_cancel(msg, nl_match);
17418					goto out;
17419				}
17420			}
17421
17422			nla_nest_end(msg, nl_freqs);
17423		}
17424
17425		nla_nest_end(msg, nl_match);
17426	}
17427
17428out:
17429	nla_nest_end(msg, nl_results);
17430	return 0;
17431}
17432
17433void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
17434				   struct cfg80211_wowlan_wakeup *wakeup,
17435				   gfp_t gfp)
17436{
17437	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17438	struct sk_buff *msg;
17439	void *hdr;
17440	int size = 200;
17441
17442	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
17443
17444	if (wakeup)
17445		size += wakeup->packet_present_len;
17446
17447	msg = nlmsg_new(size, gfp);
17448	if (!msg)
17449		return;
17450
17451	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
17452	if (!hdr)
17453		goto free_msg;
17454
17455	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17456	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17457			      NL80211_ATTR_PAD))
17458		goto free_msg;
17459
17460	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17461					wdev->netdev->ifindex))
17462		goto free_msg;
17463
17464	if (wakeup) {
17465		struct nlattr *reasons;
17466
17467		reasons = nla_nest_start_noflag(msg,
17468						NL80211_ATTR_WOWLAN_TRIGGERS);
17469		if (!reasons)
17470			goto free_msg;
17471
17472		if (wakeup->disconnect &&
17473		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
17474			goto free_msg;
17475		if (wakeup->magic_pkt &&
17476		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
17477			goto free_msg;
17478		if (wakeup->gtk_rekey_failure &&
17479		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
17480			goto free_msg;
17481		if (wakeup->eap_identity_req &&
17482		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
17483			goto free_msg;
17484		if (wakeup->four_way_handshake &&
17485		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
17486			goto free_msg;
17487		if (wakeup->rfkill_release &&
17488		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
17489			goto free_msg;
17490
17491		if (wakeup->pattern_idx >= 0 &&
17492		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
17493				wakeup->pattern_idx))
17494			goto free_msg;
17495
17496		if (wakeup->tcp_match &&
17497		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
17498			goto free_msg;
17499
17500		if (wakeup->tcp_connlost &&
17501		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
17502			goto free_msg;
17503
17504		if (wakeup->tcp_nomoretokens &&
17505		    nla_put_flag(msg,
17506				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
17507			goto free_msg;
17508
17509		if (wakeup->packet) {
17510			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
17511			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
17512
17513			if (!wakeup->packet_80211) {
17514				pkt_attr =
17515					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
17516				len_attr =
17517					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
17518			}
17519
17520			if (wakeup->packet_len &&
17521			    nla_put_u32(msg, len_attr, wakeup->packet_len))
17522				goto free_msg;
17523
17524			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
17525				    wakeup->packet))
17526				goto free_msg;
17527		}
17528
17529		if (wakeup->net_detect &&
17530		    cfg80211_net_detect_results(msg, wakeup))
17531				goto free_msg;
17532
17533		nla_nest_end(msg, reasons);
17534	}
17535
17536	genlmsg_end(msg, hdr);
17537
17538	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17539				NL80211_MCGRP_MLME, gfp);
17540	return;
17541
17542 free_msg:
17543	nlmsg_free(msg);
17544}
17545EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
17546#endif
17547
17548void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
17549				enum nl80211_tdls_operation oper,
17550				u16 reason_code, gfp_t gfp)
17551{
17552	struct wireless_dev *wdev = dev->ieee80211_ptr;
17553	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17554	struct sk_buff *msg;
17555	void *hdr;
17556
17557	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
17558					 reason_code);
17559
17560	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17561	if (!msg)
17562		return;
17563
17564	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
17565	if (!hdr) {
17566		nlmsg_free(msg);
17567		return;
17568	}
17569
17570	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17571	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17572	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
17573	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
17574	    (reason_code > 0 &&
17575	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
17576		goto nla_put_failure;
17577
17578	genlmsg_end(msg, hdr);
17579
17580	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17581				NL80211_MCGRP_MLME, gfp);
17582	return;
17583
17584 nla_put_failure:
17585	nlmsg_free(msg);
17586}
17587EXPORT_SYMBOL(cfg80211_tdls_oper_request);
17588
17589static int nl80211_netlink_notify(struct notifier_block * nb,
17590				  unsigned long state,
17591				  void *_notify)
17592{
17593	struct netlink_notify *notify = _notify;
17594	struct cfg80211_registered_device *rdev;
17595	struct wireless_dev *wdev;
17596	struct cfg80211_beacon_registration *reg, *tmp;
17597
17598	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
17599		return NOTIFY_DONE;
17600
17601	rcu_read_lock();
17602
17603	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
17604		struct cfg80211_sched_scan_request *sched_scan_req;
17605
17606		list_for_each_entry_rcu(sched_scan_req,
17607					&rdev->sched_scan_req_list,
17608					list) {
17609			if (sched_scan_req->owner_nlportid == notify->portid) {
17610				sched_scan_req->nl_owner_dead = true;
17611				schedule_work(&rdev->sched_scan_stop_wk);
17612			}
17613		}
17614
17615		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
17616			cfg80211_mlme_unregister_socket(wdev, notify->portid);
17617
17618			if (wdev->owner_nlportid == notify->portid) {
17619				wdev->nl_owner_dead = true;
17620				schedule_work(&rdev->destroy_work);
17621			} else if (wdev->conn_owner_nlportid == notify->portid) {
17622				schedule_work(&wdev->disconnect_wk);
17623			}
17624
17625			cfg80211_release_pmsr(wdev, notify->portid);
17626		}
17627
17628		spin_lock_bh(&rdev->beacon_registrations_lock);
17629		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
17630					 list) {
17631			if (reg->nlportid == notify->portid) {
17632				list_del(&reg->list);
17633				kfree(reg);
17634				break;
17635			}
17636		}
17637		spin_unlock_bh(&rdev->beacon_registrations_lock);
17638	}
17639
17640	rcu_read_unlock();
17641
17642	/*
17643	 * It is possible that the user space process that is controlling the
17644	 * indoor setting disappeared, so notify the regulatory core.
17645	 */
17646	regulatory_netlink_notify(notify->portid);
17647	return NOTIFY_OK;
17648}
17649
17650static struct notifier_block nl80211_netlink_notifier = {
17651	.notifier_call = nl80211_netlink_notify,
17652};
17653
17654void cfg80211_ft_event(struct net_device *netdev,
17655		       struct cfg80211_ft_event_params *ft_event)
17656{
17657	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
17658	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17659	struct sk_buff *msg;
17660	void *hdr;
17661
17662	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
17663
17664	if (!ft_event->target_ap)
17665		return;
17666
17667	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
17668			GFP_KERNEL);
17669	if (!msg)
17670		return;
17671
17672	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
17673	if (!hdr)
17674		goto out;
17675
17676	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17677	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17678	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
17679		goto out;
17680
17681	if (ft_event->ies &&
17682	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
17683		goto out;
17684	if (ft_event->ric_ies &&
17685	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
17686		    ft_event->ric_ies))
17687		goto out;
17688
17689	genlmsg_end(msg, hdr);
17690
17691	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17692				NL80211_MCGRP_MLME, GFP_KERNEL);
17693	return;
17694 out:
17695	nlmsg_free(msg);
17696}
17697EXPORT_SYMBOL(cfg80211_ft_event);
17698
17699void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
17700{
17701	struct cfg80211_registered_device *rdev;
17702	struct sk_buff *msg;
17703	void *hdr;
17704	u32 nlportid;
17705
17706	rdev = wiphy_to_rdev(wdev->wiphy);
17707	if (!rdev->crit_proto_nlportid)
17708		return;
17709
17710	nlportid = rdev->crit_proto_nlportid;
17711	rdev->crit_proto_nlportid = 0;
17712
17713	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17714	if (!msg)
17715		return;
17716
17717	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
17718	if (!hdr)
17719		goto nla_put_failure;
17720
17721	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17722	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17723			      NL80211_ATTR_PAD))
17724		goto nla_put_failure;
17725
17726	genlmsg_end(msg, hdr);
17727
17728	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17729	return;
17730
17731 nla_put_failure:
17732	nlmsg_free(msg);
17733}
17734EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
17735
17736void nl80211_send_ap_stopped(struct wireless_dev *wdev)
17737{
17738	struct wiphy *wiphy = wdev->wiphy;
17739	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17740	struct sk_buff *msg;
17741	void *hdr;
17742
17743	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17744	if (!msg)
17745		return;
17746
17747	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
17748	if (!hdr)
17749		goto out;
17750
17751	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17752	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
17753	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17754			      NL80211_ATTR_PAD))
17755		goto out;
17756
17757	genlmsg_end(msg, hdr);
17758
17759	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
17760				NL80211_MCGRP_MLME, GFP_KERNEL);
17761	return;
17762 out:
17763	nlmsg_free(msg);
17764}
17765
17766int cfg80211_external_auth_request(struct net_device *dev,
17767				   struct cfg80211_external_auth_params *params,
17768				   gfp_t gfp)
17769{
17770	struct wireless_dev *wdev = dev->ieee80211_ptr;
17771	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17772	struct sk_buff *msg;
17773	void *hdr;
17774
17775	if (!wdev->conn_owner_nlportid)
17776		return -EINVAL;
17777
17778	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17779	if (!msg)
17780		return -ENOMEM;
17781
17782	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
17783	if (!hdr)
17784		goto nla_put_failure;
17785
17786	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17787	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17788	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
17789	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
17790			params->action) ||
17791	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
17792	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
17793		    params->ssid.ssid))
17794		goto nla_put_failure;
17795
17796	genlmsg_end(msg, hdr);
17797	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
17798			wdev->conn_owner_nlportid);
17799	return 0;
17800
17801 nla_put_failure:
17802	nlmsg_free(msg);
17803	return -ENOBUFS;
17804}
17805EXPORT_SYMBOL(cfg80211_external_auth_request);
17806
17807void cfg80211_update_owe_info_event(struct net_device *netdev,
17808				    struct cfg80211_update_owe_info *owe_info,
17809				    gfp_t gfp)
17810{
17811	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
17812	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17813	struct sk_buff *msg;
17814	void *hdr;
17815
17816	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
17817
17818	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17819	if (!msg)
17820		return;
17821
17822	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
17823	if (!hdr)
17824		goto nla_put_failure;
17825
17826	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17827	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17828	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
17829		goto nla_put_failure;
17830
17831	if (!owe_info->ie_len ||
17832	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
17833		goto nla_put_failure;
17834
17835	genlmsg_end(msg, hdr);
17836
17837	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17838				NL80211_MCGRP_MLME, gfp);
17839	return;
17840
17841nla_put_failure:
17842	genlmsg_cancel(msg, hdr);
17843	nlmsg_free(msg);
17844}
17845EXPORT_SYMBOL(cfg80211_update_owe_info_event);
17846
17847/* initialisation/exit functions */
17848
17849int __init nl80211_init(void)
17850{
17851	int err;
17852
17853	err = genl_register_family(&nl80211_fam);
17854	if (err)
17855		return err;
17856
17857	err = netlink_register_notifier(&nl80211_netlink_notifier);
17858	if (err)
17859		goto err_out;
17860
17861	return 0;
17862 err_out:
17863	genl_unregister_family(&nl80211_fam);
17864	return err;
17865}
17866
17867void nl80211_exit(void)
17868{
17869	netlink_unregister_notifier(&nl80211_netlink_notifier);
17870	genl_unregister_family(&nl80211_fam);
17871}
17872