xref: /kernel/linux/linux-6.6/net/wireless/nl80211.c (revision 62306a36) 
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * This is the new netlink-based wireless configuration interface.
4 *
5 * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6 * Copyright 2013-2014  Intel Mobile Communications GmbH
7 * Copyright 2015-2017	Intel Deutschland GmbH
8 * Copyright (C) 2018-2023 Intel Corporation
9 */
10
11#include <linux/if.h>
12#include <linux/module.h>
13#include <linux/err.h>
14#include <linux/slab.h>
15#include <linux/list.h>
16#include <linux/if_ether.h>
17#include <linux/ieee80211.h>
18#include <linux/nl80211.h>
19#include <linux/rtnetlink.h>
20#include <linux/netlink.h>
21#include <linux/nospec.h>
22#include <linux/etherdevice.h>
23#include <linux/if_vlan.h>
24#include <net/net_namespace.h>
25#include <net/genetlink.h>
26#include <net/cfg80211.h>
27#include <net/sock.h>
28#include <net/inet_connection_sock.h>
29#include "core.h"
30#include "nl80211.h"
31#include "reg.h"
32#include "rdev-ops.h"
33
34static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35				   struct genl_info *info,
36				   struct cfg80211_crypto_settings *settings,
37				   int cipher_limit);
38
39/* the netlink family */
40static struct genl_family nl80211_fam;
41
42/* multicast groups */
43enum nl80211_multicast_groups {
44	NL80211_MCGRP_CONFIG,
45	NL80211_MCGRP_SCAN,
46	NL80211_MCGRP_REGULATORY,
47	NL80211_MCGRP_MLME,
48	NL80211_MCGRP_VENDOR,
49	NL80211_MCGRP_NAN,
50	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51};
52
53static const struct genl_multicast_group nl80211_mcgrps[] = {
54	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60#ifdef CONFIG_NL80211_TESTMODE
61	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62#endif
63};
64
65/* returns ERR_PTR values */
66static struct wireless_dev *
67__cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68			   struct net *netns, struct nlattr **attrs)
69{
70	struct wireless_dev *result = NULL;
71	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73	u64 wdev_id = 0;
74	int wiphy_idx = -1;
75	int ifidx = -1;
76
77	if (!have_ifidx && !have_wdev_id)
78		return ERR_PTR(-EINVAL);
79
80	if (have_ifidx)
81		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82	if (have_wdev_id) {
83		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84		wiphy_idx = wdev_id >> 32;
85	}
86
87	if (rdev) {
88		struct wireless_dev *wdev;
89
90		lockdep_assert_held(&rdev->wiphy.mtx);
91
92		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93			if (have_ifidx && wdev->netdev &&
94			    wdev->netdev->ifindex == ifidx) {
95				result = wdev;
96				break;
97			}
98			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99				result = wdev;
100				break;
101			}
102		}
103
104		return result ?: ERR_PTR(-ENODEV);
105	}
106
107	ASSERT_RTNL();
108
109	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
110		struct wireless_dev *wdev;
111
112		if (wiphy_net(&rdev->wiphy) != netns)
113			continue;
114
115		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116			continue;
117
118		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119			if (have_ifidx && wdev->netdev &&
120			    wdev->netdev->ifindex == ifidx) {
121				result = wdev;
122				break;
123			}
124			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125				result = wdev;
126				break;
127			}
128		}
129
130		if (result)
131			break;
132	}
133
134	if (result)
135		return result;
136	return ERR_PTR(-ENODEV);
137}
138
139static struct cfg80211_registered_device *
140__cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141{
142	struct cfg80211_registered_device *rdev = NULL, *tmp;
143	struct net_device *netdev;
144
145	ASSERT_RTNL();
146
147	if (!attrs[NL80211_ATTR_WIPHY] &&
148	    !attrs[NL80211_ATTR_IFINDEX] &&
149	    !attrs[NL80211_ATTR_WDEV])
150		return ERR_PTR(-EINVAL);
151
152	if (attrs[NL80211_ATTR_WIPHY])
153		rdev = cfg80211_rdev_by_wiphy_idx(
154				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155
156	if (attrs[NL80211_ATTR_WDEV]) {
157		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158		struct wireless_dev *wdev;
159		bool found = false;
160
161		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162		if (tmp) {
163			/* make sure wdev exists */
164			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165				if (wdev->identifier != (u32)wdev_id)
166					continue;
167				found = true;
168				break;
169			}
170
171			if (!found)
172				tmp = NULL;
173
174			if (rdev && tmp != rdev)
175				return ERR_PTR(-EINVAL);
176			rdev = tmp;
177		}
178	}
179
180	if (attrs[NL80211_ATTR_IFINDEX]) {
181		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182
183		netdev = __dev_get_by_index(netns, ifindex);
184		if (netdev) {
185			if (netdev->ieee80211_ptr)
186				tmp = wiphy_to_rdev(
187					netdev->ieee80211_ptr->wiphy);
188			else
189				tmp = NULL;
190
191			/* not wireless device -- return error */
192			if (!tmp)
193				return ERR_PTR(-EINVAL);
194
195			/* mismatch -- return error */
196			if (rdev && tmp != rdev)
197				return ERR_PTR(-EINVAL);
198
199			rdev = tmp;
200		}
201	}
202
203	if (!rdev)
204		return ERR_PTR(-ENODEV);
205
206	if (netns != wiphy_net(&rdev->wiphy))
207		return ERR_PTR(-ENODEV);
208
209	return rdev;
210}
211
212/*
213 * This function returns a pointer to the driver
214 * that the genl_info item that is passed refers to.
215 *
216 * The result of this can be a PTR_ERR and hence must
217 * be checked with IS_ERR() for errors.
218 */
219static struct cfg80211_registered_device *
220cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221{
222	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223}
224
225static int validate_beacon_head(const struct nlattr *attr,
226				struct netlink_ext_ack *extack)
227{
228	const u8 *data = nla_data(attr);
229	unsigned int len = nla_len(attr);
230	const struct element *elem;
231	const struct ieee80211_mgmt *mgmt = (void *)data;
232	unsigned int fixedlen, hdrlen;
233	bool s1g_bcn;
234
235	if (len < offsetofend(typeof(*mgmt), frame_control))
236		goto err;
237
238	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239	if (s1g_bcn) {
240		fixedlen = offsetof(struct ieee80211_ext,
241				    u.s1g_beacon.variable);
242		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243	} else {
244		fixedlen = offsetof(struct ieee80211_mgmt,
245				    u.beacon.variable);
246		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247	}
248
249	if (len < fixedlen)
250		goto err;
251
252	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253		goto err;
254
255	data += fixedlen;
256	len -= fixedlen;
257
258	for_each_element(elem, data, len) {
259		/* nothing */
260	}
261
262	if (for_each_element_completed(elem, data, len))
263		return 0;
264
265err:
266	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267	return -EINVAL;
268}
269
270static int validate_ie_attr(const struct nlattr *attr,
271			    struct netlink_ext_ack *extack)
272{
273	const u8 *data = nla_data(attr);
274	unsigned int len = nla_len(attr);
275	const struct element *elem;
276
277	for_each_element(elem, data, len) {
278		/* nothing */
279	}
280
281	if (for_each_element_completed(elem, data, len))
282		return 0;
283
284	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285	return -EINVAL;
286}
287
288static int validate_he_capa(const struct nlattr *attr,
289			    struct netlink_ext_ack *extack)
290{
291	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
292		return -EINVAL;
293
294	return 0;
295}
296
297/* policy for the attributes */
298static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
299
300static const struct nla_policy
301nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
302	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
303	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
304					.len = U8_MAX },
305	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
306					     .len = U8_MAX },
307};
308
309static const struct nla_policy
310nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
311	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
312	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
313	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
314		NLA_POLICY_MAX(NLA_U8, 15),
315	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
316	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
317		NLA_POLICY_MAX(NLA_U8, 15),
318	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
319		NLA_POLICY_MAX(NLA_U8, 31),
320	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
321	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
322	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
323	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
324	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
325	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
326	[NL80211_PMSR_FTM_REQ_ATTR_BSS_COLOR] = { .type = NLA_U8 },
327};
328
329static const struct nla_policy
330nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
331	[NL80211_PMSR_TYPE_FTM] =
332		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
333};
334
335static const struct nla_policy
336nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
337	[NL80211_PMSR_REQ_ATTR_DATA] =
338		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
339	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
340};
341
342static const struct nla_policy
343nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
344	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
345	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
346	[NL80211_PMSR_PEER_ATTR_REQ] =
347		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
348	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
349};
350
351static const struct nla_policy
352nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
353	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
354	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
355	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
356	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
357	[NL80211_PMSR_ATTR_PEERS] =
358		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
359};
360
361static const struct nla_policy
362he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
363	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
364		NLA_POLICY_RANGE(NLA_U8, 1, 20),
365	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
366		NLA_POLICY_RANGE(NLA_U8, 1, 20),
367	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
368		NLA_POLICY_RANGE(NLA_U8, 1, 20),
369	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
370		NLA_POLICY_EXACT_LEN(8),
371	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
372		NLA_POLICY_EXACT_LEN(8),
373	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
374};
375
376static const struct nla_policy
377he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
378	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
379	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
380	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
381};
382
383static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
384	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
385				    .len = NL80211_MAX_SUPP_RATES },
386	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
387				.len = NL80211_MAX_SUPP_HT_RATES },
388	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
389	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
390	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
391	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
392						   NL80211_RATE_INFO_HE_GI_0_8,
393						   NL80211_RATE_INFO_HE_GI_3_2),
394	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
395						   NL80211_RATE_INFO_HE_1XLTF,
396						   NL80211_RATE_INFO_HE_4XLTF),
397};
398
399static const struct nla_policy
400nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
401	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
402	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
403	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
404	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
405	[NL80211_TID_CONFIG_ATTR_NOACK] =
406			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
407	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
408	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
409	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
410			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
411	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
412			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
413	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
414			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
415	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
416			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
417	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
418			NLA_POLICY_NESTED(nl80211_txattr_policy),
419};
420
421static const struct nla_policy
422nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
423	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
424	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
425	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
426			NLA_POLICY_RANGE(NLA_BINARY,
427					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
428					 IEEE80211_MAX_DATA_LEN),
429};
430
431static const struct nla_policy
432nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
433	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
434	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
435						       .len = IEEE80211_MAX_DATA_LEN }
436};
437
438static const struct nla_policy
439sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
440	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
441	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
442};
443
444static const struct nla_policy
445sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
446	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
447	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
448};
449
450static const struct nla_policy
451nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
452	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
453	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
454						NLA_POLICY_MIN(NLA_U8, 1),
455	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
456	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
457	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
458};
459
460static const struct nla_policy
461nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
462	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
463	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
464};
465
466static struct netlink_range_validation nl80211_punct_bitmap_range = {
467	.min = 0,
468	.max = 0xffff,
469};
470
471static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
472	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
473	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
474	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
475				      .len = 20-1 },
476	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
477
478	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
479	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
480	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
481						NL80211_EDMG_CHANNELS_MIN,
482						NL80211_EDMG_CHANNELS_MAX),
483	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
484						NL80211_EDMG_BW_CONFIG_MIN,
485						NL80211_EDMG_BW_CONFIG_MAX),
486
487	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
488	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
489	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
490	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
491
492	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
493	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
494	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
495	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
496	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
497	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
498
499	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
500	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
501	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
502
503	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
504	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
505
506	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
507	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
508				    .len = WLAN_MAX_KEY_LEN },
509	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
510	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
511	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
512	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
513	[NL80211_ATTR_KEY_TYPE] =
514		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
515
516	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
517	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
518	[NL80211_ATTR_BEACON_HEAD] =
519		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
520				       IEEE80211_MAX_DATA_LEN),
521	[NL80211_ATTR_BEACON_TAIL] =
522		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
523				       IEEE80211_MAX_DATA_LEN),
524	[NL80211_ATTR_STA_AID] =
525		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
526	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
527	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
528	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
529					       .len = NL80211_MAX_SUPP_RATES },
530	[NL80211_ATTR_STA_PLINK_ACTION] =
531		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
532	[NL80211_ATTR_STA_TX_POWER_SETTING] =
533		NLA_POLICY_RANGE(NLA_U8,
534				 NL80211_TX_POWER_AUTOMATIC,
535				 NL80211_TX_POWER_FIXED),
536	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
537	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
538	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
539	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
540				   .len = IEEE80211_MAX_MESH_ID_LEN },
541	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
542
543	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
544	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
545	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
546
547	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
548	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
549	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
550	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
551					   .len = NL80211_MAX_SUPP_RATES },
552	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
553
554	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
555	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
556
557	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
558
559	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
560	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
561						   validate_ie_attr,
562						   IEEE80211_MAX_DATA_LEN),
563	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
564	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
565
566	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
567				.len = IEEE80211_MAX_SSID_LEN },
568	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
569	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
570	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
571	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
572	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
573						  NL80211_MFP_NO,
574						  NL80211_MFP_OPTIONAL),
575	[NL80211_ATTR_STA_FLAGS2] =
576		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
577	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
578	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
579	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
580	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
581	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
582	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
583	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
584	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
585	[NL80211_ATTR_PID] = { .type = NLA_U32 },
586	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
587	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
588	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
589	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
590	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
591	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
592				 .len = IEEE80211_MAX_DATA_LEN },
593	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
594	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
595						   NL80211_PS_DISABLED,
596						   NL80211_PS_ENABLED),
597	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
598	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
599	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
600	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
601	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
602	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
603	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
604	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
605	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
606	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
607	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
608	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
609	[NL80211_ATTR_STA_PLINK_STATE] =
610		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
611	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
612	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
613	[NL80211_ATTR_MESH_PEER_AID] =
614		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
615	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
616	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
617	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
618	[NL80211_ATTR_HIDDEN_SSID] =
619		NLA_POLICY_RANGE(NLA_U32,
620				 NL80211_HIDDEN_SSID_NOT_IN_USE,
621				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
622	[NL80211_ATTR_IE_PROBE_RESP] =
623		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
624				       IEEE80211_MAX_DATA_LEN),
625	[NL80211_ATTR_IE_ASSOC_RESP] =
626		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
627				       IEEE80211_MAX_DATA_LEN),
628	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
629	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
630	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
631	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
632	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
633	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
634	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
635	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
636	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
637	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
638	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
639	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
640				      .len = IEEE80211_MAX_DATA_LEN },
641	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
642	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
643	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
644		.len = NL80211_HT_CAPABILITY_LEN
645	},
646	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
647	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
648	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
649	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
650	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
651
652	/* need to include at least Auth Transaction and Status Code */
653	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
654
655	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
656	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
657	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
658	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
659	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
660		NLA_POLICY_RANGE(NLA_U32,
661				 NL80211_MESH_POWER_UNKNOWN + 1,
662				 NL80211_MESH_POWER_MAX),
663	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
664	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
665	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
666	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
667	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
668	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
669	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
670		.len = NL80211_VHT_CAPABILITY_LEN,
671	},
672	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
673	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
674				  .len = IEEE80211_MAX_DATA_LEN },
675	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
676	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
677		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
678	[NL80211_ATTR_PEER_AID] =
679		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
680	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
681	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
682	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
683	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
684	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
685	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
686	/*
687	 * The value of the Length field of the Supported Operating
688	 * Classes element is between 2 and 253.
689	 */
690	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
691		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
692	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
693	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
694	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
695	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
696	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
697	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
698						  IEEE80211_QOS_MAP_LEN_MIN,
699						  IEEE80211_QOS_MAP_LEN_MAX),
700	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
701	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
702	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
703	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
704	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
705	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
706	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
707	[NL80211_ATTR_USER_PRIO] =
708		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
709	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
710	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
711	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
712	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
713	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
714	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
715	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
716	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
717	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
718	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
719	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
720		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
721	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
722		.len = VHT_MUMIMO_GROUPS_DATA_LEN
723	},
724	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
725	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
726	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
727	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
728	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
729				    .len = FILS_MAX_KEK_LEN },
730	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
731	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
732	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
733	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
734	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
735		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
736	},
737	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
738	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
739					     .len = FILS_ERP_MAX_USERNAME_LEN },
740	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
741					  .len = FILS_ERP_MAX_REALM_LEN },
742	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
743	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
744					.len = FILS_ERP_MAX_RRK_LEN },
745	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
746	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
747	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
748	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
749	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
750
751	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
752	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
753	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
754	[NL80211_ATTR_HE_CAPABILITY] =
755		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
756				       NL80211_HE_MAX_CAPABILITY_LEN),
757	[NL80211_ATTR_FTM_RESPONDER] =
758		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
759	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
760	[NL80211_ATTR_PEER_MEASUREMENTS] =
761		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
762	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
763	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
764					.len = SAE_PASSWORD_MAX_LEN },
765	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
766	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
767	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
768	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
769	[NL80211_ATTR_TID_CONFIG] =
770		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
771	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
772	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
773	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
774	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
775	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
776	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
777	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
778		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
779	[NL80211_ATTR_FILS_DISCOVERY] =
780		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
781	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
782		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
783	[NL80211_ATTR_S1G_CAPABILITY] =
784		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
785	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
786		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
787	[NL80211_ATTR_SAE_PWE] =
788		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
789				 NL80211_SAE_PWE_BOTH),
790	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
791	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
792	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
793	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
794	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
795	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
796	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
797	[NL80211_ATTR_MBSSID_CONFIG] =
798			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
799	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
800	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
801	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
802	[NL80211_ATTR_EHT_CAPABILITY] =
803		NLA_POLICY_RANGE(NLA_BINARY,
804				 NL80211_EHT_MIN_CAPABILITY_LEN,
805				 NL80211_EHT_MAX_CAPABILITY_LEN),
806	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
807	[NL80211_ATTR_MLO_LINKS] =
808		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
809	[NL80211_ATTR_MLO_LINK_ID] =
810		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS),
811	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
812	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
813	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
814	[NL80211_ATTR_PUNCT_BITMAP] =
815		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
816
817	[NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 },
818	[NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG },
819	[NL80211_ATTR_EMA_RNR_ELEMS] = { .type = NLA_NESTED },
820	[NL80211_ATTR_MLO_LINK_DISABLED] = { .type = NLA_FLAG },
821};
822
823/* policy for the key attributes */
824static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
825	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
826	[NL80211_KEY_IDX] = { .type = NLA_U8 },
827	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
828	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
829	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
830	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
831	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
832	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
833	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
834};
835
836/* policy for the key default flags */
837static const struct nla_policy
838nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
839	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
840	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
841};
842
843#ifdef CONFIG_PM
844/* policy for WoWLAN attributes */
845static const struct nla_policy
846nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
847	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
848	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
849	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
850	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
851	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
852	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
853	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
854	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
855	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
856	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
857};
858
859static const struct nla_policy
860nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
861	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
862	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
863	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
864	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
865	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
866	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
867	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
868		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
869	},
870	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
871		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
872	},
873	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
874	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
875	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
876};
877#endif /* CONFIG_PM */
878
879/* policy for coalesce rule attributes */
880static const struct nla_policy
881nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
882	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
883	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
884		NLA_POLICY_RANGE(NLA_U32,
885				 NL80211_COALESCE_CONDITION_MATCH,
886				 NL80211_COALESCE_CONDITION_NO_MATCH),
887	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
888};
889
890/* policy for GTK rekey offload attributes */
891static const struct nla_policy
892nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
893	[NL80211_REKEY_DATA_KEK] = {
894		.type = NLA_BINARY,
895		.len = NL80211_KEK_EXT_LEN
896	},
897	[NL80211_REKEY_DATA_KCK] = {
898		.type = NLA_BINARY,
899		.len = NL80211_KCK_EXT_LEN_32
900	},
901	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
902	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
903};
904
905static const struct nla_policy
906nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
907	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
908	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
909	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
910	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
911	[NL80211_BAND_LC]    = { .type = NLA_S32 },
912};
913
914static const struct nla_policy
915nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
916	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
917						 .len = IEEE80211_MAX_SSID_LEN },
918	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
919	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
920	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
921		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
922};
923
924static const struct nla_policy
925nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
926	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
927	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
928};
929
930static const struct nla_policy
931nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
932	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
933	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
934	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
935		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
936	},
937};
938
939/* policy for NAN function attributes */
940static const struct nla_policy
941nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
942	[NL80211_NAN_FUNC_TYPE] =
943		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
944	[NL80211_NAN_FUNC_SERVICE_ID] = {
945				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
946	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
947	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
948	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
949	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
950	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
951	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
952	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
953	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
954	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
955			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
956	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
957	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
958	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
959	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
960	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
961};
962
963/* policy for Service Response Filter attributes */
964static const struct nla_policy
965nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
966	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
967	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
968				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
969	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
970	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
971};
972
973/* policy for packet pattern attributes */
974static const struct nla_policy
975nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
976	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
977	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
978	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
979};
980
981static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
982				     struct cfg80211_registered_device **rdev,
983				     struct wireless_dev **wdev,
984				     struct nlattr **attrbuf)
985{
986	int err;
987
988	if (!cb->args[0]) {
989		struct nlattr **attrbuf_free = NULL;
990
991		if (!attrbuf) {
992			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
993					  GFP_KERNEL);
994			if (!attrbuf)
995				return -ENOMEM;
996			attrbuf_free = attrbuf;
997		}
998
999		err = nlmsg_parse_deprecated(cb->nlh,
1000					     GENL_HDRLEN + nl80211_fam.hdrsize,
1001					     attrbuf, nl80211_fam.maxattr,
1002					     nl80211_policy, NULL);
1003		if (err) {
1004			kfree(attrbuf_free);
1005			return err;
1006		}
1007
1008		rtnl_lock();
1009		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
1010						   attrbuf);
1011		kfree(attrbuf_free);
1012		if (IS_ERR(*wdev)) {
1013			rtnl_unlock();
1014			return PTR_ERR(*wdev);
1015		}
1016		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1017		mutex_lock(&(*rdev)->wiphy.mtx);
1018		rtnl_unlock();
1019		/* 0 is the first index - add 1 to parse only once */
1020		cb->args[0] = (*rdev)->wiphy_idx + 1;
1021		cb->args[1] = (*wdev)->identifier;
1022	} else {
1023		/* subtract the 1 again here */
1024		struct wiphy *wiphy;
1025		struct wireless_dev *tmp;
1026
1027		rtnl_lock();
1028		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1029		if (!wiphy) {
1030			rtnl_unlock();
1031			return -ENODEV;
1032		}
1033		*rdev = wiphy_to_rdev(wiphy);
1034		*wdev = NULL;
1035
1036		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1037			if (tmp->identifier == cb->args[1]) {
1038				*wdev = tmp;
1039				break;
1040			}
1041		}
1042
1043		if (!*wdev) {
1044			rtnl_unlock();
1045			return -ENODEV;
1046		}
1047		mutex_lock(&(*rdev)->wiphy.mtx);
1048		rtnl_unlock();
1049	}
1050
1051	return 0;
1052}
1053
1054/* message building helper */
1055void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1056		     int flags, u8 cmd)
1057{
1058	/* since there is no private header just add the generic one */
1059	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1060}
1061
1062static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1063				     const struct ieee80211_reg_rule *rule)
1064{
1065	int j;
1066	struct nlattr *nl_wmm_rules =
1067		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1068
1069	if (!nl_wmm_rules)
1070		goto nla_put_failure;
1071
1072	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1073		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1074
1075		if (!nl_wmm_rule)
1076			goto nla_put_failure;
1077
1078		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1079				rule->wmm_rule.client[j].cw_min) ||
1080		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1081				rule->wmm_rule.client[j].cw_max) ||
1082		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1083			       rule->wmm_rule.client[j].aifsn) ||
1084		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1085			        rule->wmm_rule.client[j].cot))
1086			goto nla_put_failure;
1087
1088		nla_nest_end(msg, nl_wmm_rule);
1089	}
1090	nla_nest_end(msg, nl_wmm_rules);
1091
1092	return 0;
1093
1094nla_put_failure:
1095	return -ENOBUFS;
1096}
1097
1098static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1099				   struct ieee80211_channel *chan,
1100				   bool large)
1101{
1102	/* Some channels must be completely excluded from the
1103	 * list to protect old user-space tools from breaking
1104	 */
1105	if (!large && chan->flags &
1106	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1107		return 0;
1108	if (!large && chan->freq_offset)
1109		return 0;
1110
1111	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1112			chan->center_freq))
1113		goto nla_put_failure;
1114
1115	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1116		goto nla_put_failure;
1117
1118	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1119	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1120		goto nla_put_failure;
1121	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1122		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1123			goto nla_put_failure;
1124		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1125			goto nla_put_failure;
1126	}
1127	if (chan->flags & IEEE80211_CHAN_RADAR) {
1128		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1129			goto nla_put_failure;
1130		if (large) {
1131			u32 time;
1132
1133			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1134
1135			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1136					chan->dfs_state))
1137				goto nla_put_failure;
1138			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1139					time))
1140				goto nla_put_failure;
1141			if (nla_put_u32(msg,
1142					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1143					chan->dfs_cac_ms))
1144				goto nla_put_failure;
1145		}
1146	}
1147
1148	if (large) {
1149		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1150		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1151			goto nla_put_failure;
1152		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1153		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1154			goto nla_put_failure;
1155		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1156		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1157			goto nla_put_failure;
1158		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1159		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1160			goto nla_put_failure;
1161		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1162		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1163			goto nla_put_failure;
1164		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1165		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1166			goto nla_put_failure;
1167		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1168		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1169			goto nla_put_failure;
1170		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1171		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1172			goto nla_put_failure;
1173		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1174		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1175			goto nla_put_failure;
1176		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1177		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1178			goto nla_put_failure;
1179		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1180		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1181			goto nla_put_failure;
1182		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1183		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1184			goto nla_put_failure;
1185		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1186		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1187			goto nla_put_failure;
1188		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1189		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1190			goto nla_put_failure;
1191		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1192		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1193			goto nla_put_failure;
1194		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1195		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1196			goto nla_put_failure;
1197	}
1198
1199	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1200			DBM_TO_MBM(chan->max_power)))
1201		goto nla_put_failure;
1202
1203	if (large) {
1204		const struct ieee80211_reg_rule *rule =
1205			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1206
1207		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1208			if (nl80211_msg_put_wmm_rules(msg, rule))
1209				goto nla_put_failure;
1210		}
1211	}
1212
1213	return 0;
1214
1215 nla_put_failure:
1216	return -ENOBUFS;
1217}
1218
1219static bool nl80211_put_txq_stats(struct sk_buff *msg,
1220				  struct cfg80211_txq_stats *txqstats,
1221				  int attrtype)
1222{
1223	struct nlattr *txqattr;
1224
1225#define PUT_TXQVAL_U32(attr, memb) do {					  \
1226	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1227	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1228		return false;						  \
1229	} while (0)
1230
1231	txqattr = nla_nest_start_noflag(msg, attrtype);
1232	if (!txqattr)
1233		return false;
1234
1235	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1236	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1237	PUT_TXQVAL_U32(FLOWS, flows);
1238	PUT_TXQVAL_U32(DROPS, drops);
1239	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1240	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1241	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1242	PUT_TXQVAL_U32(COLLISIONS, collisions);
1243	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1244	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1245	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1246	nla_nest_end(msg, txqattr);
1247
1248#undef PUT_TXQVAL_U32
1249	return true;
1250}
1251
1252/* netlink command implementations */
1253
1254/**
1255 * nl80211_link_id - return link ID
1256 * @attrs: attributes to look at
1257 *
1258 * Returns: the link ID or 0 if not given
1259 *
1260 * Note this function doesn't do any validation of the link
1261 * ID validity wrt. links that were actually added, so it must
1262 * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1263 * or if additional validation is done.
1264 */
1265static unsigned int nl80211_link_id(struct nlattr **attrs)
1266{
1267	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1268
1269	if (!linkid)
1270		return 0;
1271
1272	return nla_get_u8(linkid);
1273}
1274
1275static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1276{
1277	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1278
1279	if (!linkid)
1280		return -1;
1281
1282	return nla_get_u8(linkid);
1283}
1284
1285struct key_parse {
1286	struct key_params p;
1287	int idx;
1288	int type;
1289	bool def, defmgmt, defbeacon;
1290	bool def_uni, def_multi;
1291};
1292
1293static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1294				 struct key_parse *k)
1295{
1296	struct nlattr *tb[NL80211_KEY_MAX + 1];
1297	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1298					      nl80211_key_policy,
1299					      info->extack);
1300	if (err)
1301		return err;
1302
1303	k->def = !!tb[NL80211_KEY_DEFAULT];
1304	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1305	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1306
1307	if (k->def) {
1308		k->def_uni = true;
1309		k->def_multi = true;
1310	}
1311	if (k->defmgmt || k->defbeacon)
1312		k->def_multi = true;
1313
1314	if (tb[NL80211_KEY_IDX])
1315		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1316
1317	if (tb[NL80211_KEY_DATA]) {
1318		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1319		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1320	}
1321
1322	if (tb[NL80211_KEY_SEQ]) {
1323		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1324		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1325	}
1326
1327	if (tb[NL80211_KEY_CIPHER])
1328		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1329
1330	if (tb[NL80211_KEY_TYPE])
1331		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1332
1333	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1334		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1335
1336		err = nla_parse_nested_deprecated(kdt,
1337						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1338						  tb[NL80211_KEY_DEFAULT_TYPES],
1339						  nl80211_key_default_policy,
1340						  info->extack);
1341		if (err)
1342			return err;
1343
1344		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1345		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1346	}
1347
1348	if (tb[NL80211_KEY_MODE])
1349		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1350
1351	return 0;
1352}
1353
1354static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1355{
1356	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1357		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1358		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1359	}
1360
1361	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1362		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1363		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1364	}
1365
1366	if (info->attrs[NL80211_ATTR_KEY_IDX])
1367		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1368
1369	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1370		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1371
1372	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1373	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1374
1375	if (k->def) {
1376		k->def_uni = true;
1377		k->def_multi = true;
1378	}
1379	if (k->defmgmt)
1380		k->def_multi = true;
1381
1382	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1383		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1384
1385	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1386		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1387		int err = nla_parse_nested_deprecated(kdt,
1388						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1389						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1390						      nl80211_key_default_policy,
1391						      info->extack);
1392		if (err)
1393			return err;
1394
1395		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1396		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1397	}
1398
1399	return 0;
1400}
1401
1402static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1403{
1404	int err;
1405
1406	memset(k, 0, sizeof(*k));
1407	k->idx = -1;
1408	k->type = -1;
1409
1410	if (info->attrs[NL80211_ATTR_KEY])
1411		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1412	else
1413		err = nl80211_parse_key_old(info, k);
1414
1415	if (err)
1416		return err;
1417
1418	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1419	    (k->defbeacon ? 1 : 0) > 1) {
1420		GENL_SET_ERR_MSG(info,
1421				 "key with multiple default flags is invalid");
1422		return -EINVAL;
1423	}
1424
1425	if (k->defmgmt || k->defbeacon) {
1426		if (k->def_uni || !k->def_multi) {
1427			GENL_SET_ERR_MSG(info,
1428					 "defmgmt/defbeacon key must be mcast");
1429			return -EINVAL;
1430		}
1431	}
1432
1433	if (k->idx != -1) {
1434		if (k->defmgmt) {
1435			if (k->idx < 4 || k->idx > 5) {
1436				GENL_SET_ERR_MSG(info,
1437						 "defmgmt key idx not 4 or 5");
1438				return -EINVAL;
1439			}
1440		} else if (k->defbeacon) {
1441			if (k->idx < 6 || k->idx > 7) {
1442				GENL_SET_ERR_MSG(info,
1443						 "defbeacon key idx not 6 or 7");
1444				return -EINVAL;
1445			}
1446		} else if (k->def) {
1447			if (k->idx < 0 || k->idx > 3) {
1448				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1449				return -EINVAL;
1450			}
1451		} else {
1452			if (k->idx < 0 || k->idx > 7) {
1453				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1454				return -EINVAL;
1455			}
1456		}
1457	}
1458
1459	return 0;
1460}
1461
1462static struct cfg80211_cached_keys *
1463nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1464		       struct genl_info *info, bool *no_ht)
1465{
1466	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1467	struct key_parse parse;
1468	struct nlattr *key;
1469	struct cfg80211_cached_keys *result;
1470	int rem, err, def = 0;
1471	bool have_key = false;
1472
1473	nla_for_each_nested(key, keys, rem) {
1474		have_key = true;
1475		break;
1476	}
1477
1478	if (!have_key)
1479		return NULL;
1480
1481	result = kzalloc(sizeof(*result), GFP_KERNEL);
1482	if (!result)
1483		return ERR_PTR(-ENOMEM);
1484
1485	result->def = -1;
1486
1487	nla_for_each_nested(key, keys, rem) {
1488		memset(&parse, 0, sizeof(parse));
1489		parse.idx = -1;
1490
1491		err = nl80211_parse_key_new(info, key, &parse);
1492		if (err)
1493			goto error;
1494		err = -EINVAL;
1495		if (!parse.p.key)
1496			goto error;
1497		if (parse.idx < 0 || parse.idx > 3) {
1498			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1499			goto error;
1500		}
1501		if (parse.def) {
1502			if (def) {
1503				GENL_SET_ERR_MSG(info,
1504						 "only one key can be default");
1505				goto error;
1506			}
1507			def = 1;
1508			result->def = parse.idx;
1509			if (!parse.def_uni || !parse.def_multi)
1510				goto error;
1511		} else if (parse.defmgmt)
1512			goto error;
1513		err = cfg80211_validate_key_settings(rdev, &parse.p,
1514						     parse.idx, false, NULL);
1515		if (err)
1516			goto error;
1517		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1518		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1519			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1520			err = -EINVAL;
1521			goto error;
1522		}
1523		result->params[parse.idx].cipher = parse.p.cipher;
1524		result->params[parse.idx].key_len = parse.p.key_len;
1525		result->params[parse.idx].key = result->data[parse.idx];
1526		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1527
1528		/* must be WEP key if we got here */
1529		if (no_ht)
1530			*no_ht = true;
1531	}
1532
1533	if (result->def < 0) {
1534		err = -EINVAL;
1535		GENL_SET_ERR_MSG(info, "need a default/TX key");
1536		goto error;
1537	}
1538
1539	return result;
1540 error:
1541	kfree(result);
1542	return ERR_PTR(err);
1543}
1544
1545static int nl80211_key_allowed(struct wireless_dev *wdev)
1546{
1547	ASSERT_WDEV_LOCK(wdev);
1548
1549	switch (wdev->iftype) {
1550	case NL80211_IFTYPE_AP:
1551	case NL80211_IFTYPE_AP_VLAN:
1552	case NL80211_IFTYPE_P2P_GO:
1553	case NL80211_IFTYPE_MESH_POINT:
1554		break;
1555	case NL80211_IFTYPE_ADHOC:
1556		if (wdev->u.ibss.current_bss)
1557			return 0;
1558		return -ENOLINK;
1559	case NL80211_IFTYPE_STATION:
1560	case NL80211_IFTYPE_P2P_CLIENT:
1561		if (wdev->connected)
1562			return 0;
1563		return -ENOLINK;
1564	case NL80211_IFTYPE_NAN:
1565		if (wiphy_ext_feature_isset(wdev->wiphy,
1566					    NL80211_EXT_FEATURE_SECURE_NAN))
1567			return 0;
1568		return -EINVAL;
1569	case NL80211_IFTYPE_UNSPECIFIED:
1570	case NL80211_IFTYPE_OCB:
1571	case NL80211_IFTYPE_MONITOR:
1572	case NL80211_IFTYPE_P2P_DEVICE:
1573	case NL80211_IFTYPE_WDS:
1574	case NUM_NL80211_IFTYPES:
1575		return -EINVAL;
1576	}
1577
1578	return 0;
1579}
1580
1581static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1582							u32 freq)
1583{
1584	struct ieee80211_channel *chan;
1585
1586	chan = ieee80211_get_channel_khz(wiphy, freq);
1587	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1588		return NULL;
1589	return chan;
1590}
1591
1592static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1593{
1594	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1595	int i;
1596
1597	if (!nl_modes)
1598		goto nla_put_failure;
1599
1600	i = 0;
1601	while (ifmodes) {
1602		if ((ifmodes & 1) && nla_put_flag(msg, i))
1603			goto nla_put_failure;
1604		ifmodes >>= 1;
1605		i++;
1606	}
1607
1608	nla_nest_end(msg, nl_modes);
1609	return 0;
1610
1611nla_put_failure:
1612	return -ENOBUFS;
1613}
1614
1615static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1616					  struct sk_buff *msg,
1617					  bool large)
1618{
1619	struct nlattr *nl_combis;
1620	int i, j;
1621
1622	nl_combis = nla_nest_start_noflag(msg,
1623					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1624	if (!nl_combis)
1625		goto nla_put_failure;
1626
1627	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1628		const struct ieee80211_iface_combination *c;
1629		struct nlattr *nl_combi, *nl_limits;
1630
1631		c = &wiphy->iface_combinations[i];
1632
1633		nl_combi = nla_nest_start_noflag(msg, i + 1);
1634		if (!nl_combi)
1635			goto nla_put_failure;
1636
1637		nl_limits = nla_nest_start_noflag(msg,
1638						  NL80211_IFACE_COMB_LIMITS);
1639		if (!nl_limits)
1640			goto nla_put_failure;
1641
1642		for (j = 0; j < c->n_limits; j++) {
1643			struct nlattr *nl_limit;
1644
1645			nl_limit = nla_nest_start_noflag(msg, j + 1);
1646			if (!nl_limit)
1647				goto nla_put_failure;
1648			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1649					c->limits[j].max))
1650				goto nla_put_failure;
1651			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1652						c->limits[j].types))
1653				goto nla_put_failure;
1654			nla_nest_end(msg, nl_limit);
1655		}
1656
1657		nla_nest_end(msg, nl_limits);
1658
1659		if (c->beacon_int_infra_match &&
1660		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1661			goto nla_put_failure;
1662		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1663				c->num_different_channels) ||
1664		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1665				c->max_interfaces))
1666			goto nla_put_failure;
1667		if (large &&
1668		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1669				c->radar_detect_widths) ||
1670		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1671				c->radar_detect_regions)))
1672			goto nla_put_failure;
1673		if (c->beacon_int_min_gcd &&
1674		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1675				c->beacon_int_min_gcd))
1676			goto nla_put_failure;
1677
1678		nla_nest_end(msg, nl_combi);
1679	}
1680
1681	nla_nest_end(msg, nl_combis);
1682
1683	return 0;
1684nla_put_failure:
1685	return -ENOBUFS;
1686}
1687
1688#ifdef CONFIG_PM
1689static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1690					struct sk_buff *msg)
1691{
1692	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1693	struct nlattr *nl_tcp;
1694
1695	if (!tcp)
1696		return 0;
1697
1698	nl_tcp = nla_nest_start_noflag(msg,
1699				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1700	if (!nl_tcp)
1701		return -ENOBUFS;
1702
1703	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1704			tcp->data_payload_max))
1705		return -ENOBUFS;
1706
1707	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1708			tcp->data_payload_max))
1709		return -ENOBUFS;
1710
1711	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1712		return -ENOBUFS;
1713
1714	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1715				sizeof(*tcp->tok), tcp->tok))
1716		return -ENOBUFS;
1717
1718	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1719			tcp->data_interval_max))
1720		return -ENOBUFS;
1721
1722	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1723			tcp->wake_payload_max))
1724		return -ENOBUFS;
1725
1726	nla_nest_end(msg, nl_tcp);
1727	return 0;
1728}
1729
1730static int nl80211_send_wowlan(struct sk_buff *msg,
1731			       struct cfg80211_registered_device *rdev,
1732			       bool large)
1733{
1734	struct nlattr *nl_wowlan;
1735
1736	if (!rdev->wiphy.wowlan)
1737		return 0;
1738
1739	nl_wowlan = nla_nest_start_noflag(msg,
1740					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1741	if (!nl_wowlan)
1742		return -ENOBUFS;
1743
1744	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1745	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1746	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1747	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1748	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1749	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1750	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1751	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1752	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1753	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1754	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1755	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1756	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1757	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1758	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1759	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1760		return -ENOBUFS;
1761
1762	if (rdev->wiphy.wowlan->n_patterns) {
1763		struct nl80211_pattern_support pat = {
1764			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1765			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1766			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1767			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1768		};
1769
1770		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1771			    sizeof(pat), &pat))
1772			return -ENOBUFS;
1773	}
1774
1775	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1776	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1777			rdev->wiphy.wowlan->max_nd_match_sets))
1778		return -ENOBUFS;
1779
1780	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1781		return -ENOBUFS;
1782
1783	nla_nest_end(msg, nl_wowlan);
1784
1785	return 0;
1786}
1787#endif
1788
1789static int nl80211_send_coalesce(struct sk_buff *msg,
1790				 struct cfg80211_registered_device *rdev)
1791{
1792	struct nl80211_coalesce_rule_support rule;
1793
1794	if (!rdev->wiphy.coalesce)
1795		return 0;
1796
1797	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1798	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1799	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1800	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1801	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1802	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1803
1804	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1805		return -ENOBUFS;
1806
1807	return 0;
1808}
1809
1810static int
1811nl80211_send_iftype_data(struct sk_buff *msg,
1812			 const struct ieee80211_supported_band *sband,
1813			 const struct ieee80211_sband_iftype_data *iftdata)
1814{
1815	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1816	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1817
1818	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1819				iftdata->types_mask))
1820		return -ENOBUFS;
1821
1822	if (he_cap->has_he) {
1823		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1824			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1825			    he_cap->he_cap_elem.mac_cap_info) ||
1826		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1827			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1828			    he_cap->he_cap_elem.phy_cap_info) ||
1829		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1830			    sizeof(he_cap->he_mcs_nss_supp),
1831			    &he_cap->he_mcs_nss_supp) ||
1832		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1833			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1834			return -ENOBUFS;
1835	}
1836
1837	if (eht_cap->has_eht && he_cap->has_he) {
1838		u8 mcs_nss_size, ppe_thresh_size;
1839		u16 ppe_thres_hdr;
1840		bool is_ap;
1841
1842		is_ap = iftdata->types_mask & BIT(NL80211_IFTYPE_AP) ||
1843			iftdata->types_mask & BIT(NL80211_IFTYPE_P2P_GO);
1844
1845		mcs_nss_size =
1846			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
1847						   &eht_cap->eht_cap_elem,
1848						   is_ap);
1849
1850		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
1851		ppe_thresh_size =
1852			ieee80211_eht_ppe_size(ppe_thres_hdr,
1853					       eht_cap->eht_cap_elem.phy_cap_info);
1854
1855		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
1856			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
1857			    eht_cap->eht_cap_elem.mac_cap_info) ||
1858		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
1859			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
1860			    eht_cap->eht_cap_elem.phy_cap_info) ||
1861		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
1862			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
1863		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
1864			    ppe_thresh_size, eht_cap->eht_ppe_thres))
1865			return -ENOBUFS;
1866	}
1867
1868	if (sband->band == NL80211_BAND_6GHZ &&
1869	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1870		    sizeof(iftdata->he_6ghz_capa),
1871		    &iftdata->he_6ghz_capa))
1872		return -ENOBUFS;
1873
1874	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1875	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1876		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1877		return -ENOBUFS;
1878
1879	return 0;
1880}
1881
1882static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1883				      struct ieee80211_supported_band *sband,
1884				      bool large)
1885{
1886	struct nlattr *nl_rates, *nl_rate;
1887	struct ieee80211_rate *rate;
1888	int i;
1889
1890	/* add HT info */
1891	if (sband->ht_cap.ht_supported &&
1892	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1893		     sizeof(sband->ht_cap.mcs),
1894		     &sband->ht_cap.mcs) ||
1895	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1896			 sband->ht_cap.cap) ||
1897	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1898			sband->ht_cap.ampdu_factor) ||
1899	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1900			sband->ht_cap.ampdu_density)))
1901		return -ENOBUFS;
1902
1903	/* add VHT info */
1904	if (sband->vht_cap.vht_supported &&
1905	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1906		     sizeof(sband->vht_cap.vht_mcs),
1907		     &sband->vht_cap.vht_mcs) ||
1908	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1909			 sband->vht_cap.cap)))
1910		return -ENOBUFS;
1911
1912	if (large && sband->n_iftype_data) {
1913		struct nlattr *nl_iftype_data =
1914			nla_nest_start_noflag(msg,
1915					      NL80211_BAND_ATTR_IFTYPE_DATA);
1916		int err;
1917
1918		if (!nl_iftype_data)
1919			return -ENOBUFS;
1920
1921		for (i = 0; i < sband->n_iftype_data; i++) {
1922			struct nlattr *iftdata;
1923
1924			iftdata = nla_nest_start_noflag(msg, i + 1);
1925			if (!iftdata)
1926				return -ENOBUFS;
1927
1928			err = nl80211_send_iftype_data(msg, sband,
1929						       &sband->iftype_data[i]);
1930			if (err)
1931				return err;
1932
1933			nla_nest_end(msg, iftdata);
1934		}
1935
1936		nla_nest_end(msg, nl_iftype_data);
1937	}
1938
1939	/* add EDMG info */
1940	if (large && sband->edmg_cap.channels &&
1941	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1942		       sband->edmg_cap.channels) ||
1943	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1944		       sband->edmg_cap.bw_config)))
1945
1946		return -ENOBUFS;
1947
1948	/* add bitrates */
1949	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1950	if (!nl_rates)
1951		return -ENOBUFS;
1952
1953	for (i = 0; i < sband->n_bitrates; i++) {
1954		nl_rate = nla_nest_start_noflag(msg, i);
1955		if (!nl_rate)
1956			return -ENOBUFS;
1957
1958		rate = &sband->bitrates[i];
1959		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1960				rate->bitrate))
1961			return -ENOBUFS;
1962		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1963		    nla_put_flag(msg,
1964				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1965			return -ENOBUFS;
1966
1967		nla_nest_end(msg, nl_rate);
1968	}
1969
1970	nla_nest_end(msg, nl_rates);
1971
1972	/* S1G capabilities */
1973	if (sband->band == NL80211_BAND_S1GHZ && sband->s1g_cap.s1g &&
1974	    (nla_put(msg, NL80211_BAND_ATTR_S1G_CAPA,
1975		     sizeof(sband->s1g_cap.cap),
1976		     sband->s1g_cap.cap) ||
1977	     nla_put(msg, NL80211_BAND_ATTR_S1G_MCS_NSS_SET,
1978		     sizeof(sband->s1g_cap.nss_mcs),
1979		     sband->s1g_cap.nss_mcs)))
1980		return -ENOBUFS;
1981
1982	return 0;
1983}
1984
1985static int
1986nl80211_send_mgmt_stypes(struct sk_buff *msg,
1987			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1988{
1989	u16 stypes;
1990	struct nlattr *nl_ftypes, *nl_ifs;
1991	enum nl80211_iftype ift;
1992	int i;
1993
1994	if (!mgmt_stypes)
1995		return 0;
1996
1997	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1998	if (!nl_ifs)
1999		return -ENOBUFS;
2000
2001	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2002		nl_ftypes = nla_nest_start_noflag(msg, ift);
2003		if (!nl_ftypes)
2004			return -ENOBUFS;
2005		i = 0;
2006		stypes = mgmt_stypes[ift].tx;
2007		while (stypes) {
2008			if ((stypes & 1) &&
2009			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2010					(i << 4) | IEEE80211_FTYPE_MGMT))
2011				return -ENOBUFS;
2012			stypes >>= 1;
2013			i++;
2014		}
2015		nla_nest_end(msg, nl_ftypes);
2016	}
2017
2018	nla_nest_end(msg, nl_ifs);
2019
2020	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
2021	if (!nl_ifs)
2022		return -ENOBUFS;
2023
2024	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2025		nl_ftypes = nla_nest_start_noflag(msg, ift);
2026		if (!nl_ftypes)
2027			return -ENOBUFS;
2028		i = 0;
2029		stypes = mgmt_stypes[ift].rx;
2030		while (stypes) {
2031			if ((stypes & 1) &&
2032			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2033					(i << 4) | IEEE80211_FTYPE_MGMT))
2034				return -ENOBUFS;
2035			stypes >>= 1;
2036			i++;
2037		}
2038		nla_nest_end(msg, nl_ftypes);
2039	}
2040	nla_nest_end(msg, nl_ifs);
2041
2042	return 0;
2043}
2044
2045#define CMD(op, n)							\
2046	 do {								\
2047		if (rdev->ops->op) {					\
2048			i++;						\
2049			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2050				goto nla_put_failure;			\
2051		}							\
2052	} while (0)
2053
2054static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2055					struct sk_buff *msg)
2056{
2057	int i = 0;
2058
2059	/*
2060	 * do *NOT* add anything into this function, new things need to be
2061	 * advertised only to new versions of userspace that can deal with
2062	 * the split (and they can't possibly care about new features...
2063	 */
2064	CMD(add_virtual_intf, NEW_INTERFACE);
2065	CMD(change_virtual_intf, SET_INTERFACE);
2066	CMD(add_key, NEW_KEY);
2067	CMD(start_ap, START_AP);
2068	CMD(add_station, NEW_STATION);
2069	CMD(add_mpath, NEW_MPATH);
2070	CMD(update_mesh_config, SET_MESH_CONFIG);
2071	CMD(change_bss, SET_BSS);
2072	CMD(auth, AUTHENTICATE);
2073	CMD(assoc, ASSOCIATE);
2074	CMD(deauth, DEAUTHENTICATE);
2075	CMD(disassoc, DISASSOCIATE);
2076	CMD(join_ibss, JOIN_IBSS);
2077	CMD(join_mesh, JOIN_MESH);
2078	CMD(set_pmksa, SET_PMKSA);
2079	CMD(del_pmksa, DEL_PMKSA);
2080	CMD(flush_pmksa, FLUSH_PMKSA);
2081	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2082		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2083	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2084	CMD(mgmt_tx, FRAME);
2085	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2086	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2087		i++;
2088		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2089			goto nla_put_failure;
2090	}
2091	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2092	    rdev->ops->join_mesh) {
2093		i++;
2094		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2095			goto nla_put_failure;
2096	}
2097	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2098		CMD(tdls_mgmt, TDLS_MGMT);
2099		CMD(tdls_oper, TDLS_OPER);
2100	}
2101	if (rdev->wiphy.max_sched_scan_reqs)
2102		CMD(sched_scan_start, START_SCHED_SCAN);
2103	CMD(probe_client, PROBE_CLIENT);
2104	CMD(set_noack_map, SET_NOACK_MAP);
2105	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2106		i++;
2107		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2108			goto nla_put_failure;
2109	}
2110	CMD(start_p2p_device, START_P2P_DEVICE);
2111	CMD(set_mcast_rate, SET_MCAST_RATE);
2112#ifdef CONFIG_NL80211_TESTMODE
2113	CMD(testmode_cmd, TESTMODE);
2114#endif
2115
2116	if (rdev->ops->connect || rdev->ops->auth) {
2117		i++;
2118		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2119			goto nla_put_failure;
2120	}
2121
2122	if (rdev->ops->disconnect || rdev->ops->deauth) {
2123		i++;
2124		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2125			goto nla_put_failure;
2126	}
2127
2128	return i;
2129 nla_put_failure:
2130	return -ENOBUFS;
2131}
2132
2133static int
2134nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2135			   struct sk_buff *msg)
2136{
2137	struct nlattr *ftm;
2138
2139	if (!cap->ftm.supported)
2140		return 0;
2141
2142	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2143	if (!ftm)
2144		return -ENOBUFS;
2145
2146	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2147		return -ENOBUFS;
2148	if (cap->ftm.non_asap &&
2149	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2150		return -ENOBUFS;
2151	if (cap->ftm.request_lci &&
2152	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2153		return -ENOBUFS;
2154	if (cap->ftm.request_civicloc &&
2155	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2156		return -ENOBUFS;
2157	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2158			cap->ftm.preambles))
2159		return -ENOBUFS;
2160	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2161			cap->ftm.bandwidths))
2162		return -ENOBUFS;
2163	if (cap->ftm.max_bursts_exponent >= 0 &&
2164	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2165			cap->ftm.max_bursts_exponent))
2166		return -ENOBUFS;
2167	if (cap->ftm.max_ftms_per_burst &&
2168	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2169			cap->ftm.max_ftms_per_burst))
2170		return -ENOBUFS;
2171	if (cap->ftm.trigger_based &&
2172	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2173		return -ENOBUFS;
2174	if (cap->ftm.non_trigger_based &&
2175	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2176		return -ENOBUFS;
2177
2178	nla_nest_end(msg, ftm);
2179	return 0;
2180}
2181
2182static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2183				  struct sk_buff *msg)
2184{
2185	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2186	struct nlattr *pmsr, *caps;
2187
2188	if (!cap)
2189		return 0;
2190
2191	/*
2192	 * we don't need to clean up anything here since the caller
2193	 * will genlmsg_cancel() if we fail
2194	 */
2195
2196	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2197	if (!pmsr)
2198		return -ENOBUFS;
2199
2200	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2201		return -ENOBUFS;
2202
2203	if (cap->report_ap_tsf &&
2204	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2205		return -ENOBUFS;
2206
2207	if (cap->randomize_mac_addr &&
2208	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2209		return -ENOBUFS;
2210
2211	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2212	if (!caps)
2213		return -ENOBUFS;
2214
2215	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2216		return -ENOBUFS;
2217
2218	nla_nest_end(msg, caps);
2219	nla_nest_end(msg, pmsr);
2220
2221	return 0;
2222}
2223
2224static int
2225nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2226			      struct sk_buff *msg)
2227{
2228	int i;
2229	struct nlattr *nested, *nested_akms;
2230	const struct wiphy_iftype_akm_suites *iftype_akms;
2231
2232	if (!rdev->wiphy.num_iftype_akm_suites ||
2233	    !rdev->wiphy.iftype_akm_suites)
2234		return 0;
2235
2236	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2237	if (!nested)
2238		return -ENOBUFS;
2239
2240	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2241		nested_akms = nla_nest_start(msg, i + 1);
2242		if (!nested_akms)
2243			return -ENOBUFS;
2244
2245		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2246
2247		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2248					iftype_akms->iftypes_mask))
2249			return -ENOBUFS;
2250
2251		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2252			    sizeof(u32) * iftype_akms->n_akm_suites,
2253			    iftype_akms->akm_suites)) {
2254			return -ENOBUFS;
2255		}
2256		nla_nest_end(msg, nested_akms);
2257	}
2258
2259	nla_nest_end(msg, nested);
2260
2261	return 0;
2262}
2263
2264static int
2265nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2266			       struct sk_buff *msg)
2267{
2268	struct nlattr *supp;
2269
2270	if (!rdev->wiphy.tid_config_support.vif &&
2271	    !rdev->wiphy.tid_config_support.peer)
2272		return 0;
2273
2274	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2275	if (!supp)
2276		return -ENOSPC;
2277
2278	if (rdev->wiphy.tid_config_support.vif &&
2279	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2280			      rdev->wiphy.tid_config_support.vif,
2281			      NL80211_TID_CONFIG_ATTR_PAD))
2282		goto fail;
2283
2284	if (rdev->wiphy.tid_config_support.peer &&
2285	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2286			      rdev->wiphy.tid_config_support.peer,
2287			      NL80211_TID_CONFIG_ATTR_PAD))
2288		goto fail;
2289
2290	/* for now we just use the same value ... makes more sense */
2291	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2292		       rdev->wiphy.tid_config_support.max_retry))
2293		goto fail;
2294	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2295		       rdev->wiphy.tid_config_support.max_retry))
2296		goto fail;
2297
2298	nla_nest_end(msg, supp);
2299
2300	return 0;
2301fail:
2302	nla_nest_cancel(msg, supp);
2303	return -ENOBUFS;
2304}
2305
2306static int
2307nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2308		      struct sk_buff *msg)
2309{
2310	struct nlattr *sar_capa, *specs, *sub_freq_range;
2311	u8 num_freq_ranges;
2312	int i;
2313
2314	if (!rdev->wiphy.sar_capa)
2315		return 0;
2316
2317	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2318
2319	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2320	if (!sar_capa)
2321		return -ENOSPC;
2322
2323	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2324		goto fail;
2325
2326	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2327	if (!specs)
2328		goto fail;
2329
2330	/* report supported freq_ranges */
2331	for (i = 0; i < num_freq_ranges; i++) {
2332		sub_freq_range = nla_nest_start(msg, i + 1);
2333		if (!sub_freq_range)
2334			goto fail;
2335
2336		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2337				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2338			goto fail;
2339
2340		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2341				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2342			goto fail;
2343
2344		nla_nest_end(msg, sub_freq_range);
2345	}
2346
2347	nla_nest_end(msg, specs);
2348	nla_nest_end(msg, sar_capa);
2349
2350	return 0;
2351fail:
2352	nla_nest_cancel(msg, sar_capa);
2353	return -ENOBUFS;
2354}
2355
2356static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2357{
2358	struct nlattr *config;
2359
2360	if (!wiphy->mbssid_max_interfaces)
2361		return 0;
2362
2363	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2364	if (!config)
2365		return -ENOBUFS;
2366
2367	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2368		       wiphy->mbssid_max_interfaces))
2369		goto fail;
2370
2371	if (wiphy->ema_max_profile_periodicity &&
2372	    nla_put_u8(msg,
2373		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2374		       wiphy->ema_max_profile_periodicity))
2375		goto fail;
2376
2377	nla_nest_end(msg, config);
2378	return 0;
2379
2380fail:
2381	nla_nest_cancel(msg, config);
2382	return -ENOBUFS;
2383}
2384
2385struct nl80211_dump_wiphy_state {
2386	s64 filter_wiphy;
2387	long start;
2388	long split_start, band_start, chan_start, capa_start;
2389	bool split;
2390};
2391
2392static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2393			      enum nl80211_commands cmd,
2394			      struct sk_buff *msg, u32 portid, u32 seq,
2395			      int flags, struct nl80211_dump_wiphy_state *state)
2396{
2397	void *hdr;
2398	struct nlattr *nl_bands, *nl_band;
2399	struct nlattr *nl_freqs, *nl_freq;
2400	struct nlattr *nl_cmds;
2401	enum nl80211_band band;
2402	struct ieee80211_channel *chan;
2403	int i;
2404	const struct ieee80211_txrx_stypes *mgmt_stypes =
2405				rdev->wiphy.mgmt_stypes;
2406	u32 features;
2407
2408	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2409	if (!hdr)
2410		return -ENOBUFS;
2411
2412	if (WARN_ON(!state))
2413		return -EINVAL;
2414
2415	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2416	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2417			   wiphy_name(&rdev->wiphy)) ||
2418	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2419			cfg80211_rdev_list_generation))
2420		goto nla_put_failure;
2421
2422	if (cmd != NL80211_CMD_NEW_WIPHY)
2423		goto finish;
2424
2425	switch (state->split_start) {
2426	case 0:
2427		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2428			       rdev->wiphy.retry_short) ||
2429		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2430			       rdev->wiphy.retry_long) ||
2431		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2432				rdev->wiphy.frag_threshold) ||
2433		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2434				rdev->wiphy.rts_threshold) ||
2435		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2436			       rdev->wiphy.coverage_class) ||
2437		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2438			       rdev->wiphy.max_scan_ssids) ||
2439		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2440			       rdev->wiphy.max_sched_scan_ssids) ||
2441		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2442				rdev->wiphy.max_scan_ie_len) ||
2443		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2444				rdev->wiphy.max_sched_scan_ie_len) ||
2445		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2446			       rdev->wiphy.max_match_sets))
2447			goto nla_put_failure;
2448
2449		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2450		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2451			goto nla_put_failure;
2452		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2453		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2454			goto nla_put_failure;
2455		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2456		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2457			goto nla_put_failure;
2458		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2459		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2460			goto nla_put_failure;
2461		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2462		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2463			goto nla_put_failure;
2464		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2465		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2466			goto nla_put_failure;
2467		state->split_start++;
2468		if (state->split)
2469			break;
2470		fallthrough;
2471	case 1:
2472		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2473			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2474			    rdev->wiphy.cipher_suites))
2475			goto nla_put_failure;
2476
2477		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2478			       rdev->wiphy.max_num_pmkids))
2479			goto nla_put_failure;
2480
2481		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2482		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2483			goto nla_put_failure;
2484
2485		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2486				rdev->wiphy.available_antennas_tx) ||
2487		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2488				rdev->wiphy.available_antennas_rx))
2489			goto nla_put_failure;
2490
2491		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2492		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2493				rdev->wiphy.probe_resp_offload))
2494			goto nla_put_failure;
2495
2496		if ((rdev->wiphy.available_antennas_tx ||
2497		     rdev->wiphy.available_antennas_rx) &&
2498		    rdev->ops->get_antenna) {
2499			u32 tx_ant = 0, rx_ant = 0;
2500			int res;
2501
2502			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2503			if (!res) {
2504				if (nla_put_u32(msg,
2505						NL80211_ATTR_WIPHY_ANTENNA_TX,
2506						tx_ant) ||
2507				    nla_put_u32(msg,
2508						NL80211_ATTR_WIPHY_ANTENNA_RX,
2509						rx_ant))
2510					goto nla_put_failure;
2511			}
2512		}
2513
2514		state->split_start++;
2515		if (state->split)
2516			break;
2517		fallthrough;
2518	case 2:
2519		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2520					rdev->wiphy.interface_modes))
2521				goto nla_put_failure;
2522		state->split_start++;
2523		if (state->split)
2524			break;
2525		fallthrough;
2526	case 3:
2527		nl_bands = nla_nest_start_noflag(msg,
2528						 NL80211_ATTR_WIPHY_BANDS);
2529		if (!nl_bands)
2530			goto nla_put_failure;
2531
2532		for (band = state->band_start;
2533		     band < (state->split ?
2534				NUM_NL80211_BANDS :
2535				NL80211_BAND_60GHZ + 1);
2536		     band++) {
2537			struct ieee80211_supported_band *sband;
2538
2539			/* omit higher bands for ancient software */
2540			if (band > NL80211_BAND_5GHZ && !state->split)
2541				break;
2542
2543			sband = rdev->wiphy.bands[band];
2544
2545			if (!sband)
2546				continue;
2547
2548			nl_band = nla_nest_start_noflag(msg, band);
2549			if (!nl_band)
2550				goto nla_put_failure;
2551
2552			switch (state->chan_start) {
2553			case 0:
2554				if (nl80211_send_band_rateinfo(msg, sband,
2555							       state->split))
2556					goto nla_put_failure;
2557				state->chan_start++;
2558				if (state->split)
2559					break;
2560				fallthrough;
2561			default:
2562				/* add frequencies */
2563				nl_freqs = nla_nest_start_noflag(msg,
2564								 NL80211_BAND_ATTR_FREQS);
2565				if (!nl_freqs)
2566					goto nla_put_failure;
2567
2568				for (i = state->chan_start - 1;
2569				     i < sband->n_channels;
2570				     i++) {
2571					nl_freq = nla_nest_start_noflag(msg,
2572									i);
2573					if (!nl_freq)
2574						goto nla_put_failure;
2575
2576					chan = &sband->channels[i];
2577
2578					if (nl80211_msg_put_channel(
2579							msg, &rdev->wiphy, chan,
2580							state->split))
2581						goto nla_put_failure;
2582
2583					nla_nest_end(msg, nl_freq);
2584					if (state->split)
2585						break;
2586				}
2587				if (i < sband->n_channels)
2588					state->chan_start = i + 2;
2589				else
2590					state->chan_start = 0;
2591				nla_nest_end(msg, nl_freqs);
2592			}
2593
2594			nla_nest_end(msg, nl_band);
2595
2596			if (state->split) {
2597				/* start again here */
2598				if (state->chan_start)
2599					band--;
2600				break;
2601			}
2602		}
2603		nla_nest_end(msg, nl_bands);
2604
2605		if (band < NUM_NL80211_BANDS)
2606			state->band_start = band + 1;
2607		else
2608			state->band_start = 0;
2609
2610		/* if bands & channels are done, continue outside */
2611		if (state->band_start == 0 && state->chan_start == 0)
2612			state->split_start++;
2613		if (state->split)
2614			break;
2615		fallthrough;
2616	case 4:
2617		nl_cmds = nla_nest_start_noflag(msg,
2618						NL80211_ATTR_SUPPORTED_COMMANDS);
2619		if (!nl_cmds)
2620			goto nla_put_failure;
2621
2622		i = nl80211_add_commands_unsplit(rdev, msg);
2623		if (i < 0)
2624			goto nla_put_failure;
2625		if (state->split) {
2626			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2627			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2628			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2629				CMD(channel_switch, CHANNEL_SWITCH);
2630			CMD(set_qos_map, SET_QOS_MAP);
2631			if (rdev->wiphy.features &
2632					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2633				CMD(add_tx_ts, ADD_TX_TS);
2634			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2635			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2636			CMD(update_ft_ies, UPDATE_FT_IES);
2637			if (rdev->wiphy.sar_capa)
2638				CMD(set_sar_specs, SET_SAR_SPECS);
2639		}
2640#undef CMD
2641
2642		nla_nest_end(msg, nl_cmds);
2643		state->split_start++;
2644		if (state->split)
2645			break;
2646		fallthrough;
2647	case 5:
2648		if (rdev->ops->remain_on_channel &&
2649		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2650		    nla_put_u32(msg,
2651				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2652				rdev->wiphy.max_remain_on_channel_duration))
2653			goto nla_put_failure;
2654
2655		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2656		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2657			goto nla_put_failure;
2658
2659		state->split_start++;
2660		if (state->split)
2661			break;
2662		fallthrough;
2663	case 6:
2664#ifdef CONFIG_PM
2665		if (nl80211_send_wowlan(msg, rdev, state->split))
2666			goto nla_put_failure;
2667		state->split_start++;
2668		if (state->split)
2669			break;
2670#else
2671		state->split_start++;
2672#endif
2673		fallthrough;
2674	case 7:
2675		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2676					rdev->wiphy.software_iftypes))
2677			goto nla_put_failure;
2678
2679		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2680						   state->split))
2681			goto nla_put_failure;
2682
2683		state->split_start++;
2684		if (state->split)
2685			break;
2686		fallthrough;
2687	case 8:
2688		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2689		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2690				rdev->wiphy.ap_sme_capa))
2691			goto nla_put_failure;
2692
2693		features = rdev->wiphy.features;
2694		/*
2695		 * We can only add the per-channel limit information if the
2696		 * dump is split, otherwise it makes it too big. Therefore
2697		 * only advertise it in that case.
2698		 */
2699		if (state->split)
2700			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2701		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2702			goto nla_put_failure;
2703
2704		if (rdev->wiphy.ht_capa_mod_mask &&
2705		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2706			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2707			    rdev->wiphy.ht_capa_mod_mask))
2708			goto nla_put_failure;
2709
2710		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2711		    rdev->wiphy.max_acl_mac_addrs &&
2712		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2713				rdev->wiphy.max_acl_mac_addrs))
2714			goto nla_put_failure;
2715
2716		/*
2717		 * Any information below this point is only available to
2718		 * applications that can deal with it being split. This
2719		 * helps ensure that newly added capabilities don't break
2720		 * older tools by overrunning their buffers.
2721		 *
2722		 * We still increment split_start so that in the split
2723		 * case we'll continue with more data in the next round,
2724		 * but break unconditionally so unsplit data stops here.
2725		 */
2726		if (state->split)
2727			state->split_start++;
2728		else
2729			state->split_start = 0;
2730		break;
2731	case 9:
2732		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2733			goto nla_put_failure;
2734
2735		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2736				rdev->wiphy.max_sched_scan_plans) ||
2737		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2738				rdev->wiphy.max_sched_scan_plan_interval) ||
2739		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2740				rdev->wiphy.max_sched_scan_plan_iterations))
2741			goto nla_put_failure;
2742
2743		if (rdev->wiphy.extended_capabilities &&
2744		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2745			     rdev->wiphy.extended_capabilities_len,
2746			     rdev->wiphy.extended_capabilities) ||
2747		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2748			     rdev->wiphy.extended_capabilities_len,
2749			     rdev->wiphy.extended_capabilities_mask)))
2750			goto nla_put_failure;
2751
2752		if (rdev->wiphy.vht_capa_mod_mask &&
2753		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2754			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2755			    rdev->wiphy.vht_capa_mod_mask))
2756			goto nla_put_failure;
2757
2758		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2759			    rdev->wiphy.perm_addr))
2760			goto nla_put_failure;
2761
2762		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2763		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2764			    rdev->wiphy.addr_mask))
2765			goto nla_put_failure;
2766
2767		if (rdev->wiphy.n_addresses > 1) {
2768			void *attr;
2769
2770			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2771			if (!attr)
2772				goto nla_put_failure;
2773
2774			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2775				if (nla_put(msg, i + 1, ETH_ALEN,
2776					    rdev->wiphy.addresses[i].addr))
2777					goto nla_put_failure;
2778
2779			nla_nest_end(msg, attr);
2780		}
2781
2782		state->split_start++;
2783		break;
2784	case 10:
2785		if (nl80211_send_coalesce(msg, rdev))
2786			goto nla_put_failure;
2787
2788		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2789		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2790		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2791			goto nla_put_failure;
2792
2793		if (rdev->wiphy.max_ap_assoc_sta &&
2794		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2795				rdev->wiphy.max_ap_assoc_sta))
2796			goto nla_put_failure;
2797
2798		state->split_start++;
2799		break;
2800	case 11:
2801		if (rdev->wiphy.n_vendor_commands) {
2802			const struct nl80211_vendor_cmd_info *info;
2803			struct nlattr *nested;
2804
2805			nested = nla_nest_start_noflag(msg,
2806						       NL80211_ATTR_VENDOR_DATA);
2807			if (!nested)
2808				goto nla_put_failure;
2809
2810			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2811				info = &rdev->wiphy.vendor_commands[i].info;
2812				if (nla_put(msg, i + 1, sizeof(*info), info))
2813					goto nla_put_failure;
2814			}
2815			nla_nest_end(msg, nested);
2816		}
2817
2818		if (rdev->wiphy.n_vendor_events) {
2819			const struct nl80211_vendor_cmd_info *info;
2820			struct nlattr *nested;
2821
2822			nested = nla_nest_start_noflag(msg,
2823						       NL80211_ATTR_VENDOR_EVENTS);
2824			if (!nested)
2825				goto nla_put_failure;
2826
2827			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2828				info = &rdev->wiphy.vendor_events[i];
2829				if (nla_put(msg, i + 1, sizeof(*info), info))
2830					goto nla_put_failure;
2831			}
2832			nla_nest_end(msg, nested);
2833		}
2834		state->split_start++;
2835		break;
2836	case 12:
2837		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2838		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2839			       rdev->wiphy.max_num_csa_counters))
2840			goto nla_put_failure;
2841
2842		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2843		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2844			goto nla_put_failure;
2845
2846		if (rdev->wiphy.max_sched_scan_reqs &&
2847		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2848				rdev->wiphy.max_sched_scan_reqs))
2849			goto nla_put_failure;
2850
2851		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2852			    sizeof(rdev->wiphy.ext_features),
2853			    rdev->wiphy.ext_features))
2854			goto nla_put_failure;
2855
2856		if (rdev->wiphy.bss_select_support) {
2857			struct nlattr *nested;
2858			u32 bss_select_support = rdev->wiphy.bss_select_support;
2859
2860			nested = nla_nest_start_noflag(msg,
2861						       NL80211_ATTR_BSS_SELECT);
2862			if (!nested)
2863				goto nla_put_failure;
2864
2865			i = 0;
2866			while (bss_select_support) {
2867				if ((bss_select_support & 1) &&
2868				    nla_put_flag(msg, i))
2869					goto nla_put_failure;
2870				i++;
2871				bss_select_support >>= 1;
2872			}
2873			nla_nest_end(msg, nested);
2874		}
2875
2876		state->split_start++;
2877		break;
2878	case 13:
2879		if (rdev->wiphy.num_iftype_ext_capab &&
2880		    rdev->wiphy.iftype_ext_capab) {
2881			struct nlattr *nested_ext_capab, *nested;
2882
2883			nested = nla_nest_start_noflag(msg,
2884						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2885			if (!nested)
2886				goto nla_put_failure;
2887
2888			for (i = state->capa_start;
2889			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2890				const struct wiphy_iftype_ext_capab *capab;
2891
2892				capab = &rdev->wiphy.iftype_ext_capab[i];
2893
2894				nested_ext_capab = nla_nest_start_noflag(msg,
2895									 i);
2896				if (!nested_ext_capab ||
2897				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2898						capab->iftype) ||
2899				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2900					    capab->extended_capabilities_len,
2901					    capab->extended_capabilities) ||
2902				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2903					    capab->extended_capabilities_len,
2904					    capab->extended_capabilities_mask))
2905					goto nla_put_failure;
2906
2907				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
2908				    (nla_put_u16(msg,
2909						 NL80211_ATTR_EML_CAPABILITY,
2910						 capab->eml_capabilities) ||
2911				     nla_put_u16(msg,
2912						 NL80211_ATTR_MLD_CAPA_AND_OPS,
2913						 capab->mld_capa_and_ops)))
2914					goto nla_put_failure;
2915
2916				nla_nest_end(msg, nested_ext_capab);
2917				if (state->split)
2918					break;
2919			}
2920			nla_nest_end(msg, nested);
2921			if (i < rdev->wiphy.num_iftype_ext_capab) {
2922				state->capa_start = i + 1;
2923				break;
2924			}
2925		}
2926
2927		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2928				rdev->wiphy.nan_supported_bands))
2929			goto nla_put_failure;
2930
2931		if (wiphy_ext_feature_isset(&rdev->wiphy,
2932					    NL80211_EXT_FEATURE_TXQS)) {
2933			struct cfg80211_txq_stats txqstats = {};
2934			int res;
2935
2936			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2937			if (!res &&
2938			    !nl80211_put_txq_stats(msg, &txqstats,
2939						   NL80211_ATTR_TXQ_STATS))
2940				goto nla_put_failure;
2941
2942			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2943					rdev->wiphy.txq_limit))
2944				goto nla_put_failure;
2945			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2946					rdev->wiphy.txq_memory_limit))
2947				goto nla_put_failure;
2948			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2949					rdev->wiphy.txq_quantum))
2950				goto nla_put_failure;
2951		}
2952
2953		state->split_start++;
2954		break;
2955	case 14:
2956		if (nl80211_send_pmsr_capa(rdev, msg))
2957			goto nla_put_failure;
2958
2959		state->split_start++;
2960		break;
2961	case 15:
2962		if (rdev->wiphy.akm_suites &&
2963		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2964			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2965			    rdev->wiphy.akm_suites))
2966			goto nla_put_failure;
2967
2968		if (nl80211_put_iftype_akm_suites(rdev, msg))
2969			goto nla_put_failure;
2970
2971		if (nl80211_put_tid_config_support(rdev, msg))
2972			goto nla_put_failure;
2973		state->split_start++;
2974		break;
2975	case 16:
2976		if (nl80211_put_sar_specs(rdev, msg))
2977			goto nla_put_failure;
2978
2979		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
2980			goto nla_put_failure;
2981
2982		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
2983				rdev->wiphy.max_num_akm_suites))
2984			goto nla_put_failure;
2985
2986		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
2987			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
2988
2989		if (rdev->wiphy.hw_timestamp_max_peers &&
2990		    nla_put_u16(msg, NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
2991				rdev->wiphy.hw_timestamp_max_peers))
2992			goto nla_put_failure;
2993
2994		/* done */
2995		state->split_start = 0;
2996		break;
2997	}
2998 finish:
2999	genlmsg_end(msg, hdr);
3000	return 0;
3001
3002 nla_put_failure:
3003	genlmsg_cancel(msg, hdr);
3004	return -EMSGSIZE;
3005}
3006
3007static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
3008				    struct netlink_callback *cb,
3009				    struct nl80211_dump_wiphy_state *state)
3010{
3011	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
3012	int ret;
3013
3014	if (!tb)
3015		return -ENOMEM;
3016
3017	ret = nlmsg_parse_deprecated(cb->nlh,
3018				     GENL_HDRLEN + nl80211_fam.hdrsize,
3019				     tb, nl80211_fam.maxattr,
3020				     nl80211_policy, NULL);
3021	/* ignore parse errors for backward compatibility */
3022	if (ret) {
3023		ret = 0;
3024		goto out;
3025	}
3026
3027	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
3028	if (tb[NL80211_ATTR_WIPHY])
3029		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
3030	if (tb[NL80211_ATTR_WDEV])
3031		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
3032	if (tb[NL80211_ATTR_IFINDEX]) {
3033		struct net_device *netdev;
3034		struct cfg80211_registered_device *rdev;
3035		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3036
3037		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3038		if (!netdev) {
3039			ret = -ENODEV;
3040			goto out;
3041		}
3042		if (netdev->ieee80211_ptr) {
3043			rdev = wiphy_to_rdev(
3044				netdev->ieee80211_ptr->wiphy);
3045			state->filter_wiphy = rdev->wiphy_idx;
3046		}
3047	}
3048
3049	ret = 0;
3050out:
3051	kfree(tb);
3052	return ret;
3053}
3054
3055static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3056{
3057	int idx = 0, ret;
3058	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3059	struct cfg80211_registered_device *rdev;
3060
3061	rtnl_lock();
3062	if (!state) {
3063		state = kzalloc(sizeof(*state), GFP_KERNEL);
3064		if (!state) {
3065			rtnl_unlock();
3066			return -ENOMEM;
3067		}
3068		state->filter_wiphy = -1;
3069		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3070		if (ret) {
3071			kfree(state);
3072			rtnl_unlock();
3073			return ret;
3074		}
3075		cb->args[0] = (long)state;
3076	}
3077
3078	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3079		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3080			continue;
3081		if (++idx <= state->start)
3082			continue;
3083		if (state->filter_wiphy != -1 &&
3084		    state->filter_wiphy != rdev->wiphy_idx)
3085			continue;
3086		wiphy_lock(&rdev->wiphy);
3087		/* attempt to fit multiple wiphy data chunks into the skb */
3088		do {
3089			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3090						 skb,
3091						 NETLINK_CB(cb->skb).portid,
3092						 cb->nlh->nlmsg_seq,
3093						 NLM_F_MULTI, state);
3094			if (ret < 0) {
3095				/*
3096				 * If sending the wiphy data didn't fit (ENOBUFS
3097				 * or EMSGSIZE returned), this SKB is still
3098				 * empty (so it's not too big because another
3099				 * wiphy dataset is already in the skb) and
3100				 * we've not tried to adjust the dump allocation
3101				 * yet ... then adjust the alloc size to be
3102				 * bigger, and return 1 but with the empty skb.
3103				 * This results in an empty message being RX'ed
3104				 * in userspace, but that is ignored.
3105				 *
3106				 * We can then retry with the larger buffer.
3107				 */
3108				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3109				    !skb->len && !state->split &&
3110				    cb->min_dump_alloc < 4096) {
3111					cb->min_dump_alloc = 4096;
3112					state->split_start = 0;
3113					wiphy_unlock(&rdev->wiphy);
3114					rtnl_unlock();
3115					return 1;
3116				}
3117				idx--;
3118				break;
3119			}
3120		} while (state->split_start > 0);
3121		wiphy_unlock(&rdev->wiphy);
3122		break;
3123	}
3124	rtnl_unlock();
3125
3126	state->start = idx;
3127
3128	return skb->len;
3129}
3130
3131static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3132{
3133	kfree((void *)cb->args[0]);
3134	return 0;
3135}
3136
3137static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3138{
3139	struct sk_buff *msg;
3140	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3141	struct nl80211_dump_wiphy_state state = {};
3142
3143	msg = nlmsg_new(4096, GFP_KERNEL);
3144	if (!msg)
3145		return -ENOMEM;
3146
3147	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3148			       info->snd_portid, info->snd_seq, 0,
3149			       &state) < 0) {
3150		nlmsg_free(msg);
3151		return -ENOBUFS;
3152	}
3153
3154	return genlmsg_reply(msg, info);
3155}
3156
3157static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3158	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3159	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3160	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3161	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3162	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3163};
3164
3165static int parse_txq_params(struct nlattr *tb[],
3166			    struct ieee80211_txq_params *txq_params)
3167{
3168	u8 ac;
3169
3170	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3171	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3172	    !tb[NL80211_TXQ_ATTR_AIFS])
3173		return -EINVAL;
3174
3175	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3176	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3177	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3178	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3179	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3180
3181	if (ac >= NL80211_NUM_ACS)
3182		return -EINVAL;
3183	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3184	return 0;
3185}
3186
3187static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3188{
3189	/*
3190	 * You can only set the channel explicitly for some interfaces,
3191	 * most have their channel managed via their respective
3192	 * "establish a connection" command (connect, join, ...)
3193	 *
3194	 * For AP/GO and mesh mode, the channel can be set with the
3195	 * channel userspace API, but is only stored and passed to the
3196	 * low-level driver when the AP starts or the mesh is joined.
3197	 * This is for backward compatibility, userspace can also give
3198	 * the channel in the start-ap or join-mesh commands instead.
3199	 *
3200	 * Monitors are special as they are normally slaved to
3201	 * whatever else is going on, so they have their own special
3202	 * operation to set the monitor channel if possible.
3203	 */
3204	return !wdev ||
3205		wdev->iftype == NL80211_IFTYPE_AP ||
3206		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3207		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3208		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3209}
3210
3211static int nl80211_parse_punct_bitmap(struct cfg80211_registered_device *rdev,
3212				      struct genl_info *info,
3213				      const struct cfg80211_chan_def *chandef,
3214				      u16 *punct_bitmap)
3215{
3216	if (!wiphy_ext_feature_isset(&rdev->wiphy, NL80211_EXT_FEATURE_PUNCT))
3217		return -EINVAL;
3218
3219	*punct_bitmap = nla_get_u32(info->attrs[NL80211_ATTR_PUNCT_BITMAP]);
3220	if (!cfg80211_valid_disable_subchannel_bitmap(punct_bitmap, chandef))
3221		return -EINVAL;
3222
3223	return 0;
3224}
3225
3226int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3227			  struct genl_info *info,
3228			  struct cfg80211_chan_def *chandef)
3229{
3230	struct netlink_ext_ack *extack = info->extack;
3231	struct nlattr **attrs = info->attrs;
3232	u32 control_freq;
3233
3234	if (!attrs[NL80211_ATTR_WIPHY_FREQ]) {
3235		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3236				    "Frequency is missing");
3237		return -EINVAL;
3238	}
3239
3240	control_freq = MHZ_TO_KHZ(
3241			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3242	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3243		control_freq +=
3244		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3245
3246	memset(chandef, 0, sizeof(*chandef));
3247	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3248	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3249	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3250	chandef->freq1_offset = control_freq % 1000;
3251	chandef->center_freq2 = 0;
3252
3253	/* Primary channel not allowed */
3254	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
3255		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3256				    "Channel is disabled");
3257		return -EINVAL;
3258	}
3259
3260	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3261		enum nl80211_channel_type chantype;
3262
3263		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3264
3265		switch (chantype) {
3266		case NL80211_CHAN_NO_HT:
3267		case NL80211_CHAN_HT20:
3268		case NL80211_CHAN_HT40PLUS:
3269		case NL80211_CHAN_HT40MINUS:
3270			cfg80211_chandef_create(chandef, chandef->chan,
3271						chantype);
3272			/* user input for center_freq is incorrect */
3273			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3274			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3275				NL_SET_ERR_MSG_ATTR(extack,
3276						    attrs[NL80211_ATTR_CENTER_FREQ1],
3277						    "bad center frequency 1");
3278				return -EINVAL;
3279			}
3280			/* center_freq2 must be zero */
3281			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3282			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3283				NL_SET_ERR_MSG_ATTR(extack,
3284						    attrs[NL80211_ATTR_CENTER_FREQ2],
3285						    "center frequency 2 can't be used");
3286				return -EINVAL;
3287			}
3288			break;
3289		default:
3290			NL_SET_ERR_MSG_ATTR(extack,
3291					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3292					    "invalid channel type");
3293			return -EINVAL;
3294		}
3295	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3296		chandef->width =
3297			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3298		if (chandef->chan->band == NL80211_BAND_S1GHZ) {
3299			/* User input error for channel width doesn't match channel  */
3300			if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {
3301				NL_SET_ERR_MSG_ATTR(extack,
3302						    attrs[NL80211_ATTR_CHANNEL_WIDTH],
3303						    "bad channel width");
3304				return -EINVAL;
3305			}
3306		}
3307		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3308			chandef->center_freq1 =
3309				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3310			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
3311				chandef->freq1_offset = nla_get_u32(
3312				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
3313			else
3314				chandef->freq1_offset = 0;
3315		}
3316		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3317			chandef->center_freq2 =
3318				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3319	}
3320
3321	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3322		chandef->edmg.channels =
3323		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3324
3325		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3326			chandef->edmg.bw_config =
3327		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3328	} else {
3329		chandef->edmg.bw_config = 0;
3330		chandef->edmg.channels = 0;
3331	}
3332
3333	if (!cfg80211_chandef_valid(chandef)) {
3334		NL_SET_ERR_MSG(extack, "invalid channel definition");
3335		return -EINVAL;
3336	}
3337
3338	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
3339				     IEEE80211_CHAN_DISABLED)) {
3340		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3341		return -EINVAL;
3342	}
3343
3344	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3345	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3346	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3347		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3348		return -EINVAL;
3349	}
3350
3351	return 0;
3352}
3353
3354static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3355				 struct net_device *dev,
3356				 struct genl_info *info,
3357				 int _link_id)
3358{
3359	struct cfg80211_chan_def chandef;
3360	int result;
3361	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3362	struct wireless_dev *wdev = NULL;
3363	int link_id = _link_id;
3364
3365	if (dev)
3366		wdev = dev->ieee80211_ptr;
3367	if (!nl80211_can_set_dev_channel(wdev))
3368		return -EOPNOTSUPP;
3369	if (wdev)
3370		iftype = wdev->iftype;
3371
3372	if (link_id < 0) {
3373		if (wdev && wdev->valid_links)
3374			return -EINVAL;
3375		link_id = 0;
3376	}
3377
3378	result = nl80211_parse_chandef(rdev, info, &chandef);
3379	if (result)
3380		return result;
3381
3382	switch (iftype) {
3383	case NL80211_IFTYPE_AP:
3384	case NL80211_IFTYPE_P2P_GO:
3385		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3386						   iftype))
3387			return -EINVAL;
3388		if (wdev->links[link_id].ap.beacon_interval) {
3389			struct ieee80211_channel *cur_chan;
3390
3391			if (!dev || !rdev->ops->set_ap_chanwidth ||
3392			    !(rdev->wiphy.features &
3393			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3394				return -EBUSY;
3395
3396			/* Only allow dynamic channel width changes */
3397			cur_chan = wdev->links[link_id].ap.chandef.chan;
3398			if (chandef.chan != cur_chan)
3399				return -EBUSY;
3400
3401			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
3402						       &chandef);
3403			if (result)
3404				return result;
3405			wdev->links[link_id].ap.chandef = chandef;
3406		} else {
3407			wdev->u.ap.preset_chandef = chandef;
3408		}
3409		return 0;
3410	case NL80211_IFTYPE_MESH_POINT:
3411		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3412	case NL80211_IFTYPE_MONITOR:
3413		return cfg80211_set_monitor_channel(rdev, &chandef);
3414	default:
3415		break;
3416	}
3417
3418	return -EINVAL;
3419}
3420
3421static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3422{
3423	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3424	int link_id = nl80211_link_id_or_invalid(info->attrs);
3425	struct net_device *netdev = info->user_ptr[1];
3426	int ret;
3427
3428	wdev_lock(netdev->ieee80211_ptr);
3429	ret = __nl80211_set_channel(rdev, netdev, info, link_id);
3430	wdev_unlock(netdev->ieee80211_ptr);
3431
3432	return ret;
3433}
3434
3435static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3436{
3437	struct cfg80211_registered_device *rdev = NULL;
3438	struct net_device *netdev = NULL;
3439	struct wireless_dev *wdev;
3440	int result = 0, rem_txq_params = 0;
3441	struct nlattr *nl_txq_params;
3442	u32 changed;
3443	u8 retry_short = 0, retry_long = 0;
3444	u32 frag_threshold = 0, rts_threshold = 0;
3445	u8 coverage_class = 0;
3446	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3447
3448	rtnl_lock();
3449	/*
3450	 * Try to find the wiphy and netdev. Normally this
3451	 * function shouldn't need the netdev, but this is
3452	 * done for backward compatibility -- previously
3453	 * setting the channel was done per wiphy, but now
3454	 * it is per netdev. Previous userland like hostapd
3455	 * also passed a netdev to set_wiphy, so that it is
3456	 * possible to let that go to the right netdev!
3457	 */
3458
3459	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3460		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3461
3462		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3463		if (netdev && netdev->ieee80211_ptr)
3464			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3465		else
3466			netdev = NULL;
3467	}
3468
3469	if (!netdev) {
3470		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3471						  info->attrs);
3472		if (IS_ERR(rdev)) {
3473			rtnl_unlock();
3474			return PTR_ERR(rdev);
3475		}
3476		wdev = NULL;
3477		netdev = NULL;
3478		result = 0;
3479	} else
3480		wdev = netdev->ieee80211_ptr;
3481
3482	wiphy_lock(&rdev->wiphy);
3483
3484	/*
3485	 * end workaround code, by now the rdev is available
3486	 * and locked, and wdev may or may not be NULL.
3487	 */
3488
3489	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3490		result = cfg80211_dev_rename(
3491			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3492	rtnl_unlock();
3493
3494	if (result)
3495		goto out;
3496
3497	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3498		struct ieee80211_txq_params txq_params;
3499		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3500
3501		if (!rdev->ops->set_txq_params) {
3502			result = -EOPNOTSUPP;
3503			goto out;
3504		}
3505
3506		if (!netdev) {
3507			result = -EINVAL;
3508			goto out;
3509		}
3510
3511		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3512		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3513			result = -EINVAL;
3514			goto out;
3515		}
3516
3517		if (!netif_running(netdev)) {
3518			result = -ENETDOWN;
3519			goto out;
3520		}
3521
3522		nla_for_each_nested(nl_txq_params,
3523				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3524				    rem_txq_params) {
3525			result = nla_parse_nested_deprecated(tb,
3526							     NL80211_TXQ_ATTR_MAX,
3527							     nl_txq_params,
3528							     txq_params_policy,
3529							     info->extack);
3530			if (result)
3531				goto out;
3532			result = parse_txq_params(tb, &txq_params);
3533			if (result)
3534				goto out;
3535
3536			txq_params.link_id =
3537				nl80211_link_id_or_invalid(info->attrs);
3538
3539			wdev_lock(netdev->ieee80211_ptr);
3540			if (txq_params.link_id >= 0 &&
3541			    !(netdev->ieee80211_ptr->valid_links &
3542			      BIT(txq_params.link_id)))
3543				result = -ENOLINK;
3544			else if (txq_params.link_id >= 0 &&
3545				 !netdev->ieee80211_ptr->valid_links)
3546				result = -EINVAL;
3547			else
3548				result = rdev_set_txq_params(rdev, netdev,
3549							     &txq_params);
3550			wdev_unlock(netdev->ieee80211_ptr);
3551			if (result)
3552				goto out;
3553		}
3554	}
3555
3556	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3557		int link_id = nl80211_link_id_or_invalid(info->attrs);
3558
3559		if (wdev) {
3560			wdev_lock(wdev);
3561			result = __nl80211_set_channel(
3562				rdev,
3563				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3564				info, link_id);
3565			wdev_unlock(wdev);
3566		} else {
3567			result = __nl80211_set_channel(rdev, netdev, info, link_id);
3568		}
3569
3570		if (result)
3571			goto out;
3572	}
3573
3574	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3575		struct wireless_dev *txp_wdev = wdev;
3576		enum nl80211_tx_power_setting type;
3577		int idx, mbm = 0;
3578
3579		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3580			txp_wdev = NULL;
3581
3582		if (!rdev->ops->set_tx_power) {
3583			result = -EOPNOTSUPP;
3584			goto out;
3585		}
3586
3587		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3588		type = nla_get_u32(info->attrs[idx]);
3589
3590		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3591		    (type != NL80211_TX_POWER_AUTOMATIC)) {
3592			result = -EINVAL;
3593			goto out;
3594		}
3595
3596		if (type != NL80211_TX_POWER_AUTOMATIC) {
3597			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3598			mbm = nla_get_u32(info->attrs[idx]);
3599		}
3600
3601		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3602		if (result)
3603			goto out;
3604	}
3605
3606	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3607	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3608		u32 tx_ant, rx_ant;
3609
3610		if ((!rdev->wiphy.available_antennas_tx &&
3611		     !rdev->wiphy.available_antennas_rx) ||
3612		    !rdev->ops->set_antenna) {
3613			result = -EOPNOTSUPP;
3614			goto out;
3615		}
3616
3617		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3618		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3619
3620		/* reject antenna configurations which don't match the
3621		 * available antenna masks, except for the "all" mask */
3622		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3623		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
3624			result = -EINVAL;
3625			goto out;
3626		}
3627
3628		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3629		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3630
3631		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3632		if (result)
3633			goto out;
3634	}
3635
3636	changed = 0;
3637
3638	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3639		retry_short = nla_get_u8(
3640			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3641
3642		changed |= WIPHY_PARAM_RETRY_SHORT;
3643	}
3644
3645	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3646		retry_long = nla_get_u8(
3647			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3648
3649		changed |= WIPHY_PARAM_RETRY_LONG;
3650	}
3651
3652	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3653		frag_threshold = nla_get_u32(
3654			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3655		if (frag_threshold < 256) {
3656			result = -EINVAL;
3657			goto out;
3658		}
3659
3660		if (frag_threshold != (u32) -1) {
3661			/*
3662			 * Fragments (apart from the last one) are required to
3663			 * have even length. Make the fragmentation code
3664			 * simpler by stripping LSB should someone try to use
3665			 * odd threshold value.
3666			 */
3667			frag_threshold &= ~0x1;
3668		}
3669		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3670	}
3671
3672	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3673		rts_threshold = nla_get_u32(
3674			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3675		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3676	}
3677
3678	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3679		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3680			result = -EINVAL;
3681			goto out;
3682		}
3683
3684		coverage_class = nla_get_u8(
3685			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3686		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3687	}
3688
3689	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3690		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION)) {
3691			result = -EOPNOTSUPP;
3692			goto out;
3693		}
3694
3695		changed |= WIPHY_PARAM_DYN_ACK;
3696	}
3697
3698	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3699		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3700					     NL80211_EXT_FEATURE_TXQS)) {
3701			result = -EOPNOTSUPP;
3702			goto out;
3703		}
3704		txq_limit = nla_get_u32(
3705			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3706		changed |= WIPHY_PARAM_TXQ_LIMIT;
3707	}
3708
3709	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3710		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3711					     NL80211_EXT_FEATURE_TXQS)) {
3712			result = -EOPNOTSUPP;
3713			goto out;
3714		}
3715		txq_memory_limit = nla_get_u32(
3716			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3717		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3718	}
3719
3720	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3721		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3722					     NL80211_EXT_FEATURE_TXQS)) {
3723			result = -EOPNOTSUPP;
3724			goto out;
3725		}
3726		txq_quantum = nla_get_u32(
3727			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3728		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3729	}
3730
3731	if (changed) {
3732		u8 old_retry_short, old_retry_long;
3733		u32 old_frag_threshold, old_rts_threshold;
3734		u8 old_coverage_class;
3735		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3736
3737		if (!rdev->ops->set_wiphy_params) {
3738			result = -EOPNOTSUPP;
3739			goto out;
3740		}
3741
3742		old_retry_short = rdev->wiphy.retry_short;
3743		old_retry_long = rdev->wiphy.retry_long;
3744		old_frag_threshold = rdev->wiphy.frag_threshold;
3745		old_rts_threshold = rdev->wiphy.rts_threshold;
3746		old_coverage_class = rdev->wiphy.coverage_class;
3747		old_txq_limit = rdev->wiphy.txq_limit;
3748		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3749		old_txq_quantum = rdev->wiphy.txq_quantum;
3750
3751		if (changed & WIPHY_PARAM_RETRY_SHORT)
3752			rdev->wiphy.retry_short = retry_short;
3753		if (changed & WIPHY_PARAM_RETRY_LONG)
3754			rdev->wiphy.retry_long = retry_long;
3755		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3756			rdev->wiphy.frag_threshold = frag_threshold;
3757		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3758			rdev->wiphy.rts_threshold = rts_threshold;
3759		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3760			rdev->wiphy.coverage_class = coverage_class;
3761		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3762			rdev->wiphy.txq_limit = txq_limit;
3763		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3764			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3765		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3766			rdev->wiphy.txq_quantum = txq_quantum;
3767
3768		result = rdev_set_wiphy_params(rdev, changed);
3769		if (result) {
3770			rdev->wiphy.retry_short = old_retry_short;
3771			rdev->wiphy.retry_long = old_retry_long;
3772			rdev->wiphy.frag_threshold = old_frag_threshold;
3773			rdev->wiphy.rts_threshold = old_rts_threshold;
3774			rdev->wiphy.coverage_class = old_coverage_class;
3775			rdev->wiphy.txq_limit = old_txq_limit;
3776			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3777			rdev->wiphy.txq_quantum = old_txq_quantum;
3778			goto out;
3779		}
3780	}
3781
3782	result = 0;
3783
3784out:
3785	wiphy_unlock(&rdev->wiphy);
3786	return result;
3787}
3788
3789int nl80211_send_chandef(struct sk_buff *msg, const struct cfg80211_chan_def *chandef)
3790{
3791	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3792		return -EINVAL;
3793
3794	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3795			chandef->chan->center_freq))
3796		return -ENOBUFS;
3797	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3798			chandef->chan->freq_offset))
3799		return -ENOBUFS;
3800	switch (chandef->width) {
3801	case NL80211_CHAN_WIDTH_20_NOHT:
3802	case NL80211_CHAN_WIDTH_20:
3803	case NL80211_CHAN_WIDTH_40:
3804		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3805				cfg80211_get_chandef_type(chandef)))
3806			return -ENOBUFS;
3807		break;
3808	default:
3809		break;
3810	}
3811	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3812		return -ENOBUFS;
3813	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3814		return -ENOBUFS;
3815	if (chandef->center_freq2 &&
3816	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3817		return -ENOBUFS;
3818	return 0;
3819}
3820EXPORT_SYMBOL(nl80211_send_chandef);
3821
3822static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3823			      struct cfg80211_registered_device *rdev,
3824			      struct wireless_dev *wdev,
3825			      enum nl80211_commands cmd)
3826{
3827	struct net_device *dev = wdev->netdev;
3828	void *hdr;
3829
3830	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3831		cmd != NL80211_CMD_DEL_INTERFACE &&
3832		cmd != NL80211_CMD_SET_INTERFACE);
3833
3834	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3835	if (!hdr)
3836		return -1;
3837
3838	if (dev &&
3839	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3840	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3841		goto nla_put_failure;
3842
3843	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3844	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3845	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3846			      NL80211_ATTR_PAD) ||
3847	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3848	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3849			rdev->devlist_generation ^
3850			(cfg80211_rdev_list_generation << 2)) ||
3851	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3852		goto nla_put_failure;
3853
3854	if (rdev->ops->get_channel && !wdev->valid_links) {
3855		struct cfg80211_chan_def chandef = {};
3856		int ret;
3857
3858		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
3859		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
3860			goto nla_put_failure;
3861	}
3862
3863	if (rdev->ops->get_tx_power) {
3864		int dbm, ret;
3865
3866		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3867		if (ret == 0 &&
3868		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3869				DBM_TO_MBM(dbm)))
3870			goto nla_put_failure;
3871	}
3872
3873	wdev_lock(wdev);
3874	switch (wdev->iftype) {
3875	case NL80211_IFTYPE_AP:
3876	case NL80211_IFTYPE_P2P_GO:
3877		if (wdev->u.ap.ssid_len &&
3878		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
3879			    wdev->u.ap.ssid))
3880			goto nla_put_failure_locked;
3881		break;
3882	case NL80211_IFTYPE_STATION:
3883	case NL80211_IFTYPE_P2P_CLIENT:
3884		if (wdev->u.client.ssid_len &&
3885		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
3886			    wdev->u.client.ssid))
3887			goto nla_put_failure_locked;
3888		break;
3889	case NL80211_IFTYPE_ADHOC:
3890		if (wdev->u.ibss.ssid_len &&
3891		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
3892			    wdev->u.ibss.ssid))
3893			goto nla_put_failure_locked;
3894		break;
3895	default:
3896		/* nothing */
3897		break;
3898	}
3899	wdev_unlock(wdev);
3900
3901	if (rdev->ops->get_txq_stats) {
3902		struct cfg80211_txq_stats txqstats = {};
3903		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3904
3905		if (ret == 0 &&
3906		    !nl80211_put_txq_stats(msg, &txqstats,
3907					   NL80211_ATTR_TXQ_STATS))
3908			goto nla_put_failure;
3909	}
3910
3911	if (wdev->valid_links) {
3912		unsigned int link_id;
3913		struct nlattr *links = nla_nest_start(msg,
3914						      NL80211_ATTR_MLO_LINKS);
3915
3916		if (!links)
3917			goto nla_put_failure;
3918
3919		for_each_valid_link(wdev, link_id) {
3920			struct nlattr *link = nla_nest_start(msg, link_id + 1);
3921			struct cfg80211_chan_def chandef = {};
3922			int ret;
3923
3924			if (!link)
3925				goto nla_put_failure;
3926
3927			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
3928				goto nla_put_failure;
3929			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
3930				    wdev->links[link_id].addr))
3931				goto nla_put_failure;
3932
3933			ret = rdev_get_channel(rdev, wdev, link_id, &chandef);
3934			if (ret == 0 && nl80211_send_chandef(msg, &chandef))
3935				goto nla_put_failure;
3936
3937			nla_nest_end(msg, link);
3938		}
3939
3940		nla_nest_end(msg, links);
3941	}
3942
3943	genlmsg_end(msg, hdr);
3944	return 0;
3945
3946 nla_put_failure_locked:
3947	wdev_unlock(wdev);
3948 nla_put_failure:
3949	genlmsg_cancel(msg, hdr);
3950	return -EMSGSIZE;
3951}
3952
3953static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3954{
3955	int wp_idx = 0;
3956	int if_idx = 0;
3957	int wp_start = cb->args[0];
3958	int if_start = cb->args[1];
3959	int filter_wiphy = -1;
3960	struct cfg80211_registered_device *rdev;
3961	struct wireless_dev *wdev;
3962	int ret;
3963
3964	rtnl_lock();
3965	if (!cb->args[2]) {
3966		struct nl80211_dump_wiphy_state state = {
3967			.filter_wiphy = -1,
3968		};
3969
3970		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3971		if (ret)
3972			goto out_unlock;
3973
3974		filter_wiphy = state.filter_wiphy;
3975
3976		/*
3977		 * if filtering, set cb->args[2] to +1 since 0 is the default
3978		 * value needed to determine that parsing is necessary.
3979		 */
3980		if (filter_wiphy >= 0)
3981			cb->args[2] = filter_wiphy + 1;
3982		else
3983			cb->args[2] = -1;
3984	} else if (cb->args[2] > 0) {
3985		filter_wiphy = cb->args[2] - 1;
3986	}
3987
3988	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3989		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3990			continue;
3991		if (wp_idx < wp_start) {
3992			wp_idx++;
3993			continue;
3994		}
3995
3996		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3997			continue;
3998
3999		if_idx = 0;
4000
4001		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4002			if (if_idx < if_start) {
4003				if_idx++;
4004				continue;
4005			}
4006			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
4007					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4008					       rdev, wdev,
4009					       NL80211_CMD_NEW_INTERFACE) < 0) {
4010				goto out;
4011			}
4012			if_idx++;
4013		}
4014
4015		if_start = 0;
4016		wp_idx++;
4017	}
4018 out:
4019	cb->args[0] = wp_idx;
4020	cb->args[1] = if_idx;
4021
4022	ret = skb->len;
4023 out_unlock:
4024	rtnl_unlock();
4025
4026	return ret;
4027}
4028
4029static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
4030{
4031	struct sk_buff *msg;
4032	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4033	struct wireless_dev *wdev = info->user_ptr[1];
4034
4035	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4036	if (!msg)
4037		return -ENOMEM;
4038
4039	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4040			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4041		nlmsg_free(msg);
4042		return -ENOBUFS;
4043	}
4044
4045	return genlmsg_reply(msg, info);
4046}
4047
4048static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
4049	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
4050	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
4051	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
4052	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
4053	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
4054	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
4055};
4056
4057static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
4058{
4059	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
4060	int flag;
4061
4062	*mntrflags = 0;
4063
4064	if (!nla)
4065		return -EINVAL;
4066
4067	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
4068		return -EINVAL;
4069
4070	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
4071		if (flags[flag])
4072			*mntrflags |= (1<<flag);
4073
4074	*mntrflags |= MONITOR_FLAG_CHANGED;
4075
4076	return 0;
4077}
4078
4079static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
4080				     enum nl80211_iftype type,
4081				     struct genl_info *info,
4082				     struct vif_params *params)
4083{
4084	bool change = false;
4085	int err;
4086
4087	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4088		if (type != NL80211_IFTYPE_MONITOR)
4089			return -EINVAL;
4090
4091		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4092					  &params->flags);
4093		if (err)
4094			return err;
4095
4096		change = true;
4097	}
4098
4099	if (params->flags & MONITOR_FLAG_ACTIVE &&
4100	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4101		return -EOPNOTSUPP;
4102
4103	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4104		const u8 *mumimo_groups;
4105		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4106
4107		if (type != NL80211_IFTYPE_MONITOR)
4108			return -EINVAL;
4109
4110		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4111			return -EOPNOTSUPP;
4112
4113		mumimo_groups =
4114			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4115
4116		/* bits 0 and 63 are reserved and must be zero */
4117		if ((mumimo_groups[0] & BIT(0)) ||
4118		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4119			return -EINVAL;
4120
4121		params->vht_mumimo_groups = mumimo_groups;
4122		change = true;
4123	}
4124
4125	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4126		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4127
4128		if (type != NL80211_IFTYPE_MONITOR)
4129			return -EINVAL;
4130
4131		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4132			return -EOPNOTSUPP;
4133
4134		params->vht_mumimo_follow_addr =
4135			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4136		change = true;
4137	}
4138
4139	return change ? 1 : 0;
4140}
4141
4142static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4143			       struct net_device *netdev, u8 use_4addr,
4144			       enum nl80211_iftype iftype)
4145{
4146	if (!use_4addr) {
4147		if (netdev && netif_is_bridge_port(netdev))
4148			return -EBUSY;
4149		return 0;
4150	}
4151
4152	switch (iftype) {
4153	case NL80211_IFTYPE_AP_VLAN:
4154		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4155			return 0;
4156		break;
4157	case NL80211_IFTYPE_STATION:
4158		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4159			return 0;
4160		break;
4161	default:
4162		break;
4163	}
4164
4165	return -EOPNOTSUPP;
4166}
4167
4168static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4169{
4170	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4171	struct vif_params params;
4172	int err;
4173	enum nl80211_iftype otype, ntype;
4174	struct net_device *dev = info->user_ptr[1];
4175	bool change = false;
4176
4177	memset(&params, 0, sizeof(params));
4178
4179	otype = ntype = dev->ieee80211_ptr->iftype;
4180
4181	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4182		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4183		if (otype != ntype)
4184			change = true;
4185	}
4186
4187	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4188		struct wireless_dev *wdev = dev->ieee80211_ptr;
4189
4190		if (ntype != NL80211_IFTYPE_MESH_POINT)
4191			return -EINVAL;
4192		if (otype != NL80211_IFTYPE_MESH_POINT)
4193			return -EINVAL;
4194		if (netif_running(dev))
4195			return -EBUSY;
4196
4197		wdev_lock(wdev);
4198		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4199			     IEEE80211_MAX_MESH_ID_LEN);
4200		wdev->u.mesh.id_up_len =
4201			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4202		memcpy(wdev->u.mesh.id,
4203		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4204		       wdev->u.mesh.id_up_len);
4205		wdev_unlock(wdev);
4206	}
4207
4208	if (info->attrs[NL80211_ATTR_4ADDR]) {
4209		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4210		change = true;
4211		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4212		if (err)
4213			return err;
4214	} else {
4215		params.use_4addr = -1;
4216	}
4217
4218	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4219	if (err < 0)
4220		return err;
4221	if (err > 0)
4222		change = true;
4223
4224	if (change)
4225		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4226	else
4227		err = 0;
4228
4229	if (!err && params.use_4addr != -1)
4230		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4231
4232	if (change && !err) {
4233		struct wireless_dev *wdev = dev->ieee80211_ptr;
4234
4235		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4236	}
4237
4238	return err;
4239}
4240
4241static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4242{
4243	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4244	struct vif_params params;
4245	struct wireless_dev *wdev;
4246	struct sk_buff *msg;
4247	int err;
4248	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4249
4250	memset(&params, 0, sizeof(params));
4251
4252	if (!info->attrs[NL80211_ATTR_IFNAME])
4253		return -EINVAL;
4254
4255	if (info->attrs[NL80211_ATTR_IFTYPE])
4256		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4257
4258	if (!rdev->ops->add_virtual_intf)
4259		return -EOPNOTSUPP;
4260
4261	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4262	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4263	    info->attrs[NL80211_ATTR_MAC]) {
4264		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4265			   ETH_ALEN);
4266		if (!is_valid_ether_addr(params.macaddr))
4267			return -EADDRNOTAVAIL;
4268	}
4269
4270	if (info->attrs[NL80211_ATTR_4ADDR]) {
4271		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4272		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4273		if (err)
4274			return err;
4275	}
4276
4277	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4278		return -EOPNOTSUPP;
4279
4280	err = nl80211_parse_mon_options(rdev, type, info, &params);
4281	if (err < 0)
4282		return err;
4283
4284	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4285	if (!msg)
4286		return -ENOMEM;
4287
4288	wdev = rdev_add_virtual_intf(rdev,
4289				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4290				NET_NAME_USER, type, &params);
4291	if (WARN_ON(!wdev)) {
4292		nlmsg_free(msg);
4293		return -EPROTO;
4294	} else if (IS_ERR(wdev)) {
4295		nlmsg_free(msg);
4296		return PTR_ERR(wdev);
4297	}
4298
4299	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4300		wdev->owner_nlportid = info->snd_portid;
4301
4302	switch (type) {
4303	case NL80211_IFTYPE_MESH_POINT:
4304		if (!info->attrs[NL80211_ATTR_MESH_ID])
4305			break;
4306		wdev_lock(wdev);
4307		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4308			     IEEE80211_MAX_MESH_ID_LEN);
4309		wdev->u.mesh.id_up_len =
4310			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4311		memcpy(wdev->u.mesh.id,
4312		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4313		       wdev->u.mesh.id_up_len);
4314		wdev_unlock(wdev);
4315		break;
4316	case NL80211_IFTYPE_NAN:
4317	case NL80211_IFTYPE_P2P_DEVICE:
4318		/*
4319		 * P2P Device and NAN do not have a netdev, so don't go
4320		 * through the netdev notifier and must be added here
4321		 */
4322		cfg80211_init_wdev(wdev);
4323		cfg80211_register_wdev(rdev, wdev);
4324		break;
4325	default:
4326		break;
4327	}
4328
4329	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4330			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4331		nlmsg_free(msg);
4332		return -ENOBUFS;
4333	}
4334
4335	return genlmsg_reply(msg, info);
4336}
4337
4338static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4339{
4340	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4341	int ret;
4342
4343	/* to avoid failing a new interface creation due to pending removal */
4344	cfg80211_destroy_ifaces(rdev);
4345
4346	wiphy_lock(&rdev->wiphy);
4347	ret = _nl80211_new_interface(skb, info);
4348	wiphy_unlock(&rdev->wiphy);
4349
4350	return ret;
4351}
4352
4353static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4354{
4355	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4356	struct wireless_dev *wdev = info->user_ptr[1];
4357
4358	if (!rdev->ops->del_virtual_intf)
4359		return -EOPNOTSUPP;
4360
4361	/*
4362	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4363	 * reach 0, and thus the rdev cannot be deleted.
4364	 *
4365	 * We need to do it for the dev_close(), since that will call
4366	 * the netdev notifiers, and we need to acquire the mutex there
4367	 * but don't know if we get there from here or from some other
4368	 * place (e.g. "ip link set ... down").
4369	 */
4370	mutex_unlock(&rdev->wiphy.mtx);
4371
4372	/*
4373	 * If we remove a wireless device without a netdev then clear
4374	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4375	 * to check if it needs to do dev_put(). Otherwise it crashes
4376	 * since the wdev has been freed, unlike with a netdev where
4377	 * we need the dev_put() for the netdev to really be freed.
4378	 */
4379	if (!wdev->netdev)
4380		info->user_ptr[1] = NULL;
4381	else
4382		dev_close(wdev->netdev);
4383
4384	mutex_lock(&rdev->wiphy.mtx);
4385
4386	return cfg80211_remove_virtual_intf(rdev, wdev);
4387}
4388
4389static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4390{
4391	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4392	struct net_device *dev = info->user_ptr[1];
4393	u16 noack_map;
4394
4395	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4396		return -EINVAL;
4397
4398	if (!rdev->ops->set_noack_map)
4399		return -EOPNOTSUPP;
4400
4401	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4402
4403	return rdev_set_noack_map(rdev, dev, noack_map);
4404}
4405
4406static int nl80211_validate_key_link_id(struct genl_info *info,
4407					struct wireless_dev *wdev,
4408					int link_id, bool pairwise)
4409{
4410	if (pairwise) {
4411		if (link_id != -1) {
4412			GENL_SET_ERR_MSG(info,
4413					 "link ID not allowed for pairwise key");
4414			return -EINVAL;
4415		}
4416
4417		return 0;
4418	}
4419
4420	if (wdev->valid_links) {
4421		if (link_id == -1) {
4422			GENL_SET_ERR_MSG(info,
4423					 "link ID must for MLO group key");
4424			return -EINVAL;
4425		}
4426		if (!(wdev->valid_links & BIT(link_id))) {
4427			GENL_SET_ERR_MSG(info, "invalid link ID for MLO group key");
4428			return -EINVAL;
4429		}
4430	} else if (link_id != -1) {
4431		GENL_SET_ERR_MSG(info, "link ID not allowed for non-MLO group key");
4432		return -EINVAL;
4433	}
4434
4435	return 0;
4436}
4437
4438struct get_key_cookie {
4439	struct sk_buff *msg;
4440	int error;
4441	int idx;
4442};
4443
4444static void get_key_callback(void *c, struct key_params *params)
4445{
4446	struct nlattr *key;
4447	struct get_key_cookie *cookie = c;
4448
4449	if ((params->key &&
4450	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
4451		     params->key_len, params->key)) ||
4452	    (params->seq &&
4453	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4454		     params->seq_len, params->seq)) ||
4455	    (params->cipher &&
4456	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4457			 params->cipher)))
4458		goto nla_put_failure;
4459
4460	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4461	if (!key)
4462		goto nla_put_failure;
4463
4464	if ((params->key &&
4465	     nla_put(cookie->msg, NL80211_KEY_DATA,
4466		     params->key_len, params->key)) ||
4467	    (params->seq &&
4468	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4469		     params->seq_len, params->seq)) ||
4470	    (params->cipher &&
4471	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4472			 params->cipher)))
4473		goto nla_put_failure;
4474
4475	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4476		goto nla_put_failure;
4477
4478	nla_nest_end(cookie->msg, key);
4479
4480	return;
4481 nla_put_failure:
4482	cookie->error = 1;
4483}
4484
4485static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4486{
4487	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4488	int err;
4489	struct net_device *dev = info->user_ptr[1];
4490	u8 key_idx = 0;
4491	const u8 *mac_addr = NULL;
4492	bool pairwise;
4493	struct get_key_cookie cookie = {
4494		.error = 0,
4495	};
4496	void *hdr;
4497	struct sk_buff *msg;
4498	bool bigtk_support = false;
4499	int link_id = nl80211_link_id_or_invalid(info->attrs);
4500	struct wireless_dev *wdev = dev->ieee80211_ptr;
4501
4502	if (wiphy_ext_feature_isset(&rdev->wiphy,
4503				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4504		bigtk_support = true;
4505
4506	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
4507	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4508	    wiphy_ext_feature_isset(&rdev->wiphy,
4509				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4510		bigtk_support = true;
4511
4512	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4513		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4514
4515		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4516			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4517			return -EINVAL;
4518		}
4519	}
4520
4521	if (info->attrs[NL80211_ATTR_MAC])
4522		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4523
4524	pairwise = !!mac_addr;
4525	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4526		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4527
4528		if (kt != NL80211_KEYTYPE_GROUP &&
4529		    kt != NL80211_KEYTYPE_PAIRWISE)
4530			return -EINVAL;
4531		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4532	}
4533
4534	if (!rdev->ops->get_key)
4535		return -EOPNOTSUPP;
4536
4537	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4538		return -ENOENT;
4539
4540	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4541	if (!msg)
4542		return -ENOMEM;
4543
4544	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4545			     NL80211_CMD_NEW_KEY);
4546	if (!hdr)
4547		goto nla_put_failure;
4548
4549	cookie.msg = msg;
4550	cookie.idx = key_idx;
4551
4552	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4553	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4554		goto nla_put_failure;
4555	if (mac_addr &&
4556	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4557		goto nla_put_failure;
4558
4559	err = nl80211_validate_key_link_id(info, wdev, link_id, pairwise);
4560	if (err)
4561		goto free_msg;
4562
4563	err = rdev_get_key(rdev, dev, link_id, key_idx, pairwise, mac_addr,
4564			   &cookie, get_key_callback);
4565
4566	if (err)
4567		goto free_msg;
4568
4569	if (cookie.error)
4570		goto nla_put_failure;
4571
4572	genlmsg_end(msg, hdr);
4573	return genlmsg_reply(msg, info);
4574
4575 nla_put_failure:
4576	err = -ENOBUFS;
4577 free_msg:
4578	nlmsg_free(msg);
4579	return err;
4580}
4581
4582static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4583{
4584	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4585	struct key_parse key;
4586	int err;
4587	struct net_device *dev = info->user_ptr[1];
4588	int link_id = nl80211_link_id_or_invalid(info->attrs);
4589	struct wireless_dev *wdev = dev->ieee80211_ptr;
4590
4591	err = nl80211_parse_key(info, &key);
4592	if (err)
4593		return err;
4594
4595	if (key.idx < 0)
4596		return -EINVAL;
4597
4598	/* Only support setting default key and
4599	 * Extended Key ID action NL80211_KEY_SET_TX.
4600	 */
4601	if (!key.def && !key.defmgmt && !key.defbeacon &&
4602	    !(key.p.mode == NL80211_KEY_SET_TX))
4603		return -EINVAL;
4604
4605	wdev_lock(wdev);
4606
4607	if (key.def) {
4608		if (!rdev->ops->set_default_key) {
4609			err = -EOPNOTSUPP;
4610			goto out;
4611		}
4612
4613		err = nl80211_key_allowed(wdev);
4614		if (err)
4615			goto out;
4616
4617		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4618		if (err)
4619			goto out;
4620
4621		err = rdev_set_default_key(rdev, dev, link_id, key.idx,
4622					   key.def_uni, key.def_multi);
4623
4624		if (err)
4625			goto out;
4626
4627#ifdef CONFIG_CFG80211_WEXT
4628		wdev->wext.default_key = key.idx;
4629#endif
4630	} else if (key.defmgmt) {
4631		if (key.def_uni || !key.def_multi) {
4632			err = -EINVAL;
4633			goto out;
4634		}
4635
4636		if (!rdev->ops->set_default_mgmt_key) {
4637			err = -EOPNOTSUPP;
4638			goto out;
4639		}
4640
4641		err = nl80211_key_allowed(wdev);
4642		if (err)
4643			goto out;
4644
4645		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4646		if (err)
4647			goto out;
4648
4649		err = rdev_set_default_mgmt_key(rdev, dev, link_id, key.idx);
4650		if (err)
4651			goto out;
4652
4653#ifdef CONFIG_CFG80211_WEXT
4654		wdev->wext.default_mgmt_key = key.idx;
4655#endif
4656	} else if (key.defbeacon) {
4657		if (key.def_uni || !key.def_multi) {
4658			err = -EINVAL;
4659			goto out;
4660		}
4661
4662		if (!rdev->ops->set_default_beacon_key) {
4663			err = -EOPNOTSUPP;
4664			goto out;
4665		}
4666
4667		err = nl80211_key_allowed(wdev);
4668		if (err)
4669			goto out;
4670
4671		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4672		if (err)
4673			goto out;
4674
4675		err = rdev_set_default_beacon_key(rdev, dev, link_id, key.idx);
4676		if (err)
4677			goto out;
4678	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4679		   wiphy_ext_feature_isset(&rdev->wiphy,
4680					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4681		u8 *mac_addr = NULL;
4682
4683		if (info->attrs[NL80211_ATTR_MAC])
4684			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4685
4686		if (!mac_addr || key.idx < 0 || key.idx > 1) {
4687			err = -EINVAL;
4688			goto out;
4689		}
4690
4691		err = nl80211_validate_key_link_id(info, wdev, link_id, true);
4692		if (err)
4693			goto out;
4694
4695		err = rdev_add_key(rdev, dev, link_id, key.idx,
4696				   NL80211_KEYTYPE_PAIRWISE,
4697				   mac_addr, &key.p);
4698	} else {
4699		err = -EINVAL;
4700	}
4701 out:
4702	wdev_unlock(wdev);
4703
4704	return err;
4705}
4706
4707static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4708{
4709	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4710	int err;
4711	struct net_device *dev = info->user_ptr[1];
4712	struct key_parse key;
4713	const u8 *mac_addr = NULL;
4714	int link_id = nl80211_link_id_or_invalid(info->attrs);
4715	struct wireless_dev *wdev = dev->ieee80211_ptr;
4716
4717	err = nl80211_parse_key(info, &key);
4718	if (err)
4719		return err;
4720
4721	if (!key.p.key) {
4722		GENL_SET_ERR_MSG(info, "no key");
4723		return -EINVAL;
4724	}
4725
4726	if (info->attrs[NL80211_ATTR_MAC])
4727		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4728
4729	if (key.type == -1) {
4730		if (mac_addr)
4731			key.type = NL80211_KEYTYPE_PAIRWISE;
4732		else
4733			key.type = NL80211_KEYTYPE_GROUP;
4734	}
4735
4736	/* for now */
4737	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4738	    key.type != NL80211_KEYTYPE_GROUP) {
4739		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4740		return -EINVAL;
4741	}
4742
4743	if (key.type == NL80211_KEYTYPE_GROUP &&
4744	    info->attrs[NL80211_ATTR_VLAN_ID])
4745		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4746
4747	if (!rdev->ops->add_key)
4748		return -EOPNOTSUPP;
4749
4750	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4751					   key.type == NL80211_KEYTYPE_PAIRWISE,
4752					   mac_addr)) {
4753		GENL_SET_ERR_MSG(info, "key setting validation failed");
4754		return -EINVAL;
4755	}
4756
4757	wdev_lock(wdev);
4758	err = nl80211_key_allowed(wdev);
4759	if (err)
4760		GENL_SET_ERR_MSG(info, "key not allowed");
4761
4762	if (!err)
4763		err = nl80211_validate_key_link_id(info, wdev, link_id,
4764				key.type == NL80211_KEYTYPE_PAIRWISE);
4765
4766	if (!err) {
4767		err = rdev_add_key(rdev, dev, link_id, key.idx,
4768				   key.type == NL80211_KEYTYPE_PAIRWISE,
4769				    mac_addr, &key.p);
4770		if (err)
4771			GENL_SET_ERR_MSG(info, "key addition failed");
4772	}
4773	wdev_unlock(wdev);
4774
4775	return err;
4776}
4777
4778static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4779{
4780	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4781	int err;
4782	struct net_device *dev = info->user_ptr[1];
4783	u8 *mac_addr = NULL;
4784	struct key_parse key;
4785	int link_id = nl80211_link_id_or_invalid(info->attrs);
4786	struct wireless_dev *wdev = dev->ieee80211_ptr;
4787
4788	err = nl80211_parse_key(info, &key);
4789	if (err)
4790		return err;
4791
4792	if (info->attrs[NL80211_ATTR_MAC])
4793		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4794
4795	if (key.type == -1) {
4796		if (mac_addr)
4797			key.type = NL80211_KEYTYPE_PAIRWISE;
4798		else
4799			key.type = NL80211_KEYTYPE_GROUP;
4800	}
4801
4802	/* for now */
4803	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4804	    key.type != NL80211_KEYTYPE_GROUP)
4805		return -EINVAL;
4806
4807	if (!cfg80211_valid_key_idx(rdev, key.idx,
4808				    key.type == NL80211_KEYTYPE_PAIRWISE))
4809		return -EINVAL;
4810
4811	if (!rdev->ops->del_key)
4812		return -EOPNOTSUPP;
4813
4814	wdev_lock(wdev);
4815	err = nl80211_key_allowed(wdev);
4816
4817	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4818	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4819		err = -ENOENT;
4820
4821	if (!err)
4822		err = nl80211_validate_key_link_id(info, wdev, link_id,
4823				key.type == NL80211_KEYTYPE_PAIRWISE);
4824
4825	if (!err)
4826		err = rdev_del_key(rdev, dev, link_id, key.idx,
4827				   key.type == NL80211_KEYTYPE_PAIRWISE,
4828				   mac_addr);
4829
4830#ifdef CONFIG_CFG80211_WEXT
4831	if (!err) {
4832		if (key.idx == wdev->wext.default_key)
4833			wdev->wext.default_key = -1;
4834		else if (key.idx == wdev->wext.default_mgmt_key)
4835			wdev->wext.default_mgmt_key = -1;
4836	}
4837#endif
4838	wdev_unlock(wdev);
4839
4840	return err;
4841}
4842
4843/* This function returns an error or the number of nested attributes */
4844static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4845{
4846	struct nlattr *attr;
4847	int n_entries = 0, tmp;
4848
4849	nla_for_each_nested(attr, nl_attr, tmp) {
4850		if (nla_len(attr) != ETH_ALEN)
4851			return -EINVAL;
4852
4853		n_entries++;
4854	}
4855
4856	return n_entries;
4857}
4858
4859/*
4860 * This function parses ACL information and allocates memory for ACL data.
4861 * On successful return, the calling function is responsible to free the
4862 * ACL buffer returned by this function.
4863 */
4864static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4865						struct genl_info *info)
4866{
4867	enum nl80211_acl_policy acl_policy;
4868	struct nlattr *attr;
4869	struct cfg80211_acl_data *acl;
4870	int i = 0, n_entries, tmp;
4871
4872	if (!wiphy->max_acl_mac_addrs)
4873		return ERR_PTR(-EOPNOTSUPP);
4874
4875	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4876		return ERR_PTR(-EINVAL);
4877
4878	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4879	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4880	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4881		return ERR_PTR(-EINVAL);
4882
4883	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4884		return ERR_PTR(-EINVAL);
4885
4886	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4887	if (n_entries < 0)
4888		return ERR_PTR(n_entries);
4889
4890	if (n_entries > wiphy->max_acl_mac_addrs)
4891		return ERR_PTR(-ENOTSUPP);
4892
4893	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4894	if (!acl)
4895		return ERR_PTR(-ENOMEM);
4896	acl->n_acl_entries = n_entries;
4897
4898	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4899		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4900		i++;
4901	}
4902	acl->acl_policy = acl_policy;
4903
4904	return acl;
4905}
4906
4907static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4908{
4909	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4910	struct net_device *dev = info->user_ptr[1];
4911	struct cfg80211_acl_data *acl;
4912	int err;
4913
4914	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4915	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4916		return -EOPNOTSUPP;
4917
4918	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
4919		return -EINVAL;
4920
4921	acl = parse_acl_data(&rdev->wiphy, info);
4922	if (IS_ERR(acl))
4923		return PTR_ERR(acl);
4924
4925	err = rdev_set_mac_acl(rdev, dev, acl);
4926
4927	kfree(acl);
4928
4929	return err;
4930}
4931
4932static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4933			   u8 *rates, u8 rates_len)
4934{
4935	u8 i;
4936	u32 mask = 0;
4937
4938	for (i = 0; i < rates_len; i++) {
4939		int rate = (rates[i] & 0x7f) * 5;
4940		int ridx;
4941
4942		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4943			struct ieee80211_rate *srate =
4944				&sband->bitrates[ridx];
4945			if (rate == srate->bitrate) {
4946				mask |= 1 << ridx;
4947				break;
4948			}
4949		}
4950		if (ridx == sband->n_bitrates)
4951			return 0; /* rate not found */
4952	}
4953
4954	return mask;
4955}
4956
4957static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4958			       u8 *rates, u8 rates_len,
4959			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4960{
4961	u8 i;
4962
4963	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4964
4965	for (i = 0; i < rates_len; i++) {
4966		int ridx, rbit;
4967
4968		ridx = rates[i] / 8;
4969		rbit = BIT(rates[i] % 8);
4970
4971		/* check validity */
4972		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4973			return false;
4974
4975		/* check availability */
4976		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4977		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4978			mcs[ridx] |= rbit;
4979		else
4980			return false;
4981	}
4982
4983	return true;
4984}
4985
4986static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4987{
4988	u16 mcs_mask = 0;
4989
4990	switch (vht_mcs_map) {
4991	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4992		break;
4993	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4994		mcs_mask = 0x00FF;
4995		break;
4996	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4997		mcs_mask = 0x01FF;
4998		break;
4999	case IEEE80211_VHT_MCS_SUPPORT_0_9:
5000		mcs_mask = 0x03FF;
5001		break;
5002	default:
5003		break;
5004	}
5005
5006	return mcs_mask;
5007}
5008
5009static void vht_build_mcs_mask(u16 vht_mcs_map,
5010			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
5011{
5012	u8 nss;
5013
5014	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
5015		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
5016		vht_mcs_map >>= 2;
5017	}
5018}
5019
5020static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
5021			     struct nl80211_txrate_vht *txrate,
5022			     u16 mcs[NL80211_VHT_NSS_MAX])
5023{
5024	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5025	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
5026	u8 i;
5027
5028	if (!sband->vht_cap.vht_supported)
5029		return false;
5030
5031	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
5032
5033	/* Build vht_mcs_mask from VHT capabilities */
5034	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5035
5036	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5037		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5038			mcs[i] = txrate->mcs[i];
5039		else
5040			return false;
5041	}
5042
5043	return true;
5044}
5045
5046static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
5047{
5048	switch (he_mcs_map) {
5049	case IEEE80211_HE_MCS_NOT_SUPPORTED:
5050		return 0;
5051	case IEEE80211_HE_MCS_SUPPORT_0_7:
5052		return 0x00FF;
5053	case IEEE80211_HE_MCS_SUPPORT_0_9:
5054		return 0x03FF;
5055	case IEEE80211_HE_MCS_SUPPORT_0_11:
5056		return 0xFFF;
5057	default:
5058		break;
5059	}
5060	return 0;
5061}
5062
5063static void he_build_mcs_mask(u16 he_mcs_map,
5064			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
5065{
5066	u8 nss;
5067
5068	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
5069		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
5070		he_mcs_map >>= 2;
5071	}
5072}
5073
5074static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
5075			   const struct ieee80211_sta_he_cap *he_cap)
5076{
5077	struct net_device *dev = info->user_ptr[1];
5078	struct wireless_dev *wdev = dev->ieee80211_ptr;
5079	struct cfg80211_chan_def *chandef;
5080	__le16 tx_mcs;
5081
5082	chandef = wdev_chandef(wdev, link_id);
5083	if (!chandef) {
5084		/*
5085		 * This is probably broken, but we never maintained
5086		 * a chandef in these cases, so it always was.
5087		 */
5088		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
5089	}
5090
5091	switch (chandef->width) {
5092	case NL80211_CHAN_WIDTH_80P80:
5093		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
5094		break;
5095	case NL80211_CHAN_WIDTH_160:
5096		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
5097		break;
5098	default:
5099		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
5100		break;
5101	}
5102
5103	return le16_to_cpu(tx_mcs);
5104}
5105
5106static bool he_set_mcs_mask(struct genl_info *info,
5107			    struct wireless_dev *wdev,
5108			    struct ieee80211_supported_band *sband,
5109			    struct nl80211_txrate_he *txrate,
5110			    u16 mcs[NL80211_HE_NSS_MAX],
5111			    unsigned int link_id)
5112{
5113	const struct ieee80211_sta_he_cap *he_cap;
5114	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
5115	u16 tx_mcs_map = 0;
5116	u8 i;
5117
5118	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5119	if (!he_cap)
5120		return false;
5121
5122	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
5123
5124	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5125
5126	/* Build he_mcs_mask from HE capabilities */
5127	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5128
5129	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5130		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5131			mcs[i] = txrate->mcs[i];
5132		else
5133			return false;
5134	}
5135
5136	return true;
5137}
5138
5139static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
5140					 struct nlattr *attrs[],
5141					 enum nl80211_attrs attr,
5142					 struct cfg80211_bitrate_mask *mask,
5143					 struct net_device *dev,
5144					 bool default_all_enabled,
5145					 unsigned int link_id)
5146{
5147	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
5148	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5149	struct wireless_dev *wdev = dev->ieee80211_ptr;
5150	int rem, i;
5151	struct nlattr *tx_rates;
5152	struct ieee80211_supported_band *sband;
5153	u16 vht_tx_mcs_map, he_tx_mcs_map;
5154
5155	memset(mask, 0, sizeof(*mask));
5156	/* Default to all rates enabled */
5157	for (i = 0; i < NUM_NL80211_BANDS; i++) {
5158		const struct ieee80211_sta_he_cap *he_cap;
5159
5160		if (!default_all_enabled)
5161			break;
5162
5163		sband = rdev->wiphy.bands[i];
5164
5165		if (!sband)
5166			continue;
5167
5168		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
5169		memcpy(mask->control[i].ht_mcs,
5170		       sband->ht_cap.mcs.rx_mask,
5171		       sizeof(mask->control[i].ht_mcs));
5172
5173		if (sband->vht_cap.vht_supported) {
5174			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5175			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
5176		}
5177
5178		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5179		if (!he_cap)
5180			continue;
5181
5182		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5183		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
5184
5185		mask->control[i].he_gi = 0xFF;
5186		mask->control[i].he_ltf = 0xFF;
5187	}
5188
5189	/* if no rates are given set it back to the defaults */
5190	if (!attrs[attr])
5191		goto out;
5192
5193	/* The nested attribute uses enum nl80211_band as the index. This maps
5194	 * directly to the enum nl80211_band values used in cfg80211.
5195	 */
5196	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
5197	nla_for_each_nested(tx_rates, attrs[attr], rem) {
5198		enum nl80211_band band = nla_type(tx_rates);
5199		int err;
5200
5201		if (band < 0 || band >= NUM_NL80211_BANDS)
5202			return -EINVAL;
5203		sband = rdev->wiphy.bands[band];
5204		if (sband == NULL)
5205			return -EINVAL;
5206		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
5207						  tx_rates,
5208						  nl80211_txattr_policy,
5209						  info->extack);
5210		if (err)
5211			return err;
5212		if (tb[NL80211_TXRATE_LEGACY]) {
5213			mask->control[band].legacy = rateset_to_mask(
5214				sband,
5215				nla_data(tb[NL80211_TXRATE_LEGACY]),
5216				nla_len(tb[NL80211_TXRATE_LEGACY]));
5217			if ((mask->control[band].legacy == 0) &&
5218			    nla_len(tb[NL80211_TXRATE_LEGACY]))
5219				return -EINVAL;
5220		}
5221		if (tb[NL80211_TXRATE_HT]) {
5222			if (!ht_rateset_to_mask(
5223					sband,
5224					nla_data(tb[NL80211_TXRATE_HT]),
5225					nla_len(tb[NL80211_TXRATE_HT]),
5226					mask->control[band].ht_mcs))
5227				return -EINVAL;
5228		}
5229
5230		if (tb[NL80211_TXRATE_VHT]) {
5231			if (!vht_set_mcs_mask(
5232					sband,
5233					nla_data(tb[NL80211_TXRATE_VHT]),
5234					mask->control[band].vht_mcs))
5235				return -EINVAL;
5236		}
5237
5238		if (tb[NL80211_TXRATE_GI]) {
5239			mask->control[band].gi =
5240				nla_get_u8(tb[NL80211_TXRATE_GI]);
5241			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
5242				return -EINVAL;
5243		}
5244		if (tb[NL80211_TXRATE_HE] &&
5245		    !he_set_mcs_mask(info, wdev, sband,
5246				     nla_data(tb[NL80211_TXRATE_HE]),
5247				     mask->control[band].he_mcs,
5248				     link_id))
5249			return -EINVAL;
5250
5251		if (tb[NL80211_TXRATE_HE_GI])
5252			mask->control[band].he_gi =
5253				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
5254		if (tb[NL80211_TXRATE_HE_LTF])
5255			mask->control[band].he_ltf =
5256				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
5257
5258		if (mask->control[band].legacy == 0) {
5259			/* don't allow empty legacy rates if HT, VHT or HE
5260			 * are not even supported.
5261			 */
5262			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
5263			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
5264			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
5265				return -EINVAL;
5266
5267			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
5268				if (mask->control[band].ht_mcs[i])
5269					goto out;
5270
5271			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5272				if (mask->control[band].vht_mcs[i])
5273					goto out;
5274
5275			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5276				if (mask->control[band].he_mcs[i])
5277					goto out;
5278
5279			/* legacy and mcs rates may not be both empty */
5280			return -EINVAL;
5281		}
5282	}
5283
5284out:
5285	return 0;
5286}
5287
5288static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5289				   enum nl80211_band band,
5290				   struct cfg80211_bitrate_mask *beacon_rate)
5291{
5292	u32 count_ht, count_vht, count_he, i;
5293	u32 rate = beacon_rate->control[band].legacy;
5294
5295	/* Allow only one rate */
5296	if (hweight32(rate) > 1)
5297		return -EINVAL;
5298
5299	count_ht = 0;
5300	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5301		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5302			return -EINVAL;
5303		} else if (beacon_rate->control[band].ht_mcs[i]) {
5304			count_ht++;
5305			if (count_ht > 1)
5306				return -EINVAL;
5307		}
5308		if (count_ht && rate)
5309			return -EINVAL;
5310	}
5311
5312	count_vht = 0;
5313	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5314		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5315			return -EINVAL;
5316		} else if (beacon_rate->control[band].vht_mcs[i]) {
5317			count_vht++;
5318			if (count_vht > 1)
5319				return -EINVAL;
5320		}
5321		if (count_vht && rate)
5322			return -EINVAL;
5323	}
5324
5325	count_he = 0;
5326	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5327		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5328			return -EINVAL;
5329		} else if (beacon_rate->control[band].he_mcs[i]) {
5330			count_he++;
5331			if (count_he > 1)
5332				return -EINVAL;
5333		}
5334		if (count_he && rate)
5335			return -EINVAL;
5336	}
5337
5338	if ((count_ht && count_vht && count_he) ||
5339	    (!rate && !count_ht && !count_vht && !count_he))
5340		return -EINVAL;
5341
5342	if (rate &&
5343	    !wiphy_ext_feature_isset(&rdev->wiphy,
5344				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5345		return -EINVAL;
5346	if (count_ht &&
5347	    !wiphy_ext_feature_isset(&rdev->wiphy,
5348				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5349		return -EINVAL;
5350	if (count_vht &&
5351	    !wiphy_ext_feature_isset(&rdev->wiphy,
5352				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5353		return -EINVAL;
5354	if (count_he &&
5355	    !wiphy_ext_feature_isset(&rdev->wiphy,
5356				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5357		return -EINVAL;
5358
5359	return 0;
5360}
5361
5362static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5363				       struct net_device *dev,
5364				       struct nlattr *attrs,
5365				       struct cfg80211_mbssid_config *config,
5366				       u8 num_elems)
5367{
5368	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5369
5370	if (!wiphy->mbssid_max_interfaces)
5371		return -EOPNOTSUPP;
5372
5373	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5374			     NULL) ||
5375	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5376		return -EINVAL;
5377
5378	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5379	if (config->ema) {
5380		if (!wiphy->ema_max_profile_periodicity)
5381			return -EOPNOTSUPP;
5382
5383		if (num_elems > wiphy->ema_max_profile_periodicity)
5384			return -EINVAL;
5385	}
5386
5387	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5388	if (config->index >= wiphy->mbssid_max_interfaces ||
5389	    (!config->index && !num_elems))
5390		return -EINVAL;
5391
5392	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5393		u32 tx_ifindex =
5394			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5395
5396		if ((!config->index && tx_ifindex != dev->ifindex) ||
5397		    (config->index && tx_ifindex == dev->ifindex))
5398			return -EINVAL;
5399
5400		if (tx_ifindex != dev->ifindex) {
5401			struct net_device *tx_netdev =
5402				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5403
5404			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5405			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5406			    tx_netdev->ieee80211_ptr->iftype !=
5407							NL80211_IFTYPE_AP) {
5408				dev_put(tx_netdev);
5409				return -EINVAL;
5410			}
5411
5412			config->tx_wdev = tx_netdev->ieee80211_ptr;
5413		} else {
5414			config->tx_wdev = dev->ieee80211_ptr;
5415		}
5416	} else if (!config->index) {
5417		config->tx_wdev = dev->ieee80211_ptr;
5418	} else {
5419		return -EINVAL;
5420	}
5421
5422	return 0;
5423}
5424
5425static struct cfg80211_mbssid_elems *
5426nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5427{
5428	struct nlattr *nl_elems;
5429	struct cfg80211_mbssid_elems *elems;
5430	int rem_elems;
5431	u8 i = 0, num_elems = 0;
5432
5433	if (!wiphy->mbssid_max_interfaces)
5434		return ERR_PTR(-EINVAL);
5435
5436	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5437		if (num_elems >= 255)
5438			return ERR_PTR(-EINVAL);
5439		num_elems++;
5440	}
5441
5442	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5443	if (!elems)
5444		return ERR_PTR(-ENOMEM);
5445	elems->cnt = num_elems;
5446
5447	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5448		elems->elem[i].data = nla_data(nl_elems);
5449		elems->elem[i].len = nla_len(nl_elems);
5450		i++;
5451	}
5452	return elems;
5453}
5454
5455static struct cfg80211_rnr_elems *
5456nl80211_parse_rnr_elems(struct wiphy *wiphy, struct nlattr *attrs,
5457			struct netlink_ext_ack *extack)
5458{
5459	struct nlattr *nl_elems;
5460	struct cfg80211_rnr_elems *elems;
5461	int rem_elems;
5462	u8 i = 0, num_elems = 0;
5463
5464	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5465		int ret;
5466
5467		ret = validate_ie_attr(nl_elems, extack);
5468		if (ret)
5469			return ERR_PTR(ret);
5470
5471		num_elems++;
5472	}
5473
5474	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5475	if (!elems)
5476		return ERR_PTR(-ENOMEM);
5477	elems->cnt = num_elems;
5478
5479	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5480		elems->elem[i].data = nla_data(nl_elems);
5481		elems->elem[i].len = nla_len(nl_elems);
5482		i++;
5483	}
5484	return elems;
5485}
5486
5487static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5488				      struct cfg80211_he_bss_color *he_bss_color)
5489{
5490	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5491	int err;
5492
5493	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5494			       he_bss_color_policy, NULL);
5495	if (err)
5496		return err;
5497
5498	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5499		return -EINVAL;
5500
5501	he_bss_color->color =
5502		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5503	he_bss_color->enabled =
5504		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5505	he_bss_color->partial =
5506		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5507
5508	return 0;
5509}
5510
5511static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5512				struct nlattr *attrs[],
5513				struct cfg80211_beacon_data *bcn,
5514				struct netlink_ext_ack *extack)
5515{
5516	bool haveinfo = false;
5517	int err;
5518
5519	memset(bcn, 0, sizeof(*bcn));
5520
5521	bcn->link_id = nl80211_link_id(attrs);
5522
5523	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5524		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5525		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5526		if (!bcn->head_len)
5527			return -EINVAL;
5528		haveinfo = true;
5529	}
5530
5531	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5532		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5533		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5534		haveinfo = true;
5535	}
5536
5537	if (!haveinfo)
5538		return -EINVAL;
5539
5540	if (attrs[NL80211_ATTR_IE]) {
5541		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5542		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5543	}
5544
5545	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5546		bcn->proberesp_ies =
5547			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5548		bcn->proberesp_ies_len =
5549			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5550	}
5551
5552	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5553		bcn->assocresp_ies =
5554			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5555		bcn->assocresp_ies_len =
5556			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5557	}
5558
5559	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5560		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5561		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5562	}
5563
5564	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5565		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5566
5567		err = nla_parse_nested_deprecated(tb,
5568						  NL80211_FTM_RESP_ATTR_MAX,
5569						  attrs[NL80211_ATTR_FTM_RESPONDER],
5570						  NULL, NULL);
5571		if (err)
5572			return err;
5573
5574		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5575		    wiphy_ext_feature_isset(&rdev->wiphy,
5576					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5577			bcn->ftm_responder = 1;
5578		else
5579			return -EOPNOTSUPP;
5580
5581		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5582			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5583			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5584		}
5585
5586		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5587			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5588			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5589		}
5590	} else {
5591		bcn->ftm_responder = -1;
5592	}
5593
5594	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5595		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
5596						 &bcn->he_bss_color);
5597		if (err)
5598			return err;
5599		bcn->he_bss_color_valid = true;
5600	}
5601
5602	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5603		struct cfg80211_mbssid_elems *mbssid =
5604			nl80211_parse_mbssid_elems(&rdev->wiphy,
5605						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5606
5607		if (IS_ERR(mbssid))
5608			return PTR_ERR(mbssid);
5609
5610		bcn->mbssid_ies = mbssid;
5611
5612		if (bcn->mbssid_ies && attrs[NL80211_ATTR_EMA_RNR_ELEMS]) {
5613			struct cfg80211_rnr_elems *rnr =
5614				nl80211_parse_rnr_elems(&rdev->wiphy,
5615							attrs[NL80211_ATTR_EMA_RNR_ELEMS],
5616							extack);
5617
5618			if (IS_ERR(rnr))
5619				return PTR_ERR(rnr);
5620
5621			if (rnr && rnr->cnt < bcn->mbssid_ies->cnt)
5622				return -EINVAL;
5623
5624			bcn->rnr_ies = rnr;
5625		}
5626	}
5627
5628	return 0;
5629}
5630
5631static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5632				    struct ieee80211_he_obss_pd *he_obss_pd)
5633{
5634	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5635	int err;
5636
5637	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5638			       he_obss_pd_policy, NULL);
5639	if (err)
5640		return err;
5641
5642	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5643		return -EINVAL;
5644
5645	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5646
5647	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5648		he_obss_pd->min_offset =
5649			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5650	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5651		he_obss_pd->max_offset =
5652			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5653	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5654		he_obss_pd->non_srg_max_offset =
5655			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5656
5657	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5658		return -EINVAL;
5659
5660	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5661		memcpy(he_obss_pd->bss_color_bitmap,
5662		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5663		       sizeof(he_obss_pd->bss_color_bitmap));
5664
5665	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5666		memcpy(he_obss_pd->partial_bssid_bitmap,
5667		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5668		       sizeof(he_obss_pd->partial_bssid_bitmap));
5669
5670	he_obss_pd->enable = true;
5671
5672	return 0;
5673}
5674
5675static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5676					struct nlattr *attrs,
5677					struct cfg80211_ap_settings *params)
5678{
5679	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5680	int ret;
5681	struct cfg80211_fils_discovery *fd = &params->fils_discovery;
5682
5683	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5684				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5685		return -EINVAL;
5686
5687	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5688			       NULL, NULL);
5689	if (ret)
5690		return ret;
5691
5692	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5693	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5694	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5695		return -EINVAL;
5696
5697	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5698	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5699	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5700	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5701
5702	return 0;
5703}
5704
5705static int
5706nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5707				     struct nlattr *attrs,
5708				     struct cfg80211_ap_settings *params)
5709{
5710	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5711	int ret;
5712	struct cfg80211_unsol_bcast_probe_resp *presp =
5713					&params->unsol_bcast_probe_resp;
5714
5715	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5716				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5717		return -EINVAL;
5718
5719	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5720			       attrs, NULL, NULL);
5721	if (ret)
5722		return ret;
5723
5724	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5725	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5726		return -EINVAL;
5727
5728	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5729	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5730	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5731	return 0;
5732}
5733
5734static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5735					    const struct element *rates)
5736{
5737	int i;
5738
5739	if (!rates)
5740		return;
5741
5742	for (i = 0; i < rates->datalen; i++) {
5743		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5744			params->ht_required = true;
5745		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5746			params->vht_required = true;
5747		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5748			params->he_required = true;
5749		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5750			params->sae_h2e_required = true;
5751	}
5752}
5753
5754/*
5755 * Since the nl80211 API didn't include, from the beginning, attributes about
5756 * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5757 * benefit of drivers that rebuild IEs in the firmware.
5758 */
5759static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5760{
5761	const struct cfg80211_beacon_data *bcn = &params->beacon;
5762	size_t ies_len = bcn->tail_len;
5763	const u8 *ies = bcn->tail;
5764	const struct element *rates;
5765	const struct element *cap;
5766
5767	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
5768	nl80211_check_ap_rate_selectors(params, rates);
5769
5770	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5771	nl80211_check_ap_rate_selectors(params, rates);
5772
5773	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5774	if (cap && cap->datalen >= sizeof(*params->ht_cap))
5775		params->ht_cap = (void *)cap->data;
5776	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5777	if (cap && cap->datalen >= sizeof(*params->vht_cap))
5778		params->vht_cap = (void *)cap->data;
5779	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5780	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
5781		params->he_cap = (void *)(cap->data + 1);
5782	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5783	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
5784		params->he_oper = (void *)(cap->data + 1);
5785	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
5786	if (cap) {
5787		if (!cap->datalen)
5788			return -EINVAL;
5789		params->eht_cap = (void *)(cap->data + 1);
5790		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
5791						(const u8 *)params->eht_cap,
5792						cap->datalen - 1, true))
5793			return -EINVAL;
5794	}
5795	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
5796	if (cap) {
5797		if (!cap->datalen)
5798			return -EINVAL;
5799		params->eht_oper = (void *)(cap->data + 1);
5800		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
5801						cap->datalen - 1))
5802			return -EINVAL;
5803	}
5804	return 0;
5805}
5806
5807static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5808				   struct cfg80211_ap_settings *params)
5809{
5810	struct wireless_dev *wdev;
5811
5812	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5813		if (wdev->iftype != NL80211_IFTYPE_AP &&
5814		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5815			continue;
5816
5817		if (!wdev->u.ap.preset_chandef.chan)
5818			continue;
5819
5820		params->chandef = wdev->u.ap.preset_chandef;
5821		return true;
5822	}
5823
5824	return false;
5825}
5826
5827static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5828				    enum nl80211_auth_type auth_type,
5829				    enum nl80211_commands cmd)
5830{
5831	if (auth_type > NL80211_AUTHTYPE_MAX)
5832		return false;
5833
5834	switch (cmd) {
5835	case NL80211_CMD_AUTHENTICATE:
5836		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5837		    auth_type == NL80211_AUTHTYPE_SAE)
5838			return false;
5839		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5840					     NL80211_EXT_FEATURE_FILS_STA) &&
5841		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5842		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5843		     auth_type == NL80211_AUTHTYPE_FILS_PK))
5844			return false;
5845		return true;
5846	case NL80211_CMD_CONNECT:
5847		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5848		    !wiphy_ext_feature_isset(&rdev->wiphy,
5849					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
5850		    auth_type == NL80211_AUTHTYPE_SAE)
5851			return false;
5852
5853		/* FILS with SK PFS or PK not supported yet */
5854		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5855		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5856			return false;
5857		if (!wiphy_ext_feature_isset(
5858			    &rdev->wiphy,
5859			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
5860		    auth_type == NL80211_AUTHTYPE_FILS_SK)
5861			return false;
5862		return true;
5863	case NL80211_CMD_START_AP:
5864		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5865					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
5866		    auth_type == NL80211_AUTHTYPE_SAE)
5867			return false;
5868		/* FILS not supported yet */
5869		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5870		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5871		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5872			return false;
5873		return true;
5874	default:
5875		return false;
5876	}
5877}
5878
5879static void nl80211_send_ap_started(struct wireless_dev *wdev,
5880				    unsigned int link_id)
5881{
5882	struct wiphy *wiphy = wdev->wiphy;
5883	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
5884	struct sk_buff *msg;
5885	void *hdr;
5886
5887	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5888	if (!msg)
5889		return;
5890
5891	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_START_AP);
5892	if (!hdr)
5893		goto out;
5894
5895	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
5896	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
5897	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
5898			      NL80211_ATTR_PAD) ||
5899	    (wdev->u.ap.ssid_len &&
5900	     nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
5901		     wdev->u.ap.ssid)) ||
5902	    (wdev->valid_links &&
5903	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
5904		goto out;
5905
5906	genlmsg_end(msg, hdr);
5907
5908	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
5909				NL80211_MCGRP_MLME, GFP_KERNEL);
5910	return;
5911out:
5912	nlmsg_free(msg);
5913}
5914
5915static int nl80211_validate_ap_phy_operation(struct cfg80211_ap_settings *params)
5916{
5917	struct ieee80211_channel *channel = params->chandef.chan;
5918
5919	if ((params->he_cap ||  params->he_oper) &&
5920	    (channel->flags & IEEE80211_CHAN_NO_HE))
5921		return -EOPNOTSUPP;
5922
5923	if ((params->eht_cap || params->eht_oper) &&
5924	    (channel->flags & IEEE80211_CHAN_NO_EHT))
5925		return -EOPNOTSUPP;
5926
5927	return 0;
5928}
5929
5930static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
5931{
5932	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5933	unsigned int link_id = nl80211_link_id(info->attrs);
5934	struct net_device *dev = info->user_ptr[1];
5935	struct wireless_dev *wdev = dev->ieee80211_ptr;
5936	struct cfg80211_ap_settings *params;
5937	int err;
5938
5939	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5940	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5941		return -EOPNOTSUPP;
5942
5943	if (!rdev->ops->start_ap)
5944		return -EOPNOTSUPP;
5945
5946	if (wdev->links[link_id].ap.beacon_interval)
5947		return -EALREADY;
5948
5949	/* these are required for START_AP */
5950	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
5951	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
5952	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
5953		return -EINVAL;
5954
5955	params = kzalloc(sizeof(*params), GFP_KERNEL);
5956	if (!params)
5957		return -ENOMEM;
5958
5959	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
5960				   info->extack);
5961	if (err)
5962		goto out;
5963
5964	params->beacon_interval =
5965		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5966	params->dtim_period =
5967		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
5968
5969	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
5970					   params->beacon_interval);
5971	if (err)
5972		goto out;
5973
5974	/*
5975	 * In theory, some of these attributes should be required here
5976	 * but since they were not used when the command was originally
5977	 * added, keep them optional for old user space programs to let
5978	 * them continue to work with drivers that do not need the
5979	 * additional information -- drivers must check!
5980	 */
5981	if (info->attrs[NL80211_ATTR_SSID]) {
5982		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5983		params->ssid_len =
5984			nla_len(info->attrs[NL80211_ATTR_SSID]);
5985		if (params->ssid_len == 0) {
5986			err = -EINVAL;
5987			goto out;
5988		}
5989
5990		if (wdev->u.ap.ssid_len &&
5991		    (wdev->u.ap.ssid_len != params->ssid_len ||
5992		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
5993			/* require identical SSID for MLO */
5994			err = -EINVAL;
5995			goto out;
5996		}
5997	} else if (wdev->valid_links) {
5998		/* require SSID for MLO */
5999		err = -EINVAL;
6000		goto out;
6001	}
6002
6003	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
6004		params->hidden_ssid = nla_get_u32(
6005			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
6006
6007	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
6008
6009	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
6010		params->auth_type = nla_get_u32(
6011			info->attrs[NL80211_ATTR_AUTH_TYPE]);
6012		if (!nl80211_valid_auth_type(rdev, params->auth_type,
6013					     NL80211_CMD_START_AP)) {
6014			err = -EINVAL;
6015			goto out;
6016		}
6017	} else
6018		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
6019
6020	err = nl80211_crypto_settings(rdev, info, &params->crypto,
6021				      NL80211_MAX_NR_CIPHER_SUITES);
6022	if (err)
6023		goto out;
6024
6025	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
6026		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
6027			err = -EOPNOTSUPP;
6028			goto out;
6029		}
6030		params->inactivity_timeout = nla_get_u16(
6031			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
6032	}
6033
6034	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6035		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6036			err = -EINVAL;
6037			goto out;
6038		}
6039		params->p2p_ctwindow =
6040			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6041		if (params->p2p_ctwindow != 0 &&
6042		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
6043			err = -EINVAL;
6044			goto out;
6045		}
6046	}
6047
6048	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6049		u8 tmp;
6050
6051		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6052			err = -EINVAL;
6053			goto out;
6054		}
6055		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6056		params->p2p_opp_ps = tmp;
6057		if (params->p2p_opp_ps != 0 &&
6058		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
6059			err = -EINVAL;
6060			goto out;
6061		}
6062	}
6063
6064	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
6065		err = nl80211_parse_chandef(rdev, info, &params->chandef);
6066		if (err)
6067			goto out;
6068	} else if (wdev->valid_links) {
6069		/* with MLD need to specify the channel configuration */
6070		err = -EINVAL;
6071		goto out;
6072	} else if (wdev->u.ap.preset_chandef.chan) {
6073		params->chandef = wdev->u.ap.preset_chandef;
6074	} else if (!nl80211_get_ap_channel(rdev, params)) {
6075		err = -EINVAL;
6076		goto out;
6077	}
6078
6079	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
6080		err = nl80211_parse_punct_bitmap(rdev, info,
6081						 &params->chandef,
6082						 &params->punct_bitmap);
6083		if (err)
6084			goto out;
6085	}
6086
6087	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params->chandef,
6088					   wdev->iftype)) {
6089		err = -EINVAL;
6090		goto out;
6091	}
6092
6093	wdev_lock(wdev);
6094
6095	if (info->attrs[NL80211_ATTR_TX_RATES]) {
6096		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
6097						    NL80211_ATTR_TX_RATES,
6098						    &params->beacon_rate,
6099						    dev, false, link_id);
6100		if (err)
6101			goto out_unlock;
6102
6103		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
6104					      &params->beacon_rate);
6105		if (err)
6106			goto out_unlock;
6107	}
6108
6109	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
6110		params->smps_mode =
6111			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
6112		switch (params->smps_mode) {
6113		case NL80211_SMPS_OFF:
6114			break;
6115		case NL80211_SMPS_STATIC:
6116			if (!(rdev->wiphy.features &
6117			      NL80211_FEATURE_STATIC_SMPS)) {
6118				err = -EINVAL;
6119				goto out_unlock;
6120			}
6121			break;
6122		case NL80211_SMPS_DYNAMIC:
6123			if (!(rdev->wiphy.features &
6124			      NL80211_FEATURE_DYNAMIC_SMPS)) {
6125				err = -EINVAL;
6126				goto out_unlock;
6127			}
6128			break;
6129		default:
6130			err = -EINVAL;
6131			goto out_unlock;
6132		}
6133	} else {
6134		params->smps_mode = NL80211_SMPS_OFF;
6135	}
6136
6137	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
6138	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
6139		err = -EOPNOTSUPP;
6140		goto out_unlock;
6141	}
6142
6143	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
6144		params->acl = parse_acl_data(&rdev->wiphy, info);
6145		if (IS_ERR(params->acl)) {
6146			err = PTR_ERR(params->acl);
6147			params->acl = NULL;
6148			goto out_unlock;
6149		}
6150	}
6151
6152	params->twt_responder =
6153		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
6154
6155	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
6156		err = nl80211_parse_he_obss_pd(
6157					info->attrs[NL80211_ATTR_HE_OBSS_PD],
6158					&params->he_obss_pd);
6159		if (err)
6160			goto out_unlock;
6161	}
6162
6163	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
6164		err = nl80211_parse_fils_discovery(rdev,
6165						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
6166						   params);
6167		if (err)
6168			goto out_unlock;
6169	}
6170
6171	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
6172		err = nl80211_parse_unsol_bcast_probe_resp(
6173			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
6174			params);
6175		if (err)
6176			goto out_unlock;
6177	}
6178
6179	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
6180		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev,
6181						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
6182						  &params->mbssid_config,
6183						  params->beacon.mbssid_ies ?
6184							params->beacon.mbssid_ies->cnt :
6185							0);
6186		if (err)
6187			goto out_unlock;
6188	}
6189
6190	if (!params->mbssid_config.ema && params->beacon.rnr_ies) {
6191		err = -EINVAL;
6192		goto out_unlock;
6193	}
6194
6195	err = nl80211_calculate_ap_params(params);
6196	if (err)
6197		goto out_unlock;
6198
6199	err = nl80211_validate_ap_phy_operation(params);
6200	if (err)
6201		goto out_unlock;
6202
6203	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
6204		params->flags = nla_get_u32(
6205			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
6206	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
6207		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
6208
6209	if (wdev->conn_owner_nlportid &&
6210	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
6211	    wdev->conn_owner_nlportid != info->snd_portid) {
6212		err = -EINVAL;
6213		goto out_unlock;
6214	}
6215
6216	/* FIXME: validate MLO/link-id against driver capabilities */
6217
6218	err = rdev_start_ap(rdev, dev, params);
6219	if (!err) {
6220		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
6221		wdev->links[link_id].ap.chandef = params->chandef;
6222		wdev->u.ap.ssid_len = params->ssid_len;
6223		memcpy(wdev->u.ap.ssid, params->ssid,
6224		       params->ssid_len);
6225
6226		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6227			wdev->conn_owner_nlportid = info->snd_portid;
6228
6229		nl80211_send_ap_started(wdev, link_id);
6230	}
6231out_unlock:
6232	wdev_unlock(wdev);
6233out:
6234	kfree(params->acl);
6235	kfree(params->beacon.mbssid_ies);
6236	if (params->mbssid_config.tx_wdev &&
6237	    params->mbssid_config.tx_wdev->netdev &&
6238	    params->mbssid_config.tx_wdev->netdev != dev)
6239		dev_put(params->mbssid_config.tx_wdev->netdev);
6240	kfree(params->beacon.rnr_ies);
6241	kfree(params);
6242
6243	return err;
6244}
6245
6246static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
6247{
6248	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6249	unsigned int link_id = nl80211_link_id(info->attrs);
6250	struct net_device *dev = info->user_ptr[1];
6251	struct wireless_dev *wdev = dev->ieee80211_ptr;
6252	struct cfg80211_beacon_data params;
6253	int err;
6254
6255	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6256	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6257		return -EOPNOTSUPP;
6258
6259	if (!rdev->ops->change_beacon)
6260		return -EOPNOTSUPP;
6261
6262	if (!wdev->links[link_id].ap.beacon_interval)
6263		return -EINVAL;
6264
6265	err = nl80211_parse_beacon(rdev, info->attrs, &params, info->extack);
6266	if (err)
6267		goto out;
6268
6269	wdev_lock(wdev);
6270	err = rdev_change_beacon(rdev, dev, &params);
6271	wdev_unlock(wdev);
6272
6273out:
6274	kfree(params.mbssid_ies);
6275	kfree(params.rnr_ies);
6276	return err;
6277}
6278
6279static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
6280{
6281	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6282	unsigned int link_id = nl80211_link_id(info->attrs);
6283	struct net_device *dev = info->user_ptr[1];
6284
6285	return cfg80211_stop_ap(rdev, dev, link_id, false);
6286}
6287
6288static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
6289	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
6290	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
6291	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
6292	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
6293	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
6294	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
6295};
6296
6297static int parse_station_flags(struct genl_info *info,
6298			       enum nl80211_iftype iftype,
6299			       struct station_parameters *params)
6300{
6301	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
6302	struct nlattr *nla;
6303	int flag;
6304
6305	/*
6306	 * Try parsing the new attribute first so userspace
6307	 * can specify both for older kernels.
6308	 */
6309	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
6310	if (nla) {
6311		struct nl80211_sta_flag_update *sta_flags;
6312
6313		sta_flags = nla_data(nla);
6314		params->sta_flags_mask = sta_flags->mask;
6315		params->sta_flags_set = sta_flags->set;
6316		params->sta_flags_set &= params->sta_flags_mask;
6317		if ((params->sta_flags_mask |
6318		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
6319			return -EINVAL;
6320		return 0;
6321	}
6322
6323	/* if present, parse the old attribute */
6324
6325	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
6326	if (!nla)
6327		return 0;
6328
6329	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
6330		return -EINVAL;
6331
6332	/*
6333	 * Only allow certain flags for interface types so that
6334	 * other attributes are silently ignored. Remember that
6335	 * this is backward compatibility code with old userspace
6336	 * and shouldn't be hit in other cases anyway.
6337	 */
6338	switch (iftype) {
6339	case NL80211_IFTYPE_AP:
6340	case NL80211_IFTYPE_AP_VLAN:
6341	case NL80211_IFTYPE_P2P_GO:
6342		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6343					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6344					 BIT(NL80211_STA_FLAG_WME) |
6345					 BIT(NL80211_STA_FLAG_MFP);
6346		break;
6347	case NL80211_IFTYPE_P2P_CLIENT:
6348	case NL80211_IFTYPE_STATION:
6349		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6350					 BIT(NL80211_STA_FLAG_TDLS_PEER);
6351		break;
6352	case NL80211_IFTYPE_MESH_POINT:
6353		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6354					 BIT(NL80211_STA_FLAG_MFP) |
6355					 BIT(NL80211_STA_FLAG_AUTHORIZED);
6356		break;
6357	default:
6358		return -EINVAL;
6359	}
6360
6361	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
6362		if (flags[flag]) {
6363			params->sta_flags_set |= (1<<flag);
6364
6365			/* no longer support new API additions in old API */
6366			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
6367				return -EINVAL;
6368		}
6369	}
6370
6371	return 0;
6372}
6373
6374bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
6375{
6376	struct nlattr *rate;
6377	u32 bitrate;
6378	u16 bitrate_compat;
6379	enum nl80211_rate_info rate_flg;
6380
6381	rate = nla_nest_start_noflag(msg, attr);
6382	if (!rate)
6383		return false;
6384
6385	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
6386	bitrate = cfg80211_calculate_bitrate(info);
6387	/* report 16-bit bitrate only if we can */
6388	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
6389	if (bitrate > 0 &&
6390	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
6391		return false;
6392	if (bitrate_compat > 0 &&
6393	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
6394		return false;
6395
6396	switch (info->bw) {
6397	case RATE_INFO_BW_1:
6398		rate_flg = NL80211_RATE_INFO_1_MHZ_WIDTH;
6399		break;
6400	case RATE_INFO_BW_2:
6401		rate_flg = NL80211_RATE_INFO_2_MHZ_WIDTH;
6402		break;
6403	case RATE_INFO_BW_4:
6404		rate_flg = NL80211_RATE_INFO_4_MHZ_WIDTH;
6405		break;
6406	case RATE_INFO_BW_5:
6407		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
6408		break;
6409	case RATE_INFO_BW_8:
6410		rate_flg = NL80211_RATE_INFO_8_MHZ_WIDTH;
6411		break;
6412	case RATE_INFO_BW_10:
6413		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
6414		break;
6415	case RATE_INFO_BW_16:
6416		rate_flg = NL80211_RATE_INFO_16_MHZ_WIDTH;
6417		break;
6418	default:
6419		WARN_ON(1);
6420		fallthrough;
6421	case RATE_INFO_BW_20:
6422		rate_flg = 0;
6423		break;
6424	case RATE_INFO_BW_40:
6425		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
6426		break;
6427	case RATE_INFO_BW_80:
6428		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
6429		break;
6430	case RATE_INFO_BW_160:
6431		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
6432		break;
6433	case RATE_INFO_BW_HE_RU:
6434		rate_flg = 0;
6435		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
6436		break;
6437	case RATE_INFO_BW_320:
6438		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
6439		break;
6440	case RATE_INFO_BW_EHT_RU:
6441		rate_flg = 0;
6442		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS));
6443		break;
6444	}
6445
6446	if (rate_flg && nla_put_flag(msg, rate_flg))
6447		return false;
6448
6449	if (info->flags & RATE_INFO_FLAGS_MCS) {
6450		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
6451			return false;
6452		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6453		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6454			return false;
6455	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
6456		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
6457			return false;
6458		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
6459			return false;
6460		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6461		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6462			return false;
6463	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
6464		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
6465			return false;
6466		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
6467			return false;
6468		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
6469			return false;
6470		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
6471			return false;
6472		if (info->bw == RATE_INFO_BW_HE_RU &&
6473		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
6474			       info->he_ru_alloc))
6475			return false;
6476	} else if (info->flags & RATE_INFO_FLAGS_S1G_MCS) {
6477		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_MCS, info->mcs))
6478			return false;
6479		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_NSS, info->nss))
6480			return false;
6481		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6482		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6483			return false;
6484	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
6485		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
6486			return false;
6487		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
6488			return false;
6489		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
6490			return false;
6491		if (info->bw == RATE_INFO_BW_EHT_RU &&
6492		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
6493			       info->eht_ru_alloc))
6494			return false;
6495	}
6496
6497	nla_nest_end(msg, rate);
6498	return true;
6499}
6500
6501static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
6502			       int id)
6503{
6504	void *attr;
6505	int i = 0;
6506
6507	if (!mask)
6508		return true;
6509
6510	attr = nla_nest_start_noflag(msg, id);
6511	if (!attr)
6512		return false;
6513
6514	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
6515		if (!(mask & BIT(i)))
6516			continue;
6517
6518		if (nla_put_u8(msg, i, signal[i]))
6519			return false;
6520	}
6521
6522	nla_nest_end(msg, attr);
6523
6524	return true;
6525}
6526
6527static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
6528				u32 seq, int flags,
6529				struct cfg80211_registered_device *rdev,
6530				struct net_device *dev,
6531				const u8 *mac_addr, struct station_info *sinfo)
6532{
6533	void *hdr;
6534	struct nlattr *sinfoattr, *bss_param;
6535
6536	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
6537	if (!hdr) {
6538		cfg80211_sinfo_release_content(sinfo);
6539		return -1;
6540	}
6541
6542	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6543	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
6544	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
6545		goto nla_put_failure;
6546
6547	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
6548	if (!sinfoattr)
6549		goto nla_put_failure;
6550
6551#define PUT_SINFO(attr, memb, type) do {				\
6552	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6553	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6554	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6555			     sinfo->memb))				\
6556		goto nla_put_failure;					\
6557	} while (0)
6558#define PUT_SINFO_U64(attr, memb) do {					\
6559	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6560	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6561			      sinfo->memb, NL80211_STA_INFO_PAD))	\
6562		goto nla_put_failure;					\
6563	} while (0)
6564
6565	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
6566	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
6567	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
6568
6569	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6570			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6571	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6572			(u32)sinfo->rx_bytes))
6573		goto nla_put_failure;
6574
6575	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6576			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6577	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6578			(u32)sinfo->tx_bytes))
6579		goto nla_put_failure;
6580
6581	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
6582	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
6583	PUT_SINFO(LLID, llid, u16);
6584	PUT_SINFO(PLID, plid, u16);
6585	PUT_SINFO(PLINK_STATE, plink_state, u8);
6586	PUT_SINFO_U64(RX_DURATION, rx_duration);
6587	PUT_SINFO_U64(TX_DURATION, tx_duration);
6588
6589	if (wiphy_ext_feature_isset(&rdev->wiphy,
6590				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6591		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6592
6593	switch (rdev->wiphy.signal_type) {
6594	case CFG80211_SIGNAL_TYPE_MBM:
6595		PUT_SINFO(SIGNAL, signal, u8);
6596		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
6597		break;
6598	default:
6599		break;
6600	}
6601	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6602		if (!nl80211_put_signal(msg, sinfo->chains,
6603					sinfo->chain_signal,
6604					NL80211_STA_INFO_CHAIN_SIGNAL))
6605			goto nla_put_failure;
6606	}
6607	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6608		if (!nl80211_put_signal(msg, sinfo->chains,
6609					sinfo->chain_signal_avg,
6610					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6611			goto nla_put_failure;
6612	}
6613	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6614		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
6615					  NL80211_STA_INFO_TX_BITRATE))
6616			goto nla_put_failure;
6617	}
6618	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6619		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
6620					  NL80211_STA_INFO_RX_BITRATE))
6621			goto nla_put_failure;
6622	}
6623
6624	PUT_SINFO(RX_PACKETS, rx_packets, u32);
6625	PUT_SINFO(TX_PACKETS, tx_packets, u32);
6626	PUT_SINFO(TX_RETRIES, tx_retries, u32);
6627	PUT_SINFO(TX_FAILED, tx_failed, u32);
6628	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6629	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
6630	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6631	PUT_SINFO(LOCAL_PM, local_pm, u32);
6632	PUT_SINFO(PEER_PM, peer_pm, u32);
6633	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
6634	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
6635	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
6636
6637	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6638		bss_param = nla_nest_start_noflag(msg,
6639						  NL80211_STA_INFO_BSS_PARAM);
6640		if (!bss_param)
6641			goto nla_put_failure;
6642
6643		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
6644		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6645		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6646		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6647		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6648		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6649		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6650			       sinfo->bss_param.dtim_period) ||
6651		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6652				sinfo->bss_param.beacon_interval))
6653			goto nla_put_failure;
6654
6655		nla_nest_end(msg, bss_param);
6656	}
6657	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
6658	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
6659		    sizeof(struct nl80211_sta_flag_update),
6660		    &sinfo->sta_flags))
6661		goto nla_put_failure;
6662
6663	PUT_SINFO_U64(T_OFFSET, t_offset);
6664	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6665	PUT_SINFO_U64(BEACON_RX, rx_beacon);
6666	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6667	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6668	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6669	if (wiphy_ext_feature_isset(&rdev->wiphy,
6670				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6671		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
6672		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6673	}
6674
6675#undef PUT_SINFO
6676#undef PUT_SINFO_U64
6677
6678	if (sinfo->pertid) {
6679		struct nlattr *tidsattr;
6680		int tid;
6681
6682		tidsattr = nla_nest_start_noflag(msg,
6683						 NL80211_STA_INFO_TID_STATS);
6684		if (!tidsattr)
6685			goto nla_put_failure;
6686
6687		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6688			struct cfg80211_tid_stats *tidstats;
6689			struct nlattr *tidattr;
6690
6691			tidstats = &sinfo->pertid[tid];
6692
6693			if (!tidstats->filled)
6694				continue;
6695
6696			tidattr = nla_nest_start_noflag(msg, tid + 1);
6697			if (!tidattr)
6698				goto nla_put_failure;
6699
6700#define PUT_TIDVAL_U64(attr, memb) do {					\
6701	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6702	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6703			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6704		goto nla_put_failure;					\
6705	} while (0)
6706
6707			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6708			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6709			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6710			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6711
6712#undef PUT_TIDVAL_U64
6713			if ((tidstats->filled &
6714			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6715			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6716						   NL80211_TID_STATS_TXQ_STATS))
6717				goto nla_put_failure;
6718
6719			nla_nest_end(msg, tidattr);
6720		}
6721
6722		nla_nest_end(msg, tidsattr);
6723	}
6724
6725	nla_nest_end(msg, sinfoattr);
6726
6727	if (sinfo->assoc_req_ies_len &&
6728	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
6729		    sinfo->assoc_req_ies))
6730		goto nla_put_failure;
6731
6732	if (sinfo->assoc_resp_ies_len &&
6733	    nla_put(msg, NL80211_ATTR_RESP_IE, sinfo->assoc_resp_ies_len,
6734		    sinfo->assoc_resp_ies))
6735		goto nla_put_failure;
6736
6737	if (sinfo->mlo_params_valid) {
6738		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
6739			       sinfo->assoc_link_id))
6740			goto nla_put_failure;
6741
6742		if (!is_zero_ether_addr(sinfo->mld_addr) &&
6743		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
6744			    sinfo->mld_addr))
6745			goto nla_put_failure;
6746	}
6747
6748	cfg80211_sinfo_release_content(sinfo);
6749	genlmsg_end(msg, hdr);
6750	return 0;
6751
6752 nla_put_failure:
6753	cfg80211_sinfo_release_content(sinfo);
6754	genlmsg_cancel(msg, hdr);
6755	return -EMSGSIZE;
6756}
6757
6758static int nl80211_dump_station(struct sk_buff *skb,
6759				struct netlink_callback *cb)
6760{
6761	struct station_info sinfo;
6762	struct cfg80211_registered_device *rdev;
6763	struct wireless_dev *wdev;
6764	u8 mac_addr[ETH_ALEN];
6765	int sta_idx = cb->args[2];
6766	int err;
6767
6768	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
6769	if (err)
6770		return err;
6771	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6772	__acquire(&rdev->wiphy.mtx);
6773
6774	if (!wdev->netdev) {
6775		err = -EINVAL;
6776		goto out_err;
6777	}
6778
6779	if (!rdev->ops->dump_station) {
6780		err = -EOPNOTSUPP;
6781		goto out_err;
6782	}
6783
6784	while (1) {
6785		memset(&sinfo, 0, sizeof(sinfo));
6786		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6787					mac_addr, &sinfo);
6788		if (err == -ENOENT)
6789			break;
6790		if (err)
6791			goto out_err;
6792
6793		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6794				NETLINK_CB(cb->skb).portid,
6795				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6796				rdev, wdev->netdev, mac_addr,
6797				&sinfo) < 0)
6798			goto out;
6799
6800		sta_idx++;
6801	}
6802
6803 out:
6804	cb->args[2] = sta_idx;
6805	err = skb->len;
6806 out_err:
6807	wiphy_unlock(&rdev->wiphy);
6808
6809	return err;
6810}
6811
6812static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6813{
6814	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6815	struct net_device *dev = info->user_ptr[1];
6816	struct station_info sinfo;
6817	struct sk_buff *msg;
6818	u8 *mac_addr = NULL;
6819	int err;
6820
6821	memset(&sinfo, 0, sizeof(sinfo));
6822
6823	if (!info->attrs[NL80211_ATTR_MAC])
6824		return -EINVAL;
6825
6826	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6827
6828	if (!rdev->ops->get_station)
6829		return -EOPNOTSUPP;
6830
6831	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
6832	if (err)
6833		return err;
6834
6835	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6836	if (!msg) {
6837		cfg80211_sinfo_release_content(&sinfo);
6838		return -ENOMEM;
6839	}
6840
6841	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
6842				 info->snd_portid, info->snd_seq, 0,
6843				 rdev, dev, mac_addr, &sinfo) < 0) {
6844		nlmsg_free(msg);
6845		return -ENOBUFS;
6846	}
6847
6848	return genlmsg_reply(msg, info);
6849}
6850
6851int cfg80211_check_station_change(struct wiphy *wiphy,
6852				  struct station_parameters *params,
6853				  enum cfg80211_station_type statype)
6854{
6855	if (params->listen_interval != -1 &&
6856	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6857		return -EINVAL;
6858
6859	if (params->support_p2p_ps != -1 &&
6860	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6861		return -EINVAL;
6862
6863	if (params->aid &&
6864	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
6865	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6866		return -EINVAL;
6867
6868	/* When you run into this, adjust the code below for the new flag */
6869	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6870
6871	switch (statype) {
6872	case CFG80211_STA_MESH_PEER_KERNEL:
6873	case CFG80211_STA_MESH_PEER_USER:
6874		/*
6875		 * No ignoring the TDLS flag here -- the userspace mesh
6876		 * code doesn't have the bug of including TDLS in the
6877		 * mask everywhere.
6878		 */
6879		if (params->sta_flags_mask &
6880				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6881				  BIT(NL80211_STA_FLAG_MFP) |
6882				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
6883			return -EINVAL;
6884		break;
6885	case CFG80211_STA_TDLS_PEER_SETUP:
6886	case CFG80211_STA_TDLS_PEER_ACTIVE:
6887		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6888			return -EINVAL;
6889		/* ignore since it can't change */
6890		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6891		break;
6892	default:
6893		/* disallow mesh-specific things */
6894		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
6895			return -EINVAL;
6896		if (params->local_pm)
6897			return -EINVAL;
6898		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6899			return -EINVAL;
6900	}
6901
6902	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6903	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
6904		/* TDLS can't be set, ... */
6905		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
6906			return -EINVAL;
6907		/*
6908		 * ... but don't bother the driver with it. This works around
6909		 * a hostapd/wpa_supplicant issue -- it always includes the
6910		 * TLDS_PEER flag in the mask even for AP mode.
6911		 */
6912		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6913	}
6914
6915	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6916	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6917		/* reject other things that can't change */
6918		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
6919			return -EINVAL;
6920		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
6921			return -EINVAL;
6922		if (params->link_sta_params.supported_rates)
6923			return -EINVAL;
6924		if (params->ext_capab || params->link_sta_params.ht_capa ||
6925		    params->link_sta_params.vht_capa ||
6926		    params->link_sta_params.he_capa ||
6927		    params->link_sta_params.eht_capa)
6928			return -EINVAL;
6929	}
6930
6931	if (statype != CFG80211_STA_AP_CLIENT &&
6932	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6933		if (params->vlan)
6934			return -EINVAL;
6935	}
6936
6937	switch (statype) {
6938	case CFG80211_STA_AP_MLME_CLIENT:
6939		/* Use this only for authorizing/unauthorizing a station */
6940		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
6941			return -EOPNOTSUPP;
6942		break;
6943	case CFG80211_STA_AP_CLIENT:
6944	case CFG80211_STA_AP_CLIENT_UNASSOC:
6945		/* accept only the listed bits */
6946		if (params->sta_flags_mask &
6947				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6948				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6949				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
6950				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6951				  BIT(NL80211_STA_FLAG_WME) |
6952				  BIT(NL80211_STA_FLAG_MFP)))
6953			return -EINVAL;
6954
6955		/* but authenticated/associated only if driver handles it */
6956		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6957		    params->sta_flags_mask &
6958				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6959				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
6960			return -EINVAL;
6961		break;
6962	case CFG80211_STA_IBSS:
6963	case CFG80211_STA_AP_STA:
6964		/* reject any changes other than AUTHORIZED */
6965		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
6966			return -EINVAL;
6967		break;
6968	case CFG80211_STA_TDLS_PEER_SETUP:
6969		/* reject any changes other than AUTHORIZED or WME */
6970		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6971					       BIT(NL80211_STA_FLAG_WME)))
6972			return -EINVAL;
6973		/* force (at least) rates when authorizing */
6974		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
6975		    !params->link_sta_params.supported_rates)
6976			return -EINVAL;
6977		break;
6978	case CFG80211_STA_TDLS_PEER_ACTIVE:
6979		/* reject any changes */
6980		return -EINVAL;
6981	case CFG80211_STA_MESH_PEER_KERNEL:
6982		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6983			return -EINVAL;
6984		break;
6985	case CFG80211_STA_MESH_PEER_USER:
6986		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
6987		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
6988			return -EINVAL;
6989		break;
6990	}
6991
6992	/*
6993	 * Older kernel versions ignored this attribute entirely, so don't
6994	 * reject attempts to update it but mark it as unused instead so the
6995	 * driver won't look at the data.
6996	 */
6997	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
6998	    statype != CFG80211_STA_TDLS_PEER_SETUP)
6999		params->link_sta_params.opmode_notif_used = false;
7000
7001	return 0;
7002}
7003EXPORT_SYMBOL(cfg80211_check_station_change);
7004
7005/*
7006 * Get vlan interface making sure it is running and on the right wiphy.
7007 */
7008static struct net_device *get_vlan(struct genl_info *info,
7009				   struct cfg80211_registered_device *rdev)
7010{
7011	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
7012	struct net_device *v;
7013	int ret;
7014
7015	if (!vlanattr)
7016		return NULL;
7017
7018	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
7019	if (!v)
7020		return ERR_PTR(-ENODEV);
7021
7022	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
7023		ret = -EINVAL;
7024		goto error;
7025	}
7026
7027	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
7028	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7029	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
7030		ret = -EINVAL;
7031		goto error;
7032	}
7033
7034	if (!netif_running(v)) {
7035		ret = -ENETDOWN;
7036		goto error;
7037	}
7038
7039	return v;
7040 error:
7041	dev_put(v);
7042	return ERR_PTR(ret);
7043}
7044
7045static int nl80211_parse_sta_wme(struct genl_info *info,
7046				 struct station_parameters *params)
7047{
7048	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
7049	struct nlattr *nla;
7050	int err;
7051
7052	/* parse WME attributes if present */
7053	if (!info->attrs[NL80211_ATTR_STA_WME])
7054		return 0;
7055
7056	nla = info->attrs[NL80211_ATTR_STA_WME];
7057	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
7058					  nl80211_sta_wme_policy,
7059					  info->extack);
7060	if (err)
7061		return err;
7062
7063	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
7064		params->uapsd_queues = nla_get_u8(
7065			tb[NL80211_STA_WME_UAPSD_QUEUES]);
7066	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
7067		return -EINVAL;
7068
7069	if (tb[NL80211_STA_WME_MAX_SP])
7070		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
7071
7072	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
7073		return -EINVAL;
7074
7075	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
7076
7077	return 0;
7078}
7079
7080static int nl80211_parse_sta_channel_info(struct genl_info *info,
7081				      struct station_parameters *params)
7082{
7083	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
7084		params->supported_channels =
7085		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7086		params->supported_channels_len =
7087		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7088		/*
7089		 * Need to include at least one (first channel, number of
7090		 * channels) tuple for each subband (checked in policy),
7091		 * and must have proper tuples for the rest of the data as well.
7092		 */
7093		if (params->supported_channels_len % 2)
7094			return -EINVAL;
7095	}
7096
7097	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
7098		params->supported_oper_classes =
7099		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7100		params->supported_oper_classes_len =
7101		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7102	}
7103	return 0;
7104}
7105
7106static int nl80211_set_station_tdls(struct genl_info *info,
7107				    struct station_parameters *params)
7108{
7109	int err;
7110	/* Dummy STA entry gets updated once the peer capabilities are known */
7111	if (info->attrs[NL80211_ATTR_PEER_AID])
7112		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7113	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7114		params->link_sta_params.ht_capa =
7115			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7116	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7117		params->link_sta_params.vht_capa =
7118			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7119	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7120		params->link_sta_params.he_capa =
7121			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7122		params->link_sta_params.he_capa_len =
7123			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7124
7125		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7126			params->link_sta_params.eht_capa =
7127				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7128			params->link_sta_params.eht_capa_len =
7129				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7130
7131			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
7132							(const u8 *)params->link_sta_params.eht_capa,
7133							params->link_sta_params.eht_capa_len,
7134							false))
7135				return -EINVAL;
7136		}
7137	}
7138
7139	err = nl80211_parse_sta_channel_info(info, params);
7140	if (err)
7141		return err;
7142
7143	return nl80211_parse_sta_wme(info, params);
7144}
7145
7146static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
7147					     struct sta_txpwr *txpwr,
7148					     bool *txpwr_set)
7149{
7150	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7151	int idx;
7152
7153	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
7154		if (!rdev->ops->set_tx_power ||
7155		    !wiphy_ext_feature_isset(&rdev->wiphy,
7156					 NL80211_EXT_FEATURE_STA_TX_PWR))
7157			return -EOPNOTSUPP;
7158
7159		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
7160		txpwr->type = nla_get_u8(info->attrs[idx]);
7161
7162		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
7163			idx = NL80211_ATTR_STA_TX_POWER;
7164
7165			if (info->attrs[idx])
7166				txpwr->power = nla_get_s16(info->attrs[idx]);
7167			else
7168				return -EINVAL;
7169		}
7170
7171		*txpwr_set = true;
7172	} else {
7173		*txpwr_set = false;
7174	}
7175
7176	return 0;
7177}
7178
7179static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
7180{
7181	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7182	struct net_device *dev = info->user_ptr[1];
7183	struct station_parameters params;
7184	u8 *mac_addr;
7185	int err;
7186
7187	memset(&params, 0, sizeof(params));
7188
7189	if (!rdev->ops->change_station)
7190		return -EOPNOTSUPP;
7191
7192	/*
7193	 * AID and listen_interval properties can be set only for unassociated
7194	 * station. Include these parameters here and will check them in
7195	 * cfg80211_check_station_change().
7196	 */
7197	if (info->attrs[NL80211_ATTR_STA_AID])
7198		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7199
7200	if (info->attrs[NL80211_ATTR_VLAN_ID])
7201		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7202
7203	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7204		params.listen_interval =
7205		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7206	else
7207		params.listen_interval = -1;
7208
7209	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
7210		params.support_p2p_ps =
7211			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7212	else
7213		params.support_p2p_ps = -1;
7214
7215	if (!info->attrs[NL80211_ATTR_MAC])
7216		return -EINVAL;
7217
7218	params.link_sta_params.link_id =
7219		nl80211_link_id_or_invalid(info->attrs);
7220
7221	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7222		/* If MLD_ADDR attribute is set then this is an MLD station
7223		 * and the MLD_ADDR attribute holds the MLD address and the
7224		 * MAC attribute holds for the LINK address.
7225		 * In that case, the link_id is also expected to be valid.
7226		 */
7227		if (params.link_sta_params.link_id < 0)
7228			return -EINVAL;
7229
7230		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7231		params.link_sta_params.mld_mac = mac_addr;
7232		params.link_sta_params.link_mac =
7233			nla_data(info->attrs[NL80211_ATTR_MAC]);
7234		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7235			return -EINVAL;
7236	} else {
7237		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7238	}
7239
7240
7241	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
7242		params.link_sta_params.supported_rates =
7243			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7244		params.link_sta_params.supported_rates_len =
7245			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7246	}
7247
7248	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7249		params.capability =
7250			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7251		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7252	}
7253
7254	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7255		params.ext_capab =
7256			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7257		params.ext_capab_len =
7258			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7259	}
7260
7261	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7262		return -EINVAL;
7263
7264	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7265		params.plink_action =
7266			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7267
7268	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
7269		params.plink_state =
7270			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
7271		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
7272			params.peer_aid = nla_get_u16(
7273				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
7274		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
7275	}
7276
7277	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
7278		params.local_pm = nla_get_u32(
7279			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
7280
7281	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7282		params.link_sta_params.opmode_notif_used = true;
7283		params.link_sta_params.opmode_notif =
7284			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7285	}
7286
7287	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7288		params.link_sta_params.he_6ghz_capa =
7289			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7290
7291	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7292		params.airtime_weight =
7293			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7294
7295	if (params.airtime_weight &&
7296	    !wiphy_ext_feature_isset(&rdev->wiphy,
7297				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7298		return -EOPNOTSUPP;
7299
7300	err = nl80211_parse_sta_txpower_setting(info,
7301						&params.link_sta_params.txpwr,
7302						&params.link_sta_params.txpwr_set);
7303	if (err)
7304		return err;
7305
7306	/* Include parameters for TDLS peer (will check later) */
7307	err = nl80211_set_station_tdls(info, &params);
7308	if (err)
7309		return err;
7310
7311	params.vlan = get_vlan(info, rdev);
7312	if (IS_ERR(params.vlan))
7313		return PTR_ERR(params.vlan);
7314
7315	switch (dev->ieee80211_ptr->iftype) {
7316	case NL80211_IFTYPE_AP:
7317	case NL80211_IFTYPE_AP_VLAN:
7318	case NL80211_IFTYPE_P2P_GO:
7319	case NL80211_IFTYPE_P2P_CLIENT:
7320	case NL80211_IFTYPE_STATION:
7321	case NL80211_IFTYPE_ADHOC:
7322	case NL80211_IFTYPE_MESH_POINT:
7323		break;
7324	default:
7325		err = -EOPNOTSUPP;
7326		goto out_put_vlan;
7327	}
7328
7329	/* driver will call cfg80211_check_station_change() */
7330	wdev_lock(dev->ieee80211_ptr);
7331	err = rdev_change_station(rdev, dev, mac_addr, &params);
7332	wdev_unlock(dev->ieee80211_ptr);
7333
7334 out_put_vlan:
7335	dev_put(params.vlan);
7336
7337	return err;
7338}
7339
7340static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
7341{
7342	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7343	int err;
7344	struct net_device *dev = info->user_ptr[1];
7345	struct wireless_dev *wdev = dev->ieee80211_ptr;
7346	struct station_parameters params;
7347	u8 *mac_addr = NULL;
7348	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7349			 BIT(NL80211_STA_FLAG_ASSOCIATED);
7350
7351	memset(&params, 0, sizeof(params));
7352
7353	if (!rdev->ops->add_station)
7354		return -EOPNOTSUPP;
7355
7356	if (!info->attrs[NL80211_ATTR_MAC])
7357		return -EINVAL;
7358
7359	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7360		return -EINVAL;
7361
7362	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
7363		return -EINVAL;
7364
7365	if (!info->attrs[NL80211_ATTR_STA_AID] &&
7366	    !info->attrs[NL80211_ATTR_PEER_AID])
7367		return -EINVAL;
7368
7369	params.link_sta_params.link_id =
7370		nl80211_link_id_or_invalid(info->attrs);
7371
7372	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7373		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7374		params.link_sta_params.mld_mac = mac_addr;
7375		params.link_sta_params.link_mac =
7376			nla_data(info->attrs[NL80211_ATTR_MAC]);
7377		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7378			return -EINVAL;
7379	} else {
7380		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7381	}
7382
7383	params.link_sta_params.supported_rates =
7384		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7385	params.link_sta_params.supported_rates_len =
7386		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7387	params.listen_interval =
7388		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7389
7390	if (info->attrs[NL80211_ATTR_VLAN_ID])
7391		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7392
7393	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
7394		params.support_p2p_ps =
7395			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7396	} else {
7397		/*
7398		 * if not specified, assume it's supported for P2P GO interface,
7399		 * and is NOT supported for AP interface
7400		 */
7401		params.support_p2p_ps =
7402			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
7403	}
7404
7405	if (info->attrs[NL80211_ATTR_PEER_AID])
7406		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7407	else
7408		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7409
7410	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7411		params.capability =
7412			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7413		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7414	}
7415
7416	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7417		params.ext_capab =
7418			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7419		params.ext_capab_len =
7420			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7421	}
7422
7423	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7424		params.link_sta_params.ht_capa =
7425			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7426
7427	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7428		params.link_sta_params.vht_capa =
7429			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7430
7431	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7432		params.link_sta_params.he_capa =
7433			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7434		params.link_sta_params.he_capa_len =
7435			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7436
7437		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7438			params.link_sta_params.eht_capa =
7439				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7440			params.link_sta_params.eht_capa_len =
7441				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7442
7443			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
7444							(const u8 *)params.link_sta_params.eht_capa,
7445							params.link_sta_params.eht_capa_len,
7446							false))
7447				return -EINVAL;
7448		}
7449	}
7450
7451	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7452		params.link_sta_params.he_6ghz_capa =
7453			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7454
7455	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7456		params.link_sta_params.opmode_notif_used = true;
7457		params.link_sta_params.opmode_notif =
7458			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7459	}
7460
7461	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7462		params.plink_action =
7463			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7464
7465	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7466		params.airtime_weight =
7467			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7468
7469	if (params.airtime_weight &&
7470	    !wiphy_ext_feature_isset(&rdev->wiphy,
7471				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7472		return -EOPNOTSUPP;
7473
7474	err = nl80211_parse_sta_txpower_setting(info,
7475						&params.link_sta_params.txpwr,
7476						&params.link_sta_params.txpwr_set);
7477	if (err)
7478		return err;
7479
7480	err = nl80211_parse_sta_channel_info(info, &params);
7481	if (err)
7482		return err;
7483
7484	err = nl80211_parse_sta_wme(info, &params);
7485	if (err)
7486		return err;
7487
7488	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7489		return -EINVAL;
7490
7491	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
7492	 * as userspace might just pass through the capabilities from the IEs
7493	 * directly, rather than enforcing this restriction and returning an
7494	 * error in this case.
7495	 */
7496	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
7497		params.link_sta_params.ht_capa = NULL;
7498		params.link_sta_params.vht_capa = NULL;
7499
7500		/* HE and EHT require WME */
7501		if (params.link_sta_params.he_capa_len ||
7502		    params.link_sta_params.he_6ghz_capa ||
7503		    params.link_sta_params.eht_capa_len)
7504			return -EINVAL;
7505	}
7506
7507	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
7508	if (params.link_sta_params.he_6ghz_capa &&
7509	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
7510		return -EINVAL;
7511
7512	/* When you run into this, adjust the code below for the new flag */
7513	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
7514
7515	switch (dev->ieee80211_ptr->iftype) {
7516	case NL80211_IFTYPE_AP:
7517	case NL80211_IFTYPE_AP_VLAN:
7518	case NL80211_IFTYPE_P2P_GO:
7519		/* ignore WME attributes if iface/sta is not capable */
7520		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
7521		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
7522			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7523
7524		/* TDLS peers cannot be added */
7525		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7526		    info->attrs[NL80211_ATTR_PEER_AID])
7527			return -EINVAL;
7528		/* but don't bother the driver with it */
7529		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7530
7531		/* allow authenticated/associated only if driver handles it */
7532		if (!(rdev->wiphy.features &
7533				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7534		    params.sta_flags_mask & auth_assoc)
7535			return -EINVAL;
7536
7537		/* Older userspace, or userspace wanting to be compatible with
7538		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
7539		 * and assoc flags in the mask, but assumes the station will be
7540		 * added as associated anyway since this was the required driver
7541		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
7542		 * introduced.
7543		 * In order to not bother drivers with this quirk in the API
7544		 * set the flags in both the mask and set for new stations in
7545		 * this case.
7546		 */
7547		if (!(params.sta_flags_mask & auth_assoc)) {
7548			params.sta_flags_mask |= auth_assoc;
7549			params.sta_flags_set |= auth_assoc;
7550		}
7551
7552		/* must be last in here for error handling */
7553		params.vlan = get_vlan(info, rdev);
7554		if (IS_ERR(params.vlan))
7555			return PTR_ERR(params.vlan);
7556		break;
7557	case NL80211_IFTYPE_MESH_POINT:
7558		/* ignore uAPSD data */
7559		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7560
7561		/* associated is disallowed */
7562		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
7563			return -EINVAL;
7564		/* TDLS peers cannot be added */
7565		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7566		    info->attrs[NL80211_ATTR_PEER_AID])
7567			return -EINVAL;
7568		break;
7569	case NL80211_IFTYPE_STATION:
7570	case NL80211_IFTYPE_P2P_CLIENT:
7571		/* ignore uAPSD data */
7572		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7573
7574		/* these are disallowed */
7575		if (params.sta_flags_mask &
7576				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
7577				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
7578			return -EINVAL;
7579		/* Only TDLS peers can be added */
7580		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7581			return -EINVAL;
7582		/* Can only add if TDLS ... */
7583		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
7584			return -EOPNOTSUPP;
7585		/* ... with external setup is supported */
7586		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
7587			return -EOPNOTSUPP;
7588		/*
7589		 * Older wpa_supplicant versions always mark the TDLS peer
7590		 * as authorized, but it shouldn't yet be.
7591		 */
7592		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
7593		break;
7594	default:
7595		return -EOPNOTSUPP;
7596	}
7597
7598	/* be aware of params.vlan when changing code here */
7599
7600	wdev_lock(dev->ieee80211_ptr);
7601	if (wdev->valid_links) {
7602		if (params.link_sta_params.link_id < 0) {
7603			err = -EINVAL;
7604			goto out;
7605		}
7606		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
7607			err = -ENOLINK;
7608			goto out;
7609		}
7610	} else {
7611		if (params.link_sta_params.link_id >= 0) {
7612			err = -EINVAL;
7613			goto out;
7614		}
7615	}
7616	err = rdev_add_station(rdev, dev, mac_addr, &params);
7617out:
7618	wdev_unlock(dev->ieee80211_ptr);
7619	dev_put(params.vlan);
7620	return err;
7621}
7622
7623static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
7624{
7625	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7626	struct net_device *dev = info->user_ptr[1];
7627	struct station_del_parameters params;
7628	int ret;
7629
7630	memset(&params, 0, sizeof(params));
7631
7632	if (info->attrs[NL80211_ATTR_MAC])
7633		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
7634
7635	switch (dev->ieee80211_ptr->iftype) {
7636	case NL80211_IFTYPE_AP:
7637	case NL80211_IFTYPE_AP_VLAN:
7638	case NL80211_IFTYPE_MESH_POINT:
7639	case NL80211_IFTYPE_P2P_GO:
7640		/* always accept these */
7641		break;
7642	case NL80211_IFTYPE_ADHOC:
7643		/* conditionally accept */
7644		if (wiphy_ext_feature_isset(&rdev->wiphy,
7645					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
7646			break;
7647		return -EINVAL;
7648	default:
7649		return -EINVAL;
7650	}
7651
7652	if (!rdev->ops->del_station)
7653		return -EOPNOTSUPP;
7654
7655	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
7656		params.subtype =
7657			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
7658		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
7659		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
7660			return -EINVAL;
7661	} else {
7662		/* Default to Deauthentication frame */
7663		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
7664	}
7665
7666	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
7667		params.reason_code =
7668			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7669		if (params.reason_code == 0)
7670			return -EINVAL; /* 0 is reserved */
7671	} else {
7672		/* Default to reason code 2 */
7673		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
7674	}
7675
7676	wdev_lock(dev->ieee80211_ptr);
7677	ret = rdev_del_station(rdev, dev, &params);
7678	wdev_unlock(dev->ieee80211_ptr);
7679
7680	return ret;
7681}
7682
7683static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
7684				int flags, struct net_device *dev,
7685				u8 *dst, u8 *next_hop,
7686				struct mpath_info *pinfo)
7687{
7688	void *hdr;
7689	struct nlattr *pinfoattr;
7690
7691	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
7692	if (!hdr)
7693		return -1;
7694
7695	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7696	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
7697	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
7698	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
7699		goto nla_put_failure;
7700
7701	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
7702	if (!pinfoattr)
7703		goto nla_put_failure;
7704	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
7705	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
7706			pinfo->frame_qlen))
7707		goto nla_put_failure;
7708	if (((pinfo->filled & MPATH_INFO_SN) &&
7709	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
7710	    ((pinfo->filled & MPATH_INFO_METRIC) &&
7711	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
7712			 pinfo->metric)) ||
7713	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
7714	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
7715			 pinfo->exptime)) ||
7716	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
7717	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
7718			pinfo->flags)) ||
7719	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
7720	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
7721			 pinfo->discovery_timeout)) ||
7722	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
7723	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
7724			pinfo->discovery_retries)) ||
7725	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
7726	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
7727			pinfo->hop_count)) ||
7728	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
7729	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
7730			 pinfo->path_change_count)))
7731		goto nla_put_failure;
7732
7733	nla_nest_end(msg, pinfoattr);
7734
7735	genlmsg_end(msg, hdr);
7736	return 0;
7737
7738 nla_put_failure:
7739	genlmsg_cancel(msg, hdr);
7740	return -EMSGSIZE;
7741}
7742
7743static int nl80211_dump_mpath(struct sk_buff *skb,
7744			      struct netlink_callback *cb)
7745{
7746	struct mpath_info pinfo;
7747	struct cfg80211_registered_device *rdev;
7748	struct wireless_dev *wdev;
7749	u8 dst[ETH_ALEN];
7750	u8 next_hop[ETH_ALEN];
7751	int path_idx = cb->args[2];
7752	int err;
7753
7754	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7755	if (err)
7756		return err;
7757	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7758	__acquire(&rdev->wiphy.mtx);
7759
7760	if (!rdev->ops->dump_mpath) {
7761		err = -EOPNOTSUPP;
7762		goto out_err;
7763	}
7764
7765	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7766		err = -EOPNOTSUPP;
7767		goto out_err;
7768	}
7769
7770	while (1) {
7771		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
7772				      next_hop, &pinfo);
7773		if (err == -ENOENT)
7774			break;
7775		if (err)
7776			goto out_err;
7777
7778		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7779				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7780				       wdev->netdev, dst, next_hop,
7781				       &pinfo) < 0)
7782			goto out;
7783
7784		path_idx++;
7785	}
7786
7787 out:
7788	cb->args[2] = path_idx;
7789	err = skb->len;
7790 out_err:
7791	wiphy_unlock(&rdev->wiphy);
7792	return err;
7793}
7794
7795static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
7796{
7797	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7798	int err;
7799	struct net_device *dev = info->user_ptr[1];
7800	struct mpath_info pinfo;
7801	struct sk_buff *msg;
7802	u8 *dst = NULL;
7803	u8 next_hop[ETH_ALEN];
7804
7805	memset(&pinfo, 0, sizeof(pinfo));
7806
7807	if (!info->attrs[NL80211_ATTR_MAC])
7808		return -EINVAL;
7809
7810	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7811
7812	if (!rdev->ops->get_mpath)
7813		return -EOPNOTSUPP;
7814
7815	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7816		return -EOPNOTSUPP;
7817
7818	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
7819	if (err)
7820		return err;
7821
7822	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7823	if (!msg)
7824		return -ENOMEM;
7825
7826	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7827				 dev, dst, next_hop, &pinfo) < 0) {
7828		nlmsg_free(msg);
7829		return -ENOBUFS;
7830	}
7831
7832	return genlmsg_reply(msg, info);
7833}
7834
7835static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
7836{
7837	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7838	struct net_device *dev = info->user_ptr[1];
7839	u8 *dst = NULL;
7840	u8 *next_hop = NULL;
7841
7842	if (!info->attrs[NL80211_ATTR_MAC])
7843		return -EINVAL;
7844
7845	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7846		return -EINVAL;
7847
7848	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7849	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7850
7851	if (!rdev->ops->change_mpath)
7852		return -EOPNOTSUPP;
7853
7854	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7855		return -EOPNOTSUPP;
7856
7857	return rdev_change_mpath(rdev, dev, dst, next_hop);
7858}
7859
7860static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
7861{
7862	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7863	struct net_device *dev = info->user_ptr[1];
7864	u8 *dst = NULL;
7865	u8 *next_hop = NULL;
7866
7867	if (!info->attrs[NL80211_ATTR_MAC])
7868		return -EINVAL;
7869
7870	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7871		return -EINVAL;
7872
7873	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7874	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7875
7876	if (!rdev->ops->add_mpath)
7877		return -EOPNOTSUPP;
7878
7879	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7880		return -EOPNOTSUPP;
7881
7882	return rdev_add_mpath(rdev, dev, dst, next_hop);
7883}
7884
7885static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
7886{
7887	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7888	struct net_device *dev = info->user_ptr[1];
7889	u8 *dst = NULL;
7890
7891	if (info->attrs[NL80211_ATTR_MAC])
7892		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7893
7894	if (!rdev->ops->del_mpath)
7895		return -EOPNOTSUPP;
7896
7897	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7898		return -EOPNOTSUPP;
7899
7900	return rdev_del_mpath(rdev, dev, dst);
7901}
7902
7903static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
7904{
7905	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7906	int err;
7907	struct net_device *dev = info->user_ptr[1];
7908	struct mpath_info pinfo;
7909	struct sk_buff *msg;
7910	u8 *dst = NULL;
7911	u8 mpp[ETH_ALEN];
7912
7913	memset(&pinfo, 0, sizeof(pinfo));
7914
7915	if (!info->attrs[NL80211_ATTR_MAC])
7916		return -EINVAL;
7917
7918	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7919
7920	if (!rdev->ops->get_mpp)
7921		return -EOPNOTSUPP;
7922
7923	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7924		return -EOPNOTSUPP;
7925
7926	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
7927	if (err)
7928		return err;
7929
7930	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7931	if (!msg)
7932		return -ENOMEM;
7933
7934	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7935			       dev, dst, mpp, &pinfo) < 0) {
7936		nlmsg_free(msg);
7937		return -ENOBUFS;
7938	}
7939
7940	return genlmsg_reply(msg, info);
7941}
7942
7943static int nl80211_dump_mpp(struct sk_buff *skb,
7944			    struct netlink_callback *cb)
7945{
7946	struct mpath_info pinfo;
7947	struct cfg80211_registered_device *rdev;
7948	struct wireless_dev *wdev;
7949	u8 dst[ETH_ALEN];
7950	u8 mpp[ETH_ALEN];
7951	int path_idx = cb->args[2];
7952	int err;
7953
7954	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7955	if (err)
7956		return err;
7957	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7958	__acquire(&rdev->wiphy.mtx);
7959
7960	if (!rdev->ops->dump_mpp) {
7961		err = -EOPNOTSUPP;
7962		goto out_err;
7963	}
7964
7965	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7966		err = -EOPNOTSUPP;
7967		goto out_err;
7968	}
7969
7970	while (1) {
7971		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
7972				    mpp, &pinfo);
7973		if (err == -ENOENT)
7974			break;
7975		if (err)
7976			goto out_err;
7977
7978		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7979				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7980				       wdev->netdev, dst, mpp,
7981				       &pinfo) < 0)
7982			goto out;
7983
7984		path_idx++;
7985	}
7986
7987 out:
7988	cb->args[2] = path_idx;
7989	err = skb->len;
7990 out_err:
7991	wiphy_unlock(&rdev->wiphy);
7992	return err;
7993}
7994
7995static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
7996{
7997	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7998	struct net_device *dev = info->user_ptr[1];
7999	struct wireless_dev *wdev = dev->ieee80211_ptr;
8000	struct bss_parameters params;
8001	int err;
8002
8003	memset(&params, 0, sizeof(params));
8004	params.link_id = nl80211_link_id_or_invalid(info->attrs);
8005	/* default to not changing parameters */
8006	params.use_cts_prot = -1;
8007	params.use_short_preamble = -1;
8008	params.use_short_slot_time = -1;
8009	params.ap_isolate = -1;
8010	params.ht_opmode = -1;
8011	params.p2p_ctwindow = -1;
8012	params.p2p_opp_ps = -1;
8013
8014	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
8015		params.use_cts_prot =
8016		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
8017	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
8018		params.use_short_preamble =
8019		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
8020	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
8021		params.use_short_slot_time =
8022		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
8023	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
8024		params.basic_rates =
8025			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8026		params.basic_rates_len =
8027			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8028	}
8029	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
8030		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
8031	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
8032		params.ht_opmode =
8033			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
8034
8035	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
8036		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8037			return -EINVAL;
8038		params.p2p_ctwindow =
8039			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
8040		if (params.p2p_ctwindow != 0 &&
8041		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
8042			return -EINVAL;
8043	}
8044
8045	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
8046		u8 tmp;
8047
8048		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8049			return -EINVAL;
8050		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
8051		params.p2p_opp_ps = tmp;
8052		if (params.p2p_opp_ps &&
8053		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
8054			return -EINVAL;
8055	}
8056
8057	if (!rdev->ops->change_bss)
8058		return -EOPNOTSUPP;
8059
8060	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
8061	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8062		return -EOPNOTSUPP;
8063
8064	wdev_lock(wdev);
8065	err = rdev_change_bss(rdev, dev, &params);
8066	wdev_unlock(wdev);
8067
8068	return err;
8069}
8070
8071static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
8072{
8073	char *data = NULL;
8074	bool is_indoor;
8075	enum nl80211_user_reg_hint_type user_reg_hint_type;
8076	u32 owner_nlportid;
8077
8078	/*
8079	 * You should only get this when cfg80211 hasn't yet initialized
8080	 * completely when built-in to the kernel right between the time
8081	 * window between nl80211_init() and regulatory_init(), if that is
8082	 * even possible.
8083	 */
8084	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
8085		return -EINPROGRESS;
8086
8087	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
8088		user_reg_hint_type =
8089		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
8090	else
8091		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
8092
8093	switch (user_reg_hint_type) {
8094	case NL80211_USER_REG_HINT_USER:
8095	case NL80211_USER_REG_HINT_CELL_BASE:
8096		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8097			return -EINVAL;
8098
8099		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8100		return regulatory_hint_user(data, user_reg_hint_type);
8101	case NL80211_USER_REG_HINT_INDOOR:
8102		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
8103			owner_nlportid = info->snd_portid;
8104			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
8105		} else {
8106			owner_nlportid = 0;
8107			is_indoor = true;
8108		}
8109
8110		return regulatory_hint_indoor(is_indoor, owner_nlportid);
8111	default:
8112		return -EINVAL;
8113	}
8114}
8115
8116static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
8117{
8118	return reg_reload_regdb();
8119}
8120
8121static int nl80211_get_mesh_config(struct sk_buff *skb,
8122				   struct genl_info *info)
8123{
8124	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8125	struct net_device *dev = info->user_ptr[1];
8126	struct wireless_dev *wdev = dev->ieee80211_ptr;
8127	struct mesh_config cur_params;
8128	int err = 0;
8129	void *hdr;
8130	struct nlattr *pinfoattr;
8131	struct sk_buff *msg;
8132
8133	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8134		return -EOPNOTSUPP;
8135
8136	if (!rdev->ops->get_mesh_config)
8137		return -EOPNOTSUPP;
8138
8139	wdev_lock(wdev);
8140	/* If not connected, get default parameters */
8141	if (!wdev->u.mesh.id_len)
8142		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
8143	else
8144		err = rdev_get_mesh_config(rdev, dev, &cur_params);
8145	wdev_unlock(wdev);
8146
8147	if (err)
8148		return err;
8149
8150	/* Draw up a netlink message to send back */
8151	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8152	if (!msg)
8153		return -ENOMEM;
8154	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8155			     NL80211_CMD_GET_MESH_CONFIG);
8156	if (!hdr)
8157		goto out;
8158	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
8159	if (!pinfoattr)
8160		goto nla_put_failure;
8161	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
8162	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
8163			cur_params.dot11MeshRetryTimeout) ||
8164	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
8165			cur_params.dot11MeshConfirmTimeout) ||
8166	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
8167			cur_params.dot11MeshHoldingTimeout) ||
8168	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
8169			cur_params.dot11MeshMaxPeerLinks) ||
8170	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
8171		       cur_params.dot11MeshMaxRetries) ||
8172	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
8173		       cur_params.dot11MeshTTL) ||
8174	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
8175		       cur_params.element_ttl) ||
8176	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8177		       cur_params.auto_open_plinks) ||
8178	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8179			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
8180	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8181		       cur_params.dot11MeshHWMPmaxPREQretries) ||
8182	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
8183			cur_params.path_refresh_time) ||
8184	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8185			cur_params.min_discovery_timeout) ||
8186	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8187			cur_params.dot11MeshHWMPactivePathTimeout) ||
8188	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8189			cur_params.dot11MeshHWMPpreqMinInterval) ||
8190	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8191			cur_params.dot11MeshHWMPperrMinInterval) ||
8192	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8193			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
8194	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
8195		       cur_params.dot11MeshHWMPRootMode) ||
8196	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8197			cur_params.dot11MeshHWMPRannInterval) ||
8198	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8199		       cur_params.dot11MeshGateAnnouncementProtocol) ||
8200	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
8201		       cur_params.dot11MeshForwarding) ||
8202	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
8203			cur_params.rssi_threshold) ||
8204	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
8205			cur_params.ht_opmode) ||
8206	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8207			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
8208	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8209			cur_params.dot11MeshHWMProotInterval) ||
8210	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8211			cur_params.dot11MeshHWMPconfirmationInterval) ||
8212	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
8213			cur_params.power_mode) ||
8214	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
8215			cur_params.dot11MeshAwakeWindowDuration) ||
8216	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
8217			cur_params.plink_timeout) ||
8218	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
8219		       cur_params.dot11MeshConnectedToMeshGate) ||
8220	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
8221		       cur_params.dot11MeshNolearn) ||
8222	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
8223		       cur_params.dot11MeshConnectedToAuthServer))
8224		goto nla_put_failure;
8225	nla_nest_end(msg, pinfoattr);
8226	genlmsg_end(msg, hdr);
8227	return genlmsg_reply(msg, info);
8228
8229 nla_put_failure:
8230 out:
8231	nlmsg_free(msg);
8232	return -ENOBUFS;
8233}
8234
8235static const struct nla_policy
8236nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
8237	[NL80211_MESHCONF_RETRY_TIMEOUT] =
8238		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8239	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
8240		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8241	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
8242		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8243	[NL80211_MESHCONF_MAX_PEER_LINKS] =
8244		NLA_POLICY_RANGE(NLA_U16, 0, 255),
8245	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
8246	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8247	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8248	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
8249	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
8250		NLA_POLICY_RANGE(NLA_U32, 1, 255),
8251	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
8252	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
8253	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
8254	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
8255	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
8256		NLA_POLICY_MIN(NLA_U16, 1),
8257	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
8258		NLA_POLICY_MIN(NLA_U16, 1),
8259	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
8260		NLA_POLICY_MIN(NLA_U16, 1),
8261	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
8262	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
8263		NLA_POLICY_MIN(NLA_U16, 1),
8264	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
8265	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
8266	[NL80211_MESHCONF_RSSI_THRESHOLD] =
8267		NLA_POLICY_RANGE(NLA_S32, -255, 0),
8268	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
8269	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
8270	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
8271		NLA_POLICY_MIN(NLA_U16, 1),
8272	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
8273		NLA_POLICY_MIN(NLA_U16, 1),
8274	[NL80211_MESHCONF_POWER_MODE] =
8275		NLA_POLICY_RANGE(NLA_U32,
8276				 NL80211_MESH_POWER_ACTIVE,
8277				 NL80211_MESH_POWER_MAX),
8278	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
8279	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
8280	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8281	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8282	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8283};
8284
8285static const struct nla_policy
8286	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
8287	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
8288	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
8289	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
8290	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
8291	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
8292	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
8293	[NL80211_MESH_SETUP_IE] =
8294		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
8295				       IEEE80211_MAX_DATA_LEN),
8296	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
8297};
8298
8299static int nl80211_parse_mesh_config(struct genl_info *info,
8300				     struct mesh_config *cfg,
8301				     u32 *mask_out)
8302{
8303	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
8304	u32 mask = 0;
8305	u16 ht_opmode;
8306
8307#define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
8308do {									\
8309	if (tb[attr]) {							\
8310		cfg->param = fn(tb[attr]);				\
8311		mask |= BIT((attr) - 1);				\
8312	}								\
8313} while (0)
8314
8315	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
8316		return -EINVAL;
8317	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
8318		return -EINVAL;
8319
8320	/* This makes sure that there aren't more than 32 mesh config
8321	 * parameters (otherwise our bitfield scheme would not work.) */
8322	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
8323
8324	/* Fill in the params struct */
8325	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
8326				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
8327	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
8328				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
8329				  nla_get_u16);
8330	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
8331				  NL80211_MESHCONF_HOLDING_TIMEOUT,
8332				  nla_get_u16);
8333	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
8334				  NL80211_MESHCONF_MAX_PEER_LINKS,
8335				  nla_get_u16);
8336	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
8337				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
8338	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
8339				  NL80211_MESHCONF_TTL, nla_get_u8);
8340	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
8341				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
8342	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
8343				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8344				  nla_get_u8);
8345	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
8346				  mask,
8347				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8348				  nla_get_u32);
8349	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
8350				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8351				  nla_get_u8);
8352	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
8353				  NL80211_MESHCONF_PATH_REFRESH_TIME,
8354				  nla_get_u32);
8355	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
8356	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
8357		return -EINVAL;
8358	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
8359				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8360				  nla_get_u16);
8361	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
8362				  mask,
8363				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8364				  nla_get_u32);
8365	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
8366	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
8367	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
8368		return -EINVAL;
8369	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
8370				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8371				  nla_get_u16);
8372	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
8373				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8374				  nla_get_u16);
8375	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8376				  dot11MeshHWMPnetDiameterTraversalTime, mask,
8377				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8378				  nla_get_u16);
8379	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
8380				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
8381	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
8382				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8383				  nla_get_u16);
8384	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
8385				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8386				  nla_get_u8);
8387	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
8388				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
8389	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
8390				  NL80211_MESHCONF_RSSI_THRESHOLD,
8391				  nla_get_s32);
8392	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
8393				  NL80211_MESHCONF_CONNECTED_TO_GATE,
8394				  nla_get_u8);
8395	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
8396				  NL80211_MESHCONF_CONNECTED_TO_AS,
8397				  nla_get_u8);
8398	/*
8399	 * Check HT operation mode based on
8400	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
8401	 */
8402	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
8403		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
8404
8405		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
8406				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
8407				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
8408			return -EINVAL;
8409
8410		/* NON_HT_STA bit is reserved, but some programs set it */
8411		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
8412
8413		cfg->ht_opmode = ht_opmode;
8414		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
8415	}
8416	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8417				  dot11MeshHWMPactivePathToRootTimeout, mask,
8418				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8419				  nla_get_u32);
8420	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
8421	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
8422	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
8423		return -EINVAL;
8424	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
8425				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8426				  nla_get_u16);
8427	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
8428				  mask,
8429				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8430				  nla_get_u16);
8431	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
8432				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
8433	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
8434				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
8435	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
8436				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
8437	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
8438				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
8439	if (mask_out)
8440		*mask_out = mask;
8441
8442	return 0;
8443
8444#undef FILL_IN_MESH_PARAM_IF_SET
8445}
8446
8447static int nl80211_parse_mesh_setup(struct genl_info *info,
8448				     struct mesh_setup *setup)
8449{
8450	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8451	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
8452
8453	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
8454		return -EINVAL;
8455	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
8456		return -EINVAL;
8457
8458	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
8459		setup->sync_method =
8460		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
8461		 IEEE80211_SYNC_METHOD_VENDOR :
8462		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
8463
8464	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
8465		setup->path_sel_proto =
8466		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
8467		 IEEE80211_PATH_PROTOCOL_VENDOR :
8468		 IEEE80211_PATH_PROTOCOL_HWMP;
8469
8470	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
8471		setup->path_metric =
8472		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
8473		 IEEE80211_PATH_METRIC_VENDOR :
8474		 IEEE80211_PATH_METRIC_AIRTIME;
8475
8476	if (tb[NL80211_MESH_SETUP_IE]) {
8477		struct nlattr *ieattr =
8478			tb[NL80211_MESH_SETUP_IE];
8479		setup->ie = nla_data(ieattr);
8480		setup->ie_len = nla_len(ieattr);
8481	}
8482	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
8483	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
8484		return -EINVAL;
8485	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
8486	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
8487	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
8488	if (setup->is_secure)
8489		setup->user_mpm = true;
8490
8491	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
8492		if (!setup->user_mpm)
8493			return -EINVAL;
8494		setup->auth_id =
8495			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
8496	}
8497
8498	return 0;
8499}
8500
8501static int nl80211_update_mesh_config(struct sk_buff *skb,
8502				      struct genl_info *info)
8503{
8504	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8505	struct net_device *dev = info->user_ptr[1];
8506	struct wireless_dev *wdev = dev->ieee80211_ptr;
8507	struct mesh_config cfg = {};
8508	u32 mask;
8509	int err;
8510
8511	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8512		return -EOPNOTSUPP;
8513
8514	if (!rdev->ops->update_mesh_config)
8515		return -EOPNOTSUPP;
8516
8517	err = nl80211_parse_mesh_config(info, &cfg, &mask);
8518	if (err)
8519		return err;
8520
8521	wdev_lock(wdev);
8522	if (!wdev->u.mesh.id_len)
8523		err = -ENOLINK;
8524
8525	if (!err)
8526		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
8527
8528	wdev_unlock(wdev);
8529
8530	return err;
8531}
8532
8533static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
8534			      struct sk_buff *msg)
8535{
8536	struct nlattr *nl_reg_rules;
8537	unsigned int i;
8538
8539	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
8540	    (regdom->dfs_region &&
8541	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
8542		goto nla_put_failure;
8543
8544	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
8545	if (!nl_reg_rules)
8546		goto nla_put_failure;
8547
8548	for (i = 0; i < regdom->n_reg_rules; i++) {
8549		struct nlattr *nl_reg_rule;
8550		const struct ieee80211_reg_rule *reg_rule;
8551		const struct ieee80211_freq_range *freq_range;
8552		const struct ieee80211_power_rule *power_rule;
8553		unsigned int max_bandwidth_khz;
8554
8555		reg_rule = &regdom->reg_rules[i];
8556		freq_range = &reg_rule->freq_range;
8557		power_rule = &reg_rule->power_rule;
8558
8559		nl_reg_rule = nla_nest_start_noflag(msg, i);
8560		if (!nl_reg_rule)
8561			goto nla_put_failure;
8562
8563		max_bandwidth_khz = freq_range->max_bandwidth_khz;
8564		if (!max_bandwidth_khz)
8565			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
8566								  reg_rule);
8567
8568		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
8569				reg_rule->flags) ||
8570		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
8571				freq_range->start_freq_khz) ||
8572		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
8573				freq_range->end_freq_khz) ||
8574		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
8575				max_bandwidth_khz) ||
8576		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
8577				power_rule->max_antenna_gain) ||
8578		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
8579				power_rule->max_eirp) ||
8580		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
8581				reg_rule->dfs_cac_ms))
8582			goto nla_put_failure;
8583
8584		nla_nest_end(msg, nl_reg_rule);
8585	}
8586
8587	nla_nest_end(msg, nl_reg_rules);
8588	return 0;
8589
8590nla_put_failure:
8591	return -EMSGSIZE;
8592}
8593
8594static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
8595{
8596	const struct ieee80211_regdomain *regdom = NULL;
8597	struct cfg80211_registered_device *rdev;
8598	struct wiphy *wiphy = NULL;
8599	struct sk_buff *msg;
8600	int err = -EMSGSIZE;
8601	void *hdr;
8602
8603	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8604	if (!msg)
8605		return -ENOBUFS;
8606
8607	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8608			     NL80211_CMD_GET_REG);
8609	if (!hdr)
8610		goto put_failure;
8611
8612	rtnl_lock();
8613
8614	if (info->attrs[NL80211_ATTR_WIPHY]) {
8615		bool self_managed;
8616
8617		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
8618		if (IS_ERR(rdev)) {
8619			err = PTR_ERR(rdev);
8620			goto nla_put_failure;
8621		}
8622
8623		wiphy = &rdev->wiphy;
8624		self_managed = wiphy->regulatory_flags &
8625			       REGULATORY_WIPHY_SELF_MANAGED;
8626
8627		rcu_read_lock();
8628
8629		regdom = get_wiphy_regdom(wiphy);
8630
8631		/* a self-managed-reg device must have a private regdom */
8632		if (WARN_ON(!regdom && self_managed)) {
8633			err = -EINVAL;
8634			goto nla_put_failure_rcu;
8635		}
8636
8637		if (regdom &&
8638		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8639			goto nla_put_failure_rcu;
8640	} else {
8641		rcu_read_lock();
8642	}
8643
8644	if (!wiphy && reg_last_request_cell_base() &&
8645	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8646			NL80211_USER_REG_HINT_CELL_BASE))
8647		goto nla_put_failure_rcu;
8648
8649	if (!regdom)
8650		regdom = rcu_dereference(cfg80211_regdomain);
8651
8652	if (nl80211_put_regdom(regdom, msg))
8653		goto nla_put_failure_rcu;
8654
8655	rcu_read_unlock();
8656
8657	genlmsg_end(msg, hdr);
8658	rtnl_unlock();
8659	return genlmsg_reply(msg, info);
8660
8661nla_put_failure_rcu:
8662	rcu_read_unlock();
8663nla_put_failure:
8664	rtnl_unlock();
8665put_failure:
8666	nlmsg_free(msg);
8667	return err;
8668}
8669
8670static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
8671			       u32 seq, int flags, struct wiphy *wiphy,
8672			       const struct ieee80211_regdomain *regdom)
8673{
8674	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8675				   NL80211_CMD_GET_REG);
8676
8677	if (!hdr)
8678		return -1;
8679
8680	genl_dump_check_consistent(cb, hdr);
8681
8682	if (nl80211_put_regdom(regdom, msg))
8683		goto nla_put_failure;
8684
8685	if (!wiphy && reg_last_request_cell_base() &&
8686	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8687			NL80211_USER_REG_HINT_CELL_BASE))
8688		goto nla_put_failure;
8689
8690	if (wiphy &&
8691	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8692		goto nla_put_failure;
8693
8694	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
8695	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
8696		goto nla_put_failure;
8697
8698	genlmsg_end(msg, hdr);
8699	return 0;
8700
8701nla_put_failure:
8702	genlmsg_cancel(msg, hdr);
8703	return -EMSGSIZE;
8704}
8705
8706static int nl80211_get_reg_dump(struct sk_buff *skb,
8707				struct netlink_callback *cb)
8708{
8709	const struct ieee80211_regdomain *regdom = NULL;
8710	struct cfg80211_registered_device *rdev;
8711	int err, reg_idx, start = cb->args[2];
8712
8713	rcu_read_lock();
8714
8715	if (cfg80211_regdomain && start == 0) {
8716		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8717					  NLM_F_MULTI, NULL,
8718					  rcu_dereference(cfg80211_regdomain));
8719		if (err < 0)
8720			goto out_err;
8721	}
8722
8723	/* the global regdom is idx 0 */
8724	reg_idx = 1;
8725	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
8726		regdom = get_wiphy_regdom(&rdev->wiphy);
8727		if (!regdom)
8728			continue;
8729
8730		if (++reg_idx <= start)
8731			continue;
8732
8733		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8734					  NLM_F_MULTI, &rdev->wiphy, regdom);
8735		if (err < 0) {
8736			reg_idx--;
8737			break;
8738		}
8739	}
8740
8741	cb->args[2] = reg_idx;
8742	err = skb->len;
8743out_err:
8744	rcu_read_unlock();
8745	return err;
8746}
8747
8748#ifdef CONFIG_CFG80211_CRDA_SUPPORT
8749static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
8750	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
8751	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
8752	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
8753	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
8754	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
8755	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
8756	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
8757};
8758
8759static int parse_reg_rule(struct nlattr *tb[],
8760	struct ieee80211_reg_rule *reg_rule)
8761{
8762	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
8763	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
8764
8765	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
8766		return -EINVAL;
8767	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
8768		return -EINVAL;
8769	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
8770		return -EINVAL;
8771	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
8772		return -EINVAL;
8773	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
8774		return -EINVAL;
8775
8776	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
8777
8778	freq_range->start_freq_khz =
8779		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
8780	freq_range->end_freq_khz =
8781		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
8782	freq_range->max_bandwidth_khz =
8783		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
8784
8785	power_rule->max_eirp =
8786		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
8787
8788	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
8789		power_rule->max_antenna_gain =
8790			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
8791
8792	if (tb[NL80211_ATTR_DFS_CAC_TIME])
8793		reg_rule->dfs_cac_ms =
8794			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
8795
8796	return 0;
8797}
8798
8799static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
8800{
8801	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
8802	struct nlattr *nl_reg_rule;
8803	char *alpha2;
8804	int rem_reg_rules, r;
8805	u32 num_rules = 0, rule_idx = 0;
8806	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
8807	struct ieee80211_regdomain *rd;
8808
8809	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8810		return -EINVAL;
8811
8812	if (!info->attrs[NL80211_ATTR_REG_RULES])
8813		return -EINVAL;
8814
8815	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8816
8817	if (info->attrs[NL80211_ATTR_DFS_REGION])
8818		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
8819
8820	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8821			    rem_reg_rules) {
8822		num_rules++;
8823		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
8824			return -EINVAL;
8825	}
8826
8827	rtnl_lock();
8828	if (!reg_is_valid_request(alpha2)) {
8829		r = -EINVAL;
8830		goto out;
8831	}
8832
8833	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
8834	if (!rd) {
8835		r = -ENOMEM;
8836		goto out;
8837	}
8838
8839	rd->n_reg_rules = num_rules;
8840	rd->alpha2[0] = alpha2[0];
8841	rd->alpha2[1] = alpha2[1];
8842
8843	/*
8844	 * Disable DFS master mode if the DFS region was
8845	 * not supported or known on this kernel.
8846	 */
8847	if (reg_supported_dfs_region(dfs_region))
8848		rd->dfs_region = dfs_region;
8849
8850	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8851			    rem_reg_rules) {
8852		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
8853						nl_reg_rule, reg_rule_policy,
8854						info->extack);
8855		if (r)
8856			goto bad_reg;
8857		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
8858		if (r)
8859			goto bad_reg;
8860
8861		rule_idx++;
8862
8863		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
8864			r = -EINVAL;
8865			goto bad_reg;
8866		}
8867	}
8868
8869	r = set_regdom(rd, REGD_SOURCE_CRDA);
8870	/* set_regdom takes ownership of rd */
8871	rd = NULL;
8872 bad_reg:
8873	kfree(rd);
8874 out:
8875	rtnl_unlock();
8876	return r;
8877}
8878#endif /* CONFIG_CFG80211_CRDA_SUPPORT */
8879
8880static int validate_scan_freqs(struct nlattr *freqs)
8881{
8882	struct nlattr *attr1, *attr2;
8883	int n_channels = 0, tmp1, tmp2;
8884
8885	nla_for_each_nested(attr1, freqs, tmp1)
8886		if (nla_len(attr1) != sizeof(u32))
8887			return 0;
8888
8889	nla_for_each_nested(attr1, freqs, tmp1) {
8890		n_channels++;
8891		/*
8892		 * Some hardware has a limited channel list for
8893		 * scanning, and it is pretty much nonsensical
8894		 * to scan for a channel twice, so disallow that
8895		 * and don't require drivers to check that the
8896		 * channel list they get isn't longer than what
8897		 * they can scan, as long as they can scan all
8898		 * the channels they registered at once.
8899		 */
8900		nla_for_each_nested(attr2, freqs, tmp2)
8901			if (attr1 != attr2 &&
8902			    nla_get_u32(attr1) == nla_get_u32(attr2))
8903				return 0;
8904	}
8905
8906	return n_channels;
8907}
8908
8909static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
8910{
8911	return b < NUM_NL80211_BANDS && wiphy->bands[b];
8912}
8913
8914static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
8915			    struct cfg80211_bss_selection *bss_select)
8916{
8917	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
8918	struct nlattr *nest;
8919	int err;
8920	bool found = false;
8921	int i;
8922
8923	/* only process one nested attribute */
8924	nest = nla_data(nla);
8925	if (!nla_ok(nest, nla_len(nest)))
8926		return -EINVAL;
8927
8928	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
8929					  nest, nl80211_bss_select_policy,
8930					  NULL);
8931	if (err)
8932		return err;
8933
8934	/* only one attribute may be given */
8935	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
8936		if (attr[i]) {
8937			if (found)
8938				return -EINVAL;
8939			found = true;
8940		}
8941	}
8942
8943	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
8944
8945	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
8946		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
8947
8948	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
8949		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
8950		bss_select->param.band_pref =
8951			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
8952		if (!is_band_valid(wiphy, bss_select->param.band_pref))
8953			return -EINVAL;
8954	}
8955
8956	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
8957		struct nl80211_bss_select_rssi_adjust *adj_param;
8958
8959		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
8960		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
8961		bss_select->param.adjust.band = adj_param->band;
8962		bss_select->param.adjust.delta = adj_param->delta;
8963		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
8964			return -EINVAL;
8965	}
8966
8967	/* user-space did not provide behaviour attribute */
8968	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
8969		return -EINVAL;
8970
8971	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
8972		return -EINVAL;
8973
8974	return 0;
8975}
8976
8977int nl80211_parse_random_mac(struct nlattr **attrs,
8978			     u8 *mac_addr, u8 *mac_addr_mask)
8979{
8980	int i;
8981
8982	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
8983		eth_zero_addr(mac_addr);
8984		eth_zero_addr(mac_addr_mask);
8985		mac_addr[0] = 0x2;
8986		mac_addr_mask[0] = 0x3;
8987
8988		return 0;
8989	}
8990
8991	/* need both or none */
8992	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
8993		return -EINVAL;
8994
8995	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
8996	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
8997
8998	/* don't allow or configure an mcast address */
8999	if (!is_multicast_ether_addr(mac_addr_mask) ||
9000	    is_multicast_ether_addr(mac_addr))
9001		return -EINVAL;
9002
9003	/*
9004	 * allow users to pass a MAC address that has bits set outside
9005	 * of the mask, but don't bother drivers with having to deal
9006	 * with such bits
9007	 */
9008	for (i = 0; i < ETH_ALEN; i++)
9009		mac_addr[i] &= mac_addr_mask[i];
9010
9011	return 0;
9012}
9013
9014static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
9015					      struct ieee80211_channel *chan)
9016{
9017	unsigned int link_id;
9018	bool all_ok = true;
9019
9020	ASSERT_WDEV_LOCK(wdev);
9021
9022	if (!cfg80211_beaconing_iface_active(wdev))
9023		return true;
9024
9025	/*
9026	 * FIXME: check if we have a free HW resource/link for chan
9027	 *
9028	 * This, as well as the FIXME below, requires knowing the link
9029	 * capabilities of the hardware.
9030	 */
9031
9032	/* we cannot leave radar channels */
9033	for_each_valid_link(wdev, link_id) {
9034		struct cfg80211_chan_def *chandef;
9035
9036		chandef = wdev_chandef(wdev, link_id);
9037		if (!chandef || !chandef->chan)
9038			continue;
9039
9040		/*
9041		 * FIXME: don't require all_ok, but rather check only the
9042		 *	  correct HW resource/link onto which 'chan' falls,
9043		 *	  as only that link leaves the channel for doing
9044		 *	  the off-channel operation.
9045		 */
9046
9047		if (chandef->chan->flags & IEEE80211_CHAN_RADAR)
9048			all_ok = false;
9049	}
9050
9051	if (all_ok)
9052		return true;
9053
9054	return regulatory_pre_cac_allowed(wdev->wiphy);
9055}
9056
9057static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
9058				    enum nl80211_ext_feature_index feat)
9059{
9060	if (!(flags & flag))
9061		return true;
9062	if (wiphy_ext_feature_isset(wiphy, feat))
9063		return true;
9064	return false;
9065}
9066
9067static int
9068nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
9069			 void *request, struct nlattr **attrs,
9070			 bool is_sched_scan)
9071{
9072	u8 *mac_addr, *mac_addr_mask;
9073	u32 *flags;
9074	enum nl80211_feature_flags randomness_flag;
9075
9076	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
9077		return 0;
9078
9079	if (is_sched_scan) {
9080		struct cfg80211_sched_scan_request *req = request;
9081
9082		randomness_flag = wdev ?
9083				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
9084				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
9085		flags = &req->flags;
9086		mac_addr = req->mac_addr;
9087		mac_addr_mask = req->mac_addr_mask;
9088	} else {
9089		struct cfg80211_scan_request *req = request;
9090
9091		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
9092		flags = &req->flags;
9093		mac_addr = req->mac_addr;
9094		mac_addr_mask = req->mac_addr_mask;
9095	}
9096
9097	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
9098
9099	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
9100	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
9101	    !nl80211_check_scan_feat(wiphy, *flags,
9102				     NL80211_SCAN_FLAG_LOW_SPAN,
9103				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
9104	    !nl80211_check_scan_feat(wiphy, *flags,
9105				     NL80211_SCAN_FLAG_LOW_POWER,
9106				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
9107	    !nl80211_check_scan_feat(wiphy, *flags,
9108				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
9109				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
9110	    !nl80211_check_scan_feat(wiphy, *flags,
9111				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
9112				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
9113	    !nl80211_check_scan_feat(wiphy, *flags,
9114				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
9115				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
9116	    !nl80211_check_scan_feat(wiphy, *flags,
9117				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
9118				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
9119	    !nl80211_check_scan_feat(wiphy, *flags,
9120				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
9121				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
9122	    !nl80211_check_scan_feat(wiphy, *flags,
9123				     NL80211_SCAN_FLAG_RANDOM_SN,
9124				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
9125	    !nl80211_check_scan_feat(wiphy, *flags,
9126				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
9127				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
9128		return -EOPNOTSUPP;
9129
9130	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
9131		int err;
9132
9133		if (!(wiphy->features & randomness_flag) ||
9134		    (wdev && wdev->connected))
9135			return -EOPNOTSUPP;
9136
9137		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
9138		if (err)
9139			return err;
9140	}
9141
9142	return 0;
9143}
9144
9145static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
9146{
9147	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9148	struct wireless_dev *wdev = info->user_ptr[1];
9149	struct cfg80211_scan_request *request;
9150	struct nlattr *scan_freqs = NULL;
9151	bool scan_freqs_khz = false;
9152	struct nlattr *attr;
9153	struct wiphy *wiphy;
9154	int err, tmp, n_ssids = 0, n_channels, i;
9155	size_t ie_len, size;
9156
9157	wiphy = &rdev->wiphy;
9158
9159	if (wdev->iftype == NL80211_IFTYPE_NAN)
9160		return -EOPNOTSUPP;
9161
9162	if (!rdev->ops->scan)
9163		return -EOPNOTSUPP;
9164
9165	if (rdev->scan_req || rdev->scan_msg)
9166		return -EBUSY;
9167
9168	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
9169		if (!wiphy_ext_feature_isset(wiphy,
9170					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
9171			return -EOPNOTSUPP;
9172		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
9173		scan_freqs_khz = true;
9174	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
9175		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
9176
9177	if (scan_freqs) {
9178		n_channels = validate_scan_freqs(scan_freqs);
9179		if (!n_channels)
9180			return -EINVAL;
9181	} else {
9182		n_channels = ieee80211_get_num_supported_channels(wiphy);
9183	}
9184
9185	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
9186		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
9187			n_ssids++;
9188
9189	if (n_ssids > wiphy->max_scan_ssids)
9190		return -EINVAL;
9191
9192	if (info->attrs[NL80211_ATTR_IE])
9193		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9194	else
9195		ie_len = 0;
9196
9197	if (ie_len > wiphy->max_scan_ie_len)
9198		return -EINVAL;
9199
9200	size = struct_size(request, channels, n_channels);
9201	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9202	size = size_add(size, ie_len);
9203	request = kzalloc(size, GFP_KERNEL);
9204	if (!request)
9205		return -ENOMEM;
9206
9207	if (n_ssids)
9208		request->ssids = (void *)&request->channels[n_channels];
9209	request->n_ssids = n_ssids;
9210	if (ie_len) {
9211		if (n_ssids)
9212			request->ie = (void *)(request->ssids + n_ssids);
9213		else
9214			request->ie = (void *)(request->channels + n_channels);
9215	}
9216
9217	i = 0;
9218	if (scan_freqs) {
9219		/* user specified, bail out if channel not found */
9220		nla_for_each_nested(attr, scan_freqs, tmp) {
9221			struct ieee80211_channel *chan;
9222			int freq = nla_get_u32(attr);
9223
9224			if (!scan_freqs_khz)
9225				freq = MHZ_TO_KHZ(freq);
9226
9227			chan = ieee80211_get_channel_khz(wiphy, freq);
9228			if (!chan) {
9229				err = -EINVAL;
9230				goto out_free;
9231			}
9232
9233			/* ignore disabled channels */
9234			if (chan->flags & IEEE80211_CHAN_DISABLED)
9235				continue;
9236
9237			request->channels[i] = chan;
9238			i++;
9239		}
9240	} else {
9241		enum nl80211_band band;
9242
9243		/* all channels */
9244		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9245			int j;
9246
9247			if (!wiphy->bands[band])
9248				continue;
9249			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9250				struct ieee80211_channel *chan;
9251
9252				chan = &wiphy->bands[band]->channels[j];
9253
9254				if (chan->flags & IEEE80211_CHAN_DISABLED)
9255					continue;
9256
9257				request->channels[i] = chan;
9258				i++;
9259			}
9260		}
9261	}
9262
9263	if (!i) {
9264		err = -EINVAL;
9265		goto out_free;
9266	}
9267
9268	request->n_channels = i;
9269
9270	wdev_lock(wdev);
9271	for (i = 0; i < request->n_channels; i++) {
9272		struct ieee80211_channel *chan = request->channels[i];
9273
9274		/* if we can go off-channel to the target channel we're good */
9275		if (cfg80211_off_channel_oper_allowed(wdev, chan))
9276			continue;
9277
9278		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
9279			wdev_unlock(wdev);
9280			err = -EBUSY;
9281			goto out_free;
9282		}
9283	}
9284	wdev_unlock(wdev);
9285
9286	i = 0;
9287	if (n_ssids) {
9288		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
9289			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9290				err = -EINVAL;
9291				goto out_free;
9292			}
9293			request->ssids[i].ssid_len = nla_len(attr);
9294			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
9295			i++;
9296		}
9297	}
9298
9299	if (info->attrs[NL80211_ATTR_IE]) {
9300		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9301		memcpy((void *)request->ie,
9302		       nla_data(info->attrs[NL80211_ATTR_IE]),
9303		       request->ie_len);
9304	}
9305
9306	for (i = 0; i < NUM_NL80211_BANDS; i++)
9307		if (wiphy->bands[i])
9308			request->rates[i] =
9309				(1 << wiphy->bands[i]->n_bitrates) - 1;
9310
9311	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
9312		nla_for_each_nested(attr,
9313				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
9314				    tmp) {
9315			enum nl80211_band band = nla_type(attr);
9316
9317			if (band < 0 || band >= NUM_NL80211_BANDS) {
9318				err = -EINVAL;
9319				goto out_free;
9320			}
9321
9322			if (!wiphy->bands[band])
9323				continue;
9324
9325			err = ieee80211_get_ratemask(wiphy->bands[band],
9326						     nla_data(attr),
9327						     nla_len(attr),
9328						     &request->rates[band]);
9329			if (err)
9330				goto out_free;
9331		}
9332	}
9333
9334	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
9335		request->duration =
9336			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
9337		request->duration_mandatory =
9338			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
9339	}
9340
9341	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
9342				       false);
9343	if (err)
9344		goto out_free;
9345
9346	request->no_cck =
9347		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
9348
9349	/* Initial implementation used NL80211_ATTR_MAC to set the specific
9350	 * BSSID to scan for. This was problematic because that same attribute
9351	 * was already used for another purpose (local random MAC address). The
9352	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
9353	 * compatibility with older userspace components, also use the
9354	 * NL80211_ATTR_MAC value here if it can be determined to be used for
9355	 * the specific BSSID use case instead of the random MAC address
9356	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
9357	 */
9358	if (info->attrs[NL80211_ATTR_BSSID])
9359		memcpy(request->bssid,
9360		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
9361	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
9362		 info->attrs[NL80211_ATTR_MAC])
9363		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
9364		       ETH_ALEN);
9365	else
9366		eth_broadcast_addr(request->bssid);
9367
9368	request->wdev = wdev;
9369	request->wiphy = &rdev->wiphy;
9370	request->scan_start = jiffies;
9371
9372	rdev->scan_req = request;
9373	err = cfg80211_scan(rdev);
9374
9375	if (err)
9376		goto out_free;
9377
9378	nl80211_send_scan_start(rdev, wdev);
9379	dev_hold(wdev->netdev);
9380
9381	return 0;
9382
9383 out_free:
9384	rdev->scan_req = NULL;
9385	kfree(request);
9386
9387	return err;
9388}
9389
9390static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
9391{
9392	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9393	struct wireless_dev *wdev = info->user_ptr[1];
9394
9395	if (!rdev->ops->abort_scan)
9396		return -EOPNOTSUPP;
9397
9398	if (rdev->scan_msg)
9399		return 0;
9400
9401	if (!rdev->scan_req)
9402		return -ENOENT;
9403
9404	rdev_abort_scan(rdev, wdev);
9405	return 0;
9406}
9407
9408static int
9409nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
9410			       struct cfg80211_sched_scan_request *request,
9411			       struct nlattr **attrs)
9412{
9413	int tmp, err, i = 0;
9414	struct nlattr *attr;
9415
9416	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9417		u32 interval;
9418
9419		/*
9420		 * If scan plans are not specified,
9421		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
9422		 * case one scan plan will be set with the specified scan
9423		 * interval and infinite number of iterations.
9424		 */
9425		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
9426		if (!interval)
9427			return -EINVAL;
9428
9429		request->scan_plans[0].interval =
9430			DIV_ROUND_UP(interval, MSEC_PER_SEC);
9431		if (!request->scan_plans[0].interval)
9432			return -EINVAL;
9433
9434		if (request->scan_plans[0].interval >
9435		    wiphy->max_sched_scan_plan_interval)
9436			request->scan_plans[0].interval =
9437				wiphy->max_sched_scan_plan_interval;
9438
9439		return 0;
9440	}
9441
9442	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
9443		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
9444
9445		if (WARN_ON(i >= n_plans))
9446			return -EINVAL;
9447
9448		err = nla_parse_nested_deprecated(plan,
9449						  NL80211_SCHED_SCAN_PLAN_MAX,
9450						  attr, nl80211_plan_policy,
9451						  NULL);
9452		if (err)
9453			return err;
9454
9455		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
9456			return -EINVAL;
9457
9458		request->scan_plans[i].interval =
9459			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
9460		if (!request->scan_plans[i].interval ||
9461		    request->scan_plans[i].interval >
9462		    wiphy->max_sched_scan_plan_interval)
9463			return -EINVAL;
9464
9465		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
9466			request->scan_plans[i].iterations =
9467				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
9468			if (!request->scan_plans[i].iterations ||
9469			    (request->scan_plans[i].iterations >
9470			     wiphy->max_sched_scan_plan_iterations))
9471				return -EINVAL;
9472		} else if (i < n_plans - 1) {
9473			/*
9474			 * All scan plans but the last one must specify
9475			 * a finite number of iterations
9476			 */
9477			return -EINVAL;
9478		}
9479
9480		i++;
9481	}
9482
9483	/*
9484	 * The last scan plan must not specify the number of
9485	 * iterations, it is supposed to run infinitely
9486	 */
9487	if (request->scan_plans[n_plans - 1].iterations)
9488		return  -EINVAL;
9489
9490	return 0;
9491}
9492
9493static int
9494nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
9495				       struct cfg80211_match_set *match_sets,
9496				       struct nlattr *tb_band_rssi,
9497				       s32 rssi_thold)
9498{
9499	struct nlattr *attr;
9500	int i, tmp, ret = 0;
9501
9502	if (!wiphy_ext_feature_isset(wiphy,
9503		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
9504		if (tb_band_rssi)
9505			ret = -EOPNOTSUPP;
9506		else
9507			for (i = 0; i < NUM_NL80211_BANDS; i++)
9508				match_sets->per_band_rssi_thold[i] =
9509					NL80211_SCAN_RSSI_THOLD_OFF;
9510		return ret;
9511	}
9512
9513	for (i = 0; i < NUM_NL80211_BANDS; i++)
9514		match_sets->per_band_rssi_thold[i] = rssi_thold;
9515
9516	nla_for_each_nested(attr, tb_band_rssi, tmp) {
9517		enum nl80211_band band = nla_type(attr);
9518
9519		if (band < 0 || band >= NUM_NL80211_BANDS)
9520			return -EINVAL;
9521
9522		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
9523	}
9524
9525	return 0;
9526}
9527
9528static struct cfg80211_sched_scan_request *
9529nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
9530			 struct nlattr **attrs, int max_match_sets)
9531{
9532	struct cfg80211_sched_scan_request *request;
9533	struct nlattr *attr;
9534	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
9535	enum nl80211_band band;
9536	size_t ie_len, size;
9537	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
9538	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
9539
9540	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9541		n_channels = validate_scan_freqs(
9542				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
9543		if (!n_channels)
9544			return ERR_PTR(-EINVAL);
9545	} else {
9546		n_channels = ieee80211_get_num_supported_channels(wiphy);
9547	}
9548
9549	if (attrs[NL80211_ATTR_SCAN_SSIDS])
9550		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9551				    tmp)
9552			n_ssids++;
9553
9554	if (n_ssids > wiphy->max_sched_scan_ssids)
9555		return ERR_PTR(-EINVAL);
9556
9557	/*
9558	 * First, count the number of 'real' matchsets. Due to an issue with
9559	 * the old implementation, matchsets containing only the RSSI attribute
9560	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
9561	 * RSSI for all matchsets, rather than their own matchset for reporting
9562	 * all APs with a strong RSSI. This is needed to be compatible with
9563	 * older userspace that treated a matchset with only the RSSI as the
9564	 * global RSSI for all other matchsets - if there are other matchsets.
9565	 */
9566	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9567		nla_for_each_nested(attr,
9568				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9569				    tmp) {
9570			struct nlattr *rssi;
9571
9572			err = nla_parse_nested_deprecated(tb,
9573							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9574							  attr,
9575							  nl80211_match_policy,
9576							  NULL);
9577			if (err)
9578				return ERR_PTR(err);
9579
9580			/* SSID and BSSID are mutually exclusive */
9581			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
9582			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
9583				return ERR_PTR(-EINVAL);
9584
9585			/* add other standalone attributes here */
9586			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
9587			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
9588				n_match_sets++;
9589				continue;
9590			}
9591			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9592			if (rssi)
9593				default_match_rssi = nla_get_s32(rssi);
9594		}
9595	}
9596
9597	/* However, if there's no other matchset, add the RSSI one */
9598	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
9599		n_match_sets = 1;
9600
9601	if (n_match_sets > max_match_sets)
9602		return ERR_PTR(-EINVAL);
9603
9604	if (attrs[NL80211_ATTR_IE])
9605		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
9606	else
9607		ie_len = 0;
9608
9609	if (ie_len > wiphy->max_sched_scan_ie_len)
9610		return ERR_PTR(-EINVAL);
9611
9612	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9613		/*
9614		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
9615		 * each scan plan already specifies its own interval
9616		 */
9617		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9618			return ERR_PTR(-EINVAL);
9619
9620		nla_for_each_nested(attr,
9621				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
9622			n_plans++;
9623	} else {
9624		/*
9625		 * The scan interval attribute is kept for backward
9626		 * compatibility. If no scan plans are specified and sched scan
9627		 * interval is specified, one scan plan will be set with this
9628		 * scan interval and infinite number of iterations.
9629		 */
9630		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9631			return ERR_PTR(-EINVAL);
9632
9633		n_plans = 1;
9634	}
9635
9636	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
9637		return ERR_PTR(-EINVAL);
9638
9639	if (!wiphy_ext_feature_isset(
9640		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
9641	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
9642	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
9643		return ERR_PTR(-EINVAL);
9644
9645	size = struct_size(request, channels, n_channels);
9646	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9647	size = size_add(size, array_size(sizeof(*request->match_sets),
9648					 n_match_sets));
9649	size = size_add(size, array_size(sizeof(*request->scan_plans),
9650					 n_plans));
9651	size = size_add(size, ie_len);
9652	request = kzalloc(size, GFP_KERNEL);
9653	if (!request)
9654		return ERR_PTR(-ENOMEM);
9655
9656	if (n_ssids)
9657		request->ssids = (void *)&request->channels[n_channels];
9658	request->n_ssids = n_ssids;
9659	if (ie_len) {
9660		if (n_ssids)
9661			request->ie = (void *)(request->ssids + n_ssids);
9662		else
9663			request->ie = (void *)(request->channels + n_channels);
9664	}
9665
9666	if (n_match_sets) {
9667		if (request->ie)
9668			request->match_sets = (void *)(request->ie + ie_len);
9669		else if (n_ssids)
9670			request->match_sets =
9671				(void *)(request->ssids + n_ssids);
9672		else
9673			request->match_sets =
9674				(void *)(request->channels + n_channels);
9675	}
9676	request->n_match_sets = n_match_sets;
9677
9678	if (n_match_sets)
9679		request->scan_plans = (void *)(request->match_sets +
9680					       n_match_sets);
9681	else if (request->ie)
9682		request->scan_plans = (void *)(request->ie + ie_len);
9683	else if (n_ssids)
9684		request->scan_plans = (void *)(request->ssids + n_ssids);
9685	else
9686		request->scan_plans = (void *)(request->channels + n_channels);
9687
9688	request->n_scan_plans = n_plans;
9689
9690	i = 0;
9691	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9692		/* user specified, bail out if channel not found */
9693		nla_for_each_nested(attr,
9694				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
9695				    tmp) {
9696			struct ieee80211_channel *chan;
9697
9698			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
9699
9700			if (!chan) {
9701				err = -EINVAL;
9702				goto out_free;
9703			}
9704
9705			/* ignore disabled channels */
9706			if (chan->flags & IEEE80211_CHAN_DISABLED)
9707				continue;
9708
9709			request->channels[i] = chan;
9710			i++;
9711		}
9712	} else {
9713		/* all channels */
9714		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9715			int j;
9716
9717			if (!wiphy->bands[band])
9718				continue;
9719			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9720				struct ieee80211_channel *chan;
9721
9722				chan = &wiphy->bands[band]->channels[j];
9723
9724				if (chan->flags & IEEE80211_CHAN_DISABLED)
9725					continue;
9726
9727				request->channels[i] = chan;
9728				i++;
9729			}
9730		}
9731	}
9732
9733	if (!i) {
9734		err = -EINVAL;
9735		goto out_free;
9736	}
9737
9738	request->n_channels = i;
9739
9740	i = 0;
9741	if (n_ssids) {
9742		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9743				    tmp) {
9744			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9745				err = -EINVAL;
9746				goto out_free;
9747			}
9748			request->ssids[i].ssid_len = nla_len(attr);
9749			memcpy(request->ssids[i].ssid, nla_data(attr),
9750			       nla_len(attr));
9751			i++;
9752		}
9753	}
9754
9755	i = 0;
9756	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9757		nla_for_each_nested(attr,
9758				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9759				    tmp) {
9760			struct nlattr *ssid, *bssid, *rssi;
9761
9762			err = nla_parse_nested_deprecated(tb,
9763							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9764							  attr,
9765							  nl80211_match_policy,
9766							  NULL);
9767			if (err)
9768				goto out_free;
9769			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
9770			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
9771
9772			if (!ssid && !bssid) {
9773				i++;
9774				continue;
9775			}
9776
9777			if (WARN_ON(i >= n_match_sets)) {
9778				/* this indicates a programming error,
9779				 * the loop above should have verified
9780				 * things properly
9781				 */
9782				err = -EINVAL;
9783				goto out_free;
9784			}
9785
9786			if (ssid) {
9787				memcpy(request->match_sets[i].ssid.ssid,
9788				       nla_data(ssid), nla_len(ssid));
9789				request->match_sets[i].ssid.ssid_len =
9790					nla_len(ssid);
9791			}
9792			if (bssid)
9793				memcpy(request->match_sets[i].bssid,
9794				       nla_data(bssid), ETH_ALEN);
9795
9796			/* special attribute - old implementation w/a */
9797			request->match_sets[i].rssi_thold = default_match_rssi;
9798			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9799			if (rssi)
9800				request->match_sets[i].rssi_thold =
9801					nla_get_s32(rssi);
9802
9803			/* Parse per band RSSI attribute */
9804			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
9805				&request->match_sets[i],
9806				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
9807				request->match_sets[i].rssi_thold);
9808			if (err)
9809				goto out_free;
9810
9811			i++;
9812		}
9813
9814		/* there was no other matchset, so the RSSI one is alone */
9815		if (i == 0 && n_match_sets)
9816			request->match_sets[0].rssi_thold = default_match_rssi;
9817
9818		request->min_rssi_thold = INT_MAX;
9819		for (i = 0; i < n_match_sets; i++)
9820			request->min_rssi_thold =
9821				min(request->match_sets[i].rssi_thold,
9822				    request->min_rssi_thold);
9823	} else {
9824		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
9825	}
9826
9827	if (ie_len) {
9828		request->ie_len = ie_len;
9829		memcpy((void *)request->ie,
9830		       nla_data(attrs[NL80211_ATTR_IE]),
9831		       request->ie_len);
9832	}
9833
9834	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
9835	if (err)
9836		goto out_free;
9837
9838	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
9839		request->delay =
9840			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
9841
9842	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
9843		request->relative_rssi = nla_get_s8(
9844			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
9845		request->relative_rssi_set = true;
9846	}
9847
9848	if (request->relative_rssi_set &&
9849	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
9850		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
9851
9852		rssi_adjust = nla_data(
9853			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
9854		request->rssi_adjust.band = rssi_adjust->band;
9855		request->rssi_adjust.delta = rssi_adjust->delta;
9856		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
9857			err = -EINVAL;
9858			goto out_free;
9859		}
9860	}
9861
9862	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
9863	if (err)
9864		goto out_free;
9865
9866	request->scan_start = jiffies;
9867
9868	return request;
9869
9870out_free:
9871	kfree(request);
9872	return ERR_PTR(err);
9873}
9874
9875static int nl80211_start_sched_scan(struct sk_buff *skb,
9876				    struct genl_info *info)
9877{
9878	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9879	struct net_device *dev = info->user_ptr[1];
9880	struct wireless_dev *wdev = dev->ieee80211_ptr;
9881	struct cfg80211_sched_scan_request *sched_scan_req;
9882	bool want_multi;
9883	int err;
9884
9885	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
9886		return -EOPNOTSUPP;
9887
9888	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
9889	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
9890	if (err)
9891		return err;
9892
9893	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
9894						  info->attrs,
9895						  rdev->wiphy.max_match_sets);
9896
9897	err = PTR_ERR_OR_ZERO(sched_scan_req);
9898	if (err)
9899		goto out_err;
9900
9901	/* leave request id zero for legacy request
9902	 * or if driver does not support multi-scheduled scan
9903	 */
9904	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
9905		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
9906
9907	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
9908	if (err)
9909		goto out_free;
9910
9911	sched_scan_req->dev = dev;
9912	sched_scan_req->wiphy = &rdev->wiphy;
9913
9914	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9915		sched_scan_req->owner_nlportid = info->snd_portid;
9916
9917	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
9918
9919	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
9920	return 0;
9921
9922out_free:
9923	kfree(sched_scan_req);
9924out_err:
9925	return err;
9926}
9927
9928static int nl80211_stop_sched_scan(struct sk_buff *skb,
9929				   struct genl_info *info)
9930{
9931	struct cfg80211_sched_scan_request *req;
9932	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9933	u64 cookie;
9934
9935	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
9936		return -EOPNOTSUPP;
9937
9938	if (info->attrs[NL80211_ATTR_COOKIE]) {
9939		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
9940		return __cfg80211_stop_sched_scan(rdev, cookie, false);
9941	}
9942
9943	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
9944				     struct cfg80211_sched_scan_request,
9945				     list);
9946	if (!req || req->reqid ||
9947	    (req->owner_nlportid &&
9948	     req->owner_nlportid != info->snd_portid))
9949		return -ENOENT;
9950
9951	return cfg80211_stop_sched_scan_req(rdev, req, false);
9952}
9953
9954static int nl80211_start_radar_detection(struct sk_buff *skb,
9955					 struct genl_info *info)
9956{
9957	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9958	struct net_device *dev = info->user_ptr[1];
9959	struct wireless_dev *wdev = dev->ieee80211_ptr;
9960	struct wiphy *wiphy = wdev->wiphy;
9961	struct cfg80211_chan_def chandef;
9962	enum nl80211_dfs_regions dfs_region;
9963	unsigned int cac_time_ms;
9964	int err = -EINVAL;
9965
9966	flush_delayed_work(&rdev->dfs_update_channels_wk);
9967
9968	wiphy_lock(wiphy);
9969
9970	dfs_region = reg_get_dfs_region(wiphy);
9971	if (dfs_region == NL80211_DFS_UNSET)
9972		goto unlock;
9973
9974	err = nl80211_parse_chandef(rdev, info, &chandef);
9975	if (err)
9976		goto unlock;
9977
9978	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9979	if (err < 0)
9980		goto unlock;
9981
9982	if (err == 0) {
9983		err = -EINVAL;
9984		goto unlock;
9985	}
9986
9987	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef)) {
9988		err = -EINVAL;
9989		goto unlock;
9990	}
9991
9992	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND])) {
9993		err = cfg80211_start_background_radar_detection(rdev, wdev,
9994								&chandef);
9995		goto unlock;
9996	}
9997
9998	if (netif_carrier_ok(dev)) {
9999		err = -EBUSY;
10000		goto unlock;
10001	}
10002
10003	if (wdev->cac_started) {
10004		err = -EBUSY;
10005		goto unlock;
10006	}
10007
10008	/* CAC start is offloaded to HW and can't be started manually */
10009	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD)) {
10010		err = -EOPNOTSUPP;
10011		goto unlock;
10012	}
10013
10014	if (!rdev->ops->start_radar_detection) {
10015		err = -EOPNOTSUPP;
10016		goto unlock;
10017	}
10018
10019	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
10020	if (WARN_ON(!cac_time_ms))
10021		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
10022
10023	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
10024	if (!err) {
10025		wdev->links[0].ap.chandef = chandef;
10026		wdev->cac_started = true;
10027		wdev->cac_start_time = jiffies;
10028		wdev->cac_time_ms = cac_time_ms;
10029	}
10030unlock:
10031	wiphy_unlock(wiphy);
10032
10033	return err;
10034}
10035
10036static int nl80211_notify_radar_detection(struct sk_buff *skb,
10037					  struct genl_info *info)
10038{
10039	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10040	struct net_device *dev = info->user_ptr[1];
10041	struct wireless_dev *wdev = dev->ieee80211_ptr;
10042	struct wiphy *wiphy = wdev->wiphy;
10043	struct cfg80211_chan_def chandef;
10044	enum nl80211_dfs_regions dfs_region;
10045	int err;
10046
10047	dfs_region = reg_get_dfs_region(wiphy);
10048	if (dfs_region == NL80211_DFS_UNSET) {
10049		GENL_SET_ERR_MSG(info,
10050				 "DFS Region is not set. Unexpected Radar indication");
10051		return -EINVAL;
10052	}
10053
10054	err = nl80211_parse_chandef(rdev, info, &chandef);
10055	if (err) {
10056		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
10057		return err;
10058	}
10059
10060	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
10061	if (err < 0) {
10062		GENL_SET_ERR_MSG(info, "chandef is invalid");
10063		return err;
10064	}
10065
10066	if (err == 0) {
10067		GENL_SET_ERR_MSG(info,
10068				 "Unexpected Radar indication for chandef/iftype");
10069		return -EINVAL;
10070	}
10071
10072	/* Do not process this notification if radar is already detected
10073	 * by kernel on this channel, and return success.
10074	 */
10075	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
10076		return 0;
10077
10078	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
10079
10080	cfg80211_sched_dfs_chan_update(rdev);
10081
10082	rdev->radar_chandef = chandef;
10083
10084	/* Propagate this notification to other radios as well */
10085	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
10086
10087	return 0;
10088}
10089
10090static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
10091{
10092	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10093	unsigned int link_id = nl80211_link_id(info->attrs);
10094	struct net_device *dev = info->user_ptr[1];
10095	struct wireless_dev *wdev = dev->ieee80211_ptr;
10096	struct cfg80211_csa_settings params;
10097	struct nlattr **csa_attrs = NULL;
10098	int err;
10099	bool need_new_beacon = false;
10100	bool need_handle_dfs_flag = true;
10101	int len, i;
10102	u32 cs_count;
10103
10104	if (!rdev->ops->channel_switch ||
10105	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
10106		return -EOPNOTSUPP;
10107
10108	switch (dev->ieee80211_ptr->iftype) {
10109	case NL80211_IFTYPE_AP:
10110	case NL80211_IFTYPE_P2P_GO:
10111		need_new_beacon = true;
10112		/* For all modes except AP the handle_dfs flag needs to be
10113		 * supplied to tell the kernel that userspace will handle radar
10114		 * events when they happen. Otherwise a switch to a channel
10115		 * requiring DFS will be rejected.
10116		 */
10117		need_handle_dfs_flag = false;
10118
10119		/* useless if AP is not running */
10120		if (!wdev->links[link_id].ap.beacon_interval)
10121			return -ENOTCONN;
10122		break;
10123	case NL80211_IFTYPE_ADHOC:
10124		if (!wdev->u.ibss.ssid_len)
10125			return -ENOTCONN;
10126		break;
10127	case NL80211_IFTYPE_MESH_POINT:
10128		if (!wdev->u.mesh.id_len)
10129			return -ENOTCONN;
10130		break;
10131	default:
10132		return -EOPNOTSUPP;
10133	}
10134
10135	memset(&params, 0, sizeof(params));
10136	params.beacon_csa.ftm_responder = -1;
10137
10138	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10139	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
10140		return -EINVAL;
10141
10142	/* only important for AP, IBSS and mesh create IEs internally */
10143	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
10144		return -EINVAL;
10145
10146	/* Even though the attribute is u32, the specification says
10147	 * u8, so let's make sure we don't overflow.
10148	 */
10149	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
10150	if (cs_count > 255)
10151		return -EINVAL;
10152
10153	params.count = cs_count;
10154
10155	if (!need_new_beacon)
10156		goto skip_beacons;
10157
10158	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after,
10159				   info->extack);
10160	if (err)
10161		goto free;
10162
10163	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
10164			    GFP_KERNEL);
10165	if (!csa_attrs) {
10166		err = -ENOMEM;
10167		goto free;
10168	}
10169
10170	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
10171					  info->attrs[NL80211_ATTR_CSA_IES],
10172					  nl80211_policy, info->extack);
10173	if (err)
10174		goto free;
10175
10176	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa,
10177				   info->extack);
10178	if (err)
10179		goto free;
10180
10181	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
10182		err = -EINVAL;
10183		goto free;
10184	}
10185
10186	len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
10187	if (!len || (len % sizeof(u16))) {
10188		err = -EINVAL;
10189		goto free;
10190	}
10191
10192	params.n_counter_offsets_beacon = len / sizeof(u16);
10193	if (rdev->wiphy.max_num_csa_counters &&
10194	    (params.n_counter_offsets_beacon >
10195	     rdev->wiphy.max_num_csa_counters)) {
10196		err = -EINVAL;
10197		goto free;
10198	}
10199
10200	params.counter_offsets_beacon =
10201		nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
10202
10203	/* sanity checks - counters should fit and be the same */
10204	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
10205		u16 offset = params.counter_offsets_beacon[i];
10206
10207		if (offset >= params.beacon_csa.tail_len) {
10208			err = -EINVAL;
10209			goto free;
10210		}
10211
10212		if (params.beacon_csa.tail[offset] != params.count) {
10213			err = -EINVAL;
10214			goto free;
10215		}
10216	}
10217
10218	if (csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
10219		len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
10220		if (!len || (len % sizeof(u16))) {
10221			err = -EINVAL;
10222			goto free;
10223		}
10224
10225		params.n_counter_offsets_presp = len / sizeof(u16);
10226		if (rdev->wiphy.max_num_csa_counters &&
10227		    (params.n_counter_offsets_presp >
10228		     rdev->wiphy.max_num_csa_counters)) {
10229			err = -EINVAL;
10230			goto free;
10231		}
10232
10233		params.counter_offsets_presp =
10234			nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
10235
10236		/* sanity checks - counters should fit and be the same */
10237		for (i = 0; i < params.n_counter_offsets_presp; i++) {
10238			u16 offset = params.counter_offsets_presp[i];
10239
10240			if (offset >= params.beacon_csa.probe_resp_len) {
10241				err = -EINVAL;
10242				goto free;
10243			}
10244
10245			if (params.beacon_csa.probe_resp[offset] !=
10246			    params.count) {
10247				err = -EINVAL;
10248				goto free;
10249			}
10250		}
10251	}
10252
10253skip_beacons:
10254	err = nl80211_parse_chandef(rdev, info, &params.chandef);
10255	if (err)
10256		goto free;
10257
10258	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
10259					   wdev->iftype)) {
10260		err = -EINVAL;
10261		goto free;
10262	}
10263
10264	err = cfg80211_chandef_dfs_required(wdev->wiphy,
10265					    &params.chandef,
10266					    wdev->iftype);
10267	if (err < 0)
10268		goto free;
10269
10270	if (err > 0) {
10271		params.radar_required = true;
10272		if (need_handle_dfs_flag &&
10273		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
10274			err = -EINVAL;
10275			goto free;
10276		}
10277	}
10278
10279	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
10280		params.block_tx = true;
10281
10282	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
10283		err = nl80211_parse_punct_bitmap(rdev, info,
10284						 &params.chandef,
10285						 &params.punct_bitmap);
10286		if (err)
10287			goto free;
10288	}
10289
10290	wdev_lock(wdev);
10291	err = rdev_channel_switch(rdev, dev, &params);
10292	wdev_unlock(wdev);
10293
10294free:
10295	kfree(params.beacon_after.mbssid_ies);
10296	kfree(params.beacon_csa.mbssid_ies);
10297	kfree(params.beacon_after.rnr_ies);
10298	kfree(params.beacon_csa.rnr_ies);
10299	kfree(csa_attrs);
10300	return err;
10301}
10302
10303static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
10304			    u32 seq, int flags,
10305			    struct cfg80211_registered_device *rdev,
10306			    struct wireless_dev *wdev,
10307			    struct cfg80211_internal_bss *intbss)
10308{
10309	struct cfg80211_bss *res = &intbss->pub;
10310	const struct cfg80211_bss_ies *ies;
10311	unsigned int link_id;
10312	void *hdr;
10313	struct nlattr *bss;
10314
10315	ASSERT_WDEV_LOCK(wdev);
10316
10317	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
10318			     NL80211_CMD_NEW_SCAN_RESULTS);
10319	if (!hdr)
10320		return -1;
10321
10322	genl_dump_check_consistent(cb, hdr);
10323
10324	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
10325		goto nla_put_failure;
10326	if (wdev->netdev &&
10327	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
10328		goto nla_put_failure;
10329	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
10330			      NL80211_ATTR_PAD))
10331		goto nla_put_failure;
10332
10333	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
10334	if (!bss)
10335		goto nla_put_failure;
10336	if ((!is_zero_ether_addr(res->bssid) &&
10337	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
10338		goto nla_put_failure;
10339
10340	rcu_read_lock();
10341	/* indicate whether we have probe response data or not */
10342	if (rcu_access_pointer(res->proberesp_ies) &&
10343	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
10344		goto fail_unlock_rcu;
10345
10346	/* this pointer prefers to be pointed to probe response data
10347	 * but is always valid
10348	 */
10349	ies = rcu_dereference(res->ies);
10350	if (ies) {
10351		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
10352				      NL80211_BSS_PAD))
10353			goto fail_unlock_rcu;
10354		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
10355					ies->len, ies->data))
10356			goto fail_unlock_rcu;
10357	}
10358
10359	/* and this pointer is always (unless driver didn't know) beacon data */
10360	ies = rcu_dereference(res->beacon_ies);
10361	if (ies && ies->from_beacon) {
10362		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
10363				      NL80211_BSS_PAD))
10364			goto fail_unlock_rcu;
10365		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
10366					ies->len, ies->data))
10367			goto fail_unlock_rcu;
10368	}
10369	rcu_read_unlock();
10370
10371	if (res->beacon_interval &&
10372	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
10373		goto nla_put_failure;
10374	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
10375	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
10376	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
10377			res->channel->freq_offset) ||
10378	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
10379	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
10380			jiffies_to_msecs(jiffies - intbss->ts)))
10381		goto nla_put_failure;
10382
10383	if (intbss->parent_tsf &&
10384	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
10385			       intbss->parent_tsf, NL80211_BSS_PAD) ||
10386	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
10387		     intbss->parent_bssid)))
10388		goto nla_put_failure;
10389
10390	if (intbss->ts_boottime &&
10391	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
10392			      intbss->ts_boottime, NL80211_BSS_PAD))
10393		goto nla_put_failure;
10394
10395	if (!nl80211_put_signal(msg, intbss->pub.chains,
10396				intbss->pub.chain_signal,
10397				NL80211_BSS_CHAIN_SIGNAL))
10398		goto nla_put_failure;
10399
10400	switch (rdev->wiphy.signal_type) {
10401	case CFG80211_SIGNAL_TYPE_MBM:
10402		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
10403			goto nla_put_failure;
10404		break;
10405	case CFG80211_SIGNAL_TYPE_UNSPEC:
10406		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
10407			goto nla_put_failure;
10408		break;
10409	default:
10410		break;
10411	}
10412
10413	switch (wdev->iftype) {
10414	case NL80211_IFTYPE_P2P_CLIENT:
10415	case NL80211_IFTYPE_STATION:
10416		for_each_valid_link(wdev, link_id) {
10417			if (intbss == wdev->links[link_id].client.current_bss &&
10418			    (nla_put_u32(msg, NL80211_BSS_STATUS,
10419					 NL80211_BSS_STATUS_ASSOCIATED) ||
10420			     (wdev->valid_links &&
10421			      (nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
10422					  link_id) ||
10423			       nla_put(msg, NL80211_BSS_MLD_ADDR, ETH_ALEN,
10424				       wdev->u.client.connected_addr)))))
10425				goto nla_put_failure;
10426		}
10427		break;
10428	case NL80211_IFTYPE_ADHOC:
10429		if (intbss == wdev->u.ibss.current_bss &&
10430		    nla_put_u32(msg, NL80211_BSS_STATUS,
10431				NL80211_BSS_STATUS_IBSS_JOINED))
10432			goto nla_put_failure;
10433		break;
10434	default:
10435		break;
10436	}
10437
10438	nla_nest_end(msg, bss);
10439
10440	genlmsg_end(msg, hdr);
10441	return 0;
10442
10443 fail_unlock_rcu:
10444	rcu_read_unlock();
10445 nla_put_failure:
10446	genlmsg_cancel(msg, hdr);
10447	return -EMSGSIZE;
10448}
10449
10450static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
10451{
10452	struct cfg80211_registered_device *rdev;
10453	struct cfg80211_internal_bss *scan;
10454	struct wireless_dev *wdev;
10455	int start = cb->args[2], idx = 0;
10456	int err;
10457
10458	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
10459	if (err)
10460		return err;
10461	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10462	__acquire(&rdev->wiphy.mtx);
10463
10464	wdev_lock(wdev);
10465	spin_lock_bh(&rdev->bss_lock);
10466
10467	/*
10468	 * dump_scan will be called multiple times to break up the scan results
10469	 * into multiple messages.  It is unlikely that any more bss-es will be
10470	 * expired after the first call, so only call only call this on the
10471	 * first dump_scan invocation.
10472	 */
10473	if (start == 0)
10474		cfg80211_bss_expire(rdev);
10475
10476	cb->seq = rdev->bss_generation;
10477
10478	list_for_each_entry(scan, &rdev->bss_list, list) {
10479		if (++idx <= start)
10480			continue;
10481		if (nl80211_send_bss(skb, cb,
10482				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10483				rdev, wdev, scan) < 0) {
10484			idx--;
10485			break;
10486		}
10487	}
10488
10489	spin_unlock_bh(&rdev->bss_lock);
10490	wdev_unlock(wdev);
10491
10492	cb->args[2] = idx;
10493	wiphy_unlock(&rdev->wiphy);
10494
10495	return skb->len;
10496}
10497
10498static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
10499			       int flags, struct net_device *dev,
10500			       bool allow_radio_stats,
10501			       struct survey_info *survey)
10502{
10503	void *hdr;
10504	struct nlattr *infoattr;
10505
10506	/* skip radio stats if userspace didn't request them */
10507	if (!survey->channel && !allow_radio_stats)
10508		return 0;
10509
10510	hdr = nl80211hdr_put(msg, portid, seq, flags,
10511			     NL80211_CMD_NEW_SURVEY_RESULTS);
10512	if (!hdr)
10513		return -ENOMEM;
10514
10515	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
10516		goto nla_put_failure;
10517
10518	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
10519	if (!infoattr)
10520		goto nla_put_failure;
10521
10522	if (survey->channel &&
10523	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
10524			survey->channel->center_freq))
10525		goto nla_put_failure;
10526
10527	if (survey->channel && survey->channel->freq_offset &&
10528	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
10529			survey->channel->freq_offset))
10530		goto nla_put_failure;
10531
10532	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
10533	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
10534		goto nla_put_failure;
10535	if ((survey->filled & SURVEY_INFO_IN_USE) &&
10536	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
10537		goto nla_put_failure;
10538	if ((survey->filled & SURVEY_INFO_TIME) &&
10539	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
10540			survey->time, NL80211_SURVEY_INFO_PAD))
10541		goto nla_put_failure;
10542	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
10543	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
10544			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
10545		goto nla_put_failure;
10546	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
10547	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
10548			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
10549		goto nla_put_failure;
10550	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
10551	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
10552			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
10553		goto nla_put_failure;
10554	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
10555	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
10556			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
10557		goto nla_put_failure;
10558	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
10559	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
10560			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
10561		goto nla_put_failure;
10562	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
10563	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
10564			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
10565		goto nla_put_failure;
10566
10567	nla_nest_end(msg, infoattr);
10568
10569	genlmsg_end(msg, hdr);
10570	return 0;
10571
10572 nla_put_failure:
10573	genlmsg_cancel(msg, hdr);
10574	return -EMSGSIZE;
10575}
10576
10577static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
10578{
10579	struct nlattr **attrbuf;
10580	struct survey_info survey;
10581	struct cfg80211_registered_device *rdev;
10582	struct wireless_dev *wdev;
10583	int survey_idx = cb->args[2];
10584	int res;
10585	bool radio_stats;
10586
10587	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
10588	if (!attrbuf)
10589		return -ENOMEM;
10590
10591	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
10592	if (res) {
10593		kfree(attrbuf);
10594		return res;
10595	}
10596	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10597	__acquire(&rdev->wiphy.mtx);
10598
10599	/* prepare_wdev_dump parsed the attributes */
10600	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
10601
10602	if (!wdev->netdev) {
10603		res = -EINVAL;
10604		goto out_err;
10605	}
10606
10607	if (!rdev->ops->dump_survey) {
10608		res = -EOPNOTSUPP;
10609		goto out_err;
10610	}
10611
10612	while (1) {
10613		wdev_lock(wdev);
10614		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
10615		wdev_unlock(wdev);
10616		if (res == -ENOENT)
10617			break;
10618		if (res)
10619			goto out_err;
10620
10621		/* don't send disabled channels, but do send non-channel data */
10622		if (survey.channel &&
10623		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
10624			survey_idx++;
10625			continue;
10626		}
10627
10628		if (nl80211_send_survey(skb,
10629				NETLINK_CB(cb->skb).portid,
10630				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10631				wdev->netdev, radio_stats, &survey) < 0)
10632			goto out;
10633		survey_idx++;
10634	}
10635
10636 out:
10637	cb->args[2] = survey_idx;
10638	res = skb->len;
10639 out_err:
10640	kfree(attrbuf);
10641	wiphy_unlock(&rdev->wiphy);
10642	return res;
10643}
10644
10645static bool nl80211_valid_wpa_versions(u32 wpa_versions)
10646{
10647	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
10648				  NL80211_WPA_VERSION_2 |
10649				  NL80211_WPA_VERSION_3));
10650}
10651
10652static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
10653{
10654	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10655	struct net_device *dev = info->user_ptr[1];
10656	struct ieee80211_channel *chan;
10657	const u8 *bssid, *ssid;
10658	int err, ssid_len;
10659	enum nl80211_auth_type auth_type;
10660	struct key_parse key;
10661	bool local_state_change;
10662	struct cfg80211_auth_request req = {};
10663	u32 freq;
10664
10665	if (!info->attrs[NL80211_ATTR_MAC])
10666		return -EINVAL;
10667
10668	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
10669		return -EINVAL;
10670
10671	if (!info->attrs[NL80211_ATTR_SSID])
10672		return -EINVAL;
10673
10674	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10675		return -EINVAL;
10676
10677	err = nl80211_parse_key(info, &key);
10678	if (err)
10679		return err;
10680
10681	if (key.idx >= 0) {
10682		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
10683			return -EINVAL;
10684		if (!key.p.key || !key.p.key_len)
10685			return -EINVAL;
10686		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
10687		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
10688		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
10689		     key.p.key_len != WLAN_KEY_LEN_WEP104))
10690			return -EINVAL;
10691		if (key.idx > 3)
10692			return -EINVAL;
10693	} else {
10694		key.p.key_len = 0;
10695		key.p.key = NULL;
10696	}
10697
10698	if (key.idx >= 0) {
10699		int i;
10700		bool ok = false;
10701
10702		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
10703			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
10704				ok = true;
10705				break;
10706			}
10707		}
10708		if (!ok)
10709			return -EINVAL;
10710	}
10711
10712	if (!rdev->ops->auth)
10713		return -EOPNOTSUPP;
10714
10715	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10716	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10717		return -EOPNOTSUPP;
10718
10719	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10720	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10721	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10722		freq +=
10723		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10724
10725	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10726	if (!chan)
10727		return -EINVAL;
10728
10729	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10730	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10731
10732	if (info->attrs[NL80211_ATTR_IE]) {
10733		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10734		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10735	}
10736
10737	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10738	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
10739		return -EINVAL;
10740
10741	if ((auth_type == NL80211_AUTHTYPE_SAE ||
10742	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
10743	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
10744	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
10745	    !info->attrs[NL80211_ATTR_AUTH_DATA])
10746		return -EINVAL;
10747
10748	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
10749		if (auth_type != NL80211_AUTHTYPE_SAE &&
10750		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
10751		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
10752		    auth_type != NL80211_AUTHTYPE_FILS_PK)
10753			return -EINVAL;
10754		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
10755		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
10756	}
10757
10758	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10759
10760	/*
10761	 * Since we no longer track auth state, ignore
10762	 * requests to only change local state.
10763	 */
10764	if (local_state_change)
10765		return 0;
10766
10767	req.auth_type = auth_type;
10768	req.key = key.p.key;
10769	req.key_len = key.p.key_len;
10770	req.key_idx = key.idx;
10771	req.link_id = nl80211_link_id_or_invalid(info->attrs);
10772	if (req.link_id >= 0) {
10773		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
10774			return -EINVAL;
10775		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
10776			return -EINVAL;
10777		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
10778		if (!is_valid_ether_addr(req.ap_mld_addr))
10779			return -EINVAL;
10780	}
10781
10782	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
10783				   IEEE80211_BSS_TYPE_ESS,
10784				   IEEE80211_PRIVACY_ANY);
10785	if (!req.bss)
10786		return -ENOENT;
10787
10788	wdev_lock(dev->ieee80211_ptr);
10789	err = cfg80211_mlme_auth(rdev, dev, &req);
10790	wdev_unlock(dev->ieee80211_ptr);
10791
10792	cfg80211_put_bss(&rdev->wiphy, req.bss);
10793
10794	return err;
10795}
10796
10797static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
10798				     struct genl_info *info)
10799{
10800	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10801		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
10802		return -EINVAL;
10803	}
10804
10805	if (!rdev->ops->tx_control_port ||
10806	    !wiphy_ext_feature_isset(&rdev->wiphy,
10807				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
10808		return -EOPNOTSUPP;
10809
10810	return 0;
10811}
10812
10813static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
10814				   struct genl_info *info,
10815				   struct cfg80211_crypto_settings *settings,
10816				   int cipher_limit)
10817{
10818	memset(settings, 0, sizeof(*settings));
10819
10820	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
10821
10822	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
10823		u16 proto;
10824
10825		proto = nla_get_u16(
10826			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
10827		settings->control_port_ethertype = cpu_to_be16(proto);
10828		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
10829		    proto != ETH_P_PAE)
10830			return -EINVAL;
10831		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
10832			settings->control_port_no_encrypt = true;
10833	} else
10834		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
10835
10836	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10837		int r = validate_pae_over_nl80211(rdev, info);
10838
10839		if (r < 0)
10840			return r;
10841
10842		settings->control_port_over_nl80211 = true;
10843
10844		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
10845			settings->control_port_no_preauth = true;
10846	}
10847
10848	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
10849		void *data;
10850		int len, i;
10851
10852		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10853		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10854		settings->n_ciphers_pairwise = len / sizeof(u32);
10855
10856		if (len % sizeof(u32))
10857			return -EINVAL;
10858
10859		if (settings->n_ciphers_pairwise > cipher_limit)
10860			return -EINVAL;
10861
10862		memcpy(settings->ciphers_pairwise, data, len);
10863
10864		for (i = 0; i < settings->n_ciphers_pairwise; i++)
10865			if (!cfg80211_supported_cipher_suite(
10866					&rdev->wiphy,
10867					settings->ciphers_pairwise[i]))
10868				return -EINVAL;
10869	}
10870
10871	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
10872		settings->cipher_group =
10873			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
10874		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
10875						     settings->cipher_group))
10876			return -EINVAL;
10877	}
10878
10879	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
10880		settings->wpa_versions =
10881			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
10882		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
10883			return -EINVAL;
10884	}
10885
10886	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
10887		void *data;
10888		int len;
10889
10890		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
10891		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
10892		settings->n_akm_suites = len / sizeof(u32);
10893
10894		if (len % sizeof(u32))
10895			return -EINVAL;
10896
10897		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
10898			return -EINVAL;
10899
10900		memcpy(settings->akm_suites, data, len);
10901	}
10902
10903	if (info->attrs[NL80211_ATTR_PMK]) {
10904		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
10905			return -EINVAL;
10906		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10907					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
10908		    !wiphy_ext_feature_isset(&rdev->wiphy,
10909					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
10910			return -EINVAL;
10911		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10912	}
10913
10914	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
10915		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10916					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
10917		    !wiphy_ext_feature_isset(&rdev->wiphy,
10918					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
10919			return -EINVAL;
10920		settings->sae_pwd =
10921			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10922		settings->sae_pwd_len =
10923			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10924	}
10925
10926	if (info->attrs[NL80211_ATTR_SAE_PWE])
10927		settings->sae_pwe =
10928			nla_get_u8(info->attrs[NL80211_ATTR_SAE_PWE]);
10929	else
10930		settings->sae_pwe = NL80211_SAE_PWE_UNSPECIFIED;
10931
10932	return 0;
10933}
10934
10935static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
10936					      const u8 *ssid, int ssid_len,
10937					      struct nlattr **attrs)
10938{
10939	struct ieee80211_channel *chan;
10940	struct cfg80211_bss *bss;
10941	const u8 *bssid;
10942	u32 freq;
10943
10944	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
10945		return ERR_PTR(-EINVAL);
10946
10947	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
10948
10949	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
10950	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10951		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10952
10953	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10954	if (!chan)
10955		return ERR_PTR(-EINVAL);
10956
10957	bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid,
10958			       ssid, ssid_len,
10959			       IEEE80211_BSS_TYPE_ESS,
10960			       IEEE80211_PRIVACY_ANY);
10961	if (!bss)
10962		return ERR_PTR(-ENOENT);
10963
10964	return bss;
10965}
10966
10967static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
10968{
10969	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10970	struct net_device *dev = info->user_ptr[1];
10971	struct cfg80211_assoc_request req = {};
10972	struct nlattr **attrs = NULL;
10973	const u8 *ap_addr, *ssid;
10974	unsigned int link_id;
10975	int err, ssid_len;
10976
10977	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10978	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10979		return -EPERM;
10980
10981	if (!info->attrs[NL80211_ATTR_SSID])
10982		return -EINVAL;
10983
10984	if (!rdev->ops->assoc)
10985		return -EOPNOTSUPP;
10986
10987	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10988	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10989		return -EOPNOTSUPP;
10990
10991	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10992	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10993
10994	if (info->attrs[NL80211_ATTR_IE]) {
10995		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10996		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10997
10998		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
10999					   req.ie, req.ie_len)) {
11000			GENL_SET_ERR_MSG(info,
11001					 "non-inheritance makes no sense");
11002			return -EINVAL;
11003		}
11004	}
11005
11006	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11007		enum nl80211_mfp mfp =
11008			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11009		if (mfp == NL80211_MFP_REQUIRED)
11010			req.use_mfp = true;
11011		else if (mfp != NL80211_MFP_NO)
11012			return -EINVAL;
11013	}
11014
11015	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11016		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11017
11018	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11019		req.flags |= ASSOC_REQ_DISABLE_HT;
11020
11021	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11022		memcpy(&req.ht_capa_mask,
11023		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11024		       sizeof(req.ht_capa_mask));
11025
11026	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11027		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11028			return -EINVAL;
11029		memcpy(&req.ht_capa,
11030		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11031		       sizeof(req.ht_capa));
11032	}
11033
11034	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11035		req.flags |= ASSOC_REQ_DISABLE_VHT;
11036
11037	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11038		req.flags |= ASSOC_REQ_DISABLE_HE;
11039
11040	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
11041		req.flags |= ASSOC_REQ_DISABLE_EHT;
11042
11043	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11044		memcpy(&req.vht_capa_mask,
11045		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11046		       sizeof(req.vht_capa_mask));
11047
11048	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11049		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11050			return -EINVAL;
11051		memcpy(&req.vht_capa,
11052		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11053		       sizeof(req.vht_capa));
11054	}
11055
11056	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11057		if (!((rdev->wiphy.features &
11058			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11059		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11060		    !wiphy_ext_feature_isset(&rdev->wiphy,
11061					     NL80211_EXT_FEATURE_RRM))
11062			return -EINVAL;
11063		req.flags |= ASSOC_REQ_USE_RRM;
11064	}
11065
11066	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
11067		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
11068		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
11069		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
11070			return -EINVAL;
11071		req.fils_nonces =
11072			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
11073	}
11074
11075	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
11076		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
11077			return -EINVAL;
11078		memcpy(&req.s1g_capa_mask,
11079		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
11080		       sizeof(req.s1g_capa_mask));
11081	}
11082
11083	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
11084		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
11085			return -EINVAL;
11086		memcpy(&req.s1g_capa,
11087		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
11088		       sizeof(req.s1g_capa));
11089	}
11090
11091	req.link_id = nl80211_link_id_or_invalid(info->attrs);
11092
11093	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
11094		unsigned int attrsize = NUM_NL80211_ATTR * sizeof(*attrs);
11095		struct nlattr *link;
11096		int rem = 0;
11097
11098		if (req.link_id < 0)
11099			return -EINVAL;
11100
11101		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
11102			return -EINVAL;
11103
11104		if (info->attrs[NL80211_ATTR_MAC] ||
11105		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11106		    !info->attrs[NL80211_ATTR_MLD_ADDR])
11107			return -EINVAL;
11108
11109		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
11110		ap_addr = req.ap_mld_addr;
11111
11112		attrs = kzalloc(attrsize, GFP_KERNEL);
11113		if (!attrs)
11114			return -ENOMEM;
11115
11116		nla_for_each_nested(link,
11117				    info->attrs[NL80211_ATTR_MLO_LINKS],
11118				    rem) {
11119			memset(attrs, 0, attrsize);
11120
11121			nla_parse_nested(attrs, NL80211_ATTR_MAX,
11122					 link, NULL, NULL);
11123
11124			if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
11125				err = -EINVAL;
11126				goto free;
11127			}
11128
11129			link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
11130			/* cannot use the same link ID again */
11131			if (req.links[link_id].bss) {
11132				err = -EINVAL;
11133				goto free;
11134			}
11135			req.links[link_id].bss =
11136				nl80211_assoc_bss(rdev, ssid, ssid_len, attrs);
11137			if (IS_ERR(req.links[link_id].bss)) {
11138				err = PTR_ERR(req.links[link_id].bss);
11139				req.links[link_id].bss = NULL;
11140				goto free;
11141			}
11142
11143			if (attrs[NL80211_ATTR_IE]) {
11144				req.links[link_id].elems =
11145					nla_data(attrs[NL80211_ATTR_IE]);
11146				req.links[link_id].elems_len =
11147					nla_len(attrs[NL80211_ATTR_IE]);
11148
11149				if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
11150						       req.links[link_id].elems,
11151						       req.links[link_id].elems_len)) {
11152					GENL_SET_ERR_MSG(info,
11153							 "cannot deal with fragmentation");
11154					err = -EINVAL;
11155					goto free;
11156				}
11157
11158				if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
11159							   req.links[link_id].elems,
11160							   req.links[link_id].elems_len)) {
11161					GENL_SET_ERR_MSG(info,
11162							 "cannot deal with non-inheritance");
11163					err = -EINVAL;
11164					goto free;
11165				}
11166			}
11167
11168			req.links[link_id].disabled =
11169				nla_get_flag(attrs[NL80211_ATTR_MLO_LINK_DISABLED]);
11170		}
11171
11172		if (!req.links[req.link_id].bss) {
11173			err = -EINVAL;
11174			goto free;
11175		}
11176
11177		if (req.links[req.link_id].elems_len) {
11178			GENL_SET_ERR_MSG(info,
11179					 "cannot have per-link elems on assoc link");
11180			err = -EINVAL;
11181			goto free;
11182		}
11183
11184		if (req.links[req.link_id].disabled) {
11185			GENL_SET_ERR_MSG(info,
11186					 "cannot have assoc link disabled");
11187			err = -EINVAL;
11188			goto free;
11189		}
11190
11191		kfree(attrs);
11192		attrs = NULL;
11193	} else {
11194		if (req.link_id >= 0)
11195			return -EINVAL;
11196
11197		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs);
11198		if (IS_ERR(req.bss))
11199			return PTR_ERR(req.bss);
11200		ap_addr = req.bss->bssid;
11201	}
11202
11203	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
11204	if (!err) {
11205		wdev_lock(dev->ieee80211_ptr);
11206
11207		err = cfg80211_mlme_assoc(rdev, dev, &req);
11208
11209		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11210			dev->ieee80211_ptr->conn_owner_nlportid =
11211				info->snd_portid;
11212			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11213			       ap_addr, ETH_ALEN);
11214		}
11215
11216		wdev_unlock(dev->ieee80211_ptr);
11217	}
11218
11219free:
11220	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
11221		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
11222	cfg80211_put_bss(&rdev->wiphy, req.bss);
11223	kfree(attrs);
11224
11225	return err;
11226}
11227
11228static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
11229{
11230	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11231	struct net_device *dev = info->user_ptr[1];
11232	const u8 *ie = NULL, *bssid;
11233	int ie_len = 0, err;
11234	u16 reason_code;
11235	bool local_state_change;
11236
11237	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11238	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11239		return -EPERM;
11240
11241	if (!info->attrs[NL80211_ATTR_MAC])
11242		return -EINVAL;
11243
11244	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11245		return -EINVAL;
11246
11247	if (!rdev->ops->deauth)
11248		return -EOPNOTSUPP;
11249
11250	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11251	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11252		return -EOPNOTSUPP;
11253
11254	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11255
11256	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11257	if (reason_code == 0) {
11258		/* Reason Code 0 is reserved */
11259		return -EINVAL;
11260	}
11261
11262	if (info->attrs[NL80211_ATTR_IE]) {
11263		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11264		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11265	}
11266
11267	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11268
11269	wdev_lock(dev->ieee80211_ptr);
11270	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
11271				   local_state_change);
11272	wdev_unlock(dev->ieee80211_ptr);
11273	return err;
11274}
11275
11276static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
11277{
11278	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11279	struct net_device *dev = info->user_ptr[1];
11280	const u8 *ie = NULL, *bssid;
11281	int ie_len = 0, err;
11282	u16 reason_code;
11283	bool local_state_change;
11284
11285	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11286	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11287		return -EPERM;
11288
11289	if (!info->attrs[NL80211_ATTR_MAC])
11290		return -EINVAL;
11291
11292	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11293		return -EINVAL;
11294
11295	if (!rdev->ops->disassoc)
11296		return -EOPNOTSUPP;
11297
11298	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11299	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11300		return -EOPNOTSUPP;
11301
11302	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11303
11304	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11305	if (reason_code == 0) {
11306		/* Reason Code 0 is reserved */
11307		return -EINVAL;
11308	}
11309
11310	if (info->attrs[NL80211_ATTR_IE]) {
11311		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11312		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11313	}
11314
11315	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11316
11317	wdev_lock(dev->ieee80211_ptr);
11318	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
11319				     local_state_change);
11320	wdev_unlock(dev->ieee80211_ptr);
11321	return err;
11322}
11323
11324static bool
11325nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
11326			 int mcast_rate[NUM_NL80211_BANDS],
11327			 int rateval)
11328{
11329	struct wiphy *wiphy = &rdev->wiphy;
11330	bool found = false;
11331	int band, i;
11332
11333	for (band = 0; band < NUM_NL80211_BANDS; band++) {
11334		struct ieee80211_supported_band *sband;
11335
11336		sband = wiphy->bands[band];
11337		if (!sband)
11338			continue;
11339
11340		for (i = 0; i < sband->n_bitrates; i++) {
11341			if (sband->bitrates[i].bitrate == rateval) {
11342				mcast_rate[band] = i + 1;
11343				found = true;
11344				break;
11345			}
11346		}
11347	}
11348
11349	return found;
11350}
11351
11352static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
11353{
11354	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11355	struct net_device *dev = info->user_ptr[1];
11356	struct cfg80211_ibss_params ibss;
11357	struct wiphy *wiphy;
11358	struct cfg80211_cached_keys *connkeys = NULL;
11359	int err;
11360
11361	memset(&ibss, 0, sizeof(ibss));
11362
11363	if (!info->attrs[NL80211_ATTR_SSID] ||
11364	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11365		return -EINVAL;
11366
11367	ibss.beacon_interval = 100;
11368
11369	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
11370		ibss.beacon_interval =
11371			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
11372
11373	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
11374					   ibss.beacon_interval);
11375	if (err)
11376		return err;
11377
11378	if (!rdev->ops->join_ibss)
11379		return -EOPNOTSUPP;
11380
11381	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11382		return -EOPNOTSUPP;
11383
11384	wiphy = &rdev->wiphy;
11385
11386	if (info->attrs[NL80211_ATTR_MAC]) {
11387		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11388
11389		if (!is_valid_ether_addr(ibss.bssid))
11390			return -EINVAL;
11391	}
11392	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11393	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11394
11395	if (info->attrs[NL80211_ATTR_IE]) {
11396		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11397		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11398	}
11399
11400	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
11401	if (err)
11402		return err;
11403
11404	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
11405				     NL80211_IFTYPE_ADHOC))
11406		return -EINVAL;
11407
11408	switch (ibss.chandef.width) {
11409	case NL80211_CHAN_WIDTH_5:
11410	case NL80211_CHAN_WIDTH_10:
11411	case NL80211_CHAN_WIDTH_20_NOHT:
11412		break;
11413	case NL80211_CHAN_WIDTH_20:
11414	case NL80211_CHAN_WIDTH_40:
11415		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11416			return -EINVAL;
11417		break;
11418	case NL80211_CHAN_WIDTH_80:
11419	case NL80211_CHAN_WIDTH_80P80:
11420	case NL80211_CHAN_WIDTH_160:
11421		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11422			return -EINVAL;
11423		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11424					     NL80211_EXT_FEATURE_VHT_IBSS))
11425			return -EINVAL;
11426		break;
11427	case NL80211_CHAN_WIDTH_320:
11428		return -EINVAL;
11429	default:
11430		return -EINVAL;
11431	}
11432
11433	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
11434	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
11435
11436	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
11437		u8 *rates =
11438			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11439		int n_rates =
11440			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11441		struct ieee80211_supported_band *sband =
11442			wiphy->bands[ibss.chandef.chan->band];
11443
11444		err = ieee80211_get_ratemask(sband, rates, n_rates,
11445					     &ibss.basic_rates);
11446		if (err)
11447			return err;
11448	}
11449
11450	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11451		memcpy(&ibss.ht_capa_mask,
11452		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11453		       sizeof(ibss.ht_capa_mask));
11454
11455	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11456		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11457			return -EINVAL;
11458		memcpy(&ibss.ht_capa,
11459		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11460		       sizeof(ibss.ht_capa));
11461	}
11462
11463	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
11464	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
11465			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
11466		return -EINVAL;
11467
11468	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11469		bool no_ht = false;
11470
11471		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
11472		if (IS_ERR(connkeys))
11473			return PTR_ERR(connkeys);
11474
11475		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
11476		    no_ht) {
11477			kfree_sensitive(connkeys);
11478			return -EINVAL;
11479		}
11480	}
11481
11482	ibss.control_port =
11483		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
11484
11485	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11486		int r = validate_pae_over_nl80211(rdev, info);
11487
11488		if (r < 0) {
11489			kfree_sensitive(connkeys);
11490			return r;
11491		}
11492
11493		ibss.control_port_over_nl80211 = true;
11494	}
11495
11496	ibss.userspace_handles_dfs =
11497		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11498
11499	wdev_lock(dev->ieee80211_ptr);
11500	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
11501	if (err)
11502		kfree_sensitive(connkeys);
11503	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11504		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11505	wdev_unlock(dev->ieee80211_ptr);
11506
11507	return err;
11508}
11509
11510static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
11511{
11512	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11513	struct net_device *dev = info->user_ptr[1];
11514
11515	if (!rdev->ops->leave_ibss)
11516		return -EOPNOTSUPP;
11517
11518	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11519		return -EOPNOTSUPP;
11520
11521	return cfg80211_leave_ibss(rdev, dev, false);
11522}
11523
11524static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
11525{
11526	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11527	struct net_device *dev = info->user_ptr[1];
11528	int mcast_rate[NUM_NL80211_BANDS];
11529	u32 nla_rate;
11530
11531	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
11532	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
11533	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
11534		return -EOPNOTSUPP;
11535
11536	if (!rdev->ops->set_mcast_rate)
11537		return -EOPNOTSUPP;
11538
11539	memset(mcast_rate, 0, sizeof(mcast_rate));
11540
11541	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
11542		return -EINVAL;
11543
11544	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
11545	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
11546		return -EINVAL;
11547
11548	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
11549}
11550
11551static struct sk_buff *
11552__cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
11553			    struct wireless_dev *wdev, int approxlen,
11554			    u32 portid, u32 seq, enum nl80211_commands cmd,
11555			    enum nl80211_attrs attr,
11556			    const struct nl80211_vendor_cmd_info *info,
11557			    gfp_t gfp)
11558{
11559	struct sk_buff *skb;
11560	void *hdr;
11561	struct nlattr *data;
11562
11563	skb = nlmsg_new(approxlen + 100, gfp);
11564	if (!skb)
11565		return NULL;
11566
11567	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
11568	if (!hdr) {
11569		kfree_skb(skb);
11570		return NULL;
11571	}
11572
11573	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
11574		goto nla_put_failure;
11575
11576	if (info) {
11577		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
11578				info->vendor_id))
11579			goto nla_put_failure;
11580		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
11581				info->subcmd))
11582			goto nla_put_failure;
11583	}
11584
11585	if (wdev) {
11586		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
11587				      wdev_id(wdev), NL80211_ATTR_PAD))
11588			goto nla_put_failure;
11589		if (wdev->netdev &&
11590		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
11591				wdev->netdev->ifindex))
11592			goto nla_put_failure;
11593	}
11594
11595	data = nla_nest_start_noflag(skb, attr);
11596	if (!data)
11597		goto nla_put_failure;
11598
11599	((void **)skb->cb)[0] = rdev;
11600	((void **)skb->cb)[1] = hdr;
11601	((void **)skb->cb)[2] = data;
11602
11603	return skb;
11604
11605 nla_put_failure:
11606	kfree_skb(skb);
11607	return NULL;
11608}
11609
11610struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
11611					   struct wireless_dev *wdev,
11612					   enum nl80211_commands cmd,
11613					   enum nl80211_attrs attr,
11614					   unsigned int portid,
11615					   int vendor_event_idx,
11616					   int approxlen, gfp_t gfp)
11617{
11618	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11619	const struct nl80211_vendor_cmd_info *info;
11620
11621	switch (cmd) {
11622	case NL80211_CMD_TESTMODE:
11623		if (WARN_ON(vendor_event_idx != -1))
11624			return NULL;
11625		info = NULL;
11626		break;
11627	case NL80211_CMD_VENDOR:
11628		if (WARN_ON(vendor_event_idx < 0 ||
11629			    vendor_event_idx >= wiphy->n_vendor_events))
11630			return NULL;
11631		info = &wiphy->vendor_events[vendor_event_idx];
11632		break;
11633	default:
11634		WARN_ON(1);
11635		return NULL;
11636	}
11637
11638	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
11639					   cmd, attr, info, gfp);
11640}
11641EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
11642
11643void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
11644{
11645	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
11646	void *hdr = ((void **)skb->cb)[1];
11647	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
11648	struct nlattr *data = ((void **)skb->cb)[2];
11649	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
11650
11651	/* clear CB data for netlink core to own from now on */
11652	memset(skb->cb, 0, sizeof(skb->cb));
11653
11654	nla_nest_end(skb, data);
11655	genlmsg_end(skb, hdr);
11656
11657	if (nlhdr->nlmsg_pid) {
11658		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
11659				nlhdr->nlmsg_pid);
11660	} else {
11661		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
11662			mcgrp = NL80211_MCGRP_VENDOR;
11663
11664		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
11665					skb, 0, mcgrp, gfp);
11666	}
11667}
11668EXPORT_SYMBOL(__cfg80211_send_event_skb);
11669
11670#ifdef CONFIG_NL80211_TESTMODE
11671static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
11672{
11673	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11674	struct wireless_dev *wdev;
11675	int err;
11676
11677	lockdep_assert_held(&rdev->wiphy.mtx);
11678
11679	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
11680					  info->attrs);
11681
11682	if (!rdev->ops->testmode_cmd)
11683		return -EOPNOTSUPP;
11684
11685	if (IS_ERR(wdev)) {
11686		err = PTR_ERR(wdev);
11687		if (err != -EINVAL)
11688			return err;
11689		wdev = NULL;
11690	} else if (wdev->wiphy != &rdev->wiphy) {
11691		return -EINVAL;
11692	}
11693
11694	if (!info->attrs[NL80211_ATTR_TESTDATA])
11695		return -EINVAL;
11696
11697	rdev->cur_cmd_info = info;
11698	err = rdev_testmode_cmd(rdev, wdev,
11699				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
11700				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
11701	rdev->cur_cmd_info = NULL;
11702
11703	return err;
11704}
11705
11706static int nl80211_testmode_dump(struct sk_buff *skb,
11707				 struct netlink_callback *cb)
11708{
11709	struct cfg80211_registered_device *rdev;
11710	struct nlattr **attrbuf = NULL;
11711	int err;
11712	long phy_idx;
11713	void *data = NULL;
11714	int data_len = 0;
11715
11716	rtnl_lock();
11717
11718	if (cb->args[0]) {
11719		/*
11720		 * 0 is a valid index, but not valid for args[0],
11721		 * so we need to offset by 1.
11722		 */
11723		phy_idx = cb->args[0] - 1;
11724
11725		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
11726		if (!rdev) {
11727			err = -ENOENT;
11728			goto out_err;
11729		}
11730	} else {
11731		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
11732				  GFP_KERNEL);
11733		if (!attrbuf) {
11734			err = -ENOMEM;
11735			goto out_err;
11736		}
11737
11738		err = nlmsg_parse_deprecated(cb->nlh,
11739					     GENL_HDRLEN + nl80211_fam.hdrsize,
11740					     attrbuf, nl80211_fam.maxattr,
11741					     nl80211_policy, NULL);
11742		if (err)
11743			goto out_err;
11744
11745		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
11746		if (IS_ERR(rdev)) {
11747			err = PTR_ERR(rdev);
11748			goto out_err;
11749		}
11750		phy_idx = rdev->wiphy_idx;
11751
11752		if (attrbuf[NL80211_ATTR_TESTDATA])
11753			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
11754	}
11755
11756	if (cb->args[1]) {
11757		data = nla_data((void *)cb->args[1]);
11758		data_len = nla_len((void *)cb->args[1]);
11759	}
11760
11761	if (!rdev->ops->testmode_dump) {
11762		err = -EOPNOTSUPP;
11763		goto out_err;
11764	}
11765
11766	while (1) {
11767		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
11768					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
11769					   NL80211_CMD_TESTMODE);
11770		struct nlattr *tmdata;
11771
11772		if (!hdr)
11773			break;
11774
11775		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
11776			genlmsg_cancel(skb, hdr);
11777			break;
11778		}
11779
11780		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
11781		if (!tmdata) {
11782			genlmsg_cancel(skb, hdr);
11783			break;
11784		}
11785		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
11786		nla_nest_end(skb, tmdata);
11787
11788		if (err == -ENOBUFS || err == -ENOENT) {
11789			genlmsg_cancel(skb, hdr);
11790			break;
11791		} else if (err) {
11792			genlmsg_cancel(skb, hdr);
11793			goto out_err;
11794		}
11795
11796		genlmsg_end(skb, hdr);
11797	}
11798
11799	err = skb->len;
11800	/* see above */
11801	cb->args[0] = phy_idx + 1;
11802 out_err:
11803	kfree(attrbuf);
11804	rtnl_unlock();
11805	return err;
11806}
11807#endif
11808
11809static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
11810{
11811	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11812	struct net_device *dev = info->user_ptr[1];
11813	struct cfg80211_connect_params connect;
11814	struct wiphy *wiphy;
11815	struct cfg80211_cached_keys *connkeys = NULL;
11816	u32 freq = 0;
11817	int err;
11818
11819	memset(&connect, 0, sizeof(connect));
11820
11821	if (!info->attrs[NL80211_ATTR_SSID] ||
11822	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11823		return -EINVAL;
11824
11825	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11826		connect.auth_type =
11827			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11828		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
11829					     NL80211_CMD_CONNECT))
11830			return -EINVAL;
11831	} else
11832		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
11833
11834	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
11835
11836	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
11837	    !wiphy_ext_feature_isset(&rdev->wiphy,
11838				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
11839		return -EINVAL;
11840	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
11841
11842	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
11843				      NL80211_MAX_NR_CIPHER_SUITES);
11844	if (err)
11845		return err;
11846
11847	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11848	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11849		return -EOPNOTSUPP;
11850
11851	wiphy = &rdev->wiphy;
11852
11853	connect.bg_scan_period = -1;
11854	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
11855		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
11856		connect.bg_scan_period =
11857			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
11858	}
11859
11860	if (info->attrs[NL80211_ATTR_MAC])
11861		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11862	else if (info->attrs[NL80211_ATTR_MAC_HINT])
11863		connect.bssid_hint =
11864			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
11865	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11866	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11867
11868	if (info->attrs[NL80211_ATTR_IE]) {
11869		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11870		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11871	}
11872
11873	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11874		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11875		if (connect.mfp == NL80211_MFP_OPTIONAL &&
11876		    !wiphy_ext_feature_isset(&rdev->wiphy,
11877					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
11878			return -EOPNOTSUPP;
11879	} else {
11880		connect.mfp = NL80211_MFP_NO;
11881	}
11882
11883	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11884		connect.prev_bssid =
11885			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11886
11887	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
11888		freq = MHZ_TO_KHZ(nla_get_u32(
11889					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
11890	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11891		freq +=
11892		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11893
11894	if (freq) {
11895		connect.channel = nl80211_get_valid_chan(wiphy, freq);
11896		if (!connect.channel)
11897			return -EINVAL;
11898	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
11899		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
11900		freq = MHZ_TO_KHZ(freq);
11901		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
11902		if (!connect.channel_hint)
11903			return -EINVAL;
11904	}
11905
11906	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
11907		connect.edmg.channels =
11908		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
11909
11910		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
11911			connect.edmg.bw_config =
11912				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
11913	}
11914
11915	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11916		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
11917		if (IS_ERR(connkeys))
11918			return PTR_ERR(connkeys);
11919	}
11920
11921	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11922		connect.flags |= ASSOC_REQ_DISABLE_HT;
11923
11924	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11925		memcpy(&connect.ht_capa_mask,
11926		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11927		       sizeof(connect.ht_capa_mask));
11928
11929	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11930		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
11931			kfree_sensitive(connkeys);
11932			return -EINVAL;
11933		}
11934		memcpy(&connect.ht_capa,
11935		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11936		       sizeof(connect.ht_capa));
11937	}
11938
11939	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11940		connect.flags |= ASSOC_REQ_DISABLE_VHT;
11941
11942	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11943		connect.flags |= ASSOC_REQ_DISABLE_HE;
11944
11945	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
11946		connect.flags |= ASSOC_REQ_DISABLE_EHT;
11947
11948	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11949		memcpy(&connect.vht_capa_mask,
11950		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11951		       sizeof(connect.vht_capa_mask));
11952
11953	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11954		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
11955			kfree_sensitive(connkeys);
11956			return -EINVAL;
11957		}
11958		memcpy(&connect.vht_capa,
11959		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11960		       sizeof(connect.vht_capa));
11961	}
11962
11963	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11964		if (!((rdev->wiphy.features &
11965			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11966		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11967		    !wiphy_ext_feature_isset(&rdev->wiphy,
11968					     NL80211_EXT_FEATURE_RRM)) {
11969			kfree_sensitive(connkeys);
11970			return -EINVAL;
11971		}
11972		connect.flags |= ASSOC_REQ_USE_RRM;
11973	}
11974
11975	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
11976	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
11977		kfree_sensitive(connkeys);
11978		return -EOPNOTSUPP;
11979	}
11980
11981	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
11982		/* bss selection makes no sense if bssid is set */
11983		if (connect.bssid) {
11984			kfree_sensitive(connkeys);
11985			return -EINVAL;
11986		}
11987
11988		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
11989				       wiphy, &connect.bss_select);
11990		if (err) {
11991			kfree_sensitive(connkeys);
11992			return err;
11993		}
11994	}
11995
11996	if (wiphy_ext_feature_isset(&rdev->wiphy,
11997				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
11998	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11999	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12000	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12001	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12002		connect.fils_erp_username =
12003			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12004		connect.fils_erp_username_len =
12005			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12006		connect.fils_erp_realm =
12007			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12008		connect.fils_erp_realm_len =
12009			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12010		connect.fils_erp_next_seq_num =
12011			nla_get_u16(
12012			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12013		connect.fils_erp_rrk =
12014			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12015		connect.fils_erp_rrk_len =
12016			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12017	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12018		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12019		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12020		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12021		kfree_sensitive(connkeys);
12022		return -EINVAL;
12023	}
12024
12025	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
12026		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12027			kfree_sensitive(connkeys);
12028			GENL_SET_ERR_MSG(info,
12029					 "external auth requires connection ownership");
12030			return -EINVAL;
12031		}
12032		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
12033	}
12034
12035	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
12036		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
12037
12038	wdev_lock(dev->ieee80211_ptr);
12039
12040	err = cfg80211_connect(rdev, dev, &connect, connkeys,
12041			       connect.prev_bssid);
12042	if (err)
12043		kfree_sensitive(connkeys);
12044
12045	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12046		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12047		if (connect.bssid)
12048			memcpy(dev->ieee80211_ptr->disconnect_bssid,
12049			       connect.bssid, ETH_ALEN);
12050		else
12051			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
12052	}
12053
12054	wdev_unlock(dev->ieee80211_ptr);
12055
12056	return err;
12057}
12058
12059static int nl80211_update_connect_params(struct sk_buff *skb,
12060					 struct genl_info *info)
12061{
12062	struct cfg80211_connect_params connect = {};
12063	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12064	struct net_device *dev = info->user_ptr[1];
12065	struct wireless_dev *wdev = dev->ieee80211_ptr;
12066	bool fils_sk_offload;
12067	u32 auth_type;
12068	u32 changed = 0;
12069	int ret;
12070
12071	if (!rdev->ops->update_connect_params)
12072		return -EOPNOTSUPP;
12073
12074	if (info->attrs[NL80211_ATTR_IE]) {
12075		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12076		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12077		changed |= UPDATE_ASSOC_IES;
12078	}
12079
12080	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
12081						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
12082
12083	/*
12084	 * when driver supports fils-sk offload all attributes must be
12085	 * provided. So the else covers "fils-sk-not-all" and
12086	 * "no-fils-sk-any".
12087	 */
12088	if (fils_sk_offload &&
12089	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
12090	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12091	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12092	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12093		connect.fils_erp_username =
12094			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12095		connect.fils_erp_username_len =
12096			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12097		connect.fils_erp_realm =
12098			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12099		connect.fils_erp_realm_len =
12100			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12101		connect.fils_erp_next_seq_num =
12102			nla_get_u16(
12103			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12104		connect.fils_erp_rrk =
12105			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12106		connect.fils_erp_rrk_len =
12107			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12108		changed |= UPDATE_FILS_ERP_INFO;
12109	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12110		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12111		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12112		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12113		return -EINVAL;
12114	}
12115
12116	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
12117		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12118		if (!nl80211_valid_auth_type(rdev, auth_type,
12119					     NL80211_CMD_CONNECT))
12120			return -EINVAL;
12121
12122		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
12123		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
12124			return -EINVAL;
12125
12126		connect.auth_type = auth_type;
12127		changed |= UPDATE_AUTH_TYPE;
12128	}
12129
12130	wdev_lock(dev->ieee80211_ptr);
12131	if (!wdev->connected)
12132		ret = -ENOLINK;
12133	else
12134		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
12135	wdev_unlock(dev->ieee80211_ptr);
12136
12137	return ret;
12138}
12139
12140static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
12141{
12142	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12143	struct net_device *dev = info->user_ptr[1];
12144	u16 reason;
12145	int ret;
12146
12147	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12148	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12149		return -EPERM;
12150
12151	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12152		reason = WLAN_REASON_DEAUTH_LEAVING;
12153	else
12154		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12155
12156	if (reason == 0)
12157		return -EINVAL;
12158
12159	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12160	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12161		return -EOPNOTSUPP;
12162
12163	wdev_lock(dev->ieee80211_ptr);
12164	ret = cfg80211_disconnect(rdev, dev, reason, true);
12165	wdev_unlock(dev->ieee80211_ptr);
12166	return ret;
12167}
12168
12169static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
12170{
12171	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12172	struct net *net;
12173	int err;
12174
12175	if (info->attrs[NL80211_ATTR_PID]) {
12176		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
12177
12178		net = get_net_ns_by_pid(pid);
12179	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
12180		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
12181
12182		net = get_net_ns_by_fd(fd);
12183	} else {
12184		return -EINVAL;
12185	}
12186
12187	if (IS_ERR(net))
12188		return PTR_ERR(net);
12189
12190	err = 0;
12191
12192	/* check if anything to do */
12193	if (!net_eq(wiphy_net(&rdev->wiphy), net))
12194		err = cfg80211_switch_netns(rdev, net);
12195
12196	put_net(net);
12197	return err;
12198}
12199
12200static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
12201{
12202	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12203	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
12204			struct cfg80211_pmksa *pmksa) = NULL;
12205	struct net_device *dev = info->user_ptr[1];
12206	struct cfg80211_pmksa pmksa;
12207
12208	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
12209
12210	if (!info->attrs[NL80211_ATTR_PMKID])
12211		return -EINVAL;
12212
12213	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
12214
12215	if (info->attrs[NL80211_ATTR_MAC]) {
12216		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12217	} else if (info->attrs[NL80211_ATTR_SSID] &&
12218		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
12219		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
12220		    info->attrs[NL80211_ATTR_PMK])) {
12221		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12222		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12223		pmksa.cache_id =
12224			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
12225	} else {
12226		return -EINVAL;
12227	}
12228	if (info->attrs[NL80211_ATTR_PMK]) {
12229		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12230		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
12231	}
12232
12233	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
12234		pmksa.pmk_lifetime =
12235			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
12236
12237	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
12238		pmksa.pmk_reauth_threshold =
12239			nla_get_u8(
12240				info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
12241
12242	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12243	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
12244	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
12245	      wiphy_ext_feature_isset(&rdev->wiphy,
12246				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
12247		return -EOPNOTSUPP;
12248
12249	switch (info->genlhdr->cmd) {
12250	case NL80211_CMD_SET_PMKSA:
12251		rdev_ops = rdev->ops->set_pmksa;
12252		break;
12253	case NL80211_CMD_DEL_PMKSA:
12254		rdev_ops = rdev->ops->del_pmksa;
12255		break;
12256	default:
12257		WARN_ON(1);
12258		break;
12259	}
12260
12261	if (!rdev_ops)
12262		return -EOPNOTSUPP;
12263
12264	return rdev_ops(&rdev->wiphy, dev, &pmksa);
12265}
12266
12267static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
12268{
12269	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12270	struct net_device *dev = info->user_ptr[1];
12271
12272	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12273	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12274		return -EOPNOTSUPP;
12275
12276	if (!rdev->ops->flush_pmksa)
12277		return -EOPNOTSUPP;
12278
12279	return rdev_flush_pmksa(rdev, dev);
12280}
12281
12282static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
12283{
12284	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12285	struct net_device *dev = info->user_ptr[1];
12286	u8 action_code, dialog_token;
12287	u32 peer_capability = 0;
12288	u16 status_code;
12289	u8 *peer;
12290	int link_id;
12291	bool initiator;
12292
12293	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12294	    !rdev->ops->tdls_mgmt)
12295		return -EOPNOTSUPP;
12296
12297	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
12298	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
12299	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
12300	    !info->attrs[NL80211_ATTR_IE] ||
12301	    !info->attrs[NL80211_ATTR_MAC])
12302		return -EINVAL;
12303
12304	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12305	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
12306	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
12307	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
12308	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
12309	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
12310		peer_capability =
12311			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
12312	link_id = nl80211_link_id_or_invalid(info->attrs);
12313
12314	return rdev_tdls_mgmt(rdev, dev, peer, link_id, action_code,
12315			      dialog_token, status_code, peer_capability,
12316			      initiator,
12317			      nla_data(info->attrs[NL80211_ATTR_IE]),
12318			      nla_len(info->attrs[NL80211_ATTR_IE]));
12319}
12320
12321static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
12322{
12323	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12324	struct net_device *dev = info->user_ptr[1];
12325	enum nl80211_tdls_operation operation;
12326	u8 *peer;
12327
12328	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12329	    !rdev->ops->tdls_oper)
12330		return -EOPNOTSUPP;
12331
12332	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
12333	    !info->attrs[NL80211_ATTR_MAC])
12334		return -EINVAL;
12335
12336	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
12337	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12338
12339	return rdev_tdls_oper(rdev, dev, peer, operation);
12340}
12341
12342static int nl80211_remain_on_channel(struct sk_buff *skb,
12343				     struct genl_info *info)
12344{
12345	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12346	unsigned int link_id = nl80211_link_id(info->attrs);
12347	struct wireless_dev *wdev = info->user_ptr[1];
12348	struct cfg80211_chan_def chandef;
12349	struct sk_buff *msg;
12350	void *hdr;
12351	u64 cookie;
12352	u32 duration;
12353	int err;
12354
12355	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
12356	    !info->attrs[NL80211_ATTR_DURATION])
12357		return -EINVAL;
12358
12359	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12360
12361	if (!rdev->ops->remain_on_channel ||
12362	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
12363		return -EOPNOTSUPP;
12364
12365	/*
12366	 * We should be on that channel for at least a minimum amount of
12367	 * time (10ms) but no longer than the driver supports.
12368	 */
12369	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12370	    duration > rdev->wiphy.max_remain_on_channel_duration)
12371		return -EINVAL;
12372
12373	err = nl80211_parse_chandef(rdev, info, &chandef);
12374	if (err)
12375		return err;
12376
12377	wdev_lock(wdev);
12378	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
12379		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
12380
12381		oper_chandef = wdev_chandef(wdev, link_id);
12382
12383		if (WARN_ON(!oper_chandef)) {
12384			/* cannot happen since we must beacon to get here */
12385			WARN_ON(1);
12386			wdev_unlock(wdev);
12387			return -EBUSY;
12388		}
12389
12390		/* note: returns first one if identical chandefs */
12391		compat_chandef = cfg80211_chandef_compatible(&chandef,
12392							     oper_chandef);
12393
12394		if (compat_chandef != &chandef) {
12395			wdev_unlock(wdev);
12396			return -EBUSY;
12397		}
12398	}
12399	wdev_unlock(wdev);
12400
12401	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12402	if (!msg)
12403		return -ENOMEM;
12404
12405	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12406			     NL80211_CMD_REMAIN_ON_CHANNEL);
12407	if (!hdr) {
12408		err = -ENOBUFS;
12409		goto free_msg;
12410	}
12411
12412	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
12413				     duration, &cookie);
12414
12415	if (err)
12416		goto free_msg;
12417
12418	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12419			      NL80211_ATTR_PAD))
12420		goto nla_put_failure;
12421
12422	genlmsg_end(msg, hdr);
12423
12424	return genlmsg_reply(msg, info);
12425
12426 nla_put_failure:
12427	err = -ENOBUFS;
12428 free_msg:
12429	nlmsg_free(msg);
12430	return err;
12431}
12432
12433static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
12434					    struct genl_info *info)
12435{
12436	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12437	struct wireless_dev *wdev = info->user_ptr[1];
12438	u64 cookie;
12439
12440	if (!info->attrs[NL80211_ATTR_COOKIE])
12441		return -EINVAL;
12442
12443	if (!rdev->ops->cancel_remain_on_channel)
12444		return -EOPNOTSUPP;
12445
12446	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12447
12448	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
12449}
12450
12451static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
12452				       struct genl_info *info)
12453{
12454	struct cfg80211_bitrate_mask mask;
12455	unsigned int link_id = nl80211_link_id(info->attrs);
12456	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12457	struct net_device *dev = info->user_ptr[1];
12458	struct wireless_dev *wdev = dev->ieee80211_ptr;
12459	int err;
12460
12461	if (!rdev->ops->set_bitrate_mask)
12462		return -EOPNOTSUPP;
12463
12464	wdev_lock(wdev);
12465	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12466					    NL80211_ATTR_TX_RATES, &mask,
12467					    dev, true, link_id);
12468	if (err)
12469		goto out;
12470
12471	err = rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
12472out:
12473	wdev_unlock(wdev);
12474	return err;
12475}
12476
12477static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
12478{
12479	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12480	struct wireless_dev *wdev = info->user_ptr[1];
12481	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
12482
12483	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
12484		return -EINVAL;
12485
12486	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
12487		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
12488
12489	switch (wdev->iftype) {
12490	case NL80211_IFTYPE_STATION:
12491	case NL80211_IFTYPE_ADHOC:
12492	case NL80211_IFTYPE_P2P_CLIENT:
12493	case NL80211_IFTYPE_AP:
12494	case NL80211_IFTYPE_AP_VLAN:
12495	case NL80211_IFTYPE_MESH_POINT:
12496	case NL80211_IFTYPE_P2P_GO:
12497	case NL80211_IFTYPE_P2P_DEVICE:
12498		break;
12499	case NL80211_IFTYPE_NAN:
12500		if (!wiphy_ext_feature_isset(wdev->wiphy,
12501					     NL80211_EXT_FEATURE_SECURE_NAN))
12502			return -EOPNOTSUPP;
12503		break;
12504	default:
12505		return -EOPNOTSUPP;
12506	}
12507
12508	/* not much point in registering if we can't reply */
12509	if (!rdev->ops->mgmt_tx)
12510		return -EOPNOTSUPP;
12511
12512	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
12513	    !wiphy_ext_feature_isset(&rdev->wiphy,
12514				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
12515		GENL_SET_ERR_MSG(info,
12516				 "multicast RX registrations are not supported");
12517		return -EOPNOTSUPP;
12518	}
12519
12520	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
12521					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12522					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12523					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
12524					   info->extack);
12525}
12526
12527static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
12528{
12529	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12530	struct wireless_dev *wdev = info->user_ptr[1];
12531	struct cfg80211_chan_def chandef;
12532	int err;
12533	void *hdr = NULL;
12534	u64 cookie;
12535	struct sk_buff *msg = NULL;
12536	struct cfg80211_mgmt_tx_params params = {
12537		.dont_wait_for_ack =
12538			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
12539	};
12540
12541	if (!info->attrs[NL80211_ATTR_FRAME])
12542		return -EINVAL;
12543
12544	if (!rdev->ops->mgmt_tx)
12545		return -EOPNOTSUPP;
12546
12547	switch (wdev->iftype) {
12548	case NL80211_IFTYPE_P2P_DEVICE:
12549		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
12550			return -EINVAL;
12551		break;
12552	case NL80211_IFTYPE_STATION:
12553	case NL80211_IFTYPE_ADHOC:
12554	case NL80211_IFTYPE_P2P_CLIENT:
12555	case NL80211_IFTYPE_AP:
12556	case NL80211_IFTYPE_AP_VLAN:
12557	case NL80211_IFTYPE_MESH_POINT:
12558	case NL80211_IFTYPE_P2P_GO:
12559		break;
12560	case NL80211_IFTYPE_NAN:
12561		if (!wiphy_ext_feature_isset(wdev->wiphy,
12562					     NL80211_EXT_FEATURE_SECURE_NAN))
12563			return -EOPNOTSUPP;
12564		break;
12565	default:
12566		return -EOPNOTSUPP;
12567	}
12568
12569	if (info->attrs[NL80211_ATTR_DURATION]) {
12570		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12571			return -EINVAL;
12572		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12573
12574		/*
12575		 * We should wait on the channel for at least a minimum amount
12576		 * of time (10ms) but no longer than the driver supports.
12577		 */
12578		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12579		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
12580			return -EINVAL;
12581	}
12582
12583	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
12584
12585	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12586		return -EINVAL;
12587
12588	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
12589
12590	/* get the channel if any has been specified, otherwise pass NULL to
12591	 * the driver. The latter will use the current one
12592	 */
12593	chandef.chan = NULL;
12594	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12595		err = nl80211_parse_chandef(rdev, info, &chandef);
12596		if (err)
12597			return err;
12598	}
12599
12600	if (!chandef.chan && params.offchan)
12601		return -EINVAL;
12602
12603	wdev_lock(wdev);
12604	if (params.offchan &&
12605	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
12606		wdev_unlock(wdev);
12607		return -EBUSY;
12608	}
12609
12610	params.link_id = nl80211_link_id_or_invalid(info->attrs);
12611	/*
12612	 * This now races due to the unlock, but we cannot check
12613	 * the valid links for the _station_ anyway, so that's up
12614	 * to the driver.
12615	 */
12616	if (params.link_id >= 0 &&
12617	    !(wdev->valid_links & BIT(params.link_id))) {
12618		wdev_unlock(wdev);
12619		return -EINVAL;
12620	}
12621	wdev_unlock(wdev);
12622
12623	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
12624	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
12625
12626	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
12627		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
12628		int i;
12629
12630		if (len % sizeof(u16))
12631			return -EINVAL;
12632
12633		params.n_csa_offsets = len / sizeof(u16);
12634		params.csa_offsets =
12635			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
12636
12637		/* check that all the offsets fit the frame */
12638		for (i = 0; i < params.n_csa_offsets; i++) {
12639			if (params.csa_offsets[i] >= params.len)
12640				return -EINVAL;
12641		}
12642	}
12643
12644	if (!params.dont_wait_for_ack) {
12645		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12646		if (!msg)
12647			return -ENOMEM;
12648
12649		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12650				     NL80211_CMD_FRAME);
12651		if (!hdr) {
12652			err = -ENOBUFS;
12653			goto free_msg;
12654		}
12655	}
12656
12657	params.chan = chandef.chan;
12658	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
12659	if (err)
12660		goto free_msg;
12661
12662	if (msg) {
12663		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12664				      NL80211_ATTR_PAD))
12665			goto nla_put_failure;
12666
12667		genlmsg_end(msg, hdr);
12668		return genlmsg_reply(msg, info);
12669	}
12670
12671	return 0;
12672
12673 nla_put_failure:
12674	err = -ENOBUFS;
12675 free_msg:
12676	nlmsg_free(msg);
12677	return err;
12678}
12679
12680static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
12681{
12682	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12683	struct wireless_dev *wdev = info->user_ptr[1];
12684	u64 cookie;
12685
12686	if (!info->attrs[NL80211_ATTR_COOKIE])
12687		return -EINVAL;
12688
12689	if (!rdev->ops->mgmt_tx_cancel_wait)
12690		return -EOPNOTSUPP;
12691
12692	switch (wdev->iftype) {
12693	case NL80211_IFTYPE_STATION:
12694	case NL80211_IFTYPE_ADHOC:
12695	case NL80211_IFTYPE_P2P_CLIENT:
12696	case NL80211_IFTYPE_AP:
12697	case NL80211_IFTYPE_AP_VLAN:
12698	case NL80211_IFTYPE_P2P_GO:
12699	case NL80211_IFTYPE_P2P_DEVICE:
12700		break;
12701	case NL80211_IFTYPE_NAN:
12702		if (!wiphy_ext_feature_isset(wdev->wiphy,
12703					     NL80211_EXT_FEATURE_SECURE_NAN))
12704			return -EOPNOTSUPP;
12705		break;
12706	default:
12707		return -EOPNOTSUPP;
12708	}
12709
12710	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12711
12712	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
12713}
12714
12715static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
12716{
12717	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12718	struct wireless_dev *wdev;
12719	struct net_device *dev = info->user_ptr[1];
12720	u8 ps_state;
12721	bool state;
12722	int err;
12723
12724	if (!info->attrs[NL80211_ATTR_PS_STATE])
12725		return -EINVAL;
12726
12727	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
12728
12729	wdev = dev->ieee80211_ptr;
12730
12731	if (!rdev->ops->set_power_mgmt)
12732		return -EOPNOTSUPP;
12733
12734	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
12735
12736	if (state == wdev->ps)
12737		return 0;
12738
12739	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
12740	if (!err)
12741		wdev->ps = state;
12742	return err;
12743}
12744
12745static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
12746{
12747	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12748	enum nl80211_ps_state ps_state;
12749	struct wireless_dev *wdev;
12750	struct net_device *dev = info->user_ptr[1];
12751	struct sk_buff *msg;
12752	void *hdr;
12753	int err;
12754
12755	wdev = dev->ieee80211_ptr;
12756
12757	if (!rdev->ops->set_power_mgmt)
12758		return -EOPNOTSUPP;
12759
12760	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12761	if (!msg)
12762		return -ENOMEM;
12763
12764	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12765			     NL80211_CMD_GET_POWER_SAVE);
12766	if (!hdr) {
12767		err = -ENOBUFS;
12768		goto free_msg;
12769	}
12770
12771	if (wdev->ps)
12772		ps_state = NL80211_PS_ENABLED;
12773	else
12774		ps_state = NL80211_PS_DISABLED;
12775
12776	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
12777		goto nla_put_failure;
12778
12779	genlmsg_end(msg, hdr);
12780	return genlmsg_reply(msg, info);
12781
12782 nla_put_failure:
12783	err = -ENOBUFS;
12784 free_msg:
12785	nlmsg_free(msg);
12786	return err;
12787}
12788
12789static const struct nla_policy
12790nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
12791	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
12792	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
12793	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
12794	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
12795	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
12796	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
12797	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
12798};
12799
12800static int nl80211_set_cqm_txe(struct genl_info *info,
12801			       u32 rate, u32 pkts, u32 intvl)
12802{
12803	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12804	struct net_device *dev = info->user_ptr[1];
12805	struct wireless_dev *wdev = dev->ieee80211_ptr;
12806
12807	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
12808		return -EINVAL;
12809
12810	if (!rdev->ops->set_cqm_txe_config)
12811		return -EOPNOTSUPP;
12812
12813	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12814	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12815		return -EOPNOTSUPP;
12816
12817	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
12818}
12819
12820static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
12821				    struct net_device *dev,
12822				    struct cfg80211_cqm_config *cqm_config)
12823{
12824	struct wireless_dev *wdev = dev->ieee80211_ptr;
12825	s32 last, low, high;
12826	u32 hyst;
12827	int i, n, low_index;
12828	int err;
12829
12830	/*
12831	 * Obtain current RSSI value if possible, if not and no RSSI threshold
12832	 * event has been received yet, we should receive an event after a
12833	 * connection is established and enough beacons received to calculate
12834	 * the average.
12835	 */
12836	if (!cqm_config->last_rssi_event_value &&
12837	    wdev->links[0].client.current_bss &&
12838	    rdev->ops->get_station) {
12839		struct station_info sinfo = {};
12840		u8 *mac_addr;
12841
12842		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
12843
12844		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
12845		if (err)
12846			return err;
12847
12848		cfg80211_sinfo_release_content(&sinfo);
12849		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
12850			cqm_config->last_rssi_event_value =
12851				(s8) sinfo.rx_beacon_signal_avg;
12852	}
12853
12854	last = cqm_config->last_rssi_event_value;
12855	hyst = cqm_config->rssi_hyst;
12856	n = cqm_config->n_rssi_thresholds;
12857
12858	for (i = 0; i < n; i++) {
12859		i = array_index_nospec(i, n);
12860		if (last < cqm_config->rssi_thresholds[i])
12861			break;
12862	}
12863
12864	low_index = i - 1;
12865	if (low_index >= 0) {
12866		low_index = array_index_nospec(low_index, n);
12867		low = cqm_config->rssi_thresholds[low_index] - hyst;
12868	} else {
12869		low = S32_MIN;
12870	}
12871	if (i < n) {
12872		i = array_index_nospec(i, n);
12873		high = cqm_config->rssi_thresholds[i] + hyst - 1;
12874	} else {
12875		high = S32_MAX;
12876	}
12877
12878	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
12879}
12880
12881static int nl80211_set_cqm_rssi(struct genl_info *info,
12882				const s32 *thresholds, int n_thresholds,
12883				u32 hysteresis)
12884{
12885	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12886	struct cfg80211_cqm_config *cqm_config = NULL, *old;
12887	struct net_device *dev = info->user_ptr[1];
12888	struct wireless_dev *wdev = dev->ieee80211_ptr;
12889	int i, err;
12890	s32 prev = S32_MIN;
12891
12892	/* Check all values negative and sorted */
12893	for (i = 0; i < n_thresholds; i++) {
12894		if (thresholds[i] > 0 || thresholds[i] <= prev)
12895			return -EINVAL;
12896
12897		prev = thresholds[i];
12898	}
12899
12900	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12901	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12902		return -EOPNOTSUPP;
12903
12904	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
12905		n_thresholds = 0;
12906
12907	wdev_lock(wdev);
12908	old = rcu_dereference_protected(wdev->cqm_config,
12909					lockdep_is_held(&wdev->mtx));
12910
12911	/* if already disabled just succeed */
12912	if (!n_thresholds && !old) {
12913		err = 0;
12914		goto unlock;
12915	}
12916
12917	if (n_thresholds > 1) {
12918		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12919					     NL80211_EXT_FEATURE_CQM_RSSI_LIST) ||
12920		    !rdev->ops->set_cqm_rssi_range_config) {
12921			err = -EOPNOTSUPP;
12922			goto unlock;
12923		}
12924	} else {
12925		if (!rdev->ops->set_cqm_rssi_config) {
12926			err = -EOPNOTSUPP;
12927			goto unlock;
12928		}
12929	}
12930
12931	if (n_thresholds) {
12932		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
12933						 n_thresholds),
12934				     GFP_KERNEL);
12935		if (!cqm_config) {
12936			err = -ENOMEM;
12937			goto unlock;
12938		}
12939
12940		cqm_config->rssi_hyst = hysteresis;
12941		cqm_config->n_rssi_thresholds = n_thresholds;
12942		memcpy(cqm_config->rssi_thresholds, thresholds,
12943		       flex_array_size(cqm_config, rssi_thresholds,
12944				       n_thresholds));
12945		cqm_config->use_range_api = n_thresholds > 1 ||
12946					    !rdev->ops->set_cqm_rssi_config;
12947
12948		rcu_assign_pointer(wdev->cqm_config, cqm_config);
12949
12950		if (cqm_config->use_range_api)
12951			err = cfg80211_cqm_rssi_update(rdev, dev, cqm_config);
12952		else
12953			err = rdev_set_cqm_rssi_config(rdev, dev,
12954						       thresholds[0],
12955						       hysteresis);
12956	} else {
12957		RCU_INIT_POINTER(wdev->cqm_config, NULL);
12958		/* if enabled as range also disable via range */
12959		if (old->use_range_api)
12960			err = rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
12961		else
12962			err = rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
12963	}
12964
12965	if (err) {
12966		rcu_assign_pointer(wdev->cqm_config, old);
12967		kfree_rcu(cqm_config, rcu_head);
12968	} else {
12969		kfree_rcu(old, rcu_head);
12970	}
12971unlock:
12972	wdev_unlock(wdev);
12973
12974	return err;
12975}
12976
12977static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
12978{
12979	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
12980	struct nlattr *cqm;
12981	int err;
12982
12983	cqm = info->attrs[NL80211_ATTR_CQM];
12984	if (!cqm)
12985		return -EINVAL;
12986
12987	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
12988					  nl80211_attr_cqm_policy,
12989					  info->extack);
12990	if (err)
12991		return err;
12992
12993	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
12994	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
12995		const s32 *thresholds =
12996			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12997		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12998		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
12999
13000		if (len % 4)
13001			return -EINVAL;
13002
13003		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
13004					    hysteresis);
13005	}
13006
13007	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
13008	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
13009	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
13010		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
13011		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
13012		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
13013
13014		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
13015	}
13016
13017	return -EINVAL;
13018}
13019
13020static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
13021{
13022	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13023	struct net_device *dev = info->user_ptr[1];
13024	struct ocb_setup setup = {};
13025	int err;
13026
13027	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13028	if (err)
13029		return err;
13030
13031	return cfg80211_join_ocb(rdev, dev, &setup);
13032}
13033
13034static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
13035{
13036	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13037	struct net_device *dev = info->user_ptr[1];
13038
13039	return cfg80211_leave_ocb(rdev, dev);
13040}
13041
13042static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
13043{
13044	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13045	struct net_device *dev = info->user_ptr[1];
13046	struct mesh_config cfg;
13047	struct mesh_setup setup;
13048	int err;
13049
13050	/* start with default */
13051	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
13052	memcpy(&setup, &default_mesh_setup, sizeof(setup));
13053
13054	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
13055		/* and parse parameters if given */
13056		err = nl80211_parse_mesh_config(info, &cfg, NULL);
13057		if (err)
13058			return err;
13059	}
13060
13061	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
13062	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
13063		return -EINVAL;
13064
13065	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
13066	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
13067
13068	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
13069	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
13070			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
13071			return -EINVAL;
13072
13073	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
13074		setup.beacon_interval =
13075			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
13076
13077		err = cfg80211_validate_beacon_int(rdev,
13078						   NL80211_IFTYPE_MESH_POINT,
13079						   setup.beacon_interval);
13080		if (err)
13081			return err;
13082	}
13083
13084	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
13085		setup.dtim_period =
13086			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
13087		if (setup.dtim_period < 1 || setup.dtim_period > 100)
13088			return -EINVAL;
13089	}
13090
13091	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
13092		/* parse additional setup parameters if given */
13093		err = nl80211_parse_mesh_setup(info, &setup);
13094		if (err)
13095			return err;
13096	}
13097
13098	if (setup.user_mpm)
13099		cfg.auto_open_plinks = false;
13100
13101	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
13102		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13103		if (err)
13104			return err;
13105	} else {
13106		/* __cfg80211_join_mesh() will sort it out */
13107		setup.chandef.chan = NULL;
13108	}
13109
13110	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
13111		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13112		int n_rates =
13113			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13114		struct ieee80211_supported_band *sband;
13115
13116		if (!setup.chandef.chan)
13117			return -EINVAL;
13118
13119		sband = rdev->wiphy.bands[setup.chandef.chan->band];
13120
13121		err = ieee80211_get_ratemask(sband, rates, n_rates,
13122					     &setup.basic_rates);
13123		if (err)
13124			return err;
13125	}
13126
13127	if (info->attrs[NL80211_ATTR_TX_RATES]) {
13128		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
13129						    NL80211_ATTR_TX_RATES,
13130						    &setup.beacon_rate,
13131						    dev, false, 0);
13132		if (err)
13133			return err;
13134
13135		if (!setup.chandef.chan)
13136			return -EINVAL;
13137
13138		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
13139					      &setup.beacon_rate);
13140		if (err)
13141			return err;
13142	}
13143
13144	setup.userspace_handles_dfs =
13145		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
13146
13147	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
13148		int r = validate_pae_over_nl80211(rdev, info);
13149
13150		if (r < 0)
13151			return r;
13152
13153		setup.control_port_over_nl80211 = true;
13154	}
13155
13156	wdev_lock(dev->ieee80211_ptr);
13157	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
13158	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
13159		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
13160	wdev_unlock(dev->ieee80211_ptr);
13161
13162	return err;
13163}
13164
13165static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
13166{
13167	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13168	struct net_device *dev = info->user_ptr[1];
13169
13170	return cfg80211_leave_mesh(rdev, dev);
13171}
13172
13173#ifdef CONFIG_PM
13174static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
13175					struct cfg80211_registered_device *rdev)
13176{
13177	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
13178	struct nlattr *nl_pats, *nl_pat;
13179	int i, pat_len;
13180
13181	if (!wowlan->n_patterns)
13182		return 0;
13183
13184	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
13185	if (!nl_pats)
13186		return -ENOBUFS;
13187
13188	for (i = 0; i < wowlan->n_patterns; i++) {
13189		nl_pat = nla_nest_start_noflag(msg, i + 1);
13190		if (!nl_pat)
13191			return -ENOBUFS;
13192		pat_len = wowlan->patterns[i].pattern_len;
13193		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
13194			    wowlan->patterns[i].mask) ||
13195		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13196			    wowlan->patterns[i].pattern) ||
13197		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13198				wowlan->patterns[i].pkt_offset))
13199			return -ENOBUFS;
13200		nla_nest_end(msg, nl_pat);
13201	}
13202	nla_nest_end(msg, nl_pats);
13203
13204	return 0;
13205}
13206
13207static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
13208				   struct cfg80211_wowlan_tcp *tcp)
13209{
13210	struct nlattr *nl_tcp;
13211
13212	if (!tcp)
13213		return 0;
13214
13215	nl_tcp = nla_nest_start_noflag(msg,
13216				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
13217	if (!nl_tcp)
13218		return -ENOBUFS;
13219
13220	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
13221	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
13222	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
13223	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
13224	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
13225	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
13226		    tcp->payload_len, tcp->payload) ||
13227	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
13228			tcp->data_interval) ||
13229	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
13230		    tcp->wake_len, tcp->wake_data) ||
13231	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
13232		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
13233		return -ENOBUFS;
13234
13235	if (tcp->payload_seq.len &&
13236	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
13237		    sizeof(tcp->payload_seq), &tcp->payload_seq))
13238		return -ENOBUFS;
13239
13240	if (tcp->payload_tok.len &&
13241	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
13242		    sizeof(tcp->payload_tok) + tcp->tokens_size,
13243		    &tcp->payload_tok))
13244		return -ENOBUFS;
13245
13246	nla_nest_end(msg, nl_tcp);
13247
13248	return 0;
13249}
13250
13251static int nl80211_send_wowlan_nd(struct sk_buff *msg,
13252				  struct cfg80211_sched_scan_request *req)
13253{
13254	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
13255	int i;
13256
13257	if (!req)
13258		return 0;
13259
13260	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
13261	if (!nd)
13262		return -ENOBUFS;
13263
13264	if (req->n_scan_plans == 1 &&
13265	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
13266			req->scan_plans[0].interval * 1000))
13267		return -ENOBUFS;
13268
13269	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
13270		return -ENOBUFS;
13271
13272	if (req->relative_rssi_set) {
13273		struct nl80211_bss_select_rssi_adjust rssi_adjust;
13274
13275		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
13276			       req->relative_rssi))
13277			return -ENOBUFS;
13278
13279		rssi_adjust.band = req->rssi_adjust.band;
13280		rssi_adjust.delta = req->rssi_adjust.delta;
13281		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
13282			    sizeof(rssi_adjust), &rssi_adjust))
13283			return -ENOBUFS;
13284	}
13285
13286	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
13287	if (!freqs)
13288		return -ENOBUFS;
13289
13290	for (i = 0; i < req->n_channels; i++) {
13291		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
13292			return -ENOBUFS;
13293	}
13294
13295	nla_nest_end(msg, freqs);
13296
13297	if (req->n_match_sets) {
13298		matches = nla_nest_start_noflag(msg,
13299						NL80211_ATTR_SCHED_SCAN_MATCH);
13300		if (!matches)
13301			return -ENOBUFS;
13302
13303		for (i = 0; i < req->n_match_sets; i++) {
13304			match = nla_nest_start_noflag(msg, i);
13305			if (!match)
13306				return -ENOBUFS;
13307
13308			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
13309				    req->match_sets[i].ssid.ssid_len,
13310				    req->match_sets[i].ssid.ssid))
13311				return -ENOBUFS;
13312			nla_nest_end(msg, match);
13313		}
13314		nla_nest_end(msg, matches);
13315	}
13316
13317	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
13318	if (!scan_plans)
13319		return -ENOBUFS;
13320
13321	for (i = 0; i < req->n_scan_plans; i++) {
13322		scan_plan = nla_nest_start_noflag(msg, i + 1);
13323		if (!scan_plan)
13324			return -ENOBUFS;
13325
13326		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
13327				req->scan_plans[i].interval) ||
13328		    (req->scan_plans[i].iterations &&
13329		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
13330				 req->scan_plans[i].iterations)))
13331			return -ENOBUFS;
13332		nla_nest_end(msg, scan_plan);
13333	}
13334	nla_nest_end(msg, scan_plans);
13335
13336	nla_nest_end(msg, nd);
13337
13338	return 0;
13339}
13340
13341static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
13342{
13343	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13344	struct sk_buff *msg;
13345	void *hdr;
13346	u32 size = NLMSG_DEFAULT_SIZE;
13347
13348	if (!rdev->wiphy.wowlan)
13349		return -EOPNOTSUPP;
13350
13351	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
13352		/* adjust size to have room for all the data */
13353		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
13354			rdev->wiphy.wowlan_config->tcp->payload_len +
13355			rdev->wiphy.wowlan_config->tcp->wake_len +
13356			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
13357	}
13358
13359	msg = nlmsg_new(size, GFP_KERNEL);
13360	if (!msg)
13361		return -ENOMEM;
13362
13363	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13364			     NL80211_CMD_GET_WOWLAN);
13365	if (!hdr)
13366		goto nla_put_failure;
13367
13368	if (rdev->wiphy.wowlan_config) {
13369		struct nlattr *nl_wowlan;
13370
13371		nl_wowlan = nla_nest_start_noflag(msg,
13372						  NL80211_ATTR_WOWLAN_TRIGGERS);
13373		if (!nl_wowlan)
13374			goto nla_put_failure;
13375
13376		if ((rdev->wiphy.wowlan_config->any &&
13377		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
13378		    (rdev->wiphy.wowlan_config->disconnect &&
13379		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
13380		    (rdev->wiphy.wowlan_config->magic_pkt &&
13381		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
13382		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
13383		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
13384		    (rdev->wiphy.wowlan_config->eap_identity_req &&
13385		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
13386		    (rdev->wiphy.wowlan_config->four_way_handshake &&
13387		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
13388		    (rdev->wiphy.wowlan_config->rfkill_release &&
13389		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
13390			goto nla_put_failure;
13391
13392		if (nl80211_send_wowlan_patterns(msg, rdev))
13393			goto nla_put_failure;
13394
13395		if (nl80211_send_wowlan_tcp(msg,
13396					    rdev->wiphy.wowlan_config->tcp))
13397			goto nla_put_failure;
13398
13399		if (nl80211_send_wowlan_nd(
13400			    msg,
13401			    rdev->wiphy.wowlan_config->nd_config))
13402			goto nla_put_failure;
13403
13404		nla_nest_end(msg, nl_wowlan);
13405	}
13406
13407	genlmsg_end(msg, hdr);
13408	return genlmsg_reply(msg, info);
13409
13410nla_put_failure:
13411	nlmsg_free(msg);
13412	return -ENOBUFS;
13413}
13414
13415static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
13416				    struct nlattr *attr,
13417				    struct cfg80211_wowlan *trig)
13418{
13419	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
13420	struct cfg80211_wowlan_tcp *cfg;
13421	struct nl80211_wowlan_tcp_data_token *tok = NULL;
13422	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
13423	u32 size;
13424	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
13425	int err, port;
13426
13427	if (!rdev->wiphy.wowlan->tcp)
13428		return -EINVAL;
13429
13430	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
13431					  nl80211_wowlan_tcp_policy, NULL);
13432	if (err)
13433		return err;
13434
13435	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
13436	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
13437	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
13438	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
13439	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
13440	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
13441	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
13442	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
13443		return -EINVAL;
13444
13445	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
13446	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
13447		return -EINVAL;
13448
13449	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
13450			rdev->wiphy.wowlan->tcp->data_interval_max ||
13451	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
13452		return -EINVAL;
13453
13454	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
13455	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
13456		return -EINVAL;
13457
13458	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
13459	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
13460		return -EINVAL;
13461
13462	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
13463		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13464
13465		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13466		tokens_size = tokln - sizeof(*tok);
13467
13468		if (!tok->len || tokens_size % tok->len)
13469			return -EINVAL;
13470		if (!rdev->wiphy.wowlan->tcp->tok)
13471			return -EINVAL;
13472		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
13473			return -EINVAL;
13474		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
13475			return -EINVAL;
13476		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
13477			return -EINVAL;
13478		if (tok->offset + tok->len > data_size)
13479			return -EINVAL;
13480	}
13481
13482	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
13483		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
13484		if (!rdev->wiphy.wowlan->tcp->seq)
13485			return -EINVAL;
13486		if (seq->len == 0 || seq->len > 4)
13487			return -EINVAL;
13488		if (seq->len + seq->offset > data_size)
13489			return -EINVAL;
13490	}
13491
13492	size = sizeof(*cfg);
13493	size += data_size;
13494	size += wake_size + wake_mask_size;
13495	size += tokens_size;
13496
13497	cfg = kzalloc(size, GFP_KERNEL);
13498	if (!cfg)
13499		return -ENOMEM;
13500	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
13501	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
13502	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
13503	       ETH_ALEN);
13504	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
13505		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
13506	else
13507		port = 0;
13508#ifdef CONFIG_INET
13509	/* allocate a socket and port for it and use it */
13510	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
13511			    IPPROTO_TCP, &cfg->sock, 1);
13512	if (err) {
13513		kfree(cfg);
13514		return err;
13515	}
13516	if (inet_csk_get_port(cfg->sock->sk, port)) {
13517		sock_release(cfg->sock);
13518		kfree(cfg);
13519		return -EADDRINUSE;
13520	}
13521	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
13522#else
13523	if (!port) {
13524		kfree(cfg);
13525		return -EINVAL;
13526	}
13527	cfg->src_port = port;
13528#endif
13529
13530	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
13531	cfg->payload_len = data_size;
13532	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
13533	memcpy((void *)cfg->payload,
13534	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
13535	       data_size);
13536	if (seq)
13537		cfg->payload_seq = *seq;
13538	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
13539	cfg->wake_len = wake_size;
13540	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
13541	memcpy((void *)cfg->wake_data,
13542	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
13543	       wake_size);
13544	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
13545			 data_size + wake_size;
13546	memcpy((void *)cfg->wake_mask,
13547	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
13548	       wake_mask_size);
13549	if (tok) {
13550		cfg->tokens_size = tokens_size;
13551		cfg->payload_tok = *tok;
13552		memcpy(cfg->payload_tok.token_stream, tok->token_stream,
13553		       tokens_size);
13554	}
13555
13556	trig->tcp = cfg;
13557
13558	return 0;
13559}
13560
13561static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
13562				   const struct wiphy_wowlan_support *wowlan,
13563				   struct nlattr *attr,
13564				   struct cfg80211_wowlan *trig)
13565{
13566	struct nlattr **tb;
13567	int err;
13568
13569	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
13570	if (!tb)
13571		return -ENOMEM;
13572
13573	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
13574		err = -EOPNOTSUPP;
13575		goto out;
13576	}
13577
13578	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
13579					  nl80211_policy, NULL);
13580	if (err)
13581		goto out;
13582
13583	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
13584						   wowlan->max_nd_match_sets);
13585	err = PTR_ERR_OR_ZERO(trig->nd_config);
13586	if (err)
13587		trig->nd_config = NULL;
13588
13589out:
13590	kfree(tb);
13591	return err;
13592}
13593
13594static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
13595{
13596	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13597	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
13598	struct cfg80211_wowlan new_triggers = {};
13599	struct cfg80211_wowlan *ntrig;
13600	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
13601	int err, i;
13602	bool prev_enabled = rdev->wiphy.wowlan_config;
13603	bool regular = false;
13604
13605	if (!wowlan)
13606		return -EOPNOTSUPP;
13607
13608	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
13609		cfg80211_rdev_free_wowlan(rdev);
13610		rdev->wiphy.wowlan_config = NULL;
13611		goto set_wakeup;
13612	}
13613
13614	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
13615					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
13616					  nl80211_wowlan_policy, info->extack);
13617	if (err)
13618		return err;
13619
13620	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
13621		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
13622			return -EINVAL;
13623		new_triggers.any = true;
13624	}
13625
13626	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
13627		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
13628			return -EINVAL;
13629		new_triggers.disconnect = true;
13630		regular = true;
13631	}
13632
13633	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
13634		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
13635			return -EINVAL;
13636		new_triggers.magic_pkt = true;
13637		regular = true;
13638	}
13639
13640	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
13641		return -EINVAL;
13642
13643	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
13644		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
13645			return -EINVAL;
13646		new_triggers.gtk_rekey_failure = true;
13647		regular = true;
13648	}
13649
13650	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
13651		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
13652			return -EINVAL;
13653		new_triggers.eap_identity_req = true;
13654		regular = true;
13655	}
13656
13657	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
13658		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
13659			return -EINVAL;
13660		new_triggers.four_way_handshake = true;
13661		regular = true;
13662	}
13663
13664	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
13665		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
13666			return -EINVAL;
13667		new_triggers.rfkill_release = true;
13668		regular = true;
13669	}
13670
13671	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
13672		struct nlattr *pat;
13673		int n_patterns = 0;
13674		int rem, pat_len, mask_len, pkt_offset;
13675		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13676
13677		regular = true;
13678
13679		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13680				    rem)
13681			n_patterns++;
13682		if (n_patterns > wowlan->n_patterns)
13683			return -EINVAL;
13684
13685		new_triggers.patterns = kcalloc(n_patterns,
13686						sizeof(new_triggers.patterns[0]),
13687						GFP_KERNEL);
13688		if (!new_triggers.patterns)
13689			return -ENOMEM;
13690
13691		new_triggers.n_patterns = n_patterns;
13692		i = 0;
13693
13694		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13695				    rem) {
13696			u8 *mask_pat;
13697
13698			err = nla_parse_nested_deprecated(pat_tb,
13699							  MAX_NL80211_PKTPAT,
13700							  pat,
13701							  nl80211_packet_pattern_policy,
13702							  info->extack);
13703			if (err)
13704				goto error;
13705
13706			err = -EINVAL;
13707			if (!pat_tb[NL80211_PKTPAT_MASK] ||
13708			    !pat_tb[NL80211_PKTPAT_PATTERN])
13709				goto error;
13710			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13711			mask_len = DIV_ROUND_UP(pat_len, 8);
13712			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13713				goto error;
13714			if (pat_len > wowlan->pattern_max_len ||
13715			    pat_len < wowlan->pattern_min_len)
13716				goto error;
13717
13718			if (!pat_tb[NL80211_PKTPAT_OFFSET])
13719				pkt_offset = 0;
13720			else
13721				pkt_offset = nla_get_u32(
13722					pat_tb[NL80211_PKTPAT_OFFSET]);
13723			if (pkt_offset > wowlan->max_pkt_offset)
13724				goto error;
13725			new_triggers.patterns[i].pkt_offset = pkt_offset;
13726
13727			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13728			if (!mask_pat) {
13729				err = -ENOMEM;
13730				goto error;
13731			}
13732			new_triggers.patterns[i].mask = mask_pat;
13733			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13734			       mask_len);
13735			mask_pat += mask_len;
13736			new_triggers.patterns[i].pattern = mask_pat;
13737			new_triggers.patterns[i].pattern_len = pat_len;
13738			memcpy(mask_pat,
13739			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13740			       pat_len);
13741			i++;
13742		}
13743	}
13744
13745	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
13746		regular = true;
13747		err = nl80211_parse_wowlan_tcp(
13748			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
13749			&new_triggers);
13750		if (err)
13751			goto error;
13752	}
13753
13754	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
13755		regular = true;
13756		err = nl80211_parse_wowlan_nd(
13757			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
13758			&new_triggers);
13759		if (err)
13760			goto error;
13761	}
13762
13763	/* The 'any' trigger means the device continues operating more or less
13764	 * as in its normal operation mode and wakes up the host on most of the
13765	 * normal interrupts (like packet RX, ...)
13766	 * It therefore makes little sense to combine with the more constrained
13767	 * wakeup trigger modes.
13768	 */
13769	if (new_triggers.any && regular) {
13770		err = -EINVAL;
13771		goto error;
13772	}
13773
13774	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
13775	if (!ntrig) {
13776		err = -ENOMEM;
13777		goto error;
13778	}
13779	cfg80211_rdev_free_wowlan(rdev);
13780	rdev->wiphy.wowlan_config = ntrig;
13781
13782 set_wakeup:
13783	if (rdev->ops->set_wakeup &&
13784	    prev_enabled != !!rdev->wiphy.wowlan_config)
13785		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
13786
13787	return 0;
13788 error:
13789	for (i = 0; i < new_triggers.n_patterns; i++)
13790		kfree(new_triggers.patterns[i].mask);
13791	kfree(new_triggers.patterns);
13792	if (new_triggers.tcp && new_triggers.tcp->sock)
13793		sock_release(new_triggers.tcp->sock);
13794	kfree(new_triggers.tcp);
13795	kfree(new_triggers.nd_config);
13796	return err;
13797}
13798#endif
13799
13800static int nl80211_send_coalesce_rules(struct sk_buff *msg,
13801				       struct cfg80211_registered_device *rdev)
13802{
13803	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
13804	int i, j, pat_len;
13805	struct cfg80211_coalesce_rules *rule;
13806
13807	if (!rdev->coalesce->n_rules)
13808		return 0;
13809
13810	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
13811	if (!nl_rules)
13812		return -ENOBUFS;
13813
13814	for (i = 0; i < rdev->coalesce->n_rules; i++) {
13815		nl_rule = nla_nest_start_noflag(msg, i + 1);
13816		if (!nl_rule)
13817			return -ENOBUFS;
13818
13819		rule = &rdev->coalesce->rules[i];
13820		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
13821				rule->delay))
13822			return -ENOBUFS;
13823
13824		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
13825				rule->condition))
13826			return -ENOBUFS;
13827
13828		nl_pats = nla_nest_start_noflag(msg,
13829						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
13830		if (!nl_pats)
13831			return -ENOBUFS;
13832
13833		for (j = 0; j < rule->n_patterns; j++) {
13834			nl_pat = nla_nest_start_noflag(msg, j + 1);
13835			if (!nl_pat)
13836				return -ENOBUFS;
13837			pat_len = rule->patterns[j].pattern_len;
13838			if (nla_put(msg, NL80211_PKTPAT_MASK,
13839				    DIV_ROUND_UP(pat_len, 8),
13840				    rule->patterns[j].mask) ||
13841			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13842				    rule->patterns[j].pattern) ||
13843			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13844					rule->patterns[j].pkt_offset))
13845				return -ENOBUFS;
13846			nla_nest_end(msg, nl_pat);
13847		}
13848		nla_nest_end(msg, nl_pats);
13849		nla_nest_end(msg, nl_rule);
13850	}
13851	nla_nest_end(msg, nl_rules);
13852
13853	return 0;
13854}
13855
13856static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
13857{
13858	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13859	struct sk_buff *msg;
13860	void *hdr;
13861
13862	if (!rdev->wiphy.coalesce)
13863		return -EOPNOTSUPP;
13864
13865	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13866	if (!msg)
13867		return -ENOMEM;
13868
13869	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13870			     NL80211_CMD_GET_COALESCE);
13871	if (!hdr)
13872		goto nla_put_failure;
13873
13874	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
13875		goto nla_put_failure;
13876
13877	genlmsg_end(msg, hdr);
13878	return genlmsg_reply(msg, info);
13879
13880nla_put_failure:
13881	nlmsg_free(msg);
13882	return -ENOBUFS;
13883}
13884
13885void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
13886{
13887	struct cfg80211_coalesce *coalesce = rdev->coalesce;
13888	int i, j;
13889	struct cfg80211_coalesce_rules *rule;
13890
13891	if (!coalesce)
13892		return;
13893
13894	for (i = 0; i < coalesce->n_rules; i++) {
13895		rule = &coalesce->rules[i];
13896		for (j = 0; j < rule->n_patterns; j++)
13897			kfree(rule->patterns[j].mask);
13898		kfree(rule->patterns);
13899	}
13900	kfree(coalesce->rules);
13901	kfree(coalesce);
13902	rdev->coalesce = NULL;
13903}
13904
13905static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
13906				       struct nlattr *rule,
13907				       struct cfg80211_coalesce_rules *new_rule)
13908{
13909	int err, i;
13910	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13911	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
13912	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
13913	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13914
13915	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
13916					  rule, nl80211_coalesce_policy, NULL);
13917	if (err)
13918		return err;
13919
13920	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
13921		new_rule->delay =
13922			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
13923	if (new_rule->delay > coalesce->max_delay)
13924		return -EINVAL;
13925
13926	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
13927		new_rule->condition =
13928			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
13929
13930	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
13931		return -EINVAL;
13932
13933	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13934			    rem)
13935		n_patterns++;
13936	if (n_patterns > coalesce->n_patterns)
13937		return -EINVAL;
13938
13939	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
13940				     GFP_KERNEL);
13941	if (!new_rule->patterns)
13942		return -ENOMEM;
13943
13944	new_rule->n_patterns = n_patterns;
13945	i = 0;
13946
13947	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13948			    rem) {
13949		u8 *mask_pat;
13950
13951		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
13952						  pat,
13953						  nl80211_packet_pattern_policy,
13954						  NULL);
13955		if (err)
13956			return err;
13957
13958		if (!pat_tb[NL80211_PKTPAT_MASK] ||
13959		    !pat_tb[NL80211_PKTPAT_PATTERN])
13960			return -EINVAL;
13961		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13962		mask_len = DIV_ROUND_UP(pat_len, 8);
13963		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13964			return -EINVAL;
13965		if (pat_len > coalesce->pattern_max_len ||
13966		    pat_len < coalesce->pattern_min_len)
13967			return -EINVAL;
13968
13969		if (!pat_tb[NL80211_PKTPAT_OFFSET])
13970			pkt_offset = 0;
13971		else
13972			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
13973		if (pkt_offset > coalesce->max_pkt_offset)
13974			return -EINVAL;
13975		new_rule->patterns[i].pkt_offset = pkt_offset;
13976
13977		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13978		if (!mask_pat)
13979			return -ENOMEM;
13980
13981		new_rule->patterns[i].mask = mask_pat;
13982		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13983		       mask_len);
13984
13985		mask_pat += mask_len;
13986		new_rule->patterns[i].pattern = mask_pat;
13987		new_rule->patterns[i].pattern_len = pat_len;
13988		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13989		       pat_len);
13990		i++;
13991	}
13992
13993	return 0;
13994}
13995
13996static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
13997{
13998	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13999	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
14000	struct cfg80211_coalesce new_coalesce = {};
14001	struct cfg80211_coalesce *n_coalesce;
14002	int err, rem_rule, n_rules = 0, i, j;
14003	struct nlattr *rule;
14004	struct cfg80211_coalesce_rules *tmp_rule;
14005
14006	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
14007		return -EOPNOTSUPP;
14008
14009	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
14010		cfg80211_rdev_free_coalesce(rdev);
14011		rdev_set_coalesce(rdev, NULL);
14012		return 0;
14013	}
14014
14015	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
14016			    rem_rule)
14017		n_rules++;
14018	if (n_rules > coalesce->n_rules)
14019		return -EINVAL;
14020
14021	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
14022				     GFP_KERNEL);
14023	if (!new_coalesce.rules)
14024		return -ENOMEM;
14025
14026	new_coalesce.n_rules = n_rules;
14027	i = 0;
14028
14029	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
14030			    rem_rule) {
14031		err = nl80211_parse_coalesce_rule(rdev, rule,
14032						  &new_coalesce.rules[i]);
14033		if (err)
14034			goto error;
14035
14036		i++;
14037	}
14038
14039	err = rdev_set_coalesce(rdev, &new_coalesce);
14040	if (err)
14041		goto error;
14042
14043	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
14044	if (!n_coalesce) {
14045		err = -ENOMEM;
14046		goto error;
14047	}
14048	cfg80211_rdev_free_coalesce(rdev);
14049	rdev->coalesce = n_coalesce;
14050
14051	return 0;
14052error:
14053	for (i = 0; i < new_coalesce.n_rules; i++) {
14054		tmp_rule = &new_coalesce.rules[i];
14055		for (j = 0; j < tmp_rule->n_patterns; j++)
14056			kfree(tmp_rule->patterns[j].mask);
14057		kfree(tmp_rule->patterns);
14058	}
14059	kfree(new_coalesce.rules);
14060
14061	return err;
14062}
14063
14064static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
14065{
14066	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14067	struct net_device *dev = info->user_ptr[1];
14068	struct wireless_dev *wdev = dev->ieee80211_ptr;
14069	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
14070	struct cfg80211_gtk_rekey_data rekey_data = {};
14071	int err;
14072
14073	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
14074		return -EINVAL;
14075
14076	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
14077					  info->attrs[NL80211_ATTR_REKEY_DATA],
14078					  nl80211_rekey_policy, info->extack);
14079	if (err)
14080		return err;
14081
14082	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
14083	    !tb[NL80211_REKEY_DATA_KCK])
14084		return -EINVAL;
14085	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
14086	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14087	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
14088		return -ERANGE;
14089	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
14090	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14091	      nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN) &&
14092	     !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KCK_32 &&
14093	       nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN_32))
14094		return -ERANGE;
14095
14096	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
14097	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
14098	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
14099	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
14100	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
14101	if (tb[NL80211_REKEY_DATA_AKM])
14102		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
14103
14104	wdev_lock(wdev);
14105	if (!wdev->connected) {
14106		err = -ENOTCONN;
14107		goto out;
14108	}
14109
14110	if (!rdev->ops->set_rekey_data) {
14111		err = -EOPNOTSUPP;
14112		goto out;
14113	}
14114
14115	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
14116 out:
14117	wdev_unlock(wdev);
14118	return err;
14119}
14120
14121static int nl80211_register_unexpected_frame(struct sk_buff *skb,
14122					     struct genl_info *info)
14123{
14124	struct net_device *dev = info->user_ptr[1];
14125	struct wireless_dev *wdev = dev->ieee80211_ptr;
14126
14127	if (wdev->iftype != NL80211_IFTYPE_AP &&
14128	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14129		return -EINVAL;
14130
14131	if (wdev->ap_unexpected_nlportid)
14132		return -EBUSY;
14133
14134	wdev->ap_unexpected_nlportid = info->snd_portid;
14135	return 0;
14136}
14137
14138static int nl80211_probe_client(struct sk_buff *skb,
14139				struct genl_info *info)
14140{
14141	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14142	struct net_device *dev = info->user_ptr[1];
14143	struct wireless_dev *wdev = dev->ieee80211_ptr;
14144	struct sk_buff *msg;
14145	void *hdr;
14146	const u8 *addr;
14147	u64 cookie;
14148	int err;
14149
14150	if (wdev->iftype != NL80211_IFTYPE_AP &&
14151	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14152		return -EOPNOTSUPP;
14153
14154	if (!info->attrs[NL80211_ATTR_MAC])
14155		return -EINVAL;
14156
14157	if (!rdev->ops->probe_client)
14158		return -EOPNOTSUPP;
14159
14160	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14161	if (!msg)
14162		return -ENOMEM;
14163
14164	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14165			     NL80211_CMD_PROBE_CLIENT);
14166	if (!hdr) {
14167		err = -ENOBUFS;
14168		goto free_msg;
14169	}
14170
14171	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14172
14173	err = rdev_probe_client(rdev, dev, addr, &cookie);
14174	if (err)
14175		goto free_msg;
14176
14177	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14178			      NL80211_ATTR_PAD))
14179		goto nla_put_failure;
14180
14181	genlmsg_end(msg, hdr);
14182
14183	return genlmsg_reply(msg, info);
14184
14185 nla_put_failure:
14186	err = -ENOBUFS;
14187 free_msg:
14188	nlmsg_free(msg);
14189	return err;
14190}
14191
14192static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
14193{
14194	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14195	struct cfg80211_beacon_registration *reg, *nreg;
14196	int rv;
14197
14198	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
14199		return -EOPNOTSUPP;
14200
14201	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
14202	if (!nreg)
14203		return -ENOMEM;
14204
14205	/* First, check if already registered. */
14206	spin_lock_bh(&rdev->beacon_registrations_lock);
14207	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
14208		if (reg->nlportid == info->snd_portid) {
14209			rv = -EALREADY;
14210			goto out_err;
14211		}
14212	}
14213	/* Add it to the list */
14214	nreg->nlportid = info->snd_portid;
14215	list_add(&nreg->list, &rdev->beacon_registrations);
14216
14217	spin_unlock_bh(&rdev->beacon_registrations_lock);
14218
14219	return 0;
14220out_err:
14221	spin_unlock_bh(&rdev->beacon_registrations_lock);
14222	kfree(nreg);
14223	return rv;
14224}
14225
14226static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
14227{
14228	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14229	struct wireless_dev *wdev = info->user_ptr[1];
14230	int err;
14231
14232	if (!rdev->ops->start_p2p_device)
14233		return -EOPNOTSUPP;
14234
14235	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14236		return -EOPNOTSUPP;
14237
14238	if (wdev_running(wdev))
14239		return 0;
14240
14241	if (rfkill_blocked(rdev->wiphy.rfkill))
14242		return -ERFKILL;
14243
14244	err = rdev_start_p2p_device(rdev, wdev);
14245	if (err)
14246		return err;
14247
14248	wdev->is_running = true;
14249	rdev->opencount++;
14250
14251	return 0;
14252}
14253
14254static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
14255{
14256	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14257	struct wireless_dev *wdev = info->user_ptr[1];
14258
14259	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14260		return -EOPNOTSUPP;
14261
14262	if (!rdev->ops->stop_p2p_device)
14263		return -EOPNOTSUPP;
14264
14265	cfg80211_stop_p2p_device(rdev, wdev);
14266
14267	return 0;
14268}
14269
14270static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
14271{
14272	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14273	struct wireless_dev *wdev = info->user_ptr[1];
14274	struct cfg80211_nan_conf conf = {};
14275	int err;
14276
14277	if (wdev->iftype != NL80211_IFTYPE_NAN)
14278		return -EOPNOTSUPP;
14279
14280	if (wdev_running(wdev))
14281		return -EEXIST;
14282
14283	if (rfkill_blocked(rdev->wiphy.rfkill))
14284		return -ERFKILL;
14285
14286	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
14287		return -EINVAL;
14288
14289	conf.master_pref =
14290		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14291
14292	if (info->attrs[NL80211_ATTR_BANDS]) {
14293		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14294
14295		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14296			return -EOPNOTSUPP;
14297
14298		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14299			return -EINVAL;
14300
14301		conf.bands = bands;
14302	}
14303
14304	err = rdev_start_nan(rdev, wdev, &conf);
14305	if (err)
14306		return err;
14307
14308	wdev->is_running = true;
14309	rdev->opencount++;
14310
14311	return 0;
14312}
14313
14314static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
14315{
14316	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14317	struct wireless_dev *wdev = info->user_ptr[1];
14318
14319	if (wdev->iftype != NL80211_IFTYPE_NAN)
14320		return -EOPNOTSUPP;
14321
14322	cfg80211_stop_nan(rdev, wdev);
14323
14324	return 0;
14325}
14326
14327static int validate_nan_filter(struct nlattr *filter_attr)
14328{
14329	struct nlattr *attr;
14330	int len = 0, n_entries = 0, rem;
14331
14332	nla_for_each_nested(attr, filter_attr, rem) {
14333		len += nla_len(attr);
14334		n_entries++;
14335	}
14336
14337	if (len >= U8_MAX)
14338		return -EINVAL;
14339
14340	return n_entries;
14341}
14342
14343static int handle_nan_filter(struct nlattr *attr_filter,
14344			     struct cfg80211_nan_func *func,
14345			     bool tx)
14346{
14347	struct nlattr *attr;
14348	int n_entries, rem, i;
14349	struct cfg80211_nan_func_filter *filter;
14350
14351	n_entries = validate_nan_filter(attr_filter);
14352	if (n_entries < 0)
14353		return n_entries;
14354
14355	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
14356
14357	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
14358	if (!filter)
14359		return -ENOMEM;
14360
14361	i = 0;
14362	nla_for_each_nested(attr, attr_filter, rem) {
14363		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
14364		if (!filter[i].filter)
14365			goto err;
14366
14367		filter[i].len = nla_len(attr);
14368		i++;
14369	}
14370	if (tx) {
14371		func->num_tx_filters = n_entries;
14372		func->tx_filters = filter;
14373	} else {
14374		func->num_rx_filters = n_entries;
14375		func->rx_filters = filter;
14376	}
14377
14378	return 0;
14379
14380err:
14381	i = 0;
14382	nla_for_each_nested(attr, attr_filter, rem) {
14383		kfree(filter[i].filter);
14384		i++;
14385	}
14386	kfree(filter);
14387	return -ENOMEM;
14388}
14389
14390static int nl80211_nan_add_func(struct sk_buff *skb,
14391				struct genl_info *info)
14392{
14393	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14394	struct wireless_dev *wdev = info->user_ptr[1];
14395	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
14396	struct cfg80211_nan_func *func;
14397	struct sk_buff *msg = NULL;
14398	void *hdr = NULL;
14399	int err = 0;
14400
14401	if (wdev->iftype != NL80211_IFTYPE_NAN)
14402		return -EOPNOTSUPP;
14403
14404	if (!wdev_running(wdev))
14405		return -ENOTCONN;
14406
14407	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
14408		return -EINVAL;
14409
14410	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
14411					  info->attrs[NL80211_ATTR_NAN_FUNC],
14412					  nl80211_nan_func_policy,
14413					  info->extack);
14414	if (err)
14415		return err;
14416
14417	func = kzalloc(sizeof(*func), GFP_KERNEL);
14418	if (!func)
14419		return -ENOMEM;
14420
14421	func->cookie = cfg80211_assign_cookie(rdev);
14422
14423	if (!tb[NL80211_NAN_FUNC_TYPE]) {
14424		err = -EINVAL;
14425		goto out;
14426	}
14427
14428
14429	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
14430
14431	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
14432		err = -EINVAL;
14433		goto out;
14434	}
14435
14436	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
14437	       sizeof(func->service_id));
14438
14439	func->close_range =
14440		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
14441
14442	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
14443		func->serv_spec_info_len =
14444			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
14445		func->serv_spec_info =
14446			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
14447				func->serv_spec_info_len,
14448				GFP_KERNEL);
14449		if (!func->serv_spec_info) {
14450			err = -ENOMEM;
14451			goto out;
14452		}
14453	}
14454
14455	if (tb[NL80211_NAN_FUNC_TTL])
14456		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
14457
14458	switch (func->type) {
14459	case NL80211_NAN_FUNC_PUBLISH:
14460		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
14461			err = -EINVAL;
14462			goto out;
14463		}
14464
14465		func->publish_type =
14466			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
14467		func->publish_bcast =
14468			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
14469
14470		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
14471			func->publish_bcast) {
14472			err = -EINVAL;
14473			goto out;
14474		}
14475		break;
14476	case NL80211_NAN_FUNC_SUBSCRIBE:
14477		func->subscribe_active =
14478			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
14479		break;
14480	case NL80211_NAN_FUNC_FOLLOW_UP:
14481		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
14482		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
14483		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
14484			err = -EINVAL;
14485			goto out;
14486		}
14487
14488		func->followup_id =
14489			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
14490		func->followup_reqid =
14491			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
14492		memcpy(func->followup_dest.addr,
14493		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
14494		       sizeof(func->followup_dest.addr));
14495		if (func->ttl) {
14496			err = -EINVAL;
14497			goto out;
14498		}
14499		break;
14500	default:
14501		err = -EINVAL;
14502		goto out;
14503	}
14504
14505	if (tb[NL80211_NAN_FUNC_SRF]) {
14506		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
14507
14508		err = nla_parse_nested_deprecated(srf_tb,
14509						  NL80211_NAN_SRF_ATTR_MAX,
14510						  tb[NL80211_NAN_FUNC_SRF],
14511						  nl80211_nan_srf_policy,
14512						  info->extack);
14513		if (err)
14514			goto out;
14515
14516		func->srf_include =
14517			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
14518
14519		if (srf_tb[NL80211_NAN_SRF_BF]) {
14520			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
14521			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
14522				err = -EINVAL;
14523				goto out;
14524			}
14525
14526			func->srf_bf_len =
14527				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
14528			func->srf_bf =
14529				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
14530					func->srf_bf_len, GFP_KERNEL);
14531			if (!func->srf_bf) {
14532				err = -ENOMEM;
14533				goto out;
14534			}
14535
14536			func->srf_bf_idx =
14537				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
14538		} else {
14539			struct nlattr *attr, *mac_attr =
14540				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
14541			int n_entries, rem, i = 0;
14542
14543			if (!mac_attr) {
14544				err = -EINVAL;
14545				goto out;
14546			}
14547
14548			n_entries = validate_acl_mac_addrs(mac_attr);
14549			if (n_entries <= 0) {
14550				err = -EINVAL;
14551				goto out;
14552			}
14553
14554			func->srf_num_macs = n_entries;
14555			func->srf_macs =
14556				kcalloc(n_entries, sizeof(*func->srf_macs),
14557					GFP_KERNEL);
14558			if (!func->srf_macs) {
14559				err = -ENOMEM;
14560				goto out;
14561			}
14562
14563			nla_for_each_nested(attr, mac_attr, rem)
14564				memcpy(func->srf_macs[i++].addr, nla_data(attr),
14565				       sizeof(*func->srf_macs));
14566		}
14567	}
14568
14569	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
14570		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
14571					func, true);
14572		if (err)
14573			goto out;
14574	}
14575
14576	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
14577		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
14578					func, false);
14579		if (err)
14580			goto out;
14581	}
14582
14583	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14584	if (!msg) {
14585		err = -ENOMEM;
14586		goto out;
14587	}
14588
14589	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14590			     NL80211_CMD_ADD_NAN_FUNCTION);
14591	/* This can't really happen - we just allocated 4KB */
14592	if (WARN_ON(!hdr)) {
14593		err = -ENOMEM;
14594		goto out;
14595	}
14596
14597	err = rdev_add_nan_func(rdev, wdev, func);
14598out:
14599	if (err < 0) {
14600		cfg80211_free_nan_func(func);
14601		nlmsg_free(msg);
14602		return err;
14603	}
14604
14605	/* propagate the instance id and cookie to userspace  */
14606	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
14607			      NL80211_ATTR_PAD))
14608		goto nla_put_failure;
14609
14610	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14611	if (!func_attr)
14612		goto nla_put_failure;
14613
14614	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
14615		       func->instance_id))
14616		goto nla_put_failure;
14617
14618	nla_nest_end(msg, func_attr);
14619
14620	genlmsg_end(msg, hdr);
14621	return genlmsg_reply(msg, info);
14622
14623nla_put_failure:
14624	nlmsg_free(msg);
14625	return -ENOBUFS;
14626}
14627
14628static int nl80211_nan_del_func(struct sk_buff *skb,
14629			       struct genl_info *info)
14630{
14631	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14632	struct wireless_dev *wdev = info->user_ptr[1];
14633	u64 cookie;
14634
14635	if (wdev->iftype != NL80211_IFTYPE_NAN)
14636		return -EOPNOTSUPP;
14637
14638	if (!wdev_running(wdev))
14639		return -ENOTCONN;
14640
14641	if (!info->attrs[NL80211_ATTR_COOKIE])
14642		return -EINVAL;
14643
14644	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14645
14646	rdev_del_nan_func(rdev, wdev, cookie);
14647
14648	return 0;
14649}
14650
14651static int nl80211_nan_change_config(struct sk_buff *skb,
14652				     struct genl_info *info)
14653{
14654	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14655	struct wireless_dev *wdev = info->user_ptr[1];
14656	struct cfg80211_nan_conf conf = {};
14657	u32 changed = 0;
14658
14659	if (wdev->iftype != NL80211_IFTYPE_NAN)
14660		return -EOPNOTSUPP;
14661
14662	if (!wdev_running(wdev))
14663		return -ENOTCONN;
14664
14665	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
14666		conf.master_pref =
14667			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14668		if (conf.master_pref <= 1 || conf.master_pref == 255)
14669			return -EINVAL;
14670
14671		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
14672	}
14673
14674	if (info->attrs[NL80211_ATTR_BANDS]) {
14675		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14676
14677		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14678			return -EOPNOTSUPP;
14679
14680		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14681			return -EINVAL;
14682
14683		conf.bands = bands;
14684		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
14685	}
14686
14687	if (!changed)
14688		return -EINVAL;
14689
14690	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
14691}
14692
14693void cfg80211_nan_match(struct wireless_dev *wdev,
14694			struct cfg80211_nan_match_params *match, gfp_t gfp)
14695{
14696	struct wiphy *wiphy = wdev->wiphy;
14697	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14698	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
14699	struct sk_buff *msg;
14700	void *hdr;
14701
14702	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
14703		return;
14704
14705	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14706	if (!msg)
14707		return;
14708
14709	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
14710	if (!hdr) {
14711		nlmsg_free(msg);
14712		return;
14713	}
14714
14715	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14716	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14717					 wdev->netdev->ifindex)) ||
14718	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14719			      NL80211_ATTR_PAD))
14720		goto nla_put_failure;
14721
14722	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
14723			      NL80211_ATTR_PAD) ||
14724	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
14725		goto nla_put_failure;
14726
14727	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
14728	if (!match_attr)
14729		goto nla_put_failure;
14730
14731	local_func_attr = nla_nest_start_noflag(msg,
14732						NL80211_NAN_MATCH_FUNC_LOCAL);
14733	if (!local_func_attr)
14734		goto nla_put_failure;
14735
14736	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
14737		goto nla_put_failure;
14738
14739	nla_nest_end(msg, local_func_attr);
14740
14741	peer_func_attr = nla_nest_start_noflag(msg,
14742					       NL80211_NAN_MATCH_FUNC_PEER);
14743	if (!peer_func_attr)
14744		goto nla_put_failure;
14745
14746	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
14747	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
14748		goto nla_put_failure;
14749
14750	if (match->info && match->info_len &&
14751	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
14752		    match->info))
14753		goto nla_put_failure;
14754
14755	nla_nest_end(msg, peer_func_attr);
14756	nla_nest_end(msg, match_attr);
14757	genlmsg_end(msg, hdr);
14758
14759	if (!wdev->owner_nlportid)
14760		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14761					msg, 0, NL80211_MCGRP_NAN, gfp);
14762	else
14763		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14764				wdev->owner_nlportid);
14765
14766	return;
14767
14768nla_put_failure:
14769	nlmsg_free(msg);
14770}
14771EXPORT_SYMBOL(cfg80211_nan_match);
14772
14773void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
14774				  u8 inst_id,
14775				  enum nl80211_nan_func_term_reason reason,
14776				  u64 cookie, gfp_t gfp)
14777{
14778	struct wiphy *wiphy = wdev->wiphy;
14779	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14780	struct sk_buff *msg;
14781	struct nlattr *func_attr;
14782	void *hdr;
14783
14784	if (WARN_ON(!inst_id))
14785		return;
14786
14787	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14788	if (!msg)
14789		return;
14790
14791	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
14792	if (!hdr) {
14793		nlmsg_free(msg);
14794		return;
14795	}
14796
14797	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14798	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14799					 wdev->netdev->ifindex)) ||
14800	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14801			      NL80211_ATTR_PAD))
14802		goto nla_put_failure;
14803
14804	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14805			      NL80211_ATTR_PAD))
14806		goto nla_put_failure;
14807
14808	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14809	if (!func_attr)
14810		goto nla_put_failure;
14811
14812	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
14813	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
14814		goto nla_put_failure;
14815
14816	nla_nest_end(msg, func_attr);
14817	genlmsg_end(msg, hdr);
14818
14819	if (!wdev->owner_nlportid)
14820		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14821					msg, 0, NL80211_MCGRP_NAN, gfp);
14822	else
14823		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14824				wdev->owner_nlportid);
14825
14826	return;
14827
14828nla_put_failure:
14829	nlmsg_free(msg);
14830}
14831EXPORT_SYMBOL(cfg80211_nan_func_terminated);
14832
14833static int nl80211_get_protocol_features(struct sk_buff *skb,
14834					 struct genl_info *info)
14835{
14836	void *hdr;
14837	struct sk_buff *msg;
14838
14839	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14840	if (!msg)
14841		return -ENOMEM;
14842
14843	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14844			     NL80211_CMD_GET_PROTOCOL_FEATURES);
14845	if (!hdr)
14846		goto nla_put_failure;
14847
14848	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
14849			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
14850		goto nla_put_failure;
14851
14852	genlmsg_end(msg, hdr);
14853	return genlmsg_reply(msg, info);
14854
14855 nla_put_failure:
14856	kfree_skb(msg);
14857	return -ENOBUFS;
14858}
14859
14860static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
14861{
14862	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14863	struct cfg80211_update_ft_ies_params ft_params;
14864	struct net_device *dev = info->user_ptr[1];
14865
14866	if (!rdev->ops->update_ft_ies)
14867		return -EOPNOTSUPP;
14868
14869	if (!info->attrs[NL80211_ATTR_MDID] ||
14870	    !info->attrs[NL80211_ATTR_IE])
14871		return -EINVAL;
14872
14873	memset(&ft_params, 0, sizeof(ft_params));
14874	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
14875	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14876	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14877
14878	return rdev_update_ft_ies(rdev, dev, &ft_params);
14879}
14880
14881static int nl80211_crit_protocol_start(struct sk_buff *skb,
14882				       struct genl_info *info)
14883{
14884	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14885	struct wireless_dev *wdev = info->user_ptr[1];
14886	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
14887	u16 duration;
14888	int ret;
14889
14890	if (!rdev->ops->crit_proto_start)
14891		return -EOPNOTSUPP;
14892
14893	if (WARN_ON(!rdev->ops->crit_proto_stop))
14894		return -EINVAL;
14895
14896	if (rdev->crit_proto_nlportid)
14897		return -EBUSY;
14898
14899	/* determine protocol if provided */
14900	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
14901		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
14902
14903	if (proto >= NUM_NL80211_CRIT_PROTO)
14904		return -EINVAL;
14905
14906	/* timeout must be provided */
14907	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
14908		return -EINVAL;
14909
14910	duration =
14911		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
14912
14913	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
14914	if (!ret)
14915		rdev->crit_proto_nlportid = info->snd_portid;
14916
14917	return ret;
14918}
14919
14920static int nl80211_crit_protocol_stop(struct sk_buff *skb,
14921				      struct genl_info *info)
14922{
14923	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14924	struct wireless_dev *wdev = info->user_ptr[1];
14925
14926	if (!rdev->ops->crit_proto_stop)
14927		return -EOPNOTSUPP;
14928
14929	if (rdev->crit_proto_nlportid) {
14930		rdev->crit_proto_nlportid = 0;
14931		rdev_crit_proto_stop(rdev, wdev);
14932	}
14933	return 0;
14934}
14935
14936static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
14937				       struct nlattr *attr,
14938				       struct netlink_ext_ack *extack)
14939{
14940	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
14941		if (attr->nla_type & NLA_F_NESTED) {
14942			NL_SET_ERR_MSG_ATTR(extack, attr,
14943					    "unexpected nested data");
14944			return -EINVAL;
14945		}
14946
14947		return 0;
14948	}
14949
14950	if (!(attr->nla_type & NLA_F_NESTED)) {
14951		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
14952		return -EINVAL;
14953	}
14954
14955	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
14956}
14957
14958static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
14959{
14960	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14961	struct wireless_dev *wdev =
14962		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
14963					   info->attrs);
14964	int i, err;
14965	u32 vid, subcmd;
14966
14967	if (!rdev->wiphy.vendor_commands)
14968		return -EOPNOTSUPP;
14969
14970	if (IS_ERR(wdev)) {
14971		err = PTR_ERR(wdev);
14972		if (err != -EINVAL)
14973			return err;
14974		wdev = NULL;
14975	} else if (wdev->wiphy != &rdev->wiphy) {
14976		return -EINVAL;
14977	}
14978
14979	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
14980	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
14981		return -EINVAL;
14982
14983	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
14984	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
14985	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
14986		const struct wiphy_vendor_command *vcmd;
14987		void *data = NULL;
14988		int len = 0;
14989
14990		vcmd = &rdev->wiphy.vendor_commands[i];
14991
14992		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14993			continue;
14994
14995		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14996				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14997			if (!wdev)
14998				return -EINVAL;
14999			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15000			    !wdev->netdev)
15001				return -EINVAL;
15002
15003			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15004				if (!wdev_running(wdev))
15005					return -ENETDOWN;
15006			}
15007		} else {
15008			wdev = NULL;
15009		}
15010
15011		if (!vcmd->doit)
15012			return -EOPNOTSUPP;
15013
15014		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
15015			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
15016			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
15017
15018			err = nl80211_vendor_check_policy(vcmd,
15019					info->attrs[NL80211_ATTR_VENDOR_DATA],
15020					info->extack);
15021			if (err)
15022				return err;
15023		}
15024
15025		rdev->cur_cmd_info = info;
15026		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
15027		rdev->cur_cmd_info = NULL;
15028		return err;
15029	}
15030
15031	return -EOPNOTSUPP;
15032}
15033
15034static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
15035				       struct netlink_callback *cb,
15036				       struct cfg80211_registered_device **rdev,
15037				       struct wireless_dev **wdev)
15038{
15039	struct nlattr **attrbuf;
15040	u32 vid, subcmd;
15041	unsigned int i;
15042	int vcmd_idx = -1;
15043	int err;
15044	void *data = NULL;
15045	unsigned int data_len = 0;
15046
15047	if (cb->args[0]) {
15048		/* subtract the 1 again here */
15049		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
15050		struct wireless_dev *tmp;
15051
15052		if (!wiphy)
15053			return -ENODEV;
15054		*rdev = wiphy_to_rdev(wiphy);
15055		*wdev = NULL;
15056
15057		if (cb->args[1]) {
15058			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
15059				if (tmp->identifier == cb->args[1] - 1) {
15060					*wdev = tmp;
15061					break;
15062				}
15063			}
15064		}
15065
15066		/* keep rtnl locked in successful case */
15067		return 0;
15068	}
15069
15070	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
15071	if (!attrbuf)
15072		return -ENOMEM;
15073
15074	err = nlmsg_parse_deprecated(cb->nlh,
15075				     GENL_HDRLEN + nl80211_fam.hdrsize,
15076				     attrbuf, nl80211_fam.maxattr,
15077				     nl80211_policy, NULL);
15078	if (err)
15079		goto out;
15080
15081	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
15082	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
15083		err = -EINVAL;
15084		goto out;
15085	}
15086
15087	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
15088	if (IS_ERR(*wdev))
15089		*wdev = NULL;
15090
15091	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
15092	if (IS_ERR(*rdev)) {
15093		err = PTR_ERR(*rdev);
15094		goto out;
15095	}
15096
15097	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
15098	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
15099
15100	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
15101		const struct wiphy_vendor_command *vcmd;
15102
15103		vcmd = &(*rdev)->wiphy.vendor_commands[i];
15104
15105		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
15106			continue;
15107
15108		if (!vcmd->dumpit) {
15109			err = -EOPNOTSUPP;
15110			goto out;
15111		}
15112
15113		vcmd_idx = i;
15114		break;
15115	}
15116
15117	if (vcmd_idx < 0) {
15118		err = -EOPNOTSUPP;
15119		goto out;
15120	}
15121
15122	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
15123		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15124		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15125
15126		err = nl80211_vendor_check_policy(
15127				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
15128				attrbuf[NL80211_ATTR_VENDOR_DATA],
15129				cb->extack);
15130		if (err)
15131			goto out;
15132	}
15133
15134	/* 0 is the first index - add 1 to parse only once */
15135	cb->args[0] = (*rdev)->wiphy_idx + 1;
15136	/* add 1 to know if it was NULL */
15137	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
15138	cb->args[2] = vcmd_idx;
15139	cb->args[3] = (unsigned long)data;
15140	cb->args[4] = data_len;
15141
15142	/* keep rtnl locked in successful case */
15143	err = 0;
15144out:
15145	kfree(attrbuf);
15146	return err;
15147}
15148
15149static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
15150				   struct netlink_callback *cb)
15151{
15152	struct cfg80211_registered_device *rdev;
15153	struct wireless_dev *wdev;
15154	unsigned int vcmd_idx;
15155	const struct wiphy_vendor_command *vcmd;
15156	void *data;
15157	int data_len;
15158	int err;
15159	struct nlattr *vendor_data;
15160
15161	rtnl_lock();
15162	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
15163	if (err)
15164		goto out;
15165
15166	vcmd_idx = cb->args[2];
15167	data = (void *)cb->args[3];
15168	data_len = cb->args[4];
15169	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
15170
15171	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
15172			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
15173		if (!wdev) {
15174			err = -EINVAL;
15175			goto out;
15176		}
15177		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15178		    !wdev->netdev) {
15179			err = -EINVAL;
15180			goto out;
15181		}
15182
15183		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15184			if (!wdev_running(wdev)) {
15185				err = -ENETDOWN;
15186				goto out;
15187			}
15188		}
15189	}
15190
15191	while (1) {
15192		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
15193					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
15194					   NL80211_CMD_VENDOR);
15195		if (!hdr)
15196			break;
15197
15198		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15199		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
15200					       wdev_id(wdev),
15201					       NL80211_ATTR_PAD))) {
15202			genlmsg_cancel(skb, hdr);
15203			break;
15204		}
15205
15206		vendor_data = nla_nest_start_noflag(skb,
15207						    NL80211_ATTR_VENDOR_DATA);
15208		if (!vendor_data) {
15209			genlmsg_cancel(skb, hdr);
15210			break;
15211		}
15212
15213		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
15214				   (unsigned long *)&cb->args[5]);
15215		nla_nest_end(skb, vendor_data);
15216
15217		if (err == -ENOBUFS || err == -ENOENT) {
15218			genlmsg_cancel(skb, hdr);
15219			break;
15220		} else if (err <= 0) {
15221			genlmsg_cancel(skb, hdr);
15222			goto out;
15223		}
15224
15225		genlmsg_end(skb, hdr);
15226	}
15227
15228	err = skb->len;
15229 out:
15230	rtnl_unlock();
15231	return err;
15232}
15233
15234struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
15235					   enum nl80211_commands cmd,
15236					   enum nl80211_attrs attr,
15237					   int approxlen)
15238{
15239	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15240
15241	if (WARN_ON(!rdev->cur_cmd_info))
15242		return NULL;
15243
15244	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
15245					   rdev->cur_cmd_info->snd_portid,
15246					   rdev->cur_cmd_info->snd_seq,
15247					   cmd, attr, NULL, GFP_KERNEL);
15248}
15249EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
15250
15251int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
15252{
15253	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
15254	void *hdr = ((void **)skb->cb)[1];
15255	struct nlattr *data = ((void **)skb->cb)[2];
15256
15257	/* clear CB data for netlink core to own from now on */
15258	memset(skb->cb, 0, sizeof(skb->cb));
15259
15260	if (WARN_ON(!rdev->cur_cmd_info)) {
15261		kfree_skb(skb);
15262		return -EINVAL;
15263	}
15264
15265	nla_nest_end(skb, data);
15266	genlmsg_end(skb, hdr);
15267	return genlmsg_reply(skb, rdev->cur_cmd_info);
15268}
15269EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
15270
15271unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
15272{
15273	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15274
15275	if (WARN_ON(!rdev->cur_cmd_info))
15276		return 0;
15277
15278	return rdev->cur_cmd_info->snd_portid;
15279}
15280EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
15281
15282static int nl80211_set_qos_map(struct sk_buff *skb,
15283			       struct genl_info *info)
15284{
15285	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15286	struct cfg80211_qos_map *qos_map = NULL;
15287	struct net_device *dev = info->user_ptr[1];
15288	u8 *pos, len, num_des, des_len, des;
15289	int ret;
15290
15291	if (!rdev->ops->set_qos_map)
15292		return -EOPNOTSUPP;
15293
15294	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
15295		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
15296		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
15297
15298		if (len % 2)
15299			return -EINVAL;
15300
15301		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
15302		if (!qos_map)
15303			return -ENOMEM;
15304
15305		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
15306		if (num_des) {
15307			des_len = num_des *
15308				sizeof(struct cfg80211_dscp_exception);
15309			memcpy(qos_map->dscp_exception, pos, des_len);
15310			qos_map->num_des = num_des;
15311			for (des = 0; des < num_des; des++) {
15312				if (qos_map->dscp_exception[des].up > 7) {
15313					kfree(qos_map);
15314					return -EINVAL;
15315				}
15316			}
15317			pos += des_len;
15318		}
15319		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
15320	}
15321
15322	wdev_lock(dev->ieee80211_ptr);
15323	ret = nl80211_key_allowed(dev->ieee80211_ptr);
15324	if (!ret)
15325		ret = rdev_set_qos_map(rdev, dev, qos_map);
15326	wdev_unlock(dev->ieee80211_ptr);
15327
15328	kfree(qos_map);
15329	return ret;
15330}
15331
15332static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
15333{
15334	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15335	struct net_device *dev = info->user_ptr[1];
15336	struct wireless_dev *wdev = dev->ieee80211_ptr;
15337	const u8 *peer;
15338	u8 tsid, up;
15339	u16 admitted_time = 0;
15340	int err;
15341
15342	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
15343		return -EOPNOTSUPP;
15344
15345	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
15346	    !info->attrs[NL80211_ATTR_USER_PRIO])
15347		return -EINVAL;
15348
15349	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15350	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
15351
15352	/* WMM uses TIDs 0-7 even for TSPEC */
15353	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
15354		/* TODO: handle 802.11 TSPEC/admission control
15355		 * need more attributes for that (e.g. BA session requirement);
15356		 * change the WMM adminssion test above to allow both then
15357		 */
15358		return -EINVAL;
15359	}
15360
15361	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15362
15363	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
15364		admitted_time =
15365			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
15366		if (!admitted_time)
15367			return -EINVAL;
15368	}
15369
15370	wdev_lock(wdev);
15371	switch (wdev->iftype) {
15372	case NL80211_IFTYPE_STATION:
15373	case NL80211_IFTYPE_P2P_CLIENT:
15374		if (wdev->connected)
15375			break;
15376		err = -ENOTCONN;
15377		goto out;
15378	default:
15379		err = -EOPNOTSUPP;
15380		goto out;
15381	}
15382
15383	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
15384
15385 out:
15386	wdev_unlock(wdev);
15387	return err;
15388}
15389
15390static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
15391{
15392	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15393	struct net_device *dev = info->user_ptr[1];
15394	struct wireless_dev *wdev = dev->ieee80211_ptr;
15395	const u8 *peer;
15396	u8 tsid;
15397	int err;
15398
15399	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
15400		return -EINVAL;
15401
15402	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15403	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15404
15405	wdev_lock(wdev);
15406	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
15407	wdev_unlock(wdev);
15408
15409	return err;
15410}
15411
15412static int nl80211_tdls_channel_switch(struct sk_buff *skb,
15413				       struct genl_info *info)
15414{
15415	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15416	struct net_device *dev = info->user_ptr[1];
15417	struct wireless_dev *wdev = dev->ieee80211_ptr;
15418	struct cfg80211_chan_def chandef = {};
15419	const u8 *addr;
15420	u8 oper_class;
15421	int err;
15422
15423	if (!rdev->ops->tdls_channel_switch ||
15424	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15425		return -EOPNOTSUPP;
15426
15427	switch (dev->ieee80211_ptr->iftype) {
15428	case NL80211_IFTYPE_STATION:
15429	case NL80211_IFTYPE_P2P_CLIENT:
15430		break;
15431	default:
15432		return -EOPNOTSUPP;
15433	}
15434
15435	if (!info->attrs[NL80211_ATTR_MAC] ||
15436	    !info->attrs[NL80211_ATTR_OPER_CLASS])
15437		return -EINVAL;
15438
15439	err = nl80211_parse_chandef(rdev, info, &chandef);
15440	if (err)
15441		return err;
15442
15443	/*
15444	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
15445	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
15446	 * specification is not defined for them.
15447	 */
15448	if (chandef.chan->band == NL80211_BAND_2GHZ &&
15449	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
15450	    chandef.width != NL80211_CHAN_WIDTH_20)
15451		return -EINVAL;
15452
15453	/* we will be active on the TDLS link */
15454	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
15455					   wdev->iftype))
15456		return -EINVAL;
15457
15458	/* don't allow switching to DFS channels */
15459	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
15460		return -EINVAL;
15461
15462	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15463	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
15464
15465	wdev_lock(wdev);
15466	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
15467	wdev_unlock(wdev);
15468
15469	return err;
15470}
15471
15472static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
15473					      struct genl_info *info)
15474{
15475	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15476	struct net_device *dev = info->user_ptr[1];
15477	struct wireless_dev *wdev = dev->ieee80211_ptr;
15478	const u8 *addr;
15479
15480	if (!rdev->ops->tdls_channel_switch ||
15481	    !rdev->ops->tdls_cancel_channel_switch ||
15482	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15483		return -EOPNOTSUPP;
15484
15485	switch (dev->ieee80211_ptr->iftype) {
15486	case NL80211_IFTYPE_STATION:
15487	case NL80211_IFTYPE_P2P_CLIENT:
15488		break;
15489	default:
15490		return -EOPNOTSUPP;
15491	}
15492
15493	if (!info->attrs[NL80211_ATTR_MAC])
15494		return -EINVAL;
15495
15496	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15497
15498	wdev_lock(wdev);
15499	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
15500	wdev_unlock(wdev);
15501
15502	return 0;
15503}
15504
15505static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
15506					    struct genl_info *info)
15507{
15508	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15509	struct net_device *dev = info->user_ptr[1];
15510	struct wireless_dev *wdev = dev->ieee80211_ptr;
15511	const struct nlattr *nla;
15512	bool enabled;
15513
15514	if (!rdev->ops->set_multicast_to_unicast)
15515		return -EOPNOTSUPP;
15516
15517	if (wdev->iftype != NL80211_IFTYPE_AP &&
15518	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15519		return -EOPNOTSUPP;
15520
15521	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
15522	enabled = nla_get_flag(nla);
15523
15524	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
15525}
15526
15527static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
15528{
15529	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15530	struct net_device *dev = info->user_ptr[1];
15531	struct wireless_dev *wdev = dev->ieee80211_ptr;
15532	struct cfg80211_pmk_conf pmk_conf = {};
15533	int ret;
15534
15535	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15536	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15537		return -EOPNOTSUPP;
15538
15539	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15540				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15541		return -EOPNOTSUPP;
15542
15543	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
15544		return -EINVAL;
15545
15546	wdev_lock(wdev);
15547	if (!wdev->connected) {
15548		ret = -ENOTCONN;
15549		goto out;
15550	}
15551
15552	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15553	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN)) {
15554		ret = -EINVAL;
15555		goto out;
15556	}
15557
15558	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
15559	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
15560	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
15561	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
15562		ret = -EINVAL;
15563		goto out;
15564	}
15565
15566	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
15567		pmk_conf.pmk_r0_name =
15568			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
15569
15570	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
15571out:
15572	wdev_unlock(wdev);
15573	return ret;
15574}
15575
15576static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
15577{
15578	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15579	struct net_device *dev = info->user_ptr[1];
15580	struct wireless_dev *wdev = dev->ieee80211_ptr;
15581	const u8 *aa;
15582	int ret;
15583
15584	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15585	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15586		return -EOPNOTSUPP;
15587
15588	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15589				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15590		return -EOPNOTSUPP;
15591
15592	if (!info->attrs[NL80211_ATTR_MAC])
15593		return -EINVAL;
15594
15595	wdev_lock(wdev);
15596	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15597	ret = rdev_del_pmk(rdev, dev, aa);
15598	wdev_unlock(wdev);
15599
15600	return ret;
15601}
15602
15603static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
15604{
15605	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15606	struct net_device *dev = info->user_ptr[1];
15607	struct cfg80211_external_auth_params params;
15608
15609	if (!rdev->ops->external_auth)
15610		return -EOPNOTSUPP;
15611
15612	if (!info->attrs[NL80211_ATTR_SSID] &&
15613	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
15614	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
15615		return -EINVAL;
15616
15617	if (!info->attrs[NL80211_ATTR_BSSID])
15618		return -EINVAL;
15619
15620	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
15621		return -EINVAL;
15622
15623	memset(&params, 0, sizeof(params));
15624
15625	if (info->attrs[NL80211_ATTR_SSID]) {
15626		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
15627		if (params.ssid.ssid_len == 0)
15628			return -EINVAL;
15629		memcpy(params.ssid.ssid,
15630		       nla_data(info->attrs[NL80211_ATTR_SSID]),
15631		       params.ssid.ssid_len);
15632	}
15633
15634	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
15635	       ETH_ALEN);
15636
15637	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15638
15639	if (info->attrs[NL80211_ATTR_PMKID])
15640		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
15641
15642	return rdev_external_auth(rdev, dev, &params);
15643}
15644
15645static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
15646{
15647	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
15648	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15649	struct net_device *dev = info->user_ptr[1];
15650	struct wireless_dev *wdev = dev->ieee80211_ptr;
15651	const u8 *buf;
15652	size_t len;
15653	u8 *dest;
15654	u16 proto;
15655	bool noencrypt;
15656	u64 cookie = 0;
15657	int link_id;
15658	int err;
15659
15660	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15661				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
15662		return -EOPNOTSUPP;
15663
15664	if (!rdev->ops->tx_control_port)
15665		return -EOPNOTSUPP;
15666
15667	if (!info->attrs[NL80211_ATTR_FRAME] ||
15668	    !info->attrs[NL80211_ATTR_MAC] ||
15669	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
15670		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
15671		return -EINVAL;
15672	}
15673
15674	wdev_lock(wdev);
15675
15676	switch (wdev->iftype) {
15677	case NL80211_IFTYPE_AP:
15678	case NL80211_IFTYPE_P2P_GO:
15679	case NL80211_IFTYPE_MESH_POINT:
15680		break;
15681	case NL80211_IFTYPE_ADHOC:
15682		if (wdev->u.ibss.current_bss)
15683			break;
15684		err = -ENOTCONN;
15685		goto out;
15686	case NL80211_IFTYPE_STATION:
15687	case NL80211_IFTYPE_P2P_CLIENT:
15688		if (wdev->connected)
15689			break;
15690		err = -ENOTCONN;
15691		goto out;
15692	default:
15693		err = -EOPNOTSUPP;
15694		goto out;
15695	}
15696
15697	wdev_unlock(wdev);
15698
15699	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15700	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15701	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15702	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
15703	noencrypt =
15704		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
15705
15706	link_id = nl80211_link_id_or_invalid(info->attrs);
15707
15708	err = rdev_tx_control_port(rdev, dev, buf, len,
15709				   dest, cpu_to_be16(proto), noencrypt, link_id,
15710				   dont_wait_for_ack ? NULL : &cookie);
15711	if (!err && !dont_wait_for_ack)
15712		nl_set_extack_cookie_u64(info->extack, cookie);
15713	return err;
15714 out:
15715	wdev_unlock(wdev);
15716	return err;
15717}
15718
15719static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
15720					   struct genl_info *info)
15721{
15722	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15723	struct net_device *dev = info->user_ptr[1];
15724	struct wireless_dev *wdev = dev->ieee80211_ptr;
15725	struct cfg80211_ftm_responder_stats ftm_stats = {};
15726	unsigned int link_id = nl80211_link_id(info->attrs);
15727	struct sk_buff *msg;
15728	void *hdr;
15729	struct nlattr *ftm_stats_attr;
15730	int err;
15731
15732	if (wdev->iftype != NL80211_IFTYPE_AP ||
15733	    !wdev->links[link_id].ap.beacon_interval)
15734		return -EOPNOTSUPP;
15735
15736	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
15737	if (err)
15738		return err;
15739
15740	if (!ftm_stats.filled)
15741		return -ENODATA;
15742
15743	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15744	if (!msg)
15745		return -ENOMEM;
15746
15747	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15748			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
15749	if (!hdr)
15750		goto nla_put_failure;
15751
15752	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15753		goto nla_put_failure;
15754
15755	ftm_stats_attr = nla_nest_start_noflag(msg,
15756					       NL80211_ATTR_FTM_RESPONDER_STATS);
15757	if (!ftm_stats_attr)
15758		goto nla_put_failure;
15759
15760#define SET_FTM(field, name, type)					 \
15761	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15762	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
15763			     ftm_stats.field))				 \
15764		goto nla_put_failure; } while (0)
15765#define SET_FTM_U64(field, name)					 \
15766	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15767	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
15768			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
15769		goto nla_put_failure; } while (0)
15770
15771	SET_FTM(success_num, SUCCESS_NUM, u32);
15772	SET_FTM(partial_num, PARTIAL_NUM, u32);
15773	SET_FTM(failed_num, FAILED_NUM, u32);
15774	SET_FTM(asap_num, ASAP_NUM, u32);
15775	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
15776	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
15777	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
15778	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
15779	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
15780#undef SET_FTM
15781
15782	nla_nest_end(msg, ftm_stats_attr);
15783
15784	genlmsg_end(msg, hdr);
15785	return genlmsg_reply(msg, info);
15786
15787nla_put_failure:
15788	nlmsg_free(msg);
15789	return -ENOBUFS;
15790}
15791
15792static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
15793{
15794	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15795	struct cfg80211_update_owe_info owe_info;
15796	struct net_device *dev = info->user_ptr[1];
15797
15798	if (!rdev->ops->update_owe_info)
15799		return -EOPNOTSUPP;
15800
15801	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
15802	    !info->attrs[NL80211_ATTR_MAC])
15803		return -EINVAL;
15804
15805	memset(&owe_info, 0, sizeof(owe_info));
15806	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15807	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
15808
15809	if (info->attrs[NL80211_ATTR_IE]) {
15810		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
15811		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
15812	}
15813
15814	return rdev_update_owe_info(rdev, dev, &owe_info);
15815}
15816
15817static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
15818{
15819	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15820	struct net_device *dev = info->user_ptr[1];
15821	struct wireless_dev *wdev = dev->ieee80211_ptr;
15822	struct station_info sinfo = {};
15823	const u8 *buf;
15824	size_t len;
15825	u8 *dest;
15826	int err;
15827
15828	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
15829		return -EOPNOTSUPP;
15830
15831	if (!info->attrs[NL80211_ATTR_MAC] ||
15832	    !info->attrs[NL80211_ATTR_FRAME]) {
15833		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
15834		return -EINVAL;
15835	}
15836
15837	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
15838		return -EOPNOTSUPP;
15839
15840	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15841	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15842	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15843
15844	if (len < sizeof(struct ethhdr))
15845		return -EINVAL;
15846
15847	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
15848	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
15849		return -EINVAL;
15850
15851	err = rdev_get_station(rdev, dev, dest, &sinfo);
15852	if (err)
15853		return err;
15854
15855	cfg80211_sinfo_release_content(&sinfo);
15856
15857	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
15858}
15859
15860static int parse_tid_conf(struct cfg80211_registered_device *rdev,
15861			  struct nlattr *attrs[], struct net_device *dev,
15862			  struct cfg80211_tid_cfg *tid_conf,
15863			  struct genl_info *info, const u8 *peer,
15864			  unsigned int link_id)
15865{
15866	struct netlink_ext_ack *extack = info->extack;
15867	u64 mask;
15868	int err;
15869
15870	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
15871		return -EINVAL;
15872
15873	tid_conf->config_override =
15874			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
15875	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
15876
15877	if (tid_conf->config_override) {
15878		if (rdev->ops->reset_tid_config) {
15879			err = rdev_reset_tid_config(rdev, dev, peer,
15880						    tid_conf->tids);
15881			if (err)
15882				return err;
15883		} else {
15884			return -EINVAL;
15885		}
15886	}
15887
15888	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
15889		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
15890		tid_conf->noack =
15891			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
15892	}
15893
15894	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
15895		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
15896		tid_conf->retry_short =
15897			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
15898
15899		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
15900			return -EINVAL;
15901	}
15902
15903	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
15904		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
15905		tid_conf->retry_long =
15906			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
15907
15908		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
15909			return -EINVAL;
15910	}
15911
15912	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
15913		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
15914		tid_conf->ampdu =
15915			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
15916	}
15917
15918	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
15919		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
15920		tid_conf->rtscts =
15921			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
15922	}
15923
15924	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
15925		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
15926		tid_conf->amsdu =
15927			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
15928	}
15929
15930	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
15931		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
15932
15933		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
15934
15935		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
15936			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
15937			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
15938						    &tid_conf->txrate_mask, dev,
15939						    true, link_id);
15940			if (err)
15941				return err;
15942
15943			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
15944		}
15945		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
15946	}
15947
15948	if (peer)
15949		mask = rdev->wiphy.tid_config_support.peer;
15950	else
15951		mask = rdev->wiphy.tid_config_support.vif;
15952
15953	if (tid_conf->mask & ~mask) {
15954		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
15955		return -ENOTSUPP;
15956	}
15957
15958	return 0;
15959}
15960
15961static int nl80211_set_tid_config(struct sk_buff *skb,
15962				  struct genl_info *info)
15963{
15964	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15965	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
15966	unsigned int link_id = nl80211_link_id(info->attrs);
15967	struct net_device *dev = info->user_ptr[1];
15968	struct cfg80211_tid_config *tid_config;
15969	struct nlattr *tid;
15970	int conf_idx = 0, rem_conf;
15971	int ret = -EINVAL;
15972	u32 num_conf = 0;
15973
15974	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
15975		return -EINVAL;
15976
15977	if (!rdev->ops->set_tid_config)
15978		return -EOPNOTSUPP;
15979
15980	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15981			    rem_conf)
15982		num_conf++;
15983
15984	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
15985			     GFP_KERNEL);
15986	if (!tid_config)
15987		return -ENOMEM;
15988
15989	tid_config->n_tid_conf = num_conf;
15990
15991	if (info->attrs[NL80211_ATTR_MAC])
15992		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15993
15994	wdev_lock(dev->ieee80211_ptr);
15995
15996	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15997			    rem_conf) {
15998		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
15999				       tid, NULL, NULL);
16000
16001		if (ret)
16002			goto bad_tid_conf;
16003
16004		ret = parse_tid_conf(rdev, attrs, dev,
16005				     &tid_config->tid_conf[conf_idx],
16006				     info, tid_config->peer, link_id);
16007		if (ret)
16008			goto bad_tid_conf;
16009
16010		conf_idx++;
16011	}
16012
16013	ret = rdev_set_tid_config(rdev, dev, tid_config);
16014
16015bad_tid_conf:
16016	kfree(tid_config);
16017	wdev_unlock(dev->ieee80211_ptr);
16018	return ret;
16019}
16020
16021static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
16022{
16023	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16024	struct cfg80211_color_change_settings params = {};
16025	struct net_device *dev = info->user_ptr[1];
16026	struct wireless_dev *wdev = dev->ieee80211_ptr;
16027	struct nlattr **tb;
16028	u16 offset;
16029	int err;
16030
16031	if (!rdev->ops->color_change)
16032		return -EOPNOTSUPP;
16033
16034	if (!wiphy_ext_feature_isset(&rdev->wiphy,
16035				     NL80211_EXT_FEATURE_BSS_COLOR))
16036		return -EOPNOTSUPP;
16037
16038	if (wdev->iftype != NL80211_IFTYPE_AP)
16039		return -EOPNOTSUPP;
16040
16041	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
16042	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
16043	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
16044		return -EINVAL;
16045
16046	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
16047	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
16048
16049	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next,
16050				   info->extack);
16051	if (err)
16052		return err;
16053
16054	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
16055	if (!tb)
16056		return -ENOMEM;
16057
16058	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
16059			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
16060			       nl80211_policy, info->extack);
16061	if (err)
16062		goto out;
16063
16064	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change,
16065				   info->extack);
16066	if (err)
16067		goto out;
16068
16069	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
16070		err = -EINVAL;
16071		goto out;
16072	}
16073
16074	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
16075		err = -EINVAL;
16076		goto out;
16077	}
16078
16079	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
16080	if (offset >= params.beacon_color_change.tail_len) {
16081		err = -EINVAL;
16082		goto out;
16083	}
16084
16085	if (params.beacon_color_change.tail[offset] != params.count) {
16086		err = -EINVAL;
16087		goto out;
16088	}
16089
16090	params.counter_offset_beacon = offset;
16091
16092	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
16093		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
16094		    sizeof(u16)) {
16095			err = -EINVAL;
16096			goto out;
16097		}
16098
16099		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
16100		if (offset >= params.beacon_color_change.probe_resp_len) {
16101			err = -EINVAL;
16102			goto out;
16103		}
16104
16105		if (params.beacon_color_change.probe_resp[offset] !=
16106		    params.count) {
16107			err = -EINVAL;
16108			goto out;
16109		}
16110
16111		params.counter_offset_presp = offset;
16112	}
16113
16114	wdev_lock(wdev);
16115	err = rdev_color_change(rdev, dev, &params);
16116	wdev_unlock(wdev);
16117
16118out:
16119	kfree(params.beacon_next.mbssid_ies);
16120	kfree(params.beacon_color_change.mbssid_ies);
16121	kfree(params.beacon_next.rnr_ies);
16122	kfree(params.beacon_color_change.rnr_ies);
16123	kfree(tb);
16124	return err;
16125}
16126
16127static int nl80211_set_fils_aad(struct sk_buff *skb,
16128				struct genl_info *info)
16129{
16130	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16131	struct net_device *dev = info->user_ptr[1];
16132	struct cfg80211_fils_aad fils_aad = {};
16133	u8 *nonces;
16134
16135	if (!info->attrs[NL80211_ATTR_MAC] ||
16136	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
16137	    !info->attrs[NL80211_ATTR_FILS_NONCES])
16138		return -EINVAL;
16139
16140	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16141	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
16142	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
16143	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
16144	fils_aad.snonce = nonces;
16145	fils_aad.anonce = nonces + FILS_NONCE_LEN;
16146
16147	return rdev_set_fils_aad(rdev, dev, &fils_aad);
16148}
16149
16150static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
16151{
16152	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16153	unsigned int link_id = nl80211_link_id(info->attrs);
16154	struct net_device *dev = info->user_ptr[1];
16155	struct wireless_dev *wdev = dev->ieee80211_ptr;
16156	int ret;
16157
16158	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
16159		return -EINVAL;
16160
16161	switch (wdev->iftype) {
16162	case NL80211_IFTYPE_AP:
16163		break;
16164	default:
16165		return -EINVAL;
16166	}
16167
16168	if (!info->attrs[NL80211_ATTR_MAC] ||
16169	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
16170		return -EINVAL;
16171
16172	wdev_lock(wdev);
16173	wdev->valid_links |= BIT(link_id);
16174	ether_addr_copy(wdev->links[link_id].addr,
16175			nla_data(info->attrs[NL80211_ATTR_MAC]));
16176
16177	ret = rdev_add_intf_link(rdev, wdev, link_id);
16178	if (ret) {
16179		wdev->valid_links &= ~BIT(link_id);
16180		eth_zero_addr(wdev->links[link_id].addr);
16181	}
16182	wdev_unlock(wdev);
16183
16184	return ret;
16185}
16186
16187static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
16188{
16189	unsigned int link_id = nl80211_link_id(info->attrs);
16190	struct net_device *dev = info->user_ptr[1];
16191	struct wireless_dev *wdev = dev->ieee80211_ptr;
16192
16193	/* cannot remove if there's no link */
16194	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16195		return -EINVAL;
16196
16197	switch (wdev->iftype) {
16198	case NL80211_IFTYPE_AP:
16199		break;
16200	default:
16201		return -EINVAL;
16202	}
16203
16204	wdev_lock(wdev);
16205	cfg80211_remove_link(wdev, link_id);
16206	wdev_unlock(wdev);
16207
16208	return 0;
16209}
16210
16211static int
16212nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
16213			     bool add)
16214{
16215	struct link_station_parameters params = {};
16216	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16217	struct net_device *dev = info->user_ptr[1];
16218	int err;
16219
16220	if ((add && !rdev->ops->add_link_station) ||
16221	    (!add && !rdev->ops->mod_link_station))
16222		return -EOPNOTSUPP;
16223
16224	if (add && !info->attrs[NL80211_ATTR_MAC])
16225		return -EINVAL;
16226
16227	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
16228		return -EINVAL;
16229
16230	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
16231		return -EINVAL;
16232
16233	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16234
16235	if (info->attrs[NL80211_ATTR_MAC]) {
16236		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
16237		if (!is_valid_ether_addr(params.link_mac))
16238			return -EINVAL;
16239	}
16240
16241	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16242		return -EINVAL;
16243
16244	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16245
16246	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
16247		params.supported_rates =
16248			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16249		params.supported_rates_len =
16250			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16251	}
16252
16253	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
16254		params.ht_capa =
16255			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
16256
16257	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
16258		params.vht_capa =
16259			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
16260
16261	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
16262		params.he_capa =
16263			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16264		params.he_capa_len =
16265			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16266
16267		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
16268			params.eht_capa =
16269				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16270			params.eht_capa_len =
16271				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16272
16273			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
16274							(const u8 *)params.eht_capa,
16275							params.eht_capa_len,
16276							false))
16277				return -EINVAL;
16278		}
16279	}
16280
16281	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
16282		params.he_6ghz_capa =
16283			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
16284
16285	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
16286		params.opmode_notif_used = true;
16287		params.opmode_notif =
16288			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
16289	}
16290
16291	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
16292						&params.txpwr_set);
16293	if (err)
16294		return err;
16295
16296	wdev_lock(dev->ieee80211_ptr);
16297	if (add)
16298		err = rdev_add_link_station(rdev, dev, &params);
16299	else
16300		err = rdev_mod_link_station(rdev, dev, &params);
16301	wdev_unlock(dev->ieee80211_ptr);
16302
16303	return err;
16304}
16305
16306static int
16307nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
16308{
16309	return nl80211_add_mod_link_station(skb, info, true);
16310}
16311
16312static int
16313nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
16314{
16315	return nl80211_add_mod_link_station(skb, info, false);
16316}
16317
16318static int
16319nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
16320{
16321	struct link_station_del_parameters params = {};
16322	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16323	struct net_device *dev = info->user_ptr[1];
16324	int ret;
16325
16326	if (!rdev->ops->del_link_station)
16327		return -EOPNOTSUPP;
16328
16329	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
16330	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
16331		return -EINVAL;
16332
16333	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16334	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16335
16336	wdev_lock(dev->ieee80211_ptr);
16337	ret = rdev_del_link_station(rdev, dev, &params);
16338	wdev_unlock(dev->ieee80211_ptr);
16339
16340	return ret;
16341}
16342
16343static int nl80211_set_hw_timestamp(struct sk_buff *skb,
16344				    struct genl_info *info)
16345{
16346	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16347	struct net_device *dev = info->user_ptr[1];
16348	struct cfg80211_set_hw_timestamp hwts = {};
16349
16350	if (!rdev->wiphy.hw_timestamp_max_peers)
16351		return -EOPNOTSUPP;
16352
16353	if (!info->attrs[NL80211_ATTR_MAC] &&
16354	    rdev->wiphy.hw_timestamp_max_peers != CFG80211_HW_TIMESTAMP_ALL_PEERS)
16355		return -EOPNOTSUPP;
16356
16357	if (info->attrs[NL80211_ATTR_MAC])
16358		hwts.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16359
16360	hwts.enable =
16361		nla_get_flag(info->attrs[NL80211_ATTR_HW_TIMESTAMP_ENABLED]);
16362
16363	return rdev_set_hw_timestamp(rdev, dev, &hwts);
16364}
16365
16366#define NL80211_FLAG_NEED_WIPHY		0x01
16367#define NL80211_FLAG_NEED_NETDEV	0x02
16368#define NL80211_FLAG_NEED_RTNL		0x04
16369#define NL80211_FLAG_CHECK_NETDEV_UP	0x08
16370#define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
16371					 NL80211_FLAG_CHECK_NETDEV_UP)
16372#define NL80211_FLAG_NEED_WDEV		0x10
16373/* If a netdev is associated, it must be UP, P2P must be started */
16374#define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
16375					 NL80211_FLAG_CHECK_NETDEV_UP)
16376#define NL80211_FLAG_CLEAR_SKB		0x20
16377#define NL80211_FLAG_NO_WIPHY_MTX	0x40
16378#define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
16379#define NL80211_FLAG_MLO_UNSUPPORTED	0x100
16380
16381#define INTERNAL_FLAG_SELECTORS(__sel)			\
16382	SELECTOR(__sel, NONE, 0) /* must be first */	\
16383	SELECTOR(__sel, WIPHY,				\
16384		 NL80211_FLAG_NEED_WIPHY)		\
16385	SELECTOR(__sel, WDEV,				\
16386		 NL80211_FLAG_NEED_WDEV)		\
16387	SELECTOR(__sel, NETDEV,				\
16388		 NL80211_FLAG_NEED_NETDEV)		\
16389	SELECTOR(__sel, NETDEV_LINK,			\
16390		 NL80211_FLAG_NEED_NETDEV |		\
16391		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16392	SELECTOR(__sel, NETDEV_NO_MLO,			\
16393		 NL80211_FLAG_NEED_NETDEV |		\
16394		 NL80211_FLAG_MLO_UNSUPPORTED)	\
16395	SELECTOR(__sel, WIPHY_RTNL,			\
16396		 NL80211_FLAG_NEED_WIPHY |		\
16397		 NL80211_FLAG_NEED_RTNL)		\
16398	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
16399		 NL80211_FLAG_NEED_WIPHY |		\
16400		 NL80211_FLAG_NEED_RTNL |		\
16401		 NL80211_FLAG_NO_WIPHY_MTX)		\
16402	SELECTOR(__sel, WDEV_RTNL,			\
16403		 NL80211_FLAG_NEED_WDEV |		\
16404		 NL80211_FLAG_NEED_RTNL)		\
16405	SELECTOR(__sel, NETDEV_RTNL,			\
16406		 NL80211_FLAG_NEED_NETDEV |		\
16407		 NL80211_FLAG_NEED_RTNL)		\
16408	SELECTOR(__sel, NETDEV_UP,			\
16409		 NL80211_FLAG_NEED_NETDEV_UP)		\
16410	SELECTOR(__sel, NETDEV_UP_LINK,			\
16411		 NL80211_FLAG_NEED_NETDEV_UP |		\
16412		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16413	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
16414		 NL80211_FLAG_NEED_NETDEV_UP |		\
16415		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16416	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
16417		 NL80211_FLAG_NEED_NETDEV_UP |		\
16418		 NL80211_FLAG_CLEAR_SKB |		\
16419		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16420	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
16421		 NL80211_FLAG_NEED_NETDEV_UP |		\
16422		 NL80211_FLAG_NO_WIPHY_MTX)		\
16423	SELECTOR(__sel, NETDEV_UP_NOTMX_NOMLO,		\
16424		 NL80211_FLAG_NEED_NETDEV_UP |		\
16425		 NL80211_FLAG_NO_WIPHY_MTX |		\
16426		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16427	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
16428		 NL80211_FLAG_NEED_NETDEV_UP |		\
16429		 NL80211_FLAG_CLEAR_SKB)		\
16430	SELECTOR(__sel, WDEV_UP,			\
16431		 NL80211_FLAG_NEED_WDEV_UP)		\
16432	SELECTOR(__sel, WDEV_UP_LINK,			\
16433		 NL80211_FLAG_NEED_WDEV_UP |		\
16434		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16435	SELECTOR(__sel, WDEV_UP_RTNL,			\
16436		 NL80211_FLAG_NEED_WDEV_UP |		\
16437		 NL80211_FLAG_NEED_RTNL)		\
16438	SELECTOR(__sel, WIPHY_CLEAR,			\
16439		 NL80211_FLAG_NEED_WIPHY |		\
16440		 NL80211_FLAG_CLEAR_SKB)
16441
16442enum nl80211_internal_flags_selector {
16443#define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
16444	INTERNAL_FLAG_SELECTORS(_)
16445#undef SELECTOR
16446};
16447
16448static u32 nl80211_internal_flags[] = {
16449#define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
16450	INTERNAL_FLAG_SELECTORS(_)
16451#undef SELECTOR
16452};
16453
16454static int nl80211_pre_doit(const struct genl_split_ops *ops,
16455			    struct sk_buff *skb,
16456			    struct genl_info *info)
16457{
16458	struct cfg80211_registered_device *rdev = NULL;
16459	struct wireless_dev *wdev = NULL;
16460	struct net_device *dev = NULL;
16461	u32 internal_flags;
16462	int err;
16463
16464	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
16465		return -EINVAL;
16466
16467	internal_flags = nl80211_internal_flags[ops->internal_flags];
16468
16469	rtnl_lock();
16470	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
16471		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
16472		if (IS_ERR(rdev)) {
16473			err = PTR_ERR(rdev);
16474			goto out_unlock;
16475		}
16476		info->user_ptr[0] = rdev;
16477	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
16478		   internal_flags & NL80211_FLAG_NEED_WDEV) {
16479		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
16480						  info->attrs);
16481		if (IS_ERR(wdev)) {
16482			err = PTR_ERR(wdev);
16483			goto out_unlock;
16484		}
16485
16486		dev = wdev->netdev;
16487		dev_hold(dev);
16488		rdev = wiphy_to_rdev(wdev->wiphy);
16489
16490		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
16491			if (!dev) {
16492				err = -EINVAL;
16493				goto out_unlock;
16494			}
16495
16496			info->user_ptr[1] = dev;
16497		} else {
16498			info->user_ptr[1] = wdev;
16499		}
16500
16501		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
16502		    !wdev_running(wdev)) {
16503			err = -ENETDOWN;
16504			goto out_unlock;
16505		}
16506
16507		info->user_ptr[0] = rdev;
16508	}
16509
16510	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
16511		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
16512
16513		if (!wdev) {
16514			err = -EINVAL;
16515			goto out_unlock;
16516		}
16517
16518		/* MLO -> require valid link ID */
16519		if (wdev->valid_links &&
16520		    (!link_id ||
16521		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
16522			err = -EINVAL;
16523			goto out_unlock;
16524		}
16525
16526		/* non-MLO -> no link ID attribute accepted */
16527		if (!wdev->valid_links && link_id) {
16528			err = -EINVAL;
16529			goto out_unlock;
16530		}
16531	}
16532
16533	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
16534		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
16535		    (wdev && wdev->valid_links)) {
16536			err = -EINVAL;
16537			goto out_unlock;
16538		}
16539	}
16540
16541	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16542		wiphy_lock(&rdev->wiphy);
16543		/* we keep the mutex locked until post_doit */
16544		__release(&rdev->wiphy.mtx);
16545	}
16546	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
16547		rtnl_unlock();
16548
16549	return 0;
16550out_unlock:
16551	rtnl_unlock();
16552	dev_put(dev);
16553	return err;
16554}
16555
16556static void nl80211_post_doit(const struct genl_split_ops *ops,
16557			      struct sk_buff *skb,
16558			      struct genl_info *info)
16559{
16560	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
16561
16562	if (info->user_ptr[1]) {
16563		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
16564			struct wireless_dev *wdev = info->user_ptr[1];
16565
16566			dev_put(wdev->netdev);
16567		} else {
16568			dev_put(info->user_ptr[1]);
16569		}
16570	}
16571
16572	if (info->user_ptr[0] &&
16573	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16574		struct cfg80211_registered_device *rdev = info->user_ptr[0];
16575
16576		/* we kept the mutex locked since pre_doit */
16577		__acquire(&rdev->wiphy.mtx);
16578		wiphy_unlock(&rdev->wiphy);
16579	}
16580
16581	if (internal_flags & NL80211_FLAG_NEED_RTNL)
16582		rtnl_unlock();
16583
16584	/* If needed, clear the netlink message payload from the SKB
16585	 * as it might contain key data that shouldn't stick around on
16586	 * the heap after the SKB is freed. The netlink message header
16587	 * is still needed for further processing, so leave it intact.
16588	 */
16589	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
16590		struct nlmsghdr *nlh = nlmsg_hdr(skb);
16591
16592		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
16593	}
16594}
16595
16596static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
16597				     struct cfg80211_sar_specs *sar_specs,
16598				     struct nlattr *spec[], int index)
16599{
16600	u32 range_index, i;
16601
16602	if (!sar_specs || !spec)
16603		return -EINVAL;
16604
16605	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
16606	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
16607		return -EINVAL;
16608
16609	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
16610
16611	/* check if range_index exceeds num_freq_ranges */
16612	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
16613		return -EINVAL;
16614
16615	/* check if range_index duplicates */
16616	for (i = 0; i < index; i++) {
16617		if (sar_specs->sub_specs[i].freq_range_index == range_index)
16618			return -EINVAL;
16619	}
16620
16621	sar_specs->sub_specs[index].power =
16622		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
16623
16624	sar_specs->sub_specs[index].freq_range_index = range_index;
16625
16626	return 0;
16627}
16628
16629static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
16630{
16631	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16632	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
16633	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
16634	struct cfg80211_sar_specs *sar_spec;
16635	enum nl80211_sar_type type;
16636	struct nlattr *spec_list;
16637	u32 specs;
16638	int rem, err;
16639
16640	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
16641		return -EOPNOTSUPP;
16642
16643	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
16644		return -EINVAL;
16645
16646	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
16647			 info->attrs[NL80211_ATTR_SAR_SPEC],
16648			 NULL, NULL);
16649
16650	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
16651		return -EINVAL;
16652
16653	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
16654	if (type != rdev->wiphy.sar_capa->type)
16655		return -EINVAL;
16656
16657	specs = 0;
16658	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
16659		specs++;
16660
16661	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
16662		return -EINVAL;
16663
16664	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
16665	if (!sar_spec)
16666		return -ENOMEM;
16667
16668	sar_spec->type = type;
16669	specs = 0;
16670	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
16671		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
16672				 spec_list, NULL, NULL);
16673
16674		switch (type) {
16675		case NL80211_SAR_TYPE_POWER:
16676			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
16677						      spec, specs)) {
16678				err = -EINVAL;
16679				goto error;
16680			}
16681			break;
16682		default:
16683			err = -EINVAL;
16684			goto error;
16685		}
16686		specs++;
16687	}
16688
16689	sar_spec->num_sub_specs = specs;
16690
16691	rdev->cur_cmd_info = info;
16692	err = rdev_set_sar_specs(rdev, sar_spec);
16693	rdev->cur_cmd_info = NULL;
16694error:
16695	kfree(sar_spec);
16696	return err;
16697}
16698
16699#define SELECTOR(__sel, name, value) \
16700	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
16701int __missing_selector(void);
16702#define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
16703
16704static const struct genl_ops nl80211_ops[] = {
16705	{
16706		.cmd = NL80211_CMD_GET_WIPHY,
16707		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16708		.doit = nl80211_get_wiphy,
16709		.dumpit = nl80211_dump_wiphy,
16710		.done = nl80211_dump_wiphy_done,
16711		/* can be retrieved by unprivileged users */
16712		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16713	},
16714};
16715
16716static const struct genl_small_ops nl80211_small_ops[] = {
16717	{
16718		.cmd = NL80211_CMD_SET_WIPHY,
16719		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16720		.doit = nl80211_set_wiphy,
16721		.flags = GENL_UNS_ADMIN_PERM,
16722	},
16723	{
16724		.cmd = NL80211_CMD_GET_INTERFACE,
16725		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16726		.doit = nl80211_get_interface,
16727		.dumpit = nl80211_dump_interface,
16728		/* can be retrieved by unprivileged users */
16729		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
16730	},
16731	{
16732		.cmd = NL80211_CMD_SET_INTERFACE,
16733		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16734		.doit = nl80211_set_interface,
16735		.flags = GENL_UNS_ADMIN_PERM,
16736		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16737					 NL80211_FLAG_NEED_RTNL),
16738	},
16739	{
16740		.cmd = NL80211_CMD_NEW_INTERFACE,
16741		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16742		.doit = nl80211_new_interface,
16743		.flags = GENL_UNS_ADMIN_PERM,
16744		.internal_flags =
16745			IFLAGS(NL80211_FLAG_NEED_WIPHY |
16746			       NL80211_FLAG_NEED_RTNL |
16747			       /* we take the wiphy mutex later ourselves */
16748			       NL80211_FLAG_NO_WIPHY_MTX),
16749	},
16750	{
16751		.cmd = NL80211_CMD_DEL_INTERFACE,
16752		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16753		.doit = nl80211_del_interface,
16754		.flags = GENL_UNS_ADMIN_PERM,
16755		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
16756					 NL80211_FLAG_NEED_RTNL),
16757	},
16758	{
16759		.cmd = NL80211_CMD_GET_KEY,
16760		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16761		.doit = nl80211_get_key,
16762		.flags = GENL_UNS_ADMIN_PERM,
16763		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16764	},
16765	{
16766		.cmd = NL80211_CMD_SET_KEY,
16767		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16768		.doit = nl80211_set_key,
16769		.flags = GENL_UNS_ADMIN_PERM,
16770		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
16771		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16772					 NL80211_FLAG_CLEAR_SKB),
16773	},
16774	{
16775		.cmd = NL80211_CMD_NEW_KEY,
16776		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16777		.doit = nl80211_new_key,
16778		.flags = GENL_UNS_ADMIN_PERM,
16779		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16780					 NL80211_FLAG_CLEAR_SKB),
16781	},
16782	{
16783		.cmd = NL80211_CMD_DEL_KEY,
16784		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16785		.doit = nl80211_del_key,
16786		.flags = GENL_UNS_ADMIN_PERM,
16787		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16788	},
16789	{
16790		.cmd = NL80211_CMD_SET_BEACON,
16791		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16792		.flags = GENL_UNS_ADMIN_PERM,
16793		.doit = nl80211_set_beacon,
16794		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16795					 NL80211_FLAG_MLO_VALID_LINK_ID),
16796	},
16797	{
16798		.cmd = NL80211_CMD_START_AP,
16799		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16800		.flags = GENL_UNS_ADMIN_PERM,
16801		.doit = nl80211_start_ap,
16802		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16803					 NL80211_FLAG_MLO_VALID_LINK_ID),
16804	},
16805	{
16806		.cmd = NL80211_CMD_STOP_AP,
16807		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16808		.flags = GENL_UNS_ADMIN_PERM,
16809		.doit = nl80211_stop_ap,
16810		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16811					 NL80211_FLAG_MLO_VALID_LINK_ID),
16812	},
16813	{
16814		.cmd = NL80211_CMD_GET_STATION,
16815		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16816		.doit = nl80211_get_station,
16817		.dumpit = nl80211_dump_station,
16818		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16819	},
16820	{
16821		.cmd = NL80211_CMD_SET_STATION,
16822		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16823		.doit = nl80211_set_station,
16824		.flags = GENL_UNS_ADMIN_PERM,
16825		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16826	},
16827	{
16828		.cmd = NL80211_CMD_NEW_STATION,
16829		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16830		.doit = nl80211_new_station,
16831		.flags = GENL_UNS_ADMIN_PERM,
16832		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16833	},
16834	{
16835		.cmd = NL80211_CMD_DEL_STATION,
16836		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16837		.doit = nl80211_del_station,
16838		.flags = GENL_UNS_ADMIN_PERM,
16839		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16840	},
16841	{
16842		.cmd = NL80211_CMD_GET_MPATH,
16843		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16844		.doit = nl80211_get_mpath,
16845		.dumpit = nl80211_dump_mpath,
16846		.flags = GENL_UNS_ADMIN_PERM,
16847		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16848	},
16849	{
16850		.cmd = NL80211_CMD_GET_MPP,
16851		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16852		.doit = nl80211_get_mpp,
16853		.dumpit = nl80211_dump_mpp,
16854		.flags = GENL_UNS_ADMIN_PERM,
16855		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16856	},
16857	{
16858		.cmd = NL80211_CMD_SET_MPATH,
16859		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16860		.doit = nl80211_set_mpath,
16861		.flags = GENL_UNS_ADMIN_PERM,
16862		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16863	},
16864	{
16865		.cmd = NL80211_CMD_NEW_MPATH,
16866		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16867		.doit = nl80211_new_mpath,
16868		.flags = GENL_UNS_ADMIN_PERM,
16869		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16870	},
16871	{
16872		.cmd = NL80211_CMD_DEL_MPATH,
16873		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16874		.doit = nl80211_del_mpath,
16875		.flags = GENL_UNS_ADMIN_PERM,
16876		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16877	},
16878	{
16879		.cmd = NL80211_CMD_SET_BSS,
16880		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16881		.doit = nl80211_set_bss,
16882		.flags = GENL_UNS_ADMIN_PERM,
16883		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16884					 NL80211_FLAG_MLO_VALID_LINK_ID),
16885	},
16886	{
16887		.cmd = NL80211_CMD_GET_REG,
16888		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16889		.doit = nl80211_get_reg_do,
16890		.dumpit = nl80211_get_reg_dump,
16891		/* can be retrieved by unprivileged users */
16892	},
16893#ifdef CONFIG_CFG80211_CRDA_SUPPORT
16894	{
16895		.cmd = NL80211_CMD_SET_REG,
16896		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16897		.doit = nl80211_set_reg,
16898		.flags = GENL_ADMIN_PERM,
16899	},
16900#endif
16901	{
16902		.cmd = NL80211_CMD_REQ_SET_REG,
16903		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16904		.doit = nl80211_req_set_reg,
16905		.flags = GENL_ADMIN_PERM,
16906	},
16907	{
16908		.cmd = NL80211_CMD_RELOAD_REGDB,
16909		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16910		.doit = nl80211_reload_regdb,
16911		.flags = GENL_ADMIN_PERM,
16912	},
16913	{
16914		.cmd = NL80211_CMD_GET_MESH_CONFIG,
16915		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16916		.doit = nl80211_get_mesh_config,
16917		/* can be retrieved by unprivileged users */
16918		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16919	},
16920	{
16921		.cmd = NL80211_CMD_SET_MESH_CONFIG,
16922		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16923		.doit = nl80211_update_mesh_config,
16924		.flags = GENL_UNS_ADMIN_PERM,
16925		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16926	},
16927	{
16928		.cmd = NL80211_CMD_TRIGGER_SCAN,
16929		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16930		.doit = nl80211_trigger_scan,
16931		.flags = GENL_UNS_ADMIN_PERM,
16932		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16933	},
16934	{
16935		.cmd = NL80211_CMD_ABORT_SCAN,
16936		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16937		.doit = nl80211_abort_scan,
16938		.flags = GENL_UNS_ADMIN_PERM,
16939		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16940	},
16941	{
16942		.cmd = NL80211_CMD_GET_SCAN,
16943		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16944		.dumpit = nl80211_dump_scan,
16945	},
16946	{
16947		.cmd = NL80211_CMD_START_SCHED_SCAN,
16948		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16949		.doit = nl80211_start_sched_scan,
16950		.flags = GENL_UNS_ADMIN_PERM,
16951		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16952	},
16953	{
16954		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
16955		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16956		.doit = nl80211_stop_sched_scan,
16957		.flags = GENL_UNS_ADMIN_PERM,
16958		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16959	},
16960	{
16961		.cmd = NL80211_CMD_AUTHENTICATE,
16962		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16963		.doit = nl80211_authenticate,
16964		.flags = GENL_UNS_ADMIN_PERM,
16965		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16966					 NL80211_FLAG_CLEAR_SKB),
16967	},
16968	{
16969		.cmd = NL80211_CMD_ASSOCIATE,
16970		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16971		.doit = nl80211_associate,
16972		.flags = GENL_UNS_ADMIN_PERM,
16973		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16974					 NL80211_FLAG_CLEAR_SKB),
16975	},
16976	{
16977		.cmd = NL80211_CMD_DEAUTHENTICATE,
16978		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16979		.doit = nl80211_deauthenticate,
16980		.flags = GENL_UNS_ADMIN_PERM,
16981		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16982	},
16983	{
16984		.cmd = NL80211_CMD_DISASSOCIATE,
16985		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16986		.doit = nl80211_disassociate,
16987		.flags = GENL_UNS_ADMIN_PERM,
16988		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16989	},
16990	{
16991		.cmd = NL80211_CMD_JOIN_IBSS,
16992		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16993		.doit = nl80211_join_ibss,
16994		.flags = GENL_UNS_ADMIN_PERM,
16995		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16996	},
16997	{
16998		.cmd = NL80211_CMD_LEAVE_IBSS,
16999		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17000		.doit = nl80211_leave_ibss,
17001		.flags = GENL_UNS_ADMIN_PERM,
17002		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17003	},
17004#ifdef CONFIG_NL80211_TESTMODE
17005	{
17006		.cmd = NL80211_CMD_TESTMODE,
17007		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17008		.doit = nl80211_testmode_do,
17009		.dumpit = nl80211_testmode_dump,
17010		.flags = GENL_UNS_ADMIN_PERM,
17011		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17012	},
17013#endif
17014	{
17015		.cmd = NL80211_CMD_CONNECT,
17016		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17017		.doit = nl80211_connect,
17018		.flags = GENL_UNS_ADMIN_PERM,
17019		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17020					 NL80211_FLAG_CLEAR_SKB),
17021	},
17022	{
17023		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
17024		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17025		.doit = nl80211_update_connect_params,
17026		.flags = GENL_ADMIN_PERM,
17027		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17028					 NL80211_FLAG_CLEAR_SKB),
17029	},
17030	{
17031		.cmd = NL80211_CMD_DISCONNECT,
17032		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17033		.doit = nl80211_disconnect,
17034		.flags = GENL_UNS_ADMIN_PERM,
17035		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17036	},
17037	{
17038		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
17039		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17040		.doit = nl80211_wiphy_netns,
17041		.flags = GENL_UNS_ADMIN_PERM,
17042		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17043					 NL80211_FLAG_NEED_RTNL |
17044					 NL80211_FLAG_NO_WIPHY_MTX),
17045	},
17046	{
17047		.cmd = NL80211_CMD_GET_SURVEY,
17048		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17049		.dumpit = nl80211_dump_survey,
17050	},
17051	{
17052		.cmd = NL80211_CMD_SET_PMKSA,
17053		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17054		.doit = nl80211_setdel_pmksa,
17055		.flags = GENL_UNS_ADMIN_PERM,
17056		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17057					 NL80211_FLAG_CLEAR_SKB),
17058	},
17059	{
17060		.cmd = NL80211_CMD_DEL_PMKSA,
17061		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17062		.doit = nl80211_setdel_pmksa,
17063		.flags = GENL_UNS_ADMIN_PERM,
17064		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17065	},
17066	{
17067		.cmd = NL80211_CMD_FLUSH_PMKSA,
17068		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17069		.doit = nl80211_flush_pmksa,
17070		.flags = GENL_UNS_ADMIN_PERM,
17071		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17072	},
17073	{
17074		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
17075		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17076		.doit = nl80211_remain_on_channel,
17077		.flags = GENL_UNS_ADMIN_PERM,
17078		/* FIXME: requiring a link ID here is probably not good */
17079		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17080					 NL80211_FLAG_MLO_VALID_LINK_ID),
17081	},
17082	{
17083		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
17084		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17085		.doit = nl80211_cancel_remain_on_channel,
17086		.flags = GENL_UNS_ADMIN_PERM,
17087		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17088	},
17089	{
17090		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
17091		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17092		.doit = nl80211_set_tx_bitrate_mask,
17093		.flags = GENL_UNS_ADMIN_PERM,
17094		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17095					 NL80211_FLAG_MLO_VALID_LINK_ID),
17096	},
17097	{
17098		.cmd = NL80211_CMD_REGISTER_FRAME,
17099		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17100		.doit = nl80211_register_mgmt,
17101		.flags = GENL_UNS_ADMIN_PERM,
17102		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
17103	},
17104	{
17105		.cmd = NL80211_CMD_FRAME,
17106		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17107		.doit = nl80211_tx_mgmt,
17108		.flags = GENL_UNS_ADMIN_PERM,
17109		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17110	},
17111	{
17112		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
17113		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17114		.doit = nl80211_tx_mgmt_cancel_wait,
17115		.flags = GENL_UNS_ADMIN_PERM,
17116		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17117	},
17118	{
17119		.cmd = NL80211_CMD_SET_POWER_SAVE,
17120		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17121		.doit = nl80211_set_power_save,
17122		.flags = GENL_UNS_ADMIN_PERM,
17123		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17124	},
17125	{
17126		.cmd = NL80211_CMD_GET_POWER_SAVE,
17127		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17128		.doit = nl80211_get_power_save,
17129		/* can be retrieved by unprivileged users */
17130		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17131	},
17132	{
17133		.cmd = NL80211_CMD_SET_CQM,
17134		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17135		.doit = nl80211_set_cqm,
17136		.flags = GENL_UNS_ADMIN_PERM,
17137		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17138	},
17139	{
17140		.cmd = NL80211_CMD_SET_CHANNEL,
17141		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17142		.doit = nl80211_set_channel,
17143		.flags = GENL_UNS_ADMIN_PERM,
17144		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17145					 NL80211_FLAG_MLO_VALID_LINK_ID),
17146	},
17147	{
17148		.cmd = NL80211_CMD_JOIN_MESH,
17149		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17150		.doit = nl80211_join_mesh,
17151		.flags = GENL_UNS_ADMIN_PERM,
17152		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17153	},
17154	{
17155		.cmd = NL80211_CMD_LEAVE_MESH,
17156		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17157		.doit = nl80211_leave_mesh,
17158		.flags = GENL_UNS_ADMIN_PERM,
17159		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17160	},
17161	{
17162		.cmd = NL80211_CMD_JOIN_OCB,
17163		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17164		.doit = nl80211_join_ocb,
17165		.flags = GENL_UNS_ADMIN_PERM,
17166		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17167	},
17168	{
17169		.cmd = NL80211_CMD_LEAVE_OCB,
17170		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17171		.doit = nl80211_leave_ocb,
17172		.flags = GENL_UNS_ADMIN_PERM,
17173		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17174	},
17175#ifdef CONFIG_PM
17176	{
17177		.cmd = NL80211_CMD_GET_WOWLAN,
17178		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17179		.doit = nl80211_get_wowlan,
17180		/* can be retrieved by unprivileged users */
17181		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17182	},
17183	{
17184		.cmd = NL80211_CMD_SET_WOWLAN,
17185		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17186		.doit = nl80211_set_wowlan,
17187		.flags = GENL_UNS_ADMIN_PERM,
17188		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17189	},
17190#endif
17191	{
17192		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
17193		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17194		.doit = nl80211_set_rekey_data,
17195		.flags = GENL_UNS_ADMIN_PERM,
17196		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17197					 NL80211_FLAG_CLEAR_SKB),
17198	},
17199	{
17200		.cmd = NL80211_CMD_TDLS_MGMT,
17201		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17202		.doit = nl80211_tdls_mgmt,
17203		.flags = GENL_UNS_ADMIN_PERM,
17204		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17205					 NL80211_FLAG_MLO_VALID_LINK_ID),
17206	},
17207	{
17208		.cmd = NL80211_CMD_TDLS_OPER,
17209		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17210		.doit = nl80211_tdls_oper,
17211		.flags = GENL_UNS_ADMIN_PERM,
17212		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17213	},
17214	{
17215		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
17216		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17217		.doit = nl80211_register_unexpected_frame,
17218		.flags = GENL_UNS_ADMIN_PERM,
17219		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17220	},
17221	{
17222		.cmd = NL80211_CMD_PROBE_CLIENT,
17223		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17224		.doit = nl80211_probe_client,
17225		.flags = GENL_UNS_ADMIN_PERM,
17226		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17227	},
17228	{
17229		.cmd = NL80211_CMD_REGISTER_BEACONS,
17230		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17231		.doit = nl80211_register_beacons,
17232		.flags = GENL_UNS_ADMIN_PERM,
17233		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17234	},
17235	{
17236		.cmd = NL80211_CMD_SET_NOACK_MAP,
17237		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17238		.doit = nl80211_set_noack_map,
17239		.flags = GENL_UNS_ADMIN_PERM,
17240		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17241	},
17242	{
17243		.cmd = NL80211_CMD_START_P2P_DEVICE,
17244		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17245		.doit = nl80211_start_p2p_device,
17246		.flags = GENL_UNS_ADMIN_PERM,
17247		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17248					 NL80211_FLAG_NEED_RTNL),
17249	},
17250	{
17251		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
17252		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17253		.doit = nl80211_stop_p2p_device,
17254		.flags = GENL_UNS_ADMIN_PERM,
17255		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17256					 NL80211_FLAG_NEED_RTNL),
17257	},
17258	{
17259		.cmd = NL80211_CMD_START_NAN,
17260		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17261		.doit = nl80211_start_nan,
17262		.flags = GENL_ADMIN_PERM,
17263		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17264					 NL80211_FLAG_NEED_RTNL),
17265	},
17266	{
17267		.cmd = NL80211_CMD_STOP_NAN,
17268		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17269		.doit = nl80211_stop_nan,
17270		.flags = GENL_ADMIN_PERM,
17271		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17272					 NL80211_FLAG_NEED_RTNL),
17273	},
17274	{
17275		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
17276		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17277		.doit = nl80211_nan_add_func,
17278		.flags = GENL_ADMIN_PERM,
17279		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17280	},
17281	{
17282		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
17283		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17284		.doit = nl80211_nan_del_func,
17285		.flags = GENL_ADMIN_PERM,
17286		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17287	},
17288	{
17289		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
17290		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17291		.doit = nl80211_nan_change_config,
17292		.flags = GENL_ADMIN_PERM,
17293		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17294	},
17295	{
17296		.cmd = NL80211_CMD_SET_MCAST_RATE,
17297		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17298		.doit = nl80211_set_mcast_rate,
17299		.flags = GENL_UNS_ADMIN_PERM,
17300		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17301	},
17302	{
17303		.cmd = NL80211_CMD_SET_MAC_ACL,
17304		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17305		.doit = nl80211_set_mac_acl,
17306		.flags = GENL_UNS_ADMIN_PERM,
17307		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17308					 NL80211_FLAG_MLO_UNSUPPORTED),
17309	},
17310	{
17311		.cmd = NL80211_CMD_RADAR_DETECT,
17312		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17313		.doit = nl80211_start_radar_detection,
17314		.flags = GENL_UNS_ADMIN_PERM,
17315		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17316					 NL80211_FLAG_NO_WIPHY_MTX |
17317					 NL80211_FLAG_MLO_UNSUPPORTED),
17318	},
17319	{
17320		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
17321		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17322		.doit = nl80211_get_protocol_features,
17323	},
17324	{
17325		.cmd = NL80211_CMD_UPDATE_FT_IES,
17326		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17327		.doit = nl80211_update_ft_ies,
17328		.flags = GENL_UNS_ADMIN_PERM,
17329		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17330	},
17331	{
17332		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
17333		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17334		.doit = nl80211_crit_protocol_start,
17335		.flags = GENL_UNS_ADMIN_PERM,
17336		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17337	},
17338	{
17339		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
17340		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17341		.doit = nl80211_crit_protocol_stop,
17342		.flags = GENL_UNS_ADMIN_PERM,
17343		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17344	},
17345	{
17346		.cmd = NL80211_CMD_GET_COALESCE,
17347		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17348		.doit = nl80211_get_coalesce,
17349		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17350	},
17351	{
17352		.cmd = NL80211_CMD_SET_COALESCE,
17353		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17354		.doit = nl80211_set_coalesce,
17355		.flags = GENL_UNS_ADMIN_PERM,
17356		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17357	},
17358	{
17359		.cmd = NL80211_CMD_CHANNEL_SWITCH,
17360		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17361		.doit = nl80211_channel_switch,
17362		.flags = GENL_UNS_ADMIN_PERM,
17363		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17364					 NL80211_FLAG_MLO_VALID_LINK_ID),
17365	},
17366	{
17367		.cmd = NL80211_CMD_VENDOR,
17368		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17369		.doit = nl80211_vendor_cmd,
17370		.dumpit = nl80211_vendor_cmd_dump,
17371		.flags = GENL_UNS_ADMIN_PERM,
17372		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17373					 NL80211_FLAG_CLEAR_SKB),
17374	},
17375	{
17376		.cmd = NL80211_CMD_SET_QOS_MAP,
17377		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17378		.doit = nl80211_set_qos_map,
17379		.flags = GENL_UNS_ADMIN_PERM,
17380		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17381	},
17382	{
17383		.cmd = NL80211_CMD_ADD_TX_TS,
17384		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17385		.doit = nl80211_add_tx_ts,
17386		.flags = GENL_UNS_ADMIN_PERM,
17387		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17388					 NL80211_FLAG_MLO_UNSUPPORTED),
17389	},
17390	{
17391		.cmd = NL80211_CMD_DEL_TX_TS,
17392		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17393		.doit = nl80211_del_tx_ts,
17394		.flags = GENL_UNS_ADMIN_PERM,
17395		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17396	},
17397	{
17398		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
17399		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17400		.doit = nl80211_tdls_channel_switch,
17401		.flags = GENL_UNS_ADMIN_PERM,
17402		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17403	},
17404	{
17405		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
17406		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17407		.doit = nl80211_tdls_cancel_channel_switch,
17408		.flags = GENL_UNS_ADMIN_PERM,
17409		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17410	},
17411	{
17412		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
17413		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17414		.doit = nl80211_set_multicast_to_unicast,
17415		.flags = GENL_UNS_ADMIN_PERM,
17416		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17417	},
17418	{
17419		.cmd = NL80211_CMD_SET_PMK,
17420		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17421		.doit = nl80211_set_pmk,
17422		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17423					 NL80211_FLAG_CLEAR_SKB),
17424	},
17425	{
17426		.cmd = NL80211_CMD_DEL_PMK,
17427		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17428		.doit = nl80211_del_pmk,
17429		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17430	},
17431	{
17432		.cmd = NL80211_CMD_EXTERNAL_AUTH,
17433		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17434		.doit = nl80211_external_auth,
17435		.flags = GENL_ADMIN_PERM,
17436		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17437	},
17438	{
17439		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
17440		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17441		.doit = nl80211_tx_control_port,
17442		.flags = GENL_UNS_ADMIN_PERM,
17443		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17444	},
17445	{
17446		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
17447		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17448		.doit = nl80211_get_ftm_responder_stats,
17449		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17450					 NL80211_FLAG_MLO_VALID_LINK_ID),
17451	},
17452	{
17453		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
17454		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17455		.doit = nl80211_pmsr_start,
17456		.flags = GENL_UNS_ADMIN_PERM,
17457		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17458	},
17459	{
17460		.cmd = NL80211_CMD_NOTIFY_RADAR,
17461		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17462		.doit = nl80211_notify_radar_detection,
17463		.flags = GENL_UNS_ADMIN_PERM,
17464		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17465	},
17466	{
17467		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
17468		.doit = nl80211_update_owe_info,
17469		.flags = GENL_ADMIN_PERM,
17470		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17471	},
17472	{
17473		.cmd = NL80211_CMD_PROBE_MESH_LINK,
17474		.doit = nl80211_probe_mesh_link,
17475		.flags = GENL_UNS_ADMIN_PERM,
17476		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17477	},
17478	{
17479		.cmd = NL80211_CMD_SET_TID_CONFIG,
17480		.doit = nl80211_set_tid_config,
17481		.flags = GENL_UNS_ADMIN_PERM,
17482		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17483					 NL80211_FLAG_MLO_VALID_LINK_ID),
17484	},
17485	{
17486		.cmd = NL80211_CMD_SET_SAR_SPECS,
17487		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17488		.doit = nl80211_set_sar_specs,
17489		.flags = GENL_UNS_ADMIN_PERM,
17490		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17491					 NL80211_FLAG_NEED_RTNL),
17492	},
17493	{
17494		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
17495		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17496		.doit = nl80211_color_change,
17497		.flags = GENL_UNS_ADMIN_PERM,
17498		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17499	},
17500	{
17501		.cmd = NL80211_CMD_SET_FILS_AAD,
17502		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17503		.doit = nl80211_set_fils_aad,
17504		.flags = GENL_UNS_ADMIN_PERM,
17505		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17506	},
17507	{
17508		.cmd = NL80211_CMD_ADD_LINK,
17509		.doit = nl80211_add_link,
17510		.flags = GENL_UNS_ADMIN_PERM,
17511		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17512	},
17513	{
17514		.cmd = NL80211_CMD_REMOVE_LINK,
17515		.doit = nl80211_remove_link,
17516		.flags = GENL_UNS_ADMIN_PERM,
17517		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17518					 NL80211_FLAG_MLO_VALID_LINK_ID),
17519	},
17520	{
17521		.cmd = NL80211_CMD_ADD_LINK_STA,
17522		.doit = nl80211_add_link_station,
17523		.flags = GENL_UNS_ADMIN_PERM,
17524		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17525					 NL80211_FLAG_MLO_VALID_LINK_ID),
17526	},
17527	{
17528		.cmd = NL80211_CMD_MODIFY_LINK_STA,
17529		.doit = nl80211_modify_link_station,
17530		.flags = GENL_UNS_ADMIN_PERM,
17531		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17532					 NL80211_FLAG_MLO_VALID_LINK_ID),
17533	},
17534	{
17535		.cmd = NL80211_CMD_REMOVE_LINK_STA,
17536		.doit = nl80211_remove_link_station,
17537		.flags = GENL_UNS_ADMIN_PERM,
17538		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17539					 NL80211_FLAG_MLO_VALID_LINK_ID),
17540	},
17541	{
17542		.cmd = NL80211_CMD_SET_HW_TIMESTAMP,
17543		.doit = nl80211_set_hw_timestamp,
17544		.flags = GENL_UNS_ADMIN_PERM,
17545		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17546	},
17547};
17548
17549static struct genl_family nl80211_fam __ro_after_init = {
17550	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
17551	.hdrsize = 0,			/* no private header */
17552	.version = 1,			/* no particular meaning now */
17553	.maxattr = NL80211_ATTR_MAX,
17554	.policy = nl80211_policy,
17555	.netnsok = true,
17556	.pre_doit = nl80211_pre_doit,
17557	.post_doit = nl80211_post_doit,
17558	.module = THIS_MODULE,
17559	.ops = nl80211_ops,
17560	.n_ops = ARRAY_SIZE(nl80211_ops),
17561	.small_ops = nl80211_small_ops,
17562	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
17563	.resv_start_op = NL80211_CMD_REMOVE_LINK_STA + 1,
17564	.mcgrps = nl80211_mcgrps,
17565	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
17566	.parallel_ops = true,
17567};
17568
17569/* notification functions */
17570
17571void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
17572			  enum nl80211_commands cmd)
17573{
17574	struct sk_buff *msg;
17575	struct nl80211_dump_wiphy_state state = {};
17576
17577	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
17578		cmd != NL80211_CMD_DEL_WIPHY);
17579
17580	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17581	if (!msg)
17582		return;
17583
17584	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
17585		nlmsg_free(msg);
17586		return;
17587	}
17588
17589	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17590				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17591}
17592
17593void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
17594				struct wireless_dev *wdev,
17595				enum nl80211_commands cmd)
17596{
17597	struct sk_buff *msg;
17598
17599	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17600	if (!msg)
17601		return;
17602
17603	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
17604		nlmsg_free(msg);
17605		return;
17606	}
17607
17608	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17609				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17610}
17611
17612static int nl80211_add_scan_req(struct sk_buff *msg,
17613				struct cfg80211_registered_device *rdev)
17614{
17615	struct cfg80211_scan_request *req = rdev->scan_req;
17616	struct nlattr *nest;
17617	int i;
17618	struct cfg80211_scan_info *info;
17619
17620	if (WARN_ON(!req))
17621		return 0;
17622
17623	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
17624	if (!nest)
17625		goto nla_put_failure;
17626	for (i = 0; i < req->n_ssids; i++) {
17627		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
17628			goto nla_put_failure;
17629	}
17630	nla_nest_end(msg, nest);
17631
17632	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
17633		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
17634		if (!nest)
17635			goto nla_put_failure;
17636		for (i = 0; i < req->n_channels; i++) {
17637			if (nla_put_u32(msg, i,
17638				   ieee80211_channel_to_khz(req->channels[i])))
17639				goto nla_put_failure;
17640		}
17641		nla_nest_end(msg, nest);
17642	} else {
17643		nest = nla_nest_start_noflag(msg,
17644					     NL80211_ATTR_SCAN_FREQUENCIES);
17645		if (!nest)
17646			goto nla_put_failure;
17647		for (i = 0; i < req->n_channels; i++) {
17648			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
17649				goto nla_put_failure;
17650		}
17651		nla_nest_end(msg, nest);
17652	}
17653
17654	if (req->ie &&
17655	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
17656		goto nla_put_failure;
17657
17658	if (req->flags &&
17659	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
17660		goto nla_put_failure;
17661
17662	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
17663		&rdev->scan_req->info;
17664	if (info->scan_start_tsf &&
17665	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
17666			       info->scan_start_tsf, NL80211_BSS_PAD) ||
17667	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
17668		     info->tsf_bssid)))
17669		goto nla_put_failure;
17670
17671	return 0;
17672 nla_put_failure:
17673	return -ENOBUFS;
17674}
17675
17676static int nl80211_prep_scan_msg(struct sk_buff *msg,
17677				 struct cfg80211_registered_device *rdev,
17678				 struct wireless_dev *wdev,
17679				 u32 portid, u32 seq, int flags,
17680				 u32 cmd)
17681{
17682	void *hdr;
17683
17684	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
17685	if (!hdr)
17686		return -1;
17687
17688	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17689	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17690					 wdev->netdev->ifindex)) ||
17691	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17692			      NL80211_ATTR_PAD))
17693		goto nla_put_failure;
17694
17695	/* ignore errors and send incomplete event anyway */
17696	nl80211_add_scan_req(msg, rdev);
17697
17698	genlmsg_end(msg, hdr);
17699	return 0;
17700
17701 nla_put_failure:
17702	genlmsg_cancel(msg, hdr);
17703	return -EMSGSIZE;
17704}
17705
17706static int
17707nl80211_prep_sched_scan_msg(struct sk_buff *msg,
17708			    struct cfg80211_sched_scan_request *req, u32 cmd)
17709{
17710	void *hdr;
17711
17712	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17713	if (!hdr)
17714		return -1;
17715
17716	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
17717			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
17718	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
17719	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
17720			      NL80211_ATTR_PAD))
17721		goto nla_put_failure;
17722
17723	genlmsg_end(msg, hdr);
17724	return 0;
17725
17726 nla_put_failure:
17727	genlmsg_cancel(msg, hdr);
17728	return -EMSGSIZE;
17729}
17730
17731void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
17732			     struct wireless_dev *wdev)
17733{
17734	struct sk_buff *msg;
17735
17736	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17737	if (!msg)
17738		return;
17739
17740	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17741				  NL80211_CMD_TRIGGER_SCAN) < 0) {
17742		nlmsg_free(msg);
17743		return;
17744	}
17745
17746	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17747				NL80211_MCGRP_SCAN, GFP_KERNEL);
17748}
17749
17750struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
17751				       struct wireless_dev *wdev, bool aborted)
17752{
17753	struct sk_buff *msg;
17754
17755	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17756	if (!msg)
17757		return NULL;
17758
17759	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17760				  aborted ? NL80211_CMD_SCAN_ABORTED :
17761					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
17762		nlmsg_free(msg);
17763		return NULL;
17764	}
17765
17766	return msg;
17767}
17768
17769/* send message created by nl80211_build_scan_msg() */
17770void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
17771			   struct sk_buff *msg)
17772{
17773	if (!msg)
17774		return;
17775
17776	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17777				NL80211_MCGRP_SCAN, GFP_KERNEL);
17778}
17779
17780void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
17781{
17782	struct sk_buff *msg;
17783
17784	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17785	if (!msg)
17786		return;
17787
17788	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
17789		nlmsg_free(msg);
17790		return;
17791	}
17792
17793	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
17794				NL80211_MCGRP_SCAN, GFP_KERNEL);
17795}
17796
17797static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
17798					  struct regulatory_request *request)
17799{
17800	/* Userspace can always count this one always being set */
17801	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
17802		goto nla_put_failure;
17803
17804	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
17805		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17806			       NL80211_REGDOM_TYPE_WORLD))
17807			goto nla_put_failure;
17808	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
17809		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17810			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
17811			goto nla_put_failure;
17812	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
17813		   request->intersect) {
17814		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17815			       NL80211_REGDOM_TYPE_INTERSECTION))
17816			goto nla_put_failure;
17817	} else {
17818		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17819			       NL80211_REGDOM_TYPE_COUNTRY) ||
17820		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
17821				   request->alpha2))
17822			goto nla_put_failure;
17823	}
17824
17825	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
17826		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
17827
17828		if (wiphy &&
17829		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
17830			goto nla_put_failure;
17831
17832		if (wiphy &&
17833		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
17834		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
17835			goto nla_put_failure;
17836	}
17837
17838	return true;
17839
17840nla_put_failure:
17841	return false;
17842}
17843
17844/*
17845 * This can happen on global regulatory changes or device specific settings
17846 * based on custom regulatory domains.
17847 */
17848void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
17849				     struct regulatory_request *request)
17850{
17851	struct sk_buff *msg;
17852	void *hdr;
17853
17854	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17855	if (!msg)
17856		return;
17857
17858	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
17859	if (!hdr)
17860		goto nla_put_failure;
17861
17862	if (!nl80211_reg_change_event_fill(msg, request))
17863		goto nla_put_failure;
17864
17865	genlmsg_end(msg, hdr);
17866
17867	rcu_read_lock();
17868	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
17869				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
17870	rcu_read_unlock();
17871
17872	return;
17873
17874nla_put_failure:
17875	nlmsg_free(msg);
17876}
17877
17878static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
17879				    struct net_device *netdev,
17880				    const u8 *buf, size_t len,
17881				    enum nl80211_commands cmd, gfp_t gfp,
17882				    int uapsd_queues, const u8 *req_ies,
17883				    size_t req_ies_len, bool reconnect)
17884{
17885	struct sk_buff *msg;
17886	void *hdr;
17887
17888	msg = nlmsg_new(100 + len + req_ies_len, gfp);
17889	if (!msg)
17890		return;
17891
17892	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17893	if (!hdr) {
17894		nlmsg_free(msg);
17895		return;
17896	}
17897
17898	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17899	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17900	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17901	    (req_ies &&
17902	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
17903		goto nla_put_failure;
17904
17905	if (reconnect && nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
17906		goto nla_put_failure;
17907
17908	if (uapsd_queues >= 0) {
17909		struct nlattr *nla_wmm =
17910			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
17911		if (!nla_wmm)
17912			goto nla_put_failure;
17913
17914		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
17915			       uapsd_queues))
17916			goto nla_put_failure;
17917
17918		nla_nest_end(msg, nla_wmm);
17919	}
17920
17921	genlmsg_end(msg, hdr);
17922
17923	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17924				NL80211_MCGRP_MLME, gfp);
17925	return;
17926
17927 nla_put_failure:
17928	nlmsg_free(msg);
17929}
17930
17931void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
17932			  struct net_device *netdev, const u8 *buf,
17933			  size_t len, gfp_t gfp)
17934{
17935	nl80211_send_mlme_event(rdev, netdev, buf, len,
17936				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0,
17937				false);
17938}
17939
17940void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
17941			   struct net_device *netdev,
17942			   struct cfg80211_rx_assoc_resp *data)
17943{
17944	nl80211_send_mlme_event(rdev, netdev, data->buf, data->len,
17945				NL80211_CMD_ASSOCIATE, GFP_KERNEL,
17946				data->uapsd_queues,
17947				data->req_ies, data->req_ies_len, false);
17948}
17949
17950void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
17951			 struct net_device *netdev, const u8 *buf,
17952			 size_t len, bool reconnect, gfp_t gfp)
17953{
17954	nl80211_send_mlme_event(rdev, netdev, buf, len,
17955				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0,
17956				reconnect);
17957}
17958
17959void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
17960			   struct net_device *netdev, const u8 *buf,
17961			   size_t len, bool reconnect, gfp_t gfp)
17962{
17963	nl80211_send_mlme_event(rdev, netdev, buf, len,
17964				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0,
17965				reconnect);
17966}
17967
17968void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
17969				  size_t len)
17970{
17971	struct wireless_dev *wdev = dev->ieee80211_ptr;
17972	struct wiphy *wiphy = wdev->wiphy;
17973	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17974	const struct ieee80211_mgmt *mgmt = (void *)buf;
17975	u32 cmd;
17976
17977	if (WARN_ON(len < 2))
17978		return;
17979
17980	if (ieee80211_is_deauth(mgmt->frame_control)) {
17981		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
17982	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
17983		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
17984	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
17985		if (wdev->unprot_beacon_reported &&
17986		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
17987			return;
17988		cmd = NL80211_CMD_UNPROT_BEACON;
17989		wdev->unprot_beacon_reported = jiffies;
17990	} else {
17991		return;
17992	}
17993
17994	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
17995	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
17996				NULL, 0, false);
17997}
17998EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
17999
18000static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
18001				      struct net_device *netdev, int cmd,
18002				      const u8 *addr, gfp_t gfp)
18003{
18004	struct sk_buff *msg;
18005	void *hdr;
18006
18007	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18008	if (!msg)
18009		return;
18010
18011	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18012	if (!hdr) {
18013		nlmsg_free(msg);
18014		return;
18015	}
18016
18017	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18018	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18019	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18020	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18021		goto nla_put_failure;
18022
18023	genlmsg_end(msg, hdr);
18024
18025	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18026				NL80211_MCGRP_MLME, gfp);
18027	return;
18028
18029 nla_put_failure:
18030	nlmsg_free(msg);
18031}
18032
18033void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
18034			       struct net_device *netdev, const u8 *addr,
18035			       gfp_t gfp)
18036{
18037	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
18038				  addr, gfp);
18039}
18040
18041void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
18042				struct net_device *netdev, const u8 *addr,
18043				gfp_t gfp)
18044{
18045	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
18046				  addr, gfp);
18047}
18048
18049void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
18050				 struct net_device *netdev,
18051				 struct cfg80211_connect_resp_params *cr,
18052				 gfp_t gfp)
18053{
18054	struct sk_buff *msg;
18055	void *hdr;
18056	unsigned int link;
18057	size_t link_info_size = 0;
18058	const u8 *connected_addr = cr->valid_links ?
18059				   cr->ap_mld_addr : cr->links[0].bssid;
18060
18061	if (cr->valid_links) {
18062		for_each_valid_link(cr, link) {
18063			/* Nested attribute header */
18064			link_info_size += NLA_HDRLEN;
18065			/* Link ID */
18066			link_info_size += nla_total_size(sizeof(u8));
18067			link_info_size += cr->links[link].addr ?
18068					  nla_total_size(ETH_ALEN) : 0;
18069			link_info_size += (cr->links[link].bssid ||
18070					   cr->links[link].bss) ?
18071					  nla_total_size(ETH_ALEN) : 0;
18072			link_info_size += nla_total_size(sizeof(u16));
18073		}
18074	}
18075
18076	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
18077			cr->fils.kek_len + cr->fils.pmk_len +
18078			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
18079			gfp);
18080	if (!msg)
18081		return;
18082
18083	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
18084	if (!hdr) {
18085		nlmsg_free(msg);
18086		return;
18087	}
18088
18089	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18090	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18091	    (connected_addr &&
18092	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
18093	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18094			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
18095			cr->status) ||
18096	    (cr->status < 0 &&
18097	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18098	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
18099			  cr->timeout_reason))) ||
18100	    (cr->req_ie &&
18101	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
18102	    (cr->resp_ie &&
18103	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
18104		     cr->resp_ie)) ||
18105	    (cr->fils.update_erp_next_seq_num &&
18106	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18107			 cr->fils.erp_next_seq_num)) ||
18108	    (cr->status == WLAN_STATUS_SUCCESS &&
18109	     ((cr->fils.kek &&
18110	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
18111		       cr->fils.kek)) ||
18112	      (cr->fils.pmk &&
18113	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
18114	      (cr->fils.pmkid &&
18115	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
18116		goto nla_put_failure;
18117
18118	if (cr->valid_links) {
18119		int i = 1;
18120		struct nlattr *nested;
18121
18122		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18123		if (!nested)
18124			goto nla_put_failure;
18125
18126		for_each_valid_link(cr, link) {
18127			struct nlattr *nested_mlo_links;
18128			const u8 *bssid = cr->links[link].bss ?
18129					  cr->links[link].bss->bssid :
18130					  cr->links[link].bssid;
18131
18132			nested_mlo_links = nla_nest_start(msg, i);
18133			if (!nested_mlo_links)
18134				goto nla_put_failure;
18135
18136			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18137			    (bssid &&
18138			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18139			    (cr->links[link].addr &&
18140			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18141				     cr->links[link].addr)) ||
18142			    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18143					cr->links[link].status))
18144				goto nla_put_failure;
18145
18146			nla_nest_end(msg, nested_mlo_links);
18147			i++;
18148		}
18149		nla_nest_end(msg, nested);
18150	}
18151
18152	genlmsg_end(msg, hdr);
18153
18154	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18155				NL80211_MCGRP_MLME, gfp);
18156	return;
18157
18158 nla_put_failure:
18159	nlmsg_free(msg);
18160}
18161
18162void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
18163			 struct net_device *netdev,
18164			 struct cfg80211_roam_info *info, gfp_t gfp)
18165{
18166	struct sk_buff *msg;
18167	void *hdr;
18168	size_t link_info_size = 0;
18169	unsigned int link;
18170	const u8 *connected_addr = info->ap_mld_addr ?
18171				   info->ap_mld_addr :
18172				   (info->links[0].bss ?
18173				    info->links[0].bss->bssid :
18174				    info->links[0].bssid);
18175
18176	if (info->valid_links) {
18177		for_each_valid_link(info, link) {
18178			/* Nested attribute header */
18179			link_info_size += NLA_HDRLEN;
18180			/* Link ID */
18181			link_info_size += nla_total_size(sizeof(u8));
18182			link_info_size += info->links[link].addr ?
18183					  nla_total_size(ETH_ALEN) : 0;
18184			link_info_size += (info->links[link].bssid ||
18185					   info->links[link].bss) ?
18186					  nla_total_size(ETH_ALEN) : 0;
18187		}
18188	}
18189
18190	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
18191			info->fils.kek_len + info->fils.pmk_len +
18192			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
18193			link_info_size, gfp);
18194	if (!msg)
18195		return;
18196
18197	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
18198	if (!hdr) {
18199		nlmsg_free(msg);
18200		return;
18201	}
18202
18203	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18204	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18205	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
18206	    (info->req_ie &&
18207	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
18208		     info->req_ie)) ||
18209	    (info->resp_ie &&
18210	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
18211		     info->resp_ie)) ||
18212	    (info->fils.update_erp_next_seq_num &&
18213	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18214			 info->fils.erp_next_seq_num)) ||
18215	    (info->fils.kek &&
18216	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
18217		     info->fils.kek)) ||
18218	    (info->fils.pmk &&
18219	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
18220	    (info->fils.pmkid &&
18221	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
18222		goto nla_put_failure;
18223
18224	if (info->valid_links) {
18225		int i = 1;
18226		struct nlattr *nested;
18227
18228		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18229		if (!nested)
18230			goto nla_put_failure;
18231
18232		for_each_valid_link(info, link) {
18233			struct nlattr *nested_mlo_links;
18234			const u8 *bssid = info->links[link].bss ?
18235					  info->links[link].bss->bssid :
18236					  info->links[link].bssid;
18237
18238			nested_mlo_links = nla_nest_start(msg, i);
18239			if (!nested_mlo_links)
18240				goto nla_put_failure;
18241
18242			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18243			    (bssid &&
18244			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18245			    (info->links[link].addr &&
18246			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18247				     info->links[link].addr)))
18248				goto nla_put_failure;
18249
18250			nla_nest_end(msg, nested_mlo_links);
18251			i++;
18252		}
18253		nla_nest_end(msg, nested);
18254	}
18255
18256	genlmsg_end(msg, hdr);
18257
18258	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18259				NL80211_MCGRP_MLME, gfp);
18260	return;
18261
18262 nla_put_failure:
18263	nlmsg_free(msg);
18264}
18265
18266void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
18267				  struct net_device *netdev, const u8 *bssid,
18268				  const u8 *td_bitmap, u8 td_bitmap_len)
18269{
18270	struct sk_buff *msg;
18271	void *hdr;
18272
18273	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18274	if (!msg)
18275		return;
18276
18277	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
18278	if (!hdr) {
18279		nlmsg_free(msg);
18280		return;
18281	}
18282
18283	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18284	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18285	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
18286		goto nla_put_failure;
18287
18288	if ((td_bitmap_len > 0) && td_bitmap)
18289		if (nla_put(msg, NL80211_ATTR_TD_BITMAP,
18290			    td_bitmap_len, td_bitmap))
18291			goto nla_put_failure;
18292
18293	genlmsg_end(msg, hdr);
18294
18295	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18296				NL80211_MCGRP_MLME, GFP_KERNEL);
18297	return;
18298
18299 nla_put_failure:
18300	nlmsg_free(msg);
18301}
18302
18303void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
18304			       struct net_device *netdev, u16 reason,
18305			       const u8 *ie, size_t ie_len, bool from_ap)
18306{
18307	struct sk_buff *msg;
18308	void *hdr;
18309
18310	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
18311	if (!msg)
18312		return;
18313
18314	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
18315	if (!hdr) {
18316		nlmsg_free(msg);
18317		return;
18318	}
18319
18320	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18321	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18322	    (reason &&
18323	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
18324	    (from_ap &&
18325	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
18326	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
18327		goto nla_put_failure;
18328
18329	genlmsg_end(msg, hdr);
18330
18331	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18332				NL80211_MCGRP_MLME, GFP_KERNEL);
18333	return;
18334
18335 nla_put_failure:
18336	nlmsg_free(msg);
18337}
18338
18339void cfg80211_links_removed(struct net_device *dev, u16 link_mask)
18340{
18341	struct wireless_dev *wdev = dev->ieee80211_ptr;
18342	struct wiphy *wiphy = wdev->wiphy;
18343	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18344	struct sk_buff *msg;
18345	struct nlattr *links;
18346	void *hdr;
18347
18348	ASSERT_WDEV_LOCK(wdev);
18349	trace_cfg80211_links_removed(dev, link_mask);
18350
18351	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION &&
18352		    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT))
18353		return;
18354
18355	if (WARN_ON(!wdev->valid_links || !link_mask ||
18356		    (wdev->valid_links & link_mask) != link_mask ||
18357		    wdev->valid_links == link_mask))
18358		return;
18359
18360	cfg80211_wdev_release_link_bsses(wdev, link_mask);
18361	wdev->valid_links &= ~link_mask;
18362
18363	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18364	if (!msg)
18365		return;
18366
18367	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_LINKS_REMOVED);
18368	if (!hdr) {
18369		nlmsg_free(msg);
18370		return;
18371	}
18372
18373	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18374	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18375		goto nla_put_failure;
18376
18377	links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18378	if (!links)
18379		goto nla_put_failure;
18380
18381	while (link_mask) {
18382		struct nlattr *link;
18383		int link_id = __ffs(link_mask);
18384
18385		link = nla_nest_start(msg, link_id + 1);
18386		if (!link)
18387			goto nla_put_failure;
18388
18389		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
18390			goto nla_put_failure;
18391
18392		nla_nest_end(msg, link);
18393		link_mask &= ~(1 << link_id);
18394	}
18395
18396	nla_nest_end(msg, links);
18397
18398	genlmsg_end(msg, hdr);
18399
18400	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18401				NL80211_MCGRP_MLME, GFP_KERNEL);
18402	return;
18403
18404 nla_put_failure:
18405	nlmsg_free(msg);
18406}
18407EXPORT_SYMBOL(cfg80211_links_removed);
18408
18409void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
18410			     struct net_device *netdev, const u8 *bssid,
18411			     gfp_t gfp)
18412{
18413	struct sk_buff *msg;
18414	void *hdr;
18415
18416	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18417	if (!msg)
18418		return;
18419
18420	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
18421	if (!hdr) {
18422		nlmsg_free(msg);
18423		return;
18424	}
18425
18426	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18427	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18428	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
18429		goto nla_put_failure;
18430
18431	genlmsg_end(msg, hdr);
18432
18433	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18434				NL80211_MCGRP_MLME, gfp);
18435	return;
18436
18437 nla_put_failure:
18438	nlmsg_free(msg);
18439}
18440
18441void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
18442					const u8 *ie, u8 ie_len,
18443					int sig_dbm, gfp_t gfp)
18444{
18445	struct wireless_dev *wdev = dev->ieee80211_ptr;
18446	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18447	struct sk_buff *msg;
18448	void *hdr;
18449
18450	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
18451		return;
18452
18453	trace_cfg80211_notify_new_peer_candidate(dev, addr);
18454
18455	msg = nlmsg_new(100 + ie_len, gfp);
18456	if (!msg)
18457		return;
18458
18459	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
18460	if (!hdr) {
18461		nlmsg_free(msg);
18462		return;
18463	}
18464
18465	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18466	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18467	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18468	    (ie_len && ie &&
18469	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
18470	    (sig_dbm &&
18471	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
18472		goto nla_put_failure;
18473
18474	genlmsg_end(msg, hdr);
18475
18476	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18477				NL80211_MCGRP_MLME, gfp);
18478	return;
18479
18480 nla_put_failure:
18481	nlmsg_free(msg);
18482}
18483EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
18484
18485void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
18486				 struct net_device *netdev, const u8 *addr,
18487				 enum nl80211_key_type key_type, int key_id,
18488				 const u8 *tsc, gfp_t gfp)
18489{
18490	struct sk_buff *msg;
18491	void *hdr;
18492
18493	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18494	if (!msg)
18495		return;
18496
18497	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
18498	if (!hdr) {
18499		nlmsg_free(msg);
18500		return;
18501	}
18502
18503	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18504	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18505	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
18506	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
18507	    (key_id != -1 &&
18508	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
18509	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
18510		goto nla_put_failure;
18511
18512	genlmsg_end(msg, hdr);
18513
18514	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18515				NL80211_MCGRP_MLME, gfp);
18516	return;
18517
18518 nla_put_failure:
18519	nlmsg_free(msg);
18520}
18521
18522void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
18523				    struct ieee80211_channel *channel_before,
18524				    struct ieee80211_channel *channel_after)
18525{
18526	struct sk_buff *msg;
18527	void *hdr;
18528	struct nlattr *nl_freq;
18529
18530	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
18531	if (!msg)
18532		return;
18533
18534	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
18535	if (!hdr) {
18536		nlmsg_free(msg);
18537		return;
18538	}
18539
18540	/*
18541	 * Since we are applying the beacon hint to a wiphy we know its
18542	 * wiphy_idx is valid
18543	 */
18544	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
18545		goto nla_put_failure;
18546
18547	/* Before */
18548	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
18549	if (!nl_freq)
18550		goto nla_put_failure;
18551
18552	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
18553		goto nla_put_failure;
18554	nla_nest_end(msg, nl_freq);
18555
18556	/* After */
18557	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
18558	if (!nl_freq)
18559		goto nla_put_failure;
18560
18561	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
18562		goto nla_put_failure;
18563	nla_nest_end(msg, nl_freq);
18564
18565	genlmsg_end(msg, hdr);
18566
18567	rcu_read_lock();
18568	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
18569				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
18570	rcu_read_unlock();
18571
18572	return;
18573
18574nla_put_failure:
18575	nlmsg_free(msg);
18576}
18577
18578static void nl80211_send_remain_on_chan_event(
18579	int cmd, struct cfg80211_registered_device *rdev,
18580	struct wireless_dev *wdev, u64 cookie,
18581	struct ieee80211_channel *chan,
18582	unsigned int duration, gfp_t gfp)
18583{
18584	struct sk_buff *msg;
18585	void *hdr;
18586
18587	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18588	if (!msg)
18589		return;
18590
18591	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18592	if (!hdr) {
18593		nlmsg_free(msg);
18594		return;
18595	}
18596
18597	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18598	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18599					 wdev->netdev->ifindex)) ||
18600	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18601			      NL80211_ATTR_PAD) ||
18602	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
18603	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
18604			NL80211_CHAN_NO_HT) ||
18605	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
18606			      NL80211_ATTR_PAD))
18607		goto nla_put_failure;
18608
18609	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
18610	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
18611		goto nla_put_failure;
18612
18613	genlmsg_end(msg, hdr);
18614
18615	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18616				NL80211_MCGRP_MLME, gfp);
18617	return;
18618
18619 nla_put_failure:
18620	nlmsg_free(msg);
18621}
18622
18623void cfg80211_assoc_comeback(struct net_device *netdev,
18624			     const u8 *ap_addr, u32 timeout)
18625{
18626	struct wireless_dev *wdev = netdev->ieee80211_ptr;
18627	struct wiphy *wiphy = wdev->wiphy;
18628	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18629	struct sk_buff *msg;
18630	void *hdr;
18631
18632	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
18633
18634	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18635	if (!msg)
18636		return;
18637
18638	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
18639	if (!hdr) {
18640		nlmsg_free(msg);
18641		return;
18642	}
18643
18644	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18645	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18646	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
18647	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
18648		goto nla_put_failure;
18649
18650	genlmsg_end(msg, hdr);
18651
18652	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18653				NL80211_MCGRP_MLME, GFP_KERNEL);
18654	return;
18655
18656 nla_put_failure:
18657	nlmsg_free(msg);
18658}
18659EXPORT_SYMBOL(cfg80211_assoc_comeback);
18660
18661void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
18662			       struct ieee80211_channel *chan,
18663			       unsigned int duration, gfp_t gfp)
18664{
18665	struct wiphy *wiphy = wdev->wiphy;
18666	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18667
18668	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
18669	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
18670					  rdev, wdev, cookie, chan,
18671					  duration, gfp);
18672}
18673EXPORT_SYMBOL(cfg80211_ready_on_channel);
18674
18675void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
18676					struct ieee80211_channel *chan,
18677					gfp_t gfp)
18678{
18679	struct wiphy *wiphy = wdev->wiphy;
18680	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18681
18682	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
18683	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
18684					  rdev, wdev, cookie, chan, 0, gfp);
18685}
18686EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
18687
18688void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
18689					struct ieee80211_channel *chan,
18690					gfp_t gfp)
18691{
18692	struct wiphy *wiphy = wdev->wiphy;
18693	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18694
18695	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
18696	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
18697					  rdev, wdev, cookie, chan, 0, gfp);
18698}
18699EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
18700
18701void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
18702		      struct station_info *sinfo, gfp_t gfp)
18703{
18704	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18705	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18706	struct sk_buff *msg;
18707
18708	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
18709
18710	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18711	if (!msg)
18712		return;
18713
18714	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
18715				 rdev, dev, mac_addr, sinfo) < 0) {
18716		nlmsg_free(msg);
18717		return;
18718	}
18719
18720	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18721				NL80211_MCGRP_MLME, gfp);
18722}
18723EXPORT_SYMBOL(cfg80211_new_sta);
18724
18725void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
18726			    struct station_info *sinfo, gfp_t gfp)
18727{
18728	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18729	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18730	struct sk_buff *msg;
18731	struct station_info empty_sinfo = {};
18732
18733	if (!sinfo)
18734		sinfo = &empty_sinfo;
18735
18736	trace_cfg80211_del_sta(dev, mac_addr);
18737
18738	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18739	if (!msg) {
18740		cfg80211_sinfo_release_content(sinfo);
18741		return;
18742	}
18743
18744	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
18745				 rdev, dev, mac_addr, sinfo) < 0) {
18746		nlmsg_free(msg);
18747		return;
18748	}
18749
18750	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18751				NL80211_MCGRP_MLME, gfp);
18752}
18753EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
18754
18755void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
18756			  enum nl80211_connect_failed_reason reason,
18757			  gfp_t gfp)
18758{
18759	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18760	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18761	struct sk_buff *msg;
18762	void *hdr;
18763
18764	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
18765	if (!msg)
18766		return;
18767
18768	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
18769	if (!hdr) {
18770		nlmsg_free(msg);
18771		return;
18772	}
18773
18774	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18775	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
18776	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
18777		goto nla_put_failure;
18778
18779	genlmsg_end(msg, hdr);
18780
18781	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18782				NL80211_MCGRP_MLME, gfp);
18783	return;
18784
18785 nla_put_failure:
18786	nlmsg_free(msg);
18787}
18788EXPORT_SYMBOL(cfg80211_conn_failed);
18789
18790static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
18791				       const u8 *addr, gfp_t gfp)
18792{
18793	struct wireless_dev *wdev = dev->ieee80211_ptr;
18794	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18795	struct sk_buff *msg;
18796	void *hdr;
18797	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
18798
18799	if (!nlportid)
18800		return false;
18801
18802	msg = nlmsg_new(100, gfp);
18803	if (!msg)
18804		return true;
18805
18806	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18807	if (!hdr) {
18808		nlmsg_free(msg);
18809		return true;
18810	}
18811
18812	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18813	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18814	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18815		goto nla_put_failure;
18816
18817	genlmsg_end(msg, hdr);
18818	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18819	return true;
18820
18821 nla_put_failure:
18822	nlmsg_free(msg);
18823	return true;
18824}
18825
18826bool cfg80211_rx_spurious_frame(struct net_device *dev,
18827				const u8 *addr, gfp_t gfp)
18828{
18829	struct wireless_dev *wdev = dev->ieee80211_ptr;
18830	bool ret;
18831
18832	trace_cfg80211_rx_spurious_frame(dev, addr);
18833
18834	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
18835		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
18836		trace_cfg80211_return_bool(false);
18837		return false;
18838	}
18839	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
18840					 addr, gfp);
18841	trace_cfg80211_return_bool(ret);
18842	return ret;
18843}
18844EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
18845
18846bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
18847					const u8 *addr, gfp_t gfp)
18848{
18849	struct wireless_dev *wdev = dev->ieee80211_ptr;
18850	bool ret;
18851
18852	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
18853
18854	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
18855		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
18856		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
18857		trace_cfg80211_return_bool(false);
18858		return false;
18859	}
18860	ret = __nl80211_unexpected_frame(dev,
18861					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
18862					 addr, gfp);
18863	trace_cfg80211_return_bool(ret);
18864	return ret;
18865}
18866EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
18867
18868int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
18869		      struct wireless_dev *wdev, u32 nlportid,
18870		      struct cfg80211_rx_info *info, gfp_t gfp)
18871{
18872	struct net_device *netdev = wdev->netdev;
18873	struct sk_buff *msg;
18874	void *hdr;
18875
18876	msg = nlmsg_new(100 + info->len, gfp);
18877	if (!msg)
18878		return -ENOMEM;
18879
18880	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
18881	if (!hdr) {
18882		nlmsg_free(msg);
18883		return -ENOMEM;
18884	}
18885
18886	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18887	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18888					netdev->ifindex)) ||
18889	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18890			      NL80211_ATTR_PAD) ||
18891	    (info->have_link_id &&
18892	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
18893	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
18894	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
18895	    (info->sig_dbm &&
18896	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
18897	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
18898	    (info->flags &&
18899	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
18900	    (info->rx_tstamp && nla_put_u64_64bit(msg,
18901						  NL80211_ATTR_RX_HW_TIMESTAMP,
18902						  info->rx_tstamp,
18903						  NL80211_ATTR_PAD)) ||
18904	    (info->ack_tstamp && nla_put_u64_64bit(msg,
18905						   NL80211_ATTR_TX_HW_TIMESTAMP,
18906						   info->ack_tstamp,
18907						   NL80211_ATTR_PAD)))
18908		goto nla_put_failure;
18909
18910	genlmsg_end(msg, hdr);
18911
18912	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18913
18914 nla_put_failure:
18915	nlmsg_free(msg);
18916	return -ENOBUFS;
18917}
18918
18919static void nl80211_frame_tx_status(struct wireless_dev *wdev,
18920				    struct cfg80211_tx_status *status,
18921				    gfp_t gfp, enum nl80211_commands command)
18922{
18923	struct wiphy *wiphy = wdev->wiphy;
18924	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18925	struct net_device *netdev = wdev->netdev;
18926	struct sk_buff *msg;
18927	void *hdr;
18928
18929	if (command == NL80211_CMD_FRAME_TX_STATUS)
18930		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
18931					      status->ack);
18932	else
18933		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
18934						      status->ack);
18935
18936	msg = nlmsg_new(100 + status->len, gfp);
18937	if (!msg)
18938		return;
18939
18940	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
18941	if (!hdr) {
18942		nlmsg_free(msg);
18943		return;
18944	}
18945
18946	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18947	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18948				   netdev->ifindex)) ||
18949	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18950			      NL80211_ATTR_PAD) ||
18951	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
18952	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
18953			      NL80211_ATTR_PAD) ||
18954	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
18955	    (status->tx_tstamp &&
18956	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
18957			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
18958	    (status->ack_tstamp &&
18959	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
18960			       status->ack_tstamp, NL80211_ATTR_PAD)))
18961		goto nla_put_failure;
18962
18963	genlmsg_end(msg, hdr);
18964
18965	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18966				NL80211_MCGRP_MLME, gfp);
18967	return;
18968
18969nla_put_failure:
18970	nlmsg_free(msg);
18971}
18972
18973void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
18974				     const u8 *buf, size_t len, bool ack,
18975				     gfp_t gfp)
18976{
18977	struct cfg80211_tx_status status = {
18978		.cookie = cookie,
18979		.buf = buf,
18980		.len = len,
18981		.ack = ack
18982	};
18983
18984	nl80211_frame_tx_status(wdev, &status, gfp,
18985				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
18986}
18987EXPORT_SYMBOL(cfg80211_control_port_tx_status);
18988
18989void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
18990				 struct cfg80211_tx_status *status, gfp_t gfp)
18991{
18992	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
18993}
18994EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
18995
18996static int __nl80211_rx_control_port(struct net_device *dev,
18997				     struct sk_buff *skb,
18998				     bool unencrypted,
18999				     int link_id,
19000				     gfp_t gfp)
19001{
19002	struct wireless_dev *wdev = dev->ieee80211_ptr;
19003	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19004	struct ethhdr *ehdr = eth_hdr(skb);
19005	const u8 *addr = ehdr->h_source;
19006	u16 proto = be16_to_cpu(skb->protocol);
19007	struct sk_buff *msg;
19008	void *hdr;
19009	struct nlattr *frame;
19010
19011	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
19012
19013	if (!nlportid)
19014		return -ENOENT;
19015
19016	msg = nlmsg_new(100 + skb->len, gfp);
19017	if (!msg)
19018		return -ENOMEM;
19019
19020	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
19021	if (!hdr) {
19022		nlmsg_free(msg);
19023		return -ENOBUFS;
19024	}
19025
19026	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19027	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19028	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19029			      NL80211_ATTR_PAD) ||
19030	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19031	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
19032	    (link_id >= 0 &&
19033	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)) ||
19034	    (unencrypted && nla_put_flag(msg,
19035					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
19036		goto nla_put_failure;
19037
19038	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
19039	if (!frame)
19040		goto nla_put_failure;
19041
19042	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
19043	genlmsg_end(msg, hdr);
19044
19045	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19046
19047 nla_put_failure:
19048	nlmsg_free(msg);
19049	return -ENOBUFS;
19050}
19051
19052bool cfg80211_rx_control_port(struct net_device *dev, struct sk_buff *skb,
19053			      bool unencrypted, int link_id)
19054{
19055	int ret;
19056
19057	trace_cfg80211_rx_control_port(dev, skb, unencrypted, link_id);
19058	ret = __nl80211_rx_control_port(dev, skb, unencrypted, link_id,
19059					GFP_ATOMIC);
19060	trace_cfg80211_return_bool(ret == 0);
19061	return ret == 0;
19062}
19063EXPORT_SYMBOL(cfg80211_rx_control_port);
19064
19065static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
19066					    const char *mac, gfp_t gfp)
19067{
19068	struct wireless_dev *wdev = dev->ieee80211_ptr;
19069	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19070	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19071	void **cb;
19072
19073	if (!msg)
19074		return NULL;
19075
19076	cb = (void **)msg->cb;
19077
19078	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
19079	if (!cb[0]) {
19080		nlmsg_free(msg);
19081		return NULL;
19082	}
19083
19084	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19085	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19086		goto nla_put_failure;
19087
19088	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19089		goto nla_put_failure;
19090
19091	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
19092	if (!cb[1])
19093		goto nla_put_failure;
19094
19095	cb[2] = rdev;
19096
19097	return msg;
19098 nla_put_failure:
19099	nlmsg_free(msg);
19100	return NULL;
19101}
19102
19103static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
19104{
19105	void **cb = (void **)msg->cb;
19106	struct cfg80211_registered_device *rdev = cb[2];
19107
19108	nla_nest_end(msg, cb[1]);
19109	genlmsg_end(msg, cb[0]);
19110
19111	memset(msg->cb, 0, sizeof(msg->cb));
19112
19113	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19114				NL80211_MCGRP_MLME, gfp);
19115}
19116
19117void cfg80211_cqm_rssi_notify(struct net_device *dev,
19118			      enum nl80211_cqm_rssi_threshold_event rssi_event,
19119			      s32 rssi_level, gfp_t gfp)
19120{
19121	struct wireless_dev *wdev = dev->ieee80211_ptr;
19122	struct cfg80211_cqm_config *cqm_config;
19123
19124	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
19125
19126	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
19127		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
19128		return;
19129
19130	rcu_read_lock();
19131	cqm_config = rcu_dereference(wdev->cqm_config);
19132	if (cqm_config) {
19133		cqm_config->last_rssi_event_value = rssi_level;
19134		cqm_config->last_rssi_event_type = rssi_event;
19135		wiphy_work_queue(wdev->wiphy, &wdev->cqm_rssi_work);
19136	}
19137	rcu_read_unlock();
19138}
19139EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
19140
19141void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy, struct wiphy_work *work)
19142{
19143	struct wireless_dev *wdev = container_of(work, struct wireless_dev,
19144						 cqm_rssi_work);
19145	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19146	enum nl80211_cqm_rssi_threshold_event rssi_event;
19147	struct cfg80211_cqm_config *cqm_config;
19148	struct sk_buff *msg;
19149	s32 rssi_level;
19150
19151	wdev_lock(wdev);
19152	cqm_config = rcu_dereference_protected(wdev->cqm_config,
19153					       lockdep_is_held(&wdev->mtx));
19154	if (!cqm_config)
19155		goto unlock;
19156
19157	if (cqm_config->use_range_api)
19158		cfg80211_cqm_rssi_update(rdev, wdev->netdev, cqm_config);
19159
19160	rssi_level = cqm_config->last_rssi_event_value;
19161	rssi_event = cqm_config->last_rssi_event_type;
19162
19163	msg = cfg80211_prepare_cqm(wdev->netdev, NULL, GFP_KERNEL);
19164	if (!msg)
19165		goto unlock;
19166
19167	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
19168			rssi_event))
19169		goto nla_put_failure;
19170
19171	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
19172				      rssi_level))
19173		goto nla_put_failure;
19174
19175	cfg80211_send_cqm(msg, GFP_KERNEL);
19176
19177	goto unlock;
19178
19179 nla_put_failure:
19180	nlmsg_free(msg);
19181 unlock:
19182	wdev_unlock(wdev);
19183}
19184
19185void cfg80211_cqm_txe_notify(struct net_device *dev,
19186			     const u8 *peer, u32 num_packets,
19187			     u32 rate, u32 intvl, gfp_t gfp)
19188{
19189	struct sk_buff *msg;
19190
19191	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19192	if (!msg)
19193		return;
19194
19195	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
19196		goto nla_put_failure;
19197
19198	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
19199		goto nla_put_failure;
19200
19201	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
19202		goto nla_put_failure;
19203
19204	cfg80211_send_cqm(msg, gfp);
19205	return;
19206
19207 nla_put_failure:
19208	nlmsg_free(msg);
19209}
19210EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
19211
19212void cfg80211_cqm_pktloss_notify(struct net_device *dev,
19213				 const u8 *peer, u32 num_packets, gfp_t gfp)
19214{
19215	struct sk_buff *msg;
19216
19217	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
19218
19219	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19220	if (!msg)
19221		return;
19222
19223	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
19224		goto nla_put_failure;
19225
19226	cfg80211_send_cqm(msg, gfp);
19227	return;
19228
19229 nla_put_failure:
19230	nlmsg_free(msg);
19231}
19232EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
19233
19234void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
19235{
19236	struct sk_buff *msg;
19237
19238	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
19239	if (!msg)
19240		return;
19241
19242	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
19243		goto nla_put_failure;
19244
19245	cfg80211_send_cqm(msg, gfp);
19246	return;
19247
19248 nla_put_failure:
19249	nlmsg_free(msg);
19250}
19251EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
19252
19253static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
19254				     struct net_device *netdev, const u8 *bssid,
19255				     const u8 *replay_ctr, gfp_t gfp)
19256{
19257	struct sk_buff *msg;
19258	struct nlattr *rekey_attr;
19259	void *hdr;
19260
19261	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19262	if (!msg)
19263		return;
19264
19265	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
19266	if (!hdr) {
19267		nlmsg_free(msg);
19268		return;
19269	}
19270
19271	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19272	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19273	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
19274		goto nla_put_failure;
19275
19276	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
19277	if (!rekey_attr)
19278		goto nla_put_failure;
19279
19280	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
19281		    NL80211_REPLAY_CTR_LEN, replay_ctr))
19282		goto nla_put_failure;
19283
19284	nla_nest_end(msg, rekey_attr);
19285
19286	genlmsg_end(msg, hdr);
19287
19288	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19289				NL80211_MCGRP_MLME, gfp);
19290	return;
19291
19292 nla_put_failure:
19293	nlmsg_free(msg);
19294}
19295
19296void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
19297			       const u8 *replay_ctr, gfp_t gfp)
19298{
19299	struct wireless_dev *wdev = dev->ieee80211_ptr;
19300	struct wiphy *wiphy = wdev->wiphy;
19301	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19302
19303	trace_cfg80211_gtk_rekey_notify(dev, bssid);
19304	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
19305}
19306EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
19307
19308static void
19309nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
19310			       struct net_device *netdev, int index,
19311			       const u8 *bssid, bool preauth, gfp_t gfp)
19312{
19313	struct sk_buff *msg;
19314	struct nlattr *attr;
19315	void *hdr;
19316
19317	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19318	if (!msg)
19319		return;
19320
19321	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
19322	if (!hdr) {
19323		nlmsg_free(msg);
19324		return;
19325	}
19326
19327	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19328	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19329		goto nla_put_failure;
19330
19331	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
19332	if (!attr)
19333		goto nla_put_failure;
19334
19335	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
19336	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
19337	    (preauth &&
19338	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
19339		goto nla_put_failure;
19340
19341	nla_nest_end(msg, attr);
19342
19343	genlmsg_end(msg, hdr);
19344
19345	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19346				NL80211_MCGRP_MLME, gfp);
19347	return;
19348
19349 nla_put_failure:
19350	nlmsg_free(msg);
19351}
19352
19353void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
19354				     const u8 *bssid, bool preauth, gfp_t gfp)
19355{
19356	struct wireless_dev *wdev = dev->ieee80211_ptr;
19357	struct wiphy *wiphy = wdev->wiphy;
19358	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19359
19360	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
19361	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
19362}
19363EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
19364
19365static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
19366				     struct net_device *netdev,
19367				     unsigned int link_id,
19368				     struct cfg80211_chan_def *chandef,
19369				     gfp_t gfp,
19370				     enum nl80211_commands notif,
19371				     u8 count, bool quiet, u16 punct_bitmap)
19372{
19373	struct wireless_dev *wdev = netdev->ieee80211_ptr;
19374	struct sk_buff *msg;
19375	void *hdr;
19376
19377	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19378	if (!msg)
19379		return;
19380
19381	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
19382	if (!hdr) {
19383		nlmsg_free(msg);
19384		return;
19385	}
19386
19387	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19388		goto nla_put_failure;
19389
19390	if (wdev->valid_links &&
19391	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
19392		goto nla_put_failure;
19393
19394	if (nl80211_send_chandef(msg, chandef))
19395		goto nla_put_failure;
19396
19397	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
19398		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
19399			goto nla_put_failure;
19400		if (quiet &&
19401		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
19402			goto nla_put_failure;
19403	}
19404
19405	if (nla_put_u32(msg, NL80211_ATTR_PUNCT_BITMAP, punct_bitmap))
19406		goto nla_put_failure;
19407
19408	genlmsg_end(msg, hdr);
19409
19410	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19411				NL80211_MCGRP_MLME, gfp);
19412	return;
19413
19414 nla_put_failure:
19415	nlmsg_free(msg);
19416}
19417
19418void cfg80211_ch_switch_notify(struct net_device *dev,
19419			       struct cfg80211_chan_def *chandef,
19420			       unsigned int link_id, u16 punct_bitmap)
19421{
19422	struct wireless_dev *wdev = dev->ieee80211_ptr;
19423	struct wiphy *wiphy = wdev->wiphy;
19424	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19425
19426	ASSERT_WDEV_LOCK(wdev);
19427	WARN_INVALID_LINK_ID(wdev, link_id);
19428
19429	trace_cfg80211_ch_switch_notify(dev, chandef, link_id, punct_bitmap);
19430
19431	switch (wdev->iftype) {
19432	case NL80211_IFTYPE_STATION:
19433	case NL80211_IFTYPE_P2P_CLIENT:
19434		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
19435			cfg80211_update_assoc_bss_entry(wdev, link_id,
19436							chandef->chan);
19437		break;
19438	case NL80211_IFTYPE_MESH_POINT:
19439		wdev->u.mesh.chandef = *chandef;
19440		wdev->u.mesh.preset_chandef = *chandef;
19441		break;
19442	case NL80211_IFTYPE_AP:
19443	case NL80211_IFTYPE_P2P_GO:
19444		wdev->links[link_id].ap.chandef = *chandef;
19445		break;
19446	case NL80211_IFTYPE_ADHOC:
19447		wdev->u.ibss.chandef = *chandef;
19448		break;
19449	default:
19450		WARN_ON(1);
19451		break;
19452	}
19453
19454	cfg80211_sched_dfs_chan_update(rdev);
19455
19456	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19457				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false,
19458				 punct_bitmap);
19459}
19460EXPORT_SYMBOL(cfg80211_ch_switch_notify);
19461
19462void cfg80211_ch_switch_started_notify(struct net_device *dev,
19463				       struct cfg80211_chan_def *chandef,
19464				       unsigned int link_id, u8 count,
19465				       bool quiet, u16 punct_bitmap)
19466{
19467	struct wireless_dev *wdev = dev->ieee80211_ptr;
19468	struct wiphy *wiphy = wdev->wiphy;
19469	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19470
19471	ASSERT_WDEV_LOCK(wdev);
19472	WARN_INVALID_LINK_ID(wdev, link_id);
19473
19474	trace_cfg80211_ch_switch_started_notify(dev, chandef, link_id,
19475						punct_bitmap);
19476
19477
19478	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19479				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
19480				 count, quiet, punct_bitmap);
19481}
19482EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
19483
19484int cfg80211_bss_color_notify(struct net_device *dev,
19485			      enum nl80211_commands cmd, u8 count,
19486			      u64 color_bitmap)
19487{
19488	struct wireless_dev *wdev = dev->ieee80211_ptr;
19489	struct wiphy *wiphy = wdev->wiphy;
19490	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19491	struct sk_buff *msg;
19492	void *hdr;
19493
19494	ASSERT_WDEV_LOCK(wdev);
19495
19496	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
19497
19498	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19499	if (!msg)
19500		return -ENOMEM;
19501
19502	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19503	if (!hdr)
19504		goto nla_put_failure;
19505
19506	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19507		goto nla_put_failure;
19508
19509	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
19510	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
19511		goto nla_put_failure;
19512
19513	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
19514	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
19515			      color_bitmap, NL80211_ATTR_PAD))
19516		goto nla_put_failure;
19517
19518	genlmsg_end(msg, hdr);
19519
19520	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
19521				       msg, 0, NL80211_MCGRP_MLME, GFP_KERNEL);
19522
19523nla_put_failure:
19524	nlmsg_free(msg);
19525	return -EINVAL;
19526}
19527EXPORT_SYMBOL(cfg80211_bss_color_notify);
19528
19529void
19530nl80211_radar_notify(struct cfg80211_registered_device *rdev,
19531		     const struct cfg80211_chan_def *chandef,
19532		     enum nl80211_radar_event event,
19533		     struct net_device *netdev, gfp_t gfp)
19534{
19535	struct sk_buff *msg;
19536	void *hdr;
19537
19538	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19539	if (!msg)
19540		return;
19541
19542	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
19543	if (!hdr) {
19544		nlmsg_free(msg);
19545		return;
19546	}
19547
19548	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19549		goto nla_put_failure;
19550
19551	/* NOP and radar events don't need a netdev parameter */
19552	if (netdev) {
19553		struct wireless_dev *wdev = netdev->ieee80211_ptr;
19554
19555		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19556		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19557				      NL80211_ATTR_PAD))
19558			goto nla_put_failure;
19559	}
19560
19561	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
19562		goto nla_put_failure;
19563
19564	if (nl80211_send_chandef(msg, chandef))
19565		goto nla_put_failure;
19566
19567	genlmsg_end(msg, hdr);
19568
19569	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19570				NL80211_MCGRP_MLME, gfp);
19571	return;
19572
19573 nla_put_failure:
19574	nlmsg_free(msg);
19575}
19576
19577void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
19578				       struct sta_opmode_info *sta_opmode,
19579				       gfp_t gfp)
19580{
19581	struct sk_buff *msg;
19582	struct wireless_dev *wdev = dev->ieee80211_ptr;
19583	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19584	void *hdr;
19585
19586	if (WARN_ON(!mac))
19587		return;
19588
19589	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19590	if (!msg)
19591		return;
19592
19593	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
19594	if (!hdr) {
19595		nlmsg_free(msg);
19596		return;
19597	}
19598
19599	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19600		goto nla_put_failure;
19601
19602	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19603		goto nla_put_failure;
19604
19605	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19606		goto nla_put_failure;
19607
19608	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
19609	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
19610		goto nla_put_failure;
19611
19612	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
19613	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
19614		goto nla_put_failure;
19615
19616	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
19617	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
19618		goto nla_put_failure;
19619
19620	genlmsg_end(msg, hdr);
19621
19622	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19623				NL80211_MCGRP_MLME, gfp);
19624
19625	return;
19626
19627nla_put_failure:
19628	nlmsg_free(msg);
19629}
19630EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
19631
19632void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
19633			   u64 cookie, bool acked, s32 ack_signal,
19634			   bool is_valid_ack_signal, gfp_t gfp)
19635{
19636	struct wireless_dev *wdev = dev->ieee80211_ptr;
19637	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19638	struct sk_buff *msg;
19639	void *hdr;
19640
19641	trace_cfg80211_probe_status(dev, addr, cookie, acked);
19642
19643	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19644
19645	if (!msg)
19646		return;
19647
19648	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
19649	if (!hdr) {
19650		nlmsg_free(msg);
19651		return;
19652	}
19653
19654	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19655	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19656	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19657	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
19658			      NL80211_ATTR_PAD) ||
19659	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
19660	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
19661						ack_signal)))
19662		goto nla_put_failure;
19663
19664	genlmsg_end(msg, hdr);
19665
19666	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19667				NL80211_MCGRP_MLME, gfp);
19668	return;
19669
19670 nla_put_failure:
19671	nlmsg_free(msg);
19672}
19673EXPORT_SYMBOL(cfg80211_probe_status);
19674
19675void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
19676				     size_t len, int freq, int sig_dbm)
19677{
19678	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19679	struct sk_buff *msg;
19680	void *hdr;
19681	struct cfg80211_beacon_registration *reg;
19682
19683	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
19684
19685	spin_lock_bh(&rdev->beacon_registrations_lock);
19686	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
19687		msg = nlmsg_new(len + 100, GFP_ATOMIC);
19688		if (!msg) {
19689			spin_unlock_bh(&rdev->beacon_registrations_lock);
19690			return;
19691		}
19692
19693		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
19694		if (!hdr)
19695			goto nla_put_failure;
19696
19697		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19698		    (freq &&
19699		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
19700				  KHZ_TO_MHZ(freq)) ||
19701		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
19702				  freq % 1000))) ||
19703		    (sig_dbm &&
19704		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
19705		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
19706			goto nla_put_failure;
19707
19708		genlmsg_end(msg, hdr);
19709
19710		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
19711	}
19712	spin_unlock_bh(&rdev->beacon_registrations_lock);
19713	return;
19714
19715 nla_put_failure:
19716	spin_unlock_bh(&rdev->beacon_registrations_lock);
19717	nlmsg_free(msg);
19718}
19719EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
19720
19721#ifdef CONFIG_PM
19722static int cfg80211_net_detect_results(struct sk_buff *msg,
19723				       struct cfg80211_wowlan_wakeup *wakeup)
19724{
19725	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
19726	struct nlattr *nl_results, *nl_match, *nl_freqs;
19727	int i, j;
19728
19729	nl_results = nla_nest_start_noflag(msg,
19730					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
19731	if (!nl_results)
19732		return -EMSGSIZE;
19733
19734	for (i = 0; i < nd->n_matches; i++) {
19735		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
19736
19737		nl_match = nla_nest_start_noflag(msg, i);
19738		if (!nl_match)
19739			break;
19740
19741		/* The SSID attribute is optional in nl80211, but for
19742		 * simplicity reasons it's always present in the
19743		 * cfg80211 structure.  If a driver can't pass the
19744		 * SSID, that needs to be changed.  A zero length SSID
19745		 * is still a valid SSID (wildcard), so it cannot be
19746		 * used for this purpose.
19747		 */
19748		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
19749			    match->ssid.ssid)) {
19750			nla_nest_cancel(msg, nl_match);
19751			goto out;
19752		}
19753
19754		if (match->n_channels) {
19755			nl_freqs = nla_nest_start_noflag(msg,
19756							 NL80211_ATTR_SCAN_FREQUENCIES);
19757			if (!nl_freqs) {
19758				nla_nest_cancel(msg, nl_match);
19759				goto out;
19760			}
19761
19762			for (j = 0; j < match->n_channels; j++) {
19763				if (nla_put_u32(msg, j, match->channels[j])) {
19764					nla_nest_cancel(msg, nl_freqs);
19765					nla_nest_cancel(msg, nl_match);
19766					goto out;
19767				}
19768			}
19769
19770			nla_nest_end(msg, nl_freqs);
19771		}
19772
19773		nla_nest_end(msg, nl_match);
19774	}
19775
19776out:
19777	nla_nest_end(msg, nl_results);
19778	return 0;
19779}
19780
19781void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
19782				   struct cfg80211_wowlan_wakeup *wakeup,
19783				   gfp_t gfp)
19784{
19785	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19786	struct sk_buff *msg;
19787	void *hdr;
19788	int size = 200;
19789
19790	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
19791
19792	if (wakeup)
19793		size += wakeup->packet_present_len;
19794
19795	msg = nlmsg_new(size, gfp);
19796	if (!msg)
19797		return;
19798
19799	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
19800	if (!hdr)
19801		goto free_msg;
19802
19803	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19804	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19805			      NL80211_ATTR_PAD))
19806		goto free_msg;
19807
19808	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19809					wdev->netdev->ifindex))
19810		goto free_msg;
19811
19812	if (wakeup) {
19813		struct nlattr *reasons;
19814
19815		reasons = nla_nest_start_noflag(msg,
19816						NL80211_ATTR_WOWLAN_TRIGGERS);
19817		if (!reasons)
19818			goto free_msg;
19819
19820		if (wakeup->disconnect &&
19821		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
19822			goto free_msg;
19823		if (wakeup->magic_pkt &&
19824		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
19825			goto free_msg;
19826		if (wakeup->gtk_rekey_failure &&
19827		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
19828			goto free_msg;
19829		if (wakeup->eap_identity_req &&
19830		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
19831			goto free_msg;
19832		if (wakeup->four_way_handshake &&
19833		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
19834			goto free_msg;
19835		if (wakeup->rfkill_release &&
19836		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
19837			goto free_msg;
19838
19839		if (wakeup->pattern_idx >= 0 &&
19840		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
19841				wakeup->pattern_idx))
19842			goto free_msg;
19843
19844		if (wakeup->tcp_match &&
19845		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
19846			goto free_msg;
19847
19848		if (wakeup->tcp_connlost &&
19849		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
19850			goto free_msg;
19851
19852		if (wakeup->tcp_nomoretokens &&
19853		    nla_put_flag(msg,
19854				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
19855			goto free_msg;
19856
19857		if (wakeup->packet) {
19858			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
19859			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
19860
19861			if (!wakeup->packet_80211) {
19862				pkt_attr =
19863					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
19864				len_attr =
19865					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
19866			}
19867
19868			if (wakeup->packet_len &&
19869			    nla_put_u32(msg, len_attr, wakeup->packet_len))
19870				goto free_msg;
19871
19872			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
19873				    wakeup->packet))
19874				goto free_msg;
19875		}
19876
19877		if (wakeup->net_detect &&
19878		    cfg80211_net_detect_results(msg, wakeup))
19879				goto free_msg;
19880
19881		nla_nest_end(msg, reasons);
19882	}
19883
19884	genlmsg_end(msg, hdr);
19885
19886	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19887				NL80211_MCGRP_MLME, gfp);
19888	return;
19889
19890 free_msg:
19891	nlmsg_free(msg);
19892}
19893EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
19894#endif
19895
19896void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
19897				enum nl80211_tdls_operation oper,
19898				u16 reason_code, gfp_t gfp)
19899{
19900	struct wireless_dev *wdev = dev->ieee80211_ptr;
19901	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19902	struct sk_buff *msg;
19903	void *hdr;
19904
19905	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
19906					 reason_code);
19907
19908	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19909	if (!msg)
19910		return;
19911
19912	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
19913	if (!hdr) {
19914		nlmsg_free(msg);
19915		return;
19916	}
19917
19918	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19919	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19920	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
19921	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
19922	    (reason_code > 0 &&
19923	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
19924		goto nla_put_failure;
19925
19926	genlmsg_end(msg, hdr);
19927
19928	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19929				NL80211_MCGRP_MLME, gfp);
19930	return;
19931
19932 nla_put_failure:
19933	nlmsg_free(msg);
19934}
19935EXPORT_SYMBOL(cfg80211_tdls_oper_request);
19936
19937static int nl80211_netlink_notify(struct notifier_block * nb,
19938				  unsigned long state,
19939				  void *_notify)
19940{
19941	struct netlink_notify *notify = _notify;
19942	struct cfg80211_registered_device *rdev;
19943	struct wireless_dev *wdev;
19944	struct cfg80211_beacon_registration *reg, *tmp;
19945
19946	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
19947		return NOTIFY_DONE;
19948
19949	rcu_read_lock();
19950
19951	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
19952		struct cfg80211_sched_scan_request *sched_scan_req;
19953
19954		list_for_each_entry_rcu(sched_scan_req,
19955					&rdev->sched_scan_req_list,
19956					list) {
19957			if (sched_scan_req->owner_nlportid == notify->portid) {
19958				sched_scan_req->nl_owner_dead = true;
19959				wiphy_work_queue(&rdev->wiphy,
19960						 &rdev->sched_scan_stop_wk);
19961			}
19962		}
19963
19964		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
19965			cfg80211_mlme_unregister_socket(wdev, notify->portid);
19966
19967			if (wdev->owner_nlportid == notify->portid) {
19968				wdev->nl_owner_dead = true;
19969				schedule_work(&rdev->destroy_work);
19970			} else if (wdev->conn_owner_nlportid == notify->portid) {
19971				schedule_work(&wdev->disconnect_wk);
19972			}
19973
19974			cfg80211_release_pmsr(wdev, notify->portid);
19975		}
19976
19977		spin_lock_bh(&rdev->beacon_registrations_lock);
19978		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
19979					 list) {
19980			if (reg->nlportid == notify->portid) {
19981				list_del(&reg->list);
19982				kfree(reg);
19983				break;
19984			}
19985		}
19986		spin_unlock_bh(&rdev->beacon_registrations_lock);
19987	}
19988
19989	rcu_read_unlock();
19990
19991	/*
19992	 * It is possible that the user space process that is controlling the
19993	 * indoor setting disappeared, so notify the regulatory core.
19994	 */
19995	regulatory_netlink_notify(notify->portid);
19996	return NOTIFY_OK;
19997}
19998
19999static struct notifier_block nl80211_netlink_notifier = {
20000	.notifier_call = nl80211_netlink_notify,
20001};
20002
20003void cfg80211_ft_event(struct net_device *netdev,
20004		       struct cfg80211_ft_event_params *ft_event)
20005{
20006	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
20007	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20008	struct sk_buff *msg;
20009	void *hdr;
20010
20011	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
20012
20013	if (!ft_event->target_ap)
20014		return;
20015
20016	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
20017			GFP_KERNEL);
20018	if (!msg)
20019		return;
20020
20021	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
20022	if (!hdr)
20023		goto out;
20024
20025	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20026	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20027	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
20028		goto out;
20029
20030	if (ft_event->ies &&
20031	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
20032		goto out;
20033	if (ft_event->ric_ies &&
20034	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
20035		    ft_event->ric_ies))
20036		goto out;
20037
20038	genlmsg_end(msg, hdr);
20039
20040	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20041				NL80211_MCGRP_MLME, GFP_KERNEL);
20042	return;
20043 out:
20044	nlmsg_free(msg);
20045}
20046EXPORT_SYMBOL(cfg80211_ft_event);
20047
20048void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
20049{
20050	struct cfg80211_registered_device *rdev;
20051	struct sk_buff *msg;
20052	void *hdr;
20053	u32 nlportid;
20054
20055	rdev = wiphy_to_rdev(wdev->wiphy);
20056	if (!rdev->crit_proto_nlportid)
20057		return;
20058
20059	nlportid = rdev->crit_proto_nlportid;
20060	rdev->crit_proto_nlportid = 0;
20061
20062	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20063	if (!msg)
20064		return;
20065
20066	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
20067	if (!hdr)
20068		goto nla_put_failure;
20069
20070	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20071	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20072			      NL80211_ATTR_PAD))
20073		goto nla_put_failure;
20074
20075	genlmsg_end(msg, hdr);
20076
20077	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20078	return;
20079
20080 nla_put_failure:
20081	nlmsg_free(msg);
20082}
20083EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
20084
20085void nl80211_send_ap_stopped(struct wireless_dev *wdev, unsigned int link_id)
20086{
20087	struct wiphy *wiphy = wdev->wiphy;
20088	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20089	struct sk_buff *msg;
20090	void *hdr;
20091
20092	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20093	if (!msg)
20094		return;
20095
20096	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
20097	if (!hdr)
20098		goto out;
20099
20100	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20101	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
20102	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20103			      NL80211_ATTR_PAD) ||
20104	    (wdev->valid_links &&
20105	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
20106		goto out;
20107
20108	genlmsg_end(msg, hdr);
20109
20110	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
20111				NL80211_MCGRP_MLME, GFP_KERNEL);
20112	return;
20113 out:
20114	nlmsg_free(msg);
20115}
20116
20117int cfg80211_external_auth_request(struct net_device *dev,
20118				   struct cfg80211_external_auth_params *params,
20119				   gfp_t gfp)
20120{
20121	struct wireless_dev *wdev = dev->ieee80211_ptr;
20122	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20123	struct sk_buff *msg;
20124	void *hdr;
20125
20126	if (!wdev->conn_owner_nlportid)
20127		return -EINVAL;
20128
20129	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20130	if (!msg)
20131		return -ENOMEM;
20132
20133	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
20134	if (!hdr)
20135		goto nla_put_failure;
20136
20137	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20138	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20139	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
20140	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
20141			params->action) ||
20142	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
20143	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
20144		    params->ssid.ssid) ||
20145	    (!is_zero_ether_addr(params->mld_addr) &&
20146	     nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN, params->mld_addr)))
20147		goto nla_put_failure;
20148
20149	genlmsg_end(msg, hdr);
20150	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
20151			wdev->conn_owner_nlportid);
20152	return 0;
20153
20154 nla_put_failure:
20155	nlmsg_free(msg);
20156	return -ENOBUFS;
20157}
20158EXPORT_SYMBOL(cfg80211_external_auth_request);
20159
20160void cfg80211_update_owe_info_event(struct net_device *netdev,
20161				    struct cfg80211_update_owe_info *owe_info,
20162				    gfp_t gfp)
20163{
20164	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
20165	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20166	struct sk_buff *msg;
20167	void *hdr;
20168
20169	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
20170
20171	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20172	if (!msg)
20173		return;
20174
20175	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
20176	if (!hdr)
20177		goto nla_put_failure;
20178
20179	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20180	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20181	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
20182		goto nla_put_failure;
20183
20184	if (!owe_info->ie_len ||
20185	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
20186		goto nla_put_failure;
20187
20188	if (owe_info->assoc_link_id != -1) {
20189		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
20190			       owe_info->assoc_link_id))
20191			goto nla_put_failure;
20192
20193		if (!is_zero_ether_addr(owe_info->peer_mld_addr) &&
20194		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
20195			    owe_info->peer_mld_addr))
20196			goto nla_put_failure;
20197	}
20198
20199	genlmsg_end(msg, hdr);
20200
20201	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20202				NL80211_MCGRP_MLME, gfp);
20203	return;
20204
20205nla_put_failure:
20206	genlmsg_cancel(msg, hdr);
20207	nlmsg_free(msg);
20208}
20209EXPORT_SYMBOL(cfg80211_update_owe_info_event);
20210
20211/* initialisation/exit functions */
20212
20213int __init nl80211_init(void)
20214{
20215	int err;
20216
20217	err = genl_register_family(&nl80211_fam);
20218	if (err)
20219		return err;
20220
20221	err = netlink_register_notifier(&nl80211_netlink_notifier);
20222	if (err)
20223		goto err_out;
20224
20225	return 0;
20226 err_out:
20227	genl_unregister_family(&nl80211_fam);
20228	return err;
20229}
20230
20231void nl80211_exit(void)
20232{
20233	netlink_unregister_notifier(&nl80211_netlink_notifier);
20234	genl_unregister_family(&nl80211_fam);
20235}
20236