~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/wireless/nl80211.c

Version: ~ [ linux-4.20-rc6 ] ~ [ linux-4.19.8 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.87 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.144 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.166 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.128 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.61 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-3.9.11 ] ~ [ linux-3.8.13 ] ~ [ linux-3.7.10 ] ~ [ linux-3.6.11 ] ~ [ linux-3.5.7 ] ~ [ linux-3.4.113 ] ~ [ linux-3.3.8 ] ~ [ linux-3.2.102 ] ~ [ linux-3.1.10 ] ~ [ linux-3.0.101 ] ~ [ linux-2.6.39.4 ] ~ [ linux-2.6.38.8 ] ~ [ linux-2.6.37.6 ] ~ [ linux-2.6.36.4 ] ~ [ linux-2.6.35.14 ] ~ [ linux-2.6.34.15 ] ~ [ linux-2.6.33.20 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.31.14 ] ~ [ linux-2.6.30.10 ] ~ [ linux-2.6.29.6 ] ~ [ linux-2.6.28.10 ] ~ [ linux-2.6.27.62 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * This is the new netlink-based wireless configuration interface.
  3  *
  4  * Copyright 2006-2010  Johannes Berg <johannes@sipsolutions.net>
  5  * Copyright 2013-2014  Intel Mobile Communications GmbH
  6  * Copyright 2015-2017  Intel Deutschland GmbH
  7  * Copyright (C) 2018 Intel Corporation
  8  */
  9 
 10 #include <linux/if.h>
 11 #include <linux/module.h>
 12 #include <linux/err.h>
 13 #include <linux/slab.h>
 14 #include <linux/list.h>
 15 #include <linux/if_ether.h>
 16 #include <linux/ieee80211.h>
 17 #include <linux/nl80211.h>
 18 #include <linux/rtnetlink.h>
 19 #include <linux/netlink.h>
 20 #include <linux/nospec.h>
 21 #include <linux/etherdevice.h>
 22 #include <net/net_namespace.h>
 23 #include <net/genetlink.h>
 24 #include <net/cfg80211.h>
 25 #include <net/sock.h>
 26 #include <net/inet_connection_sock.h>
 27 #include "core.h"
 28 #include "nl80211.h"
 29 #include "reg.h"
 30 #include "rdev-ops.h"
 31 
 32 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
 33                                    struct genl_info *info,
 34                                    struct cfg80211_crypto_settings *settings,
 35                                    int cipher_limit);
 36 
 37 /* the netlink family */
 38 static struct genl_family nl80211_fam;
 39 
 40 /* multicast groups */
 41 enum nl80211_multicast_groups {
 42         NL80211_MCGRP_CONFIG,
 43         NL80211_MCGRP_SCAN,
 44         NL80211_MCGRP_REGULATORY,
 45         NL80211_MCGRP_MLME,
 46         NL80211_MCGRP_VENDOR,
 47         NL80211_MCGRP_NAN,
 48         NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
 49 };
 50 
 51 static const struct genl_multicast_group nl80211_mcgrps[] = {
 52         [NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
 53         [NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
 54         [NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
 55         [NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
 56         [NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
 57         [NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
 58 #ifdef CONFIG_NL80211_TESTMODE
 59         [NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
 60 #endif
 61 };
 62 
 63 /* returns ERR_PTR values */
 64 static struct wireless_dev *
 65 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
 66 {
 67         struct cfg80211_registered_device *rdev;
 68         struct wireless_dev *result = NULL;
 69         bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
 70         bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
 71         u64 wdev_id;
 72         int wiphy_idx = -1;
 73         int ifidx = -1;
 74 
 75         ASSERT_RTNL();
 76 
 77         if (!have_ifidx && !have_wdev_id)
 78                 return ERR_PTR(-EINVAL);
 79 
 80         if (have_ifidx)
 81                 ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
 82         if (have_wdev_id) {
 83                 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
 84                 wiphy_idx = wdev_id >> 32;
 85         }
 86 
 87         list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
 88                 struct wireless_dev *wdev;
 89 
 90                 if (wiphy_net(&rdev->wiphy) != netns)
 91                         continue;
 92 
 93                 if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
 94                         continue;
 95 
 96                 list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
 97                         if (have_ifidx && wdev->netdev &&
 98                             wdev->netdev->ifindex == ifidx) {
 99                                 result = wdev;
100                                 break;
101                         }
102                         if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
103                                 result = wdev;
104                                 break;
105                         }
106                 }
107 
108                 if (result)
109                         break;
110         }
111 
112         if (result)
113                 return result;
114         return ERR_PTR(-ENODEV);
115 }
116 
117 static struct cfg80211_registered_device *
118 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
119 {
120         struct cfg80211_registered_device *rdev = NULL, *tmp;
121         struct net_device *netdev;
122 
123         ASSERT_RTNL();
124 
125         if (!attrs[NL80211_ATTR_WIPHY] &&
126             !attrs[NL80211_ATTR_IFINDEX] &&
127             !attrs[NL80211_ATTR_WDEV])
128                 return ERR_PTR(-EINVAL);
129 
130         if (attrs[NL80211_ATTR_WIPHY])
131                 rdev = cfg80211_rdev_by_wiphy_idx(
132                                 nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
133 
134         if (attrs[NL80211_ATTR_WDEV]) {
135                 u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
136                 struct wireless_dev *wdev;
137                 bool found = false;
138 
139                 tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
140                 if (tmp) {
141                         /* make sure wdev exists */
142                         list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
143                                 if (wdev->identifier != (u32)wdev_id)
144                                         continue;
145                                 found = true;
146                                 break;
147                         }
148 
149                         if (!found)
150                                 tmp = NULL;
151 
152                         if (rdev && tmp != rdev)
153                                 return ERR_PTR(-EINVAL);
154                         rdev = tmp;
155                 }
156         }
157 
158         if (attrs[NL80211_ATTR_IFINDEX]) {
159                 int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
160 
161                 netdev = __dev_get_by_index(netns, ifindex);
162                 if (netdev) {
163                         if (netdev->ieee80211_ptr)
164                                 tmp = wiphy_to_rdev(
165                                         netdev->ieee80211_ptr->wiphy);
166                         else
167                                 tmp = NULL;
168 
169                         /* not wireless device -- return error */
170                         if (!tmp)
171                                 return ERR_PTR(-EINVAL);
172 
173                         /* mismatch -- return error */
174                         if (rdev && tmp != rdev)
175                                 return ERR_PTR(-EINVAL);
176 
177                         rdev = tmp;
178                 }
179         }
180 
181         if (!rdev)
182                 return ERR_PTR(-ENODEV);
183 
184         if (netns != wiphy_net(&rdev->wiphy))
185                 return ERR_PTR(-ENODEV);
186 
187         return rdev;
188 }
189 
190 /*
191  * This function returns a pointer to the driver
192  * that the genl_info item that is passed refers to.
193  *
194  * The result of this can be a PTR_ERR and hence must
195  * be checked with IS_ERR() for errors.
196  */
197 static struct cfg80211_registered_device *
198 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
199 {
200         return __cfg80211_rdev_from_attrs(netns, info->attrs);
201 }
202 
203 static int validate_ie_attr(const struct nlattr *attr,
204                             struct netlink_ext_ack *extack)
205 {
206         const u8 *pos;
207         int len;
208 
209         pos = nla_data(attr);
210         len = nla_len(attr);
211 
212         while (len) {
213                 u8 elemlen;
214 
215                 if (len < 2)
216                         goto error;
217                 len -= 2;
218 
219                 elemlen = pos[1];
220                 if (elemlen > len)
221                         goto error;
222 
223                 len -= elemlen;
224                 pos += 2 + elemlen;
225         }
226 
227         return 0;
228 error:
229         NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
230         return -EINVAL;
231 }
232 
233 /* policy for the attributes */
234 static const struct nla_policy
235 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
236         [NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
237         [NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
238                                         .len = U8_MAX },
239         [NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
240                                              .len = U8_MAX },
241 };
242 
243 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
244         [NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
245         [NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
246                                       .len = 20-1 },
247         [NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
248 
249         [NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
250         [NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
251         [NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
252         [NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
253         [NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
254 
255         [NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
256         [NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
257         [NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
258         [NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
259         [NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
260         [NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
261 
262         [NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
263         [NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
264         [NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
265 
266         [NL80211_ATTR_MAC] = { .len = ETH_ALEN },
267         [NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },
268 
269         [NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
270         [NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
271                                     .len = WLAN_MAX_KEY_LEN },
272         [NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 5),
273         [NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
274         [NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
275         [NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
276         [NL80211_ATTR_KEY_TYPE] =
277                 NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
278 
279         [NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
280         [NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
281         [NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
282                                        .len = IEEE80211_MAX_DATA_LEN },
283         [NL80211_ATTR_BEACON_TAIL] =
284                 NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
285                                        IEEE80211_MAX_DATA_LEN),
286         [NL80211_ATTR_STA_AID] =
287                 NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
288         [NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
289         [NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
290         [NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
291                                                .len = NL80211_MAX_SUPP_RATES },
292         [NL80211_ATTR_STA_PLINK_ACTION] =
293                 NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
294         [NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
295         [NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
296         [NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
297                                    .len = IEEE80211_MAX_MESH_ID_LEN },
298         [NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
299 
300         [NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
301         [NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
302 
303         [NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
304         [NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
305         [NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
306         [NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
307                                            .len = NL80211_MAX_SUPP_RATES },
308         [NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
309 
310         [NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
311         [NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
312 
313         [NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
314 
315         [NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
316         [NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
317                                                    validate_ie_attr,
318                                                    IEEE80211_MAX_DATA_LEN),
319         [NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
320         [NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
321 
322         [NL80211_ATTR_SSID] = { .type = NLA_BINARY,
323                                 .len = IEEE80211_MAX_SSID_LEN },
324         [NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
325         [NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
326         [NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
327         [NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
328         [NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
329                                                   NL80211_MFP_NO,
330                                                   NL80211_MFP_OPTIONAL),
331         [NL80211_ATTR_STA_FLAGS2] = {
332                 .len = sizeof(struct nl80211_sta_flag_update),
333         },
334         [NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
335         [NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
336         [NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
337         [NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
338         [NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
339         [NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
340         [NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
341         [NL80211_ATTR_PID] = { .type = NLA_U32 },
342         [NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
343         [NL80211_ATTR_PMKID] = { .len = WLAN_PMKID_LEN },
344         [NL80211_ATTR_DURATION] = { .type = NLA_U32 },
345         [NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
346         [NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
347         [NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
348                                  .len = IEEE80211_MAX_DATA_LEN },
349         [NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
350         [NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
351                                                    NL80211_PS_DISABLED,
352                                                    NL80211_PS_ENABLED),
353         [NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
354         [NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
355         [NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
356         [NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
357         [NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
358         [NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
359         [NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
360         [NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
361         [NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
362         [NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
363         [NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
364         [NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
365         [NL80211_ATTR_STA_PLINK_STATE] =
366                 NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
367         [NL80211_ATTR_MESH_PEER_AID] =
368                 NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
369         [NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
370         [NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
371         [NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
372         [NL80211_ATTR_HIDDEN_SSID] =
373                 NLA_POLICY_RANGE(NLA_U32,
374                                  NL80211_HIDDEN_SSID_NOT_IN_USE,
375                                  NL80211_HIDDEN_SSID_ZERO_CONTENTS),
376         [NL80211_ATTR_IE_PROBE_RESP] =
377                 NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
378                                        IEEE80211_MAX_DATA_LEN),
379         [NL80211_ATTR_IE_ASSOC_RESP] =
380                 NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
381                                        IEEE80211_MAX_DATA_LEN),
382         [NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
383         [NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
384         [NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
385         [NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
386         [NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
387         [NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
388         [NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
389         [NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
390         [NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
391         [NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
392         [NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
393                                       .len = IEEE80211_MAX_DATA_LEN },
394         [NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
395         [NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
396         [NL80211_ATTR_HT_CAPABILITY_MASK] = {
397                 .len = NL80211_HT_CAPABILITY_LEN
398         },
399         [NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
400         [NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
401         [NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
402         [NL80211_ATTR_WDEV] = { .type = NLA_U64 },
403         [NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
404         [NL80211_ATTR_AUTH_DATA] = { .type = NLA_BINARY, },
405         [NL80211_ATTR_VHT_CAPABILITY] = { .len = NL80211_VHT_CAPABILITY_LEN },
406         [NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
407         [NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
408         [NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
409         [NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
410                 NLA_POLICY_RANGE(NLA_U32,
411                                  NL80211_MESH_POWER_UNKNOWN + 1,
412                                  NL80211_MESH_POWER_MAX),
413         [NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
414         [NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
415         [NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
416         [NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
417         [NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
418         [NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
419         [NL80211_ATTR_VHT_CAPABILITY_MASK] = {
420                 .len = NL80211_VHT_CAPABILITY_LEN,
421         },
422         [NL80211_ATTR_MDID] = { .type = NLA_U16 },
423         [NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
424                                   .len = IEEE80211_MAX_DATA_LEN },
425         [NL80211_ATTR_PEER_AID] =
426                 NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
427         [NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
428         [NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
429         [NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
430         [NL80211_ATTR_CSA_C_OFF_BEACON] = { .type = NLA_BINARY },
431         [NL80211_ATTR_CSA_C_OFF_PRESP] = { .type = NLA_BINARY },
432         [NL80211_ATTR_STA_SUPPORTED_CHANNELS] = { .type = NLA_BINARY },
433         [NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] = { .type = NLA_BINARY },
434         [NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
435         [NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
436         [NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
437         [NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
438         [NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
439         [NL80211_ATTR_QOS_MAP] = { .type = NLA_BINARY,
440                                    .len = IEEE80211_QOS_MAP_LEN_MAX },
441         [NL80211_ATTR_MAC_HINT] = { .len = ETH_ALEN },
442         [NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
443         [NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
444         [NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
445         [NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
446         [NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
447         [NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
448         [NL80211_ATTR_USER_PRIO] =
449                 NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
450         [NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
451         [NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
452         [NL80211_ATTR_MAC_MASK] = { .len = ETH_ALEN },
453         [NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
454         [NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
455         [NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
456         [NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
457         [NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
458         [NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
459         [NL80211_ATTR_STA_SUPPORT_P2P_PS] =
460                 NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
461         [NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
462                 .len = VHT_MUMIMO_GROUPS_DATA_LEN
463         },
464         [NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = { .len = ETH_ALEN },
465         [NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
466         [NL80211_ATTR_BANDS] = { .type = NLA_U32 },
467         [NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
468         [NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
469                                     .len = FILS_MAX_KEK_LEN },
470         [NL80211_ATTR_FILS_NONCES] = { .len = 2 * FILS_NONCE_LEN },
471         [NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
472         [NL80211_ATTR_BSSID] = { .len = ETH_ALEN },
473         [NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
474         [NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
475                 .len = sizeof(struct nl80211_bss_select_rssi_adjust)
476         },
477         [NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
478         [NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
479                                              .len = FILS_ERP_MAX_USERNAME_LEN },
480         [NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
481                                           .len = FILS_ERP_MAX_REALM_LEN },
482         [NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
483         [NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
484                                         .len = FILS_ERP_MAX_RRK_LEN },
485         [NL80211_ATTR_FILS_CACHE_ID] = { .len = 2 },
486         [NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
487         [NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
488         [NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
489 
490         [NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
491         [NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
492         [NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
493         [NL80211_ATTR_HE_CAPABILITY] = { .type = NLA_BINARY,
494                                          .len = NL80211_HE_MAX_CAPABILITY_LEN },
495 
496         [NL80211_ATTR_FTM_RESPONDER] = {
497                 .type = NLA_NESTED,
498                 .validation_data = nl80211_ftm_responder_policy,
499         },
500 };
501 
502 /* policy for the key attributes */
503 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
504         [NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
505         [NL80211_KEY_IDX] = { .type = NLA_U8 },
506         [NL80211_KEY_CIPHER] = { .type = NLA_U32 },
507         [NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
508         [NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
509         [NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
510         [NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
511         [NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
512 };
513 
514 /* policy for the key default flags */
515 static const struct nla_policy
516 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
517         [NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
518         [NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
519 };
520 
521 #ifdef CONFIG_PM
522 /* policy for WoWLAN attributes */
523 static const struct nla_policy
524 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
525         [NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
526         [NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
527         [NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
528         [NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
529         [NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
530         [NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
531         [NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
532         [NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
533         [NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
534         [NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
535 };
536 
537 static const struct nla_policy
538 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
539         [NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
540         [NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
541         [NL80211_WOWLAN_TCP_DST_MAC] = { .len = ETH_ALEN },
542         [NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
543         [NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
544         [NL80211_WOWLAN_TCP_DATA_PAYLOAD] = { .len = 1 },
545         [NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
546                 .len = sizeof(struct nl80211_wowlan_tcp_data_seq)
547         },
548         [NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
549                 .len = sizeof(struct nl80211_wowlan_tcp_data_token)
550         },
551         [NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
552         [NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = { .len = 1 },
553         [NL80211_WOWLAN_TCP_WAKE_MASK] = { .len = 1 },
554 };
555 #endif /* CONFIG_PM */
556 
557 /* policy for coalesce rule attributes */
558 static const struct nla_policy
559 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
560         [NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
561         [NL80211_ATTR_COALESCE_RULE_CONDITION] =
562                 NLA_POLICY_RANGE(NLA_U32,
563                                  NL80211_COALESCE_CONDITION_MATCH,
564                                  NL80211_COALESCE_CONDITION_NO_MATCH),
565         [NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
566 };
567 
568 /* policy for GTK rekey offload attributes */
569 static const struct nla_policy
570 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
571         [NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
572         [NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
573         [NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
574 };
575 
576 static const struct nla_policy
577 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
578         [NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
579                                                  .len = IEEE80211_MAX_SSID_LEN },
580         [NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = { .len = ETH_ALEN },
581         [NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
582 };
583 
584 static const struct nla_policy
585 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
586         [NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
587         [NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
588 };
589 
590 static const struct nla_policy
591 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
592         [NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
593         [NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
594         [NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
595                 .len = sizeof(struct nl80211_bss_select_rssi_adjust)
596         },
597 };
598 
599 /* policy for NAN function attributes */
600 static const struct nla_policy
601 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
602         [NL80211_NAN_FUNC_TYPE] = { .type = NLA_U8 },
603         [NL80211_NAN_FUNC_SERVICE_ID] = {
604                                     .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
605         [NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
606         [NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
607         [NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
608         [NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
609         [NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
610         [NL80211_NAN_FUNC_FOLLOW_UP_DEST] = { .len = ETH_ALEN },
611         [NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
612         [NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
613         [NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
614                         .len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
615         [NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
616         [NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
617         [NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
618         [NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
619         [NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
620 };
621 
622 /* policy for Service Response Filter attributes */
623 static const struct nla_policy
624 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
625         [NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
626         [NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
627                                  .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
628         [NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
629         [NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
630 };
631 
632 /* policy for packet pattern attributes */
633 static const struct nla_policy
634 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
635         [NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
636         [NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
637         [NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
638 };
639 
640 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
641                                      struct cfg80211_registered_device **rdev,
642                                      struct wireless_dev **wdev)
643 {
644         int err;
645 
646         if (!cb->args[0]) {
647                 err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
648                                   genl_family_attrbuf(&nl80211_fam),
649                                   nl80211_fam.maxattr, nl80211_policy, NULL);
650                 if (err)
651                         return err;
652 
653                 *wdev = __cfg80211_wdev_from_attrs(
654                                         sock_net(cb->skb->sk),
655                                         genl_family_attrbuf(&nl80211_fam));
656                 if (IS_ERR(*wdev))
657                         return PTR_ERR(*wdev);
658                 *rdev = wiphy_to_rdev((*wdev)->wiphy);
659                 /* 0 is the first index - add 1 to parse only once */
660                 cb->args[0] = (*rdev)->wiphy_idx + 1;
661                 cb->args[1] = (*wdev)->identifier;
662         } else {
663                 /* subtract the 1 again here */
664                 struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
665                 struct wireless_dev *tmp;
666 
667                 if (!wiphy)
668                         return -ENODEV;
669                 *rdev = wiphy_to_rdev(wiphy);
670                 *wdev = NULL;
671 
672                 list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
673                         if (tmp->identifier == cb->args[1]) {
674                                 *wdev = tmp;
675                                 break;
676                         }
677                 }
678 
679                 if (!*wdev)
680                         return -ENODEV;
681         }
682 
683         return 0;
684 }
685 
686 /* message building helper */
687 static inline void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
688                                    int flags, u8 cmd)
689 {
690         /* since there is no private header just add the generic one */
691         return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
692 }
693 
694 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
695                                      const struct ieee80211_reg_rule *rule)
696 {
697         int j;
698         struct nlattr *nl_wmm_rules =
699                 nla_nest_start(msg, NL80211_FREQUENCY_ATTR_WMM);
700 
701         if (!nl_wmm_rules)
702                 goto nla_put_failure;
703 
704         for (j = 0; j < IEEE80211_NUM_ACS; j++) {
705                 struct nlattr *nl_wmm_rule = nla_nest_start(msg, j);
706 
707                 if (!nl_wmm_rule)
708                         goto nla_put_failure;
709 
710                 if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
711                                 rule->wmm_rule.client[j].cw_min) ||
712                     nla_put_u16(msg, NL80211_WMMR_CW_MAX,
713                                 rule->wmm_rule.client[j].cw_max) ||
714                     nla_put_u8(msg, NL80211_WMMR_AIFSN,
715                                rule->wmm_rule.client[j].aifsn) ||
716                     nla_put_u16(msg, NL80211_WMMR_TXOP,
717                                 rule->wmm_rule.client[j].cot))
718                         goto nla_put_failure;
719 
720                 nla_nest_end(msg, nl_wmm_rule);
721         }
722         nla_nest_end(msg, nl_wmm_rules);
723 
724         return 0;
725 
726 nla_put_failure:
727         return -ENOBUFS;
728 }
729 
730 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
731                                    struct ieee80211_channel *chan,
732                                    bool large)
733 {
734         /* Some channels must be completely excluded from the
735          * list to protect old user-space tools from breaking
736          */
737         if (!large && chan->flags &
738             (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
739                 return 0;
740 
741         if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
742                         chan->center_freq))
743                 goto nla_put_failure;
744 
745         if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
746             nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
747                 goto nla_put_failure;
748         if (chan->flags & IEEE80211_CHAN_NO_IR) {
749                 if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
750                         goto nla_put_failure;
751                 if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
752                         goto nla_put_failure;
753         }
754         if (chan->flags & IEEE80211_CHAN_RADAR) {
755                 if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
756                         goto nla_put_failure;
757                 if (large) {
758                         u32 time;
759 
760                         time = elapsed_jiffies_msecs(chan->dfs_state_entered);
761 
762                         if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
763                                         chan->dfs_state))
764                                 goto nla_put_failure;
765                         if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
766                                         time))
767                                 goto nla_put_failure;
768                         if (nla_put_u32(msg,
769                                         NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
770                                         chan->dfs_cac_ms))
771                                 goto nla_put_failure;
772                 }
773         }
774 
775         if (large) {
776                 if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
777                     nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
778                         goto nla_put_failure;
779                 if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
780                     nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
781                         goto nla_put_failure;
782                 if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
783                     nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
784                         goto nla_put_failure;
785                 if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
786                     nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
787                         goto nla_put_failure;
788                 if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
789                     nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
790                         goto nla_put_failure;
791                 if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
792                     nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
793                         goto nla_put_failure;
794                 if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
795                     nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
796                         goto nla_put_failure;
797                 if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
798                     nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
799                         goto nla_put_failure;
800         }
801 
802         if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
803                         DBM_TO_MBM(chan->max_power)))
804                 goto nla_put_failure;
805 
806         if (large) {
807                 const struct ieee80211_reg_rule *rule =
808                         freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
809 
810                 if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
811                         if (nl80211_msg_put_wmm_rules(msg, rule))
812                                 goto nla_put_failure;
813                 }
814         }
815 
816         return 0;
817 
818  nla_put_failure:
819         return -ENOBUFS;
820 }
821 
822 static bool nl80211_put_txq_stats(struct sk_buff *msg,
823                                   struct cfg80211_txq_stats *txqstats,
824                                   int attrtype)
825 {
826         struct nlattr *txqattr;
827 
828 #define PUT_TXQVAL_U32(attr, memb) do {                                   \
829         if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&         \
830             nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
831                 return false;                                             \
832         } while (0)
833 
834         txqattr = nla_nest_start(msg, attrtype);
835         if (!txqattr)
836                 return false;
837 
838         PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
839         PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
840         PUT_TXQVAL_U32(FLOWS, flows);
841         PUT_TXQVAL_U32(DROPS, drops);
842         PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
843         PUT_TXQVAL_U32(OVERLIMIT, overlimit);
844         PUT_TXQVAL_U32(OVERMEMORY, overmemory);
845         PUT_TXQVAL_U32(COLLISIONS, collisions);
846         PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
847         PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
848         PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
849         nla_nest_end(msg, txqattr);
850 
851 #undef PUT_TXQVAL_U32
852         return true;
853 }
854 
855 /* netlink command implementations */
856 
857 struct key_parse {
858         struct key_params p;
859         int idx;
860         int type;
861         bool def, defmgmt;
862         bool def_uni, def_multi;
863 };
864 
865 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
866                                  struct key_parse *k)
867 {
868         struct nlattr *tb[NL80211_KEY_MAX + 1];
869         int err = nla_parse_nested(tb, NL80211_KEY_MAX, key,
870                                    nl80211_key_policy, info->extack);
871         if (err)
872                 return err;
873 
874         k->def = !!tb[NL80211_KEY_DEFAULT];
875         k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
876 
877         if (k->def) {
878                 k->def_uni = true;
879                 k->def_multi = true;
880         }
881         if (k->defmgmt)
882                 k->def_multi = true;
883 
884         if (tb[NL80211_KEY_IDX])
885                 k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
886 
887         if (tb[NL80211_KEY_DATA]) {
888                 k->p.key = nla_data(tb[NL80211_KEY_DATA]);
889                 k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
890         }
891 
892         if (tb[NL80211_KEY_SEQ]) {
893                 k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
894                 k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
895         }
896 
897         if (tb[NL80211_KEY_CIPHER])
898                 k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
899 
900         if (tb[NL80211_KEY_TYPE])
901                 k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
902 
903         if (tb[NL80211_KEY_DEFAULT_TYPES]) {
904                 struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
905 
906                 err = nla_parse_nested(kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
907                                        tb[NL80211_KEY_DEFAULT_TYPES],
908                                        nl80211_key_default_policy,
909                                        info->extack);
910                 if (err)
911                         return err;
912 
913                 k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
914                 k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
915         }
916 
917         return 0;
918 }
919 
920 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
921 {
922         if (info->attrs[NL80211_ATTR_KEY_DATA]) {
923                 k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
924                 k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
925         }
926 
927         if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
928                 k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
929                 k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
930         }
931 
932         if (info->attrs[NL80211_ATTR_KEY_IDX])
933                 k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
934 
935         if (info->attrs[NL80211_ATTR_KEY_CIPHER])
936                 k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
937 
938         k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
939         k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
940 
941         if (k->def) {
942                 k->def_uni = true;
943                 k->def_multi = true;
944         }
945         if (k->defmgmt)
946                 k->def_multi = true;
947 
948         if (info->attrs[NL80211_ATTR_KEY_TYPE])
949                 k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
950 
951         if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
952                 struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
953                 int err = nla_parse_nested(kdt,
954                                            NUM_NL80211_KEY_DEFAULT_TYPES - 1,
955                                            info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
956                                            nl80211_key_default_policy,
957                                            info->extack);
958                 if (err)
959                         return err;
960 
961                 k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
962                 k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
963         }
964 
965         return 0;
966 }
967 
968 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
969 {
970         int err;
971 
972         memset(k, 0, sizeof(*k));
973         k->idx = -1;
974         k->type = -1;
975 
976         if (info->attrs[NL80211_ATTR_KEY])
977                 err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
978         else
979                 err = nl80211_parse_key_old(info, k);
980 
981         if (err)
982                 return err;
983 
984         if (k->def && k->defmgmt) {
985                 GENL_SET_ERR_MSG(info, "key with def && defmgmt is invalid");
986                 return -EINVAL;
987         }
988 
989         if (k->defmgmt) {
990                 if (k->def_uni || !k->def_multi) {
991                         GENL_SET_ERR_MSG(info, "defmgmt key must be mcast");
992                         return -EINVAL;
993                 }
994         }
995 
996         if (k->idx != -1) {
997                 if (k->defmgmt) {
998                         if (k->idx < 4 || k->idx > 5) {
999                                 GENL_SET_ERR_MSG(info,
1000                                                  "defmgmt key idx not 4 or 5");
1001                                 return -EINVAL;
1002                         }
1003                 } else if (k->def) {
1004                         if (k->idx < 0 || k->idx > 3) {
1005                                 GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1006                                 return -EINVAL;
1007                         }
1008                 } else {
1009                         if (k->idx < 0 || k->idx > 5) {
1010                                 GENL_SET_ERR_MSG(info, "key idx not 0-5");
1011                                 return -EINVAL;
1012                         }
1013                 }
1014         }
1015 
1016         return 0;
1017 }
1018 
1019 static struct cfg80211_cached_keys *
1020 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1021                        struct genl_info *info, bool *no_ht)
1022 {
1023         struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1024         struct key_parse parse;
1025         struct nlattr *key;
1026         struct cfg80211_cached_keys *result;
1027         int rem, err, def = 0;
1028         bool have_key = false;
1029 
1030         nla_for_each_nested(key, keys, rem) {
1031                 have_key = true;
1032                 break;
1033         }
1034 
1035         if (!have_key)
1036                 return NULL;
1037 
1038         result = kzalloc(sizeof(*result), GFP_KERNEL);
1039         if (!result)
1040                 return ERR_PTR(-ENOMEM);
1041 
1042         result->def = -1;
1043 
1044         nla_for_each_nested(key, keys, rem) {
1045                 memset(&parse, 0, sizeof(parse));
1046                 parse.idx = -1;
1047 
1048                 err = nl80211_parse_key_new(info, key, &parse);
1049                 if (err)
1050                         goto error;
1051                 err = -EINVAL;
1052                 if (!parse.p.key)
1053                         goto error;
1054                 if (parse.idx < 0 || parse.idx > 3) {
1055                         GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1056                         goto error;
1057                 }
1058                 if (parse.def) {
1059                         if (def) {
1060                                 GENL_SET_ERR_MSG(info,
1061                                                  "only one key can be default");
1062                                 goto error;
1063                         }
1064                         def = 1;
1065                         result->def = parse.idx;
1066                         if (!parse.def_uni || !parse.def_multi)
1067                                 goto error;
1068                 } else if (parse.defmgmt)
1069                         goto error;
1070                 err = cfg80211_validate_key_settings(rdev, &parse.p,
1071                                                      parse.idx, false, NULL);
1072                 if (err)
1073                         goto error;
1074                 if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1075                     parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1076                         GENL_SET_ERR_MSG(info, "connect key must be WEP");
1077                         err = -EINVAL;
1078                         goto error;
1079                 }
1080                 result->params[parse.idx].cipher = parse.p.cipher;
1081                 result->params[parse.idx].key_len = parse.p.key_len;
1082                 result->params[parse.idx].key = result->data[parse.idx];
1083                 memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1084 
1085                 /* must be WEP key if we got here */
1086                 if (no_ht)
1087                         *no_ht = true;
1088         }
1089 
1090         if (result->def < 0) {
1091                 err = -EINVAL;
1092                 GENL_SET_ERR_MSG(info, "need a default/TX key");
1093                 goto error;
1094         }
1095 
1096         return result;
1097  error:
1098         kfree(result);
1099         return ERR_PTR(err);
1100 }
1101 
1102 static int nl80211_key_allowed(struct wireless_dev *wdev)
1103 {
1104         ASSERT_WDEV_LOCK(wdev);
1105 
1106         switch (wdev->iftype) {
1107         case NL80211_IFTYPE_AP:
1108         case NL80211_IFTYPE_AP_VLAN:
1109         case NL80211_IFTYPE_P2P_GO:
1110         case NL80211_IFTYPE_MESH_POINT:
1111                 break;
1112         case NL80211_IFTYPE_ADHOC:
1113         case NL80211_IFTYPE_STATION:
1114         case NL80211_IFTYPE_P2P_CLIENT:
1115                 if (!wdev->current_bss)
1116                         return -ENOLINK;
1117                 break;
1118         case NL80211_IFTYPE_UNSPECIFIED:
1119         case NL80211_IFTYPE_OCB:
1120         case NL80211_IFTYPE_MONITOR:
1121         case NL80211_IFTYPE_NAN:
1122         case NL80211_IFTYPE_P2P_DEVICE:
1123         case NL80211_IFTYPE_WDS:
1124         case NUM_NL80211_IFTYPES:
1125                 return -EINVAL;
1126         }
1127 
1128         return 0;
1129 }
1130 
1131 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1132                                                         struct nlattr *tb)
1133 {
1134         struct ieee80211_channel *chan;
1135 
1136         if (tb == NULL)
1137                 return NULL;
1138         chan = ieee80211_get_channel(wiphy, nla_get_u32(tb));
1139         if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1140                 return NULL;
1141         return chan;
1142 }
1143 
1144 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1145 {
1146         struct nlattr *nl_modes = nla_nest_start(msg, attr);
1147         int i;
1148 
1149         if (!nl_modes)
1150                 goto nla_put_failure;
1151 
1152         i = 0;
1153         while (ifmodes) {
1154                 if ((ifmodes & 1) && nla_put_flag(msg, i))
1155                         goto nla_put_failure;
1156                 ifmodes >>= 1;
1157                 i++;
1158         }
1159 
1160         nla_nest_end(msg, nl_modes);
1161         return 0;
1162 
1163 nla_put_failure:
1164         return -ENOBUFS;
1165 }
1166 
1167 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1168                                           struct sk_buff *msg,
1169                                           bool large)
1170 {
1171         struct nlattr *nl_combis;
1172         int i, j;
1173 
1174         nl_combis = nla_nest_start(msg,
1175                                 NL80211_ATTR_INTERFACE_COMBINATIONS);
1176         if (!nl_combis)
1177                 goto nla_put_failure;
1178 
1179         for (i = 0; i < wiphy->n_iface_combinations; i++) {
1180                 const struct ieee80211_iface_combination *c;
1181                 struct nlattr *nl_combi, *nl_limits;
1182 
1183                 c = &wiphy->iface_combinations[i];
1184 
1185                 nl_combi = nla_nest_start(msg, i + 1);
1186                 if (!nl_combi)
1187                         goto nla_put_failure;
1188 
1189                 nl_limits = nla_nest_start(msg, NL80211_IFACE_COMB_LIMITS);
1190                 if (!nl_limits)
1191                         goto nla_put_failure;
1192 
1193                 for (j = 0; j < c->n_limits; j++) {
1194                         struct nlattr *nl_limit;
1195 
1196                         nl_limit = nla_nest_start(msg, j + 1);
1197                         if (!nl_limit)
1198                                 goto nla_put_failure;
1199                         if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1200                                         c->limits[j].max))
1201                                 goto nla_put_failure;
1202                         if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1203                                                 c->limits[j].types))
1204                                 goto nla_put_failure;
1205                         nla_nest_end(msg, nl_limit);
1206                 }
1207 
1208                 nla_nest_end(msg, nl_limits);
1209 
1210                 if (c->beacon_int_infra_match &&
1211                     nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1212                         goto nla_put_failure;
1213                 if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1214                                 c->num_different_channels) ||
1215                     nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1216                                 c->max_interfaces))
1217                         goto nla_put_failure;
1218                 if (large &&
1219                     (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1220                                 c->radar_detect_widths) ||
1221                      nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1222                                 c->radar_detect_regions)))
1223                         goto nla_put_failure;
1224                 if (c->beacon_int_min_gcd &&
1225                     nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1226                                 c->beacon_int_min_gcd))
1227                         goto nla_put_failure;
1228 
1229                 nla_nest_end(msg, nl_combi);
1230         }
1231 
1232         nla_nest_end(msg, nl_combis);
1233 
1234         return 0;
1235 nla_put_failure:
1236         return -ENOBUFS;
1237 }
1238 
1239 #ifdef CONFIG_PM
1240 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1241                                         struct sk_buff *msg)
1242 {
1243         const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1244         struct nlattr *nl_tcp;
1245 
1246         if (!tcp)
1247                 return 0;
1248 
1249         nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1250         if (!nl_tcp)
1251                 return -ENOBUFS;
1252 
1253         if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1254                         tcp->data_payload_max))
1255                 return -ENOBUFS;
1256 
1257         if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1258                         tcp->data_payload_max))
1259                 return -ENOBUFS;
1260 
1261         if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1262                 return -ENOBUFS;
1263 
1264         if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1265                                 sizeof(*tcp->tok), tcp->tok))
1266                 return -ENOBUFS;
1267 
1268         if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1269                         tcp->data_interval_max))
1270                 return -ENOBUFS;
1271 
1272         if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1273                         tcp->wake_payload_max))
1274                 return -ENOBUFS;
1275 
1276         nla_nest_end(msg, nl_tcp);
1277         return 0;
1278 }
1279 
1280 static int nl80211_send_wowlan(struct sk_buff *msg,
1281                                struct cfg80211_registered_device *rdev,
1282                                bool large)
1283 {
1284         struct nlattr *nl_wowlan;
1285 
1286         if (!rdev->wiphy.wowlan)
1287                 return 0;
1288 
1289         nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1290         if (!nl_wowlan)
1291                 return -ENOBUFS;
1292 
1293         if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1294              nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1295             ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1296              nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1297             ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1298              nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1299             ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1300              nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1301             ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1302              nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1303             ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1304              nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1305             ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1306              nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1307             ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1308              nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1309                 return -ENOBUFS;
1310 
1311         if (rdev->wiphy.wowlan->n_patterns) {
1312                 struct nl80211_pattern_support pat = {
1313                         .max_patterns = rdev->wiphy.wowlan->n_patterns,
1314                         .min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1315                         .max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1316                         .max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1317                 };
1318 
1319                 if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1320                             sizeof(pat), &pat))
1321                         return -ENOBUFS;
1322         }
1323 
1324         if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1325             nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1326                         rdev->wiphy.wowlan->max_nd_match_sets))
1327                 return -ENOBUFS;
1328 
1329         if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1330                 return -ENOBUFS;
1331 
1332         nla_nest_end(msg, nl_wowlan);
1333 
1334         return 0;
1335 }
1336 #endif
1337 
1338 static int nl80211_send_coalesce(struct sk_buff *msg,
1339                                  struct cfg80211_registered_device *rdev)
1340 {
1341         struct nl80211_coalesce_rule_support rule;
1342 
1343         if (!rdev->wiphy.coalesce)
1344                 return 0;
1345 
1346         rule.max_rules = rdev->wiphy.coalesce->n_rules;
1347         rule.max_delay = rdev->wiphy.coalesce->max_delay;
1348         rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1349         rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1350         rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1351         rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1352 
1353         if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1354                 return -ENOBUFS;
1355 
1356         return 0;
1357 }
1358 
1359 static int
1360 nl80211_send_iftype_data(struct sk_buff *msg,
1361                          const struct ieee80211_sband_iftype_data *iftdata)
1362 {
1363         const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1364 
1365         if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1366                                 iftdata->types_mask))
1367                 return -ENOBUFS;
1368 
1369         if (he_cap->has_he) {
1370                 if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1371                             sizeof(he_cap->he_cap_elem.mac_cap_info),
1372                             he_cap->he_cap_elem.mac_cap_info) ||
1373                     nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1374                             sizeof(he_cap->he_cap_elem.phy_cap_info),
1375                             he_cap->he_cap_elem.phy_cap_info) ||
1376                     nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1377                             sizeof(he_cap->he_mcs_nss_supp),
1378                             &he_cap->he_mcs_nss_supp) ||
1379                     nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1380                             sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1381                         return -ENOBUFS;
1382         }
1383 
1384         return 0;
1385 }
1386 
1387 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1388                                       struct ieee80211_supported_band *sband)
1389 {
1390         struct nlattr *nl_rates, *nl_rate;
1391         struct ieee80211_rate *rate;
1392         int i;
1393 
1394         /* add HT info */
1395         if (sband->ht_cap.ht_supported &&
1396             (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1397                      sizeof(sband->ht_cap.mcs),
1398                      &sband->ht_cap.mcs) ||
1399              nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1400                          sband->ht_cap.cap) ||
1401              nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1402                         sband->ht_cap.ampdu_factor) ||
1403              nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1404                         sband->ht_cap.ampdu_density)))
1405                 return -ENOBUFS;
1406 
1407         /* add VHT info */
1408         if (sband->vht_cap.vht_supported &&
1409             (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1410                      sizeof(sband->vht_cap.vht_mcs),
1411                      &sband->vht_cap.vht_mcs) ||
1412              nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1413                          sband->vht_cap.cap)))
1414                 return -ENOBUFS;
1415 
1416         if (sband->n_iftype_data) {
1417                 struct nlattr *nl_iftype_data =
1418                         nla_nest_start(msg, NL80211_BAND_ATTR_IFTYPE_DATA);
1419                 int err;
1420 
1421                 if (!nl_iftype_data)
1422                         return -ENOBUFS;
1423 
1424                 for (i = 0; i < sband->n_iftype_data; i++) {
1425                         struct nlattr *iftdata;
1426 
1427                         iftdata = nla_nest_start(msg, i + 1);
1428                         if (!iftdata)
1429                                 return -ENOBUFS;
1430 
1431                         err = nl80211_send_iftype_data(msg,
1432                                                        &sband->iftype_data[i]);
1433                         if (err)
1434                                 return err;
1435 
1436                         nla_nest_end(msg, iftdata);
1437                 }
1438 
1439                 nla_nest_end(msg, nl_iftype_data);
1440         }
1441 
1442         /* add bitrates */
1443         nl_rates = nla_nest_start(msg, NL80211_BAND_ATTR_RATES);
1444         if (!nl_rates)
1445                 return -ENOBUFS;
1446 
1447         for (i = 0; i < sband->n_bitrates; i++) {
1448                 nl_rate = nla_nest_start(msg, i);
1449                 if (!nl_rate)
1450                         return -ENOBUFS;
1451 
1452                 rate = &sband->bitrates[i];
1453                 if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1454                                 rate->bitrate))
1455                         return -ENOBUFS;
1456                 if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1457                     nla_put_flag(msg,
1458                                  NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1459                         return -ENOBUFS;
1460 
1461                 nla_nest_end(msg, nl_rate);
1462         }
1463 
1464         nla_nest_end(msg, nl_rates);
1465 
1466         return 0;
1467 }
1468 
1469 static int
1470 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1471                          const struct ieee80211_txrx_stypes *mgmt_stypes)
1472 {
1473         u16 stypes;
1474         struct nlattr *nl_ftypes, *nl_ifs;
1475         enum nl80211_iftype ift;
1476         int i;
1477 
1478         if (!mgmt_stypes)
1479                 return 0;
1480 
1481         nl_ifs = nla_nest_start(msg, NL80211_ATTR_TX_FRAME_TYPES);
1482         if (!nl_ifs)
1483                 return -ENOBUFS;
1484 
1485         for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1486                 nl_ftypes = nla_nest_start(msg, ift);
1487                 if (!nl_ftypes)
1488                         return -ENOBUFS;
1489                 i = 0;
1490                 stypes = mgmt_stypes[ift].tx;
1491                 while (stypes) {
1492                         if ((stypes & 1) &&
1493                             nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1494                                         (i << 4) | IEEE80211_FTYPE_MGMT))
1495                                 return -ENOBUFS;
1496                         stypes >>= 1;
1497                         i++;
1498                 }
1499                 nla_nest_end(msg, nl_ftypes);
1500         }
1501 
1502         nla_nest_end(msg, nl_ifs);
1503 
1504         nl_ifs = nla_nest_start(msg, NL80211_ATTR_RX_FRAME_TYPES);
1505         if (!nl_ifs)
1506                 return -ENOBUFS;
1507 
1508         for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1509                 nl_ftypes = nla_nest_start(msg, ift);
1510                 if (!nl_ftypes)
1511                         return -ENOBUFS;
1512                 i = 0;
1513                 stypes = mgmt_stypes[ift].rx;
1514                 while (stypes) {
1515                         if ((stypes & 1) &&
1516                             nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1517                                         (i << 4) | IEEE80211_FTYPE_MGMT))
1518                                 return -ENOBUFS;
1519                         stypes >>= 1;
1520                         i++;
1521                 }
1522                 nla_nest_end(msg, nl_ftypes);
1523         }
1524         nla_nest_end(msg, nl_ifs);
1525 
1526         return 0;
1527 }
1528 
1529 #define CMD(op, n)                                                      \
1530          do {                                                           \
1531                 if (rdev->ops->op) {                                    \
1532                         i++;                                            \
1533                         if (nla_put_u32(msg, i, NL80211_CMD_ ## n))     \
1534                                 goto nla_put_failure;                   \
1535                 }                                                       \
1536         } while (0)
1537 
1538 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
1539                                         struct sk_buff *msg)
1540 {
1541         int i = 0;
1542 
1543         /*
1544          * do *NOT* add anything into this function, new things need to be
1545          * advertised only to new versions of userspace that can deal with
1546          * the split (and they can't possibly care about new features...
1547          */
1548         CMD(add_virtual_intf, NEW_INTERFACE);
1549         CMD(change_virtual_intf, SET_INTERFACE);
1550         CMD(add_key, NEW_KEY);
1551         CMD(start_ap, START_AP);
1552         CMD(add_station, NEW_STATION);
1553         CMD(add_mpath, NEW_MPATH);
1554         CMD(update_mesh_config, SET_MESH_CONFIG);
1555         CMD(change_bss, SET_BSS);
1556         CMD(auth, AUTHENTICATE);
1557         CMD(assoc, ASSOCIATE);
1558         CMD(deauth, DEAUTHENTICATE);
1559         CMD(disassoc, DISASSOCIATE);
1560         CMD(join_ibss, JOIN_IBSS);
1561         CMD(join_mesh, JOIN_MESH);
1562         CMD(set_pmksa, SET_PMKSA);
1563         CMD(del_pmksa, DEL_PMKSA);
1564         CMD(flush_pmksa, FLUSH_PMKSA);
1565         if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1566                 CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1567         CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1568         CMD(mgmt_tx, FRAME);
1569         CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1570         if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1571                 i++;
1572                 if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1573                         goto nla_put_failure;
1574         }
1575         if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1576             rdev->ops->join_mesh) {
1577                 i++;
1578                 if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1579                         goto nla_put_failure;
1580         }
1581         CMD(set_wds_peer, SET_WDS_PEER);
1582         if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1583                 CMD(tdls_mgmt, TDLS_MGMT);
1584                 CMD(tdls_oper, TDLS_OPER);
1585         }
1586         if (rdev->wiphy.max_sched_scan_reqs)
1587                 CMD(sched_scan_start, START_SCHED_SCAN);
1588         CMD(probe_client, PROBE_CLIENT);
1589         CMD(set_noack_map, SET_NOACK_MAP);
1590         if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1591                 i++;
1592                 if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1593                         goto nla_put_failure;
1594         }
1595         CMD(start_p2p_device, START_P2P_DEVICE);
1596         CMD(set_mcast_rate, SET_MCAST_RATE);
1597 #ifdef CONFIG_NL80211_TESTMODE
1598         CMD(testmode_cmd, TESTMODE);
1599 #endif
1600 
1601         if (rdev->ops->connect || rdev->ops->auth) {
1602                 i++;
1603                 if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1604                         goto nla_put_failure;
1605         }
1606 
1607         if (rdev->ops->disconnect || rdev->ops->deauth) {
1608                 i++;
1609                 if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1610                         goto nla_put_failure;
1611         }
1612 
1613         return i;
1614  nla_put_failure:
1615         return -ENOBUFS;
1616 }
1617 
1618 struct nl80211_dump_wiphy_state {
1619         s64 filter_wiphy;
1620         long start;
1621         long split_start, band_start, chan_start, capa_start;
1622         bool split;
1623 };
1624 
1625 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
1626                               enum nl80211_commands cmd,
1627                               struct sk_buff *msg, u32 portid, u32 seq,
1628                               int flags, struct nl80211_dump_wiphy_state *state)
1629 {
1630         void *hdr;
1631         struct nlattr *nl_bands, *nl_band;
1632         struct nlattr *nl_freqs, *nl_freq;
1633         struct nlattr *nl_cmds;
1634         enum nl80211_band band;
1635         struct ieee80211_channel *chan;
1636         int i;
1637         const struct ieee80211_txrx_stypes *mgmt_stypes =
1638                                 rdev->wiphy.mgmt_stypes;
1639         u32 features;
1640 
1641         hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
1642         if (!hdr)
1643                 return -ENOBUFS;
1644 
1645         if (WARN_ON(!state))
1646                 return -EINVAL;
1647 
1648         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
1649             nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
1650                            wiphy_name(&rdev->wiphy)) ||
1651             nla_put_u32(msg, NL80211_ATTR_GENERATION,
1652                         cfg80211_rdev_list_generation))
1653                 goto nla_put_failure;
1654 
1655         if (cmd != NL80211_CMD_NEW_WIPHY)
1656                 goto finish;
1657 
1658         switch (state->split_start) {
1659         case 0:
1660                 if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
1661                                rdev->wiphy.retry_short) ||
1662                     nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
1663                                rdev->wiphy.retry_long) ||
1664                     nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
1665                                 rdev->wiphy.frag_threshold) ||
1666                     nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
1667                                 rdev->wiphy.rts_threshold) ||
1668                     nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
1669                                rdev->wiphy.coverage_class) ||
1670                     nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
1671                                rdev->wiphy.max_scan_ssids) ||
1672                     nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
1673                                rdev->wiphy.max_sched_scan_ssids) ||
1674                     nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
1675                                 rdev->wiphy.max_scan_ie_len) ||
1676                     nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
1677                                 rdev->wiphy.max_sched_scan_ie_len) ||
1678                     nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
1679                                rdev->wiphy.max_match_sets) ||
1680                     nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
1681                                 rdev->wiphy.max_sched_scan_plans) ||
1682                     nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
1683                                 rdev->wiphy.max_sched_scan_plan_interval) ||
1684                     nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
1685                                 rdev->wiphy.max_sched_scan_plan_iterations))
1686                         goto nla_put_failure;
1687 
1688                 if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
1689                     nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
1690                         goto nla_put_failure;
1691                 if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
1692                     nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
1693                         goto nla_put_failure;
1694                 if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
1695                     nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
1696                         goto nla_put_failure;
1697                 if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
1698                     nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
1699                         goto nla_put_failure;
1700                 if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
1701                     nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
1702                         goto nla_put_failure;
1703                 if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
1704                     nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
1705                         goto nla_put_failure;
1706                 state->split_start++;
1707                 if (state->split)
1708                         break;
1709         case 1:
1710                 if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
1711                             sizeof(u32) * rdev->wiphy.n_cipher_suites,
1712                             rdev->wiphy.cipher_suites))
1713                         goto nla_put_failure;
1714 
1715                 if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
1716                                rdev->wiphy.max_num_pmkids))
1717                         goto nla_put_failure;
1718 
1719                 if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
1720                     nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
1721                         goto nla_put_failure;
1722 
1723                 if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
1724                                 rdev->wiphy.available_antennas_tx) ||
1725                     nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
1726                                 rdev->wiphy.available_antennas_rx))
1727                         goto nla_put_failure;
1728 
1729                 if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
1730                     nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
1731                                 rdev->wiphy.probe_resp_offload))
1732                         goto nla_put_failure;
1733 
1734                 if ((rdev->wiphy.available_antennas_tx ||
1735                      rdev->wiphy.available_antennas_rx) &&
1736                     rdev->ops->get_antenna) {
1737                         u32 tx_ant = 0, rx_ant = 0;
1738                         int res;
1739 
1740                         res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
1741                         if (!res) {
1742                                 if (nla_put_u32(msg,
1743                                                 NL80211_ATTR_WIPHY_ANTENNA_TX,
1744                                                 tx_ant) ||
1745                                     nla_put_u32(msg,
1746                                                 NL80211_ATTR_WIPHY_ANTENNA_RX,
1747                                                 rx_ant))
1748                                         goto nla_put_failure;
1749                         }
1750                 }
1751 
1752                 state->split_start++;
1753                 if (state->split)
1754                         break;
1755         case 2:
1756                 if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
1757                                         rdev->wiphy.interface_modes))
1758                                 goto nla_put_failure;
1759                 state->split_start++;
1760                 if (state->split)
1761                         break;
1762         case 3:
1763                 nl_bands = nla_nest_start(msg, NL80211_ATTR_WIPHY_BANDS);
1764                 if (!nl_bands)
1765                         goto nla_put_failure;
1766 
1767                 for (band = state->band_start;
1768                      band < NUM_NL80211_BANDS; band++) {
1769                         struct ieee80211_supported_band *sband;
1770 
1771                         sband = rdev->wiphy.bands[band];
1772 
1773                         if (!sband)
1774                                 continue;
1775 
1776                         nl_band = nla_nest_start(msg, band);
1777                         if (!nl_band)
1778                                 goto nla_put_failure;
1779 
1780                         switch (state->chan_start) {
1781                         case 0:
1782                                 if (nl80211_send_band_rateinfo(msg, sband))
1783                                         goto nla_put_failure;
1784                                 state->chan_start++;
1785                                 if (state->split)
1786                                         break;
1787                         default:
1788                                 /* add frequencies */
1789                                 nl_freqs = nla_nest_start(
1790                                         msg, NL80211_BAND_ATTR_FREQS);
1791                                 if (!nl_freqs)
1792                                         goto nla_put_failure;
1793 
1794                                 for (i = state->chan_start - 1;
1795                                      i < sband->n_channels;
1796                                      i++) {
1797                                         nl_freq = nla_nest_start(msg, i);
1798                                         if (!nl_freq)
1799                                                 goto nla_put_failure;
1800 
1801                                         chan = &sband->channels[i];
1802 
1803                                         if (nl80211_msg_put_channel(
1804                                                         msg, &rdev->wiphy, chan,
1805                                                         state->split))
1806                                                 goto nla_put_failure;
1807 
1808                                         nla_nest_end(msg, nl_freq);
1809                                         if (state->split)
1810                                                 break;
1811                                 }
1812                                 if (i < sband->n_channels)
1813                                         state->chan_start = i + 2;
1814                                 else
1815                                         state->chan_start = 0;
1816                                 nla_nest_end(msg, nl_freqs);
1817                         }
1818 
1819                         nla_nest_end(msg, nl_band);
1820 
1821                         if (state->split) {
1822                                 /* start again here */
1823                                 if (state->chan_start)
1824                                         band--;
1825                                 break;
1826                         }
1827                 }
1828                 nla_nest_end(msg, nl_bands);
1829 
1830                 if (band < NUM_NL80211_BANDS)
1831                         state->band_start = band + 1;
1832                 else
1833                         state->band_start = 0;
1834 
1835                 /* if bands & channels are done, continue outside */
1836                 if (state->band_start == 0 && state->chan_start == 0)
1837                         state->split_start++;
1838                 if (state->split)
1839                         break;
1840         case 4:
1841                 nl_cmds = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_COMMANDS);
1842                 if (!nl_cmds)
1843                         goto nla_put_failure;
1844 
1845                 i = nl80211_add_commands_unsplit(rdev, msg);
1846                 if (i < 0)
1847                         goto nla_put_failure;
1848                 if (state->split) {
1849                         CMD(crit_proto_start, CRIT_PROTOCOL_START);
1850                         CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
1851                         if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
1852                                 CMD(channel_switch, CHANNEL_SWITCH);
1853                         CMD(set_qos_map, SET_QOS_MAP);
1854                         if (rdev->wiphy.features &
1855                                         NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
1856                                 CMD(add_tx_ts, ADD_TX_TS);
1857                         CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
1858                         CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
1859                 }
1860 #undef CMD
1861 
1862                 nla_nest_end(msg, nl_cmds);
1863                 state->split_start++;
1864                 if (state->split)
1865                         break;
1866         case 5:
1867                 if (rdev->ops->remain_on_channel &&
1868                     (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
1869                     nla_put_u32(msg,
1870                                 NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
1871                                 rdev->wiphy.max_remain_on_channel_duration))
1872                         goto nla_put_failure;
1873 
1874                 if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
1875                     nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
1876                         goto nla_put_failure;
1877 
1878                 if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
1879                         goto nla_put_failure;
1880                 state->split_start++;
1881                 if (state->split)
1882                         break;
1883         case 6:
1884 #ifdef CONFIG_PM
1885                 if (nl80211_send_wowlan(msg, rdev, state->split))
1886                         goto nla_put_failure;
1887                 state->split_start++;
1888                 if (state->split)
1889                         break;
1890 #else
1891                 state->split_start++;
1892 #endif
1893         case 7:
1894                 if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
1895                                         rdev->wiphy.software_iftypes))
1896                         goto nla_put_failure;
1897 
1898                 if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
1899                                                    state->split))
1900                         goto nla_put_failure;
1901 
1902                 state->split_start++;
1903                 if (state->split)
1904                         break;
1905         case 8:
1906                 if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
1907                     nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
1908                                 rdev->wiphy.ap_sme_capa))
1909                         goto nla_put_failure;
1910 
1911                 features = rdev->wiphy.features;
1912                 /*
1913                  * We can only add the per-channel limit information if the
1914                  * dump is split, otherwise it makes it too big. Therefore
1915                  * only advertise it in that case.
1916                  */
1917                 if (state->split)
1918                         features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
1919                 if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
1920                         goto nla_put_failure;
1921 
1922                 if (rdev->wiphy.ht_capa_mod_mask &&
1923                     nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
1924                             sizeof(*rdev->wiphy.ht_capa_mod_mask),
1925                             rdev->wiphy.ht_capa_mod_mask))
1926                         goto nla_put_failure;
1927 
1928                 if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
1929                     rdev->wiphy.max_acl_mac_addrs &&
1930                     nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
1931                                 rdev->wiphy.max_acl_mac_addrs))
1932                         goto nla_put_failure;
1933 
1934                 /*
1935                  * Any information below this point is only available to
1936                  * applications that can deal with it being split. This
1937                  * helps ensure that newly added capabilities don't break
1938                  * older tools by overrunning their buffers.
1939                  *
1940                  * We still increment split_start so that in the split
1941                  * case we'll continue with more data in the next round,
1942                  * but break unconditionally so unsplit data stops here.
1943                  */
1944                 state->split_start++;
1945                 break;
1946         case 9:
1947                 if (rdev->wiphy.extended_capabilities &&
1948                     (nla_put(msg, NL80211_ATTR_EXT_CAPA,
1949                              rdev->wiphy.extended_capabilities_len,
1950                              rdev->wiphy.extended_capabilities) ||
1951                      nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
1952                              rdev->wiphy.extended_capabilities_len,
1953                              rdev->wiphy.extended_capabilities_mask)))
1954                         goto nla_put_failure;
1955 
1956                 if (rdev->wiphy.vht_capa_mod_mask &&
1957                     nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
1958                             sizeof(*rdev->wiphy.vht_capa_mod_mask),
1959                             rdev->wiphy.vht_capa_mod_mask))
1960                         goto nla_put_failure;
1961 
1962                 state->split_start++;
1963                 break;
1964         case 10:
1965                 if (nl80211_send_coalesce(msg, rdev))
1966                         goto nla_put_failure;
1967 
1968                 if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
1969                     (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
1970                      nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
1971                         goto nla_put_failure;
1972 
1973                 if (rdev->wiphy.max_ap_assoc_sta &&
1974                     nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
1975                                 rdev->wiphy.max_ap_assoc_sta))
1976                         goto nla_put_failure;
1977 
1978                 state->split_start++;
1979                 break;
1980         case 11:
1981                 if (rdev->wiphy.n_vendor_commands) {
1982                         const struct nl80211_vendor_cmd_info *info;
1983                         struct nlattr *nested;
1984 
1985                         nested = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
1986                         if (!nested)
1987                                 goto nla_put_failure;
1988 
1989                         for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
1990                                 info = &rdev->wiphy.vendor_commands[i].info;
1991                                 if (nla_put(msg, i + 1, sizeof(*info), info))
1992                                         goto nla_put_failure;
1993                         }
1994                         nla_nest_end(msg, nested);
1995                 }
1996 
1997                 if (rdev->wiphy.n_vendor_events) {
1998                         const struct nl80211_vendor_cmd_info *info;
1999                         struct nlattr *nested;
2000 
2001                         nested = nla_nest_start(msg,
2002                                                 NL80211_ATTR_VENDOR_EVENTS);
2003                         if (!nested)
2004                                 goto nla_put_failure;
2005 
2006                         for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2007                                 info = &rdev->wiphy.vendor_events[i];
2008                                 if (nla_put(msg, i + 1, sizeof(*info), info))
2009                                         goto nla_put_failure;
2010                         }
2011                         nla_nest_end(msg, nested);
2012                 }
2013                 state->split_start++;
2014                 break;
2015         case 12:
2016                 if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2017                     nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2018                                rdev->wiphy.max_num_csa_counters))
2019                         goto nla_put_failure;
2020 
2021                 if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2022                     nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2023                         goto nla_put_failure;
2024 
2025                 if (rdev->wiphy.max_sched_scan_reqs &&
2026                     nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2027                                 rdev->wiphy.max_sched_scan_reqs))
2028                         goto nla_put_failure;
2029 
2030                 if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2031                             sizeof(rdev->wiphy.ext_features),
2032                             rdev->wiphy.ext_features))
2033                         goto nla_put_failure;
2034 
2035                 if (rdev->wiphy.bss_select_support) {
2036                         struct nlattr *nested;
2037                         u32 bss_select_support = rdev->wiphy.bss_select_support;
2038 
2039                         nested = nla_nest_start(msg, NL80211_ATTR_BSS_SELECT);
2040                         if (!nested)
2041                                 goto nla_put_failure;
2042 
2043                         i = 0;
2044                         while (bss_select_support) {
2045                                 if ((bss_select_support & 1) &&
2046                                     nla_put_flag(msg, i))
2047                                         goto nla_put_failure;
2048                                 i++;
2049                                 bss_select_support >>= 1;
2050                         }
2051                         nla_nest_end(msg, nested);
2052                 }
2053 
2054                 state->split_start++;
2055                 break;
2056         case 13:
2057                 if (rdev->wiphy.num_iftype_ext_capab &&
2058                     rdev->wiphy.iftype_ext_capab) {
2059                         struct nlattr *nested_ext_capab, *nested;
2060 
2061                         nested = nla_nest_start(msg,
2062                                                 NL80211_ATTR_IFTYPE_EXT_CAPA);
2063                         if (!nested)
2064                                 goto nla_put_failure;
2065 
2066                         for (i = state->capa_start;
2067                              i < rdev->wiphy.num_iftype_ext_capab; i++) {
2068                                 const struct wiphy_iftype_ext_capab *capab;
2069 
2070                                 capab = &rdev->wiphy.iftype_ext_capab[i];
2071 
2072                                 nested_ext_capab = nla_nest_start(msg, i);
2073                                 if (!nested_ext_capab ||
2074                                     nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2075                                                 capab->iftype) ||
2076                                     nla_put(msg, NL80211_ATTR_EXT_CAPA,
2077                                             capab->extended_capabilities_len,
2078                                             capab->extended_capabilities) ||
2079                                     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2080                                             capab->extended_capabilities_len,
2081                                             capab->extended_capabilities_mask))
2082                                         goto nla_put_failure;
2083 
2084                                 nla_nest_end(msg, nested_ext_capab);
2085                                 if (state->split)
2086                                         break;
2087                         }
2088                         nla_nest_end(msg, nested);
2089                         if (i < rdev->wiphy.num_iftype_ext_capab) {
2090                                 state->capa_start = i + 1;
2091                                 break;
2092                         }
2093                 }
2094 
2095                 if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2096                                 rdev->wiphy.nan_supported_bands))
2097                         goto nla_put_failure;
2098 
2099                 if (wiphy_ext_feature_isset(&rdev->wiphy,
2100                                             NL80211_EXT_FEATURE_TXQS)) {
2101                         struct cfg80211_txq_stats txqstats = {};
2102                         int res;
2103 
2104                         res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2105                         if (!res &&
2106                             !nl80211_put_txq_stats(msg, &txqstats,
2107                                                    NL80211_ATTR_TXQ_STATS))
2108                                 goto nla_put_failure;
2109 
2110                         if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2111                                         rdev->wiphy.txq_limit))
2112                                 goto nla_put_failure;
2113                         if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2114                                         rdev->wiphy.txq_memory_limit))
2115                                 goto nla_put_failure;
2116                         if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2117                                         rdev->wiphy.txq_quantum))
2118                                 goto nla_put_failure;
2119                 }
2120 
2121                 /* done */
2122                 state->split_start = 0;
2123                 break;
2124         }
2125  finish:
2126         genlmsg_end(msg, hdr);
2127         return 0;
2128 
2129  nla_put_failure:
2130         genlmsg_cancel(msg, hdr);
2131         return -EMSGSIZE;
2132 }
2133 
2134 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2135                                     struct netlink_callback *cb,
2136                                     struct nl80211_dump_wiphy_state *state)
2137 {
2138         struct nlattr **tb = genl_family_attrbuf(&nl80211_fam);
2139         int ret = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize, tb,
2140                               nl80211_fam.maxattr, nl80211_policy, NULL);
2141         /* ignore parse errors for backward compatibility */
2142         if (ret)
2143                 return 0;
2144 
2145         state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2146         if (tb[NL80211_ATTR_WIPHY])
2147                 state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2148         if (tb[NL80211_ATTR_WDEV])
2149                 state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
2150         if (tb[NL80211_ATTR_IFINDEX]) {
2151                 struct net_device *netdev;
2152                 struct cfg80211_registered_device *rdev;
2153                 int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
2154 
2155                 netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
2156                 if (!netdev)
2157                         return -ENODEV;
2158                 if (netdev->ieee80211_ptr) {
2159                         rdev = wiphy_to_rdev(
2160                                 netdev->ieee80211_ptr->wiphy);
2161                         state->filter_wiphy = rdev->wiphy_idx;
2162                 }
2163         }
2164 
2165         return 0;
2166 }
2167 
2168 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
2169 {
2170         int idx = 0, ret;
2171         struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
2172         struct cfg80211_registered_device *rdev;
2173 
2174         rtnl_lock();
2175         if (!state) {
2176                 state = kzalloc(sizeof(*state), GFP_KERNEL);
2177                 if (!state) {
2178                         rtnl_unlock();
2179                         return -ENOMEM;
2180                 }
2181                 state->filter_wiphy = -1;
2182                 ret = nl80211_dump_wiphy_parse(skb, cb, state);
2183                 if (ret) {
2184                         kfree(state);
2185                         rtnl_unlock();
2186                         return ret;
2187                 }
2188                 cb->args[0] = (long)state;
2189         }
2190 
2191         list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2192                 if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2193                         continue;
2194                 if (++idx <= state->start)
2195                         continue;
2196                 if (state->filter_wiphy != -1 &&
2197                     state->filter_wiphy != rdev->wiphy_idx)
2198                         continue;
2199                 /* attempt to fit multiple wiphy data chunks into the skb */
2200                 do {
2201                         ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
2202                                                  skb,
2203                                                  NETLINK_CB(cb->skb).portid,
2204                                                  cb->nlh->nlmsg_seq,
2205                                                  NLM_F_MULTI, state);
2206                         if (ret < 0) {
2207                                 /*
2208                                  * If sending the wiphy data didn't fit (ENOBUFS
2209                                  * or EMSGSIZE returned), this SKB is still
2210                                  * empty (so it's not too big because another
2211                                  * wiphy dataset is already in the skb) and
2212                                  * we've not tried to adjust the dump allocation
2213                                  * yet ... then adjust the alloc size to be
2214                                  * bigger, and return 1 but with the empty skb.
2215                                  * This results in an empty message being RX'ed
2216                                  * in userspace, but that is ignored.
2217                                  *
2218                                  * We can then retry with the larger buffer.
2219                                  */
2220                                 if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
2221                                     !skb->len && !state->split &&
2222                                     cb->min_dump_alloc < 4096) {
2223                                         cb->min_dump_alloc = 4096;
2224                                         state->split_start = 0;
2225                                         rtnl_unlock();
2226                                         return 1;
2227                                 }
2228                                 idx--;
2229                                 break;
2230                         }
2231                 } while (state->split_start > 0);
2232                 break;
2233         }
2234         rtnl_unlock();
2235 
2236         state->start = idx;
2237 
2238         return skb->len;
2239 }
2240 
2241 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
2242 {
2243         kfree((void *)cb->args[0]);
2244         return 0;
2245 }
2246 
2247 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
2248 {
2249         struct sk_buff *msg;
2250         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2251         struct nl80211_dump_wiphy_state state = {};
2252 
2253         msg = nlmsg_new(4096, GFP_KERNEL);
2254         if (!msg)
2255                 return -ENOMEM;
2256 
2257         if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
2258                                info->snd_portid, info->snd_seq, 0,
2259                                &state) < 0) {
2260                 nlmsg_free(msg);
2261                 return -ENOBUFS;
2262         }
2263 
2264         return genlmsg_reply(msg, info);
2265 }
2266 
2267 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
2268         [NL80211_TXQ_ATTR_QUEUE]                = { .type = NLA_U8 },
2269         [NL80211_TXQ_ATTR_TXOP]                 = { .type = NLA_U16 },
2270         [NL80211_TXQ_ATTR_CWMIN]                = { .type = NLA_U16 },
2271         [NL80211_TXQ_ATTR_CWMAX]                = { .type = NLA_U16 },
2272         [NL80211_TXQ_ATTR_AIFS]                 = { .type = NLA_U8 },
2273 };
2274 
2275 static int parse_txq_params(struct nlattr *tb[],
2276                             struct ieee80211_txq_params *txq_params)
2277 {
2278         u8 ac;
2279 
2280         if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
2281             !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
2282             !tb[NL80211_TXQ_ATTR_AIFS])
2283                 return -EINVAL;
2284 
2285         ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
2286         txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
2287         txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
2288         txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
2289         txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
2290 
2291         if (ac >= NL80211_NUM_ACS)
2292                 return -EINVAL;
2293         txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
2294         return 0;
2295 }
2296 
2297 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
2298 {
2299         /*
2300          * You can only set the channel explicitly for WDS interfaces,
2301          * all others have their channel managed via their respective
2302          * "establish a connection" command (connect, join, ...)
2303          *
2304          * For AP/GO and mesh mode, the channel can be set with the
2305          * channel userspace API, but is only stored and passed to the
2306          * low-level driver when the AP starts or the mesh is joined.
2307          * This is for backward compatibility, userspace can also give
2308          * the channel in the start-ap or join-mesh commands instead.
2309          *
2310          * Monitors are special as they are normally slaved to
2311          * whatever else is going on, so they have their own special
2312          * operation to set the monitor channel if possible.
2313          */
2314         return !wdev ||
2315                 wdev->iftype == NL80211_IFTYPE_AP ||
2316                 wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
2317                 wdev->iftype == NL80211_IFTYPE_MONITOR ||
2318                 wdev->iftype == NL80211_IFTYPE_P2P_GO;
2319 }
2320 
2321 static int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
2322                                  struct genl_info *info,
2323                                  struct cfg80211_chan_def *chandef)
2324 {
2325         struct netlink_ext_ack *extack = info->extack;
2326         struct nlattr **attrs = info->attrs;
2327         u32 control_freq;
2328 
2329         if (!attrs[NL80211_ATTR_WIPHY_FREQ])
2330                 return -EINVAL;
2331 
2332         control_freq = nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]);
2333 
2334         chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
2335         chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
2336         chandef->center_freq1 = control_freq;
2337         chandef->center_freq2 = 0;
2338 
2339         /* Primary channel not allowed */
2340         if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
2341                 NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
2342                                     "Channel is disabled");
2343                 return -EINVAL;
2344         }
2345 
2346         if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
2347                 enum nl80211_channel_type chantype;
2348 
2349                 chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
2350 
2351                 switch (chantype) {
2352                 case NL80211_CHAN_NO_HT:
2353                 case NL80211_CHAN_HT20:
2354                 case NL80211_CHAN_HT40PLUS:
2355                 case NL80211_CHAN_HT40MINUS:
2356                         cfg80211_chandef_create(chandef, chandef->chan,
2357                                                 chantype);
2358                         /* user input for center_freq is incorrect */
2359                         if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
2360                             chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
2361                                 NL_SET_ERR_MSG_ATTR(extack,
2362                                                     attrs[NL80211_ATTR_CENTER_FREQ1],
2363                                                     "bad center frequency 1");
2364                                 return -EINVAL;
2365                         }
2366                         /* center_freq2 must be zero */
2367                         if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
2368                             nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
2369                                 NL_SET_ERR_MSG_ATTR(extack,
2370                                                     attrs[NL80211_ATTR_CENTER_FREQ2],
2371                                                     "center frequency 2 can't be used");
2372                                 return -EINVAL;
2373                         }
2374                         break;
2375                 default:
2376                         NL_SET_ERR_MSG_ATTR(extack,
2377                                             attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
2378                                             "invalid channel type");
2379                         return -EINVAL;
2380                 }
2381         } else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
2382                 chandef->width =
2383                         nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
2384                 if (attrs[NL80211_ATTR_CENTER_FREQ1])
2385                         chandef->center_freq1 =
2386                                 nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
2387                 if (attrs[NL80211_ATTR_CENTER_FREQ2])
2388                         chandef->center_freq2 =
2389                                 nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
2390         }
2391 
2392         if (!cfg80211_chandef_valid(chandef)) {
2393                 NL_SET_ERR_MSG(extack, "invalid channel definition");
2394                 return -EINVAL;
2395         }
2396 
2397         if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
2398                                      IEEE80211_CHAN_DISABLED)) {
2399                 NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
2400                 return -EINVAL;
2401         }
2402 
2403         if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
2404              chandef->width == NL80211_CHAN_WIDTH_10) &&
2405             !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
2406                 NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
2407                 return -EINVAL;
2408         }
2409 
2410         return 0;
2411 }
2412 
2413 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
2414                                  struct net_device *dev,
2415                                  struct genl_info *info)
2416 {
2417         struct cfg80211_chan_def chandef;
2418         int result;
2419         enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
2420         struct wireless_dev *wdev = NULL;
2421 
2422         if (dev)
2423                 wdev = dev->ieee80211_ptr;
2424         if (!nl80211_can_set_dev_channel(wdev))
2425                 return -EOPNOTSUPP;
2426         if (wdev)
2427                 iftype = wdev->iftype;
2428 
2429         result = nl80211_parse_chandef(rdev, info, &chandef);
2430         if (result)
2431                 return result;
2432 
2433         switch (iftype) {
2434         case NL80211_IFTYPE_AP:
2435         case NL80211_IFTYPE_P2P_GO:
2436                 if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
2437                                                    iftype)) {
2438                         result = -EINVAL;
2439                         break;
2440                 }
2441                 if (wdev->beacon_interval) {
2442                         if (!dev || !rdev->ops->set_ap_chanwidth ||
2443                             !(rdev->wiphy.features &
2444                               NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
2445                                 result = -EBUSY;
2446                                 break;
2447                         }
2448 
2449                         /* Only allow dynamic channel width changes */
2450                         if (chandef.chan != wdev->preset_chandef.chan) {
2451                                 result = -EBUSY;
2452                                 break;
2453                         }
2454                         result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
2455                         if (result)
2456                                 break;
2457                 }
2458                 wdev->preset_chandef = chandef;
2459                 result = 0;
2460                 break;
2461         case NL80211_IFTYPE_MESH_POINT:
2462                 result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
2463                 break;
2464         case NL80211_IFTYPE_MONITOR:
2465                 result = cfg80211_set_monitor_channel(rdev, &chandef);
2466                 break;
2467         default:
2468                 result = -EINVAL;
2469         }
2470 
2471         return result;
2472 }
2473 
2474 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
2475 {
2476         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2477         struct net_device *netdev = info->user_ptr[1];
2478 
2479         return __nl80211_set_channel(rdev, netdev, info);
2480 }
2481 
2482 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
2483 {
2484         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2485         struct net_device *dev = info->user_ptr[1];
2486         struct wireless_dev *wdev = dev->ieee80211_ptr;
2487         const u8 *bssid;
2488 
2489         if (!info->attrs[NL80211_ATTR_MAC])
2490                 return -EINVAL;
2491 
2492         if (netif_running(dev))
2493                 return -EBUSY;
2494 
2495         if (!rdev->ops->set_wds_peer)
2496                 return -EOPNOTSUPP;
2497 
2498         if (wdev->iftype != NL80211_IFTYPE_WDS)
2499                 return -EOPNOTSUPP;
2500 
2501         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
2502         return rdev_set_wds_peer(rdev, dev, bssid);
2503 }
2504 
2505 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
2506 {
2507         struct cfg80211_registered_device *rdev;
2508         struct net_device *netdev = NULL;
2509         struct wireless_dev *wdev;
2510         int result = 0, rem_txq_params = 0;
2511         struct nlattr *nl_txq_params;
2512         u32 changed;
2513         u8 retry_short = 0, retry_long = 0;
2514         u32 frag_threshold = 0, rts_threshold = 0;
2515         u8 coverage_class = 0;
2516         u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
2517 
2518         ASSERT_RTNL();
2519 
2520         /*
2521          * Try to find the wiphy and netdev. Normally this
2522          * function shouldn't need the netdev, but this is
2523          * done for backward compatibility -- previously
2524          * setting the channel was done per wiphy, but now
2525          * it is per netdev. Previous userland like hostapd
2526          * also passed a netdev to set_wiphy, so that it is
2527          * possible to let that go to the right netdev!
2528          */
2529 
2530         if (info->attrs[NL80211_ATTR_IFINDEX]) {
2531                 int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
2532 
2533                 netdev = __dev_get_by_index(genl_info_net(info), ifindex);
2534                 if (netdev && netdev->ieee80211_ptr)
2535                         rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
2536                 else
2537                         netdev = NULL;
2538         }
2539 
2540         if (!netdev) {
2541                 rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
2542                                                   info->attrs);
2543                 if (IS_ERR(rdev))
2544                         return PTR_ERR(rdev);
2545                 wdev = NULL;
2546                 netdev = NULL;
2547                 result = 0;
2548         } else
2549                 wdev = netdev->ieee80211_ptr;
2550 
2551         /*
2552          * end workaround code, by now the rdev is available
2553          * and locked, and wdev may or may not be NULL.
2554          */
2555 
2556         if (info->attrs[NL80211_ATTR_WIPHY_NAME])
2557                 result = cfg80211_dev_rename(
2558                         rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
2559 
2560         if (result)
2561                 return result;
2562 
2563         if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
2564                 struct ieee80211_txq_params txq_params;
2565                 struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
2566 
2567                 if (!rdev->ops->set_txq_params)
2568                         return -EOPNOTSUPP;
2569 
2570                 if (!netdev)
2571                         return -EINVAL;
2572 
2573                 if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2574                     netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2575                         return -EINVAL;
2576 
2577                 if (!netif_running(netdev))
2578                         return -ENETDOWN;
2579 
2580                 nla_for_each_nested(nl_txq_params,
2581                                     info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
2582                                     rem_txq_params) {
2583                         result = nla_parse_nested(tb, NL80211_TXQ_ATTR_MAX,
2584                                                   nl_txq_params,
2585                                                   txq_params_policy,
2586                                                   info->extack);
2587                         if (result)
2588                                 return result;
2589                         result = parse_txq_params(tb, &txq_params);
2590                         if (result)
2591                                 return result;
2592 
2593                         result = rdev_set_txq_params(rdev, netdev,
2594                                                      &txq_params);
2595                         if (result)
2596                                 return result;
2597                 }
2598         }
2599 
2600         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2601                 result = __nl80211_set_channel(
2602                         rdev,
2603                         nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
2604                         info);
2605                 if (result)
2606                         return result;
2607         }
2608 
2609         if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
2610                 struct wireless_dev *txp_wdev = wdev;
2611                 enum nl80211_tx_power_setting type;
2612                 int idx, mbm = 0;
2613 
2614                 if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
2615                         txp_wdev = NULL;
2616 
2617                 if (!rdev->ops->set_tx_power)
2618                         return -EOPNOTSUPP;
2619 
2620                 idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
2621                 type = nla_get_u32(info->attrs[idx]);
2622 
2623                 if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
2624                     (type != NL80211_TX_POWER_AUTOMATIC))
2625                         return -EINVAL;
2626 
2627                 if (type != NL80211_TX_POWER_AUTOMATIC) {
2628                         idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
2629                         mbm = nla_get_u32(info->attrs[idx]);
2630                 }
2631 
2632                 result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
2633                 if (result)
2634                         return result;
2635         }
2636 
2637         if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
2638             info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
2639                 u32 tx_ant, rx_ant;
2640 
2641                 if ((!rdev->wiphy.available_antennas_tx &&
2642                      !rdev->wiphy.available_antennas_rx) ||
2643                     !rdev->ops->set_antenna)
2644                         return -EOPNOTSUPP;
2645 
2646                 tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
2647                 rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
2648 
2649                 /* reject antenna configurations which don't match the
2650                  * available antenna masks, except for the "all" mask */
2651                 if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
2652                     (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
2653                         return -EINVAL;
2654 
2655                 tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
2656                 rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
2657 
2658                 result = rdev_set_antenna(rdev, tx_ant, rx_ant);
2659                 if (result)
2660                         return result;
2661         }
2662 
2663         changed = 0;
2664 
2665         if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
2666                 retry_short = nla_get_u8(
2667                         info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
2668 
2669                 changed |= WIPHY_PARAM_RETRY_SHORT;
2670         }
2671 
2672         if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
2673                 retry_long = nla_get_u8(
2674                         info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
2675 
2676                 changed |= WIPHY_PARAM_RETRY_LONG;
2677         }
2678 
2679         if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
2680                 frag_threshold = nla_get_u32(
2681                         info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
2682                 if (frag_threshold < 256)
2683                         return -EINVAL;
2684 
2685                 if (frag_threshold != (u32) -1) {
2686                         /*
2687                          * Fragments (apart from the last one) are required to
2688                          * have even length. Make the fragmentation code
2689                          * simpler by stripping LSB should someone try to use
2690                          * odd threshold value.
2691                          */
2692                         frag_threshold &= ~0x1;
2693                 }
2694                 changed |= WIPHY_PARAM_FRAG_THRESHOLD;
2695         }
2696 
2697         if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
2698                 rts_threshold = nla_get_u32(
2699                         info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
2700                 changed |= WIPHY_PARAM_RTS_THRESHOLD;
2701         }
2702 
2703         if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
2704                 if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
2705                         return -EINVAL;
2706 
2707                 coverage_class = nla_get_u8(
2708                         info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
2709                 changed |= WIPHY_PARAM_COVERAGE_CLASS;
2710         }
2711 
2712         if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
2713                 if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
2714                         return -EOPNOTSUPP;
2715 
2716                 changed |= WIPHY_PARAM_DYN_ACK;
2717         }
2718 
2719         if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
2720                 if (!wiphy_ext_feature_isset(&rdev->wiphy,
2721                                              NL80211_EXT_FEATURE_TXQS))
2722                         return -EOPNOTSUPP;
2723                 txq_limit = nla_get_u32(
2724                         info->attrs[NL80211_ATTR_TXQ_LIMIT]);
2725                 changed |= WIPHY_PARAM_TXQ_LIMIT;
2726         }
2727 
2728         if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
2729                 if (!wiphy_ext_feature_isset(&rdev->wiphy,
2730                                              NL80211_EXT_FEATURE_TXQS))
2731                         return -EOPNOTSUPP;
2732                 txq_memory_limit = nla_get_u32(
2733                         info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
2734                 changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
2735         }
2736 
2737         if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
2738                 if (!wiphy_ext_feature_isset(&rdev->wiphy,
2739                                              NL80211_EXT_FEATURE_TXQS))
2740                         return -EOPNOTSUPP;
2741                 txq_quantum = nla_get_u32(
2742                         info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
2743                 changed |= WIPHY_PARAM_TXQ_QUANTUM;
2744         }
2745 
2746         if (changed) {
2747                 u8 old_retry_short, old_retry_long;
2748                 u32 old_frag_threshold, old_rts_threshold;
2749                 u8 old_coverage_class;
2750                 u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
2751 
2752                 if (!rdev->ops->set_wiphy_params)
2753                         return -EOPNOTSUPP;
2754 
2755                 old_retry_short = rdev->wiphy.retry_short;
2756                 old_retry_long = rdev->wiphy.retry_long;
2757                 old_frag_threshold = rdev->wiphy.frag_threshold;
2758                 old_rts_threshold = rdev->wiphy.rts_threshold;
2759                 old_coverage_class = rdev->wiphy.coverage_class;
2760                 old_txq_limit = rdev->wiphy.txq_limit;
2761                 old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
2762                 old_txq_quantum = rdev->wiphy.txq_quantum;
2763 
2764                 if (changed & WIPHY_PARAM_RETRY_SHORT)
2765                         rdev->wiphy.retry_short = retry_short;
2766                 if (changed & WIPHY_PARAM_RETRY_LONG)
2767                         rdev->wiphy.retry_long = retry_long;
2768                 if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
2769                         rdev->wiphy.frag_threshold = frag_threshold;
2770                 if (changed & WIPHY_PARAM_RTS_THRESHOLD)
2771                         rdev->wiphy.rts_threshold = rts_threshold;
2772                 if (changed & WIPHY_PARAM_COVERAGE_CLASS)
2773                         rdev->wiphy.coverage_class = coverage_class;
2774                 if (changed & WIPHY_PARAM_TXQ_LIMIT)
2775                         rdev->wiphy.txq_limit = txq_limit;
2776                 if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
2777                         rdev->wiphy.txq_memory_limit = txq_memory_limit;
2778                 if (changed & WIPHY_PARAM_TXQ_QUANTUM)
2779                         rdev->wiphy.txq_quantum = txq_quantum;
2780 
2781                 result = rdev_set_wiphy_params(rdev, changed);
2782                 if (result) {
2783                         rdev->wiphy.retry_short = old_retry_short;
2784                         rdev->wiphy.retry_long = old_retry_long;
2785                         rdev->wiphy.frag_threshold = old_frag_threshold;
2786                         rdev->wiphy.rts_threshold = old_rts_threshold;
2787                         rdev->wiphy.coverage_class = old_coverage_class;
2788                         rdev->wiphy.txq_limit = old_txq_limit;
2789                         rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
2790                         rdev->wiphy.txq_quantum = old_txq_quantum;
2791                         return result;
2792                 }
2793         }
2794         return 0;
2795 }
2796 
2797 static inline u64 wdev_id(struct wireless_dev *wdev)
2798 {
2799         return (u64)wdev->identifier |
2800                ((u64)wiphy_to_rdev(wdev->wiphy)->wiphy_idx << 32);
2801 }
2802 
2803 static int nl80211_send_chandef(struct sk_buff *msg,
2804                                 const struct cfg80211_chan_def *chandef)
2805 {
2806         if (WARN_ON(!cfg80211_chandef_valid(chandef)))
2807                 return -EINVAL;
2808 
2809         if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
2810                         chandef->chan->center_freq))
2811                 return -ENOBUFS;
2812         switch (chandef->width) {
2813         case NL80211_CHAN_WIDTH_20_NOHT:
2814         case NL80211_CHAN_WIDTH_20:
2815         case NL80211_CHAN_WIDTH_40:
2816                 if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
2817                                 cfg80211_get_chandef_type(chandef)))
2818                         return -ENOBUFS;
2819                 break;
2820         default:
2821                 break;
2822         }
2823         if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
2824                 return -ENOBUFS;
2825         if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
2826                 return -ENOBUFS;
2827         if (chandef->center_freq2 &&
2828             nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
2829                 return -ENOBUFS;
2830         return 0;
2831 }
2832 
2833 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
2834                               struct cfg80211_registered_device *rdev,
2835                               struct wireless_dev *wdev, bool removal)
2836 {
2837         struct net_device *dev = wdev->netdev;
2838         u8 cmd = NL80211_CMD_NEW_INTERFACE;
2839         void *hdr;
2840 
2841         if (removal)
2842                 cmd = NL80211_CMD_DEL_INTERFACE;
2843 
2844         hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2845         if (!hdr)
2846                 return -1;
2847 
2848         if (dev &&
2849             (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2850              nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
2851                 goto nla_put_failure;
2852 
2853         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2854             nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
2855             nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
2856                               NL80211_ATTR_PAD) ||
2857             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
2858             nla_put_u32(msg, NL80211_ATTR_GENERATION,
2859                         rdev->devlist_generation ^
2860                         (cfg80211_rdev_list_generation << 2)) ||
2861             nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
2862                 goto nla_put_failure;
2863 
2864         if (rdev->ops->get_channel) {
2865                 int ret;
2866                 struct cfg80211_chan_def chandef;
2867 
2868                 ret = rdev_get_channel(rdev, wdev, &chandef);
2869                 if (ret == 0) {
2870                         if (nl80211_send_chandef(msg, &chandef))
2871                                 goto nla_put_failure;
2872                 }
2873         }
2874 
2875         if (rdev->ops->get_tx_power) {
2876                 int dbm, ret;
2877 
2878                 ret = rdev_get_tx_power(rdev, wdev, &dbm);
2879                 if (ret == 0 &&
2880                     nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
2881                                 DBM_TO_MBM(dbm)))
2882                         goto nla_put_failure;
2883         }
2884 
2885         wdev_lock(wdev);
2886         switch (wdev->iftype) {
2887         case NL80211_IFTYPE_AP:
2888                 if (wdev->ssid_len &&
2889                     nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
2890                         goto nla_put_failure_locked;
2891                 break;
2892         case NL80211_IFTYPE_STATION:
2893         case NL80211_IFTYPE_P2P_CLIENT:
2894         case NL80211_IFTYPE_ADHOC: {
2895                 const u8 *ssid_ie;
2896                 if (!wdev->current_bss)
2897                         break;
2898                 rcu_read_lock();
2899                 ssid_ie = ieee80211_bss_get_ie(&wdev->current_bss->pub,
2900                                                WLAN_EID_SSID);
2901                 if (ssid_ie &&
2902                     nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2))
2903                         goto nla_put_failure_rcu_locked;
2904                 rcu_read_unlock();
2905                 break;
2906                 }
2907         default:
2908                 /* nothing */
2909                 break;
2910         }
2911         wdev_unlock(wdev);
2912 
2913         if (rdev->ops->get_txq_stats) {
2914                 struct cfg80211_txq_stats txqstats = {};
2915                 int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
2916 
2917                 if (ret == 0 &&
2918                     !nl80211_put_txq_stats(msg, &txqstats,
2919                                            NL80211_ATTR_TXQ_STATS))
2920                         goto nla_put_failure;
2921         }
2922 
2923         genlmsg_end(msg, hdr);
2924         return 0;
2925 
2926  nla_put_failure_rcu_locked:
2927         rcu_read_unlock();
2928  nla_put_failure_locked:
2929         wdev_unlock(wdev);
2930  nla_put_failure:
2931         genlmsg_cancel(msg, hdr);
2932         return -EMSGSIZE;
2933 }
2934 
2935 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
2936 {
2937         int wp_idx = 0;
2938         int if_idx = 0;
2939         int wp_start = cb->args[0];
2940         int if_start = cb->args[1];
2941         int filter_wiphy = -1;
2942         struct cfg80211_registered_device *rdev;
2943         struct wireless_dev *wdev;
2944         int ret;
2945 
2946         rtnl_lock();
2947         if (!cb->args[2]) {
2948                 struct nl80211_dump_wiphy_state state = {
2949                         .filter_wiphy = -1,
2950                 };
2951 
2952                 ret = nl80211_dump_wiphy_parse(skb, cb, &state);
2953                 if (ret)
2954                         goto out_unlock;
2955 
2956                 filter_wiphy = state.filter_wiphy;
2957 
2958                 /*
2959                  * if filtering, set cb->args[2] to +1 since 0 is the default
2960                  * value needed to determine that parsing is necessary.
2961                  */
2962                 if (filter_wiphy >= 0)
2963                         cb->args[2] = filter_wiphy + 1;
2964                 else
2965                         cb->args[2] = -1;
2966         } else if (cb->args[2] > 0) {
2967                 filter_wiphy = cb->args[2] - 1;
2968         }
2969 
2970         list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2971                 if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2972                         continue;
2973                 if (wp_idx < wp_start) {
2974                         wp_idx++;
2975                         continue;
2976                 }
2977 
2978                 if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
2979                         continue;
2980 
2981                 if_idx = 0;
2982 
2983                 list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
2984                         if (if_idx < if_start) {
2985                                 if_idx++;
2986                                 continue;
2987                         }
2988                         if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
2989                                                cb->nlh->nlmsg_seq, NLM_F_MULTI,
2990                                                rdev, wdev, false) < 0) {
2991                                 goto out;
2992                         }
2993                         if_idx++;
2994                 }
2995 
2996                 wp_idx++;
2997         }
2998  out:
2999         cb->args[0] = wp_idx;
3000         cb->args[1] = if_idx;
3001 
3002         ret = skb->len;
3003  out_unlock:
3004         rtnl_unlock();
3005 
3006         return ret;
3007 }
3008 
3009 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3010 {
3011         struct sk_buff *msg;
3012         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3013         struct wireless_dev *wdev = info->user_ptr[1];
3014 
3015         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3016         if (!msg)
3017                 return -ENOMEM;
3018 
3019         if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3020                                rdev, wdev, false) < 0) {
3021                 nlmsg_free(msg);
3022                 return -ENOBUFS;
3023         }
3024 
3025         return genlmsg_reply(msg, info);
3026 }
3027 
3028 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
3029         [NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
3030         [NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
3031         [NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
3032         [NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
3033         [NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
3034         [NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
3035 };
3036 
3037 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
3038 {
3039         struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
3040         int flag;
3041 
3042         *mntrflags = 0;
3043 
3044         if (!nla)
3045                 return -EINVAL;
3046 
3047         if (nla_parse_nested(flags, NL80211_MNTR_FLAG_MAX, nla,
3048                              mntr_flags_policy, NULL))
3049                 return -EINVAL;
3050 
3051         for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
3052                 if (flags[flag])
3053                         *mntrflags |= (1<<flag);
3054 
3055         *mntrflags |= MONITOR_FLAG_CHANGED;
3056 
3057         return 0;
3058 }
3059 
3060 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
3061                                      enum nl80211_iftype type,
3062                                      struct genl_info *info,
3063                                      struct vif_params *params)
3064 {
3065         bool change = false;
3066         int err;
3067 
3068         if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
3069                 if (type != NL80211_IFTYPE_MONITOR)
3070                         return -EINVAL;
3071 
3072                 err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
3073                                           &params->flags);
3074                 if (err)
3075                         return err;
3076 
3077                 change = true;
3078         }
3079 
3080         if (params->flags & MONITOR_FLAG_ACTIVE &&
3081             !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
3082                 return -EOPNOTSUPP;
3083 
3084         if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
3085                 const u8 *mumimo_groups;
3086                 u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3087 
3088                 if (type != NL80211_IFTYPE_MONITOR)
3089                         return -EINVAL;
3090 
3091                 if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3092                         return -EOPNOTSUPP;
3093 
3094                 mumimo_groups =
3095                         nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
3096 
3097                 /* bits 0 and 63 are reserved and must be zero */
3098                 if ((mumimo_groups[0] & BIT(0)) ||
3099                     (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
3100                         return -EINVAL;
3101 
3102                 params->vht_mumimo_groups = mumimo_groups;
3103                 change = true;
3104         }
3105 
3106         if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
3107                 u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3108 
3109                 if (type != NL80211_IFTYPE_MONITOR)
3110                         return -EINVAL;
3111 
3112                 if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3113                         return -EOPNOTSUPP;
3114 
3115                 params->vht_mumimo_follow_addr =
3116                         nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
3117                 change = true;
3118         }
3119 
3120         return change ? 1 : 0;
3121 }
3122 
3123 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
3124                                struct net_device *netdev, u8 use_4addr,
3125                                enum nl80211_iftype iftype)
3126 {
3127         if (!use_4addr) {
3128                 if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
3129                         return -EBUSY;
3130                 return 0;
3131         }
3132 
3133         switch (iftype) {
3134         case NL80211_IFTYPE_AP_VLAN:
3135                 if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
3136                         return 0;
3137                 break;
3138         case NL80211_IFTYPE_STATION:
3139                 if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
3140                         return 0;
3141                 break;
3142         default:
3143                 break;
3144         }
3145 
3146         return -EOPNOTSUPP;
3147 }
3148 
3149 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
3150 {
3151         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3152         struct vif_params params;
3153         int err;
3154         enum nl80211_iftype otype, ntype;
3155         struct net_device *dev = info->user_ptr[1];
3156         bool change = false;
3157 
3158         memset(&params, 0, sizeof(params));
3159 
3160         otype = ntype = dev->ieee80211_ptr->iftype;
3161 
3162         if (info->attrs[NL80211_ATTR_IFTYPE]) {
3163                 ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3164                 if (otype != ntype)
3165                         change = true;
3166         }
3167 
3168         if (info->attrs[NL80211_ATTR_MESH_ID]) {
3169                 struct wireless_dev *wdev = dev->ieee80211_ptr;
3170 
3171                 if (ntype != NL80211_IFTYPE_MESH_POINT)
3172                         return -EINVAL;
3173                 if (netif_running(dev))
3174                         return -EBUSY;
3175 
3176                 wdev_lock(wdev);
3177                 BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3178                              IEEE80211_MAX_MESH_ID_LEN);
3179                 wdev->mesh_id_up_len =
3180                         nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3181                 memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3182                        wdev->mesh_id_up_len);
3183                 wdev_unlock(wdev);
3184         }
3185 
3186         if (info->attrs[NL80211_ATTR_4ADDR]) {
3187                 params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3188                 change = true;
3189                 err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
3190                 if (err)
3191                         return err;
3192         } else {
3193                 params.use_4addr = -1;
3194         }
3195 
3196         err = nl80211_parse_mon_options(rdev, ntype, info, &params);
3197         if (err < 0)
3198                 return err;
3199         if (err > 0)
3200                 change = true;
3201 
3202         if (change)
3203                 err = cfg80211_change_iface(rdev, dev, ntype, &params);
3204         else
3205                 err = 0;
3206 
3207         if (!err && params.use_4addr != -1)
3208                 dev->ieee80211_ptr->use_4addr = params.use_4addr;
3209 
3210         return err;
3211 }
3212 
3213 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
3214 {
3215         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3216         struct vif_params params;
3217         struct wireless_dev *wdev;
3218         struct sk_buff *msg;
3219         int err;
3220         enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
3221 
3222         /* to avoid failing a new interface creation due to pending removal */
3223         cfg80211_destroy_ifaces(rdev);
3224 
3225         memset(&params, 0, sizeof(params));
3226 
3227         if (!info->attrs[NL80211_ATTR_IFNAME])
3228                 return -EINVAL;
3229 
3230         if (info->attrs[NL80211_ATTR_IFTYPE])
3231                 type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3232 
3233         if (!rdev->ops->add_virtual_intf ||
3234             !(rdev->wiphy.interface_modes & (1 << type)))
3235                 return -EOPNOTSUPP;
3236 
3237         if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
3238              rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
3239             info->attrs[NL80211_ATTR_MAC]) {
3240                 nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
3241                            ETH_ALEN);
3242                 if (!is_valid_ether_addr(params.macaddr))
3243                         return -EADDRNOTAVAIL;
3244         }
3245 
3246         if (info->attrs[NL80211_ATTR_4ADDR]) {
3247                 params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3248                 err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
3249                 if (err)
3250                         return err;
3251         }
3252 
3253         err = nl80211_parse_mon_options(rdev, type, info, &params);
3254         if (err < 0)
3255                 return err;
3256 
3257         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3258         if (!msg)
3259                 return -ENOMEM;
3260 
3261         wdev = rdev_add_virtual_intf(rdev,
3262                                 nla_data(info->attrs[NL80211_ATTR_IFNAME]),
3263                                 NET_NAME_USER, type, &params);
3264         if (WARN_ON(!wdev)) {
3265                 nlmsg_free(msg);
3266                 return -EPROTO;
3267         } else if (IS_ERR(wdev)) {
3268                 nlmsg_free(msg);
3269                 return PTR_ERR(wdev);
3270         }
3271 
3272         if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
3273                 wdev->owner_nlportid = info->snd_portid;
3274 
3275         switch (type) {
3276         case NL80211_IFTYPE_MESH_POINT:
3277                 if (!info->attrs[NL80211_ATTR_MESH_ID])
3278                         break;
3279                 wdev_lock(wdev);
3280                 BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3281                              IEEE80211_MAX_MESH_ID_LEN);
3282                 wdev->mesh_id_up_len =
3283                         nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3284                 memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3285                        wdev->mesh_id_up_len);
3286                 wdev_unlock(wdev);
3287                 break;
3288         case NL80211_IFTYPE_NAN:
3289         case NL80211_IFTYPE_P2P_DEVICE:
3290                 /*
3291                  * P2P Device and NAN do not have a netdev, so don't go
3292                  * through the netdev notifier and must be added here
3293                  */
3294                 cfg80211_init_wdev(rdev, wdev);
3295                 break;
3296         default:
3297                 break;
3298         }
3299 
3300         if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3301                                rdev, wdev, false) < 0) {
3302                 nlmsg_free(msg);
3303                 return -ENOBUFS;
3304         }
3305 
3306         return genlmsg_reply(msg, info);
3307 }
3308 
3309 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
3310 {
3311         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3312         struct wireless_dev *wdev = info->user_ptr[1];
3313 
3314         if (!rdev->ops->del_virtual_intf)
3315                 return -EOPNOTSUPP;
3316 
3317         /*
3318          * If we remove a wireless device without a netdev then clear
3319          * user_ptr[1] so that nl80211_post_doit won't dereference it
3320          * to check if it needs to do dev_put(). Otherwise it crashes
3321          * since the wdev has been freed, unlike with a netdev where
3322          * we need the dev_put() for the netdev to really be freed.
3323          */
3324         if (!wdev->netdev)
3325                 info->user_ptr[1] = NULL;
3326 
3327         return rdev_del_virtual_intf(rdev, wdev);
3328 }
3329 
3330 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
3331 {
3332         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3333         struct net_device *dev = info->user_ptr[1];
3334         u16 noack_map;
3335 
3336         if (!info->attrs[NL80211_ATTR_NOACK_MAP])
3337                 return -EINVAL;
3338 
3339         if (!rdev->ops->set_noack_map)
3340                 return -EOPNOTSUPP;
3341 
3342         noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
3343 
3344         return rdev_set_noack_map(rdev, dev, noack_map);
3345 }
3346 
3347 struct get_key_cookie {
3348         struct sk_buff *msg;
3349         int error;
3350         int idx;
3351 };
3352 
3353 static void get_key_callback(void *c, struct key_params *params)
3354 {
3355         struct nlattr *key;
3356         struct get_key_cookie *cookie = c;
3357 
3358         if ((params->key &&
3359              nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
3360                      params->key_len, params->key)) ||
3361             (params->seq &&
3362              nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
3363                      params->seq_len, params->seq)) ||
3364             (params->cipher &&
3365              nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
3366                          params->cipher)))
3367                 goto nla_put_failure;
3368 
3369         key = nla_nest_start(cookie->msg, NL80211_ATTR_KEY);
3370         if (!key)
3371                 goto nla_put_failure;
3372 
3373         if ((params->key &&
3374              nla_put(cookie->msg, NL80211_KEY_DATA,
3375                      params->key_len, params->key)) ||
3376             (params->seq &&
3377              nla_put(cookie->msg, NL80211_KEY_SEQ,
3378                      params->seq_len, params->seq)) ||
3379             (params->cipher &&
3380              nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
3381                          params->cipher)))
3382                 goto nla_put_failure;
3383 
3384         if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
3385                 goto nla_put_failure;
3386 
3387         nla_nest_end(cookie->msg, key);
3388 
3389         return;
3390  nla_put_failure:
3391         cookie->error = 1;
3392 }
3393 
3394 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
3395 {
3396         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3397         int err;
3398         struct net_device *dev = info->user_ptr[1];
3399         u8 key_idx = 0;
3400         const u8 *mac_addr = NULL;
3401         bool pairwise;
3402         struct get_key_cookie cookie = {
3403                 .error = 0,
3404         };
3405         void *hdr;
3406         struct sk_buff *msg;
3407 
3408         if (info->attrs[NL80211_ATTR_KEY_IDX])
3409                 key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
3410 
3411         if (info->attrs[NL80211_ATTR_MAC])
3412                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3413 
3414         pairwise = !!mac_addr;
3415         if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
3416                 u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
3417 
3418                 if (kt != NL80211_KEYTYPE_GROUP &&
3419                     kt != NL80211_KEYTYPE_PAIRWISE)
3420                         return -EINVAL;
3421                 pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
3422         }
3423 
3424         if (!rdev->ops->get_key)
3425                 return -EOPNOTSUPP;
3426 
3427         if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3428                 return -ENOENT;
3429 
3430         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3431         if (!msg)
3432                 return -ENOMEM;
3433 
3434         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
3435                              NL80211_CMD_NEW_KEY);
3436         if (!hdr)
3437                 goto nla_put_failure;
3438 
3439         cookie.msg = msg;
3440         cookie.idx = key_idx;
3441 
3442         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3443             nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
3444                 goto nla_put_failure;
3445         if (mac_addr &&
3446             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
3447                 goto nla_put_failure;
3448 
3449         err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
3450                            get_key_callback);
3451 
3452         if (err)
3453                 goto free_msg;
3454 
3455         if (cookie.error)
3456                 goto nla_put_failure;
3457 
3458         genlmsg_end(msg, hdr);
3459         return genlmsg_reply(msg, info);
3460 
3461  nla_put_failure:
3462         err = -ENOBUFS;
3463  free_msg:
3464         nlmsg_free(msg);
3465         return err;
3466 }
3467 
3468 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
3469 {
3470         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3471         struct key_parse key;
3472         int err;
3473         struct net_device *dev = info->user_ptr[1];
3474 
3475         err = nl80211_parse_key(info, &key);
3476         if (err)
3477                 return err;
3478 
3479         if (key.idx < 0)
3480                 return -EINVAL;
3481 
3482         /* only support setting default key */
3483         if (!key.def && !key.defmgmt)
3484                 return -EINVAL;
3485 
3486         wdev_lock(dev->ieee80211_ptr);
3487 
3488         if (key.def) {
3489                 if (!rdev->ops->set_default_key) {
3490                         err = -EOPNOTSUPP;
3491                         goto out;
3492                 }
3493 
3494                 err = nl80211_key_allowed(dev->ieee80211_ptr);
3495                 if (err)
3496                         goto out;
3497 
3498                 err = rdev_set_default_key(rdev, dev, key.idx,
3499                                                  key.def_uni, key.def_multi);
3500 
3501                 if (err)
3502                         goto out;
3503 
3504 #ifdef CONFIG_CFG80211_WEXT
3505                 dev->ieee80211_ptr->wext.default_key = key.idx;
3506 #endif
3507         } else {
3508                 if (key.def_uni || !key.def_multi) {
3509                         err = -EINVAL;
3510                         goto out;
3511                 }
3512 
3513                 if (!rdev->ops->set_default_mgmt_key) {
3514                         err = -EOPNOTSUPP;
3515                         goto out;
3516                 }
3517 
3518                 err = nl80211_key_allowed(dev->ieee80211_ptr);
3519                 if (err)
3520                         goto out;
3521 
3522                 err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
3523                 if (err)
3524                         goto out;
3525 
3526 #ifdef CONFIG_CFG80211_WEXT
3527                 dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
3528 #endif
3529         }
3530 
3531  out:
3532         wdev_unlock(dev->ieee80211_ptr);
3533 
3534         return err;
3535 }
3536 
3537 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
3538 {
3539         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3540         int err;
3541         struct net_device *dev = info->user_ptr[1];
3542         struct key_parse key;
3543         const u8 *mac_addr = NULL;
3544 
3545         err = nl80211_parse_key(info, &key);
3546         if (err)
3547                 return err;
3548 
3549         if (!key.p.key)
3550                 return -EINVAL;
3551 
3552         if (info->attrs[NL80211_ATTR_MAC])
3553                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3554 
3555         if (key.type == -1) {
3556                 if (mac_addr)
3557                         key.type = NL80211_KEYTYPE_PAIRWISE;
3558                 else
3559                         key.type = NL80211_KEYTYPE_GROUP;
3560         }
3561 
3562         /* for now */
3563         if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3564             key.type != NL80211_KEYTYPE_GROUP)
3565                 return -EINVAL;
3566 
3567         if (!rdev->ops->add_key)
3568                 return -EOPNOTSUPP;
3569 
3570         if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
3571                                            key.type == NL80211_KEYTYPE_PAIRWISE,
3572                                            mac_addr))
3573                 return -EINVAL;
3574 
3575         wdev_lock(dev->ieee80211_ptr);
3576         err = nl80211_key_allowed(dev->ieee80211_ptr);
3577         if (!err)
3578                 err = rdev_add_key(rdev, dev, key.idx,
3579                                    key.type == NL80211_KEYTYPE_PAIRWISE,
3580                                     mac_addr, &key.p);
3581         wdev_unlock(dev->ieee80211_ptr);
3582 
3583         return err;
3584 }
3585 
3586 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
3587 {
3588         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3589         int err;
3590         struct net_device *dev = info->user_ptr[1];
3591         u8 *mac_addr = NULL;
3592         struct key_parse key;
3593 
3594         err = nl80211_parse_key(info, &key);
3595         if (err)
3596                 return err;
3597 
3598         if (info->attrs[NL80211_ATTR_MAC])
3599                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3600 
3601         if (key.type == -1) {
3602                 if (mac_addr)
3603                         key.type = NL80211_KEYTYPE_PAIRWISE;
3604                 else
3605                         key.type = NL80211_KEYTYPE_GROUP;
3606         }
3607 
3608         /* for now */
3609         if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3610             key.type != NL80211_KEYTYPE_GROUP)
3611                 return -EINVAL;
3612 
3613         if (!rdev->ops->del_key)
3614                 return -EOPNOTSUPP;
3615 
3616         wdev_lock(dev->ieee80211_ptr);
3617         err = nl80211_key_allowed(dev->ieee80211_ptr);
3618 
3619         if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
3620             !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3621                 err = -ENOENT;
3622 
3623         if (!err)
3624                 err = rdev_del_key(rdev, dev, key.idx,
3625                                    key.type == NL80211_KEYTYPE_PAIRWISE,
3626                                    mac_addr);
3627 
3628 #ifdef CONFIG_CFG80211_WEXT
3629         if (!err) {
3630                 if (key.idx == dev->ieee80211_ptr->wext.default_key)
3631                         dev->ieee80211_ptr->wext.default_key = -1;
3632                 else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
3633                         dev->ieee80211_ptr->wext.default_mgmt_key = -1;
3634         }
3635 #endif
3636         wdev_unlock(dev->ieee80211_ptr);
3637 
3638         return err;
3639 }
3640 
3641 /* This function returns an error or the number of nested attributes */
3642 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
3643 {
3644         struct nlattr *attr;
3645         int n_entries = 0, tmp;
3646 
3647         nla_for_each_nested(attr, nl_attr, tmp) {
3648                 if (nla_len(attr) != ETH_ALEN)
3649                         return -EINVAL;
3650 
3651                 n_entries++;
3652         }
3653 
3654         return n_entries;
3655 }
3656 
3657 /*
3658  * This function parses ACL information and allocates memory for ACL data.
3659  * On successful return, the calling function is responsible to free the
3660  * ACL buffer returned by this function.
3661  */
3662 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
3663                                                 struct genl_info *info)
3664 {
3665         enum nl80211_acl_policy acl_policy;
3666         struct nlattr *attr;
3667         struct cfg80211_acl_data *acl;
3668         int i = 0, n_entries, tmp;
3669 
3670         if (!wiphy->max_acl_mac_addrs)
3671                 return ERR_PTR(-EOPNOTSUPP);
3672 
3673         if (!info->attrs[NL80211_ATTR_ACL_POLICY])
3674                 return ERR_PTR(-EINVAL);
3675 
3676         acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
3677         if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
3678             acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
3679                 return ERR_PTR(-EINVAL);
3680 
3681         if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
3682                 return ERR_PTR(-EINVAL);
3683 
3684         n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
3685         if (n_entries < 0)
3686                 return ERR_PTR(n_entries);
3687 
3688         if (n_entries > wiphy->max_acl_mac_addrs)
3689                 return ERR_PTR(-ENOTSUPP);
3690 
3691         acl = kzalloc(sizeof(*acl) + (sizeof(struct mac_address) * n_entries),
3692                       GFP_KERNEL);
3693         if (!acl)
3694                 return ERR_PTR(-ENOMEM);
3695 
3696         nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
3697                 memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
3698                 i++;
3699         }
3700 
3701         acl->n_acl_entries = n_entries;
3702         acl->acl_policy = acl_policy;
3703 
3704         return acl;
3705 }
3706 
3707 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
3708 {
3709         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3710         struct net_device *dev = info->user_ptr[1];
3711         struct cfg80211_acl_data *acl;
3712         int err;
3713 
3714         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3715             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3716                 return -EOPNOTSUPP;
3717 
3718         if (!dev->ieee80211_ptr->beacon_interval)
3719                 return -EINVAL;
3720 
3721         acl = parse_acl_data(&rdev->wiphy, info);
3722         if (IS_ERR(acl))
3723                 return PTR_ERR(acl);
3724 
3725         err = rdev_set_mac_acl(rdev, dev, acl);
3726 
3727         kfree(acl);
3728 
3729         return err;
3730 }
3731 
3732 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
3733                            u8 *rates, u8 rates_len)
3734 {
3735         u8 i;
3736         u32 mask = 0;
3737 
3738         for (i = 0; i < rates_len; i++) {
3739                 int rate = (rates[i] & 0x7f) * 5;
3740                 int ridx;
3741 
3742                 for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
3743                         struct ieee80211_rate *srate =
3744                                 &sband->bitrates[ridx];
3745                         if (rate == srate->bitrate) {
3746                                 mask |= 1 << ridx;
3747                                 break;
3748                         }
3749                 }
3750                 if (ridx == sband->n_bitrates)
3751                         return 0; /* rate not found */
3752         }
3753 
3754         return mask;
3755 }
3756 
3757 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
3758                                u8 *rates, u8 rates_len,
3759                                u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
3760 {
3761         u8 i;
3762 
3763         memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
3764 
3765         for (i = 0; i < rates_len; i++) {
3766                 int ridx, rbit;
3767 
3768                 ridx = rates[i] / 8;
3769                 rbit = BIT(rates[i] % 8);
3770 
3771                 /* check validity */
3772                 if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
3773                         return false;
3774 
3775                 /* check availability */
3776                 ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
3777                 if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
3778                         mcs[ridx] |= rbit;
3779                 else
3780                         return false;
3781         }
3782 
3783         return true;
3784 }
3785 
3786 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
3787 {
3788         u16 mcs_mask = 0;
3789 
3790         switch (vht_mcs_map) {
3791         case IEEE80211_VHT_MCS_NOT_SUPPORTED:
3792                 break;
3793         case IEEE80211_VHT_MCS_SUPPORT_0_7:
3794                 mcs_mask = 0x00FF;
3795                 break;
3796         case IEEE80211_VHT_MCS_SUPPORT_0_8:
3797                 mcs_mask = 0x01FF;
3798                 break;
3799         case IEEE80211_VHT_MCS_SUPPORT_0_9:
3800                 mcs_mask = 0x03FF;
3801                 break;
3802         default:
3803                 break;
3804         }
3805 
3806         return mcs_mask;
3807 }
3808 
3809 static void vht_build_mcs_mask(u16 vht_mcs_map,
3810                                u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
3811 {
3812         u8 nss;
3813 
3814         for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
3815                 vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
3816                 vht_mcs_map >>= 2;
3817         }
3818 }
3819 
3820 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
3821                              struct nl80211_txrate_vht *txrate,
3822                              u16 mcs[NL80211_VHT_NSS_MAX])
3823 {
3824         u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
3825         u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
3826         u8 i;
3827 
3828         if (!sband->vht_cap.vht_supported)
3829                 return false;
3830 
3831         memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
3832 
3833         /* Build vht_mcs_mask from VHT capabilities */
3834         vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
3835 
3836         for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
3837                 if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
3838                         mcs[i] = txrate->mcs[i];
3839                 else
3840                         return false;
3841         }
3842 
3843         return true;
3844 }
3845 
3846 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
3847         [NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
3848                                     .len = NL80211_MAX_SUPP_RATES },
3849         [NL80211_TXRATE_HT] = { .type = NLA_BINARY,
3850                                 .len = NL80211_MAX_SUPP_HT_RATES },
3851         [NL80211_TXRATE_VHT] = { .len = sizeof(struct nl80211_txrate_vht)},
3852         [NL80211_TXRATE_GI] = { .type = NLA_U8 },
3853 };
3854 
3855 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
3856                                          struct cfg80211_bitrate_mask *mask)
3857 {
3858         struct nlattr *tb[NL80211_TXRATE_MAX + 1];
3859         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3860         int rem, i;
3861         struct nlattr *tx_rates;
3862         struct ieee80211_supported_band *sband;
3863         u16 vht_tx_mcs_map;
3864 
3865         memset(mask, 0, sizeof(*mask));
3866         /* Default to all rates enabled */
3867         for (i = 0; i < NUM_NL80211_BANDS; i++) {
3868                 sband = rdev->wiphy.bands[i];
3869 
3870                 if (!sband)
3871                         continue;
3872 
3873                 mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
3874                 memcpy(mask->control[i].ht_mcs,
3875                        sband->ht_cap.mcs.rx_mask,
3876                        sizeof(mask->control[i].ht_mcs));
3877 
3878                 if (!sband->vht_cap.vht_supported)
3879                         continue;
3880 
3881                 vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
3882                 vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
3883         }
3884 
3885         /* if no rates are given set it back to the defaults */
3886         if (!info->attrs[NL80211_ATTR_TX_RATES])
3887                 goto out;
3888 
3889         /* The nested attribute uses enum nl80211_band as the index. This maps
3890          * directly to the enum nl80211_band values used in cfg80211.
3891          */
3892         BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
3893         nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
3894                 enum nl80211_band band = nla_type(tx_rates);
3895                 int err;
3896 
3897                 if (band < 0 || band >= NUM_NL80211_BANDS)
3898                         return -EINVAL;
3899                 sband = rdev->wiphy.bands[band];
3900                 if (sband == NULL)
3901                         return -EINVAL;
3902                 err = nla_parse_nested(tb, NL80211_TXRATE_MAX, tx_rates,
3903                                        nl80211_txattr_policy, info->extack);
3904                 if (err)
3905                         return err;
3906                 if (tb[NL80211_TXRATE_LEGACY]) {
3907                         mask->control[band].legacy = rateset_to_mask(
3908                                 sband,
3909                                 nla_data(tb[NL80211_TXRATE_LEGACY]),
3910                                 nla_len(tb[NL80211_TXRATE_LEGACY]));
3911                         if ((mask->control[band].legacy == 0) &&
3912                             nla_len(tb[NL80211_TXRATE_LEGACY]))
3913                                 return -EINVAL;
3914                 }
3915                 if (tb[NL80211_TXRATE_HT]) {
3916                         if (!ht_rateset_to_mask(
3917                                         sband,
3918                                         nla_data(tb[NL80211_TXRATE_HT]),
3919                                         nla_len(tb[NL80211_TXRATE_HT]),
3920                                         mask->control[band].ht_mcs))
3921                                 return -EINVAL;
3922                 }
3923                 if (tb[NL80211_TXRATE_VHT]) {
3924                         if (!vht_set_mcs_mask(
3925                                         sband,
3926                                         nla_data(tb[NL80211_TXRATE_VHT]),
3927                                         mask->control[band].vht_mcs))
3928                                 return -EINVAL;
3929                 }
3930                 if (tb[NL80211_TXRATE_GI]) {
3931                         mask->control[band].gi =
3932                                 nla_get_u8(tb[NL80211_TXRATE_GI]);
3933                         if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
3934                                 return -EINVAL;
3935                 }
3936 
3937                 if (mask->control[band].legacy == 0) {
3938                         /* don't allow empty legacy rates if HT or VHT
3939                          * are not even supported.
3940                          */
3941                         if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
3942                               rdev->wiphy.bands[band]->vht_cap.vht_supported))
3943                                 return -EINVAL;
3944 
3945                         for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
3946                                 if (mask->control[band].ht_mcs[i])
3947                                         goto out;
3948 
3949                         for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
3950                                 if (mask->control[band].vht_mcs[i])
3951                                         goto out;
3952 
3953                         /* legacy and mcs rates may not be both empty */
3954                         return -EINVAL;
3955                 }
3956         }
3957 
3958 out:
3959         return 0;
3960 }
3961 
3962 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
3963                                    enum nl80211_band band,
3964                                    struct cfg80211_bitrate_mask *beacon_rate)
3965 {
3966         u32 count_ht, count_vht, i;
3967         u32 rate = beacon_rate->control[band].legacy;
3968 
3969         /* Allow only one rate */
3970         if (hweight32(rate) > 1)
3971                 return -EINVAL;
3972 
3973         count_ht = 0;
3974         for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
3975                 if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
3976                         return -EINVAL;
3977                 } else if (beacon_rate->control[band].ht_mcs[i]) {
3978                         count_ht++;
3979                         if (count_ht > 1)
3980                                 return -EINVAL;
3981                 }
3982                 if (count_ht && rate)
3983                         return -EINVAL;
3984         }
3985 
3986         count_vht = 0;
3987         for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
3988                 if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
3989                         return -EINVAL;
3990                 } else if (beacon_rate->control[band].vht_mcs[i]) {
3991                         count_vht++;
3992                         if (count_vht > 1)
3993                                 return -EINVAL;
3994                 }
3995                 if (count_vht && rate)
3996                         return -EINVAL;
3997         }
3998 
3999         if ((count_ht && count_vht) || (!rate && !count_ht && !count_vht))
4000                 return -EINVAL;
4001 
4002         if (rate &&
4003             !wiphy_ext_feature_isset(&rdev->wiphy,
4004                                      NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
4005                 return -EINVAL;
4006         if (count_ht &&
4007             !wiphy_ext_feature_isset(&rdev->wiphy,
4008                                      NL80211_EXT_FEATURE_BEACON_RATE_HT))
4009                 return -EINVAL;
4010         if (count_vht &&
4011             !wiphy_ext_feature_isset(&rdev->wiphy,
4012                                      NL80211_EXT_FEATURE_BEACON_RATE_VHT))
4013                 return -EINVAL;
4014 
4015         return 0;
4016 }
4017 
4018 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
4019                                 struct nlattr *attrs[],
4020                                 struct cfg80211_beacon_data *bcn)
4021 {
4022         bool haveinfo = false;
4023         int err;
4024 
4025         memset(bcn, 0, sizeof(*bcn));
4026 
4027         if (attrs[NL80211_ATTR_BEACON_HEAD]) {
4028                 bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
4029                 bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
4030                 if (!bcn->head_len)
4031                         return -EINVAL;
4032                 haveinfo = true;
4033         }
4034 
4035         if (attrs[NL80211_ATTR_BEACON_TAIL]) {
4036                 bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
4037                 bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
4038                 haveinfo = true;
4039         }
4040 
4041         if (!haveinfo)
4042                 return -EINVAL;
4043 
4044         if (attrs[NL80211_ATTR_IE]) {
4045                 bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
4046                 bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
4047         }
4048 
4049         if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
4050                 bcn->proberesp_ies =
4051                         nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4052                 bcn->proberesp_ies_len =
4053                         nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4054         }
4055 
4056         if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
4057                 bcn->assocresp_ies =
4058                         nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4059                 bcn->assocresp_ies_len =
4060                         nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4061         }
4062 
4063         if (attrs[NL80211_ATTR_PROBE_RESP]) {
4064                 bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
4065                 bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
4066         }
4067 
4068         if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
4069                 struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
4070 
4071                 err = nla_parse_nested(tb, NL80211_FTM_RESP_ATTR_MAX,
4072                                        attrs[NL80211_ATTR_FTM_RESPONDER],
4073                                        NULL, NULL);
4074                 if (err)
4075                         return err;
4076 
4077                 if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
4078                     wiphy_ext_feature_isset(&rdev->wiphy,
4079                                             NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
4080                         bcn->ftm_responder = 1;
4081                 else
4082                         return -EOPNOTSUPP;
4083 
4084                 if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
4085                         bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
4086                         bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
4087                 }
4088 
4089                 if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
4090                         bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
4091                         bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
4092                 }
4093         } else {
4094                 bcn->ftm_responder = -1;
4095         }
4096 
4097         return 0;
4098 }
4099 
4100 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
4101                                             const u8 *rates)
4102 {
4103         int i;
4104 
4105         if (!rates)
4106                 return;
4107 
4108         for (i = 0; i < rates[1]; i++) {
4109                 if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
4110                         params->ht_required = true;
4111                 if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
4112                         params->vht_required = true;
4113         }
4114 }
4115 
4116 /*
4117  * Since the nl80211 API didn't include, from the beginning, attributes about
4118  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
4119  * benefit of drivers that rebuild IEs in the firmware.
4120  */
4121 static void nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
4122 {
4123         const struct cfg80211_beacon_data *bcn = &params->beacon;
4124         size_t ies_len = bcn->tail_len;
4125         const u8 *ies = bcn->tail;
4126         const u8 *rates;
4127         const u8 *cap;
4128 
4129         rates = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies, ies_len);
4130         nl80211_check_ap_rate_selectors(params, rates);
4131 
4132         rates = cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
4133         nl80211_check_ap_rate_selectors(params, rates);
4134 
4135         cap = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY, ies, ies_len);
4136         if (cap && cap[1] >= sizeof(*params->ht_cap))
4137                 params->ht_cap = (void *)(cap + 2);
4138         cap = cfg80211_find_ie(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
4139         if (cap && cap[1] >= sizeof(*params->vht_cap))
4140                 params->vht_cap = (void *)(cap + 2);
4141         cap = cfg80211_find_ext_ie(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
4142         if (cap && cap[1] >= sizeof(*params->he_cap) + 1)
4143                 params->he_cap = (void *)(cap + 3);
4144 }
4145 
4146 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
4147                                    struct cfg80211_ap_settings *params)
4148 {
4149         struct wireless_dev *wdev;
4150         bool ret = false;
4151 
4152         list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4153                 if (wdev->iftype != NL80211_IFTYPE_AP &&
4154                     wdev->iftype != NL80211_IFTYPE_P2P_GO)
4155                         continue;
4156 
4157                 if (!wdev->preset_chandef.chan)
4158                         continue;
4159 
4160                 params->chandef = wdev->preset_chandef;
4161                 ret = true;
4162                 break;
4163         }
4164 
4165         return ret;
4166 }
4167 
4168 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
4169                                     enum nl80211_auth_type auth_type,
4170                                     enum nl80211_commands cmd)
4171 {
4172         if (auth_type > NL80211_AUTHTYPE_MAX)
4173                 return false;
4174 
4175         switch (cmd) {
4176         case NL80211_CMD_AUTHENTICATE:
4177                 if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
4178                     auth_type == NL80211_AUTHTYPE_SAE)
4179                         return false;
4180                 if (!wiphy_ext_feature_isset(&rdev->wiphy,
4181                                              NL80211_EXT_FEATURE_FILS_STA) &&
4182                     (auth_type == NL80211_AUTHTYPE_FILS_SK ||
4183                      auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4184                      auth_type == NL80211_AUTHTYPE_FILS_PK))
4185                         return false;
4186                 return true;
4187         case NL80211_CMD_CONNECT:
4188                 if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
4189                     auth_type == NL80211_AUTHTYPE_SAE)
4190                         return false;
4191 
4192                 /* FILS with SK PFS or PK not supported yet */
4193                 if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4194                     auth_type == NL80211_AUTHTYPE_FILS_PK)
4195                         return false;
4196                 if (!wiphy_ext_feature_isset(
4197                             &rdev->wiphy,
4198                             NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
4199                     auth_type == NL80211_AUTHTYPE_FILS_SK)
4200                         return false;
4201                 return true;
4202         case NL80211_CMD_START_AP:
4203                 /* SAE not supported yet */
4204                 if (auth_type == NL80211_AUTHTYPE_SAE)
4205                         return false;
4206                 /* FILS not supported yet */
4207                 if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
4208                     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4209                     auth_type == NL80211_AUTHTYPE_FILS_PK)
4210                         return false;
4211                 return true;
4212         default:
4213                 return false;
4214         }
4215 }
4216 
4217 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
4218 {
4219         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4220         struct net_device *dev = info->user_ptr[1];
4221         struct wireless_dev *wdev = dev->ieee80211_ptr;
4222         struct cfg80211_ap_settings params;
4223         int err;
4224 
4225         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4226             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4227                 return -EOPNOTSUPP;
4228 
4229         if (!rdev->ops->start_ap)
4230                 return -EOPNOTSUPP;
4231 
4232         if (wdev->beacon_interval)
4233                 return -EALREADY;
4234 
4235         memset(&params, 0, sizeof(params));
4236 
4237         /* these are required for START_AP */
4238         if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
4239             !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
4240             !info->attrs[NL80211_ATTR_BEACON_HEAD])
4241                 return -EINVAL;
4242 
4243         err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon);
4244         if (err)
4245                 return err;
4246 
4247         params.beacon_interval =
4248                 nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
4249         params.dtim_period =
4250                 nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
4251 
4252         err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
4253                                            params.beacon_interval);
4254         if (err)
4255                 return err;
4256 
4257         /*
4258          * In theory, some of these attributes should be required here
4259          * but since they were not used when the command was originally
4260          * added, keep them optional for old user space programs to let
4261          * them continue to work with drivers that do not need the
4262          * additional information -- drivers must check!
4263          */
4264         if (info->attrs[NL80211_ATTR_SSID]) {
4265                 params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
4266                 params.ssid_len =
4267                         nla_len(info->attrs[NL80211_ATTR_SSID]);
4268                 if (params.ssid_len == 0 ||
4269                     params.ssid_len > IEEE80211_MAX_SSID_LEN)
4270                         return -EINVAL;
4271         }
4272 
4273         if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
4274                 params.hidden_ssid = nla_get_u32(
4275                         info->attrs[NL80211_ATTR_HIDDEN_SSID]);
4276 
4277         params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
4278 
4279         if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
4280                 params.auth_type = nla_get_u32(
4281                         info->attrs[NL80211_ATTR_AUTH_TYPE]);
4282                 if (!nl80211_valid_auth_type(rdev, params.auth_type,
4283                                              NL80211_CMD_START_AP))
4284                         return -EINVAL;
4285         } else
4286                 params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
4287 
4288         err = nl80211_crypto_settings(rdev, info, &params.crypto,
4289                                       NL80211_MAX_NR_CIPHER_SUITES);
4290         if (err)
4291                 return err;
4292 
4293         if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
4294                 if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
4295                         return -EOPNOTSUPP;
4296                 params.inactivity_timeout = nla_get_u16(
4297                         info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
4298         }
4299 
4300         if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
4301                 if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4302                         return -EINVAL;
4303                 params.p2p_ctwindow =
4304                         nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
4305                 if (params.p2p_ctwindow != 0 &&
4306                     !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
4307                         return -EINVAL;
4308         }
4309 
4310         if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
4311                 u8 tmp;
4312 
4313                 if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4314                         return -EINVAL;
4315                 tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
4316                 params.p2p_opp_ps = tmp;
4317                 if (params.p2p_opp_ps != 0 &&
4318                     !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
4319                         return -EINVAL;
4320         }
4321 
4322         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
4323                 err = nl80211_parse_chandef(rdev, info, &params.chandef);
4324                 if (err)
4325                         return err;
4326         } else if (wdev->preset_chandef.chan) {
4327                 params.chandef = wdev->preset_chandef;
4328         } else if (!nl80211_get_ap_channel(rdev, &params))
4329                 return -EINVAL;
4330 
4331         if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
4332                                            wdev->iftype))
4333                 return -EINVAL;
4334 
4335         if (info->attrs[NL80211_ATTR_TX_RATES]) {
4336                 err = nl80211_parse_tx_bitrate_mask(info, &params.beacon_rate);
4337                 if (err)
4338                         return err;
4339 
4340                 err = validate_beacon_tx_rate(rdev, params.chandef.chan->band,
4341                                               &params.beacon_rate);
4342                 if (err)
4343                         return err;
4344         }
4345 
4346         if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
4347                 params.smps_mode =
4348                         nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
4349                 switch (params.smps_mode) {
4350                 case NL80211_SMPS_OFF:
4351                         break;
4352                 case NL80211_SMPS_STATIC:
4353                         if (!(rdev->wiphy.features &
4354                               NL80211_FEATURE_STATIC_SMPS))
4355                                 return -EINVAL;
4356                         break;
4357                 case NL80211_SMPS_DYNAMIC:
4358                         if (!(rdev->wiphy.features &
4359                               NL80211_FEATURE_DYNAMIC_SMPS))
4360                                 return -EINVAL;
4361                         break;
4362                 default:
4363                         return -EINVAL;
4364                 }
4365         } else {
4366                 params.smps_mode = NL80211_SMPS_OFF;
4367         }
4368 
4369         params.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
4370         if (params.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ])
4371                 return -EOPNOTSUPP;
4372 
4373         if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
4374                 params.acl = parse_acl_data(&rdev->wiphy, info);
4375                 if (IS_ERR(params.acl))
4376                         return PTR_ERR(params.acl);
4377         }
4378 
4379         nl80211_calculate_ap_params(&params);
4380 
4381         wdev_lock(wdev);
4382         err = rdev_start_ap(rdev, dev, &params);
4383         if (!err) {
4384                 wdev->preset_chandef = params.chandef;
4385                 wdev->beacon_interval = params.beacon_interval;
4386                 wdev->chandef = params.chandef;
4387                 wdev->ssid_len = params.ssid_len;
4388                 memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
4389 
4390                 if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4391                         wdev->conn_owner_nlportid = info->snd_portid;
4392         }
4393         wdev_unlock(wdev);
4394 
4395         kfree(params.acl);
4396 
4397         return err;
4398 }
4399 
4400 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
4401 {
4402         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4403         struct net_device *dev = info->user_ptr[1];
4404         struct wireless_dev *wdev = dev->ieee80211_ptr;
4405         struct cfg80211_beacon_data params;
4406         int err;
4407 
4408         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4409             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4410                 return -EOPNOTSUPP;
4411 
4412         if (!rdev->ops->change_beacon)
4413                 return -EOPNOTSUPP;
4414 
4415         if (!wdev->beacon_interval)
4416                 return -EINVAL;
4417 
4418         err = nl80211_parse_beacon(rdev, info->attrs, &params);
4419         if (err)
4420                 return err;
4421 
4422         wdev_lock(wdev);
4423         err = rdev_change_beacon(rdev, dev, &params);
4424         wdev_unlock(wdev);
4425 
4426         return err;
4427 }
4428 
4429 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
4430 {
4431         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4432         struct net_device *dev = info->user_ptr[1];
4433 
4434         return cfg80211_stop_ap(rdev, dev, false);
4435 }
4436 
4437 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
4438         [NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
4439         [NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
4440         [NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
4441         [NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
4442         [NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
4443         [NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
4444 };
4445 
4446 static int parse_station_flags(struct genl_info *info,
4447                                enum nl80211_iftype iftype,
4448                                struct station_parameters *params)
4449 {
4450         struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
4451         struct nlattr *nla;
4452         int flag;
4453 
4454         /*
4455          * Try parsing the new attribute first so userspace
4456          * can specify both for older kernels.
4457          */
4458         nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
4459         if (nla) {
4460                 struct nl80211_sta_flag_update *sta_flags;
4461 
4462                 sta_flags = nla_data(nla);
4463                 params->sta_flags_mask = sta_flags->mask;
4464                 params->sta_flags_set = sta_flags->set;
4465                 params->sta_flags_set &= params->sta_flags_mask;
4466                 if ((params->sta_flags_mask |
4467                      params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
4468                         return -EINVAL;
4469                 return 0;
4470         }
4471 
4472         /* if present, parse the old attribute */
4473 
4474         nla = info->attrs[NL80211_ATTR_STA_FLAGS];
4475         if (!nla)
4476                 return 0;
4477 
4478         if (nla_parse_nested(flags, NL80211_STA_FLAG_MAX, nla,
4479                              sta_flags_policy, info->extack))
4480                 return -EINVAL;
4481 
4482         /*
4483          * Only allow certain flags for interface types so that
4484          * other attributes are silently ignored. Remember that
4485          * this is backward compatibility code with old userspace
4486          * and shouldn't be hit in other cases anyway.
4487          */
4488         switch (iftype) {
4489         case NL80211_IFTYPE_AP:
4490         case NL80211_IFTYPE_AP_VLAN:
4491         case NL80211_IFTYPE_P2P_GO:
4492                 params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
4493                                          BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
4494                                          BIT(NL80211_STA_FLAG_WME) |
4495                                          BIT(NL80211_STA_FLAG_MFP);
4496                 break;
4497         case NL80211_IFTYPE_P2P_CLIENT:
4498         case NL80211_IFTYPE_STATION:
4499                 params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
4500                                          BIT(NL80211_STA_FLAG_TDLS_PEER);
4501                 break;
4502         case NL80211_IFTYPE_MESH_POINT:
4503                 params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4504                                          BIT(NL80211_STA_FLAG_MFP) |
4505                                          BIT(NL80211_STA_FLAG_AUTHORIZED);
4506                 break;
4507         default:
4508                 return -EINVAL;
4509         }
4510 
4511         for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
4512                 if (flags[flag]) {
4513                         params->sta_flags_set |= (1<<flag);
4514 
4515                         /* no longer support new API additions in old API */
4516                         if (flag > NL80211_STA_FLAG_MAX_OLD_API)
4517                                 return -EINVAL;
4518                 }
4519         }
4520 
4521         return 0;
4522 }
4523 
4524 static bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info,
4525                                  int attr)
4526 {
4527         struct nlattr *rate;
4528         u32 bitrate;
4529         u16 bitrate_compat;
4530         enum nl80211_rate_info rate_flg;
4531 
4532         rate = nla_nest_start(msg, attr);
4533         if (!rate)
4534                 return false;
4535 
4536         /* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
4537         bitrate = cfg80211_calculate_bitrate(info);
4538         /* report 16-bit bitrate only if we can */
4539         bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
4540         if (bitrate > 0 &&
4541             nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
4542                 return false;
4543         if (bitrate_compat > 0 &&
4544             nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
4545                 return false;
4546 
4547         switch (info->bw) {
4548         case RATE_INFO_BW_5:
4549                 rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
4550                 break;
4551         case RATE_INFO_BW_10:
4552                 rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
4553                 break;
4554         default:
4555                 WARN_ON(1);
4556                 /* fall through */
4557         case RATE_INFO_BW_20:
4558                 rate_flg = 0;
4559                 break;
4560         case RATE_INFO_BW_40:
4561                 rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
4562                 break;
4563         case RATE_INFO_BW_80:
4564                 rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
4565                 break;
4566         case RATE_INFO_BW_160:
4567                 rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
4568                 break;
4569         case RATE_INFO_BW_HE_RU:
4570                 rate_flg = 0;
4571                 WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
4572         }
4573 
4574         if (rate_flg && nla_put_flag(msg, rate_flg))
4575                 return false;
4576 
4577         if (info->flags & RATE_INFO_FLAGS_MCS) {
4578                 if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
4579                         return false;
4580                 if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
4581                     nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
4582                         return false;
4583         } else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
4584                 if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
4585                         return false;
4586                 if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
4587                         return false;
4588                 if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
4589                     nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
4590                         return false;
4591         } else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
4592                 if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
4593                         return false;
4594                 if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
4595                         return false;
4596                 if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
4597                         return false;
4598                 if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
4599                         return false;
4600                 if (info->bw == RATE_INFO_BW_HE_RU &&
4601                     nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
4602                                info->he_ru_alloc))
4603                         return false;
4604         }
4605 
4606         nla_nest_end(msg, rate);
4607         return true;
4608 }
4609 
4610 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
4611                                int id)
4612 {
4613         void *attr;
4614         int i = 0;
4615 
4616         if (!mask)
4617                 return true;
4618 
4619         attr = nla_nest_start(msg, id);
4620         if (!attr)
4621                 return false;
4622 
4623         for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
4624                 if (!(mask & BIT(i)))
4625                         continue;
4626 
4627                 if (nla_put_u8(msg, i, signal[i]))
4628                         return false;
4629         }
4630 
4631         nla_nest_end(msg, attr);
4632 
4633         return true;
4634 }
4635 
4636 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
4637                                 u32 seq, int flags,
4638                                 struct cfg80211_registered_device *rdev,
4639                                 struct net_device *dev,
4640                                 const u8 *mac_addr, struct station_info *sinfo)
4641 {
4642         void *hdr;
4643         struct nlattr *sinfoattr, *bss_param;
4644 
4645         hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
4646         if (!hdr)
4647                 return -1;
4648 
4649         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4650             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
4651             nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
4652                 goto nla_put_failure;
4653 
4654         sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
4655         if (!sinfoattr)
4656                 goto nla_put_failure;
4657 
4658 #define PUT_SINFO(attr, memb, type) do {                                \
4659         BUILD_BUG_ON(sizeof(type) == sizeof(u64));                      \
4660         if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&       \
4661             nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,            \
4662                              sinfo->memb))                              \
4663                 goto nla_put_failure;                                   \
4664         } while (0)
4665 #define PUT_SINFO_U64(attr, memb) do {                                  \
4666         if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&       \
4667             nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,           \
4668                               sinfo->memb, NL80211_STA_INFO_PAD))       \
4669                 goto nla_put_failure;                                   \
4670         } while (0)
4671 
4672         PUT_SINFO(CONNECTED_TIME, connected_time, u32);
4673         PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
4674 
4675         if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
4676                              BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
4677             nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
4678                         (u32)sinfo->rx_bytes))
4679                 goto nla_put_failure;
4680 
4681         if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
4682                              BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
4683             nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
4684                         (u32)sinfo->tx_bytes))
4685                 goto nla_put_failure;
4686 
4687         PUT_SINFO_U64(RX_BYTES64, rx_bytes);
4688         PUT_SINFO_U64(TX_BYTES64, tx_bytes);
4689         PUT_SINFO(LLID, llid, u16);
4690         PUT_SINFO(PLID, plid, u16);
4691         PUT_SINFO(PLINK_STATE, plink_state, u8);
4692         PUT_SINFO_U64(RX_DURATION, rx_duration);
4693 
4694         switch (rdev->wiphy.signal_type) {
4695         case CFG80211_SIGNAL_TYPE_MBM:
4696                 PUT_SINFO(SIGNAL, signal, u8);
4697                 PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
4698                 break;
4699         default:
4700                 break;
4701         }
4702         if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
4703                 if (!nl80211_put_signal(msg, sinfo->chains,
4704                                         sinfo->chain_signal,
4705                                         NL80211_STA_INFO_CHAIN_SIGNAL))
4706                         goto nla_put_failure;
4707         }
4708         if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
4709                 if (!nl80211_put_signal(msg, sinfo->chains,
4710                                         sinfo->chain_signal_avg,
4711                                         NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
4712                         goto nla_put_failure;
4713         }
4714         if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
4715                 if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
4716                                           NL80211_STA_INFO_TX_BITRATE))
4717                         goto nla_put_failure;
4718         }
4719         if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
4720                 if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
4721                                           NL80211_STA_INFO_RX_BITRATE))
4722                         goto nla_put_failure;
4723         }
4724 
4725         PUT_SINFO(RX_PACKETS, rx_packets, u32);
4726         PUT_SINFO(TX_PACKETS, tx_packets, u32);
4727         PUT_SINFO(TX_RETRIES, tx_retries, u32);
4728         PUT_SINFO(TX_FAILED, tx_failed, u32);
4729         PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
4730         PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
4731         PUT_SINFO(LOCAL_PM, local_pm, u32);
4732         PUT_SINFO(PEER_PM, peer_pm, u32);
4733         PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
4734 
4735         if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
4736                 bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
4737                 if (!bss_param)
4738                         goto nla_put_failure;
4739 
4740                 if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
4741                      nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
4742                     ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
4743                      nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
4744                     ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
4745                      nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
4746                     nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
4747                                sinfo->bss_param.dtim_period) ||
4748                     nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
4749                                 sinfo->bss_param.beacon_interval))
4750                         goto nla_put_failure;
4751 
4752                 nla_nest_end(msg, bss_param);
4753         }
4754         if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
4755             nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
4756                     sizeof(struct nl80211_sta_flag_update),
4757                     &sinfo->sta_flags))
4758                 goto nla_put_failure;
4759 
4760         PUT_SINFO_U64(T_OFFSET, t_offset);
4761         PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
4762         PUT_SINFO_U64(BEACON_RX, rx_beacon);
4763         PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
4764         PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
4765         PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
4766         if (wiphy_ext_feature_isset(&rdev->wiphy,
4767                                     NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
4768                 PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
4769                 PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
4770         }
4771 
4772 #undef PUT_SINFO
4773 #undef PUT_SINFO_U64
4774 
4775         if (sinfo->pertid) {
4776                 struct nlattr *tidsattr;
4777                 int tid;
4778 
4779                 tidsattr = nla_nest_start(msg, NL80211_STA_INFO_TID_STATS);
4780                 if (!tidsattr)
4781                         goto nla_put_failure;
4782 
4783                 for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
4784                         struct cfg80211_tid_stats *tidstats;
4785                         struct nlattr *tidattr;
4786 
4787                         tidstats = &sinfo->pertid[tid];
4788 
4789                         if (!tidstats->filled)
4790                                 continue;
4791 
4792                         tidattr = nla_nest_start(msg, tid + 1);
4793                         if (!tidattr)
4794                                 goto nla_put_failure;
4795 
4796 #define PUT_TIDVAL_U64(attr, memb) do {                                 \
4797         if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&       \
4798             nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,          \
4799                               tidstats->memb, NL80211_TID_STATS_PAD))   \
4800                 goto nla_put_failure;                                   \
4801         } while (0)
4802 
4803                         PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
4804                         PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
4805                         PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
4806                         PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
4807 
4808 #undef PUT_TIDVAL_U64
4809                         if ((tidstats->filled &
4810                              BIT(NL80211_TID_STATS_TXQ_STATS)) &&
4811                             !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
4812                                                    NL80211_TID_STATS_TXQ_STATS))
4813                                 goto nla_put_failure;
4814 
4815                         nla_nest_end(msg, tidattr);
4816                 }
4817 
4818                 nla_nest_end(msg, tidsattr);
4819         }
4820 
4821         nla_nest_end(msg, sinfoattr);
4822 
4823         if (sinfo->assoc_req_ies_len &&
4824             nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
4825                     sinfo->assoc_req_ies))
4826                 goto nla_put_failure;
4827 
4828         cfg80211_sinfo_release_content(sinfo);
4829         genlmsg_end(msg, hdr);
4830         return 0;
4831 
4832  nla_put_failure:
4833         cfg80211_sinfo_release_content(sinfo);
4834         genlmsg_cancel(msg, hdr);
4835         return -EMSGSIZE;
4836 }
4837 
4838 static int nl80211_dump_station(struct sk_buff *skb,
4839                                 struct netlink_callback *cb)
4840 {
4841         struct station_info sinfo;
4842         struct cfg80211_registered_device *rdev;
4843         struct wireless_dev *wdev;
4844         u8 mac_addr[ETH_ALEN];
4845         int sta_idx = cb->args[2];
4846         int err;
4847 
4848         rtnl_lock();
4849         err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
4850         if (err)
4851                 goto out_err;
4852 
4853         if (!wdev->netdev) {
4854                 err = -EINVAL;
4855                 goto out_err;
4856         }
4857 
4858         if (!rdev->ops->dump_station) {
4859                 err = -EOPNOTSUPP;
4860                 goto out_err;
4861         }
4862 
4863         while (1) {
4864                 memset(&sinfo, 0, sizeof(sinfo));
4865                 err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
4866                                         mac_addr, &sinfo);
4867                 if (err == -ENOENT)
4868                         break;
4869                 if (err)
4870                         goto out_err;
4871 
4872                 if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
4873                                 NETLINK_CB(cb->skb).portid,
4874                                 cb->nlh->nlmsg_seq, NLM_F_MULTI,
4875                                 rdev, wdev->netdev, mac_addr,
4876                                 &sinfo) < 0)
4877                         goto out;
4878 
4879                 sta_idx++;
4880         }
4881 
4882  out:
4883         cb->args[2] = sta_idx;
4884         err = skb->len;
4885  out_err:
4886         rtnl_unlock();
4887 
4888         return err;
4889 }
4890 
4891 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
4892 {
4893         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4894         struct net_device *dev = info->user_ptr[1];
4895         struct station_info sinfo;
4896         struct sk_buff *msg;
4897         u8 *mac_addr = NULL;
4898         int err;
4899 
4900         memset(&sinfo, 0, sizeof(sinfo));
4901 
4902         if (!info->attrs[NL80211_ATTR_MAC])
4903                 return -EINVAL;
4904 
4905         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4906 
4907         if (!rdev->ops->get_station)
4908                 return -EOPNOTSUPP;
4909 
4910         err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
4911         if (err)
4912                 return err;
4913 
4914         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4915         if (!msg) {
4916                 cfg80211_sinfo_release_content(&sinfo);
4917                 return -ENOMEM;
4918         }
4919 
4920         if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
4921                                  info->snd_portid, info->snd_seq, 0,
4922                                  rdev, dev, mac_addr, &sinfo) < 0) {
4923                 nlmsg_free(msg);
4924                 return -ENOBUFS;
4925         }
4926 
4927         return genlmsg_reply(msg, info);
4928 }
4929 
4930 int cfg80211_check_station_change(struct wiphy *wiphy,
4931                                   struct station_parameters *params,
4932                                   enum cfg80211_station_type statype)
4933 {
4934         if (params->listen_interval != -1 &&
4935             statype != CFG80211_STA_AP_CLIENT_UNASSOC)
4936                 return -EINVAL;
4937 
4938         if (params->support_p2p_ps != -1 &&
4939             statype != CFG80211_STA_AP_CLIENT_UNASSOC)
4940                 return -EINVAL;
4941 
4942         if (params->aid &&
4943             !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
4944             statype != CFG80211_STA_AP_CLIENT_UNASSOC)
4945                 return -EINVAL;
4946 
4947         /* When you run into this, adjust the code below for the new flag */
4948         BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
4949 
4950         switch (statype) {
4951         case CFG80211_STA_MESH_PEER_KERNEL:
4952         case CFG80211_STA_MESH_PEER_USER:
4953                 /*
4954                  * No ignoring the TDLS flag here -- the userspace mesh
4955                  * code doesn't have the bug of including TDLS in the
4956                  * mask everywhere.
4957                  */
4958                 if (params->sta_flags_mask &
4959                                 ~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4960                                   BIT(NL80211_STA_FLAG_MFP) |
4961                                   BIT(NL80211_STA_FLAG_AUTHORIZED)))
4962                         return -EINVAL;
4963                 break;
4964         case CFG80211_STA_TDLS_PEER_SETUP:
4965         case CFG80211_STA_TDLS_PEER_ACTIVE:
4966                 if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
4967                         return -EINVAL;
4968                 /* ignore since it can't change */
4969                 params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
4970                 break;
4971         default:
4972                 /* disallow mesh-specific things */
4973                 if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
4974                         return -EINVAL;
4975                 if (params->local_pm)
4976                         return -EINVAL;
4977                 if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
4978                         return -EINVAL;
4979         }
4980 
4981         if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
4982             statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
4983                 /* TDLS can't be set, ... */
4984                 if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
4985                         return -EINVAL;
4986                 /*
4987                  * ... but don't bother the driver with it. This works around
4988                  * a hostapd/wpa_supplicant issue -- it always includes the
4989                  * TLDS_PEER flag in the mask even for AP mode.
4990                  */
4991                 params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
4992         }
4993 
4994         if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
4995             statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
4996                 /* reject other things that can't change */
4997                 if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
4998                         return -EINVAL;
4999                 if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
5000                         return -EINVAL;
5001                 if (params->supported_rates)
5002                         return -EINVAL;
5003                 if (params->ext_capab || params->ht_capa || params->vht_capa ||
5004                     params->he_capa)
5005                         return -EINVAL;
5006         }
5007 
5008         if (statype != CFG80211_STA_AP_CLIENT &&
5009             statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
5010                 if (params->vlan)
5011                         return -EINVAL;
5012         }
5013 
5014         switch (statype) {
5015         case CFG80211_STA_AP_MLME_CLIENT:
5016                 /* Use this only for authorizing/unauthorizing a station */
5017                 if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
5018                         return -EOPNOTSUPP;
5019                 break;
5020         case CFG80211_STA_AP_CLIENT:
5021         case CFG80211_STA_AP_CLIENT_UNASSOC:
5022                 /* accept only the listed bits */
5023                 if (params->sta_flags_mask &
5024                                 ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
5025                                   BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5026                                   BIT(NL80211_STA_FLAG_ASSOCIATED) |
5027                                   BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5028                                   BIT(NL80211_STA_FLAG_WME) |
5029                                   BIT(NL80211_STA_FLAG_MFP)))
5030                         return -EINVAL;
5031 
5032                 /* but authenticated/associated only if driver handles it */
5033                 if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
5034                     params->sta_flags_mask &
5035                                 (BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5036                                  BIT(NL80211_STA_FLAG_ASSOCIATED)))
5037                         return -EINVAL;
5038                 break;
5039         case CFG80211_STA_IBSS:
5040         case CFG80211_STA_AP_STA:
5041                 /* reject any changes other than AUTHORIZED */
5042                 if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
5043                         return -EINVAL;
5044                 break;
5045         case CFG80211_STA_TDLS_PEER_SETUP:
5046                 /* reject any changes other than AUTHORIZED or WME */
5047                 if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
5048                                                BIT(NL80211_STA_FLAG_WME)))
5049                         return -EINVAL;
5050                 /* force (at least) rates when authorizing */
5051                 if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
5052                     !params->supported_rates)
5053                         return -EINVAL;
5054                 break;
5055         case CFG80211_STA_TDLS_PEER_ACTIVE:
5056                 /* reject any changes */
5057                 return -EINVAL;
5058         case CFG80211_STA_MESH_PEER_KERNEL:
5059                 if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
5060                         return -EINVAL;
5061                 break;
5062         case CFG80211_STA_MESH_PEER_USER:
5063                 if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
5064                     params->plink_action != NL80211_PLINK_ACTION_BLOCK)
5065                         return -EINVAL;
5066                 break;
5067         }
5068 
5069         /*
5070          * Older kernel versions ignored this attribute entirely, so don't
5071          * reject attempts to update it but mark it as unused instead so the
5072          * driver won't look at the data.
5073          */
5074         if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
5075             statype != CFG80211_STA_TDLS_PEER_SETUP)
5076                 params->opmode_notif_used = false;
5077 
5078         return 0;
5079 }
5080 EXPORT_SYMBOL(cfg80211_check_station_change);
5081 
5082 /*
5083  * Get vlan interface making sure it is running and on the right wiphy.
5084  */
5085 static struct net_device *get_vlan(struct genl_info *info,
5086                                    struct cfg80211_registered_device *rdev)
5087 {
5088         struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
5089         struct net_device *v;
5090         int ret;
5091 
5092         if (!vlanattr)
5093                 return NULL;
5094 
5095         v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
5096         if (!v)
5097                 return ERR_PTR(-ENODEV);
5098 
5099         if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
5100                 ret = -EINVAL;
5101                 goto error;
5102         }
5103 
5104         if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
5105             v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5106             v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5107                 ret = -EINVAL;
5108                 goto error;
5109         }
5110 
5111         if (!netif_running(v)) {
5112                 ret = -ENETDOWN;
5113                 goto error;
5114         }
5115 
5116         return v;
5117  error:
5118         dev_put(v);
5119         return ERR_PTR(ret);
5120 }
5121 
5122 static const struct nla_policy
5123 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
5124         [NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
5125         [NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
5126 };
5127 
5128 static int nl80211_parse_sta_wme(struct genl_info *info,
5129                                  struct station_parameters *params)
5130 {
5131         struct nlattr *tb[NL80211_STA_WME_MAX + 1];
5132         struct nlattr *nla;
5133         int err;
5134 
5135         /* parse WME attributes if present */
5136         if (!info->attrs[NL80211_ATTR_STA_WME])
5137                 return 0;
5138 
5139         nla = info->attrs[NL80211_ATTR_STA_WME];
5140         err = nla_parse_nested(tb, NL80211_STA_WME_MAX, nla,
5141                                nl80211_sta_wme_policy, info->extack);
5142         if (err)
5143                 return err;
5144 
5145         if (tb[NL80211_STA_WME_UAPSD_QUEUES])
5146                 params->uapsd_queues = nla_get_u8(
5147                         tb[NL80211_STA_WME_UAPSD_QUEUES]);
5148         if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
5149                 return -EINVAL;
5150 
5151         if (tb[NL80211_STA_WME_MAX_SP])
5152                 params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
5153 
5154         if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
5155                 return -EINVAL;
5156 
5157         params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
5158 
5159         return 0;
5160 }
5161 
5162 static int nl80211_parse_sta_channel_info(struct genl_info *info,
5163                                       struct station_parameters *params)
5164 {
5165         if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
5166                 params->supported_channels =
5167                      nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
5168                 params->supported_channels_len =
5169                      nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
5170                 /*
5171                  * Need to include at least one (first channel, number of
5172                  * channels) tuple for each subband, and must have proper
5173                  * tuples for the rest of the data as well.
5174                  */
5175                 if (params->supported_channels_len < 2)
5176                         return -EINVAL;
5177                 if (params->supported_channels_len % 2)
5178                         return -EINVAL;
5179         }
5180 
5181         if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
5182                 params->supported_oper_classes =
5183                  nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
5184                 params->supported_oper_classes_len =
5185                   nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
5186                 /*
5187                  * The value of the Length field of the Supported Operating
5188                  * Classes element is between 2 and 253.
5189                  */
5190                 if (params->supported_oper_classes_len < 2 ||
5191                     params->supported_oper_classes_len > 253)
5192                         return -EINVAL;
5193         }
5194         return 0;
5195 }
5196 
5197 static int nl80211_set_station_tdls(struct genl_info *info,
5198                                     struct station_parameters *params)
5199 {
5200         int err;
5201         /* Dummy STA entry gets updated once the peer capabilities are known */
5202         if (info->attrs[NL80211_ATTR_PEER_AID])
5203                 params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
5204         if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
5205                 params->ht_capa =
5206                         nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
5207         if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
5208                 params->vht_capa =
5209                         nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
5210         if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
5211                 params->he_capa =
5212                         nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5213                 params->he_capa_len =
5214                         nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5215 
5216                 if (params->he_capa_len < NL80211_HE_MIN_CAPABILITY_LEN)
5217                         return -EINVAL;
5218         }
5219 
5220         err = nl80211_parse_sta_channel_info(info, params);
5221         if (err)
5222                 return err;
5223 
5224         return nl80211_parse_sta_wme(info, params);
5225 }
5226 
5227 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
5228 {
5229         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5230         struct net_device *dev = info->user_ptr[1];
5231         struct station_parameters params;
5232         u8 *mac_addr;
5233         int err;
5234 
5235         memset(&params, 0, sizeof(params));
5236 
5237         if (!rdev->ops->change_station)
5238                 return -EOPNOTSUPP;
5239 
5240         /*
5241          * AID and listen_interval properties can be set only for unassociated
5242          * station. Include these parameters here and will check them in
5243          * cfg80211_check_station_change().
5244          */
5245         if (info->attrs[NL80211_ATTR_STA_AID])
5246                 params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
5247 
5248         if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
5249                 params.listen_interval =
5250                      nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
5251         else
5252                 params.listen_interval = -1;
5253 
5254         if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
5255                 params.support_p2p_ps =
5256                         nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
5257         else
5258                 params.support_p2p_ps = -1;
5259 
5260         if (!info->attrs[NL80211_ATTR_MAC])
5261                 return -EINVAL;
5262 
5263         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5264 
5265         if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
5266                 params.supported_rates =
5267                         nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5268                 params.supported_rates_len =
5269                         nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5270         }
5271 
5272         if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
5273                 params.capability =
5274                         nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
5275                 params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
5276         }
5277 
5278         if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
5279                 params.ext_capab =
5280                         nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5281                 params.ext_capab_len =
5282                         nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5283         }
5284 
5285         if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
5286                 return -EINVAL;
5287 
5288         if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
5289                 params.plink_action =
5290                         nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
5291 
5292         if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
5293                 params.plink_state =
5294                         nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
5295                 if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
5296                         params.peer_aid = nla_get_u16(
5297                                 info->attrs[NL80211_ATTR_MESH_PEER_AID]);
5298                 params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
5299         }
5300 
5301         if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
5302                 params.local_pm = nla_get_u32(
5303                         info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
5304 
5305         if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
5306                 params.opmode_notif_used = true;
5307                 params.opmode_notif =
5308                         nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
5309         }
5310 
5311         /* Include parameters for TDLS peer (will check later) */
5312         err = nl80211_set_station_tdls(info, &params);
5313         if (err)
5314                 return err;
5315 
5316         params.vlan = get_vlan(info, rdev);
5317         if (IS_ERR(params.vlan))
5318                 return PTR_ERR(params.vlan);
5319 
5320         switch (dev->ieee80211_ptr->iftype) {
5321         case NL80211_IFTYPE_AP:
5322         case NL80211_IFTYPE_AP_VLAN:
5323         case NL80211_IFTYPE_P2P_GO:
5324         case NL80211_IFTYPE_P2P_CLIENT:
5325         case NL80211_IFTYPE_STATION:
5326         case NL80211_IFTYPE_ADHOC:
5327         case NL80211_IFTYPE_MESH_POINT:
5328                 break;
5329         default:
5330                 err = -EOPNOTSUPP;
5331                 goto out_put_vlan;
5332         }
5333 
5334         /* driver will call cfg80211_check_station_change() */
5335         err = rdev_change_station(rdev, dev, mac_addr, &params);
5336 
5337  out_put_vlan:
5338         if (params.vlan)
5339                 dev_put(params.vlan);
5340 
5341         return err;
5342 }
5343 
5344 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
5345 {
5346         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5347         int err;
5348         struct net_device *dev = info->user_ptr[1];
5349         struct station_parameters params;
5350         u8 *mac_addr = NULL;
5351         u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5352                          BIT(NL80211_STA_FLAG_ASSOCIATED);
5353 
5354         memset(&params, 0, sizeof(params));
5355 
5356         if (!rdev->ops->add_station)
5357                 return -EOPNOTSUPP;
5358 
5359         if (!info->attrs[NL80211_ATTR_MAC])
5360                 return -EINVAL;
5361 
5362         if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
5363                 return -EINVAL;
5364 
5365         if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
5366                 return -EINVAL;
5367 
5368         if (!info->attrs[NL80211_ATTR_STA_AID] &&
5369             !info->attrs[NL80211_ATTR_PEER_AID])
5370                 return -EINVAL;
5371 
5372         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5373         params.supported_rates =
5374                 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5375         params.supported_rates_len =
5376                 nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5377         params.listen_interval =
5378                 nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
5379 
5380         if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
5381                 params.support_p2p_ps =
5382                         nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
5383         } else {
5384                 /*
5385                  * if not specified, assume it's supported for P2P GO interface,
5386                  * and is NOT supported for AP interface
5387                  */
5388                 params.support_p2p_ps =
5389                         dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
5390         }
5391 
5392         if (info->attrs[NL80211_ATTR_PEER_AID])
5393                 params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
5394         else
5395                 params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
5396 
5397         if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
5398                 params.capability =
5399                         nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
5400                 params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
5401         }
5402 
5403         if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
5404                 params.ext_capab =
5405                         nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5406                 params.ext_capab_len =
5407                         nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5408         }
5409 
5410         if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
5411                 params.ht_capa =
5412                         nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
5413 
5414         if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
5415                 params.vht_capa =
5416                         nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
5417 
5418         if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
5419                 params.he_capa =
5420                         nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5421                 params.he_capa_len =
5422                         nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5423 
5424                 /* max len is validated in nla policy */
5425                 if (params.he_capa_len < NL80211_HE_MIN_CAPABILITY_LEN)
5426                         return -EINVAL;
5427         }
5428 
5429         if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
5430                 params.opmode_notif_used = true;
5431                 params.opmode_notif =
5432                         nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
5433         }
5434 
5435         if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
5436                 params.plink_action =
5437                         nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
5438 
5439         err = nl80211_parse_sta_channel_info(info, &params);
5440         if (err)
5441                 return err;
5442 
5443         err = nl80211_parse_sta_wme(info, &params);
5444         if (err)
5445                 return err;
5446 
5447         if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
5448                 return -EINVAL;
5449 
5450         /* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
5451          * as userspace might just pass through the capabilities from the IEs
5452          * directly, rather than enforcing this restriction and returning an
5453          * error in this case.
5454          */
5455         if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
5456                 params.ht_capa = NULL;
5457                 params.vht_capa = NULL;
5458 
5459                 /* HE requires WME */
5460                 if (params.he_capa_len)
5461                         return -EINVAL;
5462         }
5463 
5464         /* When you run into this, adjust the code below for the new flag */
5465         BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
5466 
5467         switch (dev->ieee80211_ptr->iftype) {
5468         case NL80211_IFTYPE_AP:
5469         case NL80211_IFTYPE_AP_VLAN:
5470         case NL80211_IFTYPE_P2P_GO:
5471                 /* ignore WME attributes if iface/sta is not capable */
5472                 if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
5473                     !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
5474                         params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
5475 
5476                 /* TDLS peers cannot be added */
5477                 if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
5478                     info->attrs[NL80211_ATTR_PEER_AID])
5479                         return -EINVAL;
5480                 /* but don't bother the driver with it */
5481                 params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5482 
5483                 /* allow authenticated/associated only if driver handles it */
5484                 if (!(rdev->wiphy.features &
5485                                 NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
5486                     params.sta_flags_mask & auth_assoc)
5487                         return -EINVAL;
5488 
5489                 /* Older userspace, or userspace wanting to be compatible with
5490                  * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
5491                  * and assoc flags in the mask, but assumes the station will be
5492                  * added as associated anyway since this was the required driver
5493                  * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
5494                  * introduced.
5495                  * In order to not bother drivers with this quirk in the API
5496                  * set the flags in both the mask and set for new stations in
5497                  * this case.
5498                  */
5499                 if (!(params.sta_flags_mask & auth_assoc)) {
5500                         params.sta_flags_mask |= auth_assoc;
5501                         params.sta_flags_set |= auth_assoc;
5502                 }
5503 
5504                 /* must be last in here for error handling */
5505                 params.vlan = get_vlan(info, rdev);
5506                 if (IS_ERR(params.vlan))
5507                         return PTR_ERR(params.vlan);
5508                 break;
5509         case NL80211_IFTYPE_MESH_POINT:
5510                 /* ignore uAPSD data */
5511                 params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
5512 
5513                 /* associated is disallowed */
5514                 if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
5515                         return -EINVAL;
5516                 /* TDLS peers cannot be added */
5517                 if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
5518                     info->attrs[NL80211_ATTR_PEER_AID])
5519                         return -EINVAL;
5520                 break;
5521         case NL80211_IFTYPE_STATION:
5522         case NL80211_IFTYPE_P2P_CLIENT:
5523                 /* ignore uAPSD data */
5524                 params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
5525 
5526                 /* these are disallowed */
5527                 if (params.sta_flags_mask &
5528                                 (BIT(NL80211_STA_FLAG_ASSOCIATED) |
5529                                  BIT(NL80211_STA_FLAG_AUTHENTICATED)))
5530                         return -EINVAL;
5531                 /* Only TDLS peers can be added */
5532                 if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
5533                         return -EINVAL;
5534                 /* Can only add if TDLS ... */
5535                 if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
5536                         return -EOPNOTSUPP;
5537                 /* ... with external setup is supported */
5538                 if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
5539                         return -EOPNOTSUPP;
5540                 /*
5541                  * Older wpa_supplicant versions always mark the TDLS peer
5542                  * as authorized, but it shouldn't yet be.
5543                  */
5544                 params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
5545                 break;
5546         default:
5547                 return -EOPNOTSUPP;
5548         }
5549 
5550         /* be aware of params.vlan when changing code here */
5551 
5552         err = rdev_add_station(rdev, dev, mac_addr, &params);
5553 
5554         if (params.vlan)
5555                 dev_put(params.vlan);
5556         return err;
5557 }
5558 
5559 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
5560 {
5561         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5562         struct net_device *dev = info->user_ptr[1];
5563         struct station_del_parameters params;
5564 
5565         memset(&params, 0, sizeof(params));
5566 
5567         if (info->attrs[NL80211_ATTR_MAC])
5568                 params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
5569 
5570         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5571             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
5572             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
5573             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5574                 return -EINVAL;
5575 
5576         if (!rdev->ops->del_station)
5577                 return -EOPNOTSUPP;
5578 
5579         if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
5580                 params.subtype =
5581                         nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
5582                 if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
5583                     params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
5584                         return -EINVAL;
5585         } else {
5586                 /* Default to Deauthentication frame */
5587                 params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
5588         }
5589 
5590         if (info->attrs[NL80211_ATTR_REASON_CODE]) {
5591                 params.reason_code =
5592                         nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
5593                 if (params.reason_code == 0)
5594                         return -EINVAL; /* 0 is reserved */
5595         } else {
5596                 /* Default to reason code 2 */
5597                 params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
5598         }
5599 
5600         return rdev_del_station(rdev, dev, &params);
5601 }
5602 
5603 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
5604                                 int flags, struct net_device *dev,
5605                                 u8 *dst, u8 *next_hop,
5606                                 struct mpath_info *pinfo)
5607 {
5608         void *hdr;
5609         struct nlattr *pinfoattr;
5610 
5611         hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
5612         if (!hdr)
5613                 return -1;
5614 
5615         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5616             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
5617             nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
5618             nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
5619                 goto nla_put_failure;
5620 
5621         pinfoattr = nla_nest_start(msg, NL80211_ATTR_MPATH_INFO);
5622         if (!pinfoattr)
5623                 goto nla_put_failure;
5624         if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
5625             nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
5626                         pinfo->frame_qlen))
5627                 goto nla_put_failure;
5628         if (((pinfo->filled & MPATH_INFO_SN) &&
5629              nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
5630             ((pinfo->filled & MPATH_INFO_METRIC) &&
5631              nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
5632                          pinfo->metric)) ||
5633             ((pinfo->filled & MPATH_INFO_EXPTIME) &&
5634              nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
5635                          pinfo->exptime)) ||
5636             ((pinfo->filled & MPATH_INFO_FLAGS) &&
5637              nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
5638                         pinfo->flags)) ||
5639             ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
5640              nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
5641                          pinfo->discovery_timeout)) ||
5642             ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
5643              nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
5644                         pinfo->discovery_retries)))
5645                 goto nla_put_failure;
5646 
5647         nla_nest_end(msg, pinfoattr);
5648 
5649         genlmsg_end(msg, hdr);
5650         return 0;
5651 
5652  nla_put_failure:
5653         genlmsg_cancel(msg, hdr);
5654         return -EMSGSIZE;
5655 }
5656 
5657 static int nl80211_dump_mpath(struct sk_buff *skb,
5658                               struct netlink_callback *cb)
5659 {
5660         struct mpath_info pinfo;
5661         struct cfg80211_registered_device *rdev;
5662         struct wireless_dev *wdev;
5663         u8 dst[ETH_ALEN];
5664         u8 next_hop[ETH_ALEN];
5665         int path_idx = cb->args[2];
5666         int err;
5667 
5668         rtnl_lock();
5669         err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
5670         if (err)
5671                 goto out_err;
5672 
5673         if (!rdev->ops->dump_mpath) {
5674                 err = -EOPNOTSUPP;
5675                 goto out_err;
5676         }
5677 
5678         if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
5679                 err = -EOPNOTSUPP;
5680                 goto out_err;
5681         }
5682 
5683         while (1) {
5684                 err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
5685                                       next_hop, &pinfo);
5686                 if (err == -ENOENT)
5687                         break;
5688                 if (err)
5689                         goto out_err;
5690 
5691                 if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
5692                                        cb->nlh->nlmsg_seq, NLM_F_MULTI,
5693                                        wdev->netdev, dst, next_hop,
5694                                        &pinfo) < 0)
5695                         goto out;
5696 
5697                 path_idx++;
5698         }
5699 
5700  out:
5701         cb->args[2] = path_idx;
5702         err = skb->len;
5703  out_err:
5704         rtnl_unlock();
5705         return err;
5706 }
5707 
5708 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
5709 {
5710         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5711         int err;
5712         struct net_device *dev = info->user_ptr[1];
5713         struct mpath_info pinfo;
5714         struct sk_buff *msg;
5715         u8 *dst = NULL;
5716         u8 next_hop[ETH_ALEN];
5717 
5718         memset(&pinfo, 0, sizeof(pinfo));
5719 
5720         if (!info->attrs[NL80211_ATTR_MAC])
5721                 return -EINVAL;
5722 
5723         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
5724 
5725         if (!rdev->ops->get_mpath)
5726                 return -EOPNOTSUPP;
5727 
5728         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
5729                 return -EOPNOTSUPP;
5730 
5731         err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
5732         if (err)
5733                 return err;
5734 
5735         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5736         if (!msg)
5737                 return -ENOMEM;
5738 
5739         if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
5740                                  dev, dst, next_hop, &pinfo) < 0) {
5741                 nlmsg_free(msg);
5742                 return -ENOBUFS;
5743         }
5744 
5745         return genlmsg_reply(msg, info);
5746 }
5747 
5748 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
5749 {
5750         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5751         struct net_device *dev = info->user_ptr[1];
5752         u8 *dst = NULL;
5753         u8 *next_hop = NULL;
5754 
5755         if (!info->attrs[NL80211_ATTR_MAC])
5756                 return -EINVAL;
5757 
5758         if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
5759                 return -EINVAL;
5760 
5761         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
5762         next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
5763 
5764         if (!rdev->ops->change_mpath)
5765                 return -EOPNOTSUPP;
5766 
5767         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
5768                 return -EOPNOTSUPP;
5769 
5770         return rdev_change_mpath(rdev, dev, dst, next_hop);
5771 }
5772 
5773 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
5774 {
5775         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5776         struct net_device *dev = info->user_ptr[1];
5777         u8 *dst = NULL;
5778         u8 *next_hop = NULL;
5779 
5780         if (!info->attrs[NL80211_ATTR_MAC])
5781                 return -EINVAL;
5782 
5783         if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
5784                 return -EINVAL;
5785 
5786         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
5787         next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
5788 
5789         if (!rdev->ops->add_mpath)
5790                 return -EOPNOTSUPP;
5791 
5792         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
5793                 return -EOPNOTSUPP;
5794 
5795         return rdev_add_mpath(rdev, dev, dst, next_hop);
5796 }
5797 
5798 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
5799 {
5800         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5801         struct net_device *dev = info->user_ptr[1];
5802         u8 *dst = NULL;
5803 
5804         if (info->attrs[NL80211_ATTR_MAC])
5805                 dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
5806 
5807         if (!rdev->ops->del_mpath)
5808                 return -EOPNOTSUPP;
5809 
5810         return rdev_del_mpath(rdev, dev, dst);
5811 }
5812 
5813 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
5814 {
5815         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5816         int err;
5817         struct net_device *dev = info->user_ptr[1];
5818         struct mpath_info pinfo;
5819         struct sk_buff *msg;
5820         u8 *dst = NULL;
5821         u8 mpp[ETH_ALEN];
5822 
5823         memset(&pinfo, 0, sizeof(pinfo));
5824 
5825         if (!info->attrs[NL80211_ATTR_MAC])
5826                 return -EINVAL;
5827 
5828         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
5829 
5830         if (!rdev->ops->get_mpp)
5831                 return -EOPNOTSUPP;
5832 
5833         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
5834                 return -EOPNOTSUPP;
5835 
5836         err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
5837         if (err)
5838                 return err;
5839 
5840         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5841         if (!msg)
5842                 return -ENOMEM;
5843 
5844         if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
5845                                dev, dst, mpp, &pinfo) < 0) {
5846                 nlmsg_free(msg);
5847                 return -ENOBUFS;
5848         }
5849 
5850         return genlmsg_reply(msg, info);
5851 }
5852 
5853 static int nl80211_dump_mpp(struct sk_buff *skb,
5854                             struct netlink_callback *cb)
5855 {
5856         struct mpath_info pinfo;
5857         struct cfg80211_registered_device *rdev;
5858         struct wireless_dev *wdev;
5859         u8 dst[ETH_ALEN];
5860         u8 mpp[ETH_ALEN];
5861         int path_idx = cb->args[2];
5862         int err;
5863 
5864         rtnl_lock();
5865         err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
5866         if (err)
5867                 goto out_err;
5868 
5869         if (!rdev->ops->dump_mpp) {
5870                 err = -EOPNOTSUPP;
5871                 goto out_err;
5872         }
5873 
5874         if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
5875                 err = -EOPNOTSUPP;
5876                 goto out_err;
5877         }
5878 
5879         while (1) {
5880                 err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
5881                                     mpp, &pinfo);
5882                 if (err == -ENOENT)
5883                         break;
5884                 if (err)
5885                         goto out_err;
5886 
5887                 if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
5888                                        cb->nlh->nlmsg_seq, NLM_F_MULTI,
5889                                        wdev->netdev, dst, mpp,
5890                                        &pinfo) < 0)
5891                         goto out;
5892 
5893                 path_idx++;
5894         }
5895 
5896  out:
5897         cb->args[2] = path_idx;
5898         err = skb->len;
5899  out_err:
5900         rtnl_unlock();
5901         return err;
5902 }
5903 
5904 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
5905 {
5906         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5907         struct net_device *dev = info->user_ptr[1];
5908         struct wireless_dev *wdev = dev->ieee80211_ptr;
5909         struct bss_parameters params;
5910         int err;
5911 
5912         memset(&params, 0, sizeof(params));
5913         /* default to not changing parameters */
5914         params.use_cts_prot = -1;
5915         params.use_short_preamble = -1;
5916         params.use_short_slot_time = -1;
5917         params.ap_isolate = -1;
5918         params.ht_opmode = -1;
5919         params.p2p_ctwindow = -1;
5920         params.p2p_opp_ps = -1;
5921 
5922         if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
5923                 params.use_cts_prot =
5924                     nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
5925         if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
5926                 params.use_short_preamble =
5927                     nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
5928         if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
5929                 params.use_short_slot_time =
5930                     nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
5931         if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
5932                 params.basic_rates =
5933                         nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
5934                 params.basic_rates_len =
5935                         nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
5936         }
5937         if (info->attrs[NL80211_ATTR_AP_ISOLATE])
5938                 params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
5939         if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
5940                 params.ht_opmode =
5941                         nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
5942 
5943         if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
5944                 if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5945                         return -EINVAL;
5946                 params.p2p_ctwindow =
5947                         nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
5948                 if (params.p2p_ctwindow != 0 &&
5949                     !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
5950                         return -EINVAL;
5951         }
5952 
5953         if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
5954                 u8 tmp;
5955 
5956                 if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5957                         return -EINVAL;
5958                 tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
5959                 params.p2p_opp_ps = tmp;
5960                 if (params.p2p_opp_ps &&
5961                     !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
5962                         return -EINVAL;
5963         }
5964 
5965         if (!rdev->ops->change_bss)
5966                 return -EOPNOTSUPP;
5967 
5968         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5969             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5970                 return -EOPNOTSUPP;
5971 
5972         wdev_lock(wdev);
5973         err = rdev_change_bss(rdev, dev, &params);
5974         wdev_unlock(wdev);
5975 
5976         return err;
5977 }
5978 
5979 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
5980 {
5981         char *data = NULL;
5982         bool is_indoor;
5983         enum nl80211_user_reg_hint_type user_reg_hint_type;
5984         u32 owner_nlportid;
5985 
5986         /*
5987          * You should only get this when cfg80211 hasn't yet initialized
5988          * completely when built-in to the kernel right between the time
5989          * window between nl80211_init() and regulatory_init(), if that is
5990          * even possible.
5991          */
5992         if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
5993                 return -EINPROGRESS;
5994 
5995         if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
5996                 user_reg_hint_type =
5997                   nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
5998         else
5999                 user_reg_hint_type = NL80211_USER_REG_HINT_USER;
6000 
6001         switch (user_reg_hint_type) {
6002         case NL80211_USER_REG_HINT_USER:
6003         case NL80211_USER_REG_HINT_CELL_BASE:
6004                 if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
6005                         return -EINVAL;
6006 
6007                 data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
6008                 return regulatory_hint_user(data, user_reg_hint_type);
6009         case NL80211_USER_REG_HINT_INDOOR:
6010                 if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
6011                         owner_nlportid = info->snd_portid;
6012                         is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
6013                 } else {
6014                         owner_nlportid = 0;
6015                         is_indoor = true;
6016                 }
6017 
6018                 return regulatory_hint_indoor(is_indoor, owner_nlportid);
6019         default:
6020                 return -EINVAL;
6021         }
6022 }
6023 
6024 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
6025 {
6026         return reg_reload_regdb();
6027 }
6028 
6029 static int nl80211_get_mesh_config(struct sk_buff *skb,
6030                                    struct genl_info *info)
6031 {
6032         struct cfg80211_registered_device *rdev = info->user_ptr[0];
6033         struct net_device *dev = info->user_ptr[1];
6034         struct wireless_dev *wdev = dev->ieee80211_ptr;
6035         struct mesh_config cur_params;
6036         int err = 0;
6037         void *hdr;
6038         struct nlattr *pinfoattr;
6039         struct sk_buff *msg;
6040 
6041         if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
6042                 return -EOPNOTSUPP;
6043 
6044         if (!rdev->ops->get_mesh_config)
6045                 return -EOPNOTSUPP;
6046 
6047         wdev_lock(wdev);
6048         /* If not connected, get default parameters */
6049         if (!wdev->mesh_id_len)
6050                 memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
6051         else
6052                 err = rdev_get_mesh_config(rdev, dev, &cur_params);
6053         wdev_unlock(wdev);
6054 
6055         if (err)
6056                 return err;
6057 
6058         /* Draw up a netlink message to send back */
6059         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6060         if (!msg)
6061                 return -ENOMEM;
6062         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
6063                              NL80211_CMD_GET_MESH_CONFIG);
6064         if (!hdr)
6065                 goto out;
6066         pinfoattr = nla_nest_start(msg, NL80211_ATTR_MESH_CONFIG);
6067         if (!pinfoattr)
6068                 goto nla_put_failure;
6069         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6070             nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
6071                         cur_params.dot11MeshRetryTimeout) ||
6072             nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
6073                         cur_params.dot11MeshConfirmTimeout) ||
6074             nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
6075                         cur_params.dot11MeshHoldingTimeout) ||
6076             nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
6077                         cur_params.dot11MeshMaxPeerLinks) ||
6078             nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
6079                        cur_params.dot11MeshMaxRetries) ||
6080             nla_put_u8(msg, NL80211_MESHCONF_TTL,
6081                        cur_params.dot11MeshTTL) ||
6082             nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
6083                        cur_params.element_ttl) ||
6084             nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
6085                        cur_params.auto_open_plinks) ||
6086             nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
6087                         cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
6088             nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
6089                        cur_params.dot11MeshHWMPmaxPREQretries) ||
6090             nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
6091                         cur_params.path_refresh_time) ||
6092             nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
6093                         cur_params.min_discovery_timeout) ||
6094             nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
6095                         cur_params.dot11MeshHWMPactivePathTimeout) ||
6096             nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
6097                         cur_params.dot11MeshHWMPpreqMinInterval) ||
6098             nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
6099                         cur_params.dot11MeshHWMPperrMinInterval) ||
6100             nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
6101                         cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
6102             nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
6103                        cur_params.dot11MeshHWMPRootMode) ||
6104             nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
6105                         cur_params.dot11MeshHWMPRannInterval) ||
6106             nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
6107                        cur_params.dot11MeshGateAnnouncementProtocol) ||
6108             nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
6109                        cur_params.dot11MeshForwarding) ||
6110             nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
6111                         cur_params.rssi_threshold) ||
6112             nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
6113                         cur_params.ht_opmode) ||
6114             nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
6115                         cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
6116             nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
6117                         cur_params.dot11MeshHWMProotInterval) ||
6118             nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
6119                         cur_params.dot11MeshHWMPconfirmationInterval) ||
6120             nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
6121                         cur_params.power_mode) ||
6122             nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
6123                         cur_params.dot11MeshAwakeWindowDuration) ||
6124             nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
6125                         cur_params.plink_timeout))
6126                 goto nla_put_failure;
6127         nla_nest_end(msg, pinfoattr);
6128         genlmsg_end(msg, hdr);
6129         return genlmsg_reply(msg, info);
6130 
6131  nla_put_failure:
6132  out:
6133         nlmsg_free(msg);
6134         return -ENOBUFS;
6135 }
6136 
6137 static const struct nla_policy
6138 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
6139         [NL80211_MESHCONF_RETRY_TIMEOUT] =
6140                 NLA_POLICY_RANGE(NLA_U16, 1, 255),
6141         [NL80211_MESHCONF_CONFIRM_TIMEOUT] =
6142                 NLA_POLICY_RANGE(NLA_U16, 1, 255),
6143         [NL80211_MESHCONF_HOLDING_TIMEOUT] =
6144                 NLA_POLICY_RANGE(NLA_U16, 1, 255),
6145         [NL80211_MESHCONF_MAX_PEER_LINKS] =
6146                 NLA_POLICY_RANGE(NLA_U16, 0, 255),
6147         [NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
6148         [NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
6149         [NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
6150         [NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
6151         [NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
6152                 NLA_POLICY_RANGE(NLA_U32, 1, 255),
6153         [NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
6154         [NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
6155         [NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
6156         [NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
6157         [NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
6158                 NLA_POLICY_MIN(NLA_U16, 1),
6159         [NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
6160                 NLA_POLICY_MIN(NLA_U16, 1),
6161         [NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
6162                 NLA_POLICY_MIN(NLA_U16, 1),
6163         [NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
6164         [NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
6165                 NLA_POLICY_MIN(NLA_U16, 1),
6166         [NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
6167         [NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
6168         [NL80211_MESHCONF_RSSI_THRESHOLD] =
6169                 NLA_POLICY_RANGE(NLA_S32, -255, 0),
6170         [NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
6171         [NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
6172         [NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
6173                 NLA_POLICY_MIN(NLA_U16, 1),
6174         [NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
6175                 NLA_POLICY_MIN(NLA_U16, 1),
6176         [NL80211_MESHCONF_POWER_MODE] =
6177                 NLA_POLICY_RANGE(NLA_U32,
6178                                  NL80211_MESH_POWER_ACTIVE,
6179                                  NL80211_MESH_POWER_MAX),
6180         [NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
6181         [NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
6182 };
6183 
6184 static const struct nla_policy
6185         nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
6186         [NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
6187         [NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
6188         [NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
6189         [NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
6190         [NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
6191         [NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
6192         [NL80211_MESH_SETUP_IE] =
6193                 NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
6194                                        IEEE80211_MAX_DATA_LEN),
6195         [NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
6196 };
6197 
6198 static int nl80211_parse_mesh_config(struct genl_info *info,
6199                                      struct mesh_config *cfg,
6200                                      u32 *mask_out)
6201 {
6202         struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
6203         u32 mask = 0;
6204         u16 ht_opmode;
6205 
6206 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)       \
6207 do {                                                                    \
6208         if (tb[attr]) {                                                 \
6209                 cfg->param = fn(tb[attr]);                              \
6210                 mask |= BIT((attr) - 1);                                \
6211         }                                                               \
6212 } while (0)
6213 
6214         if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
6215                 return -EINVAL;
6216         if (nla_parse_nested(tb, NL80211_MESHCONF_ATTR_MAX,
6217                              info->attrs[NL80211_ATTR_MESH_CONFIG],
6218                              nl80211_meshconf_params_policy, info->extack))
6219                 return -EINVAL;
6220 
6221         /* This makes sure that there aren't more than 32 mesh config
6222          * parameters (otherwise our bitfield scheme would not work.) */
6223         BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
6224 
6225         /* Fill in the params struct */
6226         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
6227                                   NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
6228         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
6229                                   NL80211_MESHCONF_CONFIRM_TIMEOUT,
6230                                   nla_get_u16);
6231         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
6232                                   NL80211_MESHCONF_HOLDING_TIMEOUT,
6233                                   nla_get_u16);
6234         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
6235                                   NL80211_MESHCONF_MAX_PEER_LINKS,
6236                                   nla_get_u16);
6237         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
6238                                   NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
6239         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
6240                                   NL80211_MESHCONF_TTL, nla_get_u8);
6241         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
6242                                   NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
6243         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
6244                                   NL80211_MESHCONF_AUTO_OPEN_PLINKS,
6245                                   nla_get_u8);
6246         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
6247                                   mask,
6248                                   NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
6249                                   nla_get_u32);
6250         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
6251                                   NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
6252                                   nla_get_u8);
6253         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
6254                                   NL80211_MESHCONF_PATH_REFRESH_TIME,
6255                                   nla_get_u32);
6256         if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
6257             (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
6258                 return -EINVAL;
6259         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
6260                                   NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
6261                                   nla_get_u16);
6262         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
6263                                   mask,
6264                                   NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
6265                                   nla_get_u32);
6266         if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
6267             (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
6268              cfg->dot11MeshHWMPactivePathTimeout > 65535))
6269                 return -EINVAL;
6270         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
6271                                   NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
6272                                   nla_get_u16);
6273         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
6274                                   NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
6275                                   nla_get_u16);
6276         FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
6277                                   dot11MeshHWMPnetDiameterTraversalTime, mask,
6278                                   NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
6279                                   nla_get_u16);
6280         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
6281                                   NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
6282         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
6283                                   NL80211_MESHCONF_HWMP_RANN_INTERVAL,
6284                                   nla_get_u16);
6285         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
6286                                   mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
6287                                   nla_get_u8);
6288         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
6289                                   NL80211_MESHCONF_FORWARDING, nla_get_u8);
6290         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
6291                                   NL80211_MESHCONF_RSSI_THRESHOLD,
6292                                   nla_get_s32);
6293         /*
6294          * Check HT operation mode based on
6295          * IEEE 802.11-2016 9.4.2.57 HT Operation element.
6296          */
6297         if (tb[NL80211_MESHCONF_HT_OPMODE]) {
6298                 ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
6299 
6300                 if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
6301                                   IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
6302                                   IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
6303                         return -EINVAL;
6304 
6305                 /* NON_HT_STA bit is reserved, but some programs set it */
6306                 ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
6307 
6308                 cfg->ht_opmode = ht_opmode;
6309                 mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
6310         }
6311         FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
6312                                   dot11MeshHWMPactivePathToRootTimeout, mask,
6313                                   NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
6314                                   nla_get_u32);
6315         if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
6316             (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
6317              cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
6318                 return -EINVAL;
6319         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
6320                                   NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
6321                                   nla_get_u16);
6322         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
6323                                   mask,
6324                                   NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
6325                                   nla_get_u16);
6326         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
6327                                   NL80211_MESHCONF_POWER_MODE, nla_get_u32);
6328         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
6329                                   NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
6330         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
6331                                   NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
6332         if (mask_out)
6333                 *mask_out = mask;
6334 
6335         return 0;
6336 
6337 #undef FILL_IN_MESH_PARAM_IF_SET
6338 }
6339 
6340 static int nl80211_parse_mesh_setup(struct genl_info *info,
6341                                      struct mesh_setup *setup)
6342 {
6343         struct cfg80211_registered_device *rdev = info->user_ptr[0];
6344         struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
6345 
6346         if (!info->attrs[NL80211_ATTR_MESH_SETUP])
6347                 return -EINVAL;
6348         if (nla_parse_nested(tb, NL80211_MESH_SETUP_ATTR_MAX,
6349                              info->attrs[NL80211_ATTR_MESH_SETUP],
6350                              nl80211_mesh_setup_params_policy, info->extack))
6351                 return -EINVAL;
6352 
6353         if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
6354                 setup->sync_method =
6355                 (nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
6356                  IEEE80211_SYNC_METHOD_VENDOR :
6357                  IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
6358 
6359         if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
6360                 setup->path_sel_proto =
6361                 (nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
6362                  IEEE80211_PATH_PROTOCOL_VENDOR :
6363                  IEEE80211_PATH_PROTOCOL_HWMP;
6364 
6365         if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
6366                 setup->path_metric =
6367                 (nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
6368                  IEEE80211_PATH_METRIC_VENDOR :
6369                  IEEE80211_PATH_METRIC_AIRTIME;
6370 
6371         if (tb[NL80211_MESH_SETUP_IE]) {
6372                 struct nlattr *ieattr =
6373                         tb[NL80211_MESH_SETUP_IE];
6374                 setup->ie = nla_data(ieattr);
6375                 setup->ie_len = nla_len(ieattr);
6376         }
6377         if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
6378             !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
6379                 return -EINVAL;
6380         setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
6381         setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
6382         setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
6383         if (setup->is_secure)
6384                 setup->user_mpm = true;
6385 
6386         if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
6387                 if (!setup->user_mpm)
6388                         return -EINVAL;
6389                 setup->auth_id =
6390                         nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
6391         }
6392 
6393         return 0;
6394 }
6395 
6396 static int nl80211_update_mesh_config(struct sk_buff *skb,
6397                                       struct genl_info *info)
6398 {
6399         struct cfg80211_registered_device *rdev = info->user_ptr[0];
6400         struct net_device *dev = info->user_ptr[1];
6401         struct wireless_dev *wdev = dev->ieee80211_ptr;
6402         struct mesh_config cfg;
6403         u32 mask;
6404         int err;
6405 
6406         if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
6407                 return -EOPNOTSUPP;
6408 
6409         if (!rdev->ops->update_mesh_config)
6410                 return -EOPNOTSUPP;
6411 
6412         err = nl80211_parse_mesh_config(info, &cfg, &mask);
6413         if (err)
6414                 return err;
6415 
6416         wdev_lock(wdev);
6417         if (!wdev->mesh_id_len)
6418                 err = -ENOLINK;
6419 
6420         if (!err)
6421                 err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
6422 
6423         wdev_unlock(wdev);
6424 
6425         return err;
6426 }
6427 
6428 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
6429                               struct sk_buff *msg)
6430 {
6431         struct nlattr *nl_reg_rules;
6432         unsigned int i;
6433 
6434         if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
6435             (regdom->dfs_region &&
6436              nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
6437                 goto nla_put_failure;
6438 
6439         nl_reg_rules = nla_nest_start(msg, NL80211_ATTR_REG_RULES);
6440         if (!nl_reg_rules)
6441                 goto nla_put_failure;
6442 
6443         for (i = 0; i < regdom->n_reg_rules; i++) {
6444                 struct nlattr *nl_reg_rule;
6445                 const struct ieee80211_reg_rule *reg_rule;
6446                 const struct ieee80211_freq_range *freq_range;
6447                 const struct ieee80211_power_rule *power_rule;
6448                 unsigned int max_bandwidth_khz;
6449 
6450                 reg_rule = &regdom->reg_rules[i];
6451                 freq_range = &reg_rule->freq_range;
6452                 power_rule = &reg_rule->power_rule;
6453 
6454                 nl_reg_rule = nla_nest_start(msg, i);
6455                 if (!nl_reg_rule)
6456                         goto nla_put_failure;
6457 
6458                 max_bandwidth_khz = freq_range->max_bandwidth_khz;
6459                 if (!max_bandwidth_khz)
6460                         max_bandwidth_khz = reg_get_max_bandwidth(regdom,
6461                                                                   reg_rule);
6462 
6463                 if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
6464                                 reg_rule->flags) ||
6465                     nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
6466                                 freq_range->start_freq_khz) ||
6467                     nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
6468                                 freq_range->end_freq_khz) ||
6469                     nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
6470                                 max_bandwidth_khz) ||
6471                     nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
6472                                 power_rule->max_antenna_gain) ||
6473                     nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
6474                                 power_rule->max_eirp) ||
6475                     nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
6476                                 reg_rule->dfs_cac_ms))
6477                         goto nla_put_failure;
6478 
6479                 nla_nest_end(msg, nl_reg_rule);
6480         }
6481 
6482         nla_nest_end(msg, nl_reg_rules);
6483         return 0;
6484 
6485 nla_put_failure:
6486         return -EMSGSIZE;
6487 }
6488 
6489 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
6490 {
6491         const struct ieee80211_regdomain *regdom = NULL;
6492         struct cfg80211_registered_device *rdev;
6493         struct wiphy *wiphy = NULL;
6494         struct sk_buff *msg;
6495         void *hdr;
6496 
6497         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6498         if (!msg)
6499                 return -ENOBUFS;
6500 
6501         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
6502                              NL80211_CMD_GET_REG);
6503         if (!hdr)
6504                 goto put_failure;
6505 
6506         if (info->attrs[NL80211_ATTR_WIPHY]) {
6507                 bool self_managed;
6508 
6509                 rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
6510                 if (IS_ERR(rdev)) {
6511                         nlmsg_free(msg);
6512                         return PTR_ERR(rdev);
6513                 }
6514 
6515                 wiphy = &rdev->wiphy;
6516                 self_managed = wiphy->regulatory_flags &
6517                                REGULATORY_WIPHY_SELF_MANAGED;
6518                 regdom = get_wiphy_regdom(wiphy);
6519 
6520                 /* a self-managed-reg device must have a private regdom */
6521                 if (WARN_ON(!regdom && self_managed)) {
6522                         nlmsg_free(msg);
6523                         return -EINVAL;
6524                 }
6525 
6526                 if (regdom &&
6527                     nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
6528                         goto nla_put_failure;
6529         }
6530 
6531         if (!wiphy && reg_last_request_cell_base() &&
6532             nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
6533                         NL80211_USER_REG_HINT_CELL_BASE))
6534                 goto nla_put_failure;
6535 
6536         rcu_read_lock();
6537 
6538         if (!regdom)
6539                 regdom = rcu_dereference(cfg80211_regdomain);
6540 
6541         if (nl80211_put_regdom(regdom, msg))
6542                 goto nla_put_failure_rcu;
6543 
6544         rcu_read_unlock();
6545 
6546         genlmsg_end(msg, hdr);
6547         return genlmsg_reply(msg, info);
6548 
6549 nla_put_failure_rcu:
6550         rcu_read_unlock();
6551 nla_put_failure:
6552 put_failure:
6553         nlmsg_free(msg);
6554         return -EMSGSIZE;
6555 }
6556 
6557 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
6558                                u32 seq, int flags, struct wiphy *wiphy,
6559                                const struct ieee80211_regdomain *regdom)
6560 {
6561         void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
6562                                    NL80211_CMD_GET_REG);
6563 
6564         if (!hdr)
6565                 return -1;
6566 
6567         genl_dump_check_consistent(cb, hdr);
6568 
6569         if (nl80211_put_regdom(regdom, msg))
6570                 goto nla_put_failure;
6571 
6572         if (!wiphy && reg_last_request_cell_base() &&
6573             nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
6574                         NL80211_USER_REG_HINT_CELL_BASE))
6575                 goto nla_put_failure;
6576 
6577         if (wiphy &&
6578             nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
6579                 goto nla_put_failure;
6580 
6581         if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
6582             nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
6583                 goto nla_put_failure;
6584 
6585         genlmsg_end(msg, hdr);
6586         return 0;
6587 
6588 nla_put_failure:
6589         genlmsg_cancel(msg, hdr);
6590         return -EMSGSIZE;
6591 }
6592 
6593 static int nl80211_get_reg_dump(struct sk_buff *skb,
6594                                 struct netlink_callback *cb)
6595 {
6596         const struct ieee80211_regdomain *regdom = NULL;
6597         struct cfg80211_registered_device *rdev;
6598         int err, reg_idx, start = cb->args[2];
6599 
6600         rtnl_lock();
6601 
6602         if (cfg80211_regdomain && start == 0) {
6603                 err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
6604                                           NLM_F_MULTI, NULL,
6605                                           rtnl_dereference(cfg80211_regdomain));
6606                 if (err < 0)
6607                         goto out_err;
6608         }
6609 
6610         /* the global regdom is idx 0 */
6611         reg_idx = 1;
6612         list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
6613                 regdom = get_wiphy_regdom(&rdev->wiphy);
6614                 if (!regdom)
6615                         continue;
6616 
6617                 if (++reg_idx <= start)
6618                         continue;
6619 
6620                 err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
6621                                           NLM_F_MULTI, &rdev->wiphy, regdom);
6622                 if (err < 0) {
6623                         reg_idx--;
6624                         break;
6625                 }
6626         }
6627 
6628         cb->args[2] = reg_idx;
6629         err = skb->len;
6630 out_err:
6631         rtnl_unlock();
6632         return err;
6633 }
6634 
6635 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
6636 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
6637         [NL80211_ATTR_REG_RULE_FLAGS]           = { .type = NLA_U32 },
6638         [NL80211_ATTR_FREQ_RANGE_START]         = { .type = NLA_U32 },
6639         [NL80211_ATTR_FREQ_RANGE_END]           = { .type = NLA_U32 },
6640         [NL80211_ATTR_FREQ_RANGE_MAX_BW]        = { .type = NLA_U32 },
6641         [NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]  = { .type = NLA_U32 },
6642         [NL80211_ATTR_POWER_RULE_MAX_EIRP]      = { .type = NLA_U32 },
6643         [NL80211_ATTR_DFS_CAC_TIME]             = { .type = NLA_U32 },
6644 };
6645 
6646 static int parse_reg_rule(struct nlattr *tb[],
6647         struct ieee80211_reg_rule *reg_rule)
6648 {
6649         struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
6650         struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
6651 
6652         if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
6653                 return -EINVAL;
6654         if (!tb[NL80211_ATTR_FREQ_RANGE_START])
6655                 return -EINVAL;
6656         if (!tb[NL80211_ATTR_FREQ_RANGE_END])
6657                 return -EINVAL;
6658         if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
6659                 return -EINVAL;
6660         if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
6661                 return -EINVAL;
6662 
6663         reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
6664 
6665         freq_range->start_freq_khz =
6666                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
6667         freq_range->end_freq_khz =
6668                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
6669         freq_range->max_bandwidth_khz =
6670                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
6671 
6672         power_rule->max_eirp =
6673                 nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
6674 
6675         if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
6676                 power_rule->max_antenna_gain =
6677                         nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
6678 
6679         if (tb[NL80211_ATTR_DFS_CAC_TIME])
6680                 reg_rule->dfs_cac_ms =
6681                         nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
6682 
6683         return 0;
6684 }
6685 
6686 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
6687 {
6688         struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
6689         struct nlattr *nl_reg_rule;
6690         char *alpha2;
6691         int rem_reg_rules, r;
6692         u32 num_rules = 0, rule_idx = 0, size_of_regd;
6693         enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
6694         struct ieee80211_regdomain *rd;
6695 
6696         if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
6697                 return -EINVAL;
6698 
6699         if (!info->attrs[NL80211_ATTR_REG_RULES])
6700                 return -EINVAL;
6701 
6702         alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
6703 
6704         if (info->attrs[NL80211_ATTR_DFS_REGION])
6705                 dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
6706 
6707         nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
6708                             rem_reg_rules) {
6709                 num_rules++;
6710                 if (num_rules > NL80211_MAX_SUPP_REG_RULES)
6711                         return -EINVAL;
6712         }
6713 
6714         if (!reg_is_valid_request(alpha2))
6715                 return -EINVAL;
6716 
6717         size_of_regd = sizeof(struct ieee80211_regdomain) +
6718                        num_rules * sizeof(struct ieee80211_reg_rule);
6719 
6720         rd = kzalloc(size_of_regd, GFP_KERNEL);
6721         if (!rd)
6722                 return -ENOMEM;
6723 
6724         rd->n_reg_rules = num_rules;
6725         rd->alpha2[0] = alpha2[0];
6726         rd->alpha2[1] = alpha2[1];
6727 
6728         /*
6729          * Disable DFS master mode if the DFS region was
6730          * not supported or known on this kernel.
6731          */
6732         if (reg_supported_dfs_region(dfs_region))
6733                 rd->dfs_region = dfs_region;
6734 
6735         nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
6736                             rem_reg_rules) {
6737                 r = nla_parse_nested(tb, NL80211_REG_RULE_ATTR_MAX,
6738                                      nl_reg_rule, reg_rule_policy,
6739                                      info->extack);
6740                 if (r)
6741                         goto bad_reg;
6742                 r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
6743                 if (r)
6744                         goto bad_reg;
6745 
6746                 rule_idx++;
6747 
6748                 if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
6749                         r = -EINVAL;
6750                         goto bad_reg;
6751                 }
6752         }
6753 
6754         /* set_regdom takes ownership of rd */
6755         return set_regdom(rd, REGD_SOURCE_CRDA);
6756  bad_reg:
6757         kfree(rd);
6758         return r;
6759 }
6760 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
6761 
6762 static int validate_scan_freqs(struct nlattr *freqs)
6763 {
6764         struct nlattr *attr1, *attr2;
6765         int n_channels = 0, tmp1, tmp2;
6766 
6767         nla_for_each_nested(attr1, freqs, tmp1)
6768                 if (nla_len(attr1) != sizeof(u32))
6769                         return 0;
6770 
6771         nla_for_each_nested(attr1, freqs, tmp1) {
6772                 n_channels++;
6773                 /*
6774                  * Some hardware has a limited channel list for
6775                  * scanning, and it is pretty much nonsensical
6776                  * to scan for a channel twice, so disallow that
6777                  * and don't require drivers to check that the
6778                  * channel list they get isn't longer than what
6779                  * they can scan, as long as they can scan all
6780                  * the channels they registered at once.
6781                  */
6782                 nla_for_each_nested(attr2, freqs, tmp2)
6783                         if (attr1 != attr2 &&
6784                             nla_get_u32(attr1) == nla_get_u32(attr2))
6785                                 return 0;
6786         }
6787 
6788         return n_channels;
6789 }
6790 
6791 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
6792 {
6793         return b < NUM_NL80211_BANDS && wiphy->bands[b];
6794 }
6795 
6796 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
6797                             struct cfg80211_bss_selection *bss_select)
6798 {
6799         struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
6800         struct nlattr *nest;
6801         int err;
6802         bool found = false;
6803         int i;
6804 
6805         /* only process one nested attribute */
6806         nest = nla_data(nla);
6807         if (!nla_ok(nest, nla_len(nest)))
6808                 return -EINVAL;
6809 
6810         err = nla_parse_nested(attr, NL80211_BSS_SELECT_ATTR_MAX, nest,
6811                                nl80211_bss_select_policy, NULL);
6812         if (err)
6813                 return err;
6814 
6815         /* only one attribute may be given */
6816         for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
6817                 if (attr[i]) {
6818                         if (found)
6819                                 return -EINVAL;
6820                         found = true;
6821                 }
6822         }
6823 
6824         bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
6825 
6826         if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
6827                 bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
6828 
6829         if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
6830                 bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
6831                 bss_select->param.band_pref =
6832                         nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
6833                 if (!is_band_valid(wiphy, bss_select->param.band_pref))
6834                         return -EINVAL;
6835         }
6836 
6837         if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
6838                 struct nl80211_bss_select_rssi_adjust *adj_param;
6839 
6840                 adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
6841                 bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
6842                 bss_select->param.adjust.band = adj_param->band;
6843                 bss_select->param.adjust.delta = adj_param->delta;
6844                 if (!is_band_valid(wiphy, bss_select->param.adjust.band))
6845                         return -EINVAL;
6846         }
6847 
6848         /* user-space did not provide behaviour attribute */
6849         if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
6850                 return -EINVAL;
6851 
6852         if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
6853                 return -EINVAL;
6854 
6855         return 0;
6856 }
6857 
6858 static int nl80211_parse_random_mac(struct nlattr **attrs,
6859                                     u8 *mac_addr, u8 *mac_addr_mask)
6860 {
6861         int i;
6862 
6863         if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
6864                 eth_zero_addr(mac_addr);
6865                 eth_zero_addr(mac_addr_mask);
6866                 mac_addr[0] = 0x2;
6867                 mac_addr_mask[0] = 0x3;
6868 
6869                 return 0;
6870         }
6871 
6872         /* need both or none */
6873         if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
6874                 return -EINVAL;
6875 
6876         memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
6877         memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
6878 
6879         /* don't allow or configure an mcast address */
6880         if (!is_multicast_ether_addr(mac_addr_mask) ||
6881             is_multicast_ether_addr(mac_addr))
6882                 return -EINVAL;
6883 
6884         /*
6885          * allow users to pass a MAC address that has bits set outside
6886          * of the mask, but don't bother drivers with having to deal
6887          * with such bits
6888          */
6889         for (i = 0; i < ETH_ALEN; i++)
6890                 mac_addr[i] &= mac_addr_mask[i];
6891 
6892         return 0;
6893 }
6894 
6895 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev)
6896 {
6897         ASSERT_WDEV_LOCK(wdev);
6898 
6899         if (!cfg80211_beaconing_iface_active(wdev))
6900                 return true;
6901 
6902         if (!(wdev->chandef.chan->flags & IEEE80211_CHAN_RADAR))
6903                 return true;
6904 
6905         return regulatory_pre_cac_allowed(wdev->wiphy);
6906 }
6907 
6908 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
6909                                     enum nl80211_ext_feature_index feat)
6910 {
6911         if (!(flags & flag))
6912                 return true;
6913         if (wiphy_ext_feature_isset(wiphy, feat))
6914                 return true;
6915         return false;
6916 }
6917 
6918 static int
6919 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
6920                          void *request, struct nlattr **attrs,
6921                          bool is_sched_scan)
6922 {
6923         u8 *mac_addr, *mac_addr_mask;
6924         u32 *flags;
6925         enum nl80211_feature_flags randomness_flag;
6926 
6927         if (!attrs[NL80211_ATTR_SCAN_FLAGS])
6928                 return 0;
6929 
6930         if (is_sched_scan) {
6931                 struct cfg80211_sched_scan_request *req = request;
6932 
6933                 randomness_flag = wdev ?
6934                                   NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
6935                                   NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
6936                 flags = &req->flags;
6937                 mac_addr = req->mac_addr;
6938                 mac_addr_mask = req->mac_addr_mask;
6939         } else {
6940                 struct cfg80211_scan_request *req = request;
6941 
6942                 randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
6943                 flags = &req->flags;
6944                 mac_addr = req->mac_addr;
6945                 mac_addr_mask = req->mac_addr_mask;
6946         }
6947 
6948         *flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
6949 
6950         if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
6951              !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
6952             !nl80211_check_scan_feat(wiphy, *flags,
6953                                      NL80211_SCAN_FLAG_LOW_SPAN,
6954                                      NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
6955             !nl80211_check_scan_feat(wiphy, *flags,
6956                                      NL80211_SCAN_FLAG_LOW_POWER,
6957                                      NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
6958             !nl80211_check_scan_feat(wiphy, *flags,
6959                                      NL80211_SCAN_FLAG_HIGH_ACCURACY,
6960                                      NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
6961             !nl80211_check_scan_feat(wiphy, *flags,
6962                                      NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
6963                                      NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
6964             !nl80211_check_scan_feat(wiphy, *flags,
6965                                      NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
6966                                      NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
6967             !nl80211_check_scan_feat(wiphy, *flags,
6968                                      NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
6969                                      NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
6970             !nl80211_check_scan_feat(wiphy, *flags,
6971                                      NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
6972                                      NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
6973             !nl80211_check_scan_feat(wiphy, *flags,
6974                                      NL80211_SCAN_FLAG_RANDOM_SN,
6975                                      NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
6976             !nl80211_check_scan_feat(wiphy, *flags,
6977                                      NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
6978                                      NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
6979                 return -EOPNOTSUPP;
6980 
6981         if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
6982                 int err;
6983 
6984                 if (!(wiphy->features & randomness_flag) ||
6985                     (wdev && wdev->current_bss))
6986                         return -EOPNOTSUPP;
6987 
6988                 err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
6989                 if (err)
6990                         return err;
6991         }
6992 
6993         return 0;
6994 }
6995 
6996 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
6997 {
6998         struct cfg80211_registered_device *rdev = info->user_ptr[0];
6999         struct wireless_dev *wdev = info->user_ptr[1];
7000         struct cfg80211_scan_request *request;
7001         struct nlattr *attr;
7002         struct wiphy *wiphy;
7003         int err, tmp, n_ssids = 0, n_channels, i;
7004         size_t ie_len;
7005 
7006         wiphy = &rdev->wiphy;
7007 
7008         if (wdev->iftype == NL80211_IFTYPE_NAN)
7009                 return -EOPNOTSUPP;
7010 
7011         if (!rdev->ops->scan)
7012                 return -EOPNOTSUPP;
7013 
7014         if (rdev->scan_req || rdev->scan_msg) {
7015                 err = -EBUSY;
7016                 goto unlock;
7017         }
7018 
7019         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7020                 n_channels = validate_scan_freqs(
7021                                 info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
7022                 if (!n_channels) {
7023                         err = -EINVAL;
7024                         goto unlock;
7025                 }
7026         } else {
7027                 n_channels = ieee80211_get_num_supported_channels(wiphy);
7028         }
7029 
7030         if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
7031                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
7032                         n_ssids++;
7033 
7034         if (n_ssids > wiphy->max_scan_ssids) {
7035                 err = -EINVAL;
7036                 goto unlock;
7037         }
7038 
7039         if (info->attrs[NL80211_ATTR_IE])
7040                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7041         else
7042                 ie_len = 0;
7043 
7044         if (ie_len > wiphy->max_scan_ie_len) {
7045                 err = -EINVAL;
7046                 goto unlock;
7047         }
7048 
7049         request = kzalloc(sizeof(*request)
7050                         + sizeof(*request->ssids) * n_ssids
7051                         + sizeof(*request->channels) * n_channels
7052                         + ie_len, GFP_KERNEL);
7053         if (!request) {
7054                 err = -ENOMEM;
7055                 goto unlock;
7056         }
7057 
7058         if (n_ssids)
7059                 request->ssids = (void *)&request->channels[n_channels];
7060         request->n_ssids = n_ssids;
7061         if (ie_len) {
7062                 if (n_ssids)
7063                         request->ie = (void *)(request->ssids + n_ssids);
7064                 else
7065                         request->ie = (void *)(request->channels + n_channels);
7066         }
7067 
7068         i = 0;
7069         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7070                 /* user specified, bail out if channel not found */
7071                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
7072                         struct ieee80211_channel *chan;
7073 
7074                         chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
7075 
7076                         if (!chan) {
7077                                 err = -EINVAL;
7078                                 goto out_free;
7079                         }
7080 
7081                         /* ignore disabled channels */
7082                         if (chan->flags & IEEE80211_CHAN_DISABLED)
7083                                 continue;
7084 
7085                         request->channels[i] = chan;
7086                         i++;
7087                 }
7088         } else {
7089                 enum nl80211_band band;
7090 
7091                 /* all channels */
7092                 for (band = 0; band < NUM_NL80211_BANDS; band++) {
7093                         int j;
7094 
7095                         if (!wiphy->bands[band])
7096                                 continue;
7097                         for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
7098                                 struct ieee80211_channel *chan;
7099 
7100                                 chan = &wiphy->bands[band]->channels[j];
7101 
7102                                 if (chan->flags & IEEE80211_CHAN_DISABLED)
7103                                         continue;
7104 
7105                                 request->channels[i] = chan;
7106                                 i++;
7107                         }
7108                 }
7109         }
7110 
7111         if (!i) {
7112                 err = -EINVAL;
7113                 goto out_free;
7114         }
7115 
7116         request->n_channels = i;
7117 
7118         wdev_lock(wdev);
7119         if (!cfg80211_off_channel_oper_allowed(wdev)) {
7120                 struct ieee80211_channel *chan;
7121 
7122                 if (request->n_channels != 1) {
7123                         wdev_unlock(wdev);
7124                         err = -EBUSY;
7125                         goto out_free;
7126                 }
7127 
7128                 chan = request->channels[0];
7129                 if (chan->center_freq != wdev->chandef.chan->center_freq) {
7130                         wdev_unlock(wdev);
7131                         err = -EBUSY;
7132                         goto out_free;
7133                 }
7134         }
7135         wdev_unlock(wdev);
7136 
7137         i = 0;
7138         if (n_ssids) {
7139                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
7140                         if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
7141                                 err = -EINVAL;
7142                                 goto out_free;
7143                         }
7144                         request->ssids[i].ssid_len = nla_len(attr);
7145                         memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
7146                         i++;
7147                 }
7148         }
7149 
7150         if (info->attrs[NL80211_ATTR_IE]) {
7151                 request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7152                 memcpy((void *)request->ie,
7153                        nla_data(info->attrs[NL80211_ATTR_IE]),
7154                        request->ie_len);
7155         }
7156 
7157         for (i = 0; i < NUM_NL80211_BANDS; i++)
7158                 if (wiphy->bands[i])
7159                         request->rates[i] =
7160                                 (1 << wiphy->bands[i]->n_bitrates) - 1;
7161 
7162         if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
7163                 nla_for_each_nested(attr,
7164                                     info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
7165                                     tmp) {
7166                         enum nl80211_band band = nla_type(attr);
7167 
7168                         if (band < 0 || band >= NUM_NL80211_BANDS) {
7169                                 err = -EINVAL;
7170                                 goto out_free;
7171                         }
7172 
7173                         if (!wiphy->bands[band])
7174                                 continue;
7175 
7176                         err = ieee80211_get_ratemask(wiphy->bands[band],
7177                                                      nla_data(attr),
7178                                                      nla_len(attr),
7179                                                      &request->rates[band]);
7180                         if (err)
7181                                 goto out_free;
7182                 }
7183         }
7184 
7185         if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
7186                 if (!wiphy_ext_feature_isset(wiphy,
7187                                         NL80211_EXT_FEATURE_SET_SCAN_DWELL)) {
7188                         err = -EOPNOTSUPP;
7189                         goto out_free;
7190                 }
7191 
7192                 request->duration =
7193                         nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
7194                 request->duration_mandatory =
7195                         nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
7196         }
7197 
7198         err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
7199                                        false);
7200         if (err)
7201                 goto out_free;
7202 
7203         request->no_cck =
7204                 nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
7205 
7206         /* Initial implementation used NL80211_ATTR_MAC to set the specific
7207          * BSSID to scan for. This was problematic because that same attribute
7208          * was already used for another purpose (local random MAC address). The
7209          * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
7210          * compatibility with older userspace components, also use the
7211          * NL80211_ATTR_MAC value here if it can be determined to be used for
7212          * the specific BSSID use case instead of the random MAC address
7213          * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
7214          */
7215         if (info->attrs[NL80211_ATTR_BSSID])
7216                 memcpy(request->bssid,
7217                        nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
7218         else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
7219                  info->attrs[NL80211_ATTR_MAC])
7220                 memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
7221                        ETH_ALEN);
7222         else
7223                 eth_broadcast_addr(request->bssid);
7224 
7225         request->wdev = wdev;
7226         request->wiphy = &rdev->wiphy;
7227         request->scan_start = jiffies;
7228 
7229         rdev->scan_req = request;
7230         err = rdev_scan(rdev, request);
7231 
7232         if (!err) {
7233                 nl80211_send_scan_start(rdev, wdev);
7234                 if (wdev->netdev)
7235                         dev_hold(wdev->netdev);
7236         } else {
7237  out_free:
7238                 rdev->scan_req = NULL;
7239                 kfree(request);
7240         }
7241 
7242  unlock:
7243         return err;
7244 }
7245 
7246 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
7247 {
7248         struct cfg80211_registered_device *rdev = info->user_ptr[0];
7249         struct wireless_dev *wdev = info->user_ptr[1];
7250 
7251         if (!rdev->ops->abort_scan)
7252                 return -EOPNOTSUPP;
7253 
7254         if (rdev->scan_msg)
7255                 return 0;
7256 
7257         if (!rdev->scan_req)
7258                 return -ENOENT;
7259 
7260         rdev_abort_scan(rdev, wdev);
7261         return 0;
7262 }
7263 
7264 static int
7265 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
7266                                struct cfg80211_sched_scan_request *request,
7267                                struct nlattr **attrs)
7268 {
7269         int tmp, err, i = 0;
7270         struct nlattr *attr;
7271 
7272         if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
7273                 u32 interval;
7274 
7275                 /*
7276                  * If scan plans are not specified,
7277                  * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
7278                  * case one scan plan will be set with the specified scan
7279                  * interval and infinite number of iterations.
7280                  */
7281                 interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
7282                 if (!interval)
7283                         return -EINVAL;
7284 
7285                 request->scan_plans[0].interval =
7286                         DIV_ROUND_UP(interval, MSEC_PER_SEC);
7287                 if (!request->scan_plans[0].interval)
7288                         return -EINVAL;
7289 
7290                 if (request->scan_plans[0].interval >
7291                     wiphy->max_sched_scan_plan_interval)
7292                         request->scan_plans[0].interval =
7293                                 wiphy->max_sched_scan_plan_interval;
7294 
7295                 return 0;
7296         }
7297 
7298         nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
7299                 struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
7300 
7301                 if (WARN_ON(i >= n_plans))
7302                         return -EINVAL;
7303 
7304                 err = nla_parse_nested(plan, NL80211_SCHED_SCAN_PLAN_MAX,
7305                                        attr, nl80211_plan_policy, NULL);
7306                 if (err)
7307                         return err;
7308 
7309                 if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
7310                         return -EINVAL;
7311 
7312                 request->scan_plans[i].interval =
7313                         nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
7314                 if (!request->scan_plans[i].interval ||
7315                     request->scan_plans[i].interval >
7316                     wiphy->max_sched_scan_plan_interval)
7317                         return -EINVAL;
7318 
7319                 if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
7320                         request->scan_plans[i].iterations =
7321                                 nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
7322                         if (!request->scan_plans[i].iterations ||
7323                             (request->scan_plans[i].iterations >
7324                              wiphy->max_sched_scan_plan_iterations))
7325                                 return -EINVAL;
7326                 } else if (i < n_plans - 1) {
7327                         /*
7328                          * All scan plans but the last one must specify
7329                          * a finite number of iterations
7330                          */
7331                         return -EINVAL;
7332                 }
7333 
7334                 i++;
7335         }
7336 
7337         /*
7338          * The last scan plan must not specify the number of
7339          * iterations, it is supposed to run infinitely
7340          */
7341         if (request->scan_plans[n_plans - 1].iterations)
7342                 return  -EINVAL;
7343 
7344         return 0;
7345 }
7346 
7347 static struct cfg80211_sched_scan_request *
7348 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
7349                          struct nlattr **attrs, int max_match_sets)
7350 {
7351         struct cfg80211_sched_scan_request *request;
7352         struct nlattr *attr;
7353         int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
7354         enum nl80211_band band;
7355         size_t ie_len;
7356         struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
7357         s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
7358 
7359         if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7360                 n_channels = validate_scan_freqs(
7361                                 attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
7362                 if (!n_channels)
7363                         return ERR_PTR(-EINVAL);
7364         } else {
7365                 n_channels = ieee80211_get_num_supported_channels(wiphy);
7366         }
7367 
7368         if (attrs[NL80211_ATTR_SCAN_SSIDS])
7369                 nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
7370                                     tmp)
7371                         n_ssids++;
7372 
7373         if (n_ssids > wiphy->max_sched_scan_ssids)
7374                 return ERR_PTR(-EINVAL);
7375 
7376         /*
7377          * First, count the number of 'real' matchsets. Due to an issue with
7378          * the old implementation, matchsets containing only the RSSI attribute
7379          * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
7380          * RSSI for all matchsets, rather than their own matchset for reporting
7381          * all APs with a strong RSSI. This is needed to be compatible with
7382          * older userspace that treated a matchset with only the RSSI as the
7383          * global RSSI for all other matchsets - if there are other matchsets.
7384          */
7385         if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
7386                 nla_for_each_nested(attr,
7387                                     attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
7388                                     tmp) {
7389                         struct nlattr *rssi;
7390 
7391                         err = nla_parse_nested(tb,
7392                                                NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
7393                                                attr, nl80211_match_policy,
7394                                                NULL);
7395                         if (err)
7396                                 return ERR_PTR(err);
7397 
7398                         /* SSID and BSSID are mutually exclusive */
7399                         if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
7400                             tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
7401                                 return ERR_PTR(-EINVAL);
7402 
7403                         /* add other standalone attributes here */
7404                         if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
7405                             tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
7406                                 n_match_sets++;
7407                                 continue;
7408                         }
7409                         rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
7410                         if (rssi)
7411                                 default_match_rssi = nla_get_s32(rssi);
7412                 }
7413         }
7414 
7415         /* However, if there's no other matchset, add the RSSI one */
7416         if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
7417                 n_match_sets = 1;
7418 
7419         if (n_match_sets > max_match_sets)
7420                 return ERR_PTR(-EINVAL);
7421 
7422         if (attrs[NL80211_ATTR_IE])
7423                 ie_len = nla_len(attrs[NL80211_ATTR_IE]);
7424         else
7425                 ie_len = 0;
7426 
7427         if (ie_len > wiphy->max_sched_scan_ie_len)
7428                 return ERR_PTR(-EINVAL);
7429 
7430         if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
7431                 /*
7432                  * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
7433                  * each scan plan already specifies its own interval
7434                  */
7435                 if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
7436                         return ERR_PTR(-EINVAL);
7437 
7438                 nla_for_each_nested(attr,
7439                                     attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
7440                         n_plans++;
7441         } else {
7442                 /*
7443                  * The scan interval attribute is kept for backward
7444                  * compatibility. If no scan plans are specified and sched scan
7445                  * interval is specified, one scan plan will be set with this
7446                  * scan interval and infinite number of iterations.
7447                  */
7448                 if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
7449                         return ERR_PTR(-EINVAL);
7450 
7451                 n_plans = 1;
7452         }
7453 
7454         if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
7455                 return ERR_PTR(-EINVAL);
7456 
7457         if (!wiphy_ext_feature_isset(
7458                     wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
7459             (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
7460              attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
7461                 return ERR_PTR(-EINVAL);
7462 
7463         request = kzalloc(sizeof(*request)
7464                         + sizeof(*request->ssids) * n_ssids
7465                         + sizeof(*request->match_sets) * n_match_sets
7466                         + sizeof(*request->scan_plans) * n_plans
7467                         + sizeof(*request->channels) * n_channels
7468                         + ie_len, GFP_KERNEL);
7469         if (!request)
7470                 return ERR_PTR(-ENOMEM);
7471 
7472         if (n_ssids)
7473                 request->ssids = (void *)&request->channels[n_channels];
7474         request->n_ssids = n_ssids;
7475         if (ie_len) {
7476                 if (n_ssids)
7477                         request->ie = (void *)(request->ssids + n_ssids);
7478                 else
7479                         request->ie = (void *)(request->channels + n_channels);
7480         }
7481 
7482         if (n_match_sets) {
7483                 if (request->ie)
7484                         request->match_sets = (void *)(request->ie + ie_len);
7485                 else if (n_ssids)
7486                         request->match_sets =
7487                                 (void *)(request->ssids + n_ssids);
7488                 else
7489                         request->match_sets =
7490                                 (void *)(request->channels + n_channels);
7491         }
7492         request->n_match_sets = n_match_sets;
7493 
7494         if (n_match_sets)
7495                 request->scan_plans = (void *)(request->match_sets +
7496                                                n_match_sets);
7497         else if (request->ie)
7498                 request->scan_plans = (void *)(request->ie + ie_len);
7499         else if (n_ssids)
7500                 request->scan_plans = (void *)(request->ssids + n_ssids);
7501         else
7502                 request->scan_plans = (void *)(request->channels + n_channels);
7503 
7504         request->n_scan_plans = n_plans;
7505 
7506         i = 0;
7507         if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7508                 /* user specified, bail out if channel not found */
7509                 nla_for_each_nested(attr,
7510                                     attrs[NL80211_ATTR_SCAN_FREQUENCIES],
7511                                     tmp) {
7512                         struct ieee80211_channel *chan;
7513 
7514                         chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
7515 
7516                         if (!chan) {
7517                                 err = -EINVAL;
7518                                 goto out_free;
7519                         }
7520 
7521                         /* ignore disabled channels */
7522                         if (chan->flags & IEEE80211_CHAN_DISABLED)
7523                                 continue;
7524 
7525                         request->channels[i] = chan;
7526                         i++;
7527                 }
7528         } else {
7529                 /* all channels */
7530                 for (band = 0; band < NUM_NL80211_BANDS; band++) {
7531                         int j;
7532 
7533                         if (!wiphy->bands[band])
7534                                 continue;
7535                         for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
7536                                 struct ieee80211_channel *chan;
7537 
7538                                 chan = &wiphy->bands[band]->channels[j];
7539 
7540                                 if (chan->flags & IEEE80211_CHAN_DISABLED)
7541                                         continue;
7542 
7543                                 request->channels[i] = chan;
7544                                 i++;
7545                         }
7546                 }
7547         }
7548 
7549         if (!i) {
7550                 err = -EINVAL;
7551                 goto out_free;
7552         }