~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/wireless/nl80211.c

Version: ~ [ linux-5.8 ] ~ [ linux-5.7.12 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.55 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.136 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.191 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.232 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.232 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.85 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 // SPDX-License-Identifier: GPL-2.0-only
  2 /*
  3  * This is the new netlink-based wireless configuration interface.
  4  *
  5  * Copyright 2006-2010  Johannes Berg <johannes@sipsolutions.net>
  6  * Copyright 2013-2014  Intel Mobile Communications GmbH
  7  * Copyright 2015-2017  Intel Deutschland GmbH
  8  * Copyright (C) 2018-2019 Intel Corporation
  9  */
 10 
 11 #include <linux/if.h>
 12 #include <linux/module.h>
 13 #include <linux/err.h>
 14 #include <linux/slab.h>
 15 #include <linux/list.h>
 16 #include <linux/if_ether.h>
 17 #include <linux/ieee80211.h>
 18 #include <linux/nl80211.h>
 19 #include <linux/rtnetlink.h>
 20 #include <linux/netlink.h>
 21 #include <linux/nospec.h>
 22 #include <linux/etherdevice.h>
 23 #include <net/net_namespace.h>
 24 #include <net/genetlink.h>
 25 #include <net/cfg80211.h>
 26 #include <net/sock.h>
 27 #include <net/inet_connection_sock.h>
 28 #include "core.h"
 29 #include "nl80211.h"
 30 #include "reg.h"
 31 #include "rdev-ops.h"
 32 
 33 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
 34                                    struct genl_info *info,
 35                                    struct cfg80211_crypto_settings *settings,
 36                                    int cipher_limit);
 37 
 38 /* the netlink family */
 39 static struct genl_family nl80211_fam;
 40 
 41 /* multicast groups */
 42 enum nl80211_multicast_groups {
 43         NL80211_MCGRP_CONFIG,
 44         NL80211_MCGRP_SCAN,
 45         NL80211_MCGRP_REGULATORY,
 46         NL80211_MCGRP_MLME,
 47         NL80211_MCGRP_VENDOR,
 48         NL80211_MCGRP_NAN,
 49         NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
 50 };
 51 
 52 static const struct genl_multicast_group nl80211_mcgrps[] = {
 53         [NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
 54         [NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
 55         [NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
 56         [NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
 57         [NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
 58         [NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
 59 #ifdef CONFIG_NL80211_TESTMODE
 60         [NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
 61 #endif
 62 };
 63 
 64 /* returns ERR_PTR values */
 65 static struct wireless_dev *
 66 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
 67 {
 68         struct cfg80211_registered_device *rdev;
 69         struct wireless_dev *result = NULL;
 70         bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
 71         bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
 72         u64 wdev_id;
 73         int wiphy_idx = -1;
 74         int ifidx = -1;
 75 
 76         ASSERT_RTNL();
 77 
 78         if (!have_ifidx && !have_wdev_id)
 79                 return ERR_PTR(-EINVAL);
 80 
 81         if (have_ifidx)
 82                 ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
 83         if (have_wdev_id) {
 84                 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
 85                 wiphy_idx = wdev_id >> 32;
 86         }
 87 
 88         list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
 89                 struct wireless_dev *wdev;
 90 
 91                 if (wiphy_net(&rdev->wiphy) != netns)
 92                         continue;
 93 
 94                 if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
 95                         continue;
 96 
 97                 list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
 98                         if (have_ifidx && wdev->netdev &&
 99                             wdev->netdev->ifindex == ifidx) {
100                                 result = wdev;
101                                 break;
102                         }
103                         if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
104                                 result = wdev;
105                                 break;
106                         }
107                 }
108 
109                 if (result)
110                         break;
111         }
112 
113         if (result)
114                 return result;
115         return ERR_PTR(-ENODEV);
116 }
117 
118 static struct cfg80211_registered_device *
119 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
120 {
121         struct cfg80211_registered_device *rdev = NULL, *tmp;
122         struct net_device *netdev;
123 
124         ASSERT_RTNL();
125 
126         if (!attrs[NL80211_ATTR_WIPHY] &&
127             !attrs[NL80211_ATTR_IFINDEX] &&
128             !attrs[NL80211_ATTR_WDEV])
129                 return ERR_PTR(-EINVAL);
130 
131         if (attrs[NL80211_ATTR_WIPHY])
132                 rdev = cfg80211_rdev_by_wiphy_idx(
133                                 nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
134 
135         if (attrs[NL80211_ATTR_WDEV]) {
136                 u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
137                 struct wireless_dev *wdev;
138                 bool found = false;
139 
140                 tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
141                 if (tmp) {
142                         /* make sure wdev exists */
143                         list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
144                                 if (wdev->identifier != (u32)wdev_id)
145                                         continue;
146                                 found = true;
147                                 break;
148                         }
149 
150                         if (!found)
151                                 tmp = NULL;
152 
153                         if (rdev && tmp != rdev)
154                                 return ERR_PTR(-EINVAL);
155                         rdev = tmp;
156                 }
157         }
158 
159         if (attrs[NL80211_ATTR_IFINDEX]) {
160                 int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
161 
162                 netdev = __dev_get_by_index(netns, ifindex);
163                 if (netdev) {
164                         if (netdev->ieee80211_ptr)
165                                 tmp = wiphy_to_rdev(
166                                         netdev->ieee80211_ptr->wiphy);
167                         else
168                                 tmp = NULL;
169 
170                         /* not wireless device -- return error */
171                         if (!tmp)
172                                 return ERR_PTR(-EINVAL);
173 
174                         /* mismatch -- return error */
175                         if (rdev && tmp != rdev)
176                                 return ERR_PTR(-EINVAL);
177 
178                         rdev = tmp;
179                 }
180         }
181 
182         if (!rdev)
183                 return ERR_PTR(-ENODEV);
184 
185         if (netns != wiphy_net(&rdev->wiphy))
186                 return ERR_PTR(-ENODEV);
187 
188         return rdev;
189 }
190 
191 /*
192  * This function returns a pointer to the driver
193  * that the genl_info item that is passed refers to.
194  *
195  * The result of this can be a PTR_ERR and hence must
196  * be checked with IS_ERR() for errors.
197  */
198 static struct cfg80211_registered_device *
199 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
200 {
201         return __cfg80211_rdev_from_attrs(netns, info->attrs);
202 }
203 
204 static int validate_ie_attr(const struct nlattr *attr,
205                             struct netlink_ext_ack *extack)
206 {
207         const u8 *data = nla_data(attr);
208         unsigned int len = nla_len(attr);
209         const struct element *elem;
210 
211         for_each_element(elem, data, len) {
212                 /* nothing */
213         }
214 
215         if (for_each_element_completed(elem, data, len))
216                 return 0;
217 
218         NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
219         return -EINVAL;
220 }
221 
222 /* policy for the attributes */
223 static const struct nla_policy
224 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
225         [NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
226         [NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
227                                         .len = U8_MAX },
228         [NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
229                                              .len = U8_MAX },
230 };
231 
232 static const struct nla_policy
233 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
234         [NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
235         [NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
236         [NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
237                 NLA_POLICY_MAX(NLA_U8, 15),
238         [NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
239         [NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
240                 NLA_POLICY_MAX(NLA_U8, 15),
241         [NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
242                 NLA_POLICY_MAX(NLA_U8, 31),
243         [NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
244         [NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
245         [NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
246 };
247 
248 static const struct nla_policy
249 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
250         [NL80211_PMSR_TYPE_FTM] =
251                 NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
252 };
253 
254 static const struct nla_policy
255 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
256         [NL80211_PMSR_REQ_ATTR_DATA] =
257                 NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
258         [NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
259 };
260 
261 static const struct nla_policy
262 nl80211_psmr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
263         [NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
264         /*
265          * we could specify this again to be the top-level policy,
266          * but that would open us up to recursion problems ...
267          */
268         [NL80211_PMSR_PEER_ATTR_CHAN] = { .type = NLA_NESTED },
269         [NL80211_PMSR_PEER_ATTR_REQ] =
270                 NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
271         [NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
272 };
273 
274 static const struct nla_policy
275 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
276         [NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
277         [NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
278         [NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
279         [NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
280         [NL80211_PMSR_ATTR_PEERS] =
281                 NLA_POLICY_NESTED_ARRAY(nl80211_psmr_peer_attr_policy),
282 };
283 
284 const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
285         [NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
286         [NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
287                                       .len = 20-1 },
288         [NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
289 
290         [NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
291         [NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
292         [NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
293         [NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
294         [NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
295 
296         [NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
297         [NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
298         [NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
299         [NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
300         [NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
301         [NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
302 
303         [NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
304         [NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
305         [NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
306 
307         [NL80211_ATTR_MAC] = { .type = NLA_EXACT_LEN_WARN, .len = ETH_ALEN },
308         [NL80211_ATTR_PREV_BSSID] = {
309                 .type = NLA_EXACT_LEN_WARN,
310                 .len = ETH_ALEN
311         },
312 
313         [NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
314         [NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
315                                     .len = WLAN_MAX_KEY_LEN },
316         [NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 5),
317         [NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
318         [NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
319         [NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
320         [NL80211_ATTR_KEY_TYPE] =
321                 NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
322 
323         [NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
324         [NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
325         [NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
326                                        .len = IEEE80211_MAX_DATA_LEN },
327         [NL80211_ATTR_BEACON_TAIL] =
328                 NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
329                                        IEEE80211_MAX_DATA_LEN),
330         [NL80211_ATTR_STA_AID] =
331                 NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
332         [NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
333         [NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
334         [NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
335                                                .len = NL80211_MAX_SUPP_RATES },
336         [NL80211_ATTR_STA_PLINK_ACTION] =
337                 NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
338         [NL80211_ATTR_STA_TX_POWER_SETTING] =
339                 NLA_POLICY_RANGE(NLA_U8,
340                                  NL80211_TX_POWER_AUTOMATIC,
341                                  NL80211_TX_POWER_FIXED),
342         [NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
343         [NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
344         [NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
345         [NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
346                                    .len = IEEE80211_MAX_MESH_ID_LEN },
347         [NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
348 
349         [NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
350         [NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
351 
352         [NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
353         [NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
354         [NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
355         [NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
356                                            .len = NL80211_MAX_SUPP_RATES },
357         [NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
358 
359         [NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
360         [NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
361 
362         [NL80211_ATTR_HT_CAPABILITY] = {
363                 .type = NLA_EXACT_LEN_WARN,
364                 .len = NL80211_HT_CAPABILITY_LEN
365         },
366 
367         [NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
368         [NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
369                                                    validate_ie_attr,
370                                                    IEEE80211_MAX_DATA_LEN),
371         [NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
372         [NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
373 
374         [NL80211_ATTR_SSID] = { .type = NLA_BINARY,
375                                 .len = IEEE80211_MAX_SSID_LEN },
376         [NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
377         [NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
378         [NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
379         [NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
380         [NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
381                                                   NL80211_MFP_NO,
382                                                   NL80211_MFP_OPTIONAL),
383         [NL80211_ATTR_STA_FLAGS2] = {
384                 .len = sizeof(struct nl80211_sta_flag_update),
385         },
386         [NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
387         [NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
388         [NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
389         [NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
390         [NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
391         [NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
392         [NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
393         [NL80211_ATTR_PID] = { .type = NLA_U32 },
394         [NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
395         [NL80211_ATTR_PMKID] = {
396                 .type = NLA_EXACT_LEN_WARN,
397                 .len = WLAN_PMKID_LEN
398         },
399         [NL80211_ATTR_DURATION] = { .type = NLA_U32 },
400         [NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
401         [NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
402         [NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
403                                  .len = IEEE80211_MAX_DATA_LEN },
404         [NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
405         [NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
406                                                    NL80211_PS_DISABLED,
407                                                    NL80211_PS_ENABLED),
408         [NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
409         [NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
410         [NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
411         [NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
412         [NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
413         [NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
414         [NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
415         [NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
416         [NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
417         [NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
418         [NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
419         [NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
420         [NL80211_ATTR_STA_PLINK_STATE] =
421                 NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
422         [NL80211_ATTR_MESH_PEER_AID] =
423                 NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
424         [NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
425         [NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
426         [NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
427         [NL80211_ATTR_HIDDEN_SSID] =
428                 NLA_POLICY_RANGE(NLA_U32,
429                                  NL80211_HIDDEN_SSID_NOT_IN_USE,
430                                  NL80211_HIDDEN_SSID_ZERO_CONTENTS),
431         [NL80211_ATTR_IE_PROBE_RESP] =
432                 NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
433                                        IEEE80211_MAX_DATA_LEN),
434         [NL80211_ATTR_IE_ASSOC_RESP] =
435                 NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
436                                        IEEE80211_MAX_DATA_LEN),
437         [NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
438         [NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
439         [NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
440         [NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
441         [NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
442         [NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
443         [NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
444         [NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
445         [NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
446         [NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
447         [NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
448                                       .len = IEEE80211_MAX_DATA_LEN },
449         [NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
450         [NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
451         [NL80211_ATTR_HT_CAPABILITY_MASK] = {
452                 .len = NL80211_HT_CAPABILITY_LEN
453         },
454         [NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
455         [NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
456         [NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
457         [NL80211_ATTR_WDEV] = { .type = NLA_U64 },
458         [NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
459         [NL80211_ATTR_AUTH_DATA] = { .type = NLA_BINARY, },
460         [NL80211_ATTR_VHT_CAPABILITY] = {
461                 .type = NLA_EXACT_LEN_WARN,
462                 .len = NL80211_VHT_CAPABILITY_LEN
463         },
464         [NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
465         [NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
466         [NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
467         [NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
468                 NLA_POLICY_RANGE(NLA_U32,
469                                  NL80211_MESH_POWER_UNKNOWN + 1,
470                                  NL80211_MESH_POWER_MAX),
471         [NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
472         [NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
473         [NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
474         [NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
475         [NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
476         [NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
477         [NL80211_ATTR_VHT_CAPABILITY_MASK] = {
478                 .len = NL80211_VHT_CAPABILITY_LEN,
479         },
480         [NL80211_ATTR_MDID] = { .type = NLA_U16 },
481         [NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
482                                   .len = IEEE80211_MAX_DATA_LEN },
483         [NL80211_ATTR_PEER_AID] =
484                 NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
485         [NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
486         [NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
487         [NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
488         [NL80211_ATTR_CSA_C_OFF_BEACON] = { .type = NLA_BINARY },
489         [NL80211_ATTR_CSA_C_OFF_PRESP] = { .type = NLA_BINARY },
490         [NL80211_ATTR_STA_SUPPORTED_CHANNELS] = { .type = NLA_BINARY },
491         [NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] = { .type = NLA_BINARY },
492         [NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
493         [NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
494         [NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
495         [NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
496         [NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
497         [NL80211_ATTR_QOS_MAP] = { .type = NLA_BINARY,
498                                    .len = IEEE80211_QOS_MAP_LEN_MAX },
499         [NL80211_ATTR_MAC_HINT] = {
500                 .type = NLA_EXACT_LEN_WARN,
501                 .len = ETH_ALEN
502         },
503         [NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
504         [NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
505         [NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
506         [NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
507         [NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
508         [NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
509         [NL80211_ATTR_USER_PRIO] =
510                 NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
511         [NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
512         [NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
513         [NL80211_ATTR_MAC_MASK] = {
514                 .type = NLA_EXACT_LEN_WARN,
515                 .len = ETH_ALEN
516         },
517         [NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
518         [NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
519         [NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
520         [NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
521         [NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
522         [NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
523         [NL80211_ATTR_STA_SUPPORT_P2P_PS] =
524                 NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
525         [NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
526                 .len = VHT_MUMIMO_GROUPS_DATA_LEN
527         },
528         [NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = {
529                 .type = NLA_EXACT_LEN_WARN,
530                 .len = ETH_ALEN
531         },
532         [NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
533         [NL80211_ATTR_BANDS] = { .type = NLA_U32 },
534         [NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
535         [NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
536                                     .len = FILS_MAX_KEK_LEN },
537         [NL80211_ATTR_FILS_NONCES] = {
538                 .type = NLA_EXACT_LEN_WARN,
539                 .len = 2 * FILS_NONCE_LEN
540         },
541         [NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
542         [NL80211_ATTR_BSSID] = { .type = NLA_EXACT_LEN_WARN, .len = ETH_ALEN },
543         [NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
544         [NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
545                 .len = sizeof(struct nl80211_bss_select_rssi_adjust)
546         },
547         [NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
548         [NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
549                                              .len = FILS_ERP_MAX_USERNAME_LEN },
550         [NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
551                                           .len = FILS_ERP_MAX_REALM_LEN },
552         [NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
553         [NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
554                                         .len = FILS_ERP_MAX_RRK_LEN },
555         [NL80211_ATTR_FILS_CACHE_ID] = { .type = NLA_EXACT_LEN_WARN, .len = 2 },
556         [NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
557         [NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
558         [NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
559 
560         [NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
561         [NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
562         [NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
563         [NL80211_ATTR_HE_CAPABILITY] = { .type = NLA_BINARY,
564                                          .len = NL80211_HE_MAX_CAPABILITY_LEN },
565 
566         [NL80211_ATTR_FTM_RESPONDER] = {
567                 .type = NLA_NESTED,
568                 .validation_data = nl80211_ftm_responder_policy,
569         },
570         [NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
571         [NL80211_ATTR_PEER_MEASUREMENTS] =
572                 NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
573         [NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
574 };
575 
576 /* policy for the key attributes */
577 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
578         [NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
579         [NL80211_KEY_IDX] = { .type = NLA_U8 },
580         [NL80211_KEY_CIPHER] = { .type = NLA_U32 },
581         [NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
582         [NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
583         [NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
584         [NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
585         [NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
586         [NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
587 };
588 
589 /* policy for the key default flags */
590 static const struct nla_policy
591 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
592         [NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
593         [NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
594 };
595 
596 #ifdef CONFIG_PM
597 /* policy for WoWLAN attributes */
598 static const struct nla_policy
599 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
600         [NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
601         [NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
602         [NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
603         [NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
604         [NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
605         [NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
606         [NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
607         [NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
608         [NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
609         [NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
610 };
611 
612 static const struct nla_policy
613 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
614         [NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
615         [NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
616         [NL80211_WOWLAN_TCP_DST_MAC] = {
617                 .type = NLA_EXACT_LEN_WARN,
618                 .len = ETH_ALEN
619         },
620         [NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
621         [NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
622         [NL80211_WOWLAN_TCP_DATA_PAYLOAD] = { .type = NLA_MIN_LEN, .len = 1 },
623         [NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
624                 .len = sizeof(struct nl80211_wowlan_tcp_data_seq)
625         },
626         [NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
627                 .len = sizeof(struct nl80211_wowlan_tcp_data_token)
628         },
629         [NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
630         [NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = { .type = NLA_MIN_LEN, .len = 1 },
631         [NL80211_WOWLAN_TCP_WAKE_MASK] = { .type = NLA_MIN_LEN, .len = 1 },
632 };
633 #endif /* CONFIG_PM */
634 
635 /* policy for coalesce rule attributes */
636 static const struct nla_policy
637 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
638         [NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
639         [NL80211_ATTR_COALESCE_RULE_CONDITION] =
640                 NLA_POLICY_RANGE(NLA_U32,
641                                  NL80211_COALESCE_CONDITION_MATCH,
642                                  NL80211_COALESCE_CONDITION_NO_MATCH),
643         [NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
644 };
645 
646 /* policy for GTK rekey offload attributes */
647 static const struct nla_policy
648 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
649         [NL80211_REKEY_DATA_KEK] = {
650                 .type = NLA_EXACT_LEN_WARN,
651                 .len = NL80211_KEK_LEN,
652         },
653         [NL80211_REKEY_DATA_KCK] = {
654                 .type = NLA_EXACT_LEN_WARN,
655                 .len = NL80211_KCK_LEN,
656         },
657         [NL80211_REKEY_DATA_REPLAY_CTR] = {
658                 .type = NLA_EXACT_LEN_WARN,
659                 .len = NL80211_REPLAY_CTR_LEN
660         },
661 };
662 
663 static const struct nla_policy
664 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
665         [NL80211_BAND_2GHZ] = { .type = NLA_S32 },
666         [NL80211_BAND_5GHZ] = { .type = NLA_S32 },
667         [NL80211_BAND_60GHZ] = { .type = NLA_S32 },
668 };
669 
670 static const struct nla_policy
671 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
672         [NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
673                                                  .len = IEEE80211_MAX_SSID_LEN },
674         [NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = {
675                 .type = NLA_EXACT_LEN_WARN,
676                 .len = ETH_ALEN
677         },
678         [NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
679         [NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
680                 NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
681 };
682 
683 static const struct nla_policy
684 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
685         [NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
686         [NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
687 };
688 
689 static const struct nla_policy
690 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
691         [NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
692         [NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
693         [NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
694                 .len = sizeof(struct nl80211_bss_select_rssi_adjust)
695         },
696 };
697 
698 /* policy for NAN function attributes */
699 static const struct nla_policy
700 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
701         [NL80211_NAN_FUNC_TYPE] = { .type = NLA_U8 },
702         [NL80211_NAN_FUNC_SERVICE_ID] = {
703                                     .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
704         [NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
705         [NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
706         [NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
707         [NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
708         [NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
709         [NL80211_NAN_FUNC_FOLLOW_UP_DEST] = {
710                 .type = NLA_EXACT_LEN_WARN,
711                 .len = ETH_ALEN
712         },
713         [NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
714         [NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
715         [NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
716                         .len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
717         [NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
718         [NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
719         [NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
720         [NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
721         [NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
722 };
723 
724 /* policy for Service Response Filter attributes */
725 static const struct nla_policy
726 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
727         [NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
728         [NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
729                                  .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
730         [NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
731         [NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
732 };
733 
734 /* policy for packet pattern attributes */
735 static const struct nla_policy
736 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
737         [NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
738         [NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
739         [NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
740 };
741 
742 int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
743                               struct cfg80211_registered_device **rdev,
744                               struct wireless_dev **wdev)
745 {
746         int err;
747 
748         if (!cb->args[0]) {
749                 err = nlmsg_parse_deprecated(cb->nlh,
750                                              GENL_HDRLEN + nl80211_fam.hdrsize,
751                                              genl_family_attrbuf(&nl80211_fam),
752                                              nl80211_fam.maxattr,
753                                              nl80211_policy, NULL);
754                 if (err)
755                         return err;
756 
757                 *wdev = __cfg80211_wdev_from_attrs(
758                                         sock_net(cb->skb->sk),
759                                         genl_family_attrbuf(&nl80211_fam));
760                 if (IS_ERR(*wdev))
761                         return PTR_ERR(*wdev);
762                 *rdev = wiphy_to_rdev((*wdev)->wiphy);
763                 /* 0 is the first index - add 1 to parse only once */
764                 cb->args[0] = (*rdev)->wiphy_idx + 1;
765                 cb->args[1] = (*wdev)->identifier;
766         } else {
767                 /* subtract the 1 again here */
768                 struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
769                 struct wireless_dev *tmp;
770 
771                 if (!wiphy)
772                         return -ENODEV;
773                 *rdev = wiphy_to_rdev(wiphy);
774                 *wdev = NULL;
775 
776                 list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
777                         if (tmp->identifier == cb->args[1]) {
778                                 *wdev = tmp;
779                                 break;
780                         }
781                 }
782 
783                 if (!*wdev)
784                         return -ENODEV;
785         }
786 
787         return 0;
788 }
789 
790 /* message building helper */
791 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
792                      int flags, u8 cmd)
793 {
794         /* since there is no private header just add the generic one */
795         return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
796 }
797 
798 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
799                                      const struct ieee80211_reg_rule *rule)
800 {
801         int j;
802         struct nlattr *nl_wmm_rules =
803                 nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
804 
805         if (!nl_wmm_rules)
806                 goto nla_put_failure;
807 
808         for (j = 0; j < IEEE80211_NUM_ACS; j++) {
809                 struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
810 
811                 if (!nl_wmm_rule)
812                         goto nla_put_failure;
813 
814                 if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
815                                 rule->wmm_rule.client[j].cw_min) ||
816                     nla_put_u16(msg, NL80211_WMMR_CW_MAX,
817                                 rule->wmm_rule.client[j].cw_max) ||
818                     nla_put_u8(msg, NL80211_WMMR_AIFSN,
819                                rule->wmm_rule.client[j].aifsn) ||
820                     nla_put_u16(msg, NL80211_WMMR_TXOP,
821                                 rule->wmm_rule.client[j].cot))
822                         goto nla_put_failure;
823 
824                 nla_nest_end(msg, nl_wmm_rule);
825         }
826         nla_nest_end(msg, nl_wmm_rules);
827 
828         return 0;
829 
830 nla_put_failure:
831         return -ENOBUFS;
832 }
833 
834 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
835                                    struct ieee80211_channel *chan,
836                                    bool large)
837 {
838         /* Some channels must be completely excluded from the
839          * list to protect old user-space tools from breaking
840          */
841         if (!large && chan->flags &
842             (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
843                 return 0;
844 
845         if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
846                         chan->center_freq))
847                 goto nla_put_failure;
848 
849         if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
850             nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
851                 goto nla_put_failure;
852         if (chan->flags & IEEE80211_CHAN_NO_IR) {
853                 if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
854                         goto nla_put_failure;
855                 if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
856                         goto nla_put_failure;
857         }
858         if (chan->flags & IEEE80211_CHAN_RADAR) {
859                 if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
860                         goto nla_put_failure;
861                 if (large) {
862                         u32 time;
863 
864                         time = elapsed_jiffies_msecs(chan->dfs_state_entered);
865 
866                         if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
867                                         chan->dfs_state))
868                                 goto nla_put_failure;
869                         if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
870                                         time))
871                                 goto nla_put_failure;
872                         if (nla_put_u32(msg,
873                                         NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
874                                         chan->dfs_cac_ms))
875                                 goto nla_put_failure;
876                 }
877         }
878 
879         if (large) {
880                 if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
881                     nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
882                         goto nla_put_failure;
883                 if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
884                     nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
885                         goto nla_put_failure;
886                 if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
887                     nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
888                         goto nla_put_failure;
889                 if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
890                     nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
891                         goto nla_put_failure;
892                 if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
893                     nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
894                         goto nla_put_failure;
895                 if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
896                     nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
897                         goto nla_put_failure;
898                 if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
899                     nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
900                         goto nla_put_failure;
901                 if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
902                     nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
903                         goto nla_put_failure;
904         }
905 
906         if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
907                         DBM_TO_MBM(chan->max_power)))
908                 goto nla_put_failure;
909 
910         if (large) {
911                 const struct ieee80211_reg_rule *rule =
912                         freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
913 
914                 if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
915                         if (nl80211_msg_put_wmm_rules(msg, rule))
916                                 goto nla_put_failure;
917                 }
918         }
919 
920         return 0;
921 
922  nla_put_failure:
923         return -ENOBUFS;
924 }
925 
926 static bool nl80211_put_txq_stats(struct sk_buff *msg,
927                                   struct cfg80211_txq_stats *txqstats,
928                                   int attrtype)
929 {
930         struct nlattr *txqattr;
931 
932 #define PUT_TXQVAL_U32(attr, memb) do {                                   \
933         if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&         \
934             nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
935                 return false;                                             \
936         } while (0)
937 
938         txqattr = nla_nest_start_noflag(msg, attrtype);
939         if (!txqattr)
940                 return false;
941 
942         PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
943         PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
944         PUT_TXQVAL_U32(FLOWS, flows);
945         PUT_TXQVAL_U32(DROPS, drops);
946         PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
947         PUT_TXQVAL_U32(OVERLIMIT, overlimit);
948         PUT_TXQVAL_U32(OVERMEMORY, overmemory);
949         PUT_TXQVAL_U32(COLLISIONS, collisions);
950         PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
951         PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
952         PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
953         nla_nest_end(msg, txqattr);
954 
955 #undef PUT_TXQVAL_U32
956         return true;
957 }
958 
959 /* netlink command implementations */
960 
961 struct key_parse {
962         struct key_params p;
963         int idx;
964         int type;
965         bool def, defmgmt;
966         bool def_uni, def_multi;
967 };
968 
969 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
970                                  struct key_parse *k)
971 {
972         struct nlattr *tb[NL80211_KEY_MAX + 1];
973         int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
974                                               nl80211_key_policy,
975                                               info->extack);
976         if (err)
977                 return err;
978 
979         k->def = !!tb[NL80211_KEY_DEFAULT];
980         k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
981 
982         if (k->def) {
983                 k->def_uni = true;
984                 k->def_multi = true;
985         }
986         if (k->defmgmt)
987                 k->def_multi = true;
988 
989         if (tb[NL80211_KEY_IDX])
990                 k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
991 
992         if (tb[NL80211_KEY_DATA]) {
993                 k->p.key = nla_data(tb[NL80211_KEY_DATA]);
994                 k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
995         }
996 
997         if (tb[NL80211_KEY_SEQ]) {
998                 k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
999                 k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1000         }
1001 
1002         if (tb[NL80211_KEY_CIPHER])
1003                 k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1004 
1005         if (tb[NL80211_KEY_TYPE])
1006                 k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1007 
1008         if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1009                 struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1010 
1011                 err = nla_parse_nested_deprecated(kdt,
1012                                                   NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1013                                                   tb[NL80211_KEY_DEFAULT_TYPES],
1014                                                   nl80211_key_default_policy,
1015                                                   info->extack);
1016                 if (err)
1017                         return err;
1018 
1019                 k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1020                 k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1021         }
1022 
1023         if (tb[NL80211_KEY_MODE])
1024                 k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1025 
1026         return 0;
1027 }
1028 
1029 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1030 {
1031         if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1032                 k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1033                 k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1034         }
1035 
1036         if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1037                 k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1038                 k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1039         }
1040 
1041         if (info->attrs[NL80211_ATTR_KEY_IDX])
1042                 k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1043 
1044         if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1045                 k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1046 
1047         k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1048         k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1049 
1050         if (k->def) {
1051                 k->def_uni = true;
1052                 k->def_multi = true;
1053         }
1054         if (k->defmgmt)
1055                 k->def_multi = true;
1056 
1057         if (info->attrs[NL80211_ATTR_KEY_TYPE])
1058                 k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1059 
1060         if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1061                 struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1062                 int err = nla_parse_nested_deprecated(kdt,
1063                                                       NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1064                                                       info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1065                                                       nl80211_key_default_policy,
1066                                                       info->extack);
1067                 if (err)
1068                         return err;
1069 
1070                 k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1071                 k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1072         }
1073 
1074         return 0;
1075 }
1076 
1077 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1078 {
1079         int err;
1080 
1081         memset(k, 0, sizeof(*k));
1082         k->idx = -1;
1083         k->type = -1;
1084 
1085         if (info->attrs[NL80211_ATTR_KEY])
1086                 err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1087         else
1088                 err = nl80211_parse_key_old(info, k);
1089 
1090         if (err)
1091                 return err;
1092 
1093         if (k->def && k->defmgmt) {
1094                 GENL_SET_ERR_MSG(info, "key with def && defmgmt is invalid");
1095                 return -EINVAL;
1096         }
1097 
1098         if (k->defmgmt) {
1099                 if (k->def_uni || !k->def_multi) {
1100                         GENL_SET_ERR_MSG(info, "defmgmt key must be mcast");
1101                         return -EINVAL;
1102                 }
1103         }
1104 
1105         if (k->idx != -1) {
1106                 if (k->defmgmt) {
1107                         if (k->idx < 4 || k->idx > 5) {
1108                                 GENL_SET_ERR_MSG(info,
1109                                                  "defmgmt key idx not 4 or 5");
1110                                 return -EINVAL;
1111                         }
1112                 } else if (k->def) {
1113                         if (k->idx < 0 || k->idx > 3) {
1114                                 GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1115                                 return -EINVAL;
1116                         }
1117                 } else {
1118                         if (k->idx < 0 || k->idx > 5) {
1119                                 GENL_SET_ERR_MSG(info, "key idx not 0-5");
1120                                 return -EINVAL;
1121                         }
1122                 }
1123         }
1124 
1125         return 0;
1126 }
1127 
1128 static struct cfg80211_cached_keys *
1129 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1130                        struct genl_info *info, bool *no_ht)
1131 {
1132         struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1133         struct key_parse parse;
1134         struct nlattr *key;
1135         struct cfg80211_cached_keys *result;
1136         int rem, err, def = 0;
1137         bool have_key = false;
1138 
1139         nla_for_each_nested(key, keys, rem) {
1140                 have_key = true;
1141                 break;
1142         }
1143 
1144         if (!have_key)
1145                 return NULL;
1146 
1147         result = kzalloc(sizeof(*result), GFP_KERNEL);
1148         if (!result)
1149                 return ERR_PTR(-ENOMEM);
1150 
1151         result->def = -1;
1152 
1153         nla_for_each_nested(key, keys, rem) {
1154                 memset(&parse, 0, sizeof(parse));
1155                 parse.idx = -1;
1156 
1157                 err = nl80211_parse_key_new(info, key, &parse);
1158                 if (err)
1159                         goto error;
1160                 err = -EINVAL;
1161                 if (!parse.p.key)
1162                         goto error;
1163                 if (parse.idx < 0 || parse.idx > 3) {
1164                         GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1165                         goto error;
1166                 }
1167                 if (parse.def) {
1168                         if (def) {
1169                                 GENL_SET_ERR_MSG(info,
1170                                                  "only one key can be default");
1171                                 goto error;
1172                         }
1173                         def = 1;
1174                         result->def = parse.idx;
1175                         if (!parse.def_uni || !parse.def_multi)
1176                                 goto error;
1177                 } else if (parse.defmgmt)
1178                         goto error;
1179                 err = cfg80211_validate_key_settings(rdev, &parse.p,
1180                                                      parse.idx, false, NULL);
1181                 if (err)
1182                         goto error;
1183                 if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1184                     parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1185                         GENL_SET_ERR_MSG(info, "connect key must be WEP");
1186                         err = -EINVAL;
1187                         goto error;
1188                 }
1189                 result->params[parse.idx].cipher = parse.p.cipher;
1190                 result->params[parse.idx].key_len = parse.p.key_len;
1191                 result->params[parse.idx].key = result->data[parse.idx];
1192                 memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1193 
1194                 /* must be WEP key if we got here */
1195                 if (no_ht)
1196                         *no_ht = true;
1197         }
1198 
1199         if (result->def < 0) {
1200                 err = -EINVAL;
1201                 GENL_SET_ERR_MSG(info, "need a default/TX key");
1202                 goto error;
1203         }
1204 
1205         return result;
1206  error:
1207         kfree(result);
1208         return ERR_PTR(err);
1209 }
1210 
1211 static int nl80211_key_allowed(struct wireless_dev *wdev)
1212 {
1213         ASSERT_WDEV_LOCK(wdev);
1214 
1215         switch (wdev->iftype) {
1216         case NL80211_IFTYPE_AP:
1217         case NL80211_IFTYPE_AP_VLAN:
1218         case NL80211_IFTYPE_P2P_GO:
1219         case NL80211_IFTYPE_MESH_POINT:
1220                 break;
1221         case NL80211_IFTYPE_ADHOC:
1222         case NL80211_IFTYPE_STATION:
1223         case NL80211_IFTYPE_P2P_CLIENT:
1224                 if (!wdev->current_bss)
1225                         return -ENOLINK;
1226                 break;
1227         case NL80211_IFTYPE_UNSPECIFIED:
1228         case NL80211_IFTYPE_OCB:
1229         case NL80211_IFTYPE_MONITOR:
1230         case NL80211_IFTYPE_NAN:
1231         case NL80211_IFTYPE_P2P_DEVICE:
1232         case NL80211_IFTYPE_WDS:
1233         case NUM_NL80211_IFTYPES:
1234                 return -EINVAL;
1235         }
1236 
1237         return 0;
1238 }
1239 
1240 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1241                                                         struct nlattr *tb)
1242 {
1243         struct ieee80211_channel *chan;
1244 
1245         if (tb == NULL)
1246                 return NULL;
1247         chan = ieee80211_get_channel(wiphy, nla_get_u32(tb));
1248         if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1249                 return NULL;
1250         return chan;
1251 }
1252 
1253 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1254 {
1255         struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1256         int i;
1257 
1258         if (!nl_modes)
1259                 goto nla_put_failure;
1260 
1261         i = 0;
1262         while (ifmodes) {
1263                 if ((ifmodes & 1) && nla_put_flag(msg, i))
1264                         goto nla_put_failure;
1265                 ifmodes >>= 1;
1266                 i++;
1267         }
1268 
1269         nla_nest_end(msg, nl_modes);
1270         return 0;
1271 
1272 nla_put_failure:
1273         return -ENOBUFS;
1274 }
1275 
1276 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1277                                           struct sk_buff *msg,
1278                                           bool large)
1279 {
1280         struct nlattr *nl_combis;
1281         int i, j;
1282 
1283         nl_combis = nla_nest_start_noflag(msg,
1284                                           NL80211_ATTR_INTERFACE_COMBINATIONS);
1285         if (!nl_combis)
1286                 goto nla_put_failure;
1287 
1288         for (i = 0; i < wiphy->n_iface_combinations; i++) {
1289                 const struct ieee80211_iface_combination *c;
1290                 struct nlattr *nl_combi, *nl_limits;
1291 
1292                 c = &wiphy->iface_combinations[i];
1293 
1294                 nl_combi = nla_nest_start_noflag(msg, i + 1);
1295                 if (!nl_combi)
1296                         goto nla_put_failure;
1297 
1298                 nl_limits = nla_nest_start_noflag(msg,
1299                                                   NL80211_IFACE_COMB_LIMITS);
1300                 if (!nl_limits)
1301                         goto nla_put_failure;
1302 
1303                 for (j = 0; j < c->n_limits; j++) {
1304                         struct nlattr *nl_limit;
1305 
1306                         nl_limit = nla_nest_start_noflag(msg, j + 1);
1307                         if (!nl_limit)
1308                                 goto nla_put_failure;
1309                         if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1310                                         c->limits[j].max))
1311                                 goto nla_put_failure;
1312                         if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1313                                                 c->limits[j].types))
1314                                 goto nla_put_failure;
1315                         nla_nest_end(msg, nl_limit);
1316                 }
1317 
1318                 nla_nest_end(msg, nl_limits);
1319 
1320                 if (c->beacon_int_infra_match &&
1321                     nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1322                         goto nla_put_failure;
1323                 if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1324                                 c->num_different_channels) ||
1325                     nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1326                                 c->max_interfaces))
1327                         goto nla_put_failure;
1328                 if (large &&
1329                     (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1330                                 c->radar_detect_widths) ||
1331                      nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1332                                 c->radar_detect_regions)))
1333                         goto nla_put_failure;
1334                 if (c->beacon_int_min_gcd &&
1335                     nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1336                                 c->beacon_int_min_gcd))
1337                         goto nla_put_failure;
1338 
1339                 nla_nest_end(msg, nl_combi);
1340         }
1341 
1342         nla_nest_end(msg, nl_combis);
1343 
1344         return 0;
1345 nla_put_failure:
1346         return -ENOBUFS;
1347 }
1348 
1349 #ifdef CONFIG_PM
1350 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1351                                         struct sk_buff *msg)
1352 {
1353         const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1354         struct nlattr *nl_tcp;
1355 
1356         if (!tcp)
1357                 return 0;
1358 
1359         nl_tcp = nla_nest_start_noflag(msg,
1360                                        NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1361         if (!nl_tcp)
1362                 return -ENOBUFS;
1363 
1364         if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1365                         tcp->data_payload_max))
1366                 return -ENOBUFS;
1367 
1368         if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1369                         tcp->data_payload_max))
1370                 return -ENOBUFS;
1371 
1372         if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1373                 return -ENOBUFS;
1374 
1375         if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1376                                 sizeof(*tcp->tok), tcp->tok))
1377                 return -ENOBUFS;
1378 
1379         if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1380                         tcp->data_interval_max))
1381                 return -ENOBUFS;
1382 
1383         if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1384                         tcp->wake_payload_max))
1385                 return -ENOBUFS;
1386 
1387         nla_nest_end(msg, nl_tcp);
1388         return 0;
1389 }
1390 
1391 static int nl80211_send_wowlan(struct sk_buff *msg,
1392                                struct cfg80211_registered_device *rdev,
1393                                bool large)
1394 {
1395         struct nlattr *nl_wowlan;
1396 
1397         if (!rdev->wiphy.wowlan)
1398                 return 0;
1399 
1400         nl_wowlan = nla_nest_start_noflag(msg,
1401                                           NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1402         if (!nl_wowlan)
1403                 return -ENOBUFS;
1404 
1405         if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1406              nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1407             ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1408              nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1409             ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1410              nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1411             ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1412              nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1413             ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1414              nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1415             ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1416              nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1417             ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1418              nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1419             ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1420              nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1421                 return -ENOBUFS;
1422 
1423         if (rdev->wiphy.wowlan->n_patterns) {
1424                 struct nl80211_pattern_support pat = {
1425                         .max_patterns = rdev->wiphy.wowlan->n_patterns,
1426                         .min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1427                         .max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1428                         .max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1429                 };
1430 
1431                 if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1432                             sizeof(pat), &pat))
1433                         return -ENOBUFS;
1434         }
1435 
1436         if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1437             nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1438                         rdev->wiphy.wowlan->max_nd_match_sets))
1439                 return -ENOBUFS;
1440 
1441         if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1442                 return -ENOBUFS;
1443 
1444         nla_nest_end(msg, nl_wowlan);
1445 
1446         return 0;
1447 }
1448 #endif
1449 
1450 static int nl80211_send_coalesce(struct sk_buff *msg,
1451                                  struct cfg80211_registered_device *rdev)
1452 {
1453         struct nl80211_coalesce_rule_support rule;
1454 
1455         if (!rdev->wiphy.coalesce)
1456                 return 0;
1457 
1458         rule.max_rules = rdev->wiphy.coalesce->n_rules;
1459         rule.max_delay = rdev->wiphy.coalesce->max_delay;
1460         rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1461         rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1462         rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1463         rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1464 
1465         if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1466                 return -ENOBUFS;
1467 
1468         return 0;
1469 }
1470 
1471 static int
1472 nl80211_send_iftype_data(struct sk_buff *msg,
1473                          const struct ieee80211_sband_iftype_data *iftdata)
1474 {
1475         const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1476 
1477         if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1478                                 iftdata->types_mask))
1479                 return -ENOBUFS;
1480 
1481         if (he_cap->has_he) {
1482                 if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1483                             sizeof(he_cap->he_cap_elem.mac_cap_info),
1484                             he_cap->he_cap_elem.mac_cap_info) ||
1485                     nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1486                             sizeof(he_cap->he_cap_elem.phy_cap_info),
1487                             he_cap->he_cap_elem.phy_cap_info) ||
1488                     nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1489                             sizeof(he_cap->he_mcs_nss_supp),
1490                             &he_cap->he_mcs_nss_supp) ||
1491                     nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1492                             sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1493                         return -ENOBUFS;
1494         }
1495 
1496         return 0;
1497 }
1498 
1499 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1500                                       struct ieee80211_supported_band *sband)
1501 {
1502         struct nlattr *nl_rates, *nl_rate;
1503         struct ieee80211_rate *rate;
1504         int i;
1505 
1506         /* add HT info */
1507         if (sband->ht_cap.ht_supported &&
1508             (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1509                      sizeof(sband->ht_cap.mcs),
1510                      &sband->ht_cap.mcs) ||
1511              nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1512                          sband->ht_cap.cap) ||
1513              nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1514                         sband->ht_cap.ampdu_factor) ||
1515              nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1516                         sband->ht_cap.ampdu_density)))
1517                 return -ENOBUFS;
1518 
1519         /* add VHT info */
1520         if (sband->vht_cap.vht_supported &&
1521             (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1522                      sizeof(sband->vht_cap.vht_mcs),
1523                      &sband->vht_cap.vht_mcs) ||
1524              nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1525                          sband->vht_cap.cap)))
1526                 return -ENOBUFS;
1527 
1528         if (sband->n_iftype_data) {
1529                 struct nlattr *nl_iftype_data =
1530                         nla_nest_start_noflag(msg,
1531                                               NL80211_BAND_ATTR_IFTYPE_DATA);
1532                 int err;
1533 
1534                 if (!nl_iftype_data)
1535                         return -ENOBUFS;
1536 
1537                 for (i = 0; i < sband->n_iftype_data; i++) {
1538                         struct nlattr *iftdata;
1539 
1540                         iftdata = nla_nest_start_noflag(msg, i + 1);
1541                         if (!iftdata)
1542                                 return -ENOBUFS;
1543 
1544                         err = nl80211_send_iftype_data(msg,
1545                                                        &sband->iftype_data[i]);
1546                         if (err)
1547                                 return err;
1548 
1549                         nla_nest_end(msg, iftdata);
1550                 }
1551 
1552                 nla_nest_end(msg, nl_iftype_data);
1553         }
1554 
1555         /* add bitrates */
1556         nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1557         if (!nl_rates)
1558                 return -ENOBUFS;
1559 
1560         for (i = 0; i < sband->n_bitrates; i++) {
1561                 nl_rate = nla_nest_start_noflag(msg, i);
1562                 if (!nl_rate)
1563                         return -ENOBUFS;
1564 
1565                 rate = &sband->bitrates[i];
1566                 if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1567                                 rate->bitrate))
1568                         return -ENOBUFS;
1569                 if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1570                     nla_put_flag(msg,
1571                                  NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1572                         return -ENOBUFS;
1573 
1574                 nla_nest_end(msg, nl_rate);
1575         }
1576 
1577         nla_nest_end(msg, nl_rates);
1578 
1579         return 0;
1580 }
1581 
1582 static int
1583 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1584                          const struct ieee80211_txrx_stypes *mgmt_stypes)
1585 {
1586         u16 stypes;
1587         struct nlattr *nl_ftypes, *nl_ifs;
1588         enum nl80211_iftype ift;
1589         int i;
1590 
1591         if (!mgmt_stypes)
1592                 return 0;
1593 
1594         nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1595         if (!nl_ifs)
1596                 return -ENOBUFS;
1597 
1598         for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1599                 nl_ftypes = nla_nest_start_noflag(msg, ift);
1600                 if (!nl_ftypes)
1601                         return -ENOBUFS;
1602                 i = 0;
1603                 stypes = mgmt_stypes[ift].tx;
1604                 while (stypes) {
1605                         if ((stypes & 1) &&
1606                             nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1607                                         (i << 4) | IEEE80211_FTYPE_MGMT))
1608                                 return -ENOBUFS;
1609                         stypes >>= 1;
1610                         i++;
1611                 }
1612                 nla_nest_end(msg, nl_ftypes);
1613         }
1614 
1615         nla_nest_end(msg, nl_ifs);
1616 
1617         nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
1618         if (!nl_ifs)
1619                 return -ENOBUFS;
1620 
1621         for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1622                 nl_ftypes = nla_nest_start_noflag(msg, ift);
1623                 if (!nl_ftypes)
1624                         return -ENOBUFS;
1625                 i = 0;
1626                 stypes = mgmt_stypes[ift].rx;
1627                 while (stypes) {
1628                         if ((stypes & 1) &&
1629                             nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1630                                         (i << 4) | IEEE80211_FTYPE_MGMT))
1631                                 return -ENOBUFS;
1632                         stypes >>= 1;
1633                         i++;
1634                 }
1635                 nla_nest_end(msg, nl_ftypes);
1636         }
1637         nla_nest_end(msg, nl_ifs);
1638 
1639         return 0;
1640 }
1641 
1642 #define CMD(op, n)                                                      \
1643          do {                                                           \
1644                 if (rdev->ops->op) {                                    \
1645                         i++;                                            \
1646                         if (nla_put_u32(msg, i, NL80211_CMD_ ## n))     \
1647                                 goto nla_put_failure;                   \
1648                 }                                                       \
1649         } while (0)
1650 
1651 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
1652                                         struct sk_buff *msg)
1653 {
1654         int i = 0;
1655 
1656         /*
1657          * do *NOT* add anything into this function, new things need to be
1658          * advertised only to new versions of userspace that can deal with
1659          * the split (and they can't possibly care about new features...
1660          */
1661         CMD(add_virtual_intf, NEW_INTERFACE);
1662         CMD(change_virtual_intf, SET_INTERFACE);
1663         CMD(add_key, NEW_KEY);
1664         CMD(start_ap, START_AP);
1665         CMD(add_station, NEW_STATION);
1666         CMD(add_mpath, NEW_MPATH);
1667         CMD(update_mesh_config, SET_MESH_CONFIG);
1668         CMD(change_bss, SET_BSS);
1669         CMD(auth, AUTHENTICATE);
1670         CMD(assoc, ASSOCIATE);
1671         CMD(deauth, DEAUTHENTICATE);
1672         CMD(disassoc, DISASSOCIATE);
1673         CMD(join_ibss, JOIN_IBSS);
1674         CMD(join_mesh, JOIN_MESH);
1675         CMD(set_pmksa, SET_PMKSA);
1676         CMD(del_pmksa, DEL_PMKSA);
1677         CMD(flush_pmksa, FLUSH_PMKSA);
1678         if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1679                 CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1680         CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1681         CMD(mgmt_tx, FRAME);
1682         CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1683         if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1684                 i++;
1685                 if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1686                         goto nla_put_failure;
1687         }
1688         if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1689             rdev->ops->join_mesh) {
1690                 i++;
1691                 if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1692                         goto nla_put_failure;
1693         }
1694         CMD(set_wds_peer, SET_WDS_PEER);
1695         if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1696                 CMD(tdls_mgmt, TDLS_MGMT);
1697                 CMD(tdls_oper, TDLS_OPER);
1698         }
1699         if (rdev->wiphy.max_sched_scan_reqs)
1700                 CMD(sched_scan_start, START_SCHED_SCAN);
1701         CMD(probe_client, PROBE_CLIENT);
1702         CMD(set_noack_map, SET_NOACK_MAP);
1703         if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1704                 i++;
1705                 if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1706                         goto nla_put_failure;
1707         }
1708         CMD(start_p2p_device, START_P2P_DEVICE);
1709         CMD(set_mcast_rate, SET_MCAST_RATE);
1710 #ifdef CONFIG_NL80211_TESTMODE
1711         CMD(testmode_cmd, TESTMODE);
1712 #endif
1713 
1714         if (rdev->ops->connect || rdev->ops->auth) {
1715                 i++;
1716                 if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1717                         goto nla_put_failure;
1718         }
1719 
1720         if (rdev->ops->disconnect || rdev->ops->deauth) {
1721                 i++;
1722                 if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1723                         goto nla_put_failure;
1724         }
1725 
1726         return i;
1727  nla_put_failure:
1728         return -ENOBUFS;
1729 }
1730 
1731 static int
1732 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
1733                            struct sk_buff *msg)
1734 {
1735         struct nlattr *ftm;
1736 
1737         if (!cap->ftm.supported)
1738                 return 0;
1739 
1740         ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
1741         if (!ftm)
1742                 return -ENOBUFS;
1743 
1744         if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
1745                 return -ENOBUFS;
1746         if (cap->ftm.non_asap &&
1747             nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
1748                 return -ENOBUFS;
1749         if (cap->ftm.request_lci &&
1750             nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
1751                 return -ENOBUFS;
1752         if (cap->ftm.request_civicloc &&
1753             nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
1754                 return -ENOBUFS;
1755         if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
1756                         cap->ftm.preambles))
1757                 return -ENOBUFS;
1758         if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
1759                         cap->ftm.bandwidths))
1760                 return -ENOBUFS;
1761         if (cap->ftm.max_bursts_exponent >= 0 &&
1762             nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
1763                         cap->ftm.max_bursts_exponent))
1764                 return -ENOBUFS;
1765         if (cap->ftm.max_ftms_per_burst &&
1766             nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
1767                         cap->ftm.max_ftms_per_burst))
1768                 return -ENOBUFS;
1769 
1770         nla_nest_end(msg, ftm);
1771         return 0;
1772 }
1773 
1774 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
1775                                   struct sk_buff *msg)
1776 {
1777         const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
1778         struct nlattr *pmsr, *caps;
1779 
1780         if (!cap)
1781                 return 0;
1782 
1783         /*
1784          * we don't need to clean up anything here since the caller
1785          * will genlmsg_cancel() if we fail
1786          */
1787 
1788         pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
1789         if (!pmsr)
1790                 return -ENOBUFS;
1791 
1792         if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
1793                 return -ENOBUFS;
1794 
1795         if (cap->report_ap_tsf &&
1796             nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
1797                 return -ENOBUFS;
1798 
1799         if (cap->randomize_mac_addr &&
1800             nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
1801                 return -ENOBUFS;
1802 
1803         caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
1804         if (!caps)
1805                 return -ENOBUFS;
1806 
1807         if (nl80211_send_pmsr_ftm_capa(cap, msg))
1808                 return -ENOBUFS;
1809 
1810         nla_nest_end(msg, caps);
1811         nla_nest_end(msg, pmsr);
1812 
1813         return 0;
1814 }
1815 
1816 struct nl80211_dump_wiphy_state {
1817         s64 filter_wiphy;
1818         long start;
1819         long split_start, band_start, chan_start, capa_start;
1820         bool split;
1821 };
1822 
1823 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
1824                               enum nl80211_commands cmd,
1825                               struct sk_buff *msg, u32 portid, u32 seq,
1826                               int flags, struct nl80211_dump_wiphy_state *state)
1827 {
1828         void *hdr;
1829         struct nlattr *nl_bands, *nl_band;
1830         struct nlattr *nl_freqs, *nl_freq;
1831         struct nlattr *nl_cmds;
1832         enum nl80211_band band;
1833         struct ieee80211_channel *chan;
1834         int i;
1835         const struct ieee80211_txrx_stypes *mgmt_stypes =
1836                                 rdev->wiphy.mgmt_stypes;
1837         u32 features;
1838 
1839         hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
1840         if (!hdr)
1841                 return -ENOBUFS;
1842 
1843         if (WARN_ON(!state))
1844                 return -EINVAL;
1845 
1846         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
1847             nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
1848                            wiphy_name(&rdev->wiphy)) ||
1849             nla_put_u32(msg, NL80211_ATTR_GENERATION,
1850                         cfg80211_rdev_list_generation))
1851                 goto nla_put_failure;
1852 
1853         if (cmd != NL80211_CMD_NEW_WIPHY)
1854                 goto finish;
1855 
1856         switch (state->split_start) {
1857         case 0:
1858                 if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
1859                                rdev->wiphy.retry_short) ||
1860                     nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
1861                                rdev->wiphy.retry_long) ||
1862                     nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
1863                                 rdev->wiphy.frag_threshold) ||
1864                     nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
1865                                 rdev->wiphy.rts_threshold) ||
1866                     nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
1867                                rdev->wiphy.coverage_class) ||
1868                     nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
1869                                rdev->wiphy.max_scan_ssids) ||
1870                     nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
1871                                rdev->wiphy.max_sched_scan_ssids) ||
1872                     nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
1873                                 rdev->wiphy.max_scan_ie_len) ||
1874                     nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
1875                                 rdev->wiphy.max_sched_scan_ie_len) ||
1876                     nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
1877                                rdev->wiphy.max_match_sets) ||
1878                     nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
1879                                 rdev->wiphy.max_sched_scan_plans) ||
1880                     nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
1881                                 rdev->wiphy.max_sched_scan_plan_interval) ||
1882                     nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
1883                                 rdev->wiphy.max_sched_scan_plan_iterations))
1884                         goto nla_put_failure;
1885 
1886                 if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
1887                     nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
1888                         goto nla_put_failure;
1889                 if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
1890                     nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
1891                         goto nla_put_failure;
1892                 if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
1893                     nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
1894                         goto nla_put_failure;
1895                 if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
1896                     nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
1897                         goto nla_put_failure;
1898                 if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
1899                     nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
1900                         goto nla_put_failure;
1901                 if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
1902                     nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
1903                         goto nla_put_failure;
1904                 state->split_start++;
1905                 if (state->split)
1906                         break;
1907                 /* fall through */
1908         case 1:
1909                 if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
1910                             sizeof(u32) * rdev->wiphy.n_cipher_suites,
1911                             rdev->wiphy.cipher_suites))
1912                         goto nla_put_failure;
1913 
1914                 if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
1915                                rdev->wiphy.max_num_pmkids))
1916                         goto nla_put_failure;
1917 
1918                 if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
1919                     nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
1920                         goto nla_put_failure;
1921 
1922                 if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
1923                                 rdev->wiphy.available_antennas_tx) ||
1924                     nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
1925                                 rdev->wiphy.available_antennas_rx))
1926                         goto nla_put_failure;
1927 
1928                 if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
1929                     nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
1930                                 rdev->wiphy.probe_resp_offload))
1931                         goto nla_put_failure;
1932 
1933                 if ((rdev->wiphy.available_antennas_tx ||
1934                      rdev->wiphy.available_antennas_rx) &&
1935                     rdev->ops->get_antenna) {
1936                         u32 tx_ant = 0, rx_ant = 0;
1937                         int res;
1938 
1939                         res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
1940                         if (!res) {
1941                                 if (nla_put_u32(msg,
1942                                                 NL80211_ATTR_WIPHY_ANTENNA_TX,
1943                                                 tx_ant) ||
1944                                     nla_put_u32(msg,
1945                                                 NL80211_ATTR_WIPHY_ANTENNA_RX,
1946                                                 rx_ant))
1947                                         goto nla_put_failure;
1948                         }
1949                 }
1950 
1951                 state->split_start++;
1952                 if (state->split)
1953                         break;
1954                 /* fall through */
1955         case 2:
1956                 if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
1957                                         rdev->wiphy.interface_modes))
1958                                 goto nla_put_failure;
1959                 state->split_start++;
1960                 if (state->split)
1961                         break;
1962                 /* fall through */
1963         case 3:
1964                 nl_bands = nla_nest_start_noflag(msg,
1965                                                  NL80211_ATTR_WIPHY_BANDS);
1966                 if (!nl_bands)
1967                         goto nla_put_failure;
1968 
1969                 for (band = state->band_start;
1970                      band < NUM_NL80211_BANDS; band++) {
1971                         struct ieee80211_supported_band *sband;
1972 
1973                         sband = rdev->wiphy.bands[band];
1974 
1975                         if (!sband)
1976                                 continue;
1977 
1978                         nl_band = nla_nest_start_noflag(msg, band);
1979                         if (!nl_band)
1980                                 goto nla_put_failure;
1981 
1982                         switch (state->chan_start) {
1983                         case 0:
1984                                 if (nl80211_send_band_rateinfo(msg, sband))
1985                                         goto nla_put_failure;
1986                                 state->chan_start++;
1987                                 if (state->split)
1988                                         break;
1989                                 /* fall through */
1990                         default:
1991                                 /* add frequencies */
1992                                 nl_freqs = nla_nest_start_noflag(msg,
1993                                                                  NL80211_BAND_ATTR_FREQS);
1994                                 if (!nl_freqs)
1995                                         goto nla_put_failure;
1996 
1997                                 for (i = state->chan_start - 1;
1998                                      i < sband->n_channels;
1999                                      i++) {
2000                                         nl_freq = nla_nest_start_noflag(msg,
2001                                                                         i);
2002                                         if (!nl_freq)
2003                                                 goto nla_put_failure;
2004 
2005                                         chan = &sband->channels[i];
2006 
2007                                         if (nl80211_msg_put_channel(
2008                                                         msg, &rdev->wiphy, chan,
2009                                                         state->split))
2010                                                 goto nla_put_failure;
2011 
2012                                         nla_nest_end(msg, nl_freq);
2013                                         if (state->split)
2014                                                 break;
2015                                 }
2016                                 if (i < sband->n_channels)
2017                                         state->chan_start = i + 2;
2018                                 else
2019                                         state->chan_start = 0;
2020                                 nla_nest_end(msg, nl_freqs);
2021                         }
2022 
2023                         nla_nest_end(msg, nl_band);
2024 
2025                         if (state->split) {
2026                                 /* start again here */
2027                                 if (state->chan_start)
2028                                         band--;
2029                                 break;
2030                         }
2031                 }
2032                 nla_nest_end(msg, nl_bands);
2033 
2034                 if (band < NUM_NL80211_BANDS)
2035                         state->band_start = band + 1;
2036                 else
2037                         state->band_start = 0;
2038 
2039                 /* if bands & channels are done, continue outside */
2040                 if (state->band_start == 0 && state->chan_start == 0)
2041                         state->split_start++;
2042                 if (state->split)
2043                         break;
2044                 /* fall through */
2045         case 4:
2046                 nl_cmds = nla_nest_start_noflag(msg,
2047                                                 NL80211_ATTR_SUPPORTED_COMMANDS);
2048                 if (!nl_cmds)
2049                         goto nla_put_failure;
2050 
2051                 i = nl80211_add_commands_unsplit(rdev, msg);
2052                 if (i < 0)
2053                         goto nla_put_failure;
2054                 if (state->split) {
2055                         CMD(crit_proto_start, CRIT_PROTOCOL_START);
2056                         CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2057                         if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2058                                 CMD(channel_switch, CHANNEL_SWITCH);
2059                         CMD(set_qos_map, SET_QOS_MAP);
2060                         if (rdev->wiphy.features &
2061                                         NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2062                                 CMD(add_tx_ts, ADD_TX_TS);
2063                         CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2064                         CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2065                 }
2066 #undef CMD
2067 
2068                 nla_nest_end(msg, nl_cmds);
2069                 state->split_start++;
2070                 if (state->split)
2071                         break;
2072                 /* fall through */
2073         case 5:
2074                 if (rdev->ops->remain_on_channel &&
2075                     (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2076                     nla_put_u32(msg,
2077                                 NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2078                                 rdev->wiphy.max_remain_on_channel_duration))
2079                         goto nla_put_failure;
2080 
2081                 if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2082                     nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2083                         goto nla_put_failure;
2084 
2085                 if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2086                         goto nla_put_failure;
2087                 state->split_start++;
2088                 if (state->split)
2089                         break;
2090                 /* fall through */
2091         case 6:
2092 #ifdef CONFIG_PM
2093                 if (nl80211_send_wowlan(msg, rdev, state->split))
2094                         goto nla_put_failure;
2095                 state->split_start++;
2096                 if (state->split)
2097                         break;
2098 #else
2099                 state->split_start++;
2100 #endif
2101                 /* fall through */
2102         case 7:
2103                 if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2104                                         rdev->wiphy.software_iftypes))
2105                         goto nla_put_failure;
2106 
2107                 if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2108                                                    state->split))
2109                         goto nla_put_failure;
2110 
2111                 state->split_start++;
2112                 if (state->split)
2113                         break;
2114                 /* fall through */
2115         case 8:
2116                 if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2117                     nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2118                                 rdev->wiphy.ap_sme_capa))
2119                         goto nla_put_failure;
2120 
2121                 features = rdev->wiphy.features;
2122                 /*
2123                  * We can only add the per-channel limit information if the
2124                  * dump is split, otherwise it makes it too big. Therefore
2125                  * only advertise it in that case.
2126                  */
2127                 if (state->split)
2128                         features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2129                 if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2130                         goto nla_put_failure;
2131 
2132                 if (rdev->wiphy.ht_capa_mod_mask &&
2133                     nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2134                             sizeof(*rdev->wiphy.ht_capa_mod_mask),
2135                             rdev->wiphy.ht_capa_mod_mask))
2136                         goto nla_put_failure;
2137 
2138                 if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2139                     rdev->wiphy.max_acl_mac_addrs &&
2140                     nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2141                                 rdev->wiphy.max_acl_mac_addrs))
2142                         goto nla_put_failure;
2143 
2144                 /*
2145                  * Any information below this point is only available to
2146                  * applications that can deal with it being split. This
2147                  * helps ensure that newly added capabilities don't break
2148                  * older tools by overrunning their buffers.
2149                  *
2150                  * We still increment split_start so that in the split
2151                  * case we'll continue with more data in the next round,
2152                  * but break unconditionally so unsplit data stops here.
2153                  */
2154                 state->split_start++;
2155                 break;
2156         case 9:
2157                 if (rdev->wiphy.extended_capabilities &&
2158                     (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2159                              rdev->wiphy.extended_capabilities_len,
2160                              rdev->wiphy.extended_capabilities) ||
2161                      nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2162                              rdev->wiphy.extended_capabilities_len,
2163                              rdev->wiphy.extended_capabilities_mask)))
2164                         goto nla_put_failure;
2165 
2166                 if (rdev->wiphy.vht_capa_mod_mask &&
2167                     nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2168                             sizeof(*rdev->wiphy.vht_capa_mod_mask),
2169                             rdev->wiphy.vht_capa_mod_mask))
2170                         goto nla_put_failure;
2171 
2172                 state->split_start++;
2173                 break;
2174         case 10:
2175                 if (nl80211_send_coalesce(msg, rdev))
2176                         goto nla_put_failure;
2177 
2178                 if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2179                     (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2180                      nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2181                         goto nla_put_failure;
2182 
2183                 if (rdev->wiphy.max_ap_assoc_sta &&
2184                     nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2185                                 rdev->wiphy.max_ap_assoc_sta))
2186                         goto nla_put_failure;
2187 
2188                 state->split_start++;
2189                 break;
2190         case 11:
2191                 if (rdev->wiphy.n_vendor_commands) {
2192                         const struct nl80211_vendor_cmd_info *info;
2193                         struct nlattr *nested;
2194 
2195                         nested = nla_nest_start_noflag(msg,
2196                                                        NL80211_ATTR_VENDOR_DATA);
2197                         if (!nested)
2198                                 goto nla_put_failure;
2199 
2200                         for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2201                                 info = &rdev->wiphy.vendor_commands[i].info;
2202                                 if (nla_put(msg, i + 1, sizeof(*info), info))
2203                                         goto nla_put_failure;
2204                         }
2205                         nla_nest_end(msg, nested);
2206                 }
2207 
2208                 if (rdev->wiphy.n_vendor_events) {
2209                         const struct nl80211_vendor_cmd_info *info;
2210                         struct nlattr *nested;
2211 
2212                         nested = nla_nest_start_noflag(msg,
2213                                                        NL80211_ATTR_VENDOR_EVENTS);
2214                         if (!nested)
2215                                 goto nla_put_failure;
2216 
2217                         for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2218                                 info = &rdev->wiphy.vendor_events[i];
2219                                 if (nla_put(msg, i + 1, sizeof(*info), info))
2220                                         goto nla_put_failure;
2221                         }
2222                         nla_nest_end(msg, nested);
2223                 }
2224                 state->split_start++;
2225                 break;
2226         case 12:
2227                 if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2228                     nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2229                                rdev->wiphy.max_num_csa_counters))
2230                         goto nla_put_failure;
2231 
2232                 if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2233                     nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2234                         goto nla_put_failure;
2235 
2236                 if (rdev->wiphy.max_sched_scan_reqs &&
2237                     nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2238                                 rdev->wiphy.max_sched_scan_reqs))
2239                         goto nla_put_failure;
2240 
2241                 if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2242                             sizeof(rdev->wiphy.ext_features),
2243                             rdev->wiphy.ext_features))
2244                         goto nla_put_failure;
2245 
2246                 if (rdev->wiphy.bss_select_support) {
2247                         struct nlattr *nested;
2248                         u32 bss_select_support = rdev->wiphy.bss_select_support;
2249 
2250                         nested = nla_nest_start_noflag(msg,
2251                                                        NL80211_ATTR_BSS_SELECT);
2252                         if (!nested)
2253                                 goto nla_put_failure;
2254 
2255                         i = 0;
2256                         while (bss_select_support) {
2257                                 if ((bss_select_support & 1) &&
2258                                     nla_put_flag(msg, i))
2259                                         goto nla_put_failure;
2260                                 i++;
2261                                 bss_select_support >>= 1;
2262                         }
2263                         nla_nest_end(msg, nested);
2264                 }
2265 
2266                 state->split_start++;
2267                 break;
2268         case 13:
2269                 if (rdev->wiphy.num_iftype_ext_capab &&
2270                     rdev->wiphy.iftype_ext_capab) {
2271                         struct nlattr *nested_ext_capab, *nested;
2272 
2273                         nested = nla_nest_start_noflag(msg,
2274                                                        NL80211_ATTR_IFTYPE_EXT_CAPA);
2275                         if (!nested)
2276                                 goto nla_put_failure;
2277 
2278                         for (i = state->capa_start;
2279                              i < rdev->wiphy.num_iftype_ext_capab; i++) {
2280                                 const struct wiphy_iftype_ext_capab *capab;
2281 
2282                                 capab = &rdev->wiphy.iftype_ext_capab[i];
2283 
2284                                 nested_ext_capab = nla_nest_start_noflag(msg,
2285                                                                          i);
2286                                 if (!nested_ext_capab ||
2287                                     nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2288                                                 capab->iftype) ||
2289                                     nla_put(msg, NL80211_ATTR_EXT_CAPA,
2290                                             capab->extended_capabilities_len,
2291                                             capab->extended_capabilities) ||
2292                                     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2293                                             capab->extended_capabilities_len,
2294                                             capab->extended_capabilities_mask))
2295                                         goto nla_put_failure;
2296 
2297                                 nla_nest_end(msg, nested_ext_capab);
2298                                 if (state->split)
2299                                         break;
2300                         }
2301                         nla_nest_end(msg, nested);
2302                         if (i < rdev->wiphy.num_iftype_ext_capab) {
2303                                 state->capa_start = i + 1;
2304                                 break;
2305                         }
2306                 }
2307 
2308                 if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2309                                 rdev->wiphy.nan_supported_bands))
2310                         goto nla_put_failure;
2311 
2312                 if (wiphy_ext_feature_isset(&rdev->wiphy,
2313                                             NL80211_EXT_FEATURE_TXQS)) {
2314                         struct cfg80211_txq_stats txqstats = {};
2315                         int res;
2316 
2317                         res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2318                         if (!res &&
2319                             !nl80211_put_txq_stats(msg, &txqstats,
2320                                                    NL80211_ATTR_TXQ_STATS))
2321                                 goto nla_put_failure;
2322 
2323                         if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2324                                         rdev->wiphy.txq_limit))
2325                                 goto nla_put_failure;
2326                         if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2327                                         rdev->wiphy.txq_memory_limit))
2328                                 goto nla_put_failure;
2329                         if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2330                                         rdev->wiphy.txq_quantum))
2331                                 goto nla_put_failure;
2332                 }
2333 
2334                 state->split_start++;
2335                 break;
2336         case 14:
2337                 if (nl80211_send_pmsr_capa(rdev, msg))
2338                         goto nla_put_failure;
2339 
2340                 state->split_start++;
2341                 break;
2342         case 15:
2343                 if (rdev->wiphy.akm_suites &&
2344                     nla_put(msg, NL80211_ATTR_AKM_SUITES,
2345                             sizeof(u32) * rdev->wiphy.n_akm_suites,
2346                             rdev->wiphy.akm_suites))
2347                         goto nla_put_failure;
2348 
2349                 /* done */
2350                 state->split_start = 0;
2351                 break;
2352         }
2353  finish:
2354         genlmsg_end(msg, hdr);
2355         return 0;
2356 
2357  nla_put_failure:
2358         genlmsg_cancel(msg, hdr);
2359         return -EMSGSIZE;
2360 }
2361 
2362 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2363                                     struct netlink_callback *cb,
2364                                     struct nl80211_dump_wiphy_state *state)
2365 {
2366         struct nlattr **tb = genl_family_attrbuf(&nl80211_fam);
2367         int ret = nlmsg_parse_deprecated(cb->nlh,
2368                                          GENL_HDRLEN + nl80211_fam.hdrsize,
2369                                          tb, nl80211_fam.maxattr,
2370                                          nl80211_policy, NULL);
2371         /* ignore parse errors for backward compatibility */
2372         if (ret)
2373                 return 0;
2374 
2375         state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2376         if (tb[NL80211_ATTR_WIPHY])
2377                 state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2378         if (tb[NL80211_ATTR_WDEV])
2379                 state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
2380         if (tb[NL80211_ATTR_IFINDEX]) {
2381                 struct net_device *netdev;
2382                 struct cfg80211_registered_device *rdev;
2383                 int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
2384 
2385                 netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
2386                 if (!netdev)
2387                         return -ENODEV;
2388                 if (netdev->ieee80211_ptr) {
2389                         rdev = wiphy_to_rdev(
2390                                 netdev->ieee80211_ptr->wiphy);
2391                         state->filter_wiphy = rdev->wiphy_idx;
2392                 }
2393         }
2394 
2395         return 0;
2396 }
2397 
2398 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
2399 {
2400         int idx = 0, ret;
2401         struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
2402         struct cfg80211_registered_device *rdev;
2403 
2404         rtnl_lock();
2405         if (!state) {
2406                 state = kzalloc(sizeof(*state), GFP_KERNEL);
2407                 if (!state) {
2408                         rtnl_unlock();
2409                         return -ENOMEM;
2410                 }
2411                 state->filter_wiphy = -1;
2412                 ret = nl80211_dump_wiphy_parse(skb, cb, state);
2413                 if (ret) {
2414                         kfree(state);
2415                         rtnl_unlock();
2416                         return ret;
2417                 }
2418                 cb->args[0] = (long)state;
2419         }
2420 
2421         list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2422                 if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2423                         continue;
2424                 if (++idx <= state->start)
2425                         continue;
2426                 if (state->filter_wiphy != -1 &&
2427                     state->filter_wiphy != rdev->wiphy_idx)
2428                         continue;
2429                 /* attempt to fit multiple wiphy data chunks into the skb */
2430                 do {
2431                         ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
2432                                                  skb,
2433                                                  NETLINK_CB(cb->skb).portid,
2434                                                  cb->nlh->nlmsg_seq,
2435                                                  NLM_F_MULTI, state);
2436                         if (ret < 0) {
2437                                 /*
2438                                  * If sending the wiphy data didn't fit (ENOBUFS
2439                                  * or EMSGSIZE returned), this SKB is still
2440                                  * empty (so it's not too big because another
2441                                  * wiphy dataset is already in the skb) and
2442                                  * we've not tried to adjust the dump allocation
2443                                  * yet ... then adjust the alloc size to be
2444                                  * bigger, and return 1 but with the empty skb.
2445                                  * This results in an empty message being RX'ed
2446                                  * in userspace, but that is ignored.
2447                                  *
2448                                  * We can then retry with the larger buffer.
2449                                  */
2450                                 if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
2451                                     !skb->len && !state->split &&
2452                                     cb->min_dump_alloc < 4096) {
2453                                         cb->min_dump_alloc = 4096;
2454                                         state->split_start = 0;
2455                                         rtnl_unlock();
2456                                         return 1;
2457                                 }
2458                                 idx--;
2459                                 break;
2460                         }
2461                 } while (state->split_start > 0);
2462                 break;
2463         }
2464         rtnl_unlock();
2465 
2466         state->start = idx;
2467 
2468         return skb->len;
2469 }
2470 
2471 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
2472 {
2473         kfree((void *)cb->args[0]);
2474         return 0;
2475 }
2476 
2477 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
2478 {
2479         struct sk_buff *msg;
2480         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2481         struct nl80211_dump_wiphy_state state = {};
2482 
2483         msg = nlmsg_new(4096, GFP_KERNEL);
2484         if (!msg)
2485                 return -ENOMEM;
2486 
2487         if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
2488                                info->snd_portid, info->snd_seq, 0,
2489                                &state) < 0) {
2490                 nlmsg_free(msg);
2491                 return -ENOBUFS;
2492         }
2493 
2494         return genlmsg_reply(msg, info);
2495 }
2496 
2497 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
2498         [NL80211_TXQ_ATTR_QUEUE]                = { .type = NLA_U8 },
2499         [NL80211_TXQ_ATTR_TXOP]                 = { .type = NLA_U16 },
2500         [NL80211_TXQ_ATTR_CWMIN]                = { .type = NLA_U16 },
2501         [NL80211_TXQ_ATTR_CWMAX]                = { .type = NLA_U16 },
2502         [NL80211_TXQ_ATTR_AIFS]                 = { .type = NLA_U8 },
2503 };
2504 
2505 static int parse_txq_params(struct nlattr *tb[],
2506                             struct ieee80211_txq_params *txq_params)
2507 {
2508         u8 ac;
2509 
2510         if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
2511             !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
2512             !tb[NL80211_TXQ_ATTR_AIFS])
2513                 return -EINVAL;
2514 
2515         ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
2516         txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
2517         txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
2518         txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
2519         txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
2520 
2521         if (ac >= NL80211_NUM_ACS)
2522                 return -EINVAL;
2523         txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
2524         return 0;
2525 }
2526 
2527 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
2528 {
2529         /*
2530          * You can only set the channel explicitly for WDS interfaces,
2531          * all others have their channel managed via their respective
2532          * "establish a connection" command (connect, join, ...)
2533          *
2534          * For AP/GO and mesh mode, the channel can be set with the
2535          * channel userspace API, but is only stored and passed to the
2536          * low-level driver when the AP starts or the mesh is joined.
2537          * This is for backward compatibility, userspace can also give
2538          * the channel in the start-ap or join-mesh commands instead.
2539          *
2540          * Monitors are special as they are normally slaved to
2541          * whatever else is going on, so they have their own special
2542          * operation to set the monitor channel if possible.
2543          */
2544         return !wdev ||
2545                 wdev->iftype == NL80211_IFTYPE_AP ||
2546                 wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
2547                 wdev->iftype == NL80211_IFTYPE_MONITOR ||
2548                 wdev->iftype == NL80211_IFTYPE_P2P_GO;
2549 }
2550 
2551 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
2552                           struct genl_info *info,
2553                           struct cfg80211_chan_def *chandef)
2554 {
2555         struct netlink_ext_ack *extack = info->extack;
2556         struct nlattr **attrs = info->attrs;
2557         u32 control_freq;
2558 
2559         if (!attrs[NL80211_ATTR_WIPHY_FREQ])
2560                 return -EINVAL;
2561 
2562         control_freq = nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]);
2563 
2564         chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
2565         chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
2566         chandef->center_freq1 = control_freq;
2567         chandef->center_freq2 = 0;
2568 
2569         /* Primary channel not allowed */
2570         if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
2571                 NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
2572                                     "Channel is disabled");
2573                 return -EINVAL;
2574         }
2575 
2576         if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
2577                 enum nl80211_channel_type chantype;
2578 
2579                 chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
2580 
2581                 switch (chantype) {
2582                 case NL80211_CHAN_NO_HT:
2583                 case NL80211_CHAN_HT20:
2584                 case NL80211_CHAN_HT40PLUS:
2585                 case NL80211_CHAN_HT40MINUS:
2586                         cfg80211_chandef_create(chandef, chandef->chan,
2587                                                 chantype);
2588                         /* user input for center_freq is incorrect */
2589                         if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
2590                             chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
2591                                 NL_SET_ERR_MSG_ATTR(extack,
2592                                                     attrs[NL80211_ATTR_CENTER_FREQ1],
2593                                                     "bad center frequency 1");
2594                                 return -EINVAL;
2595                         }
2596                         /* center_freq2 must be zero */
2597                         if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
2598                             nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
2599                                 NL_SET_ERR_MSG_ATTR(extack,
2600                                                     attrs[NL80211_ATTR_CENTER_FREQ2],
2601                                                     "center frequency 2 can't be used");
2602                                 return -EINVAL;
2603                         }
2604                         break;
2605                 default:
2606                         NL_SET_ERR_MSG_ATTR(extack,
2607                                             attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
2608                                             "invalid channel type");
2609                         return -EINVAL;
2610                 }
2611         } else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
2612                 chandef->width =
2613                         nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
2614                 if (attrs[NL80211_ATTR_CENTER_FREQ1])
2615                         chandef->center_freq1 =
2616                                 nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
2617                 if (attrs[NL80211_ATTR_CENTER_FREQ2])
2618                         chandef->center_freq2 =
2619                                 nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
2620         }
2621 
2622         if (!cfg80211_chandef_valid(chandef)) {
2623                 NL_SET_ERR_MSG(extack, "invalid channel definition");
2624                 return -EINVAL;
2625         }
2626 
2627         if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
2628                                      IEEE80211_CHAN_DISABLED)) {
2629                 NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
2630                 return -EINVAL;
2631         }
2632 
2633         if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
2634              chandef->width == NL80211_CHAN_WIDTH_10) &&
2635             !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
2636                 NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
2637                 return -EINVAL;
2638         }
2639 
2640         return 0;
2641 }
2642 
2643 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
2644                                  struct net_device *dev,
2645                                  struct genl_info *info)
2646 {
2647         struct cfg80211_chan_def chandef;
2648         int result;
2649         enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
2650         struct wireless_dev *wdev = NULL;
2651 
2652         if (dev)
2653                 wdev = dev->ieee80211_ptr;
2654         if (!nl80211_can_set_dev_channel(wdev))
2655                 return -EOPNOTSUPP;
2656         if (wdev)
2657                 iftype = wdev->iftype;
2658 
2659         result = nl80211_parse_chandef(rdev, info, &chandef);
2660         if (result)
2661                 return result;
2662 
2663         switch (iftype) {
2664         case NL80211_IFTYPE_AP:
2665         case NL80211_IFTYPE_P2P_GO:
2666                 if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
2667                                                    iftype)) {
2668                         result = -EINVAL;
2669                         break;
2670                 }
2671                 if (wdev->beacon_interval) {
2672                         if (!dev || !rdev->ops->set_ap_chanwidth ||
2673                             !(rdev->wiphy.features &
2674                               NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
2675                                 result = -EBUSY;
2676                                 break;
2677                         }
2678 
2679                         /* Only allow dynamic channel width changes */
2680                         if (chandef.chan != wdev->preset_chandef.chan) {
2681                                 result = -EBUSY;
2682                                 break;
2683                         }
2684                         result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
2685                         if (result)
2686                                 break;
2687                 }
2688                 wdev->preset_chandef = chandef;
2689                 result = 0;
2690                 break;
2691         case NL80211_IFTYPE_MESH_POINT:
2692                 result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
2693                 break;
2694         case NL80211_IFTYPE_MONITOR:
2695                 result = cfg80211_set_monitor_channel(rdev, &chandef);
2696                 break;
2697         default:
2698                 result = -EINVAL;
2699         }
2700 
2701         return result;
2702 }
2703 
2704 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
2705 {
2706         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2707         struct net_device *netdev = info->user_ptr[1];
2708 
2709         return __nl80211_set_channel(rdev, netdev, info);
2710 }
2711 
2712 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
2713 {
2714         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2715         struct net_device *dev = info->user_ptr[1];
2716         struct wireless_dev *wdev = dev->ieee80211_ptr;
2717         const u8 *bssid;
2718 
2719         if (!info->attrs[NL80211_ATTR_MAC])
2720                 return -EINVAL;
2721 
2722         if (netif_running(dev))
2723                 return -EBUSY;
2724 
2725         if (!rdev->ops->set_wds_peer)
2726                 return -EOPNOTSUPP;
2727 
2728         if (wdev->iftype != NL80211_IFTYPE_WDS)
2729                 return -EOPNOTSUPP;
2730 
2731         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
2732         return rdev_set_wds_peer(rdev, dev, bssid);
2733 }
2734 
2735 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
2736 {
2737         struct cfg80211_registered_device *rdev;
2738         struct net_device *netdev = NULL;
2739         struct wireless_dev *wdev;
2740         int result = 0, rem_txq_params = 0;
2741         struct nlattr *nl_txq_params;
2742         u32 changed;
2743         u8 retry_short = 0, retry_long = 0;
2744         u32 frag_threshold = 0, rts_threshold = 0;
2745         u8 coverage_class = 0;
2746         u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
2747 
2748         ASSERT_RTNL();
2749 
2750         /*
2751          * Try to find the wiphy and netdev. Normally this
2752          * function shouldn't need the netdev, but this is
2753          * done for backward compatibility -- previously
2754          * setting the channel was done per wiphy, but now
2755          * it is per netdev. Previous userland like hostapd
2756          * also passed a netdev to set_wiphy, so that it is
2757          * possible to let that go to the right netdev!
2758          */
2759 
2760         if (info->attrs[NL80211_ATTR_IFINDEX]) {
2761                 int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
2762 
2763                 netdev = __dev_get_by_index(genl_info_net(info), ifindex);
2764                 if (netdev && netdev->ieee80211_ptr)
2765                         rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
2766                 else
2767                         netdev = NULL;
2768         }
2769 
2770         if (!netdev) {
2771                 rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
2772                                                   info->attrs);
2773                 if (IS_ERR(rdev))
2774                         return PTR_ERR(rdev);
2775                 wdev = NULL;
2776                 netdev = NULL;
2777                 result = 0;
2778         } else
2779                 wdev = netdev->ieee80211_ptr;
2780 
2781         /*
2782          * end workaround code, by now the rdev is available
2783          * and locked, and wdev may or may not be NULL.
2784          */
2785 
2786         if (info->attrs[NL80211_ATTR_WIPHY_NAME])
2787                 result = cfg80211_dev_rename(
2788                         rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
2789 
2790         if (result)
2791                 return result;
2792 
2793         if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
2794                 struct ieee80211_txq_params txq_params;
2795                 struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
2796 
2797                 if (!rdev->ops->set_txq_params)
2798                         return -EOPNOTSUPP;
2799 
2800                 if (!netdev)
2801                         return -EINVAL;
2802 
2803                 if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2804                     netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2805                         return -EINVAL;
2806 
2807                 if (!netif_running(netdev))
2808                         return -ENETDOWN;
2809 
2810                 nla_for_each_nested(nl_txq_params,
2811                                     info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
2812                                     rem_txq_params) {
2813                         result = nla_parse_nested_deprecated(tb,
2814                                                              NL80211_TXQ_ATTR_MAX,
2815                                                              nl_txq_params,
2816                                                              txq_params_policy,
2817                                                              info->extack);
2818                         if (result)
2819                                 return result;
2820                         result = parse_txq_params(tb, &txq_params);
2821                         if (result)
2822                                 return result;
2823 
2824                         result = rdev_set_txq_params(rdev, netdev,
2825                                                      &txq_params);
2826                         if (result)
2827                                 return result;
2828                 }
2829         }
2830 
2831         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2832                 result = __nl80211_set_channel(
2833                         rdev,
2834                         nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
2835                         info);
2836                 if (result)
2837                         return result;
2838         }
2839 
2840         if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
2841                 struct wireless_dev *txp_wdev = wdev;
2842                 enum nl80211_tx_power_setting type;
2843                 int idx, mbm = 0;
2844 
2845                 if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
2846                         txp_wdev = NULL;
2847 
2848                 if (!rdev->ops->set_tx_power)
2849                         return -EOPNOTSUPP;
2850 
2851                 idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
2852                 type = nla_get_u32(info->attrs[idx]);
2853 
2854                 if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
2855                     (type != NL80211_TX_POWER_AUTOMATIC))
2856                         return -EINVAL;
2857 
2858                 if (type != NL80211_TX_POWER_AUTOMATIC) {
2859                         idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
2860                         mbm = nla_get_u32(info->attrs[idx]);
2861                 }
2862 
2863                 result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
2864                 if (result)
2865                         return result;
2866         }
2867 
2868         if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
2869             info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
2870                 u32 tx_ant, rx_ant;
2871 
2872                 if ((!rdev->wiphy.available_antennas_tx &&
2873                      !rdev->wiphy.available_antennas_rx) ||
2874                     !rdev->ops->set_antenna)
2875                         return -EOPNOTSUPP;
2876 
2877                 tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
2878                 rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
2879 
2880                 /* reject antenna configurations which don't match the
2881                  * available antenna masks, except for the "all" mask */
2882                 if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
2883                     (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
2884                         return -EINVAL;
2885 
2886                 tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
2887                 rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
2888 
2889                 result = rdev_set_antenna(rdev, tx_ant, rx_ant);
2890                 if (result)
2891                         return result;
2892         }
2893 
2894         changed = 0;
2895 
2896         if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
2897                 retry_short = nla_get_u8(
2898                         info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
2899 
2900                 changed |= WIPHY_PARAM_RETRY_SHORT;
2901         }
2902 
2903         if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
2904                 retry_long = nla_get_u8(
2905                         info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
2906 
2907                 changed |= WIPHY_PARAM_RETRY_LONG;
2908         }
2909 
2910         if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
2911                 frag_threshold = nla_get_u32(
2912                         info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
2913                 if (frag_threshold < 256)
2914                         return -EINVAL;
2915 
2916                 if (frag_threshold != (u32) -1) {
2917                         /*
2918                          * Fragments (apart from the last one) are required to
2919                          * have even length. Make the fragmentation code
2920                          * simpler by stripping LSB should someone try to use
2921                          * odd threshold value.
2922                          */
2923                         frag_threshold &= ~0x1;
2924                 }
2925                 changed |= WIPHY_PARAM_FRAG_THRESHOLD;
2926         }
2927 
2928         if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
2929                 rts_threshold = nla_get_u32(
2930                         info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
2931                 changed |= WIPHY_PARAM_RTS_THRESHOLD;
2932         }
2933 
2934         if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
2935                 if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
2936                         return -EINVAL;
2937 
2938                 coverage_class = nla_get_u8(
2939                         info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
2940                 changed |= WIPHY_PARAM_COVERAGE_CLASS;
2941         }
2942 
2943         if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
2944                 if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
2945                         return -EOPNOTSUPP;
2946 
2947                 changed |= WIPHY_PARAM_DYN_ACK;
2948         }
2949 
2950         if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
2951                 if (!wiphy_ext_feature_isset(&rdev->wiphy,
2952                                              NL80211_EXT_FEATURE_TXQS))
2953                         return -EOPNOTSUPP;
2954                 txq_limit = nla_get_u32(
2955                         info->attrs[NL80211_ATTR_TXQ_LIMIT]);
2956                 changed |= WIPHY_PARAM_TXQ_LIMIT;
2957         }
2958 
2959         if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
2960                 if (!wiphy_ext_feature_isset(&rdev->wiphy,
2961                                              NL80211_EXT_FEATURE_TXQS))
2962                         return -EOPNOTSUPP;
2963                 txq_memory_limit = nla_get_u32(
2964                         info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
2965                 changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
2966         }
2967 
2968         if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
2969                 if (!wiphy_ext_feature_isset(&rdev->wiphy,
2970                                              NL80211_EXT_FEATURE_TXQS))
2971                         return -EOPNOTSUPP;
2972                 txq_quantum = nla_get_u32(
2973                         info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
2974                 changed |= WIPHY_PARAM_TXQ_QUANTUM;
2975         }
2976 
2977         if (changed) {
2978                 u8 old_retry_short, old_retry_long;
2979                 u32 old_frag_threshold, old_rts_threshold;
2980                 u8 old_coverage_class;
2981                 u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
2982 
2983                 if (!rdev->ops->set_wiphy_params)
2984                         return -EOPNOTSUPP;
2985 
2986                 old_retry_short = rdev->wiphy.retry_short;
2987                 old_retry_long = rdev->wiphy.retry_long;
2988                 old_frag_threshold = rdev->wiphy.frag_threshold;
2989                 old_rts_threshold = rdev->wiphy.rts_threshold;
2990                 old_coverage_class = rdev->wiphy.coverage_class;
2991                 old_txq_limit = rdev->wiphy.txq_limit;
2992                 old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
2993                 old_txq_quantum = rdev->wiphy.txq_quantum;
2994 
2995                 if (changed & WIPHY_PARAM_RETRY_SHORT)
2996                         rdev->wiphy.retry_short = retry_short;
2997                 if (changed & WIPHY_PARAM_RETRY_LONG)
2998                         rdev->wiphy.retry_long = retry_long;
2999                 if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3000                         rdev->wiphy.frag_threshold = frag_threshold;
3001                 if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3002                         rdev->wiphy.rts_threshold = rts_threshold;
3003                 if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3004                         rdev->wiphy.coverage_class = coverage_class;
3005                 if (changed & WIPHY_PARAM_TXQ_LIMIT)
3006                         rdev->wiphy.txq_limit = txq_limit;
3007                 if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3008                         rdev->wiphy.txq_memory_limit = txq_memory_limit;
3009                 if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3010                         rdev->wiphy.txq_quantum = txq_quantum;
3011 
3012                 result = rdev_set_wiphy_params(rdev, changed);
3013                 if (result) {
3014                         rdev->wiphy.retry_short = old_retry_short;
3015                         rdev->wiphy.retry_long = old_retry_long;
3016                         rdev->wiphy.frag_threshold = old_frag_threshold;
3017                         rdev->wiphy.rts_threshold = old_rts_threshold;
3018                         rdev->wiphy.coverage_class = old_coverage_class;
3019                         rdev->wiphy.txq_limit = old_txq_limit;
3020                         rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3021                         rdev->wiphy.txq_quantum = old_txq_quantum;
3022                         return result;
3023                 }
3024         }
3025         return 0;
3026 }
3027 
3028 static int nl80211_send_chandef(struct sk_buff *msg,
3029                                 const struct cfg80211_chan_def *chandef)
3030 {
3031         if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3032                 return -EINVAL;
3033 
3034         if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3035                         chandef->chan->center_freq))
3036                 return -ENOBUFS;
3037         switch (chandef->width) {
3038         case NL80211_CHAN_WIDTH_20_NOHT:
3039         case NL80211_CHAN_WIDTH_20:
3040         case NL80211_CHAN_WIDTH_40:
3041                 if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3042                                 cfg80211_get_chandef_type(chandef)))
3043                         return -ENOBUFS;
3044                 break;
3045         default:
3046                 break;
3047         }
3048         if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3049                 return -ENOBUFS;
3050         if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3051                 return -ENOBUFS;
3052         if (chandef->center_freq2 &&
3053             nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3054                 return -ENOBUFS;
3055         return 0;
3056 }
3057 
3058 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3059                               struct cfg80211_registered_device *rdev,
3060                               struct wireless_dev *wdev,
3061                               enum nl80211_commands cmd)
3062 {
3063         struct net_device *dev = wdev->netdev;
3064         void *hdr;
3065 
3066         WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3067                 cmd != NL80211_CMD_DEL_INTERFACE &&
3068                 cmd != NL80211_CMD_SET_INTERFACE);
3069 
3070         hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3071         if (!hdr)
3072                 return -1;
3073 
3074         if (dev &&
3075             (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3076              nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3077                 goto nla_put_failure;
3078 
3079         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3080             nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3081             nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3082                               NL80211_ATTR_PAD) ||
3083             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3084             nla_put_u32(msg, NL80211_ATTR_GENERATION,
3085                         rdev->devlist_generation ^
3086                         (cfg80211_rdev_list_generation << 2)) ||
3087             nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3088                 goto nla_put_failure;
3089 
3090         if (rdev->ops->get_channel) {
3091                 int ret;
3092                 struct cfg80211_chan_def chandef;
3093 
3094                 ret = rdev_get_channel(rdev, wdev, &chandef);
3095                 if (ret == 0) {
3096                         if (nl80211_send_chandef(msg, &chandef))
3097                                 goto nla_put_failure;
3098                 }
3099         }
3100 
3101         if (rdev->ops->get_tx_power) {
3102                 int dbm, ret;
3103 
3104                 ret = rdev_get_tx_power(rdev, wdev, &dbm);
3105                 if (ret == 0 &&
3106                     nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3107                                 DBM_TO_MBM(dbm)))
3108                         goto nla_put_failure;
3109         }
3110 
3111         wdev_lock(wdev);
3112         switch (wdev->iftype) {
3113         case NL80211_IFTYPE_AP:
3114                 if (wdev->ssid_len &&
3115                     nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
3116                         goto nla_put_failure_locked;
3117                 break;
3118         case NL80211_IFTYPE_STATION:
3119         case NL80211_IFTYPE_P2P_CLIENT:
3120         case NL80211_IFTYPE_ADHOC: {
3121                 const u8 *ssid_ie;
3122                 if (!wdev->current_bss)
3123                         break;
3124                 rcu_read_lock();
3125                 ssid_ie = ieee80211_bss_get_ie(&wdev->current_bss->pub,
3126                                                WLAN_EID_SSID);
3127                 if (ssid_ie &&
3128                     nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2))
3129                         goto nla_put_failure_rcu_locked;
3130                 rcu_read_unlock();
3131                 break;
3132                 }
3133         default:
3134                 /* nothing */
3135                 break;
3136         }
3137         wdev_unlock(wdev);
3138 
3139         if (rdev->ops->get_txq_stats) {
3140                 struct cfg80211_txq_stats txqstats = {};
3141                 int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3142 
3143                 if (ret == 0 &&
3144                     !nl80211_put_txq_stats(msg, &txqstats,
3145                                            NL80211_ATTR_TXQ_STATS))
3146                         goto nla_put_failure;
3147         }
3148 
3149         genlmsg_end(msg, hdr);
3150         return 0;
3151 
3152  nla_put_failure_rcu_locked:
3153         rcu_read_unlock();
3154  nla_put_failure_locked:
3155         wdev_unlock(wdev);
3156  nla_put_failure:
3157         genlmsg_cancel(msg, hdr);
3158         return -EMSGSIZE;
3159 }
3160 
3161 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3162 {
3163         int wp_idx = 0;
3164         int if_idx = 0;
3165         int wp_start = cb->args[0];
3166         int if_start = cb->args[1];
3167         int filter_wiphy = -1;
3168         struct cfg80211_registered_device *rdev;
3169         struct wireless_dev *wdev;
3170         int ret;
3171 
3172         rtnl_lock();
3173         if (!cb->args[2]) {
3174                 struct nl80211_dump_wiphy_state state = {
3175                         .filter_wiphy = -1,
3176                 };
3177 
3178                 ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3179                 if (ret)
3180                         goto out_unlock;
3181 
3182                 filter_wiphy = state.filter_wiphy;
3183 
3184                 /*
3185                  * if filtering, set cb->args[2] to +1 since 0 is the default
3186                  * value needed to determine that parsing is necessary.
3187                  */
3188                 if (filter_wiphy >= 0)
3189                         cb->args[2] = filter_wiphy + 1;
3190                 else
3191                         cb->args[2] = -1;
3192         } else if (cb->args[2] > 0) {
3193                 filter_wiphy = cb->args[2] - 1;
3194         }
3195 
3196         list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3197                 if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3198                         continue;
3199                 if (wp_idx < wp_start) {
3200                         wp_idx++;
3201                         continue;
3202                 }
3203 
3204                 if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3205                         continue;
3206 
3207                 if_idx = 0;
3208 
3209                 list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3210                         if (if_idx < if_start) {
3211                                 if_idx++;
3212                                 continue;
3213                         }
3214                         if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
3215                                                cb->nlh->nlmsg_seq, NLM_F_MULTI,
3216                                                rdev, wdev,
3217                                                NL80211_CMD_NEW_INTERFACE) < 0) {
3218                                 goto out;
3219                         }
3220                         if_idx++;
3221                 }
3222 
3223                 wp_idx++;
3224         }
3225  out:
3226         cb->args[0] = wp_idx;
3227         cb->args[1] = if_idx;
3228 
3229         ret = skb->len;
3230  out_unlock:
3231         rtnl_unlock();
3232 
3233         return ret;
3234 }
3235 
3236 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3237 {
3238         struct sk_buff *msg;
3239         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3240         struct wireless_dev *wdev = info->user_ptr[1];
3241 
3242         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3243         if (!msg)
3244                 return -ENOMEM;
3245 
3246         if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3247                                rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3248                 nlmsg_free(msg);
3249                 return -ENOBUFS;
3250         }
3251 
3252         return genlmsg_reply(msg, info);
3253 }
3254 
3255 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
3256         [NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
3257         [NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
3258         [NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
3259         [NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
3260         [NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
3261         [NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
3262 };
3263 
3264 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
3265 {
3266         struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
3267         int flag;
3268 
3269         *mntrflags = 0;
3270 
3271         if (!nla)
3272                 return -EINVAL;
3273 
3274         if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
3275                 return -EINVAL;
3276 
3277         for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
3278                 if (flags[flag])
3279                         *mntrflags |= (1<<flag);
3280 
3281         *mntrflags |= MONITOR_FLAG_CHANGED;
3282 
3283         return 0;
3284 }
3285 
3286 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
3287                                      enum nl80211_iftype type,
3288                                      struct genl_info *info,
3289                                      struct vif_params *params)
3290 {
3291         bool change = false;
3292         int err;
3293 
3294         if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
3295                 if (type != NL80211_IFTYPE_MONITOR)
3296                         return -EINVAL;
3297 
3298                 err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
3299                                           &params->flags);
3300                 if (err)
3301                         return err;
3302 
3303                 change = true;
3304         }
3305 
3306         if (params->flags & MONITOR_FLAG_ACTIVE &&
3307             !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
3308                 return -EOPNOTSUPP;
3309 
3310         if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
3311                 const u8 *mumimo_groups;
3312                 u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3313 
3314                 if (type != NL80211_IFTYPE_MONITOR)
3315                         return -EINVAL;
3316 
3317                 if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3318                         return -EOPNOTSUPP;
3319 
3320                 mumimo_groups =
3321                         nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
3322 
3323                 /* bits 0 and 63 are reserved and must be zero */
3324                 if ((mumimo_groups[0] & BIT(0)) ||
3325                     (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
3326                         return -EINVAL;
3327 
3328                 params->vht_mumimo_groups = mumimo_groups;
3329                 change = true;
3330         }
3331 
3332         if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
3333                 u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3334 
3335                 if (type != NL80211_IFTYPE_MONITOR)
3336                         return -EINVAL;
3337 
3338                 if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3339                         return -EOPNOTSUPP;
3340 
3341                 params->vht_mumimo_follow_addr =
3342                         nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
3343                 change = true;
3344         }
3345 
3346         return change ? 1 : 0;
3347 }
3348 
3349 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
3350                                struct net_device *netdev, u8 use_4addr,
3351                                enum nl80211_iftype iftype)
3352 {
3353         if (!use_4addr) {
3354                 if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
3355                         return -EBUSY;
3356                 return 0;
3357         }
3358 
3359         switch (iftype) {
3360         case NL80211_IFTYPE_AP_VLAN:
3361                 if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
3362                         return 0;
3363                 break;
3364         case NL80211_IFTYPE_STATION:
3365                 if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
3366                         return 0;
3367                 break;
3368         default:
3369                 break;
3370         }
3371 
3372         return -EOPNOTSUPP;
3373 }
3374 
3375 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
3376 {
3377         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3378         struct vif_params params;
3379         int err;
3380         enum nl80211_iftype otype, ntype;
3381         struct net_device *dev = info->user_ptr[1];
3382         bool change = false;
3383 
3384         memset(&params, 0, sizeof(params));
3385 
3386         otype = ntype = dev->ieee80211_ptr->iftype;
3387 
3388         if (info->attrs[NL80211_ATTR_IFTYPE]) {
3389                 ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3390                 if (otype != ntype)
3391                         change = true;
3392         }
3393 
3394         if (info->attrs[NL80211_ATTR_MESH_ID]) {
3395                 struct wireless_dev *wdev = dev->ieee80211_ptr;
3396 
3397                 if (ntype != NL80211_IFTYPE_MESH_POINT)
3398                         return -EINVAL;
3399                 if (netif_running(dev))
3400                         return -EBUSY;
3401 
3402                 wdev_lock(wdev);
3403                 BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3404                              IEEE80211_MAX_MESH_ID_LEN);
3405                 wdev->mesh_id_up_len =
3406                         nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3407                 memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3408                        wdev->mesh_id_up_len);
3409                 wdev_unlock(wdev);
3410         }
3411 
3412         if (info->attrs[NL80211_ATTR_4ADDR]) {
3413                 params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3414                 change = true;
3415                 err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
3416                 if (err)
3417                         return err;
3418         } else {
3419                 params.use_4addr = -1;
3420         }
3421 
3422         err = nl80211_parse_mon_options(rdev, ntype, info, &params);
3423         if (err < 0)
3424                 return err;
3425         if (err > 0)
3426                 change = true;
3427 
3428         if (change)
3429                 err = cfg80211_change_iface(rdev, dev, ntype, &params);
3430         else
3431                 err = 0;
3432 
3433         if (!err && params.use_4addr != -1)
3434                 dev->ieee80211_ptr->use_4addr = params.use_4addr;
3435 
3436         if (change && !err) {
3437                 struct wireless_dev *wdev = dev->ieee80211_ptr;
3438 
3439                 nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
3440         }
3441 
3442         return err;
3443 }
3444 
3445 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
3446 {
3447         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3448         struct vif_params params;
3449         struct wireless_dev *wdev;
3450         struct sk_buff *msg;
3451         int err;
3452         enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
3453 
3454         /* to avoid failing a new interface creation due to pending removal */
3455         cfg80211_destroy_ifaces(rdev);
3456 
3457         memset(&params, 0, sizeof(params));
3458 
3459         if (!info->attrs[NL80211_ATTR_IFNAME])
3460                 return -EINVAL;
3461 
3462         if (info->attrs[NL80211_ATTR_IFTYPE])
3463                 type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3464 
3465         if (!rdev->ops->add_virtual_intf)
3466                 return -EOPNOTSUPP;
3467 
3468         if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
3469              rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
3470             info->attrs[NL80211_ATTR_MAC]) {
3471                 nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
3472                            ETH_ALEN);
3473                 if (!is_valid_ether_addr(params.macaddr))
3474                         return -EADDRNOTAVAIL;
3475         }
3476 
3477         if (info->attrs[NL80211_ATTR_4ADDR]) {
3478                 params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3479                 err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
3480                 if (err)
3481                         return err;
3482         }
3483 
3484         if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
3485                 return -EOPNOTSUPP;
3486 
3487         err = nl80211_parse_mon_options(rdev, type, info, &params);
3488         if (err < 0)
3489                 return err;
3490 
3491         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3492         if (!msg)
3493                 return -ENOMEM;
3494 
3495         wdev = rdev_add_virtual_intf(rdev,
3496                                 nla_data(info->attrs[NL80211_ATTR_IFNAME]),
3497                                 NET_NAME_USER, type, &params);
3498         if (WARN_ON(!wdev)) {
3499                 nlmsg_free(msg);
3500                 return -EPROTO;
3501         } else if (IS_ERR(wdev)) {
3502                 nlmsg_free(msg);
3503                 return PTR_ERR(wdev);
3504         }
3505 
3506         if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
3507                 wdev->owner_nlportid = info->snd_portid;
3508 
3509         switch (type) {
3510         case NL80211_IFTYPE_MESH_POINT:
3511                 if (!info->attrs[NL80211_ATTR_MESH_ID])
3512                         break;
3513                 wdev_lock(wdev);
3514                 BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3515                              IEEE80211_MAX_MESH_ID_LEN);
3516                 wdev->mesh_id_up_len =
3517                         nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3518                 memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3519                        wdev->mesh_id_up_len);
3520                 wdev_unlock(wdev);
3521                 break;
3522         case NL80211_IFTYPE_NAN:
3523         case NL80211_IFTYPE_P2P_DEVICE:
3524                 /*
3525                  * P2P Device and NAN do not have a netdev, so don't go
3526                  * through the netdev notifier and must be added here
3527                  */
3528                 cfg80211_init_wdev(rdev, wdev);
3529                 break;
3530         default:
3531                 break;
3532         }
3533 
3534         if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3535                                rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3536                 nlmsg_free(msg);
3537                 return -ENOBUFS;
3538         }
3539 
3540         return genlmsg_reply(msg, info);
3541 }
3542 
3543 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
3544 {
3545         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3546         struct wireless_dev *wdev = info->user_ptr[1];
3547 
3548         if (!rdev->ops->del_virtual_intf)
3549                 return -EOPNOTSUPP;
3550 
3551         /*
3552          * If we remove a wireless device without a netdev then clear
3553          * user_ptr[1] so that nl80211_post_doit won't dereference it
3554          * to check if it needs to do dev_put(). Otherwise it crashes
3555          * since the wdev has been freed, unlike with a netdev where
3556          * we need the dev_put() for the netdev to really be freed.
3557          */
3558         if (!wdev->netdev)
3559                 info->user_ptr[1] = NULL;
3560 
3561         return rdev_del_virtual_intf(rdev, wdev);
3562 }
3563 
3564 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
3565 {
3566         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3567         struct net_device *dev = info->user_ptr[1];
3568         u16 noack_map;
3569 
3570         if (!info->attrs[NL80211_ATTR_NOACK_MAP])
3571                 return -EINVAL;
3572 
3573         if (!rdev->ops->set_noack_map)
3574                 return -EOPNOTSUPP;
3575 
3576         noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
3577 
3578         return rdev_set_noack_map(rdev, dev, noack_map);
3579 }
3580 
3581 struct get_key_cookie {
3582         struct sk_buff *msg;
3583         int error;
3584         int idx;
3585 };
3586 
3587 static void get_key_callback(void *c, struct key_params *params)
3588 {
3589         struct nlattr *key;
3590         struct get_key_cookie *cookie = c;
3591 
3592         if ((params->key &&
3593              nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
3594                      params->key_len, params->key)) ||
3595             (params->seq &&
3596              nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
3597                      params->seq_len, params->seq)) ||
3598             (params->cipher &&
3599              nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
3600                          params->cipher)))
3601                 goto nla_put_failure;
3602 
3603         key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
3604         if (!key)
3605                 goto nla_put_failure;
3606 
3607         if ((params->key &&
3608              nla_put(cookie->msg, NL80211_KEY_DATA,
3609                      params->key_len, params->key)) ||
3610             (params->seq &&
3611              nla_put(cookie->msg, NL80211_KEY_SEQ,
3612                      params->seq_len, params->seq)) ||
3613             (params->cipher &&
3614              nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
3615                          params->cipher)))
3616                 goto nla_put_failure;
3617 
3618         if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
3619                 goto nla_put_failure;
3620 
3621         nla_nest_end(cookie->msg, key);
3622 
3623         return;
3624  nla_put_failure:
3625         cookie->error = 1;
3626 }
3627 
3628 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
3629 {
3630         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3631         int err;
3632         struct net_device *dev = info->user_ptr[1];
3633         u8 key_idx = 0;
3634         const u8 *mac_addr = NULL;
3635         bool pairwise;
3636         struct get_key_cookie cookie = {
3637                 .error = 0,
3638         };
3639         void *hdr;
3640         struct sk_buff *msg;
3641 
3642         if (info->attrs[NL80211_ATTR_KEY_IDX])
3643                 key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
3644 
3645         if (info->attrs[NL80211_ATTR_MAC])
3646                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3647 
3648         pairwise = !!mac_addr;
3649         if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
3650                 u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
3651 
3652                 if (kt != NL80211_KEYTYPE_GROUP &&
3653                     kt != NL80211_KEYTYPE_PAIRWISE)
3654                         return -EINVAL;
3655                 pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
3656         }
3657 
3658         if (!rdev->ops->get_key)
3659                 return -EOPNOTSUPP;
3660 
3661         if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3662                 return -ENOENT;
3663 
3664         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3665         if (!msg)
3666                 return -ENOMEM;
3667 
3668         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
3669                              NL80211_CMD_NEW_KEY);
3670         if (!hdr)
3671                 goto nla_put_failure;
3672 
3673         cookie.msg = msg;
3674         cookie.idx = key_idx;
3675 
3676         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3677             nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
3678                 goto nla_put_failure;
3679         if (mac_addr &&
3680             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
3681                 goto nla_put_failure;
3682 
3683         err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
3684                            get_key_callback);
3685 
3686         if (err)
3687                 goto free_msg;
3688 
3689         if (cookie.error)
3690                 goto nla_put_failure;
3691 
3692         genlmsg_end(msg, hdr);
3693         return genlmsg_reply(msg, info);
3694 
3695  nla_put_failure:
3696         err = -ENOBUFS;
3697  free_msg:
3698         nlmsg_free(msg);
3699         return err;
3700 }
3701 
3702 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
3703 {
3704         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3705         struct key_parse key;
3706         int err;
3707         struct net_device *dev = info->user_ptr[1];
3708 
3709         err = nl80211_parse_key(info, &key);
3710         if (err)
3711                 return err;
3712 
3713         if (key.idx < 0)
3714                 return -EINVAL;
3715 
3716         /* Only support setting default key and
3717          * Extended Key ID action NL80211_KEY_SET_TX.
3718          */
3719         if (!key.def && !key.defmgmt &&
3720             !(key.p.mode == NL80211_KEY_SET_TX))
3721                 return -EINVAL;
3722 
3723         wdev_lock(dev->ieee80211_ptr);
3724 
3725         if (key.def) {
3726                 if (!rdev->ops->set_default_key) {
3727                         err = -EOPNOTSUPP;
3728                         goto out;
3729                 }
3730 
3731                 err = nl80211_key_allowed(dev->ieee80211_ptr);
3732                 if (err)
3733                         goto out;
3734 
3735                 err = rdev_set_default_key(rdev, dev, key.idx,
3736                                                  key.def_uni, key.def_multi);
3737 
3738                 if (err)
3739                         goto out;
3740 
3741 #ifdef CONFIG_CFG80211_WEXT
3742                 dev->ieee80211_ptr->wext.default_key = key.idx;
3743 #endif
3744         } else if (key.defmgmt) {
3745                 if (key.def_uni || !key.def_multi) {
3746                         err = -EINVAL;
3747                         goto out;
3748                 }
3749 
3750                 if (!rdev->ops->set_default_mgmt_key) {
3751                         err = -EOPNOTSUPP;
3752                         goto out;
3753                 }
3754 
3755                 err = nl80211_key_allowed(dev->ieee80211_ptr);
3756                 if (err)
3757                         goto out;
3758 
3759                 err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
3760                 if (err)
3761                         goto out;
3762 
3763 #ifdef CONFIG_CFG80211_WEXT
3764                 dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
3765 #endif
3766         } else if (key.p.mode == NL80211_KEY_SET_TX &&
3767                    wiphy_ext_feature_isset(&rdev->wiphy,
3768                                            NL80211_EXT_FEATURE_EXT_KEY_ID)) {
3769                 u8 *mac_addr = NULL;
3770 
3771                 if (info->attrs[NL80211_ATTR_MAC])
3772                         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3773 
3774                 if (!mac_addr || key.idx < 0 || key.idx > 1) {
3775                         err = -EINVAL;
3776                         goto out;
3777                 }
3778 
3779                 err = rdev_add_key(rdev, dev, key.idx,
3780                                    NL80211_KEYTYPE_PAIRWISE,
3781                                    mac_addr, &key.p);
3782         } else {
3783                 err = -EINVAL;
3784         }
3785  out:
3786         wdev_unlock(dev->ieee80211_ptr);
3787 
3788         return err;
3789 }
3790 
3791 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
3792 {
3793         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3794         int err;
3795         struct net_device *dev = info->user_ptr[1];
3796         struct key_parse key;
3797         const u8 *mac_addr = NULL;
3798 
3799         err = nl80211_parse_key(info, &key);
3800         if (err)
3801                 return err;
3802 
3803         if (!key.p.key)
3804                 return -EINVAL;
3805 
3806         if (info->attrs[NL80211_ATTR_MAC])
3807                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3808 
3809         if (key.type == -1) {
3810                 if (mac_addr)
3811                         key.type = NL80211_KEYTYPE_PAIRWISE;
3812                 else
3813                         key.type = NL80211_KEYTYPE_GROUP;
3814         }
3815 
3816         /* for now */
3817         if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3818             key.type != NL80211_KEYTYPE_GROUP)
3819                 return -EINVAL;
3820 
3821         if (!rdev->ops->add_key)
3822                 return -EOPNOTSUPP;
3823 
3824         if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
3825                                            key.type == NL80211_KEYTYPE_PAIRWISE,
3826                                            mac_addr))
3827                 return -EINVAL;
3828 
3829         wdev_lock(dev->ieee80211_ptr);
3830         err = nl80211_key_allowed(dev->ieee80211_ptr);
3831         if (!err)
3832                 err = rdev_add_key(rdev, dev, key.idx,
3833                                    key.type == NL80211_KEYTYPE_PAIRWISE,
3834                                     mac_addr, &key.p);
3835         wdev_unlock(dev->ieee80211_ptr);
3836 
3837         return err;
3838 }
3839 
3840 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
3841 {
3842         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3843         int err;
3844         struct net_device *dev = info->user_ptr[1];
3845         u8 *mac_addr = NULL;
3846         struct key_parse key;
3847 
3848         err = nl80211_parse_key(info, &key);
3849         if (err)
3850                 return err;
3851 
3852         if (info->attrs[NL80211_ATTR_MAC])
3853                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3854 
3855         if (key.type == -1) {
3856                 if (mac_addr)
3857                         key.type = NL80211_KEYTYPE_PAIRWISE;
3858                 else
3859                         key.type = NL80211_KEYTYPE_GROUP;
3860         }
3861 
3862         /* for now */
3863         if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3864             key.type != NL80211_KEYTYPE_GROUP)
3865                 return -EINVAL;
3866 
3867         if (!rdev->ops->del_key)
3868                 return -EOPNOTSUPP;
3869 
3870         wdev_lock(dev->ieee80211_ptr);
3871         err = nl80211_key_allowed(dev->ieee80211_ptr);
3872 
3873         if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
3874             !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3875                 err = -ENOENT;
3876 
3877         if (!err)
3878                 err = rdev_del_key(rdev, dev, key.idx,
3879                                    key.type == NL80211_KEYTYPE_PAIRWISE,
3880                                    mac_addr);
3881 
3882 #ifdef CONFIG_CFG80211_WEXT
3883         if (!err) {
3884                 if (key.idx == dev->ieee80211_ptr->wext.default_key)
3885                         dev->ieee80211_ptr->wext.default_key = -1;
3886                 else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
3887                         dev->ieee80211_ptr->wext.default_mgmt_key = -1;
3888         }
3889 #endif
3890         wdev_unlock(dev->ieee80211_ptr);
3891 
3892         return err;
3893 }
3894 
3895 /* This function returns an error or the number of nested attributes */
3896 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
3897 {
3898         struct nlattr *attr;
3899         int n_entries = 0, tmp;
3900 
3901         nla_for_each_nested(attr, nl_attr, tmp) {
3902                 if (nla_len(attr) != ETH_ALEN)
3903                         return -EINVAL;
3904 
3905                 n_entries++;
3906         }
3907 
3908         return n_entries;
3909 }
3910 
3911 /*
3912  * This function parses ACL information and allocates memory for ACL data.
3913  * On successful return, the calling function is responsible to free the
3914  * ACL buffer returned by this function.
3915  */
3916 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
3917                                                 struct genl_info *info)
3918 {
3919         enum nl80211_acl_policy acl_policy;
3920         struct nlattr *attr;
3921         struct cfg80211_acl_data *acl;
3922         int i = 0, n_entries, tmp;
3923 
3924         if (!wiphy->max_acl_mac_addrs)
3925                 return ERR_PTR(-EOPNOTSUPP);
3926 
3927         if (!info->attrs[NL80211_ATTR_ACL_POLICY])
3928                 return ERR_PTR(-EINVAL);
3929 
3930         acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
3931         if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
3932             acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
3933                 return ERR_PTR(-EINVAL);
3934 
3935         if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
3936                 return ERR_PTR(-EINVAL);
3937 
3938         n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
3939         if (n_entries < 0)
3940                 return ERR_PTR(n_entries);
3941 
3942         if (n_entries > wiphy->max_acl_mac_addrs)
3943                 return ERR_PTR(-ENOTSUPP);
3944 
3945         acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
3946         if (!acl)
3947                 return ERR_PTR(-ENOMEM);
3948 
3949         nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
3950                 memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
3951                 i++;
3952         }
3953 
3954         acl->n_acl_entries = n_entries;
3955         acl->acl_policy = acl_policy;
3956 
3957         return acl;
3958 }
3959 
3960 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
3961 {
3962         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3963         struct net_device *dev = info->user_ptr[1];
3964         struct cfg80211_acl_data *acl;
3965         int err;
3966 
3967         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3968             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3969                 return -EOPNOTSUPP;
3970 
3971         if (!dev->ieee80211_ptr->beacon_interval)
3972                 return -EINVAL;
3973 
3974         acl = parse_acl_data(&rdev->wiphy, info);
3975         if (IS_ERR(acl))
3976                 return PTR_ERR(acl);
3977 
3978         err = rdev_set_mac_acl(rdev, dev, acl);
3979 
3980         kfree(acl);
3981 
3982         return err;
3983 }
3984 
3985 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
3986                            u8 *rates, u8 rates_len)
3987 {
3988         u8 i;
3989         u32 mask = 0;
3990 
3991         for (i = 0; i < rates_len; i++) {
3992                 int rate = (rates[i] & 0x7f) * 5;
3993                 int ridx;
3994 
3995                 for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
3996                         struct ieee80211_rate *srate =
3997                                 &sband->bitrates[ridx];
3998                         if (rate == srate->bitrate) {
3999                                 mask |= 1 << ridx;
4000                                 break;
4001                         }
4002                 }
4003                 if (ridx == sband->n_bitrates)
4004                         return 0; /* rate not found */
4005         }
4006 
4007         return mask;
4008 }
4009 
4010 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4011                                u8 *rates, u8 rates_len,
4012                                u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4013 {
4014         u8 i;
4015 
4016         memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4017 
4018         for (i = 0; i < rates_len; i++) {
4019                 int ridx, rbit;
4020 
4021                 ridx = rates[i] / 8;
4022                 rbit = BIT(rates[i] % 8);
4023 
4024                 /* check validity */
4025                 if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4026                         return false;
4027 
4028                 /* check availability */
4029                 ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4030                 if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4031                         mcs[ridx] |= rbit;
4032                 else
4033                         return false;
4034         }
4035 
4036         return true;
4037 }
4038 
4039 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4040 {
4041         u16 mcs_mask = 0;
4042 
4043         switch (vht_mcs_map) {
4044         case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4045                 break;
4046         case IEEE80211_VHT_MCS_SUPPORT_0_7:
4047                 mcs_mask = 0x00FF;
4048                 break;
4049         case IEEE80211_VHT_MCS_SUPPORT_0_8:
4050                 mcs_mask = 0x01FF;
4051                 break;
4052         case IEEE80211_VHT_MCS_SUPPORT_0_9:
4053                 mcs_mask = 0x03FF;
4054                 break;
4055         default:
4056                 break;
4057         }
4058 
4059         return mcs_mask;
4060 }
4061 
4062 static void vht_build_mcs_mask(u16 vht_mcs_map,
4063                                u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
4064 {
4065         u8 nss;
4066 
4067         for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
4068                 vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
4069                 vht_mcs_map >>= 2;
4070         }
4071 }
4072 
4073 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
4074                              struct nl80211_txrate_vht *txrate,
4075                              u16 mcs[NL80211_VHT_NSS_MAX])
4076 {
4077         u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4078         u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
4079         u8 i;
4080 
4081         if (!sband->vht_cap.vht_supported)
4082                 return false;
4083 
4084         memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
4085 
4086         /* Build vht_mcs_mask from VHT capabilities */
4087         vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4088 
4089         for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4090                 if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4091                         mcs[i] = txrate->mcs[i];
4092                 else
4093                         return false;
4094         }
4095 
4096         return true;
4097 }
4098 
4099 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
4100         [NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
4101                                     .len = NL80211_MAX_SUPP_RATES },
4102         [NL80211_TXRATE_HT] = { .type = NLA_BINARY,
4103                                 .len = NL80211_MAX_SUPP_HT_RATES },
4104         [NL80211_TXRATE_VHT] = {
4105                 .type = NLA_EXACT_LEN_WARN,
4106                 .len = sizeof(struct nl80211_txrate_vht),
4107         },
4108         [NL80211_TXRATE_GI] = { .type = NLA_U8 },
4109 };
4110 
4111 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
4112                                          struct cfg80211_bitrate_mask *mask)
4113 {
4114         struct nlattr *tb[NL80211_TXRATE_MAX + 1];
4115         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4116         int rem, i;
4117         struct nlattr *tx_rates;
4118         struct ieee80211_supported_band *sband;
4119         u16 vht_tx_mcs_map;
4120 
4121         memset(mask, 0, sizeof(*mask));
4122         /* Default to all rates enabled */
4123         for (i = 0; i < NUM_NL80211_BANDS; i++) {
4124                 sband = rdev->wiphy.bands[i];
4125 
4126                 if (!sband)
4127                         continue;
4128 
4129                 mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
4130                 memcpy(mask->control[i].ht_mcs,
4131                        sband->ht_cap.mcs.rx_mask,
4132                        sizeof(mask->control[i].ht_mcs));
4133 
4134                 if (!sband->vht_cap.vht_supported)
4135                         continue;
4136 
4137                 vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4138                 vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
4139         }
4140 
4141         /* if no rates are given set it back to the defaults */
4142         if (!info->attrs[NL80211_ATTR_TX_RATES])
4143                 goto out;
4144 
4145         /* The nested attribute uses enum nl80211_band as the index. This maps
4146          * directly to the enum nl80211_band values used in cfg80211.
4147          */
4148         BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
4149         nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
4150                 enum nl80211_band band = nla_type(tx_rates);
4151                 int err;
4152 
4153                 if (band < 0 || band >= NUM_NL80211_BANDS)
4154                         return -EINVAL;
4155                 sband = rdev->wiphy.bands[band];
4156                 if (sband == NULL)
4157                         return -EINVAL;
4158                 err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
4159                                                   tx_rates,
4160                                                   nl80211_txattr_policy,
4161                                                   info->extack);
4162                 if (err)
4163                         return err;
4164                 if (tb[NL80211_TXRATE_LEGACY]) {
4165                         mask->control[band].legacy = rateset_to_mask(
4166                                 sband,
4167                                 nla_data(tb[NL80211_TXRATE_LEGACY]),
4168                                 nla_len(tb[NL80211_TXRATE_LEGACY]));
4169                         if ((mask->control[band].legacy == 0) &&
4170                             nla_len(tb[NL80211_TXRATE_LEGACY]))
4171                                 return -EINVAL;
4172                 }
4173                 if (tb[NL80211_TXRATE_HT]) {
4174                         if (!ht_rateset_to_mask(
4175                                         sband,
4176                                         nla_data(tb[NL80211_TXRATE_HT]),
4177                                         nla_len(tb[NL80211_TXRATE_HT]),
4178                                         mask->control[band].ht_mcs))
4179                                 return -EINVAL;
4180                 }
4181                 if (tb[NL80211_TXRATE_VHT]) {
4182                         if (!vht_set_mcs_mask(
4183                                         sband,
4184                                         nla_data(tb[NL80211_TXRATE_VHT]),
4185                                         mask->control[band].vht_mcs))
4186                                 return -EINVAL;
4187                 }
4188                 if (tb[NL80211_TXRATE_GI]) {
4189                         mask->control[band].gi =
4190                                 nla_get_u8(tb[NL80211_TXRATE_GI]);
4191                         if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
4192                                 return -EINVAL;
4193                 }
4194 
4195                 if (mask->control[band].legacy == 0) {
4196                         /* don't allow empty legacy rates if HT or VHT
4197                          * are not even supported.
4198                          */
4199                         if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
4200                               rdev->wiphy.bands[band]->vht_cap.vht_supported))
4201                                 return -EINVAL;
4202 
4203                         for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
4204                                 if (mask->control[band].ht_mcs[i])
4205                                         goto out;
4206 
4207                         for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
4208                                 if (mask->control[band].vht_mcs[i])
4209                                         goto out;
4210 
4211                         /* legacy and mcs rates may not be both empty */
4212                         return -EINVAL;
4213                 }
4214         }
4215 
4216 out:
4217         return 0;
4218 }
4219 
4220 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
4221                                    enum nl80211_band band,
4222                                    struct cfg80211_bitrate_mask *beacon_rate)
4223 {
4224         u32 count_ht, count_vht, i;
4225         u32 rate = beacon_rate->control[band].legacy;
4226 
4227         /* Allow only one rate */
4228         if (hweight32(rate) > 1)
4229                 return -EINVAL;
4230 
4231         count_ht = 0;
4232         for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
4233                 if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
4234                         return -EINVAL;
4235                 } else if (beacon_rate->control[band].ht_mcs[i]) {
4236                         count_ht++;
4237                         if (count_ht > 1)
4238                                 return -EINVAL;
4239                 }
4240                 if (count_ht && rate)
4241                         return -EINVAL;
4242         }
4243 
4244         count_vht = 0;
4245         for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4246                 if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
4247                         return -EINVAL;
4248                 } else if (beacon_rate->control[band].vht_mcs[i]) {
4249                         count_vht++;
4250                         if (count_vht > 1)
4251                                 return -EINVAL;
4252                 }
4253                 if (count_vht && rate)
4254                         return -EINVAL;
4255         }
4256 
4257         if ((count_ht && count_vht) || (!rate && !count_ht && !count_vht))
4258                 return -EINVAL;
4259 
4260         if (rate &&
4261             !wiphy_ext_feature_isset(&rdev->wiphy,
4262                                      NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
4263                 return -EINVAL;
4264         if (count_ht &&
4265             !wiphy_ext_feature_isset(&rdev->wiphy,
4266                                      NL80211_EXT_FEATURE_BEACON_RATE_HT))
4267                 return -EINVAL;
4268         if (count_vht &&
4269             !wiphy_ext_feature_isset(&rdev->wiphy,
4270                                      NL80211_EXT_FEATURE_BEACON_RATE_VHT))
4271                 return -EINVAL;
4272 
4273         return 0;
4274 }
4275 
4276 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
4277                                 struct nlattr *attrs[],
4278                                 struct cfg80211_beacon_data *bcn)
4279 {
4280         bool haveinfo = false;
4281         int err;
4282 
4283         memset(bcn, 0, sizeof(*bcn));
4284 
4285         if (attrs[NL80211_ATTR_BEACON_HEAD]) {
4286                 bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
4287                 bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
4288                 if (!bcn->head_len)
4289                         return -EINVAL;
4290                 haveinfo = true;
4291         }
4292 
4293         if (attrs[NL80211_ATTR_BEACON_TAIL]) {
4294                 bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
4295                 bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
4296                 haveinfo = true;
4297         }
4298 
4299         if (!haveinfo)
4300                 return -EINVAL;
4301 
4302         if (attrs[NL80211_ATTR_IE]) {
4303                 bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
4304                 bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
4305         }
4306 
4307         if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
4308                 bcn->proberesp_ies =
4309                         nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4310                 bcn->proberesp_ies_len =
4311                         nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4312         }
4313 
4314         if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
4315                 bcn->assocresp_ies =
4316                         nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4317                 bcn->assocresp_ies_len =
4318                         nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4319         }
4320 
4321         if (attrs[NL80211_ATTR_PROBE_RESP]) {
4322                 bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
4323                 bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
4324         }
4325 
4326         if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
4327                 struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
4328 
4329                 err = nla_parse_nested_deprecated(tb,
4330                                                   NL80211_FTM_RESP_ATTR_MAX,
4331                                                   attrs[NL80211_ATTR_FTM_RESPONDER],
4332                                                   NULL, NULL);
4333                 if (err)
4334                         return err;
4335 
4336                 if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
4337                     wiphy_ext_feature_isset(&rdev->wiphy,
4338                                             NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
4339                         bcn->ftm_responder = 1;
4340                 else
4341                         return -EOPNOTSUPP;
4342 
4343                 if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
4344                         bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
4345                         bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
4346                 }
4347 
4348                 if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
4349                         bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
4350                         bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
4351                 }
4352         } else {
4353                 bcn->ftm_responder = -1;
4354         }
4355 
4356         return 0;
4357 }
4358 
4359 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
4360                                             const u8 *rates)
4361 {
4362         int i;
4363 
4364         if (!rates)
4365                 return;
4366 
4367         for (i = 0; i < rates[1]; i++) {
4368                 if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
4369                         params->ht_required = true;
4370                 if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
4371                         params->vht_required = true;
4372         }
4373 }
4374 
4375 /*
4376  * Since the nl80211 API didn't include, from the beginning, attributes about
4377  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
4378  * benefit of drivers that rebuild IEs in the firmware.
4379  */
4380 static void nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
4381 {
4382         const struct cfg80211_beacon_data *bcn = &params->beacon;
4383         size_t ies_len = bcn->tail_len;
4384         const u8 *ies = bcn->tail;
4385         const u8 *rates;
4386         const u8 *cap;
4387 
4388         rates = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies, ies_len);
4389         nl80211_check_ap_rate_selectors(params, rates);
4390 
4391         rates = cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
4392         nl80211_check_ap_rate_selectors(params, rates);
4393 
4394         cap = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY, ies, ies_len);
4395         if (cap && cap[1] >= sizeof(*params->ht_cap))
4396                 params->ht_cap = (void *)(cap + 2);
4397         cap = cfg80211_find_ie(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
4398         if (cap && cap[1] >= sizeof(*params->vht_cap))
4399                 params->vht_cap = (void *)(cap + 2);
4400         cap = cfg80211_find_ext_ie(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
4401         if (cap && cap[1] >= sizeof(*params->he_cap) + 1)
4402                 params->he_cap = (void *)(cap + 3);
4403 }
4404 
4405 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
4406                                    struct cfg80211_ap_settings *params)
4407 {
4408         struct wireless_dev *wdev;
4409         bool ret = false;
4410 
4411         list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4412                 if (wdev->iftype != NL80211_IFTYPE_AP &&
4413                     wdev->iftype != NL80211_IFTYPE_P2P_GO)
4414                         continue;
4415 
4416                 if (!wdev->preset_chandef.chan)
4417                         continue;
4418 
4419                 params->chandef = wdev->preset_chandef;
4420                 ret = true;
4421                 break;
4422         }
4423 
4424         return ret;
4425 }
4426 
4427 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
4428                                     enum nl80211_auth_type auth_type,
4429                                     enum nl80211_commands cmd)
4430 {
4431         if (auth_type > NL80211_AUTHTYPE_MAX)
4432                 return false;
4433 
4434         switch (cmd) {
4435         case NL80211_CMD_AUTHENTICATE:
4436                 if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
4437                     auth_type == NL80211_AUTHTYPE_SAE)
4438                         return false;
4439                 if (!wiphy_ext_feature_isset(&rdev->wiphy,
4440                                              NL80211_EXT_FEATURE_FILS_STA) &&
4441                     (auth_type == NL80211_AUTHTYPE_FILS_SK ||
4442                      auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4443                      auth_type == NL80211_AUTHTYPE_FILS_PK))
4444                         return false;
4445                 return true;
4446         case NL80211_CMD_CONNECT:
4447                 if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
4448                     auth_type == NL80211_AUTHTYPE_SAE)
4449                         return false;
4450 
4451                 /* FILS with SK PFS or PK not supported yet */
4452                 if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4453                     auth_type == NL80211_AUTHTYPE_FILS_PK)
4454                         return false;
4455                 if (!wiphy_ext_feature_isset(
4456                             &rdev->wiphy,
4457                             NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
4458                     auth_type == NL80211_AUTHTYPE_FILS_SK)
4459                         return false;
4460                 return true;
4461         case NL80211_CMD_START_AP:
4462                 /* SAE not supported yet */
4463                 if (auth_type == NL80211_AUTHTYPE_SAE)
4464                         return false;
4465                 /* FILS not supported yet */
4466                 if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
4467                     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4468                     auth_type == NL80211_AUTHTYPE_FILS_PK)
4469                         return false;
4470                 return true;
4471         default:
4472                 return false;
4473         }
4474 }
4475 
4476 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
4477 {
4478         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4479         struct net_device *dev = info->user_ptr[1];
4480         struct wireless_dev *wdev = dev->ieee80211_ptr;
4481         struct cfg80211_ap_settings params;
4482         int err;
4483 
4484         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4485             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4486                 return -EOPNOTSUPP;
4487 
4488         if (!rdev->ops->start_ap)
4489                 return -EOPNOTSUPP;
4490 
4491         if (wdev->beacon_interval)
4492                 return -EALREADY;
4493 
4494         memset(&params, 0, sizeof(params));
4495 
4496         /* these are required for START_AP */
4497         if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
4498             !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
4499             !info->attrs[NL80211_ATTR_BEACON_HEAD])
4500                 return -EINVAL;
4501 
4502         err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon);
4503         if (err)
4504                 return err;
4505 
4506         params.beacon_interval =
4507                 nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
4508         params.dtim_period =
4509                 nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
4510 
4511         err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
4512                                            params.beacon_interval);
4513         if (err)
4514                 return err;
4515 
4516         /*
4517          * In theory, some of these attributes should be required here
4518          * but since they were not used when the command was originally
4519          * added, keep them optional for old user space programs to let
4520          * them continue to work with drivers that do not need the
4521          * additional information -- drivers must check!
4522          */
4523         if (info->attrs[NL80211_ATTR_SSID]) {
4524                 params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
4525                 params.ssid_len =
4526                         nla_len(info->attrs[NL80211_ATTR_SSID]);
4527                 if (params.ssid_len == 0 ||
4528                     params.ssid_len > IEEE80211_MAX_SSID_LEN)
4529                         return -EINVAL;
4530         }
4531 
4532         if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
4533                 params.hidden_ssid = nla_get_u32(
4534                         info->attrs[NL80211_ATTR_HIDDEN_SSID]);
4535 
4536         params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
4537 
4538         if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
4539                 params.auth_type = nla_get_u32(
4540                         info->attrs[NL80211_ATTR_AUTH_TYPE]);
4541                 if (!nl80211_valid_auth_type(rdev, params.auth_type,
4542                                              NL80211_CMD_START_AP))
4543                         return -EINVAL;
4544         } else
4545                 params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
4546 
4547         err = nl80211_crypto_settings(rdev, info, &params.crypto,
4548                                       NL80211_MAX_NR_CIPHER_SUITES);
4549         if (err)
4550                 return err;
4551 
4552         if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
4553                 if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
4554                         return -EOPNOTSUPP;
4555                 params.inactivity_timeout = nla_get_u16(
4556                         info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
4557         }
4558 
4559         if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
4560                 if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4561                         return -EINVAL;
4562                 params.p2p_ctwindow =
4563                         nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
4564                 if (params.p2p_ctwindow != 0 &&
4565                     !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
4566                         return -EINVAL;
4567         }
4568 
4569         if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
4570                 u8 tmp;
4571 
4572                 if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4573                         return -EINVAL;
4574                 tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
4575                 params.p2p_opp_ps = tmp;
4576                 if (params.p2p_opp_ps != 0 &&
4577                     !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
4578                         return -EINVAL;
4579         }
4580 
4581         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
4582                 err = nl80211_parse_chandef(rdev, info, &params.chandef);
4583                 if (err)
4584                         return err;
4585         } else if (wdev->preset_chandef.chan) {
4586                 params.chandef = wdev->preset_chandef;
4587         } else if (!nl80211_get_ap_channel(rdev, &params))
4588                 return -EINVAL;
4589 
4590         if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
4591                                            wdev->iftype))
4592                 return -EINVAL;
4593 
4594         if (info->attrs[NL80211_ATTR_TX_RATES]) {
4595                 err = nl80211_parse_tx_bitrate_mask(info, &params.beacon_rate);
4596                 if (err)
4597                         return err;
4598 
4599                 err = validate_beacon_tx_rate(rdev, params.chandef.chan->band,
4600                                               &params.beacon_rate);
4601                 if (err)
4602                         return err;
4603         }
4604 
4605         if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
4606                 params.smps_mode =
4607                         nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
4608                 switch (params.smps_mode) {
4609                 case NL80211_SMPS_OFF:
4610                         break;
4611                 case NL80211_SMPS_STATIC:
4612                         if (!(rdev->wiphy.features &
4613                               NL80211_FEATURE_STATIC_SMPS))
4614                                 return -EINVAL;
4615                         break;
4616                 case NL80211_SMPS_DYNAMIC:
4617                         if (!(rdev->wiphy.features &
4618                               NL80211_FEATURE_DYNAMIC_SMPS))
4619                                 return -EINVAL;
4620                         break;
4621                 default:
4622                         return -EINVAL;
4623                 }
4624         } else {
4625                 params.smps_mode = NL80211_SMPS_OFF;
4626         }
4627 
4628         params.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
4629         if (params.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ])
4630                 return -EOPNOTSUPP;
4631 
4632         if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
4633                 params.acl = parse_acl_data(&rdev->wiphy, info);
4634                 if (IS_ERR(params.acl))
4635                         return PTR_ERR(params.acl);
4636         }
4637 
4638         nl80211_calculate_ap_params(&params);
4639 
4640         if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
4641                 params.flags |= AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
4642 
4643         wdev_lock(wdev);
4644         err = rdev_start_ap(rdev, dev, &params);
4645         if (!err) {
4646                 wdev->preset_chandef = params.chandef;
4647                 wdev->beacon_interval = params.beacon_interval;
4648                 wdev->chandef = params.chandef;
4649                 wdev->ssid_len = params.ssid_len;
4650                 memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
4651 
4652                 if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4653                         wdev->conn_owner_nlportid = info->snd_portid;
4654         }
4655         wdev_unlock(wdev);
4656 
4657         kfree(params.acl);
4658 
4659         return err;
4660 }
4661 
4662 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
4663 {
4664         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4665         struct net_device *dev = info->user_ptr[1];
4666         struct wireless_dev *wdev = dev->ieee80211_ptr;
4667         struct cfg80211_beacon_data params;
4668         int err;
4669 
4670         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4671             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4672                 return -EOPNOTSUPP;
4673 
4674         if (!rdev->ops->change_beacon)
4675                 return -EOPNOTSUPP;
4676 
4677         if (!wdev->beacon_interval)
4678                 return -EINVAL;
4679 
4680         err = nl80211_parse_beacon(rdev, info->attrs, &params);
4681         if (err)
4682                 return err;
4683 
4684         wdev_lock(wdev);
4685         err = rdev_change_beacon(rdev, dev, &params);
4686         wdev_unlock(wdev);
4687 
4688         return err;
4689 }
4690 
4691 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
4692 {
4693         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4694         struct net_device *dev = info->user_ptr[1];
4695 
4696         return cfg80211_stop_ap(rdev, dev, false);
4697 }
4698 
4699 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
4700         [NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
4701         [NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
4702         [NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
4703         [NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
4704         [NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
4705         [NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
4706 };
4707 
4708 static int parse_station_flags(struct genl_info *info,
4709                                enum nl80211_iftype iftype,
4710                                struct station_parameters *params)
4711 {
4712         struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
4713         struct nlattr *nla;
4714         int flag;
4715 
4716         /*
4717          * Try parsing the new attribute first so userspace
4718          * can specify both for older kernels.
4719          */
4720         nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
4721         if (nla) {
4722                 struct nl80211_sta_flag_update *sta_flags;
4723 
4724                 sta_flags = nla_data(nla);
4725                 params->sta_flags_mask = sta_flags->mask;
4726                 params->sta_flags_set = sta_flags->set;
4727                 params->sta_flags_set &= params->sta_flags_mask;
4728                 if ((params->sta_flags_mask |
4729                      params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
4730                         return -EINVAL;
4731                 return 0;
4732         }
4733 
4734         /* if present, parse the old attribute */
4735 
4736         nla = info->attrs[NL80211_ATTR_STA_FLAGS];
4737         if (!nla)
4738                 return 0;
4739 
4740         if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
4741                 return -EINVAL;
4742 
4743         /*
4744          * Only allow certain flags for interface types so that
4745          * other attributes are silently ignored. Remember that
4746          * this is backward compatibility code with old userspace
4747          * and shouldn't be hit in other cases anyway.
4748          */
4749         switch (iftype) {
4750         case NL80211_IFTYPE_AP:
4751         case NL80211_IFTYPE_AP_VLAN:
4752         case NL80211_IFTYPE_P2P_GO:
4753                 params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
4754                                          BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
4755                                          BIT(NL80211_STA_FLAG_WME) |
4756                                          BIT(NL80211_STA_FLAG_MFP);
4757                 break;
4758         case NL80211_IFTYPE_P2P_CLIENT:
4759         case NL80211_IFTYPE_STATION:
4760                 params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
4761                                          BIT(NL80211_STA_FLAG_TDLS_PEER);
4762                 break;
4763         case NL80211_IFTYPE_MESH_POINT:
4764                 params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4765                                          BIT(NL80211_STA_FLAG_MFP) |
4766                                          BIT(NL80211_STA_FLAG_AUTHORIZED);
4767                 break;
4768         default:
4769                 return -EINVAL;
4770         }
4771 
4772         for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
4773                 if (flags[flag]) {
4774                         params->sta_flags_set |= (1<<flag);
4775 
4776                         /* no longer support new API additions in old API */
4777                         if (flag > NL80211_STA_FLAG_MAX_OLD_API)
4778                                 return -EINVAL;
4779                 }
4780         }
4781 
4782         return 0;
4783 }
4784 
4785 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
4786 {
4787         struct nlattr *rate;
4788         u32 bitrate;
4789         u16 bitrate_compat;
4790         enum nl80211_rate_info rate_flg;
4791 
4792         rate = nla_nest_start_noflag(msg, attr);
4793         if (!rate)
4794                 return false;
4795 
4796         /* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
4797         bitrate = cfg80211_calculate_bitrate(info);
4798         /* report 16-bit bitrate only if we can */
4799         bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
4800         if (bitrate > 0 &&
4801             nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
4802                 return false;
4803         if (bitrate_compat > 0 &&
4804             nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
4805                 return false;
4806 
4807         switch (info->bw) {
4808         case RATE_INFO_BW_5:
4809                 rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
4810                 break;
4811         case RATE_INFO_BW_10:
4812                 rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
4813                 break;
4814         default:
4815                 WARN_ON(1);
4816                 /* fall through */
4817         case RATE_INFO_BW_20:
4818                 rate_flg = 0;
4819                 break;
4820         case RATE_INFO_BW_40:
4821                 rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
4822                 break;
4823         case RATE_INFO_BW_80:
4824                 rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
4825                 break;
4826         case RATE_INFO_BW_160:
4827                 rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
4828                 break;
4829         case RATE_INFO_BW_HE_RU:
4830                 rate_flg = 0;
4831                 WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
4832         }
4833 
4834         if (rate_flg && nla_put_flag(msg, rate_flg))
4835                 return false;
4836 
4837         if (info->flags & RATE_INFO_FLAGS_MCS) {
4838                 if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
4839                         return false;
4840                 if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
4841                     nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
4842                         return false;
4843         } else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
4844                 if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
4845                         return false;
4846                 if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
4847                         return false;
4848                 if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
4849                     nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
4850                         return false;
4851         } else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
4852                 if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
4853                         return false;
4854                 if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
4855                         return false;
4856                 if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
4857                         return false;
4858                 if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
4859                         return false;
4860                 if (info->bw == RATE_INFO_BW_HE_RU &&
4861                     nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
4862                                info->he_ru_alloc))
4863                         return false;
4864         }
4865 
4866         nla_nest_end(msg, rate);
4867         return true;
4868 }
4869 
4870 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
4871                                int id)
4872 {
4873         void *attr;
4874         int i = 0;
4875 
4876         if (!mask)
4877                 return true;
4878 
4879         attr = nla_nest_start_noflag(msg, id);
4880         if (!attr)
4881                 return false;
4882 
4883         for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
4884                 if (!(mask & BIT(i)))
4885                         continue;
4886 
4887                 if (nla_put_u8(msg, i, signal[i]))
4888                         return false;
4889         }
4890 
4891         nla_nest_end(msg, attr);
4892 
4893         return true;
4894 }
4895 
4896 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
4897                                 u32 seq, int flags,
4898                                 struct cfg80211_registered_device *rdev,
4899                                 struct net_device *dev,
4900                                 const u8 *mac_addr, struct station_info *sinfo)
4901 {
4902         void *hdr;
4903         struct nlattr *sinfoattr, *bss_param;
4904 
4905         hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
4906         if (!hdr) {
4907                 cfg80211_sinfo_release_content(sinfo);
4908                 return -1;
4909         }
4910 
4911         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4912             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
4913             nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
4914                 goto nla_put_failure;
4915 
4916         sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
4917         if (!sinfoattr)
4918                 goto nla_put_failure;
4919 
4920 #define PUT_SINFO(attr, memb, type) do {                                \
4921         BUILD_BUG_ON(sizeof(type) == sizeof(u64));                      \
4922         if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&       \
4923             nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,            \
4924                              sinfo->memb))                              \
4925                 goto nla_put_failure;                                   \
4926         } while (0)
4927 #define PUT_SINFO_U64(attr, memb) do {                                  \
4928         if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&       \
4929             nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,           \
4930                               sinfo->memb, NL80211_STA_INFO_PAD))       \
4931                 goto nla_put_failure;                                   \
4932         } while (0)
4933 
4934         PUT_SINFO(CONNECTED_TIME, connected_time, u32);
4935         PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
4936 
4937         if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
4938                              BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
4939             nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
4940                         (u32)sinfo->rx_bytes))
4941                 goto nla_put_failure;
4942 
4943         if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
4944                              BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
4945             nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
4946                         (u32)sinfo->tx_bytes))
4947                 goto nla_put_failure;
4948 
4949         PUT_SINFO_U64(RX_BYTES64, rx_bytes);
4950         PUT_SINFO_U64(TX_BYTES64, tx_bytes);
4951         PUT_SINFO(LLID, llid, u16);
4952         PUT_SINFO(PLID, plid, u16);
4953         PUT_SINFO(PLINK_STATE, plink_state, u8);
4954         PUT_SINFO_U64(RX_DURATION, rx_duration);
4955         PUT_SINFO_U64(TX_DURATION, tx_duration);
4956 
4957         if (wiphy_ext_feature_isset(&rdev->wiphy,
4958                                     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
4959                 PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
4960 
4961         switch (rdev->wiphy.signal_type) {
4962         case CFG80211_SIGNAL_TYPE_MBM:
4963                 PUT_SINFO(SIGNAL, signal, u8);
4964                 PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
4965                 break;
4966         default:
4967                 break;
4968         }
4969         if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
4970                 if (!nl80211_put_signal(msg, sinfo->chains,
4971                                         sinfo->chain_signal,
4972                                         NL80211_STA_INFO_CHAIN_SIGNAL))
4973                         goto nla_put_failure;
4974         }
4975         if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
4976                 if (!nl80211_put_signal(msg, sinfo->chains,
4977                                         sinfo->chain_signal_avg,
4978                                         NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
4979                         goto nla_put_failure;
4980         }
4981         if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
4982                 if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
4983                                           NL80211_STA_INFO_TX_BITRATE))
4984                         goto nla_put_failure;
4985         }
4986         if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
4987                 if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
4988                                           NL80211_STA_INFO_RX_BITRATE))
4989                         goto nla_put_failure;
4990         }
4991 
4992         PUT_SINFO(RX_PACKETS, rx_packets, u32);
4993         PUT_SINFO(TX_PACKETS, tx_packets, u32);
4994         PUT_SINFO(TX_RETRIES, tx_retries, u32);
4995         PUT_SINFO(TX_FAILED, tx_failed, u32);
4996         PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
4997         PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
4998         PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
4999         PUT_SINFO(LOCAL_PM, local_pm, u32);
5000         PUT_SINFO(PEER_PM, peer_pm, u32);
5001         PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
5002         PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
5003 
5004         if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
5005                 bss_param = nla_nest_start_noflag(msg,
5006                                                   NL80211_STA_INFO_BSS_PARAM);
5007                 if (!bss_param)
5008                         goto nla_put_failure;
5009 
5010                 if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
5011                      nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
5012                     ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
5013                      nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
5014                     ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
5015                      nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
5016                     nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
5017                                sinfo->bss_param.dtim_period) ||
5018                     nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
5019                                 sinfo->bss_param.beacon_interval))
5020                         goto nla_put_failure;
5021 
5022                 nla_nest_end(msg, bss_param);
5023         }
5024         if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
5025             nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
5026                     sizeof(struct nl80211_sta_flag_update),
5027                     &sinfo->sta_flags))
5028                 goto nla_put_failure;
5029 
5030         PUT_SINFO_U64(T_OFFSET, t_offset);
5031         PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
5032         PUT_SINFO_U64(BEACON_RX, rx_beacon);
5033         PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
5034         PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
5035         PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
5036         if (wiphy_ext_feature_isset(&rdev->wiphy,
5037                                     NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
5038                 PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
5039                 PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
5040         }
5041 
5042 #undef PUT_SINFO
5043 #undef PUT_SINFO_U64
5044 
5045         if (sinfo->pertid) {
5046                 struct nlattr *tidsattr;
5047                 int tid;
5048 
5049                 tidsattr = nla_nest_start_noflag(msg,
5050                                                  NL80211_STA_INFO_TID_STATS);
5051                 if (!tidsattr)
5052                         goto nla_put_failure;
5053 
5054                 for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
5055                         struct cfg80211_tid_stats *tidstats;
5056                         struct nlattr *tidattr;
5057 
5058                         tidstats = &sinfo->pertid[tid];
5059 
5060                         if (!tidstats->filled)
5061                                 continue;
5062 
5063                         tidattr = nla_nest_start_noflag(msg, tid + 1);
5064                         if (!tidattr)
5065                                 goto nla_put_failure;
5066 
5067 #define PUT_TIDVAL_U64(attr, memb) do {                                 \
5068         if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&       \
5069             nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,          \
5070                               tidstats->memb, NL80211_TID_STATS_PAD))   \
5071                 goto nla_put_failure;                                   \
5072         } while (0)
5073 
5074                         PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
5075                         PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
5076                         PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
5077                         PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
5078 
5079 #undef PUT_TIDVAL_U64
5080                         if ((tidstats->filled &
5081                              BIT(NL80211_TID_STATS_TXQ_STATS)) &&
5082                             !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
5083                                                    NL80211_TID_STATS_TXQ_STATS))
5084                                 goto nla_put_failure;
5085 
5086                         nla_nest_end(msg, tidattr);
5087                 }
5088 
5089                 nla_nest_end(msg, tidsattr);
5090         }
5091 
5092         nla_nest_end(msg, sinfoattr);
5093 
5094         if (sinfo->assoc_req_ies_len &&
5095             nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
5096                     sinfo->assoc_req_ies))
5097                 goto nla_put_failure;
5098 
5099         cfg80211_sinfo_release_content(sinfo);
5100         genlmsg_end(msg, hdr);
5101         return 0;
5102 
5103  nla_put_failure:
5104         cfg80211_sinfo_release_content(sinfo);
5105         genlmsg_cancel(msg, hdr);
5106         return -EMSGSIZE;
5107 }
5108 
5109 static int nl80211_dump_station(struct sk_buff *skb,
5110                                 struct netlink_callback *cb)
5111 {
5112         struct station_info sinfo;
5113         struct cfg80211_registered_device *rdev;
5114         struct wireless_dev *wdev;
5115         u8 mac_addr[ETH_ALEN];
5116         int sta_idx = cb->args[2];
5117         int err;
5118 
5119         rtnl_lock();
5120         err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
5121         if (err)
5122                 goto out_err;
5123 
5124         if (!wdev->netdev) {
5125                 err = -EINVAL;
5126                 goto out_err;
5127         }
5128 
5129         if (!rdev->ops->dump_station) {
5130                 err = -EOPNOTSUPP;
5131                 goto out_err;
5132         }
5133 
5134         while (1) {
5135                 memset(&sinfo, 0, sizeof(sinfo));
5136                 err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
5137                                         mac_addr, &sinfo);
5138                 if (err == -ENOENT)
5139                         break;
5140                 if (err)
5141                         goto out_err;
5142 
5143                 if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
5144                                 NETLINK_CB(cb->skb).portid,
5145                                 cb->nlh->nlmsg_seq, NLM_F_MULTI,
5146                                 rdev, wdev->netdev, mac_addr,
5147                                 &sinfo) < 0)
5148                         goto out;
5149 
5150                 sta_idx++;
5151         }
5152 
5153  out:
5154         cb->args[2] = sta_idx;
5155         err = skb->len;
5156  out_err:
5157         rtnl_unlock();
5158 
5159         return err;
5160 }
5161 
5162 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
5163 {
5164         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5165         struct net_device *dev = info->user_ptr[1];
5166         struct station_info sinfo;
5167         struct sk_buff *msg;
5168         u8 *mac_addr = NULL;
5169         int err;
5170 
5171         memset(&sinfo, 0, sizeof(sinfo));
5172 
5173         if (!info->attrs[NL80211_ATTR_MAC])
5174                 return -EINVAL;
5175 
5176         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5177 
5178         if (!rdev->ops->get_station)
5179                 return -EOPNOTSUPP;
5180 
5181         err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
5182         if (err)
5183                 return err;
5184 
5185         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5186         if (!msg) {
5187                 cfg80211_sinfo_release_content(&sinfo);
5188                 return -ENOMEM;
5189         }
5190 
5191         if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
5192                                  info->snd_portid, info->snd_seq, 0,
5193                                  rdev, dev, mac_addr, &sinfo) < 0) {
5194                 nlmsg_free(msg);
5195                 return -ENOBUFS;
5196         }
5197 
5198         return genlmsg_reply(msg, info);
5199 }
5200 
5201 int cfg80211_check_station_change(struct wiphy *wiphy,
5202                                   struct station_parameters *params,
5203                                   enum cfg80211_station_type statype)
5204 {
5205         if (params->listen_interval != -1 &&
5206             statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5207                 return -EINVAL;
5208 
5209         if (params->support_p2p_ps != -1 &&
5210             statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5211                 return -EINVAL;
5212 
5213         if (params->aid &&
5214             !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
5215             statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5216                 return -EINVAL;
5217 
5218         /* When you run into this, adjust the code below for the new flag */
5219         BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
5220 
5221         switch (statype) {
5222         case CFG80211_STA_MESH_PEER_KERNEL:
5223         case CFG80211_STA_MESH_PEER_USER:
5224                 /*
5225                  * No ignoring the TDLS flag here -- the userspace mesh
5226                  * code doesn't have the bug of including TDLS in the
5227                  * mask everywhere.
5228                  */
5229                 if (params->sta_flags_mask &
5230                                 ~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5231                                   BIT(NL80211_STA_FLAG_MFP) |
5232                                   BIT(NL80211_STA_FLAG_AUTHORIZED)))
5233                         return -EINVAL;
5234                 break;
5235         case CFG80211_STA_TDLS_PEER_SETUP:
5236         case CFG80211_STA_TDLS_PEER_ACTIVE:
5237                 if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
5238                         return -EINVAL;
5239                 /* ignore since it can't change */
5240                 params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5241                 break;
5242         default:
5243                 /* disallow mesh-specific things */
5244                 if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
5245                         return -EINVAL;
5246                 if (params->local_pm)
5247                         return -EINVAL;
5248                 if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
5249                         return -EINVAL;
5250         }
5251 
5252         if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
5253             statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
5254                 /* TDLS can't be set, ... */
5255                 if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
5256                         return -EINVAL;
5257                 /*
5258                  * ... but don't bother the driver with it. This works around
5259                  * a hostapd/wpa_supplicant issue -- it always includes the
5260                  * TLDS_PEER flag in the mask even for AP mode.
5261                  */
5262                 params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5263         }
5264 
5265         if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
5266             statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
5267                 /* reject other things that can't change */
5268                 if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
5269                         return -EINVAL;
5270                 if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
5271                         return -EINVAL;
5272                 if (params->supported_rates)
5273                         return -EINVAL;
5274                 if (params->ext_capab || params->ht_capa || params->vht_capa ||
5275                     params->he_capa)
5276                         return -EINVAL;
5277         }
5278 
5279         if (statype != CFG80211_STA_AP_CLIENT &&
5280             statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
5281                 if (params->vlan)
5282                         return -EINVAL;
5283         }
5284 
5285         switch (statype) {
5286         case CFG80211_STA_AP_MLME_CLIENT:
5287                 /* Use this only for authorizing/unauthorizing a station */
5288                 if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
5289                         return -EOPNOTSUPP;
5290                 break;
5291         case CFG80211_STA_AP_CLIENT:
5292         case CFG80211_STA_AP_CLIENT_UNASSOC:
5293                 /* accept only the listed bits */
5294                 if (params->sta_flags_mask &
5295                                 ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
5296                                   BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5297                                   BIT(NL80211_STA_FLAG_ASSOCIATED) |
5298                                   BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5299                                   BIT(NL80211_STA_FLAG_WME) |
5300                                   BIT(NL80211_STA_FLAG_MFP)))
5301                         return -EINVAL;
5302 
5303                 /* but authenticated/associated only if driver handles it */
5304                 if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
5305                     params->sta_flags_mask &
5306                                 (BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5307                                  BIT(NL80211_STA_FLAG_ASSOCIATED)))
5308                         return -EINVAL;
5309                 break;
5310         case CFG80211_STA_IBSS:
5311         case CFG80211_STA_AP_STA:
5312                 /* reject any changes other than AUTHORIZED */
5313                 if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
5314                         return -EINVAL;
5315                 break;
5316         case CFG80211_STA_TDLS_PEER_SETUP:
5317                 /* reject any changes other than AUTHORIZED or WME */
5318                 if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
5319                                                BIT(NL80211_STA_FLAG_WME)))
5320                         return -EINVAL;
5321                 /* force (at least) rates when authorizing */
5322                 if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
5323                     !params->supported_rates)
5324                         return -EINVAL;
5325                 break;
5326         case CFG80211_STA_TDLS_PEER_ACTIVE:
5327                 /* reject any changes */
5328                 return -EINVAL;
5329         case CFG80211_STA_MESH_PEER_KERNEL:
5330                 if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
5331                         return -EINVAL;
5332                 break;
5333         case CFG80211_STA_MESH_PEER_USER:
5334                 if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
5335                     params->plink_action != NL80211_PLINK_ACTION_BLOCK)
5336                         return -EINVAL;
5337                 break;
5338         }
5339 
5340         /*
5341          * Older kernel versions ignored this attribute entirely, so don't
5342          * reject attempts to update it but mark it as unused instead so the
5343          * driver won't look at the data.
5344          */
5345         if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
5346             statype != CFG80211_STA_TDLS_PEER_SETUP)
5347                 params->opmode_notif_used = false;
5348 
5349         return 0;
5350 }
5351 EXPORT_SYMBOL(cfg80211_check_station_change);
5352 
5353 /*
5354  * Get vlan interface making sure it is running and on the right wiphy.
5355  */
5356 static struct net_device *get_vlan(struct genl_info *info,
5357                                    struct cfg80211_registered_device *rdev)
5358 {
5359         struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
5360         struct net_device *v;
5361         int ret;
5362 
5363         if (!vlanattr)
5364                 return NULL;
5365 
5366         v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
5367         if (!v)
5368                 return ERR_PTR(-ENODEV);
5369 
5370         if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
5371                 ret = -EINVAL;
5372                 goto error;
5373         }
5374 
5375         if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
5376             v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5377             v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5378                 ret = -EINVAL;
5379                 goto error;
5380         }
5381 
5382         if (!netif_running(v)) {
5383                 ret = -ENETDOWN;
5384                 goto error;
5385         }
5386 
5387         return v;
5388  error:
5389         dev_put(v);
5390         return ERR_PTR(ret);
5391 }
5392 
5393 static const struct nla_policy
5394 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
5395         [NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
5396         [NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
5397 };
5398 
5399 static int nl80211_parse_sta_wme(struct genl_info *info,
5400                                  struct station_parameters *params)
5401 {
5402         struct nlattr *tb[NL80211_STA_WME_MAX + 1];
5403         struct nlattr *nla;
5404         int err;
5405 
5406         /* parse WME attributes if present */
5407         if (!info->attrs[NL80211_ATTR_STA_WME])
5408                 return 0;
5409 
5410         nla = info->attrs[NL80211_ATTR_STA_WME];
5411         err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
5412                                           nl80211_sta_wme_policy,
5413                                           info->extack);
5414         if (err)
5415                 return err;
5416 
5417         if (tb[NL80211_STA_WME_UAPSD_QUEUES])
5418                 params->uapsd_queues = nla_get_u8(
5419                         tb[NL80211_STA_WME_UAPSD_QUEUES]);
5420         if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
5421                 return -EINVAL;
5422 
5423         if (tb[NL80211_STA_WME_MAX_SP])
5424                 params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
5425 
5426         if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
5427                 return -EINVAL;
5428 
5429         params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
5430 
5431         return 0;
5432 }
5433 
5434 static int nl80211_parse_sta_channel_info(struct genl_info *info,
5435                                       struct station_parameters *params)
5436 {
5437         if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
5438                 params->supported_channels =
5439                      nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
5440                 params->supported_channels_len =
5441                      nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
5442                 /*
5443                  * Need to include at least one (first channel, number of
5444                  * channels) tuple for each subband, and must have proper
5445                  * tuples for the rest of the data as well.
5446                  */
5447                 if (params->supported_channels_len < 2)
5448                         return -EINVAL;
5449                 if (params->supported_channels_len % 2)
5450                         return -EINVAL;
5451         }
5452 
5453         if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
5454                 params->supported_oper_classes =
5455                  nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
5456                 params->supported_oper_classes_len =
5457                   nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
5458                 /*
5459                  * The value of the Length field of the Supported Operating
5460                  * Classes element is between 2 and 253.
5461                  */
5462                 if (params->supported_oper_classes_len < 2 ||
5463                     params->supported_oper_classes_len > 253)
5464                         return -EINVAL;
5465         }
5466         return 0;
5467 }
5468 
5469 static int nl80211_set_station_tdls(struct genl_info *info,
5470                                     struct station_parameters *params)
5471 {
5472         int err;
5473         /* Dummy STA entry gets updated once the peer capabilities are known */
5474         if (info->attrs[NL80211_ATTR_PEER_AID])
5475                 params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
5476         if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
5477                 params->ht_capa =
5478                         nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
5479         if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
5480                 params->vht_capa =
5481                         nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
5482         if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
5483                 params->he_capa =
5484                         nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5485                 params->he_capa_len =
5486                         nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5487 
5488                 if (params->he_capa_len < NL80211_HE_MIN_CAPABILITY_LEN)
5489                         return -EINVAL;
5490         }
5491 
5492         err = nl80211_parse_sta_channel_info(info, params);
5493         if (err)
5494                 return err;
5495 
5496         return nl80211_parse_sta_wme(info, params);
5497 }
5498 
5499 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
5500                                              struct station_parameters *params)
5501 {
5502         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5503         int idx;
5504 
5505         if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
5506                 if (!rdev->ops->set_tx_power ||
5507                     !wiphy_ext_feature_isset(&rdev->wiphy,
5508                                          NL80211_EXT_FEATURE_STA_TX_PWR))
5509                         return -EOPNOTSUPP;
5510 
5511                 idx = NL80211_ATTR_STA_TX_POWER_SETTING;
5512                 params->txpwr.type = nla_get_u8(info->attrs[idx]);
5513 
5514                 if (params->txpwr.type == NL80211_TX_POWER_LIMITED) {
5515                         idx = NL80211_ATTR_STA_TX_POWER;
5516 
5517                         if (info->attrs[idx])
5518                                 params->txpwr.power =
5519                                         nla_get_s16(info->attrs[idx]);
5520                         else
5521                                 return -EINVAL;
5522                 }
5523                 params->sta_modify_mask |= STATION_PARAM_APPLY_STA_TXPOWER;
5524         }
5525 
5526         return 0;
5527 }
5528 
5529 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
5530 {
5531         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5532         struct net_device *dev = info->user_ptr[1];
5533         struct station_parameters params;
5534         u8 *mac_addr;
5535         int err;
5536 
5537         memset(&params, 0, sizeof(params));
5538 
5539         if (!rdev->ops->change_station)
5540                 return -EOPNOTSUPP;
5541 
5542         /*
5543          * AID and listen_interval properties can be set only for unassociated
5544          * station. Include these parameters here and will check them in
5545          * cfg80211_check_station_change().
5546          */
5547         if (info->attrs[NL80211_ATTR_STA_AID])
5548                 params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
5549 
5550         if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
5551                 params.listen_interval =
5552                      nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
5553         else
5554                 params.listen_interval = -1;
5555 
5556         if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
5557                 params.support_p2p_ps =
5558                         nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
5559         else
5560                 params.support_p2p_ps = -1;
5561 
5562         if (!info->attrs[NL80211_ATTR_MAC])
5563                 return -EINVAL;
5564 
5565         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5566 
5567         if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
5568                 params.supported_rates =
5569                         nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5570                 params.supported_rates_len =
5571                         nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5572         }
5573 
5574         if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
5575                 params.capability =
5576                         nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
5577                 params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
5578         }
5579 
5580         if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
5581                 params.ext_capab =
5582                         nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5583                 params.ext_capab_len =
5584                         nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5585         }
5586 
5587         if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
5588                 return -EINVAL;
5589 
5590         if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
5591                 params.plink_action =
5592                         nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
5593 
5594         if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
5595                 params.plink_state =
5596                         nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
5597                 if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
5598                         params.peer_aid = nla_get_u16(
5599                                 info->attrs[NL80211_ATTR_MESH_PEER_AID]);
5600                 params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
5601         }
5602 
5603         if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
5604                 params.local_pm = nla_get_u32(
5605                         info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
5606 
5607         if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
5608                 params.opmode_notif_used = true;
5609                 params.opmode_notif =
5610                         nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
5611         }
5612 
5613         if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
5614                 params.airtime_weight =
5615                         nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
5616 
5617         if (params.airtime_weight &&
5618             !wiphy_ext_feature_isset(&rdev->wiphy,
5619                                      NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
5620                 return -EOPNOTSUPP;
5621 
5622         err = nl80211_parse_sta_txpower_setting(info, &params);
5623         if (err)
5624                 return err;
5625 
5626         /* Include parameters for TDLS peer (will check later) */
5627         err = nl80211_set_station_tdls(info, &params);
5628         if (err)
5629                 return err;
5630 
5631         params.vlan = get_vlan(info, rdev);
5632         if (IS_ERR(params.vlan))
5633                 return PTR_ERR(params.vlan);
5634 
5635         switch (dev->ieee80211_ptr->iftype) {
5636         case NL80211_IFTYPE_AP:
5637         case NL80211_IFTYPE_AP_VLAN:
5638         case NL80211_IFTYPE_P2P_GO:
5639         case NL80211_IFTYPE_P2P_CLIENT:
5640         case NL80211_IFTYPE_STATION:
5641         case NL80211_IFTYPE_ADHOC:
5642         case NL80211_IFTYPE_MESH_POINT:
5643                 break;
5644         default:
5645                 err = -EOPNOTSUPP;
5646                 goto out_put_vlan;
5647         }
5648 
5649         /* driver will call cfg80211_check_station_change() */
5650         err = rdev_change_station(rdev, dev, mac_addr, &params);
5651 
5652  out_put_vlan:
5653         if (params.vlan)
5654                 dev_put(params.vlan);
5655 
5656         return err;
5657 }
5658 
5659 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)