authorAleksandr Nogikh <nogikh@google.com>2020-10-02 11:42:45 +0300
committerDmitry Vyukov <dvyukov@google.com>2020-10-05 15:05:59 +0200
commita9f27fea2a48250098012d797d6f83500c35a67b (patch)
treef41240c859a8d61060d6dfd2726f57c7dc6d980f /sys/linux
parent5ef9c29141f85f210b326ce68718498ae0c1fd35 (diff)
sys/linux: add 802.11 frame descriptions
This commit enables accurate generation of 802.11 frames for injection. The descriptions only include frames/fields/elements that are supported by mac80211. Also, this commit includes fixes to tests that were affected by modification of the existing descriptions. The validity of the frames was verified by capturing the generated packets and examining them in Wireshark.
Diffstat (limited to 'sys/linux')
-rw-r--r--sys/linux/net_80211.txt990
-rw-r--r--sys/linux/net_80211.txt.const80
-rw-r--r--sys/linux/socket_netlink_generic_80211.txt4
-rw-r--r--sys/linux/test/80211_ibss6
-rw-r--r--sys/linux/test/80211_setup_ap12
5 files changed, 1043 insertions, 49 deletions
diff --git a/sys/linux/net_80211.txt b/sys/linux/net_80211.txt
index a3bc9139f..37b5e20ba 100644
--- a/sys/linux/net_80211.txt
+++ b/sys/linux/net_80211.txt
@@ -6,7 +6,7 @@
include <linux/ieee80211.h>
-# Mac addresses of virtual wifi devices created during executor initialization
+# Mac addresses of virtual wifi devices created during executor initialization.
type ieee80211_fixed_mac_addr[LAST] {
byte0 const[0x8, int8]
byte1 const[0x2, int8]
@@ -32,7 +32,11 @@ ieee80211_mesh_id [
default array[const[0x3, int8], 6]
] [varlen]
-type ieee80211_frame array[int8]
+ieee80211_frame [
+ data_frame ieee80211_data_frame
+ mgmt_frame ieee80211_mgmt_frame
+ ctrl_frame ieee80211_ctrl_frame
+] [varlen]
ieee80211_bssid [
initial array[const[0x50, int8], 6]
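Review bot: The new `ieee80211_frame` union has no unstructured variant, so the removed `array[int8]` shape can no longer be described directly; frames shorter than a header, or with a type the three variants do not cover, may become unreachable on the injection path. Other unions in this commit keep such a fallback (`random` in `ieee80211_ie` and in `ieee80211_data_frame_payload`). Consider adding a last variant such as `random array[int8]` so that length and type checks on the receive side are still exercised with malformed input. The `ieee80211_bssid` union that follows starts inside the hunk and continues outside it.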
@@ -66,7 +70,7 @@ define JOIN_IBSS_BG_NO_SCAN 0x2
join_ibss_modes = JOIN_IBSS_NO_SCAN, JOIN_IBSS_BG_SCAN, JOIN_IBSS_BG_NO_SCAN
################################################################################
-# Common fields and enums
+# Common fields and enums.
################################################################################
# As defined in drivers/net/wireless/mac80211_hwsim.c
@@ -74,11 +78,11 @@ ieee80211_channel_freq_mhz = 2412, 2417, 2422, 2427, 2432, 2437, 2442, 2447, 245
ieee80211_raw_rates = 10, 20, 55, 60, 90, 110, 120, 180, 240, 360, 480, 540
-# Combined set of 802.11 rates for 5Mhz, 10Mhz and other channel widths
-# Only rates for drivers/net/wireless/mac80211_hwsim.c are defined
+# Combined set of 802.11 rates for 5Mhz, 10Mhz and other channel widths.
+# Only rates for drivers/net/wireless/mac80211_hwsim.c are defined.
ieee80211_rate_label = 1, 2, 3, 4, 5, 6, 9, 11, 12, 18, 22, 24, 27, 36, 48, 54, 72, 96, 108
-# Rates as they are represented (see 9.4.2.3 of IEEEE 802.11-2016)
+# Rates as they are represented (see 9.4.2.3 of IEEEE 802.11-2016).
ieee80211_rate {
label flags[ieee80211_rate_label, int8:7]
mandatory int8:1
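Review bot: The comment above `ieee80211_rate` is edited here but keeps the `IEEEE` typo; since the line is being touched anyway it could read `# Rates as they are represented (see 9.4.2.3 of IEEE 802.11-2016).`. The same applies to `5Mhz, 10Mhz` two comments earlier, which would normally be written `5 MHz, 10 MHz`.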
@@ -91,30 +95,27 @@ type ieee80211_beacon_interval[BASE_TYPE] [
type ieee80211_timestamp int64
-# Pseudo syscalls and initially created devices use the default frequency below
+ieee80211_assoc_id [
+ default const[0x1, int16]
+ random int16
+]
+
+# Pseudo syscalls and initially created devices use the default frequency below.
type ieee80211_frequency_mhz[BASE_TYPE] [
default const[2412, BASE_TYPE]
random flags[ieee80211_channel_freq_mhz, BASE_TYPE]
]
-# Information Element structure (see 9.4.2.1 of IEEE 802.11-2016)
-# Also see `element` struct in include/linux/ieee80211.h
-type ieee80211_generic_ie[ID_TYPE, DATA_TYPE] {
- id ID_TYPE
- len len[data, int8]
- data DATA_TYPE
-} [packed]
+# These are the channels supported by mac80211_hwsim.
+ieee80211_channels = 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 149, 153, 157, 161, 165, 169, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185
+type ieee80211_channel[BASE_TYPE] flags[ieee80211_channels, BASE_TYPE]
-ieee80211_ie [
- random ieee80211_generic_ie[int8, array[int8, 0:255]]
-] [varlen]
-
-# HT Capabilities (see 9.4.2.56 of IEEE 802.11-2016)
+# HT Capabilities (see 9.4.2.56 of IEEE 802.11-2016).
ieee80211_ht_cap_info = IEEE80211_HT_CAP_LDPC_CODING, IEEE80211_HT_CAP_SUP_WIDTH_20_40, IEEE80211_HT_CAP_SM_PS, IEEE80211_HT_CAP_SM_PS_SHIFT, IEEE80211_HT_CAP_GRN_FLD, IEEE80211_HT_CAP_SGI_20, IEEE80211_HT_CAP_SGI_40, IEEE80211_HT_CAP_TX_STBC, IEEE80211_HT_CAP_RX_STBC, IEEE80211_HT_CAP_RX_STBC_SHIFT, IEEE80211_HT_CAP_DELAY_BA, IEEE80211_HT_CAP_MAX_AMSDU, IEEE80211_HT_CAP_DSSSCCK40, IEEE80211_HT_CAP_RESERVED, IEEE80211_HT_CAP_40MHZ_INTOLERANT, IEEE80211_HT_CAP_LSIG_TXOP_PROT
ieee80211_ht_ext_cap_info = IEEE80211_HT_EXT_CAP_PCO, IEEE80211_HT_EXT_CAP_PCO_TIME, IEEE80211_HT_EXT_CAP_PCO_TIME_SHIFT, IEEE80211_HT_EXT_CAP_MCS_FB, IEEE80211_HT_EXT_CAP_MCS_FB_SHIFT, IEEE80211_HT_EXT_CAP_HTC_SUP, IEEE80211_HT_EXT_CAP_RD_RESPONDER
-# See 9.4.2.56.4 of IEEE 802.11-2016
+# See 9.4.2.56.4 of IEEE 802.11-2016.
ieee80211_mcs_info {
rx_bitmask_1 int64
rx_bitmask_2 int64:13
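Review bot: `ieee80211_assoc_id` is the only type added in this hunk without a comment, while its neighbours each cite the spec section they model. It is also not obvious from the description why `0x1` is the default value. Suggest a header such as `# Association ID (AID) field (see sect. 9.4.1.8 of IEEE 802.11-2016).` (section number to be confirmed against the standard), plus a short remark on where AID 1 comes from if it mirrors the pre-created test setup. The hunk ends inside `ieee80211_mcs_info`, whose body continues outside it.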
@@ -125,10 +126,10 @@ ieee80211_mcs_info {
tx_rx_not_eq int64:1
max_spac_streams int64:2
uneq_modulation int64:1
- reserved_3 int64:27
+ reserved_3 const[0, int64:27]
} [packed]
-# See Fig. 9-332 of IEEE 802.11-2016
+# See Fig. 9-332 of IEEE 802.11-2016.
ieee80211_ht_cap {
cap_info flags[ieee80211_ht_cap_info, int16]
a_mpdu_exponent int8:2
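Review bot: `reserved_3` is now pinned with `const[0, int64:27]`, but the same commit adds `reserved int8:7` to `ieee80211_rann_flags` as a free field, so reserved bits follow two different conventions in one file. Either choice is defensible: zeroed bits give valid frames, free bits test how the receiver treats non-zero reserved values. It would help to pick one and say so in a comment, for example `# Reserved bits are fixed to 0 so that generated frames stay well-formed.`. `ieee80211_mcs_info` starts before this hunk and `ieee80211_ht_cap` continues after it.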
@@ -140,7 +141,7 @@ ieee80211_ht_cap {
antenna_selection_info int8
} [packed]
-# VHT Capabilities (see 9.4.2.56 of IEEE 802.11-2016)
+# VHT Capabilities (see 9.4.2.56 of IEEE 802.11-2016).
ieee80211_vht_cap_info = IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_3895, IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_7991, IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454, IEEE80211_VHT_CAP_MAX_MPDU_MASK, IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ, IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ, IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_MASK, IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_SHIFT, IEEE80211_VHT_CAP_RXLDPC, IEEE80211_VHT_CAP_SHORT_GI_80, IEEE80211_VHT_CAP_SHORT_GI_160, IEEE80211_VHT_CAP_TXSTBC, IEEE80211_VHT_CAP_RXSTBC_1, IEEE80211_VHT_CAP_RXSTBC_2, IEEE80211_VHT_CAP_RXSTBC_3, IEEE80211_VHT_CAP_RXSTBC_4, IEEE80211_VHT_CAP_RXSTBC_MASK, IEEE80211_VHT_CAP_RXSTBC_SHIFT, IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE, IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE, IEEE80211_VHT_CAP_BEAMFORMEE_STS_SHIFT, IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK, IEEE80211_VHT_CAP_SOUNDING_DIMENSIONS_SHIFT, IEEE80211_VHT_CAP_SOUNDING_DIMENSIONS_MASK, IEEE80211_VHT_CAP_MU_BEAMFORMER_CAPABLE, IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE, IEEE80211_VHT_CAP_VHT_TXOP_PS, IEEE80211_VHT_CAP_HTC_VHT, IEEE80211_VHT_CAP_MAX_A_MPDU_LENGTH_EXPONENT_SHIFT, IEEE80211_VHT_CAP_MAX_A_MPDU_LENGTH_EXPONENT_MASK, IEEE80211_VHT_CAP_VHT_LINK_ADAPTATION_VHT_UNSOL_MFB, IEEE80211_VHT_CAP_VHT_LINK_ADAPTATION_VHT_MRQ_MFB, IEEE80211_VHT_CAP_RX_ANTENNA_PATTERN, IEEE80211_VHT_CAP_TX_ANTENNA_PATTERN, IEEE80211_VHT_CAP_EXT_NSS_BW_SHIFT, IEEE80211_VHT_CAP_EXT_NSS_BW_MASK
ieee80211_vht_mcs_info {
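Review bot: The edited comment for the VHT capability flags still points at section 9.4.2.56, which is the section this file cites for HT Capabilities a few lines above, so the reference looks like a copy-paste leftover. The VHT Capabilities element is, I believe, 9.4.2.158 in IEEE 802.11-2016; if that checks out the line should read `# VHT Capabilities (see 9.4.2.158 of IEEE 802.11-2016).`. `ieee80211_vht_mcs_info` opens on the last line of the hunk and its body is outside it.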
@@ -155,40 +156,76 @@ ieee80211_vht_cap {
supp_mcs ieee80211_vht_mcs_info
} [packed]
-# As defined by Table 9-45 of IEEE 802.11-2016
+# As defined by Table 9-45 of IEEE 802.11-2016.
type ieee80211_reason_code[BASE_TYPE] BASE_TYPE[0:66]
-# As defined by Table 9-46 of IEEE 802.11-2016
+# As defined by Table 9-46 of IEEE 802.11-2016.
type ieee80211_status_code[BASE_TYPE] BASE_TYPE[0:107]
-# Only NAV is supported at the moment. No CPE or PS-Poll frames
+# Only NAV is supported at the moment. No CPE or PS-Poll frames.
ieee80211_duration {
duration int16:15
nav_flag const[0, int16:1]
} [packed]
-# As defined in sect. 9.2.4.4.1 of IEEE 802.11-216
+# As defined in sect. 9.2.4.4.1 of IEEE 802.11-2016.
ieee80211_seq_control {
frag_number int16:4
seq_number int16:12
} [packed]
-# As defined by Table 9-342 of IEEE 802.11-2016
+ieee80211_block_ack_ssc {
+ fragment int16:4
+ ssn int16:12
+} [packed]
+
+# As defined by Table 9-342 of IEEE 802.11-2016.
ieee80211_tdls_action_codes = WLAN_TDLS_SETUP_REQUEST, WLAN_TDLS_SETUP_RESPONSE, WLAN_TDLS_SETUP_CONFIRM, WLAN_TDLS_TEARDOWN, WLAN_TDLS_PEER_TRAFFIC_INDICATION, WLAN_TDLS_CHANNEL_SWITCH_REQUEST, WLAN_TDLS_CHANNEL_SWITCH_RESPONSE, WLAN_TDLS_PEER_PSM_REQUEST, WLAN_TDLS_PEER_PSM_RESPONSE, WLAN_TDLS_PEER_TRAFFIC_RESPONSE, WLAN_TDLS_DISCOVERY_REQUEST
-# As defined by Table 9-131 of IEEE 802.11-2016
+# As defined by Table 9-131 of IEEE 802.11-2016.
ieee80211_cipher_suites = WLAN_CIPHER_SUITE_USE_GROUP, WLAN_CIPHER_SUITE_WEP40, WLAN_CIPHER_SUITE_TKIP, WLAN_CIPHER_SUITE_CCMP, WLAN_CIPHER_SUITE_WEP104, WLAN_CIPHER_SUITE_AES_CMAC, WLAN_CIPHER_SUITE_GCMP, WLAN_CIPHER_SUITE_GCMP_256, WLAN_CIPHER_SUITE_CCMP_256, WLAN_CIPHER_SUITE_BIP_GMAC_128, WLAN_CIPHER_SUITE_BIP_GMAC_256, WLAN_CIPHER_SUITE_BIP_CMAC_256
-# As defined by Table 9-133 of IEEE 802.11-2016
+# As defined by Table 9-133 of IEEE 802.11-2016.
ieee80211_akm_suites = WLAN_AKM_SUITE_8021X, WLAN_AKM_SUITE_PSK, WLAN_AKM_SUITE_FT_8021X, WLAN_AKM_SUITE_FT_PSK, WLAN_AKM_SUITE_8021X_SHA256, WLAN_AKM_SUITE_PSK_SHA256, WLAN_AKM_SUITE_TDLS, WLAN_AKM_SUITE_SAE, WLAN_AKM_SUITE_FT_OVER_SAE, WLAN_AKM_SUITE_AP_PEER_KEY, WLAN_AKM_SUITE_8021X_SUITE_B, WLAN_AKM_SUITE_8021X_SUITE_B_192, WLAN_AKM_SUITE_FT_8021X_SHA384, WLAN_AKM_SUITE_FILS_SHA256, WLAN_AKM_SUITE_FILS_SHA384, WLAN_AKM_SUITE_FT_FILS_SHA256, WLAN_AKM_SUITE_FT_FILS_SHA384, WLAN_AKM_SUITE_OWE, WLAN_AKM_SUITE_FT_PSK_SHA384, WLAN_AKM_SUITE_PSK_SHA384
-# Capability Information field (see sect. 9.4.1.4 of IEEE 802.11-2016)
+# Capability Information field (see sect. 9.4.1.4 of IEEE 802.11-2016).
ieee80211_capabilities = WLAN_CAPABILITY_ESS, WLAN_CAPABILITY_IBSS, WLAN_CAPABILITY_CF_POLLABLE, WLAN_CAPABILITY_CF_POLL_REQUEST, WLAN_CAPABILITY_PRIVACY, WLAN_CAPABILITY_SHORT_PREAMBLE, WLAN_CAPABILITY_PBCC, WLAN_CAPABILITY_CHANNEL_AGILITY, WLAN_CAPABILITY_SPECTRUM_MGMT, WLAN_CAPABILITY_QOS, WLAN_CAPABILITY_SHORT_SLOT_TIME, WLAN_CAPABILITY_APSD, WLAN_CAPABILITY_RADIO_MEASURE, WLAN_CAPABILITY_DSSS_OFDM, WLAN_CAPABILITY_DEL_BACK, WLAN_CAPABILITY_IMM_BACK
type ieee80211_capability[TYPE] flags[ieee80211_capabilities, TYPE]
+# QoS Control field is quite complicated (see Table 9-6 of IEEE 802.11-2016), but
+# for fuzzing purposes we don't really care about most of its bits.
+type ieee80211_qos_control[A_MSDU] {
+ tid int8:4
+ eosp int8:1
+ ack_policy int8:2
+ a_msdu const[A_MSDU, int8:1]
+ rest int8
+} [packed]
+
+type ieee80211_append_qos_control[PAYLOAD, A_MSDU] {
+ payload PAYLOAD
+ qos_control ieee80211_qos_control[A_MSDU]
+} [packed]
+
+# Operating Mode field (see sect. 9.4.1.53 of IEEE 802.11-2016).
+ieee80211_operating_mode {
+ channel_width int8:2
+ supp_160_80_80 int8:1
+ no_ldpc int8:1
+ rx_nss int8:3
+ rx_nss_type int8:1
+} [packed]
+
+# SM Power Control field (see sect. 9.4.1.23 of IEEE 802.11-2016).
+ieee80211_sm_power_control {
+ smps_enabled int8:1
+ sm_mode int8:1
+ reserver const[0, int8:6]
+} [packed]
+
#############################################
-# Basic 802.11 frame structures
+# Basic 802.11 frame structures.
#############################################
ieee80211_ht_control_80211n {
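Review bot: In `ieee80211_sm_power_control` the padding field is spelled `reserver`; it should be `reserved const[0, int8:6]` to match the naming used by every other description in the file. `ieee80211_block_ack_ssc` is added without a comment and has the same 4/12-bit layout as `ieee80211_seq_control` directly above it, so a one-line header such as `# Block Ack Starting Sequence Control field.` with its spec reference would explain why a separate type exists. `ieee80211_ht_control_80211n` opens on the last line of the hunk and continues outside it.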
@@ -214,7 +251,7 @@ type ieee80211_append_ht_control[FRAME] {
ht_control ieee80211_ht_control
} [packed]
-# Generic Frame Control field
+# Generic Frame Control field.
type ieee80211_fc[TO_DS, FROM_DS, TYPE, SUBTYPE, ORDER] {
version const[0, int8:2]
type TYPE
@@ -229,14 +266,435 @@ type ieee80211_fc[TO_DS, FROM_DS, TYPE, SUBTYPE, ORDER] {
order ORDER
} [packed]
+# Control packets use a simpler version of Frame Control.
+type ieee80211_control_fc[SUBTYPE_CONST] {
+ version const[0, int8:2]
+ type const[0x1, int8:2]
+ subtype const[SUBTYPE_CONST, int8:4]
+ rest const[0, int8:6]
+} [packed]
+
+define IEEE80211_MGMT_FRAME_TYPE (IEEE80211_FTYPE_MGMT >> 2)
+define IEEE80211_DATA_FRAME_TYPE (IEEE80211_FTYPE_DATA >> 2)
+define IEEE80211_CTL_FRAME_TYPE (IEEE80211_FTYPE_CTL >> 2)
+
+############################################
+# Information Elements.
+############################################
+
+# Information Element structure (see 9.4.2.1 of IEEE 802.11-2016).
+type ieee80211_generic_ie[ID_TYPE, DATA_TYPE] {
+ id ID_TYPE
+ len len[data, int8]
+ data DATA_TYPE
+} [packed]
+
+type ieee80211_generic_ie_const[ID_VAL, DATA_TYPE] ieee80211_generic_ie[const[ID_VAL, int8], DATA_TYPE]
+
+type ieee80211_random_vendor_ie ieee80211_generic_ie_const[WLAN_EID_VENDOR_SPECIFIC, array[int8, 6:255]]
+
+# SSID Information Element (see 9.4.2.2 of IEEE 802.11-2016).
+type ieee80211_ie_ssid ieee80211_generic_ie_const[WLAN_EID_SSID, ieee80211_ssid]
+
+# SSID Information Element (see 9.4.2.3 of IEEE 802.11-2016).
+type ieee80211_ie_supported_rates ieee80211_generic_ie_const[WLAN_EID_SUPP_RATES, array[ieee80211_rate, 0:8]]
+
+# DS Parameter Set / DSSS Information Element (see 9.4.2.4 of IEEE 802.11-2016).
+type ieee80211_ie_dsss ieee80211_generic_ie_const[WLAN_EID_DS_PARAMS, ieee80211_channel[int8]]
+
+# CF Parameter Set Information Element (see 9.4.2.5 of IEEE 802.11-2016).
+ieee80211_ie_cf_payload {
+ count int8
+ period int8
+ max_duration int16
+ dur_remaining int16
+} [packed]
+
+type ieee80211_ie_cf ieee80211_generic_ie_const[WLAN_EID_CF_PARAMS, ieee80211_ie_cf_payload]
+
+# Traffic Indication Map (TIM) Information Element (see 9.4.2.6 of IEEE 802.11-2016).
+ieee80211_ie_tim_payload {
+ dtim_count int8
+ dtim_period int8[1:255]
+ bitmap_control int8
+ partial_bitmap array[int8, 0:251]
+} [packed]
+
+type ieee80211_ie_tim ieee80211_generic_ie_const[WLAN_EID_TIM, ieee80211_ie_tim_payload]
+
+# IBSS Parameter Set Information Element (see 9.4.2.7 of IEEE 802.11-2016).
+type ieee80211_ie_ibss ieee80211_generic_ie_const[WLAN_EID_IBSS_PARAMS, int16]
+
+# Challenge Text Information Element (see 9.4.2.8 of IEEE 802.11-2016).
+type ieee80211_ie_challenge ieee80211_generic_ie_const[WLAN_EID_CHALLENGE, int8[1:253]]
+
+# Extended Rate PHY (ERP) Information Element (see 9.4.2.12 of IEEE 802.11-2016).
+ieee80211_ie_erp_payload {
+ non_erp_present int8:1
+ use_protection int8:1
+ barker_preamble_mode int8:1
+ reserved const[0, int8:5]
+} [packed]
+
+type ieee80211_ie_erp ieee80211_generic_ie_const[WLAN_EID_ERP_INFO, ieee80211_ie_erp_payload]
+
+# Channel Switch Announcement Information Element (see 9.4.2.19 of IEEE 802.11-2016).
+ieee80211_ie_channel_switch_annce_payload {
+ switch_mode int8[0:1]
+ new_channel ieee80211_channel[int8]
+ switch_count int8
+} [packed]
+
+type ieee80211_ie_channel_switch ieee80211_generic_ie_const[WLAN_EID_CHANNEL_SWITCH, ieee80211_ie_channel_switch_annce_payload]
+
+# Secondary Channel Offset Information Element (see 9.4.2.20 of IEEE 802.11-2016).
+type ieee80211_ie_sec_chan_ofs ieee80211_generic_ie_const[WLAN_EID_SECONDARY_CHANNEL_OFFSET, int8[0:3]]
+
+# Measurement Request Information Element (see 9.4.2.21 of IEEE 802.11-2016).
+ieee80211_ie_measure_req_payload {
+ token int8
+ mode int8
+ type int8
+ req_details array[int8]
+} [packed]
+
+type ieee80211_ie_measure_req ieee80211_generic_ie_const[WLAN_EID_MEASURE_REQUEST, ieee80211_ie_measure_req_payload]
+
+# Fast BSS Transition element (FTE) (see 9.4.2.48 of IEEE 802.11-2016).
+ieee80211_ie_fast_bss_trans_payload {
+ mic_control_reserved int8
+ mic_element_count len[params, int8]
+ mic array[int8, 16]
+ a_nonce array[int8, 32]
+ s_nonce array[int8, 32]
+ params array[ieee80211_generic_ie[int8[1:4], array[int8, 0:40]]]
+} [packed]
+
+type ieee80211_ie_fast_bss_trans ieee80211_generic_ie_const[WLAN_EID_FAST_BSS_TRANSITION, ieee80211_ie_fast_bss_trans_payload]
+
+# Extended Channel Switch Announcement Information Element (see 9.4.2.53 of IEEE 802.11-2016).
+ieee80211_ie_ext_channel_switch_annce_payload {
+ switch_mode int8[0:1]
+ new_class int8
+ new_channel ieee80211_channel[int8]
+ switch_count int8
+} [packed]
+
+type ieee80211_ie_ext_channel_switch ieee80211_generic_ie_const[WLAN_EID_EXT_CHANSWITCH_ANN, ieee80211_ie_ext_channel_switch_annce_payload]
+
+# Management MIC Information Element (see 9.4.2.55 of IEEE 802.11-2016).
+type ieee80211_ie_mic ieee80211_generic_ie_const[WLAN_EID_MIC, ieee80211_ie_mic_payload]
+
+ieee80211_ie_mic_code [
+ short array[int8, 8]
+ long array[int8, 16]
+] [varlen]
+
+ieee80211_ie_mic_payload {
+ key_id int16[0:4095]
+ ipn array[int8, 6]
+ mic ieee80211_ie_mic_code
+} [packed]
+
+# HT Capabilities Information Element (see 9.4.2.56 of IEEE 802.11-2016).
+type ieee80211_ie_ht ieee80211_generic_ie_const[WLAN_EID_HT_CAPABILITY, ieee80211_ht_cap]
+
+# Link Identifier Information Element (see 9.4.2.62 of IEEE 802.11-2016).
+ieee80211_ie_link_id_payload {
+ bssid ieee80211_bssid
+ initiator ieee80211_mac_addr
+ responder ieee80211_mac_addr
+} [packed]
+
+type ieee80211_ie_link_id ieee80211_generic_ie_const[WLAN_EID_LINK_ID, ieee80211_ie_link_id_payload]
+
+# Channel Switch Timing Information Element (see 9.4.2.64 of IEEE 802.11-2016).
+ieee80211_ie_channel_switch_timing_payload {
+ switch_time int16
+ switch_timeout int16
+} [packed]
+
+type ieee80211_ie_channel_switch_timing ieee80211_generic_ie_const[WLAN_EID_CHAN_SWITCH_TIMING, ieee80211_ie_channel_switch_timing_payload]
+
+# Mesh Configuration Information Element (see 9.4.2.98 of IEEE 802.11-2016).
+type ieee80211_ie_mesh_config ieee80211_generic_ie_const[WLAN_EID_MESH_CONFIG, ieee80211_ie_mesh_config_payload]
+
+ieee80211_ie_mesh_config_payload {
+ psel_proto int8[-1:1]
+ psel_metric int8[-1:1]
+ cmode_id int8[-1:1]
+ syncm_id int8[-1:1]
+ auth_proto int8[-1:2]
+ mesh_info int8
+ mesh_cap flags[mesh_config_capab_flags, int8]
+} [packed]
+
+mesh_config_capab_flags = IEEE80211_MESHCONF_CAPAB_ACCEPT_PLINKS, IEEE80211_MESHCONF_CAPAB_FORWARDING, IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING, IEEE80211_MESHCONF_CAPAB_POWER_SAVE_LEVEL
+
+# Mesh Channel Switch Information Element (see 9.4.2.103 of IEEE 802.11-2016).
+ieee80211_ie_mesh_channel_switch_payload {
+ mesh_ttl int8
+ mesh_flags int8
+ mesh_reason ieee80211_reason_code[int16]
+ meash_pre_value int16
+} [packed]
+
+type ieee80211_ie_mesh_channel_switch ieee80211_generic_ie_const[WLAN_EID_CHAN_SWITCH_PARAM, ieee80211_ie_mesh_channel_switch_payload]
+
+# GCR Group Address Information Element (see 9.4.2.126 of IEEE 802.11-2016).
+type ieee80211_ie_gcr_ga ieee80211_generic_ie_const[WLAN_EID_GCR_GROUP_ADDR, ieee80211_mac_addr]
+
+# PREQ Information Element (see 9.4.2.113 of IEEE 802.11.2016).
+type ieee80211_ie_preq ieee80211_generic_ie_const[WLAN_EID_PREQ, ieee80211_ie_preq_payload]
+
+# See Figure 9-478 of IEEE 802.11-2016.
+type ieee80211_preq_flags[AE_CONST] {
+ gate_anncement int8:1
+ addr_mode int8:1
+ proactive_prep int8:1
+ reserved const[0, int8:3]
+ ae const[AE_CONST, int8:1]
+ reserved_2 const[0, int8:1]
+} [packed]
+
+# See Figure 9-479 of IEEE 802.11-2016.
+ieee80211_preq_target_flags {
+ target_only int8:1
+ reserved const[0, int8:1]
+ usn int8:1
+ reserved2 const[0, int8:5]
+} [packed]
+
+ieee80211_preq_target {
+ flags ieee80211_preq_target_flags
+ target_addr ieee80211_mac_addr
+ target_sn int32
+} [packed]
+
+type ieee80211_ie_preq_payload_generic[AE_CONST, ORIGINATOR_TYPE] {
+ flags ieee80211_preq_flags[AE_CONST]
+ hop_count int8
+ ttl int8
+ discovery_id int32
+ originator ieee80211_mac_addr
+ originator_sn int32
+ originator_ext ORIGINATOR_TYPE
+ lifetime int32
+ metric int32
+ target_count len[targets, int8]
+ targets array[ieee80211_preq_target]
+} [packed]
+
+ieee80211_ie_preq_payload [
+ ext ieee80211_ie_preq_payload_generic[1, ieee80211_mac_addr]
+ not_ext ieee80211_ie_preq_payload_generic[0, void]
+] [varlen]
+
+# PREP Information Element (see 9.4.2.113 of IEEE 802.11.2016).
+type ieee80211_ie_prep ieee80211_generic_ie_const[WLAN_EID_PREP, ieee80211_ie_prep_payload]
+
+# See Figure 9-481 and Figure 9-483 of IEEE 802.11.2016.
+type ieee80211_ae_flags[AE_CONST] {
+ reserved const[0, int8:6]
+ ae const[AE_CONST, int8:1]
+ reserved2 const[0, int8:1]
+} [packed]
+
+type ieee80211_ie_prep_payload_generic[AE_CONST, TARGET_EXT_TYPE] {
+ flags ieee80211_ae_flags[AE_CONST]
+ hop_count int8
+ ttl int8
+ target_addr ieee80211_mac_addr
+ target_sn int32
+ target_ext TARGET_EXT_TYPE
+ lifetime int32
+ metric int32
+ originator ieee80211_mac_addr
+ originator_sn int32
+} [packed]
+
+ieee80211_ie_prep_payload [
+ ext ieee80211_ie_prep_payload_generic[1, ieee80211_mac_addr]
+ not_ext ieee80211_ie_prep_payload_generic[0, void]
+] [varlen]
+
+# PERR Information Element (see 9.4.2.115 of IEEE 802.11.2016).
+type ieee80211_ie_perr ieee80211_generic_ie_const[WLAN_EID_PERR, ieee80211_ie_perr_payload]
+
+ieee80211_ie_perr_payload {
+ ttl int8
+ dest_count len[dest_list, int8]
+ dest_list array[ieee80211_ie_perr_dest, 0:19]
+} [packed]
+
+type ieee80211_ie_perr_dest_generic[AE_CONST, DEST_EXT_TYPE] {
+ flags ieee80211_ae_flags[AE_CONST]
+ dest_addr ieee80211_mac_addr
+ dest_sn int32
+ dest_ext DEST_EXT_TYPE
+ reason ieee80211_reason_code[int16]
+} [packed]
+
+ieee80211_ie_perr_dest [
+ ext ieee80211_ie_perr_dest_generic[1, ieee80211_mac_addr]
+ not_ext ieee80211_ie_perr_dest_generic[0, void]
+] [varlen]
+
+# RANN Information Element (see 9.4.2.112 of IEEE 802.11-2016).
+type ieee80211_ie_rann ieee80211_generic_ie_const[WLAN_EID_RANN, ieee80211_ie_rann_payload]
+
+# See Figure 9-476 of IEEE 802.11-2016.
+ieee80211_rann_flags {
+ gate_annce int8:1
+ reserved int8:7
+} [packed]
+
+ieee80211_ie_rann_payload {
+ flags ieee80211_rann_flags
+ hop_count int8
+ ttl int8
+ root_sta ieee80211_mac_addr
+ hwmp_seqno int32
+ interval int32
+ metric int32
+} [packed]
+
+# Mesh ID Information Element (see 9.4.2.99 of IEEE 802.11-2016).
+type ieee80211_ie_mesh_id ieee80211_generic_ie_const[WLAN_EID_MESH_ID, ieee80211_mesh_id]
+
+# Mesh Peering Management (see 9.4.2.102 of IEEE 802.11-2016).
+type ieee80211_ie_peer_mgmt ieee80211_generic_ie_const[WLAN_EID_PEER_MGMT, ieee80211_ie_peering_mgmt_payload]
+
+ieee80211_ie_peering_mgmt_payload {
+ proto_id int16[0:1]
+ local_link_id int16
+ peer_link_id optional[int16]
+ reason_code optional[ieee80211_reason_code[int16]]
+ pmk optional[array[int8, 16]]
+} [packed]
+
+# This union is not used in packet descriptions because IEs have a strictly specified order there.
+# It is only needed to feed nl80211 commands that require IEs.
+ieee80211_ie [
+ ssid ieee80211_ie_ssid
+ supported_rates ieee80211_ie_supported_rates
+ dsss ieee80211_ie_dsss
+ cf ieee80211_ie_cf
+ tim ieee80211_ie_tim
+ ibss ieee80211_ie_ibss
+ challenge ieee80211_ie_challenge
+ erp ieee80211_ie_erp
+ channel_switch ieee80211_ie_channel_switch
+ sec_chan_ofs ieee80211_ie_sec_chan_ofs
+ measure_req ieee80211_ie_measure_req
+ fast_bss_trans ieee80211_ie_fast_bss_trans
+ ext_channel_switch ieee80211_ie_ext_channel_switch
+ ht ieee80211_ie_ht
+ link_id ieee80211_ie_link_id
+ chsw_timing ieee80211_ie_channel_switch_timing
+ mesh_chsw ieee80211_ie_mesh_channel_switch
+ gcr_ga ieee80211_ie_gcr_ga
+ preq ieee80211_ie_preq
+ prep ieee80211_ie_prep
+ perr ieee80211_ie_perr
+ rann ieee80211_ie_rann
+ mesh_id ieee80211_ie_mesh_id
+ mesh_config ieee80211_ie_mesh_config
+ peer_mgmt ieee80211_ie_peer_mgmt
+ mic ieee80211_ie_mic
+ random_vendor ieee80211_random_vendor_ie
+ random ieee80211_generic_ie[int8, array[int8, 0:253]]
+] [varlen]
+
+##################################################
+# 802.11 Data frames (9.3.2 of IEEE 802.11-2016)
+##################################################
+
+# Specific 802.11 data frame headers determined by to_ds and from_ds values.
+# See Table 26 of IEEE 802.11-2016.
+
+type ieee80211_data_gen_hdr[TO, FROM, SUBTYPE, ORDER, ADDR_1, ADDR_2, ADDR_3, ADDR_4] {
+ fc ieee80211_fc[TO, FROM, const[IEEE80211_DATA_FRAME_TYPE, int8:2], SUBTYPE, ORDER]
+ duration ieee80211_duration
+ addr_1 ADDR_1
+ addr_2 ADDR_2
+ addr_3 ADDR_3
+ seqno ieee80211_seq_control
+ addr_4 ADDR_4
+} [packed]
+
+type ieee80211_msdu_header[SUBTYPE, ORDER] [
+# 00: RA = DA, TA = SA, BSSID
+ type00 ieee80211_data_gen_hdr[0, 0, SUBTYPE, ORDER, ieee80211_mac_addr, ieee80211_mac_addr, ieee80211_bssid, void]
+# 01: RA = DA, TA = BSSID, SA
+ type01 ieee80211_data_gen_hdr[0, 1, SUBTYPE, ORDER, ieee80211_mac_addr, ieee80211_bssid, ieee80211_mac_addr, void]
+# 10: RA = BSSID, TA = SA, DA
+ type10 ieee80211_data_gen_hdr[1, 0, SUBTYPE, ORDER, ieee80211_bssid, ieee80211_mac_addr, ieee80211_mac_addr, void]
+# 11: RA, TA, DA, SA
+ type11 ieee80211_data_gen_hdr[1, 1, SUBTYPE, ORDER, ieee80211_mac_addr, ieee80211_mac_addr, ieee80211_mac_addr, ieee80211_mac_addr]
+] [varlen]
+
+type ieee80211_a_msdu_header[SUBTYPE, ORDER] [
+# 00: RA = DA, TA = SA, BSSID
+ type00 ieee80211_data_gen_hdr[0, 0, SUBTYPE, ORDER, ieee80211_mac_addr, ieee80211_mac_addr, ieee80211_bssid, void]
+# 01: RA = DA, TA = BSSID, BSSID
+ type01 ieee80211_data_gen_hdr[0, 1, SUBTYPE, ORDER, ieee80211_mac_addr, ieee80211_bssid, ieee80211_bssid, void]
+# 10: RA = BSSID, TA = SA, BSSID
+ type10 ieee80211_data_gen_hdr[1, 0, SUBTYPE, ORDER, ieee80211_bssid, ieee80211_mac_addr, ieee80211_bssid, void]
+# 11: RA, TA, BSSID, SA
+ type11 ieee80211_data_gen_hdr[1, 1, SUBTYPE, ORDER, ieee80211_mac_addr, ieee80211_mac_addr, ieee80211_bssid, ieee80211_mac_addr]
+] [varlen]
+
+type ieee80211_data_frame_no_qos_hdr ieee80211_msdu_header[int8:4[0x0:0x7], int8:1]
+
+type ieee80211_data_frame_qos_hdr[ORDER] {
+ msdu ieee80211_append_qos_control[ieee80211_msdu_header[int8:4[0x8:0xf], ORDER], 0x0]
+ a_msdu ieee80211_append_qos_control[ieee80211_a_msdu_header[int8:4[0x8:0xf], ORDER], 0x1]
+} [packed]
+
+ieee80211_data_frame_hdr [
+ no_qos ieee80211_data_frame_no_qos_hdr
+ qos_no_ht ieee80211_data_frame_qos_hdr[const[0, int8:1]]
+ qos_ht ieee80211_append_ht_control[ieee80211_data_frame_qos_hdr[const[0x1, int8:1]]]
+] [varlen]
+
+ieee80211_a_msdu_subframe {
+ da ieee80211_mac_addr
+ sa ieee80211_mac_addr
+ len len[data, int16]
+ data array[int8]
+} [packed, align[4]]
+
+ieee80211_data_frame_payload [
+ random array[int8, 0:IEEE80211_MAX_DATA_LEN]
+ a_msdu array[ieee80211_a_msdu_subframe]
+] [varlen]
+
+ieee80211_data_frame {
+ header ieee80211_data_frame_hdr
+ payload ieee80211_data_frame_payload
+} [packed]
+
###############################################
# 802.11 Management frames
###############################################
+define IEEE80211_MGMT_FRAME_ASSOC_REQ (IEEE80211_STYPE_ASSOC_REQ >> 4)
+define IEEE80211_MGMT_FRAME_ASSOC_RESP (IEEE80211_STYPE_ASSOC_RESP >> 4)
+define IEEE80211_MGMT_FRAME_REASSOC_REQ (IEEE80211_STYPE_REASSOC_REQ >> 4)
+define IEEE80211_MGMT_FRAME_REASSOC_RESP (IEEE80211_STYPE_REASSOC_RESP >> 4)
+define IEEE80211_MGMT_FRAME_PROBE_REQ (IEEE80211_STYPE_PROBE_REQ >> 4)
+define IEEE80211_MGMT_FRAME_PROBE_RESP (IEEE80211_STYPE_PROBE_RESP >> 4)
define IEEE80211_MGMT_FRAME_BEACON (IEEE80211_STYPE_BEACON >> 4)
+define IEEE80211_MGMT_FRAME_ATIM (IEEE80211_STYPE_ATIM >> 4)
+define IEEE80211_MGMT_FRAME_DISASSOC (IEEE80211_STYPE_DISASSOC >> 4)
+define IEEE80211_MGMT_FRAME_AUTH (IEEE80211_STYPE_AUTH >> 4)
+define IEEE80211_MGMT_FRAME_DEAUTH (IEEE80211_STYPE_DEAUTH >> 4)
+define IEEE80211_MGMT_FRAME_ACTION (IEEE80211_STYPE_ACTION >> 4)
+define IEEE80211_MGMT_FRAME_ACTION_NOACK ((IEEE80211_STYPE_ACTION >> 4) + 1)
type ieee80211_pre_mgmt_header[SUBTYPE_CONST, ORDER_CONST] {
- fc ieee80211_fc[0, 0, const[0x0, int8:2], const[SUBTYPE_CONST, int8:4], const[ORDER_CONST, int8:1]]
+ fc ieee80211_fc[0, 0, const[IEEE80211_MGMT_FRAME_TYPE, int8:2], const[SUBTYPE_CONST, int8:4], const[ORDER_CONST, int8:1]]
duration ieee80211_duration
addr_1 ieee80211_mac_addr
addr_2 ieee80211_mac_addr
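Review bot: `ieee80211_data_frame_qos_hdr` is declared as a packed struct, so every QoS data frame would serialize both the `msdu` and the `a_msdu` header back to back; the two member names and the `0x0`/`0x1` A-MSDU constants suggest a union was intended. If so, the declaration should open with `type ieee80211_data_frame_qos_hdr[ORDER] [` and close with `] [varlen]`, as `ieee80211_msdu_header` does. Separately, `ieee80211_ie_challenge` uses `int8[1:253]`, which is one byte with a value range rather than 1 to 253 bytes of challenge text; `array[int8, 1:253]` looks like what was meant. The comment above `ieee80211_ie_supported_rates` still says "SSID Information Element", the PREP comment repeats the PREQ section number 9.4.2.113, and `meash_pre_value` is presumably `mesh_pre_value`. The hunk ends inside `ieee80211_pre_mgmt_header`, whose body continues outside it.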
@@ -249,13 +707,469 @@ type ieee80211_mgmt_header[SUBTYPE_CONST] [
with_ht ieee80211_append_ht_control[ieee80211_pre_mgmt_header[SUBTYPE_CONST, 0x1]]
] [varlen]
-# Beacon frame
-# See Table 9-27 of IEEE 802.11-2016
-
+# Beacon frame (see Table 9-27 of IEEE 802.11-2016).
ieee80211_mgmt_beacon {
header ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_BEACON]
timestamp ieee80211_timestamp
beacon_interval ieee80211_beacon_interval[int16]
+ capability ieee80211_capability[int16]
+ ssid optional[ieee80211_ie_ssid]
+ supported_rates optional[ieee80211_ie_supported_rates]
+ dsss optional[ieee80211_ie_dsss]
+ cf optional[ieee80211_ie_cf]
+ ibss optional[ieee80211_ie_ibss]
+ tim optional[ieee80211_ie_tim]
+ chsw optional[ieee80211_ie_channel_switch]
+ erp optional[ieee80211_ie_erp]
+ expt_chsw optional[ieee80211_ie_ext_channel_switch]
+ ht optional[ieee80211_ie_ht]
+ mesh_id optional[ieee80211_ie_mesh_id]
+ mesh_config optional[ieee80211_ie_mesh_config]
+ mesh_chsw optional[ieee80211_ie_mesh_channel_switch]
+ vendor array[ieee80211_random_vendor_ie]
+} [packed]
+
+# Disassociation frame (see Table 9-28 of IEEE 802.11-2016).
+ieee80211_mgmt_disassoc_frame {
+ header ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_DISASSOC]
+ reason_code ieee80211_reason_code[int16]
+ mic optional[ieee80211_ie_mic]
+} [packed]
+
+# Association Request (see Table 9-29 of IEEE 802.11-2016).
+ieee80211_mgmt_assoc_req_frame {
+ header ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_ASSOC_REQ]
capabilities ieee80211_capability[int16]
-# TODO: here should be Information Elements in the order specified by Table 9-27 of IEEE 802.11-2016
+ listen_interval int16
+ ssid ieee80211_ie_ssid
+ supported_rates optional[ieee80211_ie_supported_rates]
+ ht optional[ieee80211_ie_ht]
+ vendor array[ieee80211_random_vendor_ie]
+} [packed]
+
+# Association Response (see Table 9-30 of IEEE 802.11-2016).
+ieee80211_mgmt_assoc_resp_frame {
+ header ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_ASSOC_RESP]
+ capabilities ieee80211_capability[int16]
+ status_code ieee80211_status_code[int16]
+ assoc_id ieee80211_assoc_id
+ supported_rates optional[ieee80211_ie_supported_rates]
+ ht optional[ieee80211_ie_ht]
+ vendor array[ieee80211_random_vendor_ie]
+} [packed]
+
+# Reassociation Request (see Table 9-31 of IEEE 802.11-2016).
+ieee80211_mgmt_reassoc_req_frame {
+ header ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_REASSOC_REQ]
+ capabilities ieee80211_capability[int16]
+ listen_interval int16
+ current_ap ieee80211_mac_addr
+ ssid ieee80211_ie_ssid
+ supported_rates optional[ieee80211_ie_supported_rates]
+ ht optional[ieee80211_ie_ht]
+ vendor array[ieee80211_random_vendor_ie]
+} [packed]
+
+# Reassociation Response (see Table 9-32 of IEEE 802.11-2016).
+ieee80211_mgmt_reassoc_resp_frame {
+ header ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_REASSOC_RESP]
+ capabilities ieee80211_capability[int16]
+ status_code ieee80211_status_code[int16]
+ assoc_id ieee80211_assoc_id
+ supported_rates optional[ieee80211_ie_supported_rates]
+ ht optional[ieee80211_ie_ht]
+ vendor array[ieee80211_random_vendor_ie]
+} [packed]
+
+# Probe Request (see Table 9-33 of IEEE 802.11-2016).
+ieee80211_mgmt_probe_request {
+ header ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_PROBE_REQ]
+ ssid optional[ieee80211_ie_ssid]
+ supported_rates optional[ieee80211_ie_supported_rates]
+ dsss optional[ieee80211_ie_dsss]
+ ht optional[ieee80211_ie_ht]
+ mesh_id optional[ieee80211_ie_mesh_id]
+ vendor array[ieee80211_random_vendor_ie]
+} [packed]
+
+# Probe Response (see Table 9-34 of IEEE 802.11-2016).
+ieee80211_mgmt_probe_response {
+ header ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_PROBE_RESP]
+ timestamp ieee80211_timestamp
+ beacon_interval ieee80211_beacon_interval[int16]
+ capabilities ieee80211_capability[int16]
+ ssid optional[ieee80211_ie_ssid]
+ supported_rates optional[ieee80211_ie_supported_rates]
+ dsss optional[ieee80211_ie_dsss]
+ cf optional[ieee80211_ie_cf]
+ ibss optional[ieee80211_ie_ibss]
+ ht optional[ieee80211_ie_ht]
+ mesh_id optional[ieee80211_ie_mesh_id]
+ mesh_config optional[ieee80211_ie_mesh_config]
+ vendor array[ieee80211_random_vendor_ie]
+} [packed]
+
+# Authentication (see Table 9-35 of IEEE 802.11-2016).
+ieee80211_mgmt_auth_frame {
+ header ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_AUTH]
+ algo int16[0:1]
+ trans_seq int16[0:4]
+ status ieee80211_status_code[int16]
+ challenge_tag optional[ieee80211_ie_challenge]
+ vendor array[ieee80211_random_vendor_ie]
+} [packed]
+
+# Deauthenticaiton (see Table 9-37 of IEEE 802.11-2016).
+ieee80211_mgmt_deauth_frame {
+ header ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_DEAUTH]
+ reason_code ieee80211_reason_code[int16]
+ mic optional[ieee80211_ie_mic]
+} [packed]
+
+ieee80211_mgmt_frame [
+ probe_request ieee80211_mgmt_probe_request
+ probe_response ieee80211_mgmt_probe_response
+ beacon ieee80211_mgmt_beacon
+ action ieee80211_mgmt_action
+ action_no_ack ieee80211_mgmt_action_no_ack
+ assoc_req ieee80211_mgmt_assoc_req_frame
+ assoc_resp ieee80211_mgmt_assoc_resp_frame
+ disassoc ieee80211_mgmt_disassoc_frame
+ deauth ieee80211_mgmt_deauth_frame
+ reassoc_req ieee80211_mgmt_reassoc_req_frame
+ reassoc_resp ieee80211_mgmt_reassoc_resp_frame
+ auth ieee80211_mgmt_auth_frame
+] [varlen]
+
+######################################################
+# 802.11 Management Action frames
+######################################################
+
+# This is a large group of frames, so it is placed in a separate section.
+
+type ieee80211_mgmt_action_raw[CATEGORY, ACTION, PAYLOAD_TYPE] {
+ category const[CATEGORY, int8]
+ action const[ACTION, int8]
+ payload PAYLOAD_TYPE
+} [packed]
+
+# Measurement Request (see sect. 9.6.2.2 of IEEE 802.11-2016).
+ieee80211_mgmt_action_measure_req {
+ dialog_token int8
+ ie array[ieee80211_ie_measure_req]
+} [packed]
+
+# Channel Switch Announcement (see sect. 9.6.2.6 of IEEE 802.11-2016).
+ieee80211_mgmt_action_channel_switch {
+ channel_switch ieee80211_ie_channel_switch
+ secondary optional[ieee80211_ie_sec_chan_ofs]
+ mesh optional[ieee80211_ie_mesh_channel_switch]
+} [packed]
+
+# ADDBA Request (see sect. 9.6.5.2 of IEEE 802.11-2016).
+ieee80211_mgmt_action_addba_req {
+ dialog_token int8
+ block_ack_param ieee80211_block_ack_param_set
+ timeout_value int16
+ ssc ieee80211_block_ack_ssc
+} [packed]
+
+ieee80211_block_ack_param_set {
+ amsdu_supported int16:1
+ block_ack_policy int16:1
+ tid int16:4
+ buffer_size int16:10
+} [packed]
+
+# ADDBA Response (see sect. 9.6.5.3 of IEEE 802.11-2016).
+ieee80211_mgmt_action_addba_resp {
+ dialog_token int8
+ status ieee80211_status_code[int16]
+ block_ack_param ieee80211_block_ack_param_set
+ timeout_value int16
+} [packed]
+
+# DELBA (see sect. 9.6.5.4 of IEEE 802.11-2016).
+ieee80211_mgmt_action_delba {
+ delba_params ieee80211_delba_param_set
+ reason ieee80211_reason_code[int16]
+ group_addr_ie ieee80211_ie_gcr_ga
+} [packed]
+
+ieee80211_delba_param_set {
+ reserved const[0, int16:11]
+ initiator int16:1
+ tid int16:4
+} [packed]
+
+# Extended Channel Switch Announcement (see sect. 9.6.8.7 of IEEE 802.11-2016).
+ieee80211_mgmt_action_ext_chan_switch {
+ annce_ie ieee80211_ie_ext_channel_switch_annce_payload
+ mesh_ie optional[ieee80211_ie_mesh_channel_switch]
+} [packed]
+
+# See Table 9-343 and Table 9-344 of 802.11-2016.
+type ieee80211_mgmt_action_generic_tdls_setup[ACTION, STATUS] {
+ category const[WLAN_CATEGORY_TDLS, int8]
+ action const[ACTION, int8]
+ status STATUS
+ dialog_token int8
+ capability optional[ieee80211_capability[int16]]
+ supported_rates optional[ieee80211_ie_supported_rates]
+ ht optional[ieee80211_ie_ht]
+ link_id optional[ieee80211_ie_link_id]
+} [packed]
+
+# TDLS Setup Confirm (see sect. 9.6.13.4 of IEEE 802.11-2016).
+ieee80211_mgmt_action_tdls_cfm {
+ status ieee80211_status_code[int16]
+ dialog_token int8
+} [packed]
+
+# TDLS Channel Switch Request (see sect. 9.6.13.7 of IEEE 802.11-2016).
+ieee80211_mgmt_action_tdls_chsw_req {
+ target_channel ieee80211_channel[int8]
+ operating_class int8
+ secondary optional[ieee80211_ie_sec_chan_ofs]
+ link_id ieee80211_ie_link_id
+ timing ieee80211_ie_channel_switch_timing
+} [packed]
+
+# TDLS Channel Switch Response (see sect. 9.6.13.8 of IEEE 802.11-2016).
+ieee80211_mgmt_action_tdls_chsw_resp {
+ status ieee80211_status_code[int16]
+ link_id ieee80211_ie_link_id
+ timing ieee80211_ie_channel_switch_timing
+} [packed]
+
+# TDLS Discovery Request (see sect. 9.6.13.12 of IEEE 802.11-2016).
+ieee80211_mgmt_action_tdls_disc_req {
+ dialog_token int8
+ link_id ieee80211_ie_link_id
} [packed]
+
+# TDLS Teardown (see sect. 9.6.13.5 of IEEE 802.11-2016).
+ieee80211_mgmt_action_tdls_teardown {
+ reason ieee80211_reason_code[int16]
+ fte ieee80211_ie_fast_bss_trans
+ link_id ieee80211_ie_link_id
+} [packed]
+
+# Notify Channel Width (see sect. 9.6.12.2 of IEEE 802.11-2016).
+type ieee80211_mgmt_action_notify_ch_sw int8[0:1]
+
+# Group ID Management (see sect. 9.6.23.3 of IEEE 802.11-2016).
+ieee80211_mgmt_action_group_id {
+ membership_status int64
+ user_positions array[int8, 16]
+} [packed]
+
+# Operating Mode Notification (see sect. 9.6.23.4 of IEEE 802.11-2016).
+type ieee80211_mgmt_action_op_mode_ntf ieee80211_operating_mode
+
+# HWMP Mesh Path Selection (see sect. 9.6.17.3 of IEEE 802.11-2016).
+ieee80211_mgmt_action_hwmp_path_sel {
+ preq optional[ieee80211_ie_preq]
+ prep optional[ieee80211_ie_prep]
+ perr optional[ieee80211_ie_perr]
+ rann optional[ieee80211_ie_rann]
+} [packed]
+
+# Mesh Peering Open (see sect. 9.6.16.2 of IEEE 802.11-2016).
+ieee80211_mgmt_action_mesh_peering_open {
+ capability ieee80211_capability[int16]
+ supported_rates ieee80211_ie_supported_rates
+ mesh_id optional[ieee80211_ie_mesh_id]
+ ht optional[ieee80211_ie_ht]
+} [packed]
+
+# Mesh Peering Confirm (see sect. 9.6.16.3 of IEEE 802.11-2016).
+ieee80211_mgmt_action_mesh_peering_confirm {
+ capability ieee80211_capability[int16]
+ aid ieee80211_assoc_id
+ supported_rates ieee80211_ie_supported_rates
+ mesh_id optional[ieee80211_ie_mesh_id]
+ ht optional[ieee80211_ie_ht]
+} [packed]
+
+# Mesh Peering Close (see sect. 9.6.16.4 of IEEE 802.11-2016).
+ieee80211_mgmt_action_mesh_peering_close {
+ mesh_id ieee80211_ie_mesh_id
+ mgmt ieee80211_ie_peer_mgmt
+} [packed]
+
+ieee80211_mgmt_action_payload [
+ measure_req ieee80211_mgmt_action_raw[WLAN_CATEGORY_SPECTRUM_MGMT, WLAN_ACTION_SPCT_MSR_REQ, ieee80211_mgmt_action_measure_req]
+ channel_switch ieee80211_mgmt_action_raw[WLAN_CATEGORY_SPECTRUM_MGMT, WLAN_ACTION_SPCT_CHL_SWITCH, ieee80211_mgmt_action_channel_switch]
+ addba_req ieee80211_mgmt_action_raw[WLAN_CATEGORY_BACK, WLAN_ACTION_ADDBA_REQ, ieee80211_mgmt_action_addba_req]
+ addba_resp ieee80211_mgmt_action_raw[WLAN_CATEGORY_BACK, WLAN_ACTION_ADDBA_RESP, ieee80211_mgmt_action_addba_resp]
+ delba ieee80211_mgmt_action_raw[WLAN_CATEGORY_BACK, WLAN_ACTION_DELBA, ieee80211_mgmt_action_delba]
+ ext_ch_sw ieee80211_mgmt_action_raw[WLAN_CATEGORY_PUBLIC, WLAN_PUB_ACTION_EXT_CHANSW_ANN, ieee80211_mgmt_action_ext_chan_switch]
+ ntf_ch_w ieee80211_mgmt_action_raw[WLAN_CATEGORY_HT, WLAN_HT_ACTION_NOTIFY_CHANWIDTH, ieee80211_mgmt_action_notify_ch_sw]
+ smps ieee80211_mgmt_action_raw[WLAN_CATEGORY_HT, WLAN_HT_ACTION_SMPS, ieee80211_sm_power_control]
+ sa_query_req ieee80211_mgmt_action_raw[WLAN_CATEGORY_SA_QUERY, WLAN_ACTION_SA_QUERY_REQUEST, int16]
+ tdls_setup_req ieee80211_mgmt_action_generic_tdls_setup[WLAN_TDLS_SETUP_REQUEST, void]
+ tdls_setup_resp ieee80211_mgmt_action_generic_tdls_setup[WLAN_TDLS_SETUP_RESPONSE, ieee80211_status_code[int16]]
+ tdls_setup_cfm ieee80211_mgmt_action_raw[WLAN_CATEGORY_TDLS, WLAN_TDLS_SETUP_CONFIRM, ieee80211_mgmt_action_tdls_cfm]
+ tdls_teardown ieee80211_mgmt_action_raw[WLAN_CATEGORY_TDLS, WLAN_TDLS_TEARDOWN, ieee80211_mgmt_action_tdls_teardown]
+ tdls_chsw_req ieee80211_mgmt_action_raw[WLAN_CATEGORY_TDLS, WLAN_TDLS_CHANNEL_SWITCH_REQUEST, ieee80211_mgmt_action_tdls_chsw_req]
+ tdls_chsw_resp ieee80211_mgmt_action_raw[WLAN_CATEGORY_TDLS, WLAN_TDLS_CHANNEL_SWITCH_RESPONSE, ieee80211_mgmt_action_tdls_chsw_resp]
+ tdls_disc_req ieee80211_mgmt_action_raw[WLAN_CATEGORY_TDLS, WLAN_TDLS_DISCOVERY_REQUEST, ieee80211_mgmt_action_tdls_disc_req]
+ vht_op_mode_ntf ieee80211_mgmt_action_raw[WLAN_CATEGORY_VHT, WLAN_VHT_ACTION_OPMODE_NOTIF, ieee80211_mgmt_action_op_mode_ntf]
+ vht_group_id ieee80211_mgmt_action_raw[WLAN_CATEGORY_VHT, WLAN_VHT_ACTION_GROUPID_MGMT, ieee80211_mgmt_action_group_id]
+ mesh_hwmp_psel ieee80211_mgmt_action_raw[WLAN_CATEGORY_MESH_ACTION, WLAN_MESH_ACTION_HWMP_PATH_SELECTION, ieee80211_mgmt_action_hwmp_path_sel]
+ sp_mp_open ieee80211_mgmt_action_raw[WLAN_CATEGORY_SELF_PROTECTED, WLAN_SP_MESH_PEERING_OPEN, ieee80211_mgmt_action_mesh_peering_open]
+ sp_mp_confirm ieee80211_mgmt_action_raw[WLAN_CATEGORY_SELF_PROTECTED, WLAN_SP_MESH_PEERING_CONFIRM, ieee80211_mgmt_action_mesh_peering_confirm]
+ sp_mp_close ieee80211_mgmt_action_raw[WLAN_CATEGORY_SELF_PROTECTED, WLAN_SP_MESH_PEERING_CLOSE, ieee80211_mgmt_action_mesh_peering_close]
+] [varlen]
+
+ieee80211_mgmt_action {
+ header ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_ACTION]
+ payload ieee80211_mgmt_action_payload
+} [packed]
+
+ieee80211_mgmt_action_no_ack {
+ header ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_ACTION_NOACK]
+ payload ieee80211_mgmt_action_payload
+} [packed]
+
+####################################
+# Control frames.
+####################################
+
+# For details see sect. 9.3.1 of IEEE 802.11-2016.
+
+define IEEE80211_MGMT_CTL_CTL_EXT (IEEE80211_STYPE_CTL_EXT >> 4)
+define IEEE80211_MGMT_CTL_BACK_REQ (IEEE80211_STYPE_BACK_REQ >> 4)
+define IEEE80211_MGMT_CTL_BACK (IEEE80211_STYPE_BACK >> 4)
+define IEEE80211_MGMT_CTL_PSPOLL (IEEE80211_STYPE_PSPOLL >> 4)
+define IEEE80211_MGMT_CTL_RTS (IEEE80211_STYPE_RTS >> 4)
+define IEEE80211_MGMT_CTL_CTS (IEEE80211_STYPE_CTS >> 4)
+define IEEE80211_MGMT_CTL_ACK (IEEE80211_STYPE_ACK >> 4)
+define IEEE80211_MGMT_CTL_CFEND (IEEE80211_STYPE_CFEND >> 4)
+define IEEE80211_MGMT_CTL_CFENDACK (IEEE80211_STYPE_CFENDACK >> 4)
+
+# Request to Send (RTS) frame.
+ieee80211_ctrl_rts {
+ header ieee80211_control_fc[IEEE80211_MGMT_CTL_RTS]
+ duration ieee80211_duration
+ receiver ieee80211_mac_addr
+ transmitter ieee80211_mac_addr
+} [packed]
+
+# Clear to Send (CTS) frame.
+ieee80211_ctrl_cts {
+ header ieee80211_control_fc[IEEE80211_MGMT_CTL_CTS]
+ duration ieee80211_duration
+ receiver ieee80211_mac_addr
+} [packed]
+
+# Acknowledgement (ACK) frame.
+ieee80211_ctrl_ack {
+ header ieee80211_control_fc[IEEE80211_MGMT_CTL_ACK]
+ duration ieee80211_duration
+ receiver ieee80211_mac_addr
+} [packed]
+
+# Contention-Free End (CF-End) frame.
+ieee80211_ctrl_cf_end {
+ header ieee80211_control_fc[IEEE80211_MGMT_CTL_CFEND]
+ duration ieee80211_duration
+ receiver ieee80211_mac_addr
+ bssid ieee80211_bssid
+} [packed]
+
+# CF-End & CF-Ack frame.
+ieee80211_ctrl_cf_end_cf_ack {
+ header ieee80211_control_fc[IEEE80211_MGMT_CTL_CFENDACK]
+ duration ieee80211_duration
+ receiver ieee80211_mac_addr
+ transmitter ieee80211_mac_addr
+} [packed]
+
+# Power-Save Poll (PS-Poll) frame.
+ieee80211_ctrl_pspoll {
+ header ieee80211_control_fc[IEEE80211_MGMT_CTL_PSPOLL]
+ assoc_id ieee80211_assoc_id
+ bssid ieee80211_bssid
+ transmitter ieee80211_mac_addr
+} [packed]
+
+# Block Ack Request (BAR) frame (802.11n).
+type ieee80211_ctrl_bar_control[MULTI_CONST, COMPRESSED_CONST, TID_INFO] {
+ ack_policy int8:1
+ multi_tid const[MULTI_CONST, int8:1]
+ compressed_bitmap const[COMPRESSED_CONST, int8:1]
+ reserved const[0, int16:9]
+ tid_info TID_INFO
+} [packed]
+
+type ieee80211_ctrl_bar_info[SUFFIX] {
+ tid_reserved const[0, int16:12]
+ tid_value int16:4
+ ssc ieee80211_block_ack_ssc
+ suffix SUFFIX
+} [packed]
+
+type ieee80211_ctrl_bar_simple_req[COMPRESSED] {
+ control_hdr ieee80211_ctrl_bar_control[0, COMPRESSED, int8:4]
+ ssc ieee80211_block_ack_ssc
+} [packed]
+
+ieee80211_ctrl_bar_multi {
+ control ieee80211_ctrl_bar_control[1, 1, len[ieee80211_ctrl_bar_multi:bar_info, int8:4]]
+ bar_info array[ieee80211_ctrl_bar_info[array[int8, 8]]]
+} [packed]
+
+ieee80211_ctrl_bar_any [
+ basic ieee80211_ctrl_bar_simple_req[0]
+ compressed ieee80211_ctrl_bar_simple_req[1]
+ multi ieee80211_ctrl_bar_multi
+] [varlen]
+
+ieee80211_ctrl_bar {
+ header ieee80211_control_fc[IEEE80211_MGMT_CTL_BACK_REQ]
+ duration ieee80211_duration
+ receiver ieee80211_mac_addr
+ transmitter ieee80211_mac_addr
+ payload ieee80211_ctrl_bar_any
+} [packed]
+
+# Block Ack (BA) frame (802.11n).
+type ieee80211_ctrl_ba_single[COMPRESSED, LEN] {
+ control ieee80211_ctrl_bar_control[0, COMPRESSED, int8:4]
+ ssc ieee80211_block_ack_ssc
+ ack_bitmap array[int8, LEN]
+} [packed]
+
+ieee80211_ctrl_ba_multi {
+ control ieee80211_ctrl_bar_control[1, 1, len[ieee80211_ctrl_ba_multi:tid_list, int8:4]]
+ tid_list array[ieee80211_ctrl_bar_info[array[int8, 8]]]
+# There must be TID_INFO + 1 entries, so we add an extra one.
+ extra_tid ieee80211_ctrl_bar_info[array[int8, 8]]
+} [packed]
+
+ieee80211_ctrl_ba_any [
+ basic ieee80211_ctrl_ba_single[0, 128]
+ compressed ieee80211_ctrl_ba_single[1, 8]
+ multi ieee80211_ctrl_ba_multi
+] [varlen]
+
+ieee80211_ctrl_ba {
+ header ieee80211_control_fc[IEEE80211_MGMT_CTL_BACK]
+ duration ieee80211_duration
+ receiver ieee80211_mac_addr
+ transmitter ieee80211_mac_addr
+ payload ieee80211_ctrl_ba_any
+} [packed]
+
+ieee80211_ctrl_frame [
+ rts ieee80211_ctrl_rts
+ cts ieee80211_ctrl_cts
+ ack ieee80211_ctrl_ack
+ pspoll ieee80211_ctrl_pspoll
+ bar ieee80211_ctrl_bar
+ ba ieee80211_ctrl_ba
+ cf_end ieee80211_ctrl_cf_end
+ cf_end_cf_ack ieee80211_ctrl_cf_end_cf_ack
+] [varlen]
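Review bot: `ieee80211_ctrl_bar_control` mixes `int8` and `int16` bitfield bases for what is a single 16-bit BAR/BA Control field: three `int8:1` flags, then an `int16:9` reserved member, then an `int8:4` TID_INFO at every instantiation. If the description compiler only groups adjacent bitfields that share a base size, as I believe it does, this lays out four bytes instead of two. Every generated BAR and BA frame would then be malformed at a fixed offset, and the block-ack receive paths would mostly see frames that are rejected early. Using `int16` for all members, and `int16:4` in the four instantiations, keeps the field at 16 bits; a capture of one generated BAR frame would confirm the layout. Separately, the comment above `ieee80211_mgmt_deauth_frame` should read `# Deauthentication (see Table 9-37 of IEEE 802.11-2016).`

```syzlang
type ieee80211_ctrl_bar_control[MULTI_CONST, COMPRESSED_CONST, TID_INFO] {
	ack_policy		int16:1
	multi_tid		const[MULTI_CONST, int16:1]
	compressed_bitmap	const[COMPRESSED_CONST, int16:1]
# … unchanged: reserved, tid_info …

# in ieee80211_ctrl_bar_simple_req
	control_hdr	ieee80211_ctrl_bar_control[0, COMPRESSED, int16:4]
# in ieee80211_ctrl_bar_multi
	control		ieee80211_ctrl_bar_control[1, 1, len[ieee80211_ctrl_bar_multi:bar_info, int16:4]]
# in ieee80211_ctrl_ba_single
	control		ieee80211_ctrl_bar_control[0, COMPRESSED, int16:4]
# in ieee80211_ctrl_ba_multi
	control		ieee80211_ctrl_bar_control[1, 1, len[ieee80211_ctrl_ba_multi:tid_list, int16:4]]
```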
diff --git a/sys/linux/net_80211.txt.const b/sys/linux/net_80211.txt.const
index dfbc992ac..b1ee0bd05 100644
--- a/sys/linux/net_80211.txt.const
+++ b/sys/linux/net_80211.txt.const
@@ -1,5 +1,7 @@
# Code generated by syz-sysgen. DO NOT EDIT.
arches = 386, amd64, arm, arm64, mips64le, ppc64le, riscv64, s390x
+IEEE80211_CTL_FRAME_TYPE = 1
+IEEE80211_DATA_FRAME_TYPE = 2
IEEE80211_HT_CAP_40MHZ_INTOLERANT = 16384
IEEE80211_HT_CAP_DELAY_BA = 1024
IEEE80211_HT_CAP_DSSSCCK40 = 4096
@@ -23,8 +25,35 @@ IEEE80211_HT_EXT_CAP_PCO = 1
IEEE80211_HT_EXT_CAP_PCO_TIME = 6
IEEE80211_HT_EXT_CAP_PCO_TIME_SHIFT = 1
IEEE80211_HT_EXT_CAP_RD_RESPONDER = 2048
+IEEE80211_MAX_DATA_LEN = 2304
IEEE80211_MAX_SSID_LEN = 32
+IEEE80211_MESHCONF_CAPAB_ACCEPT_PLINKS = 1
+IEEE80211_MESHCONF_CAPAB_FORWARDING = 8
+IEEE80211_MESHCONF_CAPAB_POWER_SAVE_LEVEL = 64
+IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING = 32
+IEEE80211_MGMT_CTL_ACK = 13
+IEEE80211_MGMT_CTL_BACK = 9
+IEEE80211_MGMT_CTL_BACK_REQ = 8
+IEEE80211_MGMT_CTL_CFEND = 14
+IEEE80211_MGMT_CTL_CFENDACK = 15
+IEEE80211_MGMT_CTL_CTL_EXT = 6
+IEEE80211_MGMT_CTL_CTS = 12
+IEEE80211_MGMT_CTL_PSPOLL = 10
+IEEE80211_MGMT_CTL_RTS = 11
+IEEE80211_MGMT_FRAME_ACTION = 13
+IEEE80211_MGMT_FRAME_ACTION_NOACK = 14
+IEEE80211_MGMT_FRAME_ASSOC_REQ = 0
+IEEE80211_MGMT_FRAME_ASSOC_RESP = 1
+IEEE80211_MGMT_FRAME_ATIM = 9
+IEEE80211_MGMT_FRAME_AUTH = 11
IEEE80211_MGMT_FRAME_BEACON = 8
+IEEE80211_MGMT_FRAME_DEAUTH = 12
+IEEE80211_MGMT_FRAME_DISASSOC = 10
+IEEE80211_MGMT_FRAME_PROBE_REQ = 4
+IEEE80211_MGMT_FRAME_PROBE_RESP = 5
+IEEE80211_MGMT_FRAME_REASSOC_REQ = 2
+IEEE80211_MGMT_FRAME_REASSOC_RESP = 3
+IEEE80211_MGMT_FRAME_TYPE = 0
IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK = 57344
IEEE80211_VHT_CAP_BEAMFORMEE_STS_SHIFT = 13
IEEE80211_VHT_CAP_EXT_NSS_BW_MASK = 3221225472
@@ -64,6 +93,12 @@ IEEE80211_VHT_CAP_VHT_TXOP_PS = 2097152
JOIN_IBSS_BG_NO_SCAN = 2
JOIN_IBSS_BG_SCAN = 1
JOIN_IBSS_NO_SCAN = 0
+WLAN_ACTION_ADDBA_REQ = 0
+WLAN_ACTION_ADDBA_RESP = 1
+WLAN_ACTION_DELBA = 2
+WLAN_ACTION_SA_QUERY_REQUEST = 0
+WLAN_ACTION_SPCT_CHL_SWITCH = 4
+WLAN_ACTION_SPCT_MSR_REQ = 0
WLAN_AKM_SUITE_8021X = 1027073
WLAN_AKM_SUITE_8021X_SHA256 = 1027077
WLAN_AKM_SUITE_8021X_SUITE_B = 1027083
@@ -100,6 +135,15 @@ WLAN_CAPABILITY_RADIO_MEASURE = 4096
WLAN_CAPABILITY_SHORT_PREAMBLE = 32
WLAN_CAPABILITY_SHORT_SLOT_TIME = 1024
WLAN_CAPABILITY_SPECTRUM_MGMT = 256
+WLAN_CATEGORY_BACK = 3
+WLAN_CATEGORY_HT = 7
+WLAN_CATEGORY_MESH_ACTION = 13
+WLAN_CATEGORY_PUBLIC = 4
+WLAN_CATEGORY_SA_QUERY = 8
+WLAN_CATEGORY_SELF_PROTECTED = 15
+WLAN_CATEGORY_SPECTRUM_MGMT = 0
+WLAN_CATEGORY_TDLS = 12
+WLAN_CATEGORY_VHT = 21
WLAN_CIPHER_SUITE_AES_CMAC = 1027078
WLAN_CIPHER_SUITE_BIP_CMAC_256 = 1027085
WLAN_CIPHER_SUITE_BIP_GMAC_128 = 1027083
@@ -112,6 +156,40 @@ WLAN_CIPHER_SUITE_TKIP = 1027074
WLAN_CIPHER_SUITE_USE_GROUP = 1027072
WLAN_CIPHER_SUITE_WEP104 = 1027077
WLAN_CIPHER_SUITE_WEP40 = 1027073
+WLAN_EID_CF_PARAMS = 4
+WLAN_EID_CHALLENGE = 16
+WLAN_EID_CHANNEL_SWITCH = 37
+WLAN_EID_CHAN_SWITCH_PARAM = 118
+WLAN_EID_CHAN_SWITCH_TIMING = 104
+WLAN_EID_DS_PARAMS = 3
+WLAN_EID_ERP_INFO = 42
+WLAN_EID_EXT_CHANSWITCH_ANN = 60
+WLAN_EID_FAST_BSS_TRANSITION = 55
+WLAN_EID_GCR_GROUP_ADDR = 189
+WLAN_EID_HT_CAPABILITY = 45
+WLAN_EID_IBSS_PARAMS = 6
+WLAN_EID_LINK_ID = 101
+WLAN_EID_MEASURE_REQUEST = 38
+WLAN_EID_MESH_CONFIG = 113
+WLAN_EID_MESH_ID = 114
+WLAN_EID_MIC = 140
+WLAN_EID_PEER_MGMT = 117
+WLAN_EID_PERR = 132
+WLAN_EID_PREP = 131
+WLAN_EID_PREQ = 130
+WLAN_EID_RANN = 126
+WLAN_EID_SECONDARY_CHANNEL_OFFSET = 62
+WLAN_EID_SSID = 0
+WLAN_EID_SUPP_RATES = 1
+WLAN_EID_TIM = 5
+WLAN_EID_VENDOR_SPECIFIC = 221
+WLAN_HT_ACTION_NOTIFY_CHANWIDTH = 0
+WLAN_HT_ACTION_SMPS = 1
+WLAN_MESH_ACTION_HWMP_PATH_SELECTION = 1
+WLAN_PUB_ACTION_EXT_CHANSW_ANN = 4
+WLAN_SP_MESH_PEERING_CLOSE = 3
+WLAN_SP_MESH_PEERING_CONFIRM = 2
+WLAN_SP_MESH_PEERING_OPEN = 1
WLAN_TDLS_CHANNEL_SWITCH_REQUEST = 5
WLAN_TDLS_CHANNEL_SWITCH_RESPONSE = 6
WLAN_TDLS_DISCOVERY_REQUEST = 10
@@ -123,3 +201,5 @@ WLAN_TDLS_SETUP_CONFIRM = 2
WLAN_TDLS_SETUP_REQUEST = 0
WLAN_TDLS_SETUP_RESPONSE = 1
WLAN_TDLS_TEARDOWN = 3
+WLAN_VHT_ACTION_GROUPID_MGMT = 1
+WLAN_VHT_ACTION_OPMODE_NOTIF = 2
diff --git a/sys/linux/socket_netlink_generic_80211.txt b/sys/linux/socket_netlink_generic_80211.txt
index 83da3013f..64cd222a3 100644
--- a/sys/linux/socket_netlink_generic_80211.txt
+++ b/sys/linux/socket_netlink_generic_80211.txt
@@ -515,7 +515,7 @@ nl80211_scan_flags = NL80211_SCAN_FLAG_LOW_PRIORITY, NL80211_SCAN_FLAG_FLUSH, NL
nl80211_policy_scan [
NL80211_ATTR_MAC nlattr[NL80211_ATTR_MAC, ieee80211_mac_addr]
- NL80211_ATTR_IE nlattr[NL80211_ATTR_IE, array[int8, 0:IEEE80211_MAX_DATA_LEN]]
+ NL80211_ATTR_IE nlattr[NL80211_ATTR_IE, array[ieee80211_ie]]
NL80211_ATTR_SCAN_FREQUENCIES nlnest[NL80211_ATTR_SCAN_FREQUENCIES, array[nlattr[0, int32]]]
NL80211_ATTR_SCAN_SSIDS nlnest[NL80211_ATTR_SCAN_SSIDS, array[nlattr[0, ieee80211_ssid]]]
NL80211_ATTR_SCHED_SCAN_INTERVAL nlattr[NL80211_ATTR_SCHED_SCAN_INTERVAL, int32]
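Review bot: Replacing `array[int8, 0:IEEE80211_MAX_DATA_LEN]` with `array[ieee80211_ie]` for `NL80211_ATTR_IE` drops both the explicit length bound and the raw-bytes form, so the scan path now mostly receives well-formed element lists. Truncated elements and inconsistent length bytes are the inputs the kernel's element parser most needs to reject safely, and unless `ieee80211_ie` (defined outside this hunk) already carries a raw variant they become harder to reach. I would keep a raw alternative beside the structured one, or state where malformed input comes from with a comment such as `# Malformed IEs are covered by the raw variant of ieee80211_ie.` The same narrowing applies to `NL80211_ATTR_FRAME` in the `nl80211_policy_mgmt_frame` hunk below, where `ieee80211_frame` becomes `ieee80211_mgmt_frame`; a one-line comment saying why data and control frames are excluded would help there. Both unions continue outside their hunks.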
@@ -851,7 +851,7 @@ nl80211_policy_cqm [
nl80211_policy_mgmt_frame [
chandef_params array[nl80211_policy_chandef_params]
NL80211_ATTR_DONT_WAIT_FOR_ACK nlattr[NL80211_ATTR_DONT_WAIT_FOR_ACK, void]
- NL80211_ATTR_FRAME nlattr[NL80211_ATTR_FRAME, ieee80211_frame]
+ NL80211_ATTR_FRAME nlattr[NL80211_ATTR_FRAME, ieee80211_mgmt_frame]
NL80211_ATTR_DURATION nlattr[NL80211_ATTR_DURATION, int32[NL80211_MIN_REMAIN_ON_CHANNEL_TIME:5000]]
NL80211_ATTR_OFFCHANNEL_TX_OK nlattr[NL80211_ATTR_OFFCHANNEL_TX_OK, void]
NL80211_ATTR_TX_NO_CCK_RATE nlattr[NL80211_ATTR_TX_NO_CCK_RATE, void]
diff --git a/sys/linux/test/80211_ibss b/sys/linux/test/80211_ibss
index 0bea2f5f8..cc52a509f 100644
--- a/sys/linux/test/80211_ibss
+++ b/sys/linux/test/80211_ibss
@@ -1,9 +1,9 @@
# requires: -sandbox=namespace
-# Join IBSSS network
+# Join IBSSS network.
syz_80211_join_ibss(&AUTO='wlan0\x00', &AUTO=@default_ibss_ssid, 0x6, 0x0)
-# Inject an arbitrary packet
+# Inject an arbitrary packet.
-syz_80211_inject_frame(&AUTO=@device_a, &AUTO="00112233445566778899", 0xa) \ No newline at end of file
+syz_80211_inject_frame(&AUTO=@device_a, &AUTO=@mgmt_frame=@beacon={@wo_ht={{AUTO, AUTO, AUTO, AUTO, AUTO, 0, 0, 0, 0, AUTO, 0}, {0, 0}, @device_b, @device_a, @from_mac=@device_a, {0,0}}, 0x0, @default, 0x1, @val={AUTO, AUTO, @default_ap_ssid}, @val={AUTO, AUTO, [{0x2,0x1}, {0x4,0x1}, {0xb,0x1}, {0x16,0x1}, {0x0c,0x0}, {0x12,0x0}, {0x18,0x0}, {0x24, 0x0}]}, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void, []}, AUTO)
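Review bot: The comment `# Inject an arbitrary packet.` no longer matches the call under it, which now injects a structured beacon (`@mgmt_frame=@beacon`) instead of ten raw bytes; `# Inject a beacon frame.` would describe it. The comment `# Join IBSSS network.` was touched only to add the full stop and still carries the extra `S`; it should read `# Join IBSS network.`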
diff --git a/sys/linux/test/80211_setup_ap b/sys/linux/test/80211_setup_ap
index 8e378aa8a..be18aa80c 100644
--- a/sys/linux/test/80211_setup_ap
+++ b/sys/linux/test/80211_setup_ap
@@ -1,11 +1,11 @@
r0 = socket$nl_generic(0x10, 0x3, 0x10)
-r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00')
-ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000700)={'wlan0\x00', <r2=>0x0})
+r1 = syz_genetlink_get_family_id$nl80211(&AUTO='nl80211\x00')
+ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &AUTO={'wlan0\x00', <r2=>0x0})
-# set AP mode for wlan0
+# Set AP mode for wlan0.
-sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)={AUTO, r1, 0x5, 0x0, 0x0, {{AUTO, AUTO, AUTO}, {@val={AUTO, AUTO, r2, nil},@void}}, [@NL80211_ATTR_IFTYPE={AUTO, AUTO, 0x3, nil}]}, AUTO}, AUTO, AUTO, AUTO, 0x0}, 0x0)
+sendmsg$NL80211_CMD_SET_INTERFACE(r0, &AUTO={0x0, 0x0, &AUTO={&AUTO={AUTO, r1, 0x5, 0x0, 0x0, {{AUTO, AUTO, AUTO}, {@val={AUTO, AUTO, r2, nil},@void}}, [@NL80211_ATTR_IFTYPE={AUTO, AUTO, 0x3, nil}]}, AUTO}, AUTO, AUTO, AUTO, 0x0}, 0x0)
-# start AP at wlan0
+# Start AP at wlan0.
-sendmsg$NL80211_CMD_START_AP(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)={AUTO, r1, 0x5, 0x0, 0x0, {{AUTO, AUTO, AUTO}, {@val={AUTO, AUTO, r2, nil},@void}}, [@beacon=[@NL80211_ATTR_BEACON_HEAD={AUTO, AUTO, {@wo_ht={{AUTO, AUTO, AUTO, AUTO, AUTO, 0, 0, 0, 0, AUTO, 0}, {0, AUTO}, @broadcast, @device_a, @from_mac=@device_a, {0,0}}, 0x0, @default, 0xFFFF}, nil}], @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={AUTO,AUTO,@default, nil}], @NL80211_ATTR_BEACON_INTERVAL={AUTO, AUTO, @default, nil},@NL80211_ATTR_DTIM_PERIOD={AUTO, AUTO, 0, nil}, @NL80211_ATTR_SSID={AUTO,AUTO,@default_ap_ssid, nil}, @NL80211_ATTR_AUTH_TYPE={AUTO, AUTO, 0, nil}, @NL80211_ATTR_EXTERNAL_AUTH_SUPPORT={AUTO,AUTO, nil, nil}]}, AUTO}, AUTO, AUTO, AUTO, 0x0}, 0x0)
+sendmsg$NL80211_CMD_START_AP(r0, &AUTO={0x0, 0x0, &AUTO={&AUTO={AUTO, r1, 0x5, 0x0, 0x0, {{AUTO, AUTO, AUTO}, {@val={AUTO, AUTO, r2, nil},@void}}, [@beacon=[@NL80211_ATTR_BEACON_HEAD={AUTO, AUTO, {@wo_ht={{AUTO, AUTO, AUTO, AUTO, AUTO, 0, 0, 0, 0, AUTO, 0}, {0, AUTO}, @broadcast, @device_a, @from_mac=@device_a, {0,0}}, 0x0, @default, 0x1, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void, []}, nil}], @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={AUTO,AUTO,@default, nil}], @NL80211_ATTR_BEACON_INTERVAL={AUTO, AUTO, @default, nil},@NL80211_ATTR_DTIM_PERIOD={AUTO, AUTO, 0, nil}, @NL80211_ATTR_SSID={AUTO,AUTO,@default_ap_ssid, nil}, @NL80211_ATTR_AUTH_TYPE={AUTO, AUTO, 0, nil}, @NL80211_ATTR_EXTERNAL_AUTH_SUPPORT={AUTO,AUTO, nil, nil}]}, AUTO}, AUTO, AUTO, AUTO, 0x0}, 0x0)
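Review bot: The capability value in the beacon head of the `NL80211_CMD_START_AP` call changes from `0xFFFF` to `0x1`, which alters what the test exercises rather than just adapting it to the longer beacon layout, and nothing in the file says why. If the intent is to advertise a single capability bit with every optional element left out, a comment above the call such as `# Beacon head: capability 0x1, all optional IEs void.` would make that explicit.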