Diffstat (limited to 'sys/linux')
-rw-r--r--sys/linux/net_80211.txt990
-rw-r--r--sys/linux/net_80211.txt.const80
-rw-r--r--sys/linux/socket_netlink_generic_80211.txt4
-rw-r--r--sys/linux/test/80211_ibss6
-rw-r--r--sys/linux/test/80211_setup_ap12
5 files changed, 1043 insertions, 49 deletions
diff --git a/sys/linux/net_80211.txt b/sys/linux/net_80211.txt
index a3bc9139f..37b5e20ba 100644
--- a/sys/linux/net_80211.txt
+++ b/sys/linux/net_80211.txt
@@ -6,7 +6,7 @@
include <linux/ieee80211.h>
-# Mac addresses of virtual wifi devices created during executor initialization
+# Mac addresses of virtual wifi devices created during executor initialization.
type ieee80211_fixed_mac_addr[LAST] {
byte0 const[0x8, int8]
byte1 const[0x2, int8]
@@ -32,7 +32,11 @@ ieee80211_mesh_id [
default array[const[0x3, int8], 6]
] [varlen]
-type ieee80211_frame array[int8]
+ieee80211_frame [
+ data_frame ieee80211_data_frame
+ mgmt_frame ieee80211_mgmt_frame
+ ctrl_frame ieee80211_ctrl_frame
+] [varlen]
ieee80211_bssid [
initial array[const[0x50, int8], 6]
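Review bot: The new `ieee80211_frame` union offers only the three typed variants, so the unstructured case that the old `array[int8]` definition produced is gone. As far as the visible variants go, the fuzzer can no longer inject frames that fail to parse as data, management or control, such as truncated headers or a reserved frame type. These malformed inputs are the ones the receive path must reject safely. Consider keeping a fallback variant in the union, for example `raw array[int8]`.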
@@ -66,7 +70,7 @@ define JOIN_IBSS_BG_NO_SCAN 0x2
join_ibss_modes = JOIN_IBSS_NO_SCAN, JOIN_IBSS_BG_SCAN, JOIN_IBSS_BG_NO_SCAN
################################################################################
-# Common fields and enums
+# Common fields and enums.
################################################################################
# As defined in drivers/net/wireless/mac80211_hwsim.c
@@ -74,11 +78,11 @@ ieee80211_channel_freq_mhz = 2412, 2417, 2422, 2427, 2432, 2437, 2442, 2447, 245
ieee80211_raw_rates = 10, 20, 55, 60, 90, 110, 120, 180, 240, 360, 480, 540
-# Combined set of 802.11 rates for 5Mhz, 10Mhz and other channel widths
-# Only rates for drivers/net/wireless/mac80211_hwsim.c are defined
+# Combined set of 802.11 rates for 5Mhz, 10Mhz and other channel widths.
+# Only rates for drivers/net/wireless/mac80211_hwsim.c are defined.
ieee80211_rate_label = 1, 2, 3, 4, 5, 6, 9, 11, 12, 18, 22, 24, 27, 36, 48, 54, 72, 96, 108
-# Rates as they are represented (see 9.4.2.3 of IEEEE 802.11-2016)
+# Rates as they are represented (see 9.4.2.3 of IEEEE 802.11-2016).
ieee80211_rate {
label flags[ieee80211_rate_label, int8:7]
mandatory int8:1
@@ -91,30 +95,27 @@ type ieee80211_beacon_interval[BASE_TYPE] [
type ieee80211_timestamp int64
-# Pseudo syscalls and initially created devices use the default frequency below
+ieee80211_assoc_id [
+ default const[0x1, int16]
+ random int16
+]
+
+# Pseudo syscalls and initially created devices use the default frequency below.
type ieee80211_frequency_mhz[BASE_TYPE] [
default const[2412, BASE_TYPE]
random flags[ieee80211_channel_freq_mhz, BASE_TYPE]
]
-# Information Element structure (see 9.4.2.1 of IEEE 802.11-2016)
-# Also see `element` struct in include/linux/ieee80211.h
-type ieee80211_generic_ie[ID_TYPE, DATA_TYPE] {
- id ID_TYPE
- len len[data, int8]
- data DATA_TYPE
-} [packed]
+# These are the channels supported by mac80211_hwsim.
+ieee80211_channels = 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 149, 153, 157, 161, 165, 169, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185
+type ieee80211_channel[BASE_TYPE] flags[ieee80211_channels, BASE_TYPE]
-ieee80211_ie [
- random ieee80211_generic_ie[int8, array[int8, 0:255]]
-] [varlen]
-
-# HT Capabilities (see 9.4.2.56 of IEEE 802.11-2016)
+# HT Capabilities (see 9.4.2.56 of IEEE 802.11-2016).
ieee80211_ht_cap_info = IEEE80211_HT_CAP_LDPC_CODING, IEEE80211_HT_CAP_SUP_WIDTH_20_40, IEEE80211_HT_CAP_SM_PS, IEEE80211_HT_CAP_SM_PS_SHIFT, IEEE80211_HT_CAP_GRN_FLD, IEEE80211_HT_CAP_SGI_20, IEEE80211_HT_CAP_SGI_40, IEEE80211_HT_CAP_TX_STBC, IEEE80211_HT_CAP_RX_STBC, IEEE80211_HT_CAP_RX_STBC_SHIFT, IEEE80211_HT_CAP_DELAY_BA, IEEE80211_HT_CAP_MAX_AMSDU, IEEE80211_HT_CAP_DSSSCCK40, IEEE80211_HT_CAP_RESERVED, IEEE80211_HT_CAP_40MHZ_INTOLERANT, IEEE80211_HT_CAP_LSIG_TXOP_PROT
ieee80211_ht_ext_cap_info = IEEE80211_HT_EXT_CAP_PCO, IEEE80211_HT_EXT_CAP_PCO_TIME, IEEE80211_HT_EXT_CAP_PCO_TIME_SHIFT, IEEE80211_HT_EXT_CAP_MCS_FB, IEEE80211_HT_EXT_CAP_MCS_FB_SHIFT, IEEE80211_HT_EXT_CAP_HTC_SUP, IEEE80211_HT_EXT_CAP_RD_RESPONDER
-# See 9.4.2.56.4 of IEEE 802.11-2016
+# See 9.4.2.56.4 of IEEE 802.11-2016.
ieee80211_mcs_info {
rx_bitmask_1 int64
rx_bitmask_2 int64:13
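Review bot: `ieee80211_assoc_id` is added without the comment that the neighbouring definitions carry, and nothing states what its two variants mean. A one-line comment above it would do, such as `# Association ID (AID): "default" pins the value to 1, "random" allows any 16-bit value.` If the restriction to 1 in `default` mirrors what the executor sets up, the comment should say so.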
@@ -125,10 +126,10 @@ ieee80211_mcs_info {
tx_rx_not_eq int64:1
max_spac_streams int64:2
uneq_modulation int64:1
- reserved_3 int64:27
+ reserved_3 const[0, int64:27]
} [packed]
-# See Fig. 9-332 of IEEE 802.11-2016
+# See Fig. 9-332 of IEEE 802.11-2016.
ieee80211_ht_cap {
cap_info flags[ieee80211_ht_cap_info, int16]
a_mpdu_exponent int8:2
@@ -140,7 +141,7 @@ ieee80211_ht_cap {
antenna_selection_info int8
} [packed]
-# VHT Capabilities (see 9.4.2.56 of IEEE 802.11-2016)
+# VHT Capabilities (see 9.4.2.56 of IEEE 802.11-2016).
ieee80211_vht_cap_info = IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_3895, IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_7991, IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454, IEEE80211_VHT_CAP_MAX_MPDU_MASK, IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ, IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ, IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_MASK, IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_SHIFT, IEEE80211_VHT_CAP_RXLDPC, IEEE80211_VHT_CAP_SHORT_GI_80, IEEE80211_VHT_CAP_SHORT_GI_160, IEEE80211_VHT_CAP_TXSTBC, IEEE80211_VHT_CAP_RXSTBC_1, IEEE80211_VHT_CAP_RXSTBC_2, IEEE80211_VHT_CAP_RXSTBC_3, IEEE80211_VHT_CAP_RXSTBC_4, IEEE80211_VHT_CAP_RXSTBC_MASK, IEEE80211_VHT_CAP_RXSTBC_SHIFT, IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE, IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE, IEEE80211_VHT_CAP_BEAMFORMEE_STS_SHIFT, IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK, IEEE80211_VHT_CAP_SOUNDING_DIMENSIONS_SHIFT, IEEE80211_VHT_CAP_SOUNDING_DIMENSIONS_MASK, IEEE80211_VHT_CAP_MU_BEAMFORMER_CAPABLE, IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE, IEEE80211_VHT_CAP_VHT_TXOP_PS, IEEE80211_VHT_CAP_HTC_VHT, IEEE80211_VHT_CAP_MAX_A_MPDU_LENGTH_EXPONENT_SHIFT, IEEE80211_VHT_CAP_MAX_A_MPDU_LENGTH_EXPONENT_MASK, IEEE80211_VHT_CAP_VHT_LINK_ADAPTATION_VHT_UNSOL_MFB, IEEE80211_VHT_CAP_VHT_LINK_ADAPTATION_VHT_MRQ_MFB, IEEE80211_VHT_CAP_RX_ANTENNA_PATTERN, IEEE80211_VHT_CAP_TX_ANTENNA_PATTERN, IEEE80211_VHT_CAP_EXT_NSS_BW_SHIFT, IEEE80211_VHT_CAP_EXT_NSS_BW_MASK
ieee80211_vht_mcs_info {
@@ -155,40 +156,76 @@ ieee80211_vht_cap {
supp_mcs ieee80211_vht_mcs_info
} [packed]
-# As defined by Table 9-45 of IEEE 802.11-2016
+# As defined by Table 9-45 of IEEE 802.11-2016.
type ieee80211_reason_code[BASE_TYPE] BASE_TYPE[0:66]
-# As defined by Table 9-46 of IEEE 802.11-2016
+# As defined by Table 9-46 of IEEE 802.11-2016.
type ieee80211_status_code[BASE_TYPE] BASE_TYPE[0:107]
-# Only NAV is supported at the moment. No CPE or PS-Poll frames
+# Only NAV is supported at the moment. No CPE or PS-Poll frames.
ieee80211_duration {
duration int16:15
nav_flag const[0, int16:1]
} [packed]
-# As defined in sect. 9.2.4.4.1 of IEEE 802.11-216
+# As defined in sect. 9.2.4.4.1 of IEEE 802.11-2016.
ieee80211_seq_control {
frag_number int16:4
seq_number int16:12
} [packed]
-# As defined by Table 9-342 of IEEE 802.11-2016
+ieee80211_block_ack_ssc {
+ fragment int16:4
+ ssn int16:12
+} [packed]
+
+# As defined by Table 9-342 of IEEE 802.11-2016.
ieee80211_tdls_action_codes = WLAN_TDLS_SETUP_REQUEST, WLAN_TDLS_SETUP_RESPONSE, WLAN_TDLS_SETUP_CONFIRM, WLAN_TDLS_TEARDOWN, WLAN_TDLS_PEER_TRAFFIC_INDICATION, WLAN_TDLS_CHANNEL_SWITCH_REQUEST, WLAN_TDLS_CHANNEL_SWITCH_RESPONSE, WLAN_TDLS_PEER_PSM_REQUEST, WLAN_TDLS_PEER_PSM_RESPONSE, WLAN_TDLS_PEER_TRAFFIC_RESPONSE, WLAN_TDLS_DISCOVERY_REQUEST
-# As defined by Table 9-131 of IEEE 802.11-2016
+# As defined by Table 9-131 of IEEE 802.11-2016.
ieee80211_cipher_suites = WLAN_CIPHER_SUITE_USE_GROUP, WLAN_CIPHER_SUITE_WEP40, WLAN_CIPHER_SUITE_TKIP, WLAN_CIPHER_SUITE_CCMP, WLAN_CIPHER_SUITE_WEP104, WLAN_CIPHER_SUITE_AES_CMAC, WLAN_CIPHER_SUITE_GCMP, WLAN_CIPHER_SUITE_GCMP_256, WLAN_CIPHER_SUITE_CCMP_256, WLAN_CIPHER_SUITE_BIP_GMAC_128, WLAN_CIPHER_SUITE_BIP_GMAC_256, WLAN_CIPHER_SUITE_BIP_CMAC_256
-# As defined by Table 9-133 of IEEE 802.11-2016
+# As defined by Table 9-133 of IEEE 802.11-2016.
ieee80211_akm_suites = WLAN_AKM_SUITE_8021X, WLAN_AKM_SUITE_PSK, WLAN_AKM_SUITE_FT_8021X, WLAN_AKM_SUITE_FT_PSK, WLAN_AKM_SUITE_8021X_SHA256, WLAN_AKM_SUITE_PSK_SHA256, WLAN_AKM_SUITE_TDLS, WLAN_AKM_SUITE_SAE, WLAN_AKM_SUITE_FT_OVER_SAE, WLAN_AKM_SUITE_AP_PEER_KEY, WLAN_AKM_SUITE_8021X_SUITE_B, WLAN_AKM_SUITE_8021X_SUITE_B_192, WLAN_AKM_SUITE_FT_8021X_SHA384, WLAN_AKM_SUITE_FILS_SHA256, WLAN_AKM_SUITE_FILS_SHA384, WLAN_AKM_SUITE_FT_FILS_SHA256, WLAN_AKM_SUITE_FT_FILS_SHA384, WLAN_AKM_SUITE_OWE, WLAN_AKM_SUITE_FT_PSK_SHA384, WLAN_AKM_SUITE_PSK_SHA384
-# Capability Information field (see sect. 9.4.1.4 of IEEE 802.11-2016)
+# Capability Information field (see sect. 9.4.1.4 of IEEE 802.11-2016).
ieee80211_capabilities = WLAN_CAPABILITY_ESS, WLAN_CAPABILITY_IBSS, WLAN_CAPABILITY_CF_POLLABLE, WLAN_CAPABILITY_CF_POLL_REQUEST, WLAN_CAPABILITY_PRIVACY, WLAN_CAPABILITY_SHORT_PREAMBLE, WLAN_CAPABILITY_PBCC, WLAN_CAPABILITY_CHANNEL_AGILITY, WLAN_CAPABILITY_SPECTRUM_MGMT, WLAN_CAPABILITY_QOS, WLAN_CAPABILITY_SHORT_SLOT_TIME, WLAN_CAPABILITY_APSD, WLAN_CAPABILITY_RADIO_MEASURE, WLAN_CAPABILITY_DSSS_OFDM, WLAN_CAPABILITY_DEL_BACK, WLAN_CAPABILITY_IMM_BACK
type ieee80211_capability[TYPE] flags[ieee80211_capabilities, TYPE]
+# QoS Control field is quite complicated (see Table 9-6 of IEEE 802.11-2016), but
+# for fuzzing purposes we don't really care about most of its bits.
+type ieee80211_qos_control[A_MSDU] {
+ tid int8:4
+ eosp int8:1
+ ack_policy int8:2
+ a_msdu const[A_MSDU, int8:1]
+ rest int8
+} [packed]
+
+type ieee80211_append_qos_control[PAYLOAD, A_MSDU] {
+ payload PAYLOAD
+ qos_control ieee80211_qos_control[A_MSDU]
+} [packed]
+
+# Operating Mode field (see sect. 9.4.1.53 of IEEE 802.11-2016).
+ieee80211_operating_mode {
+ channel_width int8:2
+ supp_160_80_80 int8:1
+ no_ldpc int8:1
+ rx_nss int8:3
+ rx_nss_type int8:1
+} [packed]
+
+# SM Power Control field (see sect. 9.4.1.23 of IEEE 802.11-2016).
+ieee80211_sm_power_control {
+ smps_enabled int8:1
+ sm_mode int8:1
+ reserver const[0, int8:6]
+} [packed]
+
#############################################
-# Basic 802.11 frame structures
+# Basic 802.11 frame structures.
#############################################
ieee80211_ht_control_80211n {
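Review bot: The padding field of `ieee80211_sm_power_control` is spelled `reserver`, while the other padding fields visible in this diff use `reserved`, `reserved2` or `reserved_3`. Renaming it to `reserved const[0, int8:6]` keeps field names searchable and consistent. `ieee80211_block_ack_ssc` is also the only struct added in this hunk without a spec-reference comment. A line naming the Block Ack Starting Sequence Control field above it would match the surrounding style.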
@@ -214,7 +251,7 @@ type ieee80211_append_ht_control[FRAME] {
ht_control ieee80211_ht_control
} [packed]
-# Generic Frame Control field
+# Generic Frame Control field.
type ieee80211_fc[TO_DS, FROM_DS, TYPE, SUBTYPE, ORDER] {
version const[0, int8:2]
type TYPE
@@ -229,14 +266,435 @@ type ieee80211_fc[TO_DS, FROM_DS, TYPE, SUBTYPE, ORDER] {
order ORDER
} [packed]
+# Control packets use a simpler version of Frame Control.
+type ieee80211_control_fc[SUBTYPE_CONST] {
+ version const[0, int8:2]
+ type const[0x1, int8:2]
+ subtype const[SUBTYPE_CONST, int8:4]
+ rest const[0, int8:6]
+} [packed]
+
+define IEEE80211_MGMT_FRAME_TYPE (IEEE80211_FTYPE_MGMT >> 2)
+define IEEE80211_DATA_FRAME_TYPE (IEEE80211_FTYPE_DATA >> 2)
+define IEEE80211_CTL_FRAME_TYPE (IEEE80211_FTYPE_CTL >> 2)
+
+############################################
+# Information Elements.
+############################################
+
+# Information Element structure (see 9.4.2.1 of IEEE 802.11-2016).
+type ieee80211_generic_ie[ID_TYPE, DATA_TYPE] {
+ id ID_TYPE
+ len len[data, int8]
+ data DATA_TYPE
+} [packed]
+
+type ieee80211_generic_ie_const[ID_VAL, DATA_TYPE] ieee80211_generic_ie[const[ID_VAL, int8], DATA_TYPE]
+
+type ieee80211_random_vendor_ie ieee80211_generic_ie_const[WLAN_EID_VENDOR_SPECIFIC, array[int8, 6:255]]
+
+# SSID Information Element (see 9.4.2.2 of IEEE 802.11-2016).
+type ieee80211_ie_ssid ieee80211_generic_ie_const[WLAN_EID_SSID, ieee80211_ssid]
+
+# SSID Information Element (see 9.4.2.3 of IEEE 802.11-2016).
+type ieee80211_ie_supported_rates ieee80211_generic_ie_const[WLAN_EID_SUPP_RATES, array[ieee80211_rate, 0:8]]
+
+# DS Parameter Set / DSSS Information Element (see 9.4.2.4 of IEEE 802.11-2016).
+type ieee80211_ie_dsss ieee80211_generic_ie_const[WLAN_EID_DS_PARAMS, ieee80211_channel[int8]]
+
+# CF Parameter Set Information Element (see 9.4.2.5 of IEEE 802.11-2016).
+ieee80211_ie_cf_payload {
+ count int8
+ period int8
+ max_duration int16
+ dur_remaining int16
+} [packed]
+
+type ieee80211_ie_cf ieee80211_generic_ie_const[WLAN_EID_CF_PARAMS, ieee80211_ie_cf_payload]
+
+# Traffic Indication Map (TIM) Information Element (see 9.4.2.6 of IEEE 802.11-2016).
+ieee80211_ie_tim_payload {
+ dtim_count int8
+ dtim_period int8[1:255]
+ bitmap_control int8
+ partial_bitmap array[int8, 0:251]
+} [packed]
+
+type ieee80211_ie_tim ieee80211_generic_ie_const[WLAN_EID_TIM, ieee80211_ie_tim_payload]
+
+# IBSS Parameter Set Information Element (see 9.4.2.7 of IEEE 802.11-2016).
+type ieee80211_ie_ibss ieee80211_generic_ie_const[WLAN_EID_IBSS_PARAMS, int16]
+
+# Challenge Text Information Element (see 9.4.2.8 of IEEE 802.11-2016).
+type ieee80211_ie_challenge ieee80211_generic_ie_const[WLAN_EID_CHALLENGE, int8[1:253]]
+
+# Extended Rate PHY (ERP) Information Element (see 9.4.2.12 of IEEE 802.11-2016).
+ieee80211_ie_erp_payload {
+ non_erp_present int8:1
+ use_protection int8:1
+ barker_preamble_mode int8:1
+ reserved const[0, int8:5]
+} [packed]
+
+type ieee80211_ie_erp ieee80211_generic_ie_const[WLAN_EID_ERP_INFO, ieee80211_ie_erp_payload]
+
+# Channel Switch Announcement Information Element (see 9.4.2.19 of IEEE 802.11-2016).
+ieee80211_ie_channel_switch_annce_payload {
+ switch_mode int8[0:1]
+ new_channel ieee80211_channel[int8]
+ switch_count int8
+} [packed]
+
+type ieee80211_ie_channel_switch ieee80211_generic_ie_const[WLAN_EID_CHANNEL_SWITCH, ieee80211_ie_channel_switch_annce_payload]
+
+# Secondary Channel Offset Information Element (see 9.4.2.20 of IEEE 802.11-2016).
+type ieee80211_ie_sec_chan_ofs ieee80211_generic_ie_const[WLAN_EID_SECONDARY_CHANNEL_OFFSET, int8[0:3]]
+
+# Measurement Request Information Element (see 9.4.2.21 of IEEE 802.11-2016).
+ieee80211_ie_measure_req_payload {
+ token int8
+ mode int8
+ type int8
+ req_details array[int8]
+} [packed]
+
+type ieee80211_ie_measure_req ieee80211_generic_ie_const[WLAN_EID_MEASURE_REQUEST, ieee80211_ie_measure_req_payload]
+
+# Fast BSS Transition element (FTE) (see 9.4.2.48 of IEEE 802.11-2016).
+ieee80211_ie_fast_bss_trans_payload {
+ mic_control_reserved int8
+ mic_element_count len[params, int8]
+ mic array[int8, 16]
+ a_nonce array[int8, 32]
+ s_nonce array[int8, 32]
+ params array[ieee80211_generic_ie[int8[1:4], array[int8, 0:40]]]
+} [packed]
+
+type ieee80211_ie_fast_bss_trans ieee80211_generic_ie_const[WLAN_EID_FAST_BSS_TRANSITION, ieee80211_ie_fast_bss_trans_payload]
+
+# Extended Channel Switch Announcement Information Element (see 9.4.2.53 of IEEE 802.11-2016).
+ieee80211_ie_ext_channel_switch_annce_payload {
+ switch_mode int8[0:1]
+ new_class int8
+ new_channel ieee80211_channel[int8]
+ switch_count int8
+} [packed]
+
+type ieee80211_ie_ext_channel_switch ieee80211_generic_ie_const[WLAN_EID_EXT_CHANSWITCH_ANN, ieee80211_ie_ext_channel_switch_annce_payload]
+
+# Management MIC Information Element (see 9.4.2.55 of IEEE 802.11-2016).
+type ieee80211_ie_mic ieee80211_generic_ie_const[WLAN_EID_MIC, ieee80211_ie_mic_payload]
+
+ieee80211_ie_mic_code [
+ short array[int8, 8]
+ long array[int8, 16]
+] [varlen]
+
+ieee80211_ie_mic_payload {
+ key_id int16[0:4095]
+ ipn array[int8, 6]
+ mic ieee80211_ie_mic_code
+} [packed]
+
+# HT Capabilities Information Element (see 9.4.2.56 of IEEE 802.11-2016).
+type ieee80211_ie_ht ieee80211_generic_ie_const[WLAN_EID_HT_CAPABILITY, ieee80211_ht_cap]
+
+# Link Identifier Information Element (see 9.4.2.62 of IEEE 802.11-2016).
+ieee80211_ie_link_id_payload {
+ bssid ieee80211_bssid
+ initiator ieee80211_mac_addr
+ responder ieee80211_mac_addr
+} [packed]
+
+type ieee80211_ie_link_id ieee80211_generic_ie_const[WLAN_EID_LINK_ID, ieee80211_ie_link_id_payload]
+
+# Channel Switch Timing Information Element (see 9.4.2.64 of IEEE 802.11-2016).
+ieee80211_ie_channel_switch_timing_payload {
+ switch_time int16
+ switch_timeout int16
+} [packed]
+
+type ieee80211_ie_channel_switch_timing ieee80211_generic_ie_const[WLAN_EID_CHAN_SWITCH_TIMING, ieee80211_ie_channel_switch_timing_payload]
+
+# Mesh Configuration Information Element (see 9.4.2.98 of IEEE 802.11-2016).
+type ieee80211_ie_mesh_config ieee80211_generic_ie_const[WLAN_EID_MESH_CONFIG, ieee80211_ie_mesh_config_payload]
+
+ieee80211_ie_mesh_config_payload {
+ psel_proto int8[-1:1]
+ psel_metric int8[-1:1]
+ cmode_id int8[-1:1]
+ syncm_id int8[-1:1]
+ auth_proto int8[-1:2]
+ mesh_info int8
+ mesh_cap flags[mesh_config_capab_flags, int8]
+} [packed]
+
+mesh_config_capab_flags = IEEE80211_MESHCONF_CAPAB_ACCEPT_PLINKS, IEEE80211_MESHCONF_CAPAB_FORWARDING, IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING, IEEE80211_MESHCONF_CAPAB_POWER_SAVE_LEVEL
+
+# Mesh Channel Switch Information Element (see 9.4.2.103 of IEEE 802.11-2016).
+ieee80211_ie_mesh_channel_switch_payload {
+ mesh_ttl int8
+ mesh_flags int8
+ mesh_reason ieee80211_reason_code[int16]
+ meash_pre_value int16
+} [packed]
+
+type ieee80211_ie_mesh_channel_switch ieee80211_generic_ie_const[WLAN_EID_CHAN_SWITCH_PARAM, ieee80211_ie_mesh_channel_switch_payload]
+
+# GCR Group Address Information Element (see 9.4.2.126 of IEEE 802.11-2016).
+type ieee80211_ie_gcr_ga ieee80211_generic_ie_const[WLAN_EID_GCR_GROUP_ADDR, ieee80211_mac_addr]
+
+# PREQ Information Element (see 9.4.2.113 of IEEE 802.11.2016).
+type ieee80211_ie_preq ieee80211_generic_ie_const[WLAN_EID_PREQ, ieee80211_ie_preq_payload]
+
+# See Figure 9-478 of IEEE 802.11-2016.
+type ieee80211_preq_flags[AE_CONST] {
+ gate_anncement int8:1
+ addr_mode int8:1
+ proactive_prep int8:1
+ reserved const[0, int8:3]
+ ae const[AE_CONST, int8:1]
+ reserved_2 const[0, int8:1]
+} [packed]
+
+# See Figure 9-479 of IEEE 802.11-2016.
+ieee80211_preq_target_flags {
+ target_only int8:1
+ reserved const[0, int8:1]
+ usn int8:1
+ reserved2 const[0, int8:5]
+} [packed]
+
+ieee80211_preq_target {
+ flags ieee80211_preq_target_flags
+ target_addr ieee80211_mac_addr
+ target_sn int32
+} [packed]
+
+type ieee80211_ie_preq_payload_generic[AE_CONST, ORIGINATOR_TYPE] {
+ flags ieee80211_preq_flags[AE_CONST]
+ hop_count int8
+ ttl int8
+ discovery_id int32
+ originator ieee80211_mac_addr
+ originator_sn int32
+ originator_ext ORIGINATOR_TYPE
+ lifetime int32
+ metric int32
+ target_count len[targets, int8]
+ targets array[ieee80211_preq_target]
+} [packed]
+
+ieee80211_ie_preq_payload [
+ ext ieee80211_ie_preq_payload_generic[1, ieee80211_mac_addr]
+ not_ext ieee80211_ie_preq_payload_generic[0, void]
+] [varlen]
+
+# PREP Information Element (see 9.4.2.113 of IEEE 802.11.2016).
+type ieee80211_ie_prep ieee80211_generic_ie_const[WLAN_EID_PREP, ieee80211_ie_prep_payload]
+
+# See Figure 9-481 and Figure 9-483 of IEEE 802.11.2016.
+type ieee80211_ae_flags[AE_CONST] {
+ reserved const[0, int8:6]
+ ae const[AE_CONST, int8:1]
+ reserved2 const[0, int8:1]
+} [packed]
+
+type ieee80211_ie_prep_payload_generic[AE_CONST, TARGET_EXT_TYPE] {
+ flags ieee80211_ae_flags[AE_CONST]
+ hop_count int8
+ ttl int8
+ target_addr ieee80211_mac_addr
+ target_sn int32
+ target_ext TARGET_EXT_TYPE
+ lifetime int32
+ metric int32
+ originator ieee80211_mac_addr
+ originator_sn int32
+} [packed]
+
+ieee80211_ie_prep_payload [
+ ext ieee80211_ie_prep_payload_generic[1, ieee80211_mac_addr]
+ not_ext ieee80211_ie_prep_payload_generic[0, void]
+] [varlen]
+
+# PERR Information Element (see 9.4.2.115 of IEEE 802.11.2016).
+type ieee80211_ie_perr ieee80211_generic_ie_const[WLAN_EID_PERR, ieee80211_ie_perr_payload]
+
+ieee80211_ie_perr_payload {
+ ttl int8
+ dest_count len[dest_list, int8]
+ dest_list array[ieee80211_ie_perr_dest, 0:19]
+} [packed]
+
+type ieee80211_ie_perr_dest_generic[AE_CONST, DEST_EXT_TYPE] {
+ flags ieee80211_ae_flags[AE_CONST]
+ dest_addr ieee80211_mac_addr
+ dest_sn int32
+ dest_ext DEST_EXT_TYPE
+ reason ieee80211_reason_code[int16]
+} [packed]
+
+ieee80211_ie_perr_dest [
+ ext ieee80211_ie_perr_dest_generic[1, ieee80211_mac_addr]
+ not_ext ieee80211_ie_perr_dest_generic[0, void]
+] [varlen]
+
+# RANN Information Element (see 9.4.2.112 of IEEE 802.11-2016).
+type ieee80211_ie_rann ieee80211_generic_ie_const[WLAN_EID_RANN, ieee80211_ie_rann_payload]
+
+# See Figure 9-476 of IEEE 802.11-2016.
+ieee80211_rann_flags {
+ gate_annce int8:1
+ reserved int8:7
+} [packed]
+
+ieee80211_ie_rann_payload {
+ flags ieee80211_rann_flags
+ hop_count int8
+ ttl int8
+ root_sta ieee80211_mac_addr
+ hwmp_seqno int32
+ interval int32
+ metric int32
+} [packed]
+
+# Mesh ID Information Element (see 9.4.2.99 of IEEE 802.11-2016).
+type ieee80211_ie_mesh_id ieee80211_generic_ie_const[WLAN_EID_MESH_ID, ieee80211_mesh_id]
+
+# Mesh Peering Management (see 9.4.2.102 of IEEE 802.11-2016).
+type ieee80211_ie_peer_mgmt ieee80211_generic_ie_const[WLAN_EID_PEER_MGMT, ieee80211_ie_peering_mgmt_payload]
+
+ieee80211_ie_peering_mgmt_payload {
+ proto_id int16[0:1]
+ local_link_id int16
+ peer_link_id optional[int16]
+ reason_code optional[ieee80211_reason_code[int16]]
+ pmk optional[array[int8, 16]]
+} [packed]
+
+# This union is not used in packet descriptions because IEs have a strictly specified order there.
+# It is only needed to feed nl80211 commands that require IEs.
+ieee80211_ie [
+ ssid ieee80211_ie_ssid
+ supported_rates ieee80211_ie_supported_rates
+ dsss ieee80211_ie_dsss
+ cf ieee80211_ie_cf
+ tim ieee80211_ie_tim
+ ibss ieee80211_ie_ibss
+ challenge ieee80211_ie_challenge
+ erp ieee80211_ie_erp
+ channel_switch ieee80211_ie_channel_switch
+ sec_chan_ofs ieee80211_ie_sec_chan_ofs
+ measure_req ieee80211_ie_measure_req
+ fast_bss_trans ieee80211_ie_fast_bss_trans
+ ext_channel_switch ieee80211_ie_ext_channel_switch
+ ht ieee80211_ie_ht
+ link_id ieee80211_ie_link_id
+ chsw_timing ieee80211_ie_channel_switch_timing
+ mesh_chsw ieee80211_ie_mesh_channel_switch
+ gcr_ga ieee80211_ie_gcr_ga
+ preq ieee80211_ie_preq
+ prep ieee80211_ie_prep
+ perr ieee80211_ie_perr
+ rann ieee80211_ie_rann
+ mesh_id ieee80211_ie_mesh_id
+ mesh_config ieee80211_ie_mesh_config
+ peer_mgmt ieee80211_ie_peer_mgmt
+ mic ieee80211_ie_mic
+ random_vendor ieee80211_random_vendor_ie
+ random ieee80211_generic_ie[int8, array[int8, 0:253]]
+] [varlen]
+
+##################################################
+# 802.11 Data frames (9.3.2 of IEEE 802.11-2016)
+##################################################
+
+# Specific 802.11 data frame headers determined by to_ds and from_ds values.
+# See Table 26 of IEEE 802.11-2016.
+
+type ieee80211_data_gen_hdr[TO, FROM, SUBTYPE, ORDER, ADDR_1, ADDR_2, ADDR_3, ADDR_4] {
+ fc ieee80211_fc[TO, FROM, const[IEEE80211_DATA_FRAME_TYPE, int8:2], SUBTYPE, ORDER]
+ duration ieee80211_duration
+ addr_1 ADDR_1
+ addr_2 ADDR_2
+ addr_3 ADDR_3
+ seqno ieee80211_seq_control
+ addr_4 ADDR_4
+} [packed]
+
+type ieee80211_msdu_header[SUBTYPE, ORDER] [
+# 00: RA = DA, TA = SA, BSSID
+ type00 ieee80211_data_gen_hdr[0, 0, SUBTYPE, ORDER, ieee80211_mac_addr, ieee80211_mac_addr, ieee80211_bssid, void]
+# 01: RA = DA, TA = BSSID, SA
+ type01 ieee80211_data_gen_hdr[0, 1, SUBTYPE, ORDER, ieee80211_mac_addr, ieee80211_bssid, ieee80211_mac_addr, void]
+# 10: RA = BSSID, TA = SA, DA
+ type10 ieee80211_data_gen_hdr[1, 0, SUBTYPE, ORDER, ieee80211_bssid, ieee80211_mac_addr, ieee80211_mac_addr, void]
+# 11: RA, TA, DA, SA
+ type11 ieee80211_data_gen_hdr[1, 1, SUBTYPE, ORDER, ieee80211_mac_addr, ieee80211_mac_addr, ieee80211_mac_addr, ieee80211_mac_addr]
+] [varlen]
+
+type ieee80211_a_msdu_header[SUBTYPE, ORDER] [
+# 00: RA = DA, TA = SA, BSSID
+ type00 ieee80211_data_gen_hdr[0, 0, SUBTYPE, ORDER, ieee80211_mac_addr, ieee80211_mac_addr, ieee80211_bssid, void]
+# 01: RA = DA, TA = BSSID, BSSID
+ type01 ieee80211_data_gen_hdr[0, 1, SUBTYPE, ORDER, ieee80211_mac_addr, ieee80211_bssid, ieee80211_bssid, void]
+# 10: RA = BSSID, TA = SA, BSSID
+ type10 ieee80211_data_gen_hdr[1, 0, SUBTYPE, ORDER, ieee80211_bssid, ieee80211_mac_addr, ieee80211_bssid, void]
+# 11: RA, TA, BSSID, SA
+ type11 ieee80211_data_gen_hdr[1, 1, SUBTYPE, ORDER, ieee80211_mac_addr, ieee80211_mac_addr, ieee80211_bssid, ieee80211_mac_addr]
+] [varlen]
+
+type ieee80211_data_frame_no_qos_hdr ieee80211_msdu_header[int8:4[0x0:0x7], int8:1]
+
+type ieee80211_data_frame_qos_hdr[ORDER] {
+ msdu ieee80211_append_qos_control[ieee80211_msdu_header[int8:4[0x8:0xf], ORDER], 0x0]
+ a_msdu ieee80211_append_qos_control[ieee80211_a_msdu_header[int8:4[0x8:0xf], ORDER], 0x1]
+} [packed]
+
+ieee80211_data_frame_hdr [
+ no_qos ieee80211_data_frame_no_qos_hdr
+ qos_no_ht ieee80211_data_frame_qos_hdr[const[0, int8:1]]
+ qos_ht ieee80211_append_ht_control[ieee80211_data_frame_qos_hdr[const[0x1, int8:1]]]
+] [varlen]
+
+ieee80211_a_msdu_subframe {
+ da ieee80211_mac_addr
+ sa ieee80211_mac_addr
+ len len[data, int16]
+ data array[int8]
+} [packed, align[4]]
+
+ieee80211_data_frame_payload [
+ random array[int8, 0:IEEE80211_MAX_DATA_LEN]
+ a_msdu array[ieee80211_a_msdu_subframe]
+] [varlen]
+
+ieee80211_data_frame {
+ header ieee80211_data_frame_hdr
+ payload ieee80211_data_frame_payload
+} [packed]
+
###############################################
# 802.11 Management frames
###############################################
+define IEEE80211_MGMT_FRAME_ASSOC_REQ (IEEE80211_STYPE_ASSOC_REQ >> 4)
+define IEEE80211_MGMT_FRAME_ASSOC_RESP (IEEE80211_STYPE_ASSOC_RESP >> 4)
+define IEEE80211_MGMT_FRAME_REASSOC_REQ (IEEE80211_STYPE_REASSOC_REQ >> 4)
+define IEEE80211_MGMT_FRAME_REASSOC_RESP (IEEE80211_STYPE_REASSOC_RESP >> 4)
+define IEEE80211_MGMT_FRAME_PROBE_REQ (IEEE80211_STYPE_PROBE_REQ >> 4)
+define IEEE80211_MGMT_FRAME_PROBE_RESP (IEEE80211_STYPE_PROBE_RESP >> 4)
define IEEE80211_MGMT_FRAME_BEACON (IEEE80211_STYPE_BEACON >> 4)
+define IEEE80211_MGMT_FRAME_ATIM (IEEE80211_STYPE_ATIM >> 4)
+define IEEE80211_MGMT_FRAME_DISASSOC (IEEE80211_STYPE_DISASSOC >> 4)
+define IEEE80211_MGMT_FRAME_AUTH (IEEE80211_STYPE_AUTH >> 4)
+define IEEE80211_MGMT_FRAME_DEAUTH (IEEE80211_STYPE_DEAUTH >> 4)
+define IEEE80211_MGMT_FRAME_ACTION (IEEE80211_STYPE_ACTION >> 4)
+define IEEE80211_MGMT_FRAME_ACTION_NOACK ((IEEE80211_STYPE_ACTION >> 4) + 1)
type ieee80211_pre_mgmt_header[SUBTYPE_CONST, ORDER_CONST] {
- fc ieee80211_fc[0, 0, const[0x0, int8:2], const[SUBTYPE_CONST, int8:4], const[ORDER_CONST, int8:1]]
+ fc ieee80211_fc[0, 0, const[IEEE80211_MGMT_FRAME_TYPE, int8:2], const[SUBTYPE_CONST, int8:4], const[ORDER_CONST, int8:1]]
duration ieee80211_duration
addr_1 ieee80211_mac_addr
addr_2 ieee80211_mac_addr
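Review bot: `ieee80211_data_frame_qos_hdr` is declared as a packed struct, so every QoS data frame is generated with the `msdu` header followed by the `a_msdu` header rather than one of the two. If they are meant as alternatives, as the sibling `ieee80211_msdu_header` union suggests, it should be a union: `type ieee80211_data_frame_qos_hdr[ORDER] [` … `] [varlen]`. Similarly, `ieee80211_ie_challenge` uses `int8[1:253]`, which is a single byte with a value range, so the element always has length 1; `array[int8, 1:253]` would describe a variable-length challenge text. The comment above `ieee80211_ie_supported_rates` still reads "SSID Information Element" and should name the Supported Rates element. The hunk ends inside `ieee80211_pre_mgmt_header`, which continues outside it.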
@@ -249,13 +707,469 @@ type ieee80211_mgmt_header[SUBTYPE_CONST] [
with_ht ieee80211_append_ht_control[ieee80211_pre_mgmt_header[SUBTYPE_CONST, 0x1]]
] [varlen]
-# Beacon frame
-# See Table 9-27 of IEEE 802.11-2016
-
+# Beacon frame (see Table 9-27 of IEEE 802.11-2016).
ieee80211_mgmt_beacon {
header ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_BEACON]
timestamp ieee80211_timestamp
beacon_interval ieee80211_beacon_interval[int16]
+ capability ieee80211_capability[int16]
+ ssid optional[ieee80211_ie_ssid]
+ supported_rates optional[ieee80211_ie_supported_rates]
+ dsss optional[ieee80211_ie_dsss]
+ cf optional[ieee80211_ie_cf]
+ ibss optional[ieee80211_ie_ibss]
+ tim optional[ieee80211_ie_tim]
+ chsw optional[ieee80211_ie_channel_switch]
+ erp optional[ieee80211_ie_erp]
+ expt_chsw optional[ieee80211_ie_ext_channel_switch]
+ ht optional[ieee80211_ie_ht]
+ mesh_id optional[ieee80211_ie_mesh_id]
+ mesh_config optional[ieee80211_ie_mesh_config]
+ mesh_chsw optional[ieee80211_ie_mesh_channel_switch]
+ vendor array[ieee80211_random_vendor_ie]
+} [packed]
+
+# Disassociation frame (see Table 9-28 of IEEE 802.11-2016).
+ieee80211_mgmt_disassoc_frame {
+ header ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_DISASSOC]
+ reason_code ieee80211_reason_code[int16]
+ mic optional[ieee80211_ie_mic]
+} [packed]
+
+# Association Request (see Table 9-29 of IEEE 802.11-2016).
+ieee80211_mgmt_assoc_req_frame {
+ header ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_ASSOC_REQ]
capabilities ieee80211_capability[int16]
-# TODO: here should be Information Elements in the order specified by Table 9-27 of IEEE 802.11-2016
+ listen_interval int16
+ ssid ieee80211_ie_ssid
+ supported_rates optional[ieee80211_ie_supported_rates]
+ ht optional[ieee80211_ie_ht]
+ vendor array[ieee80211_random_vendor_ie]
+} [packed]
+
+# Association Response (see Table 9-30 of IEEE 802.11-2016).
+ieee80211_mgmt_assoc_resp_frame {
+ header ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_ASSOC_RESP]
+ capabilities ieee80211_capability[int16]
+ status_code ieee80211_status_code[int16]
+ assoc_id ieee80211_assoc_id
+ supported_rates optional[ieee80211_ie_supported_rates]
+ ht optional[ieee80211_ie_ht]
+ vendor array[ieee80211_random_vendor_ie]
+} [packed]
+
+# Reassociation Request (see Table 9-31 of IEEE 802.11-2016).
+ieee80211_mgmt_reassoc_req_frame {
+ header ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_REASSOC_REQ]
+ capabilities ieee80211_capability[int16]
+ listen_interval int16
+ current_ap ieee80211_mac_addr
+ ssid ieee80211_ie_ssid
+ supported_rates optional[ieee80211_ie_supported_rates]
+ ht optional[ieee80211_ie_ht]
+ vendor array[ieee80211_random_vendor_ie]
+} [packed]
+
+# Reassociation Response (see Table 9-32 of IEEE 802.11-2016).
+ieee80211_mgmt_reassoc_resp_frame {
+ header ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_REASSOC_RESP]
+ capabilities ieee80211_capability[int16]
+ status_code ieee80211_status_code[int16]
+ assoc_id ieee80211_assoc_id
+ supported_rates optional[ieee80211_ie_supported_rates]
+ ht optional[ieee80211_ie_ht]
+ vendor array[ieee80211_random_vendor_ie]
+} [packed]
+
+# Probe Request (see Table 9-33 of IEEE 802.11-2016).
+ieee80211_mgmt_probe_request {
+ header ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_PROBE_REQ]
+ ssid optional[ieee80211_ie_ssid]
+ supported_rates optional[ieee80211_ie_supported_rates]
+ dsss optional[ieee80211_ie_dsss]
+ ht optional[ieee80211_ie_ht]
+ mesh_id optional[ieee80211_ie_mesh_id]
+ vendor array[ieee80211_random_vendor_ie]
+} [packed]
+
+# Probe Response (see Table 9-34 of IEEE 802.11-2016).
+ieee80211_mgmt_probe_response {
+ header ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_PROBE_RESP]
+ timestamp ieee80211_timestamp
+ beacon_interval ieee80211_beacon_interval[int16]
+ capabilities ieee80211_capability[int16]
+ ssid optional[ieee80211_ie_ssid]
+ supported_rates optional[ieee80211_ie_supported_rates]
+ dsss optional[ieee80211_ie_dsss]
+ cf optional[ieee80211_ie_cf]
+ ibss optional[ieee80211_ie_ibss]
+ ht optional[ieee80211_ie_ht]
+ mesh_id optional[ieee80211_ie_mesh_id]
+ mesh_config optional[ieee80211_ie_mesh_config]
+ vendor array[ieee80211_random_vendor_ie]
+} [packed]
+
+# Authentication (see Table 9-35 of IEEE 802.11-2016).
+ieee80211_mgmt_auth_frame {
+ header ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_AUTH]
+ algo int16[0:1]
+ trans_seq int16[0:4]
+ status ieee80211_status_code[int16]
+ challenge_tag optional[ieee80211_ie_challenge]
+ vendor array[ieee80211_random_vendor_ie]
+} [packed]
+
+# Deauthenticaiton (see Table 9-37 of IEEE 802.11-2016).
+ieee80211_mgmt_deauth_frame {
+ header ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_DEAUTH]
+ reason_code ieee80211_reason_code[int16]
+ mic optional[ieee80211_ie_mic]
+} [packed]
+
+ieee80211_mgmt_frame [
+ probe_request ieee80211_mgmt_probe_request
+ probe_response ieee80211_mgmt_probe_response
+ beacon ieee80211_mgmt_beacon
+ action ieee80211_mgmt_action
+ action_no_ack ieee80211_mgmt_action_no_ack
+ assoc_req ieee80211_mgmt_assoc_req_frame
+ assoc_resp ieee80211_mgmt_assoc_resp_frame
+ disassoc ieee80211_mgmt_disassoc_frame
+ deauth ieee80211_mgmt_deauth_frame
+ reassoc_req ieee80211_mgmt_reassoc_req_frame
+ reassoc_resp ieee80211_mgmt_reassoc_resp_frame
+ auth ieee80211_mgmt_auth_frame
+] [varlen]
+
+######################################################
+# 802.11 Management Action frames
+######################################################
+
+# This is a large group of frames, so it is placed in a separate section.
+
+type ieee80211_mgmt_action_raw[CATEGORY, ACTION, PAYLOAD_TYPE] {
+ category const[CATEGORY, int8]
+ action const[ACTION, int8]
+ payload PAYLOAD_TYPE
+} [packed]
+
+# Measurement Request (see sect. 9.6.2.2 of IEEE 802.11-2016).
+ieee80211_mgmt_action_measure_req {
+ dialog_token int8
+ ie array[ieee80211_ie_measure_req]
+} [packed]
+
+# Channel Switch Announcement (see sect. 9.6.2.6 of IEEE 802.11-2016).
+ieee80211_mgmt_action_channel_switch {
+ channel_switch ieee80211_ie_channel_switch
+ secondary optional[ieee80211_ie_sec_chan_ofs]
+ mesh optional[ieee80211_ie_mesh_channel_switch]
+} [packed]
+
+# ADDBA Request (see sect. 9.6.5.2 of IEEE 802.11-2016).
+ieee80211_mgmt_action_addba_req {
+ dialog_token int8
+ block_ack_param ieee80211_block_ack_param_set
+ timeout_value int16
+ ssc ieee80211_block_ack_ssc
+} [packed]
+
+ieee80211_block_ack_param_set {
+ amsdu_supported int16:1
+ block_ack_policy int16:1
+ tid int16:4
+ buffer_size int16:10
+} [packed]
+
+# ADDBA Response (see sect. 9.6.5.3 of IEEE 802.11-2016).
+ieee80211_mgmt_action_addba_resp {
+ dialog_token int8
+ status ieee80211_status_code[int16]
+ block_ack_param ieee80211_block_ack_param_set
+ timeout_value int16
+} [packed]
+
+# DELBA (see sect. 9.6.5.4 of IEEE 802.11-2016).
+ieee80211_mgmt_action_delba {
+ delba_params ieee80211_delba_param_set
+ reason ieee80211_reason_code[int16]
+ group_addr_ie ieee80211_ie_gcr_ga
+} [packed]
+
+ieee80211_delba_param_set {
+ reserved const[0, int16:11]
+ initiator int16:1
+ tid int16:4
+} [packed]
+
+# Extended Channel Switch Announcement (see sect. 9.6.8.7 of IEEE 802.11-2016).
+ieee80211_mgmt_action_ext_chan_switch {
+ annce_ie ieee80211_ie_ext_channel_switch_annce_payload
+ mesh_ie optional[ieee80211_ie_mesh_channel_switch]
+} [packed]
+
+# See Table 9-343 and Table 9-344 of 802.11-2016.
+type ieee80211_mgmt_action_generic_tdls_setup[ACTION, STATUS] {
+ category const[WLAN_CATEGORY_TDLS, int8]
+ action const[ACTION, int8]
+ status STATUS
+ dialog_token int8
+ capability optional[ieee80211_capability[int16]]
+ supported_rates optional[ieee80211_ie_supported_rates]
+ ht optional[ieee80211_ie_ht]
+ link_id optional[ieee80211_ie_link_id]
+} [packed]
+
+# TDLS Setup Confirm (see sect. 9.6.13.4 of IEEE 802.11-2016).
+ieee80211_mgmt_action_tdls_cfm {
+ status ieee80211_status_code[int16]
+ dialog_token int8
+} [packed]
+
+# TDLS Channel Switch Request (see sect. 9.6.13.7 of IEEE 802.11-2016).
+ieee80211_mgmt_action_tdls_chsw_req {
+ target_channel ieee80211_channel[int8]
+ operating_class int8
+ secondary optional[ieee80211_ie_sec_chan_ofs]
+ link_id ieee80211_ie_link_id
+ timing ieee80211_ie_channel_switch_timing
+} [packed]
+
+# TDLS Channel Switch Response (see sect. 9.6.13.8 of IEEE 802.11-2016).
+ieee80211_mgmt_action_tdls_chsw_resp {
+ status ieee80211_status_code[int16]
+ link_id ieee80211_ie_link_id
+ timing ieee80211_ie_channel_switch_timing
+} [packed]
+
+# TDLS Discovery Request (see sect. 9.6.13.12 of IEEE 802.11-2016).
+ieee80211_mgmt_action_tdls_disc_req {
+ dialog_token int8
+ link_id ieee80211_ie_link_id
} [packed]
+
+# TDLS Teardown (see sect. 9.6.13.5 of IEEE 802.11-2016).
+ieee80211_mgmt_action_tdls_teardown {
+ reason ieee80211_reason_code[int16]
+ fte ieee80211_ie_fast_bss_trans
+ link_id ieee80211_ie_link_id
+} [packed]
+
+# Notify Channel Width (see sect. 9.6.12.2 of IEEE 802.11-2016).
+type ieee80211_mgmt_action_notify_ch_sw int8[0:1]
+
+# Group ID Management (see sect. 9.6.23.3 of IEEE 802.11-2016).
+ieee80211_mgmt_action_group_id {
+ membership_status int64
+ user_positions array[int8, 16]
+} [packed]
+
+# Operating Mode Notification (see sect. 9.6.23.4 of IEEE 802.11-2016).
+type ieee80211_mgmt_action_op_mode_ntf ieee80211_operating_mode
+
+# HWMP Mesh Path Selection (see sect. 9.6.17.3 of IEEE 802.11-2016).
+ieee80211_mgmt_action_hwmp_path_sel {
+ preq optional[ieee80211_ie_preq]
+ prep optional[ieee80211_ie_prep]
+ perr optional[ieee80211_ie_perr]
+ rann optional[ieee80211_ie_rann]
+} [packed]
+
+# Mesh Peering Open (see sect. 9.6.16.2 of IEEE 802.11-2016).
+ieee80211_mgmt_action_mesh_peering_open {
+ capability ieee80211_capability[int16]
+ supported_rates ieee80211_ie_supported_rates
+ mesh_id optional[ieee80211_ie_mesh_id]
+ ht optional[ieee80211_ie_ht]
+} [packed]
+
+# Mesh Peering Confirm (see sect. 9.6.16.3 of IEEE 802.11-2016).
+ieee80211_mgmt_action_mesh_peering_confirm {
+ capability ieee80211_capability[int16]
+ aid ieee80211_assoc_id
+ supported_rates ieee80211_ie_supported_rates
+ mesh_id optional[ieee80211_ie_mesh_id]
+ ht optional[ieee80211_ie_ht]
+} [packed]
+
+# Mesh Peering Close (see sect. 9.6.16.4 of IEEE 802.11-2016).
+ieee80211_mgmt_action_mesh_peering_close {
+ mesh_id ieee80211_ie_mesh_id
+ mgmt ieee80211_ie_peer_mgmt
+} [packed]
+
+ieee80211_mgmt_action_payload [
+ measure_req ieee80211_mgmt_action_raw[WLAN_CATEGORY_SPECTRUM_MGMT, WLAN_ACTION_SPCT_MSR_REQ, ieee80211_mgmt_action_measure_req]
+ channel_switch ieee80211_mgmt_action_raw[WLAN_CATEGORY_SPECTRUM_MGMT, WLAN_ACTION_SPCT_CHL_SWITCH, ieee80211_mgmt_action_channel_switch]
+ addba_req ieee80211_mgmt_action_raw[WLAN_CATEGORY_BACK, WLAN_ACTION_ADDBA_REQ, ieee80211_mgmt_action_addba_req]
+ addba_resp ieee80211_mgmt_action_raw[WLAN_CATEGORY_BACK, WLAN_ACTION_ADDBA_RESP, ieee80211_mgmt_action_addba_resp]
+ delba ieee80211_mgmt_action_raw[WLAN_CATEGORY_BACK, WLAN_ACTION_DELBA, ieee80211_mgmt_action_delba]
+ ext_ch_sw ieee80211_mgmt_action_raw[WLAN_CATEGORY_PUBLIC, WLAN_PUB_ACTION_EXT_CHANSW_ANN, ieee80211_mgmt_action_ext_chan_switch]
+ ntf_ch_w ieee80211_mgmt_action_raw[WLAN_CATEGORY_HT, WLAN_HT_ACTION_NOTIFY_CHANWIDTH, ieee80211_mgmt_action_notify_ch_sw]
+ smps ieee80211_mgmt_action_raw[WLAN_CATEGORY_HT, WLAN_HT_ACTION_SMPS, ieee80211_sm_power_control]
+ sa_query_req ieee80211_mgmt_action_raw[WLAN_CATEGORY_SA_QUERY, WLAN_ACTION_SA_QUERY_REQUEST, int16]
+ tdls_setup_req ieee80211_mgmt_action_generic_tdls_setup[WLAN_TDLS_SETUP_REQUEST, void]
+ tdls_setup_resp ieee80211_mgmt_action_generic_tdls_setup[WLAN_TDLS_SETUP_RESPONSE, ieee80211_status_code[int16]]
+ tdls_setup_cfm ieee80211_mgmt_action_raw[WLAN_CATEGORY_TDLS, WLAN_TDLS_SETUP_CONFIRM, ieee80211_mgmt_action_tdls_cfm]
+ tdls_teardown ieee80211_mgmt_action_raw[WLAN_CATEGORY_TDLS, WLAN_TDLS_TEARDOWN, ieee80211_mgmt_action_tdls_teardown]
+ tdls_chsw_req ieee80211_mgmt_action_raw[WLAN_CATEGORY_TDLS, WLAN_TDLS_CHANNEL_SWITCH_REQUEST, ieee80211_mgmt_action_tdls_chsw_req]
+ tdls_chsw_resp ieee80211_mgmt_action_raw[WLAN_CATEGORY_TDLS, WLAN_TDLS_CHANNEL_SWITCH_RESPONSE, ieee80211_mgmt_action_tdls_chsw_resp]
+ tdls_disc_req ieee80211_mgmt_action_raw[WLAN_CATEGORY_TDLS, WLAN_TDLS_DISCOVERY_REQUEST, ieee80211_mgmt_action_tdls_disc_req]
+ vht_op_mode_ntf ieee80211_mgmt_action_raw[WLAN_CATEGORY_VHT, WLAN_VHT_ACTION_OPMODE_NOTIF, ieee80211_mgmt_action_op_mode_ntf]
+ vht_group_id ieee80211_mgmt_action_raw[WLAN_CATEGORY_VHT, WLAN_VHT_ACTION_GROUPID_MGMT, ieee80211_mgmt_action_group_id]
+ mesh_hwmp_psel ieee80211_mgmt_action_raw[WLAN_CATEGORY_MESH_ACTION, WLAN_MESH_ACTION_HWMP_PATH_SELECTION, ieee80211_mgmt_action_hwmp_path_sel]
+ sp_mp_open ieee80211_mgmt_action_raw[WLAN_CATEGORY_SELF_PROTECTED, WLAN_SP_MESH_PEERING_OPEN, ieee80211_mgmt_action_mesh_peering_open]
+ sp_mp_confirm ieee80211_mgmt_action_raw[WLAN_CATEGORY_SELF_PROTECTED, WLAN_SP_MESH_PEERING_CONFIRM, ieee80211_mgmt_action_mesh_peering_confirm]
+ sp_mp_close ieee80211_mgmt_action_raw[WLAN_CATEGORY_SELF_PROTECTED, WLAN_SP_MESH_PEERING_CLOSE, ieee80211_mgmt_action_mesh_peering_close]
+] [varlen]
+
+ieee80211_mgmt_action {
+ header ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_ACTION]
+ payload ieee80211_mgmt_action_payload
+} [packed]
+
+ieee80211_mgmt_action_no_ack {
+ header ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_ACTION_NOACK]
+ payload ieee80211_mgmt_action_payload
+} [packed]
+
+####################################
+# Control frames.
+####################################
+
+# For details see sect. 9.3.1 of IEEE 802.11-2016.
+
+define IEEE80211_MGMT_CTL_CTL_EXT (IEEE80211_STYPE_CTL_EXT >> 4)
+define IEEE80211_MGMT_CTL_BACK_REQ (IEEE80211_STYPE_BACK_REQ >> 4)
+define IEEE80211_MGMT_CTL_BACK (IEEE80211_STYPE_BACK >> 4)
+define IEEE80211_MGMT_CTL_PSPOLL (IEEE80211_STYPE_PSPOLL >> 4)
+define IEEE80211_MGMT_CTL_RTS (IEEE80211_STYPE_RTS >> 4)
+define IEEE80211_MGMT_CTL_CTS (IEEE80211_STYPE_CTS >> 4)
+define IEEE80211_MGMT_CTL_ACK (IEEE80211_STYPE_ACK >> 4)
+define IEEE80211_MGMT_CTL_CFEND (IEEE80211_STYPE_CFEND >> 4)
+define IEEE80211_MGMT_CTL_CFENDACK (IEEE80211_STYPE_CFENDACK >> 4)
+
+# Request to Send (RTS) frame.
+ieee80211_ctrl_rts {
+ header ieee80211_control_fc[IEEE80211_MGMT_CTL_RTS]
+ duration ieee80211_duration
+ receiver ieee80211_mac_addr
+ transmitter ieee80211_mac_addr
+} [packed]
+
+# Clear to Send (CTS) frame.
+ieee80211_ctrl_cts {
+ header ieee80211_control_fc[IEEE80211_MGMT_CTL_CTS]
+ duration ieee80211_duration
+ receiver ieee80211_mac_addr
+} [packed]
+
+# Acknowledgement (ACK) frame.
+ieee80211_ctrl_ack {
+ header ieee80211_control_fc[IEEE80211_MGMT_CTL_ACK]
+ duration ieee80211_duration
+ receiver ieee80211_mac_addr
+} [packed]
+
+# Contention-Free End (CF-End) frame.
+ieee80211_ctrl_cf_end {
+ header ieee80211_control_fc[IEEE80211_MGMT_CTL_CFEND]
+ duration ieee80211_duration
+ receiver ieee80211_mac_addr
+ bssid ieee80211_bssid
+} [packed]
+
+# CF-End & CF-Ack frame.
+ieee80211_ctrl_cf_end_cf_ack {
+ header ieee80211_control_fc[IEEE80211_MGMT_CTL_CFENDACK]
+ duration ieee80211_duration
+ receiver ieee80211_mac_addr
+ transmitter ieee80211_mac_addr
+} [packed]
+
+# Power-Save Poll (PS-Poll) frame.
+ieee80211_ctrl_pspoll {
+ header ieee80211_control_fc[IEEE80211_MGMT_CTL_PSPOLL]
+ assoc_id ieee80211_assoc_id
+ bssid ieee80211_bssid
+ transmitter ieee80211_mac_addr
+} [packed]
+
+# Block Ack Request (BAR) frame (802.11n).
+type ieee80211_ctrl_bar_control[MULTI_CONST, COMPRESSED_CONST, TID_INFO] {
+ ack_policy int8:1
+ multi_tid const[MULTI_CONST, int8:1]
+ compressed_bitmap const[COMPRESSED_CONST, int8:1]
+ reserved const[0, int16:9]
+ tid_info TID_INFO
+} [packed]
+
+type ieee80211_ctrl_bar_info[SUFFIX] {
+ tid_reserved const[0, int16:12]
+ tid_value int16:4
+ ssc ieee80211_block_ack_ssc
+ suffix SUFFIX
+} [packed]
+
+type ieee80211_ctrl_bar_simple_req[COMPRESSED] {
+ control_hdr ieee80211_ctrl_bar_control[0, COMPRESSED, int8:4]
+ ssc ieee80211_block_ack_ssc
+} [packed]
+
+ieee80211_ctrl_bar_multi {
+ control ieee80211_ctrl_bar_control[1, 1, len[ieee80211_ctrl_bar_multi:bar_info, int8:4]]
+ bar_info array[ieee80211_ctrl_bar_info[array[int8, 8]]]
+} [packed]
+
+ieee80211_ctrl_bar_any [
+ basic ieee80211_ctrl_bar_simple_req[0]
+ compressed ieee80211_ctrl_bar_simple_req[1]
+ multi ieee80211_ctrl_bar_multi
+] [varlen]
+
+ieee80211_ctrl_bar {
+ header ieee80211_control_fc[IEEE80211_MGMT_CTL_BACK_REQ]
+ duration ieee80211_duration
+ receiver ieee80211_mac_addr
+ transmitter ieee80211_mac_addr
+ payload ieee80211_ctrl_bar_any
+} [packed]
+
+# Block Ack (BA) frame (802.11n).
+type ieee80211_ctrl_ba_single[COMPRESSED, LEN] {
+ control ieee80211_ctrl_bar_control[0, COMPRESSED, int8:4]
+ ssc ieee80211_block_ack_ssc
+ ack_bitmap array[int8, LEN]
+} [packed]
+
+ieee80211_ctrl_ba_multi {
+ control ieee80211_ctrl_bar_control[1, 1, len[ieee80211_ctrl_ba_multi:tid_list, int8:4]]
+ tid_list array[ieee80211_ctrl_bar_info[array[int8, 8]]]
+# There must be TID_INFO + 1 entries, so we add an extra one.
+ extra_tid ieee80211_ctrl_bar_info[array[int8, 8]]
+} [packed]
+
+ieee80211_ctrl_ba_any [
+ basic ieee80211_ctrl_ba_single[0, 128]
+ compressed ieee80211_ctrl_ba_single[1, 8]
+ multi ieee80211_ctrl_ba_multi
+] [varlen]
+
+ieee80211_ctrl_ba {
+ header ieee80211_control_fc[IEEE80211_MGMT_CTL_BACK]
+ duration ieee80211_duration
+ receiver ieee80211_mac_addr
+ transmitter ieee80211_mac_addr
+ payload ieee80211_ctrl_ba_any
+} [packed]
+
+ieee80211_ctrl_frame [
+ rts ieee80211_ctrl_rts
+ cts ieee80211_ctrl_cts
+ ack ieee80211_ctrl_ack
+ pspoll ieee80211_ctrl_pspoll
+ bar ieee80211_ctrl_bar
+ ba ieee80211_ctrl_ba
+ cf_end ieee80211_ctrl_cf_end
+ cf_end_cf_ack ieee80211_ctrl_cf_end_cf_ack
+] [varlen]
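Review bot: `ieee80211_ctrl_bar_control` mixes bitfield base sizes (`int8:1` three times, then `int16:9`, then an `int8:4` passed in as TID_INFO), and as far as I know syzlang only packs adjacent bitfields into one storage unit when their base types have the same size. If that holds here, the BAR Control field is emitted as three separate units (four bytes) instead of the 16-bit field the widths add up to. Every BAR and BA frame built from it would then be shifted, and the kernel's Block Ack handling would mostly be exercised with misaligned input. Using `int16` for all five bitfields, including the TID_INFO arguments at the four instantiation sites, keeps them in one unit; the generated layout is worth confirming. Separately, the comment above `ieee80211_mgmt_deauth_frame` should read `# Deauthentication (see Table 9-37 of IEEE 802.11-2016).`

```syzlang
type ieee80211_ctrl_bar_control[MULTI_CONST, COMPRESSED_CONST, TID_INFO] {
	ack_policy		int16:1
	multi_tid		const[MULTI_CONST, int16:1]
	compressed_bitmap	const[COMPRESSED_CONST, int16:1]
# ... unchanged: reserved, tid_info ...

# In ieee80211_ctrl_bar_simple_req:
	control_hdr	ieee80211_ctrl_bar_control[0, COMPRESSED, int16:4]
# In ieee80211_ctrl_bar_multi:
	control		ieee80211_ctrl_bar_control[1, 1, len[ieee80211_ctrl_bar_multi:bar_info, int16:4]]
# In ieee80211_ctrl_ba_single:
	control		ieee80211_ctrl_bar_control[0, COMPRESSED, int16:4]
# In ieee80211_ctrl_ba_multi:
	control		ieee80211_ctrl_bar_control[1, 1, len[ieee80211_ctrl_ba_multi:tid_list, int16:4]]
```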
diff --git a/sys/linux/net_80211.txt.const b/sys/linux/net_80211.txt.const
index dfbc992ac..b1ee0bd05 100644
--- a/sys/linux/net_80211.txt.const
+++ b/sys/linux/net_80211.txt.const
@@ -1,5 +1,7 @@
# Code generated by syz-sysgen. DO NOT EDIT.
arches = 386, amd64, arm, arm64, mips64le, ppc64le, riscv64, s390x
+IEEE80211_CTL_FRAME_TYPE = 1
+IEEE80211_DATA_FRAME_TYPE = 2
IEEE80211_HT_CAP_40MHZ_INTOLERANT = 16384
IEEE80211_HT_CAP_DELAY_BA = 1024
IEEE80211_HT_CAP_DSSSCCK40 = 4096
@@ -23,8 +25,35 @@ IEEE80211_HT_EXT_CAP_PCO = 1
IEEE80211_HT_EXT_CAP_PCO_TIME = 6
IEEE80211_HT_EXT_CAP_PCO_TIME_SHIFT = 1
IEEE80211_HT_EXT_CAP_RD_RESPONDER = 2048
+IEEE80211_MAX_DATA_LEN = 2304
IEEE80211_MAX_SSID_LEN = 32
+IEEE80211_MESHCONF_CAPAB_ACCEPT_PLINKS = 1
+IEEE80211_MESHCONF_CAPAB_FORWARDING = 8
+IEEE80211_MESHCONF_CAPAB_POWER_SAVE_LEVEL = 64
+IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING = 32
+IEEE80211_MGMT_CTL_ACK = 13
+IEEE80211_MGMT_CTL_BACK = 9
+IEEE80211_MGMT_CTL_BACK_REQ = 8
+IEEE80211_MGMT_CTL_CFEND = 14
+IEEE80211_MGMT_CTL_CFENDACK = 15
+IEEE80211_MGMT_CTL_CTL_EXT = 6
+IEEE80211_MGMT_CTL_CTS = 12
+IEEE80211_MGMT_CTL_PSPOLL = 10
+IEEE80211_MGMT_CTL_RTS = 11
+IEEE80211_MGMT_FRAME_ACTION = 13
+IEEE80211_MGMT_FRAME_ACTION_NOACK = 14
+IEEE80211_MGMT_FRAME_ASSOC_REQ = 0
+IEEE80211_MGMT_FRAME_ASSOC_RESP = 1
+IEEE80211_MGMT_FRAME_ATIM = 9
+IEEE80211_MGMT_FRAME_AUTH = 11
IEEE80211_MGMT_FRAME_BEACON = 8
+IEEE80211_MGMT_FRAME_DEAUTH = 12
+IEEE80211_MGMT_FRAME_DISASSOC = 10
+IEEE80211_MGMT_FRAME_PROBE_REQ = 4
+IEEE80211_MGMT_FRAME_PROBE_RESP = 5
+IEEE80211_MGMT_FRAME_REASSOC_REQ = 2
+IEEE80211_MGMT_FRAME_REASSOC_RESP = 3
+IEEE80211_MGMT_FRAME_TYPE = 0
IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK = 57344
IEEE80211_VHT_CAP_BEAMFORMEE_STS_SHIFT = 13
IEEE80211_VHT_CAP_EXT_NSS_BW_MASK = 3221225472
@@ -64,6 +93,12 @@ IEEE80211_VHT_CAP_VHT_TXOP_PS = 2097152
JOIN_IBSS_BG_NO_SCAN = 2
JOIN_IBSS_BG_SCAN = 1
JOIN_IBSS_NO_SCAN = 0
+WLAN_ACTION_ADDBA_REQ = 0
+WLAN_ACTION_ADDBA_RESP = 1
+WLAN_ACTION_DELBA = 2
+WLAN_ACTION_SA_QUERY_REQUEST = 0
+WLAN_ACTION_SPCT_CHL_SWITCH = 4
+WLAN_ACTION_SPCT_MSR_REQ = 0
WLAN_AKM_SUITE_8021X = 1027073
WLAN_AKM_SUITE_8021X_SHA256 = 1027077
WLAN_AKM_SUITE_8021X_SUITE_B = 1027083
@@ -100,6 +135,15 @@ WLAN_CAPABILITY_RADIO_MEASURE = 4096
WLAN_CAPABILITY_SHORT_PREAMBLE = 32
WLAN_CAPABILITY_SHORT_SLOT_TIME = 1024
WLAN_CAPABILITY_SPECTRUM_MGMT = 256
+WLAN_CATEGORY_BACK = 3
+WLAN_CATEGORY_HT = 7
+WLAN_CATEGORY_MESH_ACTION = 13
+WLAN_CATEGORY_PUBLIC = 4
+WLAN_CATEGORY_SA_QUERY = 8
+WLAN_CATEGORY_SELF_PROTECTED = 15
+WLAN_CATEGORY_SPECTRUM_MGMT = 0
+WLAN_CATEGORY_TDLS = 12
+WLAN_CATEGORY_VHT = 21
WLAN_CIPHER_SUITE_AES_CMAC = 1027078
WLAN_CIPHER_SUITE_BIP_CMAC_256 = 1027085
WLAN_CIPHER_SUITE_BIP_GMAC_128 = 1027083
@@ -112,6 +156,40 @@ WLAN_CIPHER_SUITE_TKIP = 1027074
WLAN_CIPHER_SUITE_USE_GROUP = 1027072
WLAN_CIPHER_SUITE_WEP104 = 1027077
WLAN_CIPHER_SUITE_WEP40 = 1027073
+WLAN_EID_CF_PARAMS = 4
+WLAN_EID_CHALLENGE = 16
+WLAN_EID_CHANNEL_SWITCH = 37
+WLAN_EID_CHAN_SWITCH_PARAM = 118
+WLAN_EID_CHAN_SWITCH_TIMING = 104
+WLAN_EID_DS_PARAMS = 3
+WLAN_EID_ERP_INFO = 42
+WLAN_EID_EXT_CHANSWITCH_ANN = 60
+WLAN_EID_FAST_BSS_TRANSITION = 55
+WLAN_EID_GCR_GROUP_ADDR = 189
+WLAN_EID_HT_CAPABILITY = 45
+WLAN_EID_IBSS_PARAMS = 6
+WLAN_EID_LINK_ID = 101
+WLAN_EID_MEASURE_REQUEST = 38
+WLAN_EID_MESH_CONFIG = 113
+WLAN_EID_MESH_ID = 114
+WLAN_EID_MIC = 140
+WLAN_EID_PEER_MGMT = 117
+WLAN_EID_PERR = 132
+WLAN_EID_PREP = 131
+WLAN_EID_PREQ = 130
+WLAN_EID_RANN = 126
+WLAN_EID_SECONDARY_CHANNEL_OFFSET = 62
+WLAN_EID_SSID = 0
+WLAN_EID_SUPP_RATES = 1
+WLAN_EID_TIM = 5
+WLAN_EID_VENDOR_SPECIFIC = 221
+WLAN_HT_ACTION_NOTIFY_CHANWIDTH = 0
+WLAN_HT_ACTION_SMPS = 1
+WLAN_MESH_ACTION_HWMP_PATH_SELECTION = 1
+WLAN_PUB_ACTION_EXT_CHANSW_ANN = 4
+WLAN_SP_MESH_PEERING_CLOSE = 3
+WLAN_SP_MESH_PEERING_CONFIRM = 2
+WLAN_SP_MESH_PEERING_OPEN = 1
WLAN_TDLS_CHANNEL_SWITCH_REQUEST = 5
WLAN_TDLS_CHANNEL_SWITCH_RESPONSE = 6
WLAN_TDLS_DISCOVERY_REQUEST = 10
@@ -123,3 +201,5 @@ WLAN_TDLS_SETUP_CONFIRM = 2
WLAN_TDLS_SETUP_REQUEST = 0
WLAN_TDLS_SETUP_RESPONSE = 1
WLAN_TDLS_TEARDOWN = 3
+WLAN_VHT_ACTION_GROUPID_MGMT = 1
+WLAN_VHT_ACTION_OPMODE_NOTIF = 2
diff --git a/sys/linux/socket_netlink_generic_80211.txt b/sys/linux/socket_netlink_generic_80211.txt
index 83da3013f..64cd222a3 100644
--- a/sys/linux/socket_netlink_generic_80211.txt
+++ b/sys/linux/socket_netlink_generic_80211.txt
@@ -515,7 +515,7 @@ nl80211_scan_flags = NL80211_SCAN_FLAG_LOW_PRIORITY, NL80211_SCAN_FLAG_FLUSH, NL
nl80211_policy_scan [
NL80211_ATTR_MAC nlattr[NL80211_ATTR_MAC, ieee80211_mac_addr]
- NL80211_ATTR_IE nlattr[NL80211_ATTR_IE, array[int8, 0:IEEE80211_MAX_DATA_LEN]]
+ NL80211_ATTR_IE nlattr[NL80211_ATTR_IE, array[ieee80211_ie]]
NL80211_ATTR_SCAN_FREQUENCIES nlnest[NL80211_ATTR_SCAN_FREQUENCIES, array[nlattr[0, int32]]]
NL80211_ATTR_SCAN_SSIDS nlnest[NL80211_ATTR_SCAN_SSIDS, array[nlattr[0, ieee80211_ssid]]]
NL80211_ATTR_SCHED_SCAN_INTERVAL nlattr[NL80211_ATTR_SCHED_SCAN_INTERVAL, int32]
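Review bot: Replacing the bounded byte array with `array[ieee80211_ie]` for `NL80211_ATTR_IE` removes the only way this policy produced unstructured or truncated element data, and the array no longer carries the `0:IEEE80211_MAX_DATA_LEN` bound. The same applies to the `NL80211_ATTR_FRAME` hunk that follows in `nl80211_policy_mgmt_frame`: the `ieee80211_mgmt_frame` union added in net_80211.txt has no raw variant, so frames with inconsistent lengths are no longer generated for that attribute. Malformed input is what the kernel's element and frame parsers most need to be tested against, so I would keep a raw fallback, for example a `random array[int8, 0:IEEE80211_MAX_DATA_LEN]` variant in `ieee80211_mgmt_frame`, as `ieee80211_data_frame_payload` already has. `ieee80211_ie` is defined outside this view and may already include such a variant, and `nl80211_policy_scan` itself continues outside the hunk.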
@@ -851,7 +851,7 @@ nl80211_policy_cqm [
nl80211_policy_mgmt_frame [
chandef_params array[nl80211_policy_chandef_params]
NL80211_ATTR_DONT_WAIT_FOR_ACK nlattr[NL80211_ATTR_DONT_WAIT_FOR_ACK, void]
- NL80211_ATTR_FRAME nlattr[NL80211_ATTR_FRAME, ieee80211_frame]
+ NL80211_ATTR_FRAME nlattr[NL80211_ATTR_FRAME, ieee80211_mgmt_frame]
NL80211_ATTR_DURATION nlattr[NL80211_ATTR_DURATION, int32[NL80211_MIN_REMAIN_ON_CHANNEL_TIME:5000]]
NL80211_ATTR_OFFCHANNEL_TX_OK nlattr[NL80211_ATTR_OFFCHANNEL_TX_OK, void]
NL80211_ATTR_TX_NO_CCK_RATE nlattr[NL80211_ATTR_TX_NO_CCK_RATE, void]
diff --git a/sys/linux/test/80211_ibss b/sys/linux/test/80211_ibss
index 0bea2f5f8..cc52a509f 100644
--- a/sys/linux/test/80211_ibss
+++ b/sys/linux/test/80211_ibss
@@ -1,9 +1,9 @@
# requires: -sandbox=namespace
-# Join IBSSS network
+# Join IBSSS network.
syz_80211_join_ibss(&AUTO='wlan0\x00', &AUTO=@default_ibss_ssid, 0x6, 0x0)
-# Inject an arbitrary packet
+# Inject an arbitrary packet.
-syz_80211_inject_frame(&AUTO=@device_a, &AUTO="00112233445566778899", 0xa) \ No newline at end of file
+syz_80211_inject_frame(&AUTO=@device_a, &AUTO=@mgmt_frame=@beacon={@wo_ht={{AUTO, AUTO, AUTO, AUTO, AUTO, 0, 0, 0, 0, AUTO, 0}, {0, 0}, @device_b, @device_a, @from_mac=@device_a, {0,0}}, 0x0, @default, 0x1, @val={AUTO, AUTO, @default_ap_ssid}, @val={AUTO, AUTO, [{0x2,0x1}, {0x4,0x1}, {0xb,0x1}, {0x16,0x1}, {0x0c,0x0}, {0x12,0x0}, {0x18,0x0}, {0x24, 0x0}]}, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void, []}, AUTO)
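Review bot: The comment `# Inject an arbitrary packet.` no longer matches the call below it, which now injects a structured beacon (`@mgmt_frame=@beacon`) rather than ten raw bytes; `# Inject a beacon frame.` would describe it. The first comment also still reads `IBSSS`; since the line is being touched anyway, `# Join IBSS network.` fixes the spelling.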
diff --git a/sys/linux/test/80211_setup_ap b/sys/linux/test/80211_setup_ap
index 8e378aa8a..be18aa80c 100644
--- a/sys/linux/test/80211_setup_ap
+++ b/sys/linux/test/80211_setup_ap
@@ -1,11 +1,11 @@
r0 = socket$nl_generic(0x10, 0x3, 0x10)
-r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200)='nl80211\x00')
-ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000700)={'wlan0\x00', <r2=>0x0})
+r1 = syz_genetlink_get_family_id$nl80211(&AUTO='nl80211\x00')
+ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &AUTO={'wlan0\x00', <r2=>0x0})
-# set AP mode for wlan0
+# Set AP mode for wlan0.
-sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)={AUTO, r1, 0x5, 0x0, 0x0, {{AUTO, AUTO, AUTO}, {@val={AUTO, AUTO, r2, nil},@void}}, [@NL80211_ATTR_IFTYPE={AUTO, AUTO, 0x3, nil}]}, AUTO}, AUTO, AUTO, AUTO, 0x0}, 0x0)
+sendmsg$NL80211_CMD_SET_INTERFACE(r0, &AUTO={0x0, 0x0, &AUTO={&AUTO={AUTO, r1, 0x5, 0x0, 0x0, {{AUTO, AUTO, AUTO}, {@val={AUTO, AUTO, r2, nil},@void}}, [@NL80211_ATTR_IFTYPE={AUTO, AUTO, 0x3, nil}]}, AUTO}, AUTO, AUTO, AUTO, 0x0}, 0x0)
-# start AP at wlan0
+# Start AP at wlan0.
-sendmsg$NL80211_CMD_START_AP(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)={AUTO, r1, 0x5, 0x0, 0x0, {{AUTO, AUTO, AUTO}, {@val={AUTO, AUTO, r2, nil},@void}}, [@beacon=[@NL80211_ATTR_BEACON_HEAD={AUTO, AUTO, {@wo_ht={{AUTO, AUTO, AUTO, AUTO, AUTO, 0, 0, 0, 0, AUTO, 0}, {0, AUTO}, @broadcast, @device_a, @from_mac=@device_a, {0,0}}, 0x0, @default, 0xFFFF}, nil}], @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={AUTO,AUTO,@default, nil}], @NL80211_ATTR_BEACON_INTERVAL={AUTO, AUTO, @default, nil},@NL80211_ATTR_DTIM_PERIOD={AUTO, AUTO, 0, nil}, @NL80211_ATTR_SSID={AUTO,AUTO,@default_ap_ssid, nil}, @NL80211_ATTR_AUTH_TYPE={AUTO, AUTO, 0, nil}, @NL80211_ATTR_EXTERNAL_AUTH_SUPPORT={AUTO,AUTO, nil, nil}]}, AUTO}, AUTO, AUTO, AUTO, 0x0}, 0x0)
+sendmsg$NL80211_CMD_START_AP(r0, &AUTO={0x0, 0x0, &AUTO={&AUTO={AUTO, r1, 0x5, 0x0, 0x0, {{AUTO, AUTO, AUTO}, {@val={AUTO, AUTO, r2, nil},@void}}, [@beacon=[@NL80211_ATTR_BEACON_HEAD={AUTO, AUTO, {@wo_ht={{AUTO, AUTO, AUTO, AUTO, AUTO, 0, 0, 0, 0, AUTO, 0}, {0, AUTO}, @broadcast, @device_a, @from_mac=@device_a, {0,0}}, 0x0, @default, 0x1, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void, []}, nil}], @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={AUTO,AUTO,@default, nil}], @NL80211_ATTR_BEACON_INTERVAL={AUTO, AUTO, @default, nil},@NL80211_ATTR_DTIM_PERIOD={AUTO, AUTO, 0, nil}, @NL80211_ATTR_SSID={AUTO,AUTO,@default_ap_ssid, nil}, @NL80211_ATTR_AUTH_TYPE={AUTO, AUTO, 0, nil}, @NL80211_ATTR_EXTERNAL_AUTH_SUPPORT={AUTO,AUTO, nil, nil}]}, AUTO}, AUTO, AUTO, AUTO, 0x0}, 0x0)