1/*
2 * This is the new netlink-based wireless configuration interface.
3 *
4 * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
5 */
6
7#include <linux/if.h>
8#include <linux/module.h>
9#include <linux/err.h>
10#include <linux/slab.h>
11#include <linux/list.h>
12#include <linux/if_ether.h>
13#include <linux/ieee80211.h>
14#include <linux/nl80211.h>
15#include <linux/rtnetlink.h>
16#include <linux/netlink.h>
17#include <linux/etherdevice.h>
18#include <net/net_namespace.h>
19#include <net/genetlink.h>
20#include <net/cfg80211.h>
21#include <net/sock.h>
22#include <net/inet_connection_sock.h>
23#include "core.h"
24#include "nl80211.h"
25#include "reg.h"
26#include "rdev-ops.h"
27
28static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
29				   struct genl_info *info,
30				   struct cfg80211_crypto_settings *settings,
31				   int cipher_limit);
32
33static int nl80211_pre_doit(struct genl_ops *ops, struct sk_buff *skb,
34			    struct genl_info *info);
35static void nl80211_post_doit(struct genl_ops *ops, struct sk_buff *skb,
36			      struct genl_info *info);
37
38/* the netlink family */
39static struct genl_family nl80211_fam = {
40	.id = GENL_ID_GENERATE,	/* don't bother with a hardcoded ID */
41	.name = "nl80211",	/* have users key off the name instead */
42	.hdrsize = 0,		/* no private header */
43	.version = 1,		/* no particular meaning now */
44	.maxattr = NL80211_ATTR_MAX,
45	.netnsok = true,
46	.pre_doit = nl80211_pre_doit,
47	.post_doit = nl80211_post_doit,
48};
49
50/* returns ERR_PTR values */
51static struct wireless_dev *
52__cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
53{
54	struct cfg80211_registered_device *rdev;
55	struct wireless_dev *result = NULL;
56	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
57	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
58	u64 wdev_id;
59	int wiphy_idx = -1;
60	int ifidx = -1;
61
62	assert_cfg80211_lock();
63
64	if (!have_ifidx && !have_wdev_id)
65		return ERR_PTR(-EINVAL);
66
67	if (have_ifidx)
68		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
69	if (have_wdev_id) {
70		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
71		wiphy_idx = wdev_id >> 32;
72	}
73
74	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
75		struct wireless_dev *wdev;
76
77		if (wiphy_net(&rdev->wiphy) != netns)
78			continue;
79
80		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
81			continue;
82
83		mutex_lock(&rdev->devlist_mtx);
84		list_for_each_entry(wdev, &rdev->wdev_list, list) {
85			if (have_ifidx && wdev->netdev &&
86			    wdev->netdev->ifindex == ifidx) {
87				result = wdev;
88				break;
89			}
90			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
91				result = wdev;
92				break;
93			}
94		}
95		mutex_unlock(&rdev->devlist_mtx);
96
97		if (result)
98			break;
99	}
100
101	if (result)
102		return result;
103	return ERR_PTR(-ENODEV);
104}
105
106static struct cfg80211_registered_device *
107__cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
108{
109	struct cfg80211_registered_device *rdev = NULL, *tmp;
110	struct net_device *netdev;
111
112	assert_cfg80211_lock();
113
114	if (!attrs[NL80211_ATTR_WIPHY] &&
115	    !attrs[NL80211_ATTR_IFINDEX] &&
116	    !attrs[NL80211_ATTR_WDEV])
117		return ERR_PTR(-EINVAL);
118
119	if (attrs[NL80211_ATTR_WIPHY])
120		rdev = cfg80211_rdev_by_wiphy_idx(
121				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
122
123	if (attrs[NL80211_ATTR_WDEV]) {
124		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
125		struct wireless_dev *wdev;
126		bool found = false;
127
128		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
129		if (tmp) {
130			/* make sure wdev exists */
131			mutex_lock(&tmp->devlist_mtx);
132			list_for_each_entry(wdev, &tmp->wdev_list, list) {
133				if (wdev->identifier != (u32)wdev_id)
134					continue;
135				found = true;
136				break;
137			}
138			mutex_unlock(&tmp->devlist_mtx);
139
140			if (!found)
141				tmp = NULL;
142
143			if (rdev && tmp != rdev)
144				return ERR_PTR(-EINVAL);
145			rdev = tmp;
146		}
147	}
148
149	if (attrs[NL80211_ATTR_IFINDEX]) {
150		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
151		netdev = dev_get_by_index(netns, ifindex);
152		if (netdev) {
153			if (netdev->ieee80211_ptr)
154				tmp = wiphy_to_dev(
155						netdev->ieee80211_ptr->wiphy);
156			else
157				tmp = NULL;
158
159			dev_put(netdev);
160
161			/* not wireless device -- return error */
162			if (!tmp)
163				return ERR_PTR(-EINVAL);
164
165			/* mismatch -- return error */
166			if (rdev && tmp != rdev)
167				return ERR_PTR(-EINVAL);
168
169			rdev = tmp;
170		}
171	}
172
173	if (!rdev)
174		return ERR_PTR(-ENODEV);
175
176	if (netns != wiphy_net(&rdev->wiphy))
177		return ERR_PTR(-ENODEV);
178
179	return rdev;
180}
181
182/*
183 * This function returns a pointer to the driver
184 * that the genl_info item that is passed refers to.
185 * If successful, it returns non-NULL and also locks
186 * the driver's mutex!
187 *
188 * This means that you need to call cfg80211_unlock_rdev()
189 * before being allowed to acquire &cfg80211_mutex!
190 *
191 * This is necessary because we need to lock the global
192 * mutex to get an item off the list safely, and then
193 * we lock the rdev mutex so it doesn't go away under us.
194 *
195 * We don't want to keep cfg80211_mutex locked
196 * for all the time in order to allow requests on
197 * other interfaces to go through at the same time.
198 *
199 * The result of this can be a PTR_ERR and hence must
200 * be checked with IS_ERR() for errors.
201 */
202static struct cfg80211_registered_device *
203cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
204{
205	struct cfg80211_registered_device *rdev;
206
207	mutex_lock(&cfg80211_mutex);
208	rdev = __cfg80211_rdev_from_attrs(netns, info->attrs);
209
210	/* if it is not an error we grab the lock on
211	 * it to assure it won't be going away while
212	 * we operate on it */
213	if (!IS_ERR(rdev))
214		mutex_lock(&rdev->mtx);
215
216	mutex_unlock(&cfg80211_mutex);
217
218	return rdev;
219}
220
221/* policy for the attributes */
222static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
223	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
224	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
225				      .len = 20-1 },
226	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
227
228	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
229	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
230	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
231	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
232	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
233
234	[NL80211_ATTR_WIPHY_RETRY_SHORT] = { .type = NLA_U8 },
235	[NL80211_ATTR_WIPHY_RETRY_LONG] = { .type = NLA_U8 },
236	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
237	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
238	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
239
240	[NL80211_ATTR_IFTYPE] = { .type = NLA_U32 },
241	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
242	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
243
244	[NL80211_ATTR_MAC] = { .len = ETH_ALEN },
245	[NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },
246
247	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
248	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
249				    .len = WLAN_MAX_KEY_LEN },
250	[NL80211_ATTR_KEY_IDX] = { .type = NLA_U8 },
251	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
252	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
253	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
254	[NL80211_ATTR_KEY_TYPE] = { .type = NLA_U32 },
255
256	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
257	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
258	[NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
259				       .len = IEEE80211_MAX_DATA_LEN },
260	[NL80211_ATTR_BEACON_TAIL] = { .type = NLA_BINARY,
261				       .len = IEEE80211_MAX_DATA_LEN },
262	[NL80211_ATTR_STA_AID] = { .type = NLA_U16 },
263	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
264	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
265	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
266					       .len = NL80211_MAX_SUPP_RATES },
267	[NL80211_ATTR_STA_PLINK_ACTION] = { .type = NLA_U8 },
268	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
269	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
270	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
271				   .len = IEEE80211_MAX_MESH_ID_LEN },
272	[NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
273
274	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
275	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
276
277	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
278	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
279	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
280	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
281					   .len = NL80211_MAX_SUPP_RATES },
282	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
283
284	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
285	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
286
287	[NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
288
289	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
290	[NL80211_ATTR_IE] = { .type = NLA_BINARY,
291			      .len = IEEE80211_MAX_DATA_LEN },
292	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
293	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
294
295	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
296				.len = IEEE80211_MAX_SSID_LEN },
297	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
298	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
299	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
300	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
301	[NL80211_ATTR_USE_MFP] = { .type = NLA_U32 },
302	[NL80211_ATTR_STA_FLAGS2] = {
303		.len = sizeof(struct nl80211_sta_flag_update),
304	},
305	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
306	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
307	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
308	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
309	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
310	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
311	[NL80211_ATTR_PID] = { .type = NLA_U32 },
312	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
313	[NL80211_ATTR_PMKID] = { .type = NLA_BINARY,
314				 .len = WLAN_PMKID_LEN },
315	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
316	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
317	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
318	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
319				 .len = IEEE80211_MAX_DATA_LEN },
320	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
321	[NL80211_ATTR_PS_STATE] = { .type = NLA_U32 },
322	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
323	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
324	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
325	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
326	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
327	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
328	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
329	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
330	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
331	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
332	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
333	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
334	[NL80211_ATTR_STA_PLINK_STATE] = { .type = NLA_U8 },
335	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
336	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
337	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
338	[NL80211_ATTR_HIDDEN_SSID] = { .type = NLA_U32 },
339	[NL80211_ATTR_IE_PROBE_RESP] = { .type = NLA_BINARY,
340					 .len = IEEE80211_MAX_DATA_LEN },
341	[NL80211_ATTR_IE_ASSOC_RESP] = { .type = NLA_BINARY,
342					 .len = IEEE80211_MAX_DATA_LEN },
343	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
344	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
345	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
346	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
347	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
348	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
349	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
350	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
351	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
352	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
353				      .len = IEEE80211_MAX_DATA_LEN },
354	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
355	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
356	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
357		.len = NL80211_HT_CAPABILITY_LEN
358	},
359	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
360	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
361	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
362	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
363	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
364	[NL80211_ATTR_SAE_DATA] = { .type = NLA_BINARY, },
365	[NL80211_ATTR_VHT_CAPABILITY] = { .len = NL80211_VHT_CAPABILITY_LEN },
366	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
367	[NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
368	[NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
369	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
370	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
371	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
372	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
373	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
374	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
375	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
376		.len = NL80211_VHT_CAPABILITY_LEN,
377	},
378	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
379	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
380				  .len = IEEE80211_MAX_DATA_LEN },
381	[NL80211_ATTR_PEER_AID] = { .type = NLA_U16 },
382	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = { .type = NLA_BINARY },
383	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] = { .type = NLA_BINARY },
384	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
385	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
386	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
387};
388
389/* policy for the key attributes */
390static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
391	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
392	[NL80211_KEY_IDX] = { .type = NLA_U8 },
393	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
394	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
395	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
396	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
397	[NL80211_KEY_TYPE] = { .type = NLA_U32 },
398	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
399};
400
401/* policy for the key default flags */
402static const struct nla_policy
403nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
404	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
405	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
406};
407
408/* policy for WoWLAN attributes */
409static const struct nla_policy
410nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
411	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
412	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
413	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
414	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
415	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
416	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
417	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
418	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
419	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
420};
421
422static const struct nla_policy
423nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
424	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
425	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
426	[NL80211_WOWLAN_TCP_DST_MAC] = { .len = ETH_ALEN },
427	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
428	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
429	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = { .len = 1 },
430	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
431		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
432	},
433	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
434		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
435	},
436	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
437	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = { .len = 1 },
438	[NL80211_WOWLAN_TCP_WAKE_MASK] = { .len = 1 },
439};
440
441/* policy for GTK rekey offload attributes */
442static const struct nla_policy
443nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
444	[NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
445	[NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
446	[NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
447};
448
449static const struct nla_policy
450nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
451	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
452						 .len = IEEE80211_MAX_SSID_LEN },
453	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
454};
455
456static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
457				     struct netlink_callback *cb,
458				     struct cfg80211_registered_device **rdev,
459				     struct wireless_dev **wdev)
460{
461	int err;
462
463	rtnl_lock();
464	mutex_lock(&cfg80211_mutex);
465
466	if (!cb->args[0]) {
467		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
468				  nl80211_fam.attrbuf, nl80211_fam.maxattr,
469				  nl80211_policy);
470		if (err)
471			goto out_unlock;
472
473		*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk),
474						   nl80211_fam.attrbuf);
475		if (IS_ERR(*wdev)) {
476			err = PTR_ERR(*wdev);
477			goto out_unlock;
478		}
479		*rdev = wiphy_to_dev((*wdev)->wiphy);
480		/* 0 is the first index - add 1 to parse only once */
481		cb->args[0] = (*rdev)->wiphy_idx + 1;
482		cb->args[1] = (*wdev)->identifier;
483	} else {
484		/* subtract the 1 again here */
485		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
486		struct wireless_dev *tmp;
487
488		if (!wiphy) {
489			err = -ENODEV;
490			goto out_unlock;
491		}
492		*rdev = wiphy_to_dev(wiphy);
493		*wdev = NULL;
494
495		mutex_lock(&(*rdev)->devlist_mtx);
496		list_for_each_entry(tmp, &(*rdev)->wdev_list, list) {
497			if (tmp->identifier == cb->args[1]) {
498				*wdev = tmp;
499				break;
500			}
501		}
502		mutex_unlock(&(*rdev)->devlist_mtx);
503
504		if (!*wdev) {
505			err = -ENODEV;
506			goto out_unlock;
507		}
508	}
509
510	cfg80211_lock_rdev(*rdev);
511
512	mutex_unlock(&cfg80211_mutex);
513	return 0;
514 out_unlock:
515	mutex_unlock(&cfg80211_mutex);
516	rtnl_unlock();
517	return err;
518}
519
520static void nl80211_finish_wdev_dump(struct cfg80211_registered_device *rdev)
521{
522	cfg80211_unlock_rdev(rdev);
523	rtnl_unlock();
524}
525
526/* IE validation */
527static bool is_valid_ie_attr(const struct nlattr *attr)
528{
529	const u8 *pos;
530	int len;
531
532	if (!attr)
533		return true;
534
535	pos = nla_data(attr);
536	len = nla_len(attr);
537
538	while (len) {
539		u8 elemlen;
540
541		if (len < 2)
542			return false;
543		len -= 2;
544
545		elemlen = pos[1];
546		if (elemlen > len)
547			return false;
548
549		len -= elemlen;
550		pos += 2 + elemlen;
551	}
552
553	return true;
554}
555
556/* message building helper */
557static inline void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
558				   int flags, u8 cmd)
559{
560	/* since there is no private header just add the generic one */
561	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
562}
563
564static int nl80211_msg_put_channel(struct sk_buff *msg,
565				   struct ieee80211_channel *chan,
566				   bool large)
567{
568	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
569			chan->center_freq))
570		goto nla_put_failure;
571
572	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
573	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
574		goto nla_put_failure;
575	if ((chan->flags & IEEE80211_CHAN_PASSIVE_SCAN) &&
576	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_PASSIVE_SCAN))
577		goto nla_put_failure;
578	if ((chan->flags & IEEE80211_CHAN_NO_IBSS) &&
579	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IBSS))
580		goto nla_put_failure;
581	if (chan->flags & IEEE80211_CHAN_RADAR) {
582		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
583			goto nla_put_failure;
584		if (large) {
585			u32 time;
586
587			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
588
589			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
590					chan->dfs_state))
591				goto nla_put_failure;
592			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
593					time))
594				goto nla_put_failure;
595		}
596	}
597
598	if (large) {
599		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
600		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
601			goto nla_put_failure;
602		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
603		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
604			goto nla_put_failure;
605		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
606		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
607			goto nla_put_failure;
608		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
609		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
610			goto nla_put_failure;
611	}
612
613	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
614			DBM_TO_MBM(chan->max_power)))
615		goto nla_put_failure;
616
617	return 0;
618
619 nla_put_failure:
620	return -ENOBUFS;
621}
622
623/* netlink command implementations */
624
625struct key_parse {
626	struct key_params p;
627	int idx;
628	int type;
629	bool def, defmgmt;
630	bool def_uni, def_multi;
631};
632
633static int nl80211_parse_key_new(struct nlattr *key, struct key_parse *k)
634{
635	struct nlattr *tb[NL80211_KEY_MAX + 1];
636	int err = nla_parse_nested(tb, NL80211_KEY_MAX, key,
637				   nl80211_key_policy);
638	if (err)
639		return err;
640
641	k->def = !!tb[NL80211_KEY_DEFAULT];
642	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
643
644	if (k->def) {
645		k->def_uni = true;
646		k->def_multi = true;
647	}
648	if (k->defmgmt)
649		k->def_multi = true;
650
651	if (tb[NL80211_KEY_IDX])
652		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
653
654	if (tb[NL80211_KEY_DATA]) {
655		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
656		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
657	}
658
659	if (tb[NL80211_KEY_SEQ]) {
660		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
661		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
662	}
663
664	if (tb[NL80211_KEY_CIPHER])
665		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
666
667	if (tb[NL80211_KEY_TYPE]) {
668		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
669		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
670			return -EINVAL;
671	}
672
673	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
674		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
675		err = nla_parse_nested(kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
676				       tb[NL80211_KEY_DEFAULT_TYPES],
677				       nl80211_key_default_policy);
678		if (err)
679			return err;
680
681		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
682		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
683	}
684
685	return 0;
686}
687
688static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
689{
690	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
691		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
692		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
693	}
694
695	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
696		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
697		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
698	}
699
700	if (info->attrs[NL80211_ATTR_KEY_IDX])
701		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
702
703	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
704		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
705
706	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
707	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
708
709	if (k->def) {
710		k->def_uni = true;
711		k->def_multi = true;
712	}
713	if (k->defmgmt)
714		k->def_multi = true;
715
716	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
717		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
718		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
719			return -EINVAL;
720	}
721
722	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
723		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
724		int err = nla_parse_nested(
725				kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
726				info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
727				nl80211_key_default_policy);
728		if (err)
729			return err;
730
731		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
732		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
733	}
734
735	return 0;
736}
737
738static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
739{
740	int err;
741
742	memset(k, 0, sizeof(*k));
743	k->idx = -1;
744	k->type = -1;
745
746	if (info->attrs[NL80211_ATTR_KEY])
747		err = nl80211_parse_key_new(info->attrs[NL80211_ATTR_KEY], k);
748	else
749		err = nl80211_parse_key_old(info, k);
750
751	if (err)
752		return err;
753
754	if (k->def && k->defmgmt)
755		return -EINVAL;
756
757	if (k->defmgmt) {
758		if (k->def_uni || !k->def_multi)
759			return -EINVAL;
760	}
761
762	if (k->idx != -1) {
763		if (k->defmgmt) {
764			if (k->idx < 4 || k->idx > 5)
765				return -EINVAL;
766		} else if (k->def) {
767			if (k->idx < 0 || k->idx > 3)
768				return -EINVAL;
769		} else {
770			if (k->idx < 0 || k->idx > 5)
771				return -EINVAL;
772		}
773	}
774
775	return 0;
776}
777
778static struct cfg80211_cached_keys *
779nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
780		       struct nlattr *keys, bool *no_ht)
781{
782	struct key_parse parse;
783	struct nlattr *key;
784	struct cfg80211_cached_keys *result;
785	int rem, err, def = 0;
786
787	result = kzalloc(sizeof(*result), GFP_KERNEL);
788	if (!result)
789		return ERR_PTR(-ENOMEM);
790
791	result->def = -1;
792	result->defmgmt = -1;
793
794	nla_for_each_nested(key, keys, rem) {
795		memset(&parse, 0, sizeof(parse));
796		parse.idx = -1;
797
798		err = nl80211_parse_key_new(key, &parse);
799		if (err)
800			goto error;
801		err = -EINVAL;
802		if (!parse.p.key)
803			goto error;
804		if (parse.idx < 0 || parse.idx > 4)
805			goto error;
806		if (parse.def) {
807			if (def)
808				goto error;
809			def = 1;
810			result->def = parse.idx;
811			if (!parse.def_uni || !parse.def_multi)
812				goto error;
813		} else if (parse.defmgmt)
814			goto error;
815		err = cfg80211_validate_key_settings(rdev, &parse.p,
816						     parse.idx, false, NULL);
817		if (err)
818			goto error;
819		result->params[parse.idx].cipher = parse.p.cipher;
820		result->params[parse.idx].key_len = parse.p.key_len;
821		result->params[parse.idx].key = result->data[parse.idx];
822		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
823
824		if (parse.p.cipher == WLAN_CIPHER_SUITE_WEP40 ||
825		    parse.p.cipher == WLAN_CIPHER_SUITE_WEP104) {
826			if (no_ht)
827				*no_ht = true;
828		}
829	}
830
831	return result;
832 error:
833	kfree(result);
834	return ERR_PTR(err);
835}
836
837static int nl80211_key_allowed(struct wireless_dev *wdev)
838{
839	ASSERT_WDEV_LOCK(wdev);
840
841	switch (wdev->iftype) {
842	case NL80211_IFTYPE_AP:
843	case NL80211_IFTYPE_AP_VLAN:
844	case NL80211_IFTYPE_P2P_GO:
845	case NL80211_IFTYPE_MESH_POINT:
846		break;
847	case NL80211_IFTYPE_ADHOC:
848		if (!wdev->current_bss)
849			return -ENOLINK;
850		break;
851	case NL80211_IFTYPE_STATION:
852	case NL80211_IFTYPE_P2P_CLIENT:
853		if (wdev->sme_state != CFG80211_SME_CONNECTED)
854			return -ENOLINK;
855		break;
856	default:
857		return -EINVAL;
858	}
859
860	return 0;
861}
862
863static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
864{
865	struct nlattr *nl_modes = nla_nest_start(msg, attr);
866	int i;
867
868	if (!nl_modes)
869		goto nla_put_failure;
870
871	i = 0;
872	while (ifmodes) {
873		if ((ifmodes & 1) && nla_put_flag(msg, i))
874			goto nla_put_failure;
875		ifmodes >>= 1;
876		i++;
877	}
878
879	nla_nest_end(msg, nl_modes);
880	return 0;
881
882nla_put_failure:
883	return -ENOBUFS;
884}
885
886static int nl80211_put_iface_combinations(struct wiphy *wiphy,
887					  struct sk_buff *msg,
888					  bool large)
889{
890	struct nlattr *nl_combis;
891	int i, j;
892
893	nl_combis = nla_nest_start(msg,
894				NL80211_ATTR_INTERFACE_COMBINATIONS);
895	if (!nl_combis)
896		goto nla_put_failure;
897
898	for (i = 0; i < wiphy->n_iface_combinations; i++) {
899		const struct ieee80211_iface_combination *c;
900		struct nlattr *nl_combi, *nl_limits;
901
902		c = &wiphy->iface_combinations[i];
903
904		nl_combi = nla_nest_start(msg, i + 1);
905		if (!nl_combi)
906			goto nla_put_failure;
907
908		nl_limits = nla_nest_start(msg, NL80211_IFACE_COMB_LIMITS);
909		if (!nl_limits)
910			goto nla_put_failure;
911
912		for (j = 0; j < c->n_limits; j++) {
913			struct nlattr *nl_limit;
914
915			nl_limit = nla_nest_start(msg, j + 1);
916			if (!nl_limit)
917				goto nla_put_failure;
918			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
919					c->limits[j].max))
920				goto nla_put_failure;
921			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
922						c->limits[j].types))
923				goto nla_put_failure;
924			nla_nest_end(msg, nl_limit);
925		}
926
927		nla_nest_end(msg, nl_limits);
928
929		if (c->beacon_int_infra_match &&
930		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
931			goto nla_put_failure;
932		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
933				c->num_different_channels) ||
934		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
935				c->max_interfaces))
936			goto nla_put_failure;
937		if (large &&
938		    nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
939				c->radar_detect_widths))
940			goto nla_put_failure;
941
942		nla_nest_end(msg, nl_combi);
943	}
944
945	nla_nest_end(msg, nl_combis);
946
947	return 0;
948nla_put_failure:
949	return -ENOBUFS;
950}
951
952#ifdef CONFIG_PM
953static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
954					struct sk_buff *msg)
955{
956	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan.tcp;
957	struct nlattr *nl_tcp;
958
959	if (!tcp)
960		return 0;
961
962	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
963	if (!nl_tcp)
964		return -ENOBUFS;
965
966	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
967			tcp->data_payload_max))
968		return -ENOBUFS;
969
970	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
971			tcp->data_payload_max))
972		return -ENOBUFS;
973
974	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
975		return -ENOBUFS;
976
977	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
978				sizeof(*tcp->tok), tcp->tok))
979		return -ENOBUFS;
980
981	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
982			tcp->data_interval_max))
983		return -ENOBUFS;
984
985	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
986			tcp->wake_payload_max))
987		return -ENOBUFS;
988
989	nla_nest_end(msg, nl_tcp);
990	return 0;
991}
992
993static int nl80211_send_wowlan(struct sk_buff *msg,
994			       struct cfg80211_registered_device *dev,
995			       bool large)
996{
997	struct nlattr *nl_wowlan;
998
999	if (!dev->wiphy.wowlan.flags && !dev->wiphy.wowlan.n_patterns)
1000		return 0;
1001
1002	nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1003	if (!nl_wowlan)
1004		return -ENOBUFS;
1005
1006	if (((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_ANY) &&
1007	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1008	    ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_DISCONNECT) &&
1009	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1010	    ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1011	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1012	    ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1013	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1014	    ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1015	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1016	    ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1017	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1018	    ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1019	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1020	    ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1021	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1022		return -ENOBUFS;
1023
1024	if (dev->wiphy.wowlan.n_patterns) {
1025		struct nl80211_wowlan_pattern_support pat = {
1026			.max_patterns = dev->wiphy.wowlan.n_patterns,
1027			.min_pattern_len = dev->wiphy.wowlan.pattern_min_len,
1028			.max_pattern_len = dev->wiphy.wowlan.pattern_max_len,
1029			.max_pkt_offset = dev->wiphy.wowlan.max_pkt_offset,
1030		};
1031
1032		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1033			    sizeof(pat), &pat))
1034			return -ENOBUFS;
1035	}
1036
1037	if (large && nl80211_send_wowlan_tcp_caps(dev, msg))
1038		return -ENOBUFS;
1039
1040	nla_nest_end(msg, nl_wowlan);
1041
1042	return 0;
1043}
1044#endif
1045
1046static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1047				      struct ieee80211_supported_band *sband)
1048{
1049	struct nlattr *nl_rates, *nl_rate;
1050	struct ieee80211_rate *rate;
1051	int i;
1052
1053	/* add HT info */
1054	if (sband->ht_cap.ht_supported &&
1055	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1056		     sizeof(sband->ht_cap.mcs),
1057		     &sband->ht_cap.mcs) ||
1058	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1059			 sband->ht_cap.cap) ||
1060	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1061			sband->ht_cap.ampdu_factor) ||
1062	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1063			sband->ht_cap.ampdu_density)))
1064		return -ENOBUFS;
1065
1066	/* add VHT info */
1067	if (sband->vht_cap.vht_supported &&
1068	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1069		     sizeof(sband->vht_cap.vht_mcs),
1070		     &sband->vht_cap.vht_mcs) ||
1071	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1072			 sband->vht_cap.cap)))
1073		return -ENOBUFS;
1074
1075	/* add bitrates */
1076	nl_rates = nla_nest_start(msg, NL80211_BAND_ATTR_RATES);
1077	if (!nl_rates)
1078		return -ENOBUFS;
1079
1080	for (i = 0; i < sband->n_bitrates; i++) {
1081		nl_rate = nla_nest_start(msg, i);
1082		if (!nl_rate)
1083			return -ENOBUFS;
1084
1085		rate = &sband->bitrates[i];
1086		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1087				rate->bitrate))
1088			return -ENOBUFS;
1089		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1090		    nla_put_flag(msg,
1091				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1092			return -ENOBUFS;
1093
1094		nla_nest_end(msg, nl_rate);
1095	}
1096
1097	nla_nest_end(msg, nl_rates);
1098
1099	return 0;
1100}
1101
1102static int
1103nl80211_send_mgmt_stypes(struct sk_buff *msg,
1104			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1105{
1106	u16 stypes;
1107	struct nlattr *nl_ftypes, *nl_ifs;
1108	enum nl80211_iftype ift;
1109	int i;
1110
1111	if (!mgmt_stypes)
1112		return 0;
1113
1114	nl_ifs = nla_nest_start(msg, NL80211_ATTR_TX_FRAME_TYPES);
1115	if (!nl_ifs)
1116		return -ENOBUFS;
1117
1118	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1119		nl_ftypes = nla_nest_start(msg, ift);
1120		if (!nl_ftypes)
1121			return -ENOBUFS;
1122		i = 0;
1123		stypes = mgmt_stypes[ift].tx;
1124		while (stypes) {
1125			if ((stypes & 1) &&
1126			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1127					(i << 4) | IEEE80211_FTYPE_MGMT))
1128				return -ENOBUFS;
1129			stypes >>= 1;
1130			i++;
1131		}
1132		nla_nest_end(msg, nl_ftypes);
1133	}
1134
1135	nla_nest_end(msg, nl_ifs);
1136
1137	nl_ifs = nla_nest_start(msg, NL80211_ATTR_RX_FRAME_TYPES);
1138	if (!nl_ifs)
1139		return -ENOBUFS;
1140
1141	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1142		nl_ftypes = nla_nest_start(msg, ift);
1143		if (!nl_ftypes)
1144			return -ENOBUFS;
1145		i = 0;
1146		stypes = mgmt_stypes[ift].rx;
1147		while (stypes) {
1148			if ((stypes & 1) &&
1149			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1150					(i << 4) | IEEE80211_FTYPE_MGMT))
1151				return -ENOBUFS;
1152			stypes >>= 1;
1153			i++;
1154		}
1155		nla_nest_end(msg, nl_ftypes);
1156	}
1157	nla_nest_end(msg, nl_ifs);
1158
1159	return 0;
1160}
1161
1162static int nl80211_send_wiphy(struct cfg80211_registered_device *dev,
1163			      struct sk_buff *msg, u32 portid, u32 seq,
1164			      int flags, bool split, long *split_start,
1165			      long *band_start, long *chan_start)
1166{
1167	void *hdr;
1168	struct nlattr *nl_bands, *nl_band;
1169	struct nlattr *nl_freqs, *nl_freq;
1170	struct nlattr *nl_cmds;
1171	enum ieee80211_band band;
1172	struct ieee80211_channel *chan;
1173	int i;
1174	const struct ieee80211_txrx_stypes *mgmt_stypes =
1175				dev->wiphy.mgmt_stypes;
1176	long start = 0, start_chan = 0, start_band = 0;
1177	u32 features;
1178
1179	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_WIPHY);
1180	if (!hdr)
1181		return -ENOBUFS;
1182
1183	/* allow always using the variables */
1184	if (!split) {
1185		split_start = &start;
1186		band_start = &start_band;
1187		chan_start = &start_chan;
1188	}
1189
1190	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, dev->wiphy_idx) ||
1191	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
1192			   wiphy_name(&dev->wiphy)) ||
1193	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
1194			cfg80211_rdev_list_generation))
1195		goto nla_put_failure;
1196
1197	switch (*split_start) {
1198	case 0:
1199		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
1200			       dev->wiphy.retry_short) ||
1201		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
1202			       dev->wiphy.retry_long) ||
1203		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
1204				dev->wiphy.frag_threshold) ||
1205		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
1206				dev->wiphy.rts_threshold) ||
1207		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
1208			       dev->wiphy.coverage_class) ||
1209		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
1210			       dev->wiphy.max_scan_ssids) ||
1211		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
1212			       dev->wiphy.max_sched_scan_ssids) ||
1213		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
1214				dev->wiphy.max_scan_ie_len) ||
1215		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
1216				dev->wiphy.max_sched_scan_ie_len) ||
1217		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
1218			       dev->wiphy.max_match_sets))
1219			goto nla_put_failure;
1220
1221		if ((dev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
1222		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
1223			goto nla_put_failure;
1224		if ((dev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
1225		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
1226			goto nla_put_failure;
1227		if ((dev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
1228		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
1229			goto nla_put_failure;
1230		if ((dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
1231		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
1232			goto nla_put_failure;
1233		if ((dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
1234		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
1235			goto nla_put_failure;
1236		if ((dev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
1237		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
1238			goto nla_put_failure;
1239
1240		(*split_start)++;
1241		if (split)
1242			break;
1243	case 1:
1244		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
1245			    sizeof(u32) * dev->wiphy.n_cipher_suites,
1246			    dev->wiphy.cipher_suites))
1247			goto nla_put_failure;
1248
1249		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
1250			       dev->wiphy.max_num_pmkids))
1251			goto nla_put_failure;
1252
1253		if ((dev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
1254		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
1255			goto nla_put_failure;
1256
1257		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
1258				dev->wiphy.available_antennas_tx) ||
1259		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
1260				dev->wiphy.available_antennas_rx))
1261			goto nla_put_failure;
1262
1263		if ((dev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
1264		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
1265				dev->wiphy.probe_resp_offload))
1266			goto nla_put_failure;
1267
1268		if ((dev->wiphy.available_antennas_tx ||
1269		     dev->wiphy.available_antennas_rx) &&
1270		    dev->ops->get_antenna) {
1271			u32 tx_ant = 0, rx_ant = 0;
1272			int res;
1273			res = rdev_get_antenna(dev, &tx_ant, &rx_ant);
1274			if (!res) {
1275				if (nla_put_u32(msg,
1276						NL80211_ATTR_WIPHY_ANTENNA_TX,
1277						tx_ant) ||
1278				    nla_put_u32(msg,
1279						NL80211_ATTR_WIPHY_ANTENNA_RX,
1280						rx_ant))
1281					goto nla_put_failure;
1282			}
1283		}
1284
1285		(*split_start)++;
1286		if (split)
1287			break;
1288	case 2:
1289		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
1290					dev->wiphy.interface_modes))
1291				goto nla_put_failure;
1292		(*split_start)++;
1293		if (split)
1294			break;
1295	case 3:
1296		nl_bands = nla_nest_start(msg, NL80211_ATTR_WIPHY_BANDS);
1297		if (!nl_bands)
1298			goto nla_put_failure;
1299
1300		for (band = *band_start; band < IEEE80211_NUM_BANDS; band++) {
1301			struct ieee80211_supported_band *sband;
1302
1303			sband = dev->wiphy.bands[band];
1304
1305			if (!sband)
1306				continue;
1307
1308			nl_band = nla_nest_start(msg, band);
1309			if (!nl_band)
1310				goto nla_put_failure;
1311
1312			switch (*chan_start) {
1313			case 0:
1314				if (nl80211_send_band_rateinfo(msg, sband))
1315					goto nla_put_failure;
1316				(*chan_start)++;
1317				if (split)
1318					break;
1319			default:
1320				/* add frequencies */
1321				nl_freqs = nla_nest_start(
1322					msg, NL80211_BAND_ATTR_FREQS);
1323				if (!nl_freqs)
1324					goto nla_put_failure;
1325
1326				for (i = *chan_start - 1;
1327				     i < sband->n_channels;
1328				     i++) {
1329					nl_freq = nla_nest_start(msg, i);
1330					if (!nl_freq)
1331						goto nla_put_failure;
1332
1333					chan = &sband->channels[i];
1334
1335					if (nl80211_msg_put_channel(msg, chan,
1336								    split))
1337						goto nla_put_failure;
1338
1339					nla_nest_end(msg, nl_freq);
1340					if (split)
1341						break;
1342				}
1343				if (i < sband->n_channels)
1344					*chan_start = i + 2;
1345				else
1346					*chan_start = 0;
1347				nla_nest_end(msg, nl_freqs);
1348			}
1349
1350			nla_nest_end(msg, nl_band);
1351
1352			if (split) {
1353				/* start again here */
1354				if (*chan_start)
1355					band--;
1356				break;
1357			}
1358		}
1359		nla_nest_end(msg, nl_bands);
1360
1361		if (band < IEEE80211_NUM_BANDS)
1362			*band_start = band + 1;
1363		else
1364			*band_start = 0;
1365
1366		/* if bands & channels are done, continue outside */
1367		if (*band_start == 0 && *chan_start == 0)
1368			(*split_start)++;
1369		if (split)
1370			break;
1371	case 4:
1372		nl_cmds = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_COMMANDS);
1373		if (!nl_cmds)
1374			goto nla_put_failure;
1375
1376		i = 0;
1377#define CMD(op, n)							\
1378		 do {							\
1379			if (dev->ops->op) {				\
1380				i++;					\
1381				if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) \
1382					goto nla_put_failure;		\
1383			}						\
1384		} while (0)
1385
1386		CMD(add_virtual_intf, NEW_INTERFACE);
1387		CMD(change_virtual_intf, SET_INTERFACE);
1388		CMD(add_key, NEW_KEY);
1389		CMD(start_ap, START_AP);
1390		CMD(add_station, NEW_STATION);
1391		CMD(add_mpath, NEW_MPATH);
1392		CMD(update_mesh_config, SET_MESH_CONFIG);
1393		CMD(change_bss, SET_BSS);
1394		CMD(auth, AUTHENTICATE);
1395		CMD(assoc, ASSOCIATE);
1396		CMD(deauth, DEAUTHENTICATE);
1397		CMD(disassoc, DISASSOCIATE);
1398		CMD(join_ibss, JOIN_IBSS);
1399		CMD(join_mesh, JOIN_MESH);
1400		CMD(set_pmksa, SET_PMKSA);
1401		CMD(del_pmksa, DEL_PMKSA);
1402		CMD(flush_pmksa, FLUSH_PMKSA);
1403		if (dev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1404			CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1405		CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1406		CMD(mgmt_tx, FRAME);
1407		CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1408		if (dev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1409			i++;
1410			if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1411				goto nla_put_failure;
1412		}
1413		if (dev->ops->set_monitor_channel || dev->ops->start_ap ||
1414		    dev->ops->join_mesh) {
1415			i++;
1416			if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1417				goto nla_put_failure;
1418		}
1419		CMD(set_wds_peer, SET_WDS_PEER);
1420		if (dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1421			CMD(tdls_mgmt, TDLS_MGMT);
1422			CMD(tdls_oper, TDLS_OPER);
1423		}
1424		if (dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
1425			CMD(sched_scan_start, START_SCHED_SCAN);
1426		CMD(probe_client, PROBE_CLIENT);
1427		CMD(set_noack_map, SET_NOACK_MAP);
1428		if (dev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1429			i++;
1430			if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1431				goto nla_put_failure;
1432		}
1433		CMD(start_p2p_device, START_P2P_DEVICE);
1434		CMD(set_mcast_rate, SET_MCAST_RATE);
1435		if (split) {
1436			CMD(crit_proto_start, CRIT_PROTOCOL_START);
1437			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
1438		}
1439
1440#ifdef CONFIG_NL80211_TESTMODE
1441		CMD(testmode_cmd, TESTMODE);
1442#endif
1443
1444#undef CMD
1445
1446		if (dev->ops->connect || dev->ops->auth) {
1447			i++;
1448			if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1449				goto nla_put_failure;
1450		}
1451
1452		if (dev->ops->disconnect || dev->ops->deauth) {
1453			i++;
1454			if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1455				goto nla_put_failure;
1456		}
1457
1458		nla_nest_end(msg, nl_cmds);
1459		(*split_start)++;
1460		if (split)
1461			break;
1462	case 5:
1463		if (dev->ops->remain_on_channel &&
1464		    (dev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
1465		    nla_put_u32(msg,
1466				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
1467				dev->wiphy.max_remain_on_channel_duration))
1468			goto nla_put_failure;
1469
1470		if ((dev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
1471		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
1472			goto nla_put_failure;
1473
1474		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
1475			goto nla_put_failure;
1476		(*split_start)++;
1477		if (split)
1478			break;
1479	case 6:
1480#ifdef CONFIG_PM
1481		if (nl80211_send_wowlan(msg, dev, split))
1482			goto nla_put_failure;
1483		(*split_start)++;
1484		if (split)
1485			break;
1486#else
1487		(*split_start)++;
1488#endif
1489	case 7:
1490		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
1491					dev->wiphy.software_iftypes))
1492			goto nla_put_failure;
1493
1494		if (nl80211_put_iface_combinations(&dev->wiphy, msg, split))
1495			goto nla_put_failure;
1496
1497		(*split_start)++;
1498		if (split)
1499			break;
1500	case 8:
1501		if ((dev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
1502		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
1503				dev->wiphy.ap_sme_capa))
1504			goto nla_put_failure;
1505
1506		features = dev->wiphy.features;
1507		/*
1508		 * We can only add the per-channel limit information if the
1509		 * dump is split, otherwise it makes it too big. Therefore
1510		 * only advertise it in that case.
1511		 */
1512		if (split)
1513			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
1514		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
1515			goto nla_put_failure;
1516
1517		if (dev->wiphy.ht_capa_mod_mask &&
1518		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
1519			    sizeof(*dev->wiphy.ht_capa_mod_mask),
1520			    dev->wiphy.ht_capa_mod_mask))
1521			goto nla_put_failure;
1522
1523		if (dev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
1524		    dev->wiphy.max_acl_mac_addrs &&
1525		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
1526				dev->wiphy.max_acl_mac_addrs))
1527			goto nla_put_failure;
1528
1529		if (dev->wiphy.n_vendor_commands) {
1530			const struct nl80211_vendor_cmd_info *info;
1531			struct nlattr *nested;
1532
1533			nested = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
1534			if (!nested)
1535				goto nla_put_failure;
1536
1537			for (i = 0; i < dev->wiphy.n_vendor_commands; i++) {
1538				info = &dev->wiphy.vendor_commands[i].info;
1539				if (nla_put(msg, i + 1, sizeof(*info), info))
1540					goto nla_put_failure;
1541			}
1542				nla_nest_end(msg, nested);
1543		}
1544
1545		if (dev->wiphy.n_vendor_events) {
1546			const struct nl80211_vendor_cmd_info *info;
1547			struct nlattr *nested;
1548
1549			nested = nla_nest_start(msg,
1550				NL80211_ATTR_VENDOR_EVENTS);
1551			if (!nested)
1552				goto nla_put_failure;
1553
1554			for (i = 0; i < dev->wiphy.n_vendor_events; i++) {
1555				info = &dev->wiphy.vendor_events[i];
1556				if (nla_put(msg, i + 1, sizeof(*info), info))
1557					goto nla_put_failure;
1558			}
1559			nla_nest_end(msg, nested);
1560		}
1561
1562		/*
1563		 * Any information below this point is only available to
1564		 * applications that can deal with it being split. This
1565		 * helps ensure that newly added capabilities don't break
1566		 * older tools by overrunning their buffers.
1567		 *
1568		 * We still increment split_start so that in the split
1569		 * case we'll continue with more data in the next round,
1570		 * but break unconditionally so unsplit data stops here.
1571		 */
1572		(*split_start)++;
1573		break;
1574	case 9:
1575		if (dev->wiphy.extended_capabilities &&
1576		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
1577			     dev->wiphy.extended_capabilities_len,
1578			     dev->wiphy.extended_capabilities) ||
1579		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
1580			     dev->wiphy.extended_capabilities_len,
1581			     dev->wiphy.extended_capabilities_mask)))
1582			goto nla_put_failure;
1583
1584		if (dev->wiphy.vht_capa_mod_mask &&
1585		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
1586			    sizeof(*dev->wiphy.vht_capa_mod_mask),
1587			    dev->wiphy.vht_capa_mod_mask))
1588			goto nla_put_failure;
1589
1590		/* done */
1591		*split_start = 0;
1592		break;
1593	}
1594	return genlmsg_end(msg, hdr);
1595
1596 nla_put_failure:
1597	genlmsg_cancel(msg, hdr);
1598	return -EMSGSIZE;
1599}
1600
1601static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
1602{
1603	int idx = 0, ret;
1604	int start = cb->args[0];
1605	struct cfg80211_registered_device *dev;
1606	s64 filter_wiphy = -1;
1607	bool split = false;
1608	struct nlattr **tb;
1609	int res;
1610
1611	/* will be zeroed in nlmsg_parse() */
1612	tb = kmalloc(sizeof(*tb) * (NL80211_ATTR_MAX + 1), GFP_KERNEL);
1613	if (!tb)
1614		return -ENOMEM;
1615
1616	mutex_lock(&cfg80211_mutex);
1617	res = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
1618			  tb, NL80211_ATTR_MAX, nl80211_policy);
1619	if (res == 0) {
1620		split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
1621		if (tb[NL80211_ATTR_WIPHY])
1622			filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
1623		if (tb[NL80211_ATTR_WDEV])
1624			filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
1625		if (tb[NL80211_ATTR_IFINDEX]) {
1626			struct net_device *netdev;
1627			int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
1628
1629			netdev = dev_get_by_index(sock_net(skb->sk), ifidx);
1630			if (!netdev) {
1631				mutex_unlock(&cfg80211_mutex);
1632				kfree(tb);
1633				return -ENODEV;
1634			}
1635			if (netdev->ieee80211_ptr) {
1636				dev = wiphy_to_dev(
1637					netdev->ieee80211_ptr->wiphy);
1638				filter_wiphy = dev->wiphy_idx;
1639			}
1640			dev_put(netdev);
1641		}
1642	}
1643	kfree(tb);
1644
1645	list_for_each_entry(dev, &cfg80211_rdev_list, list) {
1646		if (!net_eq(wiphy_net(&dev->wiphy), sock_net(skb->sk)))
1647			continue;
1648		if (++idx <= start)
1649			continue;
1650		if (filter_wiphy != -1 && dev->wiphy_idx != filter_wiphy)
1651			continue;
1652		/* attempt to fit multiple wiphy data chunks into the skb */
1653		do {
1654			ret = nl80211_send_wiphy(dev, skb,
1655						 NETLINK_CB(cb->skb).portid,
1656						 cb->nlh->nlmsg_seq,
1657						 NLM_F_MULTI,
1658						 split, &cb->args[1],
1659						 &cb->args[2],
1660						 &cb->args[3]);
1661			if (ret < 0) {
1662				/*
1663				 * If sending the wiphy data didn't fit (ENOBUFS
1664				 * or EMSGSIZE returned), this SKB is still
1665				 * empty (so it's not too big because another
1666				 * wiphy dataset is already in the skb) and
1667				 * we've not tried to adjust the dump allocation
1668				 * yet ... then adjust the alloc size to be
1669				 * bigger, and return 1 but with the empty skb.
1670				 * This results in an empty message being RX'ed
1671				 * in userspace, but that is ignored.
1672				 *
1673				 * We can then retry with the larger buffer.
1674				 */
1675				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
1676				    !skb->len &&
1677				    cb->min_dump_alloc < 4096) {
1678					cb->min_dump_alloc = 4096;
1679					mutex_unlock(&cfg80211_mutex);
1680					return 1;
1681				}
1682				idx--;
1683				break;
1684			}
1685		} while (cb->args[1] > 0);
1686		break;
1687	}
1688	mutex_unlock(&cfg80211_mutex);
1689
1690	cb->args[0] = idx;
1691
1692	return skb->len;
1693}
1694
1695static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
1696{
1697	struct sk_buff *msg;
1698	struct cfg80211_registered_device *dev = info->user_ptr[0];
1699
1700	msg = nlmsg_new(4096, GFP_KERNEL);
1701	if (!msg)
1702		return -ENOMEM;
1703
1704	if (nl80211_send_wiphy(dev, msg, info->snd_portid, info->snd_seq, 0,
1705			       false, NULL, NULL, NULL) < 0) {
1706		nlmsg_free(msg);
1707		return -ENOBUFS;
1708	}
1709
1710	return genlmsg_reply(msg, info);
1711}
1712
1713static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
1714	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
1715	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
1716	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
1717	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
1718	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
1719};
1720
1721static int parse_txq_params(struct nlattr *tb[],
1722			    struct ieee80211_txq_params *txq_params)
1723{
1724	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
1725	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
1726	    !tb[NL80211_TXQ_ATTR_AIFS])
1727		return -EINVAL;
1728
1729	txq_params->ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
1730	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
1731	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
1732	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
1733	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
1734
1735	if (txq_params->ac >= NL80211_NUM_ACS)
1736		return -EINVAL;
1737
1738	return 0;
1739}
1740
1741static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
1742{
1743	/*
1744	 * You can only set the channel explicitly for WDS interfaces,
1745	 * all others have their channel managed via their respective
1746	 * "establish a connection" command (connect, join, ...)
1747	 *
1748	 * For AP/GO and mesh mode, the channel can be set with the
1749	 * channel userspace API, but is only stored and passed to the
1750	 * low-level driver when the AP starts or the mesh is joined.
1751	 * This is for backward compatibility, userspace can also give
1752	 * the channel in the start-ap or join-mesh commands instead.
1753	 *
1754	 * Monitors are special as they are normally slaved to
1755	 * whatever else is going on, so they have their own special
1756	 * operation to set the monitor channel if possible.
1757	 */
1758	return !wdev ||
1759		wdev->iftype == NL80211_IFTYPE_AP ||
1760		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
1761		wdev->iftype == NL80211_IFTYPE_MONITOR ||
1762		wdev->iftype == NL80211_IFTYPE_P2P_GO;
1763}
1764
1765static int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
1766				 struct genl_info *info,
1767				 struct cfg80211_chan_def *chandef)
1768{
1769	u32 control_freq;
1770
1771	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
1772		return -EINVAL;
1773
1774	control_freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
1775
1776	chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
1777	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
1778	chandef->center_freq1 = control_freq;
1779	chandef->center_freq2 = 0;
1780
1781	/* Primary channel not allowed */
1782	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED)
1783		return -EINVAL;
1784
1785	if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
1786		enum nl80211_channel_type chantype;
1787
1788		chantype = nla_get_u32(
1789				info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
1790
1791		switch (chantype) {
1792		case NL80211_CHAN_NO_HT:
1793		case NL80211_CHAN_HT20:
1794		case NL80211_CHAN_HT40PLUS:
1795		case NL80211_CHAN_HT40MINUS:
1796			cfg80211_chandef_create(chandef, chandef->chan,
1797						chantype);
1798			break;
1799		default:
1800			return -EINVAL;
1801		}
1802	} else if (info->attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
1803		chandef->width =
1804			nla_get_u32(info->attrs[NL80211_ATTR_CHANNEL_WIDTH]);
1805		if (info->attrs[NL80211_ATTR_CENTER_FREQ1])
1806			chandef->center_freq1 =
1807				nla_get_u32(
1808					info->attrs[NL80211_ATTR_CENTER_FREQ1]);
1809		if (info->attrs[NL80211_ATTR_CENTER_FREQ2])
1810			chandef->center_freq2 =
1811				nla_get_u32(
1812					info->attrs[NL80211_ATTR_CENTER_FREQ2]);
1813	}
1814
1815	if (!cfg80211_chandef_valid(chandef))
1816		return -EINVAL;
1817
1818	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
1819				     IEEE80211_CHAN_DISABLED))
1820		return -EINVAL;
1821
1822	return 0;
1823}
1824
1825static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
1826				 struct wireless_dev *wdev,
1827				 struct genl_info *info)
1828{
1829	struct cfg80211_chan_def chandef;
1830	int result;
1831	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
1832
1833	if (wdev)
1834		iftype = wdev->iftype;
1835
1836	if (!nl80211_can_set_dev_channel(wdev))
1837		return -EOPNOTSUPP;
1838
1839	result = nl80211_parse_chandef(rdev, info, &chandef);
1840	if (result)
1841		return result;
1842
1843	mutex_lock(&rdev->devlist_mtx);
1844	switch (iftype) {
1845	case NL80211_IFTYPE_AP:
1846	case NL80211_IFTYPE_P2P_GO:
1847		if (wdev->beacon_interval) {
1848			result = -EBUSY;
1849			break;
1850		}
1851		if (!cfg80211_reg_can_beacon(&rdev->wiphy, &chandef)) {
1852			result = -EINVAL;
1853			break;
1854		}
1855		wdev->preset_chandef = chandef;
1856		result = 0;
1857		break;
1858	case NL80211_IFTYPE_MESH_POINT:
1859		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
1860		break;
1861	case NL80211_IFTYPE_MONITOR:
1862		result = cfg80211_set_monitor_channel(rdev, &chandef);
1863		break;
1864	default:
1865		result = -EINVAL;
1866	}
1867	mutex_unlock(&rdev->devlist_mtx);
1868
1869	return result;
1870}
1871
1872static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
1873{
1874	struct cfg80211_registered_device *rdev = info->user_ptr[0];
1875	struct net_device *netdev = info->user_ptr[1];
1876
1877	return __nl80211_set_channel(rdev, netdev->ieee80211_ptr, info);
1878}
1879
1880static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
1881{
1882	struct cfg80211_registered_device *rdev = info->user_ptr[0];
1883	struct net_device *dev = info->user_ptr[1];
1884	struct wireless_dev *wdev = dev->ieee80211_ptr;
1885	const u8 *bssid;
1886
1887	if (!info->attrs[NL80211_ATTR_MAC])
1888		return -EINVAL;
1889
1890	if (netif_running(dev))
1891		return -EBUSY;
1892
1893	if (!rdev->ops->set_wds_peer)
1894		return -EOPNOTSUPP;
1895
1896	if (wdev->iftype != NL80211_IFTYPE_WDS)
1897		return -EOPNOTSUPP;
1898
1899	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
1900	return rdev_set_wds_peer(rdev, dev, bssid);
1901}
1902
1903
1904static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
1905{
1906	struct cfg80211_registered_device *rdev;
1907	struct net_device *netdev = NULL;
1908	struct wireless_dev *wdev;
1909	int result = 0, rem_txq_params = 0;
1910	struct nlattr *nl_txq_params;
1911	u32 changed;
1912	u8 retry_short = 0, retry_long = 0;
1913	u32 frag_threshold = 0, rts_threshold = 0;
1914	u8 coverage_class = 0;
1915
1916	/*
1917	 * Try to find the wiphy and netdev. Normally this
1918	 * function shouldn't need the netdev, but this is
1919	 * done for backward compatibility -- previously
1920	 * setting the channel was done per wiphy, but now
1921	 * it is per netdev. Previous userland like hostapd
1922	 * also passed a netdev to set_wiphy, so that it is
1923	 * possible to let that go to the right netdev!
1924	 */
1925	mutex_lock(&cfg80211_mutex);
1926
1927	if (info->attrs[NL80211_ATTR_IFINDEX]) {
1928		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
1929
1930		netdev = dev_get_by_index(genl_info_net(info), ifindex);
1931		if (netdev && netdev->ieee80211_ptr) {
1932			rdev = wiphy_to_dev(netdev->ieee80211_ptr->wiphy);
1933			mutex_lock(&rdev->mtx);
1934		} else
1935			netdev = NULL;
1936	}
1937
1938	if (!netdev) {
1939		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
1940						  info->attrs);
1941		if (IS_ERR(rdev)) {
1942			mutex_unlock(&cfg80211_mutex);
1943			return PTR_ERR(rdev);
1944		}
1945		wdev = NULL;
1946		netdev = NULL;
1947		result = 0;
1948
1949		mutex_lock(&rdev->mtx);
1950	} else
1951		wdev = netdev->ieee80211_ptr;
1952
1953	/*
1954	 * end workaround code, by now the rdev is available
1955	 * and locked, and wdev may or may not be NULL.
1956	 */
1957
1958	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
1959		result = cfg80211_dev_rename(
1960			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
1961
1962	mutex_unlock(&cfg80211_mutex);
1963
1964	if (result)
1965		goto bad_res;
1966
1967	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
1968		struct ieee80211_txq_params txq_params;
1969		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
1970
1971		if (!rdev->ops->set_txq_params) {
1972			result = -EOPNOTSUPP;
1973			goto bad_res;
1974		}
1975
1976		if (!netdev) {
1977			result = -EINVAL;
1978			goto bad_res;
1979		}
1980
1981		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
1982		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
1983			result = -EINVAL;
1984			goto bad_res;
1985		}
1986
1987		if (!netif_running(netdev)) {
1988			result = -ENETDOWN;
1989			goto bad_res;
1990		}
1991
1992		nla_for_each_nested(nl_txq_params,
1993				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
1994				    rem_txq_params) {
1995			nla_parse(tb, NL80211_TXQ_ATTR_MAX,
1996				  nla_data(nl_txq_params),
1997				  nla_len(nl_txq_params),
1998				  txq_params_policy);
1999			result = parse_txq_params(tb, &txq_params);
2000			if (result)
2001				goto bad_res;
2002
2003			result = rdev_set_txq_params(rdev, netdev,
2004						     &txq_params);
2005			if (result)
2006				goto bad_res;
2007		}
2008	}
2009
2010	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2011		result = __nl80211_set_channel(rdev,
2012				nl80211_can_set_dev_channel(wdev) ? wdev : NULL,
2013				info);
2014		if (result)
2015			goto bad_res;
2016	}
2017
2018	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
2019		struct wireless_dev *txp_wdev = wdev;
2020		enum nl80211_tx_power_setting type;
2021		int idx, mbm = 0;
2022
2023		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
2024			txp_wdev = NULL;
2025
2026		if (!rdev->ops->set_tx_power) {
2027			result = -EOPNOTSUPP;
2028			goto bad_res;
2029		}
2030
2031		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
2032		type = nla_get_u32(info->attrs[idx]);
2033
2034		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
2035		    (type != NL80211_TX_POWER_AUTOMATIC)) {
2036			result = -EINVAL;
2037			goto bad_res;
2038		}
2039
2040		if (type != NL80211_TX_POWER_AUTOMATIC) {
2041			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
2042			mbm = nla_get_u32(info->attrs[idx]);
2043		}
2044
2045		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
2046		if (result)
2047			goto bad_res;
2048	}
2049
2050	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
2051	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
2052		u32 tx_ant, rx_ant;
2053		if ((!rdev->wiphy.available_antennas_tx &&
2054		     !rdev->wiphy.available_antennas_rx) ||
2055		    !rdev->ops->set_antenna) {
2056			result = -EOPNOTSUPP;
2057			goto bad_res;
2058		}
2059
2060		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
2061		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
2062
2063		/* reject antenna configurations which don't match the
2064		 * available antenna masks, except for the "all" mask */
2065		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
2066		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
2067			result = -EINVAL;
2068			goto bad_res;
2069		}
2070
2071		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
2072		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
2073
2074		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
2075		if (result)
2076			goto bad_res;
2077	}
2078
2079	changed = 0;
2080
2081	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
2082		retry_short = nla_get_u8(
2083			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
2084		if (retry_short == 0) {
2085			result = -EINVAL;
2086			goto bad_res;
2087		}
2088		changed |= WIPHY_PARAM_RETRY_SHORT;
2089	}
2090
2091	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
2092		retry_long = nla_get_u8(
2093			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
2094		if (retry_long == 0) {
2095			result = -EINVAL;
2096			goto bad_res;
2097		}
2098		changed |= WIPHY_PARAM_RETRY_LONG;
2099	}
2100
2101	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
2102		frag_threshold = nla_get_u32(
2103			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
2104		if (frag_threshold < 256) {
2105			result = -EINVAL;
2106			goto bad_res;
2107		}
2108		if (frag_threshold != (u32) -1) {
2109			/*
2110			 * Fragments (apart from the last one) are required to
2111			 * have even length. Make the fragmentation code
2112			 * simpler by stripping LSB should someone try to use
2113			 * odd threshold value.
2114			 */
2115			frag_threshold &= ~0x1;
2116		}
2117		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
2118	}
2119
2120	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
2121		rts_threshold = nla_get_u32(
2122			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
2123		changed |= WIPHY_PARAM_RTS_THRESHOLD;
2124	}
2125
2126	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
2127		coverage_class = nla_get_u8(
2128			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
2129		changed |= WIPHY_PARAM_COVERAGE_CLASS;
2130	}
2131
2132	if (changed) {
2133		u8 old_retry_short, old_retry_long;
2134		u32 old_frag_threshold, old_rts_threshold;
2135		u8 old_coverage_class;
2136
2137		if (!rdev->ops->set_wiphy_params) {
2138			result = -EOPNOTSUPP;
2139			goto bad_res;
2140		}
2141
2142		old_retry_short = rdev->wiphy.retry_short;
2143		old_retry_long = rdev->wiphy.retry_long;
2144		old_frag_threshold = rdev->wiphy.frag_threshold;
2145		old_rts_threshold = rdev->wiphy.rts_threshold;
2146		old_coverage_class = rdev->wiphy.coverage_class;
2147
2148		if (changed & WIPHY_PARAM_RETRY_SHORT)
2149			rdev->wiphy.retry_short = retry_short;
2150		if (changed & WIPHY_PARAM_RETRY_LONG)
2151			rdev->wiphy.retry_long = retry_long;
2152		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
2153			rdev->wiphy.frag_threshold = frag_threshold;
2154		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
2155			rdev->wiphy.rts_threshold = rts_threshold;
2156		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
2157			rdev->wiphy.coverage_class = coverage_class;
2158
2159		result = rdev_set_wiphy_params(rdev, changed);
2160		if (result) {
2161			rdev->wiphy.retry_short = old_retry_short;
2162			rdev->wiphy.retry_long = old_retry_long;
2163			rdev->wiphy.frag_threshold = old_frag_threshold;
2164			rdev->wiphy.rts_threshold = old_rts_threshold;
2165			rdev->wiphy.coverage_class = old_coverage_class;
2166		}
2167	}
2168
2169 bad_res:
2170	mutex_unlock(&rdev->mtx);
2171	if (netdev)
2172		dev_put(netdev);
2173	return result;
2174}
2175
2176static inline u64 wdev_id(struct wireless_dev *wdev)
2177{
2178	return (u64)wdev->identifier |
2179	       ((u64)wiphy_to_dev(wdev->wiphy)->wiphy_idx << 32);
2180}
2181
2182static int nl80211_send_chandef(struct sk_buff *msg,
2183				 struct cfg80211_chan_def *chandef)
2184{
2185	WARN_ON(!cfg80211_chandef_valid(chandef));
2186
2187	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
2188			chandef->chan->center_freq))
2189		return -ENOBUFS;
2190	switch (chandef->width) {
2191	case NL80211_CHAN_WIDTH_20_NOHT:
2192	case NL80211_CHAN_WIDTH_20:
2193	case NL80211_CHAN_WIDTH_40:
2194		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
2195				cfg80211_get_chandef_type(chandef)))
2196			return -ENOBUFS;
2197		break;
2198	default:
2199		break;
2200	}
2201	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
2202		return -ENOBUFS;
2203	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
2204		return -ENOBUFS;
2205	if (chandef->center_freq2 &&
2206	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
2207		return -ENOBUFS;
2208	return 0;
2209}
2210
2211static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
2212			      struct cfg80211_registered_device *rdev,
2213			      struct wireless_dev *wdev)
2214{
2215	struct net_device *dev = wdev->netdev;
2216	void *hdr;
2217
2218	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_INTERFACE);
2219	if (!hdr)
2220		return -1;
2221
2222	if (dev &&
2223	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2224	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
2225		goto nla_put_failure;
2226
2227	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2228	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
2229	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
2230	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
2231	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2232			rdev->devlist_generation ^
2233			(cfg80211_rdev_list_generation << 2)))
2234		goto nla_put_failure;
2235
2236	if (rdev->ops->get_channel) {
2237		int ret;
2238		struct cfg80211_chan_def chandef;
2239
2240		ret = rdev_get_channel(rdev, wdev, &chandef);
2241		if (ret == 0) {
2242			if (nl80211_send_chandef(msg, &chandef))
2243				goto nla_put_failure;
2244		}
2245	}
2246
2247	if (wdev->ssid_len) {
2248		if (nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
2249			goto nla_put_failure;
2250	}
2251
2252	return genlmsg_end(msg, hdr);
2253
2254 nla_put_failure:
2255	genlmsg_cancel(msg, hdr);
2256	return -EMSGSIZE;
2257}
2258
2259static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
2260{
2261	int wp_idx = 0;
2262	int if_idx = 0;
2263	int wp_start = cb->args[0];
2264	int if_start = cb->args[1];
2265	struct cfg80211_registered_device *rdev;
2266	struct wireless_dev *wdev;
2267
2268	mutex_lock(&cfg80211_mutex);
2269	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2270		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2271			continue;
2272		if (wp_idx < wp_start) {
2273			wp_idx++;
2274			continue;
2275		}
2276		if_idx = 0;
2277
2278		mutex_lock(&rdev->devlist_mtx);
2279		list_for_each_entry(wdev, &rdev->wdev_list, list) {
2280			if (if_idx < if_start) {
2281				if_idx++;
2282				continue;
2283			}
2284			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
2285					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
2286					       rdev, wdev) < 0) {
2287				mutex_unlock(&rdev->devlist_mtx);
2288				goto out;
2289			}
2290			if_idx++;
2291		}
2292		mutex_unlock(&rdev->devlist_mtx);
2293
2294		wp_idx++;
2295	}
2296 out:
2297	mutex_unlock(&cfg80211_mutex);
2298
2299	cb->args[0] = wp_idx;
2300	cb->args[1] = if_idx;
2301
2302	return skb->len;
2303}
2304
2305static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
2306{
2307	struct sk_buff *msg;
2308	struct cfg80211_registered_device *dev = info->user_ptr[0];
2309	struct wireless_dev *wdev = info->user_ptr[1];
2310
2311	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2312	if (!msg)
2313		return -ENOMEM;
2314
2315	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2316			       dev, wdev) < 0) {
2317		nlmsg_free(msg);
2318		return -ENOBUFS;
2319	}
2320
2321	return genlmsg_reply(msg, info);
2322}
2323
2324static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
2325	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
2326	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
2327	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
2328	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
2329	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
2330};
2331
2332static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
2333{
2334	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
2335	int flag;
2336
2337	*mntrflags = 0;
2338
2339	if (!nla)
2340		return -EINVAL;
2341
2342	if (nla_parse_nested(flags, NL80211_MNTR_FLAG_MAX,
2343			     nla, mntr_flags_policy))
2344		return -EINVAL;
2345
2346	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
2347		if (flags[flag])
2348			*mntrflags |= (1<<flag);
2349
2350	return 0;
2351}
2352
2353static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
2354			       struct net_device *netdev, u8 use_4addr,
2355			       enum nl80211_iftype iftype)
2356{
2357	if (!use_4addr) {
2358		if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
2359			return -EBUSY;
2360		return 0;
2361	}
2362
2363	switch (iftype) {
2364	case NL80211_IFTYPE_AP_VLAN:
2365		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
2366			return 0;
2367		break;
2368	case NL80211_IFTYPE_STATION:
2369		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
2370			return 0;
2371		break;
2372	default:
2373		break;
2374	}
2375
2376	return -EOPNOTSUPP;
2377}
2378
2379static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
2380{
2381	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2382	struct vif_params params;
2383	int err;
2384	enum nl80211_iftype otype, ntype;
2385	struct net_device *dev = info->user_ptr[1];
2386	u32 _flags, *flags = NULL;
2387	bool change = false;
2388
2389	memset(&params, 0, sizeof(params));
2390
2391	otype = ntype = dev->ieee80211_ptr->iftype;
2392
2393	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2394		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2395		if (otype != ntype)
2396			change = true;
2397		if (ntype > NL80211_IFTYPE_MAX)
2398			return -EINVAL;
2399	}
2400
2401	if (info->attrs[NL80211_ATTR_MESH_ID]) {
2402		struct wireless_dev *wdev = dev->ieee80211_ptr;
2403
2404		if (ntype != NL80211_IFTYPE_MESH_POINT)
2405			return -EINVAL;
2406		if (netif_running(dev))
2407			return -EBUSY;
2408
2409		wdev_lock(wdev);
2410		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2411			     IEEE80211_MAX_MESH_ID_LEN);
2412		wdev->mesh_id_up_len =
2413			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2414		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2415		       wdev->mesh_id_up_len);
2416		wdev_unlock(wdev);
2417	}
2418
2419	if (info->attrs[NL80211_ATTR_4ADDR]) {
2420		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2421		change = true;
2422		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
2423		if (err)
2424			return err;
2425	} else {
2426		params.use_4addr = -1;
2427	}
2428
2429	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
2430		if (ntype != NL80211_IFTYPE_MONITOR)
2431			return -EINVAL;
2432		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
2433					  &_flags);
2434		if (err)
2435			return err;
2436
2437		flags = &_flags;
2438		change = true;
2439	}
2440
2441	if (change)
2442		err = cfg80211_change_iface(rdev, dev, ntype, flags, &params);
2443	else
2444		err = 0;
2445
2446	if (!err && params.use_4addr != -1)
2447		dev->ieee80211_ptr->use_4addr = params.use_4addr;
2448
2449	return err;
2450}
2451
2452static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
2453{
2454	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2455	struct vif_params params;
2456	struct wireless_dev *wdev;
2457	struct sk_buff *msg;
2458	int err;
2459	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
2460	u32 flags;
2461
2462	memset(&params, 0, sizeof(params));
2463
2464	if (!info->attrs[NL80211_ATTR_IFNAME])
2465		return -EINVAL;
2466
2467	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2468		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2469		if (type > NL80211_IFTYPE_MAX)
2470			return -EINVAL;
2471	}
2472
2473	if (!rdev->ops->add_virtual_intf ||
2474	    !(rdev->wiphy.interface_modes & (1 << type)))
2475		return -EOPNOTSUPP;
2476
2477	if (type == NL80211_IFTYPE_P2P_DEVICE && info->attrs[NL80211_ATTR_MAC]) {
2478		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
2479			   ETH_ALEN);
2480		if (!is_valid_ether_addr(params.macaddr))
2481			return -EADDRNOTAVAIL;
2482	}
2483
2484	if (info->attrs[NL80211_ATTR_4ADDR]) {
2485		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2486		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
2487		if (err)
2488			return err;
2489	}
2490
2491	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2492	if (!msg)
2493		return -ENOMEM;
2494
2495	err = parse_monitor_flags(type == NL80211_IFTYPE_MONITOR ?
2496				  info->attrs[NL80211_ATTR_MNTR_FLAGS] : NULL,
2497				  &flags);
2498	wdev = rdev_add_virtual_intf(rdev,
2499				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
2500				type, err ? NULL : &flags, &params);
2501	if (IS_ERR(wdev)) {
2502		nlmsg_free(msg);
2503		return PTR_ERR(wdev);
2504	}
2505
2506	switch (type) {
2507	case NL80211_IFTYPE_MESH_POINT:
2508		if (!info->attrs[NL80211_ATTR_MESH_ID])
2509			break;
2510		wdev_lock(wdev);
2511		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2512			     IEEE80211_MAX_MESH_ID_LEN);
2513		wdev->mesh_id_up_len =
2514			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2515		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2516		       wdev->mesh_id_up_len);
2517		wdev_unlock(wdev);
2518		break;
2519	case NL80211_IFTYPE_P2P_DEVICE:
2520		/*
2521		 * P2P Device doesn't have a netdev, so doesn't go
2522		 * through the netdev notifier and must be added here
2523		 */
2524		mutex_init(&wdev->mtx);
2525		INIT_LIST_HEAD(&wdev->event_list);
2526		spin_lock_init(&wdev->event_lock);
2527		INIT_LIST_HEAD(&wdev->mgmt_registrations);
2528		spin_lock_init(&wdev->mgmt_registrations_lock);
2529
2530		mutex_lock(&rdev->devlist_mtx);
2531		wdev->identifier = ++rdev->wdev_id;
2532		list_add_rcu(&wdev->list, &rdev->wdev_list);
2533		rdev->devlist_generation++;
2534		mutex_unlock(&rdev->devlist_mtx);
2535		break;
2536	default:
2537		break;
2538	}
2539
2540	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2541			       rdev, wdev) < 0) {
2542		nlmsg_free(msg);
2543		return -ENOBUFS;
2544	}
2545
2546	return genlmsg_reply(msg, info);
2547}
2548
2549static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
2550{
2551	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2552	struct wireless_dev *wdev = info->user_ptr[1];
2553
2554	if (!rdev->ops->del_virtual_intf)
2555		return -EOPNOTSUPP;
2556
2557	/*
2558	 * If we remove a wireless device without a netdev then clear
2559	 * user_ptr[1] so that nl80211_post_doit won't dereference it
2560	 * to check if it needs to do dev_put(). Otherwise it crashes
2561	 * since the wdev has been freed, unlike with a netdev where
2562	 * we need the dev_put() for the netdev to really be freed.
2563	 */
2564	if (!wdev->netdev)
2565		info->user_ptr[1] = NULL;
2566
2567	return rdev_del_virtual_intf(rdev, wdev);
2568}
2569
2570static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
2571{
2572	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2573	struct net_device *dev = info->user_ptr[1];
2574	u16 noack_map;
2575
2576	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
2577		return -EINVAL;
2578
2579	if (!rdev->ops->set_noack_map)
2580		return -EOPNOTSUPP;
2581
2582	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
2583
2584	return rdev_set_noack_map(rdev, dev, noack_map);
2585}
2586
2587struct get_key_cookie {
2588	struct sk_buff *msg;
2589	int error;
2590	int idx;
2591};
2592
2593static void get_key_callback(void *c, struct key_params *params)
2594{
2595	struct nlattr *key;
2596	struct get_key_cookie *cookie = c;
2597
2598	if ((params->key &&
2599	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
2600		     params->key_len, params->key)) ||
2601	    (params->seq &&
2602	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
2603		     params->seq_len, params->seq)) ||
2604	    (params->cipher &&
2605	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
2606			 params->cipher)))
2607		goto nla_put_failure;
2608
2609	key = nla_nest_start(cookie->msg, NL80211_ATTR_KEY);
2610	if (!key)
2611		goto nla_put_failure;
2612
2613	if ((params->key &&
2614	     nla_put(cookie->msg, NL80211_KEY_DATA,
2615		     params->key_len, params->key)) ||
2616	    (params->seq &&
2617	     nla_put(cookie->msg, NL80211_KEY_SEQ,
2618		     params->seq_len, params->seq)) ||
2619	    (params->cipher &&
2620	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
2621			 params->cipher)))
2622		goto nla_put_failure;
2623
2624	if (nla_put_u8(cookie->msg, NL80211_ATTR_KEY_IDX, cookie->idx))
2625		goto nla_put_failure;
2626
2627	nla_nest_end(cookie->msg, key);
2628
2629	return;
2630 nla_put_failure:
2631	cookie->error = 1;
2632}
2633
2634static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
2635{
2636	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2637	int err;
2638	struct net_device *dev = info->user_ptr[1];
2639	u8 key_idx = 0;
2640	const u8 *mac_addr = NULL;
2641	bool pairwise;
2642	struct get_key_cookie cookie = {
2643		.error = 0,
2644	};
2645	void *hdr;
2646	struct sk_buff *msg;
2647
2648	if (info->attrs[NL80211_ATTR_KEY_IDX])
2649		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
2650
2651	if (key_idx > 5)
2652		return -EINVAL;
2653
2654	if (info->attrs[NL80211_ATTR_MAC])
2655		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2656
2657	pairwise = !!mac_addr;
2658	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
2659		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
2660		if (kt >= NUM_NL80211_KEYTYPES)
2661			return -EINVAL;
2662		if (kt != NL80211_KEYTYPE_GROUP &&
2663		    kt != NL80211_KEYTYPE_PAIRWISE)
2664			return -EINVAL;
2665		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
2666	}
2667
2668	if (!rdev->ops->get_key)
2669		return -EOPNOTSUPP;
2670
2671	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2672	if (!msg)
2673		return -ENOMEM;
2674
2675	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
2676			     NL80211_CMD_NEW_KEY);
2677	if (!hdr)
2678		goto nla_put_failure;
2679
2680	cookie.msg = msg;
2681	cookie.idx = key_idx;
2682
2683	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2684	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
2685		goto nla_put_failure;
2686	if (mac_addr &&
2687	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
2688		goto nla_put_failure;
2689
2690	if (pairwise && mac_addr &&
2691	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2692		return -ENOENT;
2693
2694	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
2695			   get_key_callback);
2696
2697	if (err)
2698		goto free_msg;
2699
2700	if (cookie.error)
2701		goto nla_put_failure;
2702
2703	genlmsg_end(msg, hdr);
2704	return genlmsg_reply(msg, info);
2705
2706 nla_put_failure:
2707	err = -ENOBUFS;
2708 free_msg:
2709	nlmsg_free(msg);
2710	return err;
2711}
2712
2713static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
2714{
2715	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2716	struct key_parse key;
2717	int err;
2718	struct net_device *dev = info->user_ptr[1];
2719
2720	err = nl80211_parse_key(info, &key);
2721	if (err)
2722		return err;
2723
2724	if (key.idx < 0)
2725		return -EINVAL;
2726
2727	/* only support setting default key */
2728	if (!key.def && !key.defmgmt)
2729		return -EINVAL;
2730
2731	wdev_lock(dev->ieee80211_ptr);
2732
2733	if (key.def) {
2734		if (!rdev->ops->set_default_key) {
2735			err = -EOPNOTSUPP;
2736			goto out;
2737		}
2738
2739		err = nl80211_key_allowed(dev->ieee80211_ptr);
2740		if (err)
2741			goto out;
2742
2743		err = rdev_set_default_key(rdev, dev, key.idx,
2744						 key.def_uni, key.def_multi);
2745
2746		if (err)
2747			goto out;
2748
2749#ifdef CONFIG_CFG80211_WEXT
2750		dev->ieee80211_ptr->wext.default_key = key.idx;
2751#endif
2752	} else {
2753		if (key.def_uni || !key.def_multi) {
2754			err = -EINVAL;
2755			goto out;
2756		}
2757
2758		if (!rdev->ops->set_default_mgmt_key) {
2759			err = -EOPNOTSUPP;
2760			goto out;
2761		}
2762
2763		err = nl80211_key_allowed(dev->ieee80211_ptr);
2764		if (err)
2765			goto out;
2766
2767		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
2768		if (err)
2769			goto out;
2770
2771#ifdef CONFIG_CFG80211_WEXT
2772		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
2773#endif
2774	}
2775
2776 out:
2777	wdev_unlock(dev->ieee80211_ptr);
2778
2779	return err;
2780}
2781
2782static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
2783{
2784	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2785	int err;
2786	struct net_device *dev = info->user_ptr[1];
2787	struct key_parse key;
2788	const u8 *mac_addr = NULL;
2789
2790	err = nl80211_parse_key(info, &key);
2791	if (err)
2792		return err;
2793
2794	if (!key.p.key)
2795		return -EINVAL;
2796
2797	if (info->attrs[NL80211_ATTR_MAC])
2798		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2799
2800	if (key.type == -1) {
2801		if (mac_addr)
2802			key.type = NL80211_KEYTYPE_PAIRWISE;
2803		else
2804			key.type = NL80211_KEYTYPE_GROUP;
2805	}
2806
2807	/* for now */
2808	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
2809	    key.type != NL80211_KEYTYPE_GROUP)
2810		return -EINVAL;
2811
2812	if (!rdev->ops->add_key)
2813		return -EOPNOTSUPP;
2814
2815	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
2816					   key.type == NL80211_KEYTYPE_PAIRWISE,
2817					   mac_addr))
2818		return -EINVAL;
2819
2820	wdev_lock(dev->ieee80211_ptr);
2821	err = nl80211_key_allowed(dev->ieee80211_ptr);
2822	if (!err)
2823		err = rdev_add_key(rdev, dev, key.idx,
2824				   key.type == NL80211_KEYTYPE_PAIRWISE,
2825				    mac_addr, &key.p);
2826	wdev_unlock(dev->ieee80211_ptr);
2827
2828	return err;
2829}
2830
2831static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
2832{
2833	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2834	int err;
2835	struct net_device *dev = info->user_ptr[1];
2836	u8 *mac_addr = NULL;
2837	struct key_parse key;
2838
2839	err = nl80211_parse_key(info, &key);
2840	if (err)
2841		return err;
2842
2843	if (info->attrs[NL80211_ATTR_MAC])
2844		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2845
2846	if (key.type == -1) {
2847		if (mac_addr)
2848			key.type = NL80211_KEYTYPE_PAIRWISE;
2849		else
2850			key.type = NL80211_KEYTYPE_GROUP;
2851	}
2852
2853	/* for now */
2854	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
2855	    key.type != NL80211_KEYTYPE_GROUP)
2856		return -EINVAL;
2857
2858	if (!rdev->ops->del_key)
2859		return -EOPNOTSUPP;
2860
2861	wdev_lock(dev->ieee80211_ptr);
2862	err = nl80211_key_allowed(dev->ieee80211_ptr);
2863
2864	if (key.type == NL80211_KEYTYPE_PAIRWISE && mac_addr &&
2865	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2866		err = -ENOENT;
2867
2868	if (!err)
2869		err = rdev_del_key(rdev, dev, key.idx,
2870				   key.type == NL80211_KEYTYPE_PAIRWISE,
2871				   mac_addr);
2872
2873#ifdef CONFIG_CFG80211_WEXT
2874	if (!err) {
2875		if (key.idx == dev->ieee80211_ptr->wext.default_key)
2876			dev->ieee80211_ptr->wext.default_key = -1;
2877		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
2878			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
2879	}
2880#endif
2881	wdev_unlock(dev->ieee80211_ptr);
2882
2883	return err;
2884}
2885
2886/* This function returns an error or the number of nested attributes */
2887static int validate_acl_mac_addrs(struct nlattr *nl_attr)
2888{
2889	struct nlattr *attr;
2890	int n_entries = 0, tmp;
2891
2892	nla_for_each_nested(attr, nl_attr, tmp) {
2893		if (nla_len(attr) != ETH_ALEN)
2894			return -EINVAL;
2895
2896		n_entries++;
2897	}
2898
2899	return n_entries;
2900}
2901
2902/*
2903 * This function parses ACL information and allocates memory for ACL data.
2904 * On successful return, the calling function is responsible to free the
2905 * ACL buffer returned by this function.
2906 */
2907static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
2908						struct genl_info *info)
2909{
2910	enum nl80211_acl_policy acl_policy;
2911	struct nlattr *attr;
2912	struct cfg80211_acl_data *acl;
2913	int i = 0, n_entries, tmp;
2914
2915	if (!wiphy->max_acl_mac_addrs)
2916		return ERR_PTR(-EOPNOTSUPP);
2917
2918	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
2919		return ERR_PTR(-EINVAL);
2920
2921	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
2922	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
2923	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
2924		return ERR_PTR(-EINVAL);
2925
2926	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
2927		return ERR_PTR(-EINVAL);
2928
2929	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
2930	if (n_entries < 0)
2931		return ERR_PTR(n_entries);
2932
2933	if (n_entries > wiphy->max_acl_mac_addrs)
2934		return ERR_PTR(-ENOTSUPP);
2935
2936	acl = kzalloc(sizeof(*acl) + (sizeof(struct mac_address) * n_entries),
2937		      GFP_KERNEL);
2938	if (!acl)
2939		return ERR_PTR(-ENOMEM);
2940
2941	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
2942		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
2943		i++;
2944	}
2945
2946	acl->n_acl_entries = n_entries;
2947	acl->acl_policy = acl_policy;
2948
2949	return acl;
2950}
2951
2952static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
2953{
2954	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2955	struct net_device *dev = info->user_ptr[1];
2956	struct cfg80211_acl_data *acl;
2957	int err;
2958
2959	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2960	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2961		return -EOPNOTSUPP;
2962
2963	if (!dev->ieee80211_ptr->beacon_interval)
2964		return -EINVAL;
2965
2966	acl = parse_acl_data(&rdev->wiphy, info);
2967	if (IS_ERR(acl))
2968		return PTR_ERR(acl);
2969
2970	err = rdev_set_mac_acl(rdev, dev, acl);
2971
2972	kfree(acl);
2973
2974	return err;
2975}
2976
2977static int nl80211_parse_beacon(struct genl_info *info,
2978				struct cfg80211_beacon_data *bcn)
2979{
2980	bool haveinfo = false;
2981
2982	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_BEACON_TAIL]) ||
2983	    !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]) ||
2984	    !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE_PROBE_RESP]) ||
2985	    !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]))
2986		return -EINVAL;
2987
2988	memset(bcn, 0, sizeof(*bcn));
2989
2990	if (info->attrs[NL80211_ATTR_BEACON_HEAD]) {
2991		bcn->head = nla_data(info->attrs[NL80211_ATTR_BEACON_HEAD]);
2992		bcn->head_len = nla_len(info->attrs[NL80211_ATTR_BEACON_HEAD]);
2993		if (!bcn->head_len)
2994			return -EINVAL;
2995		haveinfo = true;
2996	}
2997
2998	if (info->attrs[NL80211_ATTR_BEACON_TAIL]) {
2999		bcn->tail = nla_data(info->attrs[NL80211_ATTR_BEACON_TAIL]);
3000		bcn->tail_len =
3001		    nla_len(info->attrs[NL80211_ATTR_BEACON_TAIL]);
3002		haveinfo = true;
3003	}
3004
3005	if (!haveinfo)
3006		return -EINVAL;
3007
3008	if (info->attrs[NL80211_ATTR_IE]) {
3009		bcn->beacon_ies = nla_data(info->attrs[NL80211_ATTR_IE]);
3010		bcn->beacon_ies_len = nla_len(info->attrs[NL80211_ATTR_IE]);
3011	}
3012
3013	if (info->attrs[NL80211_ATTR_IE_PROBE_RESP]) {
3014		bcn->proberesp_ies =
3015			nla_data(info->attrs[NL80211_ATTR_IE_PROBE_RESP]);
3016		bcn->proberesp_ies_len =
3017			nla_len(info->attrs[NL80211_ATTR_IE_PROBE_RESP]);
3018	}
3019
3020	if (info->attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
3021		bcn->assocresp_ies =
3022			nla_data(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]);
3023		bcn->assocresp_ies_len =
3024			nla_len(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]);
3025	}
3026
3027	if (info->attrs[NL80211_ATTR_PROBE_RESP]) {
3028		bcn->probe_resp =
3029			nla_data(info->attrs[NL80211_ATTR_PROBE_RESP]);
3030		bcn->probe_resp_len =
3031			nla_len(info->attrs[NL80211_ATTR_PROBE_RESP]);
3032	}
3033
3034	return 0;
3035}
3036
3037static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
3038				   struct cfg80211_ap_settings *params)
3039{
3040	struct wireless_dev *wdev;
3041	bool ret = false;
3042
3043	mutex_lock(&rdev->devlist_mtx);
3044
3045	list_for_each_entry(wdev, &rdev->wdev_list, list) {
3046		if (wdev->iftype != NL80211_IFTYPE_AP &&
3047		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
3048			continue;
3049
3050		if (!wdev->preset_chandef.chan)
3051			continue;
3052
3053		params->chandef = wdev->preset_chandef;
3054		ret = true;
3055		break;
3056	}
3057
3058	mutex_unlock(&rdev->devlist_mtx);
3059
3060	return ret;
3061}
3062
3063static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
3064				    enum nl80211_auth_type auth_type,
3065				    enum nl80211_commands cmd)
3066{
3067	if (auth_type > NL80211_AUTHTYPE_MAX)
3068		return false;
3069
3070	switch (cmd) {
3071	case NL80211_CMD_AUTHENTICATE:
3072		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
3073		    auth_type == NL80211_AUTHTYPE_SAE)
3074			return false;
3075		return true;
3076	case NL80211_CMD_CONNECT:
3077	case NL80211_CMD_START_AP:
3078		/* SAE not supported yet */
3079		if (auth_type == NL80211_AUTHTYPE_SAE)
3080			return false;
3081		return true;
3082	default:
3083		return false;
3084	}
3085}
3086
3087static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
3088{
3089	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3090	struct net_device *dev = info->user_ptr[1];
3091	struct wireless_dev *wdev = dev->ieee80211_ptr;
3092	struct cfg80211_ap_settings params;
3093	int err;
3094	u8 radar_detect_width = 0;
3095
3096	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3097	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3098		return -EOPNOTSUPP;
3099
3100	if (!rdev->ops->start_ap)
3101		return -EOPNOTSUPP;
3102
3103	if (wdev->beacon_interval)
3104		return -EALREADY;
3105
3106	memset(&params, 0, sizeof(params));
3107
3108	/* these are required for START_AP */
3109	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
3110	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
3111	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
3112		return -EINVAL;
3113
3114	err = nl80211_parse_beacon(info, &params.beacon);
3115	if (err)
3116		return err;
3117
3118	params.beacon_interval =
3119		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
3120	params.dtim_period =
3121		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
3122
3123	err = cfg80211_validate_beacon_int(rdev, params.beacon_interval);
3124	if (err)
3125		return err;
3126
3127	/*
3128	 * In theory, some of these attributes should be required here
3129	 * but since they were not used when the command was originally
3130	 * added, keep them optional for old user space programs to let
3131	 * them continue to work with drivers that do not need the
3132	 * additional information -- drivers must check!
3133	 */
3134	if (info->attrs[NL80211_ATTR_SSID]) {
3135		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
3136		params.ssid_len =
3137			nla_len(info->attrs[NL80211_ATTR_SSID]);
3138		if (params.ssid_len == 0 ||
3139		    params.ssid_len > IEEE80211_MAX_SSID_LEN)
3140			return -EINVAL;
3141	}
3142
3143	if (info->attrs[NL80211_ATTR_HIDDEN_SSID]) {
3144		params.hidden_ssid = nla_get_u32(
3145			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
3146		if (params.hidden_ssid != NL80211_HIDDEN_SSID_NOT_IN_USE &&
3147		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_LEN &&
3148		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_CONTENTS)
3149			return -EINVAL;
3150	}
3151
3152	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
3153
3154	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
3155		params.auth_type = nla_get_u32(
3156			info->attrs[NL80211_ATTR_AUTH_TYPE]);
3157		if (!nl80211_valid_auth_type(rdev, params.auth_type,
3158					     NL80211_CMD_START_AP))
3159			return -EINVAL;
3160	} else
3161		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
3162
3163	err = nl80211_crypto_settings(rdev, info, &params.crypto,
3164				      NL80211_MAX_NR_CIPHER_SUITES);
3165	if (err)
3166		return err;
3167
3168	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
3169		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
3170			return -EOPNOTSUPP;
3171		params.inactivity_timeout = nla_get_u16(
3172			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
3173	}
3174
3175	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
3176		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3177			return -EINVAL;
3178		params.p2p_ctwindow =
3179			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
3180		if (params.p2p_ctwindow > 127)
3181			return -EINVAL;
3182		if (params.p2p_ctwindow != 0 &&
3183		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
3184			return -EINVAL;
3185	}
3186
3187	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
3188		u8 tmp;
3189
3190		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3191			return -EINVAL;
3192		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
3193		if (tmp > 1)
3194			return -EINVAL;
3195		params.p2p_opp_ps = tmp;
3196		if (params.p2p_opp_ps != 0 &&
3197		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
3198			return -EINVAL;
3199	}
3200
3201	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3202		err = nl80211_parse_chandef(rdev, info, &params.chandef);
3203		if (err)
3204			return err;
3205	} else if (wdev->preset_chandef.chan) {
3206		params.chandef = wdev->preset_chandef;
3207	} else if (!nl80211_get_ap_channel(rdev, &params))
3208		return -EINVAL;
3209
3210	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &params.chandef))
3211		return -EINVAL;
3212
3213	err = cfg80211_chandef_dfs_required(wdev->wiphy, &params.chandef);
3214	if (err < 0)
3215		return err;
3216	if (err) {
3217		radar_detect_width = BIT(params.chandef.width);
3218		params.radar_required = true;
3219	}
3220
3221	mutex_lock(&rdev->devlist_mtx);
3222	err = cfg80211_can_use_iftype_chan(rdev, wdev, wdev->iftype,
3223					   params.chandef.chan,
3224					   CHAN_MODE_SHARED,
3225					   radar_detect_width);
3226	mutex_unlock(&rdev->devlist_mtx);
3227
3228	if (err)
3229		return err;
3230
3231	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
3232		params.acl = parse_acl_data(&rdev->wiphy, info);
3233		if (IS_ERR(params.acl))
3234			return PTR_ERR(params.acl);
3235	}
3236
3237	err = rdev_start_ap(rdev, dev, &params);
3238	if (!err) {
3239		wdev->preset_chandef = params.chandef;
3240		wdev->beacon_interval = params.beacon_interval;
3241		wdev->channel = params.chandef.chan;
3242		wdev->ssid_len = params.ssid_len;
3243		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
3244	}
3245
3246	kfree(params.acl);
3247
3248	return err;
3249}
3250
3251static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
3252{
3253	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3254	struct net_device *dev = info->user_ptr[1];
3255	struct wireless_dev *wdev = dev->ieee80211_ptr;
3256	struct cfg80211_beacon_data params;
3257	int err;
3258
3259	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3260	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3261		return -EOPNOTSUPP;
3262
3263	if (!rdev->ops->change_beacon)
3264		return -EOPNOTSUPP;
3265
3266	if (!wdev->beacon_interval)
3267		return -EINVAL;
3268
3269	err = nl80211_parse_beacon(info, &params);
3270	if (err)
3271		return err;
3272
3273	return rdev_change_beacon(rdev, dev, &params);
3274}
3275
3276static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
3277{
3278	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3279	struct net_device *dev = info->user_ptr[1];
3280
3281	return cfg80211_stop_ap(rdev, dev);
3282}
3283
3284static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
3285	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
3286	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
3287	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
3288	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
3289	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
3290	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
3291};
3292
3293static int parse_station_flags(struct genl_info *info,
3294			       enum nl80211_iftype iftype,
3295			       struct station_parameters *params)
3296{
3297	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
3298	struct nlattr *nla;
3299	int flag;
3300
3301	/*
3302	 * Try parsing the new attribute first so userspace
3303	 * can specify both for older kernels.
3304	 */
3305	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
3306	if (nla) {
3307		struct nl80211_sta_flag_update *sta_flags;
3308
3309		sta_flags = nla_data(nla);
3310		params->sta_flags_mask = sta_flags->mask;
3311		params->sta_flags_set = sta_flags->set;
3312		params->sta_flags_set &= params->sta_flags_mask;
3313		if ((params->sta_flags_mask |
3314		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
3315			return -EINVAL;
3316		return 0;
3317	}
3318
3319	/* if present, parse the old attribute */
3320
3321	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
3322	if (!nla)
3323		return 0;
3324
3325	if (nla_parse_nested(flags, NL80211_STA_FLAG_MAX,
3326			     nla, sta_flags_policy))
3327		return -EINVAL;
3328
3329	/*
3330	 * Only allow certain flags for interface types so that
3331	 * other attributes are silently ignored. Remember that
3332	 * this is backward compatibility code with old userspace
3333	 * and shouldn't be hit in other cases anyway.
3334	 */
3335	switch (iftype) {
3336	case NL80211_IFTYPE_AP:
3337	case NL80211_IFTYPE_AP_VLAN:
3338	case NL80211_IFTYPE_P2P_GO:
3339		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
3340					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
3341					 BIT(NL80211_STA_FLAG_WME) |
3342					 BIT(NL80211_STA_FLAG_MFP);
3343		break;
3344	case NL80211_IFTYPE_P2P_CLIENT:
3345	case NL80211_IFTYPE_STATION:
3346		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
3347					 BIT(NL80211_STA_FLAG_TDLS_PEER);
3348		break;
3349	case NL80211_IFTYPE_MESH_POINT:
3350		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3351					 BIT(NL80211_STA_FLAG_MFP) |
3352					 BIT(NL80211_STA_FLAG_AUTHORIZED);
3353	default:
3354		return -EINVAL;
3355	}
3356
3357	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
3358		if (flags[flag]) {
3359			params->sta_flags_set |= (1<<flag);
3360
3361			/* no longer support new API additions in old API */
3362			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
3363				return -EINVAL;
3364		}
3365	}
3366
3367	return 0;
3368}
3369
3370static bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info,
3371				 int attr)
3372{
3373	struct nlattr *rate;
3374	u32 bitrate;
3375	u16 bitrate_compat;
3376
3377	rate = nla_nest_start(msg, attr);
3378	if (!rate)
3379		return false;
3380
3381	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
3382	bitrate = cfg80211_calculate_bitrate(info);
3383	/* report 16-bit bitrate only if we can */
3384	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
3385	if (bitrate > 0 &&
3386	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
3387		return false;
3388	if (bitrate_compat > 0 &&
3389	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
3390		return false;
3391
3392	if (info->flags & RATE_INFO_FLAGS_MCS) {
3393		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
3394			return false;
3395		if (info->flags & RATE_INFO_FLAGS_40_MHZ_WIDTH &&
3396		    nla_put_flag(msg, NL80211_RATE_INFO_40_MHZ_WIDTH))
3397			return false;
3398		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3399		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3400			return false;
3401	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
3402		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
3403			return false;
3404		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
3405			return false;
3406		if (info->flags & RATE_INFO_FLAGS_40_MHZ_WIDTH &&
3407		    nla_put_flag(msg, NL80211_RATE_INFO_40_MHZ_WIDTH))
3408			return false;
3409		if (info->flags & RATE_INFO_FLAGS_80_MHZ_WIDTH &&
3410		    nla_put_flag(msg, NL80211_RATE_INFO_80_MHZ_WIDTH))
3411			return false;
3412		if (info->flags & RATE_INFO_FLAGS_80P80_MHZ_WIDTH &&
3413		    nla_put_flag(msg, NL80211_RATE_INFO_80P80_MHZ_WIDTH))
3414			return false;
3415		if (info->flags & RATE_INFO_FLAGS_160_MHZ_WIDTH &&
3416		    nla_put_flag(msg, NL80211_RATE_INFO_160_MHZ_WIDTH))
3417			return false;
3418		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3419		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3420			return false;
3421	}
3422
3423	nla_nest_end(msg, rate);
3424	return true;
3425}
3426
3427static int nl80211_send_station(struct sk_buff *msg, u32 portid, u32 seq,
3428				int flags,
3429				struct cfg80211_registered_device *rdev,
3430				struct net_device *dev,
3431				const u8 *mac_addr, struct station_info *sinfo)
3432{
3433	void *hdr;
3434	struct nlattr *sinfoattr, *bss_param;
3435
3436	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_STATION);
3437	if (!hdr)
3438		return -1;
3439
3440	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3441	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
3442	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
3443		goto nla_put_failure;
3444
3445	sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
3446	if (!sinfoattr)
3447		goto nla_put_failure;
3448	if ((sinfo->filled & STATION_INFO_CONNECTED_TIME) &&
3449	    nla_put_u32(msg, NL80211_STA_INFO_CONNECTED_TIME,
3450			sinfo->connected_time))
3451		goto nla_put_failure;
3452	if ((sinfo->filled & STATION_INFO_INACTIVE_TIME) &&
3453	    nla_put_u32(msg, NL80211_STA_INFO_INACTIVE_TIME,
3454			sinfo->inactive_time))
3455		goto nla_put_failure;
3456	if ((sinfo->filled & (STATION_INFO_RX_BYTES |
3457			      STATION_INFO_RX_BYTES64)) &&
3458	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
3459			(u32)sinfo->rx_bytes))
3460		goto nla_put_failure;
3461	if ((sinfo->filled & (STATION_INFO_TX_BYTES |
3462			      STATION_INFO_TX_BYTES64)) &&
3463	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
3464			(u32)sinfo->tx_bytes))
3465		goto nla_put_failure;
3466	if ((sinfo->filled & STATION_INFO_RX_BYTES64) &&
3467	    nla_put_u64(msg, NL80211_STA_INFO_RX_BYTES64,
3468			sinfo->rx_bytes))
3469		goto nla_put_failure;
3470	if ((sinfo->filled & STATION_INFO_TX_BYTES64) &&
3471	    nla_put_u64(msg, NL80211_STA_INFO_TX_BYTES64,
3472			sinfo->tx_bytes))
3473		goto nla_put_failure;
3474	if ((sinfo->filled & STATION_INFO_LLID) &&
3475	    nla_put_u16(msg, NL80211_STA_INFO_LLID, sinfo->llid))
3476		goto nla_put_failure;
3477	if ((sinfo->filled & STATION_INFO_PLID) &&
3478	    nla_put_u16(msg, NL80211_STA_INFO_PLID, sinfo->plid))
3479		goto nla_put_failure;
3480	if ((sinfo->filled & STATION_INFO_PLINK_STATE) &&
3481	    nla_put_u8(msg, NL80211_STA_INFO_PLINK_STATE,
3482		       sinfo->plink_state))
3483		goto nla_put_failure;
3484	switch (rdev->wiphy.signal_type) {
3485	case CFG80211_SIGNAL_TYPE_MBM:
3486		if ((sinfo->filled & STATION_INFO_SIGNAL) &&
3487		    nla_put_u8(msg, NL80211_STA_INFO_SIGNAL,
3488			       sinfo->signal))
3489			goto nla_put_failure;
3490		if ((sinfo->filled & STATION_INFO_SIGNAL_AVG) &&
3491		    nla_put_u8(msg, NL80211_STA_INFO_SIGNAL_AVG,
3492			       sinfo->signal_avg))
3493			goto nla_put_failure;
3494		break;
3495	default:
3496		break;
3497	}
3498	if (sinfo->filled & STATION_INFO_TX_BITRATE) {
3499		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
3500					  NL80211_STA_INFO_TX_BITRATE))
3501			goto nla_put_failure;
3502	}
3503	if (sinfo->filled & STATION_INFO_RX_BITRATE) {
3504		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
3505					  NL80211_STA_INFO_RX_BITRATE))
3506			goto nla_put_failure;
3507	}
3508	if ((sinfo->filled & STATION_INFO_RX_PACKETS) &&
3509	    nla_put_u32(msg, NL80211_STA_INFO_RX_PACKETS,
3510			sinfo->rx_packets))
3511		goto nla_put_failure;
3512	if ((sinfo->filled & STATION_INFO_TX_PACKETS) &&
3513	    nla_put_u32(msg, NL80211_STA_INFO_TX_PACKETS,
3514			sinfo->tx_packets))
3515		goto nla_put_failure;
3516	if ((sinfo->filled & STATION_INFO_TX_RETRIES) &&
3517	    nla_put_u32(msg, NL80211_STA_INFO_TX_RETRIES,
3518			sinfo->tx_retries))
3519		goto nla_put_failure;
3520	if ((sinfo->filled & STATION_INFO_TX_FAILED) &&
3521	    nla_put_u32(msg, NL80211_STA_INFO_TX_FAILED,
3522			sinfo->tx_failed))
3523		goto nla_put_failure;
3524	if ((sinfo->filled & STATION_INFO_BEACON_LOSS_COUNT) &&
3525	    nla_put_u32(msg, NL80211_STA_INFO_BEACON_LOSS,
3526			sinfo->beacon_loss_count))
3527		goto nla_put_failure;
3528	if ((sinfo->filled & STATION_INFO_LOCAL_PM) &&
3529	    nla_put_u32(msg, NL80211_STA_INFO_LOCAL_PM,
3530			sinfo->local_pm))
3531		goto nla_put_failure;
3532	if ((sinfo->filled & STATION_INFO_PEER_PM) &&
3533	    nla_put_u32(msg, NL80211_STA_INFO_PEER_PM,
3534			sinfo->peer_pm))
3535		goto nla_put_failure;
3536	if ((sinfo->filled & STATION_INFO_NONPEER_PM) &&
3537	    nla_put_u32(msg, NL80211_STA_INFO_NONPEER_PM,
3538			sinfo->nonpeer_pm))
3539		goto nla_put_failure;
3540	if (sinfo->filled & STATION_INFO_BSS_PARAM) {
3541		bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
3542		if (!bss_param)
3543			goto nla_put_failure;
3544
3545		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
3546		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
3547		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
3548		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
3549		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
3550		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
3551		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
3552			       sinfo->bss_param.dtim_period) ||
3553		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
3554				sinfo->bss_param.beacon_interval))
3555			goto nla_put_failure;
3556
3557		nla_nest_end(msg, bss_param);
3558	}
3559	if ((sinfo->filled & STATION_INFO_STA_FLAGS) &&
3560	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
3561		    sizeof(struct nl80211_sta_flag_update),
3562		    &sinfo->sta_flags))
3563		goto nla_put_failure;
3564	if ((sinfo->filled & STATION_INFO_T_OFFSET) &&
3565		nla_put_u64(msg, NL80211_STA_INFO_T_OFFSET,
3566			    sinfo->t_offset))
3567		goto nla_put_failure;
3568	nla_nest_end(msg, sinfoattr);
3569
3570	if ((sinfo->filled & STATION_INFO_ASSOC_REQ_IES) &&
3571	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
3572		    sinfo->assoc_req_ies))
3573		goto nla_put_failure;
3574
3575	return genlmsg_end(msg, hdr);
3576
3577 nla_put_failure:
3578	genlmsg_cancel(msg, hdr);
3579	return -EMSGSIZE;
3580}
3581
3582static int nl80211_dump_station(struct sk_buff *skb,
3583				struct netlink_callback *cb)
3584{
3585	struct station_info sinfo;
3586	struct cfg80211_registered_device *dev;
3587	struct wireless_dev *wdev;
3588	u8 mac_addr[ETH_ALEN];
3589	int sta_idx = cb->args[2];
3590	int err;
3591
3592	err = nl80211_prepare_wdev_dump(skb, cb, &dev, &wdev);
3593	if (err)
3594		return err;
3595
3596	if (!wdev->netdev) {
3597		err = -EINVAL;
3598		goto out_err;
3599	}
3600
3601	if (!dev->ops->dump_station) {
3602		err = -EOPNOTSUPP;
3603		goto out_err;
3604	}
3605
3606	while (1) {
3607		memset(&sinfo, 0, sizeof(sinfo));
3608		err = rdev_dump_station(dev, wdev->netdev, sta_idx,
3609					mac_addr, &sinfo);
3610		if (err == -ENOENT)
3611			break;
3612		if (err)
3613			goto out_err;
3614
3615		if (nl80211_send_station(skb,
3616				NETLINK_CB(cb->skb).portid,
3617				cb->nlh->nlmsg_seq, NLM_F_MULTI,
3618				dev, wdev->netdev, mac_addr,
3619				&sinfo) < 0)
3620			goto out;
3621
3622		sta_idx++;
3623	}
3624
3625
3626 out:
3627	cb->args[2] = sta_idx;
3628	err = skb->len;
3629 out_err:
3630	nl80211_finish_wdev_dump(dev);
3631
3632	return err;
3633}
3634
3635static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
3636{
3637	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3638	struct net_device *dev = info->user_ptr[1];
3639	struct station_info sinfo;
3640	struct sk_buff *msg;
3641	u8 *mac_addr = NULL;
3642	int err;
3643
3644	memset(&sinfo, 0, sizeof(sinfo));
3645
3646	if (!info->attrs[NL80211_ATTR_MAC])
3647		return -EINVAL;
3648
3649	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3650
3651	if (!rdev->ops->get_station)
3652		return -EOPNOTSUPP;
3653
3654	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
3655	if (err)
3656		return err;
3657
3658	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3659	if (!msg)
3660		return -ENOMEM;
3661
3662	if (nl80211_send_station(msg, info->snd_portid, info->snd_seq, 0,
3663				 rdev, dev, mac_addr, &sinfo) < 0) {
3664		nlmsg_free(msg);
3665		return -ENOBUFS;
3666	}
3667
3668	return genlmsg_reply(msg, info);
3669}
3670
3671int cfg80211_check_station_change(struct wiphy *wiphy,
3672				  struct station_parameters *params,
3673				  enum cfg80211_station_type statype)
3674{
3675	if (params->listen_interval != -1)
3676		return -EINVAL;
3677	if (params->aid)
3678		return -EINVAL;
3679
3680	/* When you run into this, adjust the code below for the new flag */
3681	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
3682
3683	switch (statype) {
3684	case CFG80211_STA_MESH_PEER_KERNEL:
3685	case CFG80211_STA_MESH_PEER_USER:
3686		/*
3687		 * No ignoring the TDLS flag here -- the userspace mesh
3688		 * code doesn't have the bug of including TDLS in the
3689		 * mask everywhere.
3690		 */
3691		if (params->sta_flags_mask &
3692				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3693				  BIT(NL80211_STA_FLAG_MFP) |
3694				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
3695			return -EINVAL;
3696		break;
3697	case CFG80211_STA_TDLS_PEER_SETUP:
3698	case CFG80211_STA_TDLS_PEER_ACTIVE:
3699		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
3700			return -EINVAL;
3701		/* ignore since it can't change */
3702		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3703		break;
3704	default:
3705		/* disallow mesh-specific things */
3706		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
3707			return -EINVAL;
3708		if (params->local_pm)
3709			return -EINVAL;
3710		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
3711			return -EINVAL;
3712	}
3713
3714	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
3715	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
3716		/* TDLS can't be set, ... */
3717		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3718			return -EINVAL;
3719		/*
3720		 * ... but don't bother the driver with it. This works around
3721		 * a hostapd/wpa_supplicant issue -- it always includes the
3722		 * TLDS_PEER flag in the mask even for AP mode.
3723		 */
3724		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3725	}
3726
3727	if (statype != CFG80211_STA_TDLS_PEER_SETUP) {
3728		/* reject other things that can't change */
3729		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
3730			return -EINVAL;
3731		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
3732			return -EINVAL;
3733		if (params->supported_rates)
3734			return -EINVAL;
3735		if (params->ext_capab || params->ht_capa || params->vht_capa)
3736			return -EINVAL;
3737	}
3738
3739	if (statype != CFG80211_STA_AP_CLIENT) {
3740		if (params->vlan)
3741			return -EINVAL;
3742	}
3743
3744	switch (statype) {
3745	case CFG80211_STA_AP_MLME_CLIENT:
3746		/* Use this only for authorizing/unauthorizing a station */
3747		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
3748			return -EOPNOTSUPP;
3749		break;
3750	case CFG80211_STA_AP_CLIENT:
3751		/* accept only the listed bits */
3752		if (params->sta_flags_mask &
3753				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
3754				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3755				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
3756				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
3757				  BIT(NL80211_STA_FLAG_WME) |
3758				  BIT(NL80211_STA_FLAG_MFP)))
3759			return -EINVAL;
3760
3761		/* but authenticated/associated only if driver handles it */
3762		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
3763		    params->sta_flags_mask &
3764				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3765				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
3766			return -EINVAL;
3767		break;
3768	case CFG80211_STA_IBSS:
3769	case CFG80211_STA_AP_STA:
3770		/* reject any changes other than AUTHORIZED */
3771		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
3772			return -EINVAL;
3773		break;
3774	case CFG80211_STA_TDLS_PEER_SETUP:
3775		/* reject any changes other than AUTHORIZED or WME */
3776		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
3777					       BIT(NL80211_STA_FLAG_WME)))
3778			return -EINVAL;
3779		/* force (at least) rates when authorizing */
3780		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
3781		    !params->supported_rates)
3782			return -EINVAL;
3783		break;
3784	case CFG80211_STA_TDLS_PEER_ACTIVE:
3785		/* reject any changes */
3786		return -EINVAL;
3787	case CFG80211_STA_MESH_PEER_KERNEL:
3788		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
3789			return -EINVAL;
3790		break;
3791	case CFG80211_STA_MESH_PEER_USER:
3792		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
3793			return -EINVAL;
3794		break;
3795	}
3796
3797	return 0;
3798}
3799EXPORT_SYMBOL(cfg80211_check_station_change);
3800
3801/*
3802 * Get vlan interface making sure it is running and on the right wiphy.
3803 */
3804static struct net_device *get_vlan(struct genl_info *info,
3805				   struct cfg80211_registered_device *rdev)
3806{
3807	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
3808	struct net_device *v;
3809	int ret;
3810
3811	if (!vlanattr)
3812		return NULL;
3813
3814	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
3815	if (!v)
3816		return ERR_PTR(-ENODEV);
3817
3818	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
3819		ret = -EINVAL;
3820		goto error;
3821	}
3822
3823	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
3824	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3825	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3826		ret = -EINVAL;
3827		goto error;
3828	}
3829
3830	if (!netif_running(v)) {
3831		ret = -ENETDOWN;
3832		goto error;
3833	}
3834
3835	return v;
3836 error:
3837	dev_put(v);
3838	return ERR_PTR(ret);
3839}
3840
3841static struct nla_policy
3842nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] __read_mostly = {
3843	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
3844	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
3845};
3846
3847static int nl80211_parse_sta_wme(struct genl_info *info,
3848				 struct station_parameters *params)
3849{
3850	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
3851	struct nlattr *nla;
3852	int err;
3853
3854	/* parse WME attributes if present */
3855	if (!info->attrs[NL80211_ATTR_STA_WME])
3856		return 0;
3857
3858	nla = info->attrs[NL80211_ATTR_STA_WME];
3859	err = nla_parse_nested(tb, NL80211_STA_WME_MAX, nla,
3860			       nl80211_sta_wme_policy);
3861	if (err)
3862		return err;
3863
3864	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
3865		params->uapsd_queues = nla_get_u8(
3866			tb[NL80211_STA_WME_UAPSD_QUEUES]);
3867	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
3868		return -EINVAL;
3869
3870	if (tb[NL80211_STA_WME_MAX_SP])
3871		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
3872
3873	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
3874		return -EINVAL;
3875
3876	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
3877
3878	return 0;
3879}
3880
3881static int nl80211_set_station_tdls(struct genl_info *info,
3882				    struct station_parameters *params)
3883{
3884	/* Dummy STA entry gets updated once the peer capabilities are known */
3885	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
3886		params->ht_capa =
3887			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
3888	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
3889		params->vht_capa =
3890			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
3891
3892	return nl80211_parse_sta_wme(info, params);
3893}
3894
3895static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
3896{
3897	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3898	struct net_device *dev = info->user_ptr[1];
3899	struct station_parameters params;
3900	u8 *mac_addr;
3901	int err;
3902
3903	memset(&params, 0, sizeof(params));
3904
3905	params.listen_interval = -1;
3906
3907	if (!rdev->ops->change_station)
3908		return -EOPNOTSUPP;
3909
3910	if (info->attrs[NL80211_ATTR_STA_AID])
3911		return -EINVAL;
3912
3913	if (!info->attrs[NL80211_ATTR_MAC])
3914		return -EINVAL;
3915
3916	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3917
3918	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
3919		params.supported_rates =
3920			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3921		params.supported_rates_len =
3922			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3923	}
3924
3925	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
3926		params.capability =
3927			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
3928		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
3929	}
3930
3931	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
3932		params.ext_capab =
3933			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
3934		params.ext_capab_len =
3935			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
3936	}
3937
3938	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
3939		return -EINVAL;
3940
3941	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
3942		return -EINVAL;
3943
3944	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
3945		params.plink_action =
3946			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
3947		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
3948			return -EINVAL;
3949	}
3950
3951	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
3952		params.plink_state =
3953			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
3954		if (params.plink_state >= NUM_NL80211_PLINK_STATES)
3955			return -EINVAL;
3956		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
3957	}
3958
3959	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]) {
3960		enum nl80211_mesh_power_mode pm = nla_get_u32(
3961			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
3962
3963		if (pm <= NL80211_MESH_POWER_UNKNOWN ||
3964		    pm > NL80211_MESH_POWER_MAX)
3965			return -EINVAL;
3966
3967		params.local_pm = pm;
3968	}
3969
3970	/* Include parameters for TDLS peer (will check later) */
3971	err = nl80211_set_station_tdls(info, &params);
3972	if (err)
3973		return err;
3974
3975	params.vlan = get_vlan(info, rdev);
3976	if (IS_ERR(params.vlan))
3977		return PTR_ERR(params.vlan);
3978
3979	switch (dev->ieee80211_ptr->iftype) {
3980	case NL80211_IFTYPE_AP:
3981	case NL80211_IFTYPE_AP_VLAN:
3982	case NL80211_IFTYPE_P2P_GO:
3983	case NL80211_IFTYPE_P2P_CLIENT:
3984	case NL80211_IFTYPE_STATION:
3985	case NL80211_IFTYPE_ADHOC:
3986	case NL80211_IFTYPE_MESH_POINT:
3987		break;
3988	default:
3989		err = -EOPNOTSUPP;
3990		goto out_put_vlan;
3991	}
3992
3993	/* driver will call cfg80211_check_station_change() */
3994	err = rdev_change_station(rdev, dev, mac_addr, &params);
3995
3996 out_put_vlan:
3997	if (params.vlan)
3998		dev_put(params.vlan);
3999
4000	return err;
4001}
4002
4003static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
4004{
4005	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4006	int err;
4007	struct net_device *dev = info->user_ptr[1];
4008	struct station_parameters params;
4009	u8 *mac_addr = NULL;
4010
4011	memset(&params, 0, sizeof(params));
4012
4013	if (!rdev->ops->add_station)
4014		return -EOPNOTSUPP;
4015
4016	if (!info->attrs[NL80211_ATTR_MAC])
4017		return -EINVAL;
4018
4019	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
4020		return -EINVAL;
4021
4022	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
4023		return -EINVAL;
4024
4025	if (!info->attrs[NL80211_ATTR_STA_AID])
4026		return -EINVAL;
4027
4028	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4029	params.supported_rates =
4030		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4031	params.supported_rates_len =
4032		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4033	params.listen_interval =
4034		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
4035
4036	params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
4037	if (!params.aid || params.aid > IEEE80211_MAX_AID)
4038		return -EINVAL;
4039
4040	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
4041		params.capability =
4042			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
4043		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
4044	}
4045
4046	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
4047		params.ext_capab =
4048			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4049		params.ext_capab_len =
4050			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4051	}
4052
4053	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
4054		params.ht_capa =
4055			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
4056
4057	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
4058		params.vht_capa =
4059			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
4060
4061	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
4062		params.plink_action =
4063			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
4064		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
4065			return -EINVAL;
4066	}
4067
4068	err = nl80211_parse_sta_wme(info, &params);
4069	if (err)
4070		return err;
4071
4072	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
4073		return -EINVAL;
4074
4075	/* When you run into this, adjust the code below for the new flag */
4076	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
4077
4078	switch (dev->ieee80211_ptr->iftype) {
4079	case NL80211_IFTYPE_AP:
4080	case NL80211_IFTYPE_AP_VLAN:
4081	case NL80211_IFTYPE_P2P_GO:
4082		/* ignore WME attributes if iface/sta is not capable */
4083		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
4084		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
4085			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4086
4087		/* TDLS peers cannot be added */
4088		if (params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
4089			return -EINVAL;
4090		/* but don't bother the driver with it */
4091		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
4092
4093		/* allow authenticated/associated only if driver handles it */
4094		if (!(rdev->wiphy.features &
4095				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
4096		    params.sta_flags_mask &
4097				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4098				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
4099			return -EINVAL;
4100
4101		/* must be last in here for error handling */
4102		params.vlan = get_vlan(info, rdev);
4103		if (IS_ERR(params.vlan))
4104			return PTR_ERR(params.vlan);
4105		break;
4106	case NL80211_IFTYPE_MESH_POINT:
4107		/* ignore uAPSD data */
4108		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4109
4110		/* associated is disallowed */
4111		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
4112			return -EINVAL;
4113		/* TDLS peers cannot be added */
4114		if (params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
4115			return -EINVAL;
4116		break;
4117	case NL80211_IFTYPE_STATION:
4118	case NL80211_IFTYPE_P2P_CLIENT:
4119		/* ignore uAPSD data */
4120		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4121
4122		/* these are disallowed */
4123		if (params.sta_flags_mask &
4124				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
4125				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
4126			return -EINVAL;
4127		/* Only TDLS peers can be added */
4128		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
4129			return -EINVAL;
4130		/* Can only add if TDLS ... */
4131		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
4132			return -EOPNOTSUPP;
4133		/* ... with external setup is supported */
4134		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
4135			return -EOPNOTSUPP;
4136		/*
4137		 * Older wpa_supplicant versions always mark the TDLS peer
4138		 * as authorized, but it shouldn't yet be.
4139		 */
4140		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
4141		break;
4142	default:
4143		return -EOPNOTSUPP;
4144	}
4145
4146	/* be aware of params.vlan when changing code here */
4147
4148	err = rdev_add_station(rdev, dev, mac_addr, &params);
4149
4150	if (params.vlan)
4151		dev_put(params.vlan);
4152	return err;
4153}
4154
4155static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
4156{
4157	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4158	struct net_device *dev = info->user_ptr[1];
4159	u8 *mac_addr = NULL;
4160
4161	if (info->attrs[NL80211_ATTR_MAC])
4162		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4163
4164	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4165	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
4166	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
4167	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4168		return -EINVAL;
4169
4170	if (!rdev->ops->del_station)
4171		return -EOPNOTSUPP;
4172
4173	return rdev_del_station(rdev, dev, mac_addr);
4174}
4175
4176static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
4177				int flags, struct net_device *dev,
4178				u8 *dst, u8 *next_hop,
4179				struct mpath_info *pinfo)
4180{
4181	void *hdr;
4182	struct nlattr *pinfoattr;
4183
4184	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_STATION);
4185	if (!hdr)
4186		return -1;
4187
4188	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4189	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
4190	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
4191	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
4192		goto nla_put_failure;
4193
4194	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MPATH_INFO);
4195	if (!pinfoattr)
4196		goto nla_put_failure;
4197	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
4198	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
4199			pinfo->frame_qlen))
4200		goto nla_put_failure;
4201	if (((pinfo->filled & MPATH_INFO_SN) &&
4202	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
4203	    ((pinfo->filled & MPATH_INFO_METRIC) &&
4204	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
4205			 pinfo->metric)) ||
4206	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
4207	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
4208			 pinfo->exptime)) ||
4209	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
4210	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
4211			pinfo->flags)) ||
4212	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
4213	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
4214			 pinfo->discovery_timeout)) ||
4215	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
4216	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
4217			pinfo->discovery_retries)))
4218		goto nla_put_failure;
4219
4220	nla_nest_end(msg, pinfoattr);
4221
4222	return genlmsg_end(msg, hdr);
4223
4224 nla_put_failure:
4225	genlmsg_cancel(msg, hdr);
4226	return -EMSGSIZE;
4227}
4228
4229static int nl80211_dump_mpath(struct sk_buff *skb,
4230			      struct netlink_callback *cb)
4231{
4232	struct mpath_info pinfo;
4233	struct cfg80211_registered_device *dev;
4234	struct wireless_dev *wdev;
4235	u8 dst[ETH_ALEN];
4236	u8 next_hop[ETH_ALEN];
4237	int path_idx = cb->args[2];
4238	int err;
4239
4240	err = nl80211_prepare_wdev_dump(skb, cb, &dev, &wdev);
4241	if (err)
4242		return err;
4243
4244	if (!dev->ops->dump_mpath) {
4245		err = -EOPNOTSUPP;
4246		goto out_err;
4247	}
4248
4249	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
4250		err = -EOPNOTSUPP;
4251		goto out_err;
4252	}
4253
4254	while (1) {
4255		err = rdev_dump_mpath(dev, wdev->netdev, path_idx, dst,
4256				      next_hop, &pinfo);
4257		if (err == -ENOENT)
4258			break;
4259		if (err)
4260			goto out_err;
4261
4262		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
4263				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4264				       wdev->netdev, dst, next_hop,
4265				       &pinfo) < 0)
4266			goto out;
4267
4268		path_idx++;
4269	}
4270
4271
4272 out:
4273	cb->args[2] = path_idx;
4274	err = skb->len;
4275 out_err:
4276	nl80211_finish_wdev_dump(dev);
4277	return err;
4278}
4279
4280static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
4281{
4282	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4283	int err;
4284	struct net_device *dev = info->user_ptr[1];
4285	struct mpath_info pinfo;
4286	struct sk_buff *msg;
4287	u8 *dst = NULL;
4288	u8 next_hop[ETH_ALEN];
4289
4290	memset(&pinfo, 0, sizeof(pinfo));
4291
4292	if (!info->attrs[NL80211_ATTR_MAC])
4293		return -EINVAL;
4294
4295	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4296
4297	if (!rdev->ops->get_mpath)
4298		return -EOPNOTSUPP;
4299
4300	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4301		return -EOPNOTSUPP;
4302
4303	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
4304	if (err)
4305		return err;
4306
4307	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4308	if (!msg)
4309		return -ENOMEM;
4310
4311	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
4312				 dev, dst, next_hop, &pinfo) < 0) {
4313		nlmsg_free(msg);
4314		return -ENOBUFS;
4315	}
4316
4317	return genlmsg_reply(msg, info);
4318}
4319
4320static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
4321{
4322	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4323	struct net_device *dev = info->user_ptr[1];
4324	u8 *dst = NULL;
4325	u8 *next_hop = NULL;
4326
4327	if (!info->attrs[NL80211_ATTR_MAC])
4328		return -EINVAL;
4329
4330	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
4331		return -EINVAL;
4332
4333	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4334	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
4335
4336	if (!rdev->ops->change_mpath)
4337		return -EOPNOTSUPP;
4338
4339	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4340		return -EOPNOTSUPP;
4341
4342	return rdev_change_mpath(rdev, dev, dst, next_hop);
4343}
4344
4345static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
4346{
4347	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4348	struct net_device *dev = info->user_ptr[1];
4349	u8 *dst = NULL;
4350	u8 *next_hop = NULL;
4351
4352	if (!info->attrs[NL80211_ATTR_MAC])
4353		return -EINVAL;
4354
4355	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
4356		return -EINVAL;
4357
4358	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4359	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
4360
4361	if (!rdev->ops->add_mpath)
4362		return -EOPNOTSUPP;
4363
4364	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4365		return -EOPNOTSUPP;
4366
4367	return rdev_add_mpath(rdev, dev, dst, next_hop);
4368}
4369
4370static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
4371{
4372	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4373	struct net_device *dev = info->user_ptr[1];
4374	u8 *dst = NULL;
4375
4376	if (info->attrs[NL80211_ATTR_MAC])
4377		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4378
4379	if (!rdev->ops->del_mpath)
4380		return -EOPNOTSUPP;
4381
4382	return rdev_del_mpath(rdev, dev, dst);
4383}
4384
4385static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
4386{
4387	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4388	struct net_device *dev = info->user_ptr[1];
4389	struct bss_parameters params;
4390
4391	memset(&params, 0, sizeof(params));
4392	/* default to not changing parameters */
4393	params.use_cts_prot = -1;
4394	params.use_short_preamble = -1;
4395	params.use_short_slot_time = -1;
4396	params.ap_isolate = -1;
4397	params.ht_opmode = -1;
4398	params.p2p_ctwindow = -1;
4399	params.p2p_opp_ps = -1;
4400
4401	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
4402		params.use_cts_prot =
4403		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
4404	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
4405		params.use_short_preamble =
4406		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
4407	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
4408		params.use_short_slot_time =
4409		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
4410	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
4411		params.basic_rates =
4412			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
4413		params.basic_rates_len =
4414			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
4415	}
4416	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
4417		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
4418	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
4419		params.ht_opmode =
4420			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
4421
4422	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
4423		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4424			return -EINVAL;
4425		params.p2p_ctwindow =
4426			nla_get_s8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
4427		if (params.p2p_ctwindow < 0)
4428			return -EINVAL;
4429		if (params.p2p_ctwindow != 0 &&
4430		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
4431			return -EINVAL;
4432	}
4433
4434	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
4435		u8 tmp;
4436
4437		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4438			return -EINVAL;
4439		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
4440		if (tmp > 1)
4441			return -EINVAL;
4442		params.p2p_opp_ps = tmp;
4443		if (params.p2p_opp_ps &&
4444		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
4445			return -EINVAL;
4446	}
4447
4448	if (!rdev->ops->change_bss)
4449		return -EOPNOTSUPP;
4450
4451	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4452	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4453		return -EOPNOTSUPP;
4454
4455	return rdev_change_bss(rdev, dev, &params);
4456}
4457
4458static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
4459	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
4460	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
4461	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
4462	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
4463	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
4464	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
4465};
4466
4467static int parse_reg_rule(struct nlattr *tb[],
4468	struct ieee80211_reg_rule *reg_rule)
4469{
4470	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
4471	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
4472
4473	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
4474		return -EINVAL;
4475	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
4476		return -EINVAL;
4477	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
4478		return -EINVAL;
4479	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
4480		return -EINVAL;
4481	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
4482		return -EINVAL;
4483
4484	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
4485
4486	freq_range->start_freq_khz =
4487		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
4488	freq_range->end_freq_khz =
4489		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
4490	freq_range->max_bandwidth_khz =
4491		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
4492
4493	power_rule->max_eirp =
4494		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
4495
4496	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
4497		power_rule->max_antenna_gain =
4498			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
4499
4500	return 0;
4501}
4502
4503static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
4504{
4505	int r;
4506	char *data = NULL;
4507	enum nl80211_user_reg_hint_type user_reg_hint_type;
4508
4509	/*
4510	 * You should only get this when cfg80211 hasn't yet initialized
4511	 * completely when built-in to the kernel right between the time
4512	 * window between nl80211_init() and regulatory_init(), if that is
4513	 * even possible.
4514	 */
4515	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
4516		return -EINPROGRESS;
4517
4518	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
4519		return -EINVAL;
4520
4521	data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
4522
4523	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
4524		user_reg_hint_type =
4525		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
4526	else
4527		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
4528
4529	switch (user_reg_hint_type) {
4530	case NL80211_USER_REG_HINT_USER:
4531	case NL80211_USER_REG_HINT_CELL_BASE:
4532		break;
4533	default:
4534		return -EINVAL;
4535	}
4536
4537	r = regulatory_hint_user(data, user_reg_hint_type);
4538
4539	return r;
4540}
4541
4542static int nl80211_get_mesh_config(struct sk_buff *skb,
4543				   struct genl_info *info)
4544{
4545	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4546	struct net_device *dev = info->user_ptr[1];
4547	struct wireless_dev *wdev = dev->ieee80211_ptr;
4548	struct mesh_config cur_params;
4549	int err = 0;
4550	void *hdr;
4551	struct nlattr *pinfoattr;
4552	struct sk_buff *msg;
4553
4554	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
4555		return -EOPNOTSUPP;
4556
4557	if (!rdev->ops->get_mesh_config)
4558		return -EOPNOTSUPP;
4559
4560	wdev_lock(wdev);
4561	/* If not connected, get default parameters */
4562	if (!wdev->mesh_id_len)
4563		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
4564	else
4565		err = rdev_get_mesh_config(rdev, dev, &cur_params);
4566	wdev_unlock(wdev);
4567
4568	if (err)
4569		return err;
4570
4571	/* Draw up a netlink message to send back */
4572	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4573	if (!msg)
4574		return -ENOMEM;
4575	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4576			     NL80211_CMD_GET_MESH_CONFIG);
4577	if (!hdr)
4578		goto out;
4579	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MESH_CONFIG);
4580	if (!pinfoattr)
4581		goto nla_put_failure;
4582	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4583	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
4584			cur_params.dot11MeshRetryTimeout) ||
4585	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
4586			cur_params.dot11MeshConfirmTimeout) ||
4587	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
4588			cur_params.dot11MeshHoldingTimeout) ||
4589	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
4590			cur_params.dot11MeshMaxPeerLinks) ||
4591	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
4592		       cur_params.dot11MeshMaxRetries) ||
4593	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
4594		       cur_params.dot11MeshTTL) ||
4595	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
4596		       cur_params.element_ttl) ||
4597	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
4598		       cur_params.auto_open_plinks) ||
4599	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
4600			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
4601	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
4602		       cur_params.dot11MeshHWMPmaxPREQretries) ||
4603	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
4604			cur_params.path_refresh_time) ||
4605	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
4606			cur_params.min_discovery_timeout) ||
4607	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
4608			cur_params.dot11MeshHWMPactivePathTimeout) ||
4609	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
4610			cur_params.dot11MeshHWMPpreqMinInterval) ||
4611	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
4612			cur_params.dot11MeshHWMPperrMinInterval) ||
4613	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
4614			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
4615	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
4616		       cur_params.dot11MeshHWMPRootMode) ||
4617	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
4618			cur_params.dot11MeshHWMPRannInterval) ||
4619	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
4620		       cur_params.dot11MeshGateAnnouncementProtocol) ||
4621	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
4622		       cur_params.dot11MeshForwarding) ||
4623	    nla_put_u32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
4624			cur_params.rssi_threshold) ||
4625	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
4626			cur_params.ht_opmode) ||
4627	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
4628			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
4629	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
4630			cur_params.dot11MeshHWMProotInterval) ||
4631	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
4632			cur_params.dot11MeshHWMPconfirmationInterval) ||
4633	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
4634			cur_params.power_mode) ||
4635	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
4636			cur_params.dot11MeshAwakeWindowDuration))
4637		goto nla_put_failure;
4638	nla_nest_end(msg, pinfoattr);
4639	genlmsg_end(msg, hdr);
4640	return genlmsg_reply(msg, info);
4641
4642 nla_put_failure:
4643	genlmsg_cancel(msg, hdr);
4644 out:
4645	nlmsg_free(msg);
4646	return -ENOBUFS;
4647}
4648
4649static const struct nla_policy nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
4650	[NL80211_MESHCONF_RETRY_TIMEOUT] = { .type = NLA_U16 },
4651	[NL80211_MESHCONF_CONFIRM_TIMEOUT] = { .type = NLA_U16 },
4652	[NL80211_MESHCONF_HOLDING_TIMEOUT] = { .type = NLA_U16 },
4653	[NL80211_MESHCONF_MAX_PEER_LINKS] = { .type = NLA_U16 },
4654	[NL80211_MESHCONF_MAX_RETRIES] = { .type = NLA_U8 },
4655	[NL80211_MESHCONF_TTL] = { .type = NLA_U8 },
4656	[NL80211_MESHCONF_ELEMENT_TTL] = { .type = NLA_U8 },
4657	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = { .type = NLA_U8 },
4658	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] = { .type = NLA_U32 },
4659	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
4660	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
4661	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = { .type = NLA_U16 },
4662	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
4663	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] = { .type = NLA_U16 },
4664	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] = { .type = NLA_U16 },
4665	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] = { .type = NLA_U16 },
4666	[NL80211_MESHCONF_HWMP_ROOTMODE] = { .type = NLA_U8 },
4667	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] = { .type = NLA_U16 },
4668	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = { .type = NLA_U8 },
4669	[NL80211_MESHCONF_FORWARDING] = { .type = NLA_U8 },
4670	[NL80211_MESHCONF_RSSI_THRESHOLD] = { .type = NLA_U32 },
4671	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
4672	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
4673	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] = { .type = NLA_U16 },
4674	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] = { .type = NLA_U16 },
4675	[NL80211_MESHCONF_POWER_MODE] = { .type = NLA_U32 },
4676	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
4677};
4678
4679static const struct nla_policy
4680	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
4681	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
4682	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
4683	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
4684	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
4685	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
4686	[NL80211_MESH_SETUP_IE] = { .type = NLA_BINARY,
4687				    .len = IEEE80211_MAX_DATA_LEN },
4688	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
4689};
4690
4691static int nl80211_parse_mesh_config(struct genl_info *info,
4692				     struct mesh_config *cfg,
4693				     u32 *mask_out)
4694{
4695	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
4696	u32 mask = 0;
4697
4698#define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, min, max, mask, attr, fn) \
4699do {									    \
4700	if (tb[attr]) {							    \
4701		if (fn(tb[attr]) < min || fn(tb[attr]) > max)		    \
4702			return -EINVAL;					    \
4703		cfg->param = fn(tb[attr]);				    \
4704		mask |= (1 << (attr - 1));				    \
4705	}								    \
4706} while (0)
4707
4708
4709	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
4710		return -EINVAL;
4711	if (nla_parse_nested(tb, NL80211_MESHCONF_ATTR_MAX,
4712			     info->attrs[NL80211_ATTR_MESH_CONFIG],
4713			     nl80211_meshconf_params_policy))
4714		return -EINVAL;
4715
4716	/* This makes sure that there aren't more than 32 mesh config
4717	 * parameters (otherwise our bitfield scheme would not work.) */
4718	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
4719
4720	/* Fill in the params struct */
4721	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, 1, 255,
4722				  mask, NL80211_MESHCONF_RETRY_TIMEOUT,
4723				  nla_get_u16);
4724	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, 1, 255,
4725				  mask, NL80211_MESHCONF_CONFIRM_TIMEOUT,
4726				  nla_get_u16);
4727	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, 1, 255,
4728				  mask, NL80211_MESHCONF_HOLDING_TIMEOUT,
4729				  nla_get_u16);
4730	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, 0, 255,
4731				  mask, NL80211_MESHCONF_MAX_PEER_LINKS,
4732				  nla_get_u16);
4733	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, 0, 16,
4734				  mask, NL80211_MESHCONF_MAX_RETRIES,
4735				  nla_get_u8);
4736	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, 1, 255,
4737				  mask, NL80211_MESHCONF_TTL, nla_get_u8);
4738	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, 1, 255,
4739				  mask, NL80211_MESHCONF_ELEMENT_TTL,
4740				  nla_get_u8);
4741	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, 0, 1,
4742				  mask, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
4743				  nla_get_u8);
4744	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
4745				  1, 255, mask,
4746				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
4747				  nla_get_u32);
4748	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, 0, 255,
4749				  mask, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
4750				  nla_get_u8);
4751	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, 1, 65535,
4752				  mask, NL80211_MESHCONF_PATH_REFRESH_TIME,
4753				  nla_get_u32);
4754	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, 1, 65535,
4755				  mask, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
4756				  nla_get_u16);
4757	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
4758				  1, 65535, mask,
4759				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
4760				  nla_get_u32);
4761	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval,
4762				  1, 65535, mask,
4763				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
4764				  nla_get_u16);
4765	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval,
4766				  1, 65535, mask,
4767				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
4768				  nla_get_u16);
4769	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
4770				  dot11MeshHWMPnetDiameterTraversalTime,
4771				  1, 65535, mask,
4772				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
4773				  nla_get_u16);
4774	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, 0, 4,
4775				  mask, NL80211_MESHCONF_HWMP_ROOTMODE,
4776				  nla_get_u8);
4777	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, 1, 65535,
4778				  mask, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
4779				  nla_get_u16);
4780	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
4781				  dot11MeshGateAnnouncementProtocol, 0, 1,
4782				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
4783				  nla_get_u8);
4784	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, 0, 1,
4785				  mask, NL80211_MESHCONF_FORWARDING,
4786				  nla_get_u8);
4787	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, 1, 255,
4788				  mask, NL80211_MESHCONF_RSSI_THRESHOLD,
4789				  nla_get_u32);
4790	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, ht_opmode, 0, 16,
4791				  mask, NL80211_MESHCONF_HT_OPMODE,
4792				  nla_get_u16);
4793	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathToRootTimeout,
4794				  1, 65535, mask,
4795				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
4796				  nla_get_u32);
4797	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, 1, 65535,
4798				  mask, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
4799				  nla_get_u16);
4800	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
4801				  dot11MeshHWMPconfirmationInterval,
4802				  1, 65535, mask,
4803				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
4804				  nla_get_u16);
4805	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode,
4806				  NL80211_MESH_POWER_ACTIVE,
4807				  NL80211_MESH_POWER_MAX,
4808				  mask, NL80211_MESHCONF_POWER_MODE,
4809				  nla_get_u32);
4810	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration,
4811				  0, 65535, mask,
4812				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
4813	if (mask_out)
4814		*mask_out = mask;
4815
4816	return 0;
4817
4818#undef FILL_IN_MESH_PARAM_IF_SET
4819}
4820
4821static int nl80211_parse_mesh_setup(struct genl_info *info,
4822				     struct mesh_setup *setup)
4823{
4824	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4825	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
4826
4827	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
4828		return -EINVAL;
4829	if (nla_parse_nested(tb, NL80211_MESH_SETUP_ATTR_MAX,
4830			     info->attrs[NL80211_ATTR_MESH_SETUP],
4831			     nl80211_mesh_setup_params_policy))
4832		return -EINVAL;
4833
4834	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
4835		setup->sync_method =
4836		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
4837		 IEEE80211_SYNC_METHOD_VENDOR :
4838		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
4839
4840	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
4841		setup->path_sel_proto =
4842		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
4843		 IEEE80211_PATH_PROTOCOL_VENDOR :
4844		 IEEE80211_PATH_PROTOCOL_HWMP;
4845
4846	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
4847		setup->path_metric =
4848		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
4849		 IEEE80211_PATH_METRIC_VENDOR :
4850		 IEEE80211_PATH_METRIC_AIRTIME;
4851
4852
4853	if (tb[NL80211_MESH_SETUP_IE]) {
4854		struct nlattr *ieattr =
4855			tb[NL80211_MESH_SETUP_IE];
4856		if (!is_valid_ie_attr(ieattr))
4857			return -EINVAL;
4858		setup->ie = nla_data(ieattr);
4859		setup->ie_len = nla_len(ieattr);
4860	}
4861	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
4862	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
4863		return -EINVAL;
4864	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
4865	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
4866	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
4867	if (setup->is_secure)
4868		setup->user_mpm = true;
4869
4870	return 0;
4871}
4872
4873static int nl80211_update_mesh_config(struct sk_buff *skb,
4874				      struct genl_info *info)
4875{
4876	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4877	struct net_device *dev = info->user_ptr[1];
4878	struct wireless_dev *wdev = dev->ieee80211_ptr;
4879	struct mesh_config cfg;
4880	u32 mask;
4881	int err;
4882
4883	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
4884		return -EOPNOTSUPP;
4885
4886	if (!rdev->ops->update_mesh_config)
4887		return -EOPNOTSUPP;
4888
4889	err = nl80211_parse_mesh_config(info, &cfg, &mask);
4890	if (err)
4891		return err;
4892
4893	wdev_lock(wdev);
4894	if (!wdev->mesh_id_len)
4895		err = -ENOLINK;
4896
4897	if (!err)
4898		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
4899
4900	wdev_unlock(wdev);
4901
4902	return err;
4903}
4904
4905static int nl80211_get_reg(struct sk_buff *skb, struct genl_info *info)
4906{
4907	const struct ieee80211_regdomain *regdom;
4908	struct sk_buff *msg;
4909	void *hdr = NULL;
4910	struct nlattr *nl_reg_rules;
4911	unsigned int i;
4912	int err = -EINVAL;
4913
4914	mutex_lock(&cfg80211_mutex);
4915
4916	if (!cfg80211_regdomain)
4917		goto out;
4918
4919	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4920	if (!msg) {
4921		err = -ENOBUFS;
4922		goto out;
4923	}
4924
4925	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4926			     NL80211_CMD_GET_REG);
4927	if (!hdr)
4928		goto put_failure;
4929
4930	if (reg_last_request_cell_base() &&
4931	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
4932			NL80211_USER_REG_HINT_CELL_BASE))
4933		goto nla_put_failure;
4934
4935	rcu_read_lock();
4936	regdom = rcu_dereference(cfg80211_regdomain);
4937
4938	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
4939	    (regdom->dfs_region &&
4940	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
4941		goto nla_put_failure_rcu;
4942
4943	nl_reg_rules = nla_nest_start(msg, NL80211_ATTR_REG_RULES);
4944	if (!nl_reg_rules)
4945		goto nla_put_failure_rcu;
4946
4947	for (i = 0; i < regdom->n_reg_rules; i++) {
4948		struct nlattr *nl_reg_rule;
4949		const struct ieee80211_reg_rule *reg_rule;
4950		const struct ieee80211_freq_range *freq_range;
4951		const struct ieee80211_power_rule *power_rule;
4952
4953		reg_rule = &regdom->reg_rules[i];
4954		freq_range = &reg_rule->freq_range;
4955		power_rule = &reg_rule->power_rule;
4956
4957		nl_reg_rule = nla_nest_start(msg, i);
4958		if (!nl_reg_rule)
4959			goto nla_put_failure_rcu;
4960
4961		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
4962				reg_rule->flags) ||
4963		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
4964				freq_range->start_freq_khz) ||
4965		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
4966				freq_range->end_freq_khz) ||
4967		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
4968				freq_range->max_bandwidth_khz) ||
4969		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
4970				power_rule->max_antenna_gain) ||
4971		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
4972				power_rule->max_eirp))
4973			goto nla_put_failure_rcu;
4974
4975		nla_nest_end(msg, nl_reg_rule);
4976	}
4977	rcu_read_unlock();
4978
4979	nla_nest_end(msg, nl_reg_rules);
4980
4981	genlmsg_end(msg, hdr);
4982	err = genlmsg_reply(msg, info);
4983	goto out;
4984
4985nla_put_failure_rcu:
4986	rcu_read_unlock();
4987nla_put_failure:
4988	genlmsg_cancel(msg, hdr);
4989put_failure:
4990	nlmsg_free(msg);
4991	err = -EMSGSIZE;
4992out:
4993	mutex_unlock(&cfg80211_mutex);
4994	return err;
4995}
4996
4997static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
4998{
4999	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
5000	struct nlattr *nl_reg_rule;
5001	char *alpha2 = NULL;
5002	int rem_reg_rules = 0, r = 0;
5003	u32 num_rules = 0, rule_idx = 0, size_of_regd;
5004	u8 dfs_region = 0;
5005	struct ieee80211_regdomain *rd = NULL;
5006
5007	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
5008		return -EINVAL;
5009
5010	if (!info->attrs[NL80211_ATTR_REG_RULES])
5011		return -EINVAL;
5012
5013	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
5014
5015	if (info->attrs[NL80211_ATTR_DFS_REGION])
5016		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
5017
5018	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
5019			    rem_reg_rules) {
5020		num_rules++;
5021		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
5022			return -EINVAL;
5023	}
5024
5025	size_of_regd = sizeof(struct ieee80211_regdomain) +
5026		       num_rules * sizeof(struct ieee80211_reg_rule);
5027
5028	rd = kzalloc(size_of_regd, GFP_KERNEL);
5029	if (!rd)
5030		return -ENOMEM;
5031
5032	rd->n_reg_rules = num_rules;
5033	rd->alpha2[0] = alpha2[0];
5034	rd->alpha2[1] = alpha2[1];
5035
5036	/*
5037	 * Disable DFS master mode if the DFS region was
5038	 * not supported or known on this kernel.
5039	 */
5040	if (reg_supported_dfs_region(dfs_region))
5041		rd->dfs_region = dfs_region;
5042
5043	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
5044			    rem_reg_rules) {
5045		nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
5046			  nla_data(nl_reg_rule), nla_len(nl_reg_rule),
5047			  reg_rule_policy);
5048		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
5049		if (r)
5050			goto bad_reg;
5051
5052		rule_idx++;
5053
5054		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
5055			r = -EINVAL;
5056			goto bad_reg;
5057		}
5058	}
5059
5060	mutex_lock(&cfg80211_mutex);
5061
5062	r = set_regdom(rd);
5063	/* set_regdom took ownership */
5064	rd = NULL;
5065	mutex_unlock(&cfg80211_mutex);
5066
5067 bad_reg:
5068	kfree(rd);
5069	return r;
5070}
5071
5072static int validate_scan_freqs(struct nlattr *freqs)
5073{
5074	struct nlattr *attr1, *attr2;
5075	int n_channels = 0, tmp1, tmp2;
5076
5077	nla_for_each_nested(attr1, freqs, tmp1) {
5078		n_channels++;
5079		/*
5080		 * Some hardware has a limited channel list for
5081		 * scanning, and it is pretty much nonsensical
5082		 * to scan for a channel twice, so disallow that
5083		 * and don't require drivers to check that the
5084		 * channel list they get isn't longer than what
5085		 * they can scan, as long as they can scan all
5086		 * the channels they registered at once.
5087		 */
5088		nla_for_each_nested(attr2, freqs, tmp2)
5089			if (attr1 != attr2 &&
5090			    nla_get_u32(attr1) == nla_get_u32(attr2))
5091				return 0;
5092	}
5093
5094	return n_channels;
5095}
5096
5097static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
5098{
5099	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5100	struct wireless_dev *wdev = info->user_ptr[1];
5101	struct cfg80211_scan_request *request;
5102	struct nlattr *attr;
5103	struct wiphy *wiphy;
5104	int err, tmp, n_ssids = 0, n_channels, i;
5105	size_t ie_len;
5106
5107	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5108		return -EINVAL;
5109
5110	wiphy = &rdev->wiphy;
5111
5112	if (!rdev->ops->scan)
5113		return -EOPNOTSUPP;
5114
5115	mutex_lock(&rdev->sched_scan_mtx);
5116	if (rdev->scan_req) {
5117		err = -EBUSY;
5118		goto unlock;
5119	}
5120
5121	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5122		n_channels = validate_scan_freqs(
5123				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
5124		if (!n_channels) {
5125			err = -EINVAL;
5126			goto unlock;
5127		}
5128	} else {
5129		enum ieee80211_band band;
5130		n_channels = 0;
5131
5132		for (band = 0; band < IEEE80211_NUM_BANDS; band++)
5133			if (wiphy->bands[band])
5134				n_channels += wiphy->bands[band]->n_channels;
5135	}
5136
5137	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
5138		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
5139			n_ssids++;
5140
5141	if (n_ssids > wiphy->max_scan_ssids) {
5142		err = -EINVAL;
5143		goto unlock;
5144	}
5145
5146	if (info->attrs[NL80211_ATTR_IE])
5147		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5148	else
5149		ie_len = 0;
5150
5151	if (ie_len > wiphy->max_scan_ie_len) {
5152		err = -EINVAL;
5153		goto unlock;
5154	}
5155
5156	request = kzalloc(sizeof(*request)
5157			+ sizeof(*request->ssids) * n_ssids
5158			+ sizeof(*request->channels) * n_channels
5159			+ ie_len, GFP_KERNEL);
5160	if (!request) {
5161		err = -ENOMEM;
5162		goto unlock;
5163	}
5164
5165	if (n_ssids)
5166		request->ssids = (void *)&request->channels[n_channels];
5167	request->n_ssids = n_ssids;
5168	if (ie_len) {
5169		if (request->ssids)
5170			request->ie = (void *)(request->ssids + n_ssids);
5171		else
5172			request->ie = (void *)(request->channels + n_channels);
5173	}
5174
5175	i = 0;
5176	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5177		/* user specified, bail out if channel not found */
5178		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
5179			struct ieee80211_channel *chan;
5180
5181			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
5182
5183			if (!chan) {
5184				err = -EINVAL;
5185				goto out_free;
5186			}
5187
5188			/* ignore disabled channels */
5189			if (chan->flags & IEEE80211_CHAN_DISABLED)
5190				continue;
5191
5192			request->channels[i] = chan;
5193			i++;
5194		}
5195	} else {
5196		enum ieee80211_band band;
5197
5198		/* all channels */
5199		for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
5200			int j;
5201			if (!wiphy->bands[band])
5202				continue;
5203			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
5204				struct ieee80211_channel *chan;
5205
5206				chan = &wiphy->bands[band]->channels[j];
5207
5208				if (chan->flags & IEEE80211_CHAN_DISABLED)
5209					continue;
5210
5211				request->channels[i] = chan;
5212				i++;
5213			}
5214		}
5215	}
5216
5217	if (!i) {
5218		err = -EINVAL;
5219		goto out_free;
5220	}
5221
5222	request->n_channels = i;
5223
5224	i = 0;
5225	if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
5226		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
5227			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
5228				err = -EINVAL;
5229				goto out_free;
5230			}
5231			request->ssids[i].ssid_len = nla_len(attr);
5232			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
5233			i++;
5234		}
5235	}
5236
5237	if (info->attrs[NL80211_ATTR_IE]) {
5238		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5239		memcpy((void *)request->ie,
5240		       nla_data(info->attrs[NL80211_ATTR_IE]),
5241		       request->ie_len);
5242	}
5243
5244	for (i = 0; i < IEEE80211_NUM_BANDS; i++)
5245		if (wiphy->bands[i])
5246			request->rates[i] =
5247				(1 << wiphy->bands[i]->n_bitrates) - 1;
5248
5249	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
5250		nla_for_each_nested(attr,
5251				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
5252				    tmp) {
5253			enum ieee80211_band band = nla_type(attr);
5254
5255			if (band < 0 || band >= IEEE80211_NUM_BANDS) {
5256				err = -EINVAL;
5257				goto out_free;
5258			}
5259			err = ieee80211_get_ratemask(wiphy->bands[band],
5260						     nla_data(attr),
5261						     nla_len(attr),
5262						     &request->rates[band]);
5263			if (err)
5264				goto out_free;
5265		}
5266	}
5267
5268	if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
5269		request->flags = nla_get_u32(
5270			info->attrs[NL80211_ATTR_SCAN_FLAGS]);
5271		if (((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
5272		     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
5273		    ((request->flags & NL80211_SCAN_FLAG_FLUSH) &&
5274		     !(wiphy->features & NL80211_FEATURE_SCAN_FLUSH))) {
5275			err = -EOPNOTSUPP;
5276			goto out_free;
5277		}
5278	}
5279
5280	request->no_cck =
5281		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
5282
5283	request->wdev = wdev;
5284	request->wiphy = &rdev->wiphy;
5285	request->scan_start = jiffies;
5286
5287	rdev->scan_req = request;
5288	err = rdev_scan(rdev, request);
5289
5290	if (!err) {
5291		nl80211_send_scan_start(rdev, wdev);
5292		if (wdev->netdev)
5293			dev_hold(wdev->netdev);
5294	} else {
5295 out_free:
5296		rdev->scan_req = NULL;
5297		kfree(request);
5298	}
5299
5300 unlock:
5301	mutex_unlock(&rdev->sched_scan_mtx);
5302	return err;
5303}
5304
5305static int nl80211_start_sched_scan(struct sk_buff *skb,
5306				    struct genl_info *info)
5307{
5308	struct cfg80211_sched_scan_request *request;
5309	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5310	struct net_device *dev = info->user_ptr[1];
5311	struct nlattr *attr;
5312	struct wiphy *wiphy;
5313	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i;
5314	u32 interval;
5315	enum ieee80211_band band;
5316	size_t ie_len;
5317	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
5318	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
5319
5320	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
5321	    !rdev->ops->sched_scan_start)
5322		return -EOPNOTSUPP;
5323
5324	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5325		return -EINVAL;
5326
5327	if (!info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
5328		return -EINVAL;
5329
5330	interval = nla_get_u32(info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
5331	if (interval == 0)
5332		return -EINVAL;
5333
5334	wiphy = &rdev->wiphy;
5335
5336	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5337		n_channels = validate_scan_freqs(
5338				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
5339		if (!n_channels)
5340			return -EINVAL;
5341	} else {
5342		n_channels = 0;
5343
5344		for (band = 0; band < IEEE80211_NUM_BANDS; band++)
5345			if (wiphy->bands[band])
5346				n_channels += wiphy->bands[band]->n_channels;
5347	}
5348
5349	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
5350		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
5351				    tmp)
5352			n_ssids++;
5353
5354	if (n_ssids > wiphy->max_sched_scan_ssids)
5355		return -EINVAL;
5356
5357	/*
5358	 * First, count the number of 'real' matchsets. Due to an issue with
5359	 * the old implementation, matchsets containing only the RSSI attribute
5360	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
5361	 * RSSI for all matchsets, rather than their own matchset for reporting
5362	 * all APs with a strong RSSI. This is needed to be compatible with
5363	 * older userspace that treated a matchset with only the RSSI as the
5364	 * global RSSI for all other matchsets - if there are other matchsets.
5365	 */
5366	if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
5367		nla_for_each_nested(attr,
5368				    info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
5369				    tmp) {
5370			struct nlattr *rssi;
5371
5372			err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
5373					nla_data(attr), nla_len(attr),
5374					nl80211_match_policy);
5375			if (err)
5376				return err;
5377			/* add other standalone attributes here */
5378			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID]) {
5379				n_match_sets++;
5380				continue;
5381			}
5382			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
5383			if (rssi)
5384				default_match_rssi = nla_get_s32(rssi);
5385		}
5386	}
5387
5388	/* However, if there's no other matchset, add the RSSI one */
5389	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
5390		n_match_sets = 1;
5391
5392	if (n_match_sets > wiphy->max_match_sets)
5393		return -EINVAL;
5394
5395	if (info->attrs[NL80211_ATTR_IE])
5396		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5397	else
5398		ie_len = 0;
5399
5400	if (ie_len > wiphy->max_sched_scan_ie_len)
5401		return -EINVAL;
5402
5403	mutex_lock(&rdev->sched_scan_mtx);
5404
5405	if (rdev->sched_scan_req) {
5406		err = -EINPROGRESS;
5407		goto out;
5408	}
5409
5410	request = kzalloc(sizeof(*request)
5411			+ sizeof(*request->ssids) * n_ssids
5412			+ sizeof(*request->match_sets) * n_match_sets
5413			+ sizeof(*request->channels) * n_channels
5414			+ ie_len, GFP_KERNEL);
5415	if (!request) {
5416		err = -ENOMEM;
5417		goto out;
5418	}
5419
5420	if (n_ssids)
5421		request->ssids = (void *)&request->channels[n_channels];
5422	request->n_ssids = n_ssids;
5423	if (ie_len) {
5424		if (request->ssids)
5425			request->ie = (void *)(request->ssids + n_ssids);
5426		else
5427			request->ie = (void *)(request->channels + n_channels);
5428	}
5429
5430	if (n_match_sets) {
5431		if (request->ie)
5432			request->match_sets = (void *)(request->ie + ie_len);
5433		else if (request->ssids)
5434			request->match_sets =
5435				(void *)(request->ssids + n_ssids);
5436		else
5437			request->match_sets =
5438				(void *)(request->channels + n_channels);
5439	}
5440	request->n_match_sets = n_match_sets;
5441
5442	i = 0;
5443	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5444		/* user specified, bail out if channel not found */
5445		nla_for_each_nested(attr,
5446				    info->attrs[NL80211_ATTR_SCAN_FREQUENCIES],
5447				    tmp) {
5448			struct ieee80211_channel *chan;
5449
5450			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
5451
5452			if (!chan) {
5453				err = -EINVAL;
5454				goto out_free;
5455			}
5456
5457			/* ignore disabled channels */
5458			if (chan->flags & IEEE80211_CHAN_DISABLED)
5459				continue;
5460
5461			request->channels[i] = chan;
5462			i++;
5463		}
5464	} else {
5465		/* all channels */
5466		for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
5467			int j;
5468			if (!wiphy->bands[band])
5469				continue;
5470			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
5471				struct ieee80211_channel *chan;
5472
5473				chan = &wiphy->bands[band]->channels[j];
5474
5475				if (chan->flags & IEEE80211_CHAN_DISABLED)
5476					continue;
5477
5478				request->channels[i] = chan;
5479				i++;
5480			}
5481		}
5482	}
5483
5484	if (!i) {
5485		err = -EINVAL;
5486		goto out_free;
5487	}
5488
5489	request->n_channels = i;
5490
5491	i = 0;
5492	if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
5493		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
5494				    tmp) {
5495			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
5496				err = -EINVAL;
5497				goto out_free;
5498			}
5499			request->ssids[i].ssid_len = nla_len(attr);
5500			memcpy(request->ssids[i].ssid, nla_data(attr),
5501			       nla_len(attr));
5502			i++;
5503		}
5504	}
5505
5506	i = 0;
5507	if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
5508		nla_for_each_nested(attr,
5509				    info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
5510				    tmp) {
5511			struct nlattr *ssid, *rssi;
5512
5513			nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
5514				  nla_data(attr), nla_len(attr),
5515				  nl80211_match_policy);
5516			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
5517			if (ssid) {
5518				if (WARN_ON(i >= n_match_sets)) {
5519					/* this indicates a programming error,
5520					 * the loop above should have verified
5521					 * things properly
5522					 */
5523					err = -EINVAL;
5524					goto out_free;
5525				}
5526
5527				if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
5528					err = -EINVAL;
5529					goto out_free;
5530				}
5531				memcpy(request->match_sets[i].ssid.ssid,
5532				       nla_data(ssid), nla_len(ssid));
5533				request->match_sets[i].ssid.ssid_len =
5534					nla_len(ssid);
5535				/* special attribute - old implemenation w/a */
5536				request->match_sets[i].rssi_thold =
5537					default_match_rssi;
5538				rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
5539				if (rssi)
5540					request->match_sets[i].rssi_thold =
5541						nla_get_s32(rssi);
5542			}
5543			i++;
5544		}
5545
5546		/* there was no other matchset, so the RSSI one is alone */
5547		if (i == 0)
5548			request->match_sets[0].rssi_thold = default_match_rssi;
5549
5550		request->min_rssi_thold = INT_MAX;
5551		for (i = 0; i < n_match_sets; i++)
5552			request->min_rssi_thold =
5553				min(request->match_sets[i].rssi_thold,
5554				    request->min_rssi_thold);
5555	} else {
5556		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
5557	}
5558
5559	request->rssi_thold = request->min_rssi_thold;
5560
5561	if (info->attrs[NL80211_ATTR_IE]) {
5562		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5563		memcpy((void *)request->ie,
5564		       nla_data(info->attrs[NL80211_ATTR_IE]),
5565		       request->ie_len);
5566	}
5567
5568	if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
5569		request->flags = nla_get_u32(
5570			info->attrs[NL80211_ATTR_SCAN_FLAGS]);
5571		if (((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
5572		     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
5573		    ((request->flags & NL80211_SCAN_FLAG_FLUSH) &&
5574		     !(wiphy->features & NL80211_FEATURE_SCAN_FLUSH))) {
5575			err = -EOPNOTSUPP;
5576			goto out_free;
5577		}
5578	}
5579
5580	request->dev = dev;
5581	request->wiphy = &rdev->wiphy;
5582	request->interval = interval;
5583	request->scan_start = jiffies;
5584
5585	err = rdev_sched_scan_start(rdev, dev, request);
5586	if (!err) {
5587		rdev->sched_scan_req = request;
5588		nl80211_send_sched_scan(rdev, dev,
5589					NL80211_CMD_START_SCHED_SCAN);
5590		goto out;
5591	}
5592
5593out_free:
5594	kfree(request);
5595out:
5596	mutex_unlock(&rdev->sched_scan_mtx);
5597	return err;
5598}
5599
5600static int nl80211_stop_sched_scan(struct sk_buff *skb,
5601				   struct genl_info *info)
5602{
5603	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5604	int err;
5605
5606	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
5607	    !rdev->ops->sched_scan_stop)
5608		return -EOPNOTSUPP;
5609
5610	mutex_lock(&rdev->sched_scan_mtx);
5611	err = __cfg80211_stop_sched_scan(rdev, false);
5612	mutex_unlock(&rdev->sched_scan_mtx);
5613
5614	return err;
5615}
5616
5617static int nl80211_start_radar_detection(struct sk_buff *skb,
5618					 struct genl_info *info)
5619{
5620	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5621	struct net_device *dev = info->user_ptr[1];
5622	struct wireless_dev *wdev = dev->ieee80211_ptr;
5623	struct cfg80211_chan_def chandef;
5624	int err;
5625
5626	err = nl80211_parse_chandef(rdev, info, &chandef);
5627	if (err)
5628		return err;
5629
5630	if (wdev->cac_started)
5631		return -EBUSY;
5632
5633	err = cfg80211_chandef_dfs_required(wdev->wiphy, &chandef);
5634	if (err < 0)
5635		return err;
5636
5637	if (err == 0)
5638		return -EINVAL;
5639
5640	if (chandef.chan->dfs_state != NL80211_DFS_USABLE)
5641		return -EINVAL;
5642
5643	if (!rdev->ops->start_radar_detection)
5644		return -EOPNOTSUPP;
5645
5646	mutex_lock(&rdev->devlist_mtx);
5647	err = cfg80211_can_use_iftype_chan(rdev, wdev, wdev->iftype,
5648					   chandef.chan, CHAN_MODE_SHARED,
5649					   BIT(chandef.width));
5650	if (err)
5651		goto err_locked;
5652
5653	err = rdev->ops->start_radar_detection(&rdev->wiphy, dev, &chandef);
5654	if (!err) {
5655		wdev->channel = chandef.chan;
5656		wdev->cac_started = true;
5657		wdev->cac_start_time = jiffies;
5658	}
5659err_locked:
5660	mutex_unlock(&rdev->devlist_mtx);
5661
5662	return err;
5663}
5664
5665static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
5666			    u32 seq, int flags,
5667			    struct cfg80211_registered_device *rdev,
5668			    struct wireless_dev *wdev,
5669			    struct cfg80211_internal_bss *intbss)
5670{
5671	struct cfg80211_bss *res = &intbss->pub;
5672	const struct cfg80211_bss_ies *ies;
5673	void *hdr;
5674	struct nlattr *bss;
5675	bool tsf = false;
5676
5677	ASSERT_WDEV_LOCK(wdev);
5678
5679	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
5680			     NL80211_CMD_NEW_SCAN_RESULTS);
5681	if (!hdr)
5682		return -1;
5683
5684	genl_dump_check_consistent(cb, hdr, &nl80211_fam);
5685
5686	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
5687		goto nla_put_failure;
5688	if (wdev->netdev &&
5689	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
5690		goto nla_put_failure;
5691	if (nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
5692		goto nla_put_failure;
5693
5694	bss = nla_nest_start(msg, NL80211_ATTR_BSS);
5695	if (!bss)
5696		goto nla_put_failure;
5697	if ((!is_zero_ether_addr(res->bssid) &&
5698	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
5699		goto nla_put_failure;
5700
5701	rcu_read_lock();
5702	ies = rcu_dereference(res->ies);
5703	if (ies) {
5704		if (nla_put_u64(msg, NL80211_BSS_TSF, ies->tsf))
5705			goto fail_unlock_rcu;
5706		tsf = true;
5707		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
5708					ies->len, ies->data))
5709			goto fail_unlock_rcu;
5710	}
5711	ies = rcu_dereference(res->beacon_ies);
5712	if (ies) {
5713		if (!tsf && nla_put_u64(msg, NL80211_BSS_TSF, ies->tsf))
5714			goto fail_unlock_rcu;
5715		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
5716					ies->len, ies->data))
5717			goto fail_unlock_rcu;
5718	}
5719	rcu_read_unlock();
5720
5721	if (res->beacon_interval &&
5722	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
5723		goto nla_put_failure;
5724	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
5725	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
5726	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
5727			jiffies_to_msecs(jiffies - intbss->ts)))
5728		goto nla_put_failure;
5729
5730	switch (rdev->wiphy.signal_type) {
5731	case CFG80211_SIGNAL_TYPE_MBM:
5732		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
5733			goto nla_put_failure;
5734		break;
5735	case CFG80211_SIGNAL_TYPE_UNSPEC:
5736		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
5737			goto nla_put_failure;
5738		break;
5739	default:
5740		break;
5741	}
5742
5743	switch (wdev->iftype) {
5744	case NL80211_IFTYPE_P2P_CLIENT:
5745	case NL80211_IFTYPE_STATION:
5746		if (intbss == wdev->current_bss &&
5747		    nla_put_u32(msg, NL80211_BSS_STATUS,
5748				NL80211_BSS_STATUS_ASSOCIATED))
5749			goto nla_put_failure;
5750		break;
5751	case NL80211_IFTYPE_ADHOC:
5752		if (intbss == wdev->current_bss &&
5753		    nla_put_u32(msg, NL80211_BSS_STATUS,
5754				NL80211_BSS_STATUS_IBSS_JOINED))
5755			goto nla_put_failure;
5756		break;
5757	default:
5758		break;
5759	}
5760
5761	nla_nest_end(msg, bss);
5762
5763	return genlmsg_end(msg, hdr);
5764
5765 fail_unlock_rcu:
5766	rcu_read_unlock();
5767 nla_put_failure:
5768	genlmsg_cancel(msg, hdr);
5769	return -EMSGSIZE;
5770}
5771
5772static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
5773{
5774	struct cfg80211_registered_device *rdev;
5775	struct cfg80211_internal_bss *scan;
5776	struct wireless_dev *wdev;
5777	int start = cb->args[2], idx = 0;
5778	int err;
5779
5780	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
5781	if (err)
5782		return err;
5783
5784	wdev_lock(wdev);
5785	spin_lock_bh(&rdev->bss_lock);
5786	cfg80211_bss_expire(rdev);
5787
5788	cb->seq = rdev->bss_generation;
5789
5790	list_for_each_entry(scan, &rdev->bss_list, list) {
5791		if (++idx <= start)
5792			continue;
5793		if (nl80211_send_bss(skb, cb,
5794				cb->nlh->nlmsg_seq, NLM_F_MULTI,
5795				rdev, wdev, scan) < 0) {
5796			idx--;
5797			break;
5798		}
5799	}
5800
5801	spin_unlock_bh(&rdev->bss_lock);
5802	wdev_unlock(wdev);
5803
5804	cb->args[2] = idx;
5805	nl80211_finish_wdev_dump(rdev);
5806
5807	return skb->len;
5808}
5809
5810static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
5811				int flags, struct net_device *dev,
5812				struct survey_info *survey)
5813{
5814	void *hdr;
5815	struct nlattr *infoattr;
5816
5817	hdr = nl80211hdr_put(msg, portid, seq, flags,
5818			     NL80211_CMD_NEW_SURVEY_RESULTS);
5819	if (!hdr)
5820		return -ENOMEM;
5821
5822	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
5823		goto nla_put_failure;
5824
5825	infoattr = nla_nest_start(msg, NL80211_ATTR_SURVEY_INFO);
5826	if (!infoattr)
5827		goto nla_put_failure;
5828
5829	if (nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
5830			survey->channel->center_freq))
5831		goto nla_put_failure;
5832
5833	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
5834	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
5835		goto nla_put_failure;
5836	if ((survey->filled & SURVEY_INFO_IN_USE) &&
5837	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
5838		goto nla_put_failure;
5839	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME) &&
5840	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME,
5841			survey->channel_time))
5842		goto nla_put_failure;
5843	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_BUSY) &&
5844	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_BUSY,
5845			survey->channel_time_busy))
5846		goto nla_put_failure;
5847	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_EXT_BUSY) &&
5848	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_EXT_BUSY,
5849			survey->channel_time_ext_busy))
5850		goto nla_put_failure;
5851	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_RX) &&
5852	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_RX,
5853			survey->channel_time_rx))
5854		goto nla_put_failure;
5855	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_TX) &&
5856	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_TX,
5857			survey->channel_time_tx))
5858		goto nla_put_failure;
5859
5860	nla_nest_end(msg, infoattr);
5861
5862	return genlmsg_end(msg, hdr);
5863
5864 nla_put_failure:
5865	genlmsg_cancel(msg, hdr);
5866	return -EMSGSIZE;
5867}
5868
5869static int nl80211_dump_survey(struct sk_buff *skb,
5870			struct netlink_callback *cb)
5871{
5872	struct survey_info survey;
5873	struct cfg80211_registered_device *dev;
5874	struct wireless_dev *wdev;
5875	int survey_idx = cb->args[2];
5876	int res;
5877
5878	res = nl80211_prepare_wdev_dump(skb, cb, &dev, &wdev);
5879	if (res)
5880		return res;
5881
5882	if (!wdev->netdev) {
5883		res = -EINVAL;
5884		goto out_err;
5885	}
5886
5887	if (!dev->ops->dump_survey) {
5888		res = -EOPNOTSUPP;
5889		goto out_err;
5890	}
5891
5892	while (1) {
5893		struct ieee80211_channel *chan;
5894
5895		res = rdev_dump_survey(dev, wdev->netdev, survey_idx, &survey);
5896		if (res == -ENOENT)
5897			break;
5898		if (res)
5899			goto out_err;
5900
5901		/* Survey without a channel doesn't make sense */
5902		if (!survey.channel) {
5903			res = -EINVAL;
5904			goto out;
5905		}
5906
5907		chan = ieee80211_get_channel(&dev->wiphy,
5908					     survey.channel->center_freq);
5909		if (!chan || chan->flags & IEEE80211_CHAN_DISABLED) {
5910			survey_idx++;
5911			continue;
5912		}
5913
5914		if (nl80211_send_survey(skb,
5915				NETLINK_CB(cb->skb).portid,
5916				cb->nlh->nlmsg_seq, NLM_F_MULTI,
5917				wdev->netdev, &survey) < 0)
5918			goto out;
5919		survey_idx++;
5920	}
5921
5922 out:
5923	cb->args[2] = survey_idx;
5924	res = skb->len;
5925 out_err:
5926	nl80211_finish_wdev_dump(dev);
5927	return res;
5928}
5929
5930static bool nl80211_valid_wpa_versions(u32 wpa_versions)
5931{
5932	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
5933				  NL80211_WPA_VERSION_2));
5934}
5935
5936static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
5937{
5938	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5939	struct net_device *dev = info->user_ptr[1];
5940	struct ieee80211_channel *chan;
5941	const u8 *bssid, *ssid, *ie = NULL, *sae_data = NULL;
5942	int err, ssid_len, ie_len = 0, sae_data_len = 0;
5943	enum nl80211_auth_type auth_type;
5944	struct key_parse key;
5945	bool local_state_change;
5946
5947	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5948		return -EINVAL;
5949
5950	if (!info->attrs[NL80211_ATTR_MAC])
5951		return -EINVAL;
5952
5953	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
5954		return -EINVAL;
5955
5956	if (!info->attrs[NL80211_ATTR_SSID])
5957		return -EINVAL;
5958
5959	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
5960		return -EINVAL;
5961
5962	err = nl80211_parse_key(info, &key);
5963	if (err)
5964		return err;
5965
5966	if (key.idx >= 0) {
5967		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
5968			return -EINVAL;
5969		if (!key.p.key || !key.p.key_len)
5970			return -EINVAL;
5971		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
5972		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
5973		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
5974		     key.p.key_len != WLAN_KEY_LEN_WEP104))
5975			return -EINVAL;
5976		if (key.idx > 4)
5977			return -EINVAL;
5978	} else {
5979		key.p.key_len = 0;
5980		key.p.key = NULL;
5981	}
5982
5983	if (key.idx >= 0) {
5984		int i;
5985		bool ok = false;
5986		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
5987			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
5988				ok = true;
5989				break;
5990			}
5991		}
5992		if (!ok)
5993			return -EINVAL;
5994	}
5995
5996	if (!rdev->ops->auth)
5997		return -EOPNOTSUPP;
5998
5999	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6000	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6001		return -EOPNOTSUPP;
6002
6003	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6004	chan = ieee80211_get_channel(&rdev->wiphy,
6005		nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
6006	if (!chan || (chan->flags & IEEE80211_CHAN_DISABLED))
6007		return -EINVAL;
6008
6009	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6010	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
6011
6012	if (info->attrs[NL80211_ATTR_IE]) {
6013		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6014		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6015	}
6016
6017	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
6018	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
6019		return -EINVAL;
6020
6021	if (auth_type == NL80211_AUTHTYPE_SAE &&
6022	    !info->attrs[NL80211_ATTR_SAE_DATA])
6023		return -EINVAL;
6024
6025	if (info->attrs[NL80211_ATTR_SAE_DATA]) {
6026		if (auth_type != NL80211_AUTHTYPE_SAE)
6027			return -EINVAL;
6028		sae_data = nla_data(info->attrs[NL80211_ATTR_SAE_DATA]);
6029		sae_data_len = nla_len(info->attrs[NL80211_ATTR_SAE_DATA]);
6030		/* need to include at least Auth Transaction and Status Code */
6031		if (sae_data_len < 4)
6032			return -EINVAL;
6033	}
6034
6035	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
6036
6037	/*
6038	 * Since we no longer track auth state, ignore
6039	 * requests to only change local state.
6040	 */
6041	if (local_state_change)
6042		return 0;
6043
6044	return cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
6045				  ssid, ssid_len, ie, ie_len,
6046				  key.p.key, key.p.key_len, key.idx,
6047				  sae_data, sae_data_len);
6048}
6049
6050static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
6051				   struct genl_info *info,
6052				   struct cfg80211_crypto_settings *settings,
6053				   int cipher_limit)
6054{
6055	memset(settings, 0, sizeof(*settings));
6056
6057	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
6058
6059	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
6060		u16 proto;
6061		proto = nla_get_u16(
6062			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
6063		settings->control_port_ethertype = cpu_to_be16(proto);
6064		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
6065		    proto != ETH_P_PAE)
6066			return -EINVAL;
6067		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
6068			settings->control_port_no_encrypt = true;
6069	} else
6070		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
6071
6072	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
6073		void *data;
6074		int len, i;
6075
6076		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
6077		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
6078		settings->n_ciphers_pairwise = len / sizeof(u32);
6079
6080		if (len % sizeof(u32))
6081			return -EINVAL;
6082
6083		if (settings->n_ciphers_pairwise > cipher_limit)
6084			return -EINVAL;
6085
6086		memcpy(settings->ciphers_pairwise, data, len);
6087
6088		for (i = 0; i < settings->n_ciphers_pairwise; i++)
6089			if (!cfg80211_supported_cipher_suite(
6090					&rdev->wiphy,
6091					settings->ciphers_pairwise[i]))
6092				return -EINVAL;
6093	}
6094
6095	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
6096		settings->cipher_group =
6097			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
6098		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
6099						     settings->cipher_group))
6100			return -EINVAL;
6101	}
6102
6103	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
6104		settings->wpa_versions =
6105			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
6106		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
6107			return -EINVAL;
6108	}
6109
6110	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
6111		void *data;
6112		int len;
6113
6114		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
6115		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
6116		settings->n_akm_suites = len / sizeof(u32);
6117
6118		if (len % sizeof(u32))
6119			return -EINVAL;
6120
6121		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
6122			return -EINVAL;
6123
6124		memcpy(settings->akm_suites, data, len);
6125	}
6126
6127	return 0;
6128}
6129
6130static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
6131{
6132	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6133	struct net_device *dev = info->user_ptr[1];
6134	struct ieee80211_channel *chan;
6135	struct cfg80211_assoc_request req = {};
6136	const u8 *bssid, *ssid;
6137	int err, ssid_len = 0;
6138
6139	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6140		return -EINVAL;
6141
6142	if (!info->attrs[NL80211_ATTR_MAC] ||
6143	    !info->attrs[NL80211_ATTR_SSID] ||
6144	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
6145		return -EINVAL;
6146
6147	if (!rdev->ops->assoc)
6148		return -EOPNOTSUPP;
6149
6150	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6151	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6152		return -EOPNOTSUPP;
6153
6154	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6155
6156	chan = ieee80211_get_channel(&rdev->wiphy,
6157		nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
6158	if (!chan || (chan->flags & IEEE80211_CHAN_DISABLED))
6159		return -EINVAL;
6160
6161	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6162	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
6163
6164	if (info->attrs[NL80211_ATTR_IE]) {
6165		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6166		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6167	}
6168
6169	if (info->attrs[NL80211_ATTR_USE_MFP]) {
6170		enum nl80211_mfp mfp =
6171			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
6172		if (mfp == NL80211_MFP_REQUIRED)
6173			req.use_mfp = true;
6174		else if (mfp != NL80211_MFP_NO)
6175			return -EINVAL;
6176	}
6177
6178	if (info->attrs[NL80211_ATTR_PREV_BSSID])
6179		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
6180
6181	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
6182		req.flags |= ASSOC_REQ_DISABLE_HT;
6183
6184	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
6185		memcpy(&req.ht_capa_mask,
6186		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
6187		       sizeof(req.ht_capa_mask));
6188
6189	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
6190		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
6191			return -EINVAL;
6192		memcpy(&req.ht_capa,
6193		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
6194		       sizeof(req.ht_capa));
6195	}
6196
6197	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
6198		req.flags |= ASSOC_REQ_DISABLE_VHT;
6199
6200	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
6201		memcpy(&req.vht_capa_mask,
6202		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
6203		       sizeof(req.vht_capa_mask));
6204
6205	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
6206		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
6207			return -EINVAL;
6208		memcpy(&req.vht_capa,
6209		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
6210		       sizeof(req.vht_capa));
6211	}
6212
6213	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
6214	if (!err)
6215		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
6216					  ssid, ssid_len, &req);
6217
6218	return err;
6219}
6220
6221static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
6222{
6223	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6224	struct net_device *dev = info->user_ptr[1];
6225	const u8 *ie = NULL, *bssid;
6226	int ie_len = 0;
6227	u16 reason_code;
6228	bool local_state_change;
6229
6230	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6231		return -EINVAL;
6232
6233	if (!info->attrs[NL80211_ATTR_MAC])
6234		return -EINVAL;
6235
6236	if (!info->attrs[NL80211_ATTR_REASON_CODE])
6237		return -EINVAL;
6238
6239	if (!rdev->ops->deauth)
6240		return -EOPNOTSUPP;
6241
6242	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6243	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6244		return -EOPNOTSUPP;
6245
6246	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6247
6248	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
6249	if (reason_code == 0) {
6250		/* Reason Code 0 is reserved */
6251		return -EINVAL;
6252	}
6253
6254	if (info->attrs[NL80211_ATTR_IE]) {
6255		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6256		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6257	}
6258
6259	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
6260
6261	return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
6262				    local_state_change);
6263}
6264
6265static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
6266{
6267	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6268	struct net_device *dev = info->user_ptr[1];
6269	const u8 *ie = NULL, *bssid;
6270	int ie_len = 0;
6271	u16 reason_code;
6272	bool local_state_change;
6273
6274	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6275		return -EINVAL;
6276
6277	if (!info->attrs[NL80211_ATTR_MAC])
6278		return -EINVAL;
6279
6280	if (!info->attrs[NL80211_ATTR_REASON_CODE])
6281		return -EINVAL;
6282
6283	if (!rdev->ops->disassoc)
6284		return -EOPNOTSUPP;
6285
6286	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6287	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6288		return -EOPNOTSUPP;
6289
6290	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6291
6292	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
6293	if (reason_code == 0) {
6294		/* Reason Code 0 is reserved */
6295		return -EINVAL;
6296	}
6297
6298	if (info->attrs[NL80211_ATTR_IE]) {
6299		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6300		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6301	}
6302
6303	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
6304
6305	return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
6306				      local_state_change);
6307}
6308
6309static bool
6310nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
6311			 int mcast_rate[IEEE80211_NUM_BANDS],
6312			 int rateval)
6313{
6314	struct wiphy *wiphy = &rdev->wiphy;
6315	bool found = false;
6316	int band, i;
6317
6318	for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
6319		struct ieee80211_supported_band *sband;
6320
6321		sband = wiphy->bands[band];
6322		if (!sband)
6323			continue;
6324
6325		for (i = 0; i < sband->n_bitrates; i++) {
6326			if (sband->bitrates[i].bitrate == rateval) {
6327				mcast_rate[band] = i + 1;
6328				found = true;
6329				break;
6330			}
6331		}
6332	}
6333
6334	return found;
6335}
6336
6337static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
6338{
6339	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6340	struct net_device *dev = info->user_ptr[1];
6341	struct cfg80211_ibss_params ibss;
6342	struct wiphy *wiphy;
6343	struct cfg80211_cached_keys *connkeys = NULL;
6344	int err;
6345
6346	memset(&ibss, 0, sizeof(ibss));
6347
6348	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6349		return -EINVAL;
6350
6351	if (!info->attrs[NL80211_ATTR_SSID] ||
6352	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
6353		return -EINVAL;
6354
6355	ibss.beacon_interval = 100;
6356
6357	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
6358		ibss.beacon_interval =
6359			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
6360		if (ibss.beacon_interval < 1 || ibss.beacon_interval > 10000)
6361			return -EINVAL;
6362	}
6363
6364	if (!rdev->ops->join_ibss)
6365		return -EOPNOTSUPP;
6366
6367	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
6368		return -EOPNOTSUPP;
6369
6370	wiphy = &rdev->wiphy;
6371
6372	if (info->attrs[NL80211_ATTR_MAC]) {
6373		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6374
6375		if (!is_valid_ether_addr(ibss.bssid))
6376			return -EINVAL;
6377	}
6378	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6379	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
6380
6381	if (info->attrs[NL80211_ATTR_IE]) {
6382		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6383		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6384	}
6385
6386	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
6387	if (err)
6388		return err;
6389
6390	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef))
6391		return -EINVAL;
6392
6393	if (ibss.chandef.width > NL80211_CHAN_WIDTH_40)
6394		return -EINVAL;
6395	if (ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
6396	    !(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
6397		return -EINVAL;
6398
6399	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
6400	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
6401
6402	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
6403		u8 *rates =
6404			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6405		int n_rates =
6406			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6407		struct ieee80211_supported_band *sband =
6408			wiphy->bands[ibss.chandef.chan->band];
6409
6410		err = ieee80211_get_ratemask(sband, rates, n_rates,
6411					     &ibss.basic_rates);
6412		if (err)
6413			return err;
6414	}
6415
6416	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
6417	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
6418			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
6419		return -EINVAL;
6420
6421	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
6422		bool no_ht = false;
6423
6424		connkeys = nl80211_parse_connkeys(rdev,
6425					  info->attrs[NL80211_ATTR_KEYS],
6426					  &no_ht);
6427		if (IS_ERR(connkeys))
6428			return PTR_ERR(connkeys);
6429
6430		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
6431		    no_ht) {
6432			kfree(connkeys);
6433			return -EINVAL;
6434		}
6435	}
6436
6437	ibss.control_port =
6438		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
6439
6440	err = cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
6441	if (err)
6442		kfree(connkeys);
6443	return err;
6444}
6445
6446static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
6447{
6448	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6449	struct net_device *dev = info->user_ptr[1];
6450
6451	if (!rdev->ops->leave_ibss)
6452		return -EOPNOTSUPP;
6453
6454	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
6455		return -EOPNOTSUPP;
6456
6457	return cfg80211_leave_ibss(rdev, dev, false);
6458}
6459
6460static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
6461{
6462	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6463	struct net_device *dev = info->user_ptr[1];
6464	int mcast_rate[IEEE80211_NUM_BANDS];
6465	u32 nla_rate;
6466	int err;
6467
6468	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
6469	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6470		return -EOPNOTSUPP;
6471
6472	if (!rdev->ops->set_mcast_rate)
6473		return -EOPNOTSUPP;
6474
6475	memset(mcast_rate, 0, sizeof(mcast_rate));
6476
6477	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
6478		return -EINVAL;
6479
6480	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
6481	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
6482		return -EINVAL;
6483
6484	err = rdev->ops->set_mcast_rate(&rdev->wiphy, dev, mcast_rate);
6485
6486	return err;
6487}
6488
6489static struct sk_buff *
6490__cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
6491			    int approxlen, u32 portid, u32 seq,
6492			    enum nl80211_commands cmd,
6493			    enum nl80211_attrs attr,
6494			    const struct nl80211_vendor_cmd_info *info,
6495			    gfp_t gfp)
6496{
6497	struct sk_buff *skb;
6498	void *hdr;
6499	struct nlattr *data;
6500
6501	skb = nlmsg_new(approxlen + 100, gfp);
6502	if (!skb)
6503		return NULL;
6504
6505	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
6506	if (!hdr) {
6507		kfree_skb(skb);
6508		return NULL;
6509	}
6510
6511	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
6512		goto nla_put_failure;
6513
6514	if (info) {
6515		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
6516				info->vendor_id))
6517			goto nla_put_failure;
6518		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
6519				info->subcmd))
6520			goto nla_put_failure;
6521	}
6522
6523	data = nla_nest_start(skb, attr);
6524
6525	((void **)skb->cb)[0] = rdev;
6526	((void **)skb->cb)[1] = hdr;
6527	((void **)skb->cb)[2] = data;
6528
6529	return skb;
6530
6531 nla_put_failure:
6532	kfree_skb(skb);
6533	return NULL;
6534}
6535
6536#ifdef CONFIG_NL80211_TESTMODE
6537static struct genl_multicast_group nl80211_testmode_mcgrp = {
6538	.name = "testmode",
6539};
6540
6541static struct genl_multicast_group nl80211_vendor_mcgrp = {
6542	.name = "vendor",
6543};
6544
6545static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
6546{
6547	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6548	int err;
6549
6550	if (!info->attrs[NL80211_ATTR_TESTDATA])
6551		return -EINVAL;
6552
6553	err = -EOPNOTSUPP;
6554	if (rdev->ops->testmode_cmd) {
6555		rdev->cur_cmd_info = info;
6556		err = rdev_testmode_cmd(rdev,
6557				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
6558				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
6559		rdev->cur_cmd_info = NULL;
6560	}
6561
6562	return err;
6563}
6564
6565static int nl80211_testmode_dump(struct sk_buff *skb,
6566				 struct netlink_callback *cb)
6567{
6568	struct cfg80211_registered_device *rdev;
6569	int err;
6570	long phy_idx;
6571	void *data = NULL;
6572	int data_len = 0;
6573
6574	if (cb->args[0]) {
6575		/*
6576		 * 0 is a valid index, but not valid for args[0],
6577		 * so we need to offset by 1.
6578		 */
6579		phy_idx = cb->args[0] - 1;
6580	} else {
6581		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
6582				  nl80211_fam.attrbuf, nl80211_fam.maxattr,
6583				  nl80211_policy);
6584		if (err)
6585			return err;
6586
6587		mutex_lock(&cfg80211_mutex);
6588		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk),
6589						  nl80211_fam.attrbuf);
6590		if (IS_ERR(rdev)) {
6591			mutex_unlock(&cfg80211_mutex);
6592			return PTR_ERR(rdev);
6593		}
6594		phy_idx = rdev->wiphy_idx;
6595		rdev = NULL;
6596		mutex_unlock(&cfg80211_mutex);
6597
6598		if (nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA])
6599			cb->args[1] =
6600				(long)nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA];
6601	}
6602
6603	if (cb->args[1]) {
6604		data = nla_data((void *)cb->args[1]);
6605		data_len = nla_len((void *)cb->args[1]);
6606	}
6607
6608	mutex_lock(&cfg80211_mutex);
6609	rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
6610	if (!rdev) {
6611		mutex_unlock(&cfg80211_mutex);
6612		return -ENOENT;
6613	}
6614	cfg80211_lock_rdev(rdev);
6615	mutex_unlock(&cfg80211_mutex);
6616
6617	if (!rdev->ops->testmode_dump) {
6618		err = -EOPNOTSUPP;
6619		goto out_err;
6620	}
6621
6622	while (1) {
6623		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
6624					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
6625					   NL80211_CMD_TESTMODE);
6626		struct nlattr *tmdata;
6627
6628		if (!hdr)
6629			break;
6630
6631		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
6632			genlmsg_cancel(skb, hdr);
6633			break;
6634		}
6635
6636		tmdata = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
6637		if (!tmdata) {
6638			genlmsg_cancel(skb, hdr);
6639			break;
6640		}
6641		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
6642		nla_nest_end(skb, tmdata);
6643
6644		if (err == -ENOBUFS || err == -ENOENT) {
6645			genlmsg_cancel(skb, hdr);
6646			break;
6647		} else if (err) {
6648			genlmsg_cancel(skb, hdr);
6649			goto out_err;
6650		}
6651
6652		genlmsg_end(skb, hdr);
6653	}
6654
6655	err = skb->len;
6656	/* see above */
6657	cb->args[0] = phy_idx + 1;
6658 out_err:
6659	cfg80211_unlock_rdev(rdev);
6660	return err;
6661}
6662
6663struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
6664					   enum nl80211_commands cmd,
6665					   enum nl80211_attrs attr,
6666					   int vendor_event_idx,
6667					   int approxlen, gfp_t gfp)
6668{
6669	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
6670	const struct nl80211_vendor_cmd_info *info;
6671
6672	switch (cmd) {
6673	case NL80211_CMD_TESTMODE:
6674		if (WARN_ON(vendor_event_idx != -1))
6675			return NULL;
6676		info = NULL;
6677		break;
6678	case NL80211_CMD_VENDOR:
6679		if (WARN_ON(vendor_event_idx < 0 ||
6680			    vendor_event_idx >= wiphy->n_vendor_events))
6681			return NULL;
6682		info = &wiphy->vendor_events[vendor_event_idx];
6683		break;
6684	default:
6685		WARN_ON(1);
6686		return NULL;
6687	}
6688	return __cfg80211_alloc_vendor_skb(rdev, approxlen, 0, 0,
6689					   cmd, attr, info, gfp);
6690}
6691EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
6692
6693void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
6694{
6695	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
6696	void *hdr = ((void **)skb->cb)[1];
6697	struct nlattr *data = ((void **)skb->cb)[2];
6698
6699	nla_nest_end(skb, data);
6700	genlmsg_end(skb, hdr);
6701
6702	if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
6703		genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), skb, 0,
6704			nl80211_vendor_mcgrp.id, gfp);
6705	else
6706		genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), skb, 0,
6707			nl80211_testmode_mcgrp.id, gfp);
6708}
6709EXPORT_SYMBOL(__cfg80211_send_event_skb);
6710#endif
6711
6712static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
6713{
6714	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6715	struct net_device *dev = info->user_ptr[1];
6716	struct cfg80211_connect_params connect;
6717	struct wiphy *wiphy;
6718	struct cfg80211_cached_keys *connkeys = NULL;
6719	int err;
6720
6721	memset(&connect, 0, sizeof(connect));
6722
6723	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6724		return -EINVAL;
6725
6726	if (!info->attrs[NL80211_ATTR_SSID] ||
6727	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
6728		return -EINVAL;
6729
6730	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
6731		connect.auth_type =
6732			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
6733		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
6734					     NL80211_CMD_CONNECT))
6735			return -EINVAL;
6736	} else
6737		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
6738
6739	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
6740
6741	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
6742				      NL80211_MAX_NR_CIPHER_SUITES);
6743	if (err)
6744		return err;
6745
6746	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6747	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6748		return -EOPNOTSUPP;
6749
6750	wiphy = &rdev->wiphy;
6751
6752	connect.bg_scan_period = -1;
6753	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
6754		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
6755		connect.bg_scan_period =
6756			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
6757	}
6758
6759	if (info->attrs[NL80211_ATTR_MAC])
6760		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6761	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6762	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
6763
6764	if (info->attrs[NL80211_ATTR_IE]) {
6765		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6766		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6767	}
6768
6769	if (info->attrs[NL80211_ATTR_USE_MFP]) {
6770		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
6771		if (connect.mfp != NL80211_MFP_REQUIRED &&
6772		    connect.mfp != NL80211_MFP_NO)
6773			return -EINVAL;
6774	} else {
6775		connect.mfp = NL80211_MFP_NO;
6776	}
6777
6778	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
6779		connect.channel =
6780			ieee80211_get_channel(wiphy,
6781			    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
6782		if (!connect.channel ||
6783		    connect.channel->flags & IEEE80211_CHAN_DISABLED)
6784			return -EINVAL;
6785	}
6786
6787	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
6788		connkeys = nl80211_parse_connkeys(rdev,
6789					  info->attrs[NL80211_ATTR_KEYS], NULL);
6790		if (IS_ERR(connkeys))
6791			return PTR_ERR(connkeys);
6792	}
6793
6794	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
6795		connect.flags |= ASSOC_REQ_DISABLE_HT;
6796
6797	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
6798		memcpy(&connect.ht_capa_mask,
6799		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
6800		       sizeof(connect.ht_capa_mask));
6801
6802	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
6803		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
6804			kfree(connkeys);
6805			return -EINVAL;
6806		}
6807		memcpy(&connect.ht_capa,
6808		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
6809		       sizeof(connect.ht_capa));
6810	}
6811
6812	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
6813		connect.flags |= ASSOC_REQ_DISABLE_VHT;
6814
6815	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
6816		memcpy(&connect.vht_capa_mask,
6817		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
6818		       sizeof(connect.vht_capa_mask));
6819
6820	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
6821		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
6822			kfree(connkeys);
6823			return -EINVAL;
6824		}
6825		memcpy(&connect.vht_capa,
6826		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
6827		       sizeof(connect.vht_capa));
6828	}
6829
6830	err = cfg80211_connect(rdev, dev, &connect, connkeys);
6831	if (err)
6832		kfree(connkeys);
6833	return err;
6834}
6835
6836static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
6837{
6838	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6839	struct net_device *dev = info->user_ptr[1];
6840	u16 reason;
6841
6842	if (!info->attrs[NL80211_ATTR_REASON_CODE])
6843		reason = WLAN_REASON_DEAUTH_LEAVING;
6844	else
6845		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
6846
6847	if (reason == 0)
6848		return -EINVAL;
6849
6850	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6851	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6852		return -EOPNOTSUPP;
6853
6854	return cfg80211_disconnect(rdev, dev, reason, true);
6855}
6856
6857static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
6858{
6859	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6860	struct net *net;
6861	int err;
6862	u32 pid;
6863
6864	if (!info->attrs[NL80211_ATTR_PID])
6865		return -EINVAL;
6866
6867	pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
6868
6869	net = get_net_ns_by_pid(pid);
6870	if (IS_ERR(net))
6871		return PTR_ERR(net);
6872
6873	err = 0;
6874
6875	/* check if anything to do */
6876	if (!net_eq(wiphy_net(&rdev->wiphy), net))
6877		err = cfg80211_switch_netns(rdev, net);
6878
6879	put_net(net);
6880	return err;
6881}
6882
6883static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
6884{
6885	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6886	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
6887			struct cfg80211_pmksa *pmksa) = NULL;
6888	struct net_device *dev = info->user_ptr[1];
6889	struct cfg80211_pmksa pmksa;
6890
6891	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
6892
6893	if (!info->attrs[NL80211_ATTR_MAC])
6894		return -EINVAL;
6895
6896	if (!info->attrs[NL80211_ATTR_PMKID])
6897		return -EINVAL;
6898
6899	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
6900	pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6901
6902	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6903	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6904		return -EOPNOTSUPP;
6905
6906	switch (info->genlhdr->cmd) {
6907	case NL80211_CMD_SET_PMKSA:
6908		rdev_ops = rdev->ops->set_pmksa;
6909		break;
6910	case NL80211_CMD_DEL_PMKSA:
6911		rdev_ops = rdev->ops->del_pmksa;
6912		break;
6913	default:
6914		WARN_ON(1);
6915		break;
6916	}
6917
6918	if (!rdev_ops)
6919		return -EOPNOTSUPP;
6920
6921	return rdev_ops(&rdev->wiphy, dev, &pmksa);
6922}
6923
6924static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
6925{
6926	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6927	struct net_device *dev = info->user_ptr[1];
6928
6929	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6930	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6931		return -EOPNOTSUPP;
6932
6933	if (!rdev->ops->flush_pmksa)
6934		return -EOPNOTSUPP;
6935
6936	return rdev_flush_pmksa(rdev, dev);
6937}
6938
6939static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
6940{
6941	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6942	struct net_device *dev = info->user_ptr[1];
6943	u8 action_code, dialog_token;
6944	u16 status_code;
6945	u8 *peer;
6946
6947	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
6948	    !rdev->ops->tdls_mgmt)
6949		return -EOPNOTSUPP;
6950
6951	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
6952	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
6953	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
6954	    !info->attrs[NL80211_ATTR_IE] ||
6955	    !info->attrs[NL80211_ATTR_MAC])
6956		return -EINVAL;
6957
6958	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
6959	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
6960	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
6961	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
6962
6963	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
6964			      dialog_token, status_code,
6965			      nla_data(info->attrs[NL80211_ATTR_IE]),
6966			      nla_len(info->attrs[NL80211_ATTR_IE]));
6967}
6968
6969static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
6970{
6971	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6972	struct net_device *dev = info->user_ptr[1];
6973	enum nl80211_tdls_operation operation;
6974	u8 *peer;
6975
6976	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
6977	    !rdev->ops->tdls_oper)
6978		return -EOPNOTSUPP;
6979
6980	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
6981	    !info->attrs[NL80211_ATTR_MAC])
6982		return -EINVAL;
6983
6984	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
6985	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
6986
6987	return rdev_tdls_oper(rdev, dev, peer, operation);
6988}
6989
6990static int nl80211_remain_on_channel(struct sk_buff *skb,
6991				     struct genl_info *info)
6992{
6993	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6994	struct wireless_dev *wdev = info->user_ptr[1];
6995	struct cfg80211_chan_def chandef;
6996	struct sk_buff *msg;
6997	void *hdr;
6998	u64 cookie;
6999	u32 duration;
7000	int err;
7001
7002	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
7003	    !info->attrs[NL80211_ATTR_DURATION])
7004		return -EINVAL;
7005
7006	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
7007
7008	if (!rdev->ops->remain_on_channel ||
7009	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
7010		return -EOPNOTSUPP;
7011
7012	/*
7013	 * We should be on that channel for at least a minimum amount of
7014	 * time (10ms) but no longer than the driver supports.
7015	 */
7016	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
7017	    duration > rdev->wiphy.max_remain_on_channel_duration)
7018		return -EINVAL;
7019
7020	err = nl80211_parse_chandef(rdev, info, &chandef);
7021	if (err)
7022		return err;
7023
7024	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7025	if (!msg)
7026		return -ENOMEM;
7027
7028	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7029			     NL80211_CMD_REMAIN_ON_CHANNEL);
7030	if (!hdr) {
7031		err = -ENOBUFS;
7032		goto free_msg;
7033	}
7034
7035	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
7036				     duration, &cookie);
7037
7038	if (err)
7039		goto free_msg;
7040
7041	if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
7042		goto nla_put_failure;
7043
7044	genlmsg_end(msg, hdr);
7045
7046	return genlmsg_reply(msg, info);
7047
7048 nla_put_failure:
7049	err = -ENOBUFS;
7050 free_msg:
7051	nlmsg_free(msg);
7052	return err;
7053}
7054
7055static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
7056					    struct genl_info *info)
7057{
7058	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7059	struct wireless_dev *wdev = info->user_ptr[1];
7060	u64 cookie;
7061
7062	if (!info->attrs[NL80211_ATTR_COOKIE])
7063		return -EINVAL;
7064
7065	if (!rdev->ops->cancel_remain_on_channel)
7066		return -EOPNOTSUPP;
7067
7068	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
7069
7070	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
7071}
7072
7073static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
7074			   u8 *rates, u8 rates_len)
7075{
7076	u8 i;
7077	u32 mask = 0;
7078
7079	for (i = 0; i < rates_len; i++) {
7080		int rate = (rates[i] & 0x7f) * 5;
7081		int ridx;
7082		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
7083			struct ieee80211_rate *srate =
7084				&sband->bitrates[ridx];
7085			if (rate == srate->bitrate) {
7086				mask |= 1 << ridx;
7087				break;
7088			}
7089		}
7090		if (ridx == sband->n_bitrates)
7091			return 0; /* rate not found */
7092	}
7093
7094	return mask;
7095}
7096
7097static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
7098			       u8 *rates, u8 rates_len,
7099			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
7100{
7101	u8 i;
7102
7103	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
7104
7105	for (i = 0; i < rates_len; i++) {
7106		int ridx, rbit;
7107
7108		ridx = rates[i] / 8;
7109		rbit = BIT(rates[i] % 8);
7110
7111		/* check validity */
7112		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
7113			return false;
7114
7115		/* check availability */
7116		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
7117			mcs[ridx] |= rbit;
7118		else
7119			return false;
7120	}
7121
7122	return true;
7123}
7124
7125static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
7126	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
7127				    .len = NL80211_MAX_SUPP_RATES },
7128	[NL80211_TXRATE_MCS] = { .type = NLA_BINARY,
7129				 .len = NL80211_MAX_SUPP_HT_RATES },
7130};
7131
7132static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
7133				       struct genl_info *info)
7134{
7135	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
7136	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7137	struct cfg80211_bitrate_mask mask;
7138	int rem, i;
7139	struct net_device *dev = info->user_ptr[1];
7140	struct nlattr *tx_rates;
7141	struct ieee80211_supported_band *sband;
7142
7143	if (info->attrs[NL80211_ATTR_TX_RATES] == NULL)
7144		return -EINVAL;
7145
7146	if (!rdev->ops->set_bitrate_mask)
7147		return -EOPNOTSUPP;
7148
7149	memset(&mask, 0, sizeof(mask));
7150	/* Default to all rates enabled */
7151	for (i = 0; i < IEEE80211_NUM_BANDS; i++) {
7152		sband = rdev->wiphy.bands[i];
7153		mask.control[i].legacy =
7154			sband ? (1 << sband->n_bitrates) - 1 : 0;
7155		if (sband)
7156			memcpy(mask.control[i].mcs,
7157			       sband->ht_cap.mcs.rx_mask,
7158			       sizeof(mask.control[i].mcs));
7159		else
7160			memset(mask.control[i].mcs, 0,
7161			       sizeof(mask.control[i].mcs));
7162	}
7163
7164	/*
7165	 * The nested attribute uses enum nl80211_band as the index. This maps
7166	 * directly to the enum ieee80211_band values used in cfg80211.
7167	 */
7168	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
7169	nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem)
7170	{
7171		enum ieee80211_band band = nla_type(tx_rates);
7172		if (band < 0 || band >= IEEE80211_NUM_BANDS)
7173			return -EINVAL;
7174		sband = rdev->wiphy.bands[band];
7175		if (sband == NULL)
7176			return -EINVAL;
7177		nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates),
7178			  nla_len(tx_rates), nl80211_txattr_policy);
7179		if (tb[NL80211_TXRATE_LEGACY]) {
7180			mask.control[band].legacy = rateset_to_mask(
7181				sband,
7182				nla_data(tb[NL80211_TXRATE_LEGACY]),
7183				nla_len(tb[NL80211_TXRATE_LEGACY]));
7184			if ((mask.control[band].legacy == 0) &&
7185			    nla_len(tb[NL80211_TXRATE_LEGACY]))
7186				return -EINVAL;
7187		}
7188		if (tb[NL80211_TXRATE_MCS]) {
7189			if (!ht_rateset_to_mask(
7190					sband,
7191					nla_data(tb[NL80211_TXRATE_MCS]),
7192					nla_len(tb[NL80211_TXRATE_MCS]),
7193					mask.control[band].mcs))
7194				return -EINVAL;
7195		}
7196
7197		if (mask.control[band].legacy == 0) {
7198			/* don't allow empty legacy rates if HT
7199			 * is not even supported. */
7200			if (!rdev->wiphy.bands[band]->ht_cap.ht_supported)
7201				return -EINVAL;
7202
7203			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
7204				if (mask.control[band].mcs[i])
7205					break;
7206
7207			/* legacy and mcs rates may not be both empty */
7208			if (i == IEEE80211_HT_MCS_MASK_LEN)
7209				return -EINVAL;
7210		}
7211	}
7212
7213	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
7214}
7215
7216static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
7217{
7218	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7219	struct wireless_dev *wdev = info->user_ptr[1];
7220	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
7221
7222	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
7223		return -EINVAL;
7224
7225	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
7226		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
7227
7228	switch (wdev->iftype) {
7229	case NL80211_IFTYPE_STATION:
7230	case NL80211_IFTYPE_ADHOC:
7231	case NL80211_IFTYPE_P2P_CLIENT:
7232	case NL80211_IFTYPE_AP:
7233	case NL80211_IFTYPE_AP_VLAN:
7234	case NL80211_IFTYPE_MESH_POINT:
7235	case NL80211_IFTYPE_P2P_GO:
7236	case NL80211_IFTYPE_P2P_DEVICE:
7237		break;
7238	default:
7239		return -EOPNOTSUPP;
7240	}
7241
7242	/* not much point in registering if we can't reply */
7243	if (!rdev->ops->mgmt_tx)
7244		return -EOPNOTSUPP;
7245
7246	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
7247			nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
7248			nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]));
7249}
7250
7251static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
7252{
7253	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7254	struct wireless_dev *wdev = info->user_ptr[1];
7255	struct cfg80211_chan_def chandef;
7256	int err;
7257	void *hdr = NULL;
7258	u64 cookie;
7259	struct sk_buff *msg = NULL;
7260	unsigned int wait = 0;
7261	bool offchan, no_cck, dont_wait_for_ack;
7262
7263	dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
7264
7265	if (!info->attrs[NL80211_ATTR_FRAME])
7266		return -EINVAL;
7267
7268	if (!rdev->ops->mgmt_tx)
7269		return -EOPNOTSUPP;
7270
7271	switch (wdev->iftype) {
7272	case NL80211_IFTYPE_STATION:
7273	case NL80211_IFTYPE_ADHOC:
7274	case NL80211_IFTYPE_P2P_CLIENT:
7275	case NL80211_IFTYPE_AP:
7276	case NL80211_IFTYPE_AP_VLAN:
7277	case NL80211_IFTYPE_MESH_POINT:
7278	case NL80211_IFTYPE_P2P_GO:
7279	case NL80211_IFTYPE_P2P_DEVICE:
7280		break;
7281	default:
7282		return -EOPNOTSUPP;
7283	}
7284
7285	if (info->attrs[NL80211_ATTR_DURATION]) {
7286		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
7287			return -EINVAL;
7288		wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
7289
7290		/*
7291		 * We should wait on the channel for at least a minimum amount
7292		 * of time (10ms) but no longer than the driver supports.
7293		 */
7294		if (wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
7295		    wait > rdev->wiphy.max_remain_on_channel_duration)
7296			return -EINVAL;
7297
7298	}
7299
7300	offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
7301
7302	if (offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
7303		return -EINVAL;
7304
7305	no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
7306
7307	err = nl80211_parse_chandef(rdev, info, &chandef);
7308	if (err)
7309		return err;
7310
7311	if (!dont_wait_for_ack) {
7312		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7313		if (!msg)
7314			return -ENOMEM;
7315
7316		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7317				     NL80211_CMD_FRAME);
7318		if (!hdr) {
7319			err = -ENOBUFS;
7320			goto free_msg;
7321		}
7322	}
7323
7324	err = cfg80211_mlme_mgmt_tx(rdev, wdev, chandef.chan, offchan, wait,
7325				    nla_data(info->attrs[NL80211_ATTR_FRAME]),
7326				    nla_len(info->attrs[NL80211_ATTR_FRAME]),
7327				    no_cck, dont_wait_for_ack, &cookie);
7328	if (err)
7329		goto free_msg;
7330
7331	if (msg) {
7332		if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
7333			goto nla_put_failure;
7334
7335		genlmsg_end(msg, hdr);
7336		return genlmsg_reply(msg, info);
7337	}
7338
7339	return 0;
7340
7341 nla_put_failure:
7342	err = -ENOBUFS;
7343 free_msg:
7344	nlmsg_free(msg);
7345	return err;
7346}
7347
7348static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
7349{
7350	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7351	struct wireless_dev *wdev = info->user_ptr[1];
7352	u64 cookie;
7353
7354	if (!info->attrs[NL80211_ATTR_COOKIE])
7355		return -EINVAL;
7356
7357	if (!rdev->ops->mgmt_tx_cancel_wait)
7358		return -EOPNOTSUPP;
7359
7360	switch (wdev->iftype) {
7361	case NL80211_IFTYPE_STATION:
7362	case NL80211_IFTYPE_ADHOC:
7363	case NL80211_IFTYPE_P2P_CLIENT:
7364	case NL80211_IFTYPE_AP:
7365	case NL80211_IFTYPE_AP_VLAN:
7366	case NL80211_IFTYPE_P2P_GO:
7367	case NL80211_IFTYPE_P2P_DEVICE:
7368		break;
7369	default:
7370		return -EOPNOTSUPP;
7371	}
7372
7373	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
7374
7375	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
7376}
7377
7378static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
7379{
7380	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7381	struct wireless_dev *wdev;
7382	struct net_device *dev = info->user_ptr[1];
7383	u8 ps_state;
7384	bool state;
7385	int err;
7386
7387	if (!info->attrs[NL80211_ATTR_PS_STATE])
7388		return -EINVAL;
7389
7390	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
7391
7392	if (ps_state != NL80211_PS_DISABLED && ps_state != NL80211_PS_ENABLED)
7393		return -EINVAL;
7394
7395	wdev = dev->ieee80211_ptr;
7396
7397	if (!rdev->ops->set_power_mgmt)
7398		return -EOPNOTSUPP;
7399
7400	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
7401
7402	if (state == wdev->ps)
7403		return 0;
7404
7405	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
7406	if (!err)
7407		wdev->ps = state;
7408	return err;
7409}
7410
7411static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
7412{
7413	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7414	enum nl80211_ps_state ps_state;
7415	struct wireless_dev *wdev;
7416	struct net_device *dev = info->user_ptr[1];
7417	struct sk_buff *msg;
7418	void *hdr;
7419	int err;
7420
7421	wdev = dev->ieee80211_ptr;
7422
7423	if (!rdev->ops->set_power_mgmt)
7424		return -EOPNOTSUPP;
7425
7426	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7427	if (!msg)
7428		return -ENOMEM;
7429
7430	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7431			     NL80211_CMD_GET_POWER_SAVE);
7432	if (!hdr) {
7433		err = -ENOBUFS;
7434		goto free_msg;
7435	}
7436
7437	if (wdev->ps)
7438		ps_state = NL80211_PS_ENABLED;
7439	else
7440		ps_state = NL80211_PS_DISABLED;
7441
7442	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
7443		goto nla_put_failure;
7444
7445	genlmsg_end(msg, hdr);
7446	return genlmsg_reply(msg, info);
7447
7448 nla_put_failure:
7449	err = -ENOBUFS;
7450 free_msg:
7451	nlmsg_free(msg);
7452	return err;
7453}
7454
7455static struct nla_policy
7456nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] __read_mostly = {
7457	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_U32 },
7458	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
7459	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
7460	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
7461	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
7462	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
7463};
7464
7465static int nl80211_set_cqm_txe(struct genl_info *info,
7466			       u32 rate, u32 pkts, u32 intvl)
7467{
7468	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7469	struct wireless_dev *wdev;
7470	struct net_device *dev = info->user_ptr[1];
7471
7472	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
7473		return -EINVAL;
7474
7475	wdev = dev->ieee80211_ptr;
7476
7477	if (!rdev->ops->set_cqm_txe_config)
7478		return -EOPNOTSUPP;
7479
7480	if (wdev->iftype != NL80211_IFTYPE_STATION &&
7481	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
7482		return -EOPNOTSUPP;
7483
7484	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
7485}
7486
7487static int nl80211_set_cqm_rssi(struct genl_info *info,
7488				s32 threshold, u32 hysteresis)
7489{
7490	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7491	struct wireless_dev *wdev;
7492	struct net_device *dev = info->user_ptr[1];
7493
7494	if (threshold > 0)
7495		return -EINVAL;
7496
7497	wdev = dev->ieee80211_ptr;
7498
7499	if (!rdev->ops->set_cqm_rssi_config)
7500		return -EOPNOTSUPP;
7501
7502	if (wdev->iftype != NL80211_IFTYPE_STATION &&
7503	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
7504		return -EOPNOTSUPP;
7505
7506	return rdev_set_cqm_rssi_config(rdev, dev, threshold, hysteresis);
7507}
7508
7509static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
7510{
7511	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
7512	struct nlattr *cqm;
7513	int err;
7514
7515	cqm = info->attrs[NL80211_ATTR_CQM];
7516	if (!cqm) {
7517		err = -EINVAL;
7518		goto out;
7519	}
7520
7521	err = nla_parse_nested(attrs, NL80211_ATTR_CQM_MAX, cqm,
7522			       nl80211_attr_cqm_policy);
7523	if (err)
7524		goto out;
7525
7526	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
7527	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
7528		s32 threshold;
7529		u32 hysteresis;
7530		threshold = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
7531		hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
7532		err = nl80211_set_cqm_rssi(info, threshold, hysteresis);
7533	} else if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
7534		   attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
7535		   attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
7536		u32 rate, pkts, intvl;
7537		rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
7538		pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
7539		intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
7540		err = nl80211_set_cqm_txe(info, rate, pkts, intvl);
7541	} else
7542		err = -EINVAL;
7543
7544out:
7545	return err;
7546}
7547
7548static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
7549{
7550	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7551	struct net_device *dev = info->user_ptr[1];
7552	struct mesh_config cfg;
7553	struct mesh_setup setup;
7554	int err;
7555
7556	/* start with default */
7557	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
7558	memcpy(&setup, &default_mesh_setup, sizeof(setup));
7559
7560	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
7561		/* and parse parameters if given */
7562		err = nl80211_parse_mesh_config(info, &cfg, NULL);
7563		if (err)
7564			return err;
7565	}
7566
7567	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
7568	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
7569		return -EINVAL;
7570
7571	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
7572	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
7573
7574	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
7575	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
7576			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
7577			return -EINVAL;
7578
7579	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
7580		setup.beacon_interval =
7581			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
7582		if (setup.beacon_interval < 10 ||
7583		    setup.beacon_interval > 10000)
7584			return -EINVAL;
7585	}
7586
7587	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
7588		setup.dtim_period =
7589			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
7590		if (setup.dtim_period < 1 || setup.dtim_period > 100)
7591			return -EINVAL;
7592	}
7593
7594	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
7595		/* parse additional setup parameters if given */
7596		err = nl80211_parse_mesh_setup(info, &setup);
7597		if (err)
7598			return err;
7599	}
7600
7601	if (setup.user_mpm)
7602		cfg.auto_open_plinks = false;
7603
7604	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
7605		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
7606		if (err)
7607			return err;
7608	} else {
7609		/* cfg80211_join_mesh() will sort it out */
7610		setup.chandef.chan = NULL;
7611	}
7612
7613	return cfg80211_join_mesh(rdev, dev, &setup, &cfg);
7614}
7615
7616static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
7617{
7618	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7619	struct net_device *dev = info->user_ptr[1];
7620
7621	return cfg80211_leave_mesh(rdev, dev);
7622}
7623
7624#ifdef CONFIG_PM
7625static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
7626					struct cfg80211_registered_device *rdev)
7627{
7628	struct nlattr *nl_pats, *nl_pat;
7629	int i, pat_len;
7630
7631	if (!rdev->wowlan->n_patterns)
7632		return 0;
7633
7634	nl_pats = nla_nest_start(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
7635	if (!nl_pats)
7636		return -ENOBUFS;
7637
7638	for (i = 0; i < rdev->wowlan->n_patterns; i++) {
7639		nl_pat = nla_nest_start(msg, i + 1);
7640		if (!nl_pat)
7641			return -ENOBUFS;
7642		pat_len = rdev->wowlan->patterns[i].pattern_len;
7643		if (nla_put(msg, NL80211_WOWLAN_PKTPAT_MASK,
7644			    DIV_ROUND_UP(pat_len, 8),
7645			    rdev->wowlan->patterns[i].mask) ||
7646		    nla_put(msg, NL80211_WOWLAN_PKTPAT_PATTERN,
7647			    pat_len, rdev->wowlan->patterns[i].pattern) ||
7648		    nla_put_u32(msg, NL80211_WOWLAN_PKTPAT_OFFSET,
7649				rdev->wowlan->patterns[i].pkt_offset))
7650			return -ENOBUFS;
7651		nla_nest_end(msg, nl_pat);
7652	}
7653	nla_nest_end(msg, nl_pats);
7654
7655	return 0;
7656}
7657
7658static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
7659				   struct cfg80211_wowlan_tcp *tcp)
7660{
7661	struct nlattr *nl_tcp;
7662
7663	if (!tcp)
7664		return 0;
7665
7666	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
7667	if (!nl_tcp)
7668		return -ENOBUFS;
7669
7670	if (nla_put_be32(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
7671	    nla_put_be32(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
7672	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
7673	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
7674	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
7675	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
7676		    tcp->payload_len, tcp->payload) ||
7677	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
7678			tcp->data_interval) ||
7679	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
7680		    tcp->wake_len, tcp->wake_data) ||
7681	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
7682		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
7683		return -ENOBUFS;
7684
7685	if (tcp->payload_seq.len &&
7686	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
7687		    sizeof(tcp->payload_seq), &tcp->payload_seq))
7688		return -ENOBUFS;
7689
7690	if (tcp->payload_tok.len &&
7691	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
7692		    sizeof(tcp->payload_tok) + tcp->tokens_size,
7693		    &tcp->payload_tok))
7694		return -ENOBUFS;
7695
7696	nla_nest_end(msg, nl_tcp);
7697
7698	return 0;
7699}
7700
7701static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
7702{
7703	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7704	struct sk_buff *msg;
7705	void *hdr;
7706	u32 size = NLMSG_DEFAULT_SIZE;
7707
7708	if (!rdev->wiphy.wowlan.flags && !rdev->wiphy.wowlan.n_patterns &&
7709	    !rdev->wiphy.wowlan.tcp)
7710		return -EOPNOTSUPP;
7711
7712	if (rdev->wowlan && rdev->wowlan->tcp) {
7713		/* adjust size to have room for all the data */
7714		size += rdev->wowlan->tcp->tokens_size +
7715			rdev->wowlan->tcp->payload_len +
7716			rdev->wowlan->tcp->wake_len +
7717			rdev->wowlan->tcp->wake_len / 8;
7718	}
7719
7720	msg = nlmsg_new(size, GFP_KERNEL);
7721	if (!msg)
7722		return -ENOMEM;
7723
7724	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7725			     NL80211_CMD_GET_WOWLAN);
7726	if (!hdr)
7727		goto nla_put_failure;
7728
7729	if (rdev->wowlan) {
7730		struct nlattr *nl_wowlan;
7731
7732		nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
7733		if (!nl_wowlan)
7734			goto nla_put_failure;
7735
7736		if ((rdev->wowlan->any &&
7737		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
7738		    (rdev->wowlan->disconnect &&
7739		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
7740		    (rdev->wowlan->magic_pkt &&
7741		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
7742		    (rdev->wowlan->gtk_rekey_failure &&
7743		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
7744		    (rdev->wowlan->eap_identity_req &&
7745		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
7746		    (rdev->wowlan->four_way_handshake &&
7747		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
7748		    (rdev->wowlan->rfkill_release &&
7749		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
7750			goto nla_put_failure;
7751
7752		if (nl80211_send_wowlan_patterns(msg, rdev))
7753			goto nla_put_failure;
7754
7755		if (nl80211_send_wowlan_tcp(msg, rdev->wowlan->tcp))
7756			goto nla_put_failure;
7757
7758		nla_nest_end(msg, nl_wowlan);
7759	}
7760
7761	genlmsg_end(msg, hdr);
7762	return genlmsg_reply(msg, info);
7763
7764nla_put_failure:
7765	nlmsg_free(msg);
7766	return -ENOBUFS;
7767}
7768
7769static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
7770				    struct nlattr *attr,
7771				    struct cfg80211_wowlan *trig)
7772{
7773	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
7774	struct cfg80211_wowlan_tcp *cfg;
7775	struct nl80211_wowlan_tcp_data_token *tok = NULL;
7776	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
7777	u32 size;
7778	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
7779	int err, port;
7780
7781	if (!rdev->wiphy.wowlan.tcp)
7782		return -EINVAL;
7783
7784	err = nla_parse(tb, MAX_NL80211_WOWLAN_TCP,
7785			nla_data(attr), nla_len(attr),
7786			nl80211_wowlan_tcp_policy);
7787	if (err)
7788		return err;
7789
7790	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
7791	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
7792	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
7793	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
7794	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
7795	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
7796	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
7797	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
7798		return -EINVAL;
7799
7800	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
7801	if (data_size > rdev->wiphy.wowlan.tcp->data_payload_max)
7802		return -EINVAL;
7803
7804	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
7805			rdev->wiphy.wowlan.tcp->data_interval_max ||
7806	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
7807		return -EINVAL;
7808
7809	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
7810	if (wake_size > rdev->wiphy.wowlan.tcp->wake_payload_max)
7811		return -EINVAL;
7812
7813	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
7814	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
7815		return -EINVAL;
7816
7817	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
7818		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
7819
7820		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
7821		tokens_size = tokln - sizeof(*tok);
7822
7823		if (!tok->len || tokens_size % tok->len)
7824			return -EINVAL;
7825		if (!rdev->wiphy.wowlan.tcp->tok)
7826			return -EINVAL;
7827		if (tok->len > rdev->wiphy.wowlan.tcp->tok->max_len)
7828			return -EINVAL;
7829		if (tok->len < rdev->wiphy.wowlan.tcp->tok->min_len)
7830			return -EINVAL;
7831		if (tokens_size > rdev->wiphy.wowlan.tcp->tok->bufsize)
7832			return -EINVAL;
7833		if (tok->offset + tok->len > data_size)
7834			return -EINVAL;
7835	}
7836
7837	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
7838		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
7839		if (!rdev->wiphy.wowlan.tcp->seq)
7840			return -EINVAL;
7841		if (seq->len == 0 || seq->len > 4)
7842			return -EINVAL;
7843		if (seq->len + seq->offset > data_size)
7844			return -EINVAL;
7845	}
7846
7847	size = sizeof(*cfg);
7848	size += data_size;
7849	size += wake_size + wake_mask_size;
7850	size += tokens_size;
7851
7852	cfg = kzalloc(size, GFP_KERNEL);
7853	if (!cfg)
7854		return -ENOMEM;
7855	cfg->src = nla_get_be32(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
7856	cfg->dst = nla_get_be32(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
7857	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
7858	       ETH_ALEN);
7859	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
7860		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
7861	else
7862		port = 0;
7863#ifdef CONFIG_INET
7864	/* allocate a socket and port for it and use it */
7865	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
7866			    IPPROTO_TCP, &cfg->sock, 1);
7867	if (err) {
7868		kfree(cfg);
7869		return err;
7870	}
7871	if (inet_csk_get_port(cfg->sock->sk, port)) {
7872		sock_release(cfg->sock);
7873		kfree(cfg);
7874		return -EADDRINUSE;
7875	}
7876	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
7877#else
7878	if (!port) {
7879		kfree(cfg);
7880		return -EINVAL;
7881	}
7882	cfg->src_port = port;
7883#endif
7884
7885	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
7886	cfg->payload_len = data_size;
7887	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
7888	memcpy((void *)cfg->payload,
7889	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
7890	       data_size);
7891	if (seq)
7892		cfg->payload_seq = *seq;
7893	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
7894	cfg->wake_len = wake_size;
7895	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
7896	memcpy((void *)cfg->wake_data,
7897	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
7898	       wake_size);
7899	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
7900			 data_size + wake_size;
7901	memcpy((void *)cfg->wake_mask,
7902	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
7903	       wake_mask_size);
7904	if (tok) {
7905		cfg->tokens_size = tokens_size;
7906		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
7907	}
7908
7909	trig->tcp = cfg;
7910
7911	return 0;
7912}
7913
7914static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
7915{
7916	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7917	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
7918	struct cfg80211_wowlan new_triggers = {};
7919	struct cfg80211_wowlan *ntrig;
7920	struct wiphy_wowlan_support *wowlan = &rdev->wiphy.wowlan;
7921	int err, i;
7922	bool prev_enabled = rdev->wowlan;
7923
7924	if (!rdev->wiphy.wowlan.flags && !rdev->wiphy.wowlan.n_patterns &&
7925	    !rdev->wiphy.wowlan.tcp)
7926		return -EOPNOTSUPP;
7927
7928	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
7929		cfg80211_rdev_free_wowlan(rdev);
7930		rdev->wowlan = NULL;
7931		goto set_wakeup;
7932	}
7933
7934	err = nla_parse(tb, MAX_NL80211_WOWLAN_TRIG,
7935			nla_data(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
7936			nla_len(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
7937			nl80211_wowlan_policy);
7938	if (err)
7939		return err;
7940
7941	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
7942		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
7943			return -EINVAL;
7944		new_triggers.any = true;
7945	}
7946
7947	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
7948		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
7949			return -EINVAL;
7950		new_triggers.disconnect = true;
7951	}
7952
7953	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
7954		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
7955			return -EINVAL;
7956		new_triggers.magic_pkt = true;
7957	}
7958
7959	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
7960		return -EINVAL;
7961
7962	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
7963		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
7964			return -EINVAL;
7965		new_triggers.gtk_rekey_failure = true;
7966	}
7967
7968	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
7969		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
7970			return -EINVAL;
7971		new_triggers.eap_identity_req = true;
7972	}
7973
7974	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
7975		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
7976			return -EINVAL;
7977		new_triggers.four_way_handshake = true;
7978	}
7979
7980	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
7981		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
7982			return -EINVAL;
7983		new_triggers.rfkill_release = true;
7984	}
7985
7986	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
7987		struct nlattr *pat;
7988		int n_patterns = 0;
7989		int rem, pat_len, mask_len, pkt_offset;
7990		struct nlattr *pat_tb[NUM_NL80211_WOWLAN_PKTPAT];
7991
7992		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
7993				    rem)
7994			n_patterns++;
7995		if (n_patterns > wowlan->n_patterns)
7996			return -EINVAL;
7997
7998		new_triggers.patterns = kcalloc(n_patterns,
7999						sizeof(new_triggers.patterns[0]),
8000						GFP_KERNEL);
8001		if (!new_triggers.patterns)
8002			return -ENOMEM;
8003
8004		new_triggers.n_patterns = n_patterns;
8005		i = 0;
8006
8007		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
8008				    rem) {
8009			nla_parse(pat_tb, MAX_NL80211_WOWLAN_PKTPAT,
8010				  nla_data(pat), nla_len(pat), NULL);
8011			err = -EINVAL;
8012			if (!pat_tb[NL80211_WOWLAN_PKTPAT_MASK] ||
8013			    !pat_tb[NL80211_WOWLAN_PKTPAT_PATTERN])
8014				goto error;
8015			pat_len = nla_len(pat_tb[NL80211_WOWLAN_PKTPAT_PATTERN]);
8016			mask_len = DIV_ROUND_UP(pat_len, 8);
8017			if (nla_len(pat_tb[NL80211_WOWLAN_PKTPAT_MASK]) !=
8018			    mask_len)
8019				goto error;
8020			if (pat_len > wowlan->pattern_max_len ||
8021			    pat_len < wowlan->pattern_min_len)
8022				goto error;
8023
8024			if (!pat_tb[NL80211_WOWLAN_PKTPAT_OFFSET])
8025				pkt_offset = 0;
8026			else
8027				pkt_offset = nla_get_u32(
8028					pat_tb[NL80211_WOWLAN_PKTPAT_OFFSET]);
8029			if (pkt_offset > wowlan->max_pkt_offset)
8030				goto error;
8031			new_triggers.patterns[i].pkt_offset = pkt_offset;
8032
8033			new_triggers.patterns[i].mask =
8034				kmalloc(mask_len + pat_len, GFP_KERNEL);
8035			if (!new_triggers.patterns[i].mask) {
8036				err = -ENOMEM;
8037				goto error;
8038			}
8039			new_triggers.patterns[i].pattern =
8040				new_triggers.patterns[i].mask + mask_len;
8041			memcpy(new_triggers.patterns[i].mask,
8042			       nla_data(pat_tb[NL80211_WOWLAN_PKTPAT_MASK]),
8043			       mask_len);
8044			new_triggers.patterns[i].pattern_len = pat_len;
8045			memcpy(new_triggers.patterns[i].pattern,
8046			       nla_data(pat_tb[NL80211_WOWLAN_PKTPAT_PATTERN]),
8047			       pat_len);
8048			i++;
8049		}
8050	}
8051
8052	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
8053		err = nl80211_parse_wowlan_tcp(
8054			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
8055			&new_triggers);
8056		if (err)
8057			goto error;
8058	}
8059
8060	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
8061	if (!ntrig) {
8062		err = -ENOMEM;
8063		goto error;
8064	}
8065	cfg80211_rdev_free_wowlan(rdev);
8066	rdev->wowlan = ntrig;
8067
8068 set_wakeup:
8069	if (rdev->ops->set_wakeup && prev_enabled != !!rdev->wowlan)
8070		rdev_set_wakeup(rdev, rdev->wowlan);
8071
8072	return 0;
8073 error:
8074	for (i = 0; i < new_triggers.n_patterns; i++)
8075		kfree(new_triggers.patterns[i].mask);
8076	kfree(new_triggers.patterns);
8077	if (new_triggers.tcp && new_triggers.tcp->sock)
8078		sock_release(new_triggers.tcp->sock);
8079	kfree(new_triggers.tcp);
8080	return err;
8081}
8082#endif
8083
8084static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
8085{
8086	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8087	struct net_device *dev = info->user_ptr[1];
8088	struct wireless_dev *wdev = dev->ieee80211_ptr;
8089	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
8090	struct cfg80211_gtk_rekey_data rekey_data;
8091	int err;
8092
8093	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
8094		return -EINVAL;
8095
8096	err = nla_parse(tb, MAX_NL80211_REKEY_DATA,
8097			nla_data(info->attrs[NL80211_ATTR_REKEY_DATA]),
8098			nla_len(info->attrs[NL80211_ATTR_REKEY_DATA]),
8099			nl80211_rekey_policy);
8100	if (err)
8101		return err;
8102
8103	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
8104		return -ERANGE;
8105	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
8106		return -ERANGE;
8107	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN)
8108		return -ERANGE;
8109
8110	memcpy(rekey_data.kek, nla_data(tb[NL80211_REKEY_DATA_KEK]),
8111	       NL80211_KEK_LEN);
8112	memcpy(rekey_data.kck, nla_data(tb[NL80211_REKEY_DATA_KCK]),
8113	       NL80211_KCK_LEN);
8114	memcpy(rekey_data.replay_ctr,
8115	       nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]),
8116	       NL80211_REPLAY_CTR_LEN);
8117
8118	wdev_lock(wdev);
8119	if (!wdev->current_bss) {
8120		err = -ENOTCONN;
8121		goto out;
8122	}
8123
8124	if (!rdev->ops->set_rekey_data) {
8125		err = -EOPNOTSUPP;
8126		goto out;
8127	}
8128
8129	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
8130 out:
8131	wdev_unlock(wdev);
8132	return err;
8133}
8134
8135static int nl80211_register_unexpected_frame(struct sk_buff *skb,
8136					     struct genl_info *info)
8137{
8138	struct net_device *dev = info->user_ptr[1];
8139	struct wireless_dev *wdev = dev->ieee80211_ptr;
8140
8141	if (wdev->iftype != NL80211_IFTYPE_AP &&
8142	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
8143		return -EINVAL;
8144
8145	if (wdev->ap_unexpected_nlportid)
8146		return -EBUSY;
8147
8148	wdev->ap_unexpected_nlportid = info->snd_portid;
8149	return 0;
8150}
8151
8152static int nl80211_probe_client(struct sk_buff *skb,
8153				struct genl_info *info)
8154{
8155	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8156	struct net_device *dev = info->user_ptr[1];
8157	struct wireless_dev *wdev = dev->ieee80211_ptr;
8158	struct sk_buff *msg;
8159	void *hdr;
8160	const u8 *addr;
8161	u64 cookie;
8162	int err;
8163
8164	if (wdev->iftype != NL80211_IFTYPE_AP &&
8165	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
8166		return -EOPNOTSUPP;
8167
8168	if (!info->attrs[NL80211_ATTR_MAC])
8169		return -EINVAL;
8170
8171	if (!rdev->ops->probe_client)
8172		return -EOPNOTSUPP;
8173
8174	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8175	if (!msg)
8176		return -ENOMEM;
8177
8178	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8179			     NL80211_CMD_PROBE_CLIENT);
8180	if (!hdr) {
8181		err = -ENOBUFS;
8182		goto free_msg;
8183	}
8184
8185	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8186
8187	err = rdev_probe_client(rdev, dev, addr, &cookie);
8188	if (err)
8189		goto free_msg;
8190
8191	if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
8192		goto nla_put_failure;
8193
8194	genlmsg_end(msg, hdr);
8195
8196	return genlmsg_reply(msg, info);
8197
8198 nla_put_failure:
8199	err = -ENOBUFS;
8200 free_msg:
8201	nlmsg_free(msg);
8202	return err;
8203}
8204
8205static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
8206{
8207	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8208	struct cfg80211_beacon_registration *reg, *nreg;
8209	int rv;
8210
8211	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
8212		return -EOPNOTSUPP;
8213
8214	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
8215	if (!nreg)
8216		return -ENOMEM;
8217
8218	/* First, check if already registered. */
8219	spin_lock_bh(&rdev->beacon_registrations_lock);
8220	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
8221		if (reg->nlportid == info->snd_portid) {
8222			rv = -EALREADY;
8223			goto out_err;
8224		}
8225	}
8226	/* Add it to the list */
8227	nreg->nlportid = info->snd_portid;
8228	list_add(&nreg->list, &rdev->beacon_registrations);
8229
8230	spin_unlock_bh(&rdev->beacon_registrations_lock);
8231
8232	return 0;
8233out_err:
8234	spin_unlock_bh(&rdev->beacon_registrations_lock);
8235	kfree(nreg);
8236	return rv;
8237}
8238
8239static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
8240{
8241	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8242	struct wireless_dev *wdev = info->user_ptr[1];
8243	int err;
8244
8245	if (!rdev->ops->start_p2p_device)
8246		return -EOPNOTSUPP;
8247
8248	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
8249		return -EOPNOTSUPP;
8250
8251	if (wdev->p2p_started)
8252		return 0;
8253
8254	mutex_lock(&rdev->devlist_mtx);
8255	err = cfg80211_can_add_interface(rdev, wdev->iftype);
8256	mutex_unlock(&rdev->devlist_mtx);
8257	if (err)
8258		return err;
8259
8260	err = rdev_start_p2p_device(rdev, wdev);
8261	if (err)
8262		return err;
8263
8264	wdev->p2p_started = true;
8265	mutex_lock(&rdev->devlist_mtx);
8266	rdev->opencount++;
8267	mutex_unlock(&rdev->devlist_mtx);
8268
8269	return 0;
8270}
8271
8272static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
8273{
8274	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8275	struct wireless_dev *wdev = info->user_ptr[1];
8276
8277	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
8278		return -EOPNOTSUPP;
8279
8280	if (!rdev->ops->stop_p2p_device)
8281		return -EOPNOTSUPP;
8282
8283	mutex_lock(&rdev->devlist_mtx);
8284	mutex_lock(&rdev->sched_scan_mtx);
8285	cfg80211_stop_p2p_device(rdev, wdev);
8286	mutex_unlock(&rdev->sched_scan_mtx);
8287	mutex_unlock(&rdev->devlist_mtx);
8288
8289	return 0;
8290}
8291
8292static int nl80211_get_protocol_features(struct sk_buff *skb,
8293					 struct genl_info *info)
8294{
8295	void *hdr;
8296	struct sk_buff *msg;
8297
8298	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8299	if (!msg)
8300		return -ENOMEM;
8301
8302	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8303			     NL80211_CMD_GET_PROTOCOL_FEATURES);
8304	if (!hdr)
8305		goto nla_put_failure;
8306
8307	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
8308			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
8309		goto nla_put_failure;
8310
8311	genlmsg_end(msg, hdr);
8312	return genlmsg_reply(msg, info);
8313
8314 nla_put_failure:
8315	kfree_skb(msg);
8316	return -ENOBUFS;
8317}
8318
8319static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
8320{
8321	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8322	struct cfg80211_update_ft_ies_params ft_params;
8323	struct net_device *dev = info->user_ptr[1];
8324
8325	if (!rdev->ops->update_ft_ies)
8326		return -EOPNOTSUPP;
8327
8328	if (!info->attrs[NL80211_ATTR_MDID] ||
8329	    !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
8330		return -EINVAL;
8331
8332	memset(&ft_params, 0, sizeof(ft_params));
8333	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
8334	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8335	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8336
8337	return rdev_update_ft_ies(rdev, dev, &ft_params);
8338}
8339
8340static int nl80211_crit_protocol_start(struct sk_buff *skb,
8341				       struct genl_info *info)
8342{
8343	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8344	struct wireless_dev *wdev = info->user_ptr[1];
8345	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
8346	u16 duration;
8347	int ret;
8348
8349	if (!rdev->ops->crit_proto_start)
8350		return -EOPNOTSUPP;
8351
8352	if (WARN_ON(!rdev->ops->crit_proto_stop))
8353		return -EINVAL;
8354
8355	if (rdev->crit_proto_nlportid)
8356		return -EBUSY;
8357
8358	/* determine protocol if provided */
8359	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
8360		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
8361
8362	if (proto >= NUM_NL80211_CRIT_PROTO)
8363		return -EINVAL;
8364
8365	/* timeout must be provided */
8366	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
8367		return -EINVAL;
8368
8369	duration =
8370		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
8371
8372	if (duration > NL80211_CRIT_PROTO_MAX_DURATION)
8373		return -ERANGE;
8374
8375	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
8376	if (!ret)
8377		rdev->crit_proto_nlportid = info->snd_portid;
8378
8379	return ret;
8380}
8381
8382static int nl80211_crit_protocol_stop(struct sk_buff *skb,
8383				      struct genl_info *info)
8384{
8385	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8386	struct wireless_dev *wdev = info->user_ptr[1];
8387
8388	if (!rdev->ops->crit_proto_stop)
8389		return -EOPNOTSUPP;
8390
8391	if (rdev->crit_proto_nlportid) {
8392		rdev->crit_proto_nlportid = 0;
8393		rdev_crit_proto_stop(rdev, wdev);
8394	}
8395	return 0;
8396}
8397
8398static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
8399{
8400	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8401	struct wireless_dev *wdev =
8402		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
8403	int i, err;
8404	u32 vid, subcmd;
8405
8406	if (!rdev || !rdev->wiphy.vendor_commands)
8407		return -EOPNOTSUPP;
8408
8409	if (IS_ERR(wdev)) {
8410		err = PTR_ERR(wdev);
8411		if (err != -EINVAL)
8412			return err;
8413		wdev = NULL;
8414	} else if (wdev->wiphy != &rdev->wiphy) {
8415		return -EINVAL;
8416	}
8417
8418	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
8419	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
8420		return -EINVAL;
8421
8422	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
8423	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
8424	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
8425		const struct wiphy_vendor_command *vcmd;
8426		void *data = NULL;
8427		int len = 0;
8428
8429		vcmd = &rdev->wiphy.vendor_commands[i];
8430
8431		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
8432			continue;
8433
8434		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
8435				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
8436			if (!wdev)
8437				return -EINVAL;
8438			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
8439			    !wdev->netdev)
8440				return -EINVAL;
8441
8442			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
8443				if (!wdev->netdev ||
8444				    !netif_running(wdev->netdev))
8445					return -ENETDOWN;
8446			}
8447		} else {
8448			wdev = NULL;
8449		}
8450
8451		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
8452			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
8453			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
8454		}
8455
8456		rdev->cur_cmd_info = info;
8457		err = rdev->wiphy.vendor_commands[i].doit(&rdev->wiphy, wdev,
8458								data, len);
8459		rdev->cur_cmd_info = NULL;
8460		return err;
8461	}
8462
8463	return -EOPNOTSUPP;
8464}
8465
8466struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
8467					   enum nl80211_commands cmd,
8468					   enum nl80211_attrs attr,
8469					   int approxlen)
8470{
8471	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
8472
8473	if (WARN_ON(!rdev->cur_cmd_info))
8474		return NULL;
8475
8476	return __cfg80211_alloc_vendor_skb(rdev, approxlen,
8477					   0,
8478					   0,
8479					   cmd, attr, NULL, GFP_KERNEL);
8480}
8481EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
8482
8483int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
8484{
8485	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
8486	void *hdr = ((void **)skb->cb)[1];
8487	struct nlattr *data = ((void **)skb->cb)[2];
8488
8489	if (WARN_ON(!rdev->cur_cmd_info)) {
8490		kfree_skb(skb);
8491		return -EINVAL;
8492	}
8493
8494	nla_nest_end(skb, data);
8495	genlmsg_end(skb, hdr);
8496	return genlmsg_reply(skb, rdev->cur_cmd_info);
8497}
8498EXPORT_SYMBOL(cfg80211_vendor_cmd_reply);
8499
8500#define NL80211_FLAG_NEED_WIPHY		0x01
8501#define NL80211_FLAG_NEED_NETDEV	0x02
8502#define NL80211_FLAG_NEED_RTNL		0x04
8503#define NL80211_FLAG_CHECK_NETDEV_UP	0x08
8504#define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
8505					 NL80211_FLAG_CHECK_NETDEV_UP)
8506#define NL80211_FLAG_NEED_WDEV		0x10
8507/* If a netdev is associated, it must be UP, P2P must be started */
8508#define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
8509					 NL80211_FLAG_CHECK_NETDEV_UP)
8510
8511static int nl80211_pre_doit(struct genl_ops *ops, struct sk_buff *skb,
8512			    struct genl_info *info)
8513{
8514	struct cfg80211_registered_device *rdev;
8515	struct wireless_dev *wdev;
8516	struct net_device *dev;
8517	bool rtnl = ops->internal_flags & NL80211_FLAG_NEED_RTNL;
8518
8519	if (rtnl)
8520		rtnl_lock();
8521
8522	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
8523		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
8524		if (IS_ERR(rdev)) {
8525			if (rtnl)
8526				rtnl_unlock();
8527			return PTR_ERR(rdev);
8528		}
8529		info->user_ptr[0] = rdev;
8530	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
8531		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
8532		mutex_lock(&cfg80211_mutex);
8533		wdev = __cfg80211_wdev_from_attrs(genl_info_net(info),
8534						  info->attrs);
8535		if (IS_ERR(wdev)) {
8536			mutex_unlock(&cfg80211_mutex);
8537			if (rtnl)
8538				rtnl_unlock();
8539			return PTR_ERR(wdev);
8540		}
8541
8542		dev = wdev->netdev;
8543		rdev = wiphy_to_dev(wdev->wiphy);
8544
8545		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
8546			if (!dev) {
8547				mutex_unlock(&cfg80211_mutex);
8548				if (rtnl)
8549					rtnl_unlock();
8550				return -EINVAL;
8551			}
8552
8553			info->user_ptr[1] = dev;
8554		} else {
8555			info->user_ptr[1] = wdev;
8556		}
8557
8558		if (dev) {
8559			if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
8560			    !netif_running(dev)) {
8561				mutex_unlock(&cfg80211_mutex);
8562				if (rtnl)
8563					rtnl_unlock();
8564				return -ENETDOWN;
8565			}
8566
8567			dev_hold(dev);
8568		} else if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP) {
8569			if (!wdev->p2p_started) {
8570				mutex_unlock(&cfg80211_mutex);
8571				if (rtnl)
8572					rtnl_unlock();
8573				return -ENETDOWN;
8574			}
8575		}
8576
8577		cfg80211_lock_rdev(rdev);
8578
8579		mutex_unlock(&cfg80211_mutex);
8580
8581		info->user_ptr[0] = rdev;
8582	}
8583
8584	return 0;
8585}
8586
8587static void nl80211_post_doit(struct genl_ops *ops, struct sk_buff *skb,
8588			      struct genl_info *info)
8589{
8590	if (info->user_ptr[0])
8591		cfg80211_unlock_rdev(info->user_ptr[0]);
8592	if (info->user_ptr[1]) {
8593		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
8594			struct wireless_dev *wdev = info->user_ptr[1];
8595
8596			if (wdev->netdev)
8597				dev_put(wdev->netdev);
8598		} else {
8599			dev_put(info->user_ptr[1]);
8600		}
8601	}
8602	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
8603		rtnl_unlock();
8604}
8605
8606static struct genl_ops nl80211_ops[] = {
8607	{
8608		.cmd = NL80211_CMD_GET_WIPHY,
8609		.doit = nl80211_get_wiphy,
8610		.dumpit = nl80211_dump_wiphy,
8611		.policy = nl80211_policy,
8612		/* can be retrieved by unprivileged users */
8613		.internal_flags = NL80211_FLAG_NEED_WIPHY,
8614	},
8615	{
8616		.cmd = NL80211_CMD_SET_WIPHY,
8617		.doit = nl80211_set_wiphy,
8618		.policy = nl80211_policy,
8619		.flags = GENL_ADMIN_PERM,
8620		.internal_flags = NL80211_FLAG_NEED_RTNL,
8621	},
8622	{
8623		.cmd = NL80211_CMD_GET_INTERFACE,
8624		.doit = nl80211_get_interface,
8625		.dumpit = nl80211_dump_interface,
8626		.policy = nl80211_policy,
8627		/* can be retrieved by unprivileged users */
8628		.internal_flags = NL80211_FLAG_NEED_WDEV,
8629	},
8630	{
8631		.cmd = NL80211_CMD_SET_INTERFACE,
8632		.doit = nl80211_set_interface,
8633		.policy = nl80211_policy,
8634		.flags = GENL_ADMIN_PERM,
8635		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8636				  NL80211_FLAG_NEED_RTNL,
8637	},
8638	{
8639		.cmd = NL80211_CMD_NEW_INTERFACE,
8640		.doit = nl80211_new_interface,
8641		.policy = nl80211_policy,
8642		.flags = GENL_ADMIN_PERM,
8643		.internal_flags = NL80211_FLAG_NEED_WIPHY |
8644				  NL80211_FLAG_NEED_RTNL,
8645	},
8646	{
8647		.cmd = NL80211_CMD_DEL_INTERFACE,
8648		.doit = nl80211_del_interface,
8649		.policy = nl80211_policy,
8650		.flags = GENL_ADMIN_PERM,
8651		.internal_flags = NL80211_FLAG_NEED_WDEV |
8652				  NL80211_FLAG_NEED_RTNL,
8653	},
8654	{
8655		.cmd = NL80211_CMD_GET_KEY,
8656		.doit = nl80211_get_key,
8657		.policy = nl80211_policy,
8658		.flags = GENL_ADMIN_PERM,
8659		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8660				  NL80211_FLAG_NEED_RTNL,
8661	},
8662	{
8663		.cmd = NL80211_CMD_SET_KEY,
8664		.doit = nl80211_set_key,
8665		.policy = nl80211_policy,
8666		.flags = GENL_ADMIN_PERM,
8667		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8668				  NL80211_FLAG_NEED_RTNL,
8669	},
8670	{
8671		.cmd = NL80211_CMD_NEW_KEY,
8672		.doit = nl80211_new_key,
8673		.policy = nl80211_policy,
8674		.flags = GENL_ADMIN_PERM,
8675		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8676				  NL80211_FLAG_NEED_RTNL,
8677	},
8678	{
8679		.cmd = NL80211_CMD_DEL_KEY,
8680		.doit = nl80211_del_key,
8681		.policy = nl80211_policy,
8682		.flags = GENL_ADMIN_PERM,
8683		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8684				  NL80211_FLAG_NEED_RTNL,
8685	},
8686	{
8687		.cmd = NL80211_CMD_SET_BEACON,
8688		.policy = nl80211_policy,
8689		.flags = GENL_ADMIN_PERM,
8690		.doit = nl80211_set_beacon,
8691		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8692				  NL80211_FLAG_NEED_RTNL,
8693	},
8694	{
8695		.cmd = NL80211_CMD_START_AP,
8696		.policy = nl80211_policy,
8697		.flags = GENL_ADMIN_PERM,
8698		.doit = nl80211_start_ap,
8699		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8700				  NL80211_FLAG_NEED_RTNL,
8701	},
8702	{
8703		.cmd = NL80211_CMD_STOP_AP,
8704		.policy = nl80211_policy,
8705		.flags = GENL_ADMIN_PERM,
8706		.doit = nl80211_stop_ap,
8707		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8708				  NL80211_FLAG_NEED_RTNL,
8709	},
8710	{
8711		.cmd = NL80211_CMD_GET_STATION,
8712		.doit = nl80211_get_station,
8713		.dumpit = nl80211_dump_station,
8714		.policy = nl80211_policy,
8715		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8716				  NL80211_FLAG_NEED_RTNL,
8717	},
8718	{
8719		.cmd = NL80211_CMD_SET_STATION,
8720		.doit = nl80211_set_station,
8721		.policy = nl80211_policy,
8722		.flags = GENL_ADMIN_PERM,
8723		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8724				  NL80211_FLAG_NEED_RTNL,
8725	},
8726	{
8727		.cmd = NL80211_CMD_NEW_STATION,
8728		.doit = nl80211_new_station,
8729		.policy = nl80211_policy,
8730		.flags = GENL_ADMIN_PERM,
8731		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8732				  NL80211_FLAG_NEED_RTNL,
8733	},
8734	{
8735		.cmd = NL80211_CMD_DEL_STATION,
8736		.doit = nl80211_del_station,
8737		.policy = nl80211_policy,
8738		.flags = GENL_ADMIN_PERM,
8739		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8740				  NL80211_FLAG_NEED_RTNL,
8741	},
8742	{
8743		.cmd = NL80211_CMD_GET_MPATH,
8744		.doit = nl80211_get_mpath,
8745		.dumpit = nl80211_dump_mpath,
8746		.policy = nl80211_policy,
8747		.flags = GENL_ADMIN_PERM,
8748		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8749				  NL80211_FLAG_NEED_RTNL,
8750	},
8751	{
8752		.cmd = NL80211_CMD_SET_MPATH,
8753		.doit = nl80211_set_mpath,
8754		.policy = nl80211_policy,
8755		.flags = GENL_ADMIN_PERM,
8756		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8757				  NL80211_FLAG_NEED_RTNL,
8758	},
8759	{
8760		.cmd = NL80211_CMD_NEW_MPATH,
8761		.doit = nl80211_new_mpath,
8762		.policy = nl80211_policy,
8763		.flags = GENL_ADMIN_PERM,
8764		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8765				  NL80211_FLAG_NEED_RTNL,
8766	},
8767	{
8768		.cmd = NL80211_CMD_DEL_MPATH,
8769		.doit = nl80211_del_mpath,
8770		.policy = nl80211_policy,
8771		.flags = GENL_ADMIN_PERM,
8772		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8773				  NL80211_FLAG_NEED_RTNL,
8774	},
8775	{
8776		.cmd = NL80211_CMD_SET_BSS,
8777		.doit = nl80211_set_bss,
8778		.policy = nl80211_policy,
8779		.flags = GENL_ADMIN_PERM,
8780		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8781				  NL80211_FLAG_NEED_RTNL,
8782	},
8783	{
8784		.cmd = NL80211_CMD_GET_REG,
8785		.doit = nl80211_get_reg,
8786		.policy = nl80211_policy,
8787		/* can be retrieved by unprivileged users */
8788	},
8789	{
8790		.cmd = NL80211_CMD_SET_REG,
8791		.doit = nl80211_set_reg,
8792		.policy = nl80211_policy,
8793		.flags = GENL_ADMIN_PERM,
8794	},
8795	{
8796		.cmd = NL80211_CMD_REQ_SET_REG,
8797		.doit = nl80211_req_set_reg,
8798		.policy = nl80211_policy,
8799		.flags = GENL_ADMIN_PERM,
8800	},
8801	{
8802		.cmd = NL80211_CMD_GET_MESH_CONFIG,
8803		.doit = nl80211_get_mesh_config,
8804		.policy = nl80211_policy,
8805		/* can be retrieved by unprivileged users */
8806		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8807				  NL80211_FLAG_NEED_RTNL,
8808	},
8809	{
8810		.cmd = NL80211_CMD_SET_MESH_CONFIG,
8811		.doit = nl80211_update_mesh_config,
8812		.policy = nl80211_policy,
8813		.flags = GENL_ADMIN_PERM,
8814		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8815				  NL80211_FLAG_NEED_RTNL,
8816	},
8817	{
8818		.cmd = NL80211_CMD_TRIGGER_SCAN,
8819		.doit = nl80211_trigger_scan,
8820		.policy = nl80211_policy,
8821		.flags = GENL_ADMIN_PERM,
8822		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
8823				  NL80211_FLAG_NEED_RTNL,
8824	},
8825	{
8826		.cmd = NL80211_CMD_GET_SCAN,
8827		.policy = nl80211_policy,
8828		.dumpit = nl80211_dump_scan,
8829	},
8830	{
8831		.cmd = NL80211_CMD_START_SCHED_SCAN,
8832		.doit = nl80211_start_sched_scan,
8833		.policy = nl80211_policy,
8834		.flags = GENL_ADMIN_PERM,
8835		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8836				  NL80211_FLAG_NEED_RTNL,
8837	},
8838	{
8839		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
8840		.doit = nl80211_stop_sched_scan,
8841		.policy = nl80211_policy,
8842		.flags = GENL_ADMIN_PERM,
8843		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8844				  NL80211_FLAG_NEED_RTNL,
8845	},
8846	{
8847		.cmd = NL80211_CMD_AUTHENTICATE,
8848		.doit = nl80211_authenticate,
8849		.policy = nl80211_policy,
8850		.flags = GENL_ADMIN_PERM,
8851		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8852				  NL80211_FLAG_NEED_RTNL,
8853	},
8854	{
8855		.cmd = NL80211_CMD_ASSOCIATE,
8856		.doit = nl80211_associate,
8857		.policy = nl80211_policy,
8858		.flags = GENL_ADMIN_PERM,
8859		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8860				  NL80211_FLAG_NEED_RTNL,
8861	},
8862	{
8863		.cmd = NL80211_CMD_DEAUTHENTICATE,
8864		.doit = nl80211_deauthenticate,
8865		.policy = nl80211_policy,
8866		.flags = GENL_ADMIN_PERM,
8867		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8868				  NL80211_FLAG_NEED_RTNL,
8869	},
8870	{
8871		.cmd = NL80211_CMD_DISASSOCIATE,
8872		.doit = nl80211_disassociate,
8873		.policy = nl80211_policy,
8874		.flags = GENL_ADMIN_PERM,
8875		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8876				  NL80211_FLAG_NEED_RTNL,
8877	},
8878	{
8879		.cmd = NL80211_CMD_JOIN_IBSS,
8880		.doit = nl80211_join_ibss,
8881		.policy = nl80211_policy,
8882		.flags = GENL_ADMIN_PERM,
8883		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8884				  NL80211_FLAG_NEED_RTNL,
8885	},
8886	{
8887		.cmd = NL80211_CMD_LEAVE_IBSS,
8888		.doit = nl80211_leave_ibss,
8889		.policy = nl80211_policy,
8890		.flags = GENL_ADMIN_PERM,
8891		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8892				  NL80211_FLAG_NEED_RTNL,
8893	},
8894#ifdef CONFIG_NL80211_TESTMODE
8895	{
8896		.cmd = NL80211_CMD_TESTMODE,
8897		.doit = nl80211_testmode_do,
8898		.dumpit = nl80211_testmode_dump,
8899		.policy = nl80211_policy,
8900		.flags = GENL_ADMIN_PERM,
8901		.internal_flags = NL80211_FLAG_NEED_WIPHY |
8902				  NL80211_FLAG_NEED_RTNL,
8903	},
8904#endif
8905	{
8906		.cmd = NL80211_CMD_CONNECT,
8907		.doit = nl80211_connect,
8908		.policy = nl80211_policy,
8909		.flags = GENL_ADMIN_PERM,
8910		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8911				  NL80211_FLAG_NEED_RTNL,
8912	},
8913	{
8914		.cmd = NL80211_CMD_DISCONNECT,
8915		.doit = nl80211_disconnect,
8916		.policy = nl80211_policy,
8917		.flags = GENL_ADMIN_PERM,
8918		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8919				  NL80211_FLAG_NEED_RTNL,
8920	},
8921	{
8922		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
8923		.doit = nl80211_wiphy_netns,
8924		.policy = nl80211_policy,
8925		.flags = GENL_ADMIN_PERM,
8926		.internal_flags = NL80211_FLAG_NEED_WIPHY |
8927				  NL80211_FLAG_NEED_RTNL,
8928	},
8929	{
8930		.cmd = NL80211_CMD_GET_SURVEY,
8931		.policy = nl80211_policy,
8932		.dumpit = nl80211_dump_survey,
8933	},
8934	{
8935		.cmd = NL80211_CMD_SET_PMKSA,
8936		.doit = nl80211_setdel_pmksa,
8937		.policy = nl80211_policy,
8938		.flags = GENL_ADMIN_PERM,
8939		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8940				  NL80211_FLAG_NEED_RTNL,
8941	},
8942	{
8943		.cmd = NL80211_CMD_DEL_PMKSA,
8944		.doit = nl80211_setdel_pmksa,
8945		.policy = nl80211_policy,
8946		.flags = GENL_ADMIN_PERM,
8947		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8948				  NL80211_FLAG_NEED_RTNL,
8949	},
8950	{
8951		.cmd = NL80211_CMD_FLUSH_PMKSA,
8952		.doit = nl80211_flush_pmksa,
8953		.policy = nl80211_policy,
8954		.flags = GENL_ADMIN_PERM,
8955		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8956				  NL80211_FLAG_NEED_RTNL,
8957	},
8958	{
8959		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
8960		.doit = nl80211_remain_on_channel,
8961		.policy = nl80211_policy,
8962		.flags = GENL_ADMIN_PERM,
8963		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
8964				  NL80211_FLAG_NEED_RTNL,
8965	},
8966	{
8967		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
8968		.doit = nl80211_cancel_remain_on_channel,
8969		.policy = nl80211_policy,
8970		.flags = GENL_ADMIN_PERM,
8971		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
8972				  NL80211_FLAG_NEED_RTNL,
8973	},
8974	{
8975		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
8976		.doit = nl80211_set_tx_bitrate_mask,
8977		.policy = nl80211_policy,
8978		.flags = GENL_ADMIN_PERM,
8979		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8980				  NL80211_FLAG_NEED_RTNL,
8981	},
8982	{
8983		.cmd = NL80211_CMD_REGISTER_FRAME,
8984		.doit = nl80211_register_mgmt,
8985		.policy = nl80211_policy,
8986		.flags = GENL_ADMIN_PERM,
8987		.internal_flags = NL80211_FLAG_NEED_WDEV |
8988				  NL80211_FLAG_NEED_RTNL,
8989	},
8990	{
8991		.cmd = NL80211_CMD_FRAME,
8992		.doit = nl80211_tx_mgmt,
8993		.policy = nl80211_policy,
8994		.flags = GENL_ADMIN_PERM,
8995		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
8996				  NL80211_FLAG_NEED_RTNL,
8997	},
8998	{
8999		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
9000		.doit = nl80211_tx_mgmt_cancel_wait,
9001		.policy = nl80211_policy,
9002		.flags = GENL_ADMIN_PERM,
9003		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
9004				  NL80211_FLAG_NEED_RTNL,
9005	},
9006	{
9007		.cmd = NL80211_CMD_SET_POWER_SAVE,
9008		.doit = nl80211_set_power_save,
9009		.policy = nl80211_policy,
9010		.flags = GENL_ADMIN_PERM,
9011		.internal_flags = NL80211_FLAG_NEED_NETDEV |
9012				  NL80211_FLAG_NEED_RTNL,
9013	},
9014	{
9015		.cmd = NL80211_CMD_GET_POWER_SAVE,
9016		.doit = nl80211_get_power_save,
9017		.policy = nl80211_policy,
9018		/* can be retrieved by unprivileged users */
9019		.internal_flags = NL80211_FLAG_NEED_NETDEV |
9020				  NL80211_FLAG_NEED_RTNL,
9021	},
9022	{
9023		.cmd = NL80211_CMD_SET_CQM,
9024		.doit = nl80211_set_cqm,
9025		.policy = nl80211_policy,
9026		.flags = GENL_ADMIN_PERM,
9027		.internal_flags = NL80211_FLAG_NEED_NETDEV |
9028				  NL80211_FLAG_NEED_RTNL,
9029	},
9030	{
9031		.cmd = NL80211_CMD_SET_CHANNEL,
9032		.doit = nl80211_set_channel,
9033		.policy = nl80211_policy,
9034		.flags = GENL_ADMIN_PERM,
9035		.internal_flags = NL80211_FLAG_NEED_NETDEV |
9036				  NL80211_FLAG_NEED_RTNL,
9037	},
9038	{
9039		.cmd = NL80211_CMD_SET_WDS_PEER,
9040		.doit = nl80211_set_wds_peer,
9041		.policy = nl80211_policy,
9042		.flags = GENL_ADMIN_PERM,
9043		.internal_flags = NL80211_FLAG_NEED_NETDEV |
9044				  NL80211_FLAG_NEED_RTNL,
9045	},
9046	{
9047		.cmd = NL80211_CMD_JOIN_MESH,
9048		.doit = nl80211_join_mesh,
9049		.policy = nl80211_policy,
9050		.flags = GENL_ADMIN_PERM,
9051		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9052				  NL80211_FLAG_NEED_RTNL,
9053	},
9054	{
9055		.cmd = NL80211_CMD_LEAVE_MESH,
9056		.doit = nl80211_leave_mesh,
9057		.policy = nl80211_policy,
9058		.flags = GENL_ADMIN_PERM,
9059		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9060				  NL80211_FLAG_NEED_RTNL,
9061	},
9062#ifdef CONFIG_PM
9063	{
9064		.cmd = NL80211_CMD_GET_WOWLAN,
9065		.doit = nl80211_get_wowlan,
9066		.policy = nl80211_policy,
9067		/* can be retrieved by unprivileged users */
9068		.internal_flags = NL80211_FLAG_NEED_WIPHY |
9069				  NL80211_FLAG_NEED_RTNL,
9070	},
9071	{
9072		.cmd = NL80211_CMD_SET_WOWLAN,
9073		.doit = nl80211_set_wowlan,
9074		.policy = nl80211_policy,
9075		.flags = GENL_ADMIN_PERM,
9076		.internal_flags = NL80211_FLAG_NEED_WIPHY |
9077				  NL80211_FLAG_NEED_RTNL,
9078	},
9079#endif
9080	{
9081		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
9082		.doit = nl80211_set_rekey_data,
9083		.policy = nl80211_policy,
9084		.flags = GENL_ADMIN_PERM,
9085		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9086				  NL80211_FLAG_NEED_RTNL,
9087	},
9088	{
9089		.cmd = NL80211_CMD_TDLS_MGMT,
9090		.doit = nl80211_tdls_mgmt,
9091		.policy = nl80211_policy,
9092		.flags = GENL_ADMIN_PERM,
9093		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9094				  NL80211_FLAG_NEED_RTNL,
9095	},
9096	{
9097		.cmd = NL80211_CMD_TDLS_OPER,
9098		.doit = nl80211_tdls_oper,
9099		.policy = nl80211_policy,
9100		.flags = GENL_ADMIN_PERM,
9101		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9102				  NL80211_FLAG_NEED_RTNL,
9103	},
9104	{
9105		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
9106		.doit = nl80211_register_unexpected_frame,
9107		.policy = nl80211_policy,
9108		.flags = GENL_ADMIN_PERM,
9109		.internal_flags = NL80211_FLAG_NEED_NETDEV |
9110				  NL80211_FLAG_NEED_RTNL,
9111	},
9112	{
9113		.cmd = NL80211_CMD_PROBE_CLIENT,
9114		.doit = nl80211_probe_client,
9115		.policy = nl80211_policy,
9116		.flags = GENL_ADMIN_PERM,
9117		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9118				  NL80211_FLAG_NEED_RTNL,
9119	},
9120	{
9121		.cmd = NL80211_CMD_REGISTER_BEACONS,
9122		.doit = nl80211_register_beacons,
9123		.policy = nl80211_policy,
9124		.flags = GENL_ADMIN_PERM,
9125		.internal_flags = NL80211_FLAG_NEED_WIPHY |
9126				  NL80211_FLAG_NEED_RTNL,
9127	},
9128	{
9129		.cmd = NL80211_CMD_SET_NOACK_MAP,
9130		.doit = nl80211_set_noack_map,
9131		.policy = nl80211_policy,
9132		.flags = GENL_ADMIN_PERM,
9133		.internal_flags = NL80211_FLAG_NEED_NETDEV |
9134				  NL80211_FLAG_NEED_RTNL,
9135	},
9136	{
9137		.cmd = NL80211_CMD_START_P2P_DEVICE,
9138		.doit = nl80211_start_p2p_device,
9139		.policy = nl80211_policy,
9140		.flags = GENL_ADMIN_PERM,
9141		.internal_flags = NL80211_FLAG_NEED_WDEV |
9142				  NL80211_FLAG_NEED_RTNL,
9143	},
9144	{
9145		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
9146		.doit = nl80211_stop_p2p_device,
9147		.policy = nl80211_policy,
9148		.flags = GENL_ADMIN_PERM,
9149		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
9150				  NL80211_FLAG_NEED_RTNL,
9151	},
9152	{
9153		.cmd = NL80211_CMD_SET_MCAST_RATE,
9154		.doit = nl80211_set_mcast_rate,
9155		.policy = nl80211_policy,
9156		.flags = GENL_ADMIN_PERM,
9157		.internal_flags = NL80211_FLAG_NEED_NETDEV |
9158				  NL80211_FLAG_NEED_RTNL,
9159	},
9160	{
9161		.cmd = NL80211_CMD_SET_MAC_ACL,
9162		.doit = nl80211_set_mac_acl,
9163		.policy = nl80211_policy,
9164		.flags = GENL_ADMIN_PERM,
9165		.internal_flags = NL80211_FLAG_NEED_NETDEV |
9166				  NL80211_FLAG_NEED_RTNL,
9167	},
9168	{
9169		.cmd = NL80211_CMD_RADAR_DETECT,
9170		.doit = nl80211_start_radar_detection,
9171		.policy = nl80211_policy,
9172		.flags = GENL_ADMIN_PERM,
9173		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9174				  NL80211_FLAG_NEED_RTNL,
9175	},
9176	{
9177		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
9178		.doit = nl80211_get_protocol_features,
9179		.policy = nl80211_policy,
9180	},
9181	{
9182		.cmd = NL80211_CMD_UPDATE_FT_IES,
9183		.doit = nl80211_update_ft_ies,
9184		.policy = nl80211_policy,
9185		.flags = GENL_ADMIN_PERM,
9186		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9187				  NL80211_FLAG_NEED_RTNL,
9188	},
9189	{
9190		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
9191		.doit = nl80211_crit_protocol_start,
9192		.policy = nl80211_policy,
9193		.flags = GENL_ADMIN_PERM,
9194		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
9195				  NL80211_FLAG_NEED_RTNL,
9196	},
9197	{
9198		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
9199		.doit = nl80211_crit_protocol_stop,
9200		.policy = nl80211_policy,
9201		.flags = GENL_ADMIN_PERM,
9202		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
9203				  NL80211_FLAG_NEED_RTNL,
9204	},
9205	{
9206		.cmd = NL80211_CMD_VENDOR,
9207		.doit = nl80211_vendor_cmd,
9208		.policy = nl80211_policy,
9209		.flags = GENL_ADMIN_PERM,
9210		.internal_flags = NL80211_FLAG_NEED_WIPHY |
9211				  NL80211_FLAG_NEED_RTNL,
9212	},
9213};
9214
9215static struct genl_multicast_group nl80211_mlme_mcgrp = {
9216	.name = "mlme",
9217};
9218
9219/* multicast groups */
9220static struct genl_multicast_group nl80211_config_mcgrp = {
9221	.name = "config",
9222};
9223static struct genl_multicast_group nl80211_scan_mcgrp = {
9224	.name = "scan",
9225};
9226static struct genl_multicast_group nl80211_regulatory_mcgrp = {
9227	.name = "regulatory",
9228};
9229
9230/* notification functions */
9231
9232void nl80211_notify_dev_rename(struct cfg80211_registered_device *rdev)
9233{
9234	struct sk_buff *msg;
9235
9236	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9237	if (!msg)
9238		return;
9239
9240	if (nl80211_send_wiphy(rdev, msg, 0, 0, 0,
9241			       false, NULL, NULL, NULL) < 0) {
9242		nlmsg_free(msg);
9243		return;
9244	}
9245
9246	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9247				nl80211_config_mcgrp.id, GFP_KERNEL);
9248}
9249
9250static int nl80211_add_scan_req(struct sk_buff *msg,
9251				struct cfg80211_registered_device *rdev)
9252{
9253	struct cfg80211_scan_request *req = rdev->scan_req;
9254	struct nlattr *nest;
9255	int i;
9256
9257	lockdep_assert_held(&rdev->sched_scan_mtx);
9258
9259	if (WARN_ON(!req))
9260		return 0;
9261
9262	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_SSIDS);
9263	if (!nest)
9264		goto nla_put_failure;
9265	for (i = 0; i < req->n_ssids; i++) {
9266		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
9267			goto nla_put_failure;
9268	}
9269	nla_nest_end(msg, nest);
9270
9271	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
9272	if (!nest)
9273		goto nla_put_failure;
9274	for (i = 0; i < req->n_channels; i++) {
9275		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
9276			goto nla_put_failure;
9277	}
9278	nla_nest_end(msg, nest);
9279
9280	if (req->ie &&
9281	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
9282		goto nla_put_failure;
9283
9284	if (req->flags)
9285		nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags);
9286
9287	return 0;
9288 nla_put_failure:
9289	return -ENOBUFS;
9290}
9291
9292static int nl80211_send_scan_msg(struct sk_buff *msg,
9293				 struct cfg80211_registered_device *rdev,
9294				 struct wireless_dev *wdev,
9295				 u32 portid, u32 seq, int flags,
9296				 u32 cmd)
9297{
9298	void *hdr;
9299
9300	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
9301	if (!hdr)
9302		return -1;
9303
9304	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9305	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
9306					 wdev->netdev->ifindex)) ||
9307	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
9308		goto nla_put_failure;
9309
9310	/* ignore errors and send incomplete event anyway */
9311	nl80211_add_scan_req(msg, rdev);
9312
9313	return genlmsg_end(msg, hdr);
9314
9315 nla_put_failure:
9316	genlmsg_cancel(msg, hdr);
9317	return -EMSGSIZE;
9318}
9319
9320static int
9321nl80211_send_sched_scan_msg(struct sk_buff *msg,
9322			    struct cfg80211_registered_device *rdev,
9323			    struct net_device *netdev,
9324			    u32 portid, u32 seq, int flags, u32 cmd)
9325{
9326	void *hdr;
9327
9328	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
9329	if (!hdr)
9330		return -1;
9331
9332	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9333	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
9334		goto nla_put_failure;
9335
9336	return genlmsg_end(msg, hdr);
9337
9338 nla_put_failure:
9339	genlmsg_cancel(msg, hdr);
9340	return -EMSGSIZE;
9341}
9342
9343void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
9344			     struct wireless_dev *wdev)
9345{
9346	struct sk_buff *msg;
9347
9348	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9349	if (!msg)
9350		return;
9351
9352	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
9353				  NL80211_CMD_TRIGGER_SCAN) < 0) {
9354		nlmsg_free(msg);
9355		return;
9356	}
9357
9358	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9359				nl80211_scan_mcgrp.id, GFP_KERNEL);
9360}
9361
9362void nl80211_send_scan_done(struct cfg80211_registered_device *rdev,
9363			    struct wireless_dev *wdev)
9364{
9365	struct sk_buff *msg;
9366
9367	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9368	if (!msg)
9369		return;
9370
9371	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
9372				  NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
9373		nlmsg_free(msg);
9374		return;
9375	}
9376
9377	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9378				nl80211_scan_mcgrp.id, GFP_KERNEL);
9379}
9380
9381void nl80211_send_scan_aborted(struct cfg80211_registered_device *rdev,
9382			       struct wireless_dev *wdev)
9383{
9384	struct sk_buff *msg;
9385
9386	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9387	if (!msg)
9388		return;
9389
9390	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
9391				  NL80211_CMD_SCAN_ABORTED) < 0) {
9392		nlmsg_free(msg);
9393		return;
9394	}
9395
9396	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9397				nl80211_scan_mcgrp.id, GFP_KERNEL);
9398}
9399
9400void nl80211_send_sched_scan_results(struct cfg80211_registered_device *rdev,
9401				     struct net_device *netdev)
9402{
9403	struct sk_buff *msg;
9404
9405	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9406	if (!msg)
9407		return;
9408
9409	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0,
9410					NL80211_CMD_SCHED_SCAN_RESULTS) < 0) {
9411		nlmsg_free(msg);
9412		return;
9413	}
9414
9415	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9416				nl80211_scan_mcgrp.id, GFP_KERNEL);
9417}
9418
9419void nl80211_send_sched_scan(struct cfg80211_registered_device *rdev,
9420			     struct net_device *netdev, u32 cmd)
9421{
9422	struct sk_buff *msg;
9423
9424	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9425	if (!msg)
9426		return;
9427
9428	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0, cmd) < 0) {
9429		nlmsg_free(msg);
9430		return;
9431	}
9432
9433	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9434				nl80211_scan_mcgrp.id, GFP_KERNEL);
9435}
9436
9437/*
9438 * This can happen on global regulatory changes or device specific settings
9439 * based on custom world regulatory domains.
9440 */
9441void nl80211_send_reg_change_event(struct regulatory_request *request)
9442{
9443	struct sk_buff *msg;
9444	void *hdr;
9445
9446	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9447	if (!msg)
9448		return;
9449
9450	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_CHANGE);
9451	if (!hdr) {
9452		nlmsg_free(msg);
9453		return;
9454	}
9455
9456	/* Userspace can always count this one always being set */
9457	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
9458		goto nla_put_failure;
9459
9460	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
9461		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
9462			       NL80211_REGDOM_TYPE_WORLD))
9463			goto nla_put_failure;
9464	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
9465		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
9466			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
9467			goto nla_put_failure;
9468	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
9469		   request->intersect) {
9470		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
9471			       NL80211_REGDOM_TYPE_INTERSECTION))
9472			goto nla_put_failure;
9473	} else {
9474		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
9475			       NL80211_REGDOM_TYPE_COUNTRY) ||
9476		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
9477				   request->alpha2))
9478			goto nla_put_failure;
9479	}
9480
9481	if (request->wiphy_idx != WIPHY_IDX_INVALID &&
9482	    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
9483		goto nla_put_failure;
9484
9485	genlmsg_end(msg, hdr);
9486
9487	rcu_read_lock();
9488	genlmsg_multicast_allns(msg, 0, nl80211_regulatory_mcgrp.id,
9489				GFP_ATOMIC);
9490	rcu_read_unlock();
9491
9492	return;
9493
9494nla_put_failure:
9495	genlmsg_cancel(msg, hdr);
9496	nlmsg_free(msg);
9497}
9498
9499static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
9500				    struct net_device *netdev,
9501				    const u8 *buf, size_t len,
9502				    enum nl80211_commands cmd, gfp_t gfp)
9503{
9504	struct sk_buff *msg;
9505	void *hdr;
9506
9507	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9508	if (!msg)
9509		return;
9510
9511	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
9512	if (!hdr) {
9513		nlmsg_free(msg);
9514		return;
9515	}
9516
9517	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9518	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
9519	    nla_put(msg, NL80211_ATTR_FRAME, len, buf))
9520		goto nla_put_failure;
9521
9522	genlmsg_end(msg, hdr);
9523
9524	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9525				nl80211_mlme_mcgrp.id, gfp);
9526	return;
9527
9528 nla_put_failure:
9529	genlmsg_cancel(msg, hdr);
9530	nlmsg_free(msg);
9531}
9532
9533void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
9534			  struct net_device *netdev, const u8 *buf,
9535			  size_t len, gfp_t gfp)
9536{
9537	nl80211_send_mlme_event(rdev, netdev, buf, len,
9538				NL80211_CMD_AUTHENTICATE, gfp);
9539}
9540
9541void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
9542			   struct net_device *netdev, const u8 *buf,
9543			   size_t len, gfp_t gfp)
9544{
9545	nl80211_send_mlme_event(rdev, netdev, buf, len,
9546				NL80211_CMD_ASSOCIATE, gfp);
9547}
9548
9549void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
9550			 struct net_device *netdev, const u8 *buf,
9551			 size_t len, gfp_t gfp)
9552{
9553	nl80211_send_mlme_event(rdev, netdev, buf, len,
9554				NL80211_CMD_DEAUTHENTICATE, gfp);
9555}
9556
9557void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
9558			   struct net_device *netdev, const u8 *buf,
9559			   size_t len, gfp_t gfp)
9560{
9561	nl80211_send_mlme_event(rdev, netdev, buf, len,
9562				NL80211_CMD_DISASSOCIATE, gfp);
9563}
9564
9565void cfg80211_send_unprot_deauth(struct net_device *dev, const u8 *buf,
9566				 size_t len)
9567{
9568	struct wireless_dev *wdev = dev->ieee80211_ptr;
9569	struct wiphy *wiphy = wdev->wiphy;
9570	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
9571
9572	trace_cfg80211_send_unprot_deauth(dev);
9573	nl80211_send_mlme_event(rdev, dev, buf, len,
9574				NL80211_CMD_UNPROT_DEAUTHENTICATE, GFP_ATOMIC);
9575}
9576EXPORT_SYMBOL(cfg80211_send_unprot_deauth);
9577
9578void cfg80211_send_unprot_disassoc(struct net_device *dev, const u8 *buf,
9579				   size_t len)
9580{
9581	struct wireless_dev *wdev = dev->ieee80211_ptr;
9582	struct wiphy *wiphy = wdev->wiphy;
9583	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
9584
9585	trace_cfg80211_send_unprot_disassoc(dev);
9586	nl80211_send_mlme_event(rdev, dev, buf, len,
9587				NL80211_CMD_UNPROT_DISASSOCIATE, GFP_ATOMIC);
9588}
9589EXPORT_SYMBOL(cfg80211_send_unprot_disassoc);
9590
9591static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
9592				      struct net_device *netdev, int cmd,
9593				      const u8 *addr, gfp_t gfp)
9594{
9595	struct sk_buff *msg;
9596	void *hdr;
9597
9598	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9599	if (!msg)
9600		return;
9601
9602	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
9603	if (!hdr) {
9604		nlmsg_free(msg);
9605		return;
9606	}
9607
9608	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9609	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
9610	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
9611	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
9612		goto nla_put_failure;
9613
9614	genlmsg_end(msg, hdr);
9615
9616	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9617				nl80211_mlme_mcgrp.id, gfp);
9618	return;
9619
9620 nla_put_failure:
9621	genlmsg_cancel(msg, hdr);
9622	nlmsg_free(msg);
9623}
9624
9625void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
9626			       struct net_device *netdev, const u8 *addr,
9627			       gfp_t gfp)
9628{
9629	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
9630				  addr, gfp);
9631}
9632
9633void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
9634				struct net_device *netdev, const u8 *addr,
9635				gfp_t gfp)
9636{
9637	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
9638				  addr, gfp);
9639}
9640
9641void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
9642				 struct net_device *netdev, const u8 *bssid,
9643				 const u8 *req_ie, size_t req_ie_len,
9644				 const u8 *resp_ie, size_t resp_ie_len,
9645				 u16 status, gfp_t gfp)
9646{
9647	struct sk_buff *msg;
9648	void *hdr;
9649
9650	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9651	if (!msg)
9652		return;
9653
9654	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
9655	if (!hdr) {
9656		nlmsg_free(msg);
9657		return;
9658	}
9659
9660	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9661	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
9662	    (bssid && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid)) ||
9663	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE, status) ||
9664	    (req_ie &&
9665	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
9666	    (resp_ie &&
9667	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
9668		goto nla_put_failure;
9669
9670	genlmsg_end(msg, hdr);
9671
9672	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9673				nl80211_mlme_mcgrp.id, gfp);
9674	return;
9675
9676 nla_put_failure:
9677	genlmsg_cancel(msg, hdr);
9678	nlmsg_free(msg);
9679
9680}
9681
9682void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
9683			 struct net_device *netdev, const u8 *bssid,
9684			 const u8 *req_ie, size_t req_ie_len,
9685			 const u8 *resp_ie, size_t resp_ie_len, gfp_t gfp)
9686{
9687	struct sk_buff *msg;
9688	void *hdr;
9689
9690	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9691	if (!msg)
9692		return;
9693
9694	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
9695	if (!hdr) {
9696		nlmsg_free(msg);
9697		return;
9698	}
9699
9700	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9701	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
9702	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
9703	    (req_ie &&
9704	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
9705	    (resp_ie &&
9706	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
9707		goto nla_put_failure;
9708
9709	genlmsg_end(msg, hdr);
9710
9711	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9712				nl80211_mlme_mcgrp.id, gfp);
9713	return;
9714
9715 nla_put_failure:
9716	genlmsg_cancel(msg, hdr);
9717	nlmsg_free(msg);
9718
9719}
9720
9721void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
9722			       struct net_device *netdev, u16 reason,
9723			       const u8 *ie, size_t ie_len, bool from_ap)
9724{
9725	struct sk_buff *msg;
9726	void *hdr;
9727
9728	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9729	if (!msg)
9730		return;
9731
9732	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
9733	if (!hdr) {
9734		nlmsg_free(msg);
9735		return;
9736	}
9737
9738	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9739	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
9740	    (from_ap && reason &&
9741	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
9742	    (from_ap &&
9743	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
9744	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
9745		goto nla_put_failure;
9746
9747	genlmsg_end(msg, hdr);
9748
9749	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9750				nl80211_mlme_mcgrp.id, GFP_KERNEL);
9751	return;
9752
9753 nla_put_failure:
9754	genlmsg_cancel(msg, hdr);
9755	nlmsg_free(msg);
9756
9757}
9758
9759void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
9760			     struct net_device *netdev, const u8 *bssid,
9761			     gfp_t gfp)
9762{
9763	struct sk_buff *msg;
9764	void *hdr;
9765
9766	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9767	if (!msg)
9768		return;
9769
9770	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
9771	if (!hdr) {
9772		nlmsg_free(msg);
9773		return;
9774	}
9775
9776	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9777	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
9778	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
9779		goto nla_put_failure;
9780
9781	genlmsg_end(msg, hdr);
9782
9783	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9784				nl80211_mlme_mcgrp.id, gfp);
9785	return;
9786
9787 nla_put_failure:
9788	genlmsg_cancel(msg, hdr);
9789	nlmsg_free(msg);
9790}
9791
9792void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
9793					const u8* ie, u8 ie_len, gfp_t gfp)
9794{
9795	struct wireless_dev *wdev = dev->ieee80211_ptr;
9796	struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
9797	struct sk_buff *msg;
9798	void *hdr;
9799
9800	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
9801		return;
9802
9803	trace_cfg80211_notify_new_peer_candidate(dev, addr);
9804
9805	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9806	if (!msg)
9807		return;
9808
9809	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
9810	if (!hdr) {
9811		nlmsg_free(msg);
9812		return;
9813	}
9814
9815	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9816	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
9817	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
9818	    (ie_len && ie &&
9819	     nla_put(msg, NL80211_ATTR_IE, ie_len , ie)))
9820		goto nla_put_failure;
9821
9822	genlmsg_end(msg, hdr);
9823
9824	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9825				nl80211_mlme_mcgrp.id, gfp);
9826	return;
9827
9828 nla_put_failure:
9829	genlmsg_cancel(msg, hdr);
9830	nlmsg_free(msg);
9831}
9832EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
9833
9834void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
9835				 struct net_device *netdev, const u8 *addr,
9836				 enum nl80211_key_type key_type, int key_id,
9837				 const u8 *tsc, gfp_t gfp)
9838{
9839	struct sk_buff *msg;
9840	void *hdr;
9841
9842	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9843	if (!msg)
9844		return;
9845
9846	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
9847	if (!hdr) {
9848		nlmsg_free(msg);
9849		return;
9850	}
9851
9852	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9853	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
9854	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
9855	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
9856	    (key_id != -1 &&
9857	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
9858	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
9859		goto nla_put_failure;
9860
9861	genlmsg_end(msg, hdr);
9862
9863	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9864				nl80211_mlme_mcgrp.id, gfp);
9865	return;
9866
9867 nla_put_failure:
9868	genlmsg_cancel(msg, hdr);
9869	nlmsg_free(msg);
9870}
9871
9872void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
9873				    struct ieee80211_channel *channel_before,
9874				    struct ieee80211_channel *channel_after)
9875{
9876	struct sk_buff *msg;
9877	void *hdr;
9878	struct nlattr *nl_freq;
9879
9880	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
9881	if (!msg)
9882		return;
9883
9884	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
9885	if (!hdr) {
9886		nlmsg_free(msg);
9887		return;
9888	}
9889
9890	/*
9891	 * Since we are applying the beacon hint to a wiphy we know its
9892	 * wiphy_idx is valid
9893	 */
9894	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
9895		goto nla_put_failure;
9896
9897	/* Before */
9898	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_BEFORE);
9899	if (!nl_freq)
9900		goto nla_put_failure;
9901	if (nl80211_msg_put_channel(msg, channel_before, false))
9902		goto nla_put_failure;
9903	nla_nest_end(msg, nl_freq);
9904
9905	/* After */
9906	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_AFTER);
9907	if (!nl_freq)
9908		goto nla_put_failure;
9909	if (nl80211_msg_put_channel(msg, channel_after, false))
9910		goto nla_put_failure;
9911	nla_nest_end(msg, nl_freq);
9912
9913	genlmsg_end(msg, hdr);
9914
9915	rcu_read_lock();
9916	genlmsg_multicast_allns(msg, 0, nl80211_regulatory_mcgrp.id,
9917				GFP_ATOMIC);
9918	rcu_read_unlock();
9919
9920	return;
9921
9922nla_put_failure:
9923	genlmsg_cancel(msg, hdr);
9924	nlmsg_free(msg);
9925}
9926
9927static void nl80211_send_remain_on_chan_event(
9928	int cmd, struct cfg80211_registered_device *rdev,
9929	struct wireless_dev *wdev, u64 cookie,
9930	struct ieee80211_channel *chan,
9931	unsigned int duration, gfp_t gfp)
9932{
9933	struct sk_buff *msg;
9934	void *hdr;
9935
9936	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9937	if (!msg)
9938		return;
9939
9940	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
9941	if (!hdr) {
9942		nlmsg_free(msg);
9943		return;
9944	}
9945
9946	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9947	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
9948					 wdev->netdev->ifindex)) ||
9949	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
9950	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
9951	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
9952			NL80211_CHAN_NO_HT) ||
9953	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
9954		goto nla_put_failure;
9955
9956	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
9957	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
9958		goto nla_put_failure;
9959
9960	genlmsg_end(msg, hdr);
9961
9962	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9963				nl80211_mlme_mcgrp.id, gfp);
9964	return;
9965
9966 nla_put_failure:
9967	genlmsg_cancel(msg, hdr);
9968	nlmsg_free(msg);
9969}
9970
9971void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
9972			       struct ieee80211_channel *chan,
9973			       unsigned int duration, gfp_t gfp)
9974{
9975	struct wiphy *wiphy = wdev->wiphy;
9976	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
9977
9978	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
9979	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
9980					  rdev, wdev, cookie, chan,
9981					  duration, gfp);
9982}
9983EXPORT_SYMBOL(cfg80211_ready_on_channel);
9984
9985void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
9986					struct ieee80211_channel *chan,
9987					gfp_t gfp)
9988{
9989	struct wiphy *wiphy = wdev->wiphy;
9990	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
9991
9992	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
9993	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
9994					  rdev, wdev, cookie, chan, 0, gfp);
9995}
9996EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
9997
9998void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
9999		      struct station_info *sinfo, gfp_t gfp)
10000{
10001	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
10002	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
10003	struct sk_buff *msg;
10004
10005	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
10006
10007	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10008	if (!msg)
10009		return;
10010
10011	if (nl80211_send_station(msg, 0, 0, 0,
10012				 rdev, dev, mac_addr, sinfo) < 0) {
10013		nlmsg_free(msg);
10014		return;
10015	}
10016
10017	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10018				nl80211_mlme_mcgrp.id, gfp);
10019}
10020EXPORT_SYMBOL(cfg80211_new_sta);
10021
10022void cfg80211_del_sta(struct net_device *dev, const u8 *mac_addr, gfp_t gfp)
10023{
10024	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
10025	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
10026	struct sk_buff *msg;
10027	void *hdr;
10028
10029	trace_cfg80211_del_sta(dev, mac_addr);
10030
10031	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10032	if (!msg)
10033		return;
10034
10035	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_STATION);
10036	if (!hdr) {
10037		nlmsg_free(msg);
10038		return;
10039	}
10040
10041	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
10042	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
10043		goto nla_put_failure;
10044
10045	genlmsg_end(msg, hdr);
10046
10047	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10048				nl80211_mlme_mcgrp.id, gfp);
10049	return;
10050
10051 nla_put_failure:
10052	genlmsg_cancel(msg, hdr);
10053	nlmsg_free(msg);
10054}
10055EXPORT_SYMBOL(cfg80211_del_sta);
10056
10057void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
10058			  enum nl80211_connect_failed_reason reason,
10059			  gfp_t gfp)
10060{
10061	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
10062	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
10063	struct sk_buff *msg;
10064	void *hdr;
10065
10066	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
10067	if (!msg)
10068		return;
10069
10070	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
10071	if (!hdr) {
10072		nlmsg_free(msg);
10073		return;
10074	}
10075
10076	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
10077	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
10078	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
10079		goto nla_put_failure;
10080
10081	genlmsg_end(msg, hdr);
10082
10083	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10084				nl80211_mlme_mcgrp.id, gfp);
10085	return;
10086
10087 nla_put_failure:
10088	genlmsg_cancel(msg, hdr);
10089	nlmsg_free(msg);
10090}
10091EXPORT_SYMBOL(cfg80211_conn_failed);
10092
10093static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
10094				       const u8 *addr, gfp_t gfp)
10095{
10096	struct wireless_dev *wdev = dev->ieee80211_ptr;
10097	struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
10098	struct sk_buff *msg;
10099	void *hdr;
10100	int err;
10101	u32 nlportid = ACCESS_ONCE(wdev->ap_unexpected_nlportid);
10102
10103	if (!nlportid)
10104		return false;
10105
10106	msg = nlmsg_new(100, gfp);
10107	if (!msg)
10108		return true;
10109
10110	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
10111	if (!hdr) {
10112		nlmsg_free(msg);
10113		return true;
10114	}
10115
10116	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10117	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
10118	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
10119		goto nla_put_failure;
10120
10121	err = genlmsg_end(msg, hdr);
10122	if (err < 0) {
10123		nlmsg_free(msg);
10124		return true;
10125	}
10126
10127	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
10128	return true;
10129
10130 nla_put_failure:
10131	genlmsg_cancel(msg, hdr);
10132	nlmsg_free(msg);
10133	return true;
10134}
10135
10136bool cfg80211_rx_spurious_frame(struct net_device *dev,
10137				const u8 *addr, gfp_t gfp)
10138{
10139	struct wireless_dev *wdev = dev->ieee80211_ptr;
10140	bool ret;
10141
10142	trace_cfg80211_rx_spurious_frame(dev, addr);
10143
10144	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
10145		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
10146		trace_cfg80211_return_bool(false);
10147		return false;
10148	}
10149	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
10150					 addr, gfp);
10151	trace_cfg80211_return_bool(ret);
10152	return ret;
10153}
10154EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
10155
10156bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
10157					const u8 *addr, gfp_t gfp)
10158{
10159	struct wireless_dev *wdev = dev->ieee80211_ptr;
10160	bool ret;
10161
10162	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
10163
10164	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
10165		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
10166		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
10167		trace_cfg80211_return_bool(false);
10168		return false;
10169	}
10170	ret = __nl80211_unexpected_frame(dev,
10171					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
10172					 addr, gfp);
10173	trace_cfg80211_return_bool(ret);
10174	return ret;
10175}
10176EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
10177
10178int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
10179		      struct wireless_dev *wdev, u32 nlportid,
10180		      int freq, int sig_dbm,
10181		      const u8 *buf, size_t len, gfp_t gfp)
10182{
10183	struct net_device *netdev = wdev->netdev;
10184	struct sk_buff *msg;
10185	void *hdr;
10186
10187	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10188	if (!msg)
10189		return -ENOMEM;
10190
10191	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
10192	if (!hdr) {
10193		nlmsg_free(msg);
10194		return -ENOMEM;
10195	}
10196
10197	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10198	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
10199					netdev->ifindex)) ||
10200	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
10201	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq) ||
10202	    (sig_dbm &&
10203	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
10204	    nla_put(msg, NL80211_ATTR_FRAME, len, buf))
10205		goto nla_put_failure;
10206
10207	genlmsg_end(msg, hdr);
10208
10209	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
10210
10211 nla_put_failure:
10212	genlmsg_cancel(msg, hdr);
10213	nlmsg_free(msg);
10214	return -ENOBUFS;
10215}
10216
10217void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
10218			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
10219{
10220	struct wiphy *wiphy = wdev->wiphy;
10221	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
10222	struct net_device *netdev = wdev->netdev;
10223	struct sk_buff *msg;
10224	void *hdr;
10225
10226	trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
10227
10228	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10229	if (!msg)
10230		return;
10231
10232	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME_TX_STATUS);
10233	if (!hdr) {
10234		nlmsg_free(msg);
10235		return;
10236	}
10237
10238	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10239	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
10240				   netdev->ifindex)) ||
10241	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
10242	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
10243	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie) ||
10244	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
10245		goto nla_put_failure;
10246
10247	genlmsg_end(msg, hdr);
10248
10249	genlmsg_multicast(msg, 0, nl80211_mlme_mcgrp.id, gfp);
10250	return;
10251
10252 nla_put_failure:
10253	genlmsg_cancel(msg, hdr);
10254	nlmsg_free(msg);
10255}
10256EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
10257
10258void cfg80211_cqm_rssi_notify(struct net_device *dev,
10259			      enum nl80211_cqm_rssi_threshold_event rssi_event,
10260			      gfp_t gfp)
10261{
10262	struct wireless_dev *wdev = dev->ieee80211_ptr;
10263	struct wiphy *wiphy = wdev->wiphy;
10264	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
10265	struct sk_buff *msg;
10266	struct nlattr *pinfoattr;
10267	void *hdr;
10268
10269	trace_cfg80211_cqm_rssi_notify(dev, rssi_event);
10270
10271	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10272	if (!msg)
10273		return;
10274
10275	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
10276	if (!hdr) {
10277		nlmsg_free(msg);
10278		return;
10279	}
10280
10281	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10282	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
10283		goto nla_put_failure;
10284
10285	pinfoattr = nla_nest_start(msg, NL80211_ATTR_CQM);
10286	if (!pinfoattr)
10287		goto nla_put_failure;
10288
10289	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
10290			rssi_event))
10291		goto nla_put_failure;
10292
10293	nla_nest_end(msg, pinfoattr);
10294
10295	genlmsg_end(msg, hdr);
10296
10297	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10298				nl80211_mlme_mcgrp.id, gfp);
10299	return;
10300
10301 nla_put_failure:
10302	genlmsg_cancel(msg, hdr);
10303	nlmsg_free(msg);
10304}
10305EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
10306
10307static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
10308				     struct net_device *netdev, const u8 *bssid,
10309				     const u8 *replay_ctr, gfp_t gfp)
10310{
10311	struct sk_buff *msg;
10312	struct nlattr *rekey_attr;
10313	void *hdr;
10314
10315	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10316	if (!msg)
10317		return;
10318
10319	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
10320	if (!hdr) {
10321		nlmsg_free(msg);
10322		return;
10323	}
10324
10325	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10326	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
10327	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
10328		goto nla_put_failure;
10329
10330	rekey_attr = nla_nest_start(msg, NL80211_ATTR_REKEY_DATA);
10331	if (!rekey_attr)
10332		goto nla_put_failure;
10333
10334	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
10335		    NL80211_REPLAY_CTR_LEN, replay_ctr))
10336		goto nla_put_failure;
10337
10338	nla_nest_end(msg, rekey_attr);
10339
10340	genlmsg_end(msg, hdr);
10341
10342	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10343				nl80211_mlme_mcgrp.id, gfp);
10344	return;
10345
10346 nla_put_failure:
10347	genlmsg_cancel(msg, hdr);
10348	nlmsg_free(msg);
10349}
10350
10351void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
10352			       const u8 *replay_ctr, gfp_t gfp)
10353{
10354	struct wireless_dev *wdev = dev->ieee80211_ptr;
10355	struct wiphy *wiphy = wdev->wiphy;
10356	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
10357
10358	trace_cfg80211_gtk_rekey_notify(dev, bssid);
10359	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
10360}
10361EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
10362
10363static void
10364nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
10365			       struct net_device *netdev, int index,
10366			       const u8 *bssid, bool preauth, gfp_t gfp)
10367{
10368	struct sk_buff *msg;
10369	struct nlattr *attr;
10370	void *hdr;
10371
10372	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10373	if (!msg)
10374		return;
10375
10376	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
10377	if (!hdr) {
10378		nlmsg_free(msg);
10379		return;
10380	}
10381
10382	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10383	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
10384		goto nla_put_failure;
10385
10386	attr = nla_nest_start(msg, NL80211_ATTR_PMKSA_CANDIDATE);
10387	if (!attr)
10388		goto nla_put_failure;
10389
10390	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
10391	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
10392	    (preauth &&
10393	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
10394		goto nla_put_failure;
10395
10396	nla_nest_end(msg, attr);
10397
10398	genlmsg_end(msg, hdr);
10399
10400	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10401				nl80211_mlme_mcgrp.id, gfp);
10402	return;
10403
10404 nla_put_failure:
10405	genlmsg_cancel(msg, hdr);
10406	nlmsg_free(msg);
10407}
10408
10409void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
10410				     const u8 *bssid, bool preauth, gfp_t gfp)
10411{
10412	struct wireless_dev *wdev = dev->ieee80211_ptr;
10413	struct wiphy *wiphy = wdev->wiphy;
10414	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
10415
10416	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
10417	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
10418}
10419EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
10420
10421static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
10422				     struct net_device *netdev,
10423				     struct cfg80211_chan_def *chandef,
10424				     gfp_t gfp)
10425{
10426	struct sk_buff *msg;
10427	void *hdr;
10428
10429	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10430	if (!msg)
10431		return;
10432
10433	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CH_SWITCH_NOTIFY);
10434	if (!hdr) {
10435		nlmsg_free(msg);
10436		return;
10437	}
10438
10439	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
10440		goto nla_put_failure;
10441
10442	if (nl80211_send_chandef(msg, chandef))
10443		goto nla_put_failure;
10444
10445	genlmsg_end(msg, hdr);
10446
10447	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10448				nl80211_mlme_mcgrp.id, gfp);
10449	return;
10450
10451 nla_put_failure:
10452	genlmsg_cancel(msg, hdr);
10453	nlmsg_free(msg);
10454}
10455
10456void cfg80211_ch_switch_notify(struct net_device *dev,
10457			       struct cfg80211_chan_def *chandef)
10458{
10459	struct wireless_dev *wdev = dev->ieee80211_ptr;
10460	struct wiphy *wiphy = wdev->wiphy;
10461	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
10462
10463	trace_cfg80211_ch_switch_notify(dev, chandef);
10464
10465	wdev_lock(wdev);
10466
10467	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
10468		    wdev->iftype != NL80211_IFTYPE_P2P_GO))
10469		goto out;
10470
10471	wdev->channel = chandef->chan;
10472	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL);
10473out:
10474	wdev_unlock(wdev);
10475	return;
10476}
10477EXPORT_SYMBOL(cfg80211_ch_switch_notify);
10478
10479void cfg80211_cqm_txe_notify(struct net_device *dev,
10480			     const u8 *peer, u32 num_packets,
10481			     u32 rate, u32 intvl, gfp_t gfp)
10482{
10483	struct wireless_dev *wdev = dev->ieee80211_ptr;
10484	struct wiphy *wiphy = wdev->wiphy;
10485	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
10486	struct sk_buff *msg;
10487	struct nlattr *pinfoattr;
10488	void *hdr;
10489
10490	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
10491	if (!msg)
10492		return;
10493
10494	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
10495	if (!hdr) {
10496		nlmsg_free(msg);
10497		return;
10498	}
10499
10500	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10501	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
10502	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer))
10503		goto nla_put_failure;
10504
10505	pinfoattr = nla_nest_start(msg, NL80211_ATTR_CQM);
10506	if (!pinfoattr)
10507		goto nla_put_failure;
10508
10509	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
10510		goto nla_put_failure;
10511
10512	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
10513		goto nla_put_failure;
10514
10515	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
10516		goto nla_put_failure;
10517
10518	nla_nest_end(msg, pinfoattr);
10519
10520	genlmsg_end(msg, hdr);
10521
10522	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10523				nl80211_mlme_mcgrp.id, gfp);
10524	return;
10525
10526 nla_put_failure:
10527	genlmsg_cancel(msg, hdr);
10528	nlmsg_free(msg);
10529}
10530EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
10531
10532void
10533nl80211_radar_notify(struct cfg80211_registered_device *rdev,
10534		     struct cfg80211_chan_def *chandef,
10535		     enum nl80211_radar_event event,
10536		     struct net_device *netdev, gfp_t gfp)
10537{
10538	struct sk_buff *msg;
10539	void *hdr;
10540
10541	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10542	if (!msg)
10543		return;
10544
10545	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
10546	if (!hdr) {
10547		nlmsg_free(msg);
10548		return;
10549	}
10550
10551	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
10552		goto nla_put_failure;
10553
10554	/* NOP and radar events don't need a netdev parameter */
10555	if (netdev) {
10556		struct wireless_dev *wdev = netdev->ieee80211_ptr;
10557
10558		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
10559		    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
10560			goto nla_put_failure;
10561	}
10562
10563	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
10564		goto nla_put_failure;
10565
10566	if (nl80211_send_chandef(msg, chandef))
10567		goto nla_put_failure;
10568
10569	if (genlmsg_end(msg, hdr) < 0) {
10570		nlmsg_free(msg);
10571		return;
10572	}
10573
10574	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10575				nl80211_mlme_mcgrp.id, gfp);
10576	return;
10577
10578 nla_put_failure:
10579	genlmsg_cancel(msg, hdr);
10580	nlmsg_free(msg);
10581}
10582
10583void cfg80211_cqm_pktloss_notify(struct net_device *dev,
10584				 const u8 *peer, u32 num_packets, gfp_t gfp)
10585{
10586	struct wireless_dev *wdev = dev->ieee80211_ptr;
10587	struct wiphy *wiphy = wdev->wiphy;
10588	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
10589	struct sk_buff *msg;
10590	struct nlattr *pinfoattr;
10591	void *hdr;
10592
10593	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
10594
10595	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10596	if (!msg)
10597		return;
10598
10599	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
10600	if (!hdr) {
10601		nlmsg_free(msg);
10602		return;
10603	}
10604
10605	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10606	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
10607	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer))
10608		goto nla_put_failure;
10609
10610	pinfoattr = nla_nest_start(msg, NL80211_ATTR_CQM);
10611	if (!pinfoattr)
10612		goto nla_put_failure;
10613
10614	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
10615		goto nla_put_failure;
10616
10617	nla_nest_end(msg, pinfoattr);
10618
10619	genlmsg_end(msg, hdr);
10620
10621	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10622				nl80211_mlme_mcgrp.id, gfp);
10623	return;
10624
10625 nla_put_failure:
10626	genlmsg_cancel(msg, hdr);
10627	nlmsg_free(msg);
10628}
10629EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
10630
10631void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
10632			   u64 cookie, bool acked, gfp_t gfp)
10633{
10634	struct wireless_dev *wdev = dev->ieee80211_ptr;
10635	struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
10636	struct sk_buff *msg;
10637	void *hdr;
10638	int err;
10639
10640	trace_cfg80211_probe_status(dev, addr, cookie, acked);
10641
10642	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10643
10644	if (!msg)
10645		return;
10646
10647	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
10648	if (!hdr) {
10649		nlmsg_free(msg);
10650		return;
10651	}
10652
10653	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10654	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
10655	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
10656	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie) ||
10657	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)))
10658		goto nla_put_failure;
10659
10660	err = genlmsg_end(msg, hdr);
10661	if (err < 0) {
10662		nlmsg_free(msg);
10663		return;
10664	}
10665
10666	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10667				nl80211_mlme_mcgrp.id, gfp);
10668	return;
10669
10670 nla_put_failure:
10671	genlmsg_cancel(msg, hdr);
10672	nlmsg_free(msg);
10673}
10674EXPORT_SYMBOL(cfg80211_probe_status);
10675
10676void cfg80211_report_obss_beacon(struct wiphy *wiphy,
10677				 const u8 *frame, size_t len,
10678				 int freq, int sig_dbm)
10679{
10680	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
10681	struct sk_buff *msg;
10682	void *hdr;
10683	struct cfg80211_beacon_registration *reg;
10684
10685	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
10686
10687	spin_lock_bh(&rdev->beacon_registrations_lock);
10688	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
10689		msg = nlmsg_new(len + 100, GFP_ATOMIC);
10690		if (!msg) {
10691			spin_unlock_bh(&rdev->beacon_registrations_lock);
10692			return;
10693		}
10694
10695		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
10696		if (!hdr)
10697			goto nla_put_failure;
10698
10699		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10700		    (freq &&
10701		     nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq)) ||
10702		    (sig_dbm &&
10703		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
10704		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
10705			goto nla_put_failure;
10706
10707		genlmsg_end(msg, hdr);
10708
10709		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
10710	}
10711	spin_unlock_bh(&rdev->beacon_registrations_lock);
10712	return;
10713
10714 nla_put_failure:
10715	spin_unlock_bh(&rdev->beacon_registrations_lock);
10716	if (hdr)
10717		genlmsg_cancel(msg, hdr);
10718	nlmsg_free(msg);
10719}
10720EXPORT_SYMBOL(cfg80211_report_obss_beacon);
10721
10722#ifdef CONFIG_PM
10723void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
10724				   struct cfg80211_wowlan_wakeup *wakeup,
10725				   gfp_t gfp)
10726{
10727	struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
10728	struct sk_buff *msg;
10729	void *hdr;
10730	int err, size = 200;
10731
10732	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
10733
10734	if (wakeup)
10735		size += wakeup->packet_present_len;
10736
10737	msg = nlmsg_new(size, gfp);
10738	if (!msg)
10739		return;
10740
10741	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
10742	if (!hdr)
10743		goto free_msg;
10744
10745	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10746	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
10747		goto free_msg;
10748
10749	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
10750					wdev->netdev->ifindex))
10751		goto free_msg;
10752
10753	if (wakeup) {
10754		struct nlattr *reasons;
10755
10756		reasons = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
10757
10758		if (wakeup->disconnect &&
10759		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
10760			goto free_msg;
10761		if (wakeup->magic_pkt &&
10762		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
10763			goto free_msg;
10764		if (wakeup->gtk_rekey_failure &&
10765		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
10766			goto free_msg;
10767		if (wakeup->eap_identity_req &&
10768		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
10769			goto free_msg;
10770		if (wakeup->four_way_handshake &&
10771		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
10772			goto free_msg;
10773		if (wakeup->rfkill_release &&
10774		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
10775			goto free_msg;
10776
10777		if (wakeup->pattern_idx >= 0 &&
10778		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
10779				wakeup->pattern_idx))
10780			goto free_msg;
10781
10782		if (wakeup->tcp_match)
10783			nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH);
10784
10785		if (wakeup->tcp_connlost)
10786			nla_put_flag(msg,
10787				     NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST);
10788
10789		if (wakeup->tcp_nomoretokens)
10790			nla_put_flag(msg,
10791				NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS);
10792
10793		if (wakeup->packet) {
10794			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
10795			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
10796
10797			if (!wakeup->packet_80211) {
10798				pkt_attr =
10799					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
10800				len_attr =
10801					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
10802			}
10803
10804			if (wakeup->packet_len &&
10805			    nla_put_u32(msg, len_attr, wakeup->packet_len))
10806				goto free_msg;
10807
10808			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
10809				    wakeup->packet))
10810				goto free_msg;
10811		}
10812
10813		nla_nest_end(msg, reasons);
10814	}
10815
10816	err = genlmsg_end(msg, hdr);
10817	if (err < 0)
10818		goto free_msg;
10819
10820	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10821				nl80211_mlme_mcgrp.id, gfp);
10822	return;
10823
10824 free_msg:
10825	nlmsg_free(msg);
10826}
10827EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
10828#endif
10829
10830void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
10831				enum nl80211_tdls_operation oper,
10832				u16 reason_code, gfp_t gfp)
10833{
10834	struct wireless_dev *wdev = dev->ieee80211_ptr;
10835	struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
10836	struct sk_buff *msg;
10837	void *hdr;
10838	int err;
10839
10840	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
10841					 reason_code);
10842
10843	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10844	if (!msg)
10845		return;
10846
10847	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
10848	if (!hdr) {
10849		nlmsg_free(msg);
10850		return;
10851	}
10852
10853	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10854	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
10855	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
10856	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
10857	    (reason_code > 0 &&
10858	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
10859		goto nla_put_failure;
10860
10861	err = genlmsg_end(msg, hdr);
10862	if (err < 0) {
10863		nlmsg_free(msg);
10864		return;
10865	}
10866
10867	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10868				nl80211_mlme_mcgrp.id, gfp);
10869	return;
10870
10871 nla_put_failure:
10872	genlmsg_cancel(msg, hdr);
10873	nlmsg_free(msg);
10874}
10875EXPORT_SYMBOL(cfg80211_tdls_oper_request);
10876
10877static int nl80211_netlink_notify(struct notifier_block * nb,
10878				  unsigned long state,
10879				  void *_notify)
10880{
10881	struct netlink_notify *notify = _notify;
10882	struct cfg80211_registered_device *rdev;
10883	struct wireless_dev *wdev;
10884	struct cfg80211_beacon_registration *reg, *tmp;
10885
10886	if (state != NETLINK_URELEASE)
10887		return NOTIFY_DONE;
10888
10889	rcu_read_lock();
10890
10891	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
10892		list_for_each_entry_rcu(wdev, &rdev->wdev_list, list)
10893			cfg80211_mlme_unregister_socket(wdev, notify->portid);
10894
10895		spin_lock_bh(&rdev->beacon_registrations_lock);
10896		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
10897					 list) {
10898			if (reg->nlportid == notify->portid) {
10899				list_del(&reg->list);
10900				kfree(reg);
10901				break;
10902			}
10903		}
10904		spin_unlock_bh(&rdev->beacon_registrations_lock);
10905	}
10906
10907	rcu_read_unlock();
10908
10909	return NOTIFY_DONE;
10910}
10911
10912static struct notifier_block nl80211_netlink_notifier = {
10913	.notifier_call = nl80211_netlink_notify,
10914};
10915
10916void cfg80211_ft_event(struct net_device *netdev,
10917		       struct cfg80211_ft_event_params *ft_event)
10918{
10919	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
10920	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
10921	struct sk_buff *msg;
10922	void *hdr;
10923	int err;
10924
10925	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
10926
10927	if (!ft_event->target_ap)
10928		return;
10929
10930	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10931	if (!msg)
10932		return;
10933
10934	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
10935	if (!hdr) {
10936		nlmsg_free(msg);
10937		return;
10938	}
10939
10940	nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx);
10941	nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex);
10942	nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap);
10943	if (ft_event->ies)
10944		nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies);
10945	if (ft_event->ric_ies)
10946		nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
10947			ft_event->ric_ies);
10948
10949	err = genlmsg_end(msg, hdr);
10950	if (err < 0) {
10951		nlmsg_free(msg);
10952		return;
10953	}
10954
10955	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10956				nl80211_mlme_mcgrp.id, GFP_KERNEL);
10957}
10958EXPORT_SYMBOL(cfg80211_ft_event);
10959
10960void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
10961{
10962	struct cfg80211_registered_device *rdev;
10963	struct sk_buff *msg;
10964	void *hdr;
10965	u32 nlportid;
10966
10967	rdev = wiphy_to_dev(wdev->wiphy);
10968	if (!rdev->crit_proto_nlportid)
10969		return;
10970
10971	nlportid = rdev->crit_proto_nlportid;
10972	rdev->crit_proto_nlportid = 0;
10973
10974	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10975	if (!msg)
10976		return;
10977
10978	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
10979	if (!hdr)
10980		goto nla_put_failure;
10981
10982	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10983	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
10984		goto nla_put_failure;
10985
10986	genlmsg_end(msg, hdr);
10987
10988	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
10989	return;
10990
10991 nla_put_failure:
10992	if (hdr)
10993		genlmsg_cancel(msg, hdr);
10994	nlmsg_free(msg);
10995
10996}
10997EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
10998
10999/* initialisation/exit functions */
11000
11001int nl80211_init(void)
11002{
11003	int err;
11004
11005	err = genl_register_family_with_ops(&nl80211_fam,
11006		nl80211_ops, ARRAY_SIZE(nl80211_ops));
11007	if (err)
11008		return err;
11009
11010	err = genl_register_mc_group(&nl80211_fam, &nl80211_config_mcgrp);
11011	if (err)
11012		goto err_out;
11013
11014	err = genl_register_mc_group(&nl80211_fam, &nl80211_scan_mcgrp);
11015	if (err)
11016		goto err_out;
11017
11018	err = genl_register_mc_group(&nl80211_fam, &nl80211_regulatory_mcgrp);
11019	if (err)
11020		goto err_out;
11021
11022	err = genl_register_mc_group(&nl80211_fam, &nl80211_mlme_mcgrp);
11023	if (err)
11024		goto err_out;
11025
11026#ifdef CONFIG_NL80211_TESTMODE
11027	err = genl_register_mc_group(&nl80211_fam, &nl80211_testmode_mcgrp);
11028	if (err)
11029		goto err_out;
11030
11031	err = genl_register_mc_group(&nl80211_fam, &nl80211_vendor_mcgrp);
11032	if (err)
11033		goto err_out;
11034#endif
11035
11036	err = netlink_register_notifier(&nl80211_netlink_notifier);
11037	if (err)
11038		goto err_out;
11039
11040	return 0;
11041 err_out:
11042	genl_unregister_family(&nl80211_fam);
11043	return err;
11044}
11045
11046void nl80211_exit(void)
11047{
11048	netlink_unregister_notifier(&nl80211_netlink_notifier);
11049	genl_unregister_family(&nl80211_fam);
11050}
11051