1/*
2 * This is the new netlink-based wireless configuration interface.
3 *
4 * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
5 * Copyright 2013-2014  Intel Mobile Communications GmbH
6 */
7
8#include <linux/if.h>
9#include <linux/module.h>
10#include <linux/err.h>
11#include <linux/slab.h>
12#include <linux/list.h>
13#include <linux/if_ether.h>
14#include <linux/ieee80211.h>
15#include <linux/nl80211.h>
16#include <linux/rtnetlink.h>
17#include <linux/netlink.h>
18#include <linux/etherdevice.h>
19#include <net/net_namespace.h>
20#include <net/genetlink.h>
21#include <net/cfg80211.h>
22#include <net/sock.h>
23#include <net/inet_connection_sock.h>
24#include "core.h"
25#include "nl80211.h"
26#include "reg.h"
27#include "rdev-ops.h"
28
29static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
30				   struct genl_info *info,
31				   struct cfg80211_crypto_settings *settings,
32				   int cipher_limit);
33
34static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
35			    struct genl_info *info);
36static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
37			      struct genl_info *info);
38
39/* the netlink family */
40static struct genl_family nl80211_fam = {
41	.id = GENL_ID_GENERATE,		/* don't bother with a hardcoded ID */
42	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
43	.hdrsize = 0,			/* no private header */
44	.version = 1,			/* no particular meaning now */
45	.maxattr = NL80211_ATTR_MAX,
46	.netnsok = true,
47	.pre_doit = nl80211_pre_doit,
48	.post_doit = nl80211_post_doit,
49};
50
51/* multicast groups */
52enum nl80211_multicast_groups {
53	NL80211_MCGRP_CONFIG,
54	NL80211_MCGRP_SCAN,
55	NL80211_MCGRP_REGULATORY,
56	NL80211_MCGRP_MLME,
57	NL80211_MCGRP_VENDOR,
58	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
59};
60
61static const struct genl_multicast_group nl80211_mcgrps[] = {
62	[NL80211_MCGRP_CONFIG] = { .name = "config", },
63	[NL80211_MCGRP_SCAN] = { .name = "scan", },
64	[NL80211_MCGRP_REGULATORY] = { .name = "regulatory", },
65	[NL80211_MCGRP_MLME] = { .name = "mlme", },
66	[NL80211_MCGRP_VENDOR] = { .name = "vendor", },
67#ifdef CONFIG_NL80211_TESTMODE
68	[NL80211_MCGRP_TESTMODE] = { .name = "testmode", }
69#endif
70};
71
72/* returns ERR_PTR values */
73static struct wireless_dev *
74__cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
75{
76	struct cfg80211_registered_device *rdev;
77	struct wireless_dev *result = NULL;
78	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
79	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
80	u64 wdev_id;
81	int wiphy_idx = -1;
82	int ifidx = -1;
83
84	ASSERT_RTNL();
85
86	if (!have_ifidx && !have_wdev_id)
87		return ERR_PTR(-EINVAL);
88
89	if (have_ifidx)
90		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
91	if (have_wdev_id) {
92		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
93		wiphy_idx = wdev_id >> 32;
94	}
95
96	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
97		struct wireless_dev *wdev;
98
99		if (wiphy_net(&rdev->wiphy) != netns)
100			continue;
101
102		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
103			continue;
104
105		list_for_each_entry(wdev, &rdev->wdev_list, list) {
106			if (have_ifidx && wdev->netdev &&
107			    wdev->netdev->ifindex == ifidx) {
108				result = wdev;
109				break;
110			}
111			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
112				result = wdev;
113				break;
114			}
115		}
116
117		if (result)
118			break;
119	}
120
121	if (result)
122		return result;
123	return ERR_PTR(-ENODEV);
124}
125
126static struct cfg80211_registered_device *
127__cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
128{
129	struct cfg80211_registered_device *rdev = NULL, *tmp;
130	struct net_device *netdev;
131
132	ASSERT_RTNL();
133
134	if (!attrs[NL80211_ATTR_WIPHY] &&
135	    !attrs[NL80211_ATTR_IFINDEX] &&
136	    !attrs[NL80211_ATTR_WDEV])
137		return ERR_PTR(-EINVAL);
138
139	if (attrs[NL80211_ATTR_WIPHY])
140		rdev = cfg80211_rdev_by_wiphy_idx(
141				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
142
143	if (attrs[NL80211_ATTR_WDEV]) {
144		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
145		struct wireless_dev *wdev;
146		bool found = false;
147
148		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
149		if (tmp) {
150			/* make sure wdev exists */
151			list_for_each_entry(wdev, &tmp->wdev_list, list) {
152				if (wdev->identifier != (u32)wdev_id)
153					continue;
154				found = true;
155				break;
156			}
157
158			if (!found)
159				tmp = NULL;
160
161			if (rdev && tmp != rdev)
162				return ERR_PTR(-EINVAL);
163			rdev = tmp;
164		}
165	}
166
167	if (attrs[NL80211_ATTR_IFINDEX]) {
168		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
169		netdev = __dev_get_by_index(netns, ifindex);
170		if (netdev) {
171			if (netdev->ieee80211_ptr)
172				tmp = wiphy_to_rdev(
173					netdev->ieee80211_ptr->wiphy);
174			else
175				tmp = NULL;
176
177			/* not wireless device -- return error */
178			if (!tmp)
179				return ERR_PTR(-EINVAL);
180
181			/* mismatch -- return error */
182			if (rdev && tmp != rdev)
183				return ERR_PTR(-EINVAL);
184
185			rdev = tmp;
186		}
187	}
188
189	if (!rdev)
190		return ERR_PTR(-ENODEV);
191
192	if (netns != wiphy_net(&rdev->wiphy))
193		return ERR_PTR(-ENODEV);
194
195	return rdev;
196}
197
198/*
199 * This function returns a pointer to the driver
200 * that the genl_info item that is passed refers to.
201 *
202 * The result of this can be a PTR_ERR and hence must
203 * be checked with IS_ERR() for errors.
204 */
205static struct cfg80211_registered_device *
206cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
207{
208	return __cfg80211_rdev_from_attrs(netns, info->attrs);
209}
210
211/* policy for the attributes */
212static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
213	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
214	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
215				      .len = 20-1 },
216	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
217
218	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
219	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
220	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
221	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
222	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
223
224	[NL80211_ATTR_WIPHY_RETRY_SHORT] = { .type = NLA_U8 },
225	[NL80211_ATTR_WIPHY_RETRY_LONG] = { .type = NLA_U8 },
226	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
227	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
228	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
229	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
230
231	[NL80211_ATTR_IFTYPE] = { .type = NLA_U32 },
232	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
233	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
234
235	[NL80211_ATTR_MAC] = { .len = ETH_ALEN },
236	[NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },
237
238	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
239	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
240				    .len = WLAN_MAX_KEY_LEN },
241	[NL80211_ATTR_KEY_IDX] = { .type = NLA_U8 },
242	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
243	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
244	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
245	[NL80211_ATTR_KEY_TYPE] = { .type = NLA_U32 },
246
247	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
248	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
249	[NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
250				       .len = IEEE80211_MAX_DATA_LEN },
251	[NL80211_ATTR_BEACON_TAIL] = { .type = NLA_BINARY,
252				       .len = IEEE80211_MAX_DATA_LEN },
253	[NL80211_ATTR_STA_AID] = { .type = NLA_U16 },
254	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
255	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
256	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
257					       .len = NL80211_MAX_SUPP_RATES },
258	[NL80211_ATTR_STA_PLINK_ACTION] = { .type = NLA_U8 },
259	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
260	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
261	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
262				   .len = IEEE80211_MAX_MESH_ID_LEN },
263	[NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
264
265	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
266	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
267
268	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
269	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
270	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
271	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
272					   .len = NL80211_MAX_SUPP_RATES },
273	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
274
275	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
276	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
277
278	[NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
279
280	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
281	[NL80211_ATTR_IE] = { .type = NLA_BINARY,
282			      .len = IEEE80211_MAX_DATA_LEN },
283	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
284	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
285
286	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
287				.len = IEEE80211_MAX_SSID_LEN },
288	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
289	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
290	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
291	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
292	[NL80211_ATTR_USE_MFP] = { .type = NLA_U32 },
293	[NL80211_ATTR_STA_FLAGS2] = {
294		.len = sizeof(struct nl80211_sta_flag_update),
295	},
296	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
297	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
298	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
299	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
300	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
301	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
302	[NL80211_ATTR_PID] = { .type = NLA_U32 },
303	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
304	[NL80211_ATTR_PMKID] = { .type = NLA_BINARY,
305				 .len = WLAN_PMKID_LEN },
306	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
307	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
308	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
309	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
310				 .len = IEEE80211_MAX_DATA_LEN },
311	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
312	[NL80211_ATTR_PS_STATE] = { .type = NLA_U32 },
313	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
314	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
315	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
316	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
317	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
318	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
319	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
320	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
321	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
322	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
323	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
324	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
325	[NL80211_ATTR_STA_PLINK_STATE] = { .type = NLA_U8 },
326	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
327	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
328	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
329	[NL80211_ATTR_HIDDEN_SSID] = { .type = NLA_U32 },
330	[NL80211_ATTR_IE_PROBE_RESP] = { .type = NLA_BINARY,
331					 .len = IEEE80211_MAX_DATA_LEN },
332	[NL80211_ATTR_IE_ASSOC_RESP] = { .type = NLA_BINARY,
333					 .len = IEEE80211_MAX_DATA_LEN },
334	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
335	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
336	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
337	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
338	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
339	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
340	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
341	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
342	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
343	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
344	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
345				      .len = IEEE80211_MAX_DATA_LEN },
346	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
347	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
348	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
349		.len = NL80211_HT_CAPABILITY_LEN
350	},
351	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
352	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
353	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
354	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
355	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
356	[NL80211_ATTR_SAE_DATA] = { .type = NLA_BINARY, },
357	[NL80211_ATTR_VHT_CAPABILITY] = { .len = NL80211_VHT_CAPABILITY_LEN },
358	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
359	[NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
360	[NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
361	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
362	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
363	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
364	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
365	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
366	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
367	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
368		.len = NL80211_VHT_CAPABILITY_LEN,
369	},
370	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
371	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
372				  .len = IEEE80211_MAX_DATA_LEN },
373	[NL80211_ATTR_PEER_AID] = { .type = NLA_U16 },
374	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
375	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
376	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
377	[NL80211_ATTR_CSA_C_OFF_BEACON] = { .type = NLA_BINARY },
378	[NL80211_ATTR_CSA_C_OFF_PRESP] = { .type = NLA_BINARY },
379	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = { .type = NLA_BINARY },
380	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] = { .type = NLA_BINARY },
381	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
382	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
383	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
384	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
385	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
386	[NL80211_ATTR_QOS_MAP] = { .type = NLA_BINARY,
387				   .len = IEEE80211_QOS_MAP_LEN_MAX },
388	[NL80211_ATTR_MAC_HINT] = { .len = ETH_ALEN },
389	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
390	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
391	[NL80211_ATTR_IFACE_SOCKET_OWNER] = { .type = NLA_FLAG },
392	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
393	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
394	[NL80211_ATTR_TSID] = { .type = NLA_U8 },
395	[NL80211_ATTR_USER_PRIO] = { .type = NLA_U8 },
396	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
397	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
398};
399
400/* policy for the key attributes */
401static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
402	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
403	[NL80211_KEY_IDX] = { .type = NLA_U8 },
404	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
405	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
406	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
407	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
408	[NL80211_KEY_TYPE] = { .type = NLA_U32 },
409	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
410};
411
412/* policy for the key default flags */
413static const struct nla_policy
414nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
415	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
416	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
417};
418
419/* policy for WoWLAN attributes */
420static const struct nla_policy
421nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
422	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
423	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
424	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
425	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
426	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
427	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
428	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
429	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
430	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
431};
432
433static const struct nla_policy
434nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
435	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
436	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
437	[NL80211_WOWLAN_TCP_DST_MAC] = { .len = ETH_ALEN },
438	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
439	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
440	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = { .len = 1 },
441	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
442		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
443	},
444	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
445		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
446	},
447	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
448	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = { .len = 1 },
449	[NL80211_WOWLAN_TCP_WAKE_MASK] = { .len = 1 },
450};
451
452/* policy for coalesce rule attributes */
453static const struct nla_policy
454nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
455	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
456	[NL80211_ATTR_COALESCE_RULE_CONDITION] = { .type = NLA_U32 },
457	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
458};
459
460/* policy for GTK rekey offload attributes */
461static const struct nla_policy
462nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
463	[NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
464	[NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
465	[NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
466};
467
468static const struct nla_policy
469nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
470	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
471						 .len = IEEE80211_MAX_SSID_LEN },
472	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
473};
474
475static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
476				     struct netlink_callback *cb,
477				     struct cfg80211_registered_device **rdev,
478				     struct wireless_dev **wdev)
479{
480	int err;
481
482	rtnl_lock();
483
484	if (!cb->args[0]) {
485		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
486				  nl80211_fam.attrbuf, nl80211_fam.maxattr,
487				  nl80211_policy);
488		if (err)
489			goto out_unlock;
490
491		*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk),
492						   nl80211_fam.attrbuf);
493		if (IS_ERR(*wdev)) {
494			err = PTR_ERR(*wdev);
495			goto out_unlock;
496		}
497		*rdev = wiphy_to_rdev((*wdev)->wiphy);
498		/* 0 is the first index - add 1 to parse only once */
499		cb->args[0] = (*rdev)->wiphy_idx + 1;
500		cb->args[1] = (*wdev)->identifier;
501	} else {
502		/* subtract the 1 again here */
503		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
504		struct wireless_dev *tmp;
505
506		if (!wiphy) {
507			err = -ENODEV;
508			goto out_unlock;
509		}
510		*rdev = wiphy_to_rdev(wiphy);
511		*wdev = NULL;
512
513		list_for_each_entry(tmp, &(*rdev)->wdev_list, list) {
514			if (tmp->identifier == cb->args[1]) {
515				*wdev = tmp;
516				break;
517			}
518		}
519
520		if (!*wdev) {
521			err = -ENODEV;
522			goto out_unlock;
523		}
524	}
525
526	return 0;
527 out_unlock:
528	rtnl_unlock();
529	return err;
530}
531
532static void nl80211_finish_wdev_dump(struct cfg80211_registered_device *rdev)
533{
534	rtnl_unlock();
535}
536
537/* IE validation */
538static bool is_valid_ie_attr(const struct nlattr *attr)
539{
540	const u8 *pos;
541	int len;
542
543	if (!attr)
544		return true;
545
546	pos = nla_data(attr);
547	len = nla_len(attr);
548
549	while (len) {
550		u8 elemlen;
551
552		if (len < 2)
553			return false;
554		len -= 2;
555
556		elemlen = pos[1];
557		if (elemlen > len)
558			return false;
559
560		len -= elemlen;
561		pos += 2 + elemlen;
562	}
563
564	return true;
565}
566
567/* message building helper */
568static inline void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
569				   int flags, u8 cmd)
570{
571	/* since there is no private header just add the generic one */
572	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
573}
574
575static int nl80211_msg_put_channel(struct sk_buff *msg,
576				   struct ieee80211_channel *chan,
577				   bool large)
578{
579	/* Some channels must be completely excluded from the
580	 * list to protect old user-space tools from breaking
581	 */
582	if (!large && chan->flags &
583	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
584		return 0;
585
586	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
587			chan->center_freq))
588		goto nla_put_failure;
589
590	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
591	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
592		goto nla_put_failure;
593	if (chan->flags & IEEE80211_CHAN_NO_IR) {
594		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
595			goto nla_put_failure;
596		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
597			goto nla_put_failure;
598	}
599	if (chan->flags & IEEE80211_CHAN_RADAR) {
600		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
601			goto nla_put_failure;
602		if (large) {
603			u32 time;
604
605			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
606
607			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
608					chan->dfs_state))
609				goto nla_put_failure;
610			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
611					time))
612				goto nla_put_failure;
613			if (nla_put_u32(msg,
614					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
615					chan->dfs_cac_ms))
616				goto nla_put_failure;
617		}
618	}
619
620	if (large) {
621		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
622		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
623			goto nla_put_failure;
624		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
625		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
626			goto nla_put_failure;
627		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
628		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
629			goto nla_put_failure;
630		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
631		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
632			goto nla_put_failure;
633		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
634		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
635			goto nla_put_failure;
636		if ((chan->flags & IEEE80211_CHAN_GO_CONCURRENT) &&
637		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_GO_CONCURRENT))
638			goto nla_put_failure;
639		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
640		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
641			goto nla_put_failure;
642		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
643		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
644			goto nla_put_failure;
645	}
646
647	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
648			DBM_TO_MBM(chan->max_power)))
649		goto nla_put_failure;
650
651	return 0;
652
653 nla_put_failure:
654	return -ENOBUFS;
655}
656
657/* netlink command implementations */
658
659struct key_parse {
660	struct key_params p;
661	int idx;
662	int type;
663	bool def, defmgmt;
664	bool def_uni, def_multi;
665};
666
667static int nl80211_parse_key_new(struct nlattr *key, struct key_parse *k)
668{
669	struct nlattr *tb[NL80211_KEY_MAX + 1];
670	int err = nla_parse_nested(tb, NL80211_KEY_MAX, key,
671				   nl80211_key_policy);
672	if (err)
673		return err;
674
675	k->def = !!tb[NL80211_KEY_DEFAULT];
676	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
677
678	if (k->def) {
679		k->def_uni = true;
680		k->def_multi = true;
681	}
682	if (k->defmgmt)
683		k->def_multi = true;
684
685	if (tb[NL80211_KEY_IDX])
686		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
687
688	if (tb[NL80211_KEY_DATA]) {
689		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
690		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
691	}
692
693	if (tb[NL80211_KEY_SEQ]) {
694		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
695		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
696	}
697
698	if (tb[NL80211_KEY_CIPHER])
699		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
700
701	if (tb[NL80211_KEY_TYPE]) {
702		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
703		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
704			return -EINVAL;
705	}
706
707	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
708		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
709		err = nla_parse_nested(kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
710				       tb[NL80211_KEY_DEFAULT_TYPES],
711				       nl80211_key_default_policy);
712		if (err)
713			return err;
714
715		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
716		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
717	}
718
719	return 0;
720}
721
722static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
723{
724	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
725		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
726		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
727	}
728
729	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
730		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
731		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
732	}
733
734	if (info->attrs[NL80211_ATTR_KEY_IDX])
735		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
736
737	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
738		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
739
740	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
741	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
742
743	if (k->def) {
744		k->def_uni = true;
745		k->def_multi = true;
746	}
747	if (k->defmgmt)
748		k->def_multi = true;
749
750	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
751		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
752		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
753			return -EINVAL;
754	}
755
756	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
757		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
758		int err = nla_parse_nested(
759				kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
760				info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
761				nl80211_key_default_policy);
762		if (err)
763			return err;
764
765		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
766		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
767	}
768
769	return 0;
770}
771
772static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
773{
774	int err;
775
776	memset(k, 0, sizeof(*k));
777	k->idx = -1;
778	k->type = -1;
779
780	if (info->attrs[NL80211_ATTR_KEY])
781		err = nl80211_parse_key_new(info->attrs[NL80211_ATTR_KEY], k);
782	else
783		err = nl80211_parse_key_old(info, k);
784
785	if (err)
786		return err;
787
788	if (k->def && k->defmgmt)
789		return -EINVAL;
790
791	if (k->defmgmt) {
792		if (k->def_uni || !k->def_multi)
793			return -EINVAL;
794	}
795
796	if (k->idx != -1) {
797		if (k->defmgmt) {
798			if (k->idx < 4 || k->idx > 5)
799				return -EINVAL;
800		} else if (k->def) {
801			if (k->idx < 0 || k->idx > 3)
802				return -EINVAL;
803		} else {
804			if (k->idx < 0 || k->idx > 5)
805				return -EINVAL;
806		}
807	}
808
809	return 0;
810}
811
812static struct cfg80211_cached_keys *
813nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
814		       struct nlattr *keys, bool *no_ht)
815{
816	struct key_parse parse;
817	struct nlattr *key;
818	struct cfg80211_cached_keys *result;
819	int rem, err, def = 0;
820
821	result = kzalloc(sizeof(*result), GFP_KERNEL);
822	if (!result)
823		return ERR_PTR(-ENOMEM);
824
825	result->def = -1;
826	result->defmgmt = -1;
827
828	nla_for_each_nested(key, keys, rem) {
829		memset(&parse, 0, sizeof(parse));
830		parse.idx = -1;
831
832		err = nl80211_parse_key_new(key, &parse);
833		if (err)
834			goto error;
835		err = -EINVAL;
836		if (!parse.p.key)
837			goto error;
838		if (parse.idx < 0 || parse.idx > 4)
839			goto error;
840		if (parse.def) {
841			if (def)
842				goto error;
843			def = 1;
844			result->def = parse.idx;
845			if (!parse.def_uni || !parse.def_multi)
846				goto error;
847		} else if (parse.defmgmt)
848			goto error;
849		err = cfg80211_validate_key_settings(rdev, &parse.p,
850						     parse.idx, false, NULL);
851		if (err)
852			goto error;
853		result->params[parse.idx].cipher = parse.p.cipher;
854		result->params[parse.idx].key_len = parse.p.key_len;
855		result->params[parse.idx].key = result->data[parse.idx];
856		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
857
858		if (parse.p.cipher == WLAN_CIPHER_SUITE_WEP40 ||
859		    parse.p.cipher == WLAN_CIPHER_SUITE_WEP104) {
860			if (no_ht)
861				*no_ht = true;
862		}
863	}
864
865	return result;
866 error:
867	kfree(result);
868	return ERR_PTR(err);
869}
870
871static int nl80211_key_allowed(struct wireless_dev *wdev)
872{
873	ASSERT_WDEV_LOCK(wdev);
874
875	switch (wdev->iftype) {
876	case NL80211_IFTYPE_AP:
877	case NL80211_IFTYPE_AP_VLAN:
878	case NL80211_IFTYPE_P2P_GO:
879	case NL80211_IFTYPE_MESH_POINT:
880		break;
881	case NL80211_IFTYPE_ADHOC:
882	case NL80211_IFTYPE_STATION:
883	case NL80211_IFTYPE_P2P_CLIENT:
884		if (!wdev->current_bss)
885			return -ENOLINK;
886		break;
887	default:
888		return -EINVAL;
889	}
890
891	return 0;
892}
893
894static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
895							struct nlattr *tb)
896{
897	struct ieee80211_channel *chan;
898
899	if (tb == NULL)
900		return NULL;
901	chan = ieee80211_get_channel(wiphy, nla_get_u32(tb));
902	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
903		return NULL;
904	return chan;
905}
906
907static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
908{
909	struct nlattr *nl_modes = nla_nest_start(msg, attr);
910	int i;
911
912	if (!nl_modes)
913		goto nla_put_failure;
914
915	i = 0;
916	while (ifmodes) {
917		if ((ifmodes & 1) && nla_put_flag(msg, i))
918			goto nla_put_failure;
919		ifmodes >>= 1;
920		i++;
921	}
922
923	nla_nest_end(msg, nl_modes);
924	return 0;
925
926nla_put_failure:
927	return -ENOBUFS;
928}
929
930static int nl80211_put_iface_combinations(struct wiphy *wiphy,
931					  struct sk_buff *msg,
932					  bool large)
933{
934	struct nlattr *nl_combis;
935	int i, j;
936
937	nl_combis = nla_nest_start(msg,
938				NL80211_ATTR_INTERFACE_COMBINATIONS);
939	if (!nl_combis)
940		goto nla_put_failure;
941
942	for (i = 0; i < wiphy->n_iface_combinations; i++) {
943		const struct ieee80211_iface_combination *c;
944		struct nlattr *nl_combi, *nl_limits;
945
946		c = &wiphy->iface_combinations[i];
947
948		nl_combi = nla_nest_start(msg, i + 1);
949		if (!nl_combi)
950			goto nla_put_failure;
951
952		nl_limits = nla_nest_start(msg, NL80211_IFACE_COMB_LIMITS);
953		if (!nl_limits)
954			goto nla_put_failure;
955
956		for (j = 0; j < c->n_limits; j++) {
957			struct nlattr *nl_limit;
958
959			nl_limit = nla_nest_start(msg, j + 1);
960			if (!nl_limit)
961				goto nla_put_failure;
962			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
963					c->limits[j].max))
964				goto nla_put_failure;
965			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
966						c->limits[j].types))
967				goto nla_put_failure;
968			nla_nest_end(msg, nl_limit);
969		}
970
971		nla_nest_end(msg, nl_limits);
972
973		if (c->beacon_int_infra_match &&
974		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
975			goto nla_put_failure;
976		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
977				c->num_different_channels) ||
978		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
979				c->max_interfaces))
980			goto nla_put_failure;
981		if (large &&
982		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
983				c->radar_detect_widths) ||
984		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
985				c->radar_detect_regions)))
986			goto nla_put_failure;
987
988		nla_nest_end(msg, nl_combi);
989	}
990
991	nla_nest_end(msg, nl_combis);
992
993	return 0;
994nla_put_failure:
995	return -ENOBUFS;
996}
997
998#ifdef CONFIG_PM
999static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1000					struct sk_buff *msg)
1001{
1002	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1003	struct nlattr *nl_tcp;
1004
1005	if (!tcp)
1006		return 0;
1007
1008	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1009	if (!nl_tcp)
1010		return -ENOBUFS;
1011
1012	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1013			tcp->data_payload_max))
1014		return -ENOBUFS;
1015
1016	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1017			tcp->data_payload_max))
1018		return -ENOBUFS;
1019
1020	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1021		return -ENOBUFS;
1022
1023	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1024				sizeof(*tcp->tok), tcp->tok))
1025		return -ENOBUFS;
1026
1027	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1028			tcp->data_interval_max))
1029		return -ENOBUFS;
1030
1031	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1032			tcp->wake_payload_max))
1033		return -ENOBUFS;
1034
1035	nla_nest_end(msg, nl_tcp);
1036	return 0;
1037}
1038
1039static int nl80211_send_wowlan(struct sk_buff *msg,
1040			       struct cfg80211_registered_device *rdev,
1041			       bool large)
1042{
1043	struct nlattr *nl_wowlan;
1044
1045	if (!rdev->wiphy.wowlan)
1046		return 0;
1047
1048	nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1049	if (!nl_wowlan)
1050		return -ENOBUFS;
1051
1052	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1053	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1054	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1055	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1056	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1057	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1058	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1059	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1060	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1061	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1062	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1063	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1064	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1065	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1066	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1067	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1068		return -ENOBUFS;
1069
1070	if (rdev->wiphy.wowlan->n_patterns) {
1071		struct nl80211_pattern_support pat = {
1072			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1073			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1074			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1075			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1076		};
1077
1078		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1079			    sizeof(pat), &pat))
1080			return -ENOBUFS;
1081	}
1082
1083	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1084		return -ENOBUFS;
1085
1086	nla_nest_end(msg, nl_wowlan);
1087
1088	return 0;
1089}
1090#endif
1091
1092static int nl80211_send_coalesce(struct sk_buff *msg,
1093				 struct cfg80211_registered_device *rdev)
1094{
1095	struct nl80211_coalesce_rule_support rule;
1096
1097	if (!rdev->wiphy.coalesce)
1098		return 0;
1099
1100	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1101	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1102	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1103	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1104	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1105	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1106
1107	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1108		return -ENOBUFS;
1109
1110	return 0;
1111}
1112
1113static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1114				      struct ieee80211_supported_band *sband)
1115{
1116	struct nlattr *nl_rates, *nl_rate;
1117	struct ieee80211_rate *rate;
1118	int i;
1119
1120	/* add HT info */
1121	if (sband->ht_cap.ht_supported &&
1122	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1123		     sizeof(sband->ht_cap.mcs),
1124		     &sband->ht_cap.mcs) ||
1125	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1126			 sband->ht_cap.cap) ||
1127	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1128			sband->ht_cap.ampdu_factor) ||
1129	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1130			sband->ht_cap.ampdu_density)))
1131		return -ENOBUFS;
1132
1133	/* add VHT info */
1134	if (sband->vht_cap.vht_supported &&
1135	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1136		     sizeof(sband->vht_cap.vht_mcs),
1137		     &sband->vht_cap.vht_mcs) ||
1138	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1139			 sband->vht_cap.cap)))
1140		return -ENOBUFS;
1141
1142	/* add bitrates */
1143	nl_rates = nla_nest_start(msg, NL80211_BAND_ATTR_RATES);
1144	if (!nl_rates)
1145		return -ENOBUFS;
1146
1147	for (i = 0; i < sband->n_bitrates; i++) {
1148		nl_rate = nla_nest_start(msg, i);
1149		if (!nl_rate)
1150			return -ENOBUFS;
1151
1152		rate = &sband->bitrates[i];
1153		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1154				rate->bitrate))
1155			return -ENOBUFS;
1156		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1157		    nla_put_flag(msg,
1158				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1159			return -ENOBUFS;
1160
1161		nla_nest_end(msg, nl_rate);
1162	}
1163
1164	nla_nest_end(msg, nl_rates);
1165
1166	return 0;
1167}
1168
1169static int
1170nl80211_send_mgmt_stypes(struct sk_buff *msg,
1171			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1172{
1173	u16 stypes;
1174	struct nlattr *nl_ftypes, *nl_ifs;
1175	enum nl80211_iftype ift;
1176	int i;
1177
1178	if (!mgmt_stypes)
1179		return 0;
1180
1181	nl_ifs = nla_nest_start(msg, NL80211_ATTR_TX_FRAME_TYPES);
1182	if (!nl_ifs)
1183		return -ENOBUFS;
1184
1185	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1186		nl_ftypes = nla_nest_start(msg, ift);
1187		if (!nl_ftypes)
1188			return -ENOBUFS;
1189		i = 0;
1190		stypes = mgmt_stypes[ift].tx;
1191		while (stypes) {
1192			if ((stypes & 1) &&
1193			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1194					(i << 4) | IEEE80211_FTYPE_MGMT))
1195				return -ENOBUFS;
1196			stypes >>= 1;
1197			i++;
1198		}
1199		nla_nest_end(msg, nl_ftypes);
1200	}
1201
1202	nla_nest_end(msg, nl_ifs);
1203
1204	nl_ifs = nla_nest_start(msg, NL80211_ATTR_RX_FRAME_TYPES);
1205	if (!nl_ifs)
1206		return -ENOBUFS;
1207
1208	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1209		nl_ftypes = nla_nest_start(msg, ift);
1210		if (!nl_ftypes)
1211			return -ENOBUFS;
1212		i = 0;
1213		stypes = mgmt_stypes[ift].rx;
1214		while (stypes) {
1215			if ((stypes & 1) &&
1216			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1217					(i << 4) | IEEE80211_FTYPE_MGMT))
1218				return -ENOBUFS;
1219			stypes >>= 1;
1220			i++;
1221		}
1222		nla_nest_end(msg, nl_ftypes);
1223	}
1224	nla_nest_end(msg, nl_ifs);
1225
1226	return 0;
1227}
1228
1229struct nl80211_dump_wiphy_state {
1230	s64 filter_wiphy;
1231	long start;
1232	long split_start, band_start, chan_start;
1233	bool split;
1234};
1235
1236static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
1237			      enum nl80211_commands cmd,
1238			      struct sk_buff *msg, u32 portid, u32 seq,
1239			      int flags, struct nl80211_dump_wiphy_state *state)
1240{
1241	void *hdr;
1242	struct nlattr *nl_bands, *nl_band;
1243	struct nlattr *nl_freqs, *nl_freq;
1244	struct nlattr *nl_cmds;
1245	enum ieee80211_band band;
1246	struct ieee80211_channel *chan;
1247	int i;
1248	const struct ieee80211_txrx_stypes *mgmt_stypes =
1249				rdev->wiphy.mgmt_stypes;
1250	u32 features;
1251
1252	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
1253	if (!hdr)
1254		return -ENOBUFS;
1255
1256	if (WARN_ON(!state))
1257		return -EINVAL;
1258
1259	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
1260	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
1261			   wiphy_name(&rdev->wiphy)) ||
1262	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
1263			cfg80211_rdev_list_generation))
1264		goto nla_put_failure;
1265
1266	if (cmd != NL80211_CMD_NEW_WIPHY)
1267		goto finish;
1268
1269	switch (state->split_start) {
1270	case 0:
1271		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
1272			       rdev->wiphy.retry_short) ||
1273		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
1274			       rdev->wiphy.retry_long) ||
1275		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
1276				rdev->wiphy.frag_threshold) ||
1277		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
1278				rdev->wiphy.rts_threshold) ||
1279		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
1280			       rdev->wiphy.coverage_class) ||
1281		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
1282			       rdev->wiphy.max_scan_ssids) ||
1283		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
1284			       rdev->wiphy.max_sched_scan_ssids) ||
1285		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
1286				rdev->wiphy.max_scan_ie_len) ||
1287		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
1288				rdev->wiphy.max_sched_scan_ie_len) ||
1289		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
1290			       rdev->wiphy.max_match_sets))
1291			goto nla_put_failure;
1292
1293		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
1294		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
1295			goto nla_put_failure;
1296		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
1297		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
1298			goto nla_put_failure;
1299		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
1300		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
1301			goto nla_put_failure;
1302		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
1303		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
1304			goto nla_put_failure;
1305		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
1306		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
1307			goto nla_put_failure;
1308		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
1309		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
1310			goto nla_put_failure;
1311		state->split_start++;
1312		if (state->split)
1313			break;
1314	case 1:
1315		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
1316			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
1317			    rdev->wiphy.cipher_suites))
1318			goto nla_put_failure;
1319
1320		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
1321			       rdev->wiphy.max_num_pmkids))
1322			goto nla_put_failure;
1323
1324		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
1325		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
1326			goto nla_put_failure;
1327
1328		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
1329				rdev->wiphy.available_antennas_tx) ||
1330		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
1331				rdev->wiphy.available_antennas_rx))
1332			goto nla_put_failure;
1333
1334		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
1335		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
1336				rdev->wiphy.probe_resp_offload))
1337			goto nla_put_failure;
1338
1339		if ((rdev->wiphy.available_antennas_tx ||
1340		     rdev->wiphy.available_antennas_rx) &&
1341		    rdev->ops->get_antenna) {
1342			u32 tx_ant = 0, rx_ant = 0;
1343			int res;
1344			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
1345			if (!res) {
1346				if (nla_put_u32(msg,
1347						NL80211_ATTR_WIPHY_ANTENNA_TX,
1348						tx_ant) ||
1349				    nla_put_u32(msg,
1350						NL80211_ATTR_WIPHY_ANTENNA_RX,
1351						rx_ant))
1352					goto nla_put_failure;
1353			}
1354		}
1355
1356		state->split_start++;
1357		if (state->split)
1358			break;
1359	case 2:
1360		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
1361					rdev->wiphy.interface_modes))
1362				goto nla_put_failure;
1363		state->split_start++;
1364		if (state->split)
1365			break;
1366	case 3:
1367		nl_bands = nla_nest_start(msg, NL80211_ATTR_WIPHY_BANDS);
1368		if (!nl_bands)
1369			goto nla_put_failure;
1370
1371		for (band = state->band_start;
1372		     band < IEEE80211_NUM_BANDS; band++) {
1373			struct ieee80211_supported_band *sband;
1374
1375			sband = rdev->wiphy.bands[band];
1376
1377			if (!sband)
1378				continue;
1379
1380			nl_band = nla_nest_start(msg, band);
1381			if (!nl_band)
1382				goto nla_put_failure;
1383
1384			switch (state->chan_start) {
1385			case 0:
1386				if (nl80211_send_band_rateinfo(msg, sband))
1387					goto nla_put_failure;
1388				state->chan_start++;
1389				if (state->split)
1390					break;
1391			default:
1392				/* add frequencies */
1393				nl_freqs = nla_nest_start(
1394					msg, NL80211_BAND_ATTR_FREQS);
1395				if (!nl_freqs)
1396					goto nla_put_failure;
1397
1398				for (i = state->chan_start - 1;
1399				     i < sband->n_channels;
1400				     i++) {
1401					nl_freq = nla_nest_start(msg, i);
1402					if (!nl_freq)
1403						goto nla_put_failure;
1404
1405					chan = &sband->channels[i];
1406
1407					if (nl80211_msg_put_channel(
1408							msg, chan,
1409							state->split))
1410						goto nla_put_failure;
1411
1412					nla_nest_end(msg, nl_freq);
1413					if (state->split)
1414						break;
1415				}
1416				if (i < sband->n_channels)
1417					state->chan_start = i + 2;
1418				else
1419					state->chan_start = 0;
1420				nla_nest_end(msg, nl_freqs);
1421			}
1422
1423			nla_nest_end(msg, nl_band);
1424
1425			if (state->split) {
1426				/* start again here */
1427				if (state->chan_start)
1428					band--;
1429				break;
1430			}
1431		}
1432		nla_nest_end(msg, nl_bands);
1433
1434		if (band < IEEE80211_NUM_BANDS)
1435			state->band_start = band + 1;
1436		else
1437			state->band_start = 0;
1438
1439		/* if bands & channels are done, continue outside */
1440		if (state->band_start == 0 && state->chan_start == 0)
1441			state->split_start++;
1442		if (state->split)
1443			break;
1444	case 4:
1445		nl_cmds = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_COMMANDS);
1446		if (!nl_cmds)
1447			goto nla_put_failure;
1448
1449		i = 0;
1450#define CMD(op, n)							\
1451		 do {							\
1452			if (rdev->ops->op) {				\
1453				i++;					\
1454				if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) \
1455					goto nla_put_failure;		\
1456			}						\
1457		} while (0)
1458
1459		CMD(add_virtual_intf, NEW_INTERFACE);
1460		CMD(change_virtual_intf, SET_INTERFACE);
1461		CMD(add_key, NEW_KEY);
1462		CMD(start_ap, START_AP);
1463		CMD(add_station, NEW_STATION);
1464		CMD(add_mpath, NEW_MPATH);
1465		CMD(update_mesh_config, SET_MESH_CONFIG);
1466		CMD(change_bss, SET_BSS);
1467		CMD(auth, AUTHENTICATE);
1468		CMD(assoc, ASSOCIATE);
1469		CMD(deauth, DEAUTHENTICATE);
1470		CMD(disassoc, DISASSOCIATE);
1471		CMD(join_ibss, JOIN_IBSS);
1472		CMD(join_mesh, JOIN_MESH);
1473		CMD(set_pmksa, SET_PMKSA);
1474		CMD(del_pmksa, DEL_PMKSA);
1475		CMD(flush_pmksa, FLUSH_PMKSA);
1476		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1477			CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1478		CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1479		CMD(mgmt_tx, FRAME);
1480		CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1481		if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1482			i++;
1483			if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1484				goto nla_put_failure;
1485		}
1486		if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1487		    rdev->ops->join_mesh) {
1488			i++;
1489			if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1490				goto nla_put_failure;
1491		}
1492		CMD(set_wds_peer, SET_WDS_PEER);
1493		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1494			CMD(tdls_mgmt, TDLS_MGMT);
1495			CMD(tdls_oper, TDLS_OPER);
1496		}
1497		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
1498			CMD(sched_scan_start, START_SCHED_SCAN);
1499		CMD(probe_client, PROBE_CLIENT);
1500		CMD(set_noack_map, SET_NOACK_MAP);
1501		if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1502			i++;
1503			if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1504				goto nla_put_failure;
1505		}
1506		CMD(start_p2p_device, START_P2P_DEVICE);
1507		CMD(set_mcast_rate, SET_MCAST_RATE);
1508#ifdef CONFIG_NL80211_TESTMODE
1509		CMD(testmode_cmd, TESTMODE);
1510#endif
1511		if (state->split) {
1512			CMD(crit_proto_start, CRIT_PROTOCOL_START);
1513			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
1514			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
1515				CMD(channel_switch, CHANNEL_SWITCH);
1516			CMD(set_qos_map, SET_QOS_MAP);
1517			if (rdev->wiphy.flags &
1518					WIPHY_FLAG_SUPPORTS_WMM_ADMISSION)
1519				CMD(add_tx_ts, ADD_TX_TS);
1520		}
1521		/* add into the if now */
1522#undef CMD
1523
1524		if (rdev->ops->connect || rdev->ops->auth) {
1525			i++;
1526			if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1527				goto nla_put_failure;
1528		}
1529
1530		if (rdev->ops->disconnect || rdev->ops->deauth) {
1531			i++;
1532			if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1533				goto nla_put_failure;
1534		}
1535
1536		nla_nest_end(msg, nl_cmds);
1537		state->split_start++;
1538		if (state->split)
1539			break;
1540	case 5:
1541		if (rdev->ops->remain_on_channel &&
1542		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
1543		    nla_put_u32(msg,
1544				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
1545				rdev->wiphy.max_remain_on_channel_duration))
1546			goto nla_put_failure;
1547
1548		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
1549		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
1550			goto nla_put_failure;
1551
1552		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
1553			goto nla_put_failure;
1554		state->split_start++;
1555		if (state->split)
1556			break;
1557	case 6:
1558#ifdef CONFIG_PM
1559		if (nl80211_send_wowlan(msg, rdev, state->split))
1560			goto nla_put_failure;
1561		state->split_start++;
1562		if (state->split)
1563			break;
1564#else
1565		state->split_start++;
1566#endif
1567	case 7:
1568		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
1569					rdev->wiphy.software_iftypes))
1570			goto nla_put_failure;
1571
1572		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
1573						   state->split))
1574			goto nla_put_failure;
1575
1576		state->split_start++;
1577		if (state->split)
1578			break;
1579	case 8:
1580		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
1581		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
1582				rdev->wiphy.ap_sme_capa))
1583			goto nla_put_failure;
1584
1585		features = rdev->wiphy.features;
1586		/*
1587		 * We can only add the per-channel limit information if the
1588		 * dump is split, otherwise it makes it too big. Therefore
1589		 * only advertise it in that case.
1590		 */
1591		if (state->split)
1592			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
1593		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
1594			goto nla_put_failure;
1595
1596		if (rdev->wiphy.ht_capa_mod_mask &&
1597		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
1598			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
1599			    rdev->wiphy.ht_capa_mod_mask))
1600			goto nla_put_failure;
1601
1602		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
1603		    rdev->wiphy.max_acl_mac_addrs &&
1604		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
1605				rdev->wiphy.max_acl_mac_addrs))
1606			goto nla_put_failure;
1607
1608		/*
1609		 * Any information below this point is only available to
1610		 * applications that can deal with it being split. This
1611		 * helps ensure that newly added capabilities don't break
1612		 * older tools by overrunning their buffers.
1613		 *
1614		 * We still increment split_start so that in the split
1615		 * case we'll continue with more data in the next round,
1616		 * but break unconditionally so unsplit data stops here.
1617		 */
1618		state->split_start++;
1619		break;
1620	case 9:
1621		if (rdev->wiphy.extended_capabilities &&
1622		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
1623			     rdev->wiphy.extended_capabilities_len,
1624			     rdev->wiphy.extended_capabilities) ||
1625		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
1626			     rdev->wiphy.extended_capabilities_len,
1627			     rdev->wiphy.extended_capabilities_mask)))
1628			goto nla_put_failure;
1629
1630		if (rdev->wiphy.vht_capa_mod_mask &&
1631		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
1632			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
1633			    rdev->wiphy.vht_capa_mod_mask))
1634			goto nla_put_failure;
1635
1636		state->split_start++;
1637		break;
1638	case 10:
1639		if (nl80211_send_coalesce(msg, rdev))
1640			goto nla_put_failure;
1641
1642		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
1643		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
1644		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
1645			goto nla_put_failure;
1646
1647		if (rdev->wiphy.max_ap_assoc_sta &&
1648		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
1649				rdev->wiphy.max_ap_assoc_sta))
1650			goto nla_put_failure;
1651
1652		state->split_start++;
1653		break;
1654	case 11:
1655		if (rdev->wiphy.n_vendor_commands) {
1656			const struct nl80211_vendor_cmd_info *info;
1657			struct nlattr *nested;
1658
1659			nested = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
1660			if (!nested)
1661				goto nla_put_failure;
1662
1663			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
1664				info = &rdev->wiphy.vendor_commands[i].info;
1665				if (nla_put(msg, i + 1, sizeof(*info), info))
1666					goto nla_put_failure;
1667			}
1668			nla_nest_end(msg, nested);
1669		}
1670
1671		if (rdev->wiphy.n_vendor_events) {
1672			const struct nl80211_vendor_cmd_info *info;
1673			struct nlattr *nested;
1674
1675			nested = nla_nest_start(msg,
1676						NL80211_ATTR_VENDOR_EVENTS);
1677			if (!nested)
1678				goto nla_put_failure;
1679
1680			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
1681				info = &rdev->wiphy.vendor_events[i];
1682				if (nla_put(msg, i + 1, sizeof(*info), info))
1683					goto nla_put_failure;
1684			}
1685			nla_nest_end(msg, nested);
1686		}
1687		state->split_start++;
1688		break;
1689	case 12:
1690		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
1691		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
1692			       rdev->wiphy.max_num_csa_counters))
1693			goto nla_put_failure;
1694
1695		/* done */
1696		state->split_start = 0;
1697		break;
1698	}
1699 finish:
1700	return genlmsg_end(msg, hdr);
1701
1702 nla_put_failure:
1703	genlmsg_cancel(msg, hdr);
1704	return -EMSGSIZE;
1705}
1706
1707static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
1708				    struct netlink_callback *cb,
1709				    struct nl80211_dump_wiphy_state *state)
1710{
1711	struct nlattr **tb = nl80211_fam.attrbuf;
1712	int ret = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
1713			      tb, nl80211_fam.maxattr, nl80211_policy);
1714	/* ignore parse errors for backward compatibility */
1715	if (ret)
1716		return 0;
1717
1718	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
1719	if (tb[NL80211_ATTR_WIPHY])
1720		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
1721	if (tb[NL80211_ATTR_WDEV])
1722		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
1723	if (tb[NL80211_ATTR_IFINDEX]) {
1724		struct net_device *netdev;
1725		struct cfg80211_registered_device *rdev;
1726		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
1727
1728		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
1729		if (!netdev)
1730			return -ENODEV;
1731		if (netdev->ieee80211_ptr) {
1732			rdev = wiphy_to_rdev(
1733				netdev->ieee80211_ptr->wiphy);
1734			state->filter_wiphy = rdev->wiphy_idx;
1735		}
1736	}
1737
1738	return 0;
1739}
1740
1741static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
1742{
1743	int idx = 0, ret;
1744	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
1745	struct cfg80211_registered_device *rdev;
1746
1747	rtnl_lock();
1748	if (!state) {
1749		state = kzalloc(sizeof(*state), GFP_KERNEL);
1750		if (!state) {
1751			rtnl_unlock();
1752			return -ENOMEM;
1753		}
1754		state->filter_wiphy = -1;
1755		ret = nl80211_dump_wiphy_parse(skb, cb, state);
1756		if (ret) {
1757			kfree(state);
1758			rtnl_unlock();
1759			return ret;
1760		}
1761		cb->args[0] = (long)state;
1762	}
1763
1764	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
1765		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
1766			continue;
1767		if (++idx <= state->start)
1768			continue;
1769		if (state->filter_wiphy != -1 &&
1770		    state->filter_wiphy != rdev->wiphy_idx)
1771			continue;
1772		/* attempt to fit multiple wiphy data chunks into the skb */
1773		do {
1774			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
1775						 skb,
1776						 NETLINK_CB(cb->skb).portid,
1777						 cb->nlh->nlmsg_seq,
1778						 NLM_F_MULTI, state);
1779			if (ret < 0) {
1780				/*
1781				 * If sending the wiphy data didn't fit (ENOBUFS
1782				 * or EMSGSIZE returned), this SKB is still
1783				 * empty (so it's not too big because another
1784				 * wiphy dataset is already in the skb) and
1785				 * we've not tried to adjust the dump allocation
1786				 * yet ... then adjust the alloc size to be
1787				 * bigger, and return 1 but with the empty skb.
1788				 * This results in an empty message being RX'ed
1789				 * in userspace, but that is ignored.
1790				 *
1791				 * We can then retry with the larger buffer.
1792				 */
1793				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
1794				    !skb->len && !state->split &&
1795				    cb->min_dump_alloc < 4096) {
1796					cb->min_dump_alloc = 4096;
1797					state->split_start = 0;
1798					rtnl_unlock();
1799					return 1;
1800				}
1801				idx--;
1802				break;
1803			}
1804		} while (state->split_start > 0);
1805		break;
1806	}
1807	rtnl_unlock();
1808
1809	state->start = idx;
1810
1811	return skb->len;
1812}
1813
1814static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
1815{
1816	kfree((void *)cb->args[0]);
1817	return 0;
1818}
1819
1820static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
1821{
1822	struct sk_buff *msg;
1823	struct cfg80211_registered_device *rdev = info->user_ptr[0];
1824	struct nl80211_dump_wiphy_state state = {};
1825
1826	msg = nlmsg_new(4096, GFP_KERNEL);
1827	if (!msg)
1828		return -ENOMEM;
1829
1830	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
1831			       info->snd_portid, info->snd_seq, 0,
1832			       &state) < 0) {
1833		nlmsg_free(msg);
1834		return -ENOBUFS;
1835	}
1836
1837	return genlmsg_reply(msg, info);
1838}
1839
1840static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
1841	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
1842	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
1843	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
1844	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
1845	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
1846};
1847
1848static int parse_txq_params(struct nlattr *tb[],
1849			    struct ieee80211_txq_params *txq_params)
1850{
1851	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
1852	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
1853	    !tb[NL80211_TXQ_ATTR_AIFS])
1854		return -EINVAL;
1855
1856	txq_params->ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
1857	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
1858	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
1859	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
1860	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
1861
1862	if (txq_params->ac >= NL80211_NUM_ACS)
1863		return -EINVAL;
1864
1865	return 0;
1866}
1867
1868static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
1869{
1870	/*
1871	 * You can only set the channel explicitly for WDS interfaces,
1872	 * all others have their channel managed via their respective
1873	 * "establish a connection" command (connect, join, ...)
1874	 *
1875	 * For AP/GO and mesh mode, the channel can be set with the
1876	 * channel userspace API, but is only stored and passed to the
1877	 * low-level driver when the AP starts or the mesh is joined.
1878	 * This is for backward compatibility, userspace can also give
1879	 * the channel in the start-ap or join-mesh commands instead.
1880	 *
1881	 * Monitors are special as they are normally slaved to
1882	 * whatever else is going on, so they have their own special
1883	 * operation to set the monitor channel if possible.
1884	 */
1885	return !wdev ||
1886		wdev->iftype == NL80211_IFTYPE_AP ||
1887		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
1888		wdev->iftype == NL80211_IFTYPE_MONITOR ||
1889		wdev->iftype == NL80211_IFTYPE_P2P_GO;
1890}
1891
1892static int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
1893				 struct genl_info *info,
1894				 struct cfg80211_chan_def *chandef)
1895{
1896	u32 control_freq;
1897
1898	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
1899		return -EINVAL;
1900
1901	control_freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
1902
1903	chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
1904	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
1905	chandef->center_freq1 = control_freq;
1906	chandef->center_freq2 = 0;
1907
1908	/* Primary channel not allowed */
1909	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED)
1910		return -EINVAL;
1911
1912	if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
1913		enum nl80211_channel_type chantype;
1914
1915		chantype = nla_get_u32(
1916				info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
1917
1918		switch (chantype) {
1919		case NL80211_CHAN_NO_HT:
1920		case NL80211_CHAN_HT20:
1921		case NL80211_CHAN_HT40PLUS:
1922		case NL80211_CHAN_HT40MINUS:
1923			cfg80211_chandef_create(chandef, chandef->chan,
1924						chantype);
1925			break;
1926		default:
1927			return -EINVAL;
1928		}
1929	} else if (info->attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
1930		chandef->width =
1931			nla_get_u32(info->attrs[NL80211_ATTR_CHANNEL_WIDTH]);
1932		if (info->attrs[NL80211_ATTR_CENTER_FREQ1])
1933			chandef->center_freq1 =
1934				nla_get_u32(
1935					info->attrs[NL80211_ATTR_CENTER_FREQ1]);
1936		if (info->attrs[NL80211_ATTR_CENTER_FREQ2])
1937			chandef->center_freq2 =
1938				nla_get_u32(
1939					info->attrs[NL80211_ATTR_CENTER_FREQ2]);
1940	}
1941
1942	if (!cfg80211_chandef_valid(chandef))
1943		return -EINVAL;
1944
1945	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
1946				     IEEE80211_CHAN_DISABLED))
1947		return -EINVAL;
1948
1949	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
1950	     chandef->width == NL80211_CHAN_WIDTH_10) &&
1951	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ))
1952		return -EINVAL;
1953
1954	return 0;
1955}
1956
1957static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
1958				 struct net_device *dev,
1959				 struct genl_info *info)
1960{
1961	struct cfg80211_chan_def chandef;
1962	int result;
1963	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
1964	struct wireless_dev *wdev = NULL;
1965
1966	if (dev)
1967		wdev = dev->ieee80211_ptr;
1968	if (!nl80211_can_set_dev_channel(wdev))
1969		return -EOPNOTSUPP;
1970	if (wdev)
1971		iftype = wdev->iftype;
1972
1973	result = nl80211_parse_chandef(rdev, info, &chandef);
1974	if (result)
1975		return result;
1976
1977	switch (iftype) {
1978	case NL80211_IFTYPE_AP:
1979	case NL80211_IFTYPE_P2P_GO:
1980		if (!cfg80211_reg_can_beacon(&rdev->wiphy, &chandef, iftype)) {
1981			result = -EINVAL;
1982			break;
1983		}
1984		if (wdev->beacon_interval) {
1985			if (!dev || !rdev->ops->set_ap_chanwidth ||
1986			    !(rdev->wiphy.features &
1987			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
1988				result = -EBUSY;
1989				break;
1990			}
1991
1992			/* Only allow dynamic channel width changes */
1993			if (chandef.chan != wdev->preset_chandef.chan) {
1994				result = -EBUSY;
1995				break;
1996			}
1997			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
1998			if (result)
1999				break;
2000		}
2001		wdev->preset_chandef = chandef;
2002		result = 0;
2003		break;
2004	case NL80211_IFTYPE_MESH_POINT:
2005		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
2006		break;
2007	case NL80211_IFTYPE_MONITOR:
2008		result = cfg80211_set_monitor_channel(rdev, &chandef);
2009		break;
2010	default:
2011		result = -EINVAL;
2012	}
2013
2014	return result;
2015}
2016
2017static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
2018{
2019	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2020	struct net_device *netdev = info->user_ptr[1];
2021
2022	return __nl80211_set_channel(rdev, netdev, info);
2023}
2024
2025static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
2026{
2027	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2028	struct net_device *dev = info->user_ptr[1];
2029	struct wireless_dev *wdev = dev->ieee80211_ptr;
2030	const u8 *bssid;
2031
2032	if (!info->attrs[NL80211_ATTR_MAC])
2033		return -EINVAL;
2034
2035	if (netif_running(dev))
2036		return -EBUSY;
2037
2038	if (!rdev->ops->set_wds_peer)
2039		return -EOPNOTSUPP;
2040
2041	if (wdev->iftype != NL80211_IFTYPE_WDS)
2042		return -EOPNOTSUPP;
2043
2044	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
2045	return rdev_set_wds_peer(rdev, dev, bssid);
2046}
2047
2048
2049static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
2050{
2051	struct cfg80211_registered_device *rdev;
2052	struct net_device *netdev = NULL;
2053	struct wireless_dev *wdev;
2054	int result = 0, rem_txq_params = 0;
2055	struct nlattr *nl_txq_params;
2056	u32 changed;
2057	u8 retry_short = 0, retry_long = 0;
2058	u32 frag_threshold = 0, rts_threshold = 0;
2059	u8 coverage_class = 0;
2060
2061	ASSERT_RTNL();
2062
2063	/*
2064	 * Try to find the wiphy and netdev. Normally this
2065	 * function shouldn't need the netdev, but this is
2066	 * done for backward compatibility -- previously
2067	 * setting the channel was done per wiphy, but now
2068	 * it is per netdev. Previous userland like hostapd
2069	 * also passed a netdev to set_wiphy, so that it is
2070	 * possible to let that go to the right netdev!
2071	 */
2072
2073	if (info->attrs[NL80211_ATTR_IFINDEX]) {
2074		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
2075
2076		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
2077		if (netdev && netdev->ieee80211_ptr)
2078			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
2079		else
2080			netdev = NULL;
2081	}
2082
2083	if (!netdev) {
2084		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
2085						  info->attrs);
2086		if (IS_ERR(rdev))
2087			return PTR_ERR(rdev);
2088		wdev = NULL;
2089		netdev = NULL;
2090		result = 0;
2091	} else
2092		wdev = netdev->ieee80211_ptr;
2093
2094	/*
2095	 * end workaround code, by now the rdev is available
2096	 * and locked, and wdev may or may not be NULL.
2097	 */
2098
2099	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
2100		result = cfg80211_dev_rename(
2101			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
2102
2103	if (result)
2104		return result;
2105
2106	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
2107		struct ieee80211_txq_params txq_params;
2108		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
2109
2110		if (!rdev->ops->set_txq_params)
2111			return -EOPNOTSUPP;
2112
2113		if (!netdev)
2114			return -EINVAL;
2115
2116		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2117		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2118			return -EINVAL;
2119
2120		if (!netif_running(netdev))
2121			return -ENETDOWN;
2122
2123		nla_for_each_nested(nl_txq_params,
2124				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
2125				    rem_txq_params) {
2126			result = nla_parse(tb, NL80211_TXQ_ATTR_MAX,
2127					   nla_data(nl_txq_params),
2128					   nla_len(nl_txq_params),
2129					   txq_params_policy);
2130			if (result)
2131				return result;
2132			result = parse_txq_params(tb, &txq_params);
2133			if (result)
2134				return result;
2135
2136			result = rdev_set_txq_params(rdev, netdev,
2137						     &txq_params);
2138			if (result)
2139				return result;
2140		}
2141	}
2142
2143	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2144		result = __nl80211_set_channel(
2145			rdev,
2146			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
2147			info);
2148		if (result)
2149			return result;
2150	}
2151
2152	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
2153		struct wireless_dev *txp_wdev = wdev;
2154		enum nl80211_tx_power_setting type;
2155		int idx, mbm = 0;
2156
2157		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
2158			txp_wdev = NULL;
2159
2160		if (!rdev->ops->set_tx_power)
2161			return -EOPNOTSUPP;
2162
2163		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
2164		type = nla_get_u32(info->attrs[idx]);
2165
2166		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
2167		    (type != NL80211_TX_POWER_AUTOMATIC))
2168			return -EINVAL;
2169
2170		if (type != NL80211_TX_POWER_AUTOMATIC) {
2171			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
2172			mbm = nla_get_u32(info->attrs[idx]);
2173		}
2174
2175		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
2176		if (result)
2177			return result;
2178	}
2179
2180	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
2181	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
2182		u32 tx_ant, rx_ant;
2183		if ((!rdev->wiphy.available_antennas_tx &&
2184		     !rdev->wiphy.available_antennas_rx) ||
2185		    !rdev->ops->set_antenna)
2186			return -EOPNOTSUPP;
2187
2188		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
2189		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
2190
2191		/* reject antenna configurations which don't match the
2192		 * available antenna masks, except for the "all" mask */
2193		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
2194		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
2195			return -EINVAL;
2196
2197		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
2198		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
2199
2200		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
2201		if (result)
2202			return result;
2203	}
2204
2205	changed = 0;
2206
2207	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
2208		retry_short = nla_get_u8(
2209			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
2210		if (retry_short == 0)
2211			return -EINVAL;
2212
2213		changed |= WIPHY_PARAM_RETRY_SHORT;
2214	}
2215
2216	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
2217		retry_long = nla_get_u8(
2218			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
2219		if (retry_long == 0)
2220			return -EINVAL;
2221
2222		changed |= WIPHY_PARAM_RETRY_LONG;
2223	}
2224
2225	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
2226		frag_threshold = nla_get_u32(
2227			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
2228		if (frag_threshold < 256)
2229			return -EINVAL;
2230
2231		if (frag_threshold != (u32) -1) {
2232			/*
2233			 * Fragments (apart from the last one) are required to
2234			 * have even length. Make the fragmentation code
2235			 * simpler by stripping LSB should someone try to use
2236			 * odd threshold value.
2237			 */
2238			frag_threshold &= ~0x1;
2239		}
2240		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
2241	}
2242
2243	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
2244		rts_threshold = nla_get_u32(
2245			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
2246		changed |= WIPHY_PARAM_RTS_THRESHOLD;
2247	}
2248
2249	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
2250		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
2251			return -EINVAL;
2252
2253		coverage_class = nla_get_u8(
2254			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
2255		changed |= WIPHY_PARAM_COVERAGE_CLASS;
2256	}
2257
2258	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
2259		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
2260			return -EOPNOTSUPP;
2261
2262		changed |= WIPHY_PARAM_DYN_ACK;
2263	}
2264
2265	if (changed) {
2266		u8 old_retry_short, old_retry_long;
2267		u32 old_frag_threshold, old_rts_threshold;
2268		u8 old_coverage_class;
2269
2270		if (!rdev->ops->set_wiphy_params)
2271			return -EOPNOTSUPP;
2272
2273		old_retry_short = rdev->wiphy.retry_short;
2274		old_retry_long = rdev->wiphy.retry_long;
2275		old_frag_threshold = rdev->wiphy.frag_threshold;
2276		old_rts_threshold = rdev->wiphy.rts_threshold;
2277		old_coverage_class = rdev->wiphy.coverage_class;
2278
2279		if (changed & WIPHY_PARAM_RETRY_SHORT)
2280			rdev->wiphy.retry_short = retry_short;
2281		if (changed & WIPHY_PARAM_RETRY_LONG)
2282			rdev->wiphy.retry_long = retry_long;
2283		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
2284			rdev->wiphy.frag_threshold = frag_threshold;
2285		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
2286			rdev->wiphy.rts_threshold = rts_threshold;
2287		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
2288			rdev->wiphy.coverage_class = coverage_class;
2289
2290		result = rdev_set_wiphy_params(rdev, changed);
2291		if (result) {
2292			rdev->wiphy.retry_short = old_retry_short;
2293			rdev->wiphy.retry_long = old_retry_long;
2294			rdev->wiphy.frag_threshold = old_frag_threshold;
2295			rdev->wiphy.rts_threshold = old_rts_threshold;
2296			rdev->wiphy.coverage_class = old_coverage_class;
2297		}
2298	}
2299	return 0;
2300}
2301
2302static inline u64 wdev_id(struct wireless_dev *wdev)
2303{
2304	return (u64)wdev->identifier |
2305	       ((u64)wiphy_to_rdev(wdev->wiphy)->wiphy_idx << 32);
2306}
2307
2308static int nl80211_send_chandef(struct sk_buff *msg,
2309				const struct cfg80211_chan_def *chandef)
2310{
2311	WARN_ON(!cfg80211_chandef_valid(chandef));
2312
2313	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
2314			chandef->chan->center_freq))
2315		return -ENOBUFS;
2316	switch (chandef->width) {
2317	case NL80211_CHAN_WIDTH_20_NOHT:
2318	case NL80211_CHAN_WIDTH_20:
2319	case NL80211_CHAN_WIDTH_40:
2320		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
2321				cfg80211_get_chandef_type(chandef)))
2322			return -ENOBUFS;
2323		break;
2324	default:
2325		break;
2326	}
2327	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
2328		return -ENOBUFS;
2329	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
2330		return -ENOBUFS;
2331	if (chandef->center_freq2 &&
2332	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
2333		return -ENOBUFS;
2334	return 0;
2335}
2336
2337static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
2338			      struct cfg80211_registered_device *rdev,
2339			      struct wireless_dev *wdev)
2340{
2341	struct net_device *dev = wdev->netdev;
2342	void *hdr;
2343
2344	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_INTERFACE);
2345	if (!hdr)
2346		return -1;
2347
2348	if (dev &&
2349	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2350	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
2351		goto nla_put_failure;
2352
2353	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2354	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
2355	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
2356	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
2357	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2358			rdev->devlist_generation ^
2359			(cfg80211_rdev_list_generation << 2)))
2360		goto nla_put_failure;
2361
2362	if (rdev->ops->get_channel) {
2363		int ret;
2364		struct cfg80211_chan_def chandef;
2365
2366		ret = rdev_get_channel(rdev, wdev, &chandef);
2367		if (ret == 0) {
2368			if (nl80211_send_chandef(msg, &chandef))
2369				goto nla_put_failure;
2370		}
2371	}
2372
2373	if (wdev->ssid_len) {
2374		if (nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
2375			goto nla_put_failure;
2376	}
2377
2378	return genlmsg_end(msg, hdr);
2379
2380 nla_put_failure:
2381	genlmsg_cancel(msg, hdr);
2382	return -EMSGSIZE;
2383}
2384
2385static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
2386{
2387	int wp_idx = 0;
2388	int if_idx = 0;
2389	int wp_start = cb->args[0];
2390	int if_start = cb->args[1];
2391	struct cfg80211_registered_device *rdev;
2392	struct wireless_dev *wdev;
2393
2394	rtnl_lock();
2395	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2396		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2397			continue;
2398		if (wp_idx < wp_start) {
2399			wp_idx++;
2400			continue;
2401		}
2402		if_idx = 0;
2403
2404		list_for_each_entry(wdev, &rdev->wdev_list, list) {
2405			if (if_idx < if_start) {
2406				if_idx++;
2407				continue;
2408			}
2409			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
2410					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
2411					       rdev, wdev) < 0) {
2412				goto out;
2413			}
2414			if_idx++;
2415		}
2416
2417		wp_idx++;
2418	}
2419 out:
2420	rtnl_unlock();
2421
2422	cb->args[0] = wp_idx;
2423	cb->args[1] = if_idx;
2424
2425	return skb->len;
2426}
2427
2428static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
2429{
2430	struct sk_buff *msg;
2431	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2432	struct wireless_dev *wdev = info->user_ptr[1];
2433
2434	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2435	if (!msg)
2436		return -ENOMEM;
2437
2438	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2439			       rdev, wdev) < 0) {
2440		nlmsg_free(msg);
2441		return -ENOBUFS;
2442	}
2443
2444	return genlmsg_reply(msg, info);
2445}
2446
2447static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
2448	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
2449	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
2450	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
2451	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
2452	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
2453	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
2454};
2455
2456static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
2457{
2458	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
2459	int flag;
2460
2461	*mntrflags = 0;
2462
2463	if (!nla)
2464		return -EINVAL;
2465
2466	if (nla_parse_nested(flags, NL80211_MNTR_FLAG_MAX,
2467			     nla, mntr_flags_policy))
2468		return -EINVAL;
2469
2470	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
2471		if (flags[flag])
2472			*mntrflags |= (1<<flag);
2473
2474	return 0;
2475}
2476
2477static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
2478			       struct net_device *netdev, u8 use_4addr,
2479			       enum nl80211_iftype iftype)
2480{
2481	if (!use_4addr) {
2482		if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
2483			return -EBUSY;
2484		return 0;
2485	}
2486
2487	switch (iftype) {
2488	case NL80211_IFTYPE_AP_VLAN:
2489		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
2490			return 0;
2491		break;
2492	case NL80211_IFTYPE_STATION:
2493		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
2494			return 0;
2495		break;
2496	default:
2497		break;
2498	}
2499
2500	return -EOPNOTSUPP;
2501}
2502
2503static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
2504{
2505	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2506	struct vif_params params;
2507	int err;
2508	enum nl80211_iftype otype, ntype;
2509	struct net_device *dev = info->user_ptr[1];
2510	u32 _flags, *flags = NULL;
2511	bool change = false;
2512
2513	memset(&params, 0, sizeof(params));
2514
2515	otype = ntype = dev->ieee80211_ptr->iftype;
2516
2517	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2518		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2519		if (otype != ntype)
2520			change = true;
2521		if (ntype > NL80211_IFTYPE_MAX)
2522			return -EINVAL;
2523	}
2524
2525	if (info->attrs[NL80211_ATTR_MESH_ID]) {
2526		struct wireless_dev *wdev = dev->ieee80211_ptr;
2527
2528		if (ntype != NL80211_IFTYPE_MESH_POINT)
2529			return -EINVAL;
2530		if (netif_running(dev))
2531			return -EBUSY;
2532
2533		wdev_lock(wdev);
2534		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2535			     IEEE80211_MAX_MESH_ID_LEN);
2536		wdev->mesh_id_up_len =
2537			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2538		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2539		       wdev->mesh_id_up_len);
2540		wdev_unlock(wdev);
2541	}
2542
2543	if (info->attrs[NL80211_ATTR_4ADDR]) {
2544		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2545		change = true;
2546		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
2547		if (err)
2548			return err;
2549	} else {
2550		params.use_4addr = -1;
2551	}
2552
2553	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
2554		if (ntype != NL80211_IFTYPE_MONITOR)
2555			return -EINVAL;
2556		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
2557					  &_flags);
2558		if (err)
2559			return err;
2560
2561		flags = &_flags;
2562		change = true;
2563	}
2564
2565	if (flags && (*flags & MONITOR_FLAG_ACTIVE) &&
2566	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
2567		return -EOPNOTSUPP;
2568
2569	if (change)
2570		err = cfg80211_change_iface(rdev, dev, ntype, flags, &params);
2571	else
2572		err = 0;
2573
2574	if (!err && params.use_4addr != -1)
2575		dev->ieee80211_ptr->use_4addr = params.use_4addr;
2576
2577	return err;
2578}
2579
2580static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
2581{
2582	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2583	struct vif_params params;
2584	struct wireless_dev *wdev;
2585	struct sk_buff *msg;
2586	int err;
2587	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
2588	u32 flags;
2589
2590	/* to avoid failing a new interface creation due to pending removal */
2591	cfg80211_destroy_ifaces(rdev);
2592
2593	memset(&params, 0, sizeof(params));
2594
2595	if (!info->attrs[NL80211_ATTR_IFNAME])
2596		return -EINVAL;
2597
2598	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2599		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2600		if (type > NL80211_IFTYPE_MAX)
2601			return -EINVAL;
2602	}
2603
2604	if (!rdev->ops->add_virtual_intf ||
2605	    !(rdev->wiphy.interface_modes & (1 << type)))
2606		return -EOPNOTSUPP;
2607
2608	if (type == NL80211_IFTYPE_P2P_DEVICE && info->attrs[NL80211_ATTR_MAC]) {
2609		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
2610			   ETH_ALEN);
2611		if (!is_valid_ether_addr(params.macaddr))
2612			return -EADDRNOTAVAIL;
2613	}
2614
2615	if (info->attrs[NL80211_ATTR_4ADDR]) {
2616		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2617		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
2618		if (err)
2619			return err;
2620	}
2621
2622	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2623	if (!msg)
2624		return -ENOMEM;
2625
2626	err = parse_monitor_flags(type == NL80211_IFTYPE_MONITOR ?
2627				  info->attrs[NL80211_ATTR_MNTR_FLAGS] : NULL,
2628				  &flags);
2629
2630	if (!err && (flags & MONITOR_FLAG_ACTIVE) &&
2631	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
2632		return -EOPNOTSUPP;
2633
2634	wdev = rdev_add_virtual_intf(rdev,
2635				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
2636				type, err ? NULL : &flags, &params);
2637	if (IS_ERR(wdev)) {
2638		nlmsg_free(msg);
2639		return PTR_ERR(wdev);
2640	}
2641
2642	if (info->attrs[NL80211_ATTR_IFACE_SOCKET_OWNER])
2643		wdev->owner_nlportid = info->snd_portid;
2644
2645	switch (type) {
2646	case NL80211_IFTYPE_MESH_POINT:
2647		if (!info->attrs[NL80211_ATTR_MESH_ID])
2648			break;
2649		wdev_lock(wdev);
2650		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2651			     IEEE80211_MAX_MESH_ID_LEN);
2652		wdev->mesh_id_up_len =
2653			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2654		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2655		       wdev->mesh_id_up_len);
2656		wdev_unlock(wdev);
2657		break;
2658	case NL80211_IFTYPE_P2P_DEVICE:
2659		/*
2660		 * P2P Device doesn't have a netdev, so doesn't go
2661		 * through the netdev notifier and must be added here
2662		 */
2663		mutex_init(&wdev->mtx);
2664		INIT_LIST_HEAD(&wdev->event_list);
2665		spin_lock_init(&wdev->event_lock);
2666		INIT_LIST_HEAD(&wdev->mgmt_registrations);
2667		spin_lock_init(&wdev->mgmt_registrations_lock);
2668
2669		wdev->identifier = ++rdev->wdev_id;
2670		list_add_rcu(&wdev->list, &rdev->wdev_list);
2671		rdev->devlist_generation++;
2672		break;
2673	default:
2674		break;
2675	}
2676
2677	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2678			       rdev, wdev) < 0) {
2679		nlmsg_free(msg);
2680		return -ENOBUFS;
2681	}
2682
2683	return genlmsg_reply(msg, info);
2684}
2685
2686static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
2687{
2688	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2689	struct wireless_dev *wdev = info->user_ptr[1];
2690
2691	if (!rdev->ops->del_virtual_intf)
2692		return -EOPNOTSUPP;
2693
2694	/*
2695	 * If we remove a wireless device without a netdev then clear
2696	 * user_ptr[1] so that nl80211_post_doit won't dereference it
2697	 * to check if it needs to do dev_put(). Otherwise it crashes
2698	 * since the wdev has been freed, unlike with a netdev where
2699	 * we need the dev_put() for the netdev to really be freed.
2700	 */
2701	if (!wdev->netdev)
2702		info->user_ptr[1] = NULL;
2703
2704	return rdev_del_virtual_intf(rdev, wdev);
2705}
2706
2707static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
2708{
2709	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2710	struct net_device *dev = info->user_ptr[1];
2711	u16 noack_map;
2712
2713	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
2714		return -EINVAL;
2715
2716	if (!rdev->ops->set_noack_map)
2717		return -EOPNOTSUPP;
2718
2719	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
2720
2721	return rdev_set_noack_map(rdev, dev, noack_map);
2722}
2723
2724struct get_key_cookie {
2725	struct sk_buff *msg;
2726	int error;
2727	int idx;
2728};
2729
2730static void get_key_callback(void *c, struct key_params *params)
2731{
2732	struct nlattr *key;
2733	struct get_key_cookie *cookie = c;
2734
2735	if ((params->key &&
2736	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
2737		     params->key_len, params->key)) ||
2738	    (params->seq &&
2739	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
2740		     params->seq_len, params->seq)) ||
2741	    (params->cipher &&
2742	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
2743			 params->cipher)))
2744		goto nla_put_failure;
2745
2746	key = nla_nest_start(cookie->msg, NL80211_ATTR_KEY);
2747	if (!key)
2748		goto nla_put_failure;
2749
2750	if ((params->key &&
2751	     nla_put(cookie->msg, NL80211_KEY_DATA,
2752		     params->key_len, params->key)) ||
2753	    (params->seq &&
2754	     nla_put(cookie->msg, NL80211_KEY_SEQ,
2755		     params->seq_len, params->seq)) ||
2756	    (params->cipher &&
2757	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
2758			 params->cipher)))
2759		goto nla_put_failure;
2760
2761	if (nla_put_u8(cookie->msg, NL80211_ATTR_KEY_IDX, cookie->idx))
2762		goto nla_put_failure;
2763
2764	nla_nest_end(cookie->msg, key);
2765
2766	return;
2767 nla_put_failure:
2768	cookie->error = 1;
2769}
2770
2771static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
2772{
2773	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2774	int err;
2775	struct net_device *dev = info->user_ptr[1];
2776	u8 key_idx = 0;
2777	const u8 *mac_addr = NULL;
2778	bool pairwise;
2779	struct get_key_cookie cookie = {
2780		.error = 0,
2781	};
2782	void *hdr;
2783	struct sk_buff *msg;
2784
2785	if (info->attrs[NL80211_ATTR_KEY_IDX])
2786		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
2787
2788	if (key_idx > 5)
2789		return -EINVAL;
2790
2791	if (info->attrs[NL80211_ATTR_MAC])
2792		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2793
2794	pairwise = !!mac_addr;
2795	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
2796		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
2797		if (kt >= NUM_NL80211_KEYTYPES)
2798			return -EINVAL;
2799		if (kt != NL80211_KEYTYPE_GROUP &&
2800		    kt != NL80211_KEYTYPE_PAIRWISE)
2801			return -EINVAL;
2802		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
2803	}
2804
2805	if (!rdev->ops->get_key)
2806		return -EOPNOTSUPP;
2807
2808	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2809	if (!msg)
2810		return -ENOMEM;
2811
2812	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
2813			     NL80211_CMD_NEW_KEY);
2814	if (!hdr)
2815		goto nla_put_failure;
2816
2817	cookie.msg = msg;
2818	cookie.idx = key_idx;
2819
2820	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2821	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
2822		goto nla_put_failure;
2823	if (mac_addr &&
2824	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
2825		goto nla_put_failure;
2826
2827	if (pairwise && mac_addr &&
2828	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2829		return -ENOENT;
2830
2831	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
2832			   get_key_callback);
2833
2834	if (err)
2835		goto free_msg;
2836
2837	if (cookie.error)
2838		goto nla_put_failure;
2839
2840	genlmsg_end(msg, hdr);
2841	return genlmsg_reply(msg, info);
2842
2843 nla_put_failure:
2844	err = -ENOBUFS;
2845 free_msg:
2846	nlmsg_free(msg);
2847	return err;
2848}
2849
2850static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
2851{
2852	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2853	struct key_parse key;
2854	int err;
2855	struct net_device *dev = info->user_ptr[1];
2856
2857	err = nl80211_parse_key(info, &key);
2858	if (err)
2859		return err;
2860
2861	if (key.idx < 0)
2862		return -EINVAL;
2863
2864	/* only support setting default key */
2865	if (!key.def && !key.defmgmt)
2866		return -EINVAL;
2867
2868	wdev_lock(dev->ieee80211_ptr);
2869
2870	if (key.def) {
2871		if (!rdev->ops->set_default_key) {
2872			err = -EOPNOTSUPP;
2873			goto out;
2874		}
2875
2876		err = nl80211_key_allowed(dev->ieee80211_ptr);
2877		if (err)
2878			goto out;
2879
2880		err = rdev_set_default_key(rdev, dev, key.idx,
2881						 key.def_uni, key.def_multi);
2882
2883		if (err)
2884			goto out;
2885
2886#ifdef CONFIG_CFG80211_WEXT
2887		dev->ieee80211_ptr->wext.default_key = key.idx;
2888#endif
2889	} else {
2890		if (key.def_uni || !key.def_multi) {
2891			err = -EINVAL;
2892			goto out;
2893		}
2894
2895		if (!rdev->ops->set_default_mgmt_key) {
2896			err = -EOPNOTSUPP;
2897			goto out;
2898		}
2899
2900		err = nl80211_key_allowed(dev->ieee80211_ptr);
2901		if (err)
2902			goto out;
2903
2904		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
2905		if (err)
2906			goto out;
2907
2908#ifdef CONFIG_CFG80211_WEXT
2909		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
2910#endif
2911	}
2912
2913 out:
2914	wdev_unlock(dev->ieee80211_ptr);
2915
2916	return err;
2917}
2918
2919static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
2920{
2921	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2922	int err;
2923	struct net_device *dev = info->user_ptr[1];
2924	struct key_parse key;
2925	const u8 *mac_addr = NULL;
2926
2927	err = nl80211_parse_key(info, &key);
2928	if (err)
2929		return err;
2930
2931	if (!key.p.key)
2932		return -EINVAL;
2933
2934	if (info->attrs[NL80211_ATTR_MAC])
2935		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2936
2937	if (key.type == -1) {
2938		if (mac_addr)
2939			key.type = NL80211_KEYTYPE_PAIRWISE;
2940		else
2941			key.type = NL80211_KEYTYPE_GROUP;
2942	}
2943
2944	/* for now */
2945	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
2946	    key.type != NL80211_KEYTYPE_GROUP)
2947		return -EINVAL;
2948
2949	if (!rdev->ops->add_key)
2950		return -EOPNOTSUPP;
2951
2952	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
2953					   key.type == NL80211_KEYTYPE_PAIRWISE,
2954					   mac_addr))
2955		return -EINVAL;
2956
2957	wdev_lock(dev->ieee80211_ptr);
2958	err = nl80211_key_allowed(dev->ieee80211_ptr);
2959	if (!err)
2960		err = rdev_add_key(rdev, dev, key.idx,
2961				   key.type == NL80211_KEYTYPE_PAIRWISE,
2962				    mac_addr, &key.p);
2963	wdev_unlock(dev->ieee80211_ptr);
2964
2965	return err;
2966}
2967
2968static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
2969{
2970	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2971	int err;
2972	struct net_device *dev = info->user_ptr[1];
2973	u8 *mac_addr = NULL;
2974	struct key_parse key;
2975
2976	err = nl80211_parse_key(info, &key);
2977	if (err)
2978		return err;
2979
2980	if (info->attrs[NL80211_ATTR_MAC])
2981		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2982
2983	if (key.type == -1) {
2984		if (mac_addr)
2985			key.type = NL80211_KEYTYPE_PAIRWISE;
2986		else
2987			key.type = NL80211_KEYTYPE_GROUP;
2988	}
2989
2990	/* for now */
2991	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
2992	    key.type != NL80211_KEYTYPE_GROUP)
2993		return -EINVAL;
2994
2995	if (!rdev->ops->del_key)
2996		return -EOPNOTSUPP;
2997
2998	wdev_lock(dev->ieee80211_ptr);
2999	err = nl80211_key_allowed(dev->ieee80211_ptr);
3000
3001	if (key.type == NL80211_KEYTYPE_PAIRWISE && mac_addr &&
3002	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3003		err = -ENOENT;
3004
3005	if (!err)
3006		err = rdev_del_key(rdev, dev, key.idx,
3007				   key.type == NL80211_KEYTYPE_PAIRWISE,
3008				   mac_addr);
3009
3010#ifdef CONFIG_CFG80211_WEXT
3011	if (!err) {
3012		if (key.idx == dev->ieee80211_ptr->wext.default_key)
3013			dev->ieee80211_ptr->wext.default_key = -1;
3014		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
3015			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
3016	}
3017#endif
3018	wdev_unlock(dev->ieee80211_ptr);
3019
3020	return err;
3021}
3022
3023/* This function returns an error or the number of nested attributes */
3024static int validate_acl_mac_addrs(struct nlattr *nl_attr)
3025{
3026	struct nlattr *attr;
3027	int n_entries = 0, tmp;
3028
3029	nla_for_each_nested(attr, nl_attr, tmp) {
3030		if (nla_len(attr) != ETH_ALEN)
3031			return -EINVAL;
3032
3033		n_entries++;
3034	}
3035
3036	return n_entries;
3037}
3038
3039/*
3040 * This function parses ACL information and allocates memory for ACL data.
3041 * On successful return, the calling function is responsible to free the
3042 * ACL buffer returned by this function.
3043 */
3044static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
3045						struct genl_info *info)
3046{
3047	enum nl80211_acl_policy acl_policy;
3048	struct nlattr *attr;
3049	struct cfg80211_acl_data *acl;
3050	int i = 0, n_entries, tmp;
3051
3052	if (!wiphy->max_acl_mac_addrs)
3053		return ERR_PTR(-EOPNOTSUPP);
3054
3055	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
3056		return ERR_PTR(-EINVAL);
3057
3058	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
3059	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
3060	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
3061		return ERR_PTR(-EINVAL);
3062
3063	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
3064		return ERR_PTR(-EINVAL);
3065
3066	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
3067	if (n_entries < 0)
3068		return ERR_PTR(n_entries);
3069
3070	if (n_entries > wiphy->max_acl_mac_addrs)
3071		return ERR_PTR(-ENOTSUPP);
3072
3073	acl = kzalloc(sizeof(*acl) + (sizeof(struct mac_address) * n_entries),
3074		      GFP_KERNEL);
3075	if (!acl)
3076		return ERR_PTR(-ENOMEM);
3077
3078	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
3079		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
3080		i++;
3081	}
3082
3083	acl->n_acl_entries = n_entries;
3084	acl->acl_policy = acl_policy;
3085
3086	return acl;
3087}
3088
3089static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
3090{
3091	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3092	struct net_device *dev = info->user_ptr[1];
3093	struct cfg80211_acl_data *acl;
3094	int err;
3095
3096	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3097	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3098		return -EOPNOTSUPP;
3099
3100	if (!dev->ieee80211_ptr->beacon_interval)
3101		return -EINVAL;
3102
3103	acl = parse_acl_data(&rdev->wiphy, info);
3104	if (IS_ERR(acl))
3105		return PTR_ERR(acl);
3106
3107	err = rdev_set_mac_acl(rdev, dev, acl);
3108
3109	kfree(acl);
3110
3111	return err;
3112}
3113
3114static int nl80211_parse_beacon(struct nlattr *attrs[],
3115				struct cfg80211_beacon_data *bcn)
3116{
3117	bool haveinfo = false;
3118
3119	if (!is_valid_ie_attr(attrs[NL80211_ATTR_BEACON_TAIL]) ||
3120	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE]) ||
3121	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE_PROBE_RESP]) ||
3122	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE_ASSOC_RESP]))
3123		return -EINVAL;
3124
3125	memset(bcn, 0, sizeof(*bcn));
3126
3127	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
3128		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
3129		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
3130		if (!bcn->head_len)
3131			return -EINVAL;
3132		haveinfo = true;
3133	}
3134
3135	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
3136		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
3137		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
3138		haveinfo = true;
3139	}
3140
3141	if (!haveinfo)
3142		return -EINVAL;
3143
3144	if (attrs[NL80211_ATTR_IE]) {
3145		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
3146		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
3147	}
3148
3149	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
3150		bcn->proberesp_ies =
3151			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
3152		bcn->proberesp_ies_len =
3153			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
3154	}
3155
3156	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
3157		bcn->assocresp_ies =
3158			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
3159		bcn->assocresp_ies_len =
3160			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
3161	}
3162
3163	if (attrs[NL80211_ATTR_PROBE_RESP]) {
3164		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
3165		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
3166	}
3167
3168	return 0;
3169}
3170
3171static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
3172				   struct cfg80211_ap_settings *params)
3173{
3174	struct wireless_dev *wdev;
3175	bool ret = false;
3176
3177	list_for_each_entry(wdev, &rdev->wdev_list, list) {
3178		if (wdev->iftype != NL80211_IFTYPE_AP &&
3179		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
3180			continue;
3181
3182		if (!wdev->preset_chandef.chan)
3183			continue;
3184
3185		params->chandef = wdev->preset_chandef;
3186		ret = true;
3187		break;
3188	}
3189
3190	return ret;
3191}
3192
3193static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
3194				    enum nl80211_auth_type auth_type,
3195				    enum nl80211_commands cmd)
3196{
3197	if (auth_type > NL80211_AUTHTYPE_MAX)
3198		return false;
3199
3200	switch (cmd) {
3201	case NL80211_CMD_AUTHENTICATE:
3202		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
3203		    auth_type == NL80211_AUTHTYPE_SAE)
3204			return false;
3205		return true;
3206	case NL80211_CMD_CONNECT:
3207	case NL80211_CMD_START_AP:
3208		/* SAE not supported yet */
3209		if (auth_type == NL80211_AUTHTYPE_SAE)
3210			return false;
3211		return true;
3212	default:
3213		return false;
3214	}
3215}
3216
3217static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
3218{
3219	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3220	struct net_device *dev = info->user_ptr[1];
3221	struct wireless_dev *wdev = dev->ieee80211_ptr;
3222	struct cfg80211_ap_settings params;
3223	int err;
3224
3225	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3226	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3227		return -EOPNOTSUPP;
3228
3229	if (!rdev->ops->start_ap)
3230		return -EOPNOTSUPP;
3231
3232	if (wdev->beacon_interval)
3233		return -EALREADY;
3234
3235	memset(&params, 0, sizeof(params));
3236
3237	/* these are required for START_AP */
3238	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
3239	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
3240	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
3241		return -EINVAL;
3242
3243	err = nl80211_parse_beacon(info->attrs, &params.beacon);
3244	if (err)
3245		return err;
3246
3247	params.beacon_interval =
3248		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
3249	params.dtim_period =
3250		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
3251
3252	err = cfg80211_validate_beacon_int(rdev, params.beacon_interval);
3253	if (err)
3254		return err;
3255
3256	/*
3257	 * In theory, some of these attributes should be required here
3258	 * but since they were not used when the command was originally
3259	 * added, keep them optional for old user space programs to let
3260	 * them continue to work with drivers that do not need the
3261	 * additional information -- drivers must check!
3262	 */
3263	if (info->attrs[NL80211_ATTR_SSID]) {
3264		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
3265		params.ssid_len =
3266			nla_len(info->attrs[NL80211_ATTR_SSID]);
3267		if (params.ssid_len == 0 ||
3268		    params.ssid_len > IEEE80211_MAX_SSID_LEN)
3269			return -EINVAL;
3270	}
3271
3272	if (info->attrs[NL80211_ATTR_HIDDEN_SSID]) {
3273		params.hidden_ssid = nla_get_u32(
3274			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
3275		if (params.hidden_ssid != NL80211_HIDDEN_SSID_NOT_IN_USE &&
3276		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_LEN &&
3277		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_CONTENTS)
3278			return -EINVAL;
3279	}
3280
3281	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
3282
3283	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
3284		params.auth_type = nla_get_u32(
3285			info->attrs[NL80211_ATTR_AUTH_TYPE]);
3286		if (!nl80211_valid_auth_type(rdev, params.auth_type,
3287					     NL80211_CMD_START_AP))
3288			return -EINVAL;
3289	} else
3290		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
3291
3292	err = nl80211_crypto_settings(rdev, info, &params.crypto,
3293				      NL80211_MAX_NR_CIPHER_SUITES);
3294	if (err)
3295		return err;
3296
3297	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
3298		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
3299			return -EOPNOTSUPP;
3300		params.inactivity_timeout = nla_get_u16(
3301			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
3302	}
3303
3304	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
3305		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3306			return -EINVAL;
3307		params.p2p_ctwindow =
3308			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
3309		if (params.p2p_ctwindow > 127)
3310			return -EINVAL;
3311		if (params.p2p_ctwindow != 0 &&
3312		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
3313			return -EINVAL;
3314	}
3315
3316	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
3317		u8 tmp;
3318
3319		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3320			return -EINVAL;
3321		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
3322		if (tmp > 1)
3323			return -EINVAL;
3324		params.p2p_opp_ps = tmp;
3325		if (params.p2p_opp_ps != 0 &&
3326		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
3327			return -EINVAL;
3328	}
3329
3330	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3331		err = nl80211_parse_chandef(rdev, info, &params.chandef);
3332		if (err)
3333			return err;
3334	} else if (wdev->preset_chandef.chan) {
3335		params.chandef = wdev->preset_chandef;
3336	} else if (!nl80211_get_ap_channel(rdev, &params))
3337		return -EINVAL;
3338
3339	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &params.chandef,
3340				     wdev->iftype))
3341		return -EINVAL;
3342
3343	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
3344		params.acl = parse_acl_data(&rdev->wiphy, info);
3345		if (IS_ERR(params.acl))
3346			return PTR_ERR(params.acl);
3347	}
3348
3349	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
3350		params.smps_mode =
3351			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
3352		switch (params.smps_mode) {
3353		case NL80211_SMPS_OFF:
3354			break;
3355		case NL80211_SMPS_STATIC:
3356			if (!(rdev->wiphy.features &
3357			      NL80211_FEATURE_STATIC_SMPS))
3358				return -EINVAL;
3359			break;
3360		case NL80211_SMPS_DYNAMIC:
3361			if (!(rdev->wiphy.features &
3362			      NL80211_FEATURE_DYNAMIC_SMPS))
3363				return -EINVAL;
3364			break;
3365		default:
3366			return -EINVAL;
3367		}
3368	} else {
3369		params.smps_mode = NL80211_SMPS_OFF;
3370	}
3371
3372	wdev_lock(wdev);
3373	err = rdev_start_ap(rdev, dev, &params);
3374	if (!err) {
3375		wdev->preset_chandef = params.chandef;
3376		wdev->beacon_interval = params.beacon_interval;
3377		wdev->chandef = params.chandef;
3378		wdev->ssid_len = params.ssid_len;
3379		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
3380	}
3381	wdev_unlock(wdev);
3382
3383	kfree(params.acl);
3384
3385	return err;
3386}
3387
3388static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
3389{
3390	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3391	struct net_device *dev = info->user_ptr[1];
3392	struct wireless_dev *wdev = dev->ieee80211_ptr;
3393	struct cfg80211_beacon_data params;
3394	int err;
3395
3396	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3397	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3398		return -EOPNOTSUPP;
3399
3400	if (!rdev->ops->change_beacon)
3401		return -EOPNOTSUPP;
3402
3403	if (!wdev->beacon_interval)
3404		return -EINVAL;
3405
3406	err = nl80211_parse_beacon(info->attrs, &params);
3407	if (err)
3408		return err;
3409
3410	wdev_lock(wdev);
3411	err = rdev_change_beacon(rdev, dev, &params);
3412	wdev_unlock(wdev);
3413
3414	return err;
3415}
3416
3417static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
3418{
3419	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3420	struct net_device *dev = info->user_ptr[1];
3421
3422	return cfg80211_stop_ap(rdev, dev, false);
3423}
3424
3425static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
3426	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
3427	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
3428	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
3429	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
3430	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
3431	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
3432};
3433
3434static int parse_station_flags(struct genl_info *info,
3435			       enum nl80211_iftype iftype,
3436			       struct station_parameters *params)
3437{
3438	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
3439	struct nlattr *nla;
3440	int flag;
3441
3442	/*
3443	 * Try parsing the new attribute first so userspace
3444	 * can specify both for older kernels.
3445	 */
3446	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
3447	if (nla) {
3448		struct nl80211_sta_flag_update *sta_flags;
3449
3450		sta_flags = nla_data(nla);
3451		params->sta_flags_mask = sta_flags->mask;
3452		params->sta_flags_set = sta_flags->set;
3453		params->sta_flags_set &= params->sta_flags_mask;
3454		if ((params->sta_flags_mask |
3455		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
3456			return -EINVAL;
3457		return 0;
3458	}
3459
3460	/* if present, parse the old attribute */
3461
3462	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
3463	if (!nla)
3464		return 0;
3465
3466	if (nla_parse_nested(flags, NL80211_STA_FLAG_MAX,
3467			     nla, sta_flags_policy))
3468		return -EINVAL;
3469
3470	/*
3471	 * Only allow certain flags for interface types so that
3472	 * other attributes are silently ignored. Remember that
3473	 * this is backward compatibility code with old userspace
3474	 * and shouldn't be hit in other cases anyway.
3475	 */
3476	switch (iftype) {
3477	case NL80211_IFTYPE_AP:
3478	case NL80211_IFTYPE_AP_VLAN:
3479	case NL80211_IFTYPE_P2P_GO:
3480		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
3481					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
3482					 BIT(NL80211_STA_FLAG_WME) |
3483					 BIT(NL80211_STA_FLAG_MFP);
3484		break;
3485	case NL80211_IFTYPE_P2P_CLIENT:
3486	case NL80211_IFTYPE_STATION:
3487		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
3488					 BIT(NL80211_STA_FLAG_TDLS_PEER);
3489		break;
3490	case NL80211_IFTYPE_MESH_POINT:
3491		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3492					 BIT(NL80211_STA_FLAG_MFP) |
3493					 BIT(NL80211_STA_FLAG_AUTHORIZED);
3494	default:
3495		return -EINVAL;
3496	}
3497
3498	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
3499		if (flags[flag]) {
3500			params->sta_flags_set |= (1<<flag);
3501
3502			/* no longer support new API additions in old API */
3503			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
3504				return -EINVAL;
3505		}
3506	}
3507
3508	return 0;
3509}
3510
3511static bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info,
3512				 int attr)
3513{
3514	struct nlattr *rate;
3515	u32 bitrate;
3516	u16 bitrate_compat;
3517
3518	rate = nla_nest_start(msg, attr);
3519	if (!rate)
3520		return false;
3521
3522	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
3523	bitrate = cfg80211_calculate_bitrate(info);
3524	/* report 16-bit bitrate only if we can */
3525	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
3526	if (bitrate > 0 &&
3527	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
3528		return false;
3529	if (bitrate_compat > 0 &&
3530	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
3531		return false;
3532
3533	if (info->flags & RATE_INFO_FLAGS_MCS) {
3534		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
3535			return false;
3536		if (info->flags & RATE_INFO_FLAGS_40_MHZ_WIDTH &&
3537		    nla_put_flag(msg, NL80211_RATE_INFO_40_MHZ_WIDTH))
3538			return false;
3539		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3540		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3541			return false;
3542	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
3543		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
3544			return false;
3545		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
3546			return false;
3547		if (info->flags & RATE_INFO_FLAGS_40_MHZ_WIDTH &&
3548		    nla_put_flag(msg, NL80211_RATE_INFO_40_MHZ_WIDTH))
3549			return false;
3550		if (info->flags & RATE_INFO_FLAGS_80_MHZ_WIDTH &&
3551		    nla_put_flag(msg, NL80211_RATE_INFO_80_MHZ_WIDTH))
3552			return false;
3553		if (info->flags & RATE_INFO_FLAGS_80P80_MHZ_WIDTH &&
3554		    nla_put_flag(msg, NL80211_RATE_INFO_80P80_MHZ_WIDTH))
3555			return false;
3556		if (info->flags & RATE_INFO_FLAGS_160_MHZ_WIDTH &&
3557		    nla_put_flag(msg, NL80211_RATE_INFO_160_MHZ_WIDTH))
3558			return false;
3559		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3560		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3561			return false;
3562	}
3563
3564	nla_nest_end(msg, rate);
3565	return true;
3566}
3567
3568static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
3569			       int id)
3570{
3571	void *attr;
3572	int i = 0;
3573
3574	if (!mask)
3575		return true;
3576
3577	attr = nla_nest_start(msg, id);
3578	if (!attr)
3579		return false;
3580
3581	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
3582		if (!(mask & BIT(i)))
3583			continue;
3584
3585		if (nla_put_u8(msg, i, signal[i]))
3586			return false;
3587	}
3588
3589	nla_nest_end(msg, attr);
3590
3591	return true;
3592}
3593
3594static int nl80211_send_station(struct sk_buff *msg, u32 portid, u32 seq,
3595				int flags,
3596				struct cfg80211_registered_device *rdev,
3597				struct net_device *dev,
3598				const u8 *mac_addr, struct station_info *sinfo)
3599{
3600	void *hdr;
3601	struct nlattr *sinfoattr, *bss_param;
3602
3603	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_STATION);
3604	if (!hdr)
3605		return -1;
3606
3607	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3608	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
3609	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
3610		goto nla_put_failure;
3611
3612	sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
3613	if (!sinfoattr)
3614		goto nla_put_failure;
3615	if ((sinfo->filled & STATION_INFO_CONNECTED_TIME) &&
3616	    nla_put_u32(msg, NL80211_STA_INFO_CONNECTED_TIME,
3617			sinfo->connected_time))
3618		goto nla_put_failure;
3619	if ((sinfo->filled & STATION_INFO_INACTIVE_TIME) &&
3620	    nla_put_u32(msg, NL80211_STA_INFO_INACTIVE_TIME,
3621			sinfo->inactive_time))
3622		goto nla_put_failure;
3623	if ((sinfo->filled & (STATION_INFO_RX_BYTES |
3624			      STATION_INFO_RX_BYTES64)) &&
3625	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
3626			(u32)sinfo->rx_bytes))
3627		goto nla_put_failure;
3628	if ((sinfo->filled & (STATION_INFO_TX_BYTES |
3629			      STATION_INFO_TX_BYTES64)) &&
3630	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
3631			(u32)sinfo->tx_bytes))
3632		goto nla_put_failure;
3633	if ((sinfo->filled & STATION_INFO_RX_BYTES64) &&
3634	    nla_put_u64(msg, NL80211_STA_INFO_RX_BYTES64,
3635			sinfo->rx_bytes))
3636		goto nla_put_failure;
3637	if ((sinfo->filled & STATION_INFO_TX_BYTES64) &&
3638	    nla_put_u64(msg, NL80211_STA_INFO_TX_BYTES64,
3639			sinfo->tx_bytes))
3640		goto nla_put_failure;
3641	if ((sinfo->filled & STATION_INFO_LLID) &&
3642	    nla_put_u16(msg, NL80211_STA_INFO_LLID, sinfo->llid))
3643		goto nla_put_failure;
3644	if ((sinfo->filled & STATION_INFO_PLID) &&
3645	    nla_put_u16(msg, NL80211_STA_INFO_PLID, sinfo->plid))
3646		goto nla_put_failure;
3647	if ((sinfo->filled & STATION_INFO_PLINK_STATE) &&
3648	    nla_put_u8(msg, NL80211_STA_INFO_PLINK_STATE,
3649		       sinfo->plink_state))
3650		goto nla_put_failure;
3651	switch (rdev->wiphy.signal_type) {
3652	case CFG80211_SIGNAL_TYPE_MBM:
3653		if ((sinfo->filled & STATION_INFO_SIGNAL) &&
3654		    nla_put_u8(msg, NL80211_STA_INFO_SIGNAL,
3655			       sinfo->signal))
3656			goto nla_put_failure;
3657		if ((sinfo->filled & STATION_INFO_SIGNAL_AVG) &&
3658		    nla_put_u8(msg, NL80211_STA_INFO_SIGNAL_AVG,
3659			       sinfo->signal_avg))
3660			goto nla_put_failure;
3661		break;
3662	default:
3663		break;
3664	}
3665	if (sinfo->filled & STATION_INFO_CHAIN_SIGNAL) {
3666		if (!nl80211_put_signal(msg, sinfo->chains,
3667					sinfo->chain_signal,
3668					NL80211_STA_INFO_CHAIN_SIGNAL))
3669			goto nla_put_failure;
3670	}
3671	if (sinfo->filled & STATION_INFO_CHAIN_SIGNAL_AVG) {
3672		if (!nl80211_put_signal(msg, sinfo->chains,
3673					sinfo->chain_signal_avg,
3674					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
3675			goto nla_put_failure;
3676	}
3677	if (sinfo->filled & STATION_INFO_TX_BITRATE) {
3678		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
3679					  NL80211_STA_INFO_TX_BITRATE))
3680			goto nla_put_failure;
3681	}
3682	if (sinfo->filled & STATION_INFO_RX_BITRATE) {
3683		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
3684					  NL80211_STA_INFO_RX_BITRATE))
3685			goto nla_put_failure;
3686	}
3687	if ((sinfo->filled & STATION_INFO_RX_PACKETS) &&
3688	    nla_put_u32(msg, NL80211_STA_INFO_RX_PACKETS,
3689			sinfo->rx_packets))
3690		goto nla_put_failure;
3691	if ((sinfo->filled & STATION_INFO_TX_PACKETS) &&
3692	    nla_put_u32(msg, NL80211_STA_INFO_TX_PACKETS,
3693			sinfo->tx_packets))
3694		goto nla_put_failure;
3695	if ((sinfo->filled & STATION_INFO_TX_RETRIES) &&
3696	    nla_put_u32(msg, NL80211_STA_INFO_TX_RETRIES,
3697			sinfo->tx_retries))
3698		goto nla_put_failure;
3699	if ((sinfo->filled & STATION_INFO_TX_FAILED) &&
3700	    nla_put_u32(msg, NL80211_STA_INFO_TX_FAILED,
3701			sinfo->tx_failed))
3702		goto nla_put_failure;
3703	if ((sinfo->filled & STATION_INFO_EXPECTED_THROUGHPUT) &&
3704	    nla_put_u32(msg, NL80211_STA_INFO_EXPECTED_THROUGHPUT,
3705			sinfo->expected_throughput))
3706		goto nla_put_failure;
3707	if ((sinfo->filled & STATION_INFO_BEACON_LOSS_COUNT) &&
3708	    nla_put_u32(msg, NL80211_STA_INFO_BEACON_LOSS,
3709			sinfo->beacon_loss_count))
3710		goto nla_put_failure;
3711	if ((sinfo->filled & STATION_INFO_LOCAL_PM) &&
3712	    nla_put_u32(msg, NL80211_STA_INFO_LOCAL_PM,
3713			sinfo->local_pm))
3714		goto nla_put_failure;
3715	if ((sinfo->filled & STATION_INFO_PEER_PM) &&
3716	    nla_put_u32(msg, NL80211_STA_INFO_PEER_PM,
3717			sinfo->peer_pm))
3718		goto nla_put_failure;
3719	if ((sinfo->filled & STATION_INFO_NONPEER_PM) &&
3720	    nla_put_u32(msg, NL80211_STA_INFO_NONPEER_PM,
3721			sinfo->nonpeer_pm))
3722		goto nla_put_failure;
3723	if (sinfo->filled & STATION_INFO_BSS_PARAM) {
3724		bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
3725		if (!bss_param)
3726			goto nla_put_failure;
3727
3728		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
3729		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
3730		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
3731		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
3732		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
3733		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
3734		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
3735			       sinfo->bss_param.dtim_period) ||
3736		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
3737				sinfo->bss_param.beacon_interval))
3738			goto nla_put_failure;
3739
3740		nla_nest_end(msg, bss_param);
3741	}
3742	if ((sinfo->filled & STATION_INFO_STA_FLAGS) &&
3743	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
3744		    sizeof(struct nl80211_sta_flag_update),
3745		    &sinfo->sta_flags))
3746		goto nla_put_failure;
3747	if ((sinfo->filled & STATION_INFO_T_OFFSET) &&
3748		nla_put_u64(msg, NL80211_STA_INFO_T_OFFSET,
3749			    sinfo->t_offset))
3750		goto nla_put_failure;
3751	nla_nest_end(msg, sinfoattr);
3752
3753	if ((sinfo->filled & STATION_INFO_ASSOC_REQ_IES) &&
3754	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
3755		    sinfo->assoc_req_ies))
3756		goto nla_put_failure;
3757
3758	return genlmsg_end(msg, hdr);
3759
3760 nla_put_failure:
3761	genlmsg_cancel(msg, hdr);
3762	return -EMSGSIZE;
3763}
3764
3765static int nl80211_dump_station(struct sk_buff *skb,
3766				struct netlink_callback *cb)
3767{
3768	struct station_info sinfo;
3769	struct cfg80211_registered_device *rdev;
3770	struct wireless_dev *wdev;
3771	u8 mac_addr[ETH_ALEN];
3772	int sta_idx = cb->args[2];
3773	int err;
3774
3775	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
3776	if (err)
3777		return err;
3778
3779	if (!wdev->netdev) {
3780		err = -EINVAL;
3781		goto out_err;
3782	}
3783
3784	if (!rdev->ops->dump_station) {
3785		err = -EOPNOTSUPP;
3786		goto out_err;
3787	}
3788
3789	while (1) {
3790		memset(&sinfo, 0, sizeof(sinfo));
3791		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
3792					mac_addr, &sinfo);
3793		if (err == -ENOENT)
3794			break;
3795		if (err)
3796			goto out_err;
3797
3798		if (nl80211_send_station(skb,
3799				NETLINK_CB(cb->skb).portid,
3800				cb->nlh->nlmsg_seq, NLM_F_MULTI,
3801				rdev, wdev->netdev, mac_addr,
3802				&sinfo) < 0)
3803			goto out;
3804
3805		sta_idx++;
3806	}
3807
3808
3809 out:
3810	cb->args[2] = sta_idx;
3811	err = skb->len;
3812 out_err:
3813	nl80211_finish_wdev_dump(rdev);
3814
3815	return err;
3816}
3817
3818static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
3819{
3820	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3821	struct net_device *dev = info->user_ptr[1];
3822	struct station_info sinfo;
3823	struct sk_buff *msg;
3824	u8 *mac_addr = NULL;
3825	int err;
3826
3827	memset(&sinfo, 0, sizeof(sinfo));
3828
3829	if (!info->attrs[NL80211_ATTR_MAC])
3830		return -EINVAL;
3831
3832	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3833
3834	if (!rdev->ops->get_station)
3835		return -EOPNOTSUPP;
3836
3837	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
3838	if (err)
3839		return err;
3840
3841	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3842	if (!msg)
3843		return -ENOMEM;
3844
3845	if (nl80211_send_station(msg, info->snd_portid, info->snd_seq, 0,
3846				 rdev, dev, mac_addr, &sinfo) < 0) {
3847		nlmsg_free(msg);
3848		return -ENOBUFS;
3849	}
3850
3851	return genlmsg_reply(msg, info);
3852}
3853
3854int cfg80211_check_station_change(struct wiphy *wiphy,
3855				  struct station_parameters *params,
3856				  enum cfg80211_station_type statype)
3857{
3858	if (params->listen_interval != -1)
3859		return -EINVAL;
3860	if (params->aid &&
3861	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
3862		return -EINVAL;
3863
3864	/* When you run into this, adjust the code below for the new flag */
3865	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
3866
3867	switch (statype) {
3868	case CFG80211_STA_MESH_PEER_KERNEL:
3869	case CFG80211_STA_MESH_PEER_USER:
3870		/*
3871		 * No ignoring the TDLS flag here -- the userspace mesh
3872		 * code doesn't have the bug of including TDLS in the
3873		 * mask everywhere.
3874		 */
3875		if (params->sta_flags_mask &
3876				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3877				  BIT(NL80211_STA_FLAG_MFP) |
3878				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
3879			return -EINVAL;
3880		break;
3881	case CFG80211_STA_TDLS_PEER_SETUP:
3882	case CFG80211_STA_TDLS_PEER_ACTIVE:
3883		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
3884			return -EINVAL;
3885		/* ignore since it can't change */
3886		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3887		break;
3888	default:
3889		/* disallow mesh-specific things */
3890		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
3891			return -EINVAL;
3892		if (params->local_pm)
3893			return -EINVAL;
3894		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
3895			return -EINVAL;
3896	}
3897
3898	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
3899	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
3900		/* TDLS can't be set, ... */
3901		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3902			return -EINVAL;
3903		/*
3904		 * ... but don't bother the driver with it. This works around
3905		 * a hostapd/wpa_supplicant issue -- it always includes the
3906		 * TLDS_PEER flag in the mask even for AP mode.
3907		 */
3908		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3909	}
3910
3911	if (statype != CFG80211_STA_TDLS_PEER_SETUP) {
3912		/* reject other things that can't change */
3913		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
3914			return -EINVAL;
3915		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
3916			return -EINVAL;
3917		if (params->supported_rates)
3918			return -EINVAL;
3919		if (params->ext_capab || params->ht_capa || params->vht_capa)
3920			return -EINVAL;
3921	}
3922
3923	if (statype != CFG80211_STA_AP_CLIENT) {
3924		if (params->vlan)
3925			return -EINVAL;
3926	}
3927
3928	switch (statype) {
3929	case CFG80211_STA_AP_MLME_CLIENT:
3930		/* Use this only for authorizing/unauthorizing a station */
3931		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
3932			return -EOPNOTSUPP;
3933		break;
3934	case CFG80211_STA_AP_CLIENT:
3935		/* accept only the listed bits */
3936		if (params->sta_flags_mask &
3937				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
3938				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3939				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
3940				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
3941				  BIT(NL80211_STA_FLAG_WME) |
3942				  BIT(NL80211_STA_FLAG_MFP)))
3943			return -EINVAL;
3944
3945		/* but authenticated/associated only if driver handles it */
3946		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
3947		    params->sta_flags_mask &
3948				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3949				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
3950			return -EINVAL;
3951		break;
3952	case CFG80211_STA_IBSS:
3953	case CFG80211_STA_AP_STA:
3954		/* reject any changes other than AUTHORIZED */
3955		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
3956			return -EINVAL;
3957		break;
3958	case CFG80211_STA_TDLS_PEER_SETUP:
3959		/* reject any changes other than AUTHORIZED or WME */
3960		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
3961					       BIT(NL80211_STA_FLAG_WME)))
3962			return -EINVAL;
3963		/* force (at least) rates when authorizing */
3964		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
3965		    !params->supported_rates)
3966			return -EINVAL;
3967		break;
3968	case CFG80211_STA_TDLS_PEER_ACTIVE:
3969		/* reject any changes */
3970		return -EINVAL;
3971	case CFG80211_STA_MESH_PEER_KERNEL:
3972		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
3973			return -EINVAL;
3974		break;
3975	case CFG80211_STA_MESH_PEER_USER:
3976		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
3977			return -EINVAL;
3978		break;
3979	}
3980
3981	return 0;
3982}
3983EXPORT_SYMBOL(cfg80211_check_station_change);
3984
3985/*
3986 * Get vlan interface making sure it is running and on the right wiphy.
3987 */
3988static struct net_device *get_vlan(struct genl_info *info,
3989				   struct cfg80211_registered_device *rdev)
3990{
3991	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
3992	struct net_device *v;
3993	int ret;
3994
3995	if (!vlanattr)
3996		return NULL;
3997
3998	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
3999	if (!v)
4000		return ERR_PTR(-ENODEV);
4001
4002	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
4003		ret = -EINVAL;
4004		goto error;
4005	}
4006
4007	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
4008	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4009	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
4010		ret = -EINVAL;
4011		goto error;
4012	}
4013
4014	if (!netif_running(v)) {
4015		ret = -ENETDOWN;
4016		goto error;
4017	}
4018
4019	return v;
4020 error:
4021	dev_put(v);
4022	return ERR_PTR(ret);
4023}
4024
4025static const struct nla_policy
4026nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
4027	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
4028	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
4029};
4030
4031static int nl80211_parse_sta_wme(struct genl_info *info,
4032				 struct station_parameters *params)
4033{
4034	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
4035	struct nlattr *nla;
4036	int err;
4037
4038	/* parse WME attributes if present */
4039	if (!info->attrs[NL80211_ATTR_STA_WME])
4040		return 0;
4041
4042	nla = info->attrs[NL80211_ATTR_STA_WME];
4043	err = nla_parse_nested(tb, NL80211_STA_WME_MAX, nla,
4044			       nl80211_sta_wme_policy);
4045	if (err)
4046		return err;
4047
4048	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
4049		params->uapsd_queues = nla_get_u8(
4050			tb[NL80211_STA_WME_UAPSD_QUEUES]);
4051	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
4052		return -EINVAL;
4053
4054	if (tb[NL80211_STA_WME_MAX_SP])
4055		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
4056
4057	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
4058		return -EINVAL;
4059
4060	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
4061
4062	return 0;
4063}
4064
4065static int nl80211_parse_sta_channel_info(struct genl_info *info,
4066				      struct station_parameters *params)
4067{
4068	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
4069		params->supported_channels =
4070		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
4071		params->supported_channels_len =
4072		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
4073		/*
4074		 * Need to include at least one (first channel, number of
4075		 * channels) tuple for each subband, and must have proper
4076		 * tuples for the rest of the data as well.
4077		 */
4078		if (params->supported_channels_len < 2)
4079			return -EINVAL;
4080		if (params->supported_channels_len % 2)
4081			return -EINVAL;
4082	}
4083
4084	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
4085		params->supported_oper_classes =
4086		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
4087		params->supported_oper_classes_len =
4088		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
4089		/*
4090		 * The value of the Length field of the Supported Operating
4091		 * Classes element is between 2 and 253.
4092		 */
4093		if (params->supported_oper_classes_len < 2 ||
4094		    params->supported_oper_classes_len > 253)
4095			return -EINVAL;
4096	}
4097	return 0;
4098}
4099
4100static int nl80211_set_station_tdls(struct genl_info *info,
4101				    struct station_parameters *params)
4102{
4103	int err;
4104	/* Dummy STA entry gets updated once the peer capabilities are known */
4105	if (info->attrs[NL80211_ATTR_PEER_AID])
4106		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
4107	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
4108		params->ht_capa =
4109			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
4110	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
4111		params->vht_capa =
4112			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
4113
4114	err = nl80211_parse_sta_channel_info(info, params);
4115	if (err)
4116		return err;
4117
4118	return nl80211_parse_sta_wme(info, params);
4119}
4120
4121static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
4122{
4123	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4124	struct net_device *dev = info->user_ptr[1];
4125	struct station_parameters params;
4126	u8 *mac_addr;
4127	int err;
4128
4129	memset(&params, 0, sizeof(params));
4130
4131	params.listen_interval = -1;
4132
4133	if (!rdev->ops->change_station)
4134		return -EOPNOTSUPP;
4135
4136	if (info->attrs[NL80211_ATTR_STA_AID])
4137		return -EINVAL;
4138
4139	if (!info->attrs[NL80211_ATTR_MAC])
4140		return -EINVAL;
4141
4142	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4143
4144	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
4145		params.supported_rates =
4146			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4147		params.supported_rates_len =
4148			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4149	}
4150
4151	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
4152		params.capability =
4153			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
4154		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
4155	}
4156
4157	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
4158		params.ext_capab =
4159			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4160		params.ext_capab_len =
4161			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4162	}
4163
4164	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
4165		return -EINVAL;
4166
4167	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
4168		return -EINVAL;
4169
4170	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
4171		params.plink_action =
4172			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
4173		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
4174			return -EINVAL;
4175	}
4176
4177	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
4178		params.plink_state =
4179			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
4180		if (params.plink_state >= NUM_NL80211_PLINK_STATES)
4181			return -EINVAL;
4182		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
4183	}
4184
4185	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]) {
4186		enum nl80211_mesh_power_mode pm = nla_get_u32(
4187			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
4188
4189		if (pm <= NL80211_MESH_POWER_UNKNOWN ||
4190		    pm > NL80211_MESH_POWER_MAX)
4191			return -EINVAL;
4192
4193		params.local_pm = pm;
4194	}
4195
4196	/* Include parameters for TDLS peer (will check later) */
4197	err = nl80211_set_station_tdls(info, &params);
4198	if (err)
4199		return err;
4200
4201	params.vlan = get_vlan(info, rdev);
4202	if (IS_ERR(params.vlan))
4203		return PTR_ERR(params.vlan);
4204
4205	switch (dev->ieee80211_ptr->iftype) {
4206	case NL80211_IFTYPE_AP:
4207	case NL80211_IFTYPE_AP_VLAN:
4208	case NL80211_IFTYPE_P2P_GO:
4209	case NL80211_IFTYPE_P2P_CLIENT:
4210	case NL80211_IFTYPE_STATION:
4211	case NL80211_IFTYPE_ADHOC:
4212	case NL80211_IFTYPE_MESH_POINT:
4213		break;
4214	default:
4215		err = -EOPNOTSUPP;
4216		goto out_put_vlan;
4217	}
4218
4219	/* driver will call cfg80211_check_station_change() */
4220	err = rdev_change_station(rdev, dev, mac_addr, &params);
4221
4222 out_put_vlan:
4223	if (params.vlan)
4224		dev_put(params.vlan);
4225
4226	return err;
4227}
4228
4229static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
4230{
4231	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4232	int err;
4233	struct net_device *dev = info->user_ptr[1];
4234	struct station_parameters params;
4235	u8 *mac_addr = NULL;
4236
4237	memset(&params, 0, sizeof(params));
4238
4239	if (!rdev->ops->add_station)
4240		return -EOPNOTSUPP;
4241
4242	if (!info->attrs[NL80211_ATTR_MAC])
4243		return -EINVAL;
4244
4245	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
4246		return -EINVAL;
4247
4248	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
4249		return -EINVAL;
4250
4251	if (!info->attrs[NL80211_ATTR_STA_AID] &&
4252	    !info->attrs[NL80211_ATTR_PEER_AID])
4253		return -EINVAL;
4254
4255	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4256	params.supported_rates =
4257		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4258	params.supported_rates_len =
4259		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4260	params.listen_interval =
4261		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
4262
4263	if (info->attrs[NL80211_ATTR_PEER_AID])
4264		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
4265	else
4266		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
4267	if (!params.aid || params.aid > IEEE80211_MAX_AID)
4268		return -EINVAL;
4269
4270	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
4271		params.capability =
4272			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
4273		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
4274	}
4275
4276	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
4277		params.ext_capab =
4278			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4279		params.ext_capab_len =
4280			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4281	}
4282
4283	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
4284		params.ht_capa =
4285			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
4286
4287	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
4288		params.vht_capa =
4289			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
4290
4291	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
4292		params.opmode_notif_used = true;
4293		params.opmode_notif =
4294			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
4295	}
4296
4297	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
4298		params.plink_action =
4299			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
4300		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
4301			return -EINVAL;
4302	}
4303
4304	err = nl80211_parse_sta_channel_info(info, &params);
4305	if (err)
4306		return err;
4307
4308	err = nl80211_parse_sta_wme(info, &params);
4309	if (err)
4310		return err;
4311
4312	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
4313		return -EINVAL;
4314
4315	/* When you run into this, adjust the code below for the new flag */
4316	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
4317
4318	switch (dev->ieee80211_ptr->iftype) {
4319	case NL80211_IFTYPE_AP:
4320	case NL80211_IFTYPE_AP_VLAN:
4321	case NL80211_IFTYPE_P2P_GO:
4322		/* ignore WME attributes if iface/sta is not capable */
4323		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
4324		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
4325			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4326
4327		/* TDLS peers cannot be added */
4328		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
4329		    info->attrs[NL80211_ATTR_PEER_AID])
4330			return -EINVAL;
4331		/* but don't bother the driver with it */
4332		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
4333
4334		/* allow authenticated/associated only if driver handles it */
4335		if (!(rdev->wiphy.features &
4336				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
4337		    params.sta_flags_mask &
4338				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4339				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
4340			return -EINVAL;
4341
4342		/* must be last in here for error handling */
4343		params.vlan = get_vlan(info, rdev);
4344		if (IS_ERR(params.vlan))
4345			return PTR_ERR(params.vlan);
4346		break;
4347	case NL80211_IFTYPE_MESH_POINT:
4348		/* ignore uAPSD data */
4349		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4350
4351		/* associated is disallowed */
4352		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
4353			return -EINVAL;
4354		/* TDLS peers cannot be added */
4355		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
4356		    info->attrs[NL80211_ATTR_PEER_AID])
4357			return -EINVAL;
4358		break;
4359	case NL80211_IFTYPE_STATION:
4360	case NL80211_IFTYPE_P2P_CLIENT:
4361		/* ignore uAPSD data */
4362		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4363
4364		/* these are disallowed */
4365		if (params.sta_flags_mask &
4366				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
4367				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
4368			return -EINVAL;
4369		/* Only TDLS peers can be added */
4370		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
4371			return -EINVAL;
4372		/* Can only add if TDLS ... */
4373		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
4374			return -EOPNOTSUPP;
4375		/* ... with external setup is supported */
4376		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
4377			return -EOPNOTSUPP;
4378		/*
4379		 * Older wpa_supplicant versions always mark the TDLS peer
4380		 * as authorized, but it shouldn't yet be.
4381		 */
4382		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
4383		break;
4384	default:
4385		return -EOPNOTSUPP;
4386	}
4387
4388	/* be aware of params.vlan when changing code here */
4389
4390	err = rdev_add_station(rdev, dev, mac_addr, &params);
4391
4392	if (params.vlan)
4393		dev_put(params.vlan);
4394	return err;
4395}
4396
4397static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
4398{
4399	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4400	struct net_device *dev = info->user_ptr[1];
4401	u8 *mac_addr = NULL;
4402
4403	if (info->attrs[NL80211_ATTR_MAC])
4404		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4405
4406	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4407	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
4408	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
4409	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4410		return -EINVAL;
4411
4412	if (!rdev->ops->del_station)
4413		return -EOPNOTSUPP;
4414
4415	return rdev_del_station(rdev, dev, mac_addr);
4416}
4417
4418static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
4419				int flags, struct net_device *dev,
4420				u8 *dst, u8 *next_hop,
4421				struct mpath_info *pinfo)
4422{
4423	void *hdr;
4424	struct nlattr *pinfoattr;
4425
4426	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_STATION);
4427	if (!hdr)
4428		return -1;
4429
4430	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4431	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
4432	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
4433	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
4434		goto nla_put_failure;
4435
4436	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MPATH_INFO);
4437	if (!pinfoattr)
4438		goto nla_put_failure;
4439	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
4440	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
4441			pinfo->frame_qlen))
4442		goto nla_put_failure;
4443	if (((pinfo->filled & MPATH_INFO_SN) &&
4444	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
4445	    ((pinfo->filled & MPATH_INFO_METRIC) &&
4446	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
4447			 pinfo->metric)) ||
4448	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
4449	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
4450			 pinfo->exptime)) ||
4451	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
4452	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
4453			pinfo->flags)) ||
4454	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
4455	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
4456			 pinfo->discovery_timeout)) ||
4457	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
4458	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
4459			pinfo->discovery_retries)))
4460		goto nla_put_failure;
4461
4462	nla_nest_end(msg, pinfoattr);
4463
4464	return genlmsg_end(msg, hdr);
4465
4466 nla_put_failure:
4467	genlmsg_cancel(msg, hdr);
4468	return -EMSGSIZE;
4469}
4470
4471static int nl80211_dump_mpath(struct sk_buff *skb,
4472			      struct netlink_callback *cb)
4473{
4474	struct mpath_info pinfo;
4475	struct cfg80211_registered_device *rdev;
4476	struct wireless_dev *wdev;
4477	u8 dst[ETH_ALEN];
4478	u8 next_hop[ETH_ALEN];
4479	int path_idx = cb->args[2];
4480	int err;
4481
4482	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
4483	if (err)
4484		return err;
4485
4486	if (!rdev->ops->dump_mpath) {
4487		err = -EOPNOTSUPP;
4488		goto out_err;
4489	}
4490
4491	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
4492		err = -EOPNOTSUPP;
4493		goto out_err;
4494	}
4495
4496	while (1) {
4497		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
4498				      next_hop, &pinfo);
4499		if (err == -ENOENT)
4500			break;
4501		if (err)
4502			goto out_err;
4503
4504		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
4505				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4506				       wdev->netdev, dst, next_hop,
4507				       &pinfo) < 0)
4508			goto out;
4509
4510		path_idx++;
4511	}
4512
4513
4514 out:
4515	cb->args[2] = path_idx;
4516	err = skb->len;
4517 out_err:
4518	nl80211_finish_wdev_dump(rdev);
4519	return err;
4520}
4521
4522static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
4523{
4524	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4525	int err;
4526	struct net_device *dev = info->user_ptr[1];
4527	struct mpath_info pinfo;
4528	struct sk_buff *msg;
4529	u8 *dst = NULL;
4530	u8 next_hop[ETH_ALEN];
4531
4532	memset(&pinfo, 0, sizeof(pinfo));
4533
4534	if (!info->attrs[NL80211_ATTR_MAC])
4535		return -EINVAL;
4536
4537	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4538
4539	if (!rdev->ops->get_mpath)
4540		return -EOPNOTSUPP;
4541
4542	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4543		return -EOPNOTSUPP;
4544
4545	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
4546	if (err)
4547		return err;
4548
4549	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4550	if (!msg)
4551		return -ENOMEM;
4552
4553	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
4554				 dev, dst, next_hop, &pinfo) < 0) {
4555		nlmsg_free(msg);
4556		return -ENOBUFS;
4557	}
4558
4559	return genlmsg_reply(msg, info);
4560}
4561
4562static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
4563{
4564	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4565	struct net_device *dev = info->user_ptr[1];
4566	u8 *dst = NULL;
4567	u8 *next_hop = NULL;
4568
4569	if (!info->attrs[NL80211_ATTR_MAC])
4570		return -EINVAL;
4571
4572	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
4573		return -EINVAL;
4574
4575	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4576	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
4577
4578	if (!rdev->ops->change_mpath)
4579		return -EOPNOTSUPP;
4580
4581	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4582		return -EOPNOTSUPP;
4583
4584	return rdev_change_mpath(rdev, dev, dst, next_hop);
4585}
4586
4587static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
4588{
4589	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4590	struct net_device *dev = info->user_ptr[1];
4591	u8 *dst = NULL;
4592	u8 *next_hop = NULL;
4593
4594	if (!info->attrs[NL80211_ATTR_MAC])
4595		return -EINVAL;
4596
4597	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
4598		return -EINVAL;
4599
4600	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4601	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
4602
4603	if (!rdev->ops->add_mpath)
4604		return -EOPNOTSUPP;
4605
4606	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4607		return -EOPNOTSUPP;
4608
4609	return rdev_add_mpath(rdev, dev, dst, next_hop);
4610}
4611
4612static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
4613{
4614	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4615	struct net_device *dev = info->user_ptr[1];
4616	u8 *dst = NULL;
4617
4618	if (info->attrs[NL80211_ATTR_MAC])
4619		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4620
4621	if (!rdev->ops->del_mpath)
4622		return -EOPNOTSUPP;
4623
4624	return rdev_del_mpath(rdev, dev, dst);
4625}
4626
4627static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
4628{
4629	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4630	struct net_device *dev = info->user_ptr[1];
4631	struct wireless_dev *wdev = dev->ieee80211_ptr;
4632	struct bss_parameters params;
4633	int err;
4634
4635	memset(&params, 0, sizeof(params));
4636	/* default to not changing parameters */
4637	params.use_cts_prot = -1;
4638	params.use_short_preamble = -1;
4639	params.use_short_slot_time = -1;
4640	params.ap_isolate = -1;
4641	params.ht_opmode = -1;
4642	params.p2p_ctwindow = -1;
4643	params.p2p_opp_ps = -1;
4644
4645	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
4646		params.use_cts_prot =
4647		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
4648	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
4649		params.use_short_preamble =
4650		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
4651	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
4652		params.use_short_slot_time =
4653		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
4654	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
4655		params.basic_rates =
4656			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
4657		params.basic_rates_len =
4658			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
4659	}
4660	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
4661		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
4662	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
4663		params.ht_opmode =
4664			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
4665
4666	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
4667		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4668			return -EINVAL;
4669		params.p2p_ctwindow =
4670			nla_get_s8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
4671		if (params.p2p_ctwindow < 0)
4672			return -EINVAL;
4673		if (params.p2p_ctwindow != 0 &&
4674		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
4675			return -EINVAL;
4676	}
4677
4678	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
4679		u8 tmp;
4680
4681		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4682			return -EINVAL;
4683		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
4684		if (tmp > 1)
4685			return -EINVAL;
4686		params.p2p_opp_ps = tmp;
4687		if (params.p2p_opp_ps &&
4688		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
4689			return -EINVAL;
4690	}
4691
4692	if (!rdev->ops->change_bss)
4693		return -EOPNOTSUPP;
4694
4695	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4696	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4697		return -EOPNOTSUPP;
4698
4699	wdev_lock(wdev);
4700	err = rdev_change_bss(rdev, dev, &params);
4701	wdev_unlock(wdev);
4702
4703	return err;
4704}
4705
4706static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
4707	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
4708	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
4709	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
4710	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
4711	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
4712	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
4713	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
4714};
4715
4716static int parse_reg_rule(struct nlattr *tb[],
4717	struct ieee80211_reg_rule *reg_rule)
4718{
4719	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
4720	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
4721
4722	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
4723		return -EINVAL;
4724	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
4725		return -EINVAL;
4726	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
4727		return -EINVAL;
4728	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
4729		return -EINVAL;
4730	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
4731		return -EINVAL;
4732
4733	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
4734
4735	freq_range->start_freq_khz =
4736		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
4737	freq_range->end_freq_khz =
4738		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
4739	freq_range->max_bandwidth_khz =
4740		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
4741
4742	power_rule->max_eirp =
4743		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
4744
4745	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
4746		power_rule->max_antenna_gain =
4747			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
4748
4749	if (tb[NL80211_ATTR_DFS_CAC_TIME])
4750		reg_rule->dfs_cac_ms =
4751			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
4752
4753	return 0;
4754}
4755
4756static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
4757{
4758	char *data = NULL;
4759	enum nl80211_user_reg_hint_type user_reg_hint_type;
4760
4761	/*
4762	 * You should only get this when cfg80211 hasn't yet initialized
4763	 * completely when built-in to the kernel right between the time
4764	 * window between nl80211_init() and regulatory_init(), if that is
4765	 * even possible.
4766	 */
4767	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
4768		return -EINPROGRESS;
4769
4770	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
4771		user_reg_hint_type =
4772		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
4773	else
4774		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
4775
4776	switch (user_reg_hint_type) {
4777	case NL80211_USER_REG_HINT_USER:
4778	case NL80211_USER_REG_HINT_CELL_BASE:
4779		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
4780			return -EINVAL;
4781
4782		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
4783		return regulatory_hint_user(data, user_reg_hint_type);
4784	case NL80211_USER_REG_HINT_INDOOR:
4785		return regulatory_hint_indoor_user();
4786	default:
4787		return -EINVAL;
4788	}
4789}
4790
4791static int nl80211_get_mesh_config(struct sk_buff *skb,
4792				   struct genl_info *info)
4793{
4794	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4795	struct net_device *dev = info->user_ptr[1];
4796	struct wireless_dev *wdev = dev->ieee80211_ptr;
4797	struct mesh_config cur_params;
4798	int err = 0;
4799	void *hdr;
4800	struct nlattr *pinfoattr;
4801	struct sk_buff *msg;
4802
4803	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
4804		return -EOPNOTSUPP;
4805
4806	if (!rdev->ops->get_mesh_config)
4807		return -EOPNOTSUPP;
4808
4809	wdev_lock(wdev);
4810	/* If not connected, get default parameters */
4811	if (!wdev->mesh_id_len)
4812		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
4813	else
4814		err = rdev_get_mesh_config(rdev, dev, &cur_params);
4815	wdev_unlock(wdev);
4816
4817	if (err)
4818		return err;
4819
4820	/* Draw up a netlink message to send back */
4821	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4822	if (!msg)
4823		return -ENOMEM;
4824	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4825			     NL80211_CMD_GET_MESH_CONFIG);
4826	if (!hdr)
4827		goto out;
4828	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MESH_CONFIG);
4829	if (!pinfoattr)
4830		goto nla_put_failure;
4831	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4832	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
4833			cur_params.dot11MeshRetryTimeout) ||
4834	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
4835			cur_params.dot11MeshConfirmTimeout) ||
4836	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
4837			cur_params.dot11MeshHoldingTimeout) ||
4838	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
4839			cur_params.dot11MeshMaxPeerLinks) ||
4840	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
4841		       cur_params.dot11MeshMaxRetries) ||
4842	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
4843		       cur_params.dot11MeshTTL) ||
4844	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
4845		       cur_params.element_ttl) ||
4846	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
4847		       cur_params.auto_open_plinks) ||
4848	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
4849			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
4850	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
4851		       cur_params.dot11MeshHWMPmaxPREQretries) ||
4852	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
4853			cur_params.path_refresh_time) ||
4854	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
4855			cur_params.min_discovery_timeout) ||
4856	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
4857			cur_params.dot11MeshHWMPactivePathTimeout) ||
4858	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
4859			cur_params.dot11MeshHWMPpreqMinInterval) ||
4860	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
4861			cur_params.dot11MeshHWMPperrMinInterval) ||
4862	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
4863			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
4864	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
4865		       cur_params.dot11MeshHWMPRootMode) ||
4866	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
4867			cur_params.dot11MeshHWMPRannInterval) ||
4868	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
4869		       cur_params.dot11MeshGateAnnouncementProtocol) ||
4870	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
4871		       cur_params.dot11MeshForwarding) ||
4872	    nla_put_u32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
4873			cur_params.rssi_threshold) ||
4874	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
4875			cur_params.ht_opmode) ||
4876	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
4877			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
4878	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
4879			cur_params.dot11MeshHWMProotInterval) ||
4880	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
4881			cur_params.dot11MeshHWMPconfirmationInterval) ||
4882	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
4883			cur_params.power_mode) ||
4884	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
4885			cur_params.dot11MeshAwakeWindowDuration) ||
4886	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
4887			cur_params.plink_timeout))
4888		goto nla_put_failure;
4889	nla_nest_end(msg, pinfoattr);
4890	genlmsg_end(msg, hdr);
4891	return genlmsg_reply(msg, info);
4892
4893 nla_put_failure:
4894	genlmsg_cancel(msg, hdr);
4895 out:
4896	nlmsg_free(msg);
4897	return -ENOBUFS;
4898}
4899
4900static const struct nla_policy nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
4901	[NL80211_MESHCONF_RETRY_TIMEOUT] = { .type = NLA_U16 },
4902	[NL80211_MESHCONF_CONFIRM_TIMEOUT] = { .type = NLA_U16 },
4903	[NL80211_MESHCONF_HOLDING_TIMEOUT] = { .type = NLA_U16 },
4904	[NL80211_MESHCONF_MAX_PEER_LINKS] = { .type = NLA_U16 },
4905	[NL80211_MESHCONF_MAX_RETRIES] = { .type = NLA_U8 },
4906	[NL80211_MESHCONF_TTL] = { .type = NLA_U8 },
4907	[NL80211_MESHCONF_ELEMENT_TTL] = { .type = NLA_U8 },
4908	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = { .type = NLA_U8 },
4909	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] = { .type = NLA_U32 },
4910	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
4911	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
4912	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = { .type = NLA_U16 },
4913	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
4914	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] = { .type = NLA_U16 },
4915	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] = { .type = NLA_U16 },
4916	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] = { .type = NLA_U16 },
4917	[NL80211_MESHCONF_HWMP_ROOTMODE] = { .type = NLA_U8 },
4918	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] = { .type = NLA_U16 },
4919	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = { .type = NLA_U8 },
4920	[NL80211_MESHCONF_FORWARDING] = { .type = NLA_U8 },
4921	[NL80211_MESHCONF_RSSI_THRESHOLD] = { .type = NLA_U32 },
4922	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
4923	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
4924	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] = { .type = NLA_U16 },
4925	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] = { .type = NLA_U16 },
4926	[NL80211_MESHCONF_POWER_MODE] = { .type = NLA_U32 },
4927	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
4928	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
4929};
4930
4931static const struct nla_policy
4932	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
4933	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
4934	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
4935	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
4936	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
4937	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
4938	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
4939	[NL80211_MESH_SETUP_IE] = { .type = NLA_BINARY,
4940				    .len = IEEE80211_MAX_DATA_LEN },
4941	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
4942};
4943
4944static int nl80211_parse_mesh_config(struct genl_info *info,
4945				     struct mesh_config *cfg,
4946				     u32 *mask_out)
4947{
4948	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
4949	u32 mask = 0;
4950
4951#define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, min, max, mask, attr, fn) \
4952do {									    \
4953	if (tb[attr]) {							    \
4954		if (fn(tb[attr]) < min || fn(tb[attr]) > max)		    \
4955			return -EINVAL;					    \
4956		cfg->param = fn(tb[attr]);				    \
4957		mask |= (1 << (attr - 1));				    \
4958	}								    \
4959} while (0)
4960
4961
4962	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
4963		return -EINVAL;
4964	if (nla_parse_nested(tb, NL80211_MESHCONF_ATTR_MAX,
4965			     info->attrs[NL80211_ATTR_MESH_CONFIG],
4966			     nl80211_meshconf_params_policy))
4967		return -EINVAL;
4968
4969	/* This makes sure that there aren't more than 32 mesh config
4970	 * parameters (otherwise our bitfield scheme would not work.) */
4971	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
4972
4973	/* Fill in the params struct */
4974	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, 1, 255,
4975				  mask, NL80211_MESHCONF_RETRY_TIMEOUT,
4976				  nla_get_u16);
4977	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, 1, 255,
4978				  mask, NL80211_MESHCONF_CONFIRM_TIMEOUT,
4979				  nla_get_u16);
4980	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, 1, 255,
4981				  mask, NL80211_MESHCONF_HOLDING_TIMEOUT,
4982				  nla_get_u16);
4983	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, 0, 255,
4984				  mask, NL80211_MESHCONF_MAX_PEER_LINKS,
4985				  nla_get_u16);
4986	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, 0, 16,
4987				  mask, NL80211_MESHCONF_MAX_RETRIES,
4988				  nla_get_u8);
4989	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, 1, 255,
4990				  mask, NL80211_MESHCONF_TTL, nla_get_u8);
4991	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, 1, 255,
4992				  mask, NL80211_MESHCONF_ELEMENT_TTL,
4993				  nla_get_u8);
4994	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, 0, 1,
4995				  mask, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
4996				  nla_get_u8);
4997	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
4998				  1, 255, mask,
4999				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
5000				  nla_get_u32);
5001	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, 0, 255,
5002				  mask, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
5003				  nla_get_u8);
5004	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, 1, 65535,
5005				  mask, NL80211_MESHCONF_PATH_REFRESH_TIME,
5006				  nla_get_u32);
5007	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, 1, 65535,
5008				  mask, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
5009				  nla_get_u16);
5010	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
5011				  1, 65535, mask,
5012				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
5013				  nla_get_u32);
5014	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval,
5015				  1, 65535, mask,
5016				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
5017				  nla_get_u16);
5018	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval,
5019				  1, 65535, mask,
5020				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
5021				  nla_get_u16);
5022	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5023				  dot11MeshHWMPnetDiameterTraversalTime,
5024				  1, 65535, mask,
5025				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
5026				  nla_get_u16);
5027	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, 0, 4,
5028				  mask, NL80211_MESHCONF_HWMP_ROOTMODE,
5029				  nla_get_u8);
5030	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, 1, 65535,
5031				  mask, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
5032				  nla_get_u16);
5033	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5034				  dot11MeshGateAnnouncementProtocol, 0, 1,
5035				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
5036				  nla_get_u8);
5037	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, 0, 1,
5038				  mask, NL80211_MESHCONF_FORWARDING,
5039				  nla_get_u8);
5040	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, -255, 0,
5041				  mask, NL80211_MESHCONF_RSSI_THRESHOLD,
5042				  nla_get_s32);
5043	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, ht_opmode, 0, 16,
5044				  mask, NL80211_MESHCONF_HT_OPMODE,
5045				  nla_get_u16);
5046	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathToRootTimeout,
5047				  1, 65535, mask,
5048				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
5049				  nla_get_u32);
5050	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, 1, 65535,
5051				  mask, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
5052				  nla_get_u16);
5053	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5054				  dot11MeshHWMPconfirmationInterval,
5055				  1, 65535, mask,
5056				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
5057				  nla_get_u16);
5058	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode,
5059				  NL80211_MESH_POWER_ACTIVE,
5060				  NL80211_MESH_POWER_MAX,
5061				  mask, NL80211_MESHCONF_POWER_MODE,
5062				  nla_get_u32);
5063	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration,
5064				  0, 65535, mask,
5065				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
5066	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, 1, 0xffffffff,
5067				  mask, NL80211_MESHCONF_PLINK_TIMEOUT,
5068				  nla_get_u32);
5069	if (mask_out)
5070		*mask_out = mask;
5071
5072	return 0;
5073
5074#undef FILL_IN_MESH_PARAM_IF_SET
5075}
5076
5077static int nl80211_parse_mesh_setup(struct genl_info *info,
5078				     struct mesh_setup *setup)
5079{
5080	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5081	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
5082
5083	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
5084		return -EINVAL;
5085	if (nla_parse_nested(tb, NL80211_MESH_SETUP_ATTR_MAX,
5086			     info->attrs[NL80211_ATTR_MESH_SETUP],
5087			     nl80211_mesh_setup_params_policy))
5088		return -EINVAL;
5089
5090	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
5091		setup->sync_method =
5092		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
5093		 IEEE80211_SYNC_METHOD_VENDOR :
5094		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
5095
5096	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
5097		setup->path_sel_proto =
5098		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
5099		 IEEE80211_PATH_PROTOCOL_VENDOR :
5100		 IEEE80211_PATH_PROTOCOL_HWMP;
5101
5102	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
5103		setup->path_metric =
5104		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
5105		 IEEE80211_PATH_METRIC_VENDOR :
5106		 IEEE80211_PATH_METRIC_AIRTIME;
5107
5108
5109	if (tb[NL80211_MESH_SETUP_IE]) {
5110		struct nlattr *ieattr =
5111			tb[NL80211_MESH_SETUP_IE];
5112		if (!is_valid_ie_attr(ieattr))
5113			return -EINVAL;
5114		setup->ie = nla_data(ieattr);
5115		setup->ie_len = nla_len(ieattr);
5116	}
5117	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
5118	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
5119		return -EINVAL;
5120	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
5121	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
5122	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
5123	if (setup->is_secure)
5124		setup->user_mpm = true;
5125
5126	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
5127		if (!setup->user_mpm)
5128			return -EINVAL;
5129		setup->auth_id =
5130			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
5131	}
5132
5133	return 0;
5134}
5135
5136static int nl80211_update_mesh_config(struct sk_buff *skb,
5137				      struct genl_info *info)
5138{
5139	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5140	struct net_device *dev = info->user_ptr[1];
5141	struct wireless_dev *wdev = dev->ieee80211_ptr;
5142	struct mesh_config cfg;
5143	u32 mask;
5144	int err;
5145
5146	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
5147		return -EOPNOTSUPP;
5148
5149	if (!rdev->ops->update_mesh_config)
5150		return -EOPNOTSUPP;
5151
5152	err = nl80211_parse_mesh_config(info, &cfg, &mask);
5153	if (err)
5154		return err;
5155
5156	wdev_lock(wdev);
5157	if (!wdev->mesh_id_len)
5158		err = -ENOLINK;
5159
5160	if (!err)
5161		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
5162
5163	wdev_unlock(wdev);
5164
5165	return err;
5166}
5167
5168static int nl80211_get_reg(struct sk_buff *skb, struct genl_info *info)
5169{
5170	const struct ieee80211_regdomain *regdom;
5171	struct sk_buff *msg;
5172	void *hdr = NULL;
5173	struct nlattr *nl_reg_rules;
5174	unsigned int i;
5175
5176	if (!cfg80211_regdomain)
5177		return -EINVAL;
5178
5179	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5180	if (!msg)
5181		return -ENOBUFS;
5182
5183	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
5184			     NL80211_CMD_GET_REG);
5185	if (!hdr)
5186		goto put_failure;
5187
5188	if (reg_last_request_cell_base() &&
5189	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
5190			NL80211_USER_REG_HINT_CELL_BASE))
5191		goto nla_put_failure;
5192
5193	rcu_read_lock();
5194	regdom = rcu_dereference(cfg80211_regdomain);
5195
5196	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
5197	    (regdom->dfs_region &&
5198	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
5199		goto nla_put_failure_rcu;
5200
5201	nl_reg_rules = nla_nest_start(msg, NL80211_ATTR_REG_RULES);
5202	if (!nl_reg_rules)
5203		goto nla_put_failure_rcu;
5204
5205	for (i = 0; i < regdom->n_reg_rules; i++) {
5206		struct nlattr *nl_reg_rule;
5207		const struct ieee80211_reg_rule *reg_rule;
5208		const struct ieee80211_freq_range *freq_range;
5209		const struct ieee80211_power_rule *power_rule;
5210		unsigned int max_bandwidth_khz;
5211
5212		reg_rule = &regdom->reg_rules[i];
5213		freq_range = &reg_rule->freq_range;
5214		power_rule = &reg_rule->power_rule;
5215
5216		nl_reg_rule = nla_nest_start(msg, i);
5217		if (!nl_reg_rule)
5218			goto nla_put_failure_rcu;
5219
5220		max_bandwidth_khz = freq_range->max_bandwidth_khz;
5221		if (!max_bandwidth_khz)
5222			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
5223								  reg_rule);
5224
5225		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
5226				reg_rule->flags) ||
5227		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
5228				freq_range->start_freq_khz) ||
5229		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
5230				freq_range->end_freq_khz) ||
5231		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
5232				max_bandwidth_khz) ||
5233		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
5234				power_rule->max_antenna_gain) ||
5235		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
5236				power_rule->max_eirp) ||
5237		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
5238				reg_rule->dfs_cac_ms))
5239			goto nla_put_failure_rcu;
5240
5241		nla_nest_end(msg, nl_reg_rule);
5242	}
5243	rcu_read_unlock();
5244
5245	nla_nest_end(msg, nl_reg_rules);
5246
5247	genlmsg_end(msg, hdr);
5248	return genlmsg_reply(msg, info);
5249
5250nla_put_failure_rcu:
5251	rcu_read_unlock();
5252nla_put_failure:
5253	genlmsg_cancel(msg, hdr);
5254put_failure:
5255	nlmsg_free(msg);
5256	return -EMSGSIZE;
5257}
5258
5259static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
5260{
5261	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
5262	struct nlattr *nl_reg_rule;
5263	char *alpha2 = NULL;
5264	int rem_reg_rules = 0, r = 0;
5265	u32 num_rules = 0, rule_idx = 0, size_of_regd;
5266	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
5267	struct ieee80211_regdomain *rd = NULL;
5268
5269	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
5270		return -EINVAL;
5271
5272	if (!info->attrs[NL80211_ATTR_REG_RULES])
5273		return -EINVAL;
5274
5275	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
5276
5277	if (info->attrs[NL80211_ATTR_DFS_REGION])
5278		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
5279
5280	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
5281			    rem_reg_rules) {
5282		num_rules++;
5283		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
5284			return -EINVAL;
5285	}
5286
5287	if (!reg_is_valid_request(alpha2))
5288		return -EINVAL;
5289
5290	size_of_regd = sizeof(struct ieee80211_regdomain) +
5291		       num_rules * sizeof(struct ieee80211_reg_rule);
5292
5293	rd = kzalloc(size_of_regd, GFP_KERNEL);
5294	if (!rd)
5295		return -ENOMEM;
5296
5297	rd->n_reg_rules = num_rules;
5298	rd->alpha2[0] = alpha2[0];
5299	rd->alpha2[1] = alpha2[1];
5300
5301	/*
5302	 * Disable DFS master mode if the DFS region was
5303	 * not supported or known on this kernel.
5304	 */
5305	if (reg_supported_dfs_region(dfs_region))
5306		rd->dfs_region = dfs_region;
5307
5308	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
5309			    rem_reg_rules) {
5310		r = nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
5311			      nla_data(nl_reg_rule), nla_len(nl_reg_rule),
5312			      reg_rule_policy);
5313		if (r)
5314			goto bad_reg;
5315		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
5316		if (r)
5317			goto bad_reg;
5318
5319		rule_idx++;
5320
5321		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
5322			r = -EINVAL;
5323			goto bad_reg;
5324		}
5325	}
5326
5327	r = set_regdom(rd);
5328	/* set_regdom took ownership */
5329	rd = NULL;
5330
5331 bad_reg:
5332	kfree(rd);
5333	return r;
5334}
5335
5336static int validate_scan_freqs(struct nlattr *freqs)
5337{
5338	struct nlattr *attr1, *attr2;
5339	int n_channels = 0, tmp1, tmp2;
5340
5341	nla_for_each_nested(attr1, freqs, tmp1) {
5342		n_channels++;
5343		/*
5344		 * Some hardware has a limited channel list for
5345		 * scanning, and it is pretty much nonsensical
5346		 * to scan for a channel twice, so disallow that
5347		 * and don't require drivers to check that the
5348		 * channel list they get isn't longer than what
5349		 * they can scan, as long as they can scan all
5350		 * the channels they registered at once.
5351		 */
5352		nla_for_each_nested(attr2, freqs, tmp2)
5353			if (attr1 != attr2 &&
5354			    nla_get_u32(attr1) == nla_get_u32(attr2))
5355				return 0;
5356	}
5357
5358	return n_channels;
5359}
5360
5361static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
5362{
5363	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5364	struct wireless_dev *wdev = info->user_ptr[1];
5365	struct cfg80211_scan_request *request;
5366	struct nlattr *attr;
5367	struct wiphy *wiphy;
5368	int err, tmp, n_ssids = 0, n_channels, i;
5369	size_t ie_len;
5370
5371	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5372		return -EINVAL;
5373
5374	wiphy = &rdev->wiphy;
5375
5376	if (!rdev->ops->scan)
5377		return -EOPNOTSUPP;
5378
5379	if (rdev->scan_req || rdev->scan_msg) {
5380		err = -EBUSY;
5381		goto unlock;
5382	}
5383
5384	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5385		n_channels = validate_scan_freqs(
5386				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
5387		if (!n_channels) {
5388			err = -EINVAL;
5389			goto unlock;
5390		}
5391	} else {
5392		n_channels = ieee80211_get_num_supported_channels(wiphy);
5393	}
5394
5395	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
5396		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
5397			n_ssids++;
5398
5399	if (n_ssids > wiphy->max_scan_ssids) {
5400		err = -EINVAL;
5401		goto unlock;
5402	}
5403
5404	if (info->attrs[NL80211_ATTR_IE])
5405		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5406	else
5407		ie_len = 0;
5408
5409	if (ie_len > wiphy->max_scan_ie_len) {
5410		err = -EINVAL;
5411		goto unlock;
5412	}
5413
5414	request = kzalloc(sizeof(*request)
5415			+ sizeof(*request->ssids) * n_ssids
5416			+ sizeof(*request->channels) * n_channels
5417			+ ie_len, GFP_KERNEL);
5418	if (!request) {
5419		err = -ENOMEM;
5420		goto unlock;
5421	}
5422
5423	if (n_ssids)
5424		request->ssids = (void *)&request->channels[n_channels];
5425	request->n_ssids = n_ssids;
5426	if (ie_len) {
5427		if (request->ssids)
5428			request->ie = (void *)(request->ssids + n_ssids);
5429		else
5430			request->ie = (void *)(request->channels + n_channels);
5431	}
5432
5433	i = 0;
5434	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5435		/* user specified, bail out if channel not found */
5436		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
5437			struct ieee80211_channel *chan;
5438
5439			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
5440
5441			if (!chan) {
5442				err = -EINVAL;
5443				goto out_free;
5444			}
5445
5446			/* ignore disabled channels */
5447			if (chan->flags & IEEE80211_CHAN_DISABLED)
5448				continue;
5449
5450			request->channels[i] = chan;
5451			i++;
5452		}
5453	} else {
5454		enum ieee80211_band band;
5455
5456		/* all channels */
5457		for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
5458			int j;
5459			if (!wiphy->bands[band])
5460				continue;
5461			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
5462				struct ieee80211_channel *chan;
5463
5464				chan = &wiphy->bands[band]->channels[j];
5465
5466				if (chan->flags & IEEE80211_CHAN_DISABLED)
5467					continue;
5468
5469				request->channels[i] = chan;
5470				i++;
5471			}
5472		}
5473	}
5474
5475	if (!i) {
5476		err = -EINVAL;
5477		goto out_free;
5478	}
5479
5480	request->n_channels = i;
5481
5482	i = 0;
5483	if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
5484		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
5485			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
5486				err = -EINVAL;
5487				goto out_free;
5488			}
5489			request->ssids[i].ssid_len = nla_len(attr);
5490			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
5491			i++;
5492		}
5493	}
5494
5495	if (info->attrs[NL80211_ATTR_IE]) {
5496		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5497		memcpy((void *)request->ie,
5498		       nla_data(info->attrs[NL80211_ATTR_IE]),
5499		       request->ie_len);
5500	}
5501
5502	for (i = 0; i < IEEE80211_NUM_BANDS; i++)
5503		if (wiphy->bands[i])
5504			request->rates[i] =
5505				(1 << wiphy->bands[i]->n_bitrates) - 1;
5506
5507	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
5508		nla_for_each_nested(attr,
5509				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
5510				    tmp) {
5511			enum ieee80211_band band = nla_type(attr);
5512
5513			if (band < 0 || band >= IEEE80211_NUM_BANDS) {
5514				err = -EINVAL;
5515				goto out_free;
5516			}
5517
5518			if (!wiphy->bands[band])
5519				continue;
5520
5521			err = ieee80211_get_ratemask(wiphy->bands[band],
5522						     nla_data(attr),
5523						     nla_len(attr),
5524						     &request->rates[band]);
5525			if (err)
5526				goto out_free;
5527		}
5528	}
5529
5530	if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
5531		request->flags = nla_get_u32(
5532			info->attrs[NL80211_ATTR_SCAN_FLAGS]);
5533		if ((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
5534		    !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) {
5535			err = -EOPNOTSUPP;
5536			goto out_free;
5537		}
5538	}
5539
5540	request->no_cck =
5541		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
5542
5543	request->wdev = wdev;
5544	request->wiphy = &rdev->wiphy;
5545	request->scan_start = jiffies;
5546
5547	rdev->scan_req = request;
5548	err = rdev_scan(rdev, request);
5549
5550	if (!err) {
5551		nl80211_send_scan_start(rdev, wdev);
5552		if (wdev->netdev)
5553			dev_hold(wdev->netdev);
5554	} else {
5555 out_free:
5556		rdev->scan_req = NULL;
5557		kfree(request);
5558	}
5559
5560 unlock:
5561	return err;
5562}
5563
5564static int nl80211_start_sched_scan(struct sk_buff *skb,
5565				    struct genl_info *info)
5566{
5567	struct cfg80211_sched_scan_request *request;
5568	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5569	struct net_device *dev = info->user_ptr[1];
5570	struct nlattr *attr;
5571	struct wiphy *wiphy;
5572	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i;
5573	u32 interval;
5574	enum ieee80211_band band;
5575	size_t ie_len;
5576	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
5577	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
5578
5579	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
5580	    !rdev->ops->sched_scan_start)
5581		return -EOPNOTSUPP;
5582
5583	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5584		return -EINVAL;
5585
5586	if (!info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
5587		return -EINVAL;
5588
5589	interval = nla_get_u32(info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
5590	if (interval == 0)
5591		return -EINVAL;
5592
5593	wiphy = &rdev->wiphy;
5594
5595	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5596		n_channels = validate_scan_freqs(
5597				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
5598		if (!n_channels)
5599			return -EINVAL;
5600	} else {
5601		n_channels = ieee80211_get_num_supported_channels(wiphy);
5602	}
5603
5604	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
5605		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
5606				    tmp)
5607			n_ssids++;
5608
5609	if (n_ssids > wiphy->max_sched_scan_ssids)
5610		return -EINVAL;
5611
5612	/*
5613	 * First, count the number of 'real' matchsets. Due to an issue with
5614	 * the old implementation, matchsets containing only the RSSI attribute
5615	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
5616	 * RSSI for all matchsets, rather than their own matchset for reporting
5617	 * all APs with a strong RSSI. This is needed to be compatible with
5618	 * older userspace that treated a matchset with only the RSSI as the
5619	 * global RSSI for all other matchsets - if there are other matchsets.
5620	 */
5621	if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
5622		nla_for_each_nested(attr,
5623				    info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
5624				    tmp) {
5625			struct nlattr *rssi;
5626
5627			err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
5628					nla_data(attr), nla_len(attr),
5629					nl80211_match_policy);
5630			if (err)
5631				return err;
5632			/* add other standalone attributes here */
5633			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID]) {
5634				n_match_sets++;
5635				continue;
5636			}
5637			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
5638			if (rssi)
5639				default_match_rssi = nla_get_s32(rssi);
5640		}
5641	}
5642
5643	/* However, if there's no other matchset, add the RSSI one */
5644	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
5645		n_match_sets = 1;
5646
5647	if (n_match_sets > wiphy->max_match_sets)
5648		return -EINVAL;
5649
5650	if (info->attrs[NL80211_ATTR_IE])
5651		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5652	else
5653		ie_len = 0;
5654
5655	if (ie_len > wiphy->max_sched_scan_ie_len)
5656		return -EINVAL;
5657
5658	if (rdev->sched_scan_req) {
5659		err = -EINPROGRESS;
5660		goto out;
5661	}
5662
5663	request = kzalloc(sizeof(*request)
5664			+ sizeof(*request->ssids) * n_ssids
5665			+ sizeof(*request->match_sets) * n_match_sets
5666			+ sizeof(*request->channels) * n_channels
5667			+ ie_len, GFP_KERNEL);
5668	if (!request) {
5669		err = -ENOMEM;
5670		goto out;
5671	}
5672
5673	if (n_ssids)
5674		request->ssids = (void *)&request->channels[n_channels];
5675	request->n_ssids = n_ssids;
5676	if (ie_len) {
5677		if (request->ssids)
5678			request->ie = (void *)(request->ssids + n_ssids);
5679		else
5680			request->ie = (void *)(request->channels + n_channels);
5681	}
5682
5683	if (n_match_sets) {
5684		if (request->ie)
5685			request->match_sets = (void *)(request->ie + ie_len);
5686		else if (request->ssids)
5687			request->match_sets =
5688				(void *)(request->ssids + n_ssids);
5689		else
5690			request->match_sets =
5691				(void *)(request->channels + n_channels);
5692	}
5693	request->n_match_sets = n_match_sets;
5694
5695	i = 0;
5696	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5697		/* user specified, bail out if channel not found */
5698		nla_for_each_nested(attr,
5699				    info->attrs[NL80211_ATTR_SCAN_FREQUENCIES],
5700				    tmp) {
5701			struct ieee80211_channel *chan;
5702
5703			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
5704
5705			if (!chan) {
5706				err = -EINVAL;
5707				goto out_free;
5708			}
5709
5710			/* ignore disabled channels */
5711			if (chan->flags & IEEE80211_CHAN_DISABLED)
5712				continue;
5713
5714			request->channels[i] = chan;
5715			i++;
5716		}
5717	} else {
5718		/* all channels */
5719		for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
5720			int j;
5721			if (!wiphy->bands[band])
5722				continue;
5723			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
5724				struct ieee80211_channel *chan;
5725
5726				chan = &wiphy->bands[band]->channels[j];
5727
5728				if (chan->flags & IEEE80211_CHAN_DISABLED)
5729					continue;
5730
5731				request->channels[i] = chan;
5732				i++;
5733			}
5734		}
5735	}
5736
5737	if (!i) {
5738		err = -EINVAL;
5739		goto out_free;
5740	}
5741
5742	request->n_channels = i;
5743
5744	i = 0;
5745	if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
5746		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
5747				    tmp) {
5748			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
5749				err = -EINVAL;
5750				goto out_free;
5751			}
5752			request->ssids[i].ssid_len = nla_len(attr);
5753			memcpy(request->ssids[i].ssid, nla_data(attr),
5754			       nla_len(attr));
5755			i++;
5756		}
5757	}
5758
5759	i = 0;
5760	if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
5761		nla_for_each_nested(attr,
5762				    info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
5763				    tmp) {
5764			struct nlattr *ssid, *rssi;
5765
5766			err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
5767					nla_data(attr), nla_len(attr),
5768					nl80211_match_policy);
5769			if (err)
5770				goto out_free;
5771			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
5772			if (ssid) {
5773				if (WARN_ON(i >= n_match_sets)) {
5774					/* this indicates a programming error,
5775					 * the loop above should have verified
5776					 * things properly
5777					 */
5778					err = -EINVAL;
5779					goto out_free;
5780				}
5781
5782				if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
5783					err = -EINVAL;
5784					goto out_free;
5785				}
5786				memcpy(request->match_sets[i].ssid.ssid,
5787				       nla_data(ssid), nla_len(ssid));
5788				request->match_sets[i].ssid.ssid_len =
5789					nla_len(ssid);
5790				/* special attribute - old implemenation w/a */
5791				request->match_sets[i].rssi_thold =
5792					default_match_rssi;
5793				rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
5794				if (rssi)
5795					request->match_sets[i].rssi_thold =
5796						nla_get_s32(rssi);
5797			}
5798			i++;
5799		}
5800
5801		/* there was no other matchset, so the RSSI one is alone */
5802		if (i == 0)
5803			request->match_sets[0].rssi_thold = default_match_rssi;
5804
5805		request->min_rssi_thold = INT_MAX;
5806		for (i = 0; i < n_match_sets; i++)
5807			request->min_rssi_thold =
5808				min(request->match_sets[i].rssi_thold,
5809				    request->min_rssi_thold);
5810	} else {
5811		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
5812	}
5813
5814	if (ie_len) {
5815		request->ie_len = ie_len;
5816		memcpy((void *)request->ie,
5817		       nla_data(info->attrs[NL80211_ATTR_IE]),
5818		       request->ie_len);
5819	}
5820
5821	if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
5822		request->flags = nla_get_u32(
5823			info->attrs[NL80211_ATTR_SCAN_FLAGS]);
5824		if ((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
5825		    !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) {
5826			err = -EOPNOTSUPP;
5827			goto out_free;
5828		}
5829	}
5830
5831	request->dev = dev;
5832	request->wiphy = &rdev->wiphy;
5833	request->interval = interval;
5834	request->scan_start = jiffies;
5835
5836	err = rdev_sched_scan_start(rdev, dev, request);
5837	if (!err) {
5838		rdev->sched_scan_req = request;
5839		nl80211_send_sched_scan(rdev, dev,
5840					NL80211_CMD_START_SCHED_SCAN);
5841		goto out;
5842	}
5843
5844out_free:
5845	kfree(request);
5846out:
5847	return err;
5848}
5849
5850static int nl80211_stop_sched_scan(struct sk_buff *skb,
5851				   struct genl_info *info)
5852{
5853	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5854
5855	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
5856	    !rdev->ops->sched_scan_stop)
5857		return -EOPNOTSUPP;
5858
5859	return __cfg80211_stop_sched_scan(rdev, false);
5860}
5861
5862static int nl80211_start_radar_detection(struct sk_buff *skb,
5863					 struct genl_info *info)
5864{
5865	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5866	struct net_device *dev = info->user_ptr[1];
5867	struct wireless_dev *wdev = dev->ieee80211_ptr;
5868	struct cfg80211_chan_def chandef;
5869	enum nl80211_dfs_regions dfs_region;
5870	unsigned int cac_time_ms;
5871	int err;
5872
5873	dfs_region = reg_get_dfs_region(wdev->wiphy);
5874	if (dfs_region == NL80211_DFS_UNSET)
5875		return -EINVAL;
5876
5877	err = nl80211_parse_chandef(rdev, info, &chandef);
5878	if (err)
5879		return err;
5880
5881	if (netif_carrier_ok(dev))
5882		return -EBUSY;
5883
5884	if (wdev->cac_started)
5885		return -EBUSY;
5886
5887	err = cfg80211_chandef_dfs_required(wdev->wiphy, &chandef,
5888					    wdev->iftype);
5889	if (err < 0)
5890		return err;
5891
5892	if (err == 0)
5893		return -EINVAL;
5894
5895	if (!cfg80211_chandef_dfs_usable(wdev->wiphy, &chandef))
5896		return -EINVAL;
5897
5898	if (!rdev->ops->start_radar_detection)
5899		return -EOPNOTSUPP;
5900
5901	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
5902	if (WARN_ON(!cac_time_ms))
5903		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
5904
5905	err = rdev->ops->start_radar_detection(&rdev->wiphy, dev, &chandef,
5906					       cac_time_ms);
5907	if (!err) {
5908		wdev->chandef = chandef;
5909		wdev->cac_started = true;
5910		wdev->cac_start_time = jiffies;
5911		wdev->cac_time_ms = cac_time_ms;
5912	}
5913	return err;
5914}
5915
5916static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
5917{
5918	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5919	struct net_device *dev = info->user_ptr[1];
5920	struct wireless_dev *wdev = dev->ieee80211_ptr;
5921	struct cfg80211_csa_settings params;
5922	/* csa_attrs is defined static to avoid waste of stack size - this
5923	 * function is called under RTNL lock, so this should not be a problem.
5924	 */
5925	static struct nlattr *csa_attrs[NL80211_ATTR_MAX+1];
5926	u8 radar_detect_width = 0;
5927	int err;
5928	bool need_new_beacon = false;
5929	int len, i;
5930	u32 cs_count;
5931
5932	if (!rdev->ops->channel_switch ||
5933	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
5934		return -EOPNOTSUPP;
5935
5936	switch (dev->ieee80211_ptr->iftype) {
5937	case NL80211_IFTYPE_AP:
5938	case NL80211_IFTYPE_P2P_GO:
5939		need_new_beacon = true;
5940
5941		/* useless if AP is not running */
5942		if (!wdev->beacon_interval)
5943			return -ENOTCONN;
5944		break;
5945	case NL80211_IFTYPE_ADHOC:
5946		if (!wdev->ssid_len)
5947			return -ENOTCONN;
5948		break;
5949	case NL80211_IFTYPE_MESH_POINT:
5950		if (!wdev->mesh_id_len)
5951			return -ENOTCONN;
5952		break;
5953	default:
5954		return -EOPNOTSUPP;
5955	}
5956
5957	memset(&params, 0, sizeof(params));
5958
5959	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
5960	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
5961		return -EINVAL;
5962
5963	/* only important for AP, IBSS and mesh create IEs internally */
5964	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
5965		return -EINVAL;
5966
5967	/* Even though the attribute is u32, the specification says
5968	 * u8, so let's make sure we don't overflow.
5969	 */
5970	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
5971	if (cs_count > 255)
5972		return -EINVAL;
5973
5974	params.count = cs_count;
5975
5976	if (!need_new_beacon)
5977		goto skip_beacons;
5978
5979	err = nl80211_parse_beacon(info->attrs, &params.beacon_after);
5980	if (err)
5981		return err;
5982
5983	err = nla_parse_nested(csa_attrs, NL80211_ATTR_MAX,
5984			       info->attrs[NL80211_ATTR_CSA_IES],
5985			       nl80211_policy);
5986	if (err)
5987		return err;
5988
5989	err = nl80211_parse_beacon(csa_attrs, &params.beacon_csa);
5990	if (err)
5991		return err;
5992
5993	if (!csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON])
5994		return -EINVAL;
5995
5996	len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
5997	if (!len || (len % sizeof(u16)))
5998		return -EINVAL;
5999
6000	params.n_counter_offsets_beacon = len / sizeof(u16);
6001	if (rdev->wiphy.max_num_csa_counters &&
6002	    (params.n_counter_offsets_beacon >
6003	     rdev->wiphy.max_num_csa_counters))
6004		return -EINVAL;
6005
6006	params.counter_offsets_beacon =
6007		nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
6008
6009	/* sanity checks - counters should fit and be the same */
6010	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
6011		u16 offset = params.counter_offsets_beacon[i];
6012
6013		if (offset >= params.beacon_csa.tail_len)
6014			return -EINVAL;
6015
6016		if (params.beacon_csa.tail[offset] != params.count)
6017			return -EINVAL;
6018	}
6019
6020	if (csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]) {
6021		len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
6022		if (!len || (len % sizeof(u16)))
6023			return -EINVAL;
6024
6025		params.n_counter_offsets_presp = len / sizeof(u16);
6026		if (rdev->wiphy.max_num_csa_counters &&
6027		    (params.n_counter_offsets_beacon >
6028		     rdev->wiphy.max_num_csa_counters))
6029			return -EINVAL;
6030
6031		params.counter_offsets_presp =
6032			nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
6033
6034		/* sanity checks - counters should fit and be the same */
6035		for (i = 0; i < params.n_counter_offsets_presp; i++) {
6036			u16 offset = params.counter_offsets_presp[i];
6037
6038			if (offset >= params.beacon_csa.probe_resp_len)
6039				return -EINVAL;
6040
6041			if (params.beacon_csa.probe_resp[offset] !=
6042			    params.count)
6043				return -EINVAL;
6044		}
6045	}
6046
6047skip_beacons:
6048	err = nl80211_parse_chandef(rdev, info, &params.chandef);
6049	if (err)
6050		return err;
6051
6052	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &params.chandef,
6053				     wdev->iftype))
6054		return -EINVAL;
6055
6056	err = cfg80211_chandef_dfs_required(wdev->wiphy,
6057					    &params.chandef,
6058					    wdev->iftype);
6059	if (err < 0)
6060		return err;
6061
6062	if (err > 0) {
6063		radar_detect_width = BIT(params.chandef.width);
6064		params.radar_required = true;
6065	}
6066
6067	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
6068		params.block_tx = true;
6069
6070	wdev_lock(wdev);
6071	err = rdev_channel_switch(rdev, dev, &params);
6072	wdev_unlock(wdev);
6073
6074	return err;
6075}
6076
6077static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
6078			    u32 seq, int flags,
6079			    struct cfg80211_registered_device *rdev,
6080			    struct wireless_dev *wdev,
6081			    struct cfg80211_internal_bss *intbss)
6082{
6083	struct cfg80211_bss *res = &intbss->pub;
6084	const struct cfg80211_bss_ies *ies;
6085	void *hdr;
6086	struct nlattr *bss;
6087
6088	ASSERT_WDEV_LOCK(wdev);
6089
6090	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
6091			     NL80211_CMD_NEW_SCAN_RESULTS);
6092	if (!hdr)
6093		return -1;
6094
6095	genl_dump_check_consistent(cb, hdr, &nl80211_fam);
6096
6097	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
6098		goto nla_put_failure;
6099	if (wdev->netdev &&
6100	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
6101		goto nla_put_failure;
6102	if (nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
6103		goto nla_put_failure;
6104
6105	bss = nla_nest_start(msg, NL80211_ATTR_BSS);
6106	if (!bss)
6107		goto nla_put_failure;
6108	if ((!is_zero_ether_addr(res->bssid) &&
6109	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
6110		goto nla_put_failure;
6111
6112	rcu_read_lock();
6113	/* indicate whether we have probe response data or not */
6114	if (rcu_access_pointer(res->proberesp_ies) &&
6115	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
6116		goto fail_unlock_rcu;
6117
6118	/* this pointer prefers to be pointed to probe response data
6119	 * but is always valid
6120	 */
6121	ies = rcu_dereference(res->ies);
6122	if (ies) {
6123		if (nla_put_u64(msg, NL80211_BSS_TSF, ies->tsf))
6124			goto fail_unlock_rcu;
6125		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
6126					ies->len, ies->data))
6127			goto fail_unlock_rcu;
6128	}
6129
6130	/* and this pointer is always (unless driver didn't know) beacon data */
6131	ies = rcu_dereference(res->beacon_ies);
6132	if (ies && ies->from_beacon) {
6133		if (nla_put_u64(msg, NL80211_BSS_BEACON_TSF, ies->tsf))
6134			goto fail_unlock_rcu;
6135		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
6136					ies->len, ies->data))
6137			goto fail_unlock_rcu;
6138	}
6139	rcu_read_unlock();
6140
6141	if (res->beacon_interval &&
6142	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
6143		goto nla_put_failure;
6144	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
6145	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
6146	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
6147	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
6148			jiffies_to_msecs(jiffies - intbss->ts)))
6149		goto nla_put_failure;
6150
6151	switch (rdev->wiphy.signal_type) {
6152	case CFG80211_SIGNAL_TYPE_MBM:
6153		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
6154			goto nla_put_failure;
6155		break;
6156	case CFG80211_SIGNAL_TYPE_UNSPEC:
6157		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
6158			goto nla_put_failure;
6159		break;
6160	default:
6161		break;
6162	}
6163
6164	switch (wdev->iftype) {
6165	case NL80211_IFTYPE_P2P_CLIENT:
6166	case NL80211_IFTYPE_STATION:
6167		if (intbss == wdev->current_bss &&
6168		    nla_put_u32(msg, NL80211_BSS_STATUS,
6169				NL80211_BSS_STATUS_ASSOCIATED))
6170			goto nla_put_failure;
6171		break;
6172	case NL80211_IFTYPE_ADHOC:
6173		if (intbss == wdev->current_bss &&
6174		    nla_put_u32(msg, NL80211_BSS_STATUS,
6175				NL80211_BSS_STATUS_IBSS_JOINED))
6176			goto nla_put_failure;
6177		break;
6178	default:
6179		break;
6180	}
6181
6182	nla_nest_end(msg, bss);
6183
6184	return genlmsg_end(msg, hdr);
6185
6186 fail_unlock_rcu:
6187	rcu_read_unlock();
6188 nla_put_failure:
6189	genlmsg_cancel(msg, hdr);
6190	return -EMSGSIZE;
6191}
6192
6193static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
6194{
6195	struct cfg80211_registered_device *rdev;
6196	struct cfg80211_internal_bss *scan;
6197	struct wireless_dev *wdev;
6198	int start = cb->args[2], idx = 0;
6199	int err;
6200
6201	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
6202	if (err)
6203		return err;
6204
6205	wdev_lock(wdev);
6206	spin_lock_bh(&rdev->bss_lock);
6207	cfg80211_bss_expire(rdev);
6208
6209	cb->seq = rdev->bss_generation;
6210
6211	list_for_each_entry(scan, &rdev->bss_list, list) {
6212		if (++idx <= start)
6213			continue;
6214		if (nl80211_send_bss(skb, cb,
6215				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6216				rdev, wdev, scan) < 0) {
6217			idx--;
6218			break;
6219		}
6220	}
6221
6222	spin_unlock_bh(&rdev->bss_lock);
6223	wdev_unlock(wdev);
6224
6225	cb->args[2] = idx;
6226	nl80211_finish_wdev_dump(rdev);
6227
6228	return skb->len;
6229}
6230
6231static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
6232				int flags, struct net_device *dev,
6233				struct survey_info *survey)
6234{
6235	void *hdr;
6236	struct nlattr *infoattr;
6237
6238	hdr = nl80211hdr_put(msg, portid, seq, flags,
6239			     NL80211_CMD_NEW_SURVEY_RESULTS);
6240	if (!hdr)
6241		return -ENOMEM;
6242
6243	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
6244		goto nla_put_failure;
6245
6246	infoattr = nla_nest_start(msg, NL80211_ATTR_SURVEY_INFO);
6247	if (!infoattr)
6248		goto nla_put_failure;
6249
6250	if (nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
6251			survey->channel->center_freq))
6252		goto nla_put_failure;
6253
6254	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
6255	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
6256		goto nla_put_failure;
6257	if ((survey->filled & SURVEY_INFO_IN_USE) &&
6258	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
6259		goto nla_put_failure;
6260	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME) &&
6261	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME,
6262			survey->channel_time))
6263		goto nla_put_failure;
6264	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_BUSY) &&
6265	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_BUSY,
6266			survey->channel_time_busy))
6267		goto nla_put_failure;
6268	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_EXT_BUSY) &&
6269	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_EXT_BUSY,
6270			survey->channel_time_ext_busy))
6271		goto nla_put_failure;
6272	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_RX) &&
6273	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_RX,
6274			survey->channel_time_rx))
6275		goto nla_put_failure;
6276	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_TX) &&
6277	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_TX,
6278			survey->channel_time_tx))
6279		goto nla_put_failure;
6280
6281	nla_nest_end(msg, infoattr);
6282
6283	return genlmsg_end(msg, hdr);
6284
6285 nla_put_failure:
6286	genlmsg_cancel(msg, hdr);
6287	return -EMSGSIZE;
6288}
6289
6290static int nl80211_dump_survey(struct sk_buff *skb,
6291			struct netlink_callback *cb)
6292{
6293	struct survey_info survey;
6294	struct cfg80211_registered_device *rdev;
6295	struct wireless_dev *wdev;
6296	int survey_idx = cb->args[2];
6297	int res;
6298
6299	res = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
6300	if (res)
6301		return res;
6302
6303	if (!wdev->netdev) {
6304		res = -EINVAL;
6305		goto out_err;
6306	}
6307
6308	if (!rdev->ops->dump_survey) {
6309		res = -EOPNOTSUPP;
6310		goto out_err;
6311	}
6312
6313	while (1) {
6314		struct ieee80211_channel *chan;
6315
6316		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
6317		if (res == -ENOENT)
6318			break;
6319		if (res)
6320			goto out_err;
6321
6322		/* Survey without a channel doesn't make sense */
6323		if (!survey.channel) {
6324			res = -EINVAL;
6325			goto out;
6326		}
6327
6328		chan = ieee80211_get_channel(&rdev->wiphy,
6329					     survey.channel->center_freq);
6330		if (!chan || chan->flags & IEEE80211_CHAN_DISABLED) {
6331			survey_idx++;
6332			continue;
6333		}
6334
6335		if (nl80211_send_survey(skb,
6336				NETLINK_CB(cb->skb).portid,
6337				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6338				wdev->netdev, &survey) < 0)
6339			goto out;
6340		survey_idx++;
6341	}
6342
6343 out:
6344	cb->args[2] = survey_idx;
6345	res = skb->len;
6346 out_err:
6347	nl80211_finish_wdev_dump(rdev);
6348	return res;
6349}
6350
6351static bool nl80211_valid_wpa_versions(u32 wpa_versions)
6352{
6353	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
6354				  NL80211_WPA_VERSION_2));
6355}
6356
6357static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
6358{
6359	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6360	struct net_device *dev = info->user_ptr[1];
6361	struct ieee80211_channel *chan;
6362	const u8 *bssid, *ssid, *ie = NULL, *sae_data = NULL;
6363	int err, ssid_len, ie_len = 0, sae_data_len = 0;
6364	enum nl80211_auth_type auth_type;
6365	struct key_parse key;
6366	bool local_state_change;
6367
6368	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6369		return -EINVAL;
6370
6371	if (!info->attrs[NL80211_ATTR_MAC])
6372		return -EINVAL;
6373
6374	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
6375		return -EINVAL;
6376
6377	if (!info->attrs[NL80211_ATTR_SSID])
6378		return -EINVAL;
6379
6380	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
6381		return -EINVAL;
6382
6383	err = nl80211_parse_key(info, &key);
6384	if (err)
6385		return err;
6386
6387	if (key.idx >= 0) {
6388		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
6389			return -EINVAL;
6390		if (!key.p.key || !key.p.key_len)
6391			return -EINVAL;
6392		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
6393		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
6394		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
6395		     key.p.key_len != WLAN_KEY_LEN_WEP104))
6396			return -EINVAL;
6397		if (key.idx > 4)
6398			return -EINVAL;
6399	} else {
6400		key.p.key_len = 0;
6401		key.p.key = NULL;
6402	}
6403
6404	if (key.idx >= 0) {
6405		int i;
6406		bool ok = false;
6407		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
6408			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
6409				ok = true;
6410				break;
6411			}
6412		}
6413		if (!ok)
6414			return -EINVAL;
6415	}
6416
6417	if (!rdev->ops->auth)
6418		return -EOPNOTSUPP;
6419
6420	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6421	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6422		return -EOPNOTSUPP;
6423
6424	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6425	chan = nl80211_get_valid_chan(&rdev->wiphy,
6426				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
6427	if (!chan)
6428		return -EINVAL;
6429
6430	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6431	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
6432
6433	if (info->attrs[NL80211_ATTR_IE]) {
6434		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6435		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6436	}
6437
6438	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
6439	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
6440		return -EINVAL;
6441
6442	if (auth_type == NL80211_AUTHTYPE_SAE &&
6443	    !info->attrs[NL80211_ATTR_SAE_DATA])
6444		return -EINVAL;
6445
6446	if (info->attrs[NL80211_ATTR_SAE_DATA]) {
6447		if (auth_type != NL80211_AUTHTYPE_SAE)
6448			return -EINVAL;
6449		sae_data = nla_data(info->attrs[NL80211_ATTR_SAE_DATA]);
6450		sae_data_len = nla_len(info->attrs[NL80211_ATTR_SAE_DATA]);
6451		/* need to include at least Auth Transaction and Status Code */
6452		if (sae_data_len < 4)
6453			return -EINVAL;
6454	}
6455
6456	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
6457
6458	/*
6459	 * Since we no longer track auth state, ignore
6460	 * requests to only change local state.
6461	 */
6462	if (local_state_change)
6463		return 0;
6464
6465	wdev_lock(dev->ieee80211_ptr);
6466	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
6467				 ssid, ssid_len, ie, ie_len,
6468				 key.p.key, key.p.key_len, key.idx,
6469				 sae_data, sae_data_len);
6470	wdev_unlock(dev->ieee80211_ptr);
6471	return err;
6472}
6473
6474static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
6475				   struct genl_info *info,
6476				   struct cfg80211_crypto_settings *settings,
6477				   int cipher_limit)
6478{
6479	memset(settings, 0, sizeof(*settings));
6480
6481	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
6482
6483	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
6484		u16 proto;
6485		proto = nla_get_u16(
6486			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
6487		settings->control_port_ethertype = cpu_to_be16(proto);
6488		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
6489		    proto != ETH_P_PAE)
6490			return -EINVAL;
6491		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
6492			settings->control_port_no_encrypt = true;
6493	} else
6494		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
6495
6496	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
6497		void *data;
6498		int len, i;
6499
6500		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
6501		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
6502		settings->n_ciphers_pairwise = len / sizeof(u32);
6503
6504		if (len % sizeof(u32))
6505			return -EINVAL;
6506
6507		if (settings->n_ciphers_pairwise > cipher_limit)
6508			return -EINVAL;
6509
6510		memcpy(settings->ciphers_pairwise, data, len);
6511
6512		for (i = 0; i < settings->n_ciphers_pairwise; i++)
6513			if (!cfg80211_supported_cipher_suite(
6514					&rdev->wiphy,
6515					settings->ciphers_pairwise[i]))
6516				return -EINVAL;
6517	}
6518
6519	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
6520		settings->cipher_group =
6521			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
6522		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
6523						     settings->cipher_group))
6524			return -EINVAL;
6525	}
6526
6527	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
6528		settings->wpa_versions =
6529			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
6530		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
6531			return -EINVAL;
6532	}
6533
6534	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
6535		void *data;
6536		int len;
6537
6538		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
6539		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
6540		settings->n_akm_suites = len / sizeof(u32);
6541
6542		if (len % sizeof(u32))
6543			return -EINVAL;
6544
6545		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
6546			return -EINVAL;
6547
6548		memcpy(settings->akm_suites, data, len);
6549	}
6550
6551	return 0;
6552}
6553
6554static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
6555{
6556	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6557	struct net_device *dev = info->user_ptr[1];
6558	struct ieee80211_channel *chan;
6559	struct cfg80211_assoc_request req = {};
6560	const u8 *bssid, *ssid;
6561	int err, ssid_len = 0;
6562
6563	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6564		return -EINVAL;
6565
6566	if (!info->attrs[NL80211_ATTR_MAC] ||
6567	    !info->attrs[NL80211_ATTR_SSID] ||
6568	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
6569		return -EINVAL;
6570
6571	if (!rdev->ops->assoc)
6572		return -EOPNOTSUPP;
6573
6574	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6575	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6576		return -EOPNOTSUPP;
6577
6578	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6579
6580	chan = nl80211_get_valid_chan(&rdev->wiphy,
6581				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
6582	if (!chan)
6583		return -EINVAL;
6584
6585	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6586	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
6587
6588	if (info->attrs[NL80211_ATTR_IE]) {
6589		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6590		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6591	}
6592
6593	if (info->attrs[NL80211_ATTR_USE_MFP]) {
6594		enum nl80211_mfp mfp =
6595			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
6596		if (mfp == NL80211_MFP_REQUIRED)
6597			req.use_mfp = true;
6598		else if (mfp != NL80211_MFP_NO)
6599			return -EINVAL;
6600	}
6601
6602	if (info->attrs[NL80211_ATTR_PREV_BSSID])
6603		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
6604
6605	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
6606		req.flags |= ASSOC_REQ_DISABLE_HT;
6607
6608	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
6609		memcpy(&req.ht_capa_mask,
6610		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
6611		       sizeof(req.ht_capa_mask));
6612
6613	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
6614		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
6615			return -EINVAL;
6616		memcpy(&req.ht_capa,
6617		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
6618		       sizeof(req.ht_capa));
6619	}
6620
6621	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
6622		req.flags |= ASSOC_REQ_DISABLE_VHT;
6623
6624	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
6625		memcpy(&req.vht_capa_mask,
6626		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
6627		       sizeof(req.vht_capa_mask));
6628
6629	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
6630		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
6631			return -EINVAL;
6632		memcpy(&req.vht_capa,
6633		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
6634		       sizeof(req.vht_capa));
6635	}
6636
6637	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
6638		if (!(rdev->wiphy.features &
6639		      NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) ||
6640		    !(rdev->wiphy.features & NL80211_FEATURE_QUIET))
6641			return -EINVAL;
6642		req.flags |= ASSOC_REQ_USE_RRM;
6643	}
6644
6645	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
6646	if (!err) {
6647		wdev_lock(dev->ieee80211_ptr);
6648		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
6649					  ssid, ssid_len, &req);
6650		wdev_unlock(dev->ieee80211_ptr);
6651	}
6652
6653	return err;
6654}
6655
6656static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
6657{
6658	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6659	struct net_device *dev = info->user_ptr[1];
6660	const u8 *ie = NULL, *bssid;
6661	int ie_len = 0, err;
6662	u16 reason_code;
6663	bool local_state_change;
6664
6665	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6666		return -EINVAL;
6667
6668	if (!info->attrs[NL80211_ATTR_MAC])
6669		return -EINVAL;
6670
6671	if (!info->attrs[NL80211_ATTR_REASON_CODE])
6672		return -EINVAL;
6673
6674	if (!rdev->ops->deauth)
6675		return -EOPNOTSUPP;
6676
6677	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6678	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6679		return -EOPNOTSUPP;
6680
6681	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6682
6683	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
6684	if (reason_code == 0) {
6685		/* Reason Code 0 is reserved */
6686		return -EINVAL;
6687	}
6688
6689	if (info->attrs[NL80211_ATTR_IE]) {
6690		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6691		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6692	}
6693
6694	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
6695
6696	wdev_lock(dev->ieee80211_ptr);
6697	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
6698				   local_state_change);
6699	wdev_unlock(dev->ieee80211_ptr);
6700	return err;
6701}
6702
6703static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
6704{
6705	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6706	struct net_device *dev = info->user_ptr[1];
6707	const u8 *ie = NULL, *bssid;
6708	int ie_len = 0, err;
6709	u16 reason_code;
6710	bool local_state_change;
6711
6712	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6713		return -EINVAL;
6714
6715	if (!info->attrs[NL80211_ATTR_MAC])
6716		return -EINVAL;
6717
6718	if (!info->attrs[NL80211_ATTR_REASON_CODE])
6719		return -EINVAL;
6720
6721	if (!rdev->ops->disassoc)
6722		return -EOPNOTSUPP;
6723
6724	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6725	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6726		return -EOPNOTSUPP;
6727
6728	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6729
6730	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
6731	if (reason_code == 0) {
6732		/* Reason Code 0 is reserved */
6733		return -EINVAL;
6734	}
6735
6736	if (info->attrs[NL80211_ATTR_IE]) {
6737		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6738		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6739	}
6740
6741	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
6742
6743	wdev_lock(dev->ieee80211_ptr);
6744	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
6745				     local_state_change);
6746	wdev_unlock(dev->ieee80211_ptr);
6747	return err;
6748}
6749
6750static bool
6751nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
6752			 int mcast_rate[IEEE80211_NUM_BANDS],
6753			 int rateval)
6754{
6755	struct wiphy *wiphy = &rdev->wiphy;
6756	bool found = false;
6757	int band, i;
6758
6759	for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
6760		struct ieee80211_supported_band *sband;
6761
6762		sband = wiphy->bands[band];
6763		if (!sband)
6764			continue;
6765
6766		for (i = 0; i < sband->n_bitrates; i++) {
6767			if (sband->bitrates[i].bitrate == rateval) {
6768				mcast_rate[band] = i + 1;
6769				found = true;
6770				break;
6771			}
6772		}
6773	}
6774
6775	return found;
6776}
6777
6778static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
6779{
6780	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6781	struct net_device *dev = info->user_ptr[1];
6782	struct cfg80211_ibss_params ibss;
6783	struct wiphy *wiphy;
6784	struct cfg80211_cached_keys *connkeys = NULL;
6785	int err;
6786
6787	memset(&ibss, 0, sizeof(ibss));
6788
6789	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6790		return -EINVAL;
6791
6792	if (!info->attrs[NL80211_ATTR_SSID] ||
6793	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
6794		return -EINVAL;
6795
6796	ibss.beacon_interval = 100;
6797
6798	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
6799		ibss.beacon_interval =
6800			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
6801		if (ibss.beacon_interval < 1 || ibss.beacon_interval > 10000)
6802			return -EINVAL;
6803	}
6804
6805	if (!rdev->ops->join_ibss)
6806		return -EOPNOTSUPP;
6807
6808	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
6809		return -EOPNOTSUPP;
6810
6811	wiphy = &rdev->wiphy;
6812
6813	if (info->attrs[NL80211_ATTR_MAC]) {
6814		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6815
6816		if (!is_valid_ether_addr(ibss.bssid))
6817			return -EINVAL;
6818	}
6819	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6820	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
6821
6822	if (info->attrs[NL80211_ATTR_IE]) {
6823		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6824		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6825	}
6826
6827	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
6828	if (err)
6829		return err;
6830
6831	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
6832				     NL80211_IFTYPE_ADHOC))
6833		return -EINVAL;
6834
6835	switch (ibss.chandef.width) {
6836	case NL80211_CHAN_WIDTH_5:
6837	case NL80211_CHAN_WIDTH_10:
6838	case NL80211_CHAN_WIDTH_20_NOHT:
6839		break;
6840	case NL80211_CHAN_WIDTH_20:
6841	case NL80211_CHAN_WIDTH_40:
6842		if (rdev->wiphy.features & NL80211_FEATURE_HT_IBSS)
6843			break;
6844	default:
6845		return -EINVAL;
6846	}
6847
6848	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
6849	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
6850
6851	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
6852		u8 *rates =
6853			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6854		int n_rates =
6855			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6856		struct ieee80211_supported_band *sband =
6857			wiphy->bands[ibss.chandef.chan->band];
6858
6859		err = ieee80211_get_ratemask(sband, rates, n_rates,
6860					     &ibss.basic_rates);
6861		if (err)
6862			return err;
6863	}
6864
6865	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
6866		memcpy(&ibss.ht_capa_mask,
6867		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
6868		       sizeof(ibss.ht_capa_mask));
6869
6870	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
6871		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
6872			return -EINVAL;
6873		memcpy(&ibss.ht_capa,
6874		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
6875		       sizeof(ibss.ht_capa));
6876	}
6877
6878	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
6879	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
6880			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
6881		return -EINVAL;
6882
6883	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
6884		bool no_ht = false;
6885
6886		connkeys = nl80211_parse_connkeys(rdev,
6887					  info->attrs[NL80211_ATTR_KEYS],
6888					  &no_ht);
6889		if (IS_ERR(connkeys))
6890			return PTR_ERR(connkeys);
6891
6892		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
6893		    no_ht) {
6894			kfree(connkeys);
6895			return -EINVAL;
6896		}
6897	}
6898
6899	ibss.control_port =
6900		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
6901
6902	ibss.userspace_handles_dfs =
6903		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
6904
6905	err = cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
6906	if (err)
6907		kzfree(connkeys);
6908	return err;
6909}
6910
6911static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
6912{
6913	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6914	struct net_device *dev = info->user_ptr[1];
6915
6916	if (!rdev->ops->leave_ibss)
6917		return -EOPNOTSUPP;
6918
6919	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
6920		return -EOPNOTSUPP;
6921
6922	return cfg80211_leave_ibss(rdev, dev, false);
6923}
6924
6925static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
6926{
6927	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6928	struct net_device *dev = info->user_ptr[1];
6929	int mcast_rate[IEEE80211_NUM_BANDS];
6930	u32 nla_rate;
6931	int err;
6932
6933	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
6934	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6935		return -EOPNOTSUPP;
6936
6937	if (!rdev->ops->set_mcast_rate)
6938		return -EOPNOTSUPP;
6939
6940	memset(mcast_rate, 0, sizeof(mcast_rate));
6941
6942	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
6943		return -EINVAL;
6944
6945	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
6946	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
6947		return -EINVAL;
6948
6949	err = rdev->ops->set_mcast_rate(&rdev->wiphy, dev, mcast_rate);
6950
6951	return err;
6952}
6953
6954static struct sk_buff *
6955__cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
6956			    int approxlen, u32 portid, u32 seq,
6957			    enum nl80211_commands cmd,
6958			    enum nl80211_attrs attr,
6959			    const struct nl80211_vendor_cmd_info *info,
6960			    gfp_t gfp)
6961{
6962	struct sk_buff *skb;
6963	void *hdr;
6964	struct nlattr *data;
6965
6966	skb = nlmsg_new(approxlen + 100, gfp);
6967	if (!skb)
6968		return NULL;
6969
6970	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
6971	if (!hdr) {
6972		kfree_skb(skb);
6973		return NULL;
6974	}
6975
6976	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
6977		goto nla_put_failure;
6978
6979	if (info) {
6980		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
6981				info->vendor_id))
6982			goto nla_put_failure;
6983		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
6984				info->subcmd))
6985			goto nla_put_failure;
6986	}
6987
6988	data = nla_nest_start(skb, attr);
6989
6990	((void **)skb->cb)[0] = rdev;
6991	((void **)skb->cb)[1] = hdr;
6992	((void **)skb->cb)[2] = data;
6993
6994	return skb;
6995
6996 nla_put_failure:
6997	kfree_skb(skb);
6998	return NULL;
6999}
7000
7001struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
7002					   enum nl80211_commands cmd,
7003					   enum nl80211_attrs attr,
7004					   int vendor_event_idx,
7005					   int approxlen, gfp_t gfp)
7006{
7007	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
7008	const struct nl80211_vendor_cmd_info *info;
7009
7010	switch (cmd) {
7011	case NL80211_CMD_TESTMODE:
7012		if (WARN_ON(vendor_event_idx != -1))
7013			return NULL;
7014		info = NULL;
7015		break;
7016	case NL80211_CMD_VENDOR:
7017		if (WARN_ON(vendor_event_idx < 0 ||
7018			    vendor_event_idx >= wiphy->n_vendor_events))
7019			return NULL;
7020		info = &wiphy->vendor_events[vendor_event_idx];
7021		break;
7022	default:
7023		WARN_ON(1);
7024		return NULL;
7025	}
7026
7027	return __cfg80211_alloc_vendor_skb(rdev, approxlen, 0, 0,
7028					   cmd, attr, info, gfp);
7029}
7030EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
7031
7032void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
7033{
7034	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
7035	void *hdr = ((void **)skb->cb)[1];
7036	struct nlattr *data = ((void **)skb->cb)[2];
7037	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
7038
7039	/* clear CB data for netlink core to own from now on */
7040	memset(skb->cb, 0, sizeof(skb->cb));
7041
7042	nla_nest_end(skb, data);
7043	genlmsg_end(skb, hdr);
7044
7045	if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
7046		mcgrp = NL80211_MCGRP_VENDOR;
7047
7048	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), skb, 0,
7049				mcgrp, gfp);
7050}
7051EXPORT_SYMBOL(__cfg80211_send_event_skb);
7052
7053#ifdef CONFIG_NL80211_TESTMODE
7054static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
7055{
7056	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7057	struct wireless_dev *wdev =
7058		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
7059	int err;
7060
7061	if (!rdev->ops->testmode_cmd)
7062		return -EOPNOTSUPP;
7063
7064	if (IS_ERR(wdev)) {
7065		err = PTR_ERR(wdev);
7066		if (err != -EINVAL)
7067			return err;
7068		wdev = NULL;
7069	} else if (wdev->wiphy != &rdev->wiphy) {
7070		return -EINVAL;
7071	}
7072
7073	if (!info->attrs[NL80211_ATTR_TESTDATA])
7074		return -EINVAL;
7075
7076	rdev->cur_cmd_info = info;
7077	err = rdev_testmode_cmd(rdev, wdev,
7078				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
7079				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
7080	rdev->cur_cmd_info = NULL;
7081
7082	return err;
7083}
7084
7085static int nl80211_testmode_dump(struct sk_buff *skb,
7086				 struct netlink_callback *cb)
7087{
7088	struct cfg80211_registered_device *rdev;
7089	int err;
7090	long phy_idx;
7091	void *data = NULL;
7092	int data_len = 0;
7093
7094	rtnl_lock();
7095
7096	if (cb->args[0]) {
7097		/*
7098		 * 0 is a valid index, but not valid for args[0],
7099		 * so we need to offset by 1.
7100		 */
7101		phy_idx = cb->args[0] - 1;
7102	} else {
7103		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
7104				  nl80211_fam.attrbuf, nl80211_fam.maxattr,
7105				  nl80211_policy);
7106		if (err)
7107			goto out_err;
7108
7109		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk),
7110						  nl80211_fam.attrbuf);
7111		if (IS_ERR(rdev)) {
7112			err = PTR_ERR(rdev);
7113			goto out_err;
7114		}
7115		phy_idx = rdev->wiphy_idx;
7116		rdev = NULL;
7117
7118		if (nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA])
7119			cb->args[1] =
7120				(long)nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA];
7121	}
7122
7123	if (cb->args[1]) {
7124		data = nla_data((void *)cb->args[1]);
7125		data_len = nla_len((void *)cb->args[1]);
7126	}
7127
7128	rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
7129	if (!rdev) {
7130		err = -ENOENT;
7131		goto out_err;
7132	}
7133
7134	if (!rdev->ops->testmode_dump) {
7135		err = -EOPNOTSUPP;
7136		goto out_err;
7137	}
7138
7139	while (1) {
7140		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
7141					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
7142					   NL80211_CMD_TESTMODE);
7143		struct nlattr *tmdata;
7144
7145		if (!hdr)
7146			break;
7147
7148		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
7149			genlmsg_cancel(skb, hdr);
7150			break;
7151		}
7152
7153		tmdata = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
7154		if (!tmdata) {
7155			genlmsg_cancel(skb, hdr);
7156			break;
7157		}
7158		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
7159		nla_nest_end(skb, tmdata);
7160
7161		if (err == -ENOBUFS || err == -ENOENT) {
7162			genlmsg_cancel(skb, hdr);
7163			break;
7164		} else if (err) {
7165			genlmsg_cancel(skb, hdr);
7166			goto out_err;
7167		}
7168
7169		genlmsg_end(skb, hdr);
7170	}
7171
7172	err = skb->len;
7173	/* see above */
7174	cb->args[0] = phy_idx + 1;
7175 out_err:
7176	rtnl_unlock();
7177	return err;
7178}
7179#endif
7180
7181static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
7182{
7183	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7184	struct net_device *dev = info->user_ptr[1];
7185	struct cfg80211_connect_params connect;
7186	struct wiphy *wiphy;
7187	struct cfg80211_cached_keys *connkeys = NULL;
7188	int err;
7189
7190	memset(&connect, 0, sizeof(connect));
7191
7192	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7193		return -EINVAL;
7194
7195	if (!info->attrs[NL80211_ATTR_SSID] ||
7196	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
7197		return -EINVAL;
7198
7199	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
7200		connect.auth_type =
7201			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
7202		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
7203					     NL80211_CMD_CONNECT))
7204			return -EINVAL;
7205	} else
7206		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
7207
7208	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
7209
7210	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
7211				      NL80211_MAX_NR_CIPHER_SUITES);
7212	if (err)
7213		return err;
7214
7215	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7216	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7217		return -EOPNOTSUPP;
7218
7219	wiphy = &rdev->wiphy;
7220
7221	connect.bg_scan_period = -1;
7222	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
7223		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
7224		connect.bg_scan_period =
7225			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
7226	}
7227
7228	if (info->attrs[NL80211_ATTR_MAC])
7229		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7230	else if (info->attrs[NL80211_ATTR_MAC_HINT])
7231		connect.bssid_hint =
7232			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
7233	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
7234	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
7235
7236	if (info->attrs[NL80211_ATTR_IE]) {
7237		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7238		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7239	}
7240
7241	if (info->attrs[NL80211_ATTR_USE_MFP]) {
7242		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
7243		if (connect.mfp != NL80211_MFP_REQUIRED &&
7244		    connect.mfp != NL80211_MFP_NO)
7245			return -EINVAL;
7246	} else {
7247		connect.mfp = NL80211_MFP_NO;
7248	}
7249
7250	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
7251		connect.channel = nl80211_get_valid_chan(
7252			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ]);
7253		if (!connect.channel)
7254			return -EINVAL;
7255	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
7256		connect.channel_hint = nl80211_get_valid_chan(
7257			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
7258		if (!connect.channel_hint)
7259			return -EINVAL;
7260	}
7261
7262	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
7263		connkeys = nl80211_parse_connkeys(rdev,
7264					  info->attrs[NL80211_ATTR_KEYS], NULL);
7265		if (IS_ERR(connkeys))
7266			return PTR_ERR(connkeys);
7267	}
7268
7269	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
7270		connect.flags |= ASSOC_REQ_DISABLE_HT;
7271
7272	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7273		memcpy(&connect.ht_capa_mask,
7274		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
7275		       sizeof(connect.ht_capa_mask));
7276
7277	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
7278		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
7279			kzfree(connkeys);
7280			return -EINVAL;
7281		}
7282		memcpy(&connect.ht_capa,
7283		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
7284		       sizeof(connect.ht_capa));
7285	}
7286
7287	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
7288		connect.flags |= ASSOC_REQ_DISABLE_VHT;
7289
7290	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
7291		memcpy(&connect.vht_capa_mask,
7292		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
7293		       sizeof(connect.vht_capa_mask));
7294
7295	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
7296		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
7297			kzfree(connkeys);
7298			return -EINVAL;
7299		}
7300		memcpy(&connect.vht_capa,
7301		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
7302		       sizeof(connect.vht_capa));
7303	}
7304
7305	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
7306		if (!(rdev->wiphy.features &
7307		      NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) ||
7308		    !(rdev->wiphy.features & NL80211_FEATURE_QUIET))
7309			return -EINVAL;
7310		connect.flags |= ASSOC_REQ_USE_RRM;
7311	}
7312
7313	wdev_lock(dev->ieee80211_ptr);
7314	err = cfg80211_connect(rdev, dev, &connect, connkeys, NULL);
7315	wdev_unlock(dev->ieee80211_ptr);
7316	if (err)
7317		kzfree(connkeys);
7318	return err;
7319}
7320
7321static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
7322{
7323	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7324	struct net_device *dev = info->user_ptr[1];
7325	u16 reason;
7326	int ret;
7327
7328	if (!info->attrs[NL80211_ATTR_REASON_CODE])
7329		reason = WLAN_REASON_DEAUTH_LEAVING;
7330	else
7331		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7332
7333	if (reason == 0)
7334		return -EINVAL;
7335
7336	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7337	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7338		return -EOPNOTSUPP;
7339
7340	wdev_lock(dev->ieee80211_ptr);
7341	ret = cfg80211_disconnect(rdev, dev, reason, true);
7342	wdev_unlock(dev->ieee80211_ptr);
7343	return ret;
7344}
7345
7346static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
7347{
7348	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7349	struct net *net;
7350	int err;
7351	u32 pid;
7352
7353	if (!info->attrs[NL80211_ATTR_PID])
7354		return -EINVAL;
7355
7356	pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
7357
7358	net = get_net_ns_by_pid(pid);
7359	if (IS_ERR(net))
7360		return PTR_ERR(net);
7361
7362	err = 0;
7363
7364	/* check if anything to do */
7365	if (!net_eq(wiphy_net(&rdev->wiphy), net))
7366		err = cfg80211_switch_netns(rdev, net);
7367
7368	put_net(net);
7369	return err;
7370}
7371
7372static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
7373{
7374	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7375	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
7376			struct cfg80211_pmksa *pmksa) = NULL;
7377	struct net_device *dev = info->user_ptr[1];
7378	struct cfg80211_pmksa pmksa;
7379
7380	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
7381
7382	if (!info->attrs[NL80211_ATTR_MAC])
7383		return -EINVAL;
7384
7385	if (!info->attrs[NL80211_ATTR_PMKID])
7386		return -EINVAL;
7387
7388	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
7389	pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7390
7391	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7392	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7393		return -EOPNOTSUPP;
7394
7395	switch (info->genlhdr->cmd) {
7396	case NL80211_CMD_SET_PMKSA:
7397		rdev_ops = rdev->ops->set_pmksa;
7398		break;
7399	case NL80211_CMD_DEL_PMKSA:
7400		rdev_ops = rdev->ops->del_pmksa;
7401		break;
7402	default:
7403		WARN_ON(1);
7404		break;
7405	}
7406
7407	if (!rdev_ops)
7408		return -EOPNOTSUPP;
7409
7410	return rdev_ops(&rdev->wiphy, dev, &pmksa);
7411}
7412
7413static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
7414{
7415	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7416	struct net_device *dev = info->user_ptr[1];
7417
7418	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7419	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7420		return -EOPNOTSUPP;
7421
7422	if (!rdev->ops->flush_pmksa)
7423		return -EOPNOTSUPP;
7424
7425	return rdev_flush_pmksa(rdev, dev);
7426}
7427
7428static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
7429{
7430	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7431	struct net_device *dev = info->user_ptr[1];
7432	u8 action_code, dialog_token;
7433	u32 peer_capability = 0;
7434	u16 status_code;
7435	u8 *peer;
7436	bool initiator;
7437
7438	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
7439	    !rdev->ops->tdls_mgmt)
7440		return -EOPNOTSUPP;
7441
7442	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
7443	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
7444	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
7445	    !info->attrs[NL80211_ATTR_IE] ||
7446	    !info->attrs[NL80211_ATTR_MAC])
7447		return -EINVAL;
7448
7449	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
7450	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
7451	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
7452	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
7453	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
7454	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
7455		peer_capability =
7456			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
7457
7458	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
7459			      dialog_token, status_code, peer_capability,
7460			      initiator,
7461			      nla_data(info->attrs[NL80211_ATTR_IE]),
7462			      nla_len(info->attrs[NL80211_ATTR_IE]));
7463}
7464
7465static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
7466{
7467	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7468	struct net_device *dev = info->user_ptr[1];
7469	enum nl80211_tdls_operation operation;
7470	u8 *peer;
7471
7472	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
7473	    !rdev->ops->tdls_oper)
7474		return -EOPNOTSUPP;
7475
7476	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
7477	    !info->attrs[NL80211_ATTR_MAC])
7478		return -EINVAL;
7479
7480	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
7481	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
7482
7483	return rdev_tdls_oper(rdev, dev, peer, operation);
7484}
7485
7486static int nl80211_remain_on_channel(struct sk_buff *skb,
7487				     struct genl_info *info)
7488{
7489	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7490	struct wireless_dev *wdev = info->user_ptr[1];
7491	struct cfg80211_chan_def chandef;
7492	struct sk_buff *msg;
7493	void *hdr;
7494	u64 cookie;
7495	u32 duration;
7496	int err;
7497
7498	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
7499	    !info->attrs[NL80211_ATTR_DURATION])
7500		return -EINVAL;
7501
7502	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
7503
7504	if (!rdev->ops->remain_on_channel ||
7505	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
7506		return -EOPNOTSUPP;
7507
7508	/*
7509	 * We should be on that channel for at least a minimum amount of
7510	 * time (10ms) but no longer than the driver supports.
7511	 */
7512	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
7513	    duration > rdev->wiphy.max_remain_on_channel_duration)
7514		return -EINVAL;
7515
7516	err = nl80211_parse_chandef(rdev, info, &chandef);
7517	if (err)
7518		return err;
7519
7520	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7521	if (!msg)
7522		return -ENOMEM;
7523
7524	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7525			     NL80211_CMD_REMAIN_ON_CHANNEL);
7526	if (!hdr) {
7527		err = -ENOBUFS;
7528		goto free_msg;
7529	}
7530
7531	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
7532				     duration, &cookie);
7533
7534	if (err)
7535		goto free_msg;
7536
7537	if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
7538		goto nla_put_failure;
7539
7540	genlmsg_end(msg, hdr);
7541
7542	return genlmsg_reply(msg, info);
7543
7544 nla_put_failure:
7545	err = -ENOBUFS;
7546 free_msg:
7547	nlmsg_free(msg);
7548	return err;
7549}
7550
7551static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
7552					    struct genl_info *info)
7553{
7554	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7555	struct wireless_dev *wdev = info->user_ptr[1];
7556	u64 cookie;
7557
7558	if (!info->attrs[NL80211_ATTR_COOKIE])
7559		return -EINVAL;
7560
7561	if (!rdev->ops->cancel_remain_on_channel)
7562		return -EOPNOTSUPP;
7563
7564	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
7565
7566	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
7567}
7568
7569static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
7570			   u8 *rates, u8 rates_len)
7571{
7572	u8 i;
7573	u32 mask = 0;
7574
7575	for (i = 0; i < rates_len; i++) {
7576		int rate = (rates[i] & 0x7f) * 5;
7577		int ridx;
7578		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
7579			struct ieee80211_rate *srate =
7580				&sband->bitrates[ridx];
7581			if (rate == srate->bitrate) {
7582				mask |= 1 << ridx;
7583				break;
7584			}
7585		}
7586		if (ridx == sband->n_bitrates)
7587			return 0; /* rate not found */
7588	}
7589
7590	return mask;
7591}
7592
7593static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
7594			       u8 *rates, u8 rates_len,
7595			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
7596{
7597	u8 i;
7598
7599	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
7600
7601	for (i = 0; i < rates_len; i++) {
7602		int ridx, rbit;
7603
7604		ridx = rates[i] / 8;
7605		rbit = BIT(rates[i] % 8);
7606
7607		/* check validity */
7608		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
7609			return false;
7610
7611		/* check availability */
7612		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
7613			mcs[ridx] |= rbit;
7614		else
7615			return false;
7616	}
7617
7618	return true;
7619}
7620
7621static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
7622{
7623	u16 mcs_mask = 0;
7624
7625	switch (vht_mcs_map) {
7626	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
7627		break;
7628	case IEEE80211_VHT_MCS_SUPPORT_0_7:
7629		mcs_mask = 0x00FF;
7630		break;
7631	case IEEE80211_VHT_MCS_SUPPORT_0_8:
7632		mcs_mask = 0x01FF;
7633		break;
7634	case IEEE80211_VHT_MCS_SUPPORT_0_9:
7635		mcs_mask = 0x03FF;
7636		break;
7637	default:
7638		break;
7639	}
7640
7641	return mcs_mask;
7642}
7643
7644static void vht_build_mcs_mask(u16 vht_mcs_map,
7645			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
7646{
7647	u8 nss;
7648
7649	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
7650		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
7651		vht_mcs_map >>= 2;
7652	}
7653}
7654
7655static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
7656			     struct nl80211_txrate_vht *txrate,
7657			     u16 mcs[NL80211_VHT_NSS_MAX])
7658{
7659	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
7660	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
7661	u8 i;
7662
7663	if (!sband->vht_cap.vht_supported)
7664		return false;
7665
7666	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
7667
7668	/* Build vht_mcs_mask from VHT capabilities */
7669	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
7670
7671	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
7672		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
7673			mcs[i] = txrate->mcs[i];
7674		else
7675			return false;
7676	}
7677
7678	return true;
7679}
7680
7681static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
7682	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
7683				    .len = NL80211_MAX_SUPP_RATES },
7684	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
7685				.len = NL80211_MAX_SUPP_HT_RATES },
7686	[NL80211_TXRATE_VHT] = { .len = sizeof(struct nl80211_txrate_vht)},
7687	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
7688};
7689
7690static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
7691				       struct genl_info *info)
7692{
7693	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
7694	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7695	struct cfg80211_bitrate_mask mask;
7696	int rem, i;
7697	struct net_device *dev = info->user_ptr[1];
7698	struct nlattr *tx_rates;
7699	struct ieee80211_supported_band *sband;
7700	u16 vht_tx_mcs_map;
7701
7702	if (!rdev->ops->set_bitrate_mask)
7703		return -EOPNOTSUPP;
7704
7705	memset(&mask, 0, sizeof(mask));
7706	/* Default to all rates enabled */
7707	for (i = 0; i < IEEE80211_NUM_BANDS; i++) {
7708		sband = rdev->wiphy.bands[i];
7709
7710		if (!sband)
7711			continue;
7712
7713		mask.control[i].legacy = (1 << sband->n_bitrates) - 1;
7714		memcpy(mask.control[i].ht_mcs,
7715		       sband->ht_cap.mcs.rx_mask,
7716		       sizeof(mask.control[i].ht_mcs));
7717
7718		if (!sband->vht_cap.vht_supported)
7719			continue;
7720
7721		vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
7722		vht_build_mcs_mask(vht_tx_mcs_map, mask.control[i].vht_mcs);
7723	}
7724
7725	/* if no rates are given set it back to the defaults */
7726	if (!info->attrs[NL80211_ATTR_TX_RATES])
7727		goto out;
7728
7729	/*
7730	 * The nested attribute uses enum nl80211_band as the index. This maps
7731	 * directly to the enum ieee80211_band values used in cfg80211.
7732	 */
7733	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
7734	nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
7735		enum ieee80211_band band = nla_type(tx_rates);
7736		int err;
7737
7738		if (band < 0 || band >= IEEE80211_NUM_BANDS)
7739			return -EINVAL;
7740		sband = rdev->wiphy.bands[band];
7741		if (sband == NULL)
7742			return -EINVAL;
7743		err = nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates),
7744				nla_len(tx_rates), nl80211_txattr_policy);
7745		if (err)
7746			return err;
7747		if (tb[NL80211_TXRATE_LEGACY]) {
7748			mask.control[band].legacy = rateset_to_mask(
7749				sband,
7750				nla_data(tb[NL80211_TXRATE_LEGACY]),
7751				nla_len(tb[NL80211_TXRATE_LEGACY]));
7752			if ((mask.control[band].legacy == 0) &&
7753			    nla_len(tb[NL80211_TXRATE_LEGACY]))
7754				return -EINVAL;
7755		}
7756		if (tb[NL80211_TXRATE_HT]) {
7757			if (!ht_rateset_to_mask(
7758					sband,
7759					nla_data(tb[NL80211_TXRATE_HT]),
7760					nla_len(tb[NL80211_TXRATE_HT]),
7761					mask.control[band].ht_mcs))
7762				return -EINVAL;
7763		}
7764		if (tb[NL80211_TXRATE_VHT]) {
7765			if (!vht_set_mcs_mask(
7766					sband,
7767					nla_data(tb[NL80211_TXRATE_VHT]),
7768					mask.control[band].vht_mcs))
7769				return -EINVAL;
7770		}
7771		if (tb[NL80211_TXRATE_GI]) {
7772			mask.control[band].gi =
7773				nla_get_u8(tb[NL80211_TXRATE_GI]);
7774			if (mask.control[band].gi > NL80211_TXRATE_FORCE_LGI)
7775				return -EINVAL;
7776		}
7777
7778		if (mask.control[band].legacy == 0) {
7779			/* don't allow empty legacy rates if HT or VHT
7780			 * are not even supported.
7781			 */
7782			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
7783			      rdev->wiphy.bands[band]->vht_cap.vht_supported))
7784				return -EINVAL;
7785
7786			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
7787				if (mask.control[band].ht_mcs[i])
7788					goto out;
7789
7790			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
7791				if (mask.control[band].vht_mcs[i])
7792					goto out;
7793
7794			/* legacy and mcs rates may not be both empty */
7795			return -EINVAL;
7796		}
7797	}
7798
7799out:
7800	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
7801}
7802
7803static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
7804{
7805	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7806	struct wireless_dev *wdev = info->user_ptr[1];
7807	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
7808
7809	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
7810		return -EINVAL;
7811
7812	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
7813		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
7814
7815	switch (wdev->iftype) {
7816	case NL80211_IFTYPE_STATION:
7817	case NL80211_IFTYPE_ADHOC:
7818	case NL80211_IFTYPE_P2P_CLIENT:
7819	case NL80211_IFTYPE_AP:
7820	case NL80211_IFTYPE_AP_VLAN:
7821	case NL80211_IFTYPE_MESH_POINT:
7822	case NL80211_IFTYPE_P2P_GO:
7823	case NL80211_IFTYPE_P2P_DEVICE:
7824		break;
7825	default:
7826		return -EOPNOTSUPP;
7827	}
7828
7829	/* not much point in registering if we can't reply */
7830	if (!rdev->ops->mgmt_tx)
7831		return -EOPNOTSUPP;
7832
7833	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
7834			nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
7835			nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]));
7836}
7837
7838static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
7839{
7840	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7841	struct wireless_dev *wdev = info->user_ptr[1];
7842	struct cfg80211_chan_def chandef;
7843	int err;
7844	void *hdr = NULL;
7845	u64 cookie;
7846	struct sk_buff *msg = NULL;
7847	struct cfg80211_mgmt_tx_params params = {
7848		.dont_wait_for_ack =
7849			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
7850	};
7851
7852	if (!info->attrs[NL80211_ATTR_FRAME])
7853		return -EINVAL;
7854
7855	if (!rdev->ops->mgmt_tx)
7856		return -EOPNOTSUPP;
7857
7858	switch (wdev->iftype) {
7859	case NL80211_IFTYPE_P2P_DEVICE:
7860		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
7861			return -EINVAL;
7862	case NL80211_IFTYPE_STATION:
7863	case NL80211_IFTYPE_ADHOC:
7864	case NL80211_IFTYPE_P2P_CLIENT:
7865	case NL80211_IFTYPE_AP:
7866	case NL80211_IFTYPE_AP_VLAN:
7867	case NL80211_IFTYPE_MESH_POINT:
7868	case NL80211_IFTYPE_P2P_GO:
7869		break;
7870	default:
7871		return -EOPNOTSUPP;
7872	}
7873
7874	if (info->attrs[NL80211_ATTR_DURATION]) {
7875		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
7876			return -EINVAL;
7877		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
7878
7879		/*
7880		 * We should wait on the channel for at least a minimum amount
7881		 * of time (10ms) but no longer than the driver supports.
7882		 */
7883		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
7884		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
7885			return -EINVAL;
7886
7887	}
7888
7889	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
7890
7891	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
7892		return -EINVAL;
7893
7894	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
7895
7896	/* get the channel if any has been specified, otherwise pass NULL to
7897	 * the driver. The latter will use the current one
7898	 */
7899	chandef.chan = NULL;
7900	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
7901		err = nl80211_parse_chandef(rdev, info, &chandef);
7902		if (err)
7903			return err;
7904	}
7905
7906	if (!chandef.chan && params.offchan)
7907		return -EINVAL;
7908
7909	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
7910	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
7911
7912	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
7913		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
7914		int i;
7915
7916		if (len % sizeof(u16))
7917			return -EINVAL;
7918
7919		params.n_csa_offsets = len / sizeof(u16);
7920		params.csa_offsets =
7921			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
7922
7923		/* check that all the offsets fit the frame */
7924		for (i = 0; i < params.n_csa_offsets; i++) {
7925			if (params.csa_offsets[i] >= params.len)
7926				return -EINVAL;
7927		}
7928	}
7929
7930	if (!params.dont_wait_for_ack) {
7931		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7932		if (!msg)
7933			return -ENOMEM;
7934
7935		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7936				     NL80211_CMD_FRAME);
7937		if (!hdr) {
7938			err = -ENOBUFS;
7939			goto free_msg;
7940		}
7941	}
7942
7943	params.chan = chandef.chan;
7944	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
7945	if (err)
7946		goto free_msg;
7947
7948	if (msg) {
7949		if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
7950			goto nla_put_failure;
7951
7952		genlmsg_end(msg, hdr);
7953		return genlmsg_reply(msg, info);
7954	}
7955
7956	return 0;
7957
7958 nla_put_failure:
7959	err = -ENOBUFS;
7960 free_msg:
7961	nlmsg_free(msg);
7962	return err;
7963}
7964
7965static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
7966{
7967	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7968	struct wireless_dev *wdev = info->user_ptr[1];
7969	u64 cookie;
7970
7971	if (!info->attrs[NL80211_ATTR_COOKIE])
7972		return -EINVAL;
7973
7974	if (!rdev->ops->mgmt_tx_cancel_wait)
7975		return -EOPNOTSUPP;
7976
7977	switch (wdev->iftype) {
7978	case NL80211_IFTYPE_STATION:
7979	case NL80211_IFTYPE_ADHOC:
7980	case NL80211_IFTYPE_P2P_CLIENT:
7981	case NL80211_IFTYPE_AP:
7982	case NL80211_IFTYPE_AP_VLAN:
7983	case NL80211_IFTYPE_P2P_GO:
7984	case NL80211_IFTYPE_P2P_DEVICE:
7985		break;
7986	default:
7987		return -EOPNOTSUPP;
7988	}
7989
7990	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
7991
7992	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
7993}
7994
7995static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
7996{
7997	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7998	struct wireless_dev *wdev;
7999	struct net_device *dev = info->user_ptr[1];
8000	u8 ps_state;
8001	bool state;
8002	int err;
8003
8004	if (!info->attrs[NL80211_ATTR_PS_STATE])
8005		return -EINVAL;
8006
8007	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
8008
8009	if (ps_state != NL80211_PS_DISABLED && ps_state != NL80211_PS_ENABLED)
8010		return -EINVAL;
8011
8012	wdev = dev->ieee80211_ptr;
8013
8014	if (!rdev->ops->set_power_mgmt)
8015		return -EOPNOTSUPP;
8016
8017	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
8018
8019	if (state == wdev->ps)
8020		return 0;
8021
8022	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
8023	if (!err)
8024		wdev->ps = state;
8025	return err;
8026}
8027
8028static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
8029{
8030	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8031	enum nl80211_ps_state ps_state;
8032	struct wireless_dev *wdev;
8033	struct net_device *dev = info->user_ptr[1];
8034	struct sk_buff *msg;
8035	void *hdr;
8036	int err;
8037
8038	wdev = dev->ieee80211_ptr;
8039
8040	if (!rdev->ops->set_power_mgmt)
8041		return -EOPNOTSUPP;
8042
8043	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8044	if (!msg)
8045		return -ENOMEM;
8046
8047	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8048			     NL80211_CMD_GET_POWER_SAVE);
8049	if (!hdr) {
8050		err = -ENOBUFS;
8051		goto free_msg;
8052	}
8053
8054	if (wdev->ps)
8055		ps_state = NL80211_PS_ENABLED;
8056	else
8057		ps_state = NL80211_PS_DISABLED;
8058
8059	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
8060		goto nla_put_failure;
8061
8062	genlmsg_end(msg, hdr);
8063	return genlmsg_reply(msg, info);
8064
8065 nla_put_failure:
8066	err = -ENOBUFS;
8067 free_msg:
8068	nlmsg_free(msg);
8069	return err;
8070}
8071
8072static const struct nla_policy
8073nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
8074	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_U32 },
8075	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
8076	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
8077	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
8078	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
8079	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
8080};
8081
8082static int nl80211_set_cqm_txe(struct genl_info *info,
8083			       u32 rate, u32 pkts, u32 intvl)
8084{
8085	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8086	struct net_device *dev = info->user_ptr[1];
8087	struct wireless_dev *wdev = dev->ieee80211_ptr;
8088
8089	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
8090		return -EINVAL;
8091
8092	if (!rdev->ops->set_cqm_txe_config)
8093		return -EOPNOTSUPP;
8094
8095	if (wdev->iftype != NL80211_IFTYPE_STATION &&
8096	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
8097		return -EOPNOTSUPP;
8098
8099	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
8100}
8101
8102static int nl80211_set_cqm_rssi(struct genl_info *info,
8103				s32 threshold, u32 hysteresis)
8104{
8105	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8106	struct net_device *dev = info->user_ptr[1];
8107	struct wireless_dev *wdev = dev->ieee80211_ptr;
8108
8109	if (threshold > 0)
8110		return -EINVAL;
8111
8112	/* disabling - hysteresis should also be zero then */
8113	if (threshold == 0)
8114		hysteresis = 0;
8115
8116	if (!rdev->ops->set_cqm_rssi_config)
8117		return -EOPNOTSUPP;
8118
8119	if (wdev->iftype != NL80211_IFTYPE_STATION &&
8120	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
8121		return -EOPNOTSUPP;
8122
8123	return rdev_set_cqm_rssi_config(rdev, dev, threshold, hysteresis);
8124}
8125
8126static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
8127{
8128	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
8129	struct nlattr *cqm;
8130	int err;
8131
8132	cqm = info->attrs[NL80211_ATTR_CQM];
8133	if (!cqm)
8134		return -EINVAL;
8135
8136	err = nla_parse_nested(attrs, NL80211_ATTR_CQM_MAX, cqm,
8137			       nl80211_attr_cqm_policy);
8138	if (err)
8139		return err;
8140
8141	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
8142	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
8143		s32 threshold = nla_get_s32(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
8144		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
8145
8146		return nl80211_set_cqm_rssi(info, threshold, hysteresis);
8147	}
8148
8149	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
8150	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
8151	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
8152		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
8153		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
8154		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
8155
8156		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
8157	}
8158
8159	return -EINVAL;
8160}
8161
8162static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
8163{
8164	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8165	struct net_device *dev = info->user_ptr[1];
8166	struct mesh_config cfg;
8167	struct mesh_setup setup;
8168	int err;
8169
8170	/* start with default */
8171	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
8172	memcpy(&setup, &default_mesh_setup, sizeof(setup));
8173
8174	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
8175		/* and parse parameters if given */
8176		err = nl80211_parse_mesh_config(info, &cfg, NULL);
8177		if (err)
8178			return err;
8179	}
8180
8181	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
8182	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
8183		return -EINVAL;
8184
8185	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
8186	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
8187
8188	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
8189	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
8190			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
8191			return -EINVAL;
8192
8193	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
8194		setup.beacon_interval =
8195			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
8196		if (setup.beacon_interval < 10 ||
8197		    setup.beacon_interval > 10000)
8198			return -EINVAL;
8199	}
8200
8201	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
8202		setup.dtim_period =
8203			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
8204		if (setup.dtim_period < 1 || setup.dtim_period > 100)
8205			return -EINVAL;
8206	}
8207
8208	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
8209		/* parse additional setup parameters if given */
8210		err = nl80211_parse_mesh_setup(info, &setup);
8211		if (err)
8212			return err;
8213	}
8214
8215	if (setup.user_mpm)
8216		cfg.auto_open_plinks = false;
8217
8218	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
8219		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
8220		if (err)
8221			return err;
8222	} else {
8223		/* cfg80211_join_mesh() will sort it out */
8224		setup.chandef.chan = NULL;
8225	}
8226
8227	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
8228		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8229		int n_rates =
8230			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8231		struct ieee80211_supported_band *sband;
8232
8233		if (!setup.chandef.chan)
8234			return -EINVAL;
8235
8236		sband = rdev->wiphy.bands[setup.chandef.chan->band];
8237
8238		err = ieee80211_get_ratemask(sband, rates, n_rates,
8239					     &setup.basic_rates);
8240		if (err)
8241			return err;
8242	}
8243
8244	return cfg80211_join_mesh(rdev, dev, &setup, &cfg);
8245}
8246
8247static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
8248{
8249	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8250	struct net_device *dev = info->user_ptr[1];
8251
8252	return cfg80211_leave_mesh(rdev, dev);
8253}
8254
8255#ifdef CONFIG_PM
8256static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
8257					struct cfg80211_registered_device *rdev)
8258{
8259	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
8260	struct nlattr *nl_pats, *nl_pat;
8261	int i, pat_len;
8262
8263	if (!wowlan->n_patterns)
8264		return 0;
8265
8266	nl_pats = nla_nest_start(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
8267	if (!nl_pats)
8268		return -ENOBUFS;
8269
8270	for (i = 0; i < wowlan->n_patterns; i++) {
8271		nl_pat = nla_nest_start(msg, i + 1);
8272		if (!nl_pat)
8273			return -ENOBUFS;
8274		pat_len = wowlan->patterns[i].pattern_len;
8275		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
8276			    wowlan->patterns[i].mask) ||
8277		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
8278			    wowlan->patterns[i].pattern) ||
8279		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
8280				wowlan->patterns[i].pkt_offset))
8281			return -ENOBUFS;
8282		nla_nest_end(msg, nl_pat);
8283	}
8284	nla_nest_end(msg, nl_pats);
8285
8286	return 0;
8287}
8288
8289static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
8290				   struct cfg80211_wowlan_tcp *tcp)
8291{
8292	struct nlattr *nl_tcp;
8293
8294	if (!tcp)
8295		return 0;
8296
8297	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
8298	if (!nl_tcp)
8299		return -ENOBUFS;
8300
8301	if (nla_put_be32(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
8302	    nla_put_be32(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
8303	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
8304	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
8305	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
8306	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
8307		    tcp->payload_len, tcp->payload) ||
8308	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
8309			tcp->data_interval) ||
8310	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
8311		    tcp->wake_len, tcp->wake_data) ||
8312	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
8313		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
8314		return -ENOBUFS;
8315
8316	if (tcp->payload_seq.len &&
8317	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
8318		    sizeof(tcp->payload_seq), &tcp->payload_seq))
8319		return -ENOBUFS;
8320
8321	if (tcp->payload_tok.len &&
8322	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
8323		    sizeof(tcp->payload_tok) + tcp->tokens_size,
8324		    &tcp->payload_tok))
8325		return -ENOBUFS;
8326
8327	nla_nest_end(msg, nl_tcp);
8328
8329	return 0;
8330}
8331
8332static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
8333{
8334	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8335	struct sk_buff *msg;
8336	void *hdr;
8337	u32 size = NLMSG_DEFAULT_SIZE;
8338
8339	if (!rdev->wiphy.wowlan)
8340		return -EOPNOTSUPP;
8341
8342	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
8343		/* adjust size to have room for all the data */
8344		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
8345			rdev->wiphy.wowlan_config->tcp->payload_len +
8346			rdev->wiphy.wowlan_config->tcp->wake_len +
8347			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
8348	}
8349
8350	msg = nlmsg_new(size, GFP_KERNEL);
8351	if (!msg)
8352		return -ENOMEM;
8353
8354	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8355			     NL80211_CMD_GET_WOWLAN);
8356	if (!hdr)
8357		goto nla_put_failure;
8358
8359	if (rdev->wiphy.wowlan_config) {
8360		struct nlattr *nl_wowlan;
8361
8362		nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
8363		if (!nl_wowlan)
8364			goto nla_put_failure;
8365
8366		if ((rdev->wiphy.wowlan_config->any &&
8367		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
8368		    (rdev->wiphy.wowlan_config->disconnect &&
8369		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
8370		    (rdev->wiphy.wowlan_config->magic_pkt &&
8371		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
8372		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
8373		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
8374		    (rdev->wiphy.wowlan_config->eap_identity_req &&
8375		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
8376		    (rdev->wiphy.wowlan_config->four_way_handshake &&
8377		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
8378		    (rdev->wiphy.wowlan_config->rfkill_release &&
8379		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
8380			goto nla_put_failure;
8381
8382		if (nl80211_send_wowlan_patterns(msg, rdev))
8383			goto nla_put_failure;
8384
8385		if (nl80211_send_wowlan_tcp(msg,
8386					    rdev->wiphy.wowlan_config->tcp))
8387			goto nla_put_failure;
8388
8389		nla_nest_end(msg, nl_wowlan);
8390	}
8391
8392	genlmsg_end(msg, hdr);
8393	return genlmsg_reply(msg, info);
8394
8395nla_put_failure:
8396	nlmsg_free(msg);
8397	return -ENOBUFS;
8398}
8399
8400static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
8401				    struct nlattr *attr,
8402				    struct cfg80211_wowlan *trig)
8403{
8404	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
8405	struct cfg80211_wowlan_tcp *cfg;
8406	struct nl80211_wowlan_tcp_data_token *tok = NULL;
8407	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
8408	u32 size;
8409	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
8410	int err, port;
8411
8412	if (!rdev->wiphy.wowlan->tcp)
8413		return -EINVAL;
8414
8415	err = nla_parse(tb, MAX_NL80211_WOWLAN_TCP,
8416			nla_data(attr), nla_len(attr),
8417			nl80211_wowlan_tcp_policy);
8418	if (err)
8419		return err;
8420
8421	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
8422	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
8423	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
8424	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
8425	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
8426	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
8427	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
8428	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
8429		return -EINVAL;
8430
8431	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
8432	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
8433		return -EINVAL;
8434
8435	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
8436			rdev->wiphy.wowlan->tcp->data_interval_max ||
8437	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
8438		return -EINVAL;
8439
8440	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
8441	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
8442		return -EINVAL;
8443
8444	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
8445	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
8446		return -EINVAL;
8447
8448	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
8449		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
8450
8451		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
8452		tokens_size = tokln - sizeof(*tok);
8453
8454		if (!tok->len || tokens_size % tok->len)
8455			return -EINVAL;
8456		if (!rdev->wiphy.wowlan->tcp->tok)
8457			return -EINVAL;
8458		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
8459			return -EINVAL;
8460		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
8461			return -EINVAL;
8462		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
8463			return -EINVAL;
8464		if (tok->offset + tok->len > data_size)
8465			return -EINVAL;
8466	}
8467
8468	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
8469		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
8470		if (!rdev->wiphy.wowlan->tcp->seq)
8471			return -EINVAL;
8472		if (seq->len == 0 || seq->len > 4)
8473			return -EINVAL;
8474		if (seq->len + seq->offset > data_size)
8475			return -EINVAL;
8476	}
8477
8478	size = sizeof(*cfg);
8479	size += data_size;
8480	size += wake_size + wake_mask_size;
8481	size += tokens_size;
8482
8483	cfg = kzalloc(size, GFP_KERNEL);
8484	if (!cfg)
8485		return -ENOMEM;
8486	cfg->src = nla_get_be32(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
8487	cfg->dst = nla_get_be32(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
8488	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
8489	       ETH_ALEN);
8490	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
8491		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
8492	else
8493		port = 0;
8494#ifdef CONFIG_INET
8495	/* allocate a socket and port for it and use it */
8496	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
8497			    IPPROTO_TCP, &cfg->sock, 1);
8498	if (err) {
8499		kfree(cfg);
8500		return err;
8501	}
8502	if (inet_csk_get_port(cfg->sock->sk, port)) {
8503		sock_release(cfg->sock);
8504		kfree(cfg);
8505		return -EADDRINUSE;
8506	}
8507	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
8508#else
8509	if (!port) {
8510		kfree(cfg);
8511		return -EINVAL;
8512	}
8513	cfg->src_port = port;
8514#endif
8515
8516	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
8517	cfg->payload_len = data_size;
8518	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
8519	memcpy((void *)cfg->payload,
8520	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
8521	       data_size);
8522	if (seq)
8523		cfg->payload_seq = *seq;
8524	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
8525	cfg->wake_len = wake_size;
8526	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
8527	memcpy((void *)cfg->wake_data,
8528	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
8529	       wake_size);
8530	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
8531			 data_size + wake_size;
8532	memcpy((void *)cfg->wake_mask,
8533	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
8534	       wake_mask_size);
8535	if (tok) {
8536		cfg->tokens_size = tokens_size;
8537		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
8538	}
8539
8540	trig->tcp = cfg;
8541
8542	return 0;
8543}
8544
8545static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
8546{
8547	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8548	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
8549	struct cfg80211_wowlan new_triggers = {};
8550	struct cfg80211_wowlan *ntrig;
8551	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
8552	int err, i;
8553	bool prev_enabled = rdev->wiphy.wowlan_config;
8554
8555	if (!wowlan)
8556		return -EOPNOTSUPP;
8557
8558	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
8559		cfg80211_rdev_free_wowlan(rdev);
8560		rdev->wiphy.wowlan_config = NULL;
8561		goto set_wakeup;
8562	}
8563
8564	err = nla_parse(tb, MAX_NL80211_WOWLAN_TRIG,
8565			nla_data(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
8566			nla_len(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
8567			nl80211_wowlan_policy);
8568	if (err)
8569		return err;
8570
8571	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
8572		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
8573			return -EINVAL;
8574		new_triggers.any = true;
8575	}
8576
8577	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
8578		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
8579			return -EINVAL;
8580		new_triggers.disconnect = true;
8581	}
8582
8583	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
8584		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
8585			return -EINVAL;
8586		new_triggers.magic_pkt = true;
8587	}
8588
8589	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
8590		return -EINVAL;
8591
8592	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
8593		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
8594			return -EINVAL;
8595		new_triggers.gtk_rekey_failure = true;
8596	}
8597
8598	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
8599		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
8600			return -EINVAL;
8601		new_triggers.eap_identity_req = true;
8602	}
8603
8604	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
8605		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
8606			return -EINVAL;
8607		new_triggers.four_way_handshake = true;
8608	}
8609
8610	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
8611		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
8612			return -EINVAL;
8613		new_triggers.rfkill_release = true;
8614	}
8615
8616	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
8617		struct nlattr *pat;
8618		int n_patterns = 0;
8619		int rem, pat_len, mask_len, pkt_offset;
8620		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
8621
8622		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
8623				    rem)
8624			n_patterns++;
8625		if (n_patterns > wowlan->n_patterns)
8626			return -EINVAL;
8627
8628		new_triggers.patterns = kcalloc(n_patterns,
8629						sizeof(new_triggers.patterns[0]),
8630						GFP_KERNEL);
8631		if (!new_triggers.patterns)
8632			return -ENOMEM;
8633
8634		new_triggers.n_patterns = n_patterns;
8635		i = 0;
8636
8637		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
8638				    rem) {
8639			u8 *mask_pat;
8640
8641			nla_parse(pat_tb, MAX_NL80211_PKTPAT, nla_data(pat),
8642				  nla_len(pat), NULL);
8643			err = -EINVAL;
8644			if (!pat_tb[NL80211_PKTPAT_MASK] ||
8645			    !pat_tb[NL80211_PKTPAT_PATTERN])
8646				goto error;
8647			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
8648			mask_len = DIV_ROUND_UP(pat_len, 8);
8649			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
8650				goto error;
8651			if (pat_len > wowlan->pattern_max_len ||
8652			    pat_len < wowlan->pattern_min_len)
8653				goto error;
8654
8655			if (!pat_tb[NL80211_PKTPAT_OFFSET])
8656				pkt_offset = 0;
8657			else
8658				pkt_offset = nla_get_u32(
8659					pat_tb[NL80211_PKTPAT_OFFSET]);
8660			if (pkt_offset > wowlan->max_pkt_offset)
8661				goto error;
8662			new_triggers.patterns[i].pkt_offset = pkt_offset;
8663
8664			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
8665			if (!mask_pat) {
8666				err = -ENOMEM;
8667				goto error;
8668			}
8669			new_triggers.patterns[i].mask = mask_pat;
8670			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
8671			       mask_len);
8672			mask_pat += mask_len;
8673			new_triggers.patterns[i].pattern = mask_pat;
8674			new_triggers.patterns[i].pattern_len = pat_len;
8675			memcpy(mask_pat,
8676			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
8677			       pat_len);
8678			i++;
8679		}
8680	}
8681
8682	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
8683		err = nl80211_parse_wowlan_tcp(
8684			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
8685			&new_triggers);
8686		if (err)
8687			goto error;
8688	}
8689
8690	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
8691	if (!ntrig) {
8692		err = -ENOMEM;
8693		goto error;
8694	}
8695	cfg80211_rdev_free_wowlan(rdev);
8696	rdev->wiphy.wowlan_config = ntrig;
8697
8698 set_wakeup:
8699	if (rdev->ops->set_wakeup &&
8700	    prev_enabled != !!rdev->wiphy.wowlan_config)
8701		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
8702
8703	return 0;
8704 error:
8705	for (i = 0; i < new_triggers.n_patterns; i++)
8706		kfree(new_triggers.patterns[i].mask);
8707	kfree(new_triggers.patterns);
8708	if (new_triggers.tcp && new_triggers.tcp->sock)
8709		sock_release(new_triggers.tcp->sock);
8710	kfree(new_triggers.tcp);
8711	return err;
8712}
8713#endif
8714
8715static int nl80211_send_coalesce_rules(struct sk_buff *msg,
8716				       struct cfg80211_registered_device *rdev)
8717{
8718	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
8719	int i, j, pat_len;
8720	struct cfg80211_coalesce_rules *rule;
8721
8722	if (!rdev->coalesce->n_rules)
8723		return 0;
8724
8725	nl_rules = nla_nest_start(msg, NL80211_ATTR_COALESCE_RULE);
8726	if (!nl_rules)
8727		return -ENOBUFS;
8728
8729	for (i = 0; i < rdev->coalesce->n_rules; i++) {
8730		nl_rule = nla_nest_start(msg, i + 1);
8731		if (!nl_rule)
8732			return -ENOBUFS;
8733
8734		rule = &rdev->coalesce->rules[i];
8735		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
8736				rule->delay))
8737			return -ENOBUFS;
8738
8739		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
8740				rule->condition))
8741			return -ENOBUFS;
8742
8743		nl_pats = nla_nest_start(msg,
8744				NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
8745		if (!nl_pats)
8746			return -ENOBUFS;
8747
8748		for (j = 0; j < rule->n_patterns; j++) {
8749			nl_pat = nla_nest_start(msg, j + 1);
8750			if (!nl_pat)
8751				return -ENOBUFS;
8752			pat_len = rule->patterns[j].pattern_len;
8753			if (nla_put(msg, NL80211_PKTPAT_MASK,
8754				    DIV_ROUND_UP(pat_len, 8),
8755				    rule->patterns[j].mask) ||
8756			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
8757				    rule->patterns[j].pattern) ||
8758			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
8759					rule->patterns[j].pkt_offset))
8760				return -ENOBUFS;
8761			nla_nest_end(msg, nl_pat);
8762		}
8763		nla_nest_end(msg, nl_pats);
8764		nla_nest_end(msg, nl_rule);
8765	}
8766	nla_nest_end(msg, nl_rules);
8767
8768	return 0;
8769}
8770
8771static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
8772{
8773	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8774	struct sk_buff *msg;
8775	void *hdr;
8776
8777	if (!rdev->wiphy.coalesce)
8778		return -EOPNOTSUPP;
8779
8780	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8781	if (!msg)
8782		return -ENOMEM;
8783
8784	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8785			     NL80211_CMD_GET_COALESCE);
8786	if (!hdr)
8787		goto nla_put_failure;
8788
8789	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
8790		goto nla_put_failure;
8791
8792	genlmsg_end(msg, hdr);
8793	return genlmsg_reply(msg, info);
8794
8795nla_put_failure:
8796	nlmsg_free(msg);
8797	return -ENOBUFS;
8798}
8799
8800void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
8801{
8802	struct cfg80211_coalesce *coalesce = rdev->coalesce;
8803	int i, j;
8804	struct cfg80211_coalesce_rules *rule;
8805
8806	if (!coalesce)
8807		return;
8808
8809	for (i = 0; i < coalesce->n_rules; i++) {
8810		rule = &coalesce->rules[i];
8811		for (j = 0; j < rule->n_patterns; j++)
8812			kfree(rule->patterns[j].mask);
8813		kfree(rule->patterns);
8814	}
8815	kfree(coalesce->rules);
8816	kfree(coalesce);
8817	rdev->coalesce = NULL;
8818}
8819
8820static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
8821				       struct nlattr *rule,
8822				       struct cfg80211_coalesce_rules *new_rule)
8823{
8824	int err, i;
8825	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
8826	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
8827	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
8828	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
8829
8830	err = nla_parse(tb, NL80211_ATTR_COALESCE_RULE_MAX, nla_data(rule),
8831			nla_len(rule), nl80211_coalesce_policy);
8832	if (err)
8833		return err;
8834
8835	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
8836		new_rule->delay =
8837			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
8838	if (new_rule->delay > coalesce->max_delay)
8839		return -EINVAL;
8840
8841	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
8842		new_rule->condition =
8843			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
8844	if (new_rule->condition != NL80211_COALESCE_CONDITION_MATCH &&
8845	    new_rule->condition != NL80211_COALESCE_CONDITION_NO_MATCH)
8846		return -EINVAL;
8847
8848	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
8849		return -EINVAL;
8850
8851	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
8852			    rem)
8853		n_patterns++;
8854	if (n_patterns > coalesce->n_patterns)
8855		return -EINVAL;
8856
8857	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
8858				     GFP_KERNEL);
8859	if (!new_rule->patterns)
8860		return -ENOMEM;
8861
8862	new_rule->n_patterns = n_patterns;
8863	i = 0;
8864
8865	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
8866			    rem) {
8867		u8 *mask_pat;
8868
8869		nla_parse(pat_tb, MAX_NL80211_PKTPAT, nla_data(pat),
8870			  nla_len(pat), NULL);
8871		if (!pat_tb[NL80211_PKTPAT_MASK] ||
8872		    !pat_tb[NL80211_PKTPAT_PATTERN])
8873			return -EINVAL;
8874		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
8875		mask_len = DIV_ROUND_UP(pat_len, 8);
8876		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
8877			return -EINVAL;
8878		if (pat_len > coalesce->pattern_max_len ||
8879		    pat_len < coalesce->pattern_min_len)
8880			return -EINVAL;
8881
8882		if (!pat_tb[NL80211_PKTPAT_OFFSET])
8883			pkt_offset = 0;
8884		else
8885			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
8886		if (pkt_offset > coalesce->max_pkt_offset)
8887			return -EINVAL;
8888		new_rule->patterns[i].pkt_offset = pkt_offset;
8889
8890		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
8891		if (!mask_pat)
8892			return -ENOMEM;
8893
8894		new_rule->patterns[i].mask = mask_pat;
8895		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
8896		       mask_len);
8897
8898		mask_pat += mask_len;
8899		new_rule->patterns[i].pattern = mask_pat;
8900		new_rule->patterns[i].pattern_len = pat_len;
8901		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
8902		       pat_len);
8903		i++;
8904	}
8905
8906	return 0;
8907}
8908
8909static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
8910{
8911	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8912	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
8913	struct cfg80211_coalesce new_coalesce = {};
8914	struct cfg80211_coalesce *n_coalesce;
8915	int err, rem_rule, n_rules = 0, i, j;
8916	struct nlattr *rule;
8917	struct cfg80211_coalesce_rules *tmp_rule;
8918
8919	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
8920		return -EOPNOTSUPP;
8921
8922	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
8923		cfg80211_rdev_free_coalesce(rdev);
8924		rdev->ops->set_coalesce(&rdev->wiphy, NULL);
8925		return 0;
8926	}
8927
8928	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
8929			    rem_rule)
8930		n_rules++;
8931	if (n_rules > coalesce->n_rules)
8932		return -EINVAL;
8933
8934	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
8935				     GFP_KERNEL);
8936	if (!new_coalesce.rules)
8937		return -ENOMEM;
8938
8939	new_coalesce.n_rules = n_rules;
8940	i = 0;
8941
8942	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
8943			    rem_rule) {
8944		err = nl80211_parse_coalesce_rule(rdev, rule,
8945						  &new_coalesce.rules[i]);
8946		if (err)
8947			goto error;
8948
8949		i++;
8950	}
8951
8952	err = rdev->ops->set_coalesce(&rdev->wiphy, &new_coalesce);
8953	if (err)
8954		goto error;
8955
8956	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
8957	if (!n_coalesce) {
8958		err = -ENOMEM;
8959		goto error;
8960	}
8961	cfg80211_rdev_free_coalesce(rdev);
8962	rdev->coalesce = n_coalesce;
8963
8964	return 0;
8965error:
8966	for (i = 0; i < new_coalesce.n_rules; i++) {
8967		tmp_rule = &new_coalesce.rules[i];
8968		for (j = 0; j < tmp_rule->n_patterns; j++)
8969			kfree(tmp_rule->patterns[j].mask);
8970		kfree(tmp_rule->patterns);
8971	}
8972	kfree(new_coalesce.rules);
8973
8974	return err;
8975}
8976
8977static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
8978{
8979	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8980	struct net_device *dev = info->user_ptr[1];
8981	struct wireless_dev *wdev = dev->ieee80211_ptr;
8982	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
8983	struct cfg80211_gtk_rekey_data rekey_data;
8984	int err;
8985
8986	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
8987		return -EINVAL;
8988
8989	err = nla_parse(tb, MAX_NL80211_REKEY_DATA,
8990			nla_data(info->attrs[NL80211_ATTR_REKEY_DATA]),
8991			nla_len(info->attrs[NL80211_ATTR_REKEY_DATA]),
8992			nl80211_rekey_policy);
8993	if (err)
8994		return err;
8995
8996	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
8997		return -ERANGE;
8998	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
8999		return -ERANGE;
9000	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN)
9001		return -ERANGE;
9002
9003	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
9004	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
9005	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
9006
9007	wdev_lock(wdev);
9008	if (!wdev->current_bss) {
9009		err = -ENOTCONN;
9010		goto out;
9011	}
9012
9013	if (!rdev->ops->set_rekey_data) {
9014		err = -EOPNOTSUPP;
9015		goto out;
9016	}
9017
9018	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
9019 out:
9020	wdev_unlock(wdev);
9021	return err;
9022}
9023
9024static int nl80211_register_unexpected_frame(struct sk_buff *skb,
9025					     struct genl_info *info)
9026{
9027	struct net_device *dev = info->user_ptr[1];
9028	struct wireless_dev *wdev = dev->ieee80211_ptr;
9029
9030	if (wdev->iftype != NL80211_IFTYPE_AP &&
9031	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
9032		return -EINVAL;
9033
9034	if (wdev->ap_unexpected_nlportid)
9035		return -EBUSY;
9036
9037	wdev->ap_unexpected_nlportid = info->snd_portid;
9038	return 0;
9039}
9040
9041static int nl80211_probe_client(struct sk_buff *skb,
9042				struct genl_info *info)
9043{
9044	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9045	struct net_device *dev = info->user_ptr[1];
9046	struct wireless_dev *wdev = dev->ieee80211_ptr;
9047	struct sk_buff *msg;
9048	void *hdr;
9049	const u8 *addr;
9050	u64 cookie;
9051	int err;
9052
9053	if (wdev->iftype != NL80211_IFTYPE_AP &&
9054	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
9055		return -EOPNOTSUPP;
9056
9057	if (!info->attrs[NL80211_ATTR_MAC])
9058		return -EINVAL;
9059
9060	if (!rdev->ops->probe_client)
9061		return -EOPNOTSUPP;
9062
9063	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9064	if (!msg)
9065		return -ENOMEM;
9066
9067	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9068			     NL80211_CMD_PROBE_CLIENT);
9069	if (!hdr) {
9070		err = -ENOBUFS;
9071		goto free_msg;
9072	}
9073
9074	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
9075
9076	err = rdev_probe_client(rdev, dev, addr, &cookie);
9077	if (err)
9078		goto free_msg;
9079
9080	if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
9081		goto nla_put_failure;
9082
9083	genlmsg_end(msg, hdr);
9084
9085	return genlmsg_reply(msg, info);
9086
9087 nla_put_failure:
9088	err = -ENOBUFS;
9089 free_msg:
9090	nlmsg_free(msg);
9091	return err;
9092}
9093
9094static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
9095{
9096	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9097	struct cfg80211_beacon_registration *reg, *nreg;
9098	int rv;
9099
9100	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
9101		return -EOPNOTSUPP;
9102
9103	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
9104	if (!nreg)
9105		return -ENOMEM;
9106
9107	/* First, check if already registered. */
9108	spin_lock_bh(&rdev->beacon_registrations_lock);
9109	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
9110		if (reg->nlportid == info->snd_portid) {
9111			rv = -EALREADY;
9112			goto out_err;
9113		}
9114	}
9115	/* Add it to the list */
9116	nreg->nlportid = info->snd_portid;
9117	list_add(&nreg->list, &rdev->beacon_registrations);
9118
9119	spin_unlock_bh(&rdev->beacon_registrations_lock);
9120
9121	return 0;
9122out_err:
9123	spin_unlock_bh(&rdev->beacon_registrations_lock);
9124	kfree(nreg);
9125	return rv;
9126}
9127
9128static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
9129{
9130	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9131	struct wireless_dev *wdev = info->user_ptr[1];
9132	int err;
9133
9134	if (!rdev->ops->start_p2p_device)
9135		return -EOPNOTSUPP;
9136
9137	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
9138		return -EOPNOTSUPP;
9139
9140	if (wdev->p2p_started)
9141		return 0;
9142
9143	if (rfkill_blocked(rdev->rfkill))
9144		return -ERFKILL;
9145
9146	err = rdev_start_p2p_device(rdev, wdev);
9147	if (err)
9148		return err;
9149
9150	wdev->p2p_started = true;
9151	rdev->opencount++;
9152
9153	return 0;
9154}
9155
9156static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
9157{
9158	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9159	struct wireless_dev *wdev = info->user_ptr[1];
9160
9161	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
9162		return -EOPNOTSUPP;
9163
9164	if (!rdev->ops->stop_p2p_device)
9165		return -EOPNOTSUPP;
9166
9167	cfg80211_stop_p2p_device(rdev, wdev);
9168
9169	return 0;
9170}
9171
9172static int nl80211_get_protocol_features(struct sk_buff *skb,
9173					 struct genl_info *info)
9174{
9175	void *hdr;
9176	struct sk_buff *msg;
9177
9178	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9179	if (!msg)
9180		return -ENOMEM;
9181
9182	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9183			     NL80211_CMD_GET_PROTOCOL_FEATURES);
9184	if (!hdr)
9185		goto nla_put_failure;
9186
9187	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
9188			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
9189		goto nla_put_failure;
9190
9191	genlmsg_end(msg, hdr);
9192	return genlmsg_reply(msg, info);
9193
9194 nla_put_failure:
9195	kfree_skb(msg);
9196	return -ENOBUFS;
9197}
9198
9199static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
9200{
9201	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9202	struct cfg80211_update_ft_ies_params ft_params;
9203	struct net_device *dev = info->user_ptr[1];
9204
9205	if (!rdev->ops->update_ft_ies)
9206		return -EOPNOTSUPP;
9207
9208	if (!info->attrs[NL80211_ATTR_MDID] ||
9209	    !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
9210		return -EINVAL;
9211
9212	memset(&ft_params, 0, sizeof(ft_params));
9213	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
9214	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9215	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9216
9217	return rdev_update_ft_ies(rdev, dev, &ft_params);
9218}
9219
9220static int nl80211_crit_protocol_start(struct sk_buff *skb,
9221				       struct genl_info *info)
9222{
9223	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9224	struct wireless_dev *wdev = info->user_ptr[1];
9225	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
9226	u16 duration;
9227	int ret;
9228
9229	if (!rdev->ops->crit_proto_start)
9230		return -EOPNOTSUPP;
9231
9232	if (WARN_ON(!rdev->ops->crit_proto_stop))
9233		return -EINVAL;
9234
9235	if (rdev->crit_proto_nlportid)
9236		return -EBUSY;
9237
9238	/* determine protocol if provided */
9239	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
9240		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
9241
9242	if (proto >= NUM_NL80211_CRIT_PROTO)
9243		return -EINVAL;
9244
9245	/* timeout must be provided */
9246	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
9247		return -EINVAL;
9248
9249	duration =
9250		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
9251
9252	if (duration > NL80211_CRIT_PROTO_MAX_DURATION)
9253		return -ERANGE;
9254
9255	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
9256	if (!ret)
9257		rdev->crit_proto_nlportid = info->snd_portid;
9258
9259	return ret;
9260}
9261
9262static int nl80211_crit_protocol_stop(struct sk_buff *skb,
9263				      struct genl_info *info)
9264{
9265	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9266	struct wireless_dev *wdev = info->user_ptr[1];
9267
9268	if (!rdev->ops->crit_proto_stop)
9269		return -EOPNOTSUPP;
9270
9271	if (rdev->crit_proto_nlportid) {
9272		rdev->crit_proto_nlportid = 0;
9273		rdev_crit_proto_stop(rdev, wdev);
9274	}
9275	return 0;
9276}
9277
9278static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
9279{
9280	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9281	struct wireless_dev *wdev =
9282		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
9283	int i, err;
9284	u32 vid, subcmd;
9285
9286	if (!rdev->wiphy.vendor_commands)
9287		return -EOPNOTSUPP;
9288
9289	if (IS_ERR(wdev)) {
9290		err = PTR_ERR(wdev);
9291		if (err != -EINVAL)
9292			return err;
9293		wdev = NULL;
9294	} else if (wdev->wiphy != &rdev->wiphy) {
9295		return -EINVAL;
9296	}
9297
9298	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
9299	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
9300		return -EINVAL;
9301
9302	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
9303	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
9304	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
9305		const struct wiphy_vendor_command *vcmd;
9306		void *data = NULL;
9307		int len = 0;
9308
9309		vcmd = &rdev->wiphy.vendor_commands[i];
9310
9311		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
9312			continue;
9313
9314		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
9315				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
9316			if (!wdev)
9317				return -EINVAL;
9318			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
9319			    !wdev->netdev)
9320				return -EINVAL;
9321
9322			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
9323				if (wdev->netdev &&
9324				    !netif_running(wdev->netdev))
9325					return -ENETDOWN;
9326				if (!wdev->netdev && !wdev->p2p_started)
9327					return -ENETDOWN;
9328			}
9329		} else {
9330			wdev = NULL;
9331		}
9332
9333		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
9334			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
9335			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
9336		}
9337
9338		rdev->cur_cmd_info = info;
9339		err = rdev->wiphy.vendor_commands[i].doit(&rdev->wiphy, wdev,
9340							  data, len);
9341		rdev->cur_cmd_info = NULL;
9342		return err;
9343	}
9344
9345	return -EOPNOTSUPP;
9346}
9347
9348struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
9349					   enum nl80211_commands cmd,
9350					   enum nl80211_attrs attr,
9351					   int approxlen)
9352{
9353	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
9354
9355	if (WARN_ON(!rdev->cur_cmd_info))
9356		return NULL;
9357
9358	return __cfg80211_alloc_vendor_skb(rdev, approxlen,
9359					   rdev->cur_cmd_info->snd_portid,
9360					   rdev->cur_cmd_info->snd_seq,
9361					   cmd, attr, NULL, GFP_KERNEL);
9362}
9363EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
9364
9365int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
9366{
9367	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
9368	void *hdr = ((void **)skb->cb)[1];
9369	struct nlattr *data = ((void **)skb->cb)[2];
9370
9371	/* clear CB data for netlink core to own from now on */
9372	memset(skb->cb, 0, sizeof(skb->cb));
9373
9374	if (WARN_ON(!rdev->cur_cmd_info)) {
9375		kfree_skb(skb);
9376		return -EINVAL;
9377	}
9378
9379	nla_nest_end(skb, data);
9380	genlmsg_end(skb, hdr);
9381	return genlmsg_reply(skb, rdev->cur_cmd_info);
9382}
9383EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
9384
9385
9386static int nl80211_set_qos_map(struct sk_buff *skb,
9387			       struct genl_info *info)
9388{
9389	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9390	struct cfg80211_qos_map *qos_map = NULL;
9391	struct net_device *dev = info->user_ptr[1];
9392	u8 *pos, len, num_des, des_len, des;
9393	int ret;
9394
9395	if (!rdev->ops->set_qos_map)
9396		return -EOPNOTSUPP;
9397
9398	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
9399		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
9400		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
9401
9402		if (len % 2 || len < IEEE80211_QOS_MAP_LEN_MIN ||
9403		    len > IEEE80211_QOS_MAP_LEN_MAX)
9404			return -EINVAL;
9405
9406		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
9407		if (!qos_map)
9408			return -ENOMEM;
9409
9410		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
9411		if (num_des) {
9412			des_len = num_des *
9413				sizeof(struct cfg80211_dscp_exception);
9414			memcpy(qos_map->dscp_exception, pos, des_len);
9415			qos_map->num_des = num_des;
9416			for (des = 0; des < num_des; des++) {
9417				if (qos_map->dscp_exception[des].up > 7) {
9418					kfree(qos_map);
9419					return -EINVAL;
9420				}
9421			}
9422			pos += des_len;
9423		}
9424		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
9425	}
9426
9427	wdev_lock(dev->ieee80211_ptr);
9428	ret = nl80211_key_allowed(dev->ieee80211_ptr);
9429	if (!ret)
9430		ret = rdev_set_qos_map(rdev, dev, qos_map);
9431	wdev_unlock(dev->ieee80211_ptr);
9432
9433	kfree(qos_map);
9434	return ret;
9435}
9436
9437static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
9438{
9439	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9440	struct net_device *dev = info->user_ptr[1];
9441	struct wireless_dev *wdev = dev->ieee80211_ptr;
9442	const u8 *peer;
9443	u8 tsid, up;
9444	u16 admitted_time = 0;
9445	int err;
9446
9447	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_WMM_ADMISSION))
9448		return -EOPNOTSUPP;
9449
9450	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
9451	    !info->attrs[NL80211_ATTR_USER_PRIO])
9452		return -EINVAL;
9453
9454	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
9455	if (tsid >= IEEE80211_NUM_TIDS)
9456		return -EINVAL;
9457
9458	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
9459	if (up >= IEEE80211_NUM_UPS)
9460		return -EINVAL;
9461
9462	/* WMM uses TIDs 0-7 even for TSPEC */
9463	if (tsid < IEEE80211_FIRST_TSPEC_TSID) {
9464		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_WMM_ADMISSION))
9465			return -EINVAL;
9466	} else {
9467		/* TODO: handle 802.11 TSPEC/admission control
9468		 * need more attributes for that (e.g. BA session requirement)
9469		 */
9470		return -EINVAL;
9471	}
9472
9473	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
9474
9475	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
9476		admitted_time =
9477			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
9478		if (!admitted_time)
9479			return -EINVAL;
9480	}
9481
9482	wdev_lock(wdev);
9483	switch (wdev->iftype) {
9484	case NL80211_IFTYPE_STATION:
9485	case NL80211_IFTYPE_P2P_CLIENT:
9486		if (wdev->current_bss)
9487			break;
9488		err = -ENOTCONN;
9489		goto out;
9490	default:
9491		err = -EOPNOTSUPP;
9492		goto out;
9493	}
9494
9495	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
9496
9497 out:
9498	wdev_unlock(wdev);
9499	return err;
9500}
9501
9502static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
9503{
9504	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9505	struct net_device *dev = info->user_ptr[1];
9506	struct wireless_dev *wdev = dev->ieee80211_ptr;
9507	const u8 *peer;
9508	u8 tsid;
9509	int err;
9510
9511	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
9512		return -EINVAL;
9513
9514	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
9515	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
9516
9517	wdev_lock(wdev);
9518	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
9519	wdev_unlock(wdev);
9520
9521	return err;
9522}
9523
9524#define NL80211_FLAG_NEED_WIPHY		0x01
9525#define NL80211_FLAG_NEED_NETDEV	0x02
9526#define NL80211_FLAG_NEED_RTNL		0x04
9527#define NL80211_FLAG_CHECK_NETDEV_UP	0x08
9528#define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
9529					 NL80211_FLAG_CHECK_NETDEV_UP)
9530#define NL80211_FLAG_NEED_WDEV		0x10
9531/* If a netdev is associated, it must be UP, P2P must be started */
9532#define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
9533					 NL80211_FLAG_CHECK_NETDEV_UP)
9534#define NL80211_FLAG_CLEAR_SKB		0x20
9535
9536static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
9537			    struct genl_info *info)
9538{
9539	struct cfg80211_registered_device *rdev;
9540	struct wireless_dev *wdev;
9541	struct net_device *dev;
9542	bool rtnl = ops->internal_flags & NL80211_FLAG_NEED_RTNL;
9543
9544	if (rtnl)
9545		rtnl_lock();
9546
9547	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
9548		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
9549		if (IS_ERR(rdev)) {
9550			if (rtnl)
9551				rtnl_unlock();
9552			return PTR_ERR(rdev);
9553		}
9554		info->user_ptr[0] = rdev;
9555	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
9556		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
9557		ASSERT_RTNL();
9558
9559		wdev = __cfg80211_wdev_from_attrs(genl_info_net(info),
9560						  info->attrs);
9561		if (IS_ERR(wdev)) {
9562			if (rtnl)
9563				rtnl_unlock();
9564			return PTR_ERR(wdev);
9565		}
9566
9567		dev = wdev->netdev;
9568		rdev = wiphy_to_rdev(wdev->wiphy);
9569
9570		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
9571			if (!dev) {
9572				if (rtnl)
9573					rtnl_unlock();
9574				return -EINVAL;
9575			}
9576
9577			info->user_ptr[1] = dev;
9578		} else {
9579			info->user_ptr[1] = wdev;
9580		}
9581
9582		if (dev) {
9583			if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
9584			    !netif_running(dev)) {
9585				if (rtnl)
9586					rtnl_unlock();
9587				return -ENETDOWN;
9588			}
9589
9590			dev_hold(dev);
9591		} else if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP) {
9592			if (!wdev->p2p_started) {
9593				if (rtnl)
9594					rtnl_unlock();
9595				return -ENETDOWN;
9596			}
9597		}
9598
9599		info->user_ptr[0] = rdev;
9600	}
9601
9602	return 0;
9603}
9604
9605static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
9606			      struct genl_info *info)
9607{
9608	if (info->user_ptr[1]) {
9609		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
9610			struct wireless_dev *wdev = info->user_ptr[1];
9611
9612			if (wdev->netdev)
9613				dev_put(wdev->netdev);
9614		} else {
9615			dev_put(info->user_ptr[1]);
9616		}
9617	}
9618
9619	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
9620		rtnl_unlock();
9621
9622	/* If needed, clear the netlink message payload from the SKB
9623	 * as it might contain key data that shouldn't stick around on
9624	 * the heap after the SKB is freed. The netlink message header
9625	 * is still needed for further processing, so leave it intact.
9626	 */
9627	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
9628		struct nlmsghdr *nlh = nlmsg_hdr(skb);
9629
9630		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
9631	}
9632}
9633
9634static const struct genl_ops nl80211_ops[] = {
9635	{
9636		.cmd = NL80211_CMD_GET_WIPHY,
9637		.doit = nl80211_get_wiphy,
9638		.dumpit = nl80211_dump_wiphy,
9639		.done = nl80211_dump_wiphy_done,
9640		.policy = nl80211_policy,
9641		/* can be retrieved by unprivileged users */
9642		.internal_flags = NL80211_FLAG_NEED_WIPHY |
9643				  NL80211_FLAG_NEED_RTNL,
9644	},
9645	{
9646		.cmd = NL80211_CMD_SET_WIPHY,
9647		.doit = nl80211_set_wiphy,
9648		.policy = nl80211_policy,
9649		.flags = GENL_ADMIN_PERM,
9650		.internal_flags = NL80211_FLAG_NEED_RTNL,
9651	},
9652	{
9653		.cmd = NL80211_CMD_GET_INTERFACE,
9654		.doit = nl80211_get_interface,
9655		.dumpit = nl80211_dump_interface,
9656		.policy = nl80211_policy,
9657		/* can be retrieved by unprivileged users */
9658		.internal_flags = NL80211_FLAG_NEED_WDEV |
9659				  NL80211_FLAG_NEED_RTNL,
9660	},
9661	{
9662		.cmd = NL80211_CMD_SET_INTERFACE,
9663		.doit = nl80211_set_interface,
9664		.policy = nl80211_policy,
9665		.flags = GENL_ADMIN_PERM,
9666		.internal_flags = NL80211_FLAG_NEED_NETDEV |
9667				  NL80211_FLAG_NEED_RTNL,
9668	},
9669	{
9670		.cmd = NL80211_CMD_NEW_INTERFACE,
9671		.doit = nl80211_new_interface,
9672		.policy = nl80211_policy,
9673		.flags = GENL_ADMIN_PERM,
9674		.internal_flags = NL80211_FLAG_NEED_WIPHY |
9675				  NL80211_FLAG_NEED_RTNL,
9676	},
9677	{
9678		.cmd = NL80211_CMD_DEL_INTERFACE,
9679		.doit = nl80211_del_interface,
9680		.policy = nl80211_policy,
9681		.flags = GENL_ADMIN_PERM,
9682		.internal_flags = NL80211_FLAG_NEED_WDEV |
9683				  NL80211_FLAG_NEED_RTNL,
9684	},
9685	{
9686		.cmd = NL80211_CMD_GET_KEY,
9687		.doit = nl80211_get_key,
9688		.policy = nl80211_policy,
9689		.flags = GENL_ADMIN_PERM,
9690		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9691				  NL80211_FLAG_NEED_RTNL,
9692	},
9693	{
9694		.cmd = NL80211_CMD_SET_KEY,
9695		.doit = nl80211_set_key,
9696		.policy = nl80211_policy,
9697		.flags = GENL_ADMIN_PERM,
9698		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9699				  NL80211_FLAG_NEED_RTNL |
9700				  NL80211_FLAG_CLEAR_SKB,
9701	},
9702	{
9703		.cmd = NL80211_CMD_NEW_KEY,
9704		.doit = nl80211_new_key,
9705		.policy = nl80211_policy,
9706		.flags = GENL_ADMIN_PERM,
9707		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9708				  NL80211_FLAG_NEED_RTNL |
9709				  NL80211_FLAG_CLEAR_SKB,
9710	},
9711	{
9712		.cmd = NL80211_CMD_DEL_KEY,
9713		.doit = nl80211_del_key,
9714		.policy = nl80211_policy,
9715		.flags = GENL_ADMIN_PERM,
9716		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9717				  NL80211_FLAG_NEED_RTNL,
9718	},
9719	{
9720		.cmd = NL80211_CMD_SET_BEACON,
9721		.policy = nl80211_policy,
9722		.flags = GENL_ADMIN_PERM,
9723		.doit = nl80211_set_beacon,
9724		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9725				  NL80211_FLAG_NEED_RTNL,
9726	},
9727	{
9728		.cmd = NL80211_CMD_START_AP,
9729		.policy = nl80211_policy,
9730		.flags = GENL_ADMIN_PERM,
9731		.doit = nl80211_start_ap,
9732		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9733				  NL80211_FLAG_NEED_RTNL,
9734	},
9735	{
9736		.cmd = NL80211_CMD_STOP_AP,
9737		.policy = nl80211_policy,
9738		.flags = GENL_ADMIN_PERM,
9739		.doit = nl80211_stop_ap,
9740		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9741				  NL80211_FLAG_NEED_RTNL,
9742	},
9743	{
9744		.cmd = NL80211_CMD_GET_STATION,
9745		.doit = nl80211_get_station,
9746		.dumpit = nl80211_dump_station,
9747		.policy = nl80211_policy,
9748		.internal_flags = NL80211_FLAG_NEED_NETDEV |
9749				  NL80211_FLAG_NEED_RTNL,
9750	},
9751	{
9752		.cmd = NL80211_CMD_SET_STATION,
9753		.doit = nl80211_set_station,
9754		.policy = nl80211_policy,
9755		.flags = GENL_ADMIN_PERM,
9756		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9757				  NL80211_FLAG_NEED_RTNL,
9758	},
9759	{
9760		.cmd = NL80211_CMD_NEW_STATION,
9761		.doit = nl80211_new_station,
9762		.policy = nl80211_policy,
9763		.flags = GENL_ADMIN_PERM,
9764		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9765				  NL80211_FLAG_NEED_RTNL,
9766	},
9767	{
9768		.cmd = NL80211_CMD_DEL_STATION,
9769		.doit = nl80211_del_station,
9770		.policy = nl80211_policy,
9771		.flags = GENL_ADMIN_PERM,
9772		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9773				  NL80211_FLAG_NEED_RTNL,
9774	},
9775	{
9776		.cmd = NL80211_CMD_GET_MPATH,
9777		.doit = nl80211_get_mpath,
9778		.dumpit = nl80211_dump_mpath,
9779		.policy = nl80211_policy,
9780		.flags = GENL_ADMIN_PERM,
9781		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9782				  NL80211_FLAG_NEED_RTNL,
9783	},
9784	{
9785		.cmd = NL80211_CMD_SET_MPATH,
9786		.doit = nl80211_set_mpath,
9787		.policy = nl80211_policy,
9788		.flags = GENL_ADMIN_PERM,
9789		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9790				  NL80211_FLAG_NEED_RTNL,
9791	},
9792	{
9793		.cmd = NL80211_CMD_NEW_MPATH,
9794		.doit = nl80211_new_mpath,
9795		.policy = nl80211_policy,
9796		.flags = GENL_ADMIN_PERM,
9797		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9798				  NL80211_FLAG_NEED_RTNL,
9799	},
9800	{
9801		.cmd = NL80211_CMD_DEL_MPATH,
9802		.doit = nl80211_del_mpath,
9803		.policy = nl80211_policy,
9804		.flags = GENL_ADMIN_PERM,
9805		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9806				  NL80211_FLAG_NEED_RTNL,
9807	},
9808	{
9809		.cmd = NL80211_CMD_SET_BSS,
9810		.doit = nl80211_set_bss,
9811		.policy = nl80211_policy,
9812		.flags = GENL_ADMIN_PERM,
9813		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9814				  NL80211_FLAG_NEED_RTNL,
9815	},
9816	{
9817		.cmd = NL80211_CMD_GET_REG,
9818		.doit = nl80211_get_reg,
9819		.policy = nl80211_policy,
9820		.internal_flags = NL80211_FLAG_NEED_RTNL,
9821		/* can be retrieved by unprivileged users */
9822	},
9823	{
9824		.cmd = NL80211_CMD_SET_REG,
9825		.doit = nl80211_set_reg,
9826		.policy = nl80211_policy,
9827		.flags = GENL_ADMIN_PERM,
9828		.internal_flags = NL80211_FLAG_NEED_RTNL,
9829	},
9830	{
9831		.cmd = NL80211_CMD_REQ_SET_REG,
9832		.doit = nl80211_req_set_reg,
9833		.policy = nl80211_policy,
9834		.flags = GENL_ADMIN_PERM,
9835	},
9836	{
9837		.cmd = NL80211_CMD_GET_MESH_CONFIG,
9838		.doit = nl80211_get_mesh_config,
9839		.policy = nl80211_policy,
9840		/* can be retrieved by unprivileged users */
9841		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9842				  NL80211_FLAG_NEED_RTNL,
9843	},
9844	{
9845		.cmd = NL80211_CMD_SET_MESH_CONFIG,
9846		.doit = nl80211_update_mesh_config,
9847		.policy = nl80211_policy,
9848		.flags = GENL_ADMIN_PERM,
9849		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9850				  NL80211_FLAG_NEED_RTNL,
9851	},
9852	{
9853		.cmd = NL80211_CMD_TRIGGER_SCAN,
9854		.doit = nl80211_trigger_scan,
9855		.policy = nl80211_policy,
9856		.flags = GENL_ADMIN_PERM,
9857		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
9858				  NL80211_FLAG_NEED_RTNL,
9859	},
9860	{
9861		.cmd = NL80211_CMD_GET_SCAN,
9862		.policy = nl80211_policy,
9863		.dumpit = nl80211_dump_scan,
9864	},
9865	{
9866		.cmd = NL80211_CMD_START_SCHED_SCAN,
9867		.doit = nl80211_start_sched_scan,
9868		.policy = nl80211_policy,
9869		.flags = GENL_ADMIN_PERM,
9870		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9871				  NL80211_FLAG_NEED_RTNL,
9872	},
9873	{
9874		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
9875		.doit = nl80211_stop_sched_scan,
9876		.policy = nl80211_policy,
9877		.flags = GENL_ADMIN_PERM,
9878		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9879				  NL80211_FLAG_NEED_RTNL,
9880	},
9881	{
9882		.cmd = NL80211_CMD_AUTHENTICATE,
9883		.doit = nl80211_authenticate,
9884		.policy = nl80211_policy,
9885		.flags = GENL_ADMIN_PERM,
9886		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9887				  NL80211_FLAG_NEED_RTNL |
9888				  NL80211_FLAG_CLEAR_SKB,
9889	},
9890	{
9891		.cmd = NL80211_CMD_ASSOCIATE,
9892		.doit = nl80211_associate,
9893		.policy = nl80211_policy,
9894		.flags = GENL_ADMIN_PERM,
9895		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9896				  NL80211_FLAG_NEED_RTNL,
9897	},
9898	{
9899		.cmd = NL80211_CMD_DEAUTHENTICATE,
9900		.doit = nl80211_deauthenticate,
9901		.policy = nl80211_policy,
9902		.flags = GENL_ADMIN_PERM,
9903		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9904				  NL80211_FLAG_NEED_RTNL,
9905	},
9906	{
9907		.cmd = NL80211_CMD_DISASSOCIATE,
9908		.doit = nl80211_disassociate,
9909		.policy = nl80211_policy,
9910		.flags = GENL_ADMIN_PERM,
9911		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9912				  NL80211_FLAG_NEED_RTNL,
9913	},
9914	{
9915		.cmd = NL80211_CMD_JOIN_IBSS,
9916		.doit = nl80211_join_ibss,
9917		.policy = nl80211_policy,
9918		.flags = GENL_ADMIN_PERM,
9919		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9920				  NL80211_FLAG_NEED_RTNL,
9921	},
9922	{
9923		.cmd = NL80211_CMD_LEAVE_IBSS,
9924		.doit = nl80211_leave_ibss,
9925		.policy = nl80211_policy,
9926		.flags = GENL_ADMIN_PERM,
9927		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9928				  NL80211_FLAG_NEED_RTNL,
9929	},
9930#ifdef CONFIG_NL80211_TESTMODE
9931	{
9932		.cmd = NL80211_CMD_TESTMODE,
9933		.doit = nl80211_testmode_do,
9934		.dumpit = nl80211_testmode_dump,
9935		.policy = nl80211_policy,
9936		.flags = GENL_ADMIN_PERM,
9937		.internal_flags = NL80211_FLAG_NEED_WIPHY |
9938				  NL80211_FLAG_NEED_RTNL,
9939	},
9940#endif
9941	{
9942		.cmd = NL80211_CMD_CONNECT,
9943		.doit = nl80211_connect,
9944		.policy = nl80211_policy,
9945		.flags = GENL_ADMIN_PERM,
9946		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9947				  NL80211_FLAG_NEED_RTNL,
9948	},
9949	{
9950		.cmd = NL80211_CMD_DISCONNECT,
9951		.doit = nl80211_disconnect,
9952		.policy = nl80211_policy,
9953		.flags = GENL_ADMIN_PERM,
9954		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9955				  NL80211_FLAG_NEED_RTNL,
9956	},
9957	{
9958		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
9959		.doit = nl80211_wiphy_netns,
9960		.policy = nl80211_policy,
9961		.flags = GENL_ADMIN_PERM,
9962		.internal_flags = NL80211_FLAG_NEED_WIPHY |
9963				  NL80211_FLAG_NEED_RTNL,
9964	},
9965	{
9966		.cmd = NL80211_CMD_GET_SURVEY,
9967		.policy = nl80211_policy,
9968		.dumpit = nl80211_dump_survey,
9969	},
9970	{
9971		.cmd = NL80211_CMD_SET_PMKSA,
9972		.doit = nl80211_setdel_pmksa,
9973		.policy = nl80211_policy,
9974		.flags = GENL_ADMIN_PERM,
9975		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9976				  NL80211_FLAG_NEED_RTNL,
9977	},
9978	{
9979		.cmd = NL80211_CMD_DEL_PMKSA,
9980		.doit = nl80211_setdel_pmksa,
9981		.policy = nl80211_policy,
9982		.flags = GENL_ADMIN_PERM,
9983		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9984				  NL80211_FLAG_NEED_RTNL,
9985	},
9986	{
9987		.cmd = NL80211_CMD_FLUSH_PMKSA,
9988		.doit = nl80211_flush_pmksa,
9989		.policy = nl80211_policy,
9990		.flags = GENL_ADMIN_PERM,
9991		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9992				  NL80211_FLAG_NEED_RTNL,
9993	},
9994	{
9995		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
9996		.doit = nl80211_remain_on_channel,
9997		.policy = nl80211_policy,
9998		.flags = GENL_ADMIN_PERM,
9999		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10000				  NL80211_FLAG_NEED_RTNL,
10001	},
10002	{
10003		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
10004		.doit = nl80211_cancel_remain_on_channel,
10005		.policy = nl80211_policy,
10006		.flags = GENL_ADMIN_PERM,
10007		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10008				  NL80211_FLAG_NEED_RTNL,
10009	},
10010	{
10011		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
10012		.doit = nl80211_set_tx_bitrate_mask,
10013		.policy = nl80211_policy,
10014		.flags = GENL_ADMIN_PERM,
10015		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10016				  NL80211_FLAG_NEED_RTNL,
10017	},
10018	{
10019		.cmd = NL80211_CMD_REGISTER_FRAME,
10020		.doit = nl80211_register_mgmt,
10021		.policy = nl80211_policy,
10022		.flags = GENL_ADMIN_PERM,
10023		.internal_flags = NL80211_FLAG_NEED_WDEV |
10024				  NL80211_FLAG_NEED_RTNL,
10025	},
10026	{
10027		.cmd = NL80211_CMD_FRAME,
10028		.doit = nl80211_tx_mgmt,
10029		.policy = nl80211_policy,
10030		.flags = GENL_ADMIN_PERM,
10031		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10032				  NL80211_FLAG_NEED_RTNL,
10033	},
10034	{
10035		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
10036		.doit = nl80211_tx_mgmt_cancel_wait,
10037		.policy = nl80211_policy,
10038		.flags = GENL_ADMIN_PERM,
10039		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10040				  NL80211_FLAG_NEED_RTNL,
10041	},
10042	{
10043		.cmd = NL80211_CMD_SET_POWER_SAVE,
10044		.doit = nl80211_set_power_save,
10045		.policy = nl80211_policy,
10046		.flags = GENL_ADMIN_PERM,
10047		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10048				  NL80211_FLAG_NEED_RTNL,
10049	},
10050	{
10051		.cmd = NL80211_CMD_GET_POWER_SAVE,
10052		.doit = nl80211_get_power_save,
10053		.policy = nl80211_policy,
10054		/* can be retrieved by unprivileged users */
10055		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10056				  NL80211_FLAG_NEED_RTNL,
10057	},
10058	{
10059		.cmd = NL80211_CMD_SET_CQM,
10060		.doit = nl80211_set_cqm,
10061		.policy = nl80211_policy,
10062		.flags = GENL_ADMIN_PERM,
10063		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10064				  NL80211_FLAG_NEED_RTNL,
10065	},
10066	{
10067		.cmd = NL80211_CMD_SET_CHANNEL,
10068		.doit = nl80211_set_channel,
10069		.policy = nl80211_policy,
10070		.flags = GENL_ADMIN_PERM,
10071		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10072				  NL80211_FLAG_NEED_RTNL,
10073	},
10074	{
10075		.cmd = NL80211_CMD_SET_WDS_PEER,
10076		.doit = nl80211_set_wds_peer,
10077		.policy = nl80211_policy,
10078		.flags = GENL_ADMIN_PERM,
10079		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10080				  NL80211_FLAG_NEED_RTNL,
10081	},
10082	{
10083		.cmd = NL80211_CMD_JOIN_MESH,
10084		.doit = nl80211_join_mesh,
10085		.policy = nl80211_policy,
10086		.flags = GENL_ADMIN_PERM,
10087		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10088				  NL80211_FLAG_NEED_RTNL,
10089	},
10090	{
10091		.cmd = NL80211_CMD_LEAVE_MESH,
10092		.doit = nl80211_leave_mesh,
10093		.policy = nl80211_policy,
10094		.flags = GENL_ADMIN_PERM,
10095		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10096				  NL80211_FLAG_NEED_RTNL,
10097	},
10098#ifdef CONFIG_PM
10099	{
10100		.cmd = NL80211_CMD_GET_WOWLAN,
10101		.doit = nl80211_get_wowlan,
10102		.policy = nl80211_policy,
10103		/* can be retrieved by unprivileged users */
10104		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10105				  NL80211_FLAG_NEED_RTNL,
10106	},
10107	{
10108		.cmd = NL80211_CMD_SET_WOWLAN,
10109		.doit = nl80211_set_wowlan,
10110		.policy = nl80211_policy,
10111		.flags = GENL_ADMIN_PERM,
10112		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10113				  NL80211_FLAG_NEED_RTNL,
10114	},
10115#endif
10116	{
10117		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
10118		.doit = nl80211_set_rekey_data,
10119		.policy = nl80211_policy,
10120		.flags = GENL_ADMIN_PERM,
10121		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10122				  NL80211_FLAG_NEED_RTNL |
10123				  NL80211_FLAG_CLEAR_SKB,
10124	},
10125	{
10126		.cmd = NL80211_CMD_TDLS_MGMT,
10127		.doit = nl80211_tdls_mgmt,
10128		.policy = nl80211_policy,
10129		.flags = GENL_ADMIN_PERM,
10130		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10131				  NL80211_FLAG_NEED_RTNL,
10132	},
10133	{
10134		.cmd = NL80211_CMD_TDLS_OPER,
10135		.doit = nl80211_tdls_oper,
10136		.policy = nl80211_policy,
10137		.flags = GENL_ADMIN_PERM,
10138		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10139				  NL80211_FLAG_NEED_RTNL,
10140	},
10141	{
10142		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
10143		.doit = nl80211_register_unexpected_frame,
10144		.policy = nl80211_policy,
10145		.flags = GENL_ADMIN_PERM,
10146		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10147				  NL80211_FLAG_NEED_RTNL,
10148	},
10149	{
10150		.cmd = NL80211_CMD_PROBE_CLIENT,
10151		.doit = nl80211_probe_client,
10152		.policy = nl80211_policy,
10153		.flags = GENL_ADMIN_PERM,
10154		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10155				  NL80211_FLAG_NEED_RTNL,
10156	},
10157	{
10158		.cmd = NL80211_CMD_REGISTER_BEACONS,
10159		.doit = nl80211_register_beacons,
10160		.policy = nl80211_policy,
10161		.flags = GENL_ADMIN_PERM,
10162		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10163				  NL80211_FLAG_NEED_RTNL,
10164	},
10165	{
10166		.cmd = NL80211_CMD_SET_NOACK_MAP,
10167		.doit = nl80211_set_noack_map,
10168		.policy = nl80211_policy,
10169		.flags = GENL_ADMIN_PERM,
10170		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10171				  NL80211_FLAG_NEED_RTNL,
10172	},
10173	{
10174		.cmd = NL80211_CMD_START_P2P_DEVICE,
10175		.doit = nl80211_start_p2p_device,
10176		.policy = nl80211_policy,
10177		.flags = GENL_ADMIN_PERM,
10178		.internal_flags = NL80211_FLAG_NEED_WDEV |
10179				  NL80211_FLAG_NEED_RTNL,
10180	},
10181	{
10182		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
10183		.doit = nl80211_stop_p2p_device,
10184		.policy = nl80211_policy,
10185		.flags = GENL_ADMIN_PERM,
10186		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10187				  NL80211_FLAG_NEED_RTNL,
10188	},
10189	{
10190		.cmd = NL80211_CMD_SET_MCAST_RATE,
10191		.doit = nl80211_set_mcast_rate,
10192		.policy = nl80211_policy,
10193		.flags = GENL_ADMIN_PERM,
10194		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10195				  NL80211_FLAG_NEED_RTNL,
10196	},
10197	{
10198		.cmd = NL80211_CMD_SET_MAC_ACL,
10199		.doit = nl80211_set_mac_acl,
10200		.policy = nl80211_policy,
10201		.flags = GENL_ADMIN_PERM,
10202		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10203				  NL80211_FLAG_NEED_RTNL,
10204	},
10205	{
10206		.cmd = NL80211_CMD_RADAR_DETECT,
10207		.doit = nl80211_start_radar_detection,
10208		.policy = nl80211_policy,
10209		.flags = GENL_ADMIN_PERM,
10210		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10211				  NL80211_FLAG_NEED_RTNL,
10212	},
10213	{
10214		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
10215		.doit = nl80211_get_protocol_features,
10216		.policy = nl80211_policy,
10217	},
10218	{
10219		.cmd = NL80211_CMD_UPDATE_FT_IES,
10220		.doit = nl80211_update_ft_ies,
10221		.policy = nl80211_policy,
10222		.flags = GENL_ADMIN_PERM,
10223		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10224				  NL80211_FLAG_NEED_RTNL,
10225	},
10226	{
10227		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
10228		.doit = nl80211_crit_protocol_start,
10229		.policy = nl80211_policy,
10230		.flags = GENL_ADMIN_PERM,
10231		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10232				  NL80211_FLAG_NEED_RTNL,
10233	},
10234	{
10235		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
10236		.doit = nl80211_crit_protocol_stop,
10237		.policy = nl80211_policy,
10238		.flags = GENL_ADMIN_PERM,
10239		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10240				  NL80211_FLAG_NEED_RTNL,
10241	},
10242	{
10243		.cmd = NL80211_CMD_GET_COALESCE,
10244		.doit = nl80211_get_coalesce,
10245		.policy = nl80211_policy,
10246		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10247				  NL80211_FLAG_NEED_RTNL,
10248	},
10249	{
10250		.cmd = NL80211_CMD_SET_COALESCE,
10251		.doit = nl80211_set_coalesce,
10252		.policy = nl80211_policy,
10253		.flags = GENL_ADMIN_PERM,
10254		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10255				  NL80211_FLAG_NEED_RTNL,
10256	},
10257	{
10258		.cmd = NL80211_CMD_CHANNEL_SWITCH,
10259		.doit = nl80211_channel_switch,
10260		.policy = nl80211_policy,
10261		.flags = GENL_ADMIN_PERM,
10262		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10263				  NL80211_FLAG_NEED_RTNL,
10264	},
10265	{
10266		.cmd = NL80211_CMD_VENDOR,
10267		.doit = nl80211_vendor_cmd,
10268		.policy = nl80211_policy,
10269		.flags = GENL_ADMIN_PERM,
10270		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10271				  NL80211_FLAG_NEED_RTNL,
10272	},
10273	{
10274		.cmd = NL80211_CMD_SET_QOS_MAP,
10275		.doit = nl80211_set_qos_map,
10276		.policy = nl80211_policy,
10277		.flags = GENL_ADMIN_PERM,
10278		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10279				  NL80211_FLAG_NEED_RTNL,
10280	},
10281	{
10282		.cmd = NL80211_CMD_ADD_TX_TS,
10283		.doit = nl80211_add_tx_ts,
10284		.policy = nl80211_policy,
10285		.flags = GENL_ADMIN_PERM,
10286		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10287				  NL80211_FLAG_NEED_RTNL,
10288	},
10289	{
10290		.cmd = NL80211_CMD_DEL_TX_TS,
10291		.doit = nl80211_del_tx_ts,
10292		.policy = nl80211_policy,
10293		.flags = GENL_ADMIN_PERM,
10294		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10295				  NL80211_FLAG_NEED_RTNL,
10296	},
10297};
10298
10299/* notification functions */
10300
10301void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
10302			  enum nl80211_commands cmd)
10303{
10304	struct sk_buff *msg;
10305	struct nl80211_dump_wiphy_state state = {};
10306
10307	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
10308		cmd != NL80211_CMD_DEL_WIPHY);
10309
10310	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10311	if (!msg)
10312		return;
10313
10314	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
10315		nlmsg_free(msg);
10316		return;
10317	}
10318
10319	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10320				NL80211_MCGRP_CONFIG, GFP_KERNEL);
10321}
10322
10323static int nl80211_add_scan_req(struct sk_buff *msg,
10324				struct cfg80211_registered_device *rdev)
10325{
10326	struct cfg80211_scan_request *req = rdev->scan_req;
10327	struct nlattr *nest;
10328	int i;
10329
10330	if (WARN_ON(!req))
10331		return 0;
10332
10333	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_SSIDS);
10334	if (!nest)
10335		goto nla_put_failure;
10336	for (i = 0; i < req->n_ssids; i++) {
10337		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
10338			goto nla_put_failure;
10339	}
10340	nla_nest_end(msg, nest);
10341
10342	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
10343	if (!nest)
10344		goto nla_put_failure;
10345	for (i = 0; i < req->n_channels; i++) {
10346		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
10347			goto nla_put_failure;
10348	}
10349	nla_nest_end(msg, nest);
10350
10351	if (req->ie &&
10352	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
10353		goto nla_put_failure;
10354
10355	if (req->flags &&
10356	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
10357		goto nla_put_failure;
10358
10359	return 0;
10360 nla_put_failure:
10361	return -ENOBUFS;
10362}
10363
10364static int nl80211_send_scan_msg(struct sk_buff *msg,
10365				 struct cfg80211_registered_device *rdev,
10366				 struct wireless_dev *wdev,
10367				 u32 portid, u32 seq, int flags,
10368				 u32 cmd)
10369{
10370	void *hdr;
10371
10372	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
10373	if (!hdr)
10374		return -1;
10375
10376	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10377	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
10378					 wdev->netdev->ifindex)) ||
10379	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
10380		goto nla_put_failure;
10381
10382	/* ignore errors and send incomplete event anyway */
10383	nl80211_add_scan_req(msg, rdev);
10384
10385	return genlmsg_end(msg, hdr);
10386
10387 nla_put_failure:
10388	genlmsg_cancel(msg, hdr);
10389	return -EMSGSIZE;
10390}
10391
10392static int
10393nl80211_send_sched_scan_msg(struct sk_buff *msg,
10394			    struct cfg80211_registered_device *rdev,
10395			    struct net_device *netdev,
10396			    u32 portid, u32 seq, int flags, u32 cmd)
10397{
10398	void *hdr;
10399
10400	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
10401	if (!hdr)
10402		return -1;
10403
10404	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10405	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
10406		goto nla_put_failure;
10407
10408	return genlmsg_end(msg, hdr);
10409
10410 nla_put_failure:
10411	genlmsg_cancel(msg, hdr);
10412	return -EMSGSIZE;
10413}
10414
10415void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
10416			     struct wireless_dev *wdev)
10417{
10418	struct sk_buff *msg;
10419
10420	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10421	if (!msg)
10422		return;
10423
10424	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
10425				  NL80211_CMD_TRIGGER_SCAN) < 0) {
10426		nlmsg_free(msg);
10427		return;
10428	}
10429
10430	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10431				NL80211_MCGRP_SCAN, GFP_KERNEL);
10432}
10433
10434struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
10435				       struct wireless_dev *wdev, bool aborted)
10436{
10437	struct sk_buff *msg;
10438
10439	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10440	if (!msg)
10441		return NULL;
10442
10443	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
10444				  aborted ? NL80211_CMD_SCAN_ABORTED :
10445					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
10446		nlmsg_free(msg);
10447		return NULL;
10448	}
10449
10450	return msg;
10451}
10452
10453void nl80211_send_scan_result(struct cfg80211_registered_device *rdev,
10454			      struct sk_buff *msg)
10455{
10456	if (!msg)
10457		return;
10458
10459	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10460				NL80211_MCGRP_SCAN, GFP_KERNEL);
10461}
10462
10463void nl80211_send_sched_scan_results(struct cfg80211_registered_device *rdev,
10464				     struct net_device *netdev)
10465{
10466	struct sk_buff *msg;
10467
10468	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10469	if (!msg)
10470		return;
10471
10472	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0,
10473					NL80211_CMD_SCHED_SCAN_RESULTS) < 0) {
10474		nlmsg_free(msg);
10475		return;
10476	}
10477
10478	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10479				NL80211_MCGRP_SCAN, GFP_KERNEL);
10480}
10481
10482void nl80211_send_sched_scan(struct cfg80211_registered_device *rdev,
10483			     struct net_device *netdev, u32 cmd)
10484{
10485	struct sk_buff *msg;
10486
10487	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10488	if (!msg)
10489		return;
10490
10491	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0, cmd) < 0) {
10492		nlmsg_free(msg);
10493		return;
10494	}
10495
10496	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10497				NL80211_MCGRP_SCAN, GFP_KERNEL);
10498}
10499
10500/*
10501 * This can happen on global regulatory changes or device specific settings
10502 * based on custom world regulatory domains.
10503 */
10504void nl80211_send_reg_change_event(struct regulatory_request *request)
10505{
10506	struct sk_buff *msg;
10507	void *hdr;
10508
10509	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10510	if (!msg)
10511		return;
10512
10513	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_CHANGE);
10514	if (!hdr) {
10515		nlmsg_free(msg);
10516		return;
10517	}
10518
10519	/* Userspace can always count this one always being set */
10520	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
10521		goto nla_put_failure;
10522
10523	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
10524		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
10525			       NL80211_REGDOM_TYPE_WORLD))
10526			goto nla_put_failure;
10527	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
10528		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
10529			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
10530			goto nla_put_failure;
10531	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
10532		   request->intersect) {
10533		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
10534			       NL80211_REGDOM_TYPE_INTERSECTION))
10535			goto nla_put_failure;
10536	} else {
10537		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
10538			       NL80211_REGDOM_TYPE_COUNTRY) ||
10539		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
10540				   request->alpha2))
10541			goto nla_put_failure;
10542	}
10543
10544	if (request->wiphy_idx != WIPHY_IDX_INVALID &&
10545	    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
10546		goto nla_put_failure;
10547
10548	genlmsg_end(msg, hdr);
10549
10550	rcu_read_lock();
10551	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
10552				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
10553	rcu_read_unlock();
10554
10555	return;
10556
10557nla_put_failure:
10558	genlmsg_cancel(msg, hdr);
10559	nlmsg_free(msg);
10560}
10561
10562static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
10563				    struct net_device *netdev,
10564				    const u8 *buf, size_t len,
10565				    enum nl80211_commands cmd, gfp_t gfp,
10566				    int uapsd_queues)
10567{
10568	struct sk_buff *msg;
10569	void *hdr;
10570
10571	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10572	if (!msg)
10573		return;
10574
10575	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
10576	if (!hdr) {
10577		nlmsg_free(msg);
10578		return;
10579	}
10580
10581	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10582	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
10583	    nla_put(msg, NL80211_ATTR_FRAME, len, buf))
10584		goto nla_put_failure;
10585
10586	if (uapsd_queues >= 0) {
10587		struct nlattr *nla_wmm =
10588			nla_nest_start(msg, NL80211_ATTR_STA_WME);
10589		if (!nla_wmm)
10590			goto nla_put_failure;
10591
10592		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
10593			       uapsd_queues))
10594			goto nla_put_failure;
10595
10596		nla_nest_end(msg, nla_wmm);
10597	}
10598
10599	genlmsg_end(msg, hdr);
10600
10601	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10602				NL80211_MCGRP_MLME, gfp);
10603	return;
10604
10605 nla_put_failure:
10606	genlmsg_cancel(msg, hdr);
10607	nlmsg_free(msg);
10608}
10609
10610void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
10611			  struct net_device *netdev, const u8 *buf,
10612			  size_t len, gfp_t gfp)
10613{
10614	nl80211_send_mlme_event(rdev, netdev, buf, len,
10615				NL80211_CMD_AUTHENTICATE, gfp, -1);
10616}
10617
10618void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
10619			   struct net_device *netdev, const u8 *buf,
10620			   size_t len, gfp_t gfp, int uapsd_queues)
10621{
10622	nl80211_send_mlme_event(rdev, netdev, buf, len,
10623				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues);
10624}
10625
10626void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
10627			 struct net_device *netdev, const u8 *buf,
10628			 size_t len, gfp_t gfp)
10629{
10630	nl80211_send_mlme_event(rdev, netdev, buf, len,
10631				NL80211_CMD_DEAUTHENTICATE, gfp, -1);
10632}
10633
10634void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
10635			   struct net_device *netdev, const u8 *buf,
10636			   size_t len, gfp_t gfp)
10637{
10638	nl80211_send_mlme_event(rdev, netdev, buf, len,
10639				NL80211_CMD_DISASSOCIATE, gfp, -1);
10640}
10641
10642void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
10643				  size_t len)
10644{
10645	struct wireless_dev *wdev = dev->ieee80211_ptr;
10646	struct wiphy *wiphy = wdev->wiphy;
10647	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
10648	const struct ieee80211_mgmt *mgmt = (void *)buf;
10649	u32 cmd;
10650
10651	if (WARN_ON(len < 2))
10652		return;
10653
10654	if (ieee80211_is_deauth(mgmt->frame_control))
10655		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
10656	else
10657		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
10658
10659	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
10660	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1);
10661}
10662EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
10663
10664static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
10665				      struct net_device *netdev, int cmd,
10666				      const u8 *addr, gfp_t gfp)
10667{
10668	struct sk_buff *msg;
10669	void *hdr;
10670
10671	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10672	if (!msg)
10673		return;
10674
10675	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
10676	if (!hdr) {
10677		nlmsg_free(msg);
10678		return;
10679	}
10680
10681	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10682	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
10683	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
10684	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
10685		goto nla_put_failure;
10686
10687	genlmsg_end(msg, hdr);
10688
10689	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10690				NL80211_MCGRP_MLME, gfp);
10691	return;
10692
10693 nla_put_failure:
10694	genlmsg_cancel(msg, hdr);
10695	nlmsg_free(msg);
10696}
10697
10698void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
10699			       struct net_device *netdev, const u8 *addr,
10700			       gfp_t gfp)
10701{
10702	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
10703				  addr, gfp);
10704}
10705
10706void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
10707				struct net_device *netdev, const u8 *addr,
10708				gfp_t gfp)
10709{
10710	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
10711				  addr, gfp);
10712}
10713
10714void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
10715				 struct net_device *netdev, const u8 *bssid,
10716				 const u8 *req_ie, size_t req_ie_len,
10717				 const u8 *resp_ie, size_t resp_ie_len,
10718				 u16 status, gfp_t gfp)
10719{
10720	struct sk_buff *msg;
10721	void *hdr;
10722
10723	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10724	if (!msg)
10725		return;
10726
10727	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
10728	if (!hdr) {
10729		nlmsg_free(msg);
10730		return;
10731	}
10732
10733	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10734	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
10735	    (bssid && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid)) ||
10736	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE, status) ||
10737	    (req_ie &&
10738	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
10739	    (resp_ie &&
10740	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
10741		goto nla_put_failure;
10742
10743	genlmsg_end(msg, hdr);
10744
10745	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10746				NL80211_MCGRP_MLME, gfp);
10747	return;
10748
10749 nla_put_failure:
10750	genlmsg_cancel(msg, hdr);
10751	nlmsg_free(msg);
10752
10753}
10754
10755void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
10756			 struct net_device *netdev, const u8 *bssid,
10757			 const u8 *req_ie, size_t req_ie_len,
10758			 const u8 *resp_ie, size_t resp_ie_len, gfp_t gfp)
10759{
10760	struct sk_buff *msg;
10761	void *hdr;
10762
10763	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10764	if (!msg)
10765		return;
10766
10767	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
10768	if (!hdr) {
10769		nlmsg_free(msg);
10770		return;
10771	}
10772
10773	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10774	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
10775	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
10776	    (req_ie &&
10777	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
10778	    (resp_ie &&
10779	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
10780		goto nla_put_failure;
10781
10782	genlmsg_end(msg, hdr);
10783
10784	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10785				NL80211_MCGRP_MLME, gfp);
10786	return;
10787
10788 nla_put_failure:
10789	genlmsg_cancel(msg, hdr);
10790	nlmsg_free(msg);
10791
10792}
10793
10794void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
10795			       struct net_device *netdev, u16 reason,
10796			       const u8 *ie, size_t ie_len, bool from_ap)
10797{
10798	struct sk_buff *msg;
10799	void *hdr;
10800
10801	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10802	if (!msg)
10803		return;
10804
10805	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
10806	if (!hdr) {
10807		nlmsg_free(msg);
10808		return;
10809	}
10810
10811	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10812	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
10813	    (from_ap && reason &&
10814	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
10815	    (from_ap &&
10816	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
10817	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
10818		goto nla_put_failure;
10819
10820	genlmsg_end(msg, hdr);
10821
10822	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10823				NL80211_MCGRP_MLME, GFP_KERNEL);
10824	return;
10825
10826 nla_put_failure:
10827	genlmsg_cancel(msg, hdr);
10828	nlmsg_free(msg);
10829
10830}
10831
10832void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
10833			     struct net_device *netdev, const u8 *bssid,
10834			     gfp_t gfp)
10835{
10836	struct sk_buff *msg;
10837	void *hdr;
10838
10839	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10840	if (!msg)
10841		return;
10842
10843	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
10844	if (!hdr) {
10845		nlmsg_free(msg);
10846		return;
10847	}
10848
10849	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10850	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
10851	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
10852		goto nla_put_failure;
10853
10854	genlmsg_end(msg, hdr);
10855
10856	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10857				NL80211_MCGRP_MLME, gfp);
10858	return;
10859
10860 nla_put_failure:
10861	genlmsg_cancel(msg, hdr);
10862	nlmsg_free(msg);
10863}
10864
10865void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
10866					const u8* ie, u8 ie_len, gfp_t gfp)
10867{
10868	struct wireless_dev *wdev = dev->ieee80211_ptr;
10869	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
10870	struct sk_buff *msg;
10871	void *hdr;
10872
10873	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
10874		return;
10875
10876	trace_cfg80211_notify_new_peer_candidate(dev, addr);
10877
10878	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10879	if (!msg)
10880		return;
10881
10882	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
10883	if (!hdr) {
10884		nlmsg_free(msg);
10885		return;
10886	}
10887
10888	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10889	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
10890	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
10891	    (ie_len && ie &&
10892	     nla_put(msg, NL80211_ATTR_IE, ie_len , ie)))
10893		goto nla_put_failure;
10894
10895	genlmsg_end(msg, hdr);
10896
10897	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10898				NL80211_MCGRP_MLME, gfp);
10899	return;
10900
10901 nla_put_failure:
10902	genlmsg_cancel(msg, hdr);
10903	nlmsg_free(msg);
10904}
10905EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
10906
10907void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
10908				 struct net_device *netdev, const u8 *addr,
10909				 enum nl80211_key_type key_type, int key_id,
10910				 const u8 *tsc, gfp_t gfp)
10911{
10912	struct sk_buff *msg;
10913	void *hdr;
10914
10915	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10916	if (!msg)
10917		return;
10918
10919	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
10920	if (!hdr) {
10921		nlmsg_free(msg);
10922		return;
10923	}
10924
10925	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10926	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
10927	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
10928	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
10929	    (key_id != -1 &&
10930	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
10931	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
10932		goto nla_put_failure;
10933
10934	genlmsg_end(msg, hdr);
10935
10936	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10937				NL80211_MCGRP_MLME, gfp);
10938	return;
10939
10940 nla_put_failure:
10941	genlmsg_cancel(msg, hdr);
10942	nlmsg_free(msg);
10943}
10944
10945void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
10946				    struct ieee80211_channel *channel_before,
10947				    struct ieee80211_channel *channel_after)
10948{
10949	struct sk_buff *msg;
10950	void *hdr;
10951	struct nlattr *nl_freq;
10952
10953	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
10954	if (!msg)
10955		return;
10956
10957	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
10958	if (!hdr) {
10959		nlmsg_free(msg);
10960		return;
10961	}
10962
10963	/*
10964	 * Since we are applying the beacon hint to a wiphy we know its
10965	 * wiphy_idx is valid
10966	 */
10967	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
10968		goto nla_put_failure;
10969
10970	/* Before */
10971	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_BEFORE);
10972	if (!nl_freq)
10973		goto nla_put_failure;
10974	if (nl80211_msg_put_channel(msg, channel_before, false))
10975		goto nla_put_failure;
10976	nla_nest_end(msg, nl_freq);
10977
10978	/* After */
10979	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_AFTER);
10980	if (!nl_freq)
10981		goto nla_put_failure;
10982	if (nl80211_msg_put_channel(msg, channel_after, false))
10983		goto nla_put_failure;
10984	nla_nest_end(msg, nl_freq);
10985
10986	genlmsg_end(msg, hdr);
10987
10988	rcu_read_lock();
10989	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
10990				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
10991	rcu_read_unlock();
10992
10993	return;
10994
10995nla_put_failure:
10996	genlmsg_cancel(msg, hdr);
10997	nlmsg_free(msg);
10998}
10999
11000static void nl80211_send_remain_on_chan_event(
11001	int cmd, struct cfg80211_registered_device *rdev,
11002	struct wireless_dev *wdev, u64 cookie,
11003	struct ieee80211_channel *chan,
11004	unsigned int duration, gfp_t gfp)
11005{
11006	struct sk_buff *msg;
11007	void *hdr;
11008
11009	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11010	if (!msg)
11011		return;
11012
11013	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
11014	if (!hdr) {
11015		nlmsg_free(msg);
11016		return;
11017	}
11018
11019	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11020	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
11021					 wdev->netdev->ifindex)) ||
11022	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
11023	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
11024	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
11025			NL80211_CHAN_NO_HT) ||
11026	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
11027		goto nla_put_failure;
11028
11029	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
11030	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
11031		goto nla_put_failure;
11032
11033	genlmsg_end(msg, hdr);
11034
11035	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11036				NL80211_MCGRP_MLME, gfp);
11037	return;
11038
11039 nla_put_failure:
11040	genlmsg_cancel(msg, hdr);
11041	nlmsg_free(msg);
11042}
11043
11044void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
11045			       struct ieee80211_channel *chan,
11046			       unsigned int duration, gfp_t gfp)
11047{
11048	struct wiphy *wiphy = wdev->wiphy;
11049	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11050
11051	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
11052	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
11053					  rdev, wdev, cookie, chan,
11054					  duration, gfp);
11055}
11056EXPORT_SYMBOL(cfg80211_ready_on_channel);
11057
11058void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
11059					struct ieee80211_channel *chan,
11060					gfp_t gfp)
11061{
11062	struct wiphy *wiphy = wdev->wiphy;
11063	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11064
11065	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
11066	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
11067					  rdev, wdev, cookie, chan, 0, gfp);
11068}
11069EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
11070
11071void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
11072		      struct station_info *sinfo, gfp_t gfp)
11073{
11074	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
11075	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11076	struct sk_buff *msg;
11077
11078	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
11079
11080	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11081	if (!msg)
11082		return;
11083
11084	if (nl80211_send_station(msg, 0, 0, 0,
11085				 rdev, dev, mac_addr, sinfo) < 0) {
11086		nlmsg_free(msg);
11087		return;
11088	}
11089
11090	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11091				NL80211_MCGRP_MLME, gfp);
11092}
11093EXPORT_SYMBOL(cfg80211_new_sta);
11094
11095void cfg80211_del_sta(struct net_device *dev, const u8 *mac_addr, gfp_t gfp)
11096{
11097	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
11098	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11099	struct sk_buff *msg;
11100	void *hdr;
11101
11102	trace_cfg80211_del_sta(dev, mac_addr);
11103
11104	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11105	if (!msg)
11106		return;
11107
11108	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_STATION);
11109	if (!hdr) {
11110		nlmsg_free(msg);
11111		return;
11112	}
11113
11114	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11115	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
11116		goto nla_put_failure;
11117
11118	genlmsg_end(msg, hdr);
11119
11120	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11121				NL80211_MCGRP_MLME, gfp);
11122	return;
11123
11124 nla_put_failure:
11125	genlmsg_cancel(msg, hdr);
11126	nlmsg_free(msg);
11127}
11128EXPORT_SYMBOL(cfg80211_del_sta);
11129
11130void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
11131			  enum nl80211_connect_failed_reason reason,
11132			  gfp_t gfp)
11133{
11134	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
11135	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11136	struct sk_buff *msg;
11137	void *hdr;
11138
11139	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
11140	if (!msg)
11141		return;
11142
11143	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
11144	if (!hdr) {
11145		nlmsg_free(msg);
11146		return;
11147	}
11148
11149	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11150	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
11151	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
11152		goto nla_put_failure;
11153
11154	genlmsg_end(msg, hdr);
11155
11156	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11157				NL80211_MCGRP_MLME, gfp);
11158	return;
11159
11160 nla_put_failure:
11161	genlmsg_cancel(msg, hdr);
11162	nlmsg_free(msg);
11163}
11164EXPORT_SYMBOL(cfg80211_conn_failed);
11165
11166static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
11167				       const u8 *addr, gfp_t gfp)
11168{
11169	struct wireless_dev *wdev = dev->ieee80211_ptr;
11170	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
11171	struct sk_buff *msg;
11172	void *hdr;
11173	u32 nlportid = ACCESS_ONCE(wdev->ap_unexpected_nlportid);
11174
11175	if (!nlportid)
11176		return false;
11177
11178	msg = nlmsg_new(100, gfp);
11179	if (!msg)
11180		return true;
11181
11182	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
11183	if (!hdr) {
11184		nlmsg_free(msg);
11185		return true;
11186	}
11187
11188	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11189	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11190	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
11191		goto nla_put_failure;
11192
11193	genlmsg_end(msg, hdr);
11194	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
11195	return true;
11196
11197 nla_put_failure:
11198	genlmsg_cancel(msg, hdr);
11199	nlmsg_free(msg);
11200	return true;
11201}
11202
11203bool cfg80211_rx_spurious_frame(struct net_device *dev,
11204				const u8 *addr, gfp_t gfp)
11205{
11206	struct wireless_dev *wdev = dev->ieee80211_ptr;
11207	bool ret;
11208
11209	trace_cfg80211_rx_spurious_frame(dev, addr);
11210
11211	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
11212		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
11213		trace_cfg80211_return_bool(false);
11214		return false;
11215	}
11216	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
11217					 addr, gfp);
11218	trace_cfg80211_return_bool(ret);
11219	return ret;
11220}
11221EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
11222
11223bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
11224					const u8 *addr, gfp_t gfp)
11225{
11226	struct wireless_dev *wdev = dev->ieee80211_ptr;
11227	bool ret;
11228
11229	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
11230
11231	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
11232		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
11233		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
11234		trace_cfg80211_return_bool(false);
11235		return false;
11236	}
11237	ret = __nl80211_unexpected_frame(dev,
11238					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
11239					 addr, gfp);
11240	trace_cfg80211_return_bool(ret);
11241	return ret;
11242}
11243EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
11244
11245int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
11246		      struct wireless_dev *wdev, u32 nlportid,
11247		      int freq, int sig_dbm,
11248		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
11249{
11250	struct net_device *netdev = wdev->netdev;
11251	struct sk_buff *msg;
11252	void *hdr;
11253
11254	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11255	if (!msg)
11256		return -ENOMEM;
11257
11258	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
11259	if (!hdr) {
11260		nlmsg_free(msg);
11261		return -ENOMEM;
11262	}
11263
11264	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11265	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
11266					netdev->ifindex)) ||
11267	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
11268	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq) ||
11269	    (sig_dbm &&
11270	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
11271	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
11272	    (flags &&
11273	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
11274		goto nla_put_failure;
11275
11276	genlmsg_end(msg, hdr);
11277
11278	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
11279
11280 nla_put_failure:
11281	genlmsg_cancel(msg, hdr);
11282	nlmsg_free(msg);
11283	return -ENOBUFS;
11284}
11285
11286void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
11287			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
11288{
11289	struct wiphy *wiphy = wdev->wiphy;
11290	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11291	struct net_device *netdev = wdev->netdev;
11292	struct sk_buff *msg;
11293	void *hdr;
11294
11295	trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
11296
11297	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11298	if (!msg)
11299		return;
11300
11301	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME_TX_STATUS);
11302	if (!hdr) {
11303		nlmsg_free(msg);
11304		return;
11305	}
11306
11307	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11308	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
11309				   netdev->ifindex)) ||
11310	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
11311	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
11312	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie) ||
11313	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
11314		goto nla_put_failure;
11315
11316	genlmsg_end(msg, hdr);
11317
11318	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11319				NL80211_MCGRP_MLME, gfp);
11320	return;
11321
11322 nla_put_failure:
11323	genlmsg_cancel(msg, hdr);
11324	nlmsg_free(msg);
11325}
11326EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
11327
11328void cfg80211_cqm_rssi_notify(struct net_device *dev,
11329			      enum nl80211_cqm_rssi_threshold_event rssi_event,
11330			      gfp_t gfp)
11331{
11332	struct wireless_dev *wdev = dev->ieee80211_ptr;
11333	struct wiphy *wiphy = wdev->wiphy;
11334	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11335	struct sk_buff *msg;
11336	struct nlattr *pinfoattr;
11337	void *hdr;
11338
11339	trace_cfg80211_cqm_rssi_notify(dev, rssi_event);
11340
11341	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11342	if (!msg)
11343		return;
11344
11345	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
11346	if (!hdr) {
11347		nlmsg_free(msg);
11348		return;
11349	}
11350
11351	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11352	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
11353		goto nla_put_failure;
11354
11355	pinfoattr = nla_nest_start(msg, NL80211_ATTR_CQM);
11356	if (!pinfoattr)
11357		goto nla_put_failure;
11358
11359	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
11360			rssi_event))
11361		goto nla_put_failure;
11362
11363	nla_nest_end(msg, pinfoattr);
11364
11365	genlmsg_end(msg, hdr);
11366
11367	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11368				NL80211_MCGRP_MLME, gfp);
11369	return;
11370
11371 nla_put_failure:
11372	genlmsg_cancel(msg, hdr);
11373	nlmsg_free(msg);
11374}
11375EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
11376
11377static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
11378				     struct net_device *netdev, const u8 *bssid,
11379				     const u8 *replay_ctr, gfp_t gfp)
11380{
11381	struct sk_buff *msg;
11382	struct nlattr *rekey_attr;
11383	void *hdr;
11384
11385	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11386	if (!msg)
11387		return;
11388
11389	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
11390	if (!hdr) {
11391		nlmsg_free(msg);
11392		return;
11393	}
11394
11395	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11396	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11397	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
11398		goto nla_put_failure;
11399
11400	rekey_attr = nla_nest_start(msg, NL80211_ATTR_REKEY_DATA);
11401	if (!rekey_attr)
11402		goto nla_put_failure;
11403
11404	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
11405		    NL80211_REPLAY_CTR_LEN, replay_ctr))
11406		goto nla_put_failure;
11407
11408	nla_nest_end(msg, rekey_attr);
11409
11410	genlmsg_end(msg, hdr);
11411
11412	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11413				NL80211_MCGRP_MLME, gfp);
11414	return;
11415
11416 nla_put_failure:
11417	genlmsg_cancel(msg, hdr);
11418	nlmsg_free(msg);
11419}
11420
11421void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
11422			       const u8 *replay_ctr, gfp_t gfp)
11423{
11424	struct wireless_dev *wdev = dev->ieee80211_ptr;
11425	struct wiphy *wiphy = wdev->wiphy;
11426	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11427
11428	trace_cfg80211_gtk_rekey_notify(dev, bssid);
11429	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
11430}
11431EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
11432
11433static void
11434nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
11435			       struct net_device *netdev, int index,
11436			       const u8 *bssid, bool preauth, gfp_t gfp)
11437{
11438	struct sk_buff *msg;
11439	struct nlattr *attr;
11440	void *hdr;
11441
11442	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11443	if (!msg)
11444		return;
11445
11446	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
11447	if (!hdr) {
11448		nlmsg_free(msg);
11449		return;
11450	}
11451
11452	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11453	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
11454		goto nla_put_failure;
11455
11456	attr = nla_nest_start(msg, NL80211_ATTR_PMKSA_CANDIDATE);
11457	if (!attr)
11458		goto nla_put_failure;
11459
11460	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
11461	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
11462	    (preauth &&
11463	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
11464		goto nla_put_failure;
11465
11466	nla_nest_end(msg, attr);
11467
11468	genlmsg_end(msg, hdr);
11469
11470	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11471				NL80211_MCGRP_MLME, gfp);
11472	return;
11473
11474 nla_put_failure:
11475	genlmsg_cancel(msg, hdr);
11476	nlmsg_free(msg);
11477}
11478
11479void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
11480				     const u8 *bssid, bool preauth, gfp_t gfp)
11481{
11482	struct wireless_dev *wdev = dev->ieee80211_ptr;
11483	struct wiphy *wiphy = wdev->wiphy;
11484	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11485
11486	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
11487	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
11488}
11489EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
11490
11491static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
11492				     struct net_device *netdev,
11493				     struct cfg80211_chan_def *chandef,
11494				     gfp_t gfp)
11495{
11496	struct sk_buff *msg;
11497	void *hdr;
11498
11499	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11500	if (!msg)
11501		return;
11502
11503	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CH_SWITCH_NOTIFY);
11504	if (!hdr) {
11505		nlmsg_free(msg);
11506		return;
11507	}
11508
11509	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
11510		goto nla_put_failure;
11511
11512	if (nl80211_send_chandef(msg, chandef))
11513		goto nla_put_failure;
11514
11515	genlmsg_end(msg, hdr);
11516
11517	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11518				NL80211_MCGRP_MLME, gfp);
11519	return;
11520
11521 nla_put_failure:
11522	genlmsg_cancel(msg, hdr);
11523	nlmsg_free(msg);
11524}
11525
11526void cfg80211_ch_switch_notify(struct net_device *dev,
11527			       struct cfg80211_chan_def *chandef)
11528{
11529	struct wireless_dev *wdev = dev->ieee80211_ptr;
11530	struct wiphy *wiphy = wdev->wiphy;
11531	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11532
11533	ASSERT_WDEV_LOCK(wdev);
11534
11535	trace_cfg80211_ch_switch_notify(dev, chandef);
11536
11537	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
11538		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
11539		    wdev->iftype != NL80211_IFTYPE_ADHOC &&
11540		    wdev->iftype != NL80211_IFTYPE_MESH_POINT))
11541		return;
11542
11543	wdev->chandef = *chandef;
11544	wdev->preset_chandef = *chandef;
11545	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL);
11546}
11547EXPORT_SYMBOL(cfg80211_ch_switch_notify);
11548
11549void cfg80211_cqm_txe_notify(struct net_device *dev,
11550			     const u8 *peer, u32 num_packets,
11551			     u32 rate, u32 intvl, gfp_t gfp)
11552{
11553	struct wireless_dev *wdev = dev->ieee80211_ptr;
11554	struct wiphy *wiphy = wdev->wiphy;
11555	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11556	struct sk_buff *msg;
11557	struct nlattr *pinfoattr;
11558	void *hdr;
11559
11560	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
11561	if (!msg)
11562		return;
11563
11564	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
11565	if (!hdr) {
11566		nlmsg_free(msg);
11567		return;
11568	}
11569
11570	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11571	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11572	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer))
11573		goto nla_put_failure;
11574
11575	pinfoattr = nla_nest_start(msg, NL80211_ATTR_CQM);
11576	if (!pinfoattr)
11577		goto nla_put_failure;
11578
11579	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
11580		goto nla_put_failure;
11581
11582	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
11583		goto nla_put_failure;
11584
11585	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
11586		goto nla_put_failure;
11587
11588	nla_nest_end(msg, pinfoattr);
11589
11590	genlmsg_end(msg, hdr);
11591
11592	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11593				NL80211_MCGRP_MLME, gfp);
11594	return;
11595
11596 nla_put_failure:
11597	genlmsg_cancel(msg, hdr);
11598	nlmsg_free(msg);
11599}
11600EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
11601
11602void
11603nl80211_radar_notify(struct cfg80211_registered_device *rdev,
11604		     const struct cfg80211_chan_def *chandef,
11605		     enum nl80211_radar_event event,
11606		     struct net_device *netdev, gfp_t gfp)
11607{
11608	struct sk_buff *msg;
11609	void *hdr;
11610
11611	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11612	if (!msg)
11613		return;
11614
11615	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
11616	if (!hdr) {
11617		nlmsg_free(msg);
11618		return;
11619	}
11620
11621	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
11622		goto nla_put_failure;
11623
11624	/* NOP and radar events don't need a netdev parameter */
11625	if (netdev) {
11626		struct wireless_dev *wdev = netdev->ieee80211_ptr;
11627
11628		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11629		    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
11630			goto nla_put_failure;
11631	}
11632
11633	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
11634		goto nla_put_failure;
11635
11636	if (nl80211_send_chandef(msg, chandef))
11637		goto nla_put_failure;
11638
11639	genlmsg_end(msg, hdr);
11640
11641	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11642				NL80211_MCGRP_MLME, gfp);
11643	return;
11644
11645 nla_put_failure:
11646	genlmsg_cancel(msg, hdr);
11647	nlmsg_free(msg);
11648}
11649
11650void cfg80211_cqm_pktloss_notify(struct net_device *dev,
11651				 const u8 *peer, u32 num_packets, gfp_t gfp)
11652{
11653	struct wireless_dev *wdev = dev->ieee80211_ptr;
11654	struct wiphy *wiphy = wdev->wiphy;
11655	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11656	struct sk_buff *msg;
11657	struct nlattr *pinfoattr;
11658	void *hdr;
11659
11660	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
11661
11662	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11663	if (!msg)
11664		return;
11665
11666	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
11667	if (!hdr) {
11668		nlmsg_free(msg);
11669		return;
11670	}
11671
11672	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11673	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11674	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer))
11675		goto nla_put_failure;
11676
11677	pinfoattr = nla_nest_start(msg, NL80211_ATTR_CQM);
11678	if (!pinfoattr)
11679		goto nla_put_failure;
11680
11681	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
11682		goto nla_put_failure;
11683
11684	nla_nest_end(msg, pinfoattr);
11685
11686	genlmsg_end(msg, hdr);
11687
11688	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11689				NL80211_MCGRP_MLME, gfp);
11690	return;
11691
11692 nla_put_failure:
11693	genlmsg_cancel(msg, hdr);
11694	nlmsg_free(msg);
11695}
11696EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
11697
11698void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
11699			   u64 cookie, bool acked, gfp_t gfp)
11700{
11701	struct wireless_dev *wdev = dev->ieee80211_ptr;
11702	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
11703	struct sk_buff *msg;
11704	void *hdr;
11705
11706	trace_cfg80211_probe_status(dev, addr, cookie, acked);
11707
11708	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11709
11710	if (!msg)
11711		return;
11712
11713	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
11714	if (!hdr) {
11715		nlmsg_free(msg);
11716		return;
11717	}
11718
11719	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11720	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11721	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
11722	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie) ||
11723	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)))
11724		goto nla_put_failure;
11725
11726	genlmsg_end(msg, hdr);
11727
11728	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11729				NL80211_MCGRP_MLME, gfp);
11730	return;
11731
11732 nla_put_failure:
11733	genlmsg_cancel(msg, hdr);
11734	nlmsg_free(msg);
11735}
11736EXPORT_SYMBOL(cfg80211_probe_status);
11737
11738void cfg80211_report_obss_beacon(struct wiphy *wiphy,
11739				 const u8 *frame, size_t len,
11740				 int freq, int sig_dbm)
11741{
11742	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11743	struct sk_buff *msg;
11744	void *hdr;
11745	struct cfg80211_beacon_registration *reg;
11746
11747	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
11748
11749	spin_lock_bh(&rdev->beacon_registrations_lock);
11750	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
11751		msg = nlmsg_new(len + 100, GFP_ATOMIC);
11752		if (!msg) {
11753			spin_unlock_bh(&rdev->beacon_registrations_lock);
11754			return;
11755		}
11756
11757		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
11758		if (!hdr)
11759			goto nla_put_failure;
11760
11761		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11762		    (freq &&
11763		     nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq)) ||
11764		    (sig_dbm &&
11765		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
11766		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
11767			goto nla_put_failure;
11768
11769		genlmsg_end(msg, hdr);
11770
11771		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
11772	}
11773	spin_unlock_bh(&rdev->beacon_registrations_lock);
11774	return;
11775
11776 nla_put_failure:
11777	spin_unlock_bh(&rdev->beacon_registrations_lock);
11778	if (hdr)
11779		genlmsg_cancel(msg, hdr);
11780	nlmsg_free(msg);
11781}
11782EXPORT_SYMBOL(cfg80211_report_obss_beacon);
11783
11784#ifdef CONFIG_PM
11785void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
11786				   struct cfg80211_wowlan_wakeup *wakeup,
11787				   gfp_t gfp)
11788{
11789	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
11790	struct sk_buff *msg;
11791	void *hdr;
11792	int size = 200;
11793
11794	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
11795
11796	if (wakeup)
11797		size += wakeup->packet_present_len;
11798
11799	msg = nlmsg_new(size, gfp);
11800	if (!msg)
11801		return;
11802
11803	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
11804	if (!hdr)
11805		goto free_msg;
11806
11807	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11808	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
11809		goto free_msg;
11810
11811	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
11812					wdev->netdev->ifindex))
11813		goto free_msg;
11814
11815	if (wakeup) {
11816		struct nlattr *reasons;
11817
11818		reasons = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
11819		if (!reasons)
11820			goto free_msg;
11821
11822		if (wakeup->disconnect &&
11823		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
11824			goto free_msg;
11825		if (wakeup->magic_pkt &&
11826		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
11827			goto free_msg;
11828		if (wakeup->gtk_rekey_failure &&
11829		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
11830			goto free_msg;
11831		if (wakeup->eap_identity_req &&
11832		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
11833			goto free_msg;
11834		if (wakeup->four_way_handshake &&
11835		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
11836			goto free_msg;
11837		if (wakeup->rfkill_release &&
11838		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
11839			goto free_msg;
11840
11841		if (wakeup->pattern_idx >= 0 &&
11842		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
11843				wakeup->pattern_idx))
11844			goto free_msg;
11845
11846		if (wakeup->tcp_match &&
11847		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
11848			goto free_msg;
11849
11850		if (wakeup->tcp_connlost &&
11851		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
11852			goto free_msg;
11853
11854		if (wakeup->tcp_nomoretokens &&
11855		    nla_put_flag(msg,
11856				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
11857			goto free_msg;
11858
11859		if (wakeup->packet) {
11860			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
11861			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
11862
11863			if (!wakeup->packet_80211) {
11864				pkt_attr =
11865					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
11866				len_attr =
11867					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
11868			}
11869
11870			if (wakeup->packet_len &&
11871			    nla_put_u32(msg, len_attr, wakeup->packet_len))
11872				goto free_msg;
11873
11874			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
11875				    wakeup->packet))
11876				goto free_msg;
11877		}
11878
11879		nla_nest_end(msg, reasons);
11880	}
11881
11882	genlmsg_end(msg, hdr);
11883
11884	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11885				NL80211_MCGRP_MLME, gfp);
11886	return;
11887
11888 free_msg:
11889	nlmsg_free(msg);
11890}
11891EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
11892#endif
11893
11894void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
11895				enum nl80211_tdls_operation oper,
11896				u16 reason_code, gfp_t gfp)
11897{
11898	struct wireless_dev *wdev = dev->ieee80211_ptr;
11899	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
11900	struct sk_buff *msg;
11901	void *hdr;
11902
11903	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
11904					 reason_code);
11905
11906	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11907	if (!msg)
11908		return;
11909
11910	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
11911	if (!hdr) {
11912		nlmsg_free(msg);
11913		return;
11914	}
11915
11916	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11917	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11918	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
11919	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
11920	    (reason_code > 0 &&
11921	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
11922		goto nla_put_failure;
11923
11924	genlmsg_end(msg, hdr);
11925
11926	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11927				NL80211_MCGRP_MLME, gfp);
11928	return;
11929
11930 nla_put_failure:
11931	genlmsg_cancel(msg, hdr);
11932	nlmsg_free(msg);
11933}
11934EXPORT_SYMBOL(cfg80211_tdls_oper_request);
11935
11936static int nl80211_netlink_notify(struct notifier_block * nb,
11937				  unsigned long state,
11938				  void *_notify)
11939{
11940	struct netlink_notify *notify = _notify;
11941	struct cfg80211_registered_device *rdev;
11942	struct wireless_dev *wdev;
11943	struct cfg80211_beacon_registration *reg, *tmp;
11944
11945	if (state != NETLINK_URELEASE)
11946		return NOTIFY_DONE;
11947
11948	rcu_read_lock();
11949
11950	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
11951		bool schedule_destroy_work = false;
11952
11953		list_for_each_entry_rcu(wdev, &rdev->wdev_list, list) {
11954			cfg80211_mlme_unregister_socket(wdev, notify->portid);
11955
11956			if (wdev->owner_nlportid == notify->portid)
11957				schedule_destroy_work = true;
11958		}
11959
11960		spin_lock_bh(&rdev->beacon_registrations_lock);
11961		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
11962					 list) {
11963			if (reg->nlportid == notify->portid) {
11964				list_del(&reg->list);
11965				kfree(reg);
11966				break;
11967			}
11968		}
11969		spin_unlock_bh(&rdev->beacon_registrations_lock);
11970
11971		if (schedule_destroy_work) {
11972			struct cfg80211_iface_destroy *destroy;
11973
11974			destroy = kzalloc(sizeof(*destroy), GFP_ATOMIC);
11975			if (destroy) {
11976				destroy->nlportid = notify->portid;
11977				spin_lock(&rdev->destroy_list_lock);
11978				list_add(&destroy->list, &rdev->destroy_list);
11979				spin_unlock(&rdev->destroy_list_lock);
11980				schedule_work(&rdev->destroy_work);
11981			}
11982		}
11983	}
11984
11985	rcu_read_unlock();
11986
11987	return NOTIFY_OK;
11988}
11989
11990static struct notifier_block nl80211_netlink_notifier = {
11991	.notifier_call = nl80211_netlink_notify,
11992};
11993
11994void cfg80211_ft_event(struct net_device *netdev,
11995		       struct cfg80211_ft_event_params *ft_event)
11996{
11997	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
11998	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11999	struct sk_buff *msg;
12000	void *hdr;
12001
12002	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
12003
12004	if (!ft_event->target_ap)
12005		return;
12006
12007	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12008	if (!msg)
12009		return;
12010
12011	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
12012	if (!hdr)
12013		goto out;
12014
12015	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12016	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12017	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
12018		goto out;
12019
12020	if (ft_event->ies &&
12021	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
12022		goto out;
12023	if (ft_event->ric_ies &&
12024	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
12025		    ft_event->ric_ies))
12026		goto out;
12027
12028	genlmsg_end(msg, hdr);
12029
12030	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12031				NL80211_MCGRP_MLME, GFP_KERNEL);
12032	return;
12033 out:
12034	nlmsg_free(msg);
12035}
12036EXPORT_SYMBOL(cfg80211_ft_event);
12037
12038void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
12039{
12040	struct cfg80211_registered_device *rdev;
12041	struct sk_buff *msg;
12042	void *hdr;
12043	u32 nlportid;
12044
12045	rdev = wiphy_to_rdev(wdev->wiphy);
12046	if (!rdev->crit_proto_nlportid)
12047		return;
12048
12049	nlportid = rdev->crit_proto_nlportid;
12050	rdev->crit_proto_nlportid = 0;
12051
12052	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12053	if (!msg)
12054		return;
12055
12056	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
12057	if (!hdr)
12058		goto nla_put_failure;
12059
12060	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12061	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
12062		goto nla_put_failure;
12063
12064	genlmsg_end(msg, hdr);
12065
12066	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
12067	return;
12068
12069 nla_put_failure:
12070	if (hdr)
12071		genlmsg_cancel(msg, hdr);
12072	nlmsg_free(msg);
12073
12074}
12075EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
12076
12077void nl80211_send_ap_stopped(struct wireless_dev *wdev)
12078{
12079	struct wiphy *wiphy = wdev->wiphy;
12080	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12081	struct sk_buff *msg;
12082	void *hdr;
12083
12084	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12085	if (!msg)
12086		return;
12087
12088	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
12089	if (!hdr)
12090		goto out;
12091
12092	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12093	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
12094	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
12095		goto out;
12096
12097	genlmsg_end(msg, hdr);
12098
12099	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
12100				NL80211_MCGRP_MLME, GFP_KERNEL);
12101	return;
12102 out:
12103	nlmsg_free(msg);
12104}
12105
12106/* initialisation/exit functions */
12107
12108int nl80211_init(void)
12109{
12110	int err;
12111
12112	err = genl_register_family_with_ops_groups(&nl80211_fam, nl80211_ops,
12113						   nl80211_mcgrps);
12114	if (err)
12115		return err;
12116
12117	err = netlink_register_notifier(&nl80211_netlink_notifier);
12118	if (err)
12119		goto err_out;
12120
12121	return 0;
12122 err_out:
12123	genl_unregister_family(&nl80211_fam);
12124	return err;
12125}
12126
12127void nl80211_exit(void)
12128{
12129	netlink_unregister_notifier(&nl80211_netlink_notifier);
12130	genl_unregister_family(&nl80211_fam);
12131}
12132