xref: /openbmc/linux/net/wireless/nl80211.c (revision ba6fbacf9c073effaedf0c52fe7e52e2baf67725) 
1 /*
2  * This is the new netlink-based wireless configuration interface.
3  *
4  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
5  * Copyright 2013-2014  Intel Mobile Communications GmbH
6  * Copyright 2015-2016	Intel Deutschland GmbH
7  */
8 
9 #include <linux/if.h>
10 #include <linux/module.h>
11 #include <linux/err.h>
12 #include <linux/slab.h>
13 #include <linux/list.h>
14 #include <linux/if_ether.h>
15 #include <linux/ieee80211.h>
16 #include <linux/nl80211.h>
17 #include <linux/rtnetlink.h>
18 #include <linux/netlink.h>
19 #include <linux/etherdevice.h>
20 #include <net/net_namespace.h>
21 #include <net/genetlink.h>
22 #include <net/cfg80211.h>
23 #include <net/sock.h>
24 #include <net/inet_connection_sock.h>
25 #include "core.h"
26 #include "nl80211.h"
27 #include "reg.h"
28 #include "rdev-ops.h"
29 
30 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
31 				   struct genl_info *info,
32 				   struct cfg80211_crypto_settings *settings,
33 				   int cipher_limit);
34 
35 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
36 			    struct genl_info *info);
37 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
38 			      struct genl_info *info);
39 
40 /* the netlink family */
41 static struct genl_family nl80211_fam = {
42 	.id = GENL_ID_GENERATE,		/* don't bother with a hardcoded ID */
43 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
44 	.hdrsize = 0,			/* no private header */
45 	.version = 1,			/* no particular meaning now */
46 	.maxattr = NL80211_ATTR_MAX,
47 	.netnsok = true,
48 	.pre_doit = nl80211_pre_doit,
49 	.post_doit = nl80211_post_doit,
50 };
51 
52 /* multicast groups */
53 enum nl80211_multicast_groups {
54 	NL80211_MCGRP_CONFIG,
55 	NL80211_MCGRP_SCAN,
56 	NL80211_MCGRP_REGULATORY,
57 	NL80211_MCGRP_MLME,
58 	NL80211_MCGRP_VENDOR,
59 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
60 };
61 
62 static const struct genl_multicast_group nl80211_mcgrps[] = {
63 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
64 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
65 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
66 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
67 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
68 #ifdef CONFIG_NL80211_TESTMODE
69 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
70 #endif
71 };
72 
73 /* returns ERR_PTR values */
74 static struct wireless_dev *
75 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
76 {
77 	struct cfg80211_registered_device *rdev;
78 	struct wireless_dev *result = NULL;
79 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
80 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
81 	u64 wdev_id;
82 	int wiphy_idx = -1;
83 	int ifidx = -1;
84 
85 	ASSERT_RTNL();
86 
87 	if (!have_ifidx && !have_wdev_id)
88 		return ERR_PTR(-EINVAL);
89 
90 	if (have_ifidx)
91 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
92 	if (have_wdev_id) {
93 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
94 		wiphy_idx = wdev_id >> 32;
95 	}
96 
97 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
98 		struct wireless_dev *wdev;
99 
100 		if (wiphy_net(&rdev->wiphy) != netns)
101 			continue;
102 
103 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
104 			continue;
105 
106 		list_for_each_entry(wdev, &rdev->wdev_list, list) {
107 			if (have_ifidx && wdev->netdev &&
108 			    wdev->netdev->ifindex == ifidx) {
109 				result = wdev;
110 				break;
111 			}
112 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
113 				result = wdev;
114 				break;
115 			}
116 		}
117 
118 		if (result)
119 			break;
120 	}
121 
122 	if (result)
123 		return result;
124 	return ERR_PTR(-ENODEV);
125 }
126 
127 static struct cfg80211_registered_device *
128 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
129 {
130 	struct cfg80211_registered_device *rdev = NULL, *tmp;
131 	struct net_device *netdev;
132 
133 	ASSERT_RTNL();
134 
135 	if (!attrs[NL80211_ATTR_WIPHY] &&
136 	    !attrs[NL80211_ATTR_IFINDEX] &&
137 	    !attrs[NL80211_ATTR_WDEV])
138 		return ERR_PTR(-EINVAL);
139 
140 	if (attrs[NL80211_ATTR_WIPHY])
141 		rdev = cfg80211_rdev_by_wiphy_idx(
142 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
143 
144 	if (attrs[NL80211_ATTR_WDEV]) {
145 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
146 		struct wireless_dev *wdev;
147 		bool found = false;
148 
149 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
150 		if (tmp) {
151 			/* make sure wdev exists */
152 			list_for_each_entry(wdev, &tmp->wdev_list, list) {
153 				if (wdev->identifier != (u32)wdev_id)
154 					continue;
155 				found = true;
156 				break;
157 			}
158 
159 			if (!found)
160 				tmp = NULL;
161 
162 			if (rdev && tmp != rdev)
163 				return ERR_PTR(-EINVAL);
164 			rdev = tmp;
165 		}
166 	}
167 
168 	if (attrs[NL80211_ATTR_IFINDEX]) {
169 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
170 		netdev = __dev_get_by_index(netns, ifindex);
171 		if (netdev) {
172 			if (netdev->ieee80211_ptr)
173 				tmp = wiphy_to_rdev(
174 					netdev->ieee80211_ptr->wiphy);
175 			else
176 				tmp = NULL;
177 
178 			/* not wireless device -- return error */
179 			if (!tmp)
180 				return ERR_PTR(-EINVAL);
181 
182 			/* mismatch -- return error */
183 			if (rdev && tmp != rdev)
184 				return ERR_PTR(-EINVAL);
185 
186 			rdev = tmp;
187 		}
188 	}
189 
190 	if (!rdev)
191 		return ERR_PTR(-ENODEV);
192 
193 	if (netns != wiphy_net(&rdev->wiphy))
194 		return ERR_PTR(-ENODEV);
195 
196 	return rdev;
197 }
198 
199 /*
200  * This function returns a pointer to the driver
201  * that the genl_info item that is passed refers to.
202  *
203  * The result of this can be a PTR_ERR and hence must
204  * be checked with IS_ERR() for errors.
205  */
206 static struct cfg80211_registered_device *
207 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
208 {
209 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
210 }
211 
212 /* policy for the attributes */
213 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
214 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
215 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
216 				      .len = 20-1 },
217 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
218 
219 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
220 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
221 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
222 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
223 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
224 
225 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = { .type = NLA_U8 },
226 	[NL80211_ATTR_WIPHY_RETRY_LONG] = { .type = NLA_U8 },
227 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
228 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
229 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
230 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
231 
232 	[NL80211_ATTR_IFTYPE] = { .type = NLA_U32 },
233 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
234 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
235 
236 	[NL80211_ATTR_MAC] = { .len = ETH_ALEN },
237 	[NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },
238 
239 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
240 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
241 				    .len = WLAN_MAX_KEY_LEN },
242 	[NL80211_ATTR_KEY_IDX] = { .type = NLA_U8 },
243 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
244 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
245 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
246 	[NL80211_ATTR_KEY_TYPE] = { .type = NLA_U32 },
247 
248 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
249 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
250 	[NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
251 				       .len = IEEE80211_MAX_DATA_LEN },
252 	[NL80211_ATTR_BEACON_TAIL] = { .type = NLA_BINARY,
253 				       .len = IEEE80211_MAX_DATA_LEN },
254 	[NL80211_ATTR_STA_AID] = { .type = NLA_U16 },
255 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
256 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
257 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
258 					       .len = NL80211_MAX_SUPP_RATES },
259 	[NL80211_ATTR_STA_PLINK_ACTION] = { .type = NLA_U8 },
260 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
261 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
262 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
263 				   .len = IEEE80211_MAX_MESH_ID_LEN },
264 	[NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
265 
266 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
267 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
268 
269 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
270 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
271 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
272 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
273 					   .len = NL80211_MAX_SUPP_RATES },
274 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
275 
276 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
277 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
278 
279 	[NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
280 
281 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
282 	[NL80211_ATTR_IE] = { .type = NLA_BINARY,
283 			      .len = IEEE80211_MAX_DATA_LEN },
284 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
285 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
286 
287 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
288 				.len = IEEE80211_MAX_SSID_LEN },
289 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
290 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
291 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
292 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
293 	[NL80211_ATTR_USE_MFP] = { .type = NLA_U32 },
294 	[NL80211_ATTR_STA_FLAGS2] = {
295 		.len = sizeof(struct nl80211_sta_flag_update),
296 	},
297 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
298 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
299 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
300 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
301 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
302 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
303 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
304 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
305 	[NL80211_ATTR_PMKID] = { .type = NLA_BINARY,
306 				 .len = WLAN_PMKID_LEN },
307 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
308 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
309 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
310 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
311 				 .len = IEEE80211_MAX_DATA_LEN },
312 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
313 	[NL80211_ATTR_PS_STATE] = { .type = NLA_U32 },
314 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
315 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
316 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
317 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
318 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
319 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
320 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
321 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
322 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
323 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
324 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
325 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
326 	[NL80211_ATTR_STA_PLINK_STATE] = { .type = NLA_U8 },
327 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
328 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
329 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
330 	[NL80211_ATTR_HIDDEN_SSID] = { .type = NLA_U32 },
331 	[NL80211_ATTR_IE_PROBE_RESP] = { .type = NLA_BINARY,
332 					 .len = IEEE80211_MAX_DATA_LEN },
333 	[NL80211_ATTR_IE_ASSOC_RESP] = { .type = NLA_BINARY,
334 					 .len = IEEE80211_MAX_DATA_LEN },
335 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
336 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
337 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
338 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
339 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
340 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
341 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
342 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
343 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
344 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
345 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
346 				      .len = IEEE80211_MAX_DATA_LEN },
347 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
348 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
349 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
350 		.len = NL80211_HT_CAPABILITY_LEN
351 	},
352 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
353 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
354 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
355 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
356 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
357 	[NL80211_ATTR_SAE_DATA] = { .type = NLA_BINARY, },
358 	[NL80211_ATTR_VHT_CAPABILITY] = { .len = NL80211_VHT_CAPABILITY_LEN },
359 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
360 	[NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
361 	[NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
362 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
363 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
364 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
365 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
366 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
367 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
368 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
369 		.len = NL80211_VHT_CAPABILITY_LEN,
370 	},
371 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
372 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
373 				  .len = IEEE80211_MAX_DATA_LEN },
374 	[NL80211_ATTR_PEER_AID] = { .type = NLA_U16 },
375 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
376 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
377 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
378 	[NL80211_ATTR_CSA_C_OFF_BEACON] = { .type = NLA_BINARY },
379 	[NL80211_ATTR_CSA_C_OFF_PRESP] = { .type = NLA_BINARY },
380 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = { .type = NLA_BINARY },
381 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] = { .type = NLA_BINARY },
382 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
383 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
384 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
385 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
386 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
387 	[NL80211_ATTR_QOS_MAP] = { .type = NLA_BINARY,
388 				   .len = IEEE80211_QOS_MAP_LEN_MAX },
389 	[NL80211_ATTR_MAC_HINT] = { .len = ETH_ALEN },
390 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
391 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
392 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
393 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
394 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
395 	[NL80211_ATTR_TSID] = { .type = NLA_U8 },
396 	[NL80211_ATTR_USER_PRIO] = { .type = NLA_U8 },
397 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
398 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
399 	[NL80211_ATTR_MAC_MASK] = { .len = ETH_ALEN },
400 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
401 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
402 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
403 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
404 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
405 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
406 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] = { .type = NLA_U8 },
407 };
408 
409 /* policy for the key attributes */
410 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
411 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
412 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
413 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
414 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
415 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
416 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
417 	[NL80211_KEY_TYPE] = { .type = NLA_U32 },
418 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
419 };
420 
421 /* policy for the key default flags */
422 static const struct nla_policy
423 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
424 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
425 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
426 };
427 
428 /* policy for WoWLAN attributes */
429 static const struct nla_policy
430 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
431 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
432 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
433 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
434 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
435 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
436 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
437 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
438 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
439 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
440 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
441 };
442 
443 static const struct nla_policy
444 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
445 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
446 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
447 	[NL80211_WOWLAN_TCP_DST_MAC] = { .len = ETH_ALEN },
448 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
449 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
450 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = { .len = 1 },
451 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
452 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
453 	},
454 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
455 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
456 	},
457 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
458 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = { .len = 1 },
459 	[NL80211_WOWLAN_TCP_WAKE_MASK] = { .len = 1 },
460 };
461 
462 /* policy for coalesce rule attributes */
463 static const struct nla_policy
464 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
465 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
466 	[NL80211_ATTR_COALESCE_RULE_CONDITION] = { .type = NLA_U32 },
467 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
468 };
469 
470 /* policy for GTK rekey offload attributes */
471 static const struct nla_policy
472 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
473 	[NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
474 	[NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
475 	[NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
476 };
477 
478 static const struct nla_policy
479 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
480 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
481 						 .len = IEEE80211_MAX_SSID_LEN },
482 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
483 };
484 
485 static const struct nla_policy
486 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
487 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
488 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
489 };
490 
491 static const struct nla_policy
492 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
493 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
494 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
495 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
496 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
497 	},
498 };
499 
500 static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
501 				     struct netlink_callback *cb,
502 				     struct cfg80211_registered_device **rdev,
503 				     struct wireless_dev **wdev)
504 {
505 	int err;
506 
507 	rtnl_lock();
508 
509 	if (!cb->args[0]) {
510 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
511 				  nl80211_fam.attrbuf, nl80211_fam.maxattr,
512 				  nl80211_policy);
513 		if (err)
514 			goto out_unlock;
515 
516 		*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk),
517 						   nl80211_fam.attrbuf);
518 		if (IS_ERR(*wdev)) {
519 			err = PTR_ERR(*wdev);
520 			goto out_unlock;
521 		}
522 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
523 		/* 0 is the first index - add 1 to parse only once */
524 		cb->args[0] = (*rdev)->wiphy_idx + 1;
525 		cb->args[1] = (*wdev)->identifier;
526 	} else {
527 		/* subtract the 1 again here */
528 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
529 		struct wireless_dev *tmp;
530 
531 		if (!wiphy) {
532 			err = -ENODEV;
533 			goto out_unlock;
534 		}
535 		*rdev = wiphy_to_rdev(wiphy);
536 		*wdev = NULL;
537 
538 		list_for_each_entry(tmp, &(*rdev)->wdev_list, list) {
539 			if (tmp->identifier == cb->args[1]) {
540 				*wdev = tmp;
541 				break;
542 			}
543 		}
544 
545 		if (!*wdev) {
546 			err = -ENODEV;
547 			goto out_unlock;
548 		}
549 	}
550 
551 	return 0;
552  out_unlock:
553 	rtnl_unlock();
554 	return err;
555 }
556 
557 static void nl80211_finish_wdev_dump(struct cfg80211_registered_device *rdev)
558 {
559 	rtnl_unlock();
560 }
561 
562 /* IE validation */
563 static bool is_valid_ie_attr(const struct nlattr *attr)
564 {
565 	const u8 *pos;
566 	int len;
567 
568 	if (!attr)
569 		return true;
570 
571 	pos = nla_data(attr);
572 	len = nla_len(attr);
573 
574 	while (len) {
575 		u8 elemlen;
576 
577 		if (len < 2)
578 			return false;
579 		len -= 2;
580 
581 		elemlen = pos[1];
582 		if (elemlen > len)
583 			return false;
584 
585 		len -= elemlen;
586 		pos += 2 + elemlen;
587 	}
588 
589 	return true;
590 }
591 
592 /* message building helper */
593 static inline void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
594 				   int flags, u8 cmd)
595 {
596 	/* since there is no private header just add the generic one */
597 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
598 }
599 
600 static int nl80211_msg_put_channel(struct sk_buff *msg,
601 				   struct ieee80211_channel *chan,
602 				   bool large)
603 {
604 	/* Some channels must be completely excluded from the
605 	 * list to protect old user-space tools from breaking
606 	 */
607 	if (!large && chan->flags &
608 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
609 		return 0;
610 
611 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
612 			chan->center_freq))
613 		goto nla_put_failure;
614 
615 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
616 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
617 		goto nla_put_failure;
618 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
619 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
620 			goto nla_put_failure;
621 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
622 			goto nla_put_failure;
623 	}
624 	if (chan->flags & IEEE80211_CHAN_RADAR) {
625 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
626 			goto nla_put_failure;
627 		if (large) {
628 			u32 time;
629 
630 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
631 
632 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
633 					chan->dfs_state))
634 				goto nla_put_failure;
635 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
636 					time))
637 				goto nla_put_failure;
638 			if (nla_put_u32(msg,
639 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
640 					chan->dfs_cac_ms))
641 				goto nla_put_failure;
642 		}
643 	}
644 
645 	if (large) {
646 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
647 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
648 			goto nla_put_failure;
649 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
650 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
651 			goto nla_put_failure;
652 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
653 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
654 			goto nla_put_failure;
655 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
656 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
657 			goto nla_put_failure;
658 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
659 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
660 			goto nla_put_failure;
661 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
662 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
663 			goto nla_put_failure;
664 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
665 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
666 			goto nla_put_failure;
667 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
668 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
669 			goto nla_put_failure;
670 	}
671 
672 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
673 			DBM_TO_MBM(chan->max_power)))
674 		goto nla_put_failure;
675 
676 	return 0;
677 
678  nla_put_failure:
679 	return -ENOBUFS;
680 }
681 
682 /* netlink command implementations */
683 
684 struct key_parse {
685 	struct key_params p;
686 	int idx;
687 	int type;
688 	bool def, defmgmt;
689 	bool def_uni, def_multi;
690 };
691 
692 static int nl80211_parse_key_new(struct nlattr *key, struct key_parse *k)
693 {
694 	struct nlattr *tb[NL80211_KEY_MAX + 1];
695 	int err = nla_parse_nested(tb, NL80211_KEY_MAX, key,
696 				   nl80211_key_policy);
697 	if (err)
698 		return err;
699 
700 	k->def = !!tb[NL80211_KEY_DEFAULT];
701 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
702 
703 	if (k->def) {
704 		k->def_uni = true;
705 		k->def_multi = true;
706 	}
707 	if (k->defmgmt)
708 		k->def_multi = true;
709 
710 	if (tb[NL80211_KEY_IDX])
711 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
712 
713 	if (tb[NL80211_KEY_DATA]) {
714 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
715 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
716 	}
717 
718 	if (tb[NL80211_KEY_SEQ]) {
719 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
720 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
721 	}
722 
723 	if (tb[NL80211_KEY_CIPHER])
724 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
725 
726 	if (tb[NL80211_KEY_TYPE]) {
727 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
728 		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
729 			return -EINVAL;
730 	}
731 
732 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
733 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
734 		err = nla_parse_nested(kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
735 				       tb[NL80211_KEY_DEFAULT_TYPES],
736 				       nl80211_key_default_policy);
737 		if (err)
738 			return err;
739 
740 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
741 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
742 	}
743 
744 	return 0;
745 }
746 
747 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
748 {
749 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
750 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
751 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
752 	}
753 
754 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
755 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
756 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
757 	}
758 
759 	if (info->attrs[NL80211_ATTR_KEY_IDX])
760 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
761 
762 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
763 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
764 
765 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
766 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
767 
768 	if (k->def) {
769 		k->def_uni = true;
770 		k->def_multi = true;
771 	}
772 	if (k->defmgmt)
773 		k->def_multi = true;
774 
775 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
776 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
777 		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
778 			return -EINVAL;
779 	}
780 
781 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
782 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
783 		int err = nla_parse_nested(
784 				kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
785 				info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
786 				nl80211_key_default_policy);
787 		if (err)
788 			return err;
789 
790 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
791 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
792 	}
793 
794 	return 0;
795 }
796 
797 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
798 {
799 	int err;
800 
801 	memset(k, 0, sizeof(*k));
802 	k->idx = -1;
803 	k->type = -1;
804 
805 	if (info->attrs[NL80211_ATTR_KEY])
806 		err = nl80211_parse_key_new(info->attrs[NL80211_ATTR_KEY], k);
807 	else
808 		err = nl80211_parse_key_old(info, k);
809 
810 	if (err)
811 		return err;
812 
813 	if (k->def && k->defmgmt)
814 		return -EINVAL;
815 
816 	if (k->defmgmt) {
817 		if (k->def_uni || !k->def_multi)
818 			return -EINVAL;
819 	}
820 
821 	if (k->idx != -1) {
822 		if (k->defmgmt) {
823 			if (k->idx < 4 || k->idx > 5)
824 				return -EINVAL;
825 		} else if (k->def) {
826 			if (k->idx < 0 || k->idx > 3)
827 				return -EINVAL;
828 		} else {
829 			if (k->idx < 0 || k->idx > 5)
830 				return -EINVAL;
831 		}
832 	}
833 
834 	return 0;
835 }
836 
837 static struct cfg80211_cached_keys *
838 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
839 		       struct nlattr *keys, bool *no_ht)
840 {
841 	struct key_parse parse;
842 	struct nlattr *key;
843 	struct cfg80211_cached_keys *result;
844 	int rem, err, def = 0;
845 
846 	result = kzalloc(sizeof(*result), GFP_KERNEL);
847 	if (!result)
848 		return ERR_PTR(-ENOMEM);
849 
850 	result->def = -1;
851 	result->defmgmt = -1;
852 
853 	nla_for_each_nested(key, keys, rem) {
854 		memset(&parse, 0, sizeof(parse));
855 		parse.idx = -1;
856 
857 		err = nl80211_parse_key_new(key, &parse);
858 		if (err)
859 			goto error;
860 		err = -EINVAL;
861 		if (!parse.p.key)
862 			goto error;
863 		if (parse.idx < 0 || parse.idx > 4)
864 			goto error;
865 		if (parse.def) {
866 			if (def)
867 				goto error;
868 			def = 1;
869 			result->def = parse.idx;
870 			if (!parse.def_uni || !parse.def_multi)
871 				goto error;
872 		} else if (parse.defmgmt)
873 			goto error;
874 		err = cfg80211_validate_key_settings(rdev, &parse.p,
875 						     parse.idx, false, NULL);
876 		if (err)
877 			goto error;
878 		result->params[parse.idx].cipher = parse.p.cipher;
879 		result->params[parse.idx].key_len = parse.p.key_len;
880 		result->params[parse.idx].key = result->data[parse.idx];
881 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
882 
883 		if (parse.p.cipher == WLAN_CIPHER_SUITE_WEP40 ||
884 		    parse.p.cipher == WLAN_CIPHER_SUITE_WEP104) {
885 			if (no_ht)
886 				*no_ht = true;
887 		}
888 	}
889 
890 	return result;
891  error:
892 	kfree(result);
893 	return ERR_PTR(err);
894 }
895 
896 static int nl80211_key_allowed(struct wireless_dev *wdev)
897 {
898 	ASSERT_WDEV_LOCK(wdev);
899 
900 	switch (wdev->iftype) {
901 	case NL80211_IFTYPE_AP:
902 	case NL80211_IFTYPE_AP_VLAN:
903 	case NL80211_IFTYPE_P2P_GO:
904 	case NL80211_IFTYPE_MESH_POINT:
905 		break;
906 	case NL80211_IFTYPE_ADHOC:
907 	case NL80211_IFTYPE_STATION:
908 	case NL80211_IFTYPE_P2P_CLIENT:
909 		if (!wdev->current_bss)
910 			return -ENOLINK;
911 		break;
912 	case NL80211_IFTYPE_UNSPECIFIED:
913 	case NL80211_IFTYPE_OCB:
914 	case NL80211_IFTYPE_MONITOR:
915 	case NL80211_IFTYPE_P2P_DEVICE:
916 	case NL80211_IFTYPE_WDS:
917 	case NUM_NL80211_IFTYPES:
918 		return -EINVAL;
919 	}
920 
921 	return 0;
922 }
923 
924 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
925 							struct nlattr *tb)
926 {
927 	struct ieee80211_channel *chan;
928 
929 	if (tb == NULL)
930 		return NULL;
931 	chan = ieee80211_get_channel(wiphy, nla_get_u32(tb));
932 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
933 		return NULL;
934 	return chan;
935 }
936 
937 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
938 {
939 	struct nlattr *nl_modes = nla_nest_start(msg, attr);
940 	int i;
941 
942 	if (!nl_modes)
943 		goto nla_put_failure;
944 
945 	i = 0;
946 	while (ifmodes) {
947 		if ((ifmodes & 1) && nla_put_flag(msg, i))
948 			goto nla_put_failure;
949 		ifmodes >>= 1;
950 		i++;
951 	}
952 
953 	nla_nest_end(msg, nl_modes);
954 	return 0;
955 
956 nla_put_failure:
957 	return -ENOBUFS;
958 }
959 
960 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
961 					  struct sk_buff *msg,
962 					  bool large)
963 {
964 	struct nlattr *nl_combis;
965 	int i, j;
966 
967 	nl_combis = nla_nest_start(msg,
968 				NL80211_ATTR_INTERFACE_COMBINATIONS);
969 	if (!nl_combis)
970 		goto nla_put_failure;
971 
972 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
973 		const struct ieee80211_iface_combination *c;
974 		struct nlattr *nl_combi, *nl_limits;
975 
976 		c = &wiphy->iface_combinations[i];
977 
978 		nl_combi = nla_nest_start(msg, i + 1);
979 		if (!nl_combi)
980 			goto nla_put_failure;
981 
982 		nl_limits = nla_nest_start(msg, NL80211_IFACE_COMB_LIMITS);
983 		if (!nl_limits)
984 			goto nla_put_failure;
985 
986 		for (j = 0; j < c->n_limits; j++) {
987 			struct nlattr *nl_limit;
988 
989 			nl_limit = nla_nest_start(msg, j + 1);
990 			if (!nl_limit)
991 				goto nla_put_failure;
992 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
993 					c->limits[j].max))
994 				goto nla_put_failure;
995 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
996 						c->limits[j].types))
997 				goto nla_put_failure;
998 			nla_nest_end(msg, nl_limit);
999 		}
1000 
1001 		nla_nest_end(msg, nl_limits);
1002 
1003 		if (c->beacon_int_infra_match &&
1004 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1005 			goto nla_put_failure;
1006 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1007 				c->num_different_channels) ||
1008 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1009 				c->max_interfaces))
1010 			goto nla_put_failure;
1011 		if (large &&
1012 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1013 				c->radar_detect_widths) ||
1014 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1015 				c->radar_detect_regions)))
1016 			goto nla_put_failure;
1017 
1018 		nla_nest_end(msg, nl_combi);
1019 	}
1020 
1021 	nla_nest_end(msg, nl_combis);
1022 
1023 	return 0;
1024 nla_put_failure:
1025 	return -ENOBUFS;
1026 }
1027 
1028 #ifdef CONFIG_PM
1029 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1030 					struct sk_buff *msg)
1031 {
1032 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1033 	struct nlattr *nl_tcp;
1034 
1035 	if (!tcp)
1036 		return 0;
1037 
1038 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1039 	if (!nl_tcp)
1040 		return -ENOBUFS;
1041 
1042 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1043 			tcp->data_payload_max))
1044 		return -ENOBUFS;
1045 
1046 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1047 			tcp->data_payload_max))
1048 		return -ENOBUFS;
1049 
1050 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1051 		return -ENOBUFS;
1052 
1053 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1054 				sizeof(*tcp->tok), tcp->tok))
1055 		return -ENOBUFS;
1056 
1057 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1058 			tcp->data_interval_max))
1059 		return -ENOBUFS;
1060 
1061 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1062 			tcp->wake_payload_max))
1063 		return -ENOBUFS;
1064 
1065 	nla_nest_end(msg, nl_tcp);
1066 	return 0;
1067 }
1068 
1069 static int nl80211_send_wowlan(struct sk_buff *msg,
1070 			       struct cfg80211_registered_device *rdev,
1071 			       bool large)
1072 {
1073 	struct nlattr *nl_wowlan;
1074 
1075 	if (!rdev->wiphy.wowlan)
1076 		return 0;
1077 
1078 	nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1079 	if (!nl_wowlan)
1080 		return -ENOBUFS;
1081 
1082 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1083 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1084 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1085 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1086 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1087 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1088 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1089 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1090 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1091 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1092 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1093 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1094 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1095 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1096 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1097 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1098 		return -ENOBUFS;
1099 
1100 	if (rdev->wiphy.wowlan->n_patterns) {
1101 		struct nl80211_pattern_support pat = {
1102 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1103 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1104 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1105 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1106 		};
1107 
1108 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1109 			    sizeof(pat), &pat))
1110 			return -ENOBUFS;
1111 	}
1112 
1113 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1114 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1115 			rdev->wiphy.wowlan->max_nd_match_sets))
1116 		return -ENOBUFS;
1117 
1118 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1119 		return -ENOBUFS;
1120 
1121 	nla_nest_end(msg, nl_wowlan);
1122 
1123 	return 0;
1124 }
1125 #endif
1126 
1127 static int nl80211_send_coalesce(struct sk_buff *msg,
1128 				 struct cfg80211_registered_device *rdev)
1129 {
1130 	struct nl80211_coalesce_rule_support rule;
1131 
1132 	if (!rdev->wiphy.coalesce)
1133 		return 0;
1134 
1135 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1136 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1137 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1138 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1139 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1140 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1141 
1142 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1143 		return -ENOBUFS;
1144 
1145 	return 0;
1146 }
1147 
1148 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1149 				      struct ieee80211_supported_band *sband)
1150 {
1151 	struct nlattr *nl_rates, *nl_rate;
1152 	struct ieee80211_rate *rate;
1153 	int i;
1154 
1155 	/* add HT info */
1156 	if (sband->ht_cap.ht_supported &&
1157 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1158 		     sizeof(sband->ht_cap.mcs),
1159 		     &sband->ht_cap.mcs) ||
1160 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1161 			 sband->ht_cap.cap) ||
1162 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1163 			sband->ht_cap.ampdu_factor) ||
1164 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1165 			sband->ht_cap.ampdu_density)))
1166 		return -ENOBUFS;
1167 
1168 	/* add VHT info */
1169 	if (sband->vht_cap.vht_supported &&
1170 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1171 		     sizeof(sband->vht_cap.vht_mcs),
1172 		     &sband->vht_cap.vht_mcs) ||
1173 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1174 			 sband->vht_cap.cap)))
1175 		return -ENOBUFS;
1176 
1177 	/* add bitrates */
1178 	nl_rates = nla_nest_start(msg, NL80211_BAND_ATTR_RATES);
1179 	if (!nl_rates)
1180 		return -ENOBUFS;
1181 
1182 	for (i = 0; i < sband->n_bitrates; i++) {
1183 		nl_rate = nla_nest_start(msg, i);
1184 		if (!nl_rate)
1185 			return -ENOBUFS;
1186 
1187 		rate = &sband->bitrates[i];
1188 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1189 				rate->bitrate))
1190 			return -ENOBUFS;
1191 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1192 		    nla_put_flag(msg,
1193 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1194 			return -ENOBUFS;
1195 
1196 		nla_nest_end(msg, nl_rate);
1197 	}
1198 
1199 	nla_nest_end(msg, nl_rates);
1200 
1201 	return 0;
1202 }
1203 
1204 static int
1205 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1206 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1207 {
1208 	u16 stypes;
1209 	struct nlattr *nl_ftypes, *nl_ifs;
1210 	enum nl80211_iftype ift;
1211 	int i;
1212 
1213 	if (!mgmt_stypes)
1214 		return 0;
1215 
1216 	nl_ifs = nla_nest_start(msg, NL80211_ATTR_TX_FRAME_TYPES);
1217 	if (!nl_ifs)
1218 		return -ENOBUFS;
1219 
1220 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1221 		nl_ftypes = nla_nest_start(msg, ift);
1222 		if (!nl_ftypes)
1223 			return -ENOBUFS;
1224 		i = 0;
1225 		stypes = mgmt_stypes[ift].tx;
1226 		while (stypes) {
1227 			if ((stypes & 1) &&
1228 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1229 					(i << 4) | IEEE80211_FTYPE_MGMT))
1230 				return -ENOBUFS;
1231 			stypes >>= 1;
1232 			i++;
1233 		}
1234 		nla_nest_end(msg, nl_ftypes);
1235 	}
1236 
1237 	nla_nest_end(msg, nl_ifs);
1238 
1239 	nl_ifs = nla_nest_start(msg, NL80211_ATTR_RX_FRAME_TYPES);
1240 	if (!nl_ifs)
1241 		return -ENOBUFS;
1242 
1243 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1244 		nl_ftypes = nla_nest_start(msg, ift);
1245 		if (!nl_ftypes)
1246 			return -ENOBUFS;
1247 		i = 0;
1248 		stypes = mgmt_stypes[ift].rx;
1249 		while (stypes) {
1250 			if ((stypes & 1) &&
1251 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1252 					(i << 4) | IEEE80211_FTYPE_MGMT))
1253 				return -ENOBUFS;
1254 			stypes >>= 1;
1255 			i++;
1256 		}
1257 		nla_nest_end(msg, nl_ftypes);
1258 	}
1259 	nla_nest_end(msg, nl_ifs);
1260 
1261 	return 0;
1262 }
1263 
1264 struct nl80211_dump_wiphy_state {
1265 	s64 filter_wiphy;
1266 	long start;
1267 	long split_start, band_start, chan_start;
1268 	bool split;
1269 };
1270 
1271 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
1272 			      enum nl80211_commands cmd,
1273 			      struct sk_buff *msg, u32 portid, u32 seq,
1274 			      int flags, struct nl80211_dump_wiphy_state *state)
1275 {
1276 	void *hdr;
1277 	struct nlattr *nl_bands, *nl_band;
1278 	struct nlattr *nl_freqs, *nl_freq;
1279 	struct nlattr *nl_cmds;
1280 	enum ieee80211_band band;
1281 	struct ieee80211_channel *chan;
1282 	int i;
1283 	const struct ieee80211_txrx_stypes *mgmt_stypes =
1284 				rdev->wiphy.mgmt_stypes;
1285 	u32 features;
1286 
1287 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
1288 	if (!hdr)
1289 		return -ENOBUFS;
1290 
1291 	if (WARN_ON(!state))
1292 		return -EINVAL;
1293 
1294 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
1295 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
1296 			   wiphy_name(&rdev->wiphy)) ||
1297 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
1298 			cfg80211_rdev_list_generation))
1299 		goto nla_put_failure;
1300 
1301 	if (cmd != NL80211_CMD_NEW_WIPHY)
1302 		goto finish;
1303 
1304 	switch (state->split_start) {
1305 	case 0:
1306 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
1307 			       rdev->wiphy.retry_short) ||
1308 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
1309 			       rdev->wiphy.retry_long) ||
1310 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
1311 				rdev->wiphy.frag_threshold) ||
1312 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
1313 				rdev->wiphy.rts_threshold) ||
1314 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
1315 			       rdev->wiphy.coverage_class) ||
1316 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
1317 			       rdev->wiphy.max_scan_ssids) ||
1318 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
1319 			       rdev->wiphy.max_sched_scan_ssids) ||
1320 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
1321 				rdev->wiphy.max_scan_ie_len) ||
1322 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
1323 				rdev->wiphy.max_sched_scan_ie_len) ||
1324 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
1325 			       rdev->wiphy.max_match_sets) ||
1326 		    nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
1327 				rdev->wiphy.max_sched_scan_plans) ||
1328 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
1329 				rdev->wiphy.max_sched_scan_plan_interval) ||
1330 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
1331 				rdev->wiphy.max_sched_scan_plan_iterations))
1332 			goto nla_put_failure;
1333 
1334 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
1335 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
1336 			goto nla_put_failure;
1337 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
1338 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
1339 			goto nla_put_failure;
1340 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
1341 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
1342 			goto nla_put_failure;
1343 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
1344 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
1345 			goto nla_put_failure;
1346 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
1347 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
1348 			goto nla_put_failure;
1349 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
1350 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
1351 			goto nla_put_failure;
1352 		state->split_start++;
1353 		if (state->split)
1354 			break;
1355 	case 1:
1356 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
1357 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
1358 			    rdev->wiphy.cipher_suites))
1359 			goto nla_put_failure;
1360 
1361 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
1362 			       rdev->wiphy.max_num_pmkids))
1363 			goto nla_put_failure;
1364 
1365 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
1366 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
1367 			goto nla_put_failure;
1368 
1369 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
1370 				rdev->wiphy.available_antennas_tx) ||
1371 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
1372 				rdev->wiphy.available_antennas_rx))
1373 			goto nla_put_failure;
1374 
1375 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
1376 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
1377 				rdev->wiphy.probe_resp_offload))
1378 			goto nla_put_failure;
1379 
1380 		if ((rdev->wiphy.available_antennas_tx ||
1381 		     rdev->wiphy.available_antennas_rx) &&
1382 		    rdev->ops->get_antenna) {
1383 			u32 tx_ant = 0, rx_ant = 0;
1384 			int res;
1385 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
1386 			if (!res) {
1387 				if (nla_put_u32(msg,
1388 						NL80211_ATTR_WIPHY_ANTENNA_TX,
1389 						tx_ant) ||
1390 				    nla_put_u32(msg,
1391 						NL80211_ATTR_WIPHY_ANTENNA_RX,
1392 						rx_ant))
1393 					goto nla_put_failure;
1394 			}
1395 		}
1396 
1397 		state->split_start++;
1398 		if (state->split)
1399 			break;
1400 	case 2:
1401 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
1402 					rdev->wiphy.interface_modes))
1403 				goto nla_put_failure;
1404 		state->split_start++;
1405 		if (state->split)
1406 			break;
1407 	case 3:
1408 		nl_bands = nla_nest_start(msg, NL80211_ATTR_WIPHY_BANDS);
1409 		if (!nl_bands)
1410 			goto nla_put_failure;
1411 
1412 		for (band = state->band_start;
1413 		     band < IEEE80211_NUM_BANDS; band++) {
1414 			struct ieee80211_supported_band *sband;
1415 
1416 			sband = rdev->wiphy.bands[band];
1417 
1418 			if (!sband)
1419 				continue;
1420 
1421 			nl_band = nla_nest_start(msg, band);
1422 			if (!nl_band)
1423 				goto nla_put_failure;
1424 
1425 			switch (state->chan_start) {
1426 			case 0:
1427 				if (nl80211_send_band_rateinfo(msg, sband))
1428 					goto nla_put_failure;
1429 				state->chan_start++;
1430 				if (state->split)
1431 					break;
1432 			default:
1433 				/* add frequencies */
1434 				nl_freqs = nla_nest_start(
1435 					msg, NL80211_BAND_ATTR_FREQS);
1436 				if (!nl_freqs)
1437 					goto nla_put_failure;
1438 
1439 				for (i = state->chan_start - 1;
1440 				     i < sband->n_channels;
1441 				     i++) {
1442 					nl_freq = nla_nest_start(msg, i);
1443 					if (!nl_freq)
1444 						goto nla_put_failure;
1445 
1446 					chan = &sband->channels[i];
1447 
1448 					if (nl80211_msg_put_channel(
1449 							msg, chan,
1450 							state->split))
1451 						goto nla_put_failure;
1452 
1453 					nla_nest_end(msg, nl_freq);
1454 					if (state->split)
1455 						break;
1456 				}
1457 				if (i < sband->n_channels)
1458 					state->chan_start = i + 2;
1459 				else
1460 					state->chan_start = 0;
1461 				nla_nest_end(msg, nl_freqs);
1462 			}
1463 
1464 			nla_nest_end(msg, nl_band);
1465 
1466 			if (state->split) {
1467 				/* start again here */
1468 				if (state->chan_start)
1469 					band--;
1470 				break;
1471 			}
1472 		}
1473 		nla_nest_end(msg, nl_bands);
1474 
1475 		if (band < IEEE80211_NUM_BANDS)
1476 			state->band_start = band + 1;
1477 		else
1478 			state->band_start = 0;
1479 
1480 		/* if bands & channels are done, continue outside */
1481 		if (state->band_start == 0 && state->chan_start == 0)
1482 			state->split_start++;
1483 		if (state->split)
1484 			break;
1485 	case 4:
1486 		nl_cmds = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_COMMANDS);
1487 		if (!nl_cmds)
1488 			goto nla_put_failure;
1489 
1490 		i = 0;
1491 #define CMD(op, n)							\
1492 		 do {							\
1493 			if (rdev->ops->op) {				\
1494 				i++;					\
1495 				if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) \
1496 					goto nla_put_failure;		\
1497 			}						\
1498 		} while (0)
1499 
1500 		CMD(add_virtual_intf, NEW_INTERFACE);
1501 		CMD(change_virtual_intf, SET_INTERFACE);
1502 		CMD(add_key, NEW_KEY);
1503 		CMD(start_ap, START_AP);
1504 		CMD(add_station, NEW_STATION);
1505 		CMD(add_mpath, NEW_MPATH);
1506 		CMD(update_mesh_config, SET_MESH_CONFIG);
1507 		CMD(change_bss, SET_BSS);
1508 		CMD(auth, AUTHENTICATE);
1509 		CMD(assoc, ASSOCIATE);
1510 		CMD(deauth, DEAUTHENTICATE);
1511 		CMD(disassoc, DISASSOCIATE);
1512 		CMD(join_ibss, JOIN_IBSS);
1513 		CMD(join_mesh, JOIN_MESH);
1514 		CMD(set_pmksa, SET_PMKSA);
1515 		CMD(del_pmksa, DEL_PMKSA);
1516 		CMD(flush_pmksa, FLUSH_PMKSA);
1517 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1518 			CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1519 		CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1520 		CMD(mgmt_tx, FRAME);
1521 		CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1522 		if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1523 			i++;
1524 			if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1525 				goto nla_put_failure;
1526 		}
1527 		if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1528 		    rdev->ops->join_mesh) {
1529 			i++;
1530 			if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1531 				goto nla_put_failure;
1532 		}
1533 		CMD(set_wds_peer, SET_WDS_PEER);
1534 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1535 			CMD(tdls_mgmt, TDLS_MGMT);
1536 			CMD(tdls_oper, TDLS_OPER);
1537 		}
1538 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
1539 			CMD(sched_scan_start, START_SCHED_SCAN);
1540 		CMD(probe_client, PROBE_CLIENT);
1541 		CMD(set_noack_map, SET_NOACK_MAP);
1542 		if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1543 			i++;
1544 			if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1545 				goto nla_put_failure;
1546 		}
1547 		CMD(start_p2p_device, START_P2P_DEVICE);
1548 		CMD(set_mcast_rate, SET_MCAST_RATE);
1549 #ifdef CONFIG_NL80211_TESTMODE
1550 		CMD(testmode_cmd, TESTMODE);
1551 #endif
1552 		if (state->split) {
1553 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
1554 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
1555 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
1556 				CMD(channel_switch, CHANNEL_SWITCH);
1557 			CMD(set_qos_map, SET_QOS_MAP);
1558 			if (rdev->wiphy.features &
1559 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
1560 				CMD(add_tx_ts, ADD_TX_TS);
1561 		}
1562 		/* add into the if now */
1563 #undef CMD
1564 
1565 		if (rdev->ops->connect || rdev->ops->auth) {
1566 			i++;
1567 			if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1568 				goto nla_put_failure;
1569 		}
1570 
1571 		if (rdev->ops->disconnect || rdev->ops->deauth) {
1572 			i++;
1573 			if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1574 				goto nla_put_failure;
1575 		}
1576 
1577 		nla_nest_end(msg, nl_cmds);
1578 		state->split_start++;
1579 		if (state->split)
1580 			break;
1581 	case 5:
1582 		if (rdev->ops->remain_on_channel &&
1583 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
1584 		    nla_put_u32(msg,
1585 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
1586 				rdev->wiphy.max_remain_on_channel_duration))
1587 			goto nla_put_failure;
1588 
1589 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
1590 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
1591 			goto nla_put_failure;
1592 
1593 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
1594 			goto nla_put_failure;
1595 		state->split_start++;
1596 		if (state->split)
1597 			break;
1598 	case 6:
1599 #ifdef CONFIG_PM
1600 		if (nl80211_send_wowlan(msg, rdev, state->split))
1601 			goto nla_put_failure;
1602 		state->split_start++;
1603 		if (state->split)
1604 			break;
1605 #else
1606 		state->split_start++;
1607 #endif
1608 	case 7:
1609 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
1610 					rdev->wiphy.software_iftypes))
1611 			goto nla_put_failure;
1612 
1613 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
1614 						   state->split))
1615 			goto nla_put_failure;
1616 
1617 		state->split_start++;
1618 		if (state->split)
1619 			break;
1620 	case 8:
1621 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
1622 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
1623 				rdev->wiphy.ap_sme_capa))
1624 			goto nla_put_failure;
1625 
1626 		features = rdev->wiphy.features;
1627 		/*
1628 		 * We can only add the per-channel limit information if the
1629 		 * dump is split, otherwise it makes it too big. Therefore
1630 		 * only advertise it in that case.
1631 		 */
1632 		if (state->split)
1633 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
1634 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
1635 			goto nla_put_failure;
1636 
1637 		if (rdev->wiphy.ht_capa_mod_mask &&
1638 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
1639 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
1640 			    rdev->wiphy.ht_capa_mod_mask))
1641 			goto nla_put_failure;
1642 
1643 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
1644 		    rdev->wiphy.max_acl_mac_addrs &&
1645 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
1646 				rdev->wiphy.max_acl_mac_addrs))
1647 			goto nla_put_failure;
1648 
1649 		/*
1650 		 * Any information below this point is only available to
1651 		 * applications that can deal with it being split. This
1652 		 * helps ensure that newly added capabilities don't break
1653 		 * older tools by overrunning their buffers.
1654 		 *
1655 		 * We still increment split_start so that in the split
1656 		 * case we'll continue with more data in the next round,
1657 		 * but break unconditionally so unsplit data stops here.
1658 		 */
1659 		state->split_start++;
1660 		break;
1661 	case 9:
1662 		if (rdev->wiphy.extended_capabilities &&
1663 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
1664 			     rdev->wiphy.extended_capabilities_len,
1665 			     rdev->wiphy.extended_capabilities) ||
1666 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
1667 			     rdev->wiphy.extended_capabilities_len,
1668 			     rdev->wiphy.extended_capabilities_mask)))
1669 			goto nla_put_failure;
1670 
1671 		if (rdev->wiphy.vht_capa_mod_mask &&
1672 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
1673 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
1674 			    rdev->wiphy.vht_capa_mod_mask))
1675 			goto nla_put_failure;
1676 
1677 		state->split_start++;
1678 		break;
1679 	case 10:
1680 		if (nl80211_send_coalesce(msg, rdev))
1681 			goto nla_put_failure;
1682 
1683 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
1684 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
1685 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
1686 			goto nla_put_failure;
1687 
1688 		if (rdev->wiphy.max_ap_assoc_sta &&
1689 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
1690 				rdev->wiphy.max_ap_assoc_sta))
1691 			goto nla_put_failure;
1692 
1693 		state->split_start++;
1694 		break;
1695 	case 11:
1696 		if (rdev->wiphy.n_vendor_commands) {
1697 			const struct nl80211_vendor_cmd_info *info;
1698 			struct nlattr *nested;
1699 
1700 			nested = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
1701 			if (!nested)
1702 				goto nla_put_failure;
1703 
1704 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
1705 				info = &rdev->wiphy.vendor_commands[i].info;
1706 				if (nla_put(msg, i + 1, sizeof(*info), info))
1707 					goto nla_put_failure;
1708 			}
1709 			nla_nest_end(msg, nested);
1710 		}
1711 
1712 		if (rdev->wiphy.n_vendor_events) {
1713 			const struct nl80211_vendor_cmd_info *info;
1714 			struct nlattr *nested;
1715 
1716 			nested = nla_nest_start(msg,
1717 						NL80211_ATTR_VENDOR_EVENTS);
1718 			if (!nested)
1719 				goto nla_put_failure;
1720 
1721 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
1722 				info = &rdev->wiphy.vendor_events[i];
1723 				if (nla_put(msg, i + 1, sizeof(*info), info))
1724 					goto nla_put_failure;
1725 			}
1726 			nla_nest_end(msg, nested);
1727 		}
1728 		state->split_start++;
1729 		break;
1730 	case 12:
1731 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
1732 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
1733 			       rdev->wiphy.max_num_csa_counters))
1734 			goto nla_put_failure;
1735 
1736 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
1737 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
1738 			goto nla_put_failure;
1739 
1740 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
1741 			    sizeof(rdev->wiphy.ext_features),
1742 			    rdev->wiphy.ext_features))
1743 			goto nla_put_failure;
1744 
1745 		if (rdev->wiphy.bss_select_support) {
1746 			struct nlattr *nested;
1747 			u32 bss_select_support = rdev->wiphy.bss_select_support;
1748 
1749 			nested = nla_nest_start(msg, NL80211_ATTR_BSS_SELECT);
1750 			if (!nested)
1751 				goto nla_put_failure;
1752 
1753 			i = 0;
1754 			while (bss_select_support) {
1755 				if ((bss_select_support & 1) &&
1756 				    nla_put_flag(msg, i))
1757 					goto nla_put_failure;
1758 				i++;
1759 				bss_select_support >>= 1;
1760 			}
1761 			nla_nest_end(msg, nested);
1762 		}
1763 
1764 		/* done */
1765 		state->split_start = 0;
1766 		break;
1767 	}
1768  finish:
1769 	genlmsg_end(msg, hdr);
1770 	return 0;
1771 
1772  nla_put_failure:
1773 	genlmsg_cancel(msg, hdr);
1774 	return -EMSGSIZE;
1775 }
1776 
1777 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
1778 				    struct netlink_callback *cb,
1779 				    struct nl80211_dump_wiphy_state *state)
1780 {
1781 	struct nlattr **tb = nl80211_fam.attrbuf;
1782 	int ret = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
1783 			      tb, nl80211_fam.maxattr, nl80211_policy);
1784 	/* ignore parse errors for backward compatibility */
1785 	if (ret)
1786 		return 0;
1787 
1788 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
1789 	if (tb[NL80211_ATTR_WIPHY])
1790 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
1791 	if (tb[NL80211_ATTR_WDEV])
1792 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
1793 	if (tb[NL80211_ATTR_IFINDEX]) {
1794 		struct net_device *netdev;
1795 		struct cfg80211_registered_device *rdev;
1796 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
1797 
1798 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
1799 		if (!netdev)
1800 			return -ENODEV;
1801 		if (netdev->ieee80211_ptr) {
1802 			rdev = wiphy_to_rdev(
1803 				netdev->ieee80211_ptr->wiphy);
1804 			state->filter_wiphy = rdev->wiphy_idx;
1805 		}
1806 	}
1807 
1808 	return 0;
1809 }
1810 
1811 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
1812 {
1813 	int idx = 0, ret;
1814 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
1815 	struct cfg80211_registered_device *rdev;
1816 
1817 	rtnl_lock();
1818 	if (!state) {
1819 		state = kzalloc(sizeof(*state), GFP_KERNEL);
1820 		if (!state) {
1821 			rtnl_unlock();
1822 			return -ENOMEM;
1823 		}
1824 		state->filter_wiphy = -1;
1825 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
1826 		if (ret) {
1827 			kfree(state);
1828 			rtnl_unlock();
1829 			return ret;
1830 		}
1831 		cb->args[0] = (long)state;
1832 	}
1833 
1834 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
1835 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
1836 			continue;
1837 		if (++idx <= state->start)
1838 			continue;
1839 		if (state->filter_wiphy != -1 &&
1840 		    state->filter_wiphy != rdev->wiphy_idx)
1841 			continue;
1842 		/* attempt to fit multiple wiphy data chunks into the skb */
1843 		do {
1844 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
1845 						 skb,
1846 						 NETLINK_CB(cb->skb).portid,
1847 						 cb->nlh->nlmsg_seq,
1848 						 NLM_F_MULTI, state);
1849 			if (ret < 0) {
1850 				/*
1851 				 * If sending the wiphy data didn't fit (ENOBUFS
1852 				 * or EMSGSIZE returned), this SKB is still
1853 				 * empty (so it's not too big because another
1854 				 * wiphy dataset is already in the skb) and
1855 				 * we've not tried to adjust the dump allocation
1856 				 * yet ... then adjust the alloc size to be
1857 				 * bigger, and return 1 but with the empty skb.
1858 				 * This results in an empty message being RX'ed
1859 				 * in userspace, but that is ignored.
1860 				 *
1861 				 * We can then retry with the larger buffer.
1862 				 */
1863 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
1864 				    !skb->len && !state->split &&
1865 				    cb->min_dump_alloc < 4096) {
1866 					cb->min_dump_alloc = 4096;
1867 					state->split_start = 0;
1868 					rtnl_unlock();
1869 					return 1;
1870 				}
1871 				idx--;
1872 				break;
1873 			}
1874 		} while (state->split_start > 0);
1875 		break;
1876 	}
1877 	rtnl_unlock();
1878 
1879 	state->start = idx;
1880 
1881 	return skb->len;
1882 }
1883 
1884 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
1885 {
1886 	kfree((void *)cb->args[0]);
1887 	return 0;
1888 }
1889 
1890 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
1891 {
1892 	struct sk_buff *msg;
1893 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
1894 	struct nl80211_dump_wiphy_state state = {};
1895 
1896 	msg = nlmsg_new(4096, GFP_KERNEL);
1897 	if (!msg)
1898 		return -ENOMEM;
1899 
1900 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
1901 			       info->snd_portid, info->snd_seq, 0,
1902 			       &state) < 0) {
1903 		nlmsg_free(msg);
1904 		return -ENOBUFS;
1905 	}
1906 
1907 	return genlmsg_reply(msg, info);
1908 }
1909 
1910 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
1911 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
1912 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
1913 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
1914 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
1915 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
1916 };
1917 
1918 static int parse_txq_params(struct nlattr *tb[],
1919 			    struct ieee80211_txq_params *txq_params)
1920 {
1921 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
1922 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
1923 	    !tb[NL80211_TXQ_ATTR_AIFS])
1924 		return -EINVAL;
1925 
1926 	txq_params->ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
1927 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
1928 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
1929 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
1930 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
1931 
1932 	if (txq_params->ac >= NL80211_NUM_ACS)
1933 		return -EINVAL;
1934 
1935 	return 0;
1936 }
1937 
1938 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
1939 {
1940 	/*
1941 	 * You can only set the channel explicitly for WDS interfaces,
1942 	 * all others have their channel managed via their respective
1943 	 * "establish a connection" command (connect, join, ...)
1944 	 *
1945 	 * For AP/GO and mesh mode, the channel can be set with the
1946 	 * channel userspace API, but is only stored and passed to the
1947 	 * low-level driver when the AP starts or the mesh is joined.
1948 	 * This is for backward compatibility, userspace can also give
1949 	 * the channel in the start-ap or join-mesh commands instead.
1950 	 *
1951 	 * Monitors are special as they are normally slaved to
1952 	 * whatever else is going on, so they have their own special
1953 	 * operation to set the monitor channel if possible.
1954 	 */
1955 	return !wdev ||
1956 		wdev->iftype == NL80211_IFTYPE_AP ||
1957 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
1958 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
1959 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
1960 }
1961 
1962 static int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
1963 				 struct genl_info *info,
1964 				 struct cfg80211_chan_def *chandef)
1965 {
1966 	u32 control_freq;
1967 
1968 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
1969 		return -EINVAL;
1970 
1971 	control_freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
1972 
1973 	chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
1974 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
1975 	chandef->center_freq1 = control_freq;
1976 	chandef->center_freq2 = 0;
1977 
1978 	/* Primary channel not allowed */
1979 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED)
1980 		return -EINVAL;
1981 
1982 	if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
1983 		enum nl80211_channel_type chantype;
1984 
1985 		chantype = nla_get_u32(
1986 				info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
1987 
1988 		switch (chantype) {
1989 		case NL80211_CHAN_NO_HT:
1990 		case NL80211_CHAN_HT20:
1991 		case NL80211_CHAN_HT40PLUS:
1992 		case NL80211_CHAN_HT40MINUS:
1993 			cfg80211_chandef_create(chandef, chandef->chan,
1994 						chantype);
1995 			break;
1996 		default:
1997 			return -EINVAL;
1998 		}
1999 	} else if (info->attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
2000 		chandef->width =
2001 			nla_get_u32(info->attrs[NL80211_ATTR_CHANNEL_WIDTH]);
2002 		if (info->attrs[NL80211_ATTR_CENTER_FREQ1])
2003 			chandef->center_freq1 =
2004 				nla_get_u32(
2005 					info->attrs[NL80211_ATTR_CENTER_FREQ1]);
2006 		if (info->attrs[NL80211_ATTR_CENTER_FREQ2])
2007 			chandef->center_freq2 =
2008 				nla_get_u32(
2009 					info->attrs[NL80211_ATTR_CENTER_FREQ2]);
2010 	}
2011 
2012 	if (!cfg80211_chandef_valid(chandef))
2013 		return -EINVAL;
2014 
2015 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
2016 				     IEEE80211_CHAN_DISABLED))
2017 		return -EINVAL;
2018 
2019 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
2020 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
2021 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ))
2022 		return -EINVAL;
2023 
2024 	return 0;
2025 }
2026 
2027 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
2028 				 struct net_device *dev,
2029 				 struct genl_info *info)
2030 {
2031 	struct cfg80211_chan_def chandef;
2032 	int result;
2033 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
2034 	struct wireless_dev *wdev = NULL;
2035 
2036 	if (dev)
2037 		wdev = dev->ieee80211_ptr;
2038 	if (!nl80211_can_set_dev_channel(wdev))
2039 		return -EOPNOTSUPP;
2040 	if (wdev)
2041 		iftype = wdev->iftype;
2042 
2043 	result = nl80211_parse_chandef(rdev, info, &chandef);
2044 	if (result)
2045 		return result;
2046 
2047 	switch (iftype) {
2048 	case NL80211_IFTYPE_AP:
2049 	case NL80211_IFTYPE_P2P_GO:
2050 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
2051 						   iftype)) {
2052 			result = -EINVAL;
2053 			break;
2054 		}
2055 		if (wdev->beacon_interval) {
2056 			if (!dev || !rdev->ops->set_ap_chanwidth ||
2057 			    !(rdev->wiphy.features &
2058 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
2059 				result = -EBUSY;
2060 				break;
2061 			}
2062 
2063 			/* Only allow dynamic channel width changes */
2064 			if (chandef.chan != wdev->preset_chandef.chan) {
2065 				result = -EBUSY;
2066 				break;
2067 			}
2068 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
2069 			if (result)
2070 				break;
2071 		}
2072 		wdev->preset_chandef = chandef;
2073 		result = 0;
2074 		break;
2075 	case NL80211_IFTYPE_MESH_POINT:
2076 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
2077 		break;
2078 	case NL80211_IFTYPE_MONITOR:
2079 		result = cfg80211_set_monitor_channel(rdev, &chandef);
2080 		break;
2081 	default:
2082 		result = -EINVAL;
2083 	}
2084 
2085 	return result;
2086 }
2087 
2088 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
2089 {
2090 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2091 	struct net_device *netdev = info->user_ptr[1];
2092 
2093 	return __nl80211_set_channel(rdev, netdev, info);
2094 }
2095 
2096 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
2097 {
2098 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2099 	struct net_device *dev = info->user_ptr[1];
2100 	struct wireless_dev *wdev = dev->ieee80211_ptr;
2101 	const u8 *bssid;
2102 
2103 	if (!info->attrs[NL80211_ATTR_MAC])
2104 		return -EINVAL;
2105 
2106 	if (netif_running(dev))
2107 		return -EBUSY;
2108 
2109 	if (!rdev->ops->set_wds_peer)
2110 		return -EOPNOTSUPP;
2111 
2112 	if (wdev->iftype != NL80211_IFTYPE_WDS)
2113 		return -EOPNOTSUPP;
2114 
2115 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
2116 	return rdev_set_wds_peer(rdev, dev, bssid);
2117 }
2118 
2119 
2120 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
2121 {
2122 	struct cfg80211_registered_device *rdev;
2123 	struct net_device *netdev = NULL;
2124 	struct wireless_dev *wdev;
2125 	int result = 0, rem_txq_params = 0;
2126 	struct nlattr *nl_txq_params;
2127 	u32 changed;
2128 	u8 retry_short = 0, retry_long = 0;
2129 	u32 frag_threshold = 0, rts_threshold = 0;
2130 	u8 coverage_class = 0;
2131 
2132 	ASSERT_RTNL();
2133 
2134 	/*
2135 	 * Try to find the wiphy and netdev. Normally this
2136 	 * function shouldn't need the netdev, but this is
2137 	 * done for backward compatibility -- previously
2138 	 * setting the channel was done per wiphy, but now
2139 	 * it is per netdev. Previous userland like hostapd
2140 	 * also passed a netdev to set_wiphy, so that it is
2141 	 * possible to let that go to the right netdev!
2142 	 */
2143 
2144 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
2145 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
2146 
2147 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
2148 		if (netdev && netdev->ieee80211_ptr)
2149 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
2150 		else
2151 			netdev = NULL;
2152 	}
2153 
2154 	if (!netdev) {
2155 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
2156 						  info->attrs);
2157 		if (IS_ERR(rdev))
2158 			return PTR_ERR(rdev);
2159 		wdev = NULL;
2160 		netdev = NULL;
2161 		result = 0;
2162 	} else
2163 		wdev = netdev->ieee80211_ptr;
2164 
2165 	/*
2166 	 * end workaround code, by now the rdev is available
2167 	 * and locked, and wdev may or may not be NULL.
2168 	 */
2169 
2170 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
2171 		result = cfg80211_dev_rename(
2172 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
2173 
2174 	if (result)
2175 		return result;
2176 
2177 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
2178 		struct ieee80211_txq_params txq_params;
2179 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
2180 
2181 		if (!rdev->ops->set_txq_params)
2182 			return -EOPNOTSUPP;
2183 
2184 		if (!netdev)
2185 			return -EINVAL;
2186 
2187 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2188 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2189 			return -EINVAL;
2190 
2191 		if (!netif_running(netdev))
2192 			return -ENETDOWN;
2193 
2194 		nla_for_each_nested(nl_txq_params,
2195 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
2196 				    rem_txq_params) {
2197 			result = nla_parse(tb, NL80211_TXQ_ATTR_MAX,
2198 					   nla_data(nl_txq_params),
2199 					   nla_len(nl_txq_params),
2200 					   txq_params_policy);
2201 			if (result)
2202 				return result;
2203 			result = parse_txq_params(tb, &txq_params);
2204 			if (result)
2205 				return result;
2206 
2207 			result = rdev_set_txq_params(rdev, netdev,
2208 						     &txq_params);
2209 			if (result)
2210 				return result;
2211 		}
2212 	}
2213 
2214 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2215 		result = __nl80211_set_channel(
2216 			rdev,
2217 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
2218 			info);
2219 		if (result)
2220 			return result;
2221 	}
2222 
2223 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
2224 		struct wireless_dev *txp_wdev = wdev;
2225 		enum nl80211_tx_power_setting type;
2226 		int idx, mbm = 0;
2227 
2228 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
2229 			txp_wdev = NULL;
2230 
2231 		if (!rdev->ops->set_tx_power)
2232 			return -EOPNOTSUPP;
2233 
2234 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
2235 		type = nla_get_u32(info->attrs[idx]);
2236 
2237 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
2238 		    (type != NL80211_TX_POWER_AUTOMATIC))
2239 			return -EINVAL;
2240 
2241 		if (type != NL80211_TX_POWER_AUTOMATIC) {
2242 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
2243 			mbm = nla_get_u32(info->attrs[idx]);
2244 		}
2245 
2246 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
2247 		if (result)
2248 			return result;
2249 	}
2250 
2251 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
2252 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
2253 		u32 tx_ant, rx_ant;
2254 		if ((!rdev->wiphy.available_antennas_tx &&
2255 		     !rdev->wiphy.available_antennas_rx) ||
2256 		    !rdev->ops->set_antenna)
2257 			return -EOPNOTSUPP;
2258 
2259 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
2260 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
2261 
2262 		/* reject antenna configurations which don't match the
2263 		 * available antenna masks, except for the "all" mask */
2264 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
2265 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
2266 			return -EINVAL;
2267 
2268 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
2269 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
2270 
2271 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
2272 		if (result)
2273 			return result;
2274 	}
2275 
2276 	changed = 0;
2277 
2278 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
2279 		retry_short = nla_get_u8(
2280 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
2281 		if (retry_short == 0)
2282 			return -EINVAL;
2283 
2284 		changed |= WIPHY_PARAM_RETRY_SHORT;
2285 	}
2286 
2287 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
2288 		retry_long = nla_get_u8(
2289 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
2290 		if (retry_long == 0)
2291 			return -EINVAL;
2292 
2293 		changed |= WIPHY_PARAM_RETRY_LONG;
2294 	}
2295 
2296 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
2297 		frag_threshold = nla_get_u32(
2298 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
2299 		if (frag_threshold < 256)
2300 			return -EINVAL;
2301 
2302 		if (frag_threshold != (u32) -1) {
2303 			/*
2304 			 * Fragments (apart from the last one) are required to
2305 			 * have even length. Make the fragmentation code
2306 			 * simpler by stripping LSB should someone try to use
2307 			 * odd threshold value.
2308 			 */
2309 			frag_threshold &= ~0x1;
2310 		}
2311 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
2312 	}
2313 
2314 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
2315 		rts_threshold = nla_get_u32(
2316 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
2317 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
2318 	}
2319 
2320 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
2321 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
2322 			return -EINVAL;
2323 
2324 		coverage_class = nla_get_u8(
2325 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
2326 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
2327 	}
2328 
2329 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
2330 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
2331 			return -EOPNOTSUPP;
2332 
2333 		changed |= WIPHY_PARAM_DYN_ACK;
2334 	}
2335 
2336 	if (changed) {
2337 		u8 old_retry_short, old_retry_long;
2338 		u32 old_frag_threshold, old_rts_threshold;
2339 		u8 old_coverage_class;
2340 
2341 		if (!rdev->ops->set_wiphy_params)
2342 			return -EOPNOTSUPP;
2343 
2344 		old_retry_short = rdev->wiphy.retry_short;
2345 		old_retry_long = rdev->wiphy.retry_long;
2346 		old_frag_threshold = rdev->wiphy.frag_threshold;
2347 		old_rts_threshold = rdev->wiphy.rts_threshold;
2348 		old_coverage_class = rdev->wiphy.coverage_class;
2349 
2350 		if (changed & WIPHY_PARAM_RETRY_SHORT)
2351 			rdev->wiphy.retry_short = retry_short;
2352 		if (changed & WIPHY_PARAM_RETRY_LONG)
2353 			rdev->wiphy.retry_long = retry_long;
2354 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
2355 			rdev->wiphy.frag_threshold = frag_threshold;
2356 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
2357 			rdev->wiphy.rts_threshold = rts_threshold;
2358 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
2359 			rdev->wiphy.coverage_class = coverage_class;
2360 
2361 		result = rdev_set_wiphy_params(rdev, changed);
2362 		if (result) {
2363 			rdev->wiphy.retry_short = old_retry_short;
2364 			rdev->wiphy.retry_long = old_retry_long;
2365 			rdev->wiphy.frag_threshold = old_frag_threshold;
2366 			rdev->wiphy.rts_threshold = old_rts_threshold;
2367 			rdev->wiphy.coverage_class = old_coverage_class;
2368 			return result;
2369 		}
2370 	}
2371 	return 0;
2372 }
2373 
2374 static inline u64 wdev_id(struct wireless_dev *wdev)
2375 {
2376 	return (u64)wdev->identifier |
2377 	       ((u64)wiphy_to_rdev(wdev->wiphy)->wiphy_idx << 32);
2378 }
2379 
2380 static int nl80211_send_chandef(struct sk_buff *msg,
2381 				const struct cfg80211_chan_def *chandef)
2382 {
2383 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
2384 		return -EINVAL;
2385 
2386 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
2387 			chandef->chan->center_freq))
2388 		return -ENOBUFS;
2389 	switch (chandef->width) {
2390 	case NL80211_CHAN_WIDTH_20_NOHT:
2391 	case NL80211_CHAN_WIDTH_20:
2392 	case NL80211_CHAN_WIDTH_40:
2393 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
2394 				cfg80211_get_chandef_type(chandef)))
2395 			return -ENOBUFS;
2396 		break;
2397 	default:
2398 		break;
2399 	}
2400 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
2401 		return -ENOBUFS;
2402 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
2403 		return -ENOBUFS;
2404 	if (chandef->center_freq2 &&
2405 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
2406 		return -ENOBUFS;
2407 	return 0;
2408 }
2409 
2410 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
2411 			      struct cfg80211_registered_device *rdev,
2412 			      struct wireless_dev *wdev, bool removal)
2413 {
2414 	struct net_device *dev = wdev->netdev;
2415 	u8 cmd = NL80211_CMD_NEW_INTERFACE;
2416 	void *hdr;
2417 
2418 	if (removal)
2419 		cmd = NL80211_CMD_DEL_INTERFACE;
2420 
2421 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2422 	if (!hdr)
2423 		return -1;
2424 
2425 	if (dev &&
2426 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2427 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
2428 		goto nla_put_failure;
2429 
2430 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2431 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
2432 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
2433 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
2434 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2435 			rdev->devlist_generation ^
2436 			(cfg80211_rdev_list_generation << 2)))
2437 		goto nla_put_failure;
2438 
2439 	if (rdev->ops->get_channel) {
2440 		int ret;
2441 		struct cfg80211_chan_def chandef;
2442 
2443 		ret = rdev_get_channel(rdev, wdev, &chandef);
2444 		if (ret == 0) {
2445 			if (nl80211_send_chandef(msg, &chandef))
2446 				goto nla_put_failure;
2447 		}
2448 	}
2449 
2450 	if (rdev->ops->get_tx_power) {
2451 		int dbm, ret;
2452 
2453 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
2454 		if (ret == 0 &&
2455 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
2456 				DBM_TO_MBM(dbm)))
2457 			goto nla_put_failure;
2458 	}
2459 
2460 	if (wdev->ssid_len) {
2461 		if (nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
2462 			goto nla_put_failure;
2463 	}
2464 
2465 	genlmsg_end(msg, hdr);
2466 	return 0;
2467 
2468  nla_put_failure:
2469 	genlmsg_cancel(msg, hdr);
2470 	return -EMSGSIZE;
2471 }
2472 
2473 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
2474 {
2475 	int wp_idx = 0;
2476 	int if_idx = 0;
2477 	int wp_start = cb->args[0];
2478 	int if_start = cb->args[1];
2479 	struct cfg80211_registered_device *rdev;
2480 	struct wireless_dev *wdev;
2481 
2482 	rtnl_lock();
2483 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2484 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2485 			continue;
2486 		if (wp_idx < wp_start) {
2487 			wp_idx++;
2488 			continue;
2489 		}
2490 		if_idx = 0;
2491 
2492 		list_for_each_entry(wdev, &rdev->wdev_list, list) {
2493 			if (if_idx < if_start) {
2494 				if_idx++;
2495 				continue;
2496 			}
2497 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
2498 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
2499 					       rdev, wdev, false) < 0) {
2500 				goto out;
2501 			}
2502 			if_idx++;
2503 		}
2504 
2505 		wp_idx++;
2506 	}
2507  out:
2508 	rtnl_unlock();
2509 
2510 	cb->args[0] = wp_idx;
2511 	cb->args[1] = if_idx;
2512 
2513 	return skb->len;
2514 }
2515 
2516 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
2517 {
2518 	struct sk_buff *msg;
2519 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2520 	struct wireless_dev *wdev = info->user_ptr[1];
2521 
2522 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2523 	if (!msg)
2524 		return -ENOMEM;
2525 
2526 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2527 			       rdev, wdev, false) < 0) {
2528 		nlmsg_free(msg);
2529 		return -ENOBUFS;
2530 	}
2531 
2532 	return genlmsg_reply(msg, info);
2533 }
2534 
2535 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
2536 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
2537 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
2538 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
2539 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
2540 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
2541 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
2542 };
2543 
2544 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
2545 {
2546 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
2547 	int flag;
2548 
2549 	*mntrflags = 0;
2550 
2551 	if (!nla)
2552 		return -EINVAL;
2553 
2554 	if (nla_parse_nested(flags, NL80211_MNTR_FLAG_MAX,
2555 			     nla, mntr_flags_policy))
2556 		return -EINVAL;
2557 
2558 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
2559 		if (flags[flag])
2560 			*mntrflags |= (1<<flag);
2561 
2562 	return 0;
2563 }
2564 
2565 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
2566 			       struct net_device *netdev, u8 use_4addr,
2567 			       enum nl80211_iftype iftype)
2568 {
2569 	if (!use_4addr) {
2570 		if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
2571 			return -EBUSY;
2572 		return 0;
2573 	}
2574 
2575 	switch (iftype) {
2576 	case NL80211_IFTYPE_AP_VLAN:
2577 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
2578 			return 0;
2579 		break;
2580 	case NL80211_IFTYPE_STATION:
2581 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
2582 			return 0;
2583 		break;
2584 	default:
2585 		break;
2586 	}
2587 
2588 	return -EOPNOTSUPP;
2589 }
2590 
2591 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
2592 {
2593 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2594 	struct vif_params params;
2595 	int err;
2596 	enum nl80211_iftype otype, ntype;
2597 	struct net_device *dev = info->user_ptr[1];
2598 	u32 _flags, *flags = NULL;
2599 	bool change = false;
2600 
2601 	memset(&params, 0, sizeof(params));
2602 
2603 	otype = ntype = dev->ieee80211_ptr->iftype;
2604 
2605 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2606 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2607 		if (otype != ntype)
2608 			change = true;
2609 		if (ntype > NL80211_IFTYPE_MAX)
2610 			return -EINVAL;
2611 	}
2612 
2613 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
2614 		struct wireless_dev *wdev = dev->ieee80211_ptr;
2615 
2616 		if (ntype != NL80211_IFTYPE_MESH_POINT)
2617 			return -EINVAL;
2618 		if (netif_running(dev))
2619 			return -EBUSY;
2620 
2621 		wdev_lock(wdev);
2622 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2623 			     IEEE80211_MAX_MESH_ID_LEN);
2624 		wdev->mesh_id_up_len =
2625 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2626 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2627 		       wdev->mesh_id_up_len);
2628 		wdev_unlock(wdev);
2629 	}
2630 
2631 	if (info->attrs[NL80211_ATTR_4ADDR]) {
2632 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2633 		change = true;
2634 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
2635 		if (err)
2636 			return err;
2637 	} else {
2638 		params.use_4addr = -1;
2639 	}
2640 
2641 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
2642 		if (ntype != NL80211_IFTYPE_MONITOR)
2643 			return -EINVAL;
2644 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
2645 					  &_flags);
2646 		if (err)
2647 			return err;
2648 
2649 		flags = &_flags;
2650 		change = true;
2651 	}
2652 
2653 	if (flags && (*flags & MONITOR_FLAG_ACTIVE) &&
2654 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
2655 		return -EOPNOTSUPP;
2656 
2657 	if (change)
2658 		err = cfg80211_change_iface(rdev, dev, ntype, flags, &params);
2659 	else
2660 		err = 0;
2661 
2662 	if (!err && params.use_4addr != -1)
2663 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
2664 
2665 	return err;
2666 }
2667 
2668 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
2669 {
2670 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2671 	struct vif_params params;
2672 	struct wireless_dev *wdev;
2673 	struct sk_buff *msg, *event;
2674 	int err;
2675 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
2676 	u32 flags;
2677 
2678 	/* to avoid failing a new interface creation due to pending removal */
2679 	cfg80211_destroy_ifaces(rdev);
2680 
2681 	memset(&params, 0, sizeof(params));
2682 
2683 	if (!info->attrs[NL80211_ATTR_IFNAME])
2684 		return -EINVAL;
2685 
2686 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2687 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2688 		if (type > NL80211_IFTYPE_MAX)
2689 			return -EINVAL;
2690 	}
2691 
2692 	if (!rdev->ops->add_virtual_intf ||
2693 	    !(rdev->wiphy.interface_modes & (1 << type)))
2694 		return -EOPNOTSUPP;
2695 
2696 	if ((type == NL80211_IFTYPE_P2P_DEVICE ||
2697 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
2698 	    info->attrs[NL80211_ATTR_MAC]) {
2699 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
2700 			   ETH_ALEN);
2701 		if (!is_valid_ether_addr(params.macaddr))
2702 			return -EADDRNOTAVAIL;
2703 	}
2704 
2705 	if (info->attrs[NL80211_ATTR_4ADDR]) {
2706 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2707 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
2708 		if (err)
2709 			return err;
2710 	}
2711 
2712 	err = parse_monitor_flags(type == NL80211_IFTYPE_MONITOR ?
2713 				  info->attrs[NL80211_ATTR_MNTR_FLAGS] : NULL,
2714 				  &flags);
2715 
2716 	if (!err && (flags & MONITOR_FLAG_ACTIVE) &&
2717 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
2718 		return -EOPNOTSUPP;
2719 
2720 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2721 	if (!msg)
2722 		return -ENOMEM;
2723 
2724 	wdev = rdev_add_virtual_intf(rdev,
2725 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
2726 				NET_NAME_USER, type, err ? NULL : &flags,
2727 				&params);
2728 	if (WARN_ON(!wdev)) {
2729 		nlmsg_free(msg);
2730 		return -EPROTO;
2731 	} else if (IS_ERR(wdev)) {
2732 		nlmsg_free(msg);
2733 		return PTR_ERR(wdev);
2734 	}
2735 
2736 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
2737 		wdev->owner_nlportid = info->snd_portid;
2738 
2739 	switch (type) {
2740 	case NL80211_IFTYPE_MESH_POINT:
2741 		if (!info->attrs[NL80211_ATTR_MESH_ID])
2742 			break;
2743 		wdev_lock(wdev);
2744 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2745 			     IEEE80211_MAX_MESH_ID_LEN);
2746 		wdev->mesh_id_up_len =
2747 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2748 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2749 		       wdev->mesh_id_up_len);
2750 		wdev_unlock(wdev);
2751 		break;
2752 	case NL80211_IFTYPE_P2P_DEVICE:
2753 		/*
2754 		 * P2P Device doesn't have a netdev, so doesn't go
2755 		 * through the netdev notifier and must be added here
2756 		 */
2757 		mutex_init(&wdev->mtx);
2758 		INIT_LIST_HEAD(&wdev->event_list);
2759 		spin_lock_init(&wdev->event_lock);
2760 		INIT_LIST_HEAD(&wdev->mgmt_registrations);
2761 		spin_lock_init(&wdev->mgmt_registrations_lock);
2762 
2763 		wdev->identifier = ++rdev->wdev_id;
2764 		list_add_rcu(&wdev->list, &rdev->wdev_list);
2765 		rdev->devlist_generation++;
2766 		break;
2767 	default:
2768 		break;
2769 	}
2770 
2771 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2772 			       rdev, wdev, false) < 0) {
2773 		nlmsg_free(msg);
2774 		return -ENOBUFS;
2775 	}
2776 
2777 	event = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2778 	if (event) {
2779 		if (nl80211_send_iface(event, 0, 0, 0,
2780 				       rdev, wdev, false) < 0) {
2781 			nlmsg_free(event);
2782 			goto out;
2783 		}
2784 
2785 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
2786 					event, 0, NL80211_MCGRP_CONFIG,
2787 					GFP_KERNEL);
2788 	}
2789 
2790 out:
2791 	return genlmsg_reply(msg, info);
2792 }
2793 
2794 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
2795 {
2796 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2797 	struct wireless_dev *wdev = info->user_ptr[1];
2798 	struct sk_buff *msg;
2799 	int status;
2800 
2801 	if (!rdev->ops->del_virtual_intf)
2802 		return -EOPNOTSUPP;
2803 
2804 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2805 	if (msg && nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, true) < 0) {
2806 		nlmsg_free(msg);
2807 		msg = NULL;
2808 	}
2809 
2810 	/*
2811 	 * If we remove a wireless device without a netdev then clear
2812 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
2813 	 * to check if it needs to do dev_put(). Otherwise it crashes
2814 	 * since the wdev has been freed, unlike with a netdev where
2815 	 * we need the dev_put() for the netdev to really be freed.
2816 	 */
2817 	if (!wdev->netdev)
2818 		info->user_ptr[1] = NULL;
2819 
2820 	status = rdev_del_virtual_intf(rdev, wdev);
2821 	if (status >= 0 && msg)
2822 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
2823 					msg, 0, NL80211_MCGRP_CONFIG,
2824 					GFP_KERNEL);
2825 	else
2826 		nlmsg_free(msg);
2827 
2828 	return status;
2829 }
2830 
2831 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
2832 {
2833 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2834 	struct net_device *dev = info->user_ptr[1];
2835 	u16 noack_map;
2836 
2837 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
2838 		return -EINVAL;
2839 
2840 	if (!rdev->ops->set_noack_map)
2841 		return -EOPNOTSUPP;
2842 
2843 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
2844 
2845 	return rdev_set_noack_map(rdev, dev, noack_map);
2846 }
2847 
2848 struct get_key_cookie {
2849 	struct sk_buff *msg;
2850 	int error;
2851 	int idx;
2852 };
2853 
2854 static void get_key_callback(void *c, struct key_params *params)
2855 {
2856 	struct nlattr *key;
2857 	struct get_key_cookie *cookie = c;
2858 
2859 	if ((params->key &&
2860 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
2861 		     params->key_len, params->key)) ||
2862 	    (params->seq &&
2863 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
2864 		     params->seq_len, params->seq)) ||
2865 	    (params->cipher &&
2866 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
2867 			 params->cipher)))
2868 		goto nla_put_failure;
2869 
2870 	key = nla_nest_start(cookie->msg, NL80211_ATTR_KEY);
2871 	if (!key)
2872 		goto nla_put_failure;
2873 
2874 	if ((params->key &&
2875 	     nla_put(cookie->msg, NL80211_KEY_DATA,
2876 		     params->key_len, params->key)) ||
2877 	    (params->seq &&
2878 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
2879 		     params->seq_len, params->seq)) ||
2880 	    (params->cipher &&
2881 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
2882 			 params->cipher)))
2883 		goto nla_put_failure;
2884 
2885 	if (nla_put_u8(cookie->msg, NL80211_ATTR_KEY_IDX, cookie->idx))
2886 		goto nla_put_failure;
2887 
2888 	nla_nest_end(cookie->msg, key);
2889 
2890 	return;
2891  nla_put_failure:
2892 	cookie->error = 1;
2893 }
2894 
2895 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
2896 {
2897 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2898 	int err;
2899 	struct net_device *dev = info->user_ptr[1];
2900 	u8 key_idx = 0;
2901 	const u8 *mac_addr = NULL;
2902 	bool pairwise;
2903 	struct get_key_cookie cookie = {
2904 		.error = 0,
2905 	};
2906 	void *hdr;
2907 	struct sk_buff *msg;
2908 
2909 	if (info->attrs[NL80211_ATTR_KEY_IDX])
2910 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
2911 
2912 	if (key_idx > 5)
2913 		return -EINVAL;
2914 
2915 	if (info->attrs[NL80211_ATTR_MAC])
2916 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2917 
2918 	pairwise = !!mac_addr;
2919 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
2920 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
2921 		if (kt >= NUM_NL80211_KEYTYPES)
2922 			return -EINVAL;
2923 		if (kt != NL80211_KEYTYPE_GROUP &&
2924 		    kt != NL80211_KEYTYPE_PAIRWISE)
2925 			return -EINVAL;
2926 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
2927 	}
2928 
2929 	if (!rdev->ops->get_key)
2930 		return -EOPNOTSUPP;
2931 
2932 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2933 		return -ENOENT;
2934 
2935 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2936 	if (!msg)
2937 		return -ENOMEM;
2938 
2939 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
2940 			     NL80211_CMD_NEW_KEY);
2941 	if (!hdr)
2942 		goto nla_put_failure;
2943 
2944 	cookie.msg = msg;
2945 	cookie.idx = key_idx;
2946 
2947 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2948 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
2949 		goto nla_put_failure;
2950 	if (mac_addr &&
2951 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
2952 		goto nla_put_failure;
2953 
2954 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
2955 			   get_key_callback);
2956 
2957 	if (err)
2958 		goto free_msg;
2959 
2960 	if (cookie.error)
2961 		goto nla_put_failure;
2962 
2963 	genlmsg_end(msg, hdr);
2964 	return genlmsg_reply(msg, info);
2965 
2966  nla_put_failure:
2967 	err = -ENOBUFS;
2968  free_msg:
2969 	nlmsg_free(msg);
2970 	return err;
2971 }
2972 
2973 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
2974 {
2975 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2976 	struct key_parse key;
2977 	int err;
2978 	struct net_device *dev = info->user_ptr[1];
2979 
2980 	err = nl80211_parse_key(info, &key);
2981 	if (err)
2982 		return err;
2983 
2984 	if (key.idx < 0)
2985 		return -EINVAL;
2986 
2987 	/* only support setting default key */
2988 	if (!key.def && !key.defmgmt)
2989 		return -EINVAL;
2990 
2991 	wdev_lock(dev->ieee80211_ptr);
2992 
2993 	if (key.def) {
2994 		if (!rdev->ops->set_default_key) {
2995 			err = -EOPNOTSUPP;
2996 			goto out;
2997 		}
2998 
2999 		err = nl80211_key_allowed(dev->ieee80211_ptr);
3000 		if (err)
3001 			goto out;
3002 
3003 		err = rdev_set_default_key(rdev, dev, key.idx,
3004 						 key.def_uni, key.def_multi);
3005 
3006 		if (err)
3007 			goto out;
3008 
3009 #ifdef CONFIG_CFG80211_WEXT
3010 		dev->ieee80211_ptr->wext.default_key = key.idx;
3011 #endif
3012 	} else {
3013 		if (key.def_uni || !key.def_multi) {
3014 			err = -EINVAL;
3015 			goto out;
3016 		}
3017 
3018 		if (!rdev->ops->set_default_mgmt_key) {
3019 			err = -EOPNOTSUPP;
3020 			goto out;
3021 		}
3022 
3023 		err = nl80211_key_allowed(dev->ieee80211_ptr);
3024 		if (err)
3025 			goto out;
3026 
3027 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
3028 		if (err)
3029 			goto out;
3030 
3031 #ifdef CONFIG_CFG80211_WEXT
3032 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
3033 #endif
3034 	}
3035 
3036  out:
3037 	wdev_unlock(dev->ieee80211_ptr);
3038 
3039 	return err;
3040 }
3041 
3042 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
3043 {
3044 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3045 	int err;
3046 	struct net_device *dev = info->user_ptr[1];
3047 	struct key_parse key;
3048 	const u8 *mac_addr = NULL;
3049 
3050 	err = nl80211_parse_key(info, &key);
3051 	if (err)
3052 		return err;
3053 
3054 	if (!key.p.key)
3055 		return -EINVAL;
3056 
3057 	if (info->attrs[NL80211_ATTR_MAC])
3058 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3059 
3060 	if (key.type == -1) {
3061 		if (mac_addr)
3062 			key.type = NL80211_KEYTYPE_PAIRWISE;
3063 		else
3064 			key.type = NL80211_KEYTYPE_GROUP;
3065 	}
3066 
3067 	/* for now */
3068 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3069 	    key.type != NL80211_KEYTYPE_GROUP)
3070 		return -EINVAL;
3071 
3072 	if (!rdev->ops->add_key)
3073 		return -EOPNOTSUPP;
3074 
3075 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
3076 					   key.type == NL80211_KEYTYPE_PAIRWISE,
3077 					   mac_addr))
3078 		return -EINVAL;
3079 
3080 	wdev_lock(dev->ieee80211_ptr);
3081 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3082 	if (!err)
3083 		err = rdev_add_key(rdev, dev, key.idx,
3084 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3085 				    mac_addr, &key.p);
3086 	wdev_unlock(dev->ieee80211_ptr);
3087 
3088 	return err;
3089 }
3090 
3091 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
3092 {
3093 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3094 	int err;
3095 	struct net_device *dev = info->user_ptr[1];
3096 	u8 *mac_addr = NULL;
3097 	struct key_parse key;
3098 
3099 	err = nl80211_parse_key(info, &key);
3100 	if (err)
3101 		return err;
3102 
3103 	if (info->attrs[NL80211_ATTR_MAC])
3104 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3105 
3106 	if (key.type == -1) {
3107 		if (mac_addr)
3108 			key.type = NL80211_KEYTYPE_PAIRWISE;
3109 		else
3110 			key.type = NL80211_KEYTYPE_GROUP;
3111 	}
3112 
3113 	/* for now */
3114 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3115 	    key.type != NL80211_KEYTYPE_GROUP)
3116 		return -EINVAL;
3117 
3118 	if (!rdev->ops->del_key)
3119 		return -EOPNOTSUPP;
3120 
3121 	wdev_lock(dev->ieee80211_ptr);
3122 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3123 
3124 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
3125 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3126 		err = -ENOENT;
3127 
3128 	if (!err)
3129 		err = rdev_del_key(rdev, dev, key.idx,
3130 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3131 				   mac_addr);
3132 
3133 #ifdef CONFIG_CFG80211_WEXT
3134 	if (!err) {
3135 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
3136 			dev->ieee80211_ptr->wext.default_key = -1;
3137 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
3138 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
3139 	}
3140 #endif
3141 	wdev_unlock(dev->ieee80211_ptr);
3142 
3143 	return err;
3144 }
3145 
3146 /* This function returns an error or the number of nested attributes */
3147 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
3148 {
3149 	struct nlattr *attr;
3150 	int n_entries = 0, tmp;
3151 
3152 	nla_for_each_nested(attr, nl_attr, tmp) {
3153 		if (nla_len(attr) != ETH_ALEN)
3154 			return -EINVAL;
3155 
3156 		n_entries++;
3157 	}
3158 
3159 	return n_entries;
3160 }
3161 
3162 /*
3163  * This function parses ACL information and allocates memory for ACL data.
3164  * On successful return, the calling function is responsible to free the
3165  * ACL buffer returned by this function.
3166  */
3167 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
3168 						struct genl_info *info)
3169 {
3170 	enum nl80211_acl_policy acl_policy;
3171 	struct nlattr *attr;
3172 	struct cfg80211_acl_data *acl;
3173 	int i = 0, n_entries, tmp;
3174 
3175 	if (!wiphy->max_acl_mac_addrs)
3176 		return ERR_PTR(-EOPNOTSUPP);
3177 
3178 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
3179 		return ERR_PTR(-EINVAL);
3180 
3181 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
3182 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
3183 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
3184 		return ERR_PTR(-EINVAL);
3185 
3186 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
3187 		return ERR_PTR(-EINVAL);
3188 
3189 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
3190 	if (n_entries < 0)
3191 		return ERR_PTR(n_entries);
3192 
3193 	if (n_entries > wiphy->max_acl_mac_addrs)
3194 		return ERR_PTR(-ENOTSUPP);
3195 
3196 	acl = kzalloc(sizeof(*acl) + (sizeof(struct mac_address) * n_entries),
3197 		      GFP_KERNEL);
3198 	if (!acl)
3199 		return ERR_PTR(-ENOMEM);
3200 
3201 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
3202 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
3203 		i++;
3204 	}
3205 
3206 	acl->n_acl_entries = n_entries;
3207 	acl->acl_policy = acl_policy;
3208 
3209 	return acl;
3210 }
3211 
3212 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
3213 {
3214 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3215 	struct net_device *dev = info->user_ptr[1];
3216 	struct cfg80211_acl_data *acl;
3217 	int err;
3218 
3219 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3220 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3221 		return -EOPNOTSUPP;
3222 
3223 	if (!dev->ieee80211_ptr->beacon_interval)
3224 		return -EINVAL;
3225 
3226 	acl = parse_acl_data(&rdev->wiphy, info);
3227 	if (IS_ERR(acl))
3228 		return PTR_ERR(acl);
3229 
3230 	err = rdev_set_mac_acl(rdev, dev, acl);
3231 
3232 	kfree(acl);
3233 
3234 	return err;
3235 }
3236 
3237 static int nl80211_parse_beacon(struct nlattr *attrs[],
3238 				struct cfg80211_beacon_data *bcn)
3239 {
3240 	bool haveinfo = false;
3241 
3242 	if (!is_valid_ie_attr(attrs[NL80211_ATTR_BEACON_TAIL]) ||
3243 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE]) ||
3244 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE_PROBE_RESP]) ||
3245 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE_ASSOC_RESP]))
3246 		return -EINVAL;
3247 
3248 	memset(bcn, 0, sizeof(*bcn));
3249 
3250 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
3251 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
3252 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
3253 		if (!bcn->head_len)
3254 			return -EINVAL;
3255 		haveinfo = true;
3256 	}
3257 
3258 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
3259 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
3260 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
3261 		haveinfo = true;
3262 	}
3263 
3264 	if (!haveinfo)
3265 		return -EINVAL;
3266 
3267 	if (attrs[NL80211_ATTR_IE]) {
3268 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
3269 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
3270 	}
3271 
3272 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
3273 		bcn->proberesp_ies =
3274 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
3275 		bcn->proberesp_ies_len =
3276 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
3277 	}
3278 
3279 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
3280 		bcn->assocresp_ies =
3281 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
3282 		bcn->assocresp_ies_len =
3283 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
3284 	}
3285 
3286 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
3287 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
3288 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
3289 	}
3290 
3291 	return 0;
3292 }
3293 
3294 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
3295 				   struct cfg80211_ap_settings *params)
3296 {
3297 	struct wireless_dev *wdev;
3298 	bool ret = false;
3299 
3300 	list_for_each_entry(wdev, &rdev->wdev_list, list) {
3301 		if (wdev->iftype != NL80211_IFTYPE_AP &&
3302 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
3303 			continue;
3304 
3305 		if (!wdev->preset_chandef.chan)
3306 			continue;
3307 
3308 		params->chandef = wdev->preset_chandef;
3309 		ret = true;
3310 		break;
3311 	}
3312 
3313 	return ret;
3314 }
3315 
3316 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
3317 				    enum nl80211_auth_type auth_type,
3318 				    enum nl80211_commands cmd)
3319 {
3320 	if (auth_type > NL80211_AUTHTYPE_MAX)
3321 		return false;
3322 
3323 	switch (cmd) {
3324 	case NL80211_CMD_AUTHENTICATE:
3325 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
3326 		    auth_type == NL80211_AUTHTYPE_SAE)
3327 			return false;
3328 		return true;
3329 	case NL80211_CMD_CONNECT:
3330 	case NL80211_CMD_START_AP:
3331 		/* SAE not supported yet */
3332 		if (auth_type == NL80211_AUTHTYPE_SAE)
3333 			return false;
3334 		return true;
3335 	default:
3336 		return false;
3337 	}
3338 }
3339 
3340 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
3341 {
3342 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3343 	struct net_device *dev = info->user_ptr[1];
3344 	struct wireless_dev *wdev = dev->ieee80211_ptr;
3345 	struct cfg80211_ap_settings params;
3346 	int err;
3347 
3348 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3349 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3350 		return -EOPNOTSUPP;
3351 
3352 	if (!rdev->ops->start_ap)
3353 		return -EOPNOTSUPP;
3354 
3355 	if (wdev->beacon_interval)
3356 		return -EALREADY;
3357 
3358 	memset(&params, 0, sizeof(params));
3359 
3360 	/* these are required for START_AP */
3361 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
3362 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
3363 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
3364 		return -EINVAL;
3365 
3366 	err = nl80211_parse_beacon(info->attrs, &params.beacon);
3367 	if (err)
3368 		return err;
3369 
3370 	params.beacon_interval =
3371 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
3372 	params.dtim_period =
3373 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
3374 
3375 	err = cfg80211_validate_beacon_int(rdev, params.beacon_interval);
3376 	if (err)
3377 		return err;
3378 
3379 	/*
3380 	 * In theory, some of these attributes should be required here
3381 	 * but since they were not used when the command was originally
3382 	 * added, keep them optional for old user space programs to let
3383 	 * them continue to work with drivers that do not need the
3384 	 * additional information -- drivers must check!
3385 	 */
3386 	if (info->attrs[NL80211_ATTR_SSID]) {
3387 		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
3388 		params.ssid_len =
3389 			nla_len(info->attrs[NL80211_ATTR_SSID]);
3390 		if (params.ssid_len == 0 ||
3391 		    params.ssid_len > IEEE80211_MAX_SSID_LEN)
3392 			return -EINVAL;
3393 	}
3394 
3395 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID]) {
3396 		params.hidden_ssid = nla_get_u32(
3397 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
3398 		if (params.hidden_ssid != NL80211_HIDDEN_SSID_NOT_IN_USE &&
3399 		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_LEN &&
3400 		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_CONTENTS)
3401 			return -EINVAL;
3402 	}
3403 
3404 	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
3405 
3406 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
3407 		params.auth_type = nla_get_u32(
3408 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
3409 		if (!nl80211_valid_auth_type(rdev, params.auth_type,
3410 					     NL80211_CMD_START_AP))
3411 			return -EINVAL;
3412 	} else
3413 		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
3414 
3415 	err = nl80211_crypto_settings(rdev, info, &params.crypto,
3416 				      NL80211_MAX_NR_CIPHER_SUITES);
3417 	if (err)
3418 		return err;
3419 
3420 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
3421 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
3422 			return -EOPNOTSUPP;
3423 		params.inactivity_timeout = nla_get_u16(
3424 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
3425 	}
3426 
3427 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
3428 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3429 			return -EINVAL;
3430 		params.p2p_ctwindow =
3431 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
3432 		if (params.p2p_ctwindow > 127)
3433 			return -EINVAL;
3434 		if (params.p2p_ctwindow != 0 &&
3435 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
3436 			return -EINVAL;
3437 	}
3438 
3439 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
3440 		u8 tmp;
3441 
3442 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3443 			return -EINVAL;
3444 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
3445 		if (tmp > 1)
3446 			return -EINVAL;
3447 		params.p2p_opp_ps = tmp;
3448 		if (params.p2p_opp_ps != 0 &&
3449 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
3450 			return -EINVAL;
3451 	}
3452 
3453 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3454 		err = nl80211_parse_chandef(rdev, info, &params.chandef);
3455 		if (err)
3456 			return err;
3457 	} else if (wdev->preset_chandef.chan) {
3458 		params.chandef = wdev->preset_chandef;
3459 	} else if (!nl80211_get_ap_channel(rdev, &params))
3460 		return -EINVAL;
3461 
3462 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
3463 					   wdev->iftype))
3464 		return -EINVAL;
3465 
3466 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
3467 		params.smps_mode =
3468 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
3469 		switch (params.smps_mode) {
3470 		case NL80211_SMPS_OFF:
3471 			break;
3472 		case NL80211_SMPS_STATIC:
3473 			if (!(rdev->wiphy.features &
3474 			      NL80211_FEATURE_STATIC_SMPS))
3475 				return -EINVAL;
3476 			break;
3477 		case NL80211_SMPS_DYNAMIC:
3478 			if (!(rdev->wiphy.features &
3479 			      NL80211_FEATURE_DYNAMIC_SMPS))
3480 				return -EINVAL;
3481 			break;
3482 		default:
3483 			return -EINVAL;
3484 		}
3485 	} else {
3486 		params.smps_mode = NL80211_SMPS_OFF;
3487 	}
3488 
3489 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
3490 		params.acl = parse_acl_data(&rdev->wiphy, info);
3491 		if (IS_ERR(params.acl))
3492 			return PTR_ERR(params.acl);
3493 	}
3494 
3495 	params.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
3496 	if (params.pbss && !rdev->wiphy.bands[IEEE80211_BAND_60GHZ])
3497 		return -EOPNOTSUPP;
3498 
3499 	wdev_lock(wdev);
3500 	err = rdev_start_ap(rdev, dev, &params);
3501 	if (!err) {
3502 		wdev->preset_chandef = params.chandef;
3503 		wdev->beacon_interval = params.beacon_interval;
3504 		wdev->chandef = params.chandef;
3505 		wdev->ssid_len = params.ssid_len;
3506 		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
3507 	}
3508 	wdev_unlock(wdev);
3509 
3510 	kfree(params.acl);
3511 
3512 	return err;
3513 }
3514 
3515 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
3516 {
3517 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3518 	struct net_device *dev = info->user_ptr[1];
3519 	struct wireless_dev *wdev = dev->ieee80211_ptr;
3520 	struct cfg80211_beacon_data params;
3521 	int err;
3522 
3523 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3524 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3525 		return -EOPNOTSUPP;
3526 
3527 	if (!rdev->ops->change_beacon)
3528 		return -EOPNOTSUPP;
3529 
3530 	if (!wdev->beacon_interval)
3531 		return -EINVAL;
3532 
3533 	err = nl80211_parse_beacon(info->attrs, &params);
3534 	if (err)
3535 		return err;
3536 
3537 	wdev_lock(wdev);
3538 	err = rdev_change_beacon(rdev, dev, &params);
3539 	wdev_unlock(wdev);
3540 
3541 	return err;
3542 }
3543 
3544 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
3545 {
3546 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3547 	struct net_device *dev = info->user_ptr[1];
3548 
3549 	return cfg80211_stop_ap(rdev, dev, false);
3550 }
3551 
3552 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
3553 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
3554 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
3555 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
3556 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
3557 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
3558 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
3559 };
3560 
3561 static int parse_station_flags(struct genl_info *info,
3562 			       enum nl80211_iftype iftype,
3563 			       struct station_parameters *params)
3564 {
3565 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
3566 	struct nlattr *nla;
3567 	int flag;
3568 
3569 	/*
3570 	 * Try parsing the new attribute first so userspace
3571 	 * can specify both for older kernels.
3572 	 */
3573 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
3574 	if (nla) {
3575 		struct nl80211_sta_flag_update *sta_flags;
3576 
3577 		sta_flags = nla_data(nla);
3578 		params->sta_flags_mask = sta_flags->mask;
3579 		params->sta_flags_set = sta_flags->set;
3580 		params->sta_flags_set &= params->sta_flags_mask;
3581 		if ((params->sta_flags_mask |
3582 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
3583 			return -EINVAL;
3584 		return 0;
3585 	}
3586 
3587 	/* if present, parse the old attribute */
3588 
3589 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
3590 	if (!nla)
3591 		return 0;
3592 
3593 	if (nla_parse_nested(flags, NL80211_STA_FLAG_MAX,
3594 			     nla, sta_flags_policy))
3595 		return -EINVAL;
3596 
3597 	/*
3598 	 * Only allow certain flags for interface types so that
3599 	 * other attributes are silently ignored. Remember that
3600 	 * this is backward compatibility code with old userspace
3601 	 * and shouldn't be hit in other cases anyway.
3602 	 */
3603 	switch (iftype) {
3604 	case NL80211_IFTYPE_AP:
3605 	case NL80211_IFTYPE_AP_VLAN:
3606 	case NL80211_IFTYPE_P2P_GO:
3607 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
3608 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
3609 					 BIT(NL80211_STA_FLAG_WME) |
3610 					 BIT(NL80211_STA_FLAG_MFP);
3611 		break;
3612 	case NL80211_IFTYPE_P2P_CLIENT:
3613 	case NL80211_IFTYPE_STATION:
3614 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
3615 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
3616 		break;
3617 	case NL80211_IFTYPE_MESH_POINT:
3618 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3619 					 BIT(NL80211_STA_FLAG_MFP) |
3620 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
3621 	default:
3622 		return -EINVAL;
3623 	}
3624 
3625 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
3626 		if (flags[flag]) {
3627 			params->sta_flags_set |= (1<<flag);
3628 
3629 			/* no longer support new API additions in old API */
3630 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
3631 				return -EINVAL;
3632 		}
3633 	}
3634 
3635 	return 0;
3636 }
3637 
3638 static bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info,
3639 				 int attr)
3640 {
3641 	struct nlattr *rate;
3642 	u32 bitrate;
3643 	u16 bitrate_compat;
3644 	enum nl80211_attrs rate_flg;
3645 
3646 	rate = nla_nest_start(msg, attr);
3647 	if (!rate)
3648 		return false;
3649 
3650 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
3651 	bitrate = cfg80211_calculate_bitrate(info);
3652 	/* report 16-bit bitrate only if we can */
3653 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
3654 	if (bitrate > 0 &&
3655 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
3656 		return false;
3657 	if (bitrate_compat > 0 &&
3658 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
3659 		return false;
3660 
3661 	switch (info->bw) {
3662 	case RATE_INFO_BW_5:
3663 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
3664 		break;
3665 	case RATE_INFO_BW_10:
3666 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
3667 		break;
3668 	default:
3669 		WARN_ON(1);
3670 		/* fall through */
3671 	case RATE_INFO_BW_20:
3672 		rate_flg = 0;
3673 		break;
3674 	case RATE_INFO_BW_40:
3675 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
3676 		break;
3677 	case RATE_INFO_BW_80:
3678 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
3679 		break;
3680 	case RATE_INFO_BW_160:
3681 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
3682 		break;
3683 	}
3684 
3685 	if (rate_flg && nla_put_flag(msg, rate_flg))
3686 		return false;
3687 
3688 	if (info->flags & RATE_INFO_FLAGS_MCS) {
3689 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
3690 			return false;
3691 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3692 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3693 			return false;
3694 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
3695 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
3696 			return false;
3697 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
3698 			return false;
3699 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3700 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3701 			return false;
3702 	}
3703 
3704 	nla_nest_end(msg, rate);
3705 	return true;
3706 }
3707 
3708 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
3709 			       int id)
3710 {
3711 	void *attr;
3712 	int i = 0;
3713 
3714 	if (!mask)
3715 		return true;
3716 
3717 	attr = nla_nest_start(msg, id);
3718 	if (!attr)
3719 		return false;
3720 
3721 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
3722 		if (!(mask & BIT(i)))
3723 			continue;
3724 
3725 		if (nla_put_u8(msg, i, signal[i]))
3726 			return false;
3727 	}
3728 
3729 	nla_nest_end(msg, attr);
3730 
3731 	return true;
3732 }
3733 
3734 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
3735 				u32 seq, int flags,
3736 				struct cfg80211_registered_device *rdev,
3737 				struct net_device *dev,
3738 				const u8 *mac_addr, struct station_info *sinfo)
3739 {
3740 	void *hdr;
3741 	struct nlattr *sinfoattr, *bss_param;
3742 
3743 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3744 	if (!hdr)
3745 		return -1;
3746 
3747 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3748 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
3749 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
3750 		goto nla_put_failure;
3751 
3752 	sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
3753 	if (!sinfoattr)
3754 		goto nla_put_failure;
3755 
3756 #define PUT_SINFO(attr, memb, type) do {				\
3757 	if (sinfo->filled & BIT(NL80211_STA_INFO_ ## attr) &&		\
3758 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
3759 			     sinfo->memb))				\
3760 		goto nla_put_failure;					\
3761 	} while (0)
3762 
3763 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
3764 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
3765 
3766 	if (sinfo->filled & (BIT(NL80211_STA_INFO_RX_BYTES) |
3767 			     BIT(NL80211_STA_INFO_RX_BYTES64)) &&
3768 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
3769 			(u32)sinfo->rx_bytes))
3770 		goto nla_put_failure;
3771 
3772 	if (sinfo->filled & (BIT(NL80211_STA_INFO_TX_BYTES) |
3773 			     BIT(NL80211_STA_INFO_TX_BYTES64)) &&
3774 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
3775 			(u32)sinfo->tx_bytes))
3776 		goto nla_put_failure;
3777 
3778 	PUT_SINFO(RX_BYTES64, rx_bytes, u64);
3779 	PUT_SINFO(TX_BYTES64, tx_bytes, u64);
3780 	PUT_SINFO(LLID, llid, u16);
3781 	PUT_SINFO(PLID, plid, u16);
3782 	PUT_SINFO(PLINK_STATE, plink_state, u8);
3783 
3784 	switch (rdev->wiphy.signal_type) {
3785 	case CFG80211_SIGNAL_TYPE_MBM:
3786 		PUT_SINFO(SIGNAL, signal, u8);
3787 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
3788 		break;
3789 	default:
3790 		break;
3791 	}
3792 	if (sinfo->filled & BIT(NL80211_STA_INFO_CHAIN_SIGNAL)) {
3793 		if (!nl80211_put_signal(msg, sinfo->chains,
3794 					sinfo->chain_signal,
3795 					NL80211_STA_INFO_CHAIN_SIGNAL))
3796 			goto nla_put_failure;
3797 	}
3798 	if (sinfo->filled & BIT(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
3799 		if (!nl80211_put_signal(msg, sinfo->chains,
3800 					sinfo->chain_signal_avg,
3801 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
3802 			goto nla_put_failure;
3803 	}
3804 	if (sinfo->filled & BIT(NL80211_STA_INFO_TX_BITRATE)) {
3805 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
3806 					  NL80211_STA_INFO_TX_BITRATE))
3807 			goto nla_put_failure;
3808 	}
3809 	if (sinfo->filled & BIT(NL80211_STA_INFO_RX_BITRATE)) {
3810 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
3811 					  NL80211_STA_INFO_RX_BITRATE))
3812 			goto nla_put_failure;
3813 	}
3814 
3815 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
3816 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
3817 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
3818 	PUT_SINFO(TX_FAILED, tx_failed, u32);
3819 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
3820 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
3821 	PUT_SINFO(LOCAL_PM, local_pm, u32);
3822 	PUT_SINFO(PEER_PM, peer_pm, u32);
3823 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
3824 
3825 	if (sinfo->filled & BIT(NL80211_STA_INFO_BSS_PARAM)) {
3826 		bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
3827 		if (!bss_param)
3828 			goto nla_put_failure;
3829 
3830 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
3831 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
3832 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
3833 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
3834 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
3835 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
3836 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
3837 			       sinfo->bss_param.dtim_period) ||
3838 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
3839 				sinfo->bss_param.beacon_interval))
3840 			goto nla_put_failure;
3841 
3842 		nla_nest_end(msg, bss_param);
3843 	}
3844 	if ((sinfo->filled & BIT(NL80211_STA_INFO_STA_FLAGS)) &&
3845 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
3846 		    sizeof(struct nl80211_sta_flag_update),
3847 		    &sinfo->sta_flags))
3848 		goto nla_put_failure;
3849 
3850 	PUT_SINFO(T_OFFSET, t_offset, u64);
3851 	PUT_SINFO(RX_DROP_MISC, rx_dropped_misc, u64);
3852 	PUT_SINFO(BEACON_RX, rx_beacon, u64);
3853 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
3854 
3855 #undef PUT_SINFO
3856 
3857 	if (sinfo->filled & BIT(NL80211_STA_INFO_TID_STATS)) {
3858 		struct nlattr *tidsattr;
3859 		int tid;
3860 
3861 		tidsattr = nla_nest_start(msg, NL80211_STA_INFO_TID_STATS);
3862 		if (!tidsattr)
3863 			goto nla_put_failure;
3864 
3865 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
3866 			struct cfg80211_tid_stats *tidstats;
3867 			struct nlattr *tidattr;
3868 
3869 			tidstats = &sinfo->pertid[tid];
3870 
3871 			if (!tidstats->filled)
3872 				continue;
3873 
3874 			tidattr = nla_nest_start(msg, tid + 1);
3875 			if (!tidattr)
3876 				goto nla_put_failure;
3877 
3878 #define PUT_TIDVAL(attr, memb, type) do {				\
3879 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
3880 	    nla_put_ ## type(msg, NL80211_TID_STATS_ ## attr,		\
3881 			     tidstats->memb))				\
3882 		goto nla_put_failure;					\
3883 	} while (0)
3884 
3885 			PUT_TIDVAL(RX_MSDU, rx_msdu, u64);
3886 			PUT_TIDVAL(TX_MSDU, tx_msdu, u64);
3887 			PUT_TIDVAL(TX_MSDU_RETRIES, tx_msdu_retries, u64);
3888 			PUT_TIDVAL(TX_MSDU_FAILED, tx_msdu_failed, u64);
3889 
3890 #undef PUT_TIDVAL
3891 			nla_nest_end(msg, tidattr);
3892 		}
3893 
3894 		nla_nest_end(msg, tidsattr);
3895 	}
3896 
3897 	nla_nest_end(msg, sinfoattr);
3898 
3899 	if (sinfo->assoc_req_ies_len &&
3900 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
3901 		    sinfo->assoc_req_ies))
3902 		goto nla_put_failure;
3903 
3904 	genlmsg_end(msg, hdr);
3905 	return 0;
3906 
3907  nla_put_failure:
3908 	genlmsg_cancel(msg, hdr);
3909 	return -EMSGSIZE;
3910 }
3911 
3912 static int nl80211_dump_station(struct sk_buff *skb,
3913 				struct netlink_callback *cb)
3914 {
3915 	struct station_info sinfo;
3916 	struct cfg80211_registered_device *rdev;
3917 	struct wireless_dev *wdev;
3918 	u8 mac_addr[ETH_ALEN];
3919 	int sta_idx = cb->args[2];
3920 	int err;
3921 
3922 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
3923 	if (err)
3924 		return err;
3925 
3926 	if (!wdev->netdev) {
3927 		err = -EINVAL;
3928 		goto out_err;
3929 	}
3930 
3931 	if (!rdev->ops->dump_station) {
3932 		err = -EOPNOTSUPP;
3933 		goto out_err;
3934 	}
3935 
3936 	while (1) {
3937 		memset(&sinfo, 0, sizeof(sinfo));
3938 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
3939 					mac_addr, &sinfo);
3940 		if (err == -ENOENT)
3941 			break;
3942 		if (err)
3943 			goto out_err;
3944 
3945 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
3946 				NETLINK_CB(cb->skb).portid,
3947 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
3948 				rdev, wdev->netdev, mac_addr,
3949 				&sinfo) < 0)
3950 			goto out;
3951 
3952 		sta_idx++;
3953 	}
3954 
3955 
3956  out:
3957 	cb->args[2] = sta_idx;
3958 	err = skb->len;
3959  out_err:
3960 	nl80211_finish_wdev_dump(rdev);
3961 
3962 	return err;
3963 }
3964 
3965 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
3966 {
3967 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3968 	struct net_device *dev = info->user_ptr[1];
3969 	struct station_info sinfo;
3970 	struct sk_buff *msg;
3971 	u8 *mac_addr = NULL;
3972 	int err;
3973 
3974 	memset(&sinfo, 0, sizeof(sinfo));
3975 
3976 	if (!info->attrs[NL80211_ATTR_MAC])
3977 		return -EINVAL;
3978 
3979 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3980 
3981 	if (!rdev->ops->get_station)
3982 		return -EOPNOTSUPP;
3983 
3984 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
3985 	if (err)
3986 		return err;
3987 
3988 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3989 	if (!msg)
3990 		return -ENOMEM;
3991 
3992 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
3993 				 info->snd_portid, info->snd_seq, 0,
3994 				 rdev, dev, mac_addr, &sinfo) < 0) {
3995 		nlmsg_free(msg);
3996 		return -ENOBUFS;
3997 	}
3998 
3999 	return genlmsg_reply(msg, info);
4000 }
4001 
4002 int cfg80211_check_station_change(struct wiphy *wiphy,
4003 				  struct station_parameters *params,
4004 				  enum cfg80211_station_type statype)
4005 {
4006 	if (params->listen_interval != -1 &&
4007 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
4008 		return -EINVAL;
4009 
4010 	if (params->support_p2p_ps != -1 &&
4011 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
4012 		return -EINVAL;
4013 
4014 	if (params->aid &&
4015 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
4016 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
4017 		return -EINVAL;
4018 
4019 	/* When you run into this, adjust the code below for the new flag */
4020 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
4021 
4022 	switch (statype) {
4023 	case CFG80211_STA_MESH_PEER_KERNEL:
4024 	case CFG80211_STA_MESH_PEER_USER:
4025 		/*
4026 		 * No ignoring the TDLS flag here -- the userspace mesh
4027 		 * code doesn't have the bug of including TDLS in the
4028 		 * mask everywhere.
4029 		 */
4030 		if (params->sta_flags_mask &
4031 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4032 				  BIT(NL80211_STA_FLAG_MFP) |
4033 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
4034 			return -EINVAL;
4035 		break;
4036 	case CFG80211_STA_TDLS_PEER_SETUP:
4037 	case CFG80211_STA_TDLS_PEER_ACTIVE:
4038 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
4039 			return -EINVAL;
4040 		/* ignore since it can't change */
4041 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
4042 		break;
4043 	default:
4044 		/* disallow mesh-specific things */
4045 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
4046 			return -EINVAL;
4047 		if (params->local_pm)
4048 			return -EINVAL;
4049 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
4050 			return -EINVAL;
4051 	}
4052 
4053 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
4054 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
4055 		/* TDLS can't be set, ... */
4056 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
4057 			return -EINVAL;
4058 		/*
4059 		 * ... but don't bother the driver with it. This works around
4060 		 * a hostapd/wpa_supplicant issue -- it always includes the
4061 		 * TLDS_PEER flag in the mask even for AP mode.
4062 		 */
4063 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
4064 	}
4065 
4066 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
4067 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
4068 		/* reject other things that can't change */
4069 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
4070 			return -EINVAL;
4071 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
4072 			return -EINVAL;
4073 		if (params->supported_rates)
4074 			return -EINVAL;
4075 		if (params->ext_capab || params->ht_capa || params->vht_capa)
4076 			return -EINVAL;
4077 	}
4078 
4079 	if (statype != CFG80211_STA_AP_CLIENT &&
4080 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
4081 		if (params->vlan)
4082 			return -EINVAL;
4083 	}
4084 
4085 	switch (statype) {
4086 	case CFG80211_STA_AP_MLME_CLIENT:
4087 		/* Use this only for authorizing/unauthorizing a station */
4088 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
4089 			return -EOPNOTSUPP;
4090 		break;
4091 	case CFG80211_STA_AP_CLIENT:
4092 	case CFG80211_STA_AP_CLIENT_UNASSOC:
4093 		/* accept only the listed bits */
4094 		if (params->sta_flags_mask &
4095 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
4096 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4097 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
4098 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
4099 				  BIT(NL80211_STA_FLAG_WME) |
4100 				  BIT(NL80211_STA_FLAG_MFP)))
4101 			return -EINVAL;
4102 
4103 		/* but authenticated/associated only if driver handles it */
4104 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
4105 		    params->sta_flags_mask &
4106 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4107 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
4108 			return -EINVAL;
4109 		break;
4110 	case CFG80211_STA_IBSS:
4111 	case CFG80211_STA_AP_STA:
4112 		/* reject any changes other than AUTHORIZED */
4113 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
4114 			return -EINVAL;
4115 		break;
4116 	case CFG80211_STA_TDLS_PEER_SETUP:
4117 		/* reject any changes other than AUTHORIZED or WME */
4118 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
4119 					       BIT(NL80211_STA_FLAG_WME)))
4120 			return -EINVAL;
4121 		/* force (at least) rates when authorizing */
4122 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
4123 		    !params->supported_rates)
4124 			return -EINVAL;
4125 		break;
4126 	case CFG80211_STA_TDLS_PEER_ACTIVE:
4127 		/* reject any changes */
4128 		return -EINVAL;
4129 	case CFG80211_STA_MESH_PEER_KERNEL:
4130 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
4131 			return -EINVAL;
4132 		break;
4133 	case CFG80211_STA_MESH_PEER_USER:
4134 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
4135 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
4136 			return -EINVAL;
4137 		break;
4138 	}
4139 
4140 	return 0;
4141 }
4142 EXPORT_SYMBOL(cfg80211_check_station_change);
4143 
4144 /*
4145  * Get vlan interface making sure it is running and on the right wiphy.
4146  */
4147 static struct net_device *get_vlan(struct genl_info *info,
4148 				   struct cfg80211_registered_device *rdev)
4149 {
4150 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
4151 	struct net_device *v;
4152 	int ret;
4153 
4154 	if (!vlanattr)
4155 		return NULL;
4156 
4157 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
4158 	if (!v)
4159 		return ERR_PTR(-ENODEV);
4160 
4161 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
4162 		ret = -EINVAL;
4163 		goto error;
4164 	}
4165 
4166 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
4167 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4168 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
4169 		ret = -EINVAL;
4170 		goto error;
4171 	}
4172 
4173 	if (!netif_running(v)) {
4174 		ret = -ENETDOWN;
4175 		goto error;
4176 	}
4177 
4178 	return v;
4179  error:
4180 	dev_put(v);
4181 	return ERR_PTR(ret);
4182 }
4183 
4184 static const struct nla_policy
4185 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
4186 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
4187 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
4188 };
4189 
4190 static int nl80211_parse_sta_wme(struct genl_info *info,
4191 				 struct station_parameters *params)
4192 {
4193 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
4194 	struct nlattr *nla;
4195 	int err;
4196 
4197 	/* parse WME attributes if present */
4198 	if (!info->attrs[NL80211_ATTR_STA_WME])
4199 		return 0;
4200 
4201 	nla = info->attrs[NL80211_ATTR_STA_WME];
4202 	err = nla_parse_nested(tb, NL80211_STA_WME_MAX, nla,
4203 			       nl80211_sta_wme_policy);
4204 	if (err)
4205 		return err;
4206 
4207 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
4208 		params->uapsd_queues = nla_get_u8(
4209 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
4210 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
4211 		return -EINVAL;
4212 
4213 	if (tb[NL80211_STA_WME_MAX_SP])
4214 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
4215 
4216 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
4217 		return -EINVAL;
4218 
4219 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
4220 
4221 	return 0;
4222 }
4223 
4224 static int nl80211_parse_sta_channel_info(struct genl_info *info,
4225 				      struct station_parameters *params)
4226 {
4227 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
4228 		params->supported_channels =
4229 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
4230 		params->supported_channels_len =
4231 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
4232 		/*
4233 		 * Need to include at least one (first channel, number of
4234 		 * channels) tuple for each subband, and must have proper
4235 		 * tuples for the rest of the data as well.
4236 		 */
4237 		if (params->supported_channels_len < 2)
4238 			return -EINVAL;
4239 		if (params->supported_channels_len % 2)
4240 			return -EINVAL;
4241 	}
4242 
4243 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
4244 		params->supported_oper_classes =
4245 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
4246 		params->supported_oper_classes_len =
4247 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
4248 		/*
4249 		 * The value of the Length field of the Supported Operating
4250 		 * Classes element is between 2 and 253.
4251 		 */
4252 		if (params->supported_oper_classes_len < 2 ||
4253 		    params->supported_oper_classes_len > 253)
4254 			return -EINVAL;
4255 	}
4256 	return 0;
4257 }
4258 
4259 static int nl80211_set_station_tdls(struct genl_info *info,
4260 				    struct station_parameters *params)
4261 {
4262 	int err;
4263 	/* Dummy STA entry gets updated once the peer capabilities are known */
4264 	if (info->attrs[NL80211_ATTR_PEER_AID])
4265 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
4266 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
4267 		params->ht_capa =
4268 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
4269 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
4270 		params->vht_capa =
4271 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
4272 
4273 	err = nl80211_parse_sta_channel_info(info, params);
4274 	if (err)
4275 		return err;
4276 
4277 	return nl80211_parse_sta_wme(info, params);
4278 }
4279 
4280 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
4281 {
4282 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4283 	struct net_device *dev = info->user_ptr[1];
4284 	struct station_parameters params;
4285 	u8 *mac_addr;
4286 	int err;
4287 
4288 	memset(&params, 0, sizeof(params));
4289 
4290 	if (!rdev->ops->change_station)
4291 		return -EOPNOTSUPP;
4292 
4293 	/*
4294 	 * AID and listen_interval properties can be set only for unassociated
4295 	 * station. Include these parameters here and will check them in
4296 	 * cfg80211_check_station_change().
4297 	 */
4298 	if (info->attrs[NL80211_ATTR_STA_AID])
4299 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
4300 
4301 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
4302 		params.listen_interval =
4303 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
4304 	else
4305 		params.listen_interval = -1;
4306 
4307 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
4308 		u8 tmp;
4309 
4310 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
4311 		if (tmp >= NUM_NL80211_P2P_PS_STATUS)
4312 			return -EINVAL;
4313 
4314 		params.support_p2p_ps = tmp;
4315 	} else {
4316 		params.support_p2p_ps = -1;
4317 	}
4318 
4319 	if (!info->attrs[NL80211_ATTR_MAC])
4320 		return -EINVAL;
4321 
4322 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4323 
4324 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
4325 		params.supported_rates =
4326 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4327 		params.supported_rates_len =
4328 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4329 	}
4330 
4331 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
4332 		params.capability =
4333 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
4334 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
4335 	}
4336 
4337 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
4338 		params.ext_capab =
4339 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4340 		params.ext_capab_len =
4341 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4342 	}
4343 
4344 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
4345 		return -EINVAL;
4346 
4347 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
4348 		params.plink_action =
4349 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
4350 		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
4351 			return -EINVAL;
4352 	}
4353 
4354 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
4355 		params.plink_state =
4356 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
4357 		if (params.plink_state >= NUM_NL80211_PLINK_STATES)
4358 			return -EINVAL;
4359 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
4360 	}
4361 
4362 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]) {
4363 		enum nl80211_mesh_power_mode pm = nla_get_u32(
4364 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
4365 
4366 		if (pm <= NL80211_MESH_POWER_UNKNOWN ||
4367 		    pm > NL80211_MESH_POWER_MAX)
4368 			return -EINVAL;
4369 
4370 		params.local_pm = pm;
4371 	}
4372 
4373 	/* Include parameters for TDLS peer (will check later) */
4374 	err = nl80211_set_station_tdls(info, &params);
4375 	if (err)
4376 		return err;
4377 
4378 	params.vlan = get_vlan(info, rdev);
4379 	if (IS_ERR(params.vlan))
4380 		return PTR_ERR(params.vlan);
4381 
4382 	switch (dev->ieee80211_ptr->iftype) {
4383 	case NL80211_IFTYPE_AP:
4384 	case NL80211_IFTYPE_AP_VLAN:
4385 	case NL80211_IFTYPE_P2P_GO:
4386 	case NL80211_IFTYPE_P2P_CLIENT:
4387 	case NL80211_IFTYPE_STATION:
4388 	case NL80211_IFTYPE_ADHOC:
4389 	case NL80211_IFTYPE_MESH_POINT:
4390 		break;
4391 	default:
4392 		err = -EOPNOTSUPP;
4393 		goto out_put_vlan;
4394 	}
4395 
4396 	/* driver will call cfg80211_check_station_change() */
4397 	err = rdev_change_station(rdev, dev, mac_addr, &params);
4398 
4399  out_put_vlan:
4400 	if (params.vlan)
4401 		dev_put(params.vlan);
4402 
4403 	return err;
4404 }
4405 
4406 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
4407 {
4408 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4409 	int err;
4410 	struct net_device *dev = info->user_ptr[1];
4411 	struct station_parameters params;
4412 	u8 *mac_addr = NULL;
4413 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4414 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
4415 
4416 	memset(&params, 0, sizeof(params));
4417 
4418 	if (!rdev->ops->add_station)
4419 		return -EOPNOTSUPP;
4420 
4421 	if (!info->attrs[NL80211_ATTR_MAC])
4422 		return -EINVAL;
4423 
4424 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
4425 		return -EINVAL;
4426 
4427 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
4428 		return -EINVAL;
4429 
4430 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
4431 	    !info->attrs[NL80211_ATTR_PEER_AID])
4432 		return -EINVAL;
4433 
4434 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4435 	params.supported_rates =
4436 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4437 	params.supported_rates_len =
4438 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4439 	params.listen_interval =
4440 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
4441 
4442 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
4443 		u8 tmp;
4444 
4445 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
4446 		if (tmp >= NUM_NL80211_P2P_PS_STATUS)
4447 			return -EINVAL;
4448 
4449 		params.support_p2p_ps = tmp;
4450 	} else {
4451 		/*
4452 		 * if not specified, assume it's supported for P2P GO interface,
4453 		 * and is NOT supported for AP interface
4454 		 */
4455 		params.support_p2p_ps =
4456 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
4457 	}
4458 
4459 	if (info->attrs[NL80211_ATTR_PEER_AID])
4460 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
4461 	else
4462 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
4463 	if (!params.aid || params.aid > IEEE80211_MAX_AID)
4464 		return -EINVAL;
4465 
4466 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
4467 		params.capability =
4468 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
4469 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
4470 	}
4471 
4472 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
4473 		params.ext_capab =
4474 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4475 		params.ext_capab_len =
4476 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4477 	}
4478 
4479 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
4480 		params.ht_capa =
4481 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
4482 
4483 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
4484 		params.vht_capa =
4485 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
4486 
4487 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
4488 		params.opmode_notif_used = true;
4489 		params.opmode_notif =
4490 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
4491 	}
4492 
4493 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
4494 		params.plink_action =
4495 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
4496 		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
4497 			return -EINVAL;
4498 	}
4499 
4500 	err = nl80211_parse_sta_channel_info(info, &params);
4501 	if (err)
4502 		return err;
4503 
4504 	err = nl80211_parse_sta_wme(info, &params);
4505 	if (err)
4506 		return err;
4507 
4508 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
4509 		return -EINVAL;
4510 
4511 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
4512 	 * as userspace might just pass through the capabilities from the IEs
4513 	 * directly, rather than enforcing this restriction and returning an
4514 	 * error in this case.
4515 	 */
4516 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
4517 		params.ht_capa = NULL;
4518 		params.vht_capa = NULL;
4519 	}
4520 
4521 	/* When you run into this, adjust the code below for the new flag */
4522 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
4523 
4524 	switch (dev->ieee80211_ptr->iftype) {
4525 	case NL80211_IFTYPE_AP:
4526 	case NL80211_IFTYPE_AP_VLAN:
4527 	case NL80211_IFTYPE_P2P_GO:
4528 		/* ignore WME attributes if iface/sta is not capable */
4529 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
4530 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
4531 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4532 
4533 		/* TDLS peers cannot be added */
4534 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
4535 		    info->attrs[NL80211_ATTR_PEER_AID])
4536 			return -EINVAL;
4537 		/* but don't bother the driver with it */
4538 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
4539 
4540 		/* allow authenticated/associated only if driver handles it */
4541 		if (!(rdev->wiphy.features &
4542 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
4543 		    params.sta_flags_mask & auth_assoc)
4544 			return -EINVAL;
4545 
4546 		/* Older userspace, or userspace wanting to be compatible with
4547 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
4548 		 * and assoc flags in the mask, but assumes the station will be
4549 		 * added as associated anyway since this was the required driver
4550 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
4551 		 * introduced.
4552 		 * In order to not bother drivers with this quirk in the API
4553 		 * set the flags in both the mask and set for new stations in
4554 		 * this case.
4555 		 */
4556 		if (!(params.sta_flags_mask & auth_assoc)) {
4557 			params.sta_flags_mask |= auth_assoc;
4558 			params.sta_flags_set |= auth_assoc;
4559 		}
4560 
4561 		/* must be last in here for error handling */
4562 		params.vlan = get_vlan(info, rdev);
4563 		if (IS_ERR(params.vlan))
4564 			return PTR_ERR(params.vlan);
4565 		break;
4566 	case NL80211_IFTYPE_MESH_POINT:
4567 		/* ignore uAPSD data */
4568 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4569 
4570 		/* associated is disallowed */
4571 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
4572 			return -EINVAL;
4573 		/* TDLS peers cannot be added */
4574 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
4575 		    info->attrs[NL80211_ATTR_PEER_AID])
4576 			return -EINVAL;
4577 		break;
4578 	case NL80211_IFTYPE_STATION:
4579 	case NL80211_IFTYPE_P2P_CLIENT:
4580 		/* ignore uAPSD data */
4581 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4582 
4583 		/* these are disallowed */
4584 		if (params.sta_flags_mask &
4585 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
4586 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
4587 			return -EINVAL;
4588 		/* Only TDLS peers can be added */
4589 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
4590 			return -EINVAL;
4591 		/* Can only add if TDLS ... */
4592 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
4593 			return -EOPNOTSUPP;
4594 		/* ... with external setup is supported */
4595 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
4596 			return -EOPNOTSUPP;
4597 		/*
4598 		 * Older wpa_supplicant versions always mark the TDLS peer
4599 		 * as authorized, but it shouldn't yet be.
4600 		 */
4601 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
4602 		break;
4603 	default:
4604 		return -EOPNOTSUPP;
4605 	}
4606 
4607 	/* be aware of params.vlan when changing code here */
4608 
4609 	err = rdev_add_station(rdev, dev, mac_addr, &params);
4610 
4611 	if (params.vlan)
4612 		dev_put(params.vlan);
4613 	return err;
4614 }
4615 
4616 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
4617 {
4618 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4619 	struct net_device *dev = info->user_ptr[1];
4620 	struct station_del_parameters params;
4621 
4622 	memset(&params, 0, sizeof(params));
4623 
4624 	if (info->attrs[NL80211_ATTR_MAC])
4625 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
4626 
4627 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4628 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
4629 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
4630 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4631 		return -EINVAL;
4632 
4633 	if (!rdev->ops->del_station)
4634 		return -EOPNOTSUPP;
4635 
4636 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
4637 		params.subtype =
4638 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
4639 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
4640 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
4641 			return -EINVAL;
4642 	} else {
4643 		/* Default to Deauthentication frame */
4644 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
4645 	}
4646 
4647 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
4648 		params.reason_code =
4649 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
4650 		if (params.reason_code == 0)
4651 			return -EINVAL; /* 0 is reserved */
4652 	} else {
4653 		/* Default to reason code 2 */
4654 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
4655 	}
4656 
4657 	return rdev_del_station(rdev, dev, &params);
4658 }
4659 
4660 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
4661 				int flags, struct net_device *dev,
4662 				u8 *dst, u8 *next_hop,
4663 				struct mpath_info *pinfo)
4664 {
4665 	void *hdr;
4666 	struct nlattr *pinfoattr;
4667 
4668 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
4669 	if (!hdr)
4670 		return -1;
4671 
4672 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4673 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
4674 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
4675 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
4676 		goto nla_put_failure;
4677 
4678 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MPATH_INFO);
4679 	if (!pinfoattr)
4680 		goto nla_put_failure;
4681 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
4682 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
4683 			pinfo->frame_qlen))
4684 		goto nla_put_failure;
4685 	if (((pinfo->filled & MPATH_INFO_SN) &&
4686 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
4687 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
4688 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
4689 			 pinfo->metric)) ||
4690 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
4691 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
4692 			 pinfo->exptime)) ||
4693 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
4694 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
4695 			pinfo->flags)) ||
4696 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
4697 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
4698 			 pinfo->discovery_timeout)) ||
4699 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
4700 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
4701 			pinfo->discovery_retries)))
4702 		goto nla_put_failure;
4703 
4704 	nla_nest_end(msg, pinfoattr);
4705 
4706 	genlmsg_end(msg, hdr);
4707 	return 0;
4708 
4709  nla_put_failure:
4710 	genlmsg_cancel(msg, hdr);
4711 	return -EMSGSIZE;
4712 }
4713 
4714 static int nl80211_dump_mpath(struct sk_buff *skb,
4715 			      struct netlink_callback *cb)
4716 {
4717 	struct mpath_info pinfo;
4718 	struct cfg80211_registered_device *rdev;
4719 	struct wireless_dev *wdev;
4720 	u8 dst[ETH_ALEN];
4721 	u8 next_hop[ETH_ALEN];
4722 	int path_idx = cb->args[2];
4723 	int err;
4724 
4725 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
4726 	if (err)
4727 		return err;
4728 
4729 	if (!rdev->ops->dump_mpath) {
4730 		err = -EOPNOTSUPP;
4731 		goto out_err;
4732 	}
4733 
4734 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
4735 		err = -EOPNOTSUPP;
4736 		goto out_err;
4737 	}
4738 
4739 	while (1) {
4740 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
4741 				      next_hop, &pinfo);
4742 		if (err == -ENOENT)
4743 			break;
4744 		if (err)
4745 			goto out_err;
4746 
4747 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
4748 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4749 				       wdev->netdev, dst, next_hop,
4750 				       &pinfo) < 0)
4751 			goto out;
4752 
4753 		path_idx++;
4754 	}
4755 
4756 
4757  out:
4758 	cb->args[2] = path_idx;
4759 	err = skb->len;
4760  out_err:
4761 	nl80211_finish_wdev_dump(rdev);
4762 	return err;
4763 }
4764 
4765 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
4766 {
4767 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4768 	int err;
4769 	struct net_device *dev = info->user_ptr[1];
4770 	struct mpath_info pinfo;
4771 	struct sk_buff *msg;
4772 	u8 *dst = NULL;
4773 	u8 next_hop[ETH_ALEN];
4774 
4775 	memset(&pinfo, 0, sizeof(pinfo));
4776 
4777 	if (!info->attrs[NL80211_ATTR_MAC])
4778 		return -EINVAL;
4779 
4780 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4781 
4782 	if (!rdev->ops->get_mpath)
4783 		return -EOPNOTSUPP;
4784 
4785 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4786 		return -EOPNOTSUPP;
4787 
4788 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
4789 	if (err)
4790 		return err;
4791 
4792 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4793 	if (!msg)
4794 		return -ENOMEM;
4795 
4796 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
4797 				 dev, dst, next_hop, &pinfo) < 0) {
4798 		nlmsg_free(msg);
4799 		return -ENOBUFS;
4800 	}
4801 
4802 	return genlmsg_reply(msg, info);
4803 }
4804 
4805 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
4806 {
4807 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4808 	struct net_device *dev = info->user_ptr[1];
4809 	u8 *dst = NULL;
4810 	u8 *next_hop = NULL;
4811 
4812 	if (!info->attrs[NL80211_ATTR_MAC])
4813 		return -EINVAL;
4814 
4815 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
4816 		return -EINVAL;
4817 
4818 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4819 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
4820 
4821 	if (!rdev->ops->change_mpath)
4822 		return -EOPNOTSUPP;
4823 
4824 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4825 		return -EOPNOTSUPP;
4826 
4827 	return rdev_change_mpath(rdev, dev, dst, next_hop);
4828 }
4829 
4830 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
4831 {
4832 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4833 	struct net_device *dev = info->user_ptr[1];
4834 	u8 *dst = NULL;
4835 	u8 *next_hop = NULL;
4836 
4837 	if (!info->attrs[NL80211_ATTR_MAC])
4838 		return -EINVAL;
4839 
4840 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
4841 		return -EINVAL;
4842 
4843 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4844 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
4845 
4846 	if (!rdev->ops->add_mpath)
4847 		return -EOPNOTSUPP;
4848 
4849 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4850 		return -EOPNOTSUPP;
4851 
4852 	return rdev_add_mpath(rdev, dev, dst, next_hop);
4853 }
4854 
4855 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
4856 {
4857 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4858 	struct net_device *dev = info->user_ptr[1];
4859 	u8 *dst = NULL;
4860 
4861 	if (info->attrs[NL80211_ATTR_MAC])
4862 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4863 
4864 	if (!rdev->ops->del_mpath)
4865 		return -EOPNOTSUPP;
4866 
4867 	return rdev_del_mpath(rdev, dev, dst);
4868 }
4869 
4870 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
4871 {
4872 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4873 	int err;
4874 	struct net_device *dev = info->user_ptr[1];
4875 	struct mpath_info pinfo;
4876 	struct sk_buff *msg;
4877 	u8 *dst = NULL;
4878 	u8 mpp[ETH_ALEN];
4879 
4880 	memset(&pinfo, 0, sizeof(pinfo));
4881 
4882 	if (!info->attrs[NL80211_ATTR_MAC])
4883 		return -EINVAL;
4884 
4885 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4886 
4887 	if (!rdev->ops->get_mpp)
4888 		return -EOPNOTSUPP;
4889 
4890 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4891 		return -EOPNOTSUPP;
4892 
4893 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
4894 	if (err)
4895 		return err;
4896 
4897 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4898 	if (!msg)
4899 		return -ENOMEM;
4900 
4901 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
4902 			       dev, dst, mpp, &pinfo) < 0) {
4903 		nlmsg_free(msg);
4904 		return -ENOBUFS;
4905 	}
4906 
4907 	return genlmsg_reply(msg, info);
4908 }
4909 
4910 static int nl80211_dump_mpp(struct sk_buff *skb,
4911 			    struct netlink_callback *cb)
4912 {
4913 	struct mpath_info pinfo;
4914 	struct cfg80211_registered_device *rdev;
4915 	struct wireless_dev *wdev;
4916 	u8 dst[ETH_ALEN];
4917 	u8 mpp[ETH_ALEN];
4918 	int path_idx = cb->args[2];
4919 	int err;
4920 
4921 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
4922 	if (err)
4923 		return err;
4924 
4925 	if (!rdev->ops->dump_mpp) {
4926 		err = -EOPNOTSUPP;
4927 		goto out_err;
4928 	}
4929 
4930 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
4931 		err = -EOPNOTSUPP;
4932 		goto out_err;
4933 	}
4934 
4935 	while (1) {
4936 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
4937 				    mpp, &pinfo);
4938 		if (err == -ENOENT)
4939 			break;
4940 		if (err)
4941 			goto out_err;
4942 
4943 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
4944 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4945 				       wdev->netdev, dst, mpp,
4946 				       &pinfo) < 0)
4947 			goto out;
4948 
4949 		path_idx++;
4950 	}
4951 
4952  out:
4953 	cb->args[2] = path_idx;
4954 	err = skb->len;
4955  out_err:
4956 	nl80211_finish_wdev_dump(rdev);
4957 	return err;
4958 }
4959 
4960 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
4961 {
4962 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4963 	struct net_device *dev = info->user_ptr[1];
4964 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4965 	struct bss_parameters params;
4966 	int err;
4967 
4968 	memset(&params, 0, sizeof(params));
4969 	/* default to not changing parameters */
4970 	params.use_cts_prot = -1;
4971 	params.use_short_preamble = -1;
4972 	params.use_short_slot_time = -1;
4973 	params.ap_isolate = -1;
4974 	params.ht_opmode = -1;
4975 	params.p2p_ctwindow = -1;
4976 	params.p2p_opp_ps = -1;
4977 
4978 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
4979 		params.use_cts_prot =
4980 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
4981 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
4982 		params.use_short_preamble =
4983 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
4984 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
4985 		params.use_short_slot_time =
4986 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
4987 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
4988 		params.basic_rates =
4989 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
4990 		params.basic_rates_len =
4991 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
4992 	}
4993 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
4994 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
4995 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
4996 		params.ht_opmode =
4997 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
4998 
4999 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
5000 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5001 			return -EINVAL;
5002 		params.p2p_ctwindow =
5003 			nla_get_s8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
5004 		if (params.p2p_ctwindow < 0)
5005 			return -EINVAL;
5006 		if (params.p2p_ctwindow != 0 &&
5007 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
5008 			return -EINVAL;
5009 	}
5010 
5011 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
5012 		u8 tmp;
5013 
5014 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5015 			return -EINVAL;
5016 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
5017 		if (tmp > 1)
5018 			return -EINVAL;
5019 		params.p2p_opp_ps = tmp;
5020 		if (params.p2p_opp_ps &&
5021 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
5022 			return -EINVAL;
5023 	}
5024 
5025 	if (!rdev->ops->change_bss)
5026 		return -EOPNOTSUPP;
5027 
5028 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5029 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5030 		return -EOPNOTSUPP;
5031 
5032 	wdev_lock(wdev);
5033 	err = rdev_change_bss(rdev, dev, &params);
5034 	wdev_unlock(wdev);
5035 
5036 	return err;
5037 }
5038 
5039 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
5040 {
5041 	char *data = NULL;
5042 	bool is_indoor;
5043 	enum nl80211_user_reg_hint_type user_reg_hint_type;
5044 	u32 owner_nlportid;
5045 
5046 
5047 	/*
5048 	 * You should only get this when cfg80211 hasn't yet initialized
5049 	 * completely when built-in to the kernel right between the time
5050 	 * window between nl80211_init() and regulatory_init(), if that is
5051 	 * even possible.
5052 	 */
5053 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
5054 		return -EINPROGRESS;
5055 
5056 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
5057 		user_reg_hint_type =
5058 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
5059 	else
5060 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
5061 
5062 	switch (user_reg_hint_type) {
5063 	case NL80211_USER_REG_HINT_USER:
5064 	case NL80211_USER_REG_HINT_CELL_BASE:
5065 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
5066 			return -EINVAL;
5067 
5068 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
5069 		return regulatory_hint_user(data, user_reg_hint_type);
5070 	case NL80211_USER_REG_HINT_INDOOR:
5071 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
5072 			owner_nlportid = info->snd_portid;
5073 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
5074 		} else {
5075 			owner_nlportid = 0;
5076 			is_indoor = true;
5077 		}
5078 
5079 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
5080 	default:
5081 		return -EINVAL;
5082 	}
5083 }
5084 
5085 static int nl80211_get_mesh_config(struct sk_buff *skb,
5086 				   struct genl_info *info)
5087 {
5088 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5089 	struct net_device *dev = info->user_ptr[1];
5090 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5091 	struct mesh_config cur_params;
5092 	int err = 0;
5093 	void *hdr;
5094 	struct nlattr *pinfoattr;
5095 	struct sk_buff *msg;
5096 
5097 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
5098 		return -EOPNOTSUPP;
5099 
5100 	if (!rdev->ops->get_mesh_config)
5101 		return -EOPNOTSUPP;
5102 
5103 	wdev_lock(wdev);
5104 	/* If not connected, get default parameters */
5105 	if (!wdev->mesh_id_len)
5106 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
5107 	else
5108 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
5109 	wdev_unlock(wdev);
5110 
5111 	if (err)
5112 		return err;
5113 
5114 	/* Draw up a netlink message to send back */
5115 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5116 	if (!msg)
5117 		return -ENOMEM;
5118 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
5119 			     NL80211_CMD_GET_MESH_CONFIG);
5120 	if (!hdr)
5121 		goto out;
5122 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MESH_CONFIG);
5123 	if (!pinfoattr)
5124 		goto nla_put_failure;
5125 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5126 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
5127 			cur_params.dot11MeshRetryTimeout) ||
5128 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
5129 			cur_params.dot11MeshConfirmTimeout) ||
5130 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
5131 			cur_params.dot11MeshHoldingTimeout) ||
5132 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
5133 			cur_params.dot11MeshMaxPeerLinks) ||
5134 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
5135 		       cur_params.dot11MeshMaxRetries) ||
5136 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
5137 		       cur_params.dot11MeshTTL) ||
5138 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
5139 		       cur_params.element_ttl) ||
5140 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
5141 		       cur_params.auto_open_plinks) ||
5142 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
5143 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
5144 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
5145 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
5146 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
5147 			cur_params.path_refresh_time) ||
5148 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
5149 			cur_params.min_discovery_timeout) ||
5150 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
5151 			cur_params.dot11MeshHWMPactivePathTimeout) ||
5152 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
5153 			cur_params.dot11MeshHWMPpreqMinInterval) ||
5154 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
5155 			cur_params.dot11MeshHWMPperrMinInterval) ||
5156 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
5157 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
5158 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
5159 		       cur_params.dot11MeshHWMPRootMode) ||
5160 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
5161 			cur_params.dot11MeshHWMPRannInterval) ||
5162 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
5163 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
5164 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
5165 		       cur_params.dot11MeshForwarding) ||
5166 	    nla_put_u32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
5167 			cur_params.rssi_threshold) ||
5168 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
5169 			cur_params.ht_opmode) ||
5170 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
5171 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
5172 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
5173 			cur_params.dot11MeshHWMProotInterval) ||
5174 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
5175 			cur_params.dot11MeshHWMPconfirmationInterval) ||
5176 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
5177 			cur_params.power_mode) ||
5178 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
5179 			cur_params.dot11MeshAwakeWindowDuration) ||
5180 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
5181 			cur_params.plink_timeout))
5182 		goto nla_put_failure;
5183 	nla_nest_end(msg, pinfoattr);
5184 	genlmsg_end(msg, hdr);
5185 	return genlmsg_reply(msg, info);
5186 
5187  nla_put_failure:
5188 	genlmsg_cancel(msg, hdr);
5189  out:
5190 	nlmsg_free(msg);
5191 	return -ENOBUFS;
5192 }
5193 
5194 static const struct nla_policy nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
5195 	[NL80211_MESHCONF_RETRY_TIMEOUT] = { .type = NLA_U16 },
5196 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] = { .type = NLA_U16 },
5197 	[NL80211_MESHCONF_HOLDING_TIMEOUT] = { .type = NLA_U16 },
5198 	[NL80211_MESHCONF_MAX_PEER_LINKS] = { .type = NLA_U16 },
5199 	[NL80211_MESHCONF_MAX_RETRIES] = { .type = NLA_U8 },
5200 	[NL80211_MESHCONF_TTL] = { .type = NLA_U8 },
5201 	[NL80211_MESHCONF_ELEMENT_TTL] = { .type = NLA_U8 },
5202 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = { .type = NLA_U8 },
5203 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] = { .type = NLA_U32 },
5204 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
5205 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
5206 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = { .type = NLA_U16 },
5207 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
5208 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] = { .type = NLA_U16 },
5209 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] = { .type = NLA_U16 },
5210 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] = { .type = NLA_U16 },
5211 	[NL80211_MESHCONF_HWMP_ROOTMODE] = { .type = NLA_U8 },
5212 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] = { .type = NLA_U16 },
5213 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = { .type = NLA_U8 },
5214 	[NL80211_MESHCONF_FORWARDING] = { .type = NLA_U8 },
5215 	[NL80211_MESHCONF_RSSI_THRESHOLD] = { .type = NLA_U32 },
5216 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
5217 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
5218 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] = { .type = NLA_U16 },
5219 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] = { .type = NLA_U16 },
5220 	[NL80211_MESHCONF_POWER_MODE] = { .type = NLA_U32 },
5221 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
5222 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
5223 };
5224 
5225 static const struct nla_policy
5226 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
5227 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
5228 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
5229 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
5230 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
5231 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
5232 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
5233 	[NL80211_MESH_SETUP_IE] = { .type = NLA_BINARY,
5234 				    .len = IEEE80211_MAX_DATA_LEN },
5235 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
5236 };
5237 
5238 static int nl80211_parse_mesh_config(struct genl_info *info,
5239 				     struct mesh_config *cfg,
5240 				     u32 *mask_out)
5241 {
5242 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
5243 	u32 mask = 0;
5244 
5245 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, min, max, mask, attr, fn) \
5246 do {									    \
5247 	if (tb[attr]) {							    \
5248 		if (fn(tb[attr]) < min || fn(tb[attr]) > max)		    \
5249 			return -EINVAL;					    \
5250 		cfg->param = fn(tb[attr]);				    \
5251 		mask |= (1 << (attr - 1));				    \
5252 	}								    \
5253 } while (0)
5254 
5255 
5256 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
5257 		return -EINVAL;
5258 	if (nla_parse_nested(tb, NL80211_MESHCONF_ATTR_MAX,
5259 			     info->attrs[NL80211_ATTR_MESH_CONFIG],
5260 			     nl80211_meshconf_params_policy))
5261 		return -EINVAL;
5262 
5263 	/* This makes sure that there aren't more than 32 mesh config
5264 	 * parameters (otherwise our bitfield scheme would not work.) */
5265 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
5266 
5267 	/* Fill in the params struct */
5268 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, 1, 255,
5269 				  mask, NL80211_MESHCONF_RETRY_TIMEOUT,
5270 				  nla_get_u16);
5271 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, 1, 255,
5272 				  mask, NL80211_MESHCONF_CONFIRM_TIMEOUT,
5273 				  nla_get_u16);
5274 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, 1, 255,
5275 				  mask, NL80211_MESHCONF_HOLDING_TIMEOUT,
5276 				  nla_get_u16);
5277 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, 0, 255,
5278 				  mask, NL80211_MESHCONF_MAX_PEER_LINKS,
5279 				  nla_get_u16);
5280 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, 0, 16,
5281 				  mask, NL80211_MESHCONF_MAX_RETRIES,
5282 				  nla_get_u8);
5283 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, 1, 255,
5284 				  mask, NL80211_MESHCONF_TTL, nla_get_u8);
5285 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, 1, 255,
5286 				  mask, NL80211_MESHCONF_ELEMENT_TTL,
5287 				  nla_get_u8);
5288 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, 0, 1,
5289 				  mask, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
5290 				  nla_get_u8);
5291 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
5292 				  1, 255, mask,
5293 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
5294 				  nla_get_u32);
5295 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, 0, 255,
5296 				  mask, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
5297 				  nla_get_u8);
5298 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, 1, 65535,
5299 				  mask, NL80211_MESHCONF_PATH_REFRESH_TIME,
5300 				  nla_get_u32);
5301 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, 1, 65535,
5302 				  mask, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
5303 				  nla_get_u16);
5304 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
5305 				  1, 65535, mask,
5306 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
5307 				  nla_get_u32);
5308 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval,
5309 				  1, 65535, mask,
5310 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
5311 				  nla_get_u16);
5312 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval,
5313 				  1, 65535, mask,
5314 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
5315 				  nla_get_u16);
5316 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5317 				  dot11MeshHWMPnetDiameterTraversalTime,
5318 				  1, 65535, mask,
5319 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
5320 				  nla_get_u16);
5321 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, 0, 4,
5322 				  mask, NL80211_MESHCONF_HWMP_ROOTMODE,
5323 				  nla_get_u8);
5324 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, 1, 65535,
5325 				  mask, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
5326 				  nla_get_u16);
5327 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5328 				  dot11MeshGateAnnouncementProtocol, 0, 1,
5329 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
5330 				  nla_get_u8);
5331 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, 0, 1,
5332 				  mask, NL80211_MESHCONF_FORWARDING,
5333 				  nla_get_u8);
5334 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, -255, 0,
5335 				  mask, NL80211_MESHCONF_RSSI_THRESHOLD,
5336 				  nla_get_s32);
5337 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, ht_opmode, 0, 16,
5338 				  mask, NL80211_MESHCONF_HT_OPMODE,
5339 				  nla_get_u16);
5340 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathToRootTimeout,
5341 				  1, 65535, mask,
5342 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
5343 				  nla_get_u32);
5344 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, 1, 65535,
5345 				  mask, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
5346 				  nla_get_u16);
5347 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5348 				  dot11MeshHWMPconfirmationInterval,
5349 				  1, 65535, mask,
5350 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
5351 				  nla_get_u16);
5352 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode,
5353 				  NL80211_MESH_POWER_ACTIVE,
5354 				  NL80211_MESH_POWER_MAX,
5355 				  mask, NL80211_MESHCONF_POWER_MODE,
5356 				  nla_get_u32);
5357 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration,
5358 				  0, 65535, mask,
5359 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
5360 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, 0, 0xffffffff,
5361 				  mask, NL80211_MESHCONF_PLINK_TIMEOUT,
5362 				  nla_get_u32);
5363 	if (mask_out)
5364 		*mask_out = mask;
5365 
5366 	return 0;
5367 
5368 #undef FILL_IN_MESH_PARAM_IF_SET
5369 }
5370 
5371 static int nl80211_parse_mesh_setup(struct genl_info *info,
5372 				     struct mesh_setup *setup)
5373 {
5374 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5375 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
5376 
5377 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
5378 		return -EINVAL;
5379 	if (nla_parse_nested(tb, NL80211_MESH_SETUP_ATTR_MAX,
5380 			     info->attrs[NL80211_ATTR_MESH_SETUP],
5381 			     nl80211_mesh_setup_params_policy))
5382 		return -EINVAL;
5383 
5384 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
5385 		setup->sync_method =
5386 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
5387 		 IEEE80211_SYNC_METHOD_VENDOR :
5388 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
5389 
5390 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
5391 		setup->path_sel_proto =
5392 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
5393 		 IEEE80211_PATH_PROTOCOL_VENDOR :
5394 		 IEEE80211_PATH_PROTOCOL_HWMP;
5395 
5396 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
5397 		setup->path_metric =
5398 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
5399 		 IEEE80211_PATH_METRIC_VENDOR :
5400 		 IEEE80211_PATH_METRIC_AIRTIME;
5401 
5402 
5403 	if (tb[NL80211_MESH_SETUP_IE]) {
5404 		struct nlattr *ieattr =
5405 			tb[NL80211_MESH_SETUP_IE];
5406 		if (!is_valid_ie_attr(ieattr))
5407 			return -EINVAL;
5408 		setup->ie = nla_data(ieattr);
5409 		setup->ie_len = nla_len(ieattr);
5410 	}
5411 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
5412 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
5413 		return -EINVAL;
5414 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
5415 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
5416 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
5417 	if (setup->is_secure)
5418 		setup->user_mpm = true;
5419 
5420 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
5421 		if (!setup->user_mpm)
5422 			return -EINVAL;
5423 		setup->auth_id =
5424 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
5425 	}
5426 
5427 	return 0;
5428 }
5429 
5430 static int nl80211_update_mesh_config(struct sk_buff *skb,
5431 				      struct genl_info *info)
5432 {
5433 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5434 	struct net_device *dev = info->user_ptr[1];
5435 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5436 	struct mesh_config cfg;
5437 	u32 mask;
5438 	int err;
5439 
5440 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
5441 		return -EOPNOTSUPP;
5442 
5443 	if (!rdev->ops->update_mesh_config)
5444 		return -EOPNOTSUPP;
5445 
5446 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
5447 	if (err)
5448 		return err;
5449 
5450 	wdev_lock(wdev);
5451 	if (!wdev->mesh_id_len)
5452 		err = -ENOLINK;
5453 
5454 	if (!err)
5455 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
5456 
5457 	wdev_unlock(wdev);
5458 
5459 	return err;
5460 }
5461 
5462 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
5463 			      struct sk_buff *msg)
5464 {
5465 	struct nlattr *nl_reg_rules;
5466 	unsigned int i;
5467 
5468 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
5469 	    (regdom->dfs_region &&
5470 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
5471 		goto nla_put_failure;
5472 
5473 	nl_reg_rules = nla_nest_start(msg, NL80211_ATTR_REG_RULES);
5474 	if (!nl_reg_rules)
5475 		goto nla_put_failure;
5476 
5477 	for (i = 0; i < regdom->n_reg_rules; i++) {
5478 		struct nlattr *nl_reg_rule;
5479 		const struct ieee80211_reg_rule *reg_rule;
5480 		const struct ieee80211_freq_range *freq_range;
5481 		const struct ieee80211_power_rule *power_rule;
5482 		unsigned int max_bandwidth_khz;
5483 
5484 		reg_rule = &regdom->reg_rules[i];
5485 		freq_range = &reg_rule->freq_range;
5486 		power_rule = &reg_rule->power_rule;
5487 
5488 		nl_reg_rule = nla_nest_start(msg, i);
5489 		if (!nl_reg_rule)
5490 			goto nla_put_failure;
5491 
5492 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
5493 		if (!max_bandwidth_khz)
5494 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
5495 								  reg_rule);
5496 
5497 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
5498 				reg_rule->flags) ||
5499 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
5500 				freq_range->start_freq_khz) ||
5501 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
5502 				freq_range->end_freq_khz) ||
5503 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
5504 				max_bandwidth_khz) ||
5505 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
5506 				power_rule->max_antenna_gain) ||
5507 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
5508 				power_rule->max_eirp) ||
5509 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
5510 				reg_rule->dfs_cac_ms))
5511 			goto nla_put_failure;
5512 
5513 		nla_nest_end(msg, nl_reg_rule);
5514 	}
5515 
5516 	nla_nest_end(msg, nl_reg_rules);
5517 	return 0;
5518 
5519 nla_put_failure:
5520 	return -EMSGSIZE;
5521 }
5522 
5523 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
5524 {
5525 	const struct ieee80211_regdomain *regdom = NULL;
5526 	struct cfg80211_registered_device *rdev;
5527 	struct wiphy *wiphy = NULL;
5528 	struct sk_buff *msg;
5529 	void *hdr;
5530 
5531 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5532 	if (!msg)
5533 		return -ENOBUFS;
5534 
5535 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
5536 			     NL80211_CMD_GET_REG);
5537 	if (!hdr)
5538 		goto put_failure;
5539 
5540 	if (info->attrs[NL80211_ATTR_WIPHY]) {
5541 		bool self_managed;
5542 
5543 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
5544 		if (IS_ERR(rdev)) {
5545 			nlmsg_free(msg);
5546 			return PTR_ERR(rdev);
5547 		}
5548 
5549 		wiphy = &rdev->wiphy;
5550 		self_managed = wiphy->regulatory_flags &
5551 			       REGULATORY_WIPHY_SELF_MANAGED;
5552 		regdom = get_wiphy_regdom(wiphy);
5553 
5554 		/* a self-managed-reg device must have a private regdom */
5555 		if (WARN_ON(!regdom && self_managed)) {
5556 			nlmsg_free(msg);
5557 			return -EINVAL;
5558 		}
5559 
5560 		if (regdom &&
5561 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
5562 			goto nla_put_failure;
5563 	}
5564 
5565 	if (!wiphy && reg_last_request_cell_base() &&
5566 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
5567 			NL80211_USER_REG_HINT_CELL_BASE))
5568 		goto nla_put_failure;
5569 
5570 	rcu_read_lock();
5571 
5572 	if (!regdom)
5573 		regdom = rcu_dereference(cfg80211_regdomain);
5574 
5575 	if (nl80211_put_regdom(regdom, msg))
5576 		goto nla_put_failure_rcu;
5577 
5578 	rcu_read_unlock();
5579 
5580 	genlmsg_end(msg, hdr);
5581 	return genlmsg_reply(msg, info);
5582 
5583 nla_put_failure_rcu:
5584 	rcu_read_unlock();
5585 nla_put_failure:
5586 	genlmsg_cancel(msg, hdr);
5587 put_failure:
5588 	nlmsg_free(msg);
5589 	return -EMSGSIZE;
5590 }
5591 
5592 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
5593 			       u32 seq, int flags, struct wiphy *wiphy,
5594 			       const struct ieee80211_regdomain *regdom)
5595 {
5596 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
5597 				   NL80211_CMD_GET_REG);
5598 
5599 	if (!hdr)
5600 		return -1;
5601 
5602 	genl_dump_check_consistent(cb, hdr, &nl80211_fam);
5603 
5604 	if (nl80211_put_regdom(regdom, msg))
5605 		goto nla_put_failure;
5606 
5607 	if (!wiphy && reg_last_request_cell_base() &&
5608 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
5609 			NL80211_USER_REG_HINT_CELL_BASE))
5610 		goto nla_put_failure;
5611 
5612 	if (wiphy &&
5613 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
5614 		goto nla_put_failure;
5615 
5616 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
5617 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
5618 		goto nla_put_failure;
5619 
5620 	genlmsg_end(msg, hdr);
5621 	return 0;
5622 
5623 nla_put_failure:
5624 	genlmsg_cancel(msg, hdr);
5625 	return -EMSGSIZE;
5626 }
5627 
5628 static int nl80211_get_reg_dump(struct sk_buff *skb,
5629 				struct netlink_callback *cb)
5630 {
5631 	const struct ieee80211_regdomain *regdom = NULL;
5632 	struct cfg80211_registered_device *rdev;
5633 	int err, reg_idx, start = cb->args[2];
5634 
5635 	rtnl_lock();
5636 
5637 	if (cfg80211_regdomain && start == 0) {
5638 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
5639 					  NLM_F_MULTI, NULL,
5640 					  rtnl_dereference(cfg80211_regdomain));
5641 		if (err < 0)
5642 			goto out_err;
5643 	}
5644 
5645 	/* the global regdom is idx 0 */
5646 	reg_idx = 1;
5647 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
5648 		regdom = get_wiphy_regdom(&rdev->wiphy);
5649 		if (!regdom)
5650 			continue;
5651 
5652 		if (++reg_idx <= start)
5653 			continue;
5654 
5655 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
5656 					  NLM_F_MULTI, &rdev->wiphy, regdom);
5657 		if (err < 0) {
5658 			reg_idx--;
5659 			break;
5660 		}
5661 	}
5662 
5663 	cb->args[2] = reg_idx;
5664 	err = skb->len;
5665 out_err:
5666 	rtnl_unlock();
5667 	return err;
5668 }
5669 
5670 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
5671 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
5672 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
5673 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
5674 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
5675 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
5676 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
5677 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
5678 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
5679 };
5680 
5681 static int parse_reg_rule(struct nlattr *tb[],
5682 	struct ieee80211_reg_rule *reg_rule)
5683 {
5684 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
5685 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
5686 
5687 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
5688 		return -EINVAL;
5689 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
5690 		return -EINVAL;
5691 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
5692 		return -EINVAL;
5693 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
5694 		return -EINVAL;
5695 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
5696 		return -EINVAL;
5697 
5698 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
5699 
5700 	freq_range->start_freq_khz =
5701 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
5702 	freq_range->end_freq_khz =
5703 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
5704 	freq_range->max_bandwidth_khz =
5705 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
5706 
5707 	power_rule->max_eirp =
5708 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
5709 
5710 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
5711 		power_rule->max_antenna_gain =
5712 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
5713 
5714 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
5715 		reg_rule->dfs_cac_ms =
5716 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
5717 
5718 	return 0;
5719 }
5720 
5721 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
5722 {
5723 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
5724 	struct nlattr *nl_reg_rule;
5725 	char *alpha2;
5726 	int rem_reg_rules, r;
5727 	u32 num_rules = 0, rule_idx = 0, size_of_regd;
5728 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
5729 	struct ieee80211_regdomain *rd;
5730 
5731 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
5732 		return -EINVAL;
5733 
5734 	if (!info->attrs[NL80211_ATTR_REG_RULES])
5735 		return -EINVAL;
5736 
5737 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
5738 
5739 	if (info->attrs[NL80211_ATTR_DFS_REGION])
5740 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
5741 
5742 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
5743 			    rem_reg_rules) {
5744 		num_rules++;
5745 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
5746 			return -EINVAL;
5747 	}
5748 
5749 	if (!reg_is_valid_request(alpha2))
5750 		return -EINVAL;
5751 
5752 	size_of_regd = sizeof(struct ieee80211_regdomain) +
5753 		       num_rules * sizeof(struct ieee80211_reg_rule);
5754 
5755 	rd = kzalloc(size_of_regd, GFP_KERNEL);
5756 	if (!rd)
5757 		return -ENOMEM;
5758 
5759 	rd->n_reg_rules = num_rules;
5760 	rd->alpha2[0] = alpha2[0];
5761 	rd->alpha2[1] = alpha2[1];
5762 
5763 	/*
5764 	 * Disable DFS master mode if the DFS region was
5765 	 * not supported or known on this kernel.
5766 	 */
5767 	if (reg_supported_dfs_region(dfs_region))
5768 		rd->dfs_region = dfs_region;
5769 
5770 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
5771 			    rem_reg_rules) {
5772 		r = nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
5773 			      nla_data(nl_reg_rule), nla_len(nl_reg_rule),
5774 			      reg_rule_policy);
5775 		if (r)
5776 			goto bad_reg;
5777 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
5778 		if (r)
5779 			goto bad_reg;
5780 
5781 		rule_idx++;
5782 
5783 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
5784 			r = -EINVAL;
5785 			goto bad_reg;
5786 		}
5787 	}
5788 
5789 	r = set_regdom(rd, REGD_SOURCE_CRDA);
5790 	/* set_regdom took ownership */
5791 	rd = NULL;
5792 
5793  bad_reg:
5794 	kfree(rd);
5795 	return r;
5796 }
5797 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
5798 
5799 static int validate_scan_freqs(struct nlattr *freqs)
5800 {
5801 	struct nlattr *attr1, *attr2;
5802 	int n_channels = 0, tmp1, tmp2;
5803 
5804 	nla_for_each_nested(attr1, freqs, tmp1) {
5805 		n_channels++;
5806 		/*
5807 		 * Some hardware has a limited channel list for
5808 		 * scanning, and it is pretty much nonsensical
5809 		 * to scan for a channel twice, so disallow that
5810 		 * and don't require drivers to check that the
5811 		 * channel list they get isn't longer than what
5812 		 * they can scan, as long as they can scan all
5813 		 * the channels they registered at once.
5814 		 */
5815 		nla_for_each_nested(attr2, freqs, tmp2)
5816 			if (attr1 != attr2 &&
5817 			    nla_get_u32(attr1) == nla_get_u32(attr2))
5818 				return 0;
5819 	}
5820 
5821 	return n_channels;
5822 }
5823 
5824 static bool is_band_valid(struct wiphy *wiphy, enum ieee80211_band b)
5825 {
5826 	return b < IEEE80211_NUM_BANDS && wiphy->bands[b];
5827 }
5828 
5829 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
5830 			    struct cfg80211_bss_selection *bss_select)
5831 {
5832 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
5833 	struct nlattr *nest;
5834 	int err;
5835 	bool found = false;
5836 	int i;
5837 
5838 	/* only process one nested attribute */
5839 	nest = nla_data(nla);
5840 	if (!nla_ok(nest, nla_len(nest)))
5841 		return -EINVAL;
5842 
5843 	err = nla_parse(attr, NL80211_BSS_SELECT_ATTR_MAX, nla_data(nest),
5844 			nla_len(nest), nl80211_bss_select_policy);
5845 	if (err)
5846 		return err;
5847 
5848 	/* only one attribute may be given */
5849 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
5850 		if (attr[i]) {
5851 			if (found)
5852 				return -EINVAL;
5853 			found = true;
5854 		}
5855 	}
5856 
5857 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
5858 
5859 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
5860 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
5861 
5862 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
5863 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
5864 		bss_select->param.band_pref =
5865 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
5866 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
5867 			return -EINVAL;
5868 	}
5869 
5870 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
5871 		struct nl80211_bss_select_rssi_adjust *adj_param;
5872 
5873 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
5874 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
5875 		bss_select->param.adjust.band = adj_param->band;
5876 		bss_select->param.adjust.delta = adj_param->delta;
5877 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
5878 			return -EINVAL;
5879 	}
5880 
5881 	/* user-space did not provide behaviour attribute */
5882 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
5883 		return -EINVAL;
5884 
5885 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
5886 		return -EINVAL;
5887 
5888 	return 0;
5889 }
5890 
5891 static int nl80211_parse_random_mac(struct nlattr **attrs,
5892 				    u8 *mac_addr, u8 *mac_addr_mask)
5893 {
5894 	int i;
5895 
5896 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
5897 		eth_zero_addr(mac_addr);
5898 		eth_zero_addr(mac_addr_mask);
5899 		mac_addr[0] = 0x2;
5900 		mac_addr_mask[0] = 0x3;
5901 
5902 		return 0;
5903 	}
5904 
5905 	/* need both or none */
5906 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
5907 		return -EINVAL;
5908 
5909 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
5910 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
5911 
5912 	/* don't allow or configure an mcast address */
5913 	if (!is_multicast_ether_addr(mac_addr_mask) ||
5914 	    is_multicast_ether_addr(mac_addr))
5915 		return -EINVAL;
5916 
5917 	/*
5918 	 * allow users to pass a MAC address that has bits set outside
5919 	 * of the mask, but don't bother drivers with having to deal
5920 	 * with such bits
5921 	 */
5922 	for (i = 0; i < ETH_ALEN; i++)
5923 		mac_addr[i] &= mac_addr_mask[i];
5924 
5925 	return 0;
5926 }
5927 
5928 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
5929 {
5930 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5931 	struct wireless_dev *wdev = info->user_ptr[1];
5932 	struct cfg80211_scan_request *request;
5933 	struct nlattr *attr;
5934 	struct wiphy *wiphy;
5935 	int err, tmp, n_ssids = 0, n_channels, i;
5936 	size_t ie_len;
5937 
5938 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5939 		return -EINVAL;
5940 
5941 	wiphy = &rdev->wiphy;
5942 
5943 	if (!rdev->ops->scan)
5944 		return -EOPNOTSUPP;
5945 
5946 	if (rdev->scan_req || rdev->scan_msg) {
5947 		err = -EBUSY;
5948 		goto unlock;
5949 	}
5950 
5951 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5952 		n_channels = validate_scan_freqs(
5953 				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
5954 		if (!n_channels) {
5955 			err = -EINVAL;
5956 			goto unlock;
5957 		}
5958 	} else {
5959 		n_channels = ieee80211_get_num_supported_channels(wiphy);
5960 	}
5961 
5962 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
5963 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
5964 			n_ssids++;
5965 
5966 	if (n_ssids > wiphy->max_scan_ssids) {
5967 		err = -EINVAL;
5968 		goto unlock;
5969 	}
5970 
5971 	if (info->attrs[NL80211_ATTR_IE])
5972 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5973 	else
5974 		ie_len = 0;
5975 
5976 	if (ie_len > wiphy->max_scan_ie_len) {
5977 		err = -EINVAL;
5978 		goto unlock;
5979 	}
5980 
5981 	request = kzalloc(sizeof(*request)
5982 			+ sizeof(*request->ssids) * n_ssids
5983 			+ sizeof(*request->channels) * n_channels
5984 			+ ie_len, GFP_KERNEL);
5985 	if (!request) {
5986 		err = -ENOMEM;
5987 		goto unlock;
5988 	}
5989 
5990 	if (n_ssids)
5991 		request->ssids = (void *)&request->channels[n_channels];
5992 	request->n_ssids = n_ssids;
5993 	if (ie_len) {
5994 		if (n_ssids)
5995 			request->ie = (void *)(request->ssids + n_ssids);
5996 		else
5997 			request->ie = (void *)(request->channels + n_channels);
5998 	}
5999 
6000 	i = 0;
6001 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
6002 		/* user specified, bail out if channel not found */
6003 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
6004 			struct ieee80211_channel *chan;
6005 
6006 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
6007 
6008 			if (!chan) {
6009 				err = -EINVAL;
6010 				goto out_free;
6011 			}
6012 
6013 			/* ignore disabled channels */
6014 			if (chan->flags & IEEE80211_CHAN_DISABLED)
6015 				continue;
6016 
6017 			request->channels[i] = chan;
6018 			i++;
6019 		}
6020 	} else {
6021 		enum ieee80211_band band;
6022 
6023 		/* all channels */
6024 		for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
6025 			int j;
6026 			if (!wiphy->bands[band])
6027 				continue;
6028 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
6029 				struct ieee80211_channel *chan;
6030 
6031 				chan = &wiphy->bands[band]->channels[j];
6032 
6033 				if (chan->flags & IEEE80211_CHAN_DISABLED)
6034 					continue;
6035 
6036 				request->channels[i] = chan;
6037 				i++;
6038 			}
6039 		}
6040 	}
6041 
6042 	if (!i) {
6043 		err = -EINVAL;
6044 		goto out_free;
6045 	}
6046 
6047 	request->n_channels = i;
6048 
6049 	i = 0;
6050 	if (n_ssids) {
6051 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
6052 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
6053 				err = -EINVAL;
6054 				goto out_free;
6055 			}
6056 			request->ssids[i].ssid_len = nla_len(attr);
6057 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
6058 			i++;
6059 		}
6060 	}
6061 
6062 	if (info->attrs[NL80211_ATTR_IE]) {
6063 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6064 		memcpy((void *)request->ie,
6065 		       nla_data(info->attrs[NL80211_ATTR_IE]),
6066 		       request->ie_len);
6067 	}
6068 
6069 	for (i = 0; i < IEEE80211_NUM_BANDS; i++)
6070 		if (wiphy->bands[i])
6071 			request->rates[i] =
6072 				(1 << wiphy->bands[i]->n_bitrates) - 1;
6073 
6074 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
6075 		nla_for_each_nested(attr,
6076 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
6077 				    tmp) {
6078 			enum ieee80211_band band = nla_type(attr);
6079 
6080 			if (band < 0 || band >= IEEE80211_NUM_BANDS) {
6081 				err = -EINVAL;
6082 				goto out_free;
6083 			}
6084 
6085 			if (!wiphy->bands[band])
6086 				continue;
6087 
6088 			err = ieee80211_get_ratemask(wiphy->bands[band],
6089 						     nla_data(attr),
6090 						     nla_len(attr),
6091 						     &request->rates[band]);
6092 			if (err)
6093 				goto out_free;
6094 		}
6095 	}
6096 
6097 	if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
6098 		request->flags = nla_get_u32(
6099 			info->attrs[NL80211_ATTR_SCAN_FLAGS]);
6100 		if ((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
6101 		    !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) {
6102 			err = -EOPNOTSUPP;
6103 			goto out_free;
6104 		}
6105 
6106 		if (request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
6107 			if (!(wiphy->features &
6108 					NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR)) {
6109 				err = -EOPNOTSUPP;
6110 				goto out_free;
6111 			}
6112 
6113 			if (wdev->current_bss) {
6114 				err = -EOPNOTSUPP;
6115 				goto out_free;
6116 			}
6117 
6118 			err = nl80211_parse_random_mac(info->attrs,
6119 						       request->mac_addr,
6120 						       request->mac_addr_mask);
6121 			if (err)
6122 				goto out_free;
6123 		}
6124 	}
6125 
6126 	request->no_cck =
6127 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
6128 
6129 	if (info->attrs[NL80211_ATTR_MAC])
6130 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
6131 		       ETH_ALEN);
6132 	else
6133 		eth_broadcast_addr(request->bssid);
6134 
6135 	request->wdev = wdev;
6136 	request->wiphy = &rdev->wiphy;
6137 	request->scan_start = jiffies;
6138 
6139 	rdev->scan_req = request;
6140 	err = rdev_scan(rdev, request);
6141 
6142 	if (!err) {
6143 		nl80211_send_scan_start(rdev, wdev);
6144 		if (wdev->netdev)
6145 			dev_hold(wdev->netdev);
6146 	} else {
6147  out_free:
6148 		rdev->scan_req = NULL;
6149 		kfree(request);
6150 	}
6151 
6152  unlock:
6153 	return err;
6154 }
6155 
6156 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
6157 {
6158 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6159 	struct wireless_dev *wdev = info->user_ptr[1];
6160 
6161 	if (!rdev->ops->abort_scan)
6162 		return -EOPNOTSUPP;
6163 
6164 	if (rdev->scan_msg)
6165 		return 0;
6166 
6167 	if (!rdev->scan_req)
6168 		return -ENOENT;
6169 
6170 	rdev_abort_scan(rdev, wdev);
6171 	return 0;
6172 }
6173 
6174 static int
6175 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
6176 			       struct cfg80211_sched_scan_request *request,
6177 			       struct nlattr **attrs)
6178 {
6179 	int tmp, err, i = 0;
6180 	struct nlattr *attr;
6181 
6182 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
6183 		u32 interval;
6184 
6185 		/*
6186 		 * If scan plans are not specified,
6187 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL must be specified. In this
6188 		 * case one scan plan will be set with the specified scan
6189 		 * interval and infinite number of iterations.
6190 		 */
6191 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
6192 			return -EINVAL;
6193 
6194 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
6195 		if (!interval)
6196 			return -EINVAL;
6197 
6198 		request->scan_plans[0].interval =
6199 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
6200 		if (!request->scan_plans[0].interval)
6201 			return -EINVAL;
6202 
6203 		if (request->scan_plans[0].interval >
6204 		    wiphy->max_sched_scan_plan_interval)
6205 			request->scan_plans[0].interval =
6206 				wiphy->max_sched_scan_plan_interval;
6207 
6208 		return 0;
6209 	}
6210 
6211 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
6212 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
6213 
6214 		if (WARN_ON(i >= n_plans))
6215 			return -EINVAL;
6216 
6217 		err = nla_parse(plan, NL80211_SCHED_SCAN_PLAN_MAX,
6218 				nla_data(attr), nla_len(attr),
6219 				nl80211_plan_policy);
6220 		if (err)
6221 			return err;
6222 
6223 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
6224 			return -EINVAL;
6225 
6226 		request->scan_plans[i].interval =
6227 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
6228 		if (!request->scan_plans[i].interval ||
6229 		    request->scan_plans[i].interval >
6230 		    wiphy->max_sched_scan_plan_interval)
6231 			return -EINVAL;
6232 
6233 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
6234 			request->scan_plans[i].iterations =
6235 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
6236 			if (!request->scan_plans[i].iterations ||
6237 			    (request->scan_plans[i].iterations >
6238 			     wiphy->max_sched_scan_plan_iterations))
6239 				return -EINVAL;
6240 		} else if (i < n_plans - 1) {
6241 			/*
6242 			 * All scan plans but the last one must specify
6243 			 * a finite number of iterations
6244 			 */
6245 			return -EINVAL;
6246 		}
6247 
6248 		i++;
6249 	}
6250 
6251 	/*
6252 	 * The last scan plan must not specify the number of
6253 	 * iterations, it is supposed to run infinitely
6254 	 */
6255 	if (request->scan_plans[n_plans - 1].iterations)
6256 		return  -EINVAL;
6257 
6258 	return 0;
6259 }
6260 
6261 static struct cfg80211_sched_scan_request *
6262 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
6263 			 struct nlattr **attrs)
6264 {
6265 	struct cfg80211_sched_scan_request *request;
6266 	struct nlattr *attr;
6267 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
6268 	enum ieee80211_band band;
6269 	size_t ie_len;
6270 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
6271 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
6272 
6273 	if (!is_valid_ie_attr(attrs[NL80211_ATTR_IE]))
6274 		return ERR_PTR(-EINVAL);
6275 
6276 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
6277 		n_channels = validate_scan_freqs(
6278 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
6279 		if (!n_channels)
6280 			return ERR_PTR(-EINVAL);
6281 	} else {
6282 		n_channels = ieee80211_get_num_supported_channels(wiphy);
6283 	}
6284 
6285 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
6286 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
6287 				    tmp)
6288 			n_ssids++;
6289 
6290 	if (n_ssids > wiphy->max_sched_scan_ssids)
6291 		return ERR_PTR(-EINVAL);
6292 
6293 	/*
6294 	 * First, count the number of 'real' matchsets. Due to an issue with
6295 	 * the old implementation, matchsets containing only the RSSI attribute
6296 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
6297 	 * RSSI for all matchsets, rather than their own matchset for reporting
6298 	 * all APs with a strong RSSI. This is needed to be compatible with
6299 	 * older userspace that treated a matchset with only the RSSI as the
6300 	 * global RSSI for all other matchsets - if there are other matchsets.
6301 	 */
6302 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
6303 		nla_for_each_nested(attr,
6304 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
6305 				    tmp) {
6306 			struct nlattr *rssi;
6307 
6308 			err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
6309 					nla_data(attr), nla_len(attr),
6310 					nl80211_match_policy);
6311 			if (err)
6312 				return ERR_PTR(err);
6313 			/* add other standalone attributes here */
6314 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID]) {
6315 				n_match_sets++;
6316 				continue;
6317 			}
6318 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
6319 			if (rssi)
6320 				default_match_rssi = nla_get_s32(rssi);
6321 		}
6322 	}
6323 
6324 	/* However, if there's no other matchset, add the RSSI one */
6325 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
6326 		n_match_sets = 1;
6327 
6328 	if (n_match_sets > wiphy->max_match_sets)
6329 		return ERR_PTR(-EINVAL);
6330 
6331 	if (attrs[NL80211_ATTR_IE])
6332 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
6333 	else
6334 		ie_len = 0;
6335 
6336 	if (ie_len > wiphy->max_sched_scan_ie_len)
6337 		return ERR_PTR(-EINVAL);
6338 
6339 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
6340 		/*
6341 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
6342 		 * each scan plan already specifies its own interval
6343 		 */
6344 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
6345 			return ERR_PTR(-EINVAL);
6346 
6347 		nla_for_each_nested(attr,
6348 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
6349 			n_plans++;
6350 	} else {
6351 		/*
6352 		 * The scan interval attribute is kept for backward
6353 		 * compatibility. If no scan plans are specified and sched scan
6354 		 * interval is specified, one scan plan will be set with this
6355 		 * scan interval and infinite number of iterations.
6356 		 */
6357 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
6358 			return ERR_PTR(-EINVAL);
6359 
6360 		n_plans = 1;
6361 	}
6362 
6363 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
6364 		return ERR_PTR(-EINVAL);
6365 
6366 	request = kzalloc(sizeof(*request)
6367 			+ sizeof(*request->ssids) * n_ssids
6368 			+ sizeof(*request->match_sets) * n_match_sets
6369 			+ sizeof(*request->scan_plans) * n_plans
6370 			+ sizeof(*request->channels) * n_channels
6371 			+ ie_len, GFP_KERNEL);
6372 	if (!request)
6373 		return ERR_PTR(-ENOMEM);
6374 
6375 	if (n_ssids)
6376 		request->ssids = (void *)&request->channels[n_channels];
6377 	request->n_ssids = n_ssids;
6378 	if (ie_len) {
6379 		if (n_ssids)
6380 			request->ie = (void *)(request->ssids + n_ssids);
6381 		else
6382 			request->ie = (void *)(request->channels + n_channels);
6383 	}
6384 
6385 	if (n_match_sets) {
6386 		if (request->ie)
6387 			request->match_sets = (void *)(request->ie + ie_len);
6388 		else if (n_ssids)
6389 			request->match_sets =
6390 				(void *)(request->ssids + n_ssids);
6391 		else
6392 			request->match_sets =
6393 				(void *)(request->channels + n_channels);
6394 	}
6395 	request->n_match_sets = n_match_sets;
6396 
6397 	if (n_match_sets)
6398 		request->scan_plans = (void *)(request->match_sets +
6399 					       n_match_sets);
6400 	else if (request->ie)
6401 		request->scan_plans = (void *)(request->ie + ie_len);
6402 	else if (n_ssids)
6403 		request->scan_plans = (void *)(request->ssids + n_ssids);
6404 	else
6405 		request->scan_plans = (void *)(request->channels + n_channels);
6406 
6407 	request->n_scan_plans = n_plans;
6408 
6409 	i = 0;
6410 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
6411 		/* user specified, bail out if channel not found */
6412 		nla_for_each_nested(attr,
6413 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
6414 				    tmp) {
6415 			struct ieee80211_channel *chan;
6416 
6417 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
6418 
6419 			if (!chan) {
6420 				err = -EINVAL;
6421 				goto out_free;
6422 			}
6423 
6424 			/* ignore disabled channels */
6425 			if (chan->flags & IEEE80211_CHAN_DISABLED)
6426 				continue;
6427 
6428 			request->channels[i] = chan;
6429 			i++;
6430 		}
6431 	} else {
6432 		/* all channels */
6433 		for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
6434 			int j;
6435 			if (!wiphy->bands[band])
6436 				continue;
6437 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
6438 				struct ieee80211_channel *chan;
6439 
6440 				chan = &wiphy->bands[band]->channels[j];
6441 
6442 				if (chan->flags & IEEE80211_CHAN_DISABLED)
6443 					continue;
6444 
6445 				request->channels[i] = chan;
6446 				i++;
6447 			}
6448 		}
6449 	}
6450 
6451 	if (!i) {
6452 		err = -EINVAL;
6453 		goto out_free;
6454 	}
6455 
6456 	request->n_channels = i;
6457 
6458 	i = 0;
6459 	if (n_ssids) {
6460 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
6461 				    tmp) {
6462 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
6463 				err = -EINVAL;
6464 				goto out_free;
6465 			}
6466 			request->ssids[i].ssid_len = nla_len(attr);
6467 			memcpy(request->ssids[i].ssid, nla_data(attr),
6468 			       nla_len(attr));
6469 			i++;
6470 		}
6471 	}
6472 
6473 	i = 0;
6474 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
6475 		nla_for_each_nested(attr,
6476 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
6477 				    tmp) {
6478 			struct nlattr *ssid, *rssi;
6479 
6480 			err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
6481 					nla_data(attr), nla_len(attr),
6482 					nl80211_match_policy);
6483 			if (err)
6484 				goto out_free;
6485 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
6486 			if (ssid) {
6487 				if (WARN_ON(i >= n_match_sets)) {
6488 					/* this indicates a programming error,
6489 					 * the loop above should have verified
6490 					 * things properly
6491 					 */
6492 					err = -EINVAL;
6493 					goto out_free;
6494 				}
6495 
6496 				if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
6497 					err = -EINVAL;
6498 					goto out_free;
6499 				}
6500 				memcpy(request->match_sets[i].ssid.ssid,
6501 				       nla_data(ssid), nla_len(ssid));
6502 				request->match_sets[i].ssid.ssid_len =
6503 					nla_len(ssid);
6504 				/* special attribute - old implemenation w/a */
6505 				request->match_sets[i].rssi_thold =
6506 					default_match_rssi;
6507 				rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
6508 				if (rssi)
6509 					request->match_sets[i].rssi_thold =
6510 						nla_get_s32(rssi);
6511 			}
6512 			i++;
6513 		}
6514 
6515 		/* there was no other matchset, so the RSSI one is alone */
6516 		if (i == 0 && n_match_sets)
6517 			request->match_sets[0].rssi_thold = default_match_rssi;
6518 
6519 		request->min_rssi_thold = INT_MAX;
6520 		for (i = 0; i < n_match_sets; i++)
6521 			request->min_rssi_thold =
6522 				min(request->match_sets[i].rssi_thold,
6523 				    request->min_rssi_thold);
6524 	} else {
6525 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
6526 	}
6527 
6528 	if (ie_len) {
6529 		request->ie_len = ie_len;
6530 		memcpy((void *)request->ie,
6531 		       nla_data(attrs[NL80211_ATTR_IE]),
6532 		       request->ie_len);
6533 	}
6534 
6535 	if (attrs[NL80211_ATTR_SCAN_FLAGS]) {
6536 		request->flags = nla_get_u32(
6537 			attrs[NL80211_ATTR_SCAN_FLAGS]);
6538 		if ((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
6539 		    !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) {
6540 			err = -EOPNOTSUPP;
6541 			goto out_free;
6542 		}
6543 
6544 		if (request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
6545 			u32 flg = NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR;
6546 
6547 			if (!wdev) /* must be net-detect */
6548 				flg = NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
6549 
6550 			if (!(wiphy->features & flg)) {
6551 				err = -EOPNOTSUPP;
6552 				goto out_free;
6553 			}
6554 
6555 			if (wdev && wdev->current_bss) {
6556 				err = -EOPNOTSUPP;
6557 				goto out_free;
6558 			}
6559 
6560 			err = nl80211_parse_random_mac(attrs, request->mac_addr,
6561 						       request->mac_addr_mask);
6562 			if (err)
6563 				goto out_free;
6564 		}
6565 	}
6566 
6567 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
6568 		request->delay =
6569 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
6570 
6571 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
6572 	if (err)
6573 		goto out_free;
6574 
6575 	request->scan_start = jiffies;
6576 
6577 	return request;
6578 
6579 out_free:
6580 	kfree(request);
6581 	return ERR_PTR(err);
6582 }
6583 
6584 static int nl80211_start_sched_scan(struct sk_buff *skb,
6585 				    struct genl_info *info)
6586 {
6587 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6588 	struct net_device *dev = info->user_ptr[1];
6589 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6590 	struct cfg80211_sched_scan_request *sched_scan_req;
6591 	int err;
6592 
6593 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
6594 	    !rdev->ops->sched_scan_start)
6595 		return -EOPNOTSUPP;
6596 
6597 	if (rdev->sched_scan_req)
6598 		return -EINPROGRESS;
6599 
6600 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
6601 						  info->attrs);
6602 
6603 	err = PTR_ERR_OR_ZERO(sched_scan_req);
6604 	if (err)
6605 		goto out_err;
6606 
6607 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
6608 	if (err)
6609 		goto out_free;
6610 
6611 	sched_scan_req->dev = dev;
6612 	sched_scan_req->wiphy = &rdev->wiphy;
6613 
6614 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6615 		sched_scan_req->owner_nlportid = info->snd_portid;
6616 
6617 	rcu_assign_pointer(rdev->sched_scan_req, sched_scan_req);
6618 
6619 	nl80211_send_sched_scan(rdev, dev,
6620 				NL80211_CMD_START_SCHED_SCAN);
6621 	return 0;
6622 
6623 out_free:
6624 	kfree(sched_scan_req);
6625 out_err:
6626 	return err;
6627 }
6628 
6629 static int nl80211_stop_sched_scan(struct sk_buff *skb,
6630 				   struct genl_info *info)
6631 {
6632 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6633 
6634 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
6635 	    !rdev->ops->sched_scan_stop)
6636 		return -EOPNOTSUPP;
6637 
6638 	return __cfg80211_stop_sched_scan(rdev, false);
6639 }
6640 
6641 static int nl80211_start_radar_detection(struct sk_buff *skb,
6642 					 struct genl_info *info)
6643 {
6644 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6645 	struct net_device *dev = info->user_ptr[1];
6646 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6647 	struct cfg80211_chan_def chandef;
6648 	enum nl80211_dfs_regions dfs_region;
6649 	unsigned int cac_time_ms;
6650 	int err;
6651 
6652 	dfs_region = reg_get_dfs_region(wdev->wiphy);
6653 	if (dfs_region == NL80211_DFS_UNSET)
6654 		return -EINVAL;
6655 
6656 	err = nl80211_parse_chandef(rdev, info, &chandef);
6657 	if (err)
6658 		return err;
6659 
6660 	if (netif_carrier_ok(dev))
6661 		return -EBUSY;
6662 
6663 	if (wdev->cac_started)
6664 		return -EBUSY;
6665 
6666 	err = cfg80211_chandef_dfs_required(wdev->wiphy, &chandef,
6667 					    wdev->iftype);
6668 	if (err < 0)
6669 		return err;
6670 
6671 	if (err == 0)
6672 		return -EINVAL;
6673 
6674 	if (!cfg80211_chandef_dfs_usable(wdev->wiphy, &chandef))
6675 		return -EINVAL;
6676 
6677 	if (!rdev->ops->start_radar_detection)
6678 		return -EOPNOTSUPP;
6679 
6680 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
6681 	if (WARN_ON(!cac_time_ms))
6682 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
6683 
6684 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
6685 	if (!err) {
6686 		wdev->chandef = chandef;
6687 		wdev->cac_started = true;
6688 		wdev->cac_start_time = jiffies;
6689 		wdev->cac_time_ms = cac_time_ms;
6690 	}
6691 	return err;
6692 }
6693 
6694 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
6695 {
6696 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6697 	struct net_device *dev = info->user_ptr[1];
6698 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6699 	struct cfg80211_csa_settings params;
6700 	/* csa_attrs is defined static to avoid waste of stack size - this
6701 	 * function is called under RTNL lock, so this should not be a problem.
6702 	 */
6703 	static struct nlattr *csa_attrs[NL80211_ATTR_MAX+1];
6704 	int err;
6705 	bool need_new_beacon = false;
6706 	int len, i;
6707 	u32 cs_count;
6708 
6709 	if (!rdev->ops->channel_switch ||
6710 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
6711 		return -EOPNOTSUPP;
6712 
6713 	switch (dev->ieee80211_ptr->iftype) {
6714 	case NL80211_IFTYPE_AP:
6715 	case NL80211_IFTYPE_P2P_GO:
6716 		need_new_beacon = true;
6717 
6718 		/* useless if AP is not running */
6719 		if (!wdev->beacon_interval)
6720 			return -ENOTCONN;
6721 		break;
6722 	case NL80211_IFTYPE_ADHOC:
6723 		if (!wdev->ssid_len)
6724 			return -ENOTCONN;
6725 		break;
6726 	case NL80211_IFTYPE_MESH_POINT:
6727 		if (!wdev->mesh_id_len)
6728 			return -ENOTCONN;
6729 		break;
6730 	default:
6731 		return -EOPNOTSUPP;
6732 	}
6733 
6734 	memset(&params, 0, sizeof(params));
6735 
6736 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
6737 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
6738 		return -EINVAL;
6739 
6740 	/* only important for AP, IBSS and mesh create IEs internally */
6741 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
6742 		return -EINVAL;
6743 
6744 	/* Even though the attribute is u32, the specification says
6745 	 * u8, so let's make sure we don't overflow.
6746 	 */
6747 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
6748 	if (cs_count > 255)
6749 		return -EINVAL;
6750 
6751 	params.count = cs_count;
6752 
6753 	if (!need_new_beacon)
6754 		goto skip_beacons;
6755 
6756 	err = nl80211_parse_beacon(info->attrs, &params.beacon_after);
6757 	if (err)
6758 		return err;
6759 
6760 	err = nla_parse_nested(csa_attrs, NL80211_ATTR_MAX,
6761 			       info->attrs[NL80211_ATTR_CSA_IES],
6762 			       nl80211_policy);
6763 	if (err)
6764 		return err;
6765 
6766 	err = nl80211_parse_beacon(csa_attrs, &params.beacon_csa);
6767 	if (err)
6768 		return err;
6769 
6770 	if (!csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON])
6771 		return -EINVAL;
6772 
6773 	len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
6774 	if (!len || (len % sizeof(u16)))
6775 		return -EINVAL;
6776 
6777 	params.n_counter_offsets_beacon = len / sizeof(u16);
6778 	if (rdev->wiphy.max_num_csa_counters &&
6779 	    (params.n_counter_offsets_beacon >
6780 	     rdev->wiphy.max_num_csa_counters))
6781 		return -EINVAL;
6782 
6783 	params.counter_offsets_beacon =
6784 		nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
6785 
6786 	/* sanity checks - counters should fit and be the same */
6787 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
6788 		u16 offset = params.counter_offsets_beacon[i];
6789 
6790 		if (offset >= params.beacon_csa.tail_len)
6791 			return -EINVAL;
6792 
6793 		if (params.beacon_csa.tail[offset] != params.count)
6794 			return -EINVAL;
6795 	}
6796 
6797 	if (csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]) {
6798 		len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
6799 		if (!len || (len % sizeof(u16)))
6800 			return -EINVAL;
6801 
6802 		params.n_counter_offsets_presp = len / sizeof(u16);
6803 		if (rdev->wiphy.max_num_csa_counters &&
6804 		    (params.n_counter_offsets_beacon >
6805 		     rdev->wiphy.max_num_csa_counters))
6806 			return -EINVAL;
6807 
6808 		params.counter_offsets_presp =
6809 			nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
6810 
6811 		/* sanity checks - counters should fit and be the same */
6812 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
6813 			u16 offset = params.counter_offsets_presp[i];
6814 
6815 			if (offset >= params.beacon_csa.probe_resp_len)
6816 				return -EINVAL;
6817 
6818 			if (params.beacon_csa.probe_resp[offset] !=
6819 			    params.count)
6820 				return -EINVAL;
6821 		}
6822 	}
6823 
6824 skip_beacons:
6825 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
6826 	if (err)
6827 		return err;
6828 
6829 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
6830 					   wdev->iftype))
6831 		return -EINVAL;
6832 
6833 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
6834 					    &params.chandef,
6835 					    wdev->iftype);
6836 	if (err < 0)
6837 		return err;
6838 
6839 	if (err > 0)
6840 		params.radar_required = true;
6841 
6842 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
6843 		params.block_tx = true;
6844 
6845 	wdev_lock(wdev);
6846 	err = rdev_channel_switch(rdev, dev, &params);
6847 	wdev_unlock(wdev);
6848 
6849 	return err;
6850 }
6851 
6852 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
6853 			    u32 seq, int flags,
6854 			    struct cfg80211_registered_device *rdev,
6855 			    struct wireless_dev *wdev,
6856 			    struct cfg80211_internal_bss *intbss)
6857 {
6858 	struct cfg80211_bss *res = &intbss->pub;
6859 	const struct cfg80211_bss_ies *ies;
6860 	void *hdr;
6861 	struct nlattr *bss;
6862 
6863 	ASSERT_WDEV_LOCK(wdev);
6864 
6865 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
6866 			     NL80211_CMD_NEW_SCAN_RESULTS);
6867 	if (!hdr)
6868 		return -1;
6869 
6870 	genl_dump_check_consistent(cb, hdr, &nl80211_fam);
6871 
6872 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
6873 		goto nla_put_failure;
6874 	if (wdev->netdev &&
6875 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
6876 		goto nla_put_failure;
6877 	if (nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
6878 		goto nla_put_failure;
6879 
6880 	bss = nla_nest_start(msg, NL80211_ATTR_BSS);
6881 	if (!bss)
6882 		goto nla_put_failure;
6883 	if ((!is_zero_ether_addr(res->bssid) &&
6884 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
6885 		goto nla_put_failure;
6886 
6887 	rcu_read_lock();
6888 	/* indicate whether we have probe response data or not */
6889 	if (rcu_access_pointer(res->proberesp_ies) &&
6890 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
6891 		goto fail_unlock_rcu;
6892 
6893 	/* this pointer prefers to be pointed to probe response data
6894 	 * but is always valid
6895 	 */
6896 	ies = rcu_dereference(res->ies);
6897 	if (ies) {
6898 		if (nla_put_u64(msg, NL80211_BSS_TSF, ies->tsf))
6899 			goto fail_unlock_rcu;
6900 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
6901 					ies->len, ies->data))
6902 			goto fail_unlock_rcu;
6903 	}
6904 
6905 	/* and this pointer is always (unless driver didn't know) beacon data */
6906 	ies = rcu_dereference(res->beacon_ies);
6907 	if (ies && ies->from_beacon) {
6908 		if (nla_put_u64(msg, NL80211_BSS_BEACON_TSF, ies->tsf))
6909 			goto fail_unlock_rcu;
6910 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
6911 					ies->len, ies->data))
6912 			goto fail_unlock_rcu;
6913 	}
6914 	rcu_read_unlock();
6915 
6916 	if (res->beacon_interval &&
6917 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
6918 		goto nla_put_failure;
6919 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
6920 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
6921 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
6922 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
6923 			jiffies_to_msecs(jiffies - intbss->ts)))
6924 		goto nla_put_failure;
6925 
6926 	if (intbss->ts_boottime &&
6927 	    nla_put_u64(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
6928 			intbss->ts_boottime))
6929 		goto nla_put_failure;
6930 
6931 	switch (rdev->wiphy.signal_type) {
6932 	case CFG80211_SIGNAL_TYPE_MBM:
6933 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
6934 			goto nla_put_failure;
6935 		break;
6936 	case CFG80211_SIGNAL_TYPE_UNSPEC:
6937 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
6938 			goto nla_put_failure;
6939 		break;
6940 	default:
6941 		break;
6942 	}
6943 
6944 	switch (wdev->iftype) {
6945 	case NL80211_IFTYPE_P2P_CLIENT:
6946 	case NL80211_IFTYPE_STATION:
6947 		if (intbss == wdev->current_bss &&
6948 		    nla_put_u32(msg, NL80211_BSS_STATUS,
6949 				NL80211_BSS_STATUS_ASSOCIATED))
6950 			goto nla_put_failure;
6951 		break;
6952 	case NL80211_IFTYPE_ADHOC:
6953 		if (intbss == wdev->current_bss &&
6954 		    nla_put_u32(msg, NL80211_BSS_STATUS,
6955 				NL80211_BSS_STATUS_IBSS_JOINED))
6956 			goto nla_put_failure;
6957 		break;
6958 	default:
6959 		break;
6960 	}
6961 
6962 	nla_nest_end(msg, bss);
6963 
6964 	genlmsg_end(msg, hdr);
6965 	return 0;
6966 
6967  fail_unlock_rcu:
6968 	rcu_read_unlock();
6969  nla_put_failure:
6970 	genlmsg_cancel(msg, hdr);
6971 	return -EMSGSIZE;
6972 }
6973 
6974 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
6975 {
6976 	struct cfg80211_registered_device *rdev;
6977 	struct cfg80211_internal_bss *scan;
6978 	struct wireless_dev *wdev;
6979 	int start = cb->args[2], idx = 0;
6980 	int err;
6981 
6982 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
6983 	if (err)
6984 		return err;
6985 
6986 	wdev_lock(wdev);
6987 	spin_lock_bh(&rdev->bss_lock);
6988 	cfg80211_bss_expire(rdev);
6989 
6990 	cb->seq = rdev->bss_generation;
6991 
6992 	list_for_each_entry(scan, &rdev->bss_list, list) {
6993 		if (++idx <= start)
6994 			continue;
6995 		if (nl80211_send_bss(skb, cb,
6996 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6997 				rdev, wdev, scan) < 0) {
6998 			idx--;
6999 			break;
7000 		}
7001 	}
7002 
7003 	spin_unlock_bh(&rdev->bss_lock);
7004 	wdev_unlock(wdev);
7005 
7006 	cb->args[2] = idx;
7007 	nl80211_finish_wdev_dump(rdev);
7008 
7009 	return skb->len;
7010 }
7011 
7012 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
7013 			       int flags, struct net_device *dev,
7014 			       bool allow_radio_stats,
7015 			       struct survey_info *survey)
7016 {
7017 	void *hdr;
7018 	struct nlattr *infoattr;
7019 
7020 	/* skip radio stats if userspace didn't request them */
7021 	if (!survey->channel && !allow_radio_stats)
7022 		return 0;
7023 
7024 	hdr = nl80211hdr_put(msg, portid, seq, flags,
7025 			     NL80211_CMD_NEW_SURVEY_RESULTS);
7026 	if (!hdr)
7027 		return -ENOMEM;
7028 
7029 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
7030 		goto nla_put_failure;
7031 
7032 	infoattr = nla_nest_start(msg, NL80211_ATTR_SURVEY_INFO);
7033 	if (!infoattr)
7034 		goto nla_put_failure;
7035 
7036 	if (survey->channel &&
7037 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
7038 			survey->channel->center_freq))
7039 		goto nla_put_failure;
7040 
7041 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
7042 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
7043 		goto nla_put_failure;
7044 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
7045 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
7046 		goto nla_put_failure;
7047 	if ((survey->filled & SURVEY_INFO_TIME) &&
7048 	    nla_put_u64(msg, NL80211_SURVEY_INFO_TIME,
7049 			survey->time))
7050 		goto nla_put_failure;
7051 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
7052 	    nla_put_u64(msg, NL80211_SURVEY_INFO_TIME_BUSY,
7053 			survey->time_busy))
7054 		goto nla_put_failure;
7055 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
7056 	    nla_put_u64(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
7057 			survey->time_ext_busy))
7058 		goto nla_put_failure;
7059 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
7060 	    nla_put_u64(msg, NL80211_SURVEY_INFO_TIME_RX,
7061 			survey->time_rx))
7062 		goto nla_put_failure;
7063 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
7064 	    nla_put_u64(msg, NL80211_SURVEY_INFO_TIME_TX,
7065 			survey->time_tx))
7066 		goto nla_put_failure;
7067 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
7068 	    nla_put_u64(msg, NL80211_SURVEY_INFO_TIME_SCAN,
7069 			survey->time_scan))
7070 		goto nla_put_failure;
7071 
7072 	nla_nest_end(msg, infoattr);
7073 
7074 	genlmsg_end(msg, hdr);
7075 	return 0;
7076 
7077  nla_put_failure:
7078 	genlmsg_cancel(msg, hdr);
7079 	return -EMSGSIZE;
7080 }
7081 
7082 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
7083 {
7084 	struct survey_info survey;
7085 	struct cfg80211_registered_device *rdev;
7086 	struct wireless_dev *wdev;
7087 	int survey_idx = cb->args[2];
7088 	int res;
7089 	bool radio_stats;
7090 
7091 	res = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
7092 	if (res)
7093 		return res;
7094 
7095 	/* prepare_wdev_dump parsed the attributes */
7096 	radio_stats = nl80211_fam.attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
7097 
7098 	if (!wdev->netdev) {
7099 		res = -EINVAL;
7100 		goto out_err;
7101 	}
7102 
7103 	if (!rdev->ops->dump_survey) {
7104 		res = -EOPNOTSUPP;
7105 		goto out_err;
7106 	}
7107 
7108 	while (1) {
7109 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
7110 		if (res == -ENOENT)
7111 			break;
7112 		if (res)
7113 			goto out_err;
7114 
7115 		/* don't send disabled channels, but do send non-channel data */
7116 		if (survey.channel &&
7117 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
7118 			survey_idx++;
7119 			continue;
7120 		}
7121 
7122 		if (nl80211_send_survey(skb,
7123 				NETLINK_CB(cb->skb).portid,
7124 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
7125 				wdev->netdev, radio_stats, &survey) < 0)
7126 			goto out;
7127 		survey_idx++;
7128 	}
7129 
7130  out:
7131 	cb->args[2] = survey_idx;
7132 	res = skb->len;
7133  out_err:
7134 	nl80211_finish_wdev_dump(rdev);
7135 	return res;
7136 }
7137 
7138 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
7139 {
7140 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
7141 				  NL80211_WPA_VERSION_2));
7142 }
7143 
7144 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
7145 {
7146 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7147 	struct net_device *dev = info->user_ptr[1];
7148 	struct ieee80211_channel *chan;
7149 	const u8 *bssid, *ssid, *ie = NULL, *sae_data = NULL;
7150 	int err, ssid_len, ie_len = 0, sae_data_len = 0;
7151 	enum nl80211_auth_type auth_type;
7152 	struct key_parse key;
7153 	bool local_state_change;
7154 
7155 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7156 		return -EINVAL;
7157 
7158 	if (!info->attrs[NL80211_ATTR_MAC])
7159 		return -EINVAL;
7160 
7161 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
7162 		return -EINVAL;
7163 
7164 	if (!info->attrs[NL80211_ATTR_SSID])
7165 		return -EINVAL;
7166 
7167 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
7168 		return -EINVAL;
7169 
7170 	err = nl80211_parse_key(info, &key);
7171 	if (err)
7172 		return err;
7173 
7174 	if (key.idx >= 0) {
7175 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
7176 			return -EINVAL;
7177 		if (!key.p.key || !key.p.key_len)
7178 			return -EINVAL;
7179 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
7180 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
7181 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
7182 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
7183 			return -EINVAL;
7184 		if (key.idx > 4)
7185 			return -EINVAL;
7186 	} else {
7187 		key.p.key_len = 0;
7188 		key.p.key = NULL;
7189 	}
7190 
7191 	if (key.idx >= 0) {
7192 		int i;
7193 		bool ok = false;
7194 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
7195 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
7196 				ok = true;
7197 				break;
7198 			}
7199 		}
7200 		if (!ok)
7201 			return -EINVAL;
7202 	}
7203 
7204 	if (!rdev->ops->auth)
7205 		return -EOPNOTSUPP;
7206 
7207 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7208 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7209 		return -EOPNOTSUPP;
7210 
7211 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7212 	chan = nl80211_get_valid_chan(&rdev->wiphy,
7213 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
7214 	if (!chan)
7215 		return -EINVAL;
7216 
7217 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
7218 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
7219 
7220 	if (info->attrs[NL80211_ATTR_IE]) {
7221 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7222 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7223 	}
7224 
7225 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
7226 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
7227 		return -EINVAL;
7228 
7229 	if (auth_type == NL80211_AUTHTYPE_SAE &&
7230 	    !info->attrs[NL80211_ATTR_SAE_DATA])
7231 		return -EINVAL;
7232 
7233 	if (info->attrs[NL80211_ATTR_SAE_DATA]) {
7234 		if (auth_type != NL80211_AUTHTYPE_SAE)
7235 			return -EINVAL;
7236 		sae_data = nla_data(info->attrs[NL80211_ATTR_SAE_DATA]);
7237 		sae_data_len = nla_len(info->attrs[NL80211_ATTR_SAE_DATA]);
7238 		/* need to include at least Auth Transaction and Status Code */
7239 		if (sae_data_len < 4)
7240 			return -EINVAL;
7241 	}
7242 
7243 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
7244 
7245 	/*
7246 	 * Since we no longer track auth state, ignore
7247 	 * requests to only change local state.
7248 	 */
7249 	if (local_state_change)
7250 		return 0;
7251 
7252 	wdev_lock(dev->ieee80211_ptr);
7253 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
7254 				 ssid, ssid_len, ie, ie_len,
7255 				 key.p.key, key.p.key_len, key.idx,
7256 				 sae_data, sae_data_len);
7257 	wdev_unlock(dev->ieee80211_ptr);
7258 	return err;
7259 }
7260 
7261 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
7262 				   struct genl_info *info,
7263 				   struct cfg80211_crypto_settings *settings,
7264 				   int cipher_limit)
7265 {
7266 	memset(settings, 0, sizeof(*settings));
7267 
7268 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
7269 
7270 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
7271 		u16 proto;
7272 		proto = nla_get_u16(
7273 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
7274 		settings->control_port_ethertype = cpu_to_be16(proto);
7275 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
7276 		    proto != ETH_P_PAE)
7277 			return -EINVAL;
7278 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
7279 			settings->control_port_no_encrypt = true;
7280 	} else
7281 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
7282 
7283 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
7284 		void *data;
7285 		int len, i;
7286 
7287 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
7288 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
7289 		settings->n_ciphers_pairwise = len / sizeof(u32);
7290 
7291 		if (len % sizeof(u32))
7292 			return -EINVAL;
7293 
7294 		if (settings->n_ciphers_pairwise > cipher_limit)
7295 			return -EINVAL;
7296 
7297 		memcpy(settings->ciphers_pairwise, data, len);
7298 
7299 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
7300 			if (!cfg80211_supported_cipher_suite(
7301 					&rdev->wiphy,
7302 					settings->ciphers_pairwise[i]))
7303 				return -EINVAL;
7304 	}
7305 
7306 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
7307 		settings->cipher_group =
7308 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
7309 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
7310 						     settings->cipher_group))
7311 			return -EINVAL;
7312 	}
7313 
7314 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
7315 		settings->wpa_versions =
7316 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
7317 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
7318 			return -EINVAL;
7319 	}
7320 
7321 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
7322 		void *data;
7323 		int len;
7324 
7325 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
7326 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
7327 		settings->n_akm_suites = len / sizeof(u32);
7328 
7329 		if (len % sizeof(u32))
7330 			return -EINVAL;
7331 
7332 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
7333 			return -EINVAL;
7334 
7335 		memcpy(settings->akm_suites, data, len);
7336 	}
7337 
7338 	return 0;
7339 }
7340 
7341 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
7342 {
7343 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7344 	struct net_device *dev = info->user_ptr[1];
7345 	struct ieee80211_channel *chan;
7346 	struct cfg80211_assoc_request req = {};
7347 	const u8 *bssid, *ssid;
7348 	int err, ssid_len = 0;
7349 
7350 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7351 		return -EINVAL;
7352 
7353 	if (!info->attrs[NL80211_ATTR_MAC] ||
7354 	    !info->attrs[NL80211_ATTR_SSID] ||
7355 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
7356 		return -EINVAL;
7357 
7358 	if (!rdev->ops->assoc)
7359 		return -EOPNOTSUPP;
7360 
7361 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7362 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7363 		return -EOPNOTSUPP;
7364 
7365 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7366 
7367 	chan = nl80211_get_valid_chan(&rdev->wiphy,
7368 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
7369 	if (!chan)
7370 		return -EINVAL;
7371 
7372 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
7373 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
7374 
7375 	if (info->attrs[NL80211_ATTR_IE]) {
7376 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7377 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7378 	}
7379 
7380 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
7381 		enum nl80211_mfp mfp =
7382 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
7383 		if (mfp == NL80211_MFP_REQUIRED)
7384 			req.use_mfp = true;
7385 		else if (mfp != NL80211_MFP_NO)
7386 			return -EINVAL;
7387 	}
7388 
7389 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
7390 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
7391 
7392 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
7393 		req.flags |= ASSOC_REQ_DISABLE_HT;
7394 
7395 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7396 		memcpy(&req.ht_capa_mask,
7397 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
7398 		       sizeof(req.ht_capa_mask));
7399 
7400 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
7401 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7402 			return -EINVAL;
7403 		memcpy(&req.ht_capa,
7404 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
7405 		       sizeof(req.ht_capa));
7406 	}
7407 
7408 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
7409 		req.flags |= ASSOC_REQ_DISABLE_VHT;
7410 
7411 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
7412 		memcpy(&req.vht_capa_mask,
7413 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
7414 		       sizeof(req.vht_capa_mask));
7415 
7416 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
7417 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
7418 			return -EINVAL;
7419 		memcpy(&req.vht_capa,
7420 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
7421 		       sizeof(req.vht_capa));
7422 	}
7423 
7424 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
7425 		if (!((rdev->wiphy.features &
7426 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
7427 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
7428 		    !wiphy_ext_feature_isset(&rdev->wiphy,
7429 					     NL80211_EXT_FEATURE_RRM))
7430 			return -EINVAL;
7431 		req.flags |= ASSOC_REQ_USE_RRM;
7432 	}
7433 
7434 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
7435 	if (!err) {
7436 		wdev_lock(dev->ieee80211_ptr);
7437 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
7438 					  ssid, ssid_len, &req);
7439 		wdev_unlock(dev->ieee80211_ptr);
7440 	}
7441 
7442 	return err;
7443 }
7444 
7445 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
7446 {
7447 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7448 	struct net_device *dev = info->user_ptr[1];
7449 	const u8 *ie = NULL, *bssid;
7450 	int ie_len = 0, err;
7451 	u16 reason_code;
7452 	bool local_state_change;
7453 
7454 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7455 		return -EINVAL;
7456 
7457 	if (!info->attrs[NL80211_ATTR_MAC])
7458 		return -EINVAL;
7459 
7460 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
7461 		return -EINVAL;
7462 
7463 	if (!rdev->ops->deauth)
7464 		return -EOPNOTSUPP;
7465 
7466 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7467 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7468 		return -EOPNOTSUPP;
7469 
7470 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7471 
7472 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7473 	if (reason_code == 0) {
7474 		/* Reason Code 0 is reserved */
7475 		return -EINVAL;
7476 	}
7477 
7478 	if (info->attrs[NL80211_ATTR_IE]) {
7479 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7480 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7481 	}
7482 
7483 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
7484 
7485 	wdev_lock(dev->ieee80211_ptr);
7486 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
7487 				   local_state_change);
7488 	wdev_unlock(dev->ieee80211_ptr);
7489 	return err;
7490 }
7491 
7492 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
7493 {
7494 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7495 	struct net_device *dev = info->user_ptr[1];
7496 	const u8 *ie = NULL, *bssid;
7497 	int ie_len = 0, err;
7498 	u16 reason_code;
7499 	bool local_state_change;
7500 
7501 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7502 		return -EINVAL;
7503 
7504 	if (!info->attrs[NL80211_ATTR_MAC])
7505 		return -EINVAL;
7506 
7507 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
7508 		return -EINVAL;
7509 
7510 	if (!rdev->ops->disassoc)
7511 		return -EOPNOTSUPP;
7512 
7513 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7514 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7515 		return -EOPNOTSUPP;
7516 
7517 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7518 
7519 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7520 	if (reason_code == 0) {
7521 		/* Reason Code 0 is reserved */
7522 		return -EINVAL;
7523 	}
7524 
7525 	if (info->attrs[NL80211_ATTR_IE]) {
7526 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7527 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7528 	}
7529 
7530 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
7531 
7532 	wdev_lock(dev->ieee80211_ptr);
7533 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
7534 				     local_state_change);
7535 	wdev_unlock(dev->ieee80211_ptr);
7536 	return err;
7537 }
7538 
7539 static bool
7540 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
7541 			 int mcast_rate[IEEE80211_NUM_BANDS],
7542 			 int rateval)
7543 {
7544 	struct wiphy *wiphy = &rdev->wiphy;
7545 	bool found = false;
7546 	int band, i;
7547 
7548 	for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
7549 		struct ieee80211_supported_band *sband;
7550 
7551 		sband = wiphy->bands[band];
7552 		if (!sband)
7553 			continue;
7554 
7555 		for (i = 0; i < sband->n_bitrates; i++) {
7556 			if (sband->bitrates[i].bitrate == rateval) {
7557 				mcast_rate[band] = i + 1;
7558 				found = true;
7559 				break;
7560 			}
7561 		}
7562 	}
7563 
7564 	return found;
7565 }
7566 
7567 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
7568 {
7569 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7570 	struct net_device *dev = info->user_ptr[1];
7571 	struct cfg80211_ibss_params ibss;
7572 	struct wiphy *wiphy;
7573 	struct cfg80211_cached_keys *connkeys = NULL;
7574 	int err;
7575 
7576 	memset(&ibss, 0, sizeof(ibss));
7577 
7578 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7579 		return -EINVAL;
7580 
7581 	if (!info->attrs[NL80211_ATTR_SSID] ||
7582 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
7583 		return -EINVAL;
7584 
7585 	ibss.beacon_interval = 100;
7586 
7587 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
7588 		ibss.beacon_interval =
7589 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
7590 		if (ibss.beacon_interval < 1 || ibss.beacon_interval > 10000)
7591 			return -EINVAL;
7592 	}
7593 
7594 	if (!rdev->ops->join_ibss)
7595 		return -EOPNOTSUPP;
7596 
7597 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
7598 		return -EOPNOTSUPP;
7599 
7600 	wiphy = &rdev->wiphy;
7601 
7602 	if (info->attrs[NL80211_ATTR_MAC]) {
7603 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7604 
7605 		if (!is_valid_ether_addr(ibss.bssid))
7606 			return -EINVAL;
7607 	}
7608 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
7609 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
7610 
7611 	if (info->attrs[NL80211_ATTR_IE]) {
7612 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7613 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7614 	}
7615 
7616 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
7617 	if (err)
7618 		return err;
7619 
7620 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
7621 				     NL80211_IFTYPE_ADHOC))
7622 		return -EINVAL;
7623 
7624 	switch (ibss.chandef.width) {
7625 	case NL80211_CHAN_WIDTH_5:
7626 	case NL80211_CHAN_WIDTH_10:
7627 	case NL80211_CHAN_WIDTH_20_NOHT:
7628 		break;
7629 	case NL80211_CHAN_WIDTH_20:
7630 	case NL80211_CHAN_WIDTH_40:
7631 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
7632 			return -EINVAL;
7633 		break;
7634 	case NL80211_CHAN_WIDTH_80:
7635 	case NL80211_CHAN_WIDTH_80P80:
7636 	case NL80211_CHAN_WIDTH_160:
7637 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
7638 			return -EINVAL;
7639 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
7640 					     NL80211_EXT_FEATURE_VHT_IBSS))
7641 			return -EINVAL;
7642 		break;
7643 	default:
7644 		return -EINVAL;
7645 	}
7646 
7647 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
7648 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
7649 
7650 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
7651 		u8 *rates =
7652 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7653 		int n_rates =
7654 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7655 		struct ieee80211_supported_band *sband =
7656 			wiphy->bands[ibss.chandef.chan->band];
7657 
7658 		err = ieee80211_get_ratemask(sband, rates, n_rates,
7659 					     &ibss.basic_rates);
7660 		if (err)
7661 			return err;
7662 	}
7663 
7664 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7665 		memcpy(&ibss.ht_capa_mask,
7666 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
7667 		       sizeof(ibss.ht_capa_mask));
7668 
7669 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
7670 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7671 			return -EINVAL;
7672 		memcpy(&ibss.ht_capa,
7673 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
7674 		       sizeof(ibss.ht_capa));
7675 	}
7676 
7677 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
7678 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
7679 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
7680 		return -EINVAL;
7681 
7682 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
7683 		bool no_ht = false;
7684 
7685 		connkeys = nl80211_parse_connkeys(rdev,
7686 					  info->attrs[NL80211_ATTR_KEYS],
7687 					  &no_ht);
7688 		if (IS_ERR(connkeys))
7689 			return PTR_ERR(connkeys);
7690 
7691 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
7692 		    no_ht) {
7693 			kzfree(connkeys);
7694 			return -EINVAL;
7695 		}
7696 	}
7697 
7698 	ibss.control_port =
7699 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
7700 
7701 	ibss.userspace_handles_dfs =
7702 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
7703 
7704 	err = cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
7705 	if (err)
7706 		kzfree(connkeys);
7707 	return err;
7708 }
7709 
7710 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
7711 {
7712 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7713 	struct net_device *dev = info->user_ptr[1];
7714 
7715 	if (!rdev->ops->leave_ibss)
7716 		return -EOPNOTSUPP;
7717 
7718 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
7719 		return -EOPNOTSUPP;
7720 
7721 	return cfg80211_leave_ibss(rdev, dev, false);
7722 }
7723 
7724 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
7725 {
7726 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7727 	struct net_device *dev = info->user_ptr[1];
7728 	int mcast_rate[IEEE80211_NUM_BANDS];
7729 	u32 nla_rate;
7730 	int err;
7731 
7732 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
7733 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
7734 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
7735 		return -EOPNOTSUPP;
7736 
7737 	if (!rdev->ops->set_mcast_rate)
7738 		return -EOPNOTSUPP;
7739 
7740 	memset(mcast_rate, 0, sizeof(mcast_rate));
7741 
7742 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
7743 		return -EINVAL;
7744 
7745 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
7746 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
7747 		return -EINVAL;
7748 
7749 	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
7750 
7751 	return err;
7752 }
7753 
7754 static struct sk_buff *
7755 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
7756 			    struct wireless_dev *wdev, int approxlen,
7757 			    u32 portid, u32 seq, enum nl80211_commands cmd,
7758 			    enum nl80211_attrs attr,
7759 			    const struct nl80211_vendor_cmd_info *info,
7760 			    gfp_t gfp)
7761 {
7762 	struct sk_buff *skb;
7763 	void *hdr;
7764 	struct nlattr *data;
7765 
7766 	skb = nlmsg_new(approxlen + 100, gfp);
7767 	if (!skb)
7768 		return NULL;
7769 
7770 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
7771 	if (!hdr) {
7772 		kfree_skb(skb);
7773 		return NULL;
7774 	}
7775 
7776 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
7777 		goto nla_put_failure;
7778 
7779 	if (info) {
7780 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
7781 				info->vendor_id))
7782 			goto nla_put_failure;
7783 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
7784 				info->subcmd))
7785 			goto nla_put_failure;
7786 	}
7787 
7788 	if (wdev) {
7789 		if (nla_put_u64(skb, NL80211_ATTR_WDEV,
7790 				wdev_id(wdev)))
7791 			goto nla_put_failure;
7792 		if (wdev->netdev &&
7793 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
7794 				wdev->netdev->ifindex))
7795 			goto nla_put_failure;
7796 	}
7797 
7798 	data = nla_nest_start(skb, attr);
7799 
7800 	((void **)skb->cb)[0] = rdev;
7801 	((void **)skb->cb)[1] = hdr;
7802 	((void **)skb->cb)[2] = data;
7803 
7804 	return skb;
7805 
7806  nla_put_failure:
7807 	kfree_skb(skb);
7808 	return NULL;
7809 }
7810 
7811 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
7812 					   struct wireless_dev *wdev,
7813 					   enum nl80211_commands cmd,
7814 					   enum nl80211_attrs attr,
7815 					   int vendor_event_idx,
7816 					   int approxlen, gfp_t gfp)
7817 {
7818 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
7819 	const struct nl80211_vendor_cmd_info *info;
7820 
7821 	switch (cmd) {
7822 	case NL80211_CMD_TESTMODE:
7823 		if (WARN_ON(vendor_event_idx != -1))
7824 			return NULL;
7825 		info = NULL;
7826 		break;
7827 	case NL80211_CMD_VENDOR:
7828 		if (WARN_ON(vendor_event_idx < 0 ||
7829 			    vendor_event_idx >= wiphy->n_vendor_events))
7830 			return NULL;
7831 		info = &wiphy->vendor_events[vendor_event_idx];
7832 		break;
7833 	default:
7834 		WARN_ON(1);
7835 		return NULL;
7836 	}
7837 
7838 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, 0, 0,
7839 					   cmd, attr, info, gfp);
7840 }
7841 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
7842 
7843 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
7844 {
7845 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
7846 	void *hdr = ((void **)skb->cb)[1];
7847 	struct nlattr *data = ((void **)skb->cb)[2];
7848 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
7849 
7850 	/* clear CB data for netlink core to own from now on */
7851 	memset(skb->cb, 0, sizeof(skb->cb));
7852 
7853 	nla_nest_end(skb, data);
7854 	genlmsg_end(skb, hdr);
7855 
7856 	if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
7857 		mcgrp = NL80211_MCGRP_VENDOR;
7858 
7859 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), skb, 0,
7860 				mcgrp, gfp);
7861 }
7862 EXPORT_SYMBOL(__cfg80211_send_event_skb);
7863 
7864 #ifdef CONFIG_NL80211_TESTMODE
7865 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
7866 {
7867 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7868 	struct wireless_dev *wdev =
7869 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
7870 	int err;
7871 
7872 	if (!rdev->ops->testmode_cmd)
7873 		return -EOPNOTSUPP;
7874 
7875 	if (IS_ERR(wdev)) {
7876 		err = PTR_ERR(wdev);
7877 		if (err != -EINVAL)
7878 			return err;
7879 		wdev = NULL;
7880 	} else if (wdev->wiphy != &rdev->wiphy) {
7881 		return -EINVAL;
7882 	}
7883 
7884 	if (!info->attrs[NL80211_ATTR_TESTDATA])
7885 		return -EINVAL;
7886 
7887 	rdev->cur_cmd_info = info;
7888 	err = rdev_testmode_cmd(rdev, wdev,
7889 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
7890 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
7891 	rdev->cur_cmd_info = NULL;
7892 
7893 	return err;
7894 }
7895 
7896 static int nl80211_testmode_dump(struct sk_buff *skb,
7897 				 struct netlink_callback *cb)
7898 {
7899 	struct cfg80211_registered_device *rdev;
7900 	int err;
7901 	long phy_idx;
7902 	void *data = NULL;
7903 	int data_len = 0;
7904 
7905 	rtnl_lock();
7906 
7907 	if (cb->args[0]) {
7908 		/*
7909 		 * 0 is a valid index, but not valid for args[0],
7910 		 * so we need to offset by 1.
7911 		 */
7912 		phy_idx = cb->args[0] - 1;
7913 	} else {
7914 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
7915 				  nl80211_fam.attrbuf, nl80211_fam.maxattr,
7916 				  nl80211_policy);
7917 		if (err)
7918 			goto out_err;
7919 
7920 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk),
7921 						  nl80211_fam.attrbuf);
7922 		if (IS_ERR(rdev)) {
7923 			err = PTR_ERR(rdev);
7924 			goto out_err;
7925 		}
7926 		phy_idx = rdev->wiphy_idx;
7927 		rdev = NULL;
7928 
7929 		if (nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA])
7930 			cb->args[1] =
7931 				(long)nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA];
7932 	}
7933 
7934 	if (cb->args[1]) {
7935 		data = nla_data((void *)cb->args[1]);
7936 		data_len = nla_len((void *)cb->args[1]);
7937 	}
7938 
7939 	rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
7940 	if (!rdev) {
7941 		err = -ENOENT;
7942 		goto out_err;
7943 	}
7944 
7945 	if (!rdev->ops->testmode_dump) {
7946 		err = -EOPNOTSUPP;
7947 		goto out_err;
7948 	}
7949 
7950 	while (1) {
7951 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
7952 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
7953 					   NL80211_CMD_TESTMODE);
7954 		struct nlattr *tmdata;
7955 
7956 		if (!hdr)
7957 			break;
7958 
7959 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
7960 			genlmsg_cancel(skb, hdr);
7961 			break;
7962 		}
7963 
7964 		tmdata = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
7965 		if (!tmdata) {
7966 			genlmsg_cancel(skb, hdr);
7967 			break;
7968 		}
7969 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
7970 		nla_nest_end(skb, tmdata);
7971 
7972 		if (err == -ENOBUFS || err == -ENOENT) {
7973 			genlmsg_cancel(skb, hdr);
7974 			break;
7975 		} else if (err) {
7976 			genlmsg_cancel(skb, hdr);
7977 			goto out_err;
7978 		}
7979 
7980 		genlmsg_end(skb, hdr);
7981 	}
7982 
7983 	err = skb->len;
7984 	/* see above */
7985 	cb->args[0] = phy_idx + 1;
7986  out_err:
7987 	rtnl_unlock();
7988 	return err;
7989 }
7990 #endif
7991 
7992 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
7993 {
7994 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7995 	struct net_device *dev = info->user_ptr[1];
7996 	struct cfg80211_connect_params connect;
7997 	struct wiphy *wiphy;
7998 	struct cfg80211_cached_keys *connkeys = NULL;
7999 	int err;
8000 
8001 	memset(&connect, 0, sizeof(connect));
8002 
8003 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
8004 		return -EINVAL;
8005 
8006 	if (!info->attrs[NL80211_ATTR_SSID] ||
8007 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
8008 		return -EINVAL;
8009 
8010 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
8011 		connect.auth_type =
8012 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
8013 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
8014 					     NL80211_CMD_CONNECT))
8015 			return -EINVAL;
8016 	} else
8017 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
8018 
8019 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
8020 
8021 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
8022 				      NL80211_MAX_NR_CIPHER_SUITES);
8023 	if (err)
8024 		return err;
8025 
8026 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8027 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8028 		return -EOPNOTSUPP;
8029 
8030 	wiphy = &rdev->wiphy;
8031 
8032 	connect.bg_scan_period = -1;
8033 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
8034 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
8035 		connect.bg_scan_period =
8036 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
8037 	}
8038 
8039 	if (info->attrs[NL80211_ATTR_MAC])
8040 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8041 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
8042 		connect.bssid_hint =
8043 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
8044 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
8045 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
8046 
8047 	if (info->attrs[NL80211_ATTR_IE]) {
8048 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8049 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8050 	}
8051 
8052 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
8053 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
8054 		if (connect.mfp != NL80211_MFP_REQUIRED &&
8055 		    connect.mfp != NL80211_MFP_NO)
8056 			return -EINVAL;
8057 	} else {
8058 		connect.mfp = NL80211_MFP_NO;
8059 	}
8060 
8061 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
8062 		connect.prev_bssid =
8063 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
8064 
8065 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
8066 		connect.channel = nl80211_get_valid_chan(
8067 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ]);
8068 		if (!connect.channel)
8069 			return -EINVAL;
8070 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
8071 		connect.channel_hint = nl80211_get_valid_chan(
8072 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
8073 		if (!connect.channel_hint)
8074 			return -EINVAL;
8075 	}
8076 
8077 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
8078 		connkeys = nl80211_parse_connkeys(rdev,
8079 					  info->attrs[NL80211_ATTR_KEYS], NULL);
8080 		if (IS_ERR(connkeys))
8081 			return PTR_ERR(connkeys);
8082 	}
8083 
8084 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
8085 		connect.flags |= ASSOC_REQ_DISABLE_HT;
8086 
8087 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
8088 		memcpy(&connect.ht_capa_mask,
8089 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
8090 		       sizeof(connect.ht_capa_mask));
8091 
8092 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
8093 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
8094 			kzfree(connkeys);
8095 			return -EINVAL;
8096 		}
8097 		memcpy(&connect.ht_capa,
8098 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
8099 		       sizeof(connect.ht_capa));
8100 	}
8101 
8102 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
8103 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
8104 
8105 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
8106 		memcpy(&connect.vht_capa_mask,
8107 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
8108 		       sizeof(connect.vht_capa_mask));
8109 
8110 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
8111 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
8112 			kzfree(connkeys);
8113 			return -EINVAL;
8114 		}
8115 		memcpy(&connect.vht_capa,
8116 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
8117 		       sizeof(connect.vht_capa));
8118 	}
8119 
8120 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
8121 		if (!((rdev->wiphy.features &
8122 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
8123 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
8124 		    !wiphy_ext_feature_isset(&rdev->wiphy,
8125 					     NL80211_EXT_FEATURE_RRM)) {
8126 			kzfree(connkeys);
8127 			return -EINVAL;
8128 		}
8129 		connect.flags |= ASSOC_REQ_USE_RRM;
8130 	}
8131 
8132 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
8133 	if (connect.pbss && !rdev->wiphy.bands[IEEE80211_BAND_60GHZ]) {
8134 		kzfree(connkeys);
8135 		return -EOPNOTSUPP;
8136 	}
8137 
8138 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
8139 		/* bss selection makes no sense if bssid is set */
8140 		if (connect.bssid) {
8141 			kzfree(connkeys);
8142 			return -EINVAL;
8143 		}
8144 
8145 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
8146 				       wiphy, &connect.bss_select);
8147 		if (err) {
8148 			kzfree(connkeys);
8149 			return err;
8150 		}
8151 	}
8152 
8153 	wdev_lock(dev->ieee80211_ptr);
8154 	err = cfg80211_connect(rdev, dev, &connect, connkeys, NULL);
8155 	wdev_unlock(dev->ieee80211_ptr);
8156 	if (err)
8157 		kzfree(connkeys);
8158 	return err;
8159 }
8160 
8161 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
8162 {
8163 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8164 	struct net_device *dev = info->user_ptr[1];
8165 	u16 reason;
8166 	int ret;
8167 
8168 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
8169 		reason = WLAN_REASON_DEAUTH_LEAVING;
8170 	else
8171 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
8172 
8173 	if (reason == 0)
8174 		return -EINVAL;
8175 
8176 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8177 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8178 		return -EOPNOTSUPP;
8179 
8180 	wdev_lock(dev->ieee80211_ptr);
8181 	ret = cfg80211_disconnect(rdev, dev, reason, true);
8182 	wdev_unlock(dev->ieee80211_ptr);
8183 	return ret;
8184 }
8185 
8186 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
8187 {
8188 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8189 	struct net *net;
8190 	int err;
8191 
8192 	if (info->attrs[NL80211_ATTR_PID]) {
8193 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
8194 
8195 		net = get_net_ns_by_pid(pid);
8196 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
8197 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
8198 
8199 		net = get_net_ns_by_fd(fd);
8200 	} else {
8201 		return -EINVAL;
8202 	}
8203 
8204 	if (IS_ERR(net))
8205 		return PTR_ERR(net);
8206 
8207 	err = 0;
8208 
8209 	/* check if anything to do */
8210 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
8211 		err = cfg80211_switch_netns(rdev, net);
8212 
8213 	put_net(net);
8214 	return err;
8215 }
8216 
8217 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
8218 {
8219 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8220 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
8221 			struct cfg80211_pmksa *pmksa) = NULL;
8222 	struct net_device *dev = info->user_ptr[1];
8223 	struct cfg80211_pmksa pmksa;
8224 
8225 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
8226 
8227 	if (!info->attrs[NL80211_ATTR_MAC])
8228 		return -EINVAL;
8229 
8230 	if (!info->attrs[NL80211_ATTR_PMKID])
8231 		return -EINVAL;
8232 
8233 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
8234 	pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8235 
8236 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8237 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8238 		return -EOPNOTSUPP;
8239 
8240 	switch (info->genlhdr->cmd) {
8241 	case NL80211_CMD_SET_PMKSA:
8242 		rdev_ops = rdev->ops->set_pmksa;
8243 		break;
8244 	case NL80211_CMD_DEL_PMKSA:
8245 		rdev_ops = rdev->ops->del_pmksa;
8246 		break;
8247 	default:
8248 		WARN_ON(1);
8249 		break;
8250 	}
8251 
8252 	if (!rdev_ops)
8253 		return -EOPNOTSUPP;
8254 
8255 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
8256 }
8257 
8258 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
8259 {
8260 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8261 	struct net_device *dev = info->user_ptr[1];
8262 
8263 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8264 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8265 		return -EOPNOTSUPP;
8266 
8267 	if (!rdev->ops->flush_pmksa)
8268 		return -EOPNOTSUPP;
8269 
8270 	return rdev_flush_pmksa(rdev, dev);
8271 }
8272 
8273 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
8274 {
8275 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8276 	struct net_device *dev = info->user_ptr[1];
8277 	u8 action_code, dialog_token;
8278 	u32 peer_capability = 0;
8279 	u16 status_code;
8280 	u8 *peer;
8281 	bool initiator;
8282 
8283 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
8284 	    !rdev->ops->tdls_mgmt)
8285 		return -EOPNOTSUPP;
8286 
8287 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
8288 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
8289 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
8290 	    !info->attrs[NL80211_ATTR_IE] ||
8291 	    !info->attrs[NL80211_ATTR_MAC])
8292 		return -EINVAL;
8293 
8294 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
8295 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
8296 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
8297 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
8298 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
8299 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
8300 		peer_capability =
8301 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
8302 
8303 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
8304 			      dialog_token, status_code, peer_capability,
8305 			      initiator,
8306 			      nla_data(info->attrs[NL80211_ATTR_IE]),
8307 			      nla_len(info->attrs[NL80211_ATTR_IE]));
8308 }
8309 
8310 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
8311 {
8312 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8313 	struct net_device *dev = info->user_ptr[1];
8314 	enum nl80211_tdls_operation operation;
8315 	u8 *peer;
8316 
8317 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
8318 	    !rdev->ops->tdls_oper)
8319 		return -EOPNOTSUPP;
8320 
8321 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
8322 	    !info->attrs[NL80211_ATTR_MAC])
8323 		return -EINVAL;
8324 
8325 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
8326 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
8327 
8328 	return rdev_tdls_oper(rdev, dev, peer, operation);
8329 }
8330 
8331 static int nl80211_remain_on_channel(struct sk_buff *skb,
8332 				     struct genl_info *info)
8333 {
8334 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8335 	struct wireless_dev *wdev = info->user_ptr[1];
8336 	struct cfg80211_chan_def chandef;
8337 	struct sk_buff *msg;
8338 	void *hdr;
8339 	u64 cookie;
8340 	u32 duration;
8341 	int err;
8342 
8343 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
8344 	    !info->attrs[NL80211_ATTR_DURATION])
8345 		return -EINVAL;
8346 
8347 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
8348 
8349 	if (!rdev->ops->remain_on_channel ||
8350 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
8351 		return -EOPNOTSUPP;
8352 
8353 	/*
8354 	 * We should be on that channel for at least a minimum amount of
8355 	 * time (10ms) but no longer than the driver supports.
8356 	 */
8357 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
8358 	    duration > rdev->wiphy.max_remain_on_channel_duration)
8359 		return -EINVAL;
8360 
8361 	err = nl80211_parse_chandef(rdev, info, &chandef);
8362 	if (err)
8363 		return err;
8364 
8365 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8366 	if (!msg)
8367 		return -ENOMEM;
8368 
8369 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8370 			     NL80211_CMD_REMAIN_ON_CHANNEL);
8371 	if (!hdr) {
8372 		err = -ENOBUFS;
8373 		goto free_msg;
8374 	}
8375 
8376 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
8377 				     duration, &cookie);
8378 
8379 	if (err)
8380 		goto free_msg;
8381 
8382 	if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
8383 		goto nla_put_failure;
8384 
8385 	genlmsg_end(msg, hdr);
8386 
8387 	return genlmsg_reply(msg, info);
8388 
8389  nla_put_failure:
8390 	err = -ENOBUFS;
8391  free_msg:
8392 	nlmsg_free(msg);
8393 	return err;
8394 }
8395 
8396 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
8397 					    struct genl_info *info)
8398 {
8399 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8400 	struct wireless_dev *wdev = info->user_ptr[1];
8401 	u64 cookie;
8402 
8403 	if (!info->attrs[NL80211_ATTR_COOKIE])
8404 		return -EINVAL;
8405 
8406 	if (!rdev->ops->cancel_remain_on_channel)
8407 		return -EOPNOTSUPP;
8408 
8409 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
8410 
8411 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
8412 }
8413 
8414 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
8415 			   u8 *rates, u8 rates_len)
8416 {
8417 	u8 i;
8418 	u32 mask = 0;
8419 
8420 	for (i = 0; i < rates_len; i++) {
8421 		int rate = (rates[i] & 0x7f) * 5;
8422 		int ridx;
8423 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
8424 			struct ieee80211_rate *srate =
8425 				&sband->bitrates[ridx];
8426 			if (rate == srate->bitrate) {
8427 				mask |= 1 << ridx;
8428 				break;
8429 			}
8430 		}
8431 		if (ridx == sband->n_bitrates)
8432 			return 0; /* rate not found */
8433 	}
8434 
8435 	return mask;
8436 }
8437 
8438 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
8439 			       u8 *rates, u8 rates_len,
8440 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
8441 {
8442 	u8 i;
8443 
8444 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
8445 
8446 	for (i = 0; i < rates_len; i++) {
8447 		int ridx, rbit;
8448 
8449 		ridx = rates[i] / 8;
8450 		rbit = BIT(rates[i] % 8);
8451 
8452 		/* check validity */
8453 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
8454 			return false;
8455 
8456 		/* check availability */
8457 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
8458 			mcs[ridx] |= rbit;
8459 		else
8460 			return false;
8461 	}
8462 
8463 	return true;
8464 }
8465 
8466 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
8467 {
8468 	u16 mcs_mask = 0;
8469 
8470 	switch (vht_mcs_map) {
8471 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
8472 		break;
8473 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
8474 		mcs_mask = 0x00FF;
8475 		break;
8476 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
8477 		mcs_mask = 0x01FF;
8478 		break;
8479 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
8480 		mcs_mask = 0x03FF;
8481 		break;
8482 	default:
8483 		break;
8484 	}
8485 
8486 	return mcs_mask;
8487 }
8488 
8489 static void vht_build_mcs_mask(u16 vht_mcs_map,
8490 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
8491 {
8492 	u8 nss;
8493 
8494 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
8495 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
8496 		vht_mcs_map >>= 2;
8497 	}
8498 }
8499 
8500 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
8501 			     struct nl80211_txrate_vht *txrate,
8502 			     u16 mcs[NL80211_VHT_NSS_MAX])
8503 {
8504 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
8505 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
8506 	u8 i;
8507 
8508 	if (!sband->vht_cap.vht_supported)
8509 		return false;
8510 
8511 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
8512 
8513 	/* Build vht_mcs_mask from VHT capabilities */
8514 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
8515 
8516 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
8517 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
8518 			mcs[i] = txrate->mcs[i];
8519 		else
8520 			return false;
8521 	}
8522 
8523 	return true;
8524 }
8525 
8526 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
8527 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
8528 				    .len = NL80211_MAX_SUPP_RATES },
8529 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
8530 				.len = NL80211_MAX_SUPP_HT_RATES },
8531 	[NL80211_TXRATE_VHT] = { .len = sizeof(struct nl80211_txrate_vht)},
8532 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
8533 };
8534 
8535 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
8536 				       struct genl_info *info)
8537 {
8538 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
8539 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8540 	struct cfg80211_bitrate_mask mask;
8541 	int rem, i;
8542 	struct net_device *dev = info->user_ptr[1];
8543 	struct nlattr *tx_rates;
8544 	struct ieee80211_supported_band *sband;
8545 	u16 vht_tx_mcs_map;
8546 
8547 	if (!rdev->ops->set_bitrate_mask)
8548 		return -EOPNOTSUPP;
8549 
8550 	memset(&mask, 0, sizeof(mask));
8551 	/* Default to all rates enabled */
8552 	for (i = 0; i < IEEE80211_NUM_BANDS; i++) {
8553 		sband = rdev->wiphy.bands[i];
8554 
8555 		if (!sband)
8556 			continue;
8557 
8558 		mask.control[i].legacy = (1 << sband->n_bitrates) - 1;
8559 		memcpy(mask.control[i].ht_mcs,
8560 		       sband->ht_cap.mcs.rx_mask,
8561 		       sizeof(mask.control[i].ht_mcs));
8562 
8563 		if (!sband->vht_cap.vht_supported)
8564 			continue;
8565 
8566 		vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
8567 		vht_build_mcs_mask(vht_tx_mcs_map, mask.control[i].vht_mcs);
8568 	}
8569 
8570 	/* if no rates are given set it back to the defaults */
8571 	if (!info->attrs[NL80211_ATTR_TX_RATES])
8572 		goto out;
8573 
8574 	/*
8575 	 * The nested attribute uses enum nl80211_band as the index. This maps
8576 	 * directly to the enum ieee80211_band values used in cfg80211.
8577 	 */
8578 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
8579 	nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
8580 		enum ieee80211_band band = nla_type(tx_rates);
8581 		int err;
8582 
8583 		if (band < 0 || band >= IEEE80211_NUM_BANDS)
8584 			return -EINVAL;
8585 		sband = rdev->wiphy.bands[band];
8586 		if (sband == NULL)
8587 			return -EINVAL;
8588 		err = nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates),
8589 				nla_len(tx_rates), nl80211_txattr_policy);
8590 		if (err)
8591 			return err;
8592 		if (tb[NL80211_TXRATE_LEGACY]) {
8593 			mask.control[band].legacy = rateset_to_mask(
8594 				sband,
8595 				nla_data(tb[NL80211_TXRATE_LEGACY]),
8596 				nla_len(tb[NL80211_TXRATE_LEGACY]));
8597 			if ((mask.control[band].legacy == 0) &&
8598 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
8599 				return -EINVAL;
8600 		}
8601 		if (tb[NL80211_TXRATE_HT]) {
8602 			if (!ht_rateset_to_mask(
8603 					sband,
8604 					nla_data(tb[NL80211_TXRATE_HT]),
8605 					nla_len(tb[NL80211_TXRATE_HT]),
8606 					mask.control[band].ht_mcs))
8607 				return -EINVAL;
8608 		}
8609 		if (tb[NL80211_TXRATE_VHT]) {
8610 			if (!vht_set_mcs_mask(
8611 					sband,
8612 					nla_data(tb[NL80211_TXRATE_VHT]),
8613 					mask.control[band].vht_mcs))
8614 				return -EINVAL;
8615 		}
8616 		if (tb[NL80211_TXRATE_GI]) {
8617 			mask.control[band].gi =
8618 				nla_get_u8(tb[NL80211_TXRATE_GI]);
8619 			if (mask.control[band].gi > NL80211_TXRATE_FORCE_LGI)
8620 				return -EINVAL;
8621 		}
8622 
8623 		if (mask.control[band].legacy == 0) {
8624 			/* don't allow empty legacy rates if HT or VHT
8625 			 * are not even supported.
8626 			 */
8627 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
8628 			      rdev->wiphy.bands[band]->vht_cap.vht_supported))
8629 				return -EINVAL;
8630 
8631 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
8632 				if (mask.control[band].ht_mcs[i])
8633 					goto out;
8634 
8635 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
8636 				if (mask.control[band].vht_mcs[i])
8637 					goto out;
8638 
8639 			/* legacy and mcs rates may not be both empty */
8640 			return -EINVAL;
8641 		}
8642 	}
8643 
8644 out:
8645 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
8646 }
8647 
8648 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
8649 {
8650 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8651 	struct wireless_dev *wdev = info->user_ptr[1];
8652 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
8653 
8654 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
8655 		return -EINVAL;
8656 
8657 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
8658 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
8659 
8660 	switch (wdev->iftype) {
8661 	case NL80211_IFTYPE_STATION:
8662 	case NL80211_IFTYPE_ADHOC:
8663 	case NL80211_IFTYPE_P2P_CLIENT:
8664 	case NL80211_IFTYPE_AP:
8665 	case NL80211_IFTYPE_AP_VLAN:
8666 	case NL80211_IFTYPE_MESH_POINT:
8667 	case NL80211_IFTYPE_P2P_GO:
8668 	case NL80211_IFTYPE_P2P_DEVICE:
8669 		break;
8670 	default:
8671 		return -EOPNOTSUPP;
8672 	}
8673 
8674 	/* not much point in registering if we can't reply */
8675 	if (!rdev->ops->mgmt_tx)
8676 		return -EOPNOTSUPP;
8677 
8678 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
8679 			nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
8680 			nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]));
8681 }
8682 
8683 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
8684 {
8685 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8686 	struct wireless_dev *wdev = info->user_ptr[1];
8687 	struct cfg80211_chan_def chandef;
8688 	int err;
8689 	void *hdr = NULL;
8690 	u64 cookie;
8691 	struct sk_buff *msg = NULL;
8692 	struct cfg80211_mgmt_tx_params params = {
8693 		.dont_wait_for_ack =
8694 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
8695 	};
8696 
8697 	if (!info->attrs[NL80211_ATTR_FRAME])
8698 		return -EINVAL;
8699 
8700 	if (!rdev->ops->mgmt_tx)
8701 		return -EOPNOTSUPP;
8702 
8703 	switch (wdev->iftype) {
8704 	case NL80211_IFTYPE_P2P_DEVICE:
8705 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
8706 			return -EINVAL;
8707 	case NL80211_IFTYPE_STATION:
8708 	case NL80211_IFTYPE_ADHOC:
8709 	case NL80211_IFTYPE_P2P_CLIENT:
8710 	case NL80211_IFTYPE_AP:
8711 	case NL80211_IFTYPE_AP_VLAN:
8712 	case NL80211_IFTYPE_MESH_POINT:
8713 	case NL80211_IFTYPE_P2P_GO:
8714 		break;
8715 	default:
8716 		return -EOPNOTSUPP;
8717 	}
8718 
8719 	if (info->attrs[NL80211_ATTR_DURATION]) {
8720 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
8721 			return -EINVAL;
8722 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
8723 
8724 		/*
8725 		 * We should wait on the channel for at least a minimum amount
8726 		 * of time (10ms) but no longer than the driver supports.
8727 		 */
8728 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
8729 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
8730 			return -EINVAL;
8731 
8732 	}
8733 
8734 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
8735 
8736 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
8737 		return -EINVAL;
8738 
8739 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
8740 
8741 	/* get the channel if any has been specified, otherwise pass NULL to
8742 	 * the driver. The latter will use the current one
8743 	 */
8744 	chandef.chan = NULL;
8745 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
8746 		err = nl80211_parse_chandef(rdev, info, &chandef);
8747 		if (err)
8748 			return err;
8749 	}
8750 
8751 	if (!chandef.chan && params.offchan)
8752 		return -EINVAL;
8753 
8754 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
8755 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
8756 
8757 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
8758 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
8759 		int i;
8760 
8761 		if (len % sizeof(u16))
8762 			return -EINVAL;
8763 
8764 		params.n_csa_offsets = len / sizeof(u16);
8765 		params.csa_offsets =
8766 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
8767 
8768 		/* check that all the offsets fit the frame */
8769 		for (i = 0; i < params.n_csa_offsets; i++) {
8770 			if (params.csa_offsets[i] >= params.len)
8771 				return -EINVAL;
8772 		}
8773 	}
8774 
8775 	if (!params.dont_wait_for_ack) {
8776 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8777 		if (!msg)
8778 			return -ENOMEM;
8779 
8780 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8781 				     NL80211_CMD_FRAME);
8782 		if (!hdr) {
8783 			err = -ENOBUFS;
8784 			goto free_msg;
8785 		}
8786 	}
8787 
8788 	params.chan = chandef.chan;
8789 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
8790 	if (err)
8791 		goto free_msg;
8792 
8793 	if (msg) {
8794 		if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
8795 			goto nla_put_failure;
8796 
8797 		genlmsg_end(msg, hdr);
8798 		return genlmsg_reply(msg, info);
8799 	}
8800 
8801 	return 0;
8802 
8803  nla_put_failure:
8804 	err = -ENOBUFS;
8805  free_msg:
8806 	nlmsg_free(msg);
8807 	return err;
8808 }
8809 
8810 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
8811 {
8812 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8813 	struct wireless_dev *wdev = info->user_ptr[1];
8814 	u64 cookie;
8815 
8816 	if (!info->attrs[NL80211_ATTR_COOKIE])
8817 		return -EINVAL;
8818 
8819 	if (!rdev->ops->mgmt_tx_cancel_wait)
8820 		return -EOPNOTSUPP;
8821 
8822 	switch (wdev->iftype) {
8823 	case NL80211_IFTYPE_STATION:
8824 	case NL80211_IFTYPE_ADHOC:
8825 	case NL80211_IFTYPE_P2P_CLIENT:
8826 	case NL80211_IFTYPE_AP:
8827 	case NL80211_IFTYPE_AP_VLAN:
8828 	case NL80211_IFTYPE_P2P_GO:
8829 	case NL80211_IFTYPE_P2P_DEVICE:
8830 		break;
8831 	default:
8832 		return -EOPNOTSUPP;
8833 	}
8834 
8835 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
8836 
8837 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
8838 }
8839 
8840 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
8841 {
8842 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8843 	struct wireless_dev *wdev;
8844 	struct net_device *dev = info->user_ptr[1];
8845 	u8 ps_state;
8846 	bool state;
8847 	int err;
8848 
8849 	if (!info->attrs[NL80211_ATTR_PS_STATE])
8850 		return -EINVAL;
8851 
8852 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
8853 
8854 	if (ps_state != NL80211_PS_DISABLED && ps_state != NL80211_PS_ENABLED)
8855 		return -EINVAL;
8856 
8857 	wdev = dev->ieee80211_ptr;
8858 
8859 	if (!rdev->ops->set_power_mgmt)
8860 		return -EOPNOTSUPP;
8861 
8862 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
8863 
8864 	if (state == wdev->ps)
8865 		return 0;
8866 
8867 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
8868 	if (!err)
8869 		wdev->ps = state;
8870 	return err;
8871 }
8872 
8873 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
8874 {
8875 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8876 	enum nl80211_ps_state ps_state;
8877 	struct wireless_dev *wdev;
8878 	struct net_device *dev = info->user_ptr[1];
8879 	struct sk_buff *msg;
8880 	void *hdr;
8881 	int err;
8882 
8883 	wdev = dev->ieee80211_ptr;
8884 
8885 	if (!rdev->ops->set_power_mgmt)
8886 		return -EOPNOTSUPP;
8887 
8888 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8889 	if (!msg)
8890 		return -ENOMEM;
8891 
8892 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8893 			     NL80211_CMD_GET_POWER_SAVE);
8894 	if (!hdr) {
8895 		err = -ENOBUFS;
8896 		goto free_msg;
8897 	}
8898 
8899 	if (wdev->ps)
8900 		ps_state = NL80211_PS_ENABLED;
8901 	else
8902 		ps_state = NL80211_PS_DISABLED;
8903 
8904 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
8905 		goto nla_put_failure;
8906 
8907 	genlmsg_end(msg, hdr);
8908 	return genlmsg_reply(msg, info);
8909 
8910  nla_put_failure:
8911 	err = -ENOBUFS;
8912  free_msg:
8913 	nlmsg_free(msg);
8914 	return err;
8915 }
8916 
8917 static const struct nla_policy
8918 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
8919 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_U32 },
8920 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
8921 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
8922 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
8923 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
8924 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
8925 };
8926 
8927 static int nl80211_set_cqm_txe(struct genl_info *info,
8928 			       u32 rate, u32 pkts, u32 intvl)
8929 {
8930 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8931 	struct net_device *dev = info->user_ptr[1];
8932 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8933 
8934 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
8935 		return -EINVAL;
8936 
8937 	if (!rdev->ops->set_cqm_txe_config)
8938 		return -EOPNOTSUPP;
8939 
8940 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
8941 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
8942 		return -EOPNOTSUPP;
8943 
8944 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
8945 }
8946 
8947 static int nl80211_set_cqm_rssi(struct genl_info *info,
8948 				s32 threshold, u32 hysteresis)
8949 {
8950 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8951 	struct net_device *dev = info->user_ptr[1];
8952 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8953 
8954 	if (threshold > 0)
8955 		return -EINVAL;
8956 
8957 	/* disabling - hysteresis should also be zero then */
8958 	if (threshold == 0)
8959 		hysteresis = 0;
8960 
8961 	if (!rdev->ops->set_cqm_rssi_config)
8962 		return -EOPNOTSUPP;
8963 
8964 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
8965 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
8966 		return -EOPNOTSUPP;
8967 
8968 	return rdev_set_cqm_rssi_config(rdev, dev, threshold, hysteresis);
8969 }
8970 
8971 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
8972 {
8973 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
8974 	struct nlattr *cqm;
8975 	int err;
8976 
8977 	cqm = info->attrs[NL80211_ATTR_CQM];
8978 	if (!cqm)
8979 		return -EINVAL;
8980 
8981 	err = nla_parse_nested(attrs, NL80211_ATTR_CQM_MAX, cqm,
8982 			       nl80211_attr_cqm_policy);
8983 	if (err)
8984 		return err;
8985 
8986 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
8987 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
8988 		s32 threshold = nla_get_s32(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
8989 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
8990 
8991 		return nl80211_set_cqm_rssi(info, threshold, hysteresis);
8992 	}
8993 
8994 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
8995 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
8996 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
8997 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
8998 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
8999 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
9000 
9001 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
9002 	}
9003 
9004 	return -EINVAL;
9005 }
9006 
9007 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
9008 {
9009 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9010 	struct net_device *dev = info->user_ptr[1];
9011 	struct ocb_setup setup = {};
9012 	int err;
9013 
9014 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
9015 	if (err)
9016 		return err;
9017 
9018 	return cfg80211_join_ocb(rdev, dev, &setup);
9019 }
9020 
9021 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
9022 {
9023 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9024 	struct net_device *dev = info->user_ptr[1];
9025 
9026 	return cfg80211_leave_ocb(rdev, dev);
9027 }
9028 
9029 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
9030 {
9031 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9032 	struct net_device *dev = info->user_ptr[1];
9033 	struct mesh_config cfg;
9034 	struct mesh_setup setup;
9035 	int err;
9036 
9037 	/* start with default */
9038 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
9039 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
9040 
9041 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
9042 		/* and parse parameters if given */
9043 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
9044 		if (err)
9045 			return err;
9046 	}
9047 
9048 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
9049 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
9050 		return -EINVAL;
9051 
9052 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
9053 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
9054 
9055 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
9056 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
9057 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
9058 			return -EINVAL;
9059 
9060 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
9061 		setup.beacon_interval =
9062 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
9063 		if (setup.beacon_interval < 10 ||
9064 		    setup.beacon_interval > 10000)
9065 			return -EINVAL;
9066 	}
9067 
9068 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
9069 		setup.dtim_period =
9070 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
9071 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
9072 			return -EINVAL;
9073 	}
9074 
9075 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
9076 		/* parse additional setup parameters if given */
9077 		err = nl80211_parse_mesh_setup(info, &setup);
9078 		if (err)
9079 			return err;
9080 	}
9081 
9082 	if (setup.user_mpm)
9083 		cfg.auto_open_plinks = false;
9084 
9085 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
9086 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
9087 		if (err)
9088 			return err;
9089 	} else {
9090 		/* cfg80211_join_mesh() will sort it out */
9091 		setup.chandef.chan = NULL;
9092 	}
9093 
9094 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
9095 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9096 		int n_rates =
9097 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9098 		struct ieee80211_supported_band *sband;
9099 
9100 		if (!setup.chandef.chan)
9101 			return -EINVAL;
9102 
9103 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
9104 
9105 		err = ieee80211_get_ratemask(sband, rates, n_rates,
9106 					     &setup.basic_rates);
9107 		if (err)
9108 			return err;
9109 	}
9110 
9111 	return cfg80211_join_mesh(rdev, dev, &setup, &cfg);
9112 }
9113 
9114 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
9115 {
9116 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9117 	struct net_device *dev = info->user_ptr[1];
9118 
9119 	return cfg80211_leave_mesh(rdev, dev);
9120 }
9121 
9122 #ifdef CONFIG_PM
9123 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
9124 					struct cfg80211_registered_device *rdev)
9125 {
9126 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
9127 	struct nlattr *nl_pats, *nl_pat;
9128 	int i, pat_len;
9129 
9130 	if (!wowlan->n_patterns)
9131 		return 0;
9132 
9133 	nl_pats = nla_nest_start(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
9134 	if (!nl_pats)
9135 		return -ENOBUFS;
9136 
9137 	for (i = 0; i < wowlan->n_patterns; i++) {
9138 		nl_pat = nla_nest_start(msg, i + 1);
9139 		if (!nl_pat)
9140 			return -ENOBUFS;
9141 		pat_len = wowlan->patterns[i].pattern_len;
9142 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
9143 			    wowlan->patterns[i].mask) ||
9144 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
9145 			    wowlan->patterns[i].pattern) ||
9146 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
9147 				wowlan->patterns[i].pkt_offset))
9148 			return -ENOBUFS;
9149 		nla_nest_end(msg, nl_pat);
9150 	}
9151 	nla_nest_end(msg, nl_pats);
9152 
9153 	return 0;
9154 }
9155 
9156 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
9157 				   struct cfg80211_wowlan_tcp *tcp)
9158 {
9159 	struct nlattr *nl_tcp;
9160 
9161 	if (!tcp)
9162 		return 0;
9163 
9164 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
9165 	if (!nl_tcp)
9166 		return -ENOBUFS;
9167 
9168 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
9169 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
9170 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
9171 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
9172 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
9173 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
9174 		    tcp->payload_len, tcp->payload) ||
9175 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
9176 			tcp->data_interval) ||
9177 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
9178 		    tcp->wake_len, tcp->wake_data) ||
9179 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
9180 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
9181 		return -ENOBUFS;
9182 
9183 	if (tcp->payload_seq.len &&
9184 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
9185 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
9186 		return -ENOBUFS;
9187 
9188 	if (tcp->payload_tok.len &&
9189 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
9190 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
9191 		    &tcp->payload_tok))
9192 		return -ENOBUFS;
9193 
9194 	nla_nest_end(msg, nl_tcp);
9195 
9196 	return 0;
9197 }
9198 
9199 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
9200 				  struct cfg80211_sched_scan_request *req)
9201 {
9202 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
9203 	int i;
9204 
9205 	if (!req)
9206 		return 0;
9207 
9208 	nd = nla_nest_start(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
9209 	if (!nd)
9210 		return -ENOBUFS;
9211 
9212 	if (req->n_scan_plans == 1 &&
9213 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
9214 			req->scan_plans[0].interval * 1000))
9215 		return -ENOBUFS;
9216 
9217 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
9218 		return -ENOBUFS;
9219 
9220 	freqs = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
9221 	if (!freqs)
9222 		return -ENOBUFS;
9223 
9224 	for (i = 0; i < req->n_channels; i++)
9225 		nla_put_u32(msg, i, req->channels[i]->center_freq);
9226 
9227 	nla_nest_end(msg, freqs);
9228 
9229 	if (req->n_match_sets) {
9230 		matches = nla_nest_start(msg, NL80211_ATTR_SCHED_SCAN_MATCH);
9231 		for (i = 0; i < req->n_match_sets; i++) {
9232 			match = nla_nest_start(msg, i);
9233 			nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
9234 				req->match_sets[i].ssid.ssid_len,
9235 				req->match_sets[i].ssid.ssid);
9236 			nla_nest_end(msg, match);
9237 		}
9238 		nla_nest_end(msg, matches);
9239 	}
9240 
9241 	scan_plans = nla_nest_start(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
9242 	if (!scan_plans)
9243 		return -ENOBUFS;
9244 
9245 	for (i = 0; i < req->n_scan_plans; i++) {
9246 		scan_plan = nla_nest_start(msg, i + 1);
9247 		if (!scan_plan ||
9248 		    nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
9249 				req->scan_plans[i].interval) ||
9250 		    (req->scan_plans[i].iterations &&
9251 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
9252 				 req->scan_plans[i].iterations)))
9253 			return -ENOBUFS;
9254 		nla_nest_end(msg, scan_plan);
9255 	}
9256 	nla_nest_end(msg, scan_plans);
9257 
9258 	nla_nest_end(msg, nd);
9259 
9260 	return 0;
9261 }
9262 
9263 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
9264 {
9265 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9266 	struct sk_buff *msg;
9267 	void *hdr;
9268 	u32 size = NLMSG_DEFAULT_SIZE;
9269 
9270 	if (!rdev->wiphy.wowlan)
9271 		return -EOPNOTSUPP;
9272 
9273 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
9274 		/* adjust size to have room for all the data */
9275 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
9276 			rdev->wiphy.wowlan_config->tcp->payload_len +
9277 			rdev->wiphy.wowlan_config->tcp->wake_len +
9278 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
9279 	}
9280 
9281 	msg = nlmsg_new(size, GFP_KERNEL);
9282 	if (!msg)
9283 		return -ENOMEM;
9284 
9285 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9286 			     NL80211_CMD_GET_WOWLAN);
9287 	if (!hdr)
9288 		goto nla_put_failure;
9289 
9290 	if (rdev->wiphy.wowlan_config) {
9291 		struct nlattr *nl_wowlan;
9292 
9293 		nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
9294 		if (!nl_wowlan)
9295 			goto nla_put_failure;
9296 
9297 		if ((rdev->wiphy.wowlan_config->any &&
9298 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
9299 		    (rdev->wiphy.wowlan_config->disconnect &&
9300 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
9301 		    (rdev->wiphy.wowlan_config->magic_pkt &&
9302 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
9303 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
9304 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
9305 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
9306 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
9307 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
9308 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
9309 		    (rdev->wiphy.wowlan_config->rfkill_release &&
9310 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
9311 			goto nla_put_failure;
9312 
9313 		if (nl80211_send_wowlan_patterns(msg, rdev))
9314 			goto nla_put_failure;
9315 
9316 		if (nl80211_send_wowlan_tcp(msg,
9317 					    rdev->wiphy.wowlan_config->tcp))
9318 			goto nla_put_failure;
9319 
9320 		if (nl80211_send_wowlan_nd(
9321 			    msg,
9322 			    rdev->wiphy.wowlan_config->nd_config))
9323 			goto nla_put_failure;
9324 
9325 		nla_nest_end(msg, nl_wowlan);
9326 	}
9327 
9328 	genlmsg_end(msg, hdr);
9329 	return genlmsg_reply(msg, info);
9330 
9331 nla_put_failure:
9332 	nlmsg_free(msg);
9333 	return -ENOBUFS;
9334 }
9335 
9336 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
9337 				    struct nlattr *attr,
9338 				    struct cfg80211_wowlan *trig)
9339 {
9340 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
9341 	struct cfg80211_wowlan_tcp *cfg;
9342 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
9343 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
9344 	u32 size;
9345 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
9346 	int err, port;
9347 
9348 	if (!rdev->wiphy.wowlan->tcp)
9349 		return -EINVAL;
9350 
9351 	err = nla_parse(tb, MAX_NL80211_WOWLAN_TCP,
9352 			nla_data(attr), nla_len(attr),
9353 			nl80211_wowlan_tcp_policy);
9354 	if (err)
9355 		return err;
9356 
9357 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
9358 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
9359 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
9360 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
9361 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
9362 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
9363 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
9364 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
9365 		return -EINVAL;
9366 
9367 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
9368 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
9369 		return -EINVAL;
9370 
9371 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
9372 			rdev->wiphy.wowlan->tcp->data_interval_max ||
9373 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
9374 		return -EINVAL;
9375 
9376 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
9377 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
9378 		return -EINVAL;
9379 
9380 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
9381 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
9382 		return -EINVAL;
9383 
9384 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
9385 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
9386 
9387 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
9388 		tokens_size = tokln - sizeof(*tok);
9389 
9390 		if (!tok->len || tokens_size % tok->len)
9391 			return -EINVAL;
9392 		if (!rdev->wiphy.wowlan->tcp->tok)
9393 			return -EINVAL;
9394 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
9395 			return -EINVAL;
9396 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
9397 			return -EINVAL;
9398 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
9399 			return -EINVAL;
9400 		if (tok->offset + tok->len > data_size)
9401 			return -EINVAL;
9402 	}
9403 
9404 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
9405 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
9406 		if (!rdev->wiphy.wowlan->tcp->seq)
9407 			return -EINVAL;
9408 		if (seq->len == 0 || seq->len > 4)
9409 			return -EINVAL;
9410 		if (seq->len + seq->offset > data_size)
9411 			return -EINVAL;
9412 	}
9413 
9414 	size = sizeof(*cfg);
9415 	size += data_size;
9416 	size += wake_size + wake_mask_size;
9417 	size += tokens_size;
9418 
9419 	cfg = kzalloc(size, GFP_KERNEL);
9420 	if (!cfg)
9421 		return -ENOMEM;
9422 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
9423 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
9424 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
9425 	       ETH_ALEN);
9426 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
9427 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
9428 	else
9429 		port = 0;
9430 #ifdef CONFIG_INET
9431 	/* allocate a socket and port for it and use it */
9432 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
9433 			    IPPROTO_TCP, &cfg->sock, 1);
9434 	if (err) {
9435 		kfree(cfg);
9436 		return err;
9437 	}
9438 	if (inet_csk_get_port(cfg->sock->sk, port)) {
9439 		sock_release(cfg->sock);
9440 		kfree(cfg);
9441 		return -EADDRINUSE;
9442 	}
9443 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
9444 #else
9445 	if (!port) {
9446 		kfree(cfg);
9447 		return -EINVAL;
9448 	}
9449 	cfg->src_port = port;
9450 #endif
9451 
9452 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
9453 	cfg->payload_len = data_size;
9454 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
9455 	memcpy((void *)cfg->payload,
9456 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
9457 	       data_size);
9458 	if (seq)
9459 		cfg->payload_seq = *seq;
9460 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
9461 	cfg->wake_len = wake_size;
9462 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
9463 	memcpy((void *)cfg->wake_data,
9464 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
9465 	       wake_size);
9466 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
9467 			 data_size + wake_size;
9468 	memcpy((void *)cfg->wake_mask,
9469 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
9470 	       wake_mask_size);
9471 	if (tok) {
9472 		cfg->tokens_size = tokens_size;
9473 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
9474 	}
9475 
9476 	trig->tcp = cfg;
9477 
9478 	return 0;
9479 }
9480 
9481 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
9482 				   const struct wiphy_wowlan_support *wowlan,
9483 				   struct nlattr *attr,
9484 				   struct cfg80211_wowlan *trig)
9485 {
9486 	struct nlattr **tb;
9487 	int err;
9488 
9489 	tb = kzalloc(NUM_NL80211_ATTR * sizeof(*tb), GFP_KERNEL);
9490 	if (!tb)
9491 		return -ENOMEM;
9492 
9493 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
9494 		err = -EOPNOTSUPP;
9495 		goto out;
9496 	}
9497 
9498 	err = nla_parse(tb, NL80211_ATTR_MAX,
9499 			nla_data(attr), nla_len(attr),
9500 			nl80211_policy);
9501 	if (err)
9502 		goto out;
9503 
9504 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb);
9505 	err = PTR_ERR_OR_ZERO(trig->nd_config);
9506 	if (err)
9507 		trig->nd_config = NULL;
9508 
9509 out:
9510 	kfree(tb);
9511 	return err;
9512 }
9513 
9514 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
9515 {
9516 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9517 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
9518 	struct cfg80211_wowlan new_triggers = {};
9519 	struct cfg80211_wowlan *ntrig;
9520 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
9521 	int err, i;
9522 	bool prev_enabled = rdev->wiphy.wowlan_config;
9523 	bool regular = false;
9524 
9525 	if (!wowlan)
9526 		return -EOPNOTSUPP;
9527 
9528 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
9529 		cfg80211_rdev_free_wowlan(rdev);
9530 		rdev->wiphy.wowlan_config = NULL;
9531 		goto set_wakeup;
9532 	}
9533 
9534 	err = nla_parse(tb, MAX_NL80211_WOWLAN_TRIG,
9535 			nla_data(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
9536 			nla_len(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
9537 			nl80211_wowlan_policy);
9538 	if (err)
9539 		return err;
9540 
9541 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
9542 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
9543 			return -EINVAL;
9544 		new_triggers.any = true;
9545 	}
9546 
9547 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
9548 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
9549 			return -EINVAL;
9550 		new_triggers.disconnect = true;
9551 		regular = true;
9552 	}
9553 
9554 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
9555 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
9556 			return -EINVAL;
9557 		new_triggers.magic_pkt = true;
9558 		regular = true;
9559 	}
9560 
9561 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
9562 		return -EINVAL;
9563 
9564 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
9565 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
9566 			return -EINVAL;
9567 		new_triggers.gtk_rekey_failure = true;
9568 		regular = true;
9569 	}
9570 
9571 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
9572 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
9573 			return -EINVAL;
9574 		new_triggers.eap_identity_req = true;
9575 		regular = true;
9576 	}
9577 
9578 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
9579 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
9580 			return -EINVAL;
9581 		new_triggers.four_way_handshake = true;
9582 		regular = true;
9583 	}
9584 
9585 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
9586 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
9587 			return -EINVAL;
9588 		new_triggers.rfkill_release = true;
9589 		regular = true;
9590 	}
9591 
9592 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
9593 		struct nlattr *pat;
9594 		int n_patterns = 0;
9595 		int rem, pat_len, mask_len, pkt_offset;
9596 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
9597 
9598 		regular = true;
9599 
9600 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
9601 				    rem)
9602 			n_patterns++;
9603 		if (n_patterns > wowlan->n_patterns)
9604 			return -EINVAL;
9605 
9606 		new_triggers.patterns = kcalloc(n_patterns,
9607 						sizeof(new_triggers.patterns[0]),
9608 						GFP_KERNEL);
9609 		if (!new_triggers.patterns)
9610 			return -ENOMEM;
9611 
9612 		new_triggers.n_patterns = n_patterns;
9613 		i = 0;
9614 
9615 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
9616 				    rem) {
9617 			u8 *mask_pat;
9618 
9619 			nla_parse(pat_tb, MAX_NL80211_PKTPAT, nla_data(pat),
9620 				  nla_len(pat), NULL);
9621 			err = -EINVAL;
9622 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
9623 			    !pat_tb[NL80211_PKTPAT_PATTERN])
9624 				goto error;
9625 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
9626 			mask_len = DIV_ROUND_UP(pat_len, 8);
9627 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
9628 				goto error;
9629 			if (pat_len > wowlan->pattern_max_len ||
9630 			    pat_len < wowlan->pattern_min_len)
9631 				goto error;
9632 
9633 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
9634 				pkt_offset = 0;
9635 			else
9636 				pkt_offset = nla_get_u32(
9637 					pat_tb[NL80211_PKTPAT_OFFSET]);
9638 			if (pkt_offset > wowlan->max_pkt_offset)
9639 				goto error;
9640 			new_triggers.patterns[i].pkt_offset = pkt_offset;
9641 
9642 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
9643 			if (!mask_pat) {
9644 				err = -ENOMEM;
9645 				goto error;
9646 			}
9647 			new_triggers.patterns[i].mask = mask_pat;
9648 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
9649 			       mask_len);
9650 			mask_pat += mask_len;
9651 			new_triggers.patterns[i].pattern = mask_pat;
9652 			new_triggers.patterns[i].pattern_len = pat_len;
9653 			memcpy(mask_pat,
9654 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
9655 			       pat_len);
9656 			i++;
9657 		}
9658 	}
9659 
9660 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
9661 		regular = true;
9662 		err = nl80211_parse_wowlan_tcp(
9663 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
9664 			&new_triggers);
9665 		if (err)
9666 			goto error;
9667 	}
9668 
9669 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
9670 		regular = true;
9671 		err = nl80211_parse_wowlan_nd(
9672 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
9673 			&new_triggers);
9674 		if (err)
9675 			goto error;
9676 	}
9677 
9678 	/* The 'any' trigger means the device continues operating more or less
9679 	 * as in its normal operation mode and wakes up the host on most of the
9680 	 * normal interrupts (like packet RX, ...)
9681 	 * It therefore makes little sense to combine with the more constrained
9682 	 * wakeup trigger modes.
9683 	 */
9684 	if (new_triggers.any && regular) {
9685 		err = -EINVAL;
9686 		goto error;
9687 	}
9688 
9689 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
9690 	if (!ntrig) {
9691 		err = -ENOMEM;
9692 		goto error;
9693 	}
9694 	cfg80211_rdev_free_wowlan(rdev);
9695 	rdev->wiphy.wowlan_config = ntrig;
9696 
9697  set_wakeup:
9698 	if (rdev->ops->set_wakeup &&
9699 	    prev_enabled != !!rdev->wiphy.wowlan_config)
9700 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
9701 
9702 	return 0;
9703  error:
9704 	for (i = 0; i < new_triggers.n_patterns; i++)
9705 		kfree(new_triggers.patterns[i].mask);
9706 	kfree(new_triggers.patterns);
9707 	if (new_triggers.tcp && new_triggers.tcp->sock)
9708 		sock_release(new_triggers.tcp->sock);
9709 	kfree(new_triggers.tcp);
9710 	kfree(new_triggers.nd_config);
9711 	return err;
9712 }
9713 #endif
9714 
9715 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
9716 				       struct cfg80211_registered_device *rdev)
9717 {
9718 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
9719 	int i, j, pat_len;
9720 	struct cfg80211_coalesce_rules *rule;
9721 
9722 	if (!rdev->coalesce->n_rules)
9723 		return 0;
9724 
9725 	nl_rules = nla_nest_start(msg, NL80211_ATTR_COALESCE_RULE);
9726 	if (!nl_rules)
9727 		return -ENOBUFS;
9728 
9729 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
9730 		nl_rule = nla_nest_start(msg, i + 1);
9731 		if (!nl_rule)
9732 			return -ENOBUFS;
9733 
9734 		rule = &rdev->coalesce->rules[i];
9735 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
9736 				rule->delay))
9737 			return -ENOBUFS;
9738 
9739 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
9740 				rule->condition))
9741 			return -ENOBUFS;
9742 
9743 		nl_pats = nla_nest_start(msg,
9744 				NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
9745 		if (!nl_pats)
9746 			return -ENOBUFS;
9747 
9748 		for (j = 0; j < rule->n_patterns; j++) {
9749 			nl_pat = nla_nest_start(msg, j + 1);
9750 			if (!nl_pat)
9751 				return -ENOBUFS;
9752 			pat_len = rule->patterns[j].pattern_len;
9753 			if (nla_put(msg, NL80211_PKTPAT_MASK,
9754 				    DIV_ROUND_UP(pat_len, 8),
9755 				    rule->patterns[j].mask) ||
9756 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
9757 				    rule->patterns[j].pattern) ||
9758 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
9759 					rule->patterns[j].pkt_offset))
9760 				return -ENOBUFS;
9761 			nla_nest_end(msg, nl_pat);
9762 		}
9763 		nla_nest_end(msg, nl_pats);
9764 		nla_nest_end(msg, nl_rule);
9765 	}
9766 	nla_nest_end(msg, nl_rules);
9767 
9768 	return 0;
9769 }
9770 
9771 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
9772 {
9773 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9774 	struct sk_buff *msg;
9775 	void *hdr;
9776 
9777 	if (!rdev->wiphy.coalesce)
9778 		return -EOPNOTSUPP;
9779 
9780 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9781 	if (!msg)
9782 		return -ENOMEM;
9783 
9784 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9785 			     NL80211_CMD_GET_COALESCE);
9786 	if (!hdr)
9787 		goto nla_put_failure;
9788 
9789 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
9790 		goto nla_put_failure;
9791 
9792 	genlmsg_end(msg, hdr);
9793 	return genlmsg_reply(msg, info);
9794 
9795 nla_put_failure:
9796 	nlmsg_free(msg);
9797 	return -ENOBUFS;
9798 }
9799 
9800 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
9801 {
9802 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
9803 	int i, j;
9804 	struct cfg80211_coalesce_rules *rule;
9805 
9806 	if (!coalesce)
9807 		return;
9808 
9809 	for (i = 0; i < coalesce->n_rules; i++) {
9810 		rule = &coalesce->rules[i];
9811 		for (j = 0; j < rule->n_patterns; j++)
9812 			kfree(rule->patterns[j].mask);
9813 		kfree(rule->patterns);
9814 	}
9815 	kfree(coalesce->rules);
9816 	kfree(coalesce);
9817 	rdev->coalesce = NULL;
9818 }
9819 
9820 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
9821 				       struct nlattr *rule,
9822 				       struct cfg80211_coalesce_rules *new_rule)
9823 {
9824 	int err, i;
9825 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
9826 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
9827 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
9828 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
9829 
9830 	err = nla_parse(tb, NL80211_ATTR_COALESCE_RULE_MAX, nla_data(rule),
9831 			nla_len(rule), nl80211_coalesce_policy);
9832 	if (err)
9833 		return err;
9834 
9835 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
9836 		new_rule->delay =
9837 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
9838 	if (new_rule->delay > coalesce->max_delay)
9839 		return -EINVAL;
9840 
9841 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
9842 		new_rule->condition =
9843 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
9844 	if (new_rule->condition != NL80211_COALESCE_CONDITION_MATCH &&
9845 	    new_rule->condition != NL80211_COALESCE_CONDITION_NO_MATCH)
9846 		return -EINVAL;
9847 
9848 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
9849 		return -EINVAL;
9850 
9851 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
9852 			    rem)
9853 		n_patterns++;
9854 	if (n_patterns > coalesce->n_patterns)
9855 		return -EINVAL;
9856 
9857 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
9858 				     GFP_KERNEL);
9859 	if (!new_rule->patterns)
9860 		return -ENOMEM;
9861 
9862 	new_rule->n_patterns = n_patterns;
9863 	i = 0;
9864 
9865 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
9866 			    rem) {
9867 		u8 *mask_pat;
9868 
9869 		nla_parse(pat_tb, MAX_NL80211_PKTPAT, nla_data(pat),
9870 			  nla_len(pat), NULL);
9871 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
9872 		    !pat_tb[NL80211_PKTPAT_PATTERN])
9873 			return -EINVAL;
9874 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
9875 		mask_len = DIV_ROUND_UP(pat_len, 8);
9876 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
9877 			return -EINVAL;
9878 		if (pat_len > coalesce->pattern_max_len ||
9879 		    pat_len < coalesce->pattern_min_len)
9880 			return -EINVAL;
9881 
9882 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
9883 			pkt_offset = 0;
9884 		else
9885 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
9886 		if (pkt_offset > coalesce->max_pkt_offset)
9887 			return -EINVAL;
9888 		new_rule->patterns[i].pkt_offset = pkt_offset;
9889 
9890 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
9891 		if (!mask_pat)
9892 			return -ENOMEM;
9893 
9894 		new_rule->patterns[i].mask = mask_pat;
9895 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
9896 		       mask_len);
9897 
9898 		mask_pat += mask_len;
9899 		new_rule->patterns[i].pattern = mask_pat;
9900 		new_rule->patterns[i].pattern_len = pat_len;
9901 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
9902 		       pat_len);
9903 		i++;
9904 	}
9905 
9906 	return 0;
9907 }
9908 
9909 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
9910 {
9911 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9912 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
9913 	struct cfg80211_coalesce new_coalesce = {};
9914 	struct cfg80211_coalesce *n_coalesce;
9915 	int err, rem_rule, n_rules = 0, i, j;
9916 	struct nlattr *rule;
9917 	struct cfg80211_coalesce_rules *tmp_rule;
9918 
9919 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
9920 		return -EOPNOTSUPP;
9921 
9922 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
9923 		cfg80211_rdev_free_coalesce(rdev);
9924 		rdev_set_coalesce(rdev, NULL);
9925 		return 0;
9926 	}
9927 
9928 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
9929 			    rem_rule)
9930 		n_rules++;
9931 	if (n_rules > coalesce->n_rules)
9932 		return -EINVAL;
9933 
9934 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
9935 				     GFP_KERNEL);
9936 	if (!new_coalesce.rules)
9937 		return -ENOMEM;
9938 
9939 	new_coalesce.n_rules = n_rules;
9940 	i = 0;
9941 
9942 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
9943 			    rem_rule) {
9944 		err = nl80211_parse_coalesce_rule(rdev, rule,
9945 						  &new_coalesce.rules[i]);
9946 		if (err)
9947 			goto error;
9948 
9949 		i++;
9950 	}
9951 
9952 	err = rdev_set_coalesce(rdev, &new_coalesce);
9953 	if (err)
9954 		goto error;
9955 
9956 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
9957 	if (!n_coalesce) {
9958 		err = -ENOMEM;
9959 		goto error;
9960 	}
9961 	cfg80211_rdev_free_coalesce(rdev);
9962 	rdev->coalesce = n_coalesce;
9963 
9964 	return 0;
9965 error:
9966 	for (i = 0; i < new_coalesce.n_rules; i++) {
9967 		tmp_rule = &new_coalesce.rules[i];
9968 		for (j = 0; j < tmp_rule->n_patterns; j++)
9969 			kfree(tmp_rule->patterns[j].mask);
9970 		kfree(tmp_rule->patterns);
9971 	}
9972 	kfree(new_coalesce.rules);
9973 
9974 	return err;
9975 }
9976 
9977 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
9978 {
9979 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9980 	struct net_device *dev = info->user_ptr[1];
9981 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9982 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
9983 	struct cfg80211_gtk_rekey_data rekey_data;
9984 	int err;
9985 
9986 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
9987 		return -EINVAL;
9988 
9989 	err = nla_parse(tb, MAX_NL80211_REKEY_DATA,
9990 			nla_data(info->attrs[NL80211_ATTR_REKEY_DATA]),
9991 			nla_len(info->attrs[NL80211_ATTR_REKEY_DATA]),
9992 			nl80211_rekey_policy);
9993 	if (err)
9994 		return err;
9995 
9996 	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
9997 		return -ERANGE;
9998 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
9999 		return -ERANGE;
10000 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN)
10001 		return -ERANGE;
10002 
10003 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
10004 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
10005 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
10006 
10007 	wdev_lock(wdev);
10008 	if (!wdev->current_bss) {
10009 		err = -ENOTCONN;
10010 		goto out;
10011 	}
10012 
10013 	if (!rdev->ops->set_rekey_data) {
10014 		err = -EOPNOTSUPP;
10015 		goto out;
10016 	}
10017 
10018 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
10019  out:
10020 	wdev_unlock(wdev);
10021 	return err;
10022 }
10023 
10024 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
10025 					     struct genl_info *info)
10026 {
10027 	struct net_device *dev = info->user_ptr[1];
10028 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10029 
10030 	if (wdev->iftype != NL80211_IFTYPE_AP &&
10031 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
10032 		return -EINVAL;
10033 
10034 	if (wdev->ap_unexpected_nlportid)
10035 		return -EBUSY;
10036 
10037 	wdev->ap_unexpected_nlportid = info->snd_portid;
10038 	return 0;
10039 }
10040 
10041 static int nl80211_probe_client(struct sk_buff *skb,
10042 				struct genl_info *info)
10043 {
10044 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10045 	struct net_device *dev = info->user_ptr[1];
10046 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10047 	struct sk_buff *msg;
10048 	void *hdr;
10049 	const u8 *addr;
10050 	u64 cookie;
10051 	int err;
10052 
10053 	if (wdev->iftype != NL80211_IFTYPE_AP &&
10054 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
10055 		return -EOPNOTSUPP;
10056 
10057 	if (!info->attrs[NL80211_ATTR_MAC])
10058 		return -EINVAL;
10059 
10060 	if (!rdev->ops->probe_client)
10061 		return -EOPNOTSUPP;
10062 
10063 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10064 	if (!msg)
10065 		return -ENOMEM;
10066 
10067 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10068 			     NL80211_CMD_PROBE_CLIENT);
10069 	if (!hdr) {
10070 		err = -ENOBUFS;
10071 		goto free_msg;
10072 	}
10073 
10074 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
10075 
10076 	err = rdev_probe_client(rdev, dev, addr, &cookie);
10077 	if (err)
10078 		goto free_msg;
10079 
10080 	if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
10081 		goto nla_put_failure;
10082 
10083 	genlmsg_end(msg, hdr);
10084 
10085 	return genlmsg_reply(msg, info);
10086 
10087  nla_put_failure:
10088 	err = -ENOBUFS;
10089  free_msg:
10090 	nlmsg_free(msg);
10091 	return err;
10092 }
10093 
10094 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
10095 {
10096 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10097 	struct cfg80211_beacon_registration *reg, *nreg;
10098 	int rv;
10099 
10100 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
10101 		return -EOPNOTSUPP;
10102 
10103 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
10104 	if (!nreg)
10105 		return -ENOMEM;
10106 
10107 	/* First, check if already registered. */
10108 	spin_lock_bh(&rdev->beacon_registrations_lock);
10109 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
10110 		if (reg->nlportid == info->snd_portid) {
10111 			rv = -EALREADY;
10112 			goto out_err;
10113 		}
10114 	}
10115 	/* Add it to the list */
10116 	nreg->nlportid = info->snd_portid;
10117 	list_add(&nreg->list, &rdev->beacon_registrations);
10118 
10119 	spin_unlock_bh(&rdev->beacon_registrations_lock);
10120 
10121 	return 0;
10122 out_err:
10123 	spin_unlock_bh(&rdev->beacon_registrations_lock);
10124 	kfree(nreg);
10125 	return rv;
10126 }
10127 
10128 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
10129 {
10130 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10131 	struct wireless_dev *wdev = info->user_ptr[1];
10132 	int err;
10133 
10134 	if (!rdev->ops->start_p2p_device)
10135 		return -EOPNOTSUPP;
10136 
10137 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
10138 		return -EOPNOTSUPP;
10139 
10140 	if (wdev->p2p_started)
10141 		return 0;
10142 
10143 	if (rfkill_blocked(rdev->rfkill))
10144 		return -ERFKILL;
10145 
10146 	err = rdev_start_p2p_device(rdev, wdev);
10147 	if (err)
10148 		return err;
10149 
10150 	wdev->p2p_started = true;
10151 	rdev->opencount++;
10152 
10153 	return 0;
10154 }
10155 
10156 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
10157 {
10158 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10159 	struct wireless_dev *wdev = info->user_ptr[1];
10160 
10161 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
10162 		return -EOPNOTSUPP;
10163 
10164 	if (!rdev->ops->stop_p2p_device)
10165 		return -EOPNOTSUPP;
10166 
10167 	cfg80211_stop_p2p_device(rdev, wdev);
10168 
10169 	return 0;
10170 }
10171 
10172 static int nl80211_get_protocol_features(struct sk_buff *skb,
10173 					 struct genl_info *info)
10174 {
10175 	void *hdr;
10176 	struct sk_buff *msg;
10177 
10178 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10179 	if (!msg)
10180 		return -ENOMEM;
10181 
10182 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10183 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
10184 	if (!hdr)
10185 		goto nla_put_failure;
10186 
10187 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
10188 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
10189 		goto nla_put_failure;
10190 
10191 	genlmsg_end(msg, hdr);
10192 	return genlmsg_reply(msg, info);
10193 
10194  nla_put_failure:
10195 	kfree_skb(msg);
10196 	return -ENOBUFS;
10197 }
10198 
10199 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
10200 {
10201 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10202 	struct cfg80211_update_ft_ies_params ft_params;
10203 	struct net_device *dev = info->user_ptr[1];
10204 
10205 	if (!rdev->ops->update_ft_ies)
10206 		return -EOPNOTSUPP;
10207 
10208 	if (!info->attrs[NL80211_ATTR_MDID] ||
10209 	    !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
10210 		return -EINVAL;
10211 
10212 	memset(&ft_params, 0, sizeof(ft_params));
10213 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
10214 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10215 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10216 
10217 	return rdev_update_ft_ies(rdev, dev, &ft_params);
10218 }
10219 
10220 static int nl80211_crit_protocol_start(struct sk_buff *skb,
10221 				       struct genl_info *info)
10222 {
10223 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10224 	struct wireless_dev *wdev = info->user_ptr[1];
10225 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
10226 	u16 duration;
10227 	int ret;
10228 
10229 	if (!rdev->ops->crit_proto_start)
10230 		return -EOPNOTSUPP;
10231 
10232 	if (WARN_ON(!rdev->ops->crit_proto_stop))
10233 		return -EINVAL;
10234 
10235 	if (rdev->crit_proto_nlportid)
10236 		return -EBUSY;
10237 
10238 	/* determine protocol if provided */
10239 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
10240 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
10241 
10242 	if (proto >= NUM_NL80211_CRIT_PROTO)
10243 		return -EINVAL;
10244 
10245 	/* timeout must be provided */
10246 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
10247 		return -EINVAL;
10248 
10249 	duration =
10250 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
10251 
10252 	if (duration > NL80211_CRIT_PROTO_MAX_DURATION)
10253 		return -ERANGE;
10254 
10255 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
10256 	if (!ret)
10257 		rdev->crit_proto_nlportid = info->snd_portid;
10258 
10259 	return ret;
10260 }
10261 
10262 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
10263 				      struct genl_info *info)
10264 {
10265 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10266 	struct wireless_dev *wdev = info->user_ptr[1];
10267 
10268 	if (!rdev->ops->crit_proto_stop)
10269 		return -EOPNOTSUPP;
10270 
10271 	if (rdev->crit_proto_nlportid) {
10272 		rdev->crit_proto_nlportid = 0;
10273 		rdev_crit_proto_stop(rdev, wdev);
10274 	}
10275 	return 0;
10276 }
10277 
10278 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
10279 {
10280 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10281 	struct wireless_dev *wdev =
10282 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
10283 	int i, err;
10284 	u32 vid, subcmd;
10285 
10286 	if (!rdev->wiphy.vendor_commands)
10287 		return -EOPNOTSUPP;
10288 
10289 	if (IS_ERR(wdev)) {
10290 		err = PTR_ERR(wdev);
10291 		if (err != -EINVAL)
10292 			return err;
10293 		wdev = NULL;
10294 	} else if (wdev->wiphy != &rdev->wiphy) {
10295 		return -EINVAL;
10296 	}
10297 
10298 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
10299 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
10300 		return -EINVAL;
10301 
10302 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
10303 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
10304 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
10305 		const struct wiphy_vendor_command *vcmd;
10306 		void *data = NULL;
10307 		int len = 0;
10308 
10309 		vcmd = &rdev->wiphy.vendor_commands[i];
10310 
10311 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
10312 			continue;
10313 
10314 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
10315 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
10316 			if (!wdev)
10317 				return -EINVAL;
10318 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
10319 			    !wdev->netdev)
10320 				return -EINVAL;
10321 
10322 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
10323 				if (wdev->netdev &&
10324 				    !netif_running(wdev->netdev))
10325 					return -ENETDOWN;
10326 				if (!wdev->netdev && !wdev->p2p_started)
10327 					return -ENETDOWN;
10328 			}
10329 
10330 			if (!vcmd->doit)
10331 				return -EOPNOTSUPP;
10332 		} else {
10333 			wdev = NULL;
10334 		}
10335 
10336 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
10337 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
10338 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
10339 		}
10340 
10341 		rdev->cur_cmd_info = info;
10342 		err = rdev->wiphy.vendor_commands[i].doit(&rdev->wiphy, wdev,
10343 							  data, len);
10344 		rdev->cur_cmd_info = NULL;
10345 		return err;
10346 	}
10347 
10348 	return -EOPNOTSUPP;
10349 }
10350 
10351 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
10352 				       struct netlink_callback *cb,
10353 				       struct cfg80211_registered_device **rdev,
10354 				       struct wireless_dev **wdev)
10355 {
10356 	u32 vid, subcmd;
10357 	unsigned int i;
10358 	int vcmd_idx = -1;
10359 	int err;
10360 	void *data = NULL;
10361 	unsigned int data_len = 0;
10362 
10363 	rtnl_lock();
10364 
10365 	if (cb->args[0]) {
10366 		/* subtract the 1 again here */
10367 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
10368 		struct wireless_dev *tmp;
10369 
10370 		if (!wiphy) {
10371 			err = -ENODEV;
10372 			goto out_unlock;
10373 		}
10374 		*rdev = wiphy_to_rdev(wiphy);
10375 		*wdev = NULL;
10376 
10377 		if (cb->args[1]) {
10378 			list_for_each_entry(tmp, &(*rdev)->wdev_list, list) {
10379 				if (tmp->identifier == cb->args[1] - 1) {
10380 					*wdev = tmp;
10381 					break;
10382 				}
10383 			}
10384 		}
10385 
10386 		/* keep rtnl locked in successful case */
10387 		return 0;
10388 	}
10389 
10390 	err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
10391 			  nl80211_fam.attrbuf, nl80211_fam.maxattr,
10392 			  nl80211_policy);
10393 	if (err)
10394 		goto out_unlock;
10395 
10396 	if (!nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_ID] ||
10397 	    !nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
10398 		err = -EINVAL;
10399 		goto out_unlock;
10400 	}
10401 
10402 	*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk),
10403 					   nl80211_fam.attrbuf);
10404 	if (IS_ERR(*wdev))
10405 		*wdev = NULL;
10406 
10407 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk),
10408 					   nl80211_fam.attrbuf);
10409 	if (IS_ERR(*rdev)) {
10410 		err = PTR_ERR(*rdev);
10411 		goto out_unlock;
10412 	}
10413 
10414 	vid = nla_get_u32(nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_ID]);
10415 	subcmd = nla_get_u32(nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
10416 
10417 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
10418 		const struct wiphy_vendor_command *vcmd;
10419 
10420 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
10421 
10422 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
10423 			continue;
10424 
10425 		if (!vcmd->dumpit) {
10426 			err = -EOPNOTSUPP;
10427 			goto out_unlock;
10428 		}
10429 
10430 		vcmd_idx = i;
10431 		break;
10432 	}
10433 
10434 	if (vcmd_idx < 0) {
10435 		err = -EOPNOTSUPP;
10436 		goto out_unlock;
10437 	}
10438 
10439 	if (nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_DATA]) {
10440 		data = nla_data(nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_DATA]);
10441 		data_len = nla_len(nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_DATA]);
10442 	}
10443 
10444 	/* 0 is the first index - add 1 to parse only once */
10445 	cb->args[0] = (*rdev)->wiphy_idx + 1;
10446 	/* add 1 to know if it was NULL */
10447 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
10448 	cb->args[2] = vcmd_idx;
10449 	cb->args[3] = (unsigned long)data;
10450 	cb->args[4] = data_len;
10451 
10452 	/* keep rtnl locked in successful case */
10453 	return 0;
10454  out_unlock:
10455 	rtnl_unlock();
10456 	return err;
10457 }
10458 
10459 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
10460 				   struct netlink_callback *cb)
10461 {
10462 	struct cfg80211_registered_device *rdev;
10463 	struct wireless_dev *wdev;
10464 	unsigned int vcmd_idx;
10465 	const struct wiphy_vendor_command *vcmd;
10466 	void *data;
10467 	int data_len;
10468 	int err;
10469 	struct nlattr *vendor_data;
10470 
10471 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
10472 	if (err)
10473 		return err;
10474 
10475 	vcmd_idx = cb->args[2];
10476 	data = (void *)cb->args[3];
10477 	data_len = cb->args[4];
10478 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
10479 
10480 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
10481 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
10482 		if (!wdev)
10483 			return -EINVAL;
10484 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
10485 		    !wdev->netdev)
10486 			return -EINVAL;
10487 
10488 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
10489 			if (wdev->netdev &&
10490 			    !netif_running(wdev->netdev))
10491 				return -ENETDOWN;
10492 			if (!wdev->netdev && !wdev->p2p_started)
10493 				return -ENETDOWN;
10494 		}
10495 	}
10496 
10497 	while (1) {
10498 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
10499 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
10500 					   NL80211_CMD_VENDOR);
10501 		if (!hdr)
10502 			break;
10503 
10504 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10505 		    (wdev && nla_put_u64(skb, NL80211_ATTR_WDEV,
10506 					 wdev_id(wdev)))) {
10507 			genlmsg_cancel(skb, hdr);
10508 			break;
10509 		}
10510 
10511 		vendor_data = nla_nest_start(skb, NL80211_ATTR_VENDOR_DATA);
10512 		if (!vendor_data) {
10513 			genlmsg_cancel(skb, hdr);
10514 			break;
10515 		}
10516 
10517 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
10518 				   (unsigned long *)&cb->args[5]);
10519 		nla_nest_end(skb, vendor_data);
10520 
10521 		if (err == -ENOBUFS || err == -ENOENT) {
10522 			genlmsg_cancel(skb, hdr);
10523 			break;
10524 		} else if (err) {
10525 			genlmsg_cancel(skb, hdr);
10526 			goto out;
10527 		}
10528 
10529 		genlmsg_end(skb, hdr);
10530 	}
10531 
10532 	err = skb->len;
10533  out:
10534 	rtnl_unlock();
10535 	return err;
10536 }
10537 
10538 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
10539 					   enum nl80211_commands cmd,
10540 					   enum nl80211_attrs attr,
10541 					   int approxlen)
10542 {
10543 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
10544 
10545 	if (WARN_ON(!rdev->cur_cmd_info))
10546 		return NULL;
10547 
10548 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
10549 					   rdev->cur_cmd_info->snd_portid,
10550 					   rdev->cur_cmd_info->snd_seq,
10551 					   cmd, attr, NULL, GFP_KERNEL);
10552 }
10553 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
10554 
10555 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
10556 {
10557 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
10558 	void *hdr = ((void **)skb->cb)[1];
10559 	struct nlattr *data = ((void **)skb->cb)[2];
10560 
10561 	/* clear CB data for netlink core to own from now on */
10562 	memset(skb->cb, 0, sizeof(skb->cb));
10563 
10564 	if (WARN_ON(!rdev->cur_cmd_info)) {
10565 		kfree_skb(skb);
10566 		return -EINVAL;
10567 	}
10568 
10569 	nla_nest_end(skb, data);
10570 	genlmsg_end(skb, hdr);
10571 	return genlmsg_reply(skb, rdev->cur_cmd_info);
10572 }
10573 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
10574 
10575 
10576 static int nl80211_set_qos_map(struct sk_buff *skb,
10577 			       struct genl_info *info)
10578 {
10579 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10580 	struct cfg80211_qos_map *qos_map = NULL;
10581 	struct net_device *dev = info->user_ptr[1];
10582 	u8 *pos, len, num_des, des_len, des;
10583 	int ret;
10584 
10585 	if (!rdev->ops->set_qos_map)
10586 		return -EOPNOTSUPP;
10587 
10588 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
10589 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
10590 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
10591 
10592 		if (len % 2 || len < IEEE80211_QOS_MAP_LEN_MIN ||
10593 		    len > IEEE80211_QOS_MAP_LEN_MAX)
10594 			return -EINVAL;
10595 
10596 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
10597 		if (!qos_map)
10598 			return -ENOMEM;
10599 
10600 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
10601 		if (num_des) {
10602 			des_len = num_des *
10603 				sizeof(struct cfg80211_dscp_exception);
10604 			memcpy(qos_map->dscp_exception, pos, des_len);
10605 			qos_map->num_des = num_des;
10606 			for (des = 0; des < num_des; des++) {
10607 				if (qos_map->dscp_exception[des].up > 7) {
10608 					kfree(qos_map);
10609 					return -EINVAL;
10610 				}
10611 			}
10612 			pos += des_len;
10613 		}
10614 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
10615 	}
10616 
10617 	wdev_lock(dev->ieee80211_ptr);
10618 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
10619 	if (!ret)
10620 		ret = rdev_set_qos_map(rdev, dev, qos_map);
10621 	wdev_unlock(dev->ieee80211_ptr);
10622 
10623 	kfree(qos_map);
10624 	return ret;
10625 }
10626 
10627 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
10628 {
10629 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10630 	struct net_device *dev = info->user_ptr[1];
10631 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10632 	const u8 *peer;
10633 	u8 tsid, up;
10634 	u16 admitted_time = 0;
10635 	int err;
10636 
10637 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
10638 		return -EOPNOTSUPP;
10639 
10640 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
10641 	    !info->attrs[NL80211_ATTR_USER_PRIO])
10642 		return -EINVAL;
10643 
10644 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
10645 	if (tsid >= IEEE80211_NUM_TIDS)
10646 		return -EINVAL;
10647 
10648 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
10649 	if (up >= IEEE80211_NUM_UPS)
10650 		return -EINVAL;
10651 
10652 	/* WMM uses TIDs 0-7 even for TSPEC */
10653 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
10654 		/* TODO: handle 802.11 TSPEC/admission control
10655 		 * need more attributes for that (e.g. BA session requirement);
10656 		 * change the WMM adminssion test above to allow both then
10657 		 */
10658 		return -EINVAL;
10659 	}
10660 
10661 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10662 
10663 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
10664 		admitted_time =
10665 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
10666 		if (!admitted_time)
10667 			return -EINVAL;
10668 	}
10669 
10670 	wdev_lock(wdev);
10671 	switch (wdev->iftype) {
10672 	case NL80211_IFTYPE_STATION:
10673 	case NL80211_IFTYPE_P2P_CLIENT:
10674 		if (wdev->current_bss)
10675 			break;
10676 		err = -ENOTCONN;
10677 		goto out;
10678 	default:
10679 		err = -EOPNOTSUPP;
10680 		goto out;
10681 	}
10682 
10683 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
10684 
10685  out:
10686 	wdev_unlock(wdev);
10687 	return err;
10688 }
10689 
10690 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
10691 {
10692 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10693 	struct net_device *dev = info->user_ptr[1];
10694 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10695 	const u8 *peer;
10696 	u8 tsid;
10697 	int err;
10698 
10699 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
10700 		return -EINVAL;
10701 
10702 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
10703 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10704 
10705 	wdev_lock(wdev);
10706 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
10707 	wdev_unlock(wdev);
10708 
10709 	return err;
10710 }
10711 
10712 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
10713 				       struct genl_info *info)
10714 {
10715 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10716 	struct net_device *dev = info->user_ptr[1];
10717 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10718 	struct cfg80211_chan_def chandef = {};
10719 	const u8 *addr;
10720 	u8 oper_class;
10721 	int err;
10722 
10723 	if (!rdev->ops->tdls_channel_switch ||
10724 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
10725 		return -EOPNOTSUPP;
10726 
10727 	switch (dev->ieee80211_ptr->iftype) {
10728 	case NL80211_IFTYPE_STATION:
10729 	case NL80211_IFTYPE_P2P_CLIENT:
10730 		break;
10731 	default:
10732 		return -EOPNOTSUPP;
10733 	}
10734 
10735 	if (!info->attrs[NL80211_ATTR_MAC] ||
10736 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
10737 		return -EINVAL;
10738 
10739 	err = nl80211_parse_chandef(rdev, info, &chandef);
10740 	if (err)
10741 		return err;
10742 
10743 	/*
10744 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
10745 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
10746 	 * specification is not defined for them.
10747 	 */
10748 	if (chandef.chan->band == IEEE80211_BAND_2GHZ &&
10749 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
10750 	    chandef.width != NL80211_CHAN_WIDTH_20)
10751 		return -EINVAL;
10752 
10753 	/* we will be active on the TDLS link */
10754 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
10755 					   wdev->iftype))
10756 		return -EINVAL;
10757 
10758 	/* don't allow switching to DFS channels */
10759 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
10760 		return -EINVAL;
10761 
10762 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
10763 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
10764 
10765 	wdev_lock(wdev);
10766 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
10767 	wdev_unlock(wdev);
10768 
10769 	return err;
10770 }
10771 
10772 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
10773 					      struct genl_info *info)
10774 {
10775 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10776 	struct net_device *dev = info->user_ptr[1];
10777 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10778 	const u8 *addr;
10779 
10780 	if (!rdev->ops->tdls_channel_switch ||
10781 	    !rdev->ops->tdls_cancel_channel_switch ||
10782 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
10783 		return -EOPNOTSUPP;
10784 
10785 	switch (dev->ieee80211_ptr->iftype) {
10786 	case NL80211_IFTYPE_STATION:
10787 	case NL80211_IFTYPE_P2P_CLIENT:
10788 		break;
10789 	default:
10790 		return -EOPNOTSUPP;
10791 	}
10792 
10793 	if (!info->attrs[NL80211_ATTR_MAC])
10794 		return -EINVAL;
10795 
10796 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
10797 
10798 	wdev_lock(wdev);
10799 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
10800 	wdev_unlock(wdev);
10801 
10802 	return 0;
10803 }
10804 
10805 #define NL80211_FLAG_NEED_WIPHY		0x01
10806 #define NL80211_FLAG_NEED_NETDEV	0x02
10807 #define NL80211_FLAG_NEED_RTNL		0x04
10808 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
10809 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
10810 					 NL80211_FLAG_CHECK_NETDEV_UP)
10811 #define NL80211_FLAG_NEED_WDEV		0x10
10812 /* If a netdev is associated, it must be UP, P2P must be started */
10813 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
10814 					 NL80211_FLAG_CHECK_NETDEV_UP)
10815 #define NL80211_FLAG_CLEAR_SKB		0x20
10816 
10817 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
10818 			    struct genl_info *info)
10819 {
10820 	struct cfg80211_registered_device *rdev;
10821 	struct wireless_dev *wdev;
10822 	struct net_device *dev;
10823 	bool rtnl = ops->internal_flags & NL80211_FLAG_NEED_RTNL;
10824 
10825 	if (rtnl)
10826 		rtnl_lock();
10827 
10828 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
10829 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
10830 		if (IS_ERR(rdev)) {
10831 			if (rtnl)
10832 				rtnl_unlock();
10833 			return PTR_ERR(rdev);
10834 		}
10835 		info->user_ptr[0] = rdev;
10836 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
10837 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
10838 		ASSERT_RTNL();
10839 
10840 		wdev = __cfg80211_wdev_from_attrs(genl_info_net(info),
10841 						  info->attrs);
10842 		if (IS_ERR(wdev)) {
10843 			if (rtnl)
10844 				rtnl_unlock();
10845 			return PTR_ERR(wdev);
10846 		}
10847 
10848 		dev = wdev->netdev;
10849 		rdev = wiphy_to_rdev(wdev->wiphy);
10850 
10851 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
10852 			if (!dev) {
10853 				if (rtnl)
10854 					rtnl_unlock();
10855 				return -EINVAL;
10856 			}
10857 
10858 			info->user_ptr[1] = dev;
10859 		} else {
10860 			info->user_ptr[1] = wdev;
10861 		}
10862 
10863 		if (dev) {
10864 			if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
10865 			    !netif_running(dev)) {
10866 				if (rtnl)
10867 					rtnl_unlock();
10868 				return -ENETDOWN;
10869 			}
10870 
10871 			dev_hold(dev);
10872 		} else if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP) {
10873 			if (!wdev->p2p_started) {
10874 				if (rtnl)
10875 					rtnl_unlock();
10876 				return -ENETDOWN;
10877 			}
10878 		}
10879 
10880 		info->user_ptr[0] = rdev;
10881 	}
10882 
10883 	return 0;
10884 }
10885 
10886 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
10887 			      struct genl_info *info)
10888 {
10889 	if (info->user_ptr[1]) {
10890 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
10891 			struct wireless_dev *wdev = info->user_ptr[1];
10892 
10893 			if (wdev->netdev)
10894 				dev_put(wdev->netdev);
10895 		} else {
10896 			dev_put(info->user_ptr[1]);
10897 		}
10898 	}
10899 
10900 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
10901 		rtnl_unlock();
10902 
10903 	/* If needed, clear the netlink message payload from the SKB
10904 	 * as it might contain key data that shouldn't stick around on
10905 	 * the heap after the SKB is freed. The netlink message header
10906 	 * is still needed for further processing, so leave it intact.
10907 	 */
10908 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
10909 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
10910 
10911 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
10912 	}
10913 }
10914 
10915 static const struct genl_ops nl80211_ops[] = {
10916 	{
10917 		.cmd = NL80211_CMD_GET_WIPHY,
10918 		.doit = nl80211_get_wiphy,
10919 		.dumpit = nl80211_dump_wiphy,
10920 		.done = nl80211_dump_wiphy_done,
10921 		.policy = nl80211_policy,
10922 		/* can be retrieved by unprivileged users */
10923 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10924 				  NL80211_FLAG_NEED_RTNL,
10925 	},
10926 	{
10927 		.cmd = NL80211_CMD_SET_WIPHY,
10928 		.doit = nl80211_set_wiphy,
10929 		.policy = nl80211_policy,
10930 		.flags = GENL_ADMIN_PERM,
10931 		.internal_flags = NL80211_FLAG_NEED_RTNL,
10932 	},
10933 	{
10934 		.cmd = NL80211_CMD_GET_INTERFACE,
10935 		.doit = nl80211_get_interface,
10936 		.dumpit = nl80211_dump_interface,
10937 		.policy = nl80211_policy,
10938 		/* can be retrieved by unprivileged users */
10939 		.internal_flags = NL80211_FLAG_NEED_WDEV |
10940 				  NL80211_FLAG_NEED_RTNL,
10941 	},
10942 	{
10943 		.cmd = NL80211_CMD_SET_INTERFACE,
10944 		.doit = nl80211_set_interface,
10945 		.policy = nl80211_policy,
10946 		.flags = GENL_ADMIN_PERM,
10947 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10948 				  NL80211_FLAG_NEED_RTNL,
10949 	},
10950 	{
10951 		.cmd = NL80211_CMD_NEW_INTERFACE,
10952 		.doit = nl80211_new_interface,
10953 		.policy = nl80211_policy,
10954 		.flags = GENL_ADMIN_PERM,
10955 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10956 				  NL80211_FLAG_NEED_RTNL,
10957 	},
10958 	{
10959 		.cmd = NL80211_CMD_DEL_INTERFACE,
10960 		.doit = nl80211_del_interface,
10961 		.policy = nl80211_policy,
10962 		.flags = GENL_ADMIN_PERM,
10963 		.internal_flags = NL80211_FLAG_NEED_WDEV |
10964 				  NL80211_FLAG_NEED_RTNL,
10965 	},
10966 	{
10967 		.cmd = NL80211_CMD_GET_KEY,
10968 		.doit = nl80211_get_key,
10969 		.policy = nl80211_policy,
10970 		.flags = GENL_ADMIN_PERM,
10971 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10972 				  NL80211_FLAG_NEED_RTNL,
10973 	},
10974 	{
10975 		.cmd = NL80211_CMD_SET_KEY,
10976 		.doit = nl80211_set_key,
10977 		.policy = nl80211_policy,
10978 		.flags = GENL_ADMIN_PERM,
10979 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10980 				  NL80211_FLAG_NEED_RTNL |
10981 				  NL80211_FLAG_CLEAR_SKB,
10982 	},
10983 	{
10984 		.cmd = NL80211_CMD_NEW_KEY,
10985 		.doit = nl80211_new_key,
10986 		.policy = nl80211_policy,
10987 		.flags = GENL_ADMIN_PERM,
10988 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10989 				  NL80211_FLAG_NEED_RTNL |
10990 				  NL80211_FLAG_CLEAR_SKB,
10991 	},
10992 	{
10993 		.cmd = NL80211_CMD_DEL_KEY,
10994 		.doit = nl80211_del_key,
10995 		.policy = nl80211_policy,
10996 		.flags = GENL_ADMIN_PERM,
10997 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10998 				  NL80211_FLAG_NEED_RTNL,
10999 	},
11000 	{
11001 		.cmd = NL80211_CMD_SET_BEACON,
11002 		.policy = nl80211_policy,
11003 		.flags = GENL_ADMIN_PERM,
11004 		.doit = nl80211_set_beacon,
11005 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11006 				  NL80211_FLAG_NEED_RTNL,
11007 	},
11008 	{
11009 		.cmd = NL80211_CMD_START_AP,
11010 		.policy = nl80211_policy,
11011 		.flags = GENL_ADMIN_PERM,
11012 		.doit = nl80211_start_ap,
11013 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11014 				  NL80211_FLAG_NEED_RTNL,
11015 	},
11016 	{
11017 		.cmd = NL80211_CMD_STOP_AP,
11018 		.policy = nl80211_policy,
11019 		.flags = GENL_ADMIN_PERM,
11020 		.doit = nl80211_stop_ap,
11021 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11022 				  NL80211_FLAG_NEED_RTNL,
11023 	},
11024 	{
11025 		.cmd = NL80211_CMD_GET_STATION,
11026 		.doit = nl80211_get_station,
11027 		.dumpit = nl80211_dump_station,
11028 		.policy = nl80211_policy,
11029 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11030 				  NL80211_FLAG_NEED_RTNL,
11031 	},
11032 	{
11033 		.cmd = NL80211_CMD_SET_STATION,
11034 		.doit = nl80211_set_station,
11035 		.policy = nl80211_policy,
11036 		.flags = GENL_ADMIN_PERM,
11037 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11038 				  NL80211_FLAG_NEED_RTNL,
11039 	},
11040 	{
11041 		.cmd = NL80211_CMD_NEW_STATION,
11042 		.doit = nl80211_new_station,
11043 		.policy = nl80211_policy,
11044 		.flags = GENL_ADMIN_PERM,
11045 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11046 				  NL80211_FLAG_NEED_RTNL,
11047 	},
11048 	{
11049 		.cmd = NL80211_CMD_DEL_STATION,
11050 		.doit = nl80211_del_station,
11051 		.policy = nl80211_policy,
11052 		.flags = GENL_ADMIN_PERM,
11053 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11054 				  NL80211_FLAG_NEED_RTNL,
11055 	},
11056 	{
11057 		.cmd = NL80211_CMD_GET_MPATH,
11058 		.doit = nl80211_get_mpath,
11059 		.dumpit = nl80211_dump_mpath,
11060 		.policy = nl80211_policy,
11061 		.flags = GENL_ADMIN_PERM,
11062 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11063 				  NL80211_FLAG_NEED_RTNL,
11064 	},
11065 	{
11066 		.cmd = NL80211_CMD_GET_MPP,
11067 		.doit = nl80211_get_mpp,
11068 		.dumpit = nl80211_dump_mpp,
11069 		.policy = nl80211_policy,
11070 		.flags = GENL_ADMIN_PERM,
11071 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11072 				  NL80211_FLAG_NEED_RTNL,
11073 	},
11074 	{
11075 		.cmd = NL80211_CMD_SET_MPATH,
11076 		.doit = nl80211_set_mpath,
11077 		.policy = nl80211_policy,
11078 		.flags = GENL_ADMIN_PERM,
11079 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11080 				  NL80211_FLAG_NEED_RTNL,
11081 	},
11082 	{
11083 		.cmd = NL80211_CMD_NEW_MPATH,
11084 		.doit = nl80211_new_mpath,
11085 		.policy = nl80211_policy,
11086 		.flags = GENL_ADMIN_PERM,
11087 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11088 				  NL80211_FLAG_NEED_RTNL,
11089 	},
11090 	{
11091 		.cmd = NL80211_CMD_DEL_MPATH,
11092 		.doit = nl80211_del_mpath,
11093 		.policy = nl80211_policy,
11094 		.flags = GENL_ADMIN_PERM,
11095 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11096 				  NL80211_FLAG_NEED_RTNL,
11097 	},
11098 	{
11099 		.cmd = NL80211_CMD_SET_BSS,
11100 		.doit = nl80211_set_bss,
11101 		.policy = nl80211_policy,
11102 		.flags = GENL_ADMIN_PERM,
11103 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11104 				  NL80211_FLAG_NEED_RTNL,
11105 	},
11106 	{
11107 		.cmd = NL80211_CMD_GET_REG,
11108 		.doit = nl80211_get_reg_do,
11109 		.dumpit = nl80211_get_reg_dump,
11110 		.policy = nl80211_policy,
11111 		.internal_flags = NL80211_FLAG_NEED_RTNL,
11112 		/* can be retrieved by unprivileged users */
11113 	},
11114 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
11115 	{
11116 		.cmd = NL80211_CMD_SET_REG,
11117 		.doit = nl80211_set_reg,
11118 		.policy = nl80211_policy,
11119 		.flags = GENL_ADMIN_PERM,
11120 		.internal_flags = NL80211_FLAG_NEED_RTNL,
11121 	},
11122 #endif
11123 	{
11124 		.cmd = NL80211_CMD_REQ_SET_REG,
11125 		.doit = nl80211_req_set_reg,
11126 		.policy = nl80211_policy,
11127 		.flags = GENL_ADMIN_PERM,
11128 	},
11129 	{
11130 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
11131 		.doit = nl80211_get_mesh_config,
11132 		.policy = nl80211_policy,
11133 		/* can be retrieved by unprivileged users */
11134 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11135 				  NL80211_FLAG_NEED_RTNL,
11136 	},
11137 	{
11138 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
11139 		.doit = nl80211_update_mesh_config,
11140 		.policy = nl80211_policy,
11141 		.flags = GENL_ADMIN_PERM,
11142 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11143 				  NL80211_FLAG_NEED_RTNL,
11144 	},
11145 	{
11146 		.cmd = NL80211_CMD_TRIGGER_SCAN,
11147 		.doit = nl80211_trigger_scan,
11148 		.policy = nl80211_policy,
11149 		.flags = GENL_ADMIN_PERM,
11150 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11151 				  NL80211_FLAG_NEED_RTNL,
11152 	},
11153 	{
11154 		.cmd = NL80211_CMD_ABORT_SCAN,
11155 		.doit = nl80211_abort_scan,
11156 		.policy = nl80211_policy,
11157 		.flags = GENL_ADMIN_PERM,
11158 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11159 				  NL80211_FLAG_NEED_RTNL,
11160 	},
11161 	{
11162 		.cmd = NL80211_CMD_GET_SCAN,
11163 		.policy = nl80211_policy,
11164 		.dumpit = nl80211_dump_scan,
11165 	},
11166 	{
11167 		.cmd = NL80211_CMD_START_SCHED_SCAN,
11168 		.doit = nl80211_start_sched_scan,
11169 		.policy = nl80211_policy,
11170 		.flags = GENL_ADMIN_PERM,
11171 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11172 				  NL80211_FLAG_NEED_RTNL,
11173 	},
11174 	{
11175 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
11176 		.doit = nl80211_stop_sched_scan,
11177 		.policy = nl80211_policy,
11178 		.flags = GENL_ADMIN_PERM,
11179 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11180 				  NL80211_FLAG_NEED_RTNL,
11181 	},
11182 	{
11183 		.cmd = NL80211_CMD_AUTHENTICATE,
11184 		.doit = nl80211_authenticate,
11185 		.policy = nl80211_policy,
11186 		.flags = GENL_ADMIN_PERM,
11187 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11188 				  NL80211_FLAG_NEED_RTNL |
11189 				  NL80211_FLAG_CLEAR_SKB,
11190 	},
11191 	{
11192 		.cmd = NL80211_CMD_ASSOCIATE,
11193 		.doit = nl80211_associate,
11194 		.policy = nl80211_policy,
11195 		.flags = GENL_ADMIN_PERM,
11196 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11197 				  NL80211_FLAG_NEED_RTNL,
11198 	},
11199 	{
11200 		.cmd = NL80211_CMD_DEAUTHENTICATE,
11201 		.doit = nl80211_deauthenticate,
11202 		.policy = nl80211_policy,
11203 		.flags = GENL_ADMIN_PERM,
11204 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11205 				  NL80211_FLAG_NEED_RTNL,
11206 	},
11207 	{
11208 		.cmd = NL80211_CMD_DISASSOCIATE,
11209 		.doit = nl80211_disassociate,
11210 		.policy = nl80211_policy,
11211 		.flags = GENL_ADMIN_PERM,
11212 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11213 				  NL80211_FLAG_NEED_RTNL,
11214 	},
11215 	{
11216 		.cmd = NL80211_CMD_JOIN_IBSS,
11217 		.doit = nl80211_join_ibss,
11218 		.policy = nl80211_policy,
11219 		.flags = GENL_ADMIN_PERM,
11220 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11221 				  NL80211_FLAG_NEED_RTNL,
11222 	},
11223 	{
11224 		.cmd = NL80211_CMD_LEAVE_IBSS,
11225 		.doit = nl80211_leave_ibss,
11226 		.policy = nl80211_policy,
11227 		.flags = GENL_ADMIN_PERM,
11228 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11229 				  NL80211_FLAG_NEED_RTNL,
11230 	},
11231 #ifdef CONFIG_NL80211_TESTMODE
11232 	{
11233 		.cmd = NL80211_CMD_TESTMODE,
11234 		.doit = nl80211_testmode_do,
11235 		.dumpit = nl80211_testmode_dump,
11236 		.policy = nl80211_policy,
11237 		.flags = GENL_ADMIN_PERM,
11238 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11239 				  NL80211_FLAG_NEED_RTNL,
11240 	},
11241 #endif
11242 	{
11243 		.cmd = NL80211_CMD_CONNECT,
11244 		.doit = nl80211_connect,
11245 		.policy = nl80211_policy,
11246 		.flags = GENL_ADMIN_PERM,
11247 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11248 				  NL80211_FLAG_NEED_RTNL,
11249 	},
11250 	{
11251 		.cmd = NL80211_CMD_DISCONNECT,
11252 		.doit = nl80211_disconnect,
11253 		.policy = nl80211_policy,
11254 		.flags = GENL_ADMIN_PERM,
11255 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11256 				  NL80211_FLAG_NEED_RTNL,
11257 	},
11258 	{
11259 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
11260 		.doit = nl80211_wiphy_netns,
11261 		.policy = nl80211_policy,
11262 		.flags = GENL_ADMIN_PERM,
11263 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11264 				  NL80211_FLAG_NEED_RTNL,
11265 	},
11266 	{
11267 		.cmd = NL80211_CMD_GET_SURVEY,
11268 		.policy = nl80211_policy,
11269 		.dumpit = nl80211_dump_survey,
11270 	},
11271 	{
11272 		.cmd = NL80211_CMD_SET_PMKSA,
11273 		.doit = nl80211_setdel_pmksa,
11274 		.policy = nl80211_policy,
11275 		.flags = GENL_ADMIN_PERM,
11276 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11277 				  NL80211_FLAG_NEED_RTNL,
11278 	},
11279 	{
11280 		.cmd = NL80211_CMD_DEL_PMKSA,
11281 		.doit = nl80211_setdel_pmksa,
11282 		.policy = nl80211_policy,
11283 		.flags = GENL_ADMIN_PERM,
11284 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11285 				  NL80211_FLAG_NEED_RTNL,
11286 	},
11287 	{
11288 		.cmd = NL80211_CMD_FLUSH_PMKSA,
11289 		.doit = nl80211_flush_pmksa,
11290 		.policy = nl80211_policy,
11291 		.flags = GENL_ADMIN_PERM,
11292 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11293 				  NL80211_FLAG_NEED_RTNL,
11294 	},
11295 	{
11296 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
11297 		.doit = nl80211_remain_on_channel,
11298 		.policy = nl80211_policy,
11299 		.flags = GENL_ADMIN_PERM,
11300 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11301 				  NL80211_FLAG_NEED_RTNL,
11302 	},
11303 	{
11304 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
11305 		.doit = nl80211_cancel_remain_on_channel,
11306 		.policy = nl80211_policy,
11307 		.flags = GENL_ADMIN_PERM,
11308 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11309 				  NL80211_FLAG_NEED_RTNL,
11310 	},
11311 	{
11312 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
11313 		.doit = nl80211_set_tx_bitrate_mask,
11314 		.policy = nl80211_policy,
11315 		.flags = GENL_ADMIN_PERM,
11316 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11317 				  NL80211_FLAG_NEED_RTNL,
11318 	},
11319 	{
11320 		.cmd = NL80211_CMD_REGISTER_FRAME,
11321 		.doit = nl80211_register_mgmt,
11322 		.policy = nl80211_policy,
11323 		.flags = GENL_ADMIN_PERM,
11324 		.internal_flags = NL80211_FLAG_NEED_WDEV |
11325 				  NL80211_FLAG_NEED_RTNL,
11326 	},
11327 	{
11328 		.cmd = NL80211_CMD_FRAME,
11329 		.doit = nl80211_tx_mgmt,
11330 		.policy = nl80211_policy,
11331 		.flags = GENL_ADMIN_PERM,
11332 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11333 				  NL80211_FLAG_NEED_RTNL,
11334 	},
11335 	{
11336 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
11337 		.doit = nl80211_tx_mgmt_cancel_wait,
11338 		.policy = nl80211_policy,
11339 		.flags = GENL_ADMIN_PERM,
11340 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11341 				  NL80211_FLAG_NEED_RTNL,
11342 	},
11343 	{
11344 		.cmd = NL80211_CMD_SET_POWER_SAVE,
11345 		.doit = nl80211_set_power_save,
11346 		.policy = nl80211_policy,
11347 		.flags = GENL_ADMIN_PERM,
11348 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11349 				  NL80211_FLAG_NEED_RTNL,
11350 	},
11351 	{
11352 		.cmd = NL80211_CMD_GET_POWER_SAVE,
11353 		.doit = nl80211_get_power_save,
11354 		.policy = nl80211_policy,
11355 		/* can be retrieved by unprivileged users */
11356 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11357 				  NL80211_FLAG_NEED_RTNL,
11358 	},
11359 	{
11360 		.cmd = NL80211_CMD_SET_CQM,
11361 		.doit = nl80211_set_cqm,
11362 		.policy = nl80211_policy,
11363 		.flags = GENL_ADMIN_PERM,
11364 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11365 				  NL80211_FLAG_NEED_RTNL,
11366 	},
11367 	{
11368 		.cmd = NL80211_CMD_SET_CHANNEL,
11369 		.doit = nl80211_set_channel,
11370 		.policy = nl80211_policy,
11371 		.flags = GENL_ADMIN_PERM,
11372 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11373 				  NL80211_FLAG_NEED_RTNL,
11374 	},
11375 	{
11376 		.cmd = NL80211_CMD_SET_WDS_PEER,
11377 		.doit = nl80211_set_wds_peer,
11378 		.policy = nl80211_policy,
11379 		.flags = GENL_ADMIN_PERM,
11380 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11381 				  NL80211_FLAG_NEED_RTNL,
11382 	},
11383 	{
11384 		.cmd = NL80211_CMD_JOIN_MESH,
11385 		.doit = nl80211_join_mesh,
11386 		.policy = nl80211_policy,
11387 		.flags = GENL_ADMIN_PERM,
11388 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11389 				  NL80211_FLAG_NEED_RTNL,
11390 	},
11391 	{
11392 		.cmd = NL80211_CMD_LEAVE_MESH,
11393 		.doit = nl80211_leave_mesh,
11394 		.policy = nl80211_policy,
11395 		.flags = GENL_ADMIN_PERM,
11396 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11397 				  NL80211_FLAG_NEED_RTNL,
11398 	},
11399 	{
11400 		.cmd = NL80211_CMD_JOIN_OCB,
11401 		.doit = nl80211_join_ocb,
11402 		.policy = nl80211_policy,
11403 		.flags = GENL_ADMIN_PERM,
11404 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11405 				  NL80211_FLAG_NEED_RTNL,
11406 	},
11407 	{
11408 		.cmd = NL80211_CMD_LEAVE_OCB,
11409 		.doit = nl80211_leave_ocb,
11410 		.policy = nl80211_policy,
11411 		.flags = GENL_ADMIN_PERM,
11412 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11413 				  NL80211_FLAG_NEED_RTNL,
11414 	},
11415 #ifdef CONFIG_PM
11416 	{
11417 		.cmd = NL80211_CMD_GET_WOWLAN,
11418 		.doit = nl80211_get_wowlan,
11419 		.policy = nl80211_policy,
11420 		/* can be retrieved by unprivileged users */
11421 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11422 				  NL80211_FLAG_NEED_RTNL,
11423 	},
11424 	{
11425 		.cmd = NL80211_CMD_SET_WOWLAN,
11426 		.doit = nl80211_set_wowlan,
11427 		.policy = nl80211_policy,
11428 		.flags = GENL_ADMIN_PERM,
11429 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11430 				  NL80211_FLAG_NEED_RTNL,
11431 	},
11432 #endif
11433 	{
11434 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
11435 		.doit = nl80211_set_rekey_data,
11436 		.policy = nl80211_policy,
11437 		.flags = GENL_ADMIN_PERM,
11438 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11439 				  NL80211_FLAG_NEED_RTNL |
11440 				  NL80211_FLAG_CLEAR_SKB,
11441 	},
11442 	{
11443 		.cmd = NL80211_CMD_TDLS_MGMT,
11444 		.doit = nl80211_tdls_mgmt,
11445 		.policy = nl80211_policy,
11446 		.flags = GENL_ADMIN_PERM,
11447 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11448 				  NL80211_FLAG_NEED_RTNL,
11449 	},
11450 	{
11451 		.cmd = NL80211_CMD_TDLS_OPER,
11452 		.doit = nl80211_tdls_oper,
11453 		.policy = nl80211_policy,
11454 		.flags = GENL_ADMIN_PERM,
11455 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11456 				  NL80211_FLAG_NEED_RTNL,
11457 	},
11458 	{
11459 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
11460 		.doit = nl80211_register_unexpected_frame,
11461 		.policy = nl80211_policy,
11462 		.flags = GENL_ADMIN_PERM,
11463 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11464 				  NL80211_FLAG_NEED_RTNL,
11465 	},
11466 	{
11467 		.cmd = NL80211_CMD_PROBE_CLIENT,
11468 		.doit = nl80211_probe_client,
11469 		.policy = nl80211_policy,
11470 		.flags = GENL_ADMIN_PERM,
11471 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11472 				  NL80211_FLAG_NEED_RTNL,
11473 	},
11474 	{
11475 		.cmd = NL80211_CMD_REGISTER_BEACONS,
11476 		.doit = nl80211_register_beacons,
11477 		.policy = nl80211_policy,
11478 		.flags = GENL_ADMIN_PERM,
11479 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11480 				  NL80211_FLAG_NEED_RTNL,
11481 	},
11482 	{
11483 		.cmd = NL80211_CMD_SET_NOACK_MAP,
11484 		.doit = nl80211_set_noack_map,
11485 		.policy = nl80211_policy,
11486 		.flags = GENL_ADMIN_PERM,
11487 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11488 				  NL80211_FLAG_NEED_RTNL,
11489 	},
11490 	{
11491 		.cmd = NL80211_CMD_START_P2P_DEVICE,
11492 		.doit = nl80211_start_p2p_device,
11493 		.policy = nl80211_policy,
11494 		.flags = GENL_ADMIN_PERM,
11495 		.internal_flags = NL80211_FLAG_NEED_WDEV |
11496 				  NL80211_FLAG_NEED_RTNL,
11497 	},
11498 	{
11499 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
11500 		.doit = nl80211_stop_p2p_device,
11501 		.policy = nl80211_policy,
11502 		.flags = GENL_ADMIN_PERM,
11503 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11504 				  NL80211_FLAG_NEED_RTNL,
11505 	},
11506 	{
11507 		.cmd = NL80211_CMD_SET_MCAST_RATE,
11508 		.doit = nl80211_set_mcast_rate,
11509 		.policy = nl80211_policy,
11510 		.flags = GENL_ADMIN_PERM,
11511 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11512 				  NL80211_FLAG_NEED_RTNL,
11513 	},
11514 	{
11515 		.cmd = NL80211_CMD_SET_MAC_ACL,
11516 		.doit = nl80211_set_mac_acl,
11517 		.policy = nl80211_policy,
11518 		.flags = GENL_ADMIN_PERM,
11519 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11520 				  NL80211_FLAG_NEED_RTNL,
11521 	},
11522 	{
11523 		.cmd = NL80211_CMD_RADAR_DETECT,
11524 		.doit = nl80211_start_radar_detection,
11525 		.policy = nl80211_policy,
11526 		.flags = GENL_ADMIN_PERM,
11527 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11528 				  NL80211_FLAG_NEED_RTNL,
11529 	},
11530 	{
11531 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
11532 		.doit = nl80211_get_protocol_features,
11533 		.policy = nl80211_policy,
11534 	},
11535 	{
11536 		.cmd = NL80211_CMD_UPDATE_FT_IES,
11537 		.doit = nl80211_update_ft_ies,
11538 		.policy = nl80211_policy,
11539 		.flags = GENL_ADMIN_PERM,
11540 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11541 				  NL80211_FLAG_NEED_RTNL,
11542 	},
11543 	{
11544 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
11545 		.doit = nl80211_crit_protocol_start,
11546 		.policy = nl80211_policy,
11547 		.flags = GENL_ADMIN_PERM,
11548 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11549 				  NL80211_FLAG_NEED_RTNL,
11550 	},
11551 	{
11552 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
11553 		.doit = nl80211_crit_protocol_stop,
11554 		.policy = nl80211_policy,
11555 		.flags = GENL_ADMIN_PERM,
11556 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11557 				  NL80211_FLAG_NEED_RTNL,
11558 	},
11559 	{
11560 		.cmd = NL80211_CMD_GET_COALESCE,
11561 		.doit = nl80211_get_coalesce,
11562 		.policy = nl80211_policy,
11563 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11564 				  NL80211_FLAG_NEED_RTNL,
11565 	},
11566 	{
11567 		.cmd = NL80211_CMD_SET_COALESCE,
11568 		.doit = nl80211_set_coalesce,
11569 		.policy = nl80211_policy,
11570 		.flags = GENL_ADMIN_PERM,
11571 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11572 				  NL80211_FLAG_NEED_RTNL,
11573 	},
11574 	{
11575 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
11576 		.doit = nl80211_channel_switch,
11577 		.policy = nl80211_policy,
11578 		.flags = GENL_ADMIN_PERM,
11579 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11580 				  NL80211_FLAG_NEED_RTNL,
11581 	},
11582 	{
11583 		.cmd = NL80211_CMD_VENDOR,
11584 		.doit = nl80211_vendor_cmd,
11585 		.dumpit = nl80211_vendor_cmd_dump,
11586 		.policy = nl80211_policy,
11587 		.flags = GENL_ADMIN_PERM,
11588 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11589 				  NL80211_FLAG_NEED_RTNL,
11590 	},
11591 	{
11592 		.cmd = NL80211_CMD_SET_QOS_MAP,
11593 		.doit = nl80211_set_qos_map,
11594 		.policy = nl80211_policy,
11595 		.flags = GENL_ADMIN_PERM,
11596 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11597 				  NL80211_FLAG_NEED_RTNL,
11598 	},
11599 	{
11600 		.cmd = NL80211_CMD_ADD_TX_TS,
11601 		.doit = nl80211_add_tx_ts,
11602 		.policy = nl80211_policy,
11603 		.flags = GENL_ADMIN_PERM,
11604 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11605 				  NL80211_FLAG_NEED_RTNL,
11606 	},
11607 	{
11608 		.cmd = NL80211_CMD_DEL_TX_TS,
11609 		.doit = nl80211_del_tx_ts,
11610 		.policy = nl80211_policy,
11611 		.flags = GENL_ADMIN_PERM,
11612 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11613 				  NL80211_FLAG_NEED_RTNL,
11614 	},
11615 	{
11616 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
11617 		.doit = nl80211_tdls_channel_switch,
11618 		.policy = nl80211_policy,
11619 		.flags = GENL_ADMIN_PERM,
11620 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11621 				  NL80211_FLAG_NEED_RTNL,
11622 	},
11623 	{
11624 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
11625 		.doit = nl80211_tdls_cancel_channel_switch,
11626 		.policy = nl80211_policy,
11627 		.flags = GENL_ADMIN_PERM,
11628 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11629 				  NL80211_FLAG_NEED_RTNL,
11630 	},
11631 };
11632 
11633 /* notification functions */
11634 
11635 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
11636 			  enum nl80211_commands cmd)
11637 {
11638 	struct sk_buff *msg;
11639 	struct nl80211_dump_wiphy_state state = {};
11640 
11641 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
11642 		cmd != NL80211_CMD_DEL_WIPHY);
11643 
11644 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11645 	if (!msg)
11646 		return;
11647 
11648 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
11649 		nlmsg_free(msg);
11650 		return;
11651 	}
11652 
11653 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11654 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
11655 }
11656 
11657 static int nl80211_add_scan_req(struct sk_buff *msg,
11658 				struct cfg80211_registered_device *rdev)
11659 {
11660 	struct cfg80211_scan_request *req = rdev->scan_req;
11661 	struct nlattr *nest;
11662 	int i;
11663 
11664 	if (WARN_ON(!req))
11665 		return 0;
11666 
11667 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_SSIDS);
11668 	if (!nest)
11669 		goto nla_put_failure;
11670 	for (i = 0; i < req->n_ssids; i++) {
11671 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
11672 			goto nla_put_failure;
11673 	}
11674 	nla_nest_end(msg, nest);
11675 
11676 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
11677 	if (!nest)
11678 		goto nla_put_failure;
11679 	for (i = 0; i < req->n_channels; i++) {
11680 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
11681 			goto nla_put_failure;
11682 	}
11683 	nla_nest_end(msg, nest);
11684 
11685 	if (req->ie &&
11686 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
11687 		goto nla_put_failure;
11688 
11689 	if (req->flags &&
11690 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
11691 		goto nla_put_failure;
11692 
11693 	return 0;
11694  nla_put_failure:
11695 	return -ENOBUFS;
11696 }
11697 
11698 static int nl80211_send_scan_msg(struct sk_buff *msg,
11699 				 struct cfg80211_registered_device *rdev,
11700 				 struct wireless_dev *wdev,
11701 				 u32 portid, u32 seq, int flags,
11702 				 u32 cmd)
11703 {
11704 	void *hdr;
11705 
11706 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
11707 	if (!hdr)
11708 		return -1;
11709 
11710 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11711 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
11712 					 wdev->netdev->ifindex)) ||
11713 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
11714 		goto nla_put_failure;
11715 
11716 	/* ignore errors and send incomplete event anyway */
11717 	nl80211_add_scan_req(msg, rdev);
11718 
11719 	genlmsg_end(msg, hdr);
11720 	return 0;
11721 
11722  nla_put_failure:
11723 	genlmsg_cancel(msg, hdr);
11724 	return -EMSGSIZE;
11725 }
11726 
11727 static int
11728 nl80211_send_sched_scan_msg(struct sk_buff *msg,
11729 			    struct cfg80211_registered_device *rdev,
11730 			    struct net_device *netdev,
11731 			    u32 portid, u32 seq, int flags, u32 cmd)
11732 {
11733 	void *hdr;
11734 
11735 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
11736 	if (!hdr)
11737 		return -1;
11738 
11739 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11740 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
11741 		goto nla_put_failure;
11742 
11743 	genlmsg_end(msg, hdr);
11744 	return 0;
11745 
11746  nla_put_failure:
11747 	genlmsg_cancel(msg, hdr);
11748 	return -EMSGSIZE;
11749 }
11750 
11751 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
11752 			     struct wireless_dev *wdev)
11753 {
11754 	struct sk_buff *msg;
11755 
11756 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11757 	if (!msg)
11758 		return;
11759 
11760 	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
11761 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
11762 		nlmsg_free(msg);
11763 		return;
11764 	}
11765 
11766 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11767 				NL80211_MCGRP_SCAN, GFP_KERNEL);
11768 }
11769 
11770 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
11771 				       struct wireless_dev *wdev, bool aborted)
11772 {
11773 	struct sk_buff *msg;
11774 
11775 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11776 	if (!msg)
11777 		return NULL;
11778 
11779 	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
11780 				  aborted ? NL80211_CMD_SCAN_ABORTED :
11781 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
11782 		nlmsg_free(msg);
11783 		return NULL;
11784 	}
11785 
11786 	return msg;
11787 }
11788 
11789 void nl80211_send_scan_result(struct cfg80211_registered_device *rdev,
11790 			      struct sk_buff *msg)
11791 {
11792 	if (!msg)
11793 		return;
11794 
11795 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11796 				NL80211_MCGRP_SCAN, GFP_KERNEL);
11797 }
11798 
11799 void nl80211_send_sched_scan_results(struct cfg80211_registered_device *rdev,
11800 				     struct net_device *netdev)
11801 {
11802 	struct sk_buff *msg;
11803 
11804 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11805 	if (!msg)
11806 		return;
11807 
11808 	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0,
11809 					NL80211_CMD_SCHED_SCAN_RESULTS) < 0) {
11810 		nlmsg_free(msg);
11811 		return;
11812 	}
11813 
11814 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11815 				NL80211_MCGRP_SCAN, GFP_KERNEL);
11816 }
11817 
11818 void nl80211_send_sched_scan(struct cfg80211_registered_device *rdev,
11819 			     struct net_device *netdev, u32 cmd)
11820 {
11821 	struct sk_buff *msg;
11822 
11823 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11824 	if (!msg)
11825 		return;
11826 
11827 	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0, cmd) < 0) {
11828 		nlmsg_free(msg);
11829 		return;
11830 	}
11831 
11832 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11833 				NL80211_MCGRP_SCAN, GFP_KERNEL);
11834 }
11835 
11836 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
11837 					  struct regulatory_request *request)
11838 {
11839 	/* Userspace can always count this one always being set */
11840 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
11841 		goto nla_put_failure;
11842 
11843 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
11844 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
11845 			       NL80211_REGDOM_TYPE_WORLD))
11846 			goto nla_put_failure;
11847 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
11848 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
11849 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
11850 			goto nla_put_failure;
11851 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
11852 		   request->intersect) {
11853 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
11854 			       NL80211_REGDOM_TYPE_INTERSECTION))
11855 			goto nla_put_failure;
11856 	} else {
11857 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
11858 			       NL80211_REGDOM_TYPE_COUNTRY) ||
11859 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
11860 				   request->alpha2))
11861 			goto nla_put_failure;
11862 	}
11863 
11864 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
11865 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
11866 
11867 		if (wiphy &&
11868 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
11869 			goto nla_put_failure;
11870 
11871 		if (wiphy &&
11872 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
11873 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
11874 			goto nla_put_failure;
11875 	}
11876 
11877 	return true;
11878 
11879 nla_put_failure:
11880 	return false;
11881 }
11882 
11883 /*
11884  * This can happen on global regulatory changes or device specific settings
11885  * based on custom regulatory domains.
11886  */
11887 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
11888 				     struct regulatory_request *request)
11889 {
11890 	struct sk_buff *msg;
11891 	void *hdr;
11892 
11893 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11894 	if (!msg)
11895 		return;
11896 
11897 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
11898 	if (!hdr) {
11899 		nlmsg_free(msg);
11900 		return;
11901 	}
11902 
11903 	if (nl80211_reg_change_event_fill(msg, request) == false)
11904 		goto nla_put_failure;
11905 
11906 	genlmsg_end(msg, hdr);
11907 
11908 	rcu_read_lock();
11909 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
11910 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
11911 	rcu_read_unlock();
11912 
11913 	return;
11914 
11915 nla_put_failure:
11916 	genlmsg_cancel(msg, hdr);
11917 	nlmsg_free(msg);
11918 }
11919 
11920 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
11921 				    struct net_device *netdev,
11922 				    const u8 *buf, size_t len,
11923 				    enum nl80211_commands cmd, gfp_t gfp,
11924 				    int uapsd_queues)
11925 {
11926 	struct sk_buff *msg;
11927 	void *hdr;
11928 
11929 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11930 	if (!msg)
11931 		return;
11932 
11933 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
11934 	if (!hdr) {
11935 		nlmsg_free(msg);
11936 		return;
11937 	}
11938 
11939 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11940 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11941 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf))
11942 		goto nla_put_failure;
11943 
11944 	if (uapsd_queues >= 0) {
11945 		struct nlattr *nla_wmm =
11946 			nla_nest_start(msg, NL80211_ATTR_STA_WME);
11947 		if (!nla_wmm)
11948 			goto nla_put_failure;
11949 
11950 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
11951 			       uapsd_queues))
11952 			goto nla_put_failure;
11953 
11954 		nla_nest_end(msg, nla_wmm);
11955 	}
11956 
11957 	genlmsg_end(msg, hdr);
11958 
11959 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11960 				NL80211_MCGRP_MLME, gfp);
11961 	return;
11962 
11963  nla_put_failure:
11964 	genlmsg_cancel(msg, hdr);
11965 	nlmsg_free(msg);
11966 }
11967 
11968 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
11969 			  struct net_device *netdev, const u8 *buf,
11970 			  size_t len, gfp_t gfp)
11971 {
11972 	nl80211_send_mlme_event(rdev, netdev, buf, len,
11973 				NL80211_CMD_AUTHENTICATE, gfp, -1);
11974 }
11975 
11976 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
11977 			   struct net_device *netdev, const u8 *buf,
11978 			   size_t len, gfp_t gfp, int uapsd_queues)
11979 {
11980 	nl80211_send_mlme_event(rdev, netdev, buf, len,
11981 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues);
11982 }
11983 
11984 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
11985 			 struct net_device *netdev, const u8 *buf,
11986 			 size_t len, gfp_t gfp)
11987 {
11988 	nl80211_send_mlme_event(rdev, netdev, buf, len,
11989 				NL80211_CMD_DEAUTHENTICATE, gfp, -1);
11990 }
11991 
11992 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
11993 			   struct net_device *netdev, const u8 *buf,
11994 			   size_t len, gfp_t gfp)
11995 {
11996 	nl80211_send_mlme_event(rdev, netdev, buf, len,
11997 				NL80211_CMD_DISASSOCIATE, gfp, -1);
11998 }
11999 
12000 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
12001 				  size_t len)
12002 {
12003 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12004 	struct wiphy *wiphy = wdev->wiphy;
12005 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12006 	const struct ieee80211_mgmt *mgmt = (void *)buf;
12007 	u32 cmd;
12008 
12009 	if (WARN_ON(len < 2))
12010 		return;
12011 
12012 	if (ieee80211_is_deauth(mgmt->frame_control))
12013 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
12014 	else
12015 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
12016 
12017 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
12018 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1);
12019 }
12020 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
12021 
12022 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
12023 				      struct net_device *netdev, int cmd,
12024 				      const u8 *addr, gfp_t gfp)
12025 {
12026 	struct sk_buff *msg;
12027 	void *hdr;
12028 
12029 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12030 	if (!msg)
12031 		return;
12032 
12033 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
12034 	if (!hdr) {
12035 		nlmsg_free(msg);
12036 		return;
12037 	}
12038 
12039 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12040 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12041 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
12042 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
12043 		goto nla_put_failure;
12044 
12045 	genlmsg_end(msg, hdr);
12046 
12047 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12048 				NL80211_MCGRP_MLME, gfp);
12049 	return;
12050 
12051  nla_put_failure:
12052 	genlmsg_cancel(msg, hdr);
12053 	nlmsg_free(msg);
12054 }
12055 
12056 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
12057 			       struct net_device *netdev, const u8 *addr,
12058 			       gfp_t gfp)
12059 {
12060 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
12061 				  addr, gfp);
12062 }
12063 
12064 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
12065 				struct net_device *netdev, const u8 *addr,
12066 				gfp_t gfp)
12067 {
12068 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
12069 				  addr, gfp);
12070 }
12071 
12072 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
12073 				 struct net_device *netdev, const u8 *bssid,
12074 				 const u8 *req_ie, size_t req_ie_len,
12075 				 const u8 *resp_ie, size_t resp_ie_len,
12076 				 u16 status, gfp_t gfp)
12077 {
12078 	struct sk_buff *msg;
12079 	void *hdr;
12080 
12081 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12082 	if (!msg)
12083 		return;
12084 
12085 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
12086 	if (!hdr) {
12087 		nlmsg_free(msg);
12088 		return;
12089 	}
12090 
12091 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12092 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12093 	    (bssid && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid)) ||
12094 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE, status) ||
12095 	    (req_ie &&
12096 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
12097 	    (resp_ie &&
12098 	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
12099 		goto nla_put_failure;
12100 
12101 	genlmsg_end(msg, hdr);
12102 
12103 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12104 				NL80211_MCGRP_MLME, gfp);
12105 	return;
12106 
12107  nla_put_failure:
12108 	genlmsg_cancel(msg, hdr);
12109 	nlmsg_free(msg);
12110 
12111 }
12112 
12113 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
12114 			 struct net_device *netdev, const u8 *bssid,
12115 			 const u8 *req_ie, size_t req_ie_len,
12116 			 const u8 *resp_ie, size_t resp_ie_len, gfp_t gfp)
12117 {
12118 	struct sk_buff *msg;
12119 	void *hdr;
12120 
12121 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12122 	if (!msg)
12123 		return;
12124 
12125 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
12126 	if (!hdr) {
12127 		nlmsg_free(msg);
12128 		return;
12129 	}
12130 
12131 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12132 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12133 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
12134 	    (req_ie &&
12135 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
12136 	    (resp_ie &&
12137 	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
12138 		goto nla_put_failure;
12139 
12140 	genlmsg_end(msg, hdr);
12141 
12142 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12143 				NL80211_MCGRP_MLME, gfp);
12144 	return;
12145 
12146  nla_put_failure:
12147 	genlmsg_cancel(msg, hdr);
12148 	nlmsg_free(msg);
12149 
12150 }
12151 
12152 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
12153 			       struct net_device *netdev, u16 reason,
12154 			       const u8 *ie, size_t ie_len, bool from_ap)
12155 {
12156 	struct sk_buff *msg;
12157 	void *hdr;
12158 
12159 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12160 	if (!msg)
12161 		return;
12162 
12163 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
12164 	if (!hdr) {
12165 		nlmsg_free(msg);
12166 		return;
12167 	}
12168 
12169 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12170 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12171 	    (from_ap && reason &&
12172 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
12173 	    (from_ap &&
12174 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
12175 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
12176 		goto nla_put_failure;
12177 
12178 	genlmsg_end(msg, hdr);
12179 
12180 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12181 				NL80211_MCGRP_MLME, GFP_KERNEL);
12182 	return;
12183 
12184  nla_put_failure:
12185 	genlmsg_cancel(msg, hdr);
12186 	nlmsg_free(msg);
12187 
12188 }
12189 
12190 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
12191 			     struct net_device *netdev, const u8 *bssid,
12192 			     gfp_t gfp)
12193 {
12194 	struct sk_buff *msg;
12195 	void *hdr;
12196 
12197 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12198 	if (!msg)
12199 		return;
12200 
12201 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
12202 	if (!hdr) {
12203 		nlmsg_free(msg);
12204 		return;
12205 	}
12206 
12207 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12208 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12209 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
12210 		goto nla_put_failure;
12211 
12212 	genlmsg_end(msg, hdr);
12213 
12214 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12215 				NL80211_MCGRP_MLME, gfp);
12216 	return;
12217 
12218  nla_put_failure:
12219 	genlmsg_cancel(msg, hdr);
12220 	nlmsg_free(msg);
12221 }
12222 
12223 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
12224 					const u8* ie, u8 ie_len, gfp_t gfp)
12225 {
12226 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12227 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
12228 	struct sk_buff *msg;
12229 	void *hdr;
12230 
12231 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
12232 		return;
12233 
12234 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
12235 
12236 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12237 	if (!msg)
12238 		return;
12239 
12240 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
12241 	if (!hdr) {
12242 		nlmsg_free(msg);
12243 		return;
12244 	}
12245 
12246 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12247 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
12248 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
12249 	    (ie_len && ie &&
12250 	     nla_put(msg, NL80211_ATTR_IE, ie_len , ie)))
12251 		goto nla_put_failure;
12252 
12253 	genlmsg_end(msg, hdr);
12254 
12255 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12256 				NL80211_MCGRP_MLME, gfp);
12257 	return;
12258 
12259  nla_put_failure:
12260 	genlmsg_cancel(msg, hdr);
12261 	nlmsg_free(msg);
12262 }
12263 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
12264 
12265 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
12266 				 struct net_device *netdev, const u8 *addr,
12267 				 enum nl80211_key_type key_type, int key_id,
12268 				 const u8 *tsc, gfp_t gfp)
12269 {
12270 	struct sk_buff *msg;
12271 	void *hdr;
12272 
12273 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12274 	if (!msg)
12275 		return;
12276 
12277 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
12278 	if (!hdr) {
12279 		nlmsg_free(msg);
12280 		return;
12281 	}
12282 
12283 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12284 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12285 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
12286 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
12287 	    (key_id != -1 &&
12288 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
12289 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
12290 		goto nla_put_failure;
12291 
12292 	genlmsg_end(msg, hdr);
12293 
12294 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12295 				NL80211_MCGRP_MLME, gfp);
12296 	return;
12297 
12298  nla_put_failure:
12299 	genlmsg_cancel(msg, hdr);
12300 	nlmsg_free(msg);
12301 }
12302 
12303 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
12304 				    struct ieee80211_channel *channel_before,
12305 				    struct ieee80211_channel *channel_after)
12306 {
12307 	struct sk_buff *msg;
12308 	void *hdr;
12309 	struct nlattr *nl_freq;
12310 
12311 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
12312 	if (!msg)
12313 		return;
12314 
12315 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
12316 	if (!hdr) {
12317 		nlmsg_free(msg);
12318 		return;
12319 	}
12320 
12321 	/*
12322 	 * Since we are applying the beacon hint to a wiphy we know its
12323 	 * wiphy_idx is valid
12324 	 */
12325 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
12326 		goto nla_put_failure;
12327 
12328 	/* Before */
12329 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_BEFORE);
12330 	if (!nl_freq)
12331 		goto nla_put_failure;
12332 	if (nl80211_msg_put_channel(msg, channel_before, false))
12333 		goto nla_put_failure;
12334 	nla_nest_end(msg, nl_freq);
12335 
12336 	/* After */
12337 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_AFTER);
12338 	if (!nl_freq)
12339 		goto nla_put_failure;
12340 	if (nl80211_msg_put_channel(msg, channel_after, false))
12341 		goto nla_put_failure;
12342 	nla_nest_end(msg, nl_freq);
12343 
12344 	genlmsg_end(msg, hdr);
12345 
12346 	rcu_read_lock();
12347 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
12348 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
12349 	rcu_read_unlock();
12350 
12351 	return;
12352 
12353 nla_put_failure:
12354 	genlmsg_cancel(msg, hdr);
12355 	nlmsg_free(msg);
12356 }
12357 
12358 static void nl80211_send_remain_on_chan_event(
12359 	int cmd, struct cfg80211_registered_device *rdev,
12360 	struct wireless_dev *wdev, u64 cookie,
12361 	struct ieee80211_channel *chan,
12362 	unsigned int duration, gfp_t gfp)
12363 {
12364 	struct sk_buff *msg;
12365 	void *hdr;
12366 
12367 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12368 	if (!msg)
12369 		return;
12370 
12371 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
12372 	if (!hdr) {
12373 		nlmsg_free(msg);
12374 		return;
12375 	}
12376 
12377 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12378 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12379 					 wdev->netdev->ifindex)) ||
12380 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
12381 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
12382 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
12383 			NL80211_CHAN_NO_HT) ||
12384 	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
12385 		goto nla_put_failure;
12386 
12387 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
12388 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
12389 		goto nla_put_failure;
12390 
12391 	genlmsg_end(msg, hdr);
12392 
12393 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12394 				NL80211_MCGRP_MLME, gfp);
12395 	return;
12396 
12397  nla_put_failure:
12398 	genlmsg_cancel(msg, hdr);
12399 	nlmsg_free(msg);
12400 }
12401 
12402 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
12403 			       struct ieee80211_channel *chan,
12404 			       unsigned int duration, gfp_t gfp)
12405 {
12406 	struct wiphy *wiphy = wdev->wiphy;
12407 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12408 
12409 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
12410 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
12411 					  rdev, wdev, cookie, chan,
12412 					  duration, gfp);
12413 }
12414 EXPORT_SYMBOL(cfg80211_ready_on_channel);
12415 
12416 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
12417 					struct ieee80211_channel *chan,
12418 					gfp_t gfp)
12419 {
12420 	struct wiphy *wiphy = wdev->wiphy;
12421 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12422 
12423 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
12424 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
12425 					  rdev, wdev, cookie, chan, 0, gfp);
12426 }
12427 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
12428 
12429 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
12430 		      struct station_info *sinfo, gfp_t gfp)
12431 {
12432 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
12433 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12434 	struct sk_buff *msg;
12435 
12436 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
12437 
12438 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12439 	if (!msg)
12440 		return;
12441 
12442 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
12443 				 rdev, dev, mac_addr, sinfo) < 0) {
12444 		nlmsg_free(msg);
12445 		return;
12446 	}
12447 
12448 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12449 				NL80211_MCGRP_MLME, gfp);
12450 }
12451 EXPORT_SYMBOL(cfg80211_new_sta);
12452 
12453 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
12454 			    struct station_info *sinfo, gfp_t gfp)
12455 {
12456 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
12457 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12458 	struct sk_buff *msg;
12459 	struct station_info empty_sinfo = {};
12460 
12461 	if (!sinfo)
12462 		sinfo = &empty_sinfo;
12463 
12464 	trace_cfg80211_del_sta(dev, mac_addr);
12465 
12466 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12467 	if (!msg)
12468 		return;
12469 
12470 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
12471 				 rdev, dev, mac_addr, sinfo) < 0) {
12472 		nlmsg_free(msg);
12473 		return;
12474 	}
12475 
12476 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12477 				NL80211_MCGRP_MLME, gfp);
12478 }
12479 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
12480 
12481 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
12482 			  enum nl80211_connect_failed_reason reason,
12483 			  gfp_t gfp)
12484 {
12485 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
12486 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12487 	struct sk_buff *msg;
12488 	void *hdr;
12489 
12490 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
12491 	if (!msg)
12492 		return;
12493 
12494 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
12495 	if (!hdr) {
12496 		nlmsg_free(msg);
12497 		return;
12498 	}
12499 
12500 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
12501 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
12502 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
12503 		goto nla_put_failure;
12504 
12505 	genlmsg_end(msg, hdr);
12506 
12507 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12508 				NL80211_MCGRP_MLME, gfp);
12509 	return;
12510 
12511  nla_put_failure:
12512 	genlmsg_cancel(msg, hdr);
12513 	nlmsg_free(msg);
12514 }
12515 EXPORT_SYMBOL(cfg80211_conn_failed);
12516 
12517 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
12518 				       const u8 *addr, gfp_t gfp)
12519 {
12520 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12521 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
12522 	struct sk_buff *msg;
12523 	void *hdr;
12524 	u32 nlportid = ACCESS_ONCE(wdev->ap_unexpected_nlportid);
12525 
12526 	if (!nlportid)
12527 		return false;
12528 
12529 	msg = nlmsg_new(100, gfp);
12530 	if (!msg)
12531 		return true;
12532 
12533 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
12534 	if (!hdr) {
12535 		nlmsg_free(msg);
12536 		return true;
12537 	}
12538 
12539 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12540 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
12541 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
12542 		goto nla_put_failure;
12543 
12544 	genlmsg_end(msg, hdr);
12545 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
12546 	return true;
12547 
12548  nla_put_failure:
12549 	genlmsg_cancel(msg, hdr);
12550 	nlmsg_free(msg);
12551 	return true;
12552 }
12553 
12554 bool cfg80211_rx_spurious_frame(struct net_device *dev,
12555 				const u8 *addr, gfp_t gfp)
12556 {
12557 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12558 	bool ret;
12559 
12560 	trace_cfg80211_rx_spurious_frame(dev, addr);
12561 
12562 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
12563 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
12564 		trace_cfg80211_return_bool(false);
12565 		return false;
12566 	}
12567 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
12568 					 addr, gfp);
12569 	trace_cfg80211_return_bool(ret);
12570 	return ret;
12571 }
12572 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
12573 
12574 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
12575 					const u8 *addr, gfp_t gfp)
12576 {
12577 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12578 	bool ret;
12579 
12580 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
12581 
12582 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
12583 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
12584 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
12585 		trace_cfg80211_return_bool(false);
12586 		return false;
12587 	}
12588 	ret = __nl80211_unexpected_frame(dev,
12589 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
12590 					 addr, gfp);
12591 	trace_cfg80211_return_bool(ret);
12592 	return ret;
12593 }
12594 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
12595 
12596 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
12597 		      struct wireless_dev *wdev, u32 nlportid,
12598 		      int freq, int sig_dbm,
12599 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
12600 {
12601 	struct net_device *netdev = wdev->netdev;
12602 	struct sk_buff *msg;
12603 	void *hdr;
12604 
12605 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12606 	if (!msg)
12607 		return -ENOMEM;
12608 
12609 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
12610 	if (!hdr) {
12611 		nlmsg_free(msg);
12612 		return -ENOMEM;
12613 	}
12614 
12615 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12616 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12617 					netdev->ifindex)) ||
12618 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
12619 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq) ||
12620 	    (sig_dbm &&
12621 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
12622 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
12623 	    (flags &&
12624 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
12625 		goto nla_put_failure;
12626 
12627 	genlmsg_end(msg, hdr);
12628 
12629 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
12630 
12631  nla_put_failure:
12632 	genlmsg_cancel(msg, hdr);
12633 	nlmsg_free(msg);
12634 	return -ENOBUFS;
12635 }
12636 
12637 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
12638 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
12639 {
12640 	struct wiphy *wiphy = wdev->wiphy;
12641 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12642 	struct net_device *netdev = wdev->netdev;
12643 	struct sk_buff *msg;
12644 	void *hdr;
12645 
12646 	trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
12647 
12648 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12649 	if (!msg)
12650 		return;
12651 
12652 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME_TX_STATUS);
12653 	if (!hdr) {
12654 		nlmsg_free(msg);
12655 		return;
12656 	}
12657 
12658 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12659 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12660 				   netdev->ifindex)) ||
12661 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
12662 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
12663 	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie) ||
12664 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
12665 		goto nla_put_failure;
12666 
12667 	genlmsg_end(msg, hdr);
12668 
12669 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12670 				NL80211_MCGRP_MLME, gfp);
12671 	return;
12672 
12673  nla_put_failure:
12674 	genlmsg_cancel(msg, hdr);
12675 	nlmsg_free(msg);
12676 }
12677 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
12678 
12679 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
12680 					    const char *mac, gfp_t gfp)
12681 {
12682 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12683 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
12684 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12685 	void **cb;
12686 
12687 	if (!msg)
12688 		return NULL;
12689 
12690 	cb = (void **)msg->cb;
12691 
12692 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
12693 	if (!cb[0]) {
12694 		nlmsg_free(msg);
12695 		return NULL;
12696 	}
12697 
12698 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12699 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
12700 		goto nla_put_failure;
12701 
12702 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
12703 		goto nla_put_failure;
12704 
12705 	cb[1] = nla_nest_start(msg, NL80211_ATTR_CQM);
12706 	if (!cb[1])
12707 		goto nla_put_failure;
12708 
12709 	cb[2] = rdev;
12710 
12711 	return msg;
12712  nla_put_failure:
12713 	nlmsg_free(msg);
12714 	return NULL;
12715 }
12716 
12717 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
12718 {
12719 	void **cb = (void **)msg->cb;
12720 	struct cfg80211_registered_device *rdev = cb[2];
12721 
12722 	nla_nest_end(msg, cb[1]);
12723 	genlmsg_end(msg, cb[0]);
12724 
12725 	memset(msg->cb, 0, sizeof(msg->cb));
12726 
12727 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12728 				NL80211_MCGRP_MLME, gfp);
12729 }
12730 
12731 void cfg80211_cqm_rssi_notify(struct net_device *dev,
12732 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
12733 			      gfp_t gfp)
12734 {
12735 	struct sk_buff *msg;
12736 
12737 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event);
12738 
12739 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
12740 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
12741 		return;
12742 
12743 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
12744 	if (!msg)
12745 		return;
12746 
12747 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
12748 			rssi_event))
12749 		goto nla_put_failure;
12750 
12751 	cfg80211_send_cqm(msg, gfp);
12752 
12753 	return;
12754 
12755  nla_put_failure:
12756 	nlmsg_free(msg);
12757 }
12758 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
12759 
12760 void cfg80211_cqm_txe_notify(struct net_device *dev,
12761 			     const u8 *peer, u32 num_packets,
12762 			     u32 rate, u32 intvl, gfp_t gfp)
12763 {
12764 	struct sk_buff *msg;
12765 
12766 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
12767 	if (!msg)
12768 		return;
12769 
12770 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
12771 		goto nla_put_failure;
12772 
12773 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
12774 		goto nla_put_failure;
12775 
12776 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
12777 		goto nla_put_failure;
12778 
12779 	cfg80211_send_cqm(msg, gfp);
12780 	return;
12781 
12782  nla_put_failure:
12783 	nlmsg_free(msg);
12784 }
12785 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
12786 
12787 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
12788 				 const u8 *peer, u32 num_packets, gfp_t gfp)
12789 {
12790 	struct sk_buff *msg;
12791 
12792 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
12793 
12794 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
12795 	if (!msg)
12796 		return;
12797 
12798 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
12799 		goto nla_put_failure;
12800 
12801 	cfg80211_send_cqm(msg, gfp);
12802 	return;
12803 
12804  nla_put_failure:
12805 	nlmsg_free(msg);
12806 }
12807 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
12808 
12809 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
12810 {
12811 	struct sk_buff *msg;
12812 
12813 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
12814 	if (!msg)
12815 		return;
12816 
12817 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
12818 		goto nla_put_failure;
12819 
12820 	cfg80211_send_cqm(msg, gfp);
12821 	return;
12822 
12823  nla_put_failure:
12824 	nlmsg_free(msg);
12825 }
12826 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
12827 
12828 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
12829 				     struct net_device *netdev, const u8 *bssid,
12830 				     const u8 *replay_ctr, gfp_t gfp)
12831 {
12832 	struct sk_buff *msg;
12833 	struct nlattr *rekey_attr;
12834 	void *hdr;
12835 
12836 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12837 	if (!msg)
12838 		return;
12839 
12840 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
12841 	if (!hdr) {
12842 		nlmsg_free(msg);
12843 		return;
12844 	}
12845 
12846 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12847 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12848 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
12849 		goto nla_put_failure;
12850 
12851 	rekey_attr = nla_nest_start(msg, NL80211_ATTR_REKEY_DATA);
12852 	if (!rekey_attr)
12853 		goto nla_put_failure;
12854 
12855 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
12856 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
12857 		goto nla_put_failure;
12858 
12859 	nla_nest_end(msg, rekey_attr);
12860 
12861 	genlmsg_end(msg, hdr);
12862 
12863 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12864 				NL80211_MCGRP_MLME, gfp);
12865 	return;
12866 
12867  nla_put_failure:
12868 	genlmsg_cancel(msg, hdr);
12869 	nlmsg_free(msg);
12870 }
12871 
12872 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
12873 			       const u8 *replay_ctr, gfp_t gfp)
12874 {
12875 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12876 	struct wiphy *wiphy = wdev->wiphy;
12877 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12878 
12879 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
12880 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
12881 }
12882 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
12883 
12884 static void
12885 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
12886 			       struct net_device *netdev, int index,
12887 			       const u8 *bssid, bool preauth, gfp_t gfp)
12888 {
12889 	struct sk_buff *msg;
12890 	struct nlattr *attr;
12891 	void *hdr;
12892 
12893 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12894 	if (!msg)
12895 		return;
12896 
12897 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
12898 	if (!hdr) {
12899 		nlmsg_free(msg);
12900 		return;
12901 	}
12902 
12903 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12904 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
12905 		goto nla_put_failure;
12906 
12907 	attr = nla_nest_start(msg, NL80211_ATTR_PMKSA_CANDIDATE);
12908 	if (!attr)
12909 		goto nla_put_failure;
12910 
12911 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
12912 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
12913 	    (preauth &&
12914 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
12915 		goto nla_put_failure;
12916 
12917 	nla_nest_end(msg, attr);
12918 
12919 	genlmsg_end(msg, hdr);
12920 
12921 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12922 				NL80211_MCGRP_MLME, gfp);
12923 	return;
12924 
12925  nla_put_failure:
12926 	genlmsg_cancel(msg, hdr);
12927 	nlmsg_free(msg);
12928 }
12929 
12930 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
12931 				     const u8 *bssid, bool preauth, gfp_t gfp)
12932 {
12933 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12934 	struct wiphy *wiphy = wdev->wiphy;
12935 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12936 
12937 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
12938 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
12939 }
12940 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
12941 
12942 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
12943 				     struct net_device *netdev,
12944 				     struct cfg80211_chan_def *chandef,
12945 				     gfp_t gfp,
12946 				     enum nl80211_commands notif,
12947 				     u8 count)
12948 {
12949 	struct sk_buff *msg;
12950 	void *hdr;
12951 
12952 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12953 	if (!msg)
12954 		return;
12955 
12956 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
12957 	if (!hdr) {
12958 		nlmsg_free(msg);
12959 		return;
12960 	}
12961 
12962 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
12963 		goto nla_put_failure;
12964 
12965 	if (nl80211_send_chandef(msg, chandef))
12966 		goto nla_put_failure;
12967 
12968 	if ((notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) &&
12969 	    (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count)))
12970 			goto nla_put_failure;
12971 
12972 	genlmsg_end(msg, hdr);
12973 
12974 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12975 				NL80211_MCGRP_MLME, gfp);
12976 	return;
12977 
12978  nla_put_failure:
12979 	genlmsg_cancel(msg, hdr);
12980 	nlmsg_free(msg);
12981 }
12982 
12983 void cfg80211_ch_switch_notify(struct net_device *dev,
12984 			       struct cfg80211_chan_def *chandef)
12985 {
12986 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12987 	struct wiphy *wiphy = wdev->wiphy;
12988 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12989 
12990 	ASSERT_WDEV_LOCK(wdev);
12991 
12992 	trace_cfg80211_ch_switch_notify(dev, chandef);
12993 
12994 	wdev->chandef = *chandef;
12995 	wdev->preset_chandef = *chandef;
12996 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
12997 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0);
12998 }
12999 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
13000 
13001 void cfg80211_ch_switch_started_notify(struct net_device *dev,
13002 				       struct cfg80211_chan_def *chandef,
13003 				       u8 count)
13004 {
13005 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13006 	struct wiphy *wiphy = wdev->wiphy;
13007 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13008 
13009 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
13010 
13011 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
13012 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY, count);
13013 }
13014 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
13015 
13016 void
13017 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
13018 		     const struct cfg80211_chan_def *chandef,
13019 		     enum nl80211_radar_event event,
13020 		     struct net_device *netdev, gfp_t gfp)
13021 {
13022 	struct sk_buff *msg;
13023 	void *hdr;
13024 
13025 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13026 	if (!msg)
13027 		return;
13028 
13029 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
13030 	if (!hdr) {
13031 		nlmsg_free(msg);
13032 		return;
13033 	}
13034 
13035 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
13036 		goto nla_put_failure;
13037 
13038 	/* NOP and radar events don't need a netdev parameter */
13039 	if (netdev) {
13040 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
13041 
13042 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
13043 		    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
13044 			goto nla_put_failure;
13045 	}
13046 
13047 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
13048 		goto nla_put_failure;
13049 
13050 	if (nl80211_send_chandef(msg, chandef))
13051 		goto nla_put_failure;
13052 
13053 	genlmsg_end(msg, hdr);
13054 
13055 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13056 				NL80211_MCGRP_MLME, gfp);
13057 	return;
13058 
13059  nla_put_failure:
13060 	genlmsg_cancel(msg, hdr);
13061 	nlmsg_free(msg);
13062 }
13063 
13064 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
13065 			   u64 cookie, bool acked, gfp_t gfp)
13066 {
13067 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13068 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
13069 	struct sk_buff *msg;
13070 	void *hdr;
13071 
13072 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
13073 
13074 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13075 
13076 	if (!msg)
13077 		return;
13078 
13079 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
13080 	if (!hdr) {
13081 		nlmsg_free(msg);
13082 		return;
13083 	}
13084 
13085 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13086 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
13087 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
13088 	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie) ||
13089 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)))
13090 		goto nla_put_failure;
13091 
13092 	genlmsg_end(msg, hdr);
13093 
13094 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13095 				NL80211_MCGRP_MLME, gfp);
13096 	return;
13097 
13098  nla_put_failure:
13099 	genlmsg_cancel(msg, hdr);
13100 	nlmsg_free(msg);
13101 }
13102 EXPORT_SYMBOL(cfg80211_probe_status);
13103 
13104 void cfg80211_report_obss_beacon(struct wiphy *wiphy,
13105 				 const u8 *frame, size_t len,
13106 				 int freq, int sig_dbm)
13107 {
13108 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13109 	struct sk_buff *msg;
13110 	void *hdr;
13111 	struct cfg80211_beacon_registration *reg;
13112 
13113 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
13114 
13115 	spin_lock_bh(&rdev->beacon_registrations_lock);
13116 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
13117 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
13118 		if (!msg) {
13119 			spin_unlock_bh(&rdev->beacon_registrations_lock);
13120 			return;
13121 		}
13122 
13123 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
13124 		if (!hdr)
13125 			goto nla_put_failure;
13126 
13127 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13128 		    (freq &&
13129 		     nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq)) ||
13130 		    (sig_dbm &&
13131 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
13132 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
13133 			goto nla_put_failure;
13134 
13135 		genlmsg_end(msg, hdr);
13136 
13137 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
13138 	}
13139 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13140 	return;
13141 
13142  nla_put_failure:
13143 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13144 	if (hdr)
13145 		genlmsg_cancel(msg, hdr);
13146 	nlmsg_free(msg);
13147 }
13148 EXPORT_SYMBOL(cfg80211_report_obss_beacon);
13149 
13150 #ifdef CONFIG_PM
13151 static int cfg80211_net_detect_results(struct sk_buff *msg,
13152 				       struct cfg80211_wowlan_wakeup *wakeup)
13153 {
13154 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
13155 	struct nlattr *nl_results, *nl_match, *nl_freqs;
13156 	int i, j;
13157 
13158 	nl_results = nla_nest_start(
13159 		msg, NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
13160 	if (!nl_results)
13161 		return -EMSGSIZE;
13162 
13163 	for (i = 0; i < nd->n_matches; i++) {
13164 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
13165 
13166 		nl_match = nla_nest_start(msg, i);
13167 		if (!nl_match)
13168 			break;
13169 
13170 		/* The SSID attribute is optional in nl80211, but for
13171 		 * simplicity reasons it's always present in the
13172 		 * cfg80211 structure.  If a driver can't pass the
13173 		 * SSID, that needs to be changed.  A zero length SSID
13174 		 * is still a valid SSID (wildcard), so it cannot be
13175 		 * used for this purpose.
13176 		 */
13177 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
13178 			    match->ssid.ssid)) {
13179 			nla_nest_cancel(msg, nl_match);
13180 			goto out;
13181 		}
13182 
13183 		if (match->n_channels) {
13184 			nl_freqs = nla_nest_start(
13185 				msg, NL80211_ATTR_SCAN_FREQUENCIES);
13186 			if (!nl_freqs) {
13187 				nla_nest_cancel(msg, nl_match);
13188 				goto out;
13189 			}
13190 
13191 			for (j = 0; j < match->n_channels; j++) {
13192 				if (nla_put_u32(msg, j, match->channels[j])) {
13193 					nla_nest_cancel(msg, nl_freqs);
13194 					nla_nest_cancel(msg, nl_match);
13195 					goto out;
13196 				}
13197 			}
13198 
13199 			nla_nest_end(msg, nl_freqs);
13200 		}
13201 
13202 		nla_nest_end(msg, nl_match);
13203 	}
13204 
13205 out:
13206 	nla_nest_end(msg, nl_results);
13207 	return 0;
13208 }
13209 
13210 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
13211 				   struct cfg80211_wowlan_wakeup *wakeup,
13212 				   gfp_t gfp)
13213 {
13214 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
13215 	struct sk_buff *msg;
13216 	void *hdr;
13217 	int size = 200;
13218 
13219 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
13220 
13221 	if (wakeup)
13222 		size += wakeup->packet_present_len;
13223 
13224 	msg = nlmsg_new(size, gfp);
13225 	if (!msg)
13226 		return;
13227 
13228 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
13229 	if (!hdr)
13230 		goto free_msg;
13231 
13232 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13233 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
13234 		goto free_msg;
13235 
13236 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13237 					wdev->netdev->ifindex))
13238 		goto free_msg;
13239 
13240 	if (wakeup) {
13241 		struct nlattr *reasons;
13242 
13243 		reasons = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
13244 		if (!reasons)
13245 			goto free_msg;
13246 
13247 		if (wakeup->disconnect &&
13248 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
13249 			goto free_msg;
13250 		if (wakeup->magic_pkt &&
13251 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
13252 			goto free_msg;
13253 		if (wakeup->gtk_rekey_failure &&
13254 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
13255 			goto free_msg;
13256 		if (wakeup->eap_identity_req &&
13257 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
13258 			goto free_msg;
13259 		if (wakeup->four_way_handshake &&
13260 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
13261 			goto free_msg;
13262 		if (wakeup->rfkill_release &&
13263 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
13264 			goto free_msg;
13265 
13266 		if (wakeup->pattern_idx >= 0 &&
13267 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
13268 				wakeup->pattern_idx))
13269 			goto free_msg;
13270 
13271 		if (wakeup->tcp_match &&
13272 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
13273 			goto free_msg;
13274 
13275 		if (wakeup->tcp_connlost &&
13276 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
13277 			goto free_msg;
13278 
13279 		if (wakeup->tcp_nomoretokens &&
13280 		    nla_put_flag(msg,
13281 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
13282 			goto free_msg;
13283 
13284 		if (wakeup->packet) {
13285 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
13286 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
13287 
13288 			if (!wakeup->packet_80211) {
13289 				pkt_attr =
13290 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
13291 				len_attr =
13292 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
13293 			}
13294 
13295 			if (wakeup->packet_len &&
13296 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
13297 				goto free_msg;
13298 
13299 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
13300 				    wakeup->packet))
13301 				goto free_msg;
13302 		}
13303 
13304 		if (wakeup->net_detect &&
13305 		    cfg80211_net_detect_results(msg, wakeup))
13306 				goto free_msg;
13307 
13308 		nla_nest_end(msg, reasons);
13309 	}
13310 
13311 	genlmsg_end(msg, hdr);
13312 
13313 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13314 				NL80211_MCGRP_MLME, gfp);
13315 	return;
13316 
13317  free_msg:
13318 	nlmsg_free(msg);
13319 }
13320 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
13321 #endif
13322 
13323 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
13324 				enum nl80211_tdls_operation oper,
13325 				u16 reason_code, gfp_t gfp)
13326 {
13327 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13328 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
13329 	struct sk_buff *msg;
13330 	void *hdr;
13331 
13332 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
13333 					 reason_code);
13334 
13335 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13336 	if (!msg)
13337 		return;
13338 
13339 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
13340 	if (!hdr) {
13341 		nlmsg_free(msg);
13342 		return;
13343 	}
13344 
13345 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13346 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
13347 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
13348 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
13349 	    (reason_code > 0 &&
13350 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
13351 		goto nla_put_failure;
13352 
13353 	genlmsg_end(msg, hdr);
13354 
13355 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13356 				NL80211_MCGRP_MLME, gfp);
13357 	return;
13358 
13359  nla_put_failure:
13360 	genlmsg_cancel(msg, hdr);
13361 	nlmsg_free(msg);
13362 }
13363 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
13364 
13365 static int nl80211_netlink_notify(struct notifier_block * nb,
13366 				  unsigned long state,
13367 				  void *_notify)
13368 {
13369 	struct netlink_notify *notify = _notify;
13370 	struct cfg80211_registered_device *rdev;
13371 	struct wireless_dev *wdev;
13372 	struct cfg80211_beacon_registration *reg, *tmp;
13373 
13374 	if (state != NETLINK_URELEASE)
13375 		return NOTIFY_DONE;
13376 
13377 	rcu_read_lock();
13378 
13379 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
13380 		bool schedule_destroy_work = false;
13381 		bool schedule_scan_stop = false;
13382 		struct cfg80211_sched_scan_request *sched_scan_req =
13383 			rcu_dereference(rdev->sched_scan_req);
13384 
13385 		if (sched_scan_req && notify->portid &&
13386 		    sched_scan_req->owner_nlportid == notify->portid)
13387 			schedule_scan_stop = true;
13388 
13389 		list_for_each_entry_rcu(wdev, &rdev->wdev_list, list) {
13390 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
13391 
13392 			if (wdev->owner_nlportid == notify->portid)
13393 				schedule_destroy_work = true;
13394 		}
13395 
13396 		spin_lock_bh(&rdev->beacon_registrations_lock);
13397 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
13398 					 list) {
13399 			if (reg->nlportid == notify->portid) {
13400 				list_del(&reg->list);
13401 				kfree(reg);
13402 				break;
13403 			}
13404 		}
13405 		spin_unlock_bh(&rdev->beacon_registrations_lock);
13406 
13407 		if (schedule_destroy_work) {
13408 			struct cfg80211_iface_destroy *destroy;
13409 
13410 			destroy = kzalloc(sizeof(*destroy), GFP_ATOMIC);
13411 			if (destroy) {
13412 				destroy->nlportid = notify->portid;
13413 				spin_lock(&rdev->destroy_list_lock);
13414 				list_add(&destroy->list, &rdev->destroy_list);
13415 				spin_unlock(&rdev->destroy_list_lock);
13416 				schedule_work(&rdev->destroy_work);
13417 			}
13418 		} else if (schedule_scan_stop) {
13419 			sched_scan_req->owner_nlportid = 0;
13420 
13421 			if (rdev->ops->sched_scan_stop &&
13422 			    rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
13423 				schedule_work(&rdev->sched_scan_stop_wk);
13424 		}
13425 	}
13426 
13427 	rcu_read_unlock();
13428 
13429 	/*
13430 	 * It is possible that the user space process that is controlling the
13431 	 * indoor setting disappeared, so notify the regulatory core.
13432 	 */
13433 	regulatory_netlink_notify(notify->portid);
13434 	return NOTIFY_OK;
13435 }
13436 
13437 static struct notifier_block nl80211_netlink_notifier = {
13438 	.notifier_call = nl80211_netlink_notify,
13439 };
13440 
13441 void cfg80211_ft_event(struct net_device *netdev,
13442 		       struct cfg80211_ft_event_params *ft_event)
13443 {
13444 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
13445 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13446 	struct sk_buff *msg;
13447 	void *hdr;
13448 
13449 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
13450 
13451 	if (!ft_event->target_ap)
13452 		return;
13453 
13454 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13455 	if (!msg)
13456 		return;
13457 
13458 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
13459 	if (!hdr)
13460 		goto out;
13461 
13462 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13463 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
13464 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
13465 		goto out;
13466 
13467 	if (ft_event->ies &&
13468 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
13469 		goto out;
13470 	if (ft_event->ric_ies &&
13471 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
13472 		    ft_event->ric_ies))
13473 		goto out;
13474 
13475 	genlmsg_end(msg, hdr);
13476 
13477 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13478 				NL80211_MCGRP_MLME, GFP_KERNEL);
13479 	return;
13480  out:
13481 	nlmsg_free(msg);
13482 }
13483 EXPORT_SYMBOL(cfg80211_ft_event);
13484 
13485 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
13486 {
13487 	struct cfg80211_registered_device *rdev;
13488 	struct sk_buff *msg;
13489 	void *hdr;
13490 	u32 nlportid;
13491 
13492 	rdev = wiphy_to_rdev(wdev->wiphy);
13493 	if (!rdev->crit_proto_nlportid)
13494 		return;
13495 
13496 	nlportid = rdev->crit_proto_nlportid;
13497 	rdev->crit_proto_nlportid = 0;
13498 
13499 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13500 	if (!msg)
13501 		return;
13502 
13503 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
13504 	if (!hdr)
13505 		goto nla_put_failure;
13506 
13507 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13508 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
13509 		goto nla_put_failure;
13510 
13511 	genlmsg_end(msg, hdr);
13512 
13513 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
13514 	return;
13515 
13516  nla_put_failure:
13517 	if (hdr)
13518 		genlmsg_cancel(msg, hdr);
13519 	nlmsg_free(msg);
13520 
13521 }
13522 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
13523 
13524 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
13525 {
13526 	struct wiphy *wiphy = wdev->wiphy;
13527 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13528 	struct sk_buff *msg;
13529 	void *hdr;
13530 
13531 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13532 	if (!msg)
13533 		return;
13534 
13535 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
13536 	if (!hdr)
13537 		goto out;
13538 
13539 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13540 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
13541 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
13542 		goto out;
13543 
13544 	genlmsg_end(msg, hdr);
13545 
13546 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
13547 				NL80211_MCGRP_MLME, GFP_KERNEL);
13548 	return;
13549  out:
13550 	nlmsg_free(msg);
13551 }
13552 
13553 /* initialisation/exit functions */
13554 
13555 int nl80211_init(void)
13556 {
13557 	int err;
13558 
13559 	err = genl_register_family_with_ops_groups(&nl80211_fam, nl80211_ops,
13560 						   nl80211_mcgrps);
13561 	if (err)
13562 		return err;
13563 
13564 	err = netlink_register_notifier(&nl80211_netlink_notifier);
13565 	if (err)
13566 		goto err_out;
13567 
13568 	return 0;
13569  err_out:
13570 	genl_unregister_family(&nl80211_fam);
13571 	return err;
13572 }
13573 
13574 void nl80211_exit(void)
13575 {
13576 	netlink_unregister_notifier(&nl80211_netlink_notifier);
13577 	genl_unregister_family(&nl80211_fam);
13578 }
13579