xref: /openbmc/linux/net/wireless/nl80211.c (revision 609e478b) 
1 /*
2  * This is the new netlink-based wireless configuration interface.
3  *
4  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
5  * Copyright 2013-2014  Intel Mobile Communications GmbH
6  */
7 
8 #include <linux/if.h>
9 #include <linux/module.h>
10 #include <linux/err.h>
11 #include <linux/slab.h>
12 #include <linux/list.h>
13 #include <linux/if_ether.h>
14 #include <linux/ieee80211.h>
15 #include <linux/nl80211.h>
16 #include <linux/rtnetlink.h>
17 #include <linux/netlink.h>
18 #include <linux/etherdevice.h>
19 #include <net/net_namespace.h>
20 #include <net/genetlink.h>
21 #include <net/cfg80211.h>
22 #include <net/sock.h>
23 #include <net/inet_connection_sock.h>
24 #include "core.h"
25 #include "nl80211.h"
26 #include "reg.h"
27 #include "rdev-ops.h"
28 
29 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
30 				   struct genl_info *info,
31 				   struct cfg80211_crypto_settings *settings,
32 				   int cipher_limit);
33 
34 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
35 			    struct genl_info *info);
36 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
37 			      struct genl_info *info);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam = {
41 	.id = GENL_ID_GENERATE,		/* don't bother with a hardcoded ID */
42 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
43 	.hdrsize = 0,			/* no private header */
44 	.version = 1,			/* no particular meaning now */
45 	.maxattr = NL80211_ATTR_MAX,
46 	.netnsok = true,
47 	.pre_doit = nl80211_pre_doit,
48 	.post_doit = nl80211_post_doit,
49 };
50 
51 /* multicast groups */
52 enum nl80211_multicast_groups {
53 	NL80211_MCGRP_CONFIG,
54 	NL80211_MCGRP_SCAN,
55 	NL80211_MCGRP_REGULATORY,
56 	NL80211_MCGRP_MLME,
57 	NL80211_MCGRP_VENDOR,
58 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
59 };
60 
61 static const struct genl_multicast_group nl80211_mcgrps[] = {
62 	[NL80211_MCGRP_CONFIG] = { .name = "config", },
63 	[NL80211_MCGRP_SCAN] = { .name = "scan", },
64 	[NL80211_MCGRP_REGULATORY] = { .name = "regulatory", },
65 	[NL80211_MCGRP_MLME] = { .name = "mlme", },
66 	[NL80211_MCGRP_VENDOR] = { .name = "vendor", },
67 #ifdef CONFIG_NL80211_TESTMODE
68 	[NL80211_MCGRP_TESTMODE] = { .name = "testmode", }
69 #endif
70 };
71 
72 /* returns ERR_PTR values */
73 static struct wireless_dev *
74 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
75 {
76 	struct cfg80211_registered_device *rdev;
77 	struct wireless_dev *result = NULL;
78 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
79 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
80 	u64 wdev_id;
81 	int wiphy_idx = -1;
82 	int ifidx = -1;
83 
84 	ASSERT_RTNL();
85 
86 	if (!have_ifidx && !have_wdev_id)
87 		return ERR_PTR(-EINVAL);
88 
89 	if (have_ifidx)
90 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
91 	if (have_wdev_id) {
92 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
93 		wiphy_idx = wdev_id >> 32;
94 	}
95 
96 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
97 		struct wireless_dev *wdev;
98 
99 		if (wiphy_net(&rdev->wiphy) != netns)
100 			continue;
101 
102 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
103 			continue;
104 
105 		list_for_each_entry(wdev, &rdev->wdev_list, list) {
106 			if (have_ifidx && wdev->netdev &&
107 			    wdev->netdev->ifindex == ifidx) {
108 				result = wdev;
109 				break;
110 			}
111 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
112 				result = wdev;
113 				break;
114 			}
115 		}
116 
117 		if (result)
118 			break;
119 	}
120 
121 	if (result)
122 		return result;
123 	return ERR_PTR(-ENODEV);
124 }
125 
126 static struct cfg80211_registered_device *
127 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
128 {
129 	struct cfg80211_registered_device *rdev = NULL, *tmp;
130 	struct net_device *netdev;
131 
132 	ASSERT_RTNL();
133 
134 	if (!attrs[NL80211_ATTR_WIPHY] &&
135 	    !attrs[NL80211_ATTR_IFINDEX] &&
136 	    !attrs[NL80211_ATTR_WDEV])
137 		return ERR_PTR(-EINVAL);
138 
139 	if (attrs[NL80211_ATTR_WIPHY])
140 		rdev = cfg80211_rdev_by_wiphy_idx(
141 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
142 
143 	if (attrs[NL80211_ATTR_WDEV]) {
144 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
145 		struct wireless_dev *wdev;
146 		bool found = false;
147 
148 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
149 		if (tmp) {
150 			/* make sure wdev exists */
151 			list_for_each_entry(wdev, &tmp->wdev_list, list) {
152 				if (wdev->identifier != (u32)wdev_id)
153 					continue;
154 				found = true;
155 				break;
156 			}
157 
158 			if (!found)
159 				tmp = NULL;
160 
161 			if (rdev && tmp != rdev)
162 				return ERR_PTR(-EINVAL);
163 			rdev = tmp;
164 		}
165 	}
166 
167 	if (attrs[NL80211_ATTR_IFINDEX]) {
168 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
169 		netdev = __dev_get_by_index(netns, ifindex);
170 		if (netdev) {
171 			if (netdev->ieee80211_ptr)
172 				tmp = wiphy_to_rdev(
173 					netdev->ieee80211_ptr->wiphy);
174 			else
175 				tmp = NULL;
176 
177 			/* not wireless device -- return error */
178 			if (!tmp)
179 				return ERR_PTR(-EINVAL);
180 
181 			/* mismatch -- return error */
182 			if (rdev && tmp != rdev)
183 				return ERR_PTR(-EINVAL);
184 
185 			rdev = tmp;
186 		}
187 	}
188 
189 	if (!rdev)
190 		return ERR_PTR(-ENODEV);
191 
192 	if (netns != wiphy_net(&rdev->wiphy))
193 		return ERR_PTR(-ENODEV);
194 
195 	return rdev;
196 }
197 
198 /*
199  * This function returns a pointer to the driver
200  * that the genl_info item that is passed refers to.
201  *
202  * The result of this can be a PTR_ERR and hence must
203  * be checked with IS_ERR() for errors.
204  */
205 static struct cfg80211_registered_device *
206 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
207 {
208 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
209 }
210 
211 /* policy for the attributes */
212 static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
213 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
214 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
215 				      .len = 20-1 },
216 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
217 
218 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
219 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
220 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
221 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
222 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
223 
224 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = { .type = NLA_U8 },
225 	[NL80211_ATTR_WIPHY_RETRY_LONG] = { .type = NLA_U8 },
226 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
227 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
228 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
229 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
230 
231 	[NL80211_ATTR_IFTYPE] = { .type = NLA_U32 },
232 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
233 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
234 
235 	[NL80211_ATTR_MAC] = { .len = ETH_ALEN },
236 	[NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },
237 
238 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
239 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
240 				    .len = WLAN_MAX_KEY_LEN },
241 	[NL80211_ATTR_KEY_IDX] = { .type = NLA_U8 },
242 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
243 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
244 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
245 	[NL80211_ATTR_KEY_TYPE] = { .type = NLA_U32 },
246 
247 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
248 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
249 	[NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
250 				       .len = IEEE80211_MAX_DATA_LEN },
251 	[NL80211_ATTR_BEACON_TAIL] = { .type = NLA_BINARY,
252 				       .len = IEEE80211_MAX_DATA_LEN },
253 	[NL80211_ATTR_STA_AID] = { .type = NLA_U16 },
254 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
255 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
256 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
257 					       .len = NL80211_MAX_SUPP_RATES },
258 	[NL80211_ATTR_STA_PLINK_ACTION] = { .type = NLA_U8 },
259 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
260 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
261 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
262 				   .len = IEEE80211_MAX_MESH_ID_LEN },
263 	[NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
264 
265 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
266 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
267 
268 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
269 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
270 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
271 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
272 					   .len = NL80211_MAX_SUPP_RATES },
273 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
274 
275 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
276 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
277 
278 	[NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
279 
280 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
281 	[NL80211_ATTR_IE] = { .type = NLA_BINARY,
282 			      .len = IEEE80211_MAX_DATA_LEN },
283 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
284 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
285 
286 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
287 				.len = IEEE80211_MAX_SSID_LEN },
288 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
289 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
290 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
291 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
292 	[NL80211_ATTR_USE_MFP] = { .type = NLA_U32 },
293 	[NL80211_ATTR_STA_FLAGS2] = {
294 		.len = sizeof(struct nl80211_sta_flag_update),
295 	},
296 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
297 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
298 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
299 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
300 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
301 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
302 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
303 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
304 	[NL80211_ATTR_PMKID] = { .type = NLA_BINARY,
305 				 .len = WLAN_PMKID_LEN },
306 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
307 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
308 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
309 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
310 				 .len = IEEE80211_MAX_DATA_LEN },
311 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
312 	[NL80211_ATTR_PS_STATE] = { .type = NLA_U32 },
313 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
314 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
315 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
316 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
317 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
318 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
319 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
320 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
321 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
322 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
323 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
324 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
325 	[NL80211_ATTR_STA_PLINK_STATE] = { .type = NLA_U8 },
326 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
327 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
328 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
329 	[NL80211_ATTR_HIDDEN_SSID] = { .type = NLA_U32 },
330 	[NL80211_ATTR_IE_PROBE_RESP] = { .type = NLA_BINARY,
331 					 .len = IEEE80211_MAX_DATA_LEN },
332 	[NL80211_ATTR_IE_ASSOC_RESP] = { .type = NLA_BINARY,
333 					 .len = IEEE80211_MAX_DATA_LEN },
334 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
335 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
336 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
337 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
338 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
339 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
340 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
341 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
342 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
343 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
344 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
345 				      .len = IEEE80211_MAX_DATA_LEN },
346 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
347 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
348 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
349 		.len = NL80211_HT_CAPABILITY_LEN
350 	},
351 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
352 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
353 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
354 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
355 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
356 	[NL80211_ATTR_SAE_DATA] = { .type = NLA_BINARY, },
357 	[NL80211_ATTR_VHT_CAPABILITY] = { .len = NL80211_VHT_CAPABILITY_LEN },
358 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
359 	[NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
360 	[NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
361 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
362 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
363 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
364 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
365 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
366 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
367 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
368 		.len = NL80211_VHT_CAPABILITY_LEN,
369 	},
370 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
371 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
372 				  .len = IEEE80211_MAX_DATA_LEN },
373 	[NL80211_ATTR_PEER_AID] = { .type = NLA_U16 },
374 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
375 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
376 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
377 	[NL80211_ATTR_CSA_C_OFF_BEACON] = { .type = NLA_BINARY },
378 	[NL80211_ATTR_CSA_C_OFF_PRESP] = { .type = NLA_BINARY },
379 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = { .type = NLA_BINARY },
380 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] = { .type = NLA_BINARY },
381 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
382 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
383 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
384 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
385 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
386 	[NL80211_ATTR_QOS_MAP] = { .type = NLA_BINARY,
387 				   .len = IEEE80211_QOS_MAP_LEN_MAX },
388 	[NL80211_ATTR_MAC_HINT] = { .len = ETH_ALEN },
389 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
390 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
391 	[NL80211_ATTR_IFACE_SOCKET_OWNER] = { .type = NLA_FLAG },
392 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
393 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
394 	[NL80211_ATTR_TSID] = { .type = NLA_U8 },
395 	[NL80211_ATTR_USER_PRIO] = { .type = NLA_U8 },
396 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
397 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
398 };
399 
400 /* policy for the key attributes */
401 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
402 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
403 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
404 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
405 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
406 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
407 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
408 	[NL80211_KEY_TYPE] = { .type = NLA_U32 },
409 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
410 };
411 
412 /* policy for the key default flags */
413 static const struct nla_policy
414 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
415 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
416 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
417 };
418 
419 /* policy for WoWLAN attributes */
420 static const struct nla_policy
421 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
422 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
423 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
424 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
425 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
426 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
427 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
428 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
429 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
430 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
431 };
432 
433 static const struct nla_policy
434 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
435 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
436 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
437 	[NL80211_WOWLAN_TCP_DST_MAC] = { .len = ETH_ALEN },
438 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
439 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
440 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = { .len = 1 },
441 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
442 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
443 	},
444 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
445 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
446 	},
447 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
448 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = { .len = 1 },
449 	[NL80211_WOWLAN_TCP_WAKE_MASK] = { .len = 1 },
450 };
451 
452 /* policy for coalesce rule attributes */
453 static const struct nla_policy
454 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
455 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
456 	[NL80211_ATTR_COALESCE_RULE_CONDITION] = { .type = NLA_U32 },
457 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
458 };
459 
460 /* policy for GTK rekey offload attributes */
461 static const struct nla_policy
462 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
463 	[NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
464 	[NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
465 	[NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
466 };
467 
468 static const struct nla_policy
469 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
470 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
471 						 .len = IEEE80211_MAX_SSID_LEN },
472 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
473 };
474 
475 static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
476 				     struct netlink_callback *cb,
477 				     struct cfg80211_registered_device **rdev,
478 				     struct wireless_dev **wdev)
479 {
480 	int err;
481 
482 	rtnl_lock();
483 
484 	if (!cb->args[0]) {
485 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
486 				  nl80211_fam.attrbuf, nl80211_fam.maxattr,
487 				  nl80211_policy);
488 		if (err)
489 			goto out_unlock;
490 
491 		*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk),
492 						   nl80211_fam.attrbuf);
493 		if (IS_ERR(*wdev)) {
494 			err = PTR_ERR(*wdev);
495 			goto out_unlock;
496 		}
497 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
498 		/* 0 is the first index - add 1 to parse only once */
499 		cb->args[0] = (*rdev)->wiphy_idx + 1;
500 		cb->args[1] = (*wdev)->identifier;
501 	} else {
502 		/* subtract the 1 again here */
503 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
504 		struct wireless_dev *tmp;
505 
506 		if (!wiphy) {
507 			err = -ENODEV;
508 			goto out_unlock;
509 		}
510 		*rdev = wiphy_to_rdev(wiphy);
511 		*wdev = NULL;
512 
513 		list_for_each_entry(tmp, &(*rdev)->wdev_list, list) {
514 			if (tmp->identifier == cb->args[1]) {
515 				*wdev = tmp;
516 				break;
517 			}
518 		}
519 
520 		if (!*wdev) {
521 			err = -ENODEV;
522 			goto out_unlock;
523 		}
524 	}
525 
526 	return 0;
527  out_unlock:
528 	rtnl_unlock();
529 	return err;
530 }
531 
532 static void nl80211_finish_wdev_dump(struct cfg80211_registered_device *rdev)
533 {
534 	rtnl_unlock();
535 }
536 
537 /* IE validation */
538 static bool is_valid_ie_attr(const struct nlattr *attr)
539 {
540 	const u8 *pos;
541 	int len;
542 
543 	if (!attr)
544 		return true;
545 
546 	pos = nla_data(attr);
547 	len = nla_len(attr);
548 
549 	while (len) {
550 		u8 elemlen;
551 
552 		if (len < 2)
553 			return false;
554 		len -= 2;
555 
556 		elemlen = pos[1];
557 		if (elemlen > len)
558 			return false;
559 
560 		len -= elemlen;
561 		pos += 2 + elemlen;
562 	}
563 
564 	return true;
565 }
566 
567 /* message building helper */
568 static inline void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
569 				   int flags, u8 cmd)
570 {
571 	/* since there is no private header just add the generic one */
572 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
573 }
574 
575 static int nl80211_msg_put_channel(struct sk_buff *msg,
576 				   struct ieee80211_channel *chan,
577 				   bool large)
578 {
579 	/* Some channels must be completely excluded from the
580 	 * list to protect old user-space tools from breaking
581 	 */
582 	if (!large && chan->flags &
583 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
584 		return 0;
585 
586 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
587 			chan->center_freq))
588 		goto nla_put_failure;
589 
590 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
591 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
592 		goto nla_put_failure;
593 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
594 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
595 			goto nla_put_failure;
596 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
597 			goto nla_put_failure;
598 	}
599 	if (chan->flags & IEEE80211_CHAN_RADAR) {
600 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
601 			goto nla_put_failure;
602 		if (large) {
603 			u32 time;
604 
605 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
606 
607 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
608 					chan->dfs_state))
609 				goto nla_put_failure;
610 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
611 					time))
612 				goto nla_put_failure;
613 			if (nla_put_u32(msg,
614 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
615 					chan->dfs_cac_ms))
616 				goto nla_put_failure;
617 		}
618 	}
619 
620 	if (large) {
621 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
622 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
623 			goto nla_put_failure;
624 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
625 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
626 			goto nla_put_failure;
627 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
628 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
629 			goto nla_put_failure;
630 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
631 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
632 			goto nla_put_failure;
633 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
634 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
635 			goto nla_put_failure;
636 		if ((chan->flags & IEEE80211_CHAN_GO_CONCURRENT) &&
637 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_GO_CONCURRENT))
638 			goto nla_put_failure;
639 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
640 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
641 			goto nla_put_failure;
642 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
643 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
644 			goto nla_put_failure;
645 	}
646 
647 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
648 			DBM_TO_MBM(chan->max_power)))
649 		goto nla_put_failure;
650 
651 	return 0;
652 
653  nla_put_failure:
654 	return -ENOBUFS;
655 }
656 
657 /* netlink command implementations */
658 
659 struct key_parse {
660 	struct key_params p;
661 	int idx;
662 	int type;
663 	bool def, defmgmt;
664 	bool def_uni, def_multi;
665 };
666 
667 static int nl80211_parse_key_new(struct nlattr *key, struct key_parse *k)
668 {
669 	struct nlattr *tb[NL80211_KEY_MAX + 1];
670 	int err = nla_parse_nested(tb, NL80211_KEY_MAX, key,
671 				   nl80211_key_policy);
672 	if (err)
673 		return err;
674 
675 	k->def = !!tb[NL80211_KEY_DEFAULT];
676 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
677 
678 	if (k->def) {
679 		k->def_uni = true;
680 		k->def_multi = true;
681 	}
682 	if (k->defmgmt)
683 		k->def_multi = true;
684 
685 	if (tb[NL80211_KEY_IDX])
686 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
687 
688 	if (tb[NL80211_KEY_DATA]) {
689 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
690 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
691 	}
692 
693 	if (tb[NL80211_KEY_SEQ]) {
694 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
695 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
696 	}
697 
698 	if (tb[NL80211_KEY_CIPHER])
699 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
700 
701 	if (tb[NL80211_KEY_TYPE]) {
702 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
703 		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
704 			return -EINVAL;
705 	}
706 
707 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
708 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
709 		err = nla_parse_nested(kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
710 				       tb[NL80211_KEY_DEFAULT_TYPES],
711 				       nl80211_key_default_policy);
712 		if (err)
713 			return err;
714 
715 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
716 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
717 	}
718 
719 	return 0;
720 }
721 
722 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
723 {
724 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
725 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
726 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
727 	}
728 
729 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
730 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
731 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
732 	}
733 
734 	if (info->attrs[NL80211_ATTR_KEY_IDX])
735 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
736 
737 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
738 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
739 
740 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
741 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
742 
743 	if (k->def) {
744 		k->def_uni = true;
745 		k->def_multi = true;
746 	}
747 	if (k->defmgmt)
748 		k->def_multi = true;
749 
750 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
751 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
752 		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
753 			return -EINVAL;
754 	}
755 
756 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
757 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
758 		int err = nla_parse_nested(
759 				kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
760 				info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
761 				nl80211_key_default_policy);
762 		if (err)
763 			return err;
764 
765 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
766 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
767 	}
768 
769 	return 0;
770 }
771 
772 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
773 {
774 	int err;
775 
776 	memset(k, 0, sizeof(*k));
777 	k->idx = -1;
778 	k->type = -1;
779 
780 	if (info->attrs[NL80211_ATTR_KEY])
781 		err = nl80211_parse_key_new(info->attrs[NL80211_ATTR_KEY], k);
782 	else
783 		err = nl80211_parse_key_old(info, k);
784 
785 	if (err)
786 		return err;
787 
788 	if (k->def && k->defmgmt)
789 		return -EINVAL;
790 
791 	if (k->defmgmt) {
792 		if (k->def_uni || !k->def_multi)
793 			return -EINVAL;
794 	}
795 
796 	if (k->idx != -1) {
797 		if (k->defmgmt) {
798 			if (k->idx < 4 || k->idx > 5)
799 				return -EINVAL;
800 		} else if (k->def) {
801 			if (k->idx < 0 || k->idx > 3)
802 				return -EINVAL;
803 		} else {
804 			if (k->idx < 0 || k->idx > 5)
805 				return -EINVAL;
806 		}
807 	}
808 
809 	return 0;
810 }
811 
812 static struct cfg80211_cached_keys *
813 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
814 		       struct nlattr *keys, bool *no_ht)
815 {
816 	struct key_parse parse;
817 	struct nlattr *key;
818 	struct cfg80211_cached_keys *result;
819 	int rem, err, def = 0;
820 
821 	result = kzalloc(sizeof(*result), GFP_KERNEL);
822 	if (!result)
823 		return ERR_PTR(-ENOMEM);
824 
825 	result->def = -1;
826 	result->defmgmt = -1;
827 
828 	nla_for_each_nested(key, keys, rem) {
829 		memset(&parse, 0, sizeof(parse));
830 		parse.idx = -1;
831 
832 		err = nl80211_parse_key_new(key, &parse);
833 		if (err)
834 			goto error;
835 		err = -EINVAL;
836 		if (!parse.p.key)
837 			goto error;
838 		if (parse.idx < 0 || parse.idx > 4)
839 			goto error;
840 		if (parse.def) {
841 			if (def)
842 				goto error;
843 			def = 1;
844 			result->def = parse.idx;
845 			if (!parse.def_uni || !parse.def_multi)
846 				goto error;
847 		} else if (parse.defmgmt)
848 			goto error;
849 		err = cfg80211_validate_key_settings(rdev, &parse.p,
850 						     parse.idx, false, NULL);
851 		if (err)
852 			goto error;
853 		result->params[parse.idx].cipher = parse.p.cipher;
854 		result->params[parse.idx].key_len = parse.p.key_len;
855 		result->params[parse.idx].key = result->data[parse.idx];
856 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
857 
858 		if (parse.p.cipher == WLAN_CIPHER_SUITE_WEP40 ||
859 		    parse.p.cipher == WLAN_CIPHER_SUITE_WEP104) {
860 			if (no_ht)
861 				*no_ht = true;
862 		}
863 	}
864 
865 	return result;
866  error:
867 	kfree(result);
868 	return ERR_PTR(err);
869 }
870 
871 static int nl80211_key_allowed(struct wireless_dev *wdev)
872 {
873 	ASSERT_WDEV_LOCK(wdev);
874 
875 	switch (wdev->iftype) {
876 	case NL80211_IFTYPE_AP:
877 	case NL80211_IFTYPE_AP_VLAN:
878 	case NL80211_IFTYPE_P2P_GO:
879 	case NL80211_IFTYPE_MESH_POINT:
880 		break;
881 	case NL80211_IFTYPE_ADHOC:
882 	case NL80211_IFTYPE_STATION:
883 	case NL80211_IFTYPE_P2P_CLIENT:
884 		if (!wdev->current_bss)
885 			return -ENOLINK;
886 		break;
887 	default:
888 		return -EINVAL;
889 	}
890 
891 	return 0;
892 }
893 
894 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
895 							struct nlattr *tb)
896 {
897 	struct ieee80211_channel *chan;
898 
899 	if (tb == NULL)
900 		return NULL;
901 	chan = ieee80211_get_channel(wiphy, nla_get_u32(tb));
902 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
903 		return NULL;
904 	return chan;
905 }
906 
907 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
908 {
909 	struct nlattr *nl_modes = nla_nest_start(msg, attr);
910 	int i;
911 
912 	if (!nl_modes)
913 		goto nla_put_failure;
914 
915 	i = 0;
916 	while (ifmodes) {
917 		if ((ifmodes & 1) && nla_put_flag(msg, i))
918 			goto nla_put_failure;
919 		ifmodes >>= 1;
920 		i++;
921 	}
922 
923 	nla_nest_end(msg, nl_modes);
924 	return 0;
925 
926 nla_put_failure:
927 	return -ENOBUFS;
928 }
929 
930 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
931 					  struct sk_buff *msg,
932 					  bool large)
933 {
934 	struct nlattr *nl_combis;
935 	int i, j;
936 
937 	nl_combis = nla_nest_start(msg,
938 				NL80211_ATTR_INTERFACE_COMBINATIONS);
939 	if (!nl_combis)
940 		goto nla_put_failure;
941 
942 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
943 		const struct ieee80211_iface_combination *c;
944 		struct nlattr *nl_combi, *nl_limits;
945 
946 		c = &wiphy->iface_combinations[i];
947 
948 		nl_combi = nla_nest_start(msg, i + 1);
949 		if (!nl_combi)
950 			goto nla_put_failure;
951 
952 		nl_limits = nla_nest_start(msg, NL80211_IFACE_COMB_LIMITS);
953 		if (!nl_limits)
954 			goto nla_put_failure;
955 
956 		for (j = 0; j < c->n_limits; j++) {
957 			struct nlattr *nl_limit;
958 
959 			nl_limit = nla_nest_start(msg, j + 1);
960 			if (!nl_limit)
961 				goto nla_put_failure;
962 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
963 					c->limits[j].max))
964 				goto nla_put_failure;
965 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
966 						c->limits[j].types))
967 				goto nla_put_failure;
968 			nla_nest_end(msg, nl_limit);
969 		}
970 
971 		nla_nest_end(msg, nl_limits);
972 
973 		if (c->beacon_int_infra_match &&
974 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
975 			goto nla_put_failure;
976 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
977 				c->num_different_channels) ||
978 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
979 				c->max_interfaces))
980 			goto nla_put_failure;
981 		if (large &&
982 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
983 				c->radar_detect_widths) ||
984 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
985 				c->radar_detect_regions)))
986 			goto nla_put_failure;
987 
988 		nla_nest_end(msg, nl_combi);
989 	}
990 
991 	nla_nest_end(msg, nl_combis);
992 
993 	return 0;
994 nla_put_failure:
995 	return -ENOBUFS;
996 }
997 
998 #ifdef CONFIG_PM
999 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1000 					struct sk_buff *msg)
1001 {
1002 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1003 	struct nlattr *nl_tcp;
1004 
1005 	if (!tcp)
1006 		return 0;
1007 
1008 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1009 	if (!nl_tcp)
1010 		return -ENOBUFS;
1011 
1012 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1013 			tcp->data_payload_max))
1014 		return -ENOBUFS;
1015 
1016 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1017 			tcp->data_payload_max))
1018 		return -ENOBUFS;
1019 
1020 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1021 		return -ENOBUFS;
1022 
1023 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1024 				sizeof(*tcp->tok), tcp->tok))
1025 		return -ENOBUFS;
1026 
1027 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1028 			tcp->data_interval_max))
1029 		return -ENOBUFS;
1030 
1031 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1032 			tcp->wake_payload_max))
1033 		return -ENOBUFS;
1034 
1035 	nla_nest_end(msg, nl_tcp);
1036 	return 0;
1037 }
1038 
1039 static int nl80211_send_wowlan(struct sk_buff *msg,
1040 			       struct cfg80211_registered_device *rdev,
1041 			       bool large)
1042 {
1043 	struct nlattr *nl_wowlan;
1044 
1045 	if (!rdev->wiphy.wowlan)
1046 		return 0;
1047 
1048 	nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1049 	if (!nl_wowlan)
1050 		return -ENOBUFS;
1051 
1052 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1053 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1054 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1055 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1056 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1057 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1058 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1059 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1060 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1061 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1062 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1063 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1064 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1065 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1066 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1067 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1068 		return -ENOBUFS;
1069 
1070 	if (rdev->wiphy.wowlan->n_patterns) {
1071 		struct nl80211_pattern_support pat = {
1072 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1073 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1074 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1075 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1076 		};
1077 
1078 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1079 			    sizeof(pat), &pat))
1080 			return -ENOBUFS;
1081 	}
1082 
1083 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1084 		return -ENOBUFS;
1085 
1086 	nla_nest_end(msg, nl_wowlan);
1087 
1088 	return 0;
1089 }
1090 #endif
1091 
1092 static int nl80211_send_coalesce(struct sk_buff *msg,
1093 				 struct cfg80211_registered_device *rdev)
1094 {
1095 	struct nl80211_coalesce_rule_support rule;
1096 
1097 	if (!rdev->wiphy.coalesce)
1098 		return 0;
1099 
1100 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1101 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1102 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1103 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1104 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1105 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1106 
1107 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1108 		return -ENOBUFS;
1109 
1110 	return 0;
1111 }
1112 
1113 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1114 				      struct ieee80211_supported_band *sband)
1115 {
1116 	struct nlattr *nl_rates, *nl_rate;
1117 	struct ieee80211_rate *rate;
1118 	int i;
1119 
1120 	/* add HT info */
1121 	if (sband->ht_cap.ht_supported &&
1122 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1123 		     sizeof(sband->ht_cap.mcs),
1124 		     &sband->ht_cap.mcs) ||
1125 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1126 			 sband->ht_cap.cap) ||
1127 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1128 			sband->ht_cap.ampdu_factor) ||
1129 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1130 			sband->ht_cap.ampdu_density)))
1131 		return -ENOBUFS;
1132 
1133 	/* add VHT info */
1134 	if (sband->vht_cap.vht_supported &&
1135 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1136 		     sizeof(sband->vht_cap.vht_mcs),
1137 		     &sband->vht_cap.vht_mcs) ||
1138 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1139 			 sband->vht_cap.cap)))
1140 		return -ENOBUFS;
1141 
1142 	/* add bitrates */
1143 	nl_rates = nla_nest_start(msg, NL80211_BAND_ATTR_RATES);
1144 	if (!nl_rates)
1145 		return -ENOBUFS;
1146 
1147 	for (i = 0; i < sband->n_bitrates; i++) {
1148 		nl_rate = nla_nest_start(msg, i);
1149 		if (!nl_rate)
1150 			return -ENOBUFS;
1151 
1152 		rate = &sband->bitrates[i];
1153 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1154 				rate->bitrate))
1155 			return -ENOBUFS;
1156 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1157 		    nla_put_flag(msg,
1158 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1159 			return -ENOBUFS;
1160 
1161 		nla_nest_end(msg, nl_rate);
1162 	}
1163 
1164 	nla_nest_end(msg, nl_rates);
1165 
1166 	return 0;
1167 }
1168 
1169 static int
1170 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1171 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1172 {
1173 	u16 stypes;
1174 	struct nlattr *nl_ftypes, *nl_ifs;
1175 	enum nl80211_iftype ift;
1176 	int i;
1177 
1178 	if (!mgmt_stypes)
1179 		return 0;
1180 
1181 	nl_ifs = nla_nest_start(msg, NL80211_ATTR_TX_FRAME_TYPES);
1182 	if (!nl_ifs)
1183 		return -ENOBUFS;
1184 
1185 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1186 		nl_ftypes = nla_nest_start(msg, ift);
1187 		if (!nl_ftypes)
1188 			return -ENOBUFS;
1189 		i = 0;
1190 		stypes = mgmt_stypes[ift].tx;
1191 		while (stypes) {
1192 			if ((stypes & 1) &&
1193 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1194 					(i << 4) | IEEE80211_FTYPE_MGMT))
1195 				return -ENOBUFS;
1196 			stypes >>= 1;
1197 			i++;
1198 		}
1199 		nla_nest_end(msg, nl_ftypes);
1200 	}
1201 
1202 	nla_nest_end(msg, nl_ifs);
1203 
1204 	nl_ifs = nla_nest_start(msg, NL80211_ATTR_RX_FRAME_TYPES);
1205 	if (!nl_ifs)
1206 		return -ENOBUFS;
1207 
1208 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1209 		nl_ftypes = nla_nest_start(msg, ift);
1210 		if (!nl_ftypes)
1211 			return -ENOBUFS;
1212 		i = 0;
1213 		stypes = mgmt_stypes[ift].rx;
1214 		while (stypes) {
1215 			if ((stypes & 1) &&
1216 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1217 					(i << 4) | IEEE80211_FTYPE_MGMT))
1218 				return -ENOBUFS;
1219 			stypes >>= 1;
1220 			i++;
1221 		}
1222 		nla_nest_end(msg, nl_ftypes);
1223 	}
1224 	nla_nest_end(msg, nl_ifs);
1225 
1226 	return 0;
1227 }
1228 
1229 struct nl80211_dump_wiphy_state {
1230 	s64 filter_wiphy;
1231 	long start;
1232 	long split_start, band_start, chan_start;
1233 	bool split;
1234 };
1235 
1236 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
1237 			      enum nl80211_commands cmd,
1238 			      struct sk_buff *msg, u32 portid, u32 seq,
1239 			      int flags, struct nl80211_dump_wiphy_state *state)
1240 {
1241 	void *hdr;
1242 	struct nlattr *nl_bands, *nl_band;
1243 	struct nlattr *nl_freqs, *nl_freq;
1244 	struct nlattr *nl_cmds;
1245 	enum ieee80211_band band;
1246 	struct ieee80211_channel *chan;
1247 	int i;
1248 	const struct ieee80211_txrx_stypes *mgmt_stypes =
1249 				rdev->wiphy.mgmt_stypes;
1250 	u32 features;
1251 
1252 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
1253 	if (!hdr)
1254 		return -ENOBUFS;
1255 
1256 	if (WARN_ON(!state))
1257 		return -EINVAL;
1258 
1259 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
1260 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
1261 			   wiphy_name(&rdev->wiphy)) ||
1262 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
1263 			cfg80211_rdev_list_generation))
1264 		goto nla_put_failure;
1265 
1266 	if (cmd != NL80211_CMD_NEW_WIPHY)
1267 		goto finish;
1268 
1269 	switch (state->split_start) {
1270 	case 0:
1271 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
1272 			       rdev->wiphy.retry_short) ||
1273 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
1274 			       rdev->wiphy.retry_long) ||
1275 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
1276 				rdev->wiphy.frag_threshold) ||
1277 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
1278 				rdev->wiphy.rts_threshold) ||
1279 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
1280 			       rdev->wiphy.coverage_class) ||
1281 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
1282 			       rdev->wiphy.max_scan_ssids) ||
1283 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
1284 			       rdev->wiphy.max_sched_scan_ssids) ||
1285 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
1286 				rdev->wiphy.max_scan_ie_len) ||
1287 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
1288 				rdev->wiphy.max_sched_scan_ie_len) ||
1289 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
1290 			       rdev->wiphy.max_match_sets))
1291 			goto nla_put_failure;
1292 
1293 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
1294 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
1295 			goto nla_put_failure;
1296 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
1297 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
1298 			goto nla_put_failure;
1299 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
1300 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
1301 			goto nla_put_failure;
1302 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
1303 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
1304 			goto nla_put_failure;
1305 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
1306 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
1307 			goto nla_put_failure;
1308 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
1309 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
1310 			goto nla_put_failure;
1311 		state->split_start++;
1312 		if (state->split)
1313 			break;
1314 	case 1:
1315 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
1316 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
1317 			    rdev->wiphy.cipher_suites))
1318 			goto nla_put_failure;
1319 
1320 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
1321 			       rdev->wiphy.max_num_pmkids))
1322 			goto nla_put_failure;
1323 
1324 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
1325 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
1326 			goto nla_put_failure;
1327 
1328 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
1329 				rdev->wiphy.available_antennas_tx) ||
1330 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
1331 				rdev->wiphy.available_antennas_rx))
1332 			goto nla_put_failure;
1333 
1334 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
1335 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
1336 				rdev->wiphy.probe_resp_offload))
1337 			goto nla_put_failure;
1338 
1339 		if ((rdev->wiphy.available_antennas_tx ||
1340 		     rdev->wiphy.available_antennas_rx) &&
1341 		    rdev->ops->get_antenna) {
1342 			u32 tx_ant = 0, rx_ant = 0;
1343 			int res;
1344 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
1345 			if (!res) {
1346 				if (nla_put_u32(msg,
1347 						NL80211_ATTR_WIPHY_ANTENNA_TX,
1348 						tx_ant) ||
1349 				    nla_put_u32(msg,
1350 						NL80211_ATTR_WIPHY_ANTENNA_RX,
1351 						rx_ant))
1352 					goto nla_put_failure;
1353 			}
1354 		}
1355 
1356 		state->split_start++;
1357 		if (state->split)
1358 			break;
1359 	case 2:
1360 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
1361 					rdev->wiphy.interface_modes))
1362 				goto nla_put_failure;
1363 		state->split_start++;
1364 		if (state->split)
1365 			break;
1366 	case 3:
1367 		nl_bands = nla_nest_start(msg, NL80211_ATTR_WIPHY_BANDS);
1368 		if (!nl_bands)
1369 			goto nla_put_failure;
1370 
1371 		for (band = state->band_start;
1372 		     band < IEEE80211_NUM_BANDS; band++) {
1373 			struct ieee80211_supported_band *sband;
1374 
1375 			sband = rdev->wiphy.bands[band];
1376 
1377 			if (!sband)
1378 				continue;
1379 
1380 			nl_band = nla_nest_start(msg, band);
1381 			if (!nl_band)
1382 				goto nla_put_failure;
1383 
1384 			switch (state->chan_start) {
1385 			case 0:
1386 				if (nl80211_send_band_rateinfo(msg, sband))
1387 					goto nla_put_failure;
1388 				state->chan_start++;
1389 				if (state->split)
1390 					break;
1391 			default:
1392 				/* add frequencies */
1393 				nl_freqs = nla_nest_start(
1394 					msg, NL80211_BAND_ATTR_FREQS);
1395 				if (!nl_freqs)
1396 					goto nla_put_failure;
1397 
1398 				for (i = state->chan_start - 1;
1399 				     i < sband->n_channels;
1400 				     i++) {
1401 					nl_freq = nla_nest_start(msg, i);
1402 					if (!nl_freq)
1403 						goto nla_put_failure;
1404 
1405 					chan = &sband->channels[i];
1406 
1407 					if (nl80211_msg_put_channel(
1408 							msg, chan,
1409 							state->split))
1410 						goto nla_put_failure;
1411 
1412 					nla_nest_end(msg, nl_freq);
1413 					if (state->split)
1414 						break;
1415 				}
1416 				if (i < sband->n_channels)
1417 					state->chan_start = i + 2;
1418 				else
1419 					state->chan_start = 0;
1420 				nla_nest_end(msg, nl_freqs);
1421 			}
1422 
1423 			nla_nest_end(msg, nl_band);
1424 
1425 			if (state->split) {
1426 				/* start again here */
1427 				if (state->chan_start)
1428 					band--;
1429 				break;
1430 			}
1431 		}
1432 		nla_nest_end(msg, nl_bands);
1433 
1434 		if (band < IEEE80211_NUM_BANDS)
1435 			state->band_start = band + 1;
1436 		else
1437 			state->band_start = 0;
1438 
1439 		/* if bands & channels are done, continue outside */
1440 		if (state->band_start == 0 && state->chan_start == 0)
1441 			state->split_start++;
1442 		if (state->split)
1443 			break;
1444 	case 4:
1445 		nl_cmds = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_COMMANDS);
1446 		if (!nl_cmds)
1447 			goto nla_put_failure;
1448 
1449 		i = 0;
1450 #define CMD(op, n)							\
1451 		 do {							\
1452 			if (rdev->ops->op) {				\
1453 				i++;					\
1454 				if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) \
1455 					goto nla_put_failure;		\
1456 			}						\
1457 		} while (0)
1458 
1459 		CMD(add_virtual_intf, NEW_INTERFACE);
1460 		CMD(change_virtual_intf, SET_INTERFACE);
1461 		CMD(add_key, NEW_KEY);
1462 		CMD(start_ap, START_AP);
1463 		CMD(add_station, NEW_STATION);
1464 		CMD(add_mpath, NEW_MPATH);
1465 		CMD(update_mesh_config, SET_MESH_CONFIG);
1466 		CMD(change_bss, SET_BSS);
1467 		CMD(auth, AUTHENTICATE);
1468 		CMD(assoc, ASSOCIATE);
1469 		CMD(deauth, DEAUTHENTICATE);
1470 		CMD(disassoc, DISASSOCIATE);
1471 		CMD(join_ibss, JOIN_IBSS);
1472 		CMD(join_mesh, JOIN_MESH);
1473 		CMD(set_pmksa, SET_PMKSA);
1474 		CMD(del_pmksa, DEL_PMKSA);
1475 		CMD(flush_pmksa, FLUSH_PMKSA);
1476 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1477 			CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1478 		CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1479 		CMD(mgmt_tx, FRAME);
1480 		CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1481 		if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1482 			i++;
1483 			if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1484 				goto nla_put_failure;
1485 		}
1486 		if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1487 		    rdev->ops->join_mesh) {
1488 			i++;
1489 			if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1490 				goto nla_put_failure;
1491 		}
1492 		CMD(set_wds_peer, SET_WDS_PEER);
1493 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1494 			CMD(tdls_mgmt, TDLS_MGMT);
1495 			CMD(tdls_oper, TDLS_OPER);
1496 		}
1497 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
1498 			CMD(sched_scan_start, START_SCHED_SCAN);
1499 		CMD(probe_client, PROBE_CLIENT);
1500 		CMD(set_noack_map, SET_NOACK_MAP);
1501 		if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1502 			i++;
1503 			if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1504 				goto nla_put_failure;
1505 		}
1506 		CMD(start_p2p_device, START_P2P_DEVICE);
1507 		CMD(set_mcast_rate, SET_MCAST_RATE);
1508 #ifdef CONFIG_NL80211_TESTMODE
1509 		CMD(testmode_cmd, TESTMODE);
1510 #endif
1511 		if (state->split) {
1512 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
1513 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
1514 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
1515 				CMD(channel_switch, CHANNEL_SWITCH);
1516 			CMD(set_qos_map, SET_QOS_MAP);
1517 			if (rdev->wiphy.flags &
1518 					WIPHY_FLAG_SUPPORTS_WMM_ADMISSION)
1519 				CMD(add_tx_ts, ADD_TX_TS);
1520 		}
1521 		/* add into the if now */
1522 #undef CMD
1523 
1524 		if (rdev->ops->connect || rdev->ops->auth) {
1525 			i++;
1526 			if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1527 				goto nla_put_failure;
1528 		}
1529 
1530 		if (rdev->ops->disconnect || rdev->ops->deauth) {
1531 			i++;
1532 			if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1533 				goto nla_put_failure;
1534 		}
1535 
1536 		nla_nest_end(msg, nl_cmds);
1537 		state->split_start++;
1538 		if (state->split)
1539 			break;
1540 	case 5:
1541 		if (rdev->ops->remain_on_channel &&
1542 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
1543 		    nla_put_u32(msg,
1544 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
1545 				rdev->wiphy.max_remain_on_channel_duration))
1546 			goto nla_put_failure;
1547 
1548 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
1549 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
1550 			goto nla_put_failure;
1551 
1552 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
1553 			goto nla_put_failure;
1554 		state->split_start++;
1555 		if (state->split)
1556 			break;
1557 	case 6:
1558 #ifdef CONFIG_PM
1559 		if (nl80211_send_wowlan(msg, rdev, state->split))
1560 			goto nla_put_failure;
1561 		state->split_start++;
1562 		if (state->split)
1563 			break;
1564 #else
1565 		state->split_start++;
1566 #endif
1567 	case 7:
1568 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
1569 					rdev->wiphy.software_iftypes))
1570 			goto nla_put_failure;
1571 
1572 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
1573 						   state->split))
1574 			goto nla_put_failure;
1575 
1576 		state->split_start++;
1577 		if (state->split)
1578 			break;
1579 	case 8:
1580 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
1581 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
1582 				rdev->wiphy.ap_sme_capa))
1583 			goto nla_put_failure;
1584 
1585 		features = rdev->wiphy.features;
1586 		/*
1587 		 * We can only add the per-channel limit information if the
1588 		 * dump is split, otherwise it makes it too big. Therefore
1589 		 * only advertise it in that case.
1590 		 */
1591 		if (state->split)
1592 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
1593 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
1594 			goto nla_put_failure;
1595 
1596 		if (rdev->wiphy.ht_capa_mod_mask &&
1597 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
1598 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
1599 			    rdev->wiphy.ht_capa_mod_mask))
1600 			goto nla_put_failure;
1601 
1602 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
1603 		    rdev->wiphy.max_acl_mac_addrs &&
1604 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
1605 				rdev->wiphy.max_acl_mac_addrs))
1606 			goto nla_put_failure;
1607 
1608 		/*
1609 		 * Any information below this point is only available to
1610 		 * applications that can deal with it being split. This
1611 		 * helps ensure that newly added capabilities don't break
1612 		 * older tools by overrunning their buffers.
1613 		 *
1614 		 * We still increment split_start so that in the split
1615 		 * case we'll continue with more data in the next round,
1616 		 * but break unconditionally so unsplit data stops here.
1617 		 */
1618 		state->split_start++;
1619 		break;
1620 	case 9:
1621 		if (rdev->wiphy.extended_capabilities &&
1622 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
1623 			     rdev->wiphy.extended_capabilities_len,
1624 			     rdev->wiphy.extended_capabilities) ||
1625 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
1626 			     rdev->wiphy.extended_capabilities_len,
1627 			     rdev->wiphy.extended_capabilities_mask)))
1628 			goto nla_put_failure;
1629 
1630 		if (rdev->wiphy.vht_capa_mod_mask &&
1631 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
1632 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
1633 			    rdev->wiphy.vht_capa_mod_mask))
1634 			goto nla_put_failure;
1635 
1636 		state->split_start++;
1637 		break;
1638 	case 10:
1639 		if (nl80211_send_coalesce(msg, rdev))
1640 			goto nla_put_failure;
1641 
1642 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
1643 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
1644 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
1645 			goto nla_put_failure;
1646 
1647 		if (rdev->wiphy.max_ap_assoc_sta &&
1648 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
1649 				rdev->wiphy.max_ap_assoc_sta))
1650 			goto nla_put_failure;
1651 
1652 		state->split_start++;
1653 		break;
1654 	case 11:
1655 		if (rdev->wiphy.n_vendor_commands) {
1656 			const struct nl80211_vendor_cmd_info *info;
1657 			struct nlattr *nested;
1658 
1659 			nested = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
1660 			if (!nested)
1661 				goto nla_put_failure;
1662 
1663 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
1664 				info = &rdev->wiphy.vendor_commands[i].info;
1665 				if (nla_put(msg, i + 1, sizeof(*info), info))
1666 					goto nla_put_failure;
1667 			}
1668 			nla_nest_end(msg, nested);
1669 		}
1670 
1671 		if (rdev->wiphy.n_vendor_events) {
1672 			const struct nl80211_vendor_cmd_info *info;
1673 			struct nlattr *nested;
1674 
1675 			nested = nla_nest_start(msg,
1676 						NL80211_ATTR_VENDOR_EVENTS);
1677 			if (!nested)
1678 				goto nla_put_failure;
1679 
1680 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
1681 				info = &rdev->wiphy.vendor_events[i];
1682 				if (nla_put(msg, i + 1, sizeof(*info), info))
1683 					goto nla_put_failure;
1684 			}
1685 			nla_nest_end(msg, nested);
1686 		}
1687 		state->split_start++;
1688 		break;
1689 	case 12:
1690 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
1691 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
1692 			       rdev->wiphy.max_num_csa_counters))
1693 			goto nla_put_failure;
1694 
1695 		/* done */
1696 		state->split_start = 0;
1697 		break;
1698 	}
1699  finish:
1700 	return genlmsg_end(msg, hdr);
1701 
1702  nla_put_failure:
1703 	genlmsg_cancel(msg, hdr);
1704 	return -EMSGSIZE;
1705 }
1706 
1707 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
1708 				    struct netlink_callback *cb,
1709 				    struct nl80211_dump_wiphy_state *state)
1710 {
1711 	struct nlattr **tb = nl80211_fam.attrbuf;
1712 	int ret = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
1713 			      tb, nl80211_fam.maxattr, nl80211_policy);
1714 	/* ignore parse errors for backward compatibility */
1715 	if (ret)
1716 		return 0;
1717 
1718 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
1719 	if (tb[NL80211_ATTR_WIPHY])
1720 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
1721 	if (tb[NL80211_ATTR_WDEV])
1722 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
1723 	if (tb[NL80211_ATTR_IFINDEX]) {
1724 		struct net_device *netdev;
1725 		struct cfg80211_registered_device *rdev;
1726 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
1727 
1728 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
1729 		if (!netdev)
1730 			return -ENODEV;
1731 		if (netdev->ieee80211_ptr) {
1732 			rdev = wiphy_to_rdev(
1733 				netdev->ieee80211_ptr->wiphy);
1734 			state->filter_wiphy = rdev->wiphy_idx;
1735 		}
1736 	}
1737 
1738 	return 0;
1739 }
1740 
1741 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
1742 {
1743 	int idx = 0, ret;
1744 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
1745 	struct cfg80211_registered_device *rdev;
1746 
1747 	rtnl_lock();
1748 	if (!state) {
1749 		state = kzalloc(sizeof(*state), GFP_KERNEL);
1750 		if (!state) {
1751 			rtnl_unlock();
1752 			return -ENOMEM;
1753 		}
1754 		state->filter_wiphy = -1;
1755 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
1756 		if (ret) {
1757 			kfree(state);
1758 			rtnl_unlock();
1759 			return ret;
1760 		}
1761 		cb->args[0] = (long)state;
1762 	}
1763 
1764 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
1765 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
1766 			continue;
1767 		if (++idx <= state->start)
1768 			continue;
1769 		if (state->filter_wiphy != -1 &&
1770 		    state->filter_wiphy != rdev->wiphy_idx)
1771 			continue;
1772 		/* attempt to fit multiple wiphy data chunks into the skb */
1773 		do {
1774 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
1775 						 skb,
1776 						 NETLINK_CB(cb->skb).portid,
1777 						 cb->nlh->nlmsg_seq,
1778 						 NLM_F_MULTI, state);
1779 			if (ret < 0) {
1780 				/*
1781 				 * If sending the wiphy data didn't fit (ENOBUFS
1782 				 * or EMSGSIZE returned), this SKB is still
1783 				 * empty (so it's not too big because another
1784 				 * wiphy dataset is already in the skb) and
1785 				 * we've not tried to adjust the dump allocation
1786 				 * yet ... then adjust the alloc size to be
1787 				 * bigger, and return 1 but with the empty skb.
1788 				 * This results in an empty message being RX'ed
1789 				 * in userspace, but that is ignored.
1790 				 *
1791 				 * We can then retry with the larger buffer.
1792 				 */
1793 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
1794 				    !skb->len && !state->split &&
1795 				    cb->min_dump_alloc < 4096) {
1796 					cb->min_dump_alloc = 4096;
1797 					state->split_start = 0;
1798 					rtnl_unlock();
1799 					return 1;
1800 				}
1801 				idx--;
1802 				break;
1803 			}
1804 		} while (state->split_start > 0);
1805 		break;
1806 	}
1807 	rtnl_unlock();
1808 
1809 	state->start = idx;
1810 
1811 	return skb->len;
1812 }
1813 
1814 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
1815 {
1816 	kfree((void *)cb->args[0]);
1817 	return 0;
1818 }
1819 
1820 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
1821 {
1822 	struct sk_buff *msg;
1823 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
1824 	struct nl80211_dump_wiphy_state state = {};
1825 
1826 	msg = nlmsg_new(4096, GFP_KERNEL);
1827 	if (!msg)
1828 		return -ENOMEM;
1829 
1830 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
1831 			       info->snd_portid, info->snd_seq, 0,
1832 			       &state) < 0) {
1833 		nlmsg_free(msg);
1834 		return -ENOBUFS;
1835 	}
1836 
1837 	return genlmsg_reply(msg, info);
1838 }
1839 
1840 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
1841 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
1842 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
1843 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
1844 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
1845 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
1846 };
1847 
1848 static int parse_txq_params(struct nlattr *tb[],
1849 			    struct ieee80211_txq_params *txq_params)
1850 {
1851 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
1852 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
1853 	    !tb[NL80211_TXQ_ATTR_AIFS])
1854 		return -EINVAL;
1855 
1856 	txq_params->ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
1857 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
1858 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
1859 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
1860 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
1861 
1862 	if (txq_params->ac >= NL80211_NUM_ACS)
1863 		return -EINVAL;
1864 
1865 	return 0;
1866 }
1867 
1868 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
1869 {
1870 	/*
1871 	 * You can only set the channel explicitly for WDS interfaces,
1872 	 * all others have their channel managed via their respective
1873 	 * "establish a connection" command (connect, join, ...)
1874 	 *
1875 	 * For AP/GO and mesh mode, the channel can be set with the
1876 	 * channel userspace API, but is only stored and passed to the
1877 	 * low-level driver when the AP starts or the mesh is joined.
1878 	 * This is for backward compatibility, userspace can also give
1879 	 * the channel in the start-ap or join-mesh commands instead.
1880 	 *
1881 	 * Monitors are special as they are normally slaved to
1882 	 * whatever else is going on, so they have their own special
1883 	 * operation to set the monitor channel if possible.
1884 	 */
1885 	return !wdev ||
1886 		wdev->iftype == NL80211_IFTYPE_AP ||
1887 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
1888 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
1889 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
1890 }
1891 
1892 static int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
1893 				 struct genl_info *info,
1894 				 struct cfg80211_chan_def *chandef)
1895 {
1896 	u32 control_freq;
1897 
1898 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
1899 		return -EINVAL;
1900 
1901 	control_freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
1902 
1903 	chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
1904 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
1905 	chandef->center_freq1 = control_freq;
1906 	chandef->center_freq2 = 0;
1907 
1908 	/* Primary channel not allowed */
1909 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED)
1910 		return -EINVAL;
1911 
1912 	if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
1913 		enum nl80211_channel_type chantype;
1914 
1915 		chantype = nla_get_u32(
1916 				info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
1917 
1918 		switch (chantype) {
1919 		case NL80211_CHAN_NO_HT:
1920 		case NL80211_CHAN_HT20:
1921 		case NL80211_CHAN_HT40PLUS:
1922 		case NL80211_CHAN_HT40MINUS:
1923 			cfg80211_chandef_create(chandef, chandef->chan,
1924 						chantype);
1925 			break;
1926 		default:
1927 			return -EINVAL;
1928 		}
1929 	} else if (info->attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
1930 		chandef->width =
1931 			nla_get_u32(info->attrs[NL80211_ATTR_CHANNEL_WIDTH]);
1932 		if (info->attrs[NL80211_ATTR_CENTER_FREQ1])
1933 			chandef->center_freq1 =
1934 				nla_get_u32(
1935 					info->attrs[NL80211_ATTR_CENTER_FREQ1]);
1936 		if (info->attrs[NL80211_ATTR_CENTER_FREQ2])
1937 			chandef->center_freq2 =
1938 				nla_get_u32(
1939 					info->attrs[NL80211_ATTR_CENTER_FREQ2]);
1940 	}
1941 
1942 	if (!cfg80211_chandef_valid(chandef))
1943 		return -EINVAL;
1944 
1945 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
1946 				     IEEE80211_CHAN_DISABLED))
1947 		return -EINVAL;
1948 
1949 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
1950 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
1951 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ))
1952 		return -EINVAL;
1953 
1954 	return 0;
1955 }
1956 
1957 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
1958 				 struct net_device *dev,
1959 				 struct genl_info *info)
1960 {
1961 	struct cfg80211_chan_def chandef;
1962 	int result;
1963 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
1964 	struct wireless_dev *wdev = NULL;
1965 
1966 	if (dev)
1967 		wdev = dev->ieee80211_ptr;
1968 	if (!nl80211_can_set_dev_channel(wdev))
1969 		return -EOPNOTSUPP;
1970 	if (wdev)
1971 		iftype = wdev->iftype;
1972 
1973 	result = nl80211_parse_chandef(rdev, info, &chandef);
1974 	if (result)
1975 		return result;
1976 
1977 	switch (iftype) {
1978 	case NL80211_IFTYPE_AP:
1979 	case NL80211_IFTYPE_P2P_GO:
1980 		if (!cfg80211_reg_can_beacon(&rdev->wiphy, &chandef, iftype)) {
1981 			result = -EINVAL;
1982 			break;
1983 		}
1984 		if (wdev->beacon_interval) {
1985 			if (!dev || !rdev->ops->set_ap_chanwidth ||
1986 			    !(rdev->wiphy.features &
1987 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
1988 				result = -EBUSY;
1989 				break;
1990 			}
1991 
1992 			/* Only allow dynamic channel width changes */
1993 			if (chandef.chan != wdev->preset_chandef.chan) {
1994 				result = -EBUSY;
1995 				break;
1996 			}
1997 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
1998 			if (result)
1999 				break;
2000 		}
2001 		wdev->preset_chandef = chandef;
2002 		result = 0;
2003 		break;
2004 	case NL80211_IFTYPE_MESH_POINT:
2005 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
2006 		break;
2007 	case NL80211_IFTYPE_MONITOR:
2008 		result = cfg80211_set_monitor_channel(rdev, &chandef);
2009 		break;
2010 	default:
2011 		result = -EINVAL;
2012 	}
2013 
2014 	return result;
2015 }
2016 
2017 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
2018 {
2019 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2020 	struct net_device *netdev = info->user_ptr[1];
2021 
2022 	return __nl80211_set_channel(rdev, netdev, info);
2023 }
2024 
2025 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
2026 {
2027 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2028 	struct net_device *dev = info->user_ptr[1];
2029 	struct wireless_dev *wdev = dev->ieee80211_ptr;
2030 	const u8 *bssid;
2031 
2032 	if (!info->attrs[NL80211_ATTR_MAC])
2033 		return -EINVAL;
2034 
2035 	if (netif_running(dev))
2036 		return -EBUSY;
2037 
2038 	if (!rdev->ops->set_wds_peer)
2039 		return -EOPNOTSUPP;
2040 
2041 	if (wdev->iftype != NL80211_IFTYPE_WDS)
2042 		return -EOPNOTSUPP;
2043 
2044 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
2045 	return rdev_set_wds_peer(rdev, dev, bssid);
2046 }
2047 
2048 
2049 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
2050 {
2051 	struct cfg80211_registered_device *rdev;
2052 	struct net_device *netdev = NULL;
2053 	struct wireless_dev *wdev;
2054 	int result = 0, rem_txq_params = 0;
2055 	struct nlattr *nl_txq_params;
2056 	u32 changed;
2057 	u8 retry_short = 0, retry_long = 0;
2058 	u32 frag_threshold = 0, rts_threshold = 0;
2059 	u8 coverage_class = 0;
2060 
2061 	ASSERT_RTNL();
2062 
2063 	/*
2064 	 * Try to find the wiphy and netdev. Normally this
2065 	 * function shouldn't need the netdev, but this is
2066 	 * done for backward compatibility -- previously
2067 	 * setting the channel was done per wiphy, but now
2068 	 * it is per netdev. Previous userland like hostapd
2069 	 * also passed a netdev to set_wiphy, so that it is
2070 	 * possible to let that go to the right netdev!
2071 	 */
2072 
2073 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
2074 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
2075 
2076 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
2077 		if (netdev && netdev->ieee80211_ptr)
2078 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
2079 		else
2080 			netdev = NULL;
2081 	}
2082 
2083 	if (!netdev) {
2084 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
2085 						  info->attrs);
2086 		if (IS_ERR(rdev))
2087 			return PTR_ERR(rdev);
2088 		wdev = NULL;
2089 		netdev = NULL;
2090 		result = 0;
2091 	} else
2092 		wdev = netdev->ieee80211_ptr;
2093 
2094 	/*
2095 	 * end workaround code, by now the rdev is available
2096 	 * and locked, and wdev may or may not be NULL.
2097 	 */
2098 
2099 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
2100 		result = cfg80211_dev_rename(
2101 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
2102 
2103 	if (result)
2104 		return result;
2105 
2106 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
2107 		struct ieee80211_txq_params txq_params;
2108 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
2109 
2110 		if (!rdev->ops->set_txq_params)
2111 			return -EOPNOTSUPP;
2112 
2113 		if (!netdev)
2114 			return -EINVAL;
2115 
2116 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2117 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2118 			return -EINVAL;
2119 
2120 		if (!netif_running(netdev))
2121 			return -ENETDOWN;
2122 
2123 		nla_for_each_nested(nl_txq_params,
2124 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
2125 				    rem_txq_params) {
2126 			result = nla_parse(tb, NL80211_TXQ_ATTR_MAX,
2127 					   nla_data(nl_txq_params),
2128 					   nla_len(nl_txq_params),
2129 					   txq_params_policy);
2130 			if (result)
2131 				return result;
2132 			result = parse_txq_params(tb, &txq_params);
2133 			if (result)
2134 				return result;
2135 
2136 			result = rdev_set_txq_params(rdev, netdev,
2137 						     &txq_params);
2138 			if (result)
2139 				return result;
2140 		}
2141 	}
2142 
2143 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2144 		result = __nl80211_set_channel(
2145 			rdev,
2146 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
2147 			info);
2148 		if (result)
2149 			return result;
2150 	}
2151 
2152 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
2153 		struct wireless_dev *txp_wdev = wdev;
2154 		enum nl80211_tx_power_setting type;
2155 		int idx, mbm = 0;
2156 
2157 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
2158 			txp_wdev = NULL;
2159 
2160 		if (!rdev->ops->set_tx_power)
2161 			return -EOPNOTSUPP;
2162 
2163 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
2164 		type = nla_get_u32(info->attrs[idx]);
2165 
2166 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
2167 		    (type != NL80211_TX_POWER_AUTOMATIC))
2168 			return -EINVAL;
2169 
2170 		if (type != NL80211_TX_POWER_AUTOMATIC) {
2171 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
2172 			mbm = nla_get_u32(info->attrs[idx]);
2173 		}
2174 
2175 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
2176 		if (result)
2177 			return result;
2178 	}
2179 
2180 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
2181 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
2182 		u32 tx_ant, rx_ant;
2183 		if ((!rdev->wiphy.available_antennas_tx &&
2184 		     !rdev->wiphy.available_antennas_rx) ||
2185 		    !rdev->ops->set_antenna)
2186 			return -EOPNOTSUPP;
2187 
2188 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
2189 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
2190 
2191 		/* reject antenna configurations which don't match the
2192 		 * available antenna masks, except for the "all" mask */
2193 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
2194 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
2195 			return -EINVAL;
2196 
2197 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
2198 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
2199 
2200 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
2201 		if (result)
2202 			return result;
2203 	}
2204 
2205 	changed = 0;
2206 
2207 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
2208 		retry_short = nla_get_u8(
2209 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
2210 		if (retry_short == 0)
2211 			return -EINVAL;
2212 
2213 		changed |= WIPHY_PARAM_RETRY_SHORT;
2214 	}
2215 
2216 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
2217 		retry_long = nla_get_u8(
2218 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
2219 		if (retry_long == 0)
2220 			return -EINVAL;
2221 
2222 		changed |= WIPHY_PARAM_RETRY_LONG;
2223 	}
2224 
2225 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
2226 		frag_threshold = nla_get_u32(
2227 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
2228 		if (frag_threshold < 256)
2229 			return -EINVAL;
2230 
2231 		if (frag_threshold != (u32) -1) {
2232 			/*
2233 			 * Fragments (apart from the last one) are required to
2234 			 * have even length. Make the fragmentation code
2235 			 * simpler by stripping LSB should someone try to use
2236 			 * odd threshold value.
2237 			 */
2238 			frag_threshold &= ~0x1;
2239 		}
2240 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
2241 	}
2242 
2243 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
2244 		rts_threshold = nla_get_u32(
2245 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
2246 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
2247 	}
2248 
2249 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
2250 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
2251 			return -EINVAL;
2252 
2253 		coverage_class = nla_get_u8(
2254 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
2255 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
2256 	}
2257 
2258 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
2259 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
2260 			return -EOPNOTSUPP;
2261 
2262 		changed |= WIPHY_PARAM_DYN_ACK;
2263 	}
2264 
2265 	if (changed) {
2266 		u8 old_retry_short, old_retry_long;
2267 		u32 old_frag_threshold, old_rts_threshold;
2268 		u8 old_coverage_class;
2269 
2270 		if (!rdev->ops->set_wiphy_params)
2271 			return -EOPNOTSUPP;
2272 
2273 		old_retry_short = rdev->wiphy.retry_short;
2274 		old_retry_long = rdev->wiphy.retry_long;
2275 		old_frag_threshold = rdev->wiphy.frag_threshold;
2276 		old_rts_threshold = rdev->wiphy.rts_threshold;
2277 		old_coverage_class = rdev->wiphy.coverage_class;
2278 
2279 		if (changed & WIPHY_PARAM_RETRY_SHORT)
2280 			rdev->wiphy.retry_short = retry_short;
2281 		if (changed & WIPHY_PARAM_RETRY_LONG)
2282 			rdev->wiphy.retry_long = retry_long;
2283 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
2284 			rdev->wiphy.frag_threshold = frag_threshold;
2285 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
2286 			rdev->wiphy.rts_threshold = rts_threshold;
2287 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
2288 			rdev->wiphy.coverage_class = coverage_class;
2289 
2290 		result = rdev_set_wiphy_params(rdev, changed);
2291 		if (result) {
2292 			rdev->wiphy.retry_short = old_retry_short;
2293 			rdev->wiphy.retry_long = old_retry_long;
2294 			rdev->wiphy.frag_threshold = old_frag_threshold;
2295 			rdev->wiphy.rts_threshold = old_rts_threshold;
2296 			rdev->wiphy.coverage_class = old_coverage_class;
2297 		}
2298 	}
2299 	return 0;
2300 }
2301 
2302 static inline u64 wdev_id(struct wireless_dev *wdev)
2303 {
2304 	return (u64)wdev->identifier |
2305 	       ((u64)wiphy_to_rdev(wdev->wiphy)->wiphy_idx << 32);
2306 }
2307 
2308 static int nl80211_send_chandef(struct sk_buff *msg,
2309 				const struct cfg80211_chan_def *chandef)
2310 {
2311 	WARN_ON(!cfg80211_chandef_valid(chandef));
2312 
2313 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
2314 			chandef->chan->center_freq))
2315 		return -ENOBUFS;
2316 	switch (chandef->width) {
2317 	case NL80211_CHAN_WIDTH_20_NOHT:
2318 	case NL80211_CHAN_WIDTH_20:
2319 	case NL80211_CHAN_WIDTH_40:
2320 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
2321 				cfg80211_get_chandef_type(chandef)))
2322 			return -ENOBUFS;
2323 		break;
2324 	default:
2325 		break;
2326 	}
2327 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
2328 		return -ENOBUFS;
2329 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
2330 		return -ENOBUFS;
2331 	if (chandef->center_freq2 &&
2332 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
2333 		return -ENOBUFS;
2334 	return 0;
2335 }
2336 
2337 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
2338 			      struct cfg80211_registered_device *rdev,
2339 			      struct wireless_dev *wdev)
2340 {
2341 	struct net_device *dev = wdev->netdev;
2342 	void *hdr;
2343 
2344 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_INTERFACE);
2345 	if (!hdr)
2346 		return -1;
2347 
2348 	if (dev &&
2349 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2350 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
2351 		goto nla_put_failure;
2352 
2353 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2354 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
2355 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
2356 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
2357 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2358 			rdev->devlist_generation ^
2359 			(cfg80211_rdev_list_generation << 2)))
2360 		goto nla_put_failure;
2361 
2362 	if (rdev->ops->get_channel) {
2363 		int ret;
2364 		struct cfg80211_chan_def chandef;
2365 
2366 		ret = rdev_get_channel(rdev, wdev, &chandef);
2367 		if (ret == 0) {
2368 			if (nl80211_send_chandef(msg, &chandef))
2369 				goto nla_put_failure;
2370 		}
2371 	}
2372 
2373 	if (wdev->ssid_len) {
2374 		if (nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
2375 			goto nla_put_failure;
2376 	}
2377 
2378 	return genlmsg_end(msg, hdr);
2379 
2380  nla_put_failure:
2381 	genlmsg_cancel(msg, hdr);
2382 	return -EMSGSIZE;
2383 }
2384 
2385 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
2386 {
2387 	int wp_idx = 0;
2388 	int if_idx = 0;
2389 	int wp_start = cb->args[0];
2390 	int if_start = cb->args[1];
2391 	struct cfg80211_registered_device *rdev;
2392 	struct wireless_dev *wdev;
2393 
2394 	rtnl_lock();
2395 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2396 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2397 			continue;
2398 		if (wp_idx < wp_start) {
2399 			wp_idx++;
2400 			continue;
2401 		}
2402 		if_idx = 0;
2403 
2404 		list_for_each_entry(wdev, &rdev->wdev_list, list) {
2405 			if (if_idx < if_start) {
2406 				if_idx++;
2407 				continue;
2408 			}
2409 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
2410 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
2411 					       rdev, wdev) < 0) {
2412 				goto out;
2413 			}
2414 			if_idx++;
2415 		}
2416 
2417 		wp_idx++;
2418 	}
2419  out:
2420 	rtnl_unlock();
2421 
2422 	cb->args[0] = wp_idx;
2423 	cb->args[1] = if_idx;
2424 
2425 	return skb->len;
2426 }
2427 
2428 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
2429 {
2430 	struct sk_buff *msg;
2431 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2432 	struct wireless_dev *wdev = info->user_ptr[1];
2433 
2434 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2435 	if (!msg)
2436 		return -ENOMEM;
2437 
2438 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2439 			       rdev, wdev) < 0) {
2440 		nlmsg_free(msg);
2441 		return -ENOBUFS;
2442 	}
2443 
2444 	return genlmsg_reply(msg, info);
2445 }
2446 
2447 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
2448 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
2449 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
2450 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
2451 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
2452 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
2453 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
2454 };
2455 
2456 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
2457 {
2458 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
2459 	int flag;
2460 
2461 	*mntrflags = 0;
2462 
2463 	if (!nla)
2464 		return -EINVAL;
2465 
2466 	if (nla_parse_nested(flags, NL80211_MNTR_FLAG_MAX,
2467 			     nla, mntr_flags_policy))
2468 		return -EINVAL;
2469 
2470 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
2471 		if (flags[flag])
2472 			*mntrflags |= (1<<flag);
2473 
2474 	return 0;
2475 }
2476 
2477 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
2478 			       struct net_device *netdev, u8 use_4addr,
2479 			       enum nl80211_iftype iftype)
2480 {
2481 	if (!use_4addr) {
2482 		if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
2483 			return -EBUSY;
2484 		return 0;
2485 	}
2486 
2487 	switch (iftype) {
2488 	case NL80211_IFTYPE_AP_VLAN:
2489 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
2490 			return 0;
2491 		break;
2492 	case NL80211_IFTYPE_STATION:
2493 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
2494 			return 0;
2495 		break;
2496 	default:
2497 		break;
2498 	}
2499 
2500 	return -EOPNOTSUPP;
2501 }
2502 
2503 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
2504 {
2505 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2506 	struct vif_params params;
2507 	int err;
2508 	enum nl80211_iftype otype, ntype;
2509 	struct net_device *dev = info->user_ptr[1];
2510 	u32 _flags, *flags = NULL;
2511 	bool change = false;
2512 
2513 	memset(&params, 0, sizeof(params));
2514 
2515 	otype = ntype = dev->ieee80211_ptr->iftype;
2516 
2517 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2518 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2519 		if (otype != ntype)
2520 			change = true;
2521 		if (ntype > NL80211_IFTYPE_MAX)
2522 			return -EINVAL;
2523 	}
2524 
2525 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
2526 		struct wireless_dev *wdev = dev->ieee80211_ptr;
2527 
2528 		if (ntype != NL80211_IFTYPE_MESH_POINT)
2529 			return -EINVAL;
2530 		if (netif_running(dev))
2531 			return -EBUSY;
2532 
2533 		wdev_lock(wdev);
2534 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2535 			     IEEE80211_MAX_MESH_ID_LEN);
2536 		wdev->mesh_id_up_len =
2537 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2538 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2539 		       wdev->mesh_id_up_len);
2540 		wdev_unlock(wdev);
2541 	}
2542 
2543 	if (info->attrs[NL80211_ATTR_4ADDR]) {
2544 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2545 		change = true;
2546 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
2547 		if (err)
2548 			return err;
2549 	} else {
2550 		params.use_4addr = -1;
2551 	}
2552 
2553 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
2554 		if (ntype != NL80211_IFTYPE_MONITOR)
2555 			return -EINVAL;
2556 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
2557 					  &_flags);
2558 		if (err)
2559 			return err;
2560 
2561 		flags = &_flags;
2562 		change = true;
2563 	}
2564 
2565 	if (flags && (*flags & MONITOR_FLAG_ACTIVE) &&
2566 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
2567 		return -EOPNOTSUPP;
2568 
2569 	if (change)
2570 		err = cfg80211_change_iface(rdev, dev, ntype, flags, &params);
2571 	else
2572 		err = 0;
2573 
2574 	if (!err && params.use_4addr != -1)
2575 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
2576 
2577 	return err;
2578 }
2579 
2580 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
2581 {
2582 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2583 	struct vif_params params;
2584 	struct wireless_dev *wdev;
2585 	struct sk_buff *msg;
2586 	int err;
2587 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
2588 	u32 flags;
2589 
2590 	/* to avoid failing a new interface creation due to pending removal */
2591 	cfg80211_destroy_ifaces(rdev);
2592 
2593 	memset(&params, 0, sizeof(params));
2594 
2595 	if (!info->attrs[NL80211_ATTR_IFNAME])
2596 		return -EINVAL;
2597 
2598 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2599 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2600 		if (type > NL80211_IFTYPE_MAX)
2601 			return -EINVAL;
2602 	}
2603 
2604 	if (!rdev->ops->add_virtual_intf ||
2605 	    !(rdev->wiphy.interface_modes & (1 << type)))
2606 		return -EOPNOTSUPP;
2607 
2608 	if (type == NL80211_IFTYPE_P2P_DEVICE && info->attrs[NL80211_ATTR_MAC]) {
2609 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
2610 			   ETH_ALEN);
2611 		if (!is_valid_ether_addr(params.macaddr))
2612 			return -EADDRNOTAVAIL;
2613 	}
2614 
2615 	if (info->attrs[NL80211_ATTR_4ADDR]) {
2616 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2617 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
2618 		if (err)
2619 			return err;
2620 	}
2621 
2622 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2623 	if (!msg)
2624 		return -ENOMEM;
2625 
2626 	err = parse_monitor_flags(type == NL80211_IFTYPE_MONITOR ?
2627 				  info->attrs[NL80211_ATTR_MNTR_FLAGS] : NULL,
2628 				  &flags);
2629 
2630 	if (!err && (flags & MONITOR_FLAG_ACTIVE) &&
2631 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
2632 		return -EOPNOTSUPP;
2633 
2634 	wdev = rdev_add_virtual_intf(rdev,
2635 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
2636 				type, err ? NULL : &flags, &params);
2637 	if (IS_ERR(wdev)) {
2638 		nlmsg_free(msg);
2639 		return PTR_ERR(wdev);
2640 	}
2641 
2642 	if (info->attrs[NL80211_ATTR_IFACE_SOCKET_OWNER])
2643 		wdev->owner_nlportid = info->snd_portid;
2644 
2645 	switch (type) {
2646 	case NL80211_IFTYPE_MESH_POINT:
2647 		if (!info->attrs[NL80211_ATTR_MESH_ID])
2648 			break;
2649 		wdev_lock(wdev);
2650 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2651 			     IEEE80211_MAX_MESH_ID_LEN);
2652 		wdev->mesh_id_up_len =
2653 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2654 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2655 		       wdev->mesh_id_up_len);
2656 		wdev_unlock(wdev);
2657 		break;
2658 	case NL80211_IFTYPE_P2P_DEVICE:
2659 		/*
2660 		 * P2P Device doesn't have a netdev, so doesn't go
2661 		 * through the netdev notifier and must be added here
2662 		 */
2663 		mutex_init(&wdev->mtx);
2664 		INIT_LIST_HEAD(&wdev->event_list);
2665 		spin_lock_init(&wdev->event_lock);
2666 		INIT_LIST_HEAD(&wdev->mgmt_registrations);
2667 		spin_lock_init(&wdev->mgmt_registrations_lock);
2668 
2669 		wdev->identifier = ++rdev->wdev_id;
2670 		list_add_rcu(&wdev->list, &rdev->wdev_list);
2671 		rdev->devlist_generation++;
2672 		break;
2673 	default:
2674 		break;
2675 	}
2676 
2677 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2678 			       rdev, wdev) < 0) {
2679 		nlmsg_free(msg);
2680 		return -ENOBUFS;
2681 	}
2682 
2683 	return genlmsg_reply(msg, info);
2684 }
2685 
2686 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
2687 {
2688 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2689 	struct wireless_dev *wdev = info->user_ptr[1];
2690 
2691 	if (!rdev->ops->del_virtual_intf)
2692 		return -EOPNOTSUPP;
2693 
2694 	/*
2695 	 * If we remove a wireless device without a netdev then clear
2696 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
2697 	 * to check if it needs to do dev_put(). Otherwise it crashes
2698 	 * since the wdev has been freed, unlike with a netdev where
2699 	 * we need the dev_put() for the netdev to really be freed.
2700 	 */
2701 	if (!wdev->netdev)
2702 		info->user_ptr[1] = NULL;
2703 
2704 	return rdev_del_virtual_intf(rdev, wdev);
2705 }
2706 
2707 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
2708 {
2709 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2710 	struct net_device *dev = info->user_ptr[1];
2711 	u16 noack_map;
2712 
2713 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
2714 		return -EINVAL;
2715 
2716 	if (!rdev->ops->set_noack_map)
2717 		return -EOPNOTSUPP;
2718 
2719 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
2720 
2721 	return rdev_set_noack_map(rdev, dev, noack_map);
2722 }
2723 
2724 struct get_key_cookie {
2725 	struct sk_buff *msg;
2726 	int error;
2727 	int idx;
2728 };
2729 
2730 static void get_key_callback(void *c, struct key_params *params)
2731 {
2732 	struct nlattr *key;
2733 	struct get_key_cookie *cookie = c;
2734 
2735 	if ((params->key &&
2736 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
2737 		     params->key_len, params->key)) ||
2738 	    (params->seq &&
2739 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
2740 		     params->seq_len, params->seq)) ||
2741 	    (params->cipher &&
2742 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
2743 			 params->cipher)))
2744 		goto nla_put_failure;
2745 
2746 	key = nla_nest_start(cookie->msg, NL80211_ATTR_KEY);
2747 	if (!key)
2748 		goto nla_put_failure;
2749 
2750 	if ((params->key &&
2751 	     nla_put(cookie->msg, NL80211_KEY_DATA,
2752 		     params->key_len, params->key)) ||
2753 	    (params->seq &&
2754 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
2755 		     params->seq_len, params->seq)) ||
2756 	    (params->cipher &&
2757 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
2758 			 params->cipher)))
2759 		goto nla_put_failure;
2760 
2761 	if (nla_put_u8(cookie->msg, NL80211_ATTR_KEY_IDX, cookie->idx))
2762 		goto nla_put_failure;
2763 
2764 	nla_nest_end(cookie->msg, key);
2765 
2766 	return;
2767  nla_put_failure:
2768 	cookie->error = 1;
2769 }
2770 
2771 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
2772 {
2773 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2774 	int err;
2775 	struct net_device *dev = info->user_ptr[1];
2776 	u8 key_idx = 0;
2777 	const u8 *mac_addr = NULL;
2778 	bool pairwise;
2779 	struct get_key_cookie cookie = {
2780 		.error = 0,
2781 	};
2782 	void *hdr;
2783 	struct sk_buff *msg;
2784 
2785 	if (info->attrs[NL80211_ATTR_KEY_IDX])
2786 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
2787 
2788 	if (key_idx > 5)
2789 		return -EINVAL;
2790 
2791 	if (info->attrs[NL80211_ATTR_MAC])
2792 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2793 
2794 	pairwise = !!mac_addr;
2795 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
2796 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
2797 		if (kt >= NUM_NL80211_KEYTYPES)
2798 			return -EINVAL;
2799 		if (kt != NL80211_KEYTYPE_GROUP &&
2800 		    kt != NL80211_KEYTYPE_PAIRWISE)
2801 			return -EINVAL;
2802 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
2803 	}
2804 
2805 	if (!rdev->ops->get_key)
2806 		return -EOPNOTSUPP;
2807 
2808 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2809 	if (!msg)
2810 		return -ENOMEM;
2811 
2812 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
2813 			     NL80211_CMD_NEW_KEY);
2814 	if (!hdr)
2815 		goto nla_put_failure;
2816 
2817 	cookie.msg = msg;
2818 	cookie.idx = key_idx;
2819 
2820 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2821 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
2822 		goto nla_put_failure;
2823 	if (mac_addr &&
2824 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
2825 		goto nla_put_failure;
2826 
2827 	if (pairwise && mac_addr &&
2828 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2829 		return -ENOENT;
2830 
2831 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
2832 			   get_key_callback);
2833 
2834 	if (err)
2835 		goto free_msg;
2836 
2837 	if (cookie.error)
2838 		goto nla_put_failure;
2839 
2840 	genlmsg_end(msg, hdr);
2841 	return genlmsg_reply(msg, info);
2842 
2843  nla_put_failure:
2844 	err = -ENOBUFS;
2845  free_msg:
2846 	nlmsg_free(msg);
2847 	return err;
2848 }
2849 
2850 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
2851 {
2852 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2853 	struct key_parse key;
2854 	int err;
2855 	struct net_device *dev = info->user_ptr[1];
2856 
2857 	err = nl80211_parse_key(info, &key);
2858 	if (err)
2859 		return err;
2860 
2861 	if (key.idx < 0)
2862 		return -EINVAL;
2863 
2864 	/* only support setting default key */
2865 	if (!key.def && !key.defmgmt)
2866 		return -EINVAL;
2867 
2868 	wdev_lock(dev->ieee80211_ptr);
2869 
2870 	if (key.def) {
2871 		if (!rdev->ops->set_default_key) {
2872 			err = -EOPNOTSUPP;
2873 			goto out;
2874 		}
2875 
2876 		err = nl80211_key_allowed(dev->ieee80211_ptr);
2877 		if (err)
2878 			goto out;
2879 
2880 		err = rdev_set_default_key(rdev, dev, key.idx,
2881 						 key.def_uni, key.def_multi);
2882 
2883 		if (err)
2884 			goto out;
2885 
2886 #ifdef CONFIG_CFG80211_WEXT
2887 		dev->ieee80211_ptr->wext.default_key = key.idx;
2888 #endif
2889 	} else {
2890 		if (key.def_uni || !key.def_multi) {
2891 			err = -EINVAL;
2892 			goto out;
2893 		}
2894 
2895 		if (!rdev->ops->set_default_mgmt_key) {
2896 			err = -EOPNOTSUPP;
2897 			goto out;
2898 		}
2899 
2900 		err = nl80211_key_allowed(dev->ieee80211_ptr);
2901 		if (err)
2902 			goto out;
2903 
2904 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
2905 		if (err)
2906 			goto out;
2907 
2908 #ifdef CONFIG_CFG80211_WEXT
2909 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
2910 #endif
2911 	}
2912 
2913  out:
2914 	wdev_unlock(dev->ieee80211_ptr);
2915 
2916 	return err;
2917 }
2918 
2919 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
2920 {
2921 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2922 	int err;
2923 	struct net_device *dev = info->user_ptr[1];
2924 	struct key_parse key;
2925 	const u8 *mac_addr = NULL;
2926 
2927 	err = nl80211_parse_key(info, &key);
2928 	if (err)
2929 		return err;
2930 
2931 	if (!key.p.key)
2932 		return -EINVAL;
2933 
2934 	if (info->attrs[NL80211_ATTR_MAC])
2935 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2936 
2937 	if (key.type == -1) {
2938 		if (mac_addr)
2939 			key.type = NL80211_KEYTYPE_PAIRWISE;
2940 		else
2941 			key.type = NL80211_KEYTYPE_GROUP;
2942 	}
2943 
2944 	/* for now */
2945 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
2946 	    key.type != NL80211_KEYTYPE_GROUP)
2947 		return -EINVAL;
2948 
2949 	if (!rdev->ops->add_key)
2950 		return -EOPNOTSUPP;
2951 
2952 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
2953 					   key.type == NL80211_KEYTYPE_PAIRWISE,
2954 					   mac_addr))
2955 		return -EINVAL;
2956 
2957 	wdev_lock(dev->ieee80211_ptr);
2958 	err = nl80211_key_allowed(dev->ieee80211_ptr);
2959 	if (!err)
2960 		err = rdev_add_key(rdev, dev, key.idx,
2961 				   key.type == NL80211_KEYTYPE_PAIRWISE,
2962 				    mac_addr, &key.p);
2963 	wdev_unlock(dev->ieee80211_ptr);
2964 
2965 	return err;
2966 }
2967 
2968 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
2969 {
2970 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2971 	int err;
2972 	struct net_device *dev = info->user_ptr[1];
2973 	u8 *mac_addr = NULL;
2974 	struct key_parse key;
2975 
2976 	err = nl80211_parse_key(info, &key);
2977 	if (err)
2978 		return err;
2979 
2980 	if (info->attrs[NL80211_ATTR_MAC])
2981 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2982 
2983 	if (key.type == -1) {
2984 		if (mac_addr)
2985 			key.type = NL80211_KEYTYPE_PAIRWISE;
2986 		else
2987 			key.type = NL80211_KEYTYPE_GROUP;
2988 	}
2989 
2990 	/* for now */
2991 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
2992 	    key.type != NL80211_KEYTYPE_GROUP)
2993 		return -EINVAL;
2994 
2995 	if (!rdev->ops->del_key)
2996 		return -EOPNOTSUPP;
2997 
2998 	wdev_lock(dev->ieee80211_ptr);
2999 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3000 
3001 	if (key.type == NL80211_KEYTYPE_PAIRWISE && mac_addr &&
3002 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3003 		err = -ENOENT;
3004 
3005 	if (!err)
3006 		err = rdev_del_key(rdev, dev, key.idx,
3007 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3008 				   mac_addr);
3009 
3010 #ifdef CONFIG_CFG80211_WEXT
3011 	if (!err) {
3012 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
3013 			dev->ieee80211_ptr->wext.default_key = -1;
3014 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
3015 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
3016 	}
3017 #endif
3018 	wdev_unlock(dev->ieee80211_ptr);
3019 
3020 	return err;
3021 }
3022 
3023 /* This function returns an error or the number of nested attributes */
3024 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
3025 {
3026 	struct nlattr *attr;
3027 	int n_entries = 0, tmp;
3028 
3029 	nla_for_each_nested(attr, nl_attr, tmp) {
3030 		if (nla_len(attr) != ETH_ALEN)
3031 			return -EINVAL;
3032 
3033 		n_entries++;
3034 	}
3035 
3036 	return n_entries;
3037 }
3038 
3039 /*
3040  * This function parses ACL information and allocates memory for ACL data.
3041  * On successful return, the calling function is responsible to free the
3042  * ACL buffer returned by this function.
3043  */
3044 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
3045 						struct genl_info *info)
3046 {
3047 	enum nl80211_acl_policy acl_policy;
3048 	struct nlattr *attr;
3049 	struct cfg80211_acl_data *acl;
3050 	int i = 0, n_entries, tmp;
3051 
3052 	if (!wiphy->max_acl_mac_addrs)
3053 		return ERR_PTR(-EOPNOTSUPP);
3054 
3055 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
3056 		return ERR_PTR(-EINVAL);
3057 
3058 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
3059 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
3060 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
3061 		return ERR_PTR(-EINVAL);
3062 
3063 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
3064 		return ERR_PTR(-EINVAL);
3065 
3066 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
3067 	if (n_entries < 0)
3068 		return ERR_PTR(n_entries);
3069 
3070 	if (n_entries > wiphy->max_acl_mac_addrs)
3071 		return ERR_PTR(-ENOTSUPP);
3072 
3073 	acl = kzalloc(sizeof(*acl) + (sizeof(struct mac_address) * n_entries),
3074 		      GFP_KERNEL);
3075 	if (!acl)
3076 		return ERR_PTR(-ENOMEM);
3077 
3078 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
3079 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
3080 		i++;
3081 	}
3082 
3083 	acl->n_acl_entries = n_entries;
3084 	acl->acl_policy = acl_policy;
3085 
3086 	return acl;
3087 }
3088 
3089 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
3090 {
3091 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3092 	struct net_device *dev = info->user_ptr[1];
3093 	struct cfg80211_acl_data *acl;
3094 	int err;
3095 
3096 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3097 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3098 		return -EOPNOTSUPP;
3099 
3100 	if (!dev->ieee80211_ptr->beacon_interval)
3101 		return -EINVAL;
3102 
3103 	acl = parse_acl_data(&rdev->wiphy, info);
3104 	if (IS_ERR(acl))
3105 		return PTR_ERR(acl);
3106 
3107 	err = rdev_set_mac_acl(rdev, dev, acl);
3108 
3109 	kfree(acl);
3110 
3111 	return err;
3112 }
3113 
3114 static int nl80211_parse_beacon(struct nlattr *attrs[],
3115 				struct cfg80211_beacon_data *bcn)
3116 {
3117 	bool haveinfo = false;
3118 
3119 	if (!is_valid_ie_attr(attrs[NL80211_ATTR_BEACON_TAIL]) ||
3120 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE]) ||
3121 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE_PROBE_RESP]) ||
3122 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE_ASSOC_RESP]))
3123 		return -EINVAL;
3124 
3125 	memset(bcn, 0, sizeof(*bcn));
3126 
3127 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
3128 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
3129 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
3130 		if (!bcn->head_len)
3131 			return -EINVAL;
3132 		haveinfo = true;
3133 	}
3134 
3135 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
3136 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
3137 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
3138 		haveinfo = true;
3139 	}
3140 
3141 	if (!haveinfo)
3142 		return -EINVAL;
3143 
3144 	if (attrs[NL80211_ATTR_IE]) {
3145 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
3146 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
3147 	}
3148 
3149 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
3150 		bcn->proberesp_ies =
3151 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
3152 		bcn->proberesp_ies_len =
3153 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
3154 	}
3155 
3156 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
3157 		bcn->assocresp_ies =
3158 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
3159 		bcn->assocresp_ies_len =
3160 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
3161 	}
3162 
3163 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
3164 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
3165 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
3166 	}
3167 
3168 	return 0;
3169 }
3170 
3171 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
3172 				   struct cfg80211_ap_settings *params)
3173 {
3174 	struct wireless_dev *wdev;
3175 	bool ret = false;
3176 
3177 	list_for_each_entry(wdev, &rdev->wdev_list, list) {
3178 		if (wdev->iftype != NL80211_IFTYPE_AP &&
3179 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
3180 			continue;
3181 
3182 		if (!wdev->preset_chandef.chan)
3183 			continue;
3184 
3185 		params->chandef = wdev->preset_chandef;
3186 		ret = true;
3187 		break;
3188 	}
3189 
3190 	return ret;
3191 }
3192 
3193 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
3194 				    enum nl80211_auth_type auth_type,
3195 				    enum nl80211_commands cmd)
3196 {
3197 	if (auth_type > NL80211_AUTHTYPE_MAX)
3198 		return false;
3199 
3200 	switch (cmd) {
3201 	case NL80211_CMD_AUTHENTICATE:
3202 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
3203 		    auth_type == NL80211_AUTHTYPE_SAE)
3204 			return false;
3205 		return true;
3206 	case NL80211_CMD_CONNECT:
3207 	case NL80211_CMD_START_AP:
3208 		/* SAE not supported yet */
3209 		if (auth_type == NL80211_AUTHTYPE_SAE)
3210 			return false;
3211 		return true;
3212 	default:
3213 		return false;
3214 	}
3215 }
3216 
3217 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
3218 {
3219 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3220 	struct net_device *dev = info->user_ptr[1];
3221 	struct wireless_dev *wdev = dev->ieee80211_ptr;
3222 	struct cfg80211_ap_settings params;
3223 	int err;
3224 
3225 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3226 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3227 		return -EOPNOTSUPP;
3228 
3229 	if (!rdev->ops->start_ap)
3230 		return -EOPNOTSUPP;
3231 
3232 	if (wdev->beacon_interval)
3233 		return -EALREADY;
3234 
3235 	memset(&params, 0, sizeof(params));
3236 
3237 	/* these are required for START_AP */
3238 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
3239 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
3240 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
3241 		return -EINVAL;
3242 
3243 	err = nl80211_parse_beacon(info->attrs, &params.beacon);
3244 	if (err)
3245 		return err;
3246 
3247 	params.beacon_interval =
3248 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
3249 	params.dtim_period =
3250 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
3251 
3252 	err = cfg80211_validate_beacon_int(rdev, params.beacon_interval);
3253 	if (err)
3254 		return err;
3255 
3256 	/*
3257 	 * In theory, some of these attributes should be required here
3258 	 * but since they were not used when the command was originally
3259 	 * added, keep them optional for old user space programs to let
3260 	 * them continue to work with drivers that do not need the
3261 	 * additional information -- drivers must check!
3262 	 */
3263 	if (info->attrs[NL80211_ATTR_SSID]) {
3264 		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
3265 		params.ssid_len =
3266 			nla_len(info->attrs[NL80211_ATTR_SSID]);
3267 		if (params.ssid_len == 0 ||
3268 		    params.ssid_len > IEEE80211_MAX_SSID_LEN)
3269 			return -EINVAL;
3270 	}
3271 
3272 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID]) {
3273 		params.hidden_ssid = nla_get_u32(
3274 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
3275 		if (params.hidden_ssid != NL80211_HIDDEN_SSID_NOT_IN_USE &&
3276 		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_LEN &&
3277 		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_CONTENTS)
3278 			return -EINVAL;
3279 	}
3280 
3281 	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
3282 
3283 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
3284 		params.auth_type = nla_get_u32(
3285 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
3286 		if (!nl80211_valid_auth_type(rdev, params.auth_type,
3287 					     NL80211_CMD_START_AP))
3288 			return -EINVAL;
3289 	} else
3290 		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
3291 
3292 	err = nl80211_crypto_settings(rdev, info, &params.crypto,
3293 				      NL80211_MAX_NR_CIPHER_SUITES);
3294 	if (err)
3295 		return err;
3296 
3297 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
3298 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
3299 			return -EOPNOTSUPP;
3300 		params.inactivity_timeout = nla_get_u16(
3301 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
3302 	}
3303 
3304 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
3305 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3306 			return -EINVAL;
3307 		params.p2p_ctwindow =
3308 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
3309 		if (params.p2p_ctwindow > 127)
3310 			return -EINVAL;
3311 		if (params.p2p_ctwindow != 0 &&
3312 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
3313 			return -EINVAL;
3314 	}
3315 
3316 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
3317 		u8 tmp;
3318 
3319 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3320 			return -EINVAL;
3321 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
3322 		if (tmp > 1)
3323 			return -EINVAL;
3324 		params.p2p_opp_ps = tmp;
3325 		if (params.p2p_opp_ps != 0 &&
3326 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
3327 			return -EINVAL;
3328 	}
3329 
3330 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3331 		err = nl80211_parse_chandef(rdev, info, &params.chandef);
3332 		if (err)
3333 			return err;
3334 	} else if (wdev->preset_chandef.chan) {
3335 		params.chandef = wdev->preset_chandef;
3336 	} else if (!nl80211_get_ap_channel(rdev, &params))
3337 		return -EINVAL;
3338 
3339 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &params.chandef,
3340 				     wdev->iftype))
3341 		return -EINVAL;
3342 
3343 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
3344 		params.acl = parse_acl_data(&rdev->wiphy, info);
3345 		if (IS_ERR(params.acl))
3346 			return PTR_ERR(params.acl);
3347 	}
3348 
3349 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
3350 		params.smps_mode =
3351 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
3352 		switch (params.smps_mode) {
3353 		case NL80211_SMPS_OFF:
3354 			break;
3355 		case NL80211_SMPS_STATIC:
3356 			if (!(rdev->wiphy.features &
3357 			      NL80211_FEATURE_STATIC_SMPS))
3358 				return -EINVAL;
3359 			break;
3360 		case NL80211_SMPS_DYNAMIC:
3361 			if (!(rdev->wiphy.features &
3362 			      NL80211_FEATURE_DYNAMIC_SMPS))
3363 				return -EINVAL;
3364 			break;
3365 		default:
3366 			return -EINVAL;
3367 		}
3368 	} else {
3369 		params.smps_mode = NL80211_SMPS_OFF;
3370 	}
3371 
3372 	wdev_lock(wdev);
3373 	err = rdev_start_ap(rdev, dev, &params);
3374 	if (!err) {
3375 		wdev->preset_chandef = params.chandef;
3376 		wdev->beacon_interval = params.beacon_interval;
3377 		wdev->chandef = params.chandef;
3378 		wdev->ssid_len = params.ssid_len;
3379 		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
3380 	}
3381 	wdev_unlock(wdev);
3382 
3383 	kfree(params.acl);
3384 
3385 	return err;
3386 }
3387 
3388 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
3389 {
3390 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3391 	struct net_device *dev = info->user_ptr[1];
3392 	struct wireless_dev *wdev = dev->ieee80211_ptr;
3393 	struct cfg80211_beacon_data params;
3394 	int err;
3395 
3396 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3397 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3398 		return -EOPNOTSUPP;
3399 
3400 	if (!rdev->ops->change_beacon)
3401 		return -EOPNOTSUPP;
3402 
3403 	if (!wdev->beacon_interval)
3404 		return -EINVAL;
3405 
3406 	err = nl80211_parse_beacon(info->attrs, &params);
3407 	if (err)
3408 		return err;
3409 
3410 	wdev_lock(wdev);
3411 	err = rdev_change_beacon(rdev, dev, &params);
3412 	wdev_unlock(wdev);
3413 
3414 	return err;
3415 }
3416 
3417 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
3418 {
3419 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3420 	struct net_device *dev = info->user_ptr[1];
3421 
3422 	return cfg80211_stop_ap(rdev, dev, false);
3423 }
3424 
3425 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
3426 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
3427 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
3428 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
3429 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
3430 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
3431 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
3432 };
3433 
3434 static int parse_station_flags(struct genl_info *info,
3435 			       enum nl80211_iftype iftype,
3436 			       struct station_parameters *params)
3437 {
3438 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
3439 	struct nlattr *nla;
3440 	int flag;
3441 
3442 	/*
3443 	 * Try parsing the new attribute first so userspace
3444 	 * can specify both for older kernels.
3445 	 */
3446 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
3447 	if (nla) {
3448 		struct nl80211_sta_flag_update *sta_flags;
3449 
3450 		sta_flags = nla_data(nla);
3451 		params->sta_flags_mask = sta_flags->mask;
3452 		params->sta_flags_set = sta_flags->set;
3453 		params->sta_flags_set &= params->sta_flags_mask;
3454 		if ((params->sta_flags_mask |
3455 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
3456 			return -EINVAL;
3457 		return 0;
3458 	}
3459 
3460 	/* if present, parse the old attribute */
3461 
3462 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
3463 	if (!nla)
3464 		return 0;
3465 
3466 	if (nla_parse_nested(flags, NL80211_STA_FLAG_MAX,
3467 			     nla, sta_flags_policy))
3468 		return -EINVAL;
3469 
3470 	/*
3471 	 * Only allow certain flags for interface types so that
3472 	 * other attributes are silently ignored. Remember that
3473 	 * this is backward compatibility code with old userspace
3474 	 * and shouldn't be hit in other cases anyway.
3475 	 */
3476 	switch (iftype) {
3477 	case NL80211_IFTYPE_AP:
3478 	case NL80211_IFTYPE_AP_VLAN:
3479 	case NL80211_IFTYPE_P2P_GO:
3480 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
3481 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
3482 					 BIT(NL80211_STA_FLAG_WME) |
3483 					 BIT(NL80211_STA_FLAG_MFP);
3484 		break;
3485 	case NL80211_IFTYPE_P2P_CLIENT:
3486 	case NL80211_IFTYPE_STATION:
3487 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
3488 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
3489 		break;
3490 	case NL80211_IFTYPE_MESH_POINT:
3491 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3492 					 BIT(NL80211_STA_FLAG_MFP) |
3493 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
3494 	default:
3495 		return -EINVAL;
3496 	}
3497 
3498 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
3499 		if (flags[flag]) {
3500 			params->sta_flags_set |= (1<<flag);
3501 
3502 			/* no longer support new API additions in old API */
3503 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
3504 				return -EINVAL;
3505 		}
3506 	}
3507 
3508 	return 0;
3509 }
3510 
3511 static bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info,
3512 				 int attr)
3513 {
3514 	struct nlattr *rate;
3515 	u32 bitrate;
3516 	u16 bitrate_compat;
3517 
3518 	rate = nla_nest_start(msg, attr);
3519 	if (!rate)
3520 		return false;
3521 
3522 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
3523 	bitrate = cfg80211_calculate_bitrate(info);
3524 	/* report 16-bit bitrate only if we can */
3525 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
3526 	if (bitrate > 0 &&
3527 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
3528 		return false;
3529 	if (bitrate_compat > 0 &&
3530 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
3531 		return false;
3532 
3533 	if (info->flags & RATE_INFO_FLAGS_MCS) {
3534 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
3535 			return false;
3536 		if (info->flags & RATE_INFO_FLAGS_40_MHZ_WIDTH &&
3537 		    nla_put_flag(msg, NL80211_RATE_INFO_40_MHZ_WIDTH))
3538 			return false;
3539 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3540 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3541 			return false;
3542 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
3543 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
3544 			return false;
3545 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
3546 			return false;
3547 		if (info->flags & RATE_INFO_FLAGS_40_MHZ_WIDTH &&
3548 		    nla_put_flag(msg, NL80211_RATE_INFO_40_MHZ_WIDTH))
3549 			return false;
3550 		if (info->flags & RATE_INFO_FLAGS_80_MHZ_WIDTH &&
3551 		    nla_put_flag(msg, NL80211_RATE_INFO_80_MHZ_WIDTH))
3552 			return false;
3553 		if (info->flags & RATE_INFO_FLAGS_80P80_MHZ_WIDTH &&
3554 		    nla_put_flag(msg, NL80211_RATE_INFO_80P80_MHZ_WIDTH))
3555 			return false;
3556 		if (info->flags & RATE_INFO_FLAGS_160_MHZ_WIDTH &&
3557 		    nla_put_flag(msg, NL80211_RATE_INFO_160_MHZ_WIDTH))
3558 			return false;
3559 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3560 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3561 			return false;
3562 	}
3563 
3564 	nla_nest_end(msg, rate);
3565 	return true;
3566 }
3567 
3568 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
3569 			       int id)
3570 {
3571 	void *attr;
3572 	int i = 0;
3573 
3574 	if (!mask)
3575 		return true;
3576 
3577 	attr = nla_nest_start(msg, id);
3578 	if (!attr)
3579 		return false;
3580 
3581 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
3582 		if (!(mask & BIT(i)))
3583 			continue;
3584 
3585 		if (nla_put_u8(msg, i, signal[i]))
3586 			return false;
3587 	}
3588 
3589 	nla_nest_end(msg, attr);
3590 
3591 	return true;
3592 }
3593 
3594 static int nl80211_send_station(struct sk_buff *msg, u32 portid, u32 seq,
3595 				int flags,
3596 				struct cfg80211_registered_device *rdev,
3597 				struct net_device *dev,
3598 				const u8 *mac_addr, struct station_info *sinfo)
3599 {
3600 	void *hdr;
3601 	struct nlattr *sinfoattr, *bss_param;
3602 
3603 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_STATION);
3604 	if (!hdr)
3605 		return -1;
3606 
3607 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3608 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
3609 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
3610 		goto nla_put_failure;
3611 
3612 	sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
3613 	if (!sinfoattr)
3614 		goto nla_put_failure;
3615 	if ((sinfo->filled & STATION_INFO_CONNECTED_TIME) &&
3616 	    nla_put_u32(msg, NL80211_STA_INFO_CONNECTED_TIME,
3617 			sinfo->connected_time))
3618 		goto nla_put_failure;
3619 	if ((sinfo->filled & STATION_INFO_INACTIVE_TIME) &&
3620 	    nla_put_u32(msg, NL80211_STA_INFO_INACTIVE_TIME,
3621 			sinfo->inactive_time))
3622 		goto nla_put_failure;
3623 	if ((sinfo->filled & (STATION_INFO_RX_BYTES |
3624 			      STATION_INFO_RX_BYTES64)) &&
3625 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
3626 			(u32)sinfo->rx_bytes))
3627 		goto nla_put_failure;
3628 	if ((sinfo->filled & (STATION_INFO_TX_BYTES |
3629 			      STATION_INFO_TX_BYTES64)) &&
3630 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
3631 			(u32)sinfo->tx_bytes))
3632 		goto nla_put_failure;
3633 	if ((sinfo->filled & STATION_INFO_RX_BYTES64) &&
3634 	    nla_put_u64(msg, NL80211_STA_INFO_RX_BYTES64,
3635 			sinfo->rx_bytes))
3636 		goto nla_put_failure;
3637 	if ((sinfo->filled & STATION_INFO_TX_BYTES64) &&
3638 	    nla_put_u64(msg, NL80211_STA_INFO_TX_BYTES64,
3639 			sinfo->tx_bytes))
3640 		goto nla_put_failure;
3641 	if ((sinfo->filled & STATION_INFO_LLID) &&
3642 	    nla_put_u16(msg, NL80211_STA_INFO_LLID, sinfo->llid))
3643 		goto nla_put_failure;
3644 	if ((sinfo->filled & STATION_INFO_PLID) &&
3645 	    nla_put_u16(msg, NL80211_STA_INFO_PLID, sinfo->plid))
3646 		goto nla_put_failure;
3647 	if ((sinfo->filled & STATION_INFO_PLINK_STATE) &&
3648 	    nla_put_u8(msg, NL80211_STA_INFO_PLINK_STATE,
3649 		       sinfo->plink_state))
3650 		goto nla_put_failure;
3651 	switch (rdev->wiphy.signal_type) {
3652 	case CFG80211_SIGNAL_TYPE_MBM:
3653 		if ((sinfo->filled & STATION_INFO_SIGNAL) &&
3654 		    nla_put_u8(msg, NL80211_STA_INFO_SIGNAL,
3655 			       sinfo->signal))
3656 			goto nla_put_failure;
3657 		if ((sinfo->filled & STATION_INFO_SIGNAL_AVG) &&
3658 		    nla_put_u8(msg, NL80211_STA_INFO_SIGNAL_AVG,
3659 			       sinfo->signal_avg))
3660 			goto nla_put_failure;
3661 		break;
3662 	default:
3663 		break;
3664 	}
3665 	if (sinfo->filled & STATION_INFO_CHAIN_SIGNAL) {
3666 		if (!nl80211_put_signal(msg, sinfo->chains,
3667 					sinfo->chain_signal,
3668 					NL80211_STA_INFO_CHAIN_SIGNAL))
3669 			goto nla_put_failure;
3670 	}
3671 	if (sinfo->filled & STATION_INFO_CHAIN_SIGNAL_AVG) {
3672 		if (!nl80211_put_signal(msg, sinfo->chains,
3673 					sinfo->chain_signal_avg,
3674 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
3675 			goto nla_put_failure;
3676 	}
3677 	if (sinfo->filled & STATION_INFO_TX_BITRATE) {
3678 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
3679 					  NL80211_STA_INFO_TX_BITRATE))
3680 			goto nla_put_failure;
3681 	}
3682 	if (sinfo->filled & STATION_INFO_RX_BITRATE) {
3683 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
3684 					  NL80211_STA_INFO_RX_BITRATE))
3685 			goto nla_put_failure;
3686 	}
3687 	if ((sinfo->filled & STATION_INFO_RX_PACKETS) &&
3688 	    nla_put_u32(msg, NL80211_STA_INFO_RX_PACKETS,
3689 			sinfo->rx_packets))
3690 		goto nla_put_failure;
3691 	if ((sinfo->filled & STATION_INFO_TX_PACKETS) &&
3692 	    nla_put_u32(msg, NL80211_STA_INFO_TX_PACKETS,
3693 			sinfo->tx_packets))
3694 		goto nla_put_failure;
3695 	if ((sinfo->filled & STATION_INFO_TX_RETRIES) &&
3696 	    nla_put_u32(msg, NL80211_STA_INFO_TX_RETRIES,
3697 			sinfo->tx_retries))
3698 		goto nla_put_failure;
3699 	if ((sinfo->filled & STATION_INFO_TX_FAILED) &&
3700 	    nla_put_u32(msg, NL80211_STA_INFO_TX_FAILED,
3701 			sinfo->tx_failed))
3702 		goto nla_put_failure;
3703 	if ((sinfo->filled & STATION_INFO_EXPECTED_THROUGHPUT) &&
3704 	    nla_put_u32(msg, NL80211_STA_INFO_EXPECTED_THROUGHPUT,
3705 			sinfo->expected_throughput))
3706 		goto nla_put_failure;
3707 	if ((sinfo->filled & STATION_INFO_BEACON_LOSS_COUNT) &&
3708 	    nla_put_u32(msg, NL80211_STA_INFO_BEACON_LOSS,
3709 			sinfo->beacon_loss_count))
3710 		goto nla_put_failure;
3711 	if ((sinfo->filled & STATION_INFO_LOCAL_PM) &&
3712 	    nla_put_u32(msg, NL80211_STA_INFO_LOCAL_PM,
3713 			sinfo->local_pm))
3714 		goto nla_put_failure;
3715 	if ((sinfo->filled & STATION_INFO_PEER_PM) &&
3716 	    nla_put_u32(msg, NL80211_STA_INFO_PEER_PM,
3717 			sinfo->peer_pm))
3718 		goto nla_put_failure;
3719 	if ((sinfo->filled & STATION_INFO_NONPEER_PM) &&
3720 	    nla_put_u32(msg, NL80211_STA_INFO_NONPEER_PM,
3721 			sinfo->nonpeer_pm))
3722 		goto nla_put_failure;
3723 	if (sinfo->filled & STATION_INFO_BSS_PARAM) {
3724 		bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
3725 		if (!bss_param)
3726 			goto nla_put_failure;
3727 
3728 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
3729 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
3730 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
3731 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
3732 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
3733 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
3734 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
3735 			       sinfo->bss_param.dtim_period) ||
3736 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
3737 				sinfo->bss_param.beacon_interval))
3738 			goto nla_put_failure;
3739 
3740 		nla_nest_end(msg, bss_param);
3741 	}
3742 	if ((sinfo->filled & STATION_INFO_STA_FLAGS) &&
3743 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
3744 		    sizeof(struct nl80211_sta_flag_update),
3745 		    &sinfo->sta_flags))
3746 		goto nla_put_failure;
3747 	if ((sinfo->filled & STATION_INFO_T_OFFSET) &&
3748 		nla_put_u64(msg, NL80211_STA_INFO_T_OFFSET,
3749 			    sinfo->t_offset))
3750 		goto nla_put_failure;
3751 	nla_nest_end(msg, sinfoattr);
3752 
3753 	if ((sinfo->filled & STATION_INFO_ASSOC_REQ_IES) &&
3754 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
3755 		    sinfo->assoc_req_ies))
3756 		goto nla_put_failure;
3757 
3758 	return genlmsg_end(msg, hdr);
3759 
3760  nla_put_failure:
3761 	genlmsg_cancel(msg, hdr);
3762 	return -EMSGSIZE;
3763 }
3764 
3765 static int nl80211_dump_station(struct sk_buff *skb,
3766 				struct netlink_callback *cb)
3767 {
3768 	struct station_info sinfo;
3769 	struct cfg80211_registered_device *rdev;
3770 	struct wireless_dev *wdev;
3771 	u8 mac_addr[ETH_ALEN];
3772 	int sta_idx = cb->args[2];
3773 	int err;
3774 
3775 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
3776 	if (err)
3777 		return err;
3778 
3779 	if (!wdev->netdev) {
3780 		err = -EINVAL;
3781 		goto out_err;
3782 	}
3783 
3784 	if (!rdev->ops->dump_station) {
3785 		err = -EOPNOTSUPP;
3786 		goto out_err;
3787 	}
3788 
3789 	while (1) {
3790 		memset(&sinfo, 0, sizeof(sinfo));
3791 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
3792 					mac_addr, &sinfo);
3793 		if (err == -ENOENT)
3794 			break;
3795 		if (err)
3796 			goto out_err;
3797 
3798 		if (nl80211_send_station(skb,
3799 				NETLINK_CB(cb->skb).portid,
3800 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
3801 				rdev, wdev->netdev, mac_addr,
3802 				&sinfo) < 0)
3803 			goto out;
3804 
3805 		sta_idx++;
3806 	}
3807 
3808 
3809  out:
3810 	cb->args[2] = sta_idx;
3811 	err = skb->len;
3812  out_err:
3813 	nl80211_finish_wdev_dump(rdev);
3814 
3815 	return err;
3816 }
3817 
3818 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
3819 {
3820 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3821 	struct net_device *dev = info->user_ptr[1];
3822 	struct station_info sinfo;
3823 	struct sk_buff *msg;
3824 	u8 *mac_addr = NULL;
3825 	int err;
3826 
3827 	memset(&sinfo, 0, sizeof(sinfo));
3828 
3829 	if (!info->attrs[NL80211_ATTR_MAC])
3830 		return -EINVAL;
3831 
3832 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3833 
3834 	if (!rdev->ops->get_station)
3835 		return -EOPNOTSUPP;
3836 
3837 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
3838 	if (err)
3839 		return err;
3840 
3841 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3842 	if (!msg)
3843 		return -ENOMEM;
3844 
3845 	if (nl80211_send_station(msg, info->snd_portid, info->snd_seq, 0,
3846 				 rdev, dev, mac_addr, &sinfo) < 0) {
3847 		nlmsg_free(msg);
3848 		return -ENOBUFS;
3849 	}
3850 
3851 	return genlmsg_reply(msg, info);
3852 }
3853 
3854 int cfg80211_check_station_change(struct wiphy *wiphy,
3855 				  struct station_parameters *params,
3856 				  enum cfg80211_station_type statype)
3857 {
3858 	if (params->listen_interval != -1)
3859 		return -EINVAL;
3860 	if (params->aid &&
3861 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
3862 		return -EINVAL;
3863 
3864 	/* When you run into this, adjust the code below for the new flag */
3865 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
3866 
3867 	switch (statype) {
3868 	case CFG80211_STA_MESH_PEER_KERNEL:
3869 	case CFG80211_STA_MESH_PEER_USER:
3870 		/*
3871 		 * No ignoring the TDLS flag here -- the userspace mesh
3872 		 * code doesn't have the bug of including TDLS in the
3873 		 * mask everywhere.
3874 		 */
3875 		if (params->sta_flags_mask &
3876 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3877 				  BIT(NL80211_STA_FLAG_MFP) |
3878 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
3879 			return -EINVAL;
3880 		break;
3881 	case CFG80211_STA_TDLS_PEER_SETUP:
3882 	case CFG80211_STA_TDLS_PEER_ACTIVE:
3883 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
3884 			return -EINVAL;
3885 		/* ignore since it can't change */
3886 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3887 		break;
3888 	default:
3889 		/* disallow mesh-specific things */
3890 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
3891 			return -EINVAL;
3892 		if (params->local_pm)
3893 			return -EINVAL;
3894 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
3895 			return -EINVAL;
3896 	}
3897 
3898 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
3899 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
3900 		/* TDLS can't be set, ... */
3901 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3902 			return -EINVAL;
3903 		/*
3904 		 * ... but don't bother the driver with it. This works around
3905 		 * a hostapd/wpa_supplicant issue -- it always includes the
3906 		 * TLDS_PEER flag in the mask even for AP mode.
3907 		 */
3908 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3909 	}
3910 
3911 	if (statype != CFG80211_STA_TDLS_PEER_SETUP) {
3912 		/* reject other things that can't change */
3913 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
3914 			return -EINVAL;
3915 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
3916 			return -EINVAL;
3917 		if (params->supported_rates)
3918 			return -EINVAL;
3919 		if (params->ext_capab || params->ht_capa || params->vht_capa)
3920 			return -EINVAL;
3921 	}
3922 
3923 	if (statype != CFG80211_STA_AP_CLIENT) {
3924 		if (params->vlan)
3925 			return -EINVAL;
3926 	}
3927 
3928 	switch (statype) {
3929 	case CFG80211_STA_AP_MLME_CLIENT:
3930 		/* Use this only for authorizing/unauthorizing a station */
3931 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
3932 			return -EOPNOTSUPP;
3933 		break;
3934 	case CFG80211_STA_AP_CLIENT:
3935 		/* accept only the listed bits */
3936 		if (params->sta_flags_mask &
3937 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
3938 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3939 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
3940 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
3941 				  BIT(NL80211_STA_FLAG_WME) |
3942 				  BIT(NL80211_STA_FLAG_MFP)))
3943 			return -EINVAL;
3944 
3945 		/* but authenticated/associated only if driver handles it */
3946 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
3947 		    params->sta_flags_mask &
3948 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3949 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
3950 			return -EINVAL;
3951 		break;
3952 	case CFG80211_STA_IBSS:
3953 	case CFG80211_STA_AP_STA:
3954 		/* reject any changes other than AUTHORIZED */
3955 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
3956 			return -EINVAL;
3957 		break;
3958 	case CFG80211_STA_TDLS_PEER_SETUP:
3959 		/* reject any changes other than AUTHORIZED or WME */
3960 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
3961 					       BIT(NL80211_STA_FLAG_WME)))
3962 			return -EINVAL;
3963 		/* force (at least) rates when authorizing */
3964 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
3965 		    !params->supported_rates)
3966 			return -EINVAL;
3967 		break;
3968 	case CFG80211_STA_TDLS_PEER_ACTIVE:
3969 		/* reject any changes */
3970 		return -EINVAL;
3971 	case CFG80211_STA_MESH_PEER_KERNEL:
3972 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
3973 			return -EINVAL;
3974 		break;
3975 	case CFG80211_STA_MESH_PEER_USER:
3976 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
3977 			return -EINVAL;
3978 		break;
3979 	}
3980 
3981 	return 0;
3982 }
3983 EXPORT_SYMBOL(cfg80211_check_station_change);
3984 
3985 /*
3986  * Get vlan interface making sure it is running and on the right wiphy.
3987  */
3988 static struct net_device *get_vlan(struct genl_info *info,
3989 				   struct cfg80211_registered_device *rdev)
3990 {
3991 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
3992 	struct net_device *v;
3993 	int ret;
3994 
3995 	if (!vlanattr)
3996 		return NULL;
3997 
3998 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
3999 	if (!v)
4000 		return ERR_PTR(-ENODEV);
4001 
4002 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
4003 		ret = -EINVAL;
4004 		goto error;
4005 	}
4006 
4007 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
4008 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4009 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
4010 		ret = -EINVAL;
4011 		goto error;
4012 	}
4013 
4014 	if (!netif_running(v)) {
4015 		ret = -ENETDOWN;
4016 		goto error;
4017 	}
4018 
4019 	return v;
4020  error:
4021 	dev_put(v);
4022 	return ERR_PTR(ret);
4023 }
4024 
4025 static const struct nla_policy
4026 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
4027 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
4028 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
4029 };
4030 
4031 static int nl80211_parse_sta_wme(struct genl_info *info,
4032 				 struct station_parameters *params)
4033 {
4034 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
4035 	struct nlattr *nla;
4036 	int err;
4037 
4038 	/* parse WME attributes if present */
4039 	if (!info->attrs[NL80211_ATTR_STA_WME])
4040 		return 0;
4041 
4042 	nla = info->attrs[NL80211_ATTR_STA_WME];
4043 	err = nla_parse_nested(tb, NL80211_STA_WME_MAX, nla,
4044 			       nl80211_sta_wme_policy);
4045 	if (err)
4046 		return err;
4047 
4048 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
4049 		params->uapsd_queues = nla_get_u8(
4050 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
4051 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
4052 		return -EINVAL;
4053 
4054 	if (tb[NL80211_STA_WME_MAX_SP])
4055 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
4056 
4057 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
4058 		return -EINVAL;
4059 
4060 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
4061 
4062 	return 0;
4063 }
4064 
4065 static int nl80211_parse_sta_channel_info(struct genl_info *info,
4066 				      struct station_parameters *params)
4067 {
4068 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
4069 		params->supported_channels =
4070 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
4071 		params->supported_channels_len =
4072 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
4073 		/*
4074 		 * Need to include at least one (first channel, number of
4075 		 * channels) tuple for each subband, and must have proper
4076 		 * tuples for the rest of the data as well.
4077 		 */
4078 		if (params->supported_channels_len < 2)
4079 			return -EINVAL;
4080 		if (params->supported_channels_len % 2)
4081 			return -EINVAL;
4082 	}
4083 
4084 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
4085 		params->supported_oper_classes =
4086 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
4087 		params->supported_oper_classes_len =
4088 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
4089 		/*
4090 		 * The value of the Length field of the Supported Operating
4091 		 * Classes element is between 2 and 253.
4092 		 */
4093 		if (params->supported_oper_classes_len < 2 ||
4094 		    params->supported_oper_classes_len > 253)
4095 			return -EINVAL;
4096 	}
4097 	return 0;
4098 }
4099 
4100 static int nl80211_set_station_tdls(struct genl_info *info,
4101 				    struct station_parameters *params)
4102 {
4103 	int err;
4104 	/* Dummy STA entry gets updated once the peer capabilities are known */
4105 	if (info->attrs[NL80211_ATTR_PEER_AID])
4106 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
4107 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
4108 		params->ht_capa =
4109 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
4110 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
4111 		params->vht_capa =
4112 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
4113 
4114 	err = nl80211_parse_sta_channel_info(info, params);
4115 	if (err)
4116 		return err;
4117 
4118 	return nl80211_parse_sta_wme(info, params);
4119 }
4120 
4121 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
4122 {
4123 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4124 	struct net_device *dev = info->user_ptr[1];
4125 	struct station_parameters params;
4126 	u8 *mac_addr;
4127 	int err;
4128 
4129 	memset(&params, 0, sizeof(params));
4130 
4131 	params.listen_interval = -1;
4132 
4133 	if (!rdev->ops->change_station)
4134 		return -EOPNOTSUPP;
4135 
4136 	if (info->attrs[NL80211_ATTR_STA_AID])
4137 		return -EINVAL;
4138 
4139 	if (!info->attrs[NL80211_ATTR_MAC])
4140 		return -EINVAL;
4141 
4142 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4143 
4144 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
4145 		params.supported_rates =
4146 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4147 		params.supported_rates_len =
4148 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4149 	}
4150 
4151 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
4152 		params.capability =
4153 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
4154 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
4155 	}
4156 
4157 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
4158 		params.ext_capab =
4159 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4160 		params.ext_capab_len =
4161 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4162 	}
4163 
4164 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
4165 		return -EINVAL;
4166 
4167 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
4168 		return -EINVAL;
4169 
4170 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
4171 		params.plink_action =
4172 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
4173 		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
4174 			return -EINVAL;
4175 	}
4176 
4177 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
4178 		params.plink_state =
4179 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
4180 		if (params.plink_state >= NUM_NL80211_PLINK_STATES)
4181 			return -EINVAL;
4182 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
4183 	}
4184 
4185 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]) {
4186 		enum nl80211_mesh_power_mode pm = nla_get_u32(
4187 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
4188 
4189 		if (pm <= NL80211_MESH_POWER_UNKNOWN ||
4190 		    pm > NL80211_MESH_POWER_MAX)
4191 			return -EINVAL;
4192 
4193 		params.local_pm = pm;
4194 	}
4195 
4196 	/* Include parameters for TDLS peer (will check later) */
4197 	err = nl80211_set_station_tdls(info, &params);
4198 	if (err)
4199 		return err;
4200 
4201 	params.vlan = get_vlan(info, rdev);
4202 	if (IS_ERR(params.vlan))
4203 		return PTR_ERR(params.vlan);
4204 
4205 	switch (dev->ieee80211_ptr->iftype) {
4206 	case NL80211_IFTYPE_AP:
4207 	case NL80211_IFTYPE_AP_VLAN:
4208 	case NL80211_IFTYPE_P2P_GO:
4209 	case NL80211_IFTYPE_P2P_CLIENT:
4210 	case NL80211_IFTYPE_STATION:
4211 	case NL80211_IFTYPE_ADHOC:
4212 	case NL80211_IFTYPE_MESH_POINT:
4213 		break;
4214 	default:
4215 		err = -EOPNOTSUPP;
4216 		goto out_put_vlan;
4217 	}
4218 
4219 	/* driver will call cfg80211_check_station_change() */
4220 	err = rdev_change_station(rdev, dev, mac_addr, &params);
4221 
4222  out_put_vlan:
4223 	if (params.vlan)
4224 		dev_put(params.vlan);
4225 
4226 	return err;
4227 }
4228 
4229 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
4230 {
4231 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4232 	int err;
4233 	struct net_device *dev = info->user_ptr[1];
4234 	struct station_parameters params;
4235 	u8 *mac_addr = NULL;
4236 
4237 	memset(&params, 0, sizeof(params));
4238 
4239 	if (!rdev->ops->add_station)
4240 		return -EOPNOTSUPP;
4241 
4242 	if (!info->attrs[NL80211_ATTR_MAC])
4243 		return -EINVAL;
4244 
4245 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
4246 		return -EINVAL;
4247 
4248 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
4249 		return -EINVAL;
4250 
4251 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
4252 	    !info->attrs[NL80211_ATTR_PEER_AID])
4253 		return -EINVAL;
4254 
4255 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4256 	params.supported_rates =
4257 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4258 	params.supported_rates_len =
4259 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4260 	params.listen_interval =
4261 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
4262 
4263 	if (info->attrs[NL80211_ATTR_PEER_AID])
4264 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
4265 	else
4266 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
4267 	if (!params.aid || params.aid > IEEE80211_MAX_AID)
4268 		return -EINVAL;
4269 
4270 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
4271 		params.capability =
4272 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
4273 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
4274 	}
4275 
4276 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
4277 		params.ext_capab =
4278 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4279 		params.ext_capab_len =
4280 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4281 	}
4282 
4283 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
4284 		params.ht_capa =
4285 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
4286 
4287 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
4288 		params.vht_capa =
4289 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
4290 
4291 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
4292 		params.opmode_notif_used = true;
4293 		params.opmode_notif =
4294 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
4295 	}
4296 
4297 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
4298 		params.plink_action =
4299 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
4300 		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
4301 			return -EINVAL;
4302 	}
4303 
4304 	err = nl80211_parse_sta_channel_info(info, &params);
4305 	if (err)
4306 		return err;
4307 
4308 	err = nl80211_parse_sta_wme(info, &params);
4309 	if (err)
4310 		return err;
4311 
4312 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
4313 		return -EINVAL;
4314 
4315 	/* When you run into this, adjust the code below for the new flag */
4316 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
4317 
4318 	switch (dev->ieee80211_ptr->iftype) {
4319 	case NL80211_IFTYPE_AP:
4320 	case NL80211_IFTYPE_AP_VLAN:
4321 	case NL80211_IFTYPE_P2P_GO:
4322 		/* ignore WME attributes if iface/sta is not capable */
4323 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
4324 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
4325 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4326 
4327 		/* TDLS peers cannot be added */
4328 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
4329 		    info->attrs[NL80211_ATTR_PEER_AID])
4330 			return -EINVAL;
4331 		/* but don't bother the driver with it */
4332 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
4333 
4334 		/* allow authenticated/associated only if driver handles it */
4335 		if (!(rdev->wiphy.features &
4336 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
4337 		    params.sta_flags_mask &
4338 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4339 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
4340 			return -EINVAL;
4341 
4342 		/* must be last in here for error handling */
4343 		params.vlan = get_vlan(info, rdev);
4344 		if (IS_ERR(params.vlan))
4345 			return PTR_ERR(params.vlan);
4346 		break;
4347 	case NL80211_IFTYPE_MESH_POINT:
4348 		/* ignore uAPSD data */
4349 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4350 
4351 		/* associated is disallowed */
4352 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
4353 			return -EINVAL;
4354 		/* TDLS peers cannot be added */
4355 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
4356 		    info->attrs[NL80211_ATTR_PEER_AID])
4357 			return -EINVAL;
4358 		break;
4359 	case NL80211_IFTYPE_STATION:
4360 	case NL80211_IFTYPE_P2P_CLIENT:
4361 		/* ignore uAPSD data */
4362 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4363 
4364 		/* these are disallowed */
4365 		if (params.sta_flags_mask &
4366 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
4367 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
4368 			return -EINVAL;
4369 		/* Only TDLS peers can be added */
4370 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
4371 			return -EINVAL;
4372 		/* Can only add if TDLS ... */
4373 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
4374 			return -EOPNOTSUPP;
4375 		/* ... with external setup is supported */
4376 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
4377 			return -EOPNOTSUPP;
4378 		/*
4379 		 * Older wpa_supplicant versions always mark the TDLS peer
4380 		 * as authorized, but it shouldn't yet be.
4381 		 */
4382 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
4383 		break;
4384 	default:
4385 		return -EOPNOTSUPP;
4386 	}
4387 
4388 	/* be aware of params.vlan when changing code here */
4389 
4390 	err = rdev_add_station(rdev, dev, mac_addr, &params);
4391 
4392 	if (params.vlan)
4393 		dev_put(params.vlan);
4394 	return err;
4395 }
4396 
4397 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
4398 {
4399 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4400 	struct net_device *dev = info->user_ptr[1];
4401 	u8 *mac_addr = NULL;
4402 
4403 	if (info->attrs[NL80211_ATTR_MAC])
4404 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4405 
4406 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4407 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
4408 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
4409 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4410 		return -EINVAL;
4411 
4412 	if (!rdev->ops->del_station)
4413 		return -EOPNOTSUPP;
4414 
4415 	return rdev_del_station(rdev, dev, mac_addr);
4416 }
4417 
4418 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
4419 				int flags, struct net_device *dev,
4420 				u8 *dst, u8 *next_hop,
4421 				struct mpath_info *pinfo)
4422 {
4423 	void *hdr;
4424 	struct nlattr *pinfoattr;
4425 
4426 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_STATION);
4427 	if (!hdr)
4428 		return -1;
4429 
4430 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4431 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
4432 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
4433 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
4434 		goto nla_put_failure;
4435 
4436 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MPATH_INFO);
4437 	if (!pinfoattr)
4438 		goto nla_put_failure;
4439 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
4440 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
4441 			pinfo->frame_qlen))
4442 		goto nla_put_failure;
4443 	if (((pinfo->filled & MPATH_INFO_SN) &&
4444 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
4445 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
4446 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
4447 			 pinfo->metric)) ||
4448 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
4449 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
4450 			 pinfo->exptime)) ||
4451 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
4452 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
4453 			pinfo->flags)) ||
4454 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
4455 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
4456 			 pinfo->discovery_timeout)) ||
4457 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
4458 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
4459 			pinfo->discovery_retries)))
4460 		goto nla_put_failure;
4461 
4462 	nla_nest_end(msg, pinfoattr);
4463 
4464 	return genlmsg_end(msg, hdr);
4465 
4466  nla_put_failure:
4467 	genlmsg_cancel(msg, hdr);
4468 	return -EMSGSIZE;
4469 }
4470 
4471 static int nl80211_dump_mpath(struct sk_buff *skb,
4472 			      struct netlink_callback *cb)
4473 {
4474 	struct mpath_info pinfo;
4475 	struct cfg80211_registered_device *rdev;
4476 	struct wireless_dev *wdev;
4477 	u8 dst[ETH_ALEN];
4478 	u8 next_hop[ETH_ALEN];
4479 	int path_idx = cb->args[2];
4480 	int err;
4481 
4482 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
4483 	if (err)
4484 		return err;
4485 
4486 	if (!rdev->ops->dump_mpath) {
4487 		err = -EOPNOTSUPP;
4488 		goto out_err;
4489 	}
4490 
4491 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
4492 		err = -EOPNOTSUPP;
4493 		goto out_err;
4494 	}
4495 
4496 	while (1) {
4497 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
4498 				      next_hop, &pinfo);
4499 		if (err == -ENOENT)
4500 			break;
4501 		if (err)
4502 			goto out_err;
4503 
4504 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
4505 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4506 				       wdev->netdev, dst, next_hop,
4507 				       &pinfo) < 0)
4508 			goto out;
4509 
4510 		path_idx++;
4511 	}
4512 
4513 
4514  out:
4515 	cb->args[2] = path_idx;
4516 	err = skb->len;
4517  out_err:
4518 	nl80211_finish_wdev_dump(rdev);
4519 	return err;
4520 }
4521 
4522 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
4523 {
4524 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4525 	int err;
4526 	struct net_device *dev = info->user_ptr[1];
4527 	struct mpath_info pinfo;
4528 	struct sk_buff *msg;
4529 	u8 *dst = NULL;
4530 	u8 next_hop[ETH_ALEN];
4531 
4532 	memset(&pinfo, 0, sizeof(pinfo));
4533 
4534 	if (!info->attrs[NL80211_ATTR_MAC])
4535 		return -EINVAL;
4536 
4537 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4538 
4539 	if (!rdev->ops->get_mpath)
4540 		return -EOPNOTSUPP;
4541 
4542 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4543 		return -EOPNOTSUPP;
4544 
4545 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
4546 	if (err)
4547 		return err;
4548 
4549 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4550 	if (!msg)
4551 		return -ENOMEM;
4552 
4553 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
4554 				 dev, dst, next_hop, &pinfo) < 0) {
4555 		nlmsg_free(msg);
4556 		return -ENOBUFS;
4557 	}
4558 
4559 	return genlmsg_reply(msg, info);
4560 }
4561 
4562 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
4563 {
4564 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4565 	struct net_device *dev = info->user_ptr[1];
4566 	u8 *dst = NULL;
4567 	u8 *next_hop = NULL;
4568 
4569 	if (!info->attrs[NL80211_ATTR_MAC])
4570 		return -EINVAL;
4571 
4572 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
4573 		return -EINVAL;
4574 
4575 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4576 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
4577 
4578 	if (!rdev->ops->change_mpath)
4579 		return -EOPNOTSUPP;
4580 
4581 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4582 		return -EOPNOTSUPP;
4583 
4584 	return rdev_change_mpath(rdev, dev, dst, next_hop);
4585 }
4586 
4587 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
4588 {
4589 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4590 	struct net_device *dev = info->user_ptr[1];
4591 	u8 *dst = NULL;
4592 	u8 *next_hop = NULL;
4593 
4594 	if (!info->attrs[NL80211_ATTR_MAC])
4595 		return -EINVAL;
4596 
4597 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
4598 		return -EINVAL;
4599 
4600 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4601 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
4602 
4603 	if (!rdev->ops->add_mpath)
4604 		return -EOPNOTSUPP;
4605 
4606 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4607 		return -EOPNOTSUPP;
4608 
4609 	return rdev_add_mpath(rdev, dev, dst, next_hop);
4610 }
4611 
4612 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
4613 {
4614 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4615 	struct net_device *dev = info->user_ptr[1];
4616 	u8 *dst = NULL;
4617 
4618 	if (info->attrs[NL80211_ATTR_MAC])
4619 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4620 
4621 	if (!rdev->ops->del_mpath)
4622 		return -EOPNOTSUPP;
4623 
4624 	return rdev_del_mpath(rdev, dev, dst);
4625 }
4626 
4627 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
4628 {
4629 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4630 	struct net_device *dev = info->user_ptr[1];
4631 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4632 	struct bss_parameters params;
4633 	int err;
4634 
4635 	memset(&params, 0, sizeof(params));
4636 	/* default to not changing parameters */
4637 	params.use_cts_prot = -1;
4638 	params.use_short_preamble = -1;
4639 	params.use_short_slot_time = -1;
4640 	params.ap_isolate = -1;
4641 	params.ht_opmode = -1;
4642 	params.p2p_ctwindow = -1;
4643 	params.p2p_opp_ps = -1;
4644 
4645 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
4646 		params.use_cts_prot =
4647 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
4648 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
4649 		params.use_short_preamble =
4650 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
4651 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
4652 		params.use_short_slot_time =
4653 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
4654 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
4655 		params.basic_rates =
4656 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
4657 		params.basic_rates_len =
4658 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
4659 	}
4660 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
4661 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
4662 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
4663 		params.ht_opmode =
4664 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
4665 
4666 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
4667 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4668 			return -EINVAL;
4669 		params.p2p_ctwindow =
4670 			nla_get_s8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
4671 		if (params.p2p_ctwindow < 0)
4672 			return -EINVAL;
4673 		if (params.p2p_ctwindow != 0 &&
4674 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
4675 			return -EINVAL;
4676 	}
4677 
4678 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
4679 		u8 tmp;
4680 
4681 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4682 			return -EINVAL;
4683 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
4684 		if (tmp > 1)
4685 			return -EINVAL;
4686 		params.p2p_opp_ps = tmp;
4687 		if (params.p2p_opp_ps &&
4688 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
4689 			return -EINVAL;
4690 	}
4691 
4692 	if (!rdev->ops->change_bss)
4693 		return -EOPNOTSUPP;
4694 
4695 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4696 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4697 		return -EOPNOTSUPP;
4698 
4699 	wdev_lock(wdev);
4700 	err = rdev_change_bss(rdev, dev, &params);
4701 	wdev_unlock(wdev);
4702 
4703 	return err;
4704 }
4705 
4706 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
4707 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
4708 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
4709 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
4710 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
4711 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
4712 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
4713 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
4714 };
4715 
4716 static int parse_reg_rule(struct nlattr *tb[],
4717 	struct ieee80211_reg_rule *reg_rule)
4718 {
4719 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
4720 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
4721 
4722 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
4723 		return -EINVAL;
4724 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
4725 		return -EINVAL;
4726 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
4727 		return -EINVAL;
4728 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
4729 		return -EINVAL;
4730 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
4731 		return -EINVAL;
4732 
4733 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
4734 
4735 	freq_range->start_freq_khz =
4736 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
4737 	freq_range->end_freq_khz =
4738 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
4739 	freq_range->max_bandwidth_khz =
4740 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
4741 
4742 	power_rule->max_eirp =
4743 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
4744 
4745 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
4746 		power_rule->max_antenna_gain =
4747 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
4748 
4749 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
4750 		reg_rule->dfs_cac_ms =
4751 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
4752 
4753 	return 0;
4754 }
4755 
4756 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
4757 {
4758 	char *data = NULL;
4759 	enum nl80211_user_reg_hint_type user_reg_hint_type;
4760 
4761 	/*
4762 	 * You should only get this when cfg80211 hasn't yet initialized
4763 	 * completely when built-in to the kernel right between the time
4764 	 * window between nl80211_init() and regulatory_init(), if that is
4765 	 * even possible.
4766 	 */
4767 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
4768 		return -EINPROGRESS;
4769 
4770 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
4771 		user_reg_hint_type =
4772 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
4773 	else
4774 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
4775 
4776 	switch (user_reg_hint_type) {
4777 	case NL80211_USER_REG_HINT_USER:
4778 	case NL80211_USER_REG_HINT_CELL_BASE:
4779 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
4780 			return -EINVAL;
4781 
4782 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
4783 		return regulatory_hint_user(data, user_reg_hint_type);
4784 	case NL80211_USER_REG_HINT_INDOOR:
4785 		return regulatory_hint_indoor_user();
4786 	default:
4787 		return -EINVAL;
4788 	}
4789 }
4790 
4791 static int nl80211_get_mesh_config(struct sk_buff *skb,
4792 				   struct genl_info *info)
4793 {
4794 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4795 	struct net_device *dev = info->user_ptr[1];
4796 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4797 	struct mesh_config cur_params;
4798 	int err = 0;
4799 	void *hdr;
4800 	struct nlattr *pinfoattr;
4801 	struct sk_buff *msg;
4802 
4803 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
4804 		return -EOPNOTSUPP;
4805 
4806 	if (!rdev->ops->get_mesh_config)
4807 		return -EOPNOTSUPP;
4808 
4809 	wdev_lock(wdev);
4810 	/* If not connected, get default parameters */
4811 	if (!wdev->mesh_id_len)
4812 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
4813 	else
4814 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
4815 	wdev_unlock(wdev);
4816 
4817 	if (err)
4818 		return err;
4819 
4820 	/* Draw up a netlink message to send back */
4821 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4822 	if (!msg)
4823 		return -ENOMEM;
4824 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4825 			     NL80211_CMD_GET_MESH_CONFIG);
4826 	if (!hdr)
4827 		goto out;
4828 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MESH_CONFIG);
4829 	if (!pinfoattr)
4830 		goto nla_put_failure;
4831 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4832 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
4833 			cur_params.dot11MeshRetryTimeout) ||
4834 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
4835 			cur_params.dot11MeshConfirmTimeout) ||
4836 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
4837 			cur_params.dot11MeshHoldingTimeout) ||
4838 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
4839 			cur_params.dot11MeshMaxPeerLinks) ||
4840 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
4841 		       cur_params.dot11MeshMaxRetries) ||
4842 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
4843 		       cur_params.dot11MeshTTL) ||
4844 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
4845 		       cur_params.element_ttl) ||
4846 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
4847 		       cur_params.auto_open_plinks) ||
4848 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
4849 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
4850 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
4851 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
4852 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
4853 			cur_params.path_refresh_time) ||
4854 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
4855 			cur_params.min_discovery_timeout) ||
4856 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
4857 			cur_params.dot11MeshHWMPactivePathTimeout) ||
4858 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
4859 			cur_params.dot11MeshHWMPpreqMinInterval) ||
4860 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
4861 			cur_params.dot11MeshHWMPperrMinInterval) ||
4862 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
4863 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
4864 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
4865 		       cur_params.dot11MeshHWMPRootMode) ||
4866 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
4867 			cur_params.dot11MeshHWMPRannInterval) ||
4868 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
4869 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
4870 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
4871 		       cur_params.dot11MeshForwarding) ||
4872 	    nla_put_u32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
4873 			cur_params.rssi_threshold) ||
4874 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
4875 			cur_params.ht_opmode) ||
4876 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
4877 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
4878 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
4879 			cur_params.dot11MeshHWMProotInterval) ||
4880 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
4881 			cur_params.dot11MeshHWMPconfirmationInterval) ||
4882 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
4883 			cur_params.power_mode) ||
4884 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
4885 			cur_params.dot11MeshAwakeWindowDuration) ||
4886 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
4887 			cur_params.plink_timeout))
4888 		goto nla_put_failure;
4889 	nla_nest_end(msg, pinfoattr);
4890 	genlmsg_end(msg, hdr);
4891 	return genlmsg_reply(msg, info);
4892 
4893  nla_put_failure:
4894 	genlmsg_cancel(msg, hdr);
4895  out:
4896 	nlmsg_free(msg);
4897 	return -ENOBUFS;
4898 }
4899 
4900 static const struct nla_policy nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
4901 	[NL80211_MESHCONF_RETRY_TIMEOUT] = { .type = NLA_U16 },
4902 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] = { .type = NLA_U16 },
4903 	[NL80211_MESHCONF_HOLDING_TIMEOUT] = { .type = NLA_U16 },
4904 	[NL80211_MESHCONF_MAX_PEER_LINKS] = { .type = NLA_U16 },
4905 	[NL80211_MESHCONF_MAX_RETRIES] = { .type = NLA_U8 },
4906 	[NL80211_MESHCONF_TTL] = { .type = NLA_U8 },
4907 	[NL80211_MESHCONF_ELEMENT_TTL] = { .type = NLA_U8 },
4908 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = { .type = NLA_U8 },
4909 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] = { .type = NLA_U32 },
4910 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
4911 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
4912 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = { .type = NLA_U16 },
4913 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
4914 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] = { .type = NLA_U16 },
4915 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] = { .type = NLA_U16 },
4916 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] = { .type = NLA_U16 },
4917 	[NL80211_MESHCONF_HWMP_ROOTMODE] = { .type = NLA_U8 },
4918 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] = { .type = NLA_U16 },
4919 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = { .type = NLA_U8 },
4920 	[NL80211_MESHCONF_FORWARDING] = { .type = NLA_U8 },
4921 	[NL80211_MESHCONF_RSSI_THRESHOLD] = { .type = NLA_U32 },
4922 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
4923 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
4924 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] = { .type = NLA_U16 },
4925 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] = { .type = NLA_U16 },
4926 	[NL80211_MESHCONF_POWER_MODE] = { .type = NLA_U32 },
4927 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
4928 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
4929 };
4930 
4931 static const struct nla_policy
4932 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
4933 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
4934 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
4935 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
4936 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
4937 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
4938 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
4939 	[NL80211_MESH_SETUP_IE] = { .type = NLA_BINARY,
4940 				    .len = IEEE80211_MAX_DATA_LEN },
4941 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
4942 };
4943 
4944 static int nl80211_parse_mesh_config(struct genl_info *info,
4945 				     struct mesh_config *cfg,
4946 				     u32 *mask_out)
4947 {
4948 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
4949 	u32 mask = 0;
4950 
4951 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, min, max, mask, attr, fn) \
4952 do {									    \
4953 	if (tb[attr]) {							    \
4954 		if (fn(tb[attr]) < min || fn(tb[attr]) > max)		    \
4955 			return -EINVAL;					    \
4956 		cfg->param = fn(tb[attr]);				    \
4957 		mask |= (1 << (attr - 1));				    \
4958 	}								    \
4959 } while (0)
4960 
4961 
4962 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
4963 		return -EINVAL;
4964 	if (nla_parse_nested(tb, NL80211_MESHCONF_ATTR_MAX,
4965 			     info->attrs[NL80211_ATTR_MESH_CONFIG],
4966 			     nl80211_meshconf_params_policy))
4967 		return -EINVAL;
4968 
4969 	/* This makes sure that there aren't more than 32 mesh config
4970 	 * parameters (otherwise our bitfield scheme would not work.) */
4971 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
4972 
4973 	/* Fill in the params struct */
4974 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, 1, 255,
4975 				  mask, NL80211_MESHCONF_RETRY_TIMEOUT,
4976 				  nla_get_u16);
4977 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, 1, 255,
4978 				  mask, NL80211_MESHCONF_CONFIRM_TIMEOUT,
4979 				  nla_get_u16);
4980 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, 1, 255,
4981 				  mask, NL80211_MESHCONF_HOLDING_TIMEOUT,
4982 				  nla_get_u16);
4983 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, 0, 255,
4984 				  mask, NL80211_MESHCONF_MAX_PEER_LINKS,
4985 				  nla_get_u16);
4986 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, 0, 16,
4987 				  mask, NL80211_MESHCONF_MAX_RETRIES,
4988 				  nla_get_u8);
4989 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, 1, 255,
4990 				  mask, NL80211_MESHCONF_TTL, nla_get_u8);
4991 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, 1, 255,
4992 				  mask, NL80211_MESHCONF_ELEMENT_TTL,
4993 				  nla_get_u8);
4994 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, 0, 1,
4995 				  mask, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
4996 				  nla_get_u8);
4997 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
4998 				  1, 255, mask,
4999 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
5000 				  nla_get_u32);
5001 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, 0, 255,
5002 				  mask, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
5003 				  nla_get_u8);
5004 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, 1, 65535,
5005 				  mask, NL80211_MESHCONF_PATH_REFRESH_TIME,
5006 				  nla_get_u32);
5007 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, 1, 65535,
5008 				  mask, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
5009 				  nla_get_u16);
5010 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
5011 				  1, 65535, mask,
5012 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
5013 				  nla_get_u32);
5014 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval,
5015 				  1, 65535, mask,
5016 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
5017 				  nla_get_u16);
5018 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval,
5019 				  1, 65535, mask,
5020 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
5021 				  nla_get_u16);
5022 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5023 				  dot11MeshHWMPnetDiameterTraversalTime,
5024 				  1, 65535, mask,
5025 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
5026 				  nla_get_u16);
5027 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, 0, 4,
5028 				  mask, NL80211_MESHCONF_HWMP_ROOTMODE,
5029 				  nla_get_u8);
5030 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, 1, 65535,
5031 				  mask, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
5032 				  nla_get_u16);
5033 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5034 				  dot11MeshGateAnnouncementProtocol, 0, 1,
5035 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
5036 				  nla_get_u8);
5037 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, 0, 1,
5038 				  mask, NL80211_MESHCONF_FORWARDING,
5039 				  nla_get_u8);
5040 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, -255, 0,
5041 				  mask, NL80211_MESHCONF_RSSI_THRESHOLD,
5042 				  nla_get_s32);
5043 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, ht_opmode, 0, 16,
5044 				  mask, NL80211_MESHCONF_HT_OPMODE,
5045 				  nla_get_u16);
5046 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathToRootTimeout,
5047 				  1, 65535, mask,
5048 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
5049 				  nla_get_u32);
5050 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, 1, 65535,
5051 				  mask, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
5052 				  nla_get_u16);
5053 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5054 				  dot11MeshHWMPconfirmationInterval,
5055 				  1, 65535, mask,
5056 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
5057 				  nla_get_u16);
5058 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode,
5059 				  NL80211_MESH_POWER_ACTIVE,
5060 				  NL80211_MESH_POWER_MAX,
5061 				  mask, NL80211_MESHCONF_POWER_MODE,
5062 				  nla_get_u32);
5063 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration,
5064 				  0, 65535, mask,
5065 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
5066 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, 1, 0xffffffff,
5067 				  mask, NL80211_MESHCONF_PLINK_TIMEOUT,
5068 				  nla_get_u32);
5069 	if (mask_out)
5070 		*mask_out = mask;
5071 
5072 	return 0;
5073 
5074 #undef FILL_IN_MESH_PARAM_IF_SET
5075 }
5076 
5077 static int nl80211_parse_mesh_setup(struct genl_info *info,
5078 				     struct mesh_setup *setup)
5079 {
5080 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5081 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
5082 
5083 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
5084 		return -EINVAL;
5085 	if (nla_parse_nested(tb, NL80211_MESH_SETUP_ATTR_MAX,
5086 			     info->attrs[NL80211_ATTR_MESH_SETUP],
5087 			     nl80211_mesh_setup_params_policy))
5088 		return -EINVAL;
5089 
5090 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
5091 		setup->sync_method =
5092 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
5093 		 IEEE80211_SYNC_METHOD_VENDOR :
5094 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
5095 
5096 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
5097 		setup->path_sel_proto =
5098 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
5099 		 IEEE80211_PATH_PROTOCOL_VENDOR :
5100 		 IEEE80211_PATH_PROTOCOL_HWMP;
5101 
5102 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
5103 		setup->path_metric =
5104 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
5105 		 IEEE80211_PATH_METRIC_VENDOR :
5106 		 IEEE80211_PATH_METRIC_AIRTIME;
5107 
5108 
5109 	if (tb[NL80211_MESH_SETUP_IE]) {
5110 		struct nlattr *ieattr =
5111 			tb[NL80211_MESH_SETUP_IE];
5112 		if (!is_valid_ie_attr(ieattr))
5113 			return -EINVAL;
5114 		setup->ie = nla_data(ieattr);
5115 		setup->ie_len = nla_len(ieattr);
5116 	}
5117 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
5118 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
5119 		return -EINVAL;
5120 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
5121 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
5122 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
5123 	if (setup->is_secure)
5124 		setup->user_mpm = true;
5125 
5126 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
5127 		if (!setup->user_mpm)
5128 			return -EINVAL;
5129 		setup->auth_id =
5130 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
5131 	}
5132 
5133 	return 0;
5134 }
5135 
5136 static int nl80211_update_mesh_config(struct sk_buff *skb,
5137 				      struct genl_info *info)
5138 {
5139 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5140 	struct net_device *dev = info->user_ptr[1];
5141 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5142 	struct mesh_config cfg;
5143 	u32 mask;
5144 	int err;
5145 
5146 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
5147 		return -EOPNOTSUPP;
5148 
5149 	if (!rdev->ops->update_mesh_config)
5150 		return -EOPNOTSUPP;
5151 
5152 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
5153 	if (err)
5154 		return err;
5155 
5156 	wdev_lock(wdev);
5157 	if (!wdev->mesh_id_len)
5158 		err = -ENOLINK;
5159 
5160 	if (!err)
5161 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
5162 
5163 	wdev_unlock(wdev);
5164 
5165 	return err;
5166 }
5167 
5168 static int nl80211_get_reg(struct sk_buff *skb, struct genl_info *info)
5169 {
5170 	const struct ieee80211_regdomain *regdom;
5171 	struct sk_buff *msg;
5172 	void *hdr = NULL;
5173 	struct nlattr *nl_reg_rules;
5174 	unsigned int i;
5175 
5176 	if (!cfg80211_regdomain)
5177 		return -EINVAL;
5178 
5179 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5180 	if (!msg)
5181 		return -ENOBUFS;
5182 
5183 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
5184 			     NL80211_CMD_GET_REG);
5185 	if (!hdr)
5186 		goto put_failure;
5187 
5188 	if (reg_last_request_cell_base() &&
5189 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
5190 			NL80211_USER_REG_HINT_CELL_BASE))
5191 		goto nla_put_failure;
5192 
5193 	rcu_read_lock();
5194 	regdom = rcu_dereference(cfg80211_regdomain);
5195 
5196 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
5197 	    (regdom->dfs_region &&
5198 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
5199 		goto nla_put_failure_rcu;
5200 
5201 	nl_reg_rules = nla_nest_start(msg, NL80211_ATTR_REG_RULES);
5202 	if (!nl_reg_rules)
5203 		goto nla_put_failure_rcu;
5204 
5205 	for (i = 0; i < regdom->n_reg_rules; i++) {
5206 		struct nlattr *nl_reg_rule;
5207 		const struct ieee80211_reg_rule *reg_rule;
5208 		const struct ieee80211_freq_range *freq_range;
5209 		const struct ieee80211_power_rule *power_rule;
5210 		unsigned int max_bandwidth_khz;
5211 
5212 		reg_rule = &regdom->reg_rules[i];
5213 		freq_range = &reg_rule->freq_range;
5214 		power_rule = &reg_rule->power_rule;
5215 
5216 		nl_reg_rule = nla_nest_start(msg, i);
5217 		if (!nl_reg_rule)
5218 			goto nla_put_failure_rcu;
5219 
5220 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
5221 		if (!max_bandwidth_khz)
5222 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
5223 								  reg_rule);
5224 
5225 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
5226 				reg_rule->flags) ||
5227 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
5228 				freq_range->start_freq_khz) ||
5229 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
5230 				freq_range->end_freq_khz) ||
5231 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
5232 				max_bandwidth_khz) ||
5233 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
5234 				power_rule->max_antenna_gain) ||
5235 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
5236 				power_rule->max_eirp) ||
5237 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
5238 				reg_rule->dfs_cac_ms))
5239 			goto nla_put_failure_rcu;
5240 
5241 		nla_nest_end(msg, nl_reg_rule);
5242 	}
5243 	rcu_read_unlock();
5244 
5245 	nla_nest_end(msg, nl_reg_rules);
5246 
5247 	genlmsg_end(msg, hdr);
5248 	return genlmsg_reply(msg, info);
5249 
5250 nla_put_failure_rcu:
5251 	rcu_read_unlock();
5252 nla_put_failure:
5253 	genlmsg_cancel(msg, hdr);
5254 put_failure:
5255 	nlmsg_free(msg);
5256 	return -EMSGSIZE;
5257 }
5258 
5259 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
5260 {
5261 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
5262 	struct nlattr *nl_reg_rule;
5263 	char *alpha2 = NULL;
5264 	int rem_reg_rules = 0, r = 0;
5265 	u32 num_rules = 0, rule_idx = 0, size_of_regd;
5266 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
5267 	struct ieee80211_regdomain *rd = NULL;
5268 
5269 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
5270 		return -EINVAL;
5271 
5272 	if (!info->attrs[NL80211_ATTR_REG_RULES])
5273 		return -EINVAL;
5274 
5275 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
5276 
5277 	if (info->attrs[NL80211_ATTR_DFS_REGION])
5278 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
5279 
5280 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
5281 			    rem_reg_rules) {
5282 		num_rules++;
5283 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
5284 			return -EINVAL;
5285 	}
5286 
5287 	if (!reg_is_valid_request(alpha2))
5288 		return -EINVAL;
5289 
5290 	size_of_regd = sizeof(struct ieee80211_regdomain) +
5291 		       num_rules * sizeof(struct ieee80211_reg_rule);
5292 
5293 	rd = kzalloc(size_of_regd, GFP_KERNEL);
5294 	if (!rd)
5295 		return -ENOMEM;
5296 
5297 	rd->n_reg_rules = num_rules;
5298 	rd->alpha2[0] = alpha2[0];
5299 	rd->alpha2[1] = alpha2[1];
5300 
5301 	/*
5302 	 * Disable DFS master mode if the DFS region was
5303 	 * not supported or known on this kernel.
5304 	 */
5305 	if (reg_supported_dfs_region(dfs_region))
5306 		rd->dfs_region = dfs_region;
5307 
5308 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
5309 			    rem_reg_rules) {
5310 		r = nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
5311 			      nla_data(nl_reg_rule), nla_len(nl_reg_rule),
5312 			      reg_rule_policy);
5313 		if (r)
5314 			goto bad_reg;
5315 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
5316 		if (r)
5317 			goto bad_reg;
5318 
5319 		rule_idx++;
5320 
5321 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
5322 			r = -EINVAL;
5323 			goto bad_reg;
5324 		}
5325 	}
5326 
5327 	r = set_regdom(rd);
5328 	/* set_regdom took ownership */
5329 	rd = NULL;
5330 
5331  bad_reg:
5332 	kfree(rd);
5333 	return r;
5334 }
5335 
5336 static int validate_scan_freqs(struct nlattr *freqs)
5337 {
5338 	struct nlattr *attr1, *attr2;
5339 	int n_channels = 0, tmp1, tmp2;
5340 
5341 	nla_for_each_nested(attr1, freqs, tmp1) {
5342 		n_channels++;
5343 		/*
5344 		 * Some hardware has a limited channel list for
5345 		 * scanning, and it is pretty much nonsensical
5346 		 * to scan for a channel twice, so disallow that
5347 		 * and don't require drivers to check that the
5348 		 * channel list they get isn't longer than what
5349 		 * they can scan, as long as they can scan all
5350 		 * the channels they registered at once.
5351 		 */
5352 		nla_for_each_nested(attr2, freqs, tmp2)
5353 			if (attr1 != attr2 &&
5354 			    nla_get_u32(attr1) == nla_get_u32(attr2))
5355 				return 0;
5356 	}
5357 
5358 	return n_channels;
5359 }
5360 
5361 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
5362 {
5363 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5364 	struct wireless_dev *wdev = info->user_ptr[1];
5365 	struct cfg80211_scan_request *request;
5366 	struct nlattr *attr;
5367 	struct wiphy *wiphy;
5368 	int err, tmp, n_ssids = 0, n_channels, i;
5369 	size_t ie_len;
5370 
5371 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5372 		return -EINVAL;
5373 
5374 	wiphy = &rdev->wiphy;
5375 
5376 	if (!rdev->ops->scan)
5377 		return -EOPNOTSUPP;
5378 
5379 	if (rdev->scan_req || rdev->scan_msg) {
5380 		err = -EBUSY;
5381 		goto unlock;
5382 	}
5383 
5384 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5385 		n_channels = validate_scan_freqs(
5386 				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
5387 		if (!n_channels) {
5388 			err = -EINVAL;
5389 			goto unlock;
5390 		}
5391 	} else {
5392 		n_channels = ieee80211_get_num_supported_channels(wiphy);
5393 	}
5394 
5395 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
5396 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
5397 			n_ssids++;
5398 
5399 	if (n_ssids > wiphy->max_scan_ssids) {
5400 		err = -EINVAL;
5401 		goto unlock;
5402 	}
5403 
5404 	if (info->attrs[NL80211_ATTR_IE])
5405 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5406 	else
5407 		ie_len = 0;
5408 
5409 	if (ie_len > wiphy->max_scan_ie_len) {
5410 		err = -EINVAL;
5411 		goto unlock;
5412 	}
5413 
5414 	request = kzalloc(sizeof(*request)
5415 			+ sizeof(*request->ssids) * n_ssids
5416 			+ sizeof(*request->channels) * n_channels
5417 			+ ie_len, GFP_KERNEL);
5418 	if (!request) {
5419 		err = -ENOMEM;
5420 		goto unlock;
5421 	}
5422 
5423 	if (n_ssids)
5424 		request->ssids = (void *)&request->channels[n_channels];
5425 	request->n_ssids = n_ssids;
5426 	if (ie_len) {
5427 		if (request->ssids)
5428 			request->ie = (void *)(request->ssids + n_ssids);
5429 		else
5430 			request->ie = (void *)(request->channels + n_channels);
5431 	}
5432 
5433 	i = 0;
5434 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5435 		/* user specified, bail out if channel not found */
5436 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
5437 			struct ieee80211_channel *chan;
5438 
5439 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
5440 
5441 			if (!chan) {
5442 				err = -EINVAL;
5443 				goto out_free;
5444 			}
5445 
5446 			/* ignore disabled channels */
5447 			if (chan->flags & IEEE80211_CHAN_DISABLED)
5448 				continue;
5449 
5450 			request->channels[i] = chan;
5451 			i++;
5452 		}
5453 	} else {
5454 		enum ieee80211_band band;
5455 
5456 		/* all channels */
5457 		for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
5458 			int j;
5459 			if (!wiphy->bands[band])
5460 				continue;
5461 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
5462 				struct ieee80211_channel *chan;
5463 
5464 				chan = &wiphy->bands[band]->channels[j];
5465 
5466 				if (chan->flags & IEEE80211_CHAN_DISABLED)
5467 					continue;
5468 
5469 				request->channels[i] = chan;
5470 				i++;
5471 			}
5472 		}
5473 	}
5474 
5475 	if (!i) {
5476 		err = -EINVAL;
5477 		goto out_free;
5478 	}
5479 
5480 	request->n_channels = i;
5481 
5482 	i = 0;
5483 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
5484 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
5485 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
5486 				err = -EINVAL;
5487 				goto out_free;
5488 			}
5489 			request->ssids[i].ssid_len = nla_len(attr);
5490 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
5491 			i++;
5492 		}
5493 	}
5494 
5495 	if (info->attrs[NL80211_ATTR_IE]) {
5496 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5497 		memcpy((void *)request->ie,
5498 		       nla_data(info->attrs[NL80211_ATTR_IE]),
5499 		       request->ie_len);
5500 	}
5501 
5502 	for (i = 0; i < IEEE80211_NUM_BANDS; i++)
5503 		if (wiphy->bands[i])
5504 			request->rates[i] =
5505 				(1 << wiphy->bands[i]->n_bitrates) - 1;
5506 
5507 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
5508 		nla_for_each_nested(attr,
5509 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
5510 				    tmp) {
5511 			enum ieee80211_band band = nla_type(attr);
5512 
5513 			if (band < 0 || band >= IEEE80211_NUM_BANDS) {
5514 				err = -EINVAL;
5515 				goto out_free;
5516 			}
5517 
5518 			if (!wiphy->bands[band])
5519 				continue;
5520 
5521 			err = ieee80211_get_ratemask(wiphy->bands[band],
5522 						     nla_data(attr),
5523 						     nla_len(attr),
5524 						     &request->rates[band]);
5525 			if (err)
5526 				goto out_free;
5527 		}
5528 	}
5529 
5530 	if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
5531 		request->flags = nla_get_u32(
5532 			info->attrs[NL80211_ATTR_SCAN_FLAGS]);
5533 		if ((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
5534 		    !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) {
5535 			err = -EOPNOTSUPP;
5536 			goto out_free;
5537 		}
5538 	}
5539 
5540 	request->no_cck =
5541 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
5542 
5543 	request->wdev = wdev;
5544 	request->wiphy = &rdev->wiphy;
5545 	request->scan_start = jiffies;
5546 
5547 	rdev->scan_req = request;
5548 	err = rdev_scan(rdev, request);
5549 
5550 	if (!err) {
5551 		nl80211_send_scan_start(rdev, wdev);
5552 		if (wdev->netdev)
5553 			dev_hold(wdev->netdev);
5554 	} else {
5555  out_free:
5556 		rdev->scan_req = NULL;
5557 		kfree(request);
5558 	}
5559 
5560  unlock:
5561 	return err;
5562 }
5563 
5564 static int nl80211_start_sched_scan(struct sk_buff *skb,
5565 				    struct genl_info *info)
5566 {
5567 	struct cfg80211_sched_scan_request *request;
5568 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5569 	struct net_device *dev = info->user_ptr[1];
5570 	struct nlattr *attr;
5571 	struct wiphy *wiphy;
5572 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i;
5573 	u32 interval;
5574 	enum ieee80211_band band;
5575 	size_t ie_len;
5576 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
5577 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
5578 
5579 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
5580 	    !rdev->ops->sched_scan_start)
5581 		return -EOPNOTSUPP;
5582 
5583 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5584 		return -EINVAL;
5585 
5586 	if (!info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
5587 		return -EINVAL;
5588 
5589 	interval = nla_get_u32(info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
5590 	if (interval == 0)
5591 		return -EINVAL;
5592 
5593 	wiphy = &rdev->wiphy;
5594 
5595 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5596 		n_channels = validate_scan_freqs(
5597 				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
5598 		if (!n_channels)
5599 			return -EINVAL;
5600 	} else {
5601 		n_channels = ieee80211_get_num_supported_channels(wiphy);
5602 	}
5603 
5604 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
5605 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
5606 				    tmp)
5607 			n_ssids++;
5608 
5609 	if (n_ssids > wiphy->max_sched_scan_ssids)
5610 		return -EINVAL;
5611 
5612 	/*
5613 	 * First, count the number of 'real' matchsets. Due to an issue with
5614 	 * the old implementation, matchsets containing only the RSSI attribute
5615 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
5616 	 * RSSI for all matchsets, rather than their own matchset for reporting
5617 	 * all APs with a strong RSSI. This is needed to be compatible with
5618 	 * older userspace that treated a matchset with only the RSSI as the
5619 	 * global RSSI for all other matchsets - if there are other matchsets.
5620 	 */
5621 	if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
5622 		nla_for_each_nested(attr,
5623 				    info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
5624 				    tmp) {
5625 			struct nlattr *rssi;
5626 
5627 			err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
5628 					nla_data(attr), nla_len(attr),
5629 					nl80211_match_policy);
5630 			if (err)
5631 				return err;
5632 			/* add other standalone attributes here */
5633 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID]) {
5634 				n_match_sets++;
5635 				continue;
5636 			}
5637 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
5638 			if (rssi)
5639 				default_match_rssi = nla_get_s32(rssi);
5640 		}
5641 	}
5642 
5643 	/* However, if there's no other matchset, add the RSSI one */
5644 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
5645 		n_match_sets = 1;
5646 
5647 	if (n_match_sets > wiphy->max_match_sets)
5648 		return -EINVAL;
5649 
5650 	if (info->attrs[NL80211_ATTR_IE])
5651 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5652 	else
5653 		ie_len = 0;
5654 
5655 	if (ie_len > wiphy->max_sched_scan_ie_len)
5656 		return -EINVAL;
5657 
5658 	if (rdev->sched_scan_req) {
5659 		err = -EINPROGRESS;
5660 		goto out;
5661 	}
5662 
5663 	request = kzalloc(sizeof(*request)
5664 			+ sizeof(*request->ssids) * n_ssids
5665 			+ sizeof(*request->match_sets) * n_match_sets
5666 			+ sizeof(*request->channels) * n_channels
5667 			+ ie_len, GFP_KERNEL);
5668 	if (!request) {
5669 		err = -ENOMEM;
5670 		goto out;
5671 	}
5672 
5673 	if (n_ssids)
5674 		request->ssids = (void *)&request->channels[n_channels];
5675 	request->n_ssids = n_ssids;
5676 	if (ie_len) {
5677 		if (request->ssids)
5678 			request->ie = (void *)(request->ssids + n_ssids);
5679 		else
5680 			request->ie = (void *)(request->channels + n_channels);
5681 	}
5682 
5683 	if (n_match_sets) {
5684 		if (request->ie)
5685 			request->match_sets = (void *)(request->ie + ie_len);
5686 		else if (request->ssids)
5687 			request->match_sets =
5688 				(void *)(request->ssids + n_ssids);
5689 		else
5690 			request->match_sets =
5691 				(void *)(request->channels + n_channels);
5692 	}
5693 	request->n_match_sets = n_match_sets;
5694 
5695 	i = 0;
5696 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5697 		/* user specified, bail out if channel not found */
5698 		nla_for_each_nested(attr,
5699 				    info->attrs[NL80211_ATTR_SCAN_FREQUENCIES],
5700 				    tmp) {
5701 			struct ieee80211_channel *chan;
5702 
5703 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
5704 
5705 			if (!chan) {
5706 				err = -EINVAL;
5707 				goto out_free;
5708 			}
5709 
5710 			/* ignore disabled channels */
5711 			if (chan->flags & IEEE80211_CHAN_DISABLED)
5712 				continue;
5713 
5714 			request->channels[i] = chan;
5715 			i++;
5716 		}
5717 	} else {
5718 		/* all channels */
5719 		for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
5720 			int j;
5721 			if (!wiphy->bands[band])
5722 				continue;
5723 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
5724 				struct ieee80211_channel *chan;
5725 
5726 				chan = &wiphy->bands[band]->channels[j];
5727 
5728 				if (chan->flags & IEEE80211_CHAN_DISABLED)
5729 					continue;
5730 
5731 				request->channels[i] = chan;
5732 				i++;
5733 			}
5734 		}
5735 	}
5736 
5737 	if (!i) {
5738 		err = -EINVAL;
5739 		goto out_free;
5740 	}
5741 
5742 	request->n_channels = i;
5743 
5744 	i = 0;
5745 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
5746 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
5747 				    tmp) {
5748 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
5749 				err = -EINVAL;
5750 				goto out_free;
5751 			}
5752 			request->ssids[i].ssid_len = nla_len(attr);
5753 			memcpy(request->ssids[i].ssid, nla_data(attr),
5754 			       nla_len(attr));
5755 			i++;
5756 		}
5757 	}
5758 
5759 	i = 0;
5760 	if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
5761 		nla_for_each_nested(attr,
5762 				    info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
5763 				    tmp) {
5764 			struct nlattr *ssid, *rssi;
5765 
5766 			err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
5767 					nla_data(attr), nla_len(attr),
5768 					nl80211_match_policy);
5769 			if (err)
5770 				goto out_free;
5771 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
5772 			if (ssid) {
5773 				if (WARN_ON(i >= n_match_sets)) {
5774 					/* this indicates a programming error,
5775 					 * the loop above should have verified
5776 					 * things properly
5777 					 */
5778 					err = -EINVAL;
5779 					goto out_free;
5780 				}
5781 
5782 				if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
5783 					err = -EINVAL;
5784 					goto out_free;
5785 				}
5786 				memcpy(request->match_sets[i].ssid.ssid,
5787 				       nla_data(ssid), nla_len(ssid));
5788 				request->match_sets[i].ssid.ssid_len =
5789 					nla_len(ssid);
5790 				/* special attribute - old implemenation w/a */
5791 				request->match_sets[i].rssi_thold =
5792 					default_match_rssi;
5793 				rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
5794 				if (rssi)
5795 					request->match_sets[i].rssi_thold =
5796 						nla_get_s32(rssi);
5797 			}
5798 			i++;
5799 		}
5800 
5801 		/* there was no other matchset, so the RSSI one is alone */
5802 		if (i == 0)
5803 			request->match_sets[0].rssi_thold = default_match_rssi;
5804 
5805 		request->min_rssi_thold = INT_MAX;
5806 		for (i = 0; i < n_match_sets; i++)
5807 			request->min_rssi_thold =
5808 				min(request->match_sets[i].rssi_thold,
5809 				    request->min_rssi_thold);
5810 	} else {
5811 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
5812 	}
5813 
5814 	if (ie_len) {
5815 		request->ie_len = ie_len;
5816 		memcpy((void *)request->ie,
5817 		       nla_data(info->attrs[NL80211_ATTR_IE]),
5818 		       request->ie_len);
5819 	}
5820 
5821 	if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
5822 		request->flags = nla_get_u32(
5823 			info->attrs[NL80211_ATTR_SCAN_FLAGS]);
5824 		if ((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
5825 		    !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) {
5826 			err = -EOPNOTSUPP;
5827 			goto out_free;
5828 		}
5829 	}
5830 
5831 	request->dev = dev;
5832 	request->wiphy = &rdev->wiphy;
5833 	request->interval = interval;
5834 	request->scan_start = jiffies;
5835 
5836 	err = rdev_sched_scan_start(rdev, dev, request);
5837 	if (!err) {
5838 		rdev->sched_scan_req = request;
5839 		nl80211_send_sched_scan(rdev, dev,
5840 					NL80211_CMD_START_SCHED_SCAN);
5841 		goto out;
5842 	}
5843 
5844 out_free:
5845 	kfree(request);
5846 out:
5847 	return err;
5848 }
5849 
5850 static int nl80211_stop_sched_scan(struct sk_buff *skb,
5851 				   struct genl_info *info)
5852 {
5853 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5854 
5855 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
5856 	    !rdev->ops->sched_scan_stop)
5857 		return -EOPNOTSUPP;
5858 
5859 	return __cfg80211_stop_sched_scan(rdev, false);
5860 }
5861 
5862 static int nl80211_start_radar_detection(struct sk_buff *skb,
5863 					 struct genl_info *info)
5864 {
5865 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5866 	struct net_device *dev = info->user_ptr[1];
5867 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5868 	struct cfg80211_chan_def chandef;
5869 	enum nl80211_dfs_regions dfs_region;
5870 	unsigned int cac_time_ms;
5871 	int err;
5872 
5873 	dfs_region = reg_get_dfs_region(wdev->wiphy);
5874 	if (dfs_region == NL80211_DFS_UNSET)
5875 		return -EINVAL;
5876 
5877 	err = nl80211_parse_chandef(rdev, info, &chandef);
5878 	if (err)
5879 		return err;
5880 
5881 	if (netif_carrier_ok(dev))
5882 		return -EBUSY;
5883 
5884 	if (wdev->cac_started)
5885 		return -EBUSY;
5886 
5887 	err = cfg80211_chandef_dfs_required(wdev->wiphy, &chandef,
5888 					    wdev->iftype);
5889 	if (err < 0)
5890 		return err;
5891 
5892 	if (err == 0)
5893 		return -EINVAL;
5894 
5895 	if (!cfg80211_chandef_dfs_usable(wdev->wiphy, &chandef))
5896 		return -EINVAL;
5897 
5898 	if (!rdev->ops->start_radar_detection)
5899 		return -EOPNOTSUPP;
5900 
5901 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
5902 	if (WARN_ON(!cac_time_ms))
5903 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
5904 
5905 	err = rdev->ops->start_radar_detection(&rdev->wiphy, dev, &chandef,
5906 					       cac_time_ms);
5907 	if (!err) {
5908 		wdev->chandef = chandef;
5909 		wdev->cac_started = true;
5910 		wdev->cac_start_time = jiffies;
5911 		wdev->cac_time_ms = cac_time_ms;
5912 	}
5913 	return err;
5914 }
5915 
5916 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
5917 {
5918 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5919 	struct net_device *dev = info->user_ptr[1];
5920 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5921 	struct cfg80211_csa_settings params;
5922 	/* csa_attrs is defined static to avoid waste of stack size - this
5923 	 * function is called under RTNL lock, so this should not be a problem.
5924 	 */
5925 	static struct nlattr *csa_attrs[NL80211_ATTR_MAX+1];
5926 	u8 radar_detect_width = 0;
5927 	int err;
5928 	bool need_new_beacon = false;
5929 	int len, i;
5930 
5931 	if (!rdev->ops->channel_switch ||
5932 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
5933 		return -EOPNOTSUPP;
5934 
5935 	switch (dev->ieee80211_ptr->iftype) {
5936 	case NL80211_IFTYPE_AP:
5937 	case NL80211_IFTYPE_P2P_GO:
5938 		need_new_beacon = true;
5939 
5940 		/* useless if AP is not running */
5941 		if (!wdev->beacon_interval)
5942 			return -ENOTCONN;
5943 		break;
5944 	case NL80211_IFTYPE_ADHOC:
5945 		if (!wdev->ssid_len)
5946 			return -ENOTCONN;
5947 		break;
5948 	case NL80211_IFTYPE_MESH_POINT:
5949 		if (!wdev->mesh_id_len)
5950 			return -ENOTCONN;
5951 		break;
5952 	default:
5953 		return -EOPNOTSUPP;
5954 	}
5955 
5956 	memset(&params, 0, sizeof(params));
5957 
5958 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
5959 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
5960 		return -EINVAL;
5961 
5962 	/* only important for AP, IBSS and mesh create IEs internally */
5963 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
5964 		return -EINVAL;
5965 
5966 	params.count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
5967 
5968 	if (!need_new_beacon)
5969 		goto skip_beacons;
5970 
5971 	err = nl80211_parse_beacon(info->attrs, &params.beacon_after);
5972 	if (err)
5973 		return err;
5974 
5975 	err = nla_parse_nested(csa_attrs, NL80211_ATTR_MAX,
5976 			       info->attrs[NL80211_ATTR_CSA_IES],
5977 			       nl80211_policy);
5978 	if (err)
5979 		return err;
5980 
5981 	err = nl80211_parse_beacon(csa_attrs, &params.beacon_csa);
5982 	if (err)
5983 		return err;
5984 
5985 	if (!csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON])
5986 		return -EINVAL;
5987 
5988 	len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
5989 	if (!len || (len % sizeof(u16)))
5990 		return -EINVAL;
5991 
5992 	params.n_counter_offsets_beacon = len / sizeof(u16);
5993 	if (rdev->wiphy.max_num_csa_counters &&
5994 	    (params.n_counter_offsets_beacon >
5995 	     rdev->wiphy.max_num_csa_counters))
5996 		return -EINVAL;
5997 
5998 	params.counter_offsets_beacon =
5999 		nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
6000 
6001 	/* sanity checks - counters should fit and be the same */
6002 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
6003 		u16 offset = params.counter_offsets_beacon[i];
6004 
6005 		if (offset >= params.beacon_csa.tail_len)
6006 			return -EINVAL;
6007 
6008 		if (params.beacon_csa.tail[offset] != params.count)
6009 			return -EINVAL;
6010 	}
6011 
6012 	if (csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]) {
6013 		len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
6014 		if (!len || (len % sizeof(u16)))
6015 			return -EINVAL;
6016 
6017 		params.n_counter_offsets_presp = len / sizeof(u16);
6018 		if (rdev->wiphy.max_num_csa_counters &&
6019 		    (params.n_counter_offsets_beacon >
6020 		     rdev->wiphy.max_num_csa_counters))
6021 			return -EINVAL;
6022 
6023 		params.counter_offsets_presp =
6024 			nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
6025 
6026 		/* sanity checks - counters should fit and be the same */
6027 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
6028 			u16 offset = params.counter_offsets_presp[i];
6029 
6030 			if (offset >= params.beacon_csa.probe_resp_len)
6031 				return -EINVAL;
6032 
6033 			if (params.beacon_csa.probe_resp[offset] !=
6034 			    params.count)
6035 				return -EINVAL;
6036 		}
6037 	}
6038 
6039 skip_beacons:
6040 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
6041 	if (err)
6042 		return err;
6043 
6044 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &params.chandef,
6045 				     wdev->iftype))
6046 		return -EINVAL;
6047 
6048 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
6049 					    &params.chandef,
6050 					    wdev->iftype);
6051 	if (err < 0)
6052 		return err;
6053 
6054 	if (err > 0) {
6055 		radar_detect_width = BIT(params.chandef.width);
6056 		params.radar_required = true;
6057 	}
6058 
6059 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
6060 		params.block_tx = true;
6061 
6062 	wdev_lock(wdev);
6063 	err = rdev_channel_switch(rdev, dev, &params);
6064 	wdev_unlock(wdev);
6065 
6066 	return err;
6067 }
6068 
6069 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
6070 			    u32 seq, int flags,
6071 			    struct cfg80211_registered_device *rdev,
6072 			    struct wireless_dev *wdev,
6073 			    struct cfg80211_internal_bss *intbss)
6074 {
6075 	struct cfg80211_bss *res = &intbss->pub;
6076 	const struct cfg80211_bss_ies *ies;
6077 	void *hdr;
6078 	struct nlattr *bss;
6079 
6080 	ASSERT_WDEV_LOCK(wdev);
6081 
6082 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
6083 			     NL80211_CMD_NEW_SCAN_RESULTS);
6084 	if (!hdr)
6085 		return -1;
6086 
6087 	genl_dump_check_consistent(cb, hdr, &nl80211_fam);
6088 
6089 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
6090 		goto nla_put_failure;
6091 	if (wdev->netdev &&
6092 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
6093 		goto nla_put_failure;
6094 	if (nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
6095 		goto nla_put_failure;
6096 
6097 	bss = nla_nest_start(msg, NL80211_ATTR_BSS);
6098 	if (!bss)
6099 		goto nla_put_failure;
6100 	if ((!is_zero_ether_addr(res->bssid) &&
6101 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
6102 		goto nla_put_failure;
6103 
6104 	rcu_read_lock();
6105 	/* indicate whether we have probe response data or not */
6106 	if (rcu_access_pointer(res->proberesp_ies) &&
6107 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
6108 		goto fail_unlock_rcu;
6109 
6110 	/* this pointer prefers to be pointed to probe response data
6111 	 * but is always valid
6112 	 */
6113 	ies = rcu_dereference(res->ies);
6114 	if (ies) {
6115 		if (nla_put_u64(msg, NL80211_BSS_TSF, ies->tsf))
6116 			goto fail_unlock_rcu;
6117 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
6118 					ies->len, ies->data))
6119 			goto fail_unlock_rcu;
6120 	}
6121 
6122 	/* and this pointer is always (unless driver didn't know) beacon data */
6123 	ies = rcu_dereference(res->beacon_ies);
6124 	if (ies && ies->from_beacon) {
6125 		if (nla_put_u64(msg, NL80211_BSS_BEACON_TSF, ies->tsf))
6126 			goto fail_unlock_rcu;
6127 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
6128 					ies->len, ies->data))
6129 			goto fail_unlock_rcu;
6130 	}
6131 	rcu_read_unlock();
6132 
6133 	if (res->beacon_interval &&
6134 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
6135 		goto nla_put_failure;
6136 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
6137 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
6138 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
6139 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
6140 			jiffies_to_msecs(jiffies - intbss->ts)))
6141 		goto nla_put_failure;
6142 
6143 	switch (rdev->wiphy.signal_type) {
6144 	case CFG80211_SIGNAL_TYPE_MBM:
6145 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
6146 			goto nla_put_failure;
6147 		break;
6148 	case CFG80211_SIGNAL_TYPE_UNSPEC:
6149 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
6150 			goto nla_put_failure;
6151 		break;
6152 	default:
6153 		break;
6154 	}
6155 
6156 	switch (wdev->iftype) {
6157 	case NL80211_IFTYPE_P2P_CLIENT:
6158 	case NL80211_IFTYPE_STATION:
6159 		if (intbss == wdev->current_bss &&
6160 		    nla_put_u32(msg, NL80211_BSS_STATUS,
6161 				NL80211_BSS_STATUS_ASSOCIATED))
6162 			goto nla_put_failure;
6163 		break;
6164 	case NL80211_IFTYPE_ADHOC:
6165 		if (intbss == wdev->current_bss &&
6166 		    nla_put_u32(msg, NL80211_BSS_STATUS,
6167 				NL80211_BSS_STATUS_IBSS_JOINED))
6168 			goto nla_put_failure;
6169 		break;
6170 	default:
6171 		break;
6172 	}
6173 
6174 	nla_nest_end(msg, bss);
6175 
6176 	return genlmsg_end(msg, hdr);
6177 
6178  fail_unlock_rcu:
6179 	rcu_read_unlock();
6180  nla_put_failure:
6181 	genlmsg_cancel(msg, hdr);
6182 	return -EMSGSIZE;
6183 }
6184 
6185 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
6186 {
6187 	struct cfg80211_registered_device *rdev;
6188 	struct cfg80211_internal_bss *scan;
6189 	struct wireless_dev *wdev;
6190 	int start = cb->args[2], idx = 0;
6191 	int err;
6192 
6193 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
6194 	if (err)
6195 		return err;
6196 
6197 	wdev_lock(wdev);
6198 	spin_lock_bh(&rdev->bss_lock);
6199 	cfg80211_bss_expire(rdev);
6200 
6201 	cb->seq = rdev->bss_generation;
6202 
6203 	list_for_each_entry(scan, &rdev->bss_list, list) {
6204 		if (++idx <= start)
6205 			continue;
6206 		if (nl80211_send_bss(skb, cb,
6207 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6208 				rdev, wdev, scan) < 0) {
6209 			idx--;
6210 			break;
6211 		}
6212 	}
6213 
6214 	spin_unlock_bh(&rdev->bss_lock);
6215 	wdev_unlock(wdev);
6216 
6217 	cb->args[2] = idx;
6218 	nl80211_finish_wdev_dump(rdev);
6219 
6220 	return skb->len;
6221 }
6222 
6223 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
6224 				int flags, struct net_device *dev,
6225 				struct survey_info *survey)
6226 {
6227 	void *hdr;
6228 	struct nlattr *infoattr;
6229 
6230 	hdr = nl80211hdr_put(msg, portid, seq, flags,
6231 			     NL80211_CMD_NEW_SURVEY_RESULTS);
6232 	if (!hdr)
6233 		return -ENOMEM;
6234 
6235 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
6236 		goto nla_put_failure;
6237 
6238 	infoattr = nla_nest_start(msg, NL80211_ATTR_SURVEY_INFO);
6239 	if (!infoattr)
6240 		goto nla_put_failure;
6241 
6242 	if (nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
6243 			survey->channel->center_freq))
6244 		goto nla_put_failure;
6245 
6246 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
6247 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
6248 		goto nla_put_failure;
6249 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
6250 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
6251 		goto nla_put_failure;
6252 	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME) &&
6253 	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME,
6254 			survey->channel_time))
6255 		goto nla_put_failure;
6256 	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_BUSY) &&
6257 	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_BUSY,
6258 			survey->channel_time_busy))
6259 		goto nla_put_failure;
6260 	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_EXT_BUSY) &&
6261 	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_EXT_BUSY,
6262 			survey->channel_time_ext_busy))
6263 		goto nla_put_failure;
6264 	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_RX) &&
6265 	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_RX,
6266 			survey->channel_time_rx))
6267 		goto nla_put_failure;
6268 	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_TX) &&
6269 	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_TX,
6270 			survey->channel_time_tx))
6271 		goto nla_put_failure;
6272 
6273 	nla_nest_end(msg, infoattr);
6274 
6275 	return genlmsg_end(msg, hdr);
6276 
6277  nla_put_failure:
6278 	genlmsg_cancel(msg, hdr);
6279 	return -EMSGSIZE;
6280 }
6281 
6282 static int nl80211_dump_survey(struct sk_buff *skb,
6283 			struct netlink_callback *cb)
6284 {
6285 	struct survey_info survey;
6286 	struct cfg80211_registered_device *rdev;
6287 	struct wireless_dev *wdev;
6288 	int survey_idx = cb->args[2];
6289 	int res;
6290 
6291 	res = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
6292 	if (res)
6293 		return res;
6294 
6295 	if (!wdev->netdev) {
6296 		res = -EINVAL;
6297 		goto out_err;
6298 	}
6299 
6300 	if (!rdev->ops->dump_survey) {
6301 		res = -EOPNOTSUPP;
6302 		goto out_err;
6303 	}
6304 
6305 	while (1) {
6306 		struct ieee80211_channel *chan;
6307 
6308 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
6309 		if (res == -ENOENT)
6310 			break;
6311 		if (res)
6312 			goto out_err;
6313 
6314 		/* Survey without a channel doesn't make sense */
6315 		if (!survey.channel) {
6316 			res = -EINVAL;
6317 			goto out;
6318 		}
6319 
6320 		chan = ieee80211_get_channel(&rdev->wiphy,
6321 					     survey.channel->center_freq);
6322 		if (!chan || chan->flags & IEEE80211_CHAN_DISABLED) {
6323 			survey_idx++;
6324 			continue;
6325 		}
6326 
6327 		if (nl80211_send_survey(skb,
6328 				NETLINK_CB(cb->skb).portid,
6329 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6330 				wdev->netdev, &survey) < 0)
6331 			goto out;
6332 		survey_idx++;
6333 	}
6334 
6335  out:
6336 	cb->args[2] = survey_idx;
6337 	res = skb->len;
6338  out_err:
6339 	nl80211_finish_wdev_dump(rdev);
6340 	return res;
6341 }
6342 
6343 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
6344 {
6345 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
6346 				  NL80211_WPA_VERSION_2));
6347 }
6348 
6349 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
6350 {
6351 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6352 	struct net_device *dev = info->user_ptr[1];
6353 	struct ieee80211_channel *chan;
6354 	const u8 *bssid, *ssid, *ie = NULL, *sae_data = NULL;
6355 	int err, ssid_len, ie_len = 0, sae_data_len = 0;
6356 	enum nl80211_auth_type auth_type;
6357 	struct key_parse key;
6358 	bool local_state_change;
6359 
6360 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6361 		return -EINVAL;
6362 
6363 	if (!info->attrs[NL80211_ATTR_MAC])
6364 		return -EINVAL;
6365 
6366 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
6367 		return -EINVAL;
6368 
6369 	if (!info->attrs[NL80211_ATTR_SSID])
6370 		return -EINVAL;
6371 
6372 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
6373 		return -EINVAL;
6374 
6375 	err = nl80211_parse_key(info, &key);
6376 	if (err)
6377 		return err;
6378 
6379 	if (key.idx >= 0) {
6380 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
6381 			return -EINVAL;
6382 		if (!key.p.key || !key.p.key_len)
6383 			return -EINVAL;
6384 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
6385 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
6386 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
6387 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
6388 			return -EINVAL;
6389 		if (key.idx > 4)
6390 			return -EINVAL;
6391 	} else {
6392 		key.p.key_len = 0;
6393 		key.p.key = NULL;
6394 	}
6395 
6396 	if (key.idx >= 0) {
6397 		int i;
6398 		bool ok = false;
6399 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
6400 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
6401 				ok = true;
6402 				break;
6403 			}
6404 		}
6405 		if (!ok)
6406 			return -EINVAL;
6407 	}
6408 
6409 	if (!rdev->ops->auth)
6410 		return -EOPNOTSUPP;
6411 
6412 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6413 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6414 		return -EOPNOTSUPP;
6415 
6416 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6417 	chan = nl80211_get_valid_chan(&rdev->wiphy,
6418 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
6419 	if (!chan)
6420 		return -EINVAL;
6421 
6422 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6423 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
6424 
6425 	if (info->attrs[NL80211_ATTR_IE]) {
6426 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6427 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6428 	}
6429 
6430 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
6431 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
6432 		return -EINVAL;
6433 
6434 	if (auth_type == NL80211_AUTHTYPE_SAE &&
6435 	    !info->attrs[NL80211_ATTR_SAE_DATA])
6436 		return -EINVAL;
6437 
6438 	if (info->attrs[NL80211_ATTR_SAE_DATA]) {
6439 		if (auth_type != NL80211_AUTHTYPE_SAE)
6440 			return -EINVAL;
6441 		sae_data = nla_data(info->attrs[NL80211_ATTR_SAE_DATA]);
6442 		sae_data_len = nla_len(info->attrs[NL80211_ATTR_SAE_DATA]);
6443 		/* need to include at least Auth Transaction and Status Code */
6444 		if (sae_data_len < 4)
6445 			return -EINVAL;
6446 	}
6447 
6448 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
6449 
6450 	/*
6451 	 * Since we no longer track auth state, ignore
6452 	 * requests to only change local state.
6453 	 */
6454 	if (local_state_change)
6455 		return 0;
6456 
6457 	wdev_lock(dev->ieee80211_ptr);
6458 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
6459 				 ssid, ssid_len, ie, ie_len,
6460 				 key.p.key, key.p.key_len, key.idx,
6461 				 sae_data, sae_data_len);
6462 	wdev_unlock(dev->ieee80211_ptr);
6463 	return err;
6464 }
6465 
6466 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
6467 				   struct genl_info *info,
6468 				   struct cfg80211_crypto_settings *settings,
6469 				   int cipher_limit)
6470 {
6471 	memset(settings, 0, sizeof(*settings));
6472 
6473 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
6474 
6475 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
6476 		u16 proto;
6477 		proto = nla_get_u16(
6478 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
6479 		settings->control_port_ethertype = cpu_to_be16(proto);
6480 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
6481 		    proto != ETH_P_PAE)
6482 			return -EINVAL;
6483 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
6484 			settings->control_port_no_encrypt = true;
6485 	} else
6486 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
6487 
6488 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
6489 		void *data;
6490 		int len, i;
6491 
6492 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
6493 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
6494 		settings->n_ciphers_pairwise = len / sizeof(u32);
6495 
6496 		if (len % sizeof(u32))
6497 			return -EINVAL;
6498 
6499 		if (settings->n_ciphers_pairwise > cipher_limit)
6500 			return -EINVAL;
6501 
6502 		memcpy(settings->ciphers_pairwise, data, len);
6503 
6504 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
6505 			if (!cfg80211_supported_cipher_suite(
6506 					&rdev->wiphy,
6507 					settings->ciphers_pairwise[i]))
6508 				return -EINVAL;
6509 	}
6510 
6511 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
6512 		settings->cipher_group =
6513 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
6514 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
6515 						     settings->cipher_group))
6516 			return -EINVAL;
6517 	}
6518 
6519 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
6520 		settings->wpa_versions =
6521 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
6522 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
6523 			return -EINVAL;
6524 	}
6525 
6526 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
6527 		void *data;
6528 		int len;
6529 
6530 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
6531 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
6532 		settings->n_akm_suites = len / sizeof(u32);
6533 
6534 		if (len % sizeof(u32))
6535 			return -EINVAL;
6536 
6537 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
6538 			return -EINVAL;
6539 
6540 		memcpy(settings->akm_suites, data, len);
6541 	}
6542 
6543 	return 0;
6544 }
6545 
6546 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
6547 {
6548 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6549 	struct net_device *dev = info->user_ptr[1];
6550 	struct ieee80211_channel *chan;
6551 	struct cfg80211_assoc_request req = {};
6552 	const u8 *bssid, *ssid;
6553 	int err, ssid_len = 0;
6554 
6555 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6556 		return -EINVAL;
6557 
6558 	if (!info->attrs[NL80211_ATTR_MAC] ||
6559 	    !info->attrs[NL80211_ATTR_SSID] ||
6560 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
6561 		return -EINVAL;
6562 
6563 	if (!rdev->ops->assoc)
6564 		return -EOPNOTSUPP;
6565 
6566 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6567 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6568 		return -EOPNOTSUPP;
6569 
6570 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6571 
6572 	chan = nl80211_get_valid_chan(&rdev->wiphy,
6573 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
6574 	if (!chan)
6575 		return -EINVAL;
6576 
6577 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6578 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
6579 
6580 	if (info->attrs[NL80211_ATTR_IE]) {
6581 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6582 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6583 	}
6584 
6585 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
6586 		enum nl80211_mfp mfp =
6587 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
6588 		if (mfp == NL80211_MFP_REQUIRED)
6589 			req.use_mfp = true;
6590 		else if (mfp != NL80211_MFP_NO)
6591 			return -EINVAL;
6592 	}
6593 
6594 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
6595 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
6596 
6597 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
6598 		req.flags |= ASSOC_REQ_DISABLE_HT;
6599 
6600 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
6601 		memcpy(&req.ht_capa_mask,
6602 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
6603 		       sizeof(req.ht_capa_mask));
6604 
6605 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
6606 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
6607 			return -EINVAL;
6608 		memcpy(&req.ht_capa,
6609 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
6610 		       sizeof(req.ht_capa));
6611 	}
6612 
6613 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
6614 		req.flags |= ASSOC_REQ_DISABLE_VHT;
6615 
6616 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
6617 		memcpy(&req.vht_capa_mask,
6618 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
6619 		       sizeof(req.vht_capa_mask));
6620 
6621 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
6622 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
6623 			return -EINVAL;
6624 		memcpy(&req.vht_capa,
6625 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
6626 		       sizeof(req.vht_capa));
6627 	}
6628 
6629 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
6630 		if (!(rdev->wiphy.features &
6631 		      NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) ||
6632 		    !(rdev->wiphy.features & NL80211_FEATURE_QUIET))
6633 			return -EINVAL;
6634 		req.flags |= ASSOC_REQ_USE_RRM;
6635 	}
6636 
6637 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
6638 	if (!err) {
6639 		wdev_lock(dev->ieee80211_ptr);
6640 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
6641 					  ssid, ssid_len, &req);
6642 		wdev_unlock(dev->ieee80211_ptr);
6643 	}
6644 
6645 	return err;
6646 }
6647 
6648 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
6649 {
6650 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6651 	struct net_device *dev = info->user_ptr[1];
6652 	const u8 *ie = NULL, *bssid;
6653 	int ie_len = 0, err;
6654 	u16 reason_code;
6655 	bool local_state_change;
6656 
6657 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6658 		return -EINVAL;
6659 
6660 	if (!info->attrs[NL80211_ATTR_MAC])
6661 		return -EINVAL;
6662 
6663 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
6664 		return -EINVAL;
6665 
6666 	if (!rdev->ops->deauth)
6667 		return -EOPNOTSUPP;
6668 
6669 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6670 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6671 		return -EOPNOTSUPP;
6672 
6673 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6674 
6675 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
6676 	if (reason_code == 0) {
6677 		/* Reason Code 0 is reserved */
6678 		return -EINVAL;
6679 	}
6680 
6681 	if (info->attrs[NL80211_ATTR_IE]) {
6682 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6683 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6684 	}
6685 
6686 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
6687 
6688 	wdev_lock(dev->ieee80211_ptr);
6689 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
6690 				   local_state_change);
6691 	wdev_unlock(dev->ieee80211_ptr);
6692 	return err;
6693 }
6694 
6695 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
6696 {
6697 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6698 	struct net_device *dev = info->user_ptr[1];
6699 	const u8 *ie = NULL, *bssid;
6700 	int ie_len = 0, err;
6701 	u16 reason_code;
6702 	bool local_state_change;
6703 
6704 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6705 		return -EINVAL;
6706 
6707 	if (!info->attrs[NL80211_ATTR_MAC])
6708 		return -EINVAL;
6709 
6710 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
6711 		return -EINVAL;
6712 
6713 	if (!rdev->ops->disassoc)
6714 		return -EOPNOTSUPP;
6715 
6716 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6717 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6718 		return -EOPNOTSUPP;
6719 
6720 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6721 
6722 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
6723 	if (reason_code == 0) {
6724 		/* Reason Code 0 is reserved */
6725 		return -EINVAL;
6726 	}
6727 
6728 	if (info->attrs[NL80211_ATTR_IE]) {
6729 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6730 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6731 	}
6732 
6733 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
6734 
6735 	wdev_lock(dev->ieee80211_ptr);
6736 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
6737 				     local_state_change);
6738 	wdev_unlock(dev->ieee80211_ptr);
6739 	return err;
6740 }
6741 
6742 static bool
6743 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
6744 			 int mcast_rate[IEEE80211_NUM_BANDS],
6745 			 int rateval)
6746 {
6747 	struct wiphy *wiphy = &rdev->wiphy;
6748 	bool found = false;
6749 	int band, i;
6750 
6751 	for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
6752 		struct ieee80211_supported_band *sband;
6753 
6754 		sband = wiphy->bands[band];
6755 		if (!sband)
6756 			continue;
6757 
6758 		for (i = 0; i < sband->n_bitrates; i++) {
6759 			if (sband->bitrates[i].bitrate == rateval) {
6760 				mcast_rate[band] = i + 1;
6761 				found = true;
6762 				break;
6763 			}
6764 		}
6765 	}
6766 
6767 	return found;
6768 }
6769 
6770 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
6771 {
6772 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6773 	struct net_device *dev = info->user_ptr[1];
6774 	struct cfg80211_ibss_params ibss;
6775 	struct wiphy *wiphy;
6776 	struct cfg80211_cached_keys *connkeys = NULL;
6777 	int err;
6778 
6779 	memset(&ibss, 0, sizeof(ibss));
6780 
6781 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6782 		return -EINVAL;
6783 
6784 	if (!info->attrs[NL80211_ATTR_SSID] ||
6785 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
6786 		return -EINVAL;
6787 
6788 	ibss.beacon_interval = 100;
6789 
6790 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
6791 		ibss.beacon_interval =
6792 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
6793 		if (ibss.beacon_interval < 1 || ibss.beacon_interval > 10000)
6794 			return -EINVAL;
6795 	}
6796 
6797 	if (!rdev->ops->join_ibss)
6798 		return -EOPNOTSUPP;
6799 
6800 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
6801 		return -EOPNOTSUPP;
6802 
6803 	wiphy = &rdev->wiphy;
6804 
6805 	if (info->attrs[NL80211_ATTR_MAC]) {
6806 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6807 
6808 		if (!is_valid_ether_addr(ibss.bssid))
6809 			return -EINVAL;
6810 	}
6811 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6812 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
6813 
6814 	if (info->attrs[NL80211_ATTR_IE]) {
6815 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6816 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6817 	}
6818 
6819 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
6820 	if (err)
6821 		return err;
6822 
6823 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
6824 				     NL80211_IFTYPE_ADHOC))
6825 		return -EINVAL;
6826 
6827 	switch (ibss.chandef.width) {
6828 	case NL80211_CHAN_WIDTH_5:
6829 	case NL80211_CHAN_WIDTH_10:
6830 	case NL80211_CHAN_WIDTH_20_NOHT:
6831 		break;
6832 	case NL80211_CHAN_WIDTH_20:
6833 	case NL80211_CHAN_WIDTH_40:
6834 		if (rdev->wiphy.features & NL80211_FEATURE_HT_IBSS)
6835 			break;
6836 	default:
6837 		return -EINVAL;
6838 	}
6839 
6840 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
6841 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
6842 
6843 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
6844 		u8 *rates =
6845 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6846 		int n_rates =
6847 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6848 		struct ieee80211_supported_band *sband =
6849 			wiphy->bands[ibss.chandef.chan->band];
6850 
6851 		err = ieee80211_get_ratemask(sband, rates, n_rates,
6852 					     &ibss.basic_rates);
6853 		if (err)
6854 			return err;
6855 	}
6856 
6857 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
6858 		memcpy(&ibss.ht_capa_mask,
6859 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
6860 		       sizeof(ibss.ht_capa_mask));
6861 
6862 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
6863 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
6864 			return -EINVAL;
6865 		memcpy(&ibss.ht_capa,
6866 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
6867 		       sizeof(ibss.ht_capa));
6868 	}
6869 
6870 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
6871 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
6872 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
6873 		return -EINVAL;
6874 
6875 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
6876 		bool no_ht = false;
6877 
6878 		connkeys = nl80211_parse_connkeys(rdev,
6879 					  info->attrs[NL80211_ATTR_KEYS],
6880 					  &no_ht);
6881 		if (IS_ERR(connkeys))
6882 			return PTR_ERR(connkeys);
6883 
6884 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
6885 		    no_ht) {
6886 			kfree(connkeys);
6887 			return -EINVAL;
6888 		}
6889 	}
6890 
6891 	ibss.control_port =
6892 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
6893 
6894 	ibss.userspace_handles_dfs =
6895 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
6896 
6897 	err = cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
6898 	if (err)
6899 		kzfree(connkeys);
6900 	return err;
6901 }
6902 
6903 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
6904 {
6905 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6906 	struct net_device *dev = info->user_ptr[1];
6907 
6908 	if (!rdev->ops->leave_ibss)
6909 		return -EOPNOTSUPP;
6910 
6911 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
6912 		return -EOPNOTSUPP;
6913 
6914 	return cfg80211_leave_ibss(rdev, dev, false);
6915 }
6916 
6917 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
6918 {
6919 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6920 	struct net_device *dev = info->user_ptr[1];
6921 	int mcast_rate[IEEE80211_NUM_BANDS];
6922 	u32 nla_rate;
6923 	int err;
6924 
6925 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
6926 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6927 		return -EOPNOTSUPP;
6928 
6929 	if (!rdev->ops->set_mcast_rate)
6930 		return -EOPNOTSUPP;
6931 
6932 	memset(mcast_rate, 0, sizeof(mcast_rate));
6933 
6934 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
6935 		return -EINVAL;
6936 
6937 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
6938 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
6939 		return -EINVAL;
6940 
6941 	err = rdev->ops->set_mcast_rate(&rdev->wiphy, dev, mcast_rate);
6942 
6943 	return err;
6944 }
6945 
6946 static struct sk_buff *
6947 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
6948 			    int approxlen, u32 portid, u32 seq,
6949 			    enum nl80211_commands cmd,
6950 			    enum nl80211_attrs attr,
6951 			    const struct nl80211_vendor_cmd_info *info,
6952 			    gfp_t gfp)
6953 {
6954 	struct sk_buff *skb;
6955 	void *hdr;
6956 	struct nlattr *data;
6957 
6958 	skb = nlmsg_new(approxlen + 100, gfp);
6959 	if (!skb)
6960 		return NULL;
6961 
6962 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
6963 	if (!hdr) {
6964 		kfree_skb(skb);
6965 		return NULL;
6966 	}
6967 
6968 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
6969 		goto nla_put_failure;
6970 
6971 	if (info) {
6972 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
6973 				info->vendor_id))
6974 			goto nla_put_failure;
6975 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
6976 				info->subcmd))
6977 			goto nla_put_failure;
6978 	}
6979 
6980 	data = nla_nest_start(skb, attr);
6981 
6982 	((void **)skb->cb)[0] = rdev;
6983 	((void **)skb->cb)[1] = hdr;
6984 	((void **)skb->cb)[2] = data;
6985 
6986 	return skb;
6987 
6988  nla_put_failure:
6989 	kfree_skb(skb);
6990 	return NULL;
6991 }
6992 
6993 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
6994 					   enum nl80211_commands cmd,
6995 					   enum nl80211_attrs attr,
6996 					   int vendor_event_idx,
6997 					   int approxlen, gfp_t gfp)
6998 {
6999 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
7000 	const struct nl80211_vendor_cmd_info *info;
7001 
7002 	switch (cmd) {
7003 	case NL80211_CMD_TESTMODE:
7004 		if (WARN_ON(vendor_event_idx != -1))
7005 			return NULL;
7006 		info = NULL;
7007 		break;
7008 	case NL80211_CMD_VENDOR:
7009 		if (WARN_ON(vendor_event_idx < 0 ||
7010 			    vendor_event_idx >= wiphy->n_vendor_events))
7011 			return NULL;
7012 		info = &wiphy->vendor_events[vendor_event_idx];
7013 		break;
7014 	default:
7015 		WARN_ON(1);
7016 		return NULL;
7017 	}
7018 
7019 	return __cfg80211_alloc_vendor_skb(rdev, approxlen, 0, 0,
7020 					   cmd, attr, info, gfp);
7021 }
7022 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
7023 
7024 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
7025 {
7026 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
7027 	void *hdr = ((void **)skb->cb)[1];
7028 	struct nlattr *data = ((void **)skb->cb)[2];
7029 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
7030 
7031 	/* clear CB data for netlink core to own from now on */
7032 	memset(skb->cb, 0, sizeof(skb->cb));
7033 
7034 	nla_nest_end(skb, data);
7035 	genlmsg_end(skb, hdr);
7036 
7037 	if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
7038 		mcgrp = NL80211_MCGRP_VENDOR;
7039 
7040 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), skb, 0,
7041 				mcgrp, gfp);
7042 }
7043 EXPORT_SYMBOL(__cfg80211_send_event_skb);
7044 
7045 #ifdef CONFIG_NL80211_TESTMODE
7046 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
7047 {
7048 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7049 	struct wireless_dev *wdev =
7050 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
7051 	int err;
7052 
7053 	if (!rdev->ops->testmode_cmd)
7054 		return -EOPNOTSUPP;
7055 
7056 	if (IS_ERR(wdev)) {
7057 		err = PTR_ERR(wdev);
7058 		if (err != -EINVAL)
7059 			return err;
7060 		wdev = NULL;
7061 	} else if (wdev->wiphy != &rdev->wiphy) {
7062 		return -EINVAL;
7063 	}
7064 
7065 	if (!info->attrs[NL80211_ATTR_TESTDATA])
7066 		return -EINVAL;
7067 
7068 	rdev->cur_cmd_info = info;
7069 	err = rdev_testmode_cmd(rdev, wdev,
7070 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
7071 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
7072 	rdev->cur_cmd_info = NULL;
7073 
7074 	return err;
7075 }
7076 
7077 static int nl80211_testmode_dump(struct sk_buff *skb,
7078 				 struct netlink_callback *cb)
7079 {
7080 	struct cfg80211_registered_device *rdev;
7081 	int err;
7082 	long phy_idx;
7083 	void *data = NULL;
7084 	int data_len = 0;
7085 
7086 	rtnl_lock();
7087 
7088 	if (cb->args[0]) {
7089 		/*
7090 		 * 0 is a valid index, but not valid for args[0],
7091 		 * so we need to offset by 1.
7092 		 */
7093 		phy_idx = cb->args[0] - 1;
7094 	} else {
7095 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
7096 				  nl80211_fam.attrbuf, nl80211_fam.maxattr,
7097 				  nl80211_policy);
7098 		if (err)
7099 			goto out_err;
7100 
7101 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk),
7102 						  nl80211_fam.attrbuf);
7103 		if (IS_ERR(rdev)) {
7104 			err = PTR_ERR(rdev);
7105 			goto out_err;
7106 		}
7107 		phy_idx = rdev->wiphy_idx;
7108 		rdev = NULL;
7109 
7110 		if (nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA])
7111 			cb->args[1] =
7112 				(long)nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA];
7113 	}
7114 
7115 	if (cb->args[1]) {
7116 		data = nla_data((void *)cb->args[1]);
7117 		data_len = nla_len((void *)cb->args[1]);
7118 	}
7119 
7120 	rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
7121 	if (!rdev) {
7122 		err = -ENOENT;
7123 		goto out_err;
7124 	}
7125 
7126 	if (!rdev->ops->testmode_dump) {
7127 		err = -EOPNOTSUPP;
7128 		goto out_err;
7129 	}
7130 
7131 	while (1) {
7132 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
7133 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
7134 					   NL80211_CMD_TESTMODE);
7135 		struct nlattr *tmdata;
7136 
7137 		if (!hdr)
7138 			break;
7139 
7140 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
7141 			genlmsg_cancel(skb, hdr);
7142 			break;
7143 		}
7144 
7145 		tmdata = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
7146 		if (!tmdata) {
7147 			genlmsg_cancel(skb, hdr);
7148 			break;
7149 		}
7150 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
7151 		nla_nest_end(skb, tmdata);
7152 
7153 		if (err == -ENOBUFS || err == -ENOENT) {
7154 			genlmsg_cancel(skb, hdr);
7155 			break;
7156 		} else if (err) {
7157 			genlmsg_cancel(skb, hdr);
7158 			goto out_err;
7159 		}
7160 
7161 		genlmsg_end(skb, hdr);
7162 	}
7163 
7164 	err = skb->len;
7165 	/* see above */
7166 	cb->args[0] = phy_idx + 1;
7167  out_err:
7168 	rtnl_unlock();
7169 	return err;
7170 }
7171 #endif
7172 
7173 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
7174 {
7175 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7176 	struct net_device *dev = info->user_ptr[1];
7177 	struct cfg80211_connect_params connect;
7178 	struct wiphy *wiphy;
7179 	struct cfg80211_cached_keys *connkeys = NULL;
7180 	int err;
7181 
7182 	memset(&connect, 0, sizeof(connect));
7183 
7184 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7185 		return -EINVAL;
7186 
7187 	if (!info->attrs[NL80211_ATTR_SSID] ||
7188 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
7189 		return -EINVAL;
7190 
7191 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
7192 		connect.auth_type =
7193 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
7194 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
7195 					     NL80211_CMD_CONNECT))
7196 			return -EINVAL;
7197 	} else
7198 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
7199 
7200 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
7201 
7202 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
7203 				      NL80211_MAX_NR_CIPHER_SUITES);
7204 	if (err)
7205 		return err;
7206 
7207 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7208 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7209 		return -EOPNOTSUPP;
7210 
7211 	wiphy = &rdev->wiphy;
7212 
7213 	connect.bg_scan_period = -1;
7214 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
7215 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
7216 		connect.bg_scan_period =
7217 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
7218 	}
7219 
7220 	if (info->attrs[NL80211_ATTR_MAC])
7221 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7222 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
7223 		connect.bssid_hint =
7224 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
7225 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
7226 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
7227 
7228 	if (info->attrs[NL80211_ATTR_IE]) {
7229 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7230 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7231 	}
7232 
7233 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
7234 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
7235 		if (connect.mfp != NL80211_MFP_REQUIRED &&
7236 		    connect.mfp != NL80211_MFP_NO)
7237 			return -EINVAL;
7238 	} else {
7239 		connect.mfp = NL80211_MFP_NO;
7240 	}
7241 
7242 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
7243 		connect.channel = nl80211_get_valid_chan(
7244 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ]);
7245 		if (!connect.channel)
7246 			return -EINVAL;
7247 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
7248 		connect.channel_hint = nl80211_get_valid_chan(
7249 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
7250 		if (!connect.channel_hint)
7251 			return -EINVAL;
7252 	}
7253 
7254 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
7255 		connkeys = nl80211_parse_connkeys(rdev,
7256 					  info->attrs[NL80211_ATTR_KEYS], NULL);
7257 		if (IS_ERR(connkeys))
7258 			return PTR_ERR(connkeys);
7259 	}
7260 
7261 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
7262 		connect.flags |= ASSOC_REQ_DISABLE_HT;
7263 
7264 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7265 		memcpy(&connect.ht_capa_mask,
7266 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
7267 		       sizeof(connect.ht_capa_mask));
7268 
7269 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
7270 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
7271 			kzfree(connkeys);
7272 			return -EINVAL;
7273 		}
7274 		memcpy(&connect.ht_capa,
7275 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
7276 		       sizeof(connect.ht_capa));
7277 	}
7278 
7279 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
7280 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
7281 
7282 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
7283 		memcpy(&connect.vht_capa_mask,
7284 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
7285 		       sizeof(connect.vht_capa_mask));
7286 
7287 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
7288 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
7289 			kzfree(connkeys);
7290 			return -EINVAL;
7291 		}
7292 		memcpy(&connect.vht_capa,
7293 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
7294 		       sizeof(connect.vht_capa));
7295 	}
7296 
7297 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
7298 		if (!(rdev->wiphy.features &
7299 		      NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) ||
7300 		    !(rdev->wiphy.features & NL80211_FEATURE_QUIET))
7301 			return -EINVAL;
7302 		connect.flags |= ASSOC_REQ_USE_RRM;
7303 	}
7304 
7305 	wdev_lock(dev->ieee80211_ptr);
7306 	err = cfg80211_connect(rdev, dev, &connect, connkeys, NULL);
7307 	wdev_unlock(dev->ieee80211_ptr);
7308 	if (err)
7309 		kzfree(connkeys);
7310 	return err;
7311 }
7312 
7313 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
7314 {
7315 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7316 	struct net_device *dev = info->user_ptr[1];
7317 	u16 reason;
7318 	int ret;
7319 
7320 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
7321 		reason = WLAN_REASON_DEAUTH_LEAVING;
7322 	else
7323 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7324 
7325 	if (reason == 0)
7326 		return -EINVAL;
7327 
7328 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7329 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7330 		return -EOPNOTSUPP;
7331 
7332 	wdev_lock(dev->ieee80211_ptr);
7333 	ret = cfg80211_disconnect(rdev, dev, reason, true);
7334 	wdev_unlock(dev->ieee80211_ptr);
7335 	return ret;
7336 }
7337 
7338 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
7339 {
7340 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7341 	struct net *net;
7342 	int err;
7343 	u32 pid;
7344 
7345 	if (!info->attrs[NL80211_ATTR_PID])
7346 		return -EINVAL;
7347 
7348 	pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
7349 
7350 	net = get_net_ns_by_pid(pid);
7351 	if (IS_ERR(net))
7352 		return PTR_ERR(net);
7353 
7354 	err = 0;
7355 
7356 	/* check if anything to do */
7357 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
7358 		err = cfg80211_switch_netns(rdev, net);
7359 
7360 	put_net(net);
7361 	return err;
7362 }
7363 
7364 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
7365 {
7366 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7367 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
7368 			struct cfg80211_pmksa *pmksa) = NULL;
7369 	struct net_device *dev = info->user_ptr[1];
7370 	struct cfg80211_pmksa pmksa;
7371 
7372 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
7373 
7374 	if (!info->attrs[NL80211_ATTR_MAC])
7375 		return -EINVAL;
7376 
7377 	if (!info->attrs[NL80211_ATTR_PMKID])
7378 		return -EINVAL;
7379 
7380 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
7381 	pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7382 
7383 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7384 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7385 		return -EOPNOTSUPP;
7386 
7387 	switch (info->genlhdr->cmd) {
7388 	case NL80211_CMD_SET_PMKSA:
7389 		rdev_ops = rdev->ops->set_pmksa;
7390 		break;
7391 	case NL80211_CMD_DEL_PMKSA:
7392 		rdev_ops = rdev->ops->del_pmksa;
7393 		break;
7394 	default:
7395 		WARN_ON(1);
7396 		break;
7397 	}
7398 
7399 	if (!rdev_ops)
7400 		return -EOPNOTSUPP;
7401 
7402 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
7403 }
7404 
7405 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
7406 {
7407 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7408 	struct net_device *dev = info->user_ptr[1];
7409 
7410 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7411 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7412 		return -EOPNOTSUPP;
7413 
7414 	if (!rdev->ops->flush_pmksa)
7415 		return -EOPNOTSUPP;
7416 
7417 	return rdev_flush_pmksa(rdev, dev);
7418 }
7419 
7420 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
7421 {
7422 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7423 	struct net_device *dev = info->user_ptr[1];
7424 	u8 action_code, dialog_token;
7425 	u32 peer_capability = 0;
7426 	u16 status_code;
7427 	u8 *peer;
7428 	bool initiator;
7429 
7430 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
7431 	    !rdev->ops->tdls_mgmt)
7432 		return -EOPNOTSUPP;
7433 
7434 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
7435 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
7436 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
7437 	    !info->attrs[NL80211_ATTR_IE] ||
7438 	    !info->attrs[NL80211_ATTR_MAC])
7439 		return -EINVAL;
7440 
7441 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
7442 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
7443 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
7444 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
7445 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
7446 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
7447 		peer_capability =
7448 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
7449 
7450 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
7451 			      dialog_token, status_code, peer_capability,
7452 			      initiator,
7453 			      nla_data(info->attrs[NL80211_ATTR_IE]),
7454 			      nla_len(info->attrs[NL80211_ATTR_IE]));
7455 }
7456 
7457 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
7458 {
7459 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7460 	struct net_device *dev = info->user_ptr[1];
7461 	enum nl80211_tdls_operation operation;
7462 	u8 *peer;
7463 
7464 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
7465 	    !rdev->ops->tdls_oper)
7466 		return -EOPNOTSUPP;
7467 
7468 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
7469 	    !info->attrs[NL80211_ATTR_MAC])
7470 		return -EINVAL;
7471 
7472 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
7473 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
7474 
7475 	return rdev_tdls_oper(rdev, dev, peer, operation);
7476 }
7477 
7478 static int nl80211_remain_on_channel(struct sk_buff *skb,
7479 				     struct genl_info *info)
7480 {
7481 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7482 	struct wireless_dev *wdev = info->user_ptr[1];
7483 	struct cfg80211_chan_def chandef;
7484 	struct sk_buff *msg;
7485 	void *hdr;
7486 	u64 cookie;
7487 	u32 duration;
7488 	int err;
7489 
7490 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
7491 	    !info->attrs[NL80211_ATTR_DURATION])
7492 		return -EINVAL;
7493 
7494 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
7495 
7496 	if (!rdev->ops->remain_on_channel ||
7497 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
7498 		return -EOPNOTSUPP;
7499 
7500 	/*
7501 	 * We should be on that channel for at least a minimum amount of
7502 	 * time (10ms) but no longer than the driver supports.
7503 	 */
7504 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
7505 	    duration > rdev->wiphy.max_remain_on_channel_duration)
7506 		return -EINVAL;
7507 
7508 	err = nl80211_parse_chandef(rdev, info, &chandef);
7509 	if (err)
7510 		return err;
7511 
7512 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7513 	if (!msg)
7514 		return -ENOMEM;
7515 
7516 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7517 			     NL80211_CMD_REMAIN_ON_CHANNEL);
7518 	if (!hdr) {
7519 		err = -ENOBUFS;
7520 		goto free_msg;
7521 	}
7522 
7523 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
7524 				     duration, &cookie);
7525 
7526 	if (err)
7527 		goto free_msg;
7528 
7529 	if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
7530 		goto nla_put_failure;
7531 
7532 	genlmsg_end(msg, hdr);
7533 
7534 	return genlmsg_reply(msg, info);
7535 
7536  nla_put_failure:
7537 	err = -ENOBUFS;
7538  free_msg:
7539 	nlmsg_free(msg);
7540 	return err;
7541 }
7542 
7543 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
7544 					    struct genl_info *info)
7545 {
7546 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7547 	struct wireless_dev *wdev = info->user_ptr[1];
7548 	u64 cookie;
7549 
7550 	if (!info->attrs[NL80211_ATTR_COOKIE])
7551 		return -EINVAL;
7552 
7553 	if (!rdev->ops->cancel_remain_on_channel)
7554 		return -EOPNOTSUPP;
7555 
7556 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
7557 
7558 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
7559 }
7560 
7561 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
7562 			   u8 *rates, u8 rates_len)
7563 {
7564 	u8 i;
7565 	u32 mask = 0;
7566 
7567 	for (i = 0; i < rates_len; i++) {
7568 		int rate = (rates[i] & 0x7f) * 5;
7569 		int ridx;
7570 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
7571 			struct ieee80211_rate *srate =
7572 				&sband->bitrates[ridx];
7573 			if (rate == srate->bitrate) {
7574 				mask |= 1 << ridx;
7575 				break;
7576 			}
7577 		}
7578 		if (ridx == sband->n_bitrates)
7579 			return 0; /* rate not found */
7580 	}
7581 
7582 	return mask;
7583 }
7584 
7585 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
7586 			       u8 *rates, u8 rates_len,
7587 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
7588 {
7589 	u8 i;
7590 
7591 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
7592 
7593 	for (i = 0; i < rates_len; i++) {
7594 		int ridx, rbit;
7595 
7596 		ridx = rates[i] / 8;
7597 		rbit = BIT(rates[i] % 8);
7598 
7599 		/* check validity */
7600 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
7601 			return false;
7602 
7603 		/* check availability */
7604 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
7605 			mcs[ridx] |= rbit;
7606 		else
7607 			return false;
7608 	}
7609 
7610 	return true;
7611 }
7612 
7613 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
7614 {
7615 	u16 mcs_mask = 0;
7616 
7617 	switch (vht_mcs_map) {
7618 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
7619 		break;
7620 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
7621 		mcs_mask = 0x00FF;
7622 		break;
7623 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
7624 		mcs_mask = 0x01FF;
7625 		break;
7626 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
7627 		mcs_mask = 0x03FF;
7628 		break;
7629 	default:
7630 		break;
7631 	}
7632 
7633 	return mcs_mask;
7634 }
7635 
7636 static void vht_build_mcs_mask(u16 vht_mcs_map,
7637 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
7638 {
7639 	u8 nss;
7640 
7641 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
7642 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
7643 		vht_mcs_map >>= 2;
7644 	}
7645 }
7646 
7647 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
7648 			     struct nl80211_txrate_vht *txrate,
7649 			     u16 mcs[NL80211_VHT_NSS_MAX])
7650 {
7651 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
7652 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
7653 	u8 i;
7654 
7655 	if (!sband->vht_cap.vht_supported)
7656 		return false;
7657 
7658 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
7659 
7660 	/* Build vht_mcs_mask from VHT capabilities */
7661 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
7662 
7663 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
7664 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
7665 			mcs[i] = txrate->mcs[i];
7666 		else
7667 			return false;
7668 	}
7669 
7670 	return true;
7671 }
7672 
7673 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
7674 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
7675 				    .len = NL80211_MAX_SUPP_RATES },
7676 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
7677 				.len = NL80211_MAX_SUPP_HT_RATES },
7678 	[NL80211_TXRATE_VHT] = { .len = sizeof(struct nl80211_txrate_vht)},
7679 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
7680 };
7681 
7682 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
7683 				       struct genl_info *info)
7684 {
7685 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
7686 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7687 	struct cfg80211_bitrate_mask mask;
7688 	int rem, i;
7689 	struct net_device *dev = info->user_ptr[1];
7690 	struct nlattr *tx_rates;
7691 	struct ieee80211_supported_band *sband;
7692 	u16 vht_tx_mcs_map;
7693 
7694 	if (!rdev->ops->set_bitrate_mask)
7695 		return -EOPNOTSUPP;
7696 
7697 	memset(&mask, 0, sizeof(mask));
7698 	/* Default to all rates enabled */
7699 	for (i = 0; i < IEEE80211_NUM_BANDS; i++) {
7700 		sband = rdev->wiphy.bands[i];
7701 
7702 		if (!sband)
7703 			continue;
7704 
7705 		mask.control[i].legacy = (1 << sband->n_bitrates) - 1;
7706 		memcpy(mask.control[i].ht_mcs,
7707 		       sband->ht_cap.mcs.rx_mask,
7708 		       sizeof(mask.control[i].ht_mcs));
7709 
7710 		if (!sband->vht_cap.vht_supported)
7711 			continue;
7712 
7713 		vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
7714 		vht_build_mcs_mask(vht_tx_mcs_map, mask.control[i].vht_mcs);
7715 	}
7716 
7717 	/* if no rates are given set it back to the defaults */
7718 	if (!info->attrs[NL80211_ATTR_TX_RATES])
7719 		goto out;
7720 
7721 	/*
7722 	 * The nested attribute uses enum nl80211_band as the index. This maps
7723 	 * directly to the enum ieee80211_band values used in cfg80211.
7724 	 */
7725 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
7726 	nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
7727 		enum ieee80211_band band = nla_type(tx_rates);
7728 		int err;
7729 
7730 		if (band < 0 || band >= IEEE80211_NUM_BANDS)
7731 			return -EINVAL;
7732 		sband = rdev->wiphy.bands[band];
7733 		if (sband == NULL)
7734 			return -EINVAL;
7735 		err = nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates),
7736 				nla_len(tx_rates), nl80211_txattr_policy);
7737 		if (err)
7738 			return err;
7739 		if (tb[NL80211_TXRATE_LEGACY]) {
7740 			mask.control[band].legacy = rateset_to_mask(
7741 				sband,
7742 				nla_data(tb[NL80211_TXRATE_LEGACY]),
7743 				nla_len(tb[NL80211_TXRATE_LEGACY]));
7744 			if ((mask.control[band].legacy == 0) &&
7745 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
7746 				return -EINVAL;
7747 		}
7748 		if (tb[NL80211_TXRATE_HT]) {
7749 			if (!ht_rateset_to_mask(
7750 					sband,
7751 					nla_data(tb[NL80211_TXRATE_HT]),
7752 					nla_len(tb[NL80211_TXRATE_HT]),
7753 					mask.control[band].ht_mcs))
7754 				return -EINVAL;
7755 		}
7756 		if (tb[NL80211_TXRATE_VHT]) {
7757 			if (!vht_set_mcs_mask(
7758 					sband,
7759 					nla_data(tb[NL80211_TXRATE_VHT]),
7760 					mask.control[band].vht_mcs))
7761 				return -EINVAL;
7762 		}
7763 		if (tb[NL80211_TXRATE_GI]) {
7764 			mask.control[band].gi =
7765 				nla_get_u8(tb[NL80211_TXRATE_GI]);
7766 			if (mask.control[band].gi > NL80211_TXRATE_FORCE_LGI)
7767 				return -EINVAL;
7768 		}
7769 
7770 		if (mask.control[band].legacy == 0) {
7771 			/* don't allow empty legacy rates if HT or VHT
7772 			 * are not even supported.
7773 			 */
7774 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
7775 			      rdev->wiphy.bands[band]->vht_cap.vht_supported))
7776 				return -EINVAL;
7777 
7778 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
7779 				if (mask.control[band].ht_mcs[i])
7780 					goto out;
7781 
7782 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
7783 				if (mask.control[band].vht_mcs[i])
7784 					goto out;
7785 
7786 			/* legacy and mcs rates may not be both empty */
7787 			return -EINVAL;
7788 		}
7789 	}
7790 
7791 out:
7792 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
7793 }
7794 
7795 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
7796 {
7797 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7798 	struct wireless_dev *wdev = info->user_ptr[1];
7799 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
7800 
7801 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
7802 		return -EINVAL;
7803 
7804 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
7805 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
7806 
7807 	switch (wdev->iftype) {
7808 	case NL80211_IFTYPE_STATION:
7809 	case NL80211_IFTYPE_ADHOC:
7810 	case NL80211_IFTYPE_P2P_CLIENT:
7811 	case NL80211_IFTYPE_AP:
7812 	case NL80211_IFTYPE_AP_VLAN:
7813 	case NL80211_IFTYPE_MESH_POINT:
7814 	case NL80211_IFTYPE_P2P_GO:
7815 	case NL80211_IFTYPE_P2P_DEVICE:
7816 		break;
7817 	default:
7818 		return -EOPNOTSUPP;
7819 	}
7820 
7821 	/* not much point in registering if we can't reply */
7822 	if (!rdev->ops->mgmt_tx)
7823 		return -EOPNOTSUPP;
7824 
7825 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
7826 			nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
7827 			nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]));
7828 }
7829 
7830 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
7831 {
7832 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7833 	struct wireless_dev *wdev = info->user_ptr[1];
7834 	struct cfg80211_chan_def chandef;
7835 	int err;
7836 	void *hdr = NULL;
7837 	u64 cookie;
7838 	struct sk_buff *msg = NULL;
7839 	struct cfg80211_mgmt_tx_params params = {
7840 		.dont_wait_for_ack =
7841 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
7842 	};
7843 
7844 	if (!info->attrs[NL80211_ATTR_FRAME])
7845 		return -EINVAL;
7846 
7847 	if (!rdev->ops->mgmt_tx)
7848 		return -EOPNOTSUPP;
7849 
7850 	switch (wdev->iftype) {
7851 	case NL80211_IFTYPE_P2P_DEVICE:
7852 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
7853 			return -EINVAL;
7854 	case NL80211_IFTYPE_STATION:
7855 	case NL80211_IFTYPE_ADHOC:
7856 	case NL80211_IFTYPE_P2P_CLIENT:
7857 	case NL80211_IFTYPE_AP:
7858 	case NL80211_IFTYPE_AP_VLAN:
7859 	case NL80211_IFTYPE_MESH_POINT:
7860 	case NL80211_IFTYPE_P2P_GO:
7861 		break;
7862 	default:
7863 		return -EOPNOTSUPP;
7864 	}
7865 
7866 	if (info->attrs[NL80211_ATTR_DURATION]) {
7867 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
7868 			return -EINVAL;
7869 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
7870 
7871 		/*
7872 		 * We should wait on the channel for at least a minimum amount
7873 		 * of time (10ms) but no longer than the driver supports.
7874 		 */
7875 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
7876 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
7877 			return -EINVAL;
7878 
7879 	}
7880 
7881 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
7882 
7883 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
7884 		return -EINVAL;
7885 
7886 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
7887 
7888 	/* get the channel if any has been specified, otherwise pass NULL to
7889 	 * the driver. The latter will use the current one
7890 	 */
7891 	chandef.chan = NULL;
7892 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
7893 		err = nl80211_parse_chandef(rdev, info, &chandef);
7894 		if (err)
7895 			return err;
7896 	}
7897 
7898 	if (!chandef.chan && params.offchan)
7899 		return -EINVAL;
7900 
7901 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
7902 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
7903 
7904 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
7905 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
7906 		int i;
7907 
7908 		if (len % sizeof(u16))
7909 			return -EINVAL;
7910 
7911 		params.n_csa_offsets = len / sizeof(u16);
7912 		params.csa_offsets =
7913 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
7914 
7915 		/* check that all the offsets fit the frame */
7916 		for (i = 0; i < params.n_csa_offsets; i++) {
7917 			if (params.csa_offsets[i] >= params.len)
7918 				return -EINVAL;
7919 		}
7920 	}
7921 
7922 	if (!params.dont_wait_for_ack) {
7923 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7924 		if (!msg)
7925 			return -ENOMEM;
7926 
7927 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7928 				     NL80211_CMD_FRAME);
7929 		if (!hdr) {
7930 			err = -ENOBUFS;
7931 			goto free_msg;
7932 		}
7933 	}
7934 
7935 	params.chan = chandef.chan;
7936 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
7937 	if (err)
7938 		goto free_msg;
7939 
7940 	if (msg) {
7941 		if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
7942 			goto nla_put_failure;
7943 
7944 		genlmsg_end(msg, hdr);
7945 		return genlmsg_reply(msg, info);
7946 	}
7947 
7948 	return 0;
7949 
7950  nla_put_failure:
7951 	err = -ENOBUFS;
7952  free_msg:
7953 	nlmsg_free(msg);
7954 	return err;
7955 }
7956 
7957 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
7958 {
7959 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7960 	struct wireless_dev *wdev = info->user_ptr[1];
7961 	u64 cookie;
7962 
7963 	if (!info->attrs[NL80211_ATTR_COOKIE])
7964 		return -EINVAL;
7965 
7966 	if (!rdev->ops->mgmt_tx_cancel_wait)
7967 		return -EOPNOTSUPP;
7968 
7969 	switch (wdev->iftype) {
7970 	case NL80211_IFTYPE_STATION:
7971 	case NL80211_IFTYPE_ADHOC:
7972 	case NL80211_IFTYPE_P2P_CLIENT:
7973 	case NL80211_IFTYPE_AP:
7974 	case NL80211_IFTYPE_AP_VLAN:
7975 	case NL80211_IFTYPE_P2P_GO:
7976 	case NL80211_IFTYPE_P2P_DEVICE:
7977 		break;
7978 	default:
7979 		return -EOPNOTSUPP;
7980 	}
7981 
7982 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
7983 
7984 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
7985 }
7986 
7987 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
7988 {
7989 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7990 	struct wireless_dev *wdev;
7991 	struct net_device *dev = info->user_ptr[1];
7992 	u8 ps_state;
7993 	bool state;
7994 	int err;
7995 
7996 	if (!info->attrs[NL80211_ATTR_PS_STATE])
7997 		return -EINVAL;
7998 
7999 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
8000 
8001 	if (ps_state != NL80211_PS_DISABLED && ps_state != NL80211_PS_ENABLED)
8002 		return -EINVAL;
8003 
8004 	wdev = dev->ieee80211_ptr;
8005 
8006 	if (!rdev->ops->set_power_mgmt)
8007 		return -EOPNOTSUPP;
8008 
8009 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
8010 
8011 	if (state == wdev->ps)
8012 		return 0;
8013 
8014 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
8015 	if (!err)
8016 		wdev->ps = state;
8017 	return err;
8018 }
8019 
8020 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
8021 {
8022 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8023 	enum nl80211_ps_state ps_state;
8024 	struct wireless_dev *wdev;
8025 	struct net_device *dev = info->user_ptr[1];
8026 	struct sk_buff *msg;
8027 	void *hdr;
8028 	int err;
8029 
8030 	wdev = dev->ieee80211_ptr;
8031 
8032 	if (!rdev->ops->set_power_mgmt)
8033 		return -EOPNOTSUPP;
8034 
8035 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8036 	if (!msg)
8037 		return -ENOMEM;
8038 
8039 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8040 			     NL80211_CMD_GET_POWER_SAVE);
8041 	if (!hdr) {
8042 		err = -ENOBUFS;
8043 		goto free_msg;
8044 	}
8045 
8046 	if (wdev->ps)
8047 		ps_state = NL80211_PS_ENABLED;
8048 	else
8049 		ps_state = NL80211_PS_DISABLED;
8050 
8051 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
8052 		goto nla_put_failure;
8053 
8054 	genlmsg_end(msg, hdr);
8055 	return genlmsg_reply(msg, info);
8056 
8057  nla_put_failure:
8058 	err = -ENOBUFS;
8059  free_msg:
8060 	nlmsg_free(msg);
8061 	return err;
8062 }
8063 
8064 static const struct nla_policy
8065 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
8066 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_U32 },
8067 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
8068 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
8069 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
8070 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
8071 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
8072 };
8073 
8074 static int nl80211_set_cqm_txe(struct genl_info *info,
8075 			       u32 rate, u32 pkts, u32 intvl)
8076 {
8077 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8078 	struct net_device *dev = info->user_ptr[1];
8079 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8080 
8081 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
8082 		return -EINVAL;
8083 
8084 	if (!rdev->ops->set_cqm_txe_config)
8085 		return -EOPNOTSUPP;
8086 
8087 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
8088 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
8089 		return -EOPNOTSUPP;
8090 
8091 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
8092 }
8093 
8094 static int nl80211_set_cqm_rssi(struct genl_info *info,
8095 				s32 threshold, u32 hysteresis)
8096 {
8097 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8098 	struct net_device *dev = info->user_ptr[1];
8099 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8100 
8101 	if (threshold > 0)
8102 		return -EINVAL;
8103 
8104 	/* disabling - hysteresis should also be zero then */
8105 	if (threshold == 0)
8106 		hysteresis = 0;
8107 
8108 	if (!rdev->ops->set_cqm_rssi_config)
8109 		return -EOPNOTSUPP;
8110 
8111 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
8112 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
8113 		return -EOPNOTSUPP;
8114 
8115 	return rdev_set_cqm_rssi_config(rdev, dev, threshold, hysteresis);
8116 }
8117 
8118 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
8119 {
8120 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
8121 	struct nlattr *cqm;
8122 	int err;
8123 
8124 	cqm = info->attrs[NL80211_ATTR_CQM];
8125 	if (!cqm)
8126 		return -EINVAL;
8127 
8128 	err = nla_parse_nested(attrs, NL80211_ATTR_CQM_MAX, cqm,
8129 			       nl80211_attr_cqm_policy);
8130 	if (err)
8131 		return err;
8132 
8133 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
8134 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
8135 		s32 threshold = nla_get_s32(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
8136 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
8137 
8138 		return nl80211_set_cqm_rssi(info, threshold, hysteresis);
8139 	}
8140 
8141 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
8142 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
8143 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
8144 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
8145 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
8146 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
8147 
8148 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
8149 	}
8150 
8151 	return -EINVAL;
8152 }
8153 
8154 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
8155 {
8156 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8157 	struct net_device *dev = info->user_ptr[1];
8158 	struct mesh_config cfg;
8159 	struct mesh_setup setup;
8160 	int err;
8161 
8162 	/* start with default */
8163 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
8164 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
8165 
8166 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
8167 		/* and parse parameters if given */
8168 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
8169 		if (err)
8170 			return err;
8171 	}
8172 
8173 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
8174 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
8175 		return -EINVAL;
8176 
8177 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
8178 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
8179 
8180 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
8181 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
8182 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
8183 			return -EINVAL;
8184 
8185 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
8186 		setup.beacon_interval =
8187 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
8188 		if (setup.beacon_interval < 10 ||
8189 		    setup.beacon_interval > 10000)
8190 			return -EINVAL;
8191 	}
8192 
8193 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
8194 		setup.dtim_period =
8195 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
8196 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
8197 			return -EINVAL;
8198 	}
8199 
8200 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
8201 		/* parse additional setup parameters if given */
8202 		err = nl80211_parse_mesh_setup(info, &setup);
8203 		if (err)
8204 			return err;
8205 	}
8206 
8207 	if (setup.user_mpm)
8208 		cfg.auto_open_plinks = false;
8209 
8210 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
8211 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
8212 		if (err)
8213 			return err;
8214 	} else {
8215 		/* cfg80211_join_mesh() will sort it out */
8216 		setup.chandef.chan = NULL;
8217 	}
8218 
8219 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
8220 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8221 		int n_rates =
8222 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8223 		struct ieee80211_supported_band *sband;
8224 
8225 		if (!setup.chandef.chan)
8226 			return -EINVAL;
8227 
8228 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
8229 
8230 		err = ieee80211_get_ratemask(sband, rates, n_rates,
8231 					     &setup.basic_rates);
8232 		if (err)
8233 			return err;
8234 	}
8235 
8236 	return cfg80211_join_mesh(rdev, dev, &setup, &cfg);
8237 }
8238 
8239 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
8240 {
8241 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8242 	struct net_device *dev = info->user_ptr[1];
8243 
8244 	return cfg80211_leave_mesh(rdev, dev);
8245 }
8246 
8247 #ifdef CONFIG_PM
8248 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
8249 					struct cfg80211_registered_device *rdev)
8250 {
8251 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
8252 	struct nlattr *nl_pats, *nl_pat;
8253 	int i, pat_len;
8254 
8255 	if (!wowlan->n_patterns)
8256 		return 0;
8257 
8258 	nl_pats = nla_nest_start(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
8259 	if (!nl_pats)
8260 		return -ENOBUFS;
8261 
8262 	for (i = 0; i < wowlan->n_patterns; i++) {
8263 		nl_pat = nla_nest_start(msg, i + 1);
8264 		if (!nl_pat)
8265 			return -ENOBUFS;
8266 		pat_len = wowlan->patterns[i].pattern_len;
8267 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
8268 			    wowlan->patterns[i].mask) ||
8269 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
8270 			    wowlan->patterns[i].pattern) ||
8271 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
8272 				wowlan->patterns[i].pkt_offset))
8273 			return -ENOBUFS;
8274 		nla_nest_end(msg, nl_pat);
8275 	}
8276 	nla_nest_end(msg, nl_pats);
8277 
8278 	return 0;
8279 }
8280 
8281 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
8282 				   struct cfg80211_wowlan_tcp *tcp)
8283 {
8284 	struct nlattr *nl_tcp;
8285 
8286 	if (!tcp)
8287 		return 0;
8288 
8289 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
8290 	if (!nl_tcp)
8291 		return -ENOBUFS;
8292 
8293 	if (nla_put_be32(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
8294 	    nla_put_be32(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
8295 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
8296 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
8297 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
8298 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
8299 		    tcp->payload_len, tcp->payload) ||
8300 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
8301 			tcp->data_interval) ||
8302 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
8303 		    tcp->wake_len, tcp->wake_data) ||
8304 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
8305 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
8306 		return -ENOBUFS;
8307 
8308 	if (tcp->payload_seq.len &&
8309 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
8310 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
8311 		return -ENOBUFS;
8312 
8313 	if (tcp->payload_tok.len &&
8314 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
8315 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
8316 		    &tcp->payload_tok))
8317 		return -ENOBUFS;
8318 
8319 	nla_nest_end(msg, nl_tcp);
8320 
8321 	return 0;
8322 }
8323 
8324 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
8325 {
8326 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8327 	struct sk_buff *msg;
8328 	void *hdr;
8329 	u32 size = NLMSG_DEFAULT_SIZE;
8330 
8331 	if (!rdev->wiphy.wowlan)
8332 		return -EOPNOTSUPP;
8333 
8334 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
8335 		/* adjust size to have room for all the data */
8336 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
8337 			rdev->wiphy.wowlan_config->tcp->payload_len +
8338 			rdev->wiphy.wowlan_config->tcp->wake_len +
8339 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
8340 	}
8341 
8342 	msg = nlmsg_new(size, GFP_KERNEL);
8343 	if (!msg)
8344 		return -ENOMEM;
8345 
8346 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8347 			     NL80211_CMD_GET_WOWLAN);
8348 	if (!hdr)
8349 		goto nla_put_failure;
8350 
8351 	if (rdev->wiphy.wowlan_config) {
8352 		struct nlattr *nl_wowlan;
8353 
8354 		nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
8355 		if (!nl_wowlan)
8356 			goto nla_put_failure;
8357 
8358 		if ((rdev->wiphy.wowlan_config->any &&
8359 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
8360 		    (rdev->wiphy.wowlan_config->disconnect &&
8361 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
8362 		    (rdev->wiphy.wowlan_config->magic_pkt &&
8363 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
8364 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
8365 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
8366 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
8367 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
8368 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
8369 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
8370 		    (rdev->wiphy.wowlan_config->rfkill_release &&
8371 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
8372 			goto nla_put_failure;
8373 
8374 		if (nl80211_send_wowlan_patterns(msg, rdev))
8375 			goto nla_put_failure;
8376 
8377 		if (nl80211_send_wowlan_tcp(msg,
8378 					    rdev->wiphy.wowlan_config->tcp))
8379 			goto nla_put_failure;
8380 
8381 		nla_nest_end(msg, nl_wowlan);
8382 	}
8383 
8384 	genlmsg_end(msg, hdr);
8385 	return genlmsg_reply(msg, info);
8386 
8387 nla_put_failure:
8388 	nlmsg_free(msg);
8389 	return -ENOBUFS;
8390 }
8391 
8392 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
8393 				    struct nlattr *attr,
8394 				    struct cfg80211_wowlan *trig)
8395 {
8396 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
8397 	struct cfg80211_wowlan_tcp *cfg;
8398 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
8399 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
8400 	u32 size;
8401 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
8402 	int err, port;
8403 
8404 	if (!rdev->wiphy.wowlan->tcp)
8405 		return -EINVAL;
8406 
8407 	err = nla_parse(tb, MAX_NL80211_WOWLAN_TCP,
8408 			nla_data(attr), nla_len(attr),
8409 			nl80211_wowlan_tcp_policy);
8410 	if (err)
8411 		return err;
8412 
8413 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
8414 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
8415 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
8416 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
8417 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
8418 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
8419 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
8420 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
8421 		return -EINVAL;
8422 
8423 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
8424 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
8425 		return -EINVAL;
8426 
8427 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
8428 			rdev->wiphy.wowlan->tcp->data_interval_max ||
8429 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
8430 		return -EINVAL;
8431 
8432 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
8433 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
8434 		return -EINVAL;
8435 
8436 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
8437 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
8438 		return -EINVAL;
8439 
8440 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
8441 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
8442 
8443 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
8444 		tokens_size = tokln - sizeof(*tok);
8445 
8446 		if (!tok->len || tokens_size % tok->len)
8447 			return -EINVAL;
8448 		if (!rdev->wiphy.wowlan->tcp->tok)
8449 			return -EINVAL;
8450 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
8451 			return -EINVAL;
8452 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
8453 			return -EINVAL;
8454 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
8455 			return -EINVAL;
8456 		if (tok->offset + tok->len > data_size)
8457 			return -EINVAL;
8458 	}
8459 
8460 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
8461 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
8462 		if (!rdev->wiphy.wowlan->tcp->seq)
8463 			return -EINVAL;
8464 		if (seq->len == 0 || seq->len > 4)
8465 			return -EINVAL;
8466 		if (seq->len + seq->offset > data_size)
8467 			return -EINVAL;
8468 	}
8469 
8470 	size = sizeof(*cfg);
8471 	size += data_size;
8472 	size += wake_size + wake_mask_size;
8473 	size += tokens_size;
8474 
8475 	cfg = kzalloc(size, GFP_KERNEL);
8476 	if (!cfg)
8477 		return -ENOMEM;
8478 	cfg->src = nla_get_be32(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
8479 	cfg->dst = nla_get_be32(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
8480 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
8481 	       ETH_ALEN);
8482 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
8483 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
8484 	else
8485 		port = 0;
8486 #ifdef CONFIG_INET
8487 	/* allocate a socket and port for it and use it */
8488 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
8489 			    IPPROTO_TCP, &cfg->sock, 1);
8490 	if (err) {
8491 		kfree(cfg);
8492 		return err;
8493 	}
8494 	if (inet_csk_get_port(cfg->sock->sk, port)) {
8495 		sock_release(cfg->sock);
8496 		kfree(cfg);
8497 		return -EADDRINUSE;
8498 	}
8499 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
8500 #else
8501 	if (!port) {
8502 		kfree(cfg);
8503 		return -EINVAL;
8504 	}
8505 	cfg->src_port = port;
8506 #endif
8507 
8508 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
8509 	cfg->payload_len = data_size;
8510 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
8511 	memcpy((void *)cfg->payload,
8512 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
8513 	       data_size);
8514 	if (seq)
8515 		cfg->payload_seq = *seq;
8516 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
8517 	cfg->wake_len = wake_size;
8518 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
8519 	memcpy((void *)cfg->wake_data,
8520 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
8521 	       wake_size);
8522 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
8523 			 data_size + wake_size;
8524 	memcpy((void *)cfg->wake_mask,
8525 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
8526 	       wake_mask_size);
8527 	if (tok) {
8528 		cfg->tokens_size = tokens_size;
8529 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
8530 	}
8531 
8532 	trig->tcp = cfg;
8533 
8534 	return 0;
8535 }
8536 
8537 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
8538 {
8539 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8540 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
8541 	struct cfg80211_wowlan new_triggers = {};
8542 	struct cfg80211_wowlan *ntrig;
8543 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
8544 	int err, i;
8545 	bool prev_enabled = rdev->wiphy.wowlan_config;
8546 
8547 	if (!wowlan)
8548 		return -EOPNOTSUPP;
8549 
8550 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
8551 		cfg80211_rdev_free_wowlan(rdev);
8552 		rdev->wiphy.wowlan_config = NULL;
8553 		goto set_wakeup;
8554 	}
8555 
8556 	err = nla_parse(tb, MAX_NL80211_WOWLAN_TRIG,
8557 			nla_data(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
8558 			nla_len(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
8559 			nl80211_wowlan_policy);
8560 	if (err)
8561 		return err;
8562 
8563 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
8564 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
8565 			return -EINVAL;
8566 		new_triggers.any = true;
8567 	}
8568 
8569 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
8570 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
8571 			return -EINVAL;
8572 		new_triggers.disconnect = true;
8573 	}
8574 
8575 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
8576 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
8577 			return -EINVAL;
8578 		new_triggers.magic_pkt = true;
8579 	}
8580 
8581 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
8582 		return -EINVAL;
8583 
8584 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
8585 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
8586 			return -EINVAL;
8587 		new_triggers.gtk_rekey_failure = true;
8588 	}
8589 
8590 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
8591 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
8592 			return -EINVAL;
8593 		new_triggers.eap_identity_req = true;
8594 	}
8595 
8596 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
8597 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
8598 			return -EINVAL;
8599 		new_triggers.four_way_handshake = true;
8600 	}
8601 
8602 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
8603 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
8604 			return -EINVAL;
8605 		new_triggers.rfkill_release = true;
8606 	}
8607 
8608 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
8609 		struct nlattr *pat;
8610 		int n_patterns = 0;
8611 		int rem, pat_len, mask_len, pkt_offset;
8612 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
8613 
8614 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
8615 				    rem)
8616 			n_patterns++;
8617 		if (n_patterns > wowlan->n_patterns)
8618 			return -EINVAL;
8619 
8620 		new_triggers.patterns = kcalloc(n_patterns,
8621 						sizeof(new_triggers.patterns[0]),
8622 						GFP_KERNEL);
8623 		if (!new_triggers.patterns)
8624 			return -ENOMEM;
8625 
8626 		new_triggers.n_patterns = n_patterns;
8627 		i = 0;
8628 
8629 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
8630 				    rem) {
8631 			u8 *mask_pat;
8632 
8633 			nla_parse(pat_tb, MAX_NL80211_PKTPAT, nla_data(pat),
8634 				  nla_len(pat), NULL);
8635 			err = -EINVAL;
8636 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
8637 			    !pat_tb[NL80211_PKTPAT_PATTERN])
8638 				goto error;
8639 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
8640 			mask_len = DIV_ROUND_UP(pat_len, 8);
8641 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
8642 				goto error;
8643 			if (pat_len > wowlan->pattern_max_len ||
8644 			    pat_len < wowlan->pattern_min_len)
8645 				goto error;
8646 
8647 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
8648 				pkt_offset = 0;
8649 			else
8650 				pkt_offset = nla_get_u32(
8651 					pat_tb[NL80211_PKTPAT_OFFSET]);
8652 			if (pkt_offset > wowlan->max_pkt_offset)
8653 				goto error;
8654 			new_triggers.patterns[i].pkt_offset = pkt_offset;
8655 
8656 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
8657 			if (!mask_pat) {
8658 				err = -ENOMEM;
8659 				goto error;
8660 			}
8661 			new_triggers.patterns[i].mask = mask_pat;
8662 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
8663 			       mask_len);
8664 			mask_pat += mask_len;
8665 			new_triggers.patterns[i].pattern = mask_pat;
8666 			new_triggers.patterns[i].pattern_len = pat_len;
8667 			memcpy(mask_pat,
8668 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
8669 			       pat_len);
8670 			i++;
8671 		}
8672 	}
8673 
8674 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
8675 		err = nl80211_parse_wowlan_tcp(
8676 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
8677 			&new_triggers);
8678 		if (err)
8679 			goto error;
8680 	}
8681 
8682 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
8683 	if (!ntrig) {
8684 		err = -ENOMEM;
8685 		goto error;
8686 	}
8687 	cfg80211_rdev_free_wowlan(rdev);
8688 	rdev->wiphy.wowlan_config = ntrig;
8689 
8690  set_wakeup:
8691 	if (rdev->ops->set_wakeup &&
8692 	    prev_enabled != !!rdev->wiphy.wowlan_config)
8693 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
8694 
8695 	return 0;
8696  error:
8697 	for (i = 0; i < new_triggers.n_patterns; i++)
8698 		kfree(new_triggers.patterns[i].mask);
8699 	kfree(new_triggers.patterns);
8700 	if (new_triggers.tcp && new_triggers.tcp->sock)
8701 		sock_release(new_triggers.tcp->sock);
8702 	kfree(new_triggers.tcp);
8703 	return err;
8704 }
8705 #endif
8706 
8707 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
8708 				       struct cfg80211_registered_device *rdev)
8709 {
8710 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
8711 	int i, j, pat_len;
8712 	struct cfg80211_coalesce_rules *rule;
8713 
8714 	if (!rdev->coalesce->n_rules)
8715 		return 0;
8716 
8717 	nl_rules = nla_nest_start(msg, NL80211_ATTR_COALESCE_RULE);
8718 	if (!nl_rules)
8719 		return -ENOBUFS;
8720 
8721 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
8722 		nl_rule = nla_nest_start(msg, i + 1);
8723 		if (!nl_rule)
8724 			return -ENOBUFS;
8725 
8726 		rule = &rdev->coalesce->rules[i];
8727 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
8728 				rule->delay))
8729 			return -ENOBUFS;
8730 
8731 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
8732 				rule->condition))
8733 			return -ENOBUFS;
8734 
8735 		nl_pats = nla_nest_start(msg,
8736 				NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
8737 		if (!nl_pats)
8738 			return -ENOBUFS;
8739 
8740 		for (j = 0; j < rule->n_patterns; j++) {
8741 			nl_pat = nla_nest_start(msg, j + 1);
8742 			if (!nl_pat)
8743 				return -ENOBUFS;
8744 			pat_len = rule->patterns[j].pattern_len;
8745 			if (nla_put(msg, NL80211_PKTPAT_MASK,
8746 				    DIV_ROUND_UP(pat_len, 8),
8747 				    rule->patterns[j].mask) ||
8748 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
8749 				    rule->patterns[j].pattern) ||
8750 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
8751 					rule->patterns[j].pkt_offset))
8752 				return -ENOBUFS;
8753 			nla_nest_end(msg, nl_pat);
8754 		}
8755 		nla_nest_end(msg, nl_pats);
8756 		nla_nest_end(msg, nl_rule);
8757 	}
8758 	nla_nest_end(msg, nl_rules);
8759 
8760 	return 0;
8761 }
8762 
8763 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
8764 {
8765 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8766 	struct sk_buff *msg;
8767 	void *hdr;
8768 
8769 	if (!rdev->wiphy.coalesce)
8770 		return -EOPNOTSUPP;
8771 
8772 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8773 	if (!msg)
8774 		return -ENOMEM;
8775 
8776 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8777 			     NL80211_CMD_GET_COALESCE);
8778 	if (!hdr)
8779 		goto nla_put_failure;
8780 
8781 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
8782 		goto nla_put_failure;
8783 
8784 	genlmsg_end(msg, hdr);
8785 	return genlmsg_reply(msg, info);
8786 
8787 nla_put_failure:
8788 	nlmsg_free(msg);
8789 	return -ENOBUFS;
8790 }
8791 
8792 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
8793 {
8794 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
8795 	int i, j;
8796 	struct cfg80211_coalesce_rules *rule;
8797 
8798 	if (!coalesce)
8799 		return;
8800 
8801 	for (i = 0; i < coalesce->n_rules; i++) {
8802 		rule = &coalesce->rules[i];
8803 		for (j = 0; j < rule->n_patterns; j++)
8804 			kfree(rule->patterns[j].mask);
8805 		kfree(rule->patterns);
8806 	}
8807 	kfree(coalesce->rules);
8808 	kfree(coalesce);
8809 	rdev->coalesce = NULL;
8810 }
8811 
8812 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
8813 				       struct nlattr *rule,
8814 				       struct cfg80211_coalesce_rules *new_rule)
8815 {
8816 	int err, i;
8817 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
8818 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
8819 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
8820 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
8821 
8822 	err = nla_parse(tb, NL80211_ATTR_COALESCE_RULE_MAX, nla_data(rule),
8823 			nla_len(rule), nl80211_coalesce_policy);
8824 	if (err)
8825 		return err;
8826 
8827 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
8828 		new_rule->delay =
8829 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
8830 	if (new_rule->delay > coalesce->max_delay)
8831 		return -EINVAL;
8832 
8833 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
8834 		new_rule->condition =
8835 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
8836 	if (new_rule->condition != NL80211_COALESCE_CONDITION_MATCH &&
8837 	    new_rule->condition != NL80211_COALESCE_CONDITION_NO_MATCH)
8838 		return -EINVAL;
8839 
8840 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
8841 		return -EINVAL;
8842 
8843 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
8844 			    rem)
8845 		n_patterns++;
8846 	if (n_patterns > coalesce->n_patterns)
8847 		return -EINVAL;
8848 
8849 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
8850 				     GFP_KERNEL);
8851 	if (!new_rule->patterns)
8852 		return -ENOMEM;
8853 
8854 	new_rule->n_patterns = n_patterns;
8855 	i = 0;
8856 
8857 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
8858 			    rem) {
8859 		u8 *mask_pat;
8860 
8861 		nla_parse(pat_tb, MAX_NL80211_PKTPAT, nla_data(pat),
8862 			  nla_len(pat), NULL);
8863 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
8864 		    !pat_tb[NL80211_PKTPAT_PATTERN])
8865 			return -EINVAL;
8866 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
8867 		mask_len = DIV_ROUND_UP(pat_len, 8);
8868 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
8869 			return -EINVAL;
8870 		if (pat_len > coalesce->pattern_max_len ||
8871 		    pat_len < coalesce->pattern_min_len)
8872 			return -EINVAL;
8873 
8874 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
8875 			pkt_offset = 0;
8876 		else
8877 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
8878 		if (pkt_offset > coalesce->max_pkt_offset)
8879 			return -EINVAL;
8880 		new_rule->patterns[i].pkt_offset = pkt_offset;
8881 
8882 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
8883 		if (!mask_pat)
8884 			return -ENOMEM;
8885 
8886 		new_rule->patterns[i].mask = mask_pat;
8887 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
8888 		       mask_len);
8889 
8890 		mask_pat += mask_len;
8891 		new_rule->patterns[i].pattern = mask_pat;
8892 		new_rule->patterns[i].pattern_len = pat_len;
8893 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
8894 		       pat_len);
8895 		i++;
8896 	}
8897 
8898 	return 0;
8899 }
8900 
8901 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
8902 {
8903 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8904 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
8905 	struct cfg80211_coalesce new_coalesce = {};
8906 	struct cfg80211_coalesce *n_coalesce;
8907 	int err, rem_rule, n_rules = 0, i, j;
8908 	struct nlattr *rule;
8909 	struct cfg80211_coalesce_rules *tmp_rule;
8910 
8911 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
8912 		return -EOPNOTSUPP;
8913 
8914 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
8915 		cfg80211_rdev_free_coalesce(rdev);
8916 		rdev->ops->set_coalesce(&rdev->wiphy, NULL);
8917 		return 0;
8918 	}
8919 
8920 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
8921 			    rem_rule)
8922 		n_rules++;
8923 	if (n_rules > coalesce->n_rules)
8924 		return -EINVAL;
8925 
8926 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
8927 				     GFP_KERNEL);
8928 	if (!new_coalesce.rules)
8929 		return -ENOMEM;
8930 
8931 	new_coalesce.n_rules = n_rules;
8932 	i = 0;
8933 
8934 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
8935 			    rem_rule) {
8936 		err = nl80211_parse_coalesce_rule(rdev, rule,
8937 						  &new_coalesce.rules[i]);
8938 		if (err)
8939 			goto error;
8940 
8941 		i++;
8942 	}
8943 
8944 	err = rdev->ops->set_coalesce(&rdev->wiphy, &new_coalesce);
8945 	if (err)
8946 		goto error;
8947 
8948 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
8949 	if (!n_coalesce) {
8950 		err = -ENOMEM;
8951 		goto error;
8952 	}
8953 	cfg80211_rdev_free_coalesce(rdev);
8954 	rdev->coalesce = n_coalesce;
8955 
8956 	return 0;
8957 error:
8958 	for (i = 0; i < new_coalesce.n_rules; i++) {
8959 		tmp_rule = &new_coalesce.rules[i];
8960 		for (j = 0; j < tmp_rule->n_patterns; j++)
8961 			kfree(tmp_rule->patterns[j].mask);
8962 		kfree(tmp_rule->patterns);
8963 	}
8964 	kfree(new_coalesce.rules);
8965 
8966 	return err;
8967 }
8968 
8969 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
8970 {
8971 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8972 	struct net_device *dev = info->user_ptr[1];
8973 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8974 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
8975 	struct cfg80211_gtk_rekey_data rekey_data;
8976 	int err;
8977 
8978 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
8979 		return -EINVAL;
8980 
8981 	err = nla_parse(tb, MAX_NL80211_REKEY_DATA,
8982 			nla_data(info->attrs[NL80211_ATTR_REKEY_DATA]),
8983 			nla_len(info->attrs[NL80211_ATTR_REKEY_DATA]),
8984 			nl80211_rekey_policy);
8985 	if (err)
8986 		return err;
8987 
8988 	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
8989 		return -ERANGE;
8990 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
8991 		return -ERANGE;
8992 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN)
8993 		return -ERANGE;
8994 
8995 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
8996 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
8997 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
8998 
8999 	wdev_lock(wdev);
9000 	if (!wdev->current_bss) {
9001 		err = -ENOTCONN;
9002 		goto out;
9003 	}
9004 
9005 	if (!rdev->ops->set_rekey_data) {
9006 		err = -EOPNOTSUPP;
9007 		goto out;
9008 	}
9009 
9010 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
9011  out:
9012 	wdev_unlock(wdev);
9013 	return err;
9014 }
9015 
9016 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
9017 					     struct genl_info *info)
9018 {
9019 	struct net_device *dev = info->user_ptr[1];
9020 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9021 
9022 	if (wdev->iftype != NL80211_IFTYPE_AP &&
9023 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
9024 		return -EINVAL;
9025 
9026 	if (wdev->ap_unexpected_nlportid)
9027 		return -EBUSY;
9028 
9029 	wdev->ap_unexpected_nlportid = info->snd_portid;
9030 	return 0;
9031 }
9032 
9033 static int nl80211_probe_client(struct sk_buff *skb,
9034 				struct genl_info *info)
9035 {
9036 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9037 	struct net_device *dev = info->user_ptr[1];
9038 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9039 	struct sk_buff *msg;
9040 	void *hdr;
9041 	const u8 *addr;
9042 	u64 cookie;
9043 	int err;
9044 
9045 	if (wdev->iftype != NL80211_IFTYPE_AP &&
9046 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
9047 		return -EOPNOTSUPP;
9048 
9049 	if (!info->attrs[NL80211_ATTR_MAC])
9050 		return -EINVAL;
9051 
9052 	if (!rdev->ops->probe_client)
9053 		return -EOPNOTSUPP;
9054 
9055 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9056 	if (!msg)
9057 		return -ENOMEM;
9058 
9059 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9060 			     NL80211_CMD_PROBE_CLIENT);
9061 	if (!hdr) {
9062 		err = -ENOBUFS;
9063 		goto free_msg;
9064 	}
9065 
9066 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
9067 
9068 	err = rdev_probe_client(rdev, dev, addr, &cookie);
9069 	if (err)
9070 		goto free_msg;
9071 
9072 	if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
9073 		goto nla_put_failure;
9074 
9075 	genlmsg_end(msg, hdr);
9076 
9077 	return genlmsg_reply(msg, info);
9078 
9079  nla_put_failure:
9080 	err = -ENOBUFS;
9081  free_msg:
9082 	nlmsg_free(msg);
9083 	return err;
9084 }
9085 
9086 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
9087 {
9088 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9089 	struct cfg80211_beacon_registration *reg, *nreg;
9090 	int rv;
9091 
9092 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
9093 		return -EOPNOTSUPP;
9094 
9095 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
9096 	if (!nreg)
9097 		return -ENOMEM;
9098 
9099 	/* First, check if already registered. */
9100 	spin_lock_bh(&rdev->beacon_registrations_lock);
9101 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
9102 		if (reg->nlportid == info->snd_portid) {
9103 			rv = -EALREADY;
9104 			goto out_err;
9105 		}
9106 	}
9107 	/* Add it to the list */
9108 	nreg->nlportid = info->snd_portid;
9109 	list_add(&nreg->list, &rdev->beacon_registrations);
9110 
9111 	spin_unlock_bh(&rdev->beacon_registrations_lock);
9112 
9113 	return 0;
9114 out_err:
9115 	spin_unlock_bh(&rdev->beacon_registrations_lock);
9116 	kfree(nreg);
9117 	return rv;
9118 }
9119 
9120 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
9121 {
9122 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9123 	struct wireless_dev *wdev = info->user_ptr[1];
9124 	int err;
9125 
9126 	if (!rdev->ops->start_p2p_device)
9127 		return -EOPNOTSUPP;
9128 
9129 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
9130 		return -EOPNOTSUPP;
9131 
9132 	if (wdev->p2p_started)
9133 		return 0;
9134 
9135 	if (rfkill_blocked(rdev->rfkill))
9136 		return -ERFKILL;
9137 
9138 	err = rdev_start_p2p_device(rdev, wdev);
9139 	if (err)
9140 		return err;
9141 
9142 	wdev->p2p_started = true;
9143 	rdev->opencount++;
9144 
9145 	return 0;
9146 }
9147 
9148 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
9149 {
9150 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9151 	struct wireless_dev *wdev = info->user_ptr[1];
9152 
9153 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
9154 		return -EOPNOTSUPP;
9155 
9156 	if (!rdev->ops->stop_p2p_device)
9157 		return -EOPNOTSUPP;
9158 
9159 	cfg80211_stop_p2p_device(rdev, wdev);
9160 
9161 	return 0;
9162 }
9163 
9164 static int nl80211_get_protocol_features(struct sk_buff *skb,
9165 					 struct genl_info *info)
9166 {
9167 	void *hdr;
9168 	struct sk_buff *msg;
9169 
9170 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9171 	if (!msg)
9172 		return -ENOMEM;
9173 
9174 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9175 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
9176 	if (!hdr)
9177 		goto nla_put_failure;
9178 
9179 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
9180 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
9181 		goto nla_put_failure;
9182 
9183 	genlmsg_end(msg, hdr);
9184 	return genlmsg_reply(msg, info);
9185 
9186  nla_put_failure:
9187 	kfree_skb(msg);
9188 	return -ENOBUFS;
9189 }
9190 
9191 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
9192 {
9193 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9194 	struct cfg80211_update_ft_ies_params ft_params;
9195 	struct net_device *dev = info->user_ptr[1];
9196 
9197 	if (!rdev->ops->update_ft_ies)
9198 		return -EOPNOTSUPP;
9199 
9200 	if (!info->attrs[NL80211_ATTR_MDID] ||
9201 	    !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
9202 		return -EINVAL;
9203 
9204 	memset(&ft_params, 0, sizeof(ft_params));
9205 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
9206 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9207 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9208 
9209 	return rdev_update_ft_ies(rdev, dev, &ft_params);
9210 }
9211 
9212 static int nl80211_crit_protocol_start(struct sk_buff *skb,
9213 				       struct genl_info *info)
9214 {
9215 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9216 	struct wireless_dev *wdev = info->user_ptr[1];
9217 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
9218 	u16 duration;
9219 	int ret;
9220 
9221 	if (!rdev->ops->crit_proto_start)
9222 		return -EOPNOTSUPP;
9223 
9224 	if (WARN_ON(!rdev->ops->crit_proto_stop))
9225 		return -EINVAL;
9226 
9227 	if (rdev->crit_proto_nlportid)
9228 		return -EBUSY;
9229 
9230 	/* determine protocol if provided */
9231 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
9232 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
9233 
9234 	if (proto >= NUM_NL80211_CRIT_PROTO)
9235 		return -EINVAL;
9236 
9237 	/* timeout must be provided */
9238 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
9239 		return -EINVAL;
9240 
9241 	duration =
9242 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
9243 
9244 	if (duration > NL80211_CRIT_PROTO_MAX_DURATION)
9245 		return -ERANGE;
9246 
9247 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
9248 	if (!ret)
9249 		rdev->crit_proto_nlportid = info->snd_portid;
9250 
9251 	return ret;
9252 }
9253 
9254 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
9255 				      struct genl_info *info)
9256 {
9257 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9258 	struct wireless_dev *wdev = info->user_ptr[1];
9259 
9260 	if (!rdev->ops->crit_proto_stop)
9261 		return -EOPNOTSUPP;
9262 
9263 	if (rdev->crit_proto_nlportid) {
9264 		rdev->crit_proto_nlportid = 0;
9265 		rdev_crit_proto_stop(rdev, wdev);
9266 	}
9267 	return 0;
9268 }
9269 
9270 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
9271 {
9272 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9273 	struct wireless_dev *wdev =
9274 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
9275 	int i, err;
9276 	u32 vid, subcmd;
9277 
9278 	if (!rdev->wiphy.vendor_commands)
9279 		return -EOPNOTSUPP;
9280 
9281 	if (IS_ERR(wdev)) {
9282 		err = PTR_ERR(wdev);
9283 		if (err != -EINVAL)
9284 			return err;
9285 		wdev = NULL;
9286 	} else if (wdev->wiphy != &rdev->wiphy) {
9287 		return -EINVAL;
9288 	}
9289 
9290 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
9291 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
9292 		return -EINVAL;
9293 
9294 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
9295 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
9296 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
9297 		const struct wiphy_vendor_command *vcmd;
9298 		void *data = NULL;
9299 		int len = 0;
9300 
9301 		vcmd = &rdev->wiphy.vendor_commands[i];
9302 
9303 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
9304 			continue;
9305 
9306 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
9307 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
9308 			if (!wdev)
9309 				return -EINVAL;
9310 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
9311 			    !wdev->netdev)
9312 				return -EINVAL;
9313 
9314 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
9315 				if (wdev->netdev &&
9316 				    !netif_running(wdev->netdev))
9317 					return -ENETDOWN;
9318 				if (!wdev->netdev && !wdev->p2p_started)
9319 					return -ENETDOWN;
9320 			}
9321 		} else {
9322 			wdev = NULL;
9323 		}
9324 
9325 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
9326 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
9327 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
9328 		}
9329 
9330 		rdev->cur_cmd_info = info;
9331 		err = rdev->wiphy.vendor_commands[i].doit(&rdev->wiphy, wdev,
9332 							  data, len);
9333 		rdev->cur_cmd_info = NULL;
9334 		return err;
9335 	}
9336 
9337 	return -EOPNOTSUPP;
9338 }
9339 
9340 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
9341 					   enum nl80211_commands cmd,
9342 					   enum nl80211_attrs attr,
9343 					   int approxlen)
9344 {
9345 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
9346 
9347 	if (WARN_ON(!rdev->cur_cmd_info))
9348 		return NULL;
9349 
9350 	return __cfg80211_alloc_vendor_skb(rdev, approxlen,
9351 					   rdev->cur_cmd_info->snd_portid,
9352 					   rdev->cur_cmd_info->snd_seq,
9353 					   cmd, attr, NULL, GFP_KERNEL);
9354 }
9355 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
9356 
9357 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
9358 {
9359 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
9360 	void *hdr = ((void **)skb->cb)[1];
9361 	struct nlattr *data = ((void **)skb->cb)[2];
9362 
9363 	/* clear CB data for netlink core to own from now on */
9364 	memset(skb->cb, 0, sizeof(skb->cb));
9365 
9366 	if (WARN_ON(!rdev->cur_cmd_info)) {
9367 		kfree_skb(skb);
9368 		return -EINVAL;
9369 	}
9370 
9371 	nla_nest_end(skb, data);
9372 	genlmsg_end(skb, hdr);
9373 	return genlmsg_reply(skb, rdev->cur_cmd_info);
9374 }
9375 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
9376 
9377 
9378 static int nl80211_set_qos_map(struct sk_buff *skb,
9379 			       struct genl_info *info)
9380 {
9381 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9382 	struct cfg80211_qos_map *qos_map = NULL;
9383 	struct net_device *dev = info->user_ptr[1];
9384 	u8 *pos, len, num_des, des_len, des;
9385 	int ret;
9386 
9387 	if (!rdev->ops->set_qos_map)
9388 		return -EOPNOTSUPP;
9389 
9390 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
9391 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
9392 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
9393 
9394 		if (len % 2 || len < IEEE80211_QOS_MAP_LEN_MIN ||
9395 		    len > IEEE80211_QOS_MAP_LEN_MAX)
9396 			return -EINVAL;
9397 
9398 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
9399 		if (!qos_map)
9400 			return -ENOMEM;
9401 
9402 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
9403 		if (num_des) {
9404 			des_len = num_des *
9405 				sizeof(struct cfg80211_dscp_exception);
9406 			memcpy(qos_map->dscp_exception, pos, des_len);
9407 			qos_map->num_des = num_des;
9408 			for (des = 0; des < num_des; des++) {
9409 				if (qos_map->dscp_exception[des].up > 7) {
9410 					kfree(qos_map);
9411 					return -EINVAL;
9412 				}
9413 			}
9414 			pos += des_len;
9415 		}
9416 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
9417 	}
9418 
9419 	wdev_lock(dev->ieee80211_ptr);
9420 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
9421 	if (!ret)
9422 		ret = rdev_set_qos_map(rdev, dev, qos_map);
9423 	wdev_unlock(dev->ieee80211_ptr);
9424 
9425 	kfree(qos_map);
9426 	return ret;
9427 }
9428 
9429 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
9430 {
9431 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9432 	struct net_device *dev = info->user_ptr[1];
9433 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9434 	const u8 *peer;
9435 	u8 tsid, up;
9436 	u16 admitted_time = 0;
9437 	int err;
9438 
9439 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_WMM_ADMISSION))
9440 		return -EOPNOTSUPP;
9441 
9442 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
9443 	    !info->attrs[NL80211_ATTR_USER_PRIO])
9444 		return -EINVAL;
9445 
9446 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
9447 	if (tsid >= IEEE80211_NUM_TIDS)
9448 		return -EINVAL;
9449 
9450 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
9451 	if (up >= IEEE80211_NUM_UPS)
9452 		return -EINVAL;
9453 
9454 	/* WMM uses TIDs 0-7 even for TSPEC */
9455 	if (tsid < IEEE80211_FIRST_TSPEC_TSID) {
9456 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_WMM_ADMISSION))
9457 			return -EINVAL;
9458 	} else {
9459 		/* TODO: handle 802.11 TSPEC/admission control
9460 		 * need more attributes for that (e.g. BA session requirement)
9461 		 */
9462 		return -EINVAL;
9463 	}
9464 
9465 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
9466 
9467 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
9468 		admitted_time =
9469 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
9470 		if (!admitted_time)
9471 			return -EINVAL;
9472 	}
9473 
9474 	wdev_lock(wdev);
9475 	switch (wdev->iftype) {
9476 	case NL80211_IFTYPE_STATION:
9477 	case NL80211_IFTYPE_P2P_CLIENT:
9478 		if (wdev->current_bss)
9479 			break;
9480 		err = -ENOTCONN;
9481 		goto out;
9482 	default:
9483 		err = -EOPNOTSUPP;
9484 		goto out;
9485 	}
9486 
9487 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
9488 
9489  out:
9490 	wdev_unlock(wdev);
9491 	return err;
9492 }
9493 
9494 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
9495 {
9496 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9497 	struct net_device *dev = info->user_ptr[1];
9498 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9499 	const u8 *peer;
9500 	u8 tsid;
9501 	int err;
9502 
9503 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
9504 		return -EINVAL;
9505 
9506 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
9507 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
9508 
9509 	wdev_lock(wdev);
9510 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
9511 	wdev_unlock(wdev);
9512 
9513 	return err;
9514 }
9515 
9516 #define NL80211_FLAG_NEED_WIPHY		0x01
9517 #define NL80211_FLAG_NEED_NETDEV	0x02
9518 #define NL80211_FLAG_NEED_RTNL		0x04
9519 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
9520 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
9521 					 NL80211_FLAG_CHECK_NETDEV_UP)
9522 #define NL80211_FLAG_NEED_WDEV		0x10
9523 /* If a netdev is associated, it must be UP, P2P must be started */
9524 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
9525 					 NL80211_FLAG_CHECK_NETDEV_UP)
9526 #define NL80211_FLAG_CLEAR_SKB		0x20
9527 
9528 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
9529 			    struct genl_info *info)
9530 {
9531 	struct cfg80211_registered_device *rdev;
9532 	struct wireless_dev *wdev;
9533 	struct net_device *dev;
9534 	bool rtnl = ops->internal_flags & NL80211_FLAG_NEED_RTNL;
9535 
9536 	if (rtnl)
9537 		rtnl_lock();
9538 
9539 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
9540 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
9541 		if (IS_ERR(rdev)) {
9542 			if (rtnl)
9543 				rtnl_unlock();
9544 			return PTR_ERR(rdev);
9545 		}
9546 		info->user_ptr[0] = rdev;
9547 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
9548 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
9549 		ASSERT_RTNL();
9550 
9551 		wdev = __cfg80211_wdev_from_attrs(genl_info_net(info),
9552 						  info->attrs);
9553 		if (IS_ERR(wdev)) {
9554 			if (rtnl)
9555 				rtnl_unlock();
9556 			return PTR_ERR(wdev);
9557 		}
9558 
9559 		dev = wdev->netdev;
9560 		rdev = wiphy_to_rdev(wdev->wiphy);
9561 
9562 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
9563 			if (!dev) {
9564 				if (rtnl)
9565 					rtnl_unlock();
9566 				return -EINVAL;
9567 			}
9568 
9569 			info->user_ptr[1] = dev;
9570 		} else {
9571 			info->user_ptr[1] = wdev;
9572 		}
9573 
9574 		if (dev) {
9575 			if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
9576 			    !netif_running(dev)) {
9577 				if (rtnl)
9578 					rtnl_unlock();
9579 				return -ENETDOWN;
9580 			}
9581 
9582 			dev_hold(dev);
9583 		} else if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP) {
9584 			if (!wdev->p2p_started) {
9585 				if (rtnl)
9586 					rtnl_unlock();
9587 				return -ENETDOWN;
9588 			}
9589 		}
9590 
9591 		info->user_ptr[0] = rdev;
9592 	}
9593 
9594 	return 0;
9595 }
9596 
9597 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
9598 			      struct genl_info *info)
9599 {
9600 	if (info->user_ptr[1]) {
9601 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
9602 			struct wireless_dev *wdev = info->user_ptr[1];
9603 
9604 			if (wdev->netdev)
9605 				dev_put(wdev->netdev);
9606 		} else {
9607 			dev_put(info->user_ptr[1]);
9608 		}
9609 	}
9610 
9611 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
9612 		rtnl_unlock();
9613 
9614 	/* If needed, clear the netlink message payload from the SKB
9615 	 * as it might contain key data that shouldn't stick around on
9616 	 * the heap after the SKB is freed. The netlink message header
9617 	 * is still needed for further processing, so leave it intact.
9618 	 */
9619 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
9620 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
9621 
9622 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
9623 	}
9624 }
9625 
9626 static const struct genl_ops nl80211_ops[] = {
9627 	{
9628 		.cmd = NL80211_CMD_GET_WIPHY,
9629 		.doit = nl80211_get_wiphy,
9630 		.dumpit = nl80211_dump_wiphy,
9631 		.done = nl80211_dump_wiphy_done,
9632 		.policy = nl80211_policy,
9633 		/* can be retrieved by unprivileged users */
9634 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
9635 				  NL80211_FLAG_NEED_RTNL,
9636 	},
9637 	{
9638 		.cmd = NL80211_CMD_SET_WIPHY,
9639 		.doit = nl80211_set_wiphy,
9640 		.policy = nl80211_policy,
9641 		.flags = GENL_ADMIN_PERM,
9642 		.internal_flags = NL80211_FLAG_NEED_RTNL,
9643 	},
9644 	{
9645 		.cmd = NL80211_CMD_GET_INTERFACE,
9646 		.doit = nl80211_get_interface,
9647 		.dumpit = nl80211_dump_interface,
9648 		.policy = nl80211_policy,
9649 		/* can be retrieved by unprivileged users */
9650 		.internal_flags = NL80211_FLAG_NEED_WDEV |
9651 				  NL80211_FLAG_NEED_RTNL,
9652 	},
9653 	{
9654 		.cmd = NL80211_CMD_SET_INTERFACE,
9655 		.doit = nl80211_set_interface,
9656 		.policy = nl80211_policy,
9657 		.flags = GENL_ADMIN_PERM,
9658 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
9659 				  NL80211_FLAG_NEED_RTNL,
9660 	},
9661 	{
9662 		.cmd = NL80211_CMD_NEW_INTERFACE,
9663 		.doit = nl80211_new_interface,
9664 		.policy = nl80211_policy,
9665 		.flags = GENL_ADMIN_PERM,
9666 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
9667 				  NL80211_FLAG_NEED_RTNL,
9668 	},
9669 	{
9670 		.cmd = NL80211_CMD_DEL_INTERFACE,
9671 		.doit = nl80211_del_interface,
9672 		.policy = nl80211_policy,
9673 		.flags = GENL_ADMIN_PERM,
9674 		.internal_flags = NL80211_FLAG_NEED_WDEV |
9675 				  NL80211_FLAG_NEED_RTNL,
9676 	},
9677 	{
9678 		.cmd = NL80211_CMD_GET_KEY,
9679 		.doit = nl80211_get_key,
9680 		.policy = nl80211_policy,
9681 		.flags = GENL_ADMIN_PERM,
9682 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9683 				  NL80211_FLAG_NEED_RTNL,
9684 	},
9685 	{
9686 		.cmd = NL80211_CMD_SET_KEY,
9687 		.doit = nl80211_set_key,
9688 		.policy = nl80211_policy,
9689 		.flags = GENL_ADMIN_PERM,
9690 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9691 				  NL80211_FLAG_NEED_RTNL |
9692 				  NL80211_FLAG_CLEAR_SKB,
9693 	},
9694 	{
9695 		.cmd = NL80211_CMD_NEW_KEY,
9696 		.doit = nl80211_new_key,
9697 		.policy = nl80211_policy,
9698 		.flags = GENL_ADMIN_PERM,
9699 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9700 				  NL80211_FLAG_NEED_RTNL |
9701 				  NL80211_FLAG_CLEAR_SKB,
9702 	},
9703 	{
9704 		.cmd = NL80211_CMD_DEL_KEY,
9705 		.doit = nl80211_del_key,
9706 		.policy = nl80211_policy,
9707 		.flags = GENL_ADMIN_PERM,
9708 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9709 				  NL80211_FLAG_NEED_RTNL,
9710 	},
9711 	{
9712 		.cmd = NL80211_CMD_SET_BEACON,
9713 		.policy = nl80211_policy,
9714 		.flags = GENL_ADMIN_PERM,
9715 		.doit = nl80211_set_beacon,
9716 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9717 				  NL80211_FLAG_NEED_RTNL,
9718 	},
9719 	{
9720 		.cmd = NL80211_CMD_START_AP,
9721 		.policy = nl80211_policy,
9722 		.flags = GENL_ADMIN_PERM,
9723 		.doit = nl80211_start_ap,
9724 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9725 				  NL80211_FLAG_NEED_RTNL,
9726 	},
9727 	{
9728 		.cmd = NL80211_CMD_STOP_AP,
9729 		.policy = nl80211_policy,
9730 		.flags = GENL_ADMIN_PERM,
9731 		.doit = nl80211_stop_ap,
9732 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9733 				  NL80211_FLAG_NEED_RTNL,
9734 	},
9735 	{
9736 		.cmd = NL80211_CMD_GET_STATION,
9737 		.doit = nl80211_get_station,
9738 		.dumpit = nl80211_dump_station,
9739 		.policy = nl80211_policy,
9740 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
9741 				  NL80211_FLAG_NEED_RTNL,
9742 	},
9743 	{
9744 		.cmd = NL80211_CMD_SET_STATION,
9745 		.doit = nl80211_set_station,
9746 		.policy = nl80211_policy,
9747 		.flags = GENL_ADMIN_PERM,
9748 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9749 				  NL80211_FLAG_NEED_RTNL,
9750 	},
9751 	{
9752 		.cmd = NL80211_CMD_NEW_STATION,
9753 		.doit = nl80211_new_station,
9754 		.policy = nl80211_policy,
9755 		.flags = GENL_ADMIN_PERM,
9756 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9757 				  NL80211_FLAG_NEED_RTNL,
9758 	},
9759 	{
9760 		.cmd = NL80211_CMD_DEL_STATION,
9761 		.doit = nl80211_del_station,
9762 		.policy = nl80211_policy,
9763 		.flags = GENL_ADMIN_PERM,
9764 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9765 				  NL80211_FLAG_NEED_RTNL,
9766 	},
9767 	{
9768 		.cmd = NL80211_CMD_GET_MPATH,
9769 		.doit = nl80211_get_mpath,
9770 		.dumpit = nl80211_dump_mpath,
9771 		.policy = nl80211_policy,
9772 		.flags = GENL_ADMIN_PERM,
9773 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9774 				  NL80211_FLAG_NEED_RTNL,
9775 	},
9776 	{
9777 		.cmd = NL80211_CMD_SET_MPATH,
9778 		.doit = nl80211_set_mpath,
9779 		.policy = nl80211_policy,
9780 		.flags = GENL_ADMIN_PERM,
9781 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9782 				  NL80211_FLAG_NEED_RTNL,
9783 	},
9784 	{
9785 		.cmd = NL80211_CMD_NEW_MPATH,
9786 		.doit = nl80211_new_mpath,
9787 		.policy = nl80211_policy,
9788 		.flags = GENL_ADMIN_PERM,
9789 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9790 				  NL80211_FLAG_NEED_RTNL,
9791 	},
9792 	{
9793 		.cmd = NL80211_CMD_DEL_MPATH,
9794 		.doit = nl80211_del_mpath,
9795 		.policy = nl80211_policy,
9796 		.flags = GENL_ADMIN_PERM,
9797 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9798 				  NL80211_FLAG_NEED_RTNL,
9799 	},
9800 	{
9801 		.cmd = NL80211_CMD_SET_BSS,
9802 		.doit = nl80211_set_bss,
9803 		.policy = nl80211_policy,
9804 		.flags = GENL_ADMIN_PERM,
9805 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9806 				  NL80211_FLAG_NEED_RTNL,
9807 	},
9808 	{
9809 		.cmd = NL80211_CMD_GET_REG,
9810 		.doit = nl80211_get_reg,
9811 		.policy = nl80211_policy,
9812 		.internal_flags = NL80211_FLAG_NEED_RTNL,
9813 		/* can be retrieved by unprivileged users */
9814 	},
9815 	{
9816 		.cmd = NL80211_CMD_SET_REG,
9817 		.doit = nl80211_set_reg,
9818 		.policy = nl80211_policy,
9819 		.flags = GENL_ADMIN_PERM,
9820 		.internal_flags = NL80211_FLAG_NEED_RTNL,
9821 	},
9822 	{
9823 		.cmd = NL80211_CMD_REQ_SET_REG,
9824 		.doit = nl80211_req_set_reg,
9825 		.policy = nl80211_policy,
9826 		.flags = GENL_ADMIN_PERM,
9827 	},
9828 	{
9829 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
9830 		.doit = nl80211_get_mesh_config,
9831 		.policy = nl80211_policy,
9832 		/* can be retrieved by unprivileged users */
9833 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9834 				  NL80211_FLAG_NEED_RTNL,
9835 	},
9836 	{
9837 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
9838 		.doit = nl80211_update_mesh_config,
9839 		.policy = nl80211_policy,
9840 		.flags = GENL_ADMIN_PERM,
9841 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9842 				  NL80211_FLAG_NEED_RTNL,
9843 	},
9844 	{
9845 		.cmd = NL80211_CMD_TRIGGER_SCAN,
9846 		.doit = nl80211_trigger_scan,
9847 		.policy = nl80211_policy,
9848 		.flags = GENL_ADMIN_PERM,
9849 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
9850 				  NL80211_FLAG_NEED_RTNL,
9851 	},
9852 	{
9853 		.cmd = NL80211_CMD_GET_SCAN,
9854 		.policy = nl80211_policy,
9855 		.dumpit = nl80211_dump_scan,
9856 	},
9857 	{
9858 		.cmd = NL80211_CMD_START_SCHED_SCAN,
9859 		.doit = nl80211_start_sched_scan,
9860 		.policy = nl80211_policy,
9861 		.flags = GENL_ADMIN_PERM,
9862 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9863 				  NL80211_FLAG_NEED_RTNL,
9864 	},
9865 	{
9866 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
9867 		.doit = nl80211_stop_sched_scan,
9868 		.policy = nl80211_policy,
9869 		.flags = GENL_ADMIN_PERM,
9870 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9871 				  NL80211_FLAG_NEED_RTNL,
9872 	},
9873 	{
9874 		.cmd = NL80211_CMD_AUTHENTICATE,
9875 		.doit = nl80211_authenticate,
9876 		.policy = nl80211_policy,
9877 		.flags = GENL_ADMIN_PERM,
9878 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9879 				  NL80211_FLAG_NEED_RTNL |
9880 				  NL80211_FLAG_CLEAR_SKB,
9881 	},
9882 	{
9883 		.cmd = NL80211_CMD_ASSOCIATE,
9884 		.doit = nl80211_associate,
9885 		.policy = nl80211_policy,
9886 		.flags = GENL_ADMIN_PERM,
9887 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9888 				  NL80211_FLAG_NEED_RTNL,
9889 	},
9890 	{
9891 		.cmd = NL80211_CMD_DEAUTHENTICATE,
9892 		.doit = nl80211_deauthenticate,
9893 		.policy = nl80211_policy,
9894 		.flags = GENL_ADMIN_PERM,
9895 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9896 				  NL80211_FLAG_NEED_RTNL,
9897 	},
9898 	{
9899 		.cmd = NL80211_CMD_DISASSOCIATE,
9900 		.doit = nl80211_disassociate,
9901 		.policy = nl80211_policy,
9902 		.flags = GENL_ADMIN_PERM,
9903 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9904 				  NL80211_FLAG_NEED_RTNL,
9905 	},
9906 	{
9907 		.cmd = NL80211_CMD_JOIN_IBSS,
9908 		.doit = nl80211_join_ibss,
9909 		.policy = nl80211_policy,
9910 		.flags = GENL_ADMIN_PERM,
9911 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9912 				  NL80211_FLAG_NEED_RTNL,
9913 	},
9914 	{
9915 		.cmd = NL80211_CMD_LEAVE_IBSS,
9916 		.doit = nl80211_leave_ibss,
9917 		.policy = nl80211_policy,
9918 		.flags = GENL_ADMIN_PERM,
9919 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9920 				  NL80211_FLAG_NEED_RTNL,
9921 	},
9922 #ifdef CONFIG_NL80211_TESTMODE
9923 	{
9924 		.cmd = NL80211_CMD_TESTMODE,
9925 		.doit = nl80211_testmode_do,
9926 		.dumpit = nl80211_testmode_dump,
9927 		.policy = nl80211_policy,
9928 		.flags = GENL_ADMIN_PERM,
9929 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
9930 				  NL80211_FLAG_NEED_RTNL,
9931 	},
9932 #endif
9933 	{
9934 		.cmd = NL80211_CMD_CONNECT,
9935 		.doit = nl80211_connect,
9936 		.policy = nl80211_policy,
9937 		.flags = GENL_ADMIN_PERM,
9938 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9939 				  NL80211_FLAG_NEED_RTNL,
9940 	},
9941 	{
9942 		.cmd = NL80211_CMD_DISCONNECT,
9943 		.doit = nl80211_disconnect,
9944 		.policy = nl80211_policy,
9945 		.flags = GENL_ADMIN_PERM,
9946 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9947 				  NL80211_FLAG_NEED_RTNL,
9948 	},
9949 	{
9950 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
9951 		.doit = nl80211_wiphy_netns,
9952 		.policy = nl80211_policy,
9953 		.flags = GENL_ADMIN_PERM,
9954 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
9955 				  NL80211_FLAG_NEED_RTNL,
9956 	},
9957 	{
9958 		.cmd = NL80211_CMD_GET_SURVEY,
9959 		.policy = nl80211_policy,
9960 		.dumpit = nl80211_dump_survey,
9961 	},
9962 	{
9963 		.cmd = NL80211_CMD_SET_PMKSA,
9964 		.doit = nl80211_setdel_pmksa,
9965 		.policy = nl80211_policy,
9966 		.flags = GENL_ADMIN_PERM,
9967 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9968 				  NL80211_FLAG_NEED_RTNL,
9969 	},
9970 	{
9971 		.cmd = NL80211_CMD_DEL_PMKSA,
9972 		.doit = nl80211_setdel_pmksa,
9973 		.policy = nl80211_policy,
9974 		.flags = GENL_ADMIN_PERM,
9975 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9976 				  NL80211_FLAG_NEED_RTNL,
9977 	},
9978 	{
9979 		.cmd = NL80211_CMD_FLUSH_PMKSA,
9980 		.doit = nl80211_flush_pmksa,
9981 		.policy = nl80211_policy,
9982 		.flags = GENL_ADMIN_PERM,
9983 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9984 				  NL80211_FLAG_NEED_RTNL,
9985 	},
9986 	{
9987 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
9988 		.doit = nl80211_remain_on_channel,
9989 		.policy = nl80211_policy,
9990 		.flags = GENL_ADMIN_PERM,
9991 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
9992 				  NL80211_FLAG_NEED_RTNL,
9993 	},
9994 	{
9995 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
9996 		.doit = nl80211_cancel_remain_on_channel,
9997 		.policy = nl80211_policy,
9998 		.flags = GENL_ADMIN_PERM,
9999 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10000 				  NL80211_FLAG_NEED_RTNL,
10001 	},
10002 	{
10003 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
10004 		.doit = nl80211_set_tx_bitrate_mask,
10005 		.policy = nl80211_policy,
10006 		.flags = GENL_ADMIN_PERM,
10007 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10008 				  NL80211_FLAG_NEED_RTNL,
10009 	},
10010 	{
10011 		.cmd = NL80211_CMD_REGISTER_FRAME,
10012 		.doit = nl80211_register_mgmt,
10013 		.policy = nl80211_policy,
10014 		.flags = GENL_ADMIN_PERM,
10015 		.internal_flags = NL80211_FLAG_NEED_WDEV |
10016 				  NL80211_FLAG_NEED_RTNL,
10017 	},
10018 	{
10019 		.cmd = NL80211_CMD_FRAME,
10020 		.doit = nl80211_tx_mgmt,
10021 		.policy = nl80211_policy,
10022 		.flags = GENL_ADMIN_PERM,
10023 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10024 				  NL80211_FLAG_NEED_RTNL,
10025 	},
10026 	{
10027 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
10028 		.doit = nl80211_tx_mgmt_cancel_wait,
10029 		.policy = nl80211_policy,
10030 		.flags = GENL_ADMIN_PERM,
10031 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10032 				  NL80211_FLAG_NEED_RTNL,
10033 	},
10034 	{
10035 		.cmd = NL80211_CMD_SET_POWER_SAVE,
10036 		.doit = nl80211_set_power_save,
10037 		.policy = nl80211_policy,
10038 		.flags = GENL_ADMIN_PERM,
10039 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10040 				  NL80211_FLAG_NEED_RTNL,
10041 	},
10042 	{
10043 		.cmd = NL80211_CMD_GET_POWER_SAVE,
10044 		.doit = nl80211_get_power_save,
10045 		.policy = nl80211_policy,
10046 		/* can be retrieved by unprivileged users */
10047 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10048 				  NL80211_FLAG_NEED_RTNL,
10049 	},
10050 	{
10051 		.cmd = NL80211_CMD_SET_CQM,
10052 		.doit = nl80211_set_cqm,
10053 		.policy = nl80211_policy,
10054 		.flags = GENL_ADMIN_PERM,
10055 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10056 				  NL80211_FLAG_NEED_RTNL,
10057 	},
10058 	{
10059 		.cmd = NL80211_CMD_SET_CHANNEL,
10060 		.doit = nl80211_set_channel,
10061 		.policy = nl80211_policy,
10062 		.flags = GENL_ADMIN_PERM,
10063 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10064 				  NL80211_FLAG_NEED_RTNL,
10065 	},
10066 	{
10067 		.cmd = NL80211_CMD_SET_WDS_PEER,
10068 		.doit = nl80211_set_wds_peer,
10069 		.policy = nl80211_policy,
10070 		.flags = GENL_ADMIN_PERM,
10071 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10072 				  NL80211_FLAG_NEED_RTNL,
10073 	},
10074 	{
10075 		.cmd = NL80211_CMD_JOIN_MESH,
10076 		.doit = nl80211_join_mesh,
10077 		.policy = nl80211_policy,
10078 		.flags = GENL_ADMIN_PERM,
10079 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10080 				  NL80211_FLAG_NEED_RTNL,
10081 	},
10082 	{
10083 		.cmd = NL80211_CMD_LEAVE_MESH,
10084 		.doit = nl80211_leave_mesh,
10085 		.policy = nl80211_policy,
10086 		.flags = GENL_ADMIN_PERM,
10087 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10088 				  NL80211_FLAG_NEED_RTNL,
10089 	},
10090 #ifdef CONFIG_PM
10091 	{
10092 		.cmd = NL80211_CMD_GET_WOWLAN,
10093 		.doit = nl80211_get_wowlan,
10094 		.policy = nl80211_policy,
10095 		/* can be retrieved by unprivileged users */
10096 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10097 				  NL80211_FLAG_NEED_RTNL,
10098 	},
10099 	{
10100 		.cmd = NL80211_CMD_SET_WOWLAN,
10101 		.doit = nl80211_set_wowlan,
10102 		.policy = nl80211_policy,
10103 		.flags = GENL_ADMIN_PERM,
10104 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10105 				  NL80211_FLAG_NEED_RTNL,
10106 	},
10107 #endif
10108 	{
10109 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
10110 		.doit = nl80211_set_rekey_data,
10111 		.policy = nl80211_policy,
10112 		.flags = GENL_ADMIN_PERM,
10113 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10114 				  NL80211_FLAG_NEED_RTNL |
10115 				  NL80211_FLAG_CLEAR_SKB,
10116 	},
10117 	{
10118 		.cmd = NL80211_CMD_TDLS_MGMT,
10119 		.doit = nl80211_tdls_mgmt,
10120 		.policy = nl80211_policy,
10121 		.flags = GENL_ADMIN_PERM,
10122 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10123 				  NL80211_FLAG_NEED_RTNL,
10124 	},
10125 	{
10126 		.cmd = NL80211_CMD_TDLS_OPER,
10127 		.doit = nl80211_tdls_oper,
10128 		.policy = nl80211_policy,
10129 		.flags = GENL_ADMIN_PERM,
10130 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10131 				  NL80211_FLAG_NEED_RTNL,
10132 	},
10133 	{
10134 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
10135 		.doit = nl80211_register_unexpected_frame,
10136 		.policy = nl80211_policy,
10137 		.flags = GENL_ADMIN_PERM,
10138 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10139 				  NL80211_FLAG_NEED_RTNL,
10140 	},
10141 	{
10142 		.cmd = NL80211_CMD_PROBE_CLIENT,
10143 		.doit = nl80211_probe_client,
10144 		.policy = nl80211_policy,
10145 		.flags = GENL_ADMIN_PERM,
10146 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10147 				  NL80211_FLAG_NEED_RTNL,
10148 	},
10149 	{
10150 		.cmd = NL80211_CMD_REGISTER_BEACONS,
10151 		.doit = nl80211_register_beacons,
10152 		.policy = nl80211_policy,
10153 		.flags = GENL_ADMIN_PERM,
10154 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10155 				  NL80211_FLAG_NEED_RTNL,
10156 	},
10157 	{
10158 		.cmd = NL80211_CMD_SET_NOACK_MAP,
10159 		.doit = nl80211_set_noack_map,
10160 		.policy = nl80211_policy,
10161 		.flags = GENL_ADMIN_PERM,
10162 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10163 				  NL80211_FLAG_NEED_RTNL,
10164 	},
10165 	{
10166 		.cmd = NL80211_CMD_START_P2P_DEVICE,
10167 		.doit = nl80211_start_p2p_device,
10168 		.policy = nl80211_policy,
10169 		.flags = GENL_ADMIN_PERM,
10170 		.internal_flags = NL80211_FLAG_NEED_WDEV |
10171 				  NL80211_FLAG_NEED_RTNL,
10172 	},
10173 	{
10174 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
10175 		.doit = nl80211_stop_p2p_device,
10176 		.policy = nl80211_policy,
10177 		.flags = GENL_ADMIN_PERM,
10178 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10179 				  NL80211_FLAG_NEED_RTNL,
10180 	},
10181 	{
10182 		.cmd = NL80211_CMD_SET_MCAST_RATE,
10183 		.doit = nl80211_set_mcast_rate,
10184 		.policy = nl80211_policy,
10185 		.flags = GENL_ADMIN_PERM,
10186 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10187 				  NL80211_FLAG_NEED_RTNL,
10188 	},
10189 	{
10190 		.cmd = NL80211_CMD_SET_MAC_ACL,
10191 		.doit = nl80211_set_mac_acl,
10192 		.policy = nl80211_policy,
10193 		.flags = GENL_ADMIN_PERM,
10194 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10195 				  NL80211_FLAG_NEED_RTNL,
10196 	},
10197 	{
10198 		.cmd = NL80211_CMD_RADAR_DETECT,
10199 		.doit = nl80211_start_radar_detection,
10200 		.policy = nl80211_policy,
10201 		.flags = GENL_ADMIN_PERM,
10202 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10203 				  NL80211_FLAG_NEED_RTNL,
10204 	},
10205 	{
10206 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
10207 		.doit = nl80211_get_protocol_features,
10208 		.policy = nl80211_policy,
10209 	},
10210 	{
10211 		.cmd = NL80211_CMD_UPDATE_FT_IES,
10212 		.doit = nl80211_update_ft_ies,
10213 		.policy = nl80211_policy,
10214 		.flags = GENL_ADMIN_PERM,
10215 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10216 				  NL80211_FLAG_NEED_RTNL,
10217 	},
10218 	{
10219 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
10220 		.doit = nl80211_crit_protocol_start,
10221 		.policy = nl80211_policy,
10222 		.flags = GENL_ADMIN_PERM,
10223 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10224 				  NL80211_FLAG_NEED_RTNL,
10225 	},
10226 	{
10227 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
10228 		.doit = nl80211_crit_protocol_stop,
10229 		.policy = nl80211_policy,
10230 		.flags = GENL_ADMIN_PERM,
10231 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10232 				  NL80211_FLAG_NEED_RTNL,
10233 	},
10234 	{
10235 		.cmd = NL80211_CMD_GET_COALESCE,
10236 		.doit = nl80211_get_coalesce,
10237 		.policy = nl80211_policy,
10238 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10239 				  NL80211_FLAG_NEED_RTNL,
10240 	},
10241 	{
10242 		.cmd = NL80211_CMD_SET_COALESCE,
10243 		.doit = nl80211_set_coalesce,
10244 		.policy = nl80211_policy,
10245 		.flags = GENL_ADMIN_PERM,
10246 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10247 				  NL80211_FLAG_NEED_RTNL,
10248 	},
10249 	{
10250 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
10251 		.doit = nl80211_channel_switch,
10252 		.policy = nl80211_policy,
10253 		.flags = GENL_ADMIN_PERM,
10254 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10255 				  NL80211_FLAG_NEED_RTNL,
10256 	},
10257 	{
10258 		.cmd = NL80211_CMD_VENDOR,
10259 		.doit = nl80211_vendor_cmd,
10260 		.policy = nl80211_policy,
10261 		.flags = GENL_ADMIN_PERM,
10262 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10263 				  NL80211_FLAG_NEED_RTNL,
10264 	},
10265 	{
10266 		.cmd = NL80211_CMD_SET_QOS_MAP,
10267 		.doit = nl80211_set_qos_map,
10268 		.policy = nl80211_policy,
10269 		.flags = GENL_ADMIN_PERM,
10270 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10271 				  NL80211_FLAG_NEED_RTNL,
10272 	},
10273 	{
10274 		.cmd = NL80211_CMD_ADD_TX_TS,
10275 		.doit = nl80211_add_tx_ts,
10276 		.policy = nl80211_policy,
10277 		.flags = GENL_ADMIN_PERM,
10278 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10279 				  NL80211_FLAG_NEED_RTNL,
10280 	},
10281 	{
10282 		.cmd = NL80211_CMD_DEL_TX_TS,
10283 		.doit = nl80211_del_tx_ts,
10284 		.policy = nl80211_policy,
10285 		.flags = GENL_ADMIN_PERM,
10286 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10287 				  NL80211_FLAG_NEED_RTNL,
10288 	},
10289 };
10290 
10291 /* notification functions */
10292 
10293 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
10294 			  enum nl80211_commands cmd)
10295 {
10296 	struct sk_buff *msg;
10297 	struct nl80211_dump_wiphy_state state = {};
10298 
10299 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
10300 		cmd != NL80211_CMD_DEL_WIPHY);
10301 
10302 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10303 	if (!msg)
10304 		return;
10305 
10306 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
10307 		nlmsg_free(msg);
10308 		return;
10309 	}
10310 
10311 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10312 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
10313 }
10314 
10315 static int nl80211_add_scan_req(struct sk_buff *msg,
10316 				struct cfg80211_registered_device *rdev)
10317 {
10318 	struct cfg80211_scan_request *req = rdev->scan_req;
10319 	struct nlattr *nest;
10320 	int i;
10321 
10322 	if (WARN_ON(!req))
10323 		return 0;
10324 
10325 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_SSIDS);
10326 	if (!nest)
10327 		goto nla_put_failure;
10328 	for (i = 0; i < req->n_ssids; i++) {
10329 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
10330 			goto nla_put_failure;
10331 	}
10332 	nla_nest_end(msg, nest);
10333 
10334 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
10335 	if (!nest)
10336 		goto nla_put_failure;
10337 	for (i = 0; i < req->n_channels; i++) {
10338 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
10339 			goto nla_put_failure;
10340 	}
10341 	nla_nest_end(msg, nest);
10342 
10343 	if (req->ie &&
10344 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
10345 		goto nla_put_failure;
10346 
10347 	if (req->flags &&
10348 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
10349 		goto nla_put_failure;
10350 
10351 	return 0;
10352  nla_put_failure:
10353 	return -ENOBUFS;
10354 }
10355 
10356 static int nl80211_send_scan_msg(struct sk_buff *msg,
10357 				 struct cfg80211_registered_device *rdev,
10358 				 struct wireless_dev *wdev,
10359 				 u32 portid, u32 seq, int flags,
10360 				 u32 cmd)
10361 {
10362 	void *hdr;
10363 
10364 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
10365 	if (!hdr)
10366 		return -1;
10367 
10368 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10369 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
10370 					 wdev->netdev->ifindex)) ||
10371 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
10372 		goto nla_put_failure;
10373 
10374 	/* ignore errors and send incomplete event anyway */
10375 	nl80211_add_scan_req(msg, rdev);
10376 
10377 	return genlmsg_end(msg, hdr);
10378 
10379  nla_put_failure:
10380 	genlmsg_cancel(msg, hdr);
10381 	return -EMSGSIZE;
10382 }
10383 
10384 static int
10385 nl80211_send_sched_scan_msg(struct sk_buff *msg,
10386 			    struct cfg80211_registered_device *rdev,
10387 			    struct net_device *netdev,
10388 			    u32 portid, u32 seq, int flags, u32 cmd)
10389 {
10390 	void *hdr;
10391 
10392 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
10393 	if (!hdr)
10394 		return -1;
10395 
10396 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10397 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
10398 		goto nla_put_failure;
10399 
10400 	return genlmsg_end(msg, hdr);
10401 
10402  nla_put_failure:
10403 	genlmsg_cancel(msg, hdr);
10404 	return -EMSGSIZE;
10405 }
10406 
10407 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
10408 			     struct wireless_dev *wdev)
10409 {
10410 	struct sk_buff *msg;
10411 
10412 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10413 	if (!msg)
10414 		return;
10415 
10416 	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
10417 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
10418 		nlmsg_free(msg);
10419 		return;
10420 	}
10421 
10422 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10423 				NL80211_MCGRP_SCAN, GFP_KERNEL);
10424 }
10425 
10426 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
10427 				       struct wireless_dev *wdev, bool aborted)
10428 {
10429 	struct sk_buff *msg;
10430 
10431 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10432 	if (!msg)
10433 		return NULL;
10434 
10435 	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
10436 				  aborted ? NL80211_CMD_SCAN_ABORTED :
10437 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
10438 		nlmsg_free(msg);
10439 		return NULL;
10440 	}
10441 
10442 	return msg;
10443 }
10444 
10445 void nl80211_send_scan_result(struct cfg80211_registered_device *rdev,
10446 			      struct sk_buff *msg)
10447 {
10448 	if (!msg)
10449 		return;
10450 
10451 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10452 				NL80211_MCGRP_SCAN, GFP_KERNEL);
10453 }
10454 
10455 void nl80211_send_sched_scan_results(struct cfg80211_registered_device *rdev,
10456 				     struct net_device *netdev)
10457 {
10458 	struct sk_buff *msg;
10459 
10460 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10461 	if (!msg)
10462 		return;
10463 
10464 	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0,
10465 					NL80211_CMD_SCHED_SCAN_RESULTS) < 0) {
10466 		nlmsg_free(msg);
10467 		return;
10468 	}
10469 
10470 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10471 				NL80211_MCGRP_SCAN, GFP_KERNEL);
10472 }
10473 
10474 void nl80211_send_sched_scan(struct cfg80211_registered_device *rdev,
10475 			     struct net_device *netdev, u32 cmd)
10476 {
10477 	struct sk_buff *msg;
10478 
10479 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10480 	if (!msg)
10481 		return;
10482 
10483 	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0, cmd) < 0) {
10484 		nlmsg_free(msg);
10485 		return;
10486 	}
10487 
10488 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10489 				NL80211_MCGRP_SCAN, GFP_KERNEL);
10490 }
10491 
10492 /*
10493  * This can happen on global regulatory changes or device specific settings
10494  * based on custom world regulatory domains.
10495  */
10496 void nl80211_send_reg_change_event(struct regulatory_request *request)
10497 {
10498 	struct sk_buff *msg;
10499 	void *hdr;
10500 
10501 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10502 	if (!msg)
10503 		return;
10504 
10505 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_CHANGE);
10506 	if (!hdr) {
10507 		nlmsg_free(msg);
10508 		return;
10509 	}
10510 
10511 	/* Userspace can always count this one always being set */
10512 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
10513 		goto nla_put_failure;
10514 
10515 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
10516 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
10517 			       NL80211_REGDOM_TYPE_WORLD))
10518 			goto nla_put_failure;
10519 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
10520 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
10521 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
10522 			goto nla_put_failure;
10523 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
10524 		   request->intersect) {
10525 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
10526 			       NL80211_REGDOM_TYPE_INTERSECTION))
10527 			goto nla_put_failure;
10528 	} else {
10529 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
10530 			       NL80211_REGDOM_TYPE_COUNTRY) ||
10531 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
10532 				   request->alpha2))
10533 			goto nla_put_failure;
10534 	}
10535 
10536 	if (request->wiphy_idx != WIPHY_IDX_INVALID &&
10537 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
10538 		goto nla_put_failure;
10539 
10540 	genlmsg_end(msg, hdr);
10541 
10542 	rcu_read_lock();
10543 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
10544 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
10545 	rcu_read_unlock();
10546 
10547 	return;
10548 
10549 nla_put_failure:
10550 	genlmsg_cancel(msg, hdr);
10551 	nlmsg_free(msg);
10552 }
10553 
10554 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
10555 				    struct net_device *netdev,
10556 				    const u8 *buf, size_t len,
10557 				    enum nl80211_commands cmd, gfp_t gfp,
10558 				    int uapsd_queues)
10559 {
10560 	struct sk_buff *msg;
10561 	void *hdr;
10562 
10563 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10564 	if (!msg)
10565 		return;
10566 
10567 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
10568 	if (!hdr) {
10569 		nlmsg_free(msg);
10570 		return;
10571 	}
10572 
10573 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10574 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
10575 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf))
10576 		goto nla_put_failure;
10577 
10578 	if (uapsd_queues >= 0) {
10579 		struct nlattr *nla_wmm =
10580 			nla_nest_start(msg, NL80211_ATTR_STA_WME);
10581 		if (!nla_wmm)
10582 			goto nla_put_failure;
10583 
10584 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
10585 			       uapsd_queues))
10586 			goto nla_put_failure;
10587 
10588 		nla_nest_end(msg, nla_wmm);
10589 	}
10590 
10591 	genlmsg_end(msg, hdr);
10592 
10593 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10594 				NL80211_MCGRP_MLME, gfp);
10595 	return;
10596 
10597  nla_put_failure:
10598 	genlmsg_cancel(msg, hdr);
10599 	nlmsg_free(msg);
10600 }
10601 
10602 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
10603 			  struct net_device *netdev, const u8 *buf,
10604 			  size_t len, gfp_t gfp)
10605 {
10606 	nl80211_send_mlme_event(rdev, netdev, buf, len,
10607 				NL80211_CMD_AUTHENTICATE, gfp, -1);
10608 }
10609 
10610 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
10611 			   struct net_device *netdev, const u8 *buf,
10612 			   size_t len, gfp_t gfp, int uapsd_queues)
10613 {
10614 	nl80211_send_mlme_event(rdev, netdev, buf, len,
10615 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues);
10616 }
10617 
10618 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
10619 			 struct net_device *netdev, const u8 *buf,
10620 			 size_t len, gfp_t gfp)
10621 {
10622 	nl80211_send_mlme_event(rdev, netdev, buf, len,
10623 				NL80211_CMD_DEAUTHENTICATE, gfp, -1);
10624 }
10625 
10626 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
10627 			   struct net_device *netdev, const u8 *buf,
10628 			   size_t len, gfp_t gfp)
10629 {
10630 	nl80211_send_mlme_event(rdev, netdev, buf, len,
10631 				NL80211_CMD_DISASSOCIATE, gfp, -1);
10632 }
10633 
10634 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
10635 				  size_t len)
10636 {
10637 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10638 	struct wiphy *wiphy = wdev->wiphy;
10639 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
10640 	const struct ieee80211_mgmt *mgmt = (void *)buf;
10641 	u32 cmd;
10642 
10643 	if (WARN_ON(len < 2))
10644 		return;
10645 
10646 	if (ieee80211_is_deauth(mgmt->frame_control))
10647 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
10648 	else
10649 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
10650 
10651 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
10652 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1);
10653 }
10654 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
10655 
10656 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
10657 				      struct net_device *netdev, int cmd,
10658 				      const u8 *addr, gfp_t gfp)
10659 {
10660 	struct sk_buff *msg;
10661 	void *hdr;
10662 
10663 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10664 	if (!msg)
10665 		return;
10666 
10667 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
10668 	if (!hdr) {
10669 		nlmsg_free(msg);
10670 		return;
10671 	}
10672 
10673 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10674 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
10675 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
10676 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
10677 		goto nla_put_failure;
10678 
10679 	genlmsg_end(msg, hdr);
10680 
10681 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10682 				NL80211_MCGRP_MLME, gfp);
10683 	return;
10684 
10685  nla_put_failure:
10686 	genlmsg_cancel(msg, hdr);
10687 	nlmsg_free(msg);
10688 }
10689 
10690 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
10691 			       struct net_device *netdev, const u8 *addr,
10692 			       gfp_t gfp)
10693 {
10694 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
10695 				  addr, gfp);
10696 }
10697 
10698 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
10699 				struct net_device *netdev, const u8 *addr,
10700 				gfp_t gfp)
10701 {
10702 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
10703 				  addr, gfp);
10704 }
10705 
10706 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
10707 				 struct net_device *netdev, const u8 *bssid,
10708 				 const u8 *req_ie, size_t req_ie_len,
10709 				 const u8 *resp_ie, size_t resp_ie_len,
10710 				 u16 status, gfp_t gfp)
10711 {
10712 	struct sk_buff *msg;
10713 	void *hdr;
10714 
10715 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10716 	if (!msg)
10717 		return;
10718 
10719 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
10720 	if (!hdr) {
10721 		nlmsg_free(msg);
10722 		return;
10723 	}
10724 
10725 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10726 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
10727 	    (bssid && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid)) ||
10728 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE, status) ||
10729 	    (req_ie &&
10730 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
10731 	    (resp_ie &&
10732 	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
10733 		goto nla_put_failure;
10734 
10735 	genlmsg_end(msg, hdr);
10736 
10737 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10738 				NL80211_MCGRP_MLME, gfp);
10739 	return;
10740 
10741  nla_put_failure:
10742 	genlmsg_cancel(msg, hdr);
10743 	nlmsg_free(msg);
10744 
10745 }
10746 
10747 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
10748 			 struct net_device *netdev, const u8 *bssid,
10749 			 const u8 *req_ie, size_t req_ie_len,
10750 			 const u8 *resp_ie, size_t resp_ie_len, gfp_t gfp)
10751 {
10752 	struct sk_buff *msg;
10753 	void *hdr;
10754 
10755 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10756 	if (!msg)
10757 		return;
10758 
10759 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
10760 	if (!hdr) {
10761 		nlmsg_free(msg);
10762 		return;
10763 	}
10764 
10765 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10766 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
10767 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
10768 	    (req_ie &&
10769 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
10770 	    (resp_ie &&
10771 	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
10772 		goto nla_put_failure;
10773 
10774 	genlmsg_end(msg, hdr);
10775 
10776 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10777 				NL80211_MCGRP_MLME, gfp);
10778 	return;
10779 
10780  nla_put_failure:
10781 	genlmsg_cancel(msg, hdr);
10782 	nlmsg_free(msg);
10783 
10784 }
10785 
10786 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
10787 			       struct net_device *netdev, u16 reason,
10788 			       const u8 *ie, size_t ie_len, bool from_ap)
10789 {
10790 	struct sk_buff *msg;
10791 	void *hdr;
10792 
10793 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10794 	if (!msg)
10795 		return;
10796 
10797 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
10798 	if (!hdr) {
10799 		nlmsg_free(msg);
10800 		return;
10801 	}
10802 
10803 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10804 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
10805 	    (from_ap && reason &&
10806 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
10807 	    (from_ap &&
10808 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
10809 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
10810 		goto nla_put_failure;
10811 
10812 	genlmsg_end(msg, hdr);
10813 
10814 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10815 				NL80211_MCGRP_MLME, GFP_KERNEL);
10816 	return;
10817 
10818  nla_put_failure:
10819 	genlmsg_cancel(msg, hdr);
10820 	nlmsg_free(msg);
10821 
10822 }
10823 
10824 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
10825 			     struct net_device *netdev, const u8 *bssid,
10826 			     gfp_t gfp)
10827 {
10828 	struct sk_buff *msg;
10829 	void *hdr;
10830 
10831 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10832 	if (!msg)
10833 		return;
10834 
10835 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
10836 	if (!hdr) {
10837 		nlmsg_free(msg);
10838 		return;
10839 	}
10840 
10841 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10842 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
10843 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
10844 		goto nla_put_failure;
10845 
10846 	genlmsg_end(msg, hdr);
10847 
10848 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10849 				NL80211_MCGRP_MLME, gfp);
10850 	return;
10851 
10852  nla_put_failure:
10853 	genlmsg_cancel(msg, hdr);
10854 	nlmsg_free(msg);
10855 }
10856 
10857 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
10858 					const u8* ie, u8 ie_len, gfp_t gfp)
10859 {
10860 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10861 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
10862 	struct sk_buff *msg;
10863 	void *hdr;
10864 
10865 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
10866 		return;
10867 
10868 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
10869 
10870 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10871 	if (!msg)
10872 		return;
10873 
10874 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
10875 	if (!hdr) {
10876 		nlmsg_free(msg);
10877 		return;
10878 	}
10879 
10880 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10881 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
10882 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
10883 	    (ie_len && ie &&
10884 	     nla_put(msg, NL80211_ATTR_IE, ie_len , ie)))
10885 		goto nla_put_failure;
10886 
10887 	genlmsg_end(msg, hdr);
10888 
10889 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10890 				NL80211_MCGRP_MLME, gfp);
10891 	return;
10892 
10893  nla_put_failure:
10894 	genlmsg_cancel(msg, hdr);
10895 	nlmsg_free(msg);
10896 }
10897 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
10898 
10899 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
10900 				 struct net_device *netdev, const u8 *addr,
10901 				 enum nl80211_key_type key_type, int key_id,
10902 				 const u8 *tsc, gfp_t gfp)
10903 {
10904 	struct sk_buff *msg;
10905 	void *hdr;
10906 
10907 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10908 	if (!msg)
10909 		return;
10910 
10911 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
10912 	if (!hdr) {
10913 		nlmsg_free(msg);
10914 		return;
10915 	}
10916 
10917 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10918 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
10919 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
10920 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
10921 	    (key_id != -1 &&
10922 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
10923 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
10924 		goto nla_put_failure;
10925 
10926 	genlmsg_end(msg, hdr);
10927 
10928 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10929 				NL80211_MCGRP_MLME, gfp);
10930 	return;
10931 
10932  nla_put_failure:
10933 	genlmsg_cancel(msg, hdr);
10934 	nlmsg_free(msg);
10935 }
10936 
10937 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
10938 				    struct ieee80211_channel *channel_before,
10939 				    struct ieee80211_channel *channel_after)
10940 {
10941 	struct sk_buff *msg;
10942 	void *hdr;
10943 	struct nlattr *nl_freq;
10944 
10945 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
10946 	if (!msg)
10947 		return;
10948 
10949 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
10950 	if (!hdr) {
10951 		nlmsg_free(msg);
10952 		return;
10953 	}
10954 
10955 	/*
10956 	 * Since we are applying the beacon hint to a wiphy we know its
10957 	 * wiphy_idx is valid
10958 	 */
10959 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
10960 		goto nla_put_failure;
10961 
10962 	/* Before */
10963 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_BEFORE);
10964 	if (!nl_freq)
10965 		goto nla_put_failure;
10966 	if (nl80211_msg_put_channel(msg, channel_before, false))
10967 		goto nla_put_failure;
10968 	nla_nest_end(msg, nl_freq);
10969 
10970 	/* After */
10971 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_AFTER);
10972 	if (!nl_freq)
10973 		goto nla_put_failure;
10974 	if (nl80211_msg_put_channel(msg, channel_after, false))
10975 		goto nla_put_failure;
10976 	nla_nest_end(msg, nl_freq);
10977 
10978 	genlmsg_end(msg, hdr);
10979 
10980 	rcu_read_lock();
10981 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
10982 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
10983 	rcu_read_unlock();
10984 
10985 	return;
10986 
10987 nla_put_failure:
10988 	genlmsg_cancel(msg, hdr);
10989 	nlmsg_free(msg);
10990 }
10991 
10992 static void nl80211_send_remain_on_chan_event(
10993 	int cmd, struct cfg80211_registered_device *rdev,
10994 	struct wireless_dev *wdev, u64 cookie,
10995 	struct ieee80211_channel *chan,
10996 	unsigned int duration, gfp_t gfp)
10997 {
10998 	struct sk_buff *msg;
10999 	void *hdr;
11000 
11001 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11002 	if (!msg)
11003 		return;
11004 
11005 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
11006 	if (!hdr) {
11007 		nlmsg_free(msg);
11008 		return;
11009 	}
11010 
11011 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11012 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
11013 					 wdev->netdev->ifindex)) ||
11014 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
11015 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
11016 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
11017 			NL80211_CHAN_NO_HT) ||
11018 	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
11019 		goto nla_put_failure;
11020 
11021 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
11022 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
11023 		goto nla_put_failure;
11024 
11025 	genlmsg_end(msg, hdr);
11026 
11027 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11028 				NL80211_MCGRP_MLME, gfp);
11029 	return;
11030 
11031  nla_put_failure:
11032 	genlmsg_cancel(msg, hdr);
11033 	nlmsg_free(msg);
11034 }
11035 
11036 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
11037 			       struct ieee80211_channel *chan,
11038 			       unsigned int duration, gfp_t gfp)
11039 {
11040 	struct wiphy *wiphy = wdev->wiphy;
11041 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11042 
11043 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
11044 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
11045 					  rdev, wdev, cookie, chan,
11046 					  duration, gfp);
11047 }
11048 EXPORT_SYMBOL(cfg80211_ready_on_channel);
11049 
11050 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
11051 					struct ieee80211_channel *chan,
11052 					gfp_t gfp)
11053 {
11054 	struct wiphy *wiphy = wdev->wiphy;
11055 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11056 
11057 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
11058 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
11059 					  rdev, wdev, cookie, chan, 0, gfp);
11060 }
11061 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
11062 
11063 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
11064 		      struct station_info *sinfo, gfp_t gfp)
11065 {
11066 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
11067 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11068 	struct sk_buff *msg;
11069 
11070 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
11071 
11072 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11073 	if (!msg)
11074 		return;
11075 
11076 	if (nl80211_send_station(msg, 0, 0, 0,
11077 				 rdev, dev, mac_addr, sinfo) < 0) {
11078 		nlmsg_free(msg);
11079 		return;
11080 	}
11081 
11082 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11083 				NL80211_MCGRP_MLME, gfp);
11084 }
11085 EXPORT_SYMBOL(cfg80211_new_sta);
11086 
11087 void cfg80211_del_sta(struct net_device *dev, const u8 *mac_addr, gfp_t gfp)
11088 {
11089 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
11090 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11091 	struct sk_buff *msg;
11092 	void *hdr;
11093 
11094 	trace_cfg80211_del_sta(dev, mac_addr);
11095 
11096 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11097 	if (!msg)
11098 		return;
11099 
11100 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_STATION);
11101 	if (!hdr) {
11102 		nlmsg_free(msg);
11103 		return;
11104 	}
11105 
11106 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11107 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
11108 		goto nla_put_failure;
11109 
11110 	genlmsg_end(msg, hdr);
11111 
11112 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11113 				NL80211_MCGRP_MLME, gfp);
11114 	return;
11115 
11116  nla_put_failure:
11117 	genlmsg_cancel(msg, hdr);
11118 	nlmsg_free(msg);
11119 }
11120 EXPORT_SYMBOL(cfg80211_del_sta);
11121 
11122 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
11123 			  enum nl80211_connect_failed_reason reason,
11124 			  gfp_t gfp)
11125 {
11126 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
11127 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11128 	struct sk_buff *msg;
11129 	void *hdr;
11130 
11131 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
11132 	if (!msg)
11133 		return;
11134 
11135 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
11136 	if (!hdr) {
11137 		nlmsg_free(msg);
11138 		return;
11139 	}
11140 
11141 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11142 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
11143 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
11144 		goto nla_put_failure;
11145 
11146 	genlmsg_end(msg, hdr);
11147 
11148 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11149 				NL80211_MCGRP_MLME, gfp);
11150 	return;
11151 
11152  nla_put_failure:
11153 	genlmsg_cancel(msg, hdr);
11154 	nlmsg_free(msg);
11155 }
11156 EXPORT_SYMBOL(cfg80211_conn_failed);
11157 
11158 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
11159 				       const u8 *addr, gfp_t gfp)
11160 {
11161 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11162 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
11163 	struct sk_buff *msg;
11164 	void *hdr;
11165 	u32 nlportid = ACCESS_ONCE(wdev->ap_unexpected_nlportid);
11166 
11167 	if (!nlportid)
11168 		return false;
11169 
11170 	msg = nlmsg_new(100, gfp);
11171 	if (!msg)
11172 		return true;
11173 
11174 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
11175 	if (!hdr) {
11176 		nlmsg_free(msg);
11177 		return true;
11178 	}
11179 
11180 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11181 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11182 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
11183 		goto nla_put_failure;
11184 
11185 	genlmsg_end(msg, hdr);
11186 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
11187 	return true;
11188 
11189  nla_put_failure:
11190 	genlmsg_cancel(msg, hdr);
11191 	nlmsg_free(msg);
11192 	return true;
11193 }
11194 
11195 bool cfg80211_rx_spurious_frame(struct net_device *dev,
11196 				const u8 *addr, gfp_t gfp)
11197 {
11198 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11199 	bool ret;
11200 
11201 	trace_cfg80211_rx_spurious_frame(dev, addr);
11202 
11203 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
11204 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
11205 		trace_cfg80211_return_bool(false);
11206 		return false;
11207 	}
11208 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
11209 					 addr, gfp);
11210 	trace_cfg80211_return_bool(ret);
11211 	return ret;
11212 }
11213 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
11214 
11215 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
11216 					const u8 *addr, gfp_t gfp)
11217 {
11218 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11219 	bool ret;
11220 
11221 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
11222 
11223 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
11224 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
11225 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
11226 		trace_cfg80211_return_bool(false);
11227 		return false;
11228 	}
11229 	ret = __nl80211_unexpected_frame(dev,
11230 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
11231 					 addr, gfp);
11232 	trace_cfg80211_return_bool(ret);
11233 	return ret;
11234 }
11235 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
11236 
11237 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
11238 		      struct wireless_dev *wdev, u32 nlportid,
11239 		      int freq, int sig_dbm,
11240 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
11241 {
11242 	struct net_device *netdev = wdev->netdev;
11243 	struct sk_buff *msg;
11244 	void *hdr;
11245 
11246 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11247 	if (!msg)
11248 		return -ENOMEM;
11249 
11250 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
11251 	if (!hdr) {
11252 		nlmsg_free(msg);
11253 		return -ENOMEM;
11254 	}
11255 
11256 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11257 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
11258 					netdev->ifindex)) ||
11259 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
11260 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq) ||
11261 	    (sig_dbm &&
11262 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
11263 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
11264 	    (flags &&
11265 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
11266 		goto nla_put_failure;
11267 
11268 	genlmsg_end(msg, hdr);
11269 
11270 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
11271 
11272  nla_put_failure:
11273 	genlmsg_cancel(msg, hdr);
11274 	nlmsg_free(msg);
11275 	return -ENOBUFS;
11276 }
11277 
11278 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
11279 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
11280 {
11281 	struct wiphy *wiphy = wdev->wiphy;
11282 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11283 	struct net_device *netdev = wdev->netdev;
11284 	struct sk_buff *msg;
11285 	void *hdr;
11286 
11287 	trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
11288 
11289 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11290 	if (!msg)
11291 		return;
11292 
11293 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME_TX_STATUS);
11294 	if (!hdr) {
11295 		nlmsg_free(msg);
11296 		return;
11297 	}
11298 
11299 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11300 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
11301 				   netdev->ifindex)) ||
11302 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
11303 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
11304 	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie) ||
11305 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
11306 		goto nla_put_failure;
11307 
11308 	genlmsg_end(msg, hdr);
11309 
11310 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11311 				NL80211_MCGRP_MLME, gfp);
11312 	return;
11313 
11314  nla_put_failure:
11315 	genlmsg_cancel(msg, hdr);
11316 	nlmsg_free(msg);
11317 }
11318 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
11319 
11320 void cfg80211_cqm_rssi_notify(struct net_device *dev,
11321 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
11322 			      gfp_t gfp)
11323 {
11324 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11325 	struct wiphy *wiphy = wdev->wiphy;
11326 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11327 	struct sk_buff *msg;
11328 	struct nlattr *pinfoattr;
11329 	void *hdr;
11330 
11331 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event);
11332 
11333 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11334 	if (!msg)
11335 		return;
11336 
11337 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
11338 	if (!hdr) {
11339 		nlmsg_free(msg);
11340 		return;
11341 	}
11342 
11343 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11344 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
11345 		goto nla_put_failure;
11346 
11347 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_CQM);
11348 	if (!pinfoattr)
11349 		goto nla_put_failure;
11350 
11351 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
11352 			rssi_event))
11353 		goto nla_put_failure;
11354 
11355 	nla_nest_end(msg, pinfoattr);
11356 
11357 	genlmsg_end(msg, hdr);
11358 
11359 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11360 				NL80211_MCGRP_MLME, gfp);
11361 	return;
11362 
11363  nla_put_failure:
11364 	genlmsg_cancel(msg, hdr);
11365 	nlmsg_free(msg);
11366 }
11367 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
11368 
11369 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
11370 				     struct net_device *netdev, const u8 *bssid,
11371 				     const u8 *replay_ctr, gfp_t gfp)
11372 {
11373 	struct sk_buff *msg;
11374 	struct nlattr *rekey_attr;
11375 	void *hdr;
11376 
11377 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11378 	if (!msg)
11379 		return;
11380 
11381 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
11382 	if (!hdr) {
11383 		nlmsg_free(msg);
11384 		return;
11385 	}
11386 
11387 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11388 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11389 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
11390 		goto nla_put_failure;
11391 
11392 	rekey_attr = nla_nest_start(msg, NL80211_ATTR_REKEY_DATA);
11393 	if (!rekey_attr)
11394 		goto nla_put_failure;
11395 
11396 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
11397 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
11398 		goto nla_put_failure;
11399 
11400 	nla_nest_end(msg, rekey_attr);
11401 
11402 	genlmsg_end(msg, hdr);
11403 
11404 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11405 				NL80211_MCGRP_MLME, gfp);
11406 	return;
11407 
11408  nla_put_failure:
11409 	genlmsg_cancel(msg, hdr);
11410 	nlmsg_free(msg);
11411 }
11412 
11413 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
11414 			       const u8 *replay_ctr, gfp_t gfp)
11415 {
11416 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11417 	struct wiphy *wiphy = wdev->wiphy;
11418 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11419 
11420 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
11421 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
11422 }
11423 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
11424 
11425 static void
11426 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
11427 			       struct net_device *netdev, int index,
11428 			       const u8 *bssid, bool preauth, gfp_t gfp)
11429 {
11430 	struct sk_buff *msg;
11431 	struct nlattr *attr;
11432 	void *hdr;
11433 
11434 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11435 	if (!msg)
11436 		return;
11437 
11438 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
11439 	if (!hdr) {
11440 		nlmsg_free(msg);
11441 		return;
11442 	}
11443 
11444 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11445 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
11446 		goto nla_put_failure;
11447 
11448 	attr = nla_nest_start(msg, NL80211_ATTR_PMKSA_CANDIDATE);
11449 	if (!attr)
11450 		goto nla_put_failure;
11451 
11452 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
11453 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
11454 	    (preauth &&
11455 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
11456 		goto nla_put_failure;
11457 
11458 	nla_nest_end(msg, attr);
11459 
11460 	genlmsg_end(msg, hdr);
11461 
11462 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11463 				NL80211_MCGRP_MLME, gfp);
11464 	return;
11465 
11466  nla_put_failure:
11467 	genlmsg_cancel(msg, hdr);
11468 	nlmsg_free(msg);
11469 }
11470 
11471 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
11472 				     const u8 *bssid, bool preauth, gfp_t gfp)
11473 {
11474 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11475 	struct wiphy *wiphy = wdev->wiphy;
11476 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11477 
11478 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
11479 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
11480 }
11481 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
11482 
11483 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
11484 				     struct net_device *netdev,
11485 				     struct cfg80211_chan_def *chandef,
11486 				     gfp_t gfp)
11487 {
11488 	struct sk_buff *msg;
11489 	void *hdr;
11490 
11491 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11492 	if (!msg)
11493 		return;
11494 
11495 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CH_SWITCH_NOTIFY);
11496 	if (!hdr) {
11497 		nlmsg_free(msg);
11498 		return;
11499 	}
11500 
11501 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
11502 		goto nla_put_failure;
11503 
11504 	if (nl80211_send_chandef(msg, chandef))
11505 		goto nla_put_failure;
11506 
11507 	genlmsg_end(msg, hdr);
11508 
11509 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11510 				NL80211_MCGRP_MLME, gfp);
11511 	return;
11512 
11513  nla_put_failure:
11514 	genlmsg_cancel(msg, hdr);
11515 	nlmsg_free(msg);
11516 }
11517 
11518 void cfg80211_ch_switch_notify(struct net_device *dev,
11519 			       struct cfg80211_chan_def *chandef)
11520 {
11521 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11522 	struct wiphy *wiphy = wdev->wiphy;
11523 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11524 
11525 	ASSERT_WDEV_LOCK(wdev);
11526 
11527 	trace_cfg80211_ch_switch_notify(dev, chandef);
11528 
11529 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
11530 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
11531 		    wdev->iftype != NL80211_IFTYPE_ADHOC &&
11532 		    wdev->iftype != NL80211_IFTYPE_MESH_POINT))
11533 		return;
11534 
11535 	wdev->chandef = *chandef;
11536 	wdev->preset_chandef = *chandef;
11537 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL);
11538 }
11539 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
11540 
11541 void cfg80211_cqm_txe_notify(struct net_device *dev,
11542 			     const u8 *peer, u32 num_packets,
11543 			     u32 rate, u32 intvl, gfp_t gfp)
11544 {
11545 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11546 	struct wiphy *wiphy = wdev->wiphy;
11547 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11548 	struct sk_buff *msg;
11549 	struct nlattr *pinfoattr;
11550 	void *hdr;
11551 
11552 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
11553 	if (!msg)
11554 		return;
11555 
11556 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
11557 	if (!hdr) {
11558 		nlmsg_free(msg);
11559 		return;
11560 	}
11561 
11562 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11563 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11564 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer))
11565 		goto nla_put_failure;
11566 
11567 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_CQM);
11568 	if (!pinfoattr)
11569 		goto nla_put_failure;
11570 
11571 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
11572 		goto nla_put_failure;
11573 
11574 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
11575 		goto nla_put_failure;
11576 
11577 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
11578 		goto nla_put_failure;
11579 
11580 	nla_nest_end(msg, pinfoattr);
11581 
11582 	genlmsg_end(msg, hdr);
11583 
11584 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11585 				NL80211_MCGRP_MLME, gfp);
11586 	return;
11587 
11588  nla_put_failure:
11589 	genlmsg_cancel(msg, hdr);
11590 	nlmsg_free(msg);
11591 }
11592 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
11593 
11594 void
11595 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
11596 		     const struct cfg80211_chan_def *chandef,
11597 		     enum nl80211_radar_event event,
11598 		     struct net_device *netdev, gfp_t gfp)
11599 {
11600 	struct sk_buff *msg;
11601 	void *hdr;
11602 
11603 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11604 	if (!msg)
11605 		return;
11606 
11607 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
11608 	if (!hdr) {
11609 		nlmsg_free(msg);
11610 		return;
11611 	}
11612 
11613 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
11614 		goto nla_put_failure;
11615 
11616 	/* NOP and radar events don't need a netdev parameter */
11617 	if (netdev) {
11618 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
11619 
11620 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11621 		    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
11622 			goto nla_put_failure;
11623 	}
11624 
11625 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
11626 		goto nla_put_failure;
11627 
11628 	if (nl80211_send_chandef(msg, chandef))
11629 		goto nla_put_failure;
11630 
11631 	genlmsg_end(msg, hdr);
11632 
11633 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11634 				NL80211_MCGRP_MLME, gfp);
11635 	return;
11636 
11637  nla_put_failure:
11638 	genlmsg_cancel(msg, hdr);
11639 	nlmsg_free(msg);
11640 }
11641 
11642 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
11643 				 const u8 *peer, u32 num_packets, gfp_t gfp)
11644 {
11645 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11646 	struct wiphy *wiphy = wdev->wiphy;
11647 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11648 	struct sk_buff *msg;
11649 	struct nlattr *pinfoattr;
11650 	void *hdr;
11651 
11652 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
11653 
11654 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11655 	if (!msg)
11656 		return;
11657 
11658 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
11659 	if (!hdr) {
11660 		nlmsg_free(msg);
11661 		return;
11662 	}
11663 
11664 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11665 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11666 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer))
11667 		goto nla_put_failure;
11668 
11669 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_CQM);
11670 	if (!pinfoattr)
11671 		goto nla_put_failure;
11672 
11673 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
11674 		goto nla_put_failure;
11675 
11676 	nla_nest_end(msg, pinfoattr);
11677 
11678 	genlmsg_end(msg, hdr);
11679 
11680 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11681 				NL80211_MCGRP_MLME, gfp);
11682 	return;
11683 
11684  nla_put_failure:
11685 	genlmsg_cancel(msg, hdr);
11686 	nlmsg_free(msg);
11687 }
11688 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
11689 
11690 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
11691 			   u64 cookie, bool acked, gfp_t gfp)
11692 {
11693 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11694 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
11695 	struct sk_buff *msg;
11696 	void *hdr;
11697 
11698 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
11699 
11700 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11701 
11702 	if (!msg)
11703 		return;
11704 
11705 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
11706 	if (!hdr) {
11707 		nlmsg_free(msg);
11708 		return;
11709 	}
11710 
11711 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11712 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11713 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
11714 	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie) ||
11715 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)))
11716 		goto nla_put_failure;
11717 
11718 	genlmsg_end(msg, hdr);
11719 
11720 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11721 				NL80211_MCGRP_MLME, gfp);
11722 	return;
11723 
11724  nla_put_failure:
11725 	genlmsg_cancel(msg, hdr);
11726 	nlmsg_free(msg);
11727 }
11728 EXPORT_SYMBOL(cfg80211_probe_status);
11729 
11730 void cfg80211_report_obss_beacon(struct wiphy *wiphy,
11731 				 const u8 *frame, size_t len,
11732 				 int freq, int sig_dbm)
11733 {
11734 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11735 	struct sk_buff *msg;
11736 	void *hdr;
11737 	struct cfg80211_beacon_registration *reg;
11738 
11739 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
11740 
11741 	spin_lock_bh(&rdev->beacon_registrations_lock);
11742 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
11743 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
11744 		if (!msg) {
11745 			spin_unlock_bh(&rdev->beacon_registrations_lock);
11746 			return;
11747 		}
11748 
11749 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
11750 		if (!hdr)
11751 			goto nla_put_failure;
11752 
11753 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11754 		    (freq &&
11755 		     nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq)) ||
11756 		    (sig_dbm &&
11757 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
11758 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
11759 			goto nla_put_failure;
11760 
11761 		genlmsg_end(msg, hdr);
11762 
11763 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
11764 	}
11765 	spin_unlock_bh(&rdev->beacon_registrations_lock);
11766 	return;
11767 
11768  nla_put_failure:
11769 	spin_unlock_bh(&rdev->beacon_registrations_lock);
11770 	if (hdr)
11771 		genlmsg_cancel(msg, hdr);
11772 	nlmsg_free(msg);
11773 }
11774 EXPORT_SYMBOL(cfg80211_report_obss_beacon);
11775 
11776 #ifdef CONFIG_PM
11777 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
11778 				   struct cfg80211_wowlan_wakeup *wakeup,
11779 				   gfp_t gfp)
11780 {
11781 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
11782 	struct sk_buff *msg;
11783 	void *hdr;
11784 	int size = 200;
11785 
11786 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
11787 
11788 	if (wakeup)
11789 		size += wakeup->packet_present_len;
11790 
11791 	msg = nlmsg_new(size, gfp);
11792 	if (!msg)
11793 		return;
11794 
11795 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
11796 	if (!hdr)
11797 		goto free_msg;
11798 
11799 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11800 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
11801 		goto free_msg;
11802 
11803 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
11804 					wdev->netdev->ifindex))
11805 		goto free_msg;
11806 
11807 	if (wakeup) {
11808 		struct nlattr *reasons;
11809 
11810 		reasons = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
11811 		if (!reasons)
11812 			goto free_msg;
11813 
11814 		if (wakeup->disconnect &&
11815 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
11816 			goto free_msg;
11817 		if (wakeup->magic_pkt &&
11818 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
11819 			goto free_msg;
11820 		if (wakeup->gtk_rekey_failure &&
11821 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
11822 			goto free_msg;
11823 		if (wakeup->eap_identity_req &&
11824 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
11825 			goto free_msg;
11826 		if (wakeup->four_way_handshake &&
11827 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
11828 			goto free_msg;
11829 		if (wakeup->rfkill_release &&
11830 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
11831 			goto free_msg;
11832 
11833 		if (wakeup->pattern_idx >= 0 &&
11834 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
11835 				wakeup->pattern_idx))
11836 			goto free_msg;
11837 
11838 		if (wakeup->tcp_match &&
11839 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
11840 			goto free_msg;
11841 
11842 		if (wakeup->tcp_connlost &&
11843 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
11844 			goto free_msg;
11845 
11846 		if (wakeup->tcp_nomoretokens &&
11847 		    nla_put_flag(msg,
11848 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
11849 			goto free_msg;
11850 
11851 		if (wakeup->packet) {
11852 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
11853 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
11854 
11855 			if (!wakeup->packet_80211) {
11856 				pkt_attr =
11857 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
11858 				len_attr =
11859 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
11860 			}
11861 
11862 			if (wakeup->packet_len &&
11863 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
11864 				goto free_msg;
11865 
11866 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
11867 				    wakeup->packet))
11868 				goto free_msg;
11869 		}
11870 
11871 		nla_nest_end(msg, reasons);
11872 	}
11873 
11874 	genlmsg_end(msg, hdr);
11875 
11876 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11877 				NL80211_MCGRP_MLME, gfp);
11878 	return;
11879 
11880  free_msg:
11881 	nlmsg_free(msg);
11882 }
11883 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
11884 #endif
11885 
11886 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
11887 				enum nl80211_tdls_operation oper,
11888 				u16 reason_code, gfp_t gfp)
11889 {
11890 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11891 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
11892 	struct sk_buff *msg;
11893 	void *hdr;
11894 
11895 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
11896 					 reason_code);
11897 
11898 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11899 	if (!msg)
11900 		return;
11901 
11902 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
11903 	if (!hdr) {
11904 		nlmsg_free(msg);
11905 		return;
11906 	}
11907 
11908 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11909 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11910 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
11911 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
11912 	    (reason_code > 0 &&
11913 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
11914 		goto nla_put_failure;
11915 
11916 	genlmsg_end(msg, hdr);
11917 
11918 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11919 				NL80211_MCGRP_MLME, gfp);
11920 	return;
11921 
11922  nla_put_failure:
11923 	genlmsg_cancel(msg, hdr);
11924 	nlmsg_free(msg);
11925 }
11926 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
11927 
11928 static int nl80211_netlink_notify(struct notifier_block * nb,
11929 				  unsigned long state,
11930 				  void *_notify)
11931 {
11932 	struct netlink_notify *notify = _notify;
11933 	struct cfg80211_registered_device *rdev;
11934 	struct wireless_dev *wdev;
11935 	struct cfg80211_beacon_registration *reg, *tmp;
11936 
11937 	if (state != NETLINK_URELEASE)
11938 		return NOTIFY_DONE;
11939 
11940 	rcu_read_lock();
11941 
11942 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
11943 		bool schedule_destroy_work = false;
11944 
11945 		list_for_each_entry_rcu(wdev, &rdev->wdev_list, list) {
11946 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
11947 
11948 			if (wdev->owner_nlportid == notify->portid)
11949 				schedule_destroy_work = true;
11950 		}
11951 
11952 		spin_lock_bh(&rdev->beacon_registrations_lock);
11953 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
11954 					 list) {
11955 			if (reg->nlportid == notify->portid) {
11956 				list_del(&reg->list);
11957 				kfree(reg);
11958 				break;
11959 			}
11960 		}
11961 		spin_unlock_bh(&rdev->beacon_registrations_lock);
11962 
11963 		if (schedule_destroy_work) {
11964 			struct cfg80211_iface_destroy *destroy;
11965 
11966 			destroy = kzalloc(sizeof(*destroy), GFP_ATOMIC);
11967 			if (destroy) {
11968 				destroy->nlportid = notify->portid;
11969 				spin_lock(&rdev->destroy_list_lock);
11970 				list_add(&destroy->list, &rdev->destroy_list);
11971 				spin_unlock(&rdev->destroy_list_lock);
11972 				schedule_work(&rdev->destroy_work);
11973 			}
11974 		}
11975 	}
11976 
11977 	rcu_read_unlock();
11978 
11979 	return NOTIFY_OK;
11980 }
11981 
11982 static struct notifier_block nl80211_netlink_notifier = {
11983 	.notifier_call = nl80211_netlink_notify,
11984 };
11985 
11986 void cfg80211_ft_event(struct net_device *netdev,
11987 		       struct cfg80211_ft_event_params *ft_event)
11988 {
11989 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
11990 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11991 	struct sk_buff *msg;
11992 	void *hdr;
11993 
11994 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
11995 
11996 	if (!ft_event->target_ap)
11997 		return;
11998 
11999 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12000 	if (!msg)
12001 		return;
12002 
12003 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
12004 	if (!hdr)
12005 		goto out;
12006 
12007 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12008 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12009 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
12010 		goto out;
12011 
12012 	if (ft_event->ies &&
12013 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
12014 		goto out;
12015 	if (ft_event->ric_ies &&
12016 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
12017 		    ft_event->ric_ies))
12018 		goto out;
12019 
12020 	genlmsg_end(msg, hdr);
12021 
12022 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12023 				NL80211_MCGRP_MLME, GFP_KERNEL);
12024 	return;
12025  out:
12026 	nlmsg_free(msg);
12027 }
12028 EXPORT_SYMBOL(cfg80211_ft_event);
12029 
12030 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
12031 {
12032 	struct cfg80211_registered_device *rdev;
12033 	struct sk_buff *msg;
12034 	void *hdr;
12035 	u32 nlportid;
12036 
12037 	rdev = wiphy_to_rdev(wdev->wiphy);
12038 	if (!rdev->crit_proto_nlportid)
12039 		return;
12040 
12041 	nlportid = rdev->crit_proto_nlportid;
12042 	rdev->crit_proto_nlportid = 0;
12043 
12044 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12045 	if (!msg)
12046 		return;
12047 
12048 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
12049 	if (!hdr)
12050 		goto nla_put_failure;
12051 
12052 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12053 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
12054 		goto nla_put_failure;
12055 
12056 	genlmsg_end(msg, hdr);
12057 
12058 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
12059 	return;
12060 
12061  nla_put_failure:
12062 	if (hdr)
12063 		genlmsg_cancel(msg, hdr);
12064 	nlmsg_free(msg);
12065 
12066 }
12067 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
12068 
12069 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
12070 {
12071 	struct wiphy *wiphy = wdev->wiphy;
12072 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12073 	struct sk_buff *msg;
12074 	void *hdr;
12075 
12076 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12077 	if (!msg)
12078 		return;
12079 
12080 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
12081 	if (!hdr)
12082 		goto out;
12083 
12084 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12085 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
12086 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
12087 		goto out;
12088 
12089 	genlmsg_end(msg, hdr);
12090 
12091 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
12092 				NL80211_MCGRP_MLME, GFP_KERNEL);
12093 	return;
12094  out:
12095 	nlmsg_free(msg);
12096 }
12097 
12098 /* initialisation/exit functions */
12099 
12100 int nl80211_init(void)
12101 {
12102 	int err;
12103 
12104 	err = genl_register_family_with_ops_groups(&nl80211_fam, nl80211_ops,
12105 						   nl80211_mcgrps);
12106 	if (err)
12107 		return err;
12108 
12109 	err = netlink_register_notifier(&nl80211_netlink_notifier);
12110 	if (err)
12111 		goto err_out;
12112 
12113 	return 0;
12114  err_out:
12115 	genl_unregister_family(&nl80211_fam);
12116 	return err;
12117 }
12118 
12119 void nl80211_exit(void)
12120 {
12121 	netlink_unregister_notifier(&nl80211_netlink_notifier);
12122 	genl_unregister_family(&nl80211_fam);
12123 }
12124