xref: /openbmc/linux/net/wireless/nl80211.c (revision 7b6d864b) 
1 /*
2  * This is the new netlink-based wireless configuration interface.
3  *
4  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
5  */
6 
7 #include <linux/if.h>
8 #include <linux/module.h>
9 #include <linux/err.h>
10 #include <linux/slab.h>
11 #include <linux/list.h>
12 #include <linux/if_ether.h>
13 #include <linux/ieee80211.h>
14 #include <linux/nl80211.h>
15 #include <linux/rtnetlink.h>
16 #include <linux/netlink.h>
17 #include <linux/etherdevice.h>
18 #include <net/net_namespace.h>
19 #include <net/genetlink.h>
20 #include <net/cfg80211.h>
21 #include <net/sock.h>
22 #include <net/inet_connection_sock.h>
23 #include "core.h"
24 #include "nl80211.h"
25 #include "reg.h"
26 #include "rdev-ops.h"
27 
28 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
29 				   struct genl_info *info,
30 				   struct cfg80211_crypto_settings *settings,
31 				   int cipher_limit);
32 
33 static int nl80211_pre_doit(struct genl_ops *ops, struct sk_buff *skb,
34 			    struct genl_info *info);
35 static void nl80211_post_doit(struct genl_ops *ops, struct sk_buff *skb,
36 			      struct genl_info *info);
37 
38 /* the netlink family */
39 static struct genl_family nl80211_fam = {
40 	.id = GENL_ID_GENERATE,	/* don't bother with a hardcoded ID */
41 	.name = "nl80211",	/* have users key off the name instead */
42 	.hdrsize = 0,		/* no private header */
43 	.version = 1,		/* no particular meaning now */
44 	.maxattr = NL80211_ATTR_MAX,
45 	.netnsok = true,
46 	.pre_doit = nl80211_pre_doit,
47 	.post_doit = nl80211_post_doit,
48 };
49 
50 /* returns ERR_PTR values */
51 static struct wireless_dev *
52 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
53 {
54 	struct cfg80211_registered_device *rdev;
55 	struct wireless_dev *result = NULL;
56 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
57 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
58 	u64 wdev_id;
59 	int wiphy_idx = -1;
60 	int ifidx = -1;
61 
62 	assert_cfg80211_lock();
63 
64 	if (!have_ifidx && !have_wdev_id)
65 		return ERR_PTR(-EINVAL);
66 
67 	if (have_ifidx)
68 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
69 	if (have_wdev_id) {
70 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
71 		wiphy_idx = wdev_id >> 32;
72 	}
73 
74 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
75 		struct wireless_dev *wdev;
76 
77 		if (wiphy_net(&rdev->wiphy) != netns)
78 			continue;
79 
80 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
81 			continue;
82 
83 		mutex_lock(&rdev->devlist_mtx);
84 		list_for_each_entry(wdev, &rdev->wdev_list, list) {
85 			if (have_ifidx && wdev->netdev &&
86 			    wdev->netdev->ifindex == ifidx) {
87 				result = wdev;
88 				break;
89 			}
90 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
91 				result = wdev;
92 				break;
93 			}
94 		}
95 		mutex_unlock(&rdev->devlist_mtx);
96 
97 		if (result)
98 			break;
99 	}
100 
101 	if (result)
102 		return result;
103 	return ERR_PTR(-ENODEV);
104 }
105 
106 static struct cfg80211_registered_device *
107 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
108 {
109 	struct cfg80211_registered_device *rdev = NULL, *tmp;
110 	struct net_device *netdev;
111 
112 	assert_cfg80211_lock();
113 
114 	if (!attrs[NL80211_ATTR_WIPHY] &&
115 	    !attrs[NL80211_ATTR_IFINDEX] &&
116 	    !attrs[NL80211_ATTR_WDEV])
117 		return ERR_PTR(-EINVAL);
118 
119 	if (attrs[NL80211_ATTR_WIPHY])
120 		rdev = cfg80211_rdev_by_wiphy_idx(
121 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
122 
123 	if (attrs[NL80211_ATTR_WDEV]) {
124 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
125 		struct wireless_dev *wdev;
126 		bool found = false;
127 
128 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
129 		if (tmp) {
130 			/* make sure wdev exists */
131 			mutex_lock(&tmp->devlist_mtx);
132 			list_for_each_entry(wdev, &tmp->wdev_list, list) {
133 				if (wdev->identifier != (u32)wdev_id)
134 					continue;
135 				found = true;
136 				break;
137 			}
138 			mutex_unlock(&tmp->devlist_mtx);
139 
140 			if (!found)
141 				tmp = NULL;
142 
143 			if (rdev && tmp != rdev)
144 				return ERR_PTR(-EINVAL);
145 			rdev = tmp;
146 		}
147 	}
148 
149 	if (attrs[NL80211_ATTR_IFINDEX]) {
150 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
151 		netdev = dev_get_by_index(netns, ifindex);
152 		if (netdev) {
153 			if (netdev->ieee80211_ptr)
154 				tmp = wiphy_to_dev(
155 						netdev->ieee80211_ptr->wiphy);
156 			else
157 				tmp = NULL;
158 
159 			dev_put(netdev);
160 
161 			/* not wireless device -- return error */
162 			if (!tmp)
163 				return ERR_PTR(-EINVAL);
164 
165 			/* mismatch -- return error */
166 			if (rdev && tmp != rdev)
167 				return ERR_PTR(-EINVAL);
168 
169 			rdev = tmp;
170 		}
171 	}
172 
173 	if (!rdev)
174 		return ERR_PTR(-ENODEV);
175 
176 	if (netns != wiphy_net(&rdev->wiphy))
177 		return ERR_PTR(-ENODEV);
178 
179 	return rdev;
180 }
181 
182 /*
183  * This function returns a pointer to the driver
184  * that the genl_info item that is passed refers to.
185  * If successful, it returns non-NULL and also locks
186  * the driver's mutex!
187  *
188  * This means that you need to call cfg80211_unlock_rdev()
189  * before being allowed to acquire &cfg80211_mutex!
190  *
191  * This is necessary because we need to lock the global
192  * mutex to get an item off the list safely, and then
193  * we lock the rdev mutex so it doesn't go away under us.
194  *
195  * We don't want to keep cfg80211_mutex locked
196  * for all the time in order to allow requests on
197  * other interfaces to go through at the same time.
198  *
199  * The result of this can be a PTR_ERR and hence must
200  * be checked with IS_ERR() for errors.
201  */
202 static struct cfg80211_registered_device *
203 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
204 {
205 	struct cfg80211_registered_device *rdev;
206 
207 	mutex_lock(&cfg80211_mutex);
208 	rdev = __cfg80211_rdev_from_attrs(netns, info->attrs);
209 
210 	/* if it is not an error we grab the lock on
211 	 * it to assure it won't be going away while
212 	 * we operate on it */
213 	if (!IS_ERR(rdev))
214 		mutex_lock(&rdev->mtx);
215 
216 	mutex_unlock(&cfg80211_mutex);
217 
218 	return rdev;
219 }
220 
221 /* policy for the attributes */
222 static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
223 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
224 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
225 				      .len = 20-1 },
226 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
227 
228 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
229 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
230 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
231 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
232 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
233 
234 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = { .type = NLA_U8 },
235 	[NL80211_ATTR_WIPHY_RETRY_LONG] = { .type = NLA_U8 },
236 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
237 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
238 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
239 
240 	[NL80211_ATTR_IFTYPE] = { .type = NLA_U32 },
241 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
242 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
243 
244 	[NL80211_ATTR_MAC] = { .len = ETH_ALEN },
245 	[NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },
246 
247 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
248 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
249 				    .len = WLAN_MAX_KEY_LEN },
250 	[NL80211_ATTR_KEY_IDX] = { .type = NLA_U8 },
251 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
252 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
253 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
254 	[NL80211_ATTR_KEY_TYPE] = { .type = NLA_U32 },
255 
256 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
257 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
258 	[NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
259 				       .len = IEEE80211_MAX_DATA_LEN },
260 	[NL80211_ATTR_BEACON_TAIL] = { .type = NLA_BINARY,
261 				       .len = IEEE80211_MAX_DATA_LEN },
262 	[NL80211_ATTR_STA_AID] = { .type = NLA_U16 },
263 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
264 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
265 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
266 					       .len = NL80211_MAX_SUPP_RATES },
267 	[NL80211_ATTR_STA_PLINK_ACTION] = { .type = NLA_U8 },
268 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
269 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
270 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
271 				   .len = IEEE80211_MAX_MESH_ID_LEN },
272 	[NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
273 
274 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
275 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
276 
277 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
278 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
279 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
280 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
281 					   .len = NL80211_MAX_SUPP_RATES },
282 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
283 
284 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
285 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
286 
287 	[NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
288 
289 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
290 	[NL80211_ATTR_IE] = { .type = NLA_BINARY,
291 			      .len = IEEE80211_MAX_DATA_LEN },
292 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
293 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
294 
295 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
296 				.len = IEEE80211_MAX_SSID_LEN },
297 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
298 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
299 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
300 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
301 	[NL80211_ATTR_USE_MFP] = { .type = NLA_U32 },
302 	[NL80211_ATTR_STA_FLAGS2] = {
303 		.len = sizeof(struct nl80211_sta_flag_update),
304 	},
305 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
306 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
307 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
308 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
309 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
310 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
311 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
312 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
313 	[NL80211_ATTR_PMKID] = { .type = NLA_BINARY,
314 				 .len = WLAN_PMKID_LEN },
315 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
316 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
317 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
318 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
319 				 .len = IEEE80211_MAX_DATA_LEN },
320 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
321 	[NL80211_ATTR_PS_STATE] = { .type = NLA_U32 },
322 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
323 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
324 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
325 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
326 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
327 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
328 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
329 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
330 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
331 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
332 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
333 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
334 	[NL80211_ATTR_STA_PLINK_STATE] = { .type = NLA_U8 },
335 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
336 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
337 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
338 	[NL80211_ATTR_HIDDEN_SSID] = { .type = NLA_U32 },
339 	[NL80211_ATTR_IE_PROBE_RESP] = { .type = NLA_BINARY,
340 					 .len = IEEE80211_MAX_DATA_LEN },
341 	[NL80211_ATTR_IE_ASSOC_RESP] = { .type = NLA_BINARY,
342 					 .len = IEEE80211_MAX_DATA_LEN },
343 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
344 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
345 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
346 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
347 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
348 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
349 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
350 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
351 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
352 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
353 				      .len = IEEE80211_MAX_DATA_LEN },
354 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
355 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
356 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
357 		.len = NL80211_HT_CAPABILITY_LEN
358 	},
359 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
360 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
361 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
362 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
363 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
364 	[NL80211_ATTR_SAE_DATA] = { .type = NLA_BINARY, },
365 	[NL80211_ATTR_VHT_CAPABILITY] = { .len = NL80211_VHT_CAPABILITY_LEN },
366 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
367 	[NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
368 	[NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
369 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
370 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
371 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
372 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
373 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
374 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
375 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
376 		.len = NL80211_VHT_CAPABILITY_LEN,
377 	},
378 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
379 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
380 				  .len = IEEE80211_MAX_DATA_LEN },
381 };
382 
383 /* policy for the key attributes */
384 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
385 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
386 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
387 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
388 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
389 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
390 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
391 	[NL80211_KEY_TYPE] = { .type = NLA_U32 },
392 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
393 };
394 
395 /* policy for the key default flags */
396 static const struct nla_policy
397 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
398 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
399 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
400 };
401 
402 /* policy for WoWLAN attributes */
403 static const struct nla_policy
404 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
405 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
406 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
407 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
408 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
409 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
410 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
411 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
412 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
413 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
414 };
415 
416 static const struct nla_policy
417 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
418 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
419 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
420 	[NL80211_WOWLAN_TCP_DST_MAC] = { .len = ETH_ALEN },
421 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
422 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
423 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = { .len = 1 },
424 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
425 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
426 	},
427 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
428 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
429 	},
430 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
431 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = { .len = 1 },
432 	[NL80211_WOWLAN_TCP_WAKE_MASK] = { .len = 1 },
433 };
434 
435 /* policy for GTK rekey offload attributes */
436 static const struct nla_policy
437 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
438 	[NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
439 	[NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
440 	[NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
441 };
442 
443 static const struct nla_policy
444 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
445 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
446 						 .len = IEEE80211_MAX_SSID_LEN },
447 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
448 };
449 
450 static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
451 				     struct netlink_callback *cb,
452 				     struct cfg80211_registered_device **rdev,
453 				     struct wireless_dev **wdev)
454 {
455 	int err;
456 
457 	rtnl_lock();
458 	mutex_lock(&cfg80211_mutex);
459 
460 	if (!cb->args[0]) {
461 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
462 				  nl80211_fam.attrbuf, nl80211_fam.maxattr,
463 				  nl80211_policy);
464 		if (err)
465 			goto out_unlock;
466 
467 		*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk),
468 						   nl80211_fam.attrbuf);
469 		if (IS_ERR(*wdev)) {
470 			err = PTR_ERR(*wdev);
471 			goto out_unlock;
472 		}
473 		*rdev = wiphy_to_dev((*wdev)->wiphy);
474 		cb->args[0] = (*rdev)->wiphy_idx;
475 		cb->args[1] = (*wdev)->identifier;
476 	} else {
477 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0]);
478 		struct wireless_dev *tmp;
479 
480 		if (!wiphy) {
481 			err = -ENODEV;
482 			goto out_unlock;
483 		}
484 		*rdev = wiphy_to_dev(wiphy);
485 		*wdev = NULL;
486 
487 		mutex_lock(&(*rdev)->devlist_mtx);
488 		list_for_each_entry(tmp, &(*rdev)->wdev_list, list) {
489 			if (tmp->identifier == cb->args[1]) {
490 				*wdev = tmp;
491 				break;
492 			}
493 		}
494 		mutex_unlock(&(*rdev)->devlist_mtx);
495 
496 		if (!*wdev) {
497 			err = -ENODEV;
498 			goto out_unlock;
499 		}
500 	}
501 
502 	cfg80211_lock_rdev(*rdev);
503 
504 	mutex_unlock(&cfg80211_mutex);
505 	return 0;
506  out_unlock:
507 	mutex_unlock(&cfg80211_mutex);
508 	rtnl_unlock();
509 	return err;
510 }
511 
512 static void nl80211_finish_wdev_dump(struct cfg80211_registered_device *rdev)
513 {
514 	cfg80211_unlock_rdev(rdev);
515 	rtnl_unlock();
516 }
517 
518 /* IE validation */
519 static bool is_valid_ie_attr(const struct nlattr *attr)
520 {
521 	const u8 *pos;
522 	int len;
523 
524 	if (!attr)
525 		return true;
526 
527 	pos = nla_data(attr);
528 	len = nla_len(attr);
529 
530 	while (len) {
531 		u8 elemlen;
532 
533 		if (len < 2)
534 			return false;
535 		len -= 2;
536 
537 		elemlen = pos[1];
538 		if (elemlen > len)
539 			return false;
540 
541 		len -= elemlen;
542 		pos += 2 + elemlen;
543 	}
544 
545 	return true;
546 }
547 
548 /* message building helper */
549 static inline void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
550 				   int flags, u8 cmd)
551 {
552 	/* since there is no private header just add the generic one */
553 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
554 }
555 
556 static int nl80211_msg_put_channel(struct sk_buff *msg,
557 				   struct ieee80211_channel *chan,
558 				   bool large)
559 {
560 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
561 			chan->center_freq))
562 		goto nla_put_failure;
563 
564 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
565 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
566 		goto nla_put_failure;
567 	if ((chan->flags & IEEE80211_CHAN_PASSIVE_SCAN) &&
568 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_PASSIVE_SCAN))
569 		goto nla_put_failure;
570 	if ((chan->flags & IEEE80211_CHAN_NO_IBSS) &&
571 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IBSS))
572 		goto nla_put_failure;
573 	if (chan->flags & IEEE80211_CHAN_RADAR) {
574 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
575 			goto nla_put_failure;
576 		if (large) {
577 			u32 time;
578 
579 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
580 
581 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
582 					chan->dfs_state))
583 				goto nla_put_failure;
584 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
585 					time))
586 				goto nla_put_failure;
587 		}
588 	}
589 
590 	if (large) {
591 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
592 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
593 			goto nla_put_failure;
594 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
595 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
596 			goto nla_put_failure;
597 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
598 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
599 			goto nla_put_failure;
600 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
601 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
602 			goto nla_put_failure;
603 	}
604 
605 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
606 			DBM_TO_MBM(chan->max_power)))
607 		goto nla_put_failure;
608 
609 	return 0;
610 
611  nla_put_failure:
612 	return -ENOBUFS;
613 }
614 
615 /* netlink command implementations */
616 
617 struct key_parse {
618 	struct key_params p;
619 	int idx;
620 	int type;
621 	bool def, defmgmt;
622 	bool def_uni, def_multi;
623 };
624 
625 static int nl80211_parse_key_new(struct nlattr *key, struct key_parse *k)
626 {
627 	struct nlattr *tb[NL80211_KEY_MAX + 1];
628 	int err = nla_parse_nested(tb, NL80211_KEY_MAX, key,
629 				   nl80211_key_policy);
630 	if (err)
631 		return err;
632 
633 	k->def = !!tb[NL80211_KEY_DEFAULT];
634 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
635 
636 	if (k->def) {
637 		k->def_uni = true;
638 		k->def_multi = true;
639 	}
640 	if (k->defmgmt)
641 		k->def_multi = true;
642 
643 	if (tb[NL80211_KEY_IDX])
644 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
645 
646 	if (tb[NL80211_KEY_DATA]) {
647 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
648 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
649 	}
650 
651 	if (tb[NL80211_KEY_SEQ]) {
652 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
653 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
654 	}
655 
656 	if (tb[NL80211_KEY_CIPHER])
657 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
658 
659 	if (tb[NL80211_KEY_TYPE]) {
660 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
661 		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
662 			return -EINVAL;
663 	}
664 
665 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
666 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
667 		err = nla_parse_nested(kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
668 				       tb[NL80211_KEY_DEFAULT_TYPES],
669 				       nl80211_key_default_policy);
670 		if (err)
671 			return err;
672 
673 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
674 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
675 	}
676 
677 	return 0;
678 }
679 
680 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
681 {
682 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
683 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
684 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
685 	}
686 
687 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
688 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
689 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
690 	}
691 
692 	if (info->attrs[NL80211_ATTR_KEY_IDX])
693 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
694 
695 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
696 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
697 
698 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
699 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
700 
701 	if (k->def) {
702 		k->def_uni = true;
703 		k->def_multi = true;
704 	}
705 	if (k->defmgmt)
706 		k->def_multi = true;
707 
708 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
709 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
710 		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
711 			return -EINVAL;
712 	}
713 
714 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
715 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
716 		int err = nla_parse_nested(
717 				kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
718 				info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
719 				nl80211_key_default_policy);
720 		if (err)
721 			return err;
722 
723 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
724 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
725 	}
726 
727 	return 0;
728 }
729 
730 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
731 {
732 	int err;
733 
734 	memset(k, 0, sizeof(*k));
735 	k->idx = -1;
736 	k->type = -1;
737 
738 	if (info->attrs[NL80211_ATTR_KEY])
739 		err = nl80211_parse_key_new(info->attrs[NL80211_ATTR_KEY], k);
740 	else
741 		err = nl80211_parse_key_old(info, k);
742 
743 	if (err)
744 		return err;
745 
746 	if (k->def && k->defmgmt)
747 		return -EINVAL;
748 
749 	if (k->defmgmt) {
750 		if (k->def_uni || !k->def_multi)
751 			return -EINVAL;
752 	}
753 
754 	if (k->idx != -1) {
755 		if (k->defmgmt) {
756 			if (k->idx < 4 || k->idx > 5)
757 				return -EINVAL;
758 		} else if (k->def) {
759 			if (k->idx < 0 || k->idx > 3)
760 				return -EINVAL;
761 		} else {
762 			if (k->idx < 0 || k->idx > 5)
763 				return -EINVAL;
764 		}
765 	}
766 
767 	return 0;
768 }
769 
770 static struct cfg80211_cached_keys *
771 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
772 		       struct nlattr *keys, bool *no_ht)
773 {
774 	struct key_parse parse;
775 	struct nlattr *key;
776 	struct cfg80211_cached_keys *result;
777 	int rem, err, def = 0;
778 
779 	result = kzalloc(sizeof(*result), GFP_KERNEL);
780 	if (!result)
781 		return ERR_PTR(-ENOMEM);
782 
783 	result->def = -1;
784 	result->defmgmt = -1;
785 
786 	nla_for_each_nested(key, keys, rem) {
787 		memset(&parse, 0, sizeof(parse));
788 		parse.idx = -1;
789 
790 		err = nl80211_parse_key_new(key, &parse);
791 		if (err)
792 			goto error;
793 		err = -EINVAL;
794 		if (!parse.p.key)
795 			goto error;
796 		if (parse.idx < 0 || parse.idx > 4)
797 			goto error;
798 		if (parse.def) {
799 			if (def)
800 				goto error;
801 			def = 1;
802 			result->def = parse.idx;
803 			if (!parse.def_uni || !parse.def_multi)
804 				goto error;
805 		} else if (parse.defmgmt)
806 			goto error;
807 		err = cfg80211_validate_key_settings(rdev, &parse.p,
808 						     parse.idx, false, NULL);
809 		if (err)
810 			goto error;
811 		result->params[parse.idx].cipher = parse.p.cipher;
812 		result->params[parse.idx].key_len = parse.p.key_len;
813 		result->params[parse.idx].key = result->data[parse.idx];
814 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
815 
816 		if (parse.p.cipher == WLAN_CIPHER_SUITE_WEP40 ||
817 		    parse.p.cipher == WLAN_CIPHER_SUITE_WEP104) {
818 			if (no_ht)
819 				*no_ht = true;
820 		}
821 	}
822 
823 	return result;
824  error:
825 	kfree(result);
826 	return ERR_PTR(err);
827 }
828 
829 static int nl80211_key_allowed(struct wireless_dev *wdev)
830 {
831 	ASSERT_WDEV_LOCK(wdev);
832 
833 	switch (wdev->iftype) {
834 	case NL80211_IFTYPE_AP:
835 	case NL80211_IFTYPE_AP_VLAN:
836 	case NL80211_IFTYPE_P2P_GO:
837 	case NL80211_IFTYPE_MESH_POINT:
838 		break;
839 	case NL80211_IFTYPE_ADHOC:
840 		if (!wdev->current_bss)
841 			return -ENOLINK;
842 		break;
843 	case NL80211_IFTYPE_STATION:
844 	case NL80211_IFTYPE_P2P_CLIENT:
845 		if (wdev->sme_state != CFG80211_SME_CONNECTED)
846 			return -ENOLINK;
847 		break;
848 	default:
849 		return -EINVAL;
850 	}
851 
852 	return 0;
853 }
854 
855 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
856 {
857 	struct nlattr *nl_modes = nla_nest_start(msg, attr);
858 	int i;
859 
860 	if (!nl_modes)
861 		goto nla_put_failure;
862 
863 	i = 0;
864 	while (ifmodes) {
865 		if ((ifmodes & 1) && nla_put_flag(msg, i))
866 			goto nla_put_failure;
867 		ifmodes >>= 1;
868 		i++;
869 	}
870 
871 	nla_nest_end(msg, nl_modes);
872 	return 0;
873 
874 nla_put_failure:
875 	return -ENOBUFS;
876 }
877 
878 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
879 					  struct sk_buff *msg,
880 					  bool large)
881 {
882 	struct nlattr *nl_combis;
883 	int i, j;
884 
885 	nl_combis = nla_nest_start(msg,
886 				NL80211_ATTR_INTERFACE_COMBINATIONS);
887 	if (!nl_combis)
888 		goto nla_put_failure;
889 
890 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
891 		const struct ieee80211_iface_combination *c;
892 		struct nlattr *nl_combi, *nl_limits;
893 
894 		c = &wiphy->iface_combinations[i];
895 
896 		nl_combi = nla_nest_start(msg, i + 1);
897 		if (!nl_combi)
898 			goto nla_put_failure;
899 
900 		nl_limits = nla_nest_start(msg, NL80211_IFACE_COMB_LIMITS);
901 		if (!nl_limits)
902 			goto nla_put_failure;
903 
904 		for (j = 0; j < c->n_limits; j++) {
905 			struct nlattr *nl_limit;
906 
907 			nl_limit = nla_nest_start(msg, j + 1);
908 			if (!nl_limit)
909 				goto nla_put_failure;
910 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
911 					c->limits[j].max))
912 				goto nla_put_failure;
913 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
914 						c->limits[j].types))
915 				goto nla_put_failure;
916 			nla_nest_end(msg, nl_limit);
917 		}
918 
919 		nla_nest_end(msg, nl_limits);
920 
921 		if (c->beacon_int_infra_match &&
922 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
923 			goto nla_put_failure;
924 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
925 				c->num_different_channels) ||
926 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
927 				c->max_interfaces))
928 			goto nla_put_failure;
929 		if (large &&
930 		    nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
931 				c->radar_detect_widths))
932 			goto nla_put_failure;
933 
934 		nla_nest_end(msg, nl_combi);
935 	}
936 
937 	nla_nest_end(msg, nl_combis);
938 
939 	return 0;
940 nla_put_failure:
941 	return -ENOBUFS;
942 }
943 
944 #ifdef CONFIG_PM
945 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
946 					struct sk_buff *msg)
947 {
948 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan.tcp;
949 	struct nlattr *nl_tcp;
950 
951 	if (!tcp)
952 		return 0;
953 
954 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
955 	if (!nl_tcp)
956 		return -ENOBUFS;
957 
958 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
959 			tcp->data_payload_max))
960 		return -ENOBUFS;
961 
962 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
963 			tcp->data_payload_max))
964 		return -ENOBUFS;
965 
966 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
967 		return -ENOBUFS;
968 
969 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
970 				sizeof(*tcp->tok), tcp->tok))
971 		return -ENOBUFS;
972 
973 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
974 			tcp->data_interval_max))
975 		return -ENOBUFS;
976 
977 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
978 			tcp->wake_payload_max))
979 		return -ENOBUFS;
980 
981 	nla_nest_end(msg, nl_tcp);
982 	return 0;
983 }
984 
985 static int nl80211_send_wowlan(struct sk_buff *msg,
986 			       struct cfg80211_registered_device *dev,
987 			       bool large)
988 {
989 	struct nlattr *nl_wowlan;
990 
991 	if (!dev->wiphy.wowlan.flags && !dev->wiphy.wowlan.n_patterns)
992 		return 0;
993 
994 	nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
995 	if (!nl_wowlan)
996 		return -ENOBUFS;
997 
998 	if (((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_ANY) &&
999 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1000 	    ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_DISCONNECT) &&
1001 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1002 	    ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1003 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1004 	    ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1005 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1006 	    ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1007 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1008 	    ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1009 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1010 	    ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1011 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1012 	    ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1013 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1014 		return -ENOBUFS;
1015 
1016 	if (dev->wiphy.wowlan.n_patterns) {
1017 		struct nl80211_wowlan_pattern_support pat = {
1018 			.max_patterns = dev->wiphy.wowlan.n_patterns,
1019 			.min_pattern_len = dev->wiphy.wowlan.pattern_min_len,
1020 			.max_pattern_len = dev->wiphy.wowlan.pattern_max_len,
1021 			.max_pkt_offset = dev->wiphy.wowlan.max_pkt_offset,
1022 		};
1023 
1024 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1025 			    sizeof(pat), &pat))
1026 			return -ENOBUFS;
1027 	}
1028 
1029 	if (large && nl80211_send_wowlan_tcp_caps(dev, msg))
1030 		return -ENOBUFS;
1031 
1032 	nla_nest_end(msg, nl_wowlan);
1033 
1034 	return 0;
1035 }
1036 #endif
1037 
1038 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1039 				      struct ieee80211_supported_band *sband)
1040 {
1041 	struct nlattr *nl_rates, *nl_rate;
1042 	struct ieee80211_rate *rate;
1043 	int i;
1044 
1045 	/* add HT info */
1046 	if (sband->ht_cap.ht_supported &&
1047 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1048 		     sizeof(sband->ht_cap.mcs),
1049 		     &sband->ht_cap.mcs) ||
1050 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1051 			 sband->ht_cap.cap) ||
1052 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1053 			sband->ht_cap.ampdu_factor) ||
1054 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1055 			sband->ht_cap.ampdu_density)))
1056 		return -ENOBUFS;
1057 
1058 	/* add VHT info */
1059 	if (sband->vht_cap.vht_supported &&
1060 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1061 		     sizeof(sband->vht_cap.vht_mcs),
1062 		     &sband->vht_cap.vht_mcs) ||
1063 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1064 			 sband->vht_cap.cap)))
1065 		return -ENOBUFS;
1066 
1067 	/* add bitrates */
1068 	nl_rates = nla_nest_start(msg, NL80211_BAND_ATTR_RATES);
1069 	if (!nl_rates)
1070 		return -ENOBUFS;
1071 
1072 	for (i = 0; i < sband->n_bitrates; i++) {
1073 		nl_rate = nla_nest_start(msg, i);
1074 		if (!nl_rate)
1075 			return -ENOBUFS;
1076 
1077 		rate = &sband->bitrates[i];
1078 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1079 				rate->bitrate))
1080 			return -ENOBUFS;
1081 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1082 		    nla_put_flag(msg,
1083 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1084 			return -ENOBUFS;
1085 
1086 		nla_nest_end(msg, nl_rate);
1087 	}
1088 
1089 	nla_nest_end(msg, nl_rates);
1090 
1091 	return 0;
1092 }
1093 
1094 static int
1095 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1096 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1097 {
1098 	u16 stypes;
1099 	struct nlattr *nl_ftypes, *nl_ifs;
1100 	enum nl80211_iftype ift;
1101 	int i;
1102 
1103 	if (!mgmt_stypes)
1104 		return 0;
1105 
1106 	nl_ifs = nla_nest_start(msg, NL80211_ATTR_TX_FRAME_TYPES);
1107 	if (!nl_ifs)
1108 		return -ENOBUFS;
1109 
1110 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1111 		nl_ftypes = nla_nest_start(msg, ift);
1112 		if (!nl_ftypes)
1113 			return -ENOBUFS;
1114 		i = 0;
1115 		stypes = mgmt_stypes[ift].tx;
1116 		while (stypes) {
1117 			if ((stypes & 1) &&
1118 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1119 					(i << 4) | IEEE80211_FTYPE_MGMT))
1120 				return -ENOBUFS;
1121 			stypes >>= 1;
1122 			i++;
1123 		}
1124 		nla_nest_end(msg, nl_ftypes);
1125 	}
1126 
1127 	nla_nest_end(msg, nl_ifs);
1128 
1129 	nl_ifs = nla_nest_start(msg, NL80211_ATTR_RX_FRAME_TYPES);
1130 	if (!nl_ifs)
1131 		return -ENOBUFS;
1132 
1133 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1134 		nl_ftypes = nla_nest_start(msg, ift);
1135 		if (!nl_ftypes)
1136 			return -ENOBUFS;
1137 		i = 0;
1138 		stypes = mgmt_stypes[ift].rx;
1139 		while (stypes) {
1140 			if ((stypes & 1) &&
1141 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1142 					(i << 4) | IEEE80211_FTYPE_MGMT))
1143 				return -ENOBUFS;
1144 			stypes >>= 1;
1145 			i++;
1146 		}
1147 		nla_nest_end(msg, nl_ftypes);
1148 	}
1149 	nla_nest_end(msg, nl_ifs);
1150 
1151 	return 0;
1152 }
1153 
1154 static int nl80211_send_wiphy(struct cfg80211_registered_device *dev,
1155 			      struct sk_buff *msg, u32 portid, u32 seq,
1156 			      int flags, bool split, long *split_start,
1157 			      long *band_start, long *chan_start)
1158 {
1159 	void *hdr;
1160 	struct nlattr *nl_bands, *nl_band;
1161 	struct nlattr *nl_freqs, *nl_freq;
1162 	struct nlattr *nl_cmds;
1163 	enum ieee80211_band band;
1164 	struct ieee80211_channel *chan;
1165 	int i;
1166 	const struct ieee80211_txrx_stypes *mgmt_stypes =
1167 				dev->wiphy.mgmt_stypes;
1168 	long start = 0, start_chan = 0, start_band = 0;
1169 	u32 features;
1170 
1171 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_WIPHY);
1172 	if (!hdr)
1173 		return -ENOBUFS;
1174 
1175 	/* allow always using the variables */
1176 	if (!split) {
1177 		split_start = &start;
1178 		band_start = &start_band;
1179 		chan_start = &start_chan;
1180 	}
1181 
1182 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, dev->wiphy_idx) ||
1183 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
1184 			   wiphy_name(&dev->wiphy)) ||
1185 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
1186 			cfg80211_rdev_list_generation))
1187 		goto nla_put_failure;
1188 
1189 	switch (*split_start) {
1190 	case 0:
1191 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
1192 			       dev->wiphy.retry_short) ||
1193 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
1194 			       dev->wiphy.retry_long) ||
1195 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
1196 				dev->wiphy.frag_threshold) ||
1197 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
1198 				dev->wiphy.rts_threshold) ||
1199 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
1200 			       dev->wiphy.coverage_class) ||
1201 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
1202 			       dev->wiphy.max_scan_ssids) ||
1203 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
1204 			       dev->wiphy.max_sched_scan_ssids) ||
1205 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
1206 				dev->wiphy.max_scan_ie_len) ||
1207 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
1208 				dev->wiphy.max_sched_scan_ie_len) ||
1209 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
1210 			       dev->wiphy.max_match_sets))
1211 			goto nla_put_failure;
1212 
1213 		if ((dev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
1214 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
1215 			goto nla_put_failure;
1216 		if ((dev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
1217 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
1218 			goto nla_put_failure;
1219 		if ((dev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
1220 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
1221 			goto nla_put_failure;
1222 		if ((dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
1223 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
1224 			goto nla_put_failure;
1225 		if ((dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
1226 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
1227 			goto nla_put_failure;
1228 		if ((dev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
1229 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
1230 			goto nla_put_failure;
1231 
1232 		(*split_start)++;
1233 		if (split)
1234 			break;
1235 	case 1:
1236 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
1237 			    sizeof(u32) * dev->wiphy.n_cipher_suites,
1238 			    dev->wiphy.cipher_suites))
1239 			goto nla_put_failure;
1240 
1241 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
1242 			       dev->wiphy.max_num_pmkids))
1243 			goto nla_put_failure;
1244 
1245 		if ((dev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
1246 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
1247 			goto nla_put_failure;
1248 
1249 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
1250 				dev->wiphy.available_antennas_tx) ||
1251 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
1252 				dev->wiphy.available_antennas_rx))
1253 			goto nla_put_failure;
1254 
1255 		if ((dev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
1256 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
1257 				dev->wiphy.probe_resp_offload))
1258 			goto nla_put_failure;
1259 
1260 		if ((dev->wiphy.available_antennas_tx ||
1261 		     dev->wiphy.available_antennas_rx) &&
1262 		    dev->ops->get_antenna) {
1263 			u32 tx_ant = 0, rx_ant = 0;
1264 			int res;
1265 			res = rdev_get_antenna(dev, &tx_ant, &rx_ant);
1266 			if (!res) {
1267 				if (nla_put_u32(msg,
1268 						NL80211_ATTR_WIPHY_ANTENNA_TX,
1269 						tx_ant) ||
1270 				    nla_put_u32(msg,
1271 						NL80211_ATTR_WIPHY_ANTENNA_RX,
1272 						rx_ant))
1273 					goto nla_put_failure;
1274 			}
1275 		}
1276 
1277 		(*split_start)++;
1278 		if (split)
1279 			break;
1280 	case 2:
1281 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
1282 					dev->wiphy.interface_modes))
1283 				goto nla_put_failure;
1284 		(*split_start)++;
1285 		if (split)
1286 			break;
1287 	case 3:
1288 		nl_bands = nla_nest_start(msg, NL80211_ATTR_WIPHY_BANDS);
1289 		if (!nl_bands)
1290 			goto nla_put_failure;
1291 
1292 		for (band = *band_start; band < IEEE80211_NUM_BANDS; band++) {
1293 			struct ieee80211_supported_band *sband;
1294 
1295 			sband = dev->wiphy.bands[band];
1296 
1297 			if (!sband)
1298 				continue;
1299 
1300 			nl_band = nla_nest_start(msg, band);
1301 			if (!nl_band)
1302 				goto nla_put_failure;
1303 
1304 			switch (*chan_start) {
1305 			case 0:
1306 				if (nl80211_send_band_rateinfo(msg, sband))
1307 					goto nla_put_failure;
1308 				(*chan_start)++;
1309 				if (split)
1310 					break;
1311 			default:
1312 				/* add frequencies */
1313 				nl_freqs = nla_nest_start(
1314 					msg, NL80211_BAND_ATTR_FREQS);
1315 				if (!nl_freqs)
1316 					goto nla_put_failure;
1317 
1318 				for (i = *chan_start - 1;
1319 				     i < sband->n_channels;
1320 				     i++) {
1321 					nl_freq = nla_nest_start(msg, i);
1322 					if (!nl_freq)
1323 						goto nla_put_failure;
1324 
1325 					chan = &sband->channels[i];
1326 
1327 					if (nl80211_msg_put_channel(msg, chan,
1328 								    split))
1329 						goto nla_put_failure;
1330 
1331 					nla_nest_end(msg, nl_freq);
1332 					if (split)
1333 						break;
1334 				}
1335 				if (i < sband->n_channels)
1336 					*chan_start = i + 2;
1337 				else
1338 					*chan_start = 0;
1339 				nla_nest_end(msg, nl_freqs);
1340 			}
1341 
1342 			nla_nest_end(msg, nl_band);
1343 
1344 			if (split) {
1345 				/* start again here */
1346 				if (*chan_start)
1347 					band--;
1348 				break;
1349 			}
1350 		}
1351 		nla_nest_end(msg, nl_bands);
1352 
1353 		if (band < IEEE80211_NUM_BANDS)
1354 			*band_start = band + 1;
1355 		else
1356 			*band_start = 0;
1357 
1358 		/* if bands & channels are done, continue outside */
1359 		if (*band_start == 0 && *chan_start == 0)
1360 			(*split_start)++;
1361 		if (split)
1362 			break;
1363 	case 4:
1364 		nl_cmds = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_COMMANDS);
1365 		if (!nl_cmds)
1366 			goto nla_put_failure;
1367 
1368 		i = 0;
1369 #define CMD(op, n)							\
1370 		 do {							\
1371 			if (dev->ops->op) {				\
1372 				i++;					\
1373 				if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) \
1374 					goto nla_put_failure;		\
1375 			}						\
1376 		} while (0)
1377 
1378 		CMD(add_virtual_intf, NEW_INTERFACE);
1379 		CMD(change_virtual_intf, SET_INTERFACE);
1380 		CMD(add_key, NEW_KEY);
1381 		CMD(start_ap, START_AP);
1382 		CMD(add_station, NEW_STATION);
1383 		CMD(add_mpath, NEW_MPATH);
1384 		CMD(update_mesh_config, SET_MESH_CONFIG);
1385 		CMD(change_bss, SET_BSS);
1386 		CMD(auth, AUTHENTICATE);
1387 		CMD(assoc, ASSOCIATE);
1388 		CMD(deauth, DEAUTHENTICATE);
1389 		CMD(disassoc, DISASSOCIATE);
1390 		CMD(join_ibss, JOIN_IBSS);
1391 		CMD(join_mesh, JOIN_MESH);
1392 		CMD(set_pmksa, SET_PMKSA);
1393 		CMD(del_pmksa, DEL_PMKSA);
1394 		CMD(flush_pmksa, FLUSH_PMKSA);
1395 		if (dev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1396 			CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1397 		CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1398 		CMD(mgmt_tx, FRAME);
1399 		CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1400 		if (dev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1401 			i++;
1402 			if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1403 				goto nla_put_failure;
1404 		}
1405 		if (dev->ops->set_monitor_channel || dev->ops->start_ap ||
1406 		    dev->ops->join_mesh) {
1407 			i++;
1408 			if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1409 				goto nla_put_failure;
1410 		}
1411 		CMD(set_wds_peer, SET_WDS_PEER);
1412 		if (dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1413 			CMD(tdls_mgmt, TDLS_MGMT);
1414 			CMD(tdls_oper, TDLS_OPER);
1415 		}
1416 		if (dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
1417 			CMD(sched_scan_start, START_SCHED_SCAN);
1418 		CMD(probe_client, PROBE_CLIENT);
1419 		CMD(set_noack_map, SET_NOACK_MAP);
1420 		if (dev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1421 			i++;
1422 			if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1423 				goto nla_put_failure;
1424 		}
1425 		CMD(start_p2p_device, START_P2P_DEVICE);
1426 		CMD(set_mcast_rate, SET_MCAST_RATE);
1427 		if (split) {
1428 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
1429 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
1430 		}
1431 
1432 #ifdef CONFIG_NL80211_TESTMODE
1433 		CMD(testmode_cmd, TESTMODE);
1434 #endif
1435 
1436 #undef CMD
1437 
1438 		if (dev->ops->connect || dev->ops->auth) {
1439 			i++;
1440 			if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1441 				goto nla_put_failure;
1442 		}
1443 
1444 		if (dev->ops->disconnect || dev->ops->deauth) {
1445 			i++;
1446 			if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1447 				goto nla_put_failure;
1448 		}
1449 
1450 		nla_nest_end(msg, nl_cmds);
1451 		(*split_start)++;
1452 		if (split)
1453 			break;
1454 	case 5:
1455 		if (dev->ops->remain_on_channel &&
1456 		    (dev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
1457 		    nla_put_u32(msg,
1458 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
1459 				dev->wiphy.max_remain_on_channel_duration))
1460 			goto nla_put_failure;
1461 
1462 		if ((dev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
1463 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
1464 			goto nla_put_failure;
1465 
1466 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
1467 			goto nla_put_failure;
1468 		(*split_start)++;
1469 		if (split)
1470 			break;
1471 	case 6:
1472 #ifdef CONFIG_PM
1473 		if (nl80211_send_wowlan(msg, dev, split))
1474 			goto nla_put_failure;
1475 		(*split_start)++;
1476 		if (split)
1477 			break;
1478 #else
1479 		(*split_start)++;
1480 #endif
1481 	case 7:
1482 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
1483 					dev->wiphy.software_iftypes))
1484 			goto nla_put_failure;
1485 
1486 		if (nl80211_put_iface_combinations(&dev->wiphy, msg, split))
1487 			goto nla_put_failure;
1488 
1489 		(*split_start)++;
1490 		if (split)
1491 			break;
1492 	case 8:
1493 		if ((dev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
1494 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
1495 				dev->wiphy.ap_sme_capa))
1496 			goto nla_put_failure;
1497 
1498 		features = dev->wiphy.features;
1499 		/*
1500 		 * We can only add the per-channel limit information if the
1501 		 * dump is split, otherwise it makes it too big. Therefore
1502 		 * only advertise it in that case.
1503 		 */
1504 		if (split)
1505 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
1506 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
1507 			goto nla_put_failure;
1508 
1509 		if (dev->wiphy.ht_capa_mod_mask &&
1510 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
1511 			    sizeof(*dev->wiphy.ht_capa_mod_mask),
1512 			    dev->wiphy.ht_capa_mod_mask))
1513 			goto nla_put_failure;
1514 
1515 		if (dev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
1516 		    dev->wiphy.max_acl_mac_addrs &&
1517 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
1518 				dev->wiphy.max_acl_mac_addrs))
1519 			goto nla_put_failure;
1520 
1521 		/*
1522 		 * Any information below this point is only available to
1523 		 * applications that can deal with it being split. This
1524 		 * helps ensure that newly added capabilities don't break
1525 		 * older tools by overrunning their buffers.
1526 		 *
1527 		 * We still increment split_start so that in the split
1528 		 * case we'll continue with more data in the next round,
1529 		 * but break unconditionally so unsplit data stops here.
1530 		 */
1531 		(*split_start)++;
1532 		break;
1533 	case 9:
1534 		if (dev->wiphy.extended_capabilities &&
1535 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
1536 			     dev->wiphy.extended_capabilities_len,
1537 			     dev->wiphy.extended_capabilities) ||
1538 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
1539 			     dev->wiphy.extended_capabilities_len,
1540 			     dev->wiphy.extended_capabilities_mask)))
1541 			goto nla_put_failure;
1542 
1543 		if (dev->wiphy.vht_capa_mod_mask &&
1544 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
1545 			    sizeof(*dev->wiphy.vht_capa_mod_mask),
1546 			    dev->wiphy.vht_capa_mod_mask))
1547 			goto nla_put_failure;
1548 
1549 		/* done */
1550 		*split_start = 0;
1551 		break;
1552 	}
1553 	return genlmsg_end(msg, hdr);
1554 
1555  nla_put_failure:
1556 	genlmsg_cancel(msg, hdr);
1557 	return -EMSGSIZE;
1558 }
1559 
1560 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
1561 {
1562 	int idx = 0, ret;
1563 	int start = cb->args[0];
1564 	struct cfg80211_registered_device *dev;
1565 	s64 filter_wiphy = -1;
1566 	bool split = false;
1567 	struct nlattr **tb;
1568 	int res;
1569 
1570 	/* will be zeroed in nlmsg_parse() */
1571 	tb = kmalloc(sizeof(*tb) * (NL80211_ATTR_MAX + 1), GFP_KERNEL);
1572 	if (!tb)
1573 		return -ENOMEM;
1574 
1575 	mutex_lock(&cfg80211_mutex);
1576 	res = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
1577 			  tb, NL80211_ATTR_MAX, nl80211_policy);
1578 	if (res == 0) {
1579 		split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
1580 		if (tb[NL80211_ATTR_WIPHY])
1581 			filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
1582 		if (tb[NL80211_ATTR_WDEV])
1583 			filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
1584 		if (tb[NL80211_ATTR_IFINDEX]) {
1585 			struct net_device *netdev;
1586 			int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
1587 
1588 			netdev = dev_get_by_index(sock_net(skb->sk), ifidx);
1589 			if (!netdev) {
1590 				mutex_unlock(&cfg80211_mutex);
1591 				kfree(tb);
1592 				return -ENODEV;
1593 			}
1594 			if (netdev->ieee80211_ptr) {
1595 				dev = wiphy_to_dev(
1596 					netdev->ieee80211_ptr->wiphy);
1597 				filter_wiphy = dev->wiphy_idx;
1598 			}
1599 			dev_put(netdev);
1600 		}
1601 	}
1602 	kfree(tb);
1603 
1604 	list_for_each_entry(dev, &cfg80211_rdev_list, list) {
1605 		if (!net_eq(wiphy_net(&dev->wiphy), sock_net(skb->sk)))
1606 			continue;
1607 		if (++idx <= start)
1608 			continue;
1609 		if (filter_wiphy != -1 && dev->wiphy_idx != filter_wiphy)
1610 			continue;
1611 		/* attempt to fit multiple wiphy data chunks into the skb */
1612 		do {
1613 			ret = nl80211_send_wiphy(dev, skb,
1614 						 NETLINK_CB(cb->skb).portid,
1615 						 cb->nlh->nlmsg_seq,
1616 						 NLM_F_MULTI,
1617 						 split, &cb->args[1],
1618 						 &cb->args[2],
1619 						 &cb->args[3]);
1620 			if (ret < 0) {
1621 				/*
1622 				 * If sending the wiphy data didn't fit (ENOBUFS
1623 				 * or EMSGSIZE returned), this SKB is still
1624 				 * empty (so it's not too big because another
1625 				 * wiphy dataset is already in the skb) and
1626 				 * we've not tried to adjust the dump allocation
1627 				 * yet ... then adjust the alloc size to be
1628 				 * bigger, and return 1 but with the empty skb.
1629 				 * This results in an empty message being RX'ed
1630 				 * in userspace, but that is ignored.
1631 				 *
1632 				 * We can then retry with the larger buffer.
1633 				 */
1634 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
1635 				    !skb->len &&
1636 				    cb->min_dump_alloc < 4096) {
1637 					cb->min_dump_alloc = 4096;
1638 					mutex_unlock(&cfg80211_mutex);
1639 					return 1;
1640 				}
1641 				idx--;
1642 				break;
1643 			}
1644 		} while (cb->args[1] > 0);
1645 		break;
1646 	}
1647 	mutex_unlock(&cfg80211_mutex);
1648 
1649 	cb->args[0] = idx;
1650 
1651 	return skb->len;
1652 }
1653 
1654 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
1655 {
1656 	struct sk_buff *msg;
1657 	struct cfg80211_registered_device *dev = info->user_ptr[0];
1658 
1659 	msg = nlmsg_new(4096, GFP_KERNEL);
1660 	if (!msg)
1661 		return -ENOMEM;
1662 
1663 	if (nl80211_send_wiphy(dev, msg, info->snd_portid, info->snd_seq, 0,
1664 			       false, NULL, NULL, NULL) < 0) {
1665 		nlmsg_free(msg);
1666 		return -ENOBUFS;
1667 	}
1668 
1669 	return genlmsg_reply(msg, info);
1670 }
1671 
1672 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
1673 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
1674 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
1675 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
1676 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
1677 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
1678 };
1679 
1680 static int parse_txq_params(struct nlattr *tb[],
1681 			    struct ieee80211_txq_params *txq_params)
1682 {
1683 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
1684 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
1685 	    !tb[NL80211_TXQ_ATTR_AIFS])
1686 		return -EINVAL;
1687 
1688 	txq_params->ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
1689 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
1690 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
1691 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
1692 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
1693 
1694 	if (txq_params->ac >= NL80211_NUM_ACS)
1695 		return -EINVAL;
1696 
1697 	return 0;
1698 }
1699 
1700 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
1701 {
1702 	/*
1703 	 * You can only set the channel explicitly for WDS interfaces,
1704 	 * all others have their channel managed via their respective
1705 	 * "establish a connection" command (connect, join, ...)
1706 	 *
1707 	 * For AP/GO and mesh mode, the channel can be set with the
1708 	 * channel userspace API, but is only stored and passed to the
1709 	 * low-level driver when the AP starts or the mesh is joined.
1710 	 * This is for backward compatibility, userspace can also give
1711 	 * the channel in the start-ap or join-mesh commands instead.
1712 	 *
1713 	 * Monitors are special as they are normally slaved to
1714 	 * whatever else is going on, so they have their own special
1715 	 * operation to set the monitor channel if possible.
1716 	 */
1717 	return !wdev ||
1718 		wdev->iftype == NL80211_IFTYPE_AP ||
1719 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
1720 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
1721 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
1722 }
1723 
1724 static int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
1725 				 struct genl_info *info,
1726 				 struct cfg80211_chan_def *chandef)
1727 {
1728 	u32 control_freq;
1729 
1730 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
1731 		return -EINVAL;
1732 
1733 	control_freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
1734 
1735 	chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
1736 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
1737 	chandef->center_freq1 = control_freq;
1738 	chandef->center_freq2 = 0;
1739 
1740 	/* Primary channel not allowed */
1741 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED)
1742 		return -EINVAL;
1743 
1744 	if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
1745 		enum nl80211_channel_type chantype;
1746 
1747 		chantype = nla_get_u32(
1748 				info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
1749 
1750 		switch (chantype) {
1751 		case NL80211_CHAN_NO_HT:
1752 		case NL80211_CHAN_HT20:
1753 		case NL80211_CHAN_HT40PLUS:
1754 		case NL80211_CHAN_HT40MINUS:
1755 			cfg80211_chandef_create(chandef, chandef->chan,
1756 						chantype);
1757 			break;
1758 		default:
1759 			return -EINVAL;
1760 		}
1761 	} else if (info->attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
1762 		chandef->width =
1763 			nla_get_u32(info->attrs[NL80211_ATTR_CHANNEL_WIDTH]);
1764 		if (info->attrs[NL80211_ATTR_CENTER_FREQ1])
1765 			chandef->center_freq1 =
1766 				nla_get_u32(
1767 					info->attrs[NL80211_ATTR_CENTER_FREQ1]);
1768 		if (info->attrs[NL80211_ATTR_CENTER_FREQ2])
1769 			chandef->center_freq2 =
1770 				nla_get_u32(
1771 					info->attrs[NL80211_ATTR_CENTER_FREQ2]);
1772 	}
1773 
1774 	if (!cfg80211_chandef_valid(chandef))
1775 		return -EINVAL;
1776 
1777 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
1778 				     IEEE80211_CHAN_DISABLED))
1779 		return -EINVAL;
1780 
1781 	return 0;
1782 }
1783 
1784 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
1785 				 struct wireless_dev *wdev,
1786 				 struct genl_info *info)
1787 {
1788 	struct cfg80211_chan_def chandef;
1789 	int result;
1790 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
1791 
1792 	if (wdev)
1793 		iftype = wdev->iftype;
1794 
1795 	if (!nl80211_can_set_dev_channel(wdev))
1796 		return -EOPNOTSUPP;
1797 
1798 	result = nl80211_parse_chandef(rdev, info, &chandef);
1799 	if (result)
1800 		return result;
1801 
1802 	mutex_lock(&rdev->devlist_mtx);
1803 	switch (iftype) {
1804 	case NL80211_IFTYPE_AP:
1805 	case NL80211_IFTYPE_P2P_GO:
1806 		if (wdev->beacon_interval) {
1807 			result = -EBUSY;
1808 			break;
1809 		}
1810 		if (!cfg80211_reg_can_beacon(&rdev->wiphy, &chandef)) {
1811 			result = -EINVAL;
1812 			break;
1813 		}
1814 		wdev->preset_chandef = chandef;
1815 		result = 0;
1816 		break;
1817 	case NL80211_IFTYPE_MESH_POINT:
1818 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
1819 		break;
1820 	case NL80211_IFTYPE_MONITOR:
1821 		result = cfg80211_set_monitor_channel(rdev, &chandef);
1822 		break;
1823 	default:
1824 		result = -EINVAL;
1825 	}
1826 	mutex_unlock(&rdev->devlist_mtx);
1827 
1828 	return result;
1829 }
1830 
1831 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
1832 {
1833 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
1834 	struct net_device *netdev = info->user_ptr[1];
1835 
1836 	return __nl80211_set_channel(rdev, netdev->ieee80211_ptr, info);
1837 }
1838 
1839 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
1840 {
1841 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
1842 	struct net_device *dev = info->user_ptr[1];
1843 	struct wireless_dev *wdev = dev->ieee80211_ptr;
1844 	const u8 *bssid;
1845 
1846 	if (!info->attrs[NL80211_ATTR_MAC])
1847 		return -EINVAL;
1848 
1849 	if (netif_running(dev))
1850 		return -EBUSY;
1851 
1852 	if (!rdev->ops->set_wds_peer)
1853 		return -EOPNOTSUPP;
1854 
1855 	if (wdev->iftype != NL80211_IFTYPE_WDS)
1856 		return -EOPNOTSUPP;
1857 
1858 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
1859 	return rdev_set_wds_peer(rdev, dev, bssid);
1860 }
1861 
1862 
1863 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
1864 {
1865 	struct cfg80211_registered_device *rdev;
1866 	struct net_device *netdev = NULL;
1867 	struct wireless_dev *wdev;
1868 	int result = 0, rem_txq_params = 0;
1869 	struct nlattr *nl_txq_params;
1870 	u32 changed;
1871 	u8 retry_short = 0, retry_long = 0;
1872 	u32 frag_threshold = 0, rts_threshold = 0;
1873 	u8 coverage_class = 0;
1874 
1875 	/*
1876 	 * Try to find the wiphy and netdev. Normally this
1877 	 * function shouldn't need the netdev, but this is
1878 	 * done for backward compatibility -- previously
1879 	 * setting the channel was done per wiphy, but now
1880 	 * it is per netdev. Previous userland like hostapd
1881 	 * also passed a netdev to set_wiphy, so that it is
1882 	 * possible to let that go to the right netdev!
1883 	 */
1884 	mutex_lock(&cfg80211_mutex);
1885 
1886 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
1887 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
1888 
1889 		netdev = dev_get_by_index(genl_info_net(info), ifindex);
1890 		if (netdev && netdev->ieee80211_ptr) {
1891 			rdev = wiphy_to_dev(netdev->ieee80211_ptr->wiphy);
1892 			mutex_lock(&rdev->mtx);
1893 		} else
1894 			netdev = NULL;
1895 	}
1896 
1897 	if (!netdev) {
1898 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
1899 						  info->attrs);
1900 		if (IS_ERR(rdev)) {
1901 			mutex_unlock(&cfg80211_mutex);
1902 			return PTR_ERR(rdev);
1903 		}
1904 		wdev = NULL;
1905 		netdev = NULL;
1906 		result = 0;
1907 
1908 		mutex_lock(&rdev->mtx);
1909 	} else
1910 		wdev = netdev->ieee80211_ptr;
1911 
1912 	/*
1913 	 * end workaround code, by now the rdev is available
1914 	 * and locked, and wdev may or may not be NULL.
1915 	 */
1916 
1917 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
1918 		result = cfg80211_dev_rename(
1919 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
1920 
1921 	mutex_unlock(&cfg80211_mutex);
1922 
1923 	if (result)
1924 		goto bad_res;
1925 
1926 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
1927 		struct ieee80211_txq_params txq_params;
1928 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
1929 
1930 		if (!rdev->ops->set_txq_params) {
1931 			result = -EOPNOTSUPP;
1932 			goto bad_res;
1933 		}
1934 
1935 		if (!netdev) {
1936 			result = -EINVAL;
1937 			goto bad_res;
1938 		}
1939 
1940 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
1941 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
1942 			result = -EINVAL;
1943 			goto bad_res;
1944 		}
1945 
1946 		if (!netif_running(netdev)) {
1947 			result = -ENETDOWN;
1948 			goto bad_res;
1949 		}
1950 
1951 		nla_for_each_nested(nl_txq_params,
1952 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
1953 				    rem_txq_params) {
1954 			nla_parse(tb, NL80211_TXQ_ATTR_MAX,
1955 				  nla_data(nl_txq_params),
1956 				  nla_len(nl_txq_params),
1957 				  txq_params_policy);
1958 			result = parse_txq_params(tb, &txq_params);
1959 			if (result)
1960 				goto bad_res;
1961 
1962 			result = rdev_set_txq_params(rdev, netdev,
1963 						     &txq_params);
1964 			if (result)
1965 				goto bad_res;
1966 		}
1967 	}
1968 
1969 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
1970 		result = __nl80211_set_channel(rdev,
1971 				nl80211_can_set_dev_channel(wdev) ? wdev : NULL,
1972 				info);
1973 		if (result)
1974 			goto bad_res;
1975 	}
1976 
1977 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
1978 		struct wireless_dev *txp_wdev = wdev;
1979 		enum nl80211_tx_power_setting type;
1980 		int idx, mbm = 0;
1981 
1982 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
1983 			txp_wdev = NULL;
1984 
1985 		if (!rdev->ops->set_tx_power) {
1986 			result = -EOPNOTSUPP;
1987 			goto bad_res;
1988 		}
1989 
1990 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
1991 		type = nla_get_u32(info->attrs[idx]);
1992 
1993 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
1994 		    (type != NL80211_TX_POWER_AUTOMATIC)) {
1995 			result = -EINVAL;
1996 			goto bad_res;
1997 		}
1998 
1999 		if (type != NL80211_TX_POWER_AUTOMATIC) {
2000 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
2001 			mbm = nla_get_u32(info->attrs[idx]);
2002 		}
2003 
2004 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
2005 		if (result)
2006 			goto bad_res;
2007 	}
2008 
2009 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
2010 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
2011 		u32 tx_ant, rx_ant;
2012 		if ((!rdev->wiphy.available_antennas_tx &&
2013 		     !rdev->wiphy.available_antennas_rx) ||
2014 		    !rdev->ops->set_antenna) {
2015 			result = -EOPNOTSUPP;
2016 			goto bad_res;
2017 		}
2018 
2019 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
2020 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
2021 
2022 		/* reject antenna configurations which don't match the
2023 		 * available antenna masks, except for the "all" mask */
2024 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
2025 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
2026 			result = -EINVAL;
2027 			goto bad_res;
2028 		}
2029 
2030 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
2031 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
2032 
2033 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
2034 		if (result)
2035 			goto bad_res;
2036 	}
2037 
2038 	changed = 0;
2039 
2040 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
2041 		retry_short = nla_get_u8(
2042 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
2043 		if (retry_short == 0) {
2044 			result = -EINVAL;
2045 			goto bad_res;
2046 		}
2047 		changed |= WIPHY_PARAM_RETRY_SHORT;
2048 	}
2049 
2050 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
2051 		retry_long = nla_get_u8(
2052 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
2053 		if (retry_long == 0) {
2054 			result = -EINVAL;
2055 			goto bad_res;
2056 		}
2057 		changed |= WIPHY_PARAM_RETRY_LONG;
2058 	}
2059 
2060 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
2061 		frag_threshold = nla_get_u32(
2062 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
2063 		if (frag_threshold < 256) {
2064 			result = -EINVAL;
2065 			goto bad_res;
2066 		}
2067 		if (frag_threshold != (u32) -1) {
2068 			/*
2069 			 * Fragments (apart from the last one) are required to
2070 			 * have even length. Make the fragmentation code
2071 			 * simpler by stripping LSB should someone try to use
2072 			 * odd threshold value.
2073 			 */
2074 			frag_threshold &= ~0x1;
2075 		}
2076 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
2077 	}
2078 
2079 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
2080 		rts_threshold = nla_get_u32(
2081 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
2082 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
2083 	}
2084 
2085 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
2086 		coverage_class = nla_get_u8(
2087 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
2088 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
2089 	}
2090 
2091 	if (changed) {
2092 		u8 old_retry_short, old_retry_long;
2093 		u32 old_frag_threshold, old_rts_threshold;
2094 		u8 old_coverage_class;
2095 
2096 		if (!rdev->ops->set_wiphy_params) {
2097 			result = -EOPNOTSUPP;
2098 			goto bad_res;
2099 		}
2100 
2101 		old_retry_short = rdev->wiphy.retry_short;
2102 		old_retry_long = rdev->wiphy.retry_long;
2103 		old_frag_threshold = rdev->wiphy.frag_threshold;
2104 		old_rts_threshold = rdev->wiphy.rts_threshold;
2105 		old_coverage_class = rdev->wiphy.coverage_class;
2106 
2107 		if (changed & WIPHY_PARAM_RETRY_SHORT)
2108 			rdev->wiphy.retry_short = retry_short;
2109 		if (changed & WIPHY_PARAM_RETRY_LONG)
2110 			rdev->wiphy.retry_long = retry_long;
2111 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
2112 			rdev->wiphy.frag_threshold = frag_threshold;
2113 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
2114 			rdev->wiphy.rts_threshold = rts_threshold;
2115 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
2116 			rdev->wiphy.coverage_class = coverage_class;
2117 
2118 		result = rdev_set_wiphy_params(rdev, changed);
2119 		if (result) {
2120 			rdev->wiphy.retry_short = old_retry_short;
2121 			rdev->wiphy.retry_long = old_retry_long;
2122 			rdev->wiphy.frag_threshold = old_frag_threshold;
2123 			rdev->wiphy.rts_threshold = old_rts_threshold;
2124 			rdev->wiphy.coverage_class = old_coverage_class;
2125 		}
2126 	}
2127 
2128  bad_res:
2129 	mutex_unlock(&rdev->mtx);
2130 	if (netdev)
2131 		dev_put(netdev);
2132 	return result;
2133 }
2134 
2135 static inline u64 wdev_id(struct wireless_dev *wdev)
2136 {
2137 	return (u64)wdev->identifier |
2138 	       ((u64)wiphy_to_dev(wdev->wiphy)->wiphy_idx << 32);
2139 }
2140 
2141 static int nl80211_send_chandef(struct sk_buff *msg,
2142 				 struct cfg80211_chan_def *chandef)
2143 {
2144 	WARN_ON(!cfg80211_chandef_valid(chandef));
2145 
2146 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
2147 			chandef->chan->center_freq))
2148 		return -ENOBUFS;
2149 	switch (chandef->width) {
2150 	case NL80211_CHAN_WIDTH_20_NOHT:
2151 	case NL80211_CHAN_WIDTH_20:
2152 	case NL80211_CHAN_WIDTH_40:
2153 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
2154 				cfg80211_get_chandef_type(chandef)))
2155 			return -ENOBUFS;
2156 		break;
2157 	default:
2158 		break;
2159 	}
2160 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
2161 		return -ENOBUFS;
2162 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
2163 		return -ENOBUFS;
2164 	if (chandef->center_freq2 &&
2165 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
2166 		return -ENOBUFS;
2167 	return 0;
2168 }
2169 
2170 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
2171 			      struct cfg80211_registered_device *rdev,
2172 			      struct wireless_dev *wdev)
2173 {
2174 	struct net_device *dev = wdev->netdev;
2175 	void *hdr;
2176 
2177 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_INTERFACE);
2178 	if (!hdr)
2179 		return -1;
2180 
2181 	if (dev &&
2182 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2183 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
2184 		goto nla_put_failure;
2185 
2186 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2187 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
2188 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
2189 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
2190 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2191 			rdev->devlist_generation ^
2192 			(cfg80211_rdev_list_generation << 2)))
2193 		goto nla_put_failure;
2194 
2195 	if (rdev->ops->get_channel) {
2196 		int ret;
2197 		struct cfg80211_chan_def chandef;
2198 
2199 		ret = rdev_get_channel(rdev, wdev, &chandef);
2200 		if (ret == 0) {
2201 			if (nl80211_send_chandef(msg, &chandef))
2202 				goto nla_put_failure;
2203 		}
2204 	}
2205 
2206 	if (wdev->ssid_len) {
2207 		if (nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
2208 			goto nla_put_failure;
2209 	}
2210 
2211 	return genlmsg_end(msg, hdr);
2212 
2213  nla_put_failure:
2214 	genlmsg_cancel(msg, hdr);
2215 	return -EMSGSIZE;
2216 }
2217 
2218 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
2219 {
2220 	int wp_idx = 0;
2221 	int if_idx = 0;
2222 	int wp_start = cb->args[0];
2223 	int if_start = cb->args[1];
2224 	struct cfg80211_registered_device *rdev;
2225 	struct wireless_dev *wdev;
2226 
2227 	mutex_lock(&cfg80211_mutex);
2228 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2229 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2230 			continue;
2231 		if (wp_idx < wp_start) {
2232 			wp_idx++;
2233 			continue;
2234 		}
2235 		if_idx = 0;
2236 
2237 		mutex_lock(&rdev->devlist_mtx);
2238 		list_for_each_entry(wdev, &rdev->wdev_list, list) {
2239 			if (if_idx < if_start) {
2240 				if_idx++;
2241 				continue;
2242 			}
2243 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
2244 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
2245 					       rdev, wdev) < 0) {
2246 				mutex_unlock(&rdev->devlist_mtx);
2247 				goto out;
2248 			}
2249 			if_idx++;
2250 		}
2251 		mutex_unlock(&rdev->devlist_mtx);
2252 
2253 		wp_idx++;
2254 	}
2255  out:
2256 	mutex_unlock(&cfg80211_mutex);
2257 
2258 	cb->args[0] = wp_idx;
2259 	cb->args[1] = if_idx;
2260 
2261 	return skb->len;
2262 }
2263 
2264 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
2265 {
2266 	struct sk_buff *msg;
2267 	struct cfg80211_registered_device *dev = info->user_ptr[0];
2268 	struct wireless_dev *wdev = info->user_ptr[1];
2269 
2270 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2271 	if (!msg)
2272 		return -ENOMEM;
2273 
2274 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2275 			       dev, wdev) < 0) {
2276 		nlmsg_free(msg);
2277 		return -ENOBUFS;
2278 	}
2279 
2280 	return genlmsg_reply(msg, info);
2281 }
2282 
2283 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
2284 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
2285 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
2286 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
2287 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
2288 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
2289 };
2290 
2291 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
2292 {
2293 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
2294 	int flag;
2295 
2296 	*mntrflags = 0;
2297 
2298 	if (!nla)
2299 		return -EINVAL;
2300 
2301 	if (nla_parse_nested(flags, NL80211_MNTR_FLAG_MAX,
2302 			     nla, mntr_flags_policy))
2303 		return -EINVAL;
2304 
2305 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
2306 		if (flags[flag])
2307 			*mntrflags |= (1<<flag);
2308 
2309 	return 0;
2310 }
2311 
2312 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
2313 			       struct net_device *netdev, u8 use_4addr,
2314 			       enum nl80211_iftype iftype)
2315 {
2316 	if (!use_4addr) {
2317 		if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
2318 			return -EBUSY;
2319 		return 0;
2320 	}
2321 
2322 	switch (iftype) {
2323 	case NL80211_IFTYPE_AP_VLAN:
2324 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
2325 			return 0;
2326 		break;
2327 	case NL80211_IFTYPE_STATION:
2328 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
2329 			return 0;
2330 		break;
2331 	default:
2332 		break;
2333 	}
2334 
2335 	return -EOPNOTSUPP;
2336 }
2337 
2338 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
2339 {
2340 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2341 	struct vif_params params;
2342 	int err;
2343 	enum nl80211_iftype otype, ntype;
2344 	struct net_device *dev = info->user_ptr[1];
2345 	u32 _flags, *flags = NULL;
2346 	bool change = false;
2347 
2348 	memset(&params, 0, sizeof(params));
2349 
2350 	otype = ntype = dev->ieee80211_ptr->iftype;
2351 
2352 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2353 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2354 		if (otype != ntype)
2355 			change = true;
2356 		if (ntype > NL80211_IFTYPE_MAX)
2357 			return -EINVAL;
2358 	}
2359 
2360 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
2361 		struct wireless_dev *wdev = dev->ieee80211_ptr;
2362 
2363 		if (ntype != NL80211_IFTYPE_MESH_POINT)
2364 			return -EINVAL;
2365 		if (netif_running(dev))
2366 			return -EBUSY;
2367 
2368 		wdev_lock(wdev);
2369 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2370 			     IEEE80211_MAX_MESH_ID_LEN);
2371 		wdev->mesh_id_up_len =
2372 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2373 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2374 		       wdev->mesh_id_up_len);
2375 		wdev_unlock(wdev);
2376 	}
2377 
2378 	if (info->attrs[NL80211_ATTR_4ADDR]) {
2379 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2380 		change = true;
2381 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
2382 		if (err)
2383 			return err;
2384 	} else {
2385 		params.use_4addr = -1;
2386 	}
2387 
2388 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
2389 		if (ntype != NL80211_IFTYPE_MONITOR)
2390 			return -EINVAL;
2391 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
2392 					  &_flags);
2393 		if (err)
2394 			return err;
2395 
2396 		flags = &_flags;
2397 		change = true;
2398 	}
2399 
2400 	if (change)
2401 		err = cfg80211_change_iface(rdev, dev, ntype, flags, &params);
2402 	else
2403 		err = 0;
2404 
2405 	if (!err && params.use_4addr != -1)
2406 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
2407 
2408 	return err;
2409 }
2410 
2411 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
2412 {
2413 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2414 	struct vif_params params;
2415 	struct wireless_dev *wdev;
2416 	struct sk_buff *msg;
2417 	int err;
2418 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
2419 	u32 flags;
2420 
2421 	memset(&params, 0, sizeof(params));
2422 
2423 	if (!info->attrs[NL80211_ATTR_IFNAME])
2424 		return -EINVAL;
2425 
2426 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2427 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2428 		if (type > NL80211_IFTYPE_MAX)
2429 			return -EINVAL;
2430 	}
2431 
2432 	if (!rdev->ops->add_virtual_intf ||
2433 	    !(rdev->wiphy.interface_modes & (1 << type)))
2434 		return -EOPNOTSUPP;
2435 
2436 	if (type == NL80211_IFTYPE_P2P_DEVICE && info->attrs[NL80211_ATTR_MAC]) {
2437 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
2438 			   ETH_ALEN);
2439 		if (!is_valid_ether_addr(params.macaddr))
2440 			return -EADDRNOTAVAIL;
2441 	}
2442 
2443 	if (info->attrs[NL80211_ATTR_4ADDR]) {
2444 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2445 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
2446 		if (err)
2447 			return err;
2448 	}
2449 
2450 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2451 	if (!msg)
2452 		return -ENOMEM;
2453 
2454 	err = parse_monitor_flags(type == NL80211_IFTYPE_MONITOR ?
2455 				  info->attrs[NL80211_ATTR_MNTR_FLAGS] : NULL,
2456 				  &flags);
2457 	wdev = rdev_add_virtual_intf(rdev,
2458 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
2459 				type, err ? NULL : &flags, &params);
2460 	if (IS_ERR(wdev)) {
2461 		nlmsg_free(msg);
2462 		return PTR_ERR(wdev);
2463 	}
2464 
2465 	switch (type) {
2466 	case NL80211_IFTYPE_MESH_POINT:
2467 		if (!info->attrs[NL80211_ATTR_MESH_ID])
2468 			break;
2469 		wdev_lock(wdev);
2470 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2471 			     IEEE80211_MAX_MESH_ID_LEN);
2472 		wdev->mesh_id_up_len =
2473 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2474 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2475 		       wdev->mesh_id_up_len);
2476 		wdev_unlock(wdev);
2477 		break;
2478 	case NL80211_IFTYPE_P2P_DEVICE:
2479 		/*
2480 		 * P2P Device doesn't have a netdev, so doesn't go
2481 		 * through the netdev notifier and must be added here
2482 		 */
2483 		mutex_init(&wdev->mtx);
2484 		INIT_LIST_HEAD(&wdev->event_list);
2485 		spin_lock_init(&wdev->event_lock);
2486 		INIT_LIST_HEAD(&wdev->mgmt_registrations);
2487 		spin_lock_init(&wdev->mgmt_registrations_lock);
2488 
2489 		mutex_lock(&rdev->devlist_mtx);
2490 		wdev->identifier = ++rdev->wdev_id;
2491 		list_add_rcu(&wdev->list, &rdev->wdev_list);
2492 		rdev->devlist_generation++;
2493 		mutex_unlock(&rdev->devlist_mtx);
2494 		break;
2495 	default:
2496 		break;
2497 	}
2498 
2499 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2500 			       rdev, wdev) < 0) {
2501 		nlmsg_free(msg);
2502 		return -ENOBUFS;
2503 	}
2504 
2505 	return genlmsg_reply(msg, info);
2506 }
2507 
2508 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
2509 {
2510 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2511 	struct wireless_dev *wdev = info->user_ptr[1];
2512 
2513 	if (!rdev->ops->del_virtual_intf)
2514 		return -EOPNOTSUPP;
2515 
2516 	/*
2517 	 * If we remove a wireless device without a netdev then clear
2518 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
2519 	 * to check if it needs to do dev_put(). Otherwise it crashes
2520 	 * since the wdev has been freed, unlike with a netdev where
2521 	 * we need the dev_put() for the netdev to really be freed.
2522 	 */
2523 	if (!wdev->netdev)
2524 		info->user_ptr[1] = NULL;
2525 
2526 	return rdev_del_virtual_intf(rdev, wdev);
2527 }
2528 
2529 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
2530 {
2531 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2532 	struct net_device *dev = info->user_ptr[1];
2533 	u16 noack_map;
2534 
2535 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
2536 		return -EINVAL;
2537 
2538 	if (!rdev->ops->set_noack_map)
2539 		return -EOPNOTSUPP;
2540 
2541 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
2542 
2543 	return rdev_set_noack_map(rdev, dev, noack_map);
2544 }
2545 
2546 struct get_key_cookie {
2547 	struct sk_buff *msg;
2548 	int error;
2549 	int idx;
2550 };
2551 
2552 static void get_key_callback(void *c, struct key_params *params)
2553 {
2554 	struct nlattr *key;
2555 	struct get_key_cookie *cookie = c;
2556 
2557 	if ((params->key &&
2558 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
2559 		     params->key_len, params->key)) ||
2560 	    (params->seq &&
2561 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
2562 		     params->seq_len, params->seq)) ||
2563 	    (params->cipher &&
2564 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
2565 			 params->cipher)))
2566 		goto nla_put_failure;
2567 
2568 	key = nla_nest_start(cookie->msg, NL80211_ATTR_KEY);
2569 	if (!key)
2570 		goto nla_put_failure;
2571 
2572 	if ((params->key &&
2573 	     nla_put(cookie->msg, NL80211_KEY_DATA,
2574 		     params->key_len, params->key)) ||
2575 	    (params->seq &&
2576 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
2577 		     params->seq_len, params->seq)) ||
2578 	    (params->cipher &&
2579 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
2580 			 params->cipher)))
2581 		goto nla_put_failure;
2582 
2583 	if (nla_put_u8(cookie->msg, NL80211_ATTR_KEY_IDX, cookie->idx))
2584 		goto nla_put_failure;
2585 
2586 	nla_nest_end(cookie->msg, key);
2587 
2588 	return;
2589  nla_put_failure:
2590 	cookie->error = 1;
2591 }
2592 
2593 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
2594 {
2595 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2596 	int err;
2597 	struct net_device *dev = info->user_ptr[1];
2598 	u8 key_idx = 0;
2599 	const u8 *mac_addr = NULL;
2600 	bool pairwise;
2601 	struct get_key_cookie cookie = {
2602 		.error = 0,
2603 	};
2604 	void *hdr;
2605 	struct sk_buff *msg;
2606 
2607 	if (info->attrs[NL80211_ATTR_KEY_IDX])
2608 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
2609 
2610 	if (key_idx > 5)
2611 		return -EINVAL;
2612 
2613 	if (info->attrs[NL80211_ATTR_MAC])
2614 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2615 
2616 	pairwise = !!mac_addr;
2617 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
2618 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
2619 		if (kt >= NUM_NL80211_KEYTYPES)
2620 			return -EINVAL;
2621 		if (kt != NL80211_KEYTYPE_GROUP &&
2622 		    kt != NL80211_KEYTYPE_PAIRWISE)
2623 			return -EINVAL;
2624 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
2625 	}
2626 
2627 	if (!rdev->ops->get_key)
2628 		return -EOPNOTSUPP;
2629 
2630 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2631 	if (!msg)
2632 		return -ENOMEM;
2633 
2634 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
2635 			     NL80211_CMD_NEW_KEY);
2636 	if (IS_ERR(hdr))
2637 		return PTR_ERR(hdr);
2638 
2639 	cookie.msg = msg;
2640 	cookie.idx = key_idx;
2641 
2642 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2643 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
2644 		goto nla_put_failure;
2645 	if (mac_addr &&
2646 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
2647 		goto nla_put_failure;
2648 
2649 	if (pairwise && mac_addr &&
2650 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2651 		return -ENOENT;
2652 
2653 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
2654 			   get_key_callback);
2655 
2656 	if (err)
2657 		goto free_msg;
2658 
2659 	if (cookie.error)
2660 		goto nla_put_failure;
2661 
2662 	genlmsg_end(msg, hdr);
2663 	return genlmsg_reply(msg, info);
2664 
2665  nla_put_failure:
2666 	err = -ENOBUFS;
2667  free_msg:
2668 	nlmsg_free(msg);
2669 	return err;
2670 }
2671 
2672 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
2673 {
2674 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2675 	struct key_parse key;
2676 	int err;
2677 	struct net_device *dev = info->user_ptr[1];
2678 
2679 	err = nl80211_parse_key(info, &key);
2680 	if (err)
2681 		return err;
2682 
2683 	if (key.idx < 0)
2684 		return -EINVAL;
2685 
2686 	/* only support setting default key */
2687 	if (!key.def && !key.defmgmt)
2688 		return -EINVAL;
2689 
2690 	wdev_lock(dev->ieee80211_ptr);
2691 
2692 	if (key.def) {
2693 		if (!rdev->ops->set_default_key) {
2694 			err = -EOPNOTSUPP;
2695 			goto out;
2696 		}
2697 
2698 		err = nl80211_key_allowed(dev->ieee80211_ptr);
2699 		if (err)
2700 			goto out;
2701 
2702 		err = rdev_set_default_key(rdev, dev, key.idx,
2703 						 key.def_uni, key.def_multi);
2704 
2705 		if (err)
2706 			goto out;
2707 
2708 #ifdef CONFIG_CFG80211_WEXT
2709 		dev->ieee80211_ptr->wext.default_key = key.idx;
2710 #endif
2711 	} else {
2712 		if (key.def_uni || !key.def_multi) {
2713 			err = -EINVAL;
2714 			goto out;
2715 		}
2716 
2717 		if (!rdev->ops->set_default_mgmt_key) {
2718 			err = -EOPNOTSUPP;
2719 			goto out;
2720 		}
2721 
2722 		err = nl80211_key_allowed(dev->ieee80211_ptr);
2723 		if (err)
2724 			goto out;
2725 
2726 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
2727 		if (err)
2728 			goto out;
2729 
2730 #ifdef CONFIG_CFG80211_WEXT
2731 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
2732 #endif
2733 	}
2734 
2735  out:
2736 	wdev_unlock(dev->ieee80211_ptr);
2737 
2738 	return err;
2739 }
2740 
2741 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
2742 {
2743 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2744 	int err;
2745 	struct net_device *dev = info->user_ptr[1];
2746 	struct key_parse key;
2747 	const u8 *mac_addr = NULL;
2748 
2749 	err = nl80211_parse_key(info, &key);
2750 	if (err)
2751 		return err;
2752 
2753 	if (!key.p.key)
2754 		return -EINVAL;
2755 
2756 	if (info->attrs[NL80211_ATTR_MAC])
2757 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2758 
2759 	if (key.type == -1) {
2760 		if (mac_addr)
2761 			key.type = NL80211_KEYTYPE_PAIRWISE;
2762 		else
2763 			key.type = NL80211_KEYTYPE_GROUP;
2764 	}
2765 
2766 	/* for now */
2767 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
2768 	    key.type != NL80211_KEYTYPE_GROUP)
2769 		return -EINVAL;
2770 
2771 	if (!rdev->ops->add_key)
2772 		return -EOPNOTSUPP;
2773 
2774 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
2775 					   key.type == NL80211_KEYTYPE_PAIRWISE,
2776 					   mac_addr))
2777 		return -EINVAL;
2778 
2779 	wdev_lock(dev->ieee80211_ptr);
2780 	err = nl80211_key_allowed(dev->ieee80211_ptr);
2781 	if (!err)
2782 		err = rdev_add_key(rdev, dev, key.idx,
2783 				   key.type == NL80211_KEYTYPE_PAIRWISE,
2784 				    mac_addr, &key.p);
2785 	wdev_unlock(dev->ieee80211_ptr);
2786 
2787 	return err;
2788 }
2789 
2790 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
2791 {
2792 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2793 	int err;
2794 	struct net_device *dev = info->user_ptr[1];
2795 	u8 *mac_addr = NULL;
2796 	struct key_parse key;
2797 
2798 	err = nl80211_parse_key(info, &key);
2799 	if (err)
2800 		return err;
2801 
2802 	if (info->attrs[NL80211_ATTR_MAC])
2803 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2804 
2805 	if (key.type == -1) {
2806 		if (mac_addr)
2807 			key.type = NL80211_KEYTYPE_PAIRWISE;
2808 		else
2809 			key.type = NL80211_KEYTYPE_GROUP;
2810 	}
2811 
2812 	/* for now */
2813 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
2814 	    key.type != NL80211_KEYTYPE_GROUP)
2815 		return -EINVAL;
2816 
2817 	if (!rdev->ops->del_key)
2818 		return -EOPNOTSUPP;
2819 
2820 	wdev_lock(dev->ieee80211_ptr);
2821 	err = nl80211_key_allowed(dev->ieee80211_ptr);
2822 
2823 	if (key.type == NL80211_KEYTYPE_PAIRWISE && mac_addr &&
2824 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2825 		err = -ENOENT;
2826 
2827 	if (!err)
2828 		err = rdev_del_key(rdev, dev, key.idx,
2829 				   key.type == NL80211_KEYTYPE_PAIRWISE,
2830 				   mac_addr);
2831 
2832 #ifdef CONFIG_CFG80211_WEXT
2833 	if (!err) {
2834 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
2835 			dev->ieee80211_ptr->wext.default_key = -1;
2836 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
2837 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
2838 	}
2839 #endif
2840 	wdev_unlock(dev->ieee80211_ptr);
2841 
2842 	return err;
2843 }
2844 
2845 /* This function returns an error or the number of nested attributes */
2846 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
2847 {
2848 	struct nlattr *attr;
2849 	int n_entries = 0, tmp;
2850 
2851 	nla_for_each_nested(attr, nl_attr, tmp) {
2852 		if (nla_len(attr) != ETH_ALEN)
2853 			return -EINVAL;
2854 
2855 		n_entries++;
2856 	}
2857 
2858 	return n_entries;
2859 }
2860 
2861 /*
2862  * This function parses ACL information and allocates memory for ACL data.
2863  * On successful return, the calling function is responsible to free the
2864  * ACL buffer returned by this function.
2865  */
2866 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
2867 						struct genl_info *info)
2868 {
2869 	enum nl80211_acl_policy acl_policy;
2870 	struct nlattr *attr;
2871 	struct cfg80211_acl_data *acl;
2872 	int i = 0, n_entries, tmp;
2873 
2874 	if (!wiphy->max_acl_mac_addrs)
2875 		return ERR_PTR(-EOPNOTSUPP);
2876 
2877 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
2878 		return ERR_PTR(-EINVAL);
2879 
2880 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
2881 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
2882 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
2883 		return ERR_PTR(-EINVAL);
2884 
2885 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
2886 		return ERR_PTR(-EINVAL);
2887 
2888 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
2889 	if (n_entries < 0)
2890 		return ERR_PTR(n_entries);
2891 
2892 	if (n_entries > wiphy->max_acl_mac_addrs)
2893 		return ERR_PTR(-ENOTSUPP);
2894 
2895 	acl = kzalloc(sizeof(*acl) + (sizeof(struct mac_address) * n_entries),
2896 		      GFP_KERNEL);
2897 	if (!acl)
2898 		return ERR_PTR(-ENOMEM);
2899 
2900 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
2901 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
2902 		i++;
2903 	}
2904 
2905 	acl->n_acl_entries = n_entries;
2906 	acl->acl_policy = acl_policy;
2907 
2908 	return acl;
2909 }
2910 
2911 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
2912 {
2913 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2914 	struct net_device *dev = info->user_ptr[1];
2915 	struct cfg80211_acl_data *acl;
2916 	int err;
2917 
2918 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2919 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2920 		return -EOPNOTSUPP;
2921 
2922 	if (!dev->ieee80211_ptr->beacon_interval)
2923 		return -EINVAL;
2924 
2925 	acl = parse_acl_data(&rdev->wiphy, info);
2926 	if (IS_ERR(acl))
2927 		return PTR_ERR(acl);
2928 
2929 	err = rdev_set_mac_acl(rdev, dev, acl);
2930 
2931 	kfree(acl);
2932 
2933 	return err;
2934 }
2935 
2936 static int nl80211_parse_beacon(struct genl_info *info,
2937 				struct cfg80211_beacon_data *bcn)
2938 {
2939 	bool haveinfo = false;
2940 
2941 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_BEACON_TAIL]) ||
2942 	    !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]) ||
2943 	    !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE_PROBE_RESP]) ||
2944 	    !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]))
2945 		return -EINVAL;
2946 
2947 	memset(bcn, 0, sizeof(*bcn));
2948 
2949 	if (info->attrs[NL80211_ATTR_BEACON_HEAD]) {
2950 		bcn->head = nla_data(info->attrs[NL80211_ATTR_BEACON_HEAD]);
2951 		bcn->head_len = nla_len(info->attrs[NL80211_ATTR_BEACON_HEAD]);
2952 		if (!bcn->head_len)
2953 			return -EINVAL;
2954 		haveinfo = true;
2955 	}
2956 
2957 	if (info->attrs[NL80211_ATTR_BEACON_TAIL]) {
2958 		bcn->tail = nla_data(info->attrs[NL80211_ATTR_BEACON_TAIL]);
2959 		bcn->tail_len =
2960 		    nla_len(info->attrs[NL80211_ATTR_BEACON_TAIL]);
2961 		haveinfo = true;
2962 	}
2963 
2964 	if (!haveinfo)
2965 		return -EINVAL;
2966 
2967 	if (info->attrs[NL80211_ATTR_IE]) {
2968 		bcn->beacon_ies = nla_data(info->attrs[NL80211_ATTR_IE]);
2969 		bcn->beacon_ies_len = nla_len(info->attrs[NL80211_ATTR_IE]);
2970 	}
2971 
2972 	if (info->attrs[NL80211_ATTR_IE_PROBE_RESP]) {
2973 		bcn->proberesp_ies =
2974 			nla_data(info->attrs[NL80211_ATTR_IE_PROBE_RESP]);
2975 		bcn->proberesp_ies_len =
2976 			nla_len(info->attrs[NL80211_ATTR_IE_PROBE_RESP]);
2977 	}
2978 
2979 	if (info->attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
2980 		bcn->assocresp_ies =
2981 			nla_data(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]);
2982 		bcn->assocresp_ies_len =
2983 			nla_len(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]);
2984 	}
2985 
2986 	if (info->attrs[NL80211_ATTR_PROBE_RESP]) {
2987 		bcn->probe_resp =
2988 			nla_data(info->attrs[NL80211_ATTR_PROBE_RESP]);
2989 		bcn->probe_resp_len =
2990 			nla_len(info->attrs[NL80211_ATTR_PROBE_RESP]);
2991 	}
2992 
2993 	return 0;
2994 }
2995 
2996 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
2997 				   struct cfg80211_ap_settings *params)
2998 {
2999 	struct wireless_dev *wdev;
3000 	bool ret = false;
3001 
3002 	mutex_lock(&rdev->devlist_mtx);
3003 
3004 	list_for_each_entry(wdev, &rdev->wdev_list, list) {
3005 		if (wdev->iftype != NL80211_IFTYPE_AP &&
3006 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
3007 			continue;
3008 
3009 		if (!wdev->preset_chandef.chan)
3010 			continue;
3011 
3012 		params->chandef = wdev->preset_chandef;
3013 		ret = true;
3014 		break;
3015 	}
3016 
3017 	mutex_unlock(&rdev->devlist_mtx);
3018 
3019 	return ret;
3020 }
3021 
3022 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
3023 				    enum nl80211_auth_type auth_type,
3024 				    enum nl80211_commands cmd)
3025 {
3026 	if (auth_type > NL80211_AUTHTYPE_MAX)
3027 		return false;
3028 
3029 	switch (cmd) {
3030 	case NL80211_CMD_AUTHENTICATE:
3031 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
3032 		    auth_type == NL80211_AUTHTYPE_SAE)
3033 			return false;
3034 		return true;
3035 	case NL80211_CMD_CONNECT:
3036 	case NL80211_CMD_START_AP:
3037 		/* SAE not supported yet */
3038 		if (auth_type == NL80211_AUTHTYPE_SAE)
3039 			return false;
3040 		return true;
3041 	default:
3042 		return false;
3043 	}
3044 }
3045 
3046 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
3047 {
3048 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3049 	struct net_device *dev = info->user_ptr[1];
3050 	struct wireless_dev *wdev = dev->ieee80211_ptr;
3051 	struct cfg80211_ap_settings params;
3052 	int err;
3053 	u8 radar_detect_width = 0;
3054 
3055 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3056 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3057 		return -EOPNOTSUPP;
3058 
3059 	if (!rdev->ops->start_ap)
3060 		return -EOPNOTSUPP;
3061 
3062 	if (wdev->beacon_interval)
3063 		return -EALREADY;
3064 
3065 	memset(&params, 0, sizeof(params));
3066 
3067 	/* these are required for START_AP */
3068 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
3069 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
3070 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
3071 		return -EINVAL;
3072 
3073 	err = nl80211_parse_beacon(info, &params.beacon);
3074 	if (err)
3075 		return err;
3076 
3077 	params.beacon_interval =
3078 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
3079 	params.dtim_period =
3080 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
3081 
3082 	err = cfg80211_validate_beacon_int(rdev, params.beacon_interval);
3083 	if (err)
3084 		return err;
3085 
3086 	/*
3087 	 * In theory, some of these attributes should be required here
3088 	 * but since they were not used when the command was originally
3089 	 * added, keep them optional for old user space programs to let
3090 	 * them continue to work with drivers that do not need the
3091 	 * additional information -- drivers must check!
3092 	 */
3093 	if (info->attrs[NL80211_ATTR_SSID]) {
3094 		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
3095 		params.ssid_len =
3096 			nla_len(info->attrs[NL80211_ATTR_SSID]);
3097 		if (params.ssid_len == 0 ||
3098 		    params.ssid_len > IEEE80211_MAX_SSID_LEN)
3099 			return -EINVAL;
3100 	}
3101 
3102 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID]) {
3103 		params.hidden_ssid = nla_get_u32(
3104 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
3105 		if (params.hidden_ssid != NL80211_HIDDEN_SSID_NOT_IN_USE &&
3106 		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_LEN &&
3107 		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_CONTENTS)
3108 			return -EINVAL;
3109 	}
3110 
3111 	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
3112 
3113 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
3114 		params.auth_type = nla_get_u32(
3115 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
3116 		if (!nl80211_valid_auth_type(rdev, params.auth_type,
3117 					     NL80211_CMD_START_AP))
3118 			return -EINVAL;
3119 	} else
3120 		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
3121 
3122 	err = nl80211_crypto_settings(rdev, info, &params.crypto,
3123 				      NL80211_MAX_NR_CIPHER_SUITES);
3124 	if (err)
3125 		return err;
3126 
3127 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
3128 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
3129 			return -EOPNOTSUPP;
3130 		params.inactivity_timeout = nla_get_u16(
3131 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
3132 	}
3133 
3134 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
3135 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3136 			return -EINVAL;
3137 		params.p2p_ctwindow =
3138 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
3139 		if (params.p2p_ctwindow > 127)
3140 			return -EINVAL;
3141 		if (params.p2p_ctwindow != 0 &&
3142 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
3143 			return -EINVAL;
3144 	}
3145 
3146 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
3147 		u8 tmp;
3148 
3149 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3150 			return -EINVAL;
3151 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
3152 		if (tmp > 1)
3153 			return -EINVAL;
3154 		params.p2p_opp_ps = tmp;
3155 		if (params.p2p_opp_ps != 0 &&
3156 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
3157 			return -EINVAL;
3158 	}
3159 
3160 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3161 		err = nl80211_parse_chandef(rdev, info, &params.chandef);
3162 		if (err)
3163 			return err;
3164 	} else if (wdev->preset_chandef.chan) {
3165 		params.chandef = wdev->preset_chandef;
3166 	} else if (!nl80211_get_ap_channel(rdev, &params))
3167 		return -EINVAL;
3168 
3169 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &params.chandef))
3170 		return -EINVAL;
3171 
3172 	err = cfg80211_chandef_dfs_required(wdev->wiphy, &params.chandef);
3173 	if (err < 0)
3174 		return err;
3175 	if (err) {
3176 		radar_detect_width = BIT(params.chandef.width);
3177 		params.radar_required = true;
3178 	}
3179 
3180 	mutex_lock(&rdev->devlist_mtx);
3181 	err = cfg80211_can_use_iftype_chan(rdev, wdev, wdev->iftype,
3182 					   params.chandef.chan,
3183 					   CHAN_MODE_SHARED,
3184 					   radar_detect_width);
3185 	mutex_unlock(&rdev->devlist_mtx);
3186 
3187 	if (err)
3188 		return err;
3189 
3190 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
3191 		params.acl = parse_acl_data(&rdev->wiphy, info);
3192 		if (IS_ERR(params.acl))
3193 			return PTR_ERR(params.acl);
3194 	}
3195 
3196 	err = rdev_start_ap(rdev, dev, &params);
3197 	if (!err) {
3198 		wdev->preset_chandef = params.chandef;
3199 		wdev->beacon_interval = params.beacon_interval;
3200 		wdev->channel = params.chandef.chan;
3201 		wdev->ssid_len = params.ssid_len;
3202 		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
3203 	}
3204 
3205 	kfree(params.acl);
3206 
3207 	return err;
3208 }
3209 
3210 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
3211 {
3212 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3213 	struct net_device *dev = info->user_ptr[1];
3214 	struct wireless_dev *wdev = dev->ieee80211_ptr;
3215 	struct cfg80211_beacon_data params;
3216 	int err;
3217 
3218 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3219 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3220 		return -EOPNOTSUPP;
3221 
3222 	if (!rdev->ops->change_beacon)
3223 		return -EOPNOTSUPP;
3224 
3225 	if (!wdev->beacon_interval)
3226 		return -EINVAL;
3227 
3228 	err = nl80211_parse_beacon(info, &params);
3229 	if (err)
3230 		return err;
3231 
3232 	return rdev_change_beacon(rdev, dev, &params);
3233 }
3234 
3235 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
3236 {
3237 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3238 	struct net_device *dev = info->user_ptr[1];
3239 
3240 	return cfg80211_stop_ap(rdev, dev);
3241 }
3242 
3243 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
3244 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
3245 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
3246 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
3247 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
3248 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
3249 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
3250 };
3251 
3252 static int parse_station_flags(struct genl_info *info,
3253 			       enum nl80211_iftype iftype,
3254 			       struct station_parameters *params)
3255 {
3256 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
3257 	struct nlattr *nla;
3258 	int flag;
3259 
3260 	/*
3261 	 * Try parsing the new attribute first so userspace
3262 	 * can specify both for older kernels.
3263 	 */
3264 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
3265 	if (nla) {
3266 		struct nl80211_sta_flag_update *sta_flags;
3267 
3268 		sta_flags = nla_data(nla);
3269 		params->sta_flags_mask = sta_flags->mask;
3270 		params->sta_flags_set = sta_flags->set;
3271 		params->sta_flags_set &= params->sta_flags_mask;
3272 		if ((params->sta_flags_mask |
3273 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
3274 			return -EINVAL;
3275 		return 0;
3276 	}
3277 
3278 	/* if present, parse the old attribute */
3279 
3280 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
3281 	if (!nla)
3282 		return 0;
3283 
3284 	if (nla_parse_nested(flags, NL80211_STA_FLAG_MAX,
3285 			     nla, sta_flags_policy))
3286 		return -EINVAL;
3287 
3288 	/*
3289 	 * Only allow certain flags for interface types so that
3290 	 * other attributes are silently ignored. Remember that
3291 	 * this is backward compatibility code with old userspace
3292 	 * and shouldn't be hit in other cases anyway.
3293 	 */
3294 	switch (iftype) {
3295 	case NL80211_IFTYPE_AP:
3296 	case NL80211_IFTYPE_AP_VLAN:
3297 	case NL80211_IFTYPE_P2P_GO:
3298 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
3299 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
3300 					 BIT(NL80211_STA_FLAG_WME) |
3301 					 BIT(NL80211_STA_FLAG_MFP);
3302 		break;
3303 	case NL80211_IFTYPE_P2P_CLIENT:
3304 	case NL80211_IFTYPE_STATION:
3305 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
3306 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
3307 		break;
3308 	case NL80211_IFTYPE_MESH_POINT:
3309 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3310 					 BIT(NL80211_STA_FLAG_MFP) |
3311 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
3312 	default:
3313 		return -EINVAL;
3314 	}
3315 
3316 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
3317 		if (flags[flag]) {
3318 			params->sta_flags_set |= (1<<flag);
3319 
3320 			/* no longer support new API additions in old API */
3321 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
3322 				return -EINVAL;
3323 		}
3324 	}
3325 
3326 	return 0;
3327 }
3328 
3329 static bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info,
3330 				 int attr)
3331 {
3332 	struct nlattr *rate;
3333 	u32 bitrate;
3334 	u16 bitrate_compat;
3335 
3336 	rate = nla_nest_start(msg, attr);
3337 	if (!rate)
3338 		return false;
3339 
3340 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
3341 	bitrate = cfg80211_calculate_bitrate(info);
3342 	/* report 16-bit bitrate only if we can */
3343 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
3344 	if (bitrate > 0 &&
3345 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
3346 		return false;
3347 	if (bitrate_compat > 0 &&
3348 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
3349 		return false;
3350 
3351 	if (info->flags & RATE_INFO_FLAGS_MCS) {
3352 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
3353 			return false;
3354 		if (info->flags & RATE_INFO_FLAGS_40_MHZ_WIDTH &&
3355 		    nla_put_flag(msg, NL80211_RATE_INFO_40_MHZ_WIDTH))
3356 			return false;
3357 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3358 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3359 			return false;
3360 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
3361 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
3362 			return false;
3363 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
3364 			return false;
3365 		if (info->flags & RATE_INFO_FLAGS_40_MHZ_WIDTH &&
3366 		    nla_put_flag(msg, NL80211_RATE_INFO_40_MHZ_WIDTH))
3367 			return false;
3368 		if (info->flags & RATE_INFO_FLAGS_80_MHZ_WIDTH &&
3369 		    nla_put_flag(msg, NL80211_RATE_INFO_80_MHZ_WIDTH))
3370 			return false;
3371 		if (info->flags & RATE_INFO_FLAGS_80P80_MHZ_WIDTH &&
3372 		    nla_put_flag(msg, NL80211_RATE_INFO_80P80_MHZ_WIDTH))
3373 			return false;
3374 		if (info->flags & RATE_INFO_FLAGS_160_MHZ_WIDTH &&
3375 		    nla_put_flag(msg, NL80211_RATE_INFO_160_MHZ_WIDTH))
3376 			return false;
3377 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3378 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3379 			return false;
3380 	}
3381 
3382 	nla_nest_end(msg, rate);
3383 	return true;
3384 }
3385 
3386 static int nl80211_send_station(struct sk_buff *msg, u32 portid, u32 seq,
3387 				int flags,
3388 				struct cfg80211_registered_device *rdev,
3389 				struct net_device *dev,
3390 				const u8 *mac_addr, struct station_info *sinfo)
3391 {
3392 	void *hdr;
3393 	struct nlattr *sinfoattr, *bss_param;
3394 
3395 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_STATION);
3396 	if (!hdr)
3397 		return -1;
3398 
3399 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3400 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
3401 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
3402 		goto nla_put_failure;
3403 
3404 	sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
3405 	if (!sinfoattr)
3406 		goto nla_put_failure;
3407 	if ((sinfo->filled & STATION_INFO_CONNECTED_TIME) &&
3408 	    nla_put_u32(msg, NL80211_STA_INFO_CONNECTED_TIME,
3409 			sinfo->connected_time))
3410 		goto nla_put_failure;
3411 	if ((sinfo->filled & STATION_INFO_INACTIVE_TIME) &&
3412 	    nla_put_u32(msg, NL80211_STA_INFO_INACTIVE_TIME,
3413 			sinfo->inactive_time))
3414 		goto nla_put_failure;
3415 	if ((sinfo->filled & (STATION_INFO_RX_BYTES |
3416 			      STATION_INFO_RX_BYTES64)) &&
3417 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
3418 			(u32)sinfo->rx_bytes))
3419 		goto nla_put_failure;
3420 	if ((sinfo->filled & (STATION_INFO_TX_BYTES |
3421 			      STATION_INFO_TX_BYTES64)) &&
3422 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
3423 			(u32)sinfo->tx_bytes))
3424 		goto nla_put_failure;
3425 	if ((sinfo->filled & STATION_INFO_RX_BYTES64) &&
3426 	    nla_put_u64(msg, NL80211_STA_INFO_RX_BYTES64,
3427 			sinfo->rx_bytes))
3428 		goto nla_put_failure;
3429 	if ((sinfo->filled & STATION_INFO_TX_BYTES64) &&
3430 	    nla_put_u64(msg, NL80211_STA_INFO_TX_BYTES64,
3431 			sinfo->tx_bytes))
3432 		goto nla_put_failure;
3433 	if ((sinfo->filled & STATION_INFO_LLID) &&
3434 	    nla_put_u16(msg, NL80211_STA_INFO_LLID, sinfo->llid))
3435 		goto nla_put_failure;
3436 	if ((sinfo->filled & STATION_INFO_PLID) &&
3437 	    nla_put_u16(msg, NL80211_STA_INFO_PLID, sinfo->plid))
3438 		goto nla_put_failure;
3439 	if ((sinfo->filled & STATION_INFO_PLINK_STATE) &&
3440 	    nla_put_u8(msg, NL80211_STA_INFO_PLINK_STATE,
3441 		       sinfo->plink_state))
3442 		goto nla_put_failure;
3443 	switch (rdev->wiphy.signal_type) {
3444 	case CFG80211_SIGNAL_TYPE_MBM:
3445 		if ((sinfo->filled & STATION_INFO_SIGNAL) &&
3446 		    nla_put_u8(msg, NL80211_STA_INFO_SIGNAL,
3447 			       sinfo->signal))
3448 			goto nla_put_failure;
3449 		if ((sinfo->filled & STATION_INFO_SIGNAL_AVG) &&
3450 		    nla_put_u8(msg, NL80211_STA_INFO_SIGNAL_AVG,
3451 			       sinfo->signal_avg))
3452 			goto nla_put_failure;
3453 		break;
3454 	default:
3455 		break;
3456 	}
3457 	if (sinfo->filled & STATION_INFO_TX_BITRATE) {
3458 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
3459 					  NL80211_STA_INFO_TX_BITRATE))
3460 			goto nla_put_failure;
3461 	}
3462 	if (sinfo->filled & STATION_INFO_RX_BITRATE) {
3463 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
3464 					  NL80211_STA_INFO_RX_BITRATE))
3465 			goto nla_put_failure;
3466 	}
3467 	if ((sinfo->filled & STATION_INFO_RX_PACKETS) &&
3468 	    nla_put_u32(msg, NL80211_STA_INFO_RX_PACKETS,
3469 			sinfo->rx_packets))
3470 		goto nla_put_failure;
3471 	if ((sinfo->filled & STATION_INFO_TX_PACKETS) &&
3472 	    nla_put_u32(msg, NL80211_STA_INFO_TX_PACKETS,
3473 			sinfo->tx_packets))
3474 		goto nla_put_failure;
3475 	if ((sinfo->filled & STATION_INFO_TX_RETRIES) &&
3476 	    nla_put_u32(msg, NL80211_STA_INFO_TX_RETRIES,
3477 			sinfo->tx_retries))
3478 		goto nla_put_failure;
3479 	if ((sinfo->filled & STATION_INFO_TX_FAILED) &&
3480 	    nla_put_u32(msg, NL80211_STA_INFO_TX_FAILED,
3481 			sinfo->tx_failed))
3482 		goto nla_put_failure;
3483 	if ((sinfo->filled & STATION_INFO_BEACON_LOSS_COUNT) &&
3484 	    nla_put_u32(msg, NL80211_STA_INFO_BEACON_LOSS,
3485 			sinfo->beacon_loss_count))
3486 		goto nla_put_failure;
3487 	if ((sinfo->filled & STATION_INFO_LOCAL_PM) &&
3488 	    nla_put_u32(msg, NL80211_STA_INFO_LOCAL_PM,
3489 			sinfo->local_pm))
3490 		goto nla_put_failure;
3491 	if ((sinfo->filled & STATION_INFO_PEER_PM) &&
3492 	    nla_put_u32(msg, NL80211_STA_INFO_PEER_PM,
3493 			sinfo->peer_pm))
3494 		goto nla_put_failure;
3495 	if ((sinfo->filled & STATION_INFO_NONPEER_PM) &&
3496 	    nla_put_u32(msg, NL80211_STA_INFO_NONPEER_PM,
3497 			sinfo->nonpeer_pm))
3498 		goto nla_put_failure;
3499 	if (sinfo->filled & STATION_INFO_BSS_PARAM) {
3500 		bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
3501 		if (!bss_param)
3502 			goto nla_put_failure;
3503 
3504 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
3505 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
3506 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
3507 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
3508 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
3509 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
3510 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
3511 			       sinfo->bss_param.dtim_period) ||
3512 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
3513 				sinfo->bss_param.beacon_interval))
3514 			goto nla_put_failure;
3515 
3516 		nla_nest_end(msg, bss_param);
3517 	}
3518 	if ((sinfo->filled & STATION_INFO_STA_FLAGS) &&
3519 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
3520 		    sizeof(struct nl80211_sta_flag_update),
3521 		    &sinfo->sta_flags))
3522 		goto nla_put_failure;
3523 	if ((sinfo->filled & STATION_INFO_T_OFFSET) &&
3524 		nla_put_u64(msg, NL80211_STA_INFO_T_OFFSET,
3525 			    sinfo->t_offset))
3526 		goto nla_put_failure;
3527 	nla_nest_end(msg, sinfoattr);
3528 
3529 	if ((sinfo->filled & STATION_INFO_ASSOC_REQ_IES) &&
3530 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
3531 		    sinfo->assoc_req_ies))
3532 		goto nla_put_failure;
3533 
3534 	return genlmsg_end(msg, hdr);
3535 
3536  nla_put_failure:
3537 	genlmsg_cancel(msg, hdr);
3538 	return -EMSGSIZE;
3539 }
3540 
3541 static int nl80211_dump_station(struct sk_buff *skb,
3542 				struct netlink_callback *cb)
3543 {
3544 	struct station_info sinfo;
3545 	struct cfg80211_registered_device *dev;
3546 	struct wireless_dev *wdev;
3547 	u8 mac_addr[ETH_ALEN];
3548 	int sta_idx = cb->args[2];
3549 	int err;
3550 
3551 	err = nl80211_prepare_wdev_dump(skb, cb, &dev, &wdev);
3552 	if (err)
3553 		return err;
3554 
3555 	if (!wdev->netdev) {
3556 		err = -EINVAL;
3557 		goto out_err;
3558 	}
3559 
3560 	if (!dev->ops->dump_station) {
3561 		err = -EOPNOTSUPP;
3562 		goto out_err;
3563 	}
3564 
3565 	while (1) {
3566 		memset(&sinfo, 0, sizeof(sinfo));
3567 		err = rdev_dump_station(dev, wdev->netdev, sta_idx,
3568 					mac_addr, &sinfo);
3569 		if (err == -ENOENT)
3570 			break;
3571 		if (err)
3572 			goto out_err;
3573 
3574 		if (nl80211_send_station(skb,
3575 				NETLINK_CB(cb->skb).portid,
3576 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
3577 				dev, wdev->netdev, mac_addr,
3578 				&sinfo) < 0)
3579 			goto out;
3580 
3581 		sta_idx++;
3582 	}
3583 
3584 
3585  out:
3586 	cb->args[2] = sta_idx;
3587 	err = skb->len;
3588  out_err:
3589 	nl80211_finish_wdev_dump(dev);
3590 
3591 	return err;
3592 }
3593 
3594 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
3595 {
3596 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3597 	struct net_device *dev = info->user_ptr[1];
3598 	struct station_info sinfo;
3599 	struct sk_buff *msg;
3600 	u8 *mac_addr = NULL;
3601 	int err;
3602 
3603 	memset(&sinfo, 0, sizeof(sinfo));
3604 
3605 	if (!info->attrs[NL80211_ATTR_MAC])
3606 		return -EINVAL;
3607 
3608 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3609 
3610 	if (!rdev->ops->get_station)
3611 		return -EOPNOTSUPP;
3612 
3613 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
3614 	if (err)
3615 		return err;
3616 
3617 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3618 	if (!msg)
3619 		return -ENOMEM;
3620 
3621 	if (nl80211_send_station(msg, info->snd_portid, info->snd_seq, 0,
3622 				 rdev, dev, mac_addr, &sinfo) < 0) {
3623 		nlmsg_free(msg);
3624 		return -ENOBUFS;
3625 	}
3626 
3627 	return genlmsg_reply(msg, info);
3628 }
3629 
3630 int cfg80211_check_station_change(struct wiphy *wiphy,
3631 				  struct station_parameters *params,
3632 				  enum cfg80211_station_type statype)
3633 {
3634 	if (params->listen_interval != -1)
3635 		return -EINVAL;
3636 	if (params->aid)
3637 		return -EINVAL;
3638 
3639 	/* When you run into this, adjust the code below for the new flag */
3640 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
3641 
3642 	switch (statype) {
3643 	case CFG80211_STA_MESH_PEER_KERNEL:
3644 	case CFG80211_STA_MESH_PEER_USER:
3645 		/*
3646 		 * No ignoring the TDLS flag here -- the userspace mesh
3647 		 * code doesn't have the bug of including TDLS in the
3648 		 * mask everywhere.
3649 		 */
3650 		if (params->sta_flags_mask &
3651 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3652 				  BIT(NL80211_STA_FLAG_MFP) |
3653 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
3654 			return -EINVAL;
3655 		break;
3656 	case CFG80211_STA_TDLS_PEER_SETUP:
3657 	case CFG80211_STA_TDLS_PEER_ACTIVE:
3658 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
3659 			return -EINVAL;
3660 		/* ignore since it can't change */
3661 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3662 		break;
3663 	default:
3664 		/* disallow mesh-specific things */
3665 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
3666 			return -EINVAL;
3667 		if (params->local_pm)
3668 			return -EINVAL;
3669 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
3670 			return -EINVAL;
3671 	}
3672 
3673 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
3674 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
3675 		/* TDLS can't be set, ... */
3676 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3677 			return -EINVAL;
3678 		/*
3679 		 * ... but don't bother the driver with it. This works around
3680 		 * a hostapd/wpa_supplicant issue -- it always includes the
3681 		 * TLDS_PEER flag in the mask even for AP mode.
3682 		 */
3683 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3684 	}
3685 
3686 	if (statype != CFG80211_STA_TDLS_PEER_SETUP) {
3687 		/* reject other things that can't change */
3688 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
3689 			return -EINVAL;
3690 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
3691 			return -EINVAL;
3692 		if (params->supported_rates)
3693 			return -EINVAL;
3694 		if (params->ext_capab || params->ht_capa || params->vht_capa)
3695 			return -EINVAL;
3696 	}
3697 
3698 	if (statype != CFG80211_STA_AP_CLIENT) {
3699 		if (params->vlan)
3700 			return -EINVAL;
3701 	}
3702 
3703 	switch (statype) {
3704 	case CFG80211_STA_AP_MLME_CLIENT:
3705 		/* Use this only for authorizing/unauthorizing a station */
3706 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
3707 			return -EOPNOTSUPP;
3708 		break;
3709 	case CFG80211_STA_AP_CLIENT:
3710 		/* accept only the listed bits */
3711 		if (params->sta_flags_mask &
3712 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
3713 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3714 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
3715 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
3716 				  BIT(NL80211_STA_FLAG_WME) |
3717 				  BIT(NL80211_STA_FLAG_MFP)))
3718 			return -EINVAL;
3719 
3720 		/* but authenticated/associated only if driver handles it */
3721 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
3722 		    params->sta_flags_mask &
3723 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3724 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
3725 			return -EINVAL;
3726 		break;
3727 	case CFG80211_STA_IBSS:
3728 	case CFG80211_STA_AP_STA:
3729 		/* reject any changes other than AUTHORIZED */
3730 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
3731 			return -EINVAL;
3732 		break;
3733 	case CFG80211_STA_TDLS_PEER_SETUP:
3734 		/* reject any changes other than AUTHORIZED or WME */
3735 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
3736 					       BIT(NL80211_STA_FLAG_WME)))
3737 			return -EINVAL;
3738 		/* force (at least) rates when authorizing */
3739 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
3740 		    !params->supported_rates)
3741 			return -EINVAL;
3742 		break;
3743 	case CFG80211_STA_TDLS_PEER_ACTIVE:
3744 		/* reject any changes */
3745 		return -EINVAL;
3746 	case CFG80211_STA_MESH_PEER_KERNEL:
3747 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
3748 			return -EINVAL;
3749 		break;
3750 	case CFG80211_STA_MESH_PEER_USER:
3751 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
3752 			return -EINVAL;
3753 		break;
3754 	}
3755 
3756 	return 0;
3757 }
3758 EXPORT_SYMBOL(cfg80211_check_station_change);
3759 
3760 /*
3761  * Get vlan interface making sure it is running and on the right wiphy.
3762  */
3763 static struct net_device *get_vlan(struct genl_info *info,
3764 				   struct cfg80211_registered_device *rdev)
3765 {
3766 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
3767 	struct net_device *v;
3768 	int ret;
3769 
3770 	if (!vlanattr)
3771 		return NULL;
3772 
3773 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
3774 	if (!v)
3775 		return ERR_PTR(-ENODEV);
3776 
3777 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
3778 		ret = -EINVAL;
3779 		goto error;
3780 	}
3781 
3782 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
3783 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3784 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3785 		ret = -EINVAL;
3786 		goto error;
3787 	}
3788 
3789 	if (!netif_running(v)) {
3790 		ret = -ENETDOWN;
3791 		goto error;
3792 	}
3793 
3794 	return v;
3795  error:
3796 	dev_put(v);
3797 	return ERR_PTR(ret);
3798 }
3799 
3800 static struct nla_policy
3801 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] __read_mostly = {
3802 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
3803 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
3804 };
3805 
3806 static int nl80211_parse_sta_wme(struct genl_info *info,
3807 				 struct station_parameters *params)
3808 {
3809 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
3810 	struct nlattr *nla;
3811 	int err;
3812 
3813 	/* parse WME attributes if present */
3814 	if (!info->attrs[NL80211_ATTR_STA_WME])
3815 		return 0;
3816 
3817 	nla = info->attrs[NL80211_ATTR_STA_WME];
3818 	err = nla_parse_nested(tb, NL80211_STA_WME_MAX, nla,
3819 			       nl80211_sta_wme_policy);
3820 	if (err)
3821 		return err;
3822 
3823 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
3824 		params->uapsd_queues = nla_get_u8(
3825 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
3826 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
3827 		return -EINVAL;
3828 
3829 	if (tb[NL80211_STA_WME_MAX_SP])
3830 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
3831 
3832 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
3833 		return -EINVAL;
3834 
3835 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
3836 
3837 	return 0;
3838 }
3839 
3840 static int nl80211_set_station_tdls(struct genl_info *info,
3841 				    struct station_parameters *params)
3842 {
3843 	/* Dummy STA entry gets updated once the peer capabilities are known */
3844 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
3845 		params->ht_capa =
3846 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
3847 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
3848 		params->vht_capa =
3849 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
3850 
3851 	return nl80211_parse_sta_wme(info, params);
3852 }
3853 
3854 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
3855 {
3856 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3857 	struct net_device *dev = info->user_ptr[1];
3858 	struct station_parameters params;
3859 	u8 *mac_addr;
3860 	int err;
3861 
3862 	memset(&params, 0, sizeof(params));
3863 
3864 	params.listen_interval = -1;
3865 
3866 	if (!rdev->ops->change_station)
3867 		return -EOPNOTSUPP;
3868 
3869 	if (info->attrs[NL80211_ATTR_STA_AID])
3870 		return -EINVAL;
3871 
3872 	if (!info->attrs[NL80211_ATTR_MAC])
3873 		return -EINVAL;
3874 
3875 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3876 
3877 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
3878 		params.supported_rates =
3879 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3880 		params.supported_rates_len =
3881 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3882 	}
3883 
3884 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
3885 		params.capability =
3886 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
3887 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
3888 	}
3889 
3890 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
3891 		params.ext_capab =
3892 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
3893 		params.ext_capab_len =
3894 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
3895 	}
3896 
3897 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
3898 		return -EINVAL;
3899 
3900 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
3901 		return -EINVAL;
3902 
3903 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
3904 		params.plink_action =
3905 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
3906 		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
3907 			return -EINVAL;
3908 	}
3909 
3910 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
3911 		params.plink_state =
3912 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
3913 		if (params.plink_state >= NUM_NL80211_PLINK_STATES)
3914 			return -EINVAL;
3915 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
3916 	}
3917 
3918 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]) {
3919 		enum nl80211_mesh_power_mode pm = nla_get_u32(
3920 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
3921 
3922 		if (pm <= NL80211_MESH_POWER_UNKNOWN ||
3923 		    pm > NL80211_MESH_POWER_MAX)
3924 			return -EINVAL;
3925 
3926 		params.local_pm = pm;
3927 	}
3928 
3929 	/* Include parameters for TDLS peer (will check later) */
3930 	err = nl80211_set_station_tdls(info, &params);
3931 	if (err)
3932 		return err;
3933 
3934 	params.vlan = get_vlan(info, rdev);
3935 	if (IS_ERR(params.vlan))
3936 		return PTR_ERR(params.vlan);
3937 
3938 	switch (dev->ieee80211_ptr->iftype) {
3939 	case NL80211_IFTYPE_AP:
3940 	case NL80211_IFTYPE_AP_VLAN:
3941 	case NL80211_IFTYPE_P2P_GO:
3942 	case NL80211_IFTYPE_P2P_CLIENT:
3943 	case NL80211_IFTYPE_STATION:
3944 	case NL80211_IFTYPE_ADHOC:
3945 	case NL80211_IFTYPE_MESH_POINT:
3946 		break;
3947 	default:
3948 		err = -EOPNOTSUPP;
3949 		goto out_put_vlan;
3950 	}
3951 
3952 	/* driver will call cfg80211_check_station_change() */
3953 	err = rdev_change_station(rdev, dev, mac_addr, &params);
3954 
3955  out_put_vlan:
3956 	if (params.vlan)
3957 		dev_put(params.vlan);
3958 
3959 	return err;
3960 }
3961 
3962 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
3963 {
3964 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3965 	int err;
3966 	struct net_device *dev = info->user_ptr[1];
3967 	struct station_parameters params;
3968 	u8 *mac_addr = NULL;
3969 
3970 	memset(&params, 0, sizeof(params));
3971 
3972 	if (!rdev->ops->add_station)
3973 		return -EOPNOTSUPP;
3974 
3975 	if (!info->attrs[NL80211_ATTR_MAC])
3976 		return -EINVAL;
3977 
3978 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
3979 		return -EINVAL;
3980 
3981 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
3982 		return -EINVAL;
3983 
3984 	if (!info->attrs[NL80211_ATTR_STA_AID])
3985 		return -EINVAL;
3986 
3987 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3988 	params.supported_rates =
3989 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3990 	params.supported_rates_len =
3991 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3992 	params.listen_interval =
3993 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
3994 
3995 	params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
3996 	if (!params.aid || params.aid > IEEE80211_MAX_AID)
3997 		return -EINVAL;
3998 
3999 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
4000 		params.capability =
4001 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
4002 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
4003 	}
4004 
4005 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
4006 		params.ext_capab =
4007 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4008 		params.ext_capab_len =
4009 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4010 	}
4011 
4012 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
4013 		params.ht_capa =
4014 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
4015 
4016 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
4017 		params.vht_capa =
4018 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
4019 
4020 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
4021 		params.plink_action =
4022 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
4023 		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
4024 			return -EINVAL;
4025 	}
4026 
4027 	err = nl80211_parse_sta_wme(info, &params);
4028 	if (err)
4029 		return err;
4030 
4031 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
4032 		return -EINVAL;
4033 
4034 	/* When you run into this, adjust the code below for the new flag */
4035 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
4036 
4037 	switch (dev->ieee80211_ptr->iftype) {
4038 	case NL80211_IFTYPE_AP:
4039 	case NL80211_IFTYPE_AP_VLAN:
4040 	case NL80211_IFTYPE_P2P_GO:
4041 		/* ignore WME attributes if iface/sta is not capable */
4042 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
4043 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
4044 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4045 
4046 		/* TDLS peers cannot be added */
4047 		if (params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
4048 			return -EINVAL;
4049 		/* but don't bother the driver with it */
4050 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
4051 
4052 		/* allow authenticated/associated only if driver handles it */
4053 		if (!(rdev->wiphy.features &
4054 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
4055 		    params.sta_flags_mask &
4056 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4057 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
4058 			return -EINVAL;
4059 
4060 		/* must be last in here for error handling */
4061 		params.vlan = get_vlan(info, rdev);
4062 		if (IS_ERR(params.vlan))
4063 			return PTR_ERR(params.vlan);
4064 		break;
4065 	case NL80211_IFTYPE_MESH_POINT:
4066 		/* ignore uAPSD data */
4067 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4068 
4069 		/* associated is disallowed */
4070 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
4071 			return -EINVAL;
4072 		/* TDLS peers cannot be added */
4073 		if (params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
4074 			return -EINVAL;
4075 		break;
4076 	case NL80211_IFTYPE_STATION:
4077 	case NL80211_IFTYPE_P2P_CLIENT:
4078 		/* ignore uAPSD data */
4079 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4080 
4081 		/* these are disallowed */
4082 		if (params.sta_flags_mask &
4083 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
4084 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
4085 			return -EINVAL;
4086 		/* Only TDLS peers can be added */
4087 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
4088 			return -EINVAL;
4089 		/* Can only add if TDLS ... */
4090 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
4091 			return -EOPNOTSUPP;
4092 		/* ... with external setup is supported */
4093 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
4094 			return -EOPNOTSUPP;
4095 		/*
4096 		 * Older wpa_supplicant versions always mark the TDLS peer
4097 		 * as authorized, but it shouldn't yet be.
4098 		 */
4099 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
4100 		break;
4101 	default:
4102 		return -EOPNOTSUPP;
4103 	}
4104 
4105 	/* be aware of params.vlan when changing code here */
4106 
4107 	err = rdev_add_station(rdev, dev, mac_addr, &params);
4108 
4109 	if (params.vlan)
4110 		dev_put(params.vlan);
4111 	return err;
4112 }
4113 
4114 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
4115 {
4116 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4117 	struct net_device *dev = info->user_ptr[1];
4118 	u8 *mac_addr = NULL;
4119 
4120 	if (info->attrs[NL80211_ATTR_MAC])
4121 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4122 
4123 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4124 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
4125 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
4126 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4127 		return -EINVAL;
4128 
4129 	if (!rdev->ops->del_station)
4130 		return -EOPNOTSUPP;
4131 
4132 	return rdev_del_station(rdev, dev, mac_addr);
4133 }
4134 
4135 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
4136 				int flags, struct net_device *dev,
4137 				u8 *dst, u8 *next_hop,
4138 				struct mpath_info *pinfo)
4139 {
4140 	void *hdr;
4141 	struct nlattr *pinfoattr;
4142 
4143 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_STATION);
4144 	if (!hdr)
4145 		return -1;
4146 
4147 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4148 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
4149 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
4150 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
4151 		goto nla_put_failure;
4152 
4153 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MPATH_INFO);
4154 	if (!pinfoattr)
4155 		goto nla_put_failure;
4156 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
4157 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
4158 			pinfo->frame_qlen))
4159 		goto nla_put_failure;
4160 	if (((pinfo->filled & MPATH_INFO_SN) &&
4161 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
4162 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
4163 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
4164 			 pinfo->metric)) ||
4165 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
4166 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
4167 			 pinfo->exptime)) ||
4168 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
4169 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
4170 			pinfo->flags)) ||
4171 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
4172 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
4173 			 pinfo->discovery_timeout)) ||
4174 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
4175 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
4176 			pinfo->discovery_retries)))
4177 		goto nla_put_failure;
4178 
4179 	nla_nest_end(msg, pinfoattr);
4180 
4181 	return genlmsg_end(msg, hdr);
4182 
4183  nla_put_failure:
4184 	genlmsg_cancel(msg, hdr);
4185 	return -EMSGSIZE;
4186 }
4187 
4188 static int nl80211_dump_mpath(struct sk_buff *skb,
4189 			      struct netlink_callback *cb)
4190 {
4191 	struct mpath_info pinfo;
4192 	struct cfg80211_registered_device *dev;
4193 	struct wireless_dev *wdev;
4194 	u8 dst[ETH_ALEN];
4195 	u8 next_hop[ETH_ALEN];
4196 	int path_idx = cb->args[2];
4197 	int err;
4198 
4199 	err = nl80211_prepare_wdev_dump(skb, cb, &dev, &wdev);
4200 	if (err)
4201 		return err;
4202 
4203 	if (!dev->ops->dump_mpath) {
4204 		err = -EOPNOTSUPP;
4205 		goto out_err;
4206 	}
4207 
4208 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
4209 		err = -EOPNOTSUPP;
4210 		goto out_err;
4211 	}
4212 
4213 	while (1) {
4214 		err = rdev_dump_mpath(dev, wdev->netdev, path_idx, dst,
4215 				      next_hop, &pinfo);
4216 		if (err == -ENOENT)
4217 			break;
4218 		if (err)
4219 			goto out_err;
4220 
4221 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
4222 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4223 				       wdev->netdev, dst, next_hop,
4224 				       &pinfo) < 0)
4225 			goto out;
4226 
4227 		path_idx++;
4228 	}
4229 
4230 
4231  out:
4232 	cb->args[2] = path_idx;
4233 	err = skb->len;
4234  out_err:
4235 	nl80211_finish_wdev_dump(dev);
4236 	return err;
4237 }
4238 
4239 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
4240 {
4241 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4242 	int err;
4243 	struct net_device *dev = info->user_ptr[1];
4244 	struct mpath_info pinfo;
4245 	struct sk_buff *msg;
4246 	u8 *dst = NULL;
4247 	u8 next_hop[ETH_ALEN];
4248 
4249 	memset(&pinfo, 0, sizeof(pinfo));
4250 
4251 	if (!info->attrs[NL80211_ATTR_MAC])
4252 		return -EINVAL;
4253 
4254 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4255 
4256 	if (!rdev->ops->get_mpath)
4257 		return -EOPNOTSUPP;
4258 
4259 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4260 		return -EOPNOTSUPP;
4261 
4262 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
4263 	if (err)
4264 		return err;
4265 
4266 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4267 	if (!msg)
4268 		return -ENOMEM;
4269 
4270 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
4271 				 dev, dst, next_hop, &pinfo) < 0) {
4272 		nlmsg_free(msg);
4273 		return -ENOBUFS;
4274 	}
4275 
4276 	return genlmsg_reply(msg, info);
4277 }
4278 
4279 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
4280 {
4281 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4282 	struct net_device *dev = info->user_ptr[1];
4283 	u8 *dst = NULL;
4284 	u8 *next_hop = NULL;
4285 
4286 	if (!info->attrs[NL80211_ATTR_MAC])
4287 		return -EINVAL;
4288 
4289 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
4290 		return -EINVAL;
4291 
4292 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4293 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
4294 
4295 	if (!rdev->ops->change_mpath)
4296 		return -EOPNOTSUPP;
4297 
4298 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4299 		return -EOPNOTSUPP;
4300 
4301 	return rdev_change_mpath(rdev, dev, dst, next_hop);
4302 }
4303 
4304 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
4305 {
4306 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4307 	struct net_device *dev = info->user_ptr[1];
4308 	u8 *dst = NULL;
4309 	u8 *next_hop = NULL;
4310 
4311 	if (!info->attrs[NL80211_ATTR_MAC])
4312 		return -EINVAL;
4313 
4314 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
4315 		return -EINVAL;
4316 
4317 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4318 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
4319 
4320 	if (!rdev->ops->add_mpath)
4321 		return -EOPNOTSUPP;
4322 
4323 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4324 		return -EOPNOTSUPP;
4325 
4326 	return rdev_add_mpath(rdev, dev, dst, next_hop);
4327 }
4328 
4329 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
4330 {
4331 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4332 	struct net_device *dev = info->user_ptr[1];
4333 	u8 *dst = NULL;
4334 
4335 	if (info->attrs[NL80211_ATTR_MAC])
4336 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4337 
4338 	if (!rdev->ops->del_mpath)
4339 		return -EOPNOTSUPP;
4340 
4341 	return rdev_del_mpath(rdev, dev, dst);
4342 }
4343 
4344 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
4345 {
4346 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4347 	struct net_device *dev = info->user_ptr[1];
4348 	struct bss_parameters params;
4349 
4350 	memset(&params, 0, sizeof(params));
4351 	/* default to not changing parameters */
4352 	params.use_cts_prot = -1;
4353 	params.use_short_preamble = -1;
4354 	params.use_short_slot_time = -1;
4355 	params.ap_isolate = -1;
4356 	params.ht_opmode = -1;
4357 	params.p2p_ctwindow = -1;
4358 	params.p2p_opp_ps = -1;
4359 
4360 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
4361 		params.use_cts_prot =
4362 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
4363 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
4364 		params.use_short_preamble =
4365 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
4366 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
4367 		params.use_short_slot_time =
4368 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
4369 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
4370 		params.basic_rates =
4371 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
4372 		params.basic_rates_len =
4373 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
4374 	}
4375 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
4376 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
4377 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
4378 		params.ht_opmode =
4379 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
4380 
4381 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
4382 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4383 			return -EINVAL;
4384 		params.p2p_ctwindow =
4385 			nla_get_s8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
4386 		if (params.p2p_ctwindow < 0)
4387 			return -EINVAL;
4388 		if (params.p2p_ctwindow != 0 &&
4389 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
4390 			return -EINVAL;
4391 	}
4392 
4393 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
4394 		u8 tmp;
4395 
4396 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4397 			return -EINVAL;
4398 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
4399 		if (tmp > 1)
4400 			return -EINVAL;
4401 		params.p2p_opp_ps = tmp;
4402 		if (params.p2p_opp_ps &&
4403 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
4404 			return -EINVAL;
4405 	}
4406 
4407 	if (!rdev->ops->change_bss)
4408 		return -EOPNOTSUPP;
4409 
4410 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4411 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4412 		return -EOPNOTSUPP;
4413 
4414 	return rdev_change_bss(rdev, dev, &params);
4415 }
4416 
4417 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
4418 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
4419 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
4420 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
4421 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
4422 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
4423 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
4424 };
4425 
4426 static int parse_reg_rule(struct nlattr *tb[],
4427 	struct ieee80211_reg_rule *reg_rule)
4428 {
4429 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
4430 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
4431 
4432 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
4433 		return -EINVAL;
4434 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
4435 		return -EINVAL;
4436 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
4437 		return -EINVAL;
4438 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
4439 		return -EINVAL;
4440 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
4441 		return -EINVAL;
4442 
4443 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
4444 
4445 	freq_range->start_freq_khz =
4446 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
4447 	freq_range->end_freq_khz =
4448 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
4449 	freq_range->max_bandwidth_khz =
4450 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
4451 
4452 	power_rule->max_eirp =
4453 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
4454 
4455 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
4456 		power_rule->max_antenna_gain =
4457 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
4458 
4459 	return 0;
4460 }
4461 
4462 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
4463 {
4464 	int r;
4465 	char *data = NULL;
4466 	enum nl80211_user_reg_hint_type user_reg_hint_type;
4467 
4468 	/*
4469 	 * You should only get this when cfg80211 hasn't yet initialized
4470 	 * completely when built-in to the kernel right between the time
4471 	 * window between nl80211_init() and regulatory_init(), if that is
4472 	 * even possible.
4473 	 */
4474 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
4475 		return -EINPROGRESS;
4476 
4477 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
4478 		return -EINVAL;
4479 
4480 	data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
4481 
4482 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
4483 		user_reg_hint_type =
4484 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
4485 	else
4486 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
4487 
4488 	switch (user_reg_hint_type) {
4489 	case NL80211_USER_REG_HINT_USER:
4490 	case NL80211_USER_REG_HINT_CELL_BASE:
4491 		break;
4492 	default:
4493 		return -EINVAL;
4494 	}
4495 
4496 	r = regulatory_hint_user(data, user_reg_hint_type);
4497 
4498 	return r;
4499 }
4500 
4501 static int nl80211_get_mesh_config(struct sk_buff *skb,
4502 				   struct genl_info *info)
4503 {
4504 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4505 	struct net_device *dev = info->user_ptr[1];
4506 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4507 	struct mesh_config cur_params;
4508 	int err = 0;
4509 	void *hdr;
4510 	struct nlattr *pinfoattr;
4511 	struct sk_buff *msg;
4512 
4513 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
4514 		return -EOPNOTSUPP;
4515 
4516 	if (!rdev->ops->get_mesh_config)
4517 		return -EOPNOTSUPP;
4518 
4519 	wdev_lock(wdev);
4520 	/* If not connected, get default parameters */
4521 	if (!wdev->mesh_id_len)
4522 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
4523 	else
4524 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
4525 	wdev_unlock(wdev);
4526 
4527 	if (err)
4528 		return err;
4529 
4530 	/* Draw up a netlink message to send back */
4531 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4532 	if (!msg)
4533 		return -ENOMEM;
4534 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4535 			     NL80211_CMD_GET_MESH_CONFIG);
4536 	if (!hdr)
4537 		goto out;
4538 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MESH_CONFIG);
4539 	if (!pinfoattr)
4540 		goto nla_put_failure;
4541 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4542 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
4543 			cur_params.dot11MeshRetryTimeout) ||
4544 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
4545 			cur_params.dot11MeshConfirmTimeout) ||
4546 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
4547 			cur_params.dot11MeshHoldingTimeout) ||
4548 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
4549 			cur_params.dot11MeshMaxPeerLinks) ||
4550 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
4551 		       cur_params.dot11MeshMaxRetries) ||
4552 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
4553 		       cur_params.dot11MeshTTL) ||
4554 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
4555 		       cur_params.element_ttl) ||
4556 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
4557 		       cur_params.auto_open_plinks) ||
4558 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
4559 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
4560 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
4561 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
4562 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
4563 			cur_params.path_refresh_time) ||
4564 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
4565 			cur_params.min_discovery_timeout) ||
4566 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
4567 			cur_params.dot11MeshHWMPactivePathTimeout) ||
4568 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
4569 			cur_params.dot11MeshHWMPpreqMinInterval) ||
4570 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
4571 			cur_params.dot11MeshHWMPperrMinInterval) ||
4572 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
4573 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
4574 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
4575 		       cur_params.dot11MeshHWMPRootMode) ||
4576 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
4577 			cur_params.dot11MeshHWMPRannInterval) ||
4578 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
4579 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
4580 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
4581 		       cur_params.dot11MeshForwarding) ||
4582 	    nla_put_u32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
4583 			cur_params.rssi_threshold) ||
4584 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
4585 			cur_params.ht_opmode) ||
4586 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
4587 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
4588 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
4589 			cur_params.dot11MeshHWMProotInterval) ||
4590 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
4591 			cur_params.dot11MeshHWMPconfirmationInterval) ||
4592 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
4593 			cur_params.power_mode) ||
4594 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
4595 			cur_params.dot11MeshAwakeWindowDuration))
4596 		goto nla_put_failure;
4597 	nla_nest_end(msg, pinfoattr);
4598 	genlmsg_end(msg, hdr);
4599 	return genlmsg_reply(msg, info);
4600 
4601  nla_put_failure:
4602 	genlmsg_cancel(msg, hdr);
4603  out:
4604 	nlmsg_free(msg);
4605 	return -ENOBUFS;
4606 }
4607 
4608 static const struct nla_policy nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
4609 	[NL80211_MESHCONF_RETRY_TIMEOUT] = { .type = NLA_U16 },
4610 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] = { .type = NLA_U16 },
4611 	[NL80211_MESHCONF_HOLDING_TIMEOUT] = { .type = NLA_U16 },
4612 	[NL80211_MESHCONF_MAX_PEER_LINKS] = { .type = NLA_U16 },
4613 	[NL80211_MESHCONF_MAX_RETRIES] = { .type = NLA_U8 },
4614 	[NL80211_MESHCONF_TTL] = { .type = NLA_U8 },
4615 	[NL80211_MESHCONF_ELEMENT_TTL] = { .type = NLA_U8 },
4616 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = { .type = NLA_U8 },
4617 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] = { .type = NLA_U32 },
4618 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
4619 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
4620 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = { .type = NLA_U16 },
4621 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
4622 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] = { .type = NLA_U16 },
4623 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] = { .type = NLA_U16 },
4624 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] = { .type = NLA_U16 },
4625 	[NL80211_MESHCONF_HWMP_ROOTMODE] = { .type = NLA_U8 },
4626 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] = { .type = NLA_U16 },
4627 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = { .type = NLA_U8 },
4628 	[NL80211_MESHCONF_FORWARDING] = { .type = NLA_U8 },
4629 	[NL80211_MESHCONF_RSSI_THRESHOLD] = { .type = NLA_U32 },
4630 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
4631 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
4632 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] = { .type = NLA_U16 },
4633 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] = { .type = NLA_U16 },
4634 	[NL80211_MESHCONF_POWER_MODE] = { .type = NLA_U32 },
4635 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
4636 };
4637 
4638 static const struct nla_policy
4639 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
4640 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
4641 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
4642 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
4643 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
4644 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
4645 	[NL80211_MESH_SETUP_IE] = { .type = NLA_BINARY,
4646 				    .len = IEEE80211_MAX_DATA_LEN },
4647 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
4648 };
4649 
4650 static int nl80211_parse_mesh_config(struct genl_info *info,
4651 				     struct mesh_config *cfg,
4652 				     u32 *mask_out)
4653 {
4654 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
4655 	u32 mask = 0;
4656 
4657 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, min, max, mask, attr, fn) \
4658 do {									    \
4659 	if (tb[attr]) {							    \
4660 		if (fn(tb[attr]) < min || fn(tb[attr]) > max)		    \
4661 			return -EINVAL;					    \
4662 		cfg->param = fn(tb[attr]);				    \
4663 		mask |= (1 << (attr - 1));				    \
4664 	}								    \
4665 } while (0)
4666 
4667 
4668 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
4669 		return -EINVAL;
4670 	if (nla_parse_nested(tb, NL80211_MESHCONF_ATTR_MAX,
4671 			     info->attrs[NL80211_ATTR_MESH_CONFIG],
4672 			     nl80211_meshconf_params_policy))
4673 		return -EINVAL;
4674 
4675 	/* This makes sure that there aren't more than 32 mesh config
4676 	 * parameters (otherwise our bitfield scheme would not work.) */
4677 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
4678 
4679 	/* Fill in the params struct */
4680 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, 1, 255,
4681 				  mask, NL80211_MESHCONF_RETRY_TIMEOUT,
4682 				  nla_get_u16);
4683 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, 1, 255,
4684 				  mask, NL80211_MESHCONF_CONFIRM_TIMEOUT,
4685 				  nla_get_u16);
4686 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, 1, 255,
4687 				  mask, NL80211_MESHCONF_HOLDING_TIMEOUT,
4688 				  nla_get_u16);
4689 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, 0, 255,
4690 				  mask, NL80211_MESHCONF_MAX_PEER_LINKS,
4691 				  nla_get_u16);
4692 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, 0, 16,
4693 				  mask, NL80211_MESHCONF_MAX_RETRIES,
4694 				  nla_get_u8);
4695 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, 1, 255,
4696 				  mask, NL80211_MESHCONF_TTL, nla_get_u8);
4697 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, 1, 255,
4698 				  mask, NL80211_MESHCONF_ELEMENT_TTL,
4699 				  nla_get_u8);
4700 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, 0, 1,
4701 				  mask, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
4702 				  nla_get_u8);
4703 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
4704 				  1, 255, mask,
4705 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
4706 				  nla_get_u32);
4707 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, 0, 255,
4708 				  mask, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
4709 				  nla_get_u8);
4710 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, 1, 65535,
4711 				  mask, NL80211_MESHCONF_PATH_REFRESH_TIME,
4712 				  nla_get_u32);
4713 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, 1, 65535,
4714 				  mask, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
4715 				  nla_get_u16);
4716 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
4717 				  1, 65535, mask,
4718 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
4719 				  nla_get_u32);
4720 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval,
4721 				  1, 65535, mask,
4722 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
4723 				  nla_get_u16);
4724 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval,
4725 				  1, 65535, mask,
4726 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
4727 				  nla_get_u16);
4728 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
4729 				  dot11MeshHWMPnetDiameterTraversalTime,
4730 				  1, 65535, mask,
4731 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
4732 				  nla_get_u16);
4733 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, 0, 4,
4734 				  mask, NL80211_MESHCONF_HWMP_ROOTMODE,
4735 				  nla_get_u8);
4736 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, 1, 65535,
4737 				  mask, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
4738 				  nla_get_u16);
4739 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
4740 				  dot11MeshGateAnnouncementProtocol, 0, 1,
4741 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
4742 				  nla_get_u8);
4743 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, 0, 1,
4744 				  mask, NL80211_MESHCONF_FORWARDING,
4745 				  nla_get_u8);
4746 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, 1, 255,
4747 				  mask, NL80211_MESHCONF_RSSI_THRESHOLD,
4748 				  nla_get_u32);
4749 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, ht_opmode, 0, 16,
4750 				  mask, NL80211_MESHCONF_HT_OPMODE,
4751 				  nla_get_u16);
4752 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathToRootTimeout,
4753 				  1, 65535, mask,
4754 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
4755 				  nla_get_u32);
4756 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, 1, 65535,
4757 				  mask, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
4758 				  nla_get_u16);
4759 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
4760 				  dot11MeshHWMPconfirmationInterval,
4761 				  1, 65535, mask,
4762 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
4763 				  nla_get_u16);
4764 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode,
4765 				  NL80211_MESH_POWER_ACTIVE,
4766 				  NL80211_MESH_POWER_MAX,
4767 				  mask, NL80211_MESHCONF_POWER_MODE,
4768 				  nla_get_u32);
4769 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration,
4770 				  0, 65535, mask,
4771 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
4772 	if (mask_out)
4773 		*mask_out = mask;
4774 
4775 	return 0;
4776 
4777 #undef FILL_IN_MESH_PARAM_IF_SET
4778 }
4779 
4780 static int nl80211_parse_mesh_setup(struct genl_info *info,
4781 				     struct mesh_setup *setup)
4782 {
4783 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4784 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
4785 
4786 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
4787 		return -EINVAL;
4788 	if (nla_parse_nested(tb, NL80211_MESH_SETUP_ATTR_MAX,
4789 			     info->attrs[NL80211_ATTR_MESH_SETUP],
4790 			     nl80211_mesh_setup_params_policy))
4791 		return -EINVAL;
4792 
4793 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
4794 		setup->sync_method =
4795 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
4796 		 IEEE80211_SYNC_METHOD_VENDOR :
4797 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
4798 
4799 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
4800 		setup->path_sel_proto =
4801 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
4802 		 IEEE80211_PATH_PROTOCOL_VENDOR :
4803 		 IEEE80211_PATH_PROTOCOL_HWMP;
4804 
4805 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
4806 		setup->path_metric =
4807 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
4808 		 IEEE80211_PATH_METRIC_VENDOR :
4809 		 IEEE80211_PATH_METRIC_AIRTIME;
4810 
4811 
4812 	if (tb[NL80211_MESH_SETUP_IE]) {
4813 		struct nlattr *ieattr =
4814 			tb[NL80211_MESH_SETUP_IE];
4815 		if (!is_valid_ie_attr(ieattr))
4816 			return -EINVAL;
4817 		setup->ie = nla_data(ieattr);
4818 		setup->ie_len = nla_len(ieattr);
4819 	}
4820 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
4821 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
4822 		return -EINVAL;
4823 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
4824 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
4825 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
4826 	if (setup->is_secure)
4827 		setup->user_mpm = true;
4828 
4829 	return 0;
4830 }
4831 
4832 static int nl80211_update_mesh_config(struct sk_buff *skb,
4833 				      struct genl_info *info)
4834 {
4835 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4836 	struct net_device *dev = info->user_ptr[1];
4837 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4838 	struct mesh_config cfg;
4839 	u32 mask;
4840 	int err;
4841 
4842 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
4843 		return -EOPNOTSUPP;
4844 
4845 	if (!rdev->ops->update_mesh_config)
4846 		return -EOPNOTSUPP;
4847 
4848 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
4849 	if (err)
4850 		return err;
4851 
4852 	wdev_lock(wdev);
4853 	if (!wdev->mesh_id_len)
4854 		err = -ENOLINK;
4855 
4856 	if (!err)
4857 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
4858 
4859 	wdev_unlock(wdev);
4860 
4861 	return err;
4862 }
4863 
4864 static int nl80211_get_reg(struct sk_buff *skb, struct genl_info *info)
4865 {
4866 	const struct ieee80211_regdomain *regdom;
4867 	struct sk_buff *msg;
4868 	void *hdr = NULL;
4869 	struct nlattr *nl_reg_rules;
4870 	unsigned int i;
4871 	int err = -EINVAL;
4872 
4873 	mutex_lock(&cfg80211_mutex);
4874 
4875 	if (!cfg80211_regdomain)
4876 		goto out;
4877 
4878 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4879 	if (!msg) {
4880 		err = -ENOBUFS;
4881 		goto out;
4882 	}
4883 
4884 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4885 			     NL80211_CMD_GET_REG);
4886 	if (!hdr)
4887 		goto put_failure;
4888 
4889 	if (reg_last_request_cell_base() &&
4890 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
4891 			NL80211_USER_REG_HINT_CELL_BASE))
4892 		goto nla_put_failure;
4893 
4894 	rcu_read_lock();
4895 	regdom = rcu_dereference(cfg80211_regdomain);
4896 
4897 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
4898 	    (regdom->dfs_region &&
4899 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
4900 		goto nla_put_failure_rcu;
4901 
4902 	nl_reg_rules = nla_nest_start(msg, NL80211_ATTR_REG_RULES);
4903 	if (!nl_reg_rules)
4904 		goto nla_put_failure_rcu;
4905 
4906 	for (i = 0; i < regdom->n_reg_rules; i++) {
4907 		struct nlattr *nl_reg_rule;
4908 		const struct ieee80211_reg_rule *reg_rule;
4909 		const struct ieee80211_freq_range *freq_range;
4910 		const struct ieee80211_power_rule *power_rule;
4911 
4912 		reg_rule = &regdom->reg_rules[i];
4913 		freq_range = &reg_rule->freq_range;
4914 		power_rule = &reg_rule->power_rule;
4915 
4916 		nl_reg_rule = nla_nest_start(msg, i);
4917 		if (!nl_reg_rule)
4918 			goto nla_put_failure_rcu;
4919 
4920 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
4921 				reg_rule->flags) ||
4922 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
4923 				freq_range->start_freq_khz) ||
4924 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
4925 				freq_range->end_freq_khz) ||
4926 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
4927 				freq_range->max_bandwidth_khz) ||
4928 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
4929 				power_rule->max_antenna_gain) ||
4930 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
4931 				power_rule->max_eirp))
4932 			goto nla_put_failure_rcu;
4933 
4934 		nla_nest_end(msg, nl_reg_rule);
4935 	}
4936 	rcu_read_unlock();
4937 
4938 	nla_nest_end(msg, nl_reg_rules);
4939 
4940 	genlmsg_end(msg, hdr);
4941 	err = genlmsg_reply(msg, info);
4942 	goto out;
4943 
4944 nla_put_failure_rcu:
4945 	rcu_read_unlock();
4946 nla_put_failure:
4947 	genlmsg_cancel(msg, hdr);
4948 put_failure:
4949 	nlmsg_free(msg);
4950 	err = -EMSGSIZE;
4951 out:
4952 	mutex_unlock(&cfg80211_mutex);
4953 	return err;
4954 }
4955 
4956 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
4957 {
4958 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
4959 	struct nlattr *nl_reg_rule;
4960 	char *alpha2 = NULL;
4961 	int rem_reg_rules = 0, r = 0;
4962 	u32 num_rules = 0, rule_idx = 0, size_of_regd;
4963 	u8 dfs_region = 0;
4964 	struct ieee80211_regdomain *rd = NULL;
4965 
4966 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
4967 		return -EINVAL;
4968 
4969 	if (!info->attrs[NL80211_ATTR_REG_RULES])
4970 		return -EINVAL;
4971 
4972 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
4973 
4974 	if (info->attrs[NL80211_ATTR_DFS_REGION])
4975 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
4976 
4977 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
4978 			    rem_reg_rules) {
4979 		num_rules++;
4980 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
4981 			return -EINVAL;
4982 	}
4983 
4984 	size_of_regd = sizeof(struct ieee80211_regdomain) +
4985 		       num_rules * sizeof(struct ieee80211_reg_rule);
4986 
4987 	rd = kzalloc(size_of_regd, GFP_KERNEL);
4988 	if (!rd)
4989 		return -ENOMEM;
4990 
4991 	rd->n_reg_rules = num_rules;
4992 	rd->alpha2[0] = alpha2[0];
4993 	rd->alpha2[1] = alpha2[1];
4994 
4995 	/*
4996 	 * Disable DFS master mode if the DFS region was
4997 	 * not supported or known on this kernel.
4998 	 */
4999 	if (reg_supported_dfs_region(dfs_region))
5000 		rd->dfs_region = dfs_region;
5001 
5002 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
5003 			    rem_reg_rules) {
5004 		nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
5005 			  nla_data(nl_reg_rule), nla_len(nl_reg_rule),
5006 			  reg_rule_policy);
5007 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
5008 		if (r)
5009 			goto bad_reg;
5010 
5011 		rule_idx++;
5012 
5013 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
5014 			r = -EINVAL;
5015 			goto bad_reg;
5016 		}
5017 	}
5018 
5019 	mutex_lock(&cfg80211_mutex);
5020 
5021 	r = set_regdom(rd);
5022 	/* set_regdom took ownership */
5023 	rd = NULL;
5024 	mutex_unlock(&cfg80211_mutex);
5025 
5026  bad_reg:
5027 	kfree(rd);
5028 	return r;
5029 }
5030 
5031 static int validate_scan_freqs(struct nlattr *freqs)
5032 {
5033 	struct nlattr *attr1, *attr2;
5034 	int n_channels = 0, tmp1, tmp2;
5035 
5036 	nla_for_each_nested(attr1, freqs, tmp1) {
5037 		n_channels++;
5038 		/*
5039 		 * Some hardware has a limited channel list for
5040 		 * scanning, and it is pretty much nonsensical
5041 		 * to scan for a channel twice, so disallow that
5042 		 * and don't require drivers to check that the
5043 		 * channel list they get isn't longer than what
5044 		 * they can scan, as long as they can scan all
5045 		 * the channels they registered at once.
5046 		 */
5047 		nla_for_each_nested(attr2, freqs, tmp2)
5048 			if (attr1 != attr2 &&
5049 			    nla_get_u32(attr1) == nla_get_u32(attr2))
5050 				return 0;
5051 	}
5052 
5053 	return n_channels;
5054 }
5055 
5056 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
5057 {
5058 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5059 	struct wireless_dev *wdev = info->user_ptr[1];
5060 	struct cfg80211_scan_request *request;
5061 	struct nlattr *attr;
5062 	struct wiphy *wiphy;
5063 	int err, tmp, n_ssids = 0, n_channels, i;
5064 	size_t ie_len;
5065 
5066 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5067 		return -EINVAL;
5068 
5069 	wiphy = &rdev->wiphy;
5070 
5071 	if (!rdev->ops->scan)
5072 		return -EOPNOTSUPP;
5073 
5074 	mutex_lock(&rdev->sched_scan_mtx);
5075 	if (rdev->scan_req) {
5076 		err = -EBUSY;
5077 		goto unlock;
5078 	}
5079 
5080 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5081 		n_channels = validate_scan_freqs(
5082 				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
5083 		if (!n_channels) {
5084 			err = -EINVAL;
5085 			goto unlock;
5086 		}
5087 	} else {
5088 		enum ieee80211_band band;
5089 		n_channels = 0;
5090 
5091 		for (band = 0; band < IEEE80211_NUM_BANDS; band++)
5092 			if (wiphy->bands[band])
5093 				n_channels += wiphy->bands[band]->n_channels;
5094 	}
5095 
5096 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
5097 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
5098 			n_ssids++;
5099 
5100 	if (n_ssids > wiphy->max_scan_ssids) {
5101 		err = -EINVAL;
5102 		goto unlock;
5103 	}
5104 
5105 	if (info->attrs[NL80211_ATTR_IE])
5106 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5107 	else
5108 		ie_len = 0;
5109 
5110 	if (ie_len > wiphy->max_scan_ie_len) {
5111 		err = -EINVAL;
5112 		goto unlock;
5113 	}
5114 
5115 	request = kzalloc(sizeof(*request)
5116 			+ sizeof(*request->ssids) * n_ssids
5117 			+ sizeof(*request->channels) * n_channels
5118 			+ ie_len, GFP_KERNEL);
5119 	if (!request) {
5120 		err = -ENOMEM;
5121 		goto unlock;
5122 	}
5123 
5124 	if (n_ssids)
5125 		request->ssids = (void *)&request->channels[n_channels];
5126 	request->n_ssids = n_ssids;
5127 	if (ie_len) {
5128 		if (request->ssids)
5129 			request->ie = (void *)(request->ssids + n_ssids);
5130 		else
5131 			request->ie = (void *)(request->channels + n_channels);
5132 	}
5133 
5134 	i = 0;
5135 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5136 		/* user specified, bail out if channel not found */
5137 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
5138 			struct ieee80211_channel *chan;
5139 
5140 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
5141 
5142 			if (!chan) {
5143 				err = -EINVAL;
5144 				goto out_free;
5145 			}
5146 
5147 			/* ignore disabled channels */
5148 			if (chan->flags & IEEE80211_CHAN_DISABLED)
5149 				continue;
5150 
5151 			request->channels[i] = chan;
5152 			i++;
5153 		}
5154 	} else {
5155 		enum ieee80211_band band;
5156 
5157 		/* all channels */
5158 		for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
5159 			int j;
5160 			if (!wiphy->bands[band])
5161 				continue;
5162 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
5163 				struct ieee80211_channel *chan;
5164 
5165 				chan = &wiphy->bands[band]->channels[j];
5166 
5167 				if (chan->flags & IEEE80211_CHAN_DISABLED)
5168 					continue;
5169 
5170 				request->channels[i] = chan;
5171 				i++;
5172 			}
5173 		}
5174 	}
5175 
5176 	if (!i) {
5177 		err = -EINVAL;
5178 		goto out_free;
5179 	}
5180 
5181 	request->n_channels = i;
5182 
5183 	i = 0;
5184 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
5185 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
5186 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
5187 				err = -EINVAL;
5188 				goto out_free;
5189 			}
5190 			request->ssids[i].ssid_len = nla_len(attr);
5191 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
5192 			i++;
5193 		}
5194 	}
5195 
5196 	if (info->attrs[NL80211_ATTR_IE]) {
5197 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5198 		memcpy((void *)request->ie,
5199 		       nla_data(info->attrs[NL80211_ATTR_IE]),
5200 		       request->ie_len);
5201 	}
5202 
5203 	for (i = 0; i < IEEE80211_NUM_BANDS; i++)
5204 		if (wiphy->bands[i])
5205 			request->rates[i] =
5206 				(1 << wiphy->bands[i]->n_bitrates) - 1;
5207 
5208 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
5209 		nla_for_each_nested(attr,
5210 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
5211 				    tmp) {
5212 			enum ieee80211_band band = nla_type(attr);
5213 
5214 			if (band < 0 || band >= IEEE80211_NUM_BANDS) {
5215 				err = -EINVAL;
5216 				goto out_free;
5217 			}
5218 			err = ieee80211_get_ratemask(wiphy->bands[band],
5219 						     nla_data(attr),
5220 						     nla_len(attr),
5221 						     &request->rates[band]);
5222 			if (err)
5223 				goto out_free;
5224 		}
5225 	}
5226 
5227 	if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
5228 		request->flags = nla_get_u32(
5229 			info->attrs[NL80211_ATTR_SCAN_FLAGS]);
5230 		if (((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
5231 		     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
5232 		    ((request->flags & NL80211_SCAN_FLAG_FLUSH) &&
5233 		     !(wiphy->features & NL80211_FEATURE_SCAN_FLUSH))) {
5234 			err = -EOPNOTSUPP;
5235 			goto out_free;
5236 		}
5237 	}
5238 
5239 	request->no_cck =
5240 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
5241 
5242 	request->wdev = wdev;
5243 	request->wiphy = &rdev->wiphy;
5244 	request->scan_start = jiffies;
5245 
5246 	rdev->scan_req = request;
5247 	err = rdev_scan(rdev, request);
5248 
5249 	if (!err) {
5250 		nl80211_send_scan_start(rdev, wdev);
5251 		if (wdev->netdev)
5252 			dev_hold(wdev->netdev);
5253 	} else {
5254  out_free:
5255 		rdev->scan_req = NULL;
5256 		kfree(request);
5257 	}
5258 
5259  unlock:
5260 	mutex_unlock(&rdev->sched_scan_mtx);
5261 	return err;
5262 }
5263 
5264 static int nl80211_start_sched_scan(struct sk_buff *skb,
5265 				    struct genl_info *info)
5266 {
5267 	struct cfg80211_sched_scan_request *request;
5268 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5269 	struct net_device *dev = info->user_ptr[1];
5270 	struct nlattr *attr;
5271 	struct wiphy *wiphy;
5272 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i;
5273 	u32 interval;
5274 	enum ieee80211_band band;
5275 	size_t ie_len;
5276 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
5277 
5278 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
5279 	    !rdev->ops->sched_scan_start)
5280 		return -EOPNOTSUPP;
5281 
5282 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5283 		return -EINVAL;
5284 
5285 	if (!info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
5286 		return -EINVAL;
5287 
5288 	interval = nla_get_u32(info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
5289 	if (interval == 0)
5290 		return -EINVAL;
5291 
5292 	wiphy = &rdev->wiphy;
5293 
5294 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5295 		n_channels = validate_scan_freqs(
5296 				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
5297 		if (!n_channels)
5298 			return -EINVAL;
5299 	} else {
5300 		n_channels = 0;
5301 
5302 		for (band = 0; band < IEEE80211_NUM_BANDS; band++)
5303 			if (wiphy->bands[band])
5304 				n_channels += wiphy->bands[band]->n_channels;
5305 	}
5306 
5307 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
5308 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
5309 				    tmp)
5310 			n_ssids++;
5311 
5312 	if (n_ssids > wiphy->max_sched_scan_ssids)
5313 		return -EINVAL;
5314 
5315 	if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH])
5316 		nla_for_each_nested(attr,
5317 				    info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
5318 				    tmp)
5319 			n_match_sets++;
5320 
5321 	if (n_match_sets > wiphy->max_match_sets)
5322 		return -EINVAL;
5323 
5324 	if (info->attrs[NL80211_ATTR_IE])
5325 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5326 	else
5327 		ie_len = 0;
5328 
5329 	if (ie_len > wiphy->max_sched_scan_ie_len)
5330 		return -EINVAL;
5331 
5332 	mutex_lock(&rdev->sched_scan_mtx);
5333 
5334 	if (rdev->sched_scan_req) {
5335 		err = -EINPROGRESS;
5336 		goto out;
5337 	}
5338 
5339 	request = kzalloc(sizeof(*request)
5340 			+ sizeof(*request->ssids) * n_ssids
5341 			+ sizeof(*request->match_sets) * n_match_sets
5342 			+ sizeof(*request->channels) * n_channels
5343 			+ ie_len, GFP_KERNEL);
5344 	if (!request) {
5345 		err = -ENOMEM;
5346 		goto out;
5347 	}
5348 
5349 	if (n_ssids)
5350 		request->ssids = (void *)&request->channels[n_channels];
5351 	request->n_ssids = n_ssids;
5352 	if (ie_len) {
5353 		if (request->ssids)
5354 			request->ie = (void *)(request->ssids + n_ssids);
5355 		else
5356 			request->ie = (void *)(request->channels + n_channels);
5357 	}
5358 
5359 	if (n_match_sets) {
5360 		if (request->ie)
5361 			request->match_sets = (void *)(request->ie + ie_len);
5362 		else if (request->ssids)
5363 			request->match_sets =
5364 				(void *)(request->ssids + n_ssids);
5365 		else
5366 			request->match_sets =
5367 				(void *)(request->channels + n_channels);
5368 	}
5369 	request->n_match_sets = n_match_sets;
5370 
5371 	i = 0;
5372 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5373 		/* user specified, bail out if channel not found */
5374 		nla_for_each_nested(attr,
5375 				    info->attrs[NL80211_ATTR_SCAN_FREQUENCIES],
5376 				    tmp) {
5377 			struct ieee80211_channel *chan;
5378 
5379 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
5380 
5381 			if (!chan) {
5382 				err = -EINVAL;
5383 				goto out_free;
5384 			}
5385 
5386 			/* ignore disabled channels */
5387 			if (chan->flags & IEEE80211_CHAN_DISABLED)
5388 				continue;
5389 
5390 			request->channels[i] = chan;
5391 			i++;
5392 		}
5393 	} else {
5394 		/* all channels */
5395 		for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
5396 			int j;
5397 			if (!wiphy->bands[band])
5398 				continue;
5399 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
5400 				struct ieee80211_channel *chan;
5401 
5402 				chan = &wiphy->bands[band]->channels[j];
5403 
5404 				if (chan->flags & IEEE80211_CHAN_DISABLED)
5405 					continue;
5406 
5407 				request->channels[i] = chan;
5408 				i++;
5409 			}
5410 		}
5411 	}
5412 
5413 	if (!i) {
5414 		err = -EINVAL;
5415 		goto out_free;
5416 	}
5417 
5418 	request->n_channels = i;
5419 
5420 	i = 0;
5421 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
5422 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
5423 				    tmp) {
5424 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
5425 				err = -EINVAL;
5426 				goto out_free;
5427 			}
5428 			request->ssids[i].ssid_len = nla_len(attr);
5429 			memcpy(request->ssids[i].ssid, nla_data(attr),
5430 			       nla_len(attr));
5431 			i++;
5432 		}
5433 	}
5434 
5435 	i = 0;
5436 	if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
5437 		nla_for_each_nested(attr,
5438 				    info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
5439 				    tmp) {
5440 			struct nlattr *ssid, *rssi;
5441 
5442 			nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
5443 				  nla_data(attr), nla_len(attr),
5444 				  nl80211_match_policy);
5445 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
5446 			if (ssid) {
5447 				if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
5448 					err = -EINVAL;
5449 					goto out_free;
5450 				}
5451 				memcpy(request->match_sets[i].ssid.ssid,
5452 				       nla_data(ssid), nla_len(ssid));
5453 				request->match_sets[i].ssid.ssid_len =
5454 					nla_len(ssid);
5455 			}
5456 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
5457 			if (rssi)
5458 				request->rssi_thold = nla_get_u32(rssi);
5459 			else
5460 				request->rssi_thold =
5461 						   NL80211_SCAN_RSSI_THOLD_OFF;
5462 			i++;
5463 		}
5464 	}
5465 
5466 	if (info->attrs[NL80211_ATTR_IE]) {
5467 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5468 		memcpy((void *)request->ie,
5469 		       nla_data(info->attrs[NL80211_ATTR_IE]),
5470 		       request->ie_len);
5471 	}
5472 
5473 	if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
5474 		request->flags = nla_get_u32(
5475 			info->attrs[NL80211_ATTR_SCAN_FLAGS]);
5476 		if (((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
5477 		     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
5478 		    ((request->flags & NL80211_SCAN_FLAG_FLUSH) &&
5479 		     !(wiphy->features & NL80211_FEATURE_SCAN_FLUSH))) {
5480 			err = -EOPNOTSUPP;
5481 			goto out_free;
5482 		}
5483 	}
5484 
5485 	request->dev = dev;
5486 	request->wiphy = &rdev->wiphy;
5487 	request->interval = interval;
5488 	request->scan_start = jiffies;
5489 
5490 	err = rdev_sched_scan_start(rdev, dev, request);
5491 	if (!err) {
5492 		rdev->sched_scan_req = request;
5493 		nl80211_send_sched_scan(rdev, dev,
5494 					NL80211_CMD_START_SCHED_SCAN);
5495 		goto out;
5496 	}
5497 
5498 out_free:
5499 	kfree(request);
5500 out:
5501 	mutex_unlock(&rdev->sched_scan_mtx);
5502 	return err;
5503 }
5504 
5505 static int nl80211_stop_sched_scan(struct sk_buff *skb,
5506 				   struct genl_info *info)
5507 {
5508 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5509 	int err;
5510 
5511 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
5512 	    !rdev->ops->sched_scan_stop)
5513 		return -EOPNOTSUPP;
5514 
5515 	mutex_lock(&rdev->sched_scan_mtx);
5516 	err = __cfg80211_stop_sched_scan(rdev, false);
5517 	mutex_unlock(&rdev->sched_scan_mtx);
5518 
5519 	return err;
5520 }
5521 
5522 static int nl80211_start_radar_detection(struct sk_buff *skb,
5523 					 struct genl_info *info)
5524 {
5525 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5526 	struct net_device *dev = info->user_ptr[1];
5527 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5528 	struct cfg80211_chan_def chandef;
5529 	int err;
5530 
5531 	err = nl80211_parse_chandef(rdev, info, &chandef);
5532 	if (err)
5533 		return err;
5534 
5535 	if (wdev->cac_started)
5536 		return -EBUSY;
5537 
5538 	err = cfg80211_chandef_dfs_required(wdev->wiphy, &chandef);
5539 	if (err < 0)
5540 		return err;
5541 
5542 	if (err == 0)
5543 		return -EINVAL;
5544 
5545 	if (chandef.chan->dfs_state != NL80211_DFS_USABLE)
5546 		return -EINVAL;
5547 
5548 	if (!rdev->ops->start_radar_detection)
5549 		return -EOPNOTSUPP;
5550 
5551 	mutex_lock(&rdev->devlist_mtx);
5552 	err = cfg80211_can_use_iftype_chan(rdev, wdev, wdev->iftype,
5553 					   chandef.chan, CHAN_MODE_SHARED,
5554 					   BIT(chandef.width));
5555 	if (err)
5556 		goto err_locked;
5557 
5558 	err = rdev->ops->start_radar_detection(&rdev->wiphy, dev, &chandef);
5559 	if (!err) {
5560 		wdev->channel = chandef.chan;
5561 		wdev->cac_started = true;
5562 		wdev->cac_start_time = jiffies;
5563 	}
5564 err_locked:
5565 	mutex_unlock(&rdev->devlist_mtx);
5566 
5567 	return err;
5568 }
5569 
5570 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
5571 			    u32 seq, int flags,
5572 			    struct cfg80211_registered_device *rdev,
5573 			    struct wireless_dev *wdev,
5574 			    struct cfg80211_internal_bss *intbss)
5575 {
5576 	struct cfg80211_bss *res = &intbss->pub;
5577 	const struct cfg80211_bss_ies *ies;
5578 	void *hdr;
5579 	struct nlattr *bss;
5580 	bool tsf = false;
5581 
5582 	ASSERT_WDEV_LOCK(wdev);
5583 
5584 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
5585 			     NL80211_CMD_NEW_SCAN_RESULTS);
5586 	if (!hdr)
5587 		return -1;
5588 
5589 	genl_dump_check_consistent(cb, hdr, &nl80211_fam);
5590 
5591 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
5592 		goto nla_put_failure;
5593 	if (wdev->netdev &&
5594 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
5595 		goto nla_put_failure;
5596 	if (nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
5597 		goto nla_put_failure;
5598 
5599 	bss = nla_nest_start(msg, NL80211_ATTR_BSS);
5600 	if (!bss)
5601 		goto nla_put_failure;
5602 	if ((!is_zero_ether_addr(res->bssid) &&
5603 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
5604 		goto nla_put_failure;
5605 
5606 	rcu_read_lock();
5607 	ies = rcu_dereference(res->ies);
5608 	if (ies) {
5609 		if (nla_put_u64(msg, NL80211_BSS_TSF, ies->tsf))
5610 			goto fail_unlock_rcu;
5611 		tsf = true;
5612 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
5613 					ies->len, ies->data))
5614 			goto fail_unlock_rcu;
5615 	}
5616 	ies = rcu_dereference(res->beacon_ies);
5617 	if (ies) {
5618 		if (!tsf && nla_put_u64(msg, NL80211_BSS_TSF, ies->tsf))
5619 			goto fail_unlock_rcu;
5620 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
5621 					ies->len, ies->data))
5622 			goto fail_unlock_rcu;
5623 	}
5624 	rcu_read_unlock();
5625 
5626 	if (res->beacon_interval &&
5627 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
5628 		goto nla_put_failure;
5629 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
5630 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
5631 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
5632 			jiffies_to_msecs(jiffies - intbss->ts)))
5633 		goto nla_put_failure;
5634 
5635 	switch (rdev->wiphy.signal_type) {
5636 	case CFG80211_SIGNAL_TYPE_MBM:
5637 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
5638 			goto nla_put_failure;
5639 		break;
5640 	case CFG80211_SIGNAL_TYPE_UNSPEC:
5641 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
5642 			goto nla_put_failure;
5643 		break;
5644 	default:
5645 		break;
5646 	}
5647 
5648 	switch (wdev->iftype) {
5649 	case NL80211_IFTYPE_P2P_CLIENT:
5650 	case NL80211_IFTYPE_STATION:
5651 		if (intbss == wdev->current_bss &&
5652 		    nla_put_u32(msg, NL80211_BSS_STATUS,
5653 				NL80211_BSS_STATUS_ASSOCIATED))
5654 			goto nla_put_failure;
5655 		break;
5656 	case NL80211_IFTYPE_ADHOC:
5657 		if (intbss == wdev->current_bss &&
5658 		    nla_put_u32(msg, NL80211_BSS_STATUS,
5659 				NL80211_BSS_STATUS_IBSS_JOINED))
5660 			goto nla_put_failure;
5661 		break;
5662 	default:
5663 		break;
5664 	}
5665 
5666 	nla_nest_end(msg, bss);
5667 
5668 	return genlmsg_end(msg, hdr);
5669 
5670  fail_unlock_rcu:
5671 	rcu_read_unlock();
5672  nla_put_failure:
5673 	genlmsg_cancel(msg, hdr);
5674 	return -EMSGSIZE;
5675 }
5676 
5677 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
5678 {
5679 	struct cfg80211_registered_device *rdev;
5680 	struct cfg80211_internal_bss *scan;
5681 	struct wireless_dev *wdev;
5682 	int start = cb->args[2], idx = 0;
5683 	int err;
5684 
5685 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
5686 	if (err)
5687 		return err;
5688 
5689 	wdev_lock(wdev);
5690 	spin_lock_bh(&rdev->bss_lock);
5691 	cfg80211_bss_expire(rdev);
5692 
5693 	cb->seq = rdev->bss_generation;
5694 
5695 	list_for_each_entry(scan, &rdev->bss_list, list) {
5696 		if (++idx <= start)
5697 			continue;
5698 		if (nl80211_send_bss(skb, cb,
5699 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
5700 				rdev, wdev, scan) < 0) {
5701 			idx--;
5702 			break;
5703 		}
5704 	}
5705 
5706 	spin_unlock_bh(&rdev->bss_lock);
5707 	wdev_unlock(wdev);
5708 
5709 	cb->args[2] = idx;
5710 	nl80211_finish_wdev_dump(rdev);
5711 
5712 	return skb->len;
5713 }
5714 
5715 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
5716 				int flags, struct net_device *dev,
5717 				struct survey_info *survey)
5718 {
5719 	void *hdr;
5720 	struct nlattr *infoattr;
5721 
5722 	hdr = nl80211hdr_put(msg, portid, seq, flags,
5723 			     NL80211_CMD_NEW_SURVEY_RESULTS);
5724 	if (!hdr)
5725 		return -ENOMEM;
5726 
5727 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
5728 		goto nla_put_failure;
5729 
5730 	infoattr = nla_nest_start(msg, NL80211_ATTR_SURVEY_INFO);
5731 	if (!infoattr)
5732 		goto nla_put_failure;
5733 
5734 	if (nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
5735 			survey->channel->center_freq))
5736 		goto nla_put_failure;
5737 
5738 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
5739 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
5740 		goto nla_put_failure;
5741 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
5742 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
5743 		goto nla_put_failure;
5744 	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME) &&
5745 	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME,
5746 			survey->channel_time))
5747 		goto nla_put_failure;
5748 	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_BUSY) &&
5749 	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_BUSY,
5750 			survey->channel_time_busy))
5751 		goto nla_put_failure;
5752 	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_EXT_BUSY) &&
5753 	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_EXT_BUSY,
5754 			survey->channel_time_ext_busy))
5755 		goto nla_put_failure;
5756 	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_RX) &&
5757 	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_RX,
5758 			survey->channel_time_rx))
5759 		goto nla_put_failure;
5760 	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_TX) &&
5761 	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_TX,
5762 			survey->channel_time_tx))
5763 		goto nla_put_failure;
5764 
5765 	nla_nest_end(msg, infoattr);
5766 
5767 	return genlmsg_end(msg, hdr);
5768 
5769  nla_put_failure:
5770 	genlmsg_cancel(msg, hdr);
5771 	return -EMSGSIZE;
5772 }
5773 
5774 static int nl80211_dump_survey(struct sk_buff *skb,
5775 			struct netlink_callback *cb)
5776 {
5777 	struct survey_info survey;
5778 	struct cfg80211_registered_device *dev;
5779 	struct wireless_dev *wdev;
5780 	int survey_idx = cb->args[2];
5781 	int res;
5782 
5783 	res = nl80211_prepare_wdev_dump(skb, cb, &dev, &wdev);
5784 	if (res)
5785 		return res;
5786 
5787 	if (!wdev->netdev) {
5788 		res = -EINVAL;
5789 		goto out_err;
5790 	}
5791 
5792 	if (!dev->ops->dump_survey) {
5793 		res = -EOPNOTSUPP;
5794 		goto out_err;
5795 	}
5796 
5797 	while (1) {
5798 		struct ieee80211_channel *chan;
5799 
5800 		res = rdev_dump_survey(dev, wdev->netdev, survey_idx, &survey);
5801 		if (res == -ENOENT)
5802 			break;
5803 		if (res)
5804 			goto out_err;
5805 
5806 		/* Survey without a channel doesn't make sense */
5807 		if (!survey.channel) {
5808 			res = -EINVAL;
5809 			goto out;
5810 		}
5811 
5812 		chan = ieee80211_get_channel(&dev->wiphy,
5813 					     survey.channel->center_freq);
5814 		if (!chan || chan->flags & IEEE80211_CHAN_DISABLED) {
5815 			survey_idx++;
5816 			continue;
5817 		}
5818 
5819 		if (nl80211_send_survey(skb,
5820 				NETLINK_CB(cb->skb).portid,
5821 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
5822 				wdev->netdev, &survey) < 0)
5823 			goto out;
5824 		survey_idx++;
5825 	}
5826 
5827  out:
5828 	cb->args[2] = survey_idx;
5829 	res = skb->len;
5830  out_err:
5831 	nl80211_finish_wdev_dump(dev);
5832 	return res;
5833 }
5834 
5835 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
5836 {
5837 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
5838 				  NL80211_WPA_VERSION_2));
5839 }
5840 
5841 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
5842 {
5843 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5844 	struct net_device *dev = info->user_ptr[1];
5845 	struct ieee80211_channel *chan;
5846 	const u8 *bssid, *ssid, *ie = NULL, *sae_data = NULL;
5847 	int err, ssid_len, ie_len = 0, sae_data_len = 0;
5848 	enum nl80211_auth_type auth_type;
5849 	struct key_parse key;
5850 	bool local_state_change;
5851 
5852 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5853 		return -EINVAL;
5854 
5855 	if (!info->attrs[NL80211_ATTR_MAC])
5856 		return -EINVAL;
5857 
5858 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
5859 		return -EINVAL;
5860 
5861 	if (!info->attrs[NL80211_ATTR_SSID])
5862 		return -EINVAL;
5863 
5864 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
5865 		return -EINVAL;
5866 
5867 	err = nl80211_parse_key(info, &key);
5868 	if (err)
5869 		return err;
5870 
5871 	if (key.idx >= 0) {
5872 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
5873 			return -EINVAL;
5874 		if (!key.p.key || !key.p.key_len)
5875 			return -EINVAL;
5876 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
5877 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
5878 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
5879 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
5880 			return -EINVAL;
5881 		if (key.idx > 4)
5882 			return -EINVAL;
5883 	} else {
5884 		key.p.key_len = 0;
5885 		key.p.key = NULL;
5886 	}
5887 
5888 	if (key.idx >= 0) {
5889 		int i;
5890 		bool ok = false;
5891 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
5892 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
5893 				ok = true;
5894 				break;
5895 			}
5896 		}
5897 		if (!ok)
5898 			return -EINVAL;
5899 	}
5900 
5901 	if (!rdev->ops->auth)
5902 		return -EOPNOTSUPP;
5903 
5904 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5905 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5906 		return -EOPNOTSUPP;
5907 
5908 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5909 	chan = ieee80211_get_channel(&rdev->wiphy,
5910 		nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
5911 	if (!chan || (chan->flags & IEEE80211_CHAN_DISABLED))
5912 		return -EINVAL;
5913 
5914 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5915 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
5916 
5917 	if (info->attrs[NL80211_ATTR_IE]) {
5918 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5919 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5920 	}
5921 
5922 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
5923 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
5924 		return -EINVAL;
5925 
5926 	if (auth_type == NL80211_AUTHTYPE_SAE &&
5927 	    !info->attrs[NL80211_ATTR_SAE_DATA])
5928 		return -EINVAL;
5929 
5930 	if (info->attrs[NL80211_ATTR_SAE_DATA]) {
5931 		if (auth_type != NL80211_AUTHTYPE_SAE)
5932 			return -EINVAL;
5933 		sae_data = nla_data(info->attrs[NL80211_ATTR_SAE_DATA]);
5934 		sae_data_len = nla_len(info->attrs[NL80211_ATTR_SAE_DATA]);
5935 		/* need to include at least Auth Transaction and Status Code */
5936 		if (sae_data_len < 4)
5937 			return -EINVAL;
5938 	}
5939 
5940 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
5941 
5942 	/*
5943 	 * Since we no longer track auth state, ignore
5944 	 * requests to only change local state.
5945 	 */
5946 	if (local_state_change)
5947 		return 0;
5948 
5949 	return cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
5950 				  ssid, ssid_len, ie, ie_len,
5951 				  key.p.key, key.p.key_len, key.idx,
5952 				  sae_data, sae_data_len);
5953 }
5954 
5955 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
5956 				   struct genl_info *info,
5957 				   struct cfg80211_crypto_settings *settings,
5958 				   int cipher_limit)
5959 {
5960 	memset(settings, 0, sizeof(*settings));
5961 
5962 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
5963 
5964 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
5965 		u16 proto;
5966 		proto = nla_get_u16(
5967 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
5968 		settings->control_port_ethertype = cpu_to_be16(proto);
5969 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
5970 		    proto != ETH_P_PAE)
5971 			return -EINVAL;
5972 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
5973 			settings->control_port_no_encrypt = true;
5974 	} else
5975 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
5976 
5977 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
5978 		void *data;
5979 		int len, i;
5980 
5981 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
5982 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
5983 		settings->n_ciphers_pairwise = len / sizeof(u32);
5984 
5985 		if (len % sizeof(u32))
5986 			return -EINVAL;
5987 
5988 		if (settings->n_ciphers_pairwise > cipher_limit)
5989 			return -EINVAL;
5990 
5991 		memcpy(settings->ciphers_pairwise, data, len);
5992 
5993 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
5994 			if (!cfg80211_supported_cipher_suite(
5995 					&rdev->wiphy,
5996 					settings->ciphers_pairwise[i]))
5997 				return -EINVAL;
5998 	}
5999 
6000 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
6001 		settings->cipher_group =
6002 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
6003 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
6004 						     settings->cipher_group))
6005 			return -EINVAL;
6006 	}
6007 
6008 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
6009 		settings->wpa_versions =
6010 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
6011 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
6012 			return -EINVAL;
6013 	}
6014 
6015 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
6016 		void *data;
6017 		int len;
6018 
6019 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
6020 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
6021 		settings->n_akm_suites = len / sizeof(u32);
6022 
6023 		if (len % sizeof(u32))
6024 			return -EINVAL;
6025 
6026 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
6027 			return -EINVAL;
6028 
6029 		memcpy(settings->akm_suites, data, len);
6030 	}
6031 
6032 	return 0;
6033 }
6034 
6035 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
6036 {
6037 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6038 	struct net_device *dev = info->user_ptr[1];
6039 	struct ieee80211_channel *chan;
6040 	struct cfg80211_assoc_request req = {};
6041 	const u8 *bssid, *ssid;
6042 	int err, ssid_len = 0;
6043 
6044 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6045 		return -EINVAL;
6046 
6047 	if (!info->attrs[NL80211_ATTR_MAC] ||
6048 	    !info->attrs[NL80211_ATTR_SSID] ||
6049 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
6050 		return -EINVAL;
6051 
6052 	if (!rdev->ops->assoc)
6053 		return -EOPNOTSUPP;
6054 
6055 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6056 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6057 		return -EOPNOTSUPP;
6058 
6059 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6060 
6061 	chan = ieee80211_get_channel(&rdev->wiphy,
6062 		nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
6063 	if (!chan || (chan->flags & IEEE80211_CHAN_DISABLED))
6064 		return -EINVAL;
6065 
6066 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6067 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
6068 
6069 	if (info->attrs[NL80211_ATTR_IE]) {
6070 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6071 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6072 	}
6073 
6074 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
6075 		enum nl80211_mfp mfp =
6076 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
6077 		if (mfp == NL80211_MFP_REQUIRED)
6078 			req.use_mfp = true;
6079 		else if (mfp != NL80211_MFP_NO)
6080 			return -EINVAL;
6081 	}
6082 
6083 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
6084 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
6085 
6086 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
6087 		req.flags |= ASSOC_REQ_DISABLE_HT;
6088 
6089 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
6090 		memcpy(&req.ht_capa_mask,
6091 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
6092 		       sizeof(req.ht_capa_mask));
6093 
6094 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
6095 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
6096 			return -EINVAL;
6097 		memcpy(&req.ht_capa,
6098 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
6099 		       sizeof(req.ht_capa));
6100 	}
6101 
6102 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
6103 		req.flags |= ASSOC_REQ_DISABLE_VHT;
6104 
6105 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
6106 		memcpy(&req.vht_capa_mask,
6107 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
6108 		       sizeof(req.vht_capa_mask));
6109 
6110 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
6111 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
6112 			return -EINVAL;
6113 		memcpy(&req.vht_capa,
6114 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
6115 		       sizeof(req.vht_capa));
6116 	}
6117 
6118 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
6119 	if (!err)
6120 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
6121 					  ssid, ssid_len, &req);
6122 
6123 	return err;
6124 }
6125 
6126 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
6127 {
6128 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6129 	struct net_device *dev = info->user_ptr[1];
6130 	const u8 *ie = NULL, *bssid;
6131 	int ie_len = 0;
6132 	u16 reason_code;
6133 	bool local_state_change;
6134 
6135 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6136 		return -EINVAL;
6137 
6138 	if (!info->attrs[NL80211_ATTR_MAC])
6139 		return -EINVAL;
6140 
6141 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
6142 		return -EINVAL;
6143 
6144 	if (!rdev->ops->deauth)
6145 		return -EOPNOTSUPP;
6146 
6147 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6148 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6149 		return -EOPNOTSUPP;
6150 
6151 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6152 
6153 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
6154 	if (reason_code == 0) {
6155 		/* Reason Code 0 is reserved */
6156 		return -EINVAL;
6157 	}
6158 
6159 	if (info->attrs[NL80211_ATTR_IE]) {
6160 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6161 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6162 	}
6163 
6164 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
6165 
6166 	return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
6167 				    local_state_change);
6168 }
6169 
6170 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
6171 {
6172 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6173 	struct net_device *dev = info->user_ptr[1];
6174 	const u8 *ie = NULL, *bssid;
6175 	int ie_len = 0;
6176 	u16 reason_code;
6177 	bool local_state_change;
6178 
6179 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6180 		return -EINVAL;
6181 
6182 	if (!info->attrs[NL80211_ATTR_MAC])
6183 		return -EINVAL;
6184 
6185 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
6186 		return -EINVAL;
6187 
6188 	if (!rdev->ops->disassoc)
6189 		return -EOPNOTSUPP;
6190 
6191 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6192 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6193 		return -EOPNOTSUPP;
6194 
6195 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6196 
6197 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
6198 	if (reason_code == 0) {
6199 		/* Reason Code 0 is reserved */
6200 		return -EINVAL;
6201 	}
6202 
6203 	if (info->attrs[NL80211_ATTR_IE]) {
6204 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6205 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6206 	}
6207 
6208 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
6209 
6210 	return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
6211 				      local_state_change);
6212 }
6213 
6214 static bool
6215 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
6216 			 int mcast_rate[IEEE80211_NUM_BANDS],
6217 			 int rateval)
6218 {
6219 	struct wiphy *wiphy = &rdev->wiphy;
6220 	bool found = false;
6221 	int band, i;
6222 
6223 	for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
6224 		struct ieee80211_supported_band *sband;
6225 
6226 		sband = wiphy->bands[band];
6227 		if (!sband)
6228 			continue;
6229 
6230 		for (i = 0; i < sband->n_bitrates; i++) {
6231 			if (sband->bitrates[i].bitrate == rateval) {
6232 				mcast_rate[band] = i + 1;
6233 				found = true;
6234 				break;
6235 			}
6236 		}
6237 	}
6238 
6239 	return found;
6240 }
6241 
6242 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
6243 {
6244 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6245 	struct net_device *dev = info->user_ptr[1];
6246 	struct cfg80211_ibss_params ibss;
6247 	struct wiphy *wiphy;
6248 	struct cfg80211_cached_keys *connkeys = NULL;
6249 	int err;
6250 
6251 	memset(&ibss, 0, sizeof(ibss));
6252 
6253 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6254 		return -EINVAL;
6255 
6256 	if (!info->attrs[NL80211_ATTR_SSID] ||
6257 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
6258 		return -EINVAL;
6259 
6260 	ibss.beacon_interval = 100;
6261 
6262 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
6263 		ibss.beacon_interval =
6264 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
6265 		if (ibss.beacon_interval < 1 || ibss.beacon_interval > 10000)
6266 			return -EINVAL;
6267 	}
6268 
6269 	if (!rdev->ops->join_ibss)
6270 		return -EOPNOTSUPP;
6271 
6272 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
6273 		return -EOPNOTSUPP;
6274 
6275 	wiphy = &rdev->wiphy;
6276 
6277 	if (info->attrs[NL80211_ATTR_MAC]) {
6278 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6279 
6280 		if (!is_valid_ether_addr(ibss.bssid))
6281 			return -EINVAL;
6282 	}
6283 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6284 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
6285 
6286 	if (info->attrs[NL80211_ATTR_IE]) {
6287 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6288 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6289 	}
6290 
6291 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
6292 	if (err)
6293 		return err;
6294 
6295 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef))
6296 		return -EINVAL;
6297 
6298 	if (ibss.chandef.width > NL80211_CHAN_WIDTH_40)
6299 		return -EINVAL;
6300 	if (ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
6301 	    !(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
6302 		return -EINVAL;
6303 
6304 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
6305 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
6306 
6307 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
6308 		u8 *rates =
6309 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6310 		int n_rates =
6311 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6312 		struct ieee80211_supported_band *sband =
6313 			wiphy->bands[ibss.chandef.chan->band];
6314 
6315 		err = ieee80211_get_ratemask(sband, rates, n_rates,
6316 					     &ibss.basic_rates);
6317 		if (err)
6318 			return err;
6319 	}
6320 
6321 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
6322 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
6323 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
6324 		return -EINVAL;
6325 
6326 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
6327 		bool no_ht = false;
6328 
6329 		connkeys = nl80211_parse_connkeys(rdev,
6330 					  info->attrs[NL80211_ATTR_KEYS],
6331 					  &no_ht);
6332 		if (IS_ERR(connkeys))
6333 			return PTR_ERR(connkeys);
6334 
6335 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
6336 		    no_ht) {
6337 			kfree(connkeys);
6338 			return -EINVAL;
6339 		}
6340 	}
6341 
6342 	ibss.control_port =
6343 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
6344 
6345 	err = cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
6346 	if (err)
6347 		kfree(connkeys);
6348 	return err;
6349 }
6350 
6351 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
6352 {
6353 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6354 	struct net_device *dev = info->user_ptr[1];
6355 
6356 	if (!rdev->ops->leave_ibss)
6357 		return -EOPNOTSUPP;
6358 
6359 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
6360 		return -EOPNOTSUPP;
6361 
6362 	return cfg80211_leave_ibss(rdev, dev, false);
6363 }
6364 
6365 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
6366 {
6367 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6368 	struct net_device *dev = info->user_ptr[1];
6369 	int mcast_rate[IEEE80211_NUM_BANDS];
6370 	u32 nla_rate;
6371 	int err;
6372 
6373 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
6374 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6375 		return -EOPNOTSUPP;
6376 
6377 	if (!rdev->ops->set_mcast_rate)
6378 		return -EOPNOTSUPP;
6379 
6380 	memset(mcast_rate, 0, sizeof(mcast_rate));
6381 
6382 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
6383 		return -EINVAL;
6384 
6385 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
6386 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
6387 		return -EINVAL;
6388 
6389 	err = rdev->ops->set_mcast_rate(&rdev->wiphy, dev, mcast_rate);
6390 
6391 	return err;
6392 }
6393 
6394 
6395 #ifdef CONFIG_NL80211_TESTMODE
6396 static struct genl_multicast_group nl80211_testmode_mcgrp = {
6397 	.name = "testmode",
6398 };
6399 
6400 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
6401 {
6402 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6403 	int err;
6404 
6405 	if (!info->attrs[NL80211_ATTR_TESTDATA])
6406 		return -EINVAL;
6407 
6408 	err = -EOPNOTSUPP;
6409 	if (rdev->ops->testmode_cmd) {
6410 		rdev->testmode_info = info;
6411 		err = rdev_testmode_cmd(rdev,
6412 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
6413 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
6414 		rdev->testmode_info = NULL;
6415 	}
6416 
6417 	return err;
6418 }
6419 
6420 static int nl80211_testmode_dump(struct sk_buff *skb,
6421 				 struct netlink_callback *cb)
6422 {
6423 	struct cfg80211_registered_device *rdev;
6424 	int err;
6425 	long phy_idx;
6426 	void *data = NULL;
6427 	int data_len = 0;
6428 
6429 	if (cb->args[0]) {
6430 		/*
6431 		 * 0 is a valid index, but not valid for args[0],
6432 		 * so we need to offset by 1.
6433 		 */
6434 		phy_idx = cb->args[0] - 1;
6435 	} else {
6436 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
6437 				  nl80211_fam.attrbuf, nl80211_fam.maxattr,
6438 				  nl80211_policy);
6439 		if (err)
6440 			return err;
6441 
6442 		mutex_lock(&cfg80211_mutex);
6443 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk),
6444 						  nl80211_fam.attrbuf);
6445 		if (IS_ERR(rdev)) {
6446 			mutex_unlock(&cfg80211_mutex);
6447 			return PTR_ERR(rdev);
6448 		}
6449 		phy_idx = rdev->wiphy_idx;
6450 		rdev = NULL;
6451 		mutex_unlock(&cfg80211_mutex);
6452 
6453 		if (nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA])
6454 			cb->args[1] =
6455 				(long)nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA];
6456 	}
6457 
6458 	if (cb->args[1]) {
6459 		data = nla_data((void *)cb->args[1]);
6460 		data_len = nla_len((void *)cb->args[1]);
6461 	}
6462 
6463 	mutex_lock(&cfg80211_mutex);
6464 	rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
6465 	if (!rdev) {
6466 		mutex_unlock(&cfg80211_mutex);
6467 		return -ENOENT;
6468 	}
6469 	cfg80211_lock_rdev(rdev);
6470 	mutex_unlock(&cfg80211_mutex);
6471 
6472 	if (!rdev->ops->testmode_dump) {
6473 		err = -EOPNOTSUPP;
6474 		goto out_err;
6475 	}
6476 
6477 	while (1) {
6478 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
6479 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
6480 					   NL80211_CMD_TESTMODE);
6481 		struct nlattr *tmdata;
6482 
6483 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
6484 			genlmsg_cancel(skb, hdr);
6485 			break;
6486 		}
6487 
6488 		tmdata = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
6489 		if (!tmdata) {
6490 			genlmsg_cancel(skb, hdr);
6491 			break;
6492 		}
6493 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
6494 		nla_nest_end(skb, tmdata);
6495 
6496 		if (err == -ENOBUFS || err == -ENOENT) {
6497 			genlmsg_cancel(skb, hdr);
6498 			break;
6499 		} else if (err) {
6500 			genlmsg_cancel(skb, hdr);
6501 			goto out_err;
6502 		}
6503 
6504 		genlmsg_end(skb, hdr);
6505 	}
6506 
6507 	err = skb->len;
6508 	/* see above */
6509 	cb->args[0] = phy_idx + 1;
6510  out_err:
6511 	cfg80211_unlock_rdev(rdev);
6512 	return err;
6513 }
6514 
6515 static struct sk_buff *
6516 __cfg80211_testmode_alloc_skb(struct cfg80211_registered_device *rdev,
6517 			      int approxlen, u32 portid, u32 seq, gfp_t gfp)
6518 {
6519 	struct sk_buff *skb;
6520 	void *hdr;
6521 	struct nlattr *data;
6522 
6523 	skb = nlmsg_new(approxlen + 100, gfp);
6524 	if (!skb)
6525 		return NULL;
6526 
6527 	hdr = nl80211hdr_put(skb, portid, seq, 0, NL80211_CMD_TESTMODE);
6528 	if (!hdr) {
6529 		kfree_skb(skb);
6530 		return NULL;
6531 	}
6532 
6533 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
6534 		goto nla_put_failure;
6535 	data = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
6536 
6537 	((void **)skb->cb)[0] = rdev;
6538 	((void **)skb->cb)[1] = hdr;
6539 	((void **)skb->cb)[2] = data;
6540 
6541 	return skb;
6542 
6543  nla_put_failure:
6544 	kfree_skb(skb);
6545 	return NULL;
6546 }
6547 
6548 struct sk_buff *cfg80211_testmode_alloc_reply_skb(struct wiphy *wiphy,
6549 						  int approxlen)
6550 {
6551 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
6552 
6553 	if (WARN_ON(!rdev->testmode_info))
6554 		return NULL;
6555 
6556 	return __cfg80211_testmode_alloc_skb(rdev, approxlen,
6557 				rdev->testmode_info->snd_portid,
6558 				rdev->testmode_info->snd_seq,
6559 				GFP_KERNEL);
6560 }
6561 EXPORT_SYMBOL(cfg80211_testmode_alloc_reply_skb);
6562 
6563 int cfg80211_testmode_reply(struct sk_buff *skb)
6564 {
6565 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
6566 	void *hdr = ((void **)skb->cb)[1];
6567 	struct nlattr *data = ((void **)skb->cb)[2];
6568 
6569 	if (WARN_ON(!rdev->testmode_info)) {
6570 		kfree_skb(skb);
6571 		return -EINVAL;
6572 	}
6573 
6574 	nla_nest_end(skb, data);
6575 	genlmsg_end(skb, hdr);
6576 	return genlmsg_reply(skb, rdev->testmode_info);
6577 }
6578 EXPORT_SYMBOL(cfg80211_testmode_reply);
6579 
6580 struct sk_buff *cfg80211_testmode_alloc_event_skb(struct wiphy *wiphy,
6581 						  int approxlen, gfp_t gfp)
6582 {
6583 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
6584 
6585 	return __cfg80211_testmode_alloc_skb(rdev, approxlen, 0, 0, gfp);
6586 }
6587 EXPORT_SYMBOL(cfg80211_testmode_alloc_event_skb);
6588 
6589 void cfg80211_testmode_event(struct sk_buff *skb, gfp_t gfp)
6590 {
6591 	void *hdr = ((void **)skb->cb)[1];
6592 	struct nlattr *data = ((void **)skb->cb)[2];
6593 
6594 	nla_nest_end(skb, data);
6595 	genlmsg_end(skb, hdr);
6596 	genlmsg_multicast(skb, 0, nl80211_testmode_mcgrp.id, gfp);
6597 }
6598 EXPORT_SYMBOL(cfg80211_testmode_event);
6599 #endif
6600 
6601 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
6602 {
6603 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6604 	struct net_device *dev = info->user_ptr[1];
6605 	struct cfg80211_connect_params connect;
6606 	struct wiphy *wiphy;
6607 	struct cfg80211_cached_keys *connkeys = NULL;
6608 	int err;
6609 
6610 	memset(&connect, 0, sizeof(connect));
6611 
6612 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6613 		return -EINVAL;
6614 
6615 	if (!info->attrs[NL80211_ATTR_SSID] ||
6616 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
6617 		return -EINVAL;
6618 
6619 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
6620 		connect.auth_type =
6621 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
6622 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
6623 					     NL80211_CMD_CONNECT))
6624 			return -EINVAL;
6625 	} else
6626 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
6627 
6628 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
6629 
6630 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
6631 				      NL80211_MAX_NR_CIPHER_SUITES);
6632 	if (err)
6633 		return err;
6634 
6635 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6636 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6637 		return -EOPNOTSUPP;
6638 
6639 	wiphy = &rdev->wiphy;
6640 
6641 	connect.bg_scan_period = -1;
6642 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
6643 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
6644 		connect.bg_scan_period =
6645 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
6646 	}
6647 
6648 	if (info->attrs[NL80211_ATTR_MAC])
6649 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6650 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6651 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
6652 
6653 	if (info->attrs[NL80211_ATTR_IE]) {
6654 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6655 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6656 	}
6657 
6658 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
6659 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
6660 		if (connect.mfp != NL80211_MFP_REQUIRED &&
6661 		    connect.mfp != NL80211_MFP_NO)
6662 			return -EINVAL;
6663 	} else {
6664 		connect.mfp = NL80211_MFP_NO;
6665 	}
6666 
6667 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
6668 		connect.channel =
6669 			ieee80211_get_channel(wiphy,
6670 			    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
6671 		if (!connect.channel ||
6672 		    connect.channel->flags & IEEE80211_CHAN_DISABLED)
6673 			return -EINVAL;
6674 	}
6675 
6676 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
6677 		connkeys = nl80211_parse_connkeys(rdev,
6678 					  info->attrs[NL80211_ATTR_KEYS], NULL);
6679 		if (IS_ERR(connkeys))
6680 			return PTR_ERR(connkeys);
6681 	}
6682 
6683 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
6684 		connect.flags |= ASSOC_REQ_DISABLE_HT;
6685 
6686 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
6687 		memcpy(&connect.ht_capa_mask,
6688 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
6689 		       sizeof(connect.ht_capa_mask));
6690 
6691 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
6692 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
6693 			kfree(connkeys);
6694 			return -EINVAL;
6695 		}
6696 		memcpy(&connect.ht_capa,
6697 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
6698 		       sizeof(connect.ht_capa));
6699 	}
6700 
6701 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
6702 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
6703 
6704 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
6705 		memcpy(&connect.vht_capa_mask,
6706 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
6707 		       sizeof(connect.vht_capa_mask));
6708 
6709 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
6710 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
6711 			kfree(connkeys);
6712 			return -EINVAL;
6713 		}
6714 		memcpy(&connect.vht_capa,
6715 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
6716 		       sizeof(connect.vht_capa));
6717 	}
6718 
6719 	err = cfg80211_connect(rdev, dev, &connect, connkeys);
6720 	if (err)
6721 		kfree(connkeys);
6722 	return err;
6723 }
6724 
6725 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
6726 {
6727 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6728 	struct net_device *dev = info->user_ptr[1];
6729 	u16 reason;
6730 
6731 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
6732 		reason = WLAN_REASON_DEAUTH_LEAVING;
6733 	else
6734 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
6735 
6736 	if (reason == 0)
6737 		return -EINVAL;
6738 
6739 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6740 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6741 		return -EOPNOTSUPP;
6742 
6743 	return cfg80211_disconnect(rdev, dev, reason, true);
6744 }
6745 
6746 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
6747 {
6748 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6749 	struct net *net;
6750 	int err;
6751 	u32 pid;
6752 
6753 	if (!info->attrs[NL80211_ATTR_PID])
6754 		return -EINVAL;
6755 
6756 	pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
6757 
6758 	net = get_net_ns_by_pid(pid);
6759 	if (IS_ERR(net))
6760 		return PTR_ERR(net);
6761 
6762 	err = 0;
6763 
6764 	/* check if anything to do */
6765 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
6766 		err = cfg80211_switch_netns(rdev, net);
6767 
6768 	put_net(net);
6769 	return err;
6770 }
6771 
6772 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
6773 {
6774 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6775 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
6776 			struct cfg80211_pmksa *pmksa) = NULL;
6777 	struct net_device *dev = info->user_ptr[1];
6778 	struct cfg80211_pmksa pmksa;
6779 
6780 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
6781 
6782 	if (!info->attrs[NL80211_ATTR_MAC])
6783 		return -EINVAL;
6784 
6785 	if (!info->attrs[NL80211_ATTR_PMKID])
6786 		return -EINVAL;
6787 
6788 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
6789 	pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6790 
6791 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6792 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6793 		return -EOPNOTSUPP;
6794 
6795 	switch (info->genlhdr->cmd) {
6796 	case NL80211_CMD_SET_PMKSA:
6797 		rdev_ops = rdev->ops->set_pmksa;
6798 		break;
6799 	case NL80211_CMD_DEL_PMKSA:
6800 		rdev_ops = rdev->ops->del_pmksa;
6801 		break;
6802 	default:
6803 		WARN_ON(1);
6804 		break;
6805 	}
6806 
6807 	if (!rdev_ops)
6808 		return -EOPNOTSUPP;
6809 
6810 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
6811 }
6812 
6813 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
6814 {
6815 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6816 	struct net_device *dev = info->user_ptr[1];
6817 
6818 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6819 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6820 		return -EOPNOTSUPP;
6821 
6822 	if (!rdev->ops->flush_pmksa)
6823 		return -EOPNOTSUPP;
6824 
6825 	return rdev_flush_pmksa(rdev, dev);
6826 }
6827 
6828 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
6829 {
6830 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6831 	struct net_device *dev = info->user_ptr[1];
6832 	u8 action_code, dialog_token;
6833 	u16 status_code;
6834 	u8 *peer;
6835 
6836 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
6837 	    !rdev->ops->tdls_mgmt)
6838 		return -EOPNOTSUPP;
6839 
6840 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
6841 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
6842 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
6843 	    !info->attrs[NL80211_ATTR_IE] ||
6844 	    !info->attrs[NL80211_ATTR_MAC])
6845 		return -EINVAL;
6846 
6847 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
6848 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
6849 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
6850 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
6851 
6852 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
6853 			      dialog_token, status_code,
6854 			      nla_data(info->attrs[NL80211_ATTR_IE]),
6855 			      nla_len(info->attrs[NL80211_ATTR_IE]));
6856 }
6857 
6858 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
6859 {
6860 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6861 	struct net_device *dev = info->user_ptr[1];
6862 	enum nl80211_tdls_operation operation;
6863 	u8 *peer;
6864 
6865 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
6866 	    !rdev->ops->tdls_oper)
6867 		return -EOPNOTSUPP;
6868 
6869 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
6870 	    !info->attrs[NL80211_ATTR_MAC])
6871 		return -EINVAL;
6872 
6873 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
6874 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
6875 
6876 	return rdev_tdls_oper(rdev, dev, peer, operation);
6877 }
6878 
6879 static int nl80211_remain_on_channel(struct sk_buff *skb,
6880 				     struct genl_info *info)
6881 {
6882 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6883 	struct wireless_dev *wdev = info->user_ptr[1];
6884 	struct cfg80211_chan_def chandef;
6885 	struct sk_buff *msg;
6886 	void *hdr;
6887 	u64 cookie;
6888 	u32 duration;
6889 	int err;
6890 
6891 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
6892 	    !info->attrs[NL80211_ATTR_DURATION])
6893 		return -EINVAL;
6894 
6895 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
6896 
6897 	if (!rdev->ops->remain_on_channel ||
6898 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
6899 		return -EOPNOTSUPP;
6900 
6901 	/*
6902 	 * We should be on that channel for at least a minimum amount of
6903 	 * time (10ms) but no longer than the driver supports.
6904 	 */
6905 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
6906 	    duration > rdev->wiphy.max_remain_on_channel_duration)
6907 		return -EINVAL;
6908 
6909 	err = nl80211_parse_chandef(rdev, info, &chandef);
6910 	if (err)
6911 		return err;
6912 
6913 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6914 	if (!msg)
6915 		return -ENOMEM;
6916 
6917 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
6918 			     NL80211_CMD_REMAIN_ON_CHANNEL);
6919 
6920 	if (IS_ERR(hdr)) {
6921 		err = PTR_ERR(hdr);
6922 		goto free_msg;
6923 	}
6924 
6925 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
6926 				     duration, &cookie);
6927 
6928 	if (err)
6929 		goto free_msg;
6930 
6931 	if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
6932 		goto nla_put_failure;
6933 
6934 	genlmsg_end(msg, hdr);
6935 
6936 	return genlmsg_reply(msg, info);
6937 
6938  nla_put_failure:
6939 	err = -ENOBUFS;
6940  free_msg:
6941 	nlmsg_free(msg);
6942 	return err;
6943 }
6944 
6945 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
6946 					    struct genl_info *info)
6947 {
6948 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6949 	struct wireless_dev *wdev = info->user_ptr[1];
6950 	u64 cookie;
6951 
6952 	if (!info->attrs[NL80211_ATTR_COOKIE])
6953 		return -EINVAL;
6954 
6955 	if (!rdev->ops->cancel_remain_on_channel)
6956 		return -EOPNOTSUPP;
6957 
6958 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
6959 
6960 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
6961 }
6962 
6963 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
6964 			   u8 *rates, u8 rates_len)
6965 {
6966 	u8 i;
6967 	u32 mask = 0;
6968 
6969 	for (i = 0; i < rates_len; i++) {
6970 		int rate = (rates[i] & 0x7f) * 5;
6971 		int ridx;
6972 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
6973 			struct ieee80211_rate *srate =
6974 				&sband->bitrates[ridx];
6975 			if (rate == srate->bitrate) {
6976 				mask |= 1 << ridx;
6977 				break;
6978 			}
6979 		}
6980 		if (ridx == sband->n_bitrates)
6981 			return 0; /* rate not found */
6982 	}
6983 
6984 	return mask;
6985 }
6986 
6987 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
6988 			       u8 *rates, u8 rates_len,
6989 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
6990 {
6991 	u8 i;
6992 
6993 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
6994 
6995 	for (i = 0; i < rates_len; i++) {
6996 		int ridx, rbit;
6997 
6998 		ridx = rates[i] / 8;
6999 		rbit = BIT(rates[i] % 8);
7000 
7001 		/* check validity */
7002 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
7003 			return false;
7004 
7005 		/* check availability */
7006 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
7007 			mcs[ridx] |= rbit;
7008 		else
7009 			return false;
7010 	}
7011 
7012 	return true;
7013 }
7014 
7015 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
7016 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
7017 				    .len = NL80211_MAX_SUPP_RATES },
7018 	[NL80211_TXRATE_MCS] = { .type = NLA_BINARY,
7019 				 .len = NL80211_MAX_SUPP_HT_RATES },
7020 };
7021 
7022 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
7023 				       struct genl_info *info)
7024 {
7025 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
7026 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7027 	struct cfg80211_bitrate_mask mask;
7028 	int rem, i;
7029 	struct net_device *dev = info->user_ptr[1];
7030 	struct nlattr *tx_rates;
7031 	struct ieee80211_supported_band *sband;
7032 
7033 	if (info->attrs[NL80211_ATTR_TX_RATES] == NULL)
7034 		return -EINVAL;
7035 
7036 	if (!rdev->ops->set_bitrate_mask)
7037 		return -EOPNOTSUPP;
7038 
7039 	memset(&mask, 0, sizeof(mask));
7040 	/* Default to all rates enabled */
7041 	for (i = 0; i < IEEE80211_NUM_BANDS; i++) {
7042 		sband = rdev->wiphy.bands[i];
7043 		mask.control[i].legacy =
7044 			sband ? (1 << sband->n_bitrates) - 1 : 0;
7045 		if (sband)
7046 			memcpy(mask.control[i].mcs,
7047 			       sband->ht_cap.mcs.rx_mask,
7048 			       sizeof(mask.control[i].mcs));
7049 		else
7050 			memset(mask.control[i].mcs, 0,
7051 			       sizeof(mask.control[i].mcs));
7052 	}
7053 
7054 	/*
7055 	 * The nested attribute uses enum nl80211_band as the index. This maps
7056 	 * directly to the enum ieee80211_band values used in cfg80211.
7057 	 */
7058 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
7059 	nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem)
7060 	{
7061 		enum ieee80211_band band = nla_type(tx_rates);
7062 		if (band < 0 || band >= IEEE80211_NUM_BANDS)
7063 			return -EINVAL;
7064 		sband = rdev->wiphy.bands[band];
7065 		if (sband == NULL)
7066 			return -EINVAL;
7067 		nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates),
7068 			  nla_len(tx_rates), nl80211_txattr_policy);
7069 		if (tb[NL80211_TXRATE_LEGACY]) {
7070 			mask.control[band].legacy = rateset_to_mask(
7071 				sband,
7072 				nla_data(tb[NL80211_TXRATE_LEGACY]),
7073 				nla_len(tb[NL80211_TXRATE_LEGACY]));
7074 			if ((mask.control[band].legacy == 0) &&
7075 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
7076 				return -EINVAL;
7077 		}
7078 		if (tb[NL80211_TXRATE_MCS]) {
7079 			if (!ht_rateset_to_mask(
7080 					sband,
7081 					nla_data(tb[NL80211_TXRATE_MCS]),
7082 					nla_len(tb[NL80211_TXRATE_MCS]),
7083 					mask.control[band].mcs))
7084 				return -EINVAL;
7085 		}
7086 
7087 		if (mask.control[band].legacy == 0) {
7088 			/* don't allow empty legacy rates if HT
7089 			 * is not even supported. */
7090 			if (!rdev->wiphy.bands[band]->ht_cap.ht_supported)
7091 				return -EINVAL;
7092 
7093 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
7094 				if (mask.control[band].mcs[i])
7095 					break;
7096 
7097 			/* legacy and mcs rates may not be both empty */
7098 			if (i == IEEE80211_HT_MCS_MASK_LEN)
7099 				return -EINVAL;
7100 		}
7101 	}
7102 
7103 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
7104 }
7105 
7106 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
7107 {
7108 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7109 	struct wireless_dev *wdev = info->user_ptr[1];
7110 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
7111 
7112 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
7113 		return -EINVAL;
7114 
7115 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
7116 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
7117 
7118 	switch (wdev->iftype) {
7119 	case NL80211_IFTYPE_STATION:
7120 	case NL80211_IFTYPE_ADHOC:
7121 	case NL80211_IFTYPE_P2P_CLIENT:
7122 	case NL80211_IFTYPE_AP:
7123 	case NL80211_IFTYPE_AP_VLAN:
7124 	case NL80211_IFTYPE_MESH_POINT:
7125 	case NL80211_IFTYPE_P2P_GO:
7126 	case NL80211_IFTYPE_P2P_DEVICE:
7127 		break;
7128 	default:
7129 		return -EOPNOTSUPP;
7130 	}
7131 
7132 	/* not much point in registering if we can't reply */
7133 	if (!rdev->ops->mgmt_tx)
7134 		return -EOPNOTSUPP;
7135 
7136 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
7137 			nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
7138 			nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]));
7139 }
7140 
7141 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
7142 {
7143 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7144 	struct wireless_dev *wdev = info->user_ptr[1];
7145 	struct cfg80211_chan_def chandef;
7146 	int err;
7147 	void *hdr = NULL;
7148 	u64 cookie;
7149 	struct sk_buff *msg = NULL;
7150 	unsigned int wait = 0;
7151 	bool offchan, no_cck, dont_wait_for_ack;
7152 
7153 	dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
7154 
7155 	if (!info->attrs[NL80211_ATTR_FRAME])
7156 		return -EINVAL;
7157 
7158 	if (!rdev->ops->mgmt_tx)
7159 		return -EOPNOTSUPP;
7160 
7161 	switch (wdev->iftype) {
7162 	case NL80211_IFTYPE_STATION:
7163 	case NL80211_IFTYPE_ADHOC:
7164 	case NL80211_IFTYPE_P2P_CLIENT:
7165 	case NL80211_IFTYPE_AP:
7166 	case NL80211_IFTYPE_AP_VLAN:
7167 	case NL80211_IFTYPE_MESH_POINT:
7168 	case NL80211_IFTYPE_P2P_GO:
7169 	case NL80211_IFTYPE_P2P_DEVICE:
7170 		break;
7171 	default:
7172 		return -EOPNOTSUPP;
7173 	}
7174 
7175 	if (info->attrs[NL80211_ATTR_DURATION]) {
7176 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
7177 			return -EINVAL;
7178 		wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
7179 
7180 		/*
7181 		 * We should wait on the channel for at least a minimum amount
7182 		 * of time (10ms) but no longer than the driver supports.
7183 		 */
7184 		if (wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
7185 		    wait > rdev->wiphy.max_remain_on_channel_duration)
7186 			return -EINVAL;
7187 
7188 	}
7189 
7190 	offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
7191 
7192 	if (offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
7193 		return -EINVAL;
7194 
7195 	no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
7196 
7197 	err = nl80211_parse_chandef(rdev, info, &chandef);
7198 	if (err)
7199 		return err;
7200 
7201 	if (!dont_wait_for_ack) {
7202 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7203 		if (!msg)
7204 			return -ENOMEM;
7205 
7206 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7207 				     NL80211_CMD_FRAME);
7208 
7209 		if (IS_ERR(hdr)) {
7210 			err = PTR_ERR(hdr);
7211 			goto free_msg;
7212 		}
7213 	}
7214 
7215 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, chandef.chan, offchan, wait,
7216 				    nla_data(info->attrs[NL80211_ATTR_FRAME]),
7217 				    nla_len(info->attrs[NL80211_ATTR_FRAME]),
7218 				    no_cck, dont_wait_for_ack, &cookie);
7219 	if (err)
7220 		goto free_msg;
7221 
7222 	if (msg) {
7223 		if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
7224 			goto nla_put_failure;
7225 
7226 		genlmsg_end(msg, hdr);
7227 		return genlmsg_reply(msg, info);
7228 	}
7229 
7230 	return 0;
7231 
7232  nla_put_failure:
7233 	err = -ENOBUFS;
7234  free_msg:
7235 	nlmsg_free(msg);
7236 	return err;
7237 }
7238 
7239 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
7240 {
7241 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7242 	struct wireless_dev *wdev = info->user_ptr[1];
7243 	u64 cookie;
7244 
7245 	if (!info->attrs[NL80211_ATTR_COOKIE])
7246 		return -EINVAL;
7247 
7248 	if (!rdev->ops->mgmt_tx_cancel_wait)
7249 		return -EOPNOTSUPP;
7250 
7251 	switch (wdev->iftype) {
7252 	case NL80211_IFTYPE_STATION:
7253 	case NL80211_IFTYPE_ADHOC:
7254 	case NL80211_IFTYPE_P2P_CLIENT:
7255 	case NL80211_IFTYPE_AP:
7256 	case NL80211_IFTYPE_AP_VLAN:
7257 	case NL80211_IFTYPE_P2P_GO:
7258 	case NL80211_IFTYPE_P2P_DEVICE:
7259 		break;
7260 	default:
7261 		return -EOPNOTSUPP;
7262 	}
7263 
7264 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
7265 
7266 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
7267 }
7268 
7269 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
7270 {
7271 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7272 	struct wireless_dev *wdev;
7273 	struct net_device *dev = info->user_ptr[1];
7274 	u8 ps_state;
7275 	bool state;
7276 	int err;
7277 
7278 	if (!info->attrs[NL80211_ATTR_PS_STATE])
7279 		return -EINVAL;
7280 
7281 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
7282 
7283 	if (ps_state != NL80211_PS_DISABLED && ps_state != NL80211_PS_ENABLED)
7284 		return -EINVAL;
7285 
7286 	wdev = dev->ieee80211_ptr;
7287 
7288 	if (!rdev->ops->set_power_mgmt)
7289 		return -EOPNOTSUPP;
7290 
7291 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
7292 
7293 	if (state == wdev->ps)
7294 		return 0;
7295 
7296 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
7297 	if (!err)
7298 		wdev->ps = state;
7299 	return err;
7300 }
7301 
7302 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
7303 {
7304 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7305 	enum nl80211_ps_state ps_state;
7306 	struct wireless_dev *wdev;
7307 	struct net_device *dev = info->user_ptr[1];
7308 	struct sk_buff *msg;
7309 	void *hdr;
7310 	int err;
7311 
7312 	wdev = dev->ieee80211_ptr;
7313 
7314 	if (!rdev->ops->set_power_mgmt)
7315 		return -EOPNOTSUPP;
7316 
7317 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7318 	if (!msg)
7319 		return -ENOMEM;
7320 
7321 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7322 			     NL80211_CMD_GET_POWER_SAVE);
7323 	if (!hdr) {
7324 		err = -ENOBUFS;
7325 		goto free_msg;
7326 	}
7327 
7328 	if (wdev->ps)
7329 		ps_state = NL80211_PS_ENABLED;
7330 	else
7331 		ps_state = NL80211_PS_DISABLED;
7332 
7333 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
7334 		goto nla_put_failure;
7335 
7336 	genlmsg_end(msg, hdr);
7337 	return genlmsg_reply(msg, info);
7338 
7339  nla_put_failure:
7340 	err = -ENOBUFS;
7341  free_msg:
7342 	nlmsg_free(msg);
7343 	return err;
7344 }
7345 
7346 static struct nla_policy
7347 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] __read_mostly = {
7348 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_U32 },
7349 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
7350 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
7351 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
7352 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
7353 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
7354 };
7355 
7356 static int nl80211_set_cqm_txe(struct genl_info *info,
7357 			       u32 rate, u32 pkts, u32 intvl)
7358 {
7359 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7360 	struct wireless_dev *wdev;
7361 	struct net_device *dev = info->user_ptr[1];
7362 
7363 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
7364 		return -EINVAL;
7365 
7366 	wdev = dev->ieee80211_ptr;
7367 
7368 	if (!rdev->ops->set_cqm_txe_config)
7369 		return -EOPNOTSUPP;
7370 
7371 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
7372 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
7373 		return -EOPNOTSUPP;
7374 
7375 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
7376 }
7377 
7378 static int nl80211_set_cqm_rssi(struct genl_info *info,
7379 				s32 threshold, u32 hysteresis)
7380 {
7381 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7382 	struct wireless_dev *wdev;
7383 	struct net_device *dev = info->user_ptr[1];
7384 
7385 	if (threshold > 0)
7386 		return -EINVAL;
7387 
7388 	wdev = dev->ieee80211_ptr;
7389 
7390 	if (!rdev->ops->set_cqm_rssi_config)
7391 		return -EOPNOTSUPP;
7392 
7393 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
7394 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
7395 		return -EOPNOTSUPP;
7396 
7397 	return rdev_set_cqm_rssi_config(rdev, dev, threshold, hysteresis);
7398 }
7399 
7400 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
7401 {
7402 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
7403 	struct nlattr *cqm;
7404 	int err;
7405 
7406 	cqm = info->attrs[NL80211_ATTR_CQM];
7407 	if (!cqm) {
7408 		err = -EINVAL;
7409 		goto out;
7410 	}
7411 
7412 	err = nla_parse_nested(attrs, NL80211_ATTR_CQM_MAX, cqm,
7413 			       nl80211_attr_cqm_policy);
7414 	if (err)
7415 		goto out;
7416 
7417 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
7418 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
7419 		s32 threshold;
7420 		u32 hysteresis;
7421 		threshold = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
7422 		hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
7423 		err = nl80211_set_cqm_rssi(info, threshold, hysteresis);
7424 	} else if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
7425 		   attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
7426 		   attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
7427 		u32 rate, pkts, intvl;
7428 		rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
7429 		pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
7430 		intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
7431 		err = nl80211_set_cqm_txe(info, rate, pkts, intvl);
7432 	} else
7433 		err = -EINVAL;
7434 
7435 out:
7436 	return err;
7437 }
7438 
7439 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
7440 {
7441 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7442 	struct net_device *dev = info->user_ptr[1];
7443 	struct mesh_config cfg;
7444 	struct mesh_setup setup;
7445 	int err;
7446 
7447 	/* start with default */
7448 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
7449 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
7450 
7451 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
7452 		/* and parse parameters if given */
7453 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
7454 		if (err)
7455 			return err;
7456 	}
7457 
7458 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
7459 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
7460 		return -EINVAL;
7461 
7462 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
7463 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
7464 
7465 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
7466 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
7467 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
7468 			return -EINVAL;
7469 
7470 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
7471 		setup.beacon_interval =
7472 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
7473 		if (setup.beacon_interval < 10 ||
7474 		    setup.beacon_interval > 10000)
7475 			return -EINVAL;
7476 	}
7477 
7478 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
7479 		setup.dtim_period =
7480 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
7481 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
7482 			return -EINVAL;
7483 	}
7484 
7485 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
7486 		/* parse additional setup parameters if given */
7487 		err = nl80211_parse_mesh_setup(info, &setup);
7488 		if (err)
7489 			return err;
7490 	}
7491 
7492 	if (setup.user_mpm)
7493 		cfg.auto_open_plinks = false;
7494 
7495 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
7496 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
7497 		if (err)
7498 			return err;
7499 	} else {
7500 		/* cfg80211_join_mesh() will sort it out */
7501 		setup.chandef.chan = NULL;
7502 	}
7503 
7504 	return cfg80211_join_mesh(rdev, dev, &setup, &cfg);
7505 }
7506 
7507 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
7508 {
7509 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7510 	struct net_device *dev = info->user_ptr[1];
7511 
7512 	return cfg80211_leave_mesh(rdev, dev);
7513 }
7514 
7515 #ifdef CONFIG_PM
7516 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
7517 					struct cfg80211_registered_device *rdev)
7518 {
7519 	struct nlattr *nl_pats, *nl_pat;
7520 	int i, pat_len;
7521 
7522 	if (!rdev->wowlan->n_patterns)
7523 		return 0;
7524 
7525 	nl_pats = nla_nest_start(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
7526 	if (!nl_pats)
7527 		return -ENOBUFS;
7528 
7529 	for (i = 0; i < rdev->wowlan->n_patterns; i++) {
7530 		nl_pat = nla_nest_start(msg, i + 1);
7531 		if (!nl_pat)
7532 			return -ENOBUFS;
7533 		pat_len = rdev->wowlan->patterns[i].pattern_len;
7534 		if (nla_put(msg, NL80211_WOWLAN_PKTPAT_MASK,
7535 			    DIV_ROUND_UP(pat_len, 8),
7536 			    rdev->wowlan->patterns[i].mask) ||
7537 		    nla_put(msg, NL80211_WOWLAN_PKTPAT_PATTERN,
7538 			    pat_len, rdev->wowlan->patterns[i].pattern) ||
7539 		    nla_put_u32(msg, NL80211_WOWLAN_PKTPAT_OFFSET,
7540 				rdev->wowlan->patterns[i].pkt_offset))
7541 			return -ENOBUFS;
7542 		nla_nest_end(msg, nl_pat);
7543 	}
7544 	nla_nest_end(msg, nl_pats);
7545 
7546 	return 0;
7547 }
7548 
7549 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
7550 				   struct cfg80211_wowlan_tcp *tcp)
7551 {
7552 	struct nlattr *nl_tcp;
7553 
7554 	if (!tcp)
7555 		return 0;
7556 
7557 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
7558 	if (!nl_tcp)
7559 		return -ENOBUFS;
7560 
7561 	if (nla_put_be32(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
7562 	    nla_put_be32(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
7563 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
7564 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
7565 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
7566 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
7567 		    tcp->payload_len, tcp->payload) ||
7568 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
7569 			tcp->data_interval) ||
7570 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
7571 		    tcp->wake_len, tcp->wake_data) ||
7572 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
7573 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
7574 		return -ENOBUFS;
7575 
7576 	if (tcp->payload_seq.len &&
7577 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
7578 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
7579 		return -ENOBUFS;
7580 
7581 	if (tcp->payload_tok.len &&
7582 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
7583 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
7584 		    &tcp->payload_tok))
7585 		return -ENOBUFS;
7586 
7587 	nla_nest_end(msg, nl_tcp);
7588 
7589 	return 0;
7590 }
7591 
7592 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
7593 {
7594 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7595 	struct sk_buff *msg;
7596 	void *hdr;
7597 	u32 size = NLMSG_DEFAULT_SIZE;
7598 
7599 	if (!rdev->wiphy.wowlan.flags && !rdev->wiphy.wowlan.n_patterns &&
7600 	    !rdev->wiphy.wowlan.tcp)
7601 		return -EOPNOTSUPP;
7602 
7603 	if (rdev->wowlan && rdev->wowlan->tcp) {
7604 		/* adjust size to have room for all the data */
7605 		size += rdev->wowlan->tcp->tokens_size +
7606 			rdev->wowlan->tcp->payload_len +
7607 			rdev->wowlan->tcp->wake_len +
7608 			rdev->wowlan->tcp->wake_len / 8;
7609 	}
7610 
7611 	msg = nlmsg_new(size, GFP_KERNEL);
7612 	if (!msg)
7613 		return -ENOMEM;
7614 
7615 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7616 			     NL80211_CMD_GET_WOWLAN);
7617 	if (!hdr)
7618 		goto nla_put_failure;
7619 
7620 	if (rdev->wowlan) {
7621 		struct nlattr *nl_wowlan;
7622 
7623 		nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
7624 		if (!nl_wowlan)
7625 			goto nla_put_failure;
7626 
7627 		if ((rdev->wowlan->any &&
7628 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
7629 		    (rdev->wowlan->disconnect &&
7630 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
7631 		    (rdev->wowlan->magic_pkt &&
7632 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
7633 		    (rdev->wowlan->gtk_rekey_failure &&
7634 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
7635 		    (rdev->wowlan->eap_identity_req &&
7636 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
7637 		    (rdev->wowlan->four_way_handshake &&
7638 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
7639 		    (rdev->wowlan->rfkill_release &&
7640 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
7641 			goto nla_put_failure;
7642 
7643 		if (nl80211_send_wowlan_patterns(msg, rdev))
7644 			goto nla_put_failure;
7645 
7646 		if (nl80211_send_wowlan_tcp(msg, rdev->wowlan->tcp))
7647 			goto nla_put_failure;
7648 
7649 		nla_nest_end(msg, nl_wowlan);
7650 	}
7651 
7652 	genlmsg_end(msg, hdr);
7653 	return genlmsg_reply(msg, info);
7654 
7655 nla_put_failure:
7656 	nlmsg_free(msg);
7657 	return -ENOBUFS;
7658 }
7659 
7660 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
7661 				    struct nlattr *attr,
7662 				    struct cfg80211_wowlan *trig)
7663 {
7664 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
7665 	struct cfg80211_wowlan_tcp *cfg;
7666 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
7667 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
7668 	u32 size;
7669 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
7670 	int err, port;
7671 
7672 	if (!rdev->wiphy.wowlan.tcp)
7673 		return -EINVAL;
7674 
7675 	err = nla_parse(tb, MAX_NL80211_WOWLAN_TCP,
7676 			nla_data(attr), nla_len(attr),
7677 			nl80211_wowlan_tcp_policy);
7678 	if (err)
7679 		return err;
7680 
7681 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
7682 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
7683 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
7684 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
7685 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
7686 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
7687 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
7688 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
7689 		return -EINVAL;
7690 
7691 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
7692 	if (data_size > rdev->wiphy.wowlan.tcp->data_payload_max)
7693 		return -EINVAL;
7694 
7695 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
7696 			rdev->wiphy.wowlan.tcp->data_interval_max ||
7697 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
7698 		return -EINVAL;
7699 
7700 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
7701 	if (wake_size > rdev->wiphy.wowlan.tcp->wake_payload_max)
7702 		return -EINVAL;
7703 
7704 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
7705 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
7706 		return -EINVAL;
7707 
7708 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
7709 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
7710 
7711 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
7712 		tokens_size = tokln - sizeof(*tok);
7713 
7714 		if (!tok->len || tokens_size % tok->len)
7715 			return -EINVAL;
7716 		if (!rdev->wiphy.wowlan.tcp->tok)
7717 			return -EINVAL;
7718 		if (tok->len > rdev->wiphy.wowlan.tcp->tok->max_len)
7719 			return -EINVAL;
7720 		if (tok->len < rdev->wiphy.wowlan.tcp->tok->min_len)
7721 			return -EINVAL;
7722 		if (tokens_size > rdev->wiphy.wowlan.tcp->tok->bufsize)
7723 			return -EINVAL;
7724 		if (tok->offset + tok->len > data_size)
7725 			return -EINVAL;
7726 	}
7727 
7728 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
7729 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
7730 		if (!rdev->wiphy.wowlan.tcp->seq)
7731 			return -EINVAL;
7732 		if (seq->len == 0 || seq->len > 4)
7733 			return -EINVAL;
7734 		if (seq->len + seq->offset > data_size)
7735 			return -EINVAL;
7736 	}
7737 
7738 	size = sizeof(*cfg);
7739 	size += data_size;
7740 	size += wake_size + wake_mask_size;
7741 	size += tokens_size;
7742 
7743 	cfg = kzalloc(size, GFP_KERNEL);
7744 	if (!cfg)
7745 		return -ENOMEM;
7746 	cfg->src = nla_get_be32(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
7747 	cfg->dst = nla_get_be32(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
7748 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
7749 	       ETH_ALEN);
7750 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
7751 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
7752 	else
7753 		port = 0;
7754 #ifdef CONFIG_INET
7755 	/* allocate a socket and port for it and use it */
7756 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
7757 			    IPPROTO_TCP, &cfg->sock, 1);
7758 	if (err) {
7759 		kfree(cfg);
7760 		return err;
7761 	}
7762 	if (inet_csk_get_port(cfg->sock->sk, port)) {
7763 		sock_release(cfg->sock);
7764 		kfree(cfg);
7765 		return -EADDRINUSE;
7766 	}
7767 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
7768 #else
7769 	if (!port) {
7770 		kfree(cfg);
7771 		return -EINVAL;
7772 	}
7773 	cfg->src_port = port;
7774 #endif
7775 
7776 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
7777 	cfg->payload_len = data_size;
7778 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
7779 	memcpy((void *)cfg->payload,
7780 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
7781 	       data_size);
7782 	if (seq)
7783 		cfg->payload_seq = *seq;
7784 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
7785 	cfg->wake_len = wake_size;
7786 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
7787 	memcpy((void *)cfg->wake_data,
7788 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
7789 	       wake_size);
7790 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
7791 			 data_size + wake_size;
7792 	memcpy((void *)cfg->wake_mask,
7793 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
7794 	       wake_mask_size);
7795 	if (tok) {
7796 		cfg->tokens_size = tokens_size;
7797 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
7798 	}
7799 
7800 	trig->tcp = cfg;
7801 
7802 	return 0;
7803 }
7804 
7805 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
7806 {
7807 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7808 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
7809 	struct cfg80211_wowlan new_triggers = {};
7810 	struct cfg80211_wowlan *ntrig;
7811 	struct wiphy_wowlan_support *wowlan = &rdev->wiphy.wowlan;
7812 	int err, i;
7813 	bool prev_enabled = rdev->wowlan;
7814 
7815 	if (!rdev->wiphy.wowlan.flags && !rdev->wiphy.wowlan.n_patterns &&
7816 	    !rdev->wiphy.wowlan.tcp)
7817 		return -EOPNOTSUPP;
7818 
7819 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
7820 		cfg80211_rdev_free_wowlan(rdev);
7821 		rdev->wowlan = NULL;
7822 		goto set_wakeup;
7823 	}
7824 
7825 	err = nla_parse(tb, MAX_NL80211_WOWLAN_TRIG,
7826 			nla_data(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
7827 			nla_len(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
7828 			nl80211_wowlan_policy);
7829 	if (err)
7830 		return err;
7831 
7832 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
7833 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
7834 			return -EINVAL;
7835 		new_triggers.any = true;
7836 	}
7837 
7838 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
7839 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
7840 			return -EINVAL;
7841 		new_triggers.disconnect = true;
7842 	}
7843 
7844 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
7845 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
7846 			return -EINVAL;
7847 		new_triggers.magic_pkt = true;
7848 	}
7849 
7850 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
7851 		return -EINVAL;
7852 
7853 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
7854 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
7855 			return -EINVAL;
7856 		new_triggers.gtk_rekey_failure = true;
7857 	}
7858 
7859 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
7860 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
7861 			return -EINVAL;
7862 		new_triggers.eap_identity_req = true;
7863 	}
7864 
7865 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
7866 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
7867 			return -EINVAL;
7868 		new_triggers.four_way_handshake = true;
7869 	}
7870 
7871 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
7872 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
7873 			return -EINVAL;
7874 		new_triggers.rfkill_release = true;
7875 	}
7876 
7877 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
7878 		struct nlattr *pat;
7879 		int n_patterns = 0;
7880 		int rem, pat_len, mask_len, pkt_offset;
7881 		struct nlattr *pat_tb[NUM_NL80211_WOWLAN_PKTPAT];
7882 
7883 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
7884 				    rem)
7885 			n_patterns++;
7886 		if (n_patterns > wowlan->n_patterns)
7887 			return -EINVAL;
7888 
7889 		new_triggers.patterns = kcalloc(n_patterns,
7890 						sizeof(new_triggers.patterns[0]),
7891 						GFP_KERNEL);
7892 		if (!new_triggers.patterns)
7893 			return -ENOMEM;
7894 
7895 		new_triggers.n_patterns = n_patterns;
7896 		i = 0;
7897 
7898 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
7899 				    rem) {
7900 			nla_parse(pat_tb, MAX_NL80211_WOWLAN_PKTPAT,
7901 				  nla_data(pat), nla_len(pat), NULL);
7902 			err = -EINVAL;
7903 			if (!pat_tb[NL80211_WOWLAN_PKTPAT_MASK] ||
7904 			    !pat_tb[NL80211_WOWLAN_PKTPAT_PATTERN])
7905 				goto error;
7906 			pat_len = nla_len(pat_tb[NL80211_WOWLAN_PKTPAT_PATTERN]);
7907 			mask_len = DIV_ROUND_UP(pat_len, 8);
7908 			if (nla_len(pat_tb[NL80211_WOWLAN_PKTPAT_MASK]) !=
7909 			    mask_len)
7910 				goto error;
7911 			if (pat_len > wowlan->pattern_max_len ||
7912 			    pat_len < wowlan->pattern_min_len)
7913 				goto error;
7914 
7915 			if (!pat_tb[NL80211_WOWLAN_PKTPAT_OFFSET])
7916 				pkt_offset = 0;
7917 			else
7918 				pkt_offset = nla_get_u32(
7919 					pat_tb[NL80211_WOWLAN_PKTPAT_OFFSET]);
7920 			if (pkt_offset > wowlan->max_pkt_offset)
7921 				goto error;
7922 			new_triggers.patterns[i].pkt_offset = pkt_offset;
7923 
7924 			new_triggers.patterns[i].mask =
7925 				kmalloc(mask_len + pat_len, GFP_KERNEL);
7926 			if (!new_triggers.patterns[i].mask) {
7927 				err = -ENOMEM;
7928 				goto error;
7929 			}
7930 			new_triggers.patterns[i].pattern =
7931 				new_triggers.patterns[i].mask + mask_len;
7932 			memcpy(new_triggers.patterns[i].mask,
7933 			       nla_data(pat_tb[NL80211_WOWLAN_PKTPAT_MASK]),
7934 			       mask_len);
7935 			new_triggers.patterns[i].pattern_len = pat_len;
7936 			memcpy(new_triggers.patterns[i].pattern,
7937 			       nla_data(pat_tb[NL80211_WOWLAN_PKTPAT_PATTERN]),
7938 			       pat_len);
7939 			i++;
7940 		}
7941 	}
7942 
7943 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
7944 		err = nl80211_parse_wowlan_tcp(
7945 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
7946 			&new_triggers);
7947 		if (err)
7948 			goto error;
7949 	}
7950 
7951 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
7952 	if (!ntrig) {
7953 		err = -ENOMEM;
7954 		goto error;
7955 	}
7956 	cfg80211_rdev_free_wowlan(rdev);
7957 	rdev->wowlan = ntrig;
7958 
7959  set_wakeup:
7960 	if (rdev->ops->set_wakeup && prev_enabled != !!rdev->wowlan)
7961 		rdev_set_wakeup(rdev, rdev->wowlan);
7962 
7963 	return 0;
7964  error:
7965 	for (i = 0; i < new_triggers.n_patterns; i++)
7966 		kfree(new_triggers.patterns[i].mask);
7967 	kfree(new_triggers.patterns);
7968 	if (new_triggers.tcp && new_triggers.tcp->sock)
7969 		sock_release(new_triggers.tcp->sock);
7970 	kfree(new_triggers.tcp);
7971 	return err;
7972 }
7973 #endif
7974 
7975 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
7976 {
7977 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7978 	struct net_device *dev = info->user_ptr[1];
7979 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7980 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
7981 	struct cfg80211_gtk_rekey_data rekey_data;
7982 	int err;
7983 
7984 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
7985 		return -EINVAL;
7986 
7987 	err = nla_parse(tb, MAX_NL80211_REKEY_DATA,
7988 			nla_data(info->attrs[NL80211_ATTR_REKEY_DATA]),
7989 			nla_len(info->attrs[NL80211_ATTR_REKEY_DATA]),
7990 			nl80211_rekey_policy);
7991 	if (err)
7992 		return err;
7993 
7994 	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
7995 		return -ERANGE;
7996 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
7997 		return -ERANGE;
7998 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN)
7999 		return -ERANGE;
8000 
8001 	memcpy(rekey_data.kek, nla_data(tb[NL80211_REKEY_DATA_KEK]),
8002 	       NL80211_KEK_LEN);
8003 	memcpy(rekey_data.kck, nla_data(tb[NL80211_REKEY_DATA_KCK]),
8004 	       NL80211_KCK_LEN);
8005 	memcpy(rekey_data.replay_ctr,
8006 	       nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]),
8007 	       NL80211_REPLAY_CTR_LEN);
8008 
8009 	wdev_lock(wdev);
8010 	if (!wdev->current_bss) {
8011 		err = -ENOTCONN;
8012 		goto out;
8013 	}
8014 
8015 	if (!rdev->ops->set_rekey_data) {
8016 		err = -EOPNOTSUPP;
8017 		goto out;
8018 	}
8019 
8020 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
8021  out:
8022 	wdev_unlock(wdev);
8023 	return err;
8024 }
8025 
8026 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
8027 					     struct genl_info *info)
8028 {
8029 	struct net_device *dev = info->user_ptr[1];
8030 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8031 
8032 	if (wdev->iftype != NL80211_IFTYPE_AP &&
8033 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
8034 		return -EINVAL;
8035 
8036 	if (wdev->ap_unexpected_nlportid)
8037 		return -EBUSY;
8038 
8039 	wdev->ap_unexpected_nlportid = info->snd_portid;
8040 	return 0;
8041 }
8042 
8043 static int nl80211_probe_client(struct sk_buff *skb,
8044 				struct genl_info *info)
8045 {
8046 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8047 	struct net_device *dev = info->user_ptr[1];
8048 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8049 	struct sk_buff *msg;
8050 	void *hdr;
8051 	const u8 *addr;
8052 	u64 cookie;
8053 	int err;
8054 
8055 	if (wdev->iftype != NL80211_IFTYPE_AP &&
8056 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
8057 		return -EOPNOTSUPP;
8058 
8059 	if (!info->attrs[NL80211_ATTR_MAC])
8060 		return -EINVAL;
8061 
8062 	if (!rdev->ops->probe_client)
8063 		return -EOPNOTSUPP;
8064 
8065 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8066 	if (!msg)
8067 		return -ENOMEM;
8068 
8069 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8070 			     NL80211_CMD_PROBE_CLIENT);
8071 
8072 	if (IS_ERR(hdr)) {
8073 		err = PTR_ERR(hdr);
8074 		goto free_msg;
8075 	}
8076 
8077 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8078 
8079 	err = rdev_probe_client(rdev, dev, addr, &cookie);
8080 	if (err)
8081 		goto free_msg;
8082 
8083 	if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
8084 		goto nla_put_failure;
8085 
8086 	genlmsg_end(msg, hdr);
8087 
8088 	return genlmsg_reply(msg, info);
8089 
8090  nla_put_failure:
8091 	err = -ENOBUFS;
8092  free_msg:
8093 	nlmsg_free(msg);
8094 	return err;
8095 }
8096 
8097 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
8098 {
8099 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8100 	struct cfg80211_beacon_registration *reg, *nreg;
8101 	int rv;
8102 
8103 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
8104 		return -EOPNOTSUPP;
8105 
8106 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
8107 	if (!nreg)
8108 		return -ENOMEM;
8109 
8110 	/* First, check if already registered. */
8111 	spin_lock_bh(&rdev->beacon_registrations_lock);
8112 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
8113 		if (reg->nlportid == info->snd_portid) {
8114 			rv = -EALREADY;
8115 			goto out_err;
8116 		}
8117 	}
8118 	/* Add it to the list */
8119 	nreg->nlportid = info->snd_portid;
8120 	list_add(&nreg->list, &rdev->beacon_registrations);
8121 
8122 	spin_unlock_bh(&rdev->beacon_registrations_lock);
8123 
8124 	return 0;
8125 out_err:
8126 	spin_unlock_bh(&rdev->beacon_registrations_lock);
8127 	kfree(nreg);
8128 	return rv;
8129 }
8130 
8131 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
8132 {
8133 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8134 	struct wireless_dev *wdev = info->user_ptr[1];
8135 	int err;
8136 
8137 	if (!rdev->ops->start_p2p_device)
8138 		return -EOPNOTSUPP;
8139 
8140 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
8141 		return -EOPNOTSUPP;
8142 
8143 	if (wdev->p2p_started)
8144 		return 0;
8145 
8146 	mutex_lock(&rdev->devlist_mtx);
8147 	err = cfg80211_can_add_interface(rdev, wdev->iftype);
8148 	mutex_unlock(&rdev->devlist_mtx);
8149 	if (err)
8150 		return err;
8151 
8152 	err = rdev_start_p2p_device(rdev, wdev);
8153 	if (err)
8154 		return err;
8155 
8156 	wdev->p2p_started = true;
8157 	mutex_lock(&rdev->devlist_mtx);
8158 	rdev->opencount++;
8159 	mutex_unlock(&rdev->devlist_mtx);
8160 
8161 	return 0;
8162 }
8163 
8164 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
8165 {
8166 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8167 	struct wireless_dev *wdev = info->user_ptr[1];
8168 
8169 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
8170 		return -EOPNOTSUPP;
8171 
8172 	if (!rdev->ops->stop_p2p_device)
8173 		return -EOPNOTSUPP;
8174 
8175 	mutex_lock(&rdev->devlist_mtx);
8176 	mutex_lock(&rdev->sched_scan_mtx);
8177 	cfg80211_stop_p2p_device(rdev, wdev);
8178 	mutex_unlock(&rdev->sched_scan_mtx);
8179 	mutex_unlock(&rdev->devlist_mtx);
8180 
8181 	return 0;
8182 }
8183 
8184 static int nl80211_get_protocol_features(struct sk_buff *skb,
8185 					 struct genl_info *info)
8186 {
8187 	void *hdr;
8188 	struct sk_buff *msg;
8189 
8190 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8191 	if (!msg)
8192 		return -ENOMEM;
8193 
8194 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8195 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
8196 	if (!hdr)
8197 		goto nla_put_failure;
8198 
8199 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
8200 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
8201 		goto nla_put_failure;
8202 
8203 	genlmsg_end(msg, hdr);
8204 	return genlmsg_reply(msg, info);
8205 
8206  nla_put_failure:
8207 	kfree_skb(msg);
8208 	return -ENOBUFS;
8209 }
8210 
8211 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
8212 {
8213 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8214 	struct cfg80211_update_ft_ies_params ft_params;
8215 	struct net_device *dev = info->user_ptr[1];
8216 
8217 	if (!rdev->ops->update_ft_ies)
8218 		return -EOPNOTSUPP;
8219 
8220 	if (!info->attrs[NL80211_ATTR_MDID] ||
8221 	    !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
8222 		return -EINVAL;
8223 
8224 	memset(&ft_params, 0, sizeof(ft_params));
8225 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
8226 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8227 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8228 
8229 	return rdev_update_ft_ies(rdev, dev, &ft_params);
8230 }
8231 
8232 static int nl80211_crit_protocol_start(struct sk_buff *skb,
8233 				       struct genl_info *info)
8234 {
8235 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8236 	struct wireless_dev *wdev = info->user_ptr[1];
8237 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
8238 	u16 duration;
8239 	int ret;
8240 
8241 	if (!rdev->ops->crit_proto_start)
8242 		return -EOPNOTSUPP;
8243 
8244 	if (WARN_ON(!rdev->ops->crit_proto_stop))
8245 		return -EINVAL;
8246 
8247 	if (rdev->crit_proto_nlportid)
8248 		return -EBUSY;
8249 
8250 	/* determine protocol if provided */
8251 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
8252 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
8253 
8254 	if (proto >= NUM_NL80211_CRIT_PROTO)
8255 		return -EINVAL;
8256 
8257 	/* timeout must be provided */
8258 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
8259 		return -EINVAL;
8260 
8261 	duration =
8262 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
8263 
8264 	if (duration > NL80211_CRIT_PROTO_MAX_DURATION)
8265 		return -ERANGE;
8266 
8267 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
8268 	if (!ret)
8269 		rdev->crit_proto_nlportid = info->snd_portid;
8270 
8271 	return ret;
8272 }
8273 
8274 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
8275 				      struct genl_info *info)
8276 {
8277 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8278 	struct wireless_dev *wdev = info->user_ptr[1];
8279 
8280 	if (!rdev->ops->crit_proto_stop)
8281 		return -EOPNOTSUPP;
8282 
8283 	if (rdev->crit_proto_nlportid) {
8284 		rdev->crit_proto_nlportid = 0;
8285 		rdev_crit_proto_stop(rdev, wdev);
8286 	}
8287 	return 0;
8288 }
8289 
8290 #define NL80211_FLAG_NEED_WIPHY		0x01
8291 #define NL80211_FLAG_NEED_NETDEV	0x02
8292 #define NL80211_FLAG_NEED_RTNL		0x04
8293 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
8294 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
8295 					 NL80211_FLAG_CHECK_NETDEV_UP)
8296 #define NL80211_FLAG_NEED_WDEV		0x10
8297 /* If a netdev is associated, it must be UP, P2P must be started */
8298 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
8299 					 NL80211_FLAG_CHECK_NETDEV_UP)
8300 
8301 static int nl80211_pre_doit(struct genl_ops *ops, struct sk_buff *skb,
8302 			    struct genl_info *info)
8303 {
8304 	struct cfg80211_registered_device *rdev;
8305 	struct wireless_dev *wdev;
8306 	struct net_device *dev;
8307 	bool rtnl = ops->internal_flags & NL80211_FLAG_NEED_RTNL;
8308 
8309 	if (rtnl)
8310 		rtnl_lock();
8311 
8312 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
8313 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
8314 		if (IS_ERR(rdev)) {
8315 			if (rtnl)
8316 				rtnl_unlock();
8317 			return PTR_ERR(rdev);
8318 		}
8319 		info->user_ptr[0] = rdev;
8320 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
8321 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
8322 		mutex_lock(&cfg80211_mutex);
8323 		wdev = __cfg80211_wdev_from_attrs(genl_info_net(info),
8324 						  info->attrs);
8325 		if (IS_ERR(wdev)) {
8326 			mutex_unlock(&cfg80211_mutex);
8327 			if (rtnl)
8328 				rtnl_unlock();
8329 			return PTR_ERR(wdev);
8330 		}
8331 
8332 		dev = wdev->netdev;
8333 		rdev = wiphy_to_dev(wdev->wiphy);
8334 
8335 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
8336 			if (!dev) {
8337 				mutex_unlock(&cfg80211_mutex);
8338 				if (rtnl)
8339 					rtnl_unlock();
8340 				return -EINVAL;
8341 			}
8342 
8343 			info->user_ptr[1] = dev;
8344 		} else {
8345 			info->user_ptr[1] = wdev;
8346 		}
8347 
8348 		if (dev) {
8349 			if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
8350 			    !netif_running(dev)) {
8351 				mutex_unlock(&cfg80211_mutex);
8352 				if (rtnl)
8353 					rtnl_unlock();
8354 				return -ENETDOWN;
8355 			}
8356 
8357 			dev_hold(dev);
8358 		} else if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP) {
8359 			if (!wdev->p2p_started) {
8360 				mutex_unlock(&cfg80211_mutex);
8361 				if (rtnl)
8362 					rtnl_unlock();
8363 				return -ENETDOWN;
8364 			}
8365 		}
8366 
8367 		cfg80211_lock_rdev(rdev);
8368 
8369 		mutex_unlock(&cfg80211_mutex);
8370 
8371 		info->user_ptr[0] = rdev;
8372 	}
8373 
8374 	return 0;
8375 }
8376 
8377 static void nl80211_post_doit(struct genl_ops *ops, struct sk_buff *skb,
8378 			      struct genl_info *info)
8379 {
8380 	if (info->user_ptr[0])
8381 		cfg80211_unlock_rdev(info->user_ptr[0]);
8382 	if (info->user_ptr[1]) {
8383 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
8384 			struct wireless_dev *wdev = info->user_ptr[1];
8385 
8386 			if (wdev->netdev)
8387 				dev_put(wdev->netdev);
8388 		} else {
8389 			dev_put(info->user_ptr[1]);
8390 		}
8391 	}
8392 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
8393 		rtnl_unlock();
8394 }
8395 
8396 static struct genl_ops nl80211_ops[] = {
8397 	{
8398 		.cmd = NL80211_CMD_GET_WIPHY,
8399 		.doit = nl80211_get_wiphy,
8400 		.dumpit = nl80211_dump_wiphy,
8401 		.policy = nl80211_policy,
8402 		/* can be retrieved by unprivileged users */
8403 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
8404 	},
8405 	{
8406 		.cmd = NL80211_CMD_SET_WIPHY,
8407 		.doit = nl80211_set_wiphy,
8408 		.policy = nl80211_policy,
8409 		.flags = GENL_ADMIN_PERM,
8410 		.internal_flags = NL80211_FLAG_NEED_RTNL,
8411 	},
8412 	{
8413 		.cmd = NL80211_CMD_GET_INTERFACE,
8414 		.doit = nl80211_get_interface,
8415 		.dumpit = nl80211_dump_interface,
8416 		.policy = nl80211_policy,
8417 		/* can be retrieved by unprivileged users */
8418 		.internal_flags = NL80211_FLAG_NEED_WDEV,
8419 	},
8420 	{
8421 		.cmd = NL80211_CMD_SET_INTERFACE,
8422 		.doit = nl80211_set_interface,
8423 		.policy = nl80211_policy,
8424 		.flags = GENL_ADMIN_PERM,
8425 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8426 				  NL80211_FLAG_NEED_RTNL,
8427 	},
8428 	{
8429 		.cmd = NL80211_CMD_NEW_INTERFACE,
8430 		.doit = nl80211_new_interface,
8431 		.policy = nl80211_policy,
8432 		.flags = GENL_ADMIN_PERM,
8433 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
8434 				  NL80211_FLAG_NEED_RTNL,
8435 	},
8436 	{
8437 		.cmd = NL80211_CMD_DEL_INTERFACE,
8438 		.doit = nl80211_del_interface,
8439 		.policy = nl80211_policy,
8440 		.flags = GENL_ADMIN_PERM,
8441 		.internal_flags = NL80211_FLAG_NEED_WDEV |
8442 				  NL80211_FLAG_NEED_RTNL,
8443 	},
8444 	{
8445 		.cmd = NL80211_CMD_GET_KEY,
8446 		.doit = nl80211_get_key,
8447 		.policy = nl80211_policy,
8448 		.flags = GENL_ADMIN_PERM,
8449 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8450 				  NL80211_FLAG_NEED_RTNL,
8451 	},
8452 	{
8453 		.cmd = NL80211_CMD_SET_KEY,
8454 		.doit = nl80211_set_key,
8455 		.policy = nl80211_policy,
8456 		.flags = GENL_ADMIN_PERM,
8457 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8458 				  NL80211_FLAG_NEED_RTNL,
8459 	},
8460 	{
8461 		.cmd = NL80211_CMD_NEW_KEY,
8462 		.doit = nl80211_new_key,
8463 		.policy = nl80211_policy,
8464 		.flags = GENL_ADMIN_PERM,
8465 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8466 				  NL80211_FLAG_NEED_RTNL,
8467 	},
8468 	{
8469 		.cmd = NL80211_CMD_DEL_KEY,
8470 		.doit = nl80211_del_key,
8471 		.policy = nl80211_policy,
8472 		.flags = GENL_ADMIN_PERM,
8473 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8474 				  NL80211_FLAG_NEED_RTNL,
8475 	},
8476 	{
8477 		.cmd = NL80211_CMD_SET_BEACON,
8478 		.policy = nl80211_policy,
8479 		.flags = GENL_ADMIN_PERM,
8480 		.doit = nl80211_set_beacon,
8481 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8482 				  NL80211_FLAG_NEED_RTNL,
8483 	},
8484 	{
8485 		.cmd = NL80211_CMD_START_AP,
8486 		.policy = nl80211_policy,
8487 		.flags = GENL_ADMIN_PERM,
8488 		.doit = nl80211_start_ap,
8489 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8490 				  NL80211_FLAG_NEED_RTNL,
8491 	},
8492 	{
8493 		.cmd = NL80211_CMD_STOP_AP,
8494 		.policy = nl80211_policy,
8495 		.flags = GENL_ADMIN_PERM,
8496 		.doit = nl80211_stop_ap,
8497 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8498 				  NL80211_FLAG_NEED_RTNL,
8499 	},
8500 	{
8501 		.cmd = NL80211_CMD_GET_STATION,
8502 		.doit = nl80211_get_station,
8503 		.dumpit = nl80211_dump_station,
8504 		.policy = nl80211_policy,
8505 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8506 				  NL80211_FLAG_NEED_RTNL,
8507 	},
8508 	{
8509 		.cmd = NL80211_CMD_SET_STATION,
8510 		.doit = nl80211_set_station,
8511 		.policy = nl80211_policy,
8512 		.flags = GENL_ADMIN_PERM,
8513 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8514 				  NL80211_FLAG_NEED_RTNL,
8515 	},
8516 	{
8517 		.cmd = NL80211_CMD_NEW_STATION,
8518 		.doit = nl80211_new_station,
8519 		.policy = nl80211_policy,
8520 		.flags = GENL_ADMIN_PERM,
8521 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8522 				  NL80211_FLAG_NEED_RTNL,
8523 	},
8524 	{
8525 		.cmd = NL80211_CMD_DEL_STATION,
8526 		.doit = nl80211_del_station,
8527 		.policy = nl80211_policy,
8528 		.flags = GENL_ADMIN_PERM,
8529 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8530 				  NL80211_FLAG_NEED_RTNL,
8531 	},
8532 	{
8533 		.cmd = NL80211_CMD_GET_MPATH,
8534 		.doit = nl80211_get_mpath,
8535 		.dumpit = nl80211_dump_mpath,
8536 		.policy = nl80211_policy,
8537 		.flags = GENL_ADMIN_PERM,
8538 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8539 				  NL80211_FLAG_NEED_RTNL,
8540 	},
8541 	{
8542 		.cmd = NL80211_CMD_SET_MPATH,
8543 		.doit = nl80211_set_mpath,
8544 		.policy = nl80211_policy,
8545 		.flags = GENL_ADMIN_PERM,
8546 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8547 				  NL80211_FLAG_NEED_RTNL,
8548 	},
8549 	{
8550 		.cmd = NL80211_CMD_NEW_MPATH,
8551 		.doit = nl80211_new_mpath,
8552 		.policy = nl80211_policy,
8553 		.flags = GENL_ADMIN_PERM,
8554 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8555 				  NL80211_FLAG_NEED_RTNL,
8556 	},
8557 	{
8558 		.cmd = NL80211_CMD_DEL_MPATH,
8559 		.doit = nl80211_del_mpath,
8560 		.policy = nl80211_policy,
8561 		.flags = GENL_ADMIN_PERM,
8562 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8563 				  NL80211_FLAG_NEED_RTNL,
8564 	},
8565 	{
8566 		.cmd = NL80211_CMD_SET_BSS,
8567 		.doit = nl80211_set_bss,
8568 		.policy = nl80211_policy,
8569 		.flags = GENL_ADMIN_PERM,
8570 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8571 				  NL80211_FLAG_NEED_RTNL,
8572 	},
8573 	{
8574 		.cmd = NL80211_CMD_GET_REG,
8575 		.doit = nl80211_get_reg,
8576 		.policy = nl80211_policy,
8577 		/* can be retrieved by unprivileged users */
8578 	},
8579 	{
8580 		.cmd = NL80211_CMD_SET_REG,
8581 		.doit = nl80211_set_reg,
8582 		.policy = nl80211_policy,
8583 		.flags = GENL_ADMIN_PERM,
8584 	},
8585 	{
8586 		.cmd = NL80211_CMD_REQ_SET_REG,
8587 		.doit = nl80211_req_set_reg,
8588 		.policy = nl80211_policy,
8589 		.flags = GENL_ADMIN_PERM,
8590 	},
8591 	{
8592 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
8593 		.doit = nl80211_get_mesh_config,
8594 		.policy = nl80211_policy,
8595 		/* can be retrieved by unprivileged users */
8596 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8597 				  NL80211_FLAG_NEED_RTNL,
8598 	},
8599 	{
8600 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
8601 		.doit = nl80211_update_mesh_config,
8602 		.policy = nl80211_policy,
8603 		.flags = GENL_ADMIN_PERM,
8604 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8605 				  NL80211_FLAG_NEED_RTNL,
8606 	},
8607 	{
8608 		.cmd = NL80211_CMD_TRIGGER_SCAN,
8609 		.doit = nl80211_trigger_scan,
8610 		.policy = nl80211_policy,
8611 		.flags = GENL_ADMIN_PERM,
8612 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
8613 				  NL80211_FLAG_NEED_RTNL,
8614 	},
8615 	{
8616 		.cmd = NL80211_CMD_GET_SCAN,
8617 		.policy = nl80211_policy,
8618 		.dumpit = nl80211_dump_scan,
8619 	},
8620 	{
8621 		.cmd = NL80211_CMD_START_SCHED_SCAN,
8622 		.doit = nl80211_start_sched_scan,
8623 		.policy = nl80211_policy,
8624 		.flags = GENL_ADMIN_PERM,
8625 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8626 				  NL80211_FLAG_NEED_RTNL,
8627 	},
8628 	{
8629 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
8630 		.doit = nl80211_stop_sched_scan,
8631 		.policy = nl80211_policy,
8632 		.flags = GENL_ADMIN_PERM,
8633 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8634 				  NL80211_FLAG_NEED_RTNL,
8635 	},
8636 	{
8637 		.cmd = NL80211_CMD_AUTHENTICATE,
8638 		.doit = nl80211_authenticate,
8639 		.policy = nl80211_policy,
8640 		.flags = GENL_ADMIN_PERM,
8641 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8642 				  NL80211_FLAG_NEED_RTNL,
8643 	},
8644 	{
8645 		.cmd = NL80211_CMD_ASSOCIATE,
8646 		.doit = nl80211_associate,
8647 		.policy = nl80211_policy,
8648 		.flags = GENL_ADMIN_PERM,
8649 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8650 				  NL80211_FLAG_NEED_RTNL,
8651 	},
8652 	{
8653 		.cmd = NL80211_CMD_DEAUTHENTICATE,
8654 		.doit = nl80211_deauthenticate,
8655 		.policy = nl80211_policy,
8656 		.flags = GENL_ADMIN_PERM,
8657 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8658 				  NL80211_FLAG_NEED_RTNL,
8659 	},
8660 	{
8661 		.cmd = NL80211_CMD_DISASSOCIATE,
8662 		.doit = nl80211_disassociate,
8663 		.policy = nl80211_policy,
8664 		.flags = GENL_ADMIN_PERM,
8665 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8666 				  NL80211_FLAG_NEED_RTNL,
8667 	},
8668 	{
8669 		.cmd = NL80211_CMD_JOIN_IBSS,
8670 		.doit = nl80211_join_ibss,
8671 		.policy = nl80211_policy,
8672 		.flags = GENL_ADMIN_PERM,
8673 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8674 				  NL80211_FLAG_NEED_RTNL,
8675 	},
8676 	{
8677 		.cmd = NL80211_CMD_LEAVE_IBSS,
8678 		.doit = nl80211_leave_ibss,
8679 		.policy = nl80211_policy,
8680 		.flags = GENL_ADMIN_PERM,
8681 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8682 				  NL80211_FLAG_NEED_RTNL,
8683 	},
8684 #ifdef CONFIG_NL80211_TESTMODE
8685 	{
8686 		.cmd = NL80211_CMD_TESTMODE,
8687 		.doit = nl80211_testmode_do,
8688 		.dumpit = nl80211_testmode_dump,
8689 		.policy = nl80211_policy,
8690 		.flags = GENL_ADMIN_PERM,
8691 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
8692 				  NL80211_FLAG_NEED_RTNL,
8693 	},
8694 #endif
8695 	{
8696 		.cmd = NL80211_CMD_CONNECT,
8697 		.doit = nl80211_connect,
8698 		.policy = nl80211_policy,
8699 		.flags = GENL_ADMIN_PERM,
8700 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8701 				  NL80211_FLAG_NEED_RTNL,
8702 	},
8703 	{
8704 		.cmd = NL80211_CMD_DISCONNECT,
8705 		.doit = nl80211_disconnect,
8706 		.policy = nl80211_policy,
8707 		.flags = GENL_ADMIN_PERM,
8708 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8709 				  NL80211_FLAG_NEED_RTNL,
8710 	},
8711 	{
8712 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
8713 		.doit = nl80211_wiphy_netns,
8714 		.policy = nl80211_policy,
8715 		.flags = GENL_ADMIN_PERM,
8716 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
8717 				  NL80211_FLAG_NEED_RTNL,
8718 	},
8719 	{
8720 		.cmd = NL80211_CMD_GET_SURVEY,
8721 		.policy = nl80211_policy,
8722 		.dumpit = nl80211_dump_survey,
8723 	},
8724 	{
8725 		.cmd = NL80211_CMD_SET_PMKSA,
8726 		.doit = nl80211_setdel_pmksa,
8727 		.policy = nl80211_policy,
8728 		.flags = GENL_ADMIN_PERM,
8729 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8730 				  NL80211_FLAG_NEED_RTNL,
8731 	},
8732 	{
8733 		.cmd = NL80211_CMD_DEL_PMKSA,
8734 		.doit = nl80211_setdel_pmksa,
8735 		.policy = nl80211_policy,
8736 		.flags = GENL_ADMIN_PERM,
8737 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8738 				  NL80211_FLAG_NEED_RTNL,
8739 	},
8740 	{
8741 		.cmd = NL80211_CMD_FLUSH_PMKSA,
8742 		.doit = nl80211_flush_pmksa,
8743 		.policy = nl80211_policy,
8744 		.flags = GENL_ADMIN_PERM,
8745 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8746 				  NL80211_FLAG_NEED_RTNL,
8747 	},
8748 	{
8749 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
8750 		.doit = nl80211_remain_on_channel,
8751 		.policy = nl80211_policy,
8752 		.flags = GENL_ADMIN_PERM,
8753 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
8754 				  NL80211_FLAG_NEED_RTNL,
8755 	},
8756 	{
8757 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
8758 		.doit = nl80211_cancel_remain_on_channel,
8759 		.policy = nl80211_policy,
8760 		.flags = GENL_ADMIN_PERM,
8761 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
8762 				  NL80211_FLAG_NEED_RTNL,
8763 	},
8764 	{
8765 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
8766 		.doit = nl80211_set_tx_bitrate_mask,
8767 		.policy = nl80211_policy,
8768 		.flags = GENL_ADMIN_PERM,
8769 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8770 				  NL80211_FLAG_NEED_RTNL,
8771 	},
8772 	{
8773 		.cmd = NL80211_CMD_REGISTER_FRAME,
8774 		.doit = nl80211_register_mgmt,
8775 		.policy = nl80211_policy,
8776 		.flags = GENL_ADMIN_PERM,
8777 		.internal_flags = NL80211_FLAG_NEED_WDEV |
8778 				  NL80211_FLAG_NEED_RTNL,
8779 	},
8780 	{
8781 		.cmd = NL80211_CMD_FRAME,
8782 		.doit = nl80211_tx_mgmt,
8783 		.policy = nl80211_policy,
8784 		.flags = GENL_ADMIN_PERM,
8785 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
8786 				  NL80211_FLAG_NEED_RTNL,
8787 	},
8788 	{
8789 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
8790 		.doit = nl80211_tx_mgmt_cancel_wait,
8791 		.policy = nl80211_policy,
8792 		.flags = GENL_ADMIN_PERM,
8793 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
8794 				  NL80211_FLAG_NEED_RTNL,
8795 	},
8796 	{
8797 		.cmd = NL80211_CMD_SET_POWER_SAVE,
8798 		.doit = nl80211_set_power_save,
8799 		.policy = nl80211_policy,
8800 		.flags = GENL_ADMIN_PERM,
8801 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8802 				  NL80211_FLAG_NEED_RTNL,
8803 	},
8804 	{
8805 		.cmd = NL80211_CMD_GET_POWER_SAVE,
8806 		.doit = nl80211_get_power_save,
8807 		.policy = nl80211_policy,
8808 		/* can be retrieved by unprivileged users */
8809 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8810 				  NL80211_FLAG_NEED_RTNL,
8811 	},
8812 	{
8813 		.cmd = NL80211_CMD_SET_CQM,
8814 		.doit = nl80211_set_cqm,
8815 		.policy = nl80211_policy,
8816 		.flags = GENL_ADMIN_PERM,
8817 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8818 				  NL80211_FLAG_NEED_RTNL,
8819 	},
8820 	{
8821 		.cmd = NL80211_CMD_SET_CHANNEL,
8822 		.doit = nl80211_set_channel,
8823 		.policy = nl80211_policy,
8824 		.flags = GENL_ADMIN_PERM,
8825 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8826 				  NL80211_FLAG_NEED_RTNL,
8827 	},
8828 	{
8829 		.cmd = NL80211_CMD_SET_WDS_PEER,
8830 		.doit = nl80211_set_wds_peer,
8831 		.policy = nl80211_policy,
8832 		.flags = GENL_ADMIN_PERM,
8833 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8834 				  NL80211_FLAG_NEED_RTNL,
8835 	},
8836 	{
8837 		.cmd = NL80211_CMD_JOIN_MESH,
8838 		.doit = nl80211_join_mesh,
8839 		.policy = nl80211_policy,
8840 		.flags = GENL_ADMIN_PERM,
8841 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8842 				  NL80211_FLAG_NEED_RTNL,
8843 	},
8844 	{
8845 		.cmd = NL80211_CMD_LEAVE_MESH,
8846 		.doit = nl80211_leave_mesh,
8847 		.policy = nl80211_policy,
8848 		.flags = GENL_ADMIN_PERM,
8849 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8850 				  NL80211_FLAG_NEED_RTNL,
8851 	},
8852 #ifdef CONFIG_PM
8853 	{
8854 		.cmd = NL80211_CMD_GET_WOWLAN,
8855 		.doit = nl80211_get_wowlan,
8856 		.policy = nl80211_policy,
8857 		/* can be retrieved by unprivileged users */
8858 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
8859 				  NL80211_FLAG_NEED_RTNL,
8860 	},
8861 	{
8862 		.cmd = NL80211_CMD_SET_WOWLAN,
8863 		.doit = nl80211_set_wowlan,
8864 		.policy = nl80211_policy,
8865 		.flags = GENL_ADMIN_PERM,
8866 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
8867 				  NL80211_FLAG_NEED_RTNL,
8868 	},
8869 #endif
8870 	{
8871 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
8872 		.doit = nl80211_set_rekey_data,
8873 		.policy = nl80211_policy,
8874 		.flags = GENL_ADMIN_PERM,
8875 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8876 				  NL80211_FLAG_NEED_RTNL,
8877 	},
8878 	{
8879 		.cmd = NL80211_CMD_TDLS_MGMT,
8880 		.doit = nl80211_tdls_mgmt,
8881 		.policy = nl80211_policy,
8882 		.flags = GENL_ADMIN_PERM,
8883 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8884 				  NL80211_FLAG_NEED_RTNL,
8885 	},
8886 	{
8887 		.cmd = NL80211_CMD_TDLS_OPER,
8888 		.doit = nl80211_tdls_oper,
8889 		.policy = nl80211_policy,
8890 		.flags = GENL_ADMIN_PERM,
8891 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8892 				  NL80211_FLAG_NEED_RTNL,
8893 	},
8894 	{
8895 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
8896 		.doit = nl80211_register_unexpected_frame,
8897 		.policy = nl80211_policy,
8898 		.flags = GENL_ADMIN_PERM,
8899 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8900 				  NL80211_FLAG_NEED_RTNL,
8901 	},
8902 	{
8903 		.cmd = NL80211_CMD_PROBE_CLIENT,
8904 		.doit = nl80211_probe_client,
8905 		.policy = nl80211_policy,
8906 		.flags = GENL_ADMIN_PERM,
8907 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8908 				  NL80211_FLAG_NEED_RTNL,
8909 	},
8910 	{
8911 		.cmd = NL80211_CMD_REGISTER_BEACONS,
8912 		.doit = nl80211_register_beacons,
8913 		.policy = nl80211_policy,
8914 		.flags = GENL_ADMIN_PERM,
8915 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
8916 				  NL80211_FLAG_NEED_RTNL,
8917 	},
8918 	{
8919 		.cmd = NL80211_CMD_SET_NOACK_MAP,
8920 		.doit = nl80211_set_noack_map,
8921 		.policy = nl80211_policy,
8922 		.flags = GENL_ADMIN_PERM,
8923 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8924 				  NL80211_FLAG_NEED_RTNL,
8925 	},
8926 	{
8927 		.cmd = NL80211_CMD_START_P2P_DEVICE,
8928 		.doit = nl80211_start_p2p_device,
8929 		.policy = nl80211_policy,
8930 		.flags = GENL_ADMIN_PERM,
8931 		.internal_flags = NL80211_FLAG_NEED_WDEV |
8932 				  NL80211_FLAG_NEED_RTNL,
8933 	},
8934 	{
8935 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
8936 		.doit = nl80211_stop_p2p_device,
8937 		.policy = nl80211_policy,
8938 		.flags = GENL_ADMIN_PERM,
8939 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
8940 				  NL80211_FLAG_NEED_RTNL,
8941 	},
8942 	{
8943 		.cmd = NL80211_CMD_SET_MCAST_RATE,
8944 		.doit = nl80211_set_mcast_rate,
8945 		.policy = nl80211_policy,
8946 		.flags = GENL_ADMIN_PERM,
8947 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8948 				  NL80211_FLAG_NEED_RTNL,
8949 	},
8950 	{
8951 		.cmd = NL80211_CMD_SET_MAC_ACL,
8952 		.doit = nl80211_set_mac_acl,
8953 		.policy = nl80211_policy,
8954 		.flags = GENL_ADMIN_PERM,
8955 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8956 				  NL80211_FLAG_NEED_RTNL,
8957 	},
8958 	{
8959 		.cmd = NL80211_CMD_RADAR_DETECT,
8960 		.doit = nl80211_start_radar_detection,
8961 		.policy = nl80211_policy,
8962 		.flags = GENL_ADMIN_PERM,
8963 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8964 				  NL80211_FLAG_NEED_RTNL,
8965 	},
8966 	{
8967 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
8968 		.doit = nl80211_get_protocol_features,
8969 		.policy = nl80211_policy,
8970 	},
8971 	{
8972 		.cmd = NL80211_CMD_UPDATE_FT_IES,
8973 		.doit = nl80211_update_ft_ies,
8974 		.policy = nl80211_policy,
8975 		.flags = GENL_ADMIN_PERM,
8976 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8977 				  NL80211_FLAG_NEED_RTNL,
8978 	},
8979 	{
8980 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
8981 		.doit = nl80211_crit_protocol_start,
8982 		.policy = nl80211_policy,
8983 		.flags = GENL_ADMIN_PERM,
8984 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
8985 				  NL80211_FLAG_NEED_RTNL,
8986 	},
8987 	{
8988 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
8989 		.doit = nl80211_crit_protocol_stop,
8990 		.policy = nl80211_policy,
8991 		.flags = GENL_ADMIN_PERM,
8992 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
8993 				  NL80211_FLAG_NEED_RTNL,
8994 	}
8995 };
8996 
8997 static struct genl_multicast_group nl80211_mlme_mcgrp = {
8998 	.name = "mlme",
8999 };
9000 
9001 /* multicast groups */
9002 static struct genl_multicast_group nl80211_config_mcgrp = {
9003 	.name = "config",
9004 };
9005 static struct genl_multicast_group nl80211_scan_mcgrp = {
9006 	.name = "scan",
9007 };
9008 static struct genl_multicast_group nl80211_regulatory_mcgrp = {
9009 	.name = "regulatory",
9010 };
9011 
9012 /* notification functions */
9013 
9014 void nl80211_notify_dev_rename(struct cfg80211_registered_device *rdev)
9015 {
9016 	struct sk_buff *msg;
9017 
9018 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9019 	if (!msg)
9020 		return;
9021 
9022 	if (nl80211_send_wiphy(rdev, msg, 0, 0, 0,
9023 			       false, NULL, NULL, NULL) < 0) {
9024 		nlmsg_free(msg);
9025 		return;
9026 	}
9027 
9028 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9029 				nl80211_config_mcgrp.id, GFP_KERNEL);
9030 }
9031 
9032 static int nl80211_add_scan_req(struct sk_buff *msg,
9033 				struct cfg80211_registered_device *rdev)
9034 {
9035 	struct cfg80211_scan_request *req = rdev->scan_req;
9036 	struct nlattr *nest;
9037 	int i;
9038 
9039 	lockdep_assert_held(&rdev->sched_scan_mtx);
9040 
9041 	if (WARN_ON(!req))
9042 		return 0;
9043 
9044 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_SSIDS);
9045 	if (!nest)
9046 		goto nla_put_failure;
9047 	for (i = 0; i < req->n_ssids; i++) {
9048 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
9049 			goto nla_put_failure;
9050 	}
9051 	nla_nest_end(msg, nest);
9052 
9053 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
9054 	if (!nest)
9055 		goto nla_put_failure;
9056 	for (i = 0; i < req->n_channels; i++) {
9057 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
9058 			goto nla_put_failure;
9059 	}
9060 	nla_nest_end(msg, nest);
9061 
9062 	if (req->ie &&
9063 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
9064 		goto nla_put_failure;
9065 
9066 	if (req->flags)
9067 		nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags);
9068 
9069 	return 0;
9070  nla_put_failure:
9071 	return -ENOBUFS;
9072 }
9073 
9074 static int nl80211_send_scan_msg(struct sk_buff *msg,
9075 				 struct cfg80211_registered_device *rdev,
9076 				 struct wireless_dev *wdev,
9077 				 u32 portid, u32 seq, int flags,
9078 				 u32 cmd)
9079 {
9080 	void *hdr;
9081 
9082 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
9083 	if (!hdr)
9084 		return -1;
9085 
9086 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9087 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
9088 					 wdev->netdev->ifindex)) ||
9089 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
9090 		goto nla_put_failure;
9091 
9092 	/* ignore errors and send incomplete event anyway */
9093 	nl80211_add_scan_req(msg, rdev);
9094 
9095 	return genlmsg_end(msg, hdr);
9096 
9097  nla_put_failure:
9098 	genlmsg_cancel(msg, hdr);
9099 	return -EMSGSIZE;
9100 }
9101 
9102 static int
9103 nl80211_send_sched_scan_msg(struct sk_buff *msg,
9104 			    struct cfg80211_registered_device *rdev,
9105 			    struct net_device *netdev,
9106 			    u32 portid, u32 seq, int flags, u32 cmd)
9107 {
9108 	void *hdr;
9109 
9110 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
9111 	if (!hdr)
9112 		return -1;
9113 
9114 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9115 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
9116 		goto nla_put_failure;
9117 
9118 	return genlmsg_end(msg, hdr);
9119 
9120  nla_put_failure:
9121 	genlmsg_cancel(msg, hdr);
9122 	return -EMSGSIZE;
9123 }
9124 
9125 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
9126 			     struct wireless_dev *wdev)
9127 {
9128 	struct sk_buff *msg;
9129 
9130 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9131 	if (!msg)
9132 		return;
9133 
9134 	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
9135 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
9136 		nlmsg_free(msg);
9137 		return;
9138 	}
9139 
9140 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9141 				nl80211_scan_mcgrp.id, GFP_KERNEL);
9142 }
9143 
9144 void nl80211_send_scan_done(struct cfg80211_registered_device *rdev,
9145 			    struct wireless_dev *wdev)
9146 {
9147 	struct sk_buff *msg;
9148 
9149 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9150 	if (!msg)
9151 		return;
9152 
9153 	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
9154 				  NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
9155 		nlmsg_free(msg);
9156 		return;
9157 	}
9158 
9159 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9160 				nl80211_scan_mcgrp.id, GFP_KERNEL);
9161 }
9162 
9163 void nl80211_send_scan_aborted(struct cfg80211_registered_device *rdev,
9164 			       struct wireless_dev *wdev)
9165 {
9166 	struct sk_buff *msg;
9167 
9168 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9169 	if (!msg)
9170 		return;
9171 
9172 	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
9173 				  NL80211_CMD_SCAN_ABORTED) < 0) {
9174 		nlmsg_free(msg);
9175 		return;
9176 	}
9177 
9178 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9179 				nl80211_scan_mcgrp.id, GFP_KERNEL);
9180 }
9181 
9182 void nl80211_send_sched_scan_results(struct cfg80211_registered_device *rdev,
9183 				     struct net_device *netdev)
9184 {
9185 	struct sk_buff *msg;
9186 
9187 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9188 	if (!msg)
9189 		return;
9190 
9191 	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0,
9192 					NL80211_CMD_SCHED_SCAN_RESULTS) < 0) {
9193 		nlmsg_free(msg);
9194 		return;
9195 	}
9196 
9197 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9198 				nl80211_scan_mcgrp.id, GFP_KERNEL);
9199 }
9200 
9201 void nl80211_send_sched_scan(struct cfg80211_registered_device *rdev,
9202 			     struct net_device *netdev, u32 cmd)
9203 {
9204 	struct sk_buff *msg;
9205 
9206 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9207 	if (!msg)
9208 		return;
9209 
9210 	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0, cmd) < 0) {
9211 		nlmsg_free(msg);
9212 		return;
9213 	}
9214 
9215 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9216 				nl80211_scan_mcgrp.id, GFP_KERNEL);
9217 }
9218 
9219 /*
9220  * This can happen on global regulatory changes or device specific settings
9221  * based on custom world regulatory domains.
9222  */
9223 void nl80211_send_reg_change_event(struct regulatory_request *request)
9224 {
9225 	struct sk_buff *msg;
9226 	void *hdr;
9227 
9228 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9229 	if (!msg)
9230 		return;
9231 
9232 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_CHANGE);
9233 	if (!hdr) {
9234 		nlmsg_free(msg);
9235 		return;
9236 	}
9237 
9238 	/* Userspace can always count this one always being set */
9239 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
9240 		goto nla_put_failure;
9241 
9242 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
9243 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
9244 			       NL80211_REGDOM_TYPE_WORLD))
9245 			goto nla_put_failure;
9246 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
9247 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
9248 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
9249 			goto nla_put_failure;
9250 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
9251 		   request->intersect) {
9252 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
9253 			       NL80211_REGDOM_TYPE_INTERSECTION))
9254 			goto nla_put_failure;
9255 	} else {
9256 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
9257 			       NL80211_REGDOM_TYPE_COUNTRY) ||
9258 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
9259 				   request->alpha2))
9260 			goto nla_put_failure;
9261 	}
9262 
9263 	if (request->wiphy_idx != WIPHY_IDX_INVALID &&
9264 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
9265 		goto nla_put_failure;
9266 
9267 	genlmsg_end(msg, hdr);
9268 
9269 	rcu_read_lock();
9270 	genlmsg_multicast_allns(msg, 0, nl80211_regulatory_mcgrp.id,
9271 				GFP_ATOMIC);
9272 	rcu_read_unlock();
9273 
9274 	return;
9275 
9276 nla_put_failure:
9277 	genlmsg_cancel(msg, hdr);
9278 	nlmsg_free(msg);
9279 }
9280 
9281 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
9282 				    struct net_device *netdev,
9283 				    const u8 *buf, size_t len,
9284 				    enum nl80211_commands cmd, gfp_t gfp)
9285 {
9286 	struct sk_buff *msg;
9287 	void *hdr;
9288 
9289 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9290 	if (!msg)
9291 		return;
9292 
9293 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
9294 	if (!hdr) {
9295 		nlmsg_free(msg);
9296 		return;
9297 	}
9298 
9299 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9300 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
9301 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf))
9302 		goto nla_put_failure;
9303 
9304 	genlmsg_end(msg, hdr);
9305 
9306 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9307 				nl80211_mlme_mcgrp.id, gfp);
9308 	return;
9309 
9310  nla_put_failure:
9311 	genlmsg_cancel(msg, hdr);
9312 	nlmsg_free(msg);
9313 }
9314 
9315 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
9316 			  struct net_device *netdev, const u8 *buf,
9317 			  size_t len, gfp_t gfp)
9318 {
9319 	nl80211_send_mlme_event(rdev, netdev, buf, len,
9320 				NL80211_CMD_AUTHENTICATE, gfp);
9321 }
9322 
9323 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
9324 			   struct net_device *netdev, const u8 *buf,
9325 			   size_t len, gfp_t gfp)
9326 {
9327 	nl80211_send_mlme_event(rdev, netdev, buf, len,
9328 				NL80211_CMD_ASSOCIATE, gfp);
9329 }
9330 
9331 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
9332 			 struct net_device *netdev, const u8 *buf,
9333 			 size_t len, gfp_t gfp)
9334 {
9335 	nl80211_send_mlme_event(rdev, netdev, buf, len,
9336 				NL80211_CMD_DEAUTHENTICATE, gfp);
9337 }
9338 
9339 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
9340 			   struct net_device *netdev, const u8 *buf,
9341 			   size_t len, gfp_t gfp)
9342 {
9343 	nl80211_send_mlme_event(rdev, netdev, buf, len,
9344 				NL80211_CMD_DISASSOCIATE, gfp);
9345 }
9346 
9347 void cfg80211_send_unprot_deauth(struct net_device *dev, const u8 *buf,
9348 				 size_t len)
9349 {
9350 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9351 	struct wiphy *wiphy = wdev->wiphy;
9352 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
9353 
9354 	trace_cfg80211_send_unprot_deauth(dev);
9355 	nl80211_send_mlme_event(rdev, dev, buf, len,
9356 				NL80211_CMD_UNPROT_DEAUTHENTICATE, GFP_ATOMIC);
9357 }
9358 EXPORT_SYMBOL(cfg80211_send_unprot_deauth);
9359 
9360 void cfg80211_send_unprot_disassoc(struct net_device *dev, const u8 *buf,
9361 				   size_t len)
9362 {
9363 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9364 	struct wiphy *wiphy = wdev->wiphy;
9365 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
9366 
9367 	trace_cfg80211_send_unprot_disassoc(dev);
9368 	nl80211_send_mlme_event(rdev, dev, buf, len,
9369 				NL80211_CMD_UNPROT_DISASSOCIATE, GFP_ATOMIC);
9370 }
9371 EXPORT_SYMBOL(cfg80211_send_unprot_disassoc);
9372 
9373 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
9374 				      struct net_device *netdev, int cmd,
9375 				      const u8 *addr, gfp_t gfp)
9376 {
9377 	struct sk_buff *msg;
9378 	void *hdr;
9379 
9380 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9381 	if (!msg)
9382 		return;
9383 
9384 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
9385 	if (!hdr) {
9386 		nlmsg_free(msg);
9387 		return;
9388 	}
9389 
9390 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9391 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
9392 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
9393 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
9394 		goto nla_put_failure;
9395 
9396 	genlmsg_end(msg, hdr);
9397 
9398 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9399 				nl80211_mlme_mcgrp.id, gfp);
9400 	return;
9401 
9402  nla_put_failure:
9403 	genlmsg_cancel(msg, hdr);
9404 	nlmsg_free(msg);
9405 }
9406 
9407 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
9408 			       struct net_device *netdev, const u8 *addr,
9409 			       gfp_t gfp)
9410 {
9411 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
9412 				  addr, gfp);
9413 }
9414 
9415 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
9416 				struct net_device *netdev, const u8 *addr,
9417 				gfp_t gfp)
9418 {
9419 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
9420 				  addr, gfp);
9421 }
9422 
9423 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
9424 				 struct net_device *netdev, const u8 *bssid,
9425 				 const u8 *req_ie, size_t req_ie_len,
9426 				 const u8 *resp_ie, size_t resp_ie_len,
9427 				 u16 status, gfp_t gfp)
9428 {
9429 	struct sk_buff *msg;
9430 	void *hdr;
9431 
9432 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9433 	if (!msg)
9434 		return;
9435 
9436 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
9437 	if (!hdr) {
9438 		nlmsg_free(msg);
9439 		return;
9440 	}
9441 
9442 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9443 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
9444 	    (bssid && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid)) ||
9445 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE, status) ||
9446 	    (req_ie &&
9447 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
9448 	    (resp_ie &&
9449 	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
9450 		goto nla_put_failure;
9451 
9452 	genlmsg_end(msg, hdr);
9453 
9454 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9455 				nl80211_mlme_mcgrp.id, gfp);
9456 	return;
9457 
9458  nla_put_failure:
9459 	genlmsg_cancel(msg, hdr);
9460 	nlmsg_free(msg);
9461 
9462 }
9463 
9464 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
9465 			 struct net_device *netdev, const u8 *bssid,
9466 			 const u8 *req_ie, size_t req_ie_len,
9467 			 const u8 *resp_ie, size_t resp_ie_len, gfp_t gfp)
9468 {
9469 	struct sk_buff *msg;
9470 	void *hdr;
9471 
9472 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9473 	if (!msg)
9474 		return;
9475 
9476 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
9477 	if (!hdr) {
9478 		nlmsg_free(msg);
9479 		return;
9480 	}
9481 
9482 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9483 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
9484 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
9485 	    (req_ie &&
9486 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
9487 	    (resp_ie &&
9488 	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
9489 		goto nla_put_failure;
9490 
9491 	genlmsg_end(msg, hdr);
9492 
9493 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9494 				nl80211_mlme_mcgrp.id, gfp);
9495 	return;
9496 
9497  nla_put_failure:
9498 	genlmsg_cancel(msg, hdr);
9499 	nlmsg_free(msg);
9500 
9501 }
9502 
9503 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
9504 			       struct net_device *netdev, u16 reason,
9505 			       const u8 *ie, size_t ie_len, bool from_ap)
9506 {
9507 	struct sk_buff *msg;
9508 	void *hdr;
9509 
9510 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9511 	if (!msg)
9512 		return;
9513 
9514 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
9515 	if (!hdr) {
9516 		nlmsg_free(msg);
9517 		return;
9518 	}
9519 
9520 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9521 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
9522 	    (from_ap && reason &&
9523 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
9524 	    (from_ap &&
9525 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
9526 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
9527 		goto nla_put_failure;
9528 
9529 	genlmsg_end(msg, hdr);
9530 
9531 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9532 				nl80211_mlme_mcgrp.id, GFP_KERNEL);
9533 	return;
9534 
9535  nla_put_failure:
9536 	genlmsg_cancel(msg, hdr);
9537 	nlmsg_free(msg);
9538 
9539 }
9540 
9541 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
9542 			     struct net_device *netdev, const u8 *bssid,
9543 			     gfp_t gfp)
9544 {
9545 	struct sk_buff *msg;
9546 	void *hdr;
9547 
9548 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9549 	if (!msg)
9550 		return;
9551 
9552 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
9553 	if (!hdr) {
9554 		nlmsg_free(msg);
9555 		return;
9556 	}
9557 
9558 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9559 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
9560 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
9561 		goto nla_put_failure;
9562 
9563 	genlmsg_end(msg, hdr);
9564 
9565 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9566 				nl80211_mlme_mcgrp.id, gfp);
9567 	return;
9568 
9569  nla_put_failure:
9570 	genlmsg_cancel(msg, hdr);
9571 	nlmsg_free(msg);
9572 }
9573 
9574 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
9575 					const u8* ie, u8 ie_len, gfp_t gfp)
9576 {
9577 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9578 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
9579 	struct sk_buff *msg;
9580 	void *hdr;
9581 
9582 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
9583 		return;
9584 
9585 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
9586 
9587 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9588 	if (!msg)
9589 		return;
9590 
9591 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
9592 	if (!hdr) {
9593 		nlmsg_free(msg);
9594 		return;
9595 	}
9596 
9597 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9598 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
9599 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
9600 	    (ie_len && ie &&
9601 	     nla_put(msg, NL80211_ATTR_IE, ie_len , ie)))
9602 		goto nla_put_failure;
9603 
9604 	genlmsg_end(msg, hdr);
9605 
9606 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9607 				nl80211_mlme_mcgrp.id, gfp);
9608 	return;
9609 
9610  nla_put_failure:
9611 	genlmsg_cancel(msg, hdr);
9612 	nlmsg_free(msg);
9613 }
9614 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
9615 
9616 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
9617 				 struct net_device *netdev, const u8 *addr,
9618 				 enum nl80211_key_type key_type, int key_id,
9619 				 const u8 *tsc, gfp_t gfp)
9620 {
9621 	struct sk_buff *msg;
9622 	void *hdr;
9623 
9624 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9625 	if (!msg)
9626 		return;
9627 
9628 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
9629 	if (!hdr) {
9630 		nlmsg_free(msg);
9631 		return;
9632 	}
9633 
9634 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9635 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
9636 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
9637 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
9638 	    (key_id != -1 &&
9639 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
9640 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
9641 		goto nla_put_failure;
9642 
9643 	genlmsg_end(msg, hdr);
9644 
9645 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9646 				nl80211_mlme_mcgrp.id, gfp);
9647 	return;
9648 
9649  nla_put_failure:
9650 	genlmsg_cancel(msg, hdr);
9651 	nlmsg_free(msg);
9652 }
9653 
9654 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
9655 				    struct ieee80211_channel *channel_before,
9656 				    struct ieee80211_channel *channel_after)
9657 {
9658 	struct sk_buff *msg;
9659 	void *hdr;
9660 	struct nlattr *nl_freq;
9661 
9662 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
9663 	if (!msg)
9664 		return;
9665 
9666 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
9667 	if (!hdr) {
9668 		nlmsg_free(msg);
9669 		return;
9670 	}
9671 
9672 	/*
9673 	 * Since we are applying the beacon hint to a wiphy we know its
9674 	 * wiphy_idx is valid
9675 	 */
9676 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
9677 		goto nla_put_failure;
9678 
9679 	/* Before */
9680 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_BEFORE);
9681 	if (!nl_freq)
9682 		goto nla_put_failure;
9683 	if (nl80211_msg_put_channel(msg, channel_before, false))
9684 		goto nla_put_failure;
9685 	nla_nest_end(msg, nl_freq);
9686 
9687 	/* After */
9688 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_AFTER);
9689 	if (!nl_freq)
9690 		goto nla_put_failure;
9691 	if (nl80211_msg_put_channel(msg, channel_after, false))
9692 		goto nla_put_failure;
9693 	nla_nest_end(msg, nl_freq);
9694 
9695 	genlmsg_end(msg, hdr);
9696 
9697 	rcu_read_lock();
9698 	genlmsg_multicast_allns(msg, 0, nl80211_regulatory_mcgrp.id,
9699 				GFP_ATOMIC);
9700 	rcu_read_unlock();
9701 
9702 	return;
9703 
9704 nla_put_failure:
9705 	genlmsg_cancel(msg, hdr);
9706 	nlmsg_free(msg);
9707 }
9708 
9709 static void nl80211_send_remain_on_chan_event(
9710 	int cmd, struct cfg80211_registered_device *rdev,
9711 	struct wireless_dev *wdev, u64 cookie,
9712 	struct ieee80211_channel *chan,
9713 	unsigned int duration, gfp_t gfp)
9714 {
9715 	struct sk_buff *msg;
9716 	void *hdr;
9717 
9718 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9719 	if (!msg)
9720 		return;
9721 
9722 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
9723 	if (!hdr) {
9724 		nlmsg_free(msg);
9725 		return;
9726 	}
9727 
9728 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9729 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
9730 					 wdev->netdev->ifindex)) ||
9731 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
9732 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
9733 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
9734 			NL80211_CHAN_NO_HT) ||
9735 	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
9736 		goto nla_put_failure;
9737 
9738 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
9739 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
9740 		goto nla_put_failure;
9741 
9742 	genlmsg_end(msg, hdr);
9743 
9744 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9745 				nl80211_mlme_mcgrp.id, gfp);
9746 	return;
9747 
9748  nla_put_failure:
9749 	genlmsg_cancel(msg, hdr);
9750 	nlmsg_free(msg);
9751 }
9752 
9753 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
9754 			       struct ieee80211_channel *chan,
9755 			       unsigned int duration, gfp_t gfp)
9756 {
9757 	struct wiphy *wiphy = wdev->wiphy;
9758 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
9759 
9760 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
9761 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
9762 					  rdev, wdev, cookie, chan,
9763 					  duration, gfp);
9764 }
9765 EXPORT_SYMBOL(cfg80211_ready_on_channel);
9766 
9767 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
9768 					struct ieee80211_channel *chan,
9769 					gfp_t gfp)
9770 {
9771 	struct wiphy *wiphy = wdev->wiphy;
9772 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
9773 
9774 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
9775 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
9776 					  rdev, wdev, cookie, chan, 0, gfp);
9777 }
9778 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
9779 
9780 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
9781 		      struct station_info *sinfo, gfp_t gfp)
9782 {
9783 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
9784 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
9785 	struct sk_buff *msg;
9786 
9787 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
9788 
9789 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9790 	if (!msg)
9791 		return;
9792 
9793 	if (nl80211_send_station(msg, 0, 0, 0,
9794 				 rdev, dev, mac_addr, sinfo) < 0) {
9795 		nlmsg_free(msg);
9796 		return;
9797 	}
9798 
9799 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9800 				nl80211_mlme_mcgrp.id, gfp);
9801 }
9802 EXPORT_SYMBOL(cfg80211_new_sta);
9803 
9804 void cfg80211_del_sta(struct net_device *dev, const u8 *mac_addr, gfp_t gfp)
9805 {
9806 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
9807 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
9808 	struct sk_buff *msg;
9809 	void *hdr;
9810 
9811 	trace_cfg80211_del_sta(dev, mac_addr);
9812 
9813 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9814 	if (!msg)
9815 		return;
9816 
9817 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_STATION);
9818 	if (!hdr) {
9819 		nlmsg_free(msg);
9820 		return;
9821 	}
9822 
9823 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
9824 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
9825 		goto nla_put_failure;
9826 
9827 	genlmsg_end(msg, hdr);
9828 
9829 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9830 				nl80211_mlme_mcgrp.id, gfp);
9831 	return;
9832 
9833  nla_put_failure:
9834 	genlmsg_cancel(msg, hdr);
9835 	nlmsg_free(msg);
9836 }
9837 EXPORT_SYMBOL(cfg80211_del_sta);
9838 
9839 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
9840 			  enum nl80211_connect_failed_reason reason,
9841 			  gfp_t gfp)
9842 {
9843 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
9844 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
9845 	struct sk_buff *msg;
9846 	void *hdr;
9847 
9848 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
9849 	if (!msg)
9850 		return;
9851 
9852 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
9853 	if (!hdr) {
9854 		nlmsg_free(msg);
9855 		return;
9856 	}
9857 
9858 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
9859 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
9860 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
9861 		goto nla_put_failure;
9862 
9863 	genlmsg_end(msg, hdr);
9864 
9865 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9866 				nl80211_mlme_mcgrp.id, gfp);
9867 	return;
9868 
9869  nla_put_failure:
9870 	genlmsg_cancel(msg, hdr);
9871 	nlmsg_free(msg);
9872 }
9873 EXPORT_SYMBOL(cfg80211_conn_failed);
9874 
9875 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
9876 				       const u8 *addr, gfp_t gfp)
9877 {
9878 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9879 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
9880 	struct sk_buff *msg;
9881 	void *hdr;
9882 	int err;
9883 	u32 nlportid = ACCESS_ONCE(wdev->ap_unexpected_nlportid);
9884 
9885 	if (!nlportid)
9886 		return false;
9887 
9888 	msg = nlmsg_new(100, gfp);
9889 	if (!msg)
9890 		return true;
9891 
9892 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
9893 	if (!hdr) {
9894 		nlmsg_free(msg);
9895 		return true;
9896 	}
9897 
9898 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9899 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
9900 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
9901 		goto nla_put_failure;
9902 
9903 	err = genlmsg_end(msg, hdr);
9904 	if (err < 0) {
9905 		nlmsg_free(msg);
9906 		return true;
9907 	}
9908 
9909 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
9910 	return true;
9911 
9912  nla_put_failure:
9913 	genlmsg_cancel(msg, hdr);
9914 	nlmsg_free(msg);
9915 	return true;
9916 }
9917 
9918 bool cfg80211_rx_spurious_frame(struct net_device *dev,
9919 				const u8 *addr, gfp_t gfp)
9920 {
9921 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9922 	bool ret;
9923 
9924 	trace_cfg80211_rx_spurious_frame(dev, addr);
9925 
9926 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
9927 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
9928 		trace_cfg80211_return_bool(false);
9929 		return false;
9930 	}
9931 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
9932 					 addr, gfp);
9933 	trace_cfg80211_return_bool(ret);
9934 	return ret;
9935 }
9936 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
9937 
9938 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
9939 					const u8 *addr, gfp_t gfp)
9940 {
9941 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9942 	bool ret;
9943 
9944 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
9945 
9946 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
9947 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
9948 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
9949 		trace_cfg80211_return_bool(false);
9950 		return false;
9951 	}
9952 	ret = __nl80211_unexpected_frame(dev,
9953 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
9954 					 addr, gfp);
9955 	trace_cfg80211_return_bool(ret);
9956 	return ret;
9957 }
9958 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
9959 
9960 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
9961 		      struct wireless_dev *wdev, u32 nlportid,
9962 		      int freq, int sig_dbm,
9963 		      const u8 *buf, size_t len, gfp_t gfp)
9964 {
9965 	struct net_device *netdev = wdev->netdev;
9966 	struct sk_buff *msg;
9967 	void *hdr;
9968 
9969 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9970 	if (!msg)
9971 		return -ENOMEM;
9972 
9973 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
9974 	if (!hdr) {
9975 		nlmsg_free(msg);
9976 		return -ENOMEM;
9977 	}
9978 
9979 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9980 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
9981 					netdev->ifindex)) ||
9982 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
9983 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq) ||
9984 	    (sig_dbm &&
9985 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
9986 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf))
9987 		goto nla_put_failure;
9988 
9989 	genlmsg_end(msg, hdr);
9990 
9991 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
9992 
9993  nla_put_failure:
9994 	genlmsg_cancel(msg, hdr);
9995 	nlmsg_free(msg);
9996 	return -ENOBUFS;
9997 }
9998 
9999 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
10000 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
10001 {
10002 	struct wiphy *wiphy = wdev->wiphy;
10003 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
10004 	struct net_device *netdev = wdev->netdev;
10005 	struct sk_buff *msg;
10006 	void *hdr;
10007 
10008 	trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
10009 
10010 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10011 	if (!msg)
10012 		return;
10013 
10014 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME_TX_STATUS);
10015 	if (!hdr) {
10016 		nlmsg_free(msg);
10017 		return;
10018 	}
10019 
10020 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10021 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
10022 				   netdev->ifindex)) ||
10023 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
10024 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
10025 	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie) ||
10026 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
10027 		goto nla_put_failure;
10028 
10029 	genlmsg_end(msg, hdr);
10030 
10031 	genlmsg_multicast(msg, 0, nl80211_mlme_mcgrp.id, gfp);
10032 	return;
10033 
10034  nla_put_failure:
10035 	genlmsg_cancel(msg, hdr);
10036 	nlmsg_free(msg);
10037 }
10038 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
10039 
10040 void cfg80211_cqm_rssi_notify(struct net_device *dev,
10041 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
10042 			      gfp_t gfp)
10043 {
10044 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10045 	struct wiphy *wiphy = wdev->wiphy;
10046 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
10047 	struct sk_buff *msg;
10048 	struct nlattr *pinfoattr;
10049 	void *hdr;
10050 
10051 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event);
10052 
10053 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10054 	if (!msg)
10055 		return;
10056 
10057 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
10058 	if (!hdr) {
10059 		nlmsg_free(msg);
10060 		return;
10061 	}
10062 
10063 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10064 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
10065 		goto nla_put_failure;
10066 
10067 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_CQM);
10068 	if (!pinfoattr)
10069 		goto nla_put_failure;
10070 
10071 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
10072 			rssi_event))
10073 		goto nla_put_failure;
10074 
10075 	nla_nest_end(msg, pinfoattr);
10076 
10077 	genlmsg_end(msg, hdr);
10078 
10079 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10080 				nl80211_mlme_mcgrp.id, gfp);
10081 	return;
10082 
10083  nla_put_failure:
10084 	genlmsg_cancel(msg, hdr);
10085 	nlmsg_free(msg);
10086 }
10087 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
10088 
10089 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
10090 				     struct net_device *netdev, const u8 *bssid,
10091 				     const u8 *replay_ctr, gfp_t gfp)
10092 {
10093 	struct sk_buff *msg;
10094 	struct nlattr *rekey_attr;
10095 	void *hdr;
10096 
10097 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10098 	if (!msg)
10099 		return;
10100 
10101 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
10102 	if (!hdr) {
10103 		nlmsg_free(msg);
10104 		return;
10105 	}
10106 
10107 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10108 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
10109 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
10110 		goto nla_put_failure;
10111 
10112 	rekey_attr = nla_nest_start(msg, NL80211_ATTR_REKEY_DATA);
10113 	if (!rekey_attr)
10114 		goto nla_put_failure;
10115 
10116 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
10117 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
10118 		goto nla_put_failure;
10119 
10120 	nla_nest_end(msg, rekey_attr);
10121 
10122 	genlmsg_end(msg, hdr);
10123 
10124 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10125 				nl80211_mlme_mcgrp.id, gfp);
10126 	return;
10127 
10128  nla_put_failure:
10129 	genlmsg_cancel(msg, hdr);
10130 	nlmsg_free(msg);
10131 }
10132 
10133 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
10134 			       const u8 *replay_ctr, gfp_t gfp)
10135 {
10136 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10137 	struct wiphy *wiphy = wdev->wiphy;
10138 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
10139 
10140 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
10141 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
10142 }
10143 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
10144 
10145 static void
10146 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
10147 			       struct net_device *netdev, int index,
10148 			       const u8 *bssid, bool preauth, gfp_t gfp)
10149 {
10150 	struct sk_buff *msg;
10151 	struct nlattr *attr;
10152 	void *hdr;
10153 
10154 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10155 	if (!msg)
10156 		return;
10157 
10158 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
10159 	if (!hdr) {
10160 		nlmsg_free(msg);
10161 		return;
10162 	}
10163 
10164 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10165 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
10166 		goto nla_put_failure;
10167 
10168 	attr = nla_nest_start(msg, NL80211_ATTR_PMKSA_CANDIDATE);
10169 	if (!attr)
10170 		goto nla_put_failure;
10171 
10172 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
10173 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
10174 	    (preauth &&
10175 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
10176 		goto nla_put_failure;
10177 
10178 	nla_nest_end(msg, attr);
10179 
10180 	genlmsg_end(msg, hdr);
10181 
10182 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10183 				nl80211_mlme_mcgrp.id, gfp);
10184 	return;
10185 
10186  nla_put_failure:
10187 	genlmsg_cancel(msg, hdr);
10188 	nlmsg_free(msg);
10189 }
10190 
10191 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
10192 				     const u8 *bssid, bool preauth, gfp_t gfp)
10193 {
10194 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10195 	struct wiphy *wiphy = wdev->wiphy;
10196 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
10197 
10198 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
10199 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
10200 }
10201 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
10202 
10203 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
10204 				     struct net_device *netdev,
10205 				     struct cfg80211_chan_def *chandef,
10206 				     gfp_t gfp)
10207 {
10208 	struct sk_buff *msg;
10209 	void *hdr;
10210 
10211 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10212 	if (!msg)
10213 		return;
10214 
10215 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CH_SWITCH_NOTIFY);
10216 	if (!hdr) {
10217 		nlmsg_free(msg);
10218 		return;
10219 	}
10220 
10221 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
10222 		goto nla_put_failure;
10223 
10224 	if (nl80211_send_chandef(msg, chandef))
10225 		goto nla_put_failure;
10226 
10227 	genlmsg_end(msg, hdr);
10228 
10229 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10230 				nl80211_mlme_mcgrp.id, gfp);
10231 	return;
10232 
10233  nla_put_failure:
10234 	genlmsg_cancel(msg, hdr);
10235 	nlmsg_free(msg);
10236 }
10237 
10238 void cfg80211_ch_switch_notify(struct net_device *dev,
10239 			       struct cfg80211_chan_def *chandef)
10240 {
10241 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10242 	struct wiphy *wiphy = wdev->wiphy;
10243 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
10244 
10245 	trace_cfg80211_ch_switch_notify(dev, chandef);
10246 
10247 	wdev_lock(wdev);
10248 
10249 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
10250 		    wdev->iftype != NL80211_IFTYPE_P2P_GO))
10251 		goto out;
10252 
10253 	wdev->channel = chandef->chan;
10254 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL);
10255 out:
10256 	wdev_unlock(wdev);
10257 	return;
10258 }
10259 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
10260 
10261 void cfg80211_cqm_txe_notify(struct net_device *dev,
10262 			     const u8 *peer, u32 num_packets,
10263 			     u32 rate, u32 intvl, gfp_t gfp)
10264 {
10265 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10266 	struct wiphy *wiphy = wdev->wiphy;
10267 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
10268 	struct sk_buff *msg;
10269 	struct nlattr *pinfoattr;
10270 	void *hdr;
10271 
10272 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
10273 	if (!msg)
10274 		return;
10275 
10276 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
10277 	if (!hdr) {
10278 		nlmsg_free(msg);
10279 		return;
10280 	}
10281 
10282 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10283 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
10284 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer))
10285 		goto nla_put_failure;
10286 
10287 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_CQM);
10288 	if (!pinfoattr)
10289 		goto nla_put_failure;
10290 
10291 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
10292 		goto nla_put_failure;
10293 
10294 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
10295 		goto nla_put_failure;
10296 
10297 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
10298 		goto nla_put_failure;
10299 
10300 	nla_nest_end(msg, pinfoattr);
10301 
10302 	genlmsg_end(msg, hdr);
10303 
10304 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10305 				nl80211_mlme_mcgrp.id, gfp);
10306 	return;
10307 
10308  nla_put_failure:
10309 	genlmsg_cancel(msg, hdr);
10310 	nlmsg_free(msg);
10311 }
10312 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
10313 
10314 void
10315 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
10316 		     struct cfg80211_chan_def *chandef,
10317 		     enum nl80211_radar_event event,
10318 		     struct net_device *netdev, gfp_t gfp)
10319 {
10320 	struct sk_buff *msg;
10321 	void *hdr;
10322 
10323 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10324 	if (!msg)
10325 		return;
10326 
10327 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
10328 	if (!hdr) {
10329 		nlmsg_free(msg);
10330 		return;
10331 	}
10332 
10333 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
10334 		goto nla_put_failure;
10335 
10336 	/* NOP and radar events don't need a netdev parameter */
10337 	if (netdev) {
10338 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
10339 
10340 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
10341 		    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
10342 			goto nla_put_failure;
10343 	}
10344 
10345 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
10346 		goto nla_put_failure;
10347 
10348 	if (nl80211_send_chandef(msg, chandef))
10349 		goto nla_put_failure;
10350 
10351 	if (genlmsg_end(msg, hdr) < 0) {
10352 		nlmsg_free(msg);
10353 		return;
10354 	}
10355 
10356 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10357 				nl80211_mlme_mcgrp.id, gfp);
10358 	return;
10359 
10360  nla_put_failure:
10361 	genlmsg_cancel(msg, hdr);
10362 	nlmsg_free(msg);
10363 }
10364 
10365 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
10366 				 const u8 *peer, u32 num_packets, gfp_t gfp)
10367 {
10368 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10369 	struct wiphy *wiphy = wdev->wiphy;
10370 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
10371 	struct sk_buff *msg;
10372 	struct nlattr *pinfoattr;
10373 	void *hdr;
10374 
10375 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
10376 
10377 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10378 	if (!msg)
10379 		return;
10380 
10381 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
10382 	if (!hdr) {
10383 		nlmsg_free(msg);
10384 		return;
10385 	}
10386 
10387 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10388 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
10389 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer))
10390 		goto nla_put_failure;
10391 
10392 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_CQM);
10393 	if (!pinfoattr)
10394 		goto nla_put_failure;
10395 
10396 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
10397 		goto nla_put_failure;
10398 
10399 	nla_nest_end(msg, pinfoattr);
10400 
10401 	genlmsg_end(msg, hdr);
10402 
10403 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10404 				nl80211_mlme_mcgrp.id, gfp);
10405 	return;
10406 
10407  nla_put_failure:
10408 	genlmsg_cancel(msg, hdr);
10409 	nlmsg_free(msg);
10410 }
10411 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
10412 
10413 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
10414 			   u64 cookie, bool acked, gfp_t gfp)
10415 {
10416 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10417 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
10418 	struct sk_buff *msg;
10419 	void *hdr;
10420 	int err;
10421 
10422 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
10423 
10424 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10425 
10426 	if (!msg)
10427 		return;
10428 
10429 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
10430 	if (!hdr) {
10431 		nlmsg_free(msg);
10432 		return;
10433 	}
10434 
10435 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10436 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
10437 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
10438 	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie) ||
10439 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)))
10440 		goto nla_put_failure;
10441 
10442 	err = genlmsg_end(msg, hdr);
10443 	if (err < 0) {
10444 		nlmsg_free(msg);
10445 		return;
10446 	}
10447 
10448 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10449 				nl80211_mlme_mcgrp.id, gfp);
10450 	return;
10451 
10452  nla_put_failure:
10453 	genlmsg_cancel(msg, hdr);
10454 	nlmsg_free(msg);
10455 }
10456 EXPORT_SYMBOL(cfg80211_probe_status);
10457 
10458 void cfg80211_report_obss_beacon(struct wiphy *wiphy,
10459 				 const u8 *frame, size_t len,
10460 				 int freq, int sig_dbm)
10461 {
10462 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
10463 	struct sk_buff *msg;
10464 	void *hdr;
10465 	struct cfg80211_beacon_registration *reg;
10466 
10467 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
10468 
10469 	spin_lock_bh(&rdev->beacon_registrations_lock);
10470 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
10471 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
10472 		if (!msg) {
10473 			spin_unlock_bh(&rdev->beacon_registrations_lock);
10474 			return;
10475 		}
10476 
10477 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
10478 		if (!hdr)
10479 			goto nla_put_failure;
10480 
10481 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10482 		    (freq &&
10483 		     nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq)) ||
10484 		    (sig_dbm &&
10485 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
10486 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
10487 			goto nla_put_failure;
10488 
10489 		genlmsg_end(msg, hdr);
10490 
10491 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
10492 	}
10493 	spin_unlock_bh(&rdev->beacon_registrations_lock);
10494 	return;
10495 
10496  nla_put_failure:
10497 	spin_unlock_bh(&rdev->beacon_registrations_lock);
10498 	if (hdr)
10499 		genlmsg_cancel(msg, hdr);
10500 	nlmsg_free(msg);
10501 }
10502 EXPORT_SYMBOL(cfg80211_report_obss_beacon);
10503 
10504 #ifdef CONFIG_PM
10505 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
10506 				   struct cfg80211_wowlan_wakeup *wakeup,
10507 				   gfp_t gfp)
10508 {
10509 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
10510 	struct sk_buff *msg;
10511 	void *hdr;
10512 	int err, size = 200;
10513 
10514 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
10515 
10516 	if (wakeup)
10517 		size += wakeup->packet_present_len;
10518 
10519 	msg = nlmsg_new(size, gfp);
10520 	if (!msg)
10521 		return;
10522 
10523 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
10524 	if (!hdr)
10525 		goto free_msg;
10526 
10527 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10528 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
10529 		goto free_msg;
10530 
10531 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
10532 					wdev->netdev->ifindex))
10533 		goto free_msg;
10534 
10535 	if (wakeup) {
10536 		struct nlattr *reasons;
10537 
10538 		reasons = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
10539 
10540 		if (wakeup->disconnect &&
10541 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
10542 			goto free_msg;
10543 		if (wakeup->magic_pkt &&
10544 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
10545 			goto free_msg;
10546 		if (wakeup->gtk_rekey_failure &&
10547 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
10548 			goto free_msg;
10549 		if (wakeup->eap_identity_req &&
10550 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
10551 			goto free_msg;
10552 		if (wakeup->four_way_handshake &&
10553 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
10554 			goto free_msg;
10555 		if (wakeup->rfkill_release &&
10556 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
10557 			goto free_msg;
10558 
10559 		if (wakeup->pattern_idx >= 0 &&
10560 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
10561 				wakeup->pattern_idx))
10562 			goto free_msg;
10563 
10564 		if (wakeup->tcp_match)
10565 			nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH);
10566 
10567 		if (wakeup->tcp_connlost)
10568 			nla_put_flag(msg,
10569 				     NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST);
10570 
10571 		if (wakeup->tcp_nomoretokens)
10572 			nla_put_flag(msg,
10573 				NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS);
10574 
10575 		if (wakeup->packet) {
10576 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
10577 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
10578 
10579 			if (!wakeup->packet_80211) {
10580 				pkt_attr =
10581 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
10582 				len_attr =
10583 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
10584 			}
10585 
10586 			if (wakeup->packet_len &&
10587 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
10588 				goto free_msg;
10589 
10590 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
10591 				    wakeup->packet))
10592 				goto free_msg;
10593 		}
10594 
10595 		nla_nest_end(msg, reasons);
10596 	}
10597 
10598 	err = genlmsg_end(msg, hdr);
10599 	if (err < 0)
10600 		goto free_msg;
10601 
10602 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10603 				nl80211_mlme_mcgrp.id, gfp);
10604 	return;
10605 
10606  free_msg:
10607 	nlmsg_free(msg);
10608 }
10609 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
10610 #endif
10611 
10612 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
10613 				enum nl80211_tdls_operation oper,
10614 				u16 reason_code, gfp_t gfp)
10615 {
10616 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10617 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
10618 	struct sk_buff *msg;
10619 	void *hdr;
10620 	int err;
10621 
10622 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
10623 					 reason_code);
10624 
10625 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10626 	if (!msg)
10627 		return;
10628 
10629 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
10630 	if (!hdr) {
10631 		nlmsg_free(msg);
10632 		return;
10633 	}
10634 
10635 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10636 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
10637 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
10638 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
10639 	    (reason_code > 0 &&
10640 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
10641 		goto nla_put_failure;
10642 
10643 	err = genlmsg_end(msg, hdr);
10644 	if (err < 0) {
10645 		nlmsg_free(msg);
10646 		return;
10647 	}
10648 
10649 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10650 				nl80211_mlme_mcgrp.id, gfp);
10651 	return;
10652 
10653  nla_put_failure:
10654 	genlmsg_cancel(msg, hdr);
10655 	nlmsg_free(msg);
10656 }
10657 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
10658 
10659 static int nl80211_netlink_notify(struct notifier_block * nb,
10660 				  unsigned long state,
10661 				  void *_notify)
10662 {
10663 	struct netlink_notify *notify = _notify;
10664 	struct cfg80211_registered_device *rdev;
10665 	struct wireless_dev *wdev;
10666 	struct cfg80211_beacon_registration *reg, *tmp;
10667 
10668 	if (state != NETLINK_URELEASE)
10669 		return NOTIFY_DONE;
10670 
10671 	rcu_read_lock();
10672 
10673 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
10674 		list_for_each_entry_rcu(wdev, &rdev->wdev_list, list)
10675 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
10676 
10677 		spin_lock_bh(&rdev->beacon_registrations_lock);
10678 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
10679 					 list) {
10680 			if (reg->nlportid == notify->portid) {
10681 				list_del(&reg->list);
10682 				kfree(reg);
10683 				break;
10684 			}
10685 		}
10686 		spin_unlock_bh(&rdev->beacon_registrations_lock);
10687 	}
10688 
10689 	rcu_read_unlock();
10690 
10691 	return NOTIFY_DONE;
10692 }
10693 
10694 static struct notifier_block nl80211_netlink_notifier = {
10695 	.notifier_call = nl80211_netlink_notify,
10696 };
10697 
10698 void cfg80211_ft_event(struct net_device *netdev,
10699 		       struct cfg80211_ft_event_params *ft_event)
10700 {
10701 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
10702 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
10703 	struct sk_buff *msg;
10704 	void *hdr;
10705 	int err;
10706 
10707 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
10708 
10709 	if (!ft_event->target_ap)
10710 		return;
10711 
10712 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10713 	if (!msg)
10714 		return;
10715 
10716 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
10717 	if (!hdr) {
10718 		nlmsg_free(msg);
10719 		return;
10720 	}
10721 
10722 	nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx);
10723 	nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex);
10724 	nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap);
10725 	if (ft_event->ies)
10726 		nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies);
10727 	if (ft_event->ric_ies)
10728 		nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
10729 			ft_event->ric_ies);
10730 
10731 	err = genlmsg_end(msg, hdr);
10732 	if (err < 0) {
10733 		nlmsg_free(msg);
10734 		return;
10735 	}
10736 
10737 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10738 				nl80211_mlme_mcgrp.id, GFP_KERNEL);
10739 }
10740 EXPORT_SYMBOL(cfg80211_ft_event);
10741 
10742 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
10743 {
10744 	struct cfg80211_registered_device *rdev;
10745 	struct sk_buff *msg;
10746 	void *hdr;
10747 	u32 nlportid;
10748 
10749 	rdev = wiphy_to_dev(wdev->wiphy);
10750 	if (!rdev->crit_proto_nlportid)
10751 		return;
10752 
10753 	nlportid = rdev->crit_proto_nlportid;
10754 	rdev->crit_proto_nlportid = 0;
10755 
10756 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10757 	if (!msg)
10758 		return;
10759 
10760 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
10761 	if (!hdr)
10762 		goto nla_put_failure;
10763 
10764 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10765 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
10766 		goto nla_put_failure;
10767 
10768 	genlmsg_end(msg, hdr);
10769 
10770 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
10771 	return;
10772 
10773  nla_put_failure:
10774 	if (hdr)
10775 		genlmsg_cancel(msg, hdr);
10776 	nlmsg_free(msg);
10777 
10778 }
10779 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
10780 
10781 /* initialisation/exit functions */
10782 
10783 int nl80211_init(void)
10784 {
10785 	int err;
10786 
10787 	err = genl_register_family_with_ops(&nl80211_fam,
10788 		nl80211_ops, ARRAY_SIZE(nl80211_ops));
10789 	if (err)
10790 		return err;
10791 
10792 	err = genl_register_mc_group(&nl80211_fam, &nl80211_config_mcgrp);
10793 	if (err)
10794 		goto err_out;
10795 
10796 	err = genl_register_mc_group(&nl80211_fam, &nl80211_scan_mcgrp);
10797 	if (err)
10798 		goto err_out;
10799 
10800 	err = genl_register_mc_group(&nl80211_fam, &nl80211_regulatory_mcgrp);
10801 	if (err)
10802 		goto err_out;
10803 
10804 	err = genl_register_mc_group(&nl80211_fam, &nl80211_mlme_mcgrp);
10805 	if (err)
10806 		goto err_out;
10807 
10808 #ifdef CONFIG_NL80211_TESTMODE
10809 	err = genl_register_mc_group(&nl80211_fam, &nl80211_testmode_mcgrp);
10810 	if (err)
10811 		goto err_out;
10812 #endif
10813 
10814 	err = netlink_register_notifier(&nl80211_netlink_notifier);
10815 	if (err)
10816 		goto err_out;
10817 
10818 	return 0;
10819  err_out:
10820 	genl_unregister_family(&nl80211_fam);
10821 	return err;
10822 }
10823 
10824 void nl80211_exit(void)
10825 {
10826 	netlink_unregister_notifier(&nl80211_netlink_notifier);
10827 	genl_unregister_family(&nl80211_fam);
10828 }
10829