xref: /openbmc/linux/net/wireless/nl80211.c (revision 94cdda6b) 
1 /*
2  * This is the new netlink-based wireless configuration interface.
3  *
4  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
5  * Copyright 2013-2014  Intel Mobile Communications GmbH
6  */
7 
8 #include <linux/if.h>
9 #include <linux/module.h>
10 #include <linux/err.h>
11 #include <linux/slab.h>
12 #include <linux/list.h>
13 #include <linux/if_ether.h>
14 #include <linux/ieee80211.h>
15 #include <linux/nl80211.h>
16 #include <linux/rtnetlink.h>
17 #include <linux/netlink.h>
18 #include <linux/etherdevice.h>
19 #include <net/net_namespace.h>
20 #include <net/genetlink.h>
21 #include <net/cfg80211.h>
22 #include <net/sock.h>
23 #include <net/inet_connection_sock.h>
24 #include "core.h"
25 #include "nl80211.h"
26 #include "reg.h"
27 #include "rdev-ops.h"
28 
29 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
30 				   struct genl_info *info,
31 				   struct cfg80211_crypto_settings *settings,
32 				   int cipher_limit);
33 
34 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
35 			    struct genl_info *info);
36 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
37 			      struct genl_info *info);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam = {
41 	.id = GENL_ID_GENERATE,		/* don't bother with a hardcoded ID */
42 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
43 	.hdrsize = 0,			/* no private header */
44 	.version = 1,			/* no particular meaning now */
45 	.maxattr = NL80211_ATTR_MAX,
46 	.netnsok = true,
47 	.pre_doit = nl80211_pre_doit,
48 	.post_doit = nl80211_post_doit,
49 };
50 
51 /* multicast groups */
52 enum nl80211_multicast_groups {
53 	NL80211_MCGRP_CONFIG,
54 	NL80211_MCGRP_SCAN,
55 	NL80211_MCGRP_REGULATORY,
56 	NL80211_MCGRP_MLME,
57 	NL80211_MCGRP_VENDOR,
58 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
59 };
60 
61 static const struct genl_multicast_group nl80211_mcgrps[] = {
62 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
63 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
64 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
65 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
66 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
67 #ifdef CONFIG_NL80211_TESTMODE
68 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
69 #endif
70 };
71 
72 /* returns ERR_PTR values */
73 static struct wireless_dev *
74 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
75 {
76 	struct cfg80211_registered_device *rdev;
77 	struct wireless_dev *result = NULL;
78 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
79 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
80 	u64 wdev_id;
81 	int wiphy_idx = -1;
82 	int ifidx = -1;
83 
84 	ASSERT_RTNL();
85 
86 	if (!have_ifidx && !have_wdev_id)
87 		return ERR_PTR(-EINVAL);
88 
89 	if (have_ifidx)
90 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
91 	if (have_wdev_id) {
92 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
93 		wiphy_idx = wdev_id >> 32;
94 	}
95 
96 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
97 		struct wireless_dev *wdev;
98 
99 		if (wiphy_net(&rdev->wiphy) != netns)
100 			continue;
101 
102 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
103 			continue;
104 
105 		list_for_each_entry(wdev, &rdev->wdev_list, list) {
106 			if (have_ifidx && wdev->netdev &&
107 			    wdev->netdev->ifindex == ifidx) {
108 				result = wdev;
109 				break;
110 			}
111 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
112 				result = wdev;
113 				break;
114 			}
115 		}
116 
117 		if (result)
118 			break;
119 	}
120 
121 	if (result)
122 		return result;
123 	return ERR_PTR(-ENODEV);
124 }
125 
126 static struct cfg80211_registered_device *
127 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
128 {
129 	struct cfg80211_registered_device *rdev = NULL, *tmp;
130 	struct net_device *netdev;
131 
132 	ASSERT_RTNL();
133 
134 	if (!attrs[NL80211_ATTR_WIPHY] &&
135 	    !attrs[NL80211_ATTR_IFINDEX] &&
136 	    !attrs[NL80211_ATTR_WDEV])
137 		return ERR_PTR(-EINVAL);
138 
139 	if (attrs[NL80211_ATTR_WIPHY])
140 		rdev = cfg80211_rdev_by_wiphy_idx(
141 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
142 
143 	if (attrs[NL80211_ATTR_WDEV]) {
144 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
145 		struct wireless_dev *wdev;
146 		bool found = false;
147 
148 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
149 		if (tmp) {
150 			/* make sure wdev exists */
151 			list_for_each_entry(wdev, &tmp->wdev_list, list) {
152 				if (wdev->identifier != (u32)wdev_id)
153 					continue;
154 				found = true;
155 				break;
156 			}
157 
158 			if (!found)
159 				tmp = NULL;
160 
161 			if (rdev && tmp != rdev)
162 				return ERR_PTR(-EINVAL);
163 			rdev = tmp;
164 		}
165 	}
166 
167 	if (attrs[NL80211_ATTR_IFINDEX]) {
168 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
169 		netdev = __dev_get_by_index(netns, ifindex);
170 		if (netdev) {
171 			if (netdev->ieee80211_ptr)
172 				tmp = wiphy_to_rdev(
173 					netdev->ieee80211_ptr->wiphy);
174 			else
175 				tmp = NULL;
176 
177 			/* not wireless device -- return error */
178 			if (!tmp)
179 				return ERR_PTR(-EINVAL);
180 
181 			/* mismatch -- return error */
182 			if (rdev && tmp != rdev)
183 				return ERR_PTR(-EINVAL);
184 
185 			rdev = tmp;
186 		}
187 	}
188 
189 	if (!rdev)
190 		return ERR_PTR(-ENODEV);
191 
192 	if (netns != wiphy_net(&rdev->wiphy))
193 		return ERR_PTR(-ENODEV);
194 
195 	return rdev;
196 }
197 
198 /*
199  * This function returns a pointer to the driver
200  * that the genl_info item that is passed refers to.
201  *
202  * The result of this can be a PTR_ERR and hence must
203  * be checked with IS_ERR() for errors.
204  */
205 static struct cfg80211_registered_device *
206 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
207 {
208 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
209 }
210 
211 /* policy for the attributes */
212 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
213 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
214 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
215 				      .len = 20-1 },
216 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
217 
218 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
219 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
220 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
221 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
222 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
223 
224 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = { .type = NLA_U8 },
225 	[NL80211_ATTR_WIPHY_RETRY_LONG] = { .type = NLA_U8 },
226 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
227 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
228 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
229 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
230 
231 	[NL80211_ATTR_IFTYPE] = { .type = NLA_U32 },
232 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
233 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
234 
235 	[NL80211_ATTR_MAC] = { .len = ETH_ALEN },
236 	[NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },
237 
238 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
239 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
240 				    .len = WLAN_MAX_KEY_LEN },
241 	[NL80211_ATTR_KEY_IDX] = { .type = NLA_U8 },
242 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
243 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
244 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
245 	[NL80211_ATTR_KEY_TYPE] = { .type = NLA_U32 },
246 
247 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
248 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
249 	[NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
250 				       .len = IEEE80211_MAX_DATA_LEN },
251 	[NL80211_ATTR_BEACON_TAIL] = { .type = NLA_BINARY,
252 				       .len = IEEE80211_MAX_DATA_LEN },
253 	[NL80211_ATTR_STA_AID] = { .type = NLA_U16 },
254 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
255 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
256 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
257 					       .len = NL80211_MAX_SUPP_RATES },
258 	[NL80211_ATTR_STA_PLINK_ACTION] = { .type = NLA_U8 },
259 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
260 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
261 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
262 				   .len = IEEE80211_MAX_MESH_ID_LEN },
263 	[NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
264 
265 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
266 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
267 
268 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
269 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
270 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
271 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
272 					   .len = NL80211_MAX_SUPP_RATES },
273 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
274 
275 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
276 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
277 
278 	[NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
279 
280 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
281 	[NL80211_ATTR_IE] = { .type = NLA_BINARY,
282 			      .len = IEEE80211_MAX_DATA_LEN },
283 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
284 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
285 
286 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
287 				.len = IEEE80211_MAX_SSID_LEN },
288 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
289 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
290 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
291 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
292 	[NL80211_ATTR_USE_MFP] = { .type = NLA_U32 },
293 	[NL80211_ATTR_STA_FLAGS2] = {
294 		.len = sizeof(struct nl80211_sta_flag_update),
295 	},
296 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
297 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
298 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
299 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
300 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
301 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
302 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
303 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
304 	[NL80211_ATTR_PMKID] = { .type = NLA_BINARY,
305 				 .len = WLAN_PMKID_LEN },
306 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
307 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
308 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
309 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
310 				 .len = IEEE80211_MAX_DATA_LEN },
311 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
312 	[NL80211_ATTR_PS_STATE] = { .type = NLA_U32 },
313 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
314 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
315 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
316 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
317 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
318 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
319 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
320 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
321 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
322 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
323 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
324 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
325 	[NL80211_ATTR_STA_PLINK_STATE] = { .type = NLA_U8 },
326 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
327 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
328 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
329 	[NL80211_ATTR_HIDDEN_SSID] = { .type = NLA_U32 },
330 	[NL80211_ATTR_IE_PROBE_RESP] = { .type = NLA_BINARY,
331 					 .len = IEEE80211_MAX_DATA_LEN },
332 	[NL80211_ATTR_IE_ASSOC_RESP] = { .type = NLA_BINARY,
333 					 .len = IEEE80211_MAX_DATA_LEN },
334 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
335 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
336 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
337 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
338 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
339 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
340 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
341 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
342 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
343 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
344 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
345 				      .len = IEEE80211_MAX_DATA_LEN },
346 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
347 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
348 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
349 		.len = NL80211_HT_CAPABILITY_LEN
350 	},
351 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
352 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
353 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
354 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
355 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
356 	[NL80211_ATTR_SAE_DATA] = { .type = NLA_BINARY, },
357 	[NL80211_ATTR_VHT_CAPABILITY] = { .len = NL80211_VHT_CAPABILITY_LEN },
358 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
359 	[NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
360 	[NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
361 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
362 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
363 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
364 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
365 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
366 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
367 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
368 		.len = NL80211_VHT_CAPABILITY_LEN,
369 	},
370 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
371 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
372 				  .len = IEEE80211_MAX_DATA_LEN },
373 	[NL80211_ATTR_PEER_AID] = { .type = NLA_U16 },
374 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
375 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
376 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
377 	[NL80211_ATTR_CSA_C_OFF_BEACON] = { .type = NLA_BINARY },
378 	[NL80211_ATTR_CSA_C_OFF_PRESP] = { .type = NLA_BINARY },
379 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = { .type = NLA_BINARY },
380 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] = { .type = NLA_BINARY },
381 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
382 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
383 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
384 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
385 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
386 	[NL80211_ATTR_QOS_MAP] = { .type = NLA_BINARY,
387 				   .len = IEEE80211_QOS_MAP_LEN_MAX },
388 	[NL80211_ATTR_MAC_HINT] = { .len = ETH_ALEN },
389 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
390 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
391 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
392 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
393 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
394 	[NL80211_ATTR_TSID] = { .type = NLA_U8 },
395 	[NL80211_ATTR_USER_PRIO] = { .type = NLA_U8 },
396 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
397 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
398 	[NL80211_ATTR_MAC_MASK] = { .len = ETH_ALEN },
399 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
400 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
401 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
402 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
403 };
404 
405 /* policy for the key attributes */
406 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
407 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
408 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
409 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
410 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
411 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
412 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
413 	[NL80211_KEY_TYPE] = { .type = NLA_U32 },
414 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
415 };
416 
417 /* policy for the key default flags */
418 static const struct nla_policy
419 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
420 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
421 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
422 };
423 
424 /* policy for WoWLAN attributes */
425 static const struct nla_policy
426 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
427 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
428 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
429 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
430 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
431 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
432 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
433 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
434 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
435 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
436 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
437 };
438 
439 static const struct nla_policy
440 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
441 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
442 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
443 	[NL80211_WOWLAN_TCP_DST_MAC] = { .len = ETH_ALEN },
444 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
445 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
446 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = { .len = 1 },
447 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
448 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
449 	},
450 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
451 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
452 	},
453 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
454 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = { .len = 1 },
455 	[NL80211_WOWLAN_TCP_WAKE_MASK] = { .len = 1 },
456 };
457 
458 /* policy for coalesce rule attributes */
459 static const struct nla_policy
460 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
461 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
462 	[NL80211_ATTR_COALESCE_RULE_CONDITION] = { .type = NLA_U32 },
463 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
464 };
465 
466 /* policy for GTK rekey offload attributes */
467 static const struct nla_policy
468 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
469 	[NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
470 	[NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
471 	[NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
472 };
473 
474 static const struct nla_policy
475 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
476 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
477 						 .len = IEEE80211_MAX_SSID_LEN },
478 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
479 };
480 
481 static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
482 				     struct netlink_callback *cb,
483 				     struct cfg80211_registered_device **rdev,
484 				     struct wireless_dev **wdev)
485 {
486 	int err;
487 
488 	rtnl_lock();
489 
490 	if (!cb->args[0]) {
491 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
492 				  nl80211_fam.attrbuf, nl80211_fam.maxattr,
493 				  nl80211_policy);
494 		if (err)
495 			goto out_unlock;
496 
497 		*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk),
498 						   nl80211_fam.attrbuf);
499 		if (IS_ERR(*wdev)) {
500 			err = PTR_ERR(*wdev);
501 			goto out_unlock;
502 		}
503 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
504 		/* 0 is the first index - add 1 to parse only once */
505 		cb->args[0] = (*rdev)->wiphy_idx + 1;
506 		cb->args[1] = (*wdev)->identifier;
507 	} else {
508 		/* subtract the 1 again here */
509 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
510 		struct wireless_dev *tmp;
511 
512 		if (!wiphy) {
513 			err = -ENODEV;
514 			goto out_unlock;
515 		}
516 		*rdev = wiphy_to_rdev(wiphy);
517 		*wdev = NULL;
518 
519 		list_for_each_entry(tmp, &(*rdev)->wdev_list, list) {
520 			if (tmp->identifier == cb->args[1]) {
521 				*wdev = tmp;
522 				break;
523 			}
524 		}
525 
526 		if (!*wdev) {
527 			err = -ENODEV;
528 			goto out_unlock;
529 		}
530 	}
531 
532 	return 0;
533  out_unlock:
534 	rtnl_unlock();
535 	return err;
536 }
537 
538 static void nl80211_finish_wdev_dump(struct cfg80211_registered_device *rdev)
539 {
540 	rtnl_unlock();
541 }
542 
543 /* IE validation */
544 static bool is_valid_ie_attr(const struct nlattr *attr)
545 {
546 	const u8 *pos;
547 	int len;
548 
549 	if (!attr)
550 		return true;
551 
552 	pos = nla_data(attr);
553 	len = nla_len(attr);
554 
555 	while (len) {
556 		u8 elemlen;
557 
558 		if (len < 2)
559 			return false;
560 		len -= 2;
561 
562 		elemlen = pos[1];
563 		if (elemlen > len)
564 			return false;
565 
566 		len -= elemlen;
567 		pos += 2 + elemlen;
568 	}
569 
570 	return true;
571 }
572 
573 /* message building helper */
574 static inline void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
575 				   int flags, u8 cmd)
576 {
577 	/* since there is no private header just add the generic one */
578 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
579 }
580 
581 static int nl80211_msg_put_channel(struct sk_buff *msg,
582 				   struct ieee80211_channel *chan,
583 				   bool large)
584 {
585 	/* Some channels must be completely excluded from the
586 	 * list to protect old user-space tools from breaking
587 	 */
588 	if (!large && chan->flags &
589 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
590 		return 0;
591 
592 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
593 			chan->center_freq))
594 		goto nla_put_failure;
595 
596 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
597 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
598 		goto nla_put_failure;
599 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
600 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
601 			goto nla_put_failure;
602 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
603 			goto nla_put_failure;
604 	}
605 	if (chan->flags & IEEE80211_CHAN_RADAR) {
606 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
607 			goto nla_put_failure;
608 		if (large) {
609 			u32 time;
610 
611 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
612 
613 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
614 					chan->dfs_state))
615 				goto nla_put_failure;
616 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
617 					time))
618 				goto nla_put_failure;
619 			if (nla_put_u32(msg,
620 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
621 					chan->dfs_cac_ms))
622 				goto nla_put_failure;
623 		}
624 	}
625 
626 	if (large) {
627 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
628 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
629 			goto nla_put_failure;
630 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
631 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
632 			goto nla_put_failure;
633 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
634 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
635 			goto nla_put_failure;
636 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
637 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
638 			goto nla_put_failure;
639 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
640 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
641 			goto nla_put_failure;
642 		if ((chan->flags & IEEE80211_CHAN_GO_CONCURRENT) &&
643 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_GO_CONCURRENT))
644 			goto nla_put_failure;
645 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
646 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
647 			goto nla_put_failure;
648 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
649 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
650 			goto nla_put_failure;
651 	}
652 
653 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
654 			DBM_TO_MBM(chan->max_power)))
655 		goto nla_put_failure;
656 
657 	return 0;
658 
659  nla_put_failure:
660 	return -ENOBUFS;
661 }
662 
663 /* netlink command implementations */
664 
665 struct key_parse {
666 	struct key_params p;
667 	int idx;
668 	int type;
669 	bool def, defmgmt;
670 	bool def_uni, def_multi;
671 };
672 
673 static int nl80211_parse_key_new(struct nlattr *key, struct key_parse *k)
674 {
675 	struct nlattr *tb[NL80211_KEY_MAX + 1];
676 	int err = nla_parse_nested(tb, NL80211_KEY_MAX, key,
677 				   nl80211_key_policy);
678 	if (err)
679 		return err;
680 
681 	k->def = !!tb[NL80211_KEY_DEFAULT];
682 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
683 
684 	if (k->def) {
685 		k->def_uni = true;
686 		k->def_multi = true;
687 	}
688 	if (k->defmgmt)
689 		k->def_multi = true;
690 
691 	if (tb[NL80211_KEY_IDX])
692 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
693 
694 	if (tb[NL80211_KEY_DATA]) {
695 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
696 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
697 	}
698 
699 	if (tb[NL80211_KEY_SEQ]) {
700 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
701 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
702 	}
703 
704 	if (tb[NL80211_KEY_CIPHER])
705 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
706 
707 	if (tb[NL80211_KEY_TYPE]) {
708 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
709 		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
710 			return -EINVAL;
711 	}
712 
713 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
714 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
715 		err = nla_parse_nested(kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
716 				       tb[NL80211_KEY_DEFAULT_TYPES],
717 				       nl80211_key_default_policy);
718 		if (err)
719 			return err;
720 
721 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
722 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
723 	}
724 
725 	return 0;
726 }
727 
728 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
729 {
730 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
731 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
732 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
733 	}
734 
735 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
736 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
737 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
738 	}
739 
740 	if (info->attrs[NL80211_ATTR_KEY_IDX])
741 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
742 
743 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
744 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
745 
746 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
747 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
748 
749 	if (k->def) {
750 		k->def_uni = true;
751 		k->def_multi = true;
752 	}
753 	if (k->defmgmt)
754 		k->def_multi = true;
755 
756 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
757 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
758 		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
759 			return -EINVAL;
760 	}
761 
762 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
763 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
764 		int err = nla_parse_nested(
765 				kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
766 				info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
767 				nl80211_key_default_policy);
768 		if (err)
769 			return err;
770 
771 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
772 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
773 	}
774 
775 	return 0;
776 }
777 
778 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
779 {
780 	int err;
781 
782 	memset(k, 0, sizeof(*k));
783 	k->idx = -1;
784 	k->type = -1;
785 
786 	if (info->attrs[NL80211_ATTR_KEY])
787 		err = nl80211_parse_key_new(info->attrs[NL80211_ATTR_KEY], k);
788 	else
789 		err = nl80211_parse_key_old(info, k);
790 
791 	if (err)
792 		return err;
793 
794 	if (k->def && k->defmgmt)
795 		return -EINVAL;
796 
797 	if (k->defmgmt) {
798 		if (k->def_uni || !k->def_multi)
799 			return -EINVAL;
800 	}
801 
802 	if (k->idx != -1) {
803 		if (k->defmgmt) {
804 			if (k->idx < 4 || k->idx > 5)
805 				return -EINVAL;
806 		} else if (k->def) {
807 			if (k->idx < 0 || k->idx > 3)
808 				return -EINVAL;
809 		} else {
810 			if (k->idx < 0 || k->idx > 5)
811 				return -EINVAL;
812 		}
813 	}
814 
815 	return 0;
816 }
817 
818 static struct cfg80211_cached_keys *
819 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
820 		       struct nlattr *keys, bool *no_ht)
821 {
822 	struct key_parse parse;
823 	struct nlattr *key;
824 	struct cfg80211_cached_keys *result;
825 	int rem, err, def = 0;
826 
827 	result = kzalloc(sizeof(*result), GFP_KERNEL);
828 	if (!result)
829 		return ERR_PTR(-ENOMEM);
830 
831 	result->def = -1;
832 	result->defmgmt = -1;
833 
834 	nla_for_each_nested(key, keys, rem) {
835 		memset(&parse, 0, sizeof(parse));
836 		parse.idx = -1;
837 
838 		err = nl80211_parse_key_new(key, &parse);
839 		if (err)
840 			goto error;
841 		err = -EINVAL;
842 		if (!parse.p.key)
843 			goto error;
844 		if (parse.idx < 0 || parse.idx > 4)
845 			goto error;
846 		if (parse.def) {
847 			if (def)
848 				goto error;
849 			def = 1;
850 			result->def = parse.idx;
851 			if (!parse.def_uni || !parse.def_multi)
852 				goto error;
853 		} else if (parse.defmgmt)
854 			goto error;
855 		err = cfg80211_validate_key_settings(rdev, &parse.p,
856 						     parse.idx, false, NULL);
857 		if (err)
858 			goto error;
859 		result->params[parse.idx].cipher = parse.p.cipher;
860 		result->params[parse.idx].key_len = parse.p.key_len;
861 		result->params[parse.idx].key = result->data[parse.idx];
862 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
863 
864 		if (parse.p.cipher == WLAN_CIPHER_SUITE_WEP40 ||
865 		    parse.p.cipher == WLAN_CIPHER_SUITE_WEP104) {
866 			if (no_ht)
867 				*no_ht = true;
868 		}
869 	}
870 
871 	return result;
872  error:
873 	kfree(result);
874 	return ERR_PTR(err);
875 }
876 
877 static int nl80211_key_allowed(struct wireless_dev *wdev)
878 {
879 	ASSERT_WDEV_LOCK(wdev);
880 
881 	switch (wdev->iftype) {
882 	case NL80211_IFTYPE_AP:
883 	case NL80211_IFTYPE_AP_VLAN:
884 	case NL80211_IFTYPE_P2P_GO:
885 	case NL80211_IFTYPE_MESH_POINT:
886 		break;
887 	case NL80211_IFTYPE_ADHOC:
888 	case NL80211_IFTYPE_STATION:
889 	case NL80211_IFTYPE_P2P_CLIENT:
890 		if (!wdev->current_bss)
891 			return -ENOLINK;
892 		break;
893 	case NL80211_IFTYPE_UNSPECIFIED:
894 	case NL80211_IFTYPE_OCB:
895 	case NL80211_IFTYPE_MONITOR:
896 	case NL80211_IFTYPE_P2P_DEVICE:
897 	case NL80211_IFTYPE_WDS:
898 	case NUM_NL80211_IFTYPES:
899 		return -EINVAL;
900 	}
901 
902 	return 0;
903 }
904 
905 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
906 							struct nlattr *tb)
907 {
908 	struct ieee80211_channel *chan;
909 
910 	if (tb == NULL)
911 		return NULL;
912 	chan = ieee80211_get_channel(wiphy, nla_get_u32(tb));
913 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
914 		return NULL;
915 	return chan;
916 }
917 
918 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
919 {
920 	struct nlattr *nl_modes = nla_nest_start(msg, attr);
921 	int i;
922 
923 	if (!nl_modes)
924 		goto nla_put_failure;
925 
926 	i = 0;
927 	while (ifmodes) {
928 		if ((ifmodes & 1) && nla_put_flag(msg, i))
929 			goto nla_put_failure;
930 		ifmodes >>= 1;
931 		i++;
932 	}
933 
934 	nla_nest_end(msg, nl_modes);
935 	return 0;
936 
937 nla_put_failure:
938 	return -ENOBUFS;
939 }
940 
941 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
942 					  struct sk_buff *msg,
943 					  bool large)
944 {
945 	struct nlattr *nl_combis;
946 	int i, j;
947 
948 	nl_combis = nla_nest_start(msg,
949 				NL80211_ATTR_INTERFACE_COMBINATIONS);
950 	if (!nl_combis)
951 		goto nla_put_failure;
952 
953 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
954 		const struct ieee80211_iface_combination *c;
955 		struct nlattr *nl_combi, *nl_limits;
956 
957 		c = &wiphy->iface_combinations[i];
958 
959 		nl_combi = nla_nest_start(msg, i + 1);
960 		if (!nl_combi)
961 			goto nla_put_failure;
962 
963 		nl_limits = nla_nest_start(msg, NL80211_IFACE_COMB_LIMITS);
964 		if (!nl_limits)
965 			goto nla_put_failure;
966 
967 		for (j = 0; j < c->n_limits; j++) {
968 			struct nlattr *nl_limit;
969 
970 			nl_limit = nla_nest_start(msg, j + 1);
971 			if (!nl_limit)
972 				goto nla_put_failure;
973 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
974 					c->limits[j].max))
975 				goto nla_put_failure;
976 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
977 						c->limits[j].types))
978 				goto nla_put_failure;
979 			nla_nest_end(msg, nl_limit);
980 		}
981 
982 		nla_nest_end(msg, nl_limits);
983 
984 		if (c->beacon_int_infra_match &&
985 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
986 			goto nla_put_failure;
987 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
988 				c->num_different_channels) ||
989 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
990 				c->max_interfaces))
991 			goto nla_put_failure;
992 		if (large &&
993 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
994 				c->radar_detect_widths) ||
995 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
996 				c->radar_detect_regions)))
997 			goto nla_put_failure;
998 
999 		nla_nest_end(msg, nl_combi);
1000 	}
1001 
1002 	nla_nest_end(msg, nl_combis);
1003 
1004 	return 0;
1005 nla_put_failure:
1006 	return -ENOBUFS;
1007 }
1008 
1009 #ifdef CONFIG_PM
1010 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1011 					struct sk_buff *msg)
1012 {
1013 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1014 	struct nlattr *nl_tcp;
1015 
1016 	if (!tcp)
1017 		return 0;
1018 
1019 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1020 	if (!nl_tcp)
1021 		return -ENOBUFS;
1022 
1023 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1024 			tcp->data_payload_max))
1025 		return -ENOBUFS;
1026 
1027 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1028 			tcp->data_payload_max))
1029 		return -ENOBUFS;
1030 
1031 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1032 		return -ENOBUFS;
1033 
1034 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1035 				sizeof(*tcp->tok), tcp->tok))
1036 		return -ENOBUFS;
1037 
1038 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1039 			tcp->data_interval_max))
1040 		return -ENOBUFS;
1041 
1042 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1043 			tcp->wake_payload_max))
1044 		return -ENOBUFS;
1045 
1046 	nla_nest_end(msg, nl_tcp);
1047 	return 0;
1048 }
1049 
1050 static int nl80211_send_wowlan(struct sk_buff *msg,
1051 			       struct cfg80211_registered_device *rdev,
1052 			       bool large)
1053 {
1054 	struct nlattr *nl_wowlan;
1055 
1056 	if (!rdev->wiphy.wowlan)
1057 		return 0;
1058 
1059 	nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1060 	if (!nl_wowlan)
1061 		return -ENOBUFS;
1062 
1063 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1064 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1065 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1066 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1067 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1068 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1069 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1070 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1071 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1072 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1073 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1074 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1075 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1076 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1077 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1078 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1079 		return -ENOBUFS;
1080 
1081 	if (rdev->wiphy.wowlan->n_patterns) {
1082 		struct nl80211_pattern_support pat = {
1083 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1084 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1085 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1086 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1087 		};
1088 
1089 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1090 			    sizeof(pat), &pat))
1091 			return -ENOBUFS;
1092 	}
1093 
1094 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1095 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1096 			rdev->wiphy.wowlan->max_nd_match_sets))
1097 		return -ENOBUFS;
1098 
1099 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1100 		return -ENOBUFS;
1101 
1102 	nla_nest_end(msg, nl_wowlan);
1103 
1104 	return 0;
1105 }
1106 #endif
1107 
1108 static int nl80211_send_coalesce(struct sk_buff *msg,
1109 				 struct cfg80211_registered_device *rdev)
1110 {
1111 	struct nl80211_coalesce_rule_support rule;
1112 
1113 	if (!rdev->wiphy.coalesce)
1114 		return 0;
1115 
1116 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1117 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1118 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1119 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1120 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1121 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1122 
1123 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1124 		return -ENOBUFS;
1125 
1126 	return 0;
1127 }
1128 
1129 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1130 				      struct ieee80211_supported_band *sband)
1131 {
1132 	struct nlattr *nl_rates, *nl_rate;
1133 	struct ieee80211_rate *rate;
1134 	int i;
1135 
1136 	/* add HT info */
1137 	if (sband->ht_cap.ht_supported &&
1138 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1139 		     sizeof(sband->ht_cap.mcs),
1140 		     &sband->ht_cap.mcs) ||
1141 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1142 			 sband->ht_cap.cap) ||
1143 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1144 			sband->ht_cap.ampdu_factor) ||
1145 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1146 			sband->ht_cap.ampdu_density)))
1147 		return -ENOBUFS;
1148 
1149 	/* add VHT info */
1150 	if (sband->vht_cap.vht_supported &&
1151 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1152 		     sizeof(sband->vht_cap.vht_mcs),
1153 		     &sband->vht_cap.vht_mcs) ||
1154 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1155 			 sband->vht_cap.cap)))
1156 		return -ENOBUFS;
1157 
1158 	/* add bitrates */
1159 	nl_rates = nla_nest_start(msg, NL80211_BAND_ATTR_RATES);
1160 	if (!nl_rates)
1161 		return -ENOBUFS;
1162 
1163 	for (i = 0; i < sband->n_bitrates; i++) {
1164 		nl_rate = nla_nest_start(msg, i);
1165 		if (!nl_rate)
1166 			return -ENOBUFS;
1167 
1168 		rate = &sband->bitrates[i];
1169 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1170 				rate->bitrate))
1171 			return -ENOBUFS;
1172 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1173 		    nla_put_flag(msg,
1174 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1175 			return -ENOBUFS;
1176 
1177 		nla_nest_end(msg, nl_rate);
1178 	}
1179 
1180 	nla_nest_end(msg, nl_rates);
1181 
1182 	return 0;
1183 }
1184 
1185 static int
1186 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1187 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1188 {
1189 	u16 stypes;
1190 	struct nlattr *nl_ftypes, *nl_ifs;
1191 	enum nl80211_iftype ift;
1192 	int i;
1193 
1194 	if (!mgmt_stypes)
1195 		return 0;
1196 
1197 	nl_ifs = nla_nest_start(msg, NL80211_ATTR_TX_FRAME_TYPES);
1198 	if (!nl_ifs)
1199 		return -ENOBUFS;
1200 
1201 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1202 		nl_ftypes = nla_nest_start(msg, ift);
1203 		if (!nl_ftypes)
1204 			return -ENOBUFS;
1205 		i = 0;
1206 		stypes = mgmt_stypes[ift].tx;
1207 		while (stypes) {
1208 			if ((stypes & 1) &&
1209 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1210 					(i << 4) | IEEE80211_FTYPE_MGMT))
1211 				return -ENOBUFS;
1212 			stypes >>= 1;
1213 			i++;
1214 		}
1215 		nla_nest_end(msg, nl_ftypes);
1216 	}
1217 
1218 	nla_nest_end(msg, nl_ifs);
1219 
1220 	nl_ifs = nla_nest_start(msg, NL80211_ATTR_RX_FRAME_TYPES);
1221 	if (!nl_ifs)
1222 		return -ENOBUFS;
1223 
1224 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1225 		nl_ftypes = nla_nest_start(msg, ift);
1226 		if (!nl_ftypes)
1227 			return -ENOBUFS;
1228 		i = 0;
1229 		stypes = mgmt_stypes[ift].rx;
1230 		while (stypes) {
1231 			if ((stypes & 1) &&
1232 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1233 					(i << 4) | IEEE80211_FTYPE_MGMT))
1234 				return -ENOBUFS;
1235 			stypes >>= 1;
1236 			i++;
1237 		}
1238 		nla_nest_end(msg, nl_ftypes);
1239 	}
1240 	nla_nest_end(msg, nl_ifs);
1241 
1242 	return 0;
1243 }
1244 
1245 struct nl80211_dump_wiphy_state {
1246 	s64 filter_wiphy;
1247 	long start;
1248 	long split_start, band_start, chan_start;
1249 	bool split;
1250 };
1251 
1252 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
1253 			      enum nl80211_commands cmd,
1254 			      struct sk_buff *msg, u32 portid, u32 seq,
1255 			      int flags, struct nl80211_dump_wiphy_state *state)
1256 {
1257 	void *hdr;
1258 	struct nlattr *nl_bands, *nl_band;
1259 	struct nlattr *nl_freqs, *nl_freq;
1260 	struct nlattr *nl_cmds;
1261 	enum ieee80211_band band;
1262 	struct ieee80211_channel *chan;
1263 	int i;
1264 	const struct ieee80211_txrx_stypes *mgmt_stypes =
1265 				rdev->wiphy.mgmt_stypes;
1266 	u32 features;
1267 
1268 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
1269 	if (!hdr)
1270 		return -ENOBUFS;
1271 
1272 	if (WARN_ON(!state))
1273 		return -EINVAL;
1274 
1275 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
1276 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
1277 			   wiphy_name(&rdev->wiphy)) ||
1278 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
1279 			cfg80211_rdev_list_generation))
1280 		goto nla_put_failure;
1281 
1282 	if (cmd != NL80211_CMD_NEW_WIPHY)
1283 		goto finish;
1284 
1285 	switch (state->split_start) {
1286 	case 0:
1287 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
1288 			       rdev->wiphy.retry_short) ||
1289 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
1290 			       rdev->wiphy.retry_long) ||
1291 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
1292 				rdev->wiphy.frag_threshold) ||
1293 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
1294 				rdev->wiphy.rts_threshold) ||
1295 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
1296 			       rdev->wiphy.coverage_class) ||
1297 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
1298 			       rdev->wiphy.max_scan_ssids) ||
1299 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
1300 			       rdev->wiphy.max_sched_scan_ssids) ||
1301 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
1302 				rdev->wiphy.max_scan_ie_len) ||
1303 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
1304 				rdev->wiphy.max_sched_scan_ie_len) ||
1305 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
1306 			       rdev->wiphy.max_match_sets))
1307 			goto nla_put_failure;
1308 
1309 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
1310 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
1311 			goto nla_put_failure;
1312 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
1313 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
1314 			goto nla_put_failure;
1315 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
1316 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
1317 			goto nla_put_failure;
1318 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
1319 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
1320 			goto nla_put_failure;
1321 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
1322 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
1323 			goto nla_put_failure;
1324 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
1325 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
1326 			goto nla_put_failure;
1327 		state->split_start++;
1328 		if (state->split)
1329 			break;
1330 	case 1:
1331 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
1332 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
1333 			    rdev->wiphy.cipher_suites))
1334 			goto nla_put_failure;
1335 
1336 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
1337 			       rdev->wiphy.max_num_pmkids))
1338 			goto nla_put_failure;
1339 
1340 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
1341 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
1342 			goto nla_put_failure;
1343 
1344 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
1345 				rdev->wiphy.available_antennas_tx) ||
1346 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
1347 				rdev->wiphy.available_antennas_rx))
1348 			goto nla_put_failure;
1349 
1350 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
1351 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
1352 				rdev->wiphy.probe_resp_offload))
1353 			goto nla_put_failure;
1354 
1355 		if ((rdev->wiphy.available_antennas_tx ||
1356 		     rdev->wiphy.available_antennas_rx) &&
1357 		    rdev->ops->get_antenna) {
1358 			u32 tx_ant = 0, rx_ant = 0;
1359 			int res;
1360 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
1361 			if (!res) {
1362 				if (nla_put_u32(msg,
1363 						NL80211_ATTR_WIPHY_ANTENNA_TX,
1364 						tx_ant) ||
1365 				    nla_put_u32(msg,
1366 						NL80211_ATTR_WIPHY_ANTENNA_RX,
1367 						rx_ant))
1368 					goto nla_put_failure;
1369 			}
1370 		}
1371 
1372 		state->split_start++;
1373 		if (state->split)
1374 			break;
1375 	case 2:
1376 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
1377 					rdev->wiphy.interface_modes))
1378 				goto nla_put_failure;
1379 		state->split_start++;
1380 		if (state->split)
1381 			break;
1382 	case 3:
1383 		nl_bands = nla_nest_start(msg, NL80211_ATTR_WIPHY_BANDS);
1384 		if (!nl_bands)
1385 			goto nla_put_failure;
1386 
1387 		for (band = state->band_start;
1388 		     band < IEEE80211_NUM_BANDS; band++) {
1389 			struct ieee80211_supported_band *sband;
1390 
1391 			sband = rdev->wiphy.bands[band];
1392 
1393 			if (!sband)
1394 				continue;
1395 
1396 			nl_band = nla_nest_start(msg, band);
1397 			if (!nl_band)
1398 				goto nla_put_failure;
1399 
1400 			switch (state->chan_start) {
1401 			case 0:
1402 				if (nl80211_send_band_rateinfo(msg, sband))
1403 					goto nla_put_failure;
1404 				state->chan_start++;
1405 				if (state->split)
1406 					break;
1407 			default:
1408 				/* add frequencies */
1409 				nl_freqs = nla_nest_start(
1410 					msg, NL80211_BAND_ATTR_FREQS);
1411 				if (!nl_freqs)
1412 					goto nla_put_failure;
1413 
1414 				for (i = state->chan_start - 1;
1415 				     i < sband->n_channels;
1416 				     i++) {
1417 					nl_freq = nla_nest_start(msg, i);
1418 					if (!nl_freq)
1419 						goto nla_put_failure;
1420 
1421 					chan = &sband->channels[i];
1422 
1423 					if (nl80211_msg_put_channel(
1424 							msg, chan,
1425 							state->split))
1426 						goto nla_put_failure;
1427 
1428 					nla_nest_end(msg, nl_freq);
1429 					if (state->split)
1430 						break;
1431 				}
1432 				if (i < sband->n_channels)
1433 					state->chan_start = i + 2;
1434 				else
1435 					state->chan_start = 0;
1436 				nla_nest_end(msg, nl_freqs);
1437 			}
1438 
1439 			nla_nest_end(msg, nl_band);
1440 
1441 			if (state->split) {
1442 				/* start again here */
1443 				if (state->chan_start)
1444 					band--;
1445 				break;
1446 			}
1447 		}
1448 		nla_nest_end(msg, nl_bands);
1449 
1450 		if (band < IEEE80211_NUM_BANDS)
1451 			state->band_start = band + 1;
1452 		else
1453 			state->band_start = 0;
1454 
1455 		/* if bands & channels are done, continue outside */
1456 		if (state->band_start == 0 && state->chan_start == 0)
1457 			state->split_start++;
1458 		if (state->split)
1459 			break;
1460 	case 4:
1461 		nl_cmds = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_COMMANDS);
1462 		if (!nl_cmds)
1463 			goto nla_put_failure;
1464 
1465 		i = 0;
1466 #define CMD(op, n)							\
1467 		 do {							\
1468 			if (rdev->ops->op) {				\
1469 				i++;					\
1470 				if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) \
1471 					goto nla_put_failure;		\
1472 			}						\
1473 		} while (0)
1474 
1475 		CMD(add_virtual_intf, NEW_INTERFACE);
1476 		CMD(change_virtual_intf, SET_INTERFACE);
1477 		CMD(add_key, NEW_KEY);
1478 		CMD(start_ap, START_AP);
1479 		CMD(add_station, NEW_STATION);
1480 		CMD(add_mpath, NEW_MPATH);
1481 		CMD(update_mesh_config, SET_MESH_CONFIG);
1482 		CMD(change_bss, SET_BSS);
1483 		CMD(auth, AUTHENTICATE);
1484 		CMD(assoc, ASSOCIATE);
1485 		CMD(deauth, DEAUTHENTICATE);
1486 		CMD(disassoc, DISASSOCIATE);
1487 		CMD(join_ibss, JOIN_IBSS);
1488 		CMD(join_mesh, JOIN_MESH);
1489 		CMD(set_pmksa, SET_PMKSA);
1490 		CMD(del_pmksa, DEL_PMKSA);
1491 		CMD(flush_pmksa, FLUSH_PMKSA);
1492 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1493 			CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1494 		CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1495 		CMD(mgmt_tx, FRAME);
1496 		CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1497 		if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1498 			i++;
1499 			if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1500 				goto nla_put_failure;
1501 		}
1502 		if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1503 		    rdev->ops->join_mesh) {
1504 			i++;
1505 			if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1506 				goto nla_put_failure;
1507 		}
1508 		CMD(set_wds_peer, SET_WDS_PEER);
1509 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1510 			CMD(tdls_mgmt, TDLS_MGMT);
1511 			CMD(tdls_oper, TDLS_OPER);
1512 		}
1513 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
1514 			CMD(sched_scan_start, START_SCHED_SCAN);
1515 		CMD(probe_client, PROBE_CLIENT);
1516 		CMD(set_noack_map, SET_NOACK_MAP);
1517 		if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1518 			i++;
1519 			if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1520 				goto nla_put_failure;
1521 		}
1522 		CMD(start_p2p_device, START_P2P_DEVICE);
1523 		CMD(set_mcast_rate, SET_MCAST_RATE);
1524 #ifdef CONFIG_NL80211_TESTMODE
1525 		CMD(testmode_cmd, TESTMODE);
1526 #endif
1527 		if (state->split) {
1528 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
1529 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
1530 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
1531 				CMD(channel_switch, CHANNEL_SWITCH);
1532 			CMD(set_qos_map, SET_QOS_MAP);
1533 			if (rdev->wiphy.features &
1534 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
1535 				CMD(add_tx_ts, ADD_TX_TS);
1536 		}
1537 		/* add into the if now */
1538 #undef CMD
1539 
1540 		if (rdev->ops->connect || rdev->ops->auth) {
1541 			i++;
1542 			if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1543 				goto nla_put_failure;
1544 		}
1545 
1546 		if (rdev->ops->disconnect || rdev->ops->deauth) {
1547 			i++;
1548 			if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1549 				goto nla_put_failure;
1550 		}
1551 
1552 		nla_nest_end(msg, nl_cmds);
1553 		state->split_start++;
1554 		if (state->split)
1555 			break;
1556 	case 5:
1557 		if (rdev->ops->remain_on_channel &&
1558 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
1559 		    nla_put_u32(msg,
1560 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
1561 				rdev->wiphy.max_remain_on_channel_duration))
1562 			goto nla_put_failure;
1563 
1564 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
1565 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
1566 			goto nla_put_failure;
1567 
1568 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
1569 			goto nla_put_failure;
1570 		state->split_start++;
1571 		if (state->split)
1572 			break;
1573 	case 6:
1574 #ifdef CONFIG_PM
1575 		if (nl80211_send_wowlan(msg, rdev, state->split))
1576 			goto nla_put_failure;
1577 		state->split_start++;
1578 		if (state->split)
1579 			break;
1580 #else
1581 		state->split_start++;
1582 #endif
1583 	case 7:
1584 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
1585 					rdev->wiphy.software_iftypes))
1586 			goto nla_put_failure;
1587 
1588 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
1589 						   state->split))
1590 			goto nla_put_failure;
1591 
1592 		state->split_start++;
1593 		if (state->split)
1594 			break;
1595 	case 8:
1596 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
1597 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
1598 				rdev->wiphy.ap_sme_capa))
1599 			goto nla_put_failure;
1600 
1601 		features = rdev->wiphy.features;
1602 		/*
1603 		 * We can only add the per-channel limit information if the
1604 		 * dump is split, otherwise it makes it too big. Therefore
1605 		 * only advertise it in that case.
1606 		 */
1607 		if (state->split)
1608 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
1609 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
1610 			goto nla_put_failure;
1611 
1612 		if (rdev->wiphy.ht_capa_mod_mask &&
1613 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
1614 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
1615 			    rdev->wiphy.ht_capa_mod_mask))
1616 			goto nla_put_failure;
1617 
1618 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
1619 		    rdev->wiphy.max_acl_mac_addrs &&
1620 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
1621 				rdev->wiphy.max_acl_mac_addrs))
1622 			goto nla_put_failure;
1623 
1624 		/*
1625 		 * Any information below this point is only available to
1626 		 * applications that can deal with it being split. This
1627 		 * helps ensure that newly added capabilities don't break
1628 		 * older tools by overrunning their buffers.
1629 		 *
1630 		 * We still increment split_start so that in the split
1631 		 * case we'll continue with more data in the next round,
1632 		 * but break unconditionally so unsplit data stops here.
1633 		 */
1634 		state->split_start++;
1635 		break;
1636 	case 9:
1637 		if (rdev->wiphy.extended_capabilities &&
1638 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
1639 			     rdev->wiphy.extended_capabilities_len,
1640 			     rdev->wiphy.extended_capabilities) ||
1641 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
1642 			     rdev->wiphy.extended_capabilities_len,
1643 			     rdev->wiphy.extended_capabilities_mask)))
1644 			goto nla_put_failure;
1645 
1646 		if (rdev->wiphy.vht_capa_mod_mask &&
1647 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
1648 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
1649 			    rdev->wiphy.vht_capa_mod_mask))
1650 			goto nla_put_failure;
1651 
1652 		state->split_start++;
1653 		break;
1654 	case 10:
1655 		if (nl80211_send_coalesce(msg, rdev))
1656 			goto nla_put_failure;
1657 
1658 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
1659 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
1660 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
1661 			goto nla_put_failure;
1662 
1663 		if (rdev->wiphy.max_ap_assoc_sta &&
1664 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
1665 				rdev->wiphy.max_ap_assoc_sta))
1666 			goto nla_put_failure;
1667 
1668 		state->split_start++;
1669 		break;
1670 	case 11:
1671 		if (rdev->wiphy.n_vendor_commands) {
1672 			const struct nl80211_vendor_cmd_info *info;
1673 			struct nlattr *nested;
1674 
1675 			nested = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
1676 			if (!nested)
1677 				goto nla_put_failure;
1678 
1679 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
1680 				info = &rdev->wiphy.vendor_commands[i].info;
1681 				if (nla_put(msg, i + 1, sizeof(*info), info))
1682 					goto nla_put_failure;
1683 			}
1684 			nla_nest_end(msg, nested);
1685 		}
1686 
1687 		if (rdev->wiphy.n_vendor_events) {
1688 			const struct nl80211_vendor_cmd_info *info;
1689 			struct nlattr *nested;
1690 
1691 			nested = nla_nest_start(msg,
1692 						NL80211_ATTR_VENDOR_EVENTS);
1693 			if (!nested)
1694 				goto nla_put_failure;
1695 
1696 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
1697 				info = &rdev->wiphy.vendor_events[i];
1698 				if (nla_put(msg, i + 1, sizeof(*info), info))
1699 					goto nla_put_failure;
1700 			}
1701 			nla_nest_end(msg, nested);
1702 		}
1703 		state->split_start++;
1704 		break;
1705 	case 12:
1706 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
1707 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
1708 			       rdev->wiphy.max_num_csa_counters))
1709 			goto nla_put_failure;
1710 
1711 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
1712 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
1713 			goto nla_put_failure;
1714 
1715 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
1716 			    sizeof(rdev->wiphy.ext_features),
1717 			    rdev->wiphy.ext_features))
1718 			goto nla_put_failure;
1719 
1720 		/* done */
1721 		state->split_start = 0;
1722 		break;
1723 	}
1724  finish:
1725 	genlmsg_end(msg, hdr);
1726 	return 0;
1727 
1728  nla_put_failure:
1729 	genlmsg_cancel(msg, hdr);
1730 	return -EMSGSIZE;
1731 }
1732 
1733 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
1734 				    struct netlink_callback *cb,
1735 				    struct nl80211_dump_wiphy_state *state)
1736 {
1737 	struct nlattr **tb = nl80211_fam.attrbuf;
1738 	int ret = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
1739 			      tb, nl80211_fam.maxattr, nl80211_policy);
1740 	/* ignore parse errors for backward compatibility */
1741 	if (ret)
1742 		return 0;
1743 
1744 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
1745 	if (tb[NL80211_ATTR_WIPHY])
1746 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
1747 	if (tb[NL80211_ATTR_WDEV])
1748 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
1749 	if (tb[NL80211_ATTR_IFINDEX]) {
1750 		struct net_device *netdev;
1751 		struct cfg80211_registered_device *rdev;
1752 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
1753 
1754 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
1755 		if (!netdev)
1756 			return -ENODEV;
1757 		if (netdev->ieee80211_ptr) {
1758 			rdev = wiphy_to_rdev(
1759 				netdev->ieee80211_ptr->wiphy);
1760 			state->filter_wiphy = rdev->wiphy_idx;
1761 		}
1762 	}
1763 
1764 	return 0;
1765 }
1766 
1767 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
1768 {
1769 	int idx = 0, ret;
1770 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
1771 	struct cfg80211_registered_device *rdev;
1772 
1773 	rtnl_lock();
1774 	if (!state) {
1775 		state = kzalloc(sizeof(*state), GFP_KERNEL);
1776 		if (!state) {
1777 			rtnl_unlock();
1778 			return -ENOMEM;
1779 		}
1780 		state->filter_wiphy = -1;
1781 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
1782 		if (ret) {
1783 			kfree(state);
1784 			rtnl_unlock();
1785 			return ret;
1786 		}
1787 		cb->args[0] = (long)state;
1788 	}
1789 
1790 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
1791 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
1792 			continue;
1793 		if (++idx <= state->start)
1794 			continue;
1795 		if (state->filter_wiphy != -1 &&
1796 		    state->filter_wiphy != rdev->wiphy_idx)
1797 			continue;
1798 		/* attempt to fit multiple wiphy data chunks into the skb */
1799 		do {
1800 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
1801 						 skb,
1802 						 NETLINK_CB(cb->skb).portid,
1803 						 cb->nlh->nlmsg_seq,
1804 						 NLM_F_MULTI, state);
1805 			if (ret < 0) {
1806 				/*
1807 				 * If sending the wiphy data didn't fit (ENOBUFS
1808 				 * or EMSGSIZE returned), this SKB is still
1809 				 * empty (so it's not too big because another
1810 				 * wiphy dataset is already in the skb) and
1811 				 * we've not tried to adjust the dump allocation
1812 				 * yet ... then adjust the alloc size to be
1813 				 * bigger, and return 1 but with the empty skb.
1814 				 * This results in an empty message being RX'ed
1815 				 * in userspace, but that is ignored.
1816 				 *
1817 				 * We can then retry with the larger buffer.
1818 				 */
1819 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
1820 				    !skb->len && !state->split &&
1821 				    cb->min_dump_alloc < 4096) {
1822 					cb->min_dump_alloc = 4096;
1823 					state->split_start = 0;
1824 					rtnl_unlock();
1825 					return 1;
1826 				}
1827 				idx--;
1828 				break;
1829 			}
1830 		} while (state->split_start > 0);
1831 		break;
1832 	}
1833 	rtnl_unlock();
1834 
1835 	state->start = idx;
1836 
1837 	return skb->len;
1838 }
1839 
1840 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
1841 {
1842 	kfree((void *)cb->args[0]);
1843 	return 0;
1844 }
1845 
1846 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
1847 {
1848 	struct sk_buff *msg;
1849 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
1850 	struct nl80211_dump_wiphy_state state = {};
1851 
1852 	msg = nlmsg_new(4096, GFP_KERNEL);
1853 	if (!msg)
1854 		return -ENOMEM;
1855 
1856 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
1857 			       info->snd_portid, info->snd_seq, 0,
1858 			       &state) < 0) {
1859 		nlmsg_free(msg);
1860 		return -ENOBUFS;
1861 	}
1862 
1863 	return genlmsg_reply(msg, info);
1864 }
1865 
1866 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
1867 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
1868 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
1869 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
1870 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
1871 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
1872 };
1873 
1874 static int parse_txq_params(struct nlattr *tb[],
1875 			    struct ieee80211_txq_params *txq_params)
1876 {
1877 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
1878 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
1879 	    !tb[NL80211_TXQ_ATTR_AIFS])
1880 		return -EINVAL;
1881 
1882 	txq_params->ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
1883 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
1884 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
1885 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
1886 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
1887 
1888 	if (txq_params->ac >= NL80211_NUM_ACS)
1889 		return -EINVAL;
1890 
1891 	return 0;
1892 }
1893 
1894 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
1895 {
1896 	/*
1897 	 * You can only set the channel explicitly for WDS interfaces,
1898 	 * all others have their channel managed via their respective
1899 	 * "establish a connection" command (connect, join, ...)
1900 	 *
1901 	 * For AP/GO and mesh mode, the channel can be set with the
1902 	 * channel userspace API, but is only stored and passed to the
1903 	 * low-level driver when the AP starts or the mesh is joined.
1904 	 * This is for backward compatibility, userspace can also give
1905 	 * the channel in the start-ap or join-mesh commands instead.
1906 	 *
1907 	 * Monitors are special as they are normally slaved to
1908 	 * whatever else is going on, so they have their own special
1909 	 * operation to set the monitor channel if possible.
1910 	 */
1911 	return !wdev ||
1912 		wdev->iftype == NL80211_IFTYPE_AP ||
1913 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
1914 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
1915 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
1916 }
1917 
1918 static int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
1919 				 struct genl_info *info,
1920 				 struct cfg80211_chan_def *chandef)
1921 {
1922 	u32 control_freq;
1923 
1924 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
1925 		return -EINVAL;
1926 
1927 	control_freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
1928 
1929 	chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
1930 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
1931 	chandef->center_freq1 = control_freq;
1932 	chandef->center_freq2 = 0;
1933 
1934 	/* Primary channel not allowed */
1935 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED)
1936 		return -EINVAL;
1937 
1938 	if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
1939 		enum nl80211_channel_type chantype;
1940 
1941 		chantype = nla_get_u32(
1942 				info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
1943 
1944 		switch (chantype) {
1945 		case NL80211_CHAN_NO_HT:
1946 		case NL80211_CHAN_HT20:
1947 		case NL80211_CHAN_HT40PLUS:
1948 		case NL80211_CHAN_HT40MINUS:
1949 			cfg80211_chandef_create(chandef, chandef->chan,
1950 						chantype);
1951 			break;
1952 		default:
1953 			return -EINVAL;
1954 		}
1955 	} else if (info->attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
1956 		chandef->width =
1957 			nla_get_u32(info->attrs[NL80211_ATTR_CHANNEL_WIDTH]);
1958 		if (info->attrs[NL80211_ATTR_CENTER_FREQ1])
1959 			chandef->center_freq1 =
1960 				nla_get_u32(
1961 					info->attrs[NL80211_ATTR_CENTER_FREQ1]);
1962 		if (info->attrs[NL80211_ATTR_CENTER_FREQ2])
1963 			chandef->center_freq2 =
1964 				nla_get_u32(
1965 					info->attrs[NL80211_ATTR_CENTER_FREQ2]);
1966 	}
1967 
1968 	if (!cfg80211_chandef_valid(chandef))
1969 		return -EINVAL;
1970 
1971 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
1972 				     IEEE80211_CHAN_DISABLED))
1973 		return -EINVAL;
1974 
1975 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
1976 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
1977 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ))
1978 		return -EINVAL;
1979 
1980 	return 0;
1981 }
1982 
1983 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
1984 				 struct net_device *dev,
1985 				 struct genl_info *info)
1986 {
1987 	struct cfg80211_chan_def chandef;
1988 	int result;
1989 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
1990 	struct wireless_dev *wdev = NULL;
1991 
1992 	if (dev)
1993 		wdev = dev->ieee80211_ptr;
1994 	if (!nl80211_can_set_dev_channel(wdev))
1995 		return -EOPNOTSUPP;
1996 	if (wdev)
1997 		iftype = wdev->iftype;
1998 
1999 	result = nl80211_parse_chandef(rdev, info, &chandef);
2000 	if (result)
2001 		return result;
2002 
2003 	switch (iftype) {
2004 	case NL80211_IFTYPE_AP:
2005 	case NL80211_IFTYPE_P2P_GO:
2006 		if (!cfg80211_reg_can_beacon(&rdev->wiphy, &chandef, iftype)) {
2007 			result = -EINVAL;
2008 			break;
2009 		}
2010 		if (wdev->beacon_interval) {
2011 			if (!dev || !rdev->ops->set_ap_chanwidth ||
2012 			    !(rdev->wiphy.features &
2013 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
2014 				result = -EBUSY;
2015 				break;
2016 			}
2017 
2018 			/* Only allow dynamic channel width changes */
2019 			if (chandef.chan != wdev->preset_chandef.chan) {
2020 				result = -EBUSY;
2021 				break;
2022 			}
2023 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
2024 			if (result)
2025 				break;
2026 		}
2027 		wdev->preset_chandef = chandef;
2028 		result = 0;
2029 		break;
2030 	case NL80211_IFTYPE_MESH_POINT:
2031 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
2032 		break;
2033 	case NL80211_IFTYPE_MONITOR:
2034 		result = cfg80211_set_monitor_channel(rdev, &chandef);
2035 		break;
2036 	default:
2037 		result = -EINVAL;
2038 	}
2039 
2040 	return result;
2041 }
2042 
2043 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
2044 {
2045 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2046 	struct net_device *netdev = info->user_ptr[1];
2047 
2048 	return __nl80211_set_channel(rdev, netdev, info);
2049 }
2050 
2051 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
2052 {
2053 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2054 	struct net_device *dev = info->user_ptr[1];
2055 	struct wireless_dev *wdev = dev->ieee80211_ptr;
2056 	const u8 *bssid;
2057 
2058 	if (!info->attrs[NL80211_ATTR_MAC])
2059 		return -EINVAL;
2060 
2061 	if (netif_running(dev))
2062 		return -EBUSY;
2063 
2064 	if (!rdev->ops->set_wds_peer)
2065 		return -EOPNOTSUPP;
2066 
2067 	if (wdev->iftype != NL80211_IFTYPE_WDS)
2068 		return -EOPNOTSUPP;
2069 
2070 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
2071 	return rdev_set_wds_peer(rdev, dev, bssid);
2072 }
2073 
2074 
2075 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
2076 {
2077 	struct cfg80211_registered_device *rdev;
2078 	struct net_device *netdev = NULL;
2079 	struct wireless_dev *wdev;
2080 	int result = 0, rem_txq_params = 0;
2081 	struct nlattr *nl_txq_params;
2082 	u32 changed;
2083 	u8 retry_short = 0, retry_long = 0;
2084 	u32 frag_threshold = 0, rts_threshold = 0;
2085 	u8 coverage_class = 0;
2086 
2087 	ASSERT_RTNL();
2088 
2089 	/*
2090 	 * Try to find the wiphy and netdev. Normally this
2091 	 * function shouldn't need the netdev, but this is
2092 	 * done for backward compatibility -- previously
2093 	 * setting the channel was done per wiphy, but now
2094 	 * it is per netdev. Previous userland like hostapd
2095 	 * also passed a netdev to set_wiphy, so that it is
2096 	 * possible to let that go to the right netdev!
2097 	 */
2098 
2099 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
2100 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
2101 
2102 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
2103 		if (netdev && netdev->ieee80211_ptr)
2104 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
2105 		else
2106 			netdev = NULL;
2107 	}
2108 
2109 	if (!netdev) {
2110 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
2111 						  info->attrs);
2112 		if (IS_ERR(rdev))
2113 			return PTR_ERR(rdev);
2114 		wdev = NULL;
2115 		netdev = NULL;
2116 		result = 0;
2117 	} else
2118 		wdev = netdev->ieee80211_ptr;
2119 
2120 	/*
2121 	 * end workaround code, by now the rdev is available
2122 	 * and locked, and wdev may or may not be NULL.
2123 	 */
2124 
2125 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
2126 		result = cfg80211_dev_rename(
2127 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
2128 
2129 	if (result)
2130 		return result;
2131 
2132 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
2133 		struct ieee80211_txq_params txq_params;
2134 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
2135 
2136 		if (!rdev->ops->set_txq_params)
2137 			return -EOPNOTSUPP;
2138 
2139 		if (!netdev)
2140 			return -EINVAL;
2141 
2142 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2143 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2144 			return -EINVAL;
2145 
2146 		if (!netif_running(netdev))
2147 			return -ENETDOWN;
2148 
2149 		nla_for_each_nested(nl_txq_params,
2150 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
2151 				    rem_txq_params) {
2152 			result = nla_parse(tb, NL80211_TXQ_ATTR_MAX,
2153 					   nla_data(nl_txq_params),
2154 					   nla_len(nl_txq_params),
2155 					   txq_params_policy);
2156 			if (result)
2157 				return result;
2158 			result = parse_txq_params(tb, &txq_params);
2159 			if (result)
2160 				return result;
2161 
2162 			result = rdev_set_txq_params(rdev, netdev,
2163 						     &txq_params);
2164 			if (result)
2165 				return result;
2166 		}
2167 	}
2168 
2169 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2170 		result = __nl80211_set_channel(
2171 			rdev,
2172 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
2173 			info);
2174 		if (result)
2175 			return result;
2176 	}
2177 
2178 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
2179 		struct wireless_dev *txp_wdev = wdev;
2180 		enum nl80211_tx_power_setting type;
2181 		int idx, mbm = 0;
2182 
2183 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
2184 			txp_wdev = NULL;
2185 
2186 		if (!rdev->ops->set_tx_power)
2187 			return -EOPNOTSUPP;
2188 
2189 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
2190 		type = nla_get_u32(info->attrs[idx]);
2191 
2192 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
2193 		    (type != NL80211_TX_POWER_AUTOMATIC))
2194 			return -EINVAL;
2195 
2196 		if (type != NL80211_TX_POWER_AUTOMATIC) {
2197 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
2198 			mbm = nla_get_u32(info->attrs[idx]);
2199 		}
2200 
2201 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
2202 		if (result)
2203 			return result;
2204 	}
2205 
2206 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
2207 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
2208 		u32 tx_ant, rx_ant;
2209 		if ((!rdev->wiphy.available_antennas_tx &&
2210 		     !rdev->wiphy.available_antennas_rx) ||
2211 		    !rdev->ops->set_antenna)
2212 			return -EOPNOTSUPP;
2213 
2214 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
2215 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
2216 
2217 		/* reject antenna configurations which don't match the
2218 		 * available antenna masks, except for the "all" mask */
2219 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
2220 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
2221 			return -EINVAL;
2222 
2223 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
2224 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
2225 
2226 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
2227 		if (result)
2228 			return result;
2229 	}
2230 
2231 	changed = 0;
2232 
2233 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
2234 		retry_short = nla_get_u8(
2235 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
2236 		if (retry_short == 0)
2237 			return -EINVAL;
2238 
2239 		changed |= WIPHY_PARAM_RETRY_SHORT;
2240 	}
2241 
2242 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
2243 		retry_long = nla_get_u8(
2244 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
2245 		if (retry_long == 0)
2246 			return -EINVAL;
2247 
2248 		changed |= WIPHY_PARAM_RETRY_LONG;
2249 	}
2250 
2251 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
2252 		frag_threshold = nla_get_u32(
2253 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
2254 		if (frag_threshold < 256)
2255 			return -EINVAL;
2256 
2257 		if (frag_threshold != (u32) -1) {
2258 			/*
2259 			 * Fragments (apart from the last one) are required to
2260 			 * have even length. Make the fragmentation code
2261 			 * simpler by stripping LSB should someone try to use
2262 			 * odd threshold value.
2263 			 */
2264 			frag_threshold &= ~0x1;
2265 		}
2266 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
2267 	}
2268 
2269 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
2270 		rts_threshold = nla_get_u32(
2271 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
2272 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
2273 	}
2274 
2275 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
2276 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
2277 			return -EINVAL;
2278 
2279 		coverage_class = nla_get_u8(
2280 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
2281 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
2282 	}
2283 
2284 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
2285 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
2286 			return -EOPNOTSUPP;
2287 
2288 		changed |= WIPHY_PARAM_DYN_ACK;
2289 	}
2290 
2291 	if (changed) {
2292 		u8 old_retry_short, old_retry_long;
2293 		u32 old_frag_threshold, old_rts_threshold;
2294 		u8 old_coverage_class;
2295 
2296 		if (!rdev->ops->set_wiphy_params)
2297 			return -EOPNOTSUPP;
2298 
2299 		old_retry_short = rdev->wiphy.retry_short;
2300 		old_retry_long = rdev->wiphy.retry_long;
2301 		old_frag_threshold = rdev->wiphy.frag_threshold;
2302 		old_rts_threshold = rdev->wiphy.rts_threshold;
2303 		old_coverage_class = rdev->wiphy.coverage_class;
2304 
2305 		if (changed & WIPHY_PARAM_RETRY_SHORT)
2306 			rdev->wiphy.retry_short = retry_short;
2307 		if (changed & WIPHY_PARAM_RETRY_LONG)
2308 			rdev->wiphy.retry_long = retry_long;
2309 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
2310 			rdev->wiphy.frag_threshold = frag_threshold;
2311 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
2312 			rdev->wiphy.rts_threshold = rts_threshold;
2313 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
2314 			rdev->wiphy.coverage_class = coverage_class;
2315 
2316 		result = rdev_set_wiphy_params(rdev, changed);
2317 		if (result) {
2318 			rdev->wiphy.retry_short = old_retry_short;
2319 			rdev->wiphy.retry_long = old_retry_long;
2320 			rdev->wiphy.frag_threshold = old_frag_threshold;
2321 			rdev->wiphy.rts_threshold = old_rts_threshold;
2322 			rdev->wiphy.coverage_class = old_coverage_class;
2323 		}
2324 	}
2325 	return 0;
2326 }
2327 
2328 static inline u64 wdev_id(struct wireless_dev *wdev)
2329 {
2330 	return (u64)wdev->identifier |
2331 	       ((u64)wiphy_to_rdev(wdev->wiphy)->wiphy_idx << 32);
2332 }
2333 
2334 static int nl80211_send_chandef(struct sk_buff *msg,
2335 				const struct cfg80211_chan_def *chandef)
2336 {
2337 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
2338 		return -EINVAL;
2339 
2340 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
2341 			chandef->chan->center_freq))
2342 		return -ENOBUFS;
2343 	switch (chandef->width) {
2344 	case NL80211_CHAN_WIDTH_20_NOHT:
2345 	case NL80211_CHAN_WIDTH_20:
2346 	case NL80211_CHAN_WIDTH_40:
2347 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
2348 				cfg80211_get_chandef_type(chandef)))
2349 			return -ENOBUFS;
2350 		break;
2351 	default:
2352 		break;
2353 	}
2354 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
2355 		return -ENOBUFS;
2356 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
2357 		return -ENOBUFS;
2358 	if (chandef->center_freq2 &&
2359 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
2360 		return -ENOBUFS;
2361 	return 0;
2362 }
2363 
2364 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
2365 			      struct cfg80211_registered_device *rdev,
2366 			      struct wireless_dev *wdev, bool removal)
2367 {
2368 	struct net_device *dev = wdev->netdev;
2369 	u8 cmd = NL80211_CMD_NEW_INTERFACE;
2370 	void *hdr;
2371 
2372 	if (removal)
2373 		cmd = NL80211_CMD_DEL_INTERFACE;
2374 
2375 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2376 	if (!hdr)
2377 		return -1;
2378 
2379 	if (dev &&
2380 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2381 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
2382 		goto nla_put_failure;
2383 
2384 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2385 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
2386 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
2387 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
2388 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2389 			rdev->devlist_generation ^
2390 			(cfg80211_rdev_list_generation << 2)))
2391 		goto nla_put_failure;
2392 
2393 	if (rdev->ops->get_channel) {
2394 		int ret;
2395 		struct cfg80211_chan_def chandef;
2396 
2397 		ret = rdev_get_channel(rdev, wdev, &chandef);
2398 		if (ret == 0) {
2399 			if (nl80211_send_chandef(msg, &chandef))
2400 				goto nla_put_failure;
2401 		}
2402 	}
2403 
2404 	if (wdev->ssid_len) {
2405 		if (nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
2406 			goto nla_put_failure;
2407 	}
2408 
2409 	genlmsg_end(msg, hdr);
2410 	return 0;
2411 
2412  nla_put_failure:
2413 	genlmsg_cancel(msg, hdr);
2414 	return -EMSGSIZE;
2415 }
2416 
2417 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
2418 {
2419 	int wp_idx = 0;
2420 	int if_idx = 0;
2421 	int wp_start = cb->args[0];
2422 	int if_start = cb->args[1];
2423 	struct cfg80211_registered_device *rdev;
2424 	struct wireless_dev *wdev;
2425 
2426 	rtnl_lock();
2427 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2428 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2429 			continue;
2430 		if (wp_idx < wp_start) {
2431 			wp_idx++;
2432 			continue;
2433 		}
2434 		if_idx = 0;
2435 
2436 		list_for_each_entry(wdev, &rdev->wdev_list, list) {
2437 			if (if_idx < if_start) {
2438 				if_idx++;
2439 				continue;
2440 			}
2441 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
2442 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
2443 					       rdev, wdev, false) < 0) {
2444 				goto out;
2445 			}
2446 			if_idx++;
2447 		}
2448 
2449 		wp_idx++;
2450 	}
2451  out:
2452 	rtnl_unlock();
2453 
2454 	cb->args[0] = wp_idx;
2455 	cb->args[1] = if_idx;
2456 
2457 	return skb->len;
2458 }
2459 
2460 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
2461 {
2462 	struct sk_buff *msg;
2463 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2464 	struct wireless_dev *wdev = info->user_ptr[1];
2465 
2466 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2467 	if (!msg)
2468 		return -ENOMEM;
2469 
2470 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2471 			       rdev, wdev, false) < 0) {
2472 		nlmsg_free(msg);
2473 		return -ENOBUFS;
2474 	}
2475 
2476 	return genlmsg_reply(msg, info);
2477 }
2478 
2479 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
2480 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
2481 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
2482 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
2483 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
2484 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
2485 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
2486 };
2487 
2488 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
2489 {
2490 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
2491 	int flag;
2492 
2493 	*mntrflags = 0;
2494 
2495 	if (!nla)
2496 		return -EINVAL;
2497 
2498 	if (nla_parse_nested(flags, NL80211_MNTR_FLAG_MAX,
2499 			     nla, mntr_flags_policy))
2500 		return -EINVAL;
2501 
2502 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
2503 		if (flags[flag])
2504 			*mntrflags |= (1<<flag);
2505 
2506 	return 0;
2507 }
2508 
2509 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
2510 			       struct net_device *netdev, u8 use_4addr,
2511 			       enum nl80211_iftype iftype)
2512 {
2513 	if (!use_4addr) {
2514 		if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
2515 			return -EBUSY;
2516 		return 0;
2517 	}
2518 
2519 	switch (iftype) {
2520 	case NL80211_IFTYPE_AP_VLAN:
2521 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
2522 			return 0;
2523 		break;
2524 	case NL80211_IFTYPE_STATION:
2525 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
2526 			return 0;
2527 		break;
2528 	default:
2529 		break;
2530 	}
2531 
2532 	return -EOPNOTSUPP;
2533 }
2534 
2535 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
2536 {
2537 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2538 	struct vif_params params;
2539 	int err;
2540 	enum nl80211_iftype otype, ntype;
2541 	struct net_device *dev = info->user_ptr[1];
2542 	u32 _flags, *flags = NULL;
2543 	bool change = false;
2544 
2545 	memset(&params, 0, sizeof(params));
2546 
2547 	otype = ntype = dev->ieee80211_ptr->iftype;
2548 
2549 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2550 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2551 		if (otype != ntype)
2552 			change = true;
2553 		if (ntype > NL80211_IFTYPE_MAX)
2554 			return -EINVAL;
2555 	}
2556 
2557 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
2558 		struct wireless_dev *wdev = dev->ieee80211_ptr;
2559 
2560 		if (ntype != NL80211_IFTYPE_MESH_POINT)
2561 			return -EINVAL;
2562 		if (netif_running(dev))
2563 			return -EBUSY;
2564 
2565 		wdev_lock(wdev);
2566 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2567 			     IEEE80211_MAX_MESH_ID_LEN);
2568 		wdev->mesh_id_up_len =
2569 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2570 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2571 		       wdev->mesh_id_up_len);
2572 		wdev_unlock(wdev);
2573 	}
2574 
2575 	if (info->attrs[NL80211_ATTR_4ADDR]) {
2576 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2577 		change = true;
2578 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
2579 		if (err)
2580 			return err;
2581 	} else {
2582 		params.use_4addr = -1;
2583 	}
2584 
2585 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
2586 		if (ntype != NL80211_IFTYPE_MONITOR)
2587 			return -EINVAL;
2588 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
2589 					  &_flags);
2590 		if (err)
2591 			return err;
2592 
2593 		flags = &_flags;
2594 		change = true;
2595 	}
2596 
2597 	if (flags && (*flags & MONITOR_FLAG_ACTIVE) &&
2598 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
2599 		return -EOPNOTSUPP;
2600 
2601 	if (change)
2602 		err = cfg80211_change_iface(rdev, dev, ntype, flags, &params);
2603 	else
2604 		err = 0;
2605 
2606 	if (!err && params.use_4addr != -1)
2607 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
2608 
2609 	return err;
2610 }
2611 
2612 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
2613 {
2614 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2615 	struct vif_params params;
2616 	struct wireless_dev *wdev;
2617 	struct sk_buff *msg, *event;
2618 	int err;
2619 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
2620 	u32 flags;
2621 
2622 	/* to avoid failing a new interface creation due to pending removal */
2623 	cfg80211_destroy_ifaces(rdev);
2624 
2625 	memset(&params, 0, sizeof(params));
2626 
2627 	if (!info->attrs[NL80211_ATTR_IFNAME])
2628 		return -EINVAL;
2629 
2630 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2631 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2632 		if (type > NL80211_IFTYPE_MAX)
2633 			return -EINVAL;
2634 	}
2635 
2636 	if (!rdev->ops->add_virtual_intf ||
2637 	    !(rdev->wiphy.interface_modes & (1 << type)))
2638 		return -EOPNOTSUPP;
2639 
2640 	if ((type == NL80211_IFTYPE_P2P_DEVICE ||
2641 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
2642 	    info->attrs[NL80211_ATTR_MAC]) {
2643 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
2644 			   ETH_ALEN);
2645 		if (!is_valid_ether_addr(params.macaddr))
2646 			return -EADDRNOTAVAIL;
2647 	}
2648 
2649 	if (info->attrs[NL80211_ATTR_4ADDR]) {
2650 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2651 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
2652 		if (err)
2653 			return err;
2654 	}
2655 
2656 	err = parse_monitor_flags(type == NL80211_IFTYPE_MONITOR ?
2657 				  info->attrs[NL80211_ATTR_MNTR_FLAGS] : NULL,
2658 				  &flags);
2659 
2660 	if (!err && (flags & MONITOR_FLAG_ACTIVE) &&
2661 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
2662 		return -EOPNOTSUPP;
2663 
2664 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2665 	if (!msg)
2666 		return -ENOMEM;
2667 
2668 	wdev = rdev_add_virtual_intf(rdev,
2669 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
2670 				NET_NAME_USER, type, err ? NULL : &flags,
2671 				&params);
2672 	if (WARN_ON(!wdev)) {
2673 		nlmsg_free(msg);
2674 		return -EPROTO;
2675 	} else if (IS_ERR(wdev)) {
2676 		nlmsg_free(msg);
2677 		return PTR_ERR(wdev);
2678 	}
2679 
2680 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
2681 		wdev->owner_nlportid = info->snd_portid;
2682 
2683 	switch (type) {
2684 	case NL80211_IFTYPE_MESH_POINT:
2685 		if (!info->attrs[NL80211_ATTR_MESH_ID])
2686 			break;
2687 		wdev_lock(wdev);
2688 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2689 			     IEEE80211_MAX_MESH_ID_LEN);
2690 		wdev->mesh_id_up_len =
2691 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2692 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2693 		       wdev->mesh_id_up_len);
2694 		wdev_unlock(wdev);
2695 		break;
2696 	case NL80211_IFTYPE_P2P_DEVICE:
2697 		/*
2698 		 * P2P Device doesn't have a netdev, so doesn't go
2699 		 * through the netdev notifier and must be added here
2700 		 */
2701 		mutex_init(&wdev->mtx);
2702 		INIT_LIST_HEAD(&wdev->event_list);
2703 		spin_lock_init(&wdev->event_lock);
2704 		INIT_LIST_HEAD(&wdev->mgmt_registrations);
2705 		spin_lock_init(&wdev->mgmt_registrations_lock);
2706 
2707 		wdev->identifier = ++rdev->wdev_id;
2708 		list_add_rcu(&wdev->list, &rdev->wdev_list);
2709 		rdev->devlist_generation++;
2710 		break;
2711 	default:
2712 		break;
2713 	}
2714 
2715 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2716 			       rdev, wdev, false) < 0) {
2717 		nlmsg_free(msg);
2718 		return -ENOBUFS;
2719 	}
2720 
2721 	event = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2722 	if (event) {
2723 		if (nl80211_send_iface(event, 0, 0, 0,
2724 				       rdev, wdev, false) < 0) {
2725 			nlmsg_free(event);
2726 			goto out;
2727 		}
2728 
2729 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
2730 					event, 0, NL80211_MCGRP_CONFIG,
2731 					GFP_KERNEL);
2732 	}
2733 
2734 out:
2735 	return genlmsg_reply(msg, info);
2736 }
2737 
2738 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
2739 {
2740 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2741 	struct wireless_dev *wdev = info->user_ptr[1];
2742 	struct sk_buff *msg;
2743 	int status;
2744 
2745 	if (!rdev->ops->del_virtual_intf)
2746 		return -EOPNOTSUPP;
2747 
2748 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2749 	if (msg && nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, true) < 0) {
2750 		nlmsg_free(msg);
2751 		msg = NULL;
2752 	}
2753 
2754 	/*
2755 	 * If we remove a wireless device without a netdev then clear
2756 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
2757 	 * to check if it needs to do dev_put(). Otherwise it crashes
2758 	 * since the wdev has been freed, unlike with a netdev where
2759 	 * we need the dev_put() for the netdev to really be freed.
2760 	 */
2761 	if (!wdev->netdev)
2762 		info->user_ptr[1] = NULL;
2763 
2764 	status = rdev_del_virtual_intf(rdev, wdev);
2765 	if (status >= 0 && msg)
2766 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
2767 					msg, 0, NL80211_MCGRP_CONFIG,
2768 					GFP_KERNEL);
2769 	else
2770 		nlmsg_free(msg);
2771 
2772 	return status;
2773 }
2774 
2775 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
2776 {
2777 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2778 	struct net_device *dev = info->user_ptr[1];
2779 	u16 noack_map;
2780 
2781 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
2782 		return -EINVAL;
2783 
2784 	if (!rdev->ops->set_noack_map)
2785 		return -EOPNOTSUPP;
2786 
2787 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
2788 
2789 	return rdev_set_noack_map(rdev, dev, noack_map);
2790 }
2791 
2792 struct get_key_cookie {
2793 	struct sk_buff *msg;
2794 	int error;
2795 	int idx;
2796 };
2797 
2798 static void get_key_callback(void *c, struct key_params *params)
2799 {
2800 	struct nlattr *key;
2801 	struct get_key_cookie *cookie = c;
2802 
2803 	if ((params->key &&
2804 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
2805 		     params->key_len, params->key)) ||
2806 	    (params->seq &&
2807 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
2808 		     params->seq_len, params->seq)) ||
2809 	    (params->cipher &&
2810 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
2811 			 params->cipher)))
2812 		goto nla_put_failure;
2813 
2814 	key = nla_nest_start(cookie->msg, NL80211_ATTR_KEY);
2815 	if (!key)
2816 		goto nla_put_failure;
2817 
2818 	if ((params->key &&
2819 	     nla_put(cookie->msg, NL80211_KEY_DATA,
2820 		     params->key_len, params->key)) ||
2821 	    (params->seq &&
2822 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
2823 		     params->seq_len, params->seq)) ||
2824 	    (params->cipher &&
2825 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
2826 			 params->cipher)))
2827 		goto nla_put_failure;
2828 
2829 	if (nla_put_u8(cookie->msg, NL80211_ATTR_KEY_IDX, cookie->idx))
2830 		goto nla_put_failure;
2831 
2832 	nla_nest_end(cookie->msg, key);
2833 
2834 	return;
2835  nla_put_failure:
2836 	cookie->error = 1;
2837 }
2838 
2839 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
2840 {
2841 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2842 	int err;
2843 	struct net_device *dev = info->user_ptr[1];
2844 	u8 key_idx = 0;
2845 	const u8 *mac_addr = NULL;
2846 	bool pairwise;
2847 	struct get_key_cookie cookie = {
2848 		.error = 0,
2849 	};
2850 	void *hdr;
2851 	struct sk_buff *msg;
2852 
2853 	if (info->attrs[NL80211_ATTR_KEY_IDX])
2854 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
2855 
2856 	if (key_idx > 5)
2857 		return -EINVAL;
2858 
2859 	if (info->attrs[NL80211_ATTR_MAC])
2860 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2861 
2862 	pairwise = !!mac_addr;
2863 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
2864 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
2865 		if (kt >= NUM_NL80211_KEYTYPES)
2866 			return -EINVAL;
2867 		if (kt != NL80211_KEYTYPE_GROUP &&
2868 		    kt != NL80211_KEYTYPE_PAIRWISE)
2869 			return -EINVAL;
2870 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
2871 	}
2872 
2873 	if (!rdev->ops->get_key)
2874 		return -EOPNOTSUPP;
2875 
2876 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2877 		return -ENOENT;
2878 
2879 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2880 	if (!msg)
2881 		return -ENOMEM;
2882 
2883 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
2884 			     NL80211_CMD_NEW_KEY);
2885 	if (!hdr)
2886 		goto nla_put_failure;
2887 
2888 	cookie.msg = msg;
2889 	cookie.idx = key_idx;
2890 
2891 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2892 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
2893 		goto nla_put_failure;
2894 	if (mac_addr &&
2895 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
2896 		goto nla_put_failure;
2897 
2898 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
2899 			   get_key_callback);
2900 
2901 	if (err)
2902 		goto free_msg;
2903 
2904 	if (cookie.error)
2905 		goto nla_put_failure;
2906 
2907 	genlmsg_end(msg, hdr);
2908 	return genlmsg_reply(msg, info);
2909 
2910  nla_put_failure:
2911 	err = -ENOBUFS;
2912  free_msg:
2913 	nlmsg_free(msg);
2914 	return err;
2915 }
2916 
2917 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
2918 {
2919 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2920 	struct key_parse key;
2921 	int err;
2922 	struct net_device *dev = info->user_ptr[1];
2923 
2924 	err = nl80211_parse_key(info, &key);
2925 	if (err)
2926 		return err;
2927 
2928 	if (key.idx < 0)
2929 		return -EINVAL;
2930 
2931 	/* only support setting default key */
2932 	if (!key.def && !key.defmgmt)
2933 		return -EINVAL;
2934 
2935 	wdev_lock(dev->ieee80211_ptr);
2936 
2937 	if (key.def) {
2938 		if (!rdev->ops->set_default_key) {
2939 			err = -EOPNOTSUPP;
2940 			goto out;
2941 		}
2942 
2943 		err = nl80211_key_allowed(dev->ieee80211_ptr);
2944 		if (err)
2945 			goto out;
2946 
2947 		err = rdev_set_default_key(rdev, dev, key.idx,
2948 						 key.def_uni, key.def_multi);
2949 
2950 		if (err)
2951 			goto out;
2952 
2953 #ifdef CONFIG_CFG80211_WEXT
2954 		dev->ieee80211_ptr->wext.default_key = key.idx;
2955 #endif
2956 	} else {
2957 		if (key.def_uni || !key.def_multi) {
2958 			err = -EINVAL;
2959 			goto out;
2960 		}
2961 
2962 		if (!rdev->ops->set_default_mgmt_key) {
2963 			err = -EOPNOTSUPP;
2964 			goto out;
2965 		}
2966 
2967 		err = nl80211_key_allowed(dev->ieee80211_ptr);
2968 		if (err)
2969 			goto out;
2970 
2971 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
2972 		if (err)
2973 			goto out;
2974 
2975 #ifdef CONFIG_CFG80211_WEXT
2976 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
2977 #endif
2978 	}
2979 
2980  out:
2981 	wdev_unlock(dev->ieee80211_ptr);
2982 
2983 	return err;
2984 }
2985 
2986 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
2987 {
2988 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2989 	int err;
2990 	struct net_device *dev = info->user_ptr[1];
2991 	struct key_parse key;
2992 	const u8 *mac_addr = NULL;
2993 
2994 	err = nl80211_parse_key(info, &key);
2995 	if (err)
2996 		return err;
2997 
2998 	if (!key.p.key)
2999 		return -EINVAL;
3000 
3001 	if (info->attrs[NL80211_ATTR_MAC])
3002 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3003 
3004 	if (key.type == -1) {
3005 		if (mac_addr)
3006 			key.type = NL80211_KEYTYPE_PAIRWISE;
3007 		else
3008 			key.type = NL80211_KEYTYPE_GROUP;
3009 	}
3010 
3011 	/* for now */
3012 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3013 	    key.type != NL80211_KEYTYPE_GROUP)
3014 		return -EINVAL;
3015 
3016 	if (!rdev->ops->add_key)
3017 		return -EOPNOTSUPP;
3018 
3019 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
3020 					   key.type == NL80211_KEYTYPE_PAIRWISE,
3021 					   mac_addr))
3022 		return -EINVAL;
3023 
3024 	wdev_lock(dev->ieee80211_ptr);
3025 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3026 	if (!err)
3027 		err = rdev_add_key(rdev, dev, key.idx,
3028 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3029 				    mac_addr, &key.p);
3030 	wdev_unlock(dev->ieee80211_ptr);
3031 
3032 	return err;
3033 }
3034 
3035 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
3036 {
3037 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3038 	int err;
3039 	struct net_device *dev = info->user_ptr[1];
3040 	u8 *mac_addr = NULL;
3041 	struct key_parse key;
3042 
3043 	err = nl80211_parse_key(info, &key);
3044 	if (err)
3045 		return err;
3046 
3047 	if (info->attrs[NL80211_ATTR_MAC])
3048 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3049 
3050 	if (key.type == -1) {
3051 		if (mac_addr)
3052 			key.type = NL80211_KEYTYPE_PAIRWISE;
3053 		else
3054 			key.type = NL80211_KEYTYPE_GROUP;
3055 	}
3056 
3057 	/* for now */
3058 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3059 	    key.type != NL80211_KEYTYPE_GROUP)
3060 		return -EINVAL;
3061 
3062 	if (!rdev->ops->del_key)
3063 		return -EOPNOTSUPP;
3064 
3065 	wdev_lock(dev->ieee80211_ptr);
3066 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3067 
3068 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
3069 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3070 		err = -ENOENT;
3071 
3072 	if (!err)
3073 		err = rdev_del_key(rdev, dev, key.idx,
3074 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3075 				   mac_addr);
3076 
3077 #ifdef CONFIG_CFG80211_WEXT
3078 	if (!err) {
3079 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
3080 			dev->ieee80211_ptr->wext.default_key = -1;
3081 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
3082 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
3083 	}
3084 #endif
3085 	wdev_unlock(dev->ieee80211_ptr);
3086 
3087 	return err;
3088 }
3089 
3090 /* This function returns an error or the number of nested attributes */
3091 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
3092 {
3093 	struct nlattr *attr;
3094 	int n_entries = 0, tmp;
3095 
3096 	nla_for_each_nested(attr, nl_attr, tmp) {
3097 		if (nla_len(attr) != ETH_ALEN)
3098 			return -EINVAL;
3099 
3100 		n_entries++;
3101 	}
3102 
3103 	return n_entries;
3104 }
3105 
3106 /*
3107  * This function parses ACL information and allocates memory for ACL data.
3108  * On successful return, the calling function is responsible to free the
3109  * ACL buffer returned by this function.
3110  */
3111 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
3112 						struct genl_info *info)
3113 {
3114 	enum nl80211_acl_policy acl_policy;
3115 	struct nlattr *attr;
3116 	struct cfg80211_acl_data *acl;
3117 	int i = 0, n_entries, tmp;
3118 
3119 	if (!wiphy->max_acl_mac_addrs)
3120 		return ERR_PTR(-EOPNOTSUPP);
3121 
3122 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
3123 		return ERR_PTR(-EINVAL);
3124 
3125 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
3126 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
3127 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
3128 		return ERR_PTR(-EINVAL);
3129 
3130 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
3131 		return ERR_PTR(-EINVAL);
3132 
3133 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
3134 	if (n_entries < 0)
3135 		return ERR_PTR(n_entries);
3136 
3137 	if (n_entries > wiphy->max_acl_mac_addrs)
3138 		return ERR_PTR(-ENOTSUPP);
3139 
3140 	acl = kzalloc(sizeof(*acl) + (sizeof(struct mac_address) * n_entries),
3141 		      GFP_KERNEL);
3142 	if (!acl)
3143 		return ERR_PTR(-ENOMEM);
3144 
3145 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
3146 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
3147 		i++;
3148 	}
3149 
3150 	acl->n_acl_entries = n_entries;
3151 	acl->acl_policy = acl_policy;
3152 
3153 	return acl;
3154 }
3155 
3156 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
3157 {
3158 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3159 	struct net_device *dev = info->user_ptr[1];
3160 	struct cfg80211_acl_data *acl;
3161 	int err;
3162 
3163 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3164 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3165 		return -EOPNOTSUPP;
3166 
3167 	if (!dev->ieee80211_ptr->beacon_interval)
3168 		return -EINVAL;
3169 
3170 	acl = parse_acl_data(&rdev->wiphy, info);
3171 	if (IS_ERR(acl))
3172 		return PTR_ERR(acl);
3173 
3174 	err = rdev_set_mac_acl(rdev, dev, acl);
3175 
3176 	kfree(acl);
3177 
3178 	return err;
3179 }
3180 
3181 static int nl80211_parse_beacon(struct nlattr *attrs[],
3182 				struct cfg80211_beacon_data *bcn)
3183 {
3184 	bool haveinfo = false;
3185 
3186 	if (!is_valid_ie_attr(attrs[NL80211_ATTR_BEACON_TAIL]) ||
3187 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE]) ||
3188 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE_PROBE_RESP]) ||
3189 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE_ASSOC_RESP]))
3190 		return -EINVAL;
3191 
3192 	memset(bcn, 0, sizeof(*bcn));
3193 
3194 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
3195 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
3196 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
3197 		if (!bcn->head_len)
3198 			return -EINVAL;
3199 		haveinfo = true;
3200 	}
3201 
3202 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
3203 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
3204 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
3205 		haveinfo = true;
3206 	}
3207 
3208 	if (!haveinfo)
3209 		return -EINVAL;
3210 
3211 	if (attrs[NL80211_ATTR_IE]) {
3212 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
3213 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
3214 	}
3215 
3216 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
3217 		bcn->proberesp_ies =
3218 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
3219 		bcn->proberesp_ies_len =
3220 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
3221 	}
3222 
3223 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
3224 		bcn->assocresp_ies =
3225 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
3226 		bcn->assocresp_ies_len =
3227 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
3228 	}
3229 
3230 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
3231 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
3232 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
3233 	}
3234 
3235 	return 0;
3236 }
3237 
3238 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
3239 				   struct cfg80211_ap_settings *params)
3240 {
3241 	struct wireless_dev *wdev;
3242 	bool ret = false;
3243 
3244 	list_for_each_entry(wdev, &rdev->wdev_list, list) {
3245 		if (wdev->iftype != NL80211_IFTYPE_AP &&
3246 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
3247 			continue;
3248 
3249 		if (!wdev->preset_chandef.chan)
3250 			continue;
3251 
3252 		params->chandef = wdev->preset_chandef;
3253 		ret = true;
3254 		break;
3255 	}
3256 
3257 	return ret;
3258 }
3259 
3260 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
3261 				    enum nl80211_auth_type auth_type,
3262 				    enum nl80211_commands cmd)
3263 {
3264 	if (auth_type > NL80211_AUTHTYPE_MAX)
3265 		return false;
3266 
3267 	switch (cmd) {
3268 	case NL80211_CMD_AUTHENTICATE:
3269 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
3270 		    auth_type == NL80211_AUTHTYPE_SAE)
3271 			return false;
3272 		return true;
3273 	case NL80211_CMD_CONNECT:
3274 	case NL80211_CMD_START_AP:
3275 		/* SAE not supported yet */
3276 		if (auth_type == NL80211_AUTHTYPE_SAE)
3277 			return false;
3278 		return true;
3279 	default:
3280 		return false;
3281 	}
3282 }
3283 
3284 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
3285 {
3286 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3287 	struct net_device *dev = info->user_ptr[1];
3288 	struct wireless_dev *wdev = dev->ieee80211_ptr;
3289 	struct cfg80211_ap_settings params;
3290 	int err;
3291 
3292 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3293 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3294 		return -EOPNOTSUPP;
3295 
3296 	if (!rdev->ops->start_ap)
3297 		return -EOPNOTSUPP;
3298 
3299 	if (wdev->beacon_interval)
3300 		return -EALREADY;
3301 
3302 	memset(&params, 0, sizeof(params));
3303 
3304 	/* these are required for START_AP */
3305 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
3306 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
3307 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
3308 		return -EINVAL;
3309 
3310 	err = nl80211_parse_beacon(info->attrs, &params.beacon);
3311 	if (err)
3312 		return err;
3313 
3314 	params.beacon_interval =
3315 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
3316 	params.dtim_period =
3317 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
3318 
3319 	err = cfg80211_validate_beacon_int(rdev, params.beacon_interval);
3320 	if (err)
3321 		return err;
3322 
3323 	/*
3324 	 * In theory, some of these attributes should be required here
3325 	 * but since they were not used when the command was originally
3326 	 * added, keep them optional for old user space programs to let
3327 	 * them continue to work with drivers that do not need the
3328 	 * additional information -- drivers must check!
3329 	 */
3330 	if (info->attrs[NL80211_ATTR_SSID]) {
3331 		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
3332 		params.ssid_len =
3333 			nla_len(info->attrs[NL80211_ATTR_SSID]);
3334 		if (params.ssid_len == 0 ||
3335 		    params.ssid_len > IEEE80211_MAX_SSID_LEN)
3336 			return -EINVAL;
3337 	}
3338 
3339 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID]) {
3340 		params.hidden_ssid = nla_get_u32(
3341 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
3342 		if (params.hidden_ssid != NL80211_HIDDEN_SSID_NOT_IN_USE &&
3343 		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_LEN &&
3344 		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_CONTENTS)
3345 			return -EINVAL;
3346 	}
3347 
3348 	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
3349 
3350 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
3351 		params.auth_type = nla_get_u32(
3352 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
3353 		if (!nl80211_valid_auth_type(rdev, params.auth_type,
3354 					     NL80211_CMD_START_AP))
3355 			return -EINVAL;
3356 	} else
3357 		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
3358 
3359 	err = nl80211_crypto_settings(rdev, info, &params.crypto,
3360 				      NL80211_MAX_NR_CIPHER_SUITES);
3361 	if (err)
3362 		return err;
3363 
3364 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
3365 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
3366 			return -EOPNOTSUPP;
3367 		params.inactivity_timeout = nla_get_u16(
3368 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
3369 	}
3370 
3371 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
3372 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3373 			return -EINVAL;
3374 		params.p2p_ctwindow =
3375 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
3376 		if (params.p2p_ctwindow > 127)
3377 			return -EINVAL;
3378 		if (params.p2p_ctwindow != 0 &&
3379 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
3380 			return -EINVAL;
3381 	}
3382 
3383 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
3384 		u8 tmp;
3385 
3386 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3387 			return -EINVAL;
3388 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
3389 		if (tmp > 1)
3390 			return -EINVAL;
3391 		params.p2p_opp_ps = tmp;
3392 		if (params.p2p_opp_ps != 0 &&
3393 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
3394 			return -EINVAL;
3395 	}
3396 
3397 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3398 		err = nl80211_parse_chandef(rdev, info, &params.chandef);
3399 		if (err)
3400 			return err;
3401 	} else if (wdev->preset_chandef.chan) {
3402 		params.chandef = wdev->preset_chandef;
3403 	} else if (!nl80211_get_ap_channel(rdev, &params))
3404 		return -EINVAL;
3405 
3406 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &params.chandef,
3407 				     wdev->iftype))
3408 		return -EINVAL;
3409 
3410 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
3411 		params.acl = parse_acl_data(&rdev->wiphy, info);
3412 		if (IS_ERR(params.acl))
3413 			return PTR_ERR(params.acl);
3414 	}
3415 
3416 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
3417 		params.smps_mode =
3418 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
3419 		switch (params.smps_mode) {
3420 		case NL80211_SMPS_OFF:
3421 			break;
3422 		case NL80211_SMPS_STATIC:
3423 			if (!(rdev->wiphy.features &
3424 			      NL80211_FEATURE_STATIC_SMPS))
3425 				return -EINVAL;
3426 			break;
3427 		case NL80211_SMPS_DYNAMIC:
3428 			if (!(rdev->wiphy.features &
3429 			      NL80211_FEATURE_DYNAMIC_SMPS))
3430 				return -EINVAL;
3431 			break;
3432 		default:
3433 			return -EINVAL;
3434 		}
3435 	} else {
3436 		params.smps_mode = NL80211_SMPS_OFF;
3437 	}
3438 
3439 	wdev_lock(wdev);
3440 	err = rdev_start_ap(rdev, dev, &params);
3441 	if (!err) {
3442 		wdev->preset_chandef = params.chandef;
3443 		wdev->beacon_interval = params.beacon_interval;
3444 		wdev->chandef = params.chandef;
3445 		wdev->ssid_len = params.ssid_len;
3446 		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
3447 	}
3448 	wdev_unlock(wdev);
3449 
3450 	kfree(params.acl);
3451 
3452 	return err;
3453 }
3454 
3455 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
3456 {
3457 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3458 	struct net_device *dev = info->user_ptr[1];
3459 	struct wireless_dev *wdev = dev->ieee80211_ptr;
3460 	struct cfg80211_beacon_data params;
3461 	int err;
3462 
3463 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3464 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3465 		return -EOPNOTSUPP;
3466 
3467 	if (!rdev->ops->change_beacon)
3468 		return -EOPNOTSUPP;
3469 
3470 	if (!wdev->beacon_interval)
3471 		return -EINVAL;
3472 
3473 	err = nl80211_parse_beacon(info->attrs, &params);
3474 	if (err)
3475 		return err;
3476 
3477 	wdev_lock(wdev);
3478 	err = rdev_change_beacon(rdev, dev, &params);
3479 	wdev_unlock(wdev);
3480 
3481 	return err;
3482 }
3483 
3484 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
3485 {
3486 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3487 	struct net_device *dev = info->user_ptr[1];
3488 
3489 	return cfg80211_stop_ap(rdev, dev, false);
3490 }
3491 
3492 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
3493 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
3494 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
3495 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
3496 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
3497 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
3498 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
3499 };
3500 
3501 static int parse_station_flags(struct genl_info *info,
3502 			       enum nl80211_iftype iftype,
3503 			       struct station_parameters *params)
3504 {
3505 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
3506 	struct nlattr *nla;
3507 	int flag;
3508 
3509 	/*
3510 	 * Try parsing the new attribute first so userspace
3511 	 * can specify both for older kernels.
3512 	 */
3513 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
3514 	if (nla) {
3515 		struct nl80211_sta_flag_update *sta_flags;
3516 
3517 		sta_flags = nla_data(nla);
3518 		params->sta_flags_mask = sta_flags->mask;
3519 		params->sta_flags_set = sta_flags->set;
3520 		params->sta_flags_set &= params->sta_flags_mask;
3521 		if ((params->sta_flags_mask |
3522 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
3523 			return -EINVAL;
3524 		return 0;
3525 	}
3526 
3527 	/* if present, parse the old attribute */
3528 
3529 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
3530 	if (!nla)
3531 		return 0;
3532 
3533 	if (nla_parse_nested(flags, NL80211_STA_FLAG_MAX,
3534 			     nla, sta_flags_policy))
3535 		return -EINVAL;
3536 
3537 	/*
3538 	 * Only allow certain flags for interface types so that
3539 	 * other attributes are silently ignored. Remember that
3540 	 * this is backward compatibility code with old userspace
3541 	 * and shouldn't be hit in other cases anyway.
3542 	 */
3543 	switch (iftype) {
3544 	case NL80211_IFTYPE_AP:
3545 	case NL80211_IFTYPE_AP_VLAN:
3546 	case NL80211_IFTYPE_P2P_GO:
3547 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
3548 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
3549 					 BIT(NL80211_STA_FLAG_WME) |
3550 					 BIT(NL80211_STA_FLAG_MFP);
3551 		break;
3552 	case NL80211_IFTYPE_P2P_CLIENT:
3553 	case NL80211_IFTYPE_STATION:
3554 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
3555 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
3556 		break;
3557 	case NL80211_IFTYPE_MESH_POINT:
3558 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3559 					 BIT(NL80211_STA_FLAG_MFP) |
3560 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
3561 	default:
3562 		return -EINVAL;
3563 	}
3564 
3565 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
3566 		if (flags[flag]) {
3567 			params->sta_flags_set |= (1<<flag);
3568 
3569 			/* no longer support new API additions in old API */
3570 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
3571 				return -EINVAL;
3572 		}
3573 	}
3574 
3575 	return 0;
3576 }
3577 
3578 static bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info,
3579 				 int attr)
3580 {
3581 	struct nlattr *rate;
3582 	u32 bitrate;
3583 	u16 bitrate_compat;
3584 	enum nl80211_attrs rate_flg;
3585 
3586 	rate = nla_nest_start(msg, attr);
3587 	if (!rate)
3588 		return false;
3589 
3590 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
3591 	bitrate = cfg80211_calculate_bitrate(info);
3592 	/* report 16-bit bitrate only if we can */
3593 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
3594 	if (bitrate > 0 &&
3595 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
3596 		return false;
3597 	if (bitrate_compat > 0 &&
3598 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
3599 		return false;
3600 
3601 	switch (info->bw) {
3602 	case RATE_INFO_BW_5:
3603 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
3604 		break;
3605 	case RATE_INFO_BW_10:
3606 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
3607 		break;
3608 	default:
3609 		WARN_ON(1);
3610 		/* fall through */
3611 	case RATE_INFO_BW_20:
3612 		rate_flg = 0;
3613 		break;
3614 	case RATE_INFO_BW_40:
3615 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
3616 		break;
3617 	case RATE_INFO_BW_80:
3618 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
3619 		break;
3620 	case RATE_INFO_BW_160:
3621 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
3622 		break;
3623 	}
3624 
3625 	if (rate_flg && nla_put_flag(msg, rate_flg))
3626 		return false;
3627 
3628 	if (info->flags & RATE_INFO_FLAGS_MCS) {
3629 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
3630 			return false;
3631 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3632 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3633 			return false;
3634 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
3635 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
3636 			return false;
3637 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
3638 			return false;
3639 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3640 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3641 			return false;
3642 	}
3643 
3644 	nla_nest_end(msg, rate);
3645 	return true;
3646 }
3647 
3648 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
3649 			       int id)
3650 {
3651 	void *attr;
3652 	int i = 0;
3653 
3654 	if (!mask)
3655 		return true;
3656 
3657 	attr = nla_nest_start(msg, id);
3658 	if (!attr)
3659 		return false;
3660 
3661 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
3662 		if (!(mask & BIT(i)))
3663 			continue;
3664 
3665 		if (nla_put_u8(msg, i, signal[i]))
3666 			return false;
3667 	}
3668 
3669 	nla_nest_end(msg, attr);
3670 
3671 	return true;
3672 }
3673 
3674 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
3675 				u32 seq, int flags,
3676 				struct cfg80211_registered_device *rdev,
3677 				struct net_device *dev,
3678 				const u8 *mac_addr, struct station_info *sinfo)
3679 {
3680 	void *hdr;
3681 	struct nlattr *sinfoattr, *bss_param;
3682 
3683 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3684 	if (!hdr)
3685 		return -1;
3686 
3687 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3688 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
3689 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
3690 		goto nla_put_failure;
3691 
3692 	sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
3693 	if (!sinfoattr)
3694 		goto nla_put_failure;
3695 
3696 #define PUT_SINFO(attr, memb, type) do {				\
3697 	if (sinfo->filled & BIT(NL80211_STA_INFO_ ## attr) &&		\
3698 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
3699 			     sinfo->memb))				\
3700 		goto nla_put_failure;					\
3701 	} while (0)
3702 
3703 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
3704 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
3705 
3706 	if (sinfo->filled & (BIT(NL80211_STA_INFO_RX_BYTES) |
3707 			     BIT(NL80211_STA_INFO_RX_BYTES64)) &&
3708 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
3709 			(u32)sinfo->rx_bytes))
3710 		goto nla_put_failure;
3711 
3712 	if (sinfo->filled & (BIT(NL80211_STA_INFO_TX_BYTES) |
3713 			     BIT(NL80211_STA_INFO_TX_BYTES64)) &&
3714 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
3715 			(u32)sinfo->tx_bytes))
3716 		goto nla_put_failure;
3717 
3718 	PUT_SINFO(RX_BYTES64, rx_bytes, u64);
3719 	PUT_SINFO(TX_BYTES64, tx_bytes, u64);
3720 	PUT_SINFO(LLID, llid, u16);
3721 	PUT_SINFO(PLID, plid, u16);
3722 	PUT_SINFO(PLINK_STATE, plink_state, u8);
3723 
3724 	switch (rdev->wiphy.signal_type) {
3725 	case CFG80211_SIGNAL_TYPE_MBM:
3726 		PUT_SINFO(SIGNAL, signal, u8);
3727 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
3728 		break;
3729 	default:
3730 		break;
3731 	}
3732 	if (sinfo->filled & BIT(NL80211_STA_INFO_CHAIN_SIGNAL)) {
3733 		if (!nl80211_put_signal(msg, sinfo->chains,
3734 					sinfo->chain_signal,
3735 					NL80211_STA_INFO_CHAIN_SIGNAL))
3736 			goto nla_put_failure;
3737 	}
3738 	if (sinfo->filled & BIT(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
3739 		if (!nl80211_put_signal(msg, sinfo->chains,
3740 					sinfo->chain_signal_avg,
3741 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
3742 			goto nla_put_failure;
3743 	}
3744 	if (sinfo->filled & BIT(NL80211_STA_INFO_TX_BITRATE)) {
3745 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
3746 					  NL80211_STA_INFO_TX_BITRATE))
3747 			goto nla_put_failure;
3748 	}
3749 	if (sinfo->filled & BIT(NL80211_STA_INFO_RX_BITRATE)) {
3750 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
3751 					  NL80211_STA_INFO_RX_BITRATE))
3752 			goto nla_put_failure;
3753 	}
3754 
3755 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
3756 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
3757 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
3758 	PUT_SINFO(TX_FAILED, tx_failed, u32);
3759 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
3760 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
3761 	PUT_SINFO(LOCAL_PM, local_pm, u32);
3762 	PUT_SINFO(PEER_PM, peer_pm, u32);
3763 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
3764 
3765 	if (sinfo->filled & BIT(NL80211_STA_INFO_BSS_PARAM)) {
3766 		bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
3767 		if (!bss_param)
3768 			goto nla_put_failure;
3769 
3770 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
3771 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
3772 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
3773 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
3774 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
3775 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
3776 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
3777 			       sinfo->bss_param.dtim_period) ||
3778 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
3779 				sinfo->bss_param.beacon_interval))
3780 			goto nla_put_failure;
3781 
3782 		nla_nest_end(msg, bss_param);
3783 	}
3784 	if ((sinfo->filled & BIT(NL80211_STA_INFO_STA_FLAGS)) &&
3785 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
3786 		    sizeof(struct nl80211_sta_flag_update),
3787 		    &sinfo->sta_flags))
3788 		goto nla_put_failure;
3789 
3790 	PUT_SINFO(T_OFFSET, t_offset, u64);
3791 	PUT_SINFO(RX_DROP_MISC, rx_dropped_misc, u64);
3792 	PUT_SINFO(BEACON_RX, rx_beacon, u64);
3793 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
3794 
3795 #undef PUT_SINFO
3796 
3797 	if (sinfo->filled & BIT(NL80211_STA_INFO_TID_STATS)) {
3798 		struct nlattr *tidsattr;
3799 		int tid;
3800 
3801 		tidsattr = nla_nest_start(msg, NL80211_STA_INFO_TID_STATS);
3802 		if (!tidsattr)
3803 			goto nla_put_failure;
3804 
3805 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
3806 			struct cfg80211_tid_stats *tidstats;
3807 			struct nlattr *tidattr;
3808 
3809 			tidstats = &sinfo->pertid[tid];
3810 
3811 			if (!tidstats->filled)
3812 				continue;
3813 
3814 			tidattr = nla_nest_start(msg, tid + 1);
3815 			if (!tidattr)
3816 				goto nla_put_failure;
3817 
3818 #define PUT_TIDVAL(attr, memb, type) do {				\
3819 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
3820 	    nla_put_ ## type(msg, NL80211_TID_STATS_ ## attr,		\
3821 			     tidstats->memb))				\
3822 		goto nla_put_failure;					\
3823 	} while (0)
3824 
3825 			PUT_TIDVAL(RX_MSDU, rx_msdu, u64);
3826 			PUT_TIDVAL(TX_MSDU, tx_msdu, u64);
3827 			PUT_TIDVAL(TX_MSDU_RETRIES, tx_msdu_retries, u64);
3828 			PUT_TIDVAL(TX_MSDU_FAILED, tx_msdu_failed, u64);
3829 
3830 #undef PUT_TIDVAL
3831 			nla_nest_end(msg, tidattr);
3832 		}
3833 
3834 		nla_nest_end(msg, tidsattr);
3835 	}
3836 
3837 	nla_nest_end(msg, sinfoattr);
3838 
3839 	if (sinfo->assoc_req_ies_len &&
3840 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
3841 		    sinfo->assoc_req_ies))
3842 		goto nla_put_failure;
3843 
3844 	genlmsg_end(msg, hdr);
3845 	return 0;
3846 
3847  nla_put_failure:
3848 	genlmsg_cancel(msg, hdr);
3849 	return -EMSGSIZE;
3850 }
3851 
3852 static int nl80211_dump_station(struct sk_buff *skb,
3853 				struct netlink_callback *cb)
3854 {
3855 	struct station_info sinfo;
3856 	struct cfg80211_registered_device *rdev;
3857 	struct wireless_dev *wdev;
3858 	u8 mac_addr[ETH_ALEN];
3859 	int sta_idx = cb->args[2];
3860 	int err;
3861 
3862 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
3863 	if (err)
3864 		return err;
3865 
3866 	if (!wdev->netdev) {
3867 		err = -EINVAL;
3868 		goto out_err;
3869 	}
3870 
3871 	if (!rdev->ops->dump_station) {
3872 		err = -EOPNOTSUPP;
3873 		goto out_err;
3874 	}
3875 
3876 	while (1) {
3877 		memset(&sinfo, 0, sizeof(sinfo));
3878 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
3879 					mac_addr, &sinfo);
3880 		if (err == -ENOENT)
3881 			break;
3882 		if (err)
3883 			goto out_err;
3884 
3885 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
3886 				NETLINK_CB(cb->skb).portid,
3887 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
3888 				rdev, wdev->netdev, mac_addr,
3889 				&sinfo) < 0)
3890 			goto out;
3891 
3892 		sta_idx++;
3893 	}
3894 
3895 
3896  out:
3897 	cb->args[2] = sta_idx;
3898 	err = skb->len;
3899  out_err:
3900 	nl80211_finish_wdev_dump(rdev);
3901 
3902 	return err;
3903 }
3904 
3905 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
3906 {
3907 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3908 	struct net_device *dev = info->user_ptr[1];
3909 	struct station_info sinfo;
3910 	struct sk_buff *msg;
3911 	u8 *mac_addr = NULL;
3912 	int err;
3913 
3914 	memset(&sinfo, 0, sizeof(sinfo));
3915 
3916 	if (!info->attrs[NL80211_ATTR_MAC])
3917 		return -EINVAL;
3918 
3919 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3920 
3921 	if (!rdev->ops->get_station)
3922 		return -EOPNOTSUPP;
3923 
3924 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
3925 	if (err)
3926 		return err;
3927 
3928 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3929 	if (!msg)
3930 		return -ENOMEM;
3931 
3932 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
3933 				 info->snd_portid, info->snd_seq, 0,
3934 				 rdev, dev, mac_addr, &sinfo) < 0) {
3935 		nlmsg_free(msg);
3936 		return -ENOBUFS;
3937 	}
3938 
3939 	return genlmsg_reply(msg, info);
3940 }
3941 
3942 int cfg80211_check_station_change(struct wiphy *wiphy,
3943 				  struct station_parameters *params,
3944 				  enum cfg80211_station_type statype)
3945 {
3946 	if (params->listen_interval != -1)
3947 		return -EINVAL;
3948 	if (params->aid &&
3949 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
3950 		return -EINVAL;
3951 
3952 	/* When you run into this, adjust the code below for the new flag */
3953 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
3954 
3955 	switch (statype) {
3956 	case CFG80211_STA_MESH_PEER_KERNEL:
3957 	case CFG80211_STA_MESH_PEER_USER:
3958 		/*
3959 		 * No ignoring the TDLS flag here -- the userspace mesh
3960 		 * code doesn't have the bug of including TDLS in the
3961 		 * mask everywhere.
3962 		 */
3963 		if (params->sta_flags_mask &
3964 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3965 				  BIT(NL80211_STA_FLAG_MFP) |
3966 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
3967 			return -EINVAL;
3968 		break;
3969 	case CFG80211_STA_TDLS_PEER_SETUP:
3970 	case CFG80211_STA_TDLS_PEER_ACTIVE:
3971 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
3972 			return -EINVAL;
3973 		/* ignore since it can't change */
3974 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3975 		break;
3976 	default:
3977 		/* disallow mesh-specific things */
3978 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
3979 			return -EINVAL;
3980 		if (params->local_pm)
3981 			return -EINVAL;
3982 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
3983 			return -EINVAL;
3984 	}
3985 
3986 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
3987 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
3988 		/* TDLS can't be set, ... */
3989 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3990 			return -EINVAL;
3991 		/*
3992 		 * ... but don't bother the driver with it. This works around
3993 		 * a hostapd/wpa_supplicant issue -- it always includes the
3994 		 * TLDS_PEER flag in the mask even for AP mode.
3995 		 */
3996 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3997 	}
3998 
3999 	if (statype != CFG80211_STA_TDLS_PEER_SETUP) {
4000 		/* reject other things that can't change */
4001 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
4002 			return -EINVAL;
4003 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
4004 			return -EINVAL;
4005 		if (params->supported_rates)
4006 			return -EINVAL;
4007 		if (params->ext_capab || params->ht_capa || params->vht_capa)
4008 			return -EINVAL;
4009 	}
4010 
4011 	if (statype != CFG80211_STA_AP_CLIENT) {
4012 		if (params->vlan)
4013 			return -EINVAL;
4014 	}
4015 
4016 	switch (statype) {
4017 	case CFG80211_STA_AP_MLME_CLIENT:
4018 		/* Use this only for authorizing/unauthorizing a station */
4019 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
4020 			return -EOPNOTSUPP;
4021 		break;
4022 	case CFG80211_STA_AP_CLIENT:
4023 		/* accept only the listed bits */
4024 		if (params->sta_flags_mask &
4025 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
4026 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4027 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
4028 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
4029 				  BIT(NL80211_STA_FLAG_WME) |
4030 				  BIT(NL80211_STA_FLAG_MFP)))
4031 			return -EINVAL;
4032 
4033 		/* but authenticated/associated only if driver handles it */
4034 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
4035 		    params->sta_flags_mask &
4036 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4037 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
4038 			return -EINVAL;
4039 		break;
4040 	case CFG80211_STA_IBSS:
4041 	case CFG80211_STA_AP_STA:
4042 		/* reject any changes other than AUTHORIZED */
4043 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
4044 			return -EINVAL;
4045 		break;
4046 	case CFG80211_STA_TDLS_PEER_SETUP:
4047 		/* reject any changes other than AUTHORIZED or WME */
4048 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
4049 					       BIT(NL80211_STA_FLAG_WME)))
4050 			return -EINVAL;
4051 		/* force (at least) rates when authorizing */
4052 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
4053 		    !params->supported_rates)
4054 			return -EINVAL;
4055 		break;
4056 	case CFG80211_STA_TDLS_PEER_ACTIVE:
4057 		/* reject any changes */
4058 		return -EINVAL;
4059 	case CFG80211_STA_MESH_PEER_KERNEL:
4060 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
4061 			return -EINVAL;
4062 		break;
4063 	case CFG80211_STA_MESH_PEER_USER:
4064 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
4065 			return -EINVAL;
4066 		break;
4067 	}
4068 
4069 	return 0;
4070 }
4071 EXPORT_SYMBOL(cfg80211_check_station_change);
4072 
4073 /*
4074  * Get vlan interface making sure it is running and on the right wiphy.
4075  */
4076 static struct net_device *get_vlan(struct genl_info *info,
4077 				   struct cfg80211_registered_device *rdev)
4078 {
4079 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
4080 	struct net_device *v;
4081 	int ret;
4082 
4083 	if (!vlanattr)
4084 		return NULL;
4085 
4086 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
4087 	if (!v)
4088 		return ERR_PTR(-ENODEV);
4089 
4090 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
4091 		ret = -EINVAL;
4092 		goto error;
4093 	}
4094 
4095 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
4096 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4097 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
4098 		ret = -EINVAL;
4099 		goto error;
4100 	}
4101 
4102 	if (!netif_running(v)) {
4103 		ret = -ENETDOWN;
4104 		goto error;
4105 	}
4106 
4107 	return v;
4108  error:
4109 	dev_put(v);
4110 	return ERR_PTR(ret);
4111 }
4112 
4113 static const struct nla_policy
4114 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
4115 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
4116 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
4117 };
4118 
4119 static int nl80211_parse_sta_wme(struct genl_info *info,
4120 				 struct station_parameters *params)
4121 {
4122 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
4123 	struct nlattr *nla;
4124 	int err;
4125 
4126 	/* parse WME attributes if present */
4127 	if (!info->attrs[NL80211_ATTR_STA_WME])
4128 		return 0;
4129 
4130 	nla = info->attrs[NL80211_ATTR_STA_WME];
4131 	err = nla_parse_nested(tb, NL80211_STA_WME_MAX, nla,
4132 			       nl80211_sta_wme_policy);
4133 	if (err)
4134 		return err;
4135 
4136 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
4137 		params->uapsd_queues = nla_get_u8(
4138 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
4139 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
4140 		return -EINVAL;
4141 
4142 	if (tb[NL80211_STA_WME_MAX_SP])
4143 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
4144 
4145 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
4146 		return -EINVAL;
4147 
4148 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
4149 
4150 	return 0;
4151 }
4152 
4153 static int nl80211_parse_sta_channel_info(struct genl_info *info,
4154 				      struct station_parameters *params)
4155 {
4156 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
4157 		params->supported_channels =
4158 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
4159 		params->supported_channels_len =
4160 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
4161 		/*
4162 		 * Need to include at least one (first channel, number of
4163 		 * channels) tuple for each subband, and must have proper
4164 		 * tuples for the rest of the data as well.
4165 		 */
4166 		if (params->supported_channels_len < 2)
4167 			return -EINVAL;
4168 		if (params->supported_channels_len % 2)
4169 			return -EINVAL;
4170 	}
4171 
4172 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
4173 		params->supported_oper_classes =
4174 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
4175 		params->supported_oper_classes_len =
4176 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
4177 		/*
4178 		 * The value of the Length field of the Supported Operating
4179 		 * Classes element is between 2 and 253.
4180 		 */
4181 		if (params->supported_oper_classes_len < 2 ||
4182 		    params->supported_oper_classes_len > 253)
4183 			return -EINVAL;
4184 	}
4185 	return 0;
4186 }
4187 
4188 static int nl80211_set_station_tdls(struct genl_info *info,
4189 				    struct station_parameters *params)
4190 {
4191 	int err;
4192 	/* Dummy STA entry gets updated once the peer capabilities are known */
4193 	if (info->attrs[NL80211_ATTR_PEER_AID])
4194 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
4195 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
4196 		params->ht_capa =
4197 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
4198 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
4199 		params->vht_capa =
4200 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
4201 
4202 	err = nl80211_parse_sta_channel_info(info, params);
4203 	if (err)
4204 		return err;
4205 
4206 	return nl80211_parse_sta_wme(info, params);
4207 }
4208 
4209 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
4210 {
4211 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4212 	struct net_device *dev = info->user_ptr[1];
4213 	struct station_parameters params;
4214 	u8 *mac_addr;
4215 	int err;
4216 
4217 	memset(&params, 0, sizeof(params));
4218 
4219 	params.listen_interval = -1;
4220 
4221 	if (!rdev->ops->change_station)
4222 		return -EOPNOTSUPP;
4223 
4224 	if (info->attrs[NL80211_ATTR_STA_AID])
4225 		return -EINVAL;
4226 
4227 	if (!info->attrs[NL80211_ATTR_MAC])
4228 		return -EINVAL;
4229 
4230 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4231 
4232 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
4233 		params.supported_rates =
4234 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4235 		params.supported_rates_len =
4236 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4237 	}
4238 
4239 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
4240 		params.capability =
4241 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
4242 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
4243 	}
4244 
4245 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
4246 		params.ext_capab =
4247 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4248 		params.ext_capab_len =
4249 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4250 	}
4251 
4252 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
4253 		return -EINVAL;
4254 
4255 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
4256 		return -EINVAL;
4257 
4258 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
4259 		params.plink_action =
4260 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
4261 		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
4262 			return -EINVAL;
4263 	}
4264 
4265 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
4266 		params.plink_state =
4267 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
4268 		if (params.plink_state >= NUM_NL80211_PLINK_STATES)
4269 			return -EINVAL;
4270 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
4271 	}
4272 
4273 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]) {
4274 		enum nl80211_mesh_power_mode pm = nla_get_u32(
4275 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
4276 
4277 		if (pm <= NL80211_MESH_POWER_UNKNOWN ||
4278 		    pm > NL80211_MESH_POWER_MAX)
4279 			return -EINVAL;
4280 
4281 		params.local_pm = pm;
4282 	}
4283 
4284 	/* Include parameters for TDLS peer (will check later) */
4285 	err = nl80211_set_station_tdls(info, &params);
4286 	if (err)
4287 		return err;
4288 
4289 	params.vlan = get_vlan(info, rdev);
4290 	if (IS_ERR(params.vlan))
4291 		return PTR_ERR(params.vlan);
4292 
4293 	switch (dev->ieee80211_ptr->iftype) {
4294 	case NL80211_IFTYPE_AP:
4295 	case NL80211_IFTYPE_AP_VLAN:
4296 	case NL80211_IFTYPE_P2P_GO:
4297 	case NL80211_IFTYPE_P2P_CLIENT:
4298 	case NL80211_IFTYPE_STATION:
4299 	case NL80211_IFTYPE_ADHOC:
4300 	case NL80211_IFTYPE_MESH_POINT:
4301 		break;
4302 	default:
4303 		err = -EOPNOTSUPP;
4304 		goto out_put_vlan;
4305 	}
4306 
4307 	/* driver will call cfg80211_check_station_change() */
4308 	err = rdev_change_station(rdev, dev, mac_addr, &params);
4309 
4310  out_put_vlan:
4311 	if (params.vlan)
4312 		dev_put(params.vlan);
4313 
4314 	return err;
4315 }
4316 
4317 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
4318 {
4319 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4320 	int err;
4321 	struct net_device *dev = info->user_ptr[1];
4322 	struct station_parameters params;
4323 	u8 *mac_addr = NULL;
4324 
4325 	memset(&params, 0, sizeof(params));
4326 
4327 	if (!rdev->ops->add_station)
4328 		return -EOPNOTSUPP;
4329 
4330 	if (!info->attrs[NL80211_ATTR_MAC])
4331 		return -EINVAL;
4332 
4333 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
4334 		return -EINVAL;
4335 
4336 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
4337 		return -EINVAL;
4338 
4339 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
4340 	    !info->attrs[NL80211_ATTR_PEER_AID])
4341 		return -EINVAL;
4342 
4343 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4344 	params.supported_rates =
4345 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4346 	params.supported_rates_len =
4347 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4348 	params.listen_interval =
4349 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
4350 
4351 	if (info->attrs[NL80211_ATTR_PEER_AID])
4352 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
4353 	else
4354 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
4355 	if (!params.aid || params.aid > IEEE80211_MAX_AID)
4356 		return -EINVAL;
4357 
4358 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
4359 		params.capability =
4360 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
4361 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
4362 	}
4363 
4364 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
4365 		params.ext_capab =
4366 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4367 		params.ext_capab_len =
4368 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4369 	}
4370 
4371 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
4372 		params.ht_capa =
4373 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
4374 
4375 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
4376 		params.vht_capa =
4377 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
4378 
4379 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
4380 		params.opmode_notif_used = true;
4381 		params.opmode_notif =
4382 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
4383 	}
4384 
4385 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
4386 		params.plink_action =
4387 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
4388 		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
4389 			return -EINVAL;
4390 	}
4391 
4392 	err = nl80211_parse_sta_channel_info(info, &params);
4393 	if (err)
4394 		return err;
4395 
4396 	err = nl80211_parse_sta_wme(info, &params);
4397 	if (err)
4398 		return err;
4399 
4400 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
4401 		return -EINVAL;
4402 
4403 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
4404 	 * as userspace might just pass through the capabilities from the IEs
4405 	 * directly, rather than enforcing this restriction and returning an
4406 	 * error in this case.
4407 	 */
4408 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
4409 		params.ht_capa = NULL;
4410 		params.vht_capa = NULL;
4411 	}
4412 
4413 	/* When you run into this, adjust the code below for the new flag */
4414 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
4415 
4416 	switch (dev->ieee80211_ptr->iftype) {
4417 	case NL80211_IFTYPE_AP:
4418 	case NL80211_IFTYPE_AP_VLAN:
4419 	case NL80211_IFTYPE_P2P_GO:
4420 		/* ignore WME attributes if iface/sta is not capable */
4421 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
4422 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
4423 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4424 
4425 		/* TDLS peers cannot be added */
4426 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
4427 		    info->attrs[NL80211_ATTR_PEER_AID])
4428 			return -EINVAL;
4429 		/* but don't bother the driver with it */
4430 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
4431 
4432 		/* allow authenticated/associated only if driver handles it */
4433 		if (!(rdev->wiphy.features &
4434 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
4435 		    params.sta_flags_mask &
4436 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4437 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
4438 			return -EINVAL;
4439 
4440 		/* must be last in here for error handling */
4441 		params.vlan = get_vlan(info, rdev);
4442 		if (IS_ERR(params.vlan))
4443 			return PTR_ERR(params.vlan);
4444 		break;
4445 	case NL80211_IFTYPE_MESH_POINT:
4446 		/* ignore uAPSD data */
4447 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4448 
4449 		/* associated is disallowed */
4450 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
4451 			return -EINVAL;
4452 		/* TDLS peers cannot be added */
4453 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
4454 		    info->attrs[NL80211_ATTR_PEER_AID])
4455 			return -EINVAL;
4456 		break;
4457 	case NL80211_IFTYPE_STATION:
4458 	case NL80211_IFTYPE_P2P_CLIENT:
4459 		/* ignore uAPSD data */
4460 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4461 
4462 		/* these are disallowed */
4463 		if (params.sta_flags_mask &
4464 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
4465 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
4466 			return -EINVAL;
4467 		/* Only TDLS peers can be added */
4468 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
4469 			return -EINVAL;
4470 		/* Can only add if TDLS ... */
4471 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
4472 			return -EOPNOTSUPP;
4473 		/* ... with external setup is supported */
4474 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
4475 			return -EOPNOTSUPP;
4476 		/*
4477 		 * Older wpa_supplicant versions always mark the TDLS peer
4478 		 * as authorized, but it shouldn't yet be.
4479 		 */
4480 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
4481 		break;
4482 	default:
4483 		return -EOPNOTSUPP;
4484 	}
4485 
4486 	/* be aware of params.vlan when changing code here */
4487 
4488 	err = rdev_add_station(rdev, dev, mac_addr, &params);
4489 
4490 	if (params.vlan)
4491 		dev_put(params.vlan);
4492 	return err;
4493 }
4494 
4495 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
4496 {
4497 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4498 	struct net_device *dev = info->user_ptr[1];
4499 	struct station_del_parameters params;
4500 
4501 	memset(&params, 0, sizeof(params));
4502 
4503 	if (info->attrs[NL80211_ATTR_MAC])
4504 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
4505 
4506 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4507 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
4508 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
4509 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4510 		return -EINVAL;
4511 
4512 	if (!rdev->ops->del_station)
4513 		return -EOPNOTSUPP;
4514 
4515 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
4516 		params.subtype =
4517 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
4518 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
4519 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
4520 			return -EINVAL;
4521 	} else {
4522 		/* Default to Deauthentication frame */
4523 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
4524 	}
4525 
4526 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
4527 		params.reason_code =
4528 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
4529 		if (params.reason_code == 0)
4530 			return -EINVAL; /* 0 is reserved */
4531 	} else {
4532 		/* Default to reason code 2 */
4533 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
4534 	}
4535 
4536 	return rdev_del_station(rdev, dev, &params);
4537 }
4538 
4539 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
4540 				int flags, struct net_device *dev,
4541 				u8 *dst, u8 *next_hop,
4542 				struct mpath_info *pinfo)
4543 {
4544 	void *hdr;
4545 	struct nlattr *pinfoattr;
4546 
4547 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
4548 	if (!hdr)
4549 		return -1;
4550 
4551 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4552 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
4553 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
4554 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
4555 		goto nla_put_failure;
4556 
4557 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MPATH_INFO);
4558 	if (!pinfoattr)
4559 		goto nla_put_failure;
4560 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
4561 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
4562 			pinfo->frame_qlen))
4563 		goto nla_put_failure;
4564 	if (((pinfo->filled & MPATH_INFO_SN) &&
4565 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
4566 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
4567 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
4568 			 pinfo->metric)) ||
4569 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
4570 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
4571 			 pinfo->exptime)) ||
4572 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
4573 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
4574 			pinfo->flags)) ||
4575 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
4576 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
4577 			 pinfo->discovery_timeout)) ||
4578 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
4579 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
4580 			pinfo->discovery_retries)))
4581 		goto nla_put_failure;
4582 
4583 	nla_nest_end(msg, pinfoattr);
4584 
4585 	genlmsg_end(msg, hdr);
4586 	return 0;
4587 
4588  nla_put_failure:
4589 	genlmsg_cancel(msg, hdr);
4590 	return -EMSGSIZE;
4591 }
4592 
4593 static int nl80211_dump_mpath(struct sk_buff *skb,
4594 			      struct netlink_callback *cb)
4595 {
4596 	struct mpath_info pinfo;
4597 	struct cfg80211_registered_device *rdev;
4598 	struct wireless_dev *wdev;
4599 	u8 dst[ETH_ALEN];
4600 	u8 next_hop[ETH_ALEN];
4601 	int path_idx = cb->args[2];
4602 	int err;
4603 
4604 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
4605 	if (err)
4606 		return err;
4607 
4608 	if (!rdev->ops->dump_mpath) {
4609 		err = -EOPNOTSUPP;
4610 		goto out_err;
4611 	}
4612 
4613 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
4614 		err = -EOPNOTSUPP;
4615 		goto out_err;
4616 	}
4617 
4618 	while (1) {
4619 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
4620 				      next_hop, &pinfo);
4621 		if (err == -ENOENT)
4622 			break;
4623 		if (err)
4624 			goto out_err;
4625 
4626 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
4627 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4628 				       wdev->netdev, dst, next_hop,
4629 				       &pinfo) < 0)
4630 			goto out;
4631 
4632 		path_idx++;
4633 	}
4634 
4635 
4636  out:
4637 	cb->args[2] = path_idx;
4638 	err = skb->len;
4639  out_err:
4640 	nl80211_finish_wdev_dump(rdev);
4641 	return err;
4642 }
4643 
4644 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
4645 {
4646 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4647 	int err;
4648 	struct net_device *dev = info->user_ptr[1];
4649 	struct mpath_info pinfo;
4650 	struct sk_buff *msg;
4651 	u8 *dst = NULL;
4652 	u8 next_hop[ETH_ALEN];
4653 
4654 	memset(&pinfo, 0, sizeof(pinfo));
4655 
4656 	if (!info->attrs[NL80211_ATTR_MAC])
4657 		return -EINVAL;
4658 
4659 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4660 
4661 	if (!rdev->ops->get_mpath)
4662 		return -EOPNOTSUPP;
4663 
4664 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4665 		return -EOPNOTSUPP;
4666 
4667 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
4668 	if (err)
4669 		return err;
4670 
4671 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4672 	if (!msg)
4673 		return -ENOMEM;
4674 
4675 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
4676 				 dev, dst, next_hop, &pinfo) < 0) {
4677 		nlmsg_free(msg);
4678 		return -ENOBUFS;
4679 	}
4680 
4681 	return genlmsg_reply(msg, info);
4682 }
4683 
4684 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
4685 {
4686 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4687 	struct net_device *dev = info->user_ptr[1];
4688 	u8 *dst = NULL;
4689 	u8 *next_hop = NULL;
4690 
4691 	if (!info->attrs[NL80211_ATTR_MAC])
4692 		return -EINVAL;
4693 
4694 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
4695 		return -EINVAL;
4696 
4697 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4698 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
4699 
4700 	if (!rdev->ops->change_mpath)
4701 		return -EOPNOTSUPP;
4702 
4703 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4704 		return -EOPNOTSUPP;
4705 
4706 	return rdev_change_mpath(rdev, dev, dst, next_hop);
4707 }
4708 
4709 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
4710 {
4711 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4712 	struct net_device *dev = info->user_ptr[1];
4713 	u8 *dst = NULL;
4714 	u8 *next_hop = NULL;
4715 
4716 	if (!info->attrs[NL80211_ATTR_MAC])
4717 		return -EINVAL;
4718 
4719 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
4720 		return -EINVAL;
4721 
4722 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4723 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
4724 
4725 	if (!rdev->ops->add_mpath)
4726 		return -EOPNOTSUPP;
4727 
4728 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4729 		return -EOPNOTSUPP;
4730 
4731 	return rdev_add_mpath(rdev, dev, dst, next_hop);
4732 }
4733 
4734 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
4735 {
4736 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4737 	struct net_device *dev = info->user_ptr[1];
4738 	u8 *dst = NULL;
4739 
4740 	if (info->attrs[NL80211_ATTR_MAC])
4741 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4742 
4743 	if (!rdev->ops->del_mpath)
4744 		return -EOPNOTSUPP;
4745 
4746 	return rdev_del_mpath(rdev, dev, dst);
4747 }
4748 
4749 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
4750 {
4751 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4752 	int err;
4753 	struct net_device *dev = info->user_ptr[1];
4754 	struct mpath_info pinfo;
4755 	struct sk_buff *msg;
4756 	u8 *dst = NULL;
4757 	u8 mpp[ETH_ALEN];
4758 
4759 	memset(&pinfo, 0, sizeof(pinfo));
4760 
4761 	if (!info->attrs[NL80211_ATTR_MAC])
4762 		return -EINVAL;
4763 
4764 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4765 
4766 	if (!rdev->ops->get_mpp)
4767 		return -EOPNOTSUPP;
4768 
4769 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4770 		return -EOPNOTSUPP;
4771 
4772 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
4773 	if (err)
4774 		return err;
4775 
4776 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4777 	if (!msg)
4778 		return -ENOMEM;
4779 
4780 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
4781 			       dev, dst, mpp, &pinfo) < 0) {
4782 		nlmsg_free(msg);
4783 		return -ENOBUFS;
4784 	}
4785 
4786 	return genlmsg_reply(msg, info);
4787 }
4788 
4789 static int nl80211_dump_mpp(struct sk_buff *skb,
4790 			    struct netlink_callback *cb)
4791 {
4792 	struct mpath_info pinfo;
4793 	struct cfg80211_registered_device *rdev;
4794 	struct wireless_dev *wdev;
4795 	u8 dst[ETH_ALEN];
4796 	u8 mpp[ETH_ALEN];
4797 	int path_idx = cb->args[2];
4798 	int err;
4799 
4800 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
4801 	if (err)
4802 		return err;
4803 
4804 	if (!rdev->ops->dump_mpp) {
4805 		err = -EOPNOTSUPP;
4806 		goto out_err;
4807 	}
4808 
4809 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
4810 		err = -EOPNOTSUPP;
4811 		goto out_err;
4812 	}
4813 
4814 	while (1) {
4815 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
4816 				    mpp, &pinfo);
4817 		if (err == -ENOENT)
4818 			break;
4819 		if (err)
4820 			goto out_err;
4821 
4822 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
4823 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4824 				       wdev->netdev, dst, mpp,
4825 				       &pinfo) < 0)
4826 			goto out;
4827 
4828 		path_idx++;
4829 	}
4830 
4831  out:
4832 	cb->args[2] = path_idx;
4833 	err = skb->len;
4834  out_err:
4835 	nl80211_finish_wdev_dump(rdev);
4836 	return err;
4837 }
4838 
4839 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
4840 {
4841 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4842 	struct net_device *dev = info->user_ptr[1];
4843 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4844 	struct bss_parameters params;
4845 	int err;
4846 
4847 	memset(&params, 0, sizeof(params));
4848 	/* default to not changing parameters */
4849 	params.use_cts_prot = -1;
4850 	params.use_short_preamble = -1;
4851 	params.use_short_slot_time = -1;
4852 	params.ap_isolate = -1;
4853 	params.ht_opmode = -1;
4854 	params.p2p_ctwindow = -1;
4855 	params.p2p_opp_ps = -1;
4856 
4857 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
4858 		params.use_cts_prot =
4859 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
4860 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
4861 		params.use_short_preamble =
4862 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
4863 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
4864 		params.use_short_slot_time =
4865 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
4866 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
4867 		params.basic_rates =
4868 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
4869 		params.basic_rates_len =
4870 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
4871 	}
4872 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
4873 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
4874 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
4875 		params.ht_opmode =
4876 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
4877 
4878 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
4879 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4880 			return -EINVAL;
4881 		params.p2p_ctwindow =
4882 			nla_get_s8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
4883 		if (params.p2p_ctwindow < 0)
4884 			return -EINVAL;
4885 		if (params.p2p_ctwindow != 0 &&
4886 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
4887 			return -EINVAL;
4888 	}
4889 
4890 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
4891 		u8 tmp;
4892 
4893 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4894 			return -EINVAL;
4895 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
4896 		if (tmp > 1)
4897 			return -EINVAL;
4898 		params.p2p_opp_ps = tmp;
4899 		if (params.p2p_opp_ps &&
4900 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
4901 			return -EINVAL;
4902 	}
4903 
4904 	if (!rdev->ops->change_bss)
4905 		return -EOPNOTSUPP;
4906 
4907 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4908 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4909 		return -EOPNOTSUPP;
4910 
4911 	wdev_lock(wdev);
4912 	err = rdev_change_bss(rdev, dev, &params);
4913 	wdev_unlock(wdev);
4914 
4915 	return err;
4916 }
4917 
4918 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
4919 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
4920 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
4921 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
4922 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
4923 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
4924 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
4925 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
4926 };
4927 
4928 static int parse_reg_rule(struct nlattr *tb[],
4929 	struct ieee80211_reg_rule *reg_rule)
4930 {
4931 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
4932 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
4933 
4934 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
4935 		return -EINVAL;
4936 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
4937 		return -EINVAL;
4938 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
4939 		return -EINVAL;
4940 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
4941 		return -EINVAL;
4942 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
4943 		return -EINVAL;
4944 
4945 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
4946 
4947 	freq_range->start_freq_khz =
4948 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
4949 	freq_range->end_freq_khz =
4950 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
4951 	freq_range->max_bandwidth_khz =
4952 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
4953 
4954 	power_rule->max_eirp =
4955 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
4956 
4957 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
4958 		power_rule->max_antenna_gain =
4959 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
4960 
4961 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
4962 		reg_rule->dfs_cac_ms =
4963 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
4964 
4965 	return 0;
4966 }
4967 
4968 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
4969 {
4970 	char *data = NULL;
4971 	bool is_indoor;
4972 	enum nl80211_user_reg_hint_type user_reg_hint_type;
4973 	u32 owner_nlportid;
4974 
4975 
4976 	/*
4977 	 * You should only get this when cfg80211 hasn't yet initialized
4978 	 * completely when built-in to the kernel right between the time
4979 	 * window between nl80211_init() and regulatory_init(), if that is
4980 	 * even possible.
4981 	 */
4982 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
4983 		return -EINPROGRESS;
4984 
4985 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
4986 		user_reg_hint_type =
4987 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
4988 	else
4989 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
4990 
4991 	switch (user_reg_hint_type) {
4992 	case NL80211_USER_REG_HINT_USER:
4993 	case NL80211_USER_REG_HINT_CELL_BASE:
4994 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
4995 			return -EINVAL;
4996 
4997 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
4998 		return regulatory_hint_user(data, user_reg_hint_type);
4999 	case NL80211_USER_REG_HINT_INDOOR:
5000 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
5001 			owner_nlportid = info->snd_portid;
5002 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
5003 		} else {
5004 			owner_nlportid = 0;
5005 			is_indoor = true;
5006 		}
5007 
5008 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
5009 	default:
5010 		return -EINVAL;
5011 	}
5012 }
5013 
5014 static int nl80211_get_mesh_config(struct sk_buff *skb,
5015 				   struct genl_info *info)
5016 {
5017 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5018 	struct net_device *dev = info->user_ptr[1];
5019 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5020 	struct mesh_config cur_params;
5021 	int err = 0;
5022 	void *hdr;
5023 	struct nlattr *pinfoattr;
5024 	struct sk_buff *msg;
5025 
5026 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
5027 		return -EOPNOTSUPP;
5028 
5029 	if (!rdev->ops->get_mesh_config)
5030 		return -EOPNOTSUPP;
5031 
5032 	wdev_lock(wdev);
5033 	/* If not connected, get default parameters */
5034 	if (!wdev->mesh_id_len)
5035 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
5036 	else
5037 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
5038 	wdev_unlock(wdev);
5039 
5040 	if (err)
5041 		return err;
5042 
5043 	/* Draw up a netlink message to send back */
5044 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5045 	if (!msg)
5046 		return -ENOMEM;
5047 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
5048 			     NL80211_CMD_GET_MESH_CONFIG);
5049 	if (!hdr)
5050 		goto out;
5051 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MESH_CONFIG);
5052 	if (!pinfoattr)
5053 		goto nla_put_failure;
5054 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5055 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
5056 			cur_params.dot11MeshRetryTimeout) ||
5057 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
5058 			cur_params.dot11MeshConfirmTimeout) ||
5059 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
5060 			cur_params.dot11MeshHoldingTimeout) ||
5061 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
5062 			cur_params.dot11MeshMaxPeerLinks) ||
5063 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
5064 		       cur_params.dot11MeshMaxRetries) ||
5065 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
5066 		       cur_params.dot11MeshTTL) ||
5067 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
5068 		       cur_params.element_ttl) ||
5069 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
5070 		       cur_params.auto_open_plinks) ||
5071 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
5072 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
5073 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
5074 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
5075 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
5076 			cur_params.path_refresh_time) ||
5077 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
5078 			cur_params.min_discovery_timeout) ||
5079 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
5080 			cur_params.dot11MeshHWMPactivePathTimeout) ||
5081 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
5082 			cur_params.dot11MeshHWMPpreqMinInterval) ||
5083 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
5084 			cur_params.dot11MeshHWMPperrMinInterval) ||
5085 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
5086 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
5087 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
5088 		       cur_params.dot11MeshHWMPRootMode) ||
5089 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
5090 			cur_params.dot11MeshHWMPRannInterval) ||
5091 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
5092 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
5093 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
5094 		       cur_params.dot11MeshForwarding) ||
5095 	    nla_put_u32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
5096 			cur_params.rssi_threshold) ||
5097 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
5098 			cur_params.ht_opmode) ||
5099 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
5100 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
5101 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
5102 			cur_params.dot11MeshHWMProotInterval) ||
5103 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
5104 			cur_params.dot11MeshHWMPconfirmationInterval) ||
5105 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
5106 			cur_params.power_mode) ||
5107 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
5108 			cur_params.dot11MeshAwakeWindowDuration) ||
5109 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
5110 			cur_params.plink_timeout))
5111 		goto nla_put_failure;
5112 	nla_nest_end(msg, pinfoattr);
5113 	genlmsg_end(msg, hdr);
5114 	return genlmsg_reply(msg, info);
5115 
5116  nla_put_failure:
5117 	genlmsg_cancel(msg, hdr);
5118  out:
5119 	nlmsg_free(msg);
5120 	return -ENOBUFS;
5121 }
5122 
5123 static const struct nla_policy nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
5124 	[NL80211_MESHCONF_RETRY_TIMEOUT] = { .type = NLA_U16 },
5125 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] = { .type = NLA_U16 },
5126 	[NL80211_MESHCONF_HOLDING_TIMEOUT] = { .type = NLA_U16 },
5127 	[NL80211_MESHCONF_MAX_PEER_LINKS] = { .type = NLA_U16 },
5128 	[NL80211_MESHCONF_MAX_RETRIES] = { .type = NLA_U8 },
5129 	[NL80211_MESHCONF_TTL] = { .type = NLA_U8 },
5130 	[NL80211_MESHCONF_ELEMENT_TTL] = { .type = NLA_U8 },
5131 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = { .type = NLA_U8 },
5132 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] = { .type = NLA_U32 },
5133 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
5134 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
5135 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = { .type = NLA_U16 },
5136 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
5137 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] = { .type = NLA_U16 },
5138 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] = { .type = NLA_U16 },
5139 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] = { .type = NLA_U16 },
5140 	[NL80211_MESHCONF_HWMP_ROOTMODE] = { .type = NLA_U8 },
5141 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] = { .type = NLA_U16 },
5142 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = { .type = NLA_U8 },
5143 	[NL80211_MESHCONF_FORWARDING] = { .type = NLA_U8 },
5144 	[NL80211_MESHCONF_RSSI_THRESHOLD] = { .type = NLA_U32 },
5145 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
5146 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
5147 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] = { .type = NLA_U16 },
5148 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] = { .type = NLA_U16 },
5149 	[NL80211_MESHCONF_POWER_MODE] = { .type = NLA_U32 },
5150 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
5151 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
5152 };
5153 
5154 static const struct nla_policy
5155 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
5156 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
5157 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
5158 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
5159 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
5160 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
5161 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
5162 	[NL80211_MESH_SETUP_IE] = { .type = NLA_BINARY,
5163 				    .len = IEEE80211_MAX_DATA_LEN },
5164 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
5165 };
5166 
5167 static int nl80211_parse_mesh_config(struct genl_info *info,
5168 				     struct mesh_config *cfg,
5169 				     u32 *mask_out)
5170 {
5171 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
5172 	u32 mask = 0;
5173 
5174 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, min, max, mask, attr, fn) \
5175 do {									    \
5176 	if (tb[attr]) {							    \
5177 		if (fn(tb[attr]) < min || fn(tb[attr]) > max)		    \
5178 			return -EINVAL;					    \
5179 		cfg->param = fn(tb[attr]);				    \
5180 		mask |= (1 << (attr - 1));				    \
5181 	}								    \
5182 } while (0)
5183 
5184 
5185 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
5186 		return -EINVAL;
5187 	if (nla_parse_nested(tb, NL80211_MESHCONF_ATTR_MAX,
5188 			     info->attrs[NL80211_ATTR_MESH_CONFIG],
5189 			     nl80211_meshconf_params_policy))
5190 		return -EINVAL;
5191 
5192 	/* This makes sure that there aren't more than 32 mesh config
5193 	 * parameters (otherwise our bitfield scheme would not work.) */
5194 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
5195 
5196 	/* Fill in the params struct */
5197 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, 1, 255,
5198 				  mask, NL80211_MESHCONF_RETRY_TIMEOUT,
5199 				  nla_get_u16);
5200 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, 1, 255,
5201 				  mask, NL80211_MESHCONF_CONFIRM_TIMEOUT,
5202 				  nla_get_u16);
5203 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, 1, 255,
5204 				  mask, NL80211_MESHCONF_HOLDING_TIMEOUT,
5205 				  nla_get_u16);
5206 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, 0, 255,
5207 				  mask, NL80211_MESHCONF_MAX_PEER_LINKS,
5208 				  nla_get_u16);
5209 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, 0, 16,
5210 				  mask, NL80211_MESHCONF_MAX_RETRIES,
5211 				  nla_get_u8);
5212 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, 1, 255,
5213 				  mask, NL80211_MESHCONF_TTL, nla_get_u8);
5214 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, 1, 255,
5215 				  mask, NL80211_MESHCONF_ELEMENT_TTL,
5216 				  nla_get_u8);
5217 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, 0, 1,
5218 				  mask, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
5219 				  nla_get_u8);
5220 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
5221 				  1, 255, mask,
5222 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
5223 				  nla_get_u32);
5224 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, 0, 255,
5225 				  mask, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
5226 				  nla_get_u8);
5227 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, 1, 65535,
5228 				  mask, NL80211_MESHCONF_PATH_REFRESH_TIME,
5229 				  nla_get_u32);
5230 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, 1, 65535,
5231 				  mask, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
5232 				  nla_get_u16);
5233 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
5234 				  1, 65535, mask,
5235 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
5236 				  nla_get_u32);
5237 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval,
5238 				  1, 65535, mask,
5239 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
5240 				  nla_get_u16);
5241 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval,
5242 				  1, 65535, mask,
5243 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
5244 				  nla_get_u16);
5245 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5246 				  dot11MeshHWMPnetDiameterTraversalTime,
5247 				  1, 65535, mask,
5248 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
5249 				  nla_get_u16);
5250 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, 0, 4,
5251 				  mask, NL80211_MESHCONF_HWMP_ROOTMODE,
5252 				  nla_get_u8);
5253 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, 1, 65535,
5254 				  mask, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
5255 				  nla_get_u16);
5256 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5257 				  dot11MeshGateAnnouncementProtocol, 0, 1,
5258 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
5259 				  nla_get_u8);
5260 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, 0, 1,
5261 				  mask, NL80211_MESHCONF_FORWARDING,
5262 				  nla_get_u8);
5263 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, -255, 0,
5264 				  mask, NL80211_MESHCONF_RSSI_THRESHOLD,
5265 				  nla_get_s32);
5266 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, ht_opmode, 0, 16,
5267 				  mask, NL80211_MESHCONF_HT_OPMODE,
5268 				  nla_get_u16);
5269 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathToRootTimeout,
5270 				  1, 65535, mask,
5271 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
5272 				  nla_get_u32);
5273 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, 1, 65535,
5274 				  mask, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
5275 				  nla_get_u16);
5276 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5277 				  dot11MeshHWMPconfirmationInterval,
5278 				  1, 65535, mask,
5279 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
5280 				  nla_get_u16);
5281 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode,
5282 				  NL80211_MESH_POWER_ACTIVE,
5283 				  NL80211_MESH_POWER_MAX,
5284 				  mask, NL80211_MESHCONF_POWER_MODE,
5285 				  nla_get_u32);
5286 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration,
5287 				  0, 65535, mask,
5288 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
5289 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, 0, 0xffffffff,
5290 				  mask, NL80211_MESHCONF_PLINK_TIMEOUT,
5291 				  nla_get_u32);
5292 	if (mask_out)
5293 		*mask_out = mask;
5294 
5295 	return 0;
5296 
5297 #undef FILL_IN_MESH_PARAM_IF_SET
5298 }
5299 
5300 static int nl80211_parse_mesh_setup(struct genl_info *info,
5301 				     struct mesh_setup *setup)
5302 {
5303 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5304 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
5305 
5306 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
5307 		return -EINVAL;
5308 	if (nla_parse_nested(tb, NL80211_MESH_SETUP_ATTR_MAX,
5309 			     info->attrs[NL80211_ATTR_MESH_SETUP],
5310 			     nl80211_mesh_setup_params_policy))
5311 		return -EINVAL;
5312 
5313 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
5314 		setup->sync_method =
5315 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
5316 		 IEEE80211_SYNC_METHOD_VENDOR :
5317 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
5318 
5319 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
5320 		setup->path_sel_proto =
5321 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
5322 		 IEEE80211_PATH_PROTOCOL_VENDOR :
5323 		 IEEE80211_PATH_PROTOCOL_HWMP;
5324 
5325 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
5326 		setup->path_metric =
5327 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
5328 		 IEEE80211_PATH_METRIC_VENDOR :
5329 		 IEEE80211_PATH_METRIC_AIRTIME;
5330 
5331 
5332 	if (tb[NL80211_MESH_SETUP_IE]) {
5333 		struct nlattr *ieattr =
5334 			tb[NL80211_MESH_SETUP_IE];
5335 		if (!is_valid_ie_attr(ieattr))
5336 			return -EINVAL;
5337 		setup->ie = nla_data(ieattr);
5338 		setup->ie_len = nla_len(ieattr);
5339 	}
5340 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
5341 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
5342 		return -EINVAL;
5343 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
5344 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
5345 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
5346 	if (setup->is_secure)
5347 		setup->user_mpm = true;
5348 
5349 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
5350 		if (!setup->user_mpm)
5351 			return -EINVAL;
5352 		setup->auth_id =
5353 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
5354 	}
5355 
5356 	return 0;
5357 }
5358 
5359 static int nl80211_update_mesh_config(struct sk_buff *skb,
5360 				      struct genl_info *info)
5361 {
5362 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5363 	struct net_device *dev = info->user_ptr[1];
5364 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5365 	struct mesh_config cfg;
5366 	u32 mask;
5367 	int err;
5368 
5369 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
5370 		return -EOPNOTSUPP;
5371 
5372 	if (!rdev->ops->update_mesh_config)
5373 		return -EOPNOTSUPP;
5374 
5375 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
5376 	if (err)
5377 		return err;
5378 
5379 	wdev_lock(wdev);
5380 	if (!wdev->mesh_id_len)
5381 		err = -ENOLINK;
5382 
5383 	if (!err)
5384 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
5385 
5386 	wdev_unlock(wdev);
5387 
5388 	return err;
5389 }
5390 
5391 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
5392 			      struct sk_buff *msg)
5393 {
5394 	struct nlattr *nl_reg_rules;
5395 	unsigned int i;
5396 
5397 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
5398 	    (regdom->dfs_region &&
5399 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
5400 		goto nla_put_failure;
5401 
5402 	nl_reg_rules = nla_nest_start(msg, NL80211_ATTR_REG_RULES);
5403 	if (!nl_reg_rules)
5404 		goto nla_put_failure;
5405 
5406 	for (i = 0; i < regdom->n_reg_rules; i++) {
5407 		struct nlattr *nl_reg_rule;
5408 		const struct ieee80211_reg_rule *reg_rule;
5409 		const struct ieee80211_freq_range *freq_range;
5410 		const struct ieee80211_power_rule *power_rule;
5411 		unsigned int max_bandwidth_khz;
5412 
5413 		reg_rule = &regdom->reg_rules[i];
5414 		freq_range = &reg_rule->freq_range;
5415 		power_rule = &reg_rule->power_rule;
5416 
5417 		nl_reg_rule = nla_nest_start(msg, i);
5418 		if (!nl_reg_rule)
5419 			goto nla_put_failure;
5420 
5421 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
5422 		if (!max_bandwidth_khz)
5423 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
5424 								  reg_rule);
5425 
5426 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
5427 				reg_rule->flags) ||
5428 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
5429 				freq_range->start_freq_khz) ||
5430 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
5431 				freq_range->end_freq_khz) ||
5432 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
5433 				max_bandwidth_khz) ||
5434 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
5435 				power_rule->max_antenna_gain) ||
5436 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
5437 				power_rule->max_eirp) ||
5438 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
5439 				reg_rule->dfs_cac_ms))
5440 			goto nla_put_failure;
5441 
5442 		nla_nest_end(msg, nl_reg_rule);
5443 	}
5444 
5445 	nla_nest_end(msg, nl_reg_rules);
5446 	return 0;
5447 
5448 nla_put_failure:
5449 	return -EMSGSIZE;
5450 }
5451 
5452 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
5453 {
5454 	const struct ieee80211_regdomain *regdom = NULL;
5455 	struct cfg80211_registered_device *rdev;
5456 	struct wiphy *wiphy = NULL;
5457 	struct sk_buff *msg;
5458 	void *hdr;
5459 
5460 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5461 	if (!msg)
5462 		return -ENOBUFS;
5463 
5464 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
5465 			     NL80211_CMD_GET_REG);
5466 	if (!hdr)
5467 		goto put_failure;
5468 
5469 	if (info->attrs[NL80211_ATTR_WIPHY]) {
5470 		bool self_managed;
5471 
5472 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
5473 		if (IS_ERR(rdev)) {
5474 			nlmsg_free(msg);
5475 			return PTR_ERR(rdev);
5476 		}
5477 
5478 		wiphy = &rdev->wiphy;
5479 		self_managed = wiphy->regulatory_flags &
5480 			       REGULATORY_WIPHY_SELF_MANAGED;
5481 		regdom = get_wiphy_regdom(wiphy);
5482 
5483 		/* a self-managed-reg device must have a private regdom */
5484 		if (WARN_ON(!regdom && self_managed)) {
5485 			nlmsg_free(msg);
5486 			return -EINVAL;
5487 		}
5488 
5489 		if (regdom &&
5490 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
5491 			goto nla_put_failure;
5492 	}
5493 
5494 	if (!wiphy && reg_last_request_cell_base() &&
5495 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
5496 			NL80211_USER_REG_HINT_CELL_BASE))
5497 		goto nla_put_failure;
5498 
5499 	rcu_read_lock();
5500 
5501 	if (!regdom)
5502 		regdom = rcu_dereference(cfg80211_regdomain);
5503 
5504 	if (nl80211_put_regdom(regdom, msg))
5505 		goto nla_put_failure_rcu;
5506 
5507 	rcu_read_unlock();
5508 
5509 	genlmsg_end(msg, hdr);
5510 	return genlmsg_reply(msg, info);
5511 
5512 nla_put_failure_rcu:
5513 	rcu_read_unlock();
5514 nla_put_failure:
5515 	genlmsg_cancel(msg, hdr);
5516 put_failure:
5517 	nlmsg_free(msg);
5518 	return -EMSGSIZE;
5519 }
5520 
5521 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
5522 			       u32 seq, int flags, struct wiphy *wiphy,
5523 			       const struct ieee80211_regdomain *regdom)
5524 {
5525 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
5526 				   NL80211_CMD_GET_REG);
5527 
5528 	if (!hdr)
5529 		return -1;
5530 
5531 	genl_dump_check_consistent(cb, hdr, &nl80211_fam);
5532 
5533 	if (nl80211_put_regdom(regdom, msg))
5534 		goto nla_put_failure;
5535 
5536 	if (!wiphy && reg_last_request_cell_base() &&
5537 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
5538 			NL80211_USER_REG_HINT_CELL_BASE))
5539 		goto nla_put_failure;
5540 
5541 	if (wiphy &&
5542 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
5543 		goto nla_put_failure;
5544 
5545 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
5546 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
5547 		goto nla_put_failure;
5548 
5549 	genlmsg_end(msg, hdr);
5550 	return 0;
5551 
5552 nla_put_failure:
5553 	genlmsg_cancel(msg, hdr);
5554 	return -EMSGSIZE;
5555 }
5556 
5557 static int nl80211_get_reg_dump(struct sk_buff *skb,
5558 				struct netlink_callback *cb)
5559 {
5560 	const struct ieee80211_regdomain *regdom = NULL;
5561 	struct cfg80211_registered_device *rdev;
5562 	int err, reg_idx, start = cb->args[2];
5563 
5564 	rtnl_lock();
5565 
5566 	if (cfg80211_regdomain && start == 0) {
5567 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
5568 					  NLM_F_MULTI, NULL,
5569 					  rtnl_dereference(cfg80211_regdomain));
5570 		if (err < 0)
5571 			goto out_err;
5572 	}
5573 
5574 	/* the global regdom is idx 0 */
5575 	reg_idx = 1;
5576 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
5577 		regdom = get_wiphy_regdom(&rdev->wiphy);
5578 		if (!regdom)
5579 			continue;
5580 
5581 		if (++reg_idx <= start)
5582 			continue;
5583 
5584 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
5585 					  NLM_F_MULTI, &rdev->wiphy, regdom);
5586 		if (err < 0) {
5587 			reg_idx--;
5588 			break;
5589 		}
5590 	}
5591 
5592 	cb->args[2] = reg_idx;
5593 	err = skb->len;
5594 out_err:
5595 	rtnl_unlock();
5596 	return err;
5597 }
5598 
5599 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
5600 {
5601 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
5602 	struct nlattr *nl_reg_rule;
5603 	char *alpha2;
5604 	int rem_reg_rules, r;
5605 	u32 num_rules = 0, rule_idx = 0, size_of_regd;
5606 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
5607 	struct ieee80211_regdomain *rd;
5608 
5609 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
5610 		return -EINVAL;
5611 
5612 	if (!info->attrs[NL80211_ATTR_REG_RULES])
5613 		return -EINVAL;
5614 
5615 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
5616 
5617 	if (info->attrs[NL80211_ATTR_DFS_REGION])
5618 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
5619 
5620 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
5621 			    rem_reg_rules) {
5622 		num_rules++;
5623 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
5624 			return -EINVAL;
5625 	}
5626 
5627 	if (!reg_is_valid_request(alpha2))
5628 		return -EINVAL;
5629 
5630 	size_of_regd = sizeof(struct ieee80211_regdomain) +
5631 		       num_rules * sizeof(struct ieee80211_reg_rule);
5632 
5633 	rd = kzalloc(size_of_regd, GFP_KERNEL);
5634 	if (!rd)
5635 		return -ENOMEM;
5636 
5637 	rd->n_reg_rules = num_rules;
5638 	rd->alpha2[0] = alpha2[0];
5639 	rd->alpha2[1] = alpha2[1];
5640 
5641 	/*
5642 	 * Disable DFS master mode if the DFS region was
5643 	 * not supported or known on this kernel.
5644 	 */
5645 	if (reg_supported_dfs_region(dfs_region))
5646 		rd->dfs_region = dfs_region;
5647 
5648 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
5649 			    rem_reg_rules) {
5650 		r = nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
5651 			      nla_data(nl_reg_rule), nla_len(nl_reg_rule),
5652 			      reg_rule_policy);
5653 		if (r)
5654 			goto bad_reg;
5655 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
5656 		if (r)
5657 			goto bad_reg;
5658 
5659 		rule_idx++;
5660 
5661 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
5662 			r = -EINVAL;
5663 			goto bad_reg;
5664 		}
5665 	}
5666 
5667 	r = set_regdom(rd, REGD_SOURCE_CRDA);
5668 	/* set_regdom took ownership */
5669 	rd = NULL;
5670 
5671  bad_reg:
5672 	kfree(rd);
5673 	return r;
5674 }
5675 
5676 static int validate_scan_freqs(struct nlattr *freqs)
5677 {
5678 	struct nlattr *attr1, *attr2;
5679 	int n_channels = 0, tmp1, tmp2;
5680 
5681 	nla_for_each_nested(attr1, freqs, tmp1) {
5682 		n_channels++;
5683 		/*
5684 		 * Some hardware has a limited channel list for
5685 		 * scanning, and it is pretty much nonsensical
5686 		 * to scan for a channel twice, so disallow that
5687 		 * and don't require drivers to check that the
5688 		 * channel list they get isn't longer than what
5689 		 * they can scan, as long as they can scan all
5690 		 * the channels they registered at once.
5691 		 */
5692 		nla_for_each_nested(attr2, freqs, tmp2)
5693 			if (attr1 != attr2 &&
5694 			    nla_get_u32(attr1) == nla_get_u32(attr2))
5695 				return 0;
5696 	}
5697 
5698 	return n_channels;
5699 }
5700 
5701 static int nl80211_parse_random_mac(struct nlattr **attrs,
5702 				    u8 *mac_addr, u8 *mac_addr_mask)
5703 {
5704 	int i;
5705 
5706 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
5707 		eth_zero_addr(mac_addr);
5708 		eth_zero_addr(mac_addr_mask);
5709 		mac_addr[0] = 0x2;
5710 		mac_addr_mask[0] = 0x3;
5711 
5712 		return 0;
5713 	}
5714 
5715 	/* need both or none */
5716 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
5717 		return -EINVAL;
5718 
5719 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
5720 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
5721 
5722 	/* don't allow or configure an mcast address */
5723 	if (!is_multicast_ether_addr(mac_addr_mask) ||
5724 	    is_multicast_ether_addr(mac_addr))
5725 		return -EINVAL;
5726 
5727 	/*
5728 	 * allow users to pass a MAC address that has bits set outside
5729 	 * of the mask, but don't bother drivers with having to deal
5730 	 * with such bits
5731 	 */
5732 	for (i = 0; i < ETH_ALEN; i++)
5733 		mac_addr[i] &= mac_addr_mask[i];
5734 
5735 	return 0;
5736 }
5737 
5738 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
5739 {
5740 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5741 	struct wireless_dev *wdev = info->user_ptr[1];
5742 	struct cfg80211_scan_request *request;
5743 	struct nlattr *attr;
5744 	struct wiphy *wiphy;
5745 	int err, tmp, n_ssids = 0, n_channels, i;
5746 	size_t ie_len;
5747 
5748 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5749 		return -EINVAL;
5750 
5751 	wiphy = &rdev->wiphy;
5752 
5753 	if (!rdev->ops->scan)
5754 		return -EOPNOTSUPP;
5755 
5756 	if (rdev->scan_req || rdev->scan_msg) {
5757 		err = -EBUSY;
5758 		goto unlock;
5759 	}
5760 
5761 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5762 		n_channels = validate_scan_freqs(
5763 				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
5764 		if (!n_channels) {
5765 			err = -EINVAL;
5766 			goto unlock;
5767 		}
5768 	} else {
5769 		n_channels = ieee80211_get_num_supported_channels(wiphy);
5770 	}
5771 
5772 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
5773 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
5774 			n_ssids++;
5775 
5776 	if (n_ssids > wiphy->max_scan_ssids) {
5777 		err = -EINVAL;
5778 		goto unlock;
5779 	}
5780 
5781 	if (info->attrs[NL80211_ATTR_IE])
5782 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5783 	else
5784 		ie_len = 0;
5785 
5786 	if (ie_len > wiphy->max_scan_ie_len) {
5787 		err = -EINVAL;
5788 		goto unlock;
5789 	}
5790 
5791 	request = kzalloc(sizeof(*request)
5792 			+ sizeof(*request->ssids) * n_ssids
5793 			+ sizeof(*request->channels) * n_channels
5794 			+ ie_len, GFP_KERNEL);
5795 	if (!request) {
5796 		err = -ENOMEM;
5797 		goto unlock;
5798 	}
5799 
5800 	if (n_ssids)
5801 		request->ssids = (void *)&request->channels[n_channels];
5802 	request->n_ssids = n_ssids;
5803 	if (ie_len) {
5804 		if (n_ssids)
5805 			request->ie = (void *)(request->ssids + n_ssids);
5806 		else
5807 			request->ie = (void *)(request->channels + n_channels);
5808 	}
5809 
5810 	i = 0;
5811 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5812 		/* user specified, bail out if channel not found */
5813 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
5814 			struct ieee80211_channel *chan;
5815 
5816 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
5817 
5818 			if (!chan) {
5819 				err = -EINVAL;
5820 				goto out_free;
5821 			}
5822 
5823 			/* ignore disabled channels */
5824 			if (chan->flags & IEEE80211_CHAN_DISABLED)
5825 				continue;
5826 
5827 			request->channels[i] = chan;
5828 			i++;
5829 		}
5830 	} else {
5831 		enum ieee80211_band band;
5832 
5833 		/* all channels */
5834 		for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
5835 			int j;
5836 			if (!wiphy->bands[band])
5837 				continue;
5838 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
5839 				struct ieee80211_channel *chan;
5840 
5841 				chan = &wiphy->bands[band]->channels[j];
5842 
5843 				if (chan->flags & IEEE80211_CHAN_DISABLED)
5844 					continue;
5845 
5846 				request->channels[i] = chan;
5847 				i++;
5848 			}
5849 		}
5850 	}
5851 
5852 	if (!i) {
5853 		err = -EINVAL;
5854 		goto out_free;
5855 	}
5856 
5857 	request->n_channels = i;
5858 
5859 	i = 0;
5860 	if (n_ssids) {
5861 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
5862 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
5863 				err = -EINVAL;
5864 				goto out_free;
5865 			}
5866 			request->ssids[i].ssid_len = nla_len(attr);
5867 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
5868 			i++;
5869 		}
5870 	}
5871 
5872 	if (info->attrs[NL80211_ATTR_IE]) {
5873 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5874 		memcpy((void *)request->ie,
5875 		       nla_data(info->attrs[NL80211_ATTR_IE]),
5876 		       request->ie_len);
5877 	}
5878 
5879 	for (i = 0; i < IEEE80211_NUM_BANDS; i++)
5880 		if (wiphy->bands[i])
5881 			request->rates[i] =
5882 				(1 << wiphy->bands[i]->n_bitrates) - 1;
5883 
5884 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
5885 		nla_for_each_nested(attr,
5886 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
5887 				    tmp) {
5888 			enum ieee80211_band band = nla_type(attr);
5889 
5890 			if (band < 0 || band >= IEEE80211_NUM_BANDS) {
5891 				err = -EINVAL;
5892 				goto out_free;
5893 			}
5894 
5895 			if (!wiphy->bands[band])
5896 				continue;
5897 
5898 			err = ieee80211_get_ratemask(wiphy->bands[band],
5899 						     nla_data(attr),
5900 						     nla_len(attr),
5901 						     &request->rates[band]);
5902 			if (err)
5903 				goto out_free;
5904 		}
5905 	}
5906 
5907 	if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
5908 		request->flags = nla_get_u32(
5909 			info->attrs[NL80211_ATTR_SCAN_FLAGS]);
5910 		if ((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
5911 		    !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) {
5912 			err = -EOPNOTSUPP;
5913 			goto out_free;
5914 		}
5915 
5916 		if (request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
5917 			if (!(wiphy->features &
5918 					NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR)) {
5919 				err = -EOPNOTSUPP;
5920 				goto out_free;
5921 			}
5922 
5923 			if (wdev->current_bss) {
5924 				err = -EOPNOTSUPP;
5925 				goto out_free;
5926 			}
5927 
5928 			err = nl80211_parse_random_mac(info->attrs,
5929 						       request->mac_addr,
5930 						       request->mac_addr_mask);
5931 			if (err)
5932 				goto out_free;
5933 		}
5934 	}
5935 
5936 	request->no_cck =
5937 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
5938 
5939 	request->wdev = wdev;
5940 	request->wiphy = &rdev->wiphy;
5941 	request->scan_start = jiffies;
5942 
5943 	rdev->scan_req = request;
5944 	err = rdev_scan(rdev, request);
5945 
5946 	if (!err) {
5947 		nl80211_send_scan_start(rdev, wdev);
5948 		if (wdev->netdev)
5949 			dev_hold(wdev->netdev);
5950 	} else {
5951  out_free:
5952 		rdev->scan_req = NULL;
5953 		kfree(request);
5954 	}
5955 
5956  unlock:
5957 	return err;
5958 }
5959 
5960 static struct cfg80211_sched_scan_request *
5961 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
5962 			 struct nlattr **attrs)
5963 {
5964 	struct cfg80211_sched_scan_request *request;
5965 	struct nlattr *attr;
5966 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i;
5967 	u32 interval;
5968 	enum ieee80211_band band;
5969 	size_t ie_len;
5970 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
5971 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
5972 
5973 	if (!is_valid_ie_attr(attrs[NL80211_ATTR_IE]))
5974 		return ERR_PTR(-EINVAL);
5975 
5976 	if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
5977 		return ERR_PTR(-EINVAL);
5978 
5979 	interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
5980 	if (interval == 0)
5981 		return ERR_PTR(-EINVAL);
5982 
5983 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5984 		n_channels = validate_scan_freqs(
5985 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
5986 		if (!n_channels)
5987 			return ERR_PTR(-EINVAL);
5988 	} else {
5989 		n_channels = ieee80211_get_num_supported_channels(wiphy);
5990 	}
5991 
5992 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
5993 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
5994 				    tmp)
5995 			n_ssids++;
5996 
5997 	if (n_ssids > wiphy->max_sched_scan_ssids)
5998 		return ERR_PTR(-EINVAL);
5999 
6000 	/*
6001 	 * First, count the number of 'real' matchsets. Due to an issue with
6002 	 * the old implementation, matchsets containing only the RSSI attribute
6003 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
6004 	 * RSSI for all matchsets, rather than their own matchset for reporting
6005 	 * all APs with a strong RSSI. This is needed to be compatible with
6006 	 * older userspace that treated a matchset with only the RSSI as the
6007 	 * global RSSI for all other matchsets - if there are other matchsets.
6008 	 */
6009 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
6010 		nla_for_each_nested(attr,
6011 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
6012 				    tmp) {
6013 			struct nlattr *rssi;
6014 
6015 			err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
6016 					nla_data(attr), nla_len(attr),
6017 					nl80211_match_policy);
6018 			if (err)
6019 				return ERR_PTR(err);
6020 			/* add other standalone attributes here */
6021 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID]) {
6022 				n_match_sets++;
6023 				continue;
6024 			}
6025 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
6026 			if (rssi)
6027 				default_match_rssi = nla_get_s32(rssi);
6028 		}
6029 	}
6030 
6031 	/* However, if there's no other matchset, add the RSSI one */
6032 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
6033 		n_match_sets = 1;
6034 
6035 	if (n_match_sets > wiphy->max_match_sets)
6036 		return ERR_PTR(-EINVAL);
6037 
6038 	if (attrs[NL80211_ATTR_IE])
6039 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
6040 	else
6041 		ie_len = 0;
6042 
6043 	if (ie_len > wiphy->max_sched_scan_ie_len)
6044 		return ERR_PTR(-EINVAL);
6045 
6046 	request = kzalloc(sizeof(*request)
6047 			+ sizeof(*request->ssids) * n_ssids
6048 			+ sizeof(*request->match_sets) * n_match_sets
6049 			+ sizeof(*request->channels) * n_channels
6050 			+ ie_len, GFP_KERNEL);
6051 	if (!request)
6052 		return ERR_PTR(-ENOMEM);
6053 
6054 	if (n_ssids)
6055 		request->ssids = (void *)&request->channels[n_channels];
6056 	request->n_ssids = n_ssids;
6057 	if (ie_len) {
6058 		if (n_ssids)
6059 			request->ie = (void *)(request->ssids + n_ssids);
6060 		else
6061 			request->ie = (void *)(request->channels + n_channels);
6062 	}
6063 
6064 	if (n_match_sets) {
6065 		if (request->ie)
6066 			request->match_sets = (void *)(request->ie + ie_len);
6067 		else if (n_ssids)
6068 			request->match_sets =
6069 				(void *)(request->ssids + n_ssids);
6070 		else
6071 			request->match_sets =
6072 				(void *)(request->channels + n_channels);
6073 	}
6074 	request->n_match_sets = n_match_sets;
6075 
6076 	i = 0;
6077 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
6078 		/* user specified, bail out if channel not found */
6079 		nla_for_each_nested(attr,
6080 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
6081 				    tmp) {
6082 			struct ieee80211_channel *chan;
6083 
6084 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
6085 
6086 			if (!chan) {
6087 				err = -EINVAL;
6088 				goto out_free;
6089 			}
6090 
6091 			/* ignore disabled channels */
6092 			if (chan->flags & IEEE80211_CHAN_DISABLED)
6093 				continue;
6094 
6095 			request->channels[i] = chan;
6096 			i++;
6097 		}
6098 	} else {
6099 		/* all channels */
6100 		for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
6101 			int j;
6102 			if (!wiphy->bands[band])
6103 				continue;
6104 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
6105 				struct ieee80211_channel *chan;
6106 
6107 				chan = &wiphy->bands[band]->channels[j];
6108 
6109 				if (chan->flags & IEEE80211_CHAN_DISABLED)
6110 					continue;
6111 
6112 				request->channels[i] = chan;
6113 				i++;
6114 			}
6115 		}
6116 	}
6117 
6118 	if (!i) {
6119 		err = -EINVAL;
6120 		goto out_free;
6121 	}
6122 
6123 	request->n_channels = i;
6124 
6125 	i = 0;
6126 	if (n_ssids) {
6127 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
6128 				    tmp) {
6129 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
6130 				err = -EINVAL;
6131 				goto out_free;
6132 			}
6133 			request->ssids[i].ssid_len = nla_len(attr);
6134 			memcpy(request->ssids[i].ssid, nla_data(attr),
6135 			       nla_len(attr));
6136 			i++;
6137 		}
6138 	}
6139 
6140 	i = 0;
6141 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
6142 		nla_for_each_nested(attr,
6143 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
6144 				    tmp) {
6145 			struct nlattr *ssid, *rssi;
6146 
6147 			err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
6148 					nla_data(attr), nla_len(attr),
6149 					nl80211_match_policy);
6150 			if (err)
6151 				goto out_free;
6152 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
6153 			if (ssid) {
6154 				if (WARN_ON(i >= n_match_sets)) {
6155 					/* this indicates a programming error,
6156 					 * the loop above should have verified
6157 					 * things properly
6158 					 */
6159 					err = -EINVAL;
6160 					goto out_free;
6161 				}
6162 
6163 				if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
6164 					err = -EINVAL;
6165 					goto out_free;
6166 				}
6167 				memcpy(request->match_sets[i].ssid.ssid,
6168 				       nla_data(ssid), nla_len(ssid));
6169 				request->match_sets[i].ssid.ssid_len =
6170 					nla_len(ssid);
6171 				/* special attribute - old implemenation w/a */
6172 				request->match_sets[i].rssi_thold =
6173 					default_match_rssi;
6174 				rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
6175 				if (rssi)
6176 					request->match_sets[i].rssi_thold =
6177 						nla_get_s32(rssi);
6178 			}
6179 			i++;
6180 		}
6181 
6182 		/* there was no other matchset, so the RSSI one is alone */
6183 		if (i == 0 && n_match_sets)
6184 			request->match_sets[0].rssi_thold = default_match_rssi;
6185 
6186 		request->min_rssi_thold = INT_MAX;
6187 		for (i = 0; i < n_match_sets; i++)
6188 			request->min_rssi_thold =
6189 				min(request->match_sets[i].rssi_thold,
6190 				    request->min_rssi_thold);
6191 	} else {
6192 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
6193 	}
6194 
6195 	if (ie_len) {
6196 		request->ie_len = ie_len;
6197 		memcpy((void *)request->ie,
6198 		       nla_data(attrs[NL80211_ATTR_IE]),
6199 		       request->ie_len);
6200 	}
6201 
6202 	if (attrs[NL80211_ATTR_SCAN_FLAGS]) {
6203 		request->flags = nla_get_u32(
6204 			attrs[NL80211_ATTR_SCAN_FLAGS]);
6205 		if ((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
6206 		    !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) {
6207 			err = -EOPNOTSUPP;
6208 			goto out_free;
6209 		}
6210 
6211 		if (request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
6212 			u32 flg = NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR;
6213 
6214 			if (!wdev) /* must be net-detect */
6215 				flg = NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
6216 
6217 			if (!(wiphy->features & flg)) {
6218 				err = -EOPNOTSUPP;
6219 				goto out_free;
6220 			}
6221 
6222 			if (wdev && wdev->current_bss) {
6223 				err = -EOPNOTSUPP;
6224 				goto out_free;
6225 			}
6226 
6227 			err = nl80211_parse_random_mac(attrs, request->mac_addr,
6228 						       request->mac_addr_mask);
6229 			if (err)
6230 				goto out_free;
6231 		}
6232 	}
6233 
6234 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
6235 		request->delay =
6236 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
6237 
6238 	request->interval = interval;
6239 	request->scan_start = jiffies;
6240 
6241 	return request;
6242 
6243 out_free:
6244 	kfree(request);
6245 	return ERR_PTR(err);
6246 }
6247 
6248 static int nl80211_start_sched_scan(struct sk_buff *skb,
6249 				    struct genl_info *info)
6250 {
6251 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6252 	struct net_device *dev = info->user_ptr[1];
6253 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6254 	struct cfg80211_sched_scan_request *sched_scan_req;
6255 	int err;
6256 
6257 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
6258 	    !rdev->ops->sched_scan_start)
6259 		return -EOPNOTSUPP;
6260 
6261 	if (rdev->sched_scan_req)
6262 		return -EINPROGRESS;
6263 
6264 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
6265 						  info->attrs);
6266 
6267 	err = PTR_ERR_OR_ZERO(sched_scan_req);
6268 	if (err)
6269 		goto out_err;
6270 
6271 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
6272 	if (err)
6273 		goto out_free;
6274 
6275 	sched_scan_req->dev = dev;
6276 	sched_scan_req->wiphy = &rdev->wiphy;
6277 
6278 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6279 		sched_scan_req->owner_nlportid = info->snd_portid;
6280 
6281 	rcu_assign_pointer(rdev->sched_scan_req, sched_scan_req);
6282 
6283 	nl80211_send_sched_scan(rdev, dev,
6284 				NL80211_CMD_START_SCHED_SCAN);
6285 	return 0;
6286 
6287 out_free:
6288 	kfree(sched_scan_req);
6289 out_err:
6290 	return err;
6291 }
6292 
6293 static int nl80211_stop_sched_scan(struct sk_buff *skb,
6294 				   struct genl_info *info)
6295 {
6296 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6297 
6298 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
6299 	    !rdev->ops->sched_scan_stop)
6300 		return -EOPNOTSUPP;
6301 
6302 	return __cfg80211_stop_sched_scan(rdev, false);
6303 }
6304 
6305 static int nl80211_start_radar_detection(struct sk_buff *skb,
6306 					 struct genl_info *info)
6307 {
6308 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6309 	struct net_device *dev = info->user_ptr[1];
6310 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6311 	struct cfg80211_chan_def chandef;
6312 	enum nl80211_dfs_regions dfs_region;
6313 	unsigned int cac_time_ms;
6314 	int err;
6315 
6316 	dfs_region = reg_get_dfs_region(wdev->wiphy);
6317 	if (dfs_region == NL80211_DFS_UNSET)
6318 		return -EINVAL;
6319 
6320 	err = nl80211_parse_chandef(rdev, info, &chandef);
6321 	if (err)
6322 		return err;
6323 
6324 	if (netif_carrier_ok(dev))
6325 		return -EBUSY;
6326 
6327 	if (wdev->cac_started)
6328 		return -EBUSY;
6329 
6330 	err = cfg80211_chandef_dfs_required(wdev->wiphy, &chandef,
6331 					    wdev->iftype);
6332 	if (err < 0)
6333 		return err;
6334 
6335 	if (err == 0)
6336 		return -EINVAL;
6337 
6338 	if (!cfg80211_chandef_dfs_usable(wdev->wiphy, &chandef))
6339 		return -EINVAL;
6340 
6341 	if (!rdev->ops->start_radar_detection)
6342 		return -EOPNOTSUPP;
6343 
6344 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
6345 	if (WARN_ON(!cac_time_ms))
6346 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
6347 
6348 	err = rdev->ops->start_radar_detection(&rdev->wiphy, dev, &chandef,
6349 					       cac_time_ms);
6350 	if (!err) {
6351 		wdev->chandef = chandef;
6352 		wdev->cac_started = true;
6353 		wdev->cac_start_time = jiffies;
6354 		wdev->cac_time_ms = cac_time_ms;
6355 	}
6356 	return err;
6357 }
6358 
6359 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
6360 {
6361 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6362 	struct net_device *dev = info->user_ptr[1];
6363 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6364 	struct cfg80211_csa_settings params;
6365 	/* csa_attrs is defined static to avoid waste of stack size - this
6366 	 * function is called under RTNL lock, so this should not be a problem.
6367 	 */
6368 	static struct nlattr *csa_attrs[NL80211_ATTR_MAX+1];
6369 	int err;
6370 	bool need_new_beacon = false;
6371 	int len, i;
6372 	u32 cs_count;
6373 
6374 	if (!rdev->ops->channel_switch ||
6375 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
6376 		return -EOPNOTSUPP;
6377 
6378 	switch (dev->ieee80211_ptr->iftype) {
6379 	case NL80211_IFTYPE_AP:
6380 	case NL80211_IFTYPE_P2P_GO:
6381 		need_new_beacon = true;
6382 
6383 		/* useless if AP is not running */
6384 		if (!wdev->beacon_interval)
6385 			return -ENOTCONN;
6386 		break;
6387 	case NL80211_IFTYPE_ADHOC:
6388 		if (!wdev->ssid_len)
6389 			return -ENOTCONN;
6390 		break;
6391 	case NL80211_IFTYPE_MESH_POINT:
6392 		if (!wdev->mesh_id_len)
6393 			return -ENOTCONN;
6394 		break;
6395 	default:
6396 		return -EOPNOTSUPP;
6397 	}
6398 
6399 	memset(&params, 0, sizeof(params));
6400 
6401 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
6402 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
6403 		return -EINVAL;
6404 
6405 	/* only important for AP, IBSS and mesh create IEs internally */
6406 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
6407 		return -EINVAL;
6408 
6409 	/* Even though the attribute is u32, the specification says
6410 	 * u8, so let's make sure we don't overflow.
6411 	 */
6412 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
6413 	if (cs_count > 255)
6414 		return -EINVAL;
6415 
6416 	params.count = cs_count;
6417 
6418 	if (!need_new_beacon)
6419 		goto skip_beacons;
6420 
6421 	err = nl80211_parse_beacon(info->attrs, &params.beacon_after);
6422 	if (err)
6423 		return err;
6424 
6425 	err = nla_parse_nested(csa_attrs, NL80211_ATTR_MAX,
6426 			       info->attrs[NL80211_ATTR_CSA_IES],
6427 			       nl80211_policy);
6428 	if (err)
6429 		return err;
6430 
6431 	err = nl80211_parse_beacon(csa_attrs, &params.beacon_csa);
6432 	if (err)
6433 		return err;
6434 
6435 	if (!csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON])
6436 		return -EINVAL;
6437 
6438 	len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
6439 	if (!len || (len % sizeof(u16)))
6440 		return -EINVAL;
6441 
6442 	params.n_counter_offsets_beacon = len / sizeof(u16);
6443 	if (rdev->wiphy.max_num_csa_counters &&
6444 	    (params.n_counter_offsets_beacon >
6445 	     rdev->wiphy.max_num_csa_counters))
6446 		return -EINVAL;
6447 
6448 	params.counter_offsets_beacon =
6449 		nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
6450 
6451 	/* sanity checks - counters should fit and be the same */
6452 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
6453 		u16 offset = params.counter_offsets_beacon[i];
6454 
6455 		if (offset >= params.beacon_csa.tail_len)
6456 			return -EINVAL;
6457 
6458 		if (params.beacon_csa.tail[offset] != params.count)
6459 			return -EINVAL;
6460 	}
6461 
6462 	if (csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]) {
6463 		len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
6464 		if (!len || (len % sizeof(u16)))
6465 			return -EINVAL;
6466 
6467 		params.n_counter_offsets_presp = len / sizeof(u16);
6468 		if (rdev->wiphy.max_num_csa_counters &&
6469 		    (params.n_counter_offsets_beacon >
6470 		     rdev->wiphy.max_num_csa_counters))
6471 			return -EINVAL;
6472 
6473 		params.counter_offsets_presp =
6474 			nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
6475 
6476 		/* sanity checks - counters should fit and be the same */
6477 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
6478 			u16 offset = params.counter_offsets_presp[i];
6479 
6480 			if (offset >= params.beacon_csa.probe_resp_len)
6481 				return -EINVAL;
6482 
6483 			if (params.beacon_csa.probe_resp[offset] !=
6484 			    params.count)
6485 				return -EINVAL;
6486 		}
6487 	}
6488 
6489 skip_beacons:
6490 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
6491 	if (err)
6492 		return err;
6493 
6494 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &params.chandef,
6495 				     wdev->iftype))
6496 		return -EINVAL;
6497 
6498 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
6499 					    &params.chandef,
6500 					    wdev->iftype);
6501 	if (err < 0)
6502 		return err;
6503 
6504 	if (err > 0)
6505 		params.radar_required = true;
6506 
6507 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
6508 		params.block_tx = true;
6509 
6510 	wdev_lock(wdev);
6511 	err = rdev_channel_switch(rdev, dev, &params);
6512 	wdev_unlock(wdev);
6513 
6514 	return err;
6515 }
6516 
6517 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
6518 			    u32 seq, int flags,
6519 			    struct cfg80211_registered_device *rdev,
6520 			    struct wireless_dev *wdev,
6521 			    struct cfg80211_internal_bss *intbss)
6522 {
6523 	struct cfg80211_bss *res = &intbss->pub;
6524 	const struct cfg80211_bss_ies *ies;
6525 	void *hdr;
6526 	struct nlattr *bss;
6527 
6528 	ASSERT_WDEV_LOCK(wdev);
6529 
6530 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
6531 			     NL80211_CMD_NEW_SCAN_RESULTS);
6532 	if (!hdr)
6533 		return -1;
6534 
6535 	genl_dump_check_consistent(cb, hdr, &nl80211_fam);
6536 
6537 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
6538 		goto nla_put_failure;
6539 	if (wdev->netdev &&
6540 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
6541 		goto nla_put_failure;
6542 	if (nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
6543 		goto nla_put_failure;
6544 
6545 	bss = nla_nest_start(msg, NL80211_ATTR_BSS);
6546 	if (!bss)
6547 		goto nla_put_failure;
6548 	if ((!is_zero_ether_addr(res->bssid) &&
6549 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
6550 		goto nla_put_failure;
6551 
6552 	rcu_read_lock();
6553 	/* indicate whether we have probe response data or not */
6554 	if (rcu_access_pointer(res->proberesp_ies) &&
6555 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
6556 		goto fail_unlock_rcu;
6557 
6558 	/* this pointer prefers to be pointed to probe response data
6559 	 * but is always valid
6560 	 */
6561 	ies = rcu_dereference(res->ies);
6562 	if (ies) {
6563 		if (nla_put_u64(msg, NL80211_BSS_TSF, ies->tsf))
6564 			goto fail_unlock_rcu;
6565 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
6566 					ies->len, ies->data))
6567 			goto fail_unlock_rcu;
6568 	}
6569 
6570 	/* and this pointer is always (unless driver didn't know) beacon data */
6571 	ies = rcu_dereference(res->beacon_ies);
6572 	if (ies && ies->from_beacon) {
6573 		if (nla_put_u64(msg, NL80211_BSS_BEACON_TSF, ies->tsf))
6574 			goto fail_unlock_rcu;
6575 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
6576 					ies->len, ies->data))
6577 			goto fail_unlock_rcu;
6578 	}
6579 	rcu_read_unlock();
6580 
6581 	if (res->beacon_interval &&
6582 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
6583 		goto nla_put_failure;
6584 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
6585 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
6586 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
6587 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
6588 			jiffies_to_msecs(jiffies - intbss->ts)))
6589 		goto nla_put_failure;
6590 
6591 	switch (rdev->wiphy.signal_type) {
6592 	case CFG80211_SIGNAL_TYPE_MBM:
6593 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
6594 			goto nla_put_failure;
6595 		break;
6596 	case CFG80211_SIGNAL_TYPE_UNSPEC:
6597 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
6598 			goto nla_put_failure;
6599 		break;
6600 	default:
6601 		break;
6602 	}
6603 
6604 	switch (wdev->iftype) {
6605 	case NL80211_IFTYPE_P2P_CLIENT:
6606 	case NL80211_IFTYPE_STATION:
6607 		if (intbss == wdev->current_bss &&
6608 		    nla_put_u32(msg, NL80211_BSS_STATUS,
6609 				NL80211_BSS_STATUS_ASSOCIATED))
6610 			goto nla_put_failure;
6611 		break;
6612 	case NL80211_IFTYPE_ADHOC:
6613 		if (intbss == wdev->current_bss &&
6614 		    nla_put_u32(msg, NL80211_BSS_STATUS,
6615 				NL80211_BSS_STATUS_IBSS_JOINED))
6616 			goto nla_put_failure;
6617 		break;
6618 	default:
6619 		break;
6620 	}
6621 
6622 	nla_nest_end(msg, bss);
6623 
6624 	genlmsg_end(msg, hdr);
6625 	return 0;
6626 
6627  fail_unlock_rcu:
6628 	rcu_read_unlock();
6629  nla_put_failure:
6630 	genlmsg_cancel(msg, hdr);
6631 	return -EMSGSIZE;
6632 }
6633 
6634 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
6635 {
6636 	struct cfg80211_registered_device *rdev;
6637 	struct cfg80211_internal_bss *scan;
6638 	struct wireless_dev *wdev;
6639 	int start = cb->args[2], idx = 0;
6640 	int err;
6641 
6642 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
6643 	if (err)
6644 		return err;
6645 
6646 	wdev_lock(wdev);
6647 	spin_lock_bh(&rdev->bss_lock);
6648 	cfg80211_bss_expire(rdev);
6649 
6650 	cb->seq = rdev->bss_generation;
6651 
6652 	list_for_each_entry(scan, &rdev->bss_list, list) {
6653 		if (++idx <= start)
6654 			continue;
6655 		if (nl80211_send_bss(skb, cb,
6656 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6657 				rdev, wdev, scan) < 0) {
6658 			idx--;
6659 			break;
6660 		}
6661 	}
6662 
6663 	spin_unlock_bh(&rdev->bss_lock);
6664 	wdev_unlock(wdev);
6665 
6666 	cb->args[2] = idx;
6667 	nl80211_finish_wdev_dump(rdev);
6668 
6669 	return skb->len;
6670 }
6671 
6672 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
6673 			       int flags, struct net_device *dev,
6674 			       bool allow_radio_stats,
6675 			       struct survey_info *survey)
6676 {
6677 	void *hdr;
6678 	struct nlattr *infoattr;
6679 
6680 	/* skip radio stats if userspace didn't request them */
6681 	if (!survey->channel && !allow_radio_stats)
6682 		return 0;
6683 
6684 	hdr = nl80211hdr_put(msg, portid, seq, flags,
6685 			     NL80211_CMD_NEW_SURVEY_RESULTS);
6686 	if (!hdr)
6687 		return -ENOMEM;
6688 
6689 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
6690 		goto nla_put_failure;
6691 
6692 	infoattr = nla_nest_start(msg, NL80211_ATTR_SURVEY_INFO);
6693 	if (!infoattr)
6694 		goto nla_put_failure;
6695 
6696 	if (survey->channel &&
6697 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
6698 			survey->channel->center_freq))
6699 		goto nla_put_failure;
6700 
6701 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
6702 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
6703 		goto nla_put_failure;
6704 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
6705 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
6706 		goto nla_put_failure;
6707 	if ((survey->filled & SURVEY_INFO_TIME) &&
6708 	    nla_put_u64(msg, NL80211_SURVEY_INFO_TIME,
6709 			survey->time))
6710 		goto nla_put_failure;
6711 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
6712 	    nla_put_u64(msg, NL80211_SURVEY_INFO_TIME_BUSY,
6713 			survey->time_busy))
6714 		goto nla_put_failure;
6715 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
6716 	    nla_put_u64(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
6717 			survey->time_ext_busy))
6718 		goto nla_put_failure;
6719 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
6720 	    nla_put_u64(msg, NL80211_SURVEY_INFO_TIME_RX,
6721 			survey->time_rx))
6722 		goto nla_put_failure;
6723 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
6724 	    nla_put_u64(msg, NL80211_SURVEY_INFO_TIME_TX,
6725 			survey->time_tx))
6726 		goto nla_put_failure;
6727 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
6728 	    nla_put_u64(msg, NL80211_SURVEY_INFO_TIME_SCAN,
6729 			survey->time_scan))
6730 		goto nla_put_failure;
6731 
6732 	nla_nest_end(msg, infoattr);
6733 
6734 	genlmsg_end(msg, hdr);
6735 	return 0;
6736 
6737  nla_put_failure:
6738 	genlmsg_cancel(msg, hdr);
6739 	return -EMSGSIZE;
6740 }
6741 
6742 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
6743 {
6744 	struct survey_info survey;
6745 	struct cfg80211_registered_device *rdev;
6746 	struct wireless_dev *wdev;
6747 	int survey_idx = cb->args[2];
6748 	int res;
6749 	bool radio_stats;
6750 
6751 	res = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
6752 	if (res)
6753 		return res;
6754 
6755 	/* prepare_wdev_dump parsed the attributes */
6756 	radio_stats = nl80211_fam.attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
6757 
6758 	if (!wdev->netdev) {
6759 		res = -EINVAL;
6760 		goto out_err;
6761 	}
6762 
6763 	if (!rdev->ops->dump_survey) {
6764 		res = -EOPNOTSUPP;
6765 		goto out_err;
6766 	}
6767 
6768 	while (1) {
6769 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
6770 		if (res == -ENOENT)
6771 			break;
6772 		if (res)
6773 			goto out_err;
6774 
6775 		/* don't send disabled channels, but do send non-channel data */
6776 		if (survey.channel &&
6777 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
6778 			survey_idx++;
6779 			continue;
6780 		}
6781 
6782 		if (nl80211_send_survey(skb,
6783 				NETLINK_CB(cb->skb).portid,
6784 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6785 				wdev->netdev, radio_stats, &survey) < 0)
6786 			goto out;
6787 		survey_idx++;
6788 	}
6789 
6790  out:
6791 	cb->args[2] = survey_idx;
6792 	res = skb->len;
6793  out_err:
6794 	nl80211_finish_wdev_dump(rdev);
6795 	return res;
6796 }
6797 
6798 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
6799 {
6800 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
6801 				  NL80211_WPA_VERSION_2));
6802 }
6803 
6804 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
6805 {
6806 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6807 	struct net_device *dev = info->user_ptr[1];
6808 	struct ieee80211_channel *chan;
6809 	const u8 *bssid, *ssid, *ie = NULL, *sae_data = NULL;
6810 	int err, ssid_len, ie_len = 0, sae_data_len = 0;
6811 	enum nl80211_auth_type auth_type;
6812 	struct key_parse key;
6813 	bool local_state_change;
6814 
6815 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6816 		return -EINVAL;
6817 
6818 	if (!info->attrs[NL80211_ATTR_MAC])
6819 		return -EINVAL;
6820 
6821 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
6822 		return -EINVAL;
6823 
6824 	if (!info->attrs[NL80211_ATTR_SSID])
6825 		return -EINVAL;
6826 
6827 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
6828 		return -EINVAL;
6829 
6830 	err = nl80211_parse_key(info, &key);
6831 	if (err)
6832 		return err;
6833 
6834 	if (key.idx >= 0) {
6835 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
6836 			return -EINVAL;
6837 		if (!key.p.key || !key.p.key_len)
6838 			return -EINVAL;
6839 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
6840 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
6841 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
6842 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
6843 			return -EINVAL;
6844 		if (key.idx > 4)
6845 			return -EINVAL;
6846 	} else {
6847 		key.p.key_len = 0;
6848 		key.p.key = NULL;
6849 	}
6850 
6851 	if (key.idx >= 0) {
6852 		int i;
6853 		bool ok = false;
6854 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
6855 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
6856 				ok = true;
6857 				break;
6858 			}
6859 		}
6860 		if (!ok)
6861 			return -EINVAL;
6862 	}
6863 
6864 	if (!rdev->ops->auth)
6865 		return -EOPNOTSUPP;
6866 
6867 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6868 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6869 		return -EOPNOTSUPP;
6870 
6871 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6872 	chan = nl80211_get_valid_chan(&rdev->wiphy,
6873 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
6874 	if (!chan)
6875 		return -EINVAL;
6876 
6877 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6878 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
6879 
6880 	if (info->attrs[NL80211_ATTR_IE]) {
6881 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6882 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6883 	}
6884 
6885 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
6886 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
6887 		return -EINVAL;
6888 
6889 	if (auth_type == NL80211_AUTHTYPE_SAE &&
6890 	    !info->attrs[NL80211_ATTR_SAE_DATA])
6891 		return -EINVAL;
6892 
6893 	if (info->attrs[NL80211_ATTR_SAE_DATA]) {
6894 		if (auth_type != NL80211_AUTHTYPE_SAE)
6895 			return -EINVAL;
6896 		sae_data = nla_data(info->attrs[NL80211_ATTR_SAE_DATA]);
6897 		sae_data_len = nla_len(info->attrs[NL80211_ATTR_SAE_DATA]);
6898 		/* need to include at least Auth Transaction and Status Code */
6899 		if (sae_data_len < 4)
6900 			return -EINVAL;
6901 	}
6902 
6903 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
6904 
6905 	/*
6906 	 * Since we no longer track auth state, ignore
6907 	 * requests to only change local state.
6908 	 */
6909 	if (local_state_change)
6910 		return 0;
6911 
6912 	wdev_lock(dev->ieee80211_ptr);
6913 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
6914 				 ssid, ssid_len, ie, ie_len,
6915 				 key.p.key, key.p.key_len, key.idx,
6916 				 sae_data, sae_data_len);
6917 	wdev_unlock(dev->ieee80211_ptr);
6918 	return err;
6919 }
6920 
6921 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
6922 				   struct genl_info *info,
6923 				   struct cfg80211_crypto_settings *settings,
6924 				   int cipher_limit)
6925 {
6926 	memset(settings, 0, sizeof(*settings));
6927 
6928 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
6929 
6930 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
6931 		u16 proto;
6932 		proto = nla_get_u16(
6933 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
6934 		settings->control_port_ethertype = cpu_to_be16(proto);
6935 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
6936 		    proto != ETH_P_PAE)
6937 			return -EINVAL;
6938 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
6939 			settings->control_port_no_encrypt = true;
6940 	} else
6941 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
6942 
6943 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
6944 		void *data;
6945 		int len, i;
6946 
6947 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
6948 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
6949 		settings->n_ciphers_pairwise = len / sizeof(u32);
6950 
6951 		if (len % sizeof(u32))
6952 			return -EINVAL;
6953 
6954 		if (settings->n_ciphers_pairwise > cipher_limit)
6955 			return -EINVAL;
6956 
6957 		memcpy(settings->ciphers_pairwise, data, len);
6958 
6959 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
6960 			if (!cfg80211_supported_cipher_suite(
6961 					&rdev->wiphy,
6962 					settings->ciphers_pairwise[i]))
6963 				return -EINVAL;
6964 	}
6965 
6966 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
6967 		settings->cipher_group =
6968 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
6969 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
6970 						     settings->cipher_group))
6971 			return -EINVAL;
6972 	}
6973 
6974 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
6975 		settings->wpa_versions =
6976 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
6977 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
6978 			return -EINVAL;
6979 	}
6980 
6981 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
6982 		void *data;
6983 		int len;
6984 
6985 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
6986 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
6987 		settings->n_akm_suites = len / sizeof(u32);
6988 
6989 		if (len % sizeof(u32))
6990 			return -EINVAL;
6991 
6992 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
6993 			return -EINVAL;
6994 
6995 		memcpy(settings->akm_suites, data, len);
6996 	}
6997 
6998 	return 0;
6999 }
7000 
7001 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
7002 {
7003 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7004 	struct net_device *dev = info->user_ptr[1];
7005 	struct ieee80211_channel *chan;
7006 	struct cfg80211_assoc_request req = {};
7007 	const u8 *bssid, *ssid;
7008 	int err, ssid_len = 0;
7009 
7010 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7011 		return -EINVAL;
7012 
7013 	if (!info->attrs[NL80211_ATTR_MAC] ||
7014 	    !info->attrs[NL80211_ATTR_SSID] ||
7015 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
7016 		return -EINVAL;
7017 
7018 	if (!rdev->ops->assoc)
7019 		return -EOPNOTSUPP;
7020 
7021 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7022 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7023 		return -EOPNOTSUPP;
7024 
7025 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7026 
7027 	chan = nl80211_get_valid_chan(&rdev->wiphy,
7028 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
7029 	if (!chan)
7030 		return -EINVAL;
7031 
7032 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
7033 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
7034 
7035 	if (info->attrs[NL80211_ATTR_IE]) {
7036 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7037 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7038 	}
7039 
7040 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
7041 		enum nl80211_mfp mfp =
7042 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
7043 		if (mfp == NL80211_MFP_REQUIRED)
7044 			req.use_mfp = true;
7045 		else if (mfp != NL80211_MFP_NO)
7046 			return -EINVAL;
7047 	}
7048 
7049 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
7050 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
7051 
7052 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
7053 		req.flags |= ASSOC_REQ_DISABLE_HT;
7054 
7055 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7056 		memcpy(&req.ht_capa_mask,
7057 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
7058 		       sizeof(req.ht_capa_mask));
7059 
7060 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
7061 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7062 			return -EINVAL;
7063 		memcpy(&req.ht_capa,
7064 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
7065 		       sizeof(req.ht_capa));
7066 	}
7067 
7068 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
7069 		req.flags |= ASSOC_REQ_DISABLE_VHT;
7070 
7071 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
7072 		memcpy(&req.vht_capa_mask,
7073 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
7074 		       sizeof(req.vht_capa_mask));
7075 
7076 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
7077 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
7078 			return -EINVAL;
7079 		memcpy(&req.vht_capa,
7080 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
7081 		       sizeof(req.vht_capa));
7082 	}
7083 
7084 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
7085 		if (!(rdev->wiphy.features &
7086 		      NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) ||
7087 		    !(rdev->wiphy.features & NL80211_FEATURE_QUIET))
7088 			return -EINVAL;
7089 		req.flags |= ASSOC_REQ_USE_RRM;
7090 	}
7091 
7092 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
7093 	if (!err) {
7094 		wdev_lock(dev->ieee80211_ptr);
7095 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
7096 					  ssid, ssid_len, &req);
7097 		wdev_unlock(dev->ieee80211_ptr);
7098 	}
7099 
7100 	return err;
7101 }
7102 
7103 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
7104 {
7105 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7106 	struct net_device *dev = info->user_ptr[1];
7107 	const u8 *ie = NULL, *bssid;
7108 	int ie_len = 0, err;
7109 	u16 reason_code;
7110 	bool local_state_change;
7111 
7112 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7113 		return -EINVAL;
7114 
7115 	if (!info->attrs[NL80211_ATTR_MAC])
7116 		return -EINVAL;
7117 
7118 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
7119 		return -EINVAL;
7120 
7121 	if (!rdev->ops->deauth)
7122 		return -EOPNOTSUPP;
7123 
7124 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7125 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7126 		return -EOPNOTSUPP;
7127 
7128 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7129 
7130 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7131 	if (reason_code == 0) {
7132 		/* Reason Code 0 is reserved */
7133 		return -EINVAL;
7134 	}
7135 
7136 	if (info->attrs[NL80211_ATTR_IE]) {
7137 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7138 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7139 	}
7140 
7141 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
7142 
7143 	wdev_lock(dev->ieee80211_ptr);
7144 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
7145 				   local_state_change);
7146 	wdev_unlock(dev->ieee80211_ptr);
7147 	return err;
7148 }
7149 
7150 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
7151 {
7152 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7153 	struct net_device *dev = info->user_ptr[1];
7154 	const u8 *ie = NULL, *bssid;
7155 	int ie_len = 0, err;
7156 	u16 reason_code;
7157 	bool local_state_change;
7158 
7159 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7160 		return -EINVAL;
7161 
7162 	if (!info->attrs[NL80211_ATTR_MAC])
7163 		return -EINVAL;
7164 
7165 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
7166 		return -EINVAL;
7167 
7168 	if (!rdev->ops->disassoc)
7169 		return -EOPNOTSUPP;
7170 
7171 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7172 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7173 		return -EOPNOTSUPP;
7174 
7175 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7176 
7177 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7178 	if (reason_code == 0) {
7179 		/* Reason Code 0 is reserved */
7180 		return -EINVAL;
7181 	}
7182 
7183 	if (info->attrs[NL80211_ATTR_IE]) {
7184 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7185 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7186 	}
7187 
7188 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
7189 
7190 	wdev_lock(dev->ieee80211_ptr);
7191 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
7192 				     local_state_change);
7193 	wdev_unlock(dev->ieee80211_ptr);
7194 	return err;
7195 }
7196 
7197 static bool
7198 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
7199 			 int mcast_rate[IEEE80211_NUM_BANDS],
7200 			 int rateval)
7201 {
7202 	struct wiphy *wiphy = &rdev->wiphy;
7203 	bool found = false;
7204 	int band, i;
7205 
7206 	for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
7207 		struct ieee80211_supported_band *sband;
7208 
7209 		sband = wiphy->bands[band];
7210 		if (!sband)
7211 			continue;
7212 
7213 		for (i = 0; i < sband->n_bitrates; i++) {
7214 			if (sband->bitrates[i].bitrate == rateval) {
7215 				mcast_rate[band] = i + 1;
7216 				found = true;
7217 				break;
7218 			}
7219 		}
7220 	}
7221 
7222 	return found;
7223 }
7224 
7225 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
7226 {
7227 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7228 	struct net_device *dev = info->user_ptr[1];
7229 	struct cfg80211_ibss_params ibss;
7230 	struct wiphy *wiphy;
7231 	struct cfg80211_cached_keys *connkeys = NULL;
7232 	int err;
7233 
7234 	memset(&ibss, 0, sizeof(ibss));
7235 
7236 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7237 		return -EINVAL;
7238 
7239 	if (!info->attrs[NL80211_ATTR_SSID] ||
7240 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
7241 		return -EINVAL;
7242 
7243 	ibss.beacon_interval = 100;
7244 
7245 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
7246 		ibss.beacon_interval =
7247 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
7248 		if (ibss.beacon_interval < 1 || ibss.beacon_interval > 10000)
7249 			return -EINVAL;
7250 	}
7251 
7252 	if (!rdev->ops->join_ibss)
7253 		return -EOPNOTSUPP;
7254 
7255 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
7256 		return -EOPNOTSUPP;
7257 
7258 	wiphy = &rdev->wiphy;
7259 
7260 	if (info->attrs[NL80211_ATTR_MAC]) {
7261 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7262 
7263 		if (!is_valid_ether_addr(ibss.bssid))
7264 			return -EINVAL;
7265 	}
7266 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
7267 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
7268 
7269 	if (info->attrs[NL80211_ATTR_IE]) {
7270 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7271 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7272 	}
7273 
7274 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
7275 	if (err)
7276 		return err;
7277 
7278 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
7279 				     NL80211_IFTYPE_ADHOC))
7280 		return -EINVAL;
7281 
7282 	switch (ibss.chandef.width) {
7283 	case NL80211_CHAN_WIDTH_5:
7284 	case NL80211_CHAN_WIDTH_10:
7285 	case NL80211_CHAN_WIDTH_20_NOHT:
7286 		break;
7287 	case NL80211_CHAN_WIDTH_20:
7288 	case NL80211_CHAN_WIDTH_40:
7289 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
7290 			return -EINVAL;
7291 		break;
7292 	case NL80211_CHAN_WIDTH_80:
7293 	case NL80211_CHAN_WIDTH_80P80:
7294 	case NL80211_CHAN_WIDTH_160:
7295 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
7296 			return -EINVAL;
7297 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
7298 					     NL80211_EXT_FEATURE_VHT_IBSS))
7299 			return -EINVAL;
7300 		break;
7301 	default:
7302 		return -EINVAL;
7303 	}
7304 
7305 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
7306 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
7307 
7308 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
7309 		u8 *rates =
7310 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7311 		int n_rates =
7312 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7313 		struct ieee80211_supported_band *sband =
7314 			wiphy->bands[ibss.chandef.chan->band];
7315 
7316 		err = ieee80211_get_ratemask(sband, rates, n_rates,
7317 					     &ibss.basic_rates);
7318 		if (err)
7319 			return err;
7320 	}
7321 
7322 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7323 		memcpy(&ibss.ht_capa_mask,
7324 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
7325 		       sizeof(ibss.ht_capa_mask));
7326 
7327 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
7328 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7329 			return -EINVAL;
7330 		memcpy(&ibss.ht_capa,
7331 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
7332 		       sizeof(ibss.ht_capa));
7333 	}
7334 
7335 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
7336 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
7337 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
7338 		return -EINVAL;
7339 
7340 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
7341 		bool no_ht = false;
7342 
7343 		connkeys = nl80211_parse_connkeys(rdev,
7344 					  info->attrs[NL80211_ATTR_KEYS],
7345 					  &no_ht);
7346 		if (IS_ERR(connkeys))
7347 			return PTR_ERR(connkeys);
7348 
7349 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
7350 		    no_ht) {
7351 			kfree(connkeys);
7352 			return -EINVAL;
7353 		}
7354 	}
7355 
7356 	ibss.control_port =
7357 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
7358 
7359 	ibss.userspace_handles_dfs =
7360 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
7361 
7362 	err = cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
7363 	if (err)
7364 		kzfree(connkeys);
7365 	return err;
7366 }
7367 
7368 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
7369 {
7370 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7371 	struct net_device *dev = info->user_ptr[1];
7372 
7373 	if (!rdev->ops->leave_ibss)
7374 		return -EOPNOTSUPP;
7375 
7376 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
7377 		return -EOPNOTSUPP;
7378 
7379 	return cfg80211_leave_ibss(rdev, dev, false);
7380 }
7381 
7382 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
7383 {
7384 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7385 	struct net_device *dev = info->user_ptr[1];
7386 	int mcast_rate[IEEE80211_NUM_BANDS];
7387 	u32 nla_rate;
7388 	int err;
7389 
7390 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
7391 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7392 		return -EOPNOTSUPP;
7393 
7394 	if (!rdev->ops->set_mcast_rate)
7395 		return -EOPNOTSUPP;
7396 
7397 	memset(mcast_rate, 0, sizeof(mcast_rate));
7398 
7399 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
7400 		return -EINVAL;
7401 
7402 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
7403 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
7404 		return -EINVAL;
7405 
7406 	err = rdev->ops->set_mcast_rate(&rdev->wiphy, dev, mcast_rate);
7407 
7408 	return err;
7409 }
7410 
7411 static struct sk_buff *
7412 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
7413 			    struct wireless_dev *wdev, int approxlen,
7414 			    u32 portid, u32 seq, enum nl80211_commands cmd,
7415 			    enum nl80211_attrs attr,
7416 			    const struct nl80211_vendor_cmd_info *info,
7417 			    gfp_t gfp)
7418 {
7419 	struct sk_buff *skb;
7420 	void *hdr;
7421 	struct nlattr *data;
7422 
7423 	skb = nlmsg_new(approxlen + 100, gfp);
7424 	if (!skb)
7425 		return NULL;
7426 
7427 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
7428 	if (!hdr) {
7429 		kfree_skb(skb);
7430 		return NULL;
7431 	}
7432 
7433 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
7434 		goto nla_put_failure;
7435 
7436 	if (info) {
7437 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
7438 				info->vendor_id))
7439 			goto nla_put_failure;
7440 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
7441 				info->subcmd))
7442 			goto nla_put_failure;
7443 	}
7444 
7445 	if (wdev) {
7446 		if (nla_put_u64(skb, NL80211_ATTR_WDEV,
7447 				wdev_id(wdev)))
7448 			goto nla_put_failure;
7449 		if (wdev->netdev &&
7450 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
7451 				wdev->netdev->ifindex))
7452 			goto nla_put_failure;
7453 	}
7454 
7455 	data = nla_nest_start(skb, attr);
7456 
7457 	((void **)skb->cb)[0] = rdev;
7458 	((void **)skb->cb)[1] = hdr;
7459 	((void **)skb->cb)[2] = data;
7460 
7461 	return skb;
7462 
7463  nla_put_failure:
7464 	kfree_skb(skb);
7465 	return NULL;
7466 }
7467 
7468 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
7469 					   struct wireless_dev *wdev,
7470 					   enum nl80211_commands cmd,
7471 					   enum nl80211_attrs attr,
7472 					   int vendor_event_idx,
7473 					   int approxlen, gfp_t gfp)
7474 {
7475 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
7476 	const struct nl80211_vendor_cmd_info *info;
7477 
7478 	switch (cmd) {
7479 	case NL80211_CMD_TESTMODE:
7480 		if (WARN_ON(vendor_event_idx != -1))
7481 			return NULL;
7482 		info = NULL;
7483 		break;
7484 	case NL80211_CMD_VENDOR:
7485 		if (WARN_ON(vendor_event_idx < 0 ||
7486 			    vendor_event_idx >= wiphy->n_vendor_events))
7487 			return NULL;
7488 		info = &wiphy->vendor_events[vendor_event_idx];
7489 		break;
7490 	default:
7491 		WARN_ON(1);
7492 		return NULL;
7493 	}
7494 
7495 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, 0, 0,
7496 					   cmd, attr, info, gfp);
7497 }
7498 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
7499 
7500 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
7501 {
7502 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
7503 	void *hdr = ((void **)skb->cb)[1];
7504 	struct nlattr *data = ((void **)skb->cb)[2];
7505 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
7506 
7507 	/* clear CB data for netlink core to own from now on */
7508 	memset(skb->cb, 0, sizeof(skb->cb));
7509 
7510 	nla_nest_end(skb, data);
7511 	genlmsg_end(skb, hdr);
7512 
7513 	if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
7514 		mcgrp = NL80211_MCGRP_VENDOR;
7515 
7516 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), skb, 0,
7517 				mcgrp, gfp);
7518 }
7519 EXPORT_SYMBOL(__cfg80211_send_event_skb);
7520 
7521 #ifdef CONFIG_NL80211_TESTMODE
7522 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
7523 {
7524 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7525 	struct wireless_dev *wdev =
7526 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
7527 	int err;
7528 
7529 	if (!rdev->ops->testmode_cmd)
7530 		return -EOPNOTSUPP;
7531 
7532 	if (IS_ERR(wdev)) {
7533 		err = PTR_ERR(wdev);
7534 		if (err != -EINVAL)
7535 			return err;
7536 		wdev = NULL;
7537 	} else if (wdev->wiphy != &rdev->wiphy) {
7538 		return -EINVAL;
7539 	}
7540 
7541 	if (!info->attrs[NL80211_ATTR_TESTDATA])
7542 		return -EINVAL;
7543 
7544 	rdev->cur_cmd_info = info;
7545 	err = rdev_testmode_cmd(rdev, wdev,
7546 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
7547 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
7548 	rdev->cur_cmd_info = NULL;
7549 
7550 	return err;
7551 }
7552 
7553 static int nl80211_testmode_dump(struct sk_buff *skb,
7554 				 struct netlink_callback *cb)
7555 {
7556 	struct cfg80211_registered_device *rdev;
7557 	int err;
7558 	long phy_idx;
7559 	void *data = NULL;
7560 	int data_len = 0;
7561 
7562 	rtnl_lock();
7563 
7564 	if (cb->args[0]) {
7565 		/*
7566 		 * 0 is a valid index, but not valid for args[0],
7567 		 * so we need to offset by 1.
7568 		 */
7569 		phy_idx = cb->args[0] - 1;
7570 	} else {
7571 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
7572 				  nl80211_fam.attrbuf, nl80211_fam.maxattr,
7573 				  nl80211_policy);
7574 		if (err)
7575 			goto out_err;
7576 
7577 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk),
7578 						  nl80211_fam.attrbuf);
7579 		if (IS_ERR(rdev)) {
7580 			err = PTR_ERR(rdev);
7581 			goto out_err;
7582 		}
7583 		phy_idx = rdev->wiphy_idx;
7584 		rdev = NULL;
7585 
7586 		if (nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA])
7587 			cb->args[1] =
7588 				(long)nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA];
7589 	}
7590 
7591 	if (cb->args[1]) {
7592 		data = nla_data((void *)cb->args[1]);
7593 		data_len = nla_len((void *)cb->args[1]);
7594 	}
7595 
7596 	rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
7597 	if (!rdev) {
7598 		err = -ENOENT;
7599 		goto out_err;
7600 	}
7601 
7602 	if (!rdev->ops->testmode_dump) {
7603 		err = -EOPNOTSUPP;
7604 		goto out_err;
7605 	}
7606 
7607 	while (1) {
7608 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
7609 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
7610 					   NL80211_CMD_TESTMODE);
7611 		struct nlattr *tmdata;
7612 
7613 		if (!hdr)
7614 			break;
7615 
7616 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
7617 			genlmsg_cancel(skb, hdr);
7618 			break;
7619 		}
7620 
7621 		tmdata = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
7622 		if (!tmdata) {
7623 			genlmsg_cancel(skb, hdr);
7624 			break;
7625 		}
7626 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
7627 		nla_nest_end(skb, tmdata);
7628 
7629 		if (err == -ENOBUFS || err == -ENOENT) {
7630 			genlmsg_cancel(skb, hdr);
7631 			break;
7632 		} else if (err) {
7633 			genlmsg_cancel(skb, hdr);
7634 			goto out_err;
7635 		}
7636 
7637 		genlmsg_end(skb, hdr);
7638 	}
7639 
7640 	err = skb->len;
7641 	/* see above */
7642 	cb->args[0] = phy_idx + 1;
7643  out_err:
7644 	rtnl_unlock();
7645 	return err;
7646 }
7647 #endif
7648 
7649 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
7650 {
7651 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7652 	struct net_device *dev = info->user_ptr[1];
7653 	struct cfg80211_connect_params connect;
7654 	struct wiphy *wiphy;
7655 	struct cfg80211_cached_keys *connkeys = NULL;
7656 	int err;
7657 
7658 	memset(&connect, 0, sizeof(connect));
7659 
7660 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7661 		return -EINVAL;
7662 
7663 	if (!info->attrs[NL80211_ATTR_SSID] ||
7664 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
7665 		return -EINVAL;
7666 
7667 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
7668 		connect.auth_type =
7669 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
7670 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
7671 					     NL80211_CMD_CONNECT))
7672 			return -EINVAL;
7673 	} else
7674 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
7675 
7676 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
7677 
7678 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
7679 				      NL80211_MAX_NR_CIPHER_SUITES);
7680 	if (err)
7681 		return err;
7682 
7683 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7684 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7685 		return -EOPNOTSUPP;
7686 
7687 	wiphy = &rdev->wiphy;
7688 
7689 	connect.bg_scan_period = -1;
7690 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
7691 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
7692 		connect.bg_scan_period =
7693 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
7694 	}
7695 
7696 	if (info->attrs[NL80211_ATTR_MAC])
7697 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7698 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
7699 		connect.bssid_hint =
7700 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
7701 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
7702 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
7703 
7704 	if (info->attrs[NL80211_ATTR_IE]) {
7705 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7706 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7707 	}
7708 
7709 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
7710 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
7711 		if (connect.mfp != NL80211_MFP_REQUIRED &&
7712 		    connect.mfp != NL80211_MFP_NO)
7713 			return -EINVAL;
7714 	} else {
7715 		connect.mfp = NL80211_MFP_NO;
7716 	}
7717 
7718 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
7719 		connect.channel = nl80211_get_valid_chan(
7720 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ]);
7721 		if (!connect.channel)
7722 			return -EINVAL;
7723 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
7724 		connect.channel_hint = nl80211_get_valid_chan(
7725 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
7726 		if (!connect.channel_hint)
7727 			return -EINVAL;
7728 	}
7729 
7730 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
7731 		connkeys = nl80211_parse_connkeys(rdev,
7732 					  info->attrs[NL80211_ATTR_KEYS], NULL);
7733 		if (IS_ERR(connkeys))
7734 			return PTR_ERR(connkeys);
7735 	}
7736 
7737 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
7738 		connect.flags |= ASSOC_REQ_DISABLE_HT;
7739 
7740 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7741 		memcpy(&connect.ht_capa_mask,
7742 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
7743 		       sizeof(connect.ht_capa_mask));
7744 
7745 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
7746 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
7747 			kzfree(connkeys);
7748 			return -EINVAL;
7749 		}
7750 		memcpy(&connect.ht_capa,
7751 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
7752 		       sizeof(connect.ht_capa));
7753 	}
7754 
7755 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
7756 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
7757 
7758 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
7759 		memcpy(&connect.vht_capa_mask,
7760 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
7761 		       sizeof(connect.vht_capa_mask));
7762 
7763 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
7764 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
7765 			kzfree(connkeys);
7766 			return -EINVAL;
7767 		}
7768 		memcpy(&connect.vht_capa,
7769 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
7770 		       sizeof(connect.vht_capa));
7771 	}
7772 
7773 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
7774 		if (!(rdev->wiphy.features &
7775 		      NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) ||
7776 		    !(rdev->wiphy.features & NL80211_FEATURE_QUIET))
7777 			return -EINVAL;
7778 		connect.flags |= ASSOC_REQ_USE_RRM;
7779 	}
7780 
7781 	wdev_lock(dev->ieee80211_ptr);
7782 	err = cfg80211_connect(rdev, dev, &connect, connkeys, NULL);
7783 	wdev_unlock(dev->ieee80211_ptr);
7784 	if (err)
7785 		kzfree(connkeys);
7786 	return err;
7787 }
7788 
7789 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
7790 {
7791 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7792 	struct net_device *dev = info->user_ptr[1];
7793 	u16 reason;
7794 	int ret;
7795 
7796 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
7797 		reason = WLAN_REASON_DEAUTH_LEAVING;
7798 	else
7799 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7800 
7801 	if (reason == 0)
7802 		return -EINVAL;
7803 
7804 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7805 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7806 		return -EOPNOTSUPP;
7807 
7808 	wdev_lock(dev->ieee80211_ptr);
7809 	ret = cfg80211_disconnect(rdev, dev, reason, true);
7810 	wdev_unlock(dev->ieee80211_ptr);
7811 	return ret;
7812 }
7813 
7814 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
7815 {
7816 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7817 	struct net *net;
7818 	int err;
7819 
7820 	if (info->attrs[NL80211_ATTR_PID]) {
7821 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
7822 
7823 		net = get_net_ns_by_pid(pid);
7824 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
7825 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
7826 
7827 		net = get_net_ns_by_fd(fd);
7828 	} else {
7829 		return -EINVAL;
7830 	}
7831 
7832 	if (IS_ERR(net))
7833 		return PTR_ERR(net);
7834 
7835 	err = 0;
7836 
7837 	/* check if anything to do */
7838 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
7839 		err = cfg80211_switch_netns(rdev, net);
7840 
7841 	put_net(net);
7842 	return err;
7843 }
7844 
7845 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
7846 {
7847 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7848 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
7849 			struct cfg80211_pmksa *pmksa) = NULL;
7850 	struct net_device *dev = info->user_ptr[1];
7851 	struct cfg80211_pmksa pmksa;
7852 
7853 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
7854 
7855 	if (!info->attrs[NL80211_ATTR_MAC])
7856 		return -EINVAL;
7857 
7858 	if (!info->attrs[NL80211_ATTR_PMKID])
7859 		return -EINVAL;
7860 
7861 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
7862 	pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7863 
7864 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7865 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7866 		return -EOPNOTSUPP;
7867 
7868 	switch (info->genlhdr->cmd) {
7869 	case NL80211_CMD_SET_PMKSA:
7870 		rdev_ops = rdev->ops->set_pmksa;
7871 		break;
7872 	case NL80211_CMD_DEL_PMKSA:
7873 		rdev_ops = rdev->ops->del_pmksa;
7874 		break;
7875 	default:
7876 		WARN_ON(1);
7877 		break;
7878 	}
7879 
7880 	if (!rdev_ops)
7881 		return -EOPNOTSUPP;
7882 
7883 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
7884 }
7885 
7886 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
7887 {
7888 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7889 	struct net_device *dev = info->user_ptr[1];
7890 
7891 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7892 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7893 		return -EOPNOTSUPP;
7894 
7895 	if (!rdev->ops->flush_pmksa)
7896 		return -EOPNOTSUPP;
7897 
7898 	return rdev_flush_pmksa(rdev, dev);
7899 }
7900 
7901 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
7902 {
7903 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7904 	struct net_device *dev = info->user_ptr[1];
7905 	u8 action_code, dialog_token;
7906 	u32 peer_capability = 0;
7907 	u16 status_code;
7908 	u8 *peer;
7909 	bool initiator;
7910 
7911 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
7912 	    !rdev->ops->tdls_mgmt)
7913 		return -EOPNOTSUPP;
7914 
7915 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
7916 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
7917 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
7918 	    !info->attrs[NL80211_ATTR_IE] ||
7919 	    !info->attrs[NL80211_ATTR_MAC])
7920 		return -EINVAL;
7921 
7922 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
7923 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
7924 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
7925 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
7926 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
7927 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
7928 		peer_capability =
7929 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
7930 
7931 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
7932 			      dialog_token, status_code, peer_capability,
7933 			      initiator,
7934 			      nla_data(info->attrs[NL80211_ATTR_IE]),
7935 			      nla_len(info->attrs[NL80211_ATTR_IE]));
7936 }
7937 
7938 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
7939 {
7940 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7941 	struct net_device *dev = info->user_ptr[1];
7942 	enum nl80211_tdls_operation operation;
7943 	u8 *peer;
7944 
7945 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
7946 	    !rdev->ops->tdls_oper)
7947 		return -EOPNOTSUPP;
7948 
7949 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
7950 	    !info->attrs[NL80211_ATTR_MAC])
7951 		return -EINVAL;
7952 
7953 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
7954 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
7955 
7956 	return rdev_tdls_oper(rdev, dev, peer, operation);
7957 }
7958 
7959 static int nl80211_remain_on_channel(struct sk_buff *skb,
7960 				     struct genl_info *info)
7961 {
7962 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7963 	struct wireless_dev *wdev = info->user_ptr[1];
7964 	struct cfg80211_chan_def chandef;
7965 	struct sk_buff *msg;
7966 	void *hdr;
7967 	u64 cookie;
7968 	u32 duration;
7969 	int err;
7970 
7971 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
7972 	    !info->attrs[NL80211_ATTR_DURATION])
7973 		return -EINVAL;
7974 
7975 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
7976 
7977 	if (!rdev->ops->remain_on_channel ||
7978 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
7979 		return -EOPNOTSUPP;
7980 
7981 	/*
7982 	 * We should be on that channel for at least a minimum amount of
7983 	 * time (10ms) but no longer than the driver supports.
7984 	 */
7985 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
7986 	    duration > rdev->wiphy.max_remain_on_channel_duration)
7987 		return -EINVAL;
7988 
7989 	err = nl80211_parse_chandef(rdev, info, &chandef);
7990 	if (err)
7991 		return err;
7992 
7993 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7994 	if (!msg)
7995 		return -ENOMEM;
7996 
7997 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7998 			     NL80211_CMD_REMAIN_ON_CHANNEL);
7999 	if (!hdr) {
8000 		err = -ENOBUFS;
8001 		goto free_msg;
8002 	}
8003 
8004 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
8005 				     duration, &cookie);
8006 
8007 	if (err)
8008 		goto free_msg;
8009 
8010 	if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
8011 		goto nla_put_failure;
8012 
8013 	genlmsg_end(msg, hdr);
8014 
8015 	return genlmsg_reply(msg, info);
8016 
8017  nla_put_failure:
8018 	err = -ENOBUFS;
8019  free_msg:
8020 	nlmsg_free(msg);
8021 	return err;
8022 }
8023 
8024 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
8025 					    struct genl_info *info)
8026 {
8027 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8028 	struct wireless_dev *wdev = info->user_ptr[1];
8029 	u64 cookie;
8030 
8031 	if (!info->attrs[NL80211_ATTR_COOKIE])
8032 		return -EINVAL;
8033 
8034 	if (!rdev->ops->cancel_remain_on_channel)
8035 		return -EOPNOTSUPP;
8036 
8037 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
8038 
8039 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
8040 }
8041 
8042 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
8043 			   u8 *rates, u8 rates_len)
8044 {
8045 	u8 i;
8046 	u32 mask = 0;
8047 
8048 	for (i = 0; i < rates_len; i++) {
8049 		int rate = (rates[i] & 0x7f) * 5;
8050 		int ridx;
8051 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
8052 			struct ieee80211_rate *srate =
8053 				&sband->bitrates[ridx];
8054 			if (rate == srate->bitrate) {
8055 				mask |= 1 << ridx;
8056 				break;
8057 			}
8058 		}
8059 		if (ridx == sband->n_bitrates)
8060 			return 0; /* rate not found */
8061 	}
8062 
8063 	return mask;
8064 }
8065 
8066 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
8067 			       u8 *rates, u8 rates_len,
8068 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
8069 {
8070 	u8 i;
8071 
8072 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
8073 
8074 	for (i = 0; i < rates_len; i++) {
8075 		int ridx, rbit;
8076 
8077 		ridx = rates[i] / 8;
8078 		rbit = BIT(rates[i] % 8);
8079 
8080 		/* check validity */
8081 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
8082 			return false;
8083 
8084 		/* check availability */
8085 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
8086 			mcs[ridx] |= rbit;
8087 		else
8088 			return false;
8089 	}
8090 
8091 	return true;
8092 }
8093 
8094 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
8095 {
8096 	u16 mcs_mask = 0;
8097 
8098 	switch (vht_mcs_map) {
8099 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
8100 		break;
8101 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
8102 		mcs_mask = 0x00FF;
8103 		break;
8104 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
8105 		mcs_mask = 0x01FF;
8106 		break;
8107 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
8108 		mcs_mask = 0x03FF;
8109 		break;
8110 	default:
8111 		break;
8112 	}
8113 
8114 	return mcs_mask;
8115 }
8116 
8117 static void vht_build_mcs_mask(u16 vht_mcs_map,
8118 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
8119 {
8120 	u8 nss;
8121 
8122 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
8123 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
8124 		vht_mcs_map >>= 2;
8125 	}
8126 }
8127 
8128 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
8129 			     struct nl80211_txrate_vht *txrate,
8130 			     u16 mcs[NL80211_VHT_NSS_MAX])
8131 {
8132 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
8133 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
8134 	u8 i;
8135 
8136 	if (!sband->vht_cap.vht_supported)
8137 		return false;
8138 
8139 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
8140 
8141 	/* Build vht_mcs_mask from VHT capabilities */
8142 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
8143 
8144 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
8145 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
8146 			mcs[i] = txrate->mcs[i];
8147 		else
8148 			return false;
8149 	}
8150 
8151 	return true;
8152 }
8153 
8154 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
8155 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
8156 				    .len = NL80211_MAX_SUPP_RATES },
8157 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
8158 				.len = NL80211_MAX_SUPP_HT_RATES },
8159 	[NL80211_TXRATE_VHT] = { .len = sizeof(struct nl80211_txrate_vht)},
8160 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
8161 };
8162 
8163 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
8164 				       struct genl_info *info)
8165 {
8166 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
8167 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8168 	struct cfg80211_bitrate_mask mask;
8169 	int rem, i;
8170 	struct net_device *dev = info->user_ptr[1];
8171 	struct nlattr *tx_rates;
8172 	struct ieee80211_supported_band *sband;
8173 	u16 vht_tx_mcs_map;
8174 
8175 	if (!rdev->ops->set_bitrate_mask)
8176 		return -EOPNOTSUPP;
8177 
8178 	memset(&mask, 0, sizeof(mask));
8179 	/* Default to all rates enabled */
8180 	for (i = 0; i < IEEE80211_NUM_BANDS; i++) {
8181 		sband = rdev->wiphy.bands[i];
8182 
8183 		if (!sband)
8184 			continue;
8185 
8186 		mask.control[i].legacy = (1 << sband->n_bitrates) - 1;
8187 		memcpy(mask.control[i].ht_mcs,
8188 		       sband->ht_cap.mcs.rx_mask,
8189 		       sizeof(mask.control[i].ht_mcs));
8190 
8191 		if (!sband->vht_cap.vht_supported)
8192 			continue;
8193 
8194 		vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
8195 		vht_build_mcs_mask(vht_tx_mcs_map, mask.control[i].vht_mcs);
8196 	}
8197 
8198 	/* if no rates are given set it back to the defaults */
8199 	if (!info->attrs[NL80211_ATTR_TX_RATES])
8200 		goto out;
8201 
8202 	/*
8203 	 * The nested attribute uses enum nl80211_band as the index. This maps
8204 	 * directly to the enum ieee80211_band values used in cfg80211.
8205 	 */
8206 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
8207 	nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
8208 		enum ieee80211_band band = nla_type(tx_rates);
8209 		int err;
8210 
8211 		if (band < 0 || band >= IEEE80211_NUM_BANDS)
8212 			return -EINVAL;
8213 		sband = rdev->wiphy.bands[band];
8214 		if (sband == NULL)
8215 			return -EINVAL;
8216 		err = nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates),
8217 				nla_len(tx_rates), nl80211_txattr_policy);
8218 		if (err)
8219 			return err;
8220 		if (tb[NL80211_TXRATE_LEGACY]) {
8221 			mask.control[band].legacy = rateset_to_mask(
8222 				sband,
8223 				nla_data(tb[NL80211_TXRATE_LEGACY]),
8224 				nla_len(tb[NL80211_TXRATE_LEGACY]));
8225 			if ((mask.control[band].legacy == 0) &&
8226 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
8227 				return -EINVAL;
8228 		}
8229 		if (tb[NL80211_TXRATE_HT]) {
8230 			if (!ht_rateset_to_mask(
8231 					sband,
8232 					nla_data(tb[NL80211_TXRATE_HT]),
8233 					nla_len(tb[NL80211_TXRATE_HT]),
8234 					mask.control[band].ht_mcs))
8235 				return -EINVAL;
8236 		}
8237 		if (tb[NL80211_TXRATE_VHT]) {
8238 			if (!vht_set_mcs_mask(
8239 					sband,
8240 					nla_data(tb[NL80211_TXRATE_VHT]),
8241 					mask.control[band].vht_mcs))
8242 				return -EINVAL;
8243 		}
8244 		if (tb[NL80211_TXRATE_GI]) {
8245 			mask.control[band].gi =
8246 				nla_get_u8(tb[NL80211_TXRATE_GI]);
8247 			if (mask.control[band].gi > NL80211_TXRATE_FORCE_LGI)
8248 				return -EINVAL;
8249 		}
8250 
8251 		if (mask.control[band].legacy == 0) {
8252 			/* don't allow empty legacy rates if HT or VHT
8253 			 * are not even supported.
8254 			 */
8255 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
8256 			      rdev->wiphy.bands[band]->vht_cap.vht_supported))
8257 				return -EINVAL;
8258 
8259 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
8260 				if (mask.control[band].ht_mcs[i])
8261 					goto out;
8262 
8263 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
8264 				if (mask.control[band].vht_mcs[i])
8265 					goto out;
8266 
8267 			/* legacy and mcs rates may not be both empty */
8268 			return -EINVAL;
8269 		}
8270 	}
8271 
8272 out:
8273 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
8274 }
8275 
8276 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
8277 {
8278 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8279 	struct wireless_dev *wdev = info->user_ptr[1];
8280 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
8281 
8282 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
8283 		return -EINVAL;
8284 
8285 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
8286 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
8287 
8288 	switch (wdev->iftype) {
8289 	case NL80211_IFTYPE_STATION:
8290 	case NL80211_IFTYPE_ADHOC:
8291 	case NL80211_IFTYPE_P2P_CLIENT:
8292 	case NL80211_IFTYPE_AP:
8293 	case NL80211_IFTYPE_AP_VLAN:
8294 	case NL80211_IFTYPE_MESH_POINT:
8295 	case NL80211_IFTYPE_P2P_GO:
8296 	case NL80211_IFTYPE_P2P_DEVICE:
8297 		break;
8298 	default:
8299 		return -EOPNOTSUPP;
8300 	}
8301 
8302 	/* not much point in registering if we can't reply */
8303 	if (!rdev->ops->mgmt_tx)
8304 		return -EOPNOTSUPP;
8305 
8306 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
8307 			nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
8308 			nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]));
8309 }
8310 
8311 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
8312 {
8313 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8314 	struct wireless_dev *wdev = info->user_ptr[1];
8315 	struct cfg80211_chan_def chandef;
8316 	int err;
8317 	void *hdr = NULL;
8318 	u64 cookie;
8319 	struct sk_buff *msg = NULL;
8320 	struct cfg80211_mgmt_tx_params params = {
8321 		.dont_wait_for_ack =
8322 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
8323 	};
8324 
8325 	if (!info->attrs[NL80211_ATTR_FRAME])
8326 		return -EINVAL;
8327 
8328 	if (!rdev->ops->mgmt_tx)
8329 		return -EOPNOTSUPP;
8330 
8331 	switch (wdev->iftype) {
8332 	case NL80211_IFTYPE_P2P_DEVICE:
8333 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
8334 			return -EINVAL;
8335 	case NL80211_IFTYPE_STATION:
8336 	case NL80211_IFTYPE_ADHOC:
8337 	case NL80211_IFTYPE_P2P_CLIENT:
8338 	case NL80211_IFTYPE_AP:
8339 	case NL80211_IFTYPE_AP_VLAN:
8340 	case NL80211_IFTYPE_MESH_POINT:
8341 	case NL80211_IFTYPE_P2P_GO:
8342 		break;
8343 	default:
8344 		return -EOPNOTSUPP;
8345 	}
8346 
8347 	if (info->attrs[NL80211_ATTR_DURATION]) {
8348 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
8349 			return -EINVAL;
8350 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
8351 
8352 		/*
8353 		 * We should wait on the channel for at least a minimum amount
8354 		 * of time (10ms) but no longer than the driver supports.
8355 		 */
8356 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
8357 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
8358 			return -EINVAL;
8359 
8360 	}
8361 
8362 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
8363 
8364 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
8365 		return -EINVAL;
8366 
8367 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
8368 
8369 	/* get the channel if any has been specified, otherwise pass NULL to
8370 	 * the driver. The latter will use the current one
8371 	 */
8372 	chandef.chan = NULL;
8373 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
8374 		err = nl80211_parse_chandef(rdev, info, &chandef);
8375 		if (err)
8376 			return err;
8377 	}
8378 
8379 	if (!chandef.chan && params.offchan)
8380 		return -EINVAL;
8381 
8382 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
8383 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
8384 
8385 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
8386 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
8387 		int i;
8388 
8389 		if (len % sizeof(u16))
8390 			return -EINVAL;
8391 
8392 		params.n_csa_offsets = len / sizeof(u16);
8393 		params.csa_offsets =
8394 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
8395 
8396 		/* check that all the offsets fit the frame */
8397 		for (i = 0; i < params.n_csa_offsets; i++) {
8398 			if (params.csa_offsets[i] >= params.len)
8399 				return -EINVAL;
8400 		}
8401 	}
8402 
8403 	if (!params.dont_wait_for_ack) {
8404 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8405 		if (!msg)
8406 			return -ENOMEM;
8407 
8408 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8409 				     NL80211_CMD_FRAME);
8410 		if (!hdr) {
8411 			err = -ENOBUFS;
8412 			goto free_msg;
8413 		}
8414 	}
8415 
8416 	params.chan = chandef.chan;
8417 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
8418 	if (err)
8419 		goto free_msg;
8420 
8421 	if (msg) {
8422 		if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
8423 			goto nla_put_failure;
8424 
8425 		genlmsg_end(msg, hdr);
8426 		return genlmsg_reply(msg, info);
8427 	}
8428 
8429 	return 0;
8430 
8431  nla_put_failure:
8432 	err = -ENOBUFS;
8433  free_msg:
8434 	nlmsg_free(msg);
8435 	return err;
8436 }
8437 
8438 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
8439 {
8440 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8441 	struct wireless_dev *wdev = info->user_ptr[1];
8442 	u64 cookie;
8443 
8444 	if (!info->attrs[NL80211_ATTR_COOKIE])
8445 		return -EINVAL;
8446 
8447 	if (!rdev->ops->mgmt_tx_cancel_wait)
8448 		return -EOPNOTSUPP;
8449 
8450 	switch (wdev->iftype) {
8451 	case NL80211_IFTYPE_STATION:
8452 	case NL80211_IFTYPE_ADHOC:
8453 	case NL80211_IFTYPE_P2P_CLIENT:
8454 	case NL80211_IFTYPE_AP:
8455 	case NL80211_IFTYPE_AP_VLAN:
8456 	case NL80211_IFTYPE_P2P_GO:
8457 	case NL80211_IFTYPE_P2P_DEVICE:
8458 		break;
8459 	default:
8460 		return -EOPNOTSUPP;
8461 	}
8462 
8463 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
8464 
8465 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
8466 }
8467 
8468 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
8469 {
8470 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8471 	struct wireless_dev *wdev;
8472 	struct net_device *dev = info->user_ptr[1];
8473 	u8 ps_state;
8474 	bool state;
8475 	int err;
8476 
8477 	if (!info->attrs[NL80211_ATTR_PS_STATE])
8478 		return -EINVAL;
8479 
8480 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
8481 
8482 	if (ps_state != NL80211_PS_DISABLED && ps_state != NL80211_PS_ENABLED)
8483 		return -EINVAL;
8484 
8485 	wdev = dev->ieee80211_ptr;
8486 
8487 	if (!rdev->ops->set_power_mgmt)
8488 		return -EOPNOTSUPP;
8489 
8490 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
8491 
8492 	if (state == wdev->ps)
8493 		return 0;
8494 
8495 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
8496 	if (!err)
8497 		wdev->ps = state;
8498 	return err;
8499 }
8500 
8501 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
8502 {
8503 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8504 	enum nl80211_ps_state ps_state;
8505 	struct wireless_dev *wdev;
8506 	struct net_device *dev = info->user_ptr[1];
8507 	struct sk_buff *msg;
8508 	void *hdr;
8509 	int err;
8510 
8511 	wdev = dev->ieee80211_ptr;
8512 
8513 	if (!rdev->ops->set_power_mgmt)
8514 		return -EOPNOTSUPP;
8515 
8516 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8517 	if (!msg)
8518 		return -ENOMEM;
8519 
8520 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8521 			     NL80211_CMD_GET_POWER_SAVE);
8522 	if (!hdr) {
8523 		err = -ENOBUFS;
8524 		goto free_msg;
8525 	}
8526 
8527 	if (wdev->ps)
8528 		ps_state = NL80211_PS_ENABLED;
8529 	else
8530 		ps_state = NL80211_PS_DISABLED;
8531 
8532 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
8533 		goto nla_put_failure;
8534 
8535 	genlmsg_end(msg, hdr);
8536 	return genlmsg_reply(msg, info);
8537 
8538  nla_put_failure:
8539 	err = -ENOBUFS;
8540  free_msg:
8541 	nlmsg_free(msg);
8542 	return err;
8543 }
8544 
8545 static const struct nla_policy
8546 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
8547 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_U32 },
8548 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
8549 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
8550 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
8551 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
8552 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
8553 };
8554 
8555 static int nl80211_set_cqm_txe(struct genl_info *info,
8556 			       u32 rate, u32 pkts, u32 intvl)
8557 {
8558 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8559 	struct net_device *dev = info->user_ptr[1];
8560 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8561 
8562 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
8563 		return -EINVAL;
8564 
8565 	if (!rdev->ops->set_cqm_txe_config)
8566 		return -EOPNOTSUPP;
8567 
8568 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
8569 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
8570 		return -EOPNOTSUPP;
8571 
8572 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
8573 }
8574 
8575 static int nl80211_set_cqm_rssi(struct genl_info *info,
8576 				s32 threshold, u32 hysteresis)
8577 {
8578 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8579 	struct net_device *dev = info->user_ptr[1];
8580 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8581 
8582 	if (threshold > 0)
8583 		return -EINVAL;
8584 
8585 	/* disabling - hysteresis should also be zero then */
8586 	if (threshold == 0)
8587 		hysteresis = 0;
8588 
8589 	if (!rdev->ops->set_cqm_rssi_config)
8590 		return -EOPNOTSUPP;
8591 
8592 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
8593 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
8594 		return -EOPNOTSUPP;
8595 
8596 	return rdev_set_cqm_rssi_config(rdev, dev, threshold, hysteresis);
8597 }
8598 
8599 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
8600 {
8601 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
8602 	struct nlattr *cqm;
8603 	int err;
8604 
8605 	cqm = info->attrs[NL80211_ATTR_CQM];
8606 	if (!cqm)
8607 		return -EINVAL;
8608 
8609 	err = nla_parse_nested(attrs, NL80211_ATTR_CQM_MAX, cqm,
8610 			       nl80211_attr_cqm_policy);
8611 	if (err)
8612 		return err;
8613 
8614 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
8615 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
8616 		s32 threshold = nla_get_s32(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
8617 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
8618 
8619 		return nl80211_set_cqm_rssi(info, threshold, hysteresis);
8620 	}
8621 
8622 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
8623 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
8624 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
8625 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
8626 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
8627 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
8628 
8629 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
8630 	}
8631 
8632 	return -EINVAL;
8633 }
8634 
8635 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
8636 {
8637 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8638 	struct net_device *dev = info->user_ptr[1];
8639 	struct ocb_setup setup = {};
8640 	int err;
8641 
8642 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
8643 	if (err)
8644 		return err;
8645 
8646 	return cfg80211_join_ocb(rdev, dev, &setup);
8647 }
8648 
8649 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
8650 {
8651 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8652 	struct net_device *dev = info->user_ptr[1];
8653 
8654 	return cfg80211_leave_ocb(rdev, dev);
8655 }
8656 
8657 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
8658 {
8659 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8660 	struct net_device *dev = info->user_ptr[1];
8661 	struct mesh_config cfg;
8662 	struct mesh_setup setup;
8663 	int err;
8664 
8665 	/* start with default */
8666 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
8667 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
8668 
8669 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
8670 		/* and parse parameters if given */
8671 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
8672 		if (err)
8673 			return err;
8674 	}
8675 
8676 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
8677 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
8678 		return -EINVAL;
8679 
8680 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
8681 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
8682 
8683 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
8684 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
8685 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
8686 			return -EINVAL;
8687 
8688 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
8689 		setup.beacon_interval =
8690 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
8691 		if (setup.beacon_interval < 10 ||
8692 		    setup.beacon_interval > 10000)
8693 			return -EINVAL;
8694 	}
8695 
8696 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
8697 		setup.dtim_period =
8698 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
8699 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
8700 			return -EINVAL;
8701 	}
8702 
8703 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
8704 		/* parse additional setup parameters if given */
8705 		err = nl80211_parse_mesh_setup(info, &setup);
8706 		if (err)
8707 			return err;
8708 	}
8709 
8710 	if (setup.user_mpm)
8711 		cfg.auto_open_plinks = false;
8712 
8713 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
8714 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
8715 		if (err)
8716 			return err;
8717 	} else {
8718 		/* cfg80211_join_mesh() will sort it out */
8719 		setup.chandef.chan = NULL;
8720 	}
8721 
8722 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
8723 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8724 		int n_rates =
8725 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8726 		struct ieee80211_supported_band *sband;
8727 
8728 		if (!setup.chandef.chan)
8729 			return -EINVAL;
8730 
8731 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
8732 
8733 		err = ieee80211_get_ratemask(sband, rates, n_rates,
8734 					     &setup.basic_rates);
8735 		if (err)
8736 			return err;
8737 	}
8738 
8739 	return cfg80211_join_mesh(rdev, dev, &setup, &cfg);
8740 }
8741 
8742 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
8743 {
8744 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8745 	struct net_device *dev = info->user_ptr[1];
8746 
8747 	return cfg80211_leave_mesh(rdev, dev);
8748 }
8749 
8750 #ifdef CONFIG_PM
8751 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
8752 					struct cfg80211_registered_device *rdev)
8753 {
8754 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
8755 	struct nlattr *nl_pats, *nl_pat;
8756 	int i, pat_len;
8757 
8758 	if (!wowlan->n_patterns)
8759 		return 0;
8760 
8761 	nl_pats = nla_nest_start(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
8762 	if (!nl_pats)
8763 		return -ENOBUFS;
8764 
8765 	for (i = 0; i < wowlan->n_patterns; i++) {
8766 		nl_pat = nla_nest_start(msg, i + 1);
8767 		if (!nl_pat)
8768 			return -ENOBUFS;
8769 		pat_len = wowlan->patterns[i].pattern_len;
8770 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
8771 			    wowlan->patterns[i].mask) ||
8772 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
8773 			    wowlan->patterns[i].pattern) ||
8774 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
8775 				wowlan->patterns[i].pkt_offset))
8776 			return -ENOBUFS;
8777 		nla_nest_end(msg, nl_pat);
8778 	}
8779 	nla_nest_end(msg, nl_pats);
8780 
8781 	return 0;
8782 }
8783 
8784 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
8785 				   struct cfg80211_wowlan_tcp *tcp)
8786 {
8787 	struct nlattr *nl_tcp;
8788 
8789 	if (!tcp)
8790 		return 0;
8791 
8792 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
8793 	if (!nl_tcp)
8794 		return -ENOBUFS;
8795 
8796 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
8797 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
8798 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
8799 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
8800 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
8801 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
8802 		    tcp->payload_len, tcp->payload) ||
8803 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
8804 			tcp->data_interval) ||
8805 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
8806 		    tcp->wake_len, tcp->wake_data) ||
8807 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
8808 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
8809 		return -ENOBUFS;
8810 
8811 	if (tcp->payload_seq.len &&
8812 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
8813 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
8814 		return -ENOBUFS;
8815 
8816 	if (tcp->payload_tok.len &&
8817 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
8818 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
8819 		    &tcp->payload_tok))
8820 		return -ENOBUFS;
8821 
8822 	nla_nest_end(msg, nl_tcp);
8823 
8824 	return 0;
8825 }
8826 
8827 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
8828 				  struct cfg80211_sched_scan_request *req)
8829 {
8830 	struct nlattr *nd, *freqs, *matches, *match;
8831 	int i;
8832 
8833 	if (!req)
8834 		return 0;
8835 
8836 	nd = nla_nest_start(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
8837 	if (!nd)
8838 		return -ENOBUFS;
8839 
8840 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL, req->interval))
8841 		return -ENOBUFS;
8842 
8843 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
8844 		return -ENOBUFS;
8845 
8846 	freqs = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
8847 	if (!freqs)
8848 		return -ENOBUFS;
8849 
8850 	for (i = 0; i < req->n_channels; i++)
8851 		nla_put_u32(msg, i, req->channels[i]->center_freq);
8852 
8853 	nla_nest_end(msg, freqs);
8854 
8855 	if (req->n_match_sets) {
8856 		matches = nla_nest_start(msg, NL80211_ATTR_SCHED_SCAN_MATCH);
8857 		for (i = 0; i < req->n_match_sets; i++) {
8858 			match = nla_nest_start(msg, i);
8859 			nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
8860 				req->match_sets[i].ssid.ssid_len,
8861 				req->match_sets[i].ssid.ssid);
8862 			nla_nest_end(msg, match);
8863 		}
8864 		nla_nest_end(msg, matches);
8865 	}
8866 
8867 	nla_nest_end(msg, nd);
8868 
8869 	return 0;
8870 }
8871 
8872 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
8873 {
8874 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8875 	struct sk_buff *msg;
8876 	void *hdr;
8877 	u32 size = NLMSG_DEFAULT_SIZE;
8878 
8879 	if (!rdev->wiphy.wowlan)
8880 		return -EOPNOTSUPP;
8881 
8882 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
8883 		/* adjust size to have room for all the data */
8884 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
8885 			rdev->wiphy.wowlan_config->tcp->payload_len +
8886 			rdev->wiphy.wowlan_config->tcp->wake_len +
8887 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
8888 	}
8889 
8890 	msg = nlmsg_new(size, GFP_KERNEL);
8891 	if (!msg)
8892 		return -ENOMEM;
8893 
8894 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8895 			     NL80211_CMD_GET_WOWLAN);
8896 	if (!hdr)
8897 		goto nla_put_failure;
8898 
8899 	if (rdev->wiphy.wowlan_config) {
8900 		struct nlattr *nl_wowlan;
8901 
8902 		nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
8903 		if (!nl_wowlan)
8904 			goto nla_put_failure;
8905 
8906 		if ((rdev->wiphy.wowlan_config->any &&
8907 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
8908 		    (rdev->wiphy.wowlan_config->disconnect &&
8909 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
8910 		    (rdev->wiphy.wowlan_config->magic_pkt &&
8911 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
8912 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
8913 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
8914 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
8915 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
8916 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
8917 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
8918 		    (rdev->wiphy.wowlan_config->rfkill_release &&
8919 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
8920 			goto nla_put_failure;
8921 
8922 		if (nl80211_send_wowlan_patterns(msg, rdev))
8923 			goto nla_put_failure;
8924 
8925 		if (nl80211_send_wowlan_tcp(msg,
8926 					    rdev->wiphy.wowlan_config->tcp))
8927 			goto nla_put_failure;
8928 
8929 		if (nl80211_send_wowlan_nd(
8930 			    msg,
8931 			    rdev->wiphy.wowlan_config->nd_config))
8932 			goto nla_put_failure;
8933 
8934 		nla_nest_end(msg, nl_wowlan);
8935 	}
8936 
8937 	genlmsg_end(msg, hdr);
8938 	return genlmsg_reply(msg, info);
8939 
8940 nla_put_failure:
8941 	nlmsg_free(msg);
8942 	return -ENOBUFS;
8943 }
8944 
8945 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
8946 				    struct nlattr *attr,
8947 				    struct cfg80211_wowlan *trig)
8948 {
8949 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
8950 	struct cfg80211_wowlan_tcp *cfg;
8951 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
8952 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
8953 	u32 size;
8954 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
8955 	int err, port;
8956 
8957 	if (!rdev->wiphy.wowlan->tcp)
8958 		return -EINVAL;
8959 
8960 	err = nla_parse(tb, MAX_NL80211_WOWLAN_TCP,
8961 			nla_data(attr), nla_len(attr),
8962 			nl80211_wowlan_tcp_policy);
8963 	if (err)
8964 		return err;
8965 
8966 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
8967 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
8968 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
8969 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
8970 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
8971 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
8972 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
8973 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
8974 		return -EINVAL;
8975 
8976 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
8977 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
8978 		return -EINVAL;
8979 
8980 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
8981 			rdev->wiphy.wowlan->tcp->data_interval_max ||
8982 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
8983 		return -EINVAL;
8984 
8985 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
8986 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
8987 		return -EINVAL;
8988 
8989 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
8990 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
8991 		return -EINVAL;
8992 
8993 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
8994 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
8995 
8996 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
8997 		tokens_size = tokln - sizeof(*tok);
8998 
8999 		if (!tok->len || tokens_size % tok->len)
9000 			return -EINVAL;
9001 		if (!rdev->wiphy.wowlan->tcp->tok)
9002 			return -EINVAL;
9003 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
9004 			return -EINVAL;
9005 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
9006 			return -EINVAL;
9007 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
9008 			return -EINVAL;
9009 		if (tok->offset + tok->len > data_size)
9010 			return -EINVAL;
9011 	}
9012 
9013 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
9014 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
9015 		if (!rdev->wiphy.wowlan->tcp->seq)
9016 			return -EINVAL;
9017 		if (seq->len == 0 || seq->len > 4)
9018 			return -EINVAL;
9019 		if (seq->len + seq->offset > data_size)
9020 			return -EINVAL;
9021 	}
9022 
9023 	size = sizeof(*cfg);
9024 	size += data_size;
9025 	size += wake_size + wake_mask_size;
9026 	size += tokens_size;
9027 
9028 	cfg = kzalloc(size, GFP_KERNEL);
9029 	if (!cfg)
9030 		return -ENOMEM;
9031 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
9032 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
9033 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
9034 	       ETH_ALEN);
9035 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
9036 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
9037 	else
9038 		port = 0;
9039 #ifdef CONFIG_INET
9040 	/* allocate a socket and port for it and use it */
9041 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
9042 			    IPPROTO_TCP, &cfg->sock, 1);
9043 	if (err) {
9044 		kfree(cfg);
9045 		return err;
9046 	}
9047 	if (inet_csk_get_port(cfg->sock->sk, port)) {
9048 		sock_release(cfg->sock);
9049 		kfree(cfg);
9050 		return -EADDRINUSE;
9051 	}
9052 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
9053 #else
9054 	if (!port) {
9055 		kfree(cfg);
9056 		return -EINVAL;
9057 	}
9058 	cfg->src_port = port;
9059 #endif
9060 
9061 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
9062 	cfg->payload_len = data_size;
9063 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
9064 	memcpy((void *)cfg->payload,
9065 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
9066 	       data_size);
9067 	if (seq)
9068 		cfg->payload_seq = *seq;
9069 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
9070 	cfg->wake_len = wake_size;
9071 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
9072 	memcpy((void *)cfg->wake_data,
9073 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
9074 	       wake_size);
9075 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
9076 			 data_size + wake_size;
9077 	memcpy((void *)cfg->wake_mask,
9078 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
9079 	       wake_mask_size);
9080 	if (tok) {
9081 		cfg->tokens_size = tokens_size;
9082 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
9083 	}
9084 
9085 	trig->tcp = cfg;
9086 
9087 	return 0;
9088 }
9089 
9090 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
9091 				   const struct wiphy_wowlan_support *wowlan,
9092 				   struct nlattr *attr,
9093 				   struct cfg80211_wowlan *trig)
9094 {
9095 	struct nlattr **tb;
9096 	int err;
9097 
9098 	tb = kzalloc(NUM_NL80211_ATTR * sizeof(*tb), GFP_KERNEL);
9099 	if (!tb)
9100 		return -ENOMEM;
9101 
9102 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
9103 		err = -EOPNOTSUPP;
9104 		goto out;
9105 	}
9106 
9107 	err = nla_parse(tb, NL80211_ATTR_MAX,
9108 			nla_data(attr), nla_len(attr),
9109 			nl80211_policy);
9110 	if (err)
9111 		goto out;
9112 
9113 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb);
9114 	err = PTR_ERR_OR_ZERO(trig->nd_config);
9115 	if (err)
9116 		trig->nd_config = NULL;
9117 
9118 out:
9119 	kfree(tb);
9120 	return err;
9121 }
9122 
9123 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
9124 {
9125 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9126 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
9127 	struct cfg80211_wowlan new_triggers = {};
9128 	struct cfg80211_wowlan *ntrig;
9129 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
9130 	int err, i;
9131 	bool prev_enabled = rdev->wiphy.wowlan_config;
9132 	bool regular = false;
9133 
9134 	if (!wowlan)
9135 		return -EOPNOTSUPP;
9136 
9137 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
9138 		cfg80211_rdev_free_wowlan(rdev);
9139 		rdev->wiphy.wowlan_config = NULL;
9140 		goto set_wakeup;
9141 	}
9142 
9143 	err = nla_parse(tb, MAX_NL80211_WOWLAN_TRIG,
9144 			nla_data(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
9145 			nla_len(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
9146 			nl80211_wowlan_policy);
9147 	if (err)
9148 		return err;
9149 
9150 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
9151 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
9152 			return -EINVAL;
9153 		new_triggers.any = true;
9154 	}
9155 
9156 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
9157 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
9158 			return -EINVAL;
9159 		new_triggers.disconnect = true;
9160 		regular = true;
9161 	}
9162 
9163 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
9164 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
9165 			return -EINVAL;
9166 		new_triggers.magic_pkt = true;
9167 		regular = true;
9168 	}
9169 
9170 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
9171 		return -EINVAL;
9172 
9173 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
9174 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
9175 			return -EINVAL;
9176 		new_triggers.gtk_rekey_failure = true;
9177 		regular = true;
9178 	}
9179 
9180 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
9181 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
9182 			return -EINVAL;
9183 		new_triggers.eap_identity_req = true;
9184 		regular = true;
9185 	}
9186 
9187 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
9188 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
9189 			return -EINVAL;
9190 		new_triggers.four_way_handshake = true;
9191 		regular = true;
9192 	}
9193 
9194 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
9195 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
9196 			return -EINVAL;
9197 		new_triggers.rfkill_release = true;
9198 		regular = true;
9199 	}
9200 
9201 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
9202 		struct nlattr *pat;
9203 		int n_patterns = 0;
9204 		int rem, pat_len, mask_len, pkt_offset;
9205 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
9206 
9207 		regular = true;
9208 
9209 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
9210 				    rem)
9211 			n_patterns++;
9212 		if (n_patterns > wowlan->n_patterns)
9213 			return -EINVAL;
9214 
9215 		new_triggers.patterns = kcalloc(n_patterns,
9216 						sizeof(new_triggers.patterns[0]),
9217 						GFP_KERNEL);
9218 		if (!new_triggers.patterns)
9219 			return -ENOMEM;
9220 
9221 		new_triggers.n_patterns = n_patterns;
9222 		i = 0;
9223 
9224 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
9225 				    rem) {
9226 			u8 *mask_pat;
9227 
9228 			nla_parse(pat_tb, MAX_NL80211_PKTPAT, nla_data(pat),
9229 				  nla_len(pat), NULL);
9230 			err = -EINVAL;
9231 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
9232 			    !pat_tb[NL80211_PKTPAT_PATTERN])
9233 				goto error;
9234 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
9235 			mask_len = DIV_ROUND_UP(pat_len, 8);
9236 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
9237 				goto error;
9238 			if (pat_len > wowlan->pattern_max_len ||
9239 			    pat_len < wowlan->pattern_min_len)
9240 				goto error;
9241 
9242 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
9243 				pkt_offset = 0;
9244 			else
9245 				pkt_offset = nla_get_u32(
9246 					pat_tb[NL80211_PKTPAT_OFFSET]);
9247 			if (pkt_offset > wowlan->max_pkt_offset)
9248 				goto error;
9249 			new_triggers.patterns[i].pkt_offset = pkt_offset;
9250 
9251 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
9252 			if (!mask_pat) {
9253 				err = -ENOMEM;
9254 				goto error;
9255 			}
9256 			new_triggers.patterns[i].mask = mask_pat;
9257 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
9258 			       mask_len);
9259 			mask_pat += mask_len;
9260 			new_triggers.patterns[i].pattern = mask_pat;
9261 			new_triggers.patterns[i].pattern_len = pat_len;
9262 			memcpy(mask_pat,
9263 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
9264 			       pat_len);
9265 			i++;
9266 		}
9267 	}
9268 
9269 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
9270 		regular = true;
9271 		err = nl80211_parse_wowlan_tcp(
9272 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
9273 			&new_triggers);
9274 		if (err)
9275 			goto error;
9276 	}
9277 
9278 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
9279 		regular = true;
9280 		err = nl80211_parse_wowlan_nd(
9281 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
9282 			&new_triggers);
9283 		if (err)
9284 			goto error;
9285 	}
9286 
9287 	/* The 'any' trigger means the device continues operating more or less
9288 	 * as in its normal operation mode and wakes up the host on most of the
9289 	 * normal interrupts (like packet RX, ...)
9290 	 * It therefore makes little sense to combine with the more constrained
9291 	 * wakeup trigger modes.
9292 	 */
9293 	if (new_triggers.any && regular) {
9294 		err = -EINVAL;
9295 		goto error;
9296 	}
9297 
9298 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
9299 	if (!ntrig) {
9300 		err = -ENOMEM;
9301 		goto error;
9302 	}
9303 	cfg80211_rdev_free_wowlan(rdev);
9304 	rdev->wiphy.wowlan_config = ntrig;
9305 
9306  set_wakeup:
9307 	if (rdev->ops->set_wakeup &&
9308 	    prev_enabled != !!rdev->wiphy.wowlan_config)
9309 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
9310 
9311 	return 0;
9312  error:
9313 	for (i = 0; i < new_triggers.n_patterns; i++)
9314 		kfree(new_triggers.patterns[i].mask);
9315 	kfree(new_triggers.patterns);
9316 	if (new_triggers.tcp && new_triggers.tcp->sock)
9317 		sock_release(new_triggers.tcp->sock);
9318 	kfree(new_triggers.tcp);
9319 	return err;
9320 }
9321 #endif
9322 
9323 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
9324 				       struct cfg80211_registered_device *rdev)
9325 {
9326 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
9327 	int i, j, pat_len;
9328 	struct cfg80211_coalesce_rules *rule;
9329 
9330 	if (!rdev->coalesce->n_rules)
9331 		return 0;
9332 
9333 	nl_rules = nla_nest_start(msg, NL80211_ATTR_COALESCE_RULE);
9334 	if (!nl_rules)
9335 		return -ENOBUFS;
9336 
9337 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
9338 		nl_rule = nla_nest_start(msg, i + 1);
9339 		if (!nl_rule)
9340 			return -ENOBUFS;
9341 
9342 		rule = &rdev->coalesce->rules[i];
9343 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
9344 				rule->delay))
9345 			return -ENOBUFS;
9346 
9347 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
9348 				rule->condition))
9349 			return -ENOBUFS;
9350 
9351 		nl_pats = nla_nest_start(msg,
9352 				NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
9353 		if (!nl_pats)
9354 			return -ENOBUFS;
9355 
9356 		for (j = 0; j < rule->n_patterns; j++) {
9357 			nl_pat = nla_nest_start(msg, j + 1);
9358 			if (!nl_pat)
9359 				return -ENOBUFS;
9360 			pat_len = rule->patterns[j].pattern_len;
9361 			if (nla_put(msg, NL80211_PKTPAT_MASK,
9362 				    DIV_ROUND_UP(pat_len, 8),
9363 				    rule->patterns[j].mask) ||
9364 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
9365 				    rule->patterns[j].pattern) ||
9366 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
9367 					rule->patterns[j].pkt_offset))
9368 				return -ENOBUFS;
9369 			nla_nest_end(msg, nl_pat);
9370 		}
9371 		nla_nest_end(msg, nl_pats);
9372 		nla_nest_end(msg, nl_rule);
9373 	}
9374 	nla_nest_end(msg, nl_rules);
9375 
9376 	return 0;
9377 }
9378 
9379 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
9380 {
9381 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9382 	struct sk_buff *msg;
9383 	void *hdr;
9384 
9385 	if (!rdev->wiphy.coalesce)
9386 		return -EOPNOTSUPP;
9387 
9388 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9389 	if (!msg)
9390 		return -ENOMEM;
9391 
9392 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9393 			     NL80211_CMD_GET_COALESCE);
9394 	if (!hdr)
9395 		goto nla_put_failure;
9396 
9397 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
9398 		goto nla_put_failure;
9399 
9400 	genlmsg_end(msg, hdr);
9401 	return genlmsg_reply(msg, info);
9402 
9403 nla_put_failure:
9404 	nlmsg_free(msg);
9405 	return -ENOBUFS;
9406 }
9407 
9408 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
9409 {
9410 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
9411 	int i, j;
9412 	struct cfg80211_coalesce_rules *rule;
9413 
9414 	if (!coalesce)
9415 		return;
9416 
9417 	for (i = 0; i < coalesce->n_rules; i++) {
9418 		rule = &coalesce->rules[i];
9419 		for (j = 0; j < rule->n_patterns; j++)
9420 			kfree(rule->patterns[j].mask);
9421 		kfree(rule->patterns);
9422 	}
9423 	kfree(coalesce->rules);
9424 	kfree(coalesce);
9425 	rdev->coalesce = NULL;
9426 }
9427 
9428 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
9429 				       struct nlattr *rule,
9430 				       struct cfg80211_coalesce_rules *new_rule)
9431 {
9432 	int err, i;
9433 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
9434 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
9435 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
9436 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
9437 
9438 	err = nla_parse(tb, NL80211_ATTR_COALESCE_RULE_MAX, nla_data(rule),
9439 			nla_len(rule), nl80211_coalesce_policy);
9440 	if (err)
9441 		return err;
9442 
9443 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
9444 		new_rule->delay =
9445 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
9446 	if (new_rule->delay > coalesce->max_delay)
9447 		return -EINVAL;
9448 
9449 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
9450 		new_rule->condition =
9451 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
9452 	if (new_rule->condition != NL80211_COALESCE_CONDITION_MATCH &&
9453 	    new_rule->condition != NL80211_COALESCE_CONDITION_NO_MATCH)
9454 		return -EINVAL;
9455 
9456 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
9457 		return -EINVAL;
9458 
9459 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
9460 			    rem)
9461 		n_patterns++;
9462 	if (n_patterns > coalesce->n_patterns)
9463 		return -EINVAL;
9464 
9465 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
9466 				     GFP_KERNEL);
9467 	if (!new_rule->patterns)
9468 		return -ENOMEM;
9469 
9470 	new_rule->n_patterns = n_patterns;
9471 	i = 0;
9472 
9473 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
9474 			    rem) {
9475 		u8 *mask_pat;
9476 
9477 		nla_parse(pat_tb, MAX_NL80211_PKTPAT, nla_data(pat),
9478 			  nla_len(pat), NULL);
9479 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
9480 		    !pat_tb[NL80211_PKTPAT_PATTERN])
9481 			return -EINVAL;
9482 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
9483 		mask_len = DIV_ROUND_UP(pat_len, 8);
9484 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
9485 			return -EINVAL;
9486 		if (pat_len > coalesce->pattern_max_len ||
9487 		    pat_len < coalesce->pattern_min_len)
9488 			return -EINVAL;
9489 
9490 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
9491 			pkt_offset = 0;
9492 		else
9493 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
9494 		if (pkt_offset > coalesce->max_pkt_offset)
9495 			return -EINVAL;
9496 		new_rule->patterns[i].pkt_offset = pkt_offset;
9497 
9498 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
9499 		if (!mask_pat)
9500 			return -ENOMEM;
9501 
9502 		new_rule->patterns[i].mask = mask_pat;
9503 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
9504 		       mask_len);
9505 
9506 		mask_pat += mask_len;
9507 		new_rule->patterns[i].pattern = mask_pat;
9508 		new_rule->patterns[i].pattern_len = pat_len;
9509 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
9510 		       pat_len);
9511 		i++;
9512 	}
9513 
9514 	return 0;
9515 }
9516 
9517 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
9518 {
9519 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9520 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
9521 	struct cfg80211_coalesce new_coalesce = {};
9522 	struct cfg80211_coalesce *n_coalesce;
9523 	int err, rem_rule, n_rules = 0, i, j;
9524 	struct nlattr *rule;
9525 	struct cfg80211_coalesce_rules *tmp_rule;
9526 
9527 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
9528 		return -EOPNOTSUPP;
9529 
9530 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
9531 		cfg80211_rdev_free_coalesce(rdev);
9532 		rdev->ops->set_coalesce(&rdev->wiphy, NULL);
9533 		return 0;
9534 	}
9535 
9536 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
9537 			    rem_rule)
9538 		n_rules++;
9539 	if (n_rules > coalesce->n_rules)
9540 		return -EINVAL;
9541 
9542 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
9543 				     GFP_KERNEL);
9544 	if (!new_coalesce.rules)
9545 		return -ENOMEM;
9546 
9547 	new_coalesce.n_rules = n_rules;
9548 	i = 0;
9549 
9550 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
9551 			    rem_rule) {
9552 		err = nl80211_parse_coalesce_rule(rdev, rule,
9553 						  &new_coalesce.rules[i]);
9554 		if (err)
9555 			goto error;
9556 
9557 		i++;
9558 	}
9559 
9560 	err = rdev->ops->set_coalesce(&rdev->wiphy, &new_coalesce);
9561 	if (err)
9562 		goto error;
9563 
9564 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
9565 	if (!n_coalesce) {
9566 		err = -ENOMEM;
9567 		goto error;
9568 	}
9569 	cfg80211_rdev_free_coalesce(rdev);
9570 	rdev->coalesce = n_coalesce;
9571 
9572 	return 0;
9573 error:
9574 	for (i = 0; i < new_coalesce.n_rules; i++) {
9575 		tmp_rule = &new_coalesce.rules[i];
9576 		for (j = 0; j < tmp_rule->n_patterns; j++)
9577 			kfree(tmp_rule->patterns[j].mask);
9578 		kfree(tmp_rule->patterns);
9579 	}
9580 	kfree(new_coalesce.rules);
9581 
9582 	return err;
9583 }
9584 
9585 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
9586 {
9587 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9588 	struct net_device *dev = info->user_ptr[1];
9589 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9590 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
9591 	struct cfg80211_gtk_rekey_data rekey_data;
9592 	int err;
9593 
9594 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
9595 		return -EINVAL;
9596 
9597 	err = nla_parse(tb, MAX_NL80211_REKEY_DATA,
9598 			nla_data(info->attrs[NL80211_ATTR_REKEY_DATA]),
9599 			nla_len(info->attrs[NL80211_ATTR_REKEY_DATA]),
9600 			nl80211_rekey_policy);
9601 	if (err)
9602 		return err;
9603 
9604 	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
9605 		return -ERANGE;
9606 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
9607 		return -ERANGE;
9608 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN)
9609 		return -ERANGE;
9610 
9611 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
9612 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
9613 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
9614 
9615 	wdev_lock(wdev);
9616 	if (!wdev->current_bss) {
9617 		err = -ENOTCONN;
9618 		goto out;
9619 	}
9620 
9621 	if (!rdev->ops->set_rekey_data) {
9622 		err = -EOPNOTSUPP;
9623 		goto out;
9624 	}
9625 
9626 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
9627  out:
9628 	wdev_unlock(wdev);
9629 	return err;
9630 }
9631 
9632 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
9633 					     struct genl_info *info)
9634 {
9635 	struct net_device *dev = info->user_ptr[1];
9636 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9637 
9638 	if (wdev->iftype != NL80211_IFTYPE_AP &&
9639 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
9640 		return -EINVAL;
9641 
9642 	if (wdev->ap_unexpected_nlportid)
9643 		return -EBUSY;
9644 
9645 	wdev->ap_unexpected_nlportid = info->snd_portid;
9646 	return 0;
9647 }
9648 
9649 static int nl80211_probe_client(struct sk_buff *skb,
9650 				struct genl_info *info)
9651 {
9652 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9653 	struct net_device *dev = info->user_ptr[1];
9654 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9655 	struct sk_buff *msg;
9656 	void *hdr;
9657 	const u8 *addr;
9658 	u64 cookie;
9659 	int err;
9660 
9661 	if (wdev->iftype != NL80211_IFTYPE_AP &&
9662 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
9663 		return -EOPNOTSUPP;
9664 
9665 	if (!info->attrs[NL80211_ATTR_MAC])
9666 		return -EINVAL;
9667 
9668 	if (!rdev->ops->probe_client)
9669 		return -EOPNOTSUPP;
9670 
9671 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9672 	if (!msg)
9673 		return -ENOMEM;
9674 
9675 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9676 			     NL80211_CMD_PROBE_CLIENT);
9677 	if (!hdr) {
9678 		err = -ENOBUFS;
9679 		goto free_msg;
9680 	}
9681 
9682 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
9683 
9684 	err = rdev_probe_client(rdev, dev, addr, &cookie);
9685 	if (err)
9686 		goto free_msg;
9687 
9688 	if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
9689 		goto nla_put_failure;
9690 
9691 	genlmsg_end(msg, hdr);
9692 
9693 	return genlmsg_reply(msg, info);
9694 
9695  nla_put_failure:
9696 	err = -ENOBUFS;
9697  free_msg:
9698 	nlmsg_free(msg);
9699 	return err;
9700 }
9701 
9702 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
9703 {
9704 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9705 	struct cfg80211_beacon_registration *reg, *nreg;
9706 	int rv;
9707 
9708 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
9709 		return -EOPNOTSUPP;
9710 
9711 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
9712 	if (!nreg)
9713 		return -ENOMEM;
9714 
9715 	/* First, check if already registered. */
9716 	spin_lock_bh(&rdev->beacon_registrations_lock);
9717 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
9718 		if (reg->nlportid == info->snd_portid) {
9719 			rv = -EALREADY;
9720 			goto out_err;
9721 		}
9722 	}
9723 	/* Add it to the list */
9724 	nreg->nlportid = info->snd_portid;
9725 	list_add(&nreg->list, &rdev->beacon_registrations);
9726 
9727 	spin_unlock_bh(&rdev->beacon_registrations_lock);
9728 
9729 	return 0;
9730 out_err:
9731 	spin_unlock_bh(&rdev->beacon_registrations_lock);
9732 	kfree(nreg);
9733 	return rv;
9734 }
9735 
9736 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
9737 {
9738 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9739 	struct wireless_dev *wdev = info->user_ptr[1];
9740 	int err;
9741 
9742 	if (!rdev->ops->start_p2p_device)
9743 		return -EOPNOTSUPP;
9744 
9745 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
9746 		return -EOPNOTSUPP;
9747 
9748 	if (wdev->p2p_started)
9749 		return 0;
9750 
9751 	if (rfkill_blocked(rdev->rfkill))
9752 		return -ERFKILL;
9753 
9754 	err = rdev_start_p2p_device(rdev, wdev);
9755 	if (err)
9756 		return err;
9757 
9758 	wdev->p2p_started = true;
9759 	rdev->opencount++;
9760 
9761 	return 0;
9762 }
9763 
9764 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
9765 {
9766 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9767 	struct wireless_dev *wdev = info->user_ptr[1];
9768 
9769 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
9770 		return -EOPNOTSUPP;
9771 
9772 	if (!rdev->ops->stop_p2p_device)
9773 		return -EOPNOTSUPP;
9774 
9775 	cfg80211_stop_p2p_device(rdev, wdev);
9776 
9777 	return 0;
9778 }
9779 
9780 static int nl80211_get_protocol_features(struct sk_buff *skb,
9781 					 struct genl_info *info)
9782 {
9783 	void *hdr;
9784 	struct sk_buff *msg;
9785 
9786 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9787 	if (!msg)
9788 		return -ENOMEM;
9789 
9790 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9791 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
9792 	if (!hdr)
9793 		goto nla_put_failure;
9794 
9795 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
9796 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
9797 		goto nla_put_failure;
9798 
9799 	genlmsg_end(msg, hdr);
9800 	return genlmsg_reply(msg, info);
9801 
9802  nla_put_failure:
9803 	kfree_skb(msg);
9804 	return -ENOBUFS;
9805 }
9806 
9807 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
9808 {
9809 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9810 	struct cfg80211_update_ft_ies_params ft_params;
9811 	struct net_device *dev = info->user_ptr[1];
9812 
9813 	if (!rdev->ops->update_ft_ies)
9814 		return -EOPNOTSUPP;
9815 
9816 	if (!info->attrs[NL80211_ATTR_MDID] ||
9817 	    !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
9818 		return -EINVAL;
9819 
9820 	memset(&ft_params, 0, sizeof(ft_params));
9821 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
9822 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9823 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9824 
9825 	return rdev_update_ft_ies(rdev, dev, &ft_params);
9826 }
9827 
9828 static int nl80211_crit_protocol_start(struct sk_buff *skb,
9829 				       struct genl_info *info)
9830 {
9831 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9832 	struct wireless_dev *wdev = info->user_ptr[1];
9833 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
9834 	u16 duration;
9835 	int ret;
9836 
9837 	if (!rdev->ops->crit_proto_start)
9838 		return -EOPNOTSUPP;
9839 
9840 	if (WARN_ON(!rdev->ops->crit_proto_stop))
9841 		return -EINVAL;
9842 
9843 	if (rdev->crit_proto_nlportid)
9844 		return -EBUSY;
9845 
9846 	/* determine protocol if provided */
9847 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
9848 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
9849 
9850 	if (proto >= NUM_NL80211_CRIT_PROTO)
9851 		return -EINVAL;
9852 
9853 	/* timeout must be provided */
9854 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
9855 		return -EINVAL;
9856 
9857 	duration =
9858 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
9859 
9860 	if (duration > NL80211_CRIT_PROTO_MAX_DURATION)
9861 		return -ERANGE;
9862 
9863 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
9864 	if (!ret)
9865 		rdev->crit_proto_nlportid = info->snd_portid;
9866 
9867 	return ret;
9868 }
9869 
9870 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
9871 				      struct genl_info *info)
9872 {
9873 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9874 	struct wireless_dev *wdev = info->user_ptr[1];
9875 
9876 	if (!rdev->ops->crit_proto_stop)
9877 		return -EOPNOTSUPP;
9878 
9879 	if (rdev->crit_proto_nlportid) {
9880 		rdev->crit_proto_nlportid = 0;
9881 		rdev_crit_proto_stop(rdev, wdev);
9882 	}
9883 	return 0;
9884 }
9885 
9886 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
9887 {
9888 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9889 	struct wireless_dev *wdev =
9890 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
9891 	int i, err;
9892 	u32 vid, subcmd;
9893 
9894 	if (!rdev->wiphy.vendor_commands)
9895 		return -EOPNOTSUPP;
9896 
9897 	if (IS_ERR(wdev)) {
9898 		err = PTR_ERR(wdev);
9899 		if (err != -EINVAL)
9900 			return err;
9901 		wdev = NULL;
9902 	} else if (wdev->wiphy != &rdev->wiphy) {
9903 		return -EINVAL;
9904 	}
9905 
9906 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
9907 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
9908 		return -EINVAL;
9909 
9910 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
9911 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
9912 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
9913 		const struct wiphy_vendor_command *vcmd;
9914 		void *data = NULL;
9915 		int len = 0;
9916 
9917 		vcmd = &rdev->wiphy.vendor_commands[i];
9918 
9919 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
9920 			continue;
9921 
9922 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
9923 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
9924 			if (!wdev)
9925 				return -EINVAL;
9926 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
9927 			    !wdev->netdev)
9928 				return -EINVAL;
9929 
9930 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
9931 				if (wdev->netdev &&
9932 				    !netif_running(wdev->netdev))
9933 					return -ENETDOWN;
9934 				if (!wdev->netdev && !wdev->p2p_started)
9935 					return -ENETDOWN;
9936 			}
9937 		} else {
9938 			wdev = NULL;
9939 		}
9940 
9941 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
9942 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
9943 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
9944 		}
9945 
9946 		rdev->cur_cmd_info = info;
9947 		err = rdev->wiphy.vendor_commands[i].doit(&rdev->wiphy, wdev,
9948 							  data, len);
9949 		rdev->cur_cmd_info = NULL;
9950 		return err;
9951 	}
9952 
9953 	return -EOPNOTSUPP;
9954 }
9955 
9956 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
9957 					   enum nl80211_commands cmd,
9958 					   enum nl80211_attrs attr,
9959 					   int approxlen)
9960 {
9961 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
9962 
9963 	if (WARN_ON(!rdev->cur_cmd_info))
9964 		return NULL;
9965 
9966 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
9967 					   rdev->cur_cmd_info->snd_portid,
9968 					   rdev->cur_cmd_info->snd_seq,
9969 					   cmd, attr, NULL, GFP_KERNEL);
9970 }
9971 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
9972 
9973 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
9974 {
9975 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
9976 	void *hdr = ((void **)skb->cb)[1];
9977 	struct nlattr *data = ((void **)skb->cb)[2];
9978 
9979 	/* clear CB data for netlink core to own from now on */
9980 	memset(skb->cb, 0, sizeof(skb->cb));
9981 
9982 	if (WARN_ON(!rdev->cur_cmd_info)) {
9983 		kfree_skb(skb);
9984 		return -EINVAL;
9985 	}
9986 
9987 	nla_nest_end(skb, data);
9988 	genlmsg_end(skb, hdr);
9989 	return genlmsg_reply(skb, rdev->cur_cmd_info);
9990 }
9991 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
9992 
9993 
9994 static int nl80211_set_qos_map(struct sk_buff *skb,
9995 			       struct genl_info *info)
9996 {
9997 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9998 	struct cfg80211_qos_map *qos_map = NULL;
9999 	struct net_device *dev = info->user_ptr[1];
10000 	u8 *pos, len, num_des, des_len, des;
10001 	int ret;
10002 
10003 	if (!rdev->ops->set_qos_map)
10004 		return -EOPNOTSUPP;
10005 
10006 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
10007 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
10008 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
10009 
10010 		if (len % 2 || len < IEEE80211_QOS_MAP_LEN_MIN ||
10011 		    len > IEEE80211_QOS_MAP_LEN_MAX)
10012 			return -EINVAL;
10013 
10014 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
10015 		if (!qos_map)
10016 			return -ENOMEM;
10017 
10018 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
10019 		if (num_des) {
10020 			des_len = num_des *
10021 				sizeof(struct cfg80211_dscp_exception);
10022 			memcpy(qos_map->dscp_exception, pos, des_len);
10023 			qos_map->num_des = num_des;
10024 			for (des = 0; des < num_des; des++) {
10025 				if (qos_map->dscp_exception[des].up > 7) {
10026 					kfree(qos_map);
10027 					return -EINVAL;
10028 				}
10029 			}
10030 			pos += des_len;
10031 		}
10032 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
10033 	}
10034 
10035 	wdev_lock(dev->ieee80211_ptr);
10036 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
10037 	if (!ret)
10038 		ret = rdev_set_qos_map(rdev, dev, qos_map);
10039 	wdev_unlock(dev->ieee80211_ptr);
10040 
10041 	kfree(qos_map);
10042 	return ret;
10043 }
10044 
10045 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
10046 {
10047 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10048 	struct net_device *dev = info->user_ptr[1];
10049 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10050 	const u8 *peer;
10051 	u8 tsid, up;
10052 	u16 admitted_time = 0;
10053 	int err;
10054 
10055 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
10056 		return -EOPNOTSUPP;
10057 
10058 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
10059 	    !info->attrs[NL80211_ATTR_USER_PRIO])
10060 		return -EINVAL;
10061 
10062 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
10063 	if (tsid >= IEEE80211_NUM_TIDS)
10064 		return -EINVAL;
10065 
10066 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
10067 	if (up >= IEEE80211_NUM_UPS)
10068 		return -EINVAL;
10069 
10070 	/* WMM uses TIDs 0-7 even for TSPEC */
10071 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
10072 		/* TODO: handle 802.11 TSPEC/admission control
10073 		 * need more attributes for that (e.g. BA session requirement);
10074 		 * change the WMM adminssion test above to allow both then
10075 		 */
10076 		return -EINVAL;
10077 	}
10078 
10079 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10080 
10081 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
10082 		admitted_time =
10083 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
10084 		if (!admitted_time)
10085 			return -EINVAL;
10086 	}
10087 
10088 	wdev_lock(wdev);
10089 	switch (wdev->iftype) {
10090 	case NL80211_IFTYPE_STATION:
10091 	case NL80211_IFTYPE_P2P_CLIENT:
10092 		if (wdev->current_bss)
10093 			break;
10094 		err = -ENOTCONN;
10095 		goto out;
10096 	default:
10097 		err = -EOPNOTSUPP;
10098 		goto out;
10099 	}
10100 
10101 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
10102 
10103  out:
10104 	wdev_unlock(wdev);
10105 	return err;
10106 }
10107 
10108 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
10109 {
10110 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10111 	struct net_device *dev = info->user_ptr[1];
10112 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10113 	const u8 *peer;
10114 	u8 tsid;
10115 	int err;
10116 
10117 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
10118 		return -EINVAL;
10119 
10120 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
10121 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10122 
10123 	wdev_lock(wdev);
10124 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
10125 	wdev_unlock(wdev);
10126 
10127 	return err;
10128 }
10129 
10130 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
10131 				       struct genl_info *info)
10132 {
10133 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10134 	struct net_device *dev = info->user_ptr[1];
10135 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10136 	struct cfg80211_chan_def chandef = {};
10137 	const u8 *addr;
10138 	u8 oper_class;
10139 	int err;
10140 
10141 	if (!rdev->ops->tdls_channel_switch ||
10142 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
10143 		return -EOPNOTSUPP;
10144 
10145 	switch (dev->ieee80211_ptr->iftype) {
10146 	case NL80211_IFTYPE_STATION:
10147 	case NL80211_IFTYPE_P2P_CLIENT:
10148 		break;
10149 	default:
10150 		return -EOPNOTSUPP;
10151 	}
10152 
10153 	if (!info->attrs[NL80211_ATTR_MAC] ||
10154 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
10155 		return -EINVAL;
10156 
10157 	err = nl80211_parse_chandef(rdev, info, &chandef);
10158 	if (err)
10159 		return err;
10160 
10161 	/*
10162 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
10163 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
10164 	 * specification is not defined for them.
10165 	 */
10166 	if (chandef.chan->band == IEEE80211_BAND_2GHZ &&
10167 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
10168 	    chandef.width != NL80211_CHAN_WIDTH_20)
10169 		return -EINVAL;
10170 
10171 	/* we will be active on the TDLS link */
10172 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &chandef, wdev->iftype))
10173 		return -EINVAL;
10174 
10175 	/* don't allow switching to DFS channels */
10176 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
10177 		return -EINVAL;
10178 
10179 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
10180 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
10181 
10182 	wdev_lock(wdev);
10183 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
10184 	wdev_unlock(wdev);
10185 
10186 	return err;
10187 }
10188 
10189 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
10190 					      struct genl_info *info)
10191 {
10192 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10193 	struct net_device *dev = info->user_ptr[1];
10194 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10195 	const u8 *addr;
10196 
10197 	if (!rdev->ops->tdls_channel_switch ||
10198 	    !rdev->ops->tdls_cancel_channel_switch ||
10199 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
10200 		return -EOPNOTSUPP;
10201 
10202 	switch (dev->ieee80211_ptr->iftype) {
10203 	case NL80211_IFTYPE_STATION:
10204 	case NL80211_IFTYPE_P2P_CLIENT:
10205 		break;
10206 	default:
10207 		return -EOPNOTSUPP;
10208 	}
10209 
10210 	if (!info->attrs[NL80211_ATTR_MAC])
10211 		return -EINVAL;
10212 
10213 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
10214 
10215 	wdev_lock(wdev);
10216 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
10217 	wdev_unlock(wdev);
10218 
10219 	return 0;
10220 }
10221 
10222 #define NL80211_FLAG_NEED_WIPHY		0x01
10223 #define NL80211_FLAG_NEED_NETDEV	0x02
10224 #define NL80211_FLAG_NEED_RTNL		0x04
10225 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
10226 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
10227 					 NL80211_FLAG_CHECK_NETDEV_UP)
10228 #define NL80211_FLAG_NEED_WDEV		0x10
10229 /* If a netdev is associated, it must be UP, P2P must be started */
10230 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
10231 					 NL80211_FLAG_CHECK_NETDEV_UP)
10232 #define NL80211_FLAG_CLEAR_SKB		0x20
10233 
10234 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
10235 			    struct genl_info *info)
10236 {
10237 	struct cfg80211_registered_device *rdev;
10238 	struct wireless_dev *wdev;
10239 	struct net_device *dev;
10240 	bool rtnl = ops->internal_flags & NL80211_FLAG_NEED_RTNL;
10241 
10242 	if (rtnl)
10243 		rtnl_lock();
10244 
10245 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
10246 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
10247 		if (IS_ERR(rdev)) {
10248 			if (rtnl)
10249 				rtnl_unlock();
10250 			return PTR_ERR(rdev);
10251 		}
10252 		info->user_ptr[0] = rdev;
10253 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
10254 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
10255 		ASSERT_RTNL();
10256 
10257 		wdev = __cfg80211_wdev_from_attrs(genl_info_net(info),
10258 						  info->attrs);
10259 		if (IS_ERR(wdev)) {
10260 			if (rtnl)
10261 				rtnl_unlock();
10262 			return PTR_ERR(wdev);
10263 		}
10264 
10265 		dev = wdev->netdev;
10266 		rdev = wiphy_to_rdev(wdev->wiphy);
10267 
10268 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
10269 			if (!dev) {
10270 				if (rtnl)
10271 					rtnl_unlock();
10272 				return -EINVAL;
10273 			}
10274 
10275 			info->user_ptr[1] = dev;
10276 		} else {
10277 			info->user_ptr[1] = wdev;
10278 		}
10279 
10280 		if (dev) {
10281 			if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
10282 			    !netif_running(dev)) {
10283 				if (rtnl)
10284 					rtnl_unlock();
10285 				return -ENETDOWN;
10286 			}
10287 
10288 			dev_hold(dev);
10289 		} else if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP) {
10290 			if (!wdev->p2p_started) {
10291 				if (rtnl)
10292 					rtnl_unlock();
10293 				return -ENETDOWN;
10294 			}
10295 		}
10296 
10297 		info->user_ptr[0] = rdev;
10298 	}
10299 
10300 	return 0;
10301 }
10302 
10303 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
10304 			      struct genl_info *info)
10305 {
10306 	if (info->user_ptr[1]) {
10307 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
10308 			struct wireless_dev *wdev = info->user_ptr[1];
10309 
10310 			if (wdev->netdev)
10311 				dev_put(wdev->netdev);
10312 		} else {
10313 			dev_put(info->user_ptr[1]);
10314 		}
10315 	}
10316 
10317 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
10318 		rtnl_unlock();
10319 
10320 	/* If needed, clear the netlink message payload from the SKB
10321 	 * as it might contain key data that shouldn't stick around on
10322 	 * the heap after the SKB is freed. The netlink message header
10323 	 * is still needed for further processing, so leave it intact.
10324 	 */
10325 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
10326 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
10327 
10328 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
10329 	}
10330 }
10331 
10332 static const struct genl_ops nl80211_ops[] = {
10333 	{
10334 		.cmd = NL80211_CMD_GET_WIPHY,
10335 		.doit = nl80211_get_wiphy,
10336 		.dumpit = nl80211_dump_wiphy,
10337 		.done = nl80211_dump_wiphy_done,
10338 		.policy = nl80211_policy,
10339 		/* can be retrieved by unprivileged users */
10340 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10341 				  NL80211_FLAG_NEED_RTNL,
10342 	},
10343 	{
10344 		.cmd = NL80211_CMD_SET_WIPHY,
10345 		.doit = nl80211_set_wiphy,
10346 		.policy = nl80211_policy,
10347 		.flags = GENL_ADMIN_PERM,
10348 		.internal_flags = NL80211_FLAG_NEED_RTNL,
10349 	},
10350 	{
10351 		.cmd = NL80211_CMD_GET_INTERFACE,
10352 		.doit = nl80211_get_interface,
10353 		.dumpit = nl80211_dump_interface,
10354 		.policy = nl80211_policy,
10355 		/* can be retrieved by unprivileged users */
10356 		.internal_flags = NL80211_FLAG_NEED_WDEV |
10357 				  NL80211_FLAG_NEED_RTNL,
10358 	},
10359 	{
10360 		.cmd = NL80211_CMD_SET_INTERFACE,
10361 		.doit = nl80211_set_interface,
10362 		.policy = nl80211_policy,
10363 		.flags = GENL_ADMIN_PERM,
10364 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10365 				  NL80211_FLAG_NEED_RTNL,
10366 	},
10367 	{
10368 		.cmd = NL80211_CMD_NEW_INTERFACE,
10369 		.doit = nl80211_new_interface,
10370 		.policy = nl80211_policy,
10371 		.flags = GENL_ADMIN_PERM,
10372 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10373 				  NL80211_FLAG_NEED_RTNL,
10374 	},
10375 	{
10376 		.cmd = NL80211_CMD_DEL_INTERFACE,
10377 		.doit = nl80211_del_interface,
10378 		.policy = nl80211_policy,
10379 		.flags = GENL_ADMIN_PERM,
10380 		.internal_flags = NL80211_FLAG_NEED_WDEV |
10381 				  NL80211_FLAG_NEED_RTNL,
10382 	},
10383 	{
10384 		.cmd = NL80211_CMD_GET_KEY,
10385 		.doit = nl80211_get_key,
10386 		.policy = nl80211_policy,
10387 		.flags = GENL_ADMIN_PERM,
10388 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10389 				  NL80211_FLAG_NEED_RTNL,
10390 	},
10391 	{
10392 		.cmd = NL80211_CMD_SET_KEY,
10393 		.doit = nl80211_set_key,
10394 		.policy = nl80211_policy,
10395 		.flags = GENL_ADMIN_PERM,
10396 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10397 				  NL80211_FLAG_NEED_RTNL |
10398 				  NL80211_FLAG_CLEAR_SKB,
10399 	},
10400 	{
10401 		.cmd = NL80211_CMD_NEW_KEY,
10402 		.doit = nl80211_new_key,
10403 		.policy = nl80211_policy,
10404 		.flags = GENL_ADMIN_PERM,
10405 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10406 				  NL80211_FLAG_NEED_RTNL |
10407 				  NL80211_FLAG_CLEAR_SKB,
10408 	},
10409 	{
10410 		.cmd = NL80211_CMD_DEL_KEY,
10411 		.doit = nl80211_del_key,
10412 		.policy = nl80211_policy,
10413 		.flags = GENL_ADMIN_PERM,
10414 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10415 				  NL80211_FLAG_NEED_RTNL,
10416 	},
10417 	{
10418 		.cmd = NL80211_CMD_SET_BEACON,
10419 		.policy = nl80211_policy,
10420 		.flags = GENL_ADMIN_PERM,
10421 		.doit = nl80211_set_beacon,
10422 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10423 				  NL80211_FLAG_NEED_RTNL,
10424 	},
10425 	{
10426 		.cmd = NL80211_CMD_START_AP,
10427 		.policy = nl80211_policy,
10428 		.flags = GENL_ADMIN_PERM,
10429 		.doit = nl80211_start_ap,
10430 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10431 				  NL80211_FLAG_NEED_RTNL,
10432 	},
10433 	{
10434 		.cmd = NL80211_CMD_STOP_AP,
10435 		.policy = nl80211_policy,
10436 		.flags = GENL_ADMIN_PERM,
10437 		.doit = nl80211_stop_ap,
10438 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10439 				  NL80211_FLAG_NEED_RTNL,
10440 	},
10441 	{
10442 		.cmd = NL80211_CMD_GET_STATION,
10443 		.doit = nl80211_get_station,
10444 		.dumpit = nl80211_dump_station,
10445 		.policy = nl80211_policy,
10446 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10447 				  NL80211_FLAG_NEED_RTNL,
10448 	},
10449 	{
10450 		.cmd = NL80211_CMD_SET_STATION,
10451 		.doit = nl80211_set_station,
10452 		.policy = nl80211_policy,
10453 		.flags = GENL_ADMIN_PERM,
10454 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10455 				  NL80211_FLAG_NEED_RTNL,
10456 	},
10457 	{
10458 		.cmd = NL80211_CMD_NEW_STATION,
10459 		.doit = nl80211_new_station,
10460 		.policy = nl80211_policy,
10461 		.flags = GENL_ADMIN_PERM,
10462 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10463 				  NL80211_FLAG_NEED_RTNL,
10464 	},
10465 	{
10466 		.cmd = NL80211_CMD_DEL_STATION,
10467 		.doit = nl80211_del_station,
10468 		.policy = nl80211_policy,
10469 		.flags = GENL_ADMIN_PERM,
10470 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10471 				  NL80211_FLAG_NEED_RTNL,
10472 	},
10473 	{
10474 		.cmd = NL80211_CMD_GET_MPATH,
10475 		.doit = nl80211_get_mpath,
10476 		.dumpit = nl80211_dump_mpath,
10477 		.policy = nl80211_policy,
10478 		.flags = GENL_ADMIN_PERM,
10479 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10480 				  NL80211_FLAG_NEED_RTNL,
10481 	},
10482 	{
10483 		.cmd = NL80211_CMD_GET_MPP,
10484 		.doit = nl80211_get_mpp,
10485 		.dumpit = nl80211_dump_mpp,
10486 		.policy = nl80211_policy,
10487 		.flags = GENL_ADMIN_PERM,
10488 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10489 				  NL80211_FLAG_NEED_RTNL,
10490 	},
10491 	{
10492 		.cmd = NL80211_CMD_SET_MPATH,
10493 		.doit = nl80211_set_mpath,
10494 		.policy = nl80211_policy,
10495 		.flags = GENL_ADMIN_PERM,
10496 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10497 				  NL80211_FLAG_NEED_RTNL,
10498 	},
10499 	{
10500 		.cmd = NL80211_CMD_NEW_MPATH,
10501 		.doit = nl80211_new_mpath,
10502 		.policy = nl80211_policy,
10503 		.flags = GENL_ADMIN_PERM,
10504 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10505 				  NL80211_FLAG_NEED_RTNL,
10506 	},
10507 	{
10508 		.cmd = NL80211_CMD_DEL_MPATH,
10509 		.doit = nl80211_del_mpath,
10510 		.policy = nl80211_policy,
10511 		.flags = GENL_ADMIN_PERM,
10512 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10513 				  NL80211_FLAG_NEED_RTNL,
10514 	},
10515 	{
10516 		.cmd = NL80211_CMD_SET_BSS,
10517 		.doit = nl80211_set_bss,
10518 		.policy = nl80211_policy,
10519 		.flags = GENL_ADMIN_PERM,
10520 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10521 				  NL80211_FLAG_NEED_RTNL,
10522 	},
10523 	{
10524 		.cmd = NL80211_CMD_GET_REG,
10525 		.doit = nl80211_get_reg_do,
10526 		.dumpit = nl80211_get_reg_dump,
10527 		.policy = nl80211_policy,
10528 		.internal_flags = NL80211_FLAG_NEED_RTNL,
10529 		/* can be retrieved by unprivileged users */
10530 	},
10531 	{
10532 		.cmd = NL80211_CMD_SET_REG,
10533 		.doit = nl80211_set_reg,
10534 		.policy = nl80211_policy,
10535 		.flags = GENL_ADMIN_PERM,
10536 		.internal_flags = NL80211_FLAG_NEED_RTNL,
10537 	},
10538 	{
10539 		.cmd = NL80211_CMD_REQ_SET_REG,
10540 		.doit = nl80211_req_set_reg,
10541 		.policy = nl80211_policy,
10542 		.flags = GENL_ADMIN_PERM,
10543 	},
10544 	{
10545 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
10546 		.doit = nl80211_get_mesh_config,
10547 		.policy = nl80211_policy,
10548 		/* can be retrieved by unprivileged users */
10549 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10550 				  NL80211_FLAG_NEED_RTNL,
10551 	},
10552 	{
10553 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
10554 		.doit = nl80211_update_mesh_config,
10555 		.policy = nl80211_policy,
10556 		.flags = GENL_ADMIN_PERM,
10557 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10558 				  NL80211_FLAG_NEED_RTNL,
10559 	},
10560 	{
10561 		.cmd = NL80211_CMD_TRIGGER_SCAN,
10562 		.doit = nl80211_trigger_scan,
10563 		.policy = nl80211_policy,
10564 		.flags = GENL_ADMIN_PERM,
10565 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10566 				  NL80211_FLAG_NEED_RTNL,
10567 	},
10568 	{
10569 		.cmd = NL80211_CMD_GET_SCAN,
10570 		.policy = nl80211_policy,
10571 		.dumpit = nl80211_dump_scan,
10572 	},
10573 	{
10574 		.cmd = NL80211_CMD_START_SCHED_SCAN,
10575 		.doit = nl80211_start_sched_scan,
10576 		.policy = nl80211_policy,
10577 		.flags = GENL_ADMIN_PERM,
10578 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10579 				  NL80211_FLAG_NEED_RTNL,
10580 	},
10581 	{
10582 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
10583 		.doit = nl80211_stop_sched_scan,
10584 		.policy = nl80211_policy,
10585 		.flags = GENL_ADMIN_PERM,
10586 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10587 				  NL80211_FLAG_NEED_RTNL,
10588 	},
10589 	{
10590 		.cmd = NL80211_CMD_AUTHENTICATE,
10591 		.doit = nl80211_authenticate,
10592 		.policy = nl80211_policy,
10593 		.flags = GENL_ADMIN_PERM,
10594 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10595 				  NL80211_FLAG_NEED_RTNL |
10596 				  NL80211_FLAG_CLEAR_SKB,
10597 	},
10598 	{
10599 		.cmd = NL80211_CMD_ASSOCIATE,
10600 		.doit = nl80211_associate,
10601 		.policy = nl80211_policy,
10602 		.flags = GENL_ADMIN_PERM,
10603 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10604 				  NL80211_FLAG_NEED_RTNL,
10605 	},
10606 	{
10607 		.cmd = NL80211_CMD_DEAUTHENTICATE,
10608 		.doit = nl80211_deauthenticate,
10609 		.policy = nl80211_policy,
10610 		.flags = GENL_ADMIN_PERM,
10611 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10612 				  NL80211_FLAG_NEED_RTNL,
10613 	},
10614 	{
10615 		.cmd = NL80211_CMD_DISASSOCIATE,
10616 		.doit = nl80211_disassociate,
10617 		.policy = nl80211_policy,
10618 		.flags = GENL_ADMIN_PERM,
10619 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10620 				  NL80211_FLAG_NEED_RTNL,
10621 	},
10622 	{
10623 		.cmd = NL80211_CMD_JOIN_IBSS,
10624 		.doit = nl80211_join_ibss,
10625 		.policy = nl80211_policy,
10626 		.flags = GENL_ADMIN_PERM,
10627 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10628 				  NL80211_FLAG_NEED_RTNL,
10629 	},
10630 	{
10631 		.cmd = NL80211_CMD_LEAVE_IBSS,
10632 		.doit = nl80211_leave_ibss,
10633 		.policy = nl80211_policy,
10634 		.flags = GENL_ADMIN_PERM,
10635 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10636 				  NL80211_FLAG_NEED_RTNL,
10637 	},
10638 #ifdef CONFIG_NL80211_TESTMODE
10639 	{
10640 		.cmd = NL80211_CMD_TESTMODE,
10641 		.doit = nl80211_testmode_do,
10642 		.dumpit = nl80211_testmode_dump,
10643 		.policy = nl80211_policy,
10644 		.flags = GENL_ADMIN_PERM,
10645 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10646 				  NL80211_FLAG_NEED_RTNL,
10647 	},
10648 #endif
10649 	{
10650 		.cmd = NL80211_CMD_CONNECT,
10651 		.doit = nl80211_connect,
10652 		.policy = nl80211_policy,
10653 		.flags = GENL_ADMIN_PERM,
10654 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10655 				  NL80211_FLAG_NEED_RTNL,
10656 	},
10657 	{
10658 		.cmd = NL80211_CMD_DISCONNECT,
10659 		.doit = nl80211_disconnect,
10660 		.policy = nl80211_policy,
10661 		.flags = GENL_ADMIN_PERM,
10662 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10663 				  NL80211_FLAG_NEED_RTNL,
10664 	},
10665 	{
10666 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
10667 		.doit = nl80211_wiphy_netns,
10668 		.policy = nl80211_policy,
10669 		.flags = GENL_ADMIN_PERM,
10670 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10671 				  NL80211_FLAG_NEED_RTNL,
10672 	},
10673 	{
10674 		.cmd = NL80211_CMD_GET_SURVEY,
10675 		.policy = nl80211_policy,
10676 		.dumpit = nl80211_dump_survey,
10677 	},
10678 	{
10679 		.cmd = NL80211_CMD_SET_PMKSA,
10680 		.doit = nl80211_setdel_pmksa,
10681 		.policy = nl80211_policy,
10682 		.flags = GENL_ADMIN_PERM,
10683 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10684 				  NL80211_FLAG_NEED_RTNL,
10685 	},
10686 	{
10687 		.cmd = NL80211_CMD_DEL_PMKSA,
10688 		.doit = nl80211_setdel_pmksa,
10689 		.policy = nl80211_policy,
10690 		.flags = GENL_ADMIN_PERM,
10691 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10692 				  NL80211_FLAG_NEED_RTNL,
10693 	},
10694 	{
10695 		.cmd = NL80211_CMD_FLUSH_PMKSA,
10696 		.doit = nl80211_flush_pmksa,
10697 		.policy = nl80211_policy,
10698 		.flags = GENL_ADMIN_PERM,
10699 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10700 				  NL80211_FLAG_NEED_RTNL,
10701 	},
10702 	{
10703 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
10704 		.doit = nl80211_remain_on_channel,
10705 		.policy = nl80211_policy,
10706 		.flags = GENL_ADMIN_PERM,
10707 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10708 				  NL80211_FLAG_NEED_RTNL,
10709 	},
10710 	{
10711 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
10712 		.doit = nl80211_cancel_remain_on_channel,
10713 		.policy = nl80211_policy,
10714 		.flags = GENL_ADMIN_PERM,
10715 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10716 				  NL80211_FLAG_NEED_RTNL,
10717 	},
10718 	{
10719 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
10720 		.doit = nl80211_set_tx_bitrate_mask,
10721 		.policy = nl80211_policy,
10722 		.flags = GENL_ADMIN_PERM,
10723 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10724 				  NL80211_FLAG_NEED_RTNL,
10725 	},
10726 	{
10727 		.cmd = NL80211_CMD_REGISTER_FRAME,
10728 		.doit = nl80211_register_mgmt,
10729 		.policy = nl80211_policy,
10730 		.flags = GENL_ADMIN_PERM,
10731 		.internal_flags = NL80211_FLAG_NEED_WDEV |
10732 				  NL80211_FLAG_NEED_RTNL,
10733 	},
10734 	{
10735 		.cmd = NL80211_CMD_FRAME,
10736 		.doit = nl80211_tx_mgmt,
10737 		.policy = nl80211_policy,
10738 		.flags = GENL_ADMIN_PERM,
10739 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10740 				  NL80211_FLAG_NEED_RTNL,
10741 	},
10742 	{
10743 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
10744 		.doit = nl80211_tx_mgmt_cancel_wait,
10745 		.policy = nl80211_policy,
10746 		.flags = GENL_ADMIN_PERM,
10747 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10748 				  NL80211_FLAG_NEED_RTNL,
10749 	},
10750 	{
10751 		.cmd = NL80211_CMD_SET_POWER_SAVE,
10752 		.doit = nl80211_set_power_save,
10753 		.policy = nl80211_policy,
10754 		.flags = GENL_ADMIN_PERM,
10755 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10756 				  NL80211_FLAG_NEED_RTNL,
10757 	},
10758 	{
10759 		.cmd = NL80211_CMD_GET_POWER_SAVE,
10760 		.doit = nl80211_get_power_save,
10761 		.policy = nl80211_policy,
10762 		/* can be retrieved by unprivileged users */
10763 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10764 				  NL80211_FLAG_NEED_RTNL,
10765 	},
10766 	{
10767 		.cmd = NL80211_CMD_SET_CQM,
10768 		.doit = nl80211_set_cqm,
10769 		.policy = nl80211_policy,
10770 		.flags = GENL_ADMIN_PERM,
10771 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10772 				  NL80211_FLAG_NEED_RTNL,
10773 	},
10774 	{
10775 		.cmd = NL80211_CMD_SET_CHANNEL,
10776 		.doit = nl80211_set_channel,
10777 		.policy = nl80211_policy,
10778 		.flags = GENL_ADMIN_PERM,
10779 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10780 				  NL80211_FLAG_NEED_RTNL,
10781 	},
10782 	{
10783 		.cmd = NL80211_CMD_SET_WDS_PEER,
10784 		.doit = nl80211_set_wds_peer,
10785 		.policy = nl80211_policy,
10786 		.flags = GENL_ADMIN_PERM,
10787 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10788 				  NL80211_FLAG_NEED_RTNL,
10789 	},
10790 	{
10791 		.cmd = NL80211_CMD_JOIN_MESH,
10792 		.doit = nl80211_join_mesh,
10793 		.policy = nl80211_policy,
10794 		.flags = GENL_ADMIN_PERM,
10795 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10796 				  NL80211_FLAG_NEED_RTNL,
10797 	},
10798 	{
10799 		.cmd = NL80211_CMD_LEAVE_MESH,
10800 		.doit = nl80211_leave_mesh,
10801 		.policy = nl80211_policy,
10802 		.flags = GENL_ADMIN_PERM,
10803 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10804 				  NL80211_FLAG_NEED_RTNL,
10805 	},
10806 	{
10807 		.cmd = NL80211_CMD_JOIN_OCB,
10808 		.doit = nl80211_join_ocb,
10809 		.policy = nl80211_policy,
10810 		.flags = GENL_ADMIN_PERM,
10811 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10812 				  NL80211_FLAG_NEED_RTNL,
10813 	},
10814 	{
10815 		.cmd = NL80211_CMD_LEAVE_OCB,
10816 		.doit = nl80211_leave_ocb,
10817 		.policy = nl80211_policy,
10818 		.flags = GENL_ADMIN_PERM,
10819 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10820 				  NL80211_FLAG_NEED_RTNL,
10821 	},
10822 #ifdef CONFIG_PM
10823 	{
10824 		.cmd = NL80211_CMD_GET_WOWLAN,
10825 		.doit = nl80211_get_wowlan,
10826 		.policy = nl80211_policy,
10827 		/* can be retrieved by unprivileged users */
10828 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10829 				  NL80211_FLAG_NEED_RTNL,
10830 	},
10831 	{
10832 		.cmd = NL80211_CMD_SET_WOWLAN,
10833 		.doit = nl80211_set_wowlan,
10834 		.policy = nl80211_policy,
10835 		.flags = GENL_ADMIN_PERM,
10836 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10837 				  NL80211_FLAG_NEED_RTNL,
10838 	},
10839 #endif
10840 	{
10841 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
10842 		.doit = nl80211_set_rekey_data,
10843 		.policy = nl80211_policy,
10844 		.flags = GENL_ADMIN_PERM,
10845 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10846 				  NL80211_FLAG_NEED_RTNL |
10847 				  NL80211_FLAG_CLEAR_SKB,
10848 	},
10849 	{
10850 		.cmd = NL80211_CMD_TDLS_MGMT,
10851 		.doit = nl80211_tdls_mgmt,
10852 		.policy = nl80211_policy,
10853 		.flags = GENL_ADMIN_PERM,
10854 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10855 				  NL80211_FLAG_NEED_RTNL,
10856 	},
10857 	{
10858 		.cmd = NL80211_CMD_TDLS_OPER,
10859 		.doit = nl80211_tdls_oper,
10860 		.policy = nl80211_policy,
10861 		.flags = GENL_ADMIN_PERM,
10862 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10863 				  NL80211_FLAG_NEED_RTNL,
10864 	},
10865 	{
10866 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
10867 		.doit = nl80211_register_unexpected_frame,
10868 		.policy = nl80211_policy,
10869 		.flags = GENL_ADMIN_PERM,
10870 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10871 				  NL80211_FLAG_NEED_RTNL,
10872 	},
10873 	{
10874 		.cmd = NL80211_CMD_PROBE_CLIENT,
10875 		.doit = nl80211_probe_client,
10876 		.policy = nl80211_policy,
10877 		.flags = GENL_ADMIN_PERM,
10878 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10879 				  NL80211_FLAG_NEED_RTNL,
10880 	},
10881 	{
10882 		.cmd = NL80211_CMD_REGISTER_BEACONS,
10883 		.doit = nl80211_register_beacons,
10884 		.policy = nl80211_policy,
10885 		.flags = GENL_ADMIN_PERM,
10886 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10887 				  NL80211_FLAG_NEED_RTNL,
10888 	},
10889 	{
10890 		.cmd = NL80211_CMD_SET_NOACK_MAP,
10891 		.doit = nl80211_set_noack_map,
10892 		.policy = nl80211_policy,
10893 		.flags = GENL_ADMIN_PERM,
10894 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10895 				  NL80211_FLAG_NEED_RTNL,
10896 	},
10897 	{
10898 		.cmd = NL80211_CMD_START_P2P_DEVICE,
10899 		.doit = nl80211_start_p2p_device,
10900 		.policy = nl80211_policy,
10901 		.flags = GENL_ADMIN_PERM,
10902 		.internal_flags = NL80211_FLAG_NEED_WDEV |
10903 				  NL80211_FLAG_NEED_RTNL,
10904 	},
10905 	{
10906 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
10907 		.doit = nl80211_stop_p2p_device,
10908 		.policy = nl80211_policy,
10909 		.flags = GENL_ADMIN_PERM,
10910 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10911 				  NL80211_FLAG_NEED_RTNL,
10912 	},
10913 	{
10914 		.cmd = NL80211_CMD_SET_MCAST_RATE,
10915 		.doit = nl80211_set_mcast_rate,
10916 		.policy = nl80211_policy,
10917 		.flags = GENL_ADMIN_PERM,
10918 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10919 				  NL80211_FLAG_NEED_RTNL,
10920 	},
10921 	{
10922 		.cmd = NL80211_CMD_SET_MAC_ACL,
10923 		.doit = nl80211_set_mac_acl,
10924 		.policy = nl80211_policy,
10925 		.flags = GENL_ADMIN_PERM,
10926 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10927 				  NL80211_FLAG_NEED_RTNL,
10928 	},
10929 	{
10930 		.cmd = NL80211_CMD_RADAR_DETECT,
10931 		.doit = nl80211_start_radar_detection,
10932 		.policy = nl80211_policy,
10933 		.flags = GENL_ADMIN_PERM,
10934 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10935 				  NL80211_FLAG_NEED_RTNL,
10936 	},
10937 	{
10938 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
10939 		.doit = nl80211_get_protocol_features,
10940 		.policy = nl80211_policy,
10941 	},
10942 	{
10943 		.cmd = NL80211_CMD_UPDATE_FT_IES,
10944 		.doit = nl80211_update_ft_ies,
10945 		.policy = nl80211_policy,
10946 		.flags = GENL_ADMIN_PERM,
10947 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10948 				  NL80211_FLAG_NEED_RTNL,
10949 	},
10950 	{
10951 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
10952 		.doit = nl80211_crit_protocol_start,
10953 		.policy = nl80211_policy,
10954 		.flags = GENL_ADMIN_PERM,
10955 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10956 				  NL80211_FLAG_NEED_RTNL,
10957 	},
10958 	{
10959 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
10960 		.doit = nl80211_crit_protocol_stop,
10961 		.policy = nl80211_policy,
10962 		.flags = GENL_ADMIN_PERM,
10963 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10964 				  NL80211_FLAG_NEED_RTNL,
10965 	},
10966 	{
10967 		.cmd = NL80211_CMD_GET_COALESCE,
10968 		.doit = nl80211_get_coalesce,
10969 		.policy = nl80211_policy,
10970 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10971 				  NL80211_FLAG_NEED_RTNL,
10972 	},
10973 	{
10974 		.cmd = NL80211_CMD_SET_COALESCE,
10975 		.doit = nl80211_set_coalesce,
10976 		.policy = nl80211_policy,
10977 		.flags = GENL_ADMIN_PERM,
10978 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10979 				  NL80211_FLAG_NEED_RTNL,
10980 	},
10981 	{
10982 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
10983 		.doit = nl80211_channel_switch,
10984 		.policy = nl80211_policy,
10985 		.flags = GENL_ADMIN_PERM,
10986 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10987 				  NL80211_FLAG_NEED_RTNL,
10988 	},
10989 	{
10990 		.cmd = NL80211_CMD_VENDOR,
10991 		.doit = nl80211_vendor_cmd,
10992 		.policy = nl80211_policy,
10993 		.flags = GENL_ADMIN_PERM,
10994 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10995 				  NL80211_FLAG_NEED_RTNL,
10996 	},
10997 	{
10998 		.cmd = NL80211_CMD_SET_QOS_MAP,
10999 		.doit = nl80211_set_qos_map,
11000 		.policy = nl80211_policy,
11001 		.flags = GENL_ADMIN_PERM,
11002 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11003 				  NL80211_FLAG_NEED_RTNL,
11004 	},
11005 	{
11006 		.cmd = NL80211_CMD_ADD_TX_TS,
11007 		.doit = nl80211_add_tx_ts,
11008 		.policy = nl80211_policy,
11009 		.flags = GENL_ADMIN_PERM,
11010 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11011 				  NL80211_FLAG_NEED_RTNL,
11012 	},
11013 	{
11014 		.cmd = NL80211_CMD_DEL_TX_TS,
11015 		.doit = nl80211_del_tx_ts,
11016 		.policy = nl80211_policy,
11017 		.flags = GENL_ADMIN_PERM,
11018 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11019 				  NL80211_FLAG_NEED_RTNL,
11020 	},
11021 	{
11022 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
11023 		.doit = nl80211_tdls_channel_switch,
11024 		.policy = nl80211_policy,
11025 		.flags = GENL_ADMIN_PERM,
11026 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11027 				  NL80211_FLAG_NEED_RTNL,
11028 	},
11029 	{
11030 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
11031 		.doit = nl80211_tdls_cancel_channel_switch,
11032 		.policy = nl80211_policy,
11033 		.flags = GENL_ADMIN_PERM,
11034 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11035 				  NL80211_FLAG_NEED_RTNL,
11036 	},
11037 };
11038 
11039 /* notification functions */
11040 
11041 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
11042 			  enum nl80211_commands cmd)
11043 {
11044 	struct sk_buff *msg;
11045 	struct nl80211_dump_wiphy_state state = {};
11046 
11047 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
11048 		cmd != NL80211_CMD_DEL_WIPHY);
11049 
11050 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11051 	if (!msg)
11052 		return;
11053 
11054 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
11055 		nlmsg_free(msg);
11056 		return;
11057 	}
11058 
11059 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11060 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
11061 }
11062 
11063 static int nl80211_add_scan_req(struct sk_buff *msg,
11064 				struct cfg80211_registered_device *rdev)
11065 {
11066 	struct cfg80211_scan_request *req = rdev->scan_req;
11067 	struct nlattr *nest;
11068 	int i;
11069 
11070 	if (WARN_ON(!req))
11071 		return 0;
11072 
11073 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_SSIDS);
11074 	if (!nest)
11075 		goto nla_put_failure;
11076 	for (i = 0; i < req->n_ssids; i++) {
11077 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
11078 			goto nla_put_failure;
11079 	}
11080 	nla_nest_end(msg, nest);
11081 
11082 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
11083 	if (!nest)
11084 		goto nla_put_failure;
11085 	for (i = 0; i < req->n_channels; i++) {
11086 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
11087 			goto nla_put_failure;
11088 	}
11089 	nla_nest_end(msg, nest);
11090 
11091 	if (req->ie &&
11092 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
11093 		goto nla_put_failure;
11094 
11095 	if (req->flags &&
11096 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
11097 		goto nla_put_failure;
11098 
11099 	return 0;
11100  nla_put_failure:
11101 	return -ENOBUFS;
11102 }
11103 
11104 static int nl80211_send_scan_msg(struct sk_buff *msg,
11105 				 struct cfg80211_registered_device *rdev,
11106 				 struct wireless_dev *wdev,
11107 				 u32 portid, u32 seq, int flags,
11108 				 u32 cmd)
11109 {
11110 	void *hdr;
11111 
11112 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
11113 	if (!hdr)
11114 		return -1;
11115 
11116 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11117 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
11118 					 wdev->netdev->ifindex)) ||
11119 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
11120 		goto nla_put_failure;
11121 
11122 	/* ignore errors and send incomplete event anyway */
11123 	nl80211_add_scan_req(msg, rdev);
11124 
11125 	genlmsg_end(msg, hdr);
11126 	return 0;
11127 
11128  nla_put_failure:
11129 	genlmsg_cancel(msg, hdr);
11130 	return -EMSGSIZE;
11131 }
11132 
11133 static int
11134 nl80211_send_sched_scan_msg(struct sk_buff *msg,
11135 			    struct cfg80211_registered_device *rdev,
11136 			    struct net_device *netdev,
11137 			    u32 portid, u32 seq, int flags, u32 cmd)
11138 {
11139 	void *hdr;
11140 
11141 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
11142 	if (!hdr)
11143 		return -1;
11144 
11145 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11146 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
11147 		goto nla_put_failure;
11148 
11149 	genlmsg_end(msg, hdr);
11150 	return 0;
11151 
11152  nla_put_failure:
11153 	genlmsg_cancel(msg, hdr);
11154 	return -EMSGSIZE;
11155 }
11156 
11157 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
11158 			     struct wireless_dev *wdev)
11159 {
11160 	struct sk_buff *msg;
11161 
11162 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11163 	if (!msg)
11164 		return;
11165 
11166 	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
11167 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
11168 		nlmsg_free(msg);
11169 		return;
11170 	}
11171 
11172 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11173 				NL80211_MCGRP_SCAN, GFP_KERNEL);
11174 }
11175 
11176 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
11177 				       struct wireless_dev *wdev, bool aborted)
11178 {
11179 	struct sk_buff *msg;
11180 
11181 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11182 	if (!msg)
11183 		return NULL;
11184 
11185 	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
11186 				  aborted ? NL80211_CMD_SCAN_ABORTED :
11187 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
11188 		nlmsg_free(msg);
11189 		return NULL;
11190 	}
11191 
11192 	return msg;
11193 }
11194 
11195 void nl80211_send_scan_result(struct cfg80211_registered_device *rdev,
11196 			      struct sk_buff *msg)
11197 {
11198 	if (!msg)
11199 		return;
11200 
11201 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11202 				NL80211_MCGRP_SCAN, GFP_KERNEL);
11203 }
11204 
11205 void nl80211_send_sched_scan_results(struct cfg80211_registered_device *rdev,
11206 				     struct net_device *netdev)
11207 {
11208 	struct sk_buff *msg;
11209 
11210 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11211 	if (!msg)
11212 		return;
11213 
11214 	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0,
11215 					NL80211_CMD_SCHED_SCAN_RESULTS) < 0) {
11216 		nlmsg_free(msg);
11217 		return;
11218 	}
11219 
11220 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11221 				NL80211_MCGRP_SCAN, GFP_KERNEL);
11222 }
11223 
11224 void nl80211_send_sched_scan(struct cfg80211_registered_device *rdev,
11225 			     struct net_device *netdev, u32 cmd)
11226 {
11227 	struct sk_buff *msg;
11228 
11229 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11230 	if (!msg)
11231 		return;
11232 
11233 	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0, cmd) < 0) {
11234 		nlmsg_free(msg);
11235 		return;
11236 	}
11237 
11238 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11239 				NL80211_MCGRP_SCAN, GFP_KERNEL);
11240 }
11241 
11242 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
11243 					  struct regulatory_request *request)
11244 {
11245 	/* Userspace can always count this one always being set */
11246 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
11247 		goto nla_put_failure;
11248 
11249 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
11250 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
11251 			       NL80211_REGDOM_TYPE_WORLD))
11252 			goto nla_put_failure;
11253 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
11254 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
11255 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
11256 			goto nla_put_failure;
11257 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
11258 		   request->intersect) {
11259 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
11260 			       NL80211_REGDOM_TYPE_INTERSECTION))
11261 			goto nla_put_failure;
11262 	} else {
11263 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
11264 			       NL80211_REGDOM_TYPE_COUNTRY) ||
11265 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
11266 				   request->alpha2))
11267 			goto nla_put_failure;
11268 	}
11269 
11270 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
11271 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
11272 
11273 		if (wiphy &&
11274 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
11275 			goto nla_put_failure;
11276 
11277 		if (wiphy &&
11278 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
11279 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
11280 			goto nla_put_failure;
11281 	}
11282 
11283 	return true;
11284 
11285 nla_put_failure:
11286 	return false;
11287 }
11288 
11289 /*
11290  * This can happen on global regulatory changes or device specific settings
11291  * based on custom regulatory domains.
11292  */
11293 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
11294 				     struct regulatory_request *request)
11295 {
11296 	struct sk_buff *msg;
11297 	void *hdr;
11298 
11299 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11300 	if (!msg)
11301 		return;
11302 
11303 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
11304 	if (!hdr) {
11305 		nlmsg_free(msg);
11306 		return;
11307 	}
11308 
11309 	if (nl80211_reg_change_event_fill(msg, request) == false)
11310 		goto nla_put_failure;
11311 
11312 	genlmsg_end(msg, hdr);
11313 
11314 	rcu_read_lock();
11315 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
11316 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
11317 	rcu_read_unlock();
11318 
11319 	return;
11320 
11321 nla_put_failure:
11322 	genlmsg_cancel(msg, hdr);
11323 	nlmsg_free(msg);
11324 }
11325 
11326 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
11327 				    struct net_device *netdev,
11328 				    const u8 *buf, size_t len,
11329 				    enum nl80211_commands cmd, gfp_t gfp,
11330 				    int uapsd_queues)
11331 {
11332 	struct sk_buff *msg;
11333 	void *hdr;
11334 
11335 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11336 	if (!msg)
11337 		return;
11338 
11339 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
11340 	if (!hdr) {
11341 		nlmsg_free(msg);
11342 		return;
11343 	}
11344 
11345 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11346 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11347 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf))
11348 		goto nla_put_failure;
11349 
11350 	if (uapsd_queues >= 0) {
11351 		struct nlattr *nla_wmm =
11352 			nla_nest_start(msg, NL80211_ATTR_STA_WME);
11353 		if (!nla_wmm)
11354 			goto nla_put_failure;
11355 
11356 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
11357 			       uapsd_queues))
11358 			goto nla_put_failure;
11359 
11360 		nla_nest_end(msg, nla_wmm);
11361 	}
11362 
11363 	genlmsg_end(msg, hdr);
11364 
11365 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11366 				NL80211_MCGRP_MLME, gfp);
11367 	return;
11368 
11369  nla_put_failure:
11370 	genlmsg_cancel(msg, hdr);
11371 	nlmsg_free(msg);
11372 }
11373 
11374 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
11375 			  struct net_device *netdev, const u8 *buf,
11376 			  size_t len, gfp_t gfp)
11377 {
11378 	nl80211_send_mlme_event(rdev, netdev, buf, len,
11379 				NL80211_CMD_AUTHENTICATE, gfp, -1);
11380 }
11381 
11382 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
11383 			   struct net_device *netdev, const u8 *buf,
11384 			   size_t len, gfp_t gfp, int uapsd_queues)
11385 {
11386 	nl80211_send_mlme_event(rdev, netdev, buf, len,
11387 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues);
11388 }
11389 
11390 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
11391 			 struct net_device *netdev, const u8 *buf,
11392 			 size_t len, gfp_t gfp)
11393 {
11394 	nl80211_send_mlme_event(rdev, netdev, buf, len,
11395 				NL80211_CMD_DEAUTHENTICATE, gfp, -1);
11396 }
11397 
11398 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
11399 			   struct net_device *netdev, const u8 *buf,
11400 			   size_t len, gfp_t gfp)
11401 {
11402 	nl80211_send_mlme_event(rdev, netdev, buf, len,
11403 				NL80211_CMD_DISASSOCIATE, gfp, -1);
11404 }
11405 
11406 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
11407 				  size_t len)
11408 {
11409 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11410 	struct wiphy *wiphy = wdev->wiphy;
11411 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11412 	const struct ieee80211_mgmt *mgmt = (void *)buf;
11413 	u32 cmd;
11414 
11415 	if (WARN_ON(len < 2))
11416 		return;
11417 
11418 	if (ieee80211_is_deauth(mgmt->frame_control))
11419 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
11420 	else
11421 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
11422 
11423 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
11424 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1);
11425 }
11426 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
11427 
11428 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
11429 				      struct net_device *netdev, int cmd,
11430 				      const u8 *addr, gfp_t gfp)
11431 {
11432 	struct sk_buff *msg;
11433 	void *hdr;
11434 
11435 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11436 	if (!msg)
11437 		return;
11438 
11439 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
11440 	if (!hdr) {
11441 		nlmsg_free(msg);
11442 		return;
11443 	}
11444 
11445 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11446 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11447 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
11448 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
11449 		goto nla_put_failure;
11450 
11451 	genlmsg_end(msg, hdr);
11452 
11453 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11454 				NL80211_MCGRP_MLME, gfp);
11455 	return;
11456 
11457  nla_put_failure:
11458 	genlmsg_cancel(msg, hdr);
11459 	nlmsg_free(msg);
11460 }
11461 
11462 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
11463 			       struct net_device *netdev, const u8 *addr,
11464 			       gfp_t gfp)
11465 {
11466 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
11467 				  addr, gfp);
11468 }
11469 
11470 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
11471 				struct net_device *netdev, const u8 *addr,
11472 				gfp_t gfp)
11473 {
11474 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
11475 				  addr, gfp);
11476 }
11477 
11478 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
11479 				 struct net_device *netdev, const u8 *bssid,
11480 				 const u8 *req_ie, size_t req_ie_len,
11481 				 const u8 *resp_ie, size_t resp_ie_len,
11482 				 u16 status, gfp_t gfp)
11483 {
11484 	struct sk_buff *msg;
11485 	void *hdr;
11486 
11487 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11488 	if (!msg)
11489 		return;
11490 
11491 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
11492 	if (!hdr) {
11493 		nlmsg_free(msg);
11494 		return;
11495 	}
11496 
11497 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11498 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11499 	    (bssid && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid)) ||
11500 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE, status) ||
11501 	    (req_ie &&
11502 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
11503 	    (resp_ie &&
11504 	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
11505 		goto nla_put_failure;
11506 
11507 	genlmsg_end(msg, hdr);
11508 
11509 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11510 				NL80211_MCGRP_MLME, gfp);
11511 	return;
11512 
11513  nla_put_failure:
11514 	genlmsg_cancel(msg, hdr);
11515 	nlmsg_free(msg);
11516 
11517 }
11518 
11519 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
11520 			 struct net_device *netdev, const u8 *bssid,
11521 			 const u8 *req_ie, size_t req_ie_len,
11522 			 const u8 *resp_ie, size_t resp_ie_len, gfp_t gfp)
11523 {
11524 	struct sk_buff *msg;
11525 	void *hdr;
11526 
11527 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11528 	if (!msg)
11529 		return;
11530 
11531 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
11532 	if (!hdr) {
11533 		nlmsg_free(msg);
11534 		return;
11535 	}
11536 
11537 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11538 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11539 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
11540 	    (req_ie &&
11541 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
11542 	    (resp_ie &&
11543 	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
11544 		goto nla_put_failure;
11545 
11546 	genlmsg_end(msg, hdr);
11547 
11548 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11549 				NL80211_MCGRP_MLME, gfp);
11550 	return;
11551 
11552  nla_put_failure:
11553 	genlmsg_cancel(msg, hdr);
11554 	nlmsg_free(msg);
11555 
11556 }
11557 
11558 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
11559 			       struct net_device *netdev, u16 reason,
11560 			       const u8 *ie, size_t ie_len, bool from_ap)
11561 {
11562 	struct sk_buff *msg;
11563 	void *hdr;
11564 
11565 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11566 	if (!msg)
11567 		return;
11568 
11569 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
11570 	if (!hdr) {
11571 		nlmsg_free(msg);
11572 		return;
11573 	}
11574 
11575 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11576 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11577 	    (from_ap && reason &&
11578 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
11579 	    (from_ap &&
11580 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
11581 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
11582 		goto nla_put_failure;
11583 
11584 	genlmsg_end(msg, hdr);
11585 
11586 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11587 				NL80211_MCGRP_MLME, GFP_KERNEL);
11588 	return;
11589 
11590  nla_put_failure:
11591 	genlmsg_cancel(msg, hdr);
11592 	nlmsg_free(msg);
11593 
11594 }
11595 
11596 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
11597 			     struct net_device *netdev, const u8 *bssid,
11598 			     gfp_t gfp)
11599 {
11600 	struct sk_buff *msg;
11601 	void *hdr;
11602 
11603 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11604 	if (!msg)
11605 		return;
11606 
11607 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
11608 	if (!hdr) {
11609 		nlmsg_free(msg);
11610 		return;
11611 	}
11612 
11613 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11614 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11615 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
11616 		goto nla_put_failure;
11617 
11618 	genlmsg_end(msg, hdr);
11619 
11620 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11621 				NL80211_MCGRP_MLME, gfp);
11622 	return;
11623 
11624  nla_put_failure:
11625 	genlmsg_cancel(msg, hdr);
11626 	nlmsg_free(msg);
11627 }
11628 
11629 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
11630 					const u8* ie, u8 ie_len, gfp_t gfp)
11631 {
11632 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11633 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
11634 	struct sk_buff *msg;
11635 	void *hdr;
11636 
11637 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
11638 		return;
11639 
11640 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
11641 
11642 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11643 	if (!msg)
11644 		return;
11645 
11646 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
11647 	if (!hdr) {
11648 		nlmsg_free(msg);
11649 		return;
11650 	}
11651 
11652 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11653 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11654 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
11655 	    (ie_len && ie &&
11656 	     nla_put(msg, NL80211_ATTR_IE, ie_len , ie)))
11657 		goto nla_put_failure;
11658 
11659 	genlmsg_end(msg, hdr);
11660 
11661 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11662 				NL80211_MCGRP_MLME, gfp);
11663 	return;
11664 
11665  nla_put_failure:
11666 	genlmsg_cancel(msg, hdr);
11667 	nlmsg_free(msg);
11668 }
11669 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
11670 
11671 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
11672 				 struct net_device *netdev, const u8 *addr,
11673 				 enum nl80211_key_type key_type, int key_id,
11674 				 const u8 *tsc, gfp_t gfp)
11675 {
11676 	struct sk_buff *msg;
11677 	void *hdr;
11678 
11679 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11680 	if (!msg)
11681 		return;
11682 
11683 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
11684 	if (!hdr) {
11685 		nlmsg_free(msg);
11686 		return;
11687 	}
11688 
11689 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11690 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11691 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
11692 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
11693 	    (key_id != -1 &&
11694 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
11695 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
11696 		goto nla_put_failure;
11697 
11698 	genlmsg_end(msg, hdr);
11699 
11700 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11701 				NL80211_MCGRP_MLME, gfp);
11702 	return;
11703 
11704  nla_put_failure:
11705 	genlmsg_cancel(msg, hdr);
11706 	nlmsg_free(msg);
11707 }
11708 
11709 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
11710 				    struct ieee80211_channel *channel_before,
11711 				    struct ieee80211_channel *channel_after)
11712 {
11713 	struct sk_buff *msg;
11714 	void *hdr;
11715 	struct nlattr *nl_freq;
11716 
11717 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
11718 	if (!msg)
11719 		return;
11720 
11721 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
11722 	if (!hdr) {
11723 		nlmsg_free(msg);
11724 		return;
11725 	}
11726 
11727 	/*
11728 	 * Since we are applying the beacon hint to a wiphy we know its
11729 	 * wiphy_idx is valid
11730 	 */
11731 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
11732 		goto nla_put_failure;
11733 
11734 	/* Before */
11735 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_BEFORE);
11736 	if (!nl_freq)
11737 		goto nla_put_failure;
11738 	if (nl80211_msg_put_channel(msg, channel_before, false))
11739 		goto nla_put_failure;
11740 	nla_nest_end(msg, nl_freq);
11741 
11742 	/* After */
11743 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_AFTER);
11744 	if (!nl_freq)
11745 		goto nla_put_failure;
11746 	if (nl80211_msg_put_channel(msg, channel_after, false))
11747 		goto nla_put_failure;
11748 	nla_nest_end(msg, nl_freq);
11749 
11750 	genlmsg_end(msg, hdr);
11751 
11752 	rcu_read_lock();
11753 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
11754 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
11755 	rcu_read_unlock();
11756 
11757 	return;
11758 
11759 nla_put_failure:
11760 	genlmsg_cancel(msg, hdr);
11761 	nlmsg_free(msg);
11762 }
11763 
11764 static void nl80211_send_remain_on_chan_event(
11765 	int cmd, struct cfg80211_registered_device *rdev,
11766 	struct wireless_dev *wdev, u64 cookie,
11767 	struct ieee80211_channel *chan,
11768 	unsigned int duration, gfp_t gfp)
11769 {
11770 	struct sk_buff *msg;
11771 	void *hdr;
11772 
11773 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11774 	if (!msg)
11775 		return;
11776 
11777 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
11778 	if (!hdr) {
11779 		nlmsg_free(msg);
11780 		return;
11781 	}
11782 
11783 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11784 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
11785 					 wdev->netdev->ifindex)) ||
11786 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
11787 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
11788 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
11789 			NL80211_CHAN_NO_HT) ||
11790 	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
11791 		goto nla_put_failure;
11792 
11793 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
11794 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
11795 		goto nla_put_failure;
11796 
11797 	genlmsg_end(msg, hdr);
11798 
11799 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11800 				NL80211_MCGRP_MLME, gfp);
11801 	return;
11802 
11803  nla_put_failure:
11804 	genlmsg_cancel(msg, hdr);
11805 	nlmsg_free(msg);
11806 }
11807 
11808 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
11809 			       struct ieee80211_channel *chan,
11810 			       unsigned int duration, gfp_t gfp)
11811 {
11812 	struct wiphy *wiphy = wdev->wiphy;
11813 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11814 
11815 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
11816 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
11817 					  rdev, wdev, cookie, chan,
11818 					  duration, gfp);
11819 }
11820 EXPORT_SYMBOL(cfg80211_ready_on_channel);
11821 
11822 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
11823 					struct ieee80211_channel *chan,
11824 					gfp_t gfp)
11825 {
11826 	struct wiphy *wiphy = wdev->wiphy;
11827 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11828 
11829 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
11830 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
11831 					  rdev, wdev, cookie, chan, 0, gfp);
11832 }
11833 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
11834 
11835 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
11836 		      struct station_info *sinfo, gfp_t gfp)
11837 {
11838 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
11839 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11840 	struct sk_buff *msg;
11841 
11842 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
11843 
11844 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11845 	if (!msg)
11846 		return;
11847 
11848 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
11849 				 rdev, dev, mac_addr, sinfo) < 0) {
11850 		nlmsg_free(msg);
11851 		return;
11852 	}
11853 
11854 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11855 				NL80211_MCGRP_MLME, gfp);
11856 }
11857 EXPORT_SYMBOL(cfg80211_new_sta);
11858 
11859 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
11860 			    struct station_info *sinfo, gfp_t gfp)
11861 {
11862 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
11863 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11864 	struct sk_buff *msg;
11865 	struct station_info empty_sinfo = {};
11866 
11867 	if (!sinfo)
11868 		sinfo = &empty_sinfo;
11869 
11870 	trace_cfg80211_del_sta(dev, mac_addr);
11871 
11872 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11873 	if (!msg)
11874 		return;
11875 
11876 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
11877 				 rdev, dev, mac_addr, sinfo) < 0) {
11878 		nlmsg_free(msg);
11879 		return;
11880 	}
11881 
11882 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11883 				NL80211_MCGRP_MLME, gfp);
11884 }
11885 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
11886 
11887 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
11888 			  enum nl80211_connect_failed_reason reason,
11889 			  gfp_t gfp)
11890 {
11891 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
11892 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11893 	struct sk_buff *msg;
11894 	void *hdr;
11895 
11896 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
11897 	if (!msg)
11898 		return;
11899 
11900 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
11901 	if (!hdr) {
11902 		nlmsg_free(msg);
11903 		return;
11904 	}
11905 
11906 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11907 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
11908 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
11909 		goto nla_put_failure;
11910 
11911 	genlmsg_end(msg, hdr);
11912 
11913 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11914 				NL80211_MCGRP_MLME, gfp);
11915 	return;
11916 
11917  nla_put_failure:
11918 	genlmsg_cancel(msg, hdr);
11919 	nlmsg_free(msg);
11920 }
11921 EXPORT_SYMBOL(cfg80211_conn_failed);
11922 
11923 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
11924 				       const u8 *addr, gfp_t gfp)
11925 {
11926 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11927 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
11928 	struct sk_buff *msg;
11929 	void *hdr;
11930 	u32 nlportid = ACCESS_ONCE(wdev->ap_unexpected_nlportid);
11931 
11932 	if (!nlportid)
11933 		return false;
11934 
11935 	msg = nlmsg_new(100, gfp);
11936 	if (!msg)
11937 		return true;
11938 
11939 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
11940 	if (!hdr) {
11941 		nlmsg_free(msg);
11942 		return true;
11943 	}
11944 
11945 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11946 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11947 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
11948 		goto nla_put_failure;
11949 
11950 	genlmsg_end(msg, hdr);
11951 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
11952 	return true;
11953 
11954  nla_put_failure:
11955 	genlmsg_cancel(msg, hdr);
11956 	nlmsg_free(msg);
11957 	return true;
11958 }
11959 
11960 bool cfg80211_rx_spurious_frame(struct net_device *dev,
11961 				const u8 *addr, gfp_t gfp)
11962 {
11963 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11964 	bool ret;
11965 
11966 	trace_cfg80211_rx_spurious_frame(dev, addr);
11967 
11968 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
11969 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
11970 		trace_cfg80211_return_bool(false);
11971 		return false;
11972 	}
11973 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
11974 					 addr, gfp);
11975 	trace_cfg80211_return_bool(ret);
11976 	return ret;
11977 }
11978 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
11979 
11980 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
11981 					const u8 *addr, gfp_t gfp)
11982 {
11983 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11984 	bool ret;
11985 
11986 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
11987 
11988 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
11989 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
11990 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
11991 		trace_cfg80211_return_bool(false);
11992 		return false;
11993 	}
11994 	ret = __nl80211_unexpected_frame(dev,
11995 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
11996 					 addr, gfp);
11997 	trace_cfg80211_return_bool(ret);
11998 	return ret;
11999 }
12000 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
12001 
12002 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
12003 		      struct wireless_dev *wdev, u32 nlportid,
12004 		      int freq, int sig_dbm,
12005 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
12006 {
12007 	struct net_device *netdev = wdev->netdev;
12008 	struct sk_buff *msg;
12009 	void *hdr;
12010 
12011 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12012 	if (!msg)
12013 		return -ENOMEM;
12014 
12015 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
12016 	if (!hdr) {
12017 		nlmsg_free(msg);
12018 		return -ENOMEM;
12019 	}
12020 
12021 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12022 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12023 					netdev->ifindex)) ||
12024 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
12025 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq) ||
12026 	    (sig_dbm &&
12027 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
12028 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
12029 	    (flags &&
12030 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
12031 		goto nla_put_failure;
12032 
12033 	genlmsg_end(msg, hdr);
12034 
12035 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
12036 
12037  nla_put_failure:
12038 	genlmsg_cancel(msg, hdr);
12039 	nlmsg_free(msg);
12040 	return -ENOBUFS;
12041 }
12042 
12043 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
12044 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
12045 {
12046 	struct wiphy *wiphy = wdev->wiphy;
12047 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12048 	struct net_device *netdev = wdev->netdev;
12049 	struct sk_buff *msg;
12050 	void *hdr;
12051 
12052 	trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
12053 
12054 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12055 	if (!msg)
12056 		return;
12057 
12058 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME_TX_STATUS);
12059 	if (!hdr) {
12060 		nlmsg_free(msg);
12061 		return;
12062 	}
12063 
12064 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12065 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12066 				   netdev->ifindex)) ||
12067 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
12068 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
12069 	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie) ||
12070 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
12071 		goto nla_put_failure;
12072 
12073 	genlmsg_end(msg, hdr);
12074 
12075 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12076 				NL80211_MCGRP_MLME, gfp);
12077 	return;
12078 
12079  nla_put_failure:
12080 	genlmsg_cancel(msg, hdr);
12081 	nlmsg_free(msg);
12082 }
12083 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
12084 
12085 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
12086 					    const char *mac, gfp_t gfp)
12087 {
12088 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12089 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
12090 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12091 	void **cb;
12092 
12093 	if (!msg)
12094 		return NULL;
12095 
12096 	cb = (void **)msg->cb;
12097 
12098 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
12099 	if (!cb[0]) {
12100 		nlmsg_free(msg);
12101 		return NULL;
12102 	}
12103 
12104 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12105 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
12106 		goto nla_put_failure;
12107 
12108 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
12109 		goto nla_put_failure;
12110 
12111 	cb[1] = nla_nest_start(msg, NL80211_ATTR_CQM);
12112 	if (!cb[1])
12113 		goto nla_put_failure;
12114 
12115 	cb[2] = rdev;
12116 
12117 	return msg;
12118  nla_put_failure:
12119 	nlmsg_free(msg);
12120 	return NULL;
12121 }
12122 
12123 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
12124 {
12125 	void **cb = (void **)msg->cb;
12126 	struct cfg80211_registered_device *rdev = cb[2];
12127 
12128 	nla_nest_end(msg, cb[1]);
12129 	genlmsg_end(msg, cb[0]);
12130 
12131 	memset(msg->cb, 0, sizeof(msg->cb));
12132 
12133 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12134 				NL80211_MCGRP_MLME, gfp);
12135 }
12136 
12137 void cfg80211_cqm_rssi_notify(struct net_device *dev,
12138 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
12139 			      gfp_t gfp)
12140 {
12141 	struct sk_buff *msg;
12142 
12143 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event);
12144 
12145 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
12146 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
12147 		return;
12148 
12149 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
12150 	if (!msg)
12151 		return;
12152 
12153 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
12154 			rssi_event))
12155 		goto nla_put_failure;
12156 
12157 	cfg80211_send_cqm(msg, gfp);
12158 
12159 	return;
12160 
12161  nla_put_failure:
12162 	nlmsg_free(msg);
12163 }
12164 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
12165 
12166 void cfg80211_cqm_txe_notify(struct net_device *dev,
12167 			     const u8 *peer, u32 num_packets,
12168 			     u32 rate, u32 intvl, gfp_t gfp)
12169 {
12170 	struct sk_buff *msg;
12171 
12172 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
12173 	if (!msg)
12174 		return;
12175 
12176 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
12177 		goto nla_put_failure;
12178 
12179 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
12180 		goto nla_put_failure;
12181 
12182 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
12183 		goto nla_put_failure;
12184 
12185 	cfg80211_send_cqm(msg, gfp);
12186 	return;
12187 
12188  nla_put_failure:
12189 	nlmsg_free(msg);
12190 }
12191 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
12192 
12193 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
12194 				 const u8 *peer, u32 num_packets, gfp_t gfp)
12195 {
12196 	struct sk_buff *msg;
12197 
12198 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
12199 
12200 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
12201 	if (!msg)
12202 		return;
12203 
12204 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
12205 		goto nla_put_failure;
12206 
12207 	cfg80211_send_cqm(msg, gfp);
12208 	return;
12209 
12210  nla_put_failure:
12211 	nlmsg_free(msg);
12212 }
12213 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
12214 
12215 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
12216 {
12217 	struct sk_buff *msg;
12218 
12219 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
12220 	if (!msg)
12221 		return;
12222 
12223 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
12224 		goto nla_put_failure;
12225 
12226 	cfg80211_send_cqm(msg, gfp);
12227 	return;
12228 
12229  nla_put_failure:
12230 	nlmsg_free(msg);
12231 }
12232 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
12233 
12234 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
12235 				     struct net_device *netdev, const u8 *bssid,
12236 				     const u8 *replay_ctr, gfp_t gfp)
12237 {
12238 	struct sk_buff *msg;
12239 	struct nlattr *rekey_attr;
12240 	void *hdr;
12241 
12242 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12243 	if (!msg)
12244 		return;
12245 
12246 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
12247 	if (!hdr) {
12248 		nlmsg_free(msg);
12249 		return;
12250 	}
12251 
12252 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12253 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12254 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
12255 		goto nla_put_failure;
12256 
12257 	rekey_attr = nla_nest_start(msg, NL80211_ATTR_REKEY_DATA);
12258 	if (!rekey_attr)
12259 		goto nla_put_failure;
12260 
12261 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
12262 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
12263 		goto nla_put_failure;
12264 
12265 	nla_nest_end(msg, rekey_attr);
12266 
12267 	genlmsg_end(msg, hdr);
12268 
12269 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12270 				NL80211_MCGRP_MLME, gfp);
12271 	return;
12272 
12273  nla_put_failure:
12274 	genlmsg_cancel(msg, hdr);
12275 	nlmsg_free(msg);
12276 }
12277 
12278 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
12279 			       const u8 *replay_ctr, gfp_t gfp)
12280 {
12281 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12282 	struct wiphy *wiphy = wdev->wiphy;
12283 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12284 
12285 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
12286 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
12287 }
12288 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
12289 
12290 static void
12291 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
12292 			       struct net_device *netdev, int index,
12293 			       const u8 *bssid, bool preauth, gfp_t gfp)
12294 {
12295 	struct sk_buff *msg;
12296 	struct nlattr *attr;
12297 	void *hdr;
12298 
12299 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12300 	if (!msg)
12301 		return;
12302 
12303 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
12304 	if (!hdr) {
12305 		nlmsg_free(msg);
12306 		return;
12307 	}
12308 
12309 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12310 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
12311 		goto nla_put_failure;
12312 
12313 	attr = nla_nest_start(msg, NL80211_ATTR_PMKSA_CANDIDATE);
12314 	if (!attr)
12315 		goto nla_put_failure;
12316 
12317 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
12318 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
12319 	    (preauth &&
12320 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
12321 		goto nla_put_failure;
12322 
12323 	nla_nest_end(msg, attr);
12324 
12325 	genlmsg_end(msg, hdr);
12326 
12327 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12328 				NL80211_MCGRP_MLME, gfp);
12329 	return;
12330 
12331  nla_put_failure:
12332 	genlmsg_cancel(msg, hdr);
12333 	nlmsg_free(msg);
12334 }
12335 
12336 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
12337 				     const u8 *bssid, bool preauth, gfp_t gfp)
12338 {
12339 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12340 	struct wiphy *wiphy = wdev->wiphy;
12341 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12342 
12343 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
12344 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
12345 }
12346 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
12347 
12348 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
12349 				     struct net_device *netdev,
12350 				     struct cfg80211_chan_def *chandef,
12351 				     gfp_t gfp,
12352 				     enum nl80211_commands notif,
12353 				     u8 count)
12354 {
12355 	struct sk_buff *msg;
12356 	void *hdr;
12357 
12358 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12359 	if (!msg)
12360 		return;
12361 
12362 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
12363 	if (!hdr) {
12364 		nlmsg_free(msg);
12365 		return;
12366 	}
12367 
12368 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
12369 		goto nla_put_failure;
12370 
12371 	if (nl80211_send_chandef(msg, chandef))
12372 		goto nla_put_failure;
12373 
12374 	if ((notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) &&
12375 	    (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count)))
12376 			goto nla_put_failure;
12377 
12378 	genlmsg_end(msg, hdr);
12379 
12380 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12381 				NL80211_MCGRP_MLME, gfp);
12382 	return;
12383 
12384  nla_put_failure:
12385 	genlmsg_cancel(msg, hdr);
12386 	nlmsg_free(msg);
12387 }
12388 
12389 void cfg80211_ch_switch_notify(struct net_device *dev,
12390 			       struct cfg80211_chan_def *chandef)
12391 {
12392 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12393 	struct wiphy *wiphy = wdev->wiphy;
12394 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12395 
12396 	ASSERT_WDEV_LOCK(wdev);
12397 
12398 	trace_cfg80211_ch_switch_notify(dev, chandef);
12399 
12400 	wdev->chandef = *chandef;
12401 	wdev->preset_chandef = *chandef;
12402 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
12403 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0);
12404 }
12405 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
12406 
12407 void cfg80211_ch_switch_started_notify(struct net_device *dev,
12408 				       struct cfg80211_chan_def *chandef,
12409 				       u8 count)
12410 {
12411 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12412 	struct wiphy *wiphy = wdev->wiphy;
12413 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12414 
12415 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
12416 
12417 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
12418 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY, count);
12419 }
12420 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
12421 
12422 void
12423 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
12424 		     const struct cfg80211_chan_def *chandef,
12425 		     enum nl80211_radar_event event,
12426 		     struct net_device *netdev, gfp_t gfp)
12427 {
12428 	struct sk_buff *msg;
12429 	void *hdr;
12430 
12431 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12432 	if (!msg)
12433 		return;
12434 
12435 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
12436 	if (!hdr) {
12437 		nlmsg_free(msg);
12438 		return;
12439 	}
12440 
12441 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
12442 		goto nla_put_failure;
12443 
12444 	/* NOP and radar events don't need a netdev parameter */
12445 	if (netdev) {
12446 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
12447 
12448 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12449 		    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
12450 			goto nla_put_failure;
12451 	}
12452 
12453 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
12454 		goto nla_put_failure;
12455 
12456 	if (nl80211_send_chandef(msg, chandef))
12457 		goto nla_put_failure;
12458 
12459 	genlmsg_end(msg, hdr);
12460 
12461 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12462 				NL80211_MCGRP_MLME, gfp);
12463 	return;
12464 
12465  nla_put_failure:
12466 	genlmsg_cancel(msg, hdr);
12467 	nlmsg_free(msg);
12468 }
12469 
12470 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
12471 			   u64 cookie, bool acked, gfp_t gfp)
12472 {
12473 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12474 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
12475 	struct sk_buff *msg;
12476 	void *hdr;
12477 
12478 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
12479 
12480 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12481 
12482 	if (!msg)
12483 		return;
12484 
12485 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
12486 	if (!hdr) {
12487 		nlmsg_free(msg);
12488 		return;
12489 	}
12490 
12491 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12492 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
12493 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
12494 	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie) ||
12495 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)))
12496 		goto nla_put_failure;
12497 
12498 	genlmsg_end(msg, hdr);
12499 
12500 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12501 				NL80211_MCGRP_MLME, gfp);
12502 	return;
12503 
12504  nla_put_failure:
12505 	genlmsg_cancel(msg, hdr);
12506 	nlmsg_free(msg);
12507 }
12508 EXPORT_SYMBOL(cfg80211_probe_status);
12509 
12510 void cfg80211_report_obss_beacon(struct wiphy *wiphy,
12511 				 const u8 *frame, size_t len,
12512 				 int freq, int sig_dbm)
12513 {
12514 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12515 	struct sk_buff *msg;
12516 	void *hdr;
12517 	struct cfg80211_beacon_registration *reg;
12518 
12519 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
12520 
12521 	spin_lock_bh(&rdev->beacon_registrations_lock);
12522 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
12523 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
12524 		if (!msg) {
12525 			spin_unlock_bh(&rdev->beacon_registrations_lock);
12526 			return;
12527 		}
12528 
12529 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
12530 		if (!hdr)
12531 			goto nla_put_failure;
12532 
12533 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12534 		    (freq &&
12535 		     nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq)) ||
12536 		    (sig_dbm &&
12537 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
12538 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
12539 			goto nla_put_failure;
12540 
12541 		genlmsg_end(msg, hdr);
12542 
12543 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
12544 	}
12545 	spin_unlock_bh(&rdev->beacon_registrations_lock);
12546 	return;
12547 
12548  nla_put_failure:
12549 	spin_unlock_bh(&rdev->beacon_registrations_lock);
12550 	if (hdr)
12551 		genlmsg_cancel(msg, hdr);
12552 	nlmsg_free(msg);
12553 }
12554 EXPORT_SYMBOL(cfg80211_report_obss_beacon);
12555 
12556 #ifdef CONFIG_PM
12557 static int cfg80211_net_detect_results(struct sk_buff *msg,
12558 				       struct cfg80211_wowlan_wakeup *wakeup)
12559 {
12560 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
12561 	struct nlattr *nl_results, *nl_match, *nl_freqs;
12562 	int i, j;
12563 
12564 	nl_results = nla_nest_start(
12565 		msg, NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
12566 	if (!nl_results)
12567 		return -EMSGSIZE;
12568 
12569 	for (i = 0; i < nd->n_matches; i++) {
12570 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
12571 
12572 		nl_match = nla_nest_start(msg, i);
12573 		if (!nl_match)
12574 			break;
12575 
12576 		/* The SSID attribute is optional in nl80211, but for
12577 		 * simplicity reasons it's always present in the
12578 		 * cfg80211 structure.  If a driver can't pass the
12579 		 * SSID, that needs to be changed.  A zero length SSID
12580 		 * is still a valid SSID (wildcard), so it cannot be
12581 		 * used for this purpose.
12582 		 */
12583 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
12584 			    match->ssid.ssid)) {
12585 			nla_nest_cancel(msg, nl_match);
12586 			goto out;
12587 		}
12588 
12589 		if (match->n_channels) {
12590 			nl_freqs = nla_nest_start(
12591 				msg, NL80211_ATTR_SCAN_FREQUENCIES);
12592 			if (!nl_freqs) {
12593 				nla_nest_cancel(msg, nl_match);
12594 				goto out;
12595 			}
12596 
12597 			for (j = 0; j < match->n_channels; j++) {
12598 				if (nla_put_u32(msg, j, match->channels[j])) {
12599 					nla_nest_cancel(msg, nl_freqs);
12600 					nla_nest_cancel(msg, nl_match);
12601 					goto out;
12602 				}
12603 			}
12604 
12605 			nla_nest_end(msg, nl_freqs);
12606 		}
12607 
12608 		nla_nest_end(msg, nl_match);
12609 	}
12610 
12611 out:
12612 	nla_nest_end(msg, nl_results);
12613 	return 0;
12614 }
12615 
12616 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
12617 				   struct cfg80211_wowlan_wakeup *wakeup,
12618 				   gfp_t gfp)
12619 {
12620 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
12621 	struct sk_buff *msg;
12622 	void *hdr;
12623 	int size = 200;
12624 
12625 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
12626 
12627 	if (wakeup)
12628 		size += wakeup->packet_present_len;
12629 
12630 	msg = nlmsg_new(size, gfp);
12631 	if (!msg)
12632 		return;
12633 
12634 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
12635 	if (!hdr)
12636 		goto free_msg;
12637 
12638 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12639 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
12640 		goto free_msg;
12641 
12642 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12643 					wdev->netdev->ifindex))
12644 		goto free_msg;
12645 
12646 	if (wakeup) {
12647 		struct nlattr *reasons;
12648 
12649 		reasons = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
12650 		if (!reasons)
12651 			goto free_msg;
12652 
12653 		if (wakeup->disconnect &&
12654 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
12655 			goto free_msg;
12656 		if (wakeup->magic_pkt &&
12657 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
12658 			goto free_msg;
12659 		if (wakeup->gtk_rekey_failure &&
12660 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
12661 			goto free_msg;
12662 		if (wakeup->eap_identity_req &&
12663 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
12664 			goto free_msg;
12665 		if (wakeup->four_way_handshake &&
12666 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
12667 			goto free_msg;
12668 		if (wakeup->rfkill_release &&
12669 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
12670 			goto free_msg;
12671 
12672 		if (wakeup->pattern_idx >= 0 &&
12673 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
12674 				wakeup->pattern_idx))
12675 			goto free_msg;
12676 
12677 		if (wakeup->tcp_match &&
12678 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
12679 			goto free_msg;
12680 
12681 		if (wakeup->tcp_connlost &&
12682 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
12683 			goto free_msg;
12684 
12685 		if (wakeup->tcp_nomoretokens &&
12686 		    nla_put_flag(msg,
12687 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
12688 			goto free_msg;
12689 
12690 		if (wakeup->packet) {
12691 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
12692 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
12693 
12694 			if (!wakeup->packet_80211) {
12695 				pkt_attr =
12696 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
12697 				len_attr =
12698 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
12699 			}
12700 
12701 			if (wakeup->packet_len &&
12702 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
12703 				goto free_msg;
12704 
12705 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
12706 				    wakeup->packet))
12707 				goto free_msg;
12708 		}
12709 
12710 		if (wakeup->net_detect &&
12711 		    cfg80211_net_detect_results(msg, wakeup))
12712 				goto free_msg;
12713 
12714 		nla_nest_end(msg, reasons);
12715 	}
12716 
12717 	genlmsg_end(msg, hdr);
12718 
12719 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12720 				NL80211_MCGRP_MLME, gfp);
12721 	return;
12722 
12723  free_msg:
12724 	nlmsg_free(msg);
12725 }
12726 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
12727 #endif
12728 
12729 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
12730 				enum nl80211_tdls_operation oper,
12731 				u16 reason_code, gfp_t gfp)
12732 {
12733 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12734 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
12735 	struct sk_buff *msg;
12736 	void *hdr;
12737 
12738 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
12739 					 reason_code);
12740 
12741 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12742 	if (!msg)
12743 		return;
12744 
12745 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
12746 	if (!hdr) {
12747 		nlmsg_free(msg);
12748 		return;
12749 	}
12750 
12751 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12752 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
12753 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
12754 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
12755 	    (reason_code > 0 &&
12756 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
12757 		goto nla_put_failure;
12758 
12759 	genlmsg_end(msg, hdr);
12760 
12761 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12762 				NL80211_MCGRP_MLME, gfp);
12763 	return;
12764 
12765  nla_put_failure:
12766 	genlmsg_cancel(msg, hdr);
12767 	nlmsg_free(msg);
12768 }
12769 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
12770 
12771 static int nl80211_netlink_notify(struct notifier_block * nb,
12772 				  unsigned long state,
12773 				  void *_notify)
12774 {
12775 	struct netlink_notify *notify = _notify;
12776 	struct cfg80211_registered_device *rdev;
12777 	struct wireless_dev *wdev;
12778 	struct cfg80211_beacon_registration *reg, *tmp;
12779 
12780 	if (state != NETLINK_URELEASE)
12781 		return NOTIFY_DONE;
12782 
12783 	rcu_read_lock();
12784 
12785 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
12786 		bool schedule_destroy_work = false;
12787 		bool schedule_scan_stop = false;
12788 		struct cfg80211_sched_scan_request *sched_scan_req =
12789 			rcu_dereference(rdev->sched_scan_req);
12790 
12791 		if (sched_scan_req && notify->portid &&
12792 		    sched_scan_req->owner_nlportid == notify->portid)
12793 			schedule_scan_stop = true;
12794 
12795 		list_for_each_entry_rcu(wdev, &rdev->wdev_list, list) {
12796 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
12797 
12798 			if (wdev->owner_nlportid == notify->portid)
12799 				schedule_destroy_work = true;
12800 		}
12801 
12802 		spin_lock_bh(&rdev->beacon_registrations_lock);
12803 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
12804 					 list) {
12805 			if (reg->nlportid == notify->portid) {
12806 				list_del(&reg->list);
12807 				kfree(reg);
12808 				break;
12809 			}
12810 		}
12811 		spin_unlock_bh(&rdev->beacon_registrations_lock);
12812 
12813 		if (schedule_destroy_work) {
12814 			struct cfg80211_iface_destroy *destroy;
12815 
12816 			destroy = kzalloc(sizeof(*destroy), GFP_ATOMIC);
12817 			if (destroy) {
12818 				destroy->nlportid = notify->portid;
12819 				spin_lock(&rdev->destroy_list_lock);
12820 				list_add(&destroy->list, &rdev->destroy_list);
12821 				spin_unlock(&rdev->destroy_list_lock);
12822 				schedule_work(&rdev->destroy_work);
12823 			}
12824 		} else if (schedule_scan_stop) {
12825 			sched_scan_req->owner_nlportid = 0;
12826 
12827 			if (rdev->ops->sched_scan_stop &&
12828 			    rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
12829 				schedule_work(&rdev->sched_scan_stop_wk);
12830 		}
12831 	}
12832 
12833 	rcu_read_unlock();
12834 
12835 	/*
12836 	 * It is possible that the user space process that is controlling the
12837 	 * indoor setting disappeared, so notify the regulatory core.
12838 	 */
12839 	regulatory_netlink_notify(notify->portid);
12840 	return NOTIFY_OK;
12841 }
12842 
12843 static struct notifier_block nl80211_netlink_notifier = {
12844 	.notifier_call = nl80211_netlink_notify,
12845 };
12846 
12847 void cfg80211_ft_event(struct net_device *netdev,
12848 		       struct cfg80211_ft_event_params *ft_event)
12849 {
12850 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
12851 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12852 	struct sk_buff *msg;
12853 	void *hdr;
12854 
12855 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
12856 
12857 	if (!ft_event->target_ap)
12858 		return;
12859 
12860 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12861 	if (!msg)
12862 		return;
12863 
12864 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
12865 	if (!hdr)
12866 		goto out;
12867 
12868 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12869 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12870 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
12871 		goto out;
12872 
12873 	if (ft_event->ies &&
12874 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
12875 		goto out;
12876 	if (ft_event->ric_ies &&
12877 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
12878 		    ft_event->ric_ies))
12879 		goto out;
12880 
12881 	genlmsg_end(msg, hdr);
12882 
12883 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12884 				NL80211_MCGRP_MLME, GFP_KERNEL);
12885 	return;
12886  out:
12887 	nlmsg_free(msg);
12888 }
12889 EXPORT_SYMBOL(cfg80211_ft_event);
12890 
12891 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
12892 {
12893 	struct cfg80211_registered_device *rdev;
12894 	struct sk_buff *msg;
12895 	void *hdr;
12896 	u32 nlportid;
12897 
12898 	rdev = wiphy_to_rdev(wdev->wiphy);
12899 	if (!rdev->crit_proto_nlportid)
12900 		return;
12901 
12902 	nlportid = rdev->crit_proto_nlportid;
12903 	rdev->crit_proto_nlportid = 0;
12904 
12905 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12906 	if (!msg)
12907 		return;
12908 
12909 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
12910 	if (!hdr)
12911 		goto nla_put_failure;
12912 
12913 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12914 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
12915 		goto nla_put_failure;
12916 
12917 	genlmsg_end(msg, hdr);
12918 
12919 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
12920 	return;
12921 
12922  nla_put_failure:
12923 	if (hdr)
12924 		genlmsg_cancel(msg, hdr);
12925 	nlmsg_free(msg);
12926 
12927 }
12928 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
12929 
12930 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
12931 {
12932 	struct wiphy *wiphy = wdev->wiphy;
12933 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12934 	struct sk_buff *msg;
12935 	void *hdr;
12936 
12937 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12938 	if (!msg)
12939 		return;
12940 
12941 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
12942 	if (!hdr)
12943 		goto out;
12944 
12945 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12946 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
12947 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
12948 		goto out;
12949 
12950 	genlmsg_end(msg, hdr);
12951 
12952 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
12953 				NL80211_MCGRP_MLME, GFP_KERNEL);
12954 	return;
12955  out:
12956 	nlmsg_free(msg);
12957 }
12958 
12959 /* initialisation/exit functions */
12960 
12961 int nl80211_init(void)
12962 {
12963 	int err;
12964 
12965 	err = genl_register_family_with_ops_groups(&nl80211_fam, nl80211_ops,
12966 						   nl80211_mcgrps);
12967 	if (err)
12968 		return err;
12969 
12970 	err = netlink_register_notifier(&nl80211_netlink_notifier);
12971 	if (err)
12972 		goto err_out;
12973 
12974 	return 0;
12975  err_out:
12976 	genl_unregister_family(&nl80211_fam);
12977 	return err;
12978 }
12979 
12980 void nl80211_exit(void)
12981 {
12982 	netlink_unregister_notifier(&nl80211_netlink_notifier);
12983 	genl_unregister_family(&nl80211_fam);
12984 }
12985