xref: /openbmc/linux/net/wireless/nl80211.c (revision c51d39010a1bccc9c1294e2d7c00005aefeb2b5c) 
1 /*
2  * This is the new netlink-based wireless configuration interface.
3  *
4  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
5  * Copyright 2013-2014  Intel Mobile Communications GmbH
6  * Copyright 2015-2016	Intel Deutschland GmbH
7  */
8 
9 #include <linux/if.h>
10 #include <linux/module.h>
11 #include <linux/err.h>
12 #include <linux/slab.h>
13 #include <linux/list.h>
14 #include <linux/if_ether.h>
15 #include <linux/ieee80211.h>
16 #include <linux/nl80211.h>
17 #include <linux/rtnetlink.h>
18 #include <linux/netlink.h>
19 #include <linux/etherdevice.h>
20 #include <net/net_namespace.h>
21 #include <net/genetlink.h>
22 #include <net/cfg80211.h>
23 #include <net/sock.h>
24 #include <net/inet_connection_sock.h>
25 #include "core.h"
26 #include "nl80211.h"
27 #include "reg.h"
28 #include "rdev-ops.h"
29 
30 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
31 				   struct genl_info *info,
32 				   struct cfg80211_crypto_settings *settings,
33 				   int cipher_limit);
34 
35 /* the netlink family */
36 static struct genl_family nl80211_fam;
37 
38 /* multicast groups */
39 enum nl80211_multicast_groups {
40 	NL80211_MCGRP_CONFIG,
41 	NL80211_MCGRP_SCAN,
42 	NL80211_MCGRP_REGULATORY,
43 	NL80211_MCGRP_MLME,
44 	NL80211_MCGRP_VENDOR,
45 	NL80211_MCGRP_NAN,
46 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
47 };
48 
49 static const struct genl_multicast_group nl80211_mcgrps[] = {
50 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
51 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
52 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
53 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
54 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
55 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
56 #ifdef CONFIG_NL80211_TESTMODE
57 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
58 #endif
59 };
60 
61 /* returns ERR_PTR values */
62 static struct wireless_dev *
63 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
64 {
65 	struct cfg80211_registered_device *rdev;
66 	struct wireless_dev *result = NULL;
67 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
68 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
69 	u64 wdev_id;
70 	int wiphy_idx = -1;
71 	int ifidx = -1;
72 
73 	ASSERT_RTNL();
74 
75 	if (!have_ifidx && !have_wdev_id)
76 		return ERR_PTR(-EINVAL);
77 
78 	if (have_ifidx)
79 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
80 	if (have_wdev_id) {
81 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
82 		wiphy_idx = wdev_id >> 32;
83 	}
84 
85 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
86 		struct wireless_dev *wdev;
87 
88 		if (wiphy_net(&rdev->wiphy) != netns)
89 			continue;
90 
91 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
92 			continue;
93 
94 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
95 			if (have_ifidx && wdev->netdev &&
96 			    wdev->netdev->ifindex == ifidx) {
97 				result = wdev;
98 				break;
99 			}
100 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
101 				result = wdev;
102 				break;
103 			}
104 		}
105 
106 		if (result)
107 			break;
108 	}
109 
110 	if (result)
111 		return result;
112 	return ERR_PTR(-ENODEV);
113 }
114 
115 static struct cfg80211_registered_device *
116 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
117 {
118 	struct cfg80211_registered_device *rdev = NULL, *tmp;
119 	struct net_device *netdev;
120 
121 	ASSERT_RTNL();
122 
123 	if (!attrs[NL80211_ATTR_WIPHY] &&
124 	    !attrs[NL80211_ATTR_IFINDEX] &&
125 	    !attrs[NL80211_ATTR_WDEV])
126 		return ERR_PTR(-EINVAL);
127 
128 	if (attrs[NL80211_ATTR_WIPHY])
129 		rdev = cfg80211_rdev_by_wiphy_idx(
130 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
131 
132 	if (attrs[NL80211_ATTR_WDEV]) {
133 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
134 		struct wireless_dev *wdev;
135 		bool found = false;
136 
137 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
138 		if (tmp) {
139 			/* make sure wdev exists */
140 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
141 				if (wdev->identifier != (u32)wdev_id)
142 					continue;
143 				found = true;
144 				break;
145 			}
146 
147 			if (!found)
148 				tmp = NULL;
149 
150 			if (rdev && tmp != rdev)
151 				return ERR_PTR(-EINVAL);
152 			rdev = tmp;
153 		}
154 	}
155 
156 	if (attrs[NL80211_ATTR_IFINDEX]) {
157 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
158 
159 		netdev = __dev_get_by_index(netns, ifindex);
160 		if (netdev) {
161 			if (netdev->ieee80211_ptr)
162 				tmp = wiphy_to_rdev(
163 					netdev->ieee80211_ptr->wiphy);
164 			else
165 				tmp = NULL;
166 
167 			/* not wireless device -- return error */
168 			if (!tmp)
169 				return ERR_PTR(-EINVAL);
170 
171 			/* mismatch -- return error */
172 			if (rdev && tmp != rdev)
173 				return ERR_PTR(-EINVAL);
174 
175 			rdev = tmp;
176 		}
177 	}
178 
179 	if (!rdev)
180 		return ERR_PTR(-ENODEV);
181 
182 	if (netns != wiphy_net(&rdev->wiphy))
183 		return ERR_PTR(-ENODEV);
184 
185 	return rdev;
186 }
187 
188 /*
189  * This function returns a pointer to the driver
190  * that the genl_info item that is passed refers to.
191  *
192  * The result of this can be a PTR_ERR and hence must
193  * be checked with IS_ERR() for errors.
194  */
195 static struct cfg80211_registered_device *
196 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
197 {
198 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
199 }
200 
201 /* policy for the attributes */
202 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
203 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
204 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
205 				      .len = 20-1 },
206 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
207 
208 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
209 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
210 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
211 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
212 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
213 
214 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = { .type = NLA_U8 },
215 	[NL80211_ATTR_WIPHY_RETRY_LONG] = { .type = NLA_U8 },
216 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
217 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
218 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
219 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
220 
221 	[NL80211_ATTR_IFTYPE] = { .type = NLA_U32 },
222 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
223 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
224 
225 	[NL80211_ATTR_MAC] = { .len = ETH_ALEN },
226 	[NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },
227 
228 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
229 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
230 				    .len = WLAN_MAX_KEY_LEN },
231 	[NL80211_ATTR_KEY_IDX] = { .type = NLA_U8 },
232 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
233 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
234 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
235 	[NL80211_ATTR_KEY_TYPE] = { .type = NLA_U32 },
236 
237 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
238 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
239 	[NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
240 				       .len = IEEE80211_MAX_DATA_LEN },
241 	[NL80211_ATTR_BEACON_TAIL] = { .type = NLA_BINARY,
242 				       .len = IEEE80211_MAX_DATA_LEN },
243 	[NL80211_ATTR_STA_AID] = { .type = NLA_U16 },
244 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
245 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
246 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
247 					       .len = NL80211_MAX_SUPP_RATES },
248 	[NL80211_ATTR_STA_PLINK_ACTION] = { .type = NLA_U8 },
249 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
250 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
251 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
252 				   .len = IEEE80211_MAX_MESH_ID_LEN },
253 	[NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
254 
255 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
256 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
257 
258 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
259 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
260 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
261 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
262 					   .len = NL80211_MAX_SUPP_RATES },
263 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
264 
265 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
266 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
267 
268 	[NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
269 
270 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
271 	[NL80211_ATTR_IE] = { .type = NLA_BINARY,
272 			      .len = IEEE80211_MAX_DATA_LEN },
273 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
274 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
275 
276 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
277 				.len = IEEE80211_MAX_SSID_LEN },
278 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
279 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
280 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
281 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
282 	[NL80211_ATTR_USE_MFP] = { .type = NLA_U32 },
283 	[NL80211_ATTR_STA_FLAGS2] = {
284 		.len = sizeof(struct nl80211_sta_flag_update),
285 	},
286 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
287 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
288 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
289 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
290 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
291 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
292 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
293 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
294 	[NL80211_ATTR_PMKID] = { .type = NLA_BINARY,
295 				 .len = WLAN_PMKID_LEN },
296 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
297 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
298 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
299 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
300 				 .len = IEEE80211_MAX_DATA_LEN },
301 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
302 	[NL80211_ATTR_PS_STATE] = { .type = NLA_U32 },
303 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
304 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
305 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
306 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
307 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
308 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
309 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
310 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
311 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
312 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
313 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
314 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
315 	[NL80211_ATTR_STA_PLINK_STATE] = { .type = NLA_U8 },
316 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
317 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
318 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
319 	[NL80211_ATTR_HIDDEN_SSID] = { .type = NLA_U32 },
320 	[NL80211_ATTR_IE_PROBE_RESP] = { .type = NLA_BINARY,
321 					 .len = IEEE80211_MAX_DATA_LEN },
322 	[NL80211_ATTR_IE_ASSOC_RESP] = { .type = NLA_BINARY,
323 					 .len = IEEE80211_MAX_DATA_LEN },
324 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
325 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
326 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
327 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
328 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
329 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
330 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
331 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
332 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
333 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
334 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
335 				      .len = IEEE80211_MAX_DATA_LEN },
336 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
337 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
338 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
339 		.len = NL80211_HT_CAPABILITY_LEN
340 	},
341 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
342 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
343 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
344 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
345 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
346 	[NL80211_ATTR_AUTH_DATA] = { .type = NLA_BINARY, },
347 	[NL80211_ATTR_VHT_CAPABILITY] = { .len = NL80211_VHT_CAPABILITY_LEN },
348 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
349 	[NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
350 	[NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
351 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
352 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
353 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
354 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
355 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
356 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
357 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
358 		.len = NL80211_VHT_CAPABILITY_LEN,
359 	},
360 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
361 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
362 				  .len = IEEE80211_MAX_DATA_LEN },
363 	[NL80211_ATTR_PEER_AID] = { .type = NLA_U16 },
364 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
365 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
366 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
367 	[NL80211_ATTR_CSA_C_OFF_BEACON] = { .type = NLA_BINARY },
368 	[NL80211_ATTR_CSA_C_OFF_PRESP] = { .type = NLA_BINARY },
369 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = { .type = NLA_BINARY },
370 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] = { .type = NLA_BINARY },
371 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
372 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
373 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
374 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
375 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
376 	[NL80211_ATTR_QOS_MAP] = { .type = NLA_BINARY,
377 				   .len = IEEE80211_QOS_MAP_LEN_MAX },
378 	[NL80211_ATTR_MAC_HINT] = { .len = ETH_ALEN },
379 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
380 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
381 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
382 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
383 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
384 	[NL80211_ATTR_TSID] = { .type = NLA_U8 },
385 	[NL80211_ATTR_USER_PRIO] = { .type = NLA_U8 },
386 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
387 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
388 	[NL80211_ATTR_MAC_MASK] = { .len = ETH_ALEN },
389 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
390 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
391 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
392 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
393 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
394 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
395 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] = { .type = NLA_U8 },
396 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
397 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
398 	},
399 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = { .len = ETH_ALEN },
400 	[NL80211_ATTR_NAN_MASTER_PREF] = { .type = NLA_U8 },
401 	[NL80211_ATTR_NAN_DUAL] = { .type = NLA_U8 },
402 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
403 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
404 				    .len = FILS_MAX_KEK_LEN },
405 	[NL80211_ATTR_FILS_NONCES] = { .len = 2 * FILS_NONCE_LEN },
406 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
407 };
408 
409 /* policy for the key attributes */
410 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
411 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
412 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
413 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
414 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
415 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
416 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
417 	[NL80211_KEY_TYPE] = { .type = NLA_U32 },
418 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
419 };
420 
421 /* policy for the key default flags */
422 static const struct nla_policy
423 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
424 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
425 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
426 };
427 
428 #ifdef CONFIG_PM
429 /* policy for WoWLAN attributes */
430 static const struct nla_policy
431 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
432 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
433 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
434 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
435 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
436 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
437 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
438 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
439 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
440 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
441 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
442 };
443 
444 static const struct nla_policy
445 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
446 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
447 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
448 	[NL80211_WOWLAN_TCP_DST_MAC] = { .len = ETH_ALEN },
449 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
450 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
451 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = { .len = 1 },
452 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
453 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
454 	},
455 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
456 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
457 	},
458 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
459 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = { .len = 1 },
460 	[NL80211_WOWLAN_TCP_WAKE_MASK] = { .len = 1 },
461 };
462 #endif /* CONFIG_PM */
463 
464 /* policy for coalesce rule attributes */
465 static const struct nla_policy
466 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
467 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
468 	[NL80211_ATTR_COALESCE_RULE_CONDITION] = { .type = NLA_U32 },
469 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
470 };
471 
472 /* policy for GTK rekey offload attributes */
473 static const struct nla_policy
474 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
475 	[NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
476 	[NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
477 	[NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
478 };
479 
480 static const struct nla_policy
481 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
482 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
483 						 .len = IEEE80211_MAX_SSID_LEN },
484 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
485 };
486 
487 static const struct nla_policy
488 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
489 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
490 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
491 };
492 
493 static const struct nla_policy
494 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
495 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
496 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
497 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
498 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
499 	},
500 };
501 
502 /* policy for NAN function attributes */
503 static const struct nla_policy
504 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
505 	[NL80211_NAN_FUNC_TYPE] = { .type = NLA_U8 },
506 	[NL80211_NAN_FUNC_SERVICE_ID] = { .type = NLA_BINARY,
507 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
508 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
509 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
510 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
511 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
512 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
513 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = { .len = ETH_ALEN },
514 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
515 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
516 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
517 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
518 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
519 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
520 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
521 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
522 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
523 };
524 
525 /* policy for Service Response Filter attributes */
526 static const struct nla_policy
527 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
528 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
529 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
530 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
531 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
532 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
533 };
534 
535 static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
536 				     struct netlink_callback *cb,
537 				     struct cfg80211_registered_device **rdev,
538 				     struct wireless_dev **wdev)
539 {
540 	int err;
541 
542 	rtnl_lock();
543 
544 	if (!cb->args[0]) {
545 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
546 				  genl_family_attrbuf(&nl80211_fam),
547 				  nl80211_fam.maxattr, nl80211_policy);
548 		if (err)
549 			goto out_unlock;
550 
551 		*wdev = __cfg80211_wdev_from_attrs(
552 					sock_net(skb->sk),
553 					genl_family_attrbuf(&nl80211_fam));
554 		if (IS_ERR(*wdev)) {
555 			err = PTR_ERR(*wdev);
556 			goto out_unlock;
557 		}
558 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
559 		/* 0 is the first index - add 1 to parse only once */
560 		cb->args[0] = (*rdev)->wiphy_idx + 1;
561 		cb->args[1] = (*wdev)->identifier;
562 	} else {
563 		/* subtract the 1 again here */
564 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
565 		struct wireless_dev *tmp;
566 
567 		if (!wiphy) {
568 			err = -ENODEV;
569 			goto out_unlock;
570 		}
571 		*rdev = wiphy_to_rdev(wiphy);
572 		*wdev = NULL;
573 
574 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
575 			if (tmp->identifier == cb->args[1]) {
576 				*wdev = tmp;
577 				break;
578 			}
579 		}
580 
581 		if (!*wdev) {
582 			err = -ENODEV;
583 			goto out_unlock;
584 		}
585 	}
586 
587 	return 0;
588  out_unlock:
589 	rtnl_unlock();
590 	return err;
591 }
592 
593 static void nl80211_finish_wdev_dump(struct cfg80211_registered_device *rdev)
594 {
595 	rtnl_unlock();
596 }
597 
598 /* IE validation */
599 static bool is_valid_ie_attr(const struct nlattr *attr)
600 {
601 	const u8 *pos;
602 	int len;
603 
604 	if (!attr)
605 		return true;
606 
607 	pos = nla_data(attr);
608 	len = nla_len(attr);
609 
610 	while (len) {
611 		u8 elemlen;
612 
613 		if (len < 2)
614 			return false;
615 		len -= 2;
616 
617 		elemlen = pos[1];
618 		if (elemlen > len)
619 			return false;
620 
621 		len -= elemlen;
622 		pos += 2 + elemlen;
623 	}
624 
625 	return true;
626 }
627 
628 /* message building helper */
629 static inline void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
630 				   int flags, u8 cmd)
631 {
632 	/* since there is no private header just add the generic one */
633 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
634 }
635 
636 static int nl80211_msg_put_channel(struct sk_buff *msg,
637 				   struct ieee80211_channel *chan,
638 				   bool large)
639 {
640 	/* Some channels must be completely excluded from the
641 	 * list to protect old user-space tools from breaking
642 	 */
643 	if (!large && chan->flags &
644 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
645 		return 0;
646 
647 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
648 			chan->center_freq))
649 		goto nla_put_failure;
650 
651 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
652 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
653 		goto nla_put_failure;
654 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
655 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
656 			goto nla_put_failure;
657 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
658 			goto nla_put_failure;
659 	}
660 	if (chan->flags & IEEE80211_CHAN_RADAR) {
661 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
662 			goto nla_put_failure;
663 		if (large) {
664 			u32 time;
665 
666 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
667 
668 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
669 					chan->dfs_state))
670 				goto nla_put_failure;
671 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
672 					time))
673 				goto nla_put_failure;
674 			if (nla_put_u32(msg,
675 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
676 					chan->dfs_cac_ms))
677 				goto nla_put_failure;
678 		}
679 	}
680 
681 	if (large) {
682 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
683 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
684 			goto nla_put_failure;
685 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
686 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
687 			goto nla_put_failure;
688 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
689 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
690 			goto nla_put_failure;
691 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
692 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
693 			goto nla_put_failure;
694 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
695 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
696 			goto nla_put_failure;
697 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
698 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
699 			goto nla_put_failure;
700 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
701 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
702 			goto nla_put_failure;
703 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
704 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
705 			goto nla_put_failure;
706 	}
707 
708 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
709 			DBM_TO_MBM(chan->max_power)))
710 		goto nla_put_failure;
711 
712 	return 0;
713 
714  nla_put_failure:
715 	return -ENOBUFS;
716 }
717 
718 /* netlink command implementations */
719 
720 struct key_parse {
721 	struct key_params p;
722 	int idx;
723 	int type;
724 	bool def, defmgmt;
725 	bool def_uni, def_multi;
726 };
727 
728 static int nl80211_parse_key_new(struct nlattr *key, struct key_parse *k)
729 {
730 	struct nlattr *tb[NL80211_KEY_MAX + 1];
731 	int err = nla_parse_nested(tb, NL80211_KEY_MAX, key,
732 				   nl80211_key_policy);
733 	if (err)
734 		return err;
735 
736 	k->def = !!tb[NL80211_KEY_DEFAULT];
737 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
738 
739 	if (k->def) {
740 		k->def_uni = true;
741 		k->def_multi = true;
742 	}
743 	if (k->defmgmt)
744 		k->def_multi = true;
745 
746 	if (tb[NL80211_KEY_IDX])
747 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
748 
749 	if (tb[NL80211_KEY_DATA]) {
750 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
751 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
752 	}
753 
754 	if (tb[NL80211_KEY_SEQ]) {
755 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
756 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
757 	}
758 
759 	if (tb[NL80211_KEY_CIPHER])
760 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
761 
762 	if (tb[NL80211_KEY_TYPE]) {
763 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
764 		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
765 			return -EINVAL;
766 	}
767 
768 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
769 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
770 
771 		err = nla_parse_nested(kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
772 				       tb[NL80211_KEY_DEFAULT_TYPES],
773 				       nl80211_key_default_policy);
774 		if (err)
775 			return err;
776 
777 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
778 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
779 	}
780 
781 	return 0;
782 }
783 
784 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
785 {
786 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
787 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
788 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
789 	}
790 
791 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
792 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
793 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
794 	}
795 
796 	if (info->attrs[NL80211_ATTR_KEY_IDX])
797 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
798 
799 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
800 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
801 
802 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
803 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
804 
805 	if (k->def) {
806 		k->def_uni = true;
807 		k->def_multi = true;
808 	}
809 	if (k->defmgmt)
810 		k->def_multi = true;
811 
812 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
813 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
814 		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
815 			return -EINVAL;
816 	}
817 
818 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
819 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
820 		int err = nla_parse_nested(
821 				kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
822 				info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
823 				nl80211_key_default_policy);
824 		if (err)
825 			return err;
826 
827 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
828 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
829 	}
830 
831 	return 0;
832 }
833 
834 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
835 {
836 	int err;
837 
838 	memset(k, 0, sizeof(*k));
839 	k->idx = -1;
840 	k->type = -1;
841 
842 	if (info->attrs[NL80211_ATTR_KEY])
843 		err = nl80211_parse_key_new(info->attrs[NL80211_ATTR_KEY], k);
844 	else
845 		err = nl80211_parse_key_old(info, k);
846 
847 	if (err)
848 		return err;
849 
850 	if (k->def && k->defmgmt)
851 		return -EINVAL;
852 
853 	if (k->defmgmt) {
854 		if (k->def_uni || !k->def_multi)
855 			return -EINVAL;
856 	}
857 
858 	if (k->idx != -1) {
859 		if (k->defmgmt) {
860 			if (k->idx < 4 || k->idx > 5)
861 				return -EINVAL;
862 		} else if (k->def) {
863 			if (k->idx < 0 || k->idx > 3)
864 				return -EINVAL;
865 		} else {
866 			if (k->idx < 0 || k->idx > 5)
867 				return -EINVAL;
868 		}
869 	}
870 
871 	return 0;
872 }
873 
874 static struct cfg80211_cached_keys *
875 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
876 		       struct nlattr *keys, bool *no_ht)
877 {
878 	struct key_parse parse;
879 	struct nlattr *key;
880 	struct cfg80211_cached_keys *result;
881 	int rem, err, def = 0;
882 	bool have_key = false;
883 
884 	nla_for_each_nested(key, keys, rem) {
885 		have_key = true;
886 		break;
887 	}
888 
889 	if (!have_key)
890 		return NULL;
891 
892 	result = kzalloc(sizeof(*result), GFP_KERNEL);
893 	if (!result)
894 		return ERR_PTR(-ENOMEM);
895 
896 	result->def = -1;
897 
898 	nla_for_each_nested(key, keys, rem) {
899 		memset(&parse, 0, sizeof(parse));
900 		parse.idx = -1;
901 
902 		err = nl80211_parse_key_new(key, &parse);
903 		if (err)
904 			goto error;
905 		err = -EINVAL;
906 		if (!parse.p.key)
907 			goto error;
908 		if (parse.idx < 0 || parse.idx > 3)
909 			goto error;
910 		if (parse.def) {
911 			if (def)
912 				goto error;
913 			def = 1;
914 			result->def = parse.idx;
915 			if (!parse.def_uni || !parse.def_multi)
916 				goto error;
917 		} else if (parse.defmgmt)
918 			goto error;
919 		err = cfg80211_validate_key_settings(rdev, &parse.p,
920 						     parse.idx, false, NULL);
921 		if (err)
922 			goto error;
923 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
924 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
925 			err = -EINVAL;
926 			goto error;
927 		}
928 		result->params[parse.idx].cipher = parse.p.cipher;
929 		result->params[parse.idx].key_len = parse.p.key_len;
930 		result->params[parse.idx].key = result->data[parse.idx];
931 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
932 
933 		/* must be WEP key if we got here */
934 		if (no_ht)
935 			*no_ht = true;
936 	}
937 
938 	if (result->def < 0) {
939 		err = -EINVAL;
940 		goto error;
941 	}
942 
943 	return result;
944  error:
945 	kfree(result);
946 	return ERR_PTR(err);
947 }
948 
949 static int nl80211_key_allowed(struct wireless_dev *wdev)
950 {
951 	ASSERT_WDEV_LOCK(wdev);
952 
953 	switch (wdev->iftype) {
954 	case NL80211_IFTYPE_AP:
955 	case NL80211_IFTYPE_AP_VLAN:
956 	case NL80211_IFTYPE_P2P_GO:
957 	case NL80211_IFTYPE_MESH_POINT:
958 		break;
959 	case NL80211_IFTYPE_ADHOC:
960 	case NL80211_IFTYPE_STATION:
961 	case NL80211_IFTYPE_P2P_CLIENT:
962 		if (!wdev->current_bss)
963 			return -ENOLINK;
964 		break;
965 	case NL80211_IFTYPE_UNSPECIFIED:
966 	case NL80211_IFTYPE_OCB:
967 	case NL80211_IFTYPE_MONITOR:
968 	case NL80211_IFTYPE_NAN:
969 	case NL80211_IFTYPE_P2P_DEVICE:
970 	case NL80211_IFTYPE_WDS:
971 	case NUM_NL80211_IFTYPES:
972 		return -EINVAL;
973 	}
974 
975 	return 0;
976 }
977 
978 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
979 							struct nlattr *tb)
980 {
981 	struct ieee80211_channel *chan;
982 
983 	if (tb == NULL)
984 		return NULL;
985 	chan = ieee80211_get_channel(wiphy, nla_get_u32(tb));
986 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
987 		return NULL;
988 	return chan;
989 }
990 
991 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
992 {
993 	struct nlattr *nl_modes = nla_nest_start(msg, attr);
994 	int i;
995 
996 	if (!nl_modes)
997 		goto nla_put_failure;
998 
999 	i = 0;
1000 	while (ifmodes) {
1001 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1002 			goto nla_put_failure;
1003 		ifmodes >>= 1;
1004 		i++;
1005 	}
1006 
1007 	nla_nest_end(msg, nl_modes);
1008 	return 0;
1009 
1010 nla_put_failure:
1011 	return -ENOBUFS;
1012 }
1013 
1014 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1015 					  struct sk_buff *msg,
1016 					  bool large)
1017 {
1018 	struct nlattr *nl_combis;
1019 	int i, j;
1020 
1021 	nl_combis = nla_nest_start(msg,
1022 				NL80211_ATTR_INTERFACE_COMBINATIONS);
1023 	if (!nl_combis)
1024 		goto nla_put_failure;
1025 
1026 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1027 		const struct ieee80211_iface_combination *c;
1028 		struct nlattr *nl_combi, *nl_limits;
1029 
1030 		c = &wiphy->iface_combinations[i];
1031 
1032 		nl_combi = nla_nest_start(msg, i + 1);
1033 		if (!nl_combi)
1034 			goto nla_put_failure;
1035 
1036 		nl_limits = nla_nest_start(msg, NL80211_IFACE_COMB_LIMITS);
1037 		if (!nl_limits)
1038 			goto nla_put_failure;
1039 
1040 		for (j = 0; j < c->n_limits; j++) {
1041 			struct nlattr *nl_limit;
1042 
1043 			nl_limit = nla_nest_start(msg, j + 1);
1044 			if (!nl_limit)
1045 				goto nla_put_failure;
1046 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1047 					c->limits[j].max))
1048 				goto nla_put_failure;
1049 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1050 						c->limits[j].types))
1051 				goto nla_put_failure;
1052 			nla_nest_end(msg, nl_limit);
1053 		}
1054 
1055 		nla_nest_end(msg, nl_limits);
1056 
1057 		if (c->beacon_int_infra_match &&
1058 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1059 			goto nla_put_failure;
1060 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1061 				c->num_different_channels) ||
1062 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1063 				c->max_interfaces))
1064 			goto nla_put_failure;
1065 		if (large &&
1066 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1067 				c->radar_detect_widths) ||
1068 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1069 				c->radar_detect_regions)))
1070 			goto nla_put_failure;
1071 		if (c->beacon_int_min_gcd &&
1072 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1073 				c->beacon_int_min_gcd))
1074 			goto nla_put_failure;
1075 
1076 		nla_nest_end(msg, nl_combi);
1077 	}
1078 
1079 	nla_nest_end(msg, nl_combis);
1080 
1081 	return 0;
1082 nla_put_failure:
1083 	return -ENOBUFS;
1084 }
1085 
1086 #ifdef CONFIG_PM
1087 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1088 					struct sk_buff *msg)
1089 {
1090 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1091 	struct nlattr *nl_tcp;
1092 
1093 	if (!tcp)
1094 		return 0;
1095 
1096 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1097 	if (!nl_tcp)
1098 		return -ENOBUFS;
1099 
1100 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1101 			tcp->data_payload_max))
1102 		return -ENOBUFS;
1103 
1104 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1105 			tcp->data_payload_max))
1106 		return -ENOBUFS;
1107 
1108 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1109 		return -ENOBUFS;
1110 
1111 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1112 				sizeof(*tcp->tok), tcp->tok))
1113 		return -ENOBUFS;
1114 
1115 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1116 			tcp->data_interval_max))
1117 		return -ENOBUFS;
1118 
1119 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1120 			tcp->wake_payload_max))
1121 		return -ENOBUFS;
1122 
1123 	nla_nest_end(msg, nl_tcp);
1124 	return 0;
1125 }
1126 
1127 static int nl80211_send_wowlan(struct sk_buff *msg,
1128 			       struct cfg80211_registered_device *rdev,
1129 			       bool large)
1130 {
1131 	struct nlattr *nl_wowlan;
1132 
1133 	if (!rdev->wiphy.wowlan)
1134 		return 0;
1135 
1136 	nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1137 	if (!nl_wowlan)
1138 		return -ENOBUFS;
1139 
1140 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1141 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1142 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1143 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1144 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1145 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1146 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1147 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1148 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1149 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1150 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1151 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1152 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1153 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1154 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1155 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1156 		return -ENOBUFS;
1157 
1158 	if (rdev->wiphy.wowlan->n_patterns) {
1159 		struct nl80211_pattern_support pat = {
1160 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1161 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1162 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1163 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1164 		};
1165 
1166 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1167 			    sizeof(pat), &pat))
1168 			return -ENOBUFS;
1169 	}
1170 
1171 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1172 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1173 			rdev->wiphy.wowlan->max_nd_match_sets))
1174 		return -ENOBUFS;
1175 
1176 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1177 		return -ENOBUFS;
1178 
1179 	nla_nest_end(msg, nl_wowlan);
1180 
1181 	return 0;
1182 }
1183 #endif
1184 
1185 static int nl80211_send_coalesce(struct sk_buff *msg,
1186 				 struct cfg80211_registered_device *rdev)
1187 {
1188 	struct nl80211_coalesce_rule_support rule;
1189 
1190 	if (!rdev->wiphy.coalesce)
1191 		return 0;
1192 
1193 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1194 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1195 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1196 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1197 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1198 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1199 
1200 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1201 		return -ENOBUFS;
1202 
1203 	return 0;
1204 }
1205 
1206 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1207 				      struct ieee80211_supported_band *sband)
1208 {
1209 	struct nlattr *nl_rates, *nl_rate;
1210 	struct ieee80211_rate *rate;
1211 	int i;
1212 
1213 	/* add HT info */
1214 	if (sband->ht_cap.ht_supported &&
1215 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1216 		     sizeof(sband->ht_cap.mcs),
1217 		     &sband->ht_cap.mcs) ||
1218 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1219 			 sband->ht_cap.cap) ||
1220 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1221 			sband->ht_cap.ampdu_factor) ||
1222 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1223 			sband->ht_cap.ampdu_density)))
1224 		return -ENOBUFS;
1225 
1226 	/* add VHT info */
1227 	if (sband->vht_cap.vht_supported &&
1228 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1229 		     sizeof(sband->vht_cap.vht_mcs),
1230 		     &sband->vht_cap.vht_mcs) ||
1231 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1232 			 sband->vht_cap.cap)))
1233 		return -ENOBUFS;
1234 
1235 	/* add bitrates */
1236 	nl_rates = nla_nest_start(msg, NL80211_BAND_ATTR_RATES);
1237 	if (!nl_rates)
1238 		return -ENOBUFS;
1239 
1240 	for (i = 0; i < sband->n_bitrates; i++) {
1241 		nl_rate = nla_nest_start(msg, i);
1242 		if (!nl_rate)
1243 			return -ENOBUFS;
1244 
1245 		rate = &sband->bitrates[i];
1246 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1247 				rate->bitrate))
1248 			return -ENOBUFS;
1249 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1250 		    nla_put_flag(msg,
1251 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1252 			return -ENOBUFS;
1253 
1254 		nla_nest_end(msg, nl_rate);
1255 	}
1256 
1257 	nla_nest_end(msg, nl_rates);
1258 
1259 	return 0;
1260 }
1261 
1262 static int
1263 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1264 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1265 {
1266 	u16 stypes;
1267 	struct nlattr *nl_ftypes, *nl_ifs;
1268 	enum nl80211_iftype ift;
1269 	int i;
1270 
1271 	if (!mgmt_stypes)
1272 		return 0;
1273 
1274 	nl_ifs = nla_nest_start(msg, NL80211_ATTR_TX_FRAME_TYPES);
1275 	if (!nl_ifs)
1276 		return -ENOBUFS;
1277 
1278 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1279 		nl_ftypes = nla_nest_start(msg, ift);
1280 		if (!nl_ftypes)
1281 			return -ENOBUFS;
1282 		i = 0;
1283 		stypes = mgmt_stypes[ift].tx;
1284 		while (stypes) {
1285 			if ((stypes & 1) &&
1286 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1287 					(i << 4) | IEEE80211_FTYPE_MGMT))
1288 				return -ENOBUFS;
1289 			stypes >>= 1;
1290 			i++;
1291 		}
1292 		nla_nest_end(msg, nl_ftypes);
1293 	}
1294 
1295 	nla_nest_end(msg, nl_ifs);
1296 
1297 	nl_ifs = nla_nest_start(msg, NL80211_ATTR_RX_FRAME_TYPES);
1298 	if (!nl_ifs)
1299 		return -ENOBUFS;
1300 
1301 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1302 		nl_ftypes = nla_nest_start(msg, ift);
1303 		if (!nl_ftypes)
1304 			return -ENOBUFS;
1305 		i = 0;
1306 		stypes = mgmt_stypes[ift].rx;
1307 		while (stypes) {
1308 			if ((stypes & 1) &&
1309 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1310 					(i << 4) | IEEE80211_FTYPE_MGMT))
1311 				return -ENOBUFS;
1312 			stypes >>= 1;
1313 			i++;
1314 		}
1315 		nla_nest_end(msg, nl_ftypes);
1316 	}
1317 	nla_nest_end(msg, nl_ifs);
1318 
1319 	return 0;
1320 }
1321 
1322 #define CMD(op, n)							\
1323 	 do {								\
1324 		if (rdev->ops->op) {					\
1325 			i++;						\
1326 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
1327 				goto nla_put_failure;			\
1328 		}							\
1329 	} while (0)
1330 
1331 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
1332 					struct sk_buff *msg)
1333 {
1334 	int i = 0;
1335 
1336 	/*
1337 	 * do *NOT* add anything into this function, new things need to be
1338 	 * advertised only to new versions of userspace that can deal with
1339 	 * the split (and they can't possibly care about new features...
1340 	 */
1341 	CMD(add_virtual_intf, NEW_INTERFACE);
1342 	CMD(change_virtual_intf, SET_INTERFACE);
1343 	CMD(add_key, NEW_KEY);
1344 	CMD(start_ap, START_AP);
1345 	CMD(add_station, NEW_STATION);
1346 	CMD(add_mpath, NEW_MPATH);
1347 	CMD(update_mesh_config, SET_MESH_CONFIG);
1348 	CMD(change_bss, SET_BSS);
1349 	CMD(auth, AUTHENTICATE);
1350 	CMD(assoc, ASSOCIATE);
1351 	CMD(deauth, DEAUTHENTICATE);
1352 	CMD(disassoc, DISASSOCIATE);
1353 	CMD(join_ibss, JOIN_IBSS);
1354 	CMD(join_mesh, JOIN_MESH);
1355 	CMD(set_pmksa, SET_PMKSA);
1356 	CMD(del_pmksa, DEL_PMKSA);
1357 	CMD(flush_pmksa, FLUSH_PMKSA);
1358 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1359 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1360 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1361 	CMD(mgmt_tx, FRAME);
1362 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1363 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1364 		i++;
1365 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1366 			goto nla_put_failure;
1367 	}
1368 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1369 	    rdev->ops->join_mesh) {
1370 		i++;
1371 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1372 			goto nla_put_failure;
1373 	}
1374 	CMD(set_wds_peer, SET_WDS_PEER);
1375 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1376 		CMD(tdls_mgmt, TDLS_MGMT);
1377 		CMD(tdls_oper, TDLS_OPER);
1378 	}
1379 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
1380 		CMD(sched_scan_start, START_SCHED_SCAN);
1381 	CMD(probe_client, PROBE_CLIENT);
1382 	CMD(set_noack_map, SET_NOACK_MAP);
1383 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1384 		i++;
1385 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1386 			goto nla_put_failure;
1387 	}
1388 	CMD(start_p2p_device, START_P2P_DEVICE);
1389 	CMD(set_mcast_rate, SET_MCAST_RATE);
1390 #ifdef CONFIG_NL80211_TESTMODE
1391 	CMD(testmode_cmd, TESTMODE);
1392 #endif
1393 
1394 	if (rdev->ops->connect || rdev->ops->auth) {
1395 		i++;
1396 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1397 			goto nla_put_failure;
1398 	}
1399 
1400 	if (rdev->ops->disconnect || rdev->ops->deauth) {
1401 		i++;
1402 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1403 			goto nla_put_failure;
1404 	}
1405 
1406 	return i;
1407  nla_put_failure:
1408 	return -ENOBUFS;
1409 }
1410 
1411 struct nl80211_dump_wiphy_state {
1412 	s64 filter_wiphy;
1413 	long start;
1414 	long split_start, band_start, chan_start, capa_start;
1415 	bool split;
1416 };
1417 
1418 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
1419 			      enum nl80211_commands cmd,
1420 			      struct sk_buff *msg, u32 portid, u32 seq,
1421 			      int flags, struct nl80211_dump_wiphy_state *state)
1422 {
1423 	void *hdr;
1424 	struct nlattr *nl_bands, *nl_band;
1425 	struct nlattr *nl_freqs, *nl_freq;
1426 	struct nlattr *nl_cmds;
1427 	enum nl80211_band band;
1428 	struct ieee80211_channel *chan;
1429 	int i;
1430 	const struct ieee80211_txrx_stypes *mgmt_stypes =
1431 				rdev->wiphy.mgmt_stypes;
1432 	u32 features;
1433 
1434 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
1435 	if (!hdr)
1436 		return -ENOBUFS;
1437 
1438 	if (WARN_ON(!state))
1439 		return -EINVAL;
1440 
1441 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
1442 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
1443 			   wiphy_name(&rdev->wiphy)) ||
1444 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
1445 			cfg80211_rdev_list_generation))
1446 		goto nla_put_failure;
1447 
1448 	if (cmd != NL80211_CMD_NEW_WIPHY)
1449 		goto finish;
1450 
1451 	switch (state->split_start) {
1452 	case 0:
1453 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
1454 			       rdev->wiphy.retry_short) ||
1455 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
1456 			       rdev->wiphy.retry_long) ||
1457 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
1458 				rdev->wiphy.frag_threshold) ||
1459 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
1460 				rdev->wiphy.rts_threshold) ||
1461 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
1462 			       rdev->wiphy.coverage_class) ||
1463 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
1464 			       rdev->wiphy.max_scan_ssids) ||
1465 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
1466 			       rdev->wiphy.max_sched_scan_ssids) ||
1467 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
1468 				rdev->wiphy.max_scan_ie_len) ||
1469 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
1470 				rdev->wiphy.max_sched_scan_ie_len) ||
1471 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
1472 			       rdev->wiphy.max_match_sets) ||
1473 		    nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
1474 				rdev->wiphy.max_sched_scan_plans) ||
1475 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
1476 				rdev->wiphy.max_sched_scan_plan_interval) ||
1477 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
1478 				rdev->wiphy.max_sched_scan_plan_iterations))
1479 			goto nla_put_failure;
1480 
1481 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
1482 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
1483 			goto nla_put_failure;
1484 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
1485 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
1486 			goto nla_put_failure;
1487 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
1488 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
1489 			goto nla_put_failure;
1490 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
1491 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
1492 			goto nla_put_failure;
1493 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
1494 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
1495 			goto nla_put_failure;
1496 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
1497 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
1498 			goto nla_put_failure;
1499 		state->split_start++;
1500 		if (state->split)
1501 			break;
1502 	case 1:
1503 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
1504 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
1505 			    rdev->wiphy.cipher_suites))
1506 			goto nla_put_failure;
1507 
1508 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
1509 			       rdev->wiphy.max_num_pmkids))
1510 			goto nla_put_failure;
1511 
1512 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
1513 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
1514 			goto nla_put_failure;
1515 
1516 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
1517 				rdev->wiphy.available_antennas_tx) ||
1518 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
1519 				rdev->wiphy.available_antennas_rx))
1520 			goto nla_put_failure;
1521 
1522 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
1523 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
1524 				rdev->wiphy.probe_resp_offload))
1525 			goto nla_put_failure;
1526 
1527 		if ((rdev->wiphy.available_antennas_tx ||
1528 		     rdev->wiphy.available_antennas_rx) &&
1529 		    rdev->ops->get_antenna) {
1530 			u32 tx_ant = 0, rx_ant = 0;
1531 			int res;
1532 
1533 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
1534 			if (!res) {
1535 				if (nla_put_u32(msg,
1536 						NL80211_ATTR_WIPHY_ANTENNA_TX,
1537 						tx_ant) ||
1538 				    nla_put_u32(msg,
1539 						NL80211_ATTR_WIPHY_ANTENNA_RX,
1540 						rx_ant))
1541 					goto nla_put_failure;
1542 			}
1543 		}
1544 
1545 		state->split_start++;
1546 		if (state->split)
1547 			break;
1548 	case 2:
1549 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
1550 					rdev->wiphy.interface_modes))
1551 				goto nla_put_failure;
1552 		state->split_start++;
1553 		if (state->split)
1554 			break;
1555 	case 3:
1556 		nl_bands = nla_nest_start(msg, NL80211_ATTR_WIPHY_BANDS);
1557 		if (!nl_bands)
1558 			goto nla_put_failure;
1559 
1560 		for (band = state->band_start;
1561 		     band < NUM_NL80211_BANDS; band++) {
1562 			struct ieee80211_supported_band *sband;
1563 
1564 			sband = rdev->wiphy.bands[band];
1565 
1566 			if (!sband)
1567 				continue;
1568 
1569 			nl_band = nla_nest_start(msg, band);
1570 			if (!nl_band)
1571 				goto nla_put_failure;
1572 
1573 			switch (state->chan_start) {
1574 			case 0:
1575 				if (nl80211_send_band_rateinfo(msg, sband))
1576 					goto nla_put_failure;
1577 				state->chan_start++;
1578 				if (state->split)
1579 					break;
1580 			default:
1581 				/* add frequencies */
1582 				nl_freqs = nla_nest_start(
1583 					msg, NL80211_BAND_ATTR_FREQS);
1584 				if (!nl_freqs)
1585 					goto nla_put_failure;
1586 
1587 				for (i = state->chan_start - 1;
1588 				     i < sband->n_channels;
1589 				     i++) {
1590 					nl_freq = nla_nest_start(msg, i);
1591 					if (!nl_freq)
1592 						goto nla_put_failure;
1593 
1594 					chan = &sband->channels[i];
1595 
1596 					if (nl80211_msg_put_channel(
1597 							msg, chan,
1598 							state->split))
1599 						goto nla_put_failure;
1600 
1601 					nla_nest_end(msg, nl_freq);
1602 					if (state->split)
1603 						break;
1604 				}
1605 				if (i < sband->n_channels)
1606 					state->chan_start = i + 2;
1607 				else
1608 					state->chan_start = 0;
1609 				nla_nest_end(msg, nl_freqs);
1610 			}
1611 
1612 			nla_nest_end(msg, nl_band);
1613 
1614 			if (state->split) {
1615 				/* start again here */
1616 				if (state->chan_start)
1617 					band--;
1618 				break;
1619 			}
1620 		}
1621 		nla_nest_end(msg, nl_bands);
1622 
1623 		if (band < NUM_NL80211_BANDS)
1624 			state->band_start = band + 1;
1625 		else
1626 			state->band_start = 0;
1627 
1628 		/* if bands & channels are done, continue outside */
1629 		if (state->band_start == 0 && state->chan_start == 0)
1630 			state->split_start++;
1631 		if (state->split)
1632 			break;
1633 	case 4:
1634 		nl_cmds = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_COMMANDS);
1635 		if (!nl_cmds)
1636 			goto nla_put_failure;
1637 
1638 		i = nl80211_add_commands_unsplit(rdev, msg);
1639 		if (i < 0)
1640 			goto nla_put_failure;
1641 		if (state->split) {
1642 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
1643 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
1644 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
1645 				CMD(channel_switch, CHANNEL_SWITCH);
1646 			CMD(set_qos_map, SET_QOS_MAP);
1647 			if (rdev->wiphy.features &
1648 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
1649 				CMD(add_tx_ts, ADD_TX_TS);
1650 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
1651 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
1652 		}
1653 #undef CMD
1654 
1655 		nla_nest_end(msg, nl_cmds);
1656 		state->split_start++;
1657 		if (state->split)
1658 			break;
1659 	case 5:
1660 		if (rdev->ops->remain_on_channel &&
1661 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
1662 		    nla_put_u32(msg,
1663 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
1664 				rdev->wiphy.max_remain_on_channel_duration))
1665 			goto nla_put_failure;
1666 
1667 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
1668 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
1669 			goto nla_put_failure;
1670 
1671 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
1672 			goto nla_put_failure;
1673 		state->split_start++;
1674 		if (state->split)
1675 			break;
1676 	case 6:
1677 #ifdef CONFIG_PM
1678 		if (nl80211_send_wowlan(msg, rdev, state->split))
1679 			goto nla_put_failure;
1680 		state->split_start++;
1681 		if (state->split)
1682 			break;
1683 #else
1684 		state->split_start++;
1685 #endif
1686 	case 7:
1687 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
1688 					rdev->wiphy.software_iftypes))
1689 			goto nla_put_failure;
1690 
1691 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
1692 						   state->split))
1693 			goto nla_put_failure;
1694 
1695 		state->split_start++;
1696 		if (state->split)
1697 			break;
1698 	case 8:
1699 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
1700 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
1701 				rdev->wiphy.ap_sme_capa))
1702 			goto nla_put_failure;
1703 
1704 		features = rdev->wiphy.features;
1705 		/*
1706 		 * We can only add the per-channel limit information if the
1707 		 * dump is split, otherwise it makes it too big. Therefore
1708 		 * only advertise it in that case.
1709 		 */
1710 		if (state->split)
1711 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
1712 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
1713 			goto nla_put_failure;
1714 
1715 		if (rdev->wiphy.ht_capa_mod_mask &&
1716 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
1717 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
1718 			    rdev->wiphy.ht_capa_mod_mask))
1719 			goto nla_put_failure;
1720 
1721 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
1722 		    rdev->wiphy.max_acl_mac_addrs &&
1723 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
1724 				rdev->wiphy.max_acl_mac_addrs))
1725 			goto nla_put_failure;
1726 
1727 		/*
1728 		 * Any information below this point is only available to
1729 		 * applications that can deal with it being split. This
1730 		 * helps ensure that newly added capabilities don't break
1731 		 * older tools by overrunning their buffers.
1732 		 *
1733 		 * We still increment split_start so that in the split
1734 		 * case we'll continue with more data in the next round,
1735 		 * but break unconditionally so unsplit data stops here.
1736 		 */
1737 		state->split_start++;
1738 		break;
1739 	case 9:
1740 		if (rdev->wiphy.extended_capabilities &&
1741 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
1742 			     rdev->wiphy.extended_capabilities_len,
1743 			     rdev->wiphy.extended_capabilities) ||
1744 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
1745 			     rdev->wiphy.extended_capabilities_len,
1746 			     rdev->wiphy.extended_capabilities_mask)))
1747 			goto nla_put_failure;
1748 
1749 		if (rdev->wiphy.vht_capa_mod_mask &&
1750 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
1751 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
1752 			    rdev->wiphy.vht_capa_mod_mask))
1753 			goto nla_put_failure;
1754 
1755 		state->split_start++;
1756 		break;
1757 	case 10:
1758 		if (nl80211_send_coalesce(msg, rdev))
1759 			goto nla_put_failure;
1760 
1761 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
1762 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
1763 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
1764 			goto nla_put_failure;
1765 
1766 		if (rdev->wiphy.max_ap_assoc_sta &&
1767 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
1768 				rdev->wiphy.max_ap_assoc_sta))
1769 			goto nla_put_failure;
1770 
1771 		state->split_start++;
1772 		break;
1773 	case 11:
1774 		if (rdev->wiphy.n_vendor_commands) {
1775 			const struct nl80211_vendor_cmd_info *info;
1776 			struct nlattr *nested;
1777 
1778 			nested = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
1779 			if (!nested)
1780 				goto nla_put_failure;
1781 
1782 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
1783 				info = &rdev->wiphy.vendor_commands[i].info;
1784 				if (nla_put(msg, i + 1, sizeof(*info), info))
1785 					goto nla_put_failure;
1786 			}
1787 			nla_nest_end(msg, nested);
1788 		}
1789 
1790 		if (rdev->wiphy.n_vendor_events) {
1791 			const struct nl80211_vendor_cmd_info *info;
1792 			struct nlattr *nested;
1793 
1794 			nested = nla_nest_start(msg,
1795 						NL80211_ATTR_VENDOR_EVENTS);
1796 			if (!nested)
1797 				goto nla_put_failure;
1798 
1799 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
1800 				info = &rdev->wiphy.vendor_events[i];
1801 				if (nla_put(msg, i + 1, sizeof(*info), info))
1802 					goto nla_put_failure;
1803 			}
1804 			nla_nest_end(msg, nested);
1805 		}
1806 		state->split_start++;
1807 		break;
1808 	case 12:
1809 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
1810 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
1811 			       rdev->wiphy.max_num_csa_counters))
1812 			goto nla_put_failure;
1813 
1814 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
1815 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
1816 			goto nla_put_failure;
1817 
1818 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
1819 			    sizeof(rdev->wiphy.ext_features),
1820 			    rdev->wiphy.ext_features))
1821 			goto nla_put_failure;
1822 
1823 		if (rdev->wiphy.bss_select_support) {
1824 			struct nlattr *nested;
1825 			u32 bss_select_support = rdev->wiphy.bss_select_support;
1826 
1827 			nested = nla_nest_start(msg, NL80211_ATTR_BSS_SELECT);
1828 			if (!nested)
1829 				goto nla_put_failure;
1830 
1831 			i = 0;
1832 			while (bss_select_support) {
1833 				if ((bss_select_support & 1) &&
1834 				    nla_put_flag(msg, i))
1835 					goto nla_put_failure;
1836 				i++;
1837 				bss_select_support >>= 1;
1838 			}
1839 			nla_nest_end(msg, nested);
1840 		}
1841 
1842 		state->split_start++;
1843 		break;
1844 	case 13:
1845 		if (rdev->wiphy.num_iftype_ext_capab &&
1846 		    rdev->wiphy.iftype_ext_capab) {
1847 			struct nlattr *nested_ext_capab, *nested;
1848 
1849 			nested = nla_nest_start(msg,
1850 						NL80211_ATTR_IFTYPE_EXT_CAPA);
1851 			if (!nested)
1852 				goto nla_put_failure;
1853 
1854 			for (i = state->capa_start;
1855 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
1856 				const struct wiphy_iftype_ext_capab *capab;
1857 
1858 				capab = &rdev->wiphy.iftype_ext_capab[i];
1859 
1860 				nested_ext_capab = nla_nest_start(msg, i);
1861 				if (!nested_ext_capab ||
1862 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
1863 						capab->iftype) ||
1864 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
1865 					    capab->extended_capabilities_len,
1866 					    capab->extended_capabilities) ||
1867 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
1868 					    capab->extended_capabilities_len,
1869 					    capab->extended_capabilities_mask))
1870 					goto nla_put_failure;
1871 
1872 				nla_nest_end(msg, nested_ext_capab);
1873 				if (state->split)
1874 					break;
1875 			}
1876 			nla_nest_end(msg, nested);
1877 			if (i < rdev->wiphy.num_iftype_ext_capab) {
1878 				state->capa_start = i + 1;
1879 				break;
1880 			}
1881 		}
1882 
1883 		/* done */
1884 		state->split_start = 0;
1885 		break;
1886 	}
1887  finish:
1888 	genlmsg_end(msg, hdr);
1889 	return 0;
1890 
1891  nla_put_failure:
1892 	genlmsg_cancel(msg, hdr);
1893 	return -EMSGSIZE;
1894 }
1895 
1896 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
1897 				    struct netlink_callback *cb,
1898 				    struct nl80211_dump_wiphy_state *state)
1899 {
1900 	struct nlattr **tb = genl_family_attrbuf(&nl80211_fam);
1901 	int ret = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
1902 			      tb, nl80211_fam.maxattr, nl80211_policy);
1903 	/* ignore parse errors for backward compatibility */
1904 	if (ret)
1905 		return 0;
1906 
1907 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
1908 	if (tb[NL80211_ATTR_WIPHY])
1909 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
1910 	if (tb[NL80211_ATTR_WDEV])
1911 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
1912 	if (tb[NL80211_ATTR_IFINDEX]) {
1913 		struct net_device *netdev;
1914 		struct cfg80211_registered_device *rdev;
1915 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
1916 
1917 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
1918 		if (!netdev)
1919 			return -ENODEV;
1920 		if (netdev->ieee80211_ptr) {
1921 			rdev = wiphy_to_rdev(
1922 				netdev->ieee80211_ptr->wiphy);
1923 			state->filter_wiphy = rdev->wiphy_idx;
1924 		}
1925 	}
1926 
1927 	return 0;
1928 }
1929 
1930 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
1931 {
1932 	int idx = 0, ret;
1933 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
1934 	struct cfg80211_registered_device *rdev;
1935 
1936 	rtnl_lock();
1937 	if (!state) {
1938 		state = kzalloc(sizeof(*state), GFP_KERNEL);
1939 		if (!state) {
1940 			rtnl_unlock();
1941 			return -ENOMEM;
1942 		}
1943 		state->filter_wiphy = -1;
1944 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
1945 		if (ret) {
1946 			kfree(state);
1947 			rtnl_unlock();
1948 			return ret;
1949 		}
1950 		cb->args[0] = (long)state;
1951 	}
1952 
1953 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
1954 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
1955 			continue;
1956 		if (++idx <= state->start)
1957 			continue;
1958 		if (state->filter_wiphy != -1 &&
1959 		    state->filter_wiphy != rdev->wiphy_idx)
1960 			continue;
1961 		/* attempt to fit multiple wiphy data chunks into the skb */
1962 		do {
1963 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
1964 						 skb,
1965 						 NETLINK_CB(cb->skb).portid,
1966 						 cb->nlh->nlmsg_seq,
1967 						 NLM_F_MULTI, state);
1968 			if (ret < 0) {
1969 				/*
1970 				 * If sending the wiphy data didn't fit (ENOBUFS
1971 				 * or EMSGSIZE returned), this SKB is still
1972 				 * empty (so it's not too big because another
1973 				 * wiphy dataset is already in the skb) and
1974 				 * we've not tried to adjust the dump allocation
1975 				 * yet ... then adjust the alloc size to be
1976 				 * bigger, and return 1 but with the empty skb.
1977 				 * This results in an empty message being RX'ed
1978 				 * in userspace, but that is ignored.
1979 				 *
1980 				 * We can then retry with the larger buffer.
1981 				 */
1982 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
1983 				    !skb->len && !state->split &&
1984 				    cb->min_dump_alloc < 4096) {
1985 					cb->min_dump_alloc = 4096;
1986 					state->split_start = 0;
1987 					rtnl_unlock();
1988 					return 1;
1989 				}
1990 				idx--;
1991 				break;
1992 			}
1993 		} while (state->split_start > 0);
1994 		break;
1995 	}
1996 	rtnl_unlock();
1997 
1998 	state->start = idx;
1999 
2000 	return skb->len;
2001 }
2002 
2003 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
2004 {
2005 	kfree((void *)cb->args[0]);
2006 	return 0;
2007 }
2008 
2009 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
2010 {
2011 	struct sk_buff *msg;
2012 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2013 	struct nl80211_dump_wiphy_state state = {};
2014 
2015 	msg = nlmsg_new(4096, GFP_KERNEL);
2016 	if (!msg)
2017 		return -ENOMEM;
2018 
2019 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
2020 			       info->snd_portid, info->snd_seq, 0,
2021 			       &state) < 0) {
2022 		nlmsg_free(msg);
2023 		return -ENOBUFS;
2024 	}
2025 
2026 	return genlmsg_reply(msg, info);
2027 }
2028 
2029 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
2030 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
2031 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
2032 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
2033 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
2034 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
2035 };
2036 
2037 static int parse_txq_params(struct nlattr *tb[],
2038 			    struct ieee80211_txq_params *txq_params)
2039 {
2040 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
2041 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
2042 	    !tb[NL80211_TXQ_ATTR_AIFS])
2043 		return -EINVAL;
2044 
2045 	txq_params->ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
2046 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
2047 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
2048 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
2049 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
2050 
2051 	if (txq_params->ac >= NL80211_NUM_ACS)
2052 		return -EINVAL;
2053 
2054 	return 0;
2055 }
2056 
2057 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
2058 {
2059 	/*
2060 	 * You can only set the channel explicitly for WDS interfaces,
2061 	 * all others have their channel managed via their respective
2062 	 * "establish a connection" command (connect, join, ...)
2063 	 *
2064 	 * For AP/GO and mesh mode, the channel can be set with the
2065 	 * channel userspace API, but is only stored and passed to the
2066 	 * low-level driver when the AP starts or the mesh is joined.
2067 	 * This is for backward compatibility, userspace can also give
2068 	 * the channel in the start-ap or join-mesh commands instead.
2069 	 *
2070 	 * Monitors are special as they are normally slaved to
2071 	 * whatever else is going on, so they have their own special
2072 	 * operation to set the monitor channel if possible.
2073 	 */
2074 	return !wdev ||
2075 		wdev->iftype == NL80211_IFTYPE_AP ||
2076 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
2077 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
2078 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
2079 }
2080 
2081 static int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
2082 				 struct genl_info *info,
2083 				 struct cfg80211_chan_def *chandef)
2084 {
2085 	u32 control_freq;
2086 
2087 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
2088 		return -EINVAL;
2089 
2090 	control_freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
2091 
2092 	chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
2093 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
2094 	chandef->center_freq1 = control_freq;
2095 	chandef->center_freq2 = 0;
2096 
2097 	/* Primary channel not allowed */
2098 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED)
2099 		return -EINVAL;
2100 
2101 	if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
2102 		enum nl80211_channel_type chantype;
2103 
2104 		chantype = nla_get_u32(
2105 				info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
2106 
2107 		switch (chantype) {
2108 		case NL80211_CHAN_NO_HT:
2109 		case NL80211_CHAN_HT20:
2110 		case NL80211_CHAN_HT40PLUS:
2111 		case NL80211_CHAN_HT40MINUS:
2112 			cfg80211_chandef_create(chandef, chandef->chan,
2113 						chantype);
2114 			break;
2115 		default:
2116 			return -EINVAL;
2117 		}
2118 	} else if (info->attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
2119 		chandef->width =
2120 			nla_get_u32(info->attrs[NL80211_ATTR_CHANNEL_WIDTH]);
2121 		if (info->attrs[NL80211_ATTR_CENTER_FREQ1])
2122 			chandef->center_freq1 =
2123 				nla_get_u32(
2124 					info->attrs[NL80211_ATTR_CENTER_FREQ1]);
2125 		if (info->attrs[NL80211_ATTR_CENTER_FREQ2])
2126 			chandef->center_freq2 =
2127 				nla_get_u32(
2128 					info->attrs[NL80211_ATTR_CENTER_FREQ2]);
2129 	}
2130 
2131 	if (!cfg80211_chandef_valid(chandef))
2132 		return -EINVAL;
2133 
2134 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
2135 				     IEEE80211_CHAN_DISABLED))
2136 		return -EINVAL;
2137 
2138 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
2139 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
2140 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ))
2141 		return -EINVAL;
2142 
2143 	return 0;
2144 }
2145 
2146 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
2147 				 struct net_device *dev,
2148 				 struct genl_info *info)
2149 {
2150 	struct cfg80211_chan_def chandef;
2151 	int result;
2152 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
2153 	struct wireless_dev *wdev = NULL;
2154 
2155 	if (dev)
2156 		wdev = dev->ieee80211_ptr;
2157 	if (!nl80211_can_set_dev_channel(wdev))
2158 		return -EOPNOTSUPP;
2159 	if (wdev)
2160 		iftype = wdev->iftype;
2161 
2162 	result = nl80211_parse_chandef(rdev, info, &chandef);
2163 	if (result)
2164 		return result;
2165 
2166 	switch (iftype) {
2167 	case NL80211_IFTYPE_AP:
2168 	case NL80211_IFTYPE_P2P_GO:
2169 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
2170 						   iftype)) {
2171 			result = -EINVAL;
2172 			break;
2173 		}
2174 		if (wdev->beacon_interval) {
2175 			if (!dev || !rdev->ops->set_ap_chanwidth ||
2176 			    !(rdev->wiphy.features &
2177 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
2178 				result = -EBUSY;
2179 				break;
2180 			}
2181 
2182 			/* Only allow dynamic channel width changes */
2183 			if (chandef.chan != wdev->preset_chandef.chan) {
2184 				result = -EBUSY;
2185 				break;
2186 			}
2187 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
2188 			if (result)
2189 				break;
2190 		}
2191 		wdev->preset_chandef = chandef;
2192 		result = 0;
2193 		break;
2194 	case NL80211_IFTYPE_MESH_POINT:
2195 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
2196 		break;
2197 	case NL80211_IFTYPE_MONITOR:
2198 		result = cfg80211_set_monitor_channel(rdev, &chandef);
2199 		break;
2200 	default:
2201 		result = -EINVAL;
2202 	}
2203 
2204 	return result;
2205 }
2206 
2207 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
2208 {
2209 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2210 	struct net_device *netdev = info->user_ptr[1];
2211 
2212 	return __nl80211_set_channel(rdev, netdev, info);
2213 }
2214 
2215 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
2216 {
2217 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2218 	struct net_device *dev = info->user_ptr[1];
2219 	struct wireless_dev *wdev = dev->ieee80211_ptr;
2220 	const u8 *bssid;
2221 
2222 	if (!info->attrs[NL80211_ATTR_MAC])
2223 		return -EINVAL;
2224 
2225 	if (netif_running(dev))
2226 		return -EBUSY;
2227 
2228 	if (!rdev->ops->set_wds_peer)
2229 		return -EOPNOTSUPP;
2230 
2231 	if (wdev->iftype != NL80211_IFTYPE_WDS)
2232 		return -EOPNOTSUPP;
2233 
2234 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
2235 	return rdev_set_wds_peer(rdev, dev, bssid);
2236 }
2237 
2238 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
2239 {
2240 	struct cfg80211_registered_device *rdev;
2241 	struct net_device *netdev = NULL;
2242 	struct wireless_dev *wdev;
2243 	int result = 0, rem_txq_params = 0;
2244 	struct nlattr *nl_txq_params;
2245 	u32 changed;
2246 	u8 retry_short = 0, retry_long = 0;
2247 	u32 frag_threshold = 0, rts_threshold = 0;
2248 	u8 coverage_class = 0;
2249 
2250 	ASSERT_RTNL();
2251 
2252 	/*
2253 	 * Try to find the wiphy and netdev. Normally this
2254 	 * function shouldn't need the netdev, but this is
2255 	 * done for backward compatibility -- previously
2256 	 * setting the channel was done per wiphy, but now
2257 	 * it is per netdev. Previous userland like hostapd
2258 	 * also passed a netdev to set_wiphy, so that it is
2259 	 * possible to let that go to the right netdev!
2260 	 */
2261 
2262 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
2263 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
2264 
2265 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
2266 		if (netdev && netdev->ieee80211_ptr)
2267 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
2268 		else
2269 			netdev = NULL;
2270 	}
2271 
2272 	if (!netdev) {
2273 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
2274 						  info->attrs);
2275 		if (IS_ERR(rdev))
2276 			return PTR_ERR(rdev);
2277 		wdev = NULL;
2278 		netdev = NULL;
2279 		result = 0;
2280 	} else
2281 		wdev = netdev->ieee80211_ptr;
2282 
2283 	/*
2284 	 * end workaround code, by now the rdev is available
2285 	 * and locked, and wdev may or may not be NULL.
2286 	 */
2287 
2288 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
2289 		result = cfg80211_dev_rename(
2290 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
2291 
2292 	if (result)
2293 		return result;
2294 
2295 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
2296 		struct ieee80211_txq_params txq_params;
2297 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
2298 
2299 		if (!rdev->ops->set_txq_params)
2300 			return -EOPNOTSUPP;
2301 
2302 		if (!netdev)
2303 			return -EINVAL;
2304 
2305 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2306 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2307 			return -EINVAL;
2308 
2309 		if (!netif_running(netdev))
2310 			return -ENETDOWN;
2311 
2312 		nla_for_each_nested(nl_txq_params,
2313 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
2314 				    rem_txq_params) {
2315 			result = nla_parse_nested(tb, NL80211_TXQ_ATTR_MAX,
2316 						  nl_txq_params,
2317 						  txq_params_policy);
2318 			if (result)
2319 				return result;
2320 			result = parse_txq_params(tb, &txq_params);
2321 			if (result)
2322 				return result;
2323 
2324 			result = rdev_set_txq_params(rdev, netdev,
2325 						     &txq_params);
2326 			if (result)
2327 				return result;
2328 		}
2329 	}
2330 
2331 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2332 		result = __nl80211_set_channel(
2333 			rdev,
2334 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
2335 			info);
2336 		if (result)
2337 			return result;
2338 	}
2339 
2340 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
2341 		struct wireless_dev *txp_wdev = wdev;
2342 		enum nl80211_tx_power_setting type;
2343 		int idx, mbm = 0;
2344 
2345 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
2346 			txp_wdev = NULL;
2347 
2348 		if (!rdev->ops->set_tx_power)
2349 			return -EOPNOTSUPP;
2350 
2351 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
2352 		type = nla_get_u32(info->attrs[idx]);
2353 
2354 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
2355 		    (type != NL80211_TX_POWER_AUTOMATIC))
2356 			return -EINVAL;
2357 
2358 		if (type != NL80211_TX_POWER_AUTOMATIC) {
2359 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
2360 			mbm = nla_get_u32(info->attrs[idx]);
2361 		}
2362 
2363 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
2364 		if (result)
2365 			return result;
2366 	}
2367 
2368 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
2369 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
2370 		u32 tx_ant, rx_ant;
2371 
2372 		if ((!rdev->wiphy.available_antennas_tx &&
2373 		     !rdev->wiphy.available_antennas_rx) ||
2374 		    !rdev->ops->set_antenna)
2375 			return -EOPNOTSUPP;
2376 
2377 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
2378 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
2379 
2380 		/* reject antenna configurations which don't match the
2381 		 * available antenna masks, except for the "all" mask */
2382 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
2383 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
2384 			return -EINVAL;
2385 
2386 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
2387 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
2388 
2389 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
2390 		if (result)
2391 			return result;
2392 	}
2393 
2394 	changed = 0;
2395 
2396 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
2397 		retry_short = nla_get_u8(
2398 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
2399 		if (retry_short == 0)
2400 			return -EINVAL;
2401 
2402 		changed |= WIPHY_PARAM_RETRY_SHORT;
2403 	}
2404 
2405 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
2406 		retry_long = nla_get_u8(
2407 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
2408 		if (retry_long == 0)
2409 			return -EINVAL;
2410 
2411 		changed |= WIPHY_PARAM_RETRY_LONG;
2412 	}
2413 
2414 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
2415 		frag_threshold = nla_get_u32(
2416 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
2417 		if (frag_threshold < 256)
2418 			return -EINVAL;
2419 
2420 		if (frag_threshold != (u32) -1) {
2421 			/*
2422 			 * Fragments (apart from the last one) are required to
2423 			 * have even length. Make the fragmentation code
2424 			 * simpler by stripping LSB should someone try to use
2425 			 * odd threshold value.
2426 			 */
2427 			frag_threshold &= ~0x1;
2428 		}
2429 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
2430 	}
2431 
2432 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
2433 		rts_threshold = nla_get_u32(
2434 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
2435 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
2436 	}
2437 
2438 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
2439 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
2440 			return -EINVAL;
2441 
2442 		coverage_class = nla_get_u8(
2443 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
2444 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
2445 	}
2446 
2447 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
2448 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
2449 			return -EOPNOTSUPP;
2450 
2451 		changed |= WIPHY_PARAM_DYN_ACK;
2452 	}
2453 
2454 	if (changed) {
2455 		u8 old_retry_short, old_retry_long;
2456 		u32 old_frag_threshold, old_rts_threshold;
2457 		u8 old_coverage_class;
2458 
2459 		if (!rdev->ops->set_wiphy_params)
2460 			return -EOPNOTSUPP;
2461 
2462 		old_retry_short = rdev->wiphy.retry_short;
2463 		old_retry_long = rdev->wiphy.retry_long;
2464 		old_frag_threshold = rdev->wiphy.frag_threshold;
2465 		old_rts_threshold = rdev->wiphy.rts_threshold;
2466 		old_coverage_class = rdev->wiphy.coverage_class;
2467 
2468 		if (changed & WIPHY_PARAM_RETRY_SHORT)
2469 			rdev->wiphy.retry_short = retry_short;
2470 		if (changed & WIPHY_PARAM_RETRY_LONG)
2471 			rdev->wiphy.retry_long = retry_long;
2472 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
2473 			rdev->wiphy.frag_threshold = frag_threshold;
2474 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
2475 			rdev->wiphy.rts_threshold = rts_threshold;
2476 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
2477 			rdev->wiphy.coverage_class = coverage_class;
2478 
2479 		result = rdev_set_wiphy_params(rdev, changed);
2480 		if (result) {
2481 			rdev->wiphy.retry_short = old_retry_short;
2482 			rdev->wiphy.retry_long = old_retry_long;
2483 			rdev->wiphy.frag_threshold = old_frag_threshold;
2484 			rdev->wiphy.rts_threshold = old_rts_threshold;
2485 			rdev->wiphy.coverage_class = old_coverage_class;
2486 			return result;
2487 		}
2488 	}
2489 	return 0;
2490 }
2491 
2492 static inline u64 wdev_id(struct wireless_dev *wdev)
2493 {
2494 	return (u64)wdev->identifier |
2495 	       ((u64)wiphy_to_rdev(wdev->wiphy)->wiphy_idx << 32);
2496 }
2497 
2498 static int nl80211_send_chandef(struct sk_buff *msg,
2499 				const struct cfg80211_chan_def *chandef)
2500 {
2501 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
2502 		return -EINVAL;
2503 
2504 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
2505 			chandef->chan->center_freq))
2506 		return -ENOBUFS;
2507 	switch (chandef->width) {
2508 	case NL80211_CHAN_WIDTH_20_NOHT:
2509 	case NL80211_CHAN_WIDTH_20:
2510 	case NL80211_CHAN_WIDTH_40:
2511 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
2512 				cfg80211_get_chandef_type(chandef)))
2513 			return -ENOBUFS;
2514 		break;
2515 	default:
2516 		break;
2517 	}
2518 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
2519 		return -ENOBUFS;
2520 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
2521 		return -ENOBUFS;
2522 	if (chandef->center_freq2 &&
2523 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
2524 		return -ENOBUFS;
2525 	return 0;
2526 }
2527 
2528 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
2529 			      struct cfg80211_registered_device *rdev,
2530 			      struct wireless_dev *wdev, bool removal)
2531 {
2532 	struct net_device *dev = wdev->netdev;
2533 	u8 cmd = NL80211_CMD_NEW_INTERFACE;
2534 	void *hdr;
2535 
2536 	if (removal)
2537 		cmd = NL80211_CMD_DEL_INTERFACE;
2538 
2539 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2540 	if (!hdr)
2541 		return -1;
2542 
2543 	if (dev &&
2544 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2545 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
2546 		goto nla_put_failure;
2547 
2548 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2549 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
2550 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
2551 			      NL80211_ATTR_PAD) ||
2552 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
2553 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2554 			rdev->devlist_generation ^
2555 			(cfg80211_rdev_list_generation << 2)))
2556 		goto nla_put_failure;
2557 
2558 	if (rdev->ops->get_channel) {
2559 		int ret;
2560 		struct cfg80211_chan_def chandef;
2561 
2562 		ret = rdev_get_channel(rdev, wdev, &chandef);
2563 		if (ret == 0) {
2564 			if (nl80211_send_chandef(msg, &chandef))
2565 				goto nla_put_failure;
2566 		}
2567 	}
2568 
2569 	if (rdev->ops->get_tx_power) {
2570 		int dbm, ret;
2571 
2572 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
2573 		if (ret == 0 &&
2574 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
2575 				DBM_TO_MBM(dbm)))
2576 			goto nla_put_failure;
2577 	}
2578 
2579 	if (wdev->ssid_len) {
2580 		if (nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
2581 			goto nla_put_failure;
2582 	}
2583 
2584 	genlmsg_end(msg, hdr);
2585 	return 0;
2586 
2587  nla_put_failure:
2588 	genlmsg_cancel(msg, hdr);
2589 	return -EMSGSIZE;
2590 }
2591 
2592 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
2593 {
2594 	int wp_idx = 0;
2595 	int if_idx = 0;
2596 	int wp_start = cb->args[0];
2597 	int if_start = cb->args[1];
2598 	int filter_wiphy = -1;
2599 	struct cfg80211_registered_device *rdev;
2600 	struct wireless_dev *wdev;
2601 
2602 	rtnl_lock();
2603 	if (!cb->args[2]) {
2604 		struct nl80211_dump_wiphy_state state = {
2605 			.filter_wiphy = -1,
2606 		};
2607 		int ret;
2608 
2609 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
2610 		if (ret)
2611 			return ret;
2612 
2613 		filter_wiphy = state.filter_wiphy;
2614 
2615 		/*
2616 		 * if filtering, set cb->args[2] to +1 since 0 is the default
2617 		 * value needed to determine that parsing is necessary.
2618 		 */
2619 		if (filter_wiphy >= 0)
2620 			cb->args[2] = filter_wiphy + 1;
2621 		else
2622 			cb->args[2] = -1;
2623 	} else if (cb->args[2] > 0) {
2624 		filter_wiphy = cb->args[2] - 1;
2625 	}
2626 
2627 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2628 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2629 			continue;
2630 		if (wp_idx < wp_start) {
2631 			wp_idx++;
2632 			continue;
2633 		}
2634 
2635 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
2636 			continue;
2637 
2638 		if_idx = 0;
2639 
2640 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
2641 			if (if_idx < if_start) {
2642 				if_idx++;
2643 				continue;
2644 			}
2645 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
2646 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
2647 					       rdev, wdev, false) < 0) {
2648 				goto out;
2649 			}
2650 			if_idx++;
2651 		}
2652 
2653 		wp_idx++;
2654 	}
2655  out:
2656 	rtnl_unlock();
2657 
2658 	cb->args[0] = wp_idx;
2659 	cb->args[1] = if_idx;
2660 
2661 	return skb->len;
2662 }
2663 
2664 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
2665 {
2666 	struct sk_buff *msg;
2667 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2668 	struct wireless_dev *wdev = info->user_ptr[1];
2669 
2670 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2671 	if (!msg)
2672 		return -ENOMEM;
2673 
2674 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2675 			       rdev, wdev, false) < 0) {
2676 		nlmsg_free(msg);
2677 		return -ENOBUFS;
2678 	}
2679 
2680 	return genlmsg_reply(msg, info);
2681 }
2682 
2683 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
2684 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
2685 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
2686 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
2687 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
2688 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
2689 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
2690 };
2691 
2692 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
2693 {
2694 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
2695 	int flag;
2696 
2697 	*mntrflags = 0;
2698 
2699 	if (!nla)
2700 		return -EINVAL;
2701 
2702 	if (nla_parse_nested(flags, NL80211_MNTR_FLAG_MAX,
2703 			     nla, mntr_flags_policy))
2704 		return -EINVAL;
2705 
2706 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
2707 		if (flags[flag])
2708 			*mntrflags |= (1<<flag);
2709 
2710 	return 0;
2711 }
2712 
2713 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
2714 			       struct net_device *netdev, u8 use_4addr,
2715 			       enum nl80211_iftype iftype)
2716 {
2717 	if (!use_4addr) {
2718 		if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
2719 			return -EBUSY;
2720 		return 0;
2721 	}
2722 
2723 	switch (iftype) {
2724 	case NL80211_IFTYPE_AP_VLAN:
2725 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
2726 			return 0;
2727 		break;
2728 	case NL80211_IFTYPE_STATION:
2729 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
2730 			return 0;
2731 		break;
2732 	default:
2733 		break;
2734 	}
2735 
2736 	return -EOPNOTSUPP;
2737 }
2738 
2739 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
2740 {
2741 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2742 	struct vif_params params;
2743 	int err;
2744 	enum nl80211_iftype otype, ntype;
2745 	struct net_device *dev = info->user_ptr[1];
2746 	u32 _flags, *flags = NULL;
2747 	bool change = false;
2748 
2749 	memset(&params, 0, sizeof(params));
2750 
2751 	otype = ntype = dev->ieee80211_ptr->iftype;
2752 
2753 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2754 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2755 		if (otype != ntype)
2756 			change = true;
2757 		if (ntype > NL80211_IFTYPE_MAX)
2758 			return -EINVAL;
2759 	}
2760 
2761 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
2762 		struct wireless_dev *wdev = dev->ieee80211_ptr;
2763 
2764 		if (ntype != NL80211_IFTYPE_MESH_POINT)
2765 			return -EINVAL;
2766 		if (netif_running(dev))
2767 			return -EBUSY;
2768 
2769 		wdev_lock(wdev);
2770 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2771 			     IEEE80211_MAX_MESH_ID_LEN);
2772 		wdev->mesh_id_up_len =
2773 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2774 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2775 		       wdev->mesh_id_up_len);
2776 		wdev_unlock(wdev);
2777 	}
2778 
2779 	if (info->attrs[NL80211_ATTR_4ADDR]) {
2780 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2781 		change = true;
2782 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
2783 		if (err)
2784 			return err;
2785 	} else {
2786 		params.use_4addr = -1;
2787 	}
2788 
2789 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
2790 		if (ntype != NL80211_IFTYPE_MONITOR)
2791 			return -EINVAL;
2792 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
2793 					  &_flags);
2794 		if (err)
2795 			return err;
2796 
2797 		flags = &_flags;
2798 		change = true;
2799 	}
2800 
2801 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
2802 		const u8 *mumimo_groups;
2803 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
2804 
2805 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
2806 			return -EOPNOTSUPP;
2807 
2808 		mumimo_groups =
2809 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
2810 
2811 		/* bits 0 and 63 are reserved and must be zero */
2812 		if ((mumimo_groups[0] & BIT(7)) ||
2813 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(0)))
2814 			return -EINVAL;
2815 
2816 		memcpy(params.vht_mumimo_groups, mumimo_groups,
2817 		       VHT_MUMIMO_GROUPS_DATA_LEN);
2818 		change = true;
2819 	}
2820 
2821 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
2822 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
2823 
2824 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
2825 			return -EOPNOTSUPP;
2826 
2827 		nla_memcpy(params.macaddr,
2828 			   info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR],
2829 			   ETH_ALEN);
2830 		change = true;
2831 	}
2832 
2833 	if (flags && (*flags & MONITOR_FLAG_ACTIVE) &&
2834 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
2835 		return -EOPNOTSUPP;
2836 
2837 	if (change)
2838 		err = cfg80211_change_iface(rdev, dev, ntype, flags, &params);
2839 	else
2840 		err = 0;
2841 
2842 	if (!err && params.use_4addr != -1)
2843 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
2844 
2845 	return err;
2846 }
2847 
2848 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
2849 {
2850 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2851 	struct vif_params params;
2852 	struct wireless_dev *wdev;
2853 	struct sk_buff *msg;
2854 	int err;
2855 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
2856 	u32 flags;
2857 
2858 	/* to avoid failing a new interface creation due to pending removal */
2859 	cfg80211_destroy_ifaces(rdev);
2860 
2861 	memset(&params, 0, sizeof(params));
2862 
2863 	if (!info->attrs[NL80211_ATTR_IFNAME])
2864 		return -EINVAL;
2865 
2866 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2867 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2868 		if (type > NL80211_IFTYPE_MAX)
2869 			return -EINVAL;
2870 	}
2871 
2872 	if (!rdev->ops->add_virtual_intf ||
2873 	    !(rdev->wiphy.interface_modes & (1 << type)))
2874 		return -EOPNOTSUPP;
2875 
2876 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
2877 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
2878 	    info->attrs[NL80211_ATTR_MAC]) {
2879 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
2880 			   ETH_ALEN);
2881 		if (!is_valid_ether_addr(params.macaddr))
2882 			return -EADDRNOTAVAIL;
2883 	}
2884 
2885 	if (info->attrs[NL80211_ATTR_4ADDR]) {
2886 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2887 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
2888 		if (err)
2889 			return err;
2890 	}
2891 
2892 	err = parse_monitor_flags(type == NL80211_IFTYPE_MONITOR ?
2893 				  info->attrs[NL80211_ATTR_MNTR_FLAGS] : NULL,
2894 				  &flags);
2895 
2896 	if (!err && (flags & MONITOR_FLAG_ACTIVE) &&
2897 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
2898 		return -EOPNOTSUPP;
2899 
2900 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2901 	if (!msg)
2902 		return -ENOMEM;
2903 
2904 	wdev = rdev_add_virtual_intf(rdev,
2905 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
2906 				NET_NAME_USER, type, err ? NULL : &flags,
2907 				&params);
2908 	if (WARN_ON(!wdev)) {
2909 		nlmsg_free(msg);
2910 		return -EPROTO;
2911 	} else if (IS_ERR(wdev)) {
2912 		nlmsg_free(msg);
2913 		return PTR_ERR(wdev);
2914 	}
2915 
2916 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
2917 		wdev->owner_nlportid = info->snd_portid;
2918 
2919 	switch (type) {
2920 	case NL80211_IFTYPE_MESH_POINT:
2921 		if (!info->attrs[NL80211_ATTR_MESH_ID])
2922 			break;
2923 		wdev_lock(wdev);
2924 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2925 			     IEEE80211_MAX_MESH_ID_LEN);
2926 		wdev->mesh_id_up_len =
2927 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2928 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2929 		       wdev->mesh_id_up_len);
2930 		wdev_unlock(wdev);
2931 		break;
2932 	case NL80211_IFTYPE_NAN:
2933 	case NL80211_IFTYPE_P2P_DEVICE:
2934 		/*
2935 		 * P2P Device and NAN do not have a netdev, so don't go
2936 		 * through the netdev notifier and must be added here
2937 		 */
2938 		mutex_init(&wdev->mtx);
2939 		INIT_LIST_HEAD(&wdev->event_list);
2940 		spin_lock_init(&wdev->event_lock);
2941 		INIT_LIST_HEAD(&wdev->mgmt_registrations);
2942 		spin_lock_init(&wdev->mgmt_registrations_lock);
2943 
2944 		wdev->identifier = ++rdev->wdev_id;
2945 		list_add_rcu(&wdev->list, &rdev->wiphy.wdev_list);
2946 		rdev->devlist_generation++;
2947 		break;
2948 	default:
2949 		break;
2950 	}
2951 
2952 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2953 			       rdev, wdev, false) < 0) {
2954 		nlmsg_free(msg);
2955 		return -ENOBUFS;
2956 	}
2957 
2958 	/*
2959 	 * For wdevs which have no associated netdev object (e.g. of type
2960 	 * NL80211_IFTYPE_P2P_DEVICE), emit the NEW_INTERFACE event here.
2961 	 * For all other types, the event will be generated from the
2962 	 * netdev notifier
2963 	 */
2964 	if (!wdev->netdev)
2965 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_NEW_INTERFACE);
2966 
2967 	return genlmsg_reply(msg, info);
2968 }
2969 
2970 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
2971 {
2972 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2973 	struct wireless_dev *wdev = info->user_ptr[1];
2974 
2975 	if (!rdev->ops->del_virtual_intf)
2976 		return -EOPNOTSUPP;
2977 
2978 	/*
2979 	 * If we remove a wireless device without a netdev then clear
2980 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
2981 	 * to check if it needs to do dev_put(). Otherwise it crashes
2982 	 * since the wdev has been freed, unlike with a netdev where
2983 	 * we need the dev_put() for the netdev to really be freed.
2984 	 */
2985 	if (!wdev->netdev)
2986 		info->user_ptr[1] = NULL;
2987 
2988 	return rdev_del_virtual_intf(rdev, wdev);
2989 }
2990 
2991 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
2992 {
2993 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2994 	struct net_device *dev = info->user_ptr[1];
2995 	u16 noack_map;
2996 
2997 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
2998 		return -EINVAL;
2999 
3000 	if (!rdev->ops->set_noack_map)
3001 		return -EOPNOTSUPP;
3002 
3003 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
3004 
3005 	return rdev_set_noack_map(rdev, dev, noack_map);
3006 }
3007 
3008 struct get_key_cookie {
3009 	struct sk_buff *msg;
3010 	int error;
3011 	int idx;
3012 };
3013 
3014 static void get_key_callback(void *c, struct key_params *params)
3015 {
3016 	struct nlattr *key;
3017 	struct get_key_cookie *cookie = c;
3018 
3019 	if ((params->key &&
3020 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
3021 		     params->key_len, params->key)) ||
3022 	    (params->seq &&
3023 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
3024 		     params->seq_len, params->seq)) ||
3025 	    (params->cipher &&
3026 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
3027 			 params->cipher)))
3028 		goto nla_put_failure;
3029 
3030 	key = nla_nest_start(cookie->msg, NL80211_ATTR_KEY);
3031 	if (!key)
3032 		goto nla_put_failure;
3033 
3034 	if ((params->key &&
3035 	     nla_put(cookie->msg, NL80211_KEY_DATA,
3036 		     params->key_len, params->key)) ||
3037 	    (params->seq &&
3038 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
3039 		     params->seq_len, params->seq)) ||
3040 	    (params->cipher &&
3041 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
3042 			 params->cipher)))
3043 		goto nla_put_failure;
3044 
3045 	if (nla_put_u8(cookie->msg, NL80211_ATTR_KEY_IDX, cookie->idx))
3046 		goto nla_put_failure;
3047 
3048 	nla_nest_end(cookie->msg, key);
3049 
3050 	return;
3051  nla_put_failure:
3052 	cookie->error = 1;
3053 }
3054 
3055 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
3056 {
3057 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3058 	int err;
3059 	struct net_device *dev = info->user_ptr[1];
3060 	u8 key_idx = 0;
3061 	const u8 *mac_addr = NULL;
3062 	bool pairwise;
3063 	struct get_key_cookie cookie = {
3064 		.error = 0,
3065 	};
3066 	void *hdr;
3067 	struct sk_buff *msg;
3068 
3069 	if (info->attrs[NL80211_ATTR_KEY_IDX])
3070 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
3071 
3072 	if (key_idx > 5)
3073 		return -EINVAL;
3074 
3075 	if (info->attrs[NL80211_ATTR_MAC])
3076 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3077 
3078 	pairwise = !!mac_addr;
3079 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
3080 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
3081 
3082 		if (kt >= NUM_NL80211_KEYTYPES)
3083 			return -EINVAL;
3084 		if (kt != NL80211_KEYTYPE_GROUP &&
3085 		    kt != NL80211_KEYTYPE_PAIRWISE)
3086 			return -EINVAL;
3087 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
3088 	}
3089 
3090 	if (!rdev->ops->get_key)
3091 		return -EOPNOTSUPP;
3092 
3093 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3094 		return -ENOENT;
3095 
3096 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3097 	if (!msg)
3098 		return -ENOMEM;
3099 
3100 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
3101 			     NL80211_CMD_NEW_KEY);
3102 	if (!hdr)
3103 		goto nla_put_failure;
3104 
3105 	cookie.msg = msg;
3106 	cookie.idx = key_idx;
3107 
3108 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3109 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
3110 		goto nla_put_failure;
3111 	if (mac_addr &&
3112 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
3113 		goto nla_put_failure;
3114 
3115 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
3116 			   get_key_callback);
3117 
3118 	if (err)
3119 		goto free_msg;
3120 
3121 	if (cookie.error)
3122 		goto nla_put_failure;
3123 
3124 	genlmsg_end(msg, hdr);
3125 	return genlmsg_reply(msg, info);
3126 
3127  nla_put_failure:
3128 	err = -ENOBUFS;
3129  free_msg:
3130 	nlmsg_free(msg);
3131 	return err;
3132 }
3133 
3134 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
3135 {
3136 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3137 	struct key_parse key;
3138 	int err;
3139 	struct net_device *dev = info->user_ptr[1];
3140 
3141 	err = nl80211_parse_key(info, &key);
3142 	if (err)
3143 		return err;
3144 
3145 	if (key.idx < 0)
3146 		return -EINVAL;
3147 
3148 	/* only support setting default key */
3149 	if (!key.def && !key.defmgmt)
3150 		return -EINVAL;
3151 
3152 	wdev_lock(dev->ieee80211_ptr);
3153 
3154 	if (key.def) {
3155 		if (!rdev->ops->set_default_key) {
3156 			err = -EOPNOTSUPP;
3157 			goto out;
3158 		}
3159 
3160 		err = nl80211_key_allowed(dev->ieee80211_ptr);
3161 		if (err)
3162 			goto out;
3163 
3164 		err = rdev_set_default_key(rdev, dev, key.idx,
3165 						 key.def_uni, key.def_multi);
3166 
3167 		if (err)
3168 			goto out;
3169 
3170 #ifdef CONFIG_CFG80211_WEXT
3171 		dev->ieee80211_ptr->wext.default_key = key.idx;
3172 #endif
3173 	} else {
3174 		if (key.def_uni || !key.def_multi) {
3175 			err = -EINVAL;
3176 			goto out;
3177 		}
3178 
3179 		if (!rdev->ops->set_default_mgmt_key) {
3180 			err = -EOPNOTSUPP;
3181 			goto out;
3182 		}
3183 
3184 		err = nl80211_key_allowed(dev->ieee80211_ptr);
3185 		if (err)
3186 			goto out;
3187 
3188 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
3189 		if (err)
3190 			goto out;
3191 
3192 #ifdef CONFIG_CFG80211_WEXT
3193 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
3194 #endif
3195 	}
3196 
3197  out:
3198 	wdev_unlock(dev->ieee80211_ptr);
3199 
3200 	return err;
3201 }
3202 
3203 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
3204 {
3205 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3206 	int err;
3207 	struct net_device *dev = info->user_ptr[1];
3208 	struct key_parse key;
3209 	const u8 *mac_addr = NULL;
3210 
3211 	err = nl80211_parse_key(info, &key);
3212 	if (err)
3213 		return err;
3214 
3215 	if (!key.p.key)
3216 		return -EINVAL;
3217 
3218 	if (info->attrs[NL80211_ATTR_MAC])
3219 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3220 
3221 	if (key.type == -1) {
3222 		if (mac_addr)
3223 			key.type = NL80211_KEYTYPE_PAIRWISE;
3224 		else
3225 			key.type = NL80211_KEYTYPE_GROUP;
3226 	}
3227 
3228 	/* for now */
3229 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3230 	    key.type != NL80211_KEYTYPE_GROUP)
3231 		return -EINVAL;
3232 
3233 	if (!rdev->ops->add_key)
3234 		return -EOPNOTSUPP;
3235 
3236 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
3237 					   key.type == NL80211_KEYTYPE_PAIRWISE,
3238 					   mac_addr))
3239 		return -EINVAL;
3240 
3241 	wdev_lock(dev->ieee80211_ptr);
3242 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3243 	if (!err)
3244 		err = rdev_add_key(rdev, dev, key.idx,
3245 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3246 				    mac_addr, &key.p);
3247 	wdev_unlock(dev->ieee80211_ptr);
3248 
3249 	return err;
3250 }
3251 
3252 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
3253 {
3254 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3255 	int err;
3256 	struct net_device *dev = info->user_ptr[1];
3257 	u8 *mac_addr = NULL;
3258 	struct key_parse key;
3259 
3260 	err = nl80211_parse_key(info, &key);
3261 	if (err)
3262 		return err;
3263 
3264 	if (info->attrs[NL80211_ATTR_MAC])
3265 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3266 
3267 	if (key.type == -1) {
3268 		if (mac_addr)
3269 			key.type = NL80211_KEYTYPE_PAIRWISE;
3270 		else
3271 			key.type = NL80211_KEYTYPE_GROUP;
3272 	}
3273 
3274 	/* for now */
3275 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3276 	    key.type != NL80211_KEYTYPE_GROUP)
3277 		return -EINVAL;
3278 
3279 	if (!rdev->ops->del_key)
3280 		return -EOPNOTSUPP;
3281 
3282 	wdev_lock(dev->ieee80211_ptr);
3283 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3284 
3285 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
3286 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3287 		err = -ENOENT;
3288 
3289 	if (!err)
3290 		err = rdev_del_key(rdev, dev, key.idx,
3291 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3292 				   mac_addr);
3293 
3294 #ifdef CONFIG_CFG80211_WEXT
3295 	if (!err) {
3296 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
3297 			dev->ieee80211_ptr->wext.default_key = -1;
3298 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
3299 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
3300 	}
3301 #endif
3302 	wdev_unlock(dev->ieee80211_ptr);
3303 
3304 	return err;
3305 }
3306 
3307 /* This function returns an error or the number of nested attributes */
3308 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
3309 {
3310 	struct nlattr *attr;
3311 	int n_entries = 0, tmp;
3312 
3313 	nla_for_each_nested(attr, nl_attr, tmp) {
3314 		if (nla_len(attr) != ETH_ALEN)
3315 			return -EINVAL;
3316 
3317 		n_entries++;
3318 	}
3319 
3320 	return n_entries;
3321 }
3322 
3323 /*
3324  * This function parses ACL information and allocates memory for ACL data.
3325  * On successful return, the calling function is responsible to free the
3326  * ACL buffer returned by this function.
3327  */
3328 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
3329 						struct genl_info *info)
3330 {
3331 	enum nl80211_acl_policy acl_policy;
3332 	struct nlattr *attr;
3333 	struct cfg80211_acl_data *acl;
3334 	int i = 0, n_entries, tmp;
3335 
3336 	if (!wiphy->max_acl_mac_addrs)
3337 		return ERR_PTR(-EOPNOTSUPP);
3338 
3339 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
3340 		return ERR_PTR(-EINVAL);
3341 
3342 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
3343 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
3344 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
3345 		return ERR_PTR(-EINVAL);
3346 
3347 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
3348 		return ERR_PTR(-EINVAL);
3349 
3350 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
3351 	if (n_entries < 0)
3352 		return ERR_PTR(n_entries);
3353 
3354 	if (n_entries > wiphy->max_acl_mac_addrs)
3355 		return ERR_PTR(-ENOTSUPP);
3356 
3357 	acl = kzalloc(sizeof(*acl) + (sizeof(struct mac_address) * n_entries),
3358 		      GFP_KERNEL);
3359 	if (!acl)
3360 		return ERR_PTR(-ENOMEM);
3361 
3362 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
3363 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
3364 		i++;
3365 	}
3366 
3367 	acl->n_acl_entries = n_entries;
3368 	acl->acl_policy = acl_policy;
3369 
3370 	return acl;
3371 }
3372 
3373 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
3374 {
3375 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3376 	struct net_device *dev = info->user_ptr[1];
3377 	struct cfg80211_acl_data *acl;
3378 	int err;
3379 
3380 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3381 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3382 		return -EOPNOTSUPP;
3383 
3384 	if (!dev->ieee80211_ptr->beacon_interval)
3385 		return -EINVAL;
3386 
3387 	acl = parse_acl_data(&rdev->wiphy, info);
3388 	if (IS_ERR(acl))
3389 		return PTR_ERR(acl);
3390 
3391 	err = rdev_set_mac_acl(rdev, dev, acl);
3392 
3393 	kfree(acl);
3394 
3395 	return err;
3396 }
3397 
3398 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
3399 			   u8 *rates, u8 rates_len)
3400 {
3401 	u8 i;
3402 	u32 mask = 0;
3403 
3404 	for (i = 0; i < rates_len; i++) {
3405 		int rate = (rates[i] & 0x7f) * 5;
3406 		int ridx;
3407 
3408 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
3409 			struct ieee80211_rate *srate =
3410 				&sband->bitrates[ridx];
3411 			if (rate == srate->bitrate) {
3412 				mask |= 1 << ridx;
3413 				break;
3414 			}
3415 		}
3416 		if (ridx == sband->n_bitrates)
3417 			return 0; /* rate not found */
3418 	}
3419 
3420 	return mask;
3421 }
3422 
3423 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
3424 			       u8 *rates, u8 rates_len,
3425 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
3426 {
3427 	u8 i;
3428 
3429 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
3430 
3431 	for (i = 0; i < rates_len; i++) {
3432 		int ridx, rbit;
3433 
3434 		ridx = rates[i] / 8;
3435 		rbit = BIT(rates[i] % 8);
3436 
3437 		/* check validity */
3438 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
3439 			return false;
3440 
3441 		/* check availability */
3442 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
3443 			mcs[ridx] |= rbit;
3444 		else
3445 			return false;
3446 	}
3447 
3448 	return true;
3449 }
3450 
3451 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
3452 {
3453 	u16 mcs_mask = 0;
3454 
3455 	switch (vht_mcs_map) {
3456 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
3457 		break;
3458 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
3459 		mcs_mask = 0x00FF;
3460 		break;
3461 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
3462 		mcs_mask = 0x01FF;
3463 		break;
3464 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
3465 		mcs_mask = 0x03FF;
3466 		break;
3467 	default:
3468 		break;
3469 	}
3470 
3471 	return mcs_mask;
3472 }
3473 
3474 static void vht_build_mcs_mask(u16 vht_mcs_map,
3475 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
3476 {
3477 	u8 nss;
3478 
3479 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
3480 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
3481 		vht_mcs_map >>= 2;
3482 	}
3483 }
3484 
3485 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
3486 			     struct nl80211_txrate_vht *txrate,
3487 			     u16 mcs[NL80211_VHT_NSS_MAX])
3488 {
3489 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
3490 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
3491 	u8 i;
3492 
3493 	if (!sband->vht_cap.vht_supported)
3494 		return false;
3495 
3496 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
3497 
3498 	/* Build vht_mcs_mask from VHT capabilities */
3499 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
3500 
3501 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
3502 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
3503 			mcs[i] = txrate->mcs[i];
3504 		else
3505 			return false;
3506 	}
3507 
3508 	return true;
3509 }
3510 
3511 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
3512 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
3513 				    .len = NL80211_MAX_SUPP_RATES },
3514 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
3515 				.len = NL80211_MAX_SUPP_HT_RATES },
3516 	[NL80211_TXRATE_VHT] = { .len = sizeof(struct nl80211_txrate_vht)},
3517 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
3518 };
3519 
3520 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
3521 					 struct cfg80211_bitrate_mask *mask)
3522 {
3523 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
3524 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3525 	int rem, i;
3526 	struct nlattr *tx_rates;
3527 	struct ieee80211_supported_band *sband;
3528 	u16 vht_tx_mcs_map;
3529 
3530 	memset(mask, 0, sizeof(*mask));
3531 	/* Default to all rates enabled */
3532 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
3533 		sband = rdev->wiphy.bands[i];
3534 
3535 		if (!sband)
3536 			continue;
3537 
3538 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
3539 		memcpy(mask->control[i].ht_mcs,
3540 		       sband->ht_cap.mcs.rx_mask,
3541 		       sizeof(mask->control[i].ht_mcs));
3542 
3543 		if (!sband->vht_cap.vht_supported)
3544 			continue;
3545 
3546 		vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
3547 		vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
3548 	}
3549 
3550 	/* if no rates are given set it back to the defaults */
3551 	if (!info->attrs[NL80211_ATTR_TX_RATES])
3552 		goto out;
3553 
3554 	/* The nested attribute uses enum nl80211_band as the index. This maps
3555 	 * directly to the enum nl80211_band values used in cfg80211.
3556 	 */
3557 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
3558 	nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
3559 		enum nl80211_band band = nla_type(tx_rates);
3560 		int err;
3561 
3562 		if (band < 0 || band >= NUM_NL80211_BANDS)
3563 			return -EINVAL;
3564 		sband = rdev->wiphy.bands[band];
3565 		if (sband == NULL)
3566 			return -EINVAL;
3567 		err = nla_parse_nested(tb, NL80211_TXRATE_MAX, tx_rates,
3568 				       nl80211_txattr_policy);
3569 		if (err)
3570 			return err;
3571 		if (tb[NL80211_TXRATE_LEGACY]) {
3572 			mask->control[band].legacy = rateset_to_mask(
3573 				sband,
3574 				nla_data(tb[NL80211_TXRATE_LEGACY]),
3575 				nla_len(tb[NL80211_TXRATE_LEGACY]));
3576 			if ((mask->control[band].legacy == 0) &&
3577 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
3578 				return -EINVAL;
3579 		}
3580 		if (tb[NL80211_TXRATE_HT]) {
3581 			if (!ht_rateset_to_mask(
3582 					sband,
3583 					nla_data(tb[NL80211_TXRATE_HT]),
3584 					nla_len(tb[NL80211_TXRATE_HT]),
3585 					mask->control[band].ht_mcs))
3586 				return -EINVAL;
3587 		}
3588 		if (tb[NL80211_TXRATE_VHT]) {
3589 			if (!vht_set_mcs_mask(
3590 					sband,
3591 					nla_data(tb[NL80211_TXRATE_VHT]),
3592 					mask->control[band].vht_mcs))
3593 				return -EINVAL;
3594 		}
3595 		if (tb[NL80211_TXRATE_GI]) {
3596 			mask->control[band].gi =
3597 				nla_get_u8(tb[NL80211_TXRATE_GI]);
3598 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
3599 				return -EINVAL;
3600 		}
3601 
3602 		if (mask->control[band].legacy == 0) {
3603 			/* don't allow empty legacy rates if HT or VHT
3604 			 * are not even supported.
3605 			 */
3606 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
3607 			      rdev->wiphy.bands[band]->vht_cap.vht_supported))
3608 				return -EINVAL;
3609 
3610 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
3611 				if (mask->control[band].ht_mcs[i])
3612 					goto out;
3613 
3614 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
3615 				if (mask->control[band].vht_mcs[i])
3616 					goto out;
3617 
3618 			/* legacy and mcs rates may not be both empty */
3619 			return -EINVAL;
3620 		}
3621 	}
3622 
3623 out:
3624 	return 0;
3625 }
3626 
3627 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
3628 				   enum nl80211_band band,
3629 				   struct cfg80211_bitrate_mask *beacon_rate)
3630 {
3631 	u32 count_ht, count_vht, i;
3632 	u32 rate = beacon_rate->control[band].legacy;
3633 
3634 	/* Allow only one rate */
3635 	if (hweight32(rate) > 1)
3636 		return -EINVAL;
3637 
3638 	count_ht = 0;
3639 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
3640 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
3641 			return -EINVAL;
3642 		} else if (beacon_rate->control[band].ht_mcs[i]) {
3643 			count_ht++;
3644 			if (count_ht > 1)
3645 				return -EINVAL;
3646 		}
3647 		if (count_ht && rate)
3648 			return -EINVAL;
3649 	}
3650 
3651 	count_vht = 0;
3652 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
3653 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
3654 			return -EINVAL;
3655 		} else if (beacon_rate->control[band].vht_mcs[i]) {
3656 			count_vht++;
3657 			if (count_vht > 1)
3658 				return -EINVAL;
3659 		}
3660 		if (count_vht && rate)
3661 			return -EINVAL;
3662 	}
3663 
3664 	if ((count_ht && count_vht) || (!rate && !count_ht && !count_vht))
3665 		return -EINVAL;
3666 
3667 	if (rate &&
3668 	    !wiphy_ext_feature_isset(&rdev->wiphy,
3669 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
3670 		return -EINVAL;
3671 	if (count_ht &&
3672 	    !wiphy_ext_feature_isset(&rdev->wiphy,
3673 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
3674 		return -EINVAL;
3675 	if (count_vht &&
3676 	    !wiphy_ext_feature_isset(&rdev->wiphy,
3677 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
3678 		return -EINVAL;
3679 
3680 	return 0;
3681 }
3682 
3683 static int nl80211_parse_beacon(struct nlattr *attrs[],
3684 				struct cfg80211_beacon_data *bcn)
3685 {
3686 	bool haveinfo = false;
3687 
3688 	if (!is_valid_ie_attr(attrs[NL80211_ATTR_BEACON_TAIL]) ||
3689 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE]) ||
3690 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE_PROBE_RESP]) ||
3691 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE_ASSOC_RESP]))
3692 		return -EINVAL;
3693 
3694 	memset(bcn, 0, sizeof(*bcn));
3695 
3696 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
3697 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
3698 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
3699 		if (!bcn->head_len)
3700 			return -EINVAL;
3701 		haveinfo = true;
3702 	}
3703 
3704 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
3705 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
3706 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
3707 		haveinfo = true;
3708 	}
3709 
3710 	if (!haveinfo)
3711 		return -EINVAL;
3712 
3713 	if (attrs[NL80211_ATTR_IE]) {
3714 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
3715 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
3716 	}
3717 
3718 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
3719 		bcn->proberesp_ies =
3720 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
3721 		bcn->proberesp_ies_len =
3722 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
3723 	}
3724 
3725 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
3726 		bcn->assocresp_ies =
3727 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
3728 		bcn->assocresp_ies_len =
3729 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
3730 	}
3731 
3732 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
3733 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
3734 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
3735 	}
3736 
3737 	return 0;
3738 }
3739 
3740 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
3741 				   struct cfg80211_ap_settings *params)
3742 {
3743 	struct wireless_dev *wdev;
3744 	bool ret = false;
3745 
3746 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3747 		if (wdev->iftype != NL80211_IFTYPE_AP &&
3748 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
3749 			continue;
3750 
3751 		if (!wdev->preset_chandef.chan)
3752 			continue;
3753 
3754 		params->chandef = wdev->preset_chandef;
3755 		ret = true;
3756 		break;
3757 	}
3758 
3759 	return ret;
3760 }
3761 
3762 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
3763 				    enum nl80211_auth_type auth_type,
3764 				    enum nl80211_commands cmd)
3765 {
3766 	if (auth_type > NL80211_AUTHTYPE_MAX)
3767 		return false;
3768 
3769 	switch (cmd) {
3770 	case NL80211_CMD_AUTHENTICATE:
3771 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
3772 		    auth_type == NL80211_AUTHTYPE_SAE)
3773 			return false;
3774 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3775 					     NL80211_EXT_FEATURE_FILS_STA) &&
3776 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
3777 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
3778 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
3779 			return false;
3780 		return true;
3781 	case NL80211_CMD_CONNECT:
3782 	case NL80211_CMD_START_AP:
3783 		/* SAE not supported yet */
3784 		if (auth_type == NL80211_AUTHTYPE_SAE)
3785 			return false;
3786 		/* FILS not supported yet */
3787 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
3788 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
3789 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
3790 			return false;
3791 		return true;
3792 	default:
3793 		return false;
3794 	}
3795 }
3796 
3797 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
3798 {
3799 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3800 	struct net_device *dev = info->user_ptr[1];
3801 	struct wireless_dev *wdev = dev->ieee80211_ptr;
3802 	struct cfg80211_ap_settings params;
3803 	int err;
3804 
3805 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3806 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3807 		return -EOPNOTSUPP;
3808 
3809 	if (!rdev->ops->start_ap)
3810 		return -EOPNOTSUPP;
3811 
3812 	if (wdev->beacon_interval)
3813 		return -EALREADY;
3814 
3815 	memset(&params, 0, sizeof(params));
3816 
3817 	/* these are required for START_AP */
3818 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
3819 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
3820 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
3821 		return -EINVAL;
3822 
3823 	err = nl80211_parse_beacon(info->attrs, &params.beacon);
3824 	if (err)
3825 		return err;
3826 
3827 	params.beacon_interval =
3828 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
3829 	params.dtim_period =
3830 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
3831 
3832 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
3833 					   params.beacon_interval);
3834 	if (err)
3835 		return err;
3836 
3837 	/*
3838 	 * In theory, some of these attributes should be required here
3839 	 * but since they were not used when the command was originally
3840 	 * added, keep them optional for old user space programs to let
3841 	 * them continue to work with drivers that do not need the
3842 	 * additional information -- drivers must check!
3843 	 */
3844 	if (info->attrs[NL80211_ATTR_SSID]) {
3845 		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
3846 		params.ssid_len =
3847 			nla_len(info->attrs[NL80211_ATTR_SSID]);
3848 		if (params.ssid_len == 0 ||
3849 		    params.ssid_len > IEEE80211_MAX_SSID_LEN)
3850 			return -EINVAL;
3851 	}
3852 
3853 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID]) {
3854 		params.hidden_ssid = nla_get_u32(
3855 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
3856 		if (params.hidden_ssid != NL80211_HIDDEN_SSID_NOT_IN_USE &&
3857 		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_LEN &&
3858 		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_CONTENTS)
3859 			return -EINVAL;
3860 	}
3861 
3862 	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
3863 
3864 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
3865 		params.auth_type = nla_get_u32(
3866 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
3867 		if (!nl80211_valid_auth_type(rdev, params.auth_type,
3868 					     NL80211_CMD_START_AP))
3869 			return -EINVAL;
3870 	} else
3871 		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
3872 
3873 	err = nl80211_crypto_settings(rdev, info, &params.crypto,
3874 				      NL80211_MAX_NR_CIPHER_SUITES);
3875 	if (err)
3876 		return err;
3877 
3878 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
3879 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
3880 			return -EOPNOTSUPP;
3881 		params.inactivity_timeout = nla_get_u16(
3882 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
3883 	}
3884 
3885 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
3886 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3887 			return -EINVAL;
3888 		params.p2p_ctwindow =
3889 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
3890 		if (params.p2p_ctwindow > 127)
3891 			return -EINVAL;
3892 		if (params.p2p_ctwindow != 0 &&
3893 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
3894 			return -EINVAL;
3895 	}
3896 
3897 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
3898 		u8 tmp;
3899 
3900 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3901 			return -EINVAL;
3902 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
3903 		if (tmp > 1)
3904 			return -EINVAL;
3905 		params.p2p_opp_ps = tmp;
3906 		if (params.p2p_opp_ps != 0 &&
3907 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
3908 			return -EINVAL;
3909 	}
3910 
3911 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3912 		err = nl80211_parse_chandef(rdev, info, &params.chandef);
3913 		if (err)
3914 			return err;
3915 	} else if (wdev->preset_chandef.chan) {
3916 		params.chandef = wdev->preset_chandef;
3917 	} else if (!nl80211_get_ap_channel(rdev, &params))
3918 		return -EINVAL;
3919 
3920 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
3921 					   wdev->iftype))
3922 		return -EINVAL;
3923 
3924 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
3925 		err = nl80211_parse_tx_bitrate_mask(info, &params.beacon_rate);
3926 		if (err)
3927 			return err;
3928 
3929 		err = validate_beacon_tx_rate(rdev, params.chandef.chan->band,
3930 					      &params.beacon_rate);
3931 		if (err)
3932 			return err;
3933 	}
3934 
3935 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
3936 		params.smps_mode =
3937 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
3938 		switch (params.smps_mode) {
3939 		case NL80211_SMPS_OFF:
3940 			break;
3941 		case NL80211_SMPS_STATIC:
3942 			if (!(rdev->wiphy.features &
3943 			      NL80211_FEATURE_STATIC_SMPS))
3944 				return -EINVAL;
3945 			break;
3946 		case NL80211_SMPS_DYNAMIC:
3947 			if (!(rdev->wiphy.features &
3948 			      NL80211_FEATURE_DYNAMIC_SMPS))
3949 				return -EINVAL;
3950 			break;
3951 		default:
3952 			return -EINVAL;
3953 		}
3954 	} else {
3955 		params.smps_mode = NL80211_SMPS_OFF;
3956 	}
3957 
3958 	params.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
3959 	if (params.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ])
3960 		return -EOPNOTSUPP;
3961 
3962 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
3963 		params.acl = parse_acl_data(&rdev->wiphy, info);
3964 		if (IS_ERR(params.acl))
3965 			return PTR_ERR(params.acl);
3966 	}
3967 
3968 	wdev_lock(wdev);
3969 	err = rdev_start_ap(rdev, dev, &params);
3970 	if (!err) {
3971 		wdev->preset_chandef = params.chandef;
3972 		wdev->beacon_interval = params.beacon_interval;
3973 		wdev->chandef = params.chandef;
3974 		wdev->ssid_len = params.ssid_len;
3975 		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
3976 	}
3977 	wdev_unlock(wdev);
3978 
3979 	kfree(params.acl);
3980 
3981 	return err;
3982 }
3983 
3984 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
3985 {
3986 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3987 	struct net_device *dev = info->user_ptr[1];
3988 	struct wireless_dev *wdev = dev->ieee80211_ptr;
3989 	struct cfg80211_beacon_data params;
3990 	int err;
3991 
3992 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3993 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3994 		return -EOPNOTSUPP;
3995 
3996 	if (!rdev->ops->change_beacon)
3997 		return -EOPNOTSUPP;
3998 
3999 	if (!wdev->beacon_interval)
4000 		return -EINVAL;
4001 
4002 	err = nl80211_parse_beacon(info->attrs, &params);
4003 	if (err)
4004 		return err;
4005 
4006 	wdev_lock(wdev);
4007 	err = rdev_change_beacon(rdev, dev, &params);
4008 	wdev_unlock(wdev);
4009 
4010 	return err;
4011 }
4012 
4013 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
4014 {
4015 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4016 	struct net_device *dev = info->user_ptr[1];
4017 
4018 	return cfg80211_stop_ap(rdev, dev, false);
4019 }
4020 
4021 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
4022 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
4023 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
4024 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
4025 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
4026 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
4027 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
4028 };
4029 
4030 static int parse_station_flags(struct genl_info *info,
4031 			       enum nl80211_iftype iftype,
4032 			       struct station_parameters *params)
4033 {
4034 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
4035 	struct nlattr *nla;
4036 	int flag;
4037 
4038 	/*
4039 	 * Try parsing the new attribute first so userspace
4040 	 * can specify both for older kernels.
4041 	 */
4042 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
4043 	if (nla) {
4044 		struct nl80211_sta_flag_update *sta_flags;
4045 
4046 		sta_flags = nla_data(nla);
4047 		params->sta_flags_mask = sta_flags->mask;
4048 		params->sta_flags_set = sta_flags->set;
4049 		params->sta_flags_set &= params->sta_flags_mask;
4050 		if ((params->sta_flags_mask |
4051 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
4052 			return -EINVAL;
4053 		return 0;
4054 	}
4055 
4056 	/* if present, parse the old attribute */
4057 
4058 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
4059 	if (!nla)
4060 		return 0;
4061 
4062 	if (nla_parse_nested(flags, NL80211_STA_FLAG_MAX,
4063 			     nla, sta_flags_policy))
4064 		return -EINVAL;
4065 
4066 	/*
4067 	 * Only allow certain flags for interface types so that
4068 	 * other attributes are silently ignored. Remember that
4069 	 * this is backward compatibility code with old userspace
4070 	 * and shouldn't be hit in other cases anyway.
4071 	 */
4072 	switch (iftype) {
4073 	case NL80211_IFTYPE_AP:
4074 	case NL80211_IFTYPE_AP_VLAN:
4075 	case NL80211_IFTYPE_P2P_GO:
4076 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
4077 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
4078 					 BIT(NL80211_STA_FLAG_WME) |
4079 					 BIT(NL80211_STA_FLAG_MFP);
4080 		break;
4081 	case NL80211_IFTYPE_P2P_CLIENT:
4082 	case NL80211_IFTYPE_STATION:
4083 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
4084 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
4085 		break;
4086 	case NL80211_IFTYPE_MESH_POINT:
4087 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4088 					 BIT(NL80211_STA_FLAG_MFP) |
4089 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
4090 	default:
4091 		return -EINVAL;
4092 	}
4093 
4094 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
4095 		if (flags[flag]) {
4096 			params->sta_flags_set |= (1<<flag);
4097 
4098 			/* no longer support new API additions in old API */
4099 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
4100 				return -EINVAL;
4101 		}
4102 	}
4103 
4104 	return 0;
4105 }
4106 
4107 static bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info,
4108 				 int attr)
4109 {
4110 	struct nlattr *rate;
4111 	u32 bitrate;
4112 	u16 bitrate_compat;
4113 	enum nl80211_attrs rate_flg;
4114 
4115 	rate = nla_nest_start(msg, attr);
4116 	if (!rate)
4117 		return false;
4118 
4119 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
4120 	bitrate = cfg80211_calculate_bitrate(info);
4121 	/* report 16-bit bitrate only if we can */
4122 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
4123 	if (bitrate > 0 &&
4124 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
4125 		return false;
4126 	if (bitrate_compat > 0 &&
4127 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
4128 		return false;
4129 
4130 	switch (info->bw) {
4131 	case RATE_INFO_BW_5:
4132 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
4133 		break;
4134 	case RATE_INFO_BW_10:
4135 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
4136 		break;
4137 	default:
4138 		WARN_ON(1);
4139 		/* fall through */
4140 	case RATE_INFO_BW_20:
4141 		rate_flg = 0;
4142 		break;
4143 	case RATE_INFO_BW_40:
4144 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
4145 		break;
4146 	case RATE_INFO_BW_80:
4147 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
4148 		break;
4149 	case RATE_INFO_BW_160:
4150 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
4151 		break;
4152 	}
4153 
4154 	if (rate_flg && nla_put_flag(msg, rate_flg))
4155 		return false;
4156 
4157 	if (info->flags & RATE_INFO_FLAGS_MCS) {
4158 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
4159 			return false;
4160 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
4161 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
4162 			return false;
4163 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
4164 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
4165 			return false;
4166 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
4167 			return false;
4168 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
4169 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
4170 			return false;
4171 	}
4172 
4173 	nla_nest_end(msg, rate);
4174 	return true;
4175 }
4176 
4177 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
4178 			       int id)
4179 {
4180 	void *attr;
4181 	int i = 0;
4182 
4183 	if (!mask)
4184 		return true;
4185 
4186 	attr = nla_nest_start(msg, id);
4187 	if (!attr)
4188 		return false;
4189 
4190 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
4191 		if (!(mask & BIT(i)))
4192 			continue;
4193 
4194 		if (nla_put_u8(msg, i, signal[i]))
4195 			return false;
4196 	}
4197 
4198 	nla_nest_end(msg, attr);
4199 
4200 	return true;
4201 }
4202 
4203 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
4204 				u32 seq, int flags,
4205 				struct cfg80211_registered_device *rdev,
4206 				struct net_device *dev,
4207 				const u8 *mac_addr, struct station_info *sinfo)
4208 {
4209 	void *hdr;
4210 	struct nlattr *sinfoattr, *bss_param;
4211 
4212 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
4213 	if (!hdr)
4214 		return -1;
4215 
4216 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4217 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
4218 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
4219 		goto nla_put_failure;
4220 
4221 	sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
4222 	if (!sinfoattr)
4223 		goto nla_put_failure;
4224 
4225 #define PUT_SINFO(attr, memb, type) do {				\
4226 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
4227 	if (sinfo->filled & (1ULL << NL80211_STA_INFO_ ## attr) &&	\
4228 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
4229 			     sinfo->memb))				\
4230 		goto nla_put_failure;					\
4231 	} while (0)
4232 #define PUT_SINFO_U64(attr, memb) do {					\
4233 	if (sinfo->filled & (1ULL << NL80211_STA_INFO_ ## attr) &&	\
4234 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
4235 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
4236 		goto nla_put_failure;					\
4237 	} while (0)
4238 
4239 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
4240 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
4241 
4242 	if (sinfo->filled & (BIT(NL80211_STA_INFO_RX_BYTES) |
4243 			     BIT(NL80211_STA_INFO_RX_BYTES64)) &&
4244 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
4245 			(u32)sinfo->rx_bytes))
4246 		goto nla_put_failure;
4247 
4248 	if (sinfo->filled & (BIT(NL80211_STA_INFO_TX_BYTES) |
4249 			     BIT(NL80211_STA_INFO_TX_BYTES64)) &&
4250 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
4251 			(u32)sinfo->tx_bytes))
4252 		goto nla_put_failure;
4253 
4254 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
4255 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
4256 	PUT_SINFO(LLID, llid, u16);
4257 	PUT_SINFO(PLID, plid, u16);
4258 	PUT_SINFO(PLINK_STATE, plink_state, u8);
4259 	PUT_SINFO_U64(RX_DURATION, rx_duration);
4260 
4261 	switch (rdev->wiphy.signal_type) {
4262 	case CFG80211_SIGNAL_TYPE_MBM:
4263 		PUT_SINFO(SIGNAL, signal, u8);
4264 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
4265 		break;
4266 	default:
4267 		break;
4268 	}
4269 	if (sinfo->filled & BIT(NL80211_STA_INFO_CHAIN_SIGNAL)) {
4270 		if (!nl80211_put_signal(msg, sinfo->chains,
4271 					sinfo->chain_signal,
4272 					NL80211_STA_INFO_CHAIN_SIGNAL))
4273 			goto nla_put_failure;
4274 	}
4275 	if (sinfo->filled & BIT(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
4276 		if (!nl80211_put_signal(msg, sinfo->chains,
4277 					sinfo->chain_signal_avg,
4278 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
4279 			goto nla_put_failure;
4280 	}
4281 	if (sinfo->filled & BIT(NL80211_STA_INFO_TX_BITRATE)) {
4282 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
4283 					  NL80211_STA_INFO_TX_BITRATE))
4284 			goto nla_put_failure;
4285 	}
4286 	if (sinfo->filled & BIT(NL80211_STA_INFO_RX_BITRATE)) {
4287 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
4288 					  NL80211_STA_INFO_RX_BITRATE))
4289 			goto nla_put_failure;
4290 	}
4291 
4292 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
4293 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
4294 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
4295 	PUT_SINFO(TX_FAILED, tx_failed, u32);
4296 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
4297 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
4298 	PUT_SINFO(LOCAL_PM, local_pm, u32);
4299 	PUT_SINFO(PEER_PM, peer_pm, u32);
4300 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
4301 
4302 	if (sinfo->filled & BIT(NL80211_STA_INFO_BSS_PARAM)) {
4303 		bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
4304 		if (!bss_param)
4305 			goto nla_put_failure;
4306 
4307 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
4308 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
4309 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
4310 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
4311 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
4312 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
4313 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
4314 			       sinfo->bss_param.dtim_period) ||
4315 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
4316 				sinfo->bss_param.beacon_interval))
4317 			goto nla_put_failure;
4318 
4319 		nla_nest_end(msg, bss_param);
4320 	}
4321 	if ((sinfo->filled & BIT(NL80211_STA_INFO_STA_FLAGS)) &&
4322 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
4323 		    sizeof(struct nl80211_sta_flag_update),
4324 		    &sinfo->sta_flags))
4325 		goto nla_put_failure;
4326 
4327 	PUT_SINFO_U64(T_OFFSET, t_offset);
4328 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
4329 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
4330 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
4331 
4332 #undef PUT_SINFO
4333 #undef PUT_SINFO_U64
4334 
4335 	if (sinfo->filled & BIT(NL80211_STA_INFO_TID_STATS)) {
4336 		struct nlattr *tidsattr;
4337 		int tid;
4338 
4339 		tidsattr = nla_nest_start(msg, NL80211_STA_INFO_TID_STATS);
4340 		if (!tidsattr)
4341 			goto nla_put_failure;
4342 
4343 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
4344 			struct cfg80211_tid_stats *tidstats;
4345 			struct nlattr *tidattr;
4346 
4347 			tidstats = &sinfo->pertid[tid];
4348 
4349 			if (!tidstats->filled)
4350 				continue;
4351 
4352 			tidattr = nla_nest_start(msg, tid + 1);
4353 			if (!tidattr)
4354 				goto nla_put_failure;
4355 
4356 #define PUT_TIDVAL_U64(attr, memb) do {					\
4357 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
4358 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
4359 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
4360 		goto nla_put_failure;					\
4361 	} while (0)
4362 
4363 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
4364 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
4365 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
4366 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
4367 
4368 #undef PUT_TIDVAL_U64
4369 			nla_nest_end(msg, tidattr);
4370 		}
4371 
4372 		nla_nest_end(msg, tidsattr);
4373 	}
4374 
4375 	nla_nest_end(msg, sinfoattr);
4376 
4377 	if (sinfo->assoc_req_ies_len &&
4378 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
4379 		    sinfo->assoc_req_ies))
4380 		goto nla_put_failure;
4381 
4382 	genlmsg_end(msg, hdr);
4383 	return 0;
4384 
4385  nla_put_failure:
4386 	genlmsg_cancel(msg, hdr);
4387 	return -EMSGSIZE;
4388 }
4389 
4390 static int nl80211_dump_station(struct sk_buff *skb,
4391 				struct netlink_callback *cb)
4392 {
4393 	struct station_info sinfo;
4394 	struct cfg80211_registered_device *rdev;
4395 	struct wireless_dev *wdev;
4396 	u8 mac_addr[ETH_ALEN];
4397 	int sta_idx = cb->args[2];
4398 	int err;
4399 
4400 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
4401 	if (err)
4402 		return err;
4403 
4404 	if (!wdev->netdev) {
4405 		err = -EINVAL;
4406 		goto out_err;
4407 	}
4408 
4409 	if (!rdev->ops->dump_station) {
4410 		err = -EOPNOTSUPP;
4411 		goto out_err;
4412 	}
4413 
4414 	while (1) {
4415 		memset(&sinfo, 0, sizeof(sinfo));
4416 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
4417 					mac_addr, &sinfo);
4418 		if (err == -ENOENT)
4419 			break;
4420 		if (err)
4421 			goto out_err;
4422 
4423 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
4424 				NETLINK_CB(cb->skb).portid,
4425 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
4426 				rdev, wdev->netdev, mac_addr,
4427 				&sinfo) < 0)
4428 			goto out;
4429 
4430 		sta_idx++;
4431 	}
4432 
4433  out:
4434 	cb->args[2] = sta_idx;
4435 	err = skb->len;
4436  out_err:
4437 	nl80211_finish_wdev_dump(rdev);
4438 
4439 	return err;
4440 }
4441 
4442 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
4443 {
4444 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4445 	struct net_device *dev = info->user_ptr[1];
4446 	struct station_info sinfo;
4447 	struct sk_buff *msg;
4448 	u8 *mac_addr = NULL;
4449 	int err;
4450 
4451 	memset(&sinfo, 0, sizeof(sinfo));
4452 
4453 	if (!info->attrs[NL80211_ATTR_MAC])
4454 		return -EINVAL;
4455 
4456 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4457 
4458 	if (!rdev->ops->get_station)
4459 		return -EOPNOTSUPP;
4460 
4461 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
4462 	if (err)
4463 		return err;
4464 
4465 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4466 	if (!msg)
4467 		return -ENOMEM;
4468 
4469 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
4470 				 info->snd_portid, info->snd_seq, 0,
4471 				 rdev, dev, mac_addr, &sinfo) < 0) {
4472 		nlmsg_free(msg);
4473 		return -ENOBUFS;
4474 	}
4475 
4476 	return genlmsg_reply(msg, info);
4477 }
4478 
4479 int cfg80211_check_station_change(struct wiphy *wiphy,
4480 				  struct station_parameters *params,
4481 				  enum cfg80211_station_type statype)
4482 {
4483 	if (params->listen_interval != -1 &&
4484 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
4485 		return -EINVAL;
4486 
4487 	if (params->support_p2p_ps != -1 &&
4488 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
4489 		return -EINVAL;
4490 
4491 	if (params->aid &&
4492 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
4493 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
4494 		return -EINVAL;
4495 
4496 	/* When you run into this, adjust the code below for the new flag */
4497 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
4498 
4499 	switch (statype) {
4500 	case CFG80211_STA_MESH_PEER_KERNEL:
4501 	case CFG80211_STA_MESH_PEER_USER:
4502 		/*
4503 		 * No ignoring the TDLS flag here -- the userspace mesh
4504 		 * code doesn't have the bug of including TDLS in the
4505 		 * mask everywhere.
4506 		 */
4507 		if (params->sta_flags_mask &
4508 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4509 				  BIT(NL80211_STA_FLAG_MFP) |
4510 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
4511 			return -EINVAL;
4512 		break;
4513 	case CFG80211_STA_TDLS_PEER_SETUP:
4514 	case CFG80211_STA_TDLS_PEER_ACTIVE:
4515 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
4516 			return -EINVAL;
4517 		/* ignore since it can't change */
4518 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
4519 		break;
4520 	default:
4521 		/* disallow mesh-specific things */
4522 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
4523 			return -EINVAL;
4524 		if (params->local_pm)
4525 			return -EINVAL;
4526 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
4527 			return -EINVAL;
4528 	}
4529 
4530 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
4531 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
4532 		/* TDLS can't be set, ... */
4533 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
4534 			return -EINVAL;
4535 		/*
4536 		 * ... but don't bother the driver with it. This works around
4537 		 * a hostapd/wpa_supplicant issue -- it always includes the
4538 		 * TLDS_PEER flag in the mask even for AP mode.
4539 		 */
4540 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
4541 	}
4542 
4543 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
4544 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
4545 		/* reject other things that can't change */
4546 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
4547 			return -EINVAL;
4548 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
4549 			return -EINVAL;
4550 		if (params->supported_rates)
4551 			return -EINVAL;
4552 		if (params->ext_capab || params->ht_capa || params->vht_capa)
4553 			return -EINVAL;
4554 	}
4555 
4556 	if (statype != CFG80211_STA_AP_CLIENT &&
4557 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
4558 		if (params->vlan)
4559 			return -EINVAL;
4560 	}
4561 
4562 	switch (statype) {
4563 	case CFG80211_STA_AP_MLME_CLIENT:
4564 		/* Use this only for authorizing/unauthorizing a station */
4565 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
4566 			return -EOPNOTSUPP;
4567 		break;
4568 	case CFG80211_STA_AP_CLIENT:
4569 	case CFG80211_STA_AP_CLIENT_UNASSOC:
4570 		/* accept only the listed bits */
4571 		if (params->sta_flags_mask &
4572 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
4573 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4574 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
4575 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
4576 				  BIT(NL80211_STA_FLAG_WME) |
4577 				  BIT(NL80211_STA_FLAG_MFP)))
4578 			return -EINVAL;
4579 
4580 		/* but authenticated/associated only if driver handles it */
4581 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
4582 		    params->sta_flags_mask &
4583 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4584 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
4585 			return -EINVAL;
4586 		break;
4587 	case CFG80211_STA_IBSS:
4588 	case CFG80211_STA_AP_STA:
4589 		/* reject any changes other than AUTHORIZED */
4590 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
4591 			return -EINVAL;
4592 		break;
4593 	case CFG80211_STA_TDLS_PEER_SETUP:
4594 		/* reject any changes other than AUTHORIZED or WME */
4595 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
4596 					       BIT(NL80211_STA_FLAG_WME)))
4597 			return -EINVAL;
4598 		/* force (at least) rates when authorizing */
4599 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
4600 		    !params->supported_rates)
4601 			return -EINVAL;
4602 		break;
4603 	case CFG80211_STA_TDLS_PEER_ACTIVE:
4604 		/* reject any changes */
4605 		return -EINVAL;
4606 	case CFG80211_STA_MESH_PEER_KERNEL:
4607 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
4608 			return -EINVAL;
4609 		break;
4610 	case CFG80211_STA_MESH_PEER_USER:
4611 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
4612 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
4613 			return -EINVAL;
4614 		break;
4615 	}
4616 
4617 	return 0;
4618 }
4619 EXPORT_SYMBOL(cfg80211_check_station_change);
4620 
4621 /*
4622  * Get vlan interface making sure it is running and on the right wiphy.
4623  */
4624 static struct net_device *get_vlan(struct genl_info *info,
4625 				   struct cfg80211_registered_device *rdev)
4626 {
4627 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
4628 	struct net_device *v;
4629 	int ret;
4630 
4631 	if (!vlanattr)
4632 		return NULL;
4633 
4634 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
4635 	if (!v)
4636 		return ERR_PTR(-ENODEV);
4637 
4638 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
4639 		ret = -EINVAL;
4640 		goto error;
4641 	}
4642 
4643 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
4644 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4645 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
4646 		ret = -EINVAL;
4647 		goto error;
4648 	}
4649 
4650 	if (!netif_running(v)) {
4651 		ret = -ENETDOWN;
4652 		goto error;
4653 	}
4654 
4655 	return v;
4656  error:
4657 	dev_put(v);
4658 	return ERR_PTR(ret);
4659 }
4660 
4661 static const struct nla_policy
4662 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
4663 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
4664 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
4665 };
4666 
4667 static int nl80211_parse_sta_wme(struct genl_info *info,
4668 				 struct station_parameters *params)
4669 {
4670 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
4671 	struct nlattr *nla;
4672 	int err;
4673 
4674 	/* parse WME attributes if present */
4675 	if (!info->attrs[NL80211_ATTR_STA_WME])
4676 		return 0;
4677 
4678 	nla = info->attrs[NL80211_ATTR_STA_WME];
4679 	err = nla_parse_nested(tb, NL80211_STA_WME_MAX, nla,
4680 			       nl80211_sta_wme_policy);
4681 	if (err)
4682 		return err;
4683 
4684 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
4685 		params->uapsd_queues = nla_get_u8(
4686 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
4687 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
4688 		return -EINVAL;
4689 
4690 	if (tb[NL80211_STA_WME_MAX_SP])
4691 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
4692 
4693 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
4694 		return -EINVAL;
4695 
4696 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
4697 
4698 	return 0;
4699 }
4700 
4701 static int nl80211_parse_sta_channel_info(struct genl_info *info,
4702 				      struct station_parameters *params)
4703 {
4704 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
4705 		params->supported_channels =
4706 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
4707 		params->supported_channels_len =
4708 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
4709 		/*
4710 		 * Need to include at least one (first channel, number of
4711 		 * channels) tuple for each subband, and must have proper
4712 		 * tuples for the rest of the data as well.
4713 		 */
4714 		if (params->supported_channels_len < 2)
4715 			return -EINVAL;
4716 		if (params->supported_channels_len % 2)
4717 			return -EINVAL;
4718 	}
4719 
4720 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
4721 		params->supported_oper_classes =
4722 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
4723 		params->supported_oper_classes_len =
4724 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
4725 		/*
4726 		 * The value of the Length field of the Supported Operating
4727 		 * Classes element is between 2 and 253.
4728 		 */
4729 		if (params->supported_oper_classes_len < 2 ||
4730 		    params->supported_oper_classes_len > 253)
4731 			return -EINVAL;
4732 	}
4733 	return 0;
4734 }
4735 
4736 static int nl80211_set_station_tdls(struct genl_info *info,
4737 				    struct station_parameters *params)
4738 {
4739 	int err;
4740 	/* Dummy STA entry gets updated once the peer capabilities are known */
4741 	if (info->attrs[NL80211_ATTR_PEER_AID])
4742 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
4743 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
4744 		params->ht_capa =
4745 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
4746 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
4747 		params->vht_capa =
4748 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
4749 
4750 	err = nl80211_parse_sta_channel_info(info, params);
4751 	if (err)
4752 		return err;
4753 
4754 	return nl80211_parse_sta_wme(info, params);
4755 }
4756 
4757 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
4758 {
4759 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4760 	struct net_device *dev = info->user_ptr[1];
4761 	struct station_parameters params;
4762 	u8 *mac_addr;
4763 	int err;
4764 
4765 	memset(&params, 0, sizeof(params));
4766 
4767 	if (!rdev->ops->change_station)
4768 		return -EOPNOTSUPP;
4769 
4770 	/*
4771 	 * AID and listen_interval properties can be set only for unassociated
4772 	 * station. Include these parameters here and will check them in
4773 	 * cfg80211_check_station_change().
4774 	 */
4775 	if (info->attrs[NL80211_ATTR_STA_AID])
4776 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
4777 
4778 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
4779 		params.listen_interval =
4780 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
4781 	else
4782 		params.listen_interval = -1;
4783 
4784 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
4785 		u8 tmp;
4786 
4787 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
4788 		if (tmp >= NUM_NL80211_P2P_PS_STATUS)
4789 			return -EINVAL;
4790 
4791 		params.support_p2p_ps = tmp;
4792 	} else {
4793 		params.support_p2p_ps = -1;
4794 	}
4795 
4796 	if (!info->attrs[NL80211_ATTR_MAC])
4797 		return -EINVAL;
4798 
4799 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4800 
4801 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
4802 		params.supported_rates =
4803 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4804 		params.supported_rates_len =
4805 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4806 	}
4807 
4808 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
4809 		params.capability =
4810 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
4811 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
4812 	}
4813 
4814 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
4815 		params.ext_capab =
4816 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4817 		params.ext_capab_len =
4818 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4819 	}
4820 
4821 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
4822 		return -EINVAL;
4823 
4824 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
4825 		params.plink_action =
4826 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
4827 		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
4828 			return -EINVAL;
4829 	}
4830 
4831 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
4832 		params.plink_state =
4833 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
4834 		if (params.plink_state >= NUM_NL80211_PLINK_STATES)
4835 			return -EINVAL;
4836 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID]) {
4837 			params.peer_aid = nla_get_u16(
4838 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
4839 			if (params.peer_aid > IEEE80211_MAX_AID)
4840 				return -EINVAL;
4841 		}
4842 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
4843 	}
4844 
4845 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]) {
4846 		enum nl80211_mesh_power_mode pm = nla_get_u32(
4847 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
4848 
4849 		if (pm <= NL80211_MESH_POWER_UNKNOWN ||
4850 		    pm > NL80211_MESH_POWER_MAX)
4851 			return -EINVAL;
4852 
4853 		params.local_pm = pm;
4854 	}
4855 
4856 	/* Include parameters for TDLS peer (will check later) */
4857 	err = nl80211_set_station_tdls(info, &params);
4858 	if (err)
4859 		return err;
4860 
4861 	params.vlan = get_vlan(info, rdev);
4862 	if (IS_ERR(params.vlan))
4863 		return PTR_ERR(params.vlan);
4864 
4865 	switch (dev->ieee80211_ptr->iftype) {
4866 	case NL80211_IFTYPE_AP:
4867 	case NL80211_IFTYPE_AP_VLAN:
4868 	case NL80211_IFTYPE_P2P_GO:
4869 	case NL80211_IFTYPE_P2P_CLIENT:
4870 	case NL80211_IFTYPE_STATION:
4871 	case NL80211_IFTYPE_ADHOC:
4872 	case NL80211_IFTYPE_MESH_POINT:
4873 		break;
4874 	default:
4875 		err = -EOPNOTSUPP;
4876 		goto out_put_vlan;
4877 	}
4878 
4879 	/* driver will call cfg80211_check_station_change() */
4880 	err = rdev_change_station(rdev, dev, mac_addr, &params);
4881 
4882  out_put_vlan:
4883 	if (params.vlan)
4884 		dev_put(params.vlan);
4885 
4886 	return err;
4887 }
4888 
4889 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
4890 {
4891 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4892 	int err;
4893 	struct net_device *dev = info->user_ptr[1];
4894 	struct station_parameters params;
4895 	u8 *mac_addr = NULL;
4896 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4897 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
4898 
4899 	memset(&params, 0, sizeof(params));
4900 
4901 	if (!rdev->ops->add_station)
4902 		return -EOPNOTSUPP;
4903 
4904 	if (!info->attrs[NL80211_ATTR_MAC])
4905 		return -EINVAL;
4906 
4907 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
4908 		return -EINVAL;
4909 
4910 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
4911 		return -EINVAL;
4912 
4913 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
4914 	    !info->attrs[NL80211_ATTR_PEER_AID])
4915 		return -EINVAL;
4916 
4917 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4918 	params.supported_rates =
4919 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4920 	params.supported_rates_len =
4921 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4922 	params.listen_interval =
4923 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
4924 
4925 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
4926 		u8 tmp;
4927 
4928 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
4929 		if (tmp >= NUM_NL80211_P2P_PS_STATUS)
4930 			return -EINVAL;
4931 
4932 		params.support_p2p_ps = tmp;
4933 	} else {
4934 		/*
4935 		 * if not specified, assume it's supported for P2P GO interface,
4936 		 * and is NOT supported for AP interface
4937 		 */
4938 		params.support_p2p_ps =
4939 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
4940 	}
4941 
4942 	if (info->attrs[NL80211_ATTR_PEER_AID])
4943 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
4944 	else
4945 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
4946 	if (!params.aid || params.aid > IEEE80211_MAX_AID)
4947 		return -EINVAL;
4948 
4949 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
4950 		params.capability =
4951 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
4952 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
4953 	}
4954 
4955 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
4956 		params.ext_capab =
4957 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4958 		params.ext_capab_len =
4959 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4960 	}
4961 
4962 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
4963 		params.ht_capa =
4964 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
4965 
4966 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
4967 		params.vht_capa =
4968 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
4969 
4970 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
4971 		params.opmode_notif_used = true;
4972 		params.opmode_notif =
4973 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
4974 	}
4975 
4976 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
4977 		params.plink_action =
4978 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
4979 		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
4980 			return -EINVAL;
4981 	}
4982 
4983 	err = nl80211_parse_sta_channel_info(info, &params);
4984 	if (err)
4985 		return err;
4986 
4987 	err = nl80211_parse_sta_wme(info, &params);
4988 	if (err)
4989 		return err;
4990 
4991 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
4992 		return -EINVAL;
4993 
4994 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
4995 	 * as userspace might just pass through the capabilities from the IEs
4996 	 * directly, rather than enforcing this restriction and returning an
4997 	 * error in this case.
4998 	 */
4999 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
5000 		params.ht_capa = NULL;
5001 		params.vht_capa = NULL;
5002 	}
5003 
5004 	/* When you run into this, adjust the code below for the new flag */
5005 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
5006 
5007 	switch (dev->ieee80211_ptr->iftype) {
5008 	case NL80211_IFTYPE_AP:
5009 	case NL80211_IFTYPE_AP_VLAN:
5010 	case NL80211_IFTYPE_P2P_GO:
5011 		/* ignore WME attributes if iface/sta is not capable */
5012 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
5013 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
5014 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
5015 
5016 		/* TDLS peers cannot be added */
5017 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
5018 		    info->attrs[NL80211_ATTR_PEER_AID])
5019 			return -EINVAL;
5020 		/* but don't bother the driver with it */
5021 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5022 
5023 		/* allow authenticated/associated only if driver handles it */
5024 		if (!(rdev->wiphy.features &
5025 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
5026 		    params.sta_flags_mask & auth_assoc)
5027 			return -EINVAL;
5028 
5029 		/* Older userspace, or userspace wanting to be compatible with
5030 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
5031 		 * and assoc flags in the mask, but assumes the station will be
5032 		 * added as associated anyway since this was the required driver
5033 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
5034 		 * introduced.
5035 		 * In order to not bother drivers with this quirk in the API
5036 		 * set the flags in both the mask and set for new stations in
5037 		 * this case.
5038 		 */
5039 		if (!(params.sta_flags_mask & auth_assoc)) {
5040 			params.sta_flags_mask |= auth_assoc;
5041 			params.sta_flags_set |= auth_assoc;
5042 		}
5043 
5044 		/* must be last in here for error handling */
5045 		params.vlan = get_vlan(info, rdev);
5046 		if (IS_ERR(params.vlan))
5047 			return PTR_ERR(params.vlan);
5048 		break;
5049 	case NL80211_IFTYPE_MESH_POINT:
5050 		/* ignore uAPSD data */
5051 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
5052 
5053 		/* associated is disallowed */
5054 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
5055 			return -EINVAL;
5056 		/* TDLS peers cannot be added */
5057 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
5058 		    info->attrs[NL80211_ATTR_PEER_AID])
5059 			return -EINVAL;
5060 		break;
5061 	case NL80211_IFTYPE_STATION:
5062 	case NL80211_IFTYPE_P2P_CLIENT:
5063 		/* ignore uAPSD data */
5064 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
5065 
5066 		/* these are disallowed */
5067 		if (params.sta_flags_mask &
5068 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
5069 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
5070 			return -EINVAL;
5071 		/* Only TDLS peers can be added */
5072 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
5073 			return -EINVAL;
5074 		/* Can only add if TDLS ... */
5075 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
5076 			return -EOPNOTSUPP;
5077 		/* ... with external setup is supported */
5078 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
5079 			return -EOPNOTSUPP;
5080 		/*
5081 		 * Older wpa_supplicant versions always mark the TDLS peer
5082 		 * as authorized, but it shouldn't yet be.
5083 		 */
5084 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
5085 		break;
5086 	default:
5087 		return -EOPNOTSUPP;
5088 	}
5089 
5090 	/* be aware of params.vlan when changing code here */
5091 
5092 	err = rdev_add_station(rdev, dev, mac_addr, &params);
5093 
5094 	if (params.vlan)
5095 		dev_put(params.vlan);
5096 	return err;
5097 }
5098 
5099 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
5100 {
5101 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5102 	struct net_device *dev = info->user_ptr[1];
5103 	struct station_del_parameters params;
5104 
5105 	memset(&params, 0, sizeof(params));
5106 
5107 	if (info->attrs[NL80211_ATTR_MAC])
5108 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
5109 
5110 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5111 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
5112 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
5113 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5114 		return -EINVAL;
5115 
5116 	if (!rdev->ops->del_station)
5117 		return -EOPNOTSUPP;
5118 
5119 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
5120 		params.subtype =
5121 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
5122 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
5123 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
5124 			return -EINVAL;
5125 	} else {
5126 		/* Default to Deauthentication frame */
5127 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
5128 	}
5129 
5130 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
5131 		params.reason_code =
5132 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
5133 		if (params.reason_code == 0)
5134 			return -EINVAL; /* 0 is reserved */
5135 	} else {
5136 		/* Default to reason code 2 */
5137 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
5138 	}
5139 
5140 	return rdev_del_station(rdev, dev, &params);
5141 }
5142 
5143 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
5144 				int flags, struct net_device *dev,
5145 				u8 *dst, u8 *next_hop,
5146 				struct mpath_info *pinfo)
5147 {
5148 	void *hdr;
5149 	struct nlattr *pinfoattr;
5150 
5151 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
5152 	if (!hdr)
5153 		return -1;
5154 
5155 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5156 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
5157 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
5158 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
5159 		goto nla_put_failure;
5160 
5161 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MPATH_INFO);
5162 	if (!pinfoattr)
5163 		goto nla_put_failure;
5164 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
5165 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
5166 			pinfo->frame_qlen))
5167 		goto nla_put_failure;
5168 	if (((pinfo->filled & MPATH_INFO_SN) &&
5169 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
5170 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
5171 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
5172 			 pinfo->metric)) ||
5173 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
5174 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
5175 			 pinfo->exptime)) ||
5176 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
5177 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
5178 			pinfo->flags)) ||
5179 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
5180 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
5181 			 pinfo->discovery_timeout)) ||
5182 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
5183 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
5184 			pinfo->discovery_retries)))
5185 		goto nla_put_failure;
5186 
5187 	nla_nest_end(msg, pinfoattr);
5188 
5189 	genlmsg_end(msg, hdr);
5190 	return 0;
5191 
5192  nla_put_failure:
5193 	genlmsg_cancel(msg, hdr);
5194 	return -EMSGSIZE;
5195 }
5196 
5197 static int nl80211_dump_mpath(struct sk_buff *skb,
5198 			      struct netlink_callback *cb)
5199 {
5200 	struct mpath_info pinfo;
5201 	struct cfg80211_registered_device *rdev;
5202 	struct wireless_dev *wdev;
5203 	u8 dst[ETH_ALEN];
5204 	u8 next_hop[ETH_ALEN];
5205 	int path_idx = cb->args[2];
5206 	int err;
5207 
5208 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
5209 	if (err)
5210 		return err;
5211 
5212 	if (!rdev->ops->dump_mpath) {
5213 		err = -EOPNOTSUPP;
5214 		goto out_err;
5215 	}
5216 
5217 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
5218 		err = -EOPNOTSUPP;
5219 		goto out_err;
5220 	}
5221 
5222 	while (1) {
5223 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
5224 				      next_hop, &pinfo);
5225 		if (err == -ENOENT)
5226 			break;
5227 		if (err)
5228 			goto out_err;
5229 
5230 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
5231 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
5232 				       wdev->netdev, dst, next_hop,
5233 				       &pinfo) < 0)
5234 			goto out;
5235 
5236 		path_idx++;
5237 	}
5238 
5239  out:
5240 	cb->args[2] = path_idx;
5241 	err = skb->len;
5242  out_err:
5243 	nl80211_finish_wdev_dump(rdev);
5244 	return err;
5245 }
5246 
5247 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
5248 {
5249 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5250 	int err;
5251 	struct net_device *dev = info->user_ptr[1];
5252 	struct mpath_info pinfo;
5253 	struct sk_buff *msg;
5254 	u8 *dst = NULL;
5255 	u8 next_hop[ETH_ALEN];
5256 
5257 	memset(&pinfo, 0, sizeof(pinfo));
5258 
5259 	if (!info->attrs[NL80211_ATTR_MAC])
5260 		return -EINVAL;
5261 
5262 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
5263 
5264 	if (!rdev->ops->get_mpath)
5265 		return -EOPNOTSUPP;
5266 
5267 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
5268 		return -EOPNOTSUPP;
5269 
5270 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
5271 	if (err)
5272 		return err;
5273 
5274 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5275 	if (!msg)
5276 		return -ENOMEM;
5277 
5278 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
5279 				 dev, dst, next_hop, &pinfo) < 0) {
5280 		nlmsg_free(msg);
5281 		return -ENOBUFS;
5282 	}
5283 
5284 	return genlmsg_reply(msg, info);
5285 }
5286 
5287 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
5288 {
5289 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5290 	struct net_device *dev = info->user_ptr[1];
5291 	u8 *dst = NULL;
5292 	u8 *next_hop = NULL;
5293 
5294 	if (!info->attrs[NL80211_ATTR_MAC])
5295 		return -EINVAL;
5296 
5297 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
5298 		return -EINVAL;
5299 
5300 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
5301 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
5302 
5303 	if (!rdev->ops->change_mpath)
5304 		return -EOPNOTSUPP;
5305 
5306 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
5307 		return -EOPNOTSUPP;
5308 
5309 	return rdev_change_mpath(rdev, dev, dst, next_hop);
5310 }
5311 
5312 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
5313 {
5314 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5315 	struct net_device *dev = info->user_ptr[1];
5316 	u8 *dst = NULL;
5317 	u8 *next_hop = NULL;
5318 
5319 	if (!info->attrs[NL80211_ATTR_MAC])
5320 		return -EINVAL;
5321 
5322 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
5323 		return -EINVAL;
5324 
5325 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
5326 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
5327 
5328 	if (!rdev->ops->add_mpath)
5329 		return -EOPNOTSUPP;
5330 
5331 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
5332 		return -EOPNOTSUPP;
5333 
5334 	return rdev_add_mpath(rdev, dev, dst, next_hop);
5335 }
5336 
5337 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
5338 {
5339 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5340 	struct net_device *dev = info->user_ptr[1];
5341 	u8 *dst = NULL;
5342 
5343 	if (info->attrs[NL80211_ATTR_MAC])
5344 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
5345 
5346 	if (!rdev->ops->del_mpath)
5347 		return -EOPNOTSUPP;
5348 
5349 	return rdev_del_mpath(rdev, dev, dst);
5350 }
5351 
5352 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
5353 {
5354 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5355 	int err;
5356 	struct net_device *dev = info->user_ptr[1];
5357 	struct mpath_info pinfo;
5358 	struct sk_buff *msg;
5359 	u8 *dst = NULL;
5360 	u8 mpp[ETH_ALEN];
5361 
5362 	memset(&pinfo, 0, sizeof(pinfo));
5363 
5364 	if (!info->attrs[NL80211_ATTR_MAC])
5365 		return -EINVAL;
5366 
5367 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
5368 
5369 	if (!rdev->ops->get_mpp)
5370 		return -EOPNOTSUPP;
5371 
5372 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
5373 		return -EOPNOTSUPP;
5374 
5375 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
5376 	if (err)
5377 		return err;
5378 
5379 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5380 	if (!msg)
5381 		return -ENOMEM;
5382 
5383 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
5384 			       dev, dst, mpp, &pinfo) < 0) {
5385 		nlmsg_free(msg);
5386 		return -ENOBUFS;
5387 	}
5388 
5389 	return genlmsg_reply(msg, info);
5390 }
5391 
5392 static int nl80211_dump_mpp(struct sk_buff *skb,
5393 			    struct netlink_callback *cb)
5394 {
5395 	struct mpath_info pinfo;
5396 	struct cfg80211_registered_device *rdev;
5397 	struct wireless_dev *wdev;
5398 	u8 dst[ETH_ALEN];
5399 	u8 mpp[ETH_ALEN];
5400 	int path_idx = cb->args[2];
5401 	int err;
5402 
5403 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
5404 	if (err)
5405 		return err;
5406 
5407 	if (!rdev->ops->dump_mpp) {
5408 		err = -EOPNOTSUPP;
5409 		goto out_err;
5410 	}
5411 
5412 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
5413 		err = -EOPNOTSUPP;
5414 		goto out_err;
5415 	}
5416 
5417 	while (1) {
5418 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
5419 				    mpp, &pinfo);
5420 		if (err == -ENOENT)
5421 			break;
5422 		if (err)
5423 			goto out_err;
5424 
5425 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
5426 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
5427 				       wdev->netdev, dst, mpp,
5428 				       &pinfo) < 0)
5429 			goto out;
5430 
5431 		path_idx++;
5432 	}
5433 
5434  out:
5435 	cb->args[2] = path_idx;
5436 	err = skb->len;
5437  out_err:
5438 	nl80211_finish_wdev_dump(rdev);
5439 	return err;
5440 }
5441 
5442 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
5443 {
5444 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5445 	struct net_device *dev = info->user_ptr[1];
5446 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5447 	struct bss_parameters params;
5448 	int err;
5449 
5450 	memset(&params, 0, sizeof(params));
5451 	/* default to not changing parameters */
5452 	params.use_cts_prot = -1;
5453 	params.use_short_preamble = -1;
5454 	params.use_short_slot_time = -1;
5455 	params.ap_isolate = -1;
5456 	params.ht_opmode = -1;
5457 	params.p2p_ctwindow = -1;
5458 	params.p2p_opp_ps = -1;
5459 
5460 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
5461 		params.use_cts_prot =
5462 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
5463 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
5464 		params.use_short_preamble =
5465 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
5466 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
5467 		params.use_short_slot_time =
5468 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
5469 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
5470 		params.basic_rates =
5471 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
5472 		params.basic_rates_len =
5473 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
5474 	}
5475 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
5476 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
5477 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
5478 		params.ht_opmode =
5479 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
5480 
5481 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
5482 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5483 			return -EINVAL;
5484 		params.p2p_ctwindow =
5485 			nla_get_s8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
5486 		if (params.p2p_ctwindow < 0)
5487 			return -EINVAL;
5488 		if (params.p2p_ctwindow != 0 &&
5489 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
5490 			return -EINVAL;
5491 	}
5492 
5493 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
5494 		u8 tmp;
5495 
5496 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5497 			return -EINVAL;
5498 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
5499 		if (tmp > 1)
5500 			return -EINVAL;
5501 		params.p2p_opp_ps = tmp;
5502 		if (params.p2p_opp_ps &&
5503 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
5504 			return -EINVAL;
5505 	}
5506 
5507 	if (!rdev->ops->change_bss)
5508 		return -EOPNOTSUPP;
5509 
5510 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5511 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5512 		return -EOPNOTSUPP;
5513 
5514 	wdev_lock(wdev);
5515 	err = rdev_change_bss(rdev, dev, &params);
5516 	wdev_unlock(wdev);
5517 
5518 	return err;
5519 }
5520 
5521 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
5522 {
5523 	char *data = NULL;
5524 	bool is_indoor;
5525 	enum nl80211_user_reg_hint_type user_reg_hint_type;
5526 	u32 owner_nlportid;
5527 
5528 	/*
5529 	 * You should only get this when cfg80211 hasn't yet initialized
5530 	 * completely when built-in to the kernel right between the time
5531 	 * window between nl80211_init() and regulatory_init(), if that is
5532 	 * even possible.
5533 	 */
5534 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
5535 		return -EINPROGRESS;
5536 
5537 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
5538 		user_reg_hint_type =
5539 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
5540 	else
5541 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
5542 
5543 	switch (user_reg_hint_type) {
5544 	case NL80211_USER_REG_HINT_USER:
5545 	case NL80211_USER_REG_HINT_CELL_BASE:
5546 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
5547 			return -EINVAL;
5548 
5549 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
5550 		return regulatory_hint_user(data, user_reg_hint_type);
5551 	case NL80211_USER_REG_HINT_INDOOR:
5552 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
5553 			owner_nlportid = info->snd_portid;
5554 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
5555 		} else {
5556 			owner_nlportid = 0;
5557 			is_indoor = true;
5558 		}
5559 
5560 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
5561 	default:
5562 		return -EINVAL;
5563 	}
5564 }
5565 
5566 static int nl80211_get_mesh_config(struct sk_buff *skb,
5567 				   struct genl_info *info)
5568 {
5569 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5570 	struct net_device *dev = info->user_ptr[1];
5571 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5572 	struct mesh_config cur_params;
5573 	int err = 0;
5574 	void *hdr;
5575 	struct nlattr *pinfoattr;
5576 	struct sk_buff *msg;
5577 
5578 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
5579 		return -EOPNOTSUPP;
5580 
5581 	if (!rdev->ops->get_mesh_config)
5582 		return -EOPNOTSUPP;
5583 
5584 	wdev_lock(wdev);
5585 	/* If not connected, get default parameters */
5586 	if (!wdev->mesh_id_len)
5587 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
5588 	else
5589 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
5590 	wdev_unlock(wdev);
5591 
5592 	if (err)
5593 		return err;
5594 
5595 	/* Draw up a netlink message to send back */
5596 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5597 	if (!msg)
5598 		return -ENOMEM;
5599 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
5600 			     NL80211_CMD_GET_MESH_CONFIG);
5601 	if (!hdr)
5602 		goto out;
5603 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MESH_CONFIG);
5604 	if (!pinfoattr)
5605 		goto nla_put_failure;
5606 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5607 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
5608 			cur_params.dot11MeshRetryTimeout) ||
5609 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
5610 			cur_params.dot11MeshConfirmTimeout) ||
5611 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
5612 			cur_params.dot11MeshHoldingTimeout) ||
5613 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
5614 			cur_params.dot11MeshMaxPeerLinks) ||
5615 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
5616 		       cur_params.dot11MeshMaxRetries) ||
5617 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
5618 		       cur_params.dot11MeshTTL) ||
5619 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
5620 		       cur_params.element_ttl) ||
5621 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
5622 		       cur_params.auto_open_plinks) ||
5623 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
5624 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
5625 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
5626 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
5627 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
5628 			cur_params.path_refresh_time) ||
5629 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
5630 			cur_params.min_discovery_timeout) ||
5631 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
5632 			cur_params.dot11MeshHWMPactivePathTimeout) ||
5633 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
5634 			cur_params.dot11MeshHWMPpreqMinInterval) ||
5635 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
5636 			cur_params.dot11MeshHWMPperrMinInterval) ||
5637 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
5638 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
5639 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
5640 		       cur_params.dot11MeshHWMPRootMode) ||
5641 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
5642 			cur_params.dot11MeshHWMPRannInterval) ||
5643 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
5644 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
5645 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
5646 		       cur_params.dot11MeshForwarding) ||
5647 	    nla_put_u32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
5648 			cur_params.rssi_threshold) ||
5649 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
5650 			cur_params.ht_opmode) ||
5651 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
5652 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
5653 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
5654 			cur_params.dot11MeshHWMProotInterval) ||
5655 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
5656 			cur_params.dot11MeshHWMPconfirmationInterval) ||
5657 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
5658 			cur_params.power_mode) ||
5659 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
5660 			cur_params.dot11MeshAwakeWindowDuration) ||
5661 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
5662 			cur_params.plink_timeout))
5663 		goto nla_put_failure;
5664 	nla_nest_end(msg, pinfoattr);
5665 	genlmsg_end(msg, hdr);
5666 	return genlmsg_reply(msg, info);
5667 
5668  nla_put_failure:
5669 	genlmsg_cancel(msg, hdr);
5670  out:
5671 	nlmsg_free(msg);
5672 	return -ENOBUFS;
5673 }
5674 
5675 static const struct nla_policy nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
5676 	[NL80211_MESHCONF_RETRY_TIMEOUT] = { .type = NLA_U16 },
5677 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] = { .type = NLA_U16 },
5678 	[NL80211_MESHCONF_HOLDING_TIMEOUT] = { .type = NLA_U16 },
5679 	[NL80211_MESHCONF_MAX_PEER_LINKS] = { .type = NLA_U16 },
5680 	[NL80211_MESHCONF_MAX_RETRIES] = { .type = NLA_U8 },
5681 	[NL80211_MESHCONF_TTL] = { .type = NLA_U8 },
5682 	[NL80211_MESHCONF_ELEMENT_TTL] = { .type = NLA_U8 },
5683 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = { .type = NLA_U8 },
5684 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] = { .type = NLA_U32 },
5685 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
5686 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
5687 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = { .type = NLA_U16 },
5688 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
5689 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] = { .type = NLA_U16 },
5690 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] = { .type = NLA_U16 },
5691 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] = { .type = NLA_U16 },
5692 	[NL80211_MESHCONF_HWMP_ROOTMODE] = { .type = NLA_U8 },
5693 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] = { .type = NLA_U16 },
5694 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = { .type = NLA_U8 },
5695 	[NL80211_MESHCONF_FORWARDING] = { .type = NLA_U8 },
5696 	[NL80211_MESHCONF_RSSI_THRESHOLD] = { .type = NLA_U32 },
5697 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
5698 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
5699 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] = { .type = NLA_U16 },
5700 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] = { .type = NLA_U16 },
5701 	[NL80211_MESHCONF_POWER_MODE] = { .type = NLA_U32 },
5702 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
5703 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
5704 };
5705 
5706 static const struct nla_policy
5707 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
5708 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
5709 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
5710 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
5711 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
5712 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
5713 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
5714 	[NL80211_MESH_SETUP_IE] = { .type = NLA_BINARY,
5715 				    .len = IEEE80211_MAX_DATA_LEN },
5716 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
5717 };
5718 
5719 static int nl80211_check_bool(const struct nlattr *nla, u8 min, u8 max, bool *out)
5720 {
5721 	u8 val = nla_get_u8(nla);
5722 	if (val < min || val > max)
5723 		return -EINVAL;
5724 	*out = val;
5725 	return 0;
5726 }
5727 
5728 static int nl80211_check_u8(const struct nlattr *nla, u8 min, u8 max, u8 *out)
5729 {
5730 	u8 val = nla_get_u8(nla);
5731 	if (val < min || val > max)
5732 		return -EINVAL;
5733 	*out = val;
5734 	return 0;
5735 }
5736 
5737 static int nl80211_check_u16(const struct nlattr *nla, u16 min, u16 max, u16 *out)
5738 {
5739 	u16 val = nla_get_u16(nla);
5740 	if (val < min || val > max)
5741 		return -EINVAL;
5742 	*out = val;
5743 	return 0;
5744 }
5745 
5746 static int nl80211_check_u32(const struct nlattr *nla, u32 min, u32 max, u32 *out)
5747 {
5748 	u32 val = nla_get_u32(nla);
5749 	if (val < min || val > max)
5750 		return -EINVAL;
5751 	*out = val;
5752 	return 0;
5753 }
5754 
5755 static int nl80211_check_s32(const struct nlattr *nla, s32 min, s32 max, s32 *out)
5756 {
5757 	s32 val = nla_get_s32(nla);
5758 	if (val < min || val > max)
5759 		return -EINVAL;
5760 	*out = val;
5761 	return 0;
5762 }
5763 
5764 static int nl80211_check_power_mode(const struct nlattr *nla,
5765 				    enum nl80211_mesh_power_mode min,
5766 				    enum nl80211_mesh_power_mode max,
5767 				    enum nl80211_mesh_power_mode *out)
5768 {
5769 	u32 val = nla_get_u32(nla);
5770 	if (val < min || val > max)
5771 		return -EINVAL;
5772 	*out = val;
5773 	return 0;
5774 }
5775 
5776 static int nl80211_parse_mesh_config(struct genl_info *info,
5777 				     struct mesh_config *cfg,
5778 				     u32 *mask_out)
5779 {
5780 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
5781 	u32 mask = 0;
5782 	u16 ht_opmode;
5783 
5784 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, min, max, mask, attr, fn) \
5785 do {									    \
5786 	if (tb[attr]) {							    \
5787 		if (fn(tb[attr], min, max, &cfg->param))		    \
5788 			return -EINVAL;					    \
5789 		mask |= (1 << (attr - 1));				    \
5790 	}								    \
5791 } while (0)
5792 
5793 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
5794 		return -EINVAL;
5795 	if (nla_parse_nested(tb, NL80211_MESHCONF_ATTR_MAX,
5796 			     info->attrs[NL80211_ATTR_MESH_CONFIG],
5797 			     nl80211_meshconf_params_policy))
5798 		return -EINVAL;
5799 
5800 	/* This makes sure that there aren't more than 32 mesh config
5801 	 * parameters (otherwise our bitfield scheme would not work.) */
5802 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
5803 
5804 	/* Fill in the params struct */
5805 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, 1, 255,
5806 				  mask, NL80211_MESHCONF_RETRY_TIMEOUT,
5807 				  nl80211_check_u16);
5808 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, 1, 255,
5809 				  mask, NL80211_MESHCONF_CONFIRM_TIMEOUT,
5810 				  nl80211_check_u16);
5811 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, 1, 255,
5812 				  mask, NL80211_MESHCONF_HOLDING_TIMEOUT,
5813 				  nl80211_check_u16);
5814 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, 0, 255,
5815 				  mask, NL80211_MESHCONF_MAX_PEER_LINKS,
5816 				  nl80211_check_u16);
5817 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, 0, 16,
5818 				  mask, NL80211_MESHCONF_MAX_RETRIES,
5819 				  nl80211_check_u8);
5820 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, 1, 255,
5821 				  mask, NL80211_MESHCONF_TTL, nl80211_check_u8);
5822 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, 1, 255,
5823 				  mask, NL80211_MESHCONF_ELEMENT_TTL,
5824 				  nl80211_check_u8);
5825 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, 0, 1,
5826 				  mask, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
5827 				  nl80211_check_bool);
5828 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
5829 				  1, 255, mask,
5830 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
5831 				  nl80211_check_u32);
5832 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, 0, 255,
5833 				  mask, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
5834 				  nl80211_check_u8);
5835 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, 1, 65535,
5836 				  mask, NL80211_MESHCONF_PATH_REFRESH_TIME,
5837 				  nl80211_check_u32);
5838 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, 1, 65535,
5839 				  mask, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
5840 				  nl80211_check_u16);
5841 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
5842 				  1, 65535, mask,
5843 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
5844 				  nl80211_check_u32);
5845 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval,
5846 				  1, 65535, mask,
5847 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
5848 				  nl80211_check_u16);
5849 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval,
5850 				  1, 65535, mask,
5851 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
5852 				  nl80211_check_u16);
5853 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5854 				  dot11MeshHWMPnetDiameterTraversalTime,
5855 				  1, 65535, mask,
5856 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
5857 				  nl80211_check_u16);
5858 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, 0, 4,
5859 				  mask, NL80211_MESHCONF_HWMP_ROOTMODE,
5860 				  nl80211_check_u8);
5861 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, 1, 65535,
5862 				  mask, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
5863 				  nl80211_check_u16);
5864 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5865 				  dot11MeshGateAnnouncementProtocol, 0, 1,
5866 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
5867 				  nl80211_check_bool);
5868 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, 0, 1,
5869 				  mask, NL80211_MESHCONF_FORWARDING,
5870 				  nl80211_check_bool);
5871 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, -255, 0,
5872 				  mask, NL80211_MESHCONF_RSSI_THRESHOLD,
5873 				  nl80211_check_s32);
5874 	/*
5875 	 * Check HT operation mode based on
5876 	 * IEEE 802.11 2012 8.4.2.59 HT Operation element.
5877 	 */
5878 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
5879 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
5880 
5881 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
5882 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
5883 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
5884 			return -EINVAL;
5885 
5886 		if ((ht_opmode & IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT) &&
5887 		    (ht_opmode & IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
5888 			return -EINVAL;
5889 
5890 		switch (ht_opmode & IEEE80211_HT_OP_MODE_PROTECTION) {
5891 		case IEEE80211_HT_OP_MODE_PROTECTION_NONE:
5892 		case IEEE80211_HT_OP_MODE_PROTECTION_20MHZ:
5893 			if (ht_opmode & IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT)
5894 				return -EINVAL;
5895 			break;
5896 		case IEEE80211_HT_OP_MODE_PROTECTION_NONMEMBER:
5897 		case IEEE80211_HT_OP_MODE_PROTECTION_NONHT_MIXED:
5898 			if (!(ht_opmode & IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
5899 				return -EINVAL;
5900 			break;
5901 		}
5902 		cfg->ht_opmode = ht_opmode;
5903 	}
5904 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathToRootTimeout,
5905 				  1, 65535, mask,
5906 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
5907 				  nl80211_check_u32);
5908 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, 1, 65535,
5909 				  mask, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
5910 				  nl80211_check_u16);
5911 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5912 				  dot11MeshHWMPconfirmationInterval,
5913 				  1, 65535, mask,
5914 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
5915 				  nl80211_check_u16);
5916 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode,
5917 				  NL80211_MESH_POWER_ACTIVE,
5918 				  NL80211_MESH_POWER_MAX,
5919 				  mask, NL80211_MESHCONF_POWER_MODE,
5920 				  nl80211_check_power_mode);
5921 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration,
5922 				  0, 65535, mask,
5923 				  NL80211_MESHCONF_AWAKE_WINDOW, nl80211_check_u16);
5924 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, 0, 0xffffffff,
5925 				  mask, NL80211_MESHCONF_PLINK_TIMEOUT,
5926 				  nl80211_check_u32);
5927 	if (mask_out)
5928 		*mask_out = mask;
5929 
5930 	return 0;
5931 
5932 #undef FILL_IN_MESH_PARAM_IF_SET
5933 }
5934 
5935 static int nl80211_parse_mesh_setup(struct genl_info *info,
5936 				     struct mesh_setup *setup)
5937 {
5938 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5939 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
5940 
5941 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
5942 		return -EINVAL;
5943 	if (nla_parse_nested(tb, NL80211_MESH_SETUP_ATTR_MAX,
5944 			     info->attrs[NL80211_ATTR_MESH_SETUP],
5945 			     nl80211_mesh_setup_params_policy))
5946 		return -EINVAL;
5947 
5948 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
5949 		setup->sync_method =
5950 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
5951 		 IEEE80211_SYNC_METHOD_VENDOR :
5952 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
5953 
5954 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
5955 		setup->path_sel_proto =
5956 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
5957 		 IEEE80211_PATH_PROTOCOL_VENDOR :
5958 		 IEEE80211_PATH_PROTOCOL_HWMP;
5959 
5960 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
5961 		setup->path_metric =
5962 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
5963 		 IEEE80211_PATH_METRIC_VENDOR :
5964 		 IEEE80211_PATH_METRIC_AIRTIME;
5965 
5966 	if (tb[NL80211_MESH_SETUP_IE]) {
5967 		struct nlattr *ieattr =
5968 			tb[NL80211_MESH_SETUP_IE];
5969 		if (!is_valid_ie_attr(ieattr))
5970 			return -EINVAL;
5971 		setup->ie = nla_data(ieattr);
5972 		setup->ie_len = nla_len(ieattr);
5973 	}
5974 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
5975 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
5976 		return -EINVAL;
5977 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
5978 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
5979 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
5980 	if (setup->is_secure)
5981 		setup->user_mpm = true;
5982 
5983 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
5984 		if (!setup->user_mpm)
5985 			return -EINVAL;
5986 		setup->auth_id =
5987 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
5988 	}
5989 
5990 	return 0;
5991 }
5992 
5993 static int nl80211_update_mesh_config(struct sk_buff *skb,
5994 				      struct genl_info *info)
5995 {
5996 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5997 	struct net_device *dev = info->user_ptr[1];
5998 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5999 	struct mesh_config cfg;
6000 	u32 mask;
6001 	int err;
6002 
6003 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
6004 		return -EOPNOTSUPP;
6005 
6006 	if (!rdev->ops->update_mesh_config)
6007 		return -EOPNOTSUPP;
6008 
6009 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
6010 	if (err)
6011 		return err;
6012 
6013 	wdev_lock(wdev);
6014 	if (!wdev->mesh_id_len)
6015 		err = -ENOLINK;
6016 
6017 	if (!err)
6018 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
6019 
6020 	wdev_unlock(wdev);
6021 
6022 	return err;
6023 }
6024 
6025 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
6026 			      struct sk_buff *msg)
6027 {
6028 	struct nlattr *nl_reg_rules;
6029 	unsigned int i;
6030 
6031 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
6032 	    (regdom->dfs_region &&
6033 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
6034 		goto nla_put_failure;
6035 
6036 	nl_reg_rules = nla_nest_start(msg, NL80211_ATTR_REG_RULES);
6037 	if (!nl_reg_rules)
6038 		goto nla_put_failure;
6039 
6040 	for (i = 0; i < regdom->n_reg_rules; i++) {
6041 		struct nlattr *nl_reg_rule;
6042 		const struct ieee80211_reg_rule *reg_rule;
6043 		const struct ieee80211_freq_range *freq_range;
6044 		const struct ieee80211_power_rule *power_rule;
6045 		unsigned int max_bandwidth_khz;
6046 
6047 		reg_rule = &regdom->reg_rules[i];
6048 		freq_range = &reg_rule->freq_range;
6049 		power_rule = &reg_rule->power_rule;
6050 
6051 		nl_reg_rule = nla_nest_start(msg, i);
6052 		if (!nl_reg_rule)
6053 			goto nla_put_failure;
6054 
6055 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
6056 		if (!max_bandwidth_khz)
6057 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
6058 								  reg_rule);
6059 
6060 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
6061 				reg_rule->flags) ||
6062 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
6063 				freq_range->start_freq_khz) ||
6064 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
6065 				freq_range->end_freq_khz) ||
6066 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
6067 				max_bandwidth_khz) ||
6068 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
6069 				power_rule->max_antenna_gain) ||
6070 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
6071 				power_rule->max_eirp) ||
6072 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
6073 				reg_rule->dfs_cac_ms))
6074 			goto nla_put_failure;
6075 
6076 		nla_nest_end(msg, nl_reg_rule);
6077 	}
6078 
6079 	nla_nest_end(msg, nl_reg_rules);
6080 	return 0;
6081 
6082 nla_put_failure:
6083 	return -EMSGSIZE;
6084 }
6085 
6086 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
6087 {
6088 	const struct ieee80211_regdomain *regdom = NULL;
6089 	struct cfg80211_registered_device *rdev;
6090 	struct wiphy *wiphy = NULL;
6091 	struct sk_buff *msg;
6092 	void *hdr;
6093 
6094 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6095 	if (!msg)
6096 		return -ENOBUFS;
6097 
6098 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
6099 			     NL80211_CMD_GET_REG);
6100 	if (!hdr)
6101 		goto put_failure;
6102 
6103 	if (info->attrs[NL80211_ATTR_WIPHY]) {
6104 		bool self_managed;
6105 
6106 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
6107 		if (IS_ERR(rdev)) {
6108 			nlmsg_free(msg);
6109 			return PTR_ERR(rdev);
6110 		}
6111 
6112 		wiphy = &rdev->wiphy;
6113 		self_managed = wiphy->regulatory_flags &
6114 			       REGULATORY_WIPHY_SELF_MANAGED;
6115 		regdom = get_wiphy_regdom(wiphy);
6116 
6117 		/* a self-managed-reg device must have a private regdom */
6118 		if (WARN_ON(!regdom && self_managed)) {
6119 			nlmsg_free(msg);
6120 			return -EINVAL;
6121 		}
6122 
6123 		if (regdom &&
6124 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
6125 			goto nla_put_failure;
6126 	}
6127 
6128 	if (!wiphy && reg_last_request_cell_base() &&
6129 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
6130 			NL80211_USER_REG_HINT_CELL_BASE))
6131 		goto nla_put_failure;
6132 
6133 	rcu_read_lock();
6134 
6135 	if (!regdom)
6136 		regdom = rcu_dereference(cfg80211_regdomain);
6137 
6138 	if (nl80211_put_regdom(regdom, msg))
6139 		goto nla_put_failure_rcu;
6140 
6141 	rcu_read_unlock();
6142 
6143 	genlmsg_end(msg, hdr);
6144 	return genlmsg_reply(msg, info);
6145 
6146 nla_put_failure_rcu:
6147 	rcu_read_unlock();
6148 nla_put_failure:
6149 	genlmsg_cancel(msg, hdr);
6150 put_failure:
6151 	nlmsg_free(msg);
6152 	return -EMSGSIZE;
6153 }
6154 
6155 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
6156 			       u32 seq, int flags, struct wiphy *wiphy,
6157 			       const struct ieee80211_regdomain *regdom)
6158 {
6159 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
6160 				   NL80211_CMD_GET_REG);
6161 
6162 	if (!hdr)
6163 		return -1;
6164 
6165 	genl_dump_check_consistent(cb, hdr, &nl80211_fam);
6166 
6167 	if (nl80211_put_regdom(regdom, msg))
6168 		goto nla_put_failure;
6169 
6170 	if (!wiphy && reg_last_request_cell_base() &&
6171 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
6172 			NL80211_USER_REG_HINT_CELL_BASE))
6173 		goto nla_put_failure;
6174 
6175 	if (wiphy &&
6176 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
6177 		goto nla_put_failure;
6178 
6179 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
6180 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
6181 		goto nla_put_failure;
6182 
6183 	genlmsg_end(msg, hdr);
6184 	return 0;
6185 
6186 nla_put_failure:
6187 	genlmsg_cancel(msg, hdr);
6188 	return -EMSGSIZE;
6189 }
6190 
6191 static int nl80211_get_reg_dump(struct sk_buff *skb,
6192 				struct netlink_callback *cb)
6193 {
6194 	const struct ieee80211_regdomain *regdom = NULL;
6195 	struct cfg80211_registered_device *rdev;
6196 	int err, reg_idx, start = cb->args[2];
6197 
6198 	rtnl_lock();
6199 
6200 	if (cfg80211_regdomain && start == 0) {
6201 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
6202 					  NLM_F_MULTI, NULL,
6203 					  rtnl_dereference(cfg80211_regdomain));
6204 		if (err < 0)
6205 			goto out_err;
6206 	}
6207 
6208 	/* the global regdom is idx 0 */
6209 	reg_idx = 1;
6210 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
6211 		regdom = get_wiphy_regdom(&rdev->wiphy);
6212 		if (!regdom)
6213 			continue;
6214 
6215 		if (++reg_idx <= start)
6216 			continue;
6217 
6218 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
6219 					  NLM_F_MULTI, &rdev->wiphy, regdom);
6220 		if (err < 0) {
6221 			reg_idx--;
6222 			break;
6223 		}
6224 	}
6225 
6226 	cb->args[2] = reg_idx;
6227 	err = skb->len;
6228 out_err:
6229 	rtnl_unlock();
6230 	return err;
6231 }
6232 
6233 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
6234 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
6235 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
6236 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
6237 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
6238 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
6239 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
6240 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
6241 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
6242 };
6243 
6244 static int parse_reg_rule(struct nlattr *tb[],
6245 	struct ieee80211_reg_rule *reg_rule)
6246 {
6247 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
6248 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
6249 
6250 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
6251 		return -EINVAL;
6252 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
6253 		return -EINVAL;
6254 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
6255 		return -EINVAL;
6256 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
6257 		return -EINVAL;
6258 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
6259 		return -EINVAL;
6260 
6261 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
6262 
6263 	freq_range->start_freq_khz =
6264 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
6265 	freq_range->end_freq_khz =
6266 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
6267 	freq_range->max_bandwidth_khz =
6268 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
6269 
6270 	power_rule->max_eirp =
6271 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
6272 
6273 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
6274 		power_rule->max_antenna_gain =
6275 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
6276 
6277 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
6278 		reg_rule->dfs_cac_ms =
6279 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
6280 
6281 	return 0;
6282 }
6283 
6284 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
6285 {
6286 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
6287 	struct nlattr *nl_reg_rule;
6288 	char *alpha2;
6289 	int rem_reg_rules, r;
6290 	u32 num_rules = 0, rule_idx = 0, size_of_regd;
6291 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
6292 	struct ieee80211_regdomain *rd;
6293 
6294 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
6295 		return -EINVAL;
6296 
6297 	if (!info->attrs[NL80211_ATTR_REG_RULES])
6298 		return -EINVAL;
6299 
6300 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
6301 
6302 	if (info->attrs[NL80211_ATTR_DFS_REGION])
6303 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
6304 
6305 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
6306 			    rem_reg_rules) {
6307 		num_rules++;
6308 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
6309 			return -EINVAL;
6310 	}
6311 
6312 	if (!reg_is_valid_request(alpha2))
6313 		return -EINVAL;
6314 
6315 	size_of_regd = sizeof(struct ieee80211_regdomain) +
6316 		       num_rules * sizeof(struct ieee80211_reg_rule);
6317 
6318 	rd = kzalloc(size_of_regd, GFP_KERNEL);
6319 	if (!rd)
6320 		return -ENOMEM;
6321 
6322 	rd->n_reg_rules = num_rules;
6323 	rd->alpha2[0] = alpha2[0];
6324 	rd->alpha2[1] = alpha2[1];
6325 
6326 	/*
6327 	 * Disable DFS master mode if the DFS region was
6328 	 * not supported or known on this kernel.
6329 	 */
6330 	if (reg_supported_dfs_region(dfs_region))
6331 		rd->dfs_region = dfs_region;
6332 
6333 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
6334 			    rem_reg_rules) {
6335 		r = nla_parse_nested(tb, NL80211_REG_RULE_ATTR_MAX,
6336 				     nl_reg_rule, reg_rule_policy);
6337 		if (r)
6338 			goto bad_reg;
6339 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
6340 		if (r)
6341 			goto bad_reg;
6342 
6343 		rule_idx++;
6344 
6345 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
6346 			r = -EINVAL;
6347 			goto bad_reg;
6348 		}
6349 	}
6350 
6351 	/* set_regdom takes ownership of rd */
6352 	return set_regdom(rd, REGD_SOURCE_CRDA);
6353  bad_reg:
6354 	kfree(rd);
6355 	return r;
6356 }
6357 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
6358 
6359 static int validate_scan_freqs(struct nlattr *freqs)
6360 {
6361 	struct nlattr *attr1, *attr2;
6362 	int n_channels = 0, tmp1, tmp2;
6363 
6364 	nla_for_each_nested(attr1, freqs, tmp1) {
6365 		n_channels++;
6366 		/*
6367 		 * Some hardware has a limited channel list for
6368 		 * scanning, and it is pretty much nonsensical
6369 		 * to scan for a channel twice, so disallow that
6370 		 * and don't require drivers to check that the
6371 		 * channel list they get isn't longer than what
6372 		 * they can scan, as long as they can scan all
6373 		 * the channels they registered at once.
6374 		 */
6375 		nla_for_each_nested(attr2, freqs, tmp2)
6376 			if (attr1 != attr2 &&
6377 			    nla_get_u32(attr1) == nla_get_u32(attr2))
6378 				return 0;
6379 	}
6380 
6381 	return n_channels;
6382 }
6383 
6384 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
6385 {
6386 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
6387 }
6388 
6389 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
6390 			    struct cfg80211_bss_selection *bss_select)
6391 {
6392 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
6393 	struct nlattr *nest;
6394 	int err;
6395 	bool found = false;
6396 	int i;
6397 
6398 	/* only process one nested attribute */
6399 	nest = nla_data(nla);
6400 	if (!nla_ok(nest, nla_len(nest)))
6401 		return -EINVAL;
6402 
6403 	err = nla_parse_nested(attr, NL80211_BSS_SELECT_ATTR_MAX, nest,
6404 			       nl80211_bss_select_policy);
6405 	if (err)
6406 		return err;
6407 
6408 	/* only one attribute may be given */
6409 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
6410 		if (attr[i]) {
6411 			if (found)
6412 				return -EINVAL;
6413 			found = true;
6414 		}
6415 	}
6416 
6417 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
6418 
6419 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
6420 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
6421 
6422 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
6423 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
6424 		bss_select->param.band_pref =
6425 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
6426 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
6427 			return -EINVAL;
6428 	}
6429 
6430 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
6431 		struct nl80211_bss_select_rssi_adjust *adj_param;
6432 
6433 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
6434 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
6435 		bss_select->param.adjust.band = adj_param->band;
6436 		bss_select->param.adjust.delta = adj_param->delta;
6437 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
6438 			return -EINVAL;
6439 	}
6440 
6441 	/* user-space did not provide behaviour attribute */
6442 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
6443 		return -EINVAL;
6444 
6445 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
6446 		return -EINVAL;
6447 
6448 	return 0;
6449 }
6450 
6451 static int nl80211_parse_random_mac(struct nlattr **attrs,
6452 				    u8 *mac_addr, u8 *mac_addr_mask)
6453 {
6454 	int i;
6455 
6456 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
6457 		eth_zero_addr(mac_addr);
6458 		eth_zero_addr(mac_addr_mask);
6459 		mac_addr[0] = 0x2;
6460 		mac_addr_mask[0] = 0x3;
6461 
6462 		return 0;
6463 	}
6464 
6465 	/* need both or none */
6466 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
6467 		return -EINVAL;
6468 
6469 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
6470 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
6471 
6472 	/* don't allow or configure an mcast address */
6473 	if (!is_multicast_ether_addr(mac_addr_mask) ||
6474 	    is_multicast_ether_addr(mac_addr))
6475 		return -EINVAL;
6476 
6477 	/*
6478 	 * allow users to pass a MAC address that has bits set outside
6479 	 * of the mask, but don't bother drivers with having to deal
6480 	 * with such bits
6481 	 */
6482 	for (i = 0; i < ETH_ALEN; i++)
6483 		mac_addr[i] &= mac_addr_mask[i];
6484 
6485 	return 0;
6486 }
6487 
6488 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
6489 {
6490 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6491 	struct wireless_dev *wdev = info->user_ptr[1];
6492 	struct cfg80211_scan_request *request;
6493 	struct nlattr *attr;
6494 	struct wiphy *wiphy;
6495 	int err, tmp, n_ssids = 0, n_channels, i;
6496 	size_t ie_len;
6497 
6498 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6499 		return -EINVAL;
6500 
6501 	wiphy = &rdev->wiphy;
6502 
6503 	if (wdev->iftype == NL80211_IFTYPE_NAN)
6504 		return -EOPNOTSUPP;
6505 
6506 	if (!rdev->ops->scan)
6507 		return -EOPNOTSUPP;
6508 
6509 	if (rdev->scan_req || rdev->scan_msg) {
6510 		err = -EBUSY;
6511 		goto unlock;
6512 	}
6513 
6514 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
6515 		n_channels = validate_scan_freqs(
6516 				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
6517 		if (!n_channels) {
6518 			err = -EINVAL;
6519 			goto unlock;
6520 		}
6521 	} else {
6522 		n_channels = ieee80211_get_num_supported_channels(wiphy);
6523 	}
6524 
6525 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
6526 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
6527 			n_ssids++;
6528 
6529 	if (n_ssids > wiphy->max_scan_ssids) {
6530 		err = -EINVAL;
6531 		goto unlock;
6532 	}
6533 
6534 	if (info->attrs[NL80211_ATTR_IE])
6535 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6536 	else
6537 		ie_len = 0;
6538 
6539 	if (ie_len > wiphy->max_scan_ie_len) {
6540 		err = -EINVAL;
6541 		goto unlock;
6542 	}
6543 
6544 	request = kzalloc(sizeof(*request)
6545 			+ sizeof(*request->ssids) * n_ssids
6546 			+ sizeof(*request->channels) * n_channels
6547 			+ ie_len, GFP_KERNEL);
6548 	if (!request) {
6549 		err = -ENOMEM;
6550 		goto unlock;
6551 	}
6552 
6553 	if (n_ssids)
6554 		request->ssids = (void *)&request->channels[n_channels];
6555 	request->n_ssids = n_ssids;
6556 	if (ie_len) {
6557 		if (n_ssids)
6558 			request->ie = (void *)(request->ssids + n_ssids);
6559 		else
6560 			request->ie = (void *)(request->channels + n_channels);
6561 	}
6562 
6563 	i = 0;
6564 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
6565 		/* user specified, bail out if channel not found */
6566 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
6567 			struct ieee80211_channel *chan;
6568 
6569 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
6570 
6571 			if (!chan) {
6572 				err = -EINVAL;
6573 				goto out_free;
6574 			}
6575 
6576 			/* ignore disabled channels */
6577 			if (chan->flags & IEEE80211_CHAN_DISABLED)
6578 				continue;
6579 
6580 			request->channels[i] = chan;
6581 			i++;
6582 		}
6583 	} else {
6584 		enum nl80211_band band;
6585 
6586 		/* all channels */
6587 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
6588 			int j;
6589 
6590 			if (!wiphy->bands[band])
6591 				continue;
6592 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
6593 				struct ieee80211_channel *chan;
6594 
6595 				chan = &wiphy->bands[band]->channels[j];
6596 
6597 				if (chan->flags & IEEE80211_CHAN_DISABLED)
6598 					continue;
6599 
6600 				request->channels[i] = chan;
6601 				i++;
6602 			}
6603 		}
6604 	}
6605 
6606 	if (!i) {
6607 		err = -EINVAL;
6608 		goto out_free;
6609 	}
6610 
6611 	request->n_channels = i;
6612 
6613 	i = 0;
6614 	if (n_ssids) {
6615 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
6616 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
6617 				err = -EINVAL;
6618 				goto out_free;
6619 			}
6620 			request->ssids[i].ssid_len = nla_len(attr);
6621 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
6622 			i++;
6623 		}
6624 	}
6625 
6626 	if (info->attrs[NL80211_ATTR_IE]) {
6627 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6628 		memcpy((void *)request->ie,
6629 		       nla_data(info->attrs[NL80211_ATTR_IE]),
6630 		       request->ie_len);
6631 	}
6632 
6633 	for (i = 0; i < NUM_NL80211_BANDS; i++)
6634 		if (wiphy->bands[i])
6635 			request->rates[i] =
6636 				(1 << wiphy->bands[i]->n_bitrates) - 1;
6637 
6638 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
6639 		nla_for_each_nested(attr,
6640 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
6641 				    tmp) {
6642 			enum nl80211_band band = nla_type(attr);
6643 
6644 			if (band < 0 || band >= NUM_NL80211_BANDS) {
6645 				err = -EINVAL;
6646 				goto out_free;
6647 			}
6648 
6649 			if (!wiphy->bands[band])
6650 				continue;
6651 
6652 			err = ieee80211_get_ratemask(wiphy->bands[band],
6653 						     nla_data(attr),
6654 						     nla_len(attr),
6655 						     &request->rates[band]);
6656 			if (err)
6657 				goto out_free;
6658 		}
6659 	}
6660 
6661 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
6662 		if (!wiphy_ext_feature_isset(wiphy,
6663 					NL80211_EXT_FEATURE_SET_SCAN_DWELL)) {
6664 			err = -EOPNOTSUPP;
6665 			goto out_free;
6666 		}
6667 
6668 		request->duration =
6669 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
6670 		request->duration_mandatory =
6671 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
6672 	}
6673 
6674 	if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
6675 		request->flags = nla_get_u32(
6676 			info->attrs[NL80211_ATTR_SCAN_FLAGS]);
6677 		if ((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
6678 		    !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) {
6679 			err = -EOPNOTSUPP;
6680 			goto out_free;
6681 		}
6682 
6683 		if (request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
6684 			if (!(wiphy->features &
6685 					NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR)) {
6686 				err = -EOPNOTSUPP;
6687 				goto out_free;
6688 			}
6689 
6690 			if (wdev->current_bss) {
6691 				err = -EOPNOTSUPP;
6692 				goto out_free;
6693 			}
6694 
6695 			err = nl80211_parse_random_mac(info->attrs,
6696 						       request->mac_addr,
6697 						       request->mac_addr_mask);
6698 			if (err)
6699 				goto out_free;
6700 		}
6701 	}
6702 
6703 	request->no_cck =
6704 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
6705 
6706 	if (info->attrs[NL80211_ATTR_MAC])
6707 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
6708 		       ETH_ALEN);
6709 	else
6710 		eth_broadcast_addr(request->bssid);
6711 
6712 	request->wdev = wdev;
6713 	request->wiphy = &rdev->wiphy;
6714 	request->scan_start = jiffies;
6715 
6716 	rdev->scan_req = request;
6717 	err = rdev_scan(rdev, request);
6718 
6719 	if (!err) {
6720 		nl80211_send_scan_start(rdev, wdev);
6721 		if (wdev->netdev)
6722 			dev_hold(wdev->netdev);
6723 	} else {
6724  out_free:
6725 		rdev->scan_req = NULL;
6726 		kfree(request);
6727 	}
6728 
6729  unlock:
6730 	return err;
6731 }
6732 
6733 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
6734 {
6735 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6736 	struct wireless_dev *wdev = info->user_ptr[1];
6737 
6738 	if (!rdev->ops->abort_scan)
6739 		return -EOPNOTSUPP;
6740 
6741 	if (rdev->scan_msg)
6742 		return 0;
6743 
6744 	if (!rdev->scan_req)
6745 		return -ENOENT;
6746 
6747 	rdev_abort_scan(rdev, wdev);
6748 	return 0;
6749 }
6750 
6751 static int
6752 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
6753 			       struct cfg80211_sched_scan_request *request,
6754 			       struct nlattr **attrs)
6755 {
6756 	int tmp, err, i = 0;
6757 	struct nlattr *attr;
6758 
6759 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
6760 		u32 interval;
6761 
6762 		/*
6763 		 * If scan plans are not specified,
6764 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL must be specified. In this
6765 		 * case one scan plan will be set with the specified scan
6766 		 * interval and infinite number of iterations.
6767 		 */
6768 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
6769 			return -EINVAL;
6770 
6771 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
6772 		if (!interval)
6773 			return -EINVAL;
6774 
6775 		request->scan_plans[0].interval =
6776 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
6777 		if (!request->scan_plans[0].interval)
6778 			return -EINVAL;
6779 
6780 		if (request->scan_plans[0].interval >
6781 		    wiphy->max_sched_scan_plan_interval)
6782 			request->scan_plans[0].interval =
6783 				wiphy->max_sched_scan_plan_interval;
6784 
6785 		return 0;
6786 	}
6787 
6788 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
6789 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
6790 
6791 		if (WARN_ON(i >= n_plans))
6792 			return -EINVAL;
6793 
6794 		err = nla_parse_nested(plan, NL80211_SCHED_SCAN_PLAN_MAX,
6795 				       attr, nl80211_plan_policy);
6796 		if (err)
6797 			return err;
6798 
6799 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
6800 			return -EINVAL;
6801 
6802 		request->scan_plans[i].interval =
6803 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
6804 		if (!request->scan_plans[i].interval ||
6805 		    request->scan_plans[i].interval >
6806 		    wiphy->max_sched_scan_plan_interval)
6807 			return -EINVAL;
6808 
6809 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
6810 			request->scan_plans[i].iterations =
6811 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
6812 			if (!request->scan_plans[i].iterations ||
6813 			    (request->scan_plans[i].iterations >
6814 			     wiphy->max_sched_scan_plan_iterations))
6815 				return -EINVAL;
6816 		} else if (i < n_plans - 1) {
6817 			/*
6818 			 * All scan plans but the last one must specify
6819 			 * a finite number of iterations
6820 			 */
6821 			return -EINVAL;
6822 		}
6823 
6824 		i++;
6825 	}
6826 
6827 	/*
6828 	 * The last scan plan must not specify the number of
6829 	 * iterations, it is supposed to run infinitely
6830 	 */
6831 	if (request->scan_plans[n_plans - 1].iterations)
6832 		return  -EINVAL;
6833 
6834 	return 0;
6835 }
6836 
6837 static struct cfg80211_sched_scan_request *
6838 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
6839 			 struct nlattr **attrs)
6840 {
6841 	struct cfg80211_sched_scan_request *request;
6842 	struct nlattr *attr;
6843 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
6844 	enum nl80211_band band;
6845 	size_t ie_len;
6846 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
6847 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
6848 
6849 	if (!is_valid_ie_attr(attrs[NL80211_ATTR_IE]))
6850 		return ERR_PTR(-EINVAL);
6851 
6852 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
6853 		n_channels = validate_scan_freqs(
6854 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
6855 		if (!n_channels)
6856 			return ERR_PTR(-EINVAL);
6857 	} else {
6858 		n_channels = ieee80211_get_num_supported_channels(wiphy);
6859 	}
6860 
6861 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
6862 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
6863 				    tmp)
6864 			n_ssids++;
6865 
6866 	if (n_ssids > wiphy->max_sched_scan_ssids)
6867 		return ERR_PTR(-EINVAL);
6868 
6869 	/*
6870 	 * First, count the number of 'real' matchsets. Due to an issue with
6871 	 * the old implementation, matchsets containing only the RSSI attribute
6872 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
6873 	 * RSSI for all matchsets, rather than their own matchset for reporting
6874 	 * all APs with a strong RSSI. This is needed to be compatible with
6875 	 * older userspace that treated a matchset with only the RSSI as the
6876 	 * global RSSI for all other matchsets - if there are other matchsets.
6877 	 */
6878 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
6879 		nla_for_each_nested(attr,
6880 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
6881 				    tmp) {
6882 			struct nlattr *rssi;
6883 
6884 			err = nla_parse_nested(tb,
6885 					       NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
6886 					       attr, nl80211_match_policy);
6887 			if (err)
6888 				return ERR_PTR(err);
6889 			/* add other standalone attributes here */
6890 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID]) {
6891 				n_match_sets++;
6892 				continue;
6893 			}
6894 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
6895 			if (rssi)
6896 				default_match_rssi = nla_get_s32(rssi);
6897 		}
6898 	}
6899 
6900 	/* However, if there's no other matchset, add the RSSI one */
6901 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
6902 		n_match_sets = 1;
6903 
6904 	if (n_match_sets > wiphy->max_match_sets)
6905 		return ERR_PTR(-EINVAL);
6906 
6907 	if (attrs[NL80211_ATTR_IE])
6908 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
6909 	else
6910 		ie_len = 0;
6911 
6912 	if (ie_len > wiphy->max_sched_scan_ie_len)
6913 		return ERR_PTR(-EINVAL);
6914 
6915 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
6916 		/*
6917 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
6918 		 * each scan plan already specifies its own interval
6919 		 */
6920 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
6921 			return ERR_PTR(-EINVAL);
6922 
6923 		nla_for_each_nested(attr,
6924 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
6925 			n_plans++;
6926 	} else {
6927 		/*
6928 		 * The scan interval attribute is kept for backward
6929 		 * compatibility. If no scan plans are specified and sched scan
6930 		 * interval is specified, one scan plan will be set with this
6931 		 * scan interval and infinite number of iterations.
6932 		 */
6933 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
6934 			return ERR_PTR(-EINVAL);
6935 
6936 		n_plans = 1;
6937 	}
6938 
6939 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
6940 		return ERR_PTR(-EINVAL);
6941 
6942 	request = kzalloc(sizeof(*request)
6943 			+ sizeof(*request->ssids) * n_ssids
6944 			+ sizeof(*request->match_sets) * n_match_sets
6945 			+ sizeof(*request->scan_plans) * n_plans
6946 			+ sizeof(*request->channels) * n_channels
6947 			+ ie_len, GFP_KERNEL);
6948 	if (!request)
6949 		return ERR_PTR(-ENOMEM);
6950 
6951 	if (n_ssids)
6952 		request->ssids = (void *)&request->channels[n_channels];
6953 	request->n_ssids = n_ssids;
6954 	if (ie_len) {
6955 		if (n_ssids)
6956 			request->ie = (void *)(request->ssids + n_ssids);
6957 		else
6958 			request->ie = (void *)(request->channels + n_channels);
6959 	}
6960 
6961 	if (n_match_sets) {
6962 		if (request->ie)
6963 			request->match_sets = (void *)(request->ie + ie_len);
6964 		else if (n_ssids)
6965 			request->match_sets =
6966 				(void *)(request->ssids + n_ssids);
6967 		else
6968 			request->match_sets =
6969 				(void *)(request->channels + n_channels);
6970 	}
6971 	request->n_match_sets = n_match_sets;
6972 
6973 	if (n_match_sets)
6974 		request->scan_plans = (void *)(request->match_sets +
6975 					       n_match_sets);
6976 	else if (request->ie)
6977 		request->scan_plans = (void *)(request->ie + ie_len);
6978 	else if (n_ssids)
6979 		request->scan_plans = (void *)(request->ssids + n_ssids);
6980 	else
6981 		request->scan_plans = (void *)(request->channels + n_channels);
6982 
6983 	request->n_scan_plans = n_plans;
6984 
6985 	i = 0;
6986 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
6987 		/* user specified, bail out if channel not found */
6988 		nla_for_each_nested(attr,
6989 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
6990 				    tmp) {
6991 			struct ieee80211_channel *chan;
6992 
6993 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
6994 
6995 			if (!chan) {
6996 				err = -EINVAL;
6997 				goto out_free;
6998 			}
6999 
7000 			/* ignore disabled channels */
7001 			if (chan->flags & IEEE80211_CHAN_DISABLED)
7002 				continue;
7003 
7004 			request->channels[i] = chan;
7005 			i++;
7006 		}
7007 	} else {
7008 		/* all channels */
7009 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
7010 			int j;
7011 
7012 			if (!wiphy->bands[band])
7013 				continue;
7014 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
7015 				struct ieee80211_channel *chan;
7016 
7017 				chan = &wiphy->bands[band]->channels[j];
7018 
7019 				if (chan->flags & IEEE80211_CHAN_DISABLED)
7020 					continue;
7021 
7022 				request->channels[i] = chan;
7023 				i++;
7024 			}
7025 		}
7026 	}
7027 
7028 	if (!i) {
7029 		err = -EINVAL;
7030 		goto out_free;
7031 	}
7032 
7033 	request->n_channels = i;
7034 
7035 	i = 0;
7036 	if (n_ssids) {
7037 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
7038 				    tmp) {
7039 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
7040 				err = -EINVAL;
7041 				goto out_free;
7042 			}
7043 			request->ssids[i].ssid_len = nla_len(attr);
7044 			memcpy(request->ssids[i].ssid, nla_data(attr),
7045 			       nla_len(attr));
7046 			i++;
7047 		}
7048 	}
7049 
7050 	i = 0;
7051 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
7052 		nla_for_each_nested(attr,
7053 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
7054 				    tmp) {
7055 			struct nlattr *ssid, *rssi;
7056 
7057 			err = nla_parse_nested(tb,
7058 					       NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
7059 					       attr, nl80211_match_policy);
7060 			if (err)
7061 				goto out_free;
7062 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
7063 			if (ssid) {
7064 				if (WARN_ON(i >= n_match_sets)) {
7065 					/* this indicates a programming error,
7066 					 * the loop above should have verified
7067 					 * things properly
7068 					 */
7069 					err = -EINVAL;
7070 					goto out_free;
7071 				}
7072 
7073 				if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
7074 					err = -EINVAL;
7075 					goto out_free;
7076 				}
7077 				memcpy(request->match_sets[i].ssid.ssid,
7078 				       nla_data(ssid), nla_len(ssid));
7079 				request->match_sets[i].ssid.ssid_len =
7080 					nla_len(ssid);
7081 				/* special attribute - old implementation w/a */
7082 				request->match_sets[i].rssi_thold =
7083 					default_match_rssi;
7084 				rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
7085 				if (rssi)
7086 					request->match_sets[i].rssi_thold =
7087 						nla_get_s32(rssi);
7088 			}
7089 			i++;
7090 		}
7091 
7092 		/* there was no other matchset, so the RSSI one is alone */
7093 		if (i == 0 && n_match_sets)
7094 			request->match_sets[0].rssi_thold = default_match_rssi;
7095 
7096 		request->min_rssi_thold = INT_MAX;
7097 		for (i = 0; i < n_match_sets; i++)
7098 			request->min_rssi_thold =
7099 				min(request->match_sets[i].rssi_thold,
7100 				    request->min_rssi_thold);
7101 	} else {
7102 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
7103 	}
7104 
7105 	if (ie_len) {
7106 		request->ie_len = ie_len;
7107 		memcpy((void *)request->ie,
7108 		       nla_data(attrs[NL80211_ATTR_IE]),
7109 		       request->ie_len);
7110 	}
7111 
7112 	if (attrs[NL80211_ATTR_SCAN_FLAGS]) {
7113 		request->flags = nla_get_u32(
7114 			attrs[NL80211_ATTR_SCAN_FLAGS]);
7115 		if ((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
7116 		    !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) {
7117 			err = -EOPNOTSUPP;
7118 			goto out_free;
7119 		}
7120 
7121 		if (request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
7122 			u32 flg = NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR;
7123 
7124 			if (!wdev) /* must be net-detect */
7125 				flg = NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
7126 
7127 			if (!(wiphy->features & flg)) {
7128 				err = -EOPNOTSUPP;
7129 				goto out_free;
7130 			}
7131 
7132 			if (wdev && wdev->current_bss) {
7133 				err = -EOPNOTSUPP;
7134 				goto out_free;
7135 			}
7136 
7137 			err = nl80211_parse_random_mac(attrs, request->mac_addr,
7138 						       request->mac_addr_mask);
7139 			if (err)
7140 				goto out_free;
7141 		}
7142 	}
7143 
7144 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
7145 		request->delay =
7146 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
7147 
7148 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
7149 	if (err)
7150 		goto out_free;
7151 
7152 	request->scan_start = jiffies;
7153 
7154 	return request;
7155 
7156 out_free:
7157 	kfree(request);
7158 	return ERR_PTR(err);
7159 }
7160 
7161 static int nl80211_start_sched_scan(struct sk_buff *skb,
7162 				    struct genl_info *info)
7163 {
7164 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7165 	struct net_device *dev = info->user_ptr[1];
7166 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7167 	struct cfg80211_sched_scan_request *sched_scan_req;
7168 	int err;
7169 
7170 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
7171 	    !rdev->ops->sched_scan_start)
7172 		return -EOPNOTSUPP;
7173 
7174 	if (rdev->sched_scan_req)
7175 		return -EINPROGRESS;
7176 
7177 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
7178 						  info->attrs);
7179 
7180 	err = PTR_ERR_OR_ZERO(sched_scan_req);
7181 	if (err)
7182 		goto out_err;
7183 
7184 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
7185 	if (err)
7186 		goto out_free;
7187 
7188 	sched_scan_req->dev = dev;
7189 	sched_scan_req->wiphy = &rdev->wiphy;
7190 
7191 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
7192 		sched_scan_req->owner_nlportid = info->snd_portid;
7193 
7194 	rcu_assign_pointer(rdev->sched_scan_req, sched_scan_req);
7195 
7196 	nl80211_send_sched_scan(rdev, dev,
7197 				NL80211_CMD_START_SCHED_SCAN);
7198 	return 0;
7199 
7200 out_free:
7201 	kfree(sched_scan_req);
7202 out_err:
7203 	return err;
7204 }
7205 
7206 static int nl80211_stop_sched_scan(struct sk_buff *skb,
7207 				   struct genl_info *info)
7208 {
7209 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7210 
7211 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
7212 	    !rdev->ops->sched_scan_stop)
7213 		return -EOPNOTSUPP;
7214 
7215 	return __cfg80211_stop_sched_scan(rdev, false);
7216 }
7217 
7218 static int nl80211_start_radar_detection(struct sk_buff *skb,
7219 					 struct genl_info *info)
7220 {
7221 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7222 	struct net_device *dev = info->user_ptr[1];
7223 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7224 	struct cfg80211_chan_def chandef;
7225 	enum nl80211_dfs_regions dfs_region;
7226 	unsigned int cac_time_ms;
7227 	int err;
7228 
7229 	dfs_region = reg_get_dfs_region(wdev->wiphy);
7230 	if (dfs_region == NL80211_DFS_UNSET)
7231 		return -EINVAL;
7232 
7233 	err = nl80211_parse_chandef(rdev, info, &chandef);
7234 	if (err)
7235 		return err;
7236 
7237 	if (netif_carrier_ok(dev))
7238 		return -EBUSY;
7239 
7240 	if (wdev->cac_started)
7241 		return -EBUSY;
7242 
7243 	err = cfg80211_chandef_dfs_required(wdev->wiphy, &chandef,
7244 					    wdev->iftype);
7245 	if (err < 0)
7246 		return err;
7247 
7248 	if (err == 0)
7249 		return -EINVAL;
7250 
7251 	if (!cfg80211_chandef_dfs_usable(wdev->wiphy, &chandef))
7252 		return -EINVAL;
7253 
7254 	if (!rdev->ops->start_radar_detection)
7255 		return -EOPNOTSUPP;
7256 
7257 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
7258 	if (WARN_ON(!cac_time_ms))
7259 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
7260 
7261 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
7262 	if (!err) {
7263 		wdev->chandef = chandef;
7264 		wdev->cac_started = true;
7265 		wdev->cac_start_time = jiffies;
7266 		wdev->cac_time_ms = cac_time_ms;
7267 	}
7268 	return err;
7269 }
7270 
7271 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
7272 {
7273 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7274 	struct net_device *dev = info->user_ptr[1];
7275 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7276 	struct cfg80211_csa_settings params;
7277 	/* csa_attrs is defined static to avoid waste of stack size - this
7278 	 * function is called under RTNL lock, so this should not be a problem.
7279 	 */
7280 	static struct nlattr *csa_attrs[NL80211_ATTR_MAX+1];
7281 	int err;
7282 	bool need_new_beacon = false;
7283 	int len, i;
7284 	u32 cs_count;
7285 
7286 	if (!rdev->ops->channel_switch ||
7287 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
7288 		return -EOPNOTSUPP;
7289 
7290 	switch (dev->ieee80211_ptr->iftype) {
7291 	case NL80211_IFTYPE_AP:
7292 	case NL80211_IFTYPE_P2P_GO:
7293 		need_new_beacon = true;
7294 
7295 		/* useless if AP is not running */
7296 		if (!wdev->beacon_interval)
7297 			return -ENOTCONN;
7298 		break;
7299 	case NL80211_IFTYPE_ADHOC:
7300 		if (!wdev->ssid_len)
7301 			return -ENOTCONN;
7302 		break;
7303 	case NL80211_IFTYPE_MESH_POINT:
7304 		if (!wdev->mesh_id_len)
7305 			return -ENOTCONN;
7306 		break;
7307 	default:
7308 		return -EOPNOTSUPP;
7309 	}
7310 
7311 	memset(&params, 0, sizeof(params));
7312 
7313 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
7314 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
7315 		return -EINVAL;
7316 
7317 	/* only important for AP, IBSS and mesh create IEs internally */
7318 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
7319 		return -EINVAL;
7320 
7321 	/* Even though the attribute is u32, the specification says
7322 	 * u8, so let's make sure we don't overflow.
7323 	 */
7324 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
7325 	if (cs_count > 255)
7326 		return -EINVAL;
7327 
7328 	params.count = cs_count;
7329 
7330 	if (!need_new_beacon)
7331 		goto skip_beacons;
7332 
7333 	err = nl80211_parse_beacon(info->attrs, &params.beacon_after);
7334 	if (err)
7335 		return err;
7336 
7337 	err = nla_parse_nested(csa_attrs, NL80211_ATTR_MAX,
7338 			       info->attrs[NL80211_ATTR_CSA_IES],
7339 			       nl80211_policy);
7340 	if (err)
7341 		return err;
7342 
7343 	err = nl80211_parse_beacon(csa_attrs, &params.beacon_csa);
7344 	if (err)
7345 		return err;
7346 
7347 	if (!csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON])
7348 		return -EINVAL;
7349 
7350 	len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
7351 	if (!len || (len % sizeof(u16)))
7352 		return -EINVAL;
7353 
7354 	params.n_counter_offsets_beacon = len / sizeof(u16);
7355 	if (rdev->wiphy.max_num_csa_counters &&
7356 	    (params.n_counter_offsets_beacon >
7357 	     rdev->wiphy.max_num_csa_counters))
7358 		return -EINVAL;
7359 
7360 	params.counter_offsets_beacon =
7361 		nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
7362 
7363 	/* sanity checks - counters should fit and be the same */
7364 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
7365 		u16 offset = params.counter_offsets_beacon[i];
7366 
7367 		if (offset >= params.beacon_csa.tail_len)
7368 			return -EINVAL;
7369 
7370 		if (params.beacon_csa.tail[offset] != params.count)
7371 			return -EINVAL;
7372 	}
7373 
7374 	if (csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]) {
7375 		len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
7376 		if (!len || (len % sizeof(u16)))
7377 			return -EINVAL;
7378 
7379 		params.n_counter_offsets_presp = len / sizeof(u16);
7380 		if (rdev->wiphy.max_num_csa_counters &&
7381 		    (params.n_counter_offsets_presp >
7382 		     rdev->wiphy.max_num_csa_counters))
7383 			return -EINVAL;
7384 
7385 		params.counter_offsets_presp =
7386 			nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
7387 
7388 		/* sanity checks - counters should fit and be the same */
7389 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
7390 			u16 offset = params.counter_offsets_presp[i];
7391 
7392 			if (offset >= params.beacon_csa.probe_resp_len)
7393 				return -EINVAL;
7394 
7395 			if (params.beacon_csa.probe_resp[offset] !=
7396 			    params.count)
7397 				return -EINVAL;
7398 		}
7399 	}
7400 
7401 skip_beacons:
7402 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
7403 	if (err)
7404 		return err;
7405 
7406 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
7407 					   wdev->iftype))
7408 		return -EINVAL;
7409 
7410 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
7411 					    &params.chandef,
7412 					    wdev->iftype);
7413 	if (err < 0)
7414 		return err;
7415 
7416 	if (err > 0)
7417 		params.radar_required = true;
7418 
7419 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
7420 		params.block_tx = true;
7421 
7422 	wdev_lock(wdev);
7423 	err = rdev_channel_switch(rdev, dev, &params);
7424 	wdev_unlock(wdev);
7425 
7426 	return err;
7427 }
7428 
7429 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
7430 			    u32 seq, int flags,
7431 			    struct cfg80211_registered_device *rdev,
7432 			    struct wireless_dev *wdev,
7433 			    struct cfg80211_internal_bss *intbss)
7434 {
7435 	struct cfg80211_bss *res = &intbss->pub;
7436 	const struct cfg80211_bss_ies *ies;
7437 	void *hdr;
7438 	struct nlattr *bss;
7439 
7440 	ASSERT_WDEV_LOCK(wdev);
7441 
7442 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
7443 			     NL80211_CMD_NEW_SCAN_RESULTS);
7444 	if (!hdr)
7445 		return -1;
7446 
7447 	genl_dump_check_consistent(cb, hdr, &nl80211_fam);
7448 
7449 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
7450 		goto nla_put_failure;
7451 	if (wdev->netdev &&
7452 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
7453 		goto nla_put_failure;
7454 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
7455 			      NL80211_ATTR_PAD))
7456 		goto nla_put_failure;
7457 
7458 	bss = nla_nest_start(msg, NL80211_ATTR_BSS);
7459 	if (!bss)
7460 		goto nla_put_failure;
7461 	if ((!is_zero_ether_addr(res->bssid) &&
7462 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
7463 		goto nla_put_failure;
7464 
7465 	rcu_read_lock();
7466 	/* indicate whether we have probe response data or not */
7467 	if (rcu_access_pointer(res->proberesp_ies) &&
7468 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
7469 		goto fail_unlock_rcu;
7470 
7471 	/* this pointer prefers to be pointed to probe response data
7472 	 * but is always valid
7473 	 */
7474 	ies = rcu_dereference(res->ies);
7475 	if (ies) {
7476 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
7477 				      NL80211_BSS_PAD))
7478 			goto fail_unlock_rcu;
7479 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
7480 					ies->len, ies->data))
7481 			goto fail_unlock_rcu;
7482 	}
7483 
7484 	/* and this pointer is always (unless driver didn't know) beacon data */
7485 	ies = rcu_dereference(res->beacon_ies);
7486 	if (ies && ies->from_beacon) {
7487 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
7488 				      NL80211_BSS_PAD))
7489 			goto fail_unlock_rcu;
7490 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
7491 					ies->len, ies->data))
7492 			goto fail_unlock_rcu;
7493 	}
7494 	rcu_read_unlock();
7495 
7496 	if (res->beacon_interval &&
7497 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
7498 		goto nla_put_failure;
7499 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
7500 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
7501 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
7502 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
7503 			jiffies_to_msecs(jiffies - intbss->ts)))
7504 		goto nla_put_failure;
7505 
7506 	if (intbss->parent_tsf &&
7507 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
7508 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
7509 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
7510 		     intbss->parent_bssid)))
7511 		goto nla_put_failure;
7512 
7513 	if (intbss->ts_boottime &&
7514 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
7515 			      intbss->ts_boottime, NL80211_BSS_PAD))
7516 		goto nla_put_failure;
7517 
7518 	switch (rdev->wiphy.signal_type) {
7519 	case CFG80211_SIGNAL_TYPE_MBM:
7520 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
7521 			goto nla_put_failure;
7522 		break;
7523 	case CFG80211_SIGNAL_TYPE_UNSPEC:
7524 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
7525 			goto nla_put_failure;
7526 		break;
7527 	default:
7528 		break;
7529 	}
7530 
7531 	switch (wdev->iftype) {
7532 	case NL80211_IFTYPE_P2P_CLIENT:
7533 	case NL80211_IFTYPE_STATION:
7534 		if (intbss == wdev->current_bss &&
7535 		    nla_put_u32(msg, NL80211_BSS_STATUS,
7536 				NL80211_BSS_STATUS_ASSOCIATED))
7537 			goto nla_put_failure;
7538 		break;
7539 	case NL80211_IFTYPE_ADHOC:
7540 		if (intbss == wdev->current_bss &&
7541 		    nla_put_u32(msg, NL80211_BSS_STATUS,
7542 				NL80211_BSS_STATUS_IBSS_JOINED))
7543 			goto nla_put_failure;
7544 		break;
7545 	default:
7546 		break;
7547 	}
7548 
7549 	nla_nest_end(msg, bss);
7550 
7551 	genlmsg_end(msg, hdr);
7552 	return 0;
7553 
7554  fail_unlock_rcu:
7555 	rcu_read_unlock();
7556  nla_put_failure:
7557 	genlmsg_cancel(msg, hdr);
7558 	return -EMSGSIZE;
7559 }
7560 
7561 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
7562 {
7563 	struct cfg80211_registered_device *rdev;
7564 	struct cfg80211_internal_bss *scan;
7565 	struct wireless_dev *wdev;
7566 	int start = cb->args[2], idx = 0;
7567 	int err;
7568 
7569 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
7570 	if (err)
7571 		return err;
7572 
7573 	wdev_lock(wdev);
7574 	spin_lock_bh(&rdev->bss_lock);
7575 	cfg80211_bss_expire(rdev);
7576 
7577 	cb->seq = rdev->bss_generation;
7578 
7579 	list_for_each_entry(scan, &rdev->bss_list, list) {
7580 		if (++idx <= start)
7581 			continue;
7582 		if (nl80211_send_bss(skb, cb,
7583 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
7584 				rdev, wdev, scan) < 0) {
7585 			idx--;
7586 			break;
7587 		}
7588 	}
7589 
7590 	spin_unlock_bh(&rdev->bss_lock);
7591 	wdev_unlock(wdev);
7592 
7593 	cb->args[2] = idx;
7594 	nl80211_finish_wdev_dump(rdev);
7595 
7596 	return skb->len;
7597 }
7598 
7599 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
7600 			       int flags, struct net_device *dev,
7601 			       bool allow_radio_stats,
7602 			       struct survey_info *survey)
7603 {
7604 	void *hdr;
7605 	struct nlattr *infoattr;
7606 
7607 	/* skip radio stats if userspace didn't request them */
7608 	if (!survey->channel && !allow_radio_stats)
7609 		return 0;
7610 
7611 	hdr = nl80211hdr_put(msg, portid, seq, flags,
7612 			     NL80211_CMD_NEW_SURVEY_RESULTS);
7613 	if (!hdr)
7614 		return -ENOMEM;
7615 
7616 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
7617 		goto nla_put_failure;
7618 
7619 	infoattr = nla_nest_start(msg, NL80211_ATTR_SURVEY_INFO);
7620 	if (!infoattr)
7621 		goto nla_put_failure;
7622 
7623 	if (survey->channel &&
7624 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
7625 			survey->channel->center_freq))
7626 		goto nla_put_failure;
7627 
7628 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
7629 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
7630 		goto nla_put_failure;
7631 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
7632 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
7633 		goto nla_put_failure;
7634 	if ((survey->filled & SURVEY_INFO_TIME) &&
7635 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
7636 			survey->time, NL80211_SURVEY_INFO_PAD))
7637 		goto nla_put_failure;
7638 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
7639 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
7640 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
7641 		goto nla_put_failure;
7642 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
7643 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
7644 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
7645 		goto nla_put_failure;
7646 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
7647 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
7648 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
7649 		goto nla_put_failure;
7650 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
7651 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
7652 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
7653 		goto nla_put_failure;
7654 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
7655 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
7656 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
7657 		goto nla_put_failure;
7658 
7659 	nla_nest_end(msg, infoattr);
7660 
7661 	genlmsg_end(msg, hdr);
7662 	return 0;
7663 
7664  nla_put_failure:
7665 	genlmsg_cancel(msg, hdr);
7666 	return -EMSGSIZE;
7667 }
7668 
7669 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
7670 {
7671 	struct nlattr **attrbuf = genl_family_attrbuf(&nl80211_fam);
7672 	struct survey_info survey;
7673 	struct cfg80211_registered_device *rdev;
7674 	struct wireless_dev *wdev;
7675 	int survey_idx = cb->args[2];
7676 	int res;
7677 	bool radio_stats;
7678 
7679 	res = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
7680 	if (res)
7681 		return res;
7682 
7683 	/* prepare_wdev_dump parsed the attributes */
7684 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
7685 
7686 	if (!wdev->netdev) {
7687 		res = -EINVAL;
7688 		goto out_err;
7689 	}
7690 
7691 	if (!rdev->ops->dump_survey) {
7692 		res = -EOPNOTSUPP;
7693 		goto out_err;
7694 	}
7695 
7696 	while (1) {
7697 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
7698 		if (res == -ENOENT)
7699 			break;
7700 		if (res)
7701 			goto out_err;
7702 
7703 		/* don't send disabled channels, but do send non-channel data */
7704 		if (survey.channel &&
7705 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
7706 			survey_idx++;
7707 			continue;
7708 		}
7709 
7710 		if (nl80211_send_survey(skb,
7711 				NETLINK_CB(cb->skb).portid,
7712 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
7713 				wdev->netdev, radio_stats, &survey) < 0)
7714 			goto out;
7715 		survey_idx++;
7716 	}
7717 
7718  out:
7719 	cb->args[2] = survey_idx;
7720 	res = skb->len;
7721  out_err:
7722 	nl80211_finish_wdev_dump(rdev);
7723 	return res;
7724 }
7725 
7726 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
7727 {
7728 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
7729 				  NL80211_WPA_VERSION_2));
7730 }
7731 
7732 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
7733 {
7734 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7735 	struct net_device *dev = info->user_ptr[1];
7736 	struct ieee80211_channel *chan;
7737 	const u8 *bssid, *ssid, *ie = NULL, *auth_data = NULL;
7738 	int err, ssid_len, ie_len = 0, auth_data_len = 0;
7739 	enum nl80211_auth_type auth_type;
7740 	struct key_parse key;
7741 	bool local_state_change;
7742 
7743 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7744 		return -EINVAL;
7745 
7746 	if (!info->attrs[NL80211_ATTR_MAC])
7747 		return -EINVAL;
7748 
7749 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
7750 		return -EINVAL;
7751 
7752 	if (!info->attrs[NL80211_ATTR_SSID])
7753 		return -EINVAL;
7754 
7755 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
7756 		return -EINVAL;
7757 
7758 	err = nl80211_parse_key(info, &key);
7759 	if (err)
7760 		return err;
7761 
7762 	if (key.idx >= 0) {
7763 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
7764 			return -EINVAL;
7765 		if (!key.p.key || !key.p.key_len)
7766 			return -EINVAL;
7767 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
7768 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
7769 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
7770 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
7771 			return -EINVAL;
7772 		if (key.idx > 3)
7773 			return -EINVAL;
7774 	} else {
7775 		key.p.key_len = 0;
7776 		key.p.key = NULL;
7777 	}
7778 
7779 	if (key.idx >= 0) {
7780 		int i;
7781 		bool ok = false;
7782 
7783 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
7784 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
7785 				ok = true;
7786 				break;
7787 			}
7788 		}
7789 		if (!ok)
7790 			return -EINVAL;
7791 	}
7792 
7793 	if (!rdev->ops->auth)
7794 		return -EOPNOTSUPP;
7795 
7796 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7797 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7798 		return -EOPNOTSUPP;
7799 
7800 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7801 	chan = nl80211_get_valid_chan(&rdev->wiphy,
7802 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
7803 	if (!chan)
7804 		return -EINVAL;
7805 
7806 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
7807 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
7808 
7809 	if (info->attrs[NL80211_ATTR_IE]) {
7810 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7811 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7812 	}
7813 
7814 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
7815 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
7816 		return -EINVAL;
7817 
7818 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
7819 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
7820 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
7821 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
7822 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
7823 		return -EINVAL;
7824 
7825 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
7826 		if (auth_type != NL80211_AUTHTYPE_SAE &&
7827 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
7828 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
7829 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
7830 			return -EINVAL;
7831 		auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
7832 		auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
7833 		/* need to include at least Auth Transaction and Status Code */
7834 		if (auth_data_len < 4)
7835 			return -EINVAL;
7836 	}
7837 
7838 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
7839 
7840 	/*
7841 	 * Since we no longer track auth state, ignore
7842 	 * requests to only change local state.
7843 	 */
7844 	if (local_state_change)
7845 		return 0;
7846 
7847 	wdev_lock(dev->ieee80211_ptr);
7848 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
7849 				 ssid, ssid_len, ie, ie_len,
7850 				 key.p.key, key.p.key_len, key.idx,
7851 				 auth_data, auth_data_len);
7852 	wdev_unlock(dev->ieee80211_ptr);
7853 	return err;
7854 }
7855 
7856 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
7857 				   struct genl_info *info,
7858 				   struct cfg80211_crypto_settings *settings,
7859 				   int cipher_limit)
7860 {
7861 	memset(settings, 0, sizeof(*settings));
7862 
7863 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
7864 
7865 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
7866 		u16 proto;
7867 
7868 		proto = nla_get_u16(
7869 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
7870 		settings->control_port_ethertype = cpu_to_be16(proto);
7871 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
7872 		    proto != ETH_P_PAE)
7873 			return -EINVAL;
7874 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
7875 			settings->control_port_no_encrypt = true;
7876 	} else
7877 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
7878 
7879 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
7880 		void *data;
7881 		int len, i;
7882 
7883 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
7884 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
7885 		settings->n_ciphers_pairwise = len / sizeof(u32);
7886 
7887 		if (len % sizeof(u32))
7888 			return -EINVAL;
7889 
7890 		if (settings->n_ciphers_pairwise > cipher_limit)
7891 			return -EINVAL;
7892 
7893 		memcpy(settings->ciphers_pairwise, data, len);
7894 
7895 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
7896 			if (!cfg80211_supported_cipher_suite(
7897 					&rdev->wiphy,
7898 					settings->ciphers_pairwise[i]))
7899 				return -EINVAL;
7900 	}
7901 
7902 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
7903 		settings->cipher_group =
7904 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
7905 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
7906 						     settings->cipher_group))
7907 			return -EINVAL;
7908 	}
7909 
7910 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
7911 		settings->wpa_versions =
7912 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
7913 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
7914 			return -EINVAL;
7915 	}
7916 
7917 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
7918 		void *data;
7919 		int len;
7920 
7921 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
7922 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
7923 		settings->n_akm_suites = len / sizeof(u32);
7924 
7925 		if (len % sizeof(u32))
7926 			return -EINVAL;
7927 
7928 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
7929 			return -EINVAL;
7930 
7931 		memcpy(settings->akm_suites, data, len);
7932 	}
7933 
7934 	return 0;
7935 }
7936 
7937 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
7938 {
7939 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7940 	struct net_device *dev = info->user_ptr[1];
7941 	struct ieee80211_channel *chan;
7942 	struct cfg80211_assoc_request req = {};
7943 	const u8 *bssid, *ssid;
7944 	int err, ssid_len = 0;
7945 
7946 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7947 		return -EINVAL;
7948 
7949 	if (!info->attrs[NL80211_ATTR_MAC] ||
7950 	    !info->attrs[NL80211_ATTR_SSID] ||
7951 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
7952 		return -EINVAL;
7953 
7954 	if (!rdev->ops->assoc)
7955 		return -EOPNOTSUPP;
7956 
7957 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7958 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7959 		return -EOPNOTSUPP;
7960 
7961 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7962 
7963 	chan = nl80211_get_valid_chan(&rdev->wiphy,
7964 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
7965 	if (!chan)
7966 		return -EINVAL;
7967 
7968 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
7969 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
7970 
7971 	if (info->attrs[NL80211_ATTR_IE]) {
7972 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7973 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7974 	}
7975 
7976 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
7977 		enum nl80211_mfp mfp =
7978 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
7979 		if (mfp == NL80211_MFP_REQUIRED)
7980 			req.use_mfp = true;
7981 		else if (mfp != NL80211_MFP_NO)
7982 			return -EINVAL;
7983 	}
7984 
7985 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
7986 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
7987 
7988 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
7989 		req.flags |= ASSOC_REQ_DISABLE_HT;
7990 
7991 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7992 		memcpy(&req.ht_capa_mask,
7993 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
7994 		       sizeof(req.ht_capa_mask));
7995 
7996 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
7997 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7998 			return -EINVAL;
7999 		memcpy(&req.ht_capa,
8000 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
8001 		       sizeof(req.ht_capa));
8002 	}
8003 
8004 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
8005 		req.flags |= ASSOC_REQ_DISABLE_VHT;
8006 
8007 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
8008 		memcpy(&req.vht_capa_mask,
8009 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
8010 		       sizeof(req.vht_capa_mask));
8011 
8012 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
8013 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
8014 			return -EINVAL;
8015 		memcpy(&req.vht_capa,
8016 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
8017 		       sizeof(req.vht_capa));
8018 	}
8019 
8020 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
8021 		if (!((rdev->wiphy.features &
8022 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
8023 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
8024 		    !wiphy_ext_feature_isset(&rdev->wiphy,
8025 					     NL80211_EXT_FEATURE_RRM))
8026 			return -EINVAL;
8027 		req.flags |= ASSOC_REQ_USE_RRM;
8028 	}
8029 
8030 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
8031 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
8032 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
8033 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
8034 			return -EINVAL;
8035 		req.fils_nonces =
8036 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
8037 	}
8038 
8039 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
8040 	if (!err) {
8041 		wdev_lock(dev->ieee80211_ptr);
8042 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
8043 					  ssid, ssid_len, &req);
8044 		wdev_unlock(dev->ieee80211_ptr);
8045 	}
8046 
8047 	return err;
8048 }
8049 
8050 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
8051 {
8052 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8053 	struct net_device *dev = info->user_ptr[1];
8054 	const u8 *ie = NULL, *bssid;
8055 	int ie_len = 0, err;
8056 	u16 reason_code;
8057 	bool local_state_change;
8058 
8059 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
8060 		return -EINVAL;
8061 
8062 	if (!info->attrs[NL80211_ATTR_MAC])
8063 		return -EINVAL;
8064 
8065 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
8066 		return -EINVAL;
8067 
8068 	if (!rdev->ops->deauth)
8069 		return -EOPNOTSUPP;
8070 
8071 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8072 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8073 		return -EOPNOTSUPP;
8074 
8075 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8076 
8077 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
8078 	if (reason_code == 0) {
8079 		/* Reason Code 0 is reserved */
8080 		return -EINVAL;
8081 	}
8082 
8083 	if (info->attrs[NL80211_ATTR_IE]) {
8084 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8085 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8086 	}
8087 
8088 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
8089 
8090 	wdev_lock(dev->ieee80211_ptr);
8091 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
8092 				   local_state_change);
8093 	wdev_unlock(dev->ieee80211_ptr);
8094 	return err;
8095 }
8096 
8097 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
8098 {
8099 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8100 	struct net_device *dev = info->user_ptr[1];
8101 	const u8 *ie = NULL, *bssid;
8102 	int ie_len = 0, err;
8103 	u16 reason_code;
8104 	bool local_state_change;
8105 
8106 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
8107 		return -EINVAL;
8108 
8109 	if (!info->attrs[NL80211_ATTR_MAC])
8110 		return -EINVAL;
8111 
8112 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
8113 		return -EINVAL;
8114 
8115 	if (!rdev->ops->disassoc)
8116 		return -EOPNOTSUPP;
8117 
8118 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8119 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8120 		return -EOPNOTSUPP;
8121 
8122 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8123 
8124 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
8125 	if (reason_code == 0) {
8126 		/* Reason Code 0 is reserved */
8127 		return -EINVAL;
8128 	}
8129 
8130 	if (info->attrs[NL80211_ATTR_IE]) {
8131 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8132 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8133 	}
8134 
8135 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
8136 
8137 	wdev_lock(dev->ieee80211_ptr);
8138 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
8139 				     local_state_change);
8140 	wdev_unlock(dev->ieee80211_ptr);
8141 	return err;
8142 }
8143 
8144 static bool
8145 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
8146 			 int mcast_rate[NUM_NL80211_BANDS],
8147 			 int rateval)
8148 {
8149 	struct wiphy *wiphy = &rdev->wiphy;
8150 	bool found = false;
8151 	int band, i;
8152 
8153 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
8154 		struct ieee80211_supported_band *sband;
8155 
8156 		sband = wiphy->bands[band];
8157 		if (!sband)
8158 			continue;
8159 
8160 		for (i = 0; i < sband->n_bitrates; i++) {
8161 			if (sband->bitrates[i].bitrate == rateval) {
8162 				mcast_rate[band] = i + 1;
8163 				found = true;
8164 				break;
8165 			}
8166 		}
8167 	}
8168 
8169 	return found;
8170 }
8171 
8172 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
8173 {
8174 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8175 	struct net_device *dev = info->user_ptr[1];
8176 	struct cfg80211_ibss_params ibss;
8177 	struct wiphy *wiphy;
8178 	struct cfg80211_cached_keys *connkeys = NULL;
8179 	int err;
8180 
8181 	memset(&ibss, 0, sizeof(ibss));
8182 
8183 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
8184 		return -EINVAL;
8185 
8186 	if (!info->attrs[NL80211_ATTR_SSID] ||
8187 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
8188 		return -EINVAL;
8189 
8190 	ibss.beacon_interval = 100;
8191 
8192 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
8193 		ibss.beacon_interval =
8194 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
8195 
8196 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
8197 					   ibss.beacon_interval);
8198 	if (err)
8199 		return err;
8200 
8201 	if (!rdev->ops->join_ibss)
8202 		return -EOPNOTSUPP;
8203 
8204 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
8205 		return -EOPNOTSUPP;
8206 
8207 	wiphy = &rdev->wiphy;
8208 
8209 	if (info->attrs[NL80211_ATTR_MAC]) {
8210 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8211 
8212 		if (!is_valid_ether_addr(ibss.bssid))
8213 			return -EINVAL;
8214 	}
8215 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
8216 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
8217 
8218 	if (info->attrs[NL80211_ATTR_IE]) {
8219 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8220 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8221 	}
8222 
8223 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
8224 	if (err)
8225 		return err;
8226 
8227 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
8228 				     NL80211_IFTYPE_ADHOC))
8229 		return -EINVAL;
8230 
8231 	switch (ibss.chandef.width) {
8232 	case NL80211_CHAN_WIDTH_5:
8233 	case NL80211_CHAN_WIDTH_10:
8234 	case NL80211_CHAN_WIDTH_20_NOHT:
8235 		break;
8236 	case NL80211_CHAN_WIDTH_20:
8237 	case NL80211_CHAN_WIDTH_40:
8238 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
8239 			return -EINVAL;
8240 		break;
8241 	case NL80211_CHAN_WIDTH_80:
8242 	case NL80211_CHAN_WIDTH_80P80:
8243 	case NL80211_CHAN_WIDTH_160:
8244 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
8245 			return -EINVAL;
8246 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
8247 					     NL80211_EXT_FEATURE_VHT_IBSS))
8248 			return -EINVAL;
8249 		break;
8250 	default:
8251 		return -EINVAL;
8252 	}
8253 
8254 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
8255 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
8256 
8257 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
8258 		u8 *rates =
8259 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8260 		int n_rates =
8261 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8262 		struct ieee80211_supported_band *sband =
8263 			wiphy->bands[ibss.chandef.chan->band];
8264 
8265 		err = ieee80211_get_ratemask(sband, rates, n_rates,
8266 					     &ibss.basic_rates);
8267 		if (err)
8268 			return err;
8269 	}
8270 
8271 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
8272 		memcpy(&ibss.ht_capa_mask,
8273 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
8274 		       sizeof(ibss.ht_capa_mask));
8275 
8276 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
8277 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
8278 			return -EINVAL;
8279 		memcpy(&ibss.ht_capa,
8280 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
8281 		       sizeof(ibss.ht_capa));
8282 	}
8283 
8284 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
8285 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
8286 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
8287 		return -EINVAL;
8288 
8289 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
8290 		bool no_ht = false;
8291 
8292 		connkeys = nl80211_parse_connkeys(rdev,
8293 					  info->attrs[NL80211_ATTR_KEYS],
8294 					  &no_ht);
8295 		if (IS_ERR(connkeys))
8296 			return PTR_ERR(connkeys);
8297 
8298 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
8299 		    no_ht) {
8300 			kzfree(connkeys);
8301 			return -EINVAL;
8302 		}
8303 	}
8304 
8305 	ibss.control_port =
8306 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
8307 
8308 	ibss.userspace_handles_dfs =
8309 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
8310 
8311 	err = cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
8312 	if (err)
8313 		kzfree(connkeys);
8314 	return err;
8315 }
8316 
8317 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
8318 {
8319 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8320 	struct net_device *dev = info->user_ptr[1];
8321 
8322 	if (!rdev->ops->leave_ibss)
8323 		return -EOPNOTSUPP;
8324 
8325 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
8326 		return -EOPNOTSUPP;
8327 
8328 	return cfg80211_leave_ibss(rdev, dev, false);
8329 }
8330 
8331 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
8332 {
8333 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8334 	struct net_device *dev = info->user_ptr[1];
8335 	int mcast_rate[NUM_NL80211_BANDS];
8336 	u32 nla_rate;
8337 	int err;
8338 
8339 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
8340 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
8341 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
8342 		return -EOPNOTSUPP;
8343 
8344 	if (!rdev->ops->set_mcast_rate)
8345 		return -EOPNOTSUPP;
8346 
8347 	memset(mcast_rate, 0, sizeof(mcast_rate));
8348 
8349 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
8350 		return -EINVAL;
8351 
8352 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
8353 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
8354 		return -EINVAL;
8355 
8356 	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
8357 
8358 	return err;
8359 }
8360 
8361 static struct sk_buff *
8362 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
8363 			    struct wireless_dev *wdev, int approxlen,
8364 			    u32 portid, u32 seq, enum nl80211_commands cmd,
8365 			    enum nl80211_attrs attr,
8366 			    const struct nl80211_vendor_cmd_info *info,
8367 			    gfp_t gfp)
8368 {
8369 	struct sk_buff *skb;
8370 	void *hdr;
8371 	struct nlattr *data;
8372 
8373 	skb = nlmsg_new(approxlen + 100, gfp);
8374 	if (!skb)
8375 		return NULL;
8376 
8377 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
8378 	if (!hdr) {
8379 		kfree_skb(skb);
8380 		return NULL;
8381 	}
8382 
8383 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
8384 		goto nla_put_failure;
8385 
8386 	if (info) {
8387 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
8388 				info->vendor_id))
8389 			goto nla_put_failure;
8390 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
8391 				info->subcmd))
8392 			goto nla_put_failure;
8393 	}
8394 
8395 	if (wdev) {
8396 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
8397 				      wdev_id(wdev), NL80211_ATTR_PAD))
8398 			goto nla_put_failure;
8399 		if (wdev->netdev &&
8400 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
8401 				wdev->netdev->ifindex))
8402 			goto nla_put_failure;
8403 	}
8404 
8405 	data = nla_nest_start(skb, attr);
8406 	if (!data)
8407 		goto nla_put_failure;
8408 
8409 	((void **)skb->cb)[0] = rdev;
8410 	((void **)skb->cb)[1] = hdr;
8411 	((void **)skb->cb)[2] = data;
8412 
8413 	return skb;
8414 
8415  nla_put_failure:
8416 	kfree_skb(skb);
8417 	return NULL;
8418 }
8419 
8420 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
8421 					   struct wireless_dev *wdev,
8422 					   enum nl80211_commands cmd,
8423 					   enum nl80211_attrs attr,
8424 					   int vendor_event_idx,
8425 					   int approxlen, gfp_t gfp)
8426 {
8427 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
8428 	const struct nl80211_vendor_cmd_info *info;
8429 
8430 	switch (cmd) {
8431 	case NL80211_CMD_TESTMODE:
8432 		if (WARN_ON(vendor_event_idx != -1))
8433 			return NULL;
8434 		info = NULL;
8435 		break;
8436 	case NL80211_CMD_VENDOR:
8437 		if (WARN_ON(vendor_event_idx < 0 ||
8438 			    vendor_event_idx >= wiphy->n_vendor_events))
8439 			return NULL;
8440 		info = &wiphy->vendor_events[vendor_event_idx];
8441 		break;
8442 	default:
8443 		WARN_ON(1);
8444 		return NULL;
8445 	}
8446 
8447 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, 0, 0,
8448 					   cmd, attr, info, gfp);
8449 }
8450 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
8451 
8452 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
8453 {
8454 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
8455 	void *hdr = ((void **)skb->cb)[1];
8456 	struct nlattr *data = ((void **)skb->cb)[2];
8457 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
8458 
8459 	/* clear CB data for netlink core to own from now on */
8460 	memset(skb->cb, 0, sizeof(skb->cb));
8461 
8462 	nla_nest_end(skb, data);
8463 	genlmsg_end(skb, hdr);
8464 
8465 	if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
8466 		mcgrp = NL80211_MCGRP_VENDOR;
8467 
8468 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), skb, 0,
8469 				mcgrp, gfp);
8470 }
8471 EXPORT_SYMBOL(__cfg80211_send_event_skb);
8472 
8473 #ifdef CONFIG_NL80211_TESTMODE
8474 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
8475 {
8476 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8477 	struct wireless_dev *wdev =
8478 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
8479 	int err;
8480 
8481 	if (!rdev->ops->testmode_cmd)
8482 		return -EOPNOTSUPP;
8483 
8484 	if (IS_ERR(wdev)) {
8485 		err = PTR_ERR(wdev);
8486 		if (err != -EINVAL)
8487 			return err;
8488 		wdev = NULL;
8489 	} else if (wdev->wiphy != &rdev->wiphy) {
8490 		return -EINVAL;
8491 	}
8492 
8493 	if (!info->attrs[NL80211_ATTR_TESTDATA])
8494 		return -EINVAL;
8495 
8496 	rdev->cur_cmd_info = info;
8497 	err = rdev_testmode_cmd(rdev, wdev,
8498 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
8499 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
8500 	rdev->cur_cmd_info = NULL;
8501 
8502 	return err;
8503 }
8504 
8505 static int nl80211_testmode_dump(struct sk_buff *skb,
8506 				 struct netlink_callback *cb)
8507 {
8508 	struct cfg80211_registered_device *rdev;
8509 	int err;
8510 	long phy_idx;
8511 	void *data = NULL;
8512 	int data_len = 0;
8513 
8514 	rtnl_lock();
8515 
8516 	if (cb->args[0]) {
8517 		/*
8518 		 * 0 is a valid index, but not valid for args[0],
8519 		 * so we need to offset by 1.
8520 		 */
8521 		phy_idx = cb->args[0] - 1;
8522 	} else {
8523 		struct nlattr **attrbuf = genl_family_attrbuf(&nl80211_fam);
8524 
8525 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
8526 				  attrbuf, nl80211_fam.maxattr, nl80211_policy);
8527 		if (err)
8528 			goto out_err;
8529 
8530 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
8531 		if (IS_ERR(rdev)) {
8532 			err = PTR_ERR(rdev);
8533 			goto out_err;
8534 		}
8535 		phy_idx = rdev->wiphy_idx;
8536 		rdev = NULL;
8537 
8538 		if (attrbuf[NL80211_ATTR_TESTDATA])
8539 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
8540 	}
8541 
8542 	if (cb->args[1]) {
8543 		data = nla_data((void *)cb->args[1]);
8544 		data_len = nla_len((void *)cb->args[1]);
8545 	}
8546 
8547 	rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
8548 	if (!rdev) {
8549 		err = -ENOENT;
8550 		goto out_err;
8551 	}
8552 
8553 	if (!rdev->ops->testmode_dump) {
8554 		err = -EOPNOTSUPP;
8555 		goto out_err;
8556 	}
8557 
8558 	while (1) {
8559 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
8560 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
8561 					   NL80211_CMD_TESTMODE);
8562 		struct nlattr *tmdata;
8563 
8564 		if (!hdr)
8565 			break;
8566 
8567 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
8568 			genlmsg_cancel(skb, hdr);
8569 			break;
8570 		}
8571 
8572 		tmdata = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
8573 		if (!tmdata) {
8574 			genlmsg_cancel(skb, hdr);
8575 			break;
8576 		}
8577 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
8578 		nla_nest_end(skb, tmdata);
8579 
8580 		if (err == -ENOBUFS || err == -ENOENT) {
8581 			genlmsg_cancel(skb, hdr);
8582 			break;
8583 		} else if (err) {
8584 			genlmsg_cancel(skb, hdr);
8585 			goto out_err;
8586 		}
8587 
8588 		genlmsg_end(skb, hdr);
8589 	}
8590 
8591 	err = skb->len;
8592 	/* see above */
8593 	cb->args[0] = phy_idx + 1;
8594  out_err:
8595 	rtnl_unlock();
8596 	return err;
8597 }
8598 #endif
8599 
8600 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
8601 {
8602 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8603 	struct net_device *dev = info->user_ptr[1];
8604 	struct cfg80211_connect_params connect;
8605 	struct wiphy *wiphy;
8606 	struct cfg80211_cached_keys *connkeys = NULL;
8607 	int err;
8608 
8609 	memset(&connect, 0, sizeof(connect));
8610 
8611 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
8612 		return -EINVAL;
8613 
8614 	if (!info->attrs[NL80211_ATTR_SSID] ||
8615 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
8616 		return -EINVAL;
8617 
8618 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
8619 		connect.auth_type =
8620 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
8621 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
8622 					     NL80211_CMD_CONNECT))
8623 			return -EINVAL;
8624 	} else
8625 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
8626 
8627 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
8628 
8629 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
8630 				      NL80211_MAX_NR_CIPHER_SUITES);
8631 	if (err)
8632 		return err;
8633 
8634 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8635 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8636 		return -EOPNOTSUPP;
8637 
8638 	wiphy = &rdev->wiphy;
8639 
8640 	connect.bg_scan_period = -1;
8641 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
8642 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
8643 		connect.bg_scan_period =
8644 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
8645 	}
8646 
8647 	if (info->attrs[NL80211_ATTR_MAC])
8648 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8649 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
8650 		connect.bssid_hint =
8651 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
8652 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
8653 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
8654 
8655 	if (info->attrs[NL80211_ATTR_IE]) {
8656 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8657 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8658 	}
8659 
8660 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
8661 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
8662 		if (connect.mfp != NL80211_MFP_REQUIRED &&
8663 		    connect.mfp != NL80211_MFP_NO)
8664 			return -EINVAL;
8665 	} else {
8666 		connect.mfp = NL80211_MFP_NO;
8667 	}
8668 
8669 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
8670 		connect.prev_bssid =
8671 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
8672 
8673 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
8674 		connect.channel = nl80211_get_valid_chan(
8675 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ]);
8676 		if (!connect.channel)
8677 			return -EINVAL;
8678 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
8679 		connect.channel_hint = nl80211_get_valid_chan(
8680 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
8681 		if (!connect.channel_hint)
8682 			return -EINVAL;
8683 	}
8684 
8685 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
8686 		connkeys = nl80211_parse_connkeys(rdev,
8687 					  info->attrs[NL80211_ATTR_KEYS], NULL);
8688 		if (IS_ERR(connkeys))
8689 			return PTR_ERR(connkeys);
8690 	}
8691 
8692 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
8693 		connect.flags |= ASSOC_REQ_DISABLE_HT;
8694 
8695 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
8696 		memcpy(&connect.ht_capa_mask,
8697 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
8698 		       sizeof(connect.ht_capa_mask));
8699 
8700 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
8701 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
8702 			kzfree(connkeys);
8703 			return -EINVAL;
8704 		}
8705 		memcpy(&connect.ht_capa,
8706 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
8707 		       sizeof(connect.ht_capa));
8708 	}
8709 
8710 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
8711 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
8712 
8713 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
8714 		memcpy(&connect.vht_capa_mask,
8715 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
8716 		       sizeof(connect.vht_capa_mask));
8717 
8718 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
8719 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
8720 			kzfree(connkeys);
8721 			return -EINVAL;
8722 		}
8723 		memcpy(&connect.vht_capa,
8724 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
8725 		       sizeof(connect.vht_capa));
8726 	}
8727 
8728 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
8729 		if (!((rdev->wiphy.features &
8730 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
8731 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
8732 		    !wiphy_ext_feature_isset(&rdev->wiphy,
8733 					     NL80211_EXT_FEATURE_RRM)) {
8734 			kzfree(connkeys);
8735 			return -EINVAL;
8736 		}
8737 		connect.flags |= ASSOC_REQ_USE_RRM;
8738 	}
8739 
8740 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
8741 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
8742 		kzfree(connkeys);
8743 		return -EOPNOTSUPP;
8744 	}
8745 
8746 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
8747 		/* bss selection makes no sense if bssid is set */
8748 		if (connect.bssid) {
8749 			kzfree(connkeys);
8750 			return -EINVAL;
8751 		}
8752 
8753 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
8754 				       wiphy, &connect.bss_select);
8755 		if (err) {
8756 			kzfree(connkeys);
8757 			return err;
8758 		}
8759 	}
8760 
8761 	wdev_lock(dev->ieee80211_ptr);
8762 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
8763 			       connect.prev_bssid);
8764 	wdev_unlock(dev->ieee80211_ptr);
8765 	if (err)
8766 		kzfree(connkeys);
8767 	return err;
8768 }
8769 
8770 static int nl80211_update_connect_params(struct sk_buff *skb,
8771 					 struct genl_info *info)
8772 {
8773 	struct cfg80211_connect_params connect = {};
8774 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8775 	struct net_device *dev = info->user_ptr[1];
8776 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8777 	u32 changed = 0;
8778 	int ret;
8779 
8780 	if (!rdev->ops->update_connect_params)
8781 		return -EOPNOTSUPP;
8782 
8783 	if (info->attrs[NL80211_ATTR_IE]) {
8784 		if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
8785 			return -EINVAL;
8786 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8787 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8788 		changed |= UPDATE_ASSOC_IES;
8789 	}
8790 
8791 	wdev_lock(dev->ieee80211_ptr);
8792 	if (!wdev->current_bss)
8793 		ret = -ENOLINK;
8794 	else
8795 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
8796 	wdev_unlock(dev->ieee80211_ptr);
8797 
8798 	return ret;
8799 }
8800 
8801 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
8802 {
8803 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8804 	struct net_device *dev = info->user_ptr[1];
8805 	u16 reason;
8806 	int ret;
8807 
8808 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
8809 		reason = WLAN_REASON_DEAUTH_LEAVING;
8810 	else
8811 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
8812 
8813 	if (reason == 0)
8814 		return -EINVAL;
8815 
8816 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8817 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8818 		return -EOPNOTSUPP;
8819 
8820 	wdev_lock(dev->ieee80211_ptr);
8821 	ret = cfg80211_disconnect(rdev, dev, reason, true);
8822 	wdev_unlock(dev->ieee80211_ptr);
8823 	return ret;
8824 }
8825 
8826 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
8827 {
8828 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8829 	struct net *net;
8830 	int err;
8831 
8832 	if (info->attrs[NL80211_ATTR_PID]) {
8833 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
8834 
8835 		net = get_net_ns_by_pid(pid);
8836 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
8837 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
8838 
8839 		net = get_net_ns_by_fd(fd);
8840 	} else {
8841 		return -EINVAL;
8842 	}
8843 
8844 	if (IS_ERR(net))
8845 		return PTR_ERR(net);
8846 
8847 	err = 0;
8848 
8849 	/* check if anything to do */
8850 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
8851 		err = cfg80211_switch_netns(rdev, net);
8852 
8853 	put_net(net);
8854 	return err;
8855 }
8856 
8857 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
8858 {
8859 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8860 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
8861 			struct cfg80211_pmksa *pmksa) = NULL;
8862 	struct net_device *dev = info->user_ptr[1];
8863 	struct cfg80211_pmksa pmksa;
8864 
8865 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
8866 
8867 	if (!info->attrs[NL80211_ATTR_MAC])
8868 		return -EINVAL;
8869 
8870 	if (!info->attrs[NL80211_ATTR_PMKID])
8871 		return -EINVAL;
8872 
8873 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
8874 	pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8875 
8876 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8877 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8878 		return -EOPNOTSUPP;
8879 
8880 	switch (info->genlhdr->cmd) {
8881 	case NL80211_CMD_SET_PMKSA:
8882 		rdev_ops = rdev->ops->set_pmksa;
8883 		break;
8884 	case NL80211_CMD_DEL_PMKSA:
8885 		rdev_ops = rdev->ops->del_pmksa;
8886 		break;
8887 	default:
8888 		WARN_ON(1);
8889 		break;
8890 	}
8891 
8892 	if (!rdev_ops)
8893 		return -EOPNOTSUPP;
8894 
8895 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
8896 }
8897 
8898 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
8899 {
8900 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8901 	struct net_device *dev = info->user_ptr[1];
8902 
8903 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8904 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8905 		return -EOPNOTSUPP;
8906 
8907 	if (!rdev->ops->flush_pmksa)
8908 		return -EOPNOTSUPP;
8909 
8910 	return rdev_flush_pmksa(rdev, dev);
8911 }
8912 
8913 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
8914 {
8915 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8916 	struct net_device *dev = info->user_ptr[1];
8917 	u8 action_code, dialog_token;
8918 	u32 peer_capability = 0;
8919 	u16 status_code;
8920 	u8 *peer;
8921 	bool initiator;
8922 
8923 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
8924 	    !rdev->ops->tdls_mgmt)
8925 		return -EOPNOTSUPP;
8926 
8927 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
8928 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
8929 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
8930 	    !info->attrs[NL80211_ATTR_IE] ||
8931 	    !info->attrs[NL80211_ATTR_MAC])
8932 		return -EINVAL;
8933 
8934 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
8935 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
8936 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
8937 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
8938 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
8939 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
8940 		peer_capability =
8941 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
8942 
8943 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
8944 			      dialog_token, status_code, peer_capability,
8945 			      initiator,
8946 			      nla_data(info->attrs[NL80211_ATTR_IE]),
8947 			      nla_len(info->attrs[NL80211_ATTR_IE]));
8948 }
8949 
8950 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
8951 {
8952 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8953 	struct net_device *dev = info->user_ptr[1];
8954 	enum nl80211_tdls_operation operation;
8955 	u8 *peer;
8956 
8957 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
8958 	    !rdev->ops->tdls_oper)
8959 		return -EOPNOTSUPP;
8960 
8961 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
8962 	    !info->attrs[NL80211_ATTR_MAC])
8963 		return -EINVAL;
8964 
8965 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
8966 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
8967 
8968 	return rdev_tdls_oper(rdev, dev, peer, operation);
8969 }
8970 
8971 static int nl80211_remain_on_channel(struct sk_buff *skb,
8972 				     struct genl_info *info)
8973 {
8974 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8975 	struct wireless_dev *wdev = info->user_ptr[1];
8976 	struct cfg80211_chan_def chandef;
8977 	struct sk_buff *msg;
8978 	void *hdr;
8979 	u64 cookie;
8980 	u32 duration;
8981 	int err;
8982 
8983 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
8984 	    !info->attrs[NL80211_ATTR_DURATION])
8985 		return -EINVAL;
8986 
8987 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
8988 
8989 	if (!rdev->ops->remain_on_channel ||
8990 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
8991 		return -EOPNOTSUPP;
8992 
8993 	/*
8994 	 * We should be on that channel for at least a minimum amount of
8995 	 * time (10ms) but no longer than the driver supports.
8996 	 */
8997 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
8998 	    duration > rdev->wiphy.max_remain_on_channel_duration)
8999 		return -EINVAL;
9000 
9001 	err = nl80211_parse_chandef(rdev, info, &chandef);
9002 	if (err)
9003 		return err;
9004 
9005 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9006 	if (!msg)
9007 		return -ENOMEM;
9008 
9009 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9010 			     NL80211_CMD_REMAIN_ON_CHANNEL);
9011 	if (!hdr) {
9012 		err = -ENOBUFS;
9013 		goto free_msg;
9014 	}
9015 
9016 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
9017 				     duration, &cookie);
9018 
9019 	if (err)
9020 		goto free_msg;
9021 
9022 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
9023 			      NL80211_ATTR_PAD))
9024 		goto nla_put_failure;
9025 
9026 	genlmsg_end(msg, hdr);
9027 
9028 	return genlmsg_reply(msg, info);
9029 
9030  nla_put_failure:
9031 	err = -ENOBUFS;
9032  free_msg:
9033 	nlmsg_free(msg);
9034 	return err;
9035 }
9036 
9037 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
9038 					    struct genl_info *info)
9039 {
9040 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9041 	struct wireless_dev *wdev = info->user_ptr[1];
9042 	u64 cookie;
9043 
9044 	if (!info->attrs[NL80211_ATTR_COOKIE])
9045 		return -EINVAL;
9046 
9047 	if (!rdev->ops->cancel_remain_on_channel)
9048 		return -EOPNOTSUPP;
9049 
9050 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
9051 
9052 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
9053 }
9054 
9055 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
9056 				       struct genl_info *info)
9057 {
9058 	struct cfg80211_bitrate_mask mask;
9059 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9060 	struct net_device *dev = info->user_ptr[1];
9061 	int err;
9062 
9063 	if (!rdev->ops->set_bitrate_mask)
9064 		return -EOPNOTSUPP;
9065 
9066 	err = nl80211_parse_tx_bitrate_mask(info, &mask);
9067 	if (err)
9068 		return err;
9069 
9070 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
9071 }
9072 
9073 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
9074 {
9075 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9076 	struct wireless_dev *wdev = info->user_ptr[1];
9077 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
9078 
9079 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
9080 		return -EINVAL;
9081 
9082 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
9083 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
9084 
9085 	switch (wdev->iftype) {
9086 	case NL80211_IFTYPE_STATION:
9087 	case NL80211_IFTYPE_ADHOC:
9088 	case NL80211_IFTYPE_P2P_CLIENT:
9089 	case NL80211_IFTYPE_AP:
9090 	case NL80211_IFTYPE_AP_VLAN:
9091 	case NL80211_IFTYPE_MESH_POINT:
9092 	case NL80211_IFTYPE_P2P_GO:
9093 	case NL80211_IFTYPE_P2P_DEVICE:
9094 		break;
9095 	case NL80211_IFTYPE_NAN:
9096 	default:
9097 		return -EOPNOTSUPP;
9098 	}
9099 
9100 	/* not much point in registering if we can't reply */
9101 	if (!rdev->ops->mgmt_tx)
9102 		return -EOPNOTSUPP;
9103 
9104 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
9105 			nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
9106 			nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]));
9107 }
9108 
9109 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
9110 {
9111 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9112 	struct wireless_dev *wdev = info->user_ptr[1];
9113 	struct cfg80211_chan_def chandef;
9114 	int err;
9115 	void *hdr = NULL;
9116 	u64 cookie;
9117 	struct sk_buff *msg = NULL;
9118 	struct cfg80211_mgmt_tx_params params = {
9119 		.dont_wait_for_ack =
9120 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
9121 	};
9122 
9123 	if (!info->attrs[NL80211_ATTR_FRAME])
9124 		return -EINVAL;
9125 
9126 	if (!rdev->ops->mgmt_tx)
9127 		return -EOPNOTSUPP;
9128 
9129 	switch (wdev->iftype) {
9130 	case NL80211_IFTYPE_P2P_DEVICE:
9131 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
9132 			return -EINVAL;
9133 	case NL80211_IFTYPE_STATION:
9134 	case NL80211_IFTYPE_ADHOC:
9135 	case NL80211_IFTYPE_P2P_CLIENT:
9136 	case NL80211_IFTYPE_AP:
9137 	case NL80211_IFTYPE_AP_VLAN:
9138 	case NL80211_IFTYPE_MESH_POINT:
9139 	case NL80211_IFTYPE_P2P_GO:
9140 		break;
9141 	case NL80211_IFTYPE_NAN:
9142 	default:
9143 		return -EOPNOTSUPP;
9144 	}
9145 
9146 	if (info->attrs[NL80211_ATTR_DURATION]) {
9147 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
9148 			return -EINVAL;
9149 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
9150 
9151 		/*
9152 		 * We should wait on the channel for at least a minimum amount
9153 		 * of time (10ms) but no longer than the driver supports.
9154 		 */
9155 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
9156 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
9157 			return -EINVAL;
9158 	}
9159 
9160 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
9161 
9162 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
9163 		return -EINVAL;
9164 
9165 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
9166 
9167 	/* get the channel if any has been specified, otherwise pass NULL to
9168 	 * the driver. The latter will use the current one
9169 	 */
9170 	chandef.chan = NULL;
9171 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
9172 		err = nl80211_parse_chandef(rdev, info, &chandef);
9173 		if (err)
9174 			return err;
9175 	}
9176 
9177 	if (!chandef.chan && params.offchan)
9178 		return -EINVAL;
9179 
9180 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
9181 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
9182 
9183 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
9184 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
9185 		int i;
9186 
9187 		if (len % sizeof(u16))
9188 			return -EINVAL;
9189 
9190 		params.n_csa_offsets = len / sizeof(u16);
9191 		params.csa_offsets =
9192 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
9193 
9194 		/* check that all the offsets fit the frame */
9195 		for (i = 0; i < params.n_csa_offsets; i++) {
9196 			if (params.csa_offsets[i] >= params.len)
9197 				return -EINVAL;
9198 		}
9199 	}
9200 
9201 	if (!params.dont_wait_for_ack) {
9202 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9203 		if (!msg)
9204 			return -ENOMEM;
9205 
9206 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9207 				     NL80211_CMD_FRAME);
9208 		if (!hdr) {
9209 			err = -ENOBUFS;
9210 			goto free_msg;
9211 		}
9212 	}
9213 
9214 	params.chan = chandef.chan;
9215 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
9216 	if (err)
9217 		goto free_msg;
9218 
9219 	if (msg) {
9220 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
9221 				      NL80211_ATTR_PAD))
9222 			goto nla_put_failure;
9223 
9224 		genlmsg_end(msg, hdr);
9225 		return genlmsg_reply(msg, info);
9226 	}
9227 
9228 	return 0;
9229 
9230  nla_put_failure:
9231 	err = -ENOBUFS;
9232  free_msg:
9233 	nlmsg_free(msg);
9234 	return err;
9235 }
9236 
9237 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
9238 {
9239 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9240 	struct wireless_dev *wdev = info->user_ptr[1];
9241 	u64 cookie;
9242 
9243 	if (!info->attrs[NL80211_ATTR_COOKIE])
9244 		return -EINVAL;
9245 
9246 	if (!rdev->ops->mgmt_tx_cancel_wait)
9247 		return -EOPNOTSUPP;
9248 
9249 	switch (wdev->iftype) {
9250 	case NL80211_IFTYPE_STATION:
9251 	case NL80211_IFTYPE_ADHOC:
9252 	case NL80211_IFTYPE_P2P_CLIENT:
9253 	case NL80211_IFTYPE_AP:
9254 	case NL80211_IFTYPE_AP_VLAN:
9255 	case NL80211_IFTYPE_P2P_GO:
9256 	case NL80211_IFTYPE_P2P_DEVICE:
9257 		break;
9258 	case NL80211_IFTYPE_NAN:
9259 	default:
9260 		return -EOPNOTSUPP;
9261 	}
9262 
9263 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
9264 
9265 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
9266 }
9267 
9268 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
9269 {
9270 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9271 	struct wireless_dev *wdev;
9272 	struct net_device *dev = info->user_ptr[1];
9273 	u8 ps_state;
9274 	bool state;
9275 	int err;
9276 
9277 	if (!info->attrs[NL80211_ATTR_PS_STATE])
9278 		return -EINVAL;
9279 
9280 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
9281 
9282 	if (ps_state != NL80211_PS_DISABLED && ps_state != NL80211_PS_ENABLED)
9283 		return -EINVAL;
9284 
9285 	wdev = dev->ieee80211_ptr;
9286 
9287 	if (!rdev->ops->set_power_mgmt)
9288 		return -EOPNOTSUPP;
9289 
9290 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
9291 
9292 	if (state == wdev->ps)
9293 		return 0;
9294 
9295 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
9296 	if (!err)
9297 		wdev->ps = state;
9298 	return err;
9299 }
9300 
9301 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
9302 {
9303 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9304 	enum nl80211_ps_state ps_state;
9305 	struct wireless_dev *wdev;
9306 	struct net_device *dev = info->user_ptr[1];
9307 	struct sk_buff *msg;
9308 	void *hdr;
9309 	int err;
9310 
9311 	wdev = dev->ieee80211_ptr;
9312 
9313 	if (!rdev->ops->set_power_mgmt)
9314 		return -EOPNOTSUPP;
9315 
9316 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9317 	if (!msg)
9318 		return -ENOMEM;
9319 
9320 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9321 			     NL80211_CMD_GET_POWER_SAVE);
9322 	if (!hdr) {
9323 		err = -ENOBUFS;
9324 		goto free_msg;
9325 	}
9326 
9327 	if (wdev->ps)
9328 		ps_state = NL80211_PS_ENABLED;
9329 	else
9330 		ps_state = NL80211_PS_DISABLED;
9331 
9332 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
9333 		goto nla_put_failure;
9334 
9335 	genlmsg_end(msg, hdr);
9336 	return genlmsg_reply(msg, info);
9337 
9338  nla_put_failure:
9339 	err = -ENOBUFS;
9340  free_msg:
9341 	nlmsg_free(msg);
9342 	return err;
9343 }
9344 
9345 static const struct nla_policy
9346 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
9347 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_U32 },
9348 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
9349 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
9350 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
9351 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
9352 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
9353 };
9354 
9355 static int nl80211_set_cqm_txe(struct genl_info *info,
9356 			       u32 rate, u32 pkts, u32 intvl)
9357 {
9358 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9359 	struct net_device *dev = info->user_ptr[1];
9360 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9361 
9362 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
9363 		return -EINVAL;
9364 
9365 	if (!rdev->ops->set_cqm_txe_config)
9366 		return -EOPNOTSUPP;
9367 
9368 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
9369 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
9370 		return -EOPNOTSUPP;
9371 
9372 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
9373 }
9374 
9375 static int nl80211_set_cqm_rssi(struct genl_info *info,
9376 				s32 threshold, u32 hysteresis)
9377 {
9378 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9379 	struct net_device *dev = info->user_ptr[1];
9380 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9381 
9382 	if (threshold > 0)
9383 		return -EINVAL;
9384 
9385 	/* disabling - hysteresis should also be zero then */
9386 	if (threshold == 0)
9387 		hysteresis = 0;
9388 
9389 	if (!rdev->ops->set_cqm_rssi_config)
9390 		return -EOPNOTSUPP;
9391 
9392 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
9393 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
9394 		return -EOPNOTSUPP;
9395 
9396 	return rdev_set_cqm_rssi_config(rdev, dev, threshold, hysteresis);
9397 }
9398 
9399 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
9400 {
9401 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
9402 	struct nlattr *cqm;
9403 	int err;
9404 
9405 	cqm = info->attrs[NL80211_ATTR_CQM];
9406 	if (!cqm)
9407 		return -EINVAL;
9408 
9409 	err = nla_parse_nested(attrs, NL80211_ATTR_CQM_MAX, cqm,
9410 			       nl80211_attr_cqm_policy);
9411 	if (err)
9412 		return err;
9413 
9414 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
9415 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
9416 		s32 threshold = nla_get_s32(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
9417 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
9418 
9419 		return nl80211_set_cqm_rssi(info, threshold, hysteresis);
9420 	}
9421 
9422 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
9423 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
9424 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
9425 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
9426 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
9427 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
9428 
9429 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
9430 	}
9431 
9432 	return -EINVAL;
9433 }
9434 
9435 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
9436 {
9437 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9438 	struct net_device *dev = info->user_ptr[1];
9439 	struct ocb_setup setup = {};
9440 	int err;
9441 
9442 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
9443 	if (err)
9444 		return err;
9445 
9446 	return cfg80211_join_ocb(rdev, dev, &setup);
9447 }
9448 
9449 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
9450 {
9451 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9452 	struct net_device *dev = info->user_ptr[1];
9453 
9454 	return cfg80211_leave_ocb(rdev, dev);
9455 }
9456 
9457 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
9458 {
9459 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9460 	struct net_device *dev = info->user_ptr[1];
9461 	struct mesh_config cfg;
9462 	struct mesh_setup setup;
9463 	int err;
9464 
9465 	/* start with default */
9466 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
9467 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
9468 
9469 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
9470 		/* and parse parameters if given */
9471 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
9472 		if (err)
9473 			return err;
9474 	}
9475 
9476 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
9477 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
9478 		return -EINVAL;
9479 
9480 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
9481 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
9482 
9483 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
9484 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
9485 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
9486 			return -EINVAL;
9487 
9488 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
9489 		setup.beacon_interval =
9490 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
9491 
9492 		err = cfg80211_validate_beacon_int(rdev,
9493 						   NL80211_IFTYPE_MESH_POINT,
9494 						   setup.beacon_interval);
9495 		if (err)
9496 			return err;
9497 	}
9498 
9499 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
9500 		setup.dtim_period =
9501 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
9502 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
9503 			return -EINVAL;
9504 	}
9505 
9506 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
9507 		/* parse additional setup parameters if given */
9508 		err = nl80211_parse_mesh_setup(info, &setup);
9509 		if (err)
9510 			return err;
9511 	}
9512 
9513 	if (setup.user_mpm)
9514 		cfg.auto_open_plinks = false;
9515 
9516 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
9517 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
9518 		if (err)
9519 			return err;
9520 	} else {
9521 		/* cfg80211_join_mesh() will sort it out */
9522 		setup.chandef.chan = NULL;
9523 	}
9524 
9525 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
9526 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9527 		int n_rates =
9528 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9529 		struct ieee80211_supported_band *sband;
9530 
9531 		if (!setup.chandef.chan)
9532 			return -EINVAL;
9533 
9534 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
9535 
9536 		err = ieee80211_get_ratemask(sband, rates, n_rates,
9537 					     &setup.basic_rates);
9538 		if (err)
9539 			return err;
9540 	}
9541 
9542 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
9543 		err = nl80211_parse_tx_bitrate_mask(info, &setup.beacon_rate);
9544 		if (err)
9545 			return err;
9546 
9547 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
9548 					      &setup.beacon_rate);
9549 		if (err)
9550 			return err;
9551 	}
9552 
9553 	return cfg80211_join_mesh(rdev, dev, &setup, &cfg);
9554 }
9555 
9556 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
9557 {
9558 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9559 	struct net_device *dev = info->user_ptr[1];
9560 
9561 	return cfg80211_leave_mesh(rdev, dev);
9562 }
9563 
9564 #ifdef CONFIG_PM
9565 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
9566 					struct cfg80211_registered_device *rdev)
9567 {
9568 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
9569 	struct nlattr *nl_pats, *nl_pat;
9570 	int i, pat_len;
9571 
9572 	if (!wowlan->n_patterns)
9573 		return 0;
9574 
9575 	nl_pats = nla_nest_start(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
9576 	if (!nl_pats)
9577 		return -ENOBUFS;
9578 
9579 	for (i = 0; i < wowlan->n_patterns; i++) {
9580 		nl_pat = nla_nest_start(msg, i + 1);
9581 		if (!nl_pat)
9582 			return -ENOBUFS;
9583 		pat_len = wowlan->patterns[i].pattern_len;
9584 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
9585 			    wowlan->patterns[i].mask) ||
9586 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
9587 			    wowlan->patterns[i].pattern) ||
9588 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
9589 				wowlan->patterns[i].pkt_offset))
9590 			return -ENOBUFS;
9591 		nla_nest_end(msg, nl_pat);
9592 	}
9593 	nla_nest_end(msg, nl_pats);
9594 
9595 	return 0;
9596 }
9597 
9598 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
9599 				   struct cfg80211_wowlan_tcp *tcp)
9600 {
9601 	struct nlattr *nl_tcp;
9602 
9603 	if (!tcp)
9604 		return 0;
9605 
9606 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
9607 	if (!nl_tcp)
9608 		return -ENOBUFS;
9609 
9610 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
9611 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
9612 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
9613 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
9614 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
9615 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
9616 		    tcp->payload_len, tcp->payload) ||
9617 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
9618 			tcp->data_interval) ||
9619 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
9620 		    tcp->wake_len, tcp->wake_data) ||
9621 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
9622 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
9623 		return -ENOBUFS;
9624 
9625 	if (tcp->payload_seq.len &&
9626 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
9627 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
9628 		return -ENOBUFS;
9629 
9630 	if (tcp->payload_tok.len &&
9631 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
9632 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
9633 		    &tcp->payload_tok))
9634 		return -ENOBUFS;
9635 
9636 	nla_nest_end(msg, nl_tcp);
9637 
9638 	return 0;
9639 }
9640 
9641 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
9642 				  struct cfg80211_sched_scan_request *req)
9643 {
9644 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
9645 	int i;
9646 
9647 	if (!req)
9648 		return 0;
9649 
9650 	nd = nla_nest_start(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
9651 	if (!nd)
9652 		return -ENOBUFS;
9653 
9654 	if (req->n_scan_plans == 1 &&
9655 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
9656 			req->scan_plans[0].interval * 1000))
9657 		return -ENOBUFS;
9658 
9659 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
9660 		return -ENOBUFS;
9661 
9662 	freqs = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
9663 	if (!freqs)
9664 		return -ENOBUFS;
9665 
9666 	for (i = 0; i < req->n_channels; i++) {
9667 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
9668 			return -ENOBUFS;
9669 	}
9670 
9671 	nla_nest_end(msg, freqs);
9672 
9673 	if (req->n_match_sets) {
9674 		matches = nla_nest_start(msg, NL80211_ATTR_SCHED_SCAN_MATCH);
9675 		if (!matches)
9676 			return -ENOBUFS;
9677 
9678 		for (i = 0; i < req->n_match_sets; i++) {
9679 			match = nla_nest_start(msg, i);
9680 			if (!match)
9681 				return -ENOBUFS;
9682 
9683 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
9684 				    req->match_sets[i].ssid.ssid_len,
9685 				    req->match_sets[i].ssid.ssid))
9686 				return -ENOBUFS;
9687 			nla_nest_end(msg, match);
9688 		}
9689 		nla_nest_end(msg, matches);
9690 	}
9691 
9692 	scan_plans = nla_nest_start(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
9693 	if (!scan_plans)
9694 		return -ENOBUFS;
9695 
9696 	for (i = 0; i < req->n_scan_plans; i++) {
9697 		scan_plan = nla_nest_start(msg, i + 1);
9698 		if (!scan_plan)
9699 			return -ENOBUFS;
9700 
9701 		if (!scan_plan ||
9702 		    nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
9703 				req->scan_plans[i].interval) ||
9704 		    (req->scan_plans[i].iterations &&
9705 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
9706 				 req->scan_plans[i].iterations)))
9707 			return -ENOBUFS;
9708 		nla_nest_end(msg, scan_plan);
9709 	}
9710 	nla_nest_end(msg, scan_plans);
9711 
9712 	nla_nest_end(msg, nd);
9713 
9714 	return 0;
9715 }
9716 
9717 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
9718 {
9719 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9720 	struct sk_buff *msg;
9721 	void *hdr;
9722 	u32 size = NLMSG_DEFAULT_SIZE;
9723 
9724 	if (!rdev->wiphy.wowlan)
9725 		return -EOPNOTSUPP;
9726 
9727 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
9728 		/* adjust size to have room for all the data */
9729 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
9730 			rdev->wiphy.wowlan_config->tcp->payload_len +
9731 			rdev->wiphy.wowlan_config->tcp->wake_len +
9732 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
9733 	}
9734 
9735 	msg = nlmsg_new(size, GFP_KERNEL);
9736 	if (!msg)
9737 		return -ENOMEM;
9738 
9739 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9740 			     NL80211_CMD_GET_WOWLAN);
9741 	if (!hdr)
9742 		goto nla_put_failure;
9743 
9744 	if (rdev->wiphy.wowlan_config) {
9745 		struct nlattr *nl_wowlan;
9746 
9747 		nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
9748 		if (!nl_wowlan)
9749 			goto nla_put_failure;
9750 
9751 		if ((rdev->wiphy.wowlan_config->any &&
9752 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
9753 		    (rdev->wiphy.wowlan_config->disconnect &&
9754 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
9755 		    (rdev->wiphy.wowlan_config->magic_pkt &&
9756 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
9757 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
9758 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
9759 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
9760 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
9761 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
9762 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
9763 		    (rdev->wiphy.wowlan_config->rfkill_release &&
9764 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
9765 			goto nla_put_failure;
9766 
9767 		if (nl80211_send_wowlan_patterns(msg, rdev))
9768 			goto nla_put_failure;
9769 
9770 		if (nl80211_send_wowlan_tcp(msg,
9771 					    rdev->wiphy.wowlan_config->tcp))
9772 			goto nla_put_failure;
9773 
9774 		if (nl80211_send_wowlan_nd(
9775 			    msg,
9776 			    rdev->wiphy.wowlan_config->nd_config))
9777 			goto nla_put_failure;
9778 
9779 		nla_nest_end(msg, nl_wowlan);
9780 	}
9781 
9782 	genlmsg_end(msg, hdr);
9783 	return genlmsg_reply(msg, info);
9784 
9785 nla_put_failure:
9786 	nlmsg_free(msg);
9787 	return -ENOBUFS;
9788 }
9789 
9790 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
9791 				    struct nlattr *attr,
9792 				    struct cfg80211_wowlan *trig)
9793 {
9794 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
9795 	struct cfg80211_wowlan_tcp *cfg;
9796 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
9797 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
9798 	u32 size;
9799 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
9800 	int err, port;
9801 
9802 	if (!rdev->wiphy.wowlan->tcp)
9803 		return -EINVAL;
9804 
9805 	err = nla_parse_nested(tb, MAX_NL80211_WOWLAN_TCP, attr,
9806 			       nl80211_wowlan_tcp_policy);
9807 	if (err)
9808 		return err;
9809 
9810 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
9811 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
9812 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
9813 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
9814 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
9815 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
9816 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
9817 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
9818 		return -EINVAL;
9819 
9820 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
9821 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
9822 		return -EINVAL;
9823 
9824 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
9825 			rdev->wiphy.wowlan->tcp->data_interval_max ||
9826 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
9827 		return -EINVAL;
9828 
9829 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
9830 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
9831 		return -EINVAL;
9832 
9833 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
9834 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
9835 		return -EINVAL;
9836 
9837 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
9838 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
9839 
9840 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
9841 		tokens_size = tokln - sizeof(*tok);
9842 
9843 		if (!tok->len || tokens_size % tok->len)
9844 			return -EINVAL;
9845 		if (!rdev->wiphy.wowlan->tcp->tok)
9846 			return -EINVAL;
9847 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
9848 			return -EINVAL;
9849 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
9850 			return -EINVAL;
9851 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
9852 			return -EINVAL;
9853 		if (tok->offset + tok->len > data_size)
9854 			return -EINVAL;
9855 	}
9856 
9857 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
9858 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
9859 		if (!rdev->wiphy.wowlan->tcp->seq)
9860 			return -EINVAL;
9861 		if (seq->len == 0 || seq->len > 4)
9862 			return -EINVAL;
9863 		if (seq->len + seq->offset > data_size)
9864 			return -EINVAL;
9865 	}
9866 
9867 	size = sizeof(*cfg);
9868 	size += data_size;
9869 	size += wake_size + wake_mask_size;
9870 	size += tokens_size;
9871 
9872 	cfg = kzalloc(size, GFP_KERNEL);
9873 	if (!cfg)
9874 		return -ENOMEM;
9875 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
9876 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
9877 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
9878 	       ETH_ALEN);
9879 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
9880 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
9881 	else
9882 		port = 0;
9883 #ifdef CONFIG_INET
9884 	/* allocate a socket and port for it and use it */
9885 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
9886 			    IPPROTO_TCP, &cfg->sock, 1);
9887 	if (err) {
9888 		kfree(cfg);
9889 		return err;
9890 	}
9891 	if (inet_csk_get_port(cfg->sock->sk, port)) {
9892 		sock_release(cfg->sock);
9893 		kfree(cfg);
9894 		return -EADDRINUSE;
9895 	}
9896 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
9897 #else
9898 	if (!port) {
9899 		kfree(cfg);
9900 		return -EINVAL;
9901 	}
9902 	cfg->src_port = port;
9903 #endif
9904 
9905 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
9906 	cfg->payload_len = data_size;
9907 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
9908 	memcpy((void *)cfg->payload,
9909 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
9910 	       data_size);
9911 	if (seq)
9912 		cfg->payload_seq = *seq;
9913 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
9914 	cfg->wake_len = wake_size;
9915 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
9916 	memcpy((void *)cfg->wake_data,
9917 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
9918 	       wake_size);
9919 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
9920 			 data_size + wake_size;
9921 	memcpy((void *)cfg->wake_mask,
9922 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
9923 	       wake_mask_size);
9924 	if (tok) {
9925 		cfg->tokens_size = tokens_size;
9926 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
9927 	}
9928 
9929 	trig->tcp = cfg;
9930 
9931 	return 0;
9932 }
9933 
9934 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
9935 				   const struct wiphy_wowlan_support *wowlan,
9936 				   struct nlattr *attr,
9937 				   struct cfg80211_wowlan *trig)
9938 {
9939 	struct nlattr **tb;
9940 	int err;
9941 
9942 	tb = kzalloc(NUM_NL80211_ATTR * sizeof(*tb), GFP_KERNEL);
9943 	if (!tb)
9944 		return -ENOMEM;
9945 
9946 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
9947 		err = -EOPNOTSUPP;
9948 		goto out;
9949 	}
9950 
9951 	err = nla_parse_nested(tb, NL80211_ATTR_MAX, attr, nl80211_policy);
9952 	if (err)
9953 		goto out;
9954 
9955 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb);
9956 	err = PTR_ERR_OR_ZERO(trig->nd_config);
9957 	if (err)
9958 		trig->nd_config = NULL;
9959 
9960 out:
9961 	kfree(tb);
9962 	return err;
9963 }
9964 
9965 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
9966 {
9967 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9968 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
9969 	struct cfg80211_wowlan new_triggers = {};
9970 	struct cfg80211_wowlan *ntrig;
9971 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
9972 	int err, i;
9973 	bool prev_enabled = rdev->wiphy.wowlan_config;
9974 	bool regular = false;
9975 
9976 	if (!wowlan)
9977 		return -EOPNOTSUPP;
9978 
9979 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
9980 		cfg80211_rdev_free_wowlan(rdev);
9981 		rdev->wiphy.wowlan_config = NULL;
9982 		goto set_wakeup;
9983 	}
9984 
9985 	err = nla_parse_nested(tb, MAX_NL80211_WOWLAN_TRIG,
9986 			       info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
9987 			       nl80211_wowlan_policy);
9988 	if (err)
9989 		return err;
9990 
9991 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
9992 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
9993 			return -EINVAL;
9994 		new_triggers.any = true;
9995 	}
9996 
9997 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
9998 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
9999 			return -EINVAL;
10000 		new_triggers.disconnect = true;
10001 		regular = true;
10002 	}
10003 
10004 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
10005 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
10006 			return -EINVAL;
10007 		new_triggers.magic_pkt = true;
10008 		regular = true;
10009 	}
10010 
10011 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
10012 		return -EINVAL;
10013 
10014 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
10015 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
10016 			return -EINVAL;
10017 		new_triggers.gtk_rekey_failure = true;
10018 		regular = true;
10019 	}
10020 
10021 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
10022 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
10023 			return -EINVAL;
10024 		new_triggers.eap_identity_req = true;
10025 		regular = true;
10026 	}
10027 
10028 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
10029 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
10030 			return -EINVAL;
10031 		new_triggers.four_way_handshake = true;
10032 		regular = true;
10033 	}
10034 
10035 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
10036 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
10037 			return -EINVAL;
10038 		new_triggers.rfkill_release = true;
10039 		regular = true;
10040 	}
10041 
10042 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
10043 		struct nlattr *pat;
10044 		int n_patterns = 0;
10045 		int rem, pat_len, mask_len, pkt_offset;
10046 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
10047 
10048 		regular = true;
10049 
10050 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
10051 				    rem)
10052 			n_patterns++;
10053 		if (n_patterns > wowlan->n_patterns)
10054 			return -EINVAL;
10055 
10056 		new_triggers.patterns = kcalloc(n_patterns,
10057 						sizeof(new_triggers.patterns[0]),
10058 						GFP_KERNEL);
10059 		if (!new_triggers.patterns)
10060 			return -ENOMEM;
10061 
10062 		new_triggers.n_patterns = n_patterns;
10063 		i = 0;
10064 
10065 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
10066 				    rem) {
10067 			u8 *mask_pat;
10068 
10069 			nla_parse_nested(pat_tb, MAX_NL80211_PKTPAT, pat,
10070 					 NULL);
10071 			err = -EINVAL;
10072 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
10073 			    !pat_tb[NL80211_PKTPAT_PATTERN])
10074 				goto error;
10075 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
10076 			mask_len = DIV_ROUND_UP(pat_len, 8);
10077 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
10078 				goto error;
10079 			if (pat_len > wowlan->pattern_max_len ||
10080 			    pat_len < wowlan->pattern_min_len)
10081 				goto error;
10082 
10083 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
10084 				pkt_offset = 0;
10085 			else
10086 				pkt_offset = nla_get_u32(
10087 					pat_tb[NL80211_PKTPAT_OFFSET]);
10088 			if (pkt_offset > wowlan->max_pkt_offset)
10089 				goto error;
10090 			new_triggers.patterns[i].pkt_offset = pkt_offset;
10091 
10092 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
10093 			if (!mask_pat) {
10094 				err = -ENOMEM;
10095 				goto error;
10096 			}
10097 			new_triggers.patterns[i].mask = mask_pat;
10098 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
10099 			       mask_len);
10100 			mask_pat += mask_len;
10101 			new_triggers.patterns[i].pattern = mask_pat;
10102 			new_triggers.patterns[i].pattern_len = pat_len;
10103 			memcpy(mask_pat,
10104 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
10105 			       pat_len);
10106 			i++;
10107 		}
10108 	}
10109 
10110 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
10111 		regular = true;
10112 		err = nl80211_parse_wowlan_tcp(
10113 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
10114 			&new_triggers);
10115 		if (err)
10116 			goto error;
10117 	}
10118 
10119 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
10120 		regular = true;
10121 		err = nl80211_parse_wowlan_nd(
10122 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
10123 			&new_triggers);
10124 		if (err)
10125 			goto error;
10126 	}
10127 
10128 	/* The 'any' trigger means the device continues operating more or less
10129 	 * as in its normal operation mode and wakes up the host on most of the
10130 	 * normal interrupts (like packet RX, ...)
10131 	 * It therefore makes little sense to combine with the more constrained
10132 	 * wakeup trigger modes.
10133 	 */
10134 	if (new_triggers.any && regular) {
10135 		err = -EINVAL;
10136 		goto error;
10137 	}
10138 
10139 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
10140 	if (!ntrig) {
10141 		err = -ENOMEM;
10142 		goto error;
10143 	}
10144 	cfg80211_rdev_free_wowlan(rdev);
10145 	rdev->wiphy.wowlan_config = ntrig;
10146 
10147  set_wakeup:
10148 	if (rdev->ops->set_wakeup &&
10149 	    prev_enabled != !!rdev->wiphy.wowlan_config)
10150 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
10151 
10152 	return 0;
10153  error:
10154 	for (i = 0; i < new_triggers.n_patterns; i++)
10155 		kfree(new_triggers.patterns[i].mask);
10156 	kfree(new_triggers.patterns);
10157 	if (new_triggers.tcp && new_triggers.tcp->sock)
10158 		sock_release(new_triggers.tcp->sock);
10159 	kfree(new_triggers.tcp);
10160 	kfree(new_triggers.nd_config);
10161 	return err;
10162 }
10163 #endif
10164 
10165 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
10166 				       struct cfg80211_registered_device *rdev)
10167 {
10168 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
10169 	int i, j, pat_len;
10170 	struct cfg80211_coalesce_rules *rule;
10171 
10172 	if (!rdev->coalesce->n_rules)
10173 		return 0;
10174 
10175 	nl_rules = nla_nest_start(msg, NL80211_ATTR_COALESCE_RULE);
10176 	if (!nl_rules)
10177 		return -ENOBUFS;
10178 
10179 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
10180 		nl_rule = nla_nest_start(msg, i + 1);
10181 		if (!nl_rule)
10182 			return -ENOBUFS;
10183 
10184 		rule = &rdev->coalesce->rules[i];
10185 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
10186 				rule->delay))
10187 			return -ENOBUFS;
10188 
10189 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
10190 				rule->condition))
10191 			return -ENOBUFS;
10192 
10193 		nl_pats = nla_nest_start(msg,
10194 				NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
10195 		if (!nl_pats)
10196 			return -ENOBUFS;
10197 
10198 		for (j = 0; j < rule->n_patterns; j++) {
10199 			nl_pat = nla_nest_start(msg, j + 1);
10200 			if (!nl_pat)
10201 				return -ENOBUFS;
10202 			pat_len = rule->patterns[j].pattern_len;
10203 			if (nla_put(msg, NL80211_PKTPAT_MASK,
10204 				    DIV_ROUND_UP(pat_len, 8),
10205 				    rule->patterns[j].mask) ||
10206 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
10207 				    rule->patterns[j].pattern) ||
10208 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
10209 					rule->patterns[j].pkt_offset))
10210 				return -ENOBUFS;
10211 			nla_nest_end(msg, nl_pat);
10212 		}
10213 		nla_nest_end(msg, nl_pats);
10214 		nla_nest_end(msg, nl_rule);
10215 	}
10216 	nla_nest_end(msg, nl_rules);
10217 
10218 	return 0;
10219 }
10220 
10221 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
10222 {
10223 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10224 	struct sk_buff *msg;
10225 	void *hdr;
10226 
10227 	if (!rdev->wiphy.coalesce)
10228 		return -EOPNOTSUPP;
10229 
10230 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10231 	if (!msg)
10232 		return -ENOMEM;
10233 
10234 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10235 			     NL80211_CMD_GET_COALESCE);
10236 	if (!hdr)
10237 		goto nla_put_failure;
10238 
10239 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
10240 		goto nla_put_failure;
10241 
10242 	genlmsg_end(msg, hdr);
10243 	return genlmsg_reply(msg, info);
10244 
10245 nla_put_failure:
10246 	nlmsg_free(msg);
10247 	return -ENOBUFS;
10248 }
10249 
10250 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
10251 {
10252 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
10253 	int i, j;
10254 	struct cfg80211_coalesce_rules *rule;
10255 
10256 	if (!coalesce)
10257 		return;
10258 
10259 	for (i = 0; i < coalesce->n_rules; i++) {
10260 		rule = &coalesce->rules[i];
10261 		for (j = 0; j < rule->n_patterns; j++)
10262 			kfree(rule->patterns[j].mask);
10263 		kfree(rule->patterns);
10264 	}
10265 	kfree(coalesce->rules);
10266 	kfree(coalesce);
10267 	rdev->coalesce = NULL;
10268 }
10269 
10270 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
10271 				       struct nlattr *rule,
10272 				       struct cfg80211_coalesce_rules *new_rule)
10273 {
10274 	int err, i;
10275 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
10276 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
10277 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
10278 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
10279 
10280 	err = nla_parse_nested(tb, NL80211_ATTR_COALESCE_RULE_MAX, rule,
10281 			       nl80211_coalesce_policy);
10282 	if (err)
10283 		return err;
10284 
10285 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
10286 		new_rule->delay =
10287 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
10288 	if (new_rule->delay > coalesce->max_delay)
10289 		return -EINVAL;
10290 
10291 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
10292 		new_rule->condition =
10293 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
10294 	if (new_rule->condition != NL80211_COALESCE_CONDITION_MATCH &&
10295 	    new_rule->condition != NL80211_COALESCE_CONDITION_NO_MATCH)
10296 		return -EINVAL;
10297 
10298 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
10299 		return -EINVAL;
10300 
10301 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
10302 			    rem)
10303 		n_patterns++;
10304 	if (n_patterns > coalesce->n_patterns)
10305 		return -EINVAL;
10306 
10307 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
10308 				     GFP_KERNEL);
10309 	if (!new_rule->patterns)
10310 		return -ENOMEM;
10311 
10312 	new_rule->n_patterns = n_patterns;
10313 	i = 0;
10314 
10315 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
10316 			    rem) {
10317 		u8 *mask_pat;
10318 
10319 		nla_parse_nested(pat_tb, MAX_NL80211_PKTPAT, pat, NULL);
10320 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
10321 		    !pat_tb[NL80211_PKTPAT_PATTERN])
10322 			return -EINVAL;
10323 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
10324 		mask_len = DIV_ROUND_UP(pat_len, 8);
10325 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
10326 			return -EINVAL;
10327 		if (pat_len > coalesce->pattern_max_len ||
10328 		    pat_len < coalesce->pattern_min_len)
10329 			return -EINVAL;
10330 
10331 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
10332 			pkt_offset = 0;
10333 		else
10334 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
10335 		if (pkt_offset > coalesce->max_pkt_offset)
10336 			return -EINVAL;
10337 		new_rule->patterns[i].pkt_offset = pkt_offset;
10338 
10339 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
10340 		if (!mask_pat)
10341 			return -ENOMEM;
10342 
10343 		new_rule->patterns[i].mask = mask_pat;
10344 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
10345 		       mask_len);
10346 
10347 		mask_pat += mask_len;
10348 		new_rule->patterns[i].pattern = mask_pat;
10349 		new_rule->patterns[i].pattern_len = pat_len;
10350 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
10351 		       pat_len);
10352 		i++;
10353 	}
10354 
10355 	return 0;
10356 }
10357 
10358 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
10359 {
10360 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10361 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
10362 	struct cfg80211_coalesce new_coalesce = {};
10363 	struct cfg80211_coalesce *n_coalesce;
10364 	int err, rem_rule, n_rules = 0, i, j;
10365 	struct nlattr *rule;
10366 	struct cfg80211_coalesce_rules *tmp_rule;
10367 
10368 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
10369 		return -EOPNOTSUPP;
10370 
10371 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
10372 		cfg80211_rdev_free_coalesce(rdev);
10373 		rdev_set_coalesce(rdev, NULL);
10374 		return 0;
10375 	}
10376 
10377 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
10378 			    rem_rule)
10379 		n_rules++;
10380 	if (n_rules > coalesce->n_rules)
10381 		return -EINVAL;
10382 
10383 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
10384 				     GFP_KERNEL);
10385 	if (!new_coalesce.rules)
10386 		return -ENOMEM;
10387 
10388 	new_coalesce.n_rules = n_rules;
10389 	i = 0;
10390 
10391 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
10392 			    rem_rule) {
10393 		err = nl80211_parse_coalesce_rule(rdev, rule,
10394 						  &new_coalesce.rules[i]);
10395 		if (err)
10396 			goto error;
10397 
10398 		i++;
10399 	}
10400 
10401 	err = rdev_set_coalesce(rdev, &new_coalesce);
10402 	if (err)
10403 		goto error;
10404 
10405 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
10406 	if (!n_coalesce) {
10407 		err = -ENOMEM;
10408 		goto error;
10409 	}
10410 	cfg80211_rdev_free_coalesce(rdev);
10411 	rdev->coalesce = n_coalesce;
10412 
10413 	return 0;
10414 error:
10415 	for (i = 0; i < new_coalesce.n_rules; i++) {
10416 		tmp_rule = &new_coalesce.rules[i];
10417 		for (j = 0; j < tmp_rule->n_patterns; j++)
10418 			kfree(tmp_rule->patterns[j].mask);
10419 		kfree(tmp_rule->patterns);
10420 	}
10421 	kfree(new_coalesce.rules);
10422 
10423 	return err;
10424 }
10425 
10426 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
10427 {
10428 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10429 	struct net_device *dev = info->user_ptr[1];
10430 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10431 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
10432 	struct cfg80211_gtk_rekey_data rekey_data;
10433 	int err;
10434 
10435 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
10436 		return -EINVAL;
10437 
10438 	err = nla_parse_nested(tb, MAX_NL80211_REKEY_DATA,
10439 			       info->attrs[NL80211_ATTR_REKEY_DATA],
10440 			       nl80211_rekey_policy);
10441 	if (err)
10442 		return err;
10443 
10444 	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
10445 		return -ERANGE;
10446 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
10447 		return -ERANGE;
10448 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN)
10449 		return -ERANGE;
10450 
10451 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
10452 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
10453 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
10454 
10455 	wdev_lock(wdev);
10456 	if (!wdev->current_bss) {
10457 		err = -ENOTCONN;
10458 		goto out;
10459 	}
10460 
10461 	if (!rdev->ops->set_rekey_data) {
10462 		err = -EOPNOTSUPP;
10463 		goto out;
10464 	}
10465 
10466 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
10467  out:
10468 	wdev_unlock(wdev);
10469 	return err;
10470 }
10471 
10472 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
10473 					     struct genl_info *info)
10474 {
10475 	struct net_device *dev = info->user_ptr[1];
10476 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10477 
10478 	if (wdev->iftype != NL80211_IFTYPE_AP &&
10479 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
10480 		return -EINVAL;
10481 
10482 	if (wdev->ap_unexpected_nlportid)
10483 		return -EBUSY;
10484 
10485 	wdev->ap_unexpected_nlportid = info->snd_portid;
10486 	return 0;
10487 }
10488 
10489 static int nl80211_probe_client(struct sk_buff *skb,
10490 				struct genl_info *info)
10491 {
10492 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10493 	struct net_device *dev = info->user_ptr[1];
10494 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10495 	struct sk_buff *msg;
10496 	void *hdr;
10497 	const u8 *addr;
10498 	u64 cookie;
10499 	int err;
10500 
10501 	if (wdev->iftype != NL80211_IFTYPE_AP &&
10502 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
10503 		return -EOPNOTSUPP;
10504 
10505 	if (!info->attrs[NL80211_ATTR_MAC])
10506 		return -EINVAL;
10507 
10508 	if (!rdev->ops->probe_client)
10509 		return -EOPNOTSUPP;
10510 
10511 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10512 	if (!msg)
10513 		return -ENOMEM;
10514 
10515 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10516 			     NL80211_CMD_PROBE_CLIENT);
10517 	if (!hdr) {
10518 		err = -ENOBUFS;
10519 		goto free_msg;
10520 	}
10521 
10522 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
10523 
10524 	err = rdev_probe_client(rdev, dev, addr, &cookie);
10525 	if (err)
10526 		goto free_msg;
10527 
10528 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
10529 			      NL80211_ATTR_PAD))
10530 		goto nla_put_failure;
10531 
10532 	genlmsg_end(msg, hdr);
10533 
10534 	return genlmsg_reply(msg, info);
10535 
10536  nla_put_failure:
10537 	err = -ENOBUFS;
10538  free_msg:
10539 	nlmsg_free(msg);
10540 	return err;
10541 }
10542 
10543 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
10544 {
10545 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10546 	struct cfg80211_beacon_registration *reg, *nreg;
10547 	int rv;
10548 
10549 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
10550 		return -EOPNOTSUPP;
10551 
10552 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
10553 	if (!nreg)
10554 		return -ENOMEM;
10555 
10556 	/* First, check if already registered. */
10557 	spin_lock_bh(&rdev->beacon_registrations_lock);
10558 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
10559 		if (reg->nlportid == info->snd_portid) {
10560 			rv = -EALREADY;
10561 			goto out_err;
10562 		}
10563 	}
10564 	/* Add it to the list */
10565 	nreg->nlportid = info->snd_portid;
10566 	list_add(&nreg->list, &rdev->beacon_registrations);
10567 
10568 	spin_unlock_bh(&rdev->beacon_registrations_lock);
10569 
10570 	return 0;
10571 out_err:
10572 	spin_unlock_bh(&rdev->beacon_registrations_lock);
10573 	kfree(nreg);
10574 	return rv;
10575 }
10576 
10577 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
10578 {
10579 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10580 	struct wireless_dev *wdev = info->user_ptr[1];
10581 	int err;
10582 
10583 	if (!rdev->ops->start_p2p_device)
10584 		return -EOPNOTSUPP;
10585 
10586 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
10587 		return -EOPNOTSUPP;
10588 
10589 	if (wdev_running(wdev))
10590 		return 0;
10591 
10592 	if (rfkill_blocked(rdev->rfkill))
10593 		return -ERFKILL;
10594 
10595 	err = rdev_start_p2p_device(rdev, wdev);
10596 	if (err)
10597 		return err;
10598 
10599 	wdev->is_running = true;
10600 	rdev->opencount++;
10601 
10602 	return 0;
10603 }
10604 
10605 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
10606 {
10607 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10608 	struct wireless_dev *wdev = info->user_ptr[1];
10609 
10610 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
10611 		return -EOPNOTSUPP;
10612 
10613 	if (!rdev->ops->stop_p2p_device)
10614 		return -EOPNOTSUPP;
10615 
10616 	cfg80211_stop_p2p_device(rdev, wdev);
10617 
10618 	return 0;
10619 }
10620 
10621 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
10622 {
10623 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10624 	struct wireless_dev *wdev = info->user_ptr[1];
10625 	struct cfg80211_nan_conf conf = {};
10626 	int err;
10627 
10628 	if (wdev->iftype != NL80211_IFTYPE_NAN)
10629 		return -EOPNOTSUPP;
10630 
10631 	if (!wdev_running(wdev))
10632 		return -EEXIST;
10633 
10634 	if (rfkill_blocked(rdev->rfkill))
10635 		return -ERFKILL;
10636 
10637 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
10638 		return -EINVAL;
10639 
10640 	if (!info->attrs[NL80211_ATTR_NAN_DUAL])
10641 		return -EINVAL;
10642 
10643 	conf.master_pref =
10644 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
10645 	if (!conf.master_pref)
10646 		return -EINVAL;
10647 
10648 	conf.dual = nla_get_u8(info->attrs[NL80211_ATTR_NAN_DUAL]);
10649 
10650 	err = rdev_start_nan(rdev, wdev, &conf);
10651 	if (err)
10652 		return err;
10653 
10654 	wdev->is_running = true;
10655 	rdev->opencount++;
10656 
10657 	return 0;
10658 }
10659 
10660 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
10661 {
10662 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10663 	struct wireless_dev *wdev = info->user_ptr[1];
10664 
10665 	if (wdev->iftype != NL80211_IFTYPE_NAN)
10666 		return -EOPNOTSUPP;
10667 
10668 	cfg80211_stop_nan(rdev, wdev);
10669 
10670 	return 0;
10671 }
10672 
10673 static int validate_nan_filter(struct nlattr *filter_attr)
10674 {
10675 	struct nlattr *attr;
10676 	int len = 0, n_entries = 0, rem;
10677 
10678 	nla_for_each_nested(attr, filter_attr, rem) {
10679 		len += nla_len(attr);
10680 		n_entries++;
10681 	}
10682 
10683 	if (len >= U8_MAX)
10684 		return -EINVAL;
10685 
10686 	return n_entries;
10687 }
10688 
10689 static int handle_nan_filter(struct nlattr *attr_filter,
10690 			     struct cfg80211_nan_func *func,
10691 			     bool tx)
10692 {
10693 	struct nlattr *attr;
10694 	int n_entries, rem, i;
10695 	struct cfg80211_nan_func_filter *filter;
10696 
10697 	n_entries = validate_nan_filter(attr_filter);
10698 	if (n_entries < 0)
10699 		return n_entries;
10700 
10701 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
10702 
10703 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
10704 	if (!filter)
10705 		return -ENOMEM;
10706 
10707 	i = 0;
10708 	nla_for_each_nested(attr, attr_filter, rem) {
10709 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
10710 		filter[i].len = nla_len(attr);
10711 		i++;
10712 	}
10713 	if (tx) {
10714 		func->num_tx_filters = n_entries;
10715 		func->tx_filters = filter;
10716 	} else {
10717 		func->num_rx_filters = n_entries;
10718 		func->rx_filters = filter;
10719 	}
10720 
10721 	return 0;
10722 }
10723 
10724 static int nl80211_nan_add_func(struct sk_buff *skb,
10725 				struct genl_info *info)
10726 {
10727 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10728 	struct wireless_dev *wdev = info->user_ptr[1];
10729 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
10730 	struct cfg80211_nan_func *func;
10731 	struct sk_buff *msg = NULL;
10732 	void *hdr = NULL;
10733 	int err = 0;
10734 
10735 	if (wdev->iftype != NL80211_IFTYPE_NAN)
10736 		return -EOPNOTSUPP;
10737 
10738 	if (!wdev_running(wdev))
10739 		return -ENOTCONN;
10740 
10741 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
10742 		return -EINVAL;
10743 
10744 	if (wdev->owner_nlportid &&
10745 	    wdev->owner_nlportid != info->snd_portid)
10746 		return -ENOTCONN;
10747 
10748 	err = nla_parse_nested(tb, NL80211_NAN_FUNC_ATTR_MAX,
10749 			       info->attrs[NL80211_ATTR_NAN_FUNC],
10750 			       nl80211_nan_func_policy);
10751 	if (err)
10752 		return err;
10753 
10754 	func = kzalloc(sizeof(*func), GFP_KERNEL);
10755 	if (!func)
10756 		return -ENOMEM;
10757 
10758 	func->cookie = wdev->wiphy->cookie_counter++;
10759 
10760 	if (!tb[NL80211_NAN_FUNC_TYPE] ||
10761 	    nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]) > NL80211_NAN_FUNC_MAX_TYPE) {
10762 		err = -EINVAL;
10763 		goto out;
10764 	}
10765 
10766 
10767 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
10768 
10769 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
10770 		err = -EINVAL;
10771 		goto out;
10772 	}
10773 
10774 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
10775 	       sizeof(func->service_id));
10776 
10777 	func->close_range =
10778 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
10779 
10780 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
10781 		func->serv_spec_info_len =
10782 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
10783 		func->serv_spec_info =
10784 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
10785 				func->serv_spec_info_len,
10786 				GFP_KERNEL);
10787 		if (!func->serv_spec_info) {
10788 			err = -ENOMEM;
10789 			goto out;
10790 		}
10791 	}
10792 
10793 	if (tb[NL80211_NAN_FUNC_TTL])
10794 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
10795 
10796 	switch (func->type) {
10797 	case NL80211_NAN_FUNC_PUBLISH:
10798 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
10799 			err = -EINVAL;
10800 			goto out;
10801 		}
10802 
10803 		func->publish_type =
10804 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
10805 		func->publish_bcast =
10806 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
10807 
10808 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
10809 			func->publish_bcast) {
10810 			err = -EINVAL;
10811 			goto out;
10812 		}
10813 		break;
10814 	case NL80211_NAN_FUNC_SUBSCRIBE:
10815 		func->subscribe_active =
10816 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
10817 		break;
10818 	case NL80211_NAN_FUNC_FOLLOW_UP:
10819 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
10820 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]) {
10821 			err = -EINVAL;
10822 			goto out;
10823 		}
10824 
10825 		func->followup_id =
10826 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
10827 		func->followup_reqid =
10828 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
10829 		memcpy(func->followup_dest.addr,
10830 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
10831 		       sizeof(func->followup_dest.addr));
10832 		if (func->ttl) {
10833 			err = -EINVAL;
10834 			goto out;
10835 		}
10836 		break;
10837 	default:
10838 		err = -EINVAL;
10839 		goto out;
10840 	}
10841 
10842 	if (tb[NL80211_NAN_FUNC_SRF]) {
10843 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
10844 
10845 		err = nla_parse_nested(srf_tb, NL80211_NAN_SRF_ATTR_MAX,
10846 				       tb[NL80211_NAN_FUNC_SRF],
10847 				       nl80211_nan_srf_policy);
10848 		if (err)
10849 			goto out;
10850 
10851 		func->srf_include =
10852 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
10853 
10854 		if (srf_tb[NL80211_NAN_SRF_BF]) {
10855 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
10856 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
10857 				err = -EINVAL;
10858 				goto out;
10859 			}
10860 
10861 			func->srf_bf_len =
10862 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
10863 			func->srf_bf =
10864 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
10865 					func->srf_bf_len, GFP_KERNEL);
10866 			if (!func->srf_bf) {
10867 				err = -ENOMEM;
10868 				goto out;
10869 			}
10870 
10871 			func->srf_bf_idx =
10872 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
10873 		} else {
10874 			struct nlattr *attr, *mac_attr =
10875 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
10876 			int n_entries, rem, i = 0;
10877 
10878 			if (!mac_attr) {
10879 				err = -EINVAL;
10880 				goto out;
10881 			}
10882 
10883 			n_entries = validate_acl_mac_addrs(mac_attr);
10884 			if (n_entries <= 0) {
10885 				err = -EINVAL;
10886 				goto out;
10887 			}
10888 
10889 			func->srf_num_macs = n_entries;
10890 			func->srf_macs =
10891 				kzalloc(sizeof(*func->srf_macs) * n_entries,
10892 					GFP_KERNEL);
10893 			if (!func->srf_macs) {
10894 				err = -ENOMEM;
10895 				goto out;
10896 			}
10897 
10898 			nla_for_each_nested(attr, mac_attr, rem)
10899 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
10900 				       sizeof(*func->srf_macs));
10901 		}
10902 	}
10903 
10904 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
10905 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
10906 					func, true);
10907 		if (err)
10908 			goto out;
10909 	}
10910 
10911 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
10912 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
10913 					func, false);
10914 		if (err)
10915 			goto out;
10916 	}
10917 
10918 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10919 	if (!msg) {
10920 		err = -ENOMEM;
10921 		goto out;
10922 	}
10923 
10924 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10925 			     NL80211_CMD_ADD_NAN_FUNCTION);
10926 	/* This can't really happen - we just allocated 4KB */
10927 	if (WARN_ON(!hdr)) {
10928 		err = -ENOMEM;
10929 		goto out;
10930 	}
10931 
10932 	err = rdev_add_nan_func(rdev, wdev, func);
10933 out:
10934 	if (err < 0) {
10935 		cfg80211_free_nan_func(func);
10936 		nlmsg_free(msg);
10937 		return err;
10938 	}
10939 
10940 	/* propagate the instance id and cookie to userspace  */
10941 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
10942 			      NL80211_ATTR_PAD))
10943 		goto nla_put_failure;
10944 
10945 	func_attr = nla_nest_start(msg, NL80211_ATTR_NAN_FUNC);
10946 	if (!func_attr)
10947 		goto nla_put_failure;
10948 
10949 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
10950 		       func->instance_id))
10951 		goto nla_put_failure;
10952 
10953 	nla_nest_end(msg, func_attr);
10954 
10955 	genlmsg_end(msg, hdr);
10956 	return genlmsg_reply(msg, info);
10957 
10958 nla_put_failure:
10959 	nlmsg_free(msg);
10960 	return -ENOBUFS;
10961 }
10962 
10963 static int nl80211_nan_del_func(struct sk_buff *skb,
10964 			       struct genl_info *info)
10965 {
10966 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10967 	struct wireless_dev *wdev = info->user_ptr[1];
10968 	u64 cookie;
10969 
10970 	if (wdev->iftype != NL80211_IFTYPE_NAN)
10971 		return -EOPNOTSUPP;
10972 
10973 	if (!wdev_running(wdev))
10974 		return -ENOTCONN;
10975 
10976 	if (!info->attrs[NL80211_ATTR_COOKIE])
10977 		return -EINVAL;
10978 
10979 	if (wdev->owner_nlportid &&
10980 	    wdev->owner_nlportid != info->snd_portid)
10981 		return -ENOTCONN;
10982 
10983 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
10984 
10985 	rdev_del_nan_func(rdev, wdev, cookie);
10986 
10987 	return 0;
10988 }
10989 
10990 static int nl80211_nan_change_config(struct sk_buff *skb,
10991 				     struct genl_info *info)
10992 {
10993 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10994 	struct wireless_dev *wdev = info->user_ptr[1];
10995 	struct cfg80211_nan_conf conf = {};
10996 	u32 changed = 0;
10997 
10998 	if (wdev->iftype != NL80211_IFTYPE_NAN)
10999 		return -EOPNOTSUPP;
11000 
11001 	if (!wdev_running(wdev))
11002 		return -ENOTCONN;
11003 
11004 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
11005 		conf.master_pref =
11006 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
11007 		if (conf.master_pref <= 1 || conf.master_pref == 255)
11008 			return -EINVAL;
11009 
11010 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
11011 	}
11012 
11013 	if (info->attrs[NL80211_ATTR_NAN_DUAL]) {
11014 		conf.dual = nla_get_u8(info->attrs[NL80211_ATTR_NAN_DUAL]);
11015 		changed |= CFG80211_NAN_CONF_CHANGED_DUAL;
11016 	}
11017 
11018 	if (!changed)
11019 		return -EINVAL;
11020 
11021 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
11022 }
11023 
11024 void cfg80211_nan_match(struct wireless_dev *wdev,
11025 			struct cfg80211_nan_match_params *match, gfp_t gfp)
11026 {
11027 	struct wiphy *wiphy = wdev->wiphy;
11028 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11029 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
11030 	struct sk_buff *msg;
11031 	void *hdr;
11032 
11033 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
11034 		return;
11035 
11036 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11037 	if (!msg)
11038 		return;
11039 
11040 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
11041 	if (!hdr) {
11042 		nlmsg_free(msg);
11043 		return;
11044 	}
11045 
11046 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11047 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
11048 					 wdev->netdev->ifindex)) ||
11049 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
11050 			      NL80211_ATTR_PAD))
11051 		goto nla_put_failure;
11052 
11053 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
11054 			      NL80211_ATTR_PAD) ||
11055 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
11056 		goto nla_put_failure;
11057 
11058 	match_attr = nla_nest_start(msg, NL80211_ATTR_NAN_MATCH);
11059 	if (!match_attr)
11060 		goto nla_put_failure;
11061 
11062 	local_func_attr = nla_nest_start(msg, NL80211_NAN_MATCH_FUNC_LOCAL);
11063 	if (!local_func_attr)
11064 		goto nla_put_failure;
11065 
11066 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
11067 		goto nla_put_failure;
11068 
11069 	nla_nest_end(msg, local_func_attr);
11070 
11071 	peer_func_attr = nla_nest_start(msg, NL80211_NAN_MATCH_FUNC_PEER);
11072 	if (!peer_func_attr)
11073 		goto nla_put_failure;
11074 
11075 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
11076 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
11077 		goto nla_put_failure;
11078 
11079 	if (match->info && match->info_len &&
11080 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
11081 		    match->info))
11082 		goto nla_put_failure;
11083 
11084 	nla_nest_end(msg, peer_func_attr);
11085 	nla_nest_end(msg, match_attr);
11086 	genlmsg_end(msg, hdr);
11087 
11088 	if (!wdev->owner_nlportid)
11089 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
11090 					msg, 0, NL80211_MCGRP_NAN, gfp);
11091 	else
11092 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
11093 				wdev->owner_nlportid);
11094 
11095 	return;
11096 
11097 nla_put_failure:
11098 	nlmsg_free(msg);
11099 }
11100 EXPORT_SYMBOL(cfg80211_nan_match);
11101 
11102 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
11103 				  u8 inst_id,
11104 				  enum nl80211_nan_func_term_reason reason,
11105 				  u64 cookie, gfp_t gfp)
11106 {
11107 	struct wiphy *wiphy = wdev->wiphy;
11108 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11109 	struct sk_buff *msg;
11110 	struct nlattr *func_attr;
11111 	void *hdr;
11112 
11113 	if (WARN_ON(!inst_id))
11114 		return;
11115 
11116 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11117 	if (!msg)
11118 		return;
11119 
11120 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
11121 	if (!hdr) {
11122 		nlmsg_free(msg);
11123 		return;
11124 	}
11125 
11126 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11127 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
11128 					 wdev->netdev->ifindex)) ||
11129 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
11130 			      NL80211_ATTR_PAD))
11131 		goto nla_put_failure;
11132 
11133 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11134 			      NL80211_ATTR_PAD))
11135 		goto nla_put_failure;
11136 
11137 	func_attr = nla_nest_start(msg, NL80211_ATTR_NAN_FUNC);
11138 	if (!func_attr)
11139 		goto nla_put_failure;
11140 
11141 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
11142 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
11143 		goto nla_put_failure;
11144 
11145 	nla_nest_end(msg, func_attr);
11146 	genlmsg_end(msg, hdr);
11147 
11148 	if (!wdev->owner_nlportid)
11149 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
11150 					msg, 0, NL80211_MCGRP_NAN, gfp);
11151 	else
11152 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
11153 				wdev->owner_nlportid);
11154 
11155 	return;
11156 
11157 nla_put_failure:
11158 	nlmsg_free(msg);
11159 }
11160 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
11161 
11162 static int nl80211_get_protocol_features(struct sk_buff *skb,
11163 					 struct genl_info *info)
11164 {
11165 	void *hdr;
11166 	struct sk_buff *msg;
11167 
11168 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11169 	if (!msg)
11170 		return -ENOMEM;
11171 
11172 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11173 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
11174 	if (!hdr)
11175 		goto nla_put_failure;
11176 
11177 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
11178 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
11179 		goto nla_put_failure;
11180 
11181 	genlmsg_end(msg, hdr);
11182 	return genlmsg_reply(msg, info);
11183 
11184  nla_put_failure:
11185 	kfree_skb(msg);
11186 	return -ENOBUFS;
11187 }
11188 
11189 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
11190 {
11191 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11192 	struct cfg80211_update_ft_ies_params ft_params;
11193 	struct net_device *dev = info->user_ptr[1];
11194 
11195 	if (!rdev->ops->update_ft_ies)
11196 		return -EOPNOTSUPP;
11197 
11198 	if (!info->attrs[NL80211_ATTR_MDID] ||
11199 	    !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
11200 		return -EINVAL;
11201 
11202 	memset(&ft_params, 0, sizeof(ft_params));
11203 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
11204 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11205 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11206 
11207 	return rdev_update_ft_ies(rdev, dev, &ft_params);
11208 }
11209 
11210 static int nl80211_crit_protocol_start(struct sk_buff *skb,
11211 				       struct genl_info *info)
11212 {
11213 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11214 	struct wireless_dev *wdev = info->user_ptr[1];
11215 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
11216 	u16 duration;
11217 	int ret;
11218 
11219 	if (!rdev->ops->crit_proto_start)
11220 		return -EOPNOTSUPP;
11221 
11222 	if (WARN_ON(!rdev->ops->crit_proto_stop))
11223 		return -EINVAL;
11224 
11225 	if (rdev->crit_proto_nlportid)
11226 		return -EBUSY;
11227 
11228 	/* determine protocol if provided */
11229 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
11230 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
11231 
11232 	if (proto >= NUM_NL80211_CRIT_PROTO)
11233 		return -EINVAL;
11234 
11235 	/* timeout must be provided */
11236 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
11237 		return -EINVAL;
11238 
11239 	duration =
11240 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
11241 
11242 	if (duration > NL80211_CRIT_PROTO_MAX_DURATION)
11243 		return -ERANGE;
11244 
11245 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
11246 	if (!ret)
11247 		rdev->crit_proto_nlportid = info->snd_portid;
11248 
11249 	return ret;
11250 }
11251 
11252 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
11253 				      struct genl_info *info)
11254 {
11255 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11256 	struct wireless_dev *wdev = info->user_ptr[1];
11257 
11258 	if (!rdev->ops->crit_proto_stop)
11259 		return -EOPNOTSUPP;
11260 
11261 	if (rdev->crit_proto_nlportid) {
11262 		rdev->crit_proto_nlportid = 0;
11263 		rdev_crit_proto_stop(rdev, wdev);
11264 	}
11265 	return 0;
11266 }
11267 
11268 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
11269 {
11270 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11271 	struct wireless_dev *wdev =
11272 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
11273 	int i, err;
11274 	u32 vid, subcmd;
11275 
11276 	if (!rdev->wiphy.vendor_commands)
11277 		return -EOPNOTSUPP;
11278 
11279 	if (IS_ERR(wdev)) {
11280 		err = PTR_ERR(wdev);
11281 		if (err != -EINVAL)
11282 			return err;
11283 		wdev = NULL;
11284 	} else if (wdev->wiphy != &rdev->wiphy) {
11285 		return -EINVAL;
11286 	}
11287 
11288 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
11289 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
11290 		return -EINVAL;
11291 
11292 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
11293 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
11294 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
11295 		const struct wiphy_vendor_command *vcmd;
11296 		void *data = NULL;
11297 		int len = 0;
11298 
11299 		vcmd = &rdev->wiphy.vendor_commands[i];
11300 
11301 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
11302 			continue;
11303 
11304 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
11305 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
11306 			if (!wdev)
11307 				return -EINVAL;
11308 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
11309 			    !wdev->netdev)
11310 				return -EINVAL;
11311 
11312 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
11313 				if (!wdev_running(wdev))
11314 					return -ENETDOWN;
11315 			}
11316 
11317 			if (!vcmd->doit)
11318 				return -EOPNOTSUPP;
11319 		} else {
11320 			wdev = NULL;
11321 		}
11322 
11323 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
11324 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
11325 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
11326 		}
11327 
11328 		rdev->cur_cmd_info = info;
11329 		err = rdev->wiphy.vendor_commands[i].doit(&rdev->wiphy, wdev,
11330 							  data, len);
11331 		rdev->cur_cmd_info = NULL;
11332 		return err;
11333 	}
11334 
11335 	return -EOPNOTSUPP;
11336 }
11337 
11338 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
11339 				       struct netlink_callback *cb,
11340 				       struct cfg80211_registered_device **rdev,
11341 				       struct wireless_dev **wdev)
11342 {
11343 	struct nlattr **attrbuf = genl_family_attrbuf(&nl80211_fam);
11344 	u32 vid, subcmd;
11345 	unsigned int i;
11346 	int vcmd_idx = -1;
11347 	int err;
11348 	void *data = NULL;
11349 	unsigned int data_len = 0;
11350 
11351 	rtnl_lock();
11352 
11353 	if (cb->args[0]) {
11354 		/* subtract the 1 again here */
11355 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
11356 		struct wireless_dev *tmp;
11357 
11358 		if (!wiphy) {
11359 			err = -ENODEV;
11360 			goto out_unlock;
11361 		}
11362 		*rdev = wiphy_to_rdev(wiphy);
11363 		*wdev = NULL;
11364 
11365 		if (cb->args[1]) {
11366 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
11367 				if (tmp->identifier == cb->args[1] - 1) {
11368 					*wdev = tmp;
11369 					break;
11370 				}
11371 			}
11372 		}
11373 
11374 		/* keep rtnl locked in successful case */
11375 		return 0;
11376 	}
11377 
11378 	err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
11379 			  attrbuf, nl80211_fam.maxattr, nl80211_policy);
11380 	if (err)
11381 		goto out_unlock;
11382 
11383 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
11384 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
11385 		err = -EINVAL;
11386 		goto out_unlock;
11387 	}
11388 
11389 	*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk), attrbuf);
11390 	if (IS_ERR(*wdev))
11391 		*wdev = NULL;
11392 
11393 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
11394 	if (IS_ERR(*rdev)) {
11395 		err = PTR_ERR(*rdev);
11396 		goto out_unlock;
11397 	}
11398 
11399 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
11400 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
11401 
11402 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
11403 		const struct wiphy_vendor_command *vcmd;
11404 
11405 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
11406 
11407 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
11408 			continue;
11409 
11410 		if (!vcmd->dumpit) {
11411 			err = -EOPNOTSUPP;
11412 			goto out_unlock;
11413 		}
11414 
11415 		vcmd_idx = i;
11416 		break;
11417 	}
11418 
11419 	if (vcmd_idx < 0) {
11420 		err = -EOPNOTSUPP;
11421 		goto out_unlock;
11422 	}
11423 
11424 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
11425 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
11426 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
11427 	}
11428 
11429 	/* 0 is the first index - add 1 to parse only once */
11430 	cb->args[0] = (*rdev)->wiphy_idx + 1;
11431 	/* add 1 to know if it was NULL */
11432 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
11433 	cb->args[2] = vcmd_idx;
11434 	cb->args[3] = (unsigned long)data;
11435 	cb->args[4] = data_len;
11436 
11437 	/* keep rtnl locked in successful case */
11438 	return 0;
11439  out_unlock:
11440 	rtnl_unlock();
11441 	return err;
11442 }
11443 
11444 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
11445 				   struct netlink_callback *cb)
11446 {
11447 	struct cfg80211_registered_device *rdev;
11448 	struct wireless_dev *wdev;
11449 	unsigned int vcmd_idx;
11450 	const struct wiphy_vendor_command *vcmd;
11451 	void *data;
11452 	int data_len;
11453 	int err;
11454 	struct nlattr *vendor_data;
11455 
11456 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
11457 	if (err)
11458 		return err;
11459 
11460 	vcmd_idx = cb->args[2];
11461 	data = (void *)cb->args[3];
11462 	data_len = cb->args[4];
11463 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
11464 
11465 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
11466 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
11467 		if (!wdev)
11468 			return -EINVAL;
11469 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
11470 		    !wdev->netdev)
11471 			return -EINVAL;
11472 
11473 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
11474 			if (!wdev_running(wdev))
11475 				return -ENETDOWN;
11476 		}
11477 	}
11478 
11479 	while (1) {
11480 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
11481 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
11482 					   NL80211_CMD_VENDOR);
11483 		if (!hdr)
11484 			break;
11485 
11486 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11487 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
11488 					       wdev_id(wdev),
11489 					       NL80211_ATTR_PAD))) {
11490 			genlmsg_cancel(skb, hdr);
11491 			break;
11492 		}
11493 
11494 		vendor_data = nla_nest_start(skb, NL80211_ATTR_VENDOR_DATA);
11495 		if (!vendor_data) {
11496 			genlmsg_cancel(skb, hdr);
11497 			break;
11498 		}
11499 
11500 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
11501 				   (unsigned long *)&cb->args[5]);
11502 		nla_nest_end(skb, vendor_data);
11503 
11504 		if (err == -ENOBUFS || err == -ENOENT) {
11505 			genlmsg_cancel(skb, hdr);
11506 			break;
11507 		} else if (err) {
11508 			genlmsg_cancel(skb, hdr);
11509 			goto out;
11510 		}
11511 
11512 		genlmsg_end(skb, hdr);
11513 	}
11514 
11515 	err = skb->len;
11516  out:
11517 	rtnl_unlock();
11518 	return err;
11519 }
11520 
11521 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
11522 					   enum nl80211_commands cmd,
11523 					   enum nl80211_attrs attr,
11524 					   int approxlen)
11525 {
11526 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11527 
11528 	if (WARN_ON(!rdev->cur_cmd_info))
11529 		return NULL;
11530 
11531 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
11532 					   rdev->cur_cmd_info->snd_portid,
11533 					   rdev->cur_cmd_info->snd_seq,
11534 					   cmd, attr, NULL, GFP_KERNEL);
11535 }
11536 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
11537 
11538 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
11539 {
11540 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
11541 	void *hdr = ((void **)skb->cb)[1];
11542 	struct nlattr *data = ((void **)skb->cb)[2];
11543 
11544 	/* clear CB data for netlink core to own from now on */
11545 	memset(skb->cb, 0, sizeof(skb->cb));
11546 
11547 	if (WARN_ON(!rdev->cur_cmd_info)) {
11548 		kfree_skb(skb);
11549 		return -EINVAL;
11550 	}
11551 
11552 	nla_nest_end(skb, data);
11553 	genlmsg_end(skb, hdr);
11554 	return genlmsg_reply(skb, rdev->cur_cmd_info);
11555 }
11556 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
11557 
11558 static int nl80211_set_qos_map(struct sk_buff *skb,
11559 			       struct genl_info *info)
11560 {
11561 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11562 	struct cfg80211_qos_map *qos_map = NULL;
11563 	struct net_device *dev = info->user_ptr[1];
11564 	u8 *pos, len, num_des, des_len, des;
11565 	int ret;
11566 
11567 	if (!rdev->ops->set_qos_map)
11568 		return -EOPNOTSUPP;
11569 
11570 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
11571 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
11572 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
11573 
11574 		if (len % 2 || len < IEEE80211_QOS_MAP_LEN_MIN ||
11575 		    len > IEEE80211_QOS_MAP_LEN_MAX)
11576 			return -EINVAL;
11577 
11578 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
11579 		if (!qos_map)
11580 			return -ENOMEM;
11581 
11582 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
11583 		if (num_des) {
11584 			des_len = num_des *
11585 				sizeof(struct cfg80211_dscp_exception);
11586 			memcpy(qos_map->dscp_exception, pos, des_len);
11587 			qos_map->num_des = num_des;
11588 			for (des = 0; des < num_des; des++) {
11589 				if (qos_map->dscp_exception[des].up > 7) {
11590 					kfree(qos_map);
11591 					return -EINVAL;
11592 				}
11593 			}
11594 			pos += des_len;
11595 		}
11596 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
11597 	}
11598 
11599 	wdev_lock(dev->ieee80211_ptr);
11600 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
11601 	if (!ret)
11602 		ret = rdev_set_qos_map(rdev, dev, qos_map);
11603 	wdev_unlock(dev->ieee80211_ptr);
11604 
11605 	kfree(qos_map);
11606 	return ret;
11607 }
11608 
11609 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
11610 {
11611 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11612 	struct net_device *dev = info->user_ptr[1];
11613 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11614 	const u8 *peer;
11615 	u8 tsid, up;
11616 	u16 admitted_time = 0;
11617 	int err;
11618 
11619 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
11620 		return -EOPNOTSUPP;
11621 
11622 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
11623 	    !info->attrs[NL80211_ATTR_USER_PRIO])
11624 		return -EINVAL;
11625 
11626 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
11627 	if (tsid >= IEEE80211_NUM_TIDS)
11628 		return -EINVAL;
11629 
11630 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
11631 	if (up >= IEEE80211_NUM_UPS)
11632 		return -EINVAL;
11633 
11634 	/* WMM uses TIDs 0-7 even for TSPEC */
11635 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
11636 		/* TODO: handle 802.11 TSPEC/admission control
11637 		 * need more attributes for that (e.g. BA session requirement);
11638 		 * change the WMM adminssion test above to allow both then
11639 		 */
11640 		return -EINVAL;
11641 	}
11642 
11643 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11644 
11645 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
11646 		admitted_time =
11647 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
11648 		if (!admitted_time)
11649 			return -EINVAL;
11650 	}
11651 
11652 	wdev_lock(wdev);
11653 	switch (wdev->iftype) {
11654 	case NL80211_IFTYPE_STATION:
11655 	case NL80211_IFTYPE_P2P_CLIENT:
11656 		if (wdev->current_bss)
11657 			break;
11658 		err = -ENOTCONN;
11659 		goto out;
11660 	default:
11661 		err = -EOPNOTSUPP;
11662 		goto out;
11663 	}
11664 
11665 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
11666 
11667  out:
11668 	wdev_unlock(wdev);
11669 	return err;
11670 }
11671 
11672 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
11673 {
11674 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11675 	struct net_device *dev = info->user_ptr[1];
11676 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11677 	const u8 *peer;
11678 	u8 tsid;
11679 	int err;
11680 
11681 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
11682 		return -EINVAL;
11683 
11684 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
11685 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11686 
11687 	wdev_lock(wdev);
11688 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
11689 	wdev_unlock(wdev);
11690 
11691 	return err;
11692 }
11693 
11694 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
11695 				       struct genl_info *info)
11696 {
11697 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11698 	struct net_device *dev = info->user_ptr[1];
11699 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11700 	struct cfg80211_chan_def chandef = {};
11701 	const u8 *addr;
11702 	u8 oper_class;
11703 	int err;
11704 
11705 	if (!rdev->ops->tdls_channel_switch ||
11706 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
11707 		return -EOPNOTSUPP;
11708 
11709 	switch (dev->ieee80211_ptr->iftype) {
11710 	case NL80211_IFTYPE_STATION:
11711 	case NL80211_IFTYPE_P2P_CLIENT:
11712 		break;
11713 	default:
11714 		return -EOPNOTSUPP;
11715 	}
11716 
11717 	if (!info->attrs[NL80211_ATTR_MAC] ||
11718 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
11719 		return -EINVAL;
11720 
11721 	err = nl80211_parse_chandef(rdev, info, &chandef);
11722 	if (err)
11723 		return err;
11724 
11725 	/*
11726 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
11727 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
11728 	 * specification is not defined for them.
11729 	 */
11730 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
11731 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
11732 	    chandef.width != NL80211_CHAN_WIDTH_20)
11733 		return -EINVAL;
11734 
11735 	/* we will be active on the TDLS link */
11736 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
11737 					   wdev->iftype))
11738 		return -EINVAL;
11739 
11740 	/* don't allow switching to DFS channels */
11741 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
11742 		return -EINVAL;
11743 
11744 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
11745 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
11746 
11747 	wdev_lock(wdev);
11748 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
11749 	wdev_unlock(wdev);
11750 
11751 	return err;
11752 }
11753 
11754 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
11755 					      struct genl_info *info)
11756 {
11757 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11758 	struct net_device *dev = info->user_ptr[1];
11759 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11760 	const u8 *addr;
11761 
11762 	if (!rdev->ops->tdls_channel_switch ||
11763 	    !rdev->ops->tdls_cancel_channel_switch ||
11764 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
11765 		return -EOPNOTSUPP;
11766 
11767 	switch (dev->ieee80211_ptr->iftype) {
11768 	case NL80211_IFTYPE_STATION:
11769 	case NL80211_IFTYPE_P2P_CLIENT:
11770 		break;
11771 	default:
11772 		return -EOPNOTSUPP;
11773 	}
11774 
11775 	if (!info->attrs[NL80211_ATTR_MAC])
11776 		return -EINVAL;
11777 
11778 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
11779 
11780 	wdev_lock(wdev);
11781 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
11782 	wdev_unlock(wdev);
11783 
11784 	return 0;
11785 }
11786 
11787 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
11788 					    struct genl_info *info)
11789 {
11790 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11791 	struct net_device *dev = info->user_ptr[1];
11792 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11793 	const struct nlattr *nla;
11794 	bool enabled;
11795 
11796 	if (netif_running(dev))
11797 		return -EBUSY;
11798 
11799 	if (!rdev->ops->set_multicast_to_unicast)
11800 		return -EOPNOTSUPP;
11801 
11802 	if (wdev->iftype != NL80211_IFTYPE_AP &&
11803 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
11804 		return -EOPNOTSUPP;
11805 
11806 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
11807 	enabled = nla_get_flag(nla);
11808 
11809 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
11810 }
11811 
11812 #define NL80211_FLAG_NEED_WIPHY		0x01
11813 #define NL80211_FLAG_NEED_NETDEV	0x02
11814 #define NL80211_FLAG_NEED_RTNL		0x04
11815 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
11816 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
11817 					 NL80211_FLAG_CHECK_NETDEV_UP)
11818 #define NL80211_FLAG_NEED_WDEV		0x10
11819 /* If a netdev is associated, it must be UP, P2P must be started */
11820 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
11821 					 NL80211_FLAG_CHECK_NETDEV_UP)
11822 #define NL80211_FLAG_CLEAR_SKB		0x20
11823 
11824 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
11825 			    struct genl_info *info)
11826 {
11827 	struct cfg80211_registered_device *rdev;
11828 	struct wireless_dev *wdev;
11829 	struct net_device *dev;
11830 	bool rtnl = ops->internal_flags & NL80211_FLAG_NEED_RTNL;
11831 
11832 	if (rtnl)
11833 		rtnl_lock();
11834 
11835 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
11836 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
11837 		if (IS_ERR(rdev)) {
11838 			if (rtnl)
11839 				rtnl_unlock();
11840 			return PTR_ERR(rdev);
11841 		}
11842 		info->user_ptr[0] = rdev;
11843 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
11844 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
11845 		ASSERT_RTNL();
11846 
11847 		wdev = __cfg80211_wdev_from_attrs(genl_info_net(info),
11848 						  info->attrs);
11849 		if (IS_ERR(wdev)) {
11850 			if (rtnl)
11851 				rtnl_unlock();
11852 			return PTR_ERR(wdev);
11853 		}
11854 
11855 		dev = wdev->netdev;
11856 		rdev = wiphy_to_rdev(wdev->wiphy);
11857 
11858 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
11859 			if (!dev) {
11860 				if (rtnl)
11861 					rtnl_unlock();
11862 				return -EINVAL;
11863 			}
11864 
11865 			info->user_ptr[1] = dev;
11866 		} else {
11867 			info->user_ptr[1] = wdev;
11868 		}
11869 
11870 		if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
11871 		    !wdev_running(wdev)) {
11872 			if (rtnl)
11873 				rtnl_unlock();
11874 			return -ENETDOWN;
11875 		}
11876 
11877 		if (dev)
11878 			dev_hold(dev);
11879 
11880 		info->user_ptr[0] = rdev;
11881 	}
11882 
11883 	return 0;
11884 }
11885 
11886 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
11887 			      struct genl_info *info)
11888 {
11889 	if (info->user_ptr[1]) {
11890 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
11891 			struct wireless_dev *wdev = info->user_ptr[1];
11892 
11893 			if (wdev->netdev)
11894 				dev_put(wdev->netdev);
11895 		} else {
11896 			dev_put(info->user_ptr[1]);
11897 		}
11898 	}
11899 
11900 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
11901 		rtnl_unlock();
11902 
11903 	/* If needed, clear the netlink message payload from the SKB
11904 	 * as it might contain key data that shouldn't stick around on
11905 	 * the heap after the SKB is freed. The netlink message header
11906 	 * is still needed for further processing, so leave it intact.
11907 	 */
11908 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
11909 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
11910 
11911 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
11912 	}
11913 }
11914 
11915 static const struct genl_ops nl80211_ops[] = {
11916 	{
11917 		.cmd = NL80211_CMD_GET_WIPHY,
11918 		.doit = nl80211_get_wiphy,
11919 		.dumpit = nl80211_dump_wiphy,
11920 		.done = nl80211_dump_wiphy_done,
11921 		.policy = nl80211_policy,
11922 		/* can be retrieved by unprivileged users */
11923 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11924 				  NL80211_FLAG_NEED_RTNL,
11925 	},
11926 	{
11927 		.cmd = NL80211_CMD_SET_WIPHY,
11928 		.doit = nl80211_set_wiphy,
11929 		.policy = nl80211_policy,
11930 		.flags = GENL_UNS_ADMIN_PERM,
11931 		.internal_flags = NL80211_FLAG_NEED_RTNL,
11932 	},
11933 	{
11934 		.cmd = NL80211_CMD_GET_INTERFACE,
11935 		.doit = nl80211_get_interface,
11936 		.dumpit = nl80211_dump_interface,
11937 		.policy = nl80211_policy,
11938 		/* can be retrieved by unprivileged users */
11939 		.internal_flags = NL80211_FLAG_NEED_WDEV |
11940 				  NL80211_FLAG_NEED_RTNL,
11941 	},
11942 	{
11943 		.cmd = NL80211_CMD_SET_INTERFACE,
11944 		.doit = nl80211_set_interface,
11945 		.policy = nl80211_policy,
11946 		.flags = GENL_UNS_ADMIN_PERM,
11947 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11948 				  NL80211_FLAG_NEED_RTNL,
11949 	},
11950 	{
11951 		.cmd = NL80211_CMD_NEW_INTERFACE,
11952 		.doit = nl80211_new_interface,
11953 		.policy = nl80211_policy,
11954 		.flags = GENL_UNS_ADMIN_PERM,
11955 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11956 				  NL80211_FLAG_NEED_RTNL,
11957 	},
11958 	{
11959 		.cmd = NL80211_CMD_DEL_INTERFACE,
11960 		.doit = nl80211_del_interface,
11961 		.policy = nl80211_policy,
11962 		.flags = GENL_UNS_ADMIN_PERM,
11963 		.internal_flags = NL80211_FLAG_NEED_WDEV |
11964 				  NL80211_FLAG_NEED_RTNL,
11965 	},
11966 	{
11967 		.cmd = NL80211_CMD_GET_KEY,
11968 		.doit = nl80211_get_key,
11969 		.policy = nl80211_policy,
11970 		.flags = GENL_UNS_ADMIN_PERM,
11971 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11972 				  NL80211_FLAG_NEED_RTNL,
11973 	},
11974 	{
11975 		.cmd = NL80211_CMD_SET_KEY,
11976 		.doit = nl80211_set_key,
11977 		.policy = nl80211_policy,
11978 		.flags = GENL_UNS_ADMIN_PERM,
11979 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11980 				  NL80211_FLAG_NEED_RTNL |
11981 				  NL80211_FLAG_CLEAR_SKB,
11982 	},
11983 	{
11984 		.cmd = NL80211_CMD_NEW_KEY,
11985 		.doit = nl80211_new_key,
11986 		.policy = nl80211_policy,
11987 		.flags = GENL_UNS_ADMIN_PERM,
11988 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11989 				  NL80211_FLAG_NEED_RTNL |
11990 				  NL80211_FLAG_CLEAR_SKB,
11991 	},
11992 	{
11993 		.cmd = NL80211_CMD_DEL_KEY,
11994 		.doit = nl80211_del_key,
11995 		.policy = nl80211_policy,
11996 		.flags = GENL_UNS_ADMIN_PERM,
11997 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11998 				  NL80211_FLAG_NEED_RTNL,
11999 	},
12000 	{
12001 		.cmd = NL80211_CMD_SET_BEACON,
12002 		.policy = nl80211_policy,
12003 		.flags = GENL_UNS_ADMIN_PERM,
12004 		.doit = nl80211_set_beacon,
12005 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12006 				  NL80211_FLAG_NEED_RTNL,
12007 	},
12008 	{
12009 		.cmd = NL80211_CMD_START_AP,
12010 		.policy = nl80211_policy,
12011 		.flags = GENL_UNS_ADMIN_PERM,
12012 		.doit = nl80211_start_ap,
12013 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12014 				  NL80211_FLAG_NEED_RTNL,
12015 	},
12016 	{
12017 		.cmd = NL80211_CMD_STOP_AP,
12018 		.policy = nl80211_policy,
12019 		.flags = GENL_UNS_ADMIN_PERM,
12020 		.doit = nl80211_stop_ap,
12021 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12022 				  NL80211_FLAG_NEED_RTNL,
12023 	},
12024 	{
12025 		.cmd = NL80211_CMD_GET_STATION,
12026 		.doit = nl80211_get_station,
12027 		.dumpit = nl80211_dump_station,
12028 		.policy = nl80211_policy,
12029 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
12030 				  NL80211_FLAG_NEED_RTNL,
12031 	},
12032 	{
12033 		.cmd = NL80211_CMD_SET_STATION,
12034 		.doit = nl80211_set_station,
12035 		.policy = nl80211_policy,
12036 		.flags = GENL_UNS_ADMIN_PERM,
12037 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12038 				  NL80211_FLAG_NEED_RTNL,
12039 	},
12040 	{
12041 		.cmd = NL80211_CMD_NEW_STATION,
12042 		.doit = nl80211_new_station,
12043 		.policy = nl80211_policy,
12044 		.flags = GENL_UNS_ADMIN_PERM,
12045 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12046 				  NL80211_FLAG_NEED_RTNL,
12047 	},
12048 	{
12049 		.cmd = NL80211_CMD_DEL_STATION,
12050 		.doit = nl80211_del_station,
12051 		.policy = nl80211_policy,
12052 		.flags = GENL_UNS_ADMIN_PERM,
12053 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12054 				  NL80211_FLAG_NEED_RTNL,
12055 	},
12056 	{
12057 		.cmd = NL80211_CMD_GET_MPATH,
12058 		.doit = nl80211_get_mpath,
12059 		.dumpit = nl80211_dump_mpath,
12060 		.policy = nl80211_policy,
12061 		.flags = GENL_UNS_ADMIN_PERM,
12062 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12063 				  NL80211_FLAG_NEED_RTNL,
12064 	},
12065 	{
12066 		.cmd = NL80211_CMD_GET_MPP,
12067 		.doit = nl80211_get_mpp,
12068 		.dumpit = nl80211_dump_mpp,
12069 		.policy = nl80211_policy,
12070 		.flags = GENL_UNS_ADMIN_PERM,
12071 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12072 				  NL80211_FLAG_NEED_RTNL,
12073 	},
12074 	{
12075 		.cmd = NL80211_CMD_SET_MPATH,
12076 		.doit = nl80211_set_mpath,
12077 		.policy = nl80211_policy,
12078 		.flags = GENL_UNS_ADMIN_PERM,
12079 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12080 				  NL80211_FLAG_NEED_RTNL,
12081 	},
12082 	{
12083 		.cmd = NL80211_CMD_NEW_MPATH,
12084 		.doit = nl80211_new_mpath,
12085 		.policy = nl80211_policy,
12086 		.flags = GENL_UNS_ADMIN_PERM,
12087 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12088 				  NL80211_FLAG_NEED_RTNL,
12089 	},
12090 	{
12091 		.cmd = NL80211_CMD_DEL_MPATH,
12092 		.doit = nl80211_del_mpath,
12093 		.policy = nl80211_policy,
12094 		.flags = GENL_UNS_ADMIN_PERM,
12095 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12096 				  NL80211_FLAG_NEED_RTNL,
12097 	},
12098 	{
12099 		.cmd = NL80211_CMD_SET_BSS,
12100 		.doit = nl80211_set_bss,
12101 		.policy = nl80211_policy,
12102 		.flags = GENL_UNS_ADMIN_PERM,
12103 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12104 				  NL80211_FLAG_NEED_RTNL,
12105 	},
12106 	{
12107 		.cmd = NL80211_CMD_GET_REG,
12108 		.doit = nl80211_get_reg_do,
12109 		.dumpit = nl80211_get_reg_dump,
12110 		.policy = nl80211_policy,
12111 		.internal_flags = NL80211_FLAG_NEED_RTNL,
12112 		/* can be retrieved by unprivileged users */
12113 	},
12114 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
12115 	{
12116 		.cmd = NL80211_CMD_SET_REG,
12117 		.doit = nl80211_set_reg,
12118 		.policy = nl80211_policy,
12119 		.flags = GENL_ADMIN_PERM,
12120 		.internal_flags = NL80211_FLAG_NEED_RTNL,
12121 	},
12122 #endif
12123 	{
12124 		.cmd = NL80211_CMD_REQ_SET_REG,
12125 		.doit = nl80211_req_set_reg,
12126 		.policy = nl80211_policy,
12127 		.flags = GENL_ADMIN_PERM,
12128 	},
12129 	{
12130 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
12131 		.doit = nl80211_get_mesh_config,
12132 		.policy = nl80211_policy,
12133 		/* can be retrieved by unprivileged users */
12134 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12135 				  NL80211_FLAG_NEED_RTNL,
12136 	},
12137 	{
12138 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
12139 		.doit = nl80211_update_mesh_config,
12140 		.policy = nl80211_policy,
12141 		.flags = GENL_UNS_ADMIN_PERM,
12142 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12143 				  NL80211_FLAG_NEED_RTNL,
12144 	},
12145 	{
12146 		.cmd = NL80211_CMD_TRIGGER_SCAN,
12147 		.doit = nl80211_trigger_scan,
12148 		.policy = nl80211_policy,
12149 		.flags = GENL_UNS_ADMIN_PERM,
12150 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
12151 				  NL80211_FLAG_NEED_RTNL,
12152 	},
12153 	{
12154 		.cmd = NL80211_CMD_ABORT_SCAN,
12155 		.doit = nl80211_abort_scan,
12156 		.policy = nl80211_policy,
12157 		.flags = GENL_UNS_ADMIN_PERM,
12158 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
12159 				  NL80211_FLAG_NEED_RTNL,
12160 	},
12161 	{
12162 		.cmd = NL80211_CMD_GET_SCAN,
12163 		.policy = nl80211_policy,
12164 		.dumpit = nl80211_dump_scan,
12165 	},
12166 	{
12167 		.cmd = NL80211_CMD_START_SCHED_SCAN,
12168 		.doit = nl80211_start_sched_scan,
12169 		.policy = nl80211_policy,
12170 		.flags = GENL_UNS_ADMIN_PERM,
12171 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12172 				  NL80211_FLAG_NEED_RTNL,
12173 	},
12174 	{
12175 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
12176 		.doit = nl80211_stop_sched_scan,
12177 		.policy = nl80211_policy,
12178 		.flags = GENL_UNS_ADMIN_PERM,
12179 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12180 				  NL80211_FLAG_NEED_RTNL,
12181 	},
12182 	{
12183 		.cmd = NL80211_CMD_AUTHENTICATE,
12184 		.doit = nl80211_authenticate,
12185 		.policy = nl80211_policy,
12186 		.flags = GENL_UNS_ADMIN_PERM,
12187 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12188 				  NL80211_FLAG_NEED_RTNL |
12189 				  NL80211_FLAG_CLEAR_SKB,
12190 	},
12191 	{
12192 		.cmd = NL80211_CMD_ASSOCIATE,
12193 		.doit = nl80211_associate,
12194 		.policy = nl80211_policy,
12195 		.flags = GENL_UNS_ADMIN_PERM,
12196 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12197 				  NL80211_FLAG_NEED_RTNL,
12198 	},
12199 	{
12200 		.cmd = NL80211_CMD_DEAUTHENTICATE,
12201 		.doit = nl80211_deauthenticate,
12202 		.policy = nl80211_policy,
12203 		.flags = GENL_UNS_ADMIN_PERM,
12204 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12205 				  NL80211_FLAG_NEED_RTNL,
12206 	},
12207 	{
12208 		.cmd = NL80211_CMD_DISASSOCIATE,
12209 		.doit = nl80211_disassociate,
12210 		.policy = nl80211_policy,
12211 		.flags = GENL_UNS_ADMIN_PERM,
12212 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12213 				  NL80211_FLAG_NEED_RTNL,
12214 	},
12215 	{
12216 		.cmd = NL80211_CMD_JOIN_IBSS,
12217 		.doit = nl80211_join_ibss,
12218 		.policy = nl80211_policy,
12219 		.flags = GENL_UNS_ADMIN_PERM,
12220 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12221 				  NL80211_FLAG_NEED_RTNL,
12222 	},
12223 	{
12224 		.cmd = NL80211_CMD_LEAVE_IBSS,
12225 		.doit = nl80211_leave_ibss,
12226 		.policy = nl80211_policy,
12227 		.flags = GENL_UNS_ADMIN_PERM,
12228 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12229 				  NL80211_FLAG_NEED_RTNL,
12230 	},
12231 #ifdef CONFIG_NL80211_TESTMODE
12232 	{
12233 		.cmd = NL80211_CMD_TESTMODE,
12234 		.doit = nl80211_testmode_do,
12235 		.dumpit = nl80211_testmode_dump,
12236 		.policy = nl80211_policy,
12237 		.flags = GENL_UNS_ADMIN_PERM,
12238 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
12239 				  NL80211_FLAG_NEED_RTNL,
12240 	},
12241 #endif
12242 	{
12243 		.cmd = NL80211_CMD_CONNECT,
12244 		.doit = nl80211_connect,
12245 		.policy = nl80211_policy,
12246 		.flags = GENL_UNS_ADMIN_PERM,
12247 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12248 				  NL80211_FLAG_NEED_RTNL,
12249 	},
12250 	{
12251 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
12252 		.doit = nl80211_update_connect_params,
12253 		.policy = nl80211_policy,
12254 		.flags = GENL_ADMIN_PERM,
12255 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12256 				  NL80211_FLAG_NEED_RTNL,
12257 	},
12258 	{
12259 		.cmd = NL80211_CMD_DISCONNECT,
12260 		.doit = nl80211_disconnect,
12261 		.policy = nl80211_policy,
12262 		.flags = GENL_UNS_ADMIN_PERM,
12263 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12264 				  NL80211_FLAG_NEED_RTNL,
12265 	},
12266 	{
12267 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
12268 		.doit = nl80211_wiphy_netns,
12269 		.policy = nl80211_policy,
12270 		.flags = GENL_UNS_ADMIN_PERM,
12271 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
12272 				  NL80211_FLAG_NEED_RTNL,
12273 	},
12274 	{
12275 		.cmd = NL80211_CMD_GET_SURVEY,
12276 		.policy = nl80211_policy,
12277 		.dumpit = nl80211_dump_survey,
12278 	},
12279 	{
12280 		.cmd = NL80211_CMD_SET_PMKSA,
12281 		.doit = nl80211_setdel_pmksa,
12282 		.policy = nl80211_policy,
12283 		.flags = GENL_UNS_ADMIN_PERM,
12284 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12285 				  NL80211_FLAG_NEED_RTNL,
12286 	},
12287 	{
12288 		.cmd = NL80211_CMD_DEL_PMKSA,
12289 		.doit = nl80211_setdel_pmksa,
12290 		.policy = nl80211_policy,
12291 		.flags = GENL_UNS_ADMIN_PERM,
12292 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12293 				  NL80211_FLAG_NEED_RTNL,
12294 	},
12295 	{
12296 		.cmd = NL80211_CMD_FLUSH_PMKSA,
12297 		.doit = nl80211_flush_pmksa,
12298 		.policy = nl80211_policy,
12299 		.flags = GENL_UNS_ADMIN_PERM,
12300 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12301 				  NL80211_FLAG_NEED_RTNL,
12302 	},
12303 	{
12304 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
12305 		.doit = nl80211_remain_on_channel,
12306 		.policy = nl80211_policy,
12307 		.flags = GENL_UNS_ADMIN_PERM,
12308 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
12309 				  NL80211_FLAG_NEED_RTNL,
12310 	},
12311 	{
12312 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
12313 		.doit = nl80211_cancel_remain_on_channel,
12314 		.policy = nl80211_policy,
12315 		.flags = GENL_UNS_ADMIN_PERM,
12316 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
12317 				  NL80211_FLAG_NEED_RTNL,
12318 	},
12319 	{
12320 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
12321 		.doit = nl80211_set_tx_bitrate_mask,
12322 		.policy = nl80211_policy,
12323 		.flags = GENL_UNS_ADMIN_PERM,
12324 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
12325 				  NL80211_FLAG_NEED_RTNL,
12326 	},
12327 	{
12328 		.cmd = NL80211_CMD_REGISTER_FRAME,
12329 		.doit = nl80211_register_mgmt,
12330 		.policy = nl80211_policy,
12331 		.flags = GENL_UNS_ADMIN_PERM,
12332 		.internal_flags = NL80211_FLAG_NEED_WDEV |
12333 				  NL80211_FLAG_NEED_RTNL,
12334 	},
12335 	{
12336 		.cmd = NL80211_CMD_FRAME,
12337 		.doit = nl80211_tx_mgmt,
12338 		.policy = nl80211_policy,
12339 		.flags = GENL_UNS_ADMIN_PERM,
12340 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
12341 				  NL80211_FLAG_NEED_RTNL,
12342 	},
12343 	{
12344 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
12345 		.doit = nl80211_tx_mgmt_cancel_wait,
12346 		.policy = nl80211_policy,
12347 		.flags = GENL_UNS_ADMIN_PERM,
12348 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
12349 				  NL80211_FLAG_NEED_RTNL,
12350 	},
12351 	{
12352 		.cmd = NL80211_CMD_SET_POWER_SAVE,
12353 		.doit = nl80211_set_power_save,
12354 		.policy = nl80211_policy,
12355 		.flags = GENL_UNS_ADMIN_PERM,
12356 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
12357 				  NL80211_FLAG_NEED_RTNL,
12358 	},
12359 	{
12360 		.cmd = NL80211_CMD_GET_POWER_SAVE,
12361 		.doit = nl80211_get_power_save,
12362 		.policy = nl80211_policy,
12363 		/* can be retrieved by unprivileged users */
12364 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
12365 				  NL80211_FLAG_NEED_RTNL,
12366 	},
12367 	{
12368 		.cmd = NL80211_CMD_SET_CQM,
12369 		.doit = nl80211_set_cqm,
12370 		.policy = nl80211_policy,
12371 		.flags = GENL_UNS_ADMIN_PERM,
12372 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
12373 				  NL80211_FLAG_NEED_RTNL,
12374 	},
12375 	{
12376 		.cmd = NL80211_CMD_SET_CHANNEL,
12377 		.doit = nl80211_set_channel,
12378 		.policy = nl80211_policy,
12379 		.flags = GENL_UNS_ADMIN_PERM,
12380 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
12381 				  NL80211_FLAG_NEED_RTNL,
12382 	},
12383 	{
12384 		.cmd = NL80211_CMD_SET_WDS_PEER,
12385 		.doit = nl80211_set_wds_peer,
12386 		.policy = nl80211_policy,
12387 		.flags = GENL_UNS_ADMIN_PERM,
12388 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
12389 				  NL80211_FLAG_NEED_RTNL,
12390 	},
12391 	{
12392 		.cmd = NL80211_CMD_JOIN_MESH,
12393 		.doit = nl80211_join_mesh,
12394 		.policy = nl80211_policy,
12395 		.flags = GENL_UNS_ADMIN_PERM,
12396 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12397 				  NL80211_FLAG_NEED_RTNL,
12398 	},
12399 	{
12400 		.cmd = NL80211_CMD_LEAVE_MESH,
12401 		.doit = nl80211_leave_mesh,
12402 		.policy = nl80211_policy,
12403 		.flags = GENL_UNS_ADMIN_PERM,
12404 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12405 				  NL80211_FLAG_NEED_RTNL,
12406 	},
12407 	{
12408 		.cmd = NL80211_CMD_JOIN_OCB,
12409 		.doit = nl80211_join_ocb,
12410 		.policy = nl80211_policy,
12411 		.flags = GENL_UNS_ADMIN_PERM,
12412 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12413 				  NL80211_FLAG_NEED_RTNL,
12414 	},
12415 	{
12416 		.cmd = NL80211_CMD_LEAVE_OCB,
12417 		.doit = nl80211_leave_ocb,
12418 		.policy = nl80211_policy,
12419 		.flags = GENL_UNS_ADMIN_PERM,
12420 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12421 				  NL80211_FLAG_NEED_RTNL,
12422 	},
12423 #ifdef CONFIG_PM
12424 	{
12425 		.cmd = NL80211_CMD_GET_WOWLAN,
12426 		.doit = nl80211_get_wowlan,
12427 		.policy = nl80211_policy,
12428 		/* can be retrieved by unprivileged users */
12429 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
12430 				  NL80211_FLAG_NEED_RTNL,
12431 	},
12432 	{
12433 		.cmd = NL80211_CMD_SET_WOWLAN,
12434 		.doit = nl80211_set_wowlan,
12435 		.policy = nl80211_policy,
12436 		.flags = GENL_UNS_ADMIN_PERM,
12437 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
12438 				  NL80211_FLAG_NEED_RTNL,
12439 	},
12440 #endif
12441 	{
12442 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
12443 		.doit = nl80211_set_rekey_data,
12444 		.policy = nl80211_policy,
12445 		.flags = GENL_UNS_ADMIN_PERM,
12446 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12447 				  NL80211_FLAG_NEED_RTNL |
12448 				  NL80211_FLAG_CLEAR_SKB,
12449 	},
12450 	{
12451 		.cmd = NL80211_CMD_TDLS_MGMT,
12452 		.doit = nl80211_tdls_mgmt,
12453 		.policy = nl80211_policy,
12454 		.flags = GENL_UNS_ADMIN_PERM,
12455 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12456 				  NL80211_FLAG_NEED_RTNL,
12457 	},
12458 	{
12459 		.cmd = NL80211_CMD_TDLS_OPER,
12460 		.doit = nl80211_tdls_oper,
12461 		.policy = nl80211_policy,
12462 		.flags = GENL_UNS_ADMIN_PERM,
12463 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12464 				  NL80211_FLAG_NEED_RTNL,
12465 	},
12466 	{
12467 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
12468 		.doit = nl80211_register_unexpected_frame,
12469 		.policy = nl80211_policy,
12470 		.flags = GENL_UNS_ADMIN_PERM,
12471 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
12472 				  NL80211_FLAG_NEED_RTNL,
12473 	},
12474 	{
12475 		.cmd = NL80211_CMD_PROBE_CLIENT,
12476 		.doit = nl80211_probe_client,
12477 		.policy = nl80211_policy,
12478 		.flags = GENL_UNS_ADMIN_PERM,
12479 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12480 				  NL80211_FLAG_NEED_RTNL,
12481 	},
12482 	{
12483 		.cmd = NL80211_CMD_REGISTER_BEACONS,
12484 		.doit = nl80211_register_beacons,
12485 		.policy = nl80211_policy,
12486 		.flags = GENL_UNS_ADMIN_PERM,
12487 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
12488 				  NL80211_FLAG_NEED_RTNL,
12489 	},
12490 	{
12491 		.cmd = NL80211_CMD_SET_NOACK_MAP,
12492 		.doit = nl80211_set_noack_map,
12493 		.policy = nl80211_policy,
12494 		.flags = GENL_UNS_ADMIN_PERM,
12495 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
12496 				  NL80211_FLAG_NEED_RTNL,
12497 	},
12498 	{
12499 		.cmd = NL80211_CMD_START_P2P_DEVICE,
12500 		.doit = nl80211_start_p2p_device,
12501 		.policy = nl80211_policy,
12502 		.flags = GENL_UNS_ADMIN_PERM,
12503 		.internal_flags = NL80211_FLAG_NEED_WDEV |
12504 				  NL80211_FLAG_NEED_RTNL,
12505 	},
12506 	{
12507 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
12508 		.doit = nl80211_stop_p2p_device,
12509 		.policy = nl80211_policy,
12510 		.flags = GENL_UNS_ADMIN_PERM,
12511 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
12512 				  NL80211_FLAG_NEED_RTNL,
12513 	},
12514 	{
12515 		.cmd = NL80211_CMD_START_NAN,
12516 		.doit = nl80211_start_nan,
12517 		.policy = nl80211_policy,
12518 		.flags = GENL_ADMIN_PERM,
12519 		.internal_flags = NL80211_FLAG_NEED_WDEV |
12520 				  NL80211_FLAG_NEED_RTNL,
12521 	},
12522 	{
12523 		.cmd = NL80211_CMD_STOP_NAN,
12524 		.doit = nl80211_stop_nan,
12525 		.policy = nl80211_policy,
12526 		.flags = GENL_ADMIN_PERM,
12527 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
12528 				  NL80211_FLAG_NEED_RTNL,
12529 	},
12530 	{
12531 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
12532 		.doit = nl80211_nan_add_func,
12533 		.policy = nl80211_policy,
12534 		.flags = GENL_ADMIN_PERM,
12535 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
12536 				  NL80211_FLAG_NEED_RTNL,
12537 	},
12538 	{
12539 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
12540 		.doit = nl80211_nan_del_func,
12541 		.policy = nl80211_policy,
12542 		.flags = GENL_ADMIN_PERM,
12543 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
12544 				  NL80211_FLAG_NEED_RTNL,
12545 	},
12546 	{
12547 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
12548 		.doit = nl80211_nan_change_config,
12549 		.policy = nl80211_policy,
12550 		.flags = GENL_ADMIN_PERM,
12551 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
12552 				  NL80211_FLAG_NEED_RTNL,
12553 	},
12554 	{
12555 		.cmd = NL80211_CMD_SET_MCAST_RATE,
12556 		.doit = nl80211_set_mcast_rate,
12557 		.policy = nl80211_policy,
12558 		.flags = GENL_UNS_ADMIN_PERM,
12559 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
12560 				  NL80211_FLAG_NEED_RTNL,
12561 	},
12562 	{
12563 		.cmd = NL80211_CMD_SET_MAC_ACL,
12564 		.doit = nl80211_set_mac_acl,
12565 		.policy = nl80211_policy,
12566 		.flags = GENL_UNS_ADMIN_PERM,
12567 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
12568 				  NL80211_FLAG_NEED_RTNL,
12569 	},
12570 	{
12571 		.cmd = NL80211_CMD_RADAR_DETECT,
12572 		.doit = nl80211_start_radar_detection,
12573 		.policy = nl80211_policy,
12574 		.flags = GENL_UNS_ADMIN_PERM,
12575 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12576 				  NL80211_FLAG_NEED_RTNL,
12577 	},
12578 	{
12579 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
12580 		.doit = nl80211_get_protocol_features,
12581 		.policy = nl80211_policy,
12582 	},
12583 	{
12584 		.cmd = NL80211_CMD_UPDATE_FT_IES,
12585 		.doit = nl80211_update_ft_ies,
12586 		.policy = nl80211_policy,
12587 		.flags = GENL_UNS_ADMIN_PERM,
12588 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12589 				  NL80211_FLAG_NEED_RTNL,
12590 	},
12591 	{
12592 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
12593 		.doit = nl80211_crit_protocol_start,
12594 		.policy = nl80211_policy,
12595 		.flags = GENL_UNS_ADMIN_PERM,
12596 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
12597 				  NL80211_FLAG_NEED_RTNL,
12598 	},
12599 	{
12600 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
12601 		.doit = nl80211_crit_protocol_stop,
12602 		.policy = nl80211_policy,
12603 		.flags = GENL_UNS_ADMIN_PERM,
12604 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
12605 				  NL80211_FLAG_NEED_RTNL,
12606 	},
12607 	{
12608 		.cmd = NL80211_CMD_GET_COALESCE,
12609 		.doit = nl80211_get_coalesce,
12610 		.policy = nl80211_policy,
12611 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
12612 				  NL80211_FLAG_NEED_RTNL,
12613 	},
12614 	{
12615 		.cmd = NL80211_CMD_SET_COALESCE,
12616 		.doit = nl80211_set_coalesce,
12617 		.policy = nl80211_policy,
12618 		.flags = GENL_UNS_ADMIN_PERM,
12619 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
12620 				  NL80211_FLAG_NEED_RTNL,
12621 	},
12622 	{
12623 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
12624 		.doit = nl80211_channel_switch,
12625 		.policy = nl80211_policy,
12626 		.flags = GENL_UNS_ADMIN_PERM,
12627 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12628 				  NL80211_FLAG_NEED_RTNL,
12629 	},
12630 	{
12631 		.cmd = NL80211_CMD_VENDOR,
12632 		.doit = nl80211_vendor_cmd,
12633 		.dumpit = nl80211_vendor_cmd_dump,
12634 		.policy = nl80211_policy,
12635 		.flags = GENL_UNS_ADMIN_PERM,
12636 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
12637 				  NL80211_FLAG_NEED_RTNL,
12638 	},
12639 	{
12640 		.cmd = NL80211_CMD_SET_QOS_MAP,
12641 		.doit = nl80211_set_qos_map,
12642 		.policy = nl80211_policy,
12643 		.flags = GENL_UNS_ADMIN_PERM,
12644 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12645 				  NL80211_FLAG_NEED_RTNL,
12646 	},
12647 	{
12648 		.cmd = NL80211_CMD_ADD_TX_TS,
12649 		.doit = nl80211_add_tx_ts,
12650 		.policy = nl80211_policy,
12651 		.flags = GENL_UNS_ADMIN_PERM,
12652 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12653 				  NL80211_FLAG_NEED_RTNL,
12654 	},
12655 	{
12656 		.cmd = NL80211_CMD_DEL_TX_TS,
12657 		.doit = nl80211_del_tx_ts,
12658 		.policy = nl80211_policy,
12659 		.flags = GENL_UNS_ADMIN_PERM,
12660 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12661 				  NL80211_FLAG_NEED_RTNL,
12662 	},
12663 	{
12664 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
12665 		.doit = nl80211_tdls_channel_switch,
12666 		.policy = nl80211_policy,
12667 		.flags = GENL_UNS_ADMIN_PERM,
12668 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12669 				  NL80211_FLAG_NEED_RTNL,
12670 	},
12671 	{
12672 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
12673 		.doit = nl80211_tdls_cancel_channel_switch,
12674 		.policy = nl80211_policy,
12675 		.flags = GENL_UNS_ADMIN_PERM,
12676 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
12677 				  NL80211_FLAG_NEED_RTNL,
12678 	},
12679 	{
12680 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
12681 		.doit = nl80211_set_multicast_to_unicast,
12682 		.policy = nl80211_policy,
12683 		.flags = GENL_UNS_ADMIN_PERM,
12684 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
12685 				  NL80211_FLAG_NEED_RTNL,
12686 	},
12687 };
12688 
12689 static struct genl_family nl80211_fam __ro_after_init = {
12690 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
12691 	.hdrsize = 0,			/* no private header */
12692 	.version = 1,			/* no particular meaning now */
12693 	.maxattr = NL80211_ATTR_MAX,
12694 	.netnsok = true,
12695 	.pre_doit = nl80211_pre_doit,
12696 	.post_doit = nl80211_post_doit,
12697 	.module = THIS_MODULE,
12698 	.ops = nl80211_ops,
12699 	.n_ops = ARRAY_SIZE(nl80211_ops),
12700 	.mcgrps = nl80211_mcgrps,
12701 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
12702 };
12703 
12704 /* notification functions */
12705 
12706 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
12707 			  enum nl80211_commands cmd)
12708 {
12709 	struct sk_buff *msg;
12710 	struct nl80211_dump_wiphy_state state = {};
12711 
12712 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
12713 		cmd != NL80211_CMD_DEL_WIPHY);
12714 
12715 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12716 	if (!msg)
12717 		return;
12718 
12719 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
12720 		nlmsg_free(msg);
12721 		return;
12722 	}
12723 
12724 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12725 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
12726 }
12727 
12728 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
12729 				struct wireless_dev *wdev,
12730 				enum nl80211_commands cmd)
12731 {
12732 	struct sk_buff *msg;
12733 
12734 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
12735 		cmd != NL80211_CMD_DEL_INTERFACE);
12736 
12737 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12738 	if (!msg)
12739 		return;
12740 
12741 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev,
12742 			       cmd == NL80211_CMD_DEL_INTERFACE) < 0) {
12743 		nlmsg_free(msg);
12744 		return;
12745 	}
12746 
12747 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12748 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
12749 }
12750 
12751 static int nl80211_add_scan_req(struct sk_buff *msg,
12752 				struct cfg80211_registered_device *rdev)
12753 {
12754 	struct cfg80211_scan_request *req = rdev->scan_req;
12755 	struct nlattr *nest;
12756 	int i;
12757 
12758 	if (WARN_ON(!req))
12759 		return 0;
12760 
12761 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_SSIDS);
12762 	if (!nest)
12763 		goto nla_put_failure;
12764 	for (i = 0; i < req->n_ssids; i++) {
12765 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
12766 			goto nla_put_failure;
12767 	}
12768 	nla_nest_end(msg, nest);
12769 
12770 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
12771 	if (!nest)
12772 		goto nla_put_failure;
12773 	for (i = 0; i < req->n_channels; i++) {
12774 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
12775 			goto nla_put_failure;
12776 	}
12777 	nla_nest_end(msg, nest);
12778 
12779 	if (req->ie &&
12780 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
12781 		goto nla_put_failure;
12782 
12783 	if (req->flags &&
12784 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
12785 		goto nla_put_failure;
12786 
12787 	if (req->info.scan_start_tsf &&
12788 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
12789 			       req->info.scan_start_tsf, NL80211_BSS_PAD) ||
12790 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
12791 		     req->info.tsf_bssid)))
12792 		goto nla_put_failure;
12793 
12794 	return 0;
12795  nla_put_failure:
12796 	return -ENOBUFS;
12797 }
12798 
12799 static int nl80211_send_scan_msg(struct sk_buff *msg,
12800 				 struct cfg80211_registered_device *rdev,
12801 				 struct wireless_dev *wdev,
12802 				 u32 portid, u32 seq, int flags,
12803 				 u32 cmd)
12804 {
12805 	void *hdr;
12806 
12807 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
12808 	if (!hdr)
12809 		return -1;
12810 
12811 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12812 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12813 					 wdev->netdev->ifindex)) ||
12814 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
12815 			      NL80211_ATTR_PAD))
12816 		goto nla_put_failure;
12817 
12818 	/* ignore errors and send incomplete event anyway */
12819 	nl80211_add_scan_req(msg, rdev);
12820 
12821 	genlmsg_end(msg, hdr);
12822 	return 0;
12823 
12824  nla_put_failure:
12825 	genlmsg_cancel(msg, hdr);
12826 	return -EMSGSIZE;
12827 }
12828 
12829 static int
12830 nl80211_send_sched_scan_msg(struct sk_buff *msg,
12831 			    struct cfg80211_registered_device *rdev,
12832 			    struct net_device *netdev,
12833 			    u32 portid, u32 seq, int flags, u32 cmd)
12834 {
12835 	void *hdr;
12836 
12837 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
12838 	if (!hdr)
12839 		return -1;
12840 
12841 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12842 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
12843 		goto nla_put_failure;
12844 
12845 	genlmsg_end(msg, hdr);
12846 	return 0;
12847 
12848  nla_put_failure:
12849 	genlmsg_cancel(msg, hdr);
12850 	return -EMSGSIZE;
12851 }
12852 
12853 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
12854 			     struct wireless_dev *wdev)
12855 {
12856 	struct sk_buff *msg;
12857 
12858 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12859 	if (!msg)
12860 		return;
12861 
12862 	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
12863 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
12864 		nlmsg_free(msg);
12865 		return;
12866 	}
12867 
12868 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12869 				NL80211_MCGRP_SCAN, GFP_KERNEL);
12870 }
12871 
12872 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
12873 				       struct wireless_dev *wdev, bool aborted)
12874 {
12875 	struct sk_buff *msg;
12876 
12877 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12878 	if (!msg)
12879 		return NULL;
12880 
12881 	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
12882 				  aborted ? NL80211_CMD_SCAN_ABORTED :
12883 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
12884 		nlmsg_free(msg);
12885 		return NULL;
12886 	}
12887 
12888 	return msg;
12889 }
12890 
12891 void nl80211_send_scan_result(struct cfg80211_registered_device *rdev,
12892 			      struct sk_buff *msg)
12893 {
12894 	if (!msg)
12895 		return;
12896 
12897 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12898 				NL80211_MCGRP_SCAN, GFP_KERNEL);
12899 }
12900 
12901 void nl80211_send_sched_scan_results(struct cfg80211_registered_device *rdev,
12902 				     struct net_device *netdev)
12903 {
12904 	struct sk_buff *msg;
12905 
12906 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12907 	if (!msg)
12908 		return;
12909 
12910 	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0,
12911 					NL80211_CMD_SCHED_SCAN_RESULTS) < 0) {
12912 		nlmsg_free(msg);
12913 		return;
12914 	}
12915 
12916 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12917 				NL80211_MCGRP_SCAN, GFP_KERNEL);
12918 }
12919 
12920 void nl80211_send_sched_scan(struct cfg80211_registered_device *rdev,
12921 			     struct net_device *netdev, u32 cmd)
12922 {
12923 	struct sk_buff *msg;
12924 
12925 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12926 	if (!msg)
12927 		return;
12928 
12929 	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0, cmd) < 0) {
12930 		nlmsg_free(msg);
12931 		return;
12932 	}
12933 
12934 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12935 				NL80211_MCGRP_SCAN, GFP_KERNEL);
12936 }
12937 
12938 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
12939 					  struct regulatory_request *request)
12940 {
12941 	/* Userspace can always count this one always being set */
12942 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
12943 		goto nla_put_failure;
12944 
12945 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
12946 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
12947 			       NL80211_REGDOM_TYPE_WORLD))
12948 			goto nla_put_failure;
12949 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
12950 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
12951 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
12952 			goto nla_put_failure;
12953 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
12954 		   request->intersect) {
12955 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
12956 			       NL80211_REGDOM_TYPE_INTERSECTION))
12957 			goto nla_put_failure;
12958 	} else {
12959 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
12960 			       NL80211_REGDOM_TYPE_COUNTRY) ||
12961 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
12962 				   request->alpha2))
12963 			goto nla_put_failure;
12964 	}
12965 
12966 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
12967 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
12968 
12969 		if (wiphy &&
12970 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
12971 			goto nla_put_failure;
12972 
12973 		if (wiphy &&
12974 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
12975 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
12976 			goto nla_put_failure;
12977 	}
12978 
12979 	return true;
12980 
12981 nla_put_failure:
12982 	return false;
12983 }
12984 
12985 /*
12986  * This can happen on global regulatory changes or device specific settings
12987  * based on custom regulatory domains.
12988  */
12989 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
12990 				     struct regulatory_request *request)
12991 {
12992 	struct sk_buff *msg;
12993 	void *hdr;
12994 
12995 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12996 	if (!msg)
12997 		return;
12998 
12999 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
13000 	if (!hdr) {
13001 		nlmsg_free(msg);
13002 		return;
13003 	}
13004 
13005 	if (nl80211_reg_change_event_fill(msg, request) == false)
13006 		goto nla_put_failure;
13007 
13008 	genlmsg_end(msg, hdr);
13009 
13010 	rcu_read_lock();
13011 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
13012 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
13013 	rcu_read_unlock();
13014 
13015 	return;
13016 
13017 nla_put_failure:
13018 	genlmsg_cancel(msg, hdr);
13019 	nlmsg_free(msg);
13020 }
13021 
13022 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
13023 				    struct net_device *netdev,
13024 				    const u8 *buf, size_t len,
13025 				    enum nl80211_commands cmd, gfp_t gfp,
13026 				    int uapsd_queues)
13027 {
13028 	struct sk_buff *msg;
13029 	void *hdr;
13030 
13031 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13032 	if (!msg)
13033 		return;
13034 
13035 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
13036 	if (!hdr) {
13037 		nlmsg_free(msg);
13038 		return;
13039 	}
13040 
13041 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13042 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
13043 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf))
13044 		goto nla_put_failure;
13045 
13046 	if (uapsd_queues >= 0) {
13047 		struct nlattr *nla_wmm =
13048 			nla_nest_start(msg, NL80211_ATTR_STA_WME);
13049 		if (!nla_wmm)
13050 			goto nla_put_failure;
13051 
13052 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
13053 			       uapsd_queues))
13054 			goto nla_put_failure;
13055 
13056 		nla_nest_end(msg, nla_wmm);
13057 	}
13058 
13059 	genlmsg_end(msg, hdr);
13060 
13061 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13062 				NL80211_MCGRP_MLME, gfp);
13063 	return;
13064 
13065  nla_put_failure:
13066 	genlmsg_cancel(msg, hdr);
13067 	nlmsg_free(msg);
13068 }
13069 
13070 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
13071 			  struct net_device *netdev, const u8 *buf,
13072 			  size_t len, gfp_t gfp)
13073 {
13074 	nl80211_send_mlme_event(rdev, netdev, buf, len,
13075 				NL80211_CMD_AUTHENTICATE, gfp, -1);
13076 }
13077 
13078 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
13079 			   struct net_device *netdev, const u8 *buf,
13080 			   size_t len, gfp_t gfp, int uapsd_queues)
13081 {
13082 	nl80211_send_mlme_event(rdev, netdev, buf, len,
13083 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues);
13084 }
13085 
13086 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
13087 			 struct net_device *netdev, const u8 *buf,
13088 			 size_t len, gfp_t gfp)
13089 {
13090 	nl80211_send_mlme_event(rdev, netdev, buf, len,
13091 				NL80211_CMD_DEAUTHENTICATE, gfp, -1);
13092 }
13093 
13094 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
13095 			   struct net_device *netdev, const u8 *buf,
13096 			   size_t len, gfp_t gfp)
13097 {
13098 	nl80211_send_mlme_event(rdev, netdev, buf, len,
13099 				NL80211_CMD_DISASSOCIATE, gfp, -1);
13100 }
13101 
13102 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
13103 				  size_t len)
13104 {
13105 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13106 	struct wiphy *wiphy = wdev->wiphy;
13107 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13108 	const struct ieee80211_mgmt *mgmt = (void *)buf;
13109 	u32 cmd;
13110 
13111 	if (WARN_ON(len < 2))
13112 		return;
13113 
13114 	if (ieee80211_is_deauth(mgmt->frame_control))
13115 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
13116 	else
13117 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
13118 
13119 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
13120 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1);
13121 }
13122 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
13123 
13124 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
13125 				      struct net_device *netdev, int cmd,
13126 				      const u8 *addr, gfp_t gfp)
13127 {
13128 	struct sk_buff *msg;
13129 	void *hdr;
13130 
13131 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13132 	if (!msg)
13133 		return;
13134 
13135 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
13136 	if (!hdr) {
13137 		nlmsg_free(msg);
13138 		return;
13139 	}
13140 
13141 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13142 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
13143 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
13144 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
13145 		goto nla_put_failure;
13146 
13147 	genlmsg_end(msg, hdr);
13148 
13149 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13150 				NL80211_MCGRP_MLME, gfp);
13151 	return;
13152 
13153  nla_put_failure:
13154 	genlmsg_cancel(msg, hdr);
13155 	nlmsg_free(msg);
13156 }
13157 
13158 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
13159 			       struct net_device *netdev, const u8 *addr,
13160 			       gfp_t gfp)
13161 {
13162 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
13163 				  addr, gfp);
13164 }
13165 
13166 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
13167 				struct net_device *netdev, const u8 *addr,
13168 				gfp_t gfp)
13169 {
13170 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
13171 				  addr, gfp);
13172 }
13173 
13174 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
13175 				 struct net_device *netdev, const u8 *bssid,
13176 				 const u8 *req_ie, size_t req_ie_len,
13177 				 const u8 *resp_ie, size_t resp_ie_len,
13178 				 int status, gfp_t gfp)
13179 {
13180 	struct sk_buff *msg;
13181 	void *hdr;
13182 
13183 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13184 	if (!msg)
13185 		return;
13186 
13187 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
13188 	if (!hdr) {
13189 		nlmsg_free(msg);
13190 		return;
13191 	}
13192 
13193 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13194 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
13195 	    (bssid && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid)) ||
13196 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
13197 			status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
13198 			status) ||
13199 	    (status < 0 && nla_put_flag(msg, NL80211_ATTR_TIMED_OUT)) ||
13200 	    (req_ie &&
13201 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
13202 	    (resp_ie &&
13203 	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
13204 		goto nla_put_failure;
13205 
13206 	genlmsg_end(msg, hdr);
13207 
13208 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13209 				NL80211_MCGRP_MLME, gfp);
13210 	return;
13211 
13212  nla_put_failure:
13213 	genlmsg_cancel(msg, hdr);
13214 	nlmsg_free(msg);
13215 }
13216 
13217 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
13218 			 struct net_device *netdev, const u8 *bssid,
13219 			 const u8 *req_ie, size_t req_ie_len,
13220 			 const u8 *resp_ie, size_t resp_ie_len, gfp_t gfp)
13221 {
13222 	struct sk_buff *msg;
13223 	void *hdr;
13224 
13225 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13226 	if (!msg)
13227 		return;
13228 
13229 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
13230 	if (!hdr) {
13231 		nlmsg_free(msg);
13232 		return;
13233 	}
13234 
13235 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13236 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
13237 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
13238 	    (req_ie &&
13239 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
13240 	    (resp_ie &&
13241 	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
13242 		goto nla_put_failure;
13243 
13244 	genlmsg_end(msg, hdr);
13245 
13246 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13247 				NL80211_MCGRP_MLME, gfp);
13248 	return;
13249 
13250  nla_put_failure:
13251 	genlmsg_cancel(msg, hdr);
13252 	nlmsg_free(msg);
13253 }
13254 
13255 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
13256 			       struct net_device *netdev, u16 reason,
13257 			       const u8 *ie, size_t ie_len, bool from_ap)
13258 {
13259 	struct sk_buff *msg;
13260 	void *hdr;
13261 
13262 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13263 	if (!msg)
13264 		return;
13265 
13266 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
13267 	if (!hdr) {
13268 		nlmsg_free(msg);
13269 		return;
13270 	}
13271 
13272 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13273 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
13274 	    (from_ap && reason &&
13275 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
13276 	    (from_ap &&
13277 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
13278 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
13279 		goto nla_put_failure;
13280 
13281 	genlmsg_end(msg, hdr);
13282 
13283 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13284 				NL80211_MCGRP_MLME, GFP_KERNEL);
13285 	return;
13286 
13287  nla_put_failure:
13288 	genlmsg_cancel(msg, hdr);
13289 	nlmsg_free(msg);
13290 }
13291 
13292 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
13293 			     struct net_device *netdev, const u8 *bssid,
13294 			     gfp_t gfp)
13295 {
13296 	struct sk_buff *msg;
13297 	void *hdr;
13298 
13299 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13300 	if (!msg)
13301 		return;
13302 
13303 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
13304 	if (!hdr) {
13305 		nlmsg_free(msg);
13306 		return;
13307 	}
13308 
13309 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13310 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
13311 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
13312 		goto nla_put_failure;
13313 
13314 	genlmsg_end(msg, hdr);
13315 
13316 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13317 				NL80211_MCGRP_MLME, gfp);
13318 	return;
13319 
13320  nla_put_failure:
13321 	genlmsg_cancel(msg, hdr);
13322 	nlmsg_free(msg);
13323 }
13324 
13325 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
13326 					const u8* ie, u8 ie_len, gfp_t gfp)
13327 {
13328 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13329 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
13330 	struct sk_buff *msg;
13331 	void *hdr;
13332 
13333 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
13334 		return;
13335 
13336 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
13337 
13338 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13339 	if (!msg)
13340 		return;
13341 
13342 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
13343 	if (!hdr) {
13344 		nlmsg_free(msg);
13345 		return;
13346 	}
13347 
13348 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13349 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
13350 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
13351 	    (ie_len && ie &&
13352 	     nla_put(msg, NL80211_ATTR_IE, ie_len , ie)))
13353 		goto nla_put_failure;
13354 
13355 	genlmsg_end(msg, hdr);
13356 
13357 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13358 				NL80211_MCGRP_MLME, gfp);
13359 	return;
13360 
13361  nla_put_failure:
13362 	genlmsg_cancel(msg, hdr);
13363 	nlmsg_free(msg);
13364 }
13365 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
13366 
13367 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
13368 				 struct net_device *netdev, const u8 *addr,
13369 				 enum nl80211_key_type key_type, int key_id,
13370 				 const u8 *tsc, gfp_t gfp)
13371 {
13372 	struct sk_buff *msg;
13373 	void *hdr;
13374 
13375 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13376 	if (!msg)
13377 		return;
13378 
13379 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
13380 	if (!hdr) {
13381 		nlmsg_free(msg);
13382 		return;
13383 	}
13384 
13385 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13386 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
13387 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
13388 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
13389 	    (key_id != -1 &&
13390 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
13391 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
13392 		goto nla_put_failure;
13393 
13394 	genlmsg_end(msg, hdr);
13395 
13396 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13397 				NL80211_MCGRP_MLME, gfp);
13398 	return;
13399 
13400  nla_put_failure:
13401 	genlmsg_cancel(msg, hdr);
13402 	nlmsg_free(msg);
13403 }
13404 
13405 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
13406 				    struct ieee80211_channel *channel_before,
13407 				    struct ieee80211_channel *channel_after)
13408 {
13409 	struct sk_buff *msg;
13410 	void *hdr;
13411 	struct nlattr *nl_freq;
13412 
13413 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
13414 	if (!msg)
13415 		return;
13416 
13417 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
13418 	if (!hdr) {
13419 		nlmsg_free(msg);
13420 		return;
13421 	}
13422 
13423 	/*
13424 	 * Since we are applying the beacon hint to a wiphy we know its
13425 	 * wiphy_idx is valid
13426 	 */
13427 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
13428 		goto nla_put_failure;
13429 
13430 	/* Before */
13431 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_BEFORE);
13432 	if (!nl_freq)
13433 		goto nla_put_failure;
13434 	if (nl80211_msg_put_channel(msg, channel_before, false))
13435 		goto nla_put_failure;
13436 	nla_nest_end(msg, nl_freq);
13437 
13438 	/* After */
13439 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_AFTER);
13440 	if (!nl_freq)
13441 		goto nla_put_failure;
13442 	if (nl80211_msg_put_channel(msg, channel_after, false))
13443 		goto nla_put_failure;
13444 	nla_nest_end(msg, nl_freq);
13445 
13446 	genlmsg_end(msg, hdr);
13447 
13448 	rcu_read_lock();
13449 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
13450 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
13451 	rcu_read_unlock();
13452 
13453 	return;
13454 
13455 nla_put_failure:
13456 	genlmsg_cancel(msg, hdr);
13457 	nlmsg_free(msg);
13458 }
13459 
13460 static void nl80211_send_remain_on_chan_event(
13461 	int cmd, struct cfg80211_registered_device *rdev,
13462 	struct wireless_dev *wdev, u64 cookie,
13463 	struct ieee80211_channel *chan,
13464 	unsigned int duration, gfp_t gfp)
13465 {
13466 	struct sk_buff *msg;
13467 	void *hdr;
13468 
13469 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13470 	if (!msg)
13471 		return;
13472 
13473 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
13474 	if (!hdr) {
13475 		nlmsg_free(msg);
13476 		return;
13477 	}
13478 
13479 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13480 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13481 					 wdev->netdev->ifindex)) ||
13482 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13483 			      NL80211_ATTR_PAD) ||
13484 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
13485 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
13486 			NL80211_CHAN_NO_HT) ||
13487 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13488 			      NL80211_ATTR_PAD))
13489 		goto nla_put_failure;
13490 
13491 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
13492 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
13493 		goto nla_put_failure;
13494 
13495 	genlmsg_end(msg, hdr);
13496 
13497 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13498 				NL80211_MCGRP_MLME, gfp);
13499 	return;
13500 
13501  nla_put_failure:
13502 	genlmsg_cancel(msg, hdr);
13503 	nlmsg_free(msg);
13504 }
13505 
13506 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
13507 			       struct ieee80211_channel *chan,
13508 			       unsigned int duration, gfp_t gfp)
13509 {
13510 	struct wiphy *wiphy = wdev->wiphy;
13511 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13512 
13513 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
13514 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
13515 					  rdev, wdev, cookie, chan,
13516 					  duration, gfp);
13517 }
13518 EXPORT_SYMBOL(cfg80211_ready_on_channel);
13519 
13520 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
13521 					struct ieee80211_channel *chan,
13522 					gfp_t gfp)
13523 {
13524 	struct wiphy *wiphy = wdev->wiphy;
13525 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13526 
13527 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
13528 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
13529 					  rdev, wdev, cookie, chan, 0, gfp);
13530 }
13531 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
13532 
13533 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
13534 		      struct station_info *sinfo, gfp_t gfp)
13535 {
13536 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
13537 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13538 	struct sk_buff *msg;
13539 
13540 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
13541 
13542 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13543 	if (!msg)
13544 		return;
13545 
13546 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
13547 				 rdev, dev, mac_addr, sinfo) < 0) {
13548 		nlmsg_free(msg);
13549 		return;
13550 	}
13551 
13552 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13553 				NL80211_MCGRP_MLME, gfp);
13554 }
13555 EXPORT_SYMBOL(cfg80211_new_sta);
13556 
13557 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
13558 			    struct station_info *sinfo, gfp_t gfp)
13559 {
13560 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
13561 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13562 	struct sk_buff *msg;
13563 	struct station_info empty_sinfo = {};
13564 
13565 	if (!sinfo)
13566 		sinfo = &empty_sinfo;
13567 
13568 	trace_cfg80211_del_sta(dev, mac_addr);
13569 
13570 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13571 	if (!msg)
13572 		return;
13573 
13574 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
13575 				 rdev, dev, mac_addr, sinfo) < 0) {
13576 		nlmsg_free(msg);
13577 		return;
13578 	}
13579 
13580 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13581 				NL80211_MCGRP_MLME, gfp);
13582 }
13583 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
13584 
13585 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
13586 			  enum nl80211_connect_failed_reason reason,
13587 			  gfp_t gfp)
13588 {
13589 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
13590 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13591 	struct sk_buff *msg;
13592 	void *hdr;
13593 
13594 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
13595 	if (!msg)
13596 		return;
13597 
13598 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
13599 	if (!hdr) {
13600 		nlmsg_free(msg);
13601 		return;
13602 	}
13603 
13604 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
13605 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
13606 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
13607 		goto nla_put_failure;
13608 
13609 	genlmsg_end(msg, hdr);
13610 
13611 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13612 				NL80211_MCGRP_MLME, gfp);
13613 	return;
13614 
13615  nla_put_failure:
13616 	genlmsg_cancel(msg, hdr);
13617 	nlmsg_free(msg);
13618 }
13619 EXPORT_SYMBOL(cfg80211_conn_failed);
13620 
13621 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
13622 				       const u8 *addr, gfp_t gfp)
13623 {
13624 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13625 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
13626 	struct sk_buff *msg;
13627 	void *hdr;
13628 	u32 nlportid = ACCESS_ONCE(wdev->ap_unexpected_nlportid);
13629 
13630 	if (!nlportid)
13631 		return false;
13632 
13633 	msg = nlmsg_new(100, gfp);
13634 	if (!msg)
13635 		return true;
13636 
13637 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
13638 	if (!hdr) {
13639 		nlmsg_free(msg);
13640 		return true;
13641 	}
13642 
13643 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13644 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
13645 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
13646 		goto nla_put_failure;
13647 
13648 	genlmsg_end(msg, hdr);
13649 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
13650 	return true;
13651 
13652  nla_put_failure:
13653 	genlmsg_cancel(msg, hdr);
13654 	nlmsg_free(msg);
13655 	return true;
13656 }
13657 
13658 bool cfg80211_rx_spurious_frame(struct net_device *dev,
13659 				const u8 *addr, gfp_t gfp)
13660 {
13661 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13662 	bool ret;
13663 
13664 	trace_cfg80211_rx_spurious_frame(dev, addr);
13665 
13666 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
13667 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
13668 		trace_cfg80211_return_bool(false);
13669 		return false;
13670 	}
13671 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
13672 					 addr, gfp);
13673 	trace_cfg80211_return_bool(ret);
13674 	return ret;
13675 }
13676 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
13677 
13678 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
13679 					const u8 *addr, gfp_t gfp)
13680 {
13681 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13682 	bool ret;
13683 
13684 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
13685 
13686 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
13687 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
13688 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
13689 		trace_cfg80211_return_bool(false);
13690 		return false;
13691 	}
13692 	ret = __nl80211_unexpected_frame(dev,
13693 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
13694 					 addr, gfp);
13695 	trace_cfg80211_return_bool(ret);
13696 	return ret;
13697 }
13698 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
13699 
13700 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
13701 		      struct wireless_dev *wdev, u32 nlportid,
13702 		      int freq, int sig_dbm,
13703 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
13704 {
13705 	struct net_device *netdev = wdev->netdev;
13706 	struct sk_buff *msg;
13707 	void *hdr;
13708 
13709 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13710 	if (!msg)
13711 		return -ENOMEM;
13712 
13713 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
13714 	if (!hdr) {
13715 		nlmsg_free(msg);
13716 		return -ENOMEM;
13717 	}
13718 
13719 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13720 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13721 					netdev->ifindex)) ||
13722 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13723 			      NL80211_ATTR_PAD) ||
13724 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq) ||
13725 	    (sig_dbm &&
13726 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
13727 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
13728 	    (flags &&
13729 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
13730 		goto nla_put_failure;
13731 
13732 	genlmsg_end(msg, hdr);
13733 
13734 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
13735 
13736  nla_put_failure:
13737 	genlmsg_cancel(msg, hdr);
13738 	nlmsg_free(msg);
13739 	return -ENOBUFS;
13740 }
13741 
13742 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
13743 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
13744 {
13745 	struct wiphy *wiphy = wdev->wiphy;
13746 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13747 	struct net_device *netdev = wdev->netdev;
13748 	struct sk_buff *msg;
13749 	void *hdr;
13750 
13751 	trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
13752 
13753 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13754 	if (!msg)
13755 		return;
13756 
13757 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME_TX_STATUS);
13758 	if (!hdr) {
13759 		nlmsg_free(msg);
13760 		return;
13761 	}
13762 
13763 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13764 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13765 				   netdev->ifindex)) ||
13766 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13767 			      NL80211_ATTR_PAD) ||
13768 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
13769 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13770 			      NL80211_ATTR_PAD) ||
13771 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
13772 		goto nla_put_failure;
13773 
13774 	genlmsg_end(msg, hdr);
13775 
13776 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13777 				NL80211_MCGRP_MLME, gfp);
13778 	return;
13779 
13780  nla_put_failure:
13781 	genlmsg_cancel(msg, hdr);
13782 	nlmsg_free(msg);
13783 }
13784 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
13785 
13786 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
13787 					    const char *mac, gfp_t gfp)
13788 {
13789 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13790 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
13791 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13792 	void **cb;
13793 
13794 	if (!msg)
13795 		return NULL;
13796 
13797 	cb = (void **)msg->cb;
13798 
13799 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
13800 	if (!cb[0]) {
13801 		nlmsg_free(msg);
13802 		return NULL;
13803 	}
13804 
13805 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13806 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
13807 		goto nla_put_failure;
13808 
13809 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
13810 		goto nla_put_failure;
13811 
13812 	cb[1] = nla_nest_start(msg, NL80211_ATTR_CQM);
13813 	if (!cb[1])
13814 		goto nla_put_failure;
13815 
13816 	cb[2] = rdev;
13817 
13818 	return msg;
13819  nla_put_failure:
13820 	nlmsg_free(msg);
13821 	return NULL;
13822 }
13823 
13824 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
13825 {
13826 	void **cb = (void **)msg->cb;
13827 	struct cfg80211_registered_device *rdev = cb[2];
13828 
13829 	nla_nest_end(msg, cb[1]);
13830 	genlmsg_end(msg, cb[0]);
13831 
13832 	memset(msg->cb, 0, sizeof(msg->cb));
13833 
13834 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13835 				NL80211_MCGRP_MLME, gfp);
13836 }
13837 
13838 void cfg80211_cqm_rssi_notify(struct net_device *dev,
13839 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
13840 			      gfp_t gfp)
13841 {
13842 	struct sk_buff *msg;
13843 
13844 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event);
13845 
13846 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
13847 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
13848 		return;
13849 
13850 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
13851 	if (!msg)
13852 		return;
13853 
13854 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
13855 			rssi_event))
13856 		goto nla_put_failure;
13857 
13858 	cfg80211_send_cqm(msg, gfp);
13859 
13860 	return;
13861 
13862  nla_put_failure:
13863 	nlmsg_free(msg);
13864 }
13865 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
13866 
13867 void cfg80211_cqm_txe_notify(struct net_device *dev,
13868 			     const u8 *peer, u32 num_packets,
13869 			     u32 rate, u32 intvl, gfp_t gfp)
13870 {
13871 	struct sk_buff *msg;
13872 
13873 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
13874 	if (!msg)
13875 		return;
13876 
13877 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
13878 		goto nla_put_failure;
13879 
13880 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
13881 		goto nla_put_failure;
13882 
13883 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
13884 		goto nla_put_failure;
13885 
13886 	cfg80211_send_cqm(msg, gfp);
13887 	return;
13888 
13889  nla_put_failure:
13890 	nlmsg_free(msg);
13891 }
13892 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
13893 
13894 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
13895 				 const u8 *peer, u32 num_packets, gfp_t gfp)
13896 {
13897 	struct sk_buff *msg;
13898 
13899 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
13900 
13901 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
13902 	if (!msg)
13903 		return;
13904 
13905 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
13906 		goto nla_put_failure;
13907 
13908 	cfg80211_send_cqm(msg, gfp);
13909 	return;
13910 
13911  nla_put_failure:
13912 	nlmsg_free(msg);
13913 }
13914 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
13915 
13916 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
13917 {
13918 	struct sk_buff *msg;
13919 
13920 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
13921 	if (!msg)
13922 		return;
13923 
13924 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
13925 		goto nla_put_failure;
13926 
13927 	cfg80211_send_cqm(msg, gfp);
13928 	return;
13929 
13930  nla_put_failure:
13931 	nlmsg_free(msg);
13932 }
13933 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
13934 
13935 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
13936 				     struct net_device *netdev, const u8 *bssid,
13937 				     const u8 *replay_ctr, gfp_t gfp)
13938 {
13939 	struct sk_buff *msg;
13940 	struct nlattr *rekey_attr;
13941 	void *hdr;
13942 
13943 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13944 	if (!msg)
13945 		return;
13946 
13947 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
13948 	if (!hdr) {
13949 		nlmsg_free(msg);
13950 		return;
13951 	}
13952 
13953 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13954 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
13955 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
13956 		goto nla_put_failure;
13957 
13958 	rekey_attr = nla_nest_start(msg, NL80211_ATTR_REKEY_DATA);
13959 	if (!rekey_attr)
13960 		goto nla_put_failure;
13961 
13962 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
13963 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
13964 		goto nla_put_failure;
13965 
13966 	nla_nest_end(msg, rekey_attr);
13967 
13968 	genlmsg_end(msg, hdr);
13969 
13970 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13971 				NL80211_MCGRP_MLME, gfp);
13972 	return;
13973 
13974  nla_put_failure:
13975 	genlmsg_cancel(msg, hdr);
13976 	nlmsg_free(msg);
13977 }
13978 
13979 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
13980 			       const u8 *replay_ctr, gfp_t gfp)
13981 {
13982 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13983 	struct wiphy *wiphy = wdev->wiphy;
13984 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13985 
13986 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
13987 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
13988 }
13989 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
13990 
13991 static void
13992 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
13993 			       struct net_device *netdev, int index,
13994 			       const u8 *bssid, bool preauth, gfp_t gfp)
13995 {
13996 	struct sk_buff *msg;
13997 	struct nlattr *attr;
13998 	void *hdr;
13999 
14000 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14001 	if (!msg)
14002 		return;
14003 
14004 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
14005 	if (!hdr) {
14006 		nlmsg_free(msg);
14007 		return;
14008 	}
14009 
14010 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14011 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
14012 		goto nla_put_failure;
14013 
14014 	attr = nla_nest_start(msg, NL80211_ATTR_PMKSA_CANDIDATE);
14015 	if (!attr)
14016 		goto nla_put_failure;
14017 
14018 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
14019 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
14020 	    (preauth &&
14021 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
14022 		goto nla_put_failure;
14023 
14024 	nla_nest_end(msg, attr);
14025 
14026 	genlmsg_end(msg, hdr);
14027 
14028 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14029 				NL80211_MCGRP_MLME, gfp);
14030 	return;
14031 
14032  nla_put_failure:
14033 	genlmsg_cancel(msg, hdr);
14034 	nlmsg_free(msg);
14035 }
14036 
14037 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
14038 				     const u8 *bssid, bool preauth, gfp_t gfp)
14039 {
14040 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14041 	struct wiphy *wiphy = wdev->wiphy;
14042 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14043 
14044 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
14045 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
14046 }
14047 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
14048 
14049 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
14050 				     struct net_device *netdev,
14051 				     struct cfg80211_chan_def *chandef,
14052 				     gfp_t gfp,
14053 				     enum nl80211_commands notif,
14054 				     u8 count)
14055 {
14056 	struct sk_buff *msg;
14057 	void *hdr;
14058 
14059 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14060 	if (!msg)
14061 		return;
14062 
14063 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
14064 	if (!hdr) {
14065 		nlmsg_free(msg);
14066 		return;
14067 	}
14068 
14069 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
14070 		goto nla_put_failure;
14071 
14072 	if (nl80211_send_chandef(msg, chandef))
14073 		goto nla_put_failure;
14074 
14075 	if ((notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) &&
14076 	    (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count)))
14077 			goto nla_put_failure;
14078 
14079 	genlmsg_end(msg, hdr);
14080 
14081 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14082 				NL80211_MCGRP_MLME, gfp);
14083 	return;
14084 
14085  nla_put_failure:
14086 	genlmsg_cancel(msg, hdr);
14087 	nlmsg_free(msg);
14088 }
14089 
14090 void cfg80211_ch_switch_notify(struct net_device *dev,
14091 			       struct cfg80211_chan_def *chandef)
14092 {
14093 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14094 	struct wiphy *wiphy = wdev->wiphy;
14095 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14096 
14097 	ASSERT_WDEV_LOCK(wdev);
14098 
14099 	trace_cfg80211_ch_switch_notify(dev, chandef);
14100 
14101 	wdev->chandef = *chandef;
14102 	wdev->preset_chandef = *chandef;
14103 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
14104 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0);
14105 }
14106 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
14107 
14108 void cfg80211_ch_switch_started_notify(struct net_device *dev,
14109 				       struct cfg80211_chan_def *chandef,
14110 				       u8 count)
14111 {
14112 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14113 	struct wiphy *wiphy = wdev->wiphy;
14114 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14115 
14116 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
14117 
14118 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
14119 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY, count);
14120 }
14121 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
14122 
14123 void
14124 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
14125 		     const struct cfg80211_chan_def *chandef,
14126 		     enum nl80211_radar_event event,
14127 		     struct net_device *netdev, gfp_t gfp)
14128 {
14129 	struct sk_buff *msg;
14130 	void *hdr;
14131 
14132 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14133 	if (!msg)
14134 		return;
14135 
14136 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
14137 	if (!hdr) {
14138 		nlmsg_free(msg);
14139 		return;
14140 	}
14141 
14142 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
14143 		goto nla_put_failure;
14144 
14145 	/* NOP and radar events don't need a netdev parameter */
14146 	if (netdev) {
14147 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
14148 
14149 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14150 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14151 				      NL80211_ATTR_PAD))
14152 			goto nla_put_failure;
14153 	}
14154 
14155 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
14156 		goto nla_put_failure;
14157 
14158 	if (nl80211_send_chandef(msg, chandef))
14159 		goto nla_put_failure;
14160 
14161 	genlmsg_end(msg, hdr);
14162 
14163 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14164 				NL80211_MCGRP_MLME, gfp);
14165 	return;
14166 
14167  nla_put_failure:
14168 	genlmsg_cancel(msg, hdr);
14169 	nlmsg_free(msg);
14170 }
14171 
14172 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
14173 			   u64 cookie, bool acked, gfp_t gfp)
14174 {
14175 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14176 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
14177 	struct sk_buff *msg;
14178 	void *hdr;
14179 
14180 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
14181 
14182 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14183 
14184 	if (!msg)
14185 		return;
14186 
14187 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
14188 	if (!hdr) {
14189 		nlmsg_free(msg);
14190 		return;
14191 	}
14192 
14193 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14194 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
14195 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
14196 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14197 			      NL80211_ATTR_PAD) ||
14198 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)))
14199 		goto nla_put_failure;
14200 
14201 	genlmsg_end(msg, hdr);
14202 
14203 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14204 				NL80211_MCGRP_MLME, gfp);
14205 	return;
14206 
14207  nla_put_failure:
14208 	genlmsg_cancel(msg, hdr);
14209 	nlmsg_free(msg);
14210 }
14211 EXPORT_SYMBOL(cfg80211_probe_status);
14212 
14213 void cfg80211_report_obss_beacon(struct wiphy *wiphy,
14214 				 const u8 *frame, size_t len,
14215 				 int freq, int sig_dbm)
14216 {
14217 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14218 	struct sk_buff *msg;
14219 	void *hdr;
14220 	struct cfg80211_beacon_registration *reg;
14221 
14222 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
14223 
14224 	spin_lock_bh(&rdev->beacon_registrations_lock);
14225 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
14226 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
14227 		if (!msg) {
14228 			spin_unlock_bh(&rdev->beacon_registrations_lock);
14229 			return;
14230 		}
14231 
14232 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
14233 		if (!hdr)
14234 			goto nla_put_failure;
14235 
14236 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14237 		    (freq &&
14238 		     nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq)) ||
14239 		    (sig_dbm &&
14240 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
14241 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
14242 			goto nla_put_failure;
14243 
14244 		genlmsg_end(msg, hdr);
14245 
14246 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
14247 	}
14248 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14249 	return;
14250 
14251  nla_put_failure:
14252 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14253 	if (hdr)
14254 		genlmsg_cancel(msg, hdr);
14255 	nlmsg_free(msg);
14256 }
14257 EXPORT_SYMBOL(cfg80211_report_obss_beacon);
14258 
14259 #ifdef CONFIG_PM
14260 static int cfg80211_net_detect_results(struct sk_buff *msg,
14261 				       struct cfg80211_wowlan_wakeup *wakeup)
14262 {
14263 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
14264 	struct nlattr *nl_results, *nl_match, *nl_freqs;
14265 	int i, j;
14266 
14267 	nl_results = nla_nest_start(
14268 		msg, NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
14269 	if (!nl_results)
14270 		return -EMSGSIZE;
14271 
14272 	for (i = 0; i < nd->n_matches; i++) {
14273 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
14274 
14275 		nl_match = nla_nest_start(msg, i);
14276 		if (!nl_match)
14277 			break;
14278 
14279 		/* The SSID attribute is optional in nl80211, but for
14280 		 * simplicity reasons it's always present in the
14281 		 * cfg80211 structure.  If a driver can't pass the
14282 		 * SSID, that needs to be changed.  A zero length SSID
14283 		 * is still a valid SSID (wildcard), so it cannot be
14284 		 * used for this purpose.
14285 		 */
14286 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
14287 			    match->ssid.ssid)) {
14288 			nla_nest_cancel(msg, nl_match);
14289 			goto out;
14290 		}
14291 
14292 		if (match->n_channels) {
14293 			nl_freqs = nla_nest_start(
14294 				msg, NL80211_ATTR_SCAN_FREQUENCIES);
14295 			if (!nl_freqs) {
14296 				nla_nest_cancel(msg, nl_match);
14297 				goto out;
14298 			}
14299 
14300 			for (j = 0; j < match->n_channels; j++) {
14301 				if (nla_put_u32(msg, j, match->channels[j])) {
14302 					nla_nest_cancel(msg, nl_freqs);
14303 					nla_nest_cancel(msg, nl_match);
14304 					goto out;
14305 				}
14306 			}
14307 
14308 			nla_nest_end(msg, nl_freqs);
14309 		}
14310 
14311 		nla_nest_end(msg, nl_match);
14312 	}
14313 
14314 out:
14315 	nla_nest_end(msg, nl_results);
14316 	return 0;
14317 }
14318 
14319 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
14320 				   struct cfg80211_wowlan_wakeup *wakeup,
14321 				   gfp_t gfp)
14322 {
14323 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
14324 	struct sk_buff *msg;
14325 	void *hdr;
14326 	int size = 200;
14327 
14328 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
14329 
14330 	if (wakeup)
14331 		size += wakeup->packet_present_len;
14332 
14333 	msg = nlmsg_new(size, gfp);
14334 	if (!msg)
14335 		return;
14336 
14337 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
14338 	if (!hdr)
14339 		goto free_msg;
14340 
14341 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14342 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14343 			      NL80211_ATTR_PAD))
14344 		goto free_msg;
14345 
14346 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14347 					wdev->netdev->ifindex))
14348 		goto free_msg;
14349 
14350 	if (wakeup) {
14351 		struct nlattr *reasons;
14352 
14353 		reasons = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
14354 		if (!reasons)
14355 			goto free_msg;
14356 
14357 		if (wakeup->disconnect &&
14358 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
14359 			goto free_msg;
14360 		if (wakeup->magic_pkt &&
14361 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
14362 			goto free_msg;
14363 		if (wakeup->gtk_rekey_failure &&
14364 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
14365 			goto free_msg;
14366 		if (wakeup->eap_identity_req &&
14367 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
14368 			goto free_msg;
14369 		if (wakeup->four_way_handshake &&
14370 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
14371 			goto free_msg;
14372 		if (wakeup->rfkill_release &&
14373 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
14374 			goto free_msg;
14375 
14376 		if (wakeup->pattern_idx >= 0 &&
14377 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
14378 				wakeup->pattern_idx))
14379 			goto free_msg;
14380 
14381 		if (wakeup->tcp_match &&
14382 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
14383 			goto free_msg;
14384 
14385 		if (wakeup->tcp_connlost &&
14386 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
14387 			goto free_msg;
14388 
14389 		if (wakeup->tcp_nomoretokens &&
14390 		    nla_put_flag(msg,
14391 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
14392 			goto free_msg;
14393 
14394 		if (wakeup->packet) {
14395 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
14396 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
14397 
14398 			if (!wakeup->packet_80211) {
14399 				pkt_attr =
14400 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
14401 				len_attr =
14402 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
14403 			}
14404 
14405 			if (wakeup->packet_len &&
14406 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
14407 				goto free_msg;
14408 
14409 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
14410 				    wakeup->packet))
14411 				goto free_msg;
14412 		}
14413 
14414 		if (wakeup->net_detect &&
14415 		    cfg80211_net_detect_results(msg, wakeup))
14416 				goto free_msg;
14417 
14418 		nla_nest_end(msg, reasons);
14419 	}
14420 
14421 	genlmsg_end(msg, hdr);
14422 
14423 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14424 				NL80211_MCGRP_MLME, gfp);
14425 	return;
14426 
14427  free_msg:
14428 	nlmsg_free(msg);
14429 }
14430 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
14431 #endif
14432 
14433 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
14434 				enum nl80211_tdls_operation oper,
14435 				u16 reason_code, gfp_t gfp)
14436 {
14437 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14438 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
14439 	struct sk_buff *msg;
14440 	void *hdr;
14441 
14442 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
14443 					 reason_code);
14444 
14445 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14446 	if (!msg)
14447 		return;
14448 
14449 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
14450 	if (!hdr) {
14451 		nlmsg_free(msg);
14452 		return;
14453 	}
14454 
14455 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14456 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
14457 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
14458 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
14459 	    (reason_code > 0 &&
14460 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
14461 		goto nla_put_failure;
14462 
14463 	genlmsg_end(msg, hdr);
14464 
14465 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14466 				NL80211_MCGRP_MLME, gfp);
14467 	return;
14468 
14469  nla_put_failure:
14470 	genlmsg_cancel(msg, hdr);
14471 	nlmsg_free(msg);
14472 }
14473 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
14474 
14475 static int nl80211_netlink_notify(struct notifier_block * nb,
14476 				  unsigned long state,
14477 				  void *_notify)
14478 {
14479 	struct netlink_notify *notify = _notify;
14480 	struct cfg80211_registered_device *rdev;
14481 	struct wireless_dev *wdev;
14482 	struct cfg80211_beacon_registration *reg, *tmp;
14483 
14484 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
14485 		return NOTIFY_DONE;
14486 
14487 	rcu_read_lock();
14488 
14489 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
14490 		bool schedule_destroy_work = false;
14491 		bool schedule_scan_stop = false;
14492 		struct cfg80211_sched_scan_request *sched_scan_req =
14493 			rcu_dereference(rdev->sched_scan_req);
14494 
14495 		if (sched_scan_req && notify->portid &&
14496 		    sched_scan_req->owner_nlportid == notify->portid)
14497 			schedule_scan_stop = true;
14498 
14499 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
14500 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
14501 
14502 			if (wdev->owner_nlportid == notify->portid)
14503 				schedule_destroy_work = true;
14504 		}
14505 
14506 		spin_lock_bh(&rdev->beacon_registrations_lock);
14507 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
14508 					 list) {
14509 			if (reg->nlportid == notify->portid) {
14510 				list_del(&reg->list);
14511 				kfree(reg);
14512 				break;
14513 			}
14514 		}
14515 		spin_unlock_bh(&rdev->beacon_registrations_lock);
14516 
14517 		if (schedule_destroy_work) {
14518 			struct cfg80211_iface_destroy *destroy;
14519 
14520 			destroy = kzalloc(sizeof(*destroy), GFP_ATOMIC);
14521 			if (destroy) {
14522 				destroy->nlportid = notify->portid;
14523 				spin_lock(&rdev->destroy_list_lock);
14524 				list_add(&destroy->list, &rdev->destroy_list);
14525 				spin_unlock(&rdev->destroy_list_lock);
14526 				schedule_work(&rdev->destroy_work);
14527 			}
14528 		} else if (schedule_scan_stop) {
14529 			sched_scan_req->owner_nlportid = 0;
14530 
14531 			if (rdev->ops->sched_scan_stop &&
14532 			    rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
14533 				schedule_work(&rdev->sched_scan_stop_wk);
14534 		}
14535 	}
14536 
14537 	rcu_read_unlock();
14538 
14539 	/*
14540 	 * It is possible that the user space process that is controlling the
14541 	 * indoor setting disappeared, so notify the regulatory core.
14542 	 */
14543 	regulatory_netlink_notify(notify->portid);
14544 	return NOTIFY_OK;
14545 }
14546 
14547 static struct notifier_block nl80211_netlink_notifier = {
14548 	.notifier_call = nl80211_netlink_notify,
14549 };
14550 
14551 void cfg80211_ft_event(struct net_device *netdev,
14552 		       struct cfg80211_ft_event_params *ft_event)
14553 {
14554 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
14555 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14556 	struct sk_buff *msg;
14557 	void *hdr;
14558 
14559 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
14560 
14561 	if (!ft_event->target_ap)
14562 		return;
14563 
14564 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14565 	if (!msg)
14566 		return;
14567 
14568 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
14569 	if (!hdr)
14570 		goto out;
14571 
14572 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14573 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14574 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
14575 		goto out;
14576 
14577 	if (ft_event->ies &&
14578 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
14579 		goto out;
14580 	if (ft_event->ric_ies &&
14581 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
14582 		    ft_event->ric_ies))
14583 		goto out;
14584 
14585 	genlmsg_end(msg, hdr);
14586 
14587 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14588 				NL80211_MCGRP_MLME, GFP_KERNEL);
14589 	return;
14590  out:
14591 	nlmsg_free(msg);
14592 }
14593 EXPORT_SYMBOL(cfg80211_ft_event);
14594 
14595 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
14596 {
14597 	struct cfg80211_registered_device *rdev;
14598 	struct sk_buff *msg;
14599 	void *hdr;
14600 	u32 nlportid;
14601 
14602 	rdev = wiphy_to_rdev(wdev->wiphy);
14603 	if (!rdev->crit_proto_nlportid)
14604 		return;
14605 
14606 	nlportid = rdev->crit_proto_nlportid;
14607 	rdev->crit_proto_nlportid = 0;
14608 
14609 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14610 	if (!msg)
14611 		return;
14612 
14613 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
14614 	if (!hdr)
14615 		goto nla_put_failure;
14616 
14617 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14618 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14619 			      NL80211_ATTR_PAD))
14620 		goto nla_put_failure;
14621 
14622 	genlmsg_end(msg, hdr);
14623 
14624 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
14625 	return;
14626 
14627  nla_put_failure:
14628 	if (hdr)
14629 		genlmsg_cancel(msg, hdr);
14630 	nlmsg_free(msg);
14631 }
14632 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
14633 
14634 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
14635 {
14636 	struct wiphy *wiphy = wdev->wiphy;
14637 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14638 	struct sk_buff *msg;
14639 	void *hdr;
14640 
14641 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14642 	if (!msg)
14643 		return;
14644 
14645 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
14646 	if (!hdr)
14647 		goto out;
14648 
14649 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14650 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
14651 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14652 			      NL80211_ATTR_PAD))
14653 		goto out;
14654 
14655 	genlmsg_end(msg, hdr);
14656 
14657 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
14658 				NL80211_MCGRP_MLME, GFP_KERNEL);
14659 	return;
14660  out:
14661 	nlmsg_free(msg);
14662 }
14663 
14664 /* initialisation/exit functions */
14665 
14666 int __init nl80211_init(void)
14667 {
14668 	int err;
14669 
14670 	err = genl_register_family(&nl80211_fam);
14671 	if (err)
14672 		return err;
14673 
14674 	err = netlink_register_notifier(&nl80211_netlink_notifier);
14675 	if (err)
14676 		goto err_out;
14677 
14678 	return 0;
14679  err_out:
14680 	genl_unregister_family(&nl80211_fam);
14681 	return err;
14682 }
14683 
14684 void nl80211_exit(void)
14685 {
14686 	netlink_unregister_notifier(&nl80211_netlink_notifier);
14687 	genl_unregister_family(&nl80211_fam);
14688 }
14689