xref: /openbmc/linux/net/wireless/nl80211.c (revision c819e2cf) 
1 /*
2  * This is the new netlink-based wireless configuration interface.
3  *
4  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
5  * Copyright 2013-2014  Intel Mobile Communications GmbH
6  */
7 
8 #include <linux/if.h>
9 #include <linux/module.h>
10 #include <linux/err.h>
11 #include <linux/slab.h>
12 #include <linux/list.h>
13 #include <linux/if_ether.h>
14 #include <linux/ieee80211.h>
15 #include <linux/nl80211.h>
16 #include <linux/rtnetlink.h>
17 #include <linux/netlink.h>
18 #include <linux/etherdevice.h>
19 #include <net/net_namespace.h>
20 #include <net/genetlink.h>
21 #include <net/cfg80211.h>
22 #include <net/sock.h>
23 #include <net/inet_connection_sock.h>
24 #include "core.h"
25 #include "nl80211.h"
26 #include "reg.h"
27 #include "rdev-ops.h"
28 
29 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
30 				   struct genl_info *info,
31 				   struct cfg80211_crypto_settings *settings,
32 				   int cipher_limit);
33 
34 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
35 			    struct genl_info *info);
36 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
37 			      struct genl_info *info);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam = {
41 	.id = GENL_ID_GENERATE,		/* don't bother with a hardcoded ID */
42 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
43 	.hdrsize = 0,			/* no private header */
44 	.version = 1,			/* no particular meaning now */
45 	.maxattr = NL80211_ATTR_MAX,
46 	.netnsok = true,
47 	.pre_doit = nl80211_pre_doit,
48 	.post_doit = nl80211_post_doit,
49 };
50 
51 /* multicast groups */
52 enum nl80211_multicast_groups {
53 	NL80211_MCGRP_CONFIG,
54 	NL80211_MCGRP_SCAN,
55 	NL80211_MCGRP_REGULATORY,
56 	NL80211_MCGRP_MLME,
57 	NL80211_MCGRP_VENDOR,
58 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
59 };
60 
61 static const struct genl_multicast_group nl80211_mcgrps[] = {
62 	[NL80211_MCGRP_CONFIG] = { .name = "config", },
63 	[NL80211_MCGRP_SCAN] = { .name = "scan", },
64 	[NL80211_MCGRP_REGULATORY] = { .name = "regulatory", },
65 	[NL80211_MCGRP_MLME] = { .name = "mlme", },
66 	[NL80211_MCGRP_VENDOR] = { .name = "vendor", },
67 #ifdef CONFIG_NL80211_TESTMODE
68 	[NL80211_MCGRP_TESTMODE] = { .name = "testmode", }
69 #endif
70 };
71 
72 /* returns ERR_PTR values */
73 static struct wireless_dev *
74 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
75 {
76 	struct cfg80211_registered_device *rdev;
77 	struct wireless_dev *result = NULL;
78 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
79 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
80 	u64 wdev_id;
81 	int wiphy_idx = -1;
82 	int ifidx = -1;
83 
84 	ASSERT_RTNL();
85 
86 	if (!have_ifidx && !have_wdev_id)
87 		return ERR_PTR(-EINVAL);
88 
89 	if (have_ifidx)
90 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
91 	if (have_wdev_id) {
92 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
93 		wiphy_idx = wdev_id >> 32;
94 	}
95 
96 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
97 		struct wireless_dev *wdev;
98 
99 		if (wiphy_net(&rdev->wiphy) != netns)
100 			continue;
101 
102 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
103 			continue;
104 
105 		list_for_each_entry(wdev, &rdev->wdev_list, list) {
106 			if (have_ifidx && wdev->netdev &&
107 			    wdev->netdev->ifindex == ifidx) {
108 				result = wdev;
109 				break;
110 			}
111 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
112 				result = wdev;
113 				break;
114 			}
115 		}
116 
117 		if (result)
118 			break;
119 	}
120 
121 	if (result)
122 		return result;
123 	return ERR_PTR(-ENODEV);
124 }
125 
126 static struct cfg80211_registered_device *
127 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
128 {
129 	struct cfg80211_registered_device *rdev = NULL, *tmp;
130 	struct net_device *netdev;
131 
132 	ASSERT_RTNL();
133 
134 	if (!attrs[NL80211_ATTR_WIPHY] &&
135 	    !attrs[NL80211_ATTR_IFINDEX] &&
136 	    !attrs[NL80211_ATTR_WDEV])
137 		return ERR_PTR(-EINVAL);
138 
139 	if (attrs[NL80211_ATTR_WIPHY])
140 		rdev = cfg80211_rdev_by_wiphy_idx(
141 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
142 
143 	if (attrs[NL80211_ATTR_WDEV]) {
144 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
145 		struct wireless_dev *wdev;
146 		bool found = false;
147 
148 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
149 		if (tmp) {
150 			/* make sure wdev exists */
151 			list_for_each_entry(wdev, &tmp->wdev_list, list) {
152 				if (wdev->identifier != (u32)wdev_id)
153 					continue;
154 				found = true;
155 				break;
156 			}
157 
158 			if (!found)
159 				tmp = NULL;
160 
161 			if (rdev && tmp != rdev)
162 				return ERR_PTR(-EINVAL);
163 			rdev = tmp;
164 		}
165 	}
166 
167 	if (attrs[NL80211_ATTR_IFINDEX]) {
168 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
169 		netdev = __dev_get_by_index(netns, ifindex);
170 		if (netdev) {
171 			if (netdev->ieee80211_ptr)
172 				tmp = wiphy_to_rdev(
173 					netdev->ieee80211_ptr->wiphy);
174 			else
175 				tmp = NULL;
176 
177 			/* not wireless device -- return error */
178 			if (!tmp)
179 				return ERR_PTR(-EINVAL);
180 
181 			/* mismatch -- return error */
182 			if (rdev && tmp != rdev)
183 				return ERR_PTR(-EINVAL);
184 
185 			rdev = tmp;
186 		}
187 	}
188 
189 	if (!rdev)
190 		return ERR_PTR(-ENODEV);
191 
192 	if (netns != wiphy_net(&rdev->wiphy))
193 		return ERR_PTR(-ENODEV);
194 
195 	return rdev;
196 }
197 
198 /*
199  * This function returns a pointer to the driver
200  * that the genl_info item that is passed refers to.
201  *
202  * The result of this can be a PTR_ERR and hence must
203  * be checked with IS_ERR() for errors.
204  */
205 static struct cfg80211_registered_device *
206 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
207 {
208 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
209 }
210 
211 /* policy for the attributes */
212 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
213 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
214 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
215 				      .len = 20-1 },
216 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
217 
218 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
219 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
220 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
221 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
222 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
223 
224 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = { .type = NLA_U8 },
225 	[NL80211_ATTR_WIPHY_RETRY_LONG] = { .type = NLA_U8 },
226 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
227 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
228 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
229 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
230 
231 	[NL80211_ATTR_IFTYPE] = { .type = NLA_U32 },
232 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
233 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
234 
235 	[NL80211_ATTR_MAC] = { .len = ETH_ALEN },
236 	[NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },
237 
238 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
239 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
240 				    .len = WLAN_MAX_KEY_LEN },
241 	[NL80211_ATTR_KEY_IDX] = { .type = NLA_U8 },
242 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
243 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
244 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
245 	[NL80211_ATTR_KEY_TYPE] = { .type = NLA_U32 },
246 
247 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
248 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
249 	[NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
250 				       .len = IEEE80211_MAX_DATA_LEN },
251 	[NL80211_ATTR_BEACON_TAIL] = { .type = NLA_BINARY,
252 				       .len = IEEE80211_MAX_DATA_LEN },
253 	[NL80211_ATTR_STA_AID] = { .type = NLA_U16 },
254 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
255 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
256 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
257 					       .len = NL80211_MAX_SUPP_RATES },
258 	[NL80211_ATTR_STA_PLINK_ACTION] = { .type = NLA_U8 },
259 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
260 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
261 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
262 				   .len = IEEE80211_MAX_MESH_ID_LEN },
263 	[NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
264 
265 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
266 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
267 
268 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
269 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
270 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
271 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
272 					   .len = NL80211_MAX_SUPP_RATES },
273 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
274 
275 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
276 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
277 
278 	[NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
279 
280 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
281 	[NL80211_ATTR_IE] = { .type = NLA_BINARY,
282 			      .len = IEEE80211_MAX_DATA_LEN },
283 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
284 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
285 
286 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
287 				.len = IEEE80211_MAX_SSID_LEN },
288 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
289 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
290 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
291 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
292 	[NL80211_ATTR_USE_MFP] = { .type = NLA_U32 },
293 	[NL80211_ATTR_STA_FLAGS2] = {
294 		.len = sizeof(struct nl80211_sta_flag_update),
295 	},
296 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
297 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
298 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
299 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
300 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
301 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
302 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
303 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
304 	[NL80211_ATTR_PMKID] = { .type = NLA_BINARY,
305 				 .len = WLAN_PMKID_LEN },
306 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
307 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
308 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
309 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
310 				 .len = IEEE80211_MAX_DATA_LEN },
311 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
312 	[NL80211_ATTR_PS_STATE] = { .type = NLA_U32 },
313 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
314 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
315 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
316 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
317 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
318 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
319 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
320 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
321 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
322 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
323 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
324 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
325 	[NL80211_ATTR_STA_PLINK_STATE] = { .type = NLA_U8 },
326 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
327 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
328 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
329 	[NL80211_ATTR_HIDDEN_SSID] = { .type = NLA_U32 },
330 	[NL80211_ATTR_IE_PROBE_RESP] = { .type = NLA_BINARY,
331 					 .len = IEEE80211_MAX_DATA_LEN },
332 	[NL80211_ATTR_IE_ASSOC_RESP] = { .type = NLA_BINARY,
333 					 .len = IEEE80211_MAX_DATA_LEN },
334 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
335 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
336 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
337 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
338 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
339 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
340 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
341 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
342 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
343 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
344 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
345 				      .len = IEEE80211_MAX_DATA_LEN },
346 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
347 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
348 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
349 		.len = NL80211_HT_CAPABILITY_LEN
350 	},
351 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
352 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
353 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
354 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
355 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
356 	[NL80211_ATTR_SAE_DATA] = { .type = NLA_BINARY, },
357 	[NL80211_ATTR_VHT_CAPABILITY] = { .len = NL80211_VHT_CAPABILITY_LEN },
358 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
359 	[NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
360 	[NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
361 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
362 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
363 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
364 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
365 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
366 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
367 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
368 		.len = NL80211_VHT_CAPABILITY_LEN,
369 	},
370 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
371 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
372 				  .len = IEEE80211_MAX_DATA_LEN },
373 	[NL80211_ATTR_PEER_AID] = { .type = NLA_U16 },
374 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
375 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
376 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
377 	[NL80211_ATTR_CSA_C_OFF_BEACON] = { .type = NLA_BINARY },
378 	[NL80211_ATTR_CSA_C_OFF_PRESP] = { .type = NLA_BINARY },
379 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = { .type = NLA_BINARY },
380 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] = { .type = NLA_BINARY },
381 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
382 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
383 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
384 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
385 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
386 	[NL80211_ATTR_QOS_MAP] = { .type = NLA_BINARY,
387 				   .len = IEEE80211_QOS_MAP_LEN_MAX },
388 	[NL80211_ATTR_MAC_HINT] = { .len = ETH_ALEN },
389 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
390 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
391 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
392 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
393 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
394 	[NL80211_ATTR_TSID] = { .type = NLA_U8 },
395 	[NL80211_ATTR_USER_PRIO] = { .type = NLA_U8 },
396 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
397 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
398 	[NL80211_ATTR_MAC_MASK] = { .len = ETH_ALEN },
399 };
400 
401 /* policy for the key attributes */
402 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
403 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
404 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
405 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
406 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
407 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
408 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
409 	[NL80211_KEY_TYPE] = { .type = NLA_U32 },
410 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
411 };
412 
413 /* policy for the key default flags */
414 static const struct nla_policy
415 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
416 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
417 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
418 };
419 
420 /* policy for WoWLAN attributes */
421 static const struct nla_policy
422 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
423 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
424 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
425 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
426 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
427 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
428 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
429 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
430 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
431 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
432 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
433 };
434 
435 static const struct nla_policy
436 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
437 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
438 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
439 	[NL80211_WOWLAN_TCP_DST_MAC] = { .len = ETH_ALEN },
440 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
441 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
442 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = { .len = 1 },
443 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
444 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
445 	},
446 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
447 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
448 	},
449 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
450 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = { .len = 1 },
451 	[NL80211_WOWLAN_TCP_WAKE_MASK] = { .len = 1 },
452 };
453 
454 /* policy for coalesce rule attributes */
455 static const struct nla_policy
456 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
457 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
458 	[NL80211_ATTR_COALESCE_RULE_CONDITION] = { .type = NLA_U32 },
459 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
460 };
461 
462 /* policy for GTK rekey offload attributes */
463 static const struct nla_policy
464 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
465 	[NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
466 	[NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
467 	[NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
468 };
469 
470 static const struct nla_policy
471 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
472 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
473 						 .len = IEEE80211_MAX_SSID_LEN },
474 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
475 };
476 
477 static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
478 				     struct netlink_callback *cb,
479 				     struct cfg80211_registered_device **rdev,
480 				     struct wireless_dev **wdev)
481 {
482 	int err;
483 
484 	rtnl_lock();
485 
486 	if (!cb->args[0]) {
487 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
488 				  nl80211_fam.attrbuf, nl80211_fam.maxattr,
489 				  nl80211_policy);
490 		if (err)
491 			goto out_unlock;
492 
493 		*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk),
494 						   nl80211_fam.attrbuf);
495 		if (IS_ERR(*wdev)) {
496 			err = PTR_ERR(*wdev);
497 			goto out_unlock;
498 		}
499 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
500 		/* 0 is the first index - add 1 to parse only once */
501 		cb->args[0] = (*rdev)->wiphy_idx + 1;
502 		cb->args[1] = (*wdev)->identifier;
503 	} else {
504 		/* subtract the 1 again here */
505 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
506 		struct wireless_dev *tmp;
507 
508 		if (!wiphy) {
509 			err = -ENODEV;
510 			goto out_unlock;
511 		}
512 		*rdev = wiphy_to_rdev(wiphy);
513 		*wdev = NULL;
514 
515 		list_for_each_entry(tmp, &(*rdev)->wdev_list, list) {
516 			if (tmp->identifier == cb->args[1]) {
517 				*wdev = tmp;
518 				break;
519 			}
520 		}
521 
522 		if (!*wdev) {
523 			err = -ENODEV;
524 			goto out_unlock;
525 		}
526 	}
527 
528 	return 0;
529  out_unlock:
530 	rtnl_unlock();
531 	return err;
532 }
533 
534 static void nl80211_finish_wdev_dump(struct cfg80211_registered_device *rdev)
535 {
536 	rtnl_unlock();
537 }
538 
539 /* IE validation */
540 static bool is_valid_ie_attr(const struct nlattr *attr)
541 {
542 	const u8 *pos;
543 	int len;
544 
545 	if (!attr)
546 		return true;
547 
548 	pos = nla_data(attr);
549 	len = nla_len(attr);
550 
551 	while (len) {
552 		u8 elemlen;
553 
554 		if (len < 2)
555 			return false;
556 		len -= 2;
557 
558 		elemlen = pos[1];
559 		if (elemlen > len)
560 			return false;
561 
562 		len -= elemlen;
563 		pos += 2 + elemlen;
564 	}
565 
566 	return true;
567 }
568 
569 /* message building helper */
570 static inline void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
571 				   int flags, u8 cmd)
572 {
573 	/* since there is no private header just add the generic one */
574 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
575 }
576 
577 static int nl80211_msg_put_channel(struct sk_buff *msg,
578 				   struct ieee80211_channel *chan,
579 				   bool large)
580 {
581 	/* Some channels must be completely excluded from the
582 	 * list to protect old user-space tools from breaking
583 	 */
584 	if (!large && chan->flags &
585 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
586 		return 0;
587 
588 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
589 			chan->center_freq))
590 		goto nla_put_failure;
591 
592 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
593 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
594 		goto nla_put_failure;
595 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
596 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
597 			goto nla_put_failure;
598 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
599 			goto nla_put_failure;
600 	}
601 	if (chan->flags & IEEE80211_CHAN_RADAR) {
602 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
603 			goto nla_put_failure;
604 		if (large) {
605 			u32 time;
606 
607 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
608 
609 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
610 					chan->dfs_state))
611 				goto nla_put_failure;
612 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
613 					time))
614 				goto nla_put_failure;
615 			if (nla_put_u32(msg,
616 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
617 					chan->dfs_cac_ms))
618 				goto nla_put_failure;
619 		}
620 	}
621 
622 	if (large) {
623 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
624 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
625 			goto nla_put_failure;
626 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
627 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
628 			goto nla_put_failure;
629 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
630 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
631 			goto nla_put_failure;
632 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
633 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
634 			goto nla_put_failure;
635 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
636 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
637 			goto nla_put_failure;
638 		if ((chan->flags & IEEE80211_CHAN_GO_CONCURRENT) &&
639 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_GO_CONCURRENT))
640 			goto nla_put_failure;
641 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
642 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
643 			goto nla_put_failure;
644 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
645 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
646 			goto nla_put_failure;
647 	}
648 
649 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
650 			DBM_TO_MBM(chan->max_power)))
651 		goto nla_put_failure;
652 
653 	return 0;
654 
655  nla_put_failure:
656 	return -ENOBUFS;
657 }
658 
659 /* netlink command implementations */
660 
661 struct key_parse {
662 	struct key_params p;
663 	int idx;
664 	int type;
665 	bool def, defmgmt;
666 	bool def_uni, def_multi;
667 };
668 
669 static int nl80211_parse_key_new(struct nlattr *key, struct key_parse *k)
670 {
671 	struct nlattr *tb[NL80211_KEY_MAX + 1];
672 	int err = nla_parse_nested(tb, NL80211_KEY_MAX, key,
673 				   nl80211_key_policy);
674 	if (err)
675 		return err;
676 
677 	k->def = !!tb[NL80211_KEY_DEFAULT];
678 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
679 
680 	if (k->def) {
681 		k->def_uni = true;
682 		k->def_multi = true;
683 	}
684 	if (k->defmgmt)
685 		k->def_multi = true;
686 
687 	if (tb[NL80211_KEY_IDX])
688 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
689 
690 	if (tb[NL80211_KEY_DATA]) {
691 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
692 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
693 	}
694 
695 	if (tb[NL80211_KEY_SEQ]) {
696 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
697 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
698 	}
699 
700 	if (tb[NL80211_KEY_CIPHER])
701 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
702 
703 	if (tb[NL80211_KEY_TYPE]) {
704 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
705 		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
706 			return -EINVAL;
707 	}
708 
709 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
710 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
711 		err = nla_parse_nested(kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
712 				       tb[NL80211_KEY_DEFAULT_TYPES],
713 				       nl80211_key_default_policy);
714 		if (err)
715 			return err;
716 
717 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
718 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
719 	}
720 
721 	return 0;
722 }
723 
724 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
725 {
726 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
727 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
728 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
729 	}
730 
731 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
732 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
733 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
734 	}
735 
736 	if (info->attrs[NL80211_ATTR_KEY_IDX])
737 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
738 
739 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
740 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
741 
742 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
743 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
744 
745 	if (k->def) {
746 		k->def_uni = true;
747 		k->def_multi = true;
748 	}
749 	if (k->defmgmt)
750 		k->def_multi = true;
751 
752 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
753 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
754 		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
755 			return -EINVAL;
756 	}
757 
758 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
759 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
760 		int err = nla_parse_nested(
761 				kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
762 				info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
763 				nl80211_key_default_policy);
764 		if (err)
765 			return err;
766 
767 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
768 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
769 	}
770 
771 	return 0;
772 }
773 
774 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
775 {
776 	int err;
777 
778 	memset(k, 0, sizeof(*k));
779 	k->idx = -1;
780 	k->type = -1;
781 
782 	if (info->attrs[NL80211_ATTR_KEY])
783 		err = nl80211_parse_key_new(info->attrs[NL80211_ATTR_KEY], k);
784 	else
785 		err = nl80211_parse_key_old(info, k);
786 
787 	if (err)
788 		return err;
789 
790 	if (k->def && k->defmgmt)
791 		return -EINVAL;
792 
793 	if (k->defmgmt) {
794 		if (k->def_uni || !k->def_multi)
795 			return -EINVAL;
796 	}
797 
798 	if (k->idx != -1) {
799 		if (k->defmgmt) {
800 			if (k->idx < 4 || k->idx > 5)
801 				return -EINVAL;
802 		} else if (k->def) {
803 			if (k->idx < 0 || k->idx > 3)
804 				return -EINVAL;
805 		} else {
806 			if (k->idx < 0 || k->idx > 5)
807 				return -EINVAL;
808 		}
809 	}
810 
811 	return 0;
812 }
813 
814 static struct cfg80211_cached_keys *
815 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
816 		       struct nlattr *keys, bool *no_ht)
817 {
818 	struct key_parse parse;
819 	struct nlattr *key;
820 	struct cfg80211_cached_keys *result;
821 	int rem, err, def = 0;
822 
823 	result = kzalloc(sizeof(*result), GFP_KERNEL);
824 	if (!result)
825 		return ERR_PTR(-ENOMEM);
826 
827 	result->def = -1;
828 	result->defmgmt = -1;
829 
830 	nla_for_each_nested(key, keys, rem) {
831 		memset(&parse, 0, sizeof(parse));
832 		parse.idx = -1;
833 
834 		err = nl80211_parse_key_new(key, &parse);
835 		if (err)
836 			goto error;
837 		err = -EINVAL;
838 		if (!parse.p.key)
839 			goto error;
840 		if (parse.idx < 0 || parse.idx > 4)
841 			goto error;
842 		if (parse.def) {
843 			if (def)
844 				goto error;
845 			def = 1;
846 			result->def = parse.idx;
847 			if (!parse.def_uni || !parse.def_multi)
848 				goto error;
849 		} else if (parse.defmgmt)
850 			goto error;
851 		err = cfg80211_validate_key_settings(rdev, &parse.p,
852 						     parse.idx, false, NULL);
853 		if (err)
854 			goto error;
855 		result->params[parse.idx].cipher = parse.p.cipher;
856 		result->params[parse.idx].key_len = parse.p.key_len;
857 		result->params[parse.idx].key = result->data[parse.idx];
858 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
859 
860 		if (parse.p.cipher == WLAN_CIPHER_SUITE_WEP40 ||
861 		    parse.p.cipher == WLAN_CIPHER_SUITE_WEP104) {
862 			if (no_ht)
863 				*no_ht = true;
864 		}
865 	}
866 
867 	return result;
868  error:
869 	kfree(result);
870 	return ERR_PTR(err);
871 }
872 
873 static int nl80211_key_allowed(struct wireless_dev *wdev)
874 {
875 	ASSERT_WDEV_LOCK(wdev);
876 
877 	switch (wdev->iftype) {
878 	case NL80211_IFTYPE_AP:
879 	case NL80211_IFTYPE_AP_VLAN:
880 	case NL80211_IFTYPE_P2P_GO:
881 	case NL80211_IFTYPE_MESH_POINT:
882 		break;
883 	case NL80211_IFTYPE_ADHOC:
884 	case NL80211_IFTYPE_STATION:
885 	case NL80211_IFTYPE_P2P_CLIENT:
886 		if (!wdev->current_bss)
887 			return -ENOLINK;
888 		break;
889 	case NL80211_IFTYPE_UNSPECIFIED:
890 	case NL80211_IFTYPE_OCB:
891 	case NL80211_IFTYPE_MONITOR:
892 	case NL80211_IFTYPE_P2P_DEVICE:
893 	case NL80211_IFTYPE_WDS:
894 	case NUM_NL80211_IFTYPES:
895 		return -EINVAL;
896 	}
897 
898 	return 0;
899 }
900 
901 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
902 							struct nlattr *tb)
903 {
904 	struct ieee80211_channel *chan;
905 
906 	if (tb == NULL)
907 		return NULL;
908 	chan = ieee80211_get_channel(wiphy, nla_get_u32(tb));
909 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
910 		return NULL;
911 	return chan;
912 }
913 
914 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
915 {
916 	struct nlattr *nl_modes = nla_nest_start(msg, attr);
917 	int i;
918 
919 	if (!nl_modes)
920 		goto nla_put_failure;
921 
922 	i = 0;
923 	while (ifmodes) {
924 		if ((ifmodes & 1) && nla_put_flag(msg, i))
925 			goto nla_put_failure;
926 		ifmodes >>= 1;
927 		i++;
928 	}
929 
930 	nla_nest_end(msg, nl_modes);
931 	return 0;
932 
933 nla_put_failure:
934 	return -ENOBUFS;
935 }
936 
937 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
938 					  struct sk_buff *msg,
939 					  bool large)
940 {
941 	struct nlattr *nl_combis;
942 	int i, j;
943 
944 	nl_combis = nla_nest_start(msg,
945 				NL80211_ATTR_INTERFACE_COMBINATIONS);
946 	if (!nl_combis)
947 		goto nla_put_failure;
948 
949 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
950 		const struct ieee80211_iface_combination *c;
951 		struct nlattr *nl_combi, *nl_limits;
952 
953 		c = &wiphy->iface_combinations[i];
954 
955 		nl_combi = nla_nest_start(msg, i + 1);
956 		if (!nl_combi)
957 			goto nla_put_failure;
958 
959 		nl_limits = nla_nest_start(msg, NL80211_IFACE_COMB_LIMITS);
960 		if (!nl_limits)
961 			goto nla_put_failure;
962 
963 		for (j = 0; j < c->n_limits; j++) {
964 			struct nlattr *nl_limit;
965 
966 			nl_limit = nla_nest_start(msg, j + 1);
967 			if (!nl_limit)
968 				goto nla_put_failure;
969 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
970 					c->limits[j].max))
971 				goto nla_put_failure;
972 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
973 						c->limits[j].types))
974 				goto nla_put_failure;
975 			nla_nest_end(msg, nl_limit);
976 		}
977 
978 		nla_nest_end(msg, nl_limits);
979 
980 		if (c->beacon_int_infra_match &&
981 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
982 			goto nla_put_failure;
983 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
984 				c->num_different_channels) ||
985 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
986 				c->max_interfaces))
987 			goto nla_put_failure;
988 		if (large &&
989 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
990 				c->radar_detect_widths) ||
991 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
992 				c->radar_detect_regions)))
993 			goto nla_put_failure;
994 
995 		nla_nest_end(msg, nl_combi);
996 	}
997 
998 	nla_nest_end(msg, nl_combis);
999 
1000 	return 0;
1001 nla_put_failure:
1002 	return -ENOBUFS;
1003 }
1004 
1005 #ifdef CONFIG_PM
1006 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1007 					struct sk_buff *msg)
1008 {
1009 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1010 	struct nlattr *nl_tcp;
1011 
1012 	if (!tcp)
1013 		return 0;
1014 
1015 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1016 	if (!nl_tcp)
1017 		return -ENOBUFS;
1018 
1019 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1020 			tcp->data_payload_max))
1021 		return -ENOBUFS;
1022 
1023 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1024 			tcp->data_payload_max))
1025 		return -ENOBUFS;
1026 
1027 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1028 		return -ENOBUFS;
1029 
1030 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1031 				sizeof(*tcp->tok), tcp->tok))
1032 		return -ENOBUFS;
1033 
1034 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1035 			tcp->data_interval_max))
1036 		return -ENOBUFS;
1037 
1038 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1039 			tcp->wake_payload_max))
1040 		return -ENOBUFS;
1041 
1042 	nla_nest_end(msg, nl_tcp);
1043 	return 0;
1044 }
1045 
1046 static int nl80211_send_wowlan(struct sk_buff *msg,
1047 			       struct cfg80211_registered_device *rdev,
1048 			       bool large)
1049 {
1050 	struct nlattr *nl_wowlan;
1051 
1052 	if (!rdev->wiphy.wowlan)
1053 		return 0;
1054 
1055 	nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1056 	if (!nl_wowlan)
1057 		return -ENOBUFS;
1058 
1059 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1060 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1061 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1062 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1063 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1064 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1065 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1066 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1067 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1068 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1069 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1070 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1071 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1072 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1073 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1074 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1075 		return -ENOBUFS;
1076 
1077 	if (rdev->wiphy.wowlan->n_patterns) {
1078 		struct nl80211_pattern_support pat = {
1079 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1080 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1081 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1082 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1083 		};
1084 
1085 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1086 			    sizeof(pat), &pat))
1087 			return -ENOBUFS;
1088 	}
1089 
1090 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1091 		return -ENOBUFS;
1092 
1093 	/* TODO: send wowlan net detect */
1094 
1095 	nla_nest_end(msg, nl_wowlan);
1096 
1097 	return 0;
1098 }
1099 #endif
1100 
1101 static int nl80211_send_coalesce(struct sk_buff *msg,
1102 				 struct cfg80211_registered_device *rdev)
1103 {
1104 	struct nl80211_coalesce_rule_support rule;
1105 
1106 	if (!rdev->wiphy.coalesce)
1107 		return 0;
1108 
1109 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1110 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1111 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1112 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1113 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1114 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1115 
1116 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1117 		return -ENOBUFS;
1118 
1119 	return 0;
1120 }
1121 
1122 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1123 				      struct ieee80211_supported_band *sband)
1124 {
1125 	struct nlattr *nl_rates, *nl_rate;
1126 	struct ieee80211_rate *rate;
1127 	int i;
1128 
1129 	/* add HT info */
1130 	if (sband->ht_cap.ht_supported &&
1131 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1132 		     sizeof(sband->ht_cap.mcs),
1133 		     &sband->ht_cap.mcs) ||
1134 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1135 			 sband->ht_cap.cap) ||
1136 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1137 			sband->ht_cap.ampdu_factor) ||
1138 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1139 			sband->ht_cap.ampdu_density)))
1140 		return -ENOBUFS;
1141 
1142 	/* add VHT info */
1143 	if (sband->vht_cap.vht_supported &&
1144 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1145 		     sizeof(sband->vht_cap.vht_mcs),
1146 		     &sband->vht_cap.vht_mcs) ||
1147 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1148 			 sband->vht_cap.cap)))
1149 		return -ENOBUFS;
1150 
1151 	/* add bitrates */
1152 	nl_rates = nla_nest_start(msg, NL80211_BAND_ATTR_RATES);
1153 	if (!nl_rates)
1154 		return -ENOBUFS;
1155 
1156 	for (i = 0; i < sband->n_bitrates; i++) {
1157 		nl_rate = nla_nest_start(msg, i);
1158 		if (!nl_rate)
1159 			return -ENOBUFS;
1160 
1161 		rate = &sband->bitrates[i];
1162 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1163 				rate->bitrate))
1164 			return -ENOBUFS;
1165 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1166 		    nla_put_flag(msg,
1167 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1168 			return -ENOBUFS;
1169 
1170 		nla_nest_end(msg, nl_rate);
1171 	}
1172 
1173 	nla_nest_end(msg, nl_rates);
1174 
1175 	return 0;
1176 }
1177 
1178 static int
1179 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1180 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1181 {
1182 	u16 stypes;
1183 	struct nlattr *nl_ftypes, *nl_ifs;
1184 	enum nl80211_iftype ift;
1185 	int i;
1186 
1187 	if (!mgmt_stypes)
1188 		return 0;
1189 
1190 	nl_ifs = nla_nest_start(msg, NL80211_ATTR_TX_FRAME_TYPES);
1191 	if (!nl_ifs)
1192 		return -ENOBUFS;
1193 
1194 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1195 		nl_ftypes = nla_nest_start(msg, ift);
1196 		if (!nl_ftypes)
1197 			return -ENOBUFS;
1198 		i = 0;
1199 		stypes = mgmt_stypes[ift].tx;
1200 		while (stypes) {
1201 			if ((stypes & 1) &&
1202 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1203 					(i << 4) | IEEE80211_FTYPE_MGMT))
1204 				return -ENOBUFS;
1205 			stypes >>= 1;
1206 			i++;
1207 		}
1208 		nla_nest_end(msg, nl_ftypes);
1209 	}
1210 
1211 	nla_nest_end(msg, nl_ifs);
1212 
1213 	nl_ifs = nla_nest_start(msg, NL80211_ATTR_RX_FRAME_TYPES);
1214 	if (!nl_ifs)
1215 		return -ENOBUFS;
1216 
1217 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1218 		nl_ftypes = nla_nest_start(msg, ift);
1219 		if (!nl_ftypes)
1220 			return -ENOBUFS;
1221 		i = 0;
1222 		stypes = mgmt_stypes[ift].rx;
1223 		while (stypes) {
1224 			if ((stypes & 1) &&
1225 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1226 					(i << 4) | IEEE80211_FTYPE_MGMT))
1227 				return -ENOBUFS;
1228 			stypes >>= 1;
1229 			i++;
1230 		}
1231 		nla_nest_end(msg, nl_ftypes);
1232 	}
1233 	nla_nest_end(msg, nl_ifs);
1234 
1235 	return 0;
1236 }
1237 
1238 struct nl80211_dump_wiphy_state {
1239 	s64 filter_wiphy;
1240 	long start;
1241 	long split_start, band_start, chan_start;
1242 	bool split;
1243 };
1244 
1245 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
1246 			      enum nl80211_commands cmd,
1247 			      struct sk_buff *msg, u32 portid, u32 seq,
1248 			      int flags, struct nl80211_dump_wiphy_state *state)
1249 {
1250 	void *hdr;
1251 	struct nlattr *nl_bands, *nl_band;
1252 	struct nlattr *nl_freqs, *nl_freq;
1253 	struct nlattr *nl_cmds;
1254 	enum ieee80211_band band;
1255 	struct ieee80211_channel *chan;
1256 	int i;
1257 	const struct ieee80211_txrx_stypes *mgmt_stypes =
1258 				rdev->wiphy.mgmt_stypes;
1259 	u32 features;
1260 
1261 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
1262 	if (!hdr)
1263 		return -ENOBUFS;
1264 
1265 	if (WARN_ON(!state))
1266 		return -EINVAL;
1267 
1268 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
1269 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
1270 			   wiphy_name(&rdev->wiphy)) ||
1271 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
1272 			cfg80211_rdev_list_generation))
1273 		goto nla_put_failure;
1274 
1275 	if (cmd != NL80211_CMD_NEW_WIPHY)
1276 		goto finish;
1277 
1278 	switch (state->split_start) {
1279 	case 0:
1280 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
1281 			       rdev->wiphy.retry_short) ||
1282 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
1283 			       rdev->wiphy.retry_long) ||
1284 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
1285 				rdev->wiphy.frag_threshold) ||
1286 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
1287 				rdev->wiphy.rts_threshold) ||
1288 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
1289 			       rdev->wiphy.coverage_class) ||
1290 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
1291 			       rdev->wiphy.max_scan_ssids) ||
1292 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
1293 			       rdev->wiphy.max_sched_scan_ssids) ||
1294 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
1295 				rdev->wiphy.max_scan_ie_len) ||
1296 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
1297 				rdev->wiphy.max_sched_scan_ie_len) ||
1298 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
1299 			       rdev->wiphy.max_match_sets))
1300 			goto nla_put_failure;
1301 
1302 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
1303 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
1304 			goto nla_put_failure;
1305 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
1306 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
1307 			goto nla_put_failure;
1308 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
1309 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
1310 			goto nla_put_failure;
1311 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
1312 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
1313 			goto nla_put_failure;
1314 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
1315 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
1316 			goto nla_put_failure;
1317 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
1318 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
1319 			goto nla_put_failure;
1320 		state->split_start++;
1321 		if (state->split)
1322 			break;
1323 	case 1:
1324 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
1325 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
1326 			    rdev->wiphy.cipher_suites))
1327 			goto nla_put_failure;
1328 
1329 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
1330 			       rdev->wiphy.max_num_pmkids))
1331 			goto nla_put_failure;
1332 
1333 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
1334 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
1335 			goto nla_put_failure;
1336 
1337 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
1338 				rdev->wiphy.available_antennas_tx) ||
1339 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
1340 				rdev->wiphy.available_antennas_rx))
1341 			goto nla_put_failure;
1342 
1343 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
1344 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
1345 				rdev->wiphy.probe_resp_offload))
1346 			goto nla_put_failure;
1347 
1348 		if ((rdev->wiphy.available_antennas_tx ||
1349 		     rdev->wiphy.available_antennas_rx) &&
1350 		    rdev->ops->get_antenna) {
1351 			u32 tx_ant = 0, rx_ant = 0;
1352 			int res;
1353 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
1354 			if (!res) {
1355 				if (nla_put_u32(msg,
1356 						NL80211_ATTR_WIPHY_ANTENNA_TX,
1357 						tx_ant) ||
1358 				    nla_put_u32(msg,
1359 						NL80211_ATTR_WIPHY_ANTENNA_RX,
1360 						rx_ant))
1361 					goto nla_put_failure;
1362 			}
1363 		}
1364 
1365 		state->split_start++;
1366 		if (state->split)
1367 			break;
1368 	case 2:
1369 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
1370 					rdev->wiphy.interface_modes))
1371 				goto nla_put_failure;
1372 		state->split_start++;
1373 		if (state->split)
1374 			break;
1375 	case 3:
1376 		nl_bands = nla_nest_start(msg, NL80211_ATTR_WIPHY_BANDS);
1377 		if (!nl_bands)
1378 			goto nla_put_failure;
1379 
1380 		for (band = state->band_start;
1381 		     band < IEEE80211_NUM_BANDS; band++) {
1382 			struct ieee80211_supported_band *sband;
1383 
1384 			sband = rdev->wiphy.bands[band];
1385 
1386 			if (!sband)
1387 				continue;
1388 
1389 			nl_band = nla_nest_start(msg, band);
1390 			if (!nl_band)
1391 				goto nla_put_failure;
1392 
1393 			switch (state->chan_start) {
1394 			case 0:
1395 				if (nl80211_send_band_rateinfo(msg, sband))
1396 					goto nla_put_failure;
1397 				state->chan_start++;
1398 				if (state->split)
1399 					break;
1400 			default:
1401 				/* add frequencies */
1402 				nl_freqs = nla_nest_start(
1403 					msg, NL80211_BAND_ATTR_FREQS);
1404 				if (!nl_freqs)
1405 					goto nla_put_failure;
1406 
1407 				for (i = state->chan_start - 1;
1408 				     i < sband->n_channels;
1409 				     i++) {
1410 					nl_freq = nla_nest_start(msg, i);
1411 					if (!nl_freq)
1412 						goto nla_put_failure;
1413 
1414 					chan = &sband->channels[i];
1415 
1416 					if (nl80211_msg_put_channel(
1417 							msg, chan,
1418 							state->split))
1419 						goto nla_put_failure;
1420 
1421 					nla_nest_end(msg, nl_freq);
1422 					if (state->split)
1423 						break;
1424 				}
1425 				if (i < sband->n_channels)
1426 					state->chan_start = i + 2;
1427 				else
1428 					state->chan_start = 0;
1429 				nla_nest_end(msg, nl_freqs);
1430 			}
1431 
1432 			nla_nest_end(msg, nl_band);
1433 
1434 			if (state->split) {
1435 				/* start again here */
1436 				if (state->chan_start)
1437 					band--;
1438 				break;
1439 			}
1440 		}
1441 		nla_nest_end(msg, nl_bands);
1442 
1443 		if (band < IEEE80211_NUM_BANDS)
1444 			state->band_start = band + 1;
1445 		else
1446 			state->band_start = 0;
1447 
1448 		/* if bands & channels are done, continue outside */
1449 		if (state->band_start == 0 && state->chan_start == 0)
1450 			state->split_start++;
1451 		if (state->split)
1452 			break;
1453 	case 4:
1454 		nl_cmds = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_COMMANDS);
1455 		if (!nl_cmds)
1456 			goto nla_put_failure;
1457 
1458 		i = 0;
1459 #define CMD(op, n)							\
1460 		 do {							\
1461 			if (rdev->ops->op) {				\
1462 				i++;					\
1463 				if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) \
1464 					goto nla_put_failure;		\
1465 			}						\
1466 		} while (0)
1467 
1468 		CMD(add_virtual_intf, NEW_INTERFACE);
1469 		CMD(change_virtual_intf, SET_INTERFACE);
1470 		CMD(add_key, NEW_KEY);
1471 		CMD(start_ap, START_AP);
1472 		CMD(add_station, NEW_STATION);
1473 		CMD(add_mpath, NEW_MPATH);
1474 		CMD(update_mesh_config, SET_MESH_CONFIG);
1475 		CMD(change_bss, SET_BSS);
1476 		CMD(auth, AUTHENTICATE);
1477 		CMD(assoc, ASSOCIATE);
1478 		CMD(deauth, DEAUTHENTICATE);
1479 		CMD(disassoc, DISASSOCIATE);
1480 		CMD(join_ibss, JOIN_IBSS);
1481 		CMD(join_mesh, JOIN_MESH);
1482 		CMD(set_pmksa, SET_PMKSA);
1483 		CMD(del_pmksa, DEL_PMKSA);
1484 		CMD(flush_pmksa, FLUSH_PMKSA);
1485 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1486 			CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1487 		CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1488 		CMD(mgmt_tx, FRAME);
1489 		CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1490 		if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1491 			i++;
1492 			if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1493 				goto nla_put_failure;
1494 		}
1495 		if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1496 		    rdev->ops->join_mesh) {
1497 			i++;
1498 			if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1499 				goto nla_put_failure;
1500 		}
1501 		CMD(set_wds_peer, SET_WDS_PEER);
1502 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1503 			CMD(tdls_mgmt, TDLS_MGMT);
1504 			CMD(tdls_oper, TDLS_OPER);
1505 		}
1506 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
1507 			CMD(sched_scan_start, START_SCHED_SCAN);
1508 		CMD(probe_client, PROBE_CLIENT);
1509 		CMD(set_noack_map, SET_NOACK_MAP);
1510 		if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1511 			i++;
1512 			if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1513 				goto nla_put_failure;
1514 		}
1515 		CMD(start_p2p_device, START_P2P_DEVICE);
1516 		CMD(set_mcast_rate, SET_MCAST_RATE);
1517 #ifdef CONFIG_NL80211_TESTMODE
1518 		CMD(testmode_cmd, TESTMODE);
1519 #endif
1520 		if (state->split) {
1521 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
1522 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
1523 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
1524 				CMD(channel_switch, CHANNEL_SWITCH);
1525 			CMD(set_qos_map, SET_QOS_MAP);
1526 			if (rdev->wiphy.features &
1527 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
1528 				CMD(add_tx_ts, ADD_TX_TS);
1529 		}
1530 		/* add into the if now */
1531 #undef CMD
1532 
1533 		if (rdev->ops->connect || rdev->ops->auth) {
1534 			i++;
1535 			if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1536 				goto nla_put_failure;
1537 		}
1538 
1539 		if (rdev->ops->disconnect || rdev->ops->deauth) {
1540 			i++;
1541 			if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1542 				goto nla_put_failure;
1543 		}
1544 
1545 		nla_nest_end(msg, nl_cmds);
1546 		state->split_start++;
1547 		if (state->split)
1548 			break;
1549 	case 5:
1550 		if (rdev->ops->remain_on_channel &&
1551 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
1552 		    nla_put_u32(msg,
1553 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
1554 				rdev->wiphy.max_remain_on_channel_duration))
1555 			goto nla_put_failure;
1556 
1557 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
1558 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
1559 			goto nla_put_failure;
1560 
1561 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
1562 			goto nla_put_failure;
1563 		state->split_start++;
1564 		if (state->split)
1565 			break;
1566 	case 6:
1567 #ifdef CONFIG_PM
1568 		if (nl80211_send_wowlan(msg, rdev, state->split))
1569 			goto nla_put_failure;
1570 		state->split_start++;
1571 		if (state->split)
1572 			break;
1573 #else
1574 		state->split_start++;
1575 #endif
1576 	case 7:
1577 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
1578 					rdev->wiphy.software_iftypes))
1579 			goto nla_put_failure;
1580 
1581 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
1582 						   state->split))
1583 			goto nla_put_failure;
1584 
1585 		state->split_start++;
1586 		if (state->split)
1587 			break;
1588 	case 8:
1589 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
1590 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
1591 				rdev->wiphy.ap_sme_capa))
1592 			goto nla_put_failure;
1593 
1594 		features = rdev->wiphy.features;
1595 		/*
1596 		 * We can only add the per-channel limit information if the
1597 		 * dump is split, otherwise it makes it too big. Therefore
1598 		 * only advertise it in that case.
1599 		 */
1600 		if (state->split)
1601 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
1602 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
1603 			goto nla_put_failure;
1604 
1605 		if (rdev->wiphy.ht_capa_mod_mask &&
1606 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
1607 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
1608 			    rdev->wiphy.ht_capa_mod_mask))
1609 			goto nla_put_failure;
1610 
1611 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
1612 		    rdev->wiphy.max_acl_mac_addrs &&
1613 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
1614 				rdev->wiphy.max_acl_mac_addrs))
1615 			goto nla_put_failure;
1616 
1617 		/*
1618 		 * Any information below this point is only available to
1619 		 * applications that can deal with it being split. This
1620 		 * helps ensure that newly added capabilities don't break
1621 		 * older tools by overrunning their buffers.
1622 		 *
1623 		 * We still increment split_start so that in the split
1624 		 * case we'll continue with more data in the next round,
1625 		 * but break unconditionally so unsplit data stops here.
1626 		 */
1627 		state->split_start++;
1628 		break;
1629 	case 9:
1630 		if (rdev->wiphy.extended_capabilities &&
1631 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
1632 			     rdev->wiphy.extended_capabilities_len,
1633 			     rdev->wiphy.extended_capabilities) ||
1634 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
1635 			     rdev->wiphy.extended_capabilities_len,
1636 			     rdev->wiphy.extended_capabilities_mask)))
1637 			goto nla_put_failure;
1638 
1639 		if (rdev->wiphy.vht_capa_mod_mask &&
1640 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
1641 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
1642 			    rdev->wiphy.vht_capa_mod_mask))
1643 			goto nla_put_failure;
1644 
1645 		state->split_start++;
1646 		break;
1647 	case 10:
1648 		if (nl80211_send_coalesce(msg, rdev))
1649 			goto nla_put_failure;
1650 
1651 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
1652 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
1653 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
1654 			goto nla_put_failure;
1655 
1656 		if (rdev->wiphy.max_ap_assoc_sta &&
1657 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
1658 				rdev->wiphy.max_ap_assoc_sta))
1659 			goto nla_put_failure;
1660 
1661 		state->split_start++;
1662 		break;
1663 	case 11:
1664 		if (rdev->wiphy.n_vendor_commands) {
1665 			const struct nl80211_vendor_cmd_info *info;
1666 			struct nlattr *nested;
1667 
1668 			nested = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
1669 			if (!nested)
1670 				goto nla_put_failure;
1671 
1672 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
1673 				info = &rdev->wiphy.vendor_commands[i].info;
1674 				if (nla_put(msg, i + 1, sizeof(*info), info))
1675 					goto nla_put_failure;
1676 			}
1677 			nla_nest_end(msg, nested);
1678 		}
1679 
1680 		if (rdev->wiphy.n_vendor_events) {
1681 			const struct nl80211_vendor_cmd_info *info;
1682 			struct nlattr *nested;
1683 
1684 			nested = nla_nest_start(msg,
1685 						NL80211_ATTR_VENDOR_EVENTS);
1686 			if (!nested)
1687 				goto nla_put_failure;
1688 
1689 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
1690 				info = &rdev->wiphy.vendor_events[i];
1691 				if (nla_put(msg, i + 1, sizeof(*info), info))
1692 					goto nla_put_failure;
1693 			}
1694 			nla_nest_end(msg, nested);
1695 		}
1696 		state->split_start++;
1697 		break;
1698 	case 12:
1699 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
1700 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
1701 			       rdev->wiphy.max_num_csa_counters))
1702 			goto nla_put_failure;
1703 
1704 		/* done */
1705 		state->split_start = 0;
1706 		break;
1707 	}
1708  finish:
1709 	return genlmsg_end(msg, hdr);
1710 
1711  nla_put_failure:
1712 	genlmsg_cancel(msg, hdr);
1713 	return -EMSGSIZE;
1714 }
1715 
1716 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
1717 				    struct netlink_callback *cb,
1718 				    struct nl80211_dump_wiphy_state *state)
1719 {
1720 	struct nlattr **tb = nl80211_fam.attrbuf;
1721 	int ret = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
1722 			      tb, nl80211_fam.maxattr, nl80211_policy);
1723 	/* ignore parse errors for backward compatibility */
1724 	if (ret)
1725 		return 0;
1726 
1727 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
1728 	if (tb[NL80211_ATTR_WIPHY])
1729 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
1730 	if (tb[NL80211_ATTR_WDEV])
1731 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
1732 	if (tb[NL80211_ATTR_IFINDEX]) {
1733 		struct net_device *netdev;
1734 		struct cfg80211_registered_device *rdev;
1735 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
1736 
1737 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
1738 		if (!netdev)
1739 			return -ENODEV;
1740 		if (netdev->ieee80211_ptr) {
1741 			rdev = wiphy_to_rdev(
1742 				netdev->ieee80211_ptr->wiphy);
1743 			state->filter_wiphy = rdev->wiphy_idx;
1744 		}
1745 	}
1746 
1747 	return 0;
1748 }
1749 
1750 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
1751 {
1752 	int idx = 0, ret;
1753 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
1754 	struct cfg80211_registered_device *rdev;
1755 
1756 	rtnl_lock();
1757 	if (!state) {
1758 		state = kzalloc(sizeof(*state), GFP_KERNEL);
1759 		if (!state) {
1760 			rtnl_unlock();
1761 			return -ENOMEM;
1762 		}
1763 		state->filter_wiphy = -1;
1764 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
1765 		if (ret) {
1766 			kfree(state);
1767 			rtnl_unlock();
1768 			return ret;
1769 		}
1770 		cb->args[0] = (long)state;
1771 	}
1772 
1773 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
1774 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
1775 			continue;
1776 		if (++idx <= state->start)
1777 			continue;
1778 		if (state->filter_wiphy != -1 &&
1779 		    state->filter_wiphy != rdev->wiphy_idx)
1780 			continue;
1781 		/* attempt to fit multiple wiphy data chunks into the skb */
1782 		do {
1783 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
1784 						 skb,
1785 						 NETLINK_CB(cb->skb).portid,
1786 						 cb->nlh->nlmsg_seq,
1787 						 NLM_F_MULTI, state);
1788 			if (ret < 0) {
1789 				/*
1790 				 * If sending the wiphy data didn't fit (ENOBUFS
1791 				 * or EMSGSIZE returned), this SKB is still
1792 				 * empty (so it's not too big because another
1793 				 * wiphy dataset is already in the skb) and
1794 				 * we've not tried to adjust the dump allocation
1795 				 * yet ... then adjust the alloc size to be
1796 				 * bigger, and return 1 but with the empty skb.
1797 				 * This results in an empty message being RX'ed
1798 				 * in userspace, but that is ignored.
1799 				 *
1800 				 * We can then retry with the larger buffer.
1801 				 */
1802 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
1803 				    !skb->len && !state->split &&
1804 				    cb->min_dump_alloc < 4096) {
1805 					cb->min_dump_alloc = 4096;
1806 					state->split_start = 0;
1807 					rtnl_unlock();
1808 					return 1;
1809 				}
1810 				idx--;
1811 				break;
1812 			}
1813 		} while (state->split_start > 0);
1814 		break;
1815 	}
1816 	rtnl_unlock();
1817 
1818 	state->start = idx;
1819 
1820 	return skb->len;
1821 }
1822 
1823 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
1824 {
1825 	kfree((void *)cb->args[0]);
1826 	return 0;
1827 }
1828 
1829 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
1830 {
1831 	struct sk_buff *msg;
1832 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
1833 	struct nl80211_dump_wiphy_state state = {};
1834 
1835 	msg = nlmsg_new(4096, GFP_KERNEL);
1836 	if (!msg)
1837 		return -ENOMEM;
1838 
1839 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
1840 			       info->snd_portid, info->snd_seq, 0,
1841 			       &state) < 0) {
1842 		nlmsg_free(msg);
1843 		return -ENOBUFS;
1844 	}
1845 
1846 	return genlmsg_reply(msg, info);
1847 }
1848 
1849 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
1850 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
1851 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
1852 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
1853 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
1854 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
1855 };
1856 
1857 static int parse_txq_params(struct nlattr *tb[],
1858 			    struct ieee80211_txq_params *txq_params)
1859 {
1860 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
1861 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
1862 	    !tb[NL80211_TXQ_ATTR_AIFS])
1863 		return -EINVAL;
1864 
1865 	txq_params->ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
1866 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
1867 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
1868 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
1869 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
1870 
1871 	if (txq_params->ac >= NL80211_NUM_ACS)
1872 		return -EINVAL;
1873 
1874 	return 0;
1875 }
1876 
1877 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
1878 {
1879 	/*
1880 	 * You can only set the channel explicitly for WDS interfaces,
1881 	 * all others have their channel managed via their respective
1882 	 * "establish a connection" command (connect, join, ...)
1883 	 *
1884 	 * For AP/GO and mesh mode, the channel can be set with the
1885 	 * channel userspace API, but is only stored and passed to the
1886 	 * low-level driver when the AP starts or the mesh is joined.
1887 	 * This is for backward compatibility, userspace can also give
1888 	 * the channel in the start-ap or join-mesh commands instead.
1889 	 *
1890 	 * Monitors are special as they are normally slaved to
1891 	 * whatever else is going on, so they have their own special
1892 	 * operation to set the monitor channel if possible.
1893 	 */
1894 	return !wdev ||
1895 		wdev->iftype == NL80211_IFTYPE_AP ||
1896 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
1897 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
1898 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
1899 }
1900 
1901 static int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
1902 				 struct genl_info *info,
1903 				 struct cfg80211_chan_def *chandef)
1904 {
1905 	u32 control_freq;
1906 
1907 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
1908 		return -EINVAL;
1909 
1910 	control_freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
1911 
1912 	chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
1913 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
1914 	chandef->center_freq1 = control_freq;
1915 	chandef->center_freq2 = 0;
1916 
1917 	/* Primary channel not allowed */
1918 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED)
1919 		return -EINVAL;
1920 
1921 	if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
1922 		enum nl80211_channel_type chantype;
1923 
1924 		chantype = nla_get_u32(
1925 				info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
1926 
1927 		switch (chantype) {
1928 		case NL80211_CHAN_NO_HT:
1929 		case NL80211_CHAN_HT20:
1930 		case NL80211_CHAN_HT40PLUS:
1931 		case NL80211_CHAN_HT40MINUS:
1932 			cfg80211_chandef_create(chandef, chandef->chan,
1933 						chantype);
1934 			break;
1935 		default:
1936 			return -EINVAL;
1937 		}
1938 	} else if (info->attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
1939 		chandef->width =
1940 			nla_get_u32(info->attrs[NL80211_ATTR_CHANNEL_WIDTH]);
1941 		if (info->attrs[NL80211_ATTR_CENTER_FREQ1])
1942 			chandef->center_freq1 =
1943 				nla_get_u32(
1944 					info->attrs[NL80211_ATTR_CENTER_FREQ1]);
1945 		if (info->attrs[NL80211_ATTR_CENTER_FREQ2])
1946 			chandef->center_freq2 =
1947 				nla_get_u32(
1948 					info->attrs[NL80211_ATTR_CENTER_FREQ2]);
1949 	}
1950 
1951 	if (!cfg80211_chandef_valid(chandef))
1952 		return -EINVAL;
1953 
1954 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
1955 				     IEEE80211_CHAN_DISABLED))
1956 		return -EINVAL;
1957 
1958 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
1959 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
1960 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ))
1961 		return -EINVAL;
1962 
1963 	return 0;
1964 }
1965 
1966 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
1967 				 struct net_device *dev,
1968 				 struct genl_info *info)
1969 {
1970 	struct cfg80211_chan_def chandef;
1971 	int result;
1972 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
1973 	struct wireless_dev *wdev = NULL;
1974 
1975 	if (dev)
1976 		wdev = dev->ieee80211_ptr;
1977 	if (!nl80211_can_set_dev_channel(wdev))
1978 		return -EOPNOTSUPP;
1979 	if (wdev)
1980 		iftype = wdev->iftype;
1981 
1982 	result = nl80211_parse_chandef(rdev, info, &chandef);
1983 	if (result)
1984 		return result;
1985 
1986 	switch (iftype) {
1987 	case NL80211_IFTYPE_AP:
1988 	case NL80211_IFTYPE_P2P_GO:
1989 		if (!cfg80211_reg_can_beacon(&rdev->wiphy, &chandef, iftype)) {
1990 			result = -EINVAL;
1991 			break;
1992 		}
1993 		if (wdev->beacon_interval) {
1994 			if (!dev || !rdev->ops->set_ap_chanwidth ||
1995 			    !(rdev->wiphy.features &
1996 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
1997 				result = -EBUSY;
1998 				break;
1999 			}
2000 
2001 			/* Only allow dynamic channel width changes */
2002 			if (chandef.chan != wdev->preset_chandef.chan) {
2003 				result = -EBUSY;
2004 				break;
2005 			}
2006 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
2007 			if (result)
2008 				break;
2009 		}
2010 		wdev->preset_chandef = chandef;
2011 		result = 0;
2012 		break;
2013 	case NL80211_IFTYPE_MESH_POINT:
2014 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
2015 		break;
2016 	case NL80211_IFTYPE_MONITOR:
2017 		result = cfg80211_set_monitor_channel(rdev, &chandef);
2018 		break;
2019 	default:
2020 		result = -EINVAL;
2021 	}
2022 
2023 	return result;
2024 }
2025 
2026 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
2027 {
2028 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2029 	struct net_device *netdev = info->user_ptr[1];
2030 
2031 	return __nl80211_set_channel(rdev, netdev, info);
2032 }
2033 
2034 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
2035 {
2036 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2037 	struct net_device *dev = info->user_ptr[1];
2038 	struct wireless_dev *wdev = dev->ieee80211_ptr;
2039 	const u8 *bssid;
2040 
2041 	if (!info->attrs[NL80211_ATTR_MAC])
2042 		return -EINVAL;
2043 
2044 	if (netif_running(dev))
2045 		return -EBUSY;
2046 
2047 	if (!rdev->ops->set_wds_peer)
2048 		return -EOPNOTSUPP;
2049 
2050 	if (wdev->iftype != NL80211_IFTYPE_WDS)
2051 		return -EOPNOTSUPP;
2052 
2053 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
2054 	return rdev_set_wds_peer(rdev, dev, bssid);
2055 }
2056 
2057 
2058 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
2059 {
2060 	struct cfg80211_registered_device *rdev;
2061 	struct net_device *netdev = NULL;
2062 	struct wireless_dev *wdev;
2063 	int result = 0, rem_txq_params = 0;
2064 	struct nlattr *nl_txq_params;
2065 	u32 changed;
2066 	u8 retry_short = 0, retry_long = 0;
2067 	u32 frag_threshold = 0, rts_threshold = 0;
2068 	u8 coverage_class = 0;
2069 
2070 	ASSERT_RTNL();
2071 
2072 	/*
2073 	 * Try to find the wiphy and netdev. Normally this
2074 	 * function shouldn't need the netdev, but this is
2075 	 * done for backward compatibility -- previously
2076 	 * setting the channel was done per wiphy, but now
2077 	 * it is per netdev. Previous userland like hostapd
2078 	 * also passed a netdev to set_wiphy, so that it is
2079 	 * possible to let that go to the right netdev!
2080 	 */
2081 
2082 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
2083 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
2084 
2085 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
2086 		if (netdev && netdev->ieee80211_ptr)
2087 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
2088 		else
2089 			netdev = NULL;
2090 	}
2091 
2092 	if (!netdev) {
2093 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
2094 						  info->attrs);
2095 		if (IS_ERR(rdev))
2096 			return PTR_ERR(rdev);
2097 		wdev = NULL;
2098 		netdev = NULL;
2099 		result = 0;
2100 	} else
2101 		wdev = netdev->ieee80211_ptr;
2102 
2103 	/*
2104 	 * end workaround code, by now the rdev is available
2105 	 * and locked, and wdev may or may not be NULL.
2106 	 */
2107 
2108 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
2109 		result = cfg80211_dev_rename(
2110 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
2111 
2112 	if (result)
2113 		return result;
2114 
2115 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
2116 		struct ieee80211_txq_params txq_params;
2117 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
2118 
2119 		if (!rdev->ops->set_txq_params)
2120 			return -EOPNOTSUPP;
2121 
2122 		if (!netdev)
2123 			return -EINVAL;
2124 
2125 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2126 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2127 			return -EINVAL;
2128 
2129 		if (!netif_running(netdev))
2130 			return -ENETDOWN;
2131 
2132 		nla_for_each_nested(nl_txq_params,
2133 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
2134 				    rem_txq_params) {
2135 			result = nla_parse(tb, NL80211_TXQ_ATTR_MAX,
2136 					   nla_data(nl_txq_params),
2137 					   nla_len(nl_txq_params),
2138 					   txq_params_policy);
2139 			if (result)
2140 				return result;
2141 			result = parse_txq_params(tb, &txq_params);
2142 			if (result)
2143 				return result;
2144 
2145 			result = rdev_set_txq_params(rdev, netdev,
2146 						     &txq_params);
2147 			if (result)
2148 				return result;
2149 		}
2150 	}
2151 
2152 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2153 		result = __nl80211_set_channel(
2154 			rdev,
2155 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
2156 			info);
2157 		if (result)
2158 			return result;
2159 	}
2160 
2161 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
2162 		struct wireless_dev *txp_wdev = wdev;
2163 		enum nl80211_tx_power_setting type;
2164 		int idx, mbm = 0;
2165 
2166 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
2167 			txp_wdev = NULL;
2168 
2169 		if (!rdev->ops->set_tx_power)
2170 			return -EOPNOTSUPP;
2171 
2172 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
2173 		type = nla_get_u32(info->attrs[idx]);
2174 
2175 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
2176 		    (type != NL80211_TX_POWER_AUTOMATIC))
2177 			return -EINVAL;
2178 
2179 		if (type != NL80211_TX_POWER_AUTOMATIC) {
2180 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
2181 			mbm = nla_get_u32(info->attrs[idx]);
2182 		}
2183 
2184 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
2185 		if (result)
2186 			return result;
2187 	}
2188 
2189 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
2190 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
2191 		u32 tx_ant, rx_ant;
2192 		if ((!rdev->wiphy.available_antennas_tx &&
2193 		     !rdev->wiphy.available_antennas_rx) ||
2194 		    !rdev->ops->set_antenna)
2195 			return -EOPNOTSUPP;
2196 
2197 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
2198 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
2199 
2200 		/* reject antenna configurations which don't match the
2201 		 * available antenna masks, except for the "all" mask */
2202 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
2203 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
2204 			return -EINVAL;
2205 
2206 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
2207 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
2208 
2209 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
2210 		if (result)
2211 			return result;
2212 	}
2213 
2214 	changed = 0;
2215 
2216 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
2217 		retry_short = nla_get_u8(
2218 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
2219 		if (retry_short == 0)
2220 			return -EINVAL;
2221 
2222 		changed |= WIPHY_PARAM_RETRY_SHORT;
2223 	}
2224 
2225 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
2226 		retry_long = nla_get_u8(
2227 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
2228 		if (retry_long == 0)
2229 			return -EINVAL;
2230 
2231 		changed |= WIPHY_PARAM_RETRY_LONG;
2232 	}
2233 
2234 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
2235 		frag_threshold = nla_get_u32(
2236 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
2237 		if (frag_threshold < 256)
2238 			return -EINVAL;
2239 
2240 		if (frag_threshold != (u32) -1) {
2241 			/*
2242 			 * Fragments (apart from the last one) are required to
2243 			 * have even length. Make the fragmentation code
2244 			 * simpler by stripping LSB should someone try to use
2245 			 * odd threshold value.
2246 			 */
2247 			frag_threshold &= ~0x1;
2248 		}
2249 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
2250 	}
2251 
2252 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
2253 		rts_threshold = nla_get_u32(
2254 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
2255 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
2256 	}
2257 
2258 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
2259 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
2260 			return -EINVAL;
2261 
2262 		coverage_class = nla_get_u8(
2263 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
2264 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
2265 	}
2266 
2267 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
2268 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
2269 			return -EOPNOTSUPP;
2270 
2271 		changed |= WIPHY_PARAM_DYN_ACK;
2272 	}
2273 
2274 	if (changed) {
2275 		u8 old_retry_short, old_retry_long;
2276 		u32 old_frag_threshold, old_rts_threshold;
2277 		u8 old_coverage_class;
2278 
2279 		if (!rdev->ops->set_wiphy_params)
2280 			return -EOPNOTSUPP;
2281 
2282 		old_retry_short = rdev->wiphy.retry_short;
2283 		old_retry_long = rdev->wiphy.retry_long;
2284 		old_frag_threshold = rdev->wiphy.frag_threshold;
2285 		old_rts_threshold = rdev->wiphy.rts_threshold;
2286 		old_coverage_class = rdev->wiphy.coverage_class;
2287 
2288 		if (changed & WIPHY_PARAM_RETRY_SHORT)
2289 			rdev->wiphy.retry_short = retry_short;
2290 		if (changed & WIPHY_PARAM_RETRY_LONG)
2291 			rdev->wiphy.retry_long = retry_long;
2292 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
2293 			rdev->wiphy.frag_threshold = frag_threshold;
2294 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
2295 			rdev->wiphy.rts_threshold = rts_threshold;
2296 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
2297 			rdev->wiphy.coverage_class = coverage_class;
2298 
2299 		result = rdev_set_wiphy_params(rdev, changed);
2300 		if (result) {
2301 			rdev->wiphy.retry_short = old_retry_short;
2302 			rdev->wiphy.retry_long = old_retry_long;
2303 			rdev->wiphy.frag_threshold = old_frag_threshold;
2304 			rdev->wiphy.rts_threshold = old_rts_threshold;
2305 			rdev->wiphy.coverage_class = old_coverage_class;
2306 		}
2307 	}
2308 	return 0;
2309 }
2310 
2311 static inline u64 wdev_id(struct wireless_dev *wdev)
2312 {
2313 	return (u64)wdev->identifier |
2314 	       ((u64)wiphy_to_rdev(wdev->wiphy)->wiphy_idx << 32);
2315 }
2316 
2317 static int nl80211_send_chandef(struct sk_buff *msg,
2318 				const struct cfg80211_chan_def *chandef)
2319 {
2320 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
2321 		return -EINVAL;
2322 
2323 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
2324 			chandef->chan->center_freq))
2325 		return -ENOBUFS;
2326 	switch (chandef->width) {
2327 	case NL80211_CHAN_WIDTH_20_NOHT:
2328 	case NL80211_CHAN_WIDTH_20:
2329 	case NL80211_CHAN_WIDTH_40:
2330 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
2331 				cfg80211_get_chandef_type(chandef)))
2332 			return -ENOBUFS;
2333 		break;
2334 	default:
2335 		break;
2336 	}
2337 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
2338 		return -ENOBUFS;
2339 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
2340 		return -ENOBUFS;
2341 	if (chandef->center_freq2 &&
2342 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
2343 		return -ENOBUFS;
2344 	return 0;
2345 }
2346 
2347 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
2348 			      struct cfg80211_registered_device *rdev,
2349 			      struct wireless_dev *wdev, bool removal)
2350 {
2351 	struct net_device *dev = wdev->netdev;
2352 	u8 cmd = NL80211_CMD_NEW_INTERFACE;
2353 	void *hdr;
2354 
2355 	if (removal)
2356 		cmd = NL80211_CMD_DEL_INTERFACE;
2357 
2358 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2359 	if (!hdr)
2360 		return -1;
2361 
2362 	if (dev &&
2363 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2364 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
2365 		goto nla_put_failure;
2366 
2367 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2368 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
2369 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
2370 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
2371 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2372 			rdev->devlist_generation ^
2373 			(cfg80211_rdev_list_generation << 2)))
2374 		goto nla_put_failure;
2375 
2376 	if (rdev->ops->get_channel) {
2377 		int ret;
2378 		struct cfg80211_chan_def chandef;
2379 
2380 		ret = rdev_get_channel(rdev, wdev, &chandef);
2381 		if (ret == 0) {
2382 			if (nl80211_send_chandef(msg, &chandef))
2383 				goto nla_put_failure;
2384 		}
2385 	}
2386 
2387 	if (wdev->ssid_len) {
2388 		if (nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
2389 			goto nla_put_failure;
2390 	}
2391 
2392 	return genlmsg_end(msg, hdr);
2393 
2394  nla_put_failure:
2395 	genlmsg_cancel(msg, hdr);
2396 	return -EMSGSIZE;
2397 }
2398 
2399 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
2400 {
2401 	int wp_idx = 0;
2402 	int if_idx = 0;
2403 	int wp_start = cb->args[0];
2404 	int if_start = cb->args[1];
2405 	struct cfg80211_registered_device *rdev;
2406 	struct wireless_dev *wdev;
2407 
2408 	rtnl_lock();
2409 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2410 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2411 			continue;
2412 		if (wp_idx < wp_start) {
2413 			wp_idx++;
2414 			continue;
2415 		}
2416 		if_idx = 0;
2417 
2418 		list_for_each_entry(wdev, &rdev->wdev_list, list) {
2419 			if (if_idx < if_start) {
2420 				if_idx++;
2421 				continue;
2422 			}
2423 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
2424 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
2425 					       rdev, wdev, false) < 0) {
2426 				goto out;
2427 			}
2428 			if_idx++;
2429 		}
2430 
2431 		wp_idx++;
2432 	}
2433  out:
2434 	rtnl_unlock();
2435 
2436 	cb->args[0] = wp_idx;
2437 	cb->args[1] = if_idx;
2438 
2439 	return skb->len;
2440 }
2441 
2442 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
2443 {
2444 	struct sk_buff *msg;
2445 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2446 	struct wireless_dev *wdev = info->user_ptr[1];
2447 
2448 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2449 	if (!msg)
2450 		return -ENOMEM;
2451 
2452 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2453 			       rdev, wdev, false) < 0) {
2454 		nlmsg_free(msg);
2455 		return -ENOBUFS;
2456 	}
2457 
2458 	return genlmsg_reply(msg, info);
2459 }
2460 
2461 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
2462 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
2463 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
2464 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
2465 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
2466 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
2467 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
2468 };
2469 
2470 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
2471 {
2472 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
2473 	int flag;
2474 
2475 	*mntrflags = 0;
2476 
2477 	if (!nla)
2478 		return -EINVAL;
2479 
2480 	if (nla_parse_nested(flags, NL80211_MNTR_FLAG_MAX,
2481 			     nla, mntr_flags_policy))
2482 		return -EINVAL;
2483 
2484 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
2485 		if (flags[flag])
2486 			*mntrflags |= (1<<flag);
2487 
2488 	return 0;
2489 }
2490 
2491 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
2492 			       struct net_device *netdev, u8 use_4addr,
2493 			       enum nl80211_iftype iftype)
2494 {
2495 	if (!use_4addr) {
2496 		if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
2497 			return -EBUSY;
2498 		return 0;
2499 	}
2500 
2501 	switch (iftype) {
2502 	case NL80211_IFTYPE_AP_VLAN:
2503 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
2504 			return 0;
2505 		break;
2506 	case NL80211_IFTYPE_STATION:
2507 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
2508 			return 0;
2509 		break;
2510 	default:
2511 		break;
2512 	}
2513 
2514 	return -EOPNOTSUPP;
2515 }
2516 
2517 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
2518 {
2519 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2520 	struct vif_params params;
2521 	int err;
2522 	enum nl80211_iftype otype, ntype;
2523 	struct net_device *dev = info->user_ptr[1];
2524 	u32 _flags, *flags = NULL;
2525 	bool change = false;
2526 
2527 	memset(&params, 0, sizeof(params));
2528 
2529 	otype = ntype = dev->ieee80211_ptr->iftype;
2530 
2531 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2532 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2533 		if (otype != ntype)
2534 			change = true;
2535 		if (ntype > NL80211_IFTYPE_MAX)
2536 			return -EINVAL;
2537 	}
2538 
2539 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
2540 		struct wireless_dev *wdev = dev->ieee80211_ptr;
2541 
2542 		if (ntype != NL80211_IFTYPE_MESH_POINT)
2543 			return -EINVAL;
2544 		if (netif_running(dev))
2545 			return -EBUSY;
2546 
2547 		wdev_lock(wdev);
2548 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2549 			     IEEE80211_MAX_MESH_ID_LEN);
2550 		wdev->mesh_id_up_len =
2551 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2552 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2553 		       wdev->mesh_id_up_len);
2554 		wdev_unlock(wdev);
2555 	}
2556 
2557 	if (info->attrs[NL80211_ATTR_4ADDR]) {
2558 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2559 		change = true;
2560 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
2561 		if (err)
2562 			return err;
2563 	} else {
2564 		params.use_4addr = -1;
2565 	}
2566 
2567 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
2568 		if (ntype != NL80211_IFTYPE_MONITOR)
2569 			return -EINVAL;
2570 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
2571 					  &_flags);
2572 		if (err)
2573 			return err;
2574 
2575 		flags = &_flags;
2576 		change = true;
2577 	}
2578 
2579 	if (flags && (*flags & MONITOR_FLAG_ACTIVE) &&
2580 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
2581 		return -EOPNOTSUPP;
2582 
2583 	if (change)
2584 		err = cfg80211_change_iface(rdev, dev, ntype, flags, &params);
2585 	else
2586 		err = 0;
2587 
2588 	if (!err && params.use_4addr != -1)
2589 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
2590 
2591 	return err;
2592 }
2593 
2594 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
2595 {
2596 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2597 	struct vif_params params;
2598 	struct wireless_dev *wdev;
2599 	struct sk_buff *msg, *event;
2600 	int err;
2601 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
2602 	u32 flags;
2603 
2604 	/* to avoid failing a new interface creation due to pending removal */
2605 	cfg80211_destroy_ifaces(rdev);
2606 
2607 	memset(&params, 0, sizeof(params));
2608 
2609 	if (!info->attrs[NL80211_ATTR_IFNAME])
2610 		return -EINVAL;
2611 
2612 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2613 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2614 		if (type > NL80211_IFTYPE_MAX)
2615 			return -EINVAL;
2616 	}
2617 
2618 	if (!rdev->ops->add_virtual_intf ||
2619 	    !(rdev->wiphy.interface_modes & (1 << type)))
2620 		return -EOPNOTSUPP;
2621 
2622 	if ((type == NL80211_IFTYPE_P2P_DEVICE ||
2623 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
2624 	    info->attrs[NL80211_ATTR_MAC]) {
2625 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
2626 			   ETH_ALEN);
2627 		if (!is_valid_ether_addr(params.macaddr))
2628 			return -EADDRNOTAVAIL;
2629 	}
2630 
2631 	if (info->attrs[NL80211_ATTR_4ADDR]) {
2632 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2633 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
2634 		if (err)
2635 			return err;
2636 	}
2637 
2638 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2639 	if (!msg)
2640 		return -ENOMEM;
2641 
2642 	err = parse_monitor_flags(type == NL80211_IFTYPE_MONITOR ?
2643 				  info->attrs[NL80211_ATTR_MNTR_FLAGS] : NULL,
2644 				  &flags);
2645 
2646 	if (!err && (flags & MONITOR_FLAG_ACTIVE) &&
2647 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
2648 		return -EOPNOTSUPP;
2649 
2650 	wdev = rdev_add_virtual_intf(rdev,
2651 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
2652 				type, err ? NULL : &flags, &params);
2653 	if (WARN_ON(!wdev)) {
2654 		nlmsg_free(msg);
2655 		return -EPROTO;
2656 	} else if (IS_ERR(wdev)) {
2657 		nlmsg_free(msg);
2658 		return PTR_ERR(wdev);
2659 	}
2660 
2661 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
2662 		wdev->owner_nlportid = info->snd_portid;
2663 
2664 	switch (type) {
2665 	case NL80211_IFTYPE_MESH_POINT:
2666 		if (!info->attrs[NL80211_ATTR_MESH_ID])
2667 			break;
2668 		wdev_lock(wdev);
2669 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2670 			     IEEE80211_MAX_MESH_ID_LEN);
2671 		wdev->mesh_id_up_len =
2672 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2673 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2674 		       wdev->mesh_id_up_len);
2675 		wdev_unlock(wdev);
2676 		break;
2677 	case NL80211_IFTYPE_P2P_DEVICE:
2678 		/*
2679 		 * P2P Device doesn't have a netdev, so doesn't go
2680 		 * through the netdev notifier and must be added here
2681 		 */
2682 		mutex_init(&wdev->mtx);
2683 		INIT_LIST_HEAD(&wdev->event_list);
2684 		spin_lock_init(&wdev->event_lock);
2685 		INIT_LIST_HEAD(&wdev->mgmt_registrations);
2686 		spin_lock_init(&wdev->mgmt_registrations_lock);
2687 
2688 		wdev->identifier = ++rdev->wdev_id;
2689 		list_add_rcu(&wdev->list, &rdev->wdev_list);
2690 		rdev->devlist_generation++;
2691 		break;
2692 	default:
2693 		break;
2694 	}
2695 
2696 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2697 			       rdev, wdev, false) < 0) {
2698 		nlmsg_free(msg);
2699 		return -ENOBUFS;
2700 	}
2701 
2702 	event = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2703 	if (event) {
2704 		if (nl80211_send_iface(event, 0, 0, 0,
2705 				       rdev, wdev, false) < 0) {
2706 			nlmsg_free(event);
2707 			goto out;
2708 		}
2709 
2710 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
2711 					event, 0, NL80211_MCGRP_CONFIG,
2712 					GFP_KERNEL);
2713 	}
2714 
2715 out:
2716 	return genlmsg_reply(msg, info);
2717 }
2718 
2719 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
2720 {
2721 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2722 	struct wireless_dev *wdev = info->user_ptr[1];
2723 	struct sk_buff *msg;
2724 	int status;
2725 
2726 	if (!rdev->ops->del_virtual_intf)
2727 		return -EOPNOTSUPP;
2728 
2729 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2730 	if (msg && nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, true) < 0) {
2731 		nlmsg_free(msg);
2732 		msg = NULL;
2733 	}
2734 
2735 	/*
2736 	 * If we remove a wireless device without a netdev then clear
2737 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
2738 	 * to check if it needs to do dev_put(). Otherwise it crashes
2739 	 * since the wdev has been freed, unlike with a netdev where
2740 	 * we need the dev_put() for the netdev to really be freed.
2741 	 */
2742 	if (!wdev->netdev)
2743 		info->user_ptr[1] = NULL;
2744 
2745 	status = rdev_del_virtual_intf(rdev, wdev);
2746 	if (status >= 0 && msg)
2747 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
2748 					msg, 0, NL80211_MCGRP_CONFIG,
2749 					GFP_KERNEL);
2750 	else
2751 		nlmsg_free(msg);
2752 
2753 	return status;
2754 }
2755 
2756 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
2757 {
2758 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2759 	struct net_device *dev = info->user_ptr[1];
2760 	u16 noack_map;
2761 
2762 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
2763 		return -EINVAL;
2764 
2765 	if (!rdev->ops->set_noack_map)
2766 		return -EOPNOTSUPP;
2767 
2768 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
2769 
2770 	return rdev_set_noack_map(rdev, dev, noack_map);
2771 }
2772 
2773 struct get_key_cookie {
2774 	struct sk_buff *msg;
2775 	int error;
2776 	int idx;
2777 };
2778 
2779 static void get_key_callback(void *c, struct key_params *params)
2780 {
2781 	struct nlattr *key;
2782 	struct get_key_cookie *cookie = c;
2783 
2784 	if ((params->key &&
2785 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
2786 		     params->key_len, params->key)) ||
2787 	    (params->seq &&
2788 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
2789 		     params->seq_len, params->seq)) ||
2790 	    (params->cipher &&
2791 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
2792 			 params->cipher)))
2793 		goto nla_put_failure;
2794 
2795 	key = nla_nest_start(cookie->msg, NL80211_ATTR_KEY);
2796 	if (!key)
2797 		goto nla_put_failure;
2798 
2799 	if ((params->key &&
2800 	     nla_put(cookie->msg, NL80211_KEY_DATA,
2801 		     params->key_len, params->key)) ||
2802 	    (params->seq &&
2803 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
2804 		     params->seq_len, params->seq)) ||
2805 	    (params->cipher &&
2806 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
2807 			 params->cipher)))
2808 		goto nla_put_failure;
2809 
2810 	if (nla_put_u8(cookie->msg, NL80211_ATTR_KEY_IDX, cookie->idx))
2811 		goto nla_put_failure;
2812 
2813 	nla_nest_end(cookie->msg, key);
2814 
2815 	return;
2816  nla_put_failure:
2817 	cookie->error = 1;
2818 }
2819 
2820 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
2821 {
2822 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2823 	int err;
2824 	struct net_device *dev = info->user_ptr[1];
2825 	u8 key_idx = 0;
2826 	const u8 *mac_addr = NULL;
2827 	bool pairwise;
2828 	struct get_key_cookie cookie = {
2829 		.error = 0,
2830 	};
2831 	void *hdr;
2832 	struct sk_buff *msg;
2833 
2834 	if (info->attrs[NL80211_ATTR_KEY_IDX])
2835 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
2836 
2837 	if (key_idx > 5)
2838 		return -EINVAL;
2839 
2840 	if (info->attrs[NL80211_ATTR_MAC])
2841 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2842 
2843 	pairwise = !!mac_addr;
2844 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
2845 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
2846 		if (kt >= NUM_NL80211_KEYTYPES)
2847 			return -EINVAL;
2848 		if (kt != NL80211_KEYTYPE_GROUP &&
2849 		    kt != NL80211_KEYTYPE_PAIRWISE)
2850 			return -EINVAL;
2851 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
2852 	}
2853 
2854 	if (!rdev->ops->get_key)
2855 		return -EOPNOTSUPP;
2856 
2857 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2858 		return -ENOENT;
2859 
2860 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2861 	if (!msg)
2862 		return -ENOMEM;
2863 
2864 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
2865 			     NL80211_CMD_NEW_KEY);
2866 	if (!hdr)
2867 		goto nla_put_failure;
2868 
2869 	cookie.msg = msg;
2870 	cookie.idx = key_idx;
2871 
2872 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2873 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
2874 		goto nla_put_failure;
2875 	if (mac_addr &&
2876 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
2877 		goto nla_put_failure;
2878 
2879 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
2880 			   get_key_callback);
2881 
2882 	if (err)
2883 		goto free_msg;
2884 
2885 	if (cookie.error)
2886 		goto nla_put_failure;
2887 
2888 	genlmsg_end(msg, hdr);
2889 	return genlmsg_reply(msg, info);
2890 
2891  nla_put_failure:
2892 	err = -ENOBUFS;
2893  free_msg:
2894 	nlmsg_free(msg);
2895 	return err;
2896 }
2897 
2898 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
2899 {
2900 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2901 	struct key_parse key;
2902 	int err;
2903 	struct net_device *dev = info->user_ptr[1];
2904 
2905 	err = nl80211_parse_key(info, &key);
2906 	if (err)
2907 		return err;
2908 
2909 	if (key.idx < 0)
2910 		return -EINVAL;
2911 
2912 	/* only support setting default key */
2913 	if (!key.def && !key.defmgmt)
2914 		return -EINVAL;
2915 
2916 	wdev_lock(dev->ieee80211_ptr);
2917 
2918 	if (key.def) {
2919 		if (!rdev->ops->set_default_key) {
2920 			err = -EOPNOTSUPP;
2921 			goto out;
2922 		}
2923 
2924 		err = nl80211_key_allowed(dev->ieee80211_ptr);
2925 		if (err)
2926 			goto out;
2927 
2928 		err = rdev_set_default_key(rdev, dev, key.idx,
2929 						 key.def_uni, key.def_multi);
2930 
2931 		if (err)
2932 			goto out;
2933 
2934 #ifdef CONFIG_CFG80211_WEXT
2935 		dev->ieee80211_ptr->wext.default_key = key.idx;
2936 #endif
2937 	} else {
2938 		if (key.def_uni || !key.def_multi) {
2939 			err = -EINVAL;
2940 			goto out;
2941 		}
2942 
2943 		if (!rdev->ops->set_default_mgmt_key) {
2944 			err = -EOPNOTSUPP;
2945 			goto out;
2946 		}
2947 
2948 		err = nl80211_key_allowed(dev->ieee80211_ptr);
2949 		if (err)
2950 			goto out;
2951 
2952 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
2953 		if (err)
2954 			goto out;
2955 
2956 #ifdef CONFIG_CFG80211_WEXT
2957 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
2958 #endif
2959 	}
2960 
2961  out:
2962 	wdev_unlock(dev->ieee80211_ptr);
2963 
2964 	return err;
2965 }
2966 
2967 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
2968 {
2969 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2970 	int err;
2971 	struct net_device *dev = info->user_ptr[1];
2972 	struct key_parse key;
2973 	const u8 *mac_addr = NULL;
2974 
2975 	err = nl80211_parse_key(info, &key);
2976 	if (err)
2977 		return err;
2978 
2979 	if (!key.p.key)
2980 		return -EINVAL;
2981 
2982 	if (info->attrs[NL80211_ATTR_MAC])
2983 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2984 
2985 	if (key.type == -1) {
2986 		if (mac_addr)
2987 			key.type = NL80211_KEYTYPE_PAIRWISE;
2988 		else
2989 			key.type = NL80211_KEYTYPE_GROUP;
2990 	}
2991 
2992 	/* for now */
2993 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
2994 	    key.type != NL80211_KEYTYPE_GROUP)
2995 		return -EINVAL;
2996 
2997 	if (!rdev->ops->add_key)
2998 		return -EOPNOTSUPP;
2999 
3000 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
3001 					   key.type == NL80211_KEYTYPE_PAIRWISE,
3002 					   mac_addr))
3003 		return -EINVAL;
3004 
3005 	wdev_lock(dev->ieee80211_ptr);
3006 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3007 	if (!err)
3008 		err = rdev_add_key(rdev, dev, key.idx,
3009 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3010 				    mac_addr, &key.p);
3011 	wdev_unlock(dev->ieee80211_ptr);
3012 
3013 	return err;
3014 }
3015 
3016 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
3017 {
3018 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3019 	int err;
3020 	struct net_device *dev = info->user_ptr[1];
3021 	u8 *mac_addr = NULL;
3022 	struct key_parse key;
3023 
3024 	err = nl80211_parse_key(info, &key);
3025 	if (err)
3026 		return err;
3027 
3028 	if (info->attrs[NL80211_ATTR_MAC])
3029 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3030 
3031 	if (key.type == -1) {
3032 		if (mac_addr)
3033 			key.type = NL80211_KEYTYPE_PAIRWISE;
3034 		else
3035 			key.type = NL80211_KEYTYPE_GROUP;
3036 	}
3037 
3038 	/* for now */
3039 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3040 	    key.type != NL80211_KEYTYPE_GROUP)
3041 		return -EINVAL;
3042 
3043 	if (!rdev->ops->del_key)
3044 		return -EOPNOTSUPP;
3045 
3046 	wdev_lock(dev->ieee80211_ptr);
3047 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3048 
3049 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
3050 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3051 		err = -ENOENT;
3052 
3053 	if (!err)
3054 		err = rdev_del_key(rdev, dev, key.idx,
3055 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3056 				   mac_addr);
3057 
3058 #ifdef CONFIG_CFG80211_WEXT
3059 	if (!err) {
3060 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
3061 			dev->ieee80211_ptr->wext.default_key = -1;
3062 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
3063 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
3064 	}
3065 #endif
3066 	wdev_unlock(dev->ieee80211_ptr);
3067 
3068 	return err;
3069 }
3070 
3071 /* This function returns an error or the number of nested attributes */
3072 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
3073 {
3074 	struct nlattr *attr;
3075 	int n_entries = 0, tmp;
3076 
3077 	nla_for_each_nested(attr, nl_attr, tmp) {
3078 		if (nla_len(attr) != ETH_ALEN)
3079 			return -EINVAL;
3080 
3081 		n_entries++;
3082 	}
3083 
3084 	return n_entries;
3085 }
3086 
3087 /*
3088  * This function parses ACL information and allocates memory for ACL data.
3089  * On successful return, the calling function is responsible to free the
3090  * ACL buffer returned by this function.
3091  */
3092 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
3093 						struct genl_info *info)
3094 {
3095 	enum nl80211_acl_policy acl_policy;
3096 	struct nlattr *attr;
3097 	struct cfg80211_acl_data *acl;
3098 	int i = 0, n_entries, tmp;
3099 
3100 	if (!wiphy->max_acl_mac_addrs)
3101 		return ERR_PTR(-EOPNOTSUPP);
3102 
3103 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
3104 		return ERR_PTR(-EINVAL);
3105 
3106 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
3107 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
3108 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
3109 		return ERR_PTR(-EINVAL);
3110 
3111 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
3112 		return ERR_PTR(-EINVAL);
3113 
3114 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
3115 	if (n_entries < 0)
3116 		return ERR_PTR(n_entries);
3117 
3118 	if (n_entries > wiphy->max_acl_mac_addrs)
3119 		return ERR_PTR(-ENOTSUPP);
3120 
3121 	acl = kzalloc(sizeof(*acl) + (sizeof(struct mac_address) * n_entries),
3122 		      GFP_KERNEL);
3123 	if (!acl)
3124 		return ERR_PTR(-ENOMEM);
3125 
3126 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
3127 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
3128 		i++;
3129 	}
3130 
3131 	acl->n_acl_entries = n_entries;
3132 	acl->acl_policy = acl_policy;
3133 
3134 	return acl;
3135 }
3136 
3137 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
3138 {
3139 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3140 	struct net_device *dev = info->user_ptr[1];
3141 	struct cfg80211_acl_data *acl;
3142 	int err;
3143 
3144 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3145 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3146 		return -EOPNOTSUPP;
3147 
3148 	if (!dev->ieee80211_ptr->beacon_interval)
3149 		return -EINVAL;
3150 
3151 	acl = parse_acl_data(&rdev->wiphy, info);
3152 	if (IS_ERR(acl))
3153 		return PTR_ERR(acl);
3154 
3155 	err = rdev_set_mac_acl(rdev, dev, acl);
3156 
3157 	kfree(acl);
3158 
3159 	return err;
3160 }
3161 
3162 static int nl80211_parse_beacon(struct nlattr *attrs[],
3163 				struct cfg80211_beacon_data *bcn)
3164 {
3165 	bool haveinfo = false;
3166 
3167 	if (!is_valid_ie_attr(attrs[NL80211_ATTR_BEACON_TAIL]) ||
3168 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE]) ||
3169 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE_PROBE_RESP]) ||
3170 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE_ASSOC_RESP]))
3171 		return -EINVAL;
3172 
3173 	memset(bcn, 0, sizeof(*bcn));
3174 
3175 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
3176 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
3177 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
3178 		if (!bcn->head_len)
3179 			return -EINVAL;
3180 		haveinfo = true;
3181 	}
3182 
3183 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
3184 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
3185 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
3186 		haveinfo = true;
3187 	}
3188 
3189 	if (!haveinfo)
3190 		return -EINVAL;
3191 
3192 	if (attrs[NL80211_ATTR_IE]) {
3193 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
3194 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
3195 	}
3196 
3197 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
3198 		bcn->proberesp_ies =
3199 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
3200 		bcn->proberesp_ies_len =
3201 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
3202 	}
3203 
3204 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
3205 		bcn->assocresp_ies =
3206 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
3207 		bcn->assocresp_ies_len =
3208 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
3209 	}
3210 
3211 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
3212 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
3213 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
3214 	}
3215 
3216 	return 0;
3217 }
3218 
3219 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
3220 				   struct cfg80211_ap_settings *params)
3221 {
3222 	struct wireless_dev *wdev;
3223 	bool ret = false;
3224 
3225 	list_for_each_entry(wdev, &rdev->wdev_list, list) {
3226 		if (wdev->iftype != NL80211_IFTYPE_AP &&
3227 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
3228 			continue;
3229 
3230 		if (!wdev->preset_chandef.chan)
3231 			continue;
3232 
3233 		params->chandef = wdev->preset_chandef;
3234 		ret = true;
3235 		break;
3236 	}
3237 
3238 	return ret;
3239 }
3240 
3241 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
3242 				    enum nl80211_auth_type auth_type,
3243 				    enum nl80211_commands cmd)
3244 {
3245 	if (auth_type > NL80211_AUTHTYPE_MAX)
3246 		return false;
3247 
3248 	switch (cmd) {
3249 	case NL80211_CMD_AUTHENTICATE:
3250 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
3251 		    auth_type == NL80211_AUTHTYPE_SAE)
3252 			return false;
3253 		return true;
3254 	case NL80211_CMD_CONNECT:
3255 	case NL80211_CMD_START_AP:
3256 		/* SAE not supported yet */
3257 		if (auth_type == NL80211_AUTHTYPE_SAE)
3258 			return false;
3259 		return true;
3260 	default:
3261 		return false;
3262 	}
3263 }
3264 
3265 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
3266 {
3267 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3268 	struct net_device *dev = info->user_ptr[1];
3269 	struct wireless_dev *wdev = dev->ieee80211_ptr;
3270 	struct cfg80211_ap_settings params;
3271 	int err;
3272 
3273 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3274 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3275 		return -EOPNOTSUPP;
3276 
3277 	if (!rdev->ops->start_ap)
3278 		return -EOPNOTSUPP;
3279 
3280 	if (wdev->beacon_interval)
3281 		return -EALREADY;
3282 
3283 	memset(&params, 0, sizeof(params));
3284 
3285 	/* these are required for START_AP */
3286 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
3287 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
3288 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
3289 		return -EINVAL;
3290 
3291 	err = nl80211_parse_beacon(info->attrs, &params.beacon);
3292 	if (err)
3293 		return err;
3294 
3295 	params.beacon_interval =
3296 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
3297 	params.dtim_period =
3298 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
3299 
3300 	err = cfg80211_validate_beacon_int(rdev, params.beacon_interval);
3301 	if (err)
3302 		return err;
3303 
3304 	/*
3305 	 * In theory, some of these attributes should be required here
3306 	 * but since they were not used when the command was originally
3307 	 * added, keep them optional for old user space programs to let
3308 	 * them continue to work with drivers that do not need the
3309 	 * additional information -- drivers must check!
3310 	 */
3311 	if (info->attrs[NL80211_ATTR_SSID]) {
3312 		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
3313 		params.ssid_len =
3314 			nla_len(info->attrs[NL80211_ATTR_SSID]);
3315 		if (params.ssid_len == 0 ||
3316 		    params.ssid_len > IEEE80211_MAX_SSID_LEN)
3317 			return -EINVAL;
3318 	}
3319 
3320 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID]) {
3321 		params.hidden_ssid = nla_get_u32(
3322 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
3323 		if (params.hidden_ssid != NL80211_HIDDEN_SSID_NOT_IN_USE &&
3324 		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_LEN &&
3325 		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_CONTENTS)
3326 			return -EINVAL;
3327 	}
3328 
3329 	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
3330 
3331 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
3332 		params.auth_type = nla_get_u32(
3333 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
3334 		if (!nl80211_valid_auth_type(rdev, params.auth_type,
3335 					     NL80211_CMD_START_AP))
3336 			return -EINVAL;
3337 	} else
3338 		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
3339 
3340 	err = nl80211_crypto_settings(rdev, info, &params.crypto,
3341 				      NL80211_MAX_NR_CIPHER_SUITES);
3342 	if (err)
3343 		return err;
3344 
3345 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
3346 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
3347 			return -EOPNOTSUPP;
3348 		params.inactivity_timeout = nla_get_u16(
3349 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
3350 	}
3351 
3352 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
3353 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3354 			return -EINVAL;
3355 		params.p2p_ctwindow =
3356 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
3357 		if (params.p2p_ctwindow > 127)
3358 			return -EINVAL;
3359 		if (params.p2p_ctwindow != 0 &&
3360 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
3361 			return -EINVAL;
3362 	}
3363 
3364 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
3365 		u8 tmp;
3366 
3367 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3368 			return -EINVAL;
3369 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
3370 		if (tmp > 1)
3371 			return -EINVAL;
3372 		params.p2p_opp_ps = tmp;
3373 		if (params.p2p_opp_ps != 0 &&
3374 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
3375 			return -EINVAL;
3376 	}
3377 
3378 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3379 		err = nl80211_parse_chandef(rdev, info, &params.chandef);
3380 		if (err)
3381 			return err;
3382 	} else if (wdev->preset_chandef.chan) {
3383 		params.chandef = wdev->preset_chandef;
3384 	} else if (!nl80211_get_ap_channel(rdev, &params))
3385 		return -EINVAL;
3386 
3387 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &params.chandef,
3388 				     wdev->iftype))
3389 		return -EINVAL;
3390 
3391 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
3392 		params.acl = parse_acl_data(&rdev->wiphy, info);
3393 		if (IS_ERR(params.acl))
3394 			return PTR_ERR(params.acl);
3395 	}
3396 
3397 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
3398 		params.smps_mode =
3399 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
3400 		switch (params.smps_mode) {
3401 		case NL80211_SMPS_OFF:
3402 			break;
3403 		case NL80211_SMPS_STATIC:
3404 			if (!(rdev->wiphy.features &
3405 			      NL80211_FEATURE_STATIC_SMPS))
3406 				return -EINVAL;
3407 			break;
3408 		case NL80211_SMPS_DYNAMIC:
3409 			if (!(rdev->wiphy.features &
3410 			      NL80211_FEATURE_DYNAMIC_SMPS))
3411 				return -EINVAL;
3412 			break;
3413 		default:
3414 			return -EINVAL;
3415 		}
3416 	} else {
3417 		params.smps_mode = NL80211_SMPS_OFF;
3418 	}
3419 
3420 	wdev_lock(wdev);
3421 	err = rdev_start_ap(rdev, dev, &params);
3422 	if (!err) {
3423 		wdev->preset_chandef = params.chandef;
3424 		wdev->beacon_interval = params.beacon_interval;
3425 		wdev->chandef = params.chandef;
3426 		wdev->ssid_len = params.ssid_len;
3427 		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
3428 	}
3429 	wdev_unlock(wdev);
3430 
3431 	kfree(params.acl);
3432 
3433 	return err;
3434 }
3435 
3436 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
3437 {
3438 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3439 	struct net_device *dev = info->user_ptr[1];
3440 	struct wireless_dev *wdev = dev->ieee80211_ptr;
3441 	struct cfg80211_beacon_data params;
3442 	int err;
3443 
3444 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3445 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3446 		return -EOPNOTSUPP;
3447 
3448 	if (!rdev->ops->change_beacon)
3449 		return -EOPNOTSUPP;
3450 
3451 	if (!wdev->beacon_interval)
3452 		return -EINVAL;
3453 
3454 	err = nl80211_parse_beacon(info->attrs, &params);
3455 	if (err)
3456 		return err;
3457 
3458 	wdev_lock(wdev);
3459 	err = rdev_change_beacon(rdev, dev, &params);
3460 	wdev_unlock(wdev);
3461 
3462 	return err;
3463 }
3464 
3465 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
3466 {
3467 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3468 	struct net_device *dev = info->user_ptr[1];
3469 
3470 	return cfg80211_stop_ap(rdev, dev, false);
3471 }
3472 
3473 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
3474 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
3475 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
3476 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
3477 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
3478 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
3479 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
3480 };
3481 
3482 static int parse_station_flags(struct genl_info *info,
3483 			       enum nl80211_iftype iftype,
3484 			       struct station_parameters *params)
3485 {
3486 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
3487 	struct nlattr *nla;
3488 	int flag;
3489 
3490 	/*
3491 	 * Try parsing the new attribute first so userspace
3492 	 * can specify both for older kernels.
3493 	 */
3494 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
3495 	if (nla) {
3496 		struct nl80211_sta_flag_update *sta_flags;
3497 
3498 		sta_flags = nla_data(nla);
3499 		params->sta_flags_mask = sta_flags->mask;
3500 		params->sta_flags_set = sta_flags->set;
3501 		params->sta_flags_set &= params->sta_flags_mask;
3502 		if ((params->sta_flags_mask |
3503 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
3504 			return -EINVAL;
3505 		return 0;
3506 	}
3507 
3508 	/* if present, parse the old attribute */
3509 
3510 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
3511 	if (!nla)
3512 		return 0;
3513 
3514 	if (nla_parse_nested(flags, NL80211_STA_FLAG_MAX,
3515 			     nla, sta_flags_policy))
3516 		return -EINVAL;
3517 
3518 	/*
3519 	 * Only allow certain flags for interface types so that
3520 	 * other attributes are silently ignored. Remember that
3521 	 * this is backward compatibility code with old userspace
3522 	 * and shouldn't be hit in other cases anyway.
3523 	 */
3524 	switch (iftype) {
3525 	case NL80211_IFTYPE_AP:
3526 	case NL80211_IFTYPE_AP_VLAN:
3527 	case NL80211_IFTYPE_P2P_GO:
3528 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
3529 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
3530 					 BIT(NL80211_STA_FLAG_WME) |
3531 					 BIT(NL80211_STA_FLAG_MFP);
3532 		break;
3533 	case NL80211_IFTYPE_P2P_CLIENT:
3534 	case NL80211_IFTYPE_STATION:
3535 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
3536 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
3537 		break;
3538 	case NL80211_IFTYPE_MESH_POINT:
3539 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3540 					 BIT(NL80211_STA_FLAG_MFP) |
3541 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
3542 	default:
3543 		return -EINVAL;
3544 	}
3545 
3546 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
3547 		if (flags[flag]) {
3548 			params->sta_flags_set |= (1<<flag);
3549 
3550 			/* no longer support new API additions in old API */
3551 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
3552 				return -EINVAL;
3553 		}
3554 	}
3555 
3556 	return 0;
3557 }
3558 
3559 static bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info,
3560 				 int attr)
3561 {
3562 	struct nlattr *rate;
3563 	u32 bitrate;
3564 	u16 bitrate_compat;
3565 
3566 	rate = nla_nest_start(msg, attr);
3567 	if (!rate)
3568 		return false;
3569 
3570 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
3571 	bitrate = cfg80211_calculate_bitrate(info);
3572 	/* report 16-bit bitrate only if we can */
3573 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
3574 	if (bitrate > 0 &&
3575 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
3576 		return false;
3577 	if (bitrate_compat > 0 &&
3578 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
3579 		return false;
3580 
3581 	if (info->flags & RATE_INFO_FLAGS_MCS) {
3582 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
3583 			return false;
3584 		if (info->flags & RATE_INFO_FLAGS_40_MHZ_WIDTH &&
3585 		    nla_put_flag(msg, NL80211_RATE_INFO_40_MHZ_WIDTH))
3586 			return false;
3587 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3588 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3589 			return false;
3590 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
3591 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
3592 			return false;
3593 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
3594 			return false;
3595 		if (info->flags & RATE_INFO_FLAGS_40_MHZ_WIDTH &&
3596 		    nla_put_flag(msg, NL80211_RATE_INFO_40_MHZ_WIDTH))
3597 			return false;
3598 		if (info->flags & RATE_INFO_FLAGS_80_MHZ_WIDTH &&
3599 		    nla_put_flag(msg, NL80211_RATE_INFO_80_MHZ_WIDTH))
3600 			return false;
3601 		if (info->flags & RATE_INFO_FLAGS_80P80_MHZ_WIDTH &&
3602 		    nla_put_flag(msg, NL80211_RATE_INFO_80P80_MHZ_WIDTH))
3603 			return false;
3604 		if (info->flags & RATE_INFO_FLAGS_160_MHZ_WIDTH &&
3605 		    nla_put_flag(msg, NL80211_RATE_INFO_160_MHZ_WIDTH))
3606 			return false;
3607 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3608 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3609 			return false;
3610 	}
3611 
3612 	nla_nest_end(msg, rate);
3613 	return true;
3614 }
3615 
3616 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
3617 			       int id)
3618 {
3619 	void *attr;
3620 	int i = 0;
3621 
3622 	if (!mask)
3623 		return true;
3624 
3625 	attr = nla_nest_start(msg, id);
3626 	if (!attr)
3627 		return false;
3628 
3629 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
3630 		if (!(mask & BIT(i)))
3631 			continue;
3632 
3633 		if (nla_put_u8(msg, i, signal[i]))
3634 			return false;
3635 	}
3636 
3637 	nla_nest_end(msg, attr);
3638 
3639 	return true;
3640 }
3641 
3642 static int nl80211_send_station(struct sk_buff *msg, u32 portid, u32 seq,
3643 				int flags,
3644 				struct cfg80211_registered_device *rdev,
3645 				struct net_device *dev,
3646 				const u8 *mac_addr, struct station_info *sinfo)
3647 {
3648 	void *hdr;
3649 	struct nlattr *sinfoattr, *bss_param;
3650 
3651 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_STATION);
3652 	if (!hdr)
3653 		return -1;
3654 
3655 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3656 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
3657 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
3658 		goto nla_put_failure;
3659 
3660 	sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
3661 	if (!sinfoattr)
3662 		goto nla_put_failure;
3663 	if ((sinfo->filled & STATION_INFO_CONNECTED_TIME) &&
3664 	    nla_put_u32(msg, NL80211_STA_INFO_CONNECTED_TIME,
3665 			sinfo->connected_time))
3666 		goto nla_put_failure;
3667 	if ((sinfo->filled & STATION_INFO_INACTIVE_TIME) &&
3668 	    nla_put_u32(msg, NL80211_STA_INFO_INACTIVE_TIME,
3669 			sinfo->inactive_time))
3670 		goto nla_put_failure;
3671 	if ((sinfo->filled & (STATION_INFO_RX_BYTES |
3672 			      STATION_INFO_RX_BYTES64)) &&
3673 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
3674 			(u32)sinfo->rx_bytes))
3675 		goto nla_put_failure;
3676 	if ((sinfo->filled & (STATION_INFO_TX_BYTES |
3677 			      STATION_INFO_TX_BYTES64)) &&
3678 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
3679 			(u32)sinfo->tx_bytes))
3680 		goto nla_put_failure;
3681 	if ((sinfo->filled & STATION_INFO_RX_BYTES64) &&
3682 	    nla_put_u64(msg, NL80211_STA_INFO_RX_BYTES64,
3683 			sinfo->rx_bytes))
3684 		goto nla_put_failure;
3685 	if ((sinfo->filled & STATION_INFO_TX_BYTES64) &&
3686 	    nla_put_u64(msg, NL80211_STA_INFO_TX_BYTES64,
3687 			sinfo->tx_bytes))
3688 		goto nla_put_failure;
3689 	if ((sinfo->filled & STATION_INFO_LLID) &&
3690 	    nla_put_u16(msg, NL80211_STA_INFO_LLID, sinfo->llid))
3691 		goto nla_put_failure;
3692 	if ((sinfo->filled & STATION_INFO_PLID) &&
3693 	    nla_put_u16(msg, NL80211_STA_INFO_PLID, sinfo->plid))
3694 		goto nla_put_failure;
3695 	if ((sinfo->filled & STATION_INFO_PLINK_STATE) &&
3696 	    nla_put_u8(msg, NL80211_STA_INFO_PLINK_STATE,
3697 		       sinfo->plink_state))
3698 		goto nla_put_failure;
3699 	switch (rdev->wiphy.signal_type) {
3700 	case CFG80211_SIGNAL_TYPE_MBM:
3701 		if ((sinfo->filled & STATION_INFO_SIGNAL) &&
3702 		    nla_put_u8(msg, NL80211_STA_INFO_SIGNAL,
3703 			       sinfo->signal))
3704 			goto nla_put_failure;
3705 		if ((sinfo->filled & STATION_INFO_SIGNAL_AVG) &&
3706 		    nla_put_u8(msg, NL80211_STA_INFO_SIGNAL_AVG,
3707 			       sinfo->signal_avg))
3708 			goto nla_put_failure;
3709 		break;
3710 	default:
3711 		break;
3712 	}
3713 	if (sinfo->filled & STATION_INFO_CHAIN_SIGNAL) {
3714 		if (!nl80211_put_signal(msg, sinfo->chains,
3715 					sinfo->chain_signal,
3716 					NL80211_STA_INFO_CHAIN_SIGNAL))
3717 			goto nla_put_failure;
3718 	}
3719 	if (sinfo->filled & STATION_INFO_CHAIN_SIGNAL_AVG) {
3720 		if (!nl80211_put_signal(msg, sinfo->chains,
3721 					sinfo->chain_signal_avg,
3722 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
3723 			goto nla_put_failure;
3724 	}
3725 	if (sinfo->filled & STATION_INFO_TX_BITRATE) {
3726 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
3727 					  NL80211_STA_INFO_TX_BITRATE))
3728 			goto nla_put_failure;
3729 	}
3730 	if (sinfo->filled & STATION_INFO_RX_BITRATE) {
3731 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
3732 					  NL80211_STA_INFO_RX_BITRATE))
3733 			goto nla_put_failure;
3734 	}
3735 	if ((sinfo->filled & STATION_INFO_RX_PACKETS) &&
3736 	    nla_put_u32(msg, NL80211_STA_INFO_RX_PACKETS,
3737 			sinfo->rx_packets))
3738 		goto nla_put_failure;
3739 	if ((sinfo->filled & STATION_INFO_TX_PACKETS) &&
3740 	    nla_put_u32(msg, NL80211_STA_INFO_TX_PACKETS,
3741 			sinfo->tx_packets))
3742 		goto nla_put_failure;
3743 	if ((sinfo->filled & STATION_INFO_TX_RETRIES) &&
3744 	    nla_put_u32(msg, NL80211_STA_INFO_TX_RETRIES,
3745 			sinfo->tx_retries))
3746 		goto nla_put_failure;
3747 	if ((sinfo->filled & STATION_INFO_TX_FAILED) &&
3748 	    nla_put_u32(msg, NL80211_STA_INFO_TX_FAILED,
3749 			sinfo->tx_failed))
3750 		goto nla_put_failure;
3751 	if ((sinfo->filled & STATION_INFO_EXPECTED_THROUGHPUT) &&
3752 	    nla_put_u32(msg, NL80211_STA_INFO_EXPECTED_THROUGHPUT,
3753 			sinfo->expected_throughput))
3754 		goto nla_put_failure;
3755 	if ((sinfo->filled & STATION_INFO_BEACON_LOSS_COUNT) &&
3756 	    nla_put_u32(msg, NL80211_STA_INFO_BEACON_LOSS,
3757 			sinfo->beacon_loss_count))
3758 		goto nla_put_failure;
3759 	if ((sinfo->filled & STATION_INFO_LOCAL_PM) &&
3760 	    nla_put_u32(msg, NL80211_STA_INFO_LOCAL_PM,
3761 			sinfo->local_pm))
3762 		goto nla_put_failure;
3763 	if ((sinfo->filled & STATION_INFO_PEER_PM) &&
3764 	    nla_put_u32(msg, NL80211_STA_INFO_PEER_PM,
3765 			sinfo->peer_pm))
3766 		goto nla_put_failure;
3767 	if ((sinfo->filled & STATION_INFO_NONPEER_PM) &&
3768 	    nla_put_u32(msg, NL80211_STA_INFO_NONPEER_PM,
3769 			sinfo->nonpeer_pm))
3770 		goto nla_put_failure;
3771 	if (sinfo->filled & STATION_INFO_BSS_PARAM) {
3772 		bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
3773 		if (!bss_param)
3774 			goto nla_put_failure;
3775 
3776 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
3777 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
3778 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
3779 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
3780 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
3781 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
3782 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
3783 			       sinfo->bss_param.dtim_period) ||
3784 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
3785 				sinfo->bss_param.beacon_interval))
3786 			goto nla_put_failure;
3787 
3788 		nla_nest_end(msg, bss_param);
3789 	}
3790 	if ((sinfo->filled & STATION_INFO_STA_FLAGS) &&
3791 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
3792 		    sizeof(struct nl80211_sta_flag_update),
3793 		    &sinfo->sta_flags))
3794 		goto nla_put_failure;
3795 	if ((sinfo->filled & STATION_INFO_T_OFFSET) &&
3796 		nla_put_u64(msg, NL80211_STA_INFO_T_OFFSET,
3797 			    sinfo->t_offset))
3798 		goto nla_put_failure;
3799 	nla_nest_end(msg, sinfoattr);
3800 
3801 	if ((sinfo->filled & STATION_INFO_ASSOC_REQ_IES) &&
3802 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
3803 		    sinfo->assoc_req_ies))
3804 		goto nla_put_failure;
3805 
3806 	return genlmsg_end(msg, hdr);
3807 
3808  nla_put_failure:
3809 	genlmsg_cancel(msg, hdr);
3810 	return -EMSGSIZE;
3811 }
3812 
3813 static int nl80211_dump_station(struct sk_buff *skb,
3814 				struct netlink_callback *cb)
3815 {
3816 	struct station_info sinfo;
3817 	struct cfg80211_registered_device *rdev;
3818 	struct wireless_dev *wdev;
3819 	u8 mac_addr[ETH_ALEN];
3820 	int sta_idx = cb->args[2];
3821 	int err;
3822 
3823 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
3824 	if (err)
3825 		return err;
3826 
3827 	if (!wdev->netdev) {
3828 		err = -EINVAL;
3829 		goto out_err;
3830 	}
3831 
3832 	if (!rdev->ops->dump_station) {
3833 		err = -EOPNOTSUPP;
3834 		goto out_err;
3835 	}
3836 
3837 	while (1) {
3838 		memset(&sinfo, 0, sizeof(sinfo));
3839 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
3840 					mac_addr, &sinfo);
3841 		if (err == -ENOENT)
3842 			break;
3843 		if (err)
3844 			goto out_err;
3845 
3846 		if (nl80211_send_station(skb,
3847 				NETLINK_CB(cb->skb).portid,
3848 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
3849 				rdev, wdev->netdev, mac_addr,
3850 				&sinfo) < 0)
3851 			goto out;
3852 
3853 		sta_idx++;
3854 	}
3855 
3856 
3857  out:
3858 	cb->args[2] = sta_idx;
3859 	err = skb->len;
3860  out_err:
3861 	nl80211_finish_wdev_dump(rdev);
3862 
3863 	return err;
3864 }
3865 
3866 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
3867 {
3868 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3869 	struct net_device *dev = info->user_ptr[1];
3870 	struct station_info sinfo;
3871 	struct sk_buff *msg;
3872 	u8 *mac_addr = NULL;
3873 	int err;
3874 
3875 	memset(&sinfo, 0, sizeof(sinfo));
3876 
3877 	if (!info->attrs[NL80211_ATTR_MAC])
3878 		return -EINVAL;
3879 
3880 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3881 
3882 	if (!rdev->ops->get_station)
3883 		return -EOPNOTSUPP;
3884 
3885 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
3886 	if (err)
3887 		return err;
3888 
3889 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3890 	if (!msg)
3891 		return -ENOMEM;
3892 
3893 	if (nl80211_send_station(msg, info->snd_portid, info->snd_seq, 0,
3894 				 rdev, dev, mac_addr, &sinfo) < 0) {
3895 		nlmsg_free(msg);
3896 		return -ENOBUFS;
3897 	}
3898 
3899 	return genlmsg_reply(msg, info);
3900 }
3901 
3902 int cfg80211_check_station_change(struct wiphy *wiphy,
3903 				  struct station_parameters *params,
3904 				  enum cfg80211_station_type statype)
3905 {
3906 	if (params->listen_interval != -1)
3907 		return -EINVAL;
3908 	if (params->aid &&
3909 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
3910 		return -EINVAL;
3911 
3912 	/* When you run into this, adjust the code below for the new flag */
3913 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
3914 
3915 	switch (statype) {
3916 	case CFG80211_STA_MESH_PEER_KERNEL:
3917 	case CFG80211_STA_MESH_PEER_USER:
3918 		/*
3919 		 * No ignoring the TDLS flag here -- the userspace mesh
3920 		 * code doesn't have the bug of including TDLS in the
3921 		 * mask everywhere.
3922 		 */
3923 		if (params->sta_flags_mask &
3924 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3925 				  BIT(NL80211_STA_FLAG_MFP) |
3926 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
3927 			return -EINVAL;
3928 		break;
3929 	case CFG80211_STA_TDLS_PEER_SETUP:
3930 	case CFG80211_STA_TDLS_PEER_ACTIVE:
3931 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
3932 			return -EINVAL;
3933 		/* ignore since it can't change */
3934 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3935 		break;
3936 	default:
3937 		/* disallow mesh-specific things */
3938 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
3939 			return -EINVAL;
3940 		if (params->local_pm)
3941 			return -EINVAL;
3942 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
3943 			return -EINVAL;
3944 	}
3945 
3946 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
3947 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
3948 		/* TDLS can't be set, ... */
3949 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3950 			return -EINVAL;
3951 		/*
3952 		 * ... but don't bother the driver with it. This works around
3953 		 * a hostapd/wpa_supplicant issue -- it always includes the
3954 		 * TLDS_PEER flag in the mask even for AP mode.
3955 		 */
3956 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3957 	}
3958 
3959 	if (statype != CFG80211_STA_TDLS_PEER_SETUP) {
3960 		/* reject other things that can't change */
3961 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
3962 			return -EINVAL;
3963 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
3964 			return -EINVAL;
3965 		if (params->supported_rates)
3966 			return -EINVAL;
3967 		if (params->ext_capab || params->ht_capa || params->vht_capa)
3968 			return -EINVAL;
3969 	}
3970 
3971 	if (statype != CFG80211_STA_AP_CLIENT) {
3972 		if (params->vlan)
3973 			return -EINVAL;
3974 	}
3975 
3976 	switch (statype) {
3977 	case CFG80211_STA_AP_MLME_CLIENT:
3978 		/* Use this only for authorizing/unauthorizing a station */
3979 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
3980 			return -EOPNOTSUPP;
3981 		break;
3982 	case CFG80211_STA_AP_CLIENT:
3983 		/* accept only the listed bits */
3984 		if (params->sta_flags_mask &
3985 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
3986 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3987 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
3988 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
3989 				  BIT(NL80211_STA_FLAG_WME) |
3990 				  BIT(NL80211_STA_FLAG_MFP)))
3991 			return -EINVAL;
3992 
3993 		/* but authenticated/associated only if driver handles it */
3994 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
3995 		    params->sta_flags_mask &
3996 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3997 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
3998 			return -EINVAL;
3999 		break;
4000 	case CFG80211_STA_IBSS:
4001 	case CFG80211_STA_AP_STA:
4002 		/* reject any changes other than AUTHORIZED */
4003 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
4004 			return -EINVAL;
4005 		break;
4006 	case CFG80211_STA_TDLS_PEER_SETUP:
4007 		/* reject any changes other than AUTHORIZED or WME */
4008 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
4009 					       BIT(NL80211_STA_FLAG_WME)))
4010 			return -EINVAL;
4011 		/* force (at least) rates when authorizing */
4012 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
4013 		    !params->supported_rates)
4014 			return -EINVAL;
4015 		break;
4016 	case CFG80211_STA_TDLS_PEER_ACTIVE:
4017 		/* reject any changes */
4018 		return -EINVAL;
4019 	case CFG80211_STA_MESH_PEER_KERNEL:
4020 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
4021 			return -EINVAL;
4022 		break;
4023 	case CFG80211_STA_MESH_PEER_USER:
4024 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
4025 			return -EINVAL;
4026 		break;
4027 	}
4028 
4029 	return 0;
4030 }
4031 EXPORT_SYMBOL(cfg80211_check_station_change);
4032 
4033 /*
4034  * Get vlan interface making sure it is running and on the right wiphy.
4035  */
4036 static struct net_device *get_vlan(struct genl_info *info,
4037 				   struct cfg80211_registered_device *rdev)
4038 {
4039 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
4040 	struct net_device *v;
4041 	int ret;
4042 
4043 	if (!vlanattr)
4044 		return NULL;
4045 
4046 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
4047 	if (!v)
4048 		return ERR_PTR(-ENODEV);
4049 
4050 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
4051 		ret = -EINVAL;
4052 		goto error;
4053 	}
4054 
4055 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
4056 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4057 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
4058 		ret = -EINVAL;
4059 		goto error;
4060 	}
4061 
4062 	if (!netif_running(v)) {
4063 		ret = -ENETDOWN;
4064 		goto error;
4065 	}
4066 
4067 	return v;
4068  error:
4069 	dev_put(v);
4070 	return ERR_PTR(ret);
4071 }
4072 
4073 static const struct nla_policy
4074 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
4075 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
4076 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
4077 };
4078 
4079 static int nl80211_parse_sta_wme(struct genl_info *info,
4080 				 struct station_parameters *params)
4081 {
4082 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
4083 	struct nlattr *nla;
4084 	int err;
4085 
4086 	/* parse WME attributes if present */
4087 	if (!info->attrs[NL80211_ATTR_STA_WME])
4088 		return 0;
4089 
4090 	nla = info->attrs[NL80211_ATTR_STA_WME];
4091 	err = nla_parse_nested(tb, NL80211_STA_WME_MAX, nla,
4092 			       nl80211_sta_wme_policy);
4093 	if (err)
4094 		return err;
4095 
4096 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
4097 		params->uapsd_queues = nla_get_u8(
4098 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
4099 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
4100 		return -EINVAL;
4101 
4102 	if (tb[NL80211_STA_WME_MAX_SP])
4103 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
4104 
4105 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
4106 		return -EINVAL;
4107 
4108 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
4109 
4110 	return 0;
4111 }
4112 
4113 static int nl80211_parse_sta_channel_info(struct genl_info *info,
4114 				      struct station_parameters *params)
4115 {
4116 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
4117 		params->supported_channels =
4118 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
4119 		params->supported_channels_len =
4120 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
4121 		/*
4122 		 * Need to include at least one (first channel, number of
4123 		 * channels) tuple for each subband, and must have proper
4124 		 * tuples for the rest of the data as well.
4125 		 */
4126 		if (params->supported_channels_len < 2)
4127 			return -EINVAL;
4128 		if (params->supported_channels_len % 2)
4129 			return -EINVAL;
4130 	}
4131 
4132 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
4133 		params->supported_oper_classes =
4134 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
4135 		params->supported_oper_classes_len =
4136 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
4137 		/*
4138 		 * The value of the Length field of the Supported Operating
4139 		 * Classes element is between 2 and 253.
4140 		 */
4141 		if (params->supported_oper_classes_len < 2 ||
4142 		    params->supported_oper_classes_len > 253)
4143 			return -EINVAL;
4144 	}
4145 	return 0;
4146 }
4147 
4148 static int nl80211_set_station_tdls(struct genl_info *info,
4149 				    struct station_parameters *params)
4150 {
4151 	int err;
4152 	/* Dummy STA entry gets updated once the peer capabilities are known */
4153 	if (info->attrs[NL80211_ATTR_PEER_AID])
4154 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
4155 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
4156 		params->ht_capa =
4157 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
4158 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
4159 		params->vht_capa =
4160 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
4161 
4162 	err = nl80211_parse_sta_channel_info(info, params);
4163 	if (err)
4164 		return err;
4165 
4166 	return nl80211_parse_sta_wme(info, params);
4167 }
4168 
4169 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
4170 {
4171 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4172 	struct net_device *dev = info->user_ptr[1];
4173 	struct station_parameters params;
4174 	u8 *mac_addr;
4175 	int err;
4176 
4177 	memset(&params, 0, sizeof(params));
4178 
4179 	params.listen_interval = -1;
4180 
4181 	if (!rdev->ops->change_station)
4182 		return -EOPNOTSUPP;
4183 
4184 	if (info->attrs[NL80211_ATTR_STA_AID])
4185 		return -EINVAL;
4186 
4187 	if (!info->attrs[NL80211_ATTR_MAC])
4188 		return -EINVAL;
4189 
4190 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4191 
4192 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
4193 		params.supported_rates =
4194 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4195 		params.supported_rates_len =
4196 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4197 	}
4198 
4199 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
4200 		params.capability =
4201 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
4202 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
4203 	}
4204 
4205 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
4206 		params.ext_capab =
4207 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4208 		params.ext_capab_len =
4209 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4210 	}
4211 
4212 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
4213 		return -EINVAL;
4214 
4215 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
4216 		return -EINVAL;
4217 
4218 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
4219 		params.plink_action =
4220 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
4221 		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
4222 			return -EINVAL;
4223 	}
4224 
4225 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
4226 		params.plink_state =
4227 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
4228 		if (params.plink_state >= NUM_NL80211_PLINK_STATES)
4229 			return -EINVAL;
4230 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
4231 	}
4232 
4233 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]) {
4234 		enum nl80211_mesh_power_mode pm = nla_get_u32(
4235 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
4236 
4237 		if (pm <= NL80211_MESH_POWER_UNKNOWN ||
4238 		    pm > NL80211_MESH_POWER_MAX)
4239 			return -EINVAL;
4240 
4241 		params.local_pm = pm;
4242 	}
4243 
4244 	/* Include parameters for TDLS peer (will check later) */
4245 	err = nl80211_set_station_tdls(info, &params);
4246 	if (err)
4247 		return err;
4248 
4249 	params.vlan = get_vlan(info, rdev);
4250 	if (IS_ERR(params.vlan))
4251 		return PTR_ERR(params.vlan);
4252 
4253 	switch (dev->ieee80211_ptr->iftype) {
4254 	case NL80211_IFTYPE_AP:
4255 	case NL80211_IFTYPE_AP_VLAN:
4256 	case NL80211_IFTYPE_P2P_GO:
4257 	case NL80211_IFTYPE_P2P_CLIENT:
4258 	case NL80211_IFTYPE_STATION:
4259 	case NL80211_IFTYPE_ADHOC:
4260 	case NL80211_IFTYPE_MESH_POINT:
4261 		break;
4262 	default:
4263 		err = -EOPNOTSUPP;
4264 		goto out_put_vlan;
4265 	}
4266 
4267 	/* driver will call cfg80211_check_station_change() */
4268 	err = rdev_change_station(rdev, dev, mac_addr, &params);
4269 
4270  out_put_vlan:
4271 	if (params.vlan)
4272 		dev_put(params.vlan);
4273 
4274 	return err;
4275 }
4276 
4277 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
4278 {
4279 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4280 	int err;
4281 	struct net_device *dev = info->user_ptr[1];
4282 	struct station_parameters params;
4283 	u8 *mac_addr = NULL;
4284 
4285 	memset(&params, 0, sizeof(params));
4286 
4287 	if (!rdev->ops->add_station)
4288 		return -EOPNOTSUPP;
4289 
4290 	if (!info->attrs[NL80211_ATTR_MAC])
4291 		return -EINVAL;
4292 
4293 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
4294 		return -EINVAL;
4295 
4296 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
4297 		return -EINVAL;
4298 
4299 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
4300 	    !info->attrs[NL80211_ATTR_PEER_AID])
4301 		return -EINVAL;
4302 
4303 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4304 	params.supported_rates =
4305 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4306 	params.supported_rates_len =
4307 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4308 	params.listen_interval =
4309 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
4310 
4311 	if (info->attrs[NL80211_ATTR_PEER_AID])
4312 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
4313 	else
4314 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
4315 	if (!params.aid || params.aid > IEEE80211_MAX_AID)
4316 		return -EINVAL;
4317 
4318 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
4319 		params.capability =
4320 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
4321 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
4322 	}
4323 
4324 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
4325 		params.ext_capab =
4326 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4327 		params.ext_capab_len =
4328 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4329 	}
4330 
4331 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
4332 		params.ht_capa =
4333 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
4334 
4335 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
4336 		params.vht_capa =
4337 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
4338 
4339 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
4340 		params.opmode_notif_used = true;
4341 		params.opmode_notif =
4342 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
4343 	}
4344 
4345 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
4346 		params.plink_action =
4347 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
4348 		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
4349 			return -EINVAL;
4350 	}
4351 
4352 	err = nl80211_parse_sta_channel_info(info, &params);
4353 	if (err)
4354 		return err;
4355 
4356 	err = nl80211_parse_sta_wme(info, &params);
4357 	if (err)
4358 		return err;
4359 
4360 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
4361 		return -EINVAL;
4362 
4363 	/* When you run into this, adjust the code below for the new flag */
4364 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
4365 
4366 	switch (dev->ieee80211_ptr->iftype) {
4367 	case NL80211_IFTYPE_AP:
4368 	case NL80211_IFTYPE_AP_VLAN:
4369 	case NL80211_IFTYPE_P2P_GO:
4370 		/* ignore WME attributes if iface/sta is not capable */
4371 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
4372 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
4373 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4374 
4375 		/* TDLS peers cannot be added */
4376 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
4377 		    info->attrs[NL80211_ATTR_PEER_AID])
4378 			return -EINVAL;
4379 		/* but don't bother the driver with it */
4380 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
4381 
4382 		/* allow authenticated/associated only if driver handles it */
4383 		if (!(rdev->wiphy.features &
4384 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
4385 		    params.sta_flags_mask &
4386 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4387 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
4388 			return -EINVAL;
4389 
4390 		/* must be last in here for error handling */
4391 		params.vlan = get_vlan(info, rdev);
4392 		if (IS_ERR(params.vlan))
4393 			return PTR_ERR(params.vlan);
4394 		break;
4395 	case NL80211_IFTYPE_MESH_POINT:
4396 		/* ignore uAPSD data */
4397 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4398 
4399 		/* associated is disallowed */
4400 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
4401 			return -EINVAL;
4402 		/* TDLS peers cannot be added */
4403 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
4404 		    info->attrs[NL80211_ATTR_PEER_AID])
4405 			return -EINVAL;
4406 		break;
4407 	case NL80211_IFTYPE_STATION:
4408 	case NL80211_IFTYPE_P2P_CLIENT:
4409 		/* ignore uAPSD data */
4410 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4411 
4412 		/* these are disallowed */
4413 		if (params.sta_flags_mask &
4414 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
4415 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
4416 			return -EINVAL;
4417 		/* Only TDLS peers can be added */
4418 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
4419 			return -EINVAL;
4420 		/* Can only add if TDLS ... */
4421 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
4422 			return -EOPNOTSUPP;
4423 		/* ... with external setup is supported */
4424 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
4425 			return -EOPNOTSUPP;
4426 		/*
4427 		 * Older wpa_supplicant versions always mark the TDLS peer
4428 		 * as authorized, but it shouldn't yet be.
4429 		 */
4430 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
4431 		break;
4432 	default:
4433 		return -EOPNOTSUPP;
4434 	}
4435 
4436 	/* be aware of params.vlan when changing code here */
4437 
4438 	err = rdev_add_station(rdev, dev, mac_addr, &params);
4439 
4440 	if (params.vlan)
4441 		dev_put(params.vlan);
4442 	return err;
4443 }
4444 
4445 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
4446 {
4447 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4448 	struct net_device *dev = info->user_ptr[1];
4449 	struct station_del_parameters params;
4450 
4451 	memset(&params, 0, sizeof(params));
4452 
4453 	if (info->attrs[NL80211_ATTR_MAC])
4454 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
4455 
4456 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4457 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
4458 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
4459 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4460 		return -EINVAL;
4461 
4462 	if (!rdev->ops->del_station)
4463 		return -EOPNOTSUPP;
4464 
4465 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
4466 		params.subtype =
4467 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
4468 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
4469 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
4470 			return -EINVAL;
4471 	} else {
4472 		/* Default to Deauthentication frame */
4473 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
4474 	}
4475 
4476 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
4477 		params.reason_code =
4478 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
4479 		if (params.reason_code == 0)
4480 			return -EINVAL; /* 0 is reserved */
4481 	} else {
4482 		/* Default to reason code 2 */
4483 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
4484 	}
4485 
4486 	return rdev_del_station(rdev, dev, &params);
4487 }
4488 
4489 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
4490 				int flags, struct net_device *dev,
4491 				u8 *dst, u8 *next_hop,
4492 				struct mpath_info *pinfo)
4493 {
4494 	void *hdr;
4495 	struct nlattr *pinfoattr;
4496 
4497 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
4498 	if (!hdr)
4499 		return -1;
4500 
4501 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4502 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
4503 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
4504 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
4505 		goto nla_put_failure;
4506 
4507 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MPATH_INFO);
4508 	if (!pinfoattr)
4509 		goto nla_put_failure;
4510 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
4511 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
4512 			pinfo->frame_qlen))
4513 		goto nla_put_failure;
4514 	if (((pinfo->filled & MPATH_INFO_SN) &&
4515 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
4516 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
4517 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
4518 			 pinfo->metric)) ||
4519 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
4520 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
4521 			 pinfo->exptime)) ||
4522 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
4523 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
4524 			pinfo->flags)) ||
4525 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
4526 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
4527 			 pinfo->discovery_timeout)) ||
4528 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
4529 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
4530 			pinfo->discovery_retries)))
4531 		goto nla_put_failure;
4532 
4533 	nla_nest_end(msg, pinfoattr);
4534 
4535 	return genlmsg_end(msg, hdr);
4536 
4537  nla_put_failure:
4538 	genlmsg_cancel(msg, hdr);
4539 	return -EMSGSIZE;
4540 }
4541 
4542 static int nl80211_dump_mpath(struct sk_buff *skb,
4543 			      struct netlink_callback *cb)
4544 {
4545 	struct mpath_info pinfo;
4546 	struct cfg80211_registered_device *rdev;
4547 	struct wireless_dev *wdev;
4548 	u8 dst[ETH_ALEN];
4549 	u8 next_hop[ETH_ALEN];
4550 	int path_idx = cb->args[2];
4551 	int err;
4552 
4553 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
4554 	if (err)
4555 		return err;
4556 
4557 	if (!rdev->ops->dump_mpath) {
4558 		err = -EOPNOTSUPP;
4559 		goto out_err;
4560 	}
4561 
4562 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
4563 		err = -EOPNOTSUPP;
4564 		goto out_err;
4565 	}
4566 
4567 	while (1) {
4568 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
4569 				      next_hop, &pinfo);
4570 		if (err == -ENOENT)
4571 			break;
4572 		if (err)
4573 			goto out_err;
4574 
4575 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
4576 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4577 				       wdev->netdev, dst, next_hop,
4578 				       &pinfo) < 0)
4579 			goto out;
4580 
4581 		path_idx++;
4582 	}
4583 
4584 
4585  out:
4586 	cb->args[2] = path_idx;
4587 	err = skb->len;
4588  out_err:
4589 	nl80211_finish_wdev_dump(rdev);
4590 	return err;
4591 }
4592 
4593 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
4594 {
4595 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4596 	int err;
4597 	struct net_device *dev = info->user_ptr[1];
4598 	struct mpath_info pinfo;
4599 	struct sk_buff *msg;
4600 	u8 *dst = NULL;
4601 	u8 next_hop[ETH_ALEN];
4602 
4603 	memset(&pinfo, 0, sizeof(pinfo));
4604 
4605 	if (!info->attrs[NL80211_ATTR_MAC])
4606 		return -EINVAL;
4607 
4608 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4609 
4610 	if (!rdev->ops->get_mpath)
4611 		return -EOPNOTSUPP;
4612 
4613 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4614 		return -EOPNOTSUPP;
4615 
4616 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
4617 	if (err)
4618 		return err;
4619 
4620 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4621 	if (!msg)
4622 		return -ENOMEM;
4623 
4624 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
4625 				 dev, dst, next_hop, &pinfo) < 0) {
4626 		nlmsg_free(msg);
4627 		return -ENOBUFS;
4628 	}
4629 
4630 	return genlmsg_reply(msg, info);
4631 }
4632 
4633 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
4634 {
4635 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4636 	struct net_device *dev = info->user_ptr[1];
4637 	u8 *dst = NULL;
4638 	u8 *next_hop = NULL;
4639 
4640 	if (!info->attrs[NL80211_ATTR_MAC])
4641 		return -EINVAL;
4642 
4643 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
4644 		return -EINVAL;
4645 
4646 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4647 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
4648 
4649 	if (!rdev->ops->change_mpath)
4650 		return -EOPNOTSUPP;
4651 
4652 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4653 		return -EOPNOTSUPP;
4654 
4655 	return rdev_change_mpath(rdev, dev, dst, next_hop);
4656 }
4657 
4658 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
4659 {
4660 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4661 	struct net_device *dev = info->user_ptr[1];
4662 	u8 *dst = NULL;
4663 	u8 *next_hop = NULL;
4664 
4665 	if (!info->attrs[NL80211_ATTR_MAC])
4666 		return -EINVAL;
4667 
4668 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
4669 		return -EINVAL;
4670 
4671 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4672 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
4673 
4674 	if (!rdev->ops->add_mpath)
4675 		return -EOPNOTSUPP;
4676 
4677 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4678 		return -EOPNOTSUPP;
4679 
4680 	return rdev_add_mpath(rdev, dev, dst, next_hop);
4681 }
4682 
4683 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
4684 {
4685 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4686 	struct net_device *dev = info->user_ptr[1];
4687 	u8 *dst = NULL;
4688 
4689 	if (info->attrs[NL80211_ATTR_MAC])
4690 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4691 
4692 	if (!rdev->ops->del_mpath)
4693 		return -EOPNOTSUPP;
4694 
4695 	return rdev_del_mpath(rdev, dev, dst);
4696 }
4697 
4698 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
4699 {
4700 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4701 	int err;
4702 	struct net_device *dev = info->user_ptr[1];
4703 	struct mpath_info pinfo;
4704 	struct sk_buff *msg;
4705 	u8 *dst = NULL;
4706 	u8 mpp[ETH_ALEN];
4707 
4708 	memset(&pinfo, 0, sizeof(pinfo));
4709 
4710 	if (!info->attrs[NL80211_ATTR_MAC])
4711 		return -EINVAL;
4712 
4713 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4714 
4715 	if (!rdev->ops->get_mpp)
4716 		return -EOPNOTSUPP;
4717 
4718 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4719 		return -EOPNOTSUPP;
4720 
4721 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
4722 	if (err)
4723 		return err;
4724 
4725 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4726 	if (!msg)
4727 		return -ENOMEM;
4728 
4729 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
4730 			       dev, dst, mpp, &pinfo) < 0) {
4731 		nlmsg_free(msg);
4732 		return -ENOBUFS;
4733 	}
4734 
4735 	return genlmsg_reply(msg, info);
4736 }
4737 
4738 static int nl80211_dump_mpp(struct sk_buff *skb,
4739 			    struct netlink_callback *cb)
4740 {
4741 	struct mpath_info pinfo;
4742 	struct cfg80211_registered_device *rdev;
4743 	struct wireless_dev *wdev;
4744 	u8 dst[ETH_ALEN];
4745 	u8 mpp[ETH_ALEN];
4746 	int path_idx = cb->args[2];
4747 	int err;
4748 
4749 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
4750 	if (err)
4751 		return err;
4752 
4753 	if (!rdev->ops->dump_mpp) {
4754 		err = -EOPNOTSUPP;
4755 		goto out_err;
4756 	}
4757 
4758 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
4759 		err = -EOPNOTSUPP;
4760 		goto out_err;
4761 	}
4762 
4763 	while (1) {
4764 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
4765 				    mpp, &pinfo);
4766 		if (err == -ENOENT)
4767 			break;
4768 		if (err)
4769 			goto out_err;
4770 
4771 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
4772 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4773 				       wdev->netdev, dst, mpp,
4774 				       &pinfo) < 0)
4775 			goto out;
4776 
4777 		path_idx++;
4778 	}
4779 
4780  out:
4781 	cb->args[2] = path_idx;
4782 	err = skb->len;
4783  out_err:
4784 	nl80211_finish_wdev_dump(rdev);
4785 	return err;
4786 }
4787 
4788 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
4789 {
4790 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4791 	struct net_device *dev = info->user_ptr[1];
4792 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4793 	struct bss_parameters params;
4794 	int err;
4795 
4796 	memset(&params, 0, sizeof(params));
4797 	/* default to not changing parameters */
4798 	params.use_cts_prot = -1;
4799 	params.use_short_preamble = -1;
4800 	params.use_short_slot_time = -1;
4801 	params.ap_isolate = -1;
4802 	params.ht_opmode = -1;
4803 	params.p2p_ctwindow = -1;
4804 	params.p2p_opp_ps = -1;
4805 
4806 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
4807 		params.use_cts_prot =
4808 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
4809 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
4810 		params.use_short_preamble =
4811 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
4812 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
4813 		params.use_short_slot_time =
4814 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
4815 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
4816 		params.basic_rates =
4817 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
4818 		params.basic_rates_len =
4819 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
4820 	}
4821 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
4822 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
4823 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
4824 		params.ht_opmode =
4825 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
4826 
4827 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
4828 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4829 			return -EINVAL;
4830 		params.p2p_ctwindow =
4831 			nla_get_s8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
4832 		if (params.p2p_ctwindow < 0)
4833 			return -EINVAL;
4834 		if (params.p2p_ctwindow != 0 &&
4835 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
4836 			return -EINVAL;
4837 	}
4838 
4839 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
4840 		u8 tmp;
4841 
4842 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4843 			return -EINVAL;
4844 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
4845 		if (tmp > 1)
4846 			return -EINVAL;
4847 		params.p2p_opp_ps = tmp;
4848 		if (params.p2p_opp_ps &&
4849 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
4850 			return -EINVAL;
4851 	}
4852 
4853 	if (!rdev->ops->change_bss)
4854 		return -EOPNOTSUPP;
4855 
4856 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4857 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4858 		return -EOPNOTSUPP;
4859 
4860 	wdev_lock(wdev);
4861 	err = rdev_change_bss(rdev, dev, &params);
4862 	wdev_unlock(wdev);
4863 
4864 	return err;
4865 }
4866 
4867 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
4868 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
4869 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
4870 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
4871 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
4872 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
4873 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
4874 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
4875 };
4876 
4877 static int parse_reg_rule(struct nlattr *tb[],
4878 	struct ieee80211_reg_rule *reg_rule)
4879 {
4880 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
4881 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
4882 
4883 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
4884 		return -EINVAL;
4885 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
4886 		return -EINVAL;
4887 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
4888 		return -EINVAL;
4889 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
4890 		return -EINVAL;
4891 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
4892 		return -EINVAL;
4893 
4894 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
4895 
4896 	freq_range->start_freq_khz =
4897 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
4898 	freq_range->end_freq_khz =
4899 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
4900 	freq_range->max_bandwidth_khz =
4901 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
4902 
4903 	power_rule->max_eirp =
4904 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
4905 
4906 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
4907 		power_rule->max_antenna_gain =
4908 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
4909 
4910 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
4911 		reg_rule->dfs_cac_ms =
4912 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
4913 
4914 	return 0;
4915 }
4916 
4917 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
4918 {
4919 	char *data = NULL;
4920 	enum nl80211_user_reg_hint_type user_reg_hint_type;
4921 
4922 	/*
4923 	 * You should only get this when cfg80211 hasn't yet initialized
4924 	 * completely when built-in to the kernel right between the time
4925 	 * window between nl80211_init() and regulatory_init(), if that is
4926 	 * even possible.
4927 	 */
4928 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
4929 		return -EINPROGRESS;
4930 
4931 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
4932 		user_reg_hint_type =
4933 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
4934 	else
4935 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
4936 
4937 	switch (user_reg_hint_type) {
4938 	case NL80211_USER_REG_HINT_USER:
4939 	case NL80211_USER_REG_HINT_CELL_BASE:
4940 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
4941 			return -EINVAL;
4942 
4943 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
4944 		return regulatory_hint_user(data, user_reg_hint_type);
4945 	case NL80211_USER_REG_HINT_INDOOR:
4946 		return regulatory_hint_indoor_user();
4947 	default:
4948 		return -EINVAL;
4949 	}
4950 }
4951 
4952 static int nl80211_get_mesh_config(struct sk_buff *skb,
4953 				   struct genl_info *info)
4954 {
4955 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4956 	struct net_device *dev = info->user_ptr[1];
4957 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4958 	struct mesh_config cur_params;
4959 	int err = 0;
4960 	void *hdr;
4961 	struct nlattr *pinfoattr;
4962 	struct sk_buff *msg;
4963 
4964 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
4965 		return -EOPNOTSUPP;
4966 
4967 	if (!rdev->ops->get_mesh_config)
4968 		return -EOPNOTSUPP;
4969 
4970 	wdev_lock(wdev);
4971 	/* If not connected, get default parameters */
4972 	if (!wdev->mesh_id_len)
4973 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
4974 	else
4975 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
4976 	wdev_unlock(wdev);
4977 
4978 	if (err)
4979 		return err;
4980 
4981 	/* Draw up a netlink message to send back */
4982 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4983 	if (!msg)
4984 		return -ENOMEM;
4985 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4986 			     NL80211_CMD_GET_MESH_CONFIG);
4987 	if (!hdr)
4988 		goto out;
4989 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MESH_CONFIG);
4990 	if (!pinfoattr)
4991 		goto nla_put_failure;
4992 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4993 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
4994 			cur_params.dot11MeshRetryTimeout) ||
4995 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
4996 			cur_params.dot11MeshConfirmTimeout) ||
4997 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
4998 			cur_params.dot11MeshHoldingTimeout) ||
4999 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
5000 			cur_params.dot11MeshMaxPeerLinks) ||
5001 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
5002 		       cur_params.dot11MeshMaxRetries) ||
5003 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
5004 		       cur_params.dot11MeshTTL) ||
5005 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
5006 		       cur_params.element_ttl) ||
5007 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
5008 		       cur_params.auto_open_plinks) ||
5009 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
5010 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
5011 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
5012 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
5013 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
5014 			cur_params.path_refresh_time) ||
5015 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
5016 			cur_params.min_discovery_timeout) ||
5017 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
5018 			cur_params.dot11MeshHWMPactivePathTimeout) ||
5019 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
5020 			cur_params.dot11MeshHWMPpreqMinInterval) ||
5021 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
5022 			cur_params.dot11MeshHWMPperrMinInterval) ||
5023 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
5024 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
5025 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
5026 		       cur_params.dot11MeshHWMPRootMode) ||
5027 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
5028 			cur_params.dot11MeshHWMPRannInterval) ||
5029 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
5030 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
5031 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
5032 		       cur_params.dot11MeshForwarding) ||
5033 	    nla_put_u32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
5034 			cur_params.rssi_threshold) ||
5035 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
5036 			cur_params.ht_opmode) ||
5037 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
5038 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
5039 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
5040 			cur_params.dot11MeshHWMProotInterval) ||
5041 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
5042 			cur_params.dot11MeshHWMPconfirmationInterval) ||
5043 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
5044 			cur_params.power_mode) ||
5045 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
5046 			cur_params.dot11MeshAwakeWindowDuration) ||
5047 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
5048 			cur_params.plink_timeout))
5049 		goto nla_put_failure;
5050 	nla_nest_end(msg, pinfoattr);
5051 	genlmsg_end(msg, hdr);
5052 	return genlmsg_reply(msg, info);
5053 
5054  nla_put_failure:
5055 	genlmsg_cancel(msg, hdr);
5056  out:
5057 	nlmsg_free(msg);
5058 	return -ENOBUFS;
5059 }
5060 
5061 static const struct nla_policy nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
5062 	[NL80211_MESHCONF_RETRY_TIMEOUT] = { .type = NLA_U16 },
5063 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] = { .type = NLA_U16 },
5064 	[NL80211_MESHCONF_HOLDING_TIMEOUT] = { .type = NLA_U16 },
5065 	[NL80211_MESHCONF_MAX_PEER_LINKS] = { .type = NLA_U16 },
5066 	[NL80211_MESHCONF_MAX_RETRIES] = { .type = NLA_U8 },
5067 	[NL80211_MESHCONF_TTL] = { .type = NLA_U8 },
5068 	[NL80211_MESHCONF_ELEMENT_TTL] = { .type = NLA_U8 },
5069 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = { .type = NLA_U8 },
5070 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] = { .type = NLA_U32 },
5071 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
5072 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
5073 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = { .type = NLA_U16 },
5074 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
5075 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] = { .type = NLA_U16 },
5076 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] = { .type = NLA_U16 },
5077 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] = { .type = NLA_U16 },
5078 	[NL80211_MESHCONF_HWMP_ROOTMODE] = { .type = NLA_U8 },
5079 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] = { .type = NLA_U16 },
5080 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = { .type = NLA_U8 },
5081 	[NL80211_MESHCONF_FORWARDING] = { .type = NLA_U8 },
5082 	[NL80211_MESHCONF_RSSI_THRESHOLD] = { .type = NLA_U32 },
5083 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
5084 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
5085 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] = { .type = NLA_U16 },
5086 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] = { .type = NLA_U16 },
5087 	[NL80211_MESHCONF_POWER_MODE] = { .type = NLA_U32 },
5088 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
5089 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
5090 };
5091 
5092 static const struct nla_policy
5093 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
5094 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
5095 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
5096 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
5097 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
5098 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
5099 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
5100 	[NL80211_MESH_SETUP_IE] = { .type = NLA_BINARY,
5101 				    .len = IEEE80211_MAX_DATA_LEN },
5102 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
5103 };
5104 
5105 static int nl80211_parse_mesh_config(struct genl_info *info,
5106 				     struct mesh_config *cfg,
5107 				     u32 *mask_out)
5108 {
5109 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
5110 	u32 mask = 0;
5111 
5112 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, min, max, mask, attr, fn) \
5113 do {									    \
5114 	if (tb[attr]) {							    \
5115 		if (fn(tb[attr]) < min || fn(tb[attr]) > max)		    \
5116 			return -EINVAL;					    \
5117 		cfg->param = fn(tb[attr]);				    \
5118 		mask |= (1 << (attr - 1));				    \
5119 	}								    \
5120 } while (0)
5121 
5122 
5123 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
5124 		return -EINVAL;
5125 	if (nla_parse_nested(tb, NL80211_MESHCONF_ATTR_MAX,
5126 			     info->attrs[NL80211_ATTR_MESH_CONFIG],
5127 			     nl80211_meshconf_params_policy))
5128 		return -EINVAL;
5129 
5130 	/* This makes sure that there aren't more than 32 mesh config
5131 	 * parameters (otherwise our bitfield scheme would not work.) */
5132 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
5133 
5134 	/* Fill in the params struct */
5135 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, 1, 255,
5136 				  mask, NL80211_MESHCONF_RETRY_TIMEOUT,
5137 				  nla_get_u16);
5138 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, 1, 255,
5139 				  mask, NL80211_MESHCONF_CONFIRM_TIMEOUT,
5140 				  nla_get_u16);
5141 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, 1, 255,
5142 				  mask, NL80211_MESHCONF_HOLDING_TIMEOUT,
5143 				  nla_get_u16);
5144 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, 0, 255,
5145 				  mask, NL80211_MESHCONF_MAX_PEER_LINKS,
5146 				  nla_get_u16);
5147 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, 0, 16,
5148 				  mask, NL80211_MESHCONF_MAX_RETRIES,
5149 				  nla_get_u8);
5150 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, 1, 255,
5151 				  mask, NL80211_MESHCONF_TTL, nla_get_u8);
5152 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, 1, 255,
5153 				  mask, NL80211_MESHCONF_ELEMENT_TTL,
5154 				  nla_get_u8);
5155 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, 0, 1,
5156 				  mask, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
5157 				  nla_get_u8);
5158 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
5159 				  1, 255, mask,
5160 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
5161 				  nla_get_u32);
5162 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, 0, 255,
5163 				  mask, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
5164 				  nla_get_u8);
5165 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, 1, 65535,
5166 				  mask, NL80211_MESHCONF_PATH_REFRESH_TIME,
5167 				  nla_get_u32);
5168 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, 1, 65535,
5169 				  mask, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
5170 				  nla_get_u16);
5171 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
5172 				  1, 65535, mask,
5173 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
5174 				  nla_get_u32);
5175 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval,
5176 				  1, 65535, mask,
5177 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
5178 				  nla_get_u16);
5179 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval,
5180 				  1, 65535, mask,
5181 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
5182 				  nla_get_u16);
5183 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5184 				  dot11MeshHWMPnetDiameterTraversalTime,
5185 				  1, 65535, mask,
5186 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
5187 				  nla_get_u16);
5188 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, 0, 4,
5189 				  mask, NL80211_MESHCONF_HWMP_ROOTMODE,
5190 				  nla_get_u8);
5191 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, 1, 65535,
5192 				  mask, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
5193 				  nla_get_u16);
5194 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5195 				  dot11MeshGateAnnouncementProtocol, 0, 1,
5196 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
5197 				  nla_get_u8);
5198 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, 0, 1,
5199 				  mask, NL80211_MESHCONF_FORWARDING,
5200 				  nla_get_u8);
5201 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, -255, 0,
5202 				  mask, NL80211_MESHCONF_RSSI_THRESHOLD,
5203 				  nla_get_s32);
5204 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, ht_opmode, 0, 16,
5205 				  mask, NL80211_MESHCONF_HT_OPMODE,
5206 				  nla_get_u16);
5207 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathToRootTimeout,
5208 				  1, 65535, mask,
5209 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
5210 				  nla_get_u32);
5211 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, 1, 65535,
5212 				  mask, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
5213 				  nla_get_u16);
5214 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5215 				  dot11MeshHWMPconfirmationInterval,
5216 				  1, 65535, mask,
5217 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
5218 				  nla_get_u16);
5219 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode,
5220 				  NL80211_MESH_POWER_ACTIVE,
5221 				  NL80211_MESH_POWER_MAX,
5222 				  mask, NL80211_MESHCONF_POWER_MODE,
5223 				  nla_get_u32);
5224 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration,
5225 				  0, 65535, mask,
5226 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
5227 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, 1, 0xffffffff,
5228 				  mask, NL80211_MESHCONF_PLINK_TIMEOUT,
5229 				  nla_get_u32);
5230 	if (mask_out)
5231 		*mask_out = mask;
5232 
5233 	return 0;
5234 
5235 #undef FILL_IN_MESH_PARAM_IF_SET
5236 }
5237 
5238 static int nl80211_parse_mesh_setup(struct genl_info *info,
5239 				     struct mesh_setup *setup)
5240 {
5241 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5242 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
5243 
5244 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
5245 		return -EINVAL;
5246 	if (nla_parse_nested(tb, NL80211_MESH_SETUP_ATTR_MAX,
5247 			     info->attrs[NL80211_ATTR_MESH_SETUP],
5248 			     nl80211_mesh_setup_params_policy))
5249 		return -EINVAL;
5250 
5251 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
5252 		setup->sync_method =
5253 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
5254 		 IEEE80211_SYNC_METHOD_VENDOR :
5255 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
5256 
5257 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
5258 		setup->path_sel_proto =
5259 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
5260 		 IEEE80211_PATH_PROTOCOL_VENDOR :
5261 		 IEEE80211_PATH_PROTOCOL_HWMP;
5262 
5263 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
5264 		setup->path_metric =
5265 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
5266 		 IEEE80211_PATH_METRIC_VENDOR :
5267 		 IEEE80211_PATH_METRIC_AIRTIME;
5268 
5269 
5270 	if (tb[NL80211_MESH_SETUP_IE]) {
5271 		struct nlattr *ieattr =
5272 			tb[NL80211_MESH_SETUP_IE];
5273 		if (!is_valid_ie_attr(ieattr))
5274 			return -EINVAL;
5275 		setup->ie = nla_data(ieattr);
5276 		setup->ie_len = nla_len(ieattr);
5277 	}
5278 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
5279 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
5280 		return -EINVAL;
5281 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
5282 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
5283 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
5284 	if (setup->is_secure)
5285 		setup->user_mpm = true;
5286 
5287 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
5288 		if (!setup->user_mpm)
5289 			return -EINVAL;
5290 		setup->auth_id =
5291 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
5292 	}
5293 
5294 	return 0;
5295 }
5296 
5297 static int nl80211_update_mesh_config(struct sk_buff *skb,
5298 				      struct genl_info *info)
5299 {
5300 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5301 	struct net_device *dev = info->user_ptr[1];
5302 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5303 	struct mesh_config cfg;
5304 	u32 mask;
5305 	int err;
5306 
5307 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
5308 		return -EOPNOTSUPP;
5309 
5310 	if (!rdev->ops->update_mesh_config)
5311 		return -EOPNOTSUPP;
5312 
5313 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
5314 	if (err)
5315 		return err;
5316 
5317 	wdev_lock(wdev);
5318 	if (!wdev->mesh_id_len)
5319 		err = -ENOLINK;
5320 
5321 	if (!err)
5322 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
5323 
5324 	wdev_unlock(wdev);
5325 
5326 	return err;
5327 }
5328 
5329 static int nl80211_get_reg(struct sk_buff *skb, struct genl_info *info)
5330 {
5331 	const struct ieee80211_regdomain *regdom;
5332 	struct sk_buff *msg;
5333 	void *hdr = NULL;
5334 	struct nlattr *nl_reg_rules;
5335 	unsigned int i;
5336 
5337 	if (!cfg80211_regdomain)
5338 		return -EINVAL;
5339 
5340 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5341 	if (!msg)
5342 		return -ENOBUFS;
5343 
5344 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
5345 			     NL80211_CMD_GET_REG);
5346 	if (!hdr)
5347 		goto put_failure;
5348 
5349 	if (reg_last_request_cell_base() &&
5350 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
5351 			NL80211_USER_REG_HINT_CELL_BASE))
5352 		goto nla_put_failure;
5353 
5354 	rcu_read_lock();
5355 	regdom = rcu_dereference(cfg80211_regdomain);
5356 
5357 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
5358 	    (regdom->dfs_region &&
5359 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
5360 		goto nla_put_failure_rcu;
5361 
5362 	nl_reg_rules = nla_nest_start(msg, NL80211_ATTR_REG_RULES);
5363 	if (!nl_reg_rules)
5364 		goto nla_put_failure_rcu;
5365 
5366 	for (i = 0; i < regdom->n_reg_rules; i++) {
5367 		struct nlattr *nl_reg_rule;
5368 		const struct ieee80211_reg_rule *reg_rule;
5369 		const struct ieee80211_freq_range *freq_range;
5370 		const struct ieee80211_power_rule *power_rule;
5371 		unsigned int max_bandwidth_khz;
5372 
5373 		reg_rule = &regdom->reg_rules[i];
5374 		freq_range = &reg_rule->freq_range;
5375 		power_rule = &reg_rule->power_rule;
5376 
5377 		nl_reg_rule = nla_nest_start(msg, i);
5378 		if (!nl_reg_rule)
5379 			goto nla_put_failure_rcu;
5380 
5381 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
5382 		if (!max_bandwidth_khz)
5383 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
5384 								  reg_rule);
5385 
5386 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
5387 				reg_rule->flags) ||
5388 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
5389 				freq_range->start_freq_khz) ||
5390 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
5391 				freq_range->end_freq_khz) ||
5392 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
5393 				max_bandwidth_khz) ||
5394 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
5395 				power_rule->max_antenna_gain) ||
5396 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
5397 				power_rule->max_eirp) ||
5398 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
5399 				reg_rule->dfs_cac_ms))
5400 			goto nla_put_failure_rcu;
5401 
5402 		nla_nest_end(msg, nl_reg_rule);
5403 	}
5404 	rcu_read_unlock();
5405 
5406 	nla_nest_end(msg, nl_reg_rules);
5407 
5408 	genlmsg_end(msg, hdr);
5409 	return genlmsg_reply(msg, info);
5410 
5411 nla_put_failure_rcu:
5412 	rcu_read_unlock();
5413 nla_put_failure:
5414 	genlmsg_cancel(msg, hdr);
5415 put_failure:
5416 	nlmsg_free(msg);
5417 	return -EMSGSIZE;
5418 }
5419 
5420 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
5421 {
5422 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
5423 	struct nlattr *nl_reg_rule;
5424 	char *alpha2;
5425 	int rem_reg_rules, r;
5426 	u32 num_rules = 0, rule_idx = 0, size_of_regd;
5427 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
5428 	struct ieee80211_regdomain *rd;
5429 
5430 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
5431 		return -EINVAL;
5432 
5433 	if (!info->attrs[NL80211_ATTR_REG_RULES])
5434 		return -EINVAL;
5435 
5436 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
5437 
5438 	if (info->attrs[NL80211_ATTR_DFS_REGION])
5439 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
5440 
5441 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
5442 			    rem_reg_rules) {
5443 		num_rules++;
5444 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
5445 			return -EINVAL;
5446 	}
5447 
5448 	if (!reg_is_valid_request(alpha2))
5449 		return -EINVAL;
5450 
5451 	size_of_regd = sizeof(struct ieee80211_regdomain) +
5452 		       num_rules * sizeof(struct ieee80211_reg_rule);
5453 
5454 	rd = kzalloc(size_of_regd, GFP_KERNEL);
5455 	if (!rd)
5456 		return -ENOMEM;
5457 
5458 	rd->n_reg_rules = num_rules;
5459 	rd->alpha2[0] = alpha2[0];
5460 	rd->alpha2[1] = alpha2[1];
5461 
5462 	/*
5463 	 * Disable DFS master mode if the DFS region was
5464 	 * not supported or known on this kernel.
5465 	 */
5466 	if (reg_supported_dfs_region(dfs_region))
5467 		rd->dfs_region = dfs_region;
5468 
5469 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
5470 			    rem_reg_rules) {
5471 		r = nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
5472 			      nla_data(nl_reg_rule), nla_len(nl_reg_rule),
5473 			      reg_rule_policy);
5474 		if (r)
5475 			goto bad_reg;
5476 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
5477 		if (r)
5478 			goto bad_reg;
5479 
5480 		rule_idx++;
5481 
5482 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
5483 			r = -EINVAL;
5484 			goto bad_reg;
5485 		}
5486 	}
5487 
5488 	r = set_regdom(rd);
5489 	/* set_regdom took ownership */
5490 	rd = NULL;
5491 
5492  bad_reg:
5493 	kfree(rd);
5494 	return r;
5495 }
5496 
5497 static int validate_scan_freqs(struct nlattr *freqs)
5498 {
5499 	struct nlattr *attr1, *attr2;
5500 	int n_channels = 0, tmp1, tmp2;
5501 
5502 	nla_for_each_nested(attr1, freqs, tmp1) {
5503 		n_channels++;
5504 		/*
5505 		 * Some hardware has a limited channel list for
5506 		 * scanning, and it is pretty much nonsensical
5507 		 * to scan for a channel twice, so disallow that
5508 		 * and don't require drivers to check that the
5509 		 * channel list they get isn't longer than what
5510 		 * they can scan, as long as they can scan all
5511 		 * the channels they registered at once.
5512 		 */
5513 		nla_for_each_nested(attr2, freqs, tmp2)
5514 			if (attr1 != attr2 &&
5515 			    nla_get_u32(attr1) == nla_get_u32(attr2))
5516 				return 0;
5517 	}
5518 
5519 	return n_channels;
5520 }
5521 
5522 static int nl80211_parse_random_mac(struct nlattr **attrs,
5523 				    u8 *mac_addr, u8 *mac_addr_mask)
5524 {
5525 	int i;
5526 
5527 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
5528 		memset(mac_addr, 0, ETH_ALEN);
5529 		memset(mac_addr_mask, 0, ETH_ALEN);
5530 		mac_addr[0] = 0x2;
5531 		mac_addr_mask[0] = 0x3;
5532 
5533 		return 0;
5534 	}
5535 
5536 	/* need both or none */
5537 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
5538 		return -EINVAL;
5539 
5540 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
5541 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
5542 
5543 	/* don't allow or configure an mcast address */
5544 	if (!is_multicast_ether_addr(mac_addr_mask) ||
5545 	    is_multicast_ether_addr(mac_addr))
5546 		return -EINVAL;
5547 
5548 	/*
5549 	 * allow users to pass a MAC address that has bits set outside
5550 	 * of the mask, but don't bother drivers with having to deal
5551 	 * with such bits
5552 	 */
5553 	for (i = 0; i < ETH_ALEN; i++)
5554 		mac_addr[i] &= mac_addr_mask[i];
5555 
5556 	return 0;
5557 }
5558 
5559 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
5560 {
5561 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5562 	struct wireless_dev *wdev = info->user_ptr[1];
5563 	struct cfg80211_scan_request *request;
5564 	struct nlattr *attr;
5565 	struct wiphy *wiphy;
5566 	int err, tmp, n_ssids = 0, n_channels, i;
5567 	size_t ie_len;
5568 
5569 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5570 		return -EINVAL;
5571 
5572 	wiphy = &rdev->wiphy;
5573 
5574 	if (!rdev->ops->scan)
5575 		return -EOPNOTSUPP;
5576 
5577 	if (rdev->scan_req || rdev->scan_msg) {
5578 		err = -EBUSY;
5579 		goto unlock;
5580 	}
5581 
5582 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5583 		n_channels = validate_scan_freqs(
5584 				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
5585 		if (!n_channels) {
5586 			err = -EINVAL;
5587 			goto unlock;
5588 		}
5589 	} else {
5590 		n_channels = ieee80211_get_num_supported_channels(wiphy);
5591 	}
5592 
5593 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
5594 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
5595 			n_ssids++;
5596 
5597 	if (n_ssids > wiphy->max_scan_ssids) {
5598 		err = -EINVAL;
5599 		goto unlock;
5600 	}
5601 
5602 	if (info->attrs[NL80211_ATTR_IE])
5603 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5604 	else
5605 		ie_len = 0;
5606 
5607 	if (ie_len > wiphy->max_scan_ie_len) {
5608 		err = -EINVAL;
5609 		goto unlock;
5610 	}
5611 
5612 	request = kzalloc(sizeof(*request)
5613 			+ sizeof(*request->ssids) * n_ssids
5614 			+ sizeof(*request->channels) * n_channels
5615 			+ ie_len, GFP_KERNEL);
5616 	if (!request) {
5617 		err = -ENOMEM;
5618 		goto unlock;
5619 	}
5620 
5621 	if (n_ssids)
5622 		request->ssids = (void *)&request->channels[n_channels];
5623 	request->n_ssids = n_ssids;
5624 	if (ie_len) {
5625 		if (request->ssids)
5626 			request->ie = (void *)(request->ssids + n_ssids);
5627 		else
5628 			request->ie = (void *)(request->channels + n_channels);
5629 	}
5630 
5631 	i = 0;
5632 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5633 		/* user specified, bail out if channel not found */
5634 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
5635 			struct ieee80211_channel *chan;
5636 
5637 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
5638 
5639 			if (!chan) {
5640 				err = -EINVAL;
5641 				goto out_free;
5642 			}
5643 
5644 			/* ignore disabled channels */
5645 			if (chan->flags & IEEE80211_CHAN_DISABLED)
5646 				continue;
5647 
5648 			request->channels[i] = chan;
5649 			i++;
5650 		}
5651 	} else {
5652 		enum ieee80211_band band;
5653 
5654 		/* all channels */
5655 		for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
5656 			int j;
5657 			if (!wiphy->bands[band])
5658 				continue;
5659 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
5660 				struct ieee80211_channel *chan;
5661 
5662 				chan = &wiphy->bands[band]->channels[j];
5663 
5664 				if (chan->flags & IEEE80211_CHAN_DISABLED)
5665 					continue;
5666 
5667 				request->channels[i] = chan;
5668 				i++;
5669 			}
5670 		}
5671 	}
5672 
5673 	if (!i) {
5674 		err = -EINVAL;
5675 		goto out_free;
5676 	}
5677 
5678 	request->n_channels = i;
5679 
5680 	i = 0;
5681 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
5682 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
5683 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
5684 				err = -EINVAL;
5685 				goto out_free;
5686 			}
5687 			request->ssids[i].ssid_len = nla_len(attr);
5688 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
5689 			i++;
5690 		}
5691 	}
5692 
5693 	if (info->attrs[NL80211_ATTR_IE]) {
5694 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5695 		memcpy((void *)request->ie,
5696 		       nla_data(info->attrs[NL80211_ATTR_IE]),
5697 		       request->ie_len);
5698 	}
5699 
5700 	for (i = 0; i < IEEE80211_NUM_BANDS; i++)
5701 		if (wiphy->bands[i])
5702 			request->rates[i] =
5703 				(1 << wiphy->bands[i]->n_bitrates) - 1;
5704 
5705 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
5706 		nla_for_each_nested(attr,
5707 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
5708 				    tmp) {
5709 			enum ieee80211_band band = nla_type(attr);
5710 
5711 			if (band < 0 || band >= IEEE80211_NUM_BANDS) {
5712 				err = -EINVAL;
5713 				goto out_free;
5714 			}
5715 
5716 			if (!wiphy->bands[band])
5717 				continue;
5718 
5719 			err = ieee80211_get_ratemask(wiphy->bands[band],
5720 						     nla_data(attr),
5721 						     nla_len(attr),
5722 						     &request->rates[band]);
5723 			if (err)
5724 				goto out_free;
5725 		}
5726 	}
5727 
5728 	if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
5729 		request->flags = nla_get_u32(
5730 			info->attrs[NL80211_ATTR_SCAN_FLAGS]);
5731 		if ((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
5732 		    !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) {
5733 			err = -EOPNOTSUPP;
5734 			goto out_free;
5735 		}
5736 
5737 		if (request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
5738 			if (!(wiphy->features &
5739 					NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR)) {
5740 				err = -EOPNOTSUPP;
5741 				goto out_free;
5742 			}
5743 
5744 			if (wdev->current_bss) {
5745 				err = -EOPNOTSUPP;
5746 				goto out_free;
5747 			}
5748 
5749 			err = nl80211_parse_random_mac(info->attrs,
5750 						       request->mac_addr,
5751 						       request->mac_addr_mask);
5752 			if (err)
5753 				goto out_free;
5754 		}
5755 	}
5756 
5757 	request->no_cck =
5758 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
5759 
5760 	request->wdev = wdev;
5761 	request->wiphy = &rdev->wiphy;
5762 	request->scan_start = jiffies;
5763 
5764 	rdev->scan_req = request;
5765 	err = rdev_scan(rdev, request);
5766 
5767 	if (!err) {
5768 		nl80211_send_scan_start(rdev, wdev);
5769 		if (wdev->netdev)
5770 			dev_hold(wdev->netdev);
5771 	} else {
5772  out_free:
5773 		rdev->scan_req = NULL;
5774 		kfree(request);
5775 	}
5776 
5777  unlock:
5778 	return err;
5779 }
5780 
5781 static struct cfg80211_sched_scan_request *
5782 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
5783 			 struct nlattr **attrs)
5784 {
5785 	struct cfg80211_sched_scan_request *request;
5786 	struct nlattr *attr;
5787 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i;
5788 	u32 interval;
5789 	enum ieee80211_band band;
5790 	size_t ie_len;
5791 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
5792 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
5793 
5794 	if (!is_valid_ie_attr(attrs[NL80211_ATTR_IE]))
5795 		return ERR_PTR(-EINVAL);
5796 
5797 	if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
5798 		return ERR_PTR(-EINVAL);
5799 
5800 	interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
5801 	if (interval == 0)
5802 		return ERR_PTR(-EINVAL);
5803 
5804 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5805 		n_channels = validate_scan_freqs(
5806 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
5807 		if (!n_channels)
5808 			return ERR_PTR(-EINVAL);
5809 	} else {
5810 		n_channels = ieee80211_get_num_supported_channels(wiphy);
5811 	}
5812 
5813 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
5814 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
5815 				    tmp)
5816 			n_ssids++;
5817 
5818 	if (n_ssids > wiphy->max_sched_scan_ssids)
5819 		return ERR_PTR(-EINVAL);
5820 
5821 	/*
5822 	 * First, count the number of 'real' matchsets. Due to an issue with
5823 	 * the old implementation, matchsets containing only the RSSI attribute
5824 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
5825 	 * RSSI for all matchsets, rather than their own matchset for reporting
5826 	 * all APs with a strong RSSI. This is needed to be compatible with
5827 	 * older userspace that treated a matchset with only the RSSI as the
5828 	 * global RSSI for all other matchsets - if there are other matchsets.
5829 	 */
5830 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
5831 		nla_for_each_nested(attr,
5832 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
5833 				    tmp) {
5834 			struct nlattr *rssi;
5835 
5836 			err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
5837 					nla_data(attr), nla_len(attr),
5838 					nl80211_match_policy);
5839 			if (err)
5840 				return ERR_PTR(err);
5841 			/* add other standalone attributes here */
5842 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID]) {
5843 				n_match_sets++;
5844 				continue;
5845 			}
5846 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
5847 			if (rssi)
5848 				default_match_rssi = nla_get_s32(rssi);
5849 		}
5850 	}
5851 
5852 	/* However, if there's no other matchset, add the RSSI one */
5853 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
5854 		n_match_sets = 1;
5855 
5856 	if (n_match_sets > wiphy->max_match_sets)
5857 		return ERR_PTR(-EINVAL);
5858 
5859 	if (attrs[NL80211_ATTR_IE])
5860 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
5861 	else
5862 		ie_len = 0;
5863 
5864 	if (ie_len > wiphy->max_sched_scan_ie_len)
5865 		return ERR_PTR(-EINVAL);
5866 
5867 	request = kzalloc(sizeof(*request)
5868 			+ sizeof(*request->ssids) * n_ssids
5869 			+ sizeof(*request->match_sets) * n_match_sets
5870 			+ sizeof(*request->channels) * n_channels
5871 			+ ie_len, GFP_KERNEL);
5872 	if (!request)
5873 		return ERR_PTR(-ENOMEM);
5874 
5875 	if (n_ssids)
5876 		request->ssids = (void *)&request->channels[n_channels];
5877 	request->n_ssids = n_ssids;
5878 	if (ie_len) {
5879 		if (request->ssids)
5880 			request->ie = (void *)(request->ssids + n_ssids);
5881 		else
5882 			request->ie = (void *)(request->channels + n_channels);
5883 	}
5884 
5885 	if (n_match_sets) {
5886 		if (request->ie)
5887 			request->match_sets = (void *)(request->ie + ie_len);
5888 		else if (request->ssids)
5889 			request->match_sets =
5890 				(void *)(request->ssids + n_ssids);
5891 		else
5892 			request->match_sets =
5893 				(void *)(request->channels + n_channels);
5894 	}
5895 	request->n_match_sets = n_match_sets;
5896 
5897 	i = 0;
5898 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5899 		/* user specified, bail out if channel not found */
5900 		nla_for_each_nested(attr,
5901 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
5902 				    tmp) {
5903 			struct ieee80211_channel *chan;
5904 
5905 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
5906 
5907 			if (!chan) {
5908 				err = -EINVAL;
5909 				goto out_free;
5910 			}
5911 
5912 			/* ignore disabled channels */
5913 			if (chan->flags & IEEE80211_CHAN_DISABLED)
5914 				continue;
5915 
5916 			request->channels[i] = chan;
5917 			i++;
5918 		}
5919 	} else {
5920 		/* all channels */
5921 		for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
5922 			int j;
5923 			if (!wiphy->bands[band])
5924 				continue;
5925 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
5926 				struct ieee80211_channel *chan;
5927 
5928 				chan = &wiphy->bands[band]->channels[j];
5929 
5930 				if (chan->flags & IEEE80211_CHAN_DISABLED)
5931 					continue;
5932 
5933 				request->channels[i] = chan;
5934 				i++;
5935 			}
5936 		}
5937 	}
5938 
5939 	if (!i) {
5940 		err = -EINVAL;
5941 		goto out_free;
5942 	}
5943 
5944 	request->n_channels = i;
5945 
5946 	i = 0;
5947 	if (attrs[NL80211_ATTR_SCAN_SSIDS]) {
5948 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
5949 				    tmp) {
5950 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
5951 				err = -EINVAL;
5952 				goto out_free;
5953 			}
5954 			request->ssids[i].ssid_len = nla_len(attr);
5955 			memcpy(request->ssids[i].ssid, nla_data(attr),
5956 			       nla_len(attr));
5957 			i++;
5958 		}
5959 	}
5960 
5961 	i = 0;
5962 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
5963 		nla_for_each_nested(attr,
5964 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
5965 				    tmp) {
5966 			struct nlattr *ssid, *rssi;
5967 
5968 			err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
5969 					nla_data(attr), nla_len(attr),
5970 					nl80211_match_policy);
5971 			if (err)
5972 				goto out_free;
5973 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
5974 			if (ssid) {
5975 				if (WARN_ON(i >= n_match_sets)) {
5976 					/* this indicates a programming error,
5977 					 * the loop above should have verified
5978 					 * things properly
5979 					 */
5980 					err = -EINVAL;
5981 					goto out_free;
5982 				}
5983 
5984 				if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
5985 					err = -EINVAL;
5986 					goto out_free;
5987 				}
5988 				memcpy(request->match_sets[i].ssid.ssid,
5989 				       nla_data(ssid), nla_len(ssid));
5990 				request->match_sets[i].ssid.ssid_len =
5991 					nla_len(ssid);
5992 				/* special attribute - old implemenation w/a */
5993 				request->match_sets[i].rssi_thold =
5994 					default_match_rssi;
5995 				rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
5996 				if (rssi)
5997 					request->match_sets[i].rssi_thold =
5998 						nla_get_s32(rssi);
5999 			}
6000 			i++;
6001 		}
6002 
6003 		/* there was no other matchset, so the RSSI one is alone */
6004 		if (i == 0 && n_match_sets)
6005 			request->match_sets[0].rssi_thold = default_match_rssi;
6006 
6007 		request->min_rssi_thold = INT_MAX;
6008 		for (i = 0; i < n_match_sets; i++)
6009 			request->min_rssi_thold =
6010 				min(request->match_sets[i].rssi_thold,
6011 				    request->min_rssi_thold);
6012 	} else {
6013 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
6014 	}
6015 
6016 	if (ie_len) {
6017 		request->ie_len = ie_len;
6018 		memcpy((void *)request->ie,
6019 		       nla_data(attrs[NL80211_ATTR_IE]),
6020 		       request->ie_len);
6021 	}
6022 
6023 	if (attrs[NL80211_ATTR_SCAN_FLAGS]) {
6024 		request->flags = nla_get_u32(
6025 			attrs[NL80211_ATTR_SCAN_FLAGS]);
6026 		if ((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
6027 		    !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) {
6028 			err = -EOPNOTSUPP;
6029 			goto out_free;
6030 		}
6031 
6032 		if (request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
6033 			u32 flg = NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR;
6034 
6035 			if (!wdev) /* must be net-detect */
6036 				flg = NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
6037 
6038 			if (!(wiphy->features & flg)) {
6039 				err = -EOPNOTSUPP;
6040 				goto out_free;
6041 			}
6042 
6043 			if (wdev && wdev->current_bss) {
6044 				err = -EOPNOTSUPP;
6045 				goto out_free;
6046 			}
6047 
6048 			err = nl80211_parse_random_mac(attrs, request->mac_addr,
6049 						       request->mac_addr_mask);
6050 			if (err)
6051 				goto out_free;
6052 		}
6053 	}
6054 
6055 	request->interval = interval;
6056 	request->scan_start = jiffies;
6057 
6058 	return request;
6059 
6060 out_free:
6061 	kfree(request);
6062 	return ERR_PTR(err);
6063 }
6064 
6065 static int nl80211_start_sched_scan(struct sk_buff *skb,
6066 				    struct genl_info *info)
6067 {
6068 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6069 	struct net_device *dev = info->user_ptr[1];
6070 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6071 	int err;
6072 
6073 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
6074 	    !rdev->ops->sched_scan_start)
6075 		return -EOPNOTSUPP;
6076 
6077 	if (rdev->sched_scan_req)
6078 		return -EINPROGRESS;
6079 
6080 	rdev->sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
6081 							info->attrs);
6082 	err = PTR_ERR_OR_ZERO(rdev->sched_scan_req);
6083 	if (err)
6084 		goto out_err;
6085 
6086 	err = rdev_sched_scan_start(rdev, dev, rdev->sched_scan_req);
6087 	if (err)
6088 		goto out_free;
6089 
6090 	rdev->sched_scan_req->dev = dev;
6091 	rdev->sched_scan_req->wiphy = &rdev->wiphy;
6092 
6093 	nl80211_send_sched_scan(rdev, dev,
6094 				NL80211_CMD_START_SCHED_SCAN);
6095 	return 0;
6096 
6097 out_free:
6098 	kfree(rdev->sched_scan_req);
6099 out_err:
6100 	rdev->sched_scan_req = NULL;
6101 	return err;
6102 }
6103 
6104 static int nl80211_stop_sched_scan(struct sk_buff *skb,
6105 				   struct genl_info *info)
6106 {
6107 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6108 
6109 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
6110 	    !rdev->ops->sched_scan_stop)
6111 		return -EOPNOTSUPP;
6112 
6113 	return __cfg80211_stop_sched_scan(rdev, false);
6114 }
6115 
6116 static int nl80211_start_radar_detection(struct sk_buff *skb,
6117 					 struct genl_info *info)
6118 {
6119 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6120 	struct net_device *dev = info->user_ptr[1];
6121 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6122 	struct cfg80211_chan_def chandef;
6123 	enum nl80211_dfs_regions dfs_region;
6124 	unsigned int cac_time_ms;
6125 	int err;
6126 
6127 	dfs_region = reg_get_dfs_region(wdev->wiphy);
6128 	if (dfs_region == NL80211_DFS_UNSET)
6129 		return -EINVAL;
6130 
6131 	err = nl80211_parse_chandef(rdev, info, &chandef);
6132 	if (err)
6133 		return err;
6134 
6135 	if (netif_carrier_ok(dev))
6136 		return -EBUSY;
6137 
6138 	if (wdev->cac_started)
6139 		return -EBUSY;
6140 
6141 	err = cfg80211_chandef_dfs_required(wdev->wiphy, &chandef,
6142 					    wdev->iftype);
6143 	if (err < 0)
6144 		return err;
6145 
6146 	if (err == 0)
6147 		return -EINVAL;
6148 
6149 	if (!cfg80211_chandef_dfs_usable(wdev->wiphy, &chandef))
6150 		return -EINVAL;
6151 
6152 	if (!rdev->ops->start_radar_detection)
6153 		return -EOPNOTSUPP;
6154 
6155 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
6156 	if (WARN_ON(!cac_time_ms))
6157 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
6158 
6159 	err = rdev->ops->start_radar_detection(&rdev->wiphy, dev, &chandef,
6160 					       cac_time_ms);
6161 	if (!err) {
6162 		wdev->chandef = chandef;
6163 		wdev->cac_started = true;
6164 		wdev->cac_start_time = jiffies;
6165 		wdev->cac_time_ms = cac_time_ms;
6166 	}
6167 	return err;
6168 }
6169 
6170 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
6171 {
6172 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6173 	struct net_device *dev = info->user_ptr[1];
6174 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6175 	struct cfg80211_csa_settings params;
6176 	/* csa_attrs is defined static to avoid waste of stack size - this
6177 	 * function is called under RTNL lock, so this should not be a problem.
6178 	 */
6179 	static struct nlattr *csa_attrs[NL80211_ATTR_MAX+1];
6180 	int err;
6181 	bool need_new_beacon = false;
6182 	int len, i;
6183 	u32 cs_count;
6184 
6185 	if (!rdev->ops->channel_switch ||
6186 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
6187 		return -EOPNOTSUPP;
6188 
6189 	switch (dev->ieee80211_ptr->iftype) {
6190 	case NL80211_IFTYPE_AP:
6191 	case NL80211_IFTYPE_P2P_GO:
6192 		need_new_beacon = true;
6193 
6194 		/* useless if AP is not running */
6195 		if (!wdev->beacon_interval)
6196 			return -ENOTCONN;
6197 		break;
6198 	case NL80211_IFTYPE_ADHOC:
6199 		if (!wdev->ssid_len)
6200 			return -ENOTCONN;
6201 		break;
6202 	case NL80211_IFTYPE_MESH_POINT:
6203 		if (!wdev->mesh_id_len)
6204 			return -ENOTCONN;
6205 		break;
6206 	default:
6207 		return -EOPNOTSUPP;
6208 	}
6209 
6210 	memset(&params, 0, sizeof(params));
6211 
6212 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
6213 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
6214 		return -EINVAL;
6215 
6216 	/* only important for AP, IBSS and mesh create IEs internally */
6217 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
6218 		return -EINVAL;
6219 
6220 	/* Even though the attribute is u32, the specification says
6221 	 * u8, so let's make sure we don't overflow.
6222 	 */
6223 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
6224 	if (cs_count > 255)
6225 		return -EINVAL;
6226 
6227 	params.count = cs_count;
6228 
6229 	if (!need_new_beacon)
6230 		goto skip_beacons;
6231 
6232 	err = nl80211_parse_beacon(info->attrs, &params.beacon_after);
6233 	if (err)
6234 		return err;
6235 
6236 	err = nla_parse_nested(csa_attrs, NL80211_ATTR_MAX,
6237 			       info->attrs[NL80211_ATTR_CSA_IES],
6238 			       nl80211_policy);
6239 	if (err)
6240 		return err;
6241 
6242 	err = nl80211_parse_beacon(csa_attrs, &params.beacon_csa);
6243 	if (err)
6244 		return err;
6245 
6246 	if (!csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON])
6247 		return -EINVAL;
6248 
6249 	len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
6250 	if (!len || (len % sizeof(u16)))
6251 		return -EINVAL;
6252 
6253 	params.n_counter_offsets_beacon = len / sizeof(u16);
6254 	if (rdev->wiphy.max_num_csa_counters &&
6255 	    (params.n_counter_offsets_beacon >
6256 	     rdev->wiphy.max_num_csa_counters))
6257 		return -EINVAL;
6258 
6259 	params.counter_offsets_beacon =
6260 		nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
6261 
6262 	/* sanity checks - counters should fit and be the same */
6263 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
6264 		u16 offset = params.counter_offsets_beacon[i];
6265 
6266 		if (offset >= params.beacon_csa.tail_len)
6267 			return -EINVAL;
6268 
6269 		if (params.beacon_csa.tail[offset] != params.count)
6270 			return -EINVAL;
6271 	}
6272 
6273 	if (csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]) {
6274 		len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
6275 		if (!len || (len % sizeof(u16)))
6276 			return -EINVAL;
6277 
6278 		params.n_counter_offsets_presp = len / sizeof(u16);
6279 		if (rdev->wiphy.max_num_csa_counters &&
6280 		    (params.n_counter_offsets_beacon >
6281 		     rdev->wiphy.max_num_csa_counters))
6282 			return -EINVAL;
6283 
6284 		params.counter_offsets_presp =
6285 			nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
6286 
6287 		/* sanity checks - counters should fit and be the same */
6288 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
6289 			u16 offset = params.counter_offsets_presp[i];
6290 
6291 			if (offset >= params.beacon_csa.probe_resp_len)
6292 				return -EINVAL;
6293 
6294 			if (params.beacon_csa.probe_resp[offset] !=
6295 			    params.count)
6296 				return -EINVAL;
6297 		}
6298 	}
6299 
6300 skip_beacons:
6301 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
6302 	if (err)
6303 		return err;
6304 
6305 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &params.chandef,
6306 				     wdev->iftype))
6307 		return -EINVAL;
6308 
6309 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
6310 					    &params.chandef,
6311 					    wdev->iftype);
6312 	if (err < 0)
6313 		return err;
6314 
6315 	if (err > 0)
6316 		params.radar_required = true;
6317 
6318 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
6319 		params.block_tx = true;
6320 
6321 	wdev_lock(wdev);
6322 	err = rdev_channel_switch(rdev, dev, &params);
6323 	wdev_unlock(wdev);
6324 
6325 	return err;
6326 }
6327 
6328 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
6329 			    u32 seq, int flags,
6330 			    struct cfg80211_registered_device *rdev,
6331 			    struct wireless_dev *wdev,
6332 			    struct cfg80211_internal_bss *intbss)
6333 {
6334 	struct cfg80211_bss *res = &intbss->pub;
6335 	const struct cfg80211_bss_ies *ies;
6336 	void *hdr;
6337 	struct nlattr *bss;
6338 
6339 	ASSERT_WDEV_LOCK(wdev);
6340 
6341 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
6342 			     NL80211_CMD_NEW_SCAN_RESULTS);
6343 	if (!hdr)
6344 		return -1;
6345 
6346 	genl_dump_check_consistent(cb, hdr, &nl80211_fam);
6347 
6348 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
6349 		goto nla_put_failure;
6350 	if (wdev->netdev &&
6351 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
6352 		goto nla_put_failure;
6353 	if (nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
6354 		goto nla_put_failure;
6355 
6356 	bss = nla_nest_start(msg, NL80211_ATTR_BSS);
6357 	if (!bss)
6358 		goto nla_put_failure;
6359 	if ((!is_zero_ether_addr(res->bssid) &&
6360 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
6361 		goto nla_put_failure;
6362 
6363 	rcu_read_lock();
6364 	/* indicate whether we have probe response data or not */
6365 	if (rcu_access_pointer(res->proberesp_ies) &&
6366 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
6367 		goto fail_unlock_rcu;
6368 
6369 	/* this pointer prefers to be pointed to probe response data
6370 	 * but is always valid
6371 	 */
6372 	ies = rcu_dereference(res->ies);
6373 	if (ies) {
6374 		if (nla_put_u64(msg, NL80211_BSS_TSF, ies->tsf))
6375 			goto fail_unlock_rcu;
6376 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
6377 					ies->len, ies->data))
6378 			goto fail_unlock_rcu;
6379 	}
6380 
6381 	/* and this pointer is always (unless driver didn't know) beacon data */
6382 	ies = rcu_dereference(res->beacon_ies);
6383 	if (ies && ies->from_beacon) {
6384 		if (nla_put_u64(msg, NL80211_BSS_BEACON_TSF, ies->tsf))
6385 			goto fail_unlock_rcu;
6386 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
6387 					ies->len, ies->data))
6388 			goto fail_unlock_rcu;
6389 	}
6390 	rcu_read_unlock();
6391 
6392 	if (res->beacon_interval &&
6393 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
6394 		goto nla_put_failure;
6395 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
6396 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
6397 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
6398 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
6399 			jiffies_to_msecs(jiffies - intbss->ts)))
6400 		goto nla_put_failure;
6401 
6402 	switch (rdev->wiphy.signal_type) {
6403 	case CFG80211_SIGNAL_TYPE_MBM:
6404 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
6405 			goto nla_put_failure;
6406 		break;
6407 	case CFG80211_SIGNAL_TYPE_UNSPEC:
6408 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
6409 			goto nla_put_failure;
6410 		break;
6411 	default:
6412 		break;
6413 	}
6414 
6415 	switch (wdev->iftype) {
6416 	case NL80211_IFTYPE_P2P_CLIENT:
6417 	case NL80211_IFTYPE_STATION:
6418 		if (intbss == wdev->current_bss &&
6419 		    nla_put_u32(msg, NL80211_BSS_STATUS,
6420 				NL80211_BSS_STATUS_ASSOCIATED))
6421 			goto nla_put_failure;
6422 		break;
6423 	case NL80211_IFTYPE_ADHOC:
6424 		if (intbss == wdev->current_bss &&
6425 		    nla_put_u32(msg, NL80211_BSS_STATUS,
6426 				NL80211_BSS_STATUS_IBSS_JOINED))
6427 			goto nla_put_failure;
6428 		break;
6429 	default:
6430 		break;
6431 	}
6432 
6433 	nla_nest_end(msg, bss);
6434 
6435 	return genlmsg_end(msg, hdr);
6436 
6437  fail_unlock_rcu:
6438 	rcu_read_unlock();
6439  nla_put_failure:
6440 	genlmsg_cancel(msg, hdr);
6441 	return -EMSGSIZE;
6442 }
6443 
6444 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
6445 {
6446 	struct cfg80211_registered_device *rdev;
6447 	struct cfg80211_internal_bss *scan;
6448 	struct wireless_dev *wdev;
6449 	int start = cb->args[2], idx = 0;
6450 	int err;
6451 
6452 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
6453 	if (err)
6454 		return err;
6455 
6456 	wdev_lock(wdev);
6457 	spin_lock_bh(&rdev->bss_lock);
6458 	cfg80211_bss_expire(rdev);
6459 
6460 	cb->seq = rdev->bss_generation;
6461 
6462 	list_for_each_entry(scan, &rdev->bss_list, list) {
6463 		if (++idx <= start)
6464 			continue;
6465 		if (nl80211_send_bss(skb, cb,
6466 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6467 				rdev, wdev, scan) < 0) {
6468 			idx--;
6469 			break;
6470 		}
6471 	}
6472 
6473 	spin_unlock_bh(&rdev->bss_lock);
6474 	wdev_unlock(wdev);
6475 
6476 	cb->args[2] = idx;
6477 	nl80211_finish_wdev_dump(rdev);
6478 
6479 	return skb->len;
6480 }
6481 
6482 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
6483 				int flags, struct net_device *dev,
6484 				struct survey_info *survey)
6485 {
6486 	void *hdr;
6487 	struct nlattr *infoattr;
6488 
6489 	hdr = nl80211hdr_put(msg, portid, seq, flags,
6490 			     NL80211_CMD_NEW_SURVEY_RESULTS);
6491 	if (!hdr)
6492 		return -ENOMEM;
6493 
6494 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
6495 		goto nla_put_failure;
6496 
6497 	infoattr = nla_nest_start(msg, NL80211_ATTR_SURVEY_INFO);
6498 	if (!infoattr)
6499 		goto nla_put_failure;
6500 
6501 	if (nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
6502 			survey->channel->center_freq))
6503 		goto nla_put_failure;
6504 
6505 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
6506 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
6507 		goto nla_put_failure;
6508 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
6509 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
6510 		goto nla_put_failure;
6511 	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME) &&
6512 	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME,
6513 			survey->channel_time))
6514 		goto nla_put_failure;
6515 	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_BUSY) &&
6516 	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_BUSY,
6517 			survey->channel_time_busy))
6518 		goto nla_put_failure;
6519 	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_EXT_BUSY) &&
6520 	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_EXT_BUSY,
6521 			survey->channel_time_ext_busy))
6522 		goto nla_put_failure;
6523 	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_RX) &&
6524 	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_RX,
6525 			survey->channel_time_rx))
6526 		goto nla_put_failure;
6527 	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_TX) &&
6528 	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_TX,
6529 			survey->channel_time_tx))
6530 		goto nla_put_failure;
6531 
6532 	nla_nest_end(msg, infoattr);
6533 
6534 	return genlmsg_end(msg, hdr);
6535 
6536  nla_put_failure:
6537 	genlmsg_cancel(msg, hdr);
6538 	return -EMSGSIZE;
6539 }
6540 
6541 static int nl80211_dump_survey(struct sk_buff *skb,
6542 			struct netlink_callback *cb)
6543 {
6544 	struct survey_info survey;
6545 	struct cfg80211_registered_device *rdev;
6546 	struct wireless_dev *wdev;
6547 	int survey_idx = cb->args[2];
6548 	int res;
6549 
6550 	res = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
6551 	if (res)
6552 		return res;
6553 
6554 	if (!wdev->netdev) {
6555 		res = -EINVAL;
6556 		goto out_err;
6557 	}
6558 
6559 	if (!rdev->ops->dump_survey) {
6560 		res = -EOPNOTSUPP;
6561 		goto out_err;
6562 	}
6563 
6564 	while (1) {
6565 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
6566 		if (res == -ENOENT)
6567 			break;
6568 		if (res)
6569 			goto out_err;
6570 
6571 		/* Survey without a channel doesn't make sense */
6572 		if (!survey.channel) {
6573 			res = -EINVAL;
6574 			goto out;
6575 		}
6576 
6577 		if (survey.channel->flags & IEEE80211_CHAN_DISABLED) {
6578 			survey_idx++;
6579 			continue;
6580 		}
6581 
6582 		if (nl80211_send_survey(skb,
6583 				NETLINK_CB(cb->skb).portid,
6584 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6585 				wdev->netdev, &survey) < 0)
6586 			goto out;
6587 		survey_idx++;
6588 	}
6589 
6590  out:
6591 	cb->args[2] = survey_idx;
6592 	res = skb->len;
6593  out_err:
6594 	nl80211_finish_wdev_dump(rdev);
6595 	return res;
6596 }
6597 
6598 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
6599 {
6600 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
6601 				  NL80211_WPA_VERSION_2));
6602 }
6603 
6604 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
6605 {
6606 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6607 	struct net_device *dev = info->user_ptr[1];
6608 	struct ieee80211_channel *chan;
6609 	const u8 *bssid, *ssid, *ie = NULL, *sae_data = NULL;
6610 	int err, ssid_len, ie_len = 0, sae_data_len = 0;
6611 	enum nl80211_auth_type auth_type;
6612 	struct key_parse key;
6613 	bool local_state_change;
6614 
6615 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6616 		return -EINVAL;
6617 
6618 	if (!info->attrs[NL80211_ATTR_MAC])
6619 		return -EINVAL;
6620 
6621 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
6622 		return -EINVAL;
6623 
6624 	if (!info->attrs[NL80211_ATTR_SSID])
6625 		return -EINVAL;
6626 
6627 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
6628 		return -EINVAL;
6629 
6630 	err = nl80211_parse_key(info, &key);
6631 	if (err)
6632 		return err;
6633 
6634 	if (key.idx >= 0) {
6635 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
6636 			return -EINVAL;
6637 		if (!key.p.key || !key.p.key_len)
6638 			return -EINVAL;
6639 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
6640 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
6641 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
6642 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
6643 			return -EINVAL;
6644 		if (key.idx > 4)
6645 			return -EINVAL;
6646 	} else {
6647 		key.p.key_len = 0;
6648 		key.p.key = NULL;
6649 	}
6650 
6651 	if (key.idx >= 0) {
6652 		int i;
6653 		bool ok = false;
6654 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
6655 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
6656 				ok = true;
6657 				break;
6658 			}
6659 		}
6660 		if (!ok)
6661 			return -EINVAL;
6662 	}
6663 
6664 	if (!rdev->ops->auth)
6665 		return -EOPNOTSUPP;
6666 
6667 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6668 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6669 		return -EOPNOTSUPP;
6670 
6671 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6672 	chan = nl80211_get_valid_chan(&rdev->wiphy,
6673 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
6674 	if (!chan)
6675 		return -EINVAL;
6676 
6677 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6678 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
6679 
6680 	if (info->attrs[NL80211_ATTR_IE]) {
6681 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6682 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6683 	}
6684 
6685 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
6686 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
6687 		return -EINVAL;
6688 
6689 	if (auth_type == NL80211_AUTHTYPE_SAE &&
6690 	    !info->attrs[NL80211_ATTR_SAE_DATA])
6691 		return -EINVAL;
6692 
6693 	if (info->attrs[NL80211_ATTR_SAE_DATA]) {
6694 		if (auth_type != NL80211_AUTHTYPE_SAE)
6695 			return -EINVAL;
6696 		sae_data = nla_data(info->attrs[NL80211_ATTR_SAE_DATA]);
6697 		sae_data_len = nla_len(info->attrs[NL80211_ATTR_SAE_DATA]);
6698 		/* need to include at least Auth Transaction and Status Code */
6699 		if (sae_data_len < 4)
6700 			return -EINVAL;
6701 	}
6702 
6703 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
6704 
6705 	/*
6706 	 * Since we no longer track auth state, ignore
6707 	 * requests to only change local state.
6708 	 */
6709 	if (local_state_change)
6710 		return 0;
6711 
6712 	wdev_lock(dev->ieee80211_ptr);
6713 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
6714 				 ssid, ssid_len, ie, ie_len,
6715 				 key.p.key, key.p.key_len, key.idx,
6716 				 sae_data, sae_data_len);
6717 	wdev_unlock(dev->ieee80211_ptr);
6718 	return err;
6719 }
6720 
6721 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
6722 				   struct genl_info *info,
6723 				   struct cfg80211_crypto_settings *settings,
6724 				   int cipher_limit)
6725 {
6726 	memset(settings, 0, sizeof(*settings));
6727 
6728 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
6729 
6730 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
6731 		u16 proto;
6732 		proto = nla_get_u16(
6733 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
6734 		settings->control_port_ethertype = cpu_to_be16(proto);
6735 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
6736 		    proto != ETH_P_PAE)
6737 			return -EINVAL;
6738 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
6739 			settings->control_port_no_encrypt = true;
6740 	} else
6741 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
6742 
6743 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
6744 		void *data;
6745 		int len, i;
6746 
6747 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
6748 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
6749 		settings->n_ciphers_pairwise = len / sizeof(u32);
6750 
6751 		if (len % sizeof(u32))
6752 			return -EINVAL;
6753 
6754 		if (settings->n_ciphers_pairwise > cipher_limit)
6755 			return -EINVAL;
6756 
6757 		memcpy(settings->ciphers_pairwise, data, len);
6758 
6759 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
6760 			if (!cfg80211_supported_cipher_suite(
6761 					&rdev->wiphy,
6762 					settings->ciphers_pairwise[i]))
6763 				return -EINVAL;
6764 	}
6765 
6766 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
6767 		settings->cipher_group =
6768 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
6769 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
6770 						     settings->cipher_group))
6771 			return -EINVAL;
6772 	}
6773 
6774 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
6775 		settings->wpa_versions =
6776 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
6777 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
6778 			return -EINVAL;
6779 	}
6780 
6781 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
6782 		void *data;
6783 		int len;
6784 
6785 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
6786 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
6787 		settings->n_akm_suites = len / sizeof(u32);
6788 
6789 		if (len % sizeof(u32))
6790 			return -EINVAL;
6791 
6792 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
6793 			return -EINVAL;
6794 
6795 		memcpy(settings->akm_suites, data, len);
6796 	}
6797 
6798 	return 0;
6799 }
6800 
6801 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
6802 {
6803 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6804 	struct net_device *dev = info->user_ptr[1];
6805 	struct ieee80211_channel *chan;
6806 	struct cfg80211_assoc_request req = {};
6807 	const u8 *bssid, *ssid;
6808 	int err, ssid_len = 0;
6809 
6810 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6811 		return -EINVAL;
6812 
6813 	if (!info->attrs[NL80211_ATTR_MAC] ||
6814 	    !info->attrs[NL80211_ATTR_SSID] ||
6815 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
6816 		return -EINVAL;
6817 
6818 	if (!rdev->ops->assoc)
6819 		return -EOPNOTSUPP;
6820 
6821 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6822 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6823 		return -EOPNOTSUPP;
6824 
6825 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6826 
6827 	chan = nl80211_get_valid_chan(&rdev->wiphy,
6828 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
6829 	if (!chan)
6830 		return -EINVAL;
6831 
6832 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6833 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
6834 
6835 	if (info->attrs[NL80211_ATTR_IE]) {
6836 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6837 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6838 	}
6839 
6840 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
6841 		enum nl80211_mfp mfp =
6842 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
6843 		if (mfp == NL80211_MFP_REQUIRED)
6844 			req.use_mfp = true;
6845 		else if (mfp != NL80211_MFP_NO)
6846 			return -EINVAL;
6847 	}
6848 
6849 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
6850 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
6851 
6852 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
6853 		req.flags |= ASSOC_REQ_DISABLE_HT;
6854 
6855 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
6856 		memcpy(&req.ht_capa_mask,
6857 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
6858 		       sizeof(req.ht_capa_mask));
6859 
6860 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
6861 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
6862 			return -EINVAL;
6863 		memcpy(&req.ht_capa,
6864 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
6865 		       sizeof(req.ht_capa));
6866 	}
6867 
6868 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
6869 		req.flags |= ASSOC_REQ_DISABLE_VHT;
6870 
6871 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
6872 		memcpy(&req.vht_capa_mask,
6873 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
6874 		       sizeof(req.vht_capa_mask));
6875 
6876 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
6877 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
6878 			return -EINVAL;
6879 		memcpy(&req.vht_capa,
6880 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
6881 		       sizeof(req.vht_capa));
6882 	}
6883 
6884 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
6885 		if (!(rdev->wiphy.features &
6886 		      NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) ||
6887 		    !(rdev->wiphy.features & NL80211_FEATURE_QUIET))
6888 			return -EINVAL;
6889 		req.flags |= ASSOC_REQ_USE_RRM;
6890 	}
6891 
6892 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
6893 	if (!err) {
6894 		wdev_lock(dev->ieee80211_ptr);
6895 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
6896 					  ssid, ssid_len, &req);
6897 		wdev_unlock(dev->ieee80211_ptr);
6898 	}
6899 
6900 	return err;
6901 }
6902 
6903 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
6904 {
6905 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6906 	struct net_device *dev = info->user_ptr[1];
6907 	const u8 *ie = NULL, *bssid;
6908 	int ie_len = 0, err;
6909 	u16 reason_code;
6910 	bool local_state_change;
6911 
6912 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6913 		return -EINVAL;
6914 
6915 	if (!info->attrs[NL80211_ATTR_MAC])
6916 		return -EINVAL;
6917 
6918 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
6919 		return -EINVAL;
6920 
6921 	if (!rdev->ops->deauth)
6922 		return -EOPNOTSUPP;
6923 
6924 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6925 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6926 		return -EOPNOTSUPP;
6927 
6928 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6929 
6930 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
6931 	if (reason_code == 0) {
6932 		/* Reason Code 0 is reserved */
6933 		return -EINVAL;
6934 	}
6935 
6936 	if (info->attrs[NL80211_ATTR_IE]) {
6937 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6938 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6939 	}
6940 
6941 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
6942 
6943 	wdev_lock(dev->ieee80211_ptr);
6944 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
6945 				   local_state_change);
6946 	wdev_unlock(dev->ieee80211_ptr);
6947 	return err;
6948 }
6949 
6950 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
6951 {
6952 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6953 	struct net_device *dev = info->user_ptr[1];
6954 	const u8 *ie = NULL, *bssid;
6955 	int ie_len = 0, err;
6956 	u16 reason_code;
6957 	bool local_state_change;
6958 
6959 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6960 		return -EINVAL;
6961 
6962 	if (!info->attrs[NL80211_ATTR_MAC])
6963 		return -EINVAL;
6964 
6965 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
6966 		return -EINVAL;
6967 
6968 	if (!rdev->ops->disassoc)
6969 		return -EOPNOTSUPP;
6970 
6971 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6972 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6973 		return -EOPNOTSUPP;
6974 
6975 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6976 
6977 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
6978 	if (reason_code == 0) {
6979 		/* Reason Code 0 is reserved */
6980 		return -EINVAL;
6981 	}
6982 
6983 	if (info->attrs[NL80211_ATTR_IE]) {
6984 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6985 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6986 	}
6987 
6988 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
6989 
6990 	wdev_lock(dev->ieee80211_ptr);
6991 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
6992 				     local_state_change);
6993 	wdev_unlock(dev->ieee80211_ptr);
6994 	return err;
6995 }
6996 
6997 static bool
6998 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
6999 			 int mcast_rate[IEEE80211_NUM_BANDS],
7000 			 int rateval)
7001 {
7002 	struct wiphy *wiphy = &rdev->wiphy;
7003 	bool found = false;
7004 	int band, i;
7005 
7006 	for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
7007 		struct ieee80211_supported_band *sband;
7008 
7009 		sband = wiphy->bands[band];
7010 		if (!sband)
7011 			continue;
7012 
7013 		for (i = 0; i < sband->n_bitrates; i++) {
7014 			if (sband->bitrates[i].bitrate == rateval) {
7015 				mcast_rate[band] = i + 1;
7016 				found = true;
7017 				break;
7018 			}
7019 		}
7020 	}
7021 
7022 	return found;
7023 }
7024 
7025 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
7026 {
7027 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7028 	struct net_device *dev = info->user_ptr[1];
7029 	struct cfg80211_ibss_params ibss;
7030 	struct wiphy *wiphy;
7031 	struct cfg80211_cached_keys *connkeys = NULL;
7032 	int err;
7033 
7034 	memset(&ibss, 0, sizeof(ibss));
7035 
7036 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7037 		return -EINVAL;
7038 
7039 	if (!info->attrs[NL80211_ATTR_SSID] ||
7040 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
7041 		return -EINVAL;
7042 
7043 	ibss.beacon_interval = 100;
7044 
7045 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
7046 		ibss.beacon_interval =
7047 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
7048 		if (ibss.beacon_interval < 1 || ibss.beacon_interval > 10000)
7049 			return -EINVAL;
7050 	}
7051 
7052 	if (!rdev->ops->join_ibss)
7053 		return -EOPNOTSUPP;
7054 
7055 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
7056 		return -EOPNOTSUPP;
7057 
7058 	wiphy = &rdev->wiphy;
7059 
7060 	if (info->attrs[NL80211_ATTR_MAC]) {
7061 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7062 
7063 		if (!is_valid_ether_addr(ibss.bssid))
7064 			return -EINVAL;
7065 	}
7066 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
7067 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
7068 
7069 	if (info->attrs[NL80211_ATTR_IE]) {
7070 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7071 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7072 	}
7073 
7074 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
7075 	if (err)
7076 		return err;
7077 
7078 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
7079 				     NL80211_IFTYPE_ADHOC))
7080 		return -EINVAL;
7081 
7082 	switch (ibss.chandef.width) {
7083 	case NL80211_CHAN_WIDTH_5:
7084 	case NL80211_CHAN_WIDTH_10:
7085 	case NL80211_CHAN_WIDTH_20_NOHT:
7086 		break;
7087 	case NL80211_CHAN_WIDTH_20:
7088 	case NL80211_CHAN_WIDTH_40:
7089 		if (rdev->wiphy.features & NL80211_FEATURE_HT_IBSS)
7090 			break;
7091 	default:
7092 		return -EINVAL;
7093 	}
7094 
7095 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
7096 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
7097 
7098 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
7099 		u8 *rates =
7100 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7101 		int n_rates =
7102 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7103 		struct ieee80211_supported_band *sband =
7104 			wiphy->bands[ibss.chandef.chan->band];
7105 
7106 		err = ieee80211_get_ratemask(sband, rates, n_rates,
7107 					     &ibss.basic_rates);
7108 		if (err)
7109 			return err;
7110 	}
7111 
7112 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7113 		memcpy(&ibss.ht_capa_mask,
7114 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
7115 		       sizeof(ibss.ht_capa_mask));
7116 
7117 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
7118 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7119 			return -EINVAL;
7120 		memcpy(&ibss.ht_capa,
7121 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
7122 		       sizeof(ibss.ht_capa));
7123 	}
7124 
7125 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
7126 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
7127 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
7128 		return -EINVAL;
7129 
7130 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
7131 		bool no_ht = false;
7132 
7133 		connkeys = nl80211_parse_connkeys(rdev,
7134 					  info->attrs[NL80211_ATTR_KEYS],
7135 					  &no_ht);
7136 		if (IS_ERR(connkeys))
7137 			return PTR_ERR(connkeys);
7138 
7139 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
7140 		    no_ht) {
7141 			kfree(connkeys);
7142 			return -EINVAL;
7143 		}
7144 	}
7145 
7146 	ibss.control_port =
7147 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
7148 
7149 	ibss.userspace_handles_dfs =
7150 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
7151 
7152 	err = cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
7153 	if (err)
7154 		kzfree(connkeys);
7155 	return err;
7156 }
7157 
7158 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
7159 {
7160 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7161 	struct net_device *dev = info->user_ptr[1];
7162 
7163 	if (!rdev->ops->leave_ibss)
7164 		return -EOPNOTSUPP;
7165 
7166 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
7167 		return -EOPNOTSUPP;
7168 
7169 	return cfg80211_leave_ibss(rdev, dev, false);
7170 }
7171 
7172 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
7173 {
7174 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7175 	struct net_device *dev = info->user_ptr[1];
7176 	int mcast_rate[IEEE80211_NUM_BANDS];
7177 	u32 nla_rate;
7178 	int err;
7179 
7180 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
7181 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7182 		return -EOPNOTSUPP;
7183 
7184 	if (!rdev->ops->set_mcast_rate)
7185 		return -EOPNOTSUPP;
7186 
7187 	memset(mcast_rate, 0, sizeof(mcast_rate));
7188 
7189 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
7190 		return -EINVAL;
7191 
7192 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
7193 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
7194 		return -EINVAL;
7195 
7196 	err = rdev->ops->set_mcast_rate(&rdev->wiphy, dev, mcast_rate);
7197 
7198 	return err;
7199 }
7200 
7201 static struct sk_buff *
7202 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
7203 			    int approxlen, u32 portid, u32 seq,
7204 			    enum nl80211_commands cmd,
7205 			    enum nl80211_attrs attr,
7206 			    const struct nl80211_vendor_cmd_info *info,
7207 			    gfp_t gfp)
7208 {
7209 	struct sk_buff *skb;
7210 	void *hdr;
7211 	struct nlattr *data;
7212 
7213 	skb = nlmsg_new(approxlen + 100, gfp);
7214 	if (!skb)
7215 		return NULL;
7216 
7217 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
7218 	if (!hdr) {
7219 		kfree_skb(skb);
7220 		return NULL;
7221 	}
7222 
7223 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
7224 		goto nla_put_failure;
7225 
7226 	if (info) {
7227 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
7228 				info->vendor_id))
7229 			goto nla_put_failure;
7230 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
7231 				info->subcmd))
7232 			goto nla_put_failure;
7233 	}
7234 
7235 	data = nla_nest_start(skb, attr);
7236 
7237 	((void **)skb->cb)[0] = rdev;
7238 	((void **)skb->cb)[1] = hdr;
7239 	((void **)skb->cb)[2] = data;
7240 
7241 	return skb;
7242 
7243  nla_put_failure:
7244 	kfree_skb(skb);
7245 	return NULL;
7246 }
7247 
7248 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
7249 					   enum nl80211_commands cmd,
7250 					   enum nl80211_attrs attr,
7251 					   int vendor_event_idx,
7252 					   int approxlen, gfp_t gfp)
7253 {
7254 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
7255 	const struct nl80211_vendor_cmd_info *info;
7256 
7257 	switch (cmd) {
7258 	case NL80211_CMD_TESTMODE:
7259 		if (WARN_ON(vendor_event_idx != -1))
7260 			return NULL;
7261 		info = NULL;
7262 		break;
7263 	case NL80211_CMD_VENDOR:
7264 		if (WARN_ON(vendor_event_idx < 0 ||
7265 			    vendor_event_idx >= wiphy->n_vendor_events))
7266 			return NULL;
7267 		info = &wiphy->vendor_events[vendor_event_idx];
7268 		break;
7269 	default:
7270 		WARN_ON(1);
7271 		return NULL;
7272 	}
7273 
7274 	return __cfg80211_alloc_vendor_skb(rdev, approxlen, 0, 0,
7275 					   cmd, attr, info, gfp);
7276 }
7277 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
7278 
7279 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
7280 {
7281 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
7282 	void *hdr = ((void **)skb->cb)[1];
7283 	struct nlattr *data = ((void **)skb->cb)[2];
7284 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
7285 
7286 	/* clear CB data for netlink core to own from now on */
7287 	memset(skb->cb, 0, sizeof(skb->cb));
7288 
7289 	nla_nest_end(skb, data);
7290 	genlmsg_end(skb, hdr);
7291 
7292 	if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
7293 		mcgrp = NL80211_MCGRP_VENDOR;
7294 
7295 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), skb, 0,
7296 				mcgrp, gfp);
7297 }
7298 EXPORT_SYMBOL(__cfg80211_send_event_skb);
7299 
7300 #ifdef CONFIG_NL80211_TESTMODE
7301 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
7302 {
7303 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7304 	struct wireless_dev *wdev =
7305 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
7306 	int err;
7307 
7308 	if (!rdev->ops->testmode_cmd)
7309 		return -EOPNOTSUPP;
7310 
7311 	if (IS_ERR(wdev)) {
7312 		err = PTR_ERR(wdev);
7313 		if (err != -EINVAL)
7314 			return err;
7315 		wdev = NULL;
7316 	} else if (wdev->wiphy != &rdev->wiphy) {
7317 		return -EINVAL;
7318 	}
7319 
7320 	if (!info->attrs[NL80211_ATTR_TESTDATA])
7321 		return -EINVAL;
7322 
7323 	rdev->cur_cmd_info = info;
7324 	err = rdev_testmode_cmd(rdev, wdev,
7325 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
7326 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
7327 	rdev->cur_cmd_info = NULL;
7328 
7329 	return err;
7330 }
7331 
7332 static int nl80211_testmode_dump(struct sk_buff *skb,
7333 				 struct netlink_callback *cb)
7334 {
7335 	struct cfg80211_registered_device *rdev;
7336 	int err;
7337 	long phy_idx;
7338 	void *data = NULL;
7339 	int data_len = 0;
7340 
7341 	rtnl_lock();
7342 
7343 	if (cb->args[0]) {
7344 		/*
7345 		 * 0 is a valid index, but not valid for args[0],
7346 		 * so we need to offset by 1.
7347 		 */
7348 		phy_idx = cb->args[0] - 1;
7349 	} else {
7350 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
7351 				  nl80211_fam.attrbuf, nl80211_fam.maxattr,
7352 				  nl80211_policy);
7353 		if (err)
7354 			goto out_err;
7355 
7356 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk),
7357 						  nl80211_fam.attrbuf);
7358 		if (IS_ERR(rdev)) {
7359 			err = PTR_ERR(rdev);
7360 			goto out_err;
7361 		}
7362 		phy_idx = rdev->wiphy_idx;
7363 		rdev = NULL;
7364 
7365 		if (nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA])
7366 			cb->args[1] =
7367 				(long)nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA];
7368 	}
7369 
7370 	if (cb->args[1]) {
7371 		data = nla_data((void *)cb->args[1]);
7372 		data_len = nla_len((void *)cb->args[1]);
7373 	}
7374 
7375 	rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
7376 	if (!rdev) {
7377 		err = -ENOENT;
7378 		goto out_err;
7379 	}
7380 
7381 	if (!rdev->ops->testmode_dump) {
7382 		err = -EOPNOTSUPP;
7383 		goto out_err;
7384 	}
7385 
7386 	while (1) {
7387 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
7388 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
7389 					   NL80211_CMD_TESTMODE);
7390 		struct nlattr *tmdata;
7391 
7392 		if (!hdr)
7393 			break;
7394 
7395 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
7396 			genlmsg_cancel(skb, hdr);
7397 			break;
7398 		}
7399 
7400 		tmdata = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
7401 		if (!tmdata) {
7402 			genlmsg_cancel(skb, hdr);
7403 			break;
7404 		}
7405 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
7406 		nla_nest_end(skb, tmdata);
7407 
7408 		if (err == -ENOBUFS || err == -ENOENT) {
7409 			genlmsg_cancel(skb, hdr);
7410 			break;
7411 		} else if (err) {
7412 			genlmsg_cancel(skb, hdr);
7413 			goto out_err;
7414 		}
7415 
7416 		genlmsg_end(skb, hdr);
7417 	}
7418 
7419 	err = skb->len;
7420 	/* see above */
7421 	cb->args[0] = phy_idx + 1;
7422  out_err:
7423 	rtnl_unlock();
7424 	return err;
7425 }
7426 #endif
7427 
7428 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
7429 {
7430 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7431 	struct net_device *dev = info->user_ptr[1];
7432 	struct cfg80211_connect_params connect;
7433 	struct wiphy *wiphy;
7434 	struct cfg80211_cached_keys *connkeys = NULL;
7435 	int err;
7436 
7437 	memset(&connect, 0, sizeof(connect));
7438 
7439 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7440 		return -EINVAL;
7441 
7442 	if (!info->attrs[NL80211_ATTR_SSID] ||
7443 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
7444 		return -EINVAL;
7445 
7446 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
7447 		connect.auth_type =
7448 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
7449 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
7450 					     NL80211_CMD_CONNECT))
7451 			return -EINVAL;
7452 	} else
7453 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
7454 
7455 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
7456 
7457 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
7458 				      NL80211_MAX_NR_CIPHER_SUITES);
7459 	if (err)
7460 		return err;
7461 
7462 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7463 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7464 		return -EOPNOTSUPP;
7465 
7466 	wiphy = &rdev->wiphy;
7467 
7468 	connect.bg_scan_period = -1;
7469 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
7470 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
7471 		connect.bg_scan_period =
7472 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
7473 	}
7474 
7475 	if (info->attrs[NL80211_ATTR_MAC])
7476 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7477 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
7478 		connect.bssid_hint =
7479 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
7480 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
7481 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
7482 
7483 	if (info->attrs[NL80211_ATTR_IE]) {
7484 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7485 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7486 	}
7487 
7488 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
7489 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
7490 		if (connect.mfp != NL80211_MFP_REQUIRED &&
7491 		    connect.mfp != NL80211_MFP_NO)
7492 			return -EINVAL;
7493 	} else {
7494 		connect.mfp = NL80211_MFP_NO;
7495 	}
7496 
7497 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
7498 		connect.channel = nl80211_get_valid_chan(
7499 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ]);
7500 		if (!connect.channel)
7501 			return -EINVAL;
7502 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
7503 		connect.channel_hint = nl80211_get_valid_chan(
7504 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
7505 		if (!connect.channel_hint)
7506 			return -EINVAL;
7507 	}
7508 
7509 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
7510 		connkeys = nl80211_parse_connkeys(rdev,
7511 					  info->attrs[NL80211_ATTR_KEYS], NULL);
7512 		if (IS_ERR(connkeys))
7513 			return PTR_ERR(connkeys);
7514 	}
7515 
7516 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
7517 		connect.flags |= ASSOC_REQ_DISABLE_HT;
7518 
7519 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7520 		memcpy(&connect.ht_capa_mask,
7521 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
7522 		       sizeof(connect.ht_capa_mask));
7523 
7524 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
7525 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
7526 			kzfree(connkeys);
7527 			return -EINVAL;
7528 		}
7529 		memcpy(&connect.ht_capa,
7530 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
7531 		       sizeof(connect.ht_capa));
7532 	}
7533 
7534 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
7535 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
7536 
7537 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
7538 		memcpy(&connect.vht_capa_mask,
7539 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
7540 		       sizeof(connect.vht_capa_mask));
7541 
7542 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
7543 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
7544 			kzfree(connkeys);
7545 			return -EINVAL;
7546 		}
7547 		memcpy(&connect.vht_capa,
7548 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
7549 		       sizeof(connect.vht_capa));
7550 	}
7551 
7552 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
7553 		if (!(rdev->wiphy.features &
7554 		      NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) ||
7555 		    !(rdev->wiphy.features & NL80211_FEATURE_QUIET))
7556 			return -EINVAL;
7557 		connect.flags |= ASSOC_REQ_USE_RRM;
7558 	}
7559 
7560 	wdev_lock(dev->ieee80211_ptr);
7561 	err = cfg80211_connect(rdev, dev, &connect, connkeys, NULL);
7562 	wdev_unlock(dev->ieee80211_ptr);
7563 	if (err)
7564 		kzfree(connkeys);
7565 	return err;
7566 }
7567 
7568 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
7569 {
7570 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7571 	struct net_device *dev = info->user_ptr[1];
7572 	u16 reason;
7573 	int ret;
7574 
7575 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
7576 		reason = WLAN_REASON_DEAUTH_LEAVING;
7577 	else
7578 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7579 
7580 	if (reason == 0)
7581 		return -EINVAL;
7582 
7583 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7584 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7585 		return -EOPNOTSUPP;
7586 
7587 	wdev_lock(dev->ieee80211_ptr);
7588 	ret = cfg80211_disconnect(rdev, dev, reason, true);
7589 	wdev_unlock(dev->ieee80211_ptr);
7590 	return ret;
7591 }
7592 
7593 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
7594 {
7595 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7596 	struct net *net;
7597 	int err;
7598 	u32 pid;
7599 
7600 	if (!info->attrs[NL80211_ATTR_PID])
7601 		return -EINVAL;
7602 
7603 	pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
7604 
7605 	net = get_net_ns_by_pid(pid);
7606 	if (IS_ERR(net))
7607 		return PTR_ERR(net);
7608 
7609 	err = 0;
7610 
7611 	/* check if anything to do */
7612 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
7613 		err = cfg80211_switch_netns(rdev, net);
7614 
7615 	put_net(net);
7616 	return err;
7617 }
7618 
7619 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
7620 {
7621 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7622 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
7623 			struct cfg80211_pmksa *pmksa) = NULL;
7624 	struct net_device *dev = info->user_ptr[1];
7625 	struct cfg80211_pmksa pmksa;
7626 
7627 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
7628 
7629 	if (!info->attrs[NL80211_ATTR_MAC])
7630 		return -EINVAL;
7631 
7632 	if (!info->attrs[NL80211_ATTR_PMKID])
7633 		return -EINVAL;
7634 
7635 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
7636 	pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7637 
7638 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7639 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7640 		return -EOPNOTSUPP;
7641 
7642 	switch (info->genlhdr->cmd) {
7643 	case NL80211_CMD_SET_PMKSA:
7644 		rdev_ops = rdev->ops->set_pmksa;
7645 		break;
7646 	case NL80211_CMD_DEL_PMKSA:
7647 		rdev_ops = rdev->ops->del_pmksa;
7648 		break;
7649 	default:
7650 		WARN_ON(1);
7651 		break;
7652 	}
7653 
7654 	if (!rdev_ops)
7655 		return -EOPNOTSUPP;
7656 
7657 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
7658 }
7659 
7660 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
7661 {
7662 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7663 	struct net_device *dev = info->user_ptr[1];
7664 
7665 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7666 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7667 		return -EOPNOTSUPP;
7668 
7669 	if (!rdev->ops->flush_pmksa)
7670 		return -EOPNOTSUPP;
7671 
7672 	return rdev_flush_pmksa(rdev, dev);
7673 }
7674 
7675 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
7676 {
7677 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7678 	struct net_device *dev = info->user_ptr[1];
7679 	u8 action_code, dialog_token;
7680 	u32 peer_capability = 0;
7681 	u16 status_code;
7682 	u8 *peer;
7683 	bool initiator;
7684 
7685 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
7686 	    !rdev->ops->tdls_mgmt)
7687 		return -EOPNOTSUPP;
7688 
7689 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
7690 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
7691 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
7692 	    !info->attrs[NL80211_ATTR_IE] ||
7693 	    !info->attrs[NL80211_ATTR_MAC])
7694 		return -EINVAL;
7695 
7696 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
7697 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
7698 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
7699 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
7700 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
7701 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
7702 		peer_capability =
7703 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
7704 
7705 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
7706 			      dialog_token, status_code, peer_capability,
7707 			      initiator,
7708 			      nla_data(info->attrs[NL80211_ATTR_IE]),
7709 			      nla_len(info->attrs[NL80211_ATTR_IE]));
7710 }
7711 
7712 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
7713 {
7714 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7715 	struct net_device *dev = info->user_ptr[1];
7716 	enum nl80211_tdls_operation operation;
7717 	u8 *peer;
7718 
7719 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
7720 	    !rdev->ops->tdls_oper)
7721 		return -EOPNOTSUPP;
7722 
7723 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
7724 	    !info->attrs[NL80211_ATTR_MAC])
7725 		return -EINVAL;
7726 
7727 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
7728 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
7729 
7730 	return rdev_tdls_oper(rdev, dev, peer, operation);
7731 }
7732 
7733 static int nl80211_remain_on_channel(struct sk_buff *skb,
7734 				     struct genl_info *info)
7735 {
7736 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7737 	struct wireless_dev *wdev = info->user_ptr[1];
7738 	struct cfg80211_chan_def chandef;
7739 	struct sk_buff *msg;
7740 	void *hdr;
7741 	u64 cookie;
7742 	u32 duration;
7743 	int err;
7744 
7745 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
7746 	    !info->attrs[NL80211_ATTR_DURATION])
7747 		return -EINVAL;
7748 
7749 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
7750 
7751 	if (!rdev->ops->remain_on_channel ||
7752 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
7753 		return -EOPNOTSUPP;
7754 
7755 	/*
7756 	 * We should be on that channel for at least a minimum amount of
7757 	 * time (10ms) but no longer than the driver supports.
7758 	 */
7759 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
7760 	    duration > rdev->wiphy.max_remain_on_channel_duration)
7761 		return -EINVAL;
7762 
7763 	err = nl80211_parse_chandef(rdev, info, &chandef);
7764 	if (err)
7765 		return err;
7766 
7767 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7768 	if (!msg)
7769 		return -ENOMEM;
7770 
7771 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7772 			     NL80211_CMD_REMAIN_ON_CHANNEL);
7773 	if (!hdr) {
7774 		err = -ENOBUFS;
7775 		goto free_msg;
7776 	}
7777 
7778 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
7779 				     duration, &cookie);
7780 
7781 	if (err)
7782 		goto free_msg;
7783 
7784 	if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
7785 		goto nla_put_failure;
7786 
7787 	genlmsg_end(msg, hdr);
7788 
7789 	return genlmsg_reply(msg, info);
7790 
7791  nla_put_failure:
7792 	err = -ENOBUFS;
7793  free_msg:
7794 	nlmsg_free(msg);
7795 	return err;
7796 }
7797 
7798 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
7799 					    struct genl_info *info)
7800 {
7801 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7802 	struct wireless_dev *wdev = info->user_ptr[1];
7803 	u64 cookie;
7804 
7805 	if (!info->attrs[NL80211_ATTR_COOKIE])
7806 		return -EINVAL;
7807 
7808 	if (!rdev->ops->cancel_remain_on_channel)
7809 		return -EOPNOTSUPP;
7810 
7811 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
7812 
7813 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
7814 }
7815 
7816 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
7817 			   u8 *rates, u8 rates_len)
7818 {
7819 	u8 i;
7820 	u32 mask = 0;
7821 
7822 	for (i = 0; i < rates_len; i++) {
7823 		int rate = (rates[i] & 0x7f) * 5;
7824 		int ridx;
7825 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
7826 			struct ieee80211_rate *srate =
7827 				&sband->bitrates[ridx];
7828 			if (rate == srate->bitrate) {
7829 				mask |= 1 << ridx;
7830 				break;
7831 			}
7832 		}
7833 		if (ridx == sband->n_bitrates)
7834 			return 0; /* rate not found */
7835 	}
7836 
7837 	return mask;
7838 }
7839 
7840 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
7841 			       u8 *rates, u8 rates_len,
7842 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
7843 {
7844 	u8 i;
7845 
7846 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
7847 
7848 	for (i = 0; i < rates_len; i++) {
7849 		int ridx, rbit;
7850 
7851 		ridx = rates[i] / 8;
7852 		rbit = BIT(rates[i] % 8);
7853 
7854 		/* check validity */
7855 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
7856 			return false;
7857 
7858 		/* check availability */
7859 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
7860 			mcs[ridx] |= rbit;
7861 		else
7862 			return false;
7863 	}
7864 
7865 	return true;
7866 }
7867 
7868 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
7869 {
7870 	u16 mcs_mask = 0;
7871 
7872 	switch (vht_mcs_map) {
7873 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
7874 		break;
7875 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
7876 		mcs_mask = 0x00FF;
7877 		break;
7878 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
7879 		mcs_mask = 0x01FF;
7880 		break;
7881 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
7882 		mcs_mask = 0x03FF;
7883 		break;
7884 	default:
7885 		break;
7886 	}
7887 
7888 	return mcs_mask;
7889 }
7890 
7891 static void vht_build_mcs_mask(u16 vht_mcs_map,
7892 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
7893 {
7894 	u8 nss;
7895 
7896 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
7897 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
7898 		vht_mcs_map >>= 2;
7899 	}
7900 }
7901 
7902 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
7903 			     struct nl80211_txrate_vht *txrate,
7904 			     u16 mcs[NL80211_VHT_NSS_MAX])
7905 {
7906 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
7907 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
7908 	u8 i;
7909 
7910 	if (!sband->vht_cap.vht_supported)
7911 		return false;
7912 
7913 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
7914 
7915 	/* Build vht_mcs_mask from VHT capabilities */
7916 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
7917 
7918 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
7919 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
7920 			mcs[i] = txrate->mcs[i];
7921 		else
7922 			return false;
7923 	}
7924 
7925 	return true;
7926 }
7927 
7928 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
7929 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
7930 				    .len = NL80211_MAX_SUPP_RATES },
7931 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
7932 				.len = NL80211_MAX_SUPP_HT_RATES },
7933 	[NL80211_TXRATE_VHT] = { .len = sizeof(struct nl80211_txrate_vht)},
7934 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
7935 };
7936 
7937 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
7938 				       struct genl_info *info)
7939 {
7940 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
7941 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7942 	struct cfg80211_bitrate_mask mask;
7943 	int rem, i;
7944 	struct net_device *dev = info->user_ptr[1];
7945 	struct nlattr *tx_rates;
7946 	struct ieee80211_supported_band *sband;
7947 	u16 vht_tx_mcs_map;
7948 
7949 	if (!rdev->ops->set_bitrate_mask)
7950 		return -EOPNOTSUPP;
7951 
7952 	memset(&mask, 0, sizeof(mask));
7953 	/* Default to all rates enabled */
7954 	for (i = 0; i < IEEE80211_NUM_BANDS; i++) {
7955 		sband = rdev->wiphy.bands[i];
7956 
7957 		if (!sband)
7958 			continue;
7959 
7960 		mask.control[i].legacy = (1 << sband->n_bitrates) - 1;
7961 		memcpy(mask.control[i].ht_mcs,
7962 		       sband->ht_cap.mcs.rx_mask,
7963 		       sizeof(mask.control[i].ht_mcs));
7964 
7965 		if (!sband->vht_cap.vht_supported)
7966 			continue;
7967 
7968 		vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
7969 		vht_build_mcs_mask(vht_tx_mcs_map, mask.control[i].vht_mcs);
7970 	}
7971 
7972 	/* if no rates are given set it back to the defaults */
7973 	if (!info->attrs[NL80211_ATTR_TX_RATES])
7974 		goto out;
7975 
7976 	/*
7977 	 * The nested attribute uses enum nl80211_band as the index. This maps
7978 	 * directly to the enum ieee80211_band values used in cfg80211.
7979 	 */
7980 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
7981 	nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
7982 		enum ieee80211_band band = nla_type(tx_rates);
7983 		int err;
7984 
7985 		if (band < 0 || band >= IEEE80211_NUM_BANDS)
7986 			return -EINVAL;
7987 		sband = rdev->wiphy.bands[band];
7988 		if (sband == NULL)
7989 			return -EINVAL;
7990 		err = nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates),
7991 				nla_len(tx_rates), nl80211_txattr_policy);
7992 		if (err)
7993 			return err;
7994 		if (tb[NL80211_TXRATE_LEGACY]) {
7995 			mask.control[band].legacy = rateset_to_mask(
7996 				sband,
7997 				nla_data(tb[NL80211_TXRATE_LEGACY]),
7998 				nla_len(tb[NL80211_TXRATE_LEGACY]));
7999 			if ((mask.control[band].legacy == 0) &&
8000 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
8001 				return -EINVAL;
8002 		}
8003 		if (tb[NL80211_TXRATE_HT]) {
8004 			if (!ht_rateset_to_mask(
8005 					sband,
8006 					nla_data(tb[NL80211_TXRATE_HT]),
8007 					nla_len(tb[NL80211_TXRATE_HT]),
8008 					mask.control[band].ht_mcs))
8009 				return -EINVAL;
8010 		}
8011 		if (tb[NL80211_TXRATE_VHT]) {
8012 			if (!vht_set_mcs_mask(
8013 					sband,
8014 					nla_data(tb[NL80211_TXRATE_VHT]),
8015 					mask.control[band].vht_mcs))
8016 				return -EINVAL;
8017 		}
8018 		if (tb[NL80211_TXRATE_GI]) {
8019 			mask.control[band].gi =
8020 				nla_get_u8(tb[NL80211_TXRATE_GI]);
8021 			if (mask.control[band].gi > NL80211_TXRATE_FORCE_LGI)
8022 				return -EINVAL;
8023 		}
8024 
8025 		if (mask.control[band].legacy == 0) {
8026 			/* don't allow empty legacy rates if HT or VHT
8027 			 * are not even supported.
8028 			 */
8029 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
8030 			      rdev->wiphy.bands[band]->vht_cap.vht_supported))
8031 				return -EINVAL;
8032 
8033 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
8034 				if (mask.control[band].ht_mcs[i])
8035 					goto out;
8036 
8037 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
8038 				if (mask.control[band].vht_mcs[i])
8039 					goto out;
8040 
8041 			/* legacy and mcs rates may not be both empty */
8042 			return -EINVAL;
8043 		}
8044 	}
8045 
8046 out:
8047 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
8048 }
8049 
8050 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
8051 {
8052 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8053 	struct wireless_dev *wdev = info->user_ptr[1];
8054 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
8055 
8056 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
8057 		return -EINVAL;
8058 
8059 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
8060 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
8061 
8062 	switch (wdev->iftype) {
8063 	case NL80211_IFTYPE_STATION:
8064 	case NL80211_IFTYPE_ADHOC:
8065 	case NL80211_IFTYPE_P2P_CLIENT:
8066 	case NL80211_IFTYPE_AP:
8067 	case NL80211_IFTYPE_AP_VLAN:
8068 	case NL80211_IFTYPE_MESH_POINT:
8069 	case NL80211_IFTYPE_P2P_GO:
8070 	case NL80211_IFTYPE_P2P_DEVICE:
8071 		break;
8072 	default:
8073 		return -EOPNOTSUPP;
8074 	}
8075 
8076 	/* not much point in registering if we can't reply */
8077 	if (!rdev->ops->mgmt_tx)
8078 		return -EOPNOTSUPP;
8079 
8080 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
8081 			nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
8082 			nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]));
8083 }
8084 
8085 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
8086 {
8087 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8088 	struct wireless_dev *wdev = info->user_ptr[1];
8089 	struct cfg80211_chan_def chandef;
8090 	int err;
8091 	void *hdr = NULL;
8092 	u64 cookie;
8093 	struct sk_buff *msg = NULL;
8094 	struct cfg80211_mgmt_tx_params params = {
8095 		.dont_wait_for_ack =
8096 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
8097 	};
8098 
8099 	if (!info->attrs[NL80211_ATTR_FRAME])
8100 		return -EINVAL;
8101 
8102 	if (!rdev->ops->mgmt_tx)
8103 		return -EOPNOTSUPP;
8104 
8105 	switch (wdev->iftype) {
8106 	case NL80211_IFTYPE_P2P_DEVICE:
8107 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
8108 			return -EINVAL;
8109 	case NL80211_IFTYPE_STATION:
8110 	case NL80211_IFTYPE_ADHOC:
8111 	case NL80211_IFTYPE_P2P_CLIENT:
8112 	case NL80211_IFTYPE_AP:
8113 	case NL80211_IFTYPE_AP_VLAN:
8114 	case NL80211_IFTYPE_MESH_POINT:
8115 	case NL80211_IFTYPE_P2P_GO:
8116 		break;
8117 	default:
8118 		return -EOPNOTSUPP;
8119 	}
8120 
8121 	if (info->attrs[NL80211_ATTR_DURATION]) {
8122 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
8123 			return -EINVAL;
8124 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
8125 
8126 		/*
8127 		 * We should wait on the channel for at least a minimum amount
8128 		 * of time (10ms) but no longer than the driver supports.
8129 		 */
8130 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
8131 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
8132 			return -EINVAL;
8133 
8134 	}
8135 
8136 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
8137 
8138 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
8139 		return -EINVAL;
8140 
8141 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
8142 
8143 	/* get the channel if any has been specified, otherwise pass NULL to
8144 	 * the driver. The latter will use the current one
8145 	 */
8146 	chandef.chan = NULL;
8147 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
8148 		err = nl80211_parse_chandef(rdev, info, &chandef);
8149 		if (err)
8150 			return err;
8151 	}
8152 
8153 	if (!chandef.chan && params.offchan)
8154 		return -EINVAL;
8155 
8156 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
8157 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
8158 
8159 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
8160 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
8161 		int i;
8162 
8163 		if (len % sizeof(u16))
8164 			return -EINVAL;
8165 
8166 		params.n_csa_offsets = len / sizeof(u16);
8167 		params.csa_offsets =
8168 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
8169 
8170 		/* check that all the offsets fit the frame */
8171 		for (i = 0; i < params.n_csa_offsets; i++) {
8172 			if (params.csa_offsets[i] >= params.len)
8173 				return -EINVAL;
8174 		}
8175 	}
8176 
8177 	if (!params.dont_wait_for_ack) {
8178 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8179 		if (!msg)
8180 			return -ENOMEM;
8181 
8182 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8183 				     NL80211_CMD_FRAME);
8184 		if (!hdr) {
8185 			err = -ENOBUFS;
8186 			goto free_msg;
8187 		}
8188 	}
8189 
8190 	params.chan = chandef.chan;
8191 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
8192 	if (err)
8193 		goto free_msg;
8194 
8195 	if (msg) {
8196 		if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
8197 			goto nla_put_failure;
8198 
8199 		genlmsg_end(msg, hdr);
8200 		return genlmsg_reply(msg, info);
8201 	}
8202 
8203 	return 0;
8204 
8205  nla_put_failure:
8206 	err = -ENOBUFS;
8207  free_msg:
8208 	nlmsg_free(msg);
8209 	return err;
8210 }
8211 
8212 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
8213 {
8214 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8215 	struct wireless_dev *wdev = info->user_ptr[1];
8216 	u64 cookie;
8217 
8218 	if (!info->attrs[NL80211_ATTR_COOKIE])
8219 		return -EINVAL;
8220 
8221 	if (!rdev->ops->mgmt_tx_cancel_wait)
8222 		return -EOPNOTSUPP;
8223 
8224 	switch (wdev->iftype) {
8225 	case NL80211_IFTYPE_STATION:
8226 	case NL80211_IFTYPE_ADHOC:
8227 	case NL80211_IFTYPE_P2P_CLIENT:
8228 	case NL80211_IFTYPE_AP:
8229 	case NL80211_IFTYPE_AP_VLAN:
8230 	case NL80211_IFTYPE_P2P_GO:
8231 	case NL80211_IFTYPE_P2P_DEVICE:
8232 		break;
8233 	default:
8234 		return -EOPNOTSUPP;
8235 	}
8236 
8237 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
8238 
8239 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
8240 }
8241 
8242 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
8243 {
8244 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8245 	struct wireless_dev *wdev;
8246 	struct net_device *dev = info->user_ptr[1];
8247 	u8 ps_state;
8248 	bool state;
8249 	int err;
8250 
8251 	if (!info->attrs[NL80211_ATTR_PS_STATE])
8252 		return -EINVAL;
8253 
8254 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
8255 
8256 	if (ps_state != NL80211_PS_DISABLED && ps_state != NL80211_PS_ENABLED)
8257 		return -EINVAL;
8258 
8259 	wdev = dev->ieee80211_ptr;
8260 
8261 	if (!rdev->ops->set_power_mgmt)
8262 		return -EOPNOTSUPP;
8263 
8264 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
8265 
8266 	if (state == wdev->ps)
8267 		return 0;
8268 
8269 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
8270 	if (!err)
8271 		wdev->ps = state;
8272 	return err;
8273 }
8274 
8275 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
8276 {
8277 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8278 	enum nl80211_ps_state ps_state;
8279 	struct wireless_dev *wdev;
8280 	struct net_device *dev = info->user_ptr[1];
8281 	struct sk_buff *msg;
8282 	void *hdr;
8283 	int err;
8284 
8285 	wdev = dev->ieee80211_ptr;
8286 
8287 	if (!rdev->ops->set_power_mgmt)
8288 		return -EOPNOTSUPP;
8289 
8290 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8291 	if (!msg)
8292 		return -ENOMEM;
8293 
8294 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8295 			     NL80211_CMD_GET_POWER_SAVE);
8296 	if (!hdr) {
8297 		err = -ENOBUFS;
8298 		goto free_msg;
8299 	}
8300 
8301 	if (wdev->ps)
8302 		ps_state = NL80211_PS_ENABLED;
8303 	else
8304 		ps_state = NL80211_PS_DISABLED;
8305 
8306 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
8307 		goto nla_put_failure;
8308 
8309 	genlmsg_end(msg, hdr);
8310 	return genlmsg_reply(msg, info);
8311 
8312  nla_put_failure:
8313 	err = -ENOBUFS;
8314  free_msg:
8315 	nlmsg_free(msg);
8316 	return err;
8317 }
8318 
8319 static const struct nla_policy
8320 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
8321 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_U32 },
8322 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
8323 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
8324 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
8325 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
8326 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
8327 };
8328 
8329 static int nl80211_set_cqm_txe(struct genl_info *info,
8330 			       u32 rate, u32 pkts, u32 intvl)
8331 {
8332 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8333 	struct net_device *dev = info->user_ptr[1];
8334 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8335 
8336 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
8337 		return -EINVAL;
8338 
8339 	if (!rdev->ops->set_cqm_txe_config)
8340 		return -EOPNOTSUPP;
8341 
8342 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
8343 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
8344 		return -EOPNOTSUPP;
8345 
8346 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
8347 }
8348 
8349 static int nl80211_set_cqm_rssi(struct genl_info *info,
8350 				s32 threshold, u32 hysteresis)
8351 {
8352 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8353 	struct net_device *dev = info->user_ptr[1];
8354 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8355 
8356 	if (threshold > 0)
8357 		return -EINVAL;
8358 
8359 	/* disabling - hysteresis should also be zero then */
8360 	if (threshold == 0)
8361 		hysteresis = 0;
8362 
8363 	if (!rdev->ops->set_cqm_rssi_config)
8364 		return -EOPNOTSUPP;
8365 
8366 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
8367 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
8368 		return -EOPNOTSUPP;
8369 
8370 	return rdev_set_cqm_rssi_config(rdev, dev, threshold, hysteresis);
8371 }
8372 
8373 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
8374 {
8375 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
8376 	struct nlattr *cqm;
8377 	int err;
8378 
8379 	cqm = info->attrs[NL80211_ATTR_CQM];
8380 	if (!cqm)
8381 		return -EINVAL;
8382 
8383 	err = nla_parse_nested(attrs, NL80211_ATTR_CQM_MAX, cqm,
8384 			       nl80211_attr_cqm_policy);
8385 	if (err)
8386 		return err;
8387 
8388 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
8389 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
8390 		s32 threshold = nla_get_s32(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
8391 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
8392 
8393 		return nl80211_set_cqm_rssi(info, threshold, hysteresis);
8394 	}
8395 
8396 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
8397 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
8398 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
8399 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
8400 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
8401 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
8402 
8403 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
8404 	}
8405 
8406 	return -EINVAL;
8407 }
8408 
8409 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
8410 {
8411 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8412 	struct net_device *dev = info->user_ptr[1];
8413 	struct ocb_setup setup = {};
8414 	int err;
8415 
8416 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
8417 	if (err)
8418 		return err;
8419 
8420 	return cfg80211_join_ocb(rdev, dev, &setup);
8421 }
8422 
8423 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
8424 {
8425 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8426 	struct net_device *dev = info->user_ptr[1];
8427 
8428 	return cfg80211_leave_ocb(rdev, dev);
8429 }
8430 
8431 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
8432 {
8433 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8434 	struct net_device *dev = info->user_ptr[1];
8435 	struct mesh_config cfg;
8436 	struct mesh_setup setup;
8437 	int err;
8438 
8439 	/* start with default */
8440 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
8441 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
8442 
8443 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
8444 		/* and parse parameters if given */
8445 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
8446 		if (err)
8447 			return err;
8448 	}
8449 
8450 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
8451 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
8452 		return -EINVAL;
8453 
8454 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
8455 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
8456 
8457 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
8458 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
8459 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
8460 			return -EINVAL;
8461 
8462 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
8463 		setup.beacon_interval =
8464 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
8465 		if (setup.beacon_interval < 10 ||
8466 		    setup.beacon_interval > 10000)
8467 			return -EINVAL;
8468 	}
8469 
8470 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
8471 		setup.dtim_period =
8472 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
8473 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
8474 			return -EINVAL;
8475 	}
8476 
8477 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
8478 		/* parse additional setup parameters if given */
8479 		err = nl80211_parse_mesh_setup(info, &setup);
8480 		if (err)
8481 			return err;
8482 	}
8483 
8484 	if (setup.user_mpm)
8485 		cfg.auto_open_plinks = false;
8486 
8487 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
8488 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
8489 		if (err)
8490 			return err;
8491 	} else {
8492 		/* cfg80211_join_mesh() will sort it out */
8493 		setup.chandef.chan = NULL;
8494 	}
8495 
8496 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
8497 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8498 		int n_rates =
8499 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8500 		struct ieee80211_supported_band *sband;
8501 
8502 		if (!setup.chandef.chan)
8503 			return -EINVAL;
8504 
8505 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
8506 
8507 		err = ieee80211_get_ratemask(sband, rates, n_rates,
8508 					     &setup.basic_rates);
8509 		if (err)
8510 			return err;
8511 	}
8512 
8513 	return cfg80211_join_mesh(rdev, dev, &setup, &cfg);
8514 }
8515 
8516 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
8517 {
8518 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8519 	struct net_device *dev = info->user_ptr[1];
8520 
8521 	return cfg80211_leave_mesh(rdev, dev);
8522 }
8523 
8524 #ifdef CONFIG_PM
8525 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
8526 					struct cfg80211_registered_device *rdev)
8527 {
8528 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
8529 	struct nlattr *nl_pats, *nl_pat;
8530 	int i, pat_len;
8531 
8532 	if (!wowlan->n_patterns)
8533 		return 0;
8534 
8535 	nl_pats = nla_nest_start(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
8536 	if (!nl_pats)
8537 		return -ENOBUFS;
8538 
8539 	for (i = 0; i < wowlan->n_patterns; i++) {
8540 		nl_pat = nla_nest_start(msg, i + 1);
8541 		if (!nl_pat)
8542 			return -ENOBUFS;
8543 		pat_len = wowlan->patterns[i].pattern_len;
8544 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
8545 			    wowlan->patterns[i].mask) ||
8546 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
8547 			    wowlan->patterns[i].pattern) ||
8548 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
8549 				wowlan->patterns[i].pkt_offset))
8550 			return -ENOBUFS;
8551 		nla_nest_end(msg, nl_pat);
8552 	}
8553 	nla_nest_end(msg, nl_pats);
8554 
8555 	return 0;
8556 }
8557 
8558 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
8559 				   struct cfg80211_wowlan_tcp *tcp)
8560 {
8561 	struct nlattr *nl_tcp;
8562 
8563 	if (!tcp)
8564 		return 0;
8565 
8566 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
8567 	if (!nl_tcp)
8568 		return -ENOBUFS;
8569 
8570 	if (nla_put_be32(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
8571 	    nla_put_be32(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
8572 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
8573 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
8574 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
8575 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
8576 		    tcp->payload_len, tcp->payload) ||
8577 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
8578 			tcp->data_interval) ||
8579 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
8580 		    tcp->wake_len, tcp->wake_data) ||
8581 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
8582 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
8583 		return -ENOBUFS;
8584 
8585 	if (tcp->payload_seq.len &&
8586 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
8587 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
8588 		return -ENOBUFS;
8589 
8590 	if (tcp->payload_tok.len &&
8591 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
8592 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
8593 		    &tcp->payload_tok))
8594 		return -ENOBUFS;
8595 
8596 	nla_nest_end(msg, nl_tcp);
8597 
8598 	return 0;
8599 }
8600 
8601 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
8602 {
8603 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8604 	struct sk_buff *msg;
8605 	void *hdr;
8606 	u32 size = NLMSG_DEFAULT_SIZE;
8607 
8608 	if (!rdev->wiphy.wowlan)
8609 		return -EOPNOTSUPP;
8610 
8611 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
8612 		/* adjust size to have room for all the data */
8613 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
8614 			rdev->wiphy.wowlan_config->tcp->payload_len +
8615 			rdev->wiphy.wowlan_config->tcp->wake_len +
8616 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
8617 	}
8618 
8619 	msg = nlmsg_new(size, GFP_KERNEL);
8620 	if (!msg)
8621 		return -ENOMEM;
8622 
8623 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8624 			     NL80211_CMD_GET_WOWLAN);
8625 	if (!hdr)
8626 		goto nla_put_failure;
8627 
8628 	if (rdev->wiphy.wowlan_config) {
8629 		struct nlattr *nl_wowlan;
8630 
8631 		nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
8632 		if (!nl_wowlan)
8633 			goto nla_put_failure;
8634 
8635 		if ((rdev->wiphy.wowlan_config->any &&
8636 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
8637 		    (rdev->wiphy.wowlan_config->disconnect &&
8638 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
8639 		    (rdev->wiphy.wowlan_config->magic_pkt &&
8640 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
8641 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
8642 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
8643 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
8644 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
8645 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
8646 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
8647 		    (rdev->wiphy.wowlan_config->rfkill_release &&
8648 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
8649 			goto nla_put_failure;
8650 
8651 		if (nl80211_send_wowlan_patterns(msg, rdev))
8652 			goto nla_put_failure;
8653 
8654 		if (nl80211_send_wowlan_tcp(msg,
8655 					    rdev->wiphy.wowlan_config->tcp))
8656 			goto nla_put_failure;
8657 
8658 		nla_nest_end(msg, nl_wowlan);
8659 	}
8660 
8661 	genlmsg_end(msg, hdr);
8662 	return genlmsg_reply(msg, info);
8663 
8664 nla_put_failure:
8665 	nlmsg_free(msg);
8666 	return -ENOBUFS;
8667 }
8668 
8669 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
8670 				    struct nlattr *attr,
8671 				    struct cfg80211_wowlan *trig)
8672 {
8673 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
8674 	struct cfg80211_wowlan_tcp *cfg;
8675 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
8676 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
8677 	u32 size;
8678 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
8679 	int err, port;
8680 
8681 	if (!rdev->wiphy.wowlan->tcp)
8682 		return -EINVAL;
8683 
8684 	err = nla_parse(tb, MAX_NL80211_WOWLAN_TCP,
8685 			nla_data(attr), nla_len(attr),
8686 			nl80211_wowlan_tcp_policy);
8687 	if (err)
8688 		return err;
8689 
8690 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
8691 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
8692 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
8693 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
8694 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
8695 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
8696 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
8697 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
8698 		return -EINVAL;
8699 
8700 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
8701 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
8702 		return -EINVAL;
8703 
8704 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
8705 			rdev->wiphy.wowlan->tcp->data_interval_max ||
8706 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
8707 		return -EINVAL;
8708 
8709 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
8710 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
8711 		return -EINVAL;
8712 
8713 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
8714 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
8715 		return -EINVAL;
8716 
8717 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
8718 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
8719 
8720 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
8721 		tokens_size = tokln - sizeof(*tok);
8722 
8723 		if (!tok->len || tokens_size % tok->len)
8724 			return -EINVAL;
8725 		if (!rdev->wiphy.wowlan->tcp->tok)
8726 			return -EINVAL;
8727 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
8728 			return -EINVAL;
8729 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
8730 			return -EINVAL;
8731 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
8732 			return -EINVAL;
8733 		if (tok->offset + tok->len > data_size)
8734 			return -EINVAL;
8735 	}
8736 
8737 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
8738 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
8739 		if (!rdev->wiphy.wowlan->tcp->seq)
8740 			return -EINVAL;
8741 		if (seq->len == 0 || seq->len > 4)
8742 			return -EINVAL;
8743 		if (seq->len + seq->offset > data_size)
8744 			return -EINVAL;
8745 	}
8746 
8747 	size = sizeof(*cfg);
8748 	size += data_size;
8749 	size += wake_size + wake_mask_size;
8750 	size += tokens_size;
8751 
8752 	cfg = kzalloc(size, GFP_KERNEL);
8753 	if (!cfg)
8754 		return -ENOMEM;
8755 	cfg->src = nla_get_be32(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
8756 	cfg->dst = nla_get_be32(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
8757 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
8758 	       ETH_ALEN);
8759 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
8760 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
8761 	else
8762 		port = 0;
8763 #ifdef CONFIG_INET
8764 	/* allocate a socket and port for it and use it */
8765 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
8766 			    IPPROTO_TCP, &cfg->sock, 1);
8767 	if (err) {
8768 		kfree(cfg);
8769 		return err;
8770 	}
8771 	if (inet_csk_get_port(cfg->sock->sk, port)) {
8772 		sock_release(cfg->sock);
8773 		kfree(cfg);
8774 		return -EADDRINUSE;
8775 	}
8776 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
8777 #else
8778 	if (!port) {
8779 		kfree(cfg);
8780 		return -EINVAL;
8781 	}
8782 	cfg->src_port = port;
8783 #endif
8784 
8785 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
8786 	cfg->payload_len = data_size;
8787 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
8788 	memcpy((void *)cfg->payload,
8789 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
8790 	       data_size);
8791 	if (seq)
8792 		cfg->payload_seq = *seq;
8793 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
8794 	cfg->wake_len = wake_size;
8795 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
8796 	memcpy((void *)cfg->wake_data,
8797 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
8798 	       wake_size);
8799 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
8800 			 data_size + wake_size;
8801 	memcpy((void *)cfg->wake_mask,
8802 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
8803 	       wake_mask_size);
8804 	if (tok) {
8805 		cfg->tokens_size = tokens_size;
8806 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
8807 	}
8808 
8809 	trig->tcp = cfg;
8810 
8811 	return 0;
8812 }
8813 
8814 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
8815 				   const struct wiphy_wowlan_support *wowlan,
8816 				   struct nlattr *attr,
8817 				   struct cfg80211_wowlan *trig)
8818 {
8819 	struct nlattr **tb;
8820 	int err;
8821 
8822 	tb = kzalloc(NUM_NL80211_ATTR * sizeof(*tb), GFP_KERNEL);
8823 	if (!tb)
8824 		return -ENOMEM;
8825 
8826 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
8827 		err = -EOPNOTSUPP;
8828 		goto out;
8829 	}
8830 
8831 	err = nla_parse(tb, NL80211_ATTR_MAX,
8832 			nla_data(attr), nla_len(attr),
8833 			nl80211_policy);
8834 	if (err)
8835 		goto out;
8836 
8837 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb);
8838 	err = PTR_ERR_OR_ZERO(trig->nd_config);
8839 	if (err)
8840 		trig->nd_config = NULL;
8841 
8842 out:
8843 	kfree(tb);
8844 	return err;
8845 }
8846 
8847 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
8848 {
8849 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8850 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
8851 	struct cfg80211_wowlan new_triggers = {};
8852 	struct cfg80211_wowlan *ntrig;
8853 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
8854 	int err, i;
8855 	bool prev_enabled = rdev->wiphy.wowlan_config;
8856 
8857 	if (!wowlan)
8858 		return -EOPNOTSUPP;
8859 
8860 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
8861 		cfg80211_rdev_free_wowlan(rdev);
8862 		rdev->wiphy.wowlan_config = NULL;
8863 		goto set_wakeup;
8864 	}
8865 
8866 	err = nla_parse(tb, MAX_NL80211_WOWLAN_TRIG,
8867 			nla_data(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
8868 			nla_len(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
8869 			nl80211_wowlan_policy);
8870 	if (err)
8871 		return err;
8872 
8873 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
8874 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
8875 			return -EINVAL;
8876 		new_triggers.any = true;
8877 	}
8878 
8879 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
8880 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
8881 			return -EINVAL;
8882 		new_triggers.disconnect = true;
8883 	}
8884 
8885 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
8886 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
8887 			return -EINVAL;
8888 		new_triggers.magic_pkt = true;
8889 	}
8890 
8891 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
8892 		return -EINVAL;
8893 
8894 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
8895 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
8896 			return -EINVAL;
8897 		new_triggers.gtk_rekey_failure = true;
8898 	}
8899 
8900 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
8901 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
8902 			return -EINVAL;
8903 		new_triggers.eap_identity_req = true;
8904 	}
8905 
8906 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
8907 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
8908 			return -EINVAL;
8909 		new_triggers.four_way_handshake = true;
8910 	}
8911 
8912 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
8913 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
8914 			return -EINVAL;
8915 		new_triggers.rfkill_release = true;
8916 	}
8917 
8918 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
8919 		struct nlattr *pat;
8920 		int n_patterns = 0;
8921 		int rem, pat_len, mask_len, pkt_offset;
8922 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
8923 
8924 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
8925 				    rem)
8926 			n_patterns++;
8927 		if (n_patterns > wowlan->n_patterns)
8928 			return -EINVAL;
8929 
8930 		new_triggers.patterns = kcalloc(n_patterns,
8931 						sizeof(new_triggers.patterns[0]),
8932 						GFP_KERNEL);
8933 		if (!new_triggers.patterns)
8934 			return -ENOMEM;
8935 
8936 		new_triggers.n_patterns = n_patterns;
8937 		i = 0;
8938 
8939 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
8940 				    rem) {
8941 			u8 *mask_pat;
8942 
8943 			nla_parse(pat_tb, MAX_NL80211_PKTPAT, nla_data(pat),
8944 				  nla_len(pat), NULL);
8945 			err = -EINVAL;
8946 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
8947 			    !pat_tb[NL80211_PKTPAT_PATTERN])
8948 				goto error;
8949 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
8950 			mask_len = DIV_ROUND_UP(pat_len, 8);
8951 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
8952 				goto error;
8953 			if (pat_len > wowlan->pattern_max_len ||
8954 			    pat_len < wowlan->pattern_min_len)
8955 				goto error;
8956 
8957 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
8958 				pkt_offset = 0;
8959 			else
8960 				pkt_offset = nla_get_u32(
8961 					pat_tb[NL80211_PKTPAT_OFFSET]);
8962 			if (pkt_offset > wowlan->max_pkt_offset)
8963 				goto error;
8964 			new_triggers.patterns[i].pkt_offset = pkt_offset;
8965 
8966 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
8967 			if (!mask_pat) {
8968 				err = -ENOMEM;
8969 				goto error;
8970 			}
8971 			new_triggers.patterns[i].mask = mask_pat;
8972 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
8973 			       mask_len);
8974 			mask_pat += mask_len;
8975 			new_triggers.patterns[i].pattern = mask_pat;
8976 			new_triggers.patterns[i].pattern_len = pat_len;
8977 			memcpy(mask_pat,
8978 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
8979 			       pat_len);
8980 			i++;
8981 		}
8982 	}
8983 
8984 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
8985 		err = nl80211_parse_wowlan_tcp(
8986 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
8987 			&new_triggers);
8988 		if (err)
8989 			goto error;
8990 	}
8991 
8992 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
8993 		err = nl80211_parse_wowlan_nd(
8994 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
8995 			&new_triggers);
8996 		if (err)
8997 			goto error;
8998 	}
8999 
9000 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
9001 	if (!ntrig) {
9002 		err = -ENOMEM;
9003 		goto error;
9004 	}
9005 	cfg80211_rdev_free_wowlan(rdev);
9006 	rdev->wiphy.wowlan_config = ntrig;
9007 
9008  set_wakeup:
9009 	if (rdev->ops->set_wakeup &&
9010 	    prev_enabled != !!rdev->wiphy.wowlan_config)
9011 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
9012 
9013 	return 0;
9014  error:
9015 	for (i = 0; i < new_triggers.n_patterns; i++)
9016 		kfree(new_triggers.patterns[i].mask);
9017 	kfree(new_triggers.patterns);
9018 	if (new_triggers.tcp && new_triggers.tcp->sock)
9019 		sock_release(new_triggers.tcp->sock);
9020 	kfree(new_triggers.tcp);
9021 	return err;
9022 }
9023 #endif
9024 
9025 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
9026 				       struct cfg80211_registered_device *rdev)
9027 {
9028 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
9029 	int i, j, pat_len;
9030 	struct cfg80211_coalesce_rules *rule;
9031 
9032 	if (!rdev->coalesce->n_rules)
9033 		return 0;
9034 
9035 	nl_rules = nla_nest_start(msg, NL80211_ATTR_COALESCE_RULE);
9036 	if (!nl_rules)
9037 		return -ENOBUFS;
9038 
9039 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
9040 		nl_rule = nla_nest_start(msg, i + 1);
9041 		if (!nl_rule)
9042 			return -ENOBUFS;
9043 
9044 		rule = &rdev->coalesce->rules[i];
9045 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
9046 				rule->delay))
9047 			return -ENOBUFS;
9048 
9049 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
9050 				rule->condition))
9051 			return -ENOBUFS;
9052 
9053 		nl_pats = nla_nest_start(msg,
9054 				NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
9055 		if (!nl_pats)
9056 			return -ENOBUFS;
9057 
9058 		for (j = 0; j < rule->n_patterns; j++) {
9059 			nl_pat = nla_nest_start(msg, j + 1);
9060 			if (!nl_pat)
9061 				return -ENOBUFS;
9062 			pat_len = rule->patterns[j].pattern_len;
9063 			if (nla_put(msg, NL80211_PKTPAT_MASK,
9064 				    DIV_ROUND_UP(pat_len, 8),
9065 				    rule->patterns[j].mask) ||
9066 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
9067 				    rule->patterns[j].pattern) ||
9068 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
9069 					rule->patterns[j].pkt_offset))
9070 				return -ENOBUFS;
9071 			nla_nest_end(msg, nl_pat);
9072 		}
9073 		nla_nest_end(msg, nl_pats);
9074 		nla_nest_end(msg, nl_rule);
9075 	}
9076 	nla_nest_end(msg, nl_rules);
9077 
9078 	return 0;
9079 }
9080 
9081 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
9082 {
9083 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9084 	struct sk_buff *msg;
9085 	void *hdr;
9086 
9087 	if (!rdev->wiphy.coalesce)
9088 		return -EOPNOTSUPP;
9089 
9090 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9091 	if (!msg)
9092 		return -ENOMEM;
9093 
9094 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9095 			     NL80211_CMD_GET_COALESCE);
9096 	if (!hdr)
9097 		goto nla_put_failure;
9098 
9099 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
9100 		goto nla_put_failure;
9101 
9102 	genlmsg_end(msg, hdr);
9103 	return genlmsg_reply(msg, info);
9104 
9105 nla_put_failure:
9106 	nlmsg_free(msg);
9107 	return -ENOBUFS;
9108 }
9109 
9110 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
9111 {
9112 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
9113 	int i, j;
9114 	struct cfg80211_coalesce_rules *rule;
9115 
9116 	if (!coalesce)
9117 		return;
9118 
9119 	for (i = 0; i < coalesce->n_rules; i++) {
9120 		rule = &coalesce->rules[i];
9121 		for (j = 0; j < rule->n_patterns; j++)
9122 			kfree(rule->patterns[j].mask);
9123 		kfree(rule->patterns);
9124 	}
9125 	kfree(coalesce->rules);
9126 	kfree(coalesce);
9127 	rdev->coalesce = NULL;
9128 }
9129 
9130 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
9131 				       struct nlattr *rule,
9132 				       struct cfg80211_coalesce_rules *new_rule)
9133 {
9134 	int err, i;
9135 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
9136 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
9137 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
9138 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
9139 
9140 	err = nla_parse(tb, NL80211_ATTR_COALESCE_RULE_MAX, nla_data(rule),
9141 			nla_len(rule), nl80211_coalesce_policy);
9142 	if (err)
9143 		return err;
9144 
9145 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
9146 		new_rule->delay =
9147 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
9148 	if (new_rule->delay > coalesce->max_delay)
9149 		return -EINVAL;
9150 
9151 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
9152 		new_rule->condition =
9153 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
9154 	if (new_rule->condition != NL80211_COALESCE_CONDITION_MATCH &&
9155 	    new_rule->condition != NL80211_COALESCE_CONDITION_NO_MATCH)
9156 		return -EINVAL;
9157 
9158 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
9159 		return -EINVAL;
9160 
9161 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
9162 			    rem)
9163 		n_patterns++;
9164 	if (n_patterns > coalesce->n_patterns)
9165 		return -EINVAL;
9166 
9167 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
9168 				     GFP_KERNEL);
9169 	if (!new_rule->patterns)
9170 		return -ENOMEM;
9171 
9172 	new_rule->n_patterns = n_patterns;
9173 	i = 0;
9174 
9175 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
9176 			    rem) {
9177 		u8 *mask_pat;
9178 
9179 		nla_parse(pat_tb, MAX_NL80211_PKTPAT, nla_data(pat),
9180 			  nla_len(pat), NULL);
9181 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
9182 		    !pat_tb[NL80211_PKTPAT_PATTERN])
9183 			return -EINVAL;
9184 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
9185 		mask_len = DIV_ROUND_UP(pat_len, 8);
9186 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
9187 			return -EINVAL;
9188 		if (pat_len > coalesce->pattern_max_len ||
9189 		    pat_len < coalesce->pattern_min_len)
9190 			return -EINVAL;
9191 
9192 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
9193 			pkt_offset = 0;
9194 		else
9195 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
9196 		if (pkt_offset > coalesce->max_pkt_offset)
9197 			return -EINVAL;
9198 		new_rule->patterns[i].pkt_offset = pkt_offset;
9199 
9200 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
9201 		if (!mask_pat)
9202 			return -ENOMEM;
9203 
9204 		new_rule->patterns[i].mask = mask_pat;
9205 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
9206 		       mask_len);
9207 
9208 		mask_pat += mask_len;
9209 		new_rule->patterns[i].pattern = mask_pat;
9210 		new_rule->patterns[i].pattern_len = pat_len;
9211 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
9212 		       pat_len);
9213 		i++;
9214 	}
9215 
9216 	return 0;
9217 }
9218 
9219 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
9220 {
9221 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9222 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
9223 	struct cfg80211_coalesce new_coalesce = {};
9224 	struct cfg80211_coalesce *n_coalesce;
9225 	int err, rem_rule, n_rules = 0, i, j;
9226 	struct nlattr *rule;
9227 	struct cfg80211_coalesce_rules *tmp_rule;
9228 
9229 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
9230 		return -EOPNOTSUPP;
9231 
9232 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
9233 		cfg80211_rdev_free_coalesce(rdev);
9234 		rdev->ops->set_coalesce(&rdev->wiphy, NULL);
9235 		return 0;
9236 	}
9237 
9238 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
9239 			    rem_rule)
9240 		n_rules++;
9241 	if (n_rules > coalesce->n_rules)
9242 		return -EINVAL;
9243 
9244 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
9245 				     GFP_KERNEL);
9246 	if (!new_coalesce.rules)
9247 		return -ENOMEM;
9248 
9249 	new_coalesce.n_rules = n_rules;
9250 	i = 0;
9251 
9252 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
9253 			    rem_rule) {
9254 		err = nl80211_parse_coalesce_rule(rdev, rule,
9255 						  &new_coalesce.rules[i]);
9256 		if (err)
9257 			goto error;
9258 
9259 		i++;
9260 	}
9261 
9262 	err = rdev->ops->set_coalesce(&rdev->wiphy, &new_coalesce);
9263 	if (err)
9264 		goto error;
9265 
9266 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
9267 	if (!n_coalesce) {
9268 		err = -ENOMEM;
9269 		goto error;
9270 	}
9271 	cfg80211_rdev_free_coalesce(rdev);
9272 	rdev->coalesce = n_coalesce;
9273 
9274 	return 0;
9275 error:
9276 	for (i = 0; i < new_coalesce.n_rules; i++) {
9277 		tmp_rule = &new_coalesce.rules[i];
9278 		for (j = 0; j < tmp_rule->n_patterns; j++)
9279 			kfree(tmp_rule->patterns[j].mask);
9280 		kfree(tmp_rule->patterns);
9281 	}
9282 	kfree(new_coalesce.rules);
9283 
9284 	return err;
9285 }
9286 
9287 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
9288 {
9289 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9290 	struct net_device *dev = info->user_ptr[1];
9291 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9292 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
9293 	struct cfg80211_gtk_rekey_data rekey_data;
9294 	int err;
9295 
9296 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
9297 		return -EINVAL;
9298 
9299 	err = nla_parse(tb, MAX_NL80211_REKEY_DATA,
9300 			nla_data(info->attrs[NL80211_ATTR_REKEY_DATA]),
9301 			nla_len(info->attrs[NL80211_ATTR_REKEY_DATA]),
9302 			nl80211_rekey_policy);
9303 	if (err)
9304 		return err;
9305 
9306 	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
9307 		return -ERANGE;
9308 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
9309 		return -ERANGE;
9310 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN)
9311 		return -ERANGE;
9312 
9313 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
9314 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
9315 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
9316 
9317 	wdev_lock(wdev);
9318 	if (!wdev->current_bss) {
9319 		err = -ENOTCONN;
9320 		goto out;
9321 	}
9322 
9323 	if (!rdev->ops->set_rekey_data) {
9324 		err = -EOPNOTSUPP;
9325 		goto out;
9326 	}
9327 
9328 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
9329  out:
9330 	wdev_unlock(wdev);
9331 	return err;
9332 }
9333 
9334 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
9335 					     struct genl_info *info)
9336 {
9337 	struct net_device *dev = info->user_ptr[1];
9338 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9339 
9340 	if (wdev->iftype != NL80211_IFTYPE_AP &&
9341 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
9342 		return -EINVAL;
9343 
9344 	if (wdev->ap_unexpected_nlportid)
9345 		return -EBUSY;
9346 
9347 	wdev->ap_unexpected_nlportid = info->snd_portid;
9348 	return 0;
9349 }
9350 
9351 static int nl80211_probe_client(struct sk_buff *skb,
9352 				struct genl_info *info)
9353 {
9354 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9355 	struct net_device *dev = info->user_ptr[1];
9356 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9357 	struct sk_buff *msg;
9358 	void *hdr;
9359 	const u8 *addr;
9360 	u64 cookie;
9361 	int err;
9362 
9363 	if (wdev->iftype != NL80211_IFTYPE_AP &&
9364 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
9365 		return -EOPNOTSUPP;
9366 
9367 	if (!info->attrs[NL80211_ATTR_MAC])
9368 		return -EINVAL;
9369 
9370 	if (!rdev->ops->probe_client)
9371 		return -EOPNOTSUPP;
9372 
9373 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9374 	if (!msg)
9375 		return -ENOMEM;
9376 
9377 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9378 			     NL80211_CMD_PROBE_CLIENT);
9379 	if (!hdr) {
9380 		err = -ENOBUFS;
9381 		goto free_msg;
9382 	}
9383 
9384 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
9385 
9386 	err = rdev_probe_client(rdev, dev, addr, &cookie);
9387 	if (err)
9388 		goto free_msg;
9389 
9390 	if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
9391 		goto nla_put_failure;
9392 
9393 	genlmsg_end(msg, hdr);
9394 
9395 	return genlmsg_reply(msg, info);
9396 
9397  nla_put_failure:
9398 	err = -ENOBUFS;
9399  free_msg:
9400 	nlmsg_free(msg);
9401 	return err;
9402 }
9403 
9404 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
9405 {
9406 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9407 	struct cfg80211_beacon_registration *reg, *nreg;
9408 	int rv;
9409 
9410 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
9411 		return -EOPNOTSUPP;
9412 
9413 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
9414 	if (!nreg)
9415 		return -ENOMEM;
9416 
9417 	/* First, check if already registered. */
9418 	spin_lock_bh(&rdev->beacon_registrations_lock);
9419 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
9420 		if (reg->nlportid == info->snd_portid) {
9421 			rv = -EALREADY;
9422 			goto out_err;
9423 		}
9424 	}
9425 	/* Add it to the list */
9426 	nreg->nlportid = info->snd_portid;
9427 	list_add(&nreg->list, &rdev->beacon_registrations);
9428 
9429 	spin_unlock_bh(&rdev->beacon_registrations_lock);
9430 
9431 	return 0;
9432 out_err:
9433 	spin_unlock_bh(&rdev->beacon_registrations_lock);
9434 	kfree(nreg);
9435 	return rv;
9436 }
9437 
9438 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
9439 {
9440 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9441 	struct wireless_dev *wdev = info->user_ptr[1];
9442 	int err;
9443 
9444 	if (!rdev->ops->start_p2p_device)
9445 		return -EOPNOTSUPP;
9446 
9447 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
9448 		return -EOPNOTSUPP;
9449 
9450 	if (wdev->p2p_started)
9451 		return 0;
9452 
9453 	if (rfkill_blocked(rdev->rfkill))
9454 		return -ERFKILL;
9455 
9456 	err = rdev_start_p2p_device(rdev, wdev);
9457 	if (err)
9458 		return err;
9459 
9460 	wdev->p2p_started = true;
9461 	rdev->opencount++;
9462 
9463 	return 0;
9464 }
9465 
9466 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
9467 {
9468 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9469 	struct wireless_dev *wdev = info->user_ptr[1];
9470 
9471 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
9472 		return -EOPNOTSUPP;
9473 
9474 	if (!rdev->ops->stop_p2p_device)
9475 		return -EOPNOTSUPP;
9476 
9477 	cfg80211_stop_p2p_device(rdev, wdev);
9478 
9479 	return 0;
9480 }
9481 
9482 static int nl80211_get_protocol_features(struct sk_buff *skb,
9483 					 struct genl_info *info)
9484 {
9485 	void *hdr;
9486 	struct sk_buff *msg;
9487 
9488 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9489 	if (!msg)
9490 		return -ENOMEM;
9491 
9492 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9493 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
9494 	if (!hdr)
9495 		goto nla_put_failure;
9496 
9497 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
9498 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
9499 		goto nla_put_failure;
9500 
9501 	genlmsg_end(msg, hdr);
9502 	return genlmsg_reply(msg, info);
9503 
9504  nla_put_failure:
9505 	kfree_skb(msg);
9506 	return -ENOBUFS;
9507 }
9508 
9509 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
9510 {
9511 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9512 	struct cfg80211_update_ft_ies_params ft_params;
9513 	struct net_device *dev = info->user_ptr[1];
9514 
9515 	if (!rdev->ops->update_ft_ies)
9516 		return -EOPNOTSUPP;
9517 
9518 	if (!info->attrs[NL80211_ATTR_MDID] ||
9519 	    !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
9520 		return -EINVAL;
9521 
9522 	memset(&ft_params, 0, sizeof(ft_params));
9523 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
9524 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9525 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9526 
9527 	return rdev_update_ft_ies(rdev, dev, &ft_params);
9528 }
9529 
9530 static int nl80211_crit_protocol_start(struct sk_buff *skb,
9531 				       struct genl_info *info)
9532 {
9533 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9534 	struct wireless_dev *wdev = info->user_ptr[1];
9535 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
9536 	u16 duration;
9537 	int ret;
9538 
9539 	if (!rdev->ops->crit_proto_start)
9540 		return -EOPNOTSUPP;
9541 
9542 	if (WARN_ON(!rdev->ops->crit_proto_stop))
9543 		return -EINVAL;
9544 
9545 	if (rdev->crit_proto_nlportid)
9546 		return -EBUSY;
9547 
9548 	/* determine protocol if provided */
9549 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
9550 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
9551 
9552 	if (proto >= NUM_NL80211_CRIT_PROTO)
9553 		return -EINVAL;
9554 
9555 	/* timeout must be provided */
9556 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
9557 		return -EINVAL;
9558 
9559 	duration =
9560 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
9561 
9562 	if (duration > NL80211_CRIT_PROTO_MAX_DURATION)
9563 		return -ERANGE;
9564 
9565 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
9566 	if (!ret)
9567 		rdev->crit_proto_nlportid = info->snd_portid;
9568 
9569 	return ret;
9570 }
9571 
9572 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
9573 				      struct genl_info *info)
9574 {
9575 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9576 	struct wireless_dev *wdev = info->user_ptr[1];
9577 
9578 	if (!rdev->ops->crit_proto_stop)
9579 		return -EOPNOTSUPP;
9580 
9581 	if (rdev->crit_proto_nlportid) {
9582 		rdev->crit_proto_nlportid = 0;
9583 		rdev_crit_proto_stop(rdev, wdev);
9584 	}
9585 	return 0;
9586 }
9587 
9588 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
9589 {
9590 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9591 	struct wireless_dev *wdev =
9592 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
9593 	int i, err;
9594 	u32 vid, subcmd;
9595 
9596 	if (!rdev->wiphy.vendor_commands)
9597 		return -EOPNOTSUPP;
9598 
9599 	if (IS_ERR(wdev)) {
9600 		err = PTR_ERR(wdev);
9601 		if (err != -EINVAL)
9602 			return err;
9603 		wdev = NULL;
9604 	} else if (wdev->wiphy != &rdev->wiphy) {
9605 		return -EINVAL;
9606 	}
9607 
9608 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
9609 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
9610 		return -EINVAL;
9611 
9612 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
9613 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
9614 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
9615 		const struct wiphy_vendor_command *vcmd;
9616 		void *data = NULL;
9617 		int len = 0;
9618 
9619 		vcmd = &rdev->wiphy.vendor_commands[i];
9620 
9621 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
9622 			continue;
9623 
9624 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
9625 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
9626 			if (!wdev)
9627 				return -EINVAL;
9628 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
9629 			    !wdev->netdev)
9630 				return -EINVAL;
9631 
9632 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
9633 				if (wdev->netdev &&
9634 				    !netif_running(wdev->netdev))
9635 					return -ENETDOWN;
9636 				if (!wdev->netdev && !wdev->p2p_started)
9637 					return -ENETDOWN;
9638 			}
9639 		} else {
9640 			wdev = NULL;
9641 		}
9642 
9643 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
9644 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
9645 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
9646 		}
9647 
9648 		rdev->cur_cmd_info = info;
9649 		err = rdev->wiphy.vendor_commands[i].doit(&rdev->wiphy, wdev,
9650 							  data, len);
9651 		rdev->cur_cmd_info = NULL;
9652 		return err;
9653 	}
9654 
9655 	return -EOPNOTSUPP;
9656 }
9657 
9658 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
9659 					   enum nl80211_commands cmd,
9660 					   enum nl80211_attrs attr,
9661 					   int approxlen)
9662 {
9663 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
9664 
9665 	if (WARN_ON(!rdev->cur_cmd_info))
9666 		return NULL;
9667 
9668 	return __cfg80211_alloc_vendor_skb(rdev, approxlen,
9669 					   rdev->cur_cmd_info->snd_portid,
9670 					   rdev->cur_cmd_info->snd_seq,
9671 					   cmd, attr, NULL, GFP_KERNEL);
9672 }
9673 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
9674 
9675 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
9676 {
9677 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
9678 	void *hdr = ((void **)skb->cb)[1];
9679 	struct nlattr *data = ((void **)skb->cb)[2];
9680 
9681 	/* clear CB data for netlink core to own from now on */
9682 	memset(skb->cb, 0, sizeof(skb->cb));
9683 
9684 	if (WARN_ON(!rdev->cur_cmd_info)) {
9685 		kfree_skb(skb);
9686 		return -EINVAL;
9687 	}
9688 
9689 	nla_nest_end(skb, data);
9690 	genlmsg_end(skb, hdr);
9691 	return genlmsg_reply(skb, rdev->cur_cmd_info);
9692 }
9693 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
9694 
9695 
9696 static int nl80211_set_qos_map(struct sk_buff *skb,
9697 			       struct genl_info *info)
9698 {
9699 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9700 	struct cfg80211_qos_map *qos_map = NULL;
9701 	struct net_device *dev = info->user_ptr[1];
9702 	u8 *pos, len, num_des, des_len, des;
9703 	int ret;
9704 
9705 	if (!rdev->ops->set_qos_map)
9706 		return -EOPNOTSUPP;
9707 
9708 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
9709 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
9710 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
9711 
9712 		if (len % 2 || len < IEEE80211_QOS_MAP_LEN_MIN ||
9713 		    len > IEEE80211_QOS_MAP_LEN_MAX)
9714 			return -EINVAL;
9715 
9716 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
9717 		if (!qos_map)
9718 			return -ENOMEM;
9719 
9720 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
9721 		if (num_des) {
9722 			des_len = num_des *
9723 				sizeof(struct cfg80211_dscp_exception);
9724 			memcpy(qos_map->dscp_exception, pos, des_len);
9725 			qos_map->num_des = num_des;
9726 			for (des = 0; des < num_des; des++) {
9727 				if (qos_map->dscp_exception[des].up > 7) {
9728 					kfree(qos_map);
9729 					return -EINVAL;
9730 				}
9731 			}
9732 			pos += des_len;
9733 		}
9734 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
9735 	}
9736 
9737 	wdev_lock(dev->ieee80211_ptr);
9738 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
9739 	if (!ret)
9740 		ret = rdev_set_qos_map(rdev, dev, qos_map);
9741 	wdev_unlock(dev->ieee80211_ptr);
9742 
9743 	kfree(qos_map);
9744 	return ret;
9745 }
9746 
9747 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
9748 {
9749 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9750 	struct net_device *dev = info->user_ptr[1];
9751 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9752 	const u8 *peer;
9753 	u8 tsid, up;
9754 	u16 admitted_time = 0;
9755 	int err;
9756 
9757 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
9758 		return -EOPNOTSUPP;
9759 
9760 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
9761 	    !info->attrs[NL80211_ATTR_USER_PRIO])
9762 		return -EINVAL;
9763 
9764 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
9765 	if (tsid >= IEEE80211_NUM_TIDS)
9766 		return -EINVAL;
9767 
9768 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
9769 	if (up >= IEEE80211_NUM_UPS)
9770 		return -EINVAL;
9771 
9772 	/* WMM uses TIDs 0-7 even for TSPEC */
9773 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
9774 		/* TODO: handle 802.11 TSPEC/admission control
9775 		 * need more attributes for that (e.g. BA session requirement);
9776 		 * change the WMM adminssion test above to allow both then
9777 		 */
9778 		return -EINVAL;
9779 	}
9780 
9781 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
9782 
9783 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
9784 		admitted_time =
9785 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
9786 		if (!admitted_time)
9787 			return -EINVAL;
9788 	}
9789 
9790 	wdev_lock(wdev);
9791 	switch (wdev->iftype) {
9792 	case NL80211_IFTYPE_STATION:
9793 	case NL80211_IFTYPE_P2P_CLIENT:
9794 		if (wdev->current_bss)
9795 			break;
9796 		err = -ENOTCONN;
9797 		goto out;
9798 	default:
9799 		err = -EOPNOTSUPP;
9800 		goto out;
9801 	}
9802 
9803 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
9804 
9805  out:
9806 	wdev_unlock(wdev);
9807 	return err;
9808 }
9809 
9810 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
9811 {
9812 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9813 	struct net_device *dev = info->user_ptr[1];
9814 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9815 	const u8 *peer;
9816 	u8 tsid;
9817 	int err;
9818 
9819 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
9820 		return -EINVAL;
9821 
9822 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
9823 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
9824 
9825 	wdev_lock(wdev);
9826 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
9827 	wdev_unlock(wdev);
9828 
9829 	return err;
9830 }
9831 
9832 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
9833 				       struct genl_info *info)
9834 {
9835 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9836 	struct net_device *dev = info->user_ptr[1];
9837 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9838 	struct cfg80211_chan_def chandef = {};
9839 	const u8 *addr;
9840 	u8 oper_class;
9841 	int err;
9842 
9843 	if (!rdev->ops->tdls_channel_switch ||
9844 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
9845 		return -EOPNOTSUPP;
9846 
9847 	switch (dev->ieee80211_ptr->iftype) {
9848 	case NL80211_IFTYPE_STATION:
9849 	case NL80211_IFTYPE_P2P_CLIENT:
9850 		break;
9851 	default:
9852 		return -EOPNOTSUPP;
9853 	}
9854 
9855 	if (!info->attrs[NL80211_ATTR_MAC] ||
9856 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
9857 		return -EINVAL;
9858 
9859 	err = nl80211_parse_chandef(rdev, info, &chandef);
9860 	if (err)
9861 		return err;
9862 
9863 	/*
9864 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
9865 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
9866 	 * specification is not defined for them.
9867 	 */
9868 	if (chandef.chan->band == IEEE80211_BAND_2GHZ &&
9869 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
9870 	    chandef.width != NL80211_CHAN_WIDTH_20)
9871 		return -EINVAL;
9872 
9873 	/* we will be active on the TDLS link */
9874 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &chandef, wdev->iftype))
9875 		return -EINVAL;
9876 
9877 	/* don't allow switching to DFS channels */
9878 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
9879 		return -EINVAL;
9880 
9881 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
9882 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
9883 
9884 	wdev_lock(wdev);
9885 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
9886 	wdev_unlock(wdev);
9887 
9888 	return err;
9889 }
9890 
9891 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
9892 					      struct genl_info *info)
9893 {
9894 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9895 	struct net_device *dev = info->user_ptr[1];
9896 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9897 	const u8 *addr;
9898 
9899 	if (!rdev->ops->tdls_channel_switch ||
9900 	    !rdev->ops->tdls_cancel_channel_switch ||
9901 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
9902 		return -EOPNOTSUPP;
9903 
9904 	switch (dev->ieee80211_ptr->iftype) {
9905 	case NL80211_IFTYPE_STATION:
9906 	case NL80211_IFTYPE_P2P_CLIENT:
9907 		break;
9908 	default:
9909 		return -EOPNOTSUPP;
9910 	}
9911 
9912 	if (!info->attrs[NL80211_ATTR_MAC])
9913 		return -EINVAL;
9914 
9915 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
9916 
9917 	wdev_lock(wdev);
9918 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
9919 	wdev_unlock(wdev);
9920 
9921 	return 0;
9922 }
9923 
9924 #define NL80211_FLAG_NEED_WIPHY		0x01
9925 #define NL80211_FLAG_NEED_NETDEV	0x02
9926 #define NL80211_FLAG_NEED_RTNL		0x04
9927 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
9928 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
9929 					 NL80211_FLAG_CHECK_NETDEV_UP)
9930 #define NL80211_FLAG_NEED_WDEV		0x10
9931 /* If a netdev is associated, it must be UP, P2P must be started */
9932 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
9933 					 NL80211_FLAG_CHECK_NETDEV_UP)
9934 #define NL80211_FLAG_CLEAR_SKB		0x20
9935 
9936 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
9937 			    struct genl_info *info)
9938 {
9939 	struct cfg80211_registered_device *rdev;
9940 	struct wireless_dev *wdev;
9941 	struct net_device *dev;
9942 	bool rtnl = ops->internal_flags & NL80211_FLAG_NEED_RTNL;
9943 
9944 	if (rtnl)
9945 		rtnl_lock();
9946 
9947 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
9948 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
9949 		if (IS_ERR(rdev)) {
9950 			if (rtnl)
9951 				rtnl_unlock();
9952 			return PTR_ERR(rdev);
9953 		}
9954 		info->user_ptr[0] = rdev;
9955 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
9956 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
9957 		ASSERT_RTNL();
9958 
9959 		wdev = __cfg80211_wdev_from_attrs(genl_info_net(info),
9960 						  info->attrs);
9961 		if (IS_ERR(wdev)) {
9962 			if (rtnl)
9963 				rtnl_unlock();
9964 			return PTR_ERR(wdev);
9965 		}
9966 
9967 		dev = wdev->netdev;
9968 		rdev = wiphy_to_rdev(wdev->wiphy);
9969 
9970 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
9971 			if (!dev) {
9972 				if (rtnl)
9973 					rtnl_unlock();
9974 				return -EINVAL;
9975 			}
9976 
9977 			info->user_ptr[1] = dev;
9978 		} else {
9979 			info->user_ptr[1] = wdev;
9980 		}
9981 
9982 		if (dev) {
9983 			if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
9984 			    !netif_running(dev)) {
9985 				if (rtnl)
9986 					rtnl_unlock();
9987 				return -ENETDOWN;
9988 			}
9989 
9990 			dev_hold(dev);
9991 		} else if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP) {
9992 			if (!wdev->p2p_started) {
9993 				if (rtnl)
9994 					rtnl_unlock();
9995 				return -ENETDOWN;
9996 			}
9997 		}
9998 
9999 		info->user_ptr[0] = rdev;
10000 	}
10001 
10002 	return 0;
10003 }
10004 
10005 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
10006 			      struct genl_info *info)
10007 {
10008 	if (info->user_ptr[1]) {
10009 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
10010 			struct wireless_dev *wdev = info->user_ptr[1];
10011 
10012 			if (wdev->netdev)
10013 				dev_put(wdev->netdev);
10014 		} else {
10015 			dev_put(info->user_ptr[1]);
10016 		}
10017 	}
10018 
10019 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
10020 		rtnl_unlock();
10021 
10022 	/* If needed, clear the netlink message payload from the SKB
10023 	 * as it might contain key data that shouldn't stick around on
10024 	 * the heap after the SKB is freed. The netlink message header
10025 	 * is still needed for further processing, so leave it intact.
10026 	 */
10027 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
10028 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
10029 
10030 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
10031 	}
10032 }
10033 
10034 static const struct genl_ops nl80211_ops[] = {
10035 	{
10036 		.cmd = NL80211_CMD_GET_WIPHY,
10037 		.doit = nl80211_get_wiphy,
10038 		.dumpit = nl80211_dump_wiphy,
10039 		.done = nl80211_dump_wiphy_done,
10040 		.policy = nl80211_policy,
10041 		/* can be retrieved by unprivileged users */
10042 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10043 				  NL80211_FLAG_NEED_RTNL,
10044 	},
10045 	{
10046 		.cmd = NL80211_CMD_SET_WIPHY,
10047 		.doit = nl80211_set_wiphy,
10048 		.policy = nl80211_policy,
10049 		.flags = GENL_ADMIN_PERM,
10050 		.internal_flags = NL80211_FLAG_NEED_RTNL,
10051 	},
10052 	{
10053 		.cmd = NL80211_CMD_GET_INTERFACE,
10054 		.doit = nl80211_get_interface,
10055 		.dumpit = nl80211_dump_interface,
10056 		.policy = nl80211_policy,
10057 		/* can be retrieved by unprivileged users */
10058 		.internal_flags = NL80211_FLAG_NEED_WDEV |
10059 				  NL80211_FLAG_NEED_RTNL,
10060 	},
10061 	{
10062 		.cmd = NL80211_CMD_SET_INTERFACE,
10063 		.doit = nl80211_set_interface,
10064 		.policy = nl80211_policy,
10065 		.flags = GENL_ADMIN_PERM,
10066 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10067 				  NL80211_FLAG_NEED_RTNL,
10068 	},
10069 	{
10070 		.cmd = NL80211_CMD_NEW_INTERFACE,
10071 		.doit = nl80211_new_interface,
10072 		.policy = nl80211_policy,
10073 		.flags = GENL_ADMIN_PERM,
10074 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10075 				  NL80211_FLAG_NEED_RTNL,
10076 	},
10077 	{
10078 		.cmd = NL80211_CMD_DEL_INTERFACE,
10079 		.doit = nl80211_del_interface,
10080 		.policy = nl80211_policy,
10081 		.flags = GENL_ADMIN_PERM,
10082 		.internal_flags = NL80211_FLAG_NEED_WDEV |
10083 				  NL80211_FLAG_NEED_RTNL,
10084 	},
10085 	{
10086 		.cmd = NL80211_CMD_GET_KEY,
10087 		.doit = nl80211_get_key,
10088 		.policy = nl80211_policy,
10089 		.flags = GENL_ADMIN_PERM,
10090 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10091 				  NL80211_FLAG_NEED_RTNL,
10092 	},
10093 	{
10094 		.cmd = NL80211_CMD_SET_KEY,
10095 		.doit = nl80211_set_key,
10096 		.policy = nl80211_policy,
10097 		.flags = GENL_ADMIN_PERM,
10098 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10099 				  NL80211_FLAG_NEED_RTNL |
10100 				  NL80211_FLAG_CLEAR_SKB,
10101 	},
10102 	{
10103 		.cmd = NL80211_CMD_NEW_KEY,
10104 		.doit = nl80211_new_key,
10105 		.policy = nl80211_policy,
10106 		.flags = GENL_ADMIN_PERM,
10107 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10108 				  NL80211_FLAG_NEED_RTNL |
10109 				  NL80211_FLAG_CLEAR_SKB,
10110 	},
10111 	{
10112 		.cmd = NL80211_CMD_DEL_KEY,
10113 		.doit = nl80211_del_key,
10114 		.policy = nl80211_policy,
10115 		.flags = GENL_ADMIN_PERM,
10116 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10117 				  NL80211_FLAG_NEED_RTNL,
10118 	},
10119 	{
10120 		.cmd = NL80211_CMD_SET_BEACON,
10121 		.policy = nl80211_policy,
10122 		.flags = GENL_ADMIN_PERM,
10123 		.doit = nl80211_set_beacon,
10124 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10125 				  NL80211_FLAG_NEED_RTNL,
10126 	},
10127 	{
10128 		.cmd = NL80211_CMD_START_AP,
10129 		.policy = nl80211_policy,
10130 		.flags = GENL_ADMIN_PERM,
10131 		.doit = nl80211_start_ap,
10132 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10133 				  NL80211_FLAG_NEED_RTNL,
10134 	},
10135 	{
10136 		.cmd = NL80211_CMD_STOP_AP,
10137 		.policy = nl80211_policy,
10138 		.flags = GENL_ADMIN_PERM,
10139 		.doit = nl80211_stop_ap,
10140 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10141 				  NL80211_FLAG_NEED_RTNL,
10142 	},
10143 	{
10144 		.cmd = NL80211_CMD_GET_STATION,
10145 		.doit = nl80211_get_station,
10146 		.dumpit = nl80211_dump_station,
10147 		.policy = nl80211_policy,
10148 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10149 				  NL80211_FLAG_NEED_RTNL,
10150 	},
10151 	{
10152 		.cmd = NL80211_CMD_SET_STATION,
10153 		.doit = nl80211_set_station,
10154 		.policy = nl80211_policy,
10155 		.flags = GENL_ADMIN_PERM,
10156 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10157 				  NL80211_FLAG_NEED_RTNL,
10158 	},
10159 	{
10160 		.cmd = NL80211_CMD_NEW_STATION,
10161 		.doit = nl80211_new_station,
10162 		.policy = nl80211_policy,
10163 		.flags = GENL_ADMIN_PERM,
10164 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10165 				  NL80211_FLAG_NEED_RTNL,
10166 	},
10167 	{
10168 		.cmd = NL80211_CMD_DEL_STATION,
10169 		.doit = nl80211_del_station,
10170 		.policy = nl80211_policy,
10171 		.flags = GENL_ADMIN_PERM,
10172 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10173 				  NL80211_FLAG_NEED_RTNL,
10174 	},
10175 	{
10176 		.cmd = NL80211_CMD_GET_MPATH,
10177 		.doit = nl80211_get_mpath,
10178 		.dumpit = nl80211_dump_mpath,
10179 		.policy = nl80211_policy,
10180 		.flags = GENL_ADMIN_PERM,
10181 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10182 				  NL80211_FLAG_NEED_RTNL,
10183 	},
10184 	{
10185 		.cmd = NL80211_CMD_GET_MPP,
10186 		.doit = nl80211_get_mpp,
10187 		.dumpit = nl80211_dump_mpp,
10188 		.policy = nl80211_policy,
10189 		.flags = GENL_ADMIN_PERM,
10190 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10191 				  NL80211_FLAG_NEED_RTNL,
10192 	},
10193 	{
10194 		.cmd = NL80211_CMD_SET_MPATH,
10195 		.doit = nl80211_set_mpath,
10196 		.policy = nl80211_policy,
10197 		.flags = GENL_ADMIN_PERM,
10198 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10199 				  NL80211_FLAG_NEED_RTNL,
10200 	},
10201 	{
10202 		.cmd = NL80211_CMD_NEW_MPATH,
10203 		.doit = nl80211_new_mpath,
10204 		.policy = nl80211_policy,
10205 		.flags = GENL_ADMIN_PERM,
10206 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10207 				  NL80211_FLAG_NEED_RTNL,
10208 	},
10209 	{
10210 		.cmd = NL80211_CMD_DEL_MPATH,
10211 		.doit = nl80211_del_mpath,
10212 		.policy = nl80211_policy,
10213 		.flags = GENL_ADMIN_PERM,
10214 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10215 				  NL80211_FLAG_NEED_RTNL,
10216 	},
10217 	{
10218 		.cmd = NL80211_CMD_SET_BSS,
10219 		.doit = nl80211_set_bss,
10220 		.policy = nl80211_policy,
10221 		.flags = GENL_ADMIN_PERM,
10222 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10223 				  NL80211_FLAG_NEED_RTNL,
10224 	},
10225 	{
10226 		.cmd = NL80211_CMD_GET_REG,
10227 		.doit = nl80211_get_reg,
10228 		.policy = nl80211_policy,
10229 		.internal_flags = NL80211_FLAG_NEED_RTNL,
10230 		/* can be retrieved by unprivileged users */
10231 	},
10232 	{
10233 		.cmd = NL80211_CMD_SET_REG,
10234 		.doit = nl80211_set_reg,
10235 		.policy = nl80211_policy,
10236 		.flags = GENL_ADMIN_PERM,
10237 		.internal_flags = NL80211_FLAG_NEED_RTNL,
10238 	},
10239 	{
10240 		.cmd = NL80211_CMD_REQ_SET_REG,
10241 		.doit = nl80211_req_set_reg,
10242 		.policy = nl80211_policy,
10243 		.flags = GENL_ADMIN_PERM,
10244 	},
10245 	{
10246 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
10247 		.doit = nl80211_get_mesh_config,
10248 		.policy = nl80211_policy,
10249 		/* can be retrieved by unprivileged users */
10250 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10251 				  NL80211_FLAG_NEED_RTNL,
10252 	},
10253 	{
10254 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
10255 		.doit = nl80211_update_mesh_config,
10256 		.policy = nl80211_policy,
10257 		.flags = GENL_ADMIN_PERM,
10258 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10259 				  NL80211_FLAG_NEED_RTNL,
10260 	},
10261 	{
10262 		.cmd = NL80211_CMD_TRIGGER_SCAN,
10263 		.doit = nl80211_trigger_scan,
10264 		.policy = nl80211_policy,
10265 		.flags = GENL_ADMIN_PERM,
10266 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10267 				  NL80211_FLAG_NEED_RTNL,
10268 	},
10269 	{
10270 		.cmd = NL80211_CMD_GET_SCAN,
10271 		.policy = nl80211_policy,
10272 		.dumpit = nl80211_dump_scan,
10273 	},
10274 	{
10275 		.cmd = NL80211_CMD_START_SCHED_SCAN,
10276 		.doit = nl80211_start_sched_scan,
10277 		.policy = nl80211_policy,
10278 		.flags = GENL_ADMIN_PERM,
10279 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10280 				  NL80211_FLAG_NEED_RTNL,
10281 	},
10282 	{
10283 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
10284 		.doit = nl80211_stop_sched_scan,
10285 		.policy = nl80211_policy,
10286 		.flags = GENL_ADMIN_PERM,
10287 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10288 				  NL80211_FLAG_NEED_RTNL,
10289 	},
10290 	{
10291 		.cmd = NL80211_CMD_AUTHENTICATE,
10292 		.doit = nl80211_authenticate,
10293 		.policy = nl80211_policy,
10294 		.flags = GENL_ADMIN_PERM,
10295 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10296 				  NL80211_FLAG_NEED_RTNL |
10297 				  NL80211_FLAG_CLEAR_SKB,
10298 	},
10299 	{
10300 		.cmd = NL80211_CMD_ASSOCIATE,
10301 		.doit = nl80211_associate,
10302 		.policy = nl80211_policy,
10303 		.flags = GENL_ADMIN_PERM,
10304 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10305 				  NL80211_FLAG_NEED_RTNL,
10306 	},
10307 	{
10308 		.cmd = NL80211_CMD_DEAUTHENTICATE,
10309 		.doit = nl80211_deauthenticate,
10310 		.policy = nl80211_policy,
10311 		.flags = GENL_ADMIN_PERM,
10312 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10313 				  NL80211_FLAG_NEED_RTNL,
10314 	},
10315 	{
10316 		.cmd = NL80211_CMD_DISASSOCIATE,
10317 		.doit = nl80211_disassociate,
10318 		.policy = nl80211_policy,
10319 		.flags = GENL_ADMIN_PERM,
10320 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10321 				  NL80211_FLAG_NEED_RTNL,
10322 	},
10323 	{
10324 		.cmd = NL80211_CMD_JOIN_IBSS,
10325 		.doit = nl80211_join_ibss,
10326 		.policy = nl80211_policy,
10327 		.flags = GENL_ADMIN_PERM,
10328 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10329 				  NL80211_FLAG_NEED_RTNL,
10330 	},
10331 	{
10332 		.cmd = NL80211_CMD_LEAVE_IBSS,
10333 		.doit = nl80211_leave_ibss,
10334 		.policy = nl80211_policy,
10335 		.flags = GENL_ADMIN_PERM,
10336 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10337 				  NL80211_FLAG_NEED_RTNL,
10338 	},
10339 #ifdef CONFIG_NL80211_TESTMODE
10340 	{
10341 		.cmd = NL80211_CMD_TESTMODE,
10342 		.doit = nl80211_testmode_do,
10343 		.dumpit = nl80211_testmode_dump,
10344 		.policy = nl80211_policy,
10345 		.flags = GENL_ADMIN_PERM,
10346 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10347 				  NL80211_FLAG_NEED_RTNL,
10348 	},
10349 #endif
10350 	{
10351 		.cmd = NL80211_CMD_CONNECT,
10352 		.doit = nl80211_connect,
10353 		.policy = nl80211_policy,
10354 		.flags = GENL_ADMIN_PERM,
10355 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10356 				  NL80211_FLAG_NEED_RTNL,
10357 	},
10358 	{
10359 		.cmd = NL80211_CMD_DISCONNECT,
10360 		.doit = nl80211_disconnect,
10361 		.policy = nl80211_policy,
10362 		.flags = GENL_ADMIN_PERM,
10363 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10364 				  NL80211_FLAG_NEED_RTNL,
10365 	},
10366 	{
10367 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
10368 		.doit = nl80211_wiphy_netns,
10369 		.policy = nl80211_policy,
10370 		.flags = GENL_ADMIN_PERM,
10371 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10372 				  NL80211_FLAG_NEED_RTNL,
10373 	},
10374 	{
10375 		.cmd = NL80211_CMD_GET_SURVEY,
10376 		.policy = nl80211_policy,
10377 		.dumpit = nl80211_dump_survey,
10378 	},
10379 	{
10380 		.cmd = NL80211_CMD_SET_PMKSA,
10381 		.doit = nl80211_setdel_pmksa,
10382 		.policy = nl80211_policy,
10383 		.flags = GENL_ADMIN_PERM,
10384 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10385 				  NL80211_FLAG_NEED_RTNL,
10386 	},
10387 	{
10388 		.cmd = NL80211_CMD_DEL_PMKSA,
10389 		.doit = nl80211_setdel_pmksa,
10390 		.policy = nl80211_policy,
10391 		.flags = GENL_ADMIN_PERM,
10392 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10393 				  NL80211_FLAG_NEED_RTNL,
10394 	},
10395 	{
10396 		.cmd = NL80211_CMD_FLUSH_PMKSA,
10397 		.doit = nl80211_flush_pmksa,
10398 		.policy = nl80211_policy,
10399 		.flags = GENL_ADMIN_PERM,
10400 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10401 				  NL80211_FLAG_NEED_RTNL,
10402 	},
10403 	{
10404 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
10405 		.doit = nl80211_remain_on_channel,
10406 		.policy = nl80211_policy,
10407 		.flags = GENL_ADMIN_PERM,
10408 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10409 				  NL80211_FLAG_NEED_RTNL,
10410 	},
10411 	{
10412 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
10413 		.doit = nl80211_cancel_remain_on_channel,
10414 		.policy = nl80211_policy,
10415 		.flags = GENL_ADMIN_PERM,
10416 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10417 				  NL80211_FLAG_NEED_RTNL,
10418 	},
10419 	{
10420 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
10421 		.doit = nl80211_set_tx_bitrate_mask,
10422 		.policy = nl80211_policy,
10423 		.flags = GENL_ADMIN_PERM,
10424 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10425 				  NL80211_FLAG_NEED_RTNL,
10426 	},
10427 	{
10428 		.cmd = NL80211_CMD_REGISTER_FRAME,
10429 		.doit = nl80211_register_mgmt,
10430 		.policy = nl80211_policy,
10431 		.flags = GENL_ADMIN_PERM,
10432 		.internal_flags = NL80211_FLAG_NEED_WDEV |
10433 				  NL80211_FLAG_NEED_RTNL,
10434 	},
10435 	{
10436 		.cmd = NL80211_CMD_FRAME,
10437 		.doit = nl80211_tx_mgmt,
10438 		.policy = nl80211_policy,
10439 		.flags = GENL_ADMIN_PERM,
10440 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10441 				  NL80211_FLAG_NEED_RTNL,
10442 	},
10443 	{
10444 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
10445 		.doit = nl80211_tx_mgmt_cancel_wait,
10446 		.policy = nl80211_policy,
10447 		.flags = GENL_ADMIN_PERM,
10448 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10449 				  NL80211_FLAG_NEED_RTNL,
10450 	},
10451 	{
10452 		.cmd = NL80211_CMD_SET_POWER_SAVE,
10453 		.doit = nl80211_set_power_save,
10454 		.policy = nl80211_policy,
10455 		.flags = GENL_ADMIN_PERM,
10456 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10457 				  NL80211_FLAG_NEED_RTNL,
10458 	},
10459 	{
10460 		.cmd = NL80211_CMD_GET_POWER_SAVE,
10461 		.doit = nl80211_get_power_save,
10462 		.policy = nl80211_policy,
10463 		/* can be retrieved by unprivileged users */
10464 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10465 				  NL80211_FLAG_NEED_RTNL,
10466 	},
10467 	{
10468 		.cmd = NL80211_CMD_SET_CQM,
10469 		.doit = nl80211_set_cqm,
10470 		.policy = nl80211_policy,
10471 		.flags = GENL_ADMIN_PERM,
10472 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10473 				  NL80211_FLAG_NEED_RTNL,
10474 	},
10475 	{
10476 		.cmd = NL80211_CMD_SET_CHANNEL,
10477 		.doit = nl80211_set_channel,
10478 		.policy = nl80211_policy,
10479 		.flags = GENL_ADMIN_PERM,
10480 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10481 				  NL80211_FLAG_NEED_RTNL,
10482 	},
10483 	{
10484 		.cmd = NL80211_CMD_SET_WDS_PEER,
10485 		.doit = nl80211_set_wds_peer,
10486 		.policy = nl80211_policy,
10487 		.flags = GENL_ADMIN_PERM,
10488 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10489 				  NL80211_FLAG_NEED_RTNL,
10490 	},
10491 	{
10492 		.cmd = NL80211_CMD_JOIN_MESH,
10493 		.doit = nl80211_join_mesh,
10494 		.policy = nl80211_policy,
10495 		.flags = GENL_ADMIN_PERM,
10496 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10497 				  NL80211_FLAG_NEED_RTNL,
10498 	},
10499 	{
10500 		.cmd = NL80211_CMD_LEAVE_MESH,
10501 		.doit = nl80211_leave_mesh,
10502 		.policy = nl80211_policy,
10503 		.flags = GENL_ADMIN_PERM,
10504 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10505 				  NL80211_FLAG_NEED_RTNL,
10506 	},
10507 	{
10508 		.cmd = NL80211_CMD_JOIN_OCB,
10509 		.doit = nl80211_join_ocb,
10510 		.policy = nl80211_policy,
10511 		.flags = GENL_ADMIN_PERM,
10512 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10513 				  NL80211_FLAG_NEED_RTNL,
10514 	},
10515 	{
10516 		.cmd = NL80211_CMD_LEAVE_OCB,
10517 		.doit = nl80211_leave_ocb,
10518 		.policy = nl80211_policy,
10519 		.flags = GENL_ADMIN_PERM,
10520 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10521 				  NL80211_FLAG_NEED_RTNL,
10522 	},
10523 #ifdef CONFIG_PM
10524 	{
10525 		.cmd = NL80211_CMD_GET_WOWLAN,
10526 		.doit = nl80211_get_wowlan,
10527 		.policy = nl80211_policy,
10528 		/* can be retrieved by unprivileged users */
10529 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10530 				  NL80211_FLAG_NEED_RTNL,
10531 	},
10532 	{
10533 		.cmd = NL80211_CMD_SET_WOWLAN,
10534 		.doit = nl80211_set_wowlan,
10535 		.policy = nl80211_policy,
10536 		.flags = GENL_ADMIN_PERM,
10537 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10538 				  NL80211_FLAG_NEED_RTNL,
10539 	},
10540 #endif
10541 	{
10542 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
10543 		.doit = nl80211_set_rekey_data,
10544 		.policy = nl80211_policy,
10545 		.flags = GENL_ADMIN_PERM,
10546 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10547 				  NL80211_FLAG_NEED_RTNL |
10548 				  NL80211_FLAG_CLEAR_SKB,
10549 	},
10550 	{
10551 		.cmd = NL80211_CMD_TDLS_MGMT,
10552 		.doit = nl80211_tdls_mgmt,
10553 		.policy = nl80211_policy,
10554 		.flags = GENL_ADMIN_PERM,
10555 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10556 				  NL80211_FLAG_NEED_RTNL,
10557 	},
10558 	{
10559 		.cmd = NL80211_CMD_TDLS_OPER,
10560 		.doit = nl80211_tdls_oper,
10561 		.policy = nl80211_policy,
10562 		.flags = GENL_ADMIN_PERM,
10563 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10564 				  NL80211_FLAG_NEED_RTNL,
10565 	},
10566 	{
10567 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
10568 		.doit = nl80211_register_unexpected_frame,
10569 		.policy = nl80211_policy,
10570 		.flags = GENL_ADMIN_PERM,
10571 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10572 				  NL80211_FLAG_NEED_RTNL,
10573 	},
10574 	{
10575 		.cmd = NL80211_CMD_PROBE_CLIENT,
10576 		.doit = nl80211_probe_client,
10577 		.policy = nl80211_policy,
10578 		.flags = GENL_ADMIN_PERM,
10579 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10580 				  NL80211_FLAG_NEED_RTNL,
10581 	},
10582 	{
10583 		.cmd = NL80211_CMD_REGISTER_BEACONS,
10584 		.doit = nl80211_register_beacons,
10585 		.policy = nl80211_policy,
10586 		.flags = GENL_ADMIN_PERM,
10587 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10588 				  NL80211_FLAG_NEED_RTNL,
10589 	},
10590 	{
10591 		.cmd = NL80211_CMD_SET_NOACK_MAP,
10592 		.doit = nl80211_set_noack_map,
10593 		.policy = nl80211_policy,
10594 		.flags = GENL_ADMIN_PERM,
10595 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10596 				  NL80211_FLAG_NEED_RTNL,
10597 	},
10598 	{
10599 		.cmd = NL80211_CMD_START_P2P_DEVICE,
10600 		.doit = nl80211_start_p2p_device,
10601 		.policy = nl80211_policy,
10602 		.flags = GENL_ADMIN_PERM,
10603 		.internal_flags = NL80211_FLAG_NEED_WDEV |
10604 				  NL80211_FLAG_NEED_RTNL,
10605 	},
10606 	{
10607 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
10608 		.doit = nl80211_stop_p2p_device,
10609 		.policy = nl80211_policy,
10610 		.flags = GENL_ADMIN_PERM,
10611 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10612 				  NL80211_FLAG_NEED_RTNL,
10613 	},
10614 	{
10615 		.cmd = NL80211_CMD_SET_MCAST_RATE,
10616 		.doit = nl80211_set_mcast_rate,
10617 		.policy = nl80211_policy,
10618 		.flags = GENL_ADMIN_PERM,
10619 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10620 				  NL80211_FLAG_NEED_RTNL,
10621 	},
10622 	{
10623 		.cmd = NL80211_CMD_SET_MAC_ACL,
10624 		.doit = nl80211_set_mac_acl,
10625 		.policy = nl80211_policy,
10626 		.flags = GENL_ADMIN_PERM,
10627 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10628 				  NL80211_FLAG_NEED_RTNL,
10629 	},
10630 	{
10631 		.cmd = NL80211_CMD_RADAR_DETECT,
10632 		.doit = nl80211_start_radar_detection,
10633 		.policy = nl80211_policy,
10634 		.flags = GENL_ADMIN_PERM,
10635 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10636 				  NL80211_FLAG_NEED_RTNL,
10637 	},
10638 	{
10639 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
10640 		.doit = nl80211_get_protocol_features,
10641 		.policy = nl80211_policy,
10642 	},
10643 	{
10644 		.cmd = NL80211_CMD_UPDATE_FT_IES,
10645 		.doit = nl80211_update_ft_ies,
10646 		.policy = nl80211_policy,
10647 		.flags = GENL_ADMIN_PERM,
10648 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10649 				  NL80211_FLAG_NEED_RTNL,
10650 	},
10651 	{
10652 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
10653 		.doit = nl80211_crit_protocol_start,
10654 		.policy = nl80211_policy,
10655 		.flags = GENL_ADMIN_PERM,
10656 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10657 				  NL80211_FLAG_NEED_RTNL,
10658 	},
10659 	{
10660 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
10661 		.doit = nl80211_crit_protocol_stop,
10662 		.policy = nl80211_policy,
10663 		.flags = GENL_ADMIN_PERM,
10664 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10665 				  NL80211_FLAG_NEED_RTNL,
10666 	},
10667 	{
10668 		.cmd = NL80211_CMD_GET_COALESCE,
10669 		.doit = nl80211_get_coalesce,
10670 		.policy = nl80211_policy,
10671 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10672 				  NL80211_FLAG_NEED_RTNL,
10673 	},
10674 	{
10675 		.cmd = NL80211_CMD_SET_COALESCE,
10676 		.doit = nl80211_set_coalesce,
10677 		.policy = nl80211_policy,
10678 		.flags = GENL_ADMIN_PERM,
10679 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10680 				  NL80211_FLAG_NEED_RTNL,
10681 	},
10682 	{
10683 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
10684 		.doit = nl80211_channel_switch,
10685 		.policy = nl80211_policy,
10686 		.flags = GENL_ADMIN_PERM,
10687 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10688 				  NL80211_FLAG_NEED_RTNL,
10689 	},
10690 	{
10691 		.cmd = NL80211_CMD_VENDOR,
10692 		.doit = nl80211_vendor_cmd,
10693 		.policy = nl80211_policy,
10694 		.flags = GENL_ADMIN_PERM,
10695 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10696 				  NL80211_FLAG_NEED_RTNL,
10697 	},
10698 	{
10699 		.cmd = NL80211_CMD_SET_QOS_MAP,
10700 		.doit = nl80211_set_qos_map,
10701 		.policy = nl80211_policy,
10702 		.flags = GENL_ADMIN_PERM,
10703 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10704 				  NL80211_FLAG_NEED_RTNL,
10705 	},
10706 	{
10707 		.cmd = NL80211_CMD_ADD_TX_TS,
10708 		.doit = nl80211_add_tx_ts,
10709 		.policy = nl80211_policy,
10710 		.flags = GENL_ADMIN_PERM,
10711 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10712 				  NL80211_FLAG_NEED_RTNL,
10713 	},
10714 	{
10715 		.cmd = NL80211_CMD_DEL_TX_TS,
10716 		.doit = nl80211_del_tx_ts,
10717 		.policy = nl80211_policy,
10718 		.flags = GENL_ADMIN_PERM,
10719 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10720 				  NL80211_FLAG_NEED_RTNL,
10721 	},
10722 	{
10723 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
10724 		.doit = nl80211_tdls_channel_switch,
10725 		.policy = nl80211_policy,
10726 		.flags = GENL_ADMIN_PERM,
10727 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10728 				  NL80211_FLAG_NEED_RTNL,
10729 	},
10730 	{
10731 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
10732 		.doit = nl80211_tdls_cancel_channel_switch,
10733 		.policy = nl80211_policy,
10734 		.flags = GENL_ADMIN_PERM,
10735 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10736 				  NL80211_FLAG_NEED_RTNL,
10737 	},
10738 };
10739 
10740 /* notification functions */
10741 
10742 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
10743 			  enum nl80211_commands cmd)
10744 {
10745 	struct sk_buff *msg;
10746 	struct nl80211_dump_wiphy_state state = {};
10747 
10748 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
10749 		cmd != NL80211_CMD_DEL_WIPHY);
10750 
10751 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10752 	if (!msg)
10753 		return;
10754 
10755 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
10756 		nlmsg_free(msg);
10757 		return;
10758 	}
10759 
10760 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10761 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
10762 }
10763 
10764 static int nl80211_add_scan_req(struct sk_buff *msg,
10765 				struct cfg80211_registered_device *rdev)
10766 {
10767 	struct cfg80211_scan_request *req = rdev->scan_req;
10768 	struct nlattr *nest;
10769 	int i;
10770 
10771 	if (WARN_ON(!req))
10772 		return 0;
10773 
10774 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_SSIDS);
10775 	if (!nest)
10776 		goto nla_put_failure;
10777 	for (i = 0; i < req->n_ssids; i++) {
10778 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
10779 			goto nla_put_failure;
10780 	}
10781 	nla_nest_end(msg, nest);
10782 
10783 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
10784 	if (!nest)
10785 		goto nla_put_failure;
10786 	for (i = 0; i < req->n_channels; i++) {
10787 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
10788 			goto nla_put_failure;
10789 	}
10790 	nla_nest_end(msg, nest);
10791 
10792 	if (req->ie &&
10793 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
10794 		goto nla_put_failure;
10795 
10796 	if (req->flags &&
10797 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
10798 		goto nla_put_failure;
10799 
10800 	return 0;
10801  nla_put_failure:
10802 	return -ENOBUFS;
10803 }
10804 
10805 static int nl80211_send_scan_msg(struct sk_buff *msg,
10806 				 struct cfg80211_registered_device *rdev,
10807 				 struct wireless_dev *wdev,
10808 				 u32 portid, u32 seq, int flags,
10809 				 u32 cmd)
10810 {
10811 	void *hdr;
10812 
10813 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
10814 	if (!hdr)
10815 		return -1;
10816 
10817 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10818 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
10819 					 wdev->netdev->ifindex)) ||
10820 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
10821 		goto nla_put_failure;
10822 
10823 	/* ignore errors and send incomplete event anyway */
10824 	nl80211_add_scan_req(msg, rdev);
10825 
10826 	return genlmsg_end(msg, hdr);
10827 
10828  nla_put_failure:
10829 	genlmsg_cancel(msg, hdr);
10830 	return -EMSGSIZE;
10831 }
10832 
10833 static int
10834 nl80211_send_sched_scan_msg(struct sk_buff *msg,
10835 			    struct cfg80211_registered_device *rdev,
10836 			    struct net_device *netdev,
10837 			    u32 portid, u32 seq, int flags, u32 cmd)
10838 {
10839 	void *hdr;
10840 
10841 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
10842 	if (!hdr)
10843 		return -1;
10844 
10845 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10846 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
10847 		goto nla_put_failure;
10848 
10849 	return genlmsg_end(msg, hdr);
10850 
10851  nla_put_failure:
10852 	genlmsg_cancel(msg, hdr);
10853 	return -EMSGSIZE;
10854 }
10855 
10856 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
10857 			     struct wireless_dev *wdev)
10858 {
10859 	struct sk_buff *msg;
10860 
10861 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10862 	if (!msg)
10863 		return;
10864 
10865 	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
10866 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
10867 		nlmsg_free(msg);
10868 		return;
10869 	}
10870 
10871 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10872 				NL80211_MCGRP_SCAN, GFP_KERNEL);
10873 }
10874 
10875 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
10876 				       struct wireless_dev *wdev, bool aborted)
10877 {
10878 	struct sk_buff *msg;
10879 
10880 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10881 	if (!msg)
10882 		return NULL;
10883 
10884 	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
10885 				  aborted ? NL80211_CMD_SCAN_ABORTED :
10886 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
10887 		nlmsg_free(msg);
10888 		return NULL;
10889 	}
10890 
10891 	return msg;
10892 }
10893 
10894 void nl80211_send_scan_result(struct cfg80211_registered_device *rdev,
10895 			      struct sk_buff *msg)
10896 {
10897 	if (!msg)
10898 		return;
10899 
10900 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10901 				NL80211_MCGRP_SCAN, GFP_KERNEL);
10902 }
10903 
10904 void nl80211_send_sched_scan_results(struct cfg80211_registered_device *rdev,
10905 				     struct net_device *netdev)
10906 {
10907 	struct sk_buff *msg;
10908 
10909 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10910 	if (!msg)
10911 		return;
10912 
10913 	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0,
10914 					NL80211_CMD_SCHED_SCAN_RESULTS) < 0) {
10915 		nlmsg_free(msg);
10916 		return;
10917 	}
10918 
10919 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10920 				NL80211_MCGRP_SCAN, GFP_KERNEL);
10921 }
10922 
10923 void nl80211_send_sched_scan(struct cfg80211_registered_device *rdev,
10924 			     struct net_device *netdev, u32 cmd)
10925 {
10926 	struct sk_buff *msg;
10927 
10928 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10929 	if (!msg)
10930 		return;
10931 
10932 	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0, cmd) < 0) {
10933 		nlmsg_free(msg);
10934 		return;
10935 	}
10936 
10937 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10938 				NL80211_MCGRP_SCAN, GFP_KERNEL);
10939 }
10940 
10941 /*
10942  * This can happen on global regulatory changes or device specific settings
10943  * based on custom world regulatory domains.
10944  */
10945 void nl80211_send_reg_change_event(struct regulatory_request *request)
10946 {
10947 	struct sk_buff *msg;
10948 	void *hdr;
10949 
10950 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10951 	if (!msg)
10952 		return;
10953 
10954 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_CHANGE);
10955 	if (!hdr) {
10956 		nlmsg_free(msg);
10957 		return;
10958 	}
10959 
10960 	/* Userspace can always count this one always being set */
10961 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
10962 		goto nla_put_failure;
10963 
10964 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
10965 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
10966 			       NL80211_REGDOM_TYPE_WORLD))
10967 			goto nla_put_failure;
10968 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
10969 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
10970 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
10971 			goto nla_put_failure;
10972 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
10973 		   request->intersect) {
10974 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
10975 			       NL80211_REGDOM_TYPE_INTERSECTION))
10976 			goto nla_put_failure;
10977 	} else {
10978 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
10979 			       NL80211_REGDOM_TYPE_COUNTRY) ||
10980 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
10981 				   request->alpha2))
10982 			goto nla_put_failure;
10983 	}
10984 
10985 	if (request->wiphy_idx != WIPHY_IDX_INVALID &&
10986 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
10987 		goto nla_put_failure;
10988 
10989 	genlmsg_end(msg, hdr);
10990 
10991 	rcu_read_lock();
10992 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
10993 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
10994 	rcu_read_unlock();
10995 
10996 	return;
10997 
10998 nla_put_failure:
10999 	genlmsg_cancel(msg, hdr);
11000 	nlmsg_free(msg);
11001 }
11002 
11003 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
11004 				    struct net_device *netdev,
11005 				    const u8 *buf, size_t len,
11006 				    enum nl80211_commands cmd, gfp_t gfp,
11007 				    int uapsd_queues)
11008 {
11009 	struct sk_buff *msg;
11010 	void *hdr;
11011 
11012 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11013 	if (!msg)
11014 		return;
11015 
11016 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
11017 	if (!hdr) {
11018 		nlmsg_free(msg);
11019 		return;
11020 	}
11021 
11022 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11023 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11024 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf))
11025 		goto nla_put_failure;
11026 
11027 	if (uapsd_queues >= 0) {
11028 		struct nlattr *nla_wmm =
11029 			nla_nest_start(msg, NL80211_ATTR_STA_WME);
11030 		if (!nla_wmm)
11031 			goto nla_put_failure;
11032 
11033 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
11034 			       uapsd_queues))
11035 			goto nla_put_failure;
11036 
11037 		nla_nest_end(msg, nla_wmm);
11038 	}
11039 
11040 	genlmsg_end(msg, hdr);
11041 
11042 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11043 				NL80211_MCGRP_MLME, gfp);
11044 	return;
11045 
11046  nla_put_failure:
11047 	genlmsg_cancel(msg, hdr);
11048 	nlmsg_free(msg);
11049 }
11050 
11051 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
11052 			  struct net_device *netdev, const u8 *buf,
11053 			  size_t len, gfp_t gfp)
11054 {
11055 	nl80211_send_mlme_event(rdev, netdev, buf, len,
11056 				NL80211_CMD_AUTHENTICATE, gfp, -1);
11057 }
11058 
11059 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
11060 			   struct net_device *netdev, const u8 *buf,
11061 			   size_t len, gfp_t gfp, int uapsd_queues)
11062 {
11063 	nl80211_send_mlme_event(rdev, netdev, buf, len,
11064 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues);
11065 }
11066 
11067 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
11068 			 struct net_device *netdev, const u8 *buf,
11069 			 size_t len, gfp_t gfp)
11070 {
11071 	nl80211_send_mlme_event(rdev, netdev, buf, len,
11072 				NL80211_CMD_DEAUTHENTICATE, gfp, -1);
11073 }
11074 
11075 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
11076 			   struct net_device *netdev, const u8 *buf,
11077 			   size_t len, gfp_t gfp)
11078 {
11079 	nl80211_send_mlme_event(rdev, netdev, buf, len,
11080 				NL80211_CMD_DISASSOCIATE, gfp, -1);
11081 }
11082 
11083 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
11084 				  size_t len)
11085 {
11086 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11087 	struct wiphy *wiphy = wdev->wiphy;
11088 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11089 	const struct ieee80211_mgmt *mgmt = (void *)buf;
11090 	u32 cmd;
11091 
11092 	if (WARN_ON(len < 2))
11093 		return;
11094 
11095 	if (ieee80211_is_deauth(mgmt->frame_control))
11096 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
11097 	else
11098 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
11099 
11100 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
11101 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1);
11102 }
11103 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
11104 
11105 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
11106 				      struct net_device *netdev, int cmd,
11107 				      const u8 *addr, gfp_t gfp)
11108 {
11109 	struct sk_buff *msg;
11110 	void *hdr;
11111 
11112 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11113 	if (!msg)
11114 		return;
11115 
11116 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
11117 	if (!hdr) {
11118 		nlmsg_free(msg);
11119 		return;
11120 	}
11121 
11122 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11123 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11124 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
11125 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
11126 		goto nla_put_failure;
11127 
11128 	genlmsg_end(msg, hdr);
11129 
11130 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11131 				NL80211_MCGRP_MLME, gfp);
11132 	return;
11133 
11134  nla_put_failure:
11135 	genlmsg_cancel(msg, hdr);
11136 	nlmsg_free(msg);
11137 }
11138 
11139 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
11140 			       struct net_device *netdev, const u8 *addr,
11141 			       gfp_t gfp)
11142 {
11143 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
11144 				  addr, gfp);
11145 }
11146 
11147 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
11148 				struct net_device *netdev, const u8 *addr,
11149 				gfp_t gfp)
11150 {
11151 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
11152 				  addr, gfp);
11153 }
11154 
11155 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
11156 				 struct net_device *netdev, const u8 *bssid,
11157 				 const u8 *req_ie, size_t req_ie_len,
11158 				 const u8 *resp_ie, size_t resp_ie_len,
11159 				 u16 status, gfp_t gfp)
11160 {
11161 	struct sk_buff *msg;
11162 	void *hdr;
11163 
11164 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11165 	if (!msg)
11166 		return;
11167 
11168 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
11169 	if (!hdr) {
11170 		nlmsg_free(msg);
11171 		return;
11172 	}
11173 
11174 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11175 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11176 	    (bssid && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid)) ||
11177 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE, status) ||
11178 	    (req_ie &&
11179 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
11180 	    (resp_ie &&
11181 	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
11182 		goto nla_put_failure;
11183 
11184 	genlmsg_end(msg, hdr);
11185 
11186 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11187 				NL80211_MCGRP_MLME, gfp);
11188 	return;
11189 
11190  nla_put_failure:
11191 	genlmsg_cancel(msg, hdr);
11192 	nlmsg_free(msg);
11193 
11194 }
11195 
11196 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
11197 			 struct net_device *netdev, const u8 *bssid,
11198 			 const u8 *req_ie, size_t req_ie_len,
11199 			 const u8 *resp_ie, size_t resp_ie_len, gfp_t gfp)
11200 {
11201 	struct sk_buff *msg;
11202 	void *hdr;
11203 
11204 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11205 	if (!msg)
11206 		return;
11207 
11208 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
11209 	if (!hdr) {
11210 		nlmsg_free(msg);
11211 		return;
11212 	}
11213 
11214 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11215 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11216 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
11217 	    (req_ie &&
11218 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
11219 	    (resp_ie &&
11220 	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
11221 		goto nla_put_failure;
11222 
11223 	genlmsg_end(msg, hdr);
11224 
11225 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11226 				NL80211_MCGRP_MLME, gfp);
11227 	return;
11228 
11229  nla_put_failure:
11230 	genlmsg_cancel(msg, hdr);
11231 	nlmsg_free(msg);
11232 
11233 }
11234 
11235 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
11236 			       struct net_device *netdev, u16 reason,
11237 			       const u8 *ie, size_t ie_len, bool from_ap)
11238 {
11239 	struct sk_buff *msg;
11240 	void *hdr;
11241 
11242 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11243 	if (!msg)
11244 		return;
11245 
11246 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
11247 	if (!hdr) {
11248 		nlmsg_free(msg);
11249 		return;
11250 	}
11251 
11252 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11253 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11254 	    (from_ap && reason &&
11255 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
11256 	    (from_ap &&
11257 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
11258 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
11259 		goto nla_put_failure;
11260 
11261 	genlmsg_end(msg, hdr);
11262 
11263 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11264 				NL80211_MCGRP_MLME, GFP_KERNEL);
11265 	return;
11266 
11267  nla_put_failure:
11268 	genlmsg_cancel(msg, hdr);
11269 	nlmsg_free(msg);
11270 
11271 }
11272 
11273 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
11274 			     struct net_device *netdev, const u8 *bssid,
11275 			     gfp_t gfp)
11276 {
11277 	struct sk_buff *msg;
11278 	void *hdr;
11279 
11280 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11281 	if (!msg)
11282 		return;
11283 
11284 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
11285 	if (!hdr) {
11286 		nlmsg_free(msg);
11287 		return;
11288 	}
11289 
11290 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11291 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11292 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
11293 		goto nla_put_failure;
11294 
11295 	genlmsg_end(msg, hdr);
11296 
11297 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11298 				NL80211_MCGRP_MLME, gfp);
11299 	return;
11300 
11301  nla_put_failure:
11302 	genlmsg_cancel(msg, hdr);
11303 	nlmsg_free(msg);
11304 }
11305 
11306 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
11307 					const u8* ie, u8 ie_len, gfp_t gfp)
11308 {
11309 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11310 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
11311 	struct sk_buff *msg;
11312 	void *hdr;
11313 
11314 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
11315 		return;
11316 
11317 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
11318 
11319 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11320 	if (!msg)
11321 		return;
11322 
11323 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
11324 	if (!hdr) {
11325 		nlmsg_free(msg);
11326 		return;
11327 	}
11328 
11329 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11330 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11331 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
11332 	    (ie_len && ie &&
11333 	     nla_put(msg, NL80211_ATTR_IE, ie_len , ie)))
11334 		goto nla_put_failure;
11335 
11336 	genlmsg_end(msg, hdr);
11337 
11338 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11339 				NL80211_MCGRP_MLME, gfp);
11340 	return;
11341 
11342  nla_put_failure:
11343 	genlmsg_cancel(msg, hdr);
11344 	nlmsg_free(msg);
11345 }
11346 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
11347 
11348 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
11349 				 struct net_device *netdev, const u8 *addr,
11350 				 enum nl80211_key_type key_type, int key_id,
11351 				 const u8 *tsc, gfp_t gfp)
11352 {
11353 	struct sk_buff *msg;
11354 	void *hdr;
11355 
11356 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11357 	if (!msg)
11358 		return;
11359 
11360 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
11361 	if (!hdr) {
11362 		nlmsg_free(msg);
11363 		return;
11364 	}
11365 
11366 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11367 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11368 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
11369 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
11370 	    (key_id != -1 &&
11371 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
11372 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
11373 		goto nla_put_failure;
11374 
11375 	genlmsg_end(msg, hdr);
11376 
11377 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11378 				NL80211_MCGRP_MLME, gfp);
11379 	return;
11380 
11381  nla_put_failure:
11382 	genlmsg_cancel(msg, hdr);
11383 	nlmsg_free(msg);
11384 }
11385 
11386 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
11387 				    struct ieee80211_channel *channel_before,
11388 				    struct ieee80211_channel *channel_after)
11389 {
11390 	struct sk_buff *msg;
11391 	void *hdr;
11392 	struct nlattr *nl_freq;
11393 
11394 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
11395 	if (!msg)
11396 		return;
11397 
11398 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
11399 	if (!hdr) {
11400 		nlmsg_free(msg);
11401 		return;
11402 	}
11403 
11404 	/*
11405 	 * Since we are applying the beacon hint to a wiphy we know its
11406 	 * wiphy_idx is valid
11407 	 */
11408 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
11409 		goto nla_put_failure;
11410 
11411 	/* Before */
11412 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_BEFORE);
11413 	if (!nl_freq)
11414 		goto nla_put_failure;
11415 	if (nl80211_msg_put_channel(msg, channel_before, false))
11416 		goto nla_put_failure;
11417 	nla_nest_end(msg, nl_freq);
11418 
11419 	/* After */
11420 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_AFTER);
11421 	if (!nl_freq)
11422 		goto nla_put_failure;
11423 	if (nl80211_msg_put_channel(msg, channel_after, false))
11424 		goto nla_put_failure;
11425 	nla_nest_end(msg, nl_freq);
11426 
11427 	genlmsg_end(msg, hdr);
11428 
11429 	rcu_read_lock();
11430 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
11431 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
11432 	rcu_read_unlock();
11433 
11434 	return;
11435 
11436 nla_put_failure:
11437 	genlmsg_cancel(msg, hdr);
11438 	nlmsg_free(msg);
11439 }
11440 
11441 static void nl80211_send_remain_on_chan_event(
11442 	int cmd, struct cfg80211_registered_device *rdev,
11443 	struct wireless_dev *wdev, u64 cookie,
11444 	struct ieee80211_channel *chan,
11445 	unsigned int duration, gfp_t gfp)
11446 {
11447 	struct sk_buff *msg;
11448 	void *hdr;
11449 
11450 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11451 	if (!msg)
11452 		return;
11453 
11454 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
11455 	if (!hdr) {
11456 		nlmsg_free(msg);
11457 		return;
11458 	}
11459 
11460 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11461 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
11462 					 wdev->netdev->ifindex)) ||
11463 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
11464 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
11465 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
11466 			NL80211_CHAN_NO_HT) ||
11467 	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
11468 		goto nla_put_failure;
11469 
11470 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
11471 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
11472 		goto nla_put_failure;
11473 
11474 	genlmsg_end(msg, hdr);
11475 
11476 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11477 				NL80211_MCGRP_MLME, gfp);
11478 	return;
11479 
11480  nla_put_failure:
11481 	genlmsg_cancel(msg, hdr);
11482 	nlmsg_free(msg);
11483 }
11484 
11485 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
11486 			       struct ieee80211_channel *chan,
11487 			       unsigned int duration, gfp_t gfp)
11488 {
11489 	struct wiphy *wiphy = wdev->wiphy;
11490 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11491 
11492 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
11493 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
11494 					  rdev, wdev, cookie, chan,
11495 					  duration, gfp);
11496 }
11497 EXPORT_SYMBOL(cfg80211_ready_on_channel);
11498 
11499 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
11500 					struct ieee80211_channel *chan,
11501 					gfp_t gfp)
11502 {
11503 	struct wiphy *wiphy = wdev->wiphy;
11504 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11505 
11506 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
11507 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
11508 					  rdev, wdev, cookie, chan, 0, gfp);
11509 }
11510 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
11511 
11512 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
11513 		      struct station_info *sinfo, gfp_t gfp)
11514 {
11515 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
11516 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11517 	struct sk_buff *msg;
11518 
11519 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
11520 
11521 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11522 	if (!msg)
11523 		return;
11524 
11525 	if (nl80211_send_station(msg, 0, 0, 0,
11526 				 rdev, dev, mac_addr, sinfo) < 0) {
11527 		nlmsg_free(msg);
11528 		return;
11529 	}
11530 
11531 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11532 				NL80211_MCGRP_MLME, gfp);
11533 }
11534 EXPORT_SYMBOL(cfg80211_new_sta);
11535 
11536 void cfg80211_del_sta(struct net_device *dev, const u8 *mac_addr, gfp_t gfp)
11537 {
11538 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
11539 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11540 	struct sk_buff *msg;
11541 	void *hdr;
11542 
11543 	trace_cfg80211_del_sta(dev, mac_addr);
11544 
11545 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11546 	if (!msg)
11547 		return;
11548 
11549 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_STATION);
11550 	if (!hdr) {
11551 		nlmsg_free(msg);
11552 		return;
11553 	}
11554 
11555 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11556 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
11557 		goto nla_put_failure;
11558 
11559 	genlmsg_end(msg, hdr);
11560 
11561 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11562 				NL80211_MCGRP_MLME, gfp);
11563 	return;
11564 
11565  nla_put_failure:
11566 	genlmsg_cancel(msg, hdr);
11567 	nlmsg_free(msg);
11568 }
11569 EXPORT_SYMBOL(cfg80211_del_sta);
11570 
11571 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
11572 			  enum nl80211_connect_failed_reason reason,
11573 			  gfp_t gfp)
11574 {
11575 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
11576 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11577 	struct sk_buff *msg;
11578 	void *hdr;
11579 
11580 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
11581 	if (!msg)
11582 		return;
11583 
11584 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
11585 	if (!hdr) {
11586 		nlmsg_free(msg);
11587 		return;
11588 	}
11589 
11590 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11591 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
11592 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
11593 		goto nla_put_failure;
11594 
11595 	genlmsg_end(msg, hdr);
11596 
11597 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11598 				NL80211_MCGRP_MLME, gfp);
11599 	return;
11600 
11601  nla_put_failure:
11602 	genlmsg_cancel(msg, hdr);
11603 	nlmsg_free(msg);
11604 }
11605 EXPORT_SYMBOL(cfg80211_conn_failed);
11606 
11607 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
11608 				       const u8 *addr, gfp_t gfp)
11609 {
11610 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11611 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
11612 	struct sk_buff *msg;
11613 	void *hdr;
11614 	u32 nlportid = ACCESS_ONCE(wdev->ap_unexpected_nlportid);
11615 
11616 	if (!nlportid)
11617 		return false;
11618 
11619 	msg = nlmsg_new(100, gfp);
11620 	if (!msg)
11621 		return true;
11622 
11623 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
11624 	if (!hdr) {
11625 		nlmsg_free(msg);
11626 		return true;
11627 	}
11628 
11629 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11630 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11631 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
11632 		goto nla_put_failure;
11633 
11634 	genlmsg_end(msg, hdr);
11635 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
11636 	return true;
11637 
11638  nla_put_failure:
11639 	genlmsg_cancel(msg, hdr);
11640 	nlmsg_free(msg);
11641 	return true;
11642 }
11643 
11644 bool cfg80211_rx_spurious_frame(struct net_device *dev,
11645 				const u8 *addr, gfp_t gfp)
11646 {
11647 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11648 	bool ret;
11649 
11650 	trace_cfg80211_rx_spurious_frame(dev, addr);
11651 
11652 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
11653 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
11654 		trace_cfg80211_return_bool(false);
11655 		return false;
11656 	}
11657 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
11658 					 addr, gfp);
11659 	trace_cfg80211_return_bool(ret);
11660 	return ret;
11661 }
11662 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
11663 
11664 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
11665 					const u8 *addr, gfp_t gfp)
11666 {
11667 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11668 	bool ret;
11669 
11670 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
11671 
11672 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
11673 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
11674 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
11675 		trace_cfg80211_return_bool(false);
11676 		return false;
11677 	}
11678 	ret = __nl80211_unexpected_frame(dev,
11679 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
11680 					 addr, gfp);
11681 	trace_cfg80211_return_bool(ret);
11682 	return ret;
11683 }
11684 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
11685 
11686 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
11687 		      struct wireless_dev *wdev, u32 nlportid,
11688 		      int freq, int sig_dbm,
11689 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
11690 {
11691 	struct net_device *netdev = wdev->netdev;
11692 	struct sk_buff *msg;
11693 	void *hdr;
11694 
11695 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11696 	if (!msg)
11697 		return -ENOMEM;
11698 
11699 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
11700 	if (!hdr) {
11701 		nlmsg_free(msg);
11702 		return -ENOMEM;
11703 	}
11704 
11705 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11706 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
11707 					netdev->ifindex)) ||
11708 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
11709 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq) ||
11710 	    (sig_dbm &&
11711 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
11712 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
11713 	    (flags &&
11714 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
11715 		goto nla_put_failure;
11716 
11717 	genlmsg_end(msg, hdr);
11718 
11719 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
11720 
11721  nla_put_failure:
11722 	genlmsg_cancel(msg, hdr);
11723 	nlmsg_free(msg);
11724 	return -ENOBUFS;
11725 }
11726 
11727 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
11728 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
11729 {
11730 	struct wiphy *wiphy = wdev->wiphy;
11731 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11732 	struct net_device *netdev = wdev->netdev;
11733 	struct sk_buff *msg;
11734 	void *hdr;
11735 
11736 	trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
11737 
11738 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11739 	if (!msg)
11740 		return;
11741 
11742 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME_TX_STATUS);
11743 	if (!hdr) {
11744 		nlmsg_free(msg);
11745 		return;
11746 	}
11747 
11748 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11749 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
11750 				   netdev->ifindex)) ||
11751 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
11752 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
11753 	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie) ||
11754 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
11755 		goto nla_put_failure;
11756 
11757 	genlmsg_end(msg, hdr);
11758 
11759 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11760 				NL80211_MCGRP_MLME, gfp);
11761 	return;
11762 
11763  nla_put_failure:
11764 	genlmsg_cancel(msg, hdr);
11765 	nlmsg_free(msg);
11766 }
11767 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
11768 
11769 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
11770 					    const char *mac, gfp_t gfp)
11771 {
11772 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11773 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
11774 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11775 	void **cb;
11776 
11777 	if (!msg)
11778 		return NULL;
11779 
11780 	cb = (void **)msg->cb;
11781 
11782 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
11783 	if (!cb[0]) {
11784 		nlmsg_free(msg);
11785 		return NULL;
11786 	}
11787 
11788 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11789 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
11790 		goto nla_put_failure;
11791 
11792 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
11793 		goto nla_put_failure;
11794 
11795 	cb[1] = nla_nest_start(msg, NL80211_ATTR_CQM);
11796 	if (!cb[1])
11797 		goto nla_put_failure;
11798 
11799 	cb[2] = rdev;
11800 
11801 	return msg;
11802  nla_put_failure:
11803 	nlmsg_free(msg);
11804 	return NULL;
11805 }
11806 
11807 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
11808 {
11809 	void **cb = (void **)msg->cb;
11810 	struct cfg80211_registered_device *rdev = cb[2];
11811 
11812 	nla_nest_end(msg, cb[1]);
11813 	genlmsg_end(msg, cb[0]);
11814 
11815 	memset(msg->cb, 0, sizeof(msg->cb));
11816 
11817 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11818 				NL80211_MCGRP_MLME, gfp);
11819 }
11820 
11821 void cfg80211_cqm_rssi_notify(struct net_device *dev,
11822 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
11823 			      gfp_t gfp)
11824 {
11825 	struct sk_buff *msg;
11826 
11827 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event);
11828 
11829 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
11830 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
11831 		return;
11832 
11833 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
11834 	if (!msg)
11835 		return;
11836 
11837 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
11838 			rssi_event))
11839 		goto nla_put_failure;
11840 
11841 	cfg80211_send_cqm(msg, gfp);
11842 
11843 	return;
11844 
11845  nla_put_failure:
11846 	nlmsg_free(msg);
11847 }
11848 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
11849 
11850 void cfg80211_cqm_txe_notify(struct net_device *dev,
11851 			     const u8 *peer, u32 num_packets,
11852 			     u32 rate, u32 intvl, gfp_t gfp)
11853 {
11854 	struct sk_buff *msg;
11855 
11856 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
11857 	if (!msg)
11858 		return;
11859 
11860 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
11861 		goto nla_put_failure;
11862 
11863 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
11864 		goto nla_put_failure;
11865 
11866 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
11867 		goto nla_put_failure;
11868 
11869 	cfg80211_send_cqm(msg, gfp);
11870 	return;
11871 
11872  nla_put_failure:
11873 	nlmsg_free(msg);
11874 }
11875 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
11876 
11877 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
11878 				 const u8 *peer, u32 num_packets, gfp_t gfp)
11879 {
11880 	struct sk_buff *msg;
11881 
11882 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
11883 
11884 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
11885 	if (!msg)
11886 		return;
11887 
11888 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
11889 		goto nla_put_failure;
11890 
11891 	cfg80211_send_cqm(msg, gfp);
11892 	return;
11893 
11894  nla_put_failure:
11895 	nlmsg_free(msg);
11896 }
11897 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
11898 
11899 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
11900 {
11901 	struct sk_buff *msg;
11902 
11903 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
11904 	if (!msg)
11905 		return;
11906 
11907 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
11908 		goto nla_put_failure;
11909 
11910 	cfg80211_send_cqm(msg, gfp);
11911 	return;
11912 
11913  nla_put_failure:
11914 	nlmsg_free(msg);
11915 }
11916 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
11917 
11918 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
11919 				     struct net_device *netdev, const u8 *bssid,
11920 				     const u8 *replay_ctr, gfp_t gfp)
11921 {
11922 	struct sk_buff *msg;
11923 	struct nlattr *rekey_attr;
11924 	void *hdr;
11925 
11926 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11927 	if (!msg)
11928 		return;
11929 
11930 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
11931 	if (!hdr) {
11932 		nlmsg_free(msg);
11933 		return;
11934 	}
11935 
11936 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11937 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11938 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
11939 		goto nla_put_failure;
11940 
11941 	rekey_attr = nla_nest_start(msg, NL80211_ATTR_REKEY_DATA);
11942 	if (!rekey_attr)
11943 		goto nla_put_failure;
11944 
11945 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
11946 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
11947 		goto nla_put_failure;
11948 
11949 	nla_nest_end(msg, rekey_attr);
11950 
11951 	genlmsg_end(msg, hdr);
11952 
11953 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11954 				NL80211_MCGRP_MLME, gfp);
11955 	return;
11956 
11957  nla_put_failure:
11958 	genlmsg_cancel(msg, hdr);
11959 	nlmsg_free(msg);
11960 }
11961 
11962 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
11963 			       const u8 *replay_ctr, gfp_t gfp)
11964 {
11965 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11966 	struct wiphy *wiphy = wdev->wiphy;
11967 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11968 
11969 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
11970 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
11971 }
11972 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
11973 
11974 static void
11975 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
11976 			       struct net_device *netdev, int index,
11977 			       const u8 *bssid, bool preauth, gfp_t gfp)
11978 {
11979 	struct sk_buff *msg;
11980 	struct nlattr *attr;
11981 	void *hdr;
11982 
11983 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11984 	if (!msg)
11985 		return;
11986 
11987 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
11988 	if (!hdr) {
11989 		nlmsg_free(msg);
11990 		return;
11991 	}
11992 
11993 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11994 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
11995 		goto nla_put_failure;
11996 
11997 	attr = nla_nest_start(msg, NL80211_ATTR_PMKSA_CANDIDATE);
11998 	if (!attr)
11999 		goto nla_put_failure;
12000 
12001 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
12002 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
12003 	    (preauth &&
12004 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
12005 		goto nla_put_failure;
12006 
12007 	nla_nest_end(msg, attr);
12008 
12009 	genlmsg_end(msg, hdr);
12010 
12011 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12012 				NL80211_MCGRP_MLME, gfp);
12013 	return;
12014 
12015  nla_put_failure:
12016 	genlmsg_cancel(msg, hdr);
12017 	nlmsg_free(msg);
12018 }
12019 
12020 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
12021 				     const u8 *bssid, bool preauth, gfp_t gfp)
12022 {
12023 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12024 	struct wiphy *wiphy = wdev->wiphy;
12025 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12026 
12027 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
12028 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
12029 }
12030 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
12031 
12032 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
12033 				     struct net_device *netdev,
12034 				     struct cfg80211_chan_def *chandef,
12035 				     gfp_t gfp,
12036 				     enum nl80211_commands notif,
12037 				     u8 count)
12038 {
12039 	struct sk_buff *msg;
12040 	void *hdr;
12041 
12042 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12043 	if (!msg)
12044 		return;
12045 
12046 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
12047 	if (!hdr) {
12048 		nlmsg_free(msg);
12049 		return;
12050 	}
12051 
12052 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
12053 		goto nla_put_failure;
12054 
12055 	if (nl80211_send_chandef(msg, chandef))
12056 		goto nla_put_failure;
12057 
12058 	if ((notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) &&
12059 	    (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count)))
12060 			goto nla_put_failure;
12061 
12062 	genlmsg_end(msg, hdr);
12063 
12064 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12065 				NL80211_MCGRP_MLME, gfp);
12066 	return;
12067 
12068  nla_put_failure:
12069 	genlmsg_cancel(msg, hdr);
12070 	nlmsg_free(msg);
12071 }
12072 
12073 void cfg80211_ch_switch_notify(struct net_device *dev,
12074 			       struct cfg80211_chan_def *chandef)
12075 {
12076 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12077 	struct wiphy *wiphy = wdev->wiphy;
12078 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12079 
12080 	ASSERT_WDEV_LOCK(wdev);
12081 
12082 	trace_cfg80211_ch_switch_notify(dev, chandef);
12083 
12084 	wdev->chandef = *chandef;
12085 	wdev->preset_chandef = *chandef;
12086 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
12087 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0);
12088 }
12089 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
12090 
12091 void cfg80211_ch_switch_started_notify(struct net_device *dev,
12092 				       struct cfg80211_chan_def *chandef,
12093 				       u8 count)
12094 {
12095 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12096 	struct wiphy *wiphy = wdev->wiphy;
12097 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12098 
12099 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
12100 
12101 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
12102 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY, count);
12103 }
12104 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
12105 
12106 void
12107 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
12108 		     const struct cfg80211_chan_def *chandef,
12109 		     enum nl80211_radar_event event,
12110 		     struct net_device *netdev, gfp_t gfp)
12111 {
12112 	struct sk_buff *msg;
12113 	void *hdr;
12114 
12115 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12116 	if (!msg)
12117 		return;
12118 
12119 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
12120 	if (!hdr) {
12121 		nlmsg_free(msg);
12122 		return;
12123 	}
12124 
12125 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
12126 		goto nla_put_failure;
12127 
12128 	/* NOP and radar events don't need a netdev parameter */
12129 	if (netdev) {
12130 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
12131 
12132 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12133 		    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
12134 			goto nla_put_failure;
12135 	}
12136 
12137 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
12138 		goto nla_put_failure;
12139 
12140 	if (nl80211_send_chandef(msg, chandef))
12141 		goto nla_put_failure;
12142 
12143 	genlmsg_end(msg, hdr);
12144 
12145 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12146 				NL80211_MCGRP_MLME, gfp);
12147 	return;
12148 
12149  nla_put_failure:
12150 	genlmsg_cancel(msg, hdr);
12151 	nlmsg_free(msg);
12152 }
12153 
12154 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
12155 			   u64 cookie, bool acked, gfp_t gfp)
12156 {
12157 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12158 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
12159 	struct sk_buff *msg;
12160 	void *hdr;
12161 
12162 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
12163 
12164 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12165 
12166 	if (!msg)
12167 		return;
12168 
12169 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
12170 	if (!hdr) {
12171 		nlmsg_free(msg);
12172 		return;
12173 	}
12174 
12175 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12176 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
12177 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
12178 	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie) ||
12179 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)))
12180 		goto nla_put_failure;
12181 
12182 	genlmsg_end(msg, hdr);
12183 
12184 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12185 				NL80211_MCGRP_MLME, gfp);
12186 	return;
12187 
12188  nla_put_failure:
12189 	genlmsg_cancel(msg, hdr);
12190 	nlmsg_free(msg);
12191 }
12192 EXPORT_SYMBOL(cfg80211_probe_status);
12193 
12194 void cfg80211_report_obss_beacon(struct wiphy *wiphy,
12195 				 const u8 *frame, size_t len,
12196 				 int freq, int sig_dbm)
12197 {
12198 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12199 	struct sk_buff *msg;
12200 	void *hdr;
12201 	struct cfg80211_beacon_registration *reg;
12202 
12203 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
12204 
12205 	spin_lock_bh(&rdev->beacon_registrations_lock);
12206 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
12207 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
12208 		if (!msg) {
12209 			spin_unlock_bh(&rdev->beacon_registrations_lock);
12210 			return;
12211 		}
12212 
12213 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
12214 		if (!hdr)
12215 			goto nla_put_failure;
12216 
12217 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12218 		    (freq &&
12219 		     nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq)) ||
12220 		    (sig_dbm &&
12221 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
12222 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
12223 			goto nla_put_failure;
12224 
12225 		genlmsg_end(msg, hdr);
12226 
12227 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
12228 	}
12229 	spin_unlock_bh(&rdev->beacon_registrations_lock);
12230 	return;
12231 
12232  nla_put_failure:
12233 	spin_unlock_bh(&rdev->beacon_registrations_lock);
12234 	if (hdr)
12235 		genlmsg_cancel(msg, hdr);
12236 	nlmsg_free(msg);
12237 }
12238 EXPORT_SYMBOL(cfg80211_report_obss_beacon);
12239 
12240 #ifdef CONFIG_PM
12241 static int cfg80211_net_detect_results(struct sk_buff *msg,
12242 				       struct cfg80211_wowlan_wakeup *wakeup)
12243 {
12244 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
12245 	struct nlattr *nl_results, *nl_match, *nl_freqs;
12246 	int i, j;
12247 
12248 	nl_results = nla_nest_start(
12249 		msg, NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
12250 	if (!nl_results)
12251 		return -EMSGSIZE;
12252 
12253 	for (i = 0; i < nd->n_matches; i++) {
12254 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
12255 
12256 		nl_match = nla_nest_start(msg, i);
12257 		if (!nl_match)
12258 			break;
12259 
12260 		/* The SSID attribute is optional in nl80211, but for
12261 		 * simplicity reasons it's always present in the
12262 		 * cfg80211 structure.  If a driver can't pass the
12263 		 * SSID, that needs to be changed.  A zero length SSID
12264 		 * is still a valid SSID (wildcard), so it cannot be
12265 		 * used for this purpose.
12266 		 */
12267 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
12268 			    match->ssid.ssid)) {
12269 			nla_nest_cancel(msg, nl_match);
12270 			goto out;
12271 		}
12272 
12273 		if (match->n_channels) {
12274 			nl_freqs = nla_nest_start(
12275 				msg, NL80211_ATTR_SCAN_FREQUENCIES);
12276 			if (!nl_freqs) {
12277 				nla_nest_cancel(msg, nl_match);
12278 				goto out;
12279 			}
12280 
12281 			for (j = 0; j < match->n_channels; j++) {
12282 				if (nla_put_u32(msg,
12283 						NL80211_ATTR_WIPHY_FREQ,
12284 						match->channels[j])) {
12285 					nla_nest_cancel(msg, nl_freqs);
12286 					nla_nest_cancel(msg, nl_match);
12287 					goto out;
12288 				}
12289 			}
12290 
12291 			nla_nest_end(msg, nl_freqs);
12292 		}
12293 
12294 		nla_nest_end(msg, nl_match);
12295 	}
12296 
12297 out:
12298 	nla_nest_end(msg, nl_results);
12299 	return 0;
12300 }
12301 
12302 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
12303 				   struct cfg80211_wowlan_wakeup *wakeup,
12304 				   gfp_t gfp)
12305 {
12306 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
12307 	struct sk_buff *msg;
12308 	void *hdr;
12309 	int size = 200;
12310 
12311 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
12312 
12313 	if (wakeup)
12314 		size += wakeup->packet_present_len;
12315 
12316 	msg = nlmsg_new(size, gfp);
12317 	if (!msg)
12318 		return;
12319 
12320 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
12321 	if (!hdr)
12322 		goto free_msg;
12323 
12324 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12325 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
12326 		goto free_msg;
12327 
12328 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12329 					wdev->netdev->ifindex))
12330 		goto free_msg;
12331 
12332 	if (wakeup) {
12333 		struct nlattr *reasons;
12334 
12335 		reasons = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
12336 		if (!reasons)
12337 			goto free_msg;
12338 
12339 		if (wakeup->disconnect &&
12340 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
12341 			goto free_msg;
12342 		if (wakeup->magic_pkt &&
12343 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
12344 			goto free_msg;
12345 		if (wakeup->gtk_rekey_failure &&
12346 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
12347 			goto free_msg;
12348 		if (wakeup->eap_identity_req &&
12349 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
12350 			goto free_msg;
12351 		if (wakeup->four_way_handshake &&
12352 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
12353 			goto free_msg;
12354 		if (wakeup->rfkill_release &&
12355 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
12356 			goto free_msg;
12357 
12358 		if (wakeup->pattern_idx >= 0 &&
12359 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
12360 				wakeup->pattern_idx))
12361 			goto free_msg;
12362 
12363 		if (wakeup->tcp_match &&
12364 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
12365 			goto free_msg;
12366 
12367 		if (wakeup->tcp_connlost &&
12368 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
12369 			goto free_msg;
12370 
12371 		if (wakeup->tcp_nomoretokens &&
12372 		    nla_put_flag(msg,
12373 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
12374 			goto free_msg;
12375 
12376 		if (wakeup->packet) {
12377 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
12378 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
12379 
12380 			if (!wakeup->packet_80211) {
12381 				pkt_attr =
12382 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
12383 				len_attr =
12384 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
12385 			}
12386 
12387 			if (wakeup->packet_len &&
12388 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
12389 				goto free_msg;
12390 
12391 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
12392 				    wakeup->packet))
12393 				goto free_msg;
12394 		}
12395 
12396 		if (wakeup->net_detect &&
12397 		    cfg80211_net_detect_results(msg, wakeup))
12398 				goto free_msg;
12399 
12400 		nla_nest_end(msg, reasons);
12401 	}
12402 
12403 	genlmsg_end(msg, hdr);
12404 
12405 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12406 				NL80211_MCGRP_MLME, gfp);
12407 	return;
12408 
12409  free_msg:
12410 	nlmsg_free(msg);
12411 }
12412 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
12413 #endif
12414 
12415 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
12416 				enum nl80211_tdls_operation oper,
12417 				u16 reason_code, gfp_t gfp)
12418 {
12419 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12420 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
12421 	struct sk_buff *msg;
12422 	void *hdr;
12423 
12424 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
12425 					 reason_code);
12426 
12427 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12428 	if (!msg)
12429 		return;
12430 
12431 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
12432 	if (!hdr) {
12433 		nlmsg_free(msg);
12434 		return;
12435 	}
12436 
12437 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12438 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
12439 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
12440 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
12441 	    (reason_code > 0 &&
12442 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
12443 		goto nla_put_failure;
12444 
12445 	genlmsg_end(msg, hdr);
12446 
12447 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12448 				NL80211_MCGRP_MLME, gfp);
12449 	return;
12450 
12451  nla_put_failure:
12452 	genlmsg_cancel(msg, hdr);
12453 	nlmsg_free(msg);
12454 }
12455 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
12456 
12457 static int nl80211_netlink_notify(struct notifier_block * nb,
12458 				  unsigned long state,
12459 				  void *_notify)
12460 {
12461 	struct netlink_notify *notify = _notify;
12462 	struct cfg80211_registered_device *rdev;
12463 	struct wireless_dev *wdev;
12464 	struct cfg80211_beacon_registration *reg, *tmp;
12465 
12466 	if (state != NETLINK_URELEASE)
12467 		return NOTIFY_DONE;
12468 
12469 	rcu_read_lock();
12470 
12471 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
12472 		bool schedule_destroy_work = false;
12473 
12474 		list_for_each_entry_rcu(wdev, &rdev->wdev_list, list) {
12475 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
12476 
12477 			if (wdev->owner_nlportid == notify->portid)
12478 				schedule_destroy_work = true;
12479 		}
12480 
12481 		spin_lock_bh(&rdev->beacon_registrations_lock);
12482 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
12483 					 list) {
12484 			if (reg->nlportid == notify->portid) {
12485 				list_del(&reg->list);
12486 				kfree(reg);
12487 				break;
12488 			}
12489 		}
12490 		spin_unlock_bh(&rdev->beacon_registrations_lock);
12491 
12492 		if (schedule_destroy_work) {
12493 			struct cfg80211_iface_destroy *destroy;
12494 
12495 			destroy = kzalloc(sizeof(*destroy), GFP_ATOMIC);
12496 			if (destroy) {
12497 				destroy->nlportid = notify->portid;
12498 				spin_lock(&rdev->destroy_list_lock);
12499 				list_add(&destroy->list, &rdev->destroy_list);
12500 				spin_unlock(&rdev->destroy_list_lock);
12501 				schedule_work(&rdev->destroy_work);
12502 			}
12503 		}
12504 	}
12505 
12506 	rcu_read_unlock();
12507 
12508 	return NOTIFY_OK;
12509 }
12510 
12511 static struct notifier_block nl80211_netlink_notifier = {
12512 	.notifier_call = nl80211_netlink_notify,
12513 };
12514 
12515 void cfg80211_ft_event(struct net_device *netdev,
12516 		       struct cfg80211_ft_event_params *ft_event)
12517 {
12518 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
12519 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12520 	struct sk_buff *msg;
12521 	void *hdr;
12522 
12523 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
12524 
12525 	if (!ft_event->target_ap)
12526 		return;
12527 
12528 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12529 	if (!msg)
12530 		return;
12531 
12532 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
12533 	if (!hdr)
12534 		goto out;
12535 
12536 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12537 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12538 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
12539 		goto out;
12540 
12541 	if (ft_event->ies &&
12542 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
12543 		goto out;
12544 	if (ft_event->ric_ies &&
12545 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
12546 		    ft_event->ric_ies))
12547 		goto out;
12548 
12549 	genlmsg_end(msg, hdr);
12550 
12551 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12552 				NL80211_MCGRP_MLME, GFP_KERNEL);
12553 	return;
12554  out:
12555 	nlmsg_free(msg);
12556 }
12557 EXPORT_SYMBOL(cfg80211_ft_event);
12558 
12559 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
12560 {
12561 	struct cfg80211_registered_device *rdev;
12562 	struct sk_buff *msg;
12563 	void *hdr;
12564 	u32 nlportid;
12565 
12566 	rdev = wiphy_to_rdev(wdev->wiphy);
12567 	if (!rdev->crit_proto_nlportid)
12568 		return;
12569 
12570 	nlportid = rdev->crit_proto_nlportid;
12571 	rdev->crit_proto_nlportid = 0;
12572 
12573 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12574 	if (!msg)
12575 		return;
12576 
12577 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
12578 	if (!hdr)
12579 		goto nla_put_failure;
12580 
12581 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12582 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
12583 		goto nla_put_failure;
12584 
12585 	genlmsg_end(msg, hdr);
12586 
12587 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
12588 	return;
12589 
12590  nla_put_failure:
12591 	if (hdr)
12592 		genlmsg_cancel(msg, hdr);
12593 	nlmsg_free(msg);
12594 
12595 }
12596 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
12597 
12598 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
12599 {
12600 	struct wiphy *wiphy = wdev->wiphy;
12601 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12602 	struct sk_buff *msg;
12603 	void *hdr;
12604 
12605 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12606 	if (!msg)
12607 		return;
12608 
12609 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
12610 	if (!hdr)
12611 		goto out;
12612 
12613 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12614 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
12615 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
12616 		goto out;
12617 
12618 	genlmsg_end(msg, hdr);
12619 
12620 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
12621 				NL80211_MCGRP_MLME, GFP_KERNEL);
12622 	return;
12623  out:
12624 	nlmsg_free(msg);
12625 }
12626 
12627 /* initialisation/exit functions */
12628 
12629 int nl80211_init(void)
12630 {
12631 	int err;
12632 
12633 	err = genl_register_family_with_ops_groups(&nl80211_fam, nl80211_ops,
12634 						   nl80211_mcgrps);
12635 	if (err)
12636 		return err;
12637 
12638 	err = netlink_register_notifier(&nl80211_netlink_notifier);
12639 	if (err)
12640 		goto err_out;
12641 
12642 	return 0;
12643  err_out:
12644 	genl_unregister_family(&nl80211_fam);
12645 	return err;
12646 }
12647 
12648 void nl80211_exit(void)
12649 {
12650 	netlink_unregister_notifier(&nl80211_netlink_notifier);
12651 	genl_unregister_family(&nl80211_fam);
12652 }
12653