xref: /openbmc/linux/net/wireless/nl80211.c (revision ca460cc2) 
1 /*
2  * This is the new netlink-based wireless configuration interface.
3  *
4  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
5  * Copyright 2013-2014  Intel Mobile Communications GmbH
6  */
7 
8 #include <linux/if.h>
9 #include <linux/module.h>
10 #include <linux/err.h>
11 #include <linux/slab.h>
12 #include <linux/list.h>
13 #include <linux/if_ether.h>
14 #include <linux/ieee80211.h>
15 #include <linux/nl80211.h>
16 #include <linux/rtnetlink.h>
17 #include <linux/netlink.h>
18 #include <linux/etherdevice.h>
19 #include <net/net_namespace.h>
20 #include <net/genetlink.h>
21 #include <net/cfg80211.h>
22 #include <net/sock.h>
23 #include <net/inet_connection_sock.h>
24 #include "core.h"
25 #include "nl80211.h"
26 #include "reg.h"
27 #include "rdev-ops.h"
28 
29 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
30 				   struct genl_info *info,
31 				   struct cfg80211_crypto_settings *settings,
32 				   int cipher_limit);
33 
34 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
35 			    struct genl_info *info);
36 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
37 			      struct genl_info *info);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam = {
41 	.id = GENL_ID_GENERATE,		/* don't bother with a hardcoded ID */
42 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
43 	.hdrsize = 0,			/* no private header */
44 	.version = 1,			/* no particular meaning now */
45 	.maxattr = NL80211_ATTR_MAX,
46 	.netnsok = true,
47 	.pre_doit = nl80211_pre_doit,
48 	.post_doit = nl80211_post_doit,
49 };
50 
51 /* multicast groups */
52 enum nl80211_multicast_groups {
53 	NL80211_MCGRP_CONFIG,
54 	NL80211_MCGRP_SCAN,
55 	NL80211_MCGRP_REGULATORY,
56 	NL80211_MCGRP_MLME,
57 	NL80211_MCGRP_VENDOR,
58 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
59 };
60 
61 static const struct genl_multicast_group nl80211_mcgrps[] = {
62 	[NL80211_MCGRP_CONFIG] = { .name = "config", },
63 	[NL80211_MCGRP_SCAN] = { .name = "scan", },
64 	[NL80211_MCGRP_REGULATORY] = { .name = "regulatory", },
65 	[NL80211_MCGRP_MLME] = { .name = "mlme", },
66 	[NL80211_MCGRP_VENDOR] = { .name = "vendor", },
67 #ifdef CONFIG_NL80211_TESTMODE
68 	[NL80211_MCGRP_TESTMODE] = { .name = "testmode", }
69 #endif
70 };
71 
72 /* returns ERR_PTR values */
73 static struct wireless_dev *
74 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
75 {
76 	struct cfg80211_registered_device *rdev;
77 	struct wireless_dev *result = NULL;
78 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
79 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
80 	u64 wdev_id;
81 	int wiphy_idx = -1;
82 	int ifidx = -1;
83 
84 	ASSERT_RTNL();
85 
86 	if (!have_ifidx && !have_wdev_id)
87 		return ERR_PTR(-EINVAL);
88 
89 	if (have_ifidx)
90 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
91 	if (have_wdev_id) {
92 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
93 		wiphy_idx = wdev_id >> 32;
94 	}
95 
96 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
97 		struct wireless_dev *wdev;
98 
99 		if (wiphy_net(&rdev->wiphy) != netns)
100 			continue;
101 
102 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
103 			continue;
104 
105 		list_for_each_entry(wdev, &rdev->wdev_list, list) {
106 			if (have_ifidx && wdev->netdev &&
107 			    wdev->netdev->ifindex == ifidx) {
108 				result = wdev;
109 				break;
110 			}
111 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
112 				result = wdev;
113 				break;
114 			}
115 		}
116 
117 		if (result)
118 			break;
119 	}
120 
121 	if (result)
122 		return result;
123 	return ERR_PTR(-ENODEV);
124 }
125 
126 static struct cfg80211_registered_device *
127 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
128 {
129 	struct cfg80211_registered_device *rdev = NULL, *tmp;
130 	struct net_device *netdev;
131 
132 	ASSERT_RTNL();
133 
134 	if (!attrs[NL80211_ATTR_WIPHY] &&
135 	    !attrs[NL80211_ATTR_IFINDEX] &&
136 	    !attrs[NL80211_ATTR_WDEV])
137 		return ERR_PTR(-EINVAL);
138 
139 	if (attrs[NL80211_ATTR_WIPHY])
140 		rdev = cfg80211_rdev_by_wiphy_idx(
141 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
142 
143 	if (attrs[NL80211_ATTR_WDEV]) {
144 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
145 		struct wireless_dev *wdev;
146 		bool found = false;
147 
148 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
149 		if (tmp) {
150 			/* make sure wdev exists */
151 			list_for_each_entry(wdev, &tmp->wdev_list, list) {
152 				if (wdev->identifier != (u32)wdev_id)
153 					continue;
154 				found = true;
155 				break;
156 			}
157 
158 			if (!found)
159 				tmp = NULL;
160 
161 			if (rdev && tmp != rdev)
162 				return ERR_PTR(-EINVAL);
163 			rdev = tmp;
164 		}
165 	}
166 
167 	if (attrs[NL80211_ATTR_IFINDEX]) {
168 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
169 		netdev = __dev_get_by_index(netns, ifindex);
170 		if (netdev) {
171 			if (netdev->ieee80211_ptr)
172 				tmp = wiphy_to_rdev(
173 					netdev->ieee80211_ptr->wiphy);
174 			else
175 				tmp = NULL;
176 
177 			/* not wireless device -- return error */
178 			if (!tmp)
179 				return ERR_PTR(-EINVAL);
180 
181 			/* mismatch -- return error */
182 			if (rdev && tmp != rdev)
183 				return ERR_PTR(-EINVAL);
184 
185 			rdev = tmp;
186 		}
187 	}
188 
189 	if (!rdev)
190 		return ERR_PTR(-ENODEV);
191 
192 	if (netns != wiphy_net(&rdev->wiphy))
193 		return ERR_PTR(-ENODEV);
194 
195 	return rdev;
196 }
197 
198 /*
199  * This function returns a pointer to the driver
200  * that the genl_info item that is passed refers to.
201  *
202  * The result of this can be a PTR_ERR and hence must
203  * be checked with IS_ERR() for errors.
204  */
205 static struct cfg80211_registered_device *
206 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
207 {
208 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
209 }
210 
211 /* policy for the attributes */
212 static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
213 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
214 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
215 				      .len = 20-1 },
216 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
217 
218 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
219 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
220 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
221 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
222 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
223 
224 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = { .type = NLA_U8 },
225 	[NL80211_ATTR_WIPHY_RETRY_LONG] = { .type = NLA_U8 },
226 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
227 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
228 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
229 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
230 
231 	[NL80211_ATTR_IFTYPE] = { .type = NLA_U32 },
232 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
233 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
234 
235 	[NL80211_ATTR_MAC] = { .len = ETH_ALEN },
236 	[NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },
237 
238 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
239 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
240 				    .len = WLAN_MAX_KEY_LEN },
241 	[NL80211_ATTR_KEY_IDX] = { .type = NLA_U8 },
242 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
243 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
244 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
245 	[NL80211_ATTR_KEY_TYPE] = { .type = NLA_U32 },
246 
247 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
248 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
249 	[NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
250 				       .len = IEEE80211_MAX_DATA_LEN },
251 	[NL80211_ATTR_BEACON_TAIL] = { .type = NLA_BINARY,
252 				       .len = IEEE80211_MAX_DATA_LEN },
253 	[NL80211_ATTR_STA_AID] = { .type = NLA_U16 },
254 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
255 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
256 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
257 					       .len = NL80211_MAX_SUPP_RATES },
258 	[NL80211_ATTR_STA_PLINK_ACTION] = { .type = NLA_U8 },
259 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
260 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
261 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
262 				   .len = IEEE80211_MAX_MESH_ID_LEN },
263 	[NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
264 
265 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
266 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
267 
268 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
269 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
270 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
271 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
272 					   .len = NL80211_MAX_SUPP_RATES },
273 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
274 
275 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
276 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
277 
278 	[NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
279 
280 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
281 	[NL80211_ATTR_IE] = { .type = NLA_BINARY,
282 			      .len = IEEE80211_MAX_DATA_LEN },
283 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
284 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
285 
286 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
287 				.len = IEEE80211_MAX_SSID_LEN },
288 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
289 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
290 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
291 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
292 	[NL80211_ATTR_USE_MFP] = { .type = NLA_U32 },
293 	[NL80211_ATTR_STA_FLAGS2] = {
294 		.len = sizeof(struct nl80211_sta_flag_update),
295 	},
296 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
297 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
298 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
299 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
300 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
301 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
302 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
303 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
304 	[NL80211_ATTR_PMKID] = { .type = NLA_BINARY,
305 				 .len = WLAN_PMKID_LEN },
306 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
307 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
308 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
309 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
310 				 .len = IEEE80211_MAX_DATA_LEN },
311 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
312 	[NL80211_ATTR_PS_STATE] = { .type = NLA_U32 },
313 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
314 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
315 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
316 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
317 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
318 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
319 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
320 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
321 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
322 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
323 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
324 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
325 	[NL80211_ATTR_STA_PLINK_STATE] = { .type = NLA_U8 },
326 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
327 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
328 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
329 	[NL80211_ATTR_HIDDEN_SSID] = { .type = NLA_U32 },
330 	[NL80211_ATTR_IE_PROBE_RESP] = { .type = NLA_BINARY,
331 					 .len = IEEE80211_MAX_DATA_LEN },
332 	[NL80211_ATTR_IE_ASSOC_RESP] = { .type = NLA_BINARY,
333 					 .len = IEEE80211_MAX_DATA_LEN },
334 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
335 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
336 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
337 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
338 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
339 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
340 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
341 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
342 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
343 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
344 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
345 				      .len = IEEE80211_MAX_DATA_LEN },
346 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
347 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
348 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
349 		.len = NL80211_HT_CAPABILITY_LEN
350 	},
351 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
352 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
353 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
354 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
355 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
356 	[NL80211_ATTR_SAE_DATA] = { .type = NLA_BINARY, },
357 	[NL80211_ATTR_VHT_CAPABILITY] = { .len = NL80211_VHT_CAPABILITY_LEN },
358 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
359 	[NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
360 	[NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
361 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
362 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
363 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
364 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
365 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
366 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
367 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
368 		.len = NL80211_VHT_CAPABILITY_LEN,
369 	},
370 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
371 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
372 				  .len = IEEE80211_MAX_DATA_LEN },
373 	[NL80211_ATTR_PEER_AID] = { .type = NLA_U16 },
374 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
375 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
376 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
377 	[NL80211_ATTR_CSA_C_OFF_BEACON] = { .type = NLA_BINARY },
378 	[NL80211_ATTR_CSA_C_OFF_PRESP] = { .type = NLA_BINARY },
379 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = { .type = NLA_BINARY },
380 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] = { .type = NLA_BINARY },
381 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
382 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
383 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
384 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
385 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
386 	[NL80211_ATTR_QOS_MAP] = { .type = NLA_BINARY,
387 				   .len = IEEE80211_QOS_MAP_LEN_MAX },
388 	[NL80211_ATTR_MAC_HINT] = { .len = ETH_ALEN },
389 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
390 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
391 	[NL80211_ATTR_IFACE_SOCKET_OWNER] = { .type = NLA_FLAG },
392 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
393 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
394 	[NL80211_ATTR_TSID] = { .type = NLA_U8 },
395 	[NL80211_ATTR_USER_PRIO] = { .type = NLA_U8 },
396 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
397 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
398 };
399 
400 /* policy for the key attributes */
401 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
402 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
403 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
404 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
405 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
406 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
407 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
408 	[NL80211_KEY_TYPE] = { .type = NLA_U32 },
409 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
410 };
411 
412 /* policy for the key default flags */
413 static const struct nla_policy
414 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
415 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
416 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
417 };
418 
419 /* policy for WoWLAN attributes */
420 static const struct nla_policy
421 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
422 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
423 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
424 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
425 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
426 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
427 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
428 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
429 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
430 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
431 };
432 
433 static const struct nla_policy
434 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
435 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
436 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
437 	[NL80211_WOWLAN_TCP_DST_MAC] = { .len = ETH_ALEN },
438 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
439 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
440 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = { .len = 1 },
441 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
442 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
443 	},
444 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
445 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
446 	},
447 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
448 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = { .len = 1 },
449 	[NL80211_WOWLAN_TCP_WAKE_MASK] = { .len = 1 },
450 };
451 
452 /* policy for coalesce rule attributes */
453 static const struct nla_policy
454 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
455 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
456 	[NL80211_ATTR_COALESCE_RULE_CONDITION] = { .type = NLA_U32 },
457 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
458 };
459 
460 /* policy for GTK rekey offload attributes */
461 static const struct nla_policy
462 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
463 	[NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
464 	[NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
465 	[NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
466 };
467 
468 static const struct nla_policy
469 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
470 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
471 						 .len = IEEE80211_MAX_SSID_LEN },
472 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
473 };
474 
475 static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
476 				     struct netlink_callback *cb,
477 				     struct cfg80211_registered_device **rdev,
478 				     struct wireless_dev **wdev)
479 {
480 	int err;
481 
482 	rtnl_lock();
483 
484 	if (!cb->args[0]) {
485 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
486 				  nl80211_fam.attrbuf, nl80211_fam.maxattr,
487 				  nl80211_policy);
488 		if (err)
489 			goto out_unlock;
490 
491 		*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk),
492 						   nl80211_fam.attrbuf);
493 		if (IS_ERR(*wdev)) {
494 			err = PTR_ERR(*wdev);
495 			goto out_unlock;
496 		}
497 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
498 		/* 0 is the first index - add 1 to parse only once */
499 		cb->args[0] = (*rdev)->wiphy_idx + 1;
500 		cb->args[1] = (*wdev)->identifier;
501 	} else {
502 		/* subtract the 1 again here */
503 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
504 		struct wireless_dev *tmp;
505 
506 		if (!wiphy) {
507 			err = -ENODEV;
508 			goto out_unlock;
509 		}
510 		*rdev = wiphy_to_rdev(wiphy);
511 		*wdev = NULL;
512 
513 		list_for_each_entry(tmp, &(*rdev)->wdev_list, list) {
514 			if (tmp->identifier == cb->args[1]) {
515 				*wdev = tmp;
516 				break;
517 			}
518 		}
519 
520 		if (!*wdev) {
521 			err = -ENODEV;
522 			goto out_unlock;
523 		}
524 	}
525 
526 	return 0;
527  out_unlock:
528 	rtnl_unlock();
529 	return err;
530 }
531 
532 static void nl80211_finish_wdev_dump(struct cfg80211_registered_device *rdev)
533 {
534 	rtnl_unlock();
535 }
536 
537 /* IE validation */
538 static bool is_valid_ie_attr(const struct nlattr *attr)
539 {
540 	const u8 *pos;
541 	int len;
542 
543 	if (!attr)
544 		return true;
545 
546 	pos = nla_data(attr);
547 	len = nla_len(attr);
548 
549 	while (len) {
550 		u8 elemlen;
551 
552 		if (len < 2)
553 			return false;
554 		len -= 2;
555 
556 		elemlen = pos[1];
557 		if (elemlen > len)
558 			return false;
559 
560 		len -= elemlen;
561 		pos += 2 + elemlen;
562 	}
563 
564 	return true;
565 }
566 
567 /* message building helper */
568 static inline void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
569 				   int flags, u8 cmd)
570 {
571 	/* since there is no private header just add the generic one */
572 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
573 }
574 
575 static int nl80211_msg_put_channel(struct sk_buff *msg,
576 				   struct ieee80211_channel *chan,
577 				   bool large)
578 {
579 	/* Some channels must be completely excluded from the
580 	 * list to protect old user-space tools from breaking
581 	 */
582 	if (!large && chan->flags &
583 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
584 		return 0;
585 
586 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
587 			chan->center_freq))
588 		goto nla_put_failure;
589 
590 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
591 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
592 		goto nla_put_failure;
593 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
594 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
595 			goto nla_put_failure;
596 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
597 			goto nla_put_failure;
598 	}
599 	if (chan->flags & IEEE80211_CHAN_RADAR) {
600 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
601 			goto nla_put_failure;
602 		if (large) {
603 			u32 time;
604 
605 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
606 
607 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
608 					chan->dfs_state))
609 				goto nla_put_failure;
610 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
611 					time))
612 				goto nla_put_failure;
613 			if (nla_put_u32(msg,
614 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
615 					chan->dfs_cac_ms))
616 				goto nla_put_failure;
617 		}
618 	}
619 
620 	if (large) {
621 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
622 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
623 			goto nla_put_failure;
624 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
625 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
626 			goto nla_put_failure;
627 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
628 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
629 			goto nla_put_failure;
630 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
631 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
632 			goto nla_put_failure;
633 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
634 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
635 			goto nla_put_failure;
636 		if ((chan->flags & IEEE80211_CHAN_GO_CONCURRENT) &&
637 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_GO_CONCURRENT))
638 			goto nla_put_failure;
639 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
640 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
641 			goto nla_put_failure;
642 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
643 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
644 			goto nla_put_failure;
645 	}
646 
647 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
648 			DBM_TO_MBM(chan->max_power)))
649 		goto nla_put_failure;
650 
651 	return 0;
652 
653  nla_put_failure:
654 	return -ENOBUFS;
655 }
656 
657 /* netlink command implementations */
658 
659 struct key_parse {
660 	struct key_params p;
661 	int idx;
662 	int type;
663 	bool def, defmgmt;
664 	bool def_uni, def_multi;
665 };
666 
667 static int nl80211_parse_key_new(struct nlattr *key, struct key_parse *k)
668 {
669 	struct nlattr *tb[NL80211_KEY_MAX + 1];
670 	int err = nla_parse_nested(tb, NL80211_KEY_MAX, key,
671 				   nl80211_key_policy);
672 	if (err)
673 		return err;
674 
675 	k->def = !!tb[NL80211_KEY_DEFAULT];
676 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
677 
678 	if (k->def) {
679 		k->def_uni = true;
680 		k->def_multi = true;
681 	}
682 	if (k->defmgmt)
683 		k->def_multi = true;
684 
685 	if (tb[NL80211_KEY_IDX])
686 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
687 
688 	if (tb[NL80211_KEY_DATA]) {
689 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
690 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
691 	}
692 
693 	if (tb[NL80211_KEY_SEQ]) {
694 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
695 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
696 	}
697 
698 	if (tb[NL80211_KEY_CIPHER])
699 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
700 
701 	if (tb[NL80211_KEY_TYPE]) {
702 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
703 		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
704 			return -EINVAL;
705 	}
706 
707 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
708 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
709 		err = nla_parse_nested(kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
710 				       tb[NL80211_KEY_DEFAULT_TYPES],
711 				       nl80211_key_default_policy);
712 		if (err)
713 			return err;
714 
715 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
716 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
717 	}
718 
719 	return 0;
720 }
721 
722 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
723 {
724 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
725 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
726 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
727 	}
728 
729 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
730 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
731 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
732 	}
733 
734 	if (info->attrs[NL80211_ATTR_KEY_IDX])
735 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
736 
737 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
738 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
739 
740 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
741 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
742 
743 	if (k->def) {
744 		k->def_uni = true;
745 		k->def_multi = true;
746 	}
747 	if (k->defmgmt)
748 		k->def_multi = true;
749 
750 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
751 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
752 		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
753 			return -EINVAL;
754 	}
755 
756 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
757 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
758 		int err = nla_parse_nested(
759 				kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
760 				info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
761 				nl80211_key_default_policy);
762 		if (err)
763 			return err;
764 
765 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
766 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
767 	}
768 
769 	return 0;
770 }
771 
772 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
773 {
774 	int err;
775 
776 	memset(k, 0, sizeof(*k));
777 	k->idx = -1;
778 	k->type = -1;
779 
780 	if (info->attrs[NL80211_ATTR_KEY])
781 		err = nl80211_parse_key_new(info->attrs[NL80211_ATTR_KEY], k);
782 	else
783 		err = nl80211_parse_key_old(info, k);
784 
785 	if (err)
786 		return err;
787 
788 	if (k->def && k->defmgmt)
789 		return -EINVAL;
790 
791 	if (k->defmgmt) {
792 		if (k->def_uni || !k->def_multi)
793 			return -EINVAL;
794 	}
795 
796 	if (k->idx != -1) {
797 		if (k->defmgmt) {
798 			if (k->idx < 4 || k->idx > 5)
799 				return -EINVAL;
800 		} else if (k->def) {
801 			if (k->idx < 0 || k->idx > 3)
802 				return -EINVAL;
803 		} else {
804 			if (k->idx < 0 || k->idx > 5)
805 				return -EINVAL;
806 		}
807 	}
808 
809 	return 0;
810 }
811 
812 static struct cfg80211_cached_keys *
813 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
814 		       struct nlattr *keys, bool *no_ht)
815 {
816 	struct key_parse parse;
817 	struct nlattr *key;
818 	struct cfg80211_cached_keys *result;
819 	int rem, err, def = 0;
820 
821 	result = kzalloc(sizeof(*result), GFP_KERNEL);
822 	if (!result)
823 		return ERR_PTR(-ENOMEM);
824 
825 	result->def = -1;
826 	result->defmgmt = -1;
827 
828 	nla_for_each_nested(key, keys, rem) {
829 		memset(&parse, 0, sizeof(parse));
830 		parse.idx = -1;
831 
832 		err = nl80211_parse_key_new(key, &parse);
833 		if (err)
834 			goto error;
835 		err = -EINVAL;
836 		if (!parse.p.key)
837 			goto error;
838 		if (parse.idx < 0 || parse.idx > 4)
839 			goto error;
840 		if (parse.def) {
841 			if (def)
842 				goto error;
843 			def = 1;
844 			result->def = parse.idx;
845 			if (!parse.def_uni || !parse.def_multi)
846 				goto error;
847 		} else if (parse.defmgmt)
848 			goto error;
849 		err = cfg80211_validate_key_settings(rdev, &parse.p,
850 						     parse.idx, false, NULL);
851 		if (err)
852 			goto error;
853 		result->params[parse.idx].cipher = parse.p.cipher;
854 		result->params[parse.idx].key_len = parse.p.key_len;
855 		result->params[parse.idx].key = result->data[parse.idx];
856 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
857 
858 		if (parse.p.cipher == WLAN_CIPHER_SUITE_WEP40 ||
859 		    parse.p.cipher == WLAN_CIPHER_SUITE_WEP104) {
860 			if (no_ht)
861 				*no_ht = true;
862 		}
863 	}
864 
865 	return result;
866  error:
867 	kfree(result);
868 	return ERR_PTR(err);
869 }
870 
871 static int nl80211_key_allowed(struct wireless_dev *wdev)
872 {
873 	ASSERT_WDEV_LOCK(wdev);
874 
875 	switch (wdev->iftype) {
876 	case NL80211_IFTYPE_AP:
877 	case NL80211_IFTYPE_AP_VLAN:
878 	case NL80211_IFTYPE_P2P_GO:
879 	case NL80211_IFTYPE_MESH_POINT:
880 		break;
881 	case NL80211_IFTYPE_ADHOC:
882 	case NL80211_IFTYPE_STATION:
883 	case NL80211_IFTYPE_P2P_CLIENT:
884 		if (!wdev->current_bss)
885 			return -ENOLINK;
886 		break;
887 	default:
888 		return -EINVAL;
889 	}
890 
891 	return 0;
892 }
893 
894 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
895 							struct nlattr *tb)
896 {
897 	struct ieee80211_channel *chan;
898 
899 	if (tb == NULL)
900 		return NULL;
901 	chan = ieee80211_get_channel(wiphy, nla_get_u32(tb));
902 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
903 		return NULL;
904 	return chan;
905 }
906 
907 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
908 {
909 	struct nlattr *nl_modes = nla_nest_start(msg, attr);
910 	int i;
911 
912 	if (!nl_modes)
913 		goto nla_put_failure;
914 
915 	i = 0;
916 	while (ifmodes) {
917 		if ((ifmodes & 1) && nla_put_flag(msg, i))
918 			goto nla_put_failure;
919 		ifmodes >>= 1;
920 		i++;
921 	}
922 
923 	nla_nest_end(msg, nl_modes);
924 	return 0;
925 
926 nla_put_failure:
927 	return -ENOBUFS;
928 }
929 
930 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
931 					  struct sk_buff *msg,
932 					  bool large)
933 {
934 	struct nlattr *nl_combis;
935 	int i, j;
936 
937 	nl_combis = nla_nest_start(msg,
938 				NL80211_ATTR_INTERFACE_COMBINATIONS);
939 	if (!nl_combis)
940 		goto nla_put_failure;
941 
942 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
943 		const struct ieee80211_iface_combination *c;
944 		struct nlattr *nl_combi, *nl_limits;
945 
946 		c = &wiphy->iface_combinations[i];
947 
948 		nl_combi = nla_nest_start(msg, i + 1);
949 		if (!nl_combi)
950 			goto nla_put_failure;
951 
952 		nl_limits = nla_nest_start(msg, NL80211_IFACE_COMB_LIMITS);
953 		if (!nl_limits)
954 			goto nla_put_failure;
955 
956 		for (j = 0; j < c->n_limits; j++) {
957 			struct nlattr *nl_limit;
958 
959 			nl_limit = nla_nest_start(msg, j + 1);
960 			if (!nl_limit)
961 				goto nla_put_failure;
962 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
963 					c->limits[j].max))
964 				goto nla_put_failure;
965 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
966 						c->limits[j].types))
967 				goto nla_put_failure;
968 			nla_nest_end(msg, nl_limit);
969 		}
970 
971 		nla_nest_end(msg, nl_limits);
972 
973 		if (c->beacon_int_infra_match &&
974 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
975 			goto nla_put_failure;
976 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
977 				c->num_different_channels) ||
978 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
979 				c->max_interfaces))
980 			goto nla_put_failure;
981 		if (large &&
982 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
983 				c->radar_detect_widths) ||
984 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
985 				c->radar_detect_regions)))
986 			goto nla_put_failure;
987 
988 		nla_nest_end(msg, nl_combi);
989 	}
990 
991 	nla_nest_end(msg, nl_combis);
992 
993 	return 0;
994 nla_put_failure:
995 	return -ENOBUFS;
996 }
997 
998 #ifdef CONFIG_PM
999 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1000 					struct sk_buff *msg)
1001 {
1002 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1003 	struct nlattr *nl_tcp;
1004 
1005 	if (!tcp)
1006 		return 0;
1007 
1008 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1009 	if (!nl_tcp)
1010 		return -ENOBUFS;
1011 
1012 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1013 			tcp->data_payload_max))
1014 		return -ENOBUFS;
1015 
1016 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1017 			tcp->data_payload_max))
1018 		return -ENOBUFS;
1019 
1020 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1021 		return -ENOBUFS;
1022 
1023 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1024 				sizeof(*tcp->tok), tcp->tok))
1025 		return -ENOBUFS;
1026 
1027 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1028 			tcp->data_interval_max))
1029 		return -ENOBUFS;
1030 
1031 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1032 			tcp->wake_payload_max))
1033 		return -ENOBUFS;
1034 
1035 	nla_nest_end(msg, nl_tcp);
1036 	return 0;
1037 }
1038 
1039 static int nl80211_send_wowlan(struct sk_buff *msg,
1040 			       struct cfg80211_registered_device *rdev,
1041 			       bool large)
1042 {
1043 	struct nlattr *nl_wowlan;
1044 
1045 	if (!rdev->wiphy.wowlan)
1046 		return 0;
1047 
1048 	nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1049 	if (!nl_wowlan)
1050 		return -ENOBUFS;
1051 
1052 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1053 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1054 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1055 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1056 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1057 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1058 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1059 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1060 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1061 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1062 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1063 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1064 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1065 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1066 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1067 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1068 		return -ENOBUFS;
1069 
1070 	if (rdev->wiphy.wowlan->n_patterns) {
1071 		struct nl80211_pattern_support pat = {
1072 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1073 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1074 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1075 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1076 		};
1077 
1078 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1079 			    sizeof(pat), &pat))
1080 			return -ENOBUFS;
1081 	}
1082 
1083 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1084 		return -ENOBUFS;
1085 
1086 	nla_nest_end(msg, nl_wowlan);
1087 
1088 	return 0;
1089 }
1090 #endif
1091 
1092 static int nl80211_send_coalesce(struct sk_buff *msg,
1093 				 struct cfg80211_registered_device *rdev)
1094 {
1095 	struct nl80211_coalesce_rule_support rule;
1096 
1097 	if (!rdev->wiphy.coalesce)
1098 		return 0;
1099 
1100 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1101 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1102 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1103 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1104 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1105 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1106 
1107 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1108 		return -ENOBUFS;
1109 
1110 	return 0;
1111 }
1112 
1113 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1114 				      struct ieee80211_supported_band *sband)
1115 {
1116 	struct nlattr *nl_rates, *nl_rate;
1117 	struct ieee80211_rate *rate;
1118 	int i;
1119 
1120 	/* add HT info */
1121 	if (sband->ht_cap.ht_supported &&
1122 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1123 		     sizeof(sband->ht_cap.mcs),
1124 		     &sband->ht_cap.mcs) ||
1125 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1126 			 sband->ht_cap.cap) ||
1127 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1128 			sband->ht_cap.ampdu_factor) ||
1129 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1130 			sband->ht_cap.ampdu_density)))
1131 		return -ENOBUFS;
1132 
1133 	/* add VHT info */
1134 	if (sband->vht_cap.vht_supported &&
1135 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1136 		     sizeof(sband->vht_cap.vht_mcs),
1137 		     &sband->vht_cap.vht_mcs) ||
1138 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1139 			 sband->vht_cap.cap)))
1140 		return -ENOBUFS;
1141 
1142 	/* add bitrates */
1143 	nl_rates = nla_nest_start(msg, NL80211_BAND_ATTR_RATES);
1144 	if (!nl_rates)
1145 		return -ENOBUFS;
1146 
1147 	for (i = 0; i < sband->n_bitrates; i++) {
1148 		nl_rate = nla_nest_start(msg, i);
1149 		if (!nl_rate)
1150 			return -ENOBUFS;
1151 
1152 		rate = &sband->bitrates[i];
1153 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1154 				rate->bitrate))
1155 			return -ENOBUFS;
1156 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1157 		    nla_put_flag(msg,
1158 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1159 			return -ENOBUFS;
1160 
1161 		nla_nest_end(msg, nl_rate);
1162 	}
1163 
1164 	nla_nest_end(msg, nl_rates);
1165 
1166 	return 0;
1167 }
1168 
1169 static int
1170 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1171 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1172 {
1173 	u16 stypes;
1174 	struct nlattr *nl_ftypes, *nl_ifs;
1175 	enum nl80211_iftype ift;
1176 	int i;
1177 
1178 	if (!mgmt_stypes)
1179 		return 0;
1180 
1181 	nl_ifs = nla_nest_start(msg, NL80211_ATTR_TX_FRAME_TYPES);
1182 	if (!nl_ifs)
1183 		return -ENOBUFS;
1184 
1185 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1186 		nl_ftypes = nla_nest_start(msg, ift);
1187 		if (!nl_ftypes)
1188 			return -ENOBUFS;
1189 		i = 0;
1190 		stypes = mgmt_stypes[ift].tx;
1191 		while (stypes) {
1192 			if ((stypes & 1) &&
1193 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1194 					(i << 4) | IEEE80211_FTYPE_MGMT))
1195 				return -ENOBUFS;
1196 			stypes >>= 1;
1197 			i++;
1198 		}
1199 		nla_nest_end(msg, nl_ftypes);
1200 	}
1201 
1202 	nla_nest_end(msg, nl_ifs);
1203 
1204 	nl_ifs = nla_nest_start(msg, NL80211_ATTR_RX_FRAME_TYPES);
1205 	if (!nl_ifs)
1206 		return -ENOBUFS;
1207 
1208 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1209 		nl_ftypes = nla_nest_start(msg, ift);
1210 		if (!nl_ftypes)
1211 			return -ENOBUFS;
1212 		i = 0;
1213 		stypes = mgmt_stypes[ift].rx;
1214 		while (stypes) {
1215 			if ((stypes & 1) &&
1216 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1217 					(i << 4) | IEEE80211_FTYPE_MGMT))
1218 				return -ENOBUFS;
1219 			stypes >>= 1;
1220 			i++;
1221 		}
1222 		nla_nest_end(msg, nl_ftypes);
1223 	}
1224 	nla_nest_end(msg, nl_ifs);
1225 
1226 	return 0;
1227 }
1228 
1229 struct nl80211_dump_wiphy_state {
1230 	s64 filter_wiphy;
1231 	long start;
1232 	long split_start, band_start, chan_start;
1233 	bool split;
1234 };
1235 
1236 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
1237 			      enum nl80211_commands cmd,
1238 			      struct sk_buff *msg, u32 portid, u32 seq,
1239 			      int flags, struct nl80211_dump_wiphy_state *state)
1240 {
1241 	void *hdr;
1242 	struct nlattr *nl_bands, *nl_band;
1243 	struct nlattr *nl_freqs, *nl_freq;
1244 	struct nlattr *nl_cmds;
1245 	enum ieee80211_band band;
1246 	struct ieee80211_channel *chan;
1247 	int i;
1248 	const struct ieee80211_txrx_stypes *mgmt_stypes =
1249 				rdev->wiphy.mgmt_stypes;
1250 	u32 features;
1251 
1252 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
1253 	if (!hdr)
1254 		return -ENOBUFS;
1255 
1256 	if (WARN_ON(!state))
1257 		return -EINVAL;
1258 
1259 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
1260 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
1261 			   wiphy_name(&rdev->wiphy)) ||
1262 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
1263 			cfg80211_rdev_list_generation))
1264 		goto nla_put_failure;
1265 
1266 	if (cmd != NL80211_CMD_NEW_WIPHY)
1267 		goto finish;
1268 
1269 	switch (state->split_start) {
1270 	case 0:
1271 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
1272 			       rdev->wiphy.retry_short) ||
1273 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
1274 			       rdev->wiphy.retry_long) ||
1275 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
1276 				rdev->wiphy.frag_threshold) ||
1277 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
1278 				rdev->wiphy.rts_threshold) ||
1279 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
1280 			       rdev->wiphy.coverage_class) ||
1281 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
1282 			       rdev->wiphy.max_scan_ssids) ||
1283 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
1284 			       rdev->wiphy.max_sched_scan_ssids) ||
1285 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
1286 				rdev->wiphy.max_scan_ie_len) ||
1287 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
1288 				rdev->wiphy.max_sched_scan_ie_len) ||
1289 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
1290 			       rdev->wiphy.max_match_sets))
1291 			goto nla_put_failure;
1292 
1293 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
1294 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
1295 			goto nla_put_failure;
1296 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
1297 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
1298 			goto nla_put_failure;
1299 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
1300 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
1301 			goto nla_put_failure;
1302 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
1303 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
1304 			goto nla_put_failure;
1305 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
1306 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
1307 			goto nla_put_failure;
1308 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
1309 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
1310 			goto nla_put_failure;
1311 		state->split_start++;
1312 		if (state->split)
1313 			break;
1314 	case 1:
1315 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
1316 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
1317 			    rdev->wiphy.cipher_suites))
1318 			goto nla_put_failure;
1319 
1320 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
1321 			       rdev->wiphy.max_num_pmkids))
1322 			goto nla_put_failure;
1323 
1324 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
1325 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
1326 			goto nla_put_failure;
1327 
1328 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
1329 				rdev->wiphy.available_antennas_tx) ||
1330 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
1331 				rdev->wiphy.available_antennas_rx))
1332 			goto nla_put_failure;
1333 
1334 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
1335 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
1336 				rdev->wiphy.probe_resp_offload))
1337 			goto nla_put_failure;
1338 
1339 		if ((rdev->wiphy.available_antennas_tx ||
1340 		     rdev->wiphy.available_antennas_rx) &&
1341 		    rdev->ops->get_antenna) {
1342 			u32 tx_ant = 0, rx_ant = 0;
1343 			int res;
1344 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
1345 			if (!res) {
1346 				if (nla_put_u32(msg,
1347 						NL80211_ATTR_WIPHY_ANTENNA_TX,
1348 						tx_ant) ||
1349 				    nla_put_u32(msg,
1350 						NL80211_ATTR_WIPHY_ANTENNA_RX,
1351 						rx_ant))
1352 					goto nla_put_failure;
1353 			}
1354 		}
1355 
1356 		state->split_start++;
1357 		if (state->split)
1358 			break;
1359 	case 2:
1360 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
1361 					rdev->wiphy.interface_modes))
1362 				goto nla_put_failure;
1363 		state->split_start++;
1364 		if (state->split)
1365 			break;
1366 	case 3:
1367 		nl_bands = nla_nest_start(msg, NL80211_ATTR_WIPHY_BANDS);
1368 		if (!nl_bands)
1369 			goto nla_put_failure;
1370 
1371 		for (band = state->band_start;
1372 		     band < IEEE80211_NUM_BANDS; band++) {
1373 			struct ieee80211_supported_band *sband;
1374 
1375 			sband = rdev->wiphy.bands[band];
1376 
1377 			if (!sband)
1378 				continue;
1379 
1380 			nl_band = nla_nest_start(msg, band);
1381 			if (!nl_band)
1382 				goto nla_put_failure;
1383 
1384 			switch (state->chan_start) {
1385 			case 0:
1386 				if (nl80211_send_band_rateinfo(msg, sband))
1387 					goto nla_put_failure;
1388 				state->chan_start++;
1389 				if (state->split)
1390 					break;
1391 			default:
1392 				/* add frequencies */
1393 				nl_freqs = nla_nest_start(
1394 					msg, NL80211_BAND_ATTR_FREQS);
1395 				if (!nl_freqs)
1396 					goto nla_put_failure;
1397 
1398 				for (i = state->chan_start - 1;
1399 				     i < sband->n_channels;
1400 				     i++) {
1401 					nl_freq = nla_nest_start(msg, i);
1402 					if (!nl_freq)
1403 						goto nla_put_failure;
1404 
1405 					chan = &sband->channels[i];
1406 
1407 					if (nl80211_msg_put_channel(
1408 							msg, chan,
1409 							state->split))
1410 						goto nla_put_failure;
1411 
1412 					nla_nest_end(msg, nl_freq);
1413 					if (state->split)
1414 						break;
1415 				}
1416 				if (i < sband->n_channels)
1417 					state->chan_start = i + 2;
1418 				else
1419 					state->chan_start = 0;
1420 				nla_nest_end(msg, nl_freqs);
1421 			}
1422 
1423 			nla_nest_end(msg, nl_band);
1424 
1425 			if (state->split) {
1426 				/* start again here */
1427 				if (state->chan_start)
1428 					band--;
1429 				break;
1430 			}
1431 		}
1432 		nla_nest_end(msg, nl_bands);
1433 
1434 		if (band < IEEE80211_NUM_BANDS)
1435 			state->band_start = band + 1;
1436 		else
1437 			state->band_start = 0;
1438 
1439 		/* if bands & channels are done, continue outside */
1440 		if (state->band_start == 0 && state->chan_start == 0)
1441 			state->split_start++;
1442 		if (state->split)
1443 			break;
1444 	case 4:
1445 		nl_cmds = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_COMMANDS);
1446 		if (!nl_cmds)
1447 			goto nla_put_failure;
1448 
1449 		i = 0;
1450 #define CMD(op, n)							\
1451 		 do {							\
1452 			if (rdev->ops->op) {				\
1453 				i++;					\
1454 				if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) \
1455 					goto nla_put_failure;		\
1456 			}						\
1457 		} while (0)
1458 
1459 		CMD(add_virtual_intf, NEW_INTERFACE);
1460 		CMD(change_virtual_intf, SET_INTERFACE);
1461 		CMD(add_key, NEW_KEY);
1462 		CMD(start_ap, START_AP);
1463 		CMD(add_station, NEW_STATION);
1464 		CMD(add_mpath, NEW_MPATH);
1465 		CMD(update_mesh_config, SET_MESH_CONFIG);
1466 		CMD(change_bss, SET_BSS);
1467 		CMD(auth, AUTHENTICATE);
1468 		CMD(assoc, ASSOCIATE);
1469 		CMD(deauth, DEAUTHENTICATE);
1470 		CMD(disassoc, DISASSOCIATE);
1471 		CMD(join_ibss, JOIN_IBSS);
1472 		CMD(join_mesh, JOIN_MESH);
1473 		CMD(set_pmksa, SET_PMKSA);
1474 		CMD(del_pmksa, DEL_PMKSA);
1475 		CMD(flush_pmksa, FLUSH_PMKSA);
1476 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1477 			CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1478 		CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1479 		CMD(mgmt_tx, FRAME);
1480 		CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1481 		if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1482 			i++;
1483 			if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1484 				goto nla_put_failure;
1485 		}
1486 		if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1487 		    rdev->ops->join_mesh) {
1488 			i++;
1489 			if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1490 				goto nla_put_failure;
1491 		}
1492 		CMD(set_wds_peer, SET_WDS_PEER);
1493 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1494 			CMD(tdls_mgmt, TDLS_MGMT);
1495 			CMD(tdls_oper, TDLS_OPER);
1496 		}
1497 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
1498 			CMD(sched_scan_start, START_SCHED_SCAN);
1499 		CMD(probe_client, PROBE_CLIENT);
1500 		CMD(set_noack_map, SET_NOACK_MAP);
1501 		if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1502 			i++;
1503 			if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1504 				goto nla_put_failure;
1505 		}
1506 		CMD(start_p2p_device, START_P2P_DEVICE);
1507 		CMD(set_mcast_rate, SET_MCAST_RATE);
1508 #ifdef CONFIG_NL80211_TESTMODE
1509 		CMD(testmode_cmd, TESTMODE);
1510 #endif
1511 		if (state->split) {
1512 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
1513 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
1514 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
1515 				CMD(channel_switch, CHANNEL_SWITCH);
1516 			CMD(set_qos_map, SET_QOS_MAP);
1517 			if (rdev->wiphy.flags &
1518 					WIPHY_FLAG_SUPPORTS_WMM_ADMISSION)
1519 				CMD(add_tx_ts, ADD_TX_TS);
1520 		}
1521 		/* add into the if now */
1522 #undef CMD
1523 
1524 		if (rdev->ops->connect || rdev->ops->auth) {
1525 			i++;
1526 			if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1527 				goto nla_put_failure;
1528 		}
1529 
1530 		if (rdev->ops->disconnect || rdev->ops->deauth) {
1531 			i++;
1532 			if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1533 				goto nla_put_failure;
1534 		}
1535 
1536 		nla_nest_end(msg, nl_cmds);
1537 		state->split_start++;
1538 		if (state->split)
1539 			break;
1540 	case 5:
1541 		if (rdev->ops->remain_on_channel &&
1542 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
1543 		    nla_put_u32(msg,
1544 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
1545 				rdev->wiphy.max_remain_on_channel_duration))
1546 			goto nla_put_failure;
1547 
1548 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
1549 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
1550 			goto nla_put_failure;
1551 
1552 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
1553 			goto nla_put_failure;
1554 		state->split_start++;
1555 		if (state->split)
1556 			break;
1557 	case 6:
1558 #ifdef CONFIG_PM
1559 		if (nl80211_send_wowlan(msg, rdev, state->split))
1560 			goto nla_put_failure;
1561 		state->split_start++;
1562 		if (state->split)
1563 			break;
1564 #else
1565 		state->split_start++;
1566 #endif
1567 	case 7:
1568 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
1569 					rdev->wiphy.software_iftypes))
1570 			goto nla_put_failure;
1571 
1572 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
1573 						   state->split))
1574 			goto nla_put_failure;
1575 
1576 		state->split_start++;
1577 		if (state->split)
1578 			break;
1579 	case 8:
1580 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
1581 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
1582 				rdev->wiphy.ap_sme_capa))
1583 			goto nla_put_failure;
1584 
1585 		features = rdev->wiphy.features;
1586 		/*
1587 		 * We can only add the per-channel limit information if the
1588 		 * dump is split, otherwise it makes it too big. Therefore
1589 		 * only advertise it in that case.
1590 		 */
1591 		if (state->split)
1592 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
1593 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
1594 			goto nla_put_failure;
1595 
1596 		if (rdev->wiphy.ht_capa_mod_mask &&
1597 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
1598 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
1599 			    rdev->wiphy.ht_capa_mod_mask))
1600 			goto nla_put_failure;
1601 
1602 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
1603 		    rdev->wiphy.max_acl_mac_addrs &&
1604 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
1605 				rdev->wiphy.max_acl_mac_addrs))
1606 			goto nla_put_failure;
1607 
1608 		/*
1609 		 * Any information below this point is only available to
1610 		 * applications that can deal with it being split. This
1611 		 * helps ensure that newly added capabilities don't break
1612 		 * older tools by overrunning their buffers.
1613 		 *
1614 		 * We still increment split_start so that in the split
1615 		 * case we'll continue with more data in the next round,
1616 		 * but break unconditionally so unsplit data stops here.
1617 		 */
1618 		state->split_start++;
1619 		break;
1620 	case 9:
1621 		if (rdev->wiphy.extended_capabilities &&
1622 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
1623 			     rdev->wiphy.extended_capabilities_len,
1624 			     rdev->wiphy.extended_capabilities) ||
1625 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
1626 			     rdev->wiphy.extended_capabilities_len,
1627 			     rdev->wiphy.extended_capabilities_mask)))
1628 			goto nla_put_failure;
1629 
1630 		if (rdev->wiphy.vht_capa_mod_mask &&
1631 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
1632 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
1633 			    rdev->wiphy.vht_capa_mod_mask))
1634 			goto nla_put_failure;
1635 
1636 		state->split_start++;
1637 		break;
1638 	case 10:
1639 		if (nl80211_send_coalesce(msg, rdev))
1640 			goto nla_put_failure;
1641 
1642 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
1643 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
1644 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
1645 			goto nla_put_failure;
1646 
1647 		if (rdev->wiphy.max_ap_assoc_sta &&
1648 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
1649 				rdev->wiphy.max_ap_assoc_sta))
1650 			goto nla_put_failure;
1651 
1652 		state->split_start++;
1653 		break;
1654 	case 11:
1655 		if (rdev->wiphy.n_vendor_commands) {
1656 			const struct nl80211_vendor_cmd_info *info;
1657 			struct nlattr *nested;
1658 
1659 			nested = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
1660 			if (!nested)
1661 				goto nla_put_failure;
1662 
1663 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
1664 				info = &rdev->wiphy.vendor_commands[i].info;
1665 				if (nla_put(msg, i + 1, sizeof(*info), info))
1666 					goto nla_put_failure;
1667 			}
1668 			nla_nest_end(msg, nested);
1669 		}
1670 
1671 		if (rdev->wiphy.n_vendor_events) {
1672 			const struct nl80211_vendor_cmd_info *info;
1673 			struct nlattr *nested;
1674 
1675 			nested = nla_nest_start(msg,
1676 						NL80211_ATTR_VENDOR_EVENTS);
1677 			if (!nested)
1678 				goto nla_put_failure;
1679 
1680 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
1681 				info = &rdev->wiphy.vendor_events[i];
1682 				if (nla_put(msg, i + 1, sizeof(*info), info))
1683 					goto nla_put_failure;
1684 			}
1685 			nla_nest_end(msg, nested);
1686 		}
1687 		state->split_start++;
1688 		break;
1689 	case 12:
1690 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
1691 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
1692 			       rdev->wiphy.max_num_csa_counters))
1693 			goto nla_put_failure;
1694 
1695 		/* done */
1696 		state->split_start = 0;
1697 		break;
1698 	}
1699  finish:
1700 	return genlmsg_end(msg, hdr);
1701 
1702  nla_put_failure:
1703 	genlmsg_cancel(msg, hdr);
1704 	return -EMSGSIZE;
1705 }
1706 
1707 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
1708 				    struct netlink_callback *cb,
1709 				    struct nl80211_dump_wiphy_state *state)
1710 {
1711 	struct nlattr **tb = nl80211_fam.attrbuf;
1712 	int ret = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
1713 			      tb, nl80211_fam.maxattr, nl80211_policy);
1714 	/* ignore parse errors for backward compatibility */
1715 	if (ret)
1716 		return 0;
1717 
1718 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
1719 	if (tb[NL80211_ATTR_WIPHY])
1720 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
1721 	if (tb[NL80211_ATTR_WDEV])
1722 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
1723 	if (tb[NL80211_ATTR_IFINDEX]) {
1724 		struct net_device *netdev;
1725 		struct cfg80211_registered_device *rdev;
1726 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
1727 
1728 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
1729 		if (!netdev)
1730 			return -ENODEV;
1731 		if (netdev->ieee80211_ptr) {
1732 			rdev = wiphy_to_rdev(
1733 				netdev->ieee80211_ptr->wiphy);
1734 			state->filter_wiphy = rdev->wiphy_idx;
1735 		}
1736 	}
1737 
1738 	return 0;
1739 }
1740 
1741 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
1742 {
1743 	int idx = 0, ret;
1744 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
1745 	struct cfg80211_registered_device *rdev;
1746 
1747 	rtnl_lock();
1748 	if (!state) {
1749 		state = kzalloc(sizeof(*state), GFP_KERNEL);
1750 		if (!state) {
1751 			rtnl_unlock();
1752 			return -ENOMEM;
1753 		}
1754 		state->filter_wiphy = -1;
1755 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
1756 		if (ret) {
1757 			kfree(state);
1758 			rtnl_unlock();
1759 			return ret;
1760 		}
1761 		cb->args[0] = (long)state;
1762 	}
1763 
1764 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
1765 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
1766 			continue;
1767 		if (++idx <= state->start)
1768 			continue;
1769 		if (state->filter_wiphy != -1 &&
1770 		    state->filter_wiphy != rdev->wiphy_idx)
1771 			continue;
1772 		/* attempt to fit multiple wiphy data chunks into the skb */
1773 		do {
1774 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
1775 						 skb,
1776 						 NETLINK_CB(cb->skb).portid,
1777 						 cb->nlh->nlmsg_seq,
1778 						 NLM_F_MULTI, state);
1779 			if (ret < 0) {
1780 				/*
1781 				 * If sending the wiphy data didn't fit (ENOBUFS
1782 				 * or EMSGSIZE returned), this SKB is still
1783 				 * empty (so it's not too big because another
1784 				 * wiphy dataset is already in the skb) and
1785 				 * we've not tried to adjust the dump allocation
1786 				 * yet ... then adjust the alloc size to be
1787 				 * bigger, and return 1 but with the empty skb.
1788 				 * This results in an empty message being RX'ed
1789 				 * in userspace, but that is ignored.
1790 				 *
1791 				 * We can then retry with the larger buffer.
1792 				 */
1793 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
1794 				    !skb->len && !state->split &&
1795 				    cb->min_dump_alloc < 4096) {
1796 					cb->min_dump_alloc = 4096;
1797 					state->split_start = 0;
1798 					rtnl_unlock();
1799 					return 1;
1800 				}
1801 				idx--;
1802 				break;
1803 			}
1804 		} while (state->split_start > 0);
1805 		break;
1806 	}
1807 	rtnl_unlock();
1808 
1809 	state->start = idx;
1810 
1811 	return skb->len;
1812 }
1813 
1814 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
1815 {
1816 	kfree((void *)cb->args[0]);
1817 	return 0;
1818 }
1819 
1820 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
1821 {
1822 	struct sk_buff *msg;
1823 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
1824 	struct nl80211_dump_wiphy_state state = {};
1825 
1826 	msg = nlmsg_new(4096, GFP_KERNEL);
1827 	if (!msg)
1828 		return -ENOMEM;
1829 
1830 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
1831 			       info->snd_portid, info->snd_seq, 0,
1832 			       &state) < 0) {
1833 		nlmsg_free(msg);
1834 		return -ENOBUFS;
1835 	}
1836 
1837 	return genlmsg_reply(msg, info);
1838 }
1839 
1840 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
1841 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
1842 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
1843 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
1844 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
1845 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
1846 };
1847 
1848 static int parse_txq_params(struct nlattr *tb[],
1849 			    struct ieee80211_txq_params *txq_params)
1850 {
1851 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
1852 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
1853 	    !tb[NL80211_TXQ_ATTR_AIFS])
1854 		return -EINVAL;
1855 
1856 	txq_params->ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
1857 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
1858 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
1859 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
1860 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
1861 
1862 	if (txq_params->ac >= NL80211_NUM_ACS)
1863 		return -EINVAL;
1864 
1865 	return 0;
1866 }
1867 
1868 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
1869 {
1870 	/*
1871 	 * You can only set the channel explicitly for WDS interfaces,
1872 	 * all others have their channel managed via their respective
1873 	 * "establish a connection" command (connect, join, ...)
1874 	 *
1875 	 * For AP/GO and mesh mode, the channel can be set with the
1876 	 * channel userspace API, but is only stored and passed to the
1877 	 * low-level driver when the AP starts or the mesh is joined.
1878 	 * This is for backward compatibility, userspace can also give
1879 	 * the channel in the start-ap or join-mesh commands instead.
1880 	 *
1881 	 * Monitors are special as they are normally slaved to
1882 	 * whatever else is going on, so they have their own special
1883 	 * operation to set the monitor channel if possible.
1884 	 */
1885 	return !wdev ||
1886 		wdev->iftype == NL80211_IFTYPE_AP ||
1887 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
1888 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
1889 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
1890 }
1891 
1892 static int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
1893 				 struct genl_info *info,
1894 				 struct cfg80211_chan_def *chandef)
1895 {
1896 	u32 control_freq;
1897 
1898 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
1899 		return -EINVAL;
1900 
1901 	control_freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
1902 
1903 	chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
1904 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
1905 	chandef->center_freq1 = control_freq;
1906 	chandef->center_freq2 = 0;
1907 
1908 	/* Primary channel not allowed */
1909 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED)
1910 		return -EINVAL;
1911 
1912 	if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
1913 		enum nl80211_channel_type chantype;
1914 
1915 		chantype = nla_get_u32(
1916 				info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
1917 
1918 		switch (chantype) {
1919 		case NL80211_CHAN_NO_HT:
1920 		case NL80211_CHAN_HT20:
1921 		case NL80211_CHAN_HT40PLUS:
1922 		case NL80211_CHAN_HT40MINUS:
1923 			cfg80211_chandef_create(chandef, chandef->chan,
1924 						chantype);
1925 			break;
1926 		default:
1927 			return -EINVAL;
1928 		}
1929 	} else if (info->attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
1930 		chandef->width =
1931 			nla_get_u32(info->attrs[NL80211_ATTR_CHANNEL_WIDTH]);
1932 		if (info->attrs[NL80211_ATTR_CENTER_FREQ1])
1933 			chandef->center_freq1 =
1934 				nla_get_u32(
1935 					info->attrs[NL80211_ATTR_CENTER_FREQ1]);
1936 		if (info->attrs[NL80211_ATTR_CENTER_FREQ2])
1937 			chandef->center_freq2 =
1938 				nla_get_u32(
1939 					info->attrs[NL80211_ATTR_CENTER_FREQ2]);
1940 	}
1941 
1942 	if (!cfg80211_chandef_valid(chandef))
1943 		return -EINVAL;
1944 
1945 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
1946 				     IEEE80211_CHAN_DISABLED))
1947 		return -EINVAL;
1948 
1949 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
1950 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
1951 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ))
1952 		return -EINVAL;
1953 
1954 	return 0;
1955 }
1956 
1957 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
1958 				 struct net_device *dev,
1959 				 struct genl_info *info)
1960 {
1961 	struct cfg80211_chan_def chandef;
1962 	int result;
1963 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
1964 	struct wireless_dev *wdev = NULL;
1965 
1966 	if (dev)
1967 		wdev = dev->ieee80211_ptr;
1968 	if (!nl80211_can_set_dev_channel(wdev))
1969 		return -EOPNOTSUPP;
1970 	if (wdev)
1971 		iftype = wdev->iftype;
1972 
1973 	result = nl80211_parse_chandef(rdev, info, &chandef);
1974 	if (result)
1975 		return result;
1976 
1977 	switch (iftype) {
1978 	case NL80211_IFTYPE_AP:
1979 	case NL80211_IFTYPE_P2P_GO:
1980 		if (!cfg80211_reg_can_beacon(&rdev->wiphy, &chandef, iftype)) {
1981 			result = -EINVAL;
1982 			break;
1983 		}
1984 		if (wdev->beacon_interval) {
1985 			if (!dev || !rdev->ops->set_ap_chanwidth ||
1986 			    !(rdev->wiphy.features &
1987 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
1988 				result = -EBUSY;
1989 				break;
1990 			}
1991 
1992 			/* Only allow dynamic channel width changes */
1993 			if (chandef.chan != wdev->preset_chandef.chan) {
1994 				result = -EBUSY;
1995 				break;
1996 			}
1997 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
1998 			if (result)
1999 				break;
2000 		}
2001 		wdev->preset_chandef = chandef;
2002 		result = 0;
2003 		break;
2004 	case NL80211_IFTYPE_MESH_POINT:
2005 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
2006 		break;
2007 	case NL80211_IFTYPE_MONITOR:
2008 		result = cfg80211_set_monitor_channel(rdev, &chandef);
2009 		break;
2010 	default:
2011 		result = -EINVAL;
2012 	}
2013 
2014 	return result;
2015 }
2016 
2017 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
2018 {
2019 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2020 	struct net_device *netdev = info->user_ptr[1];
2021 
2022 	return __nl80211_set_channel(rdev, netdev, info);
2023 }
2024 
2025 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
2026 {
2027 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2028 	struct net_device *dev = info->user_ptr[1];
2029 	struct wireless_dev *wdev = dev->ieee80211_ptr;
2030 	const u8 *bssid;
2031 
2032 	if (!info->attrs[NL80211_ATTR_MAC])
2033 		return -EINVAL;
2034 
2035 	if (netif_running(dev))
2036 		return -EBUSY;
2037 
2038 	if (!rdev->ops->set_wds_peer)
2039 		return -EOPNOTSUPP;
2040 
2041 	if (wdev->iftype != NL80211_IFTYPE_WDS)
2042 		return -EOPNOTSUPP;
2043 
2044 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
2045 	return rdev_set_wds_peer(rdev, dev, bssid);
2046 }
2047 
2048 
2049 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
2050 {
2051 	struct cfg80211_registered_device *rdev;
2052 	struct net_device *netdev = NULL;
2053 	struct wireless_dev *wdev;
2054 	int result = 0, rem_txq_params = 0;
2055 	struct nlattr *nl_txq_params;
2056 	u32 changed;
2057 	u8 retry_short = 0, retry_long = 0;
2058 	u32 frag_threshold = 0, rts_threshold = 0;
2059 	u8 coverage_class = 0;
2060 
2061 	ASSERT_RTNL();
2062 
2063 	/*
2064 	 * Try to find the wiphy and netdev. Normally this
2065 	 * function shouldn't need the netdev, but this is
2066 	 * done for backward compatibility -- previously
2067 	 * setting the channel was done per wiphy, but now
2068 	 * it is per netdev. Previous userland like hostapd
2069 	 * also passed a netdev to set_wiphy, so that it is
2070 	 * possible to let that go to the right netdev!
2071 	 */
2072 
2073 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
2074 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
2075 
2076 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
2077 		if (netdev && netdev->ieee80211_ptr)
2078 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
2079 		else
2080 			netdev = NULL;
2081 	}
2082 
2083 	if (!netdev) {
2084 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
2085 						  info->attrs);
2086 		if (IS_ERR(rdev))
2087 			return PTR_ERR(rdev);
2088 		wdev = NULL;
2089 		netdev = NULL;
2090 		result = 0;
2091 	} else
2092 		wdev = netdev->ieee80211_ptr;
2093 
2094 	/*
2095 	 * end workaround code, by now the rdev is available
2096 	 * and locked, and wdev may or may not be NULL.
2097 	 */
2098 
2099 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
2100 		result = cfg80211_dev_rename(
2101 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
2102 
2103 	if (result)
2104 		return result;
2105 
2106 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
2107 		struct ieee80211_txq_params txq_params;
2108 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
2109 
2110 		if (!rdev->ops->set_txq_params)
2111 			return -EOPNOTSUPP;
2112 
2113 		if (!netdev)
2114 			return -EINVAL;
2115 
2116 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2117 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2118 			return -EINVAL;
2119 
2120 		if (!netif_running(netdev))
2121 			return -ENETDOWN;
2122 
2123 		nla_for_each_nested(nl_txq_params,
2124 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
2125 				    rem_txq_params) {
2126 			result = nla_parse(tb, NL80211_TXQ_ATTR_MAX,
2127 					   nla_data(nl_txq_params),
2128 					   nla_len(nl_txq_params),
2129 					   txq_params_policy);
2130 			if (result)
2131 				return result;
2132 			result = parse_txq_params(tb, &txq_params);
2133 			if (result)
2134 				return result;
2135 
2136 			result = rdev_set_txq_params(rdev, netdev,
2137 						     &txq_params);
2138 			if (result)
2139 				return result;
2140 		}
2141 	}
2142 
2143 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2144 		result = __nl80211_set_channel(
2145 			rdev,
2146 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
2147 			info);
2148 		if (result)
2149 			return result;
2150 	}
2151 
2152 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
2153 		struct wireless_dev *txp_wdev = wdev;
2154 		enum nl80211_tx_power_setting type;
2155 		int idx, mbm = 0;
2156 
2157 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
2158 			txp_wdev = NULL;
2159 
2160 		if (!rdev->ops->set_tx_power)
2161 			return -EOPNOTSUPP;
2162 
2163 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
2164 		type = nla_get_u32(info->attrs[idx]);
2165 
2166 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
2167 		    (type != NL80211_TX_POWER_AUTOMATIC))
2168 			return -EINVAL;
2169 
2170 		if (type != NL80211_TX_POWER_AUTOMATIC) {
2171 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
2172 			mbm = nla_get_u32(info->attrs[idx]);
2173 		}
2174 
2175 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
2176 		if (result)
2177 			return result;
2178 	}
2179 
2180 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
2181 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
2182 		u32 tx_ant, rx_ant;
2183 		if ((!rdev->wiphy.available_antennas_tx &&
2184 		     !rdev->wiphy.available_antennas_rx) ||
2185 		    !rdev->ops->set_antenna)
2186 			return -EOPNOTSUPP;
2187 
2188 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
2189 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
2190 
2191 		/* reject antenna configurations which don't match the
2192 		 * available antenna masks, except for the "all" mask */
2193 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
2194 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
2195 			return -EINVAL;
2196 
2197 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
2198 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
2199 
2200 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
2201 		if (result)
2202 			return result;
2203 	}
2204 
2205 	changed = 0;
2206 
2207 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
2208 		retry_short = nla_get_u8(
2209 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
2210 		if (retry_short == 0)
2211 			return -EINVAL;
2212 
2213 		changed |= WIPHY_PARAM_RETRY_SHORT;
2214 	}
2215 
2216 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
2217 		retry_long = nla_get_u8(
2218 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
2219 		if (retry_long == 0)
2220 			return -EINVAL;
2221 
2222 		changed |= WIPHY_PARAM_RETRY_LONG;
2223 	}
2224 
2225 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
2226 		frag_threshold = nla_get_u32(
2227 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
2228 		if (frag_threshold < 256)
2229 			return -EINVAL;
2230 
2231 		if (frag_threshold != (u32) -1) {
2232 			/*
2233 			 * Fragments (apart from the last one) are required to
2234 			 * have even length. Make the fragmentation code
2235 			 * simpler by stripping LSB should someone try to use
2236 			 * odd threshold value.
2237 			 */
2238 			frag_threshold &= ~0x1;
2239 		}
2240 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
2241 	}
2242 
2243 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
2244 		rts_threshold = nla_get_u32(
2245 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
2246 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
2247 	}
2248 
2249 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
2250 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
2251 			return -EINVAL;
2252 
2253 		coverage_class = nla_get_u8(
2254 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
2255 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
2256 	}
2257 
2258 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
2259 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
2260 			return -EOPNOTSUPP;
2261 
2262 		changed |= WIPHY_PARAM_DYN_ACK;
2263 	}
2264 
2265 	if (changed) {
2266 		u8 old_retry_short, old_retry_long;
2267 		u32 old_frag_threshold, old_rts_threshold;
2268 		u8 old_coverage_class;
2269 
2270 		if (!rdev->ops->set_wiphy_params)
2271 			return -EOPNOTSUPP;
2272 
2273 		old_retry_short = rdev->wiphy.retry_short;
2274 		old_retry_long = rdev->wiphy.retry_long;
2275 		old_frag_threshold = rdev->wiphy.frag_threshold;
2276 		old_rts_threshold = rdev->wiphy.rts_threshold;
2277 		old_coverage_class = rdev->wiphy.coverage_class;
2278 
2279 		if (changed & WIPHY_PARAM_RETRY_SHORT)
2280 			rdev->wiphy.retry_short = retry_short;
2281 		if (changed & WIPHY_PARAM_RETRY_LONG)
2282 			rdev->wiphy.retry_long = retry_long;
2283 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
2284 			rdev->wiphy.frag_threshold = frag_threshold;
2285 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
2286 			rdev->wiphy.rts_threshold = rts_threshold;
2287 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
2288 			rdev->wiphy.coverage_class = coverage_class;
2289 
2290 		result = rdev_set_wiphy_params(rdev, changed);
2291 		if (result) {
2292 			rdev->wiphy.retry_short = old_retry_short;
2293 			rdev->wiphy.retry_long = old_retry_long;
2294 			rdev->wiphy.frag_threshold = old_frag_threshold;
2295 			rdev->wiphy.rts_threshold = old_rts_threshold;
2296 			rdev->wiphy.coverage_class = old_coverage_class;
2297 		}
2298 	}
2299 	return 0;
2300 }
2301 
2302 static inline u64 wdev_id(struct wireless_dev *wdev)
2303 {
2304 	return (u64)wdev->identifier |
2305 	       ((u64)wiphy_to_rdev(wdev->wiphy)->wiphy_idx << 32);
2306 }
2307 
2308 static int nl80211_send_chandef(struct sk_buff *msg,
2309 				const struct cfg80211_chan_def *chandef)
2310 {
2311 	WARN_ON(!cfg80211_chandef_valid(chandef));
2312 
2313 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
2314 			chandef->chan->center_freq))
2315 		return -ENOBUFS;
2316 	switch (chandef->width) {
2317 	case NL80211_CHAN_WIDTH_20_NOHT:
2318 	case NL80211_CHAN_WIDTH_20:
2319 	case NL80211_CHAN_WIDTH_40:
2320 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
2321 				cfg80211_get_chandef_type(chandef)))
2322 			return -ENOBUFS;
2323 		break;
2324 	default:
2325 		break;
2326 	}
2327 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
2328 		return -ENOBUFS;
2329 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
2330 		return -ENOBUFS;
2331 	if (chandef->center_freq2 &&
2332 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
2333 		return -ENOBUFS;
2334 	return 0;
2335 }
2336 
2337 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
2338 			      struct cfg80211_registered_device *rdev,
2339 			      struct wireless_dev *wdev)
2340 {
2341 	struct net_device *dev = wdev->netdev;
2342 	void *hdr;
2343 
2344 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_INTERFACE);
2345 	if (!hdr)
2346 		return -1;
2347 
2348 	if (dev &&
2349 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2350 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
2351 		goto nla_put_failure;
2352 
2353 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2354 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
2355 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
2356 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
2357 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2358 			rdev->devlist_generation ^
2359 			(cfg80211_rdev_list_generation << 2)))
2360 		goto nla_put_failure;
2361 
2362 	if (rdev->ops->get_channel) {
2363 		int ret;
2364 		struct cfg80211_chan_def chandef;
2365 
2366 		ret = rdev_get_channel(rdev, wdev, &chandef);
2367 		if (ret == 0) {
2368 			if (nl80211_send_chandef(msg, &chandef))
2369 				goto nla_put_failure;
2370 		}
2371 	}
2372 
2373 	if (wdev->ssid_len) {
2374 		if (nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
2375 			goto nla_put_failure;
2376 	}
2377 
2378 	return genlmsg_end(msg, hdr);
2379 
2380  nla_put_failure:
2381 	genlmsg_cancel(msg, hdr);
2382 	return -EMSGSIZE;
2383 }
2384 
2385 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
2386 {
2387 	int wp_idx = 0;
2388 	int if_idx = 0;
2389 	int wp_start = cb->args[0];
2390 	int if_start = cb->args[1];
2391 	struct cfg80211_registered_device *rdev;
2392 	struct wireless_dev *wdev;
2393 
2394 	rtnl_lock();
2395 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2396 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2397 			continue;
2398 		if (wp_idx < wp_start) {
2399 			wp_idx++;
2400 			continue;
2401 		}
2402 		if_idx = 0;
2403 
2404 		list_for_each_entry(wdev, &rdev->wdev_list, list) {
2405 			if (if_idx < if_start) {
2406 				if_idx++;
2407 				continue;
2408 			}
2409 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
2410 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
2411 					       rdev, wdev) < 0) {
2412 				goto out;
2413 			}
2414 			if_idx++;
2415 		}
2416 
2417 		wp_idx++;
2418 	}
2419  out:
2420 	rtnl_unlock();
2421 
2422 	cb->args[0] = wp_idx;
2423 	cb->args[1] = if_idx;
2424 
2425 	return skb->len;
2426 }
2427 
2428 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
2429 {
2430 	struct sk_buff *msg;
2431 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2432 	struct wireless_dev *wdev = info->user_ptr[1];
2433 
2434 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2435 	if (!msg)
2436 		return -ENOMEM;
2437 
2438 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2439 			       rdev, wdev) < 0) {
2440 		nlmsg_free(msg);
2441 		return -ENOBUFS;
2442 	}
2443 
2444 	return genlmsg_reply(msg, info);
2445 }
2446 
2447 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
2448 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
2449 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
2450 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
2451 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
2452 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
2453 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
2454 };
2455 
2456 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
2457 {
2458 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
2459 	int flag;
2460 
2461 	*mntrflags = 0;
2462 
2463 	if (!nla)
2464 		return -EINVAL;
2465 
2466 	if (nla_parse_nested(flags, NL80211_MNTR_FLAG_MAX,
2467 			     nla, mntr_flags_policy))
2468 		return -EINVAL;
2469 
2470 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
2471 		if (flags[flag])
2472 			*mntrflags |= (1<<flag);
2473 
2474 	return 0;
2475 }
2476 
2477 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
2478 			       struct net_device *netdev, u8 use_4addr,
2479 			       enum nl80211_iftype iftype)
2480 {
2481 	if (!use_4addr) {
2482 		if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
2483 			return -EBUSY;
2484 		return 0;
2485 	}
2486 
2487 	switch (iftype) {
2488 	case NL80211_IFTYPE_AP_VLAN:
2489 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
2490 			return 0;
2491 		break;
2492 	case NL80211_IFTYPE_STATION:
2493 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
2494 			return 0;
2495 		break;
2496 	default:
2497 		break;
2498 	}
2499 
2500 	return -EOPNOTSUPP;
2501 }
2502 
2503 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
2504 {
2505 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2506 	struct vif_params params;
2507 	int err;
2508 	enum nl80211_iftype otype, ntype;
2509 	struct net_device *dev = info->user_ptr[1];
2510 	u32 _flags, *flags = NULL;
2511 	bool change = false;
2512 
2513 	memset(&params, 0, sizeof(params));
2514 
2515 	otype = ntype = dev->ieee80211_ptr->iftype;
2516 
2517 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2518 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2519 		if (otype != ntype)
2520 			change = true;
2521 		if (ntype > NL80211_IFTYPE_MAX)
2522 			return -EINVAL;
2523 	}
2524 
2525 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
2526 		struct wireless_dev *wdev = dev->ieee80211_ptr;
2527 
2528 		if (ntype != NL80211_IFTYPE_MESH_POINT)
2529 			return -EINVAL;
2530 		if (netif_running(dev))
2531 			return -EBUSY;
2532 
2533 		wdev_lock(wdev);
2534 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2535 			     IEEE80211_MAX_MESH_ID_LEN);
2536 		wdev->mesh_id_up_len =
2537 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2538 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2539 		       wdev->mesh_id_up_len);
2540 		wdev_unlock(wdev);
2541 	}
2542 
2543 	if (info->attrs[NL80211_ATTR_4ADDR]) {
2544 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2545 		change = true;
2546 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
2547 		if (err)
2548 			return err;
2549 	} else {
2550 		params.use_4addr = -1;
2551 	}
2552 
2553 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
2554 		if (ntype != NL80211_IFTYPE_MONITOR)
2555 			return -EINVAL;
2556 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
2557 					  &_flags);
2558 		if (err)
2559 			return err;
2560 
2561 		flags = &_flags;
2562 		change = true;
2563 	}
2564 
2565 	if (flags && (*flags & MONITOR_FLAG_ACTIVE) &&
2566 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
2567 		return -EOPNOTSUPP;
2568 
2569 	if (change)
2570 		err = cfg80211_change_iface(rdev, dev, ntype, flags, &params);
2571 	else
2572 		err = 0;
2573 
2574 	if (!err && params.use_4addr != -1)
2575 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
2576 
2577 	return err;
2578 }
2579 
2580 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
2581 {
2582 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2583 	struct vif_params params;
2584 	struct wireless_dev *wdev;
2585 	struct sk_buff *msg;
2586 	int err;
2587 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
2588 	u32 flags;
2589 
2590 	/* to avoid failing a new interface creation due to pending removal */
2591 	cfg80211_destroy_ifaces(rdev);
2592 
2593 	memset(&params, 0, sizeof(params));
2594 
2595 	if (!info->attrs[NL80211_ATTR_IFNAME])
2596 		return -EINVAL;
2597 
2598 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2599 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2600 		if (type > NL80211_IFTYPE_MAX)
2601 			return -EINVAL;
2602 	}
2603 
2604 	if (!rdev->ops->add_virtual_intf ||
2605 	    !(rdev->wiphy.interface_modes & (1 << type)))
2606 		return -EOPNOTSUPP;
2607 
2608 	if (type == NL80211_IFTYPE_P2P_DEVICE && info->attrs[NL80211_ATTR_MAC]) {
2609 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
2610 			   ETH_ALEN);
2611 		if (!is_valid_ether_addr(params.macaddr))
2612 			return -EADDRNOTAVAIL;
2613 	}
2614 
2615 	if (info->attrs[NL80211_ATTR_4ADDR]) {
2616 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2617 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
2618 		if (err)
2619 			return err;
2620 	}
2621 
2622 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2623 	if (!msg)
2624 		return -ENOMEM;
2625 
2626 	err = parse_monitor_flags(type == NL80211_IFTYPE_MONITOR ?
2627 				  info->attrs[NL80211_ATTR_MNTR_FLAGS] : NULL,
2628 				  &flags);
2629 
2630 	if (!err && (flags & MONITOR_FLAG_ACTIVE) &&
2631 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
2632 		return -EOPNOTSUPP;
2633 
2634 	wdev = rdev_add_virtual_intf(rdev,
2635 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
2636 				type, err ? NULL : &flags, &params);
2637 	if (IS_ERR(wdev)) {
2638 		nlmsg_free(msg);
2639 		return PTR_ERR(wdev);
2640 	}
2641 
2642 	if (info->attrs[NL80211_ATTR_IFACE_SOCKET_OWNER])
2643 		wdev->owner_nlportid = info->snd_portid;
2644 
2645 	switch (type) {
2646 	case NL80211_IFTYPE_MESH_POINT:
2647 		if (!info->attrs[NL80211_ATTR_MESH_ID])
2648 			break;
2649 		wdev_lock(wdev);
2650 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2651 			     IEEE80211_MAX_MESH_ID_LEN);
2652 		wdev->mesh_id_up_len =
2653 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2654 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2655 		       wdev->mesh_id_up_len);
2656 		wdev_unlock(wdev);
2657 		break;
2658 	case NL80211_IFTYPE_P2P_DEVICE:
2659 		/*
2660 		 * P2P Device doesn't have a netdev, so doesn't go
2661 		 * through the netdev notifier and must be added here
2662 		 */
2663 		mutex_init(&wdev->mtx);
2664 		INIT_LIST_HEAD(&wdev->event_list);
2665 		spin_lock_init(&wdev->event_lock);
2666 		INIT_LIST_HEAD(&wdev->mgmt_registrations);
2667 		spin_lock_init(&wdev->mgmt_registrations_lock);
2668 
2669 		wdev->identifier = ++rdev->wdev_id;
2670 		list_add_rcu(&wdev->list, &rdev->wdev_list);
2671 		rdev->devlist_generation++;
2672 		break;
2673 	default:
2674 		break;
2675 	}
2676 
2677 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2678 			       rdev, wdev) < 0) {
2679 		nlmsg_free(msg);
2680 		return -ENOBUFS;
2681 	}
2682 
2683 	return genlmsg_reply(msg, info);
2684 }
2685 
2686 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
2687 {
2688 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2689 	struct wireless_dev *wdev = info->user_ptr[1];
2690 
2691 	if (!rdev->ops->del_virtual_intf)
2692 		return -EOPNOTSUPP;
2693 
2694 	/*
2695 	 * If we remove a wireless device without a netdev then clear
2696 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
2697 	 * to check if it needs to do dev_put(). Otherwise it crashes
2698 	 * since the wdev has been freed, unlike with a netdev where
2699 	 * we need the dev_put() for the netdev to really be freed.
2700 	 */
2701 	if (!wdev->netdev)
2702 		info->user_ptr[1] = NULL;
2703 
2704 	return rdev_del_virtual_intf(rdev, wdev);
2705 }
2706 
2707 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
2708 {
2709 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2710 	struct net_device *dev = info->user_ptr[1];
2711 	u16 noack_map;
2712 
2713 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
2714 		return -EINVAL;
2715 
2716 	if (!rdev->ops->set_noack_map)
2717 		return -EOPNOTSUPP;
2718 
2719 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
2720 
2721 	return rdev_set_noack_map(rdev, dev, noack_map);
2722 }
2723 
2724 struct get_key_cookie {
2725 	struct sk_buff *msg;
2726 	int error;
2727 	int idx;
2728 };
2729 
2730 static void get_key_callback(void *c, struct key_params *params)
2731 {
2732 	struct nlattr *key;
2733 	struct get_key_cookie *cookie = c;
2734 
2735 	if ((params->key &&
2736 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
2737 		     params->key_len, params->key)) ||
2738 	    (params->seq &&
2739 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
2740 		     params->seq_len, params->seq)) ||
2741 	    (params->cipher &&
2742 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
2743 			 params->cipher)))
2744 		goto nla_put_failure;
2745 
2746 	key = nla_nest_start(cookie->msg, NL80211_ATTR_KEY);
2747 	if (!key)
2748 		goto nla_put_failure;
2749 
2750 	if ((params->key &&
2751 	     nla_put(cookie->msg, NL80211_KEY_DATA,
2752 		     params->key_len, params->key)) ||
2753 	    (params->seq &&
2754 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
2755 		     params->seq_len, params->seq)) ||
2756 	    (params->cipher &&
2757 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
2758 			 params->cipher)))
2759 		goto nla_put_failure;
2760 
2761 	if (nla_put_u8(cookie->msg, NL80211_ATTR_KEY_IDX, cookie->idx))
2762 		goto nla_put_failure;
2763 
2764 	nla_nest_end(cookie->msg, key);
2765 
2766 	return;
2767  nla_put_failure:
2768 	cookie->error = 1;
2769 }
2770 
2771 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
2772 {
2773 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2774 	int err;
2775 	struct net_device *dev = info->user_ptr[1];
2776 	u8 key_idx = 0;
2777 	const u8 *mac_addr = NULL;
2778 	bool pairwise;
2779 	struct get_key_cookie cookie = {
2780 		.error = 0,
2781 	};
2782 	void *hdr;
2783 	struct sk_buff *msg;
2784 
2785 	if (info->attrs[NL80211_ATTR_KEY_IDX])
2786 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
2787 
2788 	if (key_idx > 5)
2789 		return -EINVAL;
2790 
2791 	if (info->attrs[NL80211_ATTR_MAC])
2792 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2793 
2794 	pairwise = !!mac_addr;
2795 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
2796 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
2797 		if (kt >= NUM_NL80211_KEYTYPES)
2798 			return -EINVAL;
2799 		if (kt != NL80211_KEYTYPE_GROUP &&
2800 		    kt != NL80211_KEYTYPE_PAIRWISE)
2801 			return -EINVAL;
2802 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
2803 	}
2804 
2805 	if (!rdev->ops->get_key)
2806 		return -EOPNOTSUPP;
2807 
2808 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2809 	if (!msg)
2810 		return -ENOMEM;
2811 
2812 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
2813 			     NL80211_CMD_NEW_KEY);
2814 	if (!hdr)
2815 		goto nla_put_failure;
2816 
2817 	cookie.msg = msg;
2818 	cookie.idx = key_idx;
2819 
2820 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2821 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
2822 		goto nla_put_failure;
2823 	if (mac_addr &&
2824 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
2825 		goto nla_put_failure;
2826 
2827 	if (pairwise && mac_addr &&
2828 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2829 		return -ENOENT;
2830 
2831 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
2832 			   get_key_callback);
2833 
2834 	if (err)
2835 		goto free_msg;
2836 
2837 	if (cookie.error)
2838 		goto nla_put_failure;
2839 
2840 	genlmsg_end(msg, hdr);
2841 	return genlmsg_reply(msg, info);
2842 
2843  nla_put_failure:
2844 	err = -ENOBUFS;
2845  free_msg:
2846 	nlmsg_free(msg);
2847 	return err;
2848 }
2849 
2850 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
2851 {
2852 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2853 	struct key_parse key;
2854 	int err;
2855 	struct net_device *dev = info->user_ptr[1];
2856 
2857 	err = nl80211_parse_key(info, &key);
2858 	if (err)
2859 		return err;
2860 
2861 	if (key.idx < 0)
2862 		return -EINVAL;
2863 
2864 	/* only support setting default key */
2865 	if (!key.def && !key.defmgmt)
2866 		return -EINVAL;
2867 
2868 	wdev_lock(dev->ieee80211_ptr);
2869 
2870 	if (key.def) {
2871 		if (!rdev->ops->set_default_key) {
2872 			err = -EOPNOTSUPP;
2873 			goto out;
2874 		}
2875 
2876 		err = nl80211_key_allowed(dev->ieee80211_ptr);
2877 		if (err)
2878 			goto out;
2879 
2880 		err = rdev_set_default_key(rdev, dev, key.idx,
2881 						 key.def_uni, key.def_multi);
2882 
2883 		if (err)
2884 			goto out;
2885 
2886 #ifdef CONFIG_CFG80211_WEXT
2887 		dev->ieee80211_ptr->wext.default_key = key.idx;
2888 #endif
2889 	} else {
2890 		if (key.def_uni || !key.def_multi) {
2891 			err = -EINVAL;
2892 			goto out;
2893 		}
2894 
2895 		if (!rdev->ops->set_default_mgmt_key) {
2896 			err = -EOPNOTSUPP;
2897 			goto out;
2898 		}
2899 
2900 		err = nl80211_key_allowed(dev->ieee80211_ptr);
2901 		if (err)
2902 			goto out;
2903 
2904 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
2905 		if (err)
2906 			goto out;
2907 
2908 #ifdef CONFIG_CFG80211_WEXT
2909 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
2910 #endif
2911 	}
2912 
2913  out:
2914 	wdev_unlock(dev->ieee80211_ptr);
2915 
2916 	return err;
2917 }
2918 
2919 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
2920 {
2921 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2922 	int err;
2923 	struct net_device *dev = info->user_ptr[1];
2924 	struct key_parse key;
2925 	const u8 *mac_addr = NULL;
2926 
2927 	err = nl80211_parse_key(info, &key);
2928 	if (err)
2929 		return err;
2930 
2931 	if (!key.p.key)
2932 		return -EINVAL;
2933 
2934 	if (info->attrs[NL80211_ATTR_MAC])
2935 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2936 
2937 	if (key.type == -1) {
2938 		if (mac_addr)
2939 			key.type = NL80211_KEYTYPE_PAIRWISE;
2940 		else
2941 			key.type = NL80211_KEYTYPE_GROUP;
2942 	}
2943 
2944 	/* for now */
2945 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
2946 	    key.type != NL80211_KEYTYPE_GROUP)
2947 		return -EINVAL;
2948 
2949 	if (!rdev->ops->add_key)
2950 		return -EOPNOTSUPP;
2951 
2952 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
2953 					   key.type == NL80211_KEYTYPE_PAIRWISE,
2954 					   mac_addr))
2955 		return -EINVAL;
2956 
2957 	wdev_lock(dev->ieee80211_ptr);
2958 	err = nl80211_key_allowed(dev->ieee80211_ptr);
2959 	if (!err)
2960 		err = rdev_add_key(rdev, dev, key.idx,
2961 				   key.type == NL80211_KEYTYPE_PAIRWISE,
2962 				    mac_addr, &key.p);
2963 	wdev_unlock(dev->ieee80211_ptr);
2964 
2965 	return err;
2966 }
2967 
2968 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
2969 {
2970 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2971 	int err;
2972 	struct net_device *dev = info->user_ptr[1];
2973 	u8 *mac_addr = NULL;
2974 	struct key_parse key;
2975 
2976 	err = nl80211_parse_key(info, &key);
2977 	if (err)
2978 		return err;
2979 
2980 	if (info->attrs[NL80211_ATTR_MAC])
2981 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2982 
2983 	if (key.type == -1) {
2984 		if (mac_addr)
2985 			key.type = NL80211_KEYTYPE_PAIRWISE;
2986 		else
2987 			key.type = NL80211_KEYTYPE_GROUP;
2988 	}
2989 
2990 	/* for now */
2991 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
2992 	    key.type != NL80211_KEYTYPE_GROUP)
2993 		return -EINVAL;
2994 
2995 	if (!rdev->ops->del_key)
2996 		return -EOPNOTSUPP;
2997 
2998 	wdev_lock(dev->ieee80211_ptr);
2999 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3000 
3001 	if (key.type == NL80211_KEYTYPE_PAIRWISE && mac_addr &&
3002 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3003 		err = -ENOENT;
3004 
3005 	if (!err)
3006 		err = rdev_del_key(rdev, dev, key.idx,
3007 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3008 				   mac_addr);
3009 
3010 #ifdef CONFIG_CFG80211_WEXT
3011 	if (!err) {
3012 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
3013 			dev->ieee80211_ptr->wext.default_key = -1;
3014 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
3015 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
3016 	}
3017 #endif
3018 	wdev_unlock(dev->ieee80211_ptr);
3019 
3020 	return err;
3021 }
3022 
3023 /* This function returns an error or the number of nested attributes */
3024 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
3025 {
3026 	struct nlattr *attr;
3027 	int n_entries = 0, tmp;
3028 
3029 	nla_for_each_nested(attr, nl_attr, tmp) {
3030 		if (nla_len(attr) != ETH_ALEN)
3031 			return -EINVAL;
3032 
3033 		n_entries++;
3034 	}
3035 
3036 	return n_entries;
3037 }
3038 
3039 /*
3040  * This function parses ACL information and allocates memory for ACL data.
3041  * On successful return, the calling function is responsible to free the
3042  * ACL buffer returned by this function.
3043  */
3044 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
3045 						struct genl_info *info)
3046 {
3047 	enum nl80211_acl_policy acl_policy;
3048 	struct nlattr *attr;
3049 	struct cfg80211_acl_data *acl;
3050 	int i = 0, n_entries, tmp;
3051 
3052 	if (!wiphy->max_acl_mac_addrs)
3053 		return ERR_PTR(-EOPNOTSUPP);
3054 
3055 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
3056 		return ERR_PTR(-EINVAL);
3057 
3058 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
3059 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
3060 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
3061 		return ERR_PTR(-EINVAL);
3062 
3063 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
3064 		return ERR_PTR(-EINVAL);
3065 
3066 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
3067 	if (n_entries < 0)
3068 		return ERR_PTR(n_entries);
3069 
3070 	if (n_entries > wiphy->max_acl_mac_addrs)
3071 		return ERR_PTR(-ENOTSUPP);
3072 
3073 	acl = kzalloc(sizeof(*acl) + (sizeof(struct mac_address) * n_entries),
3074 		      GFP_KERNEL);
3075 	if (!acl)
3076 		return ERR_PTR(-ENOMEM);
3077 
3078 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
3079 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
3080 		i++;
3081 	}
3082 
3083 	acl->n_acl_entries = n_entries;
3084 	acl->acl_policy = acl_policy;
3085 
3086 	return acl;
3087 }
3088 
3089 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
3090 {
3091 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3092 	struct net_device *dev = info->user_ptr[1];
3093 	struct cfg80211_acl_data *acl;
3094 	int err;
3095 
3096 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3097 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3098 		return -EOPNOTSUPP;
3099 
3100 	if (!dev->ieee80211_ptr->beacon_interval)
3101 		return -EINVAL;
3102 
3103 	acl = parse_acl_data(&rdev->wiphy, info);
3104 	if (IS_ERR(acl))
3105 		return PTR_ERR(acl);
3106 
3107 	err = rdev_set_mac_acl(rdev, dev, acl);
3108 
3109 	kfree(acl);
3110 
3111 	return err;
3112 }
3113 
3114 static int nl80211_parse_beacon(struct nlattr *attrs[],
3115 				struct cfg80211_beacon_data *bcn)
3116 {
3117 	bool haveinfo = false;
3118 
3119 	if (!is_valid_ie_attr(attrs[NL80211_ATTR_BEACON_TAIL]) ||
3120 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE]) ||
3121 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE_PROBE_RESP]) ||
3122 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE_ASSOC_RESP]))
3123 		return -EINVAL;
3124 
3125 	memset(bcn, 0, sizeof(*bcn));
3126 
3127 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
3128 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
3129 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
3130 		if (!bcn->head_len)
3131 			return -EINVAL;
3132 		haveinfo = true;
3133 	}
3134 
3135 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
3136 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
3137 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
3138 		haveinfo = true;
3139 	}
3140 
3141 	if (!haveinfo)
3142 		return -EINVAL;
3143 
3144 	if (attrs[NL80211_ATTR_IE]) {
3145 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
3146 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
3147 	}
3148 
3149 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
3150 		bcn->proberesp_ies =
3151 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
3152 		bcn->proberesp_ies_len =
3153 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
3154 	}
3155 
3156 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
3157 		bcn->assocresp_ies =
3158 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
3159 		bcn->assocresp_ies_len =
3160 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
3161 	}
3162 
3163 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
3164 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
3165 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
3166 	}
3167 
3168 	return 0;
3169 }
3170 
3171 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
3172 				   struct cfg80211_ap_settings *params)
3173 {
3174 	struct wireless_dev *wdev;
3175 	bool ret = false;
3176 
3177 	list_for_each_entry(wdev, &rdev->wdev_list, list) {
3178 		if (wdev->iftype != NL80211_IFTYPE_AP &&
3179 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
3180 			continue;
3181 
3182 		if (!wdev->preset_chandef.chan)
3183 			continue;
3184 
3185 		params->chandef = wdev->preset_chandef;
3186 		ret = true;
3187 		break;
3188 	}
3189 
3190 	return ret;
3191 }
3192 
3193 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
3194 				    enum nl80211_auth_type auth_type,
3195 				    enum nl80211_commands cmd)
3196 {
3197 	if (auth_type > NL80211_AUTHTYPE_MAX)
3198 		return false;
3199 
3200 	switch (cmd) {
3201 	case NL80211_CMD_AUTHENTICATE:
3202 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
3203 		    auth_type == NL80211_AUTHTYPE_SAE)
3204 			return false;
3205 		return true;
3206 	case NL80211_CMD_CONNECT:
3207 	case NL80211_CMD_START_AP:
3208 		/* SAE not supported yet */
3209 		if (auth_type == NL80211_AUTHTYPE_SAE)
3210 			return false;
3211 		return true;
3212 	default:
3213 		return false;
3214 	}
3215 }
3216 
3217 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
3218 {
3219 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3220 	struct net_device *dev = info->user_ptr[1];
3221 	struct wireless_dev *wdev = dev->ieee80211_ptr;
3222 	struct cfg80211_ap_settings params;
3223 	int err;
3224 
3225 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3226 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3227 		return -EOPNOTSUPP;
3228 
3229 	if (!rdev->ops->start_ap)
3230 		return -EOPNOTSUPP;
3231 
3232 	if (wdev->beacon_interval)
3233 		return -EALREADY;
3234 
3235 	memset(&params, 0, sizeof(params));
3236 
3237 	/* these are required for START_AP */
3238 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
3239 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
3240 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
3241 		return -EINVAL;
3242 
3243 	err = nl80211_parse_beacon(info->attrs, &params.beacon);
3244 	if (err)
3245 		return err;
3246 
3247 	params.beacon_interval =
3248 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
3249 	params.dtim_period =
3250 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
3251 
3252 	err = cfg80211_validate_beacon_int(rdev, params.beacon_interval);
3253 	if (err)
3254 		return err;
3255 
3256 	/*
3257 	 * In theory, some of these attributes should be required here
3258 	 * but since they were not used when the command was originally
3259 	 * added, keep them optional for old user space programs to let
3260 	 * them continue to work with drivers that do not need the
3261 	 * additional information -- drivers must check!
3262 	 */
3263 	if (info->attrs[NL80211_ATTR_SSID]) {
3264 		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
3265 		params.ssid_len =
3266 			nla_len(info->attrs[NL80211_ATTR_SSID]);
3267 		if (params.ssid_len == 0 ||
3268 		    params.ssid_len > IEEE80211_MAX_SSID_LEN)
3269 			return -EINVAL;
3270 	}
3271 
3272 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID]) {
3273 		params.hidden_ssid = nla_get_u32(
3274 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
3275 		if (params.hidden_ssid != NL80211_HIDDEN_SSID_NOT_IN_USE &&
3276 		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_LEN &&
3277 		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_CONTENTS)
3278 			return -EINVAL;
3279 	}
3280 
3281 	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
3282 
3283 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
3284 		params.auth_type = nla_get_u32(
3285 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
3286 		if (!nl80211_valid_auth_type(rdev, params.auth_type,
3287 					     NL80211_CMD_START_AP))
3288 			return -EINVAL;
3289 	} else
3290 		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
3291 
3292 	err = nl80211_crypto_settings(rdev, info, &params.crypto,
3293 				      NL80211_MAX_NR_CIPHER_SUITES);
3294 	if (err)
3295 		return err;
3296 
3297 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
3298 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
3299 			return -EOPNOTSUPP;
3300 		params.inactivity_timeout = nla_get_u16(
3301 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
3302 	}
3303 
3304 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
3305 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3306 			return -EINVAL;
3307 		params.p2p_ctwindow =
3308 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
3309 		if (params.p2p_ctwindow > 127)
3310 			return -EINVAL;
3311 		if (params.p2p_ctwindow != 0 &&
3312 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
3313 			return -EINVAL;
3314 	}
3315 
3316 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
3317 		u8 tmp;
3318 
3319 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3320 			return -EINVAL;
3321 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
3322 		if (tmp > 1)
3323 			return -EINVAL;
3324 		params.p2p_opp_ps = tmp;
3325 		if (params.p2p_opp_ps != 0 &&
3326 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
3327 			return -EINVAL;
3328 	}
3329 
3330 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3331 		err = nl80211_parse_chandef(rdev, info, &params.chandef);
3332 		if (err)
3333 			return err;
3334 	} else if (wdev->preset_chandef.chan) {
3335 		params.chandef = wdev->preset_chandef;
3336 	} else if (!nl80211_get_ap_channel(rdev, &params))
3337 		return -EINVAL;
3338 
3339 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &params.chandef,
3340 				     wdev->iftype))
3341 		return -EINVAL;
3342 
3343 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
3344 		params.acl = parse_acl_data(&rdev->wiphy, info);
3345 		if (IS_ERR(params.acl))
3346 			return PTR_ERR(params.acl);
3347 	}
3348 
3349 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
3350 		params.smps_mode =
3351 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
3352 		switch (params.smps_mode) {
3353 		case NL80211_SMPS_OFF:
3354 			break;
3355 		case NL80211_SMPS_STATIC:
3356 			if (!(rdev->wiphy.features &
3357 			      NL80211_FEATURE_STATIC_SMPS))
3358 				return -EINVAL;
3359 			break;
3360 		case NL80211_SMPS_DYNAMIC:
3361 			if (!(rdev->wiphy.features &
3362 			      NL80211_FEATURE_DYNAMIC_SMPS))
3363 				return -EINVAL;
3364 			break;
3365 		default:
3366 			return -EINVAL;
3367 		}
3368 	} else {
3369 		params.smps_mode = NL80211_SMPS_OFF;
3370 	}
3371 
3372 	wdev_lock(wdev);
3373 	err = rdev_start_ap(rdev, dev, &params);
3374 	if (!err) {
3375 		wdev->preset_chandef = params.chandef;
3376 		wdev->beacon_interval = params.beacon_interval;
3377 		wdev->chandef = params.chandef;
3378 		wdev->ssid_len = params.ssid_len;
3379 		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
3380 	}
3381 	wdev_unlock(wdev);
3382 
3383 	kfree(params.acl);
3384 
3385 	return err;
3386 }
3387 
3388 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
3389 {
3390 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3391 	struct net_device *dev = info->user_ptr[1];
3392 	struct wireless_dev *wdev = dev->ieee80211_ptr;
3393 	struct cfg80211_beacon_data params;
3394 	int err;
3395 
3396 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3397 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3398 		return -EOPNOTSUPP;
3399 
3400 	if (!rdev->ops->change_beacon)
3401 		return -EOPNOTSUPP;
3402 
3403 	if (!wdev->beacon_interval)
3404 		return -EINVAL;
3405 
3406 	err = nl80211_parse_beacon(info->attrs, &params);
3407 	if (err)
3408 		return err;
3409 
3410 	wdev_lock(wdev);
3411 	err = rdev_change_beacon(rdev, dev, &params);
3412 	wdev_unlock(wdev);
3413 
3414 	return err;
3415 }
3416 
3417 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
3418 {
3419 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3420 	struct net_device *dev = info->user_ptr[1];
3421 
3422 	return cfg80211_stop_ap(rdev, dev, false);
3423 }
3424 
3425 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
3426 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
3427 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
3428 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
3429 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
3430 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
3431 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
3432 };
3433 
3434 static int parse_station_flags(struct genl_info *info,
3435 			       enum nl80211_iftype iftype,
3436 			       struct station_parameters *params)
3437 {
3438 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
3439 	struct nlattr *nla;
3440 	int flag;
3441 
3442 	/*
3443 	 * Try parsing the new attribute first so userspace
3444 	 * can specify both for older kernels.
3445 	 */
3446 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
3447 	if (nla) {
3448 		struct nl80211_sta_flag_update *sta_flags;
3449 
3450 		sta_flags = nla_data(nla);
3451 		params->sta_flags_mask = sta_flags->mask;
3452 		params->sta_flags_set = sta_flags->set;
3453 		params->sta_flags_set &= params->sta_flags_mask;
3454 		if ((params->sta_flags_mask |
3455 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
3456 			return -EINVAL;
3457 		return 0;
3458 	}
3459 
3460 	/* if present, parse the old attribute */
3461 
3462 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
3463 	if (!nla)
3464 		return 0;
3465 
3466 	if (nla_parse_nested(flags, NL80211_STA_FLAG_MAX,
3467 			     nla, sta_flags_policy))
3468 		return -EINVAL;
3469 
3470 	/*
3471 	 * Only allow certain flags for interface types so that
3472 	 * other attributes are silently ignored. Remember that
3473 	 * this is backward compatibility code with old userspace
3474 	 * and shouldn't be hit in other cases anyway.
3475 	 */
3476 	switch (iftype) {
3477 	case NL80211_IFTYPE_AP:
3478 	case NL80211_IFTYPE_AP_VLAN:
3479 	case NL80211_IFTYPE_P2P_GO:
3480 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
3481 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
3482 					 BIT(NL80211_STA_FLAG_WME) |
3483 					 BIT(NL80211_STA_FLAG_MFP);
3484 		break;
3485 	case NL80211_IFTYPE_P2P_CLIENT:
3486 	case NL80211_IFTYPE_STATION:
3487 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
3488 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
3489 		break;
3490 	case NL80211_IFTYPE_MESH_POINT:
3491 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3492 					 BIT(NL80211_STA_FLAG_MFP) |
3493 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
3494 	default:
3495 		return -EINVAL;
3496 	}
3497 
3498 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
3499 		if (flags[flag]) {
3500 			params->sta_flags_set |= (1<<flag);
3501 
3502 			/* no longer support new API additions in old API */
3503 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
3504 				return -EINVAL;
3505 		}
3506 	}
3507 
3508 	return 0;
3509 }
3510 
3511 static bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info,
3512 				 int attr)
3513 {
3514 	struct nlattr *rate;
3515 	u32 bitrate;
3516 	u16 bitrate_compat;
3517 
3518 	rate = nla_nest_start(msg, attr);
3519 	if (!rate)
3520 		return false;
3521 
3522 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
3523 	bitrate = cfg80211_calculate_bitrate(info);
3524 	/* report 16-bit bitrate only if we can */
3525 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
3526 	if (bitrate > 0 &&
3527 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
3528 		return false;
3529 	if (bitrate_compat > 0 &&
3530 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
3531 		return false;
3532 
3533 	if (info->flags & RATE_INFO_FLAGS_MCS) {
3534 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
3535 			return false;
3536 		if (info->flags & RATE_INFO_FLAGS_40_MHZ_WIDTH &&
3537 		    nla_put_flag(msg, NL80211_RATE_INFO_40_MHZ_WIDTH))
3538 			return false;
3539 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3540 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3541 			return false;
3542 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
3543 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
3544 			return false;
3545 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
3546 			return false;
3547 		if (info->flags & RATE_INFO_FLAGS_40_MHZ_WIDTH &&
3548 		    nla_put_flag(msg, NL80211_RATE_INFO_40_MHZ_WIDTH))
3549 			return false;
3550 		if (info->flags & RATE_INFO_FLAGS_80_MHZ_WIDTH &&
3551 		    nla_put_flag(msg, NL80211_RATE_INFO_80_MHZ_WIDTH))
3552 			return false;
3553 		if (info->flags & RATE_INFO_FLAGS_80P80_MHZ_WIDTH &&
3554 		    nla_put_flag(msg, NL80211_RATE_INFO_80P80_MHZ_WIDTH))
3555 			return false;
3556 		if (info->flags & RATE_INFO_FLAGS_160_MHZ_WIDTH &&
3557 		    nla_put_flag(msg, NL80211_RATE_INFO_160_MHZ_WIDTH))
3558 			return false;
3559 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3560 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3561 			return false;
3562 	}
3563 
3564 	nla_nest_end(msg, rate);
3565 	return true;
3566 }
3567 
3568 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
3569 			       int id)
3570 {
3571 	void *attr;
3572 	int i = 0;
3573 
3574 	if (!mask)
3575 		return true;
3576 
3577 	attr = nla_nest_start(msg, id);
3578 	if (!attr)
3579 		return false;
3580 
3581 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
3582 		if (!(mask & BIT(i)))
3583 			continue;
3584 
3585 		if (nla_put_u8(msg, i, signal[i]))
3586 			return false;
3587 	}
3588 
3589 	nla_nest_end(msg, attr);
3590 
3591 	return true;
3592 }
3593 
3594 static int nl80211_send_station(struct sk_buff *msg, u32 portid, u32 seq,
3595 				int flags,
3596 				struct cfg80211_registered_device *rdev,
3597 				struct net_device *dev,
3598 				const u8 *mac_addr, struct station_info *sinfo)
3599 {
3600 	void *hdr;
3601 	struct nlattr *sinfoattr, *bss_param;
3602 
3603 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_STATION);
3604 	if (!hdr)
3605 		return -1;
3606 
3607 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3608 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
3609 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
3610 		goto nla_put_failure;
3611 
3612 	sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
3613 	if (!sinfoattr)
3614 		goto nla_put_failure;
3615 	if ((sinfo->filled & STATION_INFO_CONNECTED_TIME) &&
3616 	    nla_put_u32(msg, NL80211_STA_INFO_CONNECTED_TIME,
3617 			sinfo->connected_time))
3618 		goto nla_put_failure;
3619 	if ((sinfo->filled & STATION_INFO_INACTIVE_TIME) &&
3620 	    nla_put_u32(msg, NL80211_STA_INFO_INACTIVE_TIME,
3621 			sinfo->inactive_time))
3622 		goto nla_put_failure;
3623 	if ((sinfo->filled & (STATION_INFO_RX_BYTES |
3624 			      STATION_INFO_RX_BYTES64)) &&
3625 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
3626 			(u32)sinfo->rx_bytes))
3627 		goto nla_put_failure;
3628 	if ((sinfo->filled & (STATION_INFO_TX_BYTES |
3629 			      STATION_INFO_TX_BYTES64)) &&
3630 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
3631 			(u32)sinfo->tx_bytes))
3632 		goto nla_put_failure;
3633 	if ((sinfo->filled & STATION_INFO_RX_BYTES64) &&
3634 	    nla_put_u64(msg, NL80211_STA_INFO_RX_BYTES64,
3635 			sinfo->rx_bytes))
3636 		goto nla_put_failure;
3637 	if ((sinfo->filled & STATION_INFO_TX_BYTES64) &&
3638 	    nla_put_u64(msg, NL80211_STA_INFO_TX_BYTES64,
3639 			sinfo->tx_bytes))
3640 		goto nla_put_failure;
3641 	if ((sinfo->filled & STATION_INFO_LLID) &&
3642 	    nla_put_u16(msg, NL80211_STA_INFO_LLID, sinfo->llid))
3643 		goto nla_put_failure;
3644 	if ((sinfo->filled & STATION_INFO_PLID) &&
3645 	    nla_put_u16(msg, NL80211_STA_INFO_PLID, sinfo->plid))
3646 		goto nla_put_failure;
3647 	if ((sinfo->filled & STATION_INFO_PLINK_STATE) &&
3648 	    nla_put_u8(msg, NL80211_STA_INFO_PLINK_STATE,
3649 		       sinfo->plink_state))
3650 		goto nla_put_failure;
3651 	switch (rdev->wiphy.signal_type) {
3652 	case CFG80211_SIGNAL_TYPE_MBM:
3653 		if ((sinfo->filled & STATION_INFO_SIGNAL) &&
3654 		    nla_put_u8(msg, NL80211_STA_INFO_SIGNAL,
3655 			       sinfo->signal))
3656 			goto nla_put_failure;
3657 		if ((sinfo->filled & STATION_INFO_SIGNAL_AVG) &&
3658 		    nla_put_u8(msg, NL80211_STA_INFO_SIGNAL_AVG,
3659 			       sinfo->signal_avg))
3660 			goto nla_put_failure;
3661 		break;
3662 	default:
3663 		break;
3664 	}
3665 	if (sinfo->filled & STATION_INFO_CHAIN_SIGNAL) {
3666 		if (!nl80211_put_signal(msg, sinfo->chains,
3667 					sinfo->chain_signal,
3668 					NL80211_STA_INFO_CHAIN_SIGNAL))
3669 			goto nla_put_failure;
3670 	}
3671 	if (sinfo->filled & STATION_INFO_CHAIN_SIGNAL_AVG) {
3672 		if (!nl80211_put_signal(msg, sinfo->chains,
3673 					sinfo->chain_signal_avg,
3674 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
3675 			goto nla_put_failure;
3676 	}
3677 	if (sinfo->filled & STATION_INFO_TX_BITRATE) {
3678 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
3679 					  NL80211_STA_INFO_TX_BITRATE))
3680 			goto nla_put_failure;
3681 	}
3682 	if (sinfo->filled & STATION_INFO_RX_BITRATE) {
3683 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
3684 					  NL80211_STA_INFO_RX_BITRATE))
3685 			goto nla_put_failure;
3686 	}
3687 	if ((sinfo->filled & STATION_INFO_RX_PACKETS) &&
3688 	    nla_put_u32(msg, NL80211_STA_INFO_RX_PACKETS,
3689 			sinfo->rx_packets))
3690 		goto nla_put_failure;
3691 	if ((sinfo->filled & STATION_INFO_TX_PACKETS) &&
3692 	    nla_put_u32(msg, NL80211_STA_INFO_TX_PACKETS,
3693 			sinfo->tx_packets))
3694 		goto nla_put_failure;
3695 	if ((sinfo->filled & STATION_INFO_TX_RETRIES) &&
3696 	    nla_put_u32(msg, NL80211_STA_INFO_TX_RETRIES,
3697 			sinfo->tx_retries))
3698 		goto nla_put_failure;
3699 	if ((sinfo->filled & STATION_INFO_TX_FAILED) &&
3700 	    nla_put_u32(msg, NL80211_STA_INFO_TX_FAILED,
3701 			sinfo->tx_failed))
3702 		goto nla_put_failure;
3703 	if ((sinfo->filled & STATION_INFO_EXPECTED_THROUGHPUT) &&
3704 	    nla_put_u32(msg, NL80211_STA_INFO_EXPECTED_THROUGHPUT,
3705 			sinfo->expected_throughput))
3706 		goto nla_put_failure;
3707 	if ((sinfo->filled & STATION_INFO_BEACON_LOSS_COUNT) &&
3708 	    nla_put_u32(msg, NL80211_STA_INFO_BEACON_LOSS,
3709 			sinfo->beacon_loss_count))
3710 		goto nla_put_failure;
3711 	if ((sinfo->filled & STATION_INFO_LOCAL_PM) &&
3712 	    nla_put_u32(msg, NL80211_STA_INFO_LOCAL_PM,
3713 			sinfo->local_pm))
3714 		goto nla_put_failure;
3715 	if ((sinfo->filled & STATION_INFO_PEER_PM) &&
3716 	    nla_put_u32(msg, NL80211_STA_INFO_PEER_PM,
3717 			sinfo->peer_pm))
3718 		goto nla_put_failure;
3719 	if ((sinfo->filled & STATION_INFO_NONPEER_PM) &&
3720 	    nla_put_u32(msg, NL80211_STA_INFO_NONPEER_PM,
3721 			sinfo->nonpeer_pm))
3722 		goto nla_put_failure;
3723 	if (sinfo->filled & STATION_INFO_BSS_PARAM) {
3724 		bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
3725 		if (!bss_param)
3726 			goto nla_put_failure;
3727 
3728 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
3729 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
3730 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
3731 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
3732 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
3733 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
3734 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
3735 			       sinfo->bss_param.dtim_period) ||
3736 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
3737 				sinfo->bss_param.beacon_interval))
3738 			goto nla_put_failure;
3739 
3740 		nla_nest_end(msg, bss_param);
3741 	}
3742 	if ((sinfo->filled & STATION_INFO_STA_FLAGS) &&
3743 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
3744 		    sizeof(struct nl80211_sta_flag_update),
3745 		    &sinfo->sta_flags))
3746 		goto nla_put_failure;
3747 	if ((sinfo->filled & STATION_INFO_T_OFFSET) &&
3748 		nla_put_u64(msg, NL80211_STA_INFO_T_OFFSET,
3749 			    sinfo->t_offset))
3750 		goto nla_put_failure;
3751 	nla_nest_end(msg, sinfoattr);
3752 
3753 	if ((sinfo->filled & STATION_INFO_ASSOC_REQ_IES) &&
3754 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
3755 		    sinfo->assoc_req_ies))
3756 		goto nla_put_failure;
3757 
3758 	return genlmsg_end(msg, hdr);
3759 
3760  nla_put_failure:
3761 	genlmsg_cancel(msg, hdr);
3762 	return -EMSGSIZE;
3763 }
3764 
3765 static int nl80211_dump_station(struct sk_buff *skb,
3766 				struct netlink_callback *cb)
3767 {
3768 	struct station_info sinfo;
3769 	struct cfg80211_registered_device *rdev;
3770 	struct wireless_dev *wdev;
3771 	u8 mac_addr[ETH_ALEN];
3772 	int sta_idx = cb->args[2];
3773 	int err;
3774 
3775 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
3776 	if (err)
3777 		return err;
3778 
3779 	if (!wdev->netdev) {
3780 		err = -EINVAL;
3781 		goto out_err;
3782 	}
3783 
3784 	if (!rdev->ops->dump_station) {
3785 		err = -EOPNOTSUPP;
3786 		goto out_err;
3787 	}
3788 
3789 	while (1) {
3790 		memset(&sinfo, 0, sizeof(sinfo));
3791 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
3792 					mac_addr, &sinfo);
3793 		if (err == -ENOENT)
3794 			break;
3795 		if (err)
3796 			goto out_err;
3797 
3798 		if (nl80211_send_station(skb,
3799 				NETLINK_CB(cb->skb).portid,
3800 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
3801 				rdev, wdev->netdev, mac_addr,
3802 				&sinfo) < 0)
3803 			goto out;
3804 
3805 		sta_idx++;
3806 	}
3807 
3808 
3809  out:
3810 	cb->args[2] = sta_idx;
3811 	err = skb->len;
3812  out_err:
3813 	nl80211_finish_wdev_dump(rdev);
3814 
3815 	return err;
3816 }
3817 
3818 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
3819 {
3820 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3821 	struct net_device *dev = info->user_ptr[1];
3822 	struct station_info sinfo;
3823 	struct sk_buff *msg;
3824 	u8 *mac_addr = NULL;
3825 	int err;
3826 
3827 	memset(&sinfo, 0, sizeof(sinfo));
3828 
3829 	if (!info->attrs[NL80211_ATTR_MAC])
3830 		return -EINVAL;
3831 
3832 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3833 
3834 	if (!rdev->ops->get_station)
3835 		return -EOPNOTSUPP;
3836 
3837 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
3838 	if (err)
3839 		return err;
3840 
3841 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3842 	if (!msg)
3843 		return -ENOMEM;
3844 
3845 	if (nl80211_send_station(msg, info->snd_portid, info->snd_seq, 0,
3846 				 rdev, dev, mac_addr, &sinfo) < 0) {
3847 		nlmsg_free(msg);
3848 		return -ENOBUFS;
3849 	}
3850 
3851 	return genlmsg_reply(msg, info);
3852 }
3853 
3854 int cfg80211_check_station_change(struct wiphy *wiphy,
3855 				  struct station_parameters *params,
3856 				  enum cfg80211_station_type statype)
3857 {
3858 	if (params->listen_interval != -1)
3859 		return -EINVAL;
3860 	if (params->aid &&
3861 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
3862 		return -EINVAL;
3863 
3864 	/* When you run into this, adjust the code below for the new flag */
3865 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
3866 
3867 	switch (statype) {
3868 	case CFG80211_STA_MESH_PEER_KERNEL:
3869 	case CFG80211_STA_MESH_PEER_USER:
3870 		/*
3871 		 * No ignoring the TDLS flag here -- the userspace mesh
3872 		 * code doesn't have the bug of including TDLS in the
3873 		 * mask everywhere.
3874 		 */
3875 		if (params->sta_flags_mask &
3876 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3877 				  BIT(NL80211_STA_FLAG_MFP) |
3878 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
3879 			return -EINVAL;
3880 		break;
3881 	case CFG80211_STA_TDLS_PEER_SETUP:
3882 	case CFG80211_STA_TDLS_PEER_ACTIVE:
3883 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
3884 			return -EINVAL;
3885 		/* ignore since it can't change */
3886 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3887 		break;
3888 	default:
3889 		/* disallow mesh-specific things */
3890 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
3891 			return -EINVAL;
3892 		if (params->local_pm)
3893 			return -EINVAL;
3894 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
3895 			return -EINVAL;
3896 	}
3897 
3898 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
3899 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
3900 		/* TDLS can't be set, ... */
3901 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3902 			return -EINVAL;
3903 		/*
3904 		 * ... but don't bother the driver with it. This works around
3905 		 * a hostapd/wpa_supplicant issue -- it always includes the
3906 		 * TLDS_PEER flag in the mask even for AP mode.
3907 		 */
3908 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3909 	}
3910 
3911 	if (statype != CFG80211_STA_TDLS_PEER_SETUP) {
3912 		/* reject other things that can't change */
3913 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
3914 			return -EINVAL;
3915 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
3916 			return -EINVAL;
3917 		if (params->supported_rates)
3918 			return -EINVAL;
3919 		if (params->ext_capab || params->ht_capa || params->vht_capa)
3920 			return -EINVAL;
3921 	}
3922 
3923 	if (statype != CFG80211_STA_AP_CLIENT) {
3924 		if (params->vlan)
3925 			return -EINVAL;
3926 	}
3927 
3928 	switch (statype) {
3929 	case CFG80211_STA_AP_MLME_CLIENT:
3930 		/* Use this only for authorizing/unauthorizing a station */
3931 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
3932 			return -EOPNOTSUPP;
3933 		break;
3934 	case CFG80211_STA_AP_CLIENT:
3935 		/* accept only the listed bits */
3936 		if (params->sta_flags_mask &
3937 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
3938 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3939 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
3940 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
3941 				  BIT(NL80211_STA_FLAG_WME) |
3942 				  BIT(NL80211_STA_FLAG_MFP)))
3943 			return -EINVAL;
3944 
3945 		/* but authenticated/associated only if driver handles it */
3946 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
3947 		    params->sta_flags_mask &
3948 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3949 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
3950 			return -EINVAL;
3951 		break;
3952 	case CFG80211_STA_IBSS:
3953 	case CFG80211_STA_AP_STA:
3954 		/* reject any changes other than AUTHORIZED */
3955 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
3956 			return -EINVAL;
3957 		break;
3958 	case CFG80211_STA_TDLS_PEER_SETUP:
3959 		/* reject any changes other than AUTHORIZED or WME */
3960 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
3961 					       BIT(NL80211_STA_FLAG_WME)))
3962 			return -EINVAL;
3963 		/* force (at least) rates when authorizing */
3964 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
3965 		    !params->supported_rates)
3966 			return -EINVAL;
3967 		break;
3968 	case CFG80211_STA_TDLS_PEER_ACTIVE:
3969 		/* reject any changes */
3970 		return -EINVAL;
3971 	case CFG80211_STA_MESH_PEER_KERNEL:
3972 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
3973 			return -EINVAL;
3974 		break;
3975 	case CFG80211_STA_MESH_PEER_USER:
3976 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
3977 			return -EINVAL;
3978 		break;
3979 	}
3980 
3981 	return 0;
3982 }
3983 EXPORT_SYMBOL(cfg80211_check_station_change);
3984 
3985 /*
3986  * Get vlan interface making sure it is running and on the right wiphy.
3987  */
3988 static struct net_device *get_vlan(struct genl_info *info,
3989 				   struct cfg80211_registered_device *rdev)
3990 {
3991 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
3992 	struct net_device *v;
3993 	int ret;
3994 
3995 	if (!vlanattr)
3996 		return NULL;
3997 
3998 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
3999 	if (!v)
4000 		return ERR_PTR(-ENODEV);
4001 
4002 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
4003 		ret = -EINVAL;
4004 		goto error;
4005 	}
4006 
4007 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
4008 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4009 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
4010 		ret = -EINVAL;
4011 		goto error;
4012 	}
4013 
4014 	if (!netif_running(v)) {
4015 		ret = -ENETDOWN;
4016 		goto error;
4017 	}
4018 
4019 	return v;
4020  error:
4021 	dev_put(v);
4022 	return ERR_PTR(ret);
4023 }
4024 
4025 static const struct nla_policy
4026 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
4027 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
4028 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
4029 };
4030 
4031 static int nl80211_parse_sta_wme(struct genl_info *info,
4032 				 struct station_parameters *params)
4033 {
4034 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
4035 	struct nlattr *nla;
4036 	int err;
4037 
4038 	/* parse WME attributes if present */
4039 	if (!info->attrs[NL80211_ATTR_STA_WME])
4040 		return 0;
4041 
4042 	nla = info->attrs[NL80211_ATTR_STA_WME];
4043 	err = nla_parse_nested(tb, NL80211_STA_WME_MAX, nla,
4044 			       nl80211_sta_wme_policy);
4045 	if (err)
4046 		return err;
4047 
4048 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
4049 		params->uapsd_queues = nla_get_u8(
4050 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
4051 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
4052 		return -EINVAL;
4053 
4054 	if (tb[NL80211_STA_WME_MAX_SP])
4055 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
4056 
4057 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
4058 		return -EINVAL;
4059 
4060 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
4061 
4062 	return 0;
4063 }
4064 
4065 static int nl80211_parse_sta_channel_info(struct genl_info *info,
4066 				      struct station_parameters *params)
4067 {
4068 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
4069 		params->supported_channels =
4070 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
4071 		params->supported_channels_len =
4072 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
4073 		/*
4074 		 * Need to include at least one (first channel, number of
4075 		 * channels) tuple for each subband, and must have proper
4076 		 * tuples for the rest of the data as well.
4077 		 */
4078 		if (params->supported_channels_len < 2)
4079 			return -EINVAL;
4080 		if (params->supported_channels_len % 2)
4081 			return -EINVAL;
4082 	}
4083 
4084 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
4085 		params->supported_oper_classes =
4086 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
4087 		params->supported_oper_classes_len =
4088 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
4089 		/*
4090 		 * The value of the Length field of the Supported Operating
4091 		 * Classes element is between 2 and 253.
4092 		 */
4093 		if (params->supported_oper_classes_len < 2 ||
4094 		    params->supported_oper_classes_len > 253)
4095 			return -EINVAL;
4096 	}
4097 	return 0;
4098 }
4099 
4100 static int nl80211_set_station_tdls(struct genl_info *info,
4101 				    struct station_parameters *params)
4102 {
4103 	int err;
4104 	/* Dummy STA entry gets updated once the peer capabilities are known */
4105 	if (info->attrs[NL80211_ATTR_PEER_AID])
4106 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
4107 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
4108 		params->ht_capa =
4109 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
4110 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
4111 		params->vht_capa =
4112 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
4113 
4114 	err = nl80211_parse_sta_channel_info(info, params);
4115 	if (err)
4116 		return err;
4117 
4118 	return nl80211_parse_sta_wme(info, params);
4119 }
4120 
4121 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
4122 {
4123 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4124 	struct net_device *dev = info->user_ptr[1];
4125 	struct station_parameters params;
4126 	u8 *mac_addr;
4127 	int err;
4128 
4129 	memset(&params, 0, sizeof(params));
4130 
4131 	params.listen_interval = -1;
4132 
4133 	if (!rdev->ops->change_station)
4134 		return -EOPNOTSUPP;
4135 
4136 	if (info->attrs[NL80211_ATTR_STA_AID])
4137 		return -EINVAL;
4138 
4139 	if (!info->attrs[NL80211_ATTR_MAC])
4140 		return -EINVAL;
4141 
4142 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4143 
4144 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
4145 		params.supported_rates =
4146 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4147 		params.supported_rates_len =
4148 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4149 	}
4150 
4151 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
4152 		params.capability =
4153 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
4154 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
4155 	}
4156 
4157 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
4158 		params.ext_capab =
4159 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4160 		params.ext_capab_len =
4161 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4162 	}
4163 
4164 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
4165 		return -EINVAL;
4166 
4167 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
4168 		return -EINVAL;
4169 
4170 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
4171 		params.plink_action =
4172 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
4173 		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
4174 			return -EINVAL;
4175 	}
4176 
4177 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
4178 		params.plink_state =
4179 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
4180 		if (params.plink_state >= NUM_NL80211_PLINK_STATES)
4181 			return -EINVAL;
4182 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
4183 	}
4184 
4185 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]) {
4186 		enum nl80211_mesh_power_mode pm = nla_get_u32(
4187 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
4188 
4189 		if (pm <= NL80211_MESH_POWER_UNKNOWN ||
4190 		    pm > NL80211_MESH_POWER_MAX)
4191 			return -EINVAL;
4192 
4193 		params.local_pm = pm;
4194 	}
4195 
4196 	/* Include parameters for TDLS peer (will check later) */
4197 	err = nl80211_set_station_tdls(info, &params);
4198 	if (err)
4199 		return err;
4200 
4201 	params.vlan = get_vlan(info, rdev);
4202 	if (IS_ERR(params.vlan))
4203 		return PTR_ERR(params.vlan);
4204 
4205 	switch (dev->ieee80211_ptr->iftype) {
4206 	case NL80211_IFTYPE_AP:
4207 	case NL80211_IFTYPE_AP_VLAN:
4208 	case NL80211_IFTYPE_P2P_GO:
4209 	case NL80211_IFTYPE_P2P_CLIENT:
4210 	case NL80211_IFTYPE_STATION:
4211 	case NL80211_IFTYPE_ADHOC:
4212 	case NL80211_IFTYPE_MESH_POINT:
4213 		break;
4214 	default:
4215 		err = -EOPNOTSUPP;
4216 		goto out_put_vlan;
4217 	}
4218 
4219 	/* driver will call cfg80211_check_station_change() */
4220 	err = rdev_change_station(rdev, dev, mac_addr, &params);
4221 
4222  out_put_vlan:
4223 	if (params.vlan)
4224 		dev_put(params.vlan);
4225 
4226 	return err;
4227 }
4228 
4229 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
4230 {
4231 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4232 	int err;
4233 	struct net_device *dev = info->user_ptr[1];
4234 	struct station_parameters params;
4235 	u8 *mac_addr = NULL;
4236 
4237 	memset(&params, 0, sizeof(params));
4238 
4239 	if (!rdev->ops->add_station)
4240 		return -EOPNOTSUPP;
4241 
4242 	if (!info->attrs[NL80211_ATTR_MAC])
4243 		return -EINVAL;
4244 
4245 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
4246 		return -EINVAL;
4247 
4248 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
4249 		return -EINVAL;
4250 
4251 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
4252 	    !info->attrs[NL80211_ATTR_PEER_AID])
4253 		return -EINVAL;
4254 
4255 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4256 	params.supported_rates =
4257 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4258 	params.supported_rates_len =
4259 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4260 	params.listen_interval =
4261 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
4262 
4263 	if (info->attrs[NL80211_ATTR_PEER_AID])
4264 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
4265 	else
4266 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
4267 	if (!params.aid || params.aid > IEEE80211_MAX_AID)
4268 		return -EINVAL;
4269 
4270 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
4271 		params.capability =
4272 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
4273 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
4274 	}
4275 
4276 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
4277 		params.ext_capab =
4278 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4279 		params.ext_capab_len =
4280 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4281 	}
4282 
4283 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
4284 		params.ht_capa =
4285 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
4286 
4287 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
4288 		params.vht_capa =
4289 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
4290 
4291 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
4292 		params.opmode_notif_used = true;
4293 		params.opmode_notif =
4294 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
4295 	}
4296 
4297 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
4298 		params.plink_action =
4299 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
4300 		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
4301 			return -EINVAL;
4302 	}
4303 
4304 	err = nl80211_parse_sta_channel_info(info, &params);
4305 	if (err)
4306 		return err;
4307 
4308 	err = nl80211_parse_sta_wme(info, &params);
4309 	if (err)
4310 		return err;
4311 
4312 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
4313 		return -EINVAL;
4314 
4315 	/* When you run into this, adjust the code below for the new flag */
4316 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
4317 
4318 	switch (dev->ieee80211_ptr->iftype) {
4319 	case NL80211_IFTYPE_AP:
4320 	case NL80211_IFTYPE_AP_VLAN:
4321 	case NL80211_IFTYPE_P2P_GO:
4322 		/* ignore WME attributes if iface/sta is not capable */
4323 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
4324 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
4325 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4326 
4327 		/* TDLS peers cannot be added */
4328 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
4329 		    info->attrs[NL80211_ATTR_PEER_AID])
4330 			return -EINVAL;
4331 		/* but don't bother the driver with it */
4332 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
4333 
4334 		/* allow authenticated/associated only if driver handles it */
4335 		if (!(rdev->wiphy.features &
4336 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
4337 		    params.sta_flags_mask &
4338 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4339 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
4340 			return -EINVAL;
4341 
4342 		/* must be last in here for error handling */
4343 		params.vlan = get_vlan(info, rdev);
4344 		if (IS_ERR(params.vlan))
4345 			return PTR_ERR(params.vlan);
4346 		break;
4347 	case NL80211_IFTYPE_MESH_POINT:
4348 		/* ignore uAPSD data */
4349 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4350 
4351 		/* associated is disallowed */
4352 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
4353 			return -EINVAL;
4354 		/* TDLS peers cannot be added */
4355 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
4356 		    info->attrs[NL80211_ATTR_PEER_AID])
4357 			return -EINVAL;
4358 		break;
4359 	case NL80211_IFTYPE_STATION:
4360 	case NL80211_IFTYPE_P2P_CLIENT:
4361 		/* ignore uAPSD data */
4362 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4363 
4364 		/* these are disallowed */
4365 		if (params.sta_flags_mask &
4366 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
4367 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
4368 			return -EINVAL;
4369 		/* Only TDLS peers can be added */
4370 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
4371 			return -EINVAL;
4372 		/* Can only add if TDLS ... */
4373 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
4374 			return -EOPNOTSUPP;
4375 		/* ... with external setup is supported */
4376 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
4377 			return -EOPNOTSUPP;
4378 		/*
4379 		 * Older wpa_supplicant versions always mark the TDLS peer
4380 		 * as authorized, but it shouldn't yet be.
4381 		 */
4382 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
4383 		break;
4384 	default:
4385 		return -EOPNOTSUPP;
4386 	}
4387 
4388 	/* be aware of params.vlan when changing code here */
4389 
4390 	err = rdev_add_station(rdev, dev, mac_addr, &params);
4391 
4392 	if (params.vlan)
4393 		dev_put(params.vlan);
4394 	return err;
4395 }
4396 
4397 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
4398 {
4399 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4400 	struct net_device *dev = info->user_ptr[1];
4401 	u8 *mac_addr = NULL;
4402 
4403 	if (info->attrs[NL80211_ATTR_MAC])
4404 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4405 
4406 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4407 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
4408 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
4409 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4410 		return -EINVAL;
4411 
4412 	if (!rdev->ops->del_station)
4413 		return -EOPNOTSUPP;
4414 
4415 	return rdev_del_station(rdev, dev, mac_addr);
4416 }
4417 
4418 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
4419 				int flags, struct net_device *dev,
4420 				u8 *dst, u8 *next_hop,
4421 				struct mpath_info *pinfo)
4422 {
4423 	void *hdr;
4424 	struct nlattr *pinfoattr;
4425 
4426 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_STATION);
4427 	if (!hdr)
4428 		return -1;
4429 
4430 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4431 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
4432 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
4433 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
4434 		goto nla_put_failure;
4435 
4436 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MPATH_INFO);
4437 	if (!pinfoattr)
4438 		goto nla_put_failure;
4439 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
4440 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
4441 			pinfo->frame_qlen))
4442 		goto nla_put_failure;
4443 	if (((pinfo->filled & MPATH_INFO_SN) &&
4444 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
4445 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
4446 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
4447 			 pinfo->metric)) ||
4448 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
4449 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
4450 			 pinfo->exptime)) ||
4451 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
4452 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
4453 			pinfo->flags)) ||
4454 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
4455 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
4456 			 pinfo->discovery_timeout)) ||
4457 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
4458 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
4459 			pinfo->discovery_retries)))
4460 		goto nla_put_failure;
4461 
4462 	nla_nest_end(msg, pinfoattr);
4463 
4464 	return genlmsg_end(msg, hdr);
4465 
4466  nla_put_failure:
4467 	genlmsg_cancel(msg, hdr);
4468 	return -EMSGSIZE;
4469 }
4470 
4471 static int nl80211_dump_mpath(struct sk_buff *skb,
4472 			      struct netlink_callback *cb)
4473 {
4474 	struct mpath_info pinfo;
4475 	struct cfg80211_registered_device *rdev;
4476 	struct wireless_dev *wdev;
4477 	u8 dst[ETH_ALEN];
4478 	u8 next_hop[ETH_ALEN];
4479 	int path_idx = cb->args[2];
4480 	int err;
4481 
4482 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
4483 	if (err)
4484 		return err;
4485 
4486 	if (!rdev->ops->dump_mpath) {
4487 		err = -EOPNOTSUPP;
4488 		goto out_err;
4489 	}
4490 
4491 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
4492 		err = -EOPNOTSUPP;
4493 		goto out_err;
4494 	}
4495 
4496 	while (1) {
4497 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
4498 				      next_hop, &pinfo);
4499 		if (err == -ENOENT)
4500 			break;
4501 		if (err)
4502 			goto out_err;
4503 
4504 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
4505 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4506 				       wdev->netdev, dst, next_hop,
4507 				       &pinfo) < 0)
4508 			goto out;
4509 
4510 		path_idx++;
4511 	}
4512 
4513 
4514  out:
4515 	cb->args[2] = path_idx;
4516 	err = skb->len;
4517  out_err:
4518 	nl80211_finish_wdev_dump(rdev);
4519 	return err;
4520 }
4521 
4522 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
4523 {
4524 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4525 	int err;
4526 	struct net_device *dev = info->user_ptr[1];
4527 	struct mpath_info pinfo;
4528 	struct sk_buff *msg;
4529 	u8 *dst = NULL;
4530 	u8 next_hop[ETH_ALEN];
4531 
4532 	memset(&pinfo, 0, sizeof(pinfo));
4533 
4534 	if (!info->attrs[NL80211_ATTR_MAC])
4535 		return -EINVAL;
4536 
4537 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4538 
4539 	if (!rdev->ops->get_mpath)
4540 		return -EOPNOTSUPP;
4541 
4542 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4543 		return -EOPNOTSUPP;
4544 
4545 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
4546 	if (err)
4547 		return err;
4548 
4549 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4550 	if (!msg)
4551 		return -ENOMEM;
4552 
4553 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
4554 				 dev, dst, next_hop, &pinfo) < 0) {
4555 		nlmsg_free(msg);
4556 		return -ENOBUFS;
4557 	}
4558 
4559 	return genlmsg_reply(msg, info);
4560 }
4561 
4562 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
4563 {
4564 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4565 	struct net_device *dev = info->user_ptr[1];
4566 	u8 *dst = NULL;
4567 	u8 *next_hop = NULL;
4568 
4569 	if (!info->attrs[NL80211_ATTR_MAC])
4570 		return -EINVAL;
4571 
4572 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
4573 		return -EINVAL;
4574 
4575 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4576 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
4577 
4578 	if (!rdev->ops->change_mpath)
4579 		return -EOPNOTSUPP;
4580 
4581 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4582 		return -EOPNOTSUPP;
4583 
4584 	return rdev_change_mpath(rdev, dev, dst, next_hop);
4585 }
4586 
4587 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
4588 {
4589 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4590 	struct net_device *dev = info->user_ptr[1];
4591 	u8 *dst = NULL;
4592 	u8 *next_hop = NULL;
4593 
4594 	if (!info->attrs[NL80211_ATTR_MAC])
4595 		return -EINVAL;
4596 
4597 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
4598 		return -EINVAL;
4599 
4600 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4601 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
4602 
4603 	if (!rdev->ops->add_mpath)
4604 		return -EOPNOTSUPP;
4605 
4606 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4607 		return -EOPNOTSUPP;
4608 
4609 	return rdev_add_mpath(rdev, dev, dst, next_hop);
4610 }
4611 
4612 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
4613 {
4614 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4615 	struct net_device *dev = info->user_ptr[1];
4616 	u8 *dst = NULL;
4617 
4618 	if (info->attrs[NL80211_ATTR_MAC])
4619 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4620 
4621 	if (!rdev->ops->del_mpath)
4622 		return -EOPNOTSUPP;
4623 
4624 	return rdev_del_mpath(rdev, dev, dst);
4625 }
4626 
4627 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
4628 {
4629 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4630 	struct net_device *dev = info->user_ptr[1];
4631 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4632 	struct bss_parameters params;
4633 	int err;
4634 
4635 	memset(&params, 0, sizeof(params));
4636 	/* default to not changing parameters */
4637 	params.use_cts_prot = -1;
4638 	params.use_short_preamble = -1;
4639 	params.use_short_slot_time = -1;
4640 	params.ap_isolate = -1;
4641 	params.ht_opmode = -1;
4642 	params.p2p_ctwindow = -1;
4643 	params.p2p_opp_ps = -1;
4644 
4645 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
4646 		params.use_cts_prot =
4647 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
4648 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
4649 		params.use_short_preamble =
4650 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
4651 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
4652 		params.use_short_slot_time =
4653 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
4654 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
4655 		params.basic_rates =
4656 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
4657 		params.basic_rates_len =
4658 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
4659 	}
4660 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
4661 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
4662 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
4663 		params.ht_opmode =
4664 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
4665 
4666 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
4667 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4668 			return -EINVAL;
4669 		params.p2p_ctwindow =
4670 			nla_get_s8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
4671 		if (params.p2p_ctwindow < 0)
4672 			return -EINVAL;
4673 		if (params.p2p_ctwindow != 0 &&
4674 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
4675 			return -EINVAL;
4676 	}
4677 
4678 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
4679 		u8 tmp;
4680 
4681 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4682 			return -EINVAL;
4683 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
4684 		if (tmp > 1)
4685 			return -EINVAL;
4686 		params.p2p_opp_ps = tmp;
4687 		if (params.p2p_opp_ps &&
4688 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
4689 			return -EINVAL;
4690 	}
4691 
4692 	if (!rdev->ops->change_bss)
4693 		return -EOPNOTSUPP;
4694 
4695 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4696 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4697 		return -EOPNOTSUPP;
4698 
4699 	wdev_lock(wdev);
4700 	err = rdev_change_bss(rdev, dev, &params);
4701 	wdev_unlock(wdev);
4702 
4703 	return err;
4704 }
4705 
4706 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
4707 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
4708 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
4709 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
4710 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
4711 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
4712 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
4713 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
4714 };
4715 
4716 static int parse_reg_rule(struct nlattr *tb[],
4717 	struct ieee80211_reg_rule *reg_rule)
4718 {
4719 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
4720 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
4721 
4722 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
4723 		return -EINVAL;
4724 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
4725 		return -EINVAL;
4726 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
4727 		return -EINVAL;
4728 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
4729 		return -EINVAL;
4730 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
4731 		return -EINVAL;
4732 
4733 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
4734 
4735 	freq_range->start_freq_khz =
4736 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
4737 	freq_range->end_freq_khz =
4738 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
4739 	freq_range->max_bandwidth_khz =
4740 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
4741 
4742 	power_rule->max_eirp =
4743 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
4744 
4745 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
4746 		power_rule->max_antenna_gain =
4747 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
4748 
4749 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
4750 		reg_rule->dfs_cac_ms =
4751 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
4752 
4753 	return 0;
4754 }
4755 
4756 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
4757 {
4758 	char *data = NULL;
4759 	enum nl80211_user_reg_hint_type user_reg_hint_type;
4760 
4761 	/*
4762 	 * You should only get this when cfg80211 hasn't yet initialized
4763 	 * completely when built-in to the kernel right between the time
4764 	 * window between nl80211_init() and regulatory_init(), if that is
4765 	 * even possible.
4766 	 */
4767 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
4768 		return -EINPROGRESS;
4769 
4770 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
4771 		user_reg_hint_type =
4772 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
4773 	else
4774 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
4775 
4776 	switch (user_reg_hint_type) {
4777 	case NL80211_USER_REG_HINT_USER:
4778 	case NL80211_USER_REG_HINT_CELL_BASE:
4779 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
4780 			return -EINVAL;
4781 
4782 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
4783 		return regulatory_hint_user(data, user_reg_hint_type);
4784 	case NL80211_USER_REG_HINT_INDOOR:
4785 		return regulatory_hint_indoor_user();
4786 	default:
4787 		return -EINVAL;
4788 	}
4789 }
4790 
4791 static int nl80211_get_mesh_config(struct sk_buff *skb,
4792 				   struct genl_info *info)
4793 {
4794 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4795 	struct net_device *dev = info->user_ptr[1];
4796 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4797 	struct mesh_config cur_params;
4798 	int err = 0;
4799 	void *hdr;
4800 	struct nlattr *pinfoattr;
4801 	struct sk_buff *msg;
4802 
4803 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
4804 		return -EOPNOTSUPP;
4805 
4806 	if (!rdev->ops->get_mesh_config)
4807 		return -EOPNOTSUPP;
4808 
4809 	wdev_lock(wdev);
4810 	/* If not connected, get default parameters */
4811 	if (!wdev->mesh_id_len)
4812 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
4813 	else
4814 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
4815 	wdev_unlock(wdev);
4816 
4817 	if (err)
4818 		return err;
4819 
4820 	/* Draw up a netlink message to send back */
4821 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4822 	if (!msg)
4823 		return -ENOMEM;
4824 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4825 			     NL80211_CMD_GET_MESH_CONFIG);
4826 	if (!hdr)
4827 		goto out;
4828 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MESH_CONFIG);
4829 	if (!pinfoattr)
4830 		goto nla_put_failure;
4831 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4832 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
4833 			cur_params.dot11MeshRetryTimeout) ||
4834 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
4835 			cur_params.dot11MeshConfirmTimeout) ||
4836 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
4837 			cur_params.dot11MeshHoldingTimeout) ||
4838 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
4839 			cur_params.dot11MeshMaxPeerLinks) ||
4840 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
4841 		       cur_params.dot11MeshMaxRetries) ||
4842 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
4843 		       cur_params.dot11MeshTTL) ||
4844 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
4845 		       cur_params.element_ttl) ||
4846 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
4847 		       cur_params.auto_open_plinks) ||
4848 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
4849 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
4850 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
4851 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
4852 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
4853 			cur_params.path_refresh_time) ||
4854 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
4855 			cur_params.min_discovery_timeout) ||
4856 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
4857 			cur_params.dot11MeshHWMPactivePathTimeout) ||
4858 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
4859 			cur_params.dot11MeshHWMPpreqMinInterval) ||
4860 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
4861 			cur_params.dot11MeshHWMPperrMinInterval) ||
4862 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
4863 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
4864 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
4865 		       cur_params.dot11MeshHWMPRootMode) ||
4866 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
4867 			cur_params.dot11MeshHWMPRannInterval) ||
4868 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
4869 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
4870 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
4871 		       cur_params.dot11MeshForwarding) ||
4872 	    nla_put_u32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
4873 			cur_params.rssi_threshold) ||
4874 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
4875 			cur_params.ht_opmode) ||
4876 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
4877 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
4878 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
4879 			cur_params.dot11MeshHWMProotInterval) ||
4880 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
4881 			cur_params.dot11MeshHWMPconfirmationInterval) ||
4882 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
4883 			cur_params.power_mode) ||
4884 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
4885 			cur_params.dot11MeshAwakeWindowDuration) ||
4886 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
4887 			cur_params.plink_timeout))
4888 		goto nla_put_failure;
4889 	nla_nest_end(msg, pinfoattr);
4890 	genlmsg_end(msg, hdr);
4891 	return genlmsg_reply(msg, info);
4892 
4893  nla_put_failure:
4894 	genlmsg_cancel(msg, hdr);
4895  out:
4896 	nlmsg_free(msg);
4897 	return -ENOBUFS;
4898 }
4899 
4900 static const struct nla_policy nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
4901 	[NL80211_MESHCONF_RETRY_TIMEOUT] = { .type = NLA_U16 },
4902 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] = { .type = NLA_U16 },
4903 	[NL80211_MESHCONF_HOLDING_TIMEOUT] = { .type = NLA_U16 },
4904 	[NL80211_MESHCONF_MAX_PEER_LINKS] = { .type = NLA_U16 },
4905 	[NL80211_MESHCONF_MAX_RETRIES] = { .type = NLA_U8 },
4906 	[NL80211_MESHCONF_TTL] = { .type = NLA_U8 },
4907 	[NL80211_MESHCONF_ELEMENT_TTL] = { .type = NLA_U8 },
4908 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = { .type = NLA_U8 },
4909 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] = { .type = NLA_U32 },
4910 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
4911 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
4912 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = { .type = NLA_U16 },
4913 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
4914 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] = { .type = NLA_U16 },
4915 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] = { .type = NLA_U16 },
4916 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] = { .type = NLA_U16 },
4917 	[NL80211_MESHCONF_HWMP_ROOTMODE] = { .type = NLA_U8 },
4918 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] = { .type = NLA_U16 },
4919 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = { .type = NLA_U8 },
4920 	[NL80211_MESHCONF_FORWARDING] = { .type = NLA_U8 },
4921 	[NL80211_MESHCONF_RSSI_THRESHOLD] = { .type = NLA_U32 },
4922 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
4923 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
4924 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] = { .type = NLA_U16 },
4925 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] = { .type = NLA_U16 },
4926 	[NL80211_MESHCONF_POWER_MODE] = { .type = NLA_U32 },
4927 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
4928 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
4929 };
4930 
4931 static const struct nla_policy
4932 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
4933 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
4934 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
4935 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
4936 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
4937 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
4938 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
4939 	[NL80211_MESH_SETUP_IE] = { .type = NLA_BINARY,
4940 				    .len = IEEE80211_MAX_DATA_LEN },
4941 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
4942 };
4943 
4944 static int nl80211_parse_mesh_config(struct genl_info *info,
4945 				     struct mesh_config *cfg,
4946 				     u32 *mask_out)
4947 {
4948 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
4949 	u32 mask = 0;
4950 
4951 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, min, max, mask, attr, fn) \
4952 do {									    \
4953 	if (tb[attr]) {							    \
4954 		if (fn(tb[attr]) < min || fn(tb[attr]) > max)		    \
4955 			return -EINVAL;					    \
4956 		cfg->param = fn(tb[attr]);				    \
4957 		mask |= (1 << (attr - 1));				    \
4958 	}								    \
4959 } while (0)
4960 
4961 
4962 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
4963 		return -EINVAL;
4964 	if (nla_parse_nested(tb, NL80211_MESHCONF_ATTR_MAX,
4965 			     info->attrs[NL80211_ATTR_MESH_CONFIG],
4966 			     nl80211_meshconf_params_policy))
4967 		return -EINVAL;
4968 
4969 	/* This makes sure that there aren't more than 32 mesh config
4970 	 * parameters (otherwise our bitfield scheme would not work.) */
4971 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
4972 
4973 	/* Fill in the params struct */
4974 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, 1, 255,
4975 				  mask, NL80211_MESHCONF_RETRY_TIMEOUT,
4976 				  nla_get_u16);
4977 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, 1, 255,
4978 				  mask, NL80211_MESHCONF_CONFIRM_TIMEOUT,
4979 				  nla_get_u16);
4980 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, 1, 255,
4981 				  mask, NL80211_MESHCONF_HOLDING_TIMEOUT,
4982 				  nla_get_u16);
4983 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, 0, 255,
4984 				  mask, NL80211_MESHCONF_MAX_PEER_LINKS,
4985 				  nla_get_u16);
4986 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, 0, 16,
4987 				  mask, NL80211_MESHCONF_MAX_RETRIES,
4988 				  nla_get_u8);
4989 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, 1, 255,
4990 				  mask, NL80211_MESHCONF_TTL, nla_get_u8);
4991 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, 1, 255,
4992 				  mask, NL80211_MESHCONF_ELEMENT_TTL,
4993 				  nla_get_u8);
4994 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, 0, 1,
4995 				  mask, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
4996 				  nla_get_u8);
4997 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
4998 				  1, 255, mask,
4999 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
5000 				  nla_get_u32);
5001 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, 0, 255,
5002 				  mask, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
5003 				  nla_get_u8);
5004 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, 1, 65535,
5005 				  mask, NL80211_MESHCONF_PATH_REFRESH_TIME,
5006 				  nla_get_u32);
5007 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, 1, 65535,
5008 				  mask, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
5009 				  nla_get_u16);
5010 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
5011 				  1, 65535, mask,
5012 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
5013 				  nla_get_u32);
5014 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval,
5015 				  1, 65535, mask,
5016 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
5017 				  nla_get_u16);
5018 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval,
5019 				  1, 65535, mask,
5020 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
5021 				  nla_get_u16);
5022 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5023 				  dot11MeshHWMPnetDiameterTraversalTime,
5024 				  1, 65535, mask,
5025 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
5026 				  nla_get_u16);
5027 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, 0, 4,
5028 				  mask, NL80211_MESHCONF_HWMP_ROOTMODE,
5029 				  nla_get_u8);
5030 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, 1, 65535,
5031 				  mask, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
5032 				  nla_get_u16);
5033 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5034 				  dot11MeshGateAnnouncementProtocol, 0, 1,
5035 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
5036 				  nla_get_u8);
5037 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, 0, 1,
5038 				  mask, NL80211_MESHCONF_FORWARDING,
5039 				  nla_get_u8);
5040 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, -255, 0,
5041 				  mask, NL80211_MESHCONF_RSSI_THRESHOLD,
5042 				  nla_get_s32);
5043 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, ht_opmode, 0, 16,
5044 				  mask, NL80211_MESHCONF_HT_OPMODE,
5045 				  nla_get_u16);
5046 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathToRootTimeout,
5047 				  1, 65535, mask,
5048 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
5049 				  nla_get_u32);
5050 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, 1, 65535,
5051 				  mask, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
5052 				  nla_get_u16);
5053 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5054 				  dot11MeshHWMPconfirmationInterval,
5055 				  1, 65535, mask,
5056 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
5057 				  nla_get_u16);
5058 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode,
5059 				  NL80211_MESH_POWER_ACTIVE,
5060 				  NL80211_MESH_POWER_MAX,
5061 				  mask, NL80211_MESHCONF_POWER_MODE,
5062 				  nla_get_u32);
5063 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration,
5064 				  0, 65535, mask,
5065 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
5066 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, 1, 0xffffffff,
5067 				  mask, NL80211_MESHCONF_PLINK_TIMEOUT,
5068 				  nla_get_u32);
5069 	if (mask_out)
5070 		*mask_out = mask;
5071 
5072 	return 0;
5073 
5074 #undef FILL_IN_MESH_PARAM_IF_SET
5075 }
5076 
5077 static int nl80211_parse_mesh_setup(struct genl_info *info,
5078 				     struct mesh_setup *setup)
5079 {
5080 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5081 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
5082 
5083 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
5084 		return -EINVAL;
5085 	if (nla_parse_nested(tb, NL80211_MESH_SETUP_ATTR_MAX,
5086 			     info->attrs[NL80211_ATTR_MESH_SETUP],
5087 			     nl80211_mesh_setup_params_policy))
5088 		return -EINVAL;
5089 
5090 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
5091 		setup->sync_method =
5092 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
5093 		 IEEE80211_SYNC_METHOD_VENDOR :
5094 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
5095 
5096 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
5097 		setup->path_sel_proto =
5098 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
5099 		 IEEE80211_PATH_PROTOCOL_VENDOR :
5100 		 IEEE80211_PATH_PROTOCOL_HWMP;
5101 
5102 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
5103 		setup->path_metric =
5104 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
5105 		 IEEE80211_PATH_METRIC_VENDOR :
5106 		 IEEE80211_PATH_METRIC_AIRTIME;
5107 
5108 
5109 	if (tb[NL80211_MESH_SETUP_IE]) {
5110 		struct nlattr *ieattr =
5111 			tb[NL80211_MESH_SETUP_IE];
5112 		if (!is_valid_ie_attr(ieattr))
5113 			return -EINVAL;
5114 		setup->ie = nla_data(ieattr);
5115 		setup->ie_len = nla_len(ieattr);
5116 	}
5117 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
5118 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
5119 		return -EINVAL;
5120 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
5121 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
5122 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
5123 	if (setup->is_secure)
5124 		setup->user_mpm = true;
5125 
5126 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
5127 		if (!setup->user_mpm)
5128 			return -EINVAL;
5129 		setup->auth_id =
5130 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
5131 	}
5132 
5133 	return 0;
5134 }
5135 
5136 static int nl80211_update_mesh_config(struct sk_buff *skb,
5137 				      struct genl_info *info)
5138 {
5139 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5140 	struct net_device *dev = info->user_ptr[1];
5141 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5142 	struct mesh_config cfg;
5143 	u32 mask;
5144 	int err;
5145 
5146 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
5147 		return -EOPNOTSUPP;
5148 
5149 	if (!rdev->ops->update_mesh_config)
5150 		return -EOPNOTSUPP;
5151 
5152 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
5153 	if (err)
5154 		return err;
5155 
5156 	wdev_lock(wdev);
5157 	if (!wdev->mesh_id_len)
5158 		err = -ENOLINK;
5159 
5160 	if (!err)
5161 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
5162 
5163 	wdev_unlock(wdev);
5164 
5165 	return err;
5166 }
5167 
5168 static int nl80211_get_reg(struct sk_buff *skb, struct genl_info *info)
5169 {
5170 	const struct ieee80211_regdomain *regdom;
5171 	struct sk_buff *msg;
5172 	void *hdr = NULL;
5173 	struct nlattr *nl_reg_rules;
5174 	unsigned int i;
5175 
5176 	if (!cfg80211_regdomain)
5177 		return -EINVAL;
5178 
5179 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5180 	if (!msg)
5181 		return -ENOBUFS;
5182 
5183 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
5184 			     NL80211_CMD_GET_REG);
5185 	if (!hdr)
5186 		goto put_failure;
5187 
5188 	if (reg_last_request_cell_base() &&
5189 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
5190 			NL80211_USER_REG_HINT_CELL_BASE))
5191 		goto nla_put_failure;
5192 
5193 	rcu_read_lock();
5194 	regdom = rcu_dereference(cfg80211_regdomain);
5195 
5196 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
5197 	    (regdom->dfs_region &&
5198 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
5199 		goto nla_put_failure_rcu;
5200 
5201 	nl_reg_rules = nla_nest_start(msg, NL80211_ATTR_REG_RULES);
5202 	if (!nl_reg_rules)
5203 		goto nla_put_failure_rcu;
5204 
5205 	for (i = 0; i < regdom->n_reg_rules; i++) {
5206 		struct nlattr *nl_reg_rule;
5207 		const struct ieee80211_reg_rule *reg_rule;
5208 		const struct ieee80211_freq_range *freq_range;
5209 		const struct ieee80211_power_rule *power_rule;
5210 		unsigned int max_bandwidth_khz;
5211 
5212 		reg_rule = &regdom->reg_rules[i];
5213 		freq_range = &reg_rule->freq_range;
5214 		power_rule = &reg_rule->power_rule;
5215 
5216 		nl_reg_rule = nla_nest_start(msg, i);
5217 		if (!nl_reg_rule)
5218 			goto nla_put_failure_rcu;
5219 
5220 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
5221 		if (!max_bandwidth_khz)
5222 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
5223 								  reg_rule);
5224 
5225 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
5226 				reg_rule->flags) ||
5227 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
5228 				freq_range->start_freq_khz) ||
5229 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
5230 				freq_range->end_freq_khz) ||
5231 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
5232 				max_bandwidth_khz) ||
5233 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
5234 				power_rule->max_antenna_gain) ||
5235 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
5236 				power_rule->max_eirp) ||
5237 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
5238 				reg_rule->dfs_cac_ms))
5239 			goto nla_put_failure_rcu;
5240 
5241 		nla_nest_end(msg, nl_reg_rule);
5242 	}
5243 	rcu_read_unlock();
5244 
5245 	nla_nest_end(msg, nl_reg_rules);
5246 
5247 	genlmsg_end(msg, hdr);
5248 	return genlmsg_reply(msg, info);
5249 
5250 nla_put_failure_rcu:
5251 	rcu_read_unlock();
5252 nla_put_failure:
5253 	genlmsg_cancel(msg, hdr);
5254 put_failure:
5255 	nlmsg_free(msg);
5256 	return -EMSGSIZE;
5257 }
5258 
5259 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
5260 {
5261 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
5262 	struct nlattr *nl_reg_rule;
5263 	char *alpha2 = NULL;
5264 	int rem_reg_rules = 0, r = 0;
5265 	u32 num_rules = 0, rule_idx = 0, size_of_regd;
5266 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
5267 	struct ieee80211_regdomain *rd = NULL;
5268 
5269 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
5270 		return -EINVAL;
5271 
5272 	if (!info->attrs[NL80211_ATTR_REG_RULES])
5273 		return -EINVAL;
5274 
5275 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
5276 
5277 	if (info->attrs[NL80211_ATTR_DFS_REGION])
5278 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
5279 
5280 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
5281 			    rem_reg_rules) {
5282 		num_rules++;
5283 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
5284 			return -EINVAL;
5285 	}
5286 
5287 	if (!reg_is_valid_request(alpha2))
5288 		return -EINVAL;
5289 
5290 	size_of_regd = sizeof(struct ieee80211_regdomain) +
5291 		       num_rules * sizeof(struct ieee80211_reg_rule);
5292 
5293 	rd = kzalloc(size_of_regd, GFP_KERNEL);
5294 	if (!rd)
5295 		return -ENOMEM;
5296 
5297 	rd->n_reg_rules = num_rules;
5298 	rd->alpha2[0] = alpha2[0];
5299 	rd->alpha2[1] = alpha2[1];
5300 
5301 	/*
5302 	 * Disable DFS master mode if the DFS region was
5303 	 * not supported or known on this kernel.
5304 	 */
5305 	if (reg_supported_dfs_region(dfs_region))
5306 		rd->dfs_region = dfs_region;
5307 
5308 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
5309 			    rem_reg_rules) {
5310 		r = nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
5311 			      nla_data(nl_reg_rule), nla_len(nl_reg_rule),
5312 			      reg_rule_policy);
5313 		if (r)
5314 			goto bad_reg;
5315 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
5316 		if (r)
5317 			goto bad_reg;
5318 
5319 		rule_idx++;
5320 
5321 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
5322 			r = -EINVAL;
5323 			goto bad_reg;
5324 		}
5325 	}
5326 
5327 	r = set_regdom(rd);
5328 	/* set_regdom took ownership */
5329 	rd = NULL;
5330 
5331  bad_reg:
5332 	kfree(rd);
5333 	return r;
5334 }
5335 
5336 static int validate_scan_freqs(struct nlattr *freqs)
5337 {
5338 	struct nlattr *attr1, *attr2;
5339 	int n_channels = 0, tmp1, tmp2;
5340 
5341 	nla_for_each_nested(attr1, freqs, tmp1) {
5342 		n_channels++;
5343 		/*
5344 		 * Some hardware has a limited channel list for
5345 		 * scanning, and it is pretty much nonsensical
5346 		 * to scan for a channel twice, so disallow that
5347 		 * and don't require drivers to check that the
5348 		 * channel list they get isn't longer than what
5349 		 * they can scan, as long as they can scan all
5350 		 * the channels they registered at once.
5351 		 */
5352 		nla_for_each_nested(attr2, freqs, tmp2)
5353 			if (attr1 != attr2 &&
5354 			    nla_get_u32(attr1) == nla_get_u32(attr2))
5355 				return 0;
5356 	}
5357 
5358 	return n_channels;
5359 }
5360 
5361 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
5362 {
5363 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5364 	struct wireless_dev *wdev = info->user_ptr[1];
5365 	struct cfg80211_scan_request *request;
5366 	struct nlattr *attr;
5367 	struct wiphy *wiphy;
5368 	int err, tmp, n_ssids = 0, n_channels, i;
5369 	size_t ie_len;
5370 
5371 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5372 		return -EINVAL;
5373 
5374 	wiphy = &rdev->wiphy;
5375 
5376 	if (!rdev->ops->scan)
5377 		return -EOPNOTSUPP;
5378 
5379 	if (rdev->scan_req || rdev->scan_msg) {
5380 		err = -EBUSY;
5381 		goto unlock;
5382 	}
5383 
5384 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5385 		n_channels = validate_scan_freqs(
5386 				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
5387 		if (!n_channels) {
5388 			err = -EINVAL;
5389 			goto unlock;
5390 		}
5391 	} else {
5392 		n_channels = ieee80211_get_num_supported_channels(wiphy);
5393 	}
5394 
5395 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
5396 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
5397 			n_ssids++;
5398 
5399 	if (n_ssids > wiphy->max_scan_ssids) {
5400 		err = -EINVAL;
5401 		goto unlock;
5402 	}
5403 
5404 	if (info->attrs[NL80211_ATTR_IE])
5405 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5406 	else
5407 		ie_len = 0;
5408 
5409 	if (ie_len > wiphy->max_scan_ie_len) {
5410 		err = -EINVAL;
5411 		goto unlock;
5412 	}
5413 
5414 	request = kzalloc(sizeof(*request)
5415 			+ sizeof(*request->ssids) * n_ssids
5416 			+ sizeof(*request->channels) * n_channels
5417 			+ ie_len, GFP_KERNEL);
5418 	if (!request) {
5419 		err = -ENOMEM;
5420 		goto unlock;
5421 	}
5422 
5423 	if (n_ssids)
5424 		request->ssids = (void *)&request->channels[n_channels];
5425 	request->n_ssids = n_ssids;
5426 	if (ie_len) {
5427 		if (request->ssids)
5428 			request->ie = (void *)(request->ssids + n_ssids);
5429 		else
5430 			request->ie = (void *)(request->channels + n_channels);
5431 	}
5432 
5433 	i = 0;
5434 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5435 		/* user specified, bail out if channel not found */
5436 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
5437 			struct ieee80211_channel *chan;
5438 
5439 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
5440 
5441 			if (!chan) {
5442 				err = -EINVAL;
5443 				goto out_free;
5444 			}
5445 
5446 			/* ignore disabled channels */
5447 			if (chan->flags & IEEE80211_CHAN_DISABLED)
5448 				continue;
5449 
5450 			request->channels[i] = chan;
5451 			i++;
5452 		}
5453 	} else {
5454 		enum ieee80211_band band;
5455 
5456 		/* all channels */
5457 		for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
5458 			int j;
5459 			if (!wiphy->bands[band])
5460 				continue;
5461 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
5462 				struct ieee80211_channel *chan;
5463 
5464 				chan = &wiphy->bands[band]->channels[j];
5465 
5466 				if (chan->flags & IEEE80211_CHAN_DISABLED)
5467 					continue;
5468 
5469 				request->channels[i] = chan;
5470 				i++;
5471 			}
5472 		}
5473 	}
5474 
5475 	if (!i) {
5476 		err = -EINVAL;
5477 		goto out_free;
5478 	}
5479 
5480 	request->n_channels = i;
5481 
5482 	i = 0;
5483 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
5484 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
5485 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
5486 				err = -EINVAL;
5487 				goto out_free;
5488 			}
5489 			request->ssids[i].ssid_len = nla_len(attr);
5490 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
5491 			i++;
5492 		}
5493 	}
5494 
5495 	if (info->attrs[NL80211_ATTR_IE]) {
5496 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5497 		memcpy((void *)request->ie,
5498 		       nla_data(info->attrs[NL80211_ATTR_IE]),
5499 		       request->ie_len);
5500 	}
5501 
5502 	for (i = 0; i < IEEE80211_NUM_BANDS; i++)
5503 		if (wiphy->bands[i])
5504 			request->rates[i] =
5505 				(1 << wiphy->bands[i]->n_bitrates) - 1;
5506 
5507 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
5508 		nla_for_each_nested(attr,
5509 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
5510 				    tmp) {
5511 			enum ieee80211_band band = nla_type(attr);
5512 
5513 			if (band < 0 || band >= IEEE80211_NUM_BANDS) {
5514 				err = -EINVAL;
5515 				goto out_free;
5516 			}
5517 
5518 			if (!wiphy->bands[band])
5519 				continue;
5520 
5521 			err = ieee80211_get_ratemask(wiphy->bands[band],
5522 						     nla_data(attr),
5523 						     nla_len(attr),
5524 						     &request->rates[band]);
5525 			if (err)
5526 				goto out_free;
5527 		}
5528 	}
5529 
5530 	if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
5531 		request->flags = nla_get_u32(
5532 			info->attrs[NL80211_ATTR_SCAN_FLAGS]);
5533 		if ((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
5534 		    !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) {
5535 			err = -EOPNOTSUPP;
5536 			goto out_free;
5537 		}
5538 	}
5539 
5540 	request->no_cck =
5541 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
5542 
5543 	request->wdev = wdev;
5544 	request->wiphy = &rdev->wiphy;
5545 	request->scan_start = jiffies;
5546 
5547 	rdev->scan_req = request;
5548 	err = rdev_scan(rdev, request);
5549 
5550 	if (!err) {
5551 		nl80211_send_scan_start(rdev, wdev);
5552 		if (wdev->netdev)
5553 			dev_hold(wdev->netdev);
5554 	} else {
5555  out_free:
5556 		rdev->scan_req = NULL;
5557 		kfree(request);
5558 	}
5559 
5560  unlock:
5561 	return err;
5562 }
5563 
5564 static int nl80211_start_sched_scan(struct sk_buff *skb,
5565 				    struct genl_info *info)
5566 {
5567 	struct cfg80211_sched_scan_request *request;
5568 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5569 	struct net_device *dev = info->user_ptr[1];
5570 	struct nlattr *attr;
5571 	struct wiphy *wiphy;
5572 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i;
5573 	u32 interval;
5574 	enum ieee80211_band band;
5575 	size_t ie_len;
5576 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
5577 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
5578 
5579 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
5580 	    !rdev->ops->sched_scan_start)
5581 		return -EOPNOTSUPP;
5582 
5583 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5584 		return -EINVAL;
5585 
5586 	if (!info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
5587 		return -EINVAL;
5588 
5589 	interval = nla_get_u32(info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
5590 	if (interval == 0)
5591 		return -EINVAL;
5592 
5593 	wiphy = &rdev->wiphy;
5594 
5595 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5596 		n_channels = validate_scan_freqs(
5597 				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
5598 		if (!n_channels)
5599 			return -EINVAL;
5600 	} else {
5601 		n_channels = ieee80211_get_num_supported_channels(wiphy);
5602 	}
5603 
5604 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
5605 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
5606 				    tmp)
5607 			n_ssids++;
5608 
5609 	if (n_ssids > wiphy->max_sched_scan_ssids)
5610 		return -EINVAL;
5611 
5612 	/*
5613 	 * First, count the number of 'real' matchsets. Due to an issue with
5614 	 * the old implementation, matchsets containing only the RSSI attribute
5615 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
5616 	 * RSSI for all matchsets, rather than their own matchset for reporting
5617 	 * all APs with a strong RSSI. This is needed to be compatible with
5618 	 * older userspace that treated a matchset with only the RSSI as the
5619 	 * global RSSI for all other matchsets - if there are other matchsets.
5620 	 */
5621 	if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
5622 		nla_for_each_nested(attr,
5623 				    info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
5624 				    tmp) {
5625 			struct nlattr *rssi;
5626 
5627 			err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
5628 					nla_data(attr), nla_len(attr),
5629 					nl80211_match_policy);
5630 			if (err)
5631 				return err;
5632 			/* add other standalone attributes here */
5633 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID]) {
5634 				n_match_sets++;
5635 				continue;
5636 			}
5637 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
5638 			if (rssi)
5639 				default_match_rssi = nla_get_s32(rssi);
5640 		}
5641 	}
5642 
5643 	/* However, if there's no other matchset, add the RSSI one */
5644 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
5645 		n_match_sets = 1;
5646 
5647 	if (n_match_sets > wiphy->max_match_sets)
5648 		return -EINVAL;
5649 
5650 	if (info->attrs[NL80211_ATTR_IE])
5651 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5652 	else
5653 		ie_len = 0;
5654 
5655 	if (ie_len > wiphy->max_sched_scan_ie_len)
5656 		return -EINVAL;
5657 
5658 	if (rdev->sched_scan_req) {
5659 		err = -EINPROGRESS;
5660 		goto out;
5661 	}
5662 
5663 	request = kzalloc(sizeof(*request)
5664 			+ sizeof(*request->ssids) * n_ssids
5665 			+ sizeof(*request->match_sets) * n_match_sets
5666 			+ sizeof(*request->channels) * n_channels
5667 			+ ie_len, GFP_KERNEL);
5668 	if (!request) {
5669 		err = -ENOMEM;
5670 		goto out;
5671 	}
5672 
5673 	if (n_ssids)
5674 		request->ssids = (void *)&request->channels[n_channels];
5675 	request->n_ssids = n_ssids;
5676 	if (ie_len) {
5677 		if (request->ssids)
5678 			request->ie = (void *)(request->ssids + n_ssids);
5679 		else
5680 			request->ie = (void *)(request->channels + n_channels);
5681 	}
5682 
5683 	if (n_match_sets) {
5684 		if (request->ie)
5685 			request->match_sets = (void *)(request->ie + ie_len);
5686 		else if (request->ssids)
5687 			request->match_sets =
5688 				(void *)(request->ssids + n_ssids);
5689 		else
5690 			request->match_sets =
5691 				(void *)(request->channels + n_channels);
5692 	}
5693 	request->n_match_sets = n_match_sets;
5694 
5695 	i = 0;
5696 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5697 		/* user specified, bail out if channel not found */
5698 		nla_for_each_nested(attr,
5699 				    info->attrs[NL80211_ATTR_SCAN_FREQUENCIES],
5700 				    tmp) {
5701 			struct ieee80211_channel *chan;
5702 
5703 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
5704 
5705 			if (!chan) {
5706 				err = -EINVAL;
5707 				goto out_free;
5708 			}
5709 
5710 			/* ignore disabled channels */
5711 			if (chan->flags & IEEE80211_CHAN_DISABLED)
5712 				continue;
5713 
5714 			request->channels[i] = chan;
5715 			i++;
5716 		}
5717 	} else {
5718 		/* all channels */
5719 		for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
5720 			int j;
5721 			if (!wiphy->bands[band])
5722 				continue;
5723 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
5724 				struct ieee80211_channel *chan;
5725 
5726 				chan = &wiphy->bands[band]->channels[j];
5727 
5728 				if (chan->flags & IEEE80211_CHAN_DISABLED)
5729 					continue;
5730 
5731 				request->channels[i] = chan;
5732 				i++;
5733 			}
5734 		}
5735 	}
5736 
5737 	if (!i) {
5738 		err = -EINVAL;
5739 		goto out_free;
5740 	}
5741 
5742 	request->n_channels = i;
5743 
5744 	i = 0;
5745 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
5746 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
5747 				    tmp) {
5748 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
5749 				err = -EINVAL;
5750 				goto out_free;
5751 			}
5752 			request->ssids[i].ssid_len = nla_len(attr);
5753 			memcpy(request->ssids[i].ssid, nla_data(attr),
5754 			       nla_len(attr));
5755 			i++;
5756 		}
5757 	}
5758 
5759 	i = 0;
5760 	if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
5761 		nla_for_each_nested(attr,
5762 				    info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
5763 				    tmp) {
5764 			struct nlattr *ssid, *rssi;
5765 
5766 			err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
5767 					nla_data(attr), nla_len(attr),
5768 					nl80211_match_policy);
5769 			if (err)
5770 				goto out_free;
5771 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
5772 			if (ssid) {
5773 				if (WARN_ON(i >= n_match_sets)) {
5774 					/* this indicates a programming error,
5775 					 * the loop above should have verified
5776 					 * things properly
5777 					 */
5778 					err = -EINVAL;
5779 					goto out_free;
5780 				}
5781 
5782 				if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
5783 					err = -EINVAL;
5784 					goto out_free;
5785 				}
5786 				memcpy(request->match_sets[i].ssid.ssid,
5787 				       nla_data(ssid), nla_len(ssid));
5788 				request->match_sets[i].ssid.ssid_len =
5789 					nla_len(ssid);
5790 				/* special attribute - old implemenation w/a */
5791 				request->match_sets[i].rssi_thold =
5792 					default_match_rssi;
5793 				rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
5794 				if (rssi)
5795 					request->match_sets[i].rssi_thold =
5796 						nla_get_s32(rssi);
5797 			}
5798 			i++;
5799 		}
5800 
5801 		/* there was no other matchset, so the RSSI one is alone */
5802 		if (i == 0)
5803 			request->match_sets[0].rssi_thold = default_match_rssi;
5804 
5805 		request->min_rssi_thold = INT_MAX;
5806 		for (i = 0; i < n_match_sets; i++)
5807 			request->min_rssi_thold =
5808 				min(request->match_sets[i].rssi_thold,
5809 				    request->min_rssi_thold);
5810 	} else {
5811 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
5812 	}
5813 
5814 	if (ie_len) {
5815 		request->ie_len = ie_len;
5816 		memcpy((void *)request->ie,
5817 		       nla_data(info->attrs[NL80211_ATTR_IE]),
5818 		       request->ie_len);
5819 	}
5820 
5821 	if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
5822 		request->flags = nla_get_u32(
5823 			info->attrs[NL80211_ATTR_SCAN_FLAGS]);
5824 		if ((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
5825 		    !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) {
5826 			err = -EOPNOTSUPP;
5827 			goto out_free;
5828 		}
5829 	}
5830 
5831 	request->dev = dev;
5832 	request->wiphy = &rdev->wiphy;
5833 	request->interval = interval;
5834 	request->scan_start = jiffies;
5835 
5836 	err = rdev_sched_scan_start(rdev, dev, request);
5837 	if (!err) {
5838 		rdev->sched_scan_req = request;
5839 		nl80211_send_sched_scan(rdev, dev,
5840 					NL80211_CMD_START_SCHED_SCAN);
5841 		goto out;
5842 	}
5843 
5844 out_free:
5845 	kfree(request);
5846 out:
5847 	return err;
5848 }
5849 
5850 static int nl80211_stop_sched_scan(struct sk_buff *skb,
5851 				   struct genl_info *info)
5852 {
5853 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5854 
5855 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
5856 	    !rdev->ops->sched_scan_stop)
5857 		return -EOPNOTSUPP;
5858 
5859 	return __cfg80211_stop_sched_scan(rdev, false);
5860 }
5861 
5862 static int nl80211_start_radar_detection(struct sk_buff *skb,
5863 					 struct genl_info *info)
5864 {
5865 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5866 	struct net_device *dev = info->user_ptr[1];
5867 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5868 	struct cfg80211_chan_def chandef;
5869 	enum nl80211_dfs_regions dfs_region;
5870 	unsigned int cac_time_ms;
5871 	int err;
5872 
5873 	dfs_region = reg_get_dfs_region(wdev->wiphy);
5874 	if (dfs_region == NL80211_DFS_UNSET)
5875 		return -EINVAL;
5876 
5877 	err = nl80211_parse_chandef(rdev, info, &chandef);
5878 	if (err)
5879 		return err;
5880 
5881 	if (netif_carrier_ok(dev))
5882 		return -EBUSY;
5883 
5884 	if (wdev->cac_started)
5885 		return -EBUSY;
5886 
5887 	err = cfg80211_chandef_dfs_required(wdev->wiphy, &chandef,
5888 					    wdev->iftype);
5889 	if (err < 0)
5890 		return err;
5891 
5892 	if (err == 0)
5893 		return -EINVAL;
5894 
5895 	if (!cfg80211_chandef_dfs_usable(wdev->wiphy, &chandef))
5896 		return -EINVAL;
5897 
5898 	if (!rdev->ops->start_radar_detection)
5899 		return -EOPNOTSUPP;
5900 
5901 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
5902 	if (WARN_ON(!cac_time_ms))
5903 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
5904 
5905 	err = rdev->ops->start_radar_detection(&rdev->wiphy, dev, &chandef,
5906 					       cac_time_ms);
5907 	if (!err) {
5908 		wdev->chandef = chandef;
5909 		wdev->cac_started = true;
5910 		wdev->cac_start_time = jiffies;
5911 		wdev->cac_time_ms = cac_time_ms;
5912 	}
5913 	return err;
5914 }
5915 
5916 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
5917 {
5918 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5919 	struct net_device *dev = info->user_ptr[1];
5920 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5921 	struct cfg80211_csa_settings params;
5922 	/* csa_attrs is defined static to avoid waste of stack size - this
5923 	 * function is called under RTNL lock, so this should not be a problem.
5924 	 */
5925 	static struct nlattr *csa_attrs[NL80211_ATTR_MAX+1];
5926 	u8 radar_detect_width = 0;
5927 	int err;
5928 	bool need_new_beacon = false;
5929 	int len, i;
5930 	u32 cs_count;
5931 
5932 	if (!rdev->ops->channel_switch ||
5933 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
5934 		return -EOPNOTSUPP;
5935 
5936 	switch (dev->ieee80211_ptr->iftype) {
5937 	case NL80211_IFTYPE_AP:
5938 	case NL80211_IFTYPE_P2P_GO:
5939 		need_new_beacon = true;
5940 
5941 		/* useless if AP is not running */
5942 		if (!wdev->beacon_interval)
5943 			return -ENOTCONN;
5944 		break;
5945 	case NL80211_IFTYPE_ADHOC:
5946 		if (!wdev->ssid_len)
5947 			return -ENOTCONN;
5948 		break;
5949 	case NL80211_IFTYPE_MESH_POINT:
5950 		if (!wdev->mesh_id_len)
5951 			return -ENOTCONN;
5952 		break;
5953 	default:
5954 		return -EOPNOTSUPP;
5955 	}
5956 
5957 	memset(&params, 0, sizeof(params));
5958 
5959 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
5960 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
5961 		return -EINVAL;
5962 
5963 	/* only important for AP, IBSS and mesh create IEs internally */
5964 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
5965 		return -EINVAL;
5966 
5967 	/* Even though the attribute is u32, the specification says
5968 	 * u8, so let's make sure we don't overflow.
5969 	 */
5970 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
5971 	if (cs_count > 255)
5972 		return -EINVAL;
5973 
5974 	params.count = cs_count;
5975 
5976 	if (!need_new_beacon)
5977 		goto skip_beacons;
5978 
5979 	err = nl80211_parse_beacon(info->attrs, &params.beacon_after);
5980 	if (err)
5981 		return err;
5982 
5983 	err = nla_parse_nested(csa_attrs, NL80211_ATTR_MAX,
5984 			       info->attrs[NL80211_ATTR_CSA_IES],
5985 			       nl80211_policy);
5986 	if (err)
5987 		return err;
5988 
5989 	err = nl80211_parse_beacon(csa_attrs, &params.beacon_csa);
5990 	if (err)
5991 		return err;
5992 
5993 	if (!csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON])
5994 		return -EINVAL;
5995 
5996 	len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
5997 	if (!len || (len % sizeof(u16)))
5998 		return -EINVAL;
5999 
6000 	params.n_counter_offsets_beacon = len / sizeof(u16);
6001 	if (rdev->wiphy.max_num_csa_counters &&
6002 	    (params.n_counter_offsets_beacon >
6003 	     rdev->wiphy.max_num_csa_counters))
6004 		return -EINVAL;
6005 
6006 	params.counter_offsets_beacon =
6007 		nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
6008 
6009 	/* sanity checks - counters should fit and be the same */
6010 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
6011 		u16 offset = params.counter_offsets_beacon[i];
6012 
6013 		if (offset >= params.beacon_csa.tail_len)
6014 			return -EINVAL;
6015 
6016 		if (params.beacon_csa.tail[offset] != params.count)
6017 			return -EINVAL;
6018 	}
6019 
6020 	if (csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]) {
6021 		len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
6022 		if (!len || (len % sizeof(u16)))
6023 			return -EINVAL;
6024 
6025 		params.n_counter_offsets_presp = len / sizeof(u16);
6026 		if (rdev->wiphy.max_num_csa_counters &&
6027 		    (params.n_counter_offsets_beacon >
6028 		     rdev->wiphy.max_num_csa_counters))
6029 			return -EINVAL;
6030 
6031 		params.counter_offsets_presp =
6032 			nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
6033 
6034 		/* sanity checks - counters should fit and be the same */
6035 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
6036 			u16 offset = params.counter_offsets_presp[i];
6037 
6038 			if (offset >= params.beacon_csa.probe_resp_len)
6039 				return -EINVAL;
6040 
6041 			if (params.beacon_csa.probe_resp[offset] !=
6042 			    params.count)
6043 				return -EINVAL;
6044 		}
6045 	}
6046 
6047 skip_beacons:
6048 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
6049 	if (err)
6050 		return err;
6051 
6052 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &params.chandef,
6053 				     wdev->iftype))
6054 		return -EINVAL;
6055 
6056 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
6057 					    &params.chandef,
6058 					    wdev->iftype);
6059 	if (err < 0)
6060 		return err;
6061 
6062 	if (err > 0) {
6063 		radar_detect_width = BIT(params.chandef.width);
6064 		params.radar_required = true;
6065 	}
6066 
6067 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
6068 		params.block_tx = true;
6069 
6070 	wdev_lock(wdev);
6071 	err = rdev_channel_switch(rdev, dev, &params);
6072 	wdev_unlock(wdev);
6073 
6074 	return err;
6075 }
6076 
6077 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
6078 			    u32 seq, int flags,
6079 			    struct cfg80211_registered_device *rdev,
6080 			    struct wireless_dev *wdev,
6081 			    struct cfg80211_internal_bss *intbss)
6082 {
6083 	struct cfg80211_bss *res = &intbss->pub;
6084 	const struct cfg80211_bss_ies *ies;
6085 	void *hdr;
6086 	struct nlattr *bss;
6087 
6088 	ASSERT_WDEV_LOCK(wdev);
6089 
6090 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
6091 			     NL80211_CMD_NEW_SCAN_RESULTS);
6092 	if (!hdr)
6093 		return -1;
6094 
6095 	genl_dump_check_consistent(cb, hdr, &nl80211_fam);
6096 
6097 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
6098 		goto nla_put_failure;
6099 	if (wdev->netdev &&
6100 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
6101 		goto nla_put_failure;
6102 	if (nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
6103 		goto nla_put_failure;
6104 
6105 	bss = nla_nest_start(msg, NL80211_ATTR_BSS);
6106 	if (!bss)
6107 		goto nla_put_failure;
6108 	if ((!is_zero_ether_addr(res->bssid) &&
6109 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
6110 		goto nla_put_failure;
6111 
6112 	rcu_read_lock();
6113 	/* indicate whether we have probe response data or not */
6114 	if (rcu_access_pointer(res->proberesp_ies) &&
6115 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
6116 		goto fail_unlock_rcu;
6117 
6118 	/* this pointer prefers to be pointed to probe response data
6119 	 * but is always valid
6120 	 */
6121 	ies = rcu_dereference(res->ies);
6122 	if (ies) {
6123 		if (nla_put_u64(msg, NL80211_BSS_TSF, ies->tsf))
6124 			goto fail_unlock_rcu;
6125 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
6126 					ies->len, ies->data))
6127 			goto fail_unlock_rcu;
6128 	}
6129 
6130 	/* and this pointer is always (unless driver didn't know) beacon data */
6131 	ies = rcu_dereference(res->beacon_ies);
6132 	if (ies && ies->from_beacon) {
6133 		if (nla_put_u64(msg, NL80211_BSS_BEACON_TSF, ies->tsf))
6134 			goto fail_unlock_rcu;
6135 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
6136 					ies->len, ies->data))
6137 			goto fail_unlock_rcu;
6138 	}
6139 	rcu_read_unlock();
6140 
6141 	if (res->beacon_interval &&
6142 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
6143 		goto nla_put_failure;
6144 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
6145 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
6146 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
6147 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
6148 			jiffies_to_msecs(jiffies - intbss->ts)))
6149 		goto nla_put_failure;
6150 
6151 	switch (rdev->wiphy.signal_type) {
6152 	case CFG80211_SIGNAL_TYPE_MBM:
6153 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
6154 			goto nla_put_failure;
6155 		break;
6156 	case CFG80211_SIGNAL_TYPE_UNSPEC:
6157 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
6158 			goto nla_put_failure;
6159 		break;
6160 	default:
6161 		break;
6162 	}
6163 
6164 	switch (wdev->iftype) {
6165 	case NL80211_IFTYPE_P2P_CLIENT:
6166 	case NL80211_IFTYPE_STATION:
6167 		if (intbss == wdev->current_bss &&
6168 		    nla_put_u32(msg, NL80211_BSS_STATUS,
6169 				NL80211_BSS_STATUS_ASSOCIATED))
6170 			goto nla_put_failure;
6171 		break;
6172 	case NL80211_IFTYPE_ADHOC:
6173 		if (intbss == wdev->current_bss &&
6174 		    nla_put_u32(msg, NL80211_BSS_STATUS,
6175 				NL80211_BSS_STATUS_IBSS_JOINED))
6176 			goto nla_put_failure;
6177 		break;
6178 	default:
6179 		break;
6180 	}
6181 
6182 	nla_nest_end(msg, bss);
6183 
6184 	return genlmsg_end(msg, hdr);
6185 
6186  fail_unlock_rcu:
6187 	rcu_read_unlock();
6188  nla_put_failure:
6189 	genlmsg_cancel(msg, hdr);
6190 	return -EMSGSIZE;
6191 }
6192 
6193 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
6194 {
6195 	struct cfg80211_registered_device *rdev;
6196 	struct cfg80211_internal_bss *scan;
6197 	struct wireless_dev *wdev;
6198 	int start = cb->args[2], idx = 0;
6199 	int err;
6200 
6201 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
6202 	if (err)
6203 		return err;
6204 
6205 	wdev_lock(wdev);
6206 	spin_lock_bh(&rdev->bss_lock);
6207 	cfg80211_bss_expire(rdev);
6208 
6209 	cb->seq = rdev->bss_generation;
6210 
6211 	list_for_each_entry(scan, &rdev->bss_list, list) {
6212 		if (++idx <= start)
6213 			continue;
6214 		if (nl80211_send_bss(skb, cb,
6215 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6216 				rdev, wdev, scan) < 0) {
6217 			idx--;
6218 			break;
6219 		}
6220 	}
6221 
6222 	spin_unlock_bh(&rdev->bss_lock);
6223 	wdev_unlock(wdev);
6224 
6225 	cb->args[2] = idx;
6226 	nl80211_finish_wdev_dump(rdev);
6227 
6228 	return skb->len;
6229 }
6230 
6231 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
6232 				int flags, struct net_device *dev,
6233 				struct survey_info *survey)
6234 {
6235 	void *hdr;
6236 	struct nlattr *infoattr;
6237 
6238 	hdr = nl80211hdr_put(msg, portid, seq, flags,
6239 			     NL80211_CMD_NEW_SURVEY_RESULTS);
6240 	if (!hdr)
6241 		return -ENOMEM;
6242 
6243 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
6244 		goto nla_put_failure;
6245 
6246 	infoattr = nla_nest_start(msg, NL80211_ATTR_SURVEY_INFO);
6247 	if (!infoattr)
6248 		goto nla_put_failure;
6249 
6250 	if (nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
6251 			survey->channel->center_freq))
6252 		goto nla_put_failure;
6253 
6254 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
6255 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
6256 		goto nla_put_failure;
6257 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
6258 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
6259 		goto nla_put_failure;
6260 	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME) &&
6261 	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME,
6262 			survey->channel_time))
6263 		goto nla_put_failure;
6264 	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_BUSY) &&
6265 	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_BUSY,
6266 			survey->channel_time_busy))
6267 		goto nla_put_failure;
6268 	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_EXT_BUSY) &&
6269 	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_EXT_BUSY,
6270 			survey->channel_time_ext_busy))
6271 		goto nla_put_failure;
6272 	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_RX) &&
6273 	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_RX,
6274 			survey->channel_time_rx))
6275 		goto nla_put_failure;
6276 	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_TX) &&
6277 	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_TX,
6278 			survey->channel_time_tx))
6279 		goto nla_put_failure;
6280 
6281 	nla_nest_end(msg, infoattr);
6282 
6283 	return genlmsg_end(msg, hdr);
6284 
6285  nla_put_failure:
6286 	genlmsg_cancel(msg, hdr);
6287 	return -EMSGSIZE;
6288 }
6289 
6290 static int nl80211_dump_survey(struct sk_buff *skb,
6291 			struct netlink_callback *cb)
6292 {
6293 	struct survey_info survey;
6294 	struct cfg80211_registered_device *rdev;
6295 	struct wireless_dev *wdev;
6296 	int survey_idx = cb->args[2];
6297 	int res;
6298 
6299 	res = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
6300 	if (res)
6301 		return res;
6302 
6303 	if (!wdev->netdev) {
6304 		res = -EINVAL;
6305 		goto out_err;
6306 	}
6307 
6308 	if (!rdev->ops->dump_survey) {
6309 		res = -EOPNOTSUPP;
6310 		goto out_err;
6311 	}
6312 
6313 	while (1) {
6314 		struct ieee80211_channel *chan;
6315 
6316 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
6317 		if (res == -ENOENT)
6318 			break;
6319 		if (res)
6320 			goto out_err;
6321 
6322 		/* Survey without a channel doesn't make sense */
6323 		if (!survey.channel) {
6324 			res = -EINVAL;
6325 			goto out;
6326 		}
6327 
6328 		chan = ieee80211_get_channel(&rdev->wiphy,
6329 					     survey.channel->center_freq);
6330 		if (!chan || chan->flags & IEEE80211_CHAN_DISABLED) {
6331 			survey_idx++;
6332 			continue;
6333 		}
6334 
6335 		if (nl80211_send_survey(skb,
6336 				NETLINK_CB(cb->skb).portid,
6337 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6338 				wdev->netdev, &survey) < 0)
6339 			goto out;
6340 		survey_idx++;
6341 	}
6342 
6343  out:
6344 	cb->args[2] = survey_idx;
6345 	res = skb->len;
6346  out_err:
6347 	nl80211_finish_wdev_dump(rdev);
6348 	return res;
6349 }
6350 
6351 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
6352 {
6353 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
6354 				  NL80211_WPA_VERSION_2));
6355 }
6356 
6357 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
6358 {
6359 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6360 	struct net_device *dev = info->user_ptr[1];
6361 	struct ieee80211_channel *chan;
6362 	const u8 *bssid, *ssid, *ie = NULL, *sae_data = NULL;
6363 	int err, ssid_len, ie_len = 0, sae_data_len = 0;
6364 	enum nl80211_auth_type auth_type;
6365 	struct key_parse key;
6366 	bool local_state_change;
6367 
6368 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6369 		return -EINVAL;
6370 
6371 	if (!info->attrs[NL80211_ATTR_MAC])
6372 		return -EINVAL;
6373 
6374 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
6375 		return -EINVAL;
6376 
6377 	if (!info->attrs[NL80211_ATTR_SSID])
6378 		return -EINVAL;
6379 
6380 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
6381 		return -EINVAL;
6382 
6383 	err = nl80211_parse_key(info, &key);
6384 	if (err)
6385 		return err;
6386 
6387 	if (key.idx >= 0) {
6388 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
6389 			return -EINVAL;
6390 		if (!key.p.key || !key.p.key_len)
6391 			return -EINVAL;
6392 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
6393 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
6394 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
6395 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
6396 			return -EINVAL;
6397 		if (key.idx > 4)
6398 			return -EINVAL;
6399 	} else {
6400 		key.p.key_len = 0;
6401 		key.p.key = NULL;
6402 	}
6403 
6404 	if (key.idx >= 0) {
6405 		int i;
6406 		bool ok = false;
6407 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
6408 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
6409 				ok = true;
6410 				break;
6411 			}
6412 		}
6413 		if (!ok)
6414 			return -EINVAL;
6415 	}
6416 
6417 	if (!rdev->ops->auth)
6418 		return -EOPNOTSUPP;
6419 
6420 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6421 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6422 		return -EOPNOTSUPP;
6423 
6424 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6425 	chan = nl80211_get_valid_chan(&rdev->wiphy,
6426 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
6427 	if (!chan)
6428 		return -EINVAL;
6429 
6430 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6431 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
6432 
6433 	if (info->attrs[NL80211_ATTR_IE]) {
6434 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6435 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6436 	}
6437 
6438 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
6439 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
6440 		return -EINVAL;
6441 
6442 	if (auth_type == NL80211_AUTHTYPE_SAE &&
6443 	    !info->attrs[NL80211_ATTR_SAE_DATA])
6444 		return -EINVAL;
6445 
6446 	if (info->attrs[NL80211_ATTR_SAE_DATA]) {
6447 		if (auth_type != NL80211_AUTHTYPE_SAE)
6448 			return -EINVAL;
6449 		sae_data = nla_data(info->attrs[NL80211_ATTR_SAE_DATA]);
6450 		sae_data_len = nla_len(info->attrs[NL80211_ATTR_SAE_DATA]);
6451 		/* need to include at least Auth Transaction and Status Code */
6452 		if (sae_data_len < 4)
6453 			return -EINVAL;
6454 	}
6455 
6456 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
6457 
6458 	/*
6459 	 * Since we no longer track auth state, ignore
6460 	 * requests to only change local state.
6461 	 */
6462 	if (local_state_change)
6463 		return 0;
6464 
6465 	wdev_lock(dev->ieee80211_ptr);
6466 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
6467 				 ssid, ssid_len, ie, ie_len,
6468 				 key.p.key, key.p.key_len, key.idx,
6469 				 sae_data, sae_data_len);
6470 	wdev_unlock(dev->ieee80211_ptr);
6471 	return err;
6472 }
6473 
6474 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
6475 				   struct genl_info *info,
6476 				   struct cfg80211_crypto_settings *settings,
6477 				   int cipher_limit)
6478 {
6479 	memset(settings, 0, sizeof(*settings));
6480 
6481 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
6482 
6483 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
6484 		u16 proto;
6485 		proto = nla_get_u16(
6486 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
6487 		settings->control_port_ethertype = cpu_to_be16(proto);
6488 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
6489 		    proto != ETH_P_PAE)
6490 			return -EINVAL;
6491 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
6492 			settings->control_port_no_encrypt = true;
6493 	} else
6494 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
6495 
6496 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
6497 		void *data;
6498 		int len, i;
6499 
6500 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
6501 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
6502 		settings->n_ciphers_pairwise = len / sizeof(u32);
6503 
6504 		if (len % sizeof(u32))
6505 			return -EINVAL;
6506 
6507 		if (settings->n_ciphers_pairwise > cipher_limit)
6508 			return -EINVAL;
6509 
6510 		memcpy(settings->ciphers_pairwise, data, len);
6511 
6512 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
6513 			if (!cfg80211_supported_cipher_suite(
6514 					&rdev->wiphy,
6515 					settings->ciphers_pairwise[i]))
6516 				return -EINVAL;
6517 	}
6518 
6519 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
6520 		settings->cipher_group =
6521 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
6522 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
6523 						     settings->cipher_group))
6524 			return -EINVAL;
6525 	}
6526 
6527 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
6528 		settings->wpa_versions =
6529 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
6530 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
6531 			return -EINVAL;
6532 	}
6533 
6534 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
6535 		void *data;
6536 		int len;
6537 
6538 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
6539 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
6540 		settings->n_akm_suites = len / sizeof(u32);
6541 
6542 		if (len % sizeof(u32))
6543 			return -EINVAL;
6544 
6545 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
6546 			return -EINVAL;
6547 
6548 		memcpy(settings->akm_suites, data, len);
6549 	}
6550 
6551 	return 0;
6552 }
6553 
6554 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
6555 {
6556 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6557 	struct net_device *dev = info->user_ptr[1];
6558 	struct ieee80211_channel *chan;
6559 	struct cfg80211_assoc_request req = {};
6560 	const u8 *bssid, *ssid;
6561 	int err, ssid_len = 0;
6562 
6563 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6564 		return -EINVAL;
6565 
6566 	if (!info->attrs[NL80211_ATTR_MAC] ||
6567 	    !info->attrs[NL80211_ATTR_SSID] ||
6568 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
6569 		return -EINVAL;
6570 
6571 	if (!rdev->ops->assoc)
6572 		return -EOPNOTSUPP;
6573 
6574 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6575 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6576 		return -EOPNOTSUPP;
6577 
6578 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6579 
6580 	chan = nl80211_get_valid_chan(&rdev->wiphy,
6581 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
6582 	if (!chan)
6583 		return -EINVAL;
6584 
6585 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6586 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
6587 
6588 	if (info->attrs[NL80211_ATTR_IE]) {
6589 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6590 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6591 	}
6592 
6593 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
6594 		enum nl80211_mfp mfp =
6595 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
6596 		if (mfp == NL80211_MFP_REQUIRED)
6597 			req.use_mfp = true;
6598 		else if (mfp != NL80211_MFP_NO)
6599 			return -EINVAL;
6600 	}
6601 
6602 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
6603 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
6604 
6605 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
6606 		req.flags |= ASSOC_REQ_DISABLE_HT;
6607 
6608 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
6609 		memcpy(&req.ht_capa_mask,
6610 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
6611 		       sizeof(req.ht_capa_mask));
6612 
6613 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
6614 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
6615 			return -EINVAL;
6616 		memcpy(&req.ht_capa,
6617 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
6618 		       sizeof(req.ht_capa));
6619 	}
6620 
6621 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
6622 		req.flags |= ASSOC_REQ_DISABLE_VHT;
6623 
6624 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
6625 		memcpy(&req.vht_capa_mask,
6626 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
6627 		       sizeof(req.vht_capa_mask));
6628 
6629 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
6630 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
6631 			return -EINVAL;
6632 		memcpy(&req.vht_capa,
6633 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
6634 		       sizeof(req.vht_capa));
6635 	}
6636 
6637 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
6638 		if (!(rdev->wiphy.features &
6639 		      NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) ||
6640 		    !(rdev->wiphy.features & NL80211_FEATURE_QUIET))
6641 			return -EINVAL;
6642 		req.flags |= ASSOC_REQ_USE_RRM;
6643 	}
6644 
6645 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
6646 	if (!err) {
6647 		wdev_lock(dev->ieee80211_ptr);
6648 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
6649 					  ssid, ssid_len, &req);
6650 		wdev_unlock(dev->ieee80211_ptr);
6651 	}
6652 
6653 	return err;
6654 }
6655 
6656 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
6657 {
6658 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6659 	struct net_device *dev = info->user_ptr[1];
6660 	const u8 *ie = NULL, *bssid;
6661 	int ie_len = 0, err;
6662 	u16 reason_code;
6663 	bool local_state_change;
6664 
6665 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6666 		return -EINVAL;
6667 
6668 	if (!info->attrs[NL80211_ATTR_MAC])
6669 		return -EINVAL;
6670 
6671 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
6672 		return -EINVAL;
6673 
6674 	if (!rdev->ops->deauth)
6675 		return -EOPNOTSUPP;
6676 
6677 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6678 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6679 		return -EOPNOTSUPP;
6680 
6681 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6682 
6683 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
6684 	if (reason_code == 0) {
6685 		/* Reason Code 0 is reserved */
6686 		return -EINVAL;
6687 	}
6688 
6689 	if (info->attrs[NL80211_ATTR_IE]) {
6690 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6691 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6692 	}
6693 
6694 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
6695 
6696 	wdev_lock(dev->ieee80211_ptr);
6697 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
6698 				   local_state_change);
6699 	wdev_unlock(dev->ieee80211_ptr);
6700 	return err;
6701 }
6702 
6703 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
6704 {
6705 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6706 	struct net_device *dev = info->user_ptr[1];
6707 	const u8 *ie = NULL, *bssid;
6708 	int ie_len = 0, err;
6709 	u16 reason_code;
6710 	bool local_state_change;
6711 
6712 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6713 		return -EINVAL;
6714 
6715 	if (!info->attrs[NL80211_ATTR_MAC])
6716 		return -EINVAL;
6717 
6718 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
6719 		return -EINVAL;
6720 
6721 	if (!rdev->ops->disassoc)
6722 		return -EOPNOTSUPP;
6723 
6724 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6725 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6726 		return -EOPNOTSUPP;
6727 
6728 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6729 
6730 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
6731 	if (reason_code == 0) {
6732 		/* Reason Code 0 is reserved */
6733 		return -EINVAL;
6734 	}
6735 
6736 	if (info->attrs[NL80211_ATTR_IE]) {
6737 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6738 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6739 	}
6740 
6741 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
6742 
6743 	wdev_lock(dev->ieee80211_ptr);
6744 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
6745 				     local_state_change);
6746 	wdev_unlock(dev->ieee80211_ptr);
6747 	return err;
6748 }
6749 
6750 static bool
6751 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
6752 			 int mcast_rate[IEEE80211_NUM_BANDS],
6753 			 int rateval)
6754 {
6755 	struct wiphy *wiphy = &rdev->wiphy;
6756 	bool found = false;
6757 	int band, i;
6758 
6759 	for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
6760 		struct ieee80211_supported_band *sband;
6761 
6762 		sband = wiphy->bands[band];
6763 		if (!sband)
6764 			continue;
6765 
6766 		for (i = 0; i < sband->n_bitrates; i++) {
6767 			if (sband->bitrates[i].bitrate == rateval) {
6768 				mcast_rate[band] = i + 1;
6769 				found = true;
6770 				break;
6771 			}
6772 		}
6773 	}
6774 
6775 	return found;
6776 }
6777 
6778 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
6779 {
6780 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6781 	struct net_device *dev = info->user_ptr[1];
6782 	struct cfg80211_ibss_params ibss;
6783 	struct wiphy *wiphy;
6784 	struct cfg80211_cached_keys *connkeys = NULL;
6785 	int err;
6786 
6787 	memset(&ibss, 0, sizeof(ibss));
6788 
6789 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6790 		return -EINVAL;
6791 
6792 	if (!info->attrs[NL80211_ATTR_SSID] ||
6793 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
6794 		return -EINVAL;
6795 
6796 	ibss.beacon_interval = 100;
6797 
6798 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
6799 		ibss.beacon_interval =
6800 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
6801 		if (ibss.beacon_interval < 1 || ibss.beacon_interval > 10000)
6802 			return -EINVAL;
6803 	}
6804 
6805 	if (!rdev->ops->join_ibss)
6806 		return -EOPNOTSUPP;
6807 
6808 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
6809 		return -EOPNOTSUPP;
6810 
6811 	wiphy = &rdev->wiphy;
6812 
6813 	if (info->attrs[NL80211_ATTR_MAC]) {
6814 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6815 
6816 		if (!is_valid_ether_addr(ibss.bssid))
6817 			return -EINVAL;
6818 	}
6819 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6820 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
6821 
6822 	if (info->attrs[NL80211_ATTR_IE]) {
6823 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6824 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6825 	}
6826 
6827 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
6828 	if (err)
6829 		return err;
6830 
6831 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
6832 				     NL80211_IFTYPE_ADHOC))
6833 		return -EINVAL;
6834 
6835 	switch (ibss.chandef.width) {
6836 	case NL80211_CHAN_WIDTH_5:
6837 	case NL80211_CHAN_WIDTH_10:
6838 	case NL80211_CHAN_WIDTH_20_NOHT:
6839 		break;
6840 	case NL80211_CHAN_WIDTH_20:
6841 	case NL80211_CHAN_WIDTH_40:
6842 		if (rdev->wiphy.features & NL80211_FEATURE_HT_IBSS)
6843 			break;
6844 	default:
6845 		return -EINVAL;
6846 	}
6847 
6848 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
6849 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
6850 
6851 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
6852 		u8 *rates =
6853 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6854 		int n_rates =
6855 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6856 		struct ieee80211_supported_band *sband =
6857 			wiphy->bands[ibss.chandef.chan->band];
6858 
6859 		err = ieee80211_get_ratemask(sband, rates, n_rates,
6860 					     &ibss.basic_rates);
6861 		if (err)
6862 			return err;
6863 	}
6864 
6865 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
6866 		memcpy(&ibss.ht_capa_mask,
6867 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
6868 		       sizeof(ibss.ht_capa_mask));
6869 
6870 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
6871 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
6872 			return -EINVAL;
6873 		memcpy(&ibss.ht_capa,
6874 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
6875 		       sizeof(ibss.ht_capa));
6876 	}
6877 
6878 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
6879 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
6880 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
6881 		return -EINVAL;
6882 
6883 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
6884 		bool no_ht = false;
6885 
6886 		connkeys = nl80211_parse_connkeys(rdev,
6887 					  info->attrs[NL80211_ATTR_KEYS],
6888 					  &no_ht);
6889 		if (IS_ERR(connkeys))
6890 			return PTR_ERR(connkeys);
6891 
6892 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
6893 		    no_ht) {
6894 			kfree(connkeys);
6895 			return -EINVAL;
6896 		}
6897 	}
6898 
6899 	ibss.control_port =
6900 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
6901 
6902 	ibss.userspace_handles_dfs =
6903 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
6904 
6905 	err = cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
6906 	if (err)
6907 		kzfree(connkeys);
6908 	return err;
6909 }
6910 
6911 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
6912 {
6913 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6914 	struct net_device *dev = info->user_ptr[1];
6915 
6916 	if (!rdev->ops->leave_ibss)
6917 		return -EOPNOTSUPP;
6918 
6919 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
6920 		return -EOPNOTSUPP;
6921 
6922 	return cfg80211_leave_ibss(rdev, dev, false);
6923 }
6924 
6925 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
6926 {
6927 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6928 	struct net_device *dev = info->user_ptr[1];
6929 	int mcast_rate[IEEE80211_NUM_BANDS];
6930 	u32 nla_rate;
6931 	int err;
6932 
6933 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
6934 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6935 		return -EOPNOTSUPP;
6936 
6937 	if (!rdev->ops->set_mcast_rate)
6938 		return -EOPNOTSUPP;
6939 
6940 	memset(mcast_rate, 0, sizeof(mcast_rate));
6941 
6942 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
6943 		return -EINVAL;
6944 
6945 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
6946 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
6947 		return -EINVAL;
6948 
6949 	err = rdev->ops->set_mcast_rate(&rdev->wiphy, dev, mcast_rate);
6950 
6951 	return err;
6952 }
6953 
6954 static struct sk_buff *
6955 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
6956 			    int approxlen, u32 portid, u32 seq,
6957 			    enum nl80211_commands cmd,
6958 			    enum nl80211_attrs attr,
6959 			    const struct nl80211_vendor_cmd_info *info,
6960 			    gfp_t gfp)
6961 {
6962 	struct sk_buff *skb;
6963 	void *hdr;
6964 	struct nlattr *data;
6965 
6966 	skb = nlmsg_new(approxlen + 100, gfp);
6967 	if (!skb)
6968 		return NULL;
6969 
6970 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
6971 	if (!hdr) {
6972 		kfree_skb(skb);
6973 		return NULL;
6974 	}
6975 
6976 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
6977 		goto nla_put_failure;
6978 
6979 	if (info) {
6980 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
6981 				info->vendor_id))
6982 			goto nla_put_failure;
6983 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
6984 				info->subcmd))
6985 			goto nla_put_failure;
6986 	}
6987 
6988 	data = nla_nest_start(skb, attr);
6989 
6990 	((void **)skb->cb)[0] = rdev;
6991 	((void **)skb->cb)[1] = hdr;
6992 	((void **)skb->cb)[2] = data;
6993 
6994 	return skb;
6995 
6996  nla_put_failure:
6997 	kfree_skb(skb);
6998 	return NULL;
6999 }
7000 
7001 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
7002 					   enum nl80211_commands cmd,
7003 					   enum nl80211_attrs attr,
7004 					   int vendor_event_idx,
7005 					   int approxlen, gfp_t gfp)
7006 {
7007 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
7008 	const struct nl80211_vendor_cmd_info *info;
7009 
7010 	switch (cmd) {
7011 	case NL80211_CMD_TESTMODE:
7012 		if (WARN_ON(vendor_event_idx != -1))
7013 			return NULL;
7014 		info = NULL;
7015 		break;
7016 	case NL80211_CMD_VENDOR:
7017 		if (WARN_ON(vendor_event_idx < 0 ||
7018 			    vendor_event_idx >= wiphy->n_vendor_events))
7019 			return NULL;
7020 		info = &wiphy->vendor_events[vendor_event_idx];
7021 		break;
7022 	default:
7023 		WARN_ON(1);
7024 		return NULL;
7025 	}
7026 
7027 	return __cfg80211_alloc_vendor_skb(rdev, approxlen, 0, 0,
7028 					   cmd, attr, info, gfp);
7029 }
7030 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
7031 
7032 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
7033 {
7034 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
7035 	void *hdr = ((void **)skb->cb)[1];
7036 	struct nlattr *data = ((void **)skb->cb)[2];
7037 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
7038 
7039 	/* clear CB data for netlink core to own from now on */
7040 	memset(skb->cb, 0, sizeof(skb->cb));
7041 
7042 	nla_nest_end(skb, data);
7043 	genlmsg_end(skb, hdr);
7044 
7045 	if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
7046 		mcgrp = NL80211_MCGRP_VENDOR;
7047 
7048 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), skb, 0,
7049 				mcgrp, gfp);
7050 }
7051 EXPORT_SYMBOL(__cfg80211_send_event_skb);
7052 
7053 #ifdef CONFIG_NL80211_TESTMODE
7054 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
7055 {
7056 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7057 	struct wireless_dev *wdev =
7058 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
7059 	int err;
7060 
7061 	if (!rdev->ops->testmode_cmd)
7062 		return -EOPNOTSUPP;
7063 
7064 	if (IS_ERR(wdev)) {
7065 		err = PTR_ERR(wdev);
7066 		if (err != -EINVAL)
7067 			return err;
7068 		wdev = NULL;
7069 	} else if (wdev->wiphy != &rdev->wiphy) {
7070 		return -EINVAL;
7071 	}
7072 
7073 	if (!info->attrs[NL80211_ATTR_TESTDATA])
7074 		return -EINVAL;
7075 
7076 	rdev->cur_cmd_info = info;
7077 	err = rdev_testmode_cmd(rdev, wdev,
7078 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
7079 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
7080 	rdev->cur_cmd_info = NULL;
7081 
7082 	return err;
7083 }
7084 
7085 static int nl80211_testmode_dump(struct sk_buff *skb,
7086 				 struct netlink_callback *cb)
7087 {
7088 	struct cfg80211_registered_device *rdev;
7089 	int err;
7090 	long phy_idx;
7091 	void *data = NULL;
7092 	int data_len = 0;
7093 
7094 	rtnl_lock();
7095 
7096 	if (cb->args[0]) {
7097 		/*
7098 		 * 0 is a valid index, but not valid for args[0],
7099 		 * so we need to offset by 1.
7100 		 */
7101 		phy_idx = cb->args[0] - 1;
7102 	} else {
7103 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
7104 				  nl80211_fam.attrbuf, nl80211_fam.maxattr,
7105 				  nl80211_policy);
7106 		if (err)
7107 			goto out_err;
7108 
7109 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk),
7110 						  nl80211_fam.attrbuf);
7111 		if (IS_ERR(rdev)) {
7112 			err = PTR_ERR(rdev);
7113 			goto out_err;
7114 		}
7115 		phy_idx = rdev->wiphy_idx;
7116 		rdev = NULL;
7117 
7118 		if (nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA])
7119 			cb->args[1] =
7120 				(long)nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA];
7121 	}
7122 
7123 	if (cb->args[1]) {
7124 		data = nla_data((void *)cb->args[1]);
7125 		data_len = nla_len((void *)cb->args[1]);
7126 	}
7127 
7128 	rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
7129 	if (!rdev) {
7130 		err = -ENOENT;
7131 		goto out_err;
7132 	}
7133 
7134 	if (!rdev->ops->testmode_dump) {
7135 		err = -EOPNOTSUPP;
7136 		goto out_err;
7137 	}
7138 
7139 	while (1) {
7140 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
7141 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
7142 					   NL80211_CMD_TESTMODE);
7143 		struct nlattr *tmdata;
7144 
7145 		if (!hdr)
7146 			break;
7147 
7148 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
7149 			genlmsg_cancel(skb, hdr);
7150 			break;
7151 		}
7152 
7153 		tmdata = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
7154 		if (!tmdata) {
7155 			genlmsg_cancel(skb, hdr);
7156 			break;
7157 		}
7158 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
7159 		nla_nest_end(skb, tmdata);
7160 
7161 		if (err == -ENOBUFS || err == -ENOENT) {
7162 			genlmsg_cancel(skb, hdr);
7163 			break;
7164 		} else if (err) {
7165 			genlmsg_cancel(skb, hdr);
7166 			goto out_err;
7167 		}
7168 
7169 		genlmsg_end(skb, hdr);
7170 	}
7171 
7172 	err = skb->len;
7173 	/* see above */
7174 	cb->args[0] = phy_idx + 1;
7175  out_err:
7176 	rtnl_unlock();
7177 	return err;
7178 }
7179 #endif
7180 
7181 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
7182 {
7183 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7184 	struct net_device *dev = info->user_ptr[1];
7185 	struct cfg80211_connect_params connect;
7186 	struct wiphy *wiphy;
7187 	struct cfg80211_cached_keys *connkeys = NULL;
7188 	int err;
7189 
7190 	memset(&connect, 0, sizeof(connect));
7191 
7192 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7193 		return -EINVAL;
7194 
7195 	if (!info->attrs[NL80211_ATTR_SSID] ||
7196 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
7197 		return -EINVAL;
7198 
7199 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
7200 		connect.auth_type =
7201 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
7202 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
7203 					     NL80211_CMD_CONNECT))
7204 			return -EINVAL;
7205 	} else
7206 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
7207 
7208 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
7209 
7210 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
7211 				      NL80211_MAX_NR_CIPHER_SUITES);
7212 	if (err)
7213 		return err;
7214 
7215 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7216 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7217 		return -EOPNOTSUPP;
7218 
7219 	wiphy = &rdev->wiphy;
7220 
7221 	connect.bg_scan_period = -1;
7222 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
7223 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
7224 		connect.bg_scan_period =
7225 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
7226 	}
7227 
7228 	if (info->attrs[NL80211_ATTR_MAC])
7229 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7230 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
7231 		connect.bssid_hint =
7232 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
7233 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
7234 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
7235 
7236 	if (info->attrs[NL80211_ATTR_IE]) {
7237 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7238 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7239 	}
7240 
7241 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
7242 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
7243 		if (connect.mfp != NL80211_MFP_REQUIRED &&
7244 		    connect.mfp != NL80211_MFP_NO)
7245 			return -EINVAL;
7246 	} else {
7247 		connect.mfp = NL80211_MFP_NO;
7248 	}
7249 
7250 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
7251 		connect.channel = nl80211_get_valid_chan(
7252 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ]);
7253 		if (!connect.channel)
7254 			return -EINVAL;
7255 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
7256 		connect.channel_hint = nl80211_get_valid_chan(
7257 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
7258 		if (!connect.channel_hint)
7259 			return -EINVAL;
7260 	}
7261 
7262 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
7263 		connkeys = nl80211_parse_connkeys(rdev,
7264 					  info->attrs[NL80211_ATTR_KEYS], NULL);
7265 		if (IS_ERR(connkeys))
7266 			return PTR_ERR(connkeys);
7267 	}
7268 
7269 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
7270 		connect.flags |= ASSOC_REQ_DISABLE_HT;
7271 
7272 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7273 		memcpy(&connect.ht_capa_mask,
7274 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
7275 		       sizeof(connect.ht_capa_mask));
7276 
7277 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
7278 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
7279 			kzfree(connkeys);
7280 			return -EINVAL;
7281 		}
7282 		memcpy(&connect.ht_capa,
7283 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
7284 		       sizeof(connect.ht_capa));
7285 	}
7286 
7287 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
7288 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
7289 
7290 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
7291 		memcpy(&connect.vht_capa_mask,
7292 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
7293 		       sizeof(connect.vht_capa_mask));
7294 
7295 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
7296 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
7297 			kzfree(connkeys);
7298 			return -EINVAL;
7299 		}
7300 		memcpy(&connect.vht_capa,
7301 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
7302 		       sizeof(connect.vht_capa));
7303 	}
7304 
7305 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
7306 		if (!(rdev->wiphy.features &
7307 		      NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) ||
7308 		    !(rdev->wiphy.features & NL80211_FEATURE_QUIET))
7309 			return -EINVAL;
7310 		connect.flags |= ASSOC_REQ_USE_RRM;
7311 	}
7312 
7313 	wdev_lock(dev->ieee80211_ptr);
7314 	err = cfg80211_connect(rdev, dev, &connect, connkeys, NULL);
7315 	wdev_unlock(dev->ieee80211_ptr);
7316 	if (err)
7317 		kzfree(connkeys);
7318 	return err;
7319 }
7320 
7321 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
7322 {
7323 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7324 	struct net_device *dev = info->user_ptr[1];
7325 	u16 reason;
7326 	int ret;
7327 
7328 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
7329 		reason = WLAN_REASON_DEAUTH_LEAVING;
7330 	else
7331 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7332 
7333 	if (reason == 0)
7334 		return -EINVAL;
7335 
7336 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7337 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7338 		return -EOPNOTSUPP;
7339 
7340 	wdev_lock(dev->ieee80211_ptr);
7341 	ret = cfg80211_disconnect(rdev, dev, reason, true);
7342 	wdev_unlock(dev->ieee80211_ptr);
7343 	return ret;
7344 }
7345 
7346 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
7347 {
7348 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7349 	struct net *net;
7350 	int err;
7351 	u32 pid;
7352 
7353 	if (!info->attrs[NL80211_ATTR_PID])
7354 		return -EINVAL;
7355 
7356 	pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
7357 
7358 	net = get_net_ns_by_pid(pid);
7359 	if (IS_ERR(net))
7360 		return PTR_ERR(net);
7361 
7362 	err = 0;
7363 
7364 	/* check if anything to do */
7365 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
7366 		err = cfg80211_switch_netns(rdev, net);
7367 
7368 	put_net(net);
7369 	return err;
7370 }
7371 
7372 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
7373 {
7374 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7375 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
7376 			struct cfg80211_pmksa *pmksa) = NULL;
7377 	struct net_device *dev = info->user_ptr[1];
7378 	struct cfg80211_pmksa pmksa;
7379 
7380 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
7381 
7382 	if (!info->attrs[NL80211_ATTR_MAC])
7383 		return -EINVAL;
7384 
7385 	if (!info->attrs[NL80211_ATTR_PMKID])
7386 		return -EINVAL;
7387 
7388 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
7389 	pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7390 
7391 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7392 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7393 		return -EOPNOTSUPP;
7394 
7395 	switch (info->genlhdr->cmd) {
7396 	case NL80211_CMD_SET_PMKSA:
7397 		rdev_ops = rdev->ops->set_pmksa;
7398 		break;
7399 	case NL80211_CMD_DEL_PMKSA:
7400 		rdev_ops = rdev->ops->del_pmksa;
7401 		break;
7402 	default:
7403 		WARN_ON(1);
7404 		break;
7405 	}
7406 
7407 	if (!rdev_ops)
7408 		return -EOPNOTSUPP;
7409 
7410 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
7411 }
7412 
7413 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
7414 {
7415 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7416 	struct net_device *dev = info->user_ptr[1];
7417 
7418 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7419 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7420 		return -EOPNOTSUPP;
7421 
7422 	if (!rdev->ops->flush_pmksa)
7423 		return -EOPNOTSUPP;
7424 
7425 	return rdev_flush_pmksa(rdev, dev);
7426 }
7427 
7428 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
7429 {
7430 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7431 	struct net_device *dev = info->user_ptr[1];
7432 	u8 action_code, dialog_token;
7433 	u32 peer_capability = 0;
7434 	u16 status_code;
7435 	u8 *peer;
7436 	bool initiator;
7437 
7438 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
7439 	    !rdev->ops->tdls_mgmt)
7440 		return -EOPNOTSUPP;
7441 
7442 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
7443 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
7444 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
7445 	    !info->attrs[NL80211_ATTR_IE] ||
7446 	    !info->attrs[NL80211_ATTR_MAC])
7447 		return -EINVAL;
7448 
7449 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
7450 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
7451 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
7452 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
7453 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
7454 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
7455 		peer_capability =
7456 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
7457 
7458 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
7459 			      dialog_token, status_code, peer_capability,
7460 			      initiator,
7461 			      nla_data(info->attrs[NL80211_ATTR_IE]),
7462 			      nla_len(info->attrs[NL80211_ATTR_IE]));
7463 }
7464 
7465 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
7466 {
7467 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7468 	struct net_device *dev = info->user_ptr[1];
7469 	enum nl80211_tdls_operation operation;
7470 	u8 *peer;
7471 
7472 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
7473 	    !rdev->ops->tdls_oper)
7474 		return -EOPNOTSUPP;
7475 
7476 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
7477 	    !info->attrs[NL80211_ATTR_MAC])
7478 		return -EINVAL;
7479 
7480 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
7481 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
7482 
7483 	return rdev_tdls_oper(rdev, dev, peer, operation);
7484 }
7485 
7486 static int nl80211_remain_on_channel(struct sk_buff *skb,
7487 				     struct genl_info *info)
7488 {
7489 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7490 	struct wireless_dev *wdev = info->user_ptr[1];
7491 	struct cfg80211_chan_def chandef;
7492 	struct sk_buff *msg;
7493 	void *hdr;
7494 	u64 cookie;
7495 	u32 duration;
7496 	int err;
7497 
7498 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
7499 	    !info->attrs[NL80211_ATTR_DURATION])
7500 		return -EINVAL;
7501 
7502 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
7503 
7504 	if (!rdev->ops->remain_on_channel ||
7505 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
7506 		return -EOPNOTSUPP;
7507 
7508 	/*
7509 	 * We should be on that channel for at least a minimum amount of
7510 	 * time (10ms) but no longer than the driver supports.
7511 	 */
7512 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
7513 	    duration > rdev->wiphy.max_remain_on_channel_duration)
7514 		return -EINVAL;
7515 
7516 	err = nl80211_parse_chandef(rdev, info, &chandef);
7517 	if (err)
7518 		return err;
7519 
7520 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7521 	if (!msg)
7522 		return -ENOMEM;
7523 
7524 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7525 			     NL80211_CMD_REMAIN_ON_CHANNEL);
7526 	if (!hdr) {
7527 		err = -ENOBUFS;
7528 		goto free_msg;
7529 	}
7530 
7531 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
7532 				     duration, &cookie);
7533 
7534 	if (err)
7535 		goto free_msg;
7536 
7537 	if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
7538 		goto nla_put_failure;
7539 
7540 	genlmsg_end(msg, hdr);
7541 
7542 	return genlmsg_reply(msg, info);
7543 
7544  nla_put_failure:
7545 	err = -ENOBUFS;
7546  free_msg:
7547 	nlmsg_free(msg);
7548 	return err;
7549 }
7550 
7551 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
7552 					    struct genl_info *info)
7553 {
7554 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7555 	struct wireless_dev *wdev = info->user_ptr[1];
7556 	u64 cookie;
7557 
7558 	if (!info->attrs[NL80211_ATTR_COOKIE])
7559 		return -EINVAL;
7560 
7561 	if (!rdev->ops->cancel_remain_on_channel)
7562 		return -EOPNOTSUPP;
7563 
7564 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
7565 
7566 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
7567 }
7568 
7569 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
7570 			   u8 *rates, u8 rates_len)
7571 {
7572 	u8 i;
7573 	u32 mask = 0;
7574 
7575 	for (i = 0; i < rates_len; i++) {
7576 		int rate = (rates[i] & 0x7f) * 5;
7577 		int ridx;
7578 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
7579 			struct ieee80211_rate *srate =
7580 				&sband->bitrates[ridx];
7581 			if (rate == srate->bitrate) {
7582 				mask |= 1 << ridx;
7583 				break;
7584 			}
7585 		}
7586 		if (ridx == sband->n_bitrates)
7587 			return 0; /* rate not found */
7588 	}
7589 
7590 	return mask;
7591 }
7592 
7593 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
7594 			       u8 *rates, u8 rates_len,
7595 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
7596 {
7597 	u8 i;
7598 
7599 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
7600 
7601 	for (i = 0; i < rates_len; i++) {
7602 		int ridx, rbit;
7603 
7604 		ridx = rates[i] / 8;
7605 		rbit = BIT(rates[i] % 8);
7606 
7607 		/* check validity */
7608 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
7609 			return false;
7610 
7611 		/* check availability */
7612 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
7613 			mcs[ridx] |= rbit;
7614 		else
7615 			return false;
7616 	}
7617 
7618 	return true;
7619 }
7620 
7621 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
7622 {
7623 	u16 mcs_mask = 0;
7624 
7625 	switch (vht_mcs_map) {
7626 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
7627 		break;
7628 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
7629 		mcs_mask = 0x00FF;
7630 		break;
7631 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
7632 		mcs_mask = 0x01FF;
7633 		break;
7634 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
7635 		mcs_mask = 0x03FF;
7636 		break;
7637 	default:
7638 		break;
7639 	}
7640 
7641 	return mcs_mask;
7642 }
7643 
7644 static void vht_build_mcs_mask(u16 vht_mcs_map,
7645 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
7646 {
7647 	u8 nss;
7648 
7649 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
7650 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
7651 		vht_mcs_map >>= 2;
7652 	}
7653 }
7654 
7655 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
7656 			     struct nl80211_txrate_vht *txrate,
7657 			     u16 mcs[NL80211_VHT_NSS_MAX])
7658 {
7659 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
7660 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
7661 	u8 i;
7662 
7663 	if (!sband->vht_cap.vht_supported)
7664 		return false;
7665 
7666 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
7667 
7668 	/* Build vht_mcs_mask from VHT capabilities */
7669 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
7670 
7671 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
7672 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
7673 			mcs[i] = txrate->mcs[i];
7674 		else
7675 			return false;
7676 	}
7677 
7678 	return true;
7679 }
7680 
7681 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
7682 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
7683 				    .len = NL80211_MAX_SUPP_RATES },
7684 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
7685 				.len = NL80211_MAX_SUPP_HT_RATES },
7686 	[NL80211_TXRATE_VHT] = { .len = sizeof(struct nl80211_txrate_vht)},
7687 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
7688 };
7689 
7690 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
7691 				       struct genl_info *info)
7692 {
7693 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
7694 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7695 	struct cfg80211_bitrate_mask mask;
7696 	int rem, i;
7697 	struct net_device *dev = info->user_ptr[1];
7698 	struct nlattr *tx_rates;
7699 	struct ieee80211_supported_band *sband;
7700 	u16 vht_tx_mcs_map;
7701 
7702 	if (!rdev->ops->set_bitrate_mask)
7703 		return -EOPNOTSUPP;
7704 
7705 	memset(&mask, 0, sizeof(mask));
7706 	/* Default to all rates enabled */
7707 	for (i = 0; i < IEEE80211_NUM_BANDS; i++) {
7708 		sband = rdev->wiphy.bands[i];
7709 
7710 		if (!sband)
7711 			continue;
7712 
7713 		mask.control[i].legacy = (1 << sband->n_bitrates) - 1;
7714 		memcpy(mask.control[i].ht_mcs,
7715 		       sband->ht_cap.mcs.rx_mask,
7716 		       sizeof(mask.control[i].ht_mcs));
7717 
7718 		if (!sband->vht_cap.vht_supported)
7719 			continue;
7720 
7721 		vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
7722 		vht_build_mcs_mask(vht_tx_mcs_map, mask.control[i].vht_mcs);
7723 	}
7724 
7725 	/* if no rates are given set it back to the defaults */
7726 	if (!info->attrs[NL80211_ATTR_TX_RATES])
7727 		goto out;
7728 
7729 	/*
7730 	 * The nested attribute uses enum nl80211_band as the index. This maps
7731 	 * directly to the enum ieee80211_band values used in cfg80211.
7732 	 */
7733 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
7734 	nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
7735 		enum ieee80211_band band = nla_type(tx_rates);
7736 		int err;
7737 
7738 		if (band < 0 || band >= IEEE80211_NUM_BANDS)
7739 			return -EINVAL;
7740 		sband = rdev->wiphy.bands[band];
7741 		if (sband == NULL)
7742 			return -EINVAL;
7743 		err = nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates),
7744 				nla_len(tx_rates), nl80211_txattr_policy);
7745 		if (err)
7746 			return err;
7747 		if (tb[NL80211_TXRATE_LEGACY]) {
7748 			mask.control[band].legacy = rateset_to_mask(
7749 				sband,
7750 				nla_data(tb[NL80211_TXRATE_LEGACY]),
7751 				nla_len(tb[NL80211_TXRATE_LEGACY]));
7752 			if ((mask.control[band].legacy == 0) &&
7753 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
7754 				return -EINVAL;
7755 		}
7756 		if (tb[NL80211_TXRATE_HT]) {
7757 			if (!ht_rateset_to_mask(
7758 					sband,
7759 					nla_data(tb[NL80211_TXRATE_HT]),
7760 					nla_len(tb[NL80211_TXRATE_HT]),
7761 					mask.control[band].ht_mcs))
7762 				return -EINVAL;
7763 		}
7764 		if (tb[NL80211_TXRATE_VHT]) {
7765 			if (!vht_set_mcs_mask(
7766 					sband,
7767 					nla_data(tb[NL80211_TXRATE_VHT]),
7768 					mask.control[band].vht_mcs))
7769 				return -EINVAL;
7770 		}
7771 		if (tb[NL80211_TXRATE_GI]) {
7772 			mask.control[band].gi =
7773 				nla_get_u8(tb[NL80211_TXRATE_GI]);
7774 			if (mask.control[band].gi > NL80211_TXRATE_FORCE_LGI)
7775 				return -EINVAL;
7776 		}
7777 
7778 		if (mask.control[band].legacy == 0) {
7779 			/* don't allow empty legacy rates if HT or VHT
7780 			 * are not even supported.
7781 			 */
7782 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
7783 			      rdev->wiphy.bands[band]->vht_cap.vht_supported))
7784 				return -EINVAL;
7785 
7786 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
7787 				if (mask.control[band].ht_mcs[i])
7788 					goto out;
7789 
7790 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
7791 				if (mask.control[band].vht_mcs[i])
7792 					goto out;
7793 
7794 			/* legacy and mcs rates may not be both empty */
7795 			return -EINVAL;
7796 		}
7797 	}
7798 
7799 out:
7800 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
7801 }
7802 
7803 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
7804 {
7805 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7806 	struct wireless_dev *wdev = info->user_ptr[1];
7807 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
7808 
7809 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
7810 		return -EINVAL;
7811 
7812 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
7813 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
7814 
7815 	switch (wdev->iftype) {
7816 	case NL80211_IFTYPE_STATION:
7817 	case NL80211_IFTYPE_ADHOC:
7818 	case NL80211_IFTYPE_P2P_CLIENT:
7819 	case NL80211_IFTYPE_AP:
7820 	case NL80211_IFTYPE_AP_VLAN:
7821 	case NL80211_IFTYPE_MESH_POINT:
7822 	case NL80211_IFTYPE_P2P_GO:
7823 	case NL80211_IFTYPE_P2P_DEVICE:
7824 		break;
7825 	default:
7826 		return -EOPNOTSUPP;
7827 	}
7828 
7829 	/* not much point in registering if we can't reply */
7830 	if (!rdev->ops->mgmt_tx)
7831 		return -EOPNOTSUPP;
7832 
7833 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
7834 			nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
7835 			nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]));
7836 }
7837 
7838 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
7839 {
7840 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7841 	struct wireless_dev *wdev = info->user_ptr[1];
7842 	struct cfg80211_chan_def chandef;
7843 	int err;
7844 	void *hdr = NULL;
7845 	u64 cookie;
7846 	struct sk_buff *msg = NULL;
7847 	struct cfg80211_mgmt_tx_params params = {
7848 		.dont_wait_for_ack =
7849 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
7850 	};
7851 
7852 	if (!info->attrs[NL80211_ATTR_FRAME])
7853 		return -EINVAL;
7854 
7855 	if (!rdev->ops->mgmt_tx)
7856 		return -EOPNOTSUPP;
7857 
7858 	switch (wdev->iftype) {
7859 	case NL80211_IFTYPE_P2P_DEVICE:
7860 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
7861 			return -EINVAL;
7862 	case NL80211_IFTYPE_STATION:
7863 	case NL80211_IFTYPE_ADHOC:
7864 	case NL80211_IFTYPE_P2P_CLIENT:
7865 	case NL80211_IFTYPE_AP:
7866 	case NL80211_IFTYPE_AP_VLAN:
7867 	case NL80211_IFTYPE_MESH_POINT:
7868 	case NL80211_IFTYPE_P2P_GO:
7869 		break;
7870 	default:
7871 		return -EOPNOTSUPP;
7872 	}
7873 
7874 	if (info->attrs[NL80211_ATTR_DURATION]) {
7875 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
7876 			return -EINVAL;
7877 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
7878 
7879 		/*
7880 		 * We should wait on the channel for at least a minimum amount
7881 		 * of time (10ms) but no longer than the driver supports.
7882 		 */
7883 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
7884 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
7885 			return -EINVAL;
7886 
7887 	}
7888 
7889 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
7890 
7891 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
7892 		return -EINVAL;
7893 
7894 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
7895 
7896 	/* get the channel if any has been specified, otherwise pass NULL to
7897 	 * the driver. The latter will use the current one
7898 	 */
7899 	chandef.chan = NULL;
7900 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
7901 		err = nl80211_parse_chandef(rdev, info, &chandef);
7902 		if (err)
7903 			return err;
7904 	}
7905 
7906 	if (!chandef.chan && params.offchan)
7907 		return -EINVAL;
7908 
7909 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
7910 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
7911 
7912 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
7913 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
7914 		int i;
7915 
7916 		if (len % sizeof(u16))
7917 			return -EINVAL;
7918 
7919 		params.n_csa_offsets = len / sizeof(u16);
7920 		params.csa_offsets =
7921 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
7922 
7923 		/* check that all the offsets fit the frame */
7924 		for (i = 0; i < params.n_csa_offsets; i++) {
7925 			if (params.csa_offsets[i] >= params.len)
7926 				return -EINVAL;
7927 		}
7928 	}
7929 
7930 	if (!params.dont_wait_for_ack) {
7931 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7932 		if (!msg)
7933 			return -ENOMEM;
7934 
7935 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7936 				     NL80211_CMD_FRAME);
7937 		if (!hdr) {
7938 			err = -ENOBUFS;
7939 			goto free_msg;
7940 		}
7941 	}
7942 
7943 	params.chan = chandef.chan;
7944 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
7945 	if (err)
7946 		goto free_msg;
7947 
7948 	if (msg) {
7949 		if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
7950 			goto nla_put_failure;
7951 
7952 		genlmsg_end(msg, hdr);
7953 		return genlmsg_reply(msg, info);
7954 	}
7955 
7956 	return 0;
7957 
7958  nla_put_failure:
7959 	err = -ENOBUFS;
7960  free_msg:
7961 	nlmsg_free(msg);
7962 	return err;
7963 }
7964 
7965 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
7966 {
7967 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7968 	struct wireless_dev *wdev = info->user_ptr[1];
7969 	u64 cookie;
7970 
7971 	if (!info->attrs[NL80211_ATTR_COOKIE])
7972 		return -EINVAL;
7973 
7974 	if (!rdev->ops->mgmt_tx_cancel_wait)
7975 		return -EOPNOTSUPP;
7976 
7977 	switch (wdev->iftype) {
7978 	case NL80211_IFTYPE_STATION:
7979 	case NL80211_IFTYPE_ADHOC:
7980 	case NL80211_IFTYPE_P2P_CLIENT:
7981 	case NL80211_IFTYPE_AP:
7982 	case NL80211_IFTYPE_AP_VLAN:
7983 	case NL80211_IFTYPE_P2P_GO:
7984 	case NL80211_IFTYPE_P2P_DEVICE:
7985 		break;
7986 	default:
7987 		return -EOPNOTSUPP;
7988 	}
7989 
7990 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
7991 
7992 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
7993 }
7994 
7995 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
7996 {
7997 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7998 	struct wireless_dev *wdev;
7999 	struct net_device *dev = info->user_ptr[1];
8000 	u8 ps_state;
8001 	bool state;
8002 	int err;
8003 
8004 	if (!info->attrs[NL80211_ATTR_PS_STATE])
8005 		return -EINVAL;
8006 
8007 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
8008 
8009 	if (ps_state != NL80211_PS_DISABLED && ps_state != NL80211_PS_ENABLED)
8010 		return -EINVAL;
8011 
8012 	wdev = dev->ieee80211_ptr;
8013 
8014 	if (!rdev->ops->set_power_mgmt)
8015 		return -EOPNOTSUPP;
8016 
8017 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
8018 
8019 	if (state == wdev->ps)
8020 		return 0;
8021 
8022 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
8023 	if (!err)
8024 		wdev->ps = state;
8025 	return err;
8026 }
8027 
8028 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
8029 {
8030 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8031 	enum nl80211_ps_state ps_state;
8032 	struct wireless_dev *wdev;
8033 	struct net_device *dev = info->user_ptr[1];
8034 	struct sk_buff *msg;
8035 	void *hdr;
8036 	int err;
8037 
8038 	wdev = dev->ieee80211_ptr;
8039 
8040 	if (!rdev->ops->set_power_mgmt)
8041 		return -EOPNOTSUPP;
8042 
8043 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8044 	if (!msg)
8045 		return -ENOMEM;
8046 
8047 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8048 			     NL80211_CMD_GET_POWER_SAVE);
8049 	if (!hdr) {
8050 		err = -ENOBUFS;
8051 		goto free_msg;
8052 	}
8053 
8054 	if (wdev->ps)
8055 		ps_state = NL80211_PS_ENABLED;
8056 	else
8057 		ps_state = NL80211_PS_DISABLED;
8058 
8059 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
8060 		goto nla_put_failure;
8061 
8062 	genlmsg_end(msg, hdr);
8063 	return genlmsg_reply(msg, info);
8064 
8065  nla_put_failure:
8066 	err = -ENOBUFS;
8067  free_msg:
8068 	nlmsg_free(msg);
8069 	return err;
8070 }
8071 
8072 static const struct nla_policy
8073 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
8074 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_U32 },
8075 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
8076 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
8077 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
8078 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
8079 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
8080 };
8081 
8082 static int nl80211_set_cqm_txe(struct genl_info *info,
8083 			       u32 rate, u32 pkts, u32 intvl)
8084 {
8085 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8086 	struct net_device *dev = info->user_ptr[1];
8087 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8088 
8089 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
8090 		return -EINVAL;
8091 
8092 	if (!rdev->ops->set_cqm_txe_config)
8093 		return -EOPNOTSUPP;
8094 
8095 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
8096 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
8097 		return -EOPNOTSUPP;
8098 
8099 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
8100 }
8101 
8102 static int nl80211_set_cqm_rssi(struct genl_info *info,
8103 				s32 threshold, u32 hysteresis)
8104 {
8105 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8106 	struct net_device *dev = info->user_ptr[1];
8107 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8108 
8109 	if (threshold > 0)
8110 		return -EINVAL;
8111 
8112 	/* disabling - hysteresis should also be zero then */
8113 	if (threshold == 0)
8114 		hysteresis = 0;
8115 
8116 	if (!rdev->ops->set_cqm_rssi_config)
8117 		return -EOPNOTSUPP;
8118 
8119 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
8120 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
8121 		return -EOPNOTSUPP;
8122 
8123 	return rdev_set_cqm_rssi_config(rdev, dev, threshold, hysteresis);
8124 }
8125 
8126 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
8127 {
8128 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
8129 	struct nlattr *cqm;
8130 	int err;
8131 
8132 	cqm = info->attrs[NL80211_ATTR_CQM];
8133 	if (!cqm)
8134 		return -EINVAL;
8135 
8136 	err = nla_parse_nested(attrs, NL80211_ATTR_CQM_MAX, cqm,
8137 			       nl80211_attr_cqm_policy);
8138 	if (err)
8139 		return err;
8140 
8141 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
8142 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
8143 		s32 threshold = nla_get_s32(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
8144 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
8145 
8146 		return nl80211_set_cqm_rssi(info, threshold, hysteresis);
8147 	}
8148 
8149 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
8150 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
8151 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
8152 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
8153 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
8154 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
8155 
8156 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
8157 	}
8158 
8159 	return -EINVAL;
8160 }
8161 
8162 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
8163 {
8164 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8165 	struct net_device *dev = info->user_ptr[1];
8166 	struct mesh_config cfg;
8167 	struct mesh_setup setup;
8168 	int err;
8169 
8170 	/* start with default */
8171 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
8172 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
8173 
8174 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
8175 		/* and parse parameters if given */
8176 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
8177 		if (err)
8178 			return err;
8179 	}
8180 
8181 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
8182 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
8183 		return -EINVAL;
8184 
8185 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
8186 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
8187 
8188 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
8189 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
8190 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
8191 			return -EINVAL;
8192 
8193 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
8194 		setup.beacon_interval =
8195 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
8196 		if (setup.beacon_interval < 10 ||
8197 		    setup.beacon_interval > 10000)
8198 			return -EINVAL;
8199 	}
8200 
8201 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
8202 		setup.dtim_period =
8203 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
8204 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
8205 			return -EINVAL;
8206 	}
8207 
8208 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
8209 		/* parse additional setup parameters if given */
8210 		err = nl80211_parse_mesh_setup(info, &setup);
8211 		if (err)
8212 			return err;
8213 	}
8214 
8215 	if (setup.user_mpm)
8216 		cfg.auto_open_plinks = false;
8217 
8218 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
8219 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
8220 		if (err)
8221 			return err;
8222 	} else {
8223 		/* cfg80211_join_mesh() will sort it out */
8224 		setup.chandef.chan = NULL;
8225 	}
8226 
8227 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
8228 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8229 		int n_rates =
8230 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8231 		struct ieee80211_supported_band *sband;
8232 
8233 		if (!setup.chandef.chan)
8234 			return -EINVAL;
8235 
8236 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
8237 
8238 		err = ieee80211_get_ratemask(sband, rates, n_rates,
8239 					     &setup.basic_rates);
8240 		if (err)
8241 			return err;
8242 	}
8243 
8244 	return cfg80211_join_mesh(rdev, dev, &setup, &cfg);
8245 }
8246 
8247 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
8248 {
8249 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8250 	struct net_device *dev = info->user_ptr[1];
8251 
8252 	return cfg80211_leave_mesh(rdev, dev);
8253 }
8254 
8255 #ifdef CONFIG_PM
8256 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
8257 					struct cfg80211_registered_device *rdev)
8258 {
8259 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
8260 	struct nlattr *nl_pats, *nl_pat;
8261 	int i, pat_len;
8262 
8263 	if (!wowlan->n_patterns)
8264 		return 0;
8265 
8266 	nl_pats = nla_nest_start(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
8267 	if (!nl_pats)
8268 		return -ENOBUFS;
8269 
8270 	for (i = 0; i < wowlan->n_patterns; i++) {
8271 		nl_pat = nla_nest_start(msg, i + 1);
8272 		if (!nl_pat)
8273 			return -ENOBUFS;
8274 		pat_len = wowlan->patterns[i].pattern_len;
8275 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
8276 			    wowlan->patterns[i].mask) ||
8277 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
8278 			    wowlan->patterns[i].pattern) ||
8279 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
8280 				wowlan->patterns[i].pkt_offset))
8281 			return -ENOBUFS;
8282 		nla_nest_end(msg, nl_pat);
8283 	}
8284 	nla_nest_end(msg, nl_pats);
8285 
8286 	return 0;
8287 }
8288 
8289 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
8290 				   struct cfg80211_wowlan_tcp *tcp)
8291 {
8292 	struct nlattr *nl_tcp;
8293 
8294 	if (!tcp)
8295 		return 0;
8296 
8297 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
8298 	if (!nl_tcp)
8299 		return -ENOBUFS;
8300 
8301 	if (nla_put_be32(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
8302 	    nla_put_be32(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
8303 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
8304 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
8305 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
8306 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
8307 		    tcp->payload_len, tcp->payload) ||
8308 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
8309 			tcp->data_interval) ||
8310 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
8311 		    tcp->wake_len, tcp->wake_data) ||
8312 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
8313 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
8314 		return -ENOBUFS;
8315 
8316 	if (tcp->payload_seq.len &&
8317 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
8318 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
8319 		return -ENOBUFS;
8320 
8321 	if (tcp->payload_tok.len &&
8322 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
8323 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
8324 		    &tcp->payload_tok))
8325 		return -ENOBUFS;
8326 
8327 	nla_nest_end(msg, nl_tcp);
8328 
8329 	return 0;
8330 }
8331 
8332 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
8333 {
8334 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8335 	struct sk_buff *msg;
8336 	void *hdr;
8337 	u32 size = NLMSG_DEFAULT_SIZE;
8338 
8339 	if (!rdev->wiphy.wowlan)
8340 		return -EOPNOTSUPP;
8341 
8342 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
8343 		/* adjust size to have room for all the data */
8344 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
8345 			rdev->wiphy.wowlan_config->tcp->payload_len +
8346 			rdev->wiphy.wowlan_config->tcp->wake_len +
8347 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
8348 	}
8349 
8350 	msg = nlmsg_new(size, GFP_KERNEL);
8351 	if (!msg)
8352 		return -ENOMEM;
8353 
8354 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8355 			     NL80211_CMD_GET_WOWLAN);
8356 	if (!hdr)
8357 		goto nla_put_failure;
8358 
8359 	if (rdev->wiphy.wowlan_config) {
8360 		struct nlattr *nl_wowlan;
8361 
8362 		nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
8363 		if (!nl_wowlan)
8364 			goto nla_put_failure;
8365 
8366 		if ((rdev->wiphy.wowlan_config->any &&
8367 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
8368 		    (rdev->wiphy.wowlan_config->disconnect &&
8369 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
8370 		    (rdev->wiphy.wowlan_config->magic_pkt &&
8371 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
8372 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
8373 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
8374 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
8375 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
8376 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
8377 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
8378 		    (rdev->wiphy.wowlan_config->rfkill_release &&
8379 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
8380 			goto nla_put_failure;
8381 
8382 		if (nl80211_send_wowlan_patterns(msg, rdev))
8383 			goto nla_put_failure;
8384 
8385 		if (nl80211_send_wowlan_tcp(msg,
8386 					    rdev->wiphy.wowlan_config->tcp))
8387 			goto nla_put_failure;
8388 
8389 		nla_nest_end(msg, nl_wowlan);
8390 	}
8391 
8392 	genlmsg_end(msg, hdr);
8393 	return genlmsg_reply(msg, info);
8394 
8395 nla_put_failure:
8396 	nlmsg_free(msg);
8397 	return -ENOBUFS;
8398 }
8399 
8400 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
8401 				    struct nlattr *attr,
8402 				    struct cfg80211_wowlan *trig)
8403 {
8404 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
8405 	struct cfg80211_wowlan_tcp *cfg;
8406 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
8407 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
8408 	u32 size;
8409 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
8410 	int err, port;
8411 
8412 	if (!rdev->wiphy.wowlan->tcp)
8413 		return -EINVAL;
8414 
8415 	err = nla_parse(tb, MAX_NL80211_WOWLAN_TCP,
8416 			nla_data(attr), nla_len(attr),
8417 			nl80211_wowlan_tcp_policy);
8418 	if (err)
8419 		return err;
8420 
8421 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
8422 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
8423 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
8424 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
8425 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
8426 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
8427 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
8428 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
8429 		return -EINVAL;
8430 
8431 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
8432 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
8433 		return -EINVAL;
8434 
8435 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
8436 			rdev->wiphy.wowlan->tcp->data_interval_max ||
8437 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
8438 		return -EINVAL;
8439 
8440 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
8441 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
8442 		return -EINVAL;
8443 
8444 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
8445 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
8446 		return -EINVAL;
8447 
8448 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
8449 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
8450 
8451 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
8452 		tokens_size = tokln - sizeof(*tok);
8453 
8454 		if (!tok->len || tokens_size % tok->len)
8455 			return -EINVAL;
8456 		if (!rdev->wiphy.wowlan->tcp->tok)
8457 			return -EINVAL;
8458 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
8459 			return -EINVAL;
8460 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
8461 			return -EINVAL;
8462 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
8463 			return -EINVAL;
8464 		if (tok->offset + tok->len > data_size)
8465 			return -EINVAL;
8466 	}
8467 
8468 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
8469 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
8470 		if (!rdev->wiphy.wowlan->tcp->seq)
8471 			return -EINVAL;
8472 		if (seq->len == 0 || seq->len > 4)
8473 			return -EINVAL;
8474 		if (seq->len + seq->offset > data_size)
8475 			return -EINVAL;
8476 	}
8477 
8478 	size = sizeof(*cfg);
8479 	size += data_size;
8480 	size += wake_size + wake_mask_size;
8481 	size += tokens_size;
8482 
8483 	cfg = kzalloc(size, GFP_KERNEL);
8484 	if (!cfg)
8485 		return -ENOMEM;
8486 	cfg->src = nla_get_be32(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
8487 	cfg->dst = nla_get_be32(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
8488 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
8489 	       ETH_ALEN);
8490 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
8491 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
8492 	else
8493 		port = 0;
8494 #ifdef CONFIG_INET
8495 	/* allocate a socket and port for it and use it */
8496 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
8497 			    IPPROTO_TCP, &cfg->sock, 1);
8498 	if (err) {
8499 		kfree(cfg);
8500 		return err;
8501 	}
8502 	if (inet_csk_get_port(cfg->sock->sk, port)) {
8503 		sock_release(cfg->sock);
8504 		kfree(cfg);
8505 		return -EADDRINUSE;
8506 	}
8507 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
8508 #else
8509 	if (!port) {
8510 		kfree(cfg);
8511 		return -EINVAL;
8512 	}
8513 	cfg->src_port = port;
8514 #endif
8515 
8516 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
8517 	cfg->payload_len = data_size;
8518 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
8519 	memcpy((void *)cfg->payload,
8520 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
8521 	       data_size);
8522 	if (seq)
8523 		cfg->payload_seq = *seq;
8524 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
8525 	cfg->wake_len = wake_size;
8526 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
8527 	memcpy((void *)cfg->wake_data,
8528 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
8529 	       wake_size);
8530 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
8531 			 data_size + wake_size;
8532 	memcpy((void *)cfg->wake_mask,
8533 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
8534 	       wake_mask_size);
8535 	if (tok) {
8536 		cfg->tokens_size = tokens_size;
8537 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
8538 	}
8539 
8540 	trig->tcp = cfg;
8541 
8542 	return 0;
8543 }
8544 
8545 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
8546 {
8547 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8548 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
8549 	struct cfg80211_wowlan new_triggers = {};
8550 	struct cfg80211_wowlan *ntrig;
8551 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
8552 	int err, i;
8553 	bool prev_enabled = rdev->wiphy.wowlan_config;
8554 
8555 	if (!wowlan)
8556 		return -EOPNOTSUPP;
8557 
8558 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
8559 		cfg80211_rdev_free_wowlan(rdev);
8560 		rdev->wiphy.wowlan_config = NULL;
8561 		goto set_wakeup;
8562 	}
8563 
8564 	err = nla_parse(tb, MAX_NL80211_WOWLAN_TRIG,
8565 			nla_data(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
8566 			nla_len(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
8567 			nl80211_wowlan_policy);
8568 	if (err)
8569 		return err;
8570 
8571 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
8572 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
8573 			return -EINVAL;
8574 		new_triggers.any = true;
8575 	}
8576 
8577 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
8578 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
8579 			return -EINVAL;
8580 		new_triggers.disconnect = true;
8581 	}
8582 
8583 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
8584 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
8585 			return -EINVAL;
8586 		new_triggers.magic_pkt = true;
8587 	}
8588 
8589 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
8590 		return -EINVAL;
8591 
8592 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
8593 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
8594 			return -EINVAL;
8595 		new_triggers.gtk_rekey_failure = true;
8596 	}
8597 
8598 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
8599 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
8600 			return -EINVAL;
8601 		new_triggers.eap_identity_req = true;
8602 	}
8603 
8604 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
8605 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
8606 			return -EINVAL;
8607 		new_triggers.four_way_handshake = true;
8608 	}
8609 
8610 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
8611 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
8612 			return -EINVAL;
8613 		new_triggers.rfkill_release = true;
8614 	}
8615 
8616 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
8617 		struct nlattr *pat;
8618 		int n_patterns = 0;
8619 		int rem, pat_len, mask_len, pkt_offset;
8620 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
8621 
8622 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
8623 				    rem)
8624 			n_patterns++;
8625 		if (n_patterns > wowlan->n_patterns)
8626 			return -EINVAL;
8627 
8628 		new_triggers.patterns = kcalloc(n_patterns,
8629 						sizeof(new_triggers.patterns[0]),
8630 						GFP_KERNEL);
8631 		if (!new_triggers.patterns)
8632 			return -ENOMEM;
8633 
8634 		new_triggers.n_patterns = n_patterns;
8635 		i = 0;
8636 
8637 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
8638 				    rem) {
8639 			u8 *mask_pat;
8640 
8641 			nla_parse(pat_tb, MAX_NL80211_PKTPAT, nla_data(pat),
8642 				  nla_len(pat), NULL);
8643 			err = -EINVAL;
8644 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
8645 			    !pat_tb[NL80211_PKTPAT_PATTERN])
8646 				goto error;
8647 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
8648 			mask_len = DIV_ROUND_UP(pat_len, 8);
8649 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
8650 				goto error;
8651 			if (pat_len > wowlan->pattern_max_len ||
8652 			    pat_len < wowlan->pattern_min_len)
8653 				goto error;
8654 
8655 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
8656 				pkt_offset = 0;
8657 			else
8658 				pkt_offset = nla_get_u32(
8659 					pat_tb[NL80211_PKTPAT_OFFSET]);
8660 			if (pkt_offset > wowlan->max_pkt_offset)
8661 				goto error;
8662 			new_triggers.patterns[i].pkt_offset = pkt_offset;
8663 
8664 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
8665 			if (!mask_pat) {
8666 				err = -ENOMEM;
8667 				goto error;
8668 			}
8669 			new_triggers.patterns[i].mask = mask_pat;
8670 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
8671 			       mask_len);
8672 			mask_pat += mask_len;
8673 			new_triggers.patterns[i].pattern = mask_pat;
8674 			new_triggers.patterns[i].pattern_len = pat_len;
8675 			memcpy(mask_pat,
8676 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
8677 			       pat_len);
8678 			i++;
8679 		}
8680 	}
8681 
8682 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
8683 		err = nl80211_parse_wowlan_tcp(
8684 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
8685 			&new_triggers);
8686 		if (err)
8687 			goto error;
8688 	}
8689 
8690 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
8691 	if (!ntrig) {
8692 		err = -ENOMEM;
8693 		goto error;
8694 	}
8695 	cfg80211_rdev_free_wowlan(rdev);
8696 	rdev->wiphy.wowlan_config = ntrig;
8697 
8698  set_wakeup:
8699 	if (rdev->ops->set_wakeup &&
8700 	    prev_enabled != !!rdev->wiphy.wowlan_config)
8701 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
8702 
8703 	return 0;
8704  error:
8705 	for (i = 0; i < new_triggers.n_patterns; i++)
8706 		kfree(new_triggers.patterns[i].mask);
8707 	kfree(new_triggers.patterns);
8708 	if (new_triggers.tcp && new_triggers.tcp->sock)
8709 		sock_release(new_triggers.tcp->sock);
8710 	kfree(new_triggers.tcp);
8711 	return err;
8712 }
8713 #endif
8714 
8715 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
8716 				       struct cfg80211_registered_device *rdev)
8717 {
8718 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
8719 	int i, j, pat_len;
8720 	struct cfg80211_coalesce_rules *rule;
8721 
8722 	if (!rdev->coalesce->n_rules)
8723 		return 0;
8724 
8725 	nl_rules = nla_nest_start(msg, NL80211_ATTR_COALESCE_RULE);
8726 	if (!nl_rules)
8727 		return -ENOBUFS;
8728 
8729 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
8730 		nl_rule = nla_nest_start(msg, i + 1);
8731 		if (!nl_rule)
8732 			return -ENOBUFS;
8733 
8734 		rule = &rdev->coalesce->rules[i];
8735 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
8736 				rule->delay))
8737 			return -ENOBUFS;
8738 
8739 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
8740 				rule->condition))
8741 			return -ENOBUFS;
8742 
8743 		nl_pats = nla_nest_start(msg,
8744 				NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
8745 		if (!nl_pats)
8746 			return -ENOBUFS;
8747 
8748 		for (j = 0; j < rule->n_patterns; j++) {
8749 			nl_pat = nla_nest_start(msg, j + 1);
8750 			if (!nl_pat)
8751 				return -ENOBUFS;
8752 			pat_len = rule->patterns[j].pattern_len;
8753 			if (nla_put(msg, NL80211_PKTPAT_MASK,
8754 				    DIV_ROUND_UP(pat_len, 8),
8755 				    rule->patterns[j].mask) ||
8756 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
8757 				    rule->patterns[j].pattern) ||
8758 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
8759 					rule->patterns[j].pkt_offset))
8760 				return -ENOBUFS;
8761 			nla_nest_end(msg, nl_pat);
8762 		}
8763 		nla_nest_end(msg, nl_pats);
8764 		nla_nest_end(msg, nl_rule);
8765 	}
8766 	nla_nest_end(msg, nl_rules);
8767 
8768 	return 0;
8769 }
8770 
8771 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
8772 {
8773 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8774 	struct sk_buff *msg;
8775 	void *hdr;
8776 
8777 	if (!rdev->wiphy.coalesce)
8778 		return -EOPNOTSUPP;
8779 
8780 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8781 	if (!msg)
8782 		return -ENOMEM;
8783 
8784 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8785 			     NL80211_CMD_GET_COALESCE);
8786 	if (!hdr)
8787 		goto nla_put_failure;
8788 
8789 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
8790 		goto nla_put_failure;
8791 
8792 	genlmsg_end(msg, hdr);
8793 	return genlmsg_reply(msg, info);
8794 
8795 nla_put_failure:
8796 	nlmsg_free(msg);
8797 	return -ENOBUFS;
8798 }
8799 
8800 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
8801 {
8802 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
8803 	int i, j;
8804 	struct cfg80211_coalesce_rules *rule;
8805 
8806 	if (!coalesce)
8807 		return;
8808 
8809 	for (i = 0; i < coalesce->n_rules; i++) {
8810 		rule = &coalesce->rules[i];
8811 		for (j = 0; j < rule->n_patterns; j++)
8812 			kfree(rule->patterns[j].mask);
8813 		kfree(rule->patterns);
8814 	}
8815 	kfree(coalesce->rules);
8816 	kfree(coalesce);
8817 	rdev->coalesce = NULL;
8818 }
8819 
8820 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
8821 				       struct nlattr *rule,
8822 				       struct cfg80211_coalesce_rules *new_rule)
8823 {
8824 	int err, i;
8825 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
8826 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
8827 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
8828 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
8829 
8830 	err = nla_parse(tb, NL80211_ATTR_COALESCE_RULE_MAX, nla_data(rule),
8831 			nla_len(rule), nl80211_coalesce_policy);
8832 	if (err)
8833 		return err;
8834 
8835 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
8836 		new_rule->delay =
8837 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
8838 	if (new_rule->delay > coalesce->max_delay)
8839 		return -EINVAL;
8840 
8841 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
8842 		new_rule->condition =
8843 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
8844 	if (new_rule->condition != NL80211_COALESCE_CONDITION_MATCH &&
8845 	    new_rule->condition != NL80211_COALESCE_CONDITION_NO_MATCH)
8846 		return -EINVAL;
8847 
8848 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
8849 		return -EINVAL;
8850 
8851 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
8852 			    rem)
8853 		n_patterns++;
8854 	if (n_patterns > coalesce->n_patterns)
8855 		return -EINVAL;
8856 
8857 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
8858 				     GFP_KERNEL);
8859 	if (!new_rule->patterns)
8860 		return -ENOMEM;
8861 
8862 	new_rule->n_patterns = n_patterns;
8863 	i = 0;
8864 
8865 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
8866 			    rem) {
8867 		u8 *mask_pat;
8868 
8869 		nla_parse(pat_tb, MAX_NL80211_PKTPAT, nla_data(pat),
8870 			  nla_len(pat), NULL);
8871 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
8872 		    !pat_tb[NL80211_PKTPAT_PATTERN])
8873 			return -EINVAL;
8874 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
8875 		mask_len = DIV_ROUND_UP(pat_len, 8);
8876 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
8877 			return -EINVAL;
8878 		if (pat_len > coalesce->pattern_max_len ||
8879 		    pat_len < coalesce->pattern_min_len)
8880 			return -EINVAL;
8881 
8882 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
8883 			pkt_offset = 0;
8884 		else
8885 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
8886 		if (pkt_offset > coalesce->max_pkt_offset)
8887 			return -EINVAL;
8888 		new_rule->patterns[i].pkt_offset = pkt_offset;
8889 
8890 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
8891 		if (!mask_pat)
8892 			return -ENOMEM;
8893 
8894 		new_rule->patterns[i].mask = mask_pat;
8895 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
8896 		       mask_len);
8897 
8898 		mask_pat += mask_len;
8899 		new_rule->patterns[i].pattern = mask_pat;
8900 		new_rule->patterns[i].pattern_len = pat_len;
8901 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
8902 		       pat_len);
8903 		i++;
8904 	}
8905 
8906 	return 0;
8907 }
8908 
8909 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
8910 {
8911 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8912 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
8913 	struct cfg80211_coalesce new_coalesce = {};
8914 	struct cfg80211_coalesce *n_coalesce;
8915 	int err, rem_rule, n_rules = 0, i, j;
8916 	struct nlattr *rule;
8917 	struct cfg80211_coalesce_rules *tmp_rule;
8918 
8919 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
8920 		return -EOPNOTSUPP;
8921 
8922 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
8923 		cfg80211_rdev_free_coalesce(rdev);
8924 		rdev->ops->set_coalesce(&rdev->wiphy, NULL);
8925 		return 0;
8926 	}
8927 
8928 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
8929 			    rem_rule)
8930 		n_rules++;
8931 	if (n_rules > coalesce->n_rules)
8932 		return -EINVAL;
8933 
8934 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
8935 				     GFP_KERNEL);
8936 	if (!new_coalesce.rules)
8937 		return -ENOMEM;
8938 
8939 	new_coalesce.n_rules = n_rules;
8940 	i = 0;
8941 
8942 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
8943 			    rem_rule) {
8944 		err = nl80211_parse_coalesce_rule(rdev, rule,
8945 						  &new_coalesce.rules[i]);
8946 		if (err)
8947 			goto error;
8948 
8949 		i++;
8950 	}
8951 
8952 	err = rdev->ops->set_coalesce(&rdev->wiphy, &new_coalesce);
8953 	if (err)
8954 		goto error;
8955 
8956 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
8957 	if (!n_coalesce) {
8958 		err = -ENOMEM;
8959 		goto error;
8960 	}
8961 	cfg80211_rdev_free_coalesce(rdev);
8962 	rdev->coalesce = n_coalesce;
8963 
8964 	return 0;
8965 error:
8966 	for (i = 0; i < new_coalesce.n_rules; i++) {
8967 		tmp_rule = &new_coalesce.rules[i];
8968 		for (j = 0; j < tmp_rule->n_patterns; j++)
8969 			kfree(tmp_rule->patterns[j].mask);
8970 		kfree(tmp_rule->patterns);
8971 	}
8972 	kfree(new_coalesce.rules);
8973 
8974 	return err;
8975 }
8976 
8977 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
8978 {
8979 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8980 	struct net_device *dev = info->user_ptr[1];
8981 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8982 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
8983 	struct cfg80211_gtk_rekey_data rekey_data;
8984 	int err;
8985 
8986 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
8987 		return -EINVAL;
8988 
8989 	err = nla_parse(tb, MAX_NL80211_REKEY_DATA,
8990 			nla_data(info->attrs[NL80211_ATTR_REKEY_DATA]),
8991 			nla_len(info->attrs[NL80211_ATTR_REKEY_DATA]),
8992 			nl80211_rekey_policy);
8993 	if (err)
8994 		return err;
8995 
8996 	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
8997 		return -ERANGE;
8998 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
8999 		return -ERANGE;
9000 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN)
9001 		return -ERANGE;
9002 
9003 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
9004 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
9005 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
9006 
9007 	wdev_lock(wdev);
9008 	if (!wdev->current_bss) {
9009 		err = -ENOTCONN;
9010 		goto out;
9011 	}
9012 
9013 	if (!rdev->ops->set_rekey_data) {
9014 		err = -EOPNOTSUPP;
9015 		goto out;
9016 	}
9017 
9018 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
9019  out:
9020 	wdev_unlock(wdev);
9021 	return err;
9022 }
9023 
9024 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
9025 					     struct genl_info *info)
9026 {
9027 	struct net_device *dev = info->user_ptr[1];
9028 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9029 
9030 	if (wdev->iftype != NL80211_IFTYPE_AP &&
9031 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
9032 		return -EINVAL;
9033 
9034 	if (wdev->ap_unexpected_nlportid)
9035 		return -EBUSY;
9036 
9037 	wdev->ap_unexpected_nlportid = info->snd_portid;
9038 	return 0;
9039 }
9040 
9041 static int nl80211_probe_client(struct sk_buff *skb,
9042 				struct genl_info *info)
9043 {
9044 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9045 	struct net_device *dev = info->user_ptr[1];
9046 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9047 	struct sk_buff *msg;
9048 	void *hdr;
9049 	const u8 *addr;
9050 	u64 cookie;
9051 	int err;
9052 
9053 	if (wdev->iftype != NL80211_IFTYPE_AP &&
9054 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
9055 		return -EOPNOTSUPP;
9056 
9057 	if (!info->attrs[NL80211_ATTR_MAC])
9058 		return -EINVAL;
9059 
9060 	if (!rdev->ops->probe_client)
9061 		return -EOPNOTSUPP;
9062 
9063 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9064 	if (!msg)
9065 		return -ENOMEM;
9066 
9067 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9068 			     NL80211_CMD_PROBE_CLIENT);
9069 	if (!hdr) {
9070 		err = -ENOBUFS;
9071 		goto free_msg;
9072 	}
9073 
9074 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
9075 
9076 	err = rdev_probe_client(rdev, dev, addr, &cookie);
9077 	if (err)
9078 		goto free_msg;
9079 
9080 	if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
9081 		goto nla_put_failure;
9082 
9083 	genlmsg_end(msg, hdr);
9084 
9085 	return genlmsg_reply(msg, info);
9086 
9087  nla_put_failure:
9088 	err = -ENOBUFS;
9089  free_msg:
9090 	nlmsg_free(msg);
9091 	return err;
9092 }
9093 
9094 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
9095 {
9096 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9097 	struct cfg80211_beacon_registration *reg, *nreg;
9098 	int rv;
9099 
9100 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
9101 		return -EOPNOTSUPP;
9102 
9103 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
9104 	if (!nreg)
9105 		return -ENOMEM;
9106 
9107 	/* First, check if already registered. */
9108 	spin_lock_bh(&rdev->beacon_registrations_lock);
9109 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
9110 		if (reg->nlportid == info->snd_portid) {
9111 			rv = -EALREADY;
9112 			goto out_err;
9113 		}
9114 	}
9115 	/* Add it to the list */
9116 	nreg->nlportid = info->snd_portid;
9117 	list_add(&nreg->list, &rdev->beacon_registrations);
9118 
9119 	spin_unlock_bh(&rdev->beacon_registrations_lock);
9120 
9121 	return 0;
9122 out_err:
9123 	spin_unlock_bh(&rdev->beacon_registrations_lock);
9124 	kfree(nreg);
9125 	return rv;
9126 }
9127 
9128 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
9129 {
9130 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9131 	struct wireless_dev *wdev = info->user_ptr[1];
9132 	int err;
9133 
9134 	if (!rdev->ops->start_p2p_device)
9135 		return -EOPNOTSUPP;
9136 
9137 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
9138 		return -EOPNOTSUPP;
9139 
9140 	if (wdev->p2p_started)
9141 		return 0;
9142 
9143 	if (rfkill_blocked(rdev->rfkill))
9144 		return -ERFKILL;
9145 
9146 	err = rdev_start_p2p_device(rdev, wdev);
9147 	if (err)
9148 		return err;
9149 
9150 	wdev->p2p_started = true;
9151 	rdev->opencount++;
9152 
9153 	return 0;
9154 }
9155 
9156 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
9157 {
9158 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9159 	struct wireless_dev *wdev = info->user_ptr[1];
9160 
9161 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
9162 		return -EOPNOTSUPP;
9163 
9164 	if (!rdev->ops->stop_p2p_device)
9165 		return -EOPNOTSUPP;
9166 
9167 	cfg80211_stop_p2p_device(rdev, wdev);
9168 
9169 	return 0;
9170 }
9171 
9172 static int nl80211_get_protocol_features(struct sk_buff *skb,
9173 					 struct genl_info *info)
9174 {
9175 	void *hdr;
9176 	struct sk_buff *msg;
9177 
9178 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9179 	if (!msg)
9180 		return -ENOMEM;
9181 
9182 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9183 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
9184 	if (!hdr)
9185 		goto nla_put_failure;
9186 
9187 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
9188 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
9189 		goto nla_put_failure;
9190 
9191 	genlmsg_end(msg, hdr);
9192 	return genlmsg_reply(msg, info);
9193 
9194  nla_put_failure:
9195 	kfree_skb(msg);
9196 	return -ENOBUFS;
9197 }
9198 
9199 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
9200 {
9201 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9202 	struct cfg80211_update_ft_ies_params ft_params;
9203 	struct net_device *dev = info->user_ptr[1];
9204 
9205 	if (!rdev->ops->update_ft_ies)
9206 		return -EOPNOTSUPP;
9207 
9208 	if (!info->attrs[NL80211_ATTR_MDID] ||
9209 	    !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
9210 		return -EINVAL;
9211 
9212 	memset(&ft_params, 0, sizeof(ft_params));
9213 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
9214 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9215 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9216 
9217 	return rdev_update_ft_ies(rdev, dev, &ft_params);
9218 }
9219 
9220 static int nl80211_crit_protocol_start(struct sk_buff *skb,
9221 				       struct genl_info *info)
9222 {
9223 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9224 	struct wireless_dev *wdev = info->user_ptr[1];
9225 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
9226 	u16 duration;
9227 	int ret;
9228 
9229 	if (!rdev->ops->crit_proto_start)
9230 		return -EOPNOTSUPP;
9231 
9232 	if (WARN_ON(!rdev->ops->crit_proto_stop))
9233 		return -EINVAL;
9234 
9235 	if (rdev->crit_proto_nlportid)
9236 		return -EBUSY;
9237 
9238 	/* determine protocol if provided */
9239 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
9240 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
9241 
9242 	if (proto >= NUM_NL80211_CRIT_PROTO)
9243 		return -EINVAL;
9244 
9245 	/* timeout must be provided */
9246 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
9247 		return -EINVAL;
9248 
9249 	duration =
9250 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
9251 
9252 	if (duration > NL80211_CRIT_PROTO_MAX_DURATION)
9253 		return -ERANGE;
9254 
9255 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
9256 	if (!ret)
9257 		rdev->crit_proto_nlportid = info->snd_portid;
9258 
9259 	return ret;
9260 }
9261 
9262 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
9263 				      struct genl_info *info)
9264 {
9265 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9266 	struct wireless_dev *wdev = info->user_ptr[1];
9267 
9268 	if (!rdev->ops->crit_proto_stop)
9269 		return -EOPNOTSUPP;
9270 
9271 	if (rdev->crit_proto_nlportid) {
9272 		rdev->crit_proto_nlportid = 0;
9273 		rdev_crit_proto_stop(rdev, wdev);
9274 	}
9275 	return 0;
9276 }
9277 
9278 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
9279 {
9280 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9281 	struct wireless_dev *wdev =
9282 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
9283 	int i, err;
9284 	u32 vid, subcmd;
9285 
9286 	if (!rdev->wiphy.vendor_commands)
9287 		return -EOPNOTSUPP;
9288 
9289 	if (IS_ERR(wdev)) {
9290 		err = PTR_ERR(wdev);
9291 		if (err != -EINVAL)
9292 			return err;
9293 		wdev = NULL;
9294 	} else if (wdev->wiphy != &rdev->wiphy) {
9295 		return -EINVAL;
9296 	}
9297 
9298 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
9299 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
9300 		return -EINVAL;
9301 
9302 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
9303 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
9304 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
9305 		const struct wiphy_vendor_command *vcmd;
9306 		void *data = NULL;
9307 		int len = 0;
9308 
9309 		vcmd = &rdev->wiphy.vendor_commands[i];
9310 
9311 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
9312 			continue;
9313 
9314 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
9315 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
9316 			if (!wdev)
9317 				return -EINVAL;
9318 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
9319 			    !wdev->netdev)
9320 				return -EINVAL;
9321 
9322 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
9323 				if (wdev->netdev &&
9324 				    !netif_running(wdev->netdev))
9325 					return -ENETDOWN;
9326 				if (!wdev->netdev && !wdev->p2p_started)
9327 					return -ENETDOWN;
9328 			}
9329 		} else {
9330 			wdev = NULL;
9331 		}
9332 
9333 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
9334 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
9335 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
9336 		}
9337 
9338 		rdev->cur_cmd_info = info;
9339 		err = rdev->wiphy.vendor_commands[i].doit(&rdev->wiphy, wdev,
9340 							  data, len);
9341 		rdev->cur_cmd_info = NULL;
9342 		return err;
9343 	}
9344 
9345 	return -EOPNOTSUPP;
9346 }
9347 
9348 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
9349 					   enum nl80211_commands cmd,
9350 					   enum nl80211_attrs attr,
9351 					   int approxlen)
9352 {
9353 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
9354 
9355 	if (WARN_ON(!rdev->cur_cmd_info))
9356 		return NULL;
9357 
9358 	return __cfg80211_alloc_vendor_skb(rdev, approxlen,
9359 					   rdev->cur_cmd_info->snd_portid,
9360 					   rdev->cur_cmd_info->snd_seq,
9361 					   cmd, attr, NULL, GFP_KERNEL);
9362 }
9363 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
9364 
9365 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
9366 {
9367 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
9368 	void *hdr = ((void **)skb->cb)[1];
9369 	struct nlattr *data = ((void **)skb->cb)[2];
9370 
9371 	/* clear CB data for netlink core to own from now on */
9372 	memset(skb->cb, 0, sizeof(skb->cb));
9373 
9374 	if (WARN_ON(!rdev->cur_cmd_info)) {
9375 		kfree_skb(skb);
9376 		return -EINVAL;
9377 	}
9378 
9379 	nla_nest_end(skb, data);
9380 	genlmsg_end(skb, hdr);
9381 	return genlmsg_reply(skb, rdev->cur_cmd_info);
9382 }
9383 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
9384 
9385 
9386 static int nl80211_set_qos_map(struct sk_buff *skb,
9387 			       struct genl_info *info)
9388 {
9389 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9390 	struct cfg80211_qos_map *qos_map = NULL;
9391 	struct net_device *dev = info->user_ptr[1];
9392 	u8 *pos, len, num_des, des_len, des;
9393 	int ret;
9394 
9395 	if (!rdev->ops->set_qos_map)
9396 		return -EOPNOTSUPP;
9397 
9398 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
9399 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
9400 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
9401 
9402 		if (len % 2 || len < IEEE80211_QOS_MAP_LEN_MIN ||
9403 		    len > IEEE80211_QOS_MAP_LEN_MAX)
9404 			return -EINVAL;
9405 
9406 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
9407 		if (!qos_map)
9408 			return -ENOMEM;
9409 
9410 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
9411 		if (num_des) {
9412 			des_len = num_des *
9413 				sizeof(struct cfg80211_dscp_exception);
9414 			memcpy(qos_map->dscp_exception, pos, des_len);
9415 			qos_map->num_des = num_des;
9416 			for (des = 0; des < num_des; des++) {
9417 				if (qos_map->dscp_exception[des].up > 7) {
9418 					kfree(qos_map);
9419 					return -EINVAL;
9420 				}
9421 			}
9422 			pos += des_len;
9423 		}
9424 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
9425 	}
9426 
9427 	wdev_lock(dev->ieee80211_ptr);
9428 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
9429 	if (!ret)
9430 		ret = rdev_set_qos_map(rdev, dev, qos_map);
9431 	wdev_unlock(dev->ieee80211_ptr);
9432 
9433 	kfree(qos_map);
9434 	return ret;
9435 }
9436 
9437 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
9438 {
9439 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9440 	struct net_device *dev = info->user_ptr[1];
9441 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9442 	const u8 *peer;
9443 	u8 tsid, up;
9444 	u16 admitted_time = 0;
9445 	int err;
9446 
9447 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_WMM_ADMISSION))
9448 		return -EOPNOTSUPP;
9449 
9450 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
9451 	    !info->attrs[NL80211_ATTR_USER_PRIO])
9452 		return -EINVAL;
9453 
9454 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
9455 	if (tsid >= IEEE80211_NUM_TIDS)
9456 		return -EINVAL;
9457 
9458 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
9459 	if (up >= IEEE80211_NUM_UPS)
9460 		return -EINVAL;
9461 
9462 	/* WMM uses TIDs 0-7 even for TSPEC */
9463 	if (tsid < IEEE80211_FIRST_TSPEC_TSID) {
9464 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_WMM_ADMISSION))
9465 			return -EINVAL;
9466 	} else {
9467 		/* TODO: handle 802.11 TSPEC/admission control
9468 		 * need more attributes for that (e.g. BA session requirement)
9469 		 */
9470 		return -EINVAL;
9471 	}
9472 
9473 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
9474 
9475 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
9476 		admitted_time =
9477 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
9478 		if (!admitted_time)
9479 			return -EINVAL;
9480 	}
9481 
9482 	wdev_lock(wdev);
9483 	switch (wdev->iftype) {
9484 	case NL80211_IFTYPE_STATION:
9485 	case NL80211_IFTYPE_P2P_CLIENT:
9486 		if (wdev->current_bss)
9487 			break;
9488 		err = -ENOTCONN;
9489 		goto out;
9490 	default:
9491 		err = -EOPNOTSUPP;
9492 		goto out;
9493 	}
9494 
9495 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
9496 
9497  out:
9498 	wdev_unlock(wdev);
9499 	return err;
9500 }
9501 
9502 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
9503 {
9504 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9505 	struct net_device *dev = info->user_ptr[1];
9506 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9507 	const u8 *peer;
9508 	u8 tsid;
9509 	int err;
9510 
9511 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
9512 		return -EINVAL;
9513 
9514 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
9515 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
9516 
9517 	wdev_lock(wdev);
9518 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
9519 	wdev_unlock(wdev);
9520 
9521 	return err;
9522 }
9523 
9524 #define NL80211_FLAG_NEED_WIPHY		0x01
9525 #define NL80211_FLAG_NEED_NETDEV	0x02
9526 #define NL80211_FLAG_NEED_RTNL		0x04
9527 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
9528 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
9529 					 NL80211_FLAG_CHECK_NETDEV_UP)
9530 #define NL80211_FLAG_NEED_WDEV		0x10
9531 /* If a netdev is associated, it must be UP, P2P must be started */
9532 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
9533 					 NL80211_FLAG_CHECK_NETDEV_UP)
9534 #define NL80211_FLAG_CLEAR_SKB		0x20
9535 
9536 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
9537 			    struct genl_info *info)
9538 {
9539 	struct cfg80211_registered_device *rdev;
9540 	struct wireless_dev *wdev;
9541 	struct net_device *dev;
9542 	bool rtnl = ops->internal_flags & NL80211_FLAG_NEED_RTNL;
9543 
9544 	if (rtnl)
9545 		rtnl_lock();
9546 
9547 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
9548 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
9549 		if (IS_ERR(rdev)) {
9550 			if (rtnl)
9551 				rtnl_unlock();
9552 			return PTR_ERR(rdev);
9553 		}
9554 		info->user_ptr[0] = rdev;
9555 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
9556 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
9557 		ASSERT_RTNL();
9558 
9559 		wdev = __cfg80211_wdev_from_attrs(genl_info_net(info),
9560 						  info->attrs);
9561 		if (IS_ERR(wdev)) {
9562 			if (rtnl)
9563 				rtnl_unlock();
9564 			return PTR_ERR(wdev);
9565 		}
9566 
9567 		dev = wdev->netdev;
9568 		rdev = wiphy_to_rdev(wdev->wiphy);
9569 
9570 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
9571 			if (!dev) {
9572 				if (rtnl)
9573 					rtnl_unlock();
9574 				return -EINVAL;
9575 			}
9576 
9577 			info->user_ptr[1] = dev;
9578 		} else {
9579 			info->user_ptr[1] = wdev;
9580 		}
9581 
9582 		if (dev) {
9583 			if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
9584 			    !netif_running(dev)) {
9585 				if (rtnl)
9586 					rtnl_unlock();
9587 				return -ENETDOWN;
9588 			}
9589 
9590 			dev_hold(dev);
9591 		} else if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP) {
9592 			if (!wdev->p2p_started) {
9593 				if (rtnl)
9594 					rtnl_unlock();
9595 				return -ENETDOWN;
9596 			}
9597 		}
9598 
9599 		info->user_ptr[0] = rdev;
9600 	}
9601 
9602 	return 0;
9603 }
9604 
9605 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
9606 			      struct genl_info *info)
9607 {
9608 	if (info->user_ptr[1]) {
9609 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
9610 			struct wireless_dev *wdev = info->user_ptr[1];
9611 
9612 			if (wdev->netdev)
9613 				dev_put(wdev->netdev);
9614 		} else {
9615 			dev_put(info->user_ptr[1]);
9616 		}
9617 	}
9618 
9619 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
9620 		rtnl_unlock();
9621 
9622 	/* If needed, clear the netlink message payload from the SKB
9623 	 * as it might contain key data that shouldn't stick around on
9624 	 * the heap after the SKB is freed. The netlink message header
9625 	 * is still needed for further processing, so leave it intact.
9626 	 */
9627 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
9628 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
9629 
9630 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
9631 	}
9632 }
9633 
9634 static const struct genl_ops nl80211_ops[] = {
9635 	{
9636 		.cmd = NL80211_CMD_GET_WIPHY,
9637 		.doit = nl80211_get_wiphy,
9638 		.dumpit = nl80211_dump_wiphy,
9639 		.done = nl80211_dump_wiphy_done,
9640 		.policy = nl80211_policy,
9641 		/* can be retrieved by unprivileged users */
9642 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
9643 				  NL80211_FLAG_NEED_RTNL,
9644 	},
9645 	{
9646 		.cmd = NL80211_CMD_SET_WIPHY,
9647 		.doit = nl80211_set_wiphy,
9648 		.policy = nl80211_policy,
9649 		.flags = GENL_ADMIN_PERM,
9650 		.internal_flags = NL80211_FLAG_NEED_RTNL,
9651 	},
9652 	{
9653 		.cmd = NL80211_CMD_GET_INTERFACE,
9654 		.doit = nl80211_get_interface,
9655 		.dumpit = nl80211_dump_interface,
9656 		.policy = nl80211_policy,
9657 		/* can be retrieved by unprivileged users */
9658 		.internal_flags = NL80211_FLAG_NEED_WDEV |
9659 				  NL80211_FLAG_NEED_RTNL,
9660 	},
9661 	{
9662 		.cmd = NL80211_CMD_SET_INTERFACE,
9663 		.doit = nl80211_set_interface,
9664 		.policy = nl80211_policy,
9665 		.flags = GENL_ADMIN_PERM,
9666 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
9667 				  NL80211_FLAG_NEED_RTNL,
9668 	},
9669 	{
9670 		.cmd = NL80211_CMD_NEW_INTERFACE,
9671 		.doit = nl80211_new_interface,
9672 		.policy = nl80211_policy,
9673 		.flags = GENL_ADMIN_PERM,
9674 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
9675 				  NL80211_FLAG_NEED_RTNL,
9676 	},
9677 	{
9678 		.cmd = NL80211_CMD_DEL_INTERFACE,
9679 		.doit = nl80211_del_interface,
9680 		.policy = nl80211_policy,
9681 		.flags = GENL_ADMIN_PERM,
9682 		.internal_flags = NL80211_FLAG_NEED_WDEV |
9683 				  NL80211_FLAG_NEED_RTNL,
9684 	},
9685 	{
9686 		.cmd = NL80211_CMD_GET_KEY,
9687 		.doit = nl80211_get_key,
9688 		.policy = nl80211_policy,
9689 		.flags = GENL_ADMIN_PERM,
9690 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9691 				  NL80211_FLAG_NEED_RTNL,
9692 	},
9693 	{
9694 		.cmd = NL80211_CMD_SET_KEY,
9695 		.doit = nl80211_set_key,
9696 		.policy = nl80211_policy,
9697 		.flags = GENL_ADMIN_PERM,
9698 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9699 				  NL80211_FLAG_NEED_RTNL |
9700 				  NL80211_FLAG_CLEAR_SKB,
9701 	},
9702 	{
9703 		.cmd = NL80211_CMD_NEW_KEY,
9704 		.doit = nl80211_new_key,
9705 		.policy = nl80211_policy,
9706 		.flags = GENL_ADMIN_PERM,
9707 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9708 				  NL80211_FLAG_NEED_RTNL |
9709 				  NL80211_FLAG_CLEAR_SKB,
9710 	},
9711 	{
9712 		.cmd = NL80211_CMD_DEL_KEY,
9713 		.doit = nl80211_del_key,
9714 		.policy = nl80211_policy,
9715 		.flags = GENL_ADMIN_PERM,
9716 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9717 				  NL80211_FLAG_NEED_RTNL,
9718 	},
9719 	{
9720 		.cmd = NL80211_CMD_SET_BEACON,
9721 		.policy = nl80211_policy,
9722 		.flags = GENL_ADMIN_PERM,
9723 		.doit = nl80211_set_beacon,
9724 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9725 				  NL80211_FLAG_NEED_RTNL,
9726 	},
9727 	{
9728 		.cmd = NL80211_CMD_START_AP,
9729 		.policy = nl80211_policy,
9730 		.flags = GENL_ADMIN_PERM,
9731 		.doit = nl80211_start_ap,
9732 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9733 				  NL80211_FLAG_NEED_RTNL,
9734 	},
9735 	{
9736 		.cmd = NL80211_CMD_STOP_AP,
9737 		.policy = nl80211_policy,
9738 		.flags = GENL_ADMIN_PERM,
9739 		.doit = nl80211_stop_ap,
9740 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9741 				  NL80211_FLAG_NEED_RTNL,
9742 	},
9743 	{
9744 		.cmd = NL80211_CMD_GET_STATION,
9745 		.doit = nl80211_get_station,
9746 		.dumpit = nl80211_dump_station,
9747 		.policy = nl80211_policy,
9748 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
9749 				  NL80211_FLAG_NEED_RTNL,
9750 	},
9751 	{
9752 		.cmd = NL80211_CMD_SET_STATION,
9753 		.doit = nl80211_set_station,
9754 		.policy = nl80211_policy,
9755 		.flags = GENL_ADMIN_PERM,
9756 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9757 				  NL80211_FLAG_NEED_RTNL,
9758 	},
9759 	{
9760 		.cmd = NL80211_CMD_NEW_STATION,
9761 		.doit = nl80211_new_station,
9762 		.policy = nl80211_policy,
9763 		.flags = GENL_ADMIN_PERM,
9764 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9765 				  NL80211_FLAG_NEED_RTNL,
9766 	},
9767 	{
9768 		.cmd = NL80211_CMD_DEL_STATION,
9769 		.doit = nl80211_del_station,
9770 		.policy = nl80211_policy,
9771 		.flags = GENL_ADMIN_PERM,
9772 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9773 				  NL80211_FLAG_NEED_RTNL,
9774 	},
9775 	{
9776 		.cmd = NL80211_CMD_GET_MPATH,
9777 		.doit = nl80211_get_mpath,
9778 		.dumpit = nl80211_dump_mpath,
9779 		.policy = nl80211_policy,
9780 		.flags = GENL_ADMIN_PERM,
9781 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9782 				  NL80211_FLAG_NEED_RTNL,
9783 	},
9784 	{
9785 		.cmd = NL80211_CMD_SET_MPATH,
9786 		.doit = nl80211_set_mpath,
9787 		.policy = nl80211_policy,
9788 		.flags = GENL_ADMIN_PERM,
9789 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9790 				  NL80211_FLAG_NEED_RTNL,
9791 	},
9792 	{
9793 		.cmd = NL80211_CMD_NEW_MPATH,
9794 		.doit = nl80211_new_mpath,
9795 		.policy = nl80211_policy,
9796 		.flags = GENL_ADMIN_PERM,
9797 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9798 				  NL80211_FLAG_NEED_RTNL,
9799 	},
9800 	{
9801 		.cmd = NL80211_CMD_DEL_MPATH,
9802 		.doit = nl80211_del_mpath,
9803 		.policy = nl80211_policy,
9804 		.flags = GENL_ADMIN_PERM,
9805 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9806 				  NL80211_FLAG_NEED_RTNL,
9807 	},
9808 	{
9809 		.cmd = NL80211_CMD_SET_BSS,
9810 		.doit = nl80211_set_bss,
9811 		.policy = nl80211_policy,
9812 		.flags = GENL_ADMIN_PERM,
9813 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9814 				  NL80211_FLAG_NEED_RTNL,
9815 	},
9816 	{
9817 		.cmd = NL80211_CMD_GET_REG,
9818 		.doit = nl80211_get_reg,
9819 		.policy = nl80211_policy,
9820 		.internal_flags = NL80211_FLAG_NEED_RTNL,
9821 		/* can be retrieved by unprivileged users */
9822 	},
9823 	{
9824 		.cmd = NL80211_CMD_SET_REG,
9825 		.doit = nl80211_set_reg,
9826 		.policy = nl80211_policy,
9827 		.flags = GENL_ADMIN_PERM,
9828 		.internal_flags = NL80211_FLAG_NEED_RTNL,
9829 	},
9830 	{
9831 		.cmd = NL80211_CMD_REQ_SET_REG,
9832 		.doit = nl80211_req_set_reg,
9833 		.policy = nl80211_policy,
9834 		.flags = GENL_ADMIN_PERM,
9835 	},
9836 	{
9837 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
9838 		.doit = nl80211_get_mesh_config,
9839 		.policy = nl80211_policy,
9840 		/* can be retrieved by unprivileged users */
9841 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9842 				  NL80211_FLAG_NEED_RTNL,
9843 	},
9844 	{
9845 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
9846 		.doit = nl80211_update_mesh_config,
9847 		.policy = nl80211_policy,
9848 		.flags = GENL_ADMIN_PERM,
9849 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9850 				  NL80211_FLAG_NEED_RTNL,
9851 	},
9852 	{
9853 		.cmd = NL80211_CMD_TRIGGER_SCAN,
9854 		.doit = nl80211_trigger_scan,
9855 		.policy = nl80211_policy,
9856 		.flags = GENL_ADMIN_PERM,
9857 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
9858 				  NL80211_FLAG_NEED_RTNL,
9859 	},
9860 	{
9861 		.cmd = NL80211_CMD_GET_SCAN,
9862 		.policy = nl80211_policy,
9863 		.dumpit = nl80211_dump_scan,
9864 	},
9865 	{
9866 		.cmd = NL80211_CMD_START_SCHED_SCAN,
9867 		.doit = nl80211_start_sched_scan,
9868 		.policy = nl80211_policy,
9869 		.flags = GENL_ADMIN_PERM,
9870 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9871 				  NL80211_FLAG_NEED_RTNL,
9872 	},
9873 	{
9874 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
9875 		.doit = nl80211_stop_sched_scan,
9876 		.policy = nl80211_policy,
9877 		.flags = GENL_ADMIN_PERM,
9878 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9879 				  NL80211_FLAG_NEED_RTNL,
9880 	},
9881 	{
9882 		.cmd = NL80211_CMD_AUTHENTICATE,
9883 		.doit = nl80211_authenticate,
9884 		.policy = nl80211_policy,
9885 		.flags = GENL_ADMIN_PERM,
9886 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9887 				  NL80211_FLAG_NEED_RTNL |
9888 				  NL80211_FLAG_CLEAR_SKB,
9889 	},
9890 	{
9891 		.cmd = NL80211_CMD_ASSOCIATE,
9892 		.doit = nl80211_associate,
9893 		.policy = nl80211_policy,
9894 		.flags = GENL_ADMIN_PERM,
9895 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9896 				  NL80211_FLAG_NEED_RTNL,
9897 	},
9898 	{
9899 		.cmd = NL80211_CMD_DEAUTHENTICATE,
9900 		.doit = nl80211_deauthenticate,
9901 		.policy = nl80211_policy,
9902 		.flags = GENL_ADMIN_PERM,
9903 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9904 				  NL80211_FLAG_NEED_RTNL,
9905 	},
9906 	{
9907 		.cmd = NL80211_CMD_DISASSOCIATE,
9908 		.doit = nl80211_disassociate,
9909 		.policy = nl80211_policy,
9910 		.flags = GENL_ADMIN_PERM,
9911 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9912 				  NL80211_FLAG_NEED_RTNL,
9913 	},
9914 	{
9915 		.cmd = NL80211_CMD_JOIN_IBSS,
9916 		.doit = nl80211_join_ibss,
9917 		.policy = nl80211_policy,
9918 		.flags = GENL_ADMIN_PERM,
9919 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9920 				  NL80211_FLAG_NEED_RTNL,
9921 	},
9922 	{
9923 		.cmd = NL80211_CMD_LEAVE_IBSS,
9924 		.doit = nl80211_leave_ibss,
9925 		.policy = nl80211_policy,
9926 		.flags = GENL_ADMIN_PERM,
9927 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9928 				  NL80211_FLAG_NEED_RTNL,
9929 	},
9930 #ifdef CONFIG_NL80211_TESTMODE
9931 	{
9932 		.cmd = NL80211_CMD_TESTMODE,
9933 		.doit = nl80211_testmode_do,
9934 		.dumpit = nl80211_testmode_dump,
9935 		.policy = nl80211_policy,
9936 		.flags = GENL_ADMIN_PERM,
9937 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
9938 				  NL80211_FLAG_NEED_RTNL,
9939 	},
9940 #endif
9941 	{
9942 		.cmd = NL80211_CMD_CONNECT,
9943 		.doit = nl80211_connect,
9944 		.policy = nl80211_policy,
9945 		.flags = GENL_ADMIN_PERM,
9946 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9947 				  NL80211_FLAG_NEED_RTNL,
9948 	},
9949 	{
9950 		.cmd = NL80211_CMD_DISCONNECT,
9951 		.doit = nl80211_disconnect,
9952 		.policy = nl80211_policy,
9953 		.flags = GENL_ADMIN_PERM,
9954 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9955 				  NL80211_FLAG_NEED_RTNL,
9956 	},
9957 	{
9958 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
9959 		.doit = nl80211_wiphy_netns,
9960 		.policy = nl80211_policy,
9961 		.flags = GENL_ADMIN_PERM,
9962 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
9963 				  NL80211_FLAG_NEED_RTNL,
9964 	},
9965 	{
9966 		.cmd = NL80211_CMD_GET_SURVEY,
9967 		.policy = nl80211_policy,
9968 		.dumpit = nl80211_dump_survey,
9969 	},
9970 	{
9971 		.cmd = NL80211_CMD_SET_PMKSA,
9972 		.doit = nl80211_setdel_pmksa,
9973 		.policy = nl80211_policy,
9974 		.flags = GENL_ADMIN_PERM,
9975 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9976 				  NL80211_FLAG_NEED_RTNL,
9977 	},
9978 	{
9979 		.cmd = NL80211_CMD_DEL_PMKSA,
9980 		.doit = nl80211_setdel_pmksa,
9981 		.policy = nl80211_policy,
9982 		.flags = GENL_ADMIN_PERM,
9983 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9984 				  NL80211_FLAG_NEED_RTNL,
9985 	},
9986 	{
9987 		.cmd = NL80211_CMD_FLUSH_PMKSA,
9988 		.doit = nl80211_flush_pmksa,
9989 		.policy = nl80211_policy,
9990 		.flags = GENL_ADMIN_PERM,
9991 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
9992 				  NL80211_FLAG_NEED_RTNL,
9993 	},
9994 	{
9995 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
9996 		.doit = nl80211_remain_on_channel,
9997 		.policy = nl80211_policy,
9998 		.flags = GENL_ADMIN_PERM,
9999 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10000 				  NL80211_FLAG_NEED_RTNL,
10001 	},
10002 	{
10003 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
10004 		.doit = nl80211_cancel_remain_on_channel,
10005 		.policy = nl80211_policy,
10006 		.flags = GENL_ADMIN_PERM,
10007 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10008 				  NL80211_FLAG_NEED_RTNL,
10009 	},
10010 	{
10011 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
10012 		.doit = nl80211_set_tx_bitrate_mask,
10013 		.policy = nl80211_policy,
10014 		.flags = GENL_ADMIN_PERM,
10015 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10016 				  NL80211_FLAG_NEED_RTNL,
10017 	},
10018 	{
10019 		.cmd = NL80211_CMD_REGISTER_FRAME,
10020 		.doit = nl80211_register_mgmt,
10021 		.policy = nl80211_policy,
10022 		.flags = GENL_ADMIN_PERM,
10023 		.internal_flags = NL80211_FLAG_NEED_WDEV |
10024 				  NL80211_FLAG_NEED_RTNL,
10025 	},
10026 	{
10027 		.cmd = NL80211_CMD_FRAME,
10028 		.doit = nl80211_tx_mgmt,
10029 		.policy = nl80211_policy,
10030 		.flags = GENL_ADMIN_PERM,
10031 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10032 				  NL80211_FLAG_NEED_RTNL,
10033 	},
10034 	{
10035 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
10036 		.doit = nl80211_tx_mgmt_cancel_wait,
10037 		.policy = nl80211_policy,
10038 		.flags = GENL_ADMIN_PERM,
10039 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10040 				  NL80211_FLAG_NEED_RTNL,
10041 	},
10042 	{
10043 		.cmd = NL80211_CMD_SET_POWER_SAVE,
10044 		.doit = nl80211_set_power_save,
10045 		.policy = nl80211_policy,
10046 		.flags = GENL_ADMIN_PERM,
10047 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10048 				  NL80211_FLAG_NEED_RTNL,
10049 	},
10050 	{
10051 		.cmd = NL80211_CMD_GET_POWER_SAVE,
10052 		.doit = nl80211_get_power_save,
10053 		.policy = nl80211_policy,
10054 		/* can be retrieved by unprivileged users */
10055 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10056 				  NL80211_FLAG_NEED_RTNL,
10057 	},
10058 	{
10059 		.cmd = NL80211_CMD_SET_CQM,
10060 		.doit = nl80211_set_cqm,
10061 		.policy = nl80211_policy,
10062 		.flags = GENL_ADMIN_PERM,
10063 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10064 				  NL80211_FLAG_NEED_RTNL,
10065 	},
10066 	{
10067 		.cmd = NL80211_CMD_SET_CHANNEL,
10068 		.doit = nl80211_set_channel,
10069 		.policy = nl80211_policy,
10070 		.flags = GENL_ADMIN_PERM,
10071 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10072 				  NL80211_FLAG_NEED_RTNL,
10073 	},
10074 	{
10075 		.cmd = NL80211_CMD_SET_WDS_PEER,
10076 		.doit = nl80211_set_wds_peer,
10077 		.policy = nl80211_policy,
10078 		.flags = GENL_ADMIN_PERM,
10079 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10080 				  NL80211_FLAG_NEED_RTNL,
10081 	},
10082 	{
10083 		.cmd = NL80211_CMD_JOIN_MESH,
10084 		.doit = nl80211_join_mesh,
10085 		.policy = nl80211_policy,
10086 		.flags = GENL_ADMIN_PERM,
10087 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10088 				  NL80211_FLAG_NEED_RTNL,
10089 	},
10090 	{
10091 		.cmd = NL80211_CMD_LEAVE_MESH,
10092 		.doit = nl80211_leave_mesh,
10093 		.policy = nl80211_policy,
10094 		.flags = GENL_ADMIN_PERM,
10095 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10096 				  NL80211_FLAG_NEED_RTNL,
10097 	},
10098 #ifdef CONFIG_PM
10099 	{
10100 		.cmd = NL80211_CMD_GET_WOWLAN,
10101 		.doit = nl80211_get_wowlan,
10102 		.policy = nl80211_policy,
10103 		/* can be retrieved by unprivileged users */
10104 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10105 				  NL80211_FLAG_NEED_RTNL,
10106 	},
10107 	{
10108 		.cmd = NL80211_CMD_SET_WOWLAN,
10109 		.doit = nl80211_set_wowlan,
10110 		.policy = nl80211_policy,
10111 		.flags = GENL_ADMIN_PERM,
10112 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10113 				  NL80211_FLAG_NEED_RTNL,
10114 	},
10115 #endif
10116 	{
10117 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
10118 		.doit = nl80211_set_rekey_data,
10119 		.policy = nl80211_policy,
10120 		.flags = GENL_ADMIN_PERM,
10121 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10122 				  NL80211_FLAG_NEED_RTNL |
10123 				  NL80211_FLAG_CLEAR_SKB,
10124 	},
10125 	{
10126 		.cmd = NL80211_CMD_TDLS_MGMT,
10127 		.doit = nl80211_tdls_mgmt,
10128 		.policy = nl80211_policy,
10129 		.flags = GENL_ADMIN_PERM,
10130 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10131 				  NL80211_FLAG_NEED_RTNL,
10132 	},
10133 	{
10134 		.cmd = NL80211_CMD_TDLS_OPER,
10135 		.doit = nl80211_tdls_oper,
10136 		.policy = nl80211_policy,
10137 		.flags = GENL_ADMIN_PERM,
10138 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10139 				  NL80211_FLAG_NEED_RTNL,
10140 	},
10141 	{
10142 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
10143 		.doit = nl80211_register_unexpected_frame,
10144 		.policy = nl80211_policy,
10145 		.flags = GENL_ADMIN_PERM,
10146 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10147 				  NL80211_FLAG_NEED_RTNL,
10148 	},
10149 	{
10150 		.cmd = NL80211_CMD_PROBE_CLIENT,
10151 		.doit = nl80211_probe_client,
10152 		.policy = nl80211_policy,
10153 		.flags = GENL_ADMIN_PERM,
10154 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10155 				  NL80211_FLAG_NEED_RTNL,
10156 	},
10157 	{
10158 		.cmd = NL80211_CMD_REGISTER_BEACONS,
10159 		.doit = nl80211_register_beacons,
10160 		.policy = nl80211_policy,
10161 		.flags = GENL_ADMIN_PERM,
10162 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10163 				  NL80211_FLAG_NEED_RTNL,
10164 	},
10165 	{
10166 		.cmd = NL80211_CMD_SET_NOACK_MAP,
10167 		.doit = nl80211_set_noack_map,
10168 		.policy = nl80211_policy,
10169 		.flags = GENL_ADMIN_PERM,
10170 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10171 				  NL80211_FLAG_NEED_RTNL,
10172 	},
10173 	{
10174 		.cmd = NL80211_CMD_START_P2P_DEVICE,
10175 		.doit = nl80211_start_p2p_device,
10176 		.policy = nl80211_policy,
10177 		.flags = GENL_ADMIN_PERM,
10178 		.internal_flags = NL80211_FLAG_NEED_WDEV |
10179 				  NL80211_FLAG_NEED_RTNL,
10180 	},
10181 	{
10182 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
10183 		.doit = nl80211_stop_p2p_device,
10184 		.policy = nl80211_policy,
10185 		.flags = GENL_ADMIN_PERM,
10186 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10187 				  NL80211_FLAG_NEED_RTNL,
10188 	},
10189 	{
10190 		.cmd = NL80211_CMD_SET_MCAST_RATE,
10191 		.doit = nl80211_set_mcast_rate,
10192 		.policy = nl80211_policy,
10193 		.flags = GENL_ADMIN_PERM,
10194 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10195 				  NL80211_FLAG_NEED_RTNL,
10196 	},
10197 	{
10198 		.cmd = NL80211_CMD_SET_MAC_ACL,
10199 		.doit = nl80211_set_mac_acl,
10200 		.policy = nl80211_policy,
10201 		.flags = GENL_ADMIN_PERM,
10202 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10203 				  NL80211_FLAG_NEED_RTNL,
10204 	},
10205 	{
10206 		.cmd = NL80211_CMD_RADAR_DETECT,
10207 		.doit = nl80211_start_radar_detection,
10208 		.policy = nl80211_policy,
10209 		.flags = GENL_ADMIN_PERM,
10210 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10211 				  NL80211_FLAG_NEED_RTNL,
10212 	},
10213 	{
10214 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
10215 		.doit = nl80211_get_protocol_features,
10216 		.policy = nl80211_policy,
10217 	},
10218 	{
10219 		.cmd = NL80211_CMD_UPDATE_FT_IES,
10220 		.doit = nl80211_update_ft_ies,
10221 		.policy = nl80211_policy,
10222 		.flags = GENL_ADMIN_PERM,
10223 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10224 				  NL80211_FLAG_NEED_RTNL,
10225 	},
10226 	{
10227 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
10228 		.doit = nl80211_crit_protocol_start,
10229 		.policy = nl80211_policy,
10230 		.flags = GENL_ADMIN_PERM,
10231 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10232 				  NL80211_FLAG_NEED_RTNL,
10233 	},
10234 	{
10235 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
10236 		.doit = nl80211_crit_protocol_stop,
10237 		.policy = nl80211_policy,
10238 		.flags = GENL_ADMIN_PERM,
10239 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10240 				  NL80211_FLAG_NEED_RTNL,
10241 	},
10242 	{
10243 		.cmd = NL80211_CMD_GET_COALESCE,
10244 		.doit = nl80211_get_coalesce,
10245 		.policy = nl80211_policy,
10246 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10247 				  NL80211_FLAG_NEED_RTNL,
10248 	},
10249 	{
10250 		.cmd = NL80211_CMD_SET_COALESCE,
10251 		.doit = nl80211_set_coalesce,
10252 		.policy = nl80211_policy,
10253 		.flags = GENL_ADMIN_PERM,
10254 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10255 				  NL80211_FLAG_NEED_RTNL,
10256 	},
10257 	{
10258 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
10259 		.doit = nl80211_channel_switch,
10260 		.policy = nl80211_policy,
10261 		.flags = GENL_ADMIN_PERM,
10262 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10263 				  NL80211_FLAG_NEED_RTNL,
10264 	},
10265 	{
10266 		.cmd = NL80211_CMD_VENDOR,
10267 		.doit = nl80211_vendor_cmd,
10268 		.policy = nl80211_policy,
10269 		.flags = GENL_ADMIN_PERM,
10270 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10271 				  NL80211_FLAG_NEED_RTNL,
10272 	},
10273 	{
10274 		.cmd = NL80211_CMD_SET_QOS_MAP,
10275 		.doit = nl80211_set_qos_map,
10276 		.policy = nl80211_policy,
10277 		.flags = GENL_ADMIN_PERM,
10278 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10279 				  NL80211_FLAG_NEED_RTNL,
10280 	},
10281 	{
10282 		.cmd = NL80211_CMD_ADD_TX_TS,
10283 		.doit = nl80211_add_tx_ts,
10284 		.policy = nl80211_policy,
10285 		.flags = GENL_ADMIN_PERM,
10286 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10287 				  NL80211_FLAG_NEED_RTNL,
10288 	},
10289 	{
10290 		.cmd = NL80211_CMD_DEL_TX_TS,
10291 		.doit = nl80211_del_tx_ts,
10292 		.policy = nl80211_policy,
10293 		.flags = GENL_ADMIN_PERM,
10294 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10295 				  NL80211_FLAG_NEED_RTNL,
10296 	},
10297 };
10298 
10299 /* notification functions */
10300 
10301 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
10302 			  enum nl80211_commands cmd)
10303 {
10304 	struct sk_buff *msg;
10305 	struct nl80211_dump_wiphy_state state = {};
10306 
10307 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
10308 		cmd != NL80211_CMD_DEL_WIPHY);
10309 
10310 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10311 	if (!msg)
10312 		return;
10313 
10314 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
10315 		nlmsg_free(msg);
10316 		return;
10317 	}
10318 
10319 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10320 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
10321 }
10322 
10323 static int nl80211_add_scan_req(struct sk_buff *msg,
10324 				struct cfg80211_registered_device *rdev)
10325 {
10326 	struct cfg80211_scan_request *req = rdev->scan_req;
10327 	struct nlattr *nest;
10328 	int i;
10329 
10330 	if (WARN_ON(!req))
10331 		return 0;
10332 
10333 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_SSIDS);
10334 	if (!nest)
10335 		goto nla_put_failure;
10336 	for (i = 0; i < req->n_ssids; i++) {
10337 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
10338 			goto nla_put_failure;
10339 	}
10340 	nla_nest_end(msg, nest);
10341 
10342 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
10343 	if (!nest)
10344 		goto nla_put_failure;
10345 	for (i = 0; i < req->n_channels; i++) {
10346 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
10347 			goto nla_put_failure;
10348 	}
10349 	nla_nest_end(msg, nest);
10350 
10351 	if (req->ie &&
10352 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
10353 		goto nla_put_failure;
10354 
10355 	if (req->flags &&
10356 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
10357 		goto nla_put_failure;
10358 
10359 	return 0;
10360  nla_put_failure:
10361 	return -ENOBUFS;
10362 }
10363 
10364 static int nl80211_send_scan_msg(struct sk_buff *msg,
10365 				 struct cfg80211_registered_device *rdev,
10366 				 struct wireless_dev *wdev,
10367 				 u32 portid, u32 seq, int flags,
10368 				 u32 cmd)
10369 {
10370 	void *hdr;
10371 
10372 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
10373 	if (!hdr)
10374 		return -1;
10375 
10376 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10377 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
10378 					 wdev->netdev->ifindex)) ||
10379 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
10380 		goto nla_put_failure;
10381 
10382 	/* ignore errors and send incomplete event anyway */
10383 	nl80211_add_scan_req(msg, rdev);
10384 
10385 	return genlmsg_end(msg, hdr);
10386 
10387  nla_put_failure:
10388 	genlmsg_cancel(msg, hdr);
10389 	return -EMSGSIZE;
10390 }
10391 
10392 static int
10393 nl80211_send_sched_scan_msg(struct sk_buff *msg,
10394 			    struct cfg80211_registered_device *rdev,
10395 			    struct net_device *netdev,
10396 			    u32 portid, u32 seq, int flags, u32 cmd)
10397 {
10398 	void *hdr;
10399 
10400 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
10401 	if (!hdr)
10402 		return -1;
10403 
10404 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10405 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
10406 		goto nla_put_failure;
10407 
10408 	return genlmsg_end(msg, hdr);
10409 
10410  nla_put_failure:
10411 	genlmsg_cancel(msg, hdr);
10412 	return -EMSGSIZE;
10413 }
10414 
10415 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
10416 			     struct wireless_dev *wdev)
10417 {
10418 	struct sk_buff *msg;
10419 
10420 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10421 	if (!msg)
10422 		return;
10423 
10424 	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
10425 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
10426 		nlmsg_free(msg);
10427 		return;
10428 	}
10429 
10430 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10431 				NL80211_MCGRP_SCAN, GFP_KERNEL);
10432 }
10433 
10434 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
10435 				       struct wireless_dev *wdev, bool aborted)
10436 {
10437 	struct sk_buff *msg;
10438 
10439 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10440 	if (!msg)
10441 		return NULL;
10442 
10443 	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
10444 				  aborted ? NL80211_CMD_SCAN_ABORTED :
10445 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
10446 		nlmsg_free(msg);
10447 		return NULL;
10448 	}
10449 
10450 	return msg;
10451 }
10452 
10453 void nl80211_send_scan_result(struct cfg80211_registered_device *rdev,
10454 			      struct sk_buff *msg)
10455 {
10456 	if (!msg)
10457 		return;
10458 
10459 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10460 				NL80211_MCGRP_SCAN, GFP_KERNEL);
10461 }
10462 
10463 void nl80211_send_sched_scan_results(struct cfg80211_registered_device *rdev,
10464 				     struct net_device *netdev)
10465 {
10466 	struct sk_buff *msg;
10467 
10468 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10469 	if (!msg)
10470 		return;
10471 
10472 	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0,
10473 					NL80211_CMD_SCHED_SCAN_RESULTS) < 0) {
10474 		nlmsg_free(msg);
10475 		return;
10476 	}
10477 
10478 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10479 				NL80211_MCGRP_SCAN, GFP_KERNEL);
10480 }
10481 
10482 void nl80211_send_sched_scan(struct cfg80211_registered_device *rdev,
10483 			     struct net_device *netdev, u32 cmd)
10484 {
10485 	struct sk_buff *msg;
10486 
10487 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10488 	if (!msg)
10489 		return;
10490 
10491 	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0, cmd) < 0) {
10492 		nlmsg_free(msg);
10493 		return;
10494 	}
10495 
10496 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10497 				NL80211_MCGRP_SCAN, GFP_KERNEL);
10498 }
10499 
10500 /*
10501  * This can happen on global regulatory changes or device specific settings
10502  * based on custom world regulatory domains.
10503  */
10504 void nl80211_send_reg_change_event(struct regulatory_request *request)
10505 {
10506 	struct sk_buff *msg;
10507 	void *hdr;
10508 
10509 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10510 	if (!msg)
10511 		return;
10512 
10513 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_CHANGE);
10514 	if (!hdr) {
10515 		nlmsg_free(msg);
10516 		return;
10517 	}
10518 
10519 	/* Userspace can always count this one always being set */
10520 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
10521 		goto nla_put_failure;
10522 
10523 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
10524 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
10525 			       NL80211_REGDOM_TYPE_WORLD))
10526 			goto nla_put_failure;
10527 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
10528 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
10529 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
10530 			goto nla_put_failure;
10531 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
10532 		   request->intersect) {
10533 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
10534 			       NL80211_REGDOM_TYPE_INTERSECTION))
10535 			goto nla_put_failure;
10536 	} else {
10537 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
10538 			       NL80211_REGDOM_TYPE_COUNTRY) ||
10539 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
10540 				   request->alpha2))
10541 			goto nla_put_failure;
10542 	}
10543 
10544 	if (request->wiphy_idx != WIPHY_IDX_INVALID &&
10545 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
10546 		goto nla_put_failure;
10547 
10548 	genlmsg_end(msg, hdr);
10549 
10550 	rcu_read_lock();
10551 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
10552 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
10553 	rcu_read_unlock();
10554 
10555 	return;
10556 
10557 nla_put_failure:
10558 	genlmsg_cancel(msg, hdr);
10559 	nlmsg_free(msg);
10560 }
10561 
10562 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
10563 				    struct net_device *netdev,
10564 				    const u8 *buf, size_t len,
10565 				    enum nl80211_commands cmd, gfp_t gfp,
10566 				    int uapsd_queues)
10567 {
10568 	struct sk_buff *msg;
10569 	void *hdr;
10570 
10571 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10572 	if (!msg)
10573 		return;
10574 
10575 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
10576 	if (!hdr) {
10577 		nlmsg_free(msg);
10578 		return;
10579 	}
10580 
10581 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10582 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
10583 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf))
10584 		goto nla_put_failure;
10585 
10586 	if (uapsd_queues >= 0) {
10587 		struct nlattr *nla_wmm =
10588 			nla_nest_start(msg, NL80211_ATTR_STA_WME);
10589 		if (!nla_wmm)
10590 			goto nla_put_failure;
10591 
10592 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
10593 			       uapsd_queues))
10594 			goto nla_put_failure;
10595 
10596 		nla_nest_end(msg, nla_wmm);
10597 	}
10598 
10599 	genlmsg_end(msg, hdr);
10600 
10601 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10602 				NL80211_MCGRP_MLME, gfp);
10603 	return;
10604 
10605  nla_put_failure:
10606 	genlmsg_cancel(msg, hdr);
10607 	nlmsg_free(msg);
10608 }
10609 
10610 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
10611 			  struct net_device *netdev, const u8 *buf,
10612 			  size_t len, gfp_t gfp)
10613 {
10614 	nl80211_send_mlme_event(rdev, netdev, buf, len,
10615 				NL80211_CMD_AUTHENTICATE, gfp, -1);
10616 }
10617 
10618 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
10619 			   struct net_device *netdev, const u8 *buf,
10620 			   size_t len, gfp_t gfp, int uapsd_queues)
10621 {
10622 	nl80211_send_mlme_event(rdev, netdev, buf, len,
10623 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues);
10624 }
10625 
10626 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
10627 			 struct net_device *netdev, const u8 *buf,
10628 			 size_t len, gfp_t gfp)
10629 {
10630 	nl80211_send_mlme_event(rdev, netdev, buf, len,
10631 				NL80211_CMD_DEAUTHENTICATE, gfp, -1);
10632 }
10633 
10634 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
10635 			   struct net_device *netdev, const u8 *buf,
10636 			   size_t len, gfp_t gfp)
10637 {
10638 	nl80211_send_mlme_event(rdev, netdev, buf, len,
10639 				NL80211_CMD_DISASSOCIATE, gfp, -1);
10640 }
10641 
10642 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
10643 				  size_t len)
10644 {
10645 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10646 	struct wiphy *wiphy = wdev->wiphy;
10647 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
10648 	const struct ieee80211_mgmt *mgmt = (void *)buf;
10649 	u32 cmd;
10650 
10651 	if (WARN_ON(len < 2))
10652 		return;
10653 
10654 	if (ieee80211_is_deauth(mgmt->frame_control))
10655 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
10656 	else
10657 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
10658 
10659 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
10660 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1);
10661 }
10662 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
10663 
10664 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
10665 				      struct net_device *netdev, int cmd,
10666 				      const u8 *addr, gfp_t gfp)
10667 {
10668 	struct sk_buff *msg;
10669 	void *hdr;
10670 
10671 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10672 	if (!msg)
10673 		return;
10674 
10675 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
10676 	if (!hdr) {
10677 		nlmsg_free(msg);
10678 		return;
10679 	}
10680 
10681 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10682 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
10683 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
10684 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
10685 		goto nla_put_failure;
10686 
10687 	genlmsg_end(msg, hdr);
10688 
10689 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10690 				NL80211_MCGRP_MLME, gfp);
10691 	return;
10692 
10693  nla_put_failure:
10694 	genlmsg_cancel(msg, hdr);
10695 	nlmsg_free(msg);
10696 }
10697 
10698 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
10699 			       struct net_device *netdev, const u8 *addr,
10700 			       gfp_t gfp)
10701 {
10702 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
10703 				  addr, gfp);
10704 }
10705 
10706 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
10707 				struct net_device *netdev, const u8 *addr,
10708 				gfp_t gfp)
10709 {
10710 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
10711 				  addr, gfp);
10712 }
10713 
10714 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
10715 				 struct net_device *netdev, const u8 *bssid,
10716 				 const u8 *req_ie, size_t req_ie_len,
10717 				 const u8 *resp_ie, size_t resp_ie_len,
10718 				 u16 status, gfp_t gfp)
10719 {
10720 	struct sk_buff *msg;
10721 	void *hdr;
10722 
10723 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10724 	if (!msg)
10725 		return;
10726 
10727 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
10728 	if (!hdr) {
10729 		nlmsg_free(msg);
10730 		return;
10731 	}
10732 
10733 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10734 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
10735 	    (bssid && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid)) ||
10736 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE, status) ||
10737 	    (req_ie &&
10738 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
10739 	    (resp_ie &&
10740 	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
10741 		goto nla_put_failure;
10742 
10743 	genlmsg_end(msg, hdr);
10744 
10745 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10746 				NL80211_MCGRP_MLME, gfp);
10747 	return;
10748 
10749  nla_put_failure:
10750 	genlmsg_cancel(msg, hdr);
10751 	nlmsg_free(msg);
10752 
10753 }
10754 
10755 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
10756 			 struct net_device *netdev, const u8 *bssid,
10757 			 const u8 *req_ie, size_t req_ie_len,
10758 			 const u8 *resp_ie, size_t resp_ie_len, gfp_t gfp)
10759 {
10760 	struct sk_buff *msg;
10761 	void *hdr;
10762 
10763 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10764 	if (!msg)
10765 		return;
10766 
10767 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
10768 	if (!hdr) {
10769 		nlmsg_free(msg);
10770 		return;
10771 	}
10772 
10773 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10774 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
10775 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
10776 	    (req_ie &&
10777 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
10778 	    (resp_ie &&
10779 	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
10780 		goto nla_put_failure;
10781 
10782 	genlmsg_end(msg, hdr);
10783 
10784 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10785 				NL80211_MCGRP_MLME, gfp);
10786 	return;
10787 
10788  nla_put_failure:
10789 	genlmsg_cancel(msg, hdr);
10790 	nlmsg_free(msg);
10791 
10792 }
10793 
10794 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
10795 			       struct net_device *netdev, u16 reason,
10796 			       const u8 *ie, size_t ie_len, bool from_ap)
10797 {
10798 	struct sk_buff *msg;
10799 	void *hdr;
10800 
10801 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10802 	if (!msg)
10803 		return;
10804 
10805 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
10806 	if (!hdr) {
10807 		nlmsg_free(msg);
10808 		return;
10809 	}
10810 
10811 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10812 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
10813 	    (from_ap && reason &&
10814 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
10815 	    (from_ap &&
10816 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
10817 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
10818 		goto nla_put_failure;
10819 
10820 	genlmsg_end(msg, hdr);
10821 
10822 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10823 				NL80211_MCGRP_MLME, GFP_KERNEL);
10824 	return;
10825 
10826  nla_put_failure:
10827 	genlmsg_cancel(msg, hdr);
10828 	nlmsg_free(msg);
10829 
10830 }
10831 
10832 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
10833 			     struct net_device *netdev, const u8 *bssid,
10834 			     gfp_t gfp)
10835 {
10836 	struct sk_buff *msg;
10837 	void *hdr;
10838 
10839 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10840 	if (!msg)
10841 		return;
10842 
10843 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
10844 	if (!hdr) {
10845 		nlmsg_free(msg);
10846 		return;
10847 	}
10848 
10849 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10850 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
10851 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
10852 		goto nla_put_failure;
10853 
10854 	genlmsg_end(msg, hdr);
10855 
10856 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10857 				NL80211_MCGRP_MLME, gfp);
10858 	return;
10859 
10860  nla_put_failure:
10861 	genlmsg_cancel(msg, hdr);
10862 	nlmsg_free(msg);
10863 }
10864 
10865 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
10866 					const u8* ie, u8 ie_len, gfp_t gfp)
10867 {
10868 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10869 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
10870 	struct sk_buff *msg;
10871 	void *hdr;
10872 
10873 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
10874 		return;
10875 
10876 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
10877 
10878 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10879 	if (!msg)
10880 		return;
10881 
10882 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
10883 	if (!hdr) {
10884 		nlmsg_free(msg);
10885 		return;
10886 	}
10887 
10888 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10889 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
10890 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
10891 	    (ie_len && ie &&
10892 	     nla_put(msg, NL80211_ATTR_IE, ie_len , ie)))
10893 		goto nla_put_failure;
10894 
10895 	genlmsg_end(msg, hdr);
10896 
10897 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10898 				NL80211_MCGRP_MLME, gfp);
10899 	return;
10900 
10901  nla_put_failure:
10902 	genlmsg_cancel(msg, hdr);
10903 	nlmsg_free(msg);
10904 }
10905 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
10906 
10907 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
10908 				 struct net_device *netdev, const u8 *addr,
10909 				 enum nl80211_key_type key_type, int key_id,
10910 				 const u8 *tsc, gfp_t gfp)
10911 {
10912 	struct sk_buff *msg;
10913 	void *hdr;
10914 
10915 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10916 	if (!msg)
10917 		return;
10918 
10919 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
10920 	if (!hdr) {
10921 		nlmsg_free(msg);
10922 		return;
10923 	}
10924 
10925 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10926 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
10927 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
10928 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
10929 	    (key_id != -1 &&
10930 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
10931 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
10932 		goto nla_put_failure;
10933 
10934 	genlmsg_end(msg, hdr);
10935 
10936 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
10937 				NL80211_MCGRP_MLME, gfp);
10938 	return;
10939 
10940  nla_put_failure:
10941 	genlmsg_cancel(msg, hdr);
10942 	nlmsg_free(msg);
10943 }
10944 
10945 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
10946 				    struct ieee80211_channel *channel_before,
10947 				    struct ieee80211_channel *channel_after)
10948 {
10949 	struct sk_buff *msg;
10950 	void *hdr;
10951 	struct nlattr *nl_freq;
10952 
10953 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
10954 	if (!msg)
10955 		return;
10956 
10957 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
10958 	if (!hdr) {
10959 		nlmsg_free(msg);
10960 		return;
10961 	}
10962 
10963 	/*
10964 	 * Since we are applying the beacon hint to a wiphy we know its
10965 	 * wiphy_idx is valid
10966 	 */
10967 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
10968 		goto nla_put_failure;
10969 
10970 	/* Before */
10971 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_BEFORE);
10972 	if (!nl_freq)
10973 		goto nla_put_failure;
10974 	if (nl80211_msg_put_channel(msg, channel_before, false))
10975 		goto nla_put_failure;
10976 	nla_nest_end(msg, nl_freq);
10977 
10978 	/* After */
10979 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_AFTER);
10980 	if (!nl_freq)
10981 		goto nla_put_failure;
10982 	if (nl80211_msg_put_channel(msg, channel_after, false))
10983 		goto nla_put_failure;
10984 	nla_nest_end(msg, nl_freq);
10985 
10986 	genlmsg_end(msg, hdr);
10987 
10988 	rcu_read_lock();
10989 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
10990 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
10991 	rcu_read_unlock();
10992 
10993 	return;
10994 
10995 nla_put_failure:
10996 	genlmsg_cancel(msg, hdr);
10997 	nlmsg_free(msg);
10998 }
10999 
11000 static void nl80211_send_remain_on_chan_event(
11001 	int cmd, struct cfg80211_registered_device *rdev,
11002 	struct wireless_dev *wdev, u64 cookie,
11003 	struct ieee80211_channel *chan,
11004 	unsigned int duration, gfp_t gfp)
11005 {
11006 	struct sk_buff *msg;
11007 	void *hdr;
11008 
11009 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11010 	if (!msg)
11011 		return;
11012 
11013 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
11014 	if (!hdr) {
11015 		nlmsg_free(msg);
11016 		return;
11017 	}
11018 
11019 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11020 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
11021 					 wdev->netdev->ifindex)) ||
11022 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
11023 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
11024 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
11025 			NL80211_CHAN_NO_HT) ||
11026 	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
11027 		goto nla_put_failure;
11028 
11029 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
11030 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
11031 		goto nla_put_failure;
11032 
11033 	genlmsg_end(msg, hdr);
11034 
11035 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11036 				NL80211_MCGRP_MLME, gfp);
11037 	return;
11038 
11039  nla_put_failure:
11040 	genlmsg_cancel(msg, hdr);
11041 	nlmsg_free(msg);
11042 }
11043 
11044 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
11045 			       struct ieee80211_channel *chan,
11046 			       unsigned int duration, gfp_t gfp)
11047 {
11048 	struct wiphy *wiphy = wdev->wiphy;
11049 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11050 
11051 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
11052 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
11053 					  rdev, wdev, cookie, chan,
11054 					  duration, gfp);
11055 }
11056 EXPORT_SYMBOL(cfg80211_ready_on_channel);
11057 
11058 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
11059 					struct ieee80211_channel *chan,
11060 					gfp_t gfp)
11061 {
11062 	struct wiphy *wiphy = wdev->wiphy;
11063 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11064 
11065 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
11066 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
11067 					  rdev, wdev, cookie, chan, 0, gfp);
11068 }
11069 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
11070 
11071 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
11072 		      struct station_info *sinfo, gfp_t gfp)
11073 {
11074 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
11075 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11076 	struct sk_buff *msg;
11077 
11078 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
11079 
11080 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11081 	if (!msg)
11082 		return;
11083 
11084 	if (nl80211_send_station(msg, 0, 0, 0,
11085 				 rdev, dev, mac_addr, sinfo) < 0) {
11086 		nlmsg_free(msg);
11087 		return;
11088 	}
11089 
11090 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11091 				NL80211_MCGRP_MLME, gfp);
11092 }
11093 EXPORT_SYMBOL(cfg80211_new_sta);
11094 
11095 void cfg80211_del_sta(struct net_device *dev, const u8 *mac_addr, gfp_t gfp)
11096 {
11097 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
11098 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11099 	struct sk_buff *msg;
11100 	void *hdr;
11101 
11102 	trace_cfg80211_del_sta(dev, mac_addr);
11103 
11104 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11105 	if (!msg)
11106 		return;
11107 
11108 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_STATION);
11109 	if (!hdr) {
11110 		nlmsg_free(msg);
11111 		return;
11112 	}
11113 
11114 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11115 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
11116 		goto nla_put_failure;
11117 
11118 	genlmsg_end(msg, hdr);
11119 
11120 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11121 				NL80211_MCGRP_MLME, gfp);
11122 	return;
11123 
11124  nla_put_failure:
11125 	genlmsg_cancel(msg, hdr);
11126 	nlmsg_free(msg);
11127 }
11128 EXPORT_SYMBOL(cfg80211_del_sta);
11129 
11130 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
11131 			  enum nl80211_connect_failed_reason reason,
11132 			  gfp_t gfp)
11133 {
11134 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
11135 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11136 	struct sk_buff *msg;
11137 	void *hdr;
11138 
11139 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
11140 	if (!msg)
11141 		return;
11142 
11143 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
11144 	if (!hdr) {
11145 		nlmsg_free(msg);
11146 		return;
11147 	}
11148 
11149 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11150 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
11151 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
11152 		goto nla_put_failure;
11153 
11154 	genlmsg_end(msg, hdr);
11155 
11156 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11157 				NL80211_MCGRP_MLME, gfp);
11158 	return;
11159 
11160  nla_put_failure:
11161 	genlmsg_cancel(msg, hdr);
11162 	nlmsg_free(msg);
11163 }
11164 EXPORT_SYMBOL(cfg80211_conn_failed);
11165 
11166 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
11167 				       const u8 *addr, gfp_t gfp)
11168 {
11169 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11170 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
11171 	struct sk_buff *msg;
11172 	void *hdr;
11173 	u32 nlportid = ACCESS_ONCE(wdev->ap_unexpected_nlportid);
11174 
11175 	if (!nlportid)
11176 		return false;
11177 
11178 	msg = nlmsg_new(100, gfp);
11179 	if (!msg)
11180 		return true;
11181 
11182 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
11183 	if (!hdr) {
11184 		nlmsg_free(msg);
11185 		return true;
11186 	}
11187 
11188 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11189 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11190 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
11191 		goto nla_put_failure;
11192 
11193 	genlmsg_end(msg, hdr);
11194 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
11195 	return true;
11196 
11197  nla_put_failure:
11198 	genlmsg_cancel(msg, hdr);
11199 	nlmsg_free(msg);
11200 	return true;
11201 }
11202 
11203 bool cfg80211_rx_spurious_frame(struct net_device *dev,
11204 				const u8 *addr, gfp_t gfp)
11205 {
11206 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11207 	bool ret;
11208 
11209 	trace_cfg80211_rx_spurious_frame(dev, addr);
11210 
11211 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
11212 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
11213 		trace_cfg80211_return_bool(false);
11214 		return false;
11215 	}
11216 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
11217 					 addr, gfp);
11218 	trace_cfg80211_return_bool(ret);
11219 	return ret;
11220 }
11221 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
11222 
11223 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
11224 					const u8 *addr, gfp_t gfp)
11225 {
11226 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11227 	bool ret;
11228 
11229 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
11230 
11231 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
11232 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
11233 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
11234 		trace_cfg80211_return_bool(false);
11235 		return false;
11236 	}
11237 	ret = __nl80211_unexpected_frame(dev,
11238 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
11239 					 addr, gfp);
11240 	trace_cfg80211_return_bool(ret);
11241 	return ret;
11242 }
11243 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
11244 
11245 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
11246 		      struct wireless_dev *wdev, u32 nlportid,
11247 		      int freq, int sig_dbm,
11248 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
11249 {
11250 	struct net_device *netdev = wdev->netdev;
11251 	struct sk_buff *msg;
11252 	void *hdr;
11253 
11254 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11255 	if (!msg)
11256 		return -ENOMEM;
11257 
11258 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
11259 	if (!hdr) {
11260 		nlmsg_free(msg);
11261 		return -ENOMEM;
11262 	}
11263 
11264 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11265 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
11266 					netdev->ifindex)) ||
11267 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
11268 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq) ||
11269 	    (sig_dbm &&
11270 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
11271 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
11272 	    (flags &&
11273 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
11274 		goto nla_put_failure;
11275 
11276 	genlmsg_end(msg, hdr);
11277 
11278 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
11279 
11280  nla_put_failure:
11281 	genlmsg_cancel(msg, hdr);
11282 	nlmsg_free(msg);
11283 	return -ENOBUFS;
11284 }
11285 
11286 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
11287 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
11288 {
11289 	struct wiphy *wiphy = wdev->wiphy;
11290 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11291 	struct net_device *netdev = wdev->netdev;
11292 	struct sk_buff *msg;
11293 	void *hdr;
11294 
11295 	trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
11296 
11297 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11298 	if (!msg)
11299 		return;
11300 
11301 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME_TX_STATUS);
11302 	if (!hdr) {
11303 		nlmsg_free(msg);
11304 		return;
11305 	}
11306 
11307 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11308 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
11309 				   netdev->ifindex)) ||
11310 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
11311 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
11312 	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie) ||
11313 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
11314 		goto nla_put_failure;
11315 
11316 	genlmsg_end(msg, hdr);
11317 
11318 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11319 				NL80211_MCGRP_MLME, gfp);
11320 	return;
11321 
11322  nla_put_failure:
11323 	genlmsg_cancel(msg, hdr);
11324 	nlmsg_free(msg);
11325 }
11326 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
11327 
11328 void cfg80211_cqm_rssi_notify(struct net_device *dev,
11329 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
11330 			      gfp_t gfp)
11331 {
11332 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11333 	struct wiphy *wiphy = wdev->wiphy;
11334 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11335 	struct sk_buff *msg;
11336 	struct nlattr *pinfoattr;
11337 	void *hdr;
11338 
11339 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event);
11340 
11341 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11342 	if (!msg)
11343 		return;
11344 
11345 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
11346 	if (!hdr) {
11347 		nlmsg_free(msg);
11348 		return;
11349 	}
11350 
11351 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11352 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
11353 		goto nla_put_failure;
11354 
11355 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_CQM);
11356 	if (!pinfoattr)
11357 		goto nla_put_failure;
11358 
11359 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
11360 			rssi_event))
11361 		goto nla_put_failure;
11362 
11363 	nla_nest_end(msg, pinfoattr);
11364 
11365 	genlmsg_end(msg, hdr);
11366 
11367 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11368 				NL80211_MCGRP_MLME, gfp);
11369 	return;
11370 
11371  nla_put_failure:
11372 	genlmsg_cancel(msg, hdr);
11373 	nlmsg_free(msg);
11374 }
11375 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
11376 
11377 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
11378 				     struct net_device *netdev, const u8 *bssid,
11379 				     const u8 *replay_ctr, gfp_t gfp)
11380 {
11381 	struct sk_buff *msg;
11382 	struct nlattr *rekey_attr;
11383 	void *hdr;
11384 
11385 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11386 	if (!msg)
11387 		return;
11388 
11389 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
11390 	if (!hdr) {
11391 		nlmsg_free(msg);
11392 		return;
11393 	}
11394 
11395 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11396 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11397 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
11398 		goto nla_put_failure;
11399 
11400 	rekey_attr = nla_nest_start(msg, NL80211_ATTR_REKEY_DATA);
11401 	if (!rekey_attr)
11402 		goto nla_put_failure;
11403 
11404 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
11405 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
11406 		goto nla_put_failure;
11407 
11408 	nla_nest_end(msg, rekey_attr);
11409 
11410 	genlmsg_end(msg, hdr);
11411 
11412 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11413 				NL80211_MCGRP_MLME, gfp);
11414 	return;
11415 
11416  nla_put_failure:
11417 	genlmsg_cancel(msg, hdr);
11418 	nlmsg_free(msg);
11419 }
11420 
11421 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
11422 			       const u8 *replay_ctr, gfp_t gfp)
11423 {
11424 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11425 	struct wiphy *wiphy = wdev->wiphy;
11426 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11427 
11428 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
11429 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
11430 }
11431 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
11432 
11433 static void
11434 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
11435 			       struct net_device *netdev, int index,
11436 			       const u8 *bssid, bool preauth, gfp_t gfp)
11437 {
11438 	struct sk_buff *msg;
11439 	struct nlattr *attr;
11440 	void *hdr;
11441 
11442 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11443 	if (!msg)
11444 		return;
11445 
11446 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
11447 	if (!hdr) {
11448 		nlmsg_free(msg);
11449 		return;
11450 	}
11451 
11452 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11453 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
11454 		goto nla_put_failure;
11455 
11456 	attr = nla_nest_start(msg, NL80211_ATTR_PMKSA_CANDIDATE);
11457 	if (!attr)
11458 		goto nla_put_failure;
11459 
11460 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
11461 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
11462 	    (preauth &&
11463 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
11464 		goto nla_put_failure;
11465 
11466 	nla_nest_end(msg, attr);
11467 
11468 	genlmsg_end(msg, hdr);
11469 
11470 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11471 				NL80211_MCGRP_MLME, gfp);
11472 	return;
11473 
11474  nla_put_failure:
11475 	genlmsg_cancel(msg, hdr);
11476 	nlmsg_free(msg);
11477 }
11478 
11479 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
11480 				     const u8 *bssid, bool preauth, gfp_t gfp)
11481 {
11482 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11483 	struct wiphy *wiphy = wdev->wiphy;
11484 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11485 
11486 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
11487 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
11488 }
11489 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
11490 
11491 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
11492 				     struct net_device *netdev,
11493 				     struct cfg80211_chan_def *chandef,
11494 				     gfp_t gfp)
11495 {
11496 	struct sk_buff *msg;
11497 	void *hdr;
11498 
11499 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11500 	if (!msg)
11501 		return;
11502 
11503 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CH_SWITCH_NOTIFY);
11504 	if (!hdr) {
11505 		nlmsg_free(msg);
11506 		return;
11507 	}
11508 
11509 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
11510 		goto nla_put_failure;
11511 
11512 	if (nl80211_send_chandef(msg, chandef))
11513 		goto nla_put_failure;
11514 
11515 	genlmsg_end(msg, hdr);
11516 
11517 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11518 				NL80211_MCGRP_MLME, gfp);
11519 	return;
11520 
11521  nla_put_failure:
11522 	genlmsg_cancel(msg, hdr);
11523 	nlmsg_free(msg);
11524 }
11525 
11526 void cfg80211_ch_switch_notify(struct net_device *dev,
11527 			       struct cfg80211_chan_def *chandef)
11528 {
11529 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11530 	struct wiphy *wiphy = wdev->wiphy;
11531 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11532 
11533 	ASSERT_WDEV_LOCK(wdev);
11534 
11535 	trace_cfg80211_ch_switch_notify(dev, chandef);
11536 
11537 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
11538 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
11539 		    wdev->iftype != NL80211_IFTYPE_ADHOC &&
11540 		    wdev->iftype != NL80211_IFTYPE_MESH_POINT))
11541 		return;
11542 
11543 	wdev->chandef = *chandef;
11544 	wdev->preset_chandef = *chandef;
11545 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL);
11546 }
11547 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
11548 
11549 void cfg80211_cqm_txe_notify(struct net_device *dev,
11550 			     const u8 *peer, u32 num_packets,
11551 			     u32 rate, u32 intvl, gfp_t gfp)
11552 {
11553 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11554 	struct wiphy *wiphy = wdev->wiphy;
11555 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11556 	struct sk_buff *msg;
11557 	struct nlattr *pinfoattr;
11558 	void *hdr;
11559 
11560 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
11561 	if (!msg)
11562 		return;
11563 
11564 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
11565 	if (!hdr) {
11566 		nlmsg_free(msg);
11567 		return;
11568 	}
11569 
11570 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11571 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11572 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer))
11573 		goto nla_put_failure;
11574 
11575 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_CQM);
11576 	if (!pinfoattr)
11577 		goto nla_put_failure;
11578 
11579 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
11580 		goto nla_put_failure;
11581 
11582 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
11583 		goto nla_put_failure;
11584 
11585 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
11586 		goto nla_put_failure;
11587 
11588 	nla_nest_end(msg, pinfoattr);
11589 
11590 	genlmsg_end(msg, hdr);
11591 
11592 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11593 				NL80211_MCGRP_MLME, gfp);
11594 	return;
11595 
11596  nla_put_failure:
11597 	genlmsg_cancel(msg, hdr);
11598 	nlmsg_free(msg);
11599 }
11600 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
11601 
11602 void
11603 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
11604 		     const struct cfg80211_chan_def *chandef,
11605 		     enum nl80211_radar_event event,
11606 		     struct net_device *netdev, gfp_t gfp)
11607 {
11608 	struct sk_buff *msg;
11609 	void *hdr;
11610 
11611 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11612 	if (!msg)
11613 		return;
11614 
11615 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
11616 	if (!hdr) {
11617 		nlmsg_free(msg);
11618 		return;
11619 	}
11620 
11621 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
11622 		goto nla_put_failure;
11623 
11624 	/* NOP and radar events don't need a netdev parameter */
11625 	if (netdev) {
11626 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
11627 
11628 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11629 		    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
11630 			goto nla_put_failure;
11631 	}
11632 
11633 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
11634 		goto nla_put_failure;
11635 
11636 	if (nl80211_send_chandef(msg, chandef))
11637 		goto nla_put_failure;
11638 
11639 	genlmsg_end(msg, hdr);
11640 
11641 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11642 				NL80211_MCGRP_MLME, gfp);
11643 	return;
11644 
11645  nla_put_failure:
11646 	genlmsg_cancel(msg, hdr);
11647 	nlmsg_free(msg);
11648 }
11649 
11650 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
11651 				 const u8 *peer, u32 num_packets, gfp_t gfp)
11652 {
11653 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11654 	struct wiphy *wiphy = wdev->wiphy;
11655 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11656 	struct sk_buff *msg;
11657 	struct nlattr *pinfoattr;
11658 	void *hdr;
11659 
11660 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
11661 
11662 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11663 	if (!msg)
11664 		return;
11665 
11666 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
11667 	if (!hdr) {
11668 		nlmsg_free(msg);
11669 		return;
11670 	}
11671 
11672 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11673 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11674 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer))
11675 		goto nla_put_failure;
11676 
11677 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_CQM);
11678 	if (!pinfoattr)
11679 		goto nla_put_failure;
11680 
11681 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
11682 		goto nla_put_failure;
11683 
11684 	nla_nest_end(msg, pinfoattr);
11685 
11686 	genlmsg_end(msg, hdr);
11687 
11688 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11689 				NL80211_MCGRP_MLME, gfp);
11690 	return;
11691 
11692  nla_put_failure:
11693 	genlmsg_cancel(msg, hdr);
11694 	nlmsg_free(msg);
11695 }
11696 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
11697 
11698 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
11699 			   u64 cookie, bool acked, gfp_t gfp)
11700 {
11701 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11702 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
11703 	struct sk_buff *msg;
11704 	void *hdr;
11705 
11706 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
11707 
11708 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11709 
11710 	if (!msg)
11711 		return;
11712 
11713 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
11714 	if (!hdr) {
11715 		nlmsg_free(msg);
11716 		return;
11717 	}
11718 
11719 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11720 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11721 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
11722 	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie) ||
11723 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)))
11724 		goto nla_put_failure;
11725 
11726 	genlmsg_end(msg, hdr);
11727 
11728 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11729 				NL80211_MCGRP_MLME, gfp);
11730 	return;
11731 
11732  nla_put_failure:
11733 	genlmsg_cancel(msg, hdr);
11734 	nlmsg_free(msg);
11735 }
11736 EXPORT_SYMBOL(cfg80211_probe_status);
11737 
11738 void cfg80211_report_obss_beacon(struct wiphy *wiphy,
11739 				 const u8 *frame, size_t len,
11740 				 int freq, int sig_dbm)
11741 {
11742 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11743 	struct sk_buff *msg;
11744 	void *hdr;
11745 	struct cfg80211_beacon_registration *reg;
11746 
11747 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
11748 
11749 	spin_lock_bh(&rdev->beacon_registrations_lock);
11750 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
11751 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
11752 		if (!msg) {
11753 			spin_unlock_bh(&rdev->beacon_registrations_lock);
11754 			return;
11755 		}
11756 
11757 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
11758 		if (!hdr)
11759 			goto nla_put_failure;
11760 
11761 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11762 		    (freq &&
11763 		     nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq)) ||
11764 		    (sig_dbm &&
11765 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
11766 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
11767 			goto nla_put_failure;
11768 
11769 		genlmsg_end(msg, hdr);
11770 
11771 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
11772 	}
11773 	spin_unlock_bh(&rdev->beacon_registrations_lock);
11774 	return;
11775 
11776  nla_put_failure:
11777 	spin_unlock_bh(&rdev->beacon_registrations_lock);
11778 	if (hdr)
11779 		genlmsg_cancel(msg, hdr);
11780 	nlmsg_free(msg);
11781 }
11782 EXPORT_SYMBOL(cfg80211_report_obss_beacon);
11783 
11784 #ifdef CONFIG_PM
11785 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
11786 				   struct cfg80211_wowlan_wakeup *wakeup,
11787 				   gfp_t gfp)
11788 {
11789 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
11790 	struct sk_buff *msg;
11791 	void *hdr;
11792 	int size = 200;
11793 
11794 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
11795 
11796 	if (wakeup)
11797 		size += wakeup->packet_present_len;
11798 
11799 	msg = nlmsg_new(size, gfp);
11800 	if (!msg)
11801 		return;
11802 
11803 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
11804 	if (!hdr)
11805 		goto free_msg;
11806 
11807 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11808 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
11809 		goto free_msg;
11810 
11811 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
11812 					wdev->netdev->ifindex))
11813 		goto free_msg;
11814 
11815 	if (wakeup) {
11816 		struct nlattr *reasons;
11817 
11818 		reasons = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
11819 		if (!reasons)
11820 			goto free_msg;
11821 
11822 		if (wakeup->disconnect &&
11823 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
11824 			goto free_msg;
11825 		if (wakeup->magic_pkt &&
11826 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
11827 			goto free_msg;
11828 		if (wakeup->gtk_rekey_failure &&
11829 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
11830 			goto free_msg;
11831 		if (wakeup->eap_identity_req &&
11832 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
11833 			goto free_msg;
11834 		if (wakeup->four_way_handshake &&
11835 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
11836 			goto free_msg;
11837 		if (wakeup->rfkill_release &&
11838 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
11839 			goto free_msg;
11840 
11841 		if (wakeup->pattern_idx >= 0 &&
11842 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
11843 				wakeup->pattern_idx))
11844 			goto free_msg;
11845 
11846 		if (wakeup->tcp_match &&
11847 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
11848 			goto free_msg;
11849 
11850 		if (wakeup->tcp_connlost &&
11851 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
11852 			goto free_msg;
11853 
11854 		if (wakeup->tcp_nomoretokens &&
11855 		    nla_put_flag(msg,
11856 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
11857 			goto free_msg;
11858 
11859 		if (wakeup->packet) {
11860 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
11861 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
11862 
11863 			if (!wakeup->packet_80211) {
11864 				pkt_attr =
11865 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
11866 				len_attr =
11867 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
11868 			}
11869 
11870 			if (wakeup->packet_len &&
11871 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
11872 				goto free_msg;
11873 
11874 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
11875 				    wakeup->packet))
11876 				goto free_msg;
11877 		}
11878 
11879 		nla_nest_end(msg, reasons);
11880 	}
11881 
11882 	genlmsg_end(msg, hdr);
11883 
11884 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11885 				NL80211_MCGRP_MLME, gfp);
11886 	return;
11887 
11888  free_msg:
11889 	nlmsg_free(msg);
11890 }
11891 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
11892 #endif
11893 
11894 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
11895 				enum nl80211_tdls_operation oper,
11896 				u16 reason_code, gfp_t gfp)
11897 {
11898 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11899 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
11900 	struct sk_buff *msg;
11901 	void *hdr;
11902 
11903 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
11904 					 reason_code);
11905 
11906 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11907 	if (!msg)
11908 		return;
11909 
11910 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
11911 	if (!hdr) {
11912 		nlmsg_free(msg);
11913 		return;
11914 	}
11915 
11916 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11917 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11918 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
11919 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
11920 	    (reason_code > 0 &&
11921 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
11922 		goto nla_put_failure;
11923 
11924 	genlmsg_end(msg, hdr);
11925 
11926 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11927 				NL80211_MCGRP_MLME, gfp);
11928 	return;
11929 
11930  nla_put_failure:
11931 	genlmsg_cancel(msg, hdr);
11932 	nlmsg_free(msg);
11933 }
11934 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
11935 
11936 static int nl80211_netlink_notify(struct notifier_block * nb,
11937 				  unsigned long state,
11938 				  void *_notify)
11939 {
11940 	struct netlink_notify *notify = _notify;
11941 	struct cfg80211_registered_device *rdev;
11942 	struct wireless_dev *wdev;
11943 	struct cfg80211_beacon_registration *reg, *tmp;
11944 
11945 	if (state != NETLINK_URELEASE)
11946 		return NOTIFY_DONE;
11947 
11948 	rcu_read_lock();
11949 
11950 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
11951 		bool schedule_destroy_work = false;
11952 
11953 		list_for_each_entry_rcu(wdev, &rdev->wdev_list, list) {
11954 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
11955 
11956 			if (wdev->owner_nlportid == notify->portid)
11957 				schedule_destroy_work = true;
11958 		}
11959 
11960 		spin_lock_bh(&rdev->beacon_registrations_lock);
11961 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
11962 					 list) {
11963 			if (reg->nlportid == notify->portid) {
11964 				list_del(&reg->list);
11965 				kfree(reg);
11966 				break;
11967 			}
11968 		}
11969 		spin_unlock_bh(&rdev->beacon_registrations_lock);
11970 
11971 		if (schedule_destroy_work) {
11972 			struct cfg80211_iface_destroy *destroy;
11973 
11974 			destroy = kzalloc(sizeof(*destroy), GFP_ATOMIC);
11975 			if (destroy) {
11976 				destroy->nlportid = notify->portid;
11977 				spin_lock(&rdev->destroy_list_lock);
11978 				list_add(&destroy->list, &rdev->destroy_list);
11979 				spin_unlock(&rdev->destroy_list_lock);
11980 				schedule_work(&rdev->destroy_work);
11981 			}
11982 		}
11983 	}
11984 
11985 	rcu_read_unlock();
11986 
11987 	return NOTIFY_OK;
11988 }
11989 
11990 static struct notifier_block nl80211_netlink_notifier = {
11991 	.notifier_call = nl80211_netlink_notify,
11992 };
11993 
11994 void cfg80211_ft_event(struct net_device *netdev,
11995 		       struct cfg80211_ft_event_params *ft_event)
11996 {
11997 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
11998 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11999 	struct sk_buff *msg;
12000 	void *hdr;
12001 
12002 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
12003 
12004 	if (!ft_event->target_ap)
12005 		return;
12006 
12007 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12008 	if (!msg)
12009 		return;
12010 
12011 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
12012 	if (!hdr)
12013 		goto out;
12014 
12015 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12016 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12017 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
12018 		goto out;
12019 
12020 	if (ft_event->ies &&
12021 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
12022 		goto out;
12023 	if (ft_event->ric_ies &&
12024 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
12025 		    ft_event->ric_ies))
12026 		goto out;
12027 
12028 	genlmsg_end(msg, hdr);
12029 
12030 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12031 				NL80211_MCGRP_MLME, GFP_KERNEL);
12032 	return;
12033  out:
12034 	nlmsg_free(msg);
12035 }
12036 EXPORT_SYMBOL(cfg80211_ft_event);
12037 
12038 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
12039 {
12040 	struct cfg80211_registered_device *rdev;
12041 	struct sk_buff *msg;
12042 	void *hdr;
12043 	u32 nlportid;
12044 
12045 	rdev = wiphy_to_rdev(wdev->wiphy);
12046 	if (!rdev->crit_proto_nlportid)
12047 		return;
12048 
12049 	nlportid = rdev->crit_proto_nlportid;
12050 	rdev->crit_proto_nlportid = 0;
12051 
12052 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12053 	if (!msg)
12054 		return;
12055 
12056 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
12057 	if (!hdr)
12058 		goto nla_put_failure;
12059 
12060 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12061 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
12062 		goto nla_put_failure;
12063 
12064 	genlmsg_end(msg, hdr);
12065 
12066 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
12067 	return;
12068 
12069  nla_put_failure:
12070 	if (hdr)
12071 		genlmsg_cancel(msg, hdr);
12072 	nlmsg_free(msg);
12073 
12074 }
12075 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
12076 
12077 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
12078 {
12079 	struct wiphy *wiphy = wdev->wiphy;
12080 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12081 	struct sk_buff *msg;
12082 	void *hdr;
12083 
12084 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12085 	if (!msg)
12086 		return;
12087 
12088 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
12089 	if (!hdr)
12090 		goto out;
12091 
12092 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12093 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
12094 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
12095 		goto out;
12096 
12097 	genlmsg_end(msg, hdr);
12098 
12099 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
12100 				NL80211_MCGRP_MLME, GFP_KERNEL);
12101 	return;
12102  out:
12103 	nlmsg_free(msg);
12104 }
12105 
12106 /* initialisation/exit functions */
12107 
12108 int nl80211_init(void)
12109 {
12110 	int err;
12111 
12112 	err = genl_register_family_with_ops_groups(&nl80211_fam, nl80211_ops,
12113 						   nl80211_mcgrps);
12114 	if (err)
12115 		return err;
12116 
12117 	err = netlink_register_notifier(&nl80211_netlink_notifier);
12118 	if (err)
12119 		goto err_out;
12120 
12121 	return 0;
12122  err_out:
12123 	genl_unregister_family(&nl80211_fam);
12124 	return err;
12125 }
12126 
12127 void nl80211_exit(void)
12128 {
12129 	netlink_unregister_notifier(&nl80211_netlink_notifier);
12130 	genl_unregister_family(&nl80211_fam);
12131 }
12132