xref: /linux/net/wireless/nl80211.c (revision 0883c2c06fb5bcf5b9e008270827e63c09a88c1e) 
1 /*
2  * This is the new netlink-based wireless configuration interface.
3  *
4  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
5  * Copyright 2013-2014  Intel Mobile Communications GmbH
6  * Copyright 2015-2016	Intel Deutschland GmbH
7  */
8 
9 #include <linux/if.h>
10 #include <linux/module.h>
11 #include <linux/err.h>
12 #include <linux/slab.h>
13 #include <linux/list.h>
14 #include <linux/if_ether.h>
15 #include <linux/ieee80211.h>
16 #include <linux/nl80211.h>
17 #include <linux/rtnetlink.h>
18 #include <linux/netlink.h>
19 #include <linux/etherdevice.h>
20 #include <net/net_namespace.h>
21 #include <net/genetlink.h>
22 #include <net/cfg80211.h>
23 #include <net/sock.h>
24 #include <net/inet_connection_sock.h>
25 #include "core.h"
26 #include "nl80211.h"
27 #include "reg.h"
28 #include "rdev-ops.h"
29 
30 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
31 				   struct genl_info *info,
32 				   struct cfg80211_crypto_settings *settings,
33 				   int cipher_limit);
34 
35 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
36 			    struct genl_info *info);
37 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
38 			      struct genl_info *info);
39 
40 /* the netlink family */
41 static struct genl_family nl80211_fam = {
42 	.id = GENL_ID_GENERATE,		/* don't bother with a hardcoded ID */
43 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
44 	.hdrsize = 0,			/* no private header */
45 	.version = 1,			/* no particular meaning now */
46 	.maxattr = NL80211_ATTR_MAX,
47 	.netnsok = true,
48 	.pre_doit = nl80211_pre_doit,
49 	.post_doit = nl80211_post_doit,
50 };
51 
52 /* multicast groups */
53 enum nl80211_multicast_groups {
54 	NL80211_MCGRP_CONFIG,
55 	NL80211_MCGRP_SCAN,
56 	NL80211_MCGRP_REGULATORY,
57 	NL80211_MCGRP_MLME,
58 	NL80211_MCGRP_VENDOR,
59 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
60 };
61 
62 static const struct genl_multicast_group nl80211_mcgrps[] = {
63 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
64 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
65 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
66 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
67 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
68 #ifdef CONFIG_NL80211_TESTMODE
69 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
70 #endif
71 };
72 
73 /* returns ERR_PTR values */
74 static struct wireless_dev *
75 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
76 {
77 	struct cfg80211_registered_device *rdev;
78 	struct wireless_dev *result = NULL;
79 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
80 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
81 	u64 wdev_id;
82 	int wiphy_idx = -1;
83 	int ifidx = -1;
84 
85 	ASSERT_RTNL();
86 
87 	if (!have_ifidx && !have_wdev_id)
88 		return ERR_PTR(-EINVAL);
89 
90 	if (have_ifidx)
91 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
92 	if (have_wdev_id) {
93 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
94 		wiphy_idx = wdev_id >> 32;
95 	}
96 
97 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
98 		struct wireless_dev *wdev;
99 
100 		if (wiphy_net(&rdev->wiphy) != netns)
101 			continue;
102 
103 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
104 			continue;
105 
106 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
107 			if (have_ifidx && wdev->netdev &&
108 			    wdev->netdev->ifindex == ifidx) {
109 				result = wdev;
110 				break;
111 			}
112 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
113 				result = wdev;
114 				break;
115 			}
116 		}
117 
118 		if (result)
119 			break;
120 	}
121 
122 	if (result)
123 		return result;
124 	return ERR_PTR(-ENODEV);
125 }
126 
127 static struct cfg80211_registered_device *
128 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
129 {
130 	struct cfg80211_registered_device *rdev = NULL, *tmp;
131 	struct net_device *netdev;
132 
133 	ASSERT_RTNL();
134 
135 	if (!attrs[NL80211_ATTR_WIPHY] &&
136 	    !attrs[NL80211_ATTR_IFINDEX] &&
137 	    !attrs[NL80211_ATTR_WDEV])
138 		return ERR_PTR(-EINVAL);
139 
140 	if (attrs[NL80211_ATTR_WIPHY])
141 		rdev = cfg80211_rdev_by_wiphy_idx(
142 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
143 
144 	if (attrs[NL80211_ATTR_WDEV]) {
145 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
146 		struct wireless_dev *wdev;
147 		bool found = false;
148 
149 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
150 		if (tmp) {
151 			/* make sure wdev exists */
152 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
153 				if (wdev->identifier != (u32)wdev_id)
154 					continue;
155 				found = true;
156 				break;
157 			}
158 
159 			if (!found)
160 				tmp = NULL;
161 
162 			if (rdev && tmp != rdev)
163 				return ERR_PTR(-EINVAL);
164 			rdev = tmp;
165 		}
166 	}
167 
168 	if (attrs[NL80211_ATTR_IFINDEX]) {
169 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
170 		netdev = __dev_get_by_index(netns, ifindex);
171 		if (netdev) {
172 			if (netdev->ieee80211_ptr)
173 				tmp = wiphy_to_rdev(
174 					netdev->ieee80211_ptr->wiphy);
175 			else
176 				tmp = NULL;
177 
178 			/* not wireless device -- return error */
179 			if (!tmp)
180 				return ERR_PTR(-EINVAL);
181 
182 			/* mismatch -- return error */
183 			if (rdev && tmp != rdev)
184 				return ERR_PTR(-EINVAL);
185 
186 			rdev = tmp;
187 		}
188 	}
189 
190 	if (!rdev)
191 		return ERR_PTR(-ENODEV);
192 
193 	if (netns != wiphy_net(&rdev->wiphy))
194 		return ERR_PTR(-ENODEV);
195 
196 	return rdev;
197 }
198 
199 /*
200  * This function returns a pointer to the driver
201  * that the genl_info item that is passed refers to.
202  *
203  * The result of this can be a PTR_ERR and hence must
204  * be checked with IS_ERR() for errors.
205  */
206 static struct cfg80211_registered_device *
207 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
208 {
209 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
210 }
211 
212 /* policy for the attributes */
213 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
214 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
215 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
216 				      .len = 20-1 },
217 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
218 
219 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
220 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
221 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
222 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
223 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
224 
225 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = { .type = NLA_U8 },
226 	[NL80211_ATTR_WIPHY_RETRY_LONG] = { .type = NLA_U8 },
227 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
228 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
229 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
230 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
231 
232 	[NL80211_ATTR_IFTYPE] = { .type = NLA_U32 },
233 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
234 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
235 
236 	[NL80211_ATTR_MAC] = { .len = ETH_ALEN },
237 	[NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },
238 
239 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
240 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
241 				    .len = WLAN_MAX_KEY_LEN },
242 	[NL80211_ATTR_KEY_IDX] = { .type = NLA_U8 },
243 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
244 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
245 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
246 	[NL80211_ATTR_KEY_TYPE] = { .type = NLA_U32 },
247 
248 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
249 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
250 	[NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
251 				       .len = IEEE80211_MAX_DATA_LEN },
252 	[NL80211_ATTR_BEACON_TAIL] = { .type = NLA_BINARY,
253 				       .len = IEEE80211_MAX_DATA_LEN },
254 	[NL80211_ATTR_STA_AID] = { .type = NLA_U16 },
255 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
256 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
257 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
258 					       .len = NL80211_MAX_SUPP_RATES },
259 	[NL80211_ATTR_STA_PLINK_ACTION] = { .type = NLA_U8 },
260 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
261 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
262 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
263 				   .len = IEEE80211_MAX_MESH_ID_LEN },
264 	[NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
265 
266 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
267 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
268 
269 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
270 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
271 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
272 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
273 					   .len = NL80211_MAX_SUPP_RATES },
274 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
275 
276 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
277 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
278 
279 	[NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
280 
281 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
282 	[NL80211_ATTR_IE] = { .type = NLA_BINARY,
283 			      .len = IEEE80211_MAX_DATA_LEN },
284 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
285 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
286 
287 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
288 				.len = IEEE80211_MAX_SSID_LEN },
289 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
290 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
291 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
292 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
293 	[NL80211_ATTR_USE_MFP] = { .type = NLA_U32 },
294 	[NL80211_ATTR_STA_FLAGS2] = {
295 		.len = sizeof(struct nl80211_sta_flag_update),
296 	},
297 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
298 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
299 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
300 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
301 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
302 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
303 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
304 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
305 	[NL80211_ATTR_PMKID] = { .type = NLA_BINARY,
306 				 .len = WLAN_PMKID_LEN },
307 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
308 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
309 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
310 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
311 				 .len = IEEE80211_MAX_DATA_LEN },
312 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
313 	[NL80211_ATTR_PS_STATE] = { .type = NLA_U32 },
314 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
315 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
316 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
317 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
318 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
319 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
320 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
321 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
322 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
323 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
324 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
325 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
326 	[NL80211_ATTR_STA_PLINK_STATE] = { .type = NLA_U8 },
327 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
328 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
329 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
330 	[NL80211_ATTR_HIDDEN_SSID] = { .type = NLA_U32 },
331 	[NL80211_ATTR_IE_PROBE_RESP] = { .type = NLA_BINARY,
332 					 .len = IEEE80211_MAX_DATA_LEN },
333 	[NL80211_ATTR_IE_ASSOC_RESP] = { .type = NLA_BINARY,
334 					 .len = IEEE80211_MAX_DATA_LEN },
335 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
336 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
337 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
338 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
339 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
340 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
341 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
342 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
343 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
344 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
345 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
346 				      .len = IEEE80211_MAX_DATA_LEN },
347 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
348 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
349 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
350 		.len = NL80211_HT_CAPABILITY_LEN
351 	},
352 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
353 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
354 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
355 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
356 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
357 	[NL80211_ATTR_SAE_DATA] = { .type = NLA_BINARY, },
358 	[NL80211_ATTR_VHT_CAPABILITY] = { .len = NL80211_VHT_CAPABILITY_LEN },
359 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
360 	[NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
361 	[NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
362 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
363 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
364 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
365 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
366 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
367 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
368 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
369 		.len = NL80211_VHT_CAPABILITY_LEN,
370 	},
371 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
372 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
373 				  .len = IEEE80211_MAX_DATA_LEN },
374 	[NL80211_ATTR_PEER_AID] = { .type = NLA_U16 },
375 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
376 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
377 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
378 	[NL80211_ATTR_CSA_C_OFF_BEACON] = { .type = NLA_BINARY },
379 	[NL80211_ATTR_CSA_C_OFF_PRESP] = { .type = NLA_BINARY },
380 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = { .type = NLA_BINARY },
381 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] = { .type = NLA_BINARY },
382 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
383 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
384 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
385 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
386 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
387 	[NL80211_ATTR_QOS_MAP] = { .type = NLA_BINARY,
388 				   .len = IEEE80211_QOS_MAP_LEN_MAX },
389 	[NL80211_ATTR_MAC_HINT] = { .len = ETH_ALEN },
390 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
391 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
392 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
393 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
394 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
395 	[NL80211_ATTR_TSID] = { .type = NLA_U8 },
396 	[NL80211_ATTR_USER_PRIO] = { .type = NLA_U8 },
397 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
398 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
399 	[NL80211_ATTR_MAC_MASK] = { .len = ETH_ALEN },
400 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
401 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
402 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
403 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
404 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
405 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
406 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] = { .type = NLA_U8 },
407 };
408 
409 /* policy for the key attributes */
410 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
411 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
412 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
413 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
414 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
415 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
416 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
417 	[NL80211_KEY_TYPE] = { .type = NLA_U32 },
418 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
419 };
420 
421 /* policy for the key default flags */
422 static const struct nla_policy
423 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
424 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
425 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
426 };
427 
428 /* policy for WoWLAN attributes */
429 static const struct nla_policy
430 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
431 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
432 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
433 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
434 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
435 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
436 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
437 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
438 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
439 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
440 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
441 };
442 
443 static const struct nla_policy
444 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
445 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
446 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
447 	[NL80211_WOWLAN_TCP_DST_MAC] = { .len = ETH_ALEN },
448 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
449 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
450 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = { .len = 1 },
451 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
452 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
453 	},
454 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
455 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
456 	},
457 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
458 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = { .len = 1 },
459 	[NL80211_WOWLAN_TCP_WAKE_MASK] = { .len = 1 },
460 };
461 
462 /* policy for coalesce rule attributes */
463 static const struct nla_policy
464 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
465 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
466 	[NL80211_ATTR_COALESCE_RULE_CONDITION] = { .type = NLA_U32 },
467 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
468 };
469 
470 /* policy for GTK rekey offload attributes */
471 static const struct nla_policy
472 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
473 	[NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
474 	[NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
475 	[NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
476 };
477 
478 static const struct nla_policy
479 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
480 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
481 						 .len = IEEE80211_MAX_SSID_LEN },
482 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
483 };
484 
485 static const struct nla_policy
486 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
487 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
488 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
489 };
490 
491 static const struct nla_policy
492 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
493 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
494 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
495 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
496 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
497 	},
498 };
499 
500 static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
501 				     struct netlink_callback *cb,
502 				     struct cfg80211_registered_device **rdev,
503 				     struct wireless_dev **wdev)
504 {
505 	int err;
506 
507 	rtnl_lock();
508 
509 	if (!cb->args[0]) {
510 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
511 				  nl80211_fam.attrbuf, nl80211_fam.maxattr,
512 				  nl80211_policy);
513 		if (err)
514 			goto out_unlock;
515 
516 		*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk),
517 						   nl80211_fam.attrbuf);
518 		if (IS_ERR(*wdev)) {
519 			err = PTR_ERR(*wdev);
520 			goto out_unlock;
521 		}
522 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
523 		/* 0 is the first index - add 1 to parse only once */
524 		cb->args[0] = (*rdev)->wiphy_idx + 1;
525 		cb->args[1] = (*wdev)->identifier;
526 	} else {
527 		/* subtract the 1 again here */
528 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
529 		struct wireless_dev *tmp;
530 
531 		if (!wiphy) {
532 			err = -ENODEV;
533 			goto out_unlock;
534 		}
535 		*rdev = wiphy_to_rdev(wiphy);
536 		*wdev = NULL;
537 
538 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
539 			if (tmp->identifier == cb->args[1]) {
540 				*wdev = tmp;
541 				break;
542 			}
543 		}
544 
545 		if (!*wdev) {
546 			err = -ENODEV;
547 			goto out_unlock;
548 		}
549 	}
550 
551 	return 0;
552  out_unlock:
553 	rtnl_unlock();
554 	return err;
555 }
556 
557 static void nl80211_finish_wdev_dump(struct cfg80211_registered_device *rdev)
558 {
559 	rtnl_unlock();
560 }
561 
562 /* IE validation */
563 static bool is_valid_ie_attr(const struct nlattr *attr)
564 {
565 	const u8 *pos;
566 	int len;
567 
568 	if (!attr)
569 		return true;
570 
571 	pos = nla_data(attr);
572 	len = nla_len(attr);
573 
574 	while (len) {
575 		u8 elemlen;
576 
577 		if (len < 2)
578 			return false;
579 		len -= 2;
580 
581 		elemlen = pos[1];
582 		if (elemlen > len)
583 			return false;
584 
585 		len -= elemlen;
586 		pos += 2 + elemlen;
587 	}
588 
589 	return true;
590 }
591 
592 /* message building helper */
593 static inline void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
594 				   int flags, u8 cmd)
595 {
596 	/* since there is no private header just add the generic one */
597 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
598 }
599 
600 static int nl80211_msg_put_channel(struct sk_buff *msg,
601 				   struct ieee80211_channel *chan,
602 				   bool large)
603 {
604 	/* Some channels must be completely excluded from the
605 	 * list to protect old user-space tools from breaking
606 	 */
607 	if (!large && chan->flags &
608 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
609 		return 0;
610 
611 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
612 			chan->center_freq))
613 		goto nla_put_failure;
614 
615 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
616 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
617 		goto nla_put_failure;
618 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
619 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
620 			goto nla_put_failure;
621 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
622 			goto nla_put_failure;
623 	}
624 	if (chan->flags & IEEE80211_CHAN_RADAR) {
625 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
626 			goto nla_put_failure;
627 		if (large) {
628 			u32 time;
629 
630 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
631 
632 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
633 					chan->dfs_state))
634 				goto nla_put_failure;
635 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
636 					time))
637 				goto nla_put_failure;
638 			if (nla_put_u32(msg,
639 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
640 					chan->dfs_cac_ms))
641 				goto nla_put_failure;
642 		}
643 	}
644 
645 	if (large) {
646 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
647 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
648 			goto nla_put_failure;
649 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
650 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
651 			goto nla_put_failure;
652 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
653 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
654 			goto nla_put_failure;
655 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
656 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
657 			goto nla_put_failure;
658 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
659 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
660 			goto nla_put_failure;
661 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
662 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
663 			goto nla_put_failure;
664 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
665 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
666 			goto nla_put_failure;
667 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
668 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
669 			goto nla_put_failure;
670 	}
671 
672 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
673 			DBM_TO_MBM(chan->max_power)))
674 		goto nla_put_failure;
675 
676 	return 0;
677 
678  nla_put_failure:
679 	return -ENOBUFS;
680 }
681 
682 /* netlink command implementations */
683 
684 struct key_parse {
685 	struct key_params p;
686 	int idx;
687 	int type;
688 	bool def, defmgmt;
689 	bool def_uni, def_multi;
690 };
691 
692 static int nl80211_parse_key_new(struct nlattr *key, struct key_parse *k)
693 {
694 	struct nlattr *tb[NL80211_KEY_MAX + 1];
695 	int err = nla_parse_nested(tb, NL80211_KEY_MAX, key,
696 				   nl80211_key_policy);
697 	if (err)
698 		return err;
699 
700 	k->def = !!tb[NL80211_KEY_DEFAULT];
701 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
702 
703 	if (k->def) {
704 		k->def_uni = true;
705 		k->def_multi = true;
706 	}
707 	if (k->defmgmt)
708 		k->def_multi = true;
709 
710 	if (tb[NL80211_KEY_IDX])
711 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
712 
713 	if (tb[NL80211_KEY_DATA]) {
714 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
715 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
716 	}
717 
718 	if (tb[NL80211_KEY_SEQ]) {
719 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
720 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
721 	}
722 
723 	if (tb[NL80211_KEY_CIPHER])
724 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
725 
726 	if (tb[NL80211_KEY_TYPE]) {
727 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
728 		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
729 			return -EINVAL;
730 	}
731 
732 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
733 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
734 		err = nla_parse_nested(kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
735 				       tb[NL80211_KEY_DEFAULT_TYPES],
736 				       nl80211_key_default_policy);
737 		if (err)
738 			return err;
739 
740 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
741 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
742 	}
743 
744 	return 0;
745 }
746 
747 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
748 {
749 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
750 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
751 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
752 	}
753 
754 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
755 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
756 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
757 	}
758 
759 	if (info->attrs[NL80211_ATTR_KEY_IDX])
760 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
761 
762 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
763 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
764 
765 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
766 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
767 
768 	if (k->def) {
769 		k->def_uni = true;
770 		k->def_multi = true;
771 	}
772 	if (k->defmgmt)
773 		k->def_multi = true;
774 
775 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
776 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
777 		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
778 			return -EINVAL;
779 	}
780 
781 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
782 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
783 		int err = nla_parse_nested(
784 				kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
785 				info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
786 				nl80211_key_default_policy);
787 		if (err)
788 			return err;
789 
790 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
791 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
792 	}
793 
794 	return 0;
795 }
796 
797 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
798 {
799 	int err;
800 
801 	memset(k, 0, sizeof(*k));
802 	k->idx = -1;
803 	k->type = -1;
804 
805 	if (info->attrs[NL80211_ATTR_KEY])
806 		err = nl80211_parse_key_new(info->attrs[NL80211_ATTR_KEY], k);
807 	else
808 		err = nl80211_parse_key_old(info, k);
809 
810 	if (err)
811 		return err;
812 
813 	if (k->def && k->defmgmt)
814 		return -EINVAL;
815 
816 	if (k->defmgmt) {
817 		if (k->def_uni || !k->def_multi)
818 			return -EINVAL;
819 	}
820 
821 	if (k->idx != -1) {
822 		if (k->defmgmt) {
823 			if (k->idx < 4 || k->idx > 5)
824 				return -EINVAL;
825 		} else if (k->def) {
826 			if (k->idx < 0 || k->idx > 3)
827 				return -EINVAL;
828 		} else {
829 			if (k->idx < 0 || k->idx > 5)
830 				return -EINVAL;
831 		}
832 	}
833 
834 	return 0;
835 }
836 
837 static struct cfg80211_cached_keys *
838 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
839 		       struct nlattr *keys, bool *no_ht)
840 {
841 	struct key_parse parse;
842 	struct nlattr *key;
843 	struct cfg80211_cached_keys *result;
844 	int rem, err, def = 0;
845 
846 	result = kzalloc(sizeof(*result), GFP_KERNEL);
847 	if (!result)
848 		return ERR_PTR(-ENOMEM);
849 
850 	result->def = -1;
851 	result->defmgmt = -1;
852 
853 	nla_for_each_nested(key, keys, rem) {
854 		memset(&parse, 0, sizeof(parse));
855 		parse.idx = -1;
856 
857 		err = nl80211_parse_key_new(key, &parse);
858 		if (err)
859 			goto error;
860 		err = -EINVAL;
861 		if (!parse.p.key)
862 			goto error;
863 		if (parse.idx < 0 || parse.idx > 4)
864 			goto error;
865 		if (parse.def) {
866 			if (def)
867 				goto error;
868 			def = 1;
869 			result->def = parse.idx;
870 			if (!parse.def_uni || !parse.def_multi)
871 				goto error;
872 		} else if (parse.defmgmt)
873 			goto error;
874 		err = cfg80211_validate_key_settings(rdev, &parse.p,
875 						     parse.idx, false, NULL);
876 		if (err)
877 			goto error;
878 		result->params[parse.idx].cipher = parse.p.cipher;
879 		result->params[parse.idx].key_len = parse.p.key_len;
880 		result->params[parse.idx].key = result->data[parse.idx];
881 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
882 
883 		if (parse.p.cipher == WLAN_CIPHER_SUITE_WEP40 ||
884 		    parse.p.cipher == WLAN_CIPHER_SUITE_WEP104) {
885 			if (no_ht)
886 				*no_ht = true;
887 		}
888 	}
889 
890 	return result;
891  error:
892 	kfree(result);
893 	return ERR_PTR(err);
894 }
895 
896 static int nl80211_key_allowed(struct wireless_dev *wdev)
897 {
898 	ASSERT_WDEV_LOCK(wdev);
899 
900 	switch (wdev->iftype) {
901 	case NL80211_IFTYPE_AP:
902 	case NL80211_IFTYPE_AP_VLAN:
903 	case NL80211_IFTYPE_P2P_GO:
904 	case NL80211_IFTYPE_MESH_POINT:
905 		break;
906 	case NL80211_IFTYPE_ADHOC:
907 	case NL80211_IFTYPE_STATION:
908 	case NL80211_IFTYPE_P2P_CLIENT:
909 		if (!wdev->current_bss)
910 			return -ENOLINK;
911 		break;
912 	case NL80211_IFTYPE_UNSPECIFIED:
913 	case NL80211_IFTYPE_OCB:
914 	case NL80211_IFTYPE_MONITOR:
915 	case NL80211_IFTYPE_P2P_DEVICE:
916 	case NL80211_IFTYPE_WDS:
917 	case NUM_NL80211_IFTYPES:
918 		return -EINVAL;
919 	}
920 
921 	return 0;
922 }
923 
924 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
925 							struct nlattr *tb)
926 {
927 	struct ieee80211_channel *chan;
928 
929 	if (tb == NULL)
930 		return NULL;
931 	chan = ieee80211_get_channel(wiphy, nla_get_u32(tb));
932 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
933 		return NULL;
934 	return chan;
935 }
936 
937 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
938 {
939 	struct nlattr *nl_modes = nla_nest_start(msg, attr);
940 	int i;
941 
942 	if (!nl_modes)
943 		goto nla_put_failure;
944 
945 	i = 0;
946 	while (ifmodes) {
947 		if ((ifmodes & 1) && nla_put_flag(msg, i))
948 			goto nla_put_failure;
949 		ifmodes >>= 1;
950 		i++;
951 	}
952 
953 	nla_nest_end(msg, nl_modes);
954 	return 0;
955 
956 nla_put_failure:
957 	return -ENOBUFS;
958 }
959 
960 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
961 					  struct sk_buff *msg,
962 					  bool large)
963 {
964 	struct nlattr *nl_combis;
965 	int i, j;
966 
967 	nl_combis = nla_nest_start(msg,
968 				NL80211_ATTR_INTERFACE_COMBINATIONS);
969 	if (!nl_combis)
970 		goto nla_put_failure;
971 
972 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
973 		const struct ieee80211_iface_combination *c;
974 		struct nlattr *nl_combi, *nl_limits;
975 
976 		c = &wiphy->iface_combinations[i];
977 
978 		nl_combi = nla_nest_start(msg, i + 1);
979 		if (!nl_combi)
980 			goto nla_put_failure;
981 
982 		nl_limits = nla_nest_start(msg, NL80211_IFACE_COMB_LIMITS);
983 		if (!nl_limits)
984 			goto nla_put_failure;
985 
986 		for (j = 0; j < c->n_limits; j++) {
987 			struct nlattr *nl_limit;
988 
989 			nl_limit = nla_nest_start(msg, j + 1);
990 			if (!nl_limit)
991 				goto nla_put_failure;
992 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
993 					c->limits[j].max))
994 				goto nla_put_failure;
995 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
996 						c->limits[j].types))
997 				goto nla_put_failure;
998 			nla_nest_end(msg, nl_limit);
999 		}
1000 
1001 		nla_nest_end(msg, nl_limits);
1002 
1003 		if (c->beacon_int_infra_match &&
1004 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1005 			goto nla_put_failure;
1006 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1007 				c->num_different_channels) ||
1008 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1009 				c->max_interfaces))
1010 			goto nla_put_failure;
1011 		if (large &&
1012 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1013 				c->radar_detect_widths) ||
1014 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1015 				c->radar_detect_regions)))
1016 			goto nla_put_failure;
1017 
1018 		nla_nest_end(msg, nl_combi);
1019 	}
1020 
1021 	nla_nest_end(msg, nl_combis);
1022 
1023 	return 0;
1024 nla_put_failure:
1025 	return -ENOBUFS;
1026 }
1027 
1028 #ifdef CONFIG_PM
1029 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1030 					struct sk_buff *msg)
1031 {
1032 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1033 	struct nlattr *nl_tcp;
1034 
1035 	if (!tcp)
1036 		return 0;
1037 
1038 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1039 	if (!nl_tcp)
1040 		return -ENOBUFS;
1041 
1042 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1043 			tcp->data_payload_max))
1044 		return -ENOBUFS;
1045 
1046 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1047 			tcp->data_payload_max))
1048 		return -ENOBUFS;
1049 
1050 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1051 		return -ENOBUFS;
1052 
1053 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1054 				sizeof(*tcp->tok), tcp->tok))
1055 		return -ENOBUFS;
1056 
1057 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1058 			tcp->data_interval_max))
1059 		return -ENOBUFS;
1060 
1061 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1062 			tcp->wake_payload_max))
1063 		return -ENOBUFS;
1064 
1065 	nla_nest_end(msg, nl_tcp);
1066 	return 0;
1067 }
1068 
1069 static int nl80211_send_wowlan(struct sk_buff *msg,
1070 			       struct cfg80211_registered_device *rdev,
1071 			       bool large)
1072 {
1073 	struct nlattr *nl_wowlan;
1074 
1075 	if (!rdev->wiphy.wowlan)
1076 		return 0;
1077 
1078 	nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1079 	if (!nl_wowlan)
1080 		return -ENOBUFS;
1081 
1082 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1083 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1084 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1085 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1086 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1087 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1088 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1089 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1090 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1091 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1092 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1093 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1094 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1095 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1096 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1097 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1098 		return -ENOBUFS;
1099 
1100 	if (rdev->wiphy.wowlan->n_patterns) {
1101 		struct nl80211_pattern_support pat = {
1102 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1103 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1104 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1105 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1106 		};
1107 
1108 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1109 			    sizeof(pat), &pat))
1110 			return -ENOBUFS;
1111 	}
1112 
1113 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1114 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1115 			rdev->wiphy.wowlan->max_nd_match_sets))
1116 		return -ENOBUFS;
1117 
1118 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1119 		return -ENOBUFS;
1120 
1121 	nla_nest_end(msg, nl_wowlan);
1122 
1123 	return 0;
1124 }
1125 #endif
1126 
1127 static int nl80211_send_coalesce(struct sk_buff *msg,
1128 				 struct cfg80211_registered_device *rdev)
1129 {
1130 	struct nl80211_coalesce_rule_support rule;
1131 
1132 	if (!rdev->wiphy.coalesce)
1133 		return 0;
1134 
1135 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1136 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1137 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1138 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1139 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1140 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1141 
1142 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1143 		return -ENOBUFS;
1144 
1145 	return 0;
1146 }
1147 
1148 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1149 				      struct ieee80211_supported_band *sband)
1150 {
1151 	struct nlattr *nl_rates, *nl_rate;
1152 	struct ieee80211_rate *rate;
1153 	int i;
1154 
1155 	/* add HT info */
1156 	if (sband->ht_cap.ht_supported &&
1157 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1158 		     sizeof(sband->ht_cap.mcs),
1159 		     &sband->ht_cap.mcs) ||
1160 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1161 			 sband->ht_cap.cap) ||
1162 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1163 			sband->ht_cap.ampdu_factor) ||
1164 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1165 			sband->ht_cap.ampdu_density)))
1166 		return -ENOBUFS;
1167 
1168 	/* add VHT info */
1169 	if (sband->vht_cap.vht_supported &&
1170 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1171 		     sizeof(sband->vht_cap.vht_mcs),
1172 		     &sband->vht_cap.vht_mcs) ||
1173 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1174 			 sband->vht_cap.cap)))
1175 		return -ENOBUFS;
1176 
1177 	/* add bitrates */
1178 	nl_rates = nla_nest_start(msg, NL80211_BAND_ATTR_RATES);
1179 	if (!nl_rates)
1180 		return -ENOBUFS;
1181 
1182 	for (i = 0; i < sband->n_bitrates; i++) {
1183 		nl_rate = nla_nest_start(msg, i);
1184 		if (!nl_rate)
1185 			return -ENOBUFS;
1186 
1187 		rate = &sband->bitrates[i];
1188 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1189 				rate->bitrate))
1190 			return -ENOBUFS;
1191 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1192 		    nla_put_flag(msg,
1193 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1194 			return -ENOBUFS;
1195 
1196 		nla_nest_end(msg, nl_rate);
1197 	}
1198 
1199 	nla_nest_end(msg, nl_rates);
1200 
1201 	return 0;
1202 }
1203 
1204 static int
1205 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1206 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1207 {
1208 	u16 stypes;
1209 	struct nlattr *nl_ftypes, *nl_ifs;
1210 	enum nl80211_iftype ift;
1211 	int i;
1212 
1213 	if (!mgmt_stypes)
1214 		return 0;
1215 
1216 	nl_ifs = nla_nest_start(msg, NL80211_ATTR_TX_FRAME_TYPES);
1217 	if (!nl_ifs)
1218 		return -ENOBUFS;
1219 
1220 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1221 		nl_ftypes = nla_nest_start(msg, ift);
1222 		if (!nl_ftypes)
1223 			return -ENOBUFS;
1224 		i = 0;
1225 		stypes = mgmt_stypes[ift].tx;
1226 		while (stypes) {
1227 			if ((stypes & 1) &&
1228 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1229 					(i << 4) | IEEE80211_FTYPE_MGMT))
1230 				return -ENOBUFS;
1231 			stypes >>= 1;
1232 			i++;
1233 		}
1234 		nla_nest_end(msg, nl_ftypes);
1235 	}
1236 
1237 	nla_nest_end(msg, nl_ifs);
1238 
1239 	nl_ifs = nla_nest_start(msg, NL80211_ATTR_RX_FRAME_TYPES);
1240 	if (!nl_ifs)
1241 		return -ENOBUFS;
1242 
1243 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1244 		nl_ftypes = nla_nest_start(msg, ift);
1245 		if (!nl_ftypes)
1246 			return -ENOBUFS;
1247 		i = 0;
1248 		stypes = mgmt_stypes[ift].rx;
1249 		while (stypes) {
1250 			if ((stypes & 1) &&
1251 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1252 					(i << 4) | IEEE80211_FTYPE_MGMT))
1253 				return -ENOBUFS;
1254 			stypes >>= 1;
1255 			i++;
1256 		}
1257 		nla_nest_end(msg, nl_ftypes);
1258 	}
1259 	nla_nest_end(msg, nl_ifs);
1260 
1261 	return 0;
1262 }
1263 
1264 struct nl80211_dump_wiphy_state {
1265 	s64 filter_wiphy;
1266 	long start;
1267 	long split_start, band_start, chan_start;
1268 	bool split;
1269 };
1270 
1271 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
1272 			      enum nl80211_commands cmd,
1273 			      struct sk_buff *msg, u32 portid, u32 seq,
1274 			      int flags, struct nl80211_dump_wiphy_state *state)
1275 {
1276 	void *hdr;
1277 	struct nlattr *nl_bands, *nl_band;
1278 	struct nlattr *nl_freqs, *nl_freq;
1279 	struct nlattr *nl_cmds;
1280 	enum nl80211_band band;
1281 	struct ieee80211_channel *chan;
1282 	int i;
1283 	const struct ieee80211_txrx_stypes *mgmt_stypes =
1284 				rdev->wiphy.mgmt_stypes;
1285 	u32 features;
1286 
1287 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
1288 	if (!hdr)
1289 		return -ENOBUFS;
1290 
1291 	if (WARN_ON(!state))
1292 		return -EINVAL;
1293 
1294 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
1295 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
1296 			   wiphy_name(&rdev->wiphy)) ||
1297 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
1298 			cfg80211_rdev_list_generation))
1299 		goto nla_put_failure;
1300 
1301 	if (cmd != NL80211_CMD_NEW_WIPHY)
1302 		goto finish;
1303 
1304 	switch (state->split_start) {
1305 	case 0:
1306 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
1307 			       rdev->wiphy.retry_short) ||
1308 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
1309 			       rdev->wiphy.retry_long) ||
1310 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
1311 				rdev->wiphy.frag_threshold) ||
1312 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
1313 				rdev->wiphy.rts_threshold) ||
1314 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
1315 			       rdev->wiphy.coverage_class) ||
1316 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
1317 			       rdev->wiphy.max_scan_ssids) ||
1318 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
1319 			       rdev->wiphy.max_sched_scan_ssids) ||
1320 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
1321 				rdev->wiphy.max_scan_ie_len) ||
1322 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
1323 				rdev->wiphy.max_sched_scan_ie_len) ||
1324 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
1325 			       rdev->wiphy.max_match_sets) ||
1326 		    nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
1327 				rdev->wiphy.max_sched_scan_plans) ||
1328 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
1329 				rdev->wiphy.max_sched_scan_plan_interval) ||
1330 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
1331 				rdev->wiphy.max_sched_scan_plan_iterations))
1332 			goto nla_put_failure;
1333 
1334 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
1335 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
1336 			goto nla_put_failure;
1337 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
1338 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
1339 			goto nla_put_failure;
1340 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
1341 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
1342 			goto nla_put_failure;
1343 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
1344 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
1345 			goto nla_put_failure;
1346 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
1347 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
1348 			goto nla_put_failure;
1349 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
1350 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
1351 			goto nla_put_failure;
1352 		state->split_start++;
1353 		if (state->split)
1354 			break;
1355 	case 1:
1356 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
1357 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
1358 			    rdev->wiphy.cipher_suites))
1359 			goto nla_put_failure;
1360 
1361 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
1362 			       rdev->wiphy.max_num_pmkids))
1363 			goto nla_put_failure;
1364 
1365 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
1366 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
1367 			goto nla_put_failure;
1368 
1369 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
1370 				rdev->wiphy.available_antennas_tx) ||
1371 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
1372 				rdev->wiphy.available_antennas_rx))
1373 			goto nla_put_failure;
1374 
1375 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
1376 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
1377 				rdev->wiphy.probe_resp_offload))
1378 			goto nla_put_failure;
1379 
1380 		if ((rdev->wiphy.available_antennas_tx ||
1381 		     rdev->wiphy.available_antennas_rx) &&
1382 		    rdev->ops->get_antenna) {
1383 			u32 tx_ant = 0, rx_ant = 0;
1384 			int res;
1385 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
1386 			if (!res) {
1387 				if (nla_put_u32(msg,
1388 						NL80211_ATTR_WIPHY_ANTENNA_TX,
1389 						tx_ant) ||
1390 				    nla_put_u32(msg,
1391 						NL80211_ATTR_WIPHY_ANTENNA_RX,
1392 						rx_ant))
1393 					goto nla_put_failure;
1394 			}
1395 		}
1396 
1397 		state->split_start++;
1398 		if (state->split)
1399 			break;
1400 	case 2:
1401 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
1402 					rdev->wiphy.interface_modes))
1403 				goto nla_put_failure;
1404 		state->split_start++;
1405 		if (state->split)
1406 			break;
1407 	case 3:
1408 		nl_bands = nla_nest_start(msg, NL80211_ATTR_WIPHY_BANDS);
1409 		if (!nl_bands)
1410 			goto nla_put_failure;
1411 
1412 		for (band = state->band_start;
1413 		     band < NUM_NL80211_BANDS; band++) {
1414 			struct ieee80211_supported_band *sband;
1415 
1416 			sband = rdev->wiphy.bands[band];
1417 
1418 			if (!sband)
1419 				continue;
1420 
1421 			nl_band = nla_nest_start(msg, band);
1422 			if (!nl_band)
1423 				goto nla_put_failure;
1424 
1425 			switch (state->chan_start) {
1426 			case 0:
1427 				if (nl80211_send_band_rateinfo(msg, sband))
1428 					goto nla_put_failure;
1429 				state->chan_start++;
1430 				if (state->split)
1431 					break;
1432 			default:
1433 				/* add frequencies */
1434 				nl_freqs = nla_nest_start(
1435 					msg, NL80211_BAND_ATTR_FREQS);
1436 				if (!nl_freqs)
1437 					goto nla_put_failure;
1438 
1439 				for (i = state->chan_start - 1;
1440 				     i < sband->n_channels;
1441 				     i++) {
1442 					nl_freq = nla_nest_start(msg, i);
1443 					if (!nl_freq)
1444 						goto nla_put_failure;
1445 
1446 					chan = &sband->channels[i];
1447 
1448 					if (nl80211_msg_put_channel(
1449 							msg, chan,
1450 							state->split))
1451 						goto nla_put_failure;
1452 
1453 					nla_nest_end(msg, nl_freq);
1454 					if (state->split)
1455 						break;
1456 				}
1457 				if (i < sband->n_channels)
1458 					state->chan_start = i + 2;
1459 				else
1460 					state->chan_start = 0;
1461 				nla_nest_end(msg, nl_freqs);
1462 			}
1463 
1464 			nla_nest_end(msg, nl_band);
1465 
1466 			if (state->split) {
1467 				/* start again here */
1468 				if (state->chan_start)
1469 					band--;
1470 				break;
1471 			}
1472 		}
1473 		nla_nest_end(msg, nl_bands);
1474 
1475 		if (band < NUM_NL80211_BANDS)
1476 			state->band_start = band + 1;
1477 		else
1478 			state->band_start = 0;
1479 
1480 		/* if bands & channels are done, continue outside */
1481 		if (state->band_start == 0 && state->chan_start == 0)
1482 			state->split_start++;
1483 		if (state->split)
1484 			break;
1485 	case 4:
1486 		nl_cmds = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_COMMANDS);
1487 		if (!nl_cmds)
1488 			goto nla_put_failure;
1489 
1490 		i = 0;
1491 #define CMD(op, n)							\
1492 		 do {							\
1493 			if (rdev->ops->op) {				\
1494 				i++;					\
1495 				if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) \
1496 					goto nla_put_failure;		\
1497 			}						\
1498 		} while (0)
1499 
1500 		CMD(add_virtual_intf, NEW_INTERFACE);
1501 		CMD(change_virtual_intf, SET_INTERFACE);
1502 		CMD(add_key, NEW_KEY);
1503 		CMD(start_ap, START_AP);
1504 		CMD(add_station, NEW_STATION);
1505 		CMD(add_mpath, NEW_MPATH);
1506 		CMD(update_mesh_config, SET_MESH_CONFIG);
1507 		CMD(change_bss, SET_BSS);
1508 		CMD(auth, AUTHENTICATE);
1509 		CMD(assoc, ASSOCIATE);
1510 		CMD(deauth, DEAUTHENTICATE);
1511 		CMD(disassoc, DISASSOCIATE);
1512 		CMD(join_ibss, JOIN_IBSS);
1513 		CMD(join_mesh, JOIN_MESH);
1514 		CMD(set_pmksa, SET_PMKSA);
1515 		CMD(del_pmksa, DEL_PMKSA);
1516 		CMD(flush_pmksa, FLUSH_PMKSA);
1517 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1518 			CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1519 		CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1520 		CMD(mgmt_tx, FRAME);
1521 		CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1522 		if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1523 			i++;
1524 			if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1525 				goto nla_put_failure;
1526 		}
1527 		if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1528 		    rdev->ops->join_mesh) {
1529 			i++;
1530 			if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1531 				goto nla_put_failure;
1532 		}
1533 		CMD(set_wds_peer, SET_WDS_PEER);
1534 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1535 			CMD(tdls_mgmt, TDLS_MGMT);
1536 			CMD(tdls_oper, TDLS_OPER);
1537 		}
1538 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
1539 			CMD(sched_scan_start, START_SCHED_SCAN);
1540 		CMD(probe_client, PROBE_CLIENT);
1541 		CMD(set_noack_map, SET_NOACK_MAP);
1542 		if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1543 			i++;
1544 			if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1545 				goto nla_put_failure;
1546 		}
1547 		CMD(start_p2p_device, START_P2P_DEVICE);
1548 		CMD(set_mcast_rate, SET_MCAST_RATE);
1549 #ifdef CONFIG_NL80211_TESTMODE
1550 		CMD(testmode_cmd, TESTMODE);
1551 #endif
1552 		if (state->split) {
1553 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
1554 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
1555 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
1556 				CMD(channel_switch, CHANNEL_SWITCH);
1557 			CMD(set_qos_map, SET_QOS_MAP);
1558 			if (rdev->wiphy.features &
1559 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
1560 				CMD(add_tx_ts, ADD_TX_TS);
1561 		}
1562 		/* add into the if now */
1563 #undef CMD
1564 
1565 		if (rdev->ops->connect || rdev->ops->auth) {
1566 			i++;
1567 			if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1568 				goto nla_put_failure;
1569 		}
1570 
1571 		if (rdev->ops->disconnect || rdev->ops->deauth) {
1572 			i++;
1573 			if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1574 				goto nla_put_failure;
1575 		}
1576 
1577 		nla_nest_end(msg, nl_cmds);
1578 		state->split_start++;
1579 		if (state->split)
1580 			break;
1581 	case 5:
1582 		if (rdev->ops->remain_on_channel &&
1583 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
1584 		    nla_put_u32(msg,
1585 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
1586 				rdev->wiphy.max_remain_on_channel_duration))
1587 			goto nla_put_failure;
1588 
1589 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
1590 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
1591 			goto nla_put_failure;
1592 
1593 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
1594 			goto nla_put_failure;
1595 		state->split_start++;
1596 		if (state->split)
1597 			break;
1598 	case 6:
1599 #ifdef CONFIG_PM
1600 		if (nl80211_send_wowlan(msg, rdev, state->split))
1601 			goto nla_put_failure;
1602 		state->split_start++;
1603 		if (state->split)
1604 			break;
1605 #else
1606 		state->split_start++;
1607 #endif
1608 	case 7:
1609 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
1610 					rdev->wiphy.software_iftypes))
1611 			goto nla_put_failure;
1612 
1613 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
1614 						   state->split))
1615 			goto nla_put_failure;
1616 
1617 		state->split_start++;
1618 		if (state->split)
1619 			break;
1620 	case 8:
1621 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
1622 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
1623 				rdev->wiphy.ap_sme_capa))
1624 			goto nla_put_failure;
1625 
1626 		features = rdev->wiphy.features;
1627 		/*
1628 		 * We can only add the per-channel limit information if the
1629 		 * dump is split, otherwise it makes it too big. Therefore
1630 		 * only advertise it in that case.
1631 		 */
1632 		if (state->split)
1633 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
1634 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
1635 			goto nla_put_failure;
1636 
1637 		if (rdev->wiphy.ht_capa_mod_mask &&
1638 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
1639 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
1640 			    rdev->wiphy.ht_capa_mod_mask))
1641 			goto nla_put_failure;
1642 
1643 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
1644 		    rdev->wiphy.max_acl_mac_addrs &&
1645 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
1646 				rdev->wiphy.max_acl_mac_addrs))
1647 			goto nla_put_failure;
1648 
1649 		/*
1650 		 * Any information below this point is only available to
1651 		 * applications that can deal with it being split. This
1652 		 * helps ensure that newly added capabilities don't break
1653 		 * older tools by overrunning their buffers.
1654 		 *
1655 		 * We still increment split_start so that in the split
1656 		 * case we'll continue with more data in the next round,
1657 		 * but break unconditionally so unsplit data stops here.
1658 		 */
1659 		state->split_start++;
1660 		break;
1661 	case 9:
1662 		if (rdev->wiphy.extended_capabilities &&
1663 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
1664 			     rdev->wiphy.extended_capabilities_len,
1665 			     rdev->wiphy.extended_capabilities) ||
1666 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
1667 			     rdev->wiphy.extended_capabilities_len,
1668 			     rdev->wiphy.extended_capabilities_mask)))
1669 			goto nla_put_failure;
1670 
1671 		if (rdev->wiphy.vht_capa_mod_mask &&
1672 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
1673 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
1674 			    rdev->wiphy.vht_capa_mod_mask))
1675 			goto nla_put_failure;
1676 
1677 		state->split_start++;
1678 		break;
1679 	case 10:
1680 		if (nl80211_send_coalesce(msg, rdev))
1681 			goto nla_put_failure;
1682 
1683 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
1684 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
1685 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
1686 			goto nla_put_failure;
1687 
1688 		if (rdev->wiphy.max_ap_assoc_sta &&
1689 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
1690 				rdev->wiphy.max_ap_assoc_sta))
1691 			goto nla_put_failure;
1692 
1693 		state->split_start++;
1694 		break;
1695 	case 11:
1696 		if (rdev->wiphy.n_vendor_commands) {
1697 			const struct nl80211_vendor_cmd_info *info;
1698 			struct nlattr *nested;
1699 
1700 			nested = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
1701 			if (!nested)
1702 				goto nla_put_failure;
1703 
1704 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
1705 				info = &rdev->wiphy.vendor_commands[i].info;
1706 				if (nla_put(msg, i + 1, sizeof(*info), info))
1707 					goto nla_put_failure;
1708 			}
1709 			nla_nest_end(msg, nested);
1710 		}
1711 
1712 		if (rdev->wiphy.n_vendor_events) {
1713 			const struct nl80211_vendor_cmd_info *info;
1714 			struct nlattr *nested;
1715 
1716 			nested = nla_nest_start(msg,
1717 						NL80211_ATTR_VENDOR_EVENTS);
1718 			if (!nested)
1719 				goto nla_put_failure;
1720 
1721 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
1722 				info = &rdev->wiphy.vendor_events[i];
1723 				if (nla_put(msg, i + 1, sizeof(*info), info))
1724 					goto nla_put_failure;
1725 			}
1726 			nla_nest_end(msg, nested);
1727 		}
1728 		state->split_start++;
1729 		break;
1730 	case 12:
1731 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
1732 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
1733 			       rdev->wiphy.max_num_csa_counters))
1734 			goto nla_put_failure;
1735 
1736 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
1737 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
1738 			goto nla_put_failure;
1739 
1740 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
1741 			    sizeof(rdev->wiphy.ext_features),
1742 			    rdev->wiphy.ext_features))
1743 			goto nla_put_failure;
1744 
1745 		if (rdev->wiphy.bss_select_support) {
1746 			struct nlattr *nested;
1747 			u32 bss_select_support = rdev->wiphy.bss_select_support;
1748 
1749 			nested = nla_nest_start(msg, NL80211_ATTR_BSS_SELECT);
1750 			if (!nested)
1751 				goto nla_put_failure;
1752 
1753 			i = 0;
1754 			while (bss_select_support) {
1755 				if ((bss_select_support & 1) &&
1756 				    nla_put_flag(msg, i))
1757 					goto nla_put_failure;
1758 				i++;
1759 				bss_select_support >>= 1;
1760 			}
1761 			nla_nest_end(msg, nested);
1762 		}
1763 
1764 		/* done */
1765 		state->split_start = 0;
1766 		break;
1767 	}
1768  finish:
1769 	genlmsg_end(msg, hdr);
1770 	return 0;
1771 
1772  nla_put_failure:
1773 	genlmsg_cancel(msg, hdr);
1774 	return -EMSGSIZE;
1775 }
1776 
1777 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
1778 				    struct netlink_callback *cb,
1779 				    struct nl80211_dump_wiphy_state *state)
1780 {
1781 	struct nlattr **tb = nl80211_fam.attrbuf;
1782 	int ret = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
1783 			      tb, nl80211_fam.maxattr, nl80211_policy);
1784 	/* ignore parse errors for backward compatibility */
1785 	if (ret)
1786 		return 0;
1787 
1788 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
1789 	if (tb[NL80211_ATTR_WIPHY])
1790 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
1791 	if (tb[NL80211_ATTR_WDEV])
1792 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
1793 	if (tb[NL80211_ATTR_IFINDEX]) {
1794 		struct net_device *netdev;
1795 		struct cfg80211_registered_device *rdev;
1796 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
1797 
1798 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
1799 		if (!netdev)
1800 			return -ENODEV;
1801 		if (netdev->ieee80211_ptr) {
1802 			rdev = wiphy_to_rdev(
1803 				netdev->ieee80211_ptr->wiphy);
1804 			state->filter_wiphy = rdev->wiphy_idx;
1805 		}
1806 	}
1807 
1808 	return 0;
1809 }
1810 
1811 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
1812 {
1813 	int idx = 0, ret;
1814 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
1815 	struct cfg80211_registered_device *rdev;
1816 
1817 	rtnl_lock();
1818 	if (!state) {
1819 		state = kzalloc(sizeof(*state), GFP_KERNEL);
1820 		if (!state) {
1821 			rtnl_unlock();
1822 			return -ENOMEM;
1823 		}
1824 		state->filter_wiphy = -1;
1825 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
1826 		if (ret) {
1827 			kfree(state);
1828 			rtnl_unlock();
1829 			return ret;
1830 		}
1831 		cb->args[0] = (long)state;
1832 	}
1833 
1834 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
1835 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
1836 			continue;
1837 		if (++idx <= state->start)
1838 			continue;
1839 		if (state->filter_wiphy != -1 &&
1840 		    state->filter_wiphy != rdev->wiphy_idx)
1841 			continue;
1842 		/* attempt to fit multiple wiphy data chunks into the skb */
1843 		do {
1844 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
1845 						 skb,
1846 						 NETLINK_CB(cb->skb).portid,
1847 						 cb->nlh->nlmsg_seq,
1848 						 NLM_F_MULTI, state);
1849 			if (ret < 0) {
1850 				/*
1851 				 * If sending the wiphy data didn't fit (ENOBUFS
1852 				 * or EMSGSIZE returned), this SKB is still
1853 				 * empty (so it's not too big because another
1854 				 * wiphy dataset is already in the skb) and
1855 				 * we've not tried to adjust the dump allocation
1856 				 * yet ... then adjust the alloc size to be
1857 				 * bigger, and return 1 but with the empty skb.
1858 				 * This results in an empty message being RX'ed
1859 				 * in userspace, but that is ignored.
1860 				 *
1861 				 * We can then retry with the larger buffer.
1862 				 */
1863 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
1864 				    !skb->len && !state->split &&
1865 				    cb->min_dump_alloc < 4096) {
1866 					cb->min_dump_alloc = 4096;
1867 					state->split_start = 0;
1868 					rtnl_unlock();
1869 					return 1;
1870 				}
1871 				idx--;
1872 				break;
1873 			}
1874 		} while (state->split_start > 0);
1875 		break;
1876 	}
1877 	rtnl_unlock();
1878 
1879 	state->start = idx;
1880 
1881 	return skb->len;
1882 }
1883 
1884 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
1885 {
1886 	kfree((void *)cb->args[0]);
1887 	return 0;
1888 }
1889 
1890 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
1891 {
1892 	struct sk_buff *msg;
1893 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
1894 	struct nl80211_dump_wiphy_state state = {};
1895 
1896 	msg = nlmsg_new(4096, GFP_KERNEL);
1897 	if (!msg)
1898 		return -ENOMEM;
1899 
1900 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
1901 			       info->snd_portid, info->snd_seq, 0,
1902 			       &state) < 0) {
1903 		nlmsg_free(msg);
1904 		return -ENOBUFS;
1905 	}
1906 
1907 	return genlmsg_reply(msg, info);
1908 }
1909 
1910 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
1911 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
1912 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
1913 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
1914 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
1915 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
1916 };
1917 
1918 static int parse_txq_params(struct nlattr *tb[],
1919 			    struct ieee80211_txq_params *txq_params)
1920 {
1921 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
1922 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
1923 	    !tb[NL80211_TXQ_ATTR_AIFS])
1924 		return -EINVAL;
1925 
1926 	txq_params->ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
1927 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
1928 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
1929 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
1930 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
1931 
1932 	if (txq_params->ac >= NL80211_NUM_ACS)
1933 		return -EINVAL;
1934 
1935 	return 0;
1936 }
1937 
1938 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
1939 {
1940 	/*
1941 	 * You can only set the channel explicitly for WDS interfaces,
1942 	 * all others have their channel managed via their respective
1943 	 * "establish a connection" command (connect, join, ...)
1944 	 *
1945 	 * For AP/GO and mesh mode, the channel can be set with the
1946 	 * channel userspace API, but is only stored and passed to the
1947 	 * low-level driver when the AP starts or the mesh is joined.
1948 	 * This is for backward compatibility, userspace can also give
1949 	 * the channel in the start-ap or join-mesh commands instead.
1950 	 *
1951 	 * Monitors are special as they are normally slaved to
1952 	 * whatever else is going on, so they have their own special
1953 	 * operation to set the monitor channel if possible.
1954 	 */
1955 	return !wdev ||
1956 		wdev->iftype == NL80211_IFTYPE_AP ||
1957 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
1958 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
1959 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
1960 }
1961 
1962 static int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
1963 				 struct genl_info *info,
1964 				 struct cfg80211_chan_def *chandef)
1965 {
1966 	u32 control_freq;
1967 
1968 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
1969 		return -EINVAL;
1970 
1971 	control_freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
1972 
1973 	chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
1974 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
1975 	chandef->center_freq1 = control_freq;
1976 	chandef->center_freq2 = 0;
1977 
1978 	/* Primary channel not allowed */
1979 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED)
1980 		return -EINVAL;
1981 
1982 	if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
1983 		enum nl80211_channel_type chantype;
1984 
1985 		chantype = nla_get_u32(
1986 				info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
1987 
1988 		switch (chantype) {
1989 		case NL80211_CHAN_NO_HT:
1990 		case NL80211_CHAN_HT20:
1991 		case NL80211_CHAN_HT40PLUS:
1992 		case NL80211_CHAN_HT40MINUS:
1993 			cfg80211_chandef_create(chandef, chandef->chan,
1994 						chantype);
1995 			break;
1996 		default:
1997 			return -EINVAL;
1998 		}
1999 	} else if (info->attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
2000 		chandef->width =
2001 			nla_get_u32(info->attrs[NL80211_ATTR_CHANNEL_WIDTH]);
2002 		if (info->attrs[NL80211_ATTR_CENTER_FREQ1])
2003 			chandef->center_freq1 =
2004 				nla_get_u32(
2005 					info->attrs[NL80211_ATTR_CENTER_FREQ1]);
2006 		if (info->attrs[NL80211_ATTR_CENTER_FREQ2])
2007 			chandef->center_freq2 =
2008 				nla_get_u32(
2009 					info->attrs[NL80211_ATTR_CENTER_FREQ2]);
2010 	}
2011 
2012 	if (!cfg80211_chandef_valid(chandef))
2013 		return -EINVAL;
2014 
2015 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
2016 				     IEEE80211_CHAN_DISABLED))
2017 		return -EINVAL;
2018 
2019 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
2020 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
2021 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ))
2022 		return -EINVAL;
2023 
2024 	return 0;
2025 }
2026 
2027 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
2028 				 struct net_device *dev,
2029 				 struct genl_info *info)
2030 {
2031 	struct cfg80211_chan_def chandef;
2032 	int result;
2033 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
2034 	struct wireless_dev *wdev = NULL;
2035 
2036 	if (dev)
2037 		wdev = dev->ieee80211_ptr;
2038 	if (!nl80211_can_set_dev_channel(wdev))
2039 		return -EOPNOTSUPP;
2040 	if (wdev)
2041 		iftype = wdev->iftype;
2042 
2043 	result = nl80211_parse_chandef(rdev, info, &chandef);
2044 	if (result)
2045 		return result;
2046 
2047 	switch (iftype) {
2048 	case NL80211_IFTYPE_AP:
2049 	case NL80211_IFTYPE_P2P_GO:
2050 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
2051 						   iftype)) {
2052 			result = -EINVAL;
2053 			break;
2054 		}
2055 		if (wdev->beacon_interval) {
2056 			if (!dev || !rdev->ops->set_ap_chanwidth ||
2057 			    !(rdev->wiphy.features &
2058 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
2059 				result = -EBUSY;
2060 				break;
2061 			}
2062 
2063 			/* Only allow dynamic channel width changes */
2064 			if (chandef.chan != wdev->preset_chandef.chan) {
2065 				result = -EBUSY;
2066 				break;
2067 			}
2068 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
2069 			if (result)
2070 				break;
2071 		}
2072 		wdev->preset_chandef = chandef;
2073 		result = 0;
2074 		break;
2075 	case NL80211_IFTYPE_MESH_POINT:
2076 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
2077 		break;
2078 	case NL80211_IFTYPE_MONITOR:
2079 		result = cfg80211_set_monitor_channel(rdev, &chandef);
2080 		break;
2081 	default:
2082 		result = -EINVAL;
2083 	}
2084 
2085 	return result;
2086 }
2087 
2088 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
2089 {
2090 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2091 	struct net_device *netdev = info->user_ptr[1];
2092 
2093 	return __nl80211_set_channel(rdev, netdev, info);
2094 }
2095 
2096 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
2097 {
2098 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2099 	struct net_device *dev = info->user_ptr[1];
2100 	struct wireless_dev *wdev = dev->ieee80211_ptr;
2101 	const u8 *bssid;
2102 
2103 	if (!info->attrs[NL80211_ATTR_MAC])
2104 		return -EINVAL;
2105 
2106 	if (netif_running(dev))
2107 		return -EBUSY;
2108 
2109 	if (!rdev->ops->set_wds_peer)
2110 		return -EOPNOTSUPP;
2111 
2112 	if (wdev->iftype != NL80211_IFTYPE_WDS)
2113 		return -EOPNOTSUPP;
2114 
2115 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
2116 	return rdev_set_wds_peer(rdev, dev, bssid);
2117 }
2118 
2119 
2120 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
2121 {
2122 	struct cfg80211_registered_device *rdev;
2123 	struct net_device *netdev = NULL;
2124 	struct wireless_dev *wdev;
2125 	int result = 0, rem_txq_params = 0;
2126 	struct nlattr *nl_txq_params;
2127 	u32 changed;
2128 	u8 retry_short = 0, retry_long = 0;
2129 	u32 frag_threshold = 0, rts_threshold = 0;
2130 	u8 coverage_class = 0;
2131 
2132 	ASSERT_RTNL();
2133 
2134 	/*
2135 	 * Try to find the wiphy and netdev. Normally this
2136 	 * function shouldn't need the netdev, but this is
2137 	 * done for backward compatibility -- previously
2138 	 * setting the channel was done per wiphy, but now
2139 	 * it is per netdev. Previous userland like hostapd
2140 	 * also passed a netdev to set_wiphy, so that it is
2141 	 * possible to let that go to the right netdev!
2142 	 */
2143 
2144 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
2145 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
2146 
2147 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
2148 		if (netdev && netdev->ieee80211_ptr)
2149 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
2150 		else
2151 			netdev = NULL;
2152 	}
2153 
2154 	if (!netdev) {
2155 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
2156 						  info->attrs);
2157 		if (IS_ERR(rdev))
2158 			return PTR_ERR(rdev);
2159 		wdev = NULL;
2160 		netdev = NULL;
2161 		result = 0;
2162 	} else
2163 		wdev = netdev->ieee80211_ptr;
2164 
2165 	/*
2166 	 * end workaround code, by now the rdev is available
2167 	 * and locked, and wdev may or may not be NULL.
2168 	 */
2169 
2170 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
2171 		result = cfg80211_dev_rename(
2172 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
2173 
2174 	if (result)
2175 		return result;
2176 
2177 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
2178 		struct ieee80211_txq_params txq_params;
2179 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
2180 
2181 		if (!rdev->ops->set_txq_params)
2182 			return -EOPNOTSUPP;
2183 
2184 		if (!netdev)
2185 			return -EINVAL;
2186 
2187 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2188 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2189 			return -EINVAL;
2190 
2191 		if (!netif_running(netdev))
2192 			return -ENETDOWN;
2193 
2194 		nla_for_each_nested(nl_txq_params,
2195 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
2196 				    rem_txq_params) {
2197 			result = nla_parse(tb, NL80211_TXQ_ATTR_MAX,
2198 					   nla_data(nl_txq_params),
2199 					   nla_len(nl_txq_params),
2200 					   txq_params_policy);
2201 			if (result)
2202 				return result;
2203 			result = parse_txq_params(tb, &txq_params);
2204 			if (result)
2205 				return result;
2206 
2207 			result = rdev_set_txq_params(rdev, netdev,
2208 						     &txq_params);
2209 			if (result)
2210 				return result;
2211 		}
2212 	}
2213 
2214 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2215 		result = __nl80211_set_channel(
2216 			rdev,
2217 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
2218 			info);
2219 		if (result)
2220 			return result;
2221 	}
2222 
2223 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
2224 		struct wireless_dev *txp_wdev = wdev;
2225 		enum nl80211_tx_power_setting type;
2226 		int idx, mbm = 0;
2227 
2228 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
2229 			txp_wdev = NULL;
2230 
2231 		if (!rdev->ops->set_tx_power)
2232 			return -EOPNOTSUPP;
2233 
2234 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
2235 		type = nla_get_u32(info->attrs[idx]);
2236 
2237 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
2238 		    (type != NL80211_TX_POWER_AUTOMATIC))
2239 			return -EINVAL;
2240 
2241 		if (type != NL80211_TX_POWER_AUTOMATIC) {
2242 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
2243 			mbm = nla_get_u32(info->attrs[idx]);
2244 		}
2245 
2246 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
2247 		if (result)
2248 			return result;
2249 	}
2250 
2251 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
2252 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
2253 		u32 tx_ant, rx_ant;
2254 		if ((!rdev->wiphy.available_antennas_tx &&
2255 		     !rdev->wiphy.available_antennas_rx) ||
2256 		    !rdev->ops->set_antenna)
2257 			return -EOPNOTSUPP;
2258 
2259 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
2260 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
2261 
2262 		/* reject antenna configurations which don't match the
2263 		 * available antenna masks, except for the "all" mask */
2264 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
2265 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
2266 			return -EINVAL;
2267 
2268 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
2269 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
2270 
2271 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
2272 		if (result)
2273 			return result;
2274 	}
2275 
2276 	changed = 0;
2277 
2278 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
2279 		retry_short = nla_get_u8(
2280 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
2281 		if (retry_short == 0)
2282 			return -EINVAL;
2283 
2284 		changed |= WIPHY_PARAM_RETRY_SHORT;
2285 	}
2286 
2287 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
2288 		retry_long = nla_get_u8(
2289 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
2290 		if (retry_long == 0)
2291 			return -EINVAL;
2292 
2293 		changed |= WIPHY_PARAM_RETRY_LONG;
2294 	}
2295 
2296 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
2297 		frag_threshold = nla_get_u32(
2298 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
2299 		if (frag_threshold < 256)
2300 			return -EINVAL;
2301 
2302 		if (frag_threshold != (u32) -1) {
2303 			/*
2304 			 * Fragments (apart from the last one) are required to
2305 			 * have even length. Make the fragmentation code
2306 			 * simpler by stripping LSB should someone try to use
2307 			 * odd threshold value.
2308 			 */
2309 			frag_threshold &= ~0x1;
2310 		}
2311 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
2312 	}
2313 
2314 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
2315 		rts_threshold = nla_get_u32(
2316 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
2317 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
2318 	}
2319 
2320 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
2321 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
2322 			return -EINVAL;
2323 
2324 		coverage_class = nla_get_u8(
2325 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
2326 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
2327 	}
2328 
2329 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
2330 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
2331 			return -EOPNOTSUPP;
2332 
2333 		changed |= WIPHY_PARAM_DYN_ACK;
2334 	}
2335 
2336 	if (changed) {
2337 		u8 old_retry_short, old_retry_long;
2338 		u32 old_frag_threshold, old_rts_threshold;
2339 		u8 old_coverage_class;
2340 
2341 		if (!rdev->ops->set_wiphy_params)
2342 			return -EOPNOTSUPP;
2343 
2344 		old_retry_short = rdev->wiphy.retry_short;
2345 		old_retry_long = rdev->wiphy.retry_long;
2346 		old_frag_threshold = rdev->wiphy.frag_threshold;
2347 		old_rts_threshold = rdev->wiphy.rts_threshold;
2348 		old_coverage_class = rdev->wiphy.coverage_class;
2349 
2350 		if (changed & WIPHY_PARAM_RETRY_SHORT)
2351 			rdev->wiphy.retry_short = retry_short;
2352 		if (changed & WIPHY_PARAM_RETRY_LONG)
2353 			rdev->wiphy.retry_long = retry_long;
2354 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
2355 			rdev->wiphy.frag_threshold = frag_threshold;
2356 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
2357 			rdev->wiphy.rts_threshold = rts_threshold;
2358 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
2359 			rdev->wiphy.coverage_class = coverage_class;
2360 
2361 		result = rdev_set_wiphy_params(rdev, changed);
2362 		if (result) {
2363 			rdev->wiphy.retry_short = old_retry_short;
2364 			rdev->wiphy.retry_long = old_retry_long;
2365 			rdev->wiphy.frag_threshold = old_frag_threshold;
2366 			rdev->wiphy.rts_threshold = old_rts_threshold;
2367 			rdev->wiphy.coverage_class = old_coverage_class;
2368 			return result;
2369 		}
2370 	}
2371 	return 0;
2372 }
2373 
2374 static inline u64 wdev_id(struct wireless_dev *wdev)
2375 {
2376 	return (u64)wdev->identifier |
2377 	       ((u64)wiphy_to_rdev(wdev->wiphy)->wiphy_idx << 32);
2378 }
2379 
2380 static int nl80211_send_chandef(struct sk_buff *msg,
2381 				const struct cfg80211_chan_def *chandef)
2382 {
2383 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
2384 		return -EINVAL;
2385 
2386 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
2387 			chandef->chan->center_freq))
2388 		return -ENOBUFS;
2389 	switch (chandef->width) {
2390 	case NL80211_CHAN_WIDTH_20_NOHT:
2391 	case NL80211_CHAN_WIDTH_20:
2392 	case NL80211_CHAN_WIDTH_40:
2393 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
2394 				cfg80211_get_chandef_type(chandef)))
2395 			return -ENOBUFS;
2396 		break;
2397 	default:
2398 		break;
2399 	}
2400 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
2401 		return -ENOBUFS;
2402 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
2403 		return -ENOBUFS;
2404 	if (chandef->center_freq2 &&
2405 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
2406 		return -ENOBUFS;
2407 	return 0;
2408 }
2409 
2410 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
2411 			      struct cfg80211_registered_device *rdev,
2412 			      struct wireless_dev *wdev, bool removal)
2413 {
2414 	struct net_device *dev = wdev->netdev;
2415 	u8 cmd = NL80211_CMD_NEW_INTERFACE;
2416 	void *hdr;
2417 
2418 	if (removal)
2419 		cmd = NL80211_CMD_DEL_INTERFACE;
2420 
2421 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2422 	if (!hdr)
2423 		return -1;
2424 
2425 	if (dev &&
2426 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2427 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
2428 		goto nla_put_failure;
2429 
2430 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2431 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
2432 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
2433 			      NL80211_ATTR_PAD) ||
2434 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
2435 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2436 			rdev->devlist_generation ^
2437 			(cfg80211_rdev_list_generation << 2)))
2438 		goto nla_put_failure;
2439 
2440 	if (rdev->ops->get_channel) {
2441 		int ret;
2442 		struct cfg80211_chan_def chandef;
2443 
2444 		ret = rdev_get_channel(rdev, wdev, &chandef);
2445 		if (ret == 0) {
2446 			if (nl80211_send_chandef(msg, &chandef))
2447 				goto nla_put_failure;
2448 		}
2449 	}
2450 
2451 	if (rdev->ops->get_tx_power) {
2452 		int dbm, ret;
2453 
2454 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
2455 		if (ret == 0 &&
2456 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
2457 				DBM_TO_MBM(dbm)))
2458 			goto nla_put_failure;
2459 	}
2460 
2461 	if (wdev->ssid_len) {
2462 		if (nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
2463 			goto nla_put_failure;
2464 	}
2465 
2466 	genlmsg_end(msg, hdr);
2467 	return 0;
2468 
2469  nla_put_failure:
2470 	genlmsg_cancel(msg, hdr);
2471 	return -EMSGSIZE;
2472 }
2473 
2474 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
2475 {
2476 	int wp_idx = 0;
2477 	int if_idx = 0;
2478 	int wp_start = cb->args[0];
2479 	int if_start = cb->args[1];
2480 	struct cfg80211_registered_device *rdev;
2481 	struct wireless_dev *wdev;
2482 
2483 	rtnl_lock();
2484 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2485 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2486 			continue;
2487 		if (wp_idx < wp_start) {
2488 			wp_idx++;
2489 			continue;
2490 		}
2491 		if_idx = 0;
2492 
2493 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
2494 			if (if_idx < if_start) {
2495 				if_idx++;
2496 				continue;
2497 			}
2498 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
2499 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
2500 					       rdev, wdev, false) < 0) {
2501 				goto out;
2502 			}
2503 			if_idx++;
2504 		}
2505 
2506 		wp_idx++;
2507 	}
2508  out:
2509 	rtnl_unlock();
2510 
2511 	cb->args[0] = wp_idx;
2512 	cb->args[1] = if_idx;
2513 
2514 	return skb->len;
2515 }
2516 
2517 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
2518 {
2519 	struct sk_buff *msg;
2520 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2521 	struct wireless_dev *wdev = info->user_ptr[1];
2522 
2523 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2524 	if (!msg)
2525 		return -ENOMEM;
2526 
2527 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2528 			       rdev, wdev, false) < 0) {
2529 		nlmsg_free(msg);
2530 		return -ENOBUFS;
2531 	}
2532 
2533 	return genlmsg_reply(msg, info);
2534 }
2535 
2536 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
2537 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
2538 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
2539 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
2540 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
2541 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
2542 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
2543 };
2544 
2545 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
2546 {
2547 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
2548 	int flag;
2549 
2550 	*mntrflags = 0;
2551 
2552 	if (!nla)
2553 		return -EINVAL;
2554 
2555 	if (nla_parse_nested(flags, NL80211_MNTR_FLAG_MAX,
2556 			     nla, mntr_flags_policy))
2557 		return -EINVAL;
2558 
2559 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
2560 		if (flags[flag])
2561 			*mntrflags |= (1<<flag);
2562 
2563 	return 0;
2564 }
2565 
2566 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
2567 			       struct net_device *netdev, u8 use_4addr,
2568 			       enum nl80211_iftype iftype)
2569 {
2570 	if (!use_4addr) {
2571 		if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
2572 			return -EBUSY;
2573 		return 0;
2574 	}
2575 
2576 	switch (iftype) {
2577 	case NL80211_IFTYPE_AP_VLAN:
2578 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
2579 			return 0;
2580 		break;
2581 	case NL80211_IFTYPE_STATION:
2582 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
2583 			return 0;
2584 		break;
2585 	default:
2586 		break;
2587 	}
2588 
2589 	return -EOPNOTSUPP;
2590 }
2591 
2592 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
2593 {
2594 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2595 	struct vif_params params;
2596 	int err;
2597 	enum nl80211_iftype otype, ntype;
2598 	struct net_device *dev = info->user_ptr[1];
2599 	u32 _flags, *flags = NULL;
2600 	bool change = false;
2601 
2602 	memset(&params, 0, sizeof(params));
2603 
2604 	otype = ntype = dev->ieee80211_ptr->iftype;
2605 
2606 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2607 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2608 		if (otype != ntype)
2609 			change = true;
2610 		if (ntype > NL80211_IFTYPE_MAX)
2611 			return -EINVAL;
2612 	}
2613 
2614 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
2615 		struct wireless_dev *wdev = dev->ieee80211_ptr;
2616 
2617 		if (ntype != NL80211_IFTYPE_MESH_POINT)
2618 			return -EINVAL;
2619 		if (netif_running(dev))
2620 			return -EBUSY;
2621 
2622 		wdev_lock(wdev);
2623 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2624 			     IEEE80211_MAX_MESH_ID_LEN);
2625 		wdev->mesh_id_up_len =
2626 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2627 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2628 		       wdev->mesh_id_up_len);
2629 		wdev_unlock(wdev);
2630 	}
2631 
2632 	if (info->attrs[NL80211_ATTR_4ADDR]) {
2633 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2634 		change = true;
2635 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
2636 		if (err)
2637 			return err;
2638 	} else {
2639 		params.use_4addr = -1;
2640 	}
2641 
2642 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
2643 		if (ntype != NL80211_IFTYPE_MONITOR)
2644 			return -EINVAL;
2645 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
2646 					  &_flags);
2647 		if (err)
2648 			return err;
2649 
2650 		flags = &_flags;
2651 		change = true;
2652 	}
2653 
2654 	if (flags && (*flags & MONITOR_FLAG_ACTIVE) &&
2655 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
2656 		return -EOPNOTSUPP;
2657 
2658 	if (change)
2659 		err = cfg80211_change_iface(rdev, dev, ntype, flags, &params);
2660 	else
2661 		err = 0;
2662 
2663 	if (!err && params.use_4addr != -1)
2664 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
2665 
2666 	return err;
2667 }
2668 
2669 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
2670 {
2671 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2672 	struct vif_params params;
2673 	struct wireless_dev *wdev;
2674 	struct sk_buff *msg, *event;
2675 	int err;
2676 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
2677 	u32 flags;
2678 
2679 	/* to avoid failing a new interface creation due to pending removal */
2680 	cfg80211_destroy_ifaces(rdev);
2681 
2682 	memset(&params, 0, sizeof(params));
2683 
2684 	if (!info->attrs[NL80211_ATTR_IFNAME])
2685 		return -EINVAL;
2686 
2687 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2688 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2689 		if (type > NL80211_IFTYPE_MAX)
2690 			return -EINVAL;
2691 	}
2692 
2693 	if (!rdev->ops->add_virtual_intf ||
2694 	    !(rdev->wiphy.interface_modes & (1 << type)))
2695 		return -EOPNOTSUPP;
2696 
2697 	if ((type == NL80211_IFTYPE_P2P_DEVICE ||
2698 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
2699 	    info->attrs[NL80211_ATTR_MAC]) {
2700 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
2701 			   ETH_ALEN);
2702 		if (!is_valid_ether_addr(params.macaddr))
2703 			return -EADDRNOTAVAIL;
2704 	}
2705 
2706 	if (info->attrs[NL80211_ATTR_4ADDR]) {
2707 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2708 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
2709 		if (err)
2710 			return err;
2711 	}
2712 
2713 	err = parse_monitor_flags(type == NL80211_IFTYPE_MONITOR ?
2714 				  info->attrs[NL80211_ATTR_MNTR_FLAGS] : NULL,
2715 				  &flags);
2716 
2717 	if (!err && (flags & MONITOR_FLAG_ACTIVE) &&
2718 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
2719 		return -EOPNOTSUPP;
2720 
2721 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2722 	if (!msg)
2723 		return -ENOMEM;
2724 
2725 	wdev = rdev_add_virtual_intf(rdev,
2726 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
2727 				NET_NAME_USER, type, err ? NULL : &flags,
2728 				&params);
2729 	if (WARN_ON(!wdev)) {
2730 		nlmsg_free(msg);
2731 		return -EPROTO;
2732 	} else if (IS_ERR(wdev)) {
2733 		nlmsg_free(msg);
2734 		return PTR_ERR(wdev);
2735 	}
2736 
2737 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
2738 		wdev->owner_nlportid = info->snd_portid;
2739 
2740 	switch (type) {
2741 	case NL80211_IFTYPE_MESH_POINT:
2742 		if (!info->attrs[NL80211_ATTR_MESH_ID])
2743 			break;
2744 		wdev_lock(wdev);
2745 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2746 			     IEEE80211_MAX_MESH_ID_LEN);
2747 		wdev->mesh_id_up_len =
2748 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2749 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2750 		       wdev->mesh_id_up_len);
2751 		wdev_unlock(wdev);
2752 		break;
2753 	case NL80211_IFTYPE_P2P_DEVICE:
2754 		/*
2755 		 * P2P Device doesn't have a netdev, so doesn't go
2756 		 * through the netdev notifier and must be added here
2757 		 */
2758 		mutex_init(&wdev->mtx);
2759 		INIT_LIST_HEAD(&wdev->event_list);
2760 		spin_lock_init(&wdev->event_lock);
2761 		INIT_LIST_HEAD(&wdev->mgmt_registrations);
2762 		spin_lock_init(&wdev->mgmt_registrations_lock);
2763 
2764 		wdev->identifier = ++rdev->wdev_id;
2765 		list_add_rcu(&wdev->list, &rdev->wiphy.wdev_list);
2766 		rdev->devlist_generation++;
2767 		break;
2768 	default:
2769 		break;
2770 	}
2771 
2772 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2773 			       rdev, wdev, false) < 0) {
2774 		nlmsg_free(msg);
2775 		return -ENOBUFS;
2776 	}
2777 
2778 	event = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2779 	if (event) {
2780 		if (nl80211_send_iface(event, 0, 0, 0,
2781 				       rdev, wdev, false) < 0) {
2782 			nlmsg_free(event);
2783 			goto out;
2784 		}
2785 
2786 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
2787 					event, 0, NL80211_MCGRP_CONFIG,
2788 					GFP_KERNEL);
2789 	}
2790 
2791 out:
2792 	return genlmsg_reply(msg, info);
2793 }
2794 
2795 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
2796 {
2797 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2798 	struct wireless_dev *wdev = info->user_ptr[1];
2799 	struct sk_buff *msg;
2800 	int status;
2801 
2802 	if (!rdev->ops->del_virtual_intf)
2803 		return -EOPNOTSUPP;
2804 
2805 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2806 	if (msg && nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, true) < 0) {
2807 		nlmsg_free(msg);
2808 		msg = NULL;
2809 	}
2810 
2811 	/*
2812 	 * If we remove a wireless device without a netdev then clear
2813 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
2814 	 * to check if it needs to do dev_put(). Otherwise it crashes
2815 	 * since the wdev has been freed, unlike with a netdev where
2816 	 * we need the dev_put() for the netdev to really be freed.
2817 	 */
2818 	if (!wdev->netdev)
2819 		info->user_ptr[1] = NULL;
2820 
2821 	status = rdev_del_virtual_intf(rdev, wdev);
2822 	if (status >= 0 && msg)
2823 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
2824 					msg, 0, NL80211_MCGRP_CONFIG,
2825 					GFP_KERNEL);
2826 	else
2827 		nlmsg_free(msg);
2828 
2829 	return status;
2830 }
2831 
2832 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
2833 {
2834 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2835 	struct net_device *dev = info->user_ptr[1];
2836 	u16 noack_map;
2837 
2838 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
2839 		return -EINVAL;
2840 
2841 	if (!rdev->ops->set_noack_map)
2842 		return -EOPNOTSUPP;
2843 
2844 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
2845 
2846 	return rdev_set_noack_map(rdev, dev, noack_map);
2847 }
2848 
2849 struct get_key_cookie {
2850 	struct sk_buff *msg;
2851 	int error;
2852 	int idx;
2853 };
2854 
2855 static void get_key_callback(void *c, struct key_params *params)
2856 {
2857 	struct nlattr *key;
2858 	struct get_key_cookie *cookie = c;
2859 
2860 	if ((params->key &&
2861 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
2862 		     params->key_len, params->key)) ||
2863 	    (params->seq &&
2864 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
2865 		     params->seq_len, params->seq)) ||
2866 	    (params->cipher &&
2867 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
2868 			 params->cipher)))
2869 		goto nla_put_failure;
2870 
2871 	key = nla_nest_start(cookie->msg, NL80211_ATTR_KEY);
2872 	if (!key)
2873 		goto nla_put_failure;
2874 
2875 	if ((params->key &&
2876 	     nla_put(cookie->msg, NL80211_KEY_DATA,
2877 		     params->key_len, params->key)) ||
2878 	    (params->seq &&
2879 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
2880 		     params->seq_len, params->seq)) ||
2881 	    (params->cipher &&
2882 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
2883 			 params->cipher)))
2884 		goto nla_put_failure;
2885 
2886 	if (nla_put_u8(cookie->msg, NL80211_ATTR_KEY_IDX, cookie->idx))
2887 		goto nla_put_failure;
2888 
2889 	nla_nest_end(cookie->msg, key);
2890 
2891 	return;
2892  nla_put_failure:
2893 	cookie->error = 1;
2894 }
2895 
2896 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
2897 {
2898 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2899 	int err;
2900 	struct net_device *dev = info->user_ptr[1];
2901 	u8 key_idx = 0;
2902 	const u8 *mac_addr = NULL;
2903 	bool pairwise;
2904 	struct get_key_cookie cookie = {
2905 		.error = 0,
2906 	};
2907 	void *hdr;
2908 	struct sk_buff *msg;
2909 
2910 	if (info->attrs[NL80211_ATTR_KEY_IDX])
2911 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
2912 
2913 	if (key_idx > 5)
2914 		return -EINVAL;
2915 
2916 	if (info->attrs[NL80211_ATTR_MAC])
2917 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2918 
2919 	pairwise = !!mac_addr;
2920 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
2921 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
2922 		if (kt >= NUM_NL80211_KEYTYPES)
2923 			return -EINVAL;
2924 		if (kt != NL80211_KEYTYPE_GROUP &&
2925 		    kt != NL80211_KEYTYPE_PAIRWISE)
2926 			return -EINVAL;
2927 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
2928 	}
2929 
2930 	if (!rdev->ops->get_key)
2931 		return -EOPNOTSUPP;
2932 
2933 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2934 		return -ENOENT;
2935 
2936 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2937 	if (!msg)
2938 		return -ENOMEM;
2939 
2940 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
2941 			     NL80211_CMD_NEW_KEY);
2942 	if (!hdr)
2943 		goto nla_put_failure;
2944 
2945 	cookie.msg = msg;
2946 	cookie.idx = key_idx;
2947 
2948 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2949 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
2950 		goto nla_put_failure;
2951 	if (mac_addr &&
2952 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
2953 		goto nla_put_failure;
2954 
2955 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
2956 			   get_key_callback);
2957 
2958 	if (err)
2959 		goto free_msg;
2960 
2961 	if (cookie.error)
2962 		goto nla_put_failure;
2963 
2964 	genlmsg_end(msg, hdr);
2965 	return genlmsg_reply(msg, info);
2966 
2967  nla_put_failure:
2968 	err = -ENOBUFS;
2969  free_msg:
2970 	nlmsg_free(msg);
2971 	return err;
2972 }
2973 
2974 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
2975 {
2976 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2977 	struct key_parse key;
2978 	int err;
2979 	struct net_device *dev = info->user_ptr[1];
2980 
2981 	err = nl80211_parse_key(info, &key);
2982 	if (err)
2983 		return err;
2984 
2985 	if (key.idx < 0)
2986 		return -EINVAL;
2987 
2988 	/* only support setting default key */
2989 	if (!key.def && !key.defmgmt)
2990 		return -EINVAL;
2991 
2992 	wdev_lock(dev->ieee80211_ptr);
2993 
2994 	if (key.def) {
2995 		if (!rdev->ops->set_default_key) {
2996 			err = -EOPNOTSUPP;
2997 			goto out;
2998 		}
2999 
3000 		err = nl80211_key_allowed(dev->ieee80211_ptr);
3001 		if (err)
3002 			goto out;
3003 
3004 		err = rdev_set_default_key(rdev, dev, key.idx,
3005 						 key.def_uni, key.def_multi);
3006 
3007 		if (err)
3008 			goto out;
3009 
3010 #ifdef CONFIG_CFG80211_WEXT
3011 		dev->ieee80211_ptr->wext.default_key = key.idx;
3012 #endif
3013 	} else {
3014 		if (key.def_uni || !key.def_multi) {
3015 			err = -EINVAL;
3016 			goto out;
3017 		}
3018 
3019 		if (!rdev->ops->set_default_mgmt_key) {
3020 			err = -EOPNOTSUPP;
3021 			goto out;
3022 		}
3023 
3024 		err = nl80211_key_allowed(dev->ieee80211_ptr);
3025 		if (err)
3026 			goto out;
3027 
3028 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
3029 		if (err)
3030 			goto out;
3031 
3032 #ifdef CONFIG_CFG80211_WEXT
3033 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
3034 #endif
3035 	}
3036 
3037  out:
3038 	wdev_unlock(dev->ieee80211_ptr);
3039 
3040 	return err;
3041 }
3042 
3043 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
3044 {
3045 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3046 	int err;
3047 	struct net_device *dev = info->user_ptr[1];
3048 	struct key_parse key;
3049 	const u8 *mac_addr = NULL;
3050 
3051 	err = nl80211_parse_key(info, &key);
3052 	if (err)
3053 		return err;
3054 
3055 	if (!key.p.key)
3056 		return -EINVAL;
3057 
3058 	if (info->attrs[NL80211_ATTR_MAC])
3059 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3060 
3061 	if (key.type == -1) {
3062 		if (mac_addr)
3063 			key.type = NL80211_KEYTYPE_PAIRWISE;
3064 		else
3065 			key.type = NL80211_KEYTYPE_GROUP;
3066 	}
3067 
3068 	/* for now */
3069 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3070 	    key.type != NL80211_KEYTYPE_GROUP)
3071 		return -EINVAL;
3072 
3073 	if (!rdev->ops->add_key)
3074 		return -EOPNOTSUPP;
3075 
3076 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
3077 					   key.type == NL80211_KEYTYPE_PAIRWISE,
3078 					   mac_addr))
3079 		return -EINVAL;
3080 
3081 	wdev_lock(dev->ieee80211_ptr);
3082 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3083 	if (!err)
3084 		err = rdev_add_key(rdev, dev, key.idx,
3085 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3086 				    mac_addr, &key.p);
3087 	wdev_unlock(dev->ieee80211_ptr);
3088 
3089 	return err;
3090 }
3091 
3092 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
3093 {
3094 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3095 	int err;
3096 	struct net_device *dev = info->user_ptr[1];
3097 	u8 *mac_addr = NULL;
3098 	struct key_parse key;
3099 
3100 	err = nl80211_parse_key(info, &key);
3101 	if (err)
3102 		return err;
3103 
3104 	if (info->attrs[NL80211_ATTR_MAC])
3105 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3106 
3107 	if (key.type == -1) {
3108 		if (mac_addr)
3109 			key.type = NL80211_KEYTYPE_PAIRWISE;
3110 		else
3111 			key.type = NL80211_KEYTYPE_GROUP;
3112 	}
3113 
3114 	/* for now */
3115 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3116 	    key.type != NL80211_KEYTYPE_GROUP)
3117 		return -EINVAL;
3118 
3119 	if (!rdev->ops->del_key)
3120 		return -EOPNOTSUPP;
3121 
3122 	wdev_lock(dev->ieee80211_ptr);
3123 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3124 
3125 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
3126 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3127 		err = -ENOENT;
3128 
3129 	if (!err)
3130 		err = rdev_del_key(rdev, dev, key.idx,
3131 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3132 				   mac_addr);
3133 
3134 #ifdef CONFIG_CFG80211_WEXT
3135 	if (!err) {
3136 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
3137 			dev->ieee80211_ptr->wext.default_key = -1;
3138 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
3139 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
3140 	}
3141 #endif
3142 	wdev_unlock(dev->ieee80211_ptr);
3143 
3144 	return err;
3145 }
3146 
3147 /* This function returns an error or the number of nested attributes */
3148 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
3149 {
3150 	struct nlattr *attr;
3151 	int n_entries = 0, tmp;
3152 
3153 	nla_for_each_nested(attr, nl_attr, tmp) {
3154 		if (nla_len(attr) != ETH_ALEN)
3155 			return -EINVAL;
3156 
3157 		n_entries++;
3158 	}
3159 
3160 	return n_entries;
3161 }
3162 
3163 /*
3164  * This function parses ACL information and allocates memory for ACL data.
3165  * On successful return, the calling function is responsible to free the
3166  * ACL buffer returned by this function.
3167  */
3168 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
3169 						struct genl_info *info)
3170 {
3171 	enum nl80211_acl_policy acl_policy;
3172 	struct nlattr *attr;
3173 	struct cfg80211_acl_data *acl;
3174 	int i = 0, n_entries, tmp;
3175 
3176 	if (!wiphy->max_acl_mac_addrs)
3177 		return ERR_PTR(-EOPNOTSUPP);
3178 
3179 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
3180 		return ERR_PTR(-EINVAL);
3181 
3182 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
3183 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
3184 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
3185 		return ERR_PTR(-EINVAL);
3186 
3187 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
3188 		return ERR_PTR(-EINVAL);
3189 
3190 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
3191 	if (n_entries < 0)
3192 		return ERR_PTR(n_entries);
3193 
3194 	if (n_entries > wiphy->max_acl_mac_addrs)
3195 		return ERR_PTR(-ENOTSUPP);
3196 
3197 	acl = kzalloc(sizeof(*acl) + (sizeof(struct mac_address) * n_entries),
3198 		      GFP_KERNEL);
3199 	if (!acl)
3200 		return ERR_PTR(-ENOMEM);
3201 
3202 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
3203 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
3204 		i++;
3205 	}
3206 
3207 	acl->n_acl_entries = n_entries;
3208 	acl->acl_policy = acl_policy;
3209 
3210 	return acl;
3211 }
3212 
3213 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
3214 {
3215 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3216 	struct net_device *dev = info->user_ptr[1];
3217 	struct cfg80211_acl_data *acl;
3218 	int err;
3219 
3220 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3221 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3222 		return -EOPNOTSUPP;
3223 
3224 	if (!dev->ieee80211_ptr->beacon_interval)
3225 		return -EINVAL;
3226 
3227 	acl = parse_acl_data(&rdev->wiphy, info);
3228 	if (IS_ERR(acl))
3229 		return PTR_ERR(acl);
3230 
3231 	err = rdev_set_mac_acl(rdev, dev, acl);
3232 
3233 	kfree(acl);
3234 
3235 	return err;
3236 }
3237 
3238 static int nl80211_parse_beacon(struct nlattr *attrs[],
3239 				struct cfg80211_beacon_data *bcn)
3240 {
3241 	bool haveinfo = false;
3242 
3243 	if (!is_valid_ie_attr(attrs[NL80211_ATTR_BEACON_TAIL]) ||
3244 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE]) ||
3245 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE_PROBE_RESP]) ||
3246 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE_ASSOC_RESP]))
3247 		return -EINVAL;
3248 
3249 	memset(bcn, 0, sizeof(*bcn));
3250 
3251 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
3252 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
3253 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
3254 		if (!bcn->head_len)
3255 			return -EINVAL;
3256 		haveinfo = true;
3257 	}
3258 
3259 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
3260 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
3261 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
3262 		haveinfo = true;
3263 	}
3264 
3265 	if (!haveinfo)
3266 		return -EINVAL;
3267 
3268 	if (attrs[NL80211_ATTR_IE]) {
3269 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
3270 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
3271 	}
3272 
3273 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
3274 		bcn->proberesp_ies =
3275 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
3276 		bcn->proberesp_ies_len =
3277 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
3278 	}
3279 
3280 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
3281 		bcn->assocresp_ies =
3282 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
3283 		bcn->assocresp_ies_len =
3284 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
3285 	}
3286 
3287 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
3288 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
3289 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
3290 	}
3291 
3292 	return 0;
3293 }
3294 
3295 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
3296 				   struct cfg80211_ap_settings *params)
3297 {
3298 	struct wireless_dev *wdev;
3299 	bool ret = false;
3300 
3301 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3302 		if (wdev->iftype != NL80211_IFTYPE_AP &&
3303 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
3304 			continue;
3305 
3306 		if (!wdev->preset_chandef.chan)
3307 			continue;
3308 
3309 		params->chandef = wdev->preset_chandef;
3310 		ret = true;
3311 		break;
3312 	}
3313 
3314 	return ret;
3315 }
3316 
3317 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
3318 				    enum nl80211_auth_type auth_type,
3319 				    enum nl80211_commands cmd)
3320 {
3321 	if (auth_type > NL80211_AUTHTYPE_MAX)
3322 		return false;
3323 
3324 	switch (cmd) {
3325 	case NL80211_CMD_AUTHENTICATE:
3326 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
3327 		    auth_type == NL80211_AUTHTYPE_SAE)
3328 			return false;
3329 		return true;
3330 	case NL80211_CMD_CONNECT:
3331 	case NL80211_CMD_START_AP:
3332 		/* SAE not supported yet */
3333 		if (auth_type == NL80211_AUTHTYPE_SAE)
3334 			return false;
3335 		return true;
3336 	default:
3337 		return false;
3338 	}
3339 }
3340 
3341 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
3342 {
3343 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3344 	struct net_device *dev = info->user_ptr[1];
3345 	struct wireless_dev *wdev = dev->ieee80211_ptr;
3346 	struct cfg80211_ap_settings params;
3347 	int err;
3348 
3349 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3350 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3351 		return -EOPNOTSUPP;
3352 
3353 	if (!rdev->ops->start_ap)
3354 		return -EOPNOTSUPP;
3355 
3356 	if (wdev->beacon_interval)
3357 		return -EALREADY;
3358 
3359 	memset(&params, 0, sizeof(params));
3360 
3361 	/* these are required for START_AP */
3362 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
3363 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
3364 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
3365 		return -EINVAL;
3366 
3367 	err = nl80211_parse_beacon(info->attrs, &params.beacon);
3368 	if (err)
3369 		return err;
3370 
3371 	params.beacon_interval =
3372 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
3373 	params.dtim_period =
3374 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
3375 
3376 	err = cfg80211_validate_beacon_int(rdev, params.beacon_interval);
3377 	if (err)
3378 		return err;
3379 
3380 	/*
3381 	 * In theory, some of these attributes should be required here
3382 	 * but since they were not used when the command was originally
3383 	 * added, keep them optional for old user space programs to let
3384 	 * them continue to work with drivers that do not need the
3385 	 * additional information -- drivers must check!
3386 	 */
3387 	if (info->attrs[NL80211_ATTR_SSID]) {
3388 		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
3389 		params.ssid_len =
3390 			nla_len(info->attrs[NL80211_ATTR_SSID]);
3391 		if (params.ssid_len == 0 ||
3392 		    params.ssid_len > IEEE80211_MAX_SSID_LEN)
3393 			return -EINVAL;
3394 	}
3395 
3396 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID]) {
3397 		params.hidden_ssid = nla_get_u32(
3398 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
3399 		if (params.hidden_ssid != NL80211_HIDDEN_SSID_NOT_IN_USE &&
3400 		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_LEN &&
3401 		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_CONTENTS)
3402 			return -EINVAL;
3403 	}
3404 
3405 	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
3406 
3407 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
3408 		params.auth_type = nla_get_u32(
3409 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
3410 		if (!nl80211_valid_auth_type(rdev, params.auth_type,
3411 					     NL80211_CMD_START_AP))
3412 			return -EINVAL;
3413 	} else
3414 		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
3415 
3416 	err = nl80211_crypto_settings(rdev, info, &params.crypto,
3417 				      NL80211_MAX_NR_CIPHER_SUITES);
3418 	if (err)
3419 		return err;
3420 
3421 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
3422 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
3423 			return -EOPNOTSUPP;
3424 		params.inactivity_timeout = nla_get_u16(
3425 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
3426 	}
3427 
3428 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
3429 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3430 			return -EINVAL;
3431 		params.p2p_ctwindow =
3432 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
3433 		if (params.p2p_ctwindow > 127)
3434 			return -EINVAL;
3435 		if (params.p2p_ctwindow != 0 &&
3436 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
3437 			return -EINVAL;
3438 	}
3439 
3440 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
3441 		u8 tmp;
3442 
3443 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3444 			return -EINVAL;
3445 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
3446 		if (tmp > 1)
3447 			return -EINVAL;
3448 		params.p2p_opp_ps = tmp;
3449 		if (params.p2p_opp_ps != 0 &&
3450 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
3451 			return -EINVAL;
3452 	}
3453 
3454 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3455 		err = nl80211_parse_chandef(rdev, info, &params.chandef);
3456 		if (err)
3457 			return err;
3458 	} else if (wdev->preset_chandef.chan) {
3459 		params.chandef = wdev->preset_chandef;
3460 	} else if (!nl80211_get_ap_channel(rdev, &params))
3461 		return -EINVAL;
3462 
3463 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
3464 					   wdev->iftype))
3465 		return -EINVAL;
3466 
3467 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
3468 		params.smps_mode =
3469 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
3470 		switch (params.smps_mode) {
3471 		case NL80211_SMPS_OFF:
3472 			break;
3473 		case NL80211_SMPS_STATIC:
3474 			if (!(rdev->wiphy.features &
3475 			      NL80211_FEATURE_STATIC_SMPS))
3476 				return -EINVAL;
3477 			break;
3478 		case NL80211_SMPS_DYNAMIC:
3479 			if (!(rdev->wiphy.features &
3480 			      NL80211_FEATURE_DYNAMIC_SMPS))
3481 				return -EINVAL;
3482 			break;
3483 		default:
3484 			return -EINVAL;
3485 		}
3486 	} else {
3487 		params.smps_mode = NL80211_SMPS_OFF;
3488 	}
3489 
3490 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
3491 		params.acl = parse_acl_data(&rdev->wiphy, info);
3492 		if (IS_ERR(params.acl))
3493 			return PTR_ERR(params.acl);
3494 	}
3495 
3496 	params.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
3497 	if (params.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ])
3498 		return -EOPNOTSUPP;
3499 
3500 	wdev_lock(wdev);
3501 	err = rdev_start_ap(rdev, dev, &params);
3502 	if (!err) {
3503 		wdev->preset_chandef = params.chandef;
3504 		wdev->beacon_interval = params.beacon_interval;
3505 		wdev->chandef = params.chandef;
3506 		wdev->ssid_len = params.ssid_len;
3507 		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
3508 	}
3509 	wdev_unlock(wdev);
3510 
3511 	kfree(params.acl);
3512 
3513 	return err;
3514 }
3515 
3516 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
3517 {
3518 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3519 	struct net_device *dev = info->user_ptr[1];
3520 	struct wireless_dev *wdev = dev->ieee80211_ptr;
3521 	struct cfg80211_beacon_data params;
3522 	int err;
3523 
3524 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3525 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3526 		return -EOPNOTSUPP;
3527 
3528 	if (!rdev->ops->change_beacon)
3529 		return -EOPNOTSUPP;
3530 
3531 	if (!wdev->beacon_interval)
3532 		return -EINVAL;
3533 
3534 	err = nl80211_parse_beacon(info->attrs, &params);
3535 	if (err)
3536 		return err;
3537 
3538 	wdev_lock(wdev);
3539 	err = rdev_change_beacon(rdev, dev, &params);
3540 	wdev_unlock(wdev);
3541 
3542 	return err;
3543 }
3544 
3545 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
3546 {
3547 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3548 	struct net_device *dev = info->user_ptr[1];
3549 
3550 	return cfg80211_stop_ap(rdev, dev, false);
3551 }
3552 
3553 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
3554 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
3555 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
3556 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
3557 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
3558 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
3559 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
3560 };
3561 
3562 static int parse_station_flags(struct genl_info *info,
3563 			       enum nl80211_iftype iftype,
3564 			       struct station_parameters *params)
3565 {
3566 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
3567 	struct nlattr *nla;
3568 	int flag;
3569 
3570 	/*
3571 	 * Try parsing the new attribute first so userspace
3572 	 * can specify both for older kernels.
3573 	 */
3574 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
3575 	if (nla) {
3576 		struct nl80211_sta_flag_update *sta_flags;
3577 
3578 		sta_flags = nla_data(nla);
3579 		params->sta_flags_mask = sta_flags->mask;
3580 		params->sta_flags_set = sta_flags->set;
3581 		params->sta_flags_set &= params->sta_flags_mask;
3582 		if ((params->sta_flags_mask |
3583 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
3584 			return -EINVAL;
3585 		return 0;
3586 	}
3587 
3588 	/* if present, parse the old attribute */
3589 
3590 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
3591 	if (!nla)
3592 		return 0;
3593 
3594 	if (nla_parse_nested(flags, NL80211_STA_FLAG_MAX,
3595 			     nla, sta_flags_policy))
3596 		return -EINVAL;
3597 
3598 	/*
3599 	 * Only allow certain flags for interface types so that
3600 	 * other attributes are silently ignored. Remember that
3601 	 * this is backward compatibility code with old userspace
3602 	 * and shouldn't be hit in other cases anyway.
3603 	 */
3604 	switch (iftype) {
3605 	case NL80211_IFTYPE_AP:
3606 	case NL80211_IFTYPE_AP_VLAN:
3607 	case NL80211_IFTYPE_P2P_GO:
3608 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
3609 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
3610 					 BIT(NL80211_STA_FLAG_WME) |
3611 					 BIT(NL80211_STA_FLAG_MFP);
3612 		break;
3613 	case NL80211_IFTYPE_P2P_CLIENT:
3614 	case NL80211_IFTYPE_STATION:
3615 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
3616 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
3617 		break;
3618 	case NL80211_IFTYPE_MESH_POINT:
3619 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3620 					 BIT(NL80211_STA_FLAG_MFP) |
3621 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
3622 	default:
3623 		return -EINVAL;
3624 	}
3625 
3626 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
3627 		if (flags[flag]) {
3628 			params->sta_flags_set |= (1<<flag);
3629 
3630 			/* no longer support new API additions in old API */
3631 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
3632 				return -EINVAL;
3633 		}
3634 	}
3635 
3636 	return 0;
3637 }
3638 
3639 static bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info,
3640 				 int attr)
3641 {
3642 	struct nlattr *rate;
3643 	u32 bitrate;
3644 	u16 bitrate_compat;
3645 	enum nl80211_attrs rate_flg;
3646 
3647 	rate = nla_nest_start(msg, attr);
3648 	if (!rate)
3649 		return false;
3650 
3651 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
3652 	bitrate = cfg80211_calculate_bitrate(info);
3653 	/* report 16-bit bitrate only if we can */
3654 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
3655 	if (bitrate > 0 &&
3656 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
3657 		return false;
3658 	if (bitrate_compat > 0 &&
3659 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
3660 		return false;
3661 
3662 	switch (info->bw) {
3663 	case RATE_INFO_BW_5:
3664 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
3665 		break;
3666 	case RATE_INFO_BW_10:
3667 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
3668 		break;
3669 	default:
3670 		WARN_ON(1);
3671 		/* fall through */
3672 	case RATE_INFO_BW_20:
3673 		rate_flg = 0;
3674 		break;
3675 	case RATE_INFO_BW_40:
3676 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
3677 		break;
3678 	case RATE_INFO_BW_80:
3679 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
3680 		break;
3681 	case RATE_INFO_BW_160:
3682 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
3683 		break;
3684 	}
3685 
3686 	if (rate_flg && nla_put_flag(msg, rate_flg))
3687 		return false;
3688 
3689 	if (info->flags & RATE_INFO_FLAGS_MCS) {
3690 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
3691 			return false;
3692 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3693 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3694 			return false;
3695 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
3696 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
3697 			return false;
3698 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
3699 			return false;
3700 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3701 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3702 			return false;
3703 	}
3704 
3705 	nla_nest_end(msg, rate);
3706 	return true;
3707 }
3708 
3709 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
3710 			       int id)
3711 {
3712 	void *attr;
3713 	int i = 0;
3714 
3715 	if (!mask)
3716 		return true;
3717 
3718 	attr = nla_nest_start(msg, id);
3719 	if (!attr)
3720 		return false;
3721 
3722 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
3723 		if (!(mask & BIT(i)))
3724 			continue;
3725 
3726 		if (nla_put_u8(msg, i, signal[i]))
3727 			return false;
3728 	}
3729 
3730 	nla_nest_end(msg, attr);
3731 
3732 	return true;
3733 }
3734 
3735 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
3736 				u32 seq, int flags,
3737 				struct cfg80211_registered_device *rdev,
3738 				struct net_device *dev,
3739 				const u8 *mac_addr, struct station_info *sinfo)
3740 {
3741 	void *hdr;
3742 	struct nlattr *sinfoattr, *bss_param;
3743 
3744 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3745 	if (!hdr)
3746 		return -1;
3747 
3748 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3749 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
3750 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
3751 		goto nla_put_failure;
3752 
3753 	sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
3754 	if (!sinfoattr)
3755 		goto nla_put_failure;
3756 
3757 #define PUT_SINFO(attr, memb, type) do {				\
3758 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
3759 	if (sinfo->filled & (1ULL << NL80211_STA_INFO_ ## attr) &&	\
3760 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
3761 			     sinfo->memb))				\
3762 		goto nla_put_failure;					\
3763 	} while (0)
3764 #define PUT_SINFO_U64(attr, memb) do {					\
3765 	if (sinfo->filled & (1ULL << NL80211_STA_INFO_ ## attr) &&	\
3766 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
3767 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
3768 		goto nla_put_failure;					\
3769 	} while (0)
3770 
3771 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
3772 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
3773 
3774 	if (sinfo->filled & (BIT(NL80211_STA_INFO_RX_BYTES) |
3775 			     BIT(NL80211_STA_INFO_RX_BYTES64)) &&
3776 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
3777 			(u32)sinfo->rx_bytes))
3778 		goto nla_put_failure;
3779 
3780 	if (sinfo->filled & (BIT(NL80211_STA_INFO_TX_BYTES) |
3781 			     BIT(NL80211_STA_INFO_TX_BYTES64)) &&
3782 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
3783 			(u32)sinfo->tx_bytes))
3784 		goto nla_put_failure;
3785 
3786 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
3787 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
3788 	PUT_SINFO(LLID, llid, u16);
3789 	PUT_SINFO(PLID, plid, u16);
3790 	PUT_SINFO(PLINK_STATE, plink_state, u8);
3791 	PUT_SINFO_U64(RX_DURATION, rx_duration);
3792 
3793 	switch (rdev->wiphy.signal_type) {
3794 	case CFG80211_SIGNAL_TYPE_MBM:
3795 		PUT_SINFO(SIGNAL, signal, u8);
3796 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
3797 		break;
3798 	default:
3799 		break;
3800 	}
3801 	if (sinfo->filled & BIT(NL80211_STA_INFO_CHAIN_SIGNAL)) {
3802 		if (!nl80211_put_signal(msg, sinfo->chains,
3803 					sinfo->chain_signal,
3804 					NL80211_STA_INFO_CHAIN_SIGNAL))
3805 			goto nla_put_failure;
3806 	}
3807 	if (sinfo->filled & BIT(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
3808 		if (!nl80211_put_signal(msg, sinfo->chains,
3809 					sinfo->chain_signal_avg,
3810 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
3811 			goto nla_put_failure;
3812 	}
3813 	if (sinfo->filled & BIT(NL80211_STA_INFO_TX_BITRATE)) {
3814 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
3815 					  NL80211_STA_INFO_TX_BITRATE))
3816 			goto nla_put_failure;
3817 	}
3818 	if (sinfo->filled & BIT(NL80211_STA_INFO_RX_BITRATE)) {
3819 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
3820 					  NL80211_STA_INFO_RX_BITRATE))
3821 			goto nla_put_failure;
3822 	}
3823 
3824 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
3825 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
3826 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
3827 	PUT_SINFO(TX_FAILED, tx_failed, u32);
3828 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
3829 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
3830 	PUT_SINFO(LOCAL_PM, local_pm, u32);
3831 	PUT_SINFO(PEER_PM, peer_pm, u32);
3832 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
3833 
3834 	if (sinfo->filled & BIT(NL80211_STA_INFO_BSS_PARAM)) {
3835 		bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
3836 		if (!bss_param)
3837 			goto nla_put_failure;
3838 
3839 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
3840 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
3841 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
3842 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
3843 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
3844 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
3845 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
3846 			       sinfo->bss_param.dtim_period) ||
3847 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
3848 				sinfo->bss_param.beacon_interval))
3849 			goto nla_put_failure;
3850 
3851 		nla_nest_end(msg, bss_param);
3852 	}
3853 	if ((sinfo->filled & BIT(NL80211_STA_INFO_STA_FLAGS)) &&
3854 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
3855 		    sizeof(struct nl80211_sta_flag_update),
3856 		    &sinfo->sta_flags))
3857 		goto nla_put_failure;
3858 
3859 	PUT_SINFO_U64(T_OFFSET, t_offset);
3860 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
3861 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
3862 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
3863 
3864 #undef PUT_SINFO
3865 #undef PUT_SINFO_U64
3866 
3867 	if (sinfo->filled & BIT(NL80211_STA_INFO_TID_STATS)) {
3868 		struct nlattr *tidsattr;
3869 		int tid;
3870 
3871 		tidsattr = nla_nest_start(msg, NL80211_STA_INFO_TID_STATS);
3872 		if (!tidsattr)
3873 			goto nla_put_failure;
3874 
3875 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
3876 			struct cfg80211_tid_stats *tidstats;
3877 			struct nlattr *tidattr;
3878 
3879 			tidstats = &sinfo->pertid[tid];
3880 
3881 			if (!tidstats->filled)
3882 				continue;
3883 
3884 			tidattr = nla_nest_start(msg, tid + 1);
3885 			if (!tidattr)
3886 				goto nla_put_failure;
3887 
3888 #define PUT_TIDVAL_U64(attr, memb) do {					\
3889 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
3890 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
3891 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
3892 		goto nla_put_failure;					\
3893 	} while (0)
3894 
3895 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
3896 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
3897 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
3898 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
3899 
3900 #undef PUT_TIDVAL_U64
3901 			nla_nest_end(msg, tidattr);
3902 		}
3903 
3904 		nla_nest_end(msg, tidsattr);
3905 	}
3906 
3907 	nla_nest_end(msg, sinfoattr);
3908 
3909 	if (sinfo->assoc_req_ies_len &&
3910 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
3911 		    sinfo->assoc_req_ies))
3912 		goto nla_put_failure;
3913 
3914 	genlmsg_end(msg, hdr);
3915 	return 0;
3916 
3917  nla_put_failure:
3918 	genlmsg_cancel(msg, hdr);
3919 	return -EMSGSIZE;
3920 }
3921 
3922 static int nl80211_dump_station(struct sk_buff *skb,
3923 				struct netlink_callback *cb)
3924 {
3925 	struct station_info sinfo;
3926 	struct cfg80211_registered_device *rdev;
3927 	struct wireless_dev *wdev;
3928 	u8 mac_addr[ETH_ALEN];
3929 	int sta_idx = cb->args[2];
3930 	int err;
3931 
3932 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
3933 	if (err)
3934 		return err;
3935 
3936 	if (!wdev->netdev) {
3937 		err = -EINVAL;
3938 		goto out_err;
3939 	}
3940 
3941 	if (!rdev->ops->dump_station) {
3942 		err = -EOPNOTSUPP;
3943 		goto out_err;
3944 	}
3945 
3946 	while (1) {
3947 		memset(&sinfo, 0, sizeof(sinfo));
3948 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
3949 					mac_addr, &sinfo);
3950 		if (err == -ENOENT)
3951 			break;
3952 		if (err)
3953 			goto out_err;
3954 
3955 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
3956 				NETLINK_CB(cb->skb).portid,
3957 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
3958 				rdev, wdev->netdev, mac_addr,
3959 				&sinfo) < 0)
3960 			goto out;
3961 
3962 		sta_idx++;
3963 	}
3964 
3965 
3966  out:
3967 	cb->args[2] = sta_idx;
3968 	err = skb->len;
3969  out_err:
3970 	nl80211_finish_wdev_dump(rdev);
3971 
3972 	return err;
3973 }
3974 
3975 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
3976 {
3977 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3978 	struct net_device *dev = info->user_ptr[1];
3979 	struct station_info sinfo;
3980 	struct sk_buff *msg;
3981 	u8 *mac_addr = NULL;
3982 	int err;
3983 
3984 	memset(&sinfo, 0, sizeof(sinfo));
3985 
3986 	if (!info->attrs[NL80211_ATTR_MAC])
3987 		return -EINVAL;
3988 
3989 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3990 
3991 	if (!rdev->ops->get_station)
3992 		return -EOPNOTSUPP;
3993 
3994 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
3995 	if (err)
3996 		return err;
3997 
3998 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3999 	if (!msg)
4000 		return -ENOMEM;
4001 
4002 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
4003 				 info->snd_portid, info->snd_seq, 0,
4004 				 rdev, dev, mac_addr, &sinfo) < 0) {
4005 		nlmsg_free(msg);
4006 		return -ENOBUFS;
4007 	}
4008 
4009 	return genlmsg_reply(msg, info);
4010 }
4011 
4012 int cfg80211_check_station_change(struct wiphy *wiphy,
4013 				  struct station_parameters *params,
4014 				  enum cfg80211_station_type statype)
4015 {
4016 	if (params->listen_interval != -1 &&
4017 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
4018 		return -EINVAL;
4019 
4020 	if (params->support_p2p_ps != -1 &&
4021 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
4022 		return -EINVAL;
4023 
4024 	if (params->aid &&
4025 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
4026 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
4027 		return -EINVAL;
4028 
4029 	/* When you run into this, adjust the code below for the new flag */
4030 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
4031 
4032 	switch (statype) {
4033 	case CFG80211_STA_MESH_PEER_KERNEL:
4034 	case CFG80211_STA_MESH_PEER_USER:
4035 		/*
4036 		 * No ignoring the TDLS flag here -- the userspace mesh
4037 		 * code doesn't have the bug of including TDLS in the
4038 		 * mask everywhere.
4039 		 */
4040 		if (params->sta_flags_mask &
4041 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4042 				  BIT(NL80211_STA_FLAG_MFP) |
4043 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
4044 			return -EINVAL;
4045 		break;
4046 	case CFG80211_STA_TDLS_PEER_SETUP:
4047 	case CFG80211_STA_TDLS_PEER_ACTIVE:
4048 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
4049 			return -EINVAL;
4050 		/* ignore since it can't change */
4051 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
4052 		break;
4053 	default:
4054 		/* disallow mesh-specific things */
4055 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
4056 			return -EINVAL;
4057 		if (params->local_pm)
4058 			return -EINVAL;
4059 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
4060 			return -EINVAL;
4061 	}
4062 
4063 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
4064 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
4065 		/* TDLS can't be set, ... */
4066 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
4067 			return -EINVAL;
4068 		/*
4069 		 * ... but don't bother the driver with it. This works around
4070 		 * a hostapd/wpa_supplicant issue -- it always includes the
4071 		 * TLDS_PEER flag in the mask even for AP mode.
4072 		 */
4073 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
4074 	}
4075 
4076 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
4077 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
4078 		/* reject other things that can't change */
4079 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
4080 			return -EINVAL;
4081 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
4082 			return -EINVAL;
4083 		if (params->supported_rates)
4084 			return -EINVAL;
4085 		if (params->ext_capab || params->ht_capa || params->vht_capa)
4086 			return -EINVAL;
4087 	}
4088 
4089 	if (statype != CFG80211_STA_AP_CLIENT &&
4090 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
4091 		if (params->vlan)
4092 			return -EINVAL;
4093 	}
4094 
4095 	switch (statype) {
4096 	case CFG80211_STA_AP_MLME_CLIENT:
4097 		/* Use this only for authorizing/unauthorizing a station */
4098 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
4099 			return -EOPNOTSUPP;
4100 		break;
4101 	case CFG80211_STA_AP_CLIENT:
4102 	case CFG80211_STA_AP_CLIENT_UNASSOC:
4103 		/* accept only the listed bits */
4104 		if (params->sta_flags_mask &
4105 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
4106 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4107 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
4108 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
4109 				  BIT(NL80211_STA_FLAG_WME) |
4110 				  BIT(NL80211_STA_FLAG_MFP)))
4111 			return -EINVAL;
4112 
4113 		/* but authenticated/associated only if driver handles it */
4114 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
4115 		    params->sta_flags_mask &
4116 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4117 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
4118 			return -EINVAL;
4119 		break;
4120 	case CFG80211_STA_IBSS:
4121 	case CFG80211_STA_AP_STA:
4122 		/* reject any changes other than AUTHORIZED */
4123 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
4124 			return -EINVAL;
4125 		break;
4126 	case CFG80211_STA_TDLS_PEER_SETUP:
4127 		/* reject any changes other than AUTHORIZED or WME */
4128 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
4129 					       BIT(NL80211_STA_FLAG_WME)))
4130 			return -EINVAL;
4131 		/* force (at least) rates when authorizing */
4132 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
4133 		    !params->supported_rates)
4134 			return -EINVAL;
4135 		break;
4136 	case CFG80211_STA_TDLS_PEER_ACTIVE:
4137 		/* reject any changes */
4138 		return -EINVAL;
4139 	case CFG80211_STA_MESH_PEER_KERNEL:
4140 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
4141 			return -EINVAL;
4142 		break;
4143 	case CFG80211_STA_MESH_PEER_USER:
4144 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
4145 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
4146 			return -EINVAL;
4147 		break;
4148 	}
4149 
4150 	return 0;
4151 }
4152 EXPORT_SYMBOL(cfg80211_check_station_change);
4153 
4154 /*
4155  * Get vlan interface making sure it is running and on the right wiphy.
4156  */
4157 static struct net_device *get_vlan(struct genl_info *info,
4158 				   struct cfg80211_registered_device *rdev)
4159 {
4160 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
4161 	struct net_device *v;
4162 	int ret;
4163 
4164 	if (!vlanattr)
4165 		return NULL;
4166 
4167 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
4168 	if (!v)
4169 		return ERR_PTR(-ENODEV);
4170 
4171 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
4172 		ret = -EINVAL;
4173 		goto error;
4174 	}
4175 
4176 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
4177 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4178 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
4179 		ret = -EINVAL;
4180 		goto error;
4181 	}
4182 
4183 	if (!netif_running(v)) {
4184 		ret = -ENETDOWN;
4185 		goto error;
4186 	}
4187 
4188 	return v;
4189  error:
4190 	dev_put(v);
4191 	return ERR_PTR(ret);
4192 }
4193 
4194 static const struct nla_policy
4195 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
4196 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
4197 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
4198 };
4199 
4200 static int nl80211_parse_sta_wme(struct genl_info *info,
4201 				 struct station_parameters *params)
4202 {
4203 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
4204 	struct nlattr *nla;
4205 	int err;
4206 
4207 	/* parse WME attributes if present */
4208 	if (!info->attrs[NL80211_ATTR_STA_WME])
4209 		return 0;
4210 
4211 	nla = info->attrs[NL80211_ATTR_STA_WME];
4212 	err = nla_parse_nested(tb, NL80211_STA_WME_MAX, nla,
4213 			       nl80211_sta_wme_policy);
4214 	if (err)
4215 		return err;
4216 
4217 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
4218 		params->uapsd_queues = nla_get_u8(
4219 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
4220 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
4221 		return -EINVAL;
4222 
4223 	if (tb[NL80211_STA_WME_MAX_SP])
4224 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
4225 
4226 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
4227 		return -EINVAL;
4228 
4229 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
4230 
4231 	return 0;
4232 }
4233 
4234 static int nl80211_parse_sta_channel_info(struct genl_info *info,
4235 				      struct station_parameters *params)
4236 {
4237 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
4238 		params->supported_channels =
4239 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
4240 		params->supported_channels_len =
4241 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
4242 		/*
4243 		 * Need to include at least one (first channel, number of
4244 		 * channels) tuple for each subband, and must have proper
4245 		 * tuples for the rest of the data as well.
4246 		 */
4247 		if (params->supported_channels_len < 2)
4248 			return -EINVAL;
4249 		if (params->supported_channels_len % 2)
4250 			return -EINVAL;
4251 	}
4252 
4253 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
4254 		params->supported_oper_classes =
4255 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
4256 		params->supported_oper_classes_len =
4257 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
4258 		/*
4259 		 * The value of the Length field of the Supported Operating
4260 		 * Classes element is between 2 and 253.
4261 		 */
4262 		if (params->supported_oper_classes_len < 2 ||
4263 		    params->supported_oper_classes_len > 253)
4264 			return -EINVAL;
4265 	}
4266 	return 0;
4267 }
4268 
4269 static int nl80211_set_station_tdls(struct genl_info *info,
4270 				    struct station_parameters *params)
4271 {
4272 	int err;
4273 	/* Dummy STA entry gets updated once the peer capabilities are known */
4274 	if (info->attrs[NL80211_ATTR_PEER_AID])
4275 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
4276 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
4277 		params->ht_capa =
4278 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
4279 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
4280 		params->vht_capa =
4281 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
4282 
4283 	err = nl80211_parse_sta_channel_info(info, params);
4284 	if (err)
4285 		return err;
4286 
4287 	return nl80211_parse_sta_wme(info, params);
4288 }
4289 
4290 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
4291 {
4292 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4293 	struct net_device *dev = info->user_ptr[1];
4294 	struct station_parameters params;
4295 	u8 *mac_addr;
4296 	int err;
4297 
4298 	memset(&params, 0, sizeof(params));
4299 
4300 	if (!rdev->ops->change_station)
4301 		return -EOPNOTSUPP;
4302 
4303 	/*
4304 	 * AID and listen_interval properties can be set only for unassociated
4305 	 * station. Include these parameters here and will check them in
4306 	 * cfg80211_check_station_change().
4307 	 */
4308 	if (info->attrs[NL80211_ATTR_STA_AID])
4309 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
4310 
4311 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
4312 		params.listen_interval =
4313 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
4314 	else
4315 		params.listen_interval = -1;
4316 
4317 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
4318 		u8 tmp;
4319 
4320 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
4321 		if (tmp >= NUM_NL80211_P2P_PS_STATUS)
4322 			return -EINVAL;
4323 
4324 		params.support_p2p_ps = tmp;
4325 	} else {
4326 		params.support_p2p_ps = -1;
4327 	}
4328 
4329 	if (!info->attrs[NL80211_ATTR_MAC])
4330 		return -EINVAL;
4331 
4332 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4333 
4334 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
4335 		params.supported_rates =
4336 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4337 		params.supported_rates_len =
4338 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4339 	}
4340 
4341 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
4342 		params.capability =
4343 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
4344 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
4345 	}
4346 
4347 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
4348 		params.ext_capab =
4349 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4350 		params.ext_capab_len =
4351 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4352 	}
4353 
4354 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
4355 		return -EINVAL;
4356 
4357 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
4358 		params.plink_action =
4359 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
4360 		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
4361 			return -EINVAL;
4362 	}
4363 
4364 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
4365 		params.plink_state =
4366 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
4367 		if (params.plink_state >= NUM_NL80211_PLINK_STATES)
4368 			return -EINVAL;
4369 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
4370 	}
4371 
4372 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]) {
4373 		enum nl80211_mesh_power_mode pm = nla_get_u32(
4374 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
4375 
4376 		if (pm <= NL80211_MESH_POWER_UNKNOWN ||
4377 		    pm > NL80211_MESH_POWER_MAX)
4378 			return -EINVAL;
4379 
4380 		params.local_pm = pm;
4381 	}
4382 
4383 	/* Include parameters for TDLS peer (will check later) */
4384 	err = nl80211_set_station_tdls(info, &params);
4385 	if (err)
4386 		return err;
4387 
4388 	params.vlan = get_vlan(info, rdev);
4389 	if (IS_ERR(params.vlan))
4390 		return PTR_ERR(params.vlan);
4391 
4392 	switch (dev->ieee80211_ptr->iftype) {
4393 	case NL80211_IFTYPE_AP:
4394 	case NL80211_IFTYPE_AP_VLAN:
4395 	case NL80211_IFTYPE_P2P_GO:
4396 	case NL80211_IFTYPE_P2P_CLIENT:
4397 	case NL80211_IFTYPE_STATION:
4398 	case NL80211_IFTYPE_ADHOC:
4399 	case NL80211_IFTYPE_MESH_POINT:
4400 		break;
4401 	default:
4402 		err = -EOPNOTSUPP;
4403 		goto out_put_vlan;
4404 	}
4405 
4406 	/* driver will call cfg80211_check_station_change() */
4407 	err = rdev_change_station(rdev, dev, mac_addr, &params);
4408 
4409  out_put_vlan:
4410 	if (params.vlan)
4411 		dev_put(params.vlan);
4412 
4413 	return err;
4414 }
4415 
4416 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
4417 {
4418 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4419 	int err;
4420 	struct net_device *dev = info->user_ptr[1];
4421 	struct station_parameters params;
4422 	u8 *mac_addr = NULL;
4423 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4424 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
4425 
4426 	memset(&params, 0, sizeof(params));
4427 
4428 	if (!rdev->ops->add_station)
4429 		return -EOPNOTSUPP;
4430 
4431 	if (!info->attrs[NL80211_ATTR_MAC])
4432 		return -EINVAL;
4433 
4434 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
4435 		return -EINVAL;
4436 
4437 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
4438 		return -EINVAL;
4439 
4440 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
4441 	    !info->attrs[NL80211_ATTR_PEER_AID])
4442 		return -EINVAL;
4443 
4444 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4445 	params.supported_rates =
4446 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4447 	params.supported_rates_len =
4448 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4449 	params.listen_interval =
4450 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
4451 
4452 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
4453 		u8 tmp;
4454 
4455 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
4456 		if (tmp >= NUM_NL80211_P2P_PS_STATUS)
4457 			return -EINVAL;
4458 
4459 		params.support_p2p_ps = tmp;
4460 	} else {
4461 		/*
4462 		 * if not specified, assume it's supported for P2P GO interface,
4463 		 * and is NOT supported for AP interface
4464 		 */
4465 		params.support_p2p_ps =
4466 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
4467 	}
4468 
4469 	if (info->attrs[NL80211_ATTR_PEER_AID])
4470 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
4471 	else
4472 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
4473 	if (!params.aid || params.aid > IEEE80211_MAX_AID)
4474 		return -EINVAL;
4475 
4476 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
4477 		params.capability =
4478 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
4479 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
4480 	}
4481 
4482 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
4483 		params.ext_capab =
4484 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4485 		params.ext_capab_len =
4486 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4487 	}
4488 
4489 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
4490 		params.ht_capa =
4491 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
4492 
4493 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
4494 		params.vht_capa =
4495 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
4496 
4497 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
4498 		params.opmode_notif_used = true;
4499 		params.opmode_notif =
4500 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
4501 	}
4502 
4503 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
4504 		params.plink_action =
4505 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
4506 		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
4507 			return -EINVAL;
4508 	}
4509 
4510 	err = nl80211_parse_sta_channel_info(info, &params);
4511 	if (err)
4512 		return err;
4513 
4514 	err = nl80211_parse_sta_wme(info, &params);
4515 	if (err)
4516 		return err;
4517 
4518 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
4519 		return -EINVAL;
4520 
4521 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
4522 	 * as userspace might just pass through the capabilities from the IEs
4523 	 * directly, rather than enforcing this restriction and returning an
4524 	 * error in this case.
4525 	 */
4526 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
4527 		params.ht_capa = NULL;
4528 		params.vht_capa = NULL;
4529 	}
4530 
4531 	/* When you run into this, adjust the code below for the new flag */
4532 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
4533 
4534 	switch (dev->ieee80211_ptr->iftype) {
4535 	case NL80211_IFTYPE_AP:
4536 	case NL80211_IFTYPE_AP_VLAN:
4537 	case NL80211_IFTYPE_P2P_GO:
4538 		/* ignore WME attributes if iface/sta is not capable */
4539 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
4540 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
4541 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4542 
4543 		/* TDLS peers cannot be added */
4544 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
4545 		    info->attrs[NL80211_ATTR_PEER_AID])
4546 			return -EINVAL;
4547 		/* but don't bother the driver with it */
4548 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
4549 
4550 		/* allow authenticated/associated only if driver handles it */
4551 		if (!(rdev->wiphy.features &
4552 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
4553 		    params.sta_flags_mask & auth_assoc)
4554 			return -EINVAL;
4555 
4556 		/* Older userspace, or userspace wanting to be compatible with
4557 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
4558 		 * and assoc flags in the mask, but assumes the station will be
4559 		 * added as associated anyway since this was the required driver
4560 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
4561 		 * introduced.
4562 		 * In order to not bother drivers with this quirk in the API
4563 		 * set the flags in both the mask and set for new stations in
4564 		 * this case.
4565 		 */
4566 		if (!(params.sta_flags_mask & auth_assoc)) {
4567 			params.sta_flags_mask |= auth_assoc;
4568 			params.sta_flags_set |= auth_assoc;
4569 		}
4570 
4571 		/* must be last in here for error handling */
4572 		params.vlan = get_vlan(info, rdev);
4573 		if (IS_ERR(params.vlan))
4574 			return PTR_ERR(params.vlan);
4575 		break;
4576 	case NL80211_IFTYPE_MESH_POINT:
4577 		/* ignore uAPSD data */
4578 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4579 
4580 		/* associated is disallowed */
4581 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
4582 			return -EINVAL;
4583 		/* TDLS peers cannot be added */
4584 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
4585 		    info->attrs[NL80211_ATTR_PEER_AID])
4586 			return -EINVAL;
4587 		break;
4588 	case NL80211_IFTYPE_STATION:
4589 	case NL80211_IFTYPE_P2P_CLIENT:
4590 		/* ignore uAPSD data */
4591 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4592 
4593 		/* these are disallowed */
4594 		if (params.sta_flags_mask &
4595 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
4596 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
4597 			return -EINVAL;
4598 		/* Only TDLS peers can be added */
4599 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
4600 			return -EINVAL;
4601 		/* Can only add if TDLS ... */
4602 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
4603 			return -EOPNOTSUPP;
4604 		/* ... with external setup is supported */
4605 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
4606 			return -EOPNOTSUPP;
4607 		/*
4608 		 * Older wpa_supplicant versions always mark the TDLS peer
4609 		 * as authorized, but it shouldn't yet be.
4610 		 */
4611 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
4612 		break;
4613 	default:
4614 		return -EOPNOTSUPP;
4615 	}
4616 
4617 	/* be aware of params.vlan when changing code here */
4618 
4619 	err = rdev_add_station(rdev, dev, mac_addr, &params);
4620 
4621 	if (params.vlan)
4622 		dev_put(params.vlan);
4623 	return err;
4624 }
4625 
4626 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
4627 {
4628 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4629 	struct net_device *dev = info->user_ptr[1];
4630 	struct station_del_parameters params;
4631 
4632 	memset(&params, 0, sizeof(params));
4633 
4634 	if (info->attrs[NL80211_ATTR_MAC])
4635 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
4636 
4637 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4638 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
4639 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
4640 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4641 		return -EINVAL;
4642 
4643 	if (!rdev->ops->del_station)
4644 		return -EOPNOTSUPP;
4645 
4646 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
4647 		params.subtype =
4648 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
4649 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
4650 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
4651 			return -EINVAL;
4652 	} else {
4653 		/* Default to Deauthentication frame */
4654 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
4655 	}
4656 
4657 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
4658 		params.reason_code =
4659 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
4660 		if (params.reason_code == 0)
4661 			return -EINVAL; /* 0 is reserved */
4662 	} else {
4663 		/* Default to reason code 2 */
4664 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
4665 	}
4666 
4667 	return rdev_del_station(rdev, dev, &params);
4668 }
4669 
4670 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
4671 				int flags, struct net_device *dev,
4672 				u8 *dst, u8 *next_hop,
4673 				struct mpath_info *pinfo)
4674 {
4675 	void *hdr;
4676 	struct nlattr *pinfoattr;
4677 
4678 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
4679 	if (!hdr)
4680 		return -1;
4681 
4682 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4683 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
4684 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
4685 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
4686 		goto nla_put_failure;
4687 
4688 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MPATH_INFO);
4689 	if (!pinfoattr)
4690 		goto nla_put_failure;
4691 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
4692 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
4693 			pinfo->frame_qlen))
4694 		goto nla_put_failure;
4695 	if (((pinfo->filled & MPATH_INFO_SN) &&
4696 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
4697 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
4698 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
4699 			 pinfo->metric)) ||
4700 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
4701 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
4702 			 pinfo->exptime)) ||
4703 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
4704 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
4705 			pinfo->flags)) ||
4706 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
4707 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
4708 			 pinfo->discovery_timeout)) ||
4709 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
4710 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
4711 			pinfo->discovery_retries)))
4712 		goto nla_put_failure;
4713 
4714 	nla_nest_end(msg, pinfoattr);
4715 
4716 	genlmsg_end(msg, hdr);
4717 	return 0;
4718 
4719  nla_put_failure:
4720 	genlmsg_cancel(msg, hdr);
4721 	return -EMSGSIZE;
4722 }
4723 
4724 static int nl80211_dump_mpath(struct sk_buff *skb,
4725 			      struct netlink_callback *cb)
4726 {
4727 	struct mpath_info pinfo;
4728 	struct cfg80211_registered_device *rdev;
4729 	struct wireless_dev *wdev;
4730 	u8 dst[ETH_ALEN];
4731 	u8 next_hop[ETH_ALEN];
4732 	int path_idx = cb->args[2];
4733 	int err;
4734 
4735 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
4736 	if (err)
4737 		return err;
4738 
4739 	if (!rdev->ops->dump_mpath) {
4740 		err = -EOPNOTSUPP;
4741 		goto out_err;
4742 	}
4743 
4744 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
4745 		err = -EOPNOTSUPP;
4746 		goto out_err;
4747 	}
4748 
4749 	while (1) {
4750 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
4751 				      next_hop, &pinfo);
4752 		if (err == -ENOENT)
4753 			break;
4754 		if (err)
4755 			goto out_err;
4756 
4757 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
4758 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4759 				       wdev->netdev, dst, next_hop,
4760 				       &pinfo) < 0)
4761 			goto out;
4762 
4763 		path_idx++;
4764 	}
4765 
4766 
4767  out:
4768 	cb->args[2] = path_idx;
4769 	err = skb->len;
4770  out_err:
4771 	nl80211_finish_wdev_dump(rdev);
4772 	return err;
4773 }
4774 
4775 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
4776 {
4777 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4778 	int err;
4779 	struct net_device *dev = info->user_ptr[1];
4780 	struct mpath_info pinfo;
4781 	struct sk_buff *msg;
4782 	u8 *dst = NULL;
4783 	u8 next_hop[ETH_ALEN];
4784 
4785 	memset(&pinfo, 0, sizeof(pinfo));
4786 
4787 	if (!info->attrs[NL80211_ATTR_MAC])
4788 		return -EINVAL;
4789 
4790 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4791 
4792 	if (!rdev->ops->get_mpath)
4793 		return -EOPNOTSUPP;
4794 
4795 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4796 		return -EOPNOTSUPP;
4797 
4798 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
4799 	if (err)
4800 		return err;
4801 
4802 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4803 	if (!msg)
4804 		return -ENOMEM;
4805 
4806 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
4807 				 dev, dst, next_hop, &pinfo) < 0) {
4808 		nlmsg_free(msg);
4809 		return -ENOBUFS;
4810 	}
4811 
4812 	return genlmsg_reply(msg, info);
4813 }
4814 
4815 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
4816 {
4817 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4818 	struct net_device *dev = info->user_ptr[1];
4819 	u8 *dst = NULL;
4820 	u8 *next_hop = NULL;
4821 
4822 	if (!info->attrs[NL80211_ATTR_MAC])
4823 		return -EINVAL;
4824 
4825 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
4826 		return -EINVAL;
4827 
4828 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4829 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
4830 
4831 	if (!rdev->ops->change_mpath)
4832 		return -EOPNOTSUPP;
4833 
4834 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4835 		return -EOPNOTSUPP;
4836 
4837 	return rdev_change_mpath(rdev, dev, dst, next_hop);
4838 }
4839 
4840 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
4841 {
4842 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4843 	struct net_device *dev = info->user_ptr[1];
4844 	u8 *dst = NULL;
4845 	u8 *next_hop = NULL;
4846 
4847 	if (!info->attrs[NL80211_ATTR_MAC])
4848 		return -EINVAL;
4849 
4850 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
4851 		return -EINVAL;
4852 
4853 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4854 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
4855 
4856 	if (!rdev->ops->add_mpath)
4857 		return -EOPNOTSUPP;
4858 
4859 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4860 		return -EOPNOTSUPP;
4861 
4862 	return rdev_add_mpath(rdev, dev, dst, next_hop);
4863 }
4864 
4865 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
4866 {
4867 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4868 	struct net_device *dev = info->user_ptr[1];
4869 	u8 *dst = NULL;
4870 
4871 	if (info->attrs[NL80211_ATTR_MAC])
4872 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4873 
4874 	if (!rdev->ops->del_mpath)
4875 		return -EOPNOTSUPP;
4876 
4877 	return rdev_del_mpath(rdev, dev, dst);
4878 }
4879 
4880 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
4881 {
4882 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4883 	int err;
4884 	struct net_device *dev = info->user_ptr[1];
4885 	struct mpath_info pinfo;
4886 	struct sk_buff *msg;
4887 	u8 *dst = NULL;
4888 	u8 mpp[ETH_ALEN];
4889 
4890 	memset(&pinfo, 0, sizeof(pinfo));
4891 
4892 	if (!info->attrs[NL80211_ATTR_MAC])
4893 		return -EINVAL;
4894 
4895 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4896 
4897 	if (!rdev->ops->get_mpp)
4898 		return -EOPNOTSUPP;
4899 
4900 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4901 		return -EOPNOTSUPP;
4902 
4903 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
4904 	if (err)
4905 		return err;
4906 
4907 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4908 	if (!msg)
4909 		return -ENOMEM;
4910 
4911 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
4912 			       dev, dst, mpp, &pinfo) < 0) {
4913 		nlmsg_free(msg);
4914 		return -ENOBUFS;
4915 	}
4916 
4917 	return genlmsg_reply(msg, info);
4918 }
4919 
4920 static int nl80211_dump_mpp(struct sk_buff *skb,
4921 			    struct netlink_callback *cb)
4922 {
4923 	struct mpath_info pinfo;
4924 	struct cfg80211_registered_device *rdev;
4925 	struct wireless_dev *wdev;
4926 	u8 dst[ETH_ALEN];
4927 	u8 mpp[ETH_ALEN];
4928 	int path_idx = cb->args[2];
4929 	int err;
4930 
4931 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
4932 	if (err)
4933 		return err;
4934 
4935 	if (!rdev->ops->dump_mpp) {
4936 		err = -EOPNOTSUPP;
4937 		goto out_err;
4938 	}
4939 
4940 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
4941 		err = -EOPNOTSUPP;
4942 		goto out_err;
4943 	}
4944 
4945 	while (1) {
4946 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
4947 				    mpp, &pinfo);
4948 		if (err == -ENOENT)
4949 			break;
4950 		if (err)
4951 			goto out_err;
4952 
4953 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
4954 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4955 				       wdev->netdev, dst, mpp,
4956 				       &pinfo) < 0)
4957 			goto out;
4958 
4959 		path_idx++;
4960 	}
4961 
4962  out:
4963 	cb->args[2] = path_idx;
4964 	err = skb->len;
4965  out_err:
4966 	nl80211_finish_wdev_dump(rdev);
4967 	return err;
4968 }
4969 
4970 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
4971 {
4972 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4973 	struct net_device *dev = info->user_ptr[1];
4974 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4975 	struct bss_parameters params;
4976 	int err;
4977 
4978 	memset(&params, 0, sizeof(params));
4979 	/* default to not changing parameters */
4980 	params.use_cts_prot = -1;
4981 	params.use_short_preamble = -1;
4982 	params.use_short_slot_time = -1;
4983 	params.ap_isolate = -1;
4984 	params.ht_opmode = -1;
4985 	params.p2p_ctwindow = -1;
4986 	params.p2p_opp_ps = -1;
4987 
4988 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
4989 		params.use_cts_prot =
4990 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
4991 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
4992 		params.use_short_preamble =
4993 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
4994 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
4995 		params.use_short_slot_time =
4996 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
4997 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
4998 		params.basic_rates =
4999 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
5000 		params.basic_rates_len =
5001 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
5002 	}
5003 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
5004 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
5005 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
5006 		params.ht_opmode =
5007 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
5008 
5009 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
5010 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5011 			return -EINVAL;
5012 		params.p2p_ctwindow =
5013 			nla_get_s8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
5014 		if (params.p2p_ctwindow < 0)
5015 			return -EINVAL;
5016 		if (params.p2p_ctwindow != 0 &&
5017 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
5018 			return -EINVAL;
5019 	}
5020 
5021 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
5022 		u8 tmp;
5023 
5024 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5025 			return -EINVAL;
5026 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
5027 		if (tmp > 1)
5028 			return -EINVAL;
5029 		params.p2p_opp_ps = tmp;
5030 		if (params.p2p_opp_ps &&
5031 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
5032 			return -EINVAL;
5033 	}
5034 
5035 	if (!rdev->ops->change_bss)
5036 		return -EOPNOTSUPP;
5037 
5038 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5039 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5040 		return -EOPNOTSUPP;
5041 
5042 	wdev_lock(wdev);
5043 	err = rdev_change_bss(rdev, dev, &params);
5044 	wdev_unlock(wdev);
5045 
5046 	return err;
5047 }
5048 
5049 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
5050 {
5051 	char *data = NULL;
5052 	bool is_indoor;
5053 	enum nl80211_user_reg_hint_type user_reg_hint_type;
5054 	u32 owner_nlportid;
5055 
5056 
5057 	/*
5058 	 * You should only get this when cfg80211 hasn't yet initialized
5059 	 * completely when built-in to the kernel right between the time
5060 	 * window between nl80211_init() and regulatory_init(), if that is
5061 	 * even possible.
5062 	 */
5063 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
5064 		return -EINPROGRESS;
5065 
5066 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
5067 		user_reg_hint_type =
5068 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
5069 	else
5070 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
5071 
5072 	switch (user_reg_hint_type) {
5073 	case NL80211_USER_REG_HINT_USER:
5074 	case NL80211_USER_REG_HINT_CELL_BASE:
5075 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
5076 			return -EINVAL;
5077 
5078 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
5079 		return regulatory_hint_user(data, user_reg_hint_type);
5080 	case NL80211_USER_REG_HINT_INDOOR:
5081 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
5082 			owner_nlportid = info->snd_portid;
5083 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
5084 		} else {
5085 			owner_nlportid = 0;
5086 			is_indoor = true;
5087 		}
5088 
5089 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
5090 	default:
5091 		return -EINVAL;
5092 	}
5093 }
5094 
5095 static int nl80211_get_mesh_config(struct sk_buff *skb,
5096 				   struct genl_info *info)
5097 {
5098 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5099 	struct net_device *dev = info->user_ptr[1];
5100 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5101 	struct mesh_config cur_params;
5102 	int err = 0;
5103 	void *hdr;
5104 	struct nlattr *pinfoattr;
5105 	struct sk_buff *msg;
5106 
5107 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
5108 		return -EOPNOTSUPP;
5109 
5110 	if (!rdev->ops->get_mesh_config)
5111 		return -EOPNOTSUPP;
5112 
5113 	wdev_lock(wdev);
5114 	/* If not connected, get default parameters */
5115 	if (!wdev->mesh_id_len)
5116 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
5117 	else
5118 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
5119 	wdev_unlock(wdev);
5120 
5121 	if (err)
5122 		return err;
5123 
5124 	/* Draw up a netlink message to send back */
5125 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5126 	if (!msg)
5127 		return -ENOMEM;
5128 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
5129 			     NL80211_CMD_GET_MESH_CONFIG);
5130 	if (!hdr)
5131 		goto out;
5132 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MESH_CONFIG);
5133 	if (!pinfoattr)
5134 		goto nla_put_failure;
5135 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5136 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
5137 			cur_params.dot11MeshRetryTimeout) ||
5138 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
5139 			cur_params.dot11MeshConfirmTimeout) ||
5140 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
5141 			cur_params.dot11MeshHoldingTimeout) ||
5142 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
5143 			cur_params.dot11MeshMaxPeerLinks) ||
5144 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
5145 		       cur_params.dot11MeshMaxRetries) ||
5146 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
5147 		       cur_params.dot11MeshTTL) ||
5148 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
5149 		       cur_params.element_ttl) ||
5150 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
5151 		       cur_params.auto_open_plinks) ||
5152 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
5153 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
5154 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
5155 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
5156 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
5157 			cur_params.path_refresh_time) ||
5158 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
5159 			cur_params.min_discovery_timeout) ||
5160 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
5161 			cur_params.dot11MeshHWMPactivePathTimeout) ||
5162 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
5163 			cur_params.dot11MeshHWMPpreqMinInterval) ||
5164 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
5165 			cur_params.dot11MeshHWMPperrMinInterval) ||
5166 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
5167 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
5168 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
5169 		       cur_params.dot11MeshHWMPRootMode) ||
5170 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
5171 			cur_params.dot11MeshHWMPRannInterval) ||
5172 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
5173 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
5174 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
5175 		       cur_params.dot11MeshForwarding) ||
5176 	    nla_put_u32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
5177 			cur_params.rssi_threshold) ||
5178 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
5179 			cur_params.ht_opmode) ||
5180 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
5181 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
5182 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
5183 			cur_params.dot11MeshHWMProotInterval) ||
5184 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
5185 			cur_params.dot11MeshHWMPconfirmationInterval) ||
5186 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
5187 			cur_params.power_mode) ||
5188 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
5189 			cur_params.dot11MeshAwakeWindowDuration) ||
5190 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
5191 			cur_params.plink_timeout))
5192 		goto nla_put_failure;
5193 	nla_nest_end(msg, pinfoattr);
5194 	genlmsg_end(msg, hdr);
5195 	return genlmsg_reply(msg, info);
5196 
5197  nla_put_failure:
5198 	genlmsg_cancel(msg, hdr);
5199  out:
5200 	nlmsg_free(msg);
5201 	return -ENOBUFS;
5202 }
5203 
5204 static const struct nla_policy nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
5205 	[NL80211_MESHCONF_RETRY_TIMEOUT] = { .type = NLA_U16 },
5206 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] = { .type = NLA_U16 },
5207 	[NL80211_MESHCONF_HOLDING_TIMEOUT] = { .type = NLA_U16 },
5208 	[NL80211_MESHCONF_MAX_PEER_LINKS] = { .type = NLA_U16 },
5209 	[NL80211_MESHCONF_MAX_RETRIES] = { .type = NLA_U8 },
5210 	[NL80211_MESHCONF_TTL] = { .type = NLA_U8 },
5211 	[NL80211_MESHCONF_ELEMENT_TTL] = { .type = NLA_U8 },
5212 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = { .type = NLA_U8 },
5213 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] = { .type = NLA_U32 },
5214 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
5215 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
5216 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = { .type = NLA_U16 },
5217 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
5218 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] = { .type = NLA_U16 },
5219 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] = { .type = NLA_U16 },
5220 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] = { .type = NLA_U16 },
5221 	[NL80211_MESHCONF_HWMP_ROOTMODE] = { .type = NLA_U8 },
5222 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] = { .type = NLA_U16 },
5223 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = { .type = NLA_U8 },
5224 	[NL80211_MESHCONF_FORWARDING] = { .type = NLA_U8 },
5225 	[NL80211_MESHCONF_RSSI_THRESHOLD] = { .type = NLA_U32 },
5226 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
5227 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
5228 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] = { .type = NLA_U16 },
5229 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] = { .type = NLA_U16 },
5230 	[NL80211_MESHCONF_POWER_MODE] = { .type = NLA_U32 },
5231 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
5232 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
5233 };
5234 
5235 static const struct nla_policy
5236 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
5237 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
5238 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
5239 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
5240 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
5241 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
5242 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
5243 	[NL80211_MESH_SETUP_IE] = { .type = NLA_BINARY,
5244 				    .len = IEEE80211_MAX_DATA_LEN },
5245 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
5246 };
5247 
5248 static int nl80211_parse_mesh_config(struct genl_info *info,
5249 				     struct mesh_config *cfg,
5250 				     u32 *mask_out)
5251 {
5252 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
5253 	u32 mask = 0;
5254 
5255 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, min, max, mask, attr, fn) \
5256 do {									    \
5257 	if (tb[attr]) {							    \
5258 		if (fn(tb[attr]) < min || fn(tb[attr]) > max)		    \
5259 			return -EINVAL;					    \
5260 		cfg->param = fn(tb[attr]);				    \
5261 		mask |= (1 << (attr - 1));				    \
5262 	}								    \
5263 } while (0)
5264 
5265 
5266 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
5267 		return -EINVAL;
5268 	if (nla_parse_nested(tb, NL80211_MESHCONF_ATTR_MAX,
5269 			     info->attrs[NL80211_ATTR_MESH_CONFIG],
5270 			     nl80211_meshconf_params_policy))
5271 		return -EINVAL;
5272 
5273 	/* This makes sure that there aren't more than 32 mesh config
5274 	 * parameters (otherwise our bitfield scheme would not work.) */
5275 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
5276 
5277 	/* Fill in the params struct */
5278 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, 1, 255,
5279 				  mask, NL80211_MESHCONF_RETRY_TIMEOUT,
5280 				  nla_get_u16);
5281 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, 1, 255,
5282 				  mask, NL80211_MESHCONF_CONFIRM_TIMEOUT,
5283 				  nla_get_u16);
5284 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, 1, 255,
5285 				  mask, NL80211_MESHCONF_HOLDING_TIMEOUT,
5286 				  nla_get_u16);
5287 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, 0, 255,
5288 				  mask, NL80211_MESHCONF_MAX_PEER_LINKS,
5289 				  nla_get_u16);
5290 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, 0, 16,
5291 				  mask, NL80211_MESHCONF_MAX_RETRIES,
5292 				  nla_get_u8);
5293 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, 1, 255,
5294 				  mask, NL80211_MESHCONF_TTL, nla_get_u8);
5295 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, 1, 255,
5296 				  mask, NL80211_MESHCONF_ELEMENT_TTL,
5297 				  nla_get_u8);
5298 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, 0, 1,
5299 				  mask, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
5300 				  nla_get_u8);
5301 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
5302 				  1, 255, mask,
5303 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
5304 				  nla_get_u32);
5305 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, 0, 255,
5306 				  mask, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
5307 				  nla_get_u8);
5308 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, 1, 65535,
5309 				  mask, NL80211_MESHCONF_PATH_REFRESH_TIME,
5310 				  nla_get_u32);
5311 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, 1, 65535,
5312 				  mask, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
5313 				  nla_get_u16);
5314 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
5315 				  1, 65535, mask,
5316 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
5317 				  nla_get_u32);
5318 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval,
5319 				  1, 65535, mask,
5320 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
5321 				  nla_get_u16);
5322 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval,
5323 				  1, 65535, mask,
5324 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
5325 				  nla_get_u16);
5326 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5327 				  dot11MeshHWMPnetDiameterTraversalTime,
5328 				  1, 65535, mask,
5329 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
5330 				  nla_get_u16);
5331 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, 0, 4,
5332 				  mask, NL80211_MESHCONF_HWMP_ROOTMODE,
5333 				  nla_get_u8);
5334 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, 1, 65535,
5335 				  mask, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
5336 				  nla_get_u16);
5337 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5338 				  dot11MeshGateAnnouncementProtocol, 0, 1,
5339 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
5340 				  nla_get_u8);
5341 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, 0, 1,
5342 				  mask, NL80211_MESHCONF_FORWARDING,
5343 				  nla_get_u8);
5344 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, -255, 0,
5345 				  mask, NL80211_MESHCONF_RSSI_THRESHOLD,
5346 				  nla_get_s32);
5347 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, ht_opmode, 0, 16,
5348 				  mask, NL80211_MESHCONF_HT_OPMODE,
5349 				  nla_get_u16);
5350 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathToRootTimeout,
5351 				  1, 65535, mask,
5352 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
5353 				  nla_get_u32);
5354 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, 1, 65535,
5355 				  mask, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
5356 				  nla_get_u16);
5357 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5358 				  dot11MeshHWMPconfirmationInterval,
5359 				  1, 65535, mask,
5360 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
5361 				  nla_get_u16);
5362 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode,
5363 				  NL80211_MESH_POWER_ACTIVE,
5364 				  NL80211_MESH_POWER_MAX,
5365 				  mask, NL80211_MESHCONF_POWER_MODE,
5366 				  nla_get_u32);
5367 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration,
5368 				  0, 65535, mask,
5369 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
5370 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, 0, 0xffffffff,
5371 				  mask, NL80211_MESHCONF_PLINK_TIMEOUT,
5372 				  nla_get_u32);
5373 	if (mask_out)
5374 		*mask_out = mask;
5375 
5376 	return 0;
5377 
5378 #undef FILL_IN_MESH_PARAM_IF_SET
5379 }
5380 
5381 static int nl80211_parse_mesh_setup(struct genl_info *info,
5382 				     struct mesh_setup *setup)
5383 {
5384 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5385 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
5386 
5387 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
5388 		return -EINVAL;
5389 	if (nla_parse_nested(tb, NL80211_MESH_SETUP_ATTR_MAX,
5390 			     info->attrs[NL80211_ATTR_MESH_SETUP],
5391 			     nl80211_mesh_setup_params_policy))
5392 		return -EINVAL;
5393 
5394 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
5395 		setup->sync_method =
5396 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
5397 		 IEEE80211_SYNC_METHOD_VENDOR :
5398 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
5399 
5400 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
5401 		setup->path_sel_proto =
5402 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
5403 		 IEEE80211_PATH_PROTOCOL_VENDOR :
5404 		 IEEE80211_PATH_PROTOCOL_HWMP;
5405 
5406 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
5407 		setup->path_metric =
5408 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
5409 		 IEEE80211_PATH_METRIC_VENDOR :
5410 		 IEEE80211_PATH_METRIC_AIRTIME;
5411 
5412 
5413 	if (tb[NL80211_MESH_SETUP_IE]) {
5414 		struct nlattr *ieattr =
5415 			tb[NL80211_MESH_SETUP_IE];
5416 		if (!is_valid_ie_attr(ieattr))
5417 			return -EINVAL;
5418 		setup->ie = nla_data(ieattr);
5419 		setup->ie_len = nla_len(ieattr);
5420 	}
5421 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
5422 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
5423 		return -EINVAL;
5424 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
5425 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
5426 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
5427 	if (setup->is_secure)
5428 		setup->user_mpm = true;
5429 
5430 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
5431 		if (!setup->user_mpm)
5432 			return -EINVAL;
5433 		setup->auth_id =
5434 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
5435 	}
5436 
5437 	return 0;
5438 }
5439 
5440 static int nl80211_update_mesh_config(struct sk_buff *skb,
5441 				      struct genl_info *info)
5442 {
5443 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5444 	struct net_device *dev = info->user_ptr[1];
5445 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5446 	struct mesh_config cfg;
5447 	u32 mask;
5448 	int err;
5449 
5450 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
5451 		return -EOPNOTSUPP;
5452 
5453 	if (!rdev->ops->update_mesh_config)
5454 		return -EOPNOTSUPP;
5455 
5456 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
5457 	if (err)
5458 		return err;
5459 
5460 	wdev_lock(wdev);
5461 	if (!wdev->mesh_id_len)
5462 		err = -ENOLINK;
5463 
5464 	if (!err)
5465 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
5466 
5467 	wdev_unlock(wdev);
5468 
5469 	return err;
5470 }
5471 
5472 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
5473 			      struct sk_buff *msg)
5474 {
5475 	struct nlattr *nl_reg_rules;
5476 	unsigned int i;
5477 
5478 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
5479 	    (regdom->dfs_region &&
5480 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
5481 		goto nla_put_failure;
5482 
5483 	nl_reg_rules = nla_nest_start(msg, NL80211_ATTR_REG_RULES);
5484 	if (!nl_reg_rules)
5485 		goto nla_put_failure;
5486 
5487 	for (i = 0; i < regdom->n_reg_rules; i++) {
5488 		struct nlattr *nl_reg_rule;
5489 		const struct ieee80211_reg_rule *reg_rule;
5490 		const struct ieee80211_freq_range *freq_range;
5491 		const struct ieee80211_power_rule *power_rule;
5492 		unsigned int max_bandwidth_khz;
5493 
5494 		reg_rule = &regdom->reg_rules[i];
5495 		freq_range = &reg_rule->freq_range;
5496 		power_rule = &reg_rule->power_rule;
5497 
5498 		nl_reg_rule = nla_nest_start(msg, i);
5499 		if (!nl_reg_rule)
5500 			goto nla_put_failure;
5501 
5502 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
5503 		if (!max_bandwidth_khz)
5504 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
5505 								  reg_rule);
5506 
5507 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
5508 				reg_rule->flags) ||
5509 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
5510 				freq_range->start_freq_khz) ||
5511 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
5512 				freq_range->end_freq_khz) ||
5513 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
5514 				max_bandwidth_khz) ||
5515 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
5516 				power_rule->max_antenna_gain) ||
5517 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
5518 				power_rule->max_eirp) ||
5519 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
5520 				reg_rule->dfs_cac_ms))
5521 			goto nla_put_failure;
5522 
5523 		nla_nest_end(msg, nl_reg_rule);
5524 	}
5525 
5526 	nla_nest_end(msg, nl_reg_rules);
5527 	return 0;
5528 
5529 nla_put_failure:
5530 	return -EMSGSIZE;
5531 }
5532 
5533 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
5534 {
5535 	const struct ieee80211_regdomain *regdom = NULL;
5536 	struct cfg80211_registered_device *rdev;
5537 	struct wiphy *wiphy = NULL;
5538 	struct sk_buff *msg;
5539 	void *hdr;
5540 
5541 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5542 	if (!msg)
5543 		return -ENOBUFS;
5544 
5545 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
5546 			     NL80211_CMD_GET_REG);
5547 	if (!hdr)
5548 		goto put_failure;
5549 
5550 	if (info->attrs[NL80211_ATTR_WIPHY]) {
5551 		bool self_managed;
5552 
5553 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
5554 		if (IS_ERR(rdev)) {
5555 			nlmsg_free(msg);
5556 			return PTR_ERR(rdev);
5557 		}
5558 
5559 		wiphy = &rdev->wiphy;
5560 		self_managed = wiphy->regulatory_flags &
5561 			       REGULATORY_WIPHY_SELF_MANAGED;
5562 		regdom = get_wiphy_regdom(wiphy);
5563 
5564 		/* a self-managed-reg device must have a private regdom */
5565 		if (WARN_ON(!regdom && self_managed)) {
5566 			nlmsg_free(msg);
5567 			return -EINVAL;
5568 		}
5569 
5570 		if (regdom &&
5571 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
5572 			goto nla_put_failure;
5573 	}
5574 
5575 	if (!wiphy && reg_last_request_cell_base() &&
5576 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
5577 			NL80211_USER_REG_HINT_CELL_BASE))
5578 		goto nla_put_failure;
5579 
5580 	rcu_read_lock();
5581 
5582 	if (!regdom)
5583 		regdom = rcu_dereference(cfg80211_regdomain);
5584 
5585 	if (nl80211_put_regdom(regdom, msg))
5586 		goto nla_put_failure_rcu;
5587 
5588 	rcu_read_unlock();
5589 
5590 	genlmsg_end(msg, hdr);
5591 	return genlmsg_reply(msg, info);
5592 
5593 nla_put_failure_rcu:
5594 	rcu_read_unlock();
5595 nla_put_failure:
5596 	genlmsg_cancel(msg, hdr);
5597 put_failure:
5598 	nlmsg_free(msg);
5599 	return -EMSGSIZE;
5600 }
5601 
5602 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
5603 			       u32 seq, int flags, struct wiphy *wiphy,
5604 			       const struct ieee80211_regdomain *regdom)
5605 {
5606 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
5607 				   NL80211_CMD_GET_REG);
5608 
5609 	if (!hdr)
5610 		return -1;
5611 
5612 	genl_dump_check_consistent(cb, hdr, &nl80211_fam);
5613 
5614 	if (nl80211_put_regdom(regdom, msg))
5615 		goto nla_put_failure;
5616 
5617 	if (!wiphy && reg_last_request_cell_base() &&
5618 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
5619 			NL80211_USER_REG_HINT_CELL_BASE))
5620 		goto nla_put_failure;
5621 
5622 	if (wiphy &&
5623 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
5624 		goto nla_put_failure;
5625 
5626 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
5627 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
5628 		goto nla_put_failure;
5629 
5630 	genlmsg_end(msg, hdr);
5631 	return 0;
5632 
5633 nla_put_failure:
5634 	genlmsg_cancel(msg, hdr);
5635 	return -EMSGSIZE;
5636 }
5637 
5638 static int nl80211_get_reg_dump(struct sk_buff *skb,
5639 				struct netlink_callback *cb)
5640 {
5641 	const struct ieee80211_regdomain *regdom = NULL;
5642 	struct cfg80211_registered_device *rdev;
5643 	int err, reg_idx, start = cb->args[2];
5644 
5645 	rtnl_lock();
5646 
5647 	if (cfg80211_regdomain && start == 0) {
5648 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
5649 					  NLM_F_MULTI, NULL,
5650 					  rtnl_dereference(cfg80211_regdomain));
5651 		if (err < 0)
5652 			goto out_err;
5653 	}
5654 
5655 	/* the global regdom is idx 0 */
5656 	reg_idx = 1;
5657 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
5658 		regdom = get_wiphy_regdom(&rdev->wiphy);
5659 		if (!regdom)
5660 			continue;
5661 
5662 		if (++reg_idx <= start)
5663 			continue;
5664 
5665 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
5666 					  NLM_F_MULTI, &rdev->wiphy, regdom);
5667 		if (err < 0) {
5668 			reg_idx--;
5669 			break;
5670 		}
5671 	}
5672 
5673 	cb->args[2] = reg_idx;
5674 	err = skb->len;
5675 out_err:
5676 	rtnl_unlock();
5677 	return err;
5678 }
5679 
5680 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
5681 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
5682 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
5683 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
5684 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
5685 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
5686 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
5687 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
5688 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
5689 };
5690 
5691 static int parse_reg_rule(struct nlattr *tb[],
5692 	struct ieee80211_reg_rule *reg_rule)
5693 {
5694 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
5695 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
5696 
5697 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
5698 		return -EINVAL;
5699 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
5700 		return -EINVAL;
5701 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
5702 		return -EINVAL;
5703 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
5704 		return -EINVAL;
5705 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
5706 		return -EINVAL;
5707 
5708 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
5709 
5710 	freq_range->start_freq_khz =
5711 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
5712 	freq_range->end_freq_khz =
5713 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
5714 	freq_range->max_bandwidth_khz =
5715 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
5716 
5717 	power_rule->max_eirp =
5718 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
5719 
5720 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
5721 		power_rule->max_antenna_gain =
5722 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
5723 
5724 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
5725 		reg_rule->dfs_cac_ms =
5726 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
5727 
5728 	return 0;
5729 }
5730 
5731 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
5732 {
5733 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
5734 	struct nlattr *nl_reg_rule;
5735 	char *alpha2;
5736 	int rem_reg_rules, r;
5737 	u32 num_rules = 0, rule_idx = 0, size_of_regd;
5738 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
5739 	struct ieee80211_regdomain *rd;
5740 
5741 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
5742 		return -EINVAL;
5743 
5744 	if (!info->attrs[NL80211_ATTR_REG_RULES])
5745 		return -EINVAL;
5746 
5747 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
5748 
5749 	if (info->attrs[NL80211_ATTR_DFS_REGION])
5750 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
5751 
5752 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
5753 			    rem_reg_rules) {
5754 		num_rules++;
5755 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
5756 			return -EINVAL;
5757 	}
5758 
5759 	if (!reg_is_valid_request(alpha2))
5760 		return -EINVAL;
5761 
5762 	size_of_regd = sizeof(struct ieee80211_regdomain) +
5763 		       num_rules * sizeof(struct ieee80211_reg_rule);
5764 
5765 	rd = kzalloc(size_of_regd, GFP_KERNEL);
5766 	if (!rd)
5767 		return -ENOMEM;
5768 
5769 	rd->n_reg_rules = num_rules;
5770 	rd->alpha2[0] = alpha2[0];
5771 	rd->alpha2[1] = alpha2[1];
5772 
5773 	/*
5774 	 * Disable DFS master mode if the DFS region was
5775 	 * not supported or known on this kernel.
5776 	 */
5777 	if (reg_supported_dfs_region(dfs_region))
5778 		rd->dfs_region = dfs_region;
5779 
5780 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
5781 			    rem_reg_rules) {
5782 		r = nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
5783 			      nla_data(nl_reg_rule), nla_len(nl_reg_rule),
5784 			      reg_rule_policy);
5785 		if (r)
5786 			goto bad_reg;
5787 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
5788 		if (r)
5789 			goto bad_reg;
5790 
5791 		rule_idx++;
5792 
5793 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
5794 			r = -EINVAL;
5795 			goto bad_reg;
5796 		}
5797 	}
5798 
5799 	r = set_regdom(rd, REGD_SOURCE_CRDA);
5800 	/* set_regdom took ownership */
5801 	rd = NULL;
5802 
5803  bad_reg:
5804 	kfree(rd);
5805 	return r;
5806 }
5807 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
5808 
5809 static int validate_scan_freqs(struct nlattr *freqs)
5810 {
5811 	struct nlattr *attr1, *attr2;
5812 	int n_channels = 0, tmp1, tmp2;
5813 
5814 	nla_for_each_nested(attr1, freqs, tmp1) {
5815 		n_channels++;
5816 		/*
5817 		 * Some hardware has a limited channel list for
5818 		 * scanning, and it is pretty much nonsensical
5819 		 * to scan for a channel twice, so disallow that
5820 		 * and don't require drivers to check that the
5821 		 * channel list they get isn't longer than what
5822 		 * they can scan, as long as they can scan all
5823 		 * the channels they registered at once.
5824 		 */
5825 		nla_for_each_nested(attr2, freqs, tmp2)
5826 			if (attr1 != attr2 &&
5827 			    nla_get_u32(attr1) == nla_get_u32(attr2))
5828 				return 0;
5829 	}
5830 
5831 	return n_channels;
5832 }
5833 
5834 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
5835 {
5836 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
5837 }
5838 
5839 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
5840 			    struct cfg80211_bss_selection *bss_select)
5841 {
5842 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
5843 	struct nlattr *nest;
5844 	int err;
5845 	bool found = false;
5846 	int i;
5847 
5848 	/* only process one nested attribute */
5849 	nest = nla_data(nla);
5850 	if (!nla_ok(nest, nla_len(nest)))
5851 		return -EINVAL;
5852 
5853 	err = nla_parse(attr, NL80211_BSS_SELECT_ATTR_MAX, nla_data(nest),
5854 			nla_len(nest), nl80211_bss_select_policy);
5855 	if (err)
5856 		return err;
5857 
5858 	/* only one attribute may be given */
5859 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
5860 		if (attr[i]) {
5861 			if (found)
5862 				return -EINVAL;
5863 			found = true;
5864 		}
5865 	}
5866 
5867 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
5868 
5869 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
5870 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
5871 
5872 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
5873 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
5874 		bss_select->param.band_pref =
5875 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
5876 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
5877 			return -EINVAL;
5878 	}
5879 
5880 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
5881 		struct nl80211_bss_select_rssi_adjust *adj_param;
5882 
5883 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
5884 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
5885 		bss_select->param.adjust.band = adj_param->band;
5886 		bss_select->param.adjust.delta = adj_param->delta;
5887 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
5888 			return -EINVAL;
5889 	}
5890 
5891 	/* user-space did not provide behaviour attribute */
5892 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
5893 		return -EINVAL;
5894 
5895 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
5896 		return -EINVAL;
5897 
5898 	return 0;
5899 }
5900 
5901 static int nl80211_parse_random_mac(struct nlattr **attrs,
5902 				    u8 *mac_addr, u8 *mac_addr_mask)
5903 {
5904 	int i;
5905 
5906 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
5907 		eth_zero_addr(mac_addr);
5908 		eth_zero_addr(mac_addr_mask);
5909 		mac_addr[0] = 0x2;
5910 		mac_addr_mask[0] = 0x3;
5911 
5912 		return 0;
5913 	}
5914 
5915 	/* need both or none */
5916 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
5917 		return -EINVAL;
5918 
5919 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
5920 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
5921 
5922 	/* don't allow or configure an mcast address */
5923 	if (!is_multicast_ether_addr(mac_addr_mask) ||
5924 	    is_multicast_ether_addr(mac_addr))
5925 		return -EINVAL;
5926 
5927 	/*
5928 	 * allow users to pass a MAC address that has bits set outside
5929 	 * of the mask, but don't bother drivers with having to deal
5930 	 * with such bits
5931 	 */
5932 	for (i = 0; i < ETH_ALEN; i++)
5933 		mac_addr[i] &= mac_addr_mask[i];
5934 
5935 	return 0;
5936 }
5937 
5938 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
5939 {
5940 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5941 	struct wireless_dev *wdev = info->user_ptr[1];
5942 	struct cfg80211_scan_request *request;
5943 	struct nlattr *attr;
5944 	struct wiphy *wiphy;
5945 	int err, tmp, n_ssids = 0, n_channels, i;
5946 	size_t ie_len;
5947 
5948 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5949 		return -EINVAL;
5950 
5951 	wiphy = &rdev->wiphy;
5952 
5953 	if (!rdev->ops->scan)
5954 		return -EOPNOTSUPP;
5955 
5956 	if (rdev->scan_req || rdev->scan_msg) {
5957 		err = -EBUSY;
5958 		goto unlock;
5959 	}
5960 
5961 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5962 		n_channels = validate_scan_freqs(
5963 				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
5964 		if (!n_channels) {
5965 			err = -EINVAL;
5966 			goto unlock;
5967 		}
5968 	} else {
5969 		n_channels = ieee80211_get_num_supported_channels(wiphy);
5970 	}
5971 
5972 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
5973 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
5974 			n_ssids++;
5975 
5976 	if (n_ssids > wiphy->max_scan_ssids) {
5977 		err = -EINVAL;
5978 		goto unlock;
5979 	}
5980 
5981 	if (info->attrs[NL80211_ATTR_IE])
5982 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5983 	else
5984 		ie_len = 0;
5985 
5986 	if (ie_len > wiphy->max_scan_ie_len) {
5987 		err = -EINVAL;
5988 		goto unlock;
5989 	}
5990 
5991 	request = kzalloc(sizeof(*request)
5992 			+ sizeof(*request->ssids) * n_ssids
5993 			+ sizeof(*request->channels) * n_channels
5994 			+ ie_len, GFP_KERNEL);
5995 	if (!request) {
5996 		err = -ENOMEM;
5997 		goto unlock;
5998 	}
5999 
6000 	if (n_ssids)
6001 		request->ssids = (void *)&request->channels[n_channels];
6002 	request->n_ssids = n_ssids;
6003 	if (ie_len) {
6004 		if (n_ssids)
6005 			request->ie = (void *)(request->ssids + n_ssids);
6006 		else
6007 			request->ie = (void *)(request->channels + n_channels);
6008 	}
6009 
6010 	i = 0;
6011 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
6012 		/* user specified, bail out if channel not found */
6013 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
6014 			struct ieee80211_channel *chan;
6015 
6016 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
6017 
6018 			if (!chan) {
6019 				err = -EINVAL;
6020 				goto out_free;
6021 			}
6022 
6023 			/* ignore disabled channels */
6024 			if (chan->flags & IEEE80211_CHAN_DISABLED)
6025 				continue;
6026 
6027 			request->channels[i] = chan;
6028 			i++;
6029 		}
6030 	} else {
6031 		enum nl80211_band band;
6032 
6033 		/* all channels */
6034 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
6035 			int j;
6036 			if (!wiphy->bands[band])
6037 				continue;
6038 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
6039 				struct ieee80211_channel *chan;
6040 
6041 				chan = &wiphy->bands[band]->channels[j];
6042 
6043 				if (chan->flags & IEEE80211_CHAN_DISABLED)
6044 					continue;
6045 
6046 				request->channels[i] = chan;
6047 				i++;
6048 			}
6049 		}
6050 	}
6051 
6052 	if (!i) {
6053 		err = -EINVAL;
6054 		goto out_free;
6055 	}
6056 
6057 	request->n_channels = i;
6058 
6059 	i = 0;
6060 	if (n_ssids) {
6061 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
6062 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
6063 				err = -EINVAL;
6064 				goto out_free;
6065 			}
6066 			request->ssids[i].ssid_len = nla_len(attr);
6067 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
6068 			i++;
6069 		}
6070 	}
6071 
6072 	if (info->attrs[NL80211_ATTR_IE]) {
6073 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6074 		memcpy((void *)request->ie,
6075 		       nla_data(info->attrs[NL80211_ATTR_IE]),
6076 		       request->ie_len);
6077 	}
6078 
6079 	for (i = 0; i < NUM_NL80211_BANDS; i++)
6080 		if (wiphy->bands[i])
6081 			request->rates[i] =
6082 				(1 << wiphy->bands[i]->n_bitrates) - 1;
6083 
6084 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
6085 		nla_for_each_nested(attr,
6086 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
6087 				    tmp) {
6088 			enum nl80211_band band = nla_type(attr);
6089 
6090 			if (band < 0 || band >= NUM_NL80211_BANDS) {
6091 				err = -EINVAL;
6092 				goto out_free;
6093 			}
6094 
6095 			if (!wiphy->bands[band])
6096 				continue;
6097 
6098 			err = ieee80211_get_ratemask(wiphy->bands[band],
6099 						     nla_data(attr),
6100 						     nla_len(attr),
6101 						     &request->rates[band]);
6102 			if (err)
6103 				goto out_free;
6104 		}
6105 	}
6106 
6107 	if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
6108 		request->flags = nla_get_u32(
6109 			info->attrs[NL80211_ATTR_SCAN_FLAGS]);
6110 		if ((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
6111 		    !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) {
6112 			err = -EOPNOTSUPP;
6113 			goto out_free;
6114 		}
6115 
6116 		if (request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
6117 			if (!(wiphy->features &
6118 					NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR)) {
6119 				err = -EOPNOTSUPP;
6120 				goto out_free;
6121 			}
6122 
6123 			if (wdev->current_bss) {
6124 				err = -EOPNOTSUPP;
6125 				goto out_free;
6126 			}
6127 
6128 			err = nl80211_parse_random_mac(info->attrs,
6129 						       request->mac_addr,
6130 						       request->mac_addr_mask);
6131 			if (err)
6132 				goto out_free;
6133 		}
6134 	}
6135 
6136 	request->no_cck =
6137 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
6138 
6139 	if (info->attrs[NL80211_ATTR_MAC])
6140 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
6141 		       ETH_ALEN);
6142 	else
6143 		eth_broadcast_addr(request->bssid);
6144 
6145 	request->wdev = wdev;
6146 	request->wiphy = &rdev->wiphy;
6147 	request->scan_start = jiffies;
6148 
6149 	rdev->scan_req = request;
6150 	err = rdev_scan(rdev, request);
6151 
6152 	if (!err) {
6153 		nl80211_send_scan_start(rdev, wdev);
6154 		if (wdev->netdev)
6155 			dev_hold(wdev->netdev);
6156 	} else {
6157  out_free:
6158 		rdev->scan_req = NULL;
6159 		kfree(request);
6160 	}
6161 
6162  unlock:
6163 	return err;
6164 }
6165 
6166 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
6167 {
6168 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6169 	struct wireless_dev *wdev = info->user_ptr[1];
6170 
6171 	if (!rdev->ops->abort_scan)
6172 		return -EOPNOTSUPP;
6173 
6174 	if (rdev->scan_msg)
6175 		return 0;
6176 
6177 	if (!rdev->scan_req)
6178 		return -ENOENT;
6179 
6180 	rdev_abort_scan(rdev, wdev);
6181 	return 0;
6182 }
6183 
6184 static int
6185 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
6186 			       struct cfg80211_sched_scan_request *request,
6187 			       struct nlattr **attrs)
6188 {
6189 	int tmp, err, i = 0;
6190 	struct nlattr *attr;
6191 
6192 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
6193 		u32 interval;
6194 
6195 		/*
6196 		 * If scan plans are not specified,
6197 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL must be specified. In this
6198 		 * case one scan plan will be set with the specified scan
6199 		 * interval and infinite number of iterations.
6200 		 */
6201 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
6202 			return -EINVAL;
6203 
6204 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
6205 		if (!interval)
6206 			return -EINVAL;
6207 
6208 		request->scan_plans[0].interval =
6209 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
6210 		if (!request->scan_plans[0].interval)
6211 			return -EINVAL;
6212 
6213 		if (request->scan_plans[0].interval >
6214 		    wiphy->max_sched_scan_plan_interval)
6215 			request->scan_plans[0].interval =
6216 				wiphy->max_sched_scan_plan_interval;
6217 
6218 		return 0;
6219 	}
6220 
6221 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
6222 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
6223 
6224 		if (WARN_ON(i >= n_plans))
6225 			return -EINVAL;
6226 
6227 		err = nla_parse(plan, NL80211_SCHED_SCAN_PLAN_MAX,
6228 				nla_data(attr), nla_len(attr),
6229 				nl80211_plan_policy);
6230 		if (err)
6231 			return err;
6232 
6233 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
6234 			return -EINVAL;
6235 
6236 		request->scan_plans[i].interval =
6237 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
6238 		if (!request->scan_plans[i].interval ||
6239 		    request->scan_plans[i].interval >
6240 		    wiphy->max_sched_scan_plan_interval)
6241 			return -EINVAL;
6242 
6243 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
6244 			request->scan_plans[i].iterations =
6245 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
6246 			if (!request->scan_plans[i].iterations ||
6247 			    (request->scan_plans[i].iterations >
6248 			     wiphy->max_sched_scan_plan_iterations))
6249 				return -EINVAL;
6250 		} else if (i < n_plans - 1) {
6251 			/*
6252 			 * All scan plans but the last one must specify
6253 			 * a finite number of iterations
6254 			 */
6255 			return -EINVAL;
6256 		}
6257 
6258 		i++;
6259 	}
6260 
6261 	/*
6262 	 * The last scan plan must not specify the number of
6263 	 * iterations, it is supposed to run infinitely
6264 	 */
6265 	if (request->scan_plans[n_plans - 1].iterations)
6266 		return  -EINVAL;
6267 
6268 	return 0;
6269 }
6270 
6271 static struct cfg80211_sched_scan_request *
6272 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
6273 			 struct nlattr **attrs)
6274 {
6275 	struct cfg80211_sched_scan_request *request;
6276 	struct nlattr *attr;
6277 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
6278 	enum nl80211_band band;
6279 	size_t ie_len;
6280 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
6281 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
6282 
6283 	if (!is_valid_ie_attr(attrs[NL80211_ATTR_IE]))
6284 		return ERR_PTR(-EINVAL);
6285 
6286 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
6287 		n_channels = validate_scan_freqs(
6288 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
6289 		if (!n_channels)
6290 			return ERR_PTR(-EINVAL);
6291 	} else {
6292 		n_channels = ieee80211_get_num_supported_channels(wiphy);
6293 	}
6294 
6295 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
6296 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
6297 				    tmp)
6298 			n_ssids++;
6299 
6300 	if (n_ssids > wiphy->max_sched_scan_ssids)
6301 		return ERR_PTR(-EINVAL);
6302 
6303 	/*
6304 	 * First, count the number of 'real' matchsets. Due to an issue with
6305 	 * the old implementation, matchsets containing only the RSSI attribute
6306 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
6307 	 * RSSI for all matchsets, rather than their own matchset for reporting
6308 	 * all APs with a strong RSSI. This is needed to be compatible with
6309 	 * older userspace that treated a matchset with only the RSSI as the
6310 	 * global RSSI for all other matchsets - if there are other matchsets.
6311 	 */
6312 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
6313 		nla_for_each_nested(attr,
6314 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
6315 				    tmp) {
6316 			struct nlattr *rssi;
6317 
6318 			err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
6319 					nla_data(attr), nla_len(attr),
6320 					nl80211_match_policy);
6321 			if (err)
6322 				return ERR_PTR(err);
6323 			/* add other standalone attributes here */
6324 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID]) {
6325 				n_match_sets++;
6326 				continue;
6327 			}
6328 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
6329 			if (rssi)
6330 				default_match_rssi = nla_get_s32(rssi);
6331 		}
6332 	}
6333 
6334 	/* However, if there's no other matchset, add the RSSI one */
6335 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
6336 		n_match_sets = 1;
6337 
6338 	if (n_match_sets > wiphy->max_match_sets)
6339 		return ERR_PTR(-EINVAL);
6340 
6341 	if (attrs[NL80211_ATTR_IE])
6342 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
6343 	else
6344 		ie_len = 0;
6345 
6346 	if (ie_len > wiphy->max_sched_scan_ie_len)
6347 		return ERR_PTR(-EINVAL);
6348 
6349 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
6350 		/*
6351 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
6352 		 * each scan plan already specifies its own interval
6353 		 */
6354 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
6355 			return ERR_PTR(-EINVAL);
6356 
6357 		nla_for_each_nested(attr,
6358 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
6359 			n_plans++;
6360 	} else {
6361 		/*
6362 		 * The scan interval attribute is kept for backward
6363 		 * compatibility. If no scan plans are specified and sched scan
6364 		 * interval is specified, one scan plan will be set with this
6365 		 * scan interval and infinite number of iterations.
6366 		 */
6367 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
6368 			return ERR_PTR(-EINVAL);
6369 
6370 		n_plans = 1;
6371 	}
6372 
6373 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
6374 		return ERR_PTR(-EINVAL);
6375 
6376 	request = kzalloc(sizeof(*request)
6377 			+ sizeof(*request->ssids) * n_ssids
6378 			+ sizeof(*request->match_sets) * n_match_sets
6379 			+ sizeof(*request->scan_plans) * n_plans
6380 			+ sizeof(*request->channels) * n_channels
6381 			+ ie_len, GFP_KERNEL);
6382 	if (!request)
6383 		return ERR_PTR(-ENOMEM);
6384 
6385 	if (n_ssids)
6386 		request->ssids = (void *)&request->channels[n_channels];
6387 	request->n_ssids = n_ssids;
6388 	if (ie_len) {
6389 		if (n_ssids)
6390 			request->ie = (void *)(request->ssids + n_ssids);
6391 		else
6392 			request->ie = (void *)(request->channels + n_channels);
6393 	}
6394 
6395 	if (n_match_sets) {
6396 		if (request->ie)
6397 			request->match_sets = (void *)(request->ie + ie_len);
6398 		else if (n_ssids)
6399 			request->match_sets =
6400 				(void *)(request->ssids + n_ssids);
6401 		else
6402 			request->match_sets =
6403 				(void *)(request->channels + n_channels);
6404 	}
6405 	request->n_match_sets = n_match_sets;
6406 
6407 	if (n_match_sets)
6408 		request->scan_plans = (void *)(request->match_sets +
6409 					       n_match_sets);
6410 	else if (request->ie)
6411 		request->scan_plans = (void *)(request->ie + ie_len);
6412 	else if (n_ssids)
6413 		request->scan_plans = (void *)(request->ssids + n_ssids);
6414 	else
6415 		request->scan_plans = (void *)(request->channels + n_channels);
6416 
6417 	request->n_scan_plans = n_plans;
6418 
6419 	i = 0;
6420 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
6421 		/* user specified, bail out if channel not found */
6422 		nla_for_each_nested(attr,
6423 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
6424 				    tmp) {
6425 			struct ieee80211_channel *chan;
6426 
6427 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
6428 
6429 			if (!chan) {
6430 				err = -EINVAL;
6431 				goto out_free;
6432 			}
6433 
6434 			/* ignore disabled channels */
6435 			if (chan->flags & IEEE80211_CHAN_DISABLED)
6436 				continue;
6437 
6438 			request->channels[i] = chan;
6439 			i++;
6440 		}
6441 	} else {
6442 		/* all channels */
6443 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
6444 			int j;
6445 			if (!wiphy->bands[band])
6446 				continue;
6447 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
6448 				struct ieee80211_channel *chan;
6449 
6450 				chan = &wiphy->bands[band]->channels[j];
6451 
6452 				if (chan->flags & IEEE80211_CHAN_DISABLED)
6453 					continue;
6454 
6455 				request->channels[i] = chan;
6456 				i++;
6457 			}
6458 		}
6459 	}
6460 
6461 	if (!i) {
6462 		err = -EINVAL;
6463 		goto out_free;
6464 	}
6465 
6466 	request->n_channels = i;
6467 
6468 	i = 0;
6469 	if (n_ssids) {
6470 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
6471 				    tmp) {
6472 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
6473 				err = -EINVAL;
6474 				goto out_free;
6475 			}
6476 			request->ssids[i].ssid_len = nla_len(attr);
6477 			memcpy(request->ssids[i].ssid, nla_data(attr),
6478 			       nla_len(attr));
6479 			i++;
6480 		}
6481 	}
6482 
6483 	i = 0;
6484 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
6485 		nla_for_each_nested(attr,
6486 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
6487 				    tmp) {
6488 			struct nlattr *ssid, *rssi;
6489 
6490 			err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
6491 					nla_data(attr), nla_len(attr),
6492 					nl80211_match_policy);
6493 			if (err)
6494 				goto out_free;
6495 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
6496 			if (ssid) {
6497 				if (WARN_ON(i >= n_match_sets)) {
6498 					/* this indicates a programming error,
6499 					 * the loop above should have verified
6500 					 * things properly
6501 					 */
6502 					err = -EINVAL;
6503 					goto out_free;
6504 				}
6505 
6506 				if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
6507 					err = -EINVAL;
6508 					goto out_free;
6509 				}
6510 				memcpy(request->match_sets[i].ssid.ssid,
6511 				       nla_data(ssid), nla_len(ssid));
6512 				request->match_sets[i].ssid.ssid_len =
6513 					nla_len(ssid);
6514 				/* special attribute - old implemenation w/a */
6515 				request->match_sets[i].rssi_thold =
6516 					default_match_rssi;
6517 				rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
6518 				if (rssi)
6519 					request->match_sets[i].rssi_thold =
6520 						nla_get_s32(rssi);
6521 			}
6522 			i++;
6523 		}
6524 
6525 		/* there was no other matchset, so the RSSI one is alone */
6526 		if (i == 0 && n_match_sets)
6527 			request->match_sets[0].rssi_thold = default_match_rssi;
6528 
6529 		request->min_rssi_thold = INT_MAX;
6530 		for (i = 0; i < n_match_sets; i++)
6531 			request->min_rssi_thold =
6532 				min(request->match_sets[i].rssi_thold,
6533 				    request->min_rssi_thold);
6534 	} else {
6535 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
6536 	}
6537 
6538 	if (ie_len) {
6539 		request->ie_len = ie_len;
6540 		memcpy((void *)request->ie,
6541 		       nla_data(attrs[NL80211_ATTR_IE]),
6542 		       request->ie_len);
6543 	}
6544 
6545 	if (attrs[NL80211_ATTR_SCAN_FLAGS]) {
6546 		request->flags = nla_get_u32(
6547 			attrs[NL80211_ATTR_SCAN_FLAGS]);
6548 		if ((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
6549 		    !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) {
6550 			err = -EOPNOTSUPP;
6551 			goto out_free;
6552 		}
6553 
6554 		if (request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
6555 			u32 flg = NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR;
6556 
6557 			if (!wdev) /* must be net-detect */
6558 				flg = NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
6559 
6560 			if (!(wiphy->features & flg)) {
6561 				err = -EOPNOTSUPP;
6562 				goto out_free;
6563 			}
6564 
6565 			if (wdev && wdev->current_bss) {
6566 				err = -EOPNOTSUPP;
6567 				goto out_free;
6568 			}
6569 
6570 			err = nl80211_parse_random_mac(attrs, request->mac_addr,
6571 						       request->mac_addr_mask);
6572 			if (err)
6573 				goto out_free;
6574 		}
6575 	}
6576 
6577 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
6578 		request->delay =
6579 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
6580 
6581 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
6582 	if (err)
6583 		goto out_free;
6584 
6585 	request->scan_start = jiffies;
6586 
6587 	return request;
6588 
6589 out_free:
6590 	kfree(request);
6591 	return ERR_PTR(err);
6592 }
6593 
6594 static int nl80211_start_sched_scan(struct sk_buff *skb,
6595 				    struct genl_info *info)
6596 {
6597 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6598 	struct net_device *dev = info->user_ptr[1];
6599 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6600 	struct cfg80211_sched_scan_request *sched_scan_req;
6601 	int err;
6602 
6603 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
6604 	    !rdev->ops->sched_scan_start)
6605 		return -EOPNOTSUPP;
6606 
6607 	if (rdev->sched_scan_req)
6608 		return -EINPROGRESS;
6609 
6610 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
6611 						  info->attrs);
6612 
6613 	err = PTR_ERR_OR_ZERO(sched_scan_req);
6614 	if (err)
6615 		goto out_err;
6616 
6617 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
6618 	if (err)
6619 		goto out_free;
6620 
6621 	sched_scan_req->dev = dev;
6622 	sched_scan_req->wiphy = &rdev->wiphy;
6623 
6624 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6625 		sched_scan_req->owner_nlportid = info->snd_portid;
6626 
6627 	rcu_assign_pointer(rdev->sched_scan_req, sched_scan_req);
6628 
6629 	nl80211_send_sched_scan(rdev, dev,
6630 				NL80211_CMD_START_SCHED_SCAN);
6631 	return 0;
6632 
6633 out_free:
6634 	kfree(sched_scan_req);
6635 out_err:
6636 	return err;
6637 }
6638 
6639 static int nl80211_stop_sched_scan(struct sk_buff *skb,
6640 				   struct genl_info *info)
6641 {
6642 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6643 
6644 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
6645 	    !rdev->ops->sched_scan_stop)
6646 		return -EOPNOTSUPP;
6647 
6648 	return __cfg80211_stop_sched_scan(rdev, false);
6649 }
6650 
6651 static int nl80211_start_radar_detection(struct sk_buff *skb,
6652 					 struct genl_info *info)
6653 {
6654 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6655 	struct net_device *dev = info->user_ptr[1];
6656 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6657 	struct cfg80211_chan_def chandef;
6658 	enum nl80211_dfs_regions dfs_region;
6659 	unsigned int cac_time_ms;
6660 	int err;
6661 
6662 	dfs_region = reg_get_dfs_region(wdev->wiphy);
6663 	if (dfs_region == NL80211_DFS_UNSET)
6664 		return -EINVAL;
6665 
6666 	err = nl80211_parse_chandef(rdev, info, &chandef);
6667 	if (err)
6668 		return err;
6669 
6670 	if (netif_carrier_ok(dev))
6671 		return -EBUSY;
6672 
6673 	if (wdev->cac_started)
6674 		return -EBUSY;
6675 
6676 	err = cfg80211_chandef_dfs_required(wdev->wiphy, &chandef,
6677 					    wdev->iftype);
6678 	if (err < 0)
6679 		return err;
6680 
6681 	if (err == 0)
6682 		return -EINVAL;
6683 
6684 	if (!cfg80211_chandef_dfs_usable(wdev->wiphy, &chandef))
6685 		return -EINVAL;
6686 
6687 	if (!rdev->ops->start_radar_detection)
6688 		return -EOPNOTSUPP;
6689 
6690 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
6691 	if (WARN_ON(!cac_time_ms))
6692 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
6693 
6694 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
6695 	if (!err) {
6696 		wdev->chandef = chandef;
6697 		wdev->cac_started = true;
6698 		wdev->cac_start_time = jiffies;
6699 		wdev->cac_time_ms = cac_time_ms;
6700 	}
6701 	return err;
6702 }
6703 
6704 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
6705 {
6706 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6707 	struct net_device *dev = info->user_ptr[1];
6708 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6709 	struct cfg80211_csa_settings params;
6710 	/* csa_attrs is defined static to avoid waste of stack size - this
6711 	 * function is called under RTNL lock, so this should not be a problem.
6712 	 */
6713 	static struct nlattr *csa_attrs[NL80211_ATTR_MAX+1];
6714 	int err;
6715 	bool need_new_beacon = false;
6716 	int len, i;
6717 	u32 cs_count;
6718 
6719 	if (!rdev->ops->channel_switch ||
6720 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
6721 		return -EOPNOTSUPP;
6722 
6723 	switch (dev->ieee80211_ptr->iftype) {
6724 	case NL80211_IFTYPE_AP:
6725 	case NL80211_IFTYPE_P2P_GO:
6726 		need_new_beacon = true;
6727 
6728 		/* useless if AP is not running */
6729 		if (!wdev->beacon_interval)
6730 			return -ENOTCONN;
6731 		break;
6732 	case NL80211_IFTYPE_ADHOC:
6733 		if (!wdev->ssid_len)
6734 			return -ENOTCONN;
6735 		break;
6736 	case NL80211_IFTYPE_MESH_POINT:
6737 		if (!wdev->mesh_id_len)
6738 			return -ENOTCONN;
6739 		break;
6740 	default:
6741 		return -EOPNOTSUPP;
6742 	}
6743 
6744 	memset(&params, 0, sizeof(params));
6745 
6746 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
6747 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
6748 		return -EINVAL;
6749 
6750 	/* only important for AP, IBSS and mesh create IEs internally */
6751 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
6752 		return -EINVAL;
6753 
6754 	/* Even though the attribute is u32, the specification says
6755 	 * u8, so let's make sure we don't overflow.
6756 	 */
6757 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
6758 	if (cs_count > 255)
6759 		return -EINVAL;
6760 
6761 	params.count = cs_count;
6762 
6763 	if (!need_new_beacon)
6764 		goto skip_beacons;
6765 
6766 	err = nl80211_parse_beacon(info->attrs, &params.beacon_after);
6767 	if (err)
6768 		return err;
6769 
6770 	err = nla_parse_nested(csa_attrs, NL80211_ATTR_MAX,
6771 			       info->attrs[NL80211_ATTR_CSA_IES],
6772 			       nl80211_policy);
6773 	if (err)
6774 		return err;
6775 
6776 	err = nl80211_parse_beacon(csa_attrs, &params.beacon_csa);
6777 	if (err)
6778 		return err;
6779 
6780 	if (!csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON])
6781 		return -EINVAL;
6782 
6783 	len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
6784 	if (!len || (len % sizeof(u16)))
6785 		return -EINVAL;
6786 
6787 	params.n_counter_offsets_beacon = len / sizeof(u16);
6788 	if (rdev->wiphy.max_num_csa_counters &&
6789 	    (params.n_counter_offsets_beacon >
6790 	     rdev->wiphy.max_num_csa_counters))
6791 		return -EINVAL;
6792 
6793 	params.counter_offsets_beacon =
6794 		nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
6795 
6796 	/* sanity checks - counters should fit and be the same */
6797 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
6798 		u16 offset = params.counter_offsets_beacon[i];
6799 
6800 		if (offset >= params.beacon_csa.tail_len)
6801 			return -EINVAL;
6802 
6803 		if (params.beacon_csa.tail[offset] != params.count)
6804 			return -EINVAL;
6805 	}
6806 
6807 	if (csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]) {
6808 		len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
6809 		if (!len || (len % sizeof(u16)))
6810 			return -EINVAL;
6811 
6812 		params.n_counter_offsets_presp = len / sizeof(u16);
6813 		if (rdev->wiphy.max_num_csa_counters &&
6814 		    (params.n_counter_offsets_beacon >
6815 		     rdev->wiphy.max_num_csa_counters))
6816 			return -EINVAL;
6817 
6818 		params.counter_offsets_presp =
6819 			nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
6820 
6821 		/* sanity checks - counters should fit and be the same */
6822 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
6823 			u16 offset = params.counter_offsets_presp[i];
6824 
6825 			if (offset >= params.beacon_csa.probe_resp_len)
6826 				return -EINVAL;
6827 
6828 			if (params.beacon_csa.probe_resp[offset] !=
6829 			    params.count)
6830 				return -EINVAL;
6831 		}
6832 	}
6833 
6834 skip_beacons:
6835 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
6836 	if (err)
6837 		return err;
6838 
6839 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
6840 					   wdev->iftype))
6841 		return -EINVAL;
6842 
6843 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
6844 					    &params.chandef,
6845 					    wdev->iftype);
6846 	if (err < 0)
6847 		return err;
6848 
6849 	if (err > 0)
6850 		params.radar_required = true;
6851 
6852 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
6853 		params.block_tx = true;
6854 
6855 	wdev_lock(wdev);
6856 	err = rdev_channel_switch(rdev, dev, &params);
6857 	wdev_unlock(wdev);
6858 
6859 	return err;
6860 }
6861 
6862 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
6863 			    u32 seq, int flags,
6864 			    struct cfg80211_registered_device *rdev,
6865 			    struct wireless_dev *wdev,
6866 			    struct cfg80211_internal_bss *intbss)
6867 {
6868 	struct cfg80211_bss *res = &intbss->pub;
6869 	const struct cfg80211_bss_ies *ies;
6870 	void *hdr;
6871 	struct nlattr *bss;
6872 
6873 	ASSERT_WDEV_LOCK(wdev);
6874 
6875 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
6876 			     NL80211_CMD_NEW_SCAN_RESULTS);
6877 	if (!hdr)
6878 		return -1;
6879 
6880 	genl_dump_check_consistent(cb, hdr, &nl80211_fam);
6881 
6882 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
6883 		goto nla_put_failure;
6884 	if (wdev->netdev &&
6885 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
6886 		goto nla_put_failure;
6887 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
6888 			      NL80211_ATTR_PAD))
6889 		goto nla_put_failure;
6890 
6891 	bss = nla_nest_start(msg, NL80211_ATTR_BSS);
6892 	if (!bss)
6893 		goto nla_put_failure;
6894 	if ((!is_zero_ether_addr(res->bssid) &&
6895 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
6896 		goto nla_put_failure;
6897 
6898 	rcu_read_lock();
6899 	/* indicate whether we have probe response data or not */
6900 	if (rcu_access_pointer(res->proberesp_ies) &&
6901 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
6902 		goto fail_unlock_rcu;
6903 
6904 	/* this pointer prefers to be pointed to probe response data
6905 	 * but is always valid
6906 	 */
6907 	ies = rcu_dereference(res->ies);
6908 	if (ies) {
6909 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
6910 				      NL80211_BSS_PAD))
6911 			goto fail_unlock_rcu;
6912 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
6913 					ies->len, ies->data))
6914 			goto fail_unlock_rcu;
6915 	}
6916 
6917 	/* and this pointer is always (unless driver didn't know) beacon data */
6918 	ies = rcu_dereference(res->beacon_ies);
6919 	if (ies && ies->from_beacon) {
6920 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
6921 				      NL80211_BSS_PAD))
6922 			goto fail_unlock_rcu;
6923 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
6924 					ies->len, ies->data))
6925 			goto fail_unlock_rcu;
6926 	}
6927 	rcu_read_unlock();
6928 
6929 	if (res->beacon_interval &&
6930 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
6931 		goto nla_put_failure;
6932 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
6933 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
6934 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
6935 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
6936 			jiffies_to_msecs(jiffies - intbss->ts)))
6937 		goto nla_put_failure;
6938 
6939 	if (intbss->ts_boottime &&
6940 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
6941 			      intbss->ts_boottime, NL80211_BSS_PAD))
6942 		goto nla_put_failure;
6943 
6944 	switch (rdev->wiphy.signal_type) {
6945 	case CFG80211_SIGNAL_TYPE_MBM:
6946 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
6947 			goto nla_put_failure;
6948 		break;
6949 	case CFG80211_SIGNAL_TYPE_UNSPEC:
6950 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
6951 			goto nla_put_failure;
6952 		break;
6953 	default:
6954 		break;
6955 	}
6956 
6957 	switch (wdev->iftype) {
6958 	case NL80211_IFTYPE_P2P_CLIENT:
6959 	case NL80211_IFTYPE_STATION:
6960 		if (intbss == wdev->current_bss &&
6961 		    nla_put_u32(msg, NL80211_BSS_STATUS,
6962 				NL80211_BSS_STATUS_ASSOCIATED))
6963 			goto nla_put_failure;
6964 		break;
6965 	case NL80211_IFTYPE_ADHOC:
6966 		if (intbss == wdev->current_bss &&
6967 		    nla_put_u32(msg, NL80211_BSS_STATUS,
6968 				NL80211_BSS_STATUS_IBSS_JOINED))
6969 			goto nla_put_failure;
6970 		break;
6971 	default:
6972 		break;
6973 	}
6974 
6975 	nla_nest_end(msg, bss);
6976 
6977 	genlmsg_end(msg, hdr);
6978 	return 0;
6979 
6980  fail_unlock_rcu:
6981 	rcu_read_unlock();
6982  nla_put_failure:
6983 	genlmsg_cancel(msg, hdr);
6984 	return -EMSGSIZE;
6985 }
6986 
6987 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
6988 {
6989 	struct cfg80211_registered_device *rdev;
6990 	struct cfg80211_internal_bss *scan;
6991 	struct wireless_dev *wdev;
6992 	int start = cb->args[2], idx = 0;
6993 	int err;
6994 
6995 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
6996 	if (err)
6997 		return err;
6998 
6999 	wdev_lock(wdev);
7000 	spin_lock_bh(&rdev->bss_lock);
7001 	cfg80211_bss_expire(rdev);
7002 
7003 	cb->seq = rdev->bss_generation;
7004 
7005 	list_for_each_entry(scan, &rdev->bss_list, list) {
7006 		if (++idx <= start)
7007 			continue;
7008 		if (nl80211_send_bss(skb, cb,
7009 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
7010 				rdev, wdev, scan) < 0) {
7011 			idx--;
7012 			break;
7013 		}
7014 	}
7015 
7016 	spin_unlock_bh(&rdev->bss_lock);
7017 	wdev_unlock(wdev);
7018 
7019 	cb->args[2] = idx;
7020 	nl80211_finish_wdev_dump(rdev);
7021 
7022 	return skb->len;
7023 }
7024 
7025 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
7026 			       int flags, struct net_device *dev,
7027 			       bool allow_radio_stats,
7028 			       struct survey_info *survey)
7029 {
7030 	void *hdr;
7031 	struct nlattr *infoattr;
7032 
7033 	/* skip radio stats if userspace didn't request them */
7034 	if (!survey->channel && !allow_radio_stats)
7035 		return 0;
7036 
7037 	hdr = nl80211hdr_put(msg, portid, seq, flags,
7038 			     NL80211_CMD_NEW_SURVEY_RESULTS);
7039 	if (!hdr)
7040 		return -ENOMEM;
7041 
7042 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
7043 		goto nla_put_failure;
7044 
7045 	infoattr = nla_nest_start(msg, NL80211_ATTR_SURVEY_INFO);
7046 	if (!infoattr)
7047 		goto nla_put_failure;
7048 
7049 	if (survey->channel &&
7050 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
7051 			survey->channel->center_freq))
7052 		goto nla_put_failure;
7053 
7054 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
7055 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
7056 		goto nla_put_failure;
7057 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
7058 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
7059 		goto nla_put_failure;
7060 	if ((survey->filled & SURVEY_INFO_TIME) &&
7061 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
7062 			survey->time, NL80211_SURVEY_INFO_PAD))
7063 		goto nla_put_failure;
7064 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
7065 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
7066 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
7067 		goto nla_put_failure;
7068 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
7069 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
7070 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
7071 		goto nla_put_failure;
7072 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
7073 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
7074 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
7075 		goto nla_put_failure;
7076 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
7077 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
7078 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
7079 		goto nla_put_failure;
7080 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
7081 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
7082 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
7083 		goto nla_put_failure;
7084 
7085 	nla_nest_end(msg, infoattr);
7086 
7087 	genlmsg_end(msg, hdr);
7088 	return 0;
7089 
7090  nla_put_failure:
7091 	genlmsg_cancel(msg, hdr);
7092 	return -EMSGSIZE;
7093 }
7094 
7095 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
7096 {
7097 	struct survey_info survey;
7098 	struct cfg80211_registered_device *rdev;
7099 	struct wireless_dev *wdev;
7100 	int survey_idx = cb->args[2];
7101 	int res;
7102 	bool radio_stats;
7103 
7104 	res = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
7105 	if (res)
7106 		return res;
7107 
7108 	/* prepare_wdev_dump parsed the attributes */
7109 	radio_stats = nl80211_fam.attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
7110 
7111 	if (!wdev->netdev) {
7112 		res = -EINVAL;
7113 		goto out_err;
7114 	}
7115 
7116 	if (!rdev->ops->dump_survey) {
7117 		res = -EOPNOTSUPP;
7118 		goto out_err;
7119 	}
7120 
7121 	while (1) {
7122 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
7123 		if (res == -ENOENT)
7124 			break;
7125 		if (res)
7126 			goto out_err;
7127 
7128 		/* don't send disabled channels, but do send non-channel data */
7129 		if (survey.channel &&
7130 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
7131 			survey_idx++;
7132 			continue;
7133 		}
7134 
7135 		if (nl80211_send_survey(skb,
7136 				NETLINK_CB(cb->skb).portid,
7137 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
7138 				wdev->netdev, radio_stats, &survey) < 0)
7139 			goto out;
7140 		survey_idx++;
7141 	}
7142 
7143  out:
7144 	cb->args[2] = survey_idx;
7145 	res = skb->len;
7146  out_err:
7147 	nl80211_finish_wdev_dump(rdev);
7148 	return res;
7149 }
7150 
7151 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
7152 {
7153 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
7154 				  NL80211_WPA_VERSION_2));
7155 }
7156 
7157 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
7158 {
7159 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7160 	struct net_device *dev = info->user_ptr[1];
7161 	struct ieee80211_channel *chan;
7162 	const u8 *bssid, *ssid, *ie = NULL, *sae_data = NULL;
7163 	int err, ssid_len, ie_len = 0, sae_data_len = 0;
7164 	enum nl80211_auth_type auth_type;
7165 	struct key_parse key;
7166 	bool local_state_change;
7167 
7168 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7169 		return -EINVAL;
7170 
7171 	if (!info->attrs[NL80211_ATTR_MAC])
7172 		return -EINVAL;
7173 
7174 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
7175 		return -EINVAL;
7176 
7177 	if (!info->attrs[NL80211_ATTR_SSID])
7178 		return -EINVAL;
7179 
7180 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
7181 		return -EINVAL;
7182 
7183 	err = nl80211_parse_key(info, &key);
7184 	if (err)
7185 		return err;
7186 
7187 	if (key.idx >= 0) {
7188 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
7189 			return -EINVAL;
7190 		if (!key.p.key || !key.p.key_len)
7191 			return -EINVAL;
7192 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
7193 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
7194 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
7195 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
7196 			return -EINVAL;
7197 		if (key.idx > 4)
7198 			return -EINVAL;
7199 	} else {
7200 		key.p.key_len = 0;
7201 		key.p.key = NULL;
7202 	}
7203 
7204 	if (key.idx >= 0) {
7205 		int i;
7206 		bool ok = false;
7207 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
7208 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
7209 				ok = true;
7210 				break;
7211 			}
7212 		}
7213 		if (!ok)
7214 			return -EINVAL;
7215 	}
7216 
7217 	if (!rdev->ops->auth)
7218 		return -EOPNOTSUPP;
7219 
7220 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7221 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7222 		return -EOPNOTSUPP;
7223 
7224 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7225 	chan = nl80211_get_valid_chan(&rdev->wiphy,
7226 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
7227 	if (!chan)
7228 		return -EINVAL;
7229 
7230 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
7231 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
7232 
7233 	if (info->attrs[NL80211_ATTR_IE]) {
7234 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7235 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7236 	}
7237 
7238 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
7239 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
7240 		return -EINVAL;
7241 
7242 	if (auth_type == NL80211_AUTHTYPE_SAE &&
7243 	    !info->attrs[NL80211_ATTR_SAE_DATA])
7244 		return -EINVAL;
7245 
7246 	if (info->attrs[NL80211_ATTR_SAE_DATA]) {
7247 		if (auth_type != NL80211_AUTHTYPE_SAE)
7248 			return -EINVAL;
7249 		sae_data = nla_data(info->attrs[NL80211_ATTR_SAE_DATA]);
7250 		sae_data_len = nla_len(info->attrs[NL80211_ATTR_SAE_DATA]);
7251 		/* need to include at least Auth Transaction and Status Code */
7252 		if (sae_data_len < 4)
7253 			return -EINVAL;
7254 	}
7255 
7256 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
7257 
7258 	/*
7259 	 * Since we no longer track auth state, ignore
7260 	 * requests to only change local state.
7261 	 */
7262 	if (local_state_change)
7263 		return 0;
7264 
7265 	wdev_lock(dev->ieee80211_ptr);
7266 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
7267 				 ssid, ssid_len, ie, ie_len,
7268 				 key.p.key, key.p.key_len, key.idx,
7269 				 sae_data, sae_data_len);
7270 	wdev_unlock(dev->ieee80211_ptr);
7271 	return err;
7272 }
7273 
7274 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
7275 				   struct genl_info *info,
7276 				   struct cfg80211_crypto_settings *settings,
7277 				   int cipher_limit)
7278 {
7279 	memset(settings, 0, sizeof(*settings));
7280 
7281 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
7282 
7283 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
7284 		u16 proto;
7285 		proto = nla_get_u16(
7286 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
7287 		settings->control_port_ethertype = cpu_to_be16(proto);
7288 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
7289 		    proto != ETH_P_PAE)
7290 			return -EINVAL;
7291 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
7292 			settings->control_port_no_encrypt = true;
7293 	} else
7294 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
7295 
7296 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
7297 		void *data;
7298 		int len, i;
7299 
7300 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
7301 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
7302 		settings->n_ciphers_pairwise = len / sizeof(u32);
7303 
7304 		if (len % sizeof(u32))
7305 			return -EINVAL;
7306 
7307 		if (settings->n_ciphers_pairwise > cipher_limit)
7308 			return -EINVAL;
7309 
7310 		memcpy(settings->ciphers_pairwise, data, len);
7311 
7312 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
7313 			if (!cfg80211_supported_cipher_suite(
7314 					&rdev->wiphy,
7315 					settings->ciphers_pairwise[i]))
7316 				return -EINVAL;
7317 	}
7318 
7319 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
7320 		settings->cipher_group =
7321 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
7322 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
7323 						     settings->cipher_group))
7324 			return -EINVAL;
7325 	}
7326 
7327 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
7328 		settings->wpa_versions =
7329 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
7330 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
7331 			return -EINVAL;
7332 	}
7333 
7334 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
7335 		void *data;
7336 		int len;
7337 
7338 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
7339 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
7340 		settings->n_akm_suites = len / sizeof(u32);
7341 
7342 		if (len % sizeof(u32))
7343 			return -EINVAL;
7344 
7345 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
7346 			return -EINVAL;
7347 
7348 		memcpy(settings->akm_suites, data, len);
7349 	}
7350 
7351 	return 0;
7352 }
7353 
7354 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
7355 {
7356 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7357 	struct net_device *dev = info->user_ptr[1];
7358 	struct ieee80211_channel *chan;
7359 	struct cfg80211_assoc_request req = {};
7360 	const u8 *bssid, *ssid;
7361 	int err, ssid_len = 0;
7362 
7363 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7364 		return -EINVAL;
7365 
7366 	if (!info->attrs[NL80211_ATTR_MAC] ||
7367 	    !info->attrs[NL80211_ATTR_SSID] ||
7368 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
7369 		return -EINVAL;
7370 
7371 	if (!rdev->ops->assoc)
7372 		return -EOPNOTSUPP;
7373 
7374 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7375 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7376 		return -EOPNOTSUPP;
7377 
7378 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7379 
7380 	chan = nl80211_get_valid_chan(&rdev->wiphy,
7381 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
7382 	if (!chan)
7383 		return -EINVAL;
7384 
7385 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
7386 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
7387 
7388 	if (info->attrs[NL80211_ATTR_IE]) {
7389 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7390 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7391 	}
7392 
7393 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
7394 		enum nl80211_mfp mfp =
7395 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
7396 		if (mfp == NL80211_MFP_REQUIRED)
7397 			req.use_mfp = true;
7398 		else if (mfp != NL80211_MFP_NO)
7399 			return -EINVAL;
7400 	}
7401 
7402 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
7403 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
7404 
7405 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
7406 		req.flags |= ASSOC_REQ_DISABLE_HT;
7407 
7408 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7409 		memcpy(&req.ht_capa_mask,
7410 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
7411 		       sizeof(req.ht_capa_mask));
7412 
7413 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
7414 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7415 			return -EINVAL;
7416 		memcpy(&req.ht_capa,
7417 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
7418 		       sizeof(req.ht_capa));
7419 	}
7420 
7421 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
7422 		req.flags |= ASSOC_REQ_DISABLE_VHT;
7423 
7424 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
7425 		memcpy(&req.vht_capa_mask,
7426 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
7427 		       sizeof(req.vht_capa_mask));
7428 
7429 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
7430 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
7431 			return -EINVAL;
7432 		memcpy(&req.vht_capa,
7433 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
7434 		       sizeof(req.vht_capa));
7435 	}
7436 
7437 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
7438 		if (!((rdev->wiphy.features &
7439 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
7440 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
7441 		    !wiphy_ext_feature_isset(&rdev->wiphy,
7442 					     NL80211_EXT_FEATURE_RRM))
7443 			return -EINVAL;
7444 		req.flags |= ASSOC_REQ_USE_RRM;
7445 	}
7446 
7447 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
7448 	if (!err) {
7449 		wdev_lock(dev->ieee80211_ptr);
7450 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
7451 					  ssid, ssid_len, &req);
7452 		wdev_unlock(dev->ieee80211_ptr);
7453 	}
7454 
7455 	return err;
7456 }
7457 
7458 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
7459 {
7460 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7461 	struct net_device *dev = info->user_ptr[1];
7462 	const u8 *ie = NULL, *bssid;
7463 	int ie_len = 0, err;
7464 	u16 reason_code;
7465 	bool local_state_change;
7466 
7467 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7468 		return -EINVAL;
7469 
7470 	if (!info->attrs[NL80211_ATTR_MAC])
7471 		return -EINVAL;
7472 
7473 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
7474 		return -EINVAL;
7475 
7476 	if (!rdev->ops->deauth)
7477 		return -EOPNOTSUPP;
7478 
7479 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7480 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7481 		return -EOPNOTSUPP;
7482 
7483 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7484 
7485 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7486 	if (reason_code == 0) {
7487 		/* Reason Code 0 is reserved */
7488 		return -EINVAL;
7489 	}
7490 
7491 	if (info->attrs[NL80211_ATTR_IE]) {
7492 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7493 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7494 	}
7495 
7496 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
7497 
7498 	wdev_lock(dev->ieee80211_ptr);
7499 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
7500 				   local_state_change);
7501 	wdev_unlock(dev->ieee80211_ptr);
7502 	return err;
7503 }
7504 
7505 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
7506 {
7507 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7508 	struct net_device *dev = info->user_ptr[1];
7509 	const u8 *ie = NULL, *bssid;
7510 	int ie_len = 0, err;
7511 	u16 reason_code;
7512 	bool local_state_change;
7513 
7514 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7515 		return -EINVAL;
7516 
7517 	if (!info->attrs[NL80211_ATTR_MAC])
7518 		return -EINVAL;
7519 
7520 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
7521 		return -EINVAL;
7522 
7523 	if (!rdev->ops->disassoc)
7524 		return -EOPNOTSUPP;
7525 
7526 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7527 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7528 		return -EOPNOTSUPP;
7529 
7530 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7531 
7532 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7533 	if (reason_code == 0) {
7534 		/* Reason Code 0 is reserved */
7535 		return -EINVAL;
7536 	}
7537 
7538 	if (info->attrs[NL80211_ATTR_IE]) {
7539 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7540 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7541 	}
7542 
7543 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
7544 
7545 	wdev_lock(dev->ieee80211_ptr);
7546 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
7547 				     local_state_change);
7548 	wdev_unlock(dev->ieee80211_ptr);
7549 	return err;
7550 }
7551 
7552 static bool
7553 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
7554 			 int mcast_rate[NUM_NL80211_BANDS],
7555 			 int rateval)
7556 {
7557 	struct wiphy *wiphy = &rdev->wiphy;
7558 	bool found = false;
7559 	int band, i;
7560 
7561 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
7562 		struct ieee80211_supported_band *sband;
7563 
7564 		sband = wiphy->bands[band];
7565 		if (!sband)
7566 			continue;
7567 
7568 		for (i = 0; i < sband->n_bitrates; i++) {
7569 			if (sband->bitrates[i].bitrate == rateval) {
7570 				mcast_rate[band] = i + 1;
7571 				found = true;
7572 				break;
7573 			}
7574 		}
7575 	}
7576 
7577 	return found;
7578 }
7579 
7580 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
7581 {
7582 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7583 	struct net_device *dev = info->user_ptr[1];
7584 	struct cfg80211_ibss_params ibss;
7585 	struct wiphy *wiphy;
7586 	struct cfg80211_cached_keys *connkeys = NULL;
7587 	int err;
7588 
7589 	memset(&ibss, 0, sizeof(ibss));
7590 
7591 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7592 		return -EINVAL;
7593 
7594 	if (!info->attrs[NL80211_ATTR_SSID] ||
7595 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
7596 		return -EINVAL;
7597 
7598 	ibss.beacon_interval = 100;
7599 
7600 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
7601 		ibss.beacon_interval =
7602 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
7603 		if (ibss.beacon_interval < 1 || ibss.beacon_interval > 10000)
7604 			return -EINVAL;
7605 	}
7606 
7607 	if (!rdev->ops->join_ibss)
7608 		return -EOPNOTSUPP;
7609 
7610 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
7611 		return -EOPNOTSUPP;
7612 
7613 	wiphy = &rdev->wiphy;
7614 
7615 	if (info->attrs[NL80211_ATTR_MAC]) {
7616 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7617 
7618 		if (!is_valid_ether_addr(ibss.bssid))
7619 			return -EINVAL;
7620 	}
7621 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
7622 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
7623 
7624 	if (info->attrs[NL80211_ATTR_IE]) {
7625 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7626 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7627 	}
7628 
7629 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
7630 	if (err)
7631 		return err;
7632 
7633 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
7634 				     NL80211_IFTYPE_ADHOC))
7635 		return -EINVAL;
7636 
7637 	switch (ibss.chandef.width) {
7638 	case NL80211_CHAN_WIDTH_5:
7639 	case NL80211_CHAN_WIDTH_10:
7640 	case NL80211_CHAN_WIDTH_20_NOHT:
7641 		break;
7642 	case NL80211_CHAN_WIDTH_20:
7643 	case NL80211_CHAN_WIDTH_40:
7644 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
7645 			return -EINVAL;
7646 		break;
7647 	case NL80211_CHAN_WIDTH_80:
7648 	case NL80211_CHAN_WIDTH_80P80:
7649 	case NL80211_CHAN_WIDTH_160:
7650 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
7651 			return -EINVAL;
7652 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
7653 					     NL80211_EXT_FEATURE_VHT_IBSS))
7654 			return -EINVAL;
7655 		break;
7656 	default:
7657 		return -EINVAL;
7658 	}
7659 
7660 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
7661 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
7662 
7663 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
7664 		u8 *rates =
7665 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7666 		int n_rates =
7667 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7668 		struct ieee80211_supported_band *sband =
7669 			wiphy->bands[ibss.chandef.chan->band];
7670 
7671 		err = ieee80211_get_ratemask(sband, rates, n_rates,
7672 					     &ibss.basic_rates);
7673 		if (err)
7674 			return err;
7675 	}
7676 
7677 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7678 		memcpy(&ibss.ht_capa_mask,
7679 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
7680 		       sizeof(ibss.ht_capa_mask));
7681 
7682 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
7683 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7684 			return -EINVAL;
7685 		memcpy(&ibss.ht_capa,
7686 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
7687 		       sizeof(ibss.ht_capa));
7688 	}
7689 
7690 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
7691 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
7692 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
7693 		return -EINVAL;
7694 
7695 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
7696 		bool no_ht = false;
7697 
7698 		connkeys = nl80211_parse_connkeys(rdev,
7699 					  info->attrs[NL80211_ATTR_KEYS],
7700 					  &no_ht);
7701 		if (IS_ERR(connkeys))
7702 			return PTR_ERR(connkeys);
7703 
7704 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
7705 		    no_ht) {
7706 			kzfree(connkeys);
7707 			return -EINVAL;
7708 		}
7709 	}
7710 
7711 	ibss.control_port =
7712 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
7713 
7714 	ibss.userspace_handles_dfs =
7715 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
7716 
7717 	err = cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
7718 	if (err)
7719 		kzfree(connkeys);
7720 	return err;
7721 }
7722 
7723 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
7724 {
7725 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7726 	struct net_device *dev = info->user_ptr[1];
7727 
7728 	if (!rdev->ops->leave_ibss)
7729 		return -EOPNOTSUPP;
7730 
7731 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
7732 		return -EOPNOTSUPP;
7733 
7734 	return cfg80211_leave_ibss(rdev, dev, false);
7735 }
7736 
7737 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
7738 {
7739 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7740 	struct net_device *dev = info->user_ptr[1];
7741 	int mcast_rate[NUM_NL80211_BANDS];
7742 	u32 nla_rate;
7743 	int err;
7744 
7745 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
7746 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
7747 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
7748 		return -EOPNOTSUPP;
7749 
7750 	if (!rdev->ops->set_mcast_rate)
7751 		return -EOPNOTSUPP;
7752 
7753 	memset(mcast_rate, 0, sizeof(mcast_rate));
7754 
7755 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
7756 		return -EINVAL;
7757 
7758 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
7759 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
7760 		return -EINVAL;
7761 
7762 	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
7763 
7764 	return err;
7765 }
7766 
7767 static struct sk_buff *
7768 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
7769 			    struct wireless_dev *wdev, int approxlen,
7770 			    u32 portid, u32 seq, enum nl80211_commands cmd,
7771 			    enum nl80211_attrs attr,
7772 			    const struct nl80211_vendor_cmd_info *info,
7773 			    gfp_t gfp)
7774 {
7775 	struct sk_buff *skb;
7776 	void *hdr;
7777 	struct nlattr *data;
7778 
7779 	skb = nlmsg_new(approxlen + 100, gfp);
7780 	if (!skb)
7781 		return NULL;
7782 
7783 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
7784 	if (!hdr) {
7785 		kfree_skb(skb);
7786 		return NULL;
7787 	}
7788 
7789 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
7790 		goto nla_put_failure;
7791 
7792 	if (info) {
7793 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
7794 				info->vendor_id))
7795 			goto nla_put_failure;
7796 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
7797 				info->subcmd))
7798 			goto nla_put_failure;
7799 	}
7800 
7801 	if (wdev) {
7802 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
7803 				      wdev_id(wdev), NL80211_ATTR_PAD))
7804 			goto nla_put_failure;
7805 		if (wdev->netdev &&
7806 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
7807 				wdev->netdev->ifindex))
7808 			goto nla_put_failure;
7809 	}
7810 
7811 	data = nla_nest_start(skb, attr);
7812 
7813 	((void **)skb->cb)[0] = rdev;
7814 	((void **)skb->cb)[1] = hdr;
7815 	((void **)skb->cb)[2] = data;
7816 
7817 	return skb;
7818 
7819  nla_put_failure:
7820 	kfree_skb(skb);
7821 	return NULL;
7822 }
7823 
7824 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
7825 					   struct wireless_dev *wdev,
7826 					   enum nl80211_commands cmd,
7827 					   enum nl80211_attrs attr,
7828 					   int vendor_event_idx,
7829 					   int approxlen, gfp_t gfp)
7830 {
7831 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
7832 	const struct nl80211_vendor_cmd_info *info;
7833 
7834 	switch (cmd) {
7835 	case NL80211_CMD_TESTMODE:
7836 		if (WARN_ON(vendor_event_idx != -1))
7837 			return NULL;
7838 		info = NULL;
7839 		break;
7840 	case NL80211_CMD_VENDOR:
7841 		if (WARN_ON(vendor_event_idx < 0 ||
7842 			    vendor_event_idx >= wiphy->n_vendor_events))
7843 			return NULL;
7844 		info = &wiphy->vendor_events[vendor_event_idx];
7845 		break;
7846 	default:
7847 		WARN_ON(1);
7848 		return NULL;
7849 	}
7850 
7851 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, 0, 0,
7852 					   cmd, attr, info, gfp);
7853 }
7854 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
7855 
7856 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
7857 {
7858 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
7859 	void *hdr = ((void **)skb->cb)[1];
7860 	struct nlattr *data = ((void **)skb->cb)[2];
7861 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
7862 
7863 	/* clear CB data for netlink core to own from now on */
7864 	memset(skb->cb, 0, sizeof(skb->cb));
7865 
7866 	nla_nest_end(skb, data);
7867 	genlmsg_end(skb, hdr);
7868 
7869 	if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
7870 		mcgrp = NL80211_MCGRP_VENDOR;
7871 
7872 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), skb, 0,
7873 				mcgrp, gfp);
7874 }
7875 EXPORT_SYMBOL(__cfg80211_send_event_skb);
7876 
7877 #ifdef CONFIG_NL80211_TESTMODE
7878 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
7879 {
7880 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7881 	struct wireless_dev *wdev =
7882 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
7883 	int err;
7884 
7885 	if (!rdev->ops->testmode_cmd)
7886 		return -EOPNOTSUPP;
7887 
7888 	if (IS_ERR(wdev)) {
7889 		err = PTR_ERR(wdev);
7890 		if (err != -EINVAL)
7891 			return err;
7892 		wdev = NULL;
7893 	} else if (wdev->wiphy != &rdev->wiphy) {
7894 		return -EINVAL;
7895 	}
7896 
7897 	if (!info->attrs[NL80211_ATTR_TESTDATA])
7898 		return -EINVAL;
7899 
7900 	rdev->cur_cmd_info = info;
7901 	err = rdev_testmode_cmd(rdev, wdev,
7902 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
7903 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
7904 	rdev->cur_cmd_info = NULL;
7905 
7906 	return err;
7907 }
7908 
7909 static int nl80211_testmode_dump(struct sk_buff *skb,
7910 				 struct netlink_callback *cb)
7911 {
7912 	struct cfg80211_registered_device *rdev;
7913 	int err;
7914 	long phy_idx;
7915 	void *data = NULL;
7916 	int data_len = 0;
7917 
7918 	rtnl_lock();
7919 
7920 	if (cb->args[0]) {
7921 		/*
7922 		 * 0 is a valid index, but not valid for args[0],
7923 		 * so we need to offset by 1.
7924 		 */
7925 		phy_idx = cb->args[0] - 1;
7926 	} else {
7927 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
7928 				  nl80211_fam.attrbuf, nl80211_fam.maxattr,
7929 				  nl80211_policy);
7930 		if (err)
7931 			goto out_err;
7932 
7933 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk),
7934 						  nl80211_fam.attrbuf);
7935 		if (IS_ERR(rdev)) {
7936 			err = PTR_ERR(rdev);
7937 			goto out_err;
7938 		}
7939 		phy_idx = rdev->wiphy_idx;
7940 		rdev = NULL;
7941 
7942 		if (nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA])
7943 			cb->args[1] =
7944 				(long)nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA];
7945 	}
7946 
7947 	if (cb->args[1]) {
7948 		data = nla_data((void *)cb->args[1]);
7949 		data_len = nla_len((void *)cb->args[1]);
7950 	}
7951 
7952 	rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
7953 	if (!rdev) {
7954 		err = -ENOENT;
7955 		goto out_err;
7956 	}
7957 
7958 	if (!rdev->ops->testmode_dump) {
7959 		err = -EOPNOTSUPP;
7960 		goto out_err;
7961 	}
7962 
7963 	while (1) {
7964 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
7965 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
7966 					   NL80211_CMD_TESTMODE);
7967 		struct nlattr *tmdata;
7968 
7969 		if (!hdr)
7970 			break;
7971 
7972 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
7973 			genlmsg_cancel(skb, hdr);
7974 			break;
7975 		}
7976 
7977 		tmdata = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
7978 		if (!tmdata) {
7979 			genlmsg_cancel(skb, hdr);
7980 			break;
7981 		}
7982 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
7983 		nla_nest_end(skb, tmdata);
7984 
7985 		if (err == -ENOBUFS || err == -ENOENT) {
7986 			genlmsg_cancel(skb, hdr);
7987 			break;
7988 		} else if (err) {
7989 			genlmsg_cancel(skb, hdr);
7990 			goto out_err;
7991 		}
7992 
7993 		genlmsg_end(skb, hdr);
7994 	}
7995 
7996 	err = skb->len;
7997 	/* see above */
7998 	cb->args[0] = phy_idx + 1;
7999  out_err:
8000 	rtnl_unlock();
8001 	return err;
8002 }
8003 #endif
8004 
8005 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
8006 {
8007 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8008 	struct net_device *dev = info->user_ptr[1];
8009 	struct cfg80211_connect_params connect;
8010 	struct wiphy *wiphy;
8011 	struct cfg80211_cached_keys *connkeys = NULL;
8012 	int err;
8013 
8014 	memset(&connect, 0, sizeof(connect));
8015 
8016 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
8017 		return -EINVAL;
8018 
8019 	if (!info->attrs[NL80211_ATTR_SSID] ||
8020 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
8021 		return -EINVAL;
8022 
8023 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
8024 		connect.auth_type =
8025 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
8026 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
8027 					     NL80211_CMD_CONNECT))
8028 			return -EINVAL;
8029 	} else
8030 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
8031 
8032 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
8033 
8034 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
8035 				      NL80211_MAX_NR_CIPHER_SUITES);
8036 	if (err)
8037 		return err;
8038 
8039 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8040 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8041 		return -EOPNOTSUPP;
8042 
8043 	wiphy = &rdev->wiphy;
8044 
8045 	connect.bg_scan_period = -1;
8046 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
8047 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
8048 		connect.bg_scan_period =
8049 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
8050 	}
8051 
8052 	if (info->attrs[NL80211_ATTR_MAC])
8053 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8054 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
8055 		connect.bssid_hint =
8056 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
8057 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
8058 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
8059 
8060 	if (info->attrs[NL80211_ATTR_IE]) {
8061 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8062 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8063 	}
8064 
8065 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
8066 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
8067 		if (connect.mfp != NL80211_MFP_REQUIRED &&
8068 		    connect.mfp != NL80211_MFP_NO)
8069 			return -EINVAL;
8070 	} else {
8071 		connect.mfp = NL80211_MFP_NO;
8072 	}
8073 
8074 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
8075 		connect.prev_bssid =
8076 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
8077 
8078 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
8079 		connect.channel = nl80211_get_valid_chan(
8080 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ]);
8081 		if (!connect.channel)
8082 			return -EINVAL;
8083 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
8084 		connect.channel_hint = nl80211_get_valid_chan(
8085 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
8086 		if (!connect.channel_hint)
8087 			return -EINVAL;
8088 	}
8089 
8090 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
8091 		connkeys = nl80211_parse_connkeys(rdev,
8092 					  info->attrs[NL80211_ATTR_KEYS], NULL);
8093 		if (IS_ERR(connkeys))
8094 			return PTR_ERR(connkeys);
8095 	}
8096 
8097 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
8098 		connect.flags |= ASSOC_REQ_DISABLE_HT;
8099 
8100 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
8101 		memcpy(&connect.ht_capa_mask,
8102 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
8103 		       sizeof(connect.ht_capa_mask));
8104 
8105 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
8106 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
8107 			kzfree(connkeys);
8108 			return -EINVAL;
8109 		}
8110 		memcpy(&connect.ht_capa,
8111 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
8112 		       sizeof(connect.ht_capa));
8113 	}
8114 
8115 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
8116 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
8117 
8118 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
8119 		memcpy(&connect.vht_capa_mask,
8120 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
8121 		       sizeof(connect.vht_capa_mask));
8122 
8123 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
8124 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
8125 			kzfree(connkeys);
8126 			return -EINVAL;
8127 		}
8128 		memcpy(&connect.vht_capa,
8129 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
8130 		       sizeof(connect.vht_capa));
8131 	}
8132 
8133 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
8134 		if (!((rdev->wiphy.features &
8135 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
8136 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
8137 		    !wiphy_ext_feature_isset(&rdev->wiphy,
8138 					     NL80211_EXT_FEATURE_RRM)) {
8139 			kzfree(connkeys);
8140 			return -EINVAL;
8141 		}
8142 		connect.flags |= ASSOC_REQ_USE_RRM;
8143 	}
8144 
8145 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
8146 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
8147 		kzfree(connkeys);
8148 		return -EOPNOTSUPP;
8149 	}
8150 
8151 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
8152 		/* bss selection makes no sense if bssid is set */
8153 		if (connect.bssid) {
8154 			kzfree(connkeys);
8155 			return -EINVAL;
8156 		}
8157 
8158 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
8159 				       wiphy, &connect.bss_select);
8160 		if (err) {
8161 			kzfree(connkeys);
8162 			return err;
8163 		}
8164 	}
8165 
8166 	wdev_lock(dev->ieee80211_ptr);
8167 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
8168 			       connect.prev_bssid);
8169 	wdev_unlock(dev->ieee80211_ptr);
8170 	if (err)
8171 		kzfree(connkeys);
8172 	return err;
8173 }
8174 
8175 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
8176 {
8177 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8178 	struct net_device *dev = info->user_ptr[1];
8179 	u16 reason;
8180 	int ret;
8181 
8182 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
8183 		reason = WLAN_REASON_DEAUTH_LEAVING;
8184 	else
8185 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
8186 
8187 	if (reason == 0)
8188 		return -EINVAL;
8189 
8190 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8191 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8192 		return -EOPNOTSUPP;
8193 
8194 	wdev_lock(dev->ieee80211_ptr);
8195 	ret = cfg80211_disconnect(rdev, dev, reason, true);
8196 	wdev_unlock(dev->ieee80211_ptr);
8197 	return ret;
8198 }
8199 
8200 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
8201 {
8202 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8203 	struct net *net;
8204 	int err;
8205 
8206 	if (info->attrs[NL80211_ATTR_PID]) {
8207 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
8208 
8209 		net = get_net_ns_by_pid(pid);
8210 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
8211 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
8212 
8213 		net = get_net_ns_by_fd(fd);
8214 	} else {
8215 		return -EINVAL;
8216 	}
8217 
8218 	if (IS_ERR(net))
8219 		return PTR_ERR(net);
8220 
8221 	err = 0;
8222 
8223 	/* check if anything to do */
8224 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
8225 		err = cfg80211_switch_netns(rdev, net);
8226 
8227 	put_net(net);
8228 	return err;
8229 }
8230 
8231 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
8232 {
8233 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8234 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
8235 			struct cfg80211_pmksa *pmksa) = NULL;
8236 	struct net_device *dev = info->user_ptr[1];
8237 	struct cfg80211_pmksa pmksa;
8238 
8239 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
8240 
8241 	if (!info->attrs[NL80211_ATTR_MAC])
8242 		return -EINVAL;
8243 
8244 	if (!info->attrs[NL80211_ATTR_PMKID])
8245 		return -EINVAL;
8246 
8247 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
8248 	pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8249 
8250 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8251 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8252 		return -EOPNOTSUPP;
8253 
8254 	switch (info->genlhdr->cmd) {
8255 	case NL80211_CMD_SET_PMKSA:
8256 		rdev_ops = rdev->ops->set_pmksa;
8257 		break;
8258 	case NL80211_CMD_DEL_PMKSA:
8259 		rdev_ops = rdev->ops->del_pmksa;
8260 		break;
8261 	default:
8262 		WARN_ON(1);
8263 		break;
8264 	}
8265 
8266 	if (!rdev_ops)
8267 		return -EOPNOTSUPP;
8268 
8269 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
8270 }
8271 
8272 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
8273 {
8274 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8275 	struct net_device *dev = info->user_ptr[1];
8276 
8277 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8278 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8279 		return -EOPNOTSUPP;
8280 
8281 	if (!rdev->ops->flush_pmksa)
8282 		return -EOPNOTSUPP;
8283 
8284 	return rdev_flush_pmksa(rdev, dev);
8285 }
8286 
8287 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
8288 {
8289 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8290 	struct net_device *dev = info->user_ptr[1];
8291 	u8 action_code, dialog_token;
8292 	u32 peer_capability = 0;
8293 	u16 status_code;
8294 	u8 *peer;
8295 	bool initiator;
8296 
8297 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
8298 	    !rdev->ops->tdls_mgmt)
8299 		return -EOPNOTSUPP;
8300 
8301 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
8302 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
8303 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
8304 	    !info->attrs[NL80211_ATTR_IE] ||
8305 	    !info->attrs[NL80211_ATTR_MAC])
8306 		return -EINVAL;
8307 
8308 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
8309 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
8310 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
8311 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
8312 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
8313 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
8314 		peer_capability =
8315 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
8316 
8317 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
8318 			      dialog_token, status_code, peer_capability,
8319 			      initiator,
8320 			      nla_data(info->attrs[NL80211_ATTR_IE]),
8321 			      nla_len(info->attrs[NL80211_ATTR_IE]));
8322 }
8323 
8324 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
8325 {
8326 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8327 	struct net_device *dev = info->user_ptr[1];
8328 	enum nl80211_tdls_operation operation;
8329 	u8 *peer;
8330 
8331 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
8332 	    !rdev->ops->tdls_oper)
8333 		return -EOPNOTSUPP;
8334 
8335 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
8336 	    !info->attrs[NL80211_ATTR_MAC])
8337 		return -EINVAL;
8338 
8339 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
8340 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
8341 
8342 	return rdev_tdls_oper(rdev, dev, peer, operation);
8343 }
8344 
8345 static int nl80211_remain_on_channel(struct sk_buff *skb,
8346 				     struct genl_info *info)
8347 {
8348 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8349 	struct wireless_dev *wdev = info->user_ptr[1];
8350 	struct cfg80211_chan_def chandef;
8351 	struct sk_buff *msg;
8352 	void *hdr;
8353 	u64 cookie;
8354 	u32 duration;
8355 	int err;
8356 
8357 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
8358 	    !info->attrs[NL80211_ATTR_DURATION])
8359 		return -EINVAL;
8360 
8361 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
8362 
8363 	if (!rdev->ops->remain_on_channel ||
8364 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
8365 		return -EOPNOTSUPP;
8366 
8367 	/*
8368 	 * We should be on that channel for at least a minimum amount of
8369 	 * time (10ms) but no longer than the driver supports.
8370 	 */
8371 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
8372 	    duration > rdev->wiphy.max_remain_on_channel_duration)
8373 		return -EINVAL;
8374 
8375 	err = nl80211_parse_chandef(rdev, info, &chandef);
8376 	if (err)
8377 		return err;
8378 
8379 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8380 	if (!msg)
8381 		return -ENOMEM;
8382 
8383 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8384 			     NL80211_CMD_REMAIN_ON_CHANNEL);
8385 	if (!hdr) {
8386 		err = -ENOBUFS;
8387 		goto free_msg;
8388 	}
8389 
8390 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
8391 				     duration, &cookie);
8392 
8393 	if (err)
8394 		goto free_msg;
8395 
8396 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
8397 			      NL80211_ATTR_PAD))
8398 		goto nla_put_failure;
8399 
8400 	genlmsg_end(msg, hdr);
8401 
8402 	return genlmsg_reply(msg, info);
8403 
8404  nla_put_failure:
8405 	err = -ENOBUFS;
8406  free_msg:
8407 	nlmsg_free(msg);
8408 	return err;
8409 }
8410 
8411 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
8412 					    struct genl_info *info)
8413 {
8414 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8415 	struct wireless_dev *wdev = info->user_ptr[1];
8416 	u64 cookie;
8417 
8418 	if (!info->attrs[NL80211_ATTR_COOKIE])
8419 		return -EINVAL;
8420 
8421 	if (!rdev->ops->cancel_remain_on_channel)
8422 		return -EOPNOTSUPP;
8423 
8424 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
8425 
8426 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
8427 }
8428 
8429 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
8430 			   u8 *rates, u8 rates_len)
8431 {
8432 	u8 i;
8433 	u32 mask = 0;
8434 
8435 	for (i = 0; i < rates_len; i++) {
8436 		int rate = (rates[i] & 0x7f) * 5;
8437 		int ridx;
8438 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
8439 			struct ieee80211_rate *srate =
8440 				&sband->bitrates[ridx];
8441 			if (rate == srate->bitrate) {
8442 				mask |= 1 << ridx;
8443 				break;
8444 			}
8445 		}
8446 		if (ridx == sband->n_bitrates)
8447 			return 0; /* rate not found */
8448 	}
8449 
8450 	return mask;
8451 }
8452 
8453 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
8454 			       u8 *rates, u8 rates_len,
8455 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
8456 {
8457 	u8 i;
8458 
8459 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
8460 
8461 	for (i = 0; i < rates_len; i++) {
8462 		int ridx, rbit;
8463 
8464 		ridx = rates[i] / 8;
8465 		rbit = BIT(rates[i] % 8);
8466 
8467 		/* check validity */
8468 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
8469 			return false;
8470 
8471 		/* check availability */
8472 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
8473 			mcs[ridx] |= rbit;
8474 		else
8475 			return false;
8476 	}
8477 
8478 	return true;
8479 }
8480 
8481 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
8482 {
8483 	u16 mcs_mask = 0;
8484 
8485 	switch (vht_mcs_map) {
8486 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
8487 		break;
8488 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
8489 		mcs_mask = 0x00FF;
8490 		break;
8491 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
8492 		mcs_mask = 0x01FF;
8493 		break;
8494 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
8495 		mcs_mask = 0x03FF;
8496 		break;
8497 	default:
8498 		break;
8499 	}
8500 
8501 	return mcs_mask;
8502 }
8503 
8504 static void vht_build_mcs_mask(u16 vht_mcs_map,
8505 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
8506 {
8507 	u8 nss;
8508 
8509 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
8510 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
8511 		vht_mcs_map >>= 2;
8512 	}
8513 }
8514 
8515 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
8516 			     struct nl80211_txrate_vht *txrate,
8517 			     u16 mcs[NL80211_VHT_NSS_MAX])
8518 {
8519 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
8520 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
8521 	u8 i;
8522 
8523 	if (!sband->vht_cap.vht_supported)
8524 		return false;
8525 
8526 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
8527 
8528 	/* Build vht_mcs_mask from VHT capabilities */
8529 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
8530 
8531 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
8532 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
8533 			mcs[i] = txrate->mcs[i];
8534 		else
8535 			return false;
8536 	}
8537 
8538 	return true;
8539 }
8540 
8541 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
8542 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
8543 				    .len = NL80211_MAX_SUPP_RATES },
8544 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
8545 				.len = NL80211_MAX_SUPP_HT_RATES },
8546 	[NL80211_TXRATE_VHT] = { .len = sizeof(struct nl80211_txrate_vht)},
8547 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
8548 };
8549 
8550 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
8551 				       struct genl_info *info)
8552 {
8553 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
8554 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8555 	struct cfg80211_bitrate_mask mask;
8556 	int rem, i;
8557 	struct net_device *dev = info->user_ptr[1];
8558 	struct nlattr *tx_rates;
8559 	struct ieee80211_supported_band *sband;
8560 	u16 vht_tx_mcs_map;
8561 
8562 	if (!rdev->ops->set_bitrate_mask)
8563 		return -EOPNOTSUPP;
8564 
8565 	memset(&mask, 0, sizeof(mask));
8566 	/* Default to all rates enabled */
8567 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
8568 		sband = rdev->wiphy.bands[i];
8569 
8570 		if (!sband)
8571 			continue;
8572 
8573 		mask.control[i].legacy = (1 << sband->n_bitrates) - 1;
8574 		memcpy(mask.control[i].ht_mcs,
8575 		       sband->ht_cap.mcs.rx_mask,
8576 		       sizeof(mask.control[i].ht_mcs));
8577 
8578 		if (!sband->vht_cap.vht_supported)
8579 			continue;
8580 
8581 		vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
8582 		vht_build_mcs_mask(vht_tx_mcs_map, mask.control[i].vht_mcs);
8583 	}
8584 
8585 	/* if no rates are given set it back to the defaults */
8586 	if (!info->attrs[NL80211_ATTR_TX_RATES])
8587 		goto out;
8588 
8589 	/*
8590 	 * The nested attribute uses enum nl80211_band as the index. This maps
8591 	 * directly to the enum nl80211_band values used in cfg80211.
8592 	 */
8593 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
8594 	nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
8595 		enum nl80211_band band = nla_type(tx_rates);
8596 		int err;
8597 
8598 		if (band < 0 || band >= NUM_NL80211_BANDS)
8599 			return -EINVAL;
8600 		sband = rdev->wiphy.bands[band];
8601 		if (sband == NULL)
8602 			return -EINVAL;
8603 		err = nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates),
8604 				nla_len(tx_rates), nl80211_txattr_policy);
8605 		if (err)
8606 			return err;
8607 		if (tb[NL80211_TXRATE_LEGACY]) {
8608 			mask.control[band].legacy = rateset_to_mask(
8609 				sband,
8610 				nla_data(tb[NL80211_TXRATE_LEGACY]),
8611 				nla_len(tb[NL80211_TXRATE_LEGACY]));
8612 			if ((mask.control[band].legacy == 0) &&
8613 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
8614 				return -EINVAL;
8615 		}
8616 		if (tb[NL80211_TXRATE_HT]) {
8617 			if (!ht_rateset_to_mask(
8618 					sband,
8619 					nla_data(tb[NL80211_TXRATE_HT]),
8620 					nla_len(tb[NL80211_TXRATE_HT]),
8621 					mask.control[band].ht_mcs))
8622 				return -EINVAL;
8623 		}
8624 		if (tb[NL80211_TXRATE_VHT]) {
8625 			if (!vht_set_mcs_mask(
8626 					sband,
8627 					nla_data(tb[NL80211_TXRATE_VHT]),
8628 					mask.control[band].vht_mcs))
8629 				return -EINVAL;
8630 		}
8631 		if (tb[NL80211_TXRATE_GI]) {
8632 			mask.control[band].gi =
8633 				nla_get_u8(tb[NL80211_TXRATE_GI]);
8634 			if (mask.control[band].gi > NL80211_TXRATE_FORCE_LGI)
8635 				return -EINVAL;
8636 		}
8637 
8638 		if (mask.control[band].legacy == 0) {
8639 			/* don't allow empty legacy rates if HT or VHT
8640 			 * are not even supported.
8641 			 */
8642 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
8643 			      rdev->wiphy.bands[band]->vht_cap.vht_supported))
8644 				return -EINVAL;
8645 
8646 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
8647 				if (mask.control[band].ht_mcs[i])
8648 					goto out;
8649 
8650 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
8651 				if (mask.control[band].vht_mcs[i])
8652 					goto out;
8653 
8654 			/* legacy and mcs rates may not be both empty */
8655 			return -EINVAL;
8656 		}
8657 	}
8658 
8659 out:
8660 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
8661 }
8662 
8663 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
8664 {
8665 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8666 	struct wireless_dev *wdev = info->user_ptr[1];
8667 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
8668 
8669 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
8670 		return -EINVAL;
8671 
8672 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
8673 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
8674 
8675 	switch (wdev->iftype) {
8676 	case NL80211_IFTYPE_STATION:
8677 	case NL80211_IFTYPE_ADHOC:
8678 	case NL80211_IFTYPE_P2P_CLIENT:
8679 	case NL80211_IFTYPE_AP:
8680 	case NL80211_IFTYPE_AP_VLAN:
8681 	case NL80211_IFTYPE_MESH_POINT:
8682 	case NL80211_IFTYPE_P2P_GO:
8683 	case NL80211_IFTYPE_P2P_DEVICE:
8684 		break;
8685 	default:
8686 		return -EOPNOTSUPP;
8687 	}
8688 
8689 	/* not much point in registering if we can't reply */
8690 	if (!rdev->ops->mgmt_tx)
8691 		return -EOPNOTSUPP;
8692 
8693 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
8694 			nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
8695 			nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]));
8696 }
8697 
8698 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
8699 {
8700 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8701 	struct wireless_dev *wdev = info->user_ptr[1];
8702 	struct cfg80211_chan_def chandef;
8703 	int err;
8704 	void *hdr = NULL;
8705 	u64 cookie;
8706 	struct sk_buff *msg = NULL;
8707 	struct cfg80211_mgmt_tx_params params = {
8708 		.dont_wait_for_ack =
8709 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
8710 	};
8711 
8712 	if (!info->attrs[NL80211_ATTR_FRAME])
8713 		return -EINVAL;
8714 
8715 	if (!rdev->ops->mgmt_tx)
8716 		return -EOPNOTSUPP;
8717 
8718 	switch (wdev->iftype) {
8719 	case NL80211_IFTYPE_P2P_DEVICE:
8720 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
8721 			return -EINVAL;
8722 	case NL80211_IFTYPE_STATION:
8723 	case NL80211_IFTYPE_ADHOC:
8724 	case NL80211_IFTYPE_P2P_CLIENT:
8725 	case NL80211_IFTYPE_AP:
8726 	case NL80211_IFTYPE_AP_VLAN:
8727 	case NL80211_IFTYPE_MESH_POINT:
8728 	case NL80211_IFTYPE_P2P_GO:
8729 		break;
8730 	default:
8731 		return -EOPNOTSUPP;
8732 	}
8733 
8734 	if (info->attrs[NL80211_ATTR_DURATION]) {
8735 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
8736 			return -EINVAL;
8737 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
8738 
8739 		/*
8740 		 * We should wait on the channel for at least a minimum amount
8741 		 * of time (10ms) but no longer than the driver supports.
8742 		 */
8743 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
8744 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
8745 			return -EINVAL;
8746 
8747 	}
8748 
8749 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
8750 
8751 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
8752 		return -EINVAL;
8753 
8754 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
8755 
8756 	/* get the channel if any has been specified, otherwise pass NULL to
8757 	 * the driver. The latter will use the current one
8758 	 */
8759 	chandef.chan = NULL;
8760 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
8761 		err = nl80211_parse_chandef(rdev, info, &chandef);
8762 		if (err)
8763 			return err;
8764 	}
8765 
8766 	if (!chandef.chan && params.offchan)
8767 		return -EINVAL;
8768 
8769 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
8770 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
8771 
8772 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
8773 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
8774 		int i;
8775 
8776 		if (len % sizeof(u16))
8777 			return -EINVAL;
8778 
8779 		params.n_csa_offsets = len / sizeof(u16);
8780 		params.csa_offsets =
8781 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
8782 
8783 		/* check that all the offsets fit the frame */
8784 		for (i = 0; i < params.n_csa_offsets; i++) {
8785 			if (params.csa_offsets[i] >= params.len)
8786 				return -EINVAL;
8787 		}
8788 	}
8789 
8790 	if (!params.dont_wait_for_ack) {
8791 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8792 		if (!msg)
8793 			return -ENOMEM;
8794 
8795 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8796 				     NL80211_CMD_FRAME);
8797 		if (!hdr) {
8798 			err = -ENOBUFS;
8799 			goto free_msg;
8800 		}
8801 	}
8802 
8803 	params.chan = chandef.chan;
8804 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
8805 	if (err)
8806 		goto free_msg;
8807 
8808 	if (msg) {
8809 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
8810 				      NL80211_ATTR_PAD))
8811 			goto nla_put_failure;
8812 
8813 		genlmsg_end(msg, hdr);
8814 		return genlmsg_reply(msg, info);
8815 	}
8816 
8817 	return 0;
8818 
8819  nla_put_failure:
8820 	err = -ENOBUFS;
8821  free_msg:
8822 	nlmsg_free(msg);
8823 	return err;
8824 }
8825 
8826 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
8827 {
8828 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8829 	struct wireless_dev *wdev = info->user_ptr[1];
8830 	u64 cookie;
8831 
8832 	if (!info->attrs[NL80211_ATTR_COOKIE])
8833 		return -EINVAL;
8834 
8835 	if (!rdev->ops->mgmt_tx_cancel_wait)
8836 		return -EOPNOTSUPP;
8837 
8838 	switch (wdev->iftype) {
8839 	case NL80211_IFTYPE_STATION:
8840 	case NL80211_IFTYPE_ADHOC:
8841 	case NL80211_IFTYPE_P2P_CLIENT:
8842 	case NL80211_IFTYPE_AP:
8843 	case NL80211_IFTYPE_AP_VLAN:
8844 	case NL80211_IFTYPE_P2P_GO:
8845 	case NL80211_IFTYPE_P2P_DEVICE:
8846 		break;
8847 	default:
8848 		return -EOPNOTSUPP;
8849 	}
8850 
8851 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
8852 
8853 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
8854 }
8855 
8856 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
8857 {
8858 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8859 	struct wireless_dev *wdev;
8860 	struct net_device *dev = info->user_ptr[1];
8861 	u8 ps_state;
8862 	bool state;
8863 	int err;
8864 
8865 	if (!info->attrs[NL80211_ATTR_PS_STATE])
8866 		return -EINVAL;
8867 
8868 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
8869 
8870 	if (ps_state != NL80211_PS_DISABLED && ps_state != NL80211_PS_ENABLED)
8871 		return -EINVAL;
8872 
8873 	wdev = dev->ieee80211_ptr;
8874 
8875 	if (!rdev->ops->set_power_mgmt)
8876 		return -EOPNOTSUPP;
8877 
8878 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
8879 
8880 	if (state == wdev->ps)
8881 		return 0;
8882 
8883 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
8884 	if (!err)
8885 		wdev->ps = state;
8886 	return err;
8887 }
8888 
8889 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
8890 {
8891 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8892 	enum nl80211_ps_state ps_state;
8893 	struct wireless_dev *wdev;
8894 	struct net_device *dev = info->user_ptr[1];
8895 	struct sk_buff *msg;
8896 	void *hdr;
8897 	int err;
8898 
8899 	wdev = dev->ieee80211_ptr;
8900 
8901 	if (!rdev->ops->set_power_mgmt)
8902 		return -EOPNOTSUPP;
8903 
8904 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8905 	if (!msg)
8906 		return -ENOMEM;
8907 
8908 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8909 			     NL80211_CMD_GET_POWER_SAVE);
8910 	if (!hdr) {
8911 		err = -ENOBUFS;
8912 		goto free_msg;
8913 	}
8914 
8915 	if (wdev->ps)
8916 		ps_state = NL80211_PS_ENABLED;
8917 	else
8918 		ps_state = NL80211_PS_DISABLED;
8919 
8920 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
8921 		goto nla_put_failure;
8922 
8923 	genlmsg_end(msg, hdr);
8924 	return genlmsg_reply(msg, info);
8925 
8926  nla_put_failure:
8927 	err = -ENOBUFS;
8928  free_msg:
8929 	nlmsg_free(msg);
8930 	return err;
8931 }
8932 
8933 static const struct nla_policy
8934 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
8935 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_U32 },
8936 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
8937 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
8938 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
8939 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
8940 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
8941 };
8942 
8943 static int nl80211_set_cqm_txe(struct genl_info *info,
8944 			       u32 rate, u32 pkts, u32 intvl)
8945 {
8946 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8947 	struct net_device *dev = info->user_ptr[1];
8948 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8949 
8950 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
8951 		return -EINVAL;
8952 
8953 	if (!rdev->ops->set_cqm_txe_config)
8954 		return -EOPNOTSUPP;
8955 
8956 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
8957 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
8958 		return -EOPNOTSUPP;
8959 
8960 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
8961 }
8962 
8963 static int nl80211_set_cqm_rssi(struct genl_info *info,
8964 				s32 threshold, u32 hysteresis)
8965 {
8966 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8967 	struct net_device *dev = info->user_ptr[1];
8968 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8969 
8970 	if (threshold > 0)
8971 		return -EINVAL;
8972 
8973 	/* disabling - hysteresis should also be zero then */
8974 	if (threshold == 0)
8975 		hysteresis = 0;
8976 
8977 	if (!rdev->ops->set_cqm_rssi_config)
8978 		return -EOPNOTSUPP;
8979 
8980 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
8981 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
8982 		return -EOPNOTSUPP;
8983 
8984 	return rdev_set_cqm_rssi_config(rdev, dev, threshold, hysteresis);
8985 }
8986 
8987 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
8988 {
8989 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
8990 	struct nlattr *cqm;
8991 	int err;
8992 
8993 	cqm = info->attrs[NL80211_ATTR_CQM];
8994 	if (!cqm)
8995 		return -EINVAL;
8996 
8997 	err = nla_parse_nested(attrs, NL80211_ATTR_CQM_MAX, cqm,
8998 			       nl80211_attr_cqm_policy);
8999 	if (err)
9000 		return err;
9001 
9002 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
9003 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
9004 		s32 threshold = nla_get_s32(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
9005 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
9006 
9007 		return nl80211_set_cqm_rssi(info, threshold, hysteresis);
9008 	}
9009 
9010 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
9011 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
9012 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
9013 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
9014 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
9015 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
9016 
9017 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
9018 	}
9019 
9020 	return -EINVAL;
9021 }
9022 
9023 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
9024 {
9025 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9026 	struct net_device *dev = info->user_ptr[1];
9027 	struct ocb_setup setup = {};
9028 	int err;
9029 
9030 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
9031 	if (err)
9032 		return err;
9033 
9034 	return cfg80211_join_ocb(rdev, dev, &setup);
9035 }
9036 
9037 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
9038 {
9039 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9040 	struct net_device *dev = info->user_ptr[1];
9041 
9042 	return cfg80211_leave_ocb(rdev, dev);
9043 }
9044 
9045 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
9046 {
9047 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9048 	struct net_device *dev = info->user_ptr[1];
9049 	struct mesh_config cfg;
9050 	struct mesh_setup setup;
9051 	int err;
9052 
9053 	/* start with default */
9054 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
9055 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
9056 
9057 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
9058 		/* and parse parameters if given */
9059 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
9060 		if (err)
9061 			return err;
9062 	}
9063 
9064 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
9065 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
9066 		return -EINVAL;
9067 
9068 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
9069 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
9070 
9071 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
9072 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
9073 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
9074 			return -EINVAL;
9075 
9076 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
9077 		setup.beacon_interval =
9078 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
9079 		if (setup.beacon_interval < 10 ||
9080 		    setup.beacon_interval > 10000)
9081 			return -EINVAL;
9082 	}
9083 
9084 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
9085 		setup.dtim_period =
9086 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
9087 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
9088 			return -EINVAL;
9089 	}
9090 
9091 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
9092 		/* parse additional setup parameters if given */
9093 		err = nl80211_parse_mesh_setup(info, &setup);
9094 		if (err)
9095 			return err;
9096 	}
9097 
9098 	if (setup.user_mpm)
9099 		cfg.auto_open_plinks = false;
9100 
9101 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
9102 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
9103 		if (err)
9104 			return err;
9105 	} else {
9106 		/* cfg80211_join_mesh() will sort it out */
9107 		setup.chandef.chan = NULL;
9108 	}
9109 
9110 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
9111 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9112 		int n_rates =
9113 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9114 		struct ieee80211_supported_band *sband;
9115 
9116 		if (!setup.chandef.chan)
9117 			return -EINVAL;
9118 
9119 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
9120 
9121 		err = ieee80211_get_ratemask(sband, rates, n_rates,
9122 					     &setup.basic_rates);
9123 		if (err)
9124 			return err;
9125 	}
9126 
9127 	return cfg80211_join_mesh(rdev, dev, &setup, &cfg);
9128 }
9129 
9130 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
9131 {
9132 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9133 	struct net_device *dev = info->user_ptr[1];
9134 
9135 	return cfg80211_leave_mesh(rdev, dev);
9136 }
9137 
9138 #ifdef CONFIG_PM
9139 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
9140 					struct cfg80211_registered_device *rdev)
9141 {
9142 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
9143 	struct nlattr *nl_pats, *nl_pat;
9144 	int i, pat_len;
9145 
9146 	if (!wowlan->n_patterns)
9147 		return 0;
9148 
9149 	nl_pats = nla_nest_start(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
9150 	if (!nl_pats)
9151 		return -ENOBUFS;
9152 
9153 	for (i = 0; i < wowlan->n_patterns; i++) {
9154 		nl_pat = nla_nest_start(msg, i + 1);
9155 		if (!nl_pat)
9156 			return -ENOBUFS;
9157 		pat_len = wowlan->patterns[i].pattern_len;
9158 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
9159 			    wowlan->patterns[i].mask) ||
9160 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
9161 			    wowlan->patterns[i].pattern) ||
9162 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
9163 				wowlan->patterns[i].pkt_offset))
9164 			return -ENOBUFS;
9165 		nla_nest_end(msg, nl_pat);
9166 	}
9167 	nla_nest_end(msg, nl_pats);
9168 
9169 	return 0;
9170 }
9171 
9172 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
9173 				   struct cfg80211_wowlan_tcp *tcp)
9174 {
9175 	struct nlattr *nl_tcp;
9176 
9177 	if (!tcp)
9178 		return 0;
9179 
9180 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
9181 	if (!nl_tcp)
9182 		return -ENOBUFS;
9183 
9184 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
9185 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
9186 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
9187 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
9188 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
9189 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
9190 		    tcp->payload_len, tcp->payload) ||
9191 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
9192 			tcp->data_interval) ||
9193 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
9194 		    tcp->wake_len, tcp->wake_data) ||
9195 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
9196 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
9197 		return -ENOBUFS;
9198 
9199 	if (tcp->payload_seq.len &&
9200 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
9201 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
9202 		return -ENOBUFS;
9203 
9204 	if (tcp->payload_tok.len &&
9205 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
9206 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
9207 		    &tcp->payload_tok))
9208 		return -ENOBUFS;
9209 
9210 	nla_nest_end(msg, nl_tcp);
9211 
9212 	return 0;
9213 }
9214 
9215 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
9216 				  struct cfg80211_sched_scan_request *req)
9217 {
9218 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
9219 	int i;
9220 
9221 	if (!req)
9222 		return 0;
9223 
9224 	nd = nla_nest_start(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
9225 	if (!nd)
9226 		return -ENOBUFS;
9227 
9228 	if (req->n_scan_plans == 1 &&
9229 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
9230 			req->scan_plans[0].interval * 1000))
9231 		return -ENOBUFS;
9232 
9233 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
9234 		return -ENOBUFS;
9235 
9236 	freqs = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
9237 	if (!freqs)
9238 		return -ENOBUFS;
9239 
9240 	for (i = 0; i < req->n_channels; i++)
9241 		nla_put_u32(msg, i, req->channels[i]->center_freq);
9242 
9243 	nla_nest_end(msg, freqs);
9244 
9245 	if (req->n_match_sets) {
9246 		matches = nla_nest_start(msg, NL80211_ATTR_SCHED_SCAN_MATCH);
9247 		for (i = 0; i < req->n_match_sets; i++) {
9248 			match = nla_nest_start(msg, i);
9249 			nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
9250 				req->match_sets[i].ssid.ssid_len,
9251 				req->match_sets[i].ssid.ssid);
9252 			nla_nest_end(msg, match);
9253 		}
9254 		nla_nest_end(msg, matches);
9255 	}
9256 
9257 	scan_plans = nla_nest_start(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
9258 	if (!scan_plans)
9259 		return -ENOBUFS;
9260 
9261 	for (i = 0; i < req->n_scan_plans; i++) {
9262 		scan_plan = nla_nest_start(msg, i + 1);
9263 		if (!scan_plan ||
9264 		    nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
9265 				req->scan_plans[i].interval) ||
9266 		    (req->scan_plans[i].iterations &&
9267 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
9268 				 req->scan_plans[i].iterations)))
9269 			return -ENOBUFS;
9270 		nla_nest_end(msg, scan_plan);
9271 	}
9272 	nla_nest_end(msg, scan_plans);
9273 
9274 	nla_nest_end(msg, nd);
9275 
9276 	return 0;
9277 }
9278 
9279 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
9280 {
9281 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9282 	struct sk_buff *msg;
9283 	void *hdr;
9284 	u32 size = NLMSG_DEFAULT_SIZE;
9285 
9286 	if (!rdev->wiphy.wowlan)
9287 		return -EOPNOTSUPP;
9288 
9289 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
9290 		/* adjust size to have room for all the data */
9291 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
9292 			rdev->wiphy.wowlan_config->tcp->payload_len +
9293 			rdev->wiphy.wowlan_config->tcp->wake_len +
9294 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
9295 	}
9296 
9297 	msg = nlmsg_new(size, GFP_KERNEL);
9298 	if (!msg)
9299 		return -ENOMEM;
9300 
9301 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9302 			     NL80211_CMD_GET_WOWLAN);
9303 	if (!hdr)
9304 		goto nla_put_failure;
9305 
9306 	if (rdev->wiphy.wowlan_config) {
9307 		struct nlattr *nl_wowlan;
9308 
9309 		nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
9310 		if (!nl_wowlan)
9311 			goto nla_put_failure;
9312 
9313 		if ((rdev->wiphy.wowlan_config->any &&
9314 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
9315 		    (rdev->wiphy.wowlan_config->disconnect &&
9316 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
9317 		    (rdev->wiphy.wowlan_config->magic_pkt &&
9318 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
9319 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
9320 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
9321 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
9322 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
9323 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
9324 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
9325 		    (rdev->wiphy.wowlan_config->rfkill_release &&
9326 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
9327 			goto nla_put_failure;
9328 
9329 		if (nl80211_send_wowlan_patterns(msg, rdev))
9330 			goto nla_put_failure;
9331 
9332 		if (nl80211_send_wowlan_tcp(msg,
9333 					    rdev->wiphy.wowlan_config->tcp))
9334 			goto nla_put_failure;
9335 
9336 		if (nl80211_send_wowlan_nd(
9337 			    msg,
9338 			    rdev->wiphy.wowlan_config->nd_config))
9339 			goto nla_put_failure;
9340 
9341 		nla_nest_end(msg, nl_wowlan);
9342 	}
9343 
9344 	genlmsg_end(msg, hdr);
9345 	return genlmsg_reply(msg, info);
9346 
9347 nla_put_failure:
9348 	nlmsg_free(msg);
9349 	return -ENOBUFS;
9350 }
9351 
9352 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
9353 				    struct nlattr *attr,
9354 				    struct cfg80211_wowlan *trig)
9355 {
9356 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
9357 	struct cfg80211_wowlan_tcp *cfg;
9358 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
9359 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
9360 	u32 size;
9361 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
9362 	int err, port;
9363 
9364 	if (!rdev->wiphy.wowlan->tcp)
9365 		return -EINVAL;
9366 
9367 	err = nla_parse(tb, MAX_NL80211_WOWLAN_TCP,
9368 			nla_data(attr), nla_len(attr),
9369 			nl80211_wowlan_tcp_policy);
9370 	if (err)
9371 		return err;
9372 
9373 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
9374 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
9375 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
9376 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
9377 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
9378 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
9379 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
9380 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
9381 		return -EINVAL;
9382 
9383 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
9384 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
9385 		return -EINVAL;
9386 
9387 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
9388 			rdev->wiphy.wowlan->tcp->data_interval_max ||
9389 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
9390 		return -EINVAL;
9391 
9392 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
9393 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
9394 		return -EINVAL;
9395 
9396 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
9397 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
9398 		return -EINVAL;
9399 
9400 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
9401 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
9402 
9403 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
9404 		tokens_size = tokln - sizeof(*tok);
9405 
9406 		if (!tok->len || tokens_size % tok->len)
9407 			return -EINVAL;
9408 		if (!rdev->wiphy.wowlan->tcp->tok)
9409 			return -EINVAL;
9410 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
9411 			return -EINVAL;
9412 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
9413 			return -EINVAL;
9414 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
9415 			return -EINVAL;
9416 		if (tok->offset + tok->len > data_size)
9417 			return -EINVAL;
9418 	}
9419 
9420 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
9421 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
9422 		if (!rdev->wiphy.wowlan->tcp->seq)
9423 			return -EINVAL;
9424 		if (seq->len == 0 || seq->len > 4)
9425 			return -EINVAL;
9426 		if (seq->len + seq->offset > data_size)
9427 			return -EINVAL;
9428 	}
9429 
9430 	size = sizeof(*cfg);
9431 	size += data_size;
9432 	size += wake_size + wake_mask_size;
9433 	size += tokens_size;
9434 
9435 	cfg = kzalloc(size, GFP_KERNEL);
9436 	if (!cfg)
9437 		return -ENOMEM;
9438 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
9439 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
9440 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
9441 	       ETH_ALEN);
9442 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
9443 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
9444 	else
9445 		port = 0;
9446 #ifdef CONFIG_INET
9447 	/* allocate a socket and port for it and use it */
9448 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
9449 			    IPPROTO_TCP, &cfg->sock, 1);
9450 	if (err) {
9451 		kfree(cfg);
9452 		return err;
9453 	}
9454 	if (inet_csk_get_port(cfg->sock->sk, port)) {
9455 		sock_release(cfg->sock);
9456 		kfree(cfg);
9457 		return -EADDRINUSE;
9458 	}
9459 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
9460 #else
9461 	if (!port) {
9462 		kfree(cfg);
9463 		return -EINVAL;
9464 	}
9465 	cfg->src_port = port;
9466 #endif
9467 
9468 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
9469 	cfg->payload_len = data_size;
9470 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
9471 	memcpy((void *)cfg->payload,
9472 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
9473 	       data_size);
9474 	if (seq)
9475 		cfg->payload_seq = *seq;
9476 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
9477 	cfg->wake_len = wake_size;
9478 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
9479 	memcpy((void *)cfg->wake_data,
9480 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
9481 	       wake_size);
9482 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
9483 			 data_size + wake_size;
9484 	memcpy((void *)cfg->wake_mask,
9485 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
9486 	       wake_mask_size);
9487 	if (tok) {
9488 		cfg->tokens_size = tokens_size;
9489 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
9490 	}
9491 
9492 	trig->tcp = cfg;
9493 
9494 	return 0;
9495 }
9496 
9497 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
9498 				   const struct wiphy_wowlan_support *wowlan,
9499 				   struct nlattr *attr,
9500 				   struct cfg80211_wowlan *trig)
9501 {
9502 	struct nlattr **tb;
9503 	int err;
9504 
9505 	tb = kzalloc(NUM_NL80211_ATTR * sizeof(*tb), GFP_KERNEL);
9506 	if (!tb)
9507 		return -ENOMEM;
9508 
9509 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
9510 		err = -EOPNOTSUPP;
9511 		goto out;
9512 	}
9513 
9514 	err = nla_parse(tb, NL80211_ATTR_MAX,
9515 			nla_data(attr), nla_len(attr),
9516 			nl80211_policy);
9517 	if (err)
9518 		goto out;
9519 
9520 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb);
9521 	err = PTR_ERR_OR_ZERO(trig->nd_config);
9522 	if (err)
9523 		trig->nd_config = NULL;
9524 
9525 out:
9526 	kfree(tb);
9527 	return err;
9528 }
9529 
9530 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
9531 {
9532 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9533 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
9534 	struct cfg80211_wowlan new_triggers = {};
9535 	struct cfg80211_wowlan *ntrig;
9536 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
9537 	int err, i;
9538 	bool prev_enabled = rdev->wiphy.wowlan_config;
9539 	bool regular = false;
9540 
9541 	if (!wowlan)
9542 		return -EOPNOTSUPP;
9543 
9544 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
9545 		cfg80211_rdev_free_wowlan(rdev);
9546 		rdev->wiphy.wowlan_config = NULL;
9547 		goto set_wakeup;
9548 	}
9549 
9550 	err = nla_parse(tb, MAX_NL80211_WOWLAN_TRIG,
9551 			nla_data(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
9552 			nla_len(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
9553 			nl80211_wowlan_policy);
9554 	if (err)
9555 		return err;
9556 
9557 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
9558 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
9559 			return -EINVAL;
9560 		new_triggers.any = true;
9561 	}
9562 
9563 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
9564 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
9565 			return -EINVAL;
9566 		new_triggers.disconnect = true;
9567 		regular = true;
9568 	}
9569 
9570 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
9571 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
9572 			return -EINVAL;
9573 		new_triggers.magic_pkt = true;
9574 		regular = true;
9575 	}
9576 
9577 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
9578 		return -EINVAL;
9579 
9580 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
9581 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
9582 			return -EINVAL;
9583 		new_triggers.gtk_rekey_failure = true;
9584 		regular = true;
9585 	}
9586 
9587 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
9588 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
9589 			return -EINVAL;
9590 		new_triggers.eap_identity_req = true;
9591 		regular = true;
9592 	}
9593 
9594 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
9595 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
9596 			return -EINVAL;
9597 		new_triggers.four_way_handshake = true;
9598 		regular = true;
9599 	}
9600 
9601 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
9602 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
9603 			return -EINVAL;
9604 		new_triggers.rfkill_release = true;
9605 		regular = true;
9606 	}
9607 
9608 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
9609 		struct nlattr *pat;
9610 		int n_patterns = 0;
9611 		int rem, pat_len, mask_len, pkt_offset;
9612 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
9613 
9614 		regular = true;
9615 
9616 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
9617 				    rem)
9618 			n_patterns++;
9619 		if (n_patterns > wowlan->n_patterns)
9620 			return -EINVAL;
9621 
9622 		new_triggers.patterns = kcalloc(n_patterns,
9623 						sizeof(new_triggers.patterns[0]),
9624 						GFP_KERNEL);
9625 		if (!new_triggers.patterns)
9626 			return -ENOMEM;
9627 
9628 		new_triggers.n_patterns = n_patterns;
9629 		i = 0;
9630 
9631 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
9632 				    rem) {
9633 			u8 *mask_pat;
9634 
9635 			nla_parse(pat_tb, MAX_NL80211_PKTPAT, nla_data(pat),
9636 				  nla_len(pat), NULL);
9637 			err = -EINVAL;
9638 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
9639 			    !pat_tb[NL80211_PKTPAT_PATTERN])
9640 				goto error;
9641 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
9642 			mask_len = DIV_ROUND_UP(pat_len, 8);
9643 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
9644 				goto error;
9645 			if (pat_len > wowlan->pattern_max_len ||
9646 			    pat_len < wowlan->pattern_min_len)
9647 				goto error;
9648 
9649 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
9650 				pkt_offset = 0;
9651 			else
9652 				pkt_offset = nla_get_u32(
9653 					pat_tb[NL80211_PKTPAT_OFFSET]);
9654 			if (pkt_offset > wowlan->max_pkt_offset)
9655 				goto error;
9656 			new_triggers.patterns[i].pkt_offset = pkt_offset;
9657 
9658 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
9659 			if (!mask_pat) {
9660 				err = -ENOMEM;
9661 				goto error;
9662 			}
9663 			new_triggers.patterns[i].mask = mask_pat;
9664 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
9665 			       mask_len);
9666 			mask_pat += mask_len;
9667 			new_triggers.patterns[i].pattern = mask_pat;
9668 			new_triggers.patterns[i].pattern_len = pat_len;
9669 			memcpy(mask_pat,
9670 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
9671 			       pat_len);
9672 			i++;
9673 		}
9674 	}
9675 
9676 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
9677 		regular = true;
9678 		err = nl80211_parse_wowlan_tcp(
9679 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
9680 			&new_triggers);
9681 		if (err)
9682 			goto error;
9683 	}
9684 
9685 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
9686 		regular = true;
9687 		err = nl80211_parse_wowlan_nd(
9688 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
9689 			&new_triggers);
9690 		if (err)
9691 			goto error;
9692 	}
9693 
9694 	/* The 'any' trigger means the device continues operating more or less
9695 	 * as in its normal operation mode and wakes up the host on most of the
9696 	 * normal interrupts (like packet RX, ...)
9697 	 * It therefore makes little sense to combine with the more constrained
9698 	 * wakeup trigger modes.
9699 	 */
9700 	if (new_triggers.any && regular) {
9701 		err = -EINVAL;
9702 		goto error;
9703 	}
9704 
9705 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
9706 	if (!ntrig) {
9707 		err = -ENOMEM;
9708 		goto error;
9709 	}
9710 	cfg80211_rdev_free_wowlan(rdev);
9711 	rdev->wiphy.wowlan_config = ntrig;
9712 
9713  set_wakeup:
9714 	if (rdev->ops->set_wakeup &&
9715 	    prev_enabled != !!rdev->wiphy.wowlan_config)
9716 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
9717 
9718 	return 0;
9719  error:
9720 	for (i = 0; i < new_triggers.n_patterns; i++)
9721 		kfree(new_triggers.patterns[i].mask);
9722 	kfree(new_triggers.patterns);
9723 	if (new_triggers.tcp && new_triggers.tcp->sock)
9724 		sock_release(new_triggers.tcp->sock);
9725 	kfree(new_triggers.tcp);
9726 	kfree(new_triggers.nd_config);
9727 	return err;
9728 }
9729 #endif
9730 
9731 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
9732 				       struct cfg80211_registered_device *rdev)
9733 {
9734 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
9735 	int i, j, pat_len;
9736 	struct cfg80211_coalesce_rules *rule;
9737 
9738 	if (!rdev->coalesce->n_rules)
9739 		return 0;
9740 
9741 	nl_rules = nla_nest_start(msg, NL80211_ATTR_COALESCE_RULE);
9742 	if (!nl_rules)
9743 		return -ENOBUFS;
9744 
9745 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
9746 		nl_rule = nla_nest_start(msg, i + 1);
9747 		if (!nl_rule)
9748 			return -ENOBUFS;
9749 
9750 		rule = &rdev->coalesce->rules[i];
9751 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
9752 				rule->delay))
9753 			return -ENOBUFS;
9754 
9755 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
9756 				rule->condition))
9757 			return -ENOBUFS;
9758 
9759 		nl_pats = nla_nest_start(msg,
9760 				NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
9761 		if (!nl_pats)
9762 			return -ENOBUFS;
9763 
9764 		for (j = 0; j < rule->n_patterns; j++) {
9765 			nl_pat = nla_nest_start(msg, j + 1);
9766 			if (!nl_pat)
9767 				return -ENOBUFS;
9768 			pat_len = rule->patterns[j].pattern_len;
9769 			if (nla_put(msg, NL80211_PKTPAT_MASK,
9770 				    DIV_ROUND_UP(pat_len, 8),
9771 				    rule->patterns[j].mask) ||
9772 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
9773 				    rule->patterns[j].pattern) ||
9774 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
9775 					rule->patterns[j].pkt_offset))
9776 				return -ENOBUFS;
9777 			nla_nest_end(msg, nl_pat);
9778 		}
9779 		nla_nest_end(msg, nl_pats);
9780 		nla_nest_end(msg, nl_rule);
9781 	}
9782 	nla_nest_end(msg, nl_rules);
9783 
9784 	return 0;
9785 }
9786 
9787 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
9788 {
9789 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9790 	struct sk_buff *msg;
9791 	void *hdr;
9792 
9793 	if (!rdev->wiphy.coalesce)
9794 		return -EOPNOTSUPP;
9795 
9796 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9797 	if (!msg)
9798 		return -ENOMEM;
9799 
9800 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9801 			     NL80211_CMD_GET_COALESCE);
9802 	if (!hdr)
9803 		goto nla_put_failure;
9804 
9805 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
9806 		goto nla_put_failure;
9807 
9808 	genlmsg_end(msg, hdr);
9809 	return genlmsg_reply(msg, info);
9810 
9811 nla_put_failure:
9812 	nlmsg_free(msg);
9813 	return -ENOBUFS;
9814 }
9815 
9816 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
9817 {
9818 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
9819 	int i, j;
9820 	struct cfg80211_coalesce_rules *rule;
9821 
9822 	if (!coalesce)
9823 		return;
9824 
9825 	for (i = 0; i < coalesce->n_rules; i++) {
9826 		rule = &coalesce->rules[i];
9827 		for (j = 0; j < rule->n_patterns; j++)
9828 			kfree(rule->patterns[j].mask);
9829 		kfree(rule->patterns);
9830 	}
9831 	kfree(coalesce->rules);
9832 	kfree(coalesce);
9833 	rdev->coalesce = NULL;
9834 }
9835 
9836 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
9837 				       struct nlattr *rule,
9838 				       struct cfg80211_coalesce_rules *new_rule)
9839 {
9840 	int err, i;
9841 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
9842 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
9843 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
9844 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
9845 
9846 	err = nla_parse(tb, NL80211_ATTR_COALESCE_RULE_MAX, nla_data(rule),
9847 			nla_len(rule), nl80211_coalesce_policy);
9848 	if (err)
9849 		return err;
9850 
9851 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
9852 		new_rule->delay =
9853 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
9854 	if (new_rule->delay > coalesce->max_delay)
9855 		return -EINVAL;
9856 
9857 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
9858 		new_rule->condition =
9859 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
9860 	if (new_rule->condition != NL80211_COALESCE_CONDITION_MATCH &&
9861 	    new_rule->condition != NL80211_COALESCE_CONDITION_NO_MATCH)
9862 		return -EINVAL;
9863 
9864 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
9865 		return -EINVAL;
9866 
9867 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
9868 			    rem)
9869 		n_patterns++;
9870 	if (n_patterns > coalesce->n_patterns)
9871 		return -EINVAL;
9872 
9873 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
9874 				     GFP_KERNEL);
9875 	if (!new_rule->patterns)
9876 		return -ENOMEM;
9877 
9878 	new_rule->n_patterns = n_patterns;
9879 	i = 0;
9880 
9881 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
9882 			    rem) {
9883 		u8 *mask_pat;
9884 
9885 		nla_parse(pat_tb, MAX_NL80211_PKTPAT, nla_data(pat),
9886 			  nla_len(pat), NULL);
9887 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
9888 		    !pat_tb[NL80211_PKTPAT_PATTERN])
9889 			return -EINVAL;
9890 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
9891 		mask_len = DIV_ROUND_UP(pat_len, 8);
9892 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
9893 			return -EINVAL;
9894 		if (pat_len > coalesce->pattern_max_len ||
9895 		    pat_len < coalesce->pattern_min_len)
9896 			return -EINVAL;
9897 
9898 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
9899 			pkt_offset = 0;
9900 		else
9901 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
9902 		if (pkt_offset > coalesce->max_pkt_offset)
9903 			return -EINVAL;
9904 		new_rule->patterns[i].pkt_offset = pkt_offset;
9905 
9906 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
9907 		if (!mask_pat)
9908 			return -ENOMEM;
9909 
9910 		new_rule->patterns[i].mask = mask_pat;
9911 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
9912 		       mask_len);
9913 
9914 		mask_pat += mask_len;
9915 		new_rule->patterns[i].pattern = mask_pat;
9916 		new_rule->patterns[i].pattern_len = pat_len;
9917 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
9918 		       pat_len);
9919 		i++;
9920 	}
9921 
9922 	return 0;
9923 }
9924 
9925 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
9926 {
9927 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9928 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
9929 	struct cfg80211_coalesce new_coalesce = {};
9930 	struct cfg80211_coalesce *n_coalesce;
9931 	int err, rem_rule, n_rules = 0, i, j;
9932 	struct nlattr *rule;
9933 	struct cfg80211_coalesce_rules *tmp_rule;
9934 
9935 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
9936 		return -EOPNOTSUPP;
9937 
9938 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
9939 		cfg80211_rdev_free_coalesce(rdev);
9940 		rdev_set_coalesce(rdev, NULL);
9941 		return 0;
9942 	}
9943 
9944 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
9945 			    rem_rule)
9946 		n_rules++;
9947 	if (n_rules > coalesce->n_rules)
9948 		return -EINVAL;
9949 
9950 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
9951 				     GFP_KERNEL);
9952 	if (!new_coalesce.rules)
9953 		return -ENOMEM;
9954 
9955 	new_coalesce.n_rules = n_rules;
9956 	i = 0;
9957 
9958 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
9959 			    rem_rule) {
9960 		err = nl80211_parse_coalesce_rule(rdev, rule,
9961 						  &new_coalesce.rules[i]);
9962 		if (err)
9963 			goto error;
9964 
9965 		i++;
9966 	}
9967 
9968 	err = rdev_set_coalesce(rdev, &new_coalesce);
9969 	if (err)
9970 		goto error;
9971 
9972 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
9973 	if (!n_coalesce) {
9974 		err = -ENOMEM;
9975 		goto error;
9976 	}
9977 	cfg80211_rdev_free_coalesce(rdev);
9978 	rdev->coalesce = n_coalesce;
9979 
9980 	return 0;
9981 error:
9982 	for (i = 0; i < new_coalesce.n_rules; i++) {
9983 		tmp_rule = &new_coalesce.rules[i];
9984 		for (j = 0; j < tmp_rule->n_patterns; j++)
9985 			kfree(tmp_rule->patterns[j].mask);
9986 		kfree(tmp_rule->patterns);
9987 	}
9988 	kfree(new_coalesce.rules);
9989 
9990 	return err;
9991 }
9992 
9993 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
9994 {
9995 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9996 	struct net_device *dev = info->user_ptr[1];
9997 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9998 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
9999 	struct cfg80211_gtk_rekey_data rekey_data;
10000 	int err;
10001 
10002 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
10003 		return -EINVAL;
10004 
10005 	err = nla_parse(tb, MAX_NL80211_REKEY_DATA,
10006 			nla_data(info->attrs[NL80211_ATTR_REKEY_DATA]),
10007 			nla_len(info->attrs[NL80211_ATTR_REKEY_DATA]),
10008 			nl80211_rekey_policy);
10009 	if (err)
10010 		return err;
10011 
10012 	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
10013 		return -ERANGE;
10014 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
10015 		return -ERANGE;
10016 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN)
10017 		return -ERANGE;
10018 
10019 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
10020 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
10021 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
10022 
10023 	wdev_lock(wdev);
10024 	if (!wdev->current_bss) {
10025 		err = -ENOTCONN;
10026 		goto out;
10027 	}
10028 
10029 	if (!rdev->ops->set_rekey_data) {
10030 		err = -EOPNOTSUPP;
10031 		goto out;
10032 	}
10033 
10034 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
10035  out:
10036 	wdev_unlock(wdev);
10037 	return err;
10038 }
10039 
10040 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
10041 					     struct genl_info *info)
10042 {
10043 	struct net_device *dev = info->user_ptr[1];
10044 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10045 
10046 	if (wdev->iftype != NL80211_IFTYPE_AP &&
10047 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
10048 		return -EINVAL;
10049 
10050 	if (wdev->ap_unexpected_nlportid)
10051 		return -EBUSY;
10052 
10053 	wdev->ap_unexpected_nlportid = info->snd_portid;
10054 	return 0;
10055 }
10056 
10057 static int nl80211_probe_client(struct sk_buff *skb,
10058 				struct genl_info *info)
10059 {
10060 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10061 	struct net_device *dev = info->user_ptr[1];
10062 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10063 	struct sk_buff *msg;
10064 	void *hdr;
10065 	const u8 *addr;
10066 	u64 cookie;
10067 	int err;
10068 
10069 	if (wdev->iftype != NL80211_IFTYPE_AP &&
10070 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
10071 		return -EOPNOTSUPP;
10072 
10073 	if (!info->attrs[NL80211_ATTR_MAC])
10074 		return -EINVAL;
10075 
10076 	if (!rdev->ops->probe_client)
10077 		return -EOPNOTSUPP;
10078 
10079 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10080 	if (!msg)
10081 		return -ENOMEM;
10082 
10083 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10084 			     NL80211_CMD_PROBE_CLIENT);
10085 	if (!hdr) {
10086 		err = -ENOBUFS;
10087 		goto free_msg;
10088 	}
10089 
10090 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
10091 
10092 	err = rdev_probe_client(rdev, dev, addr, &cookie);
10093 	if (err)
10094 		goto free_msg;
10095 
10096 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
10097 			      NL80211_ATTR_PAD))
10098 		goto nla_put_failure;
10099 
10100 	genlmsg_end(msg, hdr);
10101 
10102 	return genlmsg_reply(msg, info);
10103 
10104  nla_put_failure:
10105 	err = -ENOBUFS;
10106  free_msg:
10107 	nlmsg_free(msg);
10108 	return err;
10109 }
10110 
10111 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
10112 {
10113 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10114 	struct cfg80211_beacon_registration *reg, *nreg;
10115 	int rv;
10116 
10117 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
10118 		return -EOPNOTSUPP;
10119 
10120 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
10121 	if (!nreg)
10122 		return -ENOMEM;
10123 
10124 	/* First, check if already registered. */
10125 	spin_lock_bh(&rdev->beacon_registrations_lock);
10126 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
10127 		if (reg->nlportid == info->snd_portid) {
10128 			rv = -EALREADY;
10129 			goto out_err;
10130 		}
10131 	}
10132 	/* Add it to the list */
10133 	nreg->nlportid = info->snd_portid;
10134 	list_add(&nreg->list, &rdev->beacon_registrations);
10135 
10136 	spin_unlock_bh(&rdev->beacon_registrations_lock);
10137 
10138 	return 0;
10139 out_err:
10140 	spin_unlock_bh(&rdev->beacon_registrations_lock);
10141 	kfree(nreg);
10142 	return rv;
10143 }
10144 
10145 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
10146 {
10147 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10148 	struct wireless_dev *wdev = info->user_ptr[1];
10149 	int err;
10150 
10151 	if (!rdev->ops->start_p2p_device)
10152 		return -EOPNOTSUPP;
10153 
10154 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
10155 		return -EOPNOTSUPP;
10156 
10157 	if (wdev->p2p_started)
10158 		return 0;
10159 
10160 	if (rfkill_blocked(rdev->rfkill))
10161 		return -ERFKILL;
10162 
10163 	err = rdev_start_p2p_device(rdev, wdev);
10164 	if (err)
10165 		return err;
10166 
10167 	wdev->p2p_started = true;
10168 	rdev->opencount++;
10169 
10170 	return 0;
10171 }
10172 
10173 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
10174 {
10175 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10176 	struct wireless_dev *wdev = info->user_ptr[1];
10177 
10178 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
10179 		return -EOPNOTSUPP;
10180 
10181 	if (!rdev->ops->stop_p2p_device)
10182 		return -EOPNOTSUPP;
10183 
10184 	cfg80211_stop_p2p_device(rdev, wdev);
10185 
10186 	return 0;
10187 }
10188 
10189 static int nl80211_get_protocol_features(struct sk_buff *skb,
10190 					 struct genl_info *info)
10191 {
10192 	void *hdr;
10193 	struct sk_buff *msg;
10194 
10195 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10196 	if (!msg)
10197 		return -ENOMEM;
10198 
10199 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10200 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
10201 	if (!hdr)
10202 		goto nla_put_failure;
10203 
10204 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
10205 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
10206 		goto nla_put_failure;
10207 
10208 	genlmsg_end(msg, hdr);
10209 	return genlmsg_reply(msg, info);
10210 
10211  nla_put_failure:
10212 	kfree_skb(msg);
10213 	return -ENOBUFS;
10214 }
10215 
10216 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
10217 {
10218 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10219 	struct cfg80211_update_ft_ies_params ft_params;
10220 	struct net_device *dev = info->user_ptr[1];
10221 
10222 	if (!rdev->ops->update_ft_ies)
10223 		return -EOPNOTSUPP;
10224 
10225 	if (!info->attrs[NL80211_ATTR_MDID] ||
10226 	    !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
10227 		return -EINVAL;
10228 
10229 	memset(&ft_params, 0, sizeof(ft_params));
10230 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
10231 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10232 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10233 
10234 	return rdev_update_ft_ies(rdev, dev, &ft_params);
10235 }
10236 
10237 static int nl80211_crit_protocol_start(struct sk_buff *skb,
10238 				       struct genl_info *info)
10239 {
10240 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10241 	struct wireless_dev *wdev = info->user_ptr[1];
10242 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
10243 	u16 duration;
10244 	int ret;
10245 
10246 	if (!rdev->ops->crit_proto_start)
10247 		return -EOPNOTSUPP;
10248 
10249 	if (WARN_ON(!rdev->ops->crit_proto_stop))
10250 		return -EINVAL;
10251 
10252 	if (rdev->crit_proto_nlportid)
10253 		return -EBUSY;
10254 
10255 	/* determine protocol if provided */
10256 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
10257 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
10258 
10259 	if (proto >= NUM_NL80211_CRIT_PROTO)
10260 		return -EINVAL;
10261 
10262 	/* timeout must be provided */
10263 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
10264 		return -EINVAL;
10265 
10266 	duration =
10267 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
10268 
10269 	if (duration > NL80211_CRIT_PROTO_MAX_DURATION)
10270 		return -ERANGE;
10271 
10272 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
10273 	if (!ret)
10274 		rdev->crit_proto_nlportid = info->snd_portid;
10275 
10276 	return ret;
10277 }
10278 
10279 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
10280 				      struct genl_info *info)
10281 {
10282 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10283 	struct wireless_dev *wdev = info->user_ptr[1];
10284 
10285 	if (!rdev->ops->crit_proto_stop)
10286 		return -EOPNOTSUPP;
10287 
10288 	if (rdev->crit_proto_nlportid) {
10289 		rdev->crit_proto_nlportid = 0;
10290 		rdev_crit_proto_stop(rdev, wdev);
10291 	}
10292 	return 0;
10293 }
10294 
10295 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
10296 {
10297 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10298 	struct wireless_dev *wdev =
10299 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
10300 	int i, err;
10301 	u32 vid, subcmd;
10302 
10303 	if (!rdev->wiphy.vendor_commands)
10304 		return -EOPNOTSUPP;
10305 
10306 	if (IS_ERR(wdev)) {
10307 		err = PTR_ERR(wdev);
10308 		if (err != -EINVAL)
10309 			return err;
10310 		wdev = NULL;
10311 	} else if (wdev->wiphy != &rdev->wiphy) {
10312 		return -EINVAL;
10313 	}
10314 
10315 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
10316 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
10317 		return -EINVAL;
10318 
10319 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
10320 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
10321 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
10322 		const struct wiphy_vendor_command *vcmd;
10323 		void *data = NULL;
10324 		int len = 0;
10325 
10326 		vcmd = &rdev->wiphy.vendor_commands[i];
10327 
10328 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
10329 			continue;
10330 
10331 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
10332 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
10333 			if (!wdev)
10334 				return -EINVAL;
10335 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
10336 			    !wdev->netdev)
10337 				return -EINVAL;
10338 
10339 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
10340 				if (wdev->netdev &&
10341 				    !netif_running(wdev->netdev))
10342 					return -ENETDOWN;
10343 				if (!wdev->netdev && !wdev->p2p_started)
10344 					return -ENETDOWN;
10345 			}
10346 
10347 			if (!vcmd->doit)
10348 				return -EOPNOTSUPP;
10349 		} else {
10350 			wdev = NULL;
10351 		}
10352 
10353 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
10354 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
10355 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
10356 		}
10357 
10358 		rdev->cur_cmd_info = info;
10359 		err = rdev->wiphy.vendor_commands[i].doit(&rdev->wiphy, wdev,
10360 							  data, len);
10361 		rdev->cur_cmd_info = NULL;
10362 		return err;
10363 	}
10364 
10365 	return -EOPNOTSUPP;
10366 }
10367 
10368 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
10369 				       struct netlink_callback *cb,
10370 				       struct cfg80211_registered_device **rdev,
10371 				       struct wireless_dev **wdev)
10372 {
10373 	u32 vid, subcmd;
10374 	unsigned int i;
10375 	int vcmd_idx = -1;
10376 	int err;
10377 	void *data = NULL;
10378 	unsigned int data_len = 0;
10379 
10380 	rtnl_lock();
10381 
10382 	if (cb->args[0]) {
10383 		/* subtract the 1 again here */
10384 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
10385 		struct wireless_dev *tmp;
10386 
10387 		if (!wiphy) {
10388 			err = -ENODEV;
10389 			goto out_unlock;
10390 		}
10391 		*rdev = wiphy_to_rdev(wiphy);
10392 		*wdev = NULL;
10393 
10394 		if (cb->args[1]) {
10395 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
10396 				if (tmp->identifier == cb->args[1] - 1) {
10397 					*wdev = tmp;
10398 					break;
10399 				}
10400 			}
10401 		}
10402 
10403 		/* keep rtnl locked in successful case */
10404 		return 0;
10405 	}
10406 
10407 	err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
10408 			  nl80211_fam.attrbuf, nl80211_fam.maxattr,
10409 			  nl80211_policy);
10410 	if (err)
10411 		goto out_unlock;
10412 
10413 	if (!nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_ID] ||
10414 	    !nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
10415 		err = -EINVAL;
10416 		goto out_unlock;
10417 	}
10418 
10419 	*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk),
10420 					   nl80211_fam.attrbuf);
10421 	if (IS_ERR(*wdev))
10422 		*wdev = NULL;
10423 
10424 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk),
10425 					   nl80211_fam.attrbuf);
10426 	if (IS_ERR(*rdev)) {
10427 		err = PTR_ERR(*rdev);
10428 		goto out_unlock;
10429 	}
10430 
10431 	vid = nla_get_u32(nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_ID]);
10432 	subcmd = nla_get_u32(nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
10433 
10434 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
10435 		const struct wiphy_vendor_command *vcmd;
10436 
10437 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
10438 
10439 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
10440 			continue;
10441 
10442 		if (!vcmd->dumpit) {
10443 			err = -EOPNOTSUPP;
10444 			goto out_unlock;
10445 		}
10446 
10447 		vcmd_idx = i;
10448 		break;
10449 	}
10450 
10451 	if (vcmd_idx < 0) {
10452 		err = -EOPNOTSUPP;
10453 		goto out_unlock;
10454 	}
10455 
10456 	if (nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_DATA]) {
10457 		data = nla_data(nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_DATA]);
10458 		data_len = nla_len(nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_DATA]);
10459 	}
10460 
10461 	/* 0 is the first index - add 1 to parse only once */
10462 	cb->args[0] = (*rdev)->wiphy_idx + 1;
10463 	/* add 1 to know if it was NULL */
10464 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
10465 	cb->args[2] = vcmd_idx;
10466 	cb->args[3] = (unsigned long)data;
10467 	cb->args[4] = data_len;
10468 
10469 	/* keep rtnl locked in successful case */
10470 	return 0;
10471  out_unlock:
10472 	rtnl_unlock();
10473 	return err;
10474 }
10475 
10476 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
10477 				   struct netlink_callback *cb)
10478 {
10479 	struct cfg80211_registered_device *rdev;
10480 	struct wireless_dev *wdev;
10481 	unsigned int vcmd_idx;
10482 	const struct wiphy_vendor_command *vcmd;
10483 	void *data;
10484 	int data_len;
10485 	int err;
10486 	struct nlattr *vendor_data;
10487 
10488 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
10489 	if (err)
10490 		return err;
10491 
10492 	vcmd_idx = cb->args[2];
10493 	data = (void *)cb->args[3];
10494 	data_len = cb->args[4];
10495 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
10496 
10497 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
10498 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
10499 		if (!wdev)
10500 			return -EINVAL;
10501 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
10502 		    !wdev->netdev)
10503 			return -EINVAL;
10504 
10505 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
10506 			if (wdev->netdev &&
10507 			    !netif_running(wdev->netdev))
10508 				return -ENETDOWN;
10509 			if (!wdev->netdev && !wdev->p2p_started)
10510 				return -ENETDOWN;
10511 		}
10512 	}
10513 
10514 	while (1) {
10515 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
10516 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
10517 					   NL80211_CMD_VENDOR);
10518 		if (!hdr)
10519 			break;
10520 
10521 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10522 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
10523 					       wdev_id(wdev),
10524 					       NL80211_ATTR_PAD))) {
10525 			genlmsg_cancel(skb, hdr);
10526 			break;
10527 		}
10528 
10529 		vendor_data = nla_nest_start(skb, NL80211_ATTR_VENDOR_DATA);
10530 		if (!vendor_data) {
10531 			genlmsg_cancel(skb, hdr);
10532 			break;
10533 		}
10534 
10535 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
10536 				   (unsigned long *)&cb->args[5]);
10537 		nla_nest_end(skb, vendor_data);
10538 
10539 		if (err == -ENOBUFS || err == -ENOENT) {
10540 			genlmsg_cancel(skb, hdr);
10541 			break;
10542 		} else if (err) {
10543 			genlmsg_cancel(skb, hdr);
10544 			goto out;
10545 		}
10546 
10547 		genlmsg_end(skb, hdr);
10548 	}
10549 
10550 	err = skb->len;
10551  out:
10552 	rtnl_unlock();
10553 	return err;
10554 }
10555 
10556 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
10557 					   enum nl80211_commands cmd,
10558 					   enum nl80211_attrs attr,
10559 					   int approxlen)
10560 {
10561 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
10562 
10563 	if (WARN_ON(!rdev->cur_cmd_info))
10564 		return NULL;
10565 
10566 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
10567 					   rdev->cur_cmd_info->snd_portid,
10568 					   rdev->cur_cmd_info->snd_seq,
10569 					   cmd, attr, NULL, GFP_KERNEL);
10570 }
10571 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
10572 
10573 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
10574 {
10575 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
10576 	void *hdr = ((void **)skb->cb)[1];
10577 	struct nlattr *data = ((void **)skb->cb)[2];
10578 
10579 	/* clear CB data for netlink core to own from now on */
10580 	memset(skb->cb, 0, sizeof(skb->cb));
10581 
10582 	if (WARN_ON(!rdev->cur_cmd_info)) {
10583 		kfree_skb(skb);
10584 		return -EINVAL;
10585 	}
10586 
10587 	nla_nest_end(skb, data);
10588 	genlmsg_end(skb, hdr);
10589 	return genlmsg_reply(skb, rdev->cur_cmd_info);
10590 }
10591 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
10592 
10593 
10594 static int nl80211_set_qos_map(struct sk_buff *skb,
10595 			       struct genl_info *info)
10596 {
10597 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10598 	struct cfg80211_qos_map *qos_map = NULL;
10599 	struct net_device *dev = info->user_ptr[1];
10600 	u8 *pos, len, num_des, des_len, des;
10601 	int ret;
10602 
10603 	if (!rdev->ops->set_qos_map)
10604 		return -EOPNOTSUPP;
10605 
10606 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
10607 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
10608 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
10609 
10610 		if (len % 2 || len < IEEE80211_QOS_MAP_LEN_MIN ||
10611 		    len > IEEE80211_QOS_MAP_LEN_MAX)
10612 			return -EINVAL;
10613 
10614 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
10615 		if (!qos_map)
10616 			return -ENOMEM;
10617 
10618 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
10619 		if (num_des) {
10620 			des_len = num_des *
10621 				sizeof(struct cfg80211_dscp_exception);
10622 			memcpy(qos_map->dscp_exception, pos, des_len);
10623 			qos_map->num_des = num_des;
10624 			for (des = 0; des < num_des; des++) {
10625 				if (qos_map->dscp_exception[des].up > 7) {
10626 					kfree(qos_map);
10627 					return -EINVAL;
10628 				}
10629 			}
10630 			pos += des_len;
10631 		}
10632 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
10633 	}
10634 
10635 	wdev_lock(dev->ieee80211_ptr);
10636 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
10637 	if (!ret)
10638 		ret = rdev_set_qos_map(rdev, dev, qos_map);
10639 	wdev_unlock(dev->ieee80211_ptr);
10640 
10641 	kfree(qos_map);
10642 	return ret;
10643 }
10644 
10645 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
10646 {
10647 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10648 	struct net_device *dev = info->user_ptr[1];
10649 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10650 	const u8 *peer;
10651 	u8 tsid, up;
10652 	u16 admitted_time = 0;
10653 	int err;
10654 
10655 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
10656 		return -EOPNOTSUPP;
10657 
10658 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
10659 	    !info->attrs[NL80211_ATTR_USER_PRIO])
10660 		return -EINVAL;
10661 
10662 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
10663 	if (tsid >= IEEE80211_NUM_TIDS)
10664 		return -EINVAL;
10665 
10666 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
10667 	if (up >= IEEE80211_NUM_UPS)
10668 		return -EINVAL;
10669 
10670 	/* WMM uses TIDs 0-7 even for TSPEC */
10671 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
10672 		/* TODO: handle 802.11 TSPEC/admission control
10673 		 * need more attributes for that (e.g. BA session requirement);
10674 		 * change the WMM adminssion test above to allow both then
10675 		 */
10676 		return -EINVAL;
10677 	}
10678 
10679 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10680 
10681 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
10682 		admitted_time =
10683 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
10684 		if (!admitted_time)
10685 			return -EINVAL;
10686 	}
10687 
10688 	wdev_lock(wdev);
10689 	switch (wdev->iftype) {
10690 	case NL80211_IFTYPE_STATION:
10691 	case NL80211_IFTYPE_P2P_CLIENT:
10692 		if (wdev->current_bss)
10693 			break;
10694 		err = -ENOTCONN;
10695 		goto out;
10696 	default:
10697 		err = -EOPNOTSUPP;
10698 		goto out;
10699 	}
10700 
10701 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
10702 
10703  out:
10704 	wdev_unlock(wdev);
10705 	return err;
10706 }
10707 
10708 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
10709 {
10710 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10711 	struct net_device *dev = info->user_ptr[1];
10712 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10713 	const u8 *peer;
10714 	u8 tsid;
10715 	int err;
10716 
10717 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
10718 		return -EINVAL;
10719 
10720 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
10721 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10722 
10723 	wdev_lock(wdev);
10724 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
10725 	wdev_unlock(wdev);
10726 
10727 	return err;
10728 }
10729 
10730 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
10731 				       struct genl_info *info)
10732 {
10733 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10734 	struct net_device *dev = info->user_ptr[1];
10735 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10736 	struct cfg80211_chan_def chandef = {};
10737 	const u8 *addr;
10738 	u8 oper_class;
10739 	int err;
10740 
10741 	if (!rdev->ops->tdls_channel_switch ||
10742 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
10743 		return -EOPNOTSUPP;
10744 
10745 	switch (dev->ieee80211_ptr->iftype) {
10746 	case NL80211_IFTYPE_STATION:
10747 	case NL80211_IFTYPE_P2P_CLIENT:
10748 		break;
10749 	default:
10750 		return -EOPNOTSUPP;
10751 	}
10752 
10753 	if (!info->attrs[NL80211_ATTR_MAC] ||
10754 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
10755 		return -EINVAL;
10756 
10757 	err = nl80211_parse_chandef(rdev, info, &chandef);
10758 	if (err)
10759 		return err;
10760 
10761 	/*
10762 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
10763 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
10764 	 * specification is not defined for them.
10765 	 */
10766 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
10767 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
10768 	    chandef.width != NL80211_CHAN_WIDTH_20)
10769 		return -EINVAL;
10770 
10771 	/* we will be active on the TDLS link */
10772 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
10773 					   wdev->iftype))
10774 		return -EINVAL;
10775 
10776 	/* don't allow switching to DFS channels */
10777 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
10778 		return -EINVAL;
10779 
10780 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
10781 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
10782 
10783 	wdev_lock(wdev);
10784 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
10785 	wdev_unlock(wdev);
10786 
10787 	return err;
10788 }
10789 
10790 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
10791 					      struct genl_info *info)
10792 {
10793 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10794 	struct net_device *dev = info->user_ptr[1];
10795 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10796 	const u8 *addr;
10797 
10798 	if (!rdev->ops->tdls_channel_switch ||
10799 	    !rdev->ops->tdls_cancel_channel_switch ||
10800 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
10801 		return -EOPNOTSUPP;
10802 
10803 	switch (dev->ieee80211_ptr->iftype) {
10804 	case NL80211_IFTYPE_STATION:
10805 	case NL80211_IFTYPE_P2P_CLIENT:
10806 		break;
10807 	default:
10808 		return -EOPNOTSUPP;
10809 	}
10810 
10811 	if (!info->attrs[NL80211_ATTR_MAC])
10812 		return -EINVAL;
10813 
10814 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
10815 
10816 	wdev_lock(wdev);
10817 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
10818 	wdev_unlock(wdev);
10819 
10820 	return 0;
10821 }
10822 
10823 #define NL80211_FLAG_NEED_WIPHY		0x01
10824 #define NL80211_FLAG_NEED_NETDEV	0x02
10825 #define NL80211_FLAG_NEED_RTNL		0x04
10826 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
10827 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
10828 					 NL80211_FLAG_CHECK_NETDEV_UP)
10829 #define NL80211_FLAG_NEED_WDEV		0x10
10830 /* If a netdev is associated, it must be UP, P2P must be started */
10831 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
10832 					 NL80211_FLAG_CHECK_NETDEV_UP)
10833 #define NL80211_FLAG_CLEAR_SKB		0x20
10834 
10835 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
10836 			    struct genl_info *info)
10837 {
10838 	struct cfg80211_registered_device *rdev;
10839 	struct wireless_dev *wdev;
10840 	struct net_device *dev;
10841 	bool rtnl = ops->internal_flags & NL80211_FLAG_NEED_RTNL;
10842 
10843 	if (rtnl)
10844 		rtnl_lock();
10845 
10846 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
10847 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
10848 		if (IS_ERR(rdev)) {
10849 			if (rtnl)
10850 				rtnl_unlock();
10851 			return PTR_ERR(rdev);
10852 		}
10853 		info->user_ptr[0] = rdev;
10854 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
10855 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
10856 		ASSERT_RTNL();
10857 
10858 		wdev = __cfg80211_wdev_from_attrs(genl_info_net(info),
10859 						  info->attrs);
10860 		if (IS_ERR(wdev)) {
10861 			if (rtnl)
10862 				rtnl_unlock();
10863 			return PTR_ERR(wdev);
10864 		}
10865 
10866 		dev = wdev->netdev;
10867 		rdev = wiphy_to_rdev(wdev->wiphy);
10868 
10869 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
10870 			if (!dev) {
10871 				if (rtnl)
10872 					rtnl_unlock();
10873 				return -EINVAL;
10874 			}
10875 
10876 			info->user_ptr[1] = dev;
10877 		} else {
10878 			info->user_ptr[1] = wdev;
10879 		}
10880 
10881 		if (dev) {
10882 			if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
10883 			    !netif_running(dev)) {
10884 				if (rtnl)
10885 					rtnl_unlock();
10886 				return -ENETDOWN;
10887 			}
10888 
10889 			dev_hold(dev);
10890 		} else if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP) {
10891 			if (!wdev->p2p_started) {
10892 				if (rtnl)
10893 					rtnl_unlock();
10894 				return -ENETDOWN;
10895 			}
10896 		}
10897 
10898 		info->user_ptr[0] = rdev;
10899 	}
10900 
10901 	return 0;
10902 }
10903 
10904 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
10905 			      struct genl_info *info)
10906 {
10907 	if (info->user_ptr[1]) {
10908 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
10909 			struct wireless_dev *wdev = info->user_ptr[1];
10910 
10911 			if (wdev->netdev)
10912 				dev_put(wdev->netdev);
10913 		} else {
10914 			dev_put(info->user_ptr[1]);
10915 		}
10916 	}
10917 
10918 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
10919 		rtnl_unlock();
10920 
10921 	/* If needed, clear the netlink message payload from the SKB
10922 	 * as it might contain key data that shouldn't stick around on
10923 	 * the heap after the SKB is freed. The netlink message header
10924 	 * is still needed for further processing, so leave it intact.
10925 	 */
10926 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
10927 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
10928 
10929 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
10930 	}
10931 }
10932 
10933 static const struct genl_ops nl80211_ops[] = {
10934 	{
10935 		.cmd = NL80211_CMD_GET_WIPHY,
10936 		.doit = nl80211_get_wiphy,
10937 		.dumpit = nl80211_dump_wiphy,
10938 		.done = nl80211_dump_wiphy_done,
10939 		.policy = nl80211_policy,
10940 		/* can be retrieved by unprivileged users */
10941 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10942 				  NL80211_FLAG_NEED_RTNL,
10943 	},
10944 	{
10945 		.cmd = NL80211_CMD_SET_WIPHY,
10946 		.doit = nl80211_set_wiphy,
10947 		.policy = nl80211_policy,
10948 		.flags = GENL_ADMIN_PERM,
10949 		.internal_flags = NL80211_FLAG_NEED_RTNL,
10950 	},
10951 	{
10952 		.cmd = NL80211_CMD_GET_INTERFACE,
10953 		.doit = nl80211_get_interface,
10954 		.dumpit = nl80211_dump_interface,
10955 		.policy = nl80211_policy,
10956 		/* can be retrieved by unprivileged users */
10957 		.internal_flags = NL80211_FLAG_NEED_WDEV |
10958 				  NL80211_FLAG_NEED_RTNL,
10959 	},
10960 	{
10961 		.cmd = NL80211_CMD_SET_INTERFACE,
10962 		.doit = nl80211_set_interface,
10963 		.policy = nl80211_policy,
10964 		.flags = GENL_ADMIN_PERM,
10965 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10966 				  NL80211_FLAG_NEED_RTNL,
10967 	},
10968 	{
10969 		.cmd = NL80211_CMD_NEW_INTERFACE,
10970 		.doit = nl80211_new_interface,
10971 		.policy = nl80211_policy,
10972 		.flags = GENL_ADMIN_PERM,
10973 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10974 				  NL80211_FLAG_NEED_RTNL,
10975 	},
10976 	{
10977 		.cmd = NL80211_CMD_DEL_INTERFACE,
10978 		.doit = nl80211_del_interface,
10979 		.policy = nl80211_policy,
10980 		.flags = GENL_ADMIN_PERM,
10981 		.internal_flags = NL80211_FLAG_NEED_WDEV |
10982 				  NL80211_FLAG_NEED_RTNL,
10983 	},
10984 	{
10985 		.cmd = NL80211_CMD_GET_KEY,
10986 		.doit = nl80211_get_key,
10987 		.policy = nl80211_policy,
10988 		.flags = GENL_ADMIN_PERM,
10989 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10990 				  NL80211_FLAG_NEED_RTNL,
10991 	},
10992 	{
10993 		.cmd = NL80211_CMD_SET_KEY,
10994 		.doit = nl80211_set_key,
10995 		.policy = nl80211_policy,
10996 		.flags = GENL_ADMIN_PERM,
10997 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10998 				  NL80211_FLAG_NEED_RTNL |
10999 				  NL80211_FLAG_CLEAR_SKB,
11000 	},
11001 	{
11002 		.cmd = NL80211_CMD_NEW_KEY,
11003 		.doit = nl80211_new_key,
11004 		.policy = nl80211_policy,
11005 		.flags = GENL_ADMIN_PERM,
11006 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11007 				  NL80211_FLAG_NEED_RTNL |
11008 				  NL80211_FLAG_CLEAR_SKB,
11009 	},
11010 	{
11011 		.cmd = NL80211_CMD_DEL_KEY,
11012 		.doit = nl80211_del_key,
11013 		.policy = nl80211_policy,
11014 		.flags = GENL_ADMIN_PERM,
11015 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11016 				  NL80211_FLAG_NEED_RTNL,
11017 	},
11018 	{
11019 		.cmd = NL80211_CMD_SET_BEACON,
11020 		.policy = nl80211_policy,
11021 		.flags = GENL_ADMIN_PERM,
11022 		.doit = nl80211_set_beacon,
11023 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11024 				  NL80211_FLAG_NEED_RTNL,
11025 	},
11026 	{
11027 		.cmd = NL80211_CMD_START_AP,
11028 		.policy = nl80211_policy,
11029 		.flags = GENL_ADMIN_PERM,
11030 		.doit = nl80211_start_ap,
11031 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11032 				  NL80211_FLAG_NEED_RTNL,
11033 	},
11034 	{
11035 		.cmd = NL80211_CMD_STOP_AP,
11036 		.policy = nl80211_policy,
11037 		.flags = GENL_ADMIN_PERM,
11038 		.doit = nl80211_stop_ap,
11039 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11040 				  NL80211_FLAG_NEED_RTNL,
11041 	},
11042 	{
11043 		.cmd = NL80211_CMD_GET_STATION,
11044 		.doit = nl80211_get_station,
11045 		.dumpit = nl80211_dump_station,
11046 		.policy = nl80211_policy,
11047 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11048 				  NL80211_FLAG_NEED_RTNL,
11049 	},
11050 	{
11051 		.cmd = NL80211_CMD_SET_STATION,
11052 		.doit = nl80211_set_station,
11053 		.policy = nl80211_policy,
11054 		.flags = GENL_ADMIN_PERM,
11055 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11056 				  NL80211_FLAG_NEED_RTNL,
11057 	},
11058 	{
11059 		.cmd = NL80211_CMD_NEW_STATION,
11060 		.doit = nl80211_new_station,
11061 		.policy = nl80211_policy,
11062 		.flags = GENL_ADMIN_PERM,
11063 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11064 				  NL80211_FLAG_NEED_RTNL,
11065 	},
11066 	{
11067 		.cmd = NL80211_CMD_DEL_STATION,
11068 		.doit = nl80211_del_station,
11069 		.policy = nl80211_policy,
11070 		.flags = GENL_ADMIN_PERM,
11071 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11072 				  NL80211_FLAG_NEED_RTNL,
11073 	},
11074 	{
11075 		.cmd = NL80211_CMD_GET_MPATH,
11076 		.doit = nl80211_get_mpath,
11077 		.dumpit = nl80211_dump_mpath,
11078 		.policy = nl80211_policy,
11079 		.flags = GENL_ADMIN_PERM,
11080 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11081 				  NL80211_FLAG_NEED_RTNL,
11082 	},
11083 	{
11084 		.cmd = NL80211_CMD_GET_MPP,
11085 		.doit = nl80211_get_mpp,
11086 		.dumpit = nl80211_dump_mpp,
11087 		.policy = nl80211_policy,
11088 		.flags = GENL_ADMIN_PERM,
11089 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11090 				  NL80211_FLAG_NEED_RTNL,
11091 	},
11092 	{
11093 		.cmd = NL80211_CMD_SET_MPATH,
11094 		.doit = nl80211_set_mpath,
11095 		.policy = nl80211_policy,
11096 		.flags = GENL_ADMIN_PERM,
11097 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11098 				  NL80211_FLAG_NEED_RTNL,
11099 	},
11100 	{
11101 		.cmd = NL80211_CMD_NEW_MPATH,
11102 		.doit = nl80211_new_mpath,
11103 		.policy = nl80211_policy,
11104 		.flags = GENL_ADMIN_PERM,
11105 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11106 				  NL80211_FLAG_NEED_RTNL,
11107 	},
11108 	{
11109 		.cmd = NL80211_CMD_DEL_MPATH,
11110 		.doit = nl80211_del_mpath,
11111 		.policy = nl80211_policy,
11112 		.flags = GENL_ADMIN_PERM,
11113 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11114 				  NL80211_FLAG_NEED_RTNL,
11115 	},
11116 	{
11117 		.cmd = NL80211_CMD_SET_BSS,
11118 		.doit = nl80211_set_bss,
11119 		.policy = nl80211_policy,
11120 		.flags = GENL_ADMIN_PERM,
11121 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11122 				  NL80211_FLAG_NEED_RTNL,
11123 	},
11124 	{
11125 		.cmd = NL80211_CMD_GET_REG,
11126 		.doit = nl80211_get_reg_do,
11127 		.dumpit = nl80211_get_reg_dump,
11128 		.policy = nl80211_policy,
11129 		.internal_flags = NL80211_FLAG_NEED_RTNL,
11130 		/* can be retrieved by unprivileged users */
11131 	},
11132 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
11133 	{
11134 		.cmd = NL80211_CMD_SET_REG,
11135 		.doit = nl80211_set_reg,
11136 		.policy = nl80211_policy,
11137 		.flags = GENL_ADMIN_PERM,
11138 		.internal_flags = NL80211_FLAG_NEED_RTNL,
11139 	},
11140 #endif
11141 	{
11142 		.cmd = NL80211_CMD_REQ_SET_REG,
11143 		.doit = nl80211_req_set_reg,
11144 		.policy = nl80211_policy,
11145 		.flags = GENL_ADMIN_PERM,
11146 	},
11147 	{
11148 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
11149 		.doit = nl80211_get_mesh_config,
11150 		.policy = nl80211_policy,
11151 		/* can be retrieved by unprivileged users */
11152 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11153 				  NL80211_FLAG_NEED_RTNL,
11154 	},
11155 	{
11156 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
11157 		.doit = nl80211_update_mesh_config,
11158 		.policy = nl80211_policy,
11159 		.flags = GENL_ADMIN_PERM,
11160 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11161 				  NL80211_FLAG_NEED_RTNL,
11162 	},
11163 	{
11164 		.cmd = NL80211_CMD_TRIGGER_SCAN,
11165 		.doit = nl80211_trigger_scan,
11166 		.policy = nl80211_policy,
11167 		.flags = GENL_ADMIN_PERM,
11168 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11169 				  NL80211_FLAG_NEED_RTNL,
11170 	},
11171 	{
11172 		.cmd = NL80211_CMD_ABORT_SCAN,
11173 		.doit = nl80211_abort_scan,
11174 		.policy = nl80211_policy,
11175 		.flags = GENL_ADMIN_PERM,
11176 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11177 				  NL80211_FLAG_NEED_RTNL,
11178 	},
11179 	{
11180 		.cmd = NL80211_CMD_GET_SCAN,
11181 		.policy = nl80211_policy,
11182 		.dumpit = nl80211_dump_scan,
11183 	},
11184 	{
11185 		.cmd = NL80211_CMD_START_SCHED_SCAN,
11186 		.doit = nl80211_start_sched_scan,
11187 		.policy = nl80211_policy,
11188 		.flags = GENL_ADMIN_PERM,
11189 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11190 				  NL80211_FLAG_NEED_RTNL,
11191 	},
11192 	{
11193 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
11194 		.doit = nl80211_stop_sched_scan,
11195 		.policy = nl80211_policy,
11196 		.flags = GENL_ADMIN_PERM,
11197 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11198 				  NL80211_FLAG_NEED_RTNL,
11199 	},
11200 	{
11201 		.cmd = NL80211_CMD_AUTHENTICATE,
11202 		.doit = nl80211_authenticate,
11203 		.policy = nl80211_policy,
11204 		.flags = GENL_ADMIN_PERM,
11205 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11206 				  NL80211_FLAG_NEED_RTNL |
11207 				  NL80211_FLAG_CLEAR_SKB,
11208 	},
11209 	{
11210 		.cmd = NL80211_CMD_ASSOCIATE,
11211 		.doit = nl80211_associate,
11212 		.policy = nl80211_policy,
11213 		.flags = GENL_ADMIN_PERM,
11214 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11215 				  NL80211_FLAG_NEED_RTNL,
11216 	},
11217 	{
11218 		.cmd = NL80211_CMD_DEAUTHENTICATE,
11219 		.doit = nl80211_deauthenticate,
11220 		.policy = nl80211_policy,
11221 		.flags = GENL_ADMIN_PERM,
11222 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11223 				  NL80211_FLAG_NEED_RTNL,
11224 	},
11225 	{
11226 		.cmd = NL80211_CMD_DISASSOCIATE,
11227 		.doit = nl80211_disassociate,
11228 		.policy = nl80211_policy,
11229 		.flags = GENL_ADMIN_PERM,
11230 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11231 				  NL80211_FLAG_NEED_RTNL,
11232 	},
11233 	{
11234 		.cmd = NL80211_CMD_JOIN_IBSS,
11235 		.doit = nl80211_join_ibss,
11236 		.policy = nl80211_policy,
11237 		.flags = GENL_ADMIN_PERM,
11238 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11239 				  NL80211_FLAG_NEED_RTNL,
11240 	},
11241 	{
11242 		.cmd = NL80211_CMD_LEAVE_IBSS,
11243 		.doit = nl80211_leave_ibss,
11244 		.policy = nl80211_policy,
11245 		.flags = GENL_ADMIN_PERM,
11246 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11247 				  NL80211_FLAG_NEED_RTNL,
11248 	},
11249 #ifdef CONFIG_NL80211_TESTMODE
11250 	{
11251 		.cmd = NL80211_CMD_TESTMODE,
11252 		.doit = nl80211_testmode_do,
11253 		.dumpit = nl80211_testmode_dump,
11254 		.policy = nl80211_policy,
11255 		.flags = GENL_ADMIN_PERM,
11256 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11257 				  NL80211_FLAG_NEED_RTNL,
11258 	},
11259 #endif
11260 	{
11261 		.cmd = NL80211_CMD_CONNECT,
11262 		.doit = nl80211_connect,
11263 		.policy = nl80211_policy,
11264 		.flags = GENL_ADMIN_PERM,
11265 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11266 				  NL80211_FLAG_NEED_RTNL,
11267 	},
11268 	{
11269 		.cmd = NL80211_CMD_DISCONNECT,
11270 		.doit = nl80211_disconnect,
11271 		.policy = nl80211_policy,
11272 		.flags = GENL_ADMIN_PERM,
11273 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11274 				  NL80211_FLAG_NEED_RTNL,
11275 	},
11276 	{
11277 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
11278 		.doit = nl80211_wiphy_netns,
11279 		.policy = nl80211_policy,
11280 		.flags = GENL_ADMIN_PERM,
11281 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11282 				  NL80211_FLAG_NEED_RTNL,
11283 	},
11284 	{
11285 		.cmd = NL80211_CMD_GET_SURVEY,
11286 		.policy = nl80211_policy,
11287 		.dumpit = nl80211_dump_survey,
11288 	},
11289 	{
11290 		.cmd = NL80211_CMD_SET_PMKSA,
11291 		.doit = nl80211_setdel_pmksa,
11292 		.policy = nl80211_policy,
11293 		.flags = GENL_ADMIN_PERM,
11294 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11295 				  NL80211_FLAG_NEED_RTNL,
11296 	},
11297 	{
11298 		.cmd = NL80211_CMD_DEL_PMKSA,
11299 		.doit = nl80211_setdel_pmksa,
11300 		.policy = nl80211_policy,
11301 		.flags = GENL_ADMIN_PERM,
11302 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11303 				  NL80211_FLAG_NEED_RTNL,
11304 	},
11305 	{
11306 		.cmd = NL80211_CMD_FLUSH_PMKSA,
11307 		.doit = nl80211_flush_pmksa,
11308 		.policy = nl80211_policy,
11309 		.flags = GENL_ADMIN_PERM,
11310 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11311 				  NL80211_FLAG_NEED_RTNL,
11312 	},
11313 	{
11314 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
11315 		.doit = nl80211_remain_on_channel,
11316 		.policy = nl80211_policy,
11317 		.flags = GENL_ADMIN_PERM,
11318 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11319 				  NL80211_FLAG_NEED_RTNL,
11320 	},
11321 	{
11322 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
11323 		.doit = nl80211_cancel_remain_on_channel,
11324 		.policy = nl80211_policy,
11325 		.flags = GENL_ADMIN_PERM,
11326 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11327 				  NL80211_FLAG_NEED_RTNL,
11328 	},
11329 	{
11330 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
11331 		.doit = nl80211_set_tx_bitrate_mask,
11332 		.policy = nl80211_policy,
11333 		.flags = GENL_ADMIN_PERM,
11334 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11335 				  NL80211_FLAG_NEED_RTNL,
11336 	},
11337 	{
11338 		.cmd = NL80211_CMD_REGISTER_FRAME,
11339 		.doit = nl80211_register_mgmt,
11340 		.policy = nl80211_policy,
11341 		.flags = GENL_ADMIN_PERM,
11342 		.internal_flags = NL80211_FLAG_NEED_WDEV |
11343 				  NL80211_FLAG_NEED_RTNL,
11344 	},
11345 	{
11346 		.cmd = NL80211_CMD_FRAME,
11347 		.doit = nl80211_tx_mgmt,
11348 		.policy = nl80211_policy,
11349 		.flags = GENL_ADMIN_PERM,
11350 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11351 				  NL80211_FLAG_NEED_RTNL,
11352 	},
11353 	{
11354 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
11355 		.doit = nl80211_tx_mgmt_cancel_wait,
11356 		.policy = nl80211_policy,
11357 		.flags = GENL_ADMIN_PERM,
11358 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11359 				  NL80211_FLAG_NEED_RTNL,
11360 	},
11361 	{
11362 		.cmd = NL80211_CMD_SET_POWER_SAVE,
11363 		.doit = nl80211_set_power_save,
11364 		.policy = nl80211_policy,
11365 		.flags = GENL_ADMIN_PERM,
11366 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11367 				  NL80211_FLAG_NEED_RTNL,
11368 	},
11369 	{
11370 		.cmd = NL80211_CMD_GET_POWER_SAVE,
11371 		.doit = nl80211_get_power_save,
11372 		.policy = nl80211_policy,
11373 		/* can be retrieved by unprivileged users */
11374 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11375 				  NL80211_FLAG_NEED_RTNL,
11376 	},
11377 	{
11378 		.cmd = NL80211_CMD_SET_CQM,
11379 		.doit = nl80211_set_cqm,
11380 		.policy = nl80211_policy,
11381 		.flags = GENL_ADMIN_PERM,
11382 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11383 				  NL80211_FLAG_NEED_RTNL,
11384 	},
11385 	{
11386 		.cmd = NL80211_CMD_SET_CHANNEL,
11387 		.doit = nl80211_set_channel,
11388 		.policy = nl80211_policy,
11389 		.flags = GENL_ADMIN_PERM,
11390 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11391 				  NL80211_FLAG_NEED_RTNL,
11392 	},
11393 	{
11394 		.cmd = NL80211_CMD_SET_WDS_PEER,
11395 		.doit = nl80211_set_wds_peer,
11396 		.policy = nl80211_policy,
11397 		.flags = GENL_ADMIN_PERM,
11398 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11399 				  NL80211_FLAG_NEED_RTNL,
11400 	},
11401 	{
11402 		.cmd = NL80211_CMD_JOIN_MESH,
11403 		.doit = nl80211_join_mesh,
11404 		.policy = nl80211_policy,
11405 		.flags = GENL_ADMIN_PERM,
11406 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11407 				  NL80211_FLAG_NEED_RTNL,
11408 	},
11409 	{
11410 		.cmd = NL80211_CMD_LEAVE_MESH,
11411 		.doit = nl80211_leave_mesh,
11412 		.policy = nl80211_policy,
11413 		.flags = GENL_ADMIN_PERM,
11414 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11415 				  NL80211_FLAG_NEED_RTNL,
11416 	},
11417 	{
11418 		.cmd = NL80211_CMD_JOIN_OCB,
11419 		.doit = nl80211_join_ocb,
11420 		.policy = nl80211_policy,
11421 		.flags = GENL_ADMIN_PERM,
11422 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11423 				  NL80211_FLAG_NEED_RTNL,
11424 	},
11425 	{
11426 		.cmd = NL80211_CMD_LEAVE_OCB,
11427 		.doit = nl80211_leave_ocb,
11428 		.policy = nl80211_policy,
11429 		.flags = GENL_ADMIN_PERM,
11430 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11431 				  NL80211_FLAG_NEED_RTNL,
11432 	},
11433 #ifdef CONFIG_PM
11434 	{
11435 		.cmd = NL80211_CMD_GET_WOWLAN,
11436 		.doit = nl80211_get_wowlan,
11437 		.policy = nl80211_policy,
11438 		/* can be retrieved by unprivileged users */
11439 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11440 				  NL80211_FLAG_NEED_RTNL,
11441 	},
11442 	{
11443 		.cmd = NL80211_CMD_SET_WOWLAN,
11444 		.doit = nl80211_set_wowlan,
11445 		.policy = nl80211_policy,
11446 		.flags = GENL_ADMIN_PERM,
11447 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11448 				  NL80211_FLAG_NEED_RTNL,
11449 	},
11450 #endif
11451 	{
11452 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
11453 		.doit = nl80211_set_rekey_data,
11454 		.policy = nl80211_policy,
11455 		.flags = GENL_ADMIN_PERM,
11456 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11457 				  NL80211_FLAG_NEED_RTNL |
11458 				  NL80211_FLAG_CLEAR_SKB,
11459 	},
11460 	{
11461 		.cmd = NL80211_CMD_TDLS_MGMT,
11462 		.doit = nl80211_tdls_mgmt,
11463 		.policy = nl80211_policy,
11464 		.flags = GENL_ADMIN_PERM,
11465 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11466 				  NL80211_FLAG_NEED_RTNL,
11467 	},
11468 	{
11469 		.cmd = NL80211_CMD_TDLS_OPER,
11470 		.doit = nl80211_tdls_oper,
11471 		.policy = nl80211_policy,
11472 		.flags = GENL_ADMIN_PERM,
11473 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11474 				  NL80211_FLAG_NEED_RTNL,
11475 	},
11476 	{
11477 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
11478 		.doit = nl80211_register_unexpected_frame,
11479 		.policy = nl80211_policy,
11480 		.flags = GENL_ADMIN_PERM,
11481 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11482 				  NL80211_FLAG_NEED_RTNL,
11483 	},
11484 	{
11485 		.cmd = NL80211_CMD_PROBE_CLIENT,
11486 		.doit = nl80211_probe_client,
11487 		.policy = nl80211_policy,
11488 		.flags = GENL_ADMIN_PERM,
11489 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11490 				  NL80211_FLAG_NEED_RTNL,
11491 	},
11492 	{
11493 		.cmd = NL80211_CMD_REGISTER_BEACONS,
11494 		.doit = nl80211_register_beacons,
11495 		.policy = nl80211_policy,
11496 		.flags = GENL_ADMIN_PERM,
11497 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11498 				  NL80211_FLAG_NEED_RTNL,
11499 	},
11500 	{
11501 		.cmd = NL80211_CMD_SET_NOACK_MAP,
11502 		.doit = nl80211_set_noack_map,
11503 		.policy = nl80211_policy,
11504 		.flags = GENL_ADMIN_PERM,
11505 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11506 				  NL80211_FLAG_NEED_RTNL,
11507 	},
11508 	{
11509 		.cmd = NL80211_CMD_START_P2P_DEVICE,
11510 		.doit = nl80211_start_p2p_device,
11511 		.policy = nl80211_policy,
11512 		.flags = GENL_ADMIN_PERM,
11513 		.internal_flags = NL80211_FLAG_NEED_WDEV |
11514 				  NL80211_FLAG_NEED_RTNL,
11515 	},
11516 	{
11517 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
11518 		.doit = nl80211_stop_p2p_device,
11519 		.policy = nl80211_policy,
11520 		.flags = GENL_ADMIN_PERM,
11521 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11522 				  NL80211_FLAG_NEED_RTNL,
11523 	},
11524 	{
11525 		.cmd = NL80211_CMD_SET_MCAST_RATE,
11526 		.doit = nl80211_set_mcast_rate,
11527 		.policy = nl80211_policy,
11528 		.flags = GENL_ADMIN_PERM,
11529 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11530 				  NL80211_FLAG_NEED_RTNL,
11531 	},
11532 	{
11533 		.cmd = NL80211_CMD_SET_MAC_ACL,
11534 		.doit = nl80211_set_mac_acl,
11535 		.policy = nl80211_policy,
11536 		.flags = GENL_ADMIN_PERM,
11537 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11538 				  NL80211_FLAG_NEED_RTNL,
11539 	},
11540 	{
11541 		.cmd = NL80211_CMD_RADAR_DETECT,
11542 		.doit = nl80211_start_radar_detection,
11543 		.policy = nl80211_policy,
11544 		.flags = GENL_ADMIN_PERM,
11545 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11546 				  NL80211_FLAG_NEED_RTNL,
11547 	},
11548 	{
11549 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
11550 		.doit = nl80211_get_protocol_features,
11551 		.policy = nl80211_policy,
11552 	},
11553 	{
11554 		.cmd = NL80211_CMD_UPDATE_FT_IES,
11555 		.doit = nl80211_update_ft_ies,
11556 		.policy = nl80211_policy,
11557 		.flags = GENL_ADMIN_PERM,
11558 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11559 				  NL80211_FLAG_NEED_RTNL,
11560 	},
11561 	{
11562 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
11563 		.doit = nl80211_crit_protocol_start,
11564 		.policy = nl80211_policy,
11565 		.flags = GENL_ADMIN_PERM,
11566 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11567 				  NL80211_FLAG_NEED_RTNL,
11568 	},
11569 	{
11570 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
11571 		.doit = nl80211_crit_protocol_stop,
11572 		.policy = nl80211_policy,
11573 		.flags = GENL_ADMIN_PERM,
11574 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11575 				  NL80211_FLAG_NEED_RTNL,
11576 	},
11577 	{
11578 		.cmd = NL80211_CMD_GET_COALESCE,
11579 		.doit = nl80211_get_coalesce,
11580 		.policy = nl80211_policy,
11581 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11582 				  NL80211_FLAG_NEED_RTNL,
11583 	},
11584 	{
11585 		.cmd = NL80211_CMD_SET_COALESCE,
11586 		.doit = nl80211_set_coalesce,
11587 		.policy = nl80211_policy,
11588 		.flags = GENL_ADMIN_PERM,
11589 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11590 				  NL80211_FLAG_NEED_RTNL,
11591 	},
11592 	{
11593 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
11594 		.doit = nl80211_channel_switch,
11595 		.policy = nl80211_policy,
11596 		.flags = GENL_ADMIN_PERM,
11597 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11598 				  NL80211_FLAG_NEED_RTNL,
11599 	},
11600 	{
11601 		.cmd = NL80211_CMD_VENDOR,
11602 		.doit = nl80211_vendor_cmd,
11603 		.dumpit = nl80211_vendor_cmd_dump,
11604 		.policy = nl80211_policy,
11605 		.flags = GENL_ADMIN_PERM,
11606 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11607 				  NL80211_FLAG_NEED_RTNL,
11608 	},
11609 	{
11610 		.cmd = NL80211_CMD_SET_QOS_MAP,
11611 		.doit = nl80211_set_qos_map,
11612 		.policy = nl80211_policy,
11613 		.flags = GENL_ADMIN_PERM,
11614 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11615 				  NL80211_FLAG_NEED_RTNL,
11616 	},
11617 	{
11618 		.cmd = NL80211_CMD_ADD_TX_TS,
11619 		.doit = nl80211_add_tx_ts,
11620 		.policy = nl80211_policy,
11621 		.flags = GENL_ADMIN_PERM,
11622 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11623 				  NL80211_FLAG_NEED_RTNL,
11624 	},
11625 	{
11626 		.cmd = NL80211_CMD_DEL_TX_TS,
11627 		.doit = nl80211_del_tx_ts,
11628 		.policy = nl80211_policy,
11629 		.flags = GENL_ADMIN_PERM,
11630 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11631 				  NL80211_FLAG_NEED_RTNL,
11632 	},
11633 	{
11634 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
11635 		.doit = nl80211_tdls_channel_switch,
11636 		.policy = nl80211_policy,
11637 		.flags = GENL_ADMIN_PERM,
11638 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11639 				  NL80211_FLAG_NEED_RTNL,
11640 	},
11641 	{
11642 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
11643 		.doit = nl80211_tdls_cancel_channel_switch,
11644 		.policy = nl80211_policy,
11645 		.flags = GENL_ADMIN_PERM,
11646 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11647 				  NL80211_FLAG_NEED_RTNL,
11648 	},
11649 };
11650 
11651 /* notification functions */
11652 
11653 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
11654 			  enum nl80211_commands cmd)
11655 {
11656 	struct sk_buff *msg;
11657 	struct nl80211_dump_wiphy_state state = {};
11658 
11659 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
11660 		cmd != NL80211_CMD_DEL_WIPHY);
11661 
11662 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11663 	if (!msg)
11664 		return;
11665 
11666 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
11667 		nlmsg_free(msg);
11668 		return;
11669 	}
11670 
11671 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11672 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
11673 }
11674 
11675 static int nl80211_add_scan_req(struct sk_buff *msg,
11676 				struct cfg80211_registered_device *rdev)
11677 {
11678 	struct cfg80211_scan_request *req = rdev->scan_req;
11679 	struct nlattr *nest;
11680 	int i;
11681 
11682 	if (WARN_ON(!req))
11683 		return 0;
11684 
11685 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_SSIDS);
11686 	if (!nest)
11687 		goto nla_put_failure;
11688 	for (i = 0; i < req->n_ssids; i++) {
11689 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
11690 			goto nla_put_failure;
11691 	}
11692 	nla_nest_end(msg, nest);
11693 
11694 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
11695 	if (!nest)
11696 		goto nla_put_failure;
11697 	for (i = 0; i < req->n_channels; i++) {
11698 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
11699 			goto nla_put_failure;
11700 	}
11701 	nla_nest_end(msg, nest);
11702 
11703 	if (req->ie &&
11704 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
11705 		goto nla_put_failure;
11706 
11707 	if (req->flags &&
11708 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
11709 		goto nla_put_failure;
11710 
11711 	return 0;
11712  nla_put_failure:
11713 	return -ENOBUFS;
11714 }
11715 
11716 static int nl80211_send_scan_msg(struct sk_buff *msg,
11717 				 struct cfg80211_registered_device *rdev,
11718 				 struct wireless_dev *wdev,
11719 				 u32 portid, u32 seq, int flags,
11720 				 u32 cmd)
11721 {
11722 	void *hdr;
11723 
11724 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
11725 	if (!hdr)
11726 		return -1;
11727 
11728 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11729 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
11730 					 wdev->netdev->ifindex)) ||
11731 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
11732 			      NL80211_ATTR_PAD))
11733 		goto nla_put_failure;
11734 
11735 	/* ignore errors and send incomplete event anyway */
11736 	nl80211_add_scan_req(msg, rdev);
11737 
11738 	genlmsg_end(msg, hdr);
11739 	return 0;
11740 
11741  nla_put_failure:
11742 	genlmsg_cancel(msg, hdr);
11743 	return -EMSGSIZE;
11744 }
11745 
11746 static int
11747 nl80211_send_sched_scan_msg(struct sk_buff *msg,
11748 			    struct cfg80211_registered_device *rdev,
11749 			    struct net_device *netdev,
11750 			    u32 portid, u32 seq, int flags, u32 cmd)
11751 {
11752 	void *hdr;
11753 
11754 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
11755 	if (!hdr)
11756 		return -1;
11757 
11758 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11759 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
11760 		goto nla_put_failure;
11761 
11762 	genlmsg_end(msg, hdr);
11763 	return 0;
11764 
11765  nla_put_failure:
11766 	genlmsg_cancel(msg, hdr);
11767 	return -EMSGSIZE;
11768 }
11769 
11770 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
11771 			     struct wireless_dev *wdev)
11772 {
11773 	struct sk_buff *msg;
11774 
11775 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11776 	if (!msg)
11777 		return;
11778 
11779 	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
11780 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
11781 		nlmsg_free(msg);
11782 		return;
11783 	}
11784 
11785 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11786 				NL80211_MCGRP_SCAN, GFP_KERNEL);
11787 }
11788 
11789 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
11790 				       struct wireless_dev *wdev, bool aborted)
11791 {
11792 	struct sk_buff *msg;
11793 
11794 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11795 	if (!msg)
11796 		return NULL;
11797 
11798 	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
11799 				  aborted ? NL80211_CMD_SCAN_ABORTED :
11800 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
11801 		nlmsg_free(msg);
11802 		return NULL;
11803 	}
11804 
11805 	return msg;
11806 }
11807 
11808 void nl80211_send_scan_result(struct cfg80211_registered_device *rdev,
11809 			      struct sk_buff *msg)
11810 {
11811 	if (!msg)
11812 		return;
11813 
11814 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11815 				NL80211_MCGRP_SCAN, GFP_KERNEL);
11816 }
11817 
11818 void nl80211_send_sched_scan_results(struct cfg80211_registered_device *rdev,
11819 				     struct net_device *netdev)
11820 {
11821 	struct sk_buff *msg;
11822 
11823 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11824 	if (!msg)
11825 		return;
11826 
11827 	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0,
11828 					NL80211_CMD_SCHED_SCAN_RESULTS) < 0) {
11829 		nlmsg_free(msg);
11830 		return;
11831 	}
11832 
11833 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11834 				NL80211_MCGRP_SCAN, GFP_KERNEL);
11835 }
11836 
11837 void nl80211_send_sched_scan(struct cfg80211_registered_device *rdev,
11838 			     struct net_device *netdev, u32 cmd)
11839 {
11840 	struct sk_buff *msg;
11841 
11842 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11843 	if (!msg)
11844 		return;
11845 
11846 	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0, cmd) < 0) {
11847 		nlmsg_free(msg);
11848 		return;
11849 	}
11850 
11851 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11852 				NL80211_MCGRP_SCAN, GFP_KERNEL);
11853 }
11854 
11855 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
11856 					  struct regulatory_request *request)
11857 {
11858 	/* Userspace can always count this one always being set */
11859 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
11860 		goto nla_put_failure;
11861 
11862 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
11863 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
11864 			       NL80211_REGDOM_TYPE_WORLD))
11865 			goto nla_put_failure;
11866 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
11867 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
11868 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
11869 			goto nla_put_failure;
11870 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
11871 		   request->intersect) {
11872 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
11873 			       NL80211_REGDOM_TYPE_INTERSECTION))
11874 			goto nla_put_failure;
11875 	} else {
11876 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
11877 			       NL80211_REGDOM_TYPE_COUNTRY) ||
11878 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
11879 				   request->alpha2))
11880 			goto nla_put_failure;
11881 	}
11882 
11883 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
11884 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
11885 
11886 		if (wiphy &&
11887 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
11888 			goto nla_put_failure;
11889 
11890 		if (wiphy &&
11891 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
11892 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
11893 			goto nla_put_failure;
11894 	}
11895 
11896 	return true;
11897 
11898 nla_put_failure:
11899 	return false;
11900 }
11901 
11902 /*
11903  * This can happen on global regulatory changes or device specific settings
11904  * based on custom regulatory domains.
11905  */
11906 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
11907 				     struct regulatory_request *request)
11908 {
11909 	struct sk_buff *msg;
11910 	void *hdr;
11911 
11912 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11913 	if (!msg)
11914 		return;
11915 
11916 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
11917 	if (!hdr) {
11918 		nlmsg_free(msg);
11919 		return;
11920 	}
11921 
11922 	if (nl80211_reg_change_event_fill(msg, request) == false)
11923 		goto nla_put_failure;
11924 
11925 	genlmsg_end(msg, hdr);
11926 
11927 	rcu_read_lock();
11928 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
11929 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
11930 	rcu_read_unlock();
11931 
11932 	return;
11933 
11934 nla_put_failure:
11935 	genlmsg_cancel(msg, hdr);
11936 	nlmsg_free(msg);
11937 }
11938 
11939 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
11940 				    struct net_device *netdev,
11941 				    const u8 *buf, size_t len,
11942 				    enum nl80211_commands cmd, gfp_t gfp,
11943 				    int uapsd_queues)
11944 {
11945 	struct sk_buff *msg;
11946 	void *hdr;
11947 
11948 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11949 	if (!msg)
11950 		return;
11951 
11952 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
11953 	if (!hdr) {
11954 		nlmsg_free(msg);
11955 		return;
11956 	}
11957 
11958 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11959 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11960 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf))
11961 		goto nla_put_failure;
11962 
11963 	if (uapsd_queues >= 0) {
11964 		struct nlattr *nla_wmm =
11965 			nla_nest_start(msg, NL80211_ATTR_STA_WME);
11966 		if (!nla_wmm)
11967 			goto nla_put_failure;
11968 
11969 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
11970 			       uapsd_queues))
11971 			goto nla_put_failure;
11972 
11973 		nla_nest_end(msg, nla_wmm);
11974 	}
11975 
11976 	genlmsg_end(msg, hdr);
11977 
11978 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11979 				NL80211_MCGRP_MLME, gfp);
11980 	return;
11981 
11982  nla_put_failure:
11983 	genlmsg_cancel(msg, hdr);
11984 	nlmsg_free(msg);
11985 }
11986 
11987 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
11988 			  struct net_device *netdev, const u8 *buf,
11989 			  size_t len, gfp_t gfp)
11990 {
11991 	nl80211_send_mlme_event(rdev, netdev, buf, len,
11992 				NL80211_CMD_AUTHENTICATE, gfp, -1);
11993 }
11994 
11995 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
11996 			   struct net_device *netdev, const u8 *buf,
11997 			   size_t len, gfp_t gfp, int uapsd_queues)
11998 {
11999 	nl80211_send_mlme_event(rdev, netdev, buf, len,
12000 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues);
12001 }
12002 
12003 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
12004 			 struct net_device *netdev, const u8 *buf,
12005 			 size_t len, gfp_t gfp)
12006 {
12007 	nl80211_send_mlme_event(rdev, netdev, buf, len,
12008 				NL80211_CMD_DEAUTHENTICATE, gfp, -1);
12009 }
12010 
12011 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
12012 			   struct net_device *netdev, const u8 *buf,
12013 			   size_t len, gfp_t gfp)
12014 {
12015 	nl80211_send_mlme_event(rdev, netdev, buf, len,
12016 				NL80211_CMD_DISASSOCIATE, gfp, -1);
12017 }
12018 
12019 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
12020 				  size_t len)
12021 {
12022 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12023 	struct wiphy *wiphy = wdev->wiphy;
12024 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12025 	const struct ieee80211_mgmt *mgmt = (void *)buf;
12026 	u32 cmd;
12027 
12028 	if (WARN_ON(len < 2))
12029 		return;
12030 
12031 	if (ieee80211_is_deauth(mgmt->frame_control))
12032 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
12033 	else
12034 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
12035 
12036 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
12037 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1);
12038 }
12039 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
12040 
12041 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
12042 				      struct net_device *netdev, int cmd,
12043 				      const u8 *addr, gfp_t gfp)
12044 {
12045 	struct sk_buff *msg;
12046 	void *hdr;
12047 
12048 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12049 	if (!msg)
12050 		return;
12051 
12052 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
12053 	if (!hdr) {
12054 		nlmsg_free(msg);
12055 		return;
12056 	}
12057 
12058 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12059 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12060 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
12061 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
12062 		goto nla_put_failure;
12063 
12064 	genlmsg_end(msg, hdr);
12065 
12066 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12067 				NL80211_MCGRP_MLME, gfp);
12068 	return;
12069 
12070  nla_put_failure:
12071 	genlmsg_cancel(msg, hdr);
12072 	nlmsg_free(msg);
12073 }
12074 
12075 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
12076 			       struct net_device *netdev, const u8 *addr,
12077 			       gfp_t gfp)
12078 {
12079 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
12080 				  addr, gfp);
12081 }
12082 
12083 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
12084 				struct net_device *netdev, const u8 *addr,
12085 				gfp_t gfp)
12086 {
12087 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
12088 				  addr, gfp);
12089 }
12090 
12091 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
12092 				 struct net_device *netdev, const u8 *bssid,
12093 				 const u8 *req_ie, size_t req_ie_len,
12094 				 const u8 *resp_ie, size_t resp_ie_len,
12095 				 u16 status, gfp_t gfp)
12096 {
12097 	struct sk_buff *msg;
12098 	void *hdr;
12099 
12100 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12101 	if (!msg)
12102 		return;
12103 
12104 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
12105 	if (!hdr) {
12106 		nlmsg_free(msg);
12107 		return;
12108 	}
12109 
12110 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12111 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12112 	    (bssid && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid)) ||
12113 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE, status) ||
12114 	    (req_ie &&
12115 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
12116 	    (resp_ie &&
12117 	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
12118 		goto nla_put_failure;
12119 
12120 	genlmsg_end(msg, hdr);
12121 
12122 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12123 				NL80211_MCGRP_MLME, gfp);
12124 	return;
12125 
12126  nla_put_failure:
12127 	genlmsg_cancel(msg, hdr);
12128 	nlmsg_free(msg);
12129 
12130 }
12131 
12132 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
12133 			 struct net_device *netdev, const u8 *bssid,
12134 			 const u8 *req_ie, size_t req_ie_len,
12135 			 const u8 *resp_ie, size_t resp_ie_len, gfp_t gfp)
12136 {
12137 	struct sk_buff *msg;
12138 	void *hdr;
12139 
12140 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12141 	if (!msg)
12142 		return;
12143 
12144 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
12145 	if (!hdr) {
12146 		nlmsg_free(msg);
12147 		return;
12148 	}
12149 
12150 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12151 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12152 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
12153 	    (req_ie &&
12154 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
12155 	    (resp_ie &&
12156 	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
12157 		goto nla_put_failure;
12158 
12159 	genlmsg_end(msg, hdr);
12160 
12161 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12162 				NL80211_MCGRP_MLME, gfp);
12163 	return;
12164 
12165  nla_put_failure:
12166 	genlmsg_cancel(msg, hdr);
12167 	nlmsg_free(msg);
12168 
12169 }
12170 
12171 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
12172 			       struct net_device *netdev, u16 reason,
12173 			       const u8 *ie, size_t ie_len, bool from_ap)
12174 {
12175 	struct sk_buff *msg;
12176 	void *hdr;
12177 
12178 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12179 	if (!msg)
12180 		return;
12181 
12182 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
12183 	if (!hdr) {
12184 		nlmsg_free(msg);
12185 		return;
12186 	}
12187 
12188 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12189 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12190 	    (from_ap && reason &&
12191 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
12192 	    (from_ap &&
12193 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
12194 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
12195 		goto nla_put_failure;
12196 
12197 	genlmsg_end(msg, hdr);
12198 
12199 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12200 				NL80211_MCGRP_MLME, GFP_KERNEL);
12201 	return;
12202 
12203  nla_put_failure:
12204 	genlmsg_cancel(msg, hdr);
12205 	nlmsg_free(msg);
12206 
12207 }
12208 
12209 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
12210 			     struct net_device *netdev, const u8 *bssid,
12211 			     gfp_t gfp)
12212 {
12213 	struct sk_buff *msg;
12214 	void *hdr;
12215 
12216 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12217 	if (!msg)
12218 		return;
12219 
12220 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
12221 	if (!hdr) {
12222 		nlmsg_free(msg);
12223 		return;
12224 	}
12225 
12226 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12227 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12228 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
12229 		goto nla_put_failure;
12230 
12231 	genlmsg_end(msg, hdr);
12232 
12233 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12234 				NL80211_MCGRP_MLME, gfp);
12235 	return;
12236 
12237  nla_put_failure:
12238 	genlmsg_cancel(msg, hdr);
12239 	nlmsg_free(msg);
12240 }
12241 
12242 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
12243 					const u8* ie, u8 ie_len, gfp_t gfp)
12244 {
12245 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12246 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
12247 	struct sk_buff *msg;
12248 	void *hdr;
12249 
12250 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
12251 		return;
12252 
12253 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
12254 
12255 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12256 	if (!msg)
12257 		return;
12258 
12259 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
12260 	if (!hdr) {
12261 		nlmsg_free(msg);
12262 		return;
12263 	}
12264 
12265 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12266 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
12267 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
12268 	    (ie_len && ie &&
12269 	     nla_put(msg, NL80211_ATTR_IE, ie_len , ie)))
12270 		goto nla_put_failure;
12271 
12272 	genlmsg_end(msg, hdr);
12273 
12274 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12275 				NL80211_MCGRP_MLME, gfp);
12276 	return;
12277 
12278  nla_put_failure:
12279 	genlmsg_cancel(msg, hdr);
12280 	nlmsg_free(msg);
12281 }
12282 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
12283 
12284 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
12285 				 struct net_device *netdev, const u8 *addr,
12286 				 enum nl80211_key_type key_type, int key_id,
12287 				 const u8 *tsc, gfp_t gfp)
12288 {
12289 	struct sk_buff *msg;
12290 	void *hdr;
12291 
12292 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12293 	if (!msg)
12294 		return;
12295 
12296 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
12297 	if (!hdr) {
12298 		nlmsg_free(msg);
12299 		return;
12300 	}
12301 
12302 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12303 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12304 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
12305 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
12306 	    (key_id != -1 &&
12307 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
12308 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
12309 		goto nla_put_failure;
12310 
12311 	genlmsg_end(msg, hdr);
12312 
12313 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12314 				NL80211_MCGRP_MLME, gfp);
12315 	return;
12316 
12317  nla_put_failure:
12318 	genlmsg_cancel(msg, hdr);
12319 	nlmsg_free(msg);
12320 }
12321 
12322 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
12323 				    struct ieee80211_channel *channel_before,
12324 				    struct ieee80211_channel *channel_after)
12325 {
12326 	struct sk_buff *msg;
12327 	void *hdr;
12328 	struct nlattr *nl_freq;
12329 
12330 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
12331 	if (!msg)
12332 		return;
12333 
12334 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
12335 	if (!hdr) {
12336 		nlmsg_free(msg);
12337 		return;
12338 	}
12339 
12340 	/*
12341 	 * Since we are applying the beacon hint to a wiphy we know its
12342 	 * wiphy_idx is valid
12343 	 */
12344 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
12345 		goto nla_put_failure;
12346 
12347 	/* Before */
12348 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_BEFORE);
12349 	if (!nl_freq)
12350 		goto nla_put_failure;
12351 	if (nl80211_msg_put_channel(msg, channel_before, false))
12352 		goto nla_put_failure;
12353 	nla_nest_end(msg, nl_freq);
12354 
12355 	/* After */
12356 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_AFTER);
12357 	if (!nl_freq)
12358 		goto nla_put_failure;
12359 	if (nl80211_msg_put_channel(msg, channel_after, false))
12360 		goto nla_put_failure;
12361 	nla_nest_end(msg, nl_freq);
12362 
12363 	genlmsg_end(msg, hdr);
12364 
12365 	rcu_read_lock();
12366 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
12367 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
12368 	rcu_read_unlock();
12369 
12370 	return;
12371 
12372 nla_put_failure:
12373 	genlmsg_cancel(msg, hdr);
12374 	nlmsg_free(msg);
12375 }
12376 
12377 static void nl80211_send_remain_on_chan_event(
12378 	int cmd, struct cfg80211_registered_device *rdev,
12379 	struct wireless_dev *wdev, u64 cookie,
12380 	struct ieee80211_channel *chan,
12381 	unsigned int duration, gfp_t gfp)
12382 {
12383 	struct sk_buff *msg;
12384 	void *hdr;
12385 
12386 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12387 	if (!msg)
12388 		return;
12389 
12390 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
12391 	if (!hdr) {
12392 		nlmsg_free(msg);
12393 		return;
12394 	}
12395 
12396 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12397 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12398 					 wdev->netdev->ifindex)) ||
12399 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
12400 			      NL80211_ATTR_PAD) ||
12401 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
12402 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
12403 			NL80211_CHAN_NO_HT) ||
12404 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12405 			      NL80211_ATTR_PAD))
12406 		goto nla_put_failure;
12407 
12408 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
12409 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
12410 		goto nla_put_failure;
12411 
12412 	genlmsg_end(msg, hdr);
12413 
12414 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12415 				NL80211_MCGRP_MLME, gfp);
12416 	return;
12417 
12418  nla_put_failure:
12419 	genlmsg_cancel(msg, hdr);
12420 	nlmsg_free(msg);
12421 }
12422 
12423 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
12424 			       struct ieee80211_channel *chan,
12425 			       unsigned int duration, gfp_t gfp)
12426 {
12427 	struct wiphy *wiphy = wdev->wiphy;
12428 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12429 
12430 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
12431 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
12432 					  rdev, wdev, cookie, chan,
12433 					  duration, gfp);
12434 }
12435 EXPORT_SYMBOL(cfg80211_ready_on_channel);
12436 
12437 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
12438 					struct ieee80211_channel *chan,
12439 					gfp_t gfp)
12440 {
12441 	struct wiphy *wiphy = wdev->wiphy;
12442 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12443 
12444 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
12445 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
12446 					  rdev, wdev, cookie, chan, 0, gfp);
12447 }
12448 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
12449 
12450 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
12451 		      struct station_info *sinfo, gfp_t gfp)
12452 {
12453 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
12454 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12455 	struct sk_buff *msg;
12456 
12457 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
12458 
12459 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12460 	if (!msg)
12461 		return;
12462 
12463 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
12464 				 rdev, dev, mac_addr, sinfo) < 0) {
12465 		nlmsg_free(msg);
12466 		return;
12467 	}
12468 
12469 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12470 				NL80211_MCGRP_MLME, gfp);
12471 }
12472 EXPORT_SYMBOL(cfg80211_new_sta);
12473 
12474 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
12475 			    struct station_info *sinfo, gfp_t gfp)
12476 {
12477 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
12478 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12479 	struct sk_buff *msg;
12480 	struct station_info empty_sinfo = {};
12481 
12482 	if (!sinfo)
12483 		sinfo = &empty_sinfo;
12484 
12485 	trace_cfg80211_del_sta(dev, mac_addr);
12486 
12487 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12488 	if (!msg)
12489 		return;
12490 
12491 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
12492 				 rdev, dev, mac_addr, sinfo) < 0) {
12493 		nlmsg_free(msg);
12494 		return;
12495 	}
12496 
12497 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12498 				NL80211_MCGRP_MLME, gfp);
12499 }
12500 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
12501 
12502 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
12503 			  enum nl80211_connect_failed_reason reason,
12504 			  gfp_t gfp)
12505 {
12506 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
12507 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12508 	struct sk_buff *msg;
12509 	void *hdr;
12510 
12511 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
12512 	if (!msg)
12513 		return;
12514 
12515 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
12516 	if (!hdr) {
12517 		nlmsg_free(msg);
12518 		return;
12519 	}
12520 
12521 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
12522 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
12523 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
12524 		goto nla_put_failure;
12525 
12526 	genlmsg_end(msg, hdr);
12527 
12528 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12529 				NL80211_MCGRP_MLME, gfp);
12530 	return;
12531 
12532  nla_put_failure:
12533 	genlmsg_cancel(msg, hdr);
12534 	nlmsg_free(msg);
12535 }
12536 EXPORT_SYMBOL(cfg80211_conn_failed);
12537 
12538 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
12539 				       const u8 *addr, gfp_t gfp)
12540 {
12541 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12542 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
12543 	struct sk_buff *msg;
12544 	void *hdr;
12545 	u32 nlportid = ACCESS_ONCE(wdev->ap_unexpected_nlportid);
12546 
12547 	if (!nlportid)
12548 		return false;
12549 
12550 	msg = nlmsg_new(100, gfp);
12551 	if (!msg)
12552 		return true;
12553 
12554 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
12555 	if (!hdr) {
12556 		nlmsg_free(msg);
12557 		return true;
12558 	}
12559 
12560 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12561 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
12562 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
12563 		goto nla_put_failure;
12564 
12565 	genlmsg_end(msg, hdr);
12566 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
12567 	return true;
12568 
12569  nla_put_failure:
12570 	genlmsg_cancel(msg, hdr);
12571 	nlmsg_free(msg);
12572 	return true;
12573 }
12574 
12575 bool cfg80211_rx_spurious_frame(struct net_device *dev,
12576 				const u8 *addr, gfp_t gfp)
12577 {
12578 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12579 	bool ret;
12580 
12581 	trace_cfg80211_rx_spurious_frame(dev, addr);
12582 
12583 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
12584 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
12585 		trace_cfg80211_return_bool(false);
12586 		return false;
12587 	}
12588 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
12589 					 addr, gfp);
12590 	trace_cfg80211_return_bool(ret);
12591 	return ret;
12592 }
12593 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
12594 
12595 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
12596 					const u8 *addr, gfp_t gfp)
12597 {
12598 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12599 	bool ret;
12600 
12601 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
12602 
12603 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
12604 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
12605 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
12606 		trace_cfg80211_return_bool(false);
12607 		return false;
12608 	}
12609 	ret = __nl80211_unexpected_frame(dev,
12610 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
12611 					 addr, gfp);
12612 	trace_cfg80211_return_bool(ret);
12613 	return ret;
12614 }
12615 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
12616 
12617 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
12618 		      struct wireless_dev *wdev, u32 nlportid,
12619 		      int freq, int sig_dbm,
12620 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
12621 {
12622 	struct net_device *netdev = wdev->netdev;
12623 	struct sk_buff *msg;
12624 	void *hdr;
12625 
12626 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12627 	if (!msg)
12628 		return -ENOMEM;
12629 
12630 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
12631 	if (!hdr) {
12632 		nlmsg_free(msg);
12633 		return -ENOMEM;
12634 	}
12635 
12636 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12637 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12638 					netdev->ifindex)) ||
12639 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
12640 			      NL80211_ATTR_PAD) ||
12641 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq) ||
12642 	    (sig_dbm &&
12643 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
12644 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
12645 	    (flags &&
12646 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
12647 		goto nla_put_failure;
12648 
12649 	genlmsg_end(msg, hdr);
12650 
12651 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
12652 
12653  nla_put_failure:
12654 	genlmsg_cancel(msg, hdr);
12655 	nlmsg_free(msg);
12656 	return -ENOBUFS;
12657 }
12658 
12659 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
12660 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
12661 {
12662 	struct wiphy *wiphy = wdev->wiphy;
12663 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12664 	struct net_device *netdev = wdev->netdev;
12665 	struct sk_buff *msg;
12666 	void *hdr;
12667 
12668 	trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
12669 
12670 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12671 	if (!msg)
12672 		return;
12673 
12674 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME_TX_STATUS);
12675 	if (!hdr) {
12676 		nlmsg_free(msg);
12677 		return;
12678 	}
12679 
12680 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12681 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12682 				   netdev->ifindex)) ||
12683 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
12684 			      NL80211_ATTR_PAD) ||
12685 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
12686 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12687 			      NL80211_ATTR_PAD) ||
12688 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
12689 		goto nla_put_failure;
12690 
12691 	genlmsg_end(msg, hdr);
12692 
12693 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12694 				NL80211_MCGRP_MLME, gfp);
12695 	return;
12696 
12697  nla_put_failure:
12698 	genlmsg_cancel(msg, hdr);
12699 	nlmsg_free(msg);
12700 }
12701 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
12702 
12703 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
12704 					    const char *mac, gfp_t gfp)
12705 {
12706 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12707 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
12708 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12709 	void **cb;
12710 
12711 	if (!msg)
12712 		return NULL;
12713 
12714 	cb = (void **)msg->cb;
12715 
12716 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
12717 	if (!cb[0]) {
12718 		nlmsg_free(msg);
12719 		return NULL;
12720 	}
12721 
12722 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12723 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
12724 		goto nla_put_failure;
12725 
12726 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
12727 		goto nla_put_failure;
12728 
12729 	cb[1] = nla_nest_start(msg, NL80211_ATTR_CQM);
12730 	if (!cb[1])
12731 		goto nla_put_failure;
12732 
12733 	cb[2] = rdev;
12734 
12735 	return msg;
12736  nla_put_failure:
12737 	nlmsg_free(msg);
12738 	return NULL;
12739 }
12740 
12741 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
12742 {
12743 	void **cb = (void **)msg->cb;
12744 	struct cfg80211_registered_device *rdev = cb[2];
12745 
12746 	nla_nest_end(msg, cb[1]);
12747 	genlmsg_end(msg, cb[0]);
12748 
12749 	memset(msg->cb, 0, sizeof(msg->cb));
12750 
12751 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12752 				NL80211_MCGRP_MLME, gfp);
12753 }
12754 
12755 void cfg80211_cqm_rssi_notify(struct net_device *dev,
12756 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
12757 			      gfp_t gfp)
12758 {
12759 	struct sk_buff *msg;
12760 
12761 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event);
12762 
12763 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
12764 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
12765 		return;
12766 
12767 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
12768 	if (!msg)
12769 		return;
12770 
12771 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
12772 			rssi_event))
12773 		goto nla_put_failure;
12774 
12775 	cfg80211_send_cqm(msg, gfp);
12776 
12777 	return;
12778 
12779  nla_put_failure:
12780 	nlmsg_free(msg);
12781 }
12782 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
12783 
12784 void cfg80211_cqm_txe_notify(struct net_device *dev,
12785 			     const u8 *peer, u32 num_packets,
12786 			     u32 rate, u32 intvl, gfp_t gfp)
12787 {
12788 	struct sk_buff *msg;
12789 
12790 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
12791 	if (!msg)
12792 		return;
12793 
12794 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
12795 		goto nla_put_failure;
12796 
12797 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
12798 		goto nla_put_failure;
12799 
12800 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
12801 		goto nla_put_failure;
12802 
12803 	cfg80211_send_cqm(msg, gfp);
12804 	return;
12805 
12806  nla_put_failure:
12807 	nlmsg_free(msg);
12808 }
12809 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
12810 
12811 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
12812 				 const u8 *peer, u32 num_packets, gfp_t gfp)
12813 {
12814 	struct sk_buff *msg;
12815 
12816 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
12817 
12818 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
12819 	if (!msg)
12820 		return;
12821 
12822 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
12823 		goto nla_put_failure;
12824 
12825 	cfg80211_send_cqm(msg, gfp);
12826 	return;
12827 
12828  nla_put_failure:
12829 	nlmsg_free(msg);
12830 }
12831 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
12832 
12833 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
12834 {
12835 	struct sk_buff *msg;
12836 
12837 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
12838 	if (!msg)
12839 		return;
12840 
12841 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
12842 		goto nla_put_failure;
12843 
12844 	cfg80211_send_cqm(msg, gfp);
12845 	return;
12846 
12847  nla_put_failure:
12848 	nlmsg_free(msg);
12849 }
12850 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
12851 
12852 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
12853 				     struct net_device *netdev, const u8 *bssid,
12854 				     const u8 *replay_ctr, gfp_t gfp)
12855 {
12856 	struct sk_buff *msg;
12857 	struct nlattr *rekey_attr;
12858 	void *hdr;
12859 
12860 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12861 	if (!msg)
12862 		return;
12863 
12864 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
12865 	if (!hdr) {
12866 		nlmsg_free(msg);
12867 		return;
12868 	}
12869 
12870 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12871 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12872 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
12873 		goto nla_put_failure;
12874 
12875 	rekey_attr = nla_nest_start(msg, NL80211_ATTR_REKEY_DATA);
12876 	if (!rekey_attr)
12877 		goto nla_put_failure;
12878 
12879 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
12880 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
12881 		goto nla_put_failure;
12882 
12883 	nla_nest_end(msg, rekey_attr);
12884 
12885 	genlmsg_end(msg, hdr);
12886 
12887 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12888 				NL80211_MCGRP_MLME, gfp);
12889 	return;
12890 
12891  nla_put_failure:
12892 	genlmsg_cancel(msg, hdr);
12893 	nlmsg_free(msg);
12894 }
12895 
12896 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
12897 			       const u8 *replay_ctr, gfp_t gfp)
12898 {
12899 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12900 	struct wiphy *wiphy = wdev->wiphy;
12901 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12902 
12903 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
12904 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
12905 }
12906 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
12907 
12908 static void
12909 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
12910 			       struct net_device *netdev, int index,
12911 			       const u8 *bssid, bool preauth, gfp_t gfp)
12912 {
12913 	struct sk_buff *msg;
12914 	struct nlattr *attr;
12915 	void *hdr;
12916 
12917 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12918 	if (!msg)
12919 		return;
12920 
12921 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
12922 	if (!hdr) {
12923 		nlmsg_free(msg);
12924 		return;
12925 	}
12926 
12927 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12928 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
12929 		goto nla_put_failure;
12930 
12931 	attr = nla_nest_start(msg, NL80211_ATTR_PMKSA_CANDIDATE);
12932 	if (!attr)
12933 		goto nla_put_failure;
12934 
12935 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
12936 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
12937 	    (preauth &&
12938 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
12939 		goto nla_put_failure;
12940 
12941 	nla_nest_end(msg, attr);
12942 
12943 	genlmsg_end(msg, hdr);
12944 
12945 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12946 				NL80211_MCGRP_MLME, gfp);
12947 	return;
12948 
12949  nla_put_failure:
12950 	genlmsg_cancel(msg, hdr);
12951 	nlmsg_free(msg);
12952 }
12953 
12954 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
12955 				     const u8 *bssid, bool preauth, gfp_t gfp)
12956 {
12957 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12958 	struct wiphy *wiphy = wdev->wiphy;
12959 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12960 
12961 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
12962 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
12963 }
12964 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
12965 
12966 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
12967 				     struct net_device *netdev,
12968 				     struct cfg80211_chan_def *chandef,
12969 				     gfp_t gfp,
12970 				     enum nl80211_commands notif,
12971 				     u8 count)
12972 {
12973 	struct sk_buff *msg;
12974 	void *hdr;
12975 
12976 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12977 	if (!msg)
12978 		return;
12979 
12980 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
12981 	if (!hdr) {
12982 		nlmsg_free(msg);
12983 		return;
12984 	}
12985 
12986 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
12987 		goto nla_put_failure;
12988 
12989 	if (nl80211_send_chandef(msg, chandef))
12990 		goto nla_put_failure;
12991 
12992 	if ((notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) &&
12993 	    (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count)))
12994 			goto nla_put_failure;
12995 
12996 	genlmsg_end(msg, hdr);
12997 
12998 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12999 				NL80211_MCGRP_MLME, gfp);
13000 	return;
13001 
13002  nla_put_failure:
13003 	genlmsg_cancel(msg, hdr);
13004 	nlmsg_free(msg);
13005 }
13006 
13007 void cfg80211_ch_switch_notify(struct net_device *dev,
13008 			       struct cfg80211_chan_def *chandef)
13009 {
13010 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13011 	struct wiphy *wiphy = wdev->wiphy;
13012 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13013 
13014 	ASSERT_WDEV_LOCK(wdev);
13015 
13016 	trace_cfg80211_ch_switch_notify(dev, chandef);
13017 
13018 	wdev->chandef = *chandef;
13019 	wdev->preset_chandef = *chandef;
13020 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
13021 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0);
13022 }
13023 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
13024 
13025 void cfg80211_ch_switch_started_notify(struct net_device *dev,
13026 				       struct cfg80211_chan_def *chandef,
13027 				       u8 count)
13028 {
13029 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13030 	struct wiphy *wiphy = wdev->wiphy;
13031 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13032 
13033 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
13034 
13035 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
13036 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY, count);
13037 }
13038 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
13039 
13040 void
13041 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
13042 		     const struct cfg80211_chan_def *chandef,
13043 		     enum nl80211_radar_event event,
13044 		     struct net_device *netdev, gfp_t gfp)
13045 {
13046 	struct sk_buff *msg;
13047 	void *hdr;
13048 
13049 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13050 	if (!msg)
13051 		return;
13052 
13053 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
13054 	if (!hdr) {
13055 		nlmsg_free(msg);
13056 		return;
13057 	}
13058 
13059 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
13060 		goto nla_put_failure;
13061 
13062 	/* NOP and radar events don't need a netdev parameter */
13063 	if (netdev) {
13064 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
13065 
13066 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
13067 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13068 				      NL80211_ATTR_PAD))
13069 			goto nla_put_failure;
13070 	}
13071 
13072 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
13073 		goto nla_put_failure;
13074 
13075 	if (nl80211_send_chandef(msg, chandef))
13076 		goto nla_put_failure;
13077 
13078 	genlmsg_end(msg, hdr);
13079 
13080 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13081 				NL80211_MCGRP_MLME, gfp);
13082 	return;
13083 
13084  nla_put_failure:
13085 	genlmsg_cancel(msg, hdr);
13086 	nlmsg_free(msg);
13087 }
13088 
13089 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
13090 			   u64 cookie, bool acked, gfp_t gfp)
13091 {
13092 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13093 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
13094 	struct sk_buff *msg;
13095 	void *hdr;
13096 
13097 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
13098 
13099 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13100 
13101 	if (!msg)
13102 		return;
13103 
13104 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
13105 	if (!hdr) {
13106 		nlmsg_free(msg);
13107 		return;
13108 	}
13109 
13110 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13111 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
13112 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
13113 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13114 			      NL80211_ATTR_PAD) ||
13115 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)))
13116 		goto nla_put_failure;
13117 
13118 	genlmsg_end(msg, hdr);
13119 
13120 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13121 				NL80211_MCGRP_MLME, gfp);
13122 	return;
13123 
13124  nla_put_failure:
13125 	genlmsg_cancel(msg, hdr);
13126 	nlmsg_free(msg);
13127 }
13128 EXPORT_SYMBOL(cfg80211_probe_status);
13129 
13130 void cfg80211_report_obss_beacon(struct wiphy *wiphy,
13131 				 const u8 *frame, size_t len,
13132 				 int freq, int sig_dbm)
13133 {
13134 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13135 	struct sk_buff *msg;
13136 	void *hdr;
13137 	struct cfg80211_beacon_registration *reg;
13138 
13139 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
13140 
13141 	spin_lock_bh(&rdev->beacon_registrations_lock);
13142 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
13143 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
13144 		if (!msg) {
13145 			spin_unlock_bh(&rdev->beacon_registrations_lock);
13146 			return;
13147 		}
13148 
13149 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
13150 		if (!hdr)
13151 			goto nla_put_failure;
13152 
13153 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13154 		    (freq &&
13155 		     nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq)) ||
13156 		    (sig_dbm &&
13157 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
13158 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
13159 			goto nla_put_failure;
13160 
13161 		genlmsg_end(msg, hdr);
13162 
13163 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
13164 	}
13165 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13166 	return;
13167 
13168  nla_put_failure:
13169 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13170 	if (hdr)
13171 		genlmsg_cancel(msg, hdr);
13172 	nlmsg_free(msg);
13173 }
13174 EXPORT_SYMBOL(cfg80211_report_obss_beacon);
13175 
13176 #ifdef CONFIG_PM
13177 static int cfg80211_net_detect_results(struct sk_buff *msg,
13178 				       struct cfg80211_wowlan_wakeup *wakeup)
13179 {
13180 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
13181 	struct nlattr *nl_results, *nl_match, *nl_freqs;
13182 	int i, j;
13183 
13184 	nl_results = nla_nest_start(
13185 		msg, NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
13186 	if (!nl_results)
13187 		return -EMSGSIZE;
13188 
13189 	for (i = 0; i < nd->n_matches; i++) {
13190 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
13191 
13192 		nl_match = nla_nest_start(msg, i);
13193 		if (!nl_match)
13194 			break;
13195 
13196 		/* The SSID attribute is optional in nl80211, but for
13197 		 * simplicity reasons it's always present in the
13198 		 * cfg80211 structure.  If a driver can't pass the
13199 		 * SSID, that needs to be changed.  A zero length SSID
13200 		 * is still a valid SSID (wildcard), so it cannot be
13201 		 * used for this purpose.
13202 		 */
13203 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
13204 			    match->ssid.ssid)) {
13205 			nla_nest_cancel(msg, nl_match);
13206 			goto out;
13207 		}
13208 
13209 		if (match->n_channels) {
13210 			nl_freqs = nla_nest_start(
13211 				msg, NL80211_ATTR_SCAN_FREQUENCIES);
13212 			if (!nl_freqs) {
13213 				nla_nest_cancel(msg, nl_match);
13214 				goto out;
13215 			}
13216 
13217 			for (j = 0; j < match->n_channels; j++) {
13218 				if (nla_put_u32(msg, j, match->channels[j])) {
13219 					nla_nest_cancel(msg, nl_freqs);
13220 					nla_nest_cancel(msg, nl_match);
13221 					goto out;
13222 				}
13223 			}
13224 
13225 			nla_nest_end(msg, nl_freqs);
13226 		}
13227 
13228 		nla_nest_end(msg, nl_match);
13229 	}
13230 
13231 out:
13232 	nla_nest_end(msg, nl_results);
13233 	return 0;
13234 }
13235 
13236 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
13237 				   struct cfg80211_wowlan_wakeup *wakeup,
13238 				   gfp_t gfp)
13239 {
13240 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
13241 	struct sk_buff *msg;
13242 	void *hdr;
13243 	int size = 200;
13244 
13245 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
13246 
13247 	if (wakeup)
13248 		size += wakeup->packet_present_len;
13249 
13250 	msg = nlmsg_new(size, gfp);
13251 	if (!msg)
13252 		return;
13253 
13254 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
13255 	if (!hdr)
13256 		goto free_msg;
13257 
13258 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13259 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13260 			      NL80211_ATTR_PAD))
13261 		goto free_msg;
13262 
13263 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13264 					wdev->netdev->ifindex))
13265 		goto free_msg;
13266 
13267 	if (wakeup) {
13268 		struct nlattr *reasons;
13269 
13270 		reasons = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
13271 		if (!reasons)
13272 			goto free_msg;
13273 
13274 		if (wakeup->disconnect &&
13275 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
13276 			goto free_msg;
13277 		if (wakeup->magic_pkt &&
13278 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
13279 			goto free_msg;
13280 		if (wakeup->gtk_rekey_failure &&
13281 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
13282 			goto free_msg;
13283 		if (wakeup->eap_identity_req &&
13284 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
13285 			goto free_msg;
13286 		if (wakeup->four_way_handshake &&
13287 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
13288 			goto free_msg;
13289 		if (wakeup->rfkill_release &&
13290 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
13291 			goto free_msg;
13292 
13293 		if (wakeup->pattern_idx >= 0 &&
13294 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
13295 				wakeup->pattern_idx))
13296 			goto free_msg;
13297 
13298 		if (wakeup->tcp_match &&
13299 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
13300 			goto free_msg;
13301 
13302 		if (wakeup->tcp_connlost &&
13303 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
13304 			goto free_msg;
13305 
13306 		if (wakeup->tcp_nomoretokens &&
13307 		    nla_put_flag(msg,
13308 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
13309 			goto free_msg;
13310 
13311 		if (wakeup->packet) {
13312 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
13313 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
13314 
13315 			if (!wakeup->packet_80211) {
13316 				pkt_attr =
13317 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
13318 				len_attr =
13319 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
13320 			}
13321 
13322 			if (wakeup->packet_len &&
13323 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
13324 				goto free_msg;
13325 
13326 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
13327 				    wakeup->packet))
13328 				goto free_msg;
13329 		}
13330 
13331 		if (wakeup->net_detect &&
13332 		    cfg80211_net_detect_results(msg, wakeup))
13333 				goto free_msg;
13334 
13335 		nla_nest_end(msg, reasons);
13336 	}
13337 
13338 	genlmsg_end(msg, hdr);
13339 
13340 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13341 				NL80211_MCGRP_MLME, gfp);
13342 	return;
13343 
13344  free_msg:
13345 	nlmsg_free(msg);
13346 }
13347 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
13348 #endif
13349 
13350 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
13351 				enum nl80211_tdls_operation oper,
13352 				u16 reason_code, gfp_t gfp)
13353 {
13354 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13355 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
13356 	struct sk_buff *msg;
13357 	void *hdr;
13358 
13359 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
13360 					 reason_code);
13361 
13362 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13363 	if (!msg)
13364 		return;
13365 
13366 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
13367 	if (!hdr) {
13368 		nlmsg_free(msg);
13369 		return;
13370 	}
13371 
13372 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13373 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
13374 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
13375 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
13376 	    (reason_code > 0 &&
13377 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
13378 		goto nla_put_failure;
13379 
13380 	genlmsg_end(msg, hdr);
13381 
13382 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13383 				NL80211_MCGRP_MLME, gfp);
13384 	return;
13385 
13386  nla_put_failure:
13387 	genlmsg_cancel(msg, hdr);
13388 	nlmsg_free(msg);
13389 }
13390 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
13391 
13392 static int nl80211_netlink_notify(struct notifier_block * nb,
13393 				  unsigned long state,
13394 				  void *_notify)
13395 {
13396 	struct netlink_notify *notify = _notify;
13397 	struct cfg80211_registered_device *rdev;
13398 	struct wireless_dev *wdev;
13399 	struct cfg80211_beacon_registration *reg, *tmp;
13400 
13401 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
13402 		return NOTIFY_DONE;
13403 
13404 	rcu_read_lock();
13405 
13406 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
13407 		bool schedule_destroy_work = false;
13408 		bool schedule_scan_stop = false;
13409 		struct cfg80211_sched_scan_request *sched_scan_req =
13410 			rcu_dereference(rdev->sched_scan_req);
13411 
13412 		if (sched_scan_req && notify->portid &&
13413 		    sched_scan_req->owner_nlportid == notify->portid)
13414 			schedule_scan_stop = true;
13415 
13416 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
13417 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
13418 
13419 			if (wdev->owner_nlportid == notify->portid)
13420 				schedule_destroy_work = true;
13421 		}
13422 
13423 		spin_lock_bh(&rdev->beacon_registrations_lock);
13424 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
13425 					 list) {
13426 			if (reg->nlportid == notify->portid) {
13427 				list_del(&reg->list);
13428 				kfree(reg);
13429 				break;
13430 			}
13431 		}
13432 		spin_unlock_bh(&rdev->beacon_registrations_lock);
13433 
13434 		if (schedule_destroy_work) {
13435 			struct cfg80211_iface_destroy *destroy;
13436 
13437 			destroy = kzalloc(sizeof(*destroy), GFP_ATOMIC);
13438 			if (destroy) {
13439 				destroy->nlportid = notify->portid;
13440 				spin_lock(&rdev->destroy_list_lock);
13441 				list_add(&destroy->list, &rdev->destroy_list);
13442 				spin_unlock(&rdev->destroy_list_lock);
13443 				schedule_work(&rdev->destroy_work);
13444 			}
13445 		} else if (schedule_scan_stop) {
13446 			sched_scan_req->owner_nlportid = 0;
13447 
13448 			if (rdev->ops->sched_scan_stop &&
13449 			    rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
13450 				schedule_work(&rdev->sched_scan_stop_wk);
13451 		}
13452 	}
13453 
13454 	rcu_read_unlock();
13455 
13456 	/*
13457 	 * It is possible that the user space process that is controlling the
13458 	 * indoor setting disappeared, so notify the regulatory core.
13459 	 */
13460 	regulatory_netlink_notify(notify->portid);
13461 	return NOTIFY_OK;
13462 }
13463 
13464 static struct notifier_block nl80211_netlink_notifier = {
13465 	.notifier_call = nl80211_netlink_notify,
13466 };
13467 
13468 void cfg80211_ft_event(struct net_device *netdev,
13469 		       struct cfg80211_ft_event_params *ft_event)
13470 {
13471 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
13472 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13473 	struct sk_buff *msg;
13474 	void *hdr;
13475 
13476 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
13477 
13478 	if (!ft_event->target_ap)
13479 		return;
13480 
13481 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13482 	if (!msg)
13483 		return;
13484 
13485 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
13486 	if (!hdr)
13487 		goto out;
13488 
13489 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13490 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
13491 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
13492 		goto out;
13493 
13494 	if (ft_event->ies &&
13495 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
13496 		goto out;
13497 	if (ft_event->ric_ies &&
13498 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
13499 		    ft_event->ric_ies))
13500 		goto out;
13501 
13502 	genlmsg_end(msg, hdr);
13503 
13504 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13505 				NL80211_MCGRP_MLME, GFP_KERNEL);
13506 	return;
13507  out:
13508 	nlmsg_free(msg);
13509 }
13510 EXPORT_SYMBOL(cfg80211_ft_event);
13511 
13512 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
13513 {
13514 	struct cfg80211_registered_device *rdev;
13515 	struct sk_buff *msg;
13516 	void *hdr;
13517 	u32 nlportid;
13518 
13519 	rdev = wiphy_to_rdev(wdev->wiphy);
13520 	if (!rdev->crit_proto_nlportid)
13521 		return;
13522 
13523 	nlportid = rdev->crit_proto_nlportid;
13524 	rdev->crit_proto_nlportid = 0;
13525 
13526 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13527 	if (!msg)
13528 		return;
13529 
13530 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
13531 	if (!hdr)
13532 		goto nla_put_failure;
13533 
13534 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13535 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13536 			      NL80211_ATTR_PAD))
13537 		goto nla_put_failure;
13538 
13539 	genlmsg_end(msg, hdr);
13540 
13541 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
13542 	return;
13543 
13544  nla_put_failure:
13545 	if (hdr)
13546 		genlmsg_cancel(msg, hdr);
13547 	nlmsg_free(msg);
13548 
13549 }
13550 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
13551 
13552 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
13553 {
13554 	struct wiphy *wiphy = wdev->wiphy;
13555 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13556 	struct sk_buff *msg;
13557 	void *hdr;
13558 
13559 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13560 	if (!msg)
13561 		return;
13562 
13563 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
13564 	if (!hdr)
13565 		goto out;
13566 
13567 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13568 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
13569 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13570 			      NL80211_ATTR_PAD))
13571 		goto out;
13572 
13573 	genlmsg_end(msg, hdr);
13574 
13575 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
13576 				NL80211_MCGRP_MLME, GFP_KERNEL);
13577 	return;
13578  out:
13579 	nlmsg_free(msg);
13580 }
13581 
13582 /* initialisation/exit functions */
13583 
13584 int nl80211_init(void)
13585 {
13586 	int err;
13587 
13588 	err = genl_register_family_with_ops_groups(&nl80211_fam, nl80211_ops,
13589 						   nl80211_mcgrps);
13590 	if (err)
13591 		return err;
13592 
13593 	err = netlink_register_notifier(&nl80211_netlink_notifier);
13594 	if (err)
13595 		goto err_out;
13596 
13597 	return 0;
13598  err_out:
13599 	genl_unregister_family(&nl80211_fam);
13600 	return err;
13601 }
13602 
13603 void nl80211_exit(void)
13604 {
13605 	netlink_unregister_notifier(&nl80211_netlink_notifier);
13606 	genl_unregister_family(&nl80211_fam);
13607 }
13608