xref: /linux/net/wireless/nl80211.c (revision 61d0b5a4b2777dcf5daef245e212b3c1fa8091ca) 
1 /*
2  * This is the new netlink-based wireless configuration interface.
3  *
4  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
5  */
6 
7 #include <linux/if.h>
8 #include <linux/module.h>
9 #include <linux/err.h>
10 #include <linux/slab.h>
11 #include <linux/list.h>
12 #include <linux/if_ether.h>
13 #include <linux/ieee80211.h>
14 #include <linux/nl80211.h>
15 #include <linux/rtnetlink.h>
16 #include <linux/netlink.h>
17 #include <linux/etherdevice.h>
18 #include <net/net_namespace.h>
19 #include <net/genetlink.h>
20 #include <net/cfg80211.h>
21 #include <net/sock.h>
22 #include <net/inet_connection_sock.h>
23 #include "core.h"
24 #include "nl80211.h"
25 #include "reg.h"
26 #include "rdev-ops.h"
27 
28 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
29 				   struct genl_info *info,
30 				   struct cfg80211_crypto_settings *settings,
31 				   int cipher_limit);
32 
33 static int nl80211_pre_doit(struct genl_ops *ops, struct sk_buff *skb,
34 			    struct genl_info *info);
35 static void nl80211_post_doit(struct genl_ops *ops, struct sk_buff *skb,
36 			      struct genl_info *info);
37 
38 /* the netlink family */
39 static struct genl_family nl80211_fam = {
40 	.id = GENL_ID_GENERATE,	/* don't bother with a hardcoded ID */
41 	.name = "nl80211",	/* have users key off the name instead */
42 	.hdrsize = 0,		/* no private header */
43 	.version = 1,		/* no particular meaning now */
44 	.maxattr = NL80211_ATTR_MAX,
45 	.netnsok = true,
46 	.pre_doit = nl80211_pre_doit,
47 	.post_doit = nl80211_post_doit,
48 };
49 
50 /* returns ERR_PTR values */
51 static struct wireless_dev *
52 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
53 {
54 	struct cfg80211_registered_device *rdev;
55 	struct wireless_dev *result = NULL;
56 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
57 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
58 	u64 wdev_id;
59 	int wiphy_idx = -1;
60 	int ifidx = -1;
61 
62 	assert_cfg80211_lock();
63 
64 	if (!have_ifidx && !have_wdev_id)
65 		return ERR_PTR(-EINVAL);
66 
67 	if (have_ifidx)
68 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
69 	if (have_wdev_id) {
70 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
71 		wiphy_idx = wdev_id >> 32;
72 	}
73 
74 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
75 		struct wireless_dev *wdev;
76 
77 		if (wiphy_net(&rdev->wiphy) != netns)
78 			continue;
79 
80 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
81 			continue;
82 
83 		mutex_lock(&rdev->devlist_mtx);
84 		list_for_each_entry(wdev, &rdev->wdev_list, list) {
85 			if (have_ifidx && wdev->netdev &&
86 			    wdev->netdev->ifindex == ifidx) {
87 				result = wdev;
88 				break;
89 			}
90 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
91 				result = wdev;
92 				break;
93 			}
94 		}
95 		mutex_unlock(&rdev->devlist_mtx);
96 
97 		if (result)
98 			break;
99 	}
100 
101 	if (result)
102 		return result;
103 	return ERR_PTR(-ENODEV);
104 }
105 
106 static struct cfg80211_registered_device *
107 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
108 {
109 	struct cfg80211_registered_device *rdev = NULL, *tmp;
110 	struct net_device *netdev;
111 
112 	assert_cfg80211_lock();
113 
114 	if (!attrs[NL80211_ATTR_WIPHY] &&
115 	    !attrs[NL80211_ATTR_IFINDEX] &&
116 	    !attrs[NL80211_ATTR_WDEV])
117 		return ERR_PTR(-EINVAL);
118 
119 	if (attrs[NL80211_ATTR_WIPHY])
120 		rdev = cfg80211_rdev_by_wiphy_idx(
121 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
122 
123 	if (attrs[NL80211_ATTR_WDEV]) {
124 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
125 		struct wireless_dev *wdev;
126 		bool found = false;
127 
128 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
129 		if (tmp) {
130 			/* make sure wdev exists */
131 			mutex_lock(&tmp->devlist_mtx);
132 			list_for_each_entry(wdev, &tmp->wdev_list, list) {
133 				if (wdev->identifier != (u32)wdev_id)
134 					continue;
135 				found = true;
136 				break;
137 			}
138 			mutex_unlock(&tmp->devlist_mtx);
139 
140 			if (!found)
141 				tmp = NULL;
142 
143 			if (rdev && tmp != rdev)
144 				return ERR_PTR(-EINVAL);
145 			rdev = tmp;
146 		}
147 	}
148 
149 	if (attrs[NL80211_ATTR_IFINDEX]) {
150 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
151 		netdev = dev_get_by_index(netns, ifindex);
152 		if (netdev) {
153 			if (netdev->ieee80211_ptr)
154 				tmp = wiphy_to_dev(
155 						netdev->ieee80211_ptr->wiphy);
156 			else
157 				tmp = NULL;
158 
159 			dev_put(netdev);
160 
161 			/* not wireless device -- return error */
162 			if (!tmp)
163 				return ERR_PTR(-EINVAL);
164 
165 			/* mismatch -- return error */
166 			if (rdev && tmp != rdev)
167 				return ERR_PTR(-EINVAL);
168 
169 			rdev = tmp;
170 		}
171 	}
172 
173 	if (!rdev)
174 		return ERR_PTR(-ENODEV);
175 
176 	if (netns != wiphy_net(&rdev->wiphy))
177 		return ERR_PTR(-ENODEV);
178 
179 	return rdev;
180 }
181 
182 /*
183  * This function returns a pointer to the driver
184  * that the genl_info item that is passed refers to.
185  * If successful, it returns non-NULL and also locks
186  * the driver's mutex!
187  *
188  * This means that you need to call cfg80211_unlock_rdev()
189  * before being allowed to acquire &cfg80211_mutex!
190  *
191  * This is necessary because we need to lock the global
192  * mutex to get an item off the list safely, and then
193  * we lock the rdev mutex so it doesn't go away under us.
194  *
195  * We don't want to keep cfg80211_mutex locked
196  * for all the time in order to allow requests on
197  * other interfaces to go through at the same time.
198  *
199  * The result of this can be a PTR_ERR and hence must
200  * be checked with IS_ERR() for errors.
201  */
202 static struct cfg80211_registered_device *
203 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
204 {
205 	struct cfg80211_registered_device *rdev;
206 
207 	mutex_lock(&cfg80211_mutex);
208 	rdev = __cfg80211_rdev_from_attrs(netns, info->attrs);
209 
210 	/* if it is not an error we grab the lock on
211 	 * it to assure it won't be going away while
212 	 * we operate on it */
213 	if (!IS_ERR(rdev))
214 		mutex_lock(&rdev->mtx);
215 
216 	mutex_unlock(&cfg80211_mutex);
217 
218 	return rdev;
219 }
220 
221 /* policy for the attributes */
222 static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
223 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
224 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
225 				      .len = 20-1 },
226 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
227 
228 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
229 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
230 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
231 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
232 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
233 
234 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = { .type = NLA_U8 },
235 	[NL80211_ATTR_WIPHY_RETRY_LONG] = { .type = NLA_U8 },
236 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
237 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
238 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
239 
240 	[NL80211_ATTR_IFTYPE] = { .type = NLA_U32 },
241 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
242 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
243 
244 	[NL80211_ATTR_MAC] = { .len = ETH_ALEN },
245 	[NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },
246 
247 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
248 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
249 				    .len = WLAN_MAX_KEY_LEN },
250 	[NL80211_ATTR_KEY_IDX] = { .type = NLA_U8 },
251 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
252 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
253 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
254 	[NL80211_ATTR_KEY_TYPE] = { .type = NLA_U32 },
255 
256 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
257 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
258 	[NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
259 				       .len = IEEE80211_MAX_DATA_LEN },
260 	[NL80211_ATTR_BEACON_TAIL] = { .type = NLA_BINARY,
261 				       .len = IEEE80211_MAX_DATA_LEN },
262 	[NL80211_ATTR_STA_AID] = { .type = NLA_U16 },
263 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
264 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
265 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
266 					       .len = NL80211_MAX_SUPP_RATES },
267 	[NL80211_ATTR_STA_PLINK_ACTION] = { .type = NLA_U8 },
268 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
269 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
270 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
271 				   .len = IEEE80211_MAX_MESH_ID_LEN },
272 	[NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
273 
274 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
275 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
276 
277 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
278 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
279 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
280 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
281 					   .len = NL80211_MAX_SUPP_RATES },
282 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
283 
284 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
285 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
286 
287 	[NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
288 
289 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
290 	[NL80211_ATTR_IE] = { .type = NLA_BINARY,
291 			      .len = IEEE80211_MAX_DATA_LEN },
292 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
293 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
294 
295 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
296 				.len = IEEE80211_MAX_SSID_LEN },
297 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
298 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
299 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
300 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
301 	[NL80211_ATTR_USE_MFP] = { .type = NLA_U32 },
302 	[NL80211_ATTR_STA_FLAGS2] = {
303 		.len = sizeof(struct nl80211_sta_flag_update),
304 	},
305 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
306 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
307 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
308 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
309 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
310 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
311 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
312 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
313 	[NL80211_ATTR_PMKID] = { .type = NLA_BINARY,
314 				 .len = WLAN_PMKID_LEN },
315 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
316 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
317 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
318 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
319 				 .len = IEEE80211_MAX_DATA_LEN },
320 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
321 	[NL80211_ATTR_PS_STATE] = { .type = NLA_U32 },
322 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
323 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
324 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
325 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
326 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
327 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
328 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
329 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
330 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
331 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
332 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
333 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
334 	[NL80211_ATTR_STA_PLINK_STATE] = { .type = NLA_U8 },
335 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
336 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
337 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
338 	[NL80211_ATTR_HIDDEN_SSID] = { .type = NLA_U32 },
339 	[NL80211_ATTR_IE_PROBE_RESP] = { .type = NLA_BINARY,
340 					 .len = IEEE80211_MAX_DATA_LEN },
341 	[NL80211_ATTR_IE_ASSOC_RESP] = { .type = NLA_BINARY,
342 					 .len = IEEE80211_MAX_DATA_LEN },
343 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
344 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
345 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
346 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
347 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
348 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
349 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
350 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
351 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
352 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
353 				      .len = IEEE80211_MAX_DATA_LEN },
354 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
355 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
356 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
357 		.len = NL80211_HT_CAPABILITY_LEN
358 	},
359 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
360 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
361 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
362 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
363 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
364 	[NL80211_ATTR_SAE_DATA] = { .type = NLA_BINARY, },
365 	[NL80211_ATTR_VHT_CAPABILITY] = { .len = NL80211_VHT_CAPABILITY_LEN },
366 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
367 	[NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
368 	[NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
369 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
370 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
371 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
372 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
373 };
374 
375 /* policy for the key attributes */
376 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
377 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
378 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
379 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
380 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
381 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
382 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
383 	[NL80211_KEY_TYPE] = { .type = NLA_U32 },
384 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
385 };
386 
387 /* policy for the key default flags */
388 static const struct nla_policy
389 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
390 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
391 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
392 };
393 
394 /* policy for WoWLAN attributes */
395 static const struct nla_policy
396 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
397 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
398 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
399 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
400 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
401 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
402 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
403 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
404 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
405 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
406 };
407 
408 static const struct nla_policy
409 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
410 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
411 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
412 	[NL80211_WOWLAN_TCP_DST_MAC] = { .len = ETH_ALEN },
413 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
414 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
415 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = { .len = 1 },
416 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
417 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
418 	},
419 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
420 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
421 	},
422 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
423 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = { .len = 1 },
424 	[NL80211_WOWLAN_TCP_WAKE_MASK] = { .len = 1 },
425 };
426 
427 /* policy for GTK rekey offload attributes */
428 static const struct nla_policy
429 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
430 	[NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
431 	[NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
432 	[NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
433 };
434 
435 static const struct nla_policy
436 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
437 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
438 						 .len = IEEE80211_MAX_SSID_LEN },
439 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
440 };
441 
442 /* ifidx get helper */
443 static int nl80211_get_ifidx(struct netlink_callback *cb)
444 {
445 	int res;
446 
447 	res = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
448 			  nl80211_fam.attrbuf, nl80211_fam.maxattr,
449 			  nl80211_policy);
450 	if (res)
451 		return res;
452 
453 	if (!nl80211_fam.attrbuf[NL80211_ATTR_IFINDEX])
454 		return -EINVAL;
455 
456 	res = nla_get_u32(nl80211_fam.attrbuf[NL80211_ATTR_IFINDEX]);
457 	if (!res)
458 		return -EINVAL;
459 	return res;
460 }
461 
462 static int nl80211_prepare_netdev_dump(struct sk_buff *skb,
463 				       struct netlink_callback *cb,
464 				       struct cfg80211_registered_device **rdev,
465 				       struct net_device **dev)
466 {
467 	int ifidx = cb->args[0];
468 	int err;
469 
470 	if (!ifidx)
471 		ifidx = nl80211_get_ifidx(cb);
472 	if (ifidx < 0)
473 		return ifidx;
474 
475 	cb->args[0] = ifidx;
476 
477 	rtnl_lock();
478 
479 	*dev = __dev_get_by_index(sock_net(skb->sk), ifidx);
480 	if (!*dev) {
481 		err = -ENODEV;
482 		goto out_rtnl;
483 	}
484 
485 	*rdev = cfg80211_get_dev_from_ifindex(sock_net(skb->sk), ifidx);
486 	if (IS_ERR(*rdev)) {
487 		err = PTR_ERR(*rdev);
488 		goto out_rtnl;
489 	}
490 
491 	return 0;
492  out_rtnl:
493 	rtnl_unlock();
494 	return err;
495 }
496 
497 static void nl80211_finish_netdev_dump(struct cfg80211_registered_device *rdev)
498 {
499 	cfg80211_unlock_rdev(rdev);
500 	rtnl_unlock();
501 }
502 
503 /* IE validation */
504 static bool is_valid_ie_attr(const struct nlattr *attr)
505 {
506 	const u8 *pos;
507 	int len;
508 
509 	if (!attr)
510 		return true;
511 
512 	pos = nla_data(attr);
513 	len = nla_len(attr);
514 
515 	while (len) {
516 		u8 elemlen;
517 
518 		if (len < 2)
519 			return false;
520 		len -= 2;
521 
522 		elemlen = pos[1];
523 		if (elemlen > len)
524 			return false;
525 
526 		len -= elemlen;
527 		pos += 2 + elemlen;
528 	}
529 
530 	return true;
531 }
532 
533 /* message building helper */
534 static inline void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
535 				   int flags, u8 cmd)
536 {
537 	/* since there is no private header just add the generic one */
538 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
539 }
540 
541 static int nl80211_msg_put_channel(struct sk_buff *msg,
542 				   struct ieee80211_channel *chan)
543 {
544 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
545 			chan->center_freq))
546 		goto nla_put_failure;
547 
548 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
549 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
550 		goto nla_put_failure;
551 	if ((chan->flags & IEEE80211_CHAN_PASSIVE_SCAN) &&
552 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_PASSIVE_SCAN))
553 		goto nla_put_failure;
554 	if ((chan->flags & IEEE80211_CHAN_NO_IBSS) &&
555 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IBSS))
556 		goto nla_put_failure;
557 	if (chan->flags & IEEE80211_CHAN_RADAR) {
558 		u32 time = elapsed_jiffies_msecs(chan->dfs_state_entered);
559 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
560 			goto nla_put_failure;
561 		if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
562 				chan->dfs_state))
563 			goto nla_put_failure;
564 		if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME, time))
565 			goto nla_put_failure;
566 	}
567 	if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
568 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
569 		goto nla_put_failure;
570 	if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
571 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
572 		goto nla_put_failure;
573 	if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
574 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
575 		goto nla_put_failure;
576 	if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
577 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
578 		goto nla_put_failure;
579 
580 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
581 			DBM_TO_MBM(chan->max_power)))
582 		goto nla_put_failure;
583 
584 	return 0;
585 
586  nla_put_failure:
587 	return -ENOBUFS;
588 }
589 
590 /* netlink command implementations */
591 
592 struct key_parse {
593 	struct key_params p;
594 	int idx;
595 	int type;
596 	bool def, defmgmt;
597 	bool def_uni, def_multi;
598 };
599 
600 static int nl80211_parse_key_new(struct nlattr *key, struct key_parse *k)
601 {
602 	struct nlattr *tb[NL80211_KEY_MAX + 1];
603 	int err = nla_parse_nested(tb, NL80211_KEY_MAX, key,
604 				   nl80211_key_policy);
605 	if (err)
606 		return err;
607 
608 	k->def = !!tb[NL80211_KEY_DEFAULT];
609 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
610 
611 	if (k->def) {
612 		k->def_uni = true;
613 		k->def_multi = true;
614 	}
615 	if (k->defmgmt)
616 		k->def_multi = true;
617 
618 	if (tb[NL80211_KEY_IDX])
619 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
620 
621 	if (tb[NL80211_KEY_DATA]) {
622 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
623 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
624 	}
625 
626 	if (tb[NL80211_KEY_SEQ]) {
627 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
628 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
629 	}
630 
631 	if (tb[NL80211_KEY_CIPHER])
632 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
633 
634 	if (tb[NL80211_KEY_TYPE]) {
635 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
636 		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
637 			return -EINVAL;
638 	}
639 
640 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
641 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
642 		err = nla_parse_nested(kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
643 				       tb[NL80211_KEY_DEFAULT_TYPES],
644 				       nl80211_key_default_policy);
645 		if (err)
646 			return err;
647 
648 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
649 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
650 	}
651 
652 	return 0;
653 }
654 
655 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
656 {
657 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
658 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
659 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
660 	}
661 
662 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
663 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
664 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
665 	}
666 
667 	if (info->attrs[NL80211_ATTR_KEY_IDX])
668 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
669 
670 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
671 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
672 
673 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
674 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
675 
676 	if (k->def) {
677 		k->def_uni = true;
678 		k->def_multi = true;
679 	}
680 	if (k->defmgmt)
681 		k->def_multi = true;
682 
683 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
684 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
685 		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
686 			return -EINVAL;
687 	}
688 
689 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
690 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
691 		int err = nla_parse_nested(
692 				kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
693 				info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
694 				nl80211_key_default_policy);
695 		if (err)
696 			return err;
697 
698 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
699 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
700 	}
701 
702 	return 0;
703 }
704 
705 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
706 {
707 	int err;
708 
709 	memset(k, 0, sizeof(*k));
710 	k->idx = -1;
711 	k->type = -1;
712 
713 	if (info->attrs[NL80211_ATTR_KEY])
714 		err = nl80211_parse_key_new(info->attrs[NL80211_ATTR_KEY], k);
715 	else
716 		err = nl80211_parse_key_old(info, k);
717 
718 	if (err)
719 		return err;
720 
721 	if (k->def && k->defmgmt)
722 		return -EINVAL;
723 
724 	if (k->defmgmt) {
725 		if (k->def_uni || !k->def_multi)
726 			return -EINVAL;
727 	}
728 
729 	if (k->idx != -1) {
730 		if (k->defmgmt) {
731 			if (k->idx < 4 || k->idx > 5)
732 				return -EINVAL;
733 		} else if (k->def) {
734 			if (k->idx < 0 || k->idx > 3)
735 				return -EINVAL;
736 		} else {
737 			if (k->idx < 0 || k->idx > 5)
738 				return -EINVAL;
739 		}
740 	}
741 
742 	return 0;
743 }
744 
745 static struct cfg80211_cached_keys *
746 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
747 		       struct nlattr *keys, bool *no_ht)
748 {
749 	struct key_parse parse;
750 	struct nlattr *key;
751 	struct cfg80211_cached_keys *result;
752 	int rem, err, def = 0;
753 
754 	result = kzalloc(sizeof(*result), GFP_KERNEL);
755 	if (!result)
756 		return ERR_PTR(-ENOMEM);
757 
758 	result->def = -1;
759 	result->defmgmt = -1;
760 
761 	nla_for_each_nested(key, keys, rem) {
762 		memset(&parse, 0, sizeof(parse));
763 		parse.idx = -1;
764 
765 		err = nl80211_parse_key_new(key, &parse);
766 		if (err)
767 			goto error;
768 		err = -EINVAL;
769 		if (!parse.p.key)
770 			goto error;
771 		if (parse.idx < 0 || parse.idx > 4)
772 			goto error;
773 		if (parse.def) {
774 			if (def)
775 				goto error;
776 			def = 1;
777 			result->def = parse.idx;
778 			if (!parse.def_uni || !parse.def_multi)
779 				goto error;
780 		} else if (parse.defmgmt)
781 			goto error;
782 		err = cfg80211_validate_key_settings(rdev, &parse.p,
783 						     parse.idx, false, NULL);
784 		if (err)
785 			goto error;
786 		result->params[parse.idx].cipher = parse.p.cipher;
787 		result->params[parse.idx].key_len = parse.p.key_len;
788 		result->params[parse.idx].key = result->data[parse.idx];
789 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
790 
791 		if (parse.p.cipher == WLAN_CIPHER_SUITE_WEP40 ||
792 		    parse.p.cipher == WLAN_CIPHER_SUITE_WEP104) {
793 			if (no_ht)
794 				*no_ht = true;
795 		}
796 	}
797 
798 	return result;
799  error:
800 	kfree(result);
801 	return ERR_PTR(err);
802 }
803 
804 static int nl80211_key_allowed(struct wireless_dev *wdev)
805 {
806 	ASSERT_WDEV_LOCK(wdev);
807 
808 	switch (wdev->iftype) {
809 	case NL80211_IFTYPE_AP:
810 	case NL80211_IFTYPE_AP_VLAN:
811 	case NL80211_IFTYPE_P2P_GO:
812 	case NL80211_IFTYPE_MESH_POINT:
813 		break;
814 	case NL80211_IFTYPE_ADHOC:
815 		if (!wdev->current_bss)
816 			return -ENOLINK;
817 		break;
818 	case NL80211_IFTYPE_STATION:
819 	case NL80211_IFTYPE_P2P_CLIENT:
820 		if (wdev->sme_state != CFG80211_SME_CONNECTED)
821 			return -ENOLINK;
822 		break;
823 	default:
824 		return -EINVAL;
825 	}
826 
827 	return 0;
828 }
829 
830 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
831 {
832 	struct nlattr *nl_modes = nla_nest_start(msg, attr);
833 	int i;
834 
835 	if (!nl_modes)
836 		goto nla_put_failure;
837 
838 	i = 0;
839 	while (ifmodes) {
840 		if ((ifmodes & 1) && nla_put_flag(msg, i))
841 			goto nla_put_failure;
842 		ifmodes >>= 1;
843 		i++;
844 	}
845 
846 	nla_nest_end(msg, nl_modes);
847 	return 0;
848 
849 nla_put_failure:
850 	return -ENOBUFS;
851 }
852 
853 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
854 					  struct sk_buff *msg)
855 {
856 	struct nlattr *nl_combis;
857 	int i, j;
858 
859 	nl_combis = nla_nest_start(msg,
860 				NL80211_ATTR_INTERFACE_COMBINATIONS);
861 	if (!nl_combis)
862 		goto nla_put_failure;
863 
864 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
865 		const struct ieee80211_iface_combination *c;
866 		struct nlattr *nl_combi, *nl_limits;
867 
868 		c = &wiphy->iface_combinations[i];
869 
870 		nl_combi = nla_nest_start(msg, i + 1);
871 		if (!nl_combi)
872 			goto nla_put_failure;
873 
874 		nl_limits = nla_nest_start(msg, NL80211_IFACE_COMB_LIMITS);
875 		if (!nl_limits)
876 			goto nla_put_failure;
877 
878 		for (j = 0; j < c->n_limits; j++) {
879 			struct nlattr *nl_limit;
880 
881 			nl_limit = nla_nest_start(msg, j + 1);
882 			if (!nl_limit)
883 				goto nla_put_failure;
884 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
885 					c->limits[j].max))
886 				goto nla_put_failure;
887 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
888 						c->limits[j].types))
889 				goto nla_put_failure;
890 			nla_nest_end(msg, nl_limit);
891 		}
892 
893 		nla_nest_end(msg, nl_limits);
894 
895 		if (c->beacon_int_infra_match &&
896 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
897 			goto nla_put_failure;
898 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
899 				c->num_different_channels) ||
900 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
901 				c->max_interfaces))
902 			goto nla_put_failure;
903 		if (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
904 				c->radar_detect_widths))
905 			goto nla_put_failure;
906 
907 		nla_nest_end(msg, nl_combi);
908 	}
909 
910 	nla_nest_end(msg, nl_combis);
911 
912 	return 0;
913 nla_put_failure:
914 	return -ENOBUFS;
915 }
916 
917 #ifdef CONFIG_PM
918 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
919 					struct sk_buff *msg)
920 {
921 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan.tcp;
922 	struct nlattr *nl_tcp;
923 
924 	if (!tcp)
925 		return 0;
926 
927 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
928 	if (!nl_tcp)
929 		return -ENOBUFS;
930 
931 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
932 			tcp->data_payload_max))
933 		return -ENOBUFS;
934 
935 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
936 			tcp->data_payload_max))
937 		return -ENOBUFS;
938 
939 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
940 		return -ENOBUFS;
941 
942 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
943 				sizeof(*tcp->tok), tcp->tok))
944 		return -ENOBUFS;
945 
946 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
947 			tcp->data_interval_max))
948 		return -ENOBUFS;
949 
950 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
951 			tcp->wake_payload_max))
952 		return -ENOBUFS;
953 
954 	nla_nest_end(msg, nl_tcp);
955 	return 0;
956 }
957 #endif
958 
959 static int nl80211_send_wiphy(struct sk_buff *msg, u32 portid, u32 seq, int flags,
960 			      struct cfg80211_registered_device *dev)
961 {
962 	void *hdr;
963 	struct nlattr *nl_bands, *nl_band;
964 	struct nlattr *nl_freqs, *nl_freq;
965 	struct nlattr *nl_rates, *nl_rate;
966 	struct nlattr *nl_cmds;
967 	enum ieee80211_band band;
968 	struct ieee80211_channel *chan;
969 	struct ieee80211_rate *rate;
970 	int i;
971 	const struct ieee80211_txrx_stypes *mgmt_stypes =
972 				dev->wiphy.mgmt_stypes;
973 
974 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_WIPHY);
975 	if (!hdr)
976 		return -1;
977 
978 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, dev->wiphy_idx) ||
979 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME, wiphy_name(&dev->wiphy)) ||
980 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
981 			cfg80211_rdev_list_generation) ||
982 	    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
983 		       dev->wiphy.retry_short) ||
984 	    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
985 		       dev->wiphy.retry_long) ||
986 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
987 			dev->wiphy.frag_threshold) ||
988 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
989 			dev->wiphy.rts_threshold) ||
990 	    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
991 		       dev->wiphy.coverage_class) ||
992 	    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
993 		       dev->wiphy.max_scan_ssids) ||
994 	    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
995 		       dev->wiphy.max_sched_scan_ssids) ||
996 	    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
997 			dev->wiphy.max_scan_ie_len) ||
998 	    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
999 			dev->wiphy.max_sched_scan_ie_len) ||
1000 	    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
1001 		       dev->wiphy.max_match_sets))
1002 		goto nla_put_failure;
1003 
1004 	if ((dev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
1005 	    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
1006 		goto nla_put_failure;
1007 	if ((dev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
1008 	    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
1009 		goto nla_put_failure;
1010 	if ((dev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
1011 	    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
1012 		goto nla_put_failure;
1013 	if ((dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
1014 	    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
1015 		goto nla_put_failure;
1016 	if ((dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
1017 	    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
1018 		goto nla_put_failure;
1019 	if ((dev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
1020 	    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
1021 		goto nla_put_failure;
1022 
1023 	if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
1024 		    sizeof(u32) * dev->wiphy.n_cipher_suites,
1025 		    dev->wiphy.cipher_suites))
1026 		goto nla_put_failure;
1027 
1028 	if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
1029 		       dev->wiphy.max_num_pmkids))
1030 		goto nla_put_failure;
1031 
1032 	if ((dev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
1033 	    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
1034 		goto nla_put_failure;
1035 
1036 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
1037 			dev->wiphy.available_antennas_tx) ||
1038 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
1039 			dev->wiphy.available_antennas_rx))
1040 		goto nla_put_failure;
1041 
1042 	if ((dev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
1043 	    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
1044 			dev->wiphy.probe_resp_offload))
1045 		goto nla_put_failure;
1046 
1047 	if ((dev->wiphy.available_antennas_tx ||
1048 	     dev->wiphy.available_antennas_rx) && dev->ops->get_antenna) {
1049 		u32 tx_ant = 0, rx_ant = 0;
1050 		int res;
1051 		res = rdev_get_antenna(dev, &tx_ant, &rx_ant);
1052 		if (!res) {
1053 			if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_TX,
1054 					tx_ant) ||
1055 			    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_RX,
1056 					rx_ant))
1057 				goto nla_put_failure;
1058 		}
1059 	}
1060 
1061 	if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
1062 				dev->wiphy.interface_modes))
1063 		goto nla_put_failure;
1064 
1065 	nl_bands = nla_nest_start(msg, NL80211_ATTR_WIPHY_BANDS);
1066 	if (!nl_bands)
1067 		goto nla_put_failure;
1068 
1069 	for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
1070 		if (!dev->wiphy.bands[band])
1071 			continue;
1072 
1073 		nl_band = nla_nest_start(msg, band);
1074 		if (!nl_band)
1075 			goto nla_put_failure;
1076 
1077 		/* add HT info */
1078 		if (dev->wiphy.bands[band]->ht_cap.ht_supported &&
1079 		    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1080 			     sizeof(dev->wiphy.bands[band]->ht_cap.mcs),
1081 			     &dev->wiphy.bands[band]->ht_cap.mcs) ||
1082 		     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1083 				 dev->wiphy.bands[band]->ht_cap.cap) ||
1084 		     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1085 				dev->wiphy.bands[band]->ht_cap.ampdu_factor) ||
1086 		     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1087 				dev->wiphy.bands[band]->ht_cap.ampdu_density)))
1088 			goto nla_put_failure;
1089 
1090 		/* add VHT info */
1091 		if (dev->wiphy.bands[band]->vht_cap.vht_supported &&
1092 		    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1093 			     sizeof(dev->wiphy.bands[band]->vht_cap.vht_mcs),
1094 			     &dev->wiphy.bands[band]->vht_cap.vht_mcs) ||
1095 		     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1096 				 dev->wiphy.bands[band]->vht_cap.cap)))
1097 			goto nla_put_failure;
1098 
1099 		/* add frequencies */
1100 		nl_freqs = nla_nest_start(msg, NL80211_BAND_ATTR_FREQS);
1101 		if (!nl_freqs)
1102 			goto nla_put_failure;
1103 
1104 		for (i = 0; i < dev->wiphy.bands[band]->n_channels; i++) {
1105 			nl_freq = nla_nest_start(msg, i);
1106 			if (!nl_freq)
1107 				goto nla_put_failure;
1108 
1109 			chan = &dev->wiphy.bands[band]->channels[i];
1110 
1111 			if (nl80211_msg_put_channel(msg, chan))
1112 				goto nla_put_failure;
1113 
1114 			nla_nest_end(msg, nl_freq);
1115 		}
1116 
1117 		nla_nest_end(msg, nl_freqs);
1118 
1119 		/* add bitrates */
1120 		nl_rates = nla_nest_start(msg, NL80211_BAND_ATTR_RATES);
1121 		if (!nl_rates)
1122 			goto nla_put_failure;
1123 
1124 		for (i = 0; i < dev->wiphy.bands[band]->n_bitrates; i++) {
1125 			nl_rate = nla_nest_start(msg, i);
1126 			if (!nl_rate)
1127 				goto nla_put_failure;
1128 
1129 			rate = &dev->wiphy.bands[band]->bitrates[i];
1130 			if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1131 					rate->bitrate))
1132 				goto nla_put_failure;
1133 			if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1134 			    nla_put_flag(msg,
1135 					 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1136 				goto nla_put_failure;
1137 
1138 			nla_nest_end(msg, nl_rate);
1139 		}
1140 
1141 		nla_nest_end(msg, nl_rates);
1142 
1143 		nla_nest_end(msg, nl_band);
1144 	}
1145 	nla_nest_end(msg, nl_bands);
1146 
1147 	nl_cmds = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_COMMANDS);
1148 	if (!nl_cmds)
1149 		goto nla_put_failure;
1150 
1151 	i = 0;
1152 #define CMD(op, n)						\
1153 	 do {							\
1154 		if (dev->ops->op) {				\
1155 			i++;					\
1156 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) \
1157 				goto nla_put_failure;		\
1158 		}						\
1159 	} while (0)
1160 
1161 	CMD(add_virtual_intf, NEW_INTERFACE);
1162 	CMD(change_virtual_intf, SET_INTERFACE);
1163 	CMD(add_key, NEW_KEY);
1164 	CMD(start_ap, START_AP);
1165 	CMD(add_station, NEW_STATION);
1166 	CMD(add_mpath, NEW_MPATH);
1167 	CMD(update_mesh_config, SET_MESH_CONFIG);
1168 	CMD(change_bss, SET_BSS);
1169 	CMD(auth, AUTHENTICATE);
1170 	CMD(assoc, ASSOCIATE);
1171 	CMD(deauth, DEAUTHENTICATE);
1172 	CMD(disassoc, DISASSOCIATE);
1173 	CMD(join_ibss, JOIN_IBSS);
1174 	CMD(join_mesh, JOIN_MESH);
1175 	CMD(set_pmksa, SET_PMKSA);
1176 	CMD(del_pmksa, DEL_PMKSA);
1177 	CMD(flush_pmksa, FLUSH_PMKSA);
1178 	if (dev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1179 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1180 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1181 	CMD(mgmt_tx, FRAME);
1182 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1183 	if (dev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1184 		i++;
1185 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1186 			goto nla_put_failure;
1187 	}
1188 	if (dev->ops->set_monitor_channel || dev->ops->start_ap ||
1189 	    dev->ops->join_mesh) {
1190 		i++;
1191 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1192 			goto nla_put_failure;
1193 	}
1194 	CMD(set_wds_peer, SET_WDS_PEER);
1195 	if (dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1196 		CMD(tdls_mgmt, TDLS_MGMT);
1197 		CMD(tdls_oper, TDLS_OPER);
1198 	}
1199 	if (dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
1200 		CMD(sched_scan_start, START_SCHED_SCAN);
1201 	CMD(probe_client, PROBE_CLIENT);
1202 	CMD(set_noack_map, SET_NOACK_MAP);
1203 	if (dev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1204 		i++;
1205 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1206 			goto nla_put_failure;
1207 	}
1208 	CMD(start_p2p_device, START_P2P_DEVICE);
1209 	CMD(set_mcast_rate, SET_MCAST_RATE);
1210 
1211 #ifdef CONFIG_NL80211_TESTMODE
1212 	CMD(testmode_cmd, TESTMODE);
1213 #endif
1214 
1215 #undef CMD
1216 
1217 	if (dev->ops->connect || dev->ops->auth) {
1218 		i++;
1219 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1220 			goto nla_put_failure;
1221 	}
1222 
1223 	if (dev->ops->disconnect || dev->ops->deauth) {
1224 		i++;
1225 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1226 			goto nla_put_failure;
1227 	}
1228 
1229 	nla_nest_end(msg, nl_cmds);
1230 
1231 	if (dev->ops->remain_on_channel &&
1232 	    (dev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
1233 	    nla_put_u32(msg, NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
1234 			dev->wiphy.max_remain_on_channel_duration))
1235 		goto nla_put_failure;
1236 
1237 	if ((dev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
1238 	    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
1239 		goto nla_put_failure;
1240 
1241 	if (mgmt_stypes) {
1242 		u16 stypes;
1243 		struct nlattr *nl_ftypes, *nl_ifs;
1244 		enum nl80211_iftype ift;
1245 
1246 		nl_ifs = nla_nest_start(msg, NL80211_ATTR_TX_FRAME_TYPES);
1247 		if (!nl_ifs)
1248 			goto nla_put_failure;
1249 
1250 		for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1251 			nl_ftypes = nla_nest_start(msg, ift);
1252 			if (!nl_ftypes)
1253 				goto nla_put_failure;
1254 			i = 0;
1255 			stypes = mgmt_stypes[ift].tx;
1256 			while (stypes) {
1257 				if ((stypes & 1) &&
1258 				    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1259 						(i << 4) | IEEE80211_FTYPE_MGMT))
1260 					goto nla_put_failure;
1261 				stypes >>= 1;
1262 				i++;
1263 			}
1264 			nla_nest_end(msg, nl_ftypes);
1265 		}
1266 
1267 		nla_nest_end(msg, nl_ifs);
1268 
1269 		nl_ifs = nla_nest_start(msg, NL80211_ATTR_RX_FRAME_TYPES);
1270 		if (!nl_ifs)
1271 			goto nla_put_failure;
1272 
1273 		for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1274 			nl_ftypes = nla_nest_start(msg, ift);
1275 			if (!nl_ftypes)
1276 				goto nla_put_failure;
1277 			i = 0;
1278 			stypes = mgmt_stypes[ift].rx;
1279 			while (stypes) {
1280 				if ((stypes & 1) &&
1281 				    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1282 						(i << 4) | IEEE80211_FTYPE_MGMT))
1283 					goto nla_put_failure;
1284 				stypes >>= 1;
1285 				i++;
1286 			}
1287 			nla_nest_end(msg, nl_ftypes);
1288 		}
1289 		nla_nest_end(msg, nl_ifs);
1290 	}
1291 
1292 #ifdef CONFIG_PM
1293 	if (dev->wiphy.wowlan.flags || dev->wiphy.wowlan.n_patterns) {
1294 		struct nlattr *nl_wowlan;
1295 
1296 		nl_wowlan = nla_nest_start(msg,
1297 				NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1298 		if (!nl_wowlan)
1299 			goto nla_put_failure;
1300 
1301 		if (((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_ANY) &&
1302 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1303 		    ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_DISCONNECT) &&
1304 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1305 		    ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1306 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1307 		    ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1308 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1309 		    ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1310 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1311 		    ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1312 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1313 		    ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1314 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1315 		    ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1316 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1317 		    goto nla_put_failure;
1318 		if (dev->wiphy.wowlan.n_patterns) {
1319 			struct nl80211_wowlan_pattern_support pat = {
1320 				.max_patterns = dev->wiphy.wowlan.n_patterns,
1321 				.min_pattern_len =
1322 					dev->wiphy.wowlan.pattern_min_len,
1323 				.max_pattern_len =
1324 					dev->wiphy.wowlan.pattern_max_len,
1325 				.max_pkt_offset =
1326 					dev->wiphy.wowlan.max_pkt_offset,
1327 			};
1328 			if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1329 				    sizeof(pat), &pat))
1330 				goto nla_put_failure;
1331 		}
1332 
1333 		if (nl80211_send_wowlan_tcp_caps(dev, msg))
1334 			goto nla_put_failure;
1335 
1336 		nla_nest_end(msg, nl_wowlan);
1337 	}
1338 #endif
1339 
1340 	if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
1341 				dev->wiphy.software_iftypes))
1342 		goto nla_put_failure;
1343 
1344 	if (nl80211_put_iface_combinations(&dev->wiphy, msg))
1345 		goto nla_put_failure;
1346 
1347 	if ((dev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
1348 	    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
1349 			dev->wiphy.ap_sme_capa))
1350 		goto nla_put_failure;
1351 
1352 	if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS,
1353 			dev->wiphy.features))
1354 		goto nla_put_failure;
1355 
1356 	if (dev->wiphy.ht_capa_mod_mask &&
1357 	    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
1358 		    sizeof(*dev->wiphy.ht_capa_mod_mask),
1359 		    dev->wiphy.ht_capa_mod_mask))
1360 		goto nla_put_failure;
1361 
1362 	if (dev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
1363 	    dev->wiphy.max_acl_mac_addrs &&
1364 	    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
1365 			dev->wiphy.max_acl_mac_addrs))
1366 		goto nla_put_failure;
1367 
1368 	if (dev->wiphy.extended_capabilities &&
1369 	    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
1370 		     dev->wiphy.extended_capabilities_len,
1371 		     dev->wiphy.extended_capabilities) ||
1372 	     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
1373 		     dev->wiphy.extended_capabilities_len,
1374 		     dev->wiphy.extended_capabilities_mask)))
1375 		goto nla_put_failure;
1376 
1377 	return genlmsg_end(msg, hdr);
1378 
1379  nla_put_failure:
1380 	genlmsg_cancel(msg, hdr);
1381 	return -EMSGSIZE;
1382 }
1383 
1384 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
1385 {
1386 	int idx = 0;
1387 	int start = cb->args[0];
1388 	struct cfg80211_registered_device *dev;
1389 
1390 	mutex_lock(&cfg80211_mutex);
1391 	list_for_each_entry(dev, &cfg80211_rdev_list, list) {
1392 		if (!net_eq(wiphy_net(&dev->wiphy), sock_net(skb->sk)))
1393 			continue;
1394 		if (++idx <= start)
1395 			continue;
1396 		if (nl80211_send_wiphy(skb, NETLINK_CB(cb->skb).portid,
1397 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
1398 				       dev) < 0) {
1399 			idx--;
1400 			break;
1401 		}
1402 	}
1403 	mutex_unlock(&cfg80211_mutex);
1404 
1405 	cb->args[0] = idx;
1406 
1407 	return skb->len;
1408 }
1409 
1410 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
1411 {
1412 	struct sk_buff *msg;
1413 	struct cfg80211_registered_device *dev = info->user_ptr[0];
1414 
1415 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1416 	if (!msg)
1417 		return -ENOMEM;
1418 
1419 	if (nl80211_send_wiphy(msg, info->snd_portid, info->snd_seq, 0, dev) < 0) {
1420 		nlmsg_free(msg);
1421 		return -ENOBUFS;
1422 	}
1423 
1424 	return genlmsg_reply(msg, info);
1425 }
1426 
1427 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
1428 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
1429 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
1430 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
1431 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
1432 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
1433 };
1434 
1435 static int parse_txq_params(struct nlattr *tb[],
1436 			    struct ieee80211_txq_params *txq_params)
1437 {
1438 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
1439 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
1440 	    !tb[NL80211_TXQ_ATTR_AIFS])
1441 		return -EINVAL;
1442 
1443 	txq_params->ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
1444 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
1445 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
1446 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
1447 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
1448 
1449 	if (txq_params->ac >= NL80211_NUM_ACS)
1450 		return -EINVAL;
1451 
1452 	return 0;
1453 }
1454 
1455 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
1456 {
1457 	/*
1458 	 * You can only set the channel explicitly for WDS interfaces,
1459 	 * all others have their channel managed via their respective
1460 	 * "establish a connection" command (connect, join, ...)
1461 	 *
1462 	 * For AP/GO and mesh mode, the channel can be set with the
1463 	 * channel userspace API, but is only stored and passed to the
1464 	 * low-level driver when the AP starts or the mesh is joined.
1465 	 * This is for backward compatibility, userspace can also give
1466 	 * the channel in the start-ap or join-mesh commands instead.
1467 	 *
1468 	 * Monitors are special as they are normally slaved to
1469 	 * whatever else is going on, so they have their own special
1470 	 * operation to set the monitor channel if possible.
1471 	 */
1472 	return !wdev ||
1473 		wdev->iftype == NL80211_IFTYPE_AP ||
1474 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
1475 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
1476 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
1477 }
1478 
1479 static int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
1480 				 struct genl_info *info,
1481 				 struct cfg80211_chan_def *chandef)
1482 {
1483 	u32 control_freq;
1484 
1485 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
1486 		return -EINVAL;
1487 
1488 	control_freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
1489 
1490 	chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
1491 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
1492 	chandef->center_freq1 = control_freq;
1493 	chandef->center_freq2 = 0;
1494 
1495 	/* Primary channel not allowed */
1496 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED)
1497 		return -EINVAL;
1498 
1499 	if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
1500 		enum nl80211_channel_type chantype;
1501 
1502 		chantype = nla_get_u32(
1503 				info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
1504 
1505 		switch (chantype) {
1506 		case NL80211_CHAN_NO_HT:
1507 		case NL80211_CHAN_HT20:
1508 		case NL80211_CHAN_HT40PLUS:
1509 		case NL80211_CHAN_HT40MINUS:
1510 			cfg80211_chandef_create(chandef, chandef->chan,
1511 						chantype);
1512 			break;
1513 		default:
1514 			return -EINVAL;
1515 		}
1516 	} else if (info->attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
1517 		chandef->width =
1518 			nla_get_u32(info->attrs[NL80211_ATTR_CHANNEL_WIDTH]);
1519 		if (info->attrs[NL80211_ATTR_CENTER_FREQ1])
1520 			chandef->center_freq1 =
1521 				nla_get_u32(
1522 					info->attrs[NL80211_ATTR_CENTER_FREQ1]);
1523 		if (info->attrs[NL80211_ATTR_CENTER_FREQ2])
1524 			chandef->center_freq2 =
1525 				nla_get_u32(
1526 					info->attrs[NL80211_ATTR_CENTER_FREQ2]);
1527 	}
1528 
1529 	if (!cfg80211_chandef_valid(chandef))
1530 		return -EINVAL;
1531 
1532 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
1533 				     IEEE80211_CHAN_DISABLED))
1534 		return -EINVAL;
1535 
1536 	return 0;
1537 }
1538 
1539 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
1540 				 struct wireless_dev *wdev,
1541 				 struct genl_info *info)
1542 {
1543 	struct cfg80211_chan_def chandef;
1544 	int result;
1545 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
1546 
1547 	if (wdev)
1548 		iftype = wdev->iftype;
1549 
1550 	if (!nl80211_can_set_dev_channel(wdev))
1551 		return -EOPNOTSUPP;
1552 
1553 	result = nl80211_parse_chandef(rdev, info, &chandef);
1554 	if (result)
1555 		return result;
1556 
1557 	mutex_lock(&rdev->devlist_mtx);
1558 	switch (iftype) {
1559 	case NL80211_IFTYPE_AP:
1560 	case NL80211_IFTYPE_P2P_GO:
1561 		if (wdev->beacon_interval) {
1562 			result = -EBUSY;
1563 			break;
1564 		}
1565 		if (!cfg80211_reg_can_beacon(&rdev->wiphy, &chandef)) {
1566 			result = -EINVAL;
1567 			break;
1568 		}
1569 		wdev->preset_chandef = chandef;
1570 		result = 0;
1571 		break;
1572 	case NL80211_IFTYPE_MESH_POINT:
1573 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
1574 		break;
1575 	case NL80211_IFTYPE_MONITOR:
1576 		result = cfg80211_set_monitor_channel(rdev, &chandef);
1577 		break;
1578 	default:
1579 		result = -EINVAL;
1580 	}
1581 	mutex_unlock(&rdev->devlist_mtx);
1582 
1583 	return result;
1584 }
1585 
1586 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
1587 {
1588 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
1589 	struct net_device *netdev = info->user_ptr[1];
1590 
1591 	return __nl80211_set_channel(rdev, netdev->ieee80211_ptr, info);
1592 }
1593 
1594 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
1595 {
1596 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
1597 	struct net_device *dev = info->user_ptr[1];
1598 	struct wireless_dev *wdev = dev->ieee80211_ptr;
1599 	const u8 *bssid;
1600 
1601 	if (!info->attrs[NL80211_ATTR_MAC])
1602 		return -EINVAL;
1603 
1604 	if (netif_running(dev))
1605 		return -EBUSY;
1606 
1607 	if (!rdev->ops->set_wds_peer)
1608 		return -EOPNOTSUPP;
1609 
1610 	if (wdev->iftype != NL80211_IFTYPE_WDS)
1611 		return -EOPNOTSUPP;
1612 
1613 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
1614 	return rdev_set_wds_peer(rdev, dev, bssid);
1615 }
1616 
1617 
1618 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
1619 {
1620 	struct cfg80211_registered_device *rdev;
1621 	struct net_device *netdev = NULL;
1622 	struct wireless_dev *wdev;
1623 	int result = 0, rem_txq_params = 0;
1624 	struct nlattr *nl_txq_params;
1625 	u32 changed;
1626 	u8 retry_short = 0, retry_long = 0;
1627 	u32 frag_threshold = 0, rts_threshold = 0;
1628 	u8 coverage_class = 0;
1629 
1630 	/*
1631 	 * Try to find the wiphy and netdev. Normally this
1632 	 * function shouldn't need the netdev, but this is
1633 	 * done for backward compatibility -- previously
1634 	 * setting the channel was done per wiphy, but now
1635 	 * it is per netdev. Previous userland like hostapd
1636 	 * also passed a netdev to set_wiphy, so that it is
1637 	 * possible to let that go to the right netdev!
1638 	 */
1639 	mutex_lock(&cfg80211_mutex);
1640 
1641 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
1642 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
1643 
1644 		netdev = dev_get_by_index(genl_info_net(info), ifindex);
1645 		if (netdev && netdev->ieee80211_ptr) {
1646 			rdev = wiphy_to_dev(netdev->ieee80211_ptr->wiphy);
1647 			mutex_lock(&rdev->mtx);
1648 		} else
1649 			netdev = NULL;
1650 	}
1651 
1652 	if (!netdev) {
1653 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
1654 						  info->attrs);
1655 		if (IS_ERR(rdev)) {
1656 			mutex_unlock(&cfg80211_mutex);
1657 			return PTR_ERR(rdev);
1658 		}
1659 		wdev = NULL;
1660 		netdev = NULL;
1661 		result = 0;
1662 
1663 		mutex_lock(&rdev->mtx);
1664 	} else
1665 		wdev = netdev->ieee80211_ptr;
1666 
1667 	/*
1668 	 * end workaround code, by now the rdev is available
1669 	 * and locked, and wdev may or may not be NULL.
1670 	 */
1671 
1672 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
1673 		result = cfg80211_dev_rename(
1674 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
1675 
1676 	mutex_unlock(&cfg80211_mutex);
1677 
1678 	if (result)
1679 		goto bad_res;
1680 
1681 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
1682 		struct ieee80211_txq_params txq_params;
1683 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
1684 
1685 		if (!rdev->ops->set_txq_params) {
1686 			result = -EOPNOTSUPP;
1687 			goto bad_res;
1688 		}
1689 
1690 		if (!netdev) {
1691 			result = -EINVAL;
1692 			goto bad_res;
1693 		}
1694 
1695 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
1696 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
1697 			result = -EINVAL;
1698 			goto bad_res;
1699 		}
1700 
1701 		if (!netif_running(netdev)) {
1702 			result = -ENETDOWN;
1703 			goto bad_res;
1704 		}
1705 
1706 		nla_for_each_nested(nl_txq_params,
1707 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
1708 				    rem_txq_params) {
1709 			nla_parse(tb, NL80211_TXQ_ATTR_MAX,
1710 				  nla_data(nl_txq_params),
1711 				  nla_len(nl_txq_params),
1712 				  txq_params_policy);
1713 			result = parse_txq_params(tb, &txq_params);
1714 			if (result)
1715 				goto bad_res;
1716 
1717 			result = rdev_set_txq_params(rdev, netdev,
1718 						     &txq_params);
1719 			if (result)
1720 				goto bad_res;
1721 		}
1722 	}
1723 
1724 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
1725 		result = __nl80211_set_channel(rdev,
1726 				nl80211_can_set_dev_channel(wdev) ? wdev : NULL,
1727 				info);
1728 		if (result)
1729 			goto bad_res;
1730 	}
1731 
1732 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
1733 		struct wireless_dev *txp_wdev = wdev;
1734 		enum nl80211_tx_power_setting type;
1735 		int idx, mbm = 0;
1736 
1737 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
1738 			txp_wdev = NULL;
1739 
1740 		if (!rdev->ops->set_tx_power) {
1741 			result = -EOPNOTSUPP;
1742 			goto bad_res;
1743 		}
1744 
1745 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
1746 		type = nla_get_u32(info->attrs[idx]);
1747 
1748 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
1749 		    (type != NL80211_TX_POWER_AUTOMATIC)) {
1750 			result = -EINVAL;
1751 			goto bad_res;
1752 		}
1753 
1754 		if (type != NL80211_TX_POWER_AUTOMATIC) {
1755 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
1756 			mbm = nla_get_u32(info->attrs[idx]);
1757 		}
1758 
1759 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
1760 		if (result)
1761 			goto bad_res;
1762 	}
1763 
1764 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
1765 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
1766 		u32 tx_ant, rx_ant;
1767 		if ((!rdev->wiphy.available_antennas_tx &&
1768 		     !rdev->wiphy.available_antennas_rx) ||
1769 		    !rdev->ops->set_antenna) {
1770 			result = -EOPNOTSUPP;
1771 			goto bad_res;
1772 		}
1773 
1774 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
1775 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
1776 
1777 		/* reject antenna configurations which don't match the
1778 		 * available antenna masks, except for the "all" mask */
1779 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
1780 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
1781 			result = -EINVAL;
1782 			goto bad_res;
1783 		}
1784 
1785 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
1786 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
1787 
1788 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
1789 		if (result)
1790 			goto bad_res;
1791 	}
1792 
1793 	changed = 0;
1794 
1795 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
1796 		retry_short = nla_get_u8(
1797 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
1798 		if (retry_short == 0) {
1799 			result = -EINVAL;
1800 			goto bad_res;
1801 		}
1802 		changed |= WIPHY_PARAM_RETRY_SHORT;
1803 	}
1804 
1805 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
1806 		retry_long = nla_get_u8(
1807 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
1808 		if (retry_long == 0) {
1809 			result = -EINVAL;
1810 			goto bad_res;
1811 		}
1812 		changed |= WIPHY_PARAM_RETRY_LONG;
1813 	}
1814 
1815 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
1816 		frag_threshold = nla_get_u32(
1817 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
1818 		if (frag_threshold < 256) {
1819 			result = -EINVAL;
1820 			goto bad_res;
1821 		}
1822 		if (frag_threshold != (u32) -1) {
1823 			/*
1824 			 * Fragments (apart from the last one) are required to
1825 			 * have even length. Make the fragmentation code
1826 			 * simpler by stripping LSB should someone try to use
1827 			 * odd threshold value.
1828 			 */
1829 			frag_threshold &= ~0x1;
1830 		}
1831 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
1832 	}
1833 
1834 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
1835 		rts_threshold = nla_get_u32(
1836 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
1837 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
1838 	}
1839 
1840 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
1841 		coverage_class = nla_get_u8(
1842 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
1843 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
1844 	}
1845 
1846 	if (changed) {
1847 		u8 old_retry_short, old_retry_long;
1848 		u32 old_frag_threshold, old_rts_threshold;
1849 		u8 old_coverage_class;
1850 
1851 		if (!rdev->ops->set_wiphy_params) {
1852 			result = -EOPNOTSUPP;
1853 			goto bad_res;
1854 		}
1855 
1856 		old_retry_short = rdev->wiphy.retry_short;
1857 		old_retry_long = rdev->wiphy.retry_long;
1858 		old_frag_threshold = rdev->wiphy.frag_threshold;
1859 		old_rts_threshold = rdev->wiphy.rts_threshold;
1860 		old_coverage_class = rdev->wiphy.coverage_class;
1861 
1862 		if (changed & WIPHY_PARAM_RETRY_SHORT)
1863 			rdev->wiphy.retry_short = retry_short;
1864 		if (changed & WIPHY_PARAM_RETRY_LONG)
1865 			rdev->wiphy.retry_long = retry_long;
1866 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
1867 			rdev->wiphy.frag_threshold = frag_threshold;
1868 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
1869 			rdev->wiphy.rts_threshold = rts_threshold;
1870 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
1871 			rdev->wiphy.coverage_class = coverage_class;
1872 
1873 		result = rdev_set_wiphy_params(rdev, changed);
1874 		if (result) {
1875 			rdev->wiphy.retry_short = old_retry_short;
1876 			rdev->wiphy.retry_long = old_retry_long;
1877 			rdev->wiphy.frag_threshold = old_frag_threshold;
1878 			rdev->wiphy.rts_threshold = old_rts_threshold;
1879 			rdev->wiphy.coverage_class = old_coverage_class;
1880 		}
1881 	}
1882 
1883  bad_res:
1884 	mutex_unlock(&rdev->mtx);
1885 	if (netdev)
1886 		dev_put(netdev);
1887 	return result;
1888 }
1889 
1890 static inline u64 wdev_id(struct wireless_dev *wdev)
1891 {
1892 	return (u64)wdev->identifier |
1893 	       ((u64)wiphy_to_dev(wdev->wiphy)->wiphy_idx << 32);
1894 }
1895 
1896 static int nl80211_send_chandef(struct sk_buff *msg,
1897 				 struct cfg80211_chan_def *chandef)
1898 {
1899 	WARN_ON(!cfg80211_chandef_valid(chandef));
1900 
1901 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
1902 			chandef->chan->center_freq))
1903 		return -ENOBUFS;
1904 	switch (chandef->width) {
1905 	case NL80211_CHAN_WIDTH_20_NOHT:
1906 	case NL80211_CHAN_WIDTH_20:
1907 	case NL80211_CHAN_WIDTH_40:
1908 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
1909 				cfg80211_get_chandef_type(chandef)))
1910 			return -ENOBUFS;
1911 		break;
1912 	default:
1913 		break;
1914 	}
1915 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
1916 		return -ENOBUFS;
1917 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
1918 		return -ENOBUFS;
1919 	if (chandef->center_freq2 &&
1920 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
1921 		return -ENOBUFS;
1922 	return 0;
1923 }
1924 
1925 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
1926 			      struct cfg80211_registered_device *rdev,
1927 			      struct wireless_dev *wdev)
1928 {
1929 	struct net_device *dev = wdev->netdev;
1930 	void *hdr;
1931 
1932 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_INTERFACE);
1933 	if (!hdr)
1934 		return -1;
1935 
1936 	if (dev &&
1937 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
1938 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
1939 		goto nla_put_failure;
1940 
1941 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
1942 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
1943 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
1944 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
1945 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
1946 			rdev->devlist_generation ^
1947 			(cfg80211_rdev_list_generation << 2)))
1948 		goto nla_put_failure;
1949 
1950 	if (rdev->ops->get_channel) {
1951 		int ret;
1952 		struct cfg80211_chan_def chandef;
1953 
1954 		ret = rdev_get_channel(rdev, wdev, &chandef);
1955 		if (ret == 0) {
1956 			if (nl80211_send_chandef(msg, &chandef))
1957 				goto nla_put_failure;
1958 		}
1959 	}
1960 
1961 	if (wdev->ssid_len) {
1962 		if (nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
1963 			goto nla_put_failure;
1964 	}
1965 
1966 	return genlmsg_end(msg, hdr);
1967 
1968  nla_put_failure:
1969 	genlmsg_cancel(msg, hdr);
1970 	return -EMSGSIZE;
1971 }
1972 
1973 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
1974 {
1975 	int wp_idx = 0;
1976 	int if_idx = 0;
1977 	int wp_start = cb->args[0];
1978 	int if_start = cb->args[1];
1979 	struct cfg80211_registered_device *rdev;
1980 	struct wireless_dev *wdev;
1981 
1982 	mutex_lock(&cfg80211_mutex);
1983 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
1984 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
1985 			continue;
1986 		if (wp_idx < wp_start) {
1987 			wp_idx++;
1988 			continue;
1989 		}
1990 		if_idx = 0;
1991 
1992 		mutex_lock(&rdev->devlist_mtx);
1993 		list_for_each_entry(wdev, &rdev->wdev_list, list) {
1994 			if (if_idx < if_start) {
1995 				if_idx++;
1996 				continue;
1997 			}
1998 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
1999 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
2000 					       rdev, wdev) < 0) {
2001 				mutex_unlock(&rdev->devlist_mtx);
2002 				goto out;
2003 			}
2004 			if_idx++;
2005 		}
2006 		mutex_unlock(&rdev->devlist_mtx);
2007 
2008 		wp_idx++;
2009 	}
2010  out:
2011 	mutex_unlock(&cfg80211_mutex);
2012 
2013 	cb->args[0] = wp_idx;
2014 	cb->args[1] = if_idx;
2015 
2016 	return skb->len;
2017 }
2018 
2019 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
2020 {
2021 	struct sk_buff *msg;
2022 	struct cfg80211_registered_device *dev = info->user_ptr[0];
2023 	struct wireless_dev *wdev = info->user_ptr[1];
2024 
2025 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2026 	if (!msg)
2027 		return -ENOMEM;
2028 
2029 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2030 			       dev, wdev) < 0) {
2031 		nlmsg_free(msg);
2032 		return -ENOBUFS;
2033 	}
2034 
2035 	return genlmsg_reply(msg, info);
2036 }
2037 
2038 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
2039 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
2040 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
2041 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
2042 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
2043 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
2044 };
2045 
2046 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
2047 {
2048 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
2049 	int flag;
2050 
2051 	*mntrflags = 0;
2052 
2053 	if (!nla)
2054 		return -EINVAL;
2055 
2056 	if (nla_parse_nested(flags, NL80211_MNTR_FLAG_MAX,
2057 			     nla, mntr_flags_policy))
2058 		return -EINVAL;
2059 
2060 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
2061 		if (flags[flag])
2062 			*mntrflags |= (1<<flag);
2063 
2064 	return 0;
2065 }
2066 
2067 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
2068 			       struct net_device *netdev, u8 use_4addr,
2069 			       enum nl80211_iftype iftype)
2070 {
2071 	if (!use_4addr) {
2072 		if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
2073 			return -EBUSY;
2074 		return 0;
2075 	}
2076 
2077 	switch (iftype) {
2078 	case NL80211_IFTYPE_AP_VLAN:
2079 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
2080 			return 0;
2081 		break;
2082 	case NL80211_IFTYPE_STATION:
2083 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
2084 			return 0;
2085 		break;
2086 	default:
2087 		break;
2088 	}
2089 
2090 	return -EOPNOTSUPP;
2091 }
2092 
2093 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
2094 {
2095 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2096 	struct vif_params params;
2097 	int err;
2098 	enum nl80211_iftype otype, ntype;
2099 	struct net_device *dev = info->user_ptr[1];
2100 	u32 _flags, *flags = NULL;
2101 	bool change = false;
2102 
2103 	memset(&params, 0, sizeof(params));
2104 
2105 	otype = ntype = dev->ieee80211_ptr->iftype;
2106 
2107 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2108 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2109 		if (otype != ntype)
2110 			change = true;
2111 		if (ntype > NL80211_IFTYPE_MAX)
2112 			return -EINVAL;
2113 	}
2114 
2115 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
2116 		struct wireless_dev *wdev = dev->ieee80211_ptr;
2117 
2118 		if (ntype != NL80211_IFTYPE_MESH_POINT)
2119 			return -EINVAL;
2120 		if (netif_running(dev))
2121 			return -EBUSY;
2122 
2123 		wdev_lock(wdev);
2124 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2125 			     IEEE80211_MAX_MESH_ID_LEN);
2126 		wdev->mesh_id_up_len =
2127 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2128 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2129 		       wdev->mesh_id_up_len);
2130 		wdev_unlock(wdev);
2131 	}
2132 
2133 	if (info->attrs[NL80211_ATTR_4ADDR]) {
2134 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2135 		change = true;
2136 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
2137 		if (err)
2138 			return err;
2139 	} else {
2140 		params.use_4addr = -1;
2141 	}
2142 
2143 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
2144 		if (ntype != NL80211_IFTYPE_MONITOR)
2145 			return -EINVAL;
2146 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
2147 					  &_flags);
2148 		if (err)
2149 			return err;
2150 
2151 		flags = &_flags;
2152 		change = true;
2153 	}
2154 
2155 	if (change)
2156 		err = cfg80211_change_iface(rdev, dev, ntype, flags, &params);
2157 	else
2158 		err = 0;
2159 
2160 	if (!err && params.use_4addr != -1)
2161 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
2162 
2163 	return err;
2164 }
2165 
2166 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
2167 {
2168 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2169 	struct vif_params params;
2170 	struct wireless_dev *wdev;
2171 	struct sk_buff *msg;
2172 	int err;
2173 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
2174 	u32 flags;
2175 
2176 	memset(&params, 0, sizeof(params));
2177 
2178 	if (!info->attrs[NL80211_ATTR_IFNAME])
2179 		return -EINVAL;
2180 
2181 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2182 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2183 		if (type > NL80211_IFTYPE_MAX)
2184 			return -EINVAL;
2185 	}
2186 
2187 	if (!rdev->ops->add_virtual_intf ||
2188 	    !(rdev->wiphy.interface_modes & (1 << type)))
2189 		return -EOPNOTSUPP;
2190 
2191 	if (type == NL80211_IFTYPE_P2P_DEVICE && info->attrs[NL80211_ATTR_MAC]) {
2192 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
2193 			   ETH_ALEN);
2194 		if (!is_valid_ether_addr(params.macaddr))
2195 			return -EADDRNOTAVAIL;
2196 	}
2197 
2198 	if (info->attrs[NL80211_ATTR_4ADDR]) {
2199 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2200 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
2201 		if (err)
2202 			return err;
2203 	}
2204 
2205 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2206 	if (!msg)
2207 		return -ENOMEM;
2208 
2209 	err = parse_monitor_flags(type == NL80211_IFTYPE_MONITOR ?
2210 				  info->attrs[NL80211_ATTR_MNTR_FLAGS] : NULL,
2211 				  &flags);
2212 	wdev = rdev_add_virtual_intf(rdev,
2213 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
2214 				type, err ? NULL : &flags, &params);
2215 	if (IS_ERR(wdev)) {
2216 		nlmsg_free(msg);
2217 		return PTR_ERR(wdev);
2218 	}
2219 
2220 	switch (type) {
2221 	case NL80211_IFTYPE_MESH_POINT:
2222 		if (!info->attrs[NL80211_ATTR_MESH_ID])
2223 			break;
2224 		wdev_lock(wdev);
2225 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2226 			     IEEE80211_MAX_MESH_ID_LEN);
2227 		wdev->mesh_id_up_len =
2228 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2229 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2230 		       wdev->mesh_id_up_len);
2231 		wdev_unlock(wdev);
2232 		break;
2233 	case NL80211_IFTYPE_P2P_DEVICE:
2234 		/*
2235 		 * P2P Device doesn't have a netdev, so doesn't go
2236 		 * through the netdev notifier and must be added here
2237 		 */
2238 		mutex_init(&wdev->mtx);
2239 		INIT_LIST_HEAD(&wdev->event_list);
2240 		spin_lock_init(&wdev->event_lock);
2241 		INIT_LIST_HEAD(&wdev->mgmt_registrations);
2242 		spin_lock_init(&wdev->mgmt_registrations_lock);
2243 
2244 		mutex_lock(&rdev->devlist_mtx);
2245 		wdev->identifier = ++rdev->wdev_id;
2246 		list_add_rcu(&wdev->list, &rdev->wdev_list);
2247 		rdev->devlist_generation++;
2248 		mutex_unlock(&rdev->devlist_mtx);
2249 		break;
2250 	default:
2251 		break;
2252 	}
2253 
2254 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2255 			       rdev, wdev) < 0) {
2256 		nlmsg_free(msg);
2257 		return -ENOBUFS;
2258 	}
2259 
2260 	return genlmsg_reply(msg, info);
2261 }
2262 
2263 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
2264 {
2265 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2266 	struct wireless_dev *wdev = info->user_ptr[1];
2267 
2268 	if (!rdev->ops->del_virtual_intf)
2269 		return -EOPNOTSUPP;
2270 
2271 	/*
2272 	 * If we remove a wireless device without a netdev then clear
2273 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
2274 	 * to check if it needs to do dev_put(). Otherwise it crashes
2275 	 * since the wdev has been freed, unlike with a netdev where
2276 	 * we need the dev_put() for the netdev to really be freed.
2277 	 */
2278 	if (!wdev->netdev)
2279 		info->user_ptr[1] = NULL;
2280 
2281 	return rdev_del_virtual_intf(rdev, wdev);
2282 }
2283 
2284 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
2285 {
2286 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2287 	struct net_device *dev = info->user_ptr[1];
2288 	u16 noack_map;
2289 
2290 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
2291 		return -EINVAL;
2292 
2293 	if (!rdev->ops->set_noack_map)
2294 		return -EOPNOTSUPP;
2295 
2296 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
2297 
2298 	return rdev_set_noack_map(rdev, dev, noack_map);
2299 }
2300 
2301 struct get_key_cookie {
2302 	struct sk_buff *msg;
2303 	int error;
2304 	int idx;
2305 };
2306 
2307 static void get_key_callback(void *c, struct key_params *params)
2308 {
2309 	struct nlattr *key;
2310 	struct get_key_cookie *cookie = c;
2311 
2312 	if ((params->key &&
2313 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
2314 		     params->key_len, params->key)) ||
2315 	    (params->seq &&
2316 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
2317 		     params->seq_len, params->seq)) ||
2318 	    (params->cipher &&
2319 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
2320 			 params->cipher)))
2321 		goto nla_put_failure;
2322 
2323 	key = nla_nest_start(cookie->msg, NL80211_ATTR_KEY);
2324 	if (!key)
2325 		goto nla_put_failure;
2326 
2327 	if ((params->key &&
2328 	     nla_put(cookie->msg, NL80211_KEY_DATA,
2329 		     params->key_len, params->key)) ||
2330 	    (params->seq &&
2331 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
2332 		     params->seq_len, params->seq)) ||
2333 	    (params->cipher &&
2334 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
2335 			 params->cipher)))
2336 		goto nla_put_failure;
2337 
2338 	if (nla_put_u8(cookie->msg, NL80211_ATTR_KEY_IDX, cookie->idx))
2339 		goto nla_put_failure;
2340 
2341 	nla_nest_end(cookie->msg, key);
2342 
2343 	return;
2344  nla_put_failure:
2345 	cookie->error = 1;
2346 }
2347 
2348 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
2349 {
2350 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2351 	int err;
2352 	struct net_device *dev = info->user_ptr[1];
2353 	u8 key_idx = 0;
2354 	const u8 *mac_addr = NULL;
2355 	bool pairwise;
2356 	struct get_key_cookie cookie = {
2357 		.error = 0,
2358 	};
2359 	void *hdr;
2360 	struct sk_buff *msg;
2361 
2362 	if (info->attrs[NL80211_ATTR_KEY_IDX])
2363 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
2364 
2365 	if (key_idx > 5)
2366 		return -EINVAL;
2367 
2368 	if (info->attrs[NL80211_ATTR_MAC])
2369 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2370 
2371 	pairwise = !!mac_addr;
2372 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
2373 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
2374 		if (kt >= NUM_NL80211_KEYTYPES)
2375 			return -EINVAL;
2376 		if (kt != NL80211_KEYTYPE_GROUP &&
2377 		    kt != NL80211_KEYTYPE_PAIRWISE)
2378 			return -EINVAL;
2379 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
2380 	}
2381 
2382 	if (!rdev->ops->get_key)
2383 		return -EOPNOTSUPP;
2384 
2385 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2386 	if (!msg)
2387 		return -ENOMEM;
2388 
2389 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
2390 			     NL80211_CMD_NEW_KEY);
2391 	if (IS_ERR(hdr))
2392 		return PTR_ERR(hdr);
2393 
2394 	cookie.msg = msg;
2395 	cookie.idx = key_idx;
2396 
2397 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2398 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
2399 		goto nla_put_failure;
2400 	if (mac_addr &&
2401 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
2402 		goto nla_put_failure;
2403 
2404 	if (pairwise && mac_addr &&
2405 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2406 		return -ENOENT;
2407 
2408 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
2409 			   get_key_callback);
2410 
2411 	if (err)
2412 		goto free_msg;
2413 
2414 	if (cookie.error)
2415 		goto nla_put_failure;
2416 
2417 	genlmsg_end(msg, hdr);
2418 	return genlmsg_reply(msg, info);
2419 
2420  nla_put_failure:
2421 	err = -ENOBUFS;
2422  free_msg:
2423 	nlmsg_free(msg);
2424 	return err;
2425 }
2426 
2427 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
2428 {
2429 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2430 	struct key_parse key;
2431 	int err;
2432 	struct net_device *dev = info->user_ptr[1];
2433 
2434 	err = nl80211_parse_key(info, &key);
2435 	if (err)
2436 		return err;
2437 
2438 	if (key.idx < 0)
2439 		return -EINVAL;
2440 
2441 	/* only support setting default key */
2442 	if (!key.def && !key.defmgmt)
2443 		return -EINVAL;
2444 
2445 	wdev_lock(dev->ieee80211_ptr);
2446 
2447 	if (key.def) {
2448 		if (!rdev->ops->set_default_key) {
2449 			err = -EOPNOTSUPP;
2450 			goto out;
2451 		}
2452 
2453 		err = nl80211_key_allowed(dev->ieee80211_ptr);
2454 		if (err)
2455 			goto out;
2456 
2457 		err = rdev_set_default_key(rdev, dev, key.idx,
2458 						 key.def_uni, key.def_multi);
2459 
2460 		if (err)
2461 			goto out;
2462 
2463 #ifdef CONFIG_CFG80211_WEXT
2464 		dev->ieee80211_ptr->wext.default_key = key.idx;
2465 #endif
2466 	} else {
2467 		if (key.def_uni || !key.def_multi) {
2468 			err = -EINVAL;
2469 			goto out;
2470 		}
2471 
2472 		if (!rdev->ops->set_default_mgmt_key) {
2473 			err = -EOPNOTSUPP;
2474 			goto out;
2475 		}
2476 
2477 		err = nl80211_key_allowed(dev->ieee80211_ptr);
2478 		if (err)
2479 			goto out;
2480 
2481 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
2482 		if (err)
2483 			goto out;
2484 
2485 #ifdef CONFIG_CFG80211_WEXT
2486 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
2487 #endif
2488 	}
2489 
2490  out:
2491 	wdev_unlock(dev->ieee80211_ptr);
2492 
2493 	return err;
2494 }
2495 
2496 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
2497 {
2498 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2499 	int err;
2500 	struct net_device *dev = info->user_ptr[1];
2501 	struct key_parse key;
2502 	const u8 *mac_addr = NULL;
2503 
2504 	err = nl80211_parse_key(info, &key);
2505 	if (err)
2506 		return err;
2507 
2508 	if (!key.p.key)
2509 		return -EINVAL;
2510 
2511 	if (info->attrs[NL80211_ATTR_MAC])
2512 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2513 
2514 	if (key.type == -1) {
2515 		if (mac_addr)
2516 			key.type = NL80211_KEYTYPE_PAIRWISE;
2517 		else
2518 			key.type = NL80211_KEYTYPE_GROUP;
2519 	}
2520 
2521 	/* for now */
2522 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
2523 	    key.type != NL80211_KEYTYPE_GROUP)
2524 		return -EINVAL;
2525 
2526 	if (!rdev->ops->add_key)
2527 		return -EOPNOTSUPP;
2528 
2529 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
2530 					   key.type == NL80211_KEYTYPE_PAIRWISE,
2531 					   mac_addr))
2532 		return -EINVAL;
2533 
2534 	wdev_lock(dev->ieee80211_ptr);
2535 	err = nl80211_key_allowed(dev->ieee80211_ptr);
2536 	if (!err)
2537 		err = rdev_add_key(rdev, dev, key.idx,
2538 				   key.type == NL80211_KEYTYPE_PAIRWISE,
2539 				    mac_addr, &key.p);
2540 	wdev_unlock(dev->ieee80211_ptr);
2541 
2542 	return err;
2543 }
2544 
2545 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
2546 {
2547 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2548 	int err;
2549 	struct net_device *dev = info->user_ptr[1];
2550 	u8 *mac_addr = NULL;
2551 	struct key_parse key;
2552 
2553 	err = nl80211_parse_key(info, &key);
2554 	if (err)
2555 		return err;
2556 
2557 	if (info->attrs[NL80211_ATTR_MAC])
2558 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2559 
2560 	if (key.type == -1) {
2561 		if (mac_addr)
2562 			key.type = NL80211_KEYTYPE_PAIRWISE;
2563 		else
2564 			key.type = NL80211_KEYTYPE_GROUP;
2565 	}
2566 
2567 	/* for now */
2568 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
2569 	    key.type != NL80211_KEYTYPE_GROUP)
2570 		return -EINVAL;
2571 
2572 	if (!rdev->ops->del_key)
2573 		return -EOPNOTSUPP;
2574 
2575 	wdev_lock(dev->ieee80211_ptr);
2576 	err = nl80211_key_allowed(dev->ieee80211_ptr);
2577 
2578 	if (key.type == NL80211_KEYTYPE_PAIRWISE && mac_addr &&
2579 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2580 		err = -ENOENT;
2581 
2582 	if (!err)
2583 		err = rdev_del_key(rdev, dev, key.idx,
2584 				   key.type == NL80211_KEYTYPE_PAIRWISE,
2585 				   mac_addr);
2586 
2587 #ifdef CONFIG_CFG80211_WEXT
2588 	if (!err) {
2589 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
2590 			dev->ieee80211_ptr->wext.default_key = -1;
2591 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
2592 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
2593 	}
2594 #endif
2595 	wdev_unlock(dev->ieee80211_ptr);
2596 
2597 	return err;
2598 }
2599 
2600 /* This function returns an error or the number of nested attributes */
2601 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
2602 {
2603 	struct nlattr *attr;
2604 	int n_entries = 0, tmp;
2605 
2606 	nla_for_each_nested(attr, nl_attr, tmp) {
2607 		if (nla_len(attr) != ETH_ALEN)
2608 			return -EINVAL;
2609 
2610 		n_entries++;
2611 	}
2612 
2613 	return n_entries;
2614 }
2615 
2616 /*
2617  * This function parses ACL information and allocates memory for ACL data.
2618  * On successful return, the calling function is responsible to free the
2619  * ACL buffer returned by this function.
2620  */
2621 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
2622 						struct genl_info *info)
2623 {
2624 	enum nl80211_acl_policy acl_policy;
2625 	struct nlattr *attr;
2626 	struct cfg80211_acl_data *acl;
2627 	int i = 0, n_entries, tmp;
2628 
2629 	if (!wiphy->max_acl_mac_addrs)
2630 		return ERR_PTR(-EOPNOTSUPP);
2631 
2632 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
2633 		return ERR_PTR(-EINVAL);
2634 
2635 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
2636 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
2637 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
2638 		return ERR_PTR(-EINVAL);
2639 
2640 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
2641 		return ERR_PTR(-EINVAL);
2642 
2643 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
2644 	if (n_entries < 0)
2645 		return ERR_PTR(n_entries);
2646 
2647 	if (n_entries > wiphy->max_acl_mac_addrs)
2648 		return ERR_PTR(-ENOTSUPP);
2649 
2650 	acl = kzalloc(sizeof(*acl) + (sizeof(struct mac_address) * n_entries),
2651 		      GFP_KERNEL);
2652 	if (!acl)
2653 		return ERR_PTR(-ENOMEM);
2654 
2655 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
2656 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
2657 		i++;
2658 	}
2659 
2660 	acl->n_acl_entries = n_entries;
2661 	acl->acl_policy = acl_policy;
2662 
2663 	return acl;
2664 }
2665 
2666 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
2667 {
2668 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2669 	struct net_device *dev = info->user_ptr[1];
2670 	struct cfg80211_acl_data *acl;
2671 	int err;
2672 
2673 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2674 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2675 		return -EOPNOTSUPP;
2676 
2677 	if (!dev->ieee80211_ptr->beacon_interval)
2678 		return -EINVAL;
2679 
2680 	acl = parse_acl_data(&rdev->wiphy, info);
2681 	if (IS_ERR(acl))
2682 		return PTR_ERR(acl);
2683 
2684 	err = rdev_set_mac_acl(rdev, dev, acl);
2685 
2686 	kfree(acl);
2687 
2688 	return err;
2689 }
2690 
2691 static int nl80211_parse_beacon(struct genl_info *info,
2692 				struct cfg80211_beacon_data *bcn)
2693 {
2694 	bool haveinfo = false;
2695 
2696 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_BEACON_TAIL]) ||
2697 	    !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]) ||
2698 	    !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE_PROBE_RESP]) ||
2699 	    !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]))
2700 		return -EINVAL;
2701 
2702 	memset(bcn, 0, sizeof(*bcn));
2703 
2704 	if (info->attrs[NL80211_ATTR_BEACON_HEAD]) {
2705 		bcn->head = nla_data(info->attrs[NL80211_ATTR_BEACON_HEAD]);
2706 		bcn->head_len = nla_len(info->attrs[NL80211_ATTR_BEACON_HEAD]);
2707 		if (!bcn->head_len)
2708 			return -EINVAL;
2709 		haveinfo = true;
2710 	}
2711 
2712 	if (info->attrs[NL80211_ATTR_BEACON_TAIL]) {
2713 		bcn->tail = nla_data(info->attrs[NL80211_ATTR_BEACON_TAIL]);
2714 		bcn->tail_len =
2715 		    nla_len(info->attrs[NL80211_ATTR_BEACON_TAIL]);
2716 		haveinfo = true;
2717 	}
2718 
2719 	if (!haveinfo)
2720 		return -EINVAL;
2721 
2722 	if (info->attrs[NL80211_ATTR_IE]) {
2723 		bcn->beacon_ies = nla_data(info->attrs[NL80211_ATTR_IE]);
2724 		bcn->beacon_ies_len = nla_len(info->attrs[NL80211_ATTR_IE]);
2725 	}
2726 
2727 	if (info->attrs[NL80211_ATTR_IE_PROBE_RESP]) {
2728 		bcn->proberesp_ies =
2729 			nla_data(info->attrs[NL80211_ATTR_IE_PROBE_RESP]);
2730 		bcn->proberesp_ies_len =
2731 			nla_len(info->attrs[NL80211_ATTR_IE_PROBE_RESP]);
2732 	}
2733 
2734 	if (info->attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
2735 		bcn->assocresp_ies =
2736 			nla_data(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]);
2737 		bcn->assocresp_ies_len =
2738 			nla_len(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]);
2739 	}
2740 
2741 	if (info->attrs[NL80211_ATTR_PROBE_RESP]) {
2742 		bcn->probe_resp =
2743 			nla_data(info->attrs[NL80211_ATTR_PROBE_RESP]);
2744 		bcn->probe_resp_len =
2745 			nla_len(info->attrs[NL80211_ATTR_PROBE_RESP]);
2746 	}
2747 
2748 	return 0;
2749 }
2750 
2751 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
2752 				   struct cfg80211_ap_settings *params)
2753 {
2754 	struct wireless_dev *wdev;
2755 	bool ret = false;
2756 
2757 	mutex_lock(&rdev->devlist_mtx);
2758 
2759 	list_for_each_entry(wdev, &rdev->wdev_list, list) {
2760 		if (wdev->iftype != NL80211_IFTYPE_AP &&
2761 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
2762 			continue;
2763 
2764 		if (!wdev->preset_chandef.chan)
2765 			continue;
2766 
2767 		params->chandef = wdev->preset_chandef;
2768 		ret = true;
2769 		break;
2770 	}
2771 
2772 	mutex_unlock(&rdev->devlist_mtx);
2773 
2774 	return ret;
2775 }
2776 
2777 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
2778 				    enum nl80211_auth_type auth_type,
2779 				    enum nl80211_commands cmd)
2780 {
2781 	if (auth_type > NL80211_AUTHTYPE_MAX)
2782 		return false;
2783 
2784 	switch (cmd) {
2785 	case NL80211_CMD_AUTHENTICATE:
2786 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
2787 		    auth_type == NL80211_AUTHTYPE_SAE)
2788 			return false;
2789 		return true;
2790 	case NL80211_CMD_CONNECT:
2791 	case NL80211_CMD_START_AP:
2792 		/* SAE not supported yet */
2793 		if (auth_type == NL80211_AUTHTYPE_SAE)
2794 			return false;
2795 		return true;
2796 	default:
2797 		return false;
2798 	}
2799 }
2800 
2801 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
2802 {
2803 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2804 	struct net_device *dev = info->user_ptr[1];
2805 	struct wireless_dev *wdev = dev->ieee80211_ptr;
2806 	struct cfg80211_ap_settings params;
2807 	int err;
2808 	u8 radar_detect_width = 0;
2809 
2810 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2811 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2812 		return -EOPNOTSUPP;
2813 
2814 	if (!rdev->ops->start_ap)
2815 		return -EOPNOTSUPP;
2816 
2817 	if (wdev->beacon_interval)
2818 		return -EALREADY;
2819 
2820 	memset(&params, 0, sizeof(params));
2821 
2822 	/* these are required for START_AP */
2823 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
2824 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
2825 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
2826 		return -EINVAL;
2827 
2828 	err = nl80211_parse_beacon(info, &params.beacon);
2829 	if (err)
2830 		return err;
2831 
2832 	params.beacon_interval =
2833 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
2834 	params.dtim_period =
2835 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
2836 
2837 	err = cfg80211_validate_beacon_int(rdev, params.beacon_interval);
2838 	if (err)
2839 		return err;
2840 
2841 	/*
2842 	 * In theory, some of these attributes should be required here
2843 	 * but since they were not used when the command was originally
2844 	 * added, keep them optional for old user space programs to let
2845 	 * them continue to work with drivers that do not need the
2846 	 * additional information -- drivers must check!
2847 	 */
2848 	if (info->attrs[NL80211_ATTR_SSID]) {
2849 		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
2850 		params.ssid_len =
2851 			nla_len(info->attrs[NL80211_ATTR_SSID]);
2852 		if (params.ssid_len == 0 ||
2853 		    params.ssid_len > IEEE80211_MAX_SSID_LEN)
2854 			return -EINVAL;
2855 	}
2856 
2857 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID]) {
2858 		params.hidden_ssid = nla_get_u32(
2859 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
2860 		if (params.hidden_ssid != NL80211_HIDDEN_SSID_NOT_IN_USE &&
2861 		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_LEN &&
2862 		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_CONTENTS)
2863 			return -EINVAL;
2864 	}
2865 
2866 	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
2867 
2868 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
2869 		params.auth_type = nla_get_u32(
2870 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
2871 		if (!nl80211_valid_auth_type(rdev, params.auth_type,
2872 					     NL80211_CMD_START_AP))
2873 			return -EINVAL;
2874 	} else
2875 		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
2876 
2877 	err = nl80211_crypto_settings(rdev, info, &params.crypto,
2878 				      NL80211_MAX_NR_CIPHER_SUITES);
2879 	if (err)
2880 		return err;
2881 
2882 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
2883 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
2884 			return -EOPNOTSUPP;
2885 		params.inactivity_timeout = nla_get_u16(
2886 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
2887 	}
2888 
2889 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
2890 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2891 			return -EINVAL;
2892 		params.p2p_ctwindow =
2893 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
2894 		if (params.p2p_ctwindow > 127)
2895 			return -EINVAL;
2896 		if (params.p2p_ctwindow != 0 &&
2897 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
2898 			return -EINVAL;
2899 	}
2900 
2901 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
2902 		u8 tmp;
2903 
2904 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2905 			return -EINVAL;
2906 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
2907 		if (tmp > 1)
2908 			return -EINVAL;
2909 		params.p2p_opp_ps = tmp;
2910 		if (params.p2p_opp_ps != 0 &&
2911 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
2912 			return -EINVAL;
2913 	}
2914 
2915 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2916 		err = nl80211_parse_chandef(rdev, info, &params.chandef);
2917 		if (err)
2918 			return err;
2919 	} else if (wdev->preset_chandef.chan) {
2920 		params.chandef = wdev->preset_chandef;
2921 	} else if (!nl80211_get_ap_channel(rdev, &params))
2922 		return -EINVAL;
2923 
2924 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &params.chandef))
2925 		return -EINVAL;
2926 
2927 	err = cfg80211_chandef_dfs_required(wdev->wiphy, &params.chandef);
2928 	if (err < 0)
2929 		return err;
2930 	if (err) {
2931 		radar_detect_width = BIT(params.chandef.width);
2932 		params.radar_required = true;
2933 	}
2934 
2935 	mutex_lock(&rdev->devlist_mtx);
2936 	err = cfg80211_can_use_iftype_chan(rdev, wdev, wdev->iftype,
2937 					   params.chandef.chan,
2938 					   CHAN_MODE_SHARED,
2939 					   radar_detect_width);
2940 	mutex_unlock(&rdev->devlist_mtx);
2941 
2942 	if (err)
2943 		return err;
2944 
2945 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
2946 		params.acl = parse_acl_data(&rdev->wiphy, info);
2947 		if (IS_ERR(params.acl))
2948 			return PTR_ERR(params.acl);
2949 	}
2950 
2951 	err = rdev_start_ap(rdev, dev, &params);
2952 	if (!err) {
2953 		wdev->preset_chandef = params.chandef;
2954 		wdev->beacon_interval = params.beacon_interval;
2955 		wdev->channel = params.chandef.chan;
2956 		wdev->ssid_len = params.ssid_len;
2957 		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
2958 	}
2959 
2960 	kfree(params.acl);
2961 
2962 	return err;
2963 }
2964 
2965 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
2966 {
2967 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2968 	struct net_device *dev = info->user_ptr[1];
2969 	struct wireless_dev *wdev = dev->ieee80211_ptr;
2970 	struct cfg80211_beacon_data params;
2971 	int err;
2972 
2973 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2974 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2975 		return -EOPNOTSUPP;
2976 
2977 	if (!rdev->ops->change_beacon)
2978 		return -EOPNOTSUPP;
2979 
2980 	if (!wdev->beacon_interval)
2981 		return -EINVAL;
2982 
2983 	err = nl80211_parse_beacon(info, &params);
2984 	if (err)
2985 		return err;
2986 
2987 	return rdev_change_beacon(rdev, dev, &params);
2988 }
2989 
2990 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
2991 {
2992 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2993 	struct net_device *dev = info->user_ptr[1];
2994 
2995 	return cfg80211_stop_ap(rdev, dev);
2996 }
2997 
2998 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
2999 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
3000 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
3001 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
3002 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
3003 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
3004 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
3005 };
3006 
3007 static int parse_station_flags(struct genl_info *info,
3008 			       enum nl80211_iftype iftype,
3009 			       struct station_parameters *params)
3010 {
3011 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
3012 	struct nlattr *nla;
3013 	int flag;
3014 
3015 	/*
3016 	 * Try parsing the new attribute first so userspace
3017 	 * can specify both for older kernels.
3018 	 */
3019 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
3020 	if (nla) {
3021 		struct nl80211_sta_flag_update *sta_flags;
3022 
3023 		sta_flags = nla_data(nla);
3024 		params->sta_flags_mask = sta_flags->mask;
3025 		params->sta_flags_set = sta_flags->set;
3026 		if ((params->sta_flags_mask |
3027 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
3028 			return -EINVAL;
3029 		return 0;
3030 	}
3031 
3032 	/* if present, parse the old attribute */
3033 
3034 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
3035 	if (!nla)
3036 		return 0;
3037 
3038 	if (nla_parse_nested(flags, NL80211_STA_FLAG_MAX,
3039 			     nla, sta_flags_policy))
3040 		return -EINVAL;
3041 
3042 	/*
3043 	 * Only allow certain flags for interface types so that
3044 	 * other attributes are silently ignored. Remember that
3045 	 * this is backward compatibility code with old userspace
3046 	 * and shouldn't be hit in other cases anyway.
3047 	 */
3048 	switch (iftype) {
3049 	case NL80211_IFTYPE_AP:
3050 	case NL80211_IFTYPE_AP_VLAN:
3051 	case NL80211_IFTYPE_P2P_GO:
3052 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
3053 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
3054 					 BIT(NL80211_STA_FLAG_WME) |
3055 					 BIT(NL80211_STA_FLAG_MFP);
3056 		break;
3057 	case NL80211_IFTYPE_P2P_CLIENT:
3058 	case NL80211_IFTYPE_STATION:
3059 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
3060 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
3061 		break;
3062 	case NL80211_IFTYPE_MESH_POINT:
3063 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3064 					 BIT(NL80211_STA_FLAG_MFP) |
3065 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
3066 	default:
3067 		return -EINVAL;
3068 	}
3069 
3070 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
3071 		if (flags[flag]) {
3072 			params->sta_flags_set |= (1<<flag);
3073 
3074 			/* no longer support new API additions in old API */
3075 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
3076 				return -EINVAL;
3077 		}
3078 	}
3079 
3080 	return 0;
3081 }
3082 
3083 static bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info,
3084 				 int attr)
3085 {
3086 	struct nlattr *rate;
3087 	u32 bitrate;
3088 	u16 bitrate_compat;
3089 
3090 	rate = nla_nest_start(msg, attr);
3091 	if (!rate)
3092 		return false;
3093 
3094 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
3095 	bitrate = cfg80211_calculate_bitrate(info);
3096 	/* report 16-bit bitrate only if we can */
3097 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
3098 	if (bitrate > 0 &&
3099 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
3100 		return false;
3101 	if (bitrate_compat > 0 &&
3102 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
3103 		return false;
3104 
3105 	if (info->flags & RATE_INFO_FLAGS_MCS) {
3106 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
3107 			return false;
3108 		if (info->flags & RATE_INFO_FLAGS_40_MHZ_WIDTH &&
3109 		    nla_put_flag(msg, NL80211_RATE_INFO_40_MHZ_WIDTH))
3110 			return false;
3111 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3112 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3113 			return false;
3114 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
3115 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
3116 			return false;
3117 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
3118 			return false;
3119 		if (info->flags & RATE_INFO_FLAGS_40_MHZ_WIDTH &&
3120 		    nla_put_flag(msg, NL80211_RATE_INFO_40_MHZ_WIDTH))
3121 			return false;
3122 		if (info->flags & RATE_INFO_FLAGS_80_MHZ_WIDTH &&
3123 		    nla_put_flag(msg, NL80211_RATE_INFO_80_MHZ_WIDTH))
3124 			return false;
3125 		if (info->flags & RATE_INFO_FLAGS_80P80_MHZ_WIDTH &&
3126 		    nla_put_flag(msg, NL80211_RATE_INFO_80P80_MHZ_WIDTH))
3127 			return false;
3128 		if (info->flags & RATE_INFO_FLAGS_160_MHZ_WIDTH &&
3129 		    nla_put_flag(msg, NL80211_RATE_INFO_160_MHZ_WIDTH))
3130 			return false;
3131 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3132 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3133 			return false;
3134 	}
3135 
3136 	nla_nest_end(msg, rate);
3137 	return true;
3138 }
3139 
3140 static int nl80211_send_station(struct sk_buff *msg, u32 portid, u32 seq,
3141 				int flags,
3142 				struct cfg80211_registered_device *rdev,
3143 				struct net_device *dev,
3144 				const u8 *mac_addr, struct station_info *sinfo)
3145 {
3146 	void *hdr;
3147 	struct nlattr *sinfoattr, *bss_param;
3148 
3149 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_STATION);
3150 	if (!hdr)
3151 		return -1;
3152 
3153 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3154 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
3155 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
3156 		goto nla_put_failure;
3157 
3158 	sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
3159 	if (!sinfoattr)
3160 		goto nla_put_failure;
3161 	if ((sinfo->filled & STATION_INFO_CONNECTED_TIME) &&
3162 	    nla_put_u32(msg, NL80211_STA_INFO_CONNECTED_TIME,
3163 			sinfo->connected_time))
3164 		goto nla_put_failure;
3165 	if ((sinfo->filled & STATION_INFO_INACTIVE_TIME) &&
3166 	    nla_put_u32(msg, NL80211_STA_INFO_INACTIVE_TIME,
3167 			sinfo->inactive_time))
3168 		goto nla_put_failure;
3169 	if ((sinfo->filled & (STATION_INFO_RX_BYTES |
3170 			      STATION_INFO_RX_BYTES64)) &&
3171 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
3172 			(u32)sinfo->rx_bytes))
3173 		goto nla_put_failure;
3174 	if ((sinfo->filled & (STATION_INFO_TX_BYTES |
3175 			      NL80211_STA_INFO_TX_BYTES64)) &&
3176 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
3177 			(u32)sinfo->tx_bytes))
3178 		goto nla_put_failure;
3179 	if ((sinfo->filled & STATION_INFO_RX_BYTES64) &&
3180 	    nla_put_u64(msg, NL80211_STA_INFO_RX_BYTES64,
3181 			sinfo->rx_bytes))
3182 		goto nla_put_failure;
3183 	if ((sinfo->filled & STATION_INFO_TX_BYTES64) &&
3184 	    nla_put_u64(msg, NL80211_STA_INFO_TX_BYTES64,
3185 			sinfo->tx_bytes))
3186 		goto nla_put_failure;
3187 	if ((sinfo->filled & STATION_INFO_LLID) &&
3188 	    nla_put_u16(msg, NL80211_STA_INFO_LLID, sinfo->llid))
3189 		goto nla_put_failure;
3190 	if ((sinfo->filled & STATION_INFO_PLID) &&
3191 	    nla_put_u16(msg, NL80211_STA_INFO_PLID, sinfo->plid))
3192 		goto nla_put_failure;
3193 	if ((sinfo->filled & STATION_INFO_PLINK_STATE) &&
3194 	    nla_put_u8(msg, NL80211_STA_INFO_PLINK_STATE,
3195 		       sinfo->plink_state))
3196 		goto nla_put_failure;
3197 	switch (rdev->wiphy.signal_type) {
3198 	case CFG80211_SIGNAL_TYPE_MBM:
3199 		if ((sinfo->filled & STATION_INFO_SIGNAL) &&
3200 		    nla_put_u8(msg, NL80211_STA_INFO_SIGNAL,
3201 			       sinfo->signal))
3202 			goto nla_put_failure;
3203 		if ((sinfo->filled & STATION_INFO_SIGNAL_AVG) &&
3204 		    nla_put_u8(msg, NL80211_STA_INFO_SIGNAL_AVG,
3205 			       sinfo->signal_avg))
3206 			goto nla_put_failure;
3207 		break;
3208 	default:
3209 		break;
3210 	}
3211 	if (sinfo->filled & STATION_INFO_TX_BITRATE) {
3212 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
3213 					  NL80211_STA_INFO_TX_BITRATE))
3214 			goto nla_put_failure;
3215 	}
3216 	if (sinfo->filled & STATION_INFO_RX_BITRATE) {
3217 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
3218 					  NL80211_STA_INFO_RX_BITRATE))
3219 			goto nla_put_failure;
3220 	}
3221 	if ((sinfo->filled & STATION_INFO_RX_PACKETS) &&
3222 	    nla_put_u32(msg, NL80211_STA_INFO_RX_PACKETS,
3223 			sinfo->rx_packets))
3224 		goto nla_put_failure;
3225 	if ((sinfo->filled & STATION_INFO_TX_PACKETS) &&
3226 	    nla_put_u32(msg, NL80211_STA_INFO_TX_PACKETS,
3227 			sinfo->tx_packets))
3228 		goto nla_put_failure;
3229 	if ((sinfo->filled & STATION_INFO_TX_RETRIES) &&
3230 	    nla_put_u32(msg, NL80211_STA_INFO_TX_RETRIES,
3231 			sinfo->tx_retries))
3232 		goto nla_put_failure;
3233 	if ((sinfo->filled & STATION_INFO_TX_FAILED) &&
3234 	    nla_put_u32(msg, NL80211_STA_INFO_TX_FAILED,
3235 			sinfo->tx_failed))
3236 		goto nla_put_failure;
3237 	if ((sinfo->filled & STATION_INFO_BEACON_LOSS_COUNT) &&
3238 	    nla_put_u32(msg, NL80211_STA_INFO_BEACON_LOSS,
3239 			sinfo->beacon_loss_count))
3240 		goto nla_put_failure;
3241 	if ((sinfo->filled & STATION_INFO_LOCAL_PM) &&
3242 	    nla_put_u32(msg, NL80211_STA_INFO_LOCAL_PM,
3243 			sinfo->local_pm))
3244 		goto nla_put_failure;
3245 	if ((sinfo->filled & STATION_INFO_PEER_PM) &&
3246 	    nla_put_u32(msg, NL80211_STA_INFO_PEER_PM,
3247 			sinfo->peer_pm))
3248 		goto nla_put_failure;
3249 	if ((sinfo->filled & STATION_INFO_NONPEER_PM) &&
3250 	    nla_put_u32(msg, NL80211_STA_INFO_NONPEER_PM,
3251 			sinfo->nonpeer_pm))
3252 		goto nla_put_failure;
3253 	if (sinfo->filled & STATION_INFO_BSS_PARAM) {
3254 		bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
3255 		if (!bss_param)
3256 			goto nla_put_failure;
3257 
3258 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
3259 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
3260 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
3261 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
3262 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
3263 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
3264 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
3265 			       sinfo->bss_param.dtim_period) ||
3266 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
3267 				sinfo->bss_param.beacon_interval))
3268 			goto nla_put_failure;
3269 
3270 		nla_nest_end(msg, bss_param);
3271 	}
3272 	if ((sinfo->filled & STATION_INFO_STA_FLAGS) &&
3273 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
3274 		    sizeof(struct nl80211_sta_flag_update),
3275 		    &sinfo->sta_flags))
3276 		goto nla_put_failure;
3277 	if ((sinfo->filled & STATION_INFO_T_OFFSET) &&
3278 		nla_put_u64(msg, NL80211_STA_INFO_T_OFFSET,
3279 			    sinfo->t_offset))
3280 		goto nla_put_failure;
3281 	nla_nest_end(msg, sinfoattr);
3282 
3283 	if ((sinfo->filled & STATION_INFO_ASSOC_REQ_IES) &&
3284 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
3285 		    sinfo->assoc_req_ies))
3286 		goto nla_put_failure;
3287 
3288 	return genlmsg_end(msg, hdr);
3289 
3290  nla_put_failure:
3291 	genlmsg_cancel(msg, hdr);
3292 	return -EMSGSIZE;
3293 }
3294 
3295 static int nl80211_dump_station(struct sk_buff *skb,
3296 				struct netlink_callback *cb)
3297 {
3298 	struct station_info sinfo;
3299 	struct cfg80211_registered_device *dev;
3300 	struct net_device *netdev;
3301 	u8 mac_addr[ETH_ALEN];
3302 	int sta_idx = cb->args[1];
3303 	int err;
3304 
3305 	err = nl80211_prepare_netdev_dump(skb, cb, &dev, &netdev);
3306 	if (err)
3307 		return err;
3308 
3309 	if (!dev->ops->dump_station) {
3310 		err = -EOPNOTSUPP;
3311 		goto out_err;
3312 	}
3313 
3314 	while (1) {
3315 		memset(&sinfo, 0, sizeof(sinfo));
3316 		err = rdev_dump_station(dev, netdev, sta_idx,
3317 					mac_addr, &sinfo);
3318 		if (err == -ENOENT)
3319 			break;
3320 		if (err)
3321 			goto out_err;
3322 
3323 		if (nl80211_send_station(skb,
3324 				NETLINK_CB(cb->skb).portid,
3325 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
3326 				dev, netdev, mac_addr,
3327 				&sinfo) < 0)
3328 			goto out;
3329 
3330 		sta_idx++;
3331 	}
3332 
3333 
3334  out:
3335 	cb->args[1] = sta_idx;
3336 	err = skb->len;
3337  out_err:
3338 	nl80211_finish_netdev_dump(dev);
3339 
3340 	return err;
3341 }
3342 
3343 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
3344 {
3345 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3346 	struct net_device *dev = info->user_ptr[1];
3347 	struct station_info sinfo;
3348 	struct sk_buff *msg;
3349 	u8 *mac_addr = NULL;
3350 	int err;
3351 
3352 	memset(&sinfo, 0, sizeof(sinfo));
3353 
3354 	if (!info->attrs[NL80211_ATTR_MAC])
3355 		return -EINVAL;
3356 
3357 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3358 
3359 	if (!rdev->ops->get_station)
3360 		return -EOPNOTSUPP;
3361 
3362 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
3363 	if (err)
3364 		return err;
3365 
3366 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3367 	if (!msg)
3368 		return -ENOMEM;
3369 
3370 	if (nl80211_send_station(msg, info->snd_portid, info->snd_seq, 0,
3371 				 rdev, dev, mac_addr, &sinfo) < 0) {
3372 		nlmsg_free(msg);
3373 		return -ENOBUFS;
3374 	}
3375 
3376 	return genlmsg_reply(msg, info);
3377 }
3378 
3379 /*
3380  * Get vlan interface making sure it is running and on the right wiphy.
3381  */
3382 static struct net_device *get_vlan(struct genl_info *info,
3383 				   struct cfg80211_registered_device *rdev)
3384 {
3385 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
3386 	struct net_device *v;
3387 	int ret;
3388 
3389 	if (!vlanattr)
3390 		return NULL;
3391 
3392 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
3393 	if (!v)
3394 		return ERR_PTR(-ENODEV);
3395 
3396 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
3397 		ret = -EINVAL;
3398 		goto error;
3399 	}
3400 
3401 	if (!netif_running(v)) {
3402 		ret = -ENETDOWN;
3403 		goto error;
3404 	}
3405 
3406 	return v;
3407  error:
3408 	dev_put(v);
3409 	return ERR_PTR(ret);
3410 }
3411 
3412 static struct nla_policy
3413 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] __read_mostly = {
3414 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
3415 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
3416 };
3417 
3418 static int nl80211_set_station_tdls(struct genl_info *info,
3419 				    struct station_parameters *params)
3420 {
3421 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
3422 	struct nlattr *nla;
3423 	int err;
3424 
3425 	/* Dummy STA entry gets updated once the peer capabilities are known */
3426 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
3427 		params->ht_capa =
3428 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
3429 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
3430 		params->vht_capa =
3431 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
3432 
3433 	/* parse WME attributes if present */
3434 	if (!info->attrs[NL80211_ATTR_STA_WME])
3435 		return 0;
3436 
3437 	nla = info->attrs[NL80211_ATTR_STA_WME];
3438 	err = nla_parse_nested(tb, NL80211_STA_WME_MAX, nla,
3439 			       nl80211_sta_wme_policy);
3440 	if (err)
3441 		return err;
3442 
3443 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
3444 		params->uapsd_queues = nla_get_u8(
3445 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
3446 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
3447 		return -EINVAL;
3448 
3449 	if (tb[NL80211_STA_WME_MAX_SP])
3450 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
3451 
3452 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
3453 		return -EINVAL;
3454 
3455 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
3456 
3457 	return 0;
3458 }
3459 
3460 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
3461 {
3462 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3463 	int err;
3464 	struct net_device *dev = info->user_ptr[1];
3465 	struct station_parameters params;
3466 	u8 *mac_addr = NULL;
3467 
3468 	memset(&params, 0, sizeof(params));
3469 
3470 	params.listen_interval = -1;
3471 	params.plink_state = -1;
3472 
3473 	if (info->attrs[NL80211_ATTR_STA_AID])
3474 		return -EINVAL;
3475 
3476 	if (!info->attrs[NL80211_ATTR_MAC])
3477 		return -EINVAL;
3478 
3479 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3480 
3481 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
3482 		params.supported_rates =
3483 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3484 		params.supported_rates_len =
3485 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3486 	}
3487 
3488 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
3489 		params.capability =
3490 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
3491 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
3492 	}
3493 
3494 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
3495 		params.ext_capab =
3496 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
3497 		params.ext_capab_len =
3498 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
3499 	}
3500 
3501 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
3502 		return -EINVAL;
3503 
3504 	if (!rdev->ops->change_station)
3505 		return -EOPNOTSUPP;
3506 
3507 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
3508 		return -EINVAL;
3509 
3510 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
3511 		params.plink_action =
3512 		    nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
3513 
3514 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE])
3515 		params.plink_state =
3516 		    nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
3517 
3518 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]) {
3519 		enum nl80211_mesh_power_mode pm = nla_get_u32(
3520 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
3521 
3522 		if (pm <= NL80211_MESH_POWER_UNKNOWN ||
3523 		    pm > NL80211_MESH_POWER_MAX)
3524 			return -EINVAL;
3525 
3526 		params.local_pm = pm;
3527 	}
3528 
3529 	switch (dev->ieee80211_ptr->iftype) {
3530 	case NL80211_IFTYPE_AP:
3531 	case NL80211_IFTYPE_AP_VLAN:
3532 	case NL80211_IFTYPE_P2P_GO:
3533 		/* disallow mesh-specific things */
3534 		if (params.plink_action)
3535 			return -EINVAL;
3536 		if (params.local_pm)
3537 			return -EINVAL;
3538 
3539 		/* TDLS can't be set, ... */
3540 		if (params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3541 			return -EINVAL;
3542 		/*
3543 		 * ... but don't bother the driver with it. This works around
3544 		 * a hostapd/wpa_supplicant issue -- it always includes the
3545 		 * TLDS_PEER flag in the mask even for AP mode.
3546 		 */
3547 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3548 
3549 		/* accept only the listed bits */
3550 		if (params.sta_flags_mask &
3551 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
3552 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3553 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
3554 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
3555 				  BIT(NL80211_STA_FLAG_WME) |
3556 				  BIT(NL80211_STA_FLAG_MFP)))
3557 			return -EINVAL;
3558 
3559 		/* but authenticated/associated only if driver handles it */
3560 		if (!(rdev->wiphy.features &
3561 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
3562 		    params.sta_flags_mask &
3563 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3564 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
3565 			return -EINVAL;
3566 
3567 		/* reject other things that can't change */
3568 		if (params.supported_rates)
3569 			return -EINVAL;
3570 		if (info->attrs[NL80211_ATTR_STA_CAPABILITY])
3571 			return -EINVAL;
3572 		if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY])
3573 			return -EINVAL;
3574 		if (info->attrs[NL80211_ATTR_HT_CAPABILITY] ||
3575 		    info->attrs[NL80211_ATTR_VHT_CAPABILITY])
3576 			return -EINVAL;
3577 
3578 		/* must be last in here for error handling */
3579 		params.vlan = get_vlan(info, rdev);
3580 		if (IS_ERR(params.vlan))
3581 			return PTR_ERR(params.vlan);
3582 		break;
3583 	case NL80211_IFTYPE_P2P_CLIENT:
3584 	case NL80211_IFTYPE_STATION:
3585 		/*
3586 		 * Don't allow userspace to change the TDLS_PEER flag,
3587 		 * but silently ignore attempts to change it since we
3588 		 * don't have state here to verify that it doesn't try
3589 		 * to change the flag.
3590 		 */
3591 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3592 		/* Include parameters for TDLS peer (driver will check) */
3593 		err = nl80211_set_station_tdls(info, &params);
3594 		if (err)
3595 			return err;
3596 		/* disallow things sta doesn't support */
3597 		if (params.plink_action)
3598 			return -EINVAL;
3599 		if (params.local_pm)
3600 			return -EINVAL;
3601 		/* reject any changes other than AUTHORIZED or WME (for TDLS) */
3602 		if (params.sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
3603 					      BIT(NL80211_STA_FLAG_WME)))
3604 			return -EINVAL;
3605 		break;
3606 	case NL80211_IFTYPE_ADHOC:
3607 		/* disallow things sta doesn't support */
3608 		if (params.plink_action)
3609 			return -EINVAL;
3610 		if (params.local_pm)
3611 			return -EINVAL;
3612 		if (info->attrs[NL80211_ATTR_HT_CAPABILITY] ||
3613 		    info->attrs[NL80211_ATTR_VHT_CAPABILITY])
3614 			return -EINVAL;
3615 		/* reject any changes other than AUTHORIZED */
3616 		if (params.sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
3617 			return -EINVAL;
3618 		break;
3619 	case NL80211_IFTYPE_MESH_POINT:
3620 		/* disallow things mesh doesn't support */
3621 		if (params.vlan)
3622 			return -EINVAL;
3623 		if (params.supported_rates)
3624 			return -EINVAL;
3625 		if (info->attrs[NL80211_ATTR_STA_CAPABILITY])
3626 			return -EINVAL;
3627 		if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY])
3628 			return -EINVAL;
3629 		if (info->attrs[NL80211_ATTR_HT_CAPABILITY] ||
3630 		    info->attrs[NL80211_ATTR_VHT_CAPABILITY])
3631 			return -EINVAL;
3632 		/*
3633 		 * No special handling for TDLS here -- the userspace
3634 		 * mesh code doesn't have this bug.
3635 		 */
3636 		if (params.sta_flags_mask &
3637 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3638 				  BIT(NL80211_STA_FLAG_MFP) |
3639 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
3640 			return -EINVAL;
3641 		break;
3642 	default:
3643 		return -EOPNOTSUPP;
3644 	}
3645 
3646 	/* be aware of params.vlan when changing code here */
3647 
3648 	err = rdev_change_station(rdev, dev, mac_addr, &params);
3649 
3650 	if (params.vlan)
3651 		dev_put(params.vlan);
3652 
3653 	return err;
3654 }
3655 
3656 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
3657 {
3658 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3659 	int err;
3660 	struct net_device *dev = info->user_ptr[1];
3661 	struct station_parameters params;
3662 	u8 *mac_addr = NULL;
3663 
3664 	memset(&params, 0, sizeof(params));
3665 
3666 	if (!info->attrs[NL80211_ATTR_MAC])
3667 		return -EINVAL;
3668 
3669 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
3670 		return -EINVAL;
3671 
3672 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
3673 		return -EINVAL;
3674 
3675 	if (!info->attrs[NL80211_ATTR_STA_AID])
3676 		return -EINVAL;
3677 
3678 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3679 	params.supported_rates =
3680 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3681 	params.supported_rates_len =
3682 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3683 	params.listen_interval =
3684 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
3685 
3686 	params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
3687 	if (!params.aid || params.aid > IEEE80211_MAX_AID)
3688 		return -EINVAL;
3689 
3690 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
3691 		params.capability =
3692 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
3693 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
3694 	}
3695 
3696 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
3697 		params.ext_capab =
3698 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
3699 		params.ext_capab_len =
3700 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
3701 	}
3702 
3703 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
3704 		params.ht_capa =
3705 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
3706 
3707 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
3708 		params.vht_capa =
3709 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
3710 
3711 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
3712 		params.plink_action =
3713 		    nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
3714 
3715 	if (!rdev->ops->add_station)
3716 		return -EOPNOTSUPP;
3717 
3718 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
3719 		return -EINVAL;
3720 
3721 	switch (dev->ieee80211_ptr->iftype) {
3722 	case NL80211_IFTYPE_AP:
3723 	case NL80211_IFTYPE_AP_VLAN:
3724 	case NL80211_IFTYPE_P2P_GO:
3725 		/* parse WME attributes if sta is WME capable */
3726 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
3727 		    (params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)) &&
3728 		    info->attrs[NL80211_ATTR_STA_WME]) {
3729 			struct nlattr *tb[NL80211_STA_WME_MAX + 1];
3730 			struct nlattr *nla;
3731 
3732 			nla = info->attrs[NL80211_ATTR_STA_WME];
3733 			err = nla_parse_nested(tb, NL80211_STA_WME_MAX, nla,
3734 					       nl80211_sta_wme_policy);
3735 			if (err)
3736 				return err;
3737 
3738 			if (tb[NL80211_STA_WME_UAPSD_QUEUES])
3739 				params.uapsd_queues =
3740 				     nla_get_u8(tb[NL80211_STA_WME_UAPSD_QUEUES]);
3741 			if (params.uapsd_queues &
3742 					~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
3743 				return -EINVAL;
3744 
3745 			if (tb[NL80211_STA_WME_MAX_SP])
3746 				params.max_sp =
3747 				     nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
3748 
3749 			if (params.max_sp &
3750 					~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
3751 				return -EINVAL;
3752 
3753 			params.sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
3754 		}
3755 		/* TDLS peers cannot be added */
3756 		if (params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3757 			return -EINVAL;
3758 		/* but don't bother the driver with it */
3759 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3760 
3761 		/* allow authenticated/associated only if driver handles it */
3762 		if (!(rdev->wiphy.features &
3763 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
3764 		    params.sta_flags_mask &
3765 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3766 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
3767 			return -EINVAL;
3768 
3769 		/* must be last in here for error handling */
3770 		params.vlan = get_vlan(info, rdev);
3771 		if (IS_ERR(params.vlan))
3772 			return PTR_ERR(params.vlan);
3773 		break;
3774 	case NL80211_IFTYPE_MESH_POINT:
3775 		/* associated is disallowed */
3776 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
3777 			return -EINVAL;
3778 		/* TDLS peers cannot be added */
3779 		if (params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3780 			return -EINVAL;
3781 		break;
3782 	case NL80211_IFTYPE_STATION:
3783 		/* associated is disallowed */
3784 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
3785 			return -EINVAL;
3786 		/* Only TDLS peers can be added */
3787 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
3788 			return -EINVAL;
3789 		/* Can only add if TDLS ... */
3790 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
3791 			return -EOPNOTSUPP;
3792 		/* ... with external setup is supported */
3793 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
3794 			return -EOPNOTSUPP;
3795 		break;
3796 	default:
3797 		return -EOPNOTSUPP;
3798 	}
3799 
3800 	/* be aware of params.vlan when changing code here */
3801 
3802 	err = rdev_add_station(rdev, dev, mac_addr, &params);
3803 
3804 	if (params.vlan)
3805 		dev_put(params.vlan);
3806 	return err;
3807 }
3808 
3809 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
3810 {
3811 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3812 	struct net_device *dev = info->user_ptr[1];
3813 	u8 *mac_addr = NULL;
3814 
3815 	if (info->attrs[NL80211_ATTR_MAC])
3816 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3817 
3818 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3819 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
3820 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
3821 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3822 		return -EINVAL;
3823 
3824 	if (!rdev->ops->del_station)
3825 		return -EOPNOTSUPP;
3826 
3827 	return rdev_del_station(rdev, dev, mac_addr);
3828 }
3829 
3830 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
3831 				int flags, struct net_device *dev,
3832 				u8 *dst, u8 *next_hop,
3833 				struct mpath_info *pinfo)
3834 {
3835 	void *hdr;
3836 	struct nlattr *pinfoattr;
3837 
3838 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_STATION);
3839 	if (!hdr)
3840 		return -1;
3841 
3842 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3843 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
3844 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
3845 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
3846 		goto nla_put_failure;
3847 
3848 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MPATH_INFO);
3849 	if (!pinfoattr)
3850 		goto nla_put_failure;
3851 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
3852 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
3853 			pinfo->frame_qlen))
3854 		goto nla_put_failure;
3855 	if (((pinfo->filled & MPATH_INFO_SN) &&
3856 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
3857 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
3858 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
3859 			 pinfo->metric)) ||
3860 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
3861 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
3862 			 pinfo->exptime)) ||
3863 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
3864 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
3865 			pinfo->flags)) ||
3866 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
3867 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
3868 			 pinfo->discovery_timeout)) ||
3869 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
3870 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
3871 			pinfo->discovery_retries)))
3872 		goto nla_put_failure;
3873 
3874 	nla_nest_end(msg, pinfoattr);
3875 
3876 	return genlmsg_end(msg, hdr);
3877 
3878  nla_put_failure:
3879 	genlmsg_cancel(msg, hdr);
3880 	return -EMSGSIZE;
3881 }
3882 
3883 static int nl80211_dump_mpath(struct sk_buff *skb,
3884 			      struct netlink_callback *cb)
3885 {
3886 	struct mpath_info pinfo;
3887 	struct cfg80211_registered_device *dev;
3888 	struct net_device *netdev;
3889 	u8 dst[ETH_ALEN];
3890 	u8 next_hop[ETH_ALEN];
3891 	int path_idx = cb->args[1];
3892 	int err;
3893 
3894 	err = nl80211_prepare_netdev_dump(skb, cb, &dev, &netdev);
3895 	if (err)
3896 		return err;
3897 
3898 	if (!dev->ops->dump_mpath) {
3899 		err = -EOPNOTSUPP;
3900 		goto out_err;
3901 	}
3902 
3903 	if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT) {
3904 		err = -EOPNOTSUPP;
3905 		goto out_err;
3906 	}
3907 
3908 	while (1) {
3909 		err = rdev_dump_mpath(dev, netdev, path_idx, dst, next_hop,
3910 				      &pinfo);
3911 		if (err == -ENOENT)
3912 			break;
3913 		if (err)
3914 			goto out_err;
3915 
3916 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
3917 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
3918 				       netdev, dst, next_hop,
3919 				       &pinfo) < 0)
3920 			goto out;
3921 
3922 		path_idx++;
3923 	}
3924 
3925 
3926  out:
3927 	cb->args[1] = path_idx;
3928 	err = skb->len;
3929  out_err:
3930 	nl80211_finish_netdev_dump(dev);
3931 	return err;
3932 }
3933 
3934 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
3935 {
3936 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3937 	int err;
3938 	struct net_device *dev = info->user_ptr[1];
3939 	struct mpath_info pinfo;
3940 	struct sk_buff *msg;
3941 	u8 *dst = NULL;
3942 	u8 next_hop[ETH_ALEN];
3943 
3944 	memset(&pinfo, 0, sizeof(pinfo));
3945 
3946 	if (!info->attrs[NL80211_ATTR_MAC])
3947 		return -EINVAL;
3948 
3949 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
3950 
3951 	if (!rdev->ops->get_mpath)
3952 		return -EOPNOTSUPP;
3953 
3954 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
3955 		return -EOPNOTSUPP;
3956 
3957 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
3958 	if (err)
3959 		return err;
3960 
3961 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3962 	if (!msg)
3963 		return -ENOMEM;
3964 
3965 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
3966 				 dev, dst, next_hop, &pinfo) < 0) {
3967 		nlmsg_free(msg);
3968 		return -ENOBUFS;
3969 	}
3970 
3971 	return genlmsg_reply(msg, info);
3972 }
3973 
3974 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
3975 {
3976 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3977 	struct net_device *dev = info->user_ptr[1];
3978 	u8 *dst = NULL;
3979 	u8 *next_hop = NULL;
3980 
3981 	if (!info->attrs[NL80211_ATTR_MAC])
3982 		return -EINVAL;
3983 
3984 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
3985 		return -EINVAL;
3986 
3987 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
3988 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
3989 
3990 	if (!rdev->ops->change_mpath)
3991 		return -EOPNOTSUPP;
3992 
3993 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
3994 		return -EOPNOTSUPP;
3995 
3996 	return rdev_change_mpath(rdev, dev, dst, next_hop);
3997 }
3998 
3999 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
4000 {
4001 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4002 	struct net_device *dev = info->user_ptr[1];
4003 	u8 *dst = NULL;
4004 	u8 *next_hop = NULL;
4005 
4006 	if (!info->attrs[NL80211_ATTR_MAC])
4007 		return -EINVAL;
4008 
4009 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
4010 		return -EINVAL;
4011 
4012 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4013 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
4014 
4015 	if (!rdev->ops->add_mpath)
4016 		return -EOPNOTSUPP;
4017 
4018 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4019 		return -EOPNOTSUPP;
4020 
4021 	return rdev_add_mpath(rdev, dev, dst, next_hop);
4022 }
4023 
4024 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
4025 {
4026 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4027 	struct net_device *dev = info->user_ptr[1];
4028 	u8 *dst = NULL;
4029 
4030 	if (info->attrs[NL80211_ATTR_MAC])
4031 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4032 
4033 	if (!rdev->ops->del_mpath)
4034 		return -EOPNOTSUPP;
4035 
4036 	return rdev_del_mpath(rdev, dev, dst);
4037 }
4038 
4039 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
4040 {
4041 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4042 	struct net_device *dev = info->user_ptr[1];
4043 	struct bss_parameters params;
4044 
4045 	memset(&params, 0, sizeof(params));
4046 	/* default to not changing parameters */
4047 	params.use_cts_prot = -1;
4048 	params.use_short_preamble = -1;
4049 	params.use_short_slot_time = -1;
4050 	params.ap_isolate = -1;
4051 	params.ht_opmode = -1;
4052 	params.p2p_ctwindow = -1;
4053 	params.p2p_opp_ps = -1;
4054 
4055 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
4056 		params.use_cts_prot =
4057 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
4058 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
4059 		params.use_short_preamble =
4060 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
4061 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
4062 		params.use_short_slot_time =
4063 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
4064 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
4065 		params.basic_rates =
4066 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
4067 		params.basic_rates_len =
4068 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
4069 	}
4070 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
4071 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
4072 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
4073 		params.ht_opmode =
4074 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
4075 
4076 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
4077 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4078 			return -EINVAL;
4079 		params.p2p_ctwindow =
4080 			nla_get_s8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
4081 		if (params.p2p_ctwindow < 0)
4082 			return -EINVAL;
4083 		if (params.p2p_ctwindow != 0 &&
4084 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
4085 			return -EINVAL;
4086 	}
4087 
4088 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
4089 		u8 tmp;
4090 
4091 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4092 			return -EINVAL;
4093 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
4094 		if (tmp > 1)
4095 			return -EINVAL;
4096 		params.p2p_opp_ps = tmp;
4097 		if (params.p2p_opp_ps &&
4098 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
4099 			return -EINVAL;
4100 	}
4101 
4102 	if (!rdev->ops->change_bss)
4103 		return -EOPNOTSUPP;
4104 
4105 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4106 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4107 		return -EOPNOTSUPP;
4108 
4109 	return rdev_change_bss(rdev, dev, &params);
4110 }
4111 
4112 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
4113 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
4114 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
4115 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
4116 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
4117 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
4118 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
4119 };
4120 
4121 static int parse_reg_rule(struct nlattr *tb[],
4122 	struct ieee80211_reg_rule *reg_rule)
4123 {
4124 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
4125 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
4126 
4127 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
4128 		return -EINVAL;
4129 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
4130 		return -EINVAL;
4131 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
4132 		return -EINVAL;
4133 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
4134 		return -EINVAL;
4135 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
4136 		return -EINVAL;
4137 
4138 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
4139 
4140 	freq_range->start_freq_khz =
4141 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
4142 	freq_range->end_freq_khz =
4143 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
4144 	freq_range->max_bandwidth_khz =
4145 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
4146 
4147 	power_rule->max_eirp =
4148 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
4149 
4150 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
4151 		power_rule->max_antenna_gain =
4152 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
4153 
4154 	return 0;
4155 }
4156 
4157 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
4158 {
4159 	int r;
4160 	char *data = NULL;
4161 	enum nl80211_user_reg_hint_type user_reg_hint_type;
4162 
4163 	/*
4164 	 * You should only get this when cfg80211 hasn't yet initialized
4165 	 * completely when built-in to the kernel right between the time
4166 	 * window between nl80211_init() and regulatory_init(), if that is
4167 	 * even possible.
4168 	 */
4169 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
4170 		return -EINPROGRESS;
4171 
4172 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
4173 		return -EINVAL;
4174 
4175 	data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
4176 
4177 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
4178 		user_reg_hint_type =
4179 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
4180 	else
4181 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
4182 
4183 	switch (user_reg_hint_type) {
4184 	case NL80211_USER_REG_HINT_USER:
4185 	case NL80211_USER_REG_HINT_CELL_BASE:
4186 		break;
4187 	default:
4188 		return -EINVAL;
4189 	}
4190 
4191 	r = regulatory_hint_user(data, user_reg_hint_type);
4192 
4193 	return r;
4194 }
4195 
4196 static int nl80211_get_mesh_config(struct sk_buff *skb,
4197 				   struct genl_info *info)
4198 {
4199 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4200 	struct net_device *dev = info->user_ptr[1];
4201 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4202 	struct mesh_config cur_params;
4203 	int err = 0;
4204 	void *hdr;
4205 	struct nlattr *pinfoattr;
4206 	struct sk_buff *msg;
4207 
4208 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
4209 		return -EOPNOTSUPP;
4210 
4211 	if (!rdev->ops->get_mesh_config)
4212 		return -EOPNOTSUPP;
4213 
4214 	wdev_lock(wdev);
4215 	/* If not connected, get default parameters */
4216 	if (!wdev->mesh_id_len)
4217 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
4218 	else
4219 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
4220 	wdev_unlock(wdev);
4221 
4222 	if (err)
4223 		return err;
4224 
4225 	/* Draw up a netlink message to send back */
4226 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4227 	if (!msg)
4228 		return -ENOMEM;
4229 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4230 			     NL80211_CMD_GET_MESH_CONFIG);
4231 	if (!hdr)
4232 		goto out;
4233 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MESH_CONFIG);
4234 	if (!pinfoattr)
4235 		goto nla_put_failure;
4236 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4237 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
4238 			cur_params.dot11MeshRetryTimeout) ||
4239 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
4240 			cur_params.dot11MeshConfirmTimeout) ||
4241 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
4242 			cur_params.dot11MeshHoldingTimeout) ||
4243 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
4244 			cur_params.dot11MeshMaxPeerLinks) ||
4245 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
4246 		       cur_params.dot11MeshMaxRetries) ||
4247 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
4248 		       cur_params.dot11MeshTTL) ||
4249 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
4250 		       cur_params.element_ttl) ||
4251 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
4252 		       cur_params.auto_open_plinks) ||
4253 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
4254 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
4255 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
4256 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
4257 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
4258 			cur_params.path_refresh_time) ||
4259 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
4260 			cur_params.min_discovery_timeout) ||
4261 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
4262 			cur_params.dot11MeshHWMPactivePathTimeout) ||
4263 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
4264 			cur_params.dot11MeshHWMPpreqMinInterval) ||
4265 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
4266 			cur_params.dot11MeshHWMPperrMinInterval) ||
4267 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
4268 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
4269 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
4270 		       cur_params.dot11MeshHWMPRootMode) ||
4271 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
4272 			cur_params.dot11MeshHWMPRannInterval) ||
4273 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
4274 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
4275 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
4276 		       cur_params.dot11MeshForwarding) ||
4277 	    nla_put_u32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
4278 			cur_params.rssi_threshold) ||
4279 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
4280 			cur_params.ht_opmode) ||
4281 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
4282 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
4283 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
4284 			cur_params.dot11MeshHWMProotInterval) ||
4285 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
4286 			cur_params.dot11MeshHWMPconfirmationInterval) ||
4287 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
4288 			cur_params.power_mode) ||
4289 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
4290 			cur_params.dot11MeshAwakeWindowDuration))
4291 		goto nla_put_failure;
4292 	nla_nest_end(msg, pinfoattr);
4293 	genlmsg_end(msg, hdr);
4294 	return genlmsg_reply(msg, info);
4295 
4296  nla_put_failure:
4297 	genlmsg_cancel(msg, hdr);
4298  out:
4299 	nlmsg_free(msg);
4300 	return -ENOBUFS;
4301 }
4302 
4303 static const struct nla_policy nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
4304 	[NL80211_MESHCONF_RETRY_TIMEOUT] = { .type = NLA_U16 },
4305 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] = { .type = NLA_U16 },
4306 	[NL80211_MESHCONF_HOLDING_TIMEOUT] = { .type = NLA_U16 },
4307 	[NL80211_MESHCONF_MAX_PEER_LINKS] = { .type = NLA_U16 },
4308 	[NL80211_MESHCONF_MAX_RETRIES] = { .type = NLA_U8 },
4309 	[NL80211_MESHCONF_TTL] = { .type = NLA_U8 },
4310 	[NL80211_MESHCONF_ELEMENT_TTL] = { .type = NLA_U8 },
4311 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = { .type = NLA_U8 },
4312 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] = { .type = NLA_U32 },
4313 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
4314 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
4315 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = { .type = NLA_U16 },
4316 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
4317 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] = { .type = NLA_U16 },
4318 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] = { .type = NLA_U16 },
4319 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] = { .type = NLA_U16 },
4320 	[NL80211_MESHCONF_HWMP_ROOTMODE] = { .type = NLA_U8 },
4321 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] = { .type = NLA_U16 },
4322 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = { .type = NLA_U8 },
4323 	[NL80211_MESHCONF_FORWARDING] = { .type = NLA_U8 },
4324 	[NL80211_MESHCONF_RSSI_THRESHOLD] = { .type = NLA_U32 },
4325 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
4326 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
4327 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] = { .type = NLA_U16 },
4328 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] = { .type = NLA_U16 },
4329 	[NL80211_MESHCONF_POWER_MODE] = { .type = NLA_U32 },
4330 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
4331 };
4332 
4333 static const struct nla_policy
4334 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
4335 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
4336 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
4337 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
4338 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
4339 	[NL80211_MESH_SETUP_IE] = { .type = NLA_BINARY,
4340 				    .len = IEEE80211_MAX_DATA_LEN },
4341 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
4342 };
4343 
4344 static int nl80211_parse_mesh_config(struct genl_info *info,
4345 				     struct mesh_config *cfg,
4346 				     u32 *mask_out)
4347 {
4348 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
4349 	u32 mask = 0;
4350 
4351 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, min, max, mask, attr, fn) \
4352 do {									    \
4353 	if (tb[attr]) {							    \
4354 		if (fn(tb[attr]) < min || fn(tb[attr]) > max)		    \
4355 			return -EINVAL;					    \
4356 		cfg->param = fn(tb[attr]);				    \
4357 		mask |= (1 << (attr - 1));				    \
4358 	}								    \
4359 } while (0)
4360 
4361 
4362 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
4363 		return -EINVAL;
4364 	if (nla_parse_nested(tb, NL80211_MESHCONF_ATTR_MAX,
4365 			     info->attrs[NL80211_ATTR_MESH_CONFIG],
4366 			     nl80211_meshconf_params_policy))
4367 		return -EINVAL;
4368 
4369 	/* This makes sure that there aren't more than 32 mesh config
4370 	 * parameters (otherwise our bitfield scheme would not work.) */
4371 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
4372 
4373 	/* Fill in the params struct */
4374 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, 1, 255,
4375 				  mask, NL80211_MESHCONF_RETRY_TIMEOUT,
4376 				  nla_get_u16);
4377 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, 1, 255,
4378 				  mask, NL80211_MESHCONF_CONFIRM_TIMEOUT,
4379 				  nla_get_u16);
4380 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, 1, 255,
4381 				  mask, NL80211_MESHCONF_HOLDING_TIMEOUT,
4382 				  nla_get_u16);
4383 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, 0, 255,
4384 				  mask, NL80211_MESHCONF_MAX_PEER_LINKS,
4385 				  nla_get_u16);
4386 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, 0, 16,
4387 				  mask, NL80211_MESHCONF_MAX_RETRIES,
4388 				  nla_get_u8);
4389 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, 1, 255,
4390 				  mask, NL80211_MESHCONF_TTL, nla_get_u8);
4391 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, 1, 255,
4392 				  mask, NL80211_MESHCONF_ELEMENT_TTL,
4393 				  nla_get_u8);
4394 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, 0, 1,
4395 				  mask, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
4396 				  nla_get_u8);
4397 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
4398 				  1, 255, mask,
4399 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
4400 				  nla_get_u32);
4401 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, 0, 255,
4402 				  mask, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
4403 				  nla_get_u8);
4404 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, 1, 65535,
4405 				  mask, NL80211_MESHCONF_PATH_REFRESH_TIME,
4406 				  nla_get_u32);
4407 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, 1, 65535,
4408 				  mask, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
4409 				  nla_get_u16);
4410 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
4411 				  1, 65535, mask,
4412 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
4413 				  nla_get_u32);
4414 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval,
4415 				  1, 65535, mask,
4416 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
4417 				  nla_get_u16);
4418 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval,
4419 				  1, 65535, mask,
4420 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
4421 				  nla_get_u16);
4422 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
4423 				  dot11MeshHWMPnetDiameterTraversalTime,
4424 				  1, 65535, mask,
4425 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
4426 				  nla_get_u16);
4427 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, 0, 4,
4428 				  mask, NL80211_MESHCONF_HWMP_ROOTMODE,
4429 				  nla_get_u8);
4430 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, 1, 65535,
4431 				  mask, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
4432 				  nla_get_u16);
4433 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
4434 				  dot11MeshGateAnnouncementProtocol, 0, 1,
4435 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
4436 				  nla_get_u8);
4437 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, 0, 1,
4438 				  mask, NL80211_MESHCONF_FORWARDING,
4439 				  nla_get_u8);
4440 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, 1, 255,
4441 				  mask, NL80211_MESHCONF_RSSI_THRESHOLD,
4442 				  nla_get_u32);
4443 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, ht_opmode, 0, 16,
4444 				  mask, NL80211_MESHCONF_HT_OPMODE,
4445 				  nla_get_u16);
4446 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathToRootTimeout,
4447 				  1, 65535, mask,
4448 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
4449 				  nla_get_u32);
4450 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, 1, 65535,
4451 				  mask, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
4452 				  nla_get_u16);
4453 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
4454 				  dot11MeshHWMPconfirmationInterval,
4455 				  1, 65535, mask,
4456 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
4457 				  nla_get_u16);
4458 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode,
4459 				  NL80211_MESH_POWER_ACTIVE,
4460 				  NL80211_MESH_POWER_MAX,
4461 				  mask, NL80211_MESHCONF_POWER_MODE,
4462 				  nla_get_u32);
4463 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration,
4464 				  0, 65535, mask,
4465 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
4466 	if (mask_out)
4467 		*mask_out = mask;
4468 
4469 	return 0;
4470 
4471 #undef FILL_IN_MESH_PARAM_IF_SET
4472 }
4473 
4474 static int nl80211_parse_mesh_setup(struct genl_info *info,
4475 				     struct mesh_setup *setup)
4476 {
4477 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
4478 
4479 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
4480 		return -EINVAL;
4481 	if (nla_parse_nested(tb, NL80211_MESH_SETUP_ATTR_MAX,
4482 			     info->attrs[NL80211_ATTR_MESH_SETUP],
4483 			     nl80211_mesh_setup_params_policy))
4484 		return -EINVAL;
4485 
4486 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
4487 		setup->sync_method =
4488 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
4489 		 IEEE80211_SYNC_METHOD_VENDOR :
4490 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
4491 
4492 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
4493 		setup->path_sel_proto =
4494 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
4495 		 IEEE80211_PATH_PROTOCOL_VENDOR :
4496 		 IEEE80211_PATH_PROTOCOL_HWMP;
4497 
4498 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
4499 		setup->path_metric =
4500 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
4501 		 IEEE80211_PATH_METRIC_VENDOR :
4502 		 IEEE80211_PATH_METRIC_AIRTIME;
4503 
4504 
4505 	if (tb[NL80211_MESH_SETUP_IE]) {
4506 		struct nlattr *ieattr =
4507 			tb[NL80211_MESH_SETUP_IE];
4508 		if (!is_valid_ie_attr(ieattr))
4509 			return -EINVAL;
4510 		setup->ie = nla_data(ieattr);
4511 		setup->ie_len = nla_len(ieattr);
4512 	}
4513 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
4514 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
4515 
4516 	return 0;
4517 }
4518 
4519 static int nl80211_update_mesh_config(struct sk_buff *skb,
4520 				      struct genl_info *info)
4521 {
4522 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4523 	struct net_device *dev = info->user_ptr[1];
4524 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4525 	struct mesh_config cfg;
4526 	u32 mask;
4527 	int err;
4528 
4529 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
4530 		return -EOPNOTSUPP;
4531 
4532 	if (!rdev->ops->update_mesh_config)
4533 		return -EOPNOTSUPP;
4534 
4535 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
4536 	if (err)
4537 		return err;
4538 
4539 	wdev_lock(wdev);
4540 	if (!wdev->mesh_id_len)
4541 		err = -ENOLINK;
4542 
4543 	if (!err)
4544 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
4545 
4546 	wdev_unlock(wdev);
4547 
4548 	return err;
4549 }
4550 
4551 static int nl80211_get_reg(struct sk_buff *skb, struct genl_info *info)
4552 {
4553 	const struct ieee80211_regdomain *regdom;
4554 	struct sk_buff *msg;
4555 	void *hdr = NULL;
4556 	struct nlattr *nl_reg_rules;
4557 	unsigned int i;
4558 	int err = -EINVAL;
4559 
4560 	mutex_lock(&cfg80211_mutex);
4561 
4562 	if (!cfg80211_regdomain)
4563 		goto out;
4564 
4565 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4566 	if (!msg) {
4567 		err = -ENOBUFS;
4568 		goto out;
4569 	}
4570 
4571 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4572 			     NL80211_CMD_GET_REG);
4573 	if (!hdr)
4574 		goto put_failure;
4575 
4576 	if (reg_last_request_cell_base() &&
4577 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
4578 			NL80211_USER_REG_HINT_CELL_BASE))
4579 		goto nla_put_failure;
4580 
4581 	rcu_read_lock();
4582 	regdom = rcu_dereference(cfg80211_regdomain);
4583 
4584 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
4585 	    (regdom->dfs_region &&
4586 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
4587 		goto nla_put_failure_rcu;
4588 
4589 	nl_reg_rules = nla_nest_start(msg, NL80211_ATTR_REG_RULES);
4590 	if (!nl_reg_rules)
4591 		goto nla_put_failure_rcu;
4592 
4593 	for (i = 0; i < regdom->n_reg_rules; i++) {
4594 		struct nlattr *nl_reg_rule;
4595 		const struct ieee80211_reg_rule *reg_rule;
4596 		const struct ieee80211_freq_range *freq_range;
4597 		const struct ieee80211_power_rule *power_rule;
4598 
4599 		reg_rule = &regdom->reg_rules[i];
4600 		freq_range = &reg_rule->freq_range;
4601 		power_rule = &reg_rule->power_rule;
4602 
4603 		nl_reg_rule = nla_nest_start(msg, i);
4604 		if (!nl_reg_rule)
4605 			goto nla_put_failure_rcu;
4606 
4607 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
4608 				reg_rule->flags) ||
4609 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
4610 				freq_range->start_freq_khz) ||
4611 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
4612 				freq_range->end_freq_khz) ||
4613 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
4614 				freq_range->max_bandwidth_khz) ||
4615 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
4616 				power_rule->max_antenna_gain) ||
4617 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
4618 				power_rule->max_eirp))
4619 			goto nla_put_failure_rcu;
4620 
4621 		nla_nest_end(msg, nl_reg_rule);
4622 	}
4623 	rcu_read_unlock();
4624 
4625 	nla_nest_end(msg, nl_reg_rules);
4626 
4627 	genlmsg_end(msg, hdr);
4628 	err = genlmsg_reply(msg, info);
4629 	goto out;
4630 
4631 nla_put_failure_rcu:
4632 	rcu_read_unlock();
4633 nla_put_failure:
4634 	genlmsg_cancel(msg, hdr);
4635 put_failure:
4636 	nlmsg_free(msg);
4637 	err = -EMSGSIZE;
4638 out:
4639 	mutex_unlock(&cfg80211_mutex);
4640 	return err;
4641 }
4642 
4643 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
4644 {
4645 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
4646 	struct nlattr *nl_reg_rule;
4647 	char *alpha2 = NULL;
4648 	int rem_reg_rules = 0, r = 0;
4649 	u32 num_rules = 0, rule_idx = 0, size_of_regd;
4650 	u8 dfs_region = 0;
4651 	struct ieee80211_regdomain *rd = NULL;
4652 
4653 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
4654 		return -EINVAL;
4655 
4656 	if (!info->attrs[NL80211_ATTR_REG_RULES])
4657 		return -EINVAL;
4658 
4659 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
4660 
4661 	if (info->attrs[NL80211_ATTR_DFS_REGION])
4662 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
4663 
4664 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
4665 			    rem_reg_rules) {
4666 		num_rules++;
4667 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
4668 			return -EINVAL;
4669 	}
4670 
4671 	size_of_regd = sizeof(struct ieee80211_regdomain) +
4672 		       num_rules * sizeof(struct ieee80211_reg_rule);
4673 
4674 	rd = kzalloc(size_of_regd, GFP_KERNEL);
4675 	if (!rd)
4676 		return -ENOMEM;
4677 
4678 	rd->n_reg_rules = num_rules;
4679 	rd->alpha2[0] = alpha2[0];
4680 	rd->alpha2[1] = alpha2[1];
4681 
4682 	/*
4683 	 * Disable DFS master mode if the DFS region was
4684 	 * not supported or known on this kernel.
4685 	 */
4686 	if (reg_supported_dfs_region(dfs_region))
4687 		rd->dfs_region = dfs_region;
4688 
4689 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
4690 			    rem_reg_rules) {
4691 		nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
4692 			  nla_data(nl_reg_rule), nla_len(nl_reg_rule),
4693 			  reg_rule_policy);
4694 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
4695 		if (r)
4696 			goto bad_reg;
4697 
4698 		rule_idx++;
4699 
4700 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
4701 			r = -EINVAL;
4702 			goto bad_reg;
4703 		}
4704 	}
4705 
4706 	mutex_lock(&cfg80211_mutex);
4707 
4708 	r = set_regdom(rd);
4709 	/* set_regdom took ownership */
4710 	rd = NULL;
4711 	mutex_unlock(&cfg80211_mutex);
4712 
4713  bad_reg:
4714 	kfree(rd);
4715 	return r;
4716 }
4717 
4718 static int validate_scan_freqs(struct nlattr *freqs)
4719 {
4720 	struct nlattr *attr1, *attr2;
4721 	int n_channels = 0, tmp1, tmp2;
4722 
4723 	nla_for_each_nested(attr1, freqs, tmp1) {
4724 		n_channels++;
4725 		/*
4726 		 * Some hardware has a limited channel list for
4727 		 * scanning, and it is pretty much nonsensical
4728 		 * to scan for a channel twice, so disallow that
4729 		 * and don't require drivers to check that the
4730 		 * channel list they get isn't longer than what
4731 		 * they can scan, as long as they can scan all
4732 		 * the channels they registered at once.
4733 		 */
4734 		nla_for_each_nested(attr2, freqs, tmp2)
4735 			if (attr1 != attr2 &&
4736 			    nla_get_u32(attr1) == nla_get_u32(attr2))
4737 				return 0;
4738 	}
4739 
4740 	return n_channels;
4741 }
4742 
4743 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
4744 {
4745 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4746 	struct wireless_dev *wdev = info->user_ptr[1];
4747 	struct cfg80211_scan_request *request;
4748 	struct nlattr *attr;
4749 	struct wiphy *wiphy;
4750 	int err, tmp, n_ssids = 0, n_channels, i;
4751 	size_t ie_len;
4752 
4753 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
4754 		return -EINVAL;
4755 
4756 	wiphy = &rdev->wiphy;
4757 
4758 	if (!rdev->ops->scan)
4759 		return -EOPNOTSUPP;
4760 
4761 	if (rdev->scan_req)
4762 		return -EBUSY;
4763 
4764 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
4765 		n_channels = validate_scan_freqs(
4766 				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
4767 		if (!n_channels)
4768 			return -EINVAL;
4769 	} else {
4770 		enum ieee80211_band band;
4771 		n_channels = 0;
4772 
4773 		for (band = 0; band < IEEE80211_NUM_BANDS; band++)
4774 			if (wiphy->bands[band])
4775 				n_channels += wiphy->bands[band]->n_channels;
4776 	}
4777 
4778 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
4779 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
4780 			n_ssids++;
4781 
4782 	if (n_ssids > wiphy->max_scan_ssids)
4783 		return -EINVAL;
4784 
4785 	if (info->attrs[NL80211_ATTR_IE])
4786 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4787 	else
4788 		ie_len = 0;
4789 
4790 	if (ie_len > wiphy->max_scan_ie_len)
4791 		return -EINVAL;
4792 
4793 	request = kzalloc(sizeof(*request)
4794 			+ sizeof(*request->ssids) * n_ssids
4795 			+ sizeof(*request->channels) * n_channels
4796 			+ ie_len, GFP_KERNEL);
4797 	if (!request)
4798 		return -ENOMEM;
4799 
4800 	if (n_ssids)
4801 		request->ssids = (void *)&request->channels[n_channels];
4802 	request->n_ssids = n_ssids;
4803 	if (ie_len) {
4804 		if (request->ssids)
4805 			request->ie = (void *)(request->ssids + n_ssids);
4806 		else
4807 			request->ie = (void *)(request->channels + n_channels);
4808 	}
4809 
4810 	i = 0;
4811 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
4812 		/* user specified, bail out if channel not found */
4813 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
4814 			struct ieee80211_channel *chan;
4815 
4816 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
4817 
4818 			if (!chan) {
4819 				err = -EINVAL;
4820 				goto out_free;
4821 			}
4822 
4823 			/* ignore disabled channels */
4824 			if (chan->flags & IEEE80211_CHAN_DISABLED)
4825 				continue;
4826 
4827 			request->channels[i] = chan;
4828 			i++;
4829 		}
4830 	} else {
4831 		enum ieee80211_band band;
4832 
4833 		/* all channels */
4834 		for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
4835 			int j;
4836 			if (!wiphy->bands[band])
4837 				continue;
4838 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
4839 				struct ieee80211_channel *chan;
4840 
4841 				chan = &wiphy->bands[band]->channels[j];
4842 
4843 				if (chan->flags & IEEE80211_CHAN_DISABLED)
4844 					continue;
4845 
4846 				request->channels[i] = chan;
4847 				i++;
4848 			}
4849 		}
4850 	}
4851 
4852 	if (!i) {
4853 		err = -EINVAL;
4854 		goto out_free;
4855 	}
4856 
4857 	request->n_channels = i;
4858 
4859 	i = 0;
4860 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
4861 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
4862 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
4863 				err = -EINVAL;
4864 				goto out_free;
4865 			}
4866 			request->ssids[i].ssid_len = nla_len(attr);
4867 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
4868 			i++;
4869 		}
4870 	}
4871 
4872 	if (info->attrs[NL80211_ATTR_IE]) {
4873 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4874 		memcpy((void *)request->ie,
4875 		       nla_data(info->attrs[NL80211_ATTR_IE]),
4876 		       request->ie_len);
4877 	}
4878 
4879 	for (i = 0; i < IEEE80211_NUM_BANDS; i++)
4880 		if (wiphy->bands[i])
4881 			request->rates[i] =
4882 				(1 << wiphy->bands[i]->n_bitrates) - 1;
4883 
4884 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
4885 		nla_for_each_nested(attr,
4886 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
4887 				    tmp) {
4888 			enum ieee80211_band band = nla_type(attr);
4889 
4890 			if (band < 0 || band >= IEEE80211_NUM_BANDS) {
4891 				err = -EINVAL;
4892 				goto out_free;
4893 			}
4894 			err = ieee80211_get_ratemask(wiphy->bands[band],
4895 						     nla_data(attr),
4896 						     nla_len(attr),
4897 						     &request->rates[band]);
4898 			if (err)
4899 				goto out_free;
4900 		}
4901 	}
4902 
4903 	if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
4904 		request->flags = nla_get_u32(
4905 			info->attrs[NL80211_ATTR_SCAN_FLAGS]);
4906 		if (((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
4907 		     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
4908 		    ((request->flags & NL80211_SCAN_FLAG_FLUSH) &&
4909 		     !(wiphy->features & NL80211_FEATURE_SCAN_FLUSH))) {
4910 			err = -EOPNOTSUPP;
4911 			goto out_free;
4912 		}
4913 	}
4914 
4915 	request->no_cck =
4916 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
4917 
4918 	request->wdev = wdev;
4919 	request->wiphy = &rdev->wiphy;
4920 	request->scan_start = jiffies;
4921 
4922 	rdev->scan_req = request;
4923 	err = rdev_scan(rdev, request);
4924 
4925 	if (!err) {
4926 		nl80211_send_scan_start(rdev, wdev);
4927 		if (wdev->netdev)
4928 			dev_hold(wdev->netdev);
4929 	} else {
4930  out_free:
4931 		rdev->scan_req = NULL;
4932 		kfree(request);
4933 	}
4934 
4935 	return err;
4936 }
4937 
4938 static int nl80211_start_sched_scan(struct sk_buff *skb,
4939 				    struct genl_info *info)
4940 {
4941 	struct cfg80211_sched_scan_request *request;
4942 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4943 	struct net_device *dev = info->user_ptr[1];
4944 	struct nlattr *attr;
4945 	struct wiphy *wiphy;
4946 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i;
4947 	u32 interval;
4948 	enum ieee80211_band band;
4949 	size_t ie_len;
4950 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
4951 
4952 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
4953 	    !rdev->ops->sched_scan_start)
4954 		return -EOPNOTSUPP;
4955 
4956 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
4957 		return -EINVAL;
4958 
4959 	if (!info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
4960 		return -EINVAL;
4961 
4962 	interval = nla_get_u32(info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
4963 	if (interval == 0)
4964 		return -EINVAL;
4965 
4966 	wiphy = &rdev->wiphy;
4967 
4968 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
4969 		n_channels = validate_scan_freqs(
4970 				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
4971 		if (!n_channels)
4972 			return -EINVAL;
4973 	} else {
4974 		n_channels = 0;
4975 
4976 		for (band = 0; band < IEEE80211_NUM_BANDS; band++)
4977 			if (wiphy->bands[band])
4978 				n_channels += wiphy->bands[band]->n_channels;
4979 	}
4980 
4981 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
4982 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
4983 				    tmp)
4984 			n_ssids++;
4985 
4986 	if (n_ssids > wiphy->max_sched_scan_ssids)
4987 		return -EINVAL;
4988 
4989 	if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH])
4990 		nla_for_each_nested(attr,
4991 				    info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
4992 				    tmp)
4993 			n_match_sets++;
4994 
4995 	if (n_match_sets > wiphy->max_match_sets)
4996 		return -EINVAL;
4997 
4998 	if (info->attrs[NL80211_ATTR_IE])
4999 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5000 	else
5001 		ie_len = 0;
5002 
5003 	if (ie_len > wiphy->max_sched_scan_ie_len)
5004 		return -EINVAL;
5005 
5006 	mutex_lock(&rdev->sched_scan_mtx);
5007 
5008 	if (rdev->sched_scan_req) {
5009 		err = -EINPROGRESS;
5010 		goto out;
5011 	}
5012 
5013 	request = kzalloc(sizeof(*request)
5014 			+ sizeof(*request->ssids) * n_ssids
5015 			+ sizeof(*request->match_sets) * n_match_sets
5016 			+ sizeof(*request->channels) * n_channels
5017 			+ ie_len, GFP_KERNEL);
5018 	if (!request) {
5019 		err = -ENOMEM;
5020 		goto out;
5021 	}
5022 
5023 	if (n_ssids)
5024 		request->ssids = (void *)&request->channels[n_channels];
5025 	request->n_ssids = n_ssids;
5026 	if (ie_len) {
5027 		if (request->ssids)
5028 			request->ie = (void *)(request->ssids + n_ssids);
5029 		else
5030 			request->ie = (void *)(request->channels + n_channels);
5031 	}
5032 
5033 	if (n_match_sets) {
5034 		if (request->ie)
5035 			request->match_sets = (void *)(request->ie + ie_len);
5036 		else if (request->ssids)
5037 			request->match_sets =
5038 				(void *)(request->ssids + n_ssids);
5039 		else
5040 			request->match_sets =
5041 				(void *)(request->channels + n_channels);
5042 	}
5043 	request->n_match_sets = n_match_sets;
5044 
5045 	i = 0;
5046 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5047 		/* user specified, bail out if channel not found */
5048 		nla_for_each_nested(attr,
5049 				    info->attrs[NL80211_ATTR_SCAN_FREQUENCIES],
5050 				    tmp) {
5051 			struct ieee80211_channel *chan;
5052 
5053 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
5054 
5055 			if (!chan) {
5056 				err = -EINVAL;
5057 				goto out_free;
5058 			}
5059 
5060 			/* ignore disabled channels */
5061 			if (chan->flags & IEEE80211_CHAN_DISABLED)
5062 				continue;
5063 
5064 			request->channels[i] = chan;
5065 			i++;
5066 		}
5067 	} else {
5068 		/* all channels */
5069 		for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
5070 			int j;
5071 			if (!wiphy->bands[band])
5072 				continue;
5073 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
5074 				struct ieee80211_channel *chan;
5075 
5076 				chan = &wiphy->bands[band]->channels[j];
5077 
5078 				if (chan->flags & IEEE80211_CHAN_DISABLED)
5079 					continue;
5080 
5081 				request->channels[i] = chan;
5082 				i++;
5083 			}
5084 		}
5085 	}
5086 
5087 	if (!i) {
5088 		err = -EINVAL;
5089 		goto out_free;
5090 	}
5091 
5092 	request->n_channels = i;
5093 
5094 	i = 0;
5095 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
5096 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
5097 				    tmp) {
5098 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
5099 				err = -EINVAL;
5100 				goto out_free;
5101 			}
5102 			request->ssids[i].ssid_len = nla_len(attr);
5103 			memcpy(request->ssids[i].ssid, nla_data(attr),
5104 			       nla_len(attr));
5105 			i++;
5106 		}
5107 	}
5108 
5109 	i = 0;
5110 	if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
5111 		nla_for_each_nested(attr,
5112 				    info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
5113 				    tmp) {
5114 			struct nlattr *ssid, *rssi;
5115 
5116 			nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
5117 				  nla_data(attr), nla_len(attr),
5118 				  nl80211_match_policy);
5119 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
5120 			if (ssid) {
5121 				if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
5122 					err = -EINVAL;
5123 					goto out_free;
5124 				}
5125 				memcpy(request->match_sets[i].ssid.ssid,
5126 				       nla_data(ssid), nla_len(ssid));
5127 				request->match_sets[i].ssid.ssid_len =
5128 					nla_len(ssid);
5129 			}
5130 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
5131 			if (rssi)
5132 				request->rssi_thold = nla_get_u32(rssi);
5133 			else
5134 				request->rssi_thold =
5135 						   NL80211_SCAN_RSSI_THOLD_OFF;
5136 			i++;
5137 		}
5138 	}
5139 
5140 	if (info->attrs[NL80211_ATTR_IE]) {
5141 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5142 		memcpy((void *)request->ie,
5143 		       nla_data(info->attrs[NL80211_ATTR_IE]),
5144 		       request->ie_len);
5145 	}
5146 
5147 	if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
5148 		request->flags = nla_get_u32(
5149 			info->attrs[NL80211_ATTR_SCAN_FLAGS]);
5150 		if (((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
5151 		     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
5152 		    ((request->flags & NL80211_SCAN_FLAG_FLUSH) &&
5153 		     !(wiphy->features & NL80211_FEATURE_SCAN_FLUSH))) {
5154 			err = -EOPNOTSUPP;
5155 			goto out_free;
5156 		}
5157 	}
5158 
5159 	request->dev = dev;
5160 	request->wiphy = &rdev->wiphy;
5161 	request->interval = interval;
5162 	request->scan_start = jiffies;
5163 
5164 	err = rdev_sched_scan_start(rdev, dev, request);
5165 	if (!err) {
5166 		rdev->sched_scan_req = request;
5167 		nl80211_send_sched_scan(rdev, dev,
5168 					NL80211_CMD_START_SCHED_SCAN);
5169 		goto out;
5170 	}
5171 
5172 out_free:
5173 	kfree(request);
5174 out:
5175 	mutex_unlock(&rdev->sched_scan_mtx);
5176 	return err;
5177 }
5178 
5179 static int nl80211_stop_sched_scan(struct sk_buff *skb,
5180 				   struct genl_info *info)
5181 {
5182 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5183 	int err;
5184 
5185 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
5186 	    !rdev->ops->sched_scan_stop)
5187 		return -EOPNOTSUPP;
5188 
5189 	mutex_lock(&rdev->sched_scan_mtx);
5190 	err = __cfg80211_stop_sched_scan(rdev, false);
5191 	mutex_unlock(&rdev->sched_scan_mtx);
5192 
5193 	return err;
5194 }
5195 
5196 static int nl80211_start_radar_detection(struct sk_buff *skb,
5197 					 struct genl_info *info)
5198 {
5199 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5200 	struct net_device *dev = info->user_ptr[1];
5201 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5202 	struct cfg80211_chan_def chandef;
5203 	int err;
5204 
5205 	err = nl80211_parse_chandef(rdev, info, &chandef);
5206 	if (err)
5207 		return err;
5208 
5209 	if (wdev->cac_started)
5210 		return -EBUSY;
5211 
5212 	err = cfg80211_chandef_dfs_required(wdev->wiphy, &chandef);
5213 	if (err < 0)
5214 		return err;
5215 
5216 	if (err == 0)
5217 		return -EINVAL;
5218 
5219 	if (chandef.chan->dfs_state != NL80211_DFS_USABLE)
5220 		return -EINVAL;
5221 
5222 	if (!rdev->ops->start_radar_detection)
5223 		return -EOPNOTSUPP;
5224 
5225 	mutex_lock(&rdev->devlist_mtx);
5226 	err = cfg80211_can_use_iftype_chan(rdev, wdev, wdev->iftype,
5227 					   chandef.chan, CHAN_MODE_SHARED,
5228 					   BIT(chandef.width));
5229 	if (err)
5230 		goto err_locked;
5231 
5232 	err = rdev->ops->start_radar_detection(&rdev->wiphy, dev, &chandef);
5233 	if (!err) {
5234 		wdev->channel = chandef.chan;
5235 		wdev->cac_started = true;
5236 		wdev->cac_start_time = jiffies;
5237 	}
5238 err_locked:
5239 	mutex_unlock(&rdev->devlist_mtx);
5240 
5241 	return err;
5242 }
5243 
5244 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
5245 			    u32 seq, int flags,
5246 			    struct cfg80211_registered_device *rdev,
5247 			    struct wireless_dev *wdev,
5248 			    struct cfg80211_internal_bss *intbss)
5249 {
5250 	struct cfg80211_bss *res = &intbss->pub;
5251 	const struct cfg80211_bss_ies *ies;
5252 	void *hdr;
5253 	struct nlattr *bss;
5254 	bool tsf = false;
5255 
5256 	ASSERT_WDEV_LOCK(wdev);
5257 
5258 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
5259 			     NL80211_CMD_NEW_SCAN_RESULTS);
5260 	if (!hdr)
5261 		return -1;
5262 
5263 	genl_dump_check_consistent(cb, hdr, &nl80211_fam);
5264 
5265 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation) ||
5266 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
5267 		goto nla_put_failure;
5268 
5269 	bss = nla_nest_start(msg, NL80211_ATTR_BSS);
5270 	if (!bss)
5271 		goto nla_put_failure;
5272 	if ((!is_zero_ether_addr(res->bssid) &&
5273 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
5274 		goto nla_put_failure;
5275 
5276 	rcu_read_lock();
5277 	ies = rcu_dereference(res->ies);
5278 	if (ies) {
5279 		if (nla_put_u64(msg, NL80211_BSS_TSF, ies->tsf))
5280 			goto fail_unlock_rcu;
5281 		tsf = true;
5282 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
5283 					ies->len, ies->data))
5284 			goto fail_unlock_rcu;
5285 	}
5286 	ies = rcu_dereference(res->beacon_ies);
5287 	if (ies) {
5288 		if (!tsf && nla_put_u64(msg, NL80211_BSS_TSF, ies->tsf))
5289 			goto fail_unlock_rcu;
5290 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
5291 					ies->len, ies->data))
5292 			goto fail_unlock_rcu;
5293 	}
5294 	rcu_read_unlock();
5295 
5296 	if (res->beacon_interval &&
5297 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
5298 		goto nla_put_failure;
5299 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
5300 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
5301 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
5302 			jiffies_to_msecs(jiffies - intbss->ts)))
5303 		goto nla_put_failure;
5304 
5305 	switch (rdev->wiphy.signal_type) {
5306 	case CFG80211_SIGNAL_TYPE_MBM:
5307 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
5308 			goto nla_put_failure;
5309 		break;
5310 	case CFG80211_SIGNAL_TYPE_UNSPEC:
5311 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
5312 			goto nla_put_failure;
5313 		break;
5314 	default:
5315 		break;
5316 	}
5317 
5318 	switch (wdev->iftype) {
5319 	case NL80211_IFTYPE_P2P_CLIENT:
5320 	case NL80211_IFTYPE_STATION:
5321 		if (intbss == wdev->current_bss &&
5322 		    nla_put_u32(msg, NL80211_BSS_STATUS,
5323 				NL80211_BSS_STATUS_ASSOCIATED))
5324 			goto nla_put_failure;
5325 		break;
5326 	case NL80211_IFTYPE_ADHOC:
5327 		if (intbss == wdev->current_bss &&
5328 		    nla_put_u32(msg, NL80211_BSS_STATUS,
5329 				NL80211_BSS_STATUS_IBSS_JOINED))
5330 			goto nla_put_failure;
5331 		break;
5332 	default:
5333 		break;
5334 	}
5335 
5336 	nla_nest_end(msg, bss);
5337 
5338 	return genlmsg_end(msg, hdr);
5339 
5340  fail_unlock_rcu:
5341 	rcu_read_unlock();
5342  nla_put_failure:
5343 	genlmsg_cancel(msg, hdr);
5344 	return -EMSGSIZE;
5345 }
5346 
5347 static int nl80211_dump_scan(struct sk_buff *skb,
5348 			     struct netlink_callback *cb)
5349 {
5350 	struct cfg80211_registered_device *rdev;
5351 	struct net_device *dev;
5352 	struct cfg80211_internal_bss *scan;
5353 	struct wireless_dev *wdev;
5354 	int start = cb->args[1], idx = 0;
5355 	int err;
5356 
5357 	err = nl80211_prepare_netdev_dump(skb, cb, &rdev, &dev);
5358 	if (err)
5359 		return err;
5360 
5361 	wdev = dev->ieee80211_ptr;
5362 
5363 	wdev_lock(wdev);
5364 	spin_lock_bh(&rdev->bss_lock);
5365 	cfg80211_bss_expire(rdev);
5366 
5367 	cb->seq = rdev->bss_generation;
5368 
5369 	list_for_each_entry(scan, &rdev->bss_list, list) {
5370 		if (++idx <= start)
5371 			continue;
5372 		if (nl80211_send_bss(skb, cb,
5373 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
5374 				rdev, wdev, scan) < 0) {
5375 			idx--;
5376 			break;
5377 		}
5378 	}
5379 
5380 	spin_unlock_bh(&rdev->bss_lock);
5381 	wdev_unlock(wdev);
5382 
5383 	cb->args[1] = idx;
5384 	nl80211_finish_netdev_dump(rdev);
5385 
5386 	return skb->len;
5387 }
5388 
5389 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
5390 				int flags, struct net_device *dev,
5391 				struct survey_info *survey)
5392 {
5393 	void *hdr;
5394 	struct nlattr *infoattr;
5395 
5396 	hdr = nl80211hdr_put(msg, portid, seq, flags,
5397 			     NL80211_CMD_NEW_SURVEY_RESULTS);
5398 	if (!hdr)
5399 		return -ENOMEM;
5400 
5401 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
5402 		goto nla_put_failure;
5403 
5404 	infoattr = nla_nest_start(msg, NL80211_ATTR_SURVEY_INFO);
5405 	if (!infoattr)
5406 		goto nla_put_failure;
5407 
5408 	if (nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
5409 			survey->channel->center_freq))
5410 		goto nla_put_failure;
5411 
5412 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
5413 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
5414 		goto nla_put_failure;
5415 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
5416 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
5417 		goto nla_put_failure;
5418 	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME) &&
5419 	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME,
5420 			survey->channel_time))
5421 		goto nla_put_failure;
5422 	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_BUSY) &&
5423 	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_BUSY,
5424 			survey->channel_time_busy))
5425 		goto nla_put_failure;
5426 	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_EXT_BUSY) &&
5427 	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_EXT_BUSY,
5428 			survey->channel_time_ext_busy))
5429 		goto nla_put_failure;
5430 	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_RX) &&
5431 	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_RX,
5432 			survey->channel_time_rx))
5433 		goto nla_put_failure;
5434 	if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_TX) &&
5435 	    nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_TX,
5436 			survey->channel_time_tx))
5437 		goto nla_put_failure;
5438 
5439 	nla_nest_end(msg, infoattr);
5440 
5441 	return genlmsg_end(msg, hdr);
5442 
5443  nla_put_failure:
5444 	genlmsg_cancel(msg, hdr);
5445 	return -EMSGSIZE;
5446 }
5447 
5448 static int nl80211_dump_survey(struct sk_buff *skb,
5449 			struct netlink_callback *cb)
5450 {
5451 	struct survey_info survey;
5452 	struct cfg80211_registered_device *dev;
5453 	struct net_device *netdev;
5454 	int survey_idx = cb->args[1];
5455 	int res;
5456 
5457 	res = nl80211_prepare_netdev_dump(skb, cb, &dev, &netdev);
5458 	if (res)
5459 		return res;
5460 
5461 	if (!dev->ops->dump_survey) {
5462 		res = -EOPNOTSUPP;
5463 		goto out_err;
5464 	}
5465 
5466 	while (1) {
5467 		struct ieee80211_channel *chan;
5468 
5469 		res = rdev_dump_survey(dev, netdev, survey_idx, &survey);
5470 		if (res == -ENOENT)
5471 			break;
5472 		if (res)
5473 			goto out_err;
5474 
5475 		/* Survey without a channel doesn't make sense */
5476 		if (!survey.channel) {
5477 			res = -EINVAL;
5478 			goto out;
5479 		}
5480 
5481 		chan = ieee80211_get_channel(&dev->wiphy,
5482 					     survey.channel->center_freq);
5483 		if (!chan || chan->flags & IEEE80211_CHAN_DISABLED) {
5484 			survey_idx++;
5485 			continue;
5486 		}
5487 
5488 		if (nl80211_send_survey(skb,
5489 				NETLINK_CB(cb->skb).portid,
5490 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
5491 				netdev,
5492 				&survey) < 0)
5493 			goto out;
5494 		survey_idx++;
5495 	}
5496 
5497  out:
5498 	cb->args[1] = survey_idx;
5499 	res = skb->len;
5500  out_err:
5501 	nl80211_finish_netdev_dump(dev);
5502 	return res;
5503 }
5504 
5505 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
5506 {
5507 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
5508 				  NL80211_WPA_VERSION_2));
5509 }
5510 
5511 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
5512 {
5513 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5514 	struct net_device *dev = info->user_ptr[1];
5515 	struct ieee80211_channel *chan;
5516 	const u8 *bssid, *ssid, *ie = NULL, *sae_data = NULL;
5517 	int err, ssid_len, ie_len = 0, sae_data_len = 0;
5518 	enum nl80211_auth_type auth_type;
5519 	struct key_parse key;
5520 	bool local_state_change;
5521 
5522 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5523 		return -EINVAL;
5524 
5525 	if (!info->attrs[NL80211_ATTR_MAC])
5526 		return -EINVAL;
5527 
5528 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
5529 		return -EINVAL;
5530 
5531 	if (!info->attrs[NL80211_ATTR_SSID])
5532 		return -EINVAL;
5533 
5534 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
5535 		return -EINVAL;
5536 
5537 	err = nl80211_parse_key(info, &key);
5538 	if (err)
5539 		return err;
5540 
5541 	if (key.idx >= 0) {
5542 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
5543 			return -EINVAL;
5544 		if (!key.p.key || !key.p.key_len)
5545 			return -EINVAL;
5546 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
5547 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
5548 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
5549 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
5550 			return -EINVAL;
5551 		if (key.idx > 4)
5552 			return -EINVAL;
5553 	} else {
5554 		key.p.key_len = 0;
5555 		key.p.key = NULL;
5556 	}
5557 
5558 	if (key.idx >= 0) {
5559 		int i;
5560 		bool ok = false;
5561 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
5562 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
5563 				ok = true;
5564 				break;
5565 			}
5566 		}
5567 		if (!ok)
5568 			return -EINVAL;
5569 	}
5570 
5571 	if (!rdev->ops->auth)
5572 		return -EOPNOTSUPP;
5573 
5574 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5575 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5576 		return -EOPNOTSUPP;
5577 
5578 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5579 	chan = ieee80211_get_channel(&rdev->wiphy,
5580 		nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
5581 	if (!chan || (chan->flags & IEEE80211_CHAN_DISABLED))
5582 		return -EINVAL;
5583 
5584 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5585 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
5586 
5587 	if (info->attrs[NL80211_ATTR_IE]) {
5588 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5589 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5590 	}
5591 
5592 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
5593 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
5594 		return -EINVAL;
5595 
5596 	if (auth_type == NL80211_AUTHTYPE_SAE &&
5597 	    !info->attrs[NL80211_ATTR_SAE_DATA])
5598 		return -EINVAL;
5599 
5600 	if (info->attrs[NL80211_ATTR_SAE_DATA]) {
5601 		if (auth_type != NL80211_AUTHTYPE_SAE)
5602 			return -EINVAL;
5603 		sae_data = nla_data(info->attrs[NL80211_ATTR_SAE_DATA]);
5604 		sae_data_len = nla_len(info->attrs[NL80211_ATTR_SAE_DATA]);
5605 		/* need to include at least Auth Transaction and Status Code */
5606 		if (sae_data_len < 4)
5607 			return -EINVAL;
5608 	}
5609 
5610 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
5611 
5612 	/*
5613 	 * Since we no longer track auth state, ignore
5614 	 * requests to only change local state.
5615 	 */
5616 	if (local_state_change)
5617 		return 0;
5618 
5619 	return cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
5620 				  ssid, ssid_len, ie, ie_len,
5621 				  key.p.key, key.p.key_len, key.idx,
5622 				  sae_data, sae_data_len);
5623 }
5624 
5625 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
5626 				   struct genl_info *info,
5627 				   struct cfg80211_crypto_settings *settings,
5628 				   int cipher_limit)
5629 {
5630 	memset(settings, 0, sizeof(*settings));
5631 
5632 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
5633 
5634 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
5635 		u16 proto;
5636 		proto = nla_get_u16(
5637 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
5638 		settings->control_port_ethertype = cpu_to_be16(proto);
5639 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
5640 		    proto != ETH_P_PAE)
5641 			return -EINVAL;
5642 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
5643 			settings->control_port_no_encrypt = true;
5644 	} else
5645 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
5646 
5647 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
5648 		void *data;
5649 		int len, i;
5650 
5651 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
5652 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
5653 		settings->n_ciphers_pairwise = len / sizeof(u32);
5654 
5655 		if (len % sizeof(u32))
5656 			return -EINVAL;
5657 
5658 		if (settings->n_ciphers_pairwise > cipher_limit)
5659 			return -EINVAL;
5660 
5661 		memcpy(settings->ciphers_pairwise, data, len);
5662 
5663 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
5664 			if (!cfg80211_supported_cipher_suite(
5665 					&rdev->wiphy,
5666 					settings->ciphers_pairwise[i]))
5667 				return -EINVAL;
5668 	}
5669 
5670 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
5671 		settings->cipher_group =
5672 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
5673 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
5674 						     settings->cipher_group))
5675 			return -EINVAL;
5676 	}
5677 
5678 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
5679 		settings->wpa_versions =
5680 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
5681 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
5682 			return -EINVAL;
5683 	}
5684 
5685 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
5686 		void *data;
5687 		int len;
5688 
5689 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
5690 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
5691 		settings->n_akm_suites = len / sizeof(u32);
5692 
5693 		if (len % sizeof(u32))
5694 			return -EINVAL;
5695 
5696 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
5697 			return -EINVAL;
5698 
5699 		memcpy(settings->akm_suites, data, len);
5700 	}
5701 
5702 	return 0;
5703 }
5704 
5705 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
5706 {
5707 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5708 	struct net_device *dev = info->user_ptr[1];
5709 	struct cfg80211_crypto_settings crypto;
5710 	struct ieee80211_channel *chan;
5711 	const u8 *bssid, *ssid, *ie = NULL, *prev_bssid = NULL;
5712 	int err, ssid_len, ie_len = 0;
5713 	bool use_mfp = false;
5714 	u32 flags = 0;
5715 	struct ieee80211_ht_cap *ht_capa = NULL;
5716 	struct ieee80211_ht_cap *ht_capa_mask = NULL;
5717 
5718 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5719 		return -EINVAL;
5720 
5721 	if (!info->attrs[NL80211_ATTR_MAC] ||
5722 	    !info->attrs[NL80211_ATTR_SSID] ||
5723 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
5724 		return -EINVAL;
5725 
5726 	if (!rdev->ops->assoc)
5727 		return -EOPNOTSUPP;
5728 
5729 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5730 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5731 		return -EOPNOTSUPP;
5732 
5733 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5734 
5735 	chan = ieee80211_get_channel(&rdev->wiphy,
5736 		nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
5737 	if (!chan || (chan->flags & IEEE80211_CHAN_DISABLED))
5738 		return -EINVAL;
5739 
5740 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5741 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
5742 
5743 	if (info->attrs[NL80211_ATTR_IE]) {
5744 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5745 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5746 	}
5747 
5748 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
5749 		enum nl80211_mfp mfp =
5750 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
5751 		if (mfp == NL80211_MFP_REQUIRED)
5752 			use_mfp = true;
5753 		else if (mfp != NL80211_MFP_NO)
5754 			return -EINVAL;
5755 	}
5756 
5757 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
5758 		prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
5759 
5760 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
5761 		flags |= ASSOC_REQ_DISABLE_HT;
5762 
5763 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
5764 		ht_capa_mask =
5765 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]);
5766 
5767 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
5768 		if (!ht_capa_mask)
5769 			return -EINVAL;
5770 		ht_capa = nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
5771 	}
5772 
5773 	err = nl80211_crypto_settings(rdev, info, &crypto, 1);
5774 	if (!err)
5775 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid, prev_bssid,
5776 					  ssid, ssid_len, ie, ie_len, use_mfp,
5777 					  &crypto, flags, ht_capa,
5778 					  ht_capa_mask);
5779 
5780 	return err;
5781 }
5782 
5783 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
5784 {
5785 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5786 	struct net_device *dev = info->user_ptr[1];
5787 	const u8 *ie = NULL, *bssid;
5788 	int ie_len = 0;
5789 	u16 reason_code;
5790 	bool local_state_change;
5791 
5792 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5793 		return -EINVAL;
5794 
5795 	if (!info->attrs[NL80211_ATTR_MAC])
5796 		return -EINVAL;
5797 
5798 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
5799 		return -EINVAL;
5800 
5801 	if (!rdev->ops->deauth)
5802 		return -EOPNOTSUPP;
5803 
5804 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5805 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5806 		return -EOPNOTSUPP;
5807 
5808 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5809 
5810 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
5811 	if (reason_code == 0) {
5812 		/* Reason Code 0 is reserved */
5813 		return -EINVAL;
5814 	}
5815 
5816 	if (info->attrs[NL80211_ATTR_IE]) {
5817 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5818 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5819 	}
5820 
5821 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
5822 
5823 	return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
5824 				    local_state_change);
5825 }
5826 
5827 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
5828 {
5829 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5830 	struct net_device *dev = info->user_ptr[1];
5831 	const u8 *ie = NULL, *bssid;
5832 	int ie_len = 0;
5833 	u16 reason_code;
5834 	bool local_state_change;
5835 
5836 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5837 		return -EINVAL;
5838 
5839 	if (!info->attrs[NL80211_ATTR_MAC])
5840 		return -EINVAL;
5841 
5842 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
5843 		return -EINVAL;
5844 
5845 	if (!rdev->ops->disassoc)
5846 		return -EOPNOTSUPP;
5847 
5848 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5849 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5850 		return -EOPNOTSUPP;
5851 
5852 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5853 
5854 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
5855 	if (reason_code == 0) {
5856 		/* Reason Code 0 is reserved */
5857 		return -EINVAL;
5858 	}
5859 
5860 	if (info->attrs[NL80211_ATTR_IE]) {
5861 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5862 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5863 	}
5864 
5865 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
5866 
5867 	return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
5868 				      local_state_change);
5869 }
5870 
5871 static bool
5872 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
5873 			 int mcast_rate[IEEE80211_NUM_BANDS],
5874 			 int rateval)
5875 {
5876 	struct wiphy *wiphy = &rdev->wiphy;
5877 	bool found = false;
5878 	int band, i;
5879 
5880 	for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
5881 		struct ieee80211_supported_band *sband;
5882 
5883 		sband = wiphy->bands[band];
5884 		if (!sband)
5885 			continue;
5886 
5887 		for (i = 0; i < sband->n_bitrates; i++) {
5888 			if (sband->bitrates[i].bitrate == rateval) {
5889 				mcast_rate[band] = i + 1;
5890 				found = true;
5891 				break;
5892 			}
5893 		}
5894 	}
5895 
5896 	return found;
5897 }
5898 
5899 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
5900 {
5901 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5902 	struct net_device *dev = info->user_ptr[1];
5903 	struct cfg80211_ibss_params ibss;
5904 	struct wiphy *wiphy;
5905 	struct cfg80211_cached_keys *connkeys = NULL;
5906 	int err;
5907 
5908 	memset(&ibss, 0, sizeof(ibss));
5909 
5910 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5911 		return -EINVAL;
5912 
5913 	if (!info->attrs[NL80211_ATTR_SSID] ||
5914 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
5915 		return -EINVAL;
5916 
5917 	ibss.beacon_interval = 100;
5918 
5919 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
5920 		ibss.beacon_interval =
5921 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5922 		if (ibss.beacon_interval < 1 || ibss.beacon_interval > 10000)
5923 			return -EINVAL;
5924 	}
5925 
5926 	if (!rdev->ops->join_ibss)
5927 		return -EOPNOTSUPP;
5928 
5929 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
5930 		return -EOPNOTSUPP;
5931 
5932 	wiphy = &rdev->wiphy;
5933 
5934 	if (info->attrs[NL80211_ATTR_MAC]) {
5935 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5936 
5937 		if (!is_valid_ether_addr(ibss.bssid))
5938 			return -EINVAL;
5939 	}
5940 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5941 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
5942 
5943 	if (info->attrs[NL80211_ATTR_IE]) {
5944 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5945 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5946 	}
5947 
5948 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
5949 	if (err)
5950 		return err;
5951 
5952 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef))
5953 		return -EINVAL;
5954 
5955 	if (ibss.chandef.width > NL80211_CHAN_WIDTH_40)
5956 		return -EINVAL;
5957 	if (ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
5958 	    !(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
5959 		return -EINVAL;
5960 
5961 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
5962 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
5963 
5964 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
5965 		u8 *rates =
5966 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
5967 		int n_rates =
5968 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
5969 		struct ieee80211_supported_band *sband =
5970 			wiphy->bands[ibss.chandef.chan->band];
5971 
5972 		err = ieee80211_get_ratemask(sband, rates, n_rates,
5973 					     &ibss.basic_rates);
5974 		if (err)
5975 			return err;
5976 	}
5977 
5978 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
5979 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
5980 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
5981 		return -EINVAL;
5982 
5983 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
5984 		bool no_ht = false;
5985 
5986 		connkeys = nl80211_parse_connkeys(rdev,
5987 					  info->attrs[NL80211_ATTR_KEYS],
5988 					  &no_ht);
5989 		if (IS_ERR(connkeys))
5990 			return PTR_ERR(connkeys);
5991 
5992 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
5993 		    no_ht) {
5994 			kfree(connkeys);
5995 			return -EINVAL;
5996 		}
5997 	}
5998 
5999 	ibss.control_port =
6000 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
6001 
6002 	err = cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
6003 	if (err)
6004 		kfree(connkeys);
6005 	return err;
6006 }
6007 
6008 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
6009 {
6010 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6011 	struct net_device *dev = info->user_ptr[1];
6012 
6013 	if (!rdev->ops->leave_ibss)
6014 		return -EOPNOTSUPP;
6015 
6016 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
6017 		return -EOPNOTSUPP;
6018 
6019 	return cfg80211_leave_ibss(rdev, dev, false);
6020 }
6021 
6022 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
6023 {
6024 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6025 	struct net_device *dev = info->user_ptr[1];
6026 	int mcast_rate[IEEE80211_NUM_BANDS];
6027 	u32 nla_rate;
6028 	int err;
6029 
6030 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
6031 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6032 		return -EOPNOTSUPP;
6033 
6034 	if (!rdev->ops->set_mcast_rate)
6035 		return -EOPNOTSUPP;
6036 
6037 	memset(mcast_rate, 0, sizeof(mcast_rate));
6038 
6039 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
6040 		return -EINVAL;
6041 
6042 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
6043 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
6044 		return -EINVAL;
6045 
6046 	err = rdev->ops->set_mcast_rate(&rdev->wiphy, dev, mcast_rate);
6047 
6048 	return err;
6049 }
6050 
6051 
6052 #ifdef CONFIG_NL80211_TESTMODE
6053 static struct genl_multicast_group nl80211_testmode_mcgrp = {
6054 	.name = "testmode",
6055 };
6056 
6057 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
6058 {
6059 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6060 	int err;
6061 
6062 	if (!info->attrs[NL80211_ATTR_TESTDATA])
6063 		return -EINVAL;
6064 
6065 	err = -EOPNOTSUPP;
6066 	if (rdev->ops->testmode_cmd) {
6067 		rdev->testmode_info = info;
6068 		err = rdev_testmode_cmd(rdev,
6069 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
6070 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
6071 		rdev->testmode_info = NULL;
6072 	}
6073 
6074 	return err;
6075 }
6076 
6077 static int nl80211_testmode_dump(struct sk_buff *skb,
6078 				 struct netlink_callback *cb)
6079 {
6080 	struct cfg80211_registered_device *rdev;
6081 	int err;
6082 	long phy_idx;
6083 	void *data = NULL;
6084 	int data_len = 0;
6085 
6086 	if (cb->args[0]) {
6087 		/*
6088 		 * 0 is a valid index, but not valid for args[0],
6089 		 * so we need to offset by 1.
6090 		 */
6091 		phy_idx = cb->args[0] - 1;
6092 	} else {
6093 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
6094 				  nl80211_fam.attrbuf, nl80211_fam.maxattr,
6095 				  nl80211_policy);
6096 		if (err)
6097 			return err;
6098 
6099 		mutex_lock(&cfg80211_mutex);
6100 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk),
6101 						  nl80211_fam.attrbuf);
6102 		if (IS_ERR(rdev)) {
6103 			mutex_unlock(&cfg80211_mutex);
6104 			return PTR_ERR(rdev);
6105 		}
6106 		phy_idx = rdev->wiphy_idx;
6107 		rdev = NULL;
6108 		mutex_unlock(&cfg80211_mutex);
6109 
6110 		if (nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA])
6111 			cb->args[1] =
6112 				(long)nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA];
6113 	}
6114 
6115 	if (cb->args[1]) {
6116 		data = nla_data((void *)cb->args[1]);
6117 		data_len = nla_len((void *)cb->args[1]);
6118 	}
6119 
6120 	mutex_lock(&cfg80211_mutex);
6121 	rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
6122 	if (!rdev) {
6123 		mutex_unlock(&cfg80211_mutex);
6124 		return -ENOENT;
6125 	}
6126 	cfg80211_lock_rdev(rdev);
6127 	mutex_unlock(&cfg80211_mutex);
6128 
6129 	if (!rdev->ops->testmode_dump) {
6130 		err = -EOPNOTSUPP;
6131 		goto out_err;
6132 	}
6133 
6134 	while (1) {
6135 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
6136 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
6137 					   NL80211_CMD_TESTMODE);
6138 		struct nlattr *tmdata;
6139 
6140 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
6141 			genlmsg_cancel(skb, hdr);
6142 			break;
6143 		}
6144 
6145 		tmdata = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
6146 		if (!tmdata) {
6147 			genlmsg_cancel(skb, hdr);
6148 			break;
6149 		}
6150 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
6151 		nla_nest_end(skb, tmdata);
6152 
6153 		if (err == -ENOBUFS || err == -ENOENT) {
6154 			genlmsg_cancel(skb, hdr);
6155 			break;
6156 		} else if (err) {
6157 			genlmsg_cancel(skb, hdr);
6158 			goto out_err;
6159 		}
6160 
6161 		genlmsg_end(skb, hdr);
6162 	}
6163 
6164 	err = skb->len;
6165 	/* see above */
6166 	cb->args[0] = phy_idx + 1;
6167  out_err:
6168 	cfg80211_unlock_rdev(rdev);
6169 	return err;
6170 }
6171 
6172 static struct sk_buff *
6173 __cfg80211_testmode_alloc_skb(struct cfg80211_registered_device *rdev,
6174 			      int approxlen, u32 portid, u32 seq, gfp_t gfp)
6175 {
6176 	struct sk_buff *skb;
6177 	void *hdr;
6178 	struct nlattr *data;
6179 
6180 	skb = nlmsg_new(approxlen + 100, gfp);
6181 	if (!skb)
6182 		return NULL;
6183 
6184 	hdr = nl80211hdr_put(skb, portid, seq, 0, NL80211_CMD_TESTMODE);
6185 	if (!hdr) {
6186 		kfree_skb(skb);
6187 		return NULL;
6188 	}
6189 
6190 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
6191 		goto nla_put_failure;
6192 	data = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
6193 
6194 	((void **)skb->cb)[0] = rdev;
6195 	((void **)skb->cb)[1] = hdr;
6196 	((void **)skb->cb)[2] = data;
6197 
6198 	return skb;
6199 
6200  nla_put_failure:
6201 	kfree_skb(skb);
6202 	return NULL;
6203 }
6204 
6205 struct sk_buff *cfg80211_testmode_alloc_reply_skb(struct wiphy *wiphy,
6206 						  int approxlen)
6207 {
6208 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
6209 
6210 	if (WARN_ON(!rdev->testmode_info))
6211 		return NULL;
6212 
6213 	return __cfg80211_testmode_alloc_skb(rdev, approxlen,
6214 				rdev->testmode_info->snd_portid,
6215 				rdev->testmode_info->snd_seq,
6216 				GFP_KERNEL);
6217 }
6218 EXPORT_SYMBOL(cfg80211_testmode_alloc_reply_skb);
6219 
6220 int cfg80211_testmode_reply(struct sk_buff *skb)
6221 {
6222 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
6223 	void *hdr = ((void **)skb->cb)[1];
6224 	struct nlattr *data = ((void **)skb->cb)[2];
6225 
6226 	if (WARN_ON(!rdev->testmode_info)) {
6227 		kfree_skb(skb);
6228 		return -EINVAL;
6229 	}
6230 
6231 	nla_nest_end(skb, data);
6232 	genlmsg_end(skb, hdr);
6233 	return genlmsg_reply(skb, rdev->testmode_info);
6234 }
6235 EXPORT_SYMBOL(cfg80211_testmode_reply);
6236 
6237 struct sk_buff *cfg80211_testmode_alloc_event_skb(struct wiphy *wiphy,
6238 						  int approxlen, gfp_t gfp)
6239 {
6240 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
6241 
6242 	return __cfg80211_testmode_alloc_skb(rdev, approxlen, 0, 0, gfp);
6243 }
6244 EXPORT_SYMBOL(cfg80211_testmode_alloc_event_skb);
6245 
6246 void cfg80211_testmode_event(struct sk_buff *skb, gfp_t gfp)
6247 {
6248 	void *hdr = ((void **)skb->cb)[1];
6249 	struct nlattr *data = ((void **)skb->cb)[2];
6250 
6251 	nla_nest_end(skb, data);
6252 	genlmsg_end(skb, hdr);
6253 	genlmsg_multicast(skb, 0, nl80211_testmode_mcgrp.id, gfp);
6254 }
6255 EXPORT_SYMBOL(cfg80211_testmode_event);
6256 #endif
6257 
6258 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
6259 {
6260 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6261 	struct net_device *dev = info->user_ptr[1];
6262 	struct cfg80211_connect_params connect;
6263 	struct wiphy *wiphy;
6264 	struct cfg80211_cached_keys *connkeys = NULL;
6265 	int err;
6266 
6267 	memset(&connect, 0, sizeof(connect));
6268 
6269 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6270 		return -EINVAL;
6271 
6272 	if (!info->attrs[NL80211_ATTR_SSID] ||
6273 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
6274 		return -EINVAL;
6275 
6276 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
6277 		connect.auth_type =
6278 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
6279 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
6280 					     NL80211_CMD_CONNECT))
6281 			return -EINVAL;
6282 	} else
6283 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
6284 
6285 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
6286 
6287 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
6288 				      NL80211_MAX_NR_CIPHER_SUITES);
6289 	if (err)
6290 		return err;
6291 
6292 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6293 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6294 		return -EOPNOTSUPP;
6295 
6296 	wiphy = &rdev->wiphy;
6297 
6298 	connect.bg_scan_period = -1;
6299 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
6300 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
6301 		connect.bg_scan_period =
6302 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
6303 	}
6304 
6305 	if (info->attrs[NL80211_ATTR_MAC])
6306 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6307 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6308 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
6309 
6310 	if (info->attrs[NL80211_ATTR_IE]) {
6311 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6312 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6313 	}
6314 
6315 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
6316 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
6317 		if (connect.mfp != NL80211_MFP_REQUIRED &&
6318 		    connect.mfp != NL80211_MFP_NO)
6319 			return -EINVAL;
6320 	} else {
6321 		connect.mfp = NL80211_MFP_NO;
6322 	}
6323 
6324 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
6325 		connect.channel =
6326 			ieee80211_get_channel(wiphy,
6327 			    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
6328 		if (!connect.channel ||
6329 		    connect.channel->flags & IEEE80211_CHAN_DISABLED)
6330 			return -EINVAL;
6331 	}
6332 
6333 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
6334 		connkeys = nl80211_parse_connkeys(rdev,
6335 					  info->attrs[NL80211_ATTR_KEYS], NULL);
6336 		if (IS_ERR(connkeys))
6337 			return PTR_ERR(connkeys);
6338 	}
6339 
6340 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
6341 		connect.flags |= ASSOC_REQ_DISABLE_HT;
6342 
6343 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
6344 		memcpy(&connect.ht_capa_mask,
6345 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
6346 		       sizeof(connect.ht_capa_mask));
6347 
6348 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
6349 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
6350 			kfree(connkeys);
6351 			return -EINVAL;
6352 		}
6353 		memcpy(&connect.ht_capa,
6354 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
6355 		       sizeof(connect.ht_capa));
6356 	}
6357 
6358 	err = cfg80211_connect(rdev, dev, &connect, connkeys);
6359 	if (err)
6360 		kfree(connkeys);
6361 	return err;
6362 }
6363 
6364 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
6365 {
6366 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6367 	struct net_device *dev = info->user_ptr[1];
6368 	u16 reason;
6369 
6370 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
6371 		reason = WLAN_REASON_DEAUTH_LEAVING;
6372 	else
6373 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
6374 
6375 	if (reason == 0)
6376 		return -EINVAL;
6377 
6378 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6379 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6380 		return -EOPNOTSUPP;
6381 
6382 	return cfg80211_disconnect(rdev, dev, reason, true);
6383 }
6384 
6385 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
6386 {
6387 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6388 	struct net *net;
6389 	int err;
6390 	u32 pid;
6391 
6392 	if (!info->attrs[NL80211_ATTR_PID])
6393 		return -EINVAL;
6394 
6395 	pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
6396 
6397 	net = get_net_ns_by_pid(pid);
6398 	if (IS_ERR(net))
6399 		return PTR_ERR(net);
6400 
6401 	err = 0;
6402 
6403 	/* check if anything to do */
6404 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
6405 		err = cfg80211_switch_netns(rdev, net);
6406 
6407 	put_net(net);
6408 	return err;
6409 }
6410 
6411 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
6412 {
6413 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6414 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
6415 			struct cfg80211_pmksa *pmksa) = NULL;
6416 	struct net_device *dev = info->user_ptr[1];
6417 	struct cfg80211_pmksa pmksa;
6418 
6419 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
6420 
6421 	if (!info->attrs[NL80211_ATTR_MAC])
6422 		return -EINVAL;
6423 
6424 	if (!info->attrs[NL80211_ATTR_PMKID])
6425 		return -EINVAL;
6426 
6427 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
6428 	pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6429 
6430 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6431 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6432 		return -EOPNOTSUPP;
6433 
6434 	switch (info->genlhdr->cmd) {
6435 	case NL80211_CMD_SET_PMKSA:
6436 		rdev_ops = rdev->ops->set_pmksa;
6437 		break;
6438 	case NL80211_CMD_DEL_PMKSA:
6439 		rdev_ops = rdev->ops->del_pmksa;
6440 		break;
6441 	default:
6442 		WARN_ON(1);
6443 		break;
6444 	}
6445 
6446 	if (!rdev_ops)
6447 		return -EOPNOTSUPP;
6448 
6449 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
6450 }
6451 
6452 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
6453 {
6454 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6455 	struct net_device *dev = info->user_ptr[1];
6456 
6457 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6458 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6459 		return -EOPNOTSUPP;
6460 
6461 	if (!rdev->ops->flush_pmksa)
6462 		return -EOPNOTSUPP;
6463 
6464 	return rdev_flush_pmksa(rdev, dev);
6465 }
6466 
6467 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
6468 {
6469 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6470 	struct net_device *dev = info->user_ptr[1];
6471 	u8 action_code, dialog_token;
6472 	u16 status_code;
6473 	u8 *peer;
6474 
6475 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
6476 	    !rdev->ops->tdls_mgmt)
6477 		return -EOPNOTSUPP;
6478 
6479 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
6480 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
6481 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
6482 	    !info->attrs[NL80211_ATTR_IE] ||
6483 	    !info->attrs[NL80211_ATTR_MAC])
6484 		return -EINVAL;
6485 
6486 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
6487 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
6488 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
6489 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
6490 
6491 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
6492 			      dialog_token, status_code,
6493 			      nla_data(info->attrs[NL80211_ATTR_IE]),
6494 			      nla_len(info->attrs[NL80211_ATTR_IE]));
6495 }
6496 
6497 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
6498 {
6499 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6500 	struct net_device *dev = info->user_ptr[1];
6501 	enum nl80211_tdls_operation operation;
6502 	u8 *peer;
6503 
6504 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
6505 	    !rdev->ops->tdls_oper)
6506 		return -EOPNOTSUPP;
6507 
6508 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
6509 	    !info->attrs[NL80211_ATTR_MAC])
6510 		return -EINVAL;
6511 
6512 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
6513 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
6514 
6515 	return rdev_tdls_oper(rdev, dev, peer, operation);
6516 }
6517 
6518 static int nl80211_remain_on_channel(struct sk_buff *skb,
6519 				     struct genl_info *info)
6520 {
6521 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6522 	struct wireless_dev *wdev = info->user_ptr[1];
6523 	struct cfg80211_chan_def chandef;
6524 	struct sk_buff *msg;
6525 	void *hdr;
6526 	u64 cookie;
6527 	u32 duration;
6528 	int err;
6529 
6530 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
6531 	    !info->attrs[NL80211_ATTR_DURATION])
6532 		return -EINVAL;
6533 
6534 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
6535 
6536 	if (!rdev->ops->remain_on_channel ||
6537 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
6538 		return -EOPNOTSUPP;
6539 
6540 	/*
6541 	 * We should be on that channel for at least a minimum amount of
6542 	 * time (10ms) but no longer than the driver supports.
6543 	 */
6544 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
6545 	    duration > rdev->wiphy.max_remain_on_channel_duration)
6546 		return -EINVAL;
6547 
6548 	err = nl80211_parse_chandef(rdev, info, &chandef);
6549 	if (err)
6550 		return err;
6551 
6552 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6553 	if (!msg)
6554 		return -ENOMEM;
6555 
6556 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
6557 			     NL80211_CMD_REMAIN_ON_CHANNEL);
6558 
6559 	if (IS_ERR(hdr)) {
6560 		err = PTR_ERR(hdr);
6561 		goto free_msg;
6562 	}
6563 
6564 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
6565 				     duration, &cookie);
6566 
6567 	if (err)
6568 		goto free_msg;
6569 
6570 	if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
6571 		goto nla_put_failure;
6572 
6573 	genlmsg_end(msg, hdr);
6574 
6575 	return genlmsg_reply(msg, info);
6576 
6577  nla_put_failure:
6578 	err = -ENOBUFS;
6579  free_msg:
6580 	nlmsg_free(msg);
6581 	return err;
6582 }
6583 
6584 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
6585 					    struct genl_info *info)
6586 {
6587 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6588 	struct wireless_dev *wdev = info->user_ptr[1];
6589 	u64 cookie;
6590 
6591 	if (!info->attrs[NL80211_ATTR_COOKIE])
6592 		return -EINVAL;
6593 
6594 	if (!rdev->ops->cancel_remain_on_channel)
6595 		return -EOPNOTSUPP;
6596 
6597 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
6598 
6599 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
6600 }
6601 
6602 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
6603 			   u8 *rates, u8 rates_len)
6604 {
6605 	u8 i;
6606 	u32 mask = 0;
6607 
6608 	for (i = 0; i < rates_len; i++) {
6609 		int rate = (rates[i] & 0x7f) * 5;
6610 		int ridx;
6611 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
6612 			struct ieee80211_rate *srate =
6613 				&sband->bitrates[ridx];
6614 			if (rate == srate->bitrate) {
6615 				mask |= 1 << ridx;
6616 				break;
6617 			}
6618 		}
6619 		if (ridx == sband->n_bitrates)
6620 			return 0; /* rate not found */
6621 	}
6622 
6623 	return mask;
6624 }
6625 
6626 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
6627 			       u8 *rates, u8 rates_len,
6628 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
6629 {
6630 	u8 i;
6631 
6632 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
6633 
6634 	for (i = 0; i < rates_len; i++) {
6635 		int ridx, rbit;
6636 
6637 		ridx = rates[i] / 8;
6638 		rbit = BIT(rates[i] % 8);
6639 
6640 		/* check validity */
6641 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
6642 			return false;
6643 
6644 		/* check availability */
6645 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
6646 			mcs[ridx] |= rbit;
6647 		else
6648 			return false;
6649 	}
6650 
6651 	return true;
6652 }
6653 
6654 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
6655 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
6656 				    .len = NL80211_MAX_SUPP_RATES },
6657 	[NL80211_TXRATE_MCS] = { .type = NLA_BINARY,
6658 				 .len = NL80211_MAX_SUPP_HT_RATES },
6659 };
6660 
6661 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
6662 				       struct genl_info *info)
6663 {
6664 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
6665 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6666 	struct cfg80211_bitrate_mask mask;
6667 	int rem, i;
6668 	struct net_device *dev = info->user_ptr[1];
6669 	struct nlattr *tx_rates;
6670 	struct ieee80211_supported_band *sband;
6671 
6672 	if (info->attrs[NL80211_ATTR_TX_RATES] == NULL)
6673 		return -EINVAL;
6674 
6675 	if (!rdev->ops->set_bitrate_mask)
6676 		return -EOPNOTSUPP;
6677 
6678 	memset(&mask, 0, sizeof(mask));
6679 	/* Default to all rates enabled */
6680 	for (i = 0; i < IEEE80211_NUM_BANDS; i++) {
6681 		sband = rdev->wiphy.bands[i];
6682 		mask.control[i].legacy =
6683 			sband ? (1 << sband->n_bitrates) - 1 : 0;
6684 		if (sband)
6685 			memcpy(mask.control[i].mcs,
6686 			       sband->ht_cap.mcs.rx_mask,
6687 			       sizeof(mask.control[i].mcs));
6688 		else
6689 			memset(mask.control[i].mcs, 0,
6690 			       sizeof(mask.control[i].mcs));
6691 	}
6692 
6693 	/*
6694 	 * The nested attribute uses enum nl80211_band as the index. This maps
6695 	 * directly to the enum ieee80211_band values used in cfg80211.
6696 	 */
6697 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
6698 	nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem)
6699 	{
6700 		enum ieee80211_band band = nla_type(tx_rates);
6701 		if (band < 0 || band >= IEEE80211_NUM_BANDS)
6702 			return -EINVAL;
6703 		sband = rdev->wiphy.bands[band];
6704 		if (sband == NULL)
6705 			return -EINVAL;
6706 		nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates),
6707 			  nla_len(tx_rates), nl80211_txattr_policy);
6708 		if (tb[NL80211_TXRATE_LEGACY]) {
6709 			mask.control[band].legacy = rateset_to_mask(
6710 				sband,
6711 				nla_data(tb[NL80211_TXRATE_LEGACY]),
6712 				nla_len(tb[NL80211_TXRATE_LEGACY]));
6713 			if ((mask.control[band].legacy == 0) &&
6714 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
6715 				return -EINVAL;
6716 		}
6717 		if (tb[NL80211_TXRATE_MCS]) {
6718 			if (!ht_rateset_to_mask(
6719 					sband,
6720 					nla_data(tb[NL80211_TXRATE_MCS]),
6721 					nla_len(tb[NL80211_TXRATE_MCS]),
6722 					mask.control[band].mcs))
6723 				return -EINVAL;
6724 		}
6725 
6726 		if (mask.control[band].legacy == 0) {
6727 			/* don't allow empty legacy rates if HT
6728 			 * is not even supported. */
6729 			if (!rdev->wiphy.bands[band]->ht_cap.ht_supported)
6730 				return -EINVAL;
6731 
6732 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
6733 				if (mask.control[band].mcs[i])
6734 					break;
6735 
6736 			/* legacy and mcs rates may not be both empty */
6737 			if (i == IEEE80211_HT_MCS_MASK_LEN)
6738 				return -EINVAL;
6739 		}
6740 	}
6741 
6742 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
6743 }
6744 
6745 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
6746 {
6747 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6748 	struct wireless_dev *wdev = info->user_ptr[1];
6749 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
6750 
6751 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
6752 		return -EINVAL;
6753 
6754 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
6755 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
6756 
6757 	switch (wdev->iftype) {
6758 	case NL80211_IFTYPE_STATION:
6759 	case NL80211_IFTYPE_ADHOC:
6760 	case NL80211_IFTYPE_P2P_CLIENT:
6761 	case NL80211_IFTYPE_AP:
6762 	case NL80211_IFTYPE_AP_VLAN:
6763 	case NL80211_IFTYPE_MESH_POINT:
6764 	case NL80211_IFTYPE_P2P_GO:
6765 	case NL80211_IFTYPE_P2P_DEVICE:
6766 		break;
6767 	default:
6768 		return -EOPNOTSUPP;
6769 	}
6770 
6771 	/* not much point in registering if we can't reply */
6772 	if (!rdev->ops->mgmt_tx)
6773 		return -EOPNOTSUPP;
6774 
6775 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
6776 			nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
6777 			nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]));
6778 }
6779 
6780 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
6781 {
6782 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6783 	struct wireless_dev *wdev = info->user_ptr[1];
6784 	struct cfg80211_chan_def chandef;
6785 	int err;
6786 	void *hdr = NULL;
6787 	u64 cookie;
6788 	struct sk_buff *msg = NULL;
6789 	unsigned int wait = 0;
6790 	bool offchan, no_cck, dont_wait_for_ack;
6791 
6792 	dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
6793 
6794 	if (!info->attrs[NL80211_ATTR_FRAME])
6795 		return -EINVAL;
6796 
6797 	if (!rdev->ops->mgmt_tx)
6798 		return -EOPNOTSUPP;
6799 
6800 	switch (wdev->iftype) {
6801 	case NL80211_IFTYPE_STATION:
6802 	case NL80211_IFTYPE_ADHOC:
6803 	case NL80211_IFTYPE_P2P_CLIENT:
6804 	case NL80211_IFTYPE_AP:
6805 	case NL80211_IFTYPE_AP_VLAN:
6806 	case NL80211_IFTYPE_MESH_POINT:
6807 	case NL80211_IFTYPE_P2P_GO:
6808 	case NL80211_IFTYPE_P2P_DEVICE:
6809 		break;
6810 	default:
6811 		return -EOPNOTSUPP;
6812 	}
6813 
6814 	if (info->attrs[NL80211_ATTR_DURATION]) {
6815 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
6816 			return -EINVAL;
6817 		wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
6818 
6819 		/*
6820 		 * We should wait on the channel for at least a minimum amount
6821 		 * of time (10ms) but no longer than the driver supports.
6822 		 */
6823 		if (wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
6824 		    wait > rdev->wiphy.max_remain_on_channel_duration)
6825 			return -EINVAL;
6826 
6827 	}
6828 
6829 	offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
6830 
6831 	if (offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
6832 		return -EINVAL;
6833 
6834 	no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
6835 
6836 	err = nl80211_parse_chandef(rdev, info, &chandef);
6837 	if (err)
6838 		return err;
6839 
6840 	if (!dont_wait_for_ack) {
6841 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6842 		if (!msg)
6843 			return -ENOMEM;
6844 
6845 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
6846 				     NL80211_CMD_FRAME);
6847 
6848 		if (IS_ERR(hdr)) {
6849 			err = PTR_ERR(hdr);
6850 			goto free_msg;
6851 		}
6852 	}
6853 
6854 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, chandef.chan, offchan, wait,
6855 				    nla_data(info->attrs[NL80211_ATTR_FRAME]),
6856 				    nla_len(info->attrs[NL80211_ATTR_FRAME]),
6857 				    no_cck, dont_wait_for_ack, &cookie);
6858 	if (err)
6859 		goto free_msg;
6860 
6861 	if (msg) {
6862 		if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
6863 			goto nla_put_failure;
6864 
6865 		genlmsg_end(msg, hdr);
6866 		return genlmsg_reply(msg, info);
6867 	}
6868 
6869 	return 0;
6870 
6871  nla_put_failure:
6872 	err = -ENOBUFS;
6873  free_msg:
6874 	nlmsg_free(msg);
6875 	return err;
6876 }
6877 
6878 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
6879 {
6880 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6881 	struct wireless_dev *wdev = info->user_ptr[1];
6882 	u64 cookie;
6883 
6884 	if (!info->attrs[NL80211_ATTR_COOKIE])
6885 		return -EINVAL;
6886 
6887 	if (!rdev->ops->mgmt_tx_cancel_wait)
6888 		return -EOPNOTSUPP;
6889 
6890 	switch (wdev->iftype) {
6891 	case NL80211_IFTYPE_STATION:
6892 	case NL80211_IFTYPE_ADHOC:
6893 	case NL80211_IFTYPE_P2P_CLIENT:
6894 	case NL80211_IFTYPE_AP:
6895 	case NL80211_IFTYPE_AP_VLAN:
6896 	case NL80211_IFTYPE_P2P_GO:
6897 	case NL80211_IFTYPE_P2P_DEVICE:
6898 		break;
6899 	default:
6900 		return -EOPNOTSUPP;
6901 	}
6902 
6903 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
6904 
6905 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
6906 }
6907 
6908 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
6909 {
6910 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6911 	struct wireless_dev *wdev;
6912 	struct net_device *dev = info->user_ptr[1];
6913 	u8 ps_state;
6914 	bool state;
6915 	int err;
6916 
6917 	if (!info->attrs[NL80211_ATTR_PS_STATE])
6918 		return -EINVAL;
6919 
6920 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
6921 
6922 	if (ps_state != NL80211_PS_DISABLED && ps_state != NL80211_PS_ENABLED)
6923 		return -EINVAL;
6924 
6925 	wdev = dev->ieee80211_ptr;
6926 
6927 	if (!rdev->ops->set_power_mgmt)
6928 		return -EOPNOTSUPP;
6929 
6930 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
6931 
6932 	if (state == wdev->ps)
6933 		return 0;
6934 
6935 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
6936 	if (!err)
6937 		wdev->ps = state;
6938 	return err;
6939 }
6940 
6941 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
6942 {
6943 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6944 	enum nl80211_ps_state ps_state;
6945 	struct wireless_dev *wdev;
6946 	struct net_device *dev = info->user_ptr[1];
6947 	struct sk_buff *msg;
6948 	void *hdr;
6949 	int err;
6950 
6951 	wdev = dev->ieee80211_ptr;
6952 
6953 	if (!rdev->ops->set_power_mgmt)
6954 		return -EOPNOTSUPP;
6955 
6956 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6957 	if (!msg)
6958 		return -ENOMEM;
6959 
6960 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
6961 			     NL80211_CMD_GET_POWER_SAVE);
6962 	if (!hdr) {
6963 		err = -ENOBUFS;
6964 		goto free_msg;
6965 	}
6966 
6967 	if (wdev->ps)
6968 		ps_state = NL80211_PS_ENABLED;
6969 	else
6970 		ps_state = NL80211_PS_DISABLED;
6971 
6972 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
6973 		goto nla_put_failure;
6974 
6975 	genlmsg_end(msg, hdr);
6976 	return genlmsg_reply(msg, info);
6977 
6978  nla_put_failure:
6979 	err = -ENOBUFS;
6980  free_msg:
6981 	nlmsg_free(msg);
6982 	return err;
6983 }
6984 
6985 static struct nla_policy
6986 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] __read_mostly = {
6987 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_U32 },
6988 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
6989 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
6990 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
6991 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
6992 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
6993 };
6994 
6995 static int nl80211_set_cqm_txe(struct genl_info *info,
6996 			       u32 rate, u32 pkts, u32 intvl)
6997 {
6998 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6999 	struct wireless_dev *wdev;
7000 	struct net_device *dev = info->user_ptr[1];
7001 
7002 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
7003 		return -EINVAL;
7004 
7005 	wdev = dev->ieee80211_ptr;
7006 
7007 	if (!rdev->ops->set_cqm_txe_config)
7008 		return -EOPNOTSUPP;
7009 
7010 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
7011 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
7012 		return -EOPNOTSUPP;
7013 
7014 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
7015 }
7016 
7017 static int nl80211_set_cqm_rssi(struct genl_info *info,
7018 				s32 threshold, u32 hysteresis)
7019 {
7020 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7021 	struct wireless_dev *wdev;
7022 	struct net_device *dev = info->user_ptr[1];
7023 
7024 	if (threshold > 0)
7025 		return -EINVAL;
7026 
7027 	wdev = dev->ieee80211_ptr;
7028 
7029 	if (!rdev->ops->set_cqm_rssi_config)
7030 		return -EOPNOTSUPP;
7031 
7032 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
7033 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
7034 		return -EOPNOTSUPP;
7035 
7036 	return rdev_set_cqm_rssi_config(rdev, dev, threshold, hysteresis);
7037 }
7038 
7039 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
7040 {
7041 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
7042 	struct nlattr *cqm;
7043 	int err;
7044 
7045 	cqm = info->attrs[NL80211_ATTR_CQM];
7046 	if (!cqm) {
7047 		err = -EINVAL;
7048 		goto out;
7049 	}
7050 
7051 	err = nla_parse_nested(attrs, NL80211_ATTR_CQM_MAX, cqm,
7052 			       nl80211_attr_cqm_policy);
7053 	if (err)
7054 		goto out;
7055 
7056 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
7057 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
7058 		s32 threshold;
7059 		u32 hysteresis;
7060 		threshold = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
7061 		hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
7062 		err = nl80211_set_cqm_rssi(info, threshold, hysteresis);
7063 	} else if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
7064 		   attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
7065 		   attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
7066 		u32 rate, pkts, intvl;
7067 		rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
7068 		pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
7069 		intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
7070 		err = nl80211_set_cqm_txe(info, rate, pkts, intvl);
7071 	} else
7072 		err = -EINVAL;
7073 
7074 out:
7075 	return err;
7076 }
7077 
7078 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
7079 {
7080 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7081 	struct net_device *dev = info->user_ptr[1];
7082 	struct mesh_config cfg;
7083 	struct mesh_setup setup;
7084 	int err;
7085 
7086 	/* start with default */
7087 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
7088 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
7089 
7090 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
7091 		/* and parse parameters if given */
7092 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
7093 		if (err)
7094 			return err;
7095 	}
7096 
7097 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
7098 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
7099 		return -EINVAL;
7100 
7101 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
7102 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
7103 
7104 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
7105 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
7106 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
7107 			return -EINVAL;
7108 
7109 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
7110 		setup.beacon_interval =
7111 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
7112 		if (setup.beacon_interval < 10 ||
7113 		    setup.beacon_interval > 10000)
7114 			return -EINVAL;
7115 	}
7116 
7117 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
7118 		setup.dtim_period =
7119 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
7120 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
7121 			return -EINVAL;
7122 	}
7123 
7124 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
7125 		/* parse additional setup parameters if given */
7126 		err = nl80211_parse_mesh_setup(info, &setup);
7127 		if (err)
7128 			return err;
7129 	}
7130 
7131 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
7132 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
7133 		if (err)
7134 			return err;
7135 	} else {
7136 		/* cfg80211_join_mesh() will sort it out */
7137 		setup.chandef.chan = NULL;
7138 	}
7139 
7140 	return cfg80211_join_mesh(rdev, dev, &setup, &cfg);
7141 }
7142 
7143 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
7144 {
7145 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7146 	struct net_device *dev = info->user_ptr[1];
7147 
7148 	return cfg80211_leave_mesh(rdev, dev);
7149 }
7150 
7151 #ifdef CONFIG_PM
7152 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
7153 					struct cfg80211_registered_device *rdev)
7154 {
7155 	struct nlattr *nl_pats, *nl_pat;
7156 	int i, pat_len;
7157 
7158 	if (!rdev->wowlan->n_patterns)
7159 		return 0;
7160 
7161 	nl_pats = nla_nest_start(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
7162 	if (!nl_pats)
7163 		return -ENOBUFS;
7164 
7165 	for (i = 0; i < rdev->wowlan->n_patterns; i++) {
7166 		nl_pat = nla_nest_start(msg, i + 1);
7167 		if (!nl_pat)
7168 			return -ENOBUFS;
7169 		pat_len = rdev->wowlan->patterns[i].pattern_len;
7170 		if (nla_put(msg, NL80211_WOWLAN_PKTPAT_MASK,
7171 			    DIV_ROUND_UP(pat_len, 8),
7172 			    rdev->wowlan->patterns[i].mask) ||
7173 		    nla_put(msg, NL80211_WOWLAN_PKTPAT_PATTERN,
7174 			    pat_len, rdev->wowlan->patterns[i].pattern) ||
7175 		    nla_put_u32(msg, NL80211_WOWLAN_PKTPAT_OFFSET,
7176 				rdev->wowlan->patterns[i].pkt_offset))
7177 			return -ENOBUFS;
7178 		nla_nest_end(msg, nl_pat);
7179 	}
7180 	nla_nest_end(msg, nl_pats);
7181 
7182 	return 0;
7183 }
7184 
7185 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
7186 				   struct cfg80211_wowlan_tcp *tcp)
7187 {
7188 	struct nlattr *nl_tcp;
7189 
7190 	if (!tcp)
7191 		return 0;
7192 
7193 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
7194 	if (!nl_tcp)
7195 		return -ENOBUFS;
7196 
7197 	if (nla_put_be32(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
7198 	    nla_put_be32(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
7199 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
7200 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
7201 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
7202 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
7203 		    tcp->payload_len, tcp->payload) ||
7204 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
7205 			tcp->data_interval) ||
7206 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
7207 		    tcp->wake_len, tcp->wake_data) ||
7208 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
7209 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
7210 		return -ENOBUFS;
7211 
7212 	if (tcp->payload_seq.len &&
7213 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
7214 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
7215 		return -ENOBUFS;
7216 
7217 	if (tcp->payload_tok.len &&
7218 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
7219 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
7220 		    &tcp->payload_tok))
7221 		return -ENOBUFS;
7222 
7223 	return 0;
7224 }
7225 
7226 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
7227 {
7228 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7229 	struct sk_buff *msg;
7230 	void *hdr;
7231 	u32 size = NLMSG_DEFAULT_SIZE;
7232 
7233 	if (!rdev->wiphy.wowlan.flags && !rdev->wiphy.wowlan.n_patterns &&
7234 	    !rdev->wiphy.wowlan.tcp)
7235 		return -EOPNOTSUPP;
7236 
7237 	if (rdev->wowlan && rdev->wowlan->tcp) {
7238 		/* adjust size to have room for all the data */
7239 		size += rdev->wowlan->tcp->tokens_size +
7240 			rdev->wowlan->tcp->payload_len +
7241 			rdev->wowlan->tcp->wake_len +
7242 			rdev->wowlan->tcp->wake_len / 8;
7243 	}
7244 
7245 	msg = nlmsg_new(size, GFP_KERNEL);
7246 	if (!msg)
7247 		return -ENOMEM;
7248 
7249 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7250 			     NL80211_CMD_GET_WOWLAN);
7251 	if (!hdr)
7252 		goto nla_put_failure;
7253 
7254 	if (rdev->wowlan) {
7255 		struct nlattr *nl_wowlan;
7256 
7257 		nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
7258 		if (!nl_wowlan)
7259 			goto nla_put_failure;
7260 
7261 		if ((rdev->wowlan->any &&
7262 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
7263 		    (rdev->wowlan->disconnect &&
7264 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
7265 		    (rdev->wowlan->magic_pkt &&
7266 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
7267 		    (rdev->wowlan->gtk_rekey_failure &&
7268 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
7269 		    (rdev->wowlan->eap_identity_req &&
7270 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
7271 		    (rdev->wowlan->four_way_handshake &&
7272 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
7273 		    (rdev->wowlan->rfkill_release &&
7274 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
7275 			goto nla_put_failure;
7276 
7277 		if (nl80211_send_wowlan_patterns(msg, rdev))
7278 			goto nla_put_failure;
7279 
7280 		if (nl80211_send_wowlan_tcp(msg, rdev->wowlan->tcp))
7281 			goto nla_put_failure;
7282 
7283 		nla_nest_end(msg, nl_wowlan);
7284 	}
7285 
7286 	genlmsg_end(msg, hdr);
7287 	return genlmsg_reply(msg, info);
7288 
7289 nla_put_failure:
7290 	nlmsg_free(msg);
7291 	return -ENOBUFS;
7292 }
7293 
7294 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
7295 				    struct nlattr *attr,
7296 				    struct cfg80211_wowlan *trig)
7297 {
7298 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
7299 	struct cfg80211_wowlan_tcp *cfg;
7300 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
7301 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
7302 	u32 size;
7303 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
7304 	int err, port;
7305 
7306 	if (!rdev->wiphy.wowlan.tcp)
7307 		return -EINVAL;
7308 
7309 	err = nla_parse(tb, MAX_NL80211_WOWLAN_TCP,
7310 			nla_data(attr), nla_len(attr),
7311 			nl80211_wowlan_tcp_policy);
7312 	if (err)
7313 		return err;
7314 
7315 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
7316 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
7317 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
7318 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
7319 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
7320 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
7321 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
7322 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
7323 		return -EINVAL;
7324 
7325 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
7326 	if (data_size > rdev->wiphy.wowlan.tcp->data_payload_max)
7327 		return -EINVAL;
7328 
7329 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
7330 			rdev->wiphy.wowlan.tcp->data_interval_max)
7331 		return -EINVAL;
7332 
7333 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
7334 	if (wake_size > rdev->wiphy.wowlan.tcp->wake_payload_max)
7335 		return -EINVAL;
7336 
7337 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
7338 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
7339 		return -EINVAL;
7340 
7341 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
7342 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
7343 
7344 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
7345 		tokens_size = tokln - sizeof(*tok);
7346 
7347 		if (!tok->len || tokens_size % tok->len)
7348 			return -EINVAL;
7349 		if (!rdev->wiphy.wowlan.tcp->tok)
7350 			return -EINVAL;
7351 		if (tok->len > rdev->wiphy.wowlan.tcp->tok->max_len)
7352 			return -EINVAL;
7353 		if (tok->len < rdev->wiphy.wowlan.tcp->tok->min_len)
7354 			return -EINVAL;
7355 		if (tokens_size > rdev->wiphy.wowlan.tcp->tok->bufsize)
7356 			return -EINVAL;
7357 		if (tok->offset + tok->len > data_size)
7358 			return -EINVAL;
7359 	}
7360 
7361 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
7362 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
7363 		if (!rdev->wiphy.wowlan.tcp->seq)
7364 			return -EINVAL;
7365 		if (seq->len == 0 || seq->len > 4)
7366 			return -EINVAL;
7367 		if (seq->len + seq->offset > data_size)
7368 			return -EINVAL;
7369 	}
7370 
7371 	size = sizeof(*cfg);
7372 	size += data_size;
7373 	size += wake_size + wake_mask_size;
7374 	size += tokens_size;
7375 
7376 	cfg = kzalloc(size, GFP_KERNEL);
7377 	if (!cfg)
7378 		return -ENOMEM;
7379 	cfg->src = nla_get_be32(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
7380 	cfg->dst = nla_get_be32(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
7381 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
7382 	       ETH_ALEN);
7383 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
7384 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
7385 	else
7386 		port = 0;
7387 #ifdef CONFIG_INET
7388 	/* allocate a socket and port for it and use it */
7389 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
7390 			    IPPROTO_TCP, &cfg->sock, 1);
7391 	if (err) {
7392 		kfree(cfg);
7393 		return err;
7394 	}
7395 	if (inet_csk_get_port(cfg->sock->sk, port)) {
7396 		sock_release(cfg->sock);
7397 		kfree(cfg);
7398 		return -EADDRINUSE;
7399 	}
7400 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
7401 #else
7402 	if (!port) {
7403 		kfree(cfg);
7404 		return -EINVAL;
7405 	}
7406 	cfg->src_port = port;
7407 #endif
7408 
7409 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
7410 	cfg->payload_len = data_size;
7411 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
7412 	memcpy((void *)cfg->payload,
7413 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
7414 	       data_size);
7415 	if (seq)
7416 		cfg->payload_seq = *seq;
7417 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
7418 	cfg->wake_len = wake_size;
7419 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
7420 	memcpy((void *)cfg->wake_data,
7421 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
7422 	       wake_size);
7423 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
7424 			 data_size + wake_size;
7425 	memcpy((void *)cfg->wake_mask,
7426 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
7427 	       wake_mask_size);
7428 	if (tok) {
7429 		cfg->tokens_size = tokens_size;
7430 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
7431 	}
7432 
7433 	trig->tcp = cfg;
7434 
7435 	return 0;
7436 }
7437 
7438 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
7439 {
7440 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7441 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
7442 	struct cfg80211_wowlan new_triggers = {};
7443 	struct cfg80211_wowlan *ntrig;
7444 	struct wiphy_wowlan_support *wowlan = &rdev->wiphy.wowlan;
7445 	int err, i;
7446 	bool prev_enabled = rdev->wowlan;
7447 
7448 	if (!rdev->wiphy.wowlan.flags && !rdev->wiphy.wowlan.n_patterns &&
7449 	    !rdev->wiphy.wowlan.tcp)
7450 		return -EOPNOTSUPP;
7451 
7452 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
7453 		cfg80211_rdev_free_wowlan(rdev);
7454 		rdev->wowlan = NULL;
7455 		goto set_wakeup;
7456 	}
7457 
7458 	err = nla_parse(tb, MAX_NL80211_WOWLAN_TRIG,
7459 			nla_data(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
7460 			nla_len(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
7461 			nl80211_wowlan_policy);
7462 	if (err)
7463 		return err;
7464 
7465 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
7466 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
7467 			return -EINVAL;
7468 		new_triggers.any = true;
7469 	}
7470 
7471 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
7472 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
7473 			return -EINVAL;
7474 		new_triggers.disconnect = true;
7475 	}
7476 
7477 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
7478 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
7479 			return -EINVAL;
7480 		new_triggers.magic_pkt = true;
7481 	}
7482 
7483 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
7484 		return -EINVAL;
7485 
7486 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
7487 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
7488 			return -EINVAL;
7489 		new_triggers.gtk_rekey_failure = true;
7490 	}
7491 
7492 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
7493 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
7494 			return -EINVAL;
7495 		new_triggers.eap_identity_req = true;
7496 	}
7497 
7498 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
7499 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
7500 			return -EINVAL;
7501 		new_triggers.four_way_handshake = true;
7502 	}
7503 
7504 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
7505 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
7506 			return -EINVAL;
7507 		new_triggers.rfkill_release = true;
7508 	}
7509 
7510 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
7511 		struct nlattr *pat;
7512 		int n_patterns = 0;
7513 		int rem, pat_len, mask_len, pkt_offset;
7514 		struct nlattr *pat_tb[NUM_NL80211_WOWLAN_PKTPAT];
7515 
7516 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
7517 				    rem)
7518 			n_patterns++;
7519 		if (n_patterns > wowlan->n_patterns)
7520 			return -EINVAL;
7521 
7522 		new_triggers.patterns = kcalloc(n_patterns,
7523 						sizeof(new_triggers.patterns[0]),
7524 						GFP_KERNEL);
7525 		if (!new_triggers.patterns)
7526 			return -ENOMEM;
7527 
7528 		new_triggers.n_patterns = n_patterns;
7529 		i = 0;
7530 
7531 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
7532 				    rem) {
7533 			nla_parse(pat_tb, MAX_NL80211_WOWLAN_PKTPAT,
7534 				  nla_data(pat), nla_len(pat), NULL);
7535 			err = -EINVAL;
7536 			if (!pat_tb[NL80211_WOWLAN_PKTPAT_MASK] ||
7537 			    !pat_tb[NL80211_WOWLAN_PKTPAT_PATTERN])
7538 				goto error;
7539 			pat_len = nla_len(pat_tb[NL80211_WOWLAN_PKTPAT_PATTERN]);
7540 			mask_len = DIV_ROUND_UP(pat_len, 8);
7541 			if (nla_len(pat_tb[NL80211_WOWLAN_PKTPAT_MASK]) !=
7542 			    mask_len)
7543 				goto error;
7544 			if (pat_len > wowlan->pattern_max_len ||
7545 			    pat_len < wowlan->pattern_min_len)
7546 				goto error;
7547 
7548 			if (!pat_tb[NL80211_WOWLAN_PKTPAT_OFFSET])
7549 				pkt_offset = 0;
7550 			else
7551 				pkt_offset = nla_get_u32(
7552 					pat_tb[NL80211_WOWLAN_PKTPAT_OFFSET]);
7553 			if (pkt_offset > wowlan->max_pkt_offset)
7554 				goto error;
7555 			new_triggers.patterns[i].pkt_offset = pkt_offset;
7556 
7557 			new_triggers.patterns[i].mask =
7558 				kmalloc(mask_len + pat_len, GFP_KERNEL);
7559 			if (!new_triggers.patterns[i].mask) {
7560 				err = -ENOMEM;
7561 				goto error;
7562 			}
7563 			new_triggers.patterns[i].pattern =
7564 				new_triggers.patterns[i].mask + mask_len;
7565 			memcpy(new_triggers.patterns[i].mask,
7566 			       nla_data(pat_tb[NL80211_WOWLAN_PKTPAT_MASK]),
7567 			       mask_len);
7568 			new_triggers.patterns[i].pattern_len = pat_len;
7569 			memcpy(new_triggers.patterns[i].pattern,
7570 			       nla_data(pat_tb[NL80211_WOWLAN_PKTPAT_PATTERN]),
7571 			       pat_len);
7572 			i++;
7573 		}
7574 	}
7575 
7576 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
7577 		err = nl80211_parse_wowlan_tcp(
7578 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
7579 			&new_triggers);
7580 		if (err)
7581 			goto error;
7582 	}
7583 
7584 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
7585 	if (!ntrig) {
7586 		err = -ENOMEM;
7587 		goto error;
7588 	}
7589 	cfg80211_rdev_free_wowlan(rdev);
7590 	rdev->wowlan = ntrig;
7591 
7592  set_wakeup:
7593 	if (rdev->ops->set_wakeup && prev_enabled != !!rdev->wowlan)
7594 		rdev_set_wakeup(rdev, rdev->wowlan);
7595 
7596 	return 0;
7597  error:
7598 	for (i = 0; i < new_triggers.n_patterns; i++)
7599 		kfree(new_triggers.patterns[i].mask);
7600 	kfree(new_triggers.patterns);
7601 	if (new_triggers.tcp && new_triggers.tcp->sock)
7602 		sock_release(new_triggers.tcp->sock);
7603 	kfree(new_triggers.tcp);
7604 	return err;
7605 }
7606 #endif
7607 
7608 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
7609 {
7610 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7611 	struct net_device *dev = info->user_ptr[1];
7612 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7613 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
7614 	struct cfg80211_gtk_rekey_data rekey_data;
7615 	int err;
7616 
7617 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
7618 		return -EINVAL;
7619 
7620 	err = nla_parse(tb, MAX_NL80211_REKEY_DATA,
7621 			nla_data(info->attrs[NL80211_ATTR_REKEY_DATA]),
7622 			nla_len(info->attrs[NL80211_ATTR_REKEY_DATA]),
7623 			nl80211_rekey_policy);
7624 	if (err)
7625 		return err;
7626 
7627 	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
7628 		return -ERANGE;
7629 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
7630 		return -ERANGE;
7631 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN)
7632 		return -ERANGE;
7633 
7634 	memcpy(rekey_data.kek, nla_data(tb[NL80211_REKEY_DATA_KEK]),
7635 	       NL80211_KEK_LEN);
7636 	memcpy(rekey_data.kck, nla_data(tb[NL80211_REKEY_DATA_KCK]),
7637 	       NL80211_KCK_LEN);
7638 	memcpy(rekey_data.replay_ctr,
7639 	       nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]),
7640 	       NL80211_REPLAY_CTR_LEN);
7641 
7642 	wdev_lock(wdev);
7643 	if (!wdev->current_bss) {
7644 		err = -ENOTCONN;
7645 		goto out;
7646 	}
7647 
7648 	if (!rdev->ops->set_rekey_data) {
7649 		err = -EOPNOTSUPP;
7650 		goto out;
7651 	}
7652 
7653 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
7654  out:
7655 	wdev_unlock(wdev);
7656 	return err;
7657 }
7658 
7659 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
7660 					     struct genl_info *info)
7661 {
7662 	struct net_device *dev = info->user_ptr[1];
7663 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7664 
7665 	if (wdev->iftype != NL80211_IFTYPE_AP &&
7666 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
7667 		return -EINVAL;
7668 
7669 	if (wdev->ap_unexpected_nlportid)
7670 		return -EBUSY;
7671 
7672 	wdev->ap_unexpected_nlportid = info->snd_portid;
7673 	return 0;
7674 }
7675 
7676 static int nl80211_probe_client(struct sk_buff *skb,
7677 				struct genl_info *info)
7678 {
7679 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7680 	struct net_device *dev = info->user_ptr[1];
7681 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7682 	struct sk_buff *msg;
7683 	void *hdr;
7684 	const u8 *addr;
7685 	u64 cookie;
7686 	int err;
7687 
7688 	if (wdev->iftype != NL80211_IFTYPE_AP &&
7689 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
7690 		return -EOPNOTSUPP;
7691 
7692 	if (!info->attrs[NL80211_ATTR_MAC])
7693 		return -EINVAL;
7694 
7695 	if (!rdev->ops->probe_client)
7696 		return -EOPNOTSUPP;
7697 
7698 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7699 	if (!msg)
7700 		return -ENOMEM;
7701 
7702 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7703 			     NL80211_CMD_PROBE_CLIENT);
7704 
7705 	if (IS_ERR(hdr)) {
7706 		err = PTR_ERR(hdr);
7707 		goto free_msg;
7708 	}
7709 
7710 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7711 
7712 	err = rdev_probe_client(rdev, dev, addr, &cookie);
7713 	if (err)
7714 		goto free_msg;
7715 
7716 	if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
7717 		goto nla_put_failure;
7718 
7719 	genlmsg_end(msg, hdr);
7720 
7721 	return genlmsg_reply(msg, info);
7722 
7723  nla_put_failure:
7724 	err = -ENOBUFS;
7725  free_msg:
7726 	nlmsg_free(msg);
7727 	return err;
7728 }
7729 
7730 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
7731 {
7732 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7733 	struct cfg80211_beacon_registration *reg, *nreg;
7734 	int rv;
7735 
7736 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
7737 		return -EOPNOTSUPP;
7738 
7739 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
7740 	if (!nreg)
7741 		return -ENOMEM;
7742 
7743 	/* First, check if already registered. */
7744 	spin_lock_bh(&rdev->beacon_registrations_lock);
7745 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
7746 		if (reg->nlportid == info->snd_portid) {
7747 			rv = -EALREADY;
7748 			goto out_err;
7749 		}
7750 	}
7751 	/* Add it to the list */
7752 	nreg->nlportid = info->snd_portid;
7753 	list_add(&nreg->list, &rdev->beacon_registrations);
7754 
7755 	spin_unlock_bh(&rdev->beacon_registrations_lock);
7756 
7757 	return 0;
7758 out_err:
7759 	spin_unlock_bh(&rdev->beacon_registrations_lock);
7760 	kfree(nreg);
7761 	return rv;
7762 }
7763 
7764 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
7765 {
7766 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7767 	struct wireless_dev *wdev = info->user_ptr[1];
7768 	int err;
7769 
7770 	if (!rdev->ops->start_p2p_device)
7771 		return -EOPNOTSUPP;
7772 
7773 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
7774 		return -EOPNOTSUPP;
7775 
7776 	if (wdev->p2p_started)
7777 		return 0;
7778 
7779 	mutex_lock(&rdev->devlist_mtx);
7780 	err = cfg80211_can_add_interface(rdev, wdev->iftype);
7781 	mutex_unlock(&rdev->devlist_mtx);
7782 	if (err)
7783 		return err;
7784 
7785 	err = rdev_start_p2p_device(rdev, wdev);
7786 	if (err)
7787 		return err;
7788 
7789 	wdev->p2p_started = true;
7790 	mutex_lock(&rdev->devlist_mtx);
7791 	rdev->opencount++;
7792 	mutex_unlock(&rdev->devlist_mtx);
7793 
7794 	return 0;
7795 }
7796 
7797 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
7798 {
7799 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7800 	struct wireless_dev *wdev = info->user_ptr[1];
7801 
7802 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
7803 		return -EOPNOTSUPP;
7804 
7805 	if (!rdev->ops->stop_p2p_device)
7806 		return -EOPNOTSUPP;
7807 
7808 	if (!wdev->p2p_started)
7809 		return 0;
7810 
7811 	rdev_stop_p2p_device(rdev, wdev);
7812 	wdev->p2p_started = false;
7813 
7814 	mutex_lock(&rdev->devlist_mtx);
7815 	rdev->opencount--;
7816 	mutex_unlock(&rdev->devlist_mtx);
7817 
7818 	if (WARN_ON(rdev->scan_req && rdev->scan_req->wdev == wdev)) {
7819 		rdev->scan_req->aborted = true;
7820 		___cfg80211_scan_done(rdev, true);
7821 	}
7822 
7823 	return 0;
7824 }
7825 
7826 #define NL80211_FLAG_NEED_WIPHY		0x01
7827 #define NL80211_FLAG_NEED_NETDEV	0x02
7828 #define NL80211_FLAG_NEED_RTNL		0x04
7829 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
7830 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
7831 					 NL80211_FLAG_CHECK_NETDEV_UP)
7832 #define NL80211_FLAG_NEED_WDEV		0x10
7833 /* If a netdev is associated, it must be UP, P2P must be started */
7834 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
7835 					 NL80211_FLAG_CHECK_NETDEV_UP)
7836 
7837 static int nl80211_pre_doit(struct genl_ops *ops, struct sk_buff *skb,
7838 			    struct genl_info *info)
7839 {
7840 	struct cfg80211_registered_device *rdev;
7841 	struct wireless_dev *wdev;
7842 	struct net_device *dev;
7843 	bool rtnl = ops->internal_flags & NL80211_FLAG_NEED_RTNL;
7844 
7845 	if (rtnl)
7846 		rtnl_lock();
7847 
7848 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
7849 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
7850 		if (IS_ERR(rdev)) {
7851 			if (rtnl)
7852 				rtnl_unlock();
7853 			return PTR_ERR(rdev);
7854 		}
7855 		info->user_ptr[0] = rdev;
7856 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
7857 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
7858 		mutex_lock(&cfg80211_mutex);
7859 		wdev = __cfg80211_wdev_from_attrs(genl_info_net(info),
7860 						  info->attrs);
7861 		if (IS_ERR(wdev)) {
7862 			mutex_unlock(&cfg80211_mutex);
7863 			if (rtnl)
7864 				rtnl_unlock();
7865 			return PTR_ERR(wdev);
7866 		}
7867 
7868 		dev = wdev->netdev;
7869 		rdev = wiphy_to_dev(wdev->wiphy);
7870 
7871 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
7872 			if (!dev) {
7873 				mutex_unlock(&cfg80211_mutex);
7874 				if (rtnl)
7875 					rtnl_unlock();
7876 				return -EINVAL;
7877 			}
7878 
7879 			info->user_ptr[1] = dev;
7880 		} else {
7881 			info->user_ptr[1] = wdev;
7882 		}
7883 
7884 		if (dev) {
7885 			if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
7886 			    !netif_running(dev)) {
7887 				mutex_unlock(&cfg80211_mutex);
7888 				if (rtnl)
7889 					rtnl_unlock();
7890 				return -ENETDOWN;
7891 			}
7892 
7893 			dev_hold(dev);
7894 		} else if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP) {
7895 			if (!wdev->p2p_started) {
7896 				mutex_unlock(&cfg80211_mutex);
7897 				if (rtnl)
7898 					rtnl_unlock();
7899 				return -ENETDOWN;
7900 			}
7901 		}
7902 
7903 		cfg80211_lock_rdev(rdev);
7904 
7905 		mutex_unlock(&cfg80211_mutex);
7906 
7907 		info->user_ptr[0] = rdev;
7908 	}
7909 
7910 	return 0;
7911 }
7912 
7913 static void nl80211_post_doit(struct genl_ops *ops, struct sk_buff *skb,
7914 			      struct genl_info *info)
7915 {
7916 	if (info->user_ptr[0])
7917 		cfg80211_unlock_rdev(info->user_ptr[0]);
7918 	if (info->user_ptr[1]) {
7919 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
7920 			struct wireless_dev *wdev = info->user_ptr[1];
7921 
7922 			if (wdev->netdev)
7923 				dev_put(wdev->netdev);
7924 		} else {
7925 			dev_put(info->user_ptr[1]);
7926 		}
7927 	}
7928 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
7929 		rtnl_unlock();
7930 }
7931 
7932 static struct genl_ops nl80211_ops[] = {
7933 	{
7934 		.cmd = NL80211_CMD_GET_WIPHY,
7935 		.doit = nl80211_get_wiphy,
7936 		.dumpit = nl80211_dump_wiphy,
7937 		.policy = nl80211_policy,
7938 		/* can be retrieved by unprivileged users */
7939 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
7940 	},
7941 	{
7942 		.cmd = NL80211_CMD_SET_WIPHY,
7943 		.doit = nl80211_set_wiphy,
7944 		.policy = nl80211_policy,
7945 		.flags = GENL_ADMIN_PERM,
7946 		.internal_flags = NL80211_FLAG_NEED_RTNL,
7947 	},
7948 	{
7949 		.cmd = NL80211_CMD_GET_INTERFACE,
7950 		.doit = nl80211_get_interface,
7951 		.dumpit = nl80211_dump_interface,
7952 		.policy = nl80211_policy,
7953 		/* can be retrieved by unprivileged users */
7954 		.internal_flags = NL80211_FLAG_NEED_WDEV,
7955 	},
7956 	{
7957 		.cmd = NL80211_CMD_SET_INTERFACE,
7958 		.doit = nl80211_set_interface,
7959 		.policy = nl80211_policy,
7960 		.flags = GENL_ADMIN_PERM,
7961 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
7962 				  NL80211_FLAG_NEED_RTNL,
7963 	},
7964 	{
7965 		.cmd = NL80211_CMD_NEW_INTERFACE,
7966 		.doit = nl80211_new_interface,
7967 		.policy = nl80211_policy,
7968 		.flags = GENL_ADMIN_PERM,
7969 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
7970 				  NL80211_FLAG_NEED_RTNL,
7971 	},
7972 	{
7973 		.cmd = NL80211_CMD_DEL_INTERFACE,
7974 		.doit = nl80211_del_interface,
7975 		.policy = nl80211_policy,
7976 		.flags = GENL_ADMIN_PERM,
7977 		.internal_flags = NL80211_FLAG_NEED_WDEV |
7978 				  NL80211_FLAG_NEED_RTNL,
7979 	},
7980 	{
7981 		.cmd = NL80211_CMD_GET_KEY,
7982 		.doit = nl80211_get_key,
7983 		.policy = nl80211_policy,
7984 		.flags = GENL_ADMIN_PERM,
7985 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
7986 				  NL80211_FLAG_NEED_RTNL,
7987 	},
7988 	{
7989 		.cmd = NL80211_CMD_SET_KEY,
7990 		.doit = nl80211_set_key,
7991 		.policy = nl80211_policy,
7992 		.flags = GENL_ADMIN_PERM,
7993 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
7994 				  NL80211_FLAG_NEED_RTNL,
7995 	},
7996 	{
7997 		.cmd = NL80211_CMD_NEW_KEY,
7998 		.doit = nl80211_new_key,
7999 		.policy = nl80211_policy,
8000 		.flags = GENL_ADMIN_PERM,
8001 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8002 				  NL80211_FLAG_NEED_RTNL,
8003 	},
8004 	{
8005 		.cmd = NL80211_CMD_DEL_KEY,
8006 		.doit = nl80211_del_key,
8007 		.policy = nl80211_policy,
8008 		.flags = GENL_ADMIN_PERM,
8009 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8010 				  NL80211_FLAG_NEED_RTNL,
8011 	},
8012 	{
8013 		.cmd = NL80211_CMD_SET_BEACON,
8014 		.policy = nl80211_policy,
8015 		.flags = GENL_ADMIN_PERM,
8016 		.doit = nl80211_set_beacon,
8017 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8018 				  NL80211_FLAG_NEED_RTNL,
8019 	},
8020 	{
8021 		.cmd = NL80211_CMD_START_AP,
8022 		.policy = nl80211_policy,
8023 		.flags = GENL_ADMIN_PERM,
8024 		.doit = nl80211_start_ap,
8025 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8026 				  NL80211_FLAG_NEED_RTNL,
8027 	},
8028 	{
8029 		.cmd = NL80211_CMD_STOP_AP,
8030 		.policy = nl80211_policy,
8031 		.flags = GENL_ADMIN_PERM,
8032 		.doit = nl80211_stop_ap,
8033 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8034 				  NL80211_FLAG_NEED_RTNL,
8035 	},
8036 	{
8037 		.cmd = NL80211_CMD_GET_STATION,
8038 		.doit = nl80211_get_station,
8039 		.dumpit = nl80211_dump_station,
8040 		.policy = nl80211_policy,
8041 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8042 				  NL80211_FLAG_NEED_RTNL,
8043 	},
8044 	{
8045 		.cmd = NL80211_CMD_SET_STATION,
8046 		.doit = nl80211_set_station,
8047 		.policy = nl80211_policy,
8048 		.flags = GENL_ADMIN_PERM,
8049 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8050 				  NL80211_FLAG_NEED_RTNL,
8051 	},
8052 	{
8053 		.cmd = NL80211_CMD_NEW_STATION,
8054 		.doit = nl80211_new_station,
8055 		.policy = nl80211_policy,
8056 		.flags = GENL_ADMIN_PERM,
8057 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8058 				  NL80211_FLAG_NEED_RTNL,
8059 	},
8060 	{
8061 		.cmd = NL80211_CMD_DEL_STATION,
8062 		.doit = nl80211_del_station,
8063 		.policy = nl80211_policy,
8064 		.flags = GENL_ADMIN_PERM,
8065 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8066 				  NL80211_FLAG_NEED_RTNL,
8067 	},
8068 	{
8069 		.cmd = NL80211_CMD_GET_MPATH,
8070 		.doit = nl80211_get_mpath,
8071 		.dumpit = nl80211_dump_mpath,
8072 		.policy = nl80211_policy,
8073 		.flags = GENL_ADMIN_PERM,
8074 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8075 				  NL80211_FLAG_NEED_RTNL,
8076 	},
8077 	{
8078 		.cmd = NL80211_CMD_SET_MPATH,
8079 		.doit = nl80211_set_mpath,
8080 		.policy = nl80211_policy,
8081 		.flags = GENL_ADMIN_PERM,
8082 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8083 				  NL80211_FLAG_NEED_RTNL,
8084 	},
8085 	{
8086 		.cmd = NL80211_CMD_NEW_MPATH,
8087 		.doit = nl80211_new_mpath,
8088 		.policy = nl80211_policy,
8089 		.flags = GENL_ADMIN_PERM,
8090 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8091 				  NL80211_FLAG_NEED_RTNL,
8092 	},
8093 	{
8094 		.cmd = NL80211_CMD_DEL_MPATH,
8095 		.doit = nl80211_del_mpath,
8096 		.policy = nl80211_policy,
8097 		.flags = GENL_ADMIN_PERM,
8098 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8099 				  NL80211_FLAG_NEED_RTNL,
8100 	},
8101 	{
8102 		.cmd = NL80211_CMD_SET_BSS,
8103 		.doit = nl80211_set_bss,
8104 		.policy = nl80211_policy,
8105 		.flags = GENL_ADMIN_PERM,
8106 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8107 				  NL80211_FLAG_NEED_RTNL,
8108 	},
8109 	{
8110 		.cmd = NL80211_CMD_GET_REG,
8111 		.doit = nl80211_get_reg,
8112 		.policy = nl80211_policy,
8113 		/* can be retrieved by unprivileged users */
8114 	},
8115 	{
8116 		.cmd = NL80211_CMD_SET_REG,
8117 		.doit = nl80211_set_reg,
8118 		.policy = nl80211_policy,
8119 		.flags = GENL_ADMIN_PERM,
8120 	},
8121 	{
8122 		.cmd = NL80211_CMD_REQ_SET_REG,
8123 		.doit = nl80211_req_set_reg,
8124 		.policy = nl80211_policy,
8125 		.flags = GENL_ADMIN_PERM,
8126 	},
8127 	{
8128 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
8129 		.doit = nl80211_get_mesh_config,
8130 		.policy = nl80211_policy,
8131 		/* can be retrieved by unprivileged users */
8132 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8133 				  NL80211_FLAG_NEED_RTNL,
8134 	},
8135 	{
8136 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
8137 		.doit = nl80211_update_mesh_config,
8138 		.policy = nl80211_policy,
8139 		.flags = GENL_ADMIN_PERM,
8140 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8141 				  NL80211_FLAG_NEED_RTNL,
8142 	},
8143 	{
8144 		.cmd = NL80211_CMD_TRIGGER_SCAN,
8145 		.doit = nl80211_trigger_scan,
8146 		.policy = nl80211_policy,
8147 		.flags = GENL_ADMIN_PERM,
8148 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
8149 				  NL80211_FLAG_NEED_RTNL,
8150 	},
8151 	{
8152 		.cmd = NL80211_CMD_GET_SCAN,
8153 		.policy = nl80211_policy,
8154 		.dumpit = nl80211_dump_scan,
8155 	},
8156 	{
8157 		.cmd = NL80211_CMD_START_SCHED_SCAN,
8158 		.doit = nl80211_start_sched_scan,
8159 		.policy = nl80211_policy,
8160 		.flags = GENL_ADMIN_PERM,
8161 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8162 				  NL80211_FLAG_NEED_RTNL,
8163 	},
8164 	{
8165 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
8166 		.doit = nl80211_stop_sched_scan,
8167 		.policy = nl80211_policy,
8168 		.flags = GENL_ADMIN_PERM,
8169 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8170 				  NL80211_FLAG_NEED_RTNL,
8171 	},
8172 	{
8173 		.cmd = NL80211_CMD_AUTHENTICATE,
8174 		.doit = nl80211_authenticate,
8175 		.policy = nl80211_policy,
8176 		.flags = GENL_ADMIN_PERM,
8177 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8178 				  NL80211_FLAG_NEED_RTNL,
8179 	},
8180 	{
8181 		.cmd = NL80211_CMD_ASSOCIATE,
8182 		.doit = nl80211_associate,
8183 		.policy = nl80211_policy,
8184 		.flags = GENL_ADMIN_PERM,
8185 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8186 				  NL80211_FLAG_NEED_RTNL,
8187 	},
8188 	{
8189 		.cmd = NL80211_CMD_DEAUTHENTICATE,
8190 		.doit = nl80211_deauthenticate,
8191 		.policy = nl80211_policy,
8192 		.flags = GENL_ADMIN_PERM,
8193 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8194 				  NL80211_FLAG_NEED_RTNL,
8195 	},
8196 	{
8197 		.cmd = NL80211_CMD_DISASSOCIATE,
8198 		.doit = nl80211_disassociate,
8199 		.policy = nl80211_policy,
8200 		.flags = GENL_ADMIN_PERM,
8201 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8202 				  NL80211_FLAG_NEED_RTNL,
8203 	},
8204 	{
8205 		.cmd = NL80211_CMD_JOIN_IBSS,
8206 		.doit = nl80211_join_ibss,
8207 		.policy = nl80211_policy,
8208 		.flags = GENL_ADMIN_PERM,
8209 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8210 				  NL80211_FLAG_NEED_RTNL,
8211 	},
8212 	{
8213 		.cmd = NL80211_CMD_LEAVE_IBSS,
8214 		.doit = nl80211_leave_ibss,
8215 		.policy = nl80211_policy,
8216 		.flags = GENL_ADMIN_PERM,
8217 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8218 				  NL80211_FLAG_NEED_RTNL,
8219 	},
8220 #ifdef CONFIG_NL80211_TESTMODE
8221 	{
8222 		.cmd = NL80211_CMD_TESTMODE,
8223 		.doit = nl80211_testmode_do,
8224 		.dumpit = nl80211_testmode_dump,
8225 		.policy = nl80211_policy,
8226 		.flags = GENL_ADMIN_PERM,
8227 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
8228 				  NL80211_FLAG_NEED_RTNL,
8229 	},
8230 #endif
8231 	{
8232 		.cmd = NL80211_CMD_CONNECT,
8233 		.doit = nl80211_connect,
8234 		.policy = nl80211_policy,
8235 		.flags = GENL_ADMIN_PERM,
8236 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8237 				  NL80211_FLAG_NEED_RTNL,
8238 	},
8239 	{
8240 		.cmd = NL80211_CMD_DISCONNECT,
8241 		.doit = nl80211_disconnect,
8242 		.policy = nl80211_policy,
8243 		.flags = GENL_ADMIN_PERM,
8244 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8245 				  NL80211_FLAG_NEED_RTNL,
8246 	},
8247 	{
8248 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
8249 		.doit = nl80211_wiphy_netns,
8250 		.policy = nl80211_policy,
8251 		.flags = GENL_ADMIN_PERM,
8252 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
8253 				  NL80211_FLAG_NEED_RTNL,
8254 	},
8255 	{
8256 		.cmd = NL80211_CMD_GET_SURVEY,
8257 		.policy = nl80211_policy,
8258 		.dumpit = nl80211_dump_survey,
8259 	},
8260 	{
8261 		.cmd = NL80211_CMD_SET_PMKSA,
8262 		.doit = nl80211_setdel_pmksa,
8263 		.policy = nl80211_policy,
8264 		.flags = GENL_ADMIN_PERM,
8265 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8266 				  NL80211_FLAG_NEED_RTNL,
8267 	},
8268 	{
8269 		.cmd = NL80211_CMD_DEL_PMKSA,
8270 		.doit = nl80211_setdel_pmksa,
8271 		.policy = nl80211_policy,
8272 		.flags = GENL_ADMIN_PERM,
8273 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8274 				  NL80211_FLAG_NEED_RTNL,
8275 	},
8276 	{
8277 		.cmd = NL80211_CMD_FLUSH_PMKSA,
8278 		.doit = nl80211_flush_pmksa,
8279 		.policy = nl80211_policy,
8280 		.flags = GENL_ADMIN_PERM,
8281 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8282 				  NL80211_FLAG_NEED_RTNL,
8283 	},
8284 	{
8285 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
8286 		.doit = nl80211_remain_on_channel,
8287 		.policy = nl80211_policy,
8288 		.flags = GENL_ADMIN_PERM,
8289 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
8290 				  NL80211_FLAG_NEED_RTNL,
8291 	},
8292 	{
8293 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
8294 		.doit = nl80211_cancel_remain_on_channel,
8295 		.policy = nl80211_policy,
8296 		.flags = GENL_ADMIN_PERM,
8297 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
8298 				  NL80211_FLAG_NEED_RTNL,
8299 	},
8300 	{
8301 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
8302 		.doit = nl80211_set_tx_bitrate_mask,
8303 		.policy = nl80211_policy,
8304 		.flags = GENL_ADMIN_PERM,
8305 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8306 				  NL80211_FLAG_NEED_RTNL,
8307 	},
8308 	{
8309 		.cmd = NL80211_CMD_REGISTER_FRAME,
8310 		.doit = nl80211_register_mgmt,
8311 		.policy = nl80211_policy,
8312 		.flags = GENL_ADMIN_PERM,
8313 		.internal_flags = NL80211_FLAG_NEED_WDEV |
8314 				  NL80211_FLAG_NEED_RTNL,
8315 	},
8316 	{
8317 		.cmd = NL80211_CMD_FRAME,
8318 		.doit = nl80211_tx_mgmt,
8319 		.policy = nl80211_policy,
8320 		.flags = GENL_ADMIN_PERM,
8321 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
8322 				  NL80211_FLAG_NEED_RTNL,
8323 	},
8324 	{
8325 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
8326 		.doit = nl80211_tx_mgmt_cancel_wait,
8327 		.policy = nl80211_policy,
8328 		.flags = GENL_ADMIN_PERM,
8329 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
8330 				  NL80211_FLAG_NEED_RTNL,
8331 	},
8332 	{
8333 		.cmd = NL80211_CMD_SET_POWER_SAVE,
8334 		.doit = nl80211_set_power_save,
8335 		.policy = nl80211_policy,
8336 		.flags = GENL_ADMIN_PERM,
8337 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8338 				  NL80211_FLAG_NEED_RTNL,
8339 	},
8340 	{
8341 		.cmd = NL80211_CMD_GET_POWER_SAVE,
8342 		.doit = nl80211_get_power_save,
8343 		.policy = nl80211_policy,
8344 		/* can be retrieved by unprivileged users */
8345 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8346 				  NL80211_FLAG_NEED_RTNL,
8347 	},
8348 	{
8349 		.cmd = NL80211_CMD_SET_CQM,
8350 		.doit = nl80211_set_cqm,
8351 		.policy = nl80211_policy,
8352 		.flags = GENL_ADMIN_PERM,
8353 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8354 				  NL80211_FLAG_NEED_RTNL,
8355 	},
8356 	{
8357 		.cmd = NL80211_CMD_SET_CHANNEL,
8358 		.doit = nl80211_set_channel,
8359 		.policy = nl80211_policy,
8360 		.flags = GENL_ADMIN_PERM,
8361 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8362 				  NL80211_FLAG_NEED_RTNL,
8363 	},
8364 	{
8365 		.cmd = NL80211_CMD_SET_WDS_PEER,
8366 		.doit = nl80211_set_wds_peer,
8367 		.policy = nl80211_policy,
8368 		.flags = GENL_ADMIN_PERM,
8369 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8370 				  NL80211_FLAG_NEED_RTNL,
8371 	},
8372 	{
8373 		.cmd = NL80211_CMD_JOIN_MESH,
8374 		.doit = nl80211_join_mesh,
8375 		.policy = nl80211_policy,
8376 		.flags = GENL_ADMIN_PERM,
8377 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8378 				  NL80211_FLAG_NEED_RTNL,
8379 	},
8380 	{
8381 		.cmd = NL80211_CMD_LEAVE_MESH,
8382 		.doit = nl80211_leave_mesh,
8383 		.policy = nl80211_policy,
8384 		.flags = GENL_ADMIN_PERM,
8385 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8386 				  NL80211_FLAG_NEED_RTNL,
8387 	},
8388 #ifdef CONFIG_PM
8389 	{
8390 		.cmd = NL80211_CMD_GET_WOWLAN,
8391 		.doit = nl80211_get_wowlan,
8392 		.policy = nl80211_policy,
8393 		/* can be retrieved by unprivileged users */
8394 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
8395 				  NL80211_FLAG_NEED_RTNL,
8396 	},
8397 	{
8398 		.cmd = NL80211_CMD_SET_WOWLAN,
8399 		.doit = nl80211_set_wowlan,
8400 		.policy = nl80211_policy,
8401 		.flags = GENL_ADMIN_PERM,
8402 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
8403 				  NL80211_FLAG_NEED_RTNL,
8404 	},
8405 #endif
8406 	{
8407 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
8408 		.doit = nl80211_set_rekey_data,
8409 		.policy = nl80211_policy,
8410 		.flags = GENL_ADMIN_PERM,
8411 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8412 				  NL80211_FLAG_NEED_RTNL,
8413 	},
8414 	{
8415 		.cmd = NL80211_CMD_TDLS_MGMT,
8416 		.doit = nl80211_tdls_mgmt,
8417 		.policy = nl80211_policy,
8418 		.flags = GENL_ADMIN_PERM,
8419 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8420 				  NL80211_FLAG_NEED_RTNL,
8421 	},
8422 	{
8423 		.cmd = NL80211_CMD_TDLS_OPER,
8424 		.doit = nl80211_tdls_oper,
8425 		.policy = nl80211_policy,
8426 		.flags = GENL_ADMIN_PERM,
8427 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8428 				  NL80211_FLAG_NEED_RTNL,
8429 	},
8430 	{
8431 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
8432 		.doit = nl80211_register_unexpected_frame,
8433 		.policy = nl80211_policy,
8434 		.flags = GENL_ADMIN_PERM,
8435 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8436 				  NL80211_FLAG_NEED_RTNL,
8437 	},
8438 	{
8439 		.cmd = NL80211_CMD_PROBE_CLIENT,
8440 		.doit = nl80211_probe_client,
8441 		.policy = nl80211_policy,
8442 		.flags = GENL_ADMIN_PERM,
8443 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8444 				  NL80211_FLAG_NEED_RTNL,
8445 	},
8446 	{
8447 		.cmd = NL80211_CMD_REGISTER_BEACONS,
8448 		.doit = nl80211_register_beacons,
8449 		.policy = nl80211_policy,
8450 		.flags = GENL_ADMIN_PERM,
8451 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
8452 				  NL80211_FLAG_NEED_RTNL,
8453 	},
8454 	{
8455 		.cmd = NL80211_CMD_SET_NOACK_MAP,
8456 		.doit = nl80211_set_noack_map,
8457 		.policy = nl80211_policy,
8458 		.flags = GENL_ADMIN_PERM,
8459 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8460 				  NL80211_FLAG_NEED_RTNL,
8461 	},
8462 	{
8463 		.cmd = NL80211_CMD_START_P2P_DEVICE,
8464 		.doit = nl80211_start_p2p_device,
8465 		.policy = nl80211_policy,
8466 		.flags = GENL_ADMIN_PERM,
8467 		.internal_flags = NL80211_FLAG_NEED_WDEV |
8468 				  NL80211_FLAG_NEED_RTNL,
8469 	},
8470 	{
8471 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
8472 		.doit = nl80211_stop_p2p_device,
8473 		.policy = nl80211_policy,
8474 		.flags = GENL_ADMIN_PERM,
8475 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
8476 				  NL80211_FLAG_NEED_RTNL,
8477 	},
8478 	{
8479 		.cmd = NL80211_CMD_SET_MCAST_RATE,
8480 		.doit = nl80211_set_mcast_rate,
8481 		.policy = nl80211_policy,
8482 		.flags = GENL_ADMIN_PERM,
8483 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8484 				  NL80211_FLAG_NEED_RTNL,
8485 	},
8486 	{
8487 		.cmd = NL80211_CMD_SET_MAC_ACL,
8488 		.doit = nl80211_set_mac_acl,
8489 		.policy = nl80211_policy,
8490 		.flags = GENL_ADMIN_PERM,
8491 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
8492 				  NL80211_FLAG_NEED_RTNL,
8493 	},
8494 	{
8495 		.cmd = NL80211_CMD_RADAR_DETECT,
8496 		.doit = nl80211_start_radar_detection,
8497 		.policy = nl80211_policy,
8498 		.flags = GENL_ADMIN_PERM,
8499 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
8500 				  NL80211_FLAG_NEED_RTNL,
8501 	},
8502 };
8503 
8504 static struct genl_multicast_group nl80211_mlme_mcgrp = {
8505 	.name = "mlme",
8506 };
8507 
8508 /* multicast groups */
8509 static struct genl_multicast_group nl80211_config_mcgrp = {
8510 	.name = "config",
8511 };
8512 static struct genl_multicast_group nl80211_scan_mcgrp = {
8513 	.name = "scan",
8514 };
8515 static struct genl_multicast_group nl80211_regulatory_mcgrp = {
8516 	.name = "regulatory",
8517 };
8518 
8519 /* notification functions */
8520 
8521 void nl80211_notify_dev_rename(struct cfg80211_registered_device *rdev)
8522 {
8523 	struct sk_buff *msg;
8524 
8525 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8526 	if (!msg)
8527 		return;
8528 
8529 	if (nl80211_send_wiphy(msg, 0, 0, 0, rdev) < 0) {
8530 		nlmsg_free(msg);
8531 		return;
8532 	}
8533 
8534 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
8535 				nl80211_config_mcgrp.id, GFP_KERNEL);
8536 }
8537 
8538 static int nl80211_add_scan_req(struct sk_buff *msg,
8539 				struct cfg80211_registered_device *rdev)
8540 {
8541 	struct cfg80211_scan_request *req = rdev->scan_req;
8542 	struct nlattr *nest;
8543 	int i;
8544 
8545 	ASSERT_RDEV_LOCK(rdev);
8546 
8547 	if (WARN_ON(!req))
8548 		return 0;
8549 
8550 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_SSIDS);
8551 	if (!nest)
8552 		goto nla_put_failure;
8553 	for (i = 0; i < req->n_ssids; i++) {
8554 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
8555 			goto nla_put_failure;
8556 	}
8557 	nla_nest_end(msg, nest);
8558 
8559 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
8560 	if (!nest)
8561 		goto nla_put_failure;
8562 	for (i = 0; i < req->n_channels; i++) {
8563 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
8564 			goto nla_put_failure;
8565 	}
8566 	nla_nest_end(msg, nest);
8567 
8568 	if (req->ie &&
8569 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
8570 		goto nla_put_failure;
8571 
8572 	if (req->flags)
8573 		nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags);
8574 
8575 	return 0;
8576  nla_put_failure:
8577 	return -ENOBUFS;
8578 }
8579 
8580 static int nl80211_send_scan_msg(struct sk_buff *msg,
8581 				 struct cfg80211_registered_device *rdev,
8582 				 struct wireless_dev *wdev,
8583 				 u32 portid, u32 seq, int flags,
8584 				 u32 cmd)
8585 {
8586 	void *hdr;
8587 
8588 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
8589 	if (!hdr)
8590 		return -1;
8591 
8592 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
8593 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
8594 					 wdev->netdev->ifindex)) ||
8595 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
8596 		goto nla_put_failure;
8597 
8598 	/* ignore errors and send incomplete event anyway */
8599 	nl80211_add_scan_req(msg, rdev);
8600 
8601 	return genlmsg_end(msg, hdr);
8602 
8603  nla_put_failure:
8604 	genlmsg_cancel(msg, hdr);
8605 	return -EMSGSIZE;
8606 }
8607 
8608 static int
8609 nl80211_send_sched_scan_msg(struct sk_buff *msg,
8610 			    struct cfg80211_registered_device *rdev,
8611 			    struct net_device *netdev,
8612 			    u32 portid, u32 seq, int flags, u32 cmd)
8613 {
8614 	void *hdr;
8615 
8616 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
8617 	if (!hdr)
8618 		return -1;
8619 
8620 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
8621 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
8622 		goto nla_put_failure;
8623 
8624 	return genlmsg_end(msg, hdr);
8625 
8626  nla_put_failure:
8627 	genlmsg_cancel(msg, hdr);
8628 	return -EMSGSIZE;
8629 }
8630 
8631 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
8632 			     struct wireless_dev *wdev)
8633 {
8634 	struct sk_buff *msg;
8635 
8636 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8637 	if (!msg)
8638 		return;
8639 
8640 	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
8641 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
8642 		nlmsg_free(msg);
8643 		return;
8644 	}
8645 
8646 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
8647 				nl80211_scan_mcgrp.id, GFP_KERNEL);
8648 }
8649 
8650 void nl80211_send_scan_done(struct cfg80211_registered_device *rdev,
8651 			    struct wireless_dev *wdev)
8652 {
8653 	struct sk_buff *msg;
8654 
8655 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8656 	if (!msg)
8657 		return;
8658 
8659 	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
8660 				  NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
8661 		nlmsg_free(msg);
8662 		return;
8663 	}
8664 
8665 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
8666 				nl80211_scan_mcgrp.id, GFP_KERNEL);
8667 }
8668 
8669 void nl80211_send_scan_aborted(struct cfg80211_registered_device *rdev,
8670 			       struct wireless_dev *wdev)
8671 {
8672 	struct sk_buff *msg;
8673 
8674 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8675 	if (!msg)
8676 		return;
8677 
8678 	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
8679 				  NL80211_CMD_SCAN_ABORTED) < 0) {
8680 		nlmsg_free(msg);
8681 		return;
8682 	}
8683 
8684 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
8685 				nl80211_scan_mcgrp.id, GFP_KERNEL);
8686 }
8687 
8688 void nl80211_send_sched_scan_results(struct cfg80211_registered_device *rdev,
8689 				     struct net_device *netdev)
8690 {
8691 	struct sk_buff *msg;
8692 
8693 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8694 	if (!msg)
8695 		return;
8696 
8697 	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0,
8698 					NL80211_CMD_SCHED_SCAN_RESULTS) < 0) {
8699 		nlmsg_free(msg);
8700 		return;
8701 	}
8702 
8703 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
8704 				nl80211_scan_mcgrp.id, GFP_KERNEL);
8705 }
8706 
8707 void nl80211_send_sched_scan(struct cfg80211_registered_device *rdev,
8708 			     struct net_device *netdev, u32 cmd)
8709 {
8710 	struct sk_buff *msg;
8711 
8712 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8713 	if (!msg)
8714 		return;
8715 
8716 	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0, cmd) < 0) {
8717 		nlmsg_free(msg);
8718 		return;
8719 	}
8720 
8721 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
8722 				nl80211_scan_mcgrp.id, GFP_KERNEL);
8723 }
8724 
8725 /*
8726  * This can happen on global regulatory changes or device specific settings
8727  * based on custom world regulatory domains.
8728  */
8729 void nl80211_send_reg_change_event(struct regulatory_request *request)
8730 {
8731 	struct sk_buff *msg;
8732 	void *hdr;
8733 
8734 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8735 	if (!msg)
8736 		return;
8737 
8738 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_CHANGE);
8739 	if (!hdr) {
8740 		nlmsg_free(msg);
8741 		return;
8742 	}
8743 
8744 	/* Userspace can always count this one always being set */
8745 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
8746 		goto nla_put_failure;
8747 
8748 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
8749 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
8750 			       NL80211_REGDOM_TYPE_WORLD))
8751 			goto nla_put_failure;
8752 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
8753 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
8754 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
8755 			goto nla_put_failure;
8756 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
8757 		   request->intersect) {
8758 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
8759 			       NL80211_REGDOM_TYPE_INTERSECTION))
8760 			goto nla_put_failure;
8761 	} else {
8762 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
8763 			       NL80211_REGDOM_TYPE_COUNTRY) ||
8764 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
8765 				   request->alpha2))
8766 			goto nla_put_failure;
8767 	}
8768 
8769 	if (request->wiphy_idx != WIPHY_IDX_INVALID &&
8770 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
8771 		goto nla_put_failure;
8772 
8773 	genlmsg_end(msg, hdr);
8774 
8775 	rcu_read_lock();
8776 	genlmsg_multicast_allns(msg, 0, nl80211_regulatory_mcgrp.id,
8777 				GFP_ATOMIC);
8778 	rcu_read_unlock();
8779 
8780 	return;
8781 
8782 nla_put_failure:
8783 	genlmsg_cancel(msg, hdr);
8784 	nlmsg_free(msg);
8785 }
8786 
8787 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
8788 				    struct net_device *netdev,
8789 				    const u8 *buf, size_t len,
8790 				    enum nl80211_commands cmd, gfp_t gfp)
8791 {
8792 	struct sk_buff *msg;
8793 	void *hdr;
8794 
8795 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
8796 	if (!msg)
8797 		return;
8798 
8799 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
8800 	if (!hdr) {
8801 		nlmsg_free(msg);
8802 		return;
8803 	}
8804 
8805 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
8806 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
8807 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf))
8808 		goto nla_put_failure;
8809 
8810 	genlmsg_end(msg, hdr);
8811 
8812 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
8813 				nl80211_mlme_mcgrp.id, gfp);
8814 	return;
8815 
8816  nla_put_failure:
8817 	genlmsg_cancel(msg, hdr);
8818 	nlmsg_free(msg);
8819 }
8820 
8821 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
8822 			  struct net_device *netdev, const u8 *buf,
8823 			  size_t len, gfp_t gfp)
8824 {
8825 	nl80211_send_mlme_event(rdev, netdev, buf, len,
8826 				NL80211_CMD_AUTHENTICATE, gfp);
8827 }
8828 
8829 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
8830 			   struct net_device *netdev, const u8 *buf,
8831 			   size_t len, gfp_t gfp)
8832 {
8833 	nl80211_send_mlme_event(rdev, netdev, buf, len,
8834 				NL80211_CMD_ASSOCIATE, gfp);
8835 }
8836 
8837 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
8838 			 struct net_device *netdev, const u8 *buf,
8839 			 size_t len, gfp_t gfp)
8840 {
8841 	nl80211_send_mlme_event(rdev, netdev, buf, len,
8842 				NL80211_CMD_DEAUTHENTICATE, gfp);
8843 }
8844 
8845 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
8846 			   struct net_device *netdev, const u8 *buf,
8847 			   size_t len, gfp_t gfp)
8848 {
8849 	nl80211_send_mlme_event(rdev, netdev, buf, len,
8850 				NL80211_CMD_DISASSOCIATE, gfp);
8851 }
8852 
8853 void nl80211_send_unprot_deauth(struct cfg80211_registered_device *rdev,
8854 				struct net_device *netdev, const u8 *buf,
8855 				size_t len, gfp_t gfp)
8856 {
8857 	nl80211_send_mlme_event(rdev, netdev, buf, len,
8858 				NL80211_CMD_UNPROT_DEAUTHENTICATE, gfp);
8859 }
8860 
8861 void nl80211_send_unprot_disassoc(struct cfg80211_registered_device *rdev,
8862 				  struct net_device *netdev, const u8 *buf,
8863 				  size_t len, gfp_t gfp)
8864 {
8865 	nl80211_send_mlme_event(rdev, netdev, buf, len,
8866 				NL80211_CMD_UNPROT_DISASSOCIATE, gfp);
8867 }
8868 
8869 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
8870 				      struct net_device *netdev, int cmd,
8871 				      const u8 *addr, gfp_t gfp)
8872 {
8873 	struct sk_buff *msg;
8874 	void *hdr;
8875 
8876 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
8877 	if (!msg)
8878 		return;
8879 
8880 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
8881 	if (!hdr) {
8882 		nlmsg_free(msg);
8883 		return;
8884 	}
8885 
8886 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
8887 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
8888 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
8889 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
8890 		goto nla_put_failure;
8891 
8892 	genlmsg_end(msg, hdr);
8893 
8894 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
8895 				nl80211_mlme_mcgrp.id, gfp);
8896 	return;
8897 
8898  nla_put_failure:
8899 	genlmsg_cancel(msg, hdr);
8900 	nlmsg_free(msg);
8901 }
8902 
8903 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
8904 			       struct net_device *netdev, const u8 *addr,
8905 			       gfp_t gfp)
8906 {
8907 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
8908 				  addr, gfp);
8909 }
8910 
8911 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
8912 				struct net_device *netdev, const u8 *addr,
8913 				gfp_t gfp)
8914 {
8915 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
8916 				  addr, gfp);
8917 }
8918 
8919 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
8920 				 struct net_device *netdev, const u8 *bssid,
8921 				 const u8 *req_ie, size_t req_ie_len,
8922 				 const u8 *resp_ie, size_t resp_ie_len,
8923 				 u16 status, gfp_t gfp)
8924 {
8925 	struct sk_buff *msg;
8926 	void *hdr;
8927 
8928 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
8929 	if (!msg)
8930 		return;
8931 
8932 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
8933 	if (!hdr) {
8934 		nlmsg_free(msg);
8935 		return;
8936 	}
8937 
8938 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
8939 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
8940 	    (bssid && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid)) ||
8941 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE, status) ||
8942 	    (req_ie &&
8943 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
8944 	    (resp_ie &&
8945 	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
8946 		goto nla_put_failure;
8947 
8948 	genlmsg_end(msg, hdr);
8949 
8950 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
8951 				nl80211_mlme_mcgrp.id, gfp);
8952 	return;
8953 
8954  nla_put_failure:
8955 	genlmsg_cancel(msg, hdr);
8956 	nlmsg_free(msg);
8957 
8958 }
8959 
8960 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
8961 			 struct net_device *netdev, const u8 *bssid,
8962 			 const u8 *req_ie, size_t req_ie_len,
8963 			 const u8 *resp_ie, size_t resp_ie_len, gfp_t gfp)
8964 {
8965 	struct sk_buff *msg;
8966 	void *hdr;
8967 
8968 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
8969 	if (!msg)
8970 		return;
8971 
8972 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
8973 	if (!hdr) {
8974 		nlmsg_free(msg);
8975 		return;
8976 	}
8977 
8978 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
8979 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
8980 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
8981 	    (req_ie &&
8982 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
8983 	    (resp_ie &&
8984 	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
8985 		goto nla_put_failure;
8986 
8987 	genlmsg_end(msg, hdr);
8988 
8989 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
8990 				nl80211_mlme_mcgrp.id, gfp);
8991 	return;
8992 
8993  nla_put_failure:
8994 	genlmsg_cancel(msg, hdr);
8995 	nlmsg_free(msg);
8996 
8997 }
8998 
8999 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
9000 			       struct net_device *netdev, u16 reason,
9001 			       const u8 *ie, size_t ie_len, bool from_ap)
9002 {
9003 	struct sk_buff *msg;
9004 	void *hdr;
9005 
9006 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9007 	if (!msg)
9008 		return;
9009 
9010 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
9011 	if (!hdr) {
9012 		nlmsg_free(msg);
9013 		return;
9014 	}
9015 
9016 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9017 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
9018 	    (from_ap && reason &&
9019 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
9020 	    (from_ap &&
9021 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
9022 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
9023 		goto nla_put_failure;
9024 
9025 	genlmsg_end(msg, hdr);
9026 
9027 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9028 				nl80211_mlme_mcgrp.id, GFP_KERNEL);
9029 	return;
9030 
9031  nla_put_failure:
9032 	genlmsg_cancel(msg, hdr);
9033 	nlmsg_free(msg);
9034 
9035 }
9036 
9037 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
9038 			     struct net_device *netdev, const u8 *bssid,
9039 			     gfp_t gfp)
9040 {
9041 	struct sk_buff *msg;
9042 	void *hdr;
9043 
9044 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9045 	if (!msg)
9046 		return;
9047 
9048 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
9049 	if (!hdr) {
9050 		nlmsg_free(msg);
9051 		return;
9052 	}
9053 
9054 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9055 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
9056 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
9057 		goto nla_put_failure;
9058 
9059 	genlmsg_end(msg, hdr);
9060 
9061 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9062 				nl80211_mlme_mcgrp.id, gfp);
9063 	return;
9064 
9065  nla_put_failure:
9066 	genlmsg_cancel(msg, hdr);
9067 	nlmsg_free(msg);
9068 }
9069 
9070 void nl80211_send_new_peer_candidate(struct cfg80211_registered_device *rdev,
9071 		struct net_device *netdev,
9072 		const u8 *macaddr, const u8* ie, u8 ie_len,
9073 		gfp_t gfp)
9074 {
9075 	struct sk_buff *msg;
9076 	void *hdr;
9077 
9078 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9079 	if (!msg)
9080 		return;
9081 
9082 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
9083 	if (!hdr) {
9084 		nlmsg_free(msg);
9085 		return;
9086 	}
9087 
9088 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9089 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
9090 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, macaddr) ||
9091 	    (ie_len && ie &&
9092 	     nla_put(msg, NL80211_ATTR_IE, ie_len , ie)))
9093 		goto nla_put_failure;
9094 
9095 	genlmsg_end(msg, hdr);
9096 
9097 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9098 				nl80211_mlme_mcgrp.id, gfp);
9099 	return;
9100 
9101  nla_put_failure:
9102 	genlmsg_cancel(msg, hdr);
9103 	nlmsg_free(msg);
9104 }
9105 
9106 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
9107 				 struct net_device *netdev, const u8 *addr,
9108 				 enum nl80211_key_type key_type, int key_id,
9109 				 const u8 *tsc, gfp_t gfp)
9110 {
9111 	struct sk_buff *msg;
9112 	void *hdr;
9113 
9114 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9115 	if (!msg)
9116 		return;
9117 
9118 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
9119 	if (!hdr) {
9120 		nlmsg_free(msg);
9121 		return;
9122 	}
9123 
9124 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9125 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
9126 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
9127 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
9128 	    (key_id != -1 &&
9129 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
9130 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
9131 		goto nla_put_failure;
9132 
9133 	genlmsg_end(msg, hdr);
9134 
9135 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9136 				nl80211_mlme_mcgrp.id, gfp);
9137 	return;
9138 
9139  nla_put_failure:
9140 	genlmsg_cancel(msg, hdr);
9141 	nlmsg_free(msg);
9142 }
9143 
9144 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
9145 				    struct ieee80211_channel *channel_before,
9146 				    struct ieee80211_channel *channel_after)
9147 {
9148 	struct sk_buff *msg;
9149 	void *hdr;
9150 	struct nlattr *nl_freq;
9151 
9152 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
9153 	if (!msg)
9154 		return;
9155 
9156 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
9157 	if (!hdr) {
9158 		nlmsg_free(msg);
9159 		return;
9160 	}
9161 
9162 	/*
9163 	 * Since we are applying the beacon hint to a wiphy we know its
9164 	 * wiphy_idx is valid
9165 	 */
9166 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
9167 		goto nla_put_failure;
9168 
9169 	/* Before */
9170 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_BEFORE);
9171 	if (!nl_freq)
9172 		goto nla_put_failure;
9173 	if (nl80211_msg_put_channel(msg, channel_before))
9174 		goto nla_put_failure;
9175 	nla_nest_end(msg, nl_freq);
9176 
9177 	/* After */
9178 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_AFTER);
9179 	if (!nl_freq)
9180 		goto nla_put_failure;
9181 	if (nl80211_msg_put_channel(msg, channel_after))
9182 		goto nla_put_failure;
9183 	nla_nest_end(msg, nl_freq);
9184 
9185 	genlmsg_end(msg, hdr);
9186 
9187 	rcu_read_lock();
9188 	genlmsg_multicast_allns(msg, 0, nl80211_regulatory_mcgrp.id,
9189 				GFP_ATOMIC);
9190 	rcu_read_unlock();
9191 
9192 	return;
9193 
9194 nla_put_failure:
9195 	genlmsg_cancel(msg, hdr);
9196 	nlmsg_free(msg);
9197 }
9198 
9199 static void nl80211_send_remain_on_chan_event(
9200 	int cmd, struct cfg80211_registered_device *rdev,
9201 	struct wireless_dev *wdev, u64 cookie,
9202 	struct ieee80211_channel *chan,
9203 	unsigned int duration, gfp_t gfp)
9204 {
9205 	struct sk_buff *msg;
9206 	void *hdr;
9207 
9208 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9209 	if (!msg)
9210 		return;
9211 
9212 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
9213 	if (!hdr) {
9214 		nlmsg_free(msg);
9215 		return;
9216 	}
9217 
9218 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9219 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
9220 					 wdev->netdev->ifindex)) ||
9221 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
9222 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
9223 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
9224 			NL80211_CHAN_NO_HT) ||
9225 	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
9226 		goto nla_put_failure;
9227 
9228 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
9229 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
9230 		goto nla_put_failure;
9231 
9232 	genlmsg_end(msg, hdr);
9233 
9234 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9235 				nl80211_mlme_mcgrp.id, gfp);
9236 	return;
9237 
9238  nla_put_failure:
9239 	genlmsg_cancel(msg, hdr);
9240 	nlmsg_free(msg);
9241 }
9242 
9243 void nl80211_send_remain_on_channel(struct cfg80211_registered_device *rdev,
9244 				    struct wireless_dev *wdev, u64 cookie,
9245 				    struct ieee80211_channel *chan,
9246 				    unsigned int duration, gfp_t gfp)
9247 {
9248 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
9249 					  rdev, wdev, cookie, chan,
9250 					  duration, gfp);
9251 }
9252 
9253 void nl80211_send_remain_on_channel_cancel(
9254 	struct cfg80211_registered_device *rdev,
9255 	struct wireless_dev *wdev,
9256 	u64 cookie, struct ieee80211_channel *chan, gfp_t gfp)
9257 {
9258 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
9259 					  rdev, wdev, cookie, chan, 0, gfp);
9260 }
9261 
9262 void nl80211_send_sta_event(struct cfg80211_registered_device *rdev,
9263 			    struct net_device *dev, const u8 *mac_addr,
9264 			    struct station_info *sinfo, gfp_t gfp)
9265 {
9266 	struct sk_buff *msg;
9267 
9268 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9269 	if (!msg)
9270 		return;
9271 
9272 	if (nl80211_send_station(msg, 0, 0, 0,
9273 				 rdev, dev, mac_addr, sinfo) < 0) {
9274 		nlmsg_free(msg);
9275 		return;
9276 	}
9277 
9278 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9279 				nl80211_mlme_mcgrp.id, gfp);
9280 }
9281 
9282 void nl80211_send_sta_del_event(struct cfg80211_registered_device *rdev,
9283 				struct net_device *dev, const u8 *mac_addr,
9284 				gfp_t gfp)
9285 {
9286 	struct sk_buff *msg;
9287 	void *hdr;
9288 
9289 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9290 	if (!msg)
9291 		return;
9292 
9293 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_STATION);
9294 	if (!hdr) {
9295 		nlmsg_free(msg);
9296 		return;
9297 	}
9298 
9299 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
9300 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
9301 		goto nla_put_failure;
9302 
9303 	genlmsg_end(msg, hdr);
9304 
9305 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9306 				nl80211_mlme_mcgrp.id, gfp);
9307 	return;
9308 
9309  nla_put_failure:
9310 	genlmsg_cancel(msg, hdr);
9311 	nlmsg_free(msg);
9312 }
9313 
9314 void nl80211_send_conn_failed_event(struct cfg80211_registered_device *rdev,
9315 				    struct net_device *dev, const u8 *mac_addr,
9316 				    enum nl80211_connect_failed_reason reason,
9317 				    gfp_t gfp)
9318 {
9319 	struct sk_buff *msg;
9320 	void *hdr;
9321 
9322 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
9323 	if (!msg)
9324 		return;
9325 
9326 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
9327 	if (!hdr) {
9328 		nlmsg_free(msg);
9329 		return;
9330 	}
9331 
9332 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
9333 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
9334 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
9335 		goto nla_put_failure;
9336 
9337 	genlmsg_end(msg, hdr);
9338 
9339 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9340 				nl80211_mlme_mcgrp.id, gfp);
9341 	return;
9342 
9343  nla_put_failure:
9344 	genlmsg_cancel(msg, hdr);
9345 	nlmsg_free(msg);
9346 }
9347 
9348 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
9349 				       const u8 *addr, gfp_t gfp)
9350 {
9351 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9352 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
9353 	struct sk_buff *msg;
9354 	void *hdr;
9355 	int err;
9356 	u32 nlportid = ACCESS_ONCE(wdev->ap_unexpected_nlportid);
9357 
9358 	if (!nlportid)
9359 		return false;
9360 
9361 	msg = nlmsg_new(100, gfp);
9362 	if (!msg)
9363 		return true;
9364 
9365 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
9366 	if (!hdr) {
9367 		nlmsg_free(msg);
9368 		return true;
9369 	}
9370 
9371 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9372 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
9373 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
9374 		goto nla_put_failure;
9375 
9376 	err = genlmsg_end(msg, hdr);
9377 	if (err < 0) {
9378 		nlmsg_free(msg);
9379 		return true;
9380 	}
9381 
9382 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
9383 	return true;
9384 
9385  nla_put_failure:
9386 	genlmsg_cancel(msg, hdr);
9387 	nlmsg_free(msg);
9388 	return true;
9389 }
9390 
9391 bool nl80211_unexpected_frame(struct net_device *dev, const u8 *addr, gfp_t gfp)
9392 {
9393 	return __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
9394 					  addr, gfp);
9395 }
9396 
9397 bool nl80211_unexpected_4addr_frame(struct net_device *dev,
9398 				    const u8 *addr, gfp_t gfp)
9399 {
9400 	return __nl80211_unexpected_frame(dev,
9401 					  NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
9402 					  addr, gfp);
9403 }
9404 
9405 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
9406 		      struct wireless_dev *wdev, u32 nlportid,
9407 		      int freq, int sig_dbm,
9408 		      const u8 *buf, size_t len, gfp_t gfp)
9409 {
9410 	struct net_device *netdev = wdev->netdev;
9411 	struct sk_buff *msg;
9412 	void *hdr;
9413 
9414 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9415 	if (!msg)
9416 		return -ENOMEM;
9417 
9418 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
9419 	if (!hdr) {
9420 		nlmsg_free(msg);
9421 		return -ENOMEM;
9422 	}
9423 
9424 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9425 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
9426 					netdev->ifindex)) ||
9427 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq) ||
9428 	    (sig_dbm &&
9429 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
9430 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf))
9431 		goto nla_put_failure;
9432 
9433 	genlmsg_end(msg, hdr);
9434 
9435 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
9436 
9437  nla_put_failure:
9438 	genlmsg_cancel(msg, hdr);
9439 	nlmsg_free(msg);
9440 	return -ENOBUFS;
9441 }
9442 
9443 void nl80211_send_mgmt_tx_status(struct cfg80211_registered_device *rdev,
9444 				 struct wireless_dev *wdev, u64 cookie,
9445 				 const u8 *buf, size_t len, bool ack,
9446 				 gfp_t gfp)
9447 {
9448 	struct net_device *netdev = wdev->netdev;
9449 	struct sk_buff *msg;
9450 	void *hdr;
9451 
9452 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9453 	if (!msg)
9454 		return;
9455 
9456 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME_TX_STATUS);
9457 	if (!hdr) {
9458 		nlmsg_free(msg);
9459 		return;
9460 	}
9461 
9462 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9463 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
9464 				   netdev->ifindex)) ||
9465 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
9466 	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie) ||
9467 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
9468 		goto nla_put_failure;
9469 
9470 	genlmsg_end(msg, hdr);
9471 
9472 	genlmsg_multicast(msg, 0, nl80211_mlme_mcgrp.id, gfp);
9473 	return;
9474 
9475  nla_put_failure:
9476 	genlmsg_cancel(msg, hdr);
9477 	nlmsg_free(msg);
9478 }
9479 
9480 void
9481 nl80211_send_cqm_rssi_notify(struct cfg80211_registered_device *rdev,
9482 			     struct net_device *netdev,
9483 			     enum nl80211_cqm_rssi_threshold_event rssi_event,
9484 			     gfp_t gfp)
9485 {
9486 	struct sk_buff *msg;
9487 	struct nlattr *pinfoattr;
9488 	void *hdr;
9489 
9490 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9491 	if (!msg)
9492 		return;
9493 
9494 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
9495 	if (!hdr) {
9496 		nlmsg_free(msg);
9497 		return;
9498 	}
9499 
9500 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9501 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
9502 		goto nla_put_failure;
9503 
9504 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_CQM);
9505 	if (!pinfoattr)
9506 		goto nla_put_failure;
9507 
9508 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
9509 			rssi_event))
9510 		goto nla_put_failure;
9511 
9512 	nla_nest_end(msg, pinfoattr);
9513 
9514 	genlmsg_end(msg, hdr);
9515 
9516 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9517 				nl80211_mlme_mcgrp.id, gfp);
9518 	return;
9519 
9520  nla_put_failure:
9521 	genlmsg_cancel(msg, hdr);
9522 	nlmsg_free(msg);
9523 }
9524 
9525 void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
9526 			      struct net_device *netdev, const u8 *bssid,
9527 			      const u8 *replay_ctr, gfp_t gfp)
9528 {
9529 	struct sk_buff *msg;
9530 	struct nlattr *rekey_attr;
9531 	void *hdr;
9532 
9533 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9534 	if (!msg)
9535 		return;
9536 
9537 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
9538 	if (!hdr) {
9539 		nlmsg_free(msg);
9540 		return;
9541 	}
9542 
9543 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9544 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
9545 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
9546 		goto nla_put_failure;
9547 
9548 	rekey_attr = nla_nest_start(msg, NL80211_ATTR_REKEY_DATA);
9549 	if (!rekey_attr)
9550 		goto nla_put_failure;
9551 
9552 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
9553 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
9554 		goto nla_put_failure;
9555 
9556 	nla_nest_end(msg, rekey_attr);
9557 
9558 	genlmsg_end(msg, hdr);
9559 
9560 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9561 				nl80211_mlme_mcgrp.id, gfp);
9562 	return;
9563 
9564  nla_put_failure:
9565 	genlmsg_cancel(msg, hdr);
9566 	nlmsg_free(msg);
9567 }
9568 
9569 void nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
9570 				    struct net_device *netdev, int index,
9571 				    const u8 *bssid, bool preauth, gfp_t gfp)
9572 {
9573 	struct sk_buff *msg;
9574 	struct nlattr *attr;
9575 	void *hdr;
9576 
9577 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9578 	if (!msg)
9579 		return;
9580 
9581 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
9582 	if (!hdr) {
9583 		nlmsg_free(msg);
9584 		return;
9585 	}
9586 
9587 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9588 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
9589 		goto nla_put_failure;
9590 
9591 	attr = nla_nest_start(msg, NL80211_ATTR_PMKSA_CANDIDATE);
9592 	if (!attr)
9593 		goto nla_put_failure;
9594 
9595 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
9596 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
9597 	    (preauth &&
9598 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
9599 		goto nla_put_failure;
9600 
9601 	nla_nest_end(msg, attr);
9602 
9603 	genlmsg_end(msg, hdr);
9604 
9605 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9606 				nl80211_mlme_mcgrp.id, gfp);
9607 	return;
9608 
9609  nla_put_failure:
9610 	genlmsg_cancel(msg, hdr);
9611 	nlmsg_free(msg);
9612 }
9613 
9614 void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
9615 			      struct net_device *netdev,
9616 			      struct cfg80211_chan_def *chandef, gfp_t gfp)
9617 {
9618 	struct sk_buff *msg;
9619 	void *hdr;
9620 
9621 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9622 	if (!msg)
9623 		return;
9624 
9625 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CH_SWITCH_NOTIFY);
9626 	if (!hdr) {
9627 		nlmsg_free(msg);
9628 		return;
9629 	}
9630 
9631 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
9632 		goto nla_put_failure;
9633 
9634 	if (nl80211_send_chandef(msg, chandef))
9635 		goto nla_put_failure;
9636 
9637 	genlmsg_end(msg, hdr);
9638 
9639 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9640 				nl80211_mlme_mcgrp.id, gfp);
9641 	return;
9642 
9643  nla_put_failure:
9644 	genlmsg_cancel(msg, hdr);
9645 	nlmsg_free(msg);
9646 }
9647 
9648 void
9649 nl80211_send_cqm_txe_notify(struct cfg80211_registered_device *rdev,
9650 			    struct net_device *netdev, const u8 *peer,
9651 			    u32 num_packets, u32 rate, u32 intvl, gfp_t gfp)
9652 {
9653 	struct sk_buff *msg;
9654 	struct nlattr *pinfoattr;
9655 	void *hdr;
9656 
9657 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
9658 	if (!msg)
9659 		return;
9660 
9661 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
9662 	if (!hdr) {
9663 		nlmsg_free(msg);
9664 		return;
9665 	}
9666 
9667 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9668 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
9669 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer))
9670 		goto nla_put_failure;
9671 
9672 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_CQM);
9673 	if (!pinfoattr)
9674 		goto nla_put_failure;
9675 
9676 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
9677 		goto nla_put_failure;
9678 
9679 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
9680 		goto nla_put_failure;
9681 
9682 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
9683 		goto nla_put_failure;
9684 
9685 	nla_nest_end(msg, pinfoattr);
9686 
9687 	genlmsg_end(msg, hdr);
9688 
9689 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9690 				nl80211_mlme_mcgrp.id, gfp);
9691 	return;
9692 
9693  nla_put_failure:
9694 	genlmsg_cancel(msg, hdr);
9695 	nlmsg_free(msg);
9696 }
9697 
9698 void
9699 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
9700 		     struct cfg80211_chan_def *chandef,
9701 		     enum nl80211_radar_event event,
9702 		     struct net_device *netdev, gfp_t gfp)
9703 {
9704 	struct sk_buff *msg;
9705 	void *hdr;
9706 
9707 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9708 	if (!msg)
9709 		return;
9710 
9711 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
9712 	if (!hdr) {
9713 		nlmsg_free(msg);
9714 		return;
9715 	}
9716 
9717 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
9718 		goto nla_put_failure;
9719 
9720 	/* NOP and radar events don't need a netdev parameter */
9721 	if (netdev) {
9722 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
9723 
9724 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
9725 		    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
9726 			goto nla_put_failure;
9727 	}
9728 
9729 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
9730 		goto nla_put_failure;
9731 
9732 	if (nl80211_send_chandef(msg, chandef))
9733 		goto nla_put_failure;
9734 
9735 	if (genlmsg_end(msg, hdr) < 0) {
9736 		nlmsg_free(msg);
9737 		return;
9738 	}
9739 
9740 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9741 				nl80211_mlme_mcgrp.id, gfp);
9742 	return;
9743 
9744  nla_put_failure:
9745 	genlmsg_cancel(msg, hdr);
9746 	nlmsg_free(msg);
9747 }
9748 
9749 void
9750 nl80211_send_cqm_pktloss_notify(struct cfg80211_registered_device *rdev,
9751 				struct net_device *netdev, const u8 *peer,
9752 				u32 num_packets, gfp_t gfp)
9753 {
9754 	struct sk_buff *msg;
9755 	struct nlattr *pinfoattr;
9756 	void *hdr;
9757 
9758 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9759 	if (!msg)
9760 		return;
9761 
9762 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
9763 	if (!hdr) {
9764 		nlmsg_free(msg);
9765 		return;
9766 	}
9767 
9768 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9769 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
9770 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer))
9771 		goto nla_put_failure;
9772 
9773 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_CQM);
9774 	if (!pinfoattr)
9775 		goto nla_put_failure;
9776 
9777 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
9778 		goto nla_put_failure;
9779 
9780 	nla_nest_end(msg, pinfoattr);
9781 
9782 	genlmsg_end(msg, hdr);
9783 
9784 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9785 				nl80211_mlme_mcgrp.id, gfp);
9786 	return;
9787 
9788  nla_put_failure:
9789 	genlmsg_cancel(msg, hdr);
9790 	nlmsg_free(msg);
9791 }
9792 
9793 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
9794 			   u64 cookie, bool acked, gfp_t gfp)
9795 {
9796 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9797 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
9798 	struct sk_buff *msg;
9799 	void *hdr;
9800 	int err;
9801 
9802 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
9803 
9804 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
9805 
9806 	if (!msg)
9807 		return;
9808 
9809 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
9810 	if (!hdr) {
9811 		nlmsg_free(msg);
9812 		return;
9813 	}
9814 
9815 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9816 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
9817 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
9818 	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie) ||
9819 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)))
9820 		goto nla_put_failure;
9821 
9822 	err = genlmsg_end(msg, hdr);
9823 	if (err < 0) {
9824 		nlmsg_free(msg);
9825 		return;
9826 	}
9827 
9828 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9829 				nl80211_mlme_mcgrp.id, gfp);
9830 	return;
9831 
9832  nla_put_failure:
9833 	genlmsg_cancel(msg, hdr);
9834 	nlmsg_free(msg);
9835 }
9836 EXPORT_SYMBOL(cfg80211_probe_status);
9837 
9838 void cfg80211_report_obss_beacon(struct wiphy *wiphy,
9839 				 const u8 *frame, size_t len,
9840 				 int freq, int sig_dbm)
9841 {
9842 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
9843 	struct sk_buff *msg;
9844 	void *hdr;
9845 	struct cfg80211_beacon_registration *reg;
9846 
9847 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
9848 
9849 	spin_lock_bh(&rdev->beacon_registrations_lock);
9850 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
9851 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
9852 		if (!msg) {
9853 			spin_unlock_bh(&rdev->beacon_registrations_lock);
9854 			return;
9855 		}
9856 
9857 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
9858 		if (!hdr)
9859 			goto nla_put_failure;
9860 
9861 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9862 		    (freq &&
9863 		     nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq)) ||
9864 		    (sig_dbm &&
9865 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
9866 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
9867 			goto nla_put_failure;
9868 
9869 		genlmsg_end(msg, hdr);
9870 
9871 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
9872 	}
9873 	spin_unlock_bh(&rdev->beacon_registrations_lock);
9874 	return;
9875 
9876  nla_put_failure:
9877 	spin_unlock_bh(&rdev->beacon_registrations_lock);
9878 	if (hdr)
9879 		genlmsg_cancel(msg, hdr);
9880 	nlmsg_free(msg);
9881 }
9882 EXPORT_SYMBOL(cfg80211_report_obss_beacon);
9883 
9884 #ifdef CONFIG_PM
9885 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
9886 				   struct cfg80211_wowlan_wakeup *wakeup,
9887 				   gfp_t gfp)
9888 {
9889 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
9890 	struct sk_buff *msg;
9891 	void *hdr;
9892 	int err, size = 200;
9893 
9894 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
9895 
9896 	if (wakeup)
9897 		size += wakeup->packet_present_len;
9898 
9899 	msg = nlmsg_new(size, gfp);
9900 	if (!msg)
9901 		return;
9902 
9903 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
9904 	if (!hdr)
9905 		goto free_msg;
9906 
9907 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
9908 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
9909 		goto free_msg;
9910 
9911 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
9912 					wdev->netdev->ifindex))
9913 		goto free_msg;
9914 
9915 	if (wakeup) {
9916 		struct nlattr *reasons;
9917 
9918 		reasons = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
9919 
9920 		if (wakeup->disconnect &&
9921 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
9922 			goto free_msg;
9923 		if (wakeup->magic_pkt &&
9924 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
9925 			goto free_msg;
9926 		if (wakeup->gtk_rekey_failure &&
9927 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
9928 			goto free_msg;
9929 		if (wakeup->eap_identity_req &&
9930 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
9931 			goto free_msg;
9932 		if (wakeup->four_way_handshake &&
9933 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
9934 			goto free_msg;
9935 		if (wakeup->rfkill_release &&
9936 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
9937 			goto free_msg;
9938 
9939 		if (wakeup->pattern_idx >= 0 &&
9940 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
9941 				wakeup->pattern_idx))
9942 			goto free_msg;
9943 
9944 		if (wakeup->tcp_match)
9945 			nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH);
9946 
9947 		if (wakeup->tcp_connlost)
9948 			nla_put_flag(msg,
9949 				     NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST);
9950 
9951 		if (wakeup->tcp_nomoretokens)
9952 			nla_put_flag(msg,
9953 				NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS);
9954 
9955 		if (wakeup->packet) {
9956 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
9957 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
9958 
9959 			if (!wakeup->packet_80211) {
9960 				pkt_attr =
9961 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
9962 				len_attr =
9963 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
9964 			}
9965 
9966 			if (wakeup->packet_len &&
9967 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
9968 				goto free_msg;
9969 
9970 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
9971 				    wakeup->packet))
9972 				goto free_msg;
9973 		}
9974 
9975 		nla_nest_end(msg, reasons);
9976 	}
9977 
9978 	err = genlmsg_end(msg, hdr);
9979 	if (err < 0)
9980 		goto free_msg;
9981 
9982 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
9983 				nl80211_mlme_mcgrp.id, gfp);
9984 	return;
9985 
9986  free_msg:
9987 	nlmsg_free(msg);
9988 }
9989 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
9990 #endif
9991 
9992 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
9993 				enum nl80211_tdls_operation oper,
9994 				u16 reason_code, gfp_t gfp)
9995 {
9996 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9997 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
9998 	struct sk_buff *msg;
9999 	void *hdr;
10000 	int err;
10001 
10002 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
10003 					 reason_code);
10004 
10005 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
10006 	if (!msg)
10007 		return;
10008 
10009 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
10010 	if (!hdr) {
10011 		nlmsg_free(msg);
10012 		return;
10013 	}
10014 
10015 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10016 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
10017 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
10018 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
10019 	    (reason_code > 0 &&
10020 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
10021 		goto nla_put_failure;
10022 
10023 	err = genlmsg_end(msg, hdr);
10024 	if (err < 0) {
10025 		nlmsg_free(msg);
10026 		return;
10027 	}
10028 
10029 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
10030 				nl80211_mlme_mcgrp.id, gfp);
10031 	return;
10032 
10033  nla_put_failure:
10034 	genlmsg_cancel(msg, hdr);
10035 	nlmsg_free(msg);
10036 }
10037 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
10038 
10039 static int nl80211_netlink_notify(struct notifier_block * nb,
10040 				  unsigned long state,
10041 				  void *_notify)
10042 {
10043 	struct netlink_notify *notify = _notify;
10044 	struct cfg80211_registered_device *rdev;
10045 	struct wireless_dev *wdev;
10046 	struct cfg80211_beacon_registration *reg, *tmp;
10047 
10048 	if (state != NETLINK_URELEASE)
10049 		return NOTIFY_DONE;
10050 
10051 	rcu_read_lock();
10052 
10053 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
10054 		list_for_each_entry_rcu(wdev, &rdev->wdev_list, list)
10055 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
10056 
10057 		spin_lock_bh(&rdev->beacon_registrations_lock);
10058 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
10059 					 list) {
10060 			if (reg->nlportid == notify->portid) {
10061 				list_del(&reg->list);
10062 				kfree(reg);
10063 				break;
10064 			}
10065 		}
10066 		spin_unlock_bh(&rdev->beacon_registrations_lock);
10067 	}
10068 
10069 	rcu_read_unlock();
10070 
10071 	return NOTIFY_DONE;
10072 }
10073 
10074 static struct notifier_block nl80211_netlink_notifier = {
10075 	.notifier_call = nl80211_netlink_notify,
10076 };
10077 
10078 /* initialisation/exit functions */
10079 
10080 int nl80211_init(void)
10081 {
10082 	int err;
10083 
10084 	err = genl_register_family_with_ops(&nl80211_fam,
10085 		nl80211_ops, ARRAY_SIZE(nl80211_ops));
10086 	if (err)
10087 		return err;
10088 
10089 	err = genl_register_mc_group(&nl80211_fam, &nl80211_config_mcgrp);
10090 	if (err)
10091 		goto err_out;
10092 
10093 	err = genl_register_mc_group(&nl80211_fam, &nl80211_scan_mcgrp);
10094 	if (err)
10095 		goto err_out;
10096 
10097 	err = genl_register_mc_group(&nl80211_fam, &nl80211_regulatory_mcgrp);
10098 	if (err)
10099 		goto err_out;
10100 
10101 	err = genl_register_mc_group(&nl80211_fam, &nl80211_mlme_mcgrp);
10102 	if (err)
10103 		goto err_out;
10104 
10105 #ifdef CONFIG_NL80211_TESTMODE
10106 	err = genl_register_mc_group(&nl80211_fam, &nl80211_testmode_mcgrp);
10107 	if (err)
10108 		goto err_out;
10109 #endif
10110 
10111 	err = netlink_register_notifier(&nl80211_netlink_notifier);
10112 	if (err)
10113 		goto err_out;
10114 
10115 	return 0;
10116  err_out:
10117 	genl_unregister_family(&nl80211_fam);
10118 	return err;
10119 }
10120 
10121 void nl80211_exit(void)
10122 {
10123 	netlink_unregister_notifier(&nl80211_netlink_notifier);
10124 	genl_unregister_family(&nl80211_fam);
10125 }
10126