xref: /linux/net/wireless/nl80211.c (revision c0e297dc61f8d4453e07afbea1fa8d0e67cd4a34) 
1 /*
2  * This is the new netlink-based wireless configuration interface.
3  *
4  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
5  * Copyright 2013-2014  Intel Mobile Communications GmbH
6  */
7 
8 #include <linux/if.h>
9 #include <linux/module.h>
10 #include <linux/err.h>
11 #include <linux/slab.h>
12 #include <linux/list.h>
13 #include <linux/if_ether.h>
14 #include <linux/ieee80211.h>
15 #include <linux/nl80211.h>
16 #include <linux/rtnetlink.h>
17 #include <linux/netlink.h>
18 #include <linux/etherdevice.h>
19 #include <net/net_namespace.h>
20 #include <net/genetlink.h>
21 #include <net/cfg80211.h>
22 #include <net/sock.h>
23 #include <net/inet_connection_sock.h>
24 #include "core.h"
25 #include "nl80211.h"
26 #include "reg.h"
27 #include "rdev-ops.h"
28 
29 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
30 				   struct genl_info *info,
31 				   struct cfg80211_crypto_settings *settings,
32 				   int cipher_limit);
33 
34 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
35 			    struct genl_info *info);
36 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
37 			      struct genl_info *info);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam = {
41 	.id = GENL_ID_GENERATE,		/* don't bother with a hardcoded ID */
42 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
43 	.hdrsize = 0,			/* no private header */
44 	.version = 1,			/* no particular meaning now */
45 	.maxattr = NL80211_ATTR_MAX,
46 	.netnsok = true,
47 	.pre_doit = nl80211_pre_doit,
48 	.post_doit = nl80211_post_doit,
49 };
50 
51 /* multicast groups */
52 enum nl80211_multicast_groups {
53 	NL80211_MCGRP_CONFIG,
54 	NL80211_MCGRP_SCAN,
55 	NL80211_MCGRP_REGULATORY,
56 	NL80211_MCGRP_MLME,
57 	NL80211_MCGRP_VENDOR,
58 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
59 };
60 
61 static const struct genl_multicast_group nl80211_mcgrps[] = {
62 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
63 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
64 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
65 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
66 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
67 #ifdef CONFIG_NL80211_TESTMODE
68 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
69 #endif
70 };
71 
72 /* returns ERR_PTR values */
73 static struct wireless_dev *
74 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
75 {
76 	struct cfg80211_registered_device *rdev;
77 	struct wireless_dev *result = NULL;
78 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
79 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
80 	u64 wdev_id;
81 	int wiphy_idx = -1;
82 	int ifidx = -1;
83 
84 	ASSERT_RTNL();
85 
86 	if (!have_ifidx && !have_wdev_id)
87 		return ERR_PTR(-EINVAL);
88 
89 	if (have_ifidx)
90 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
91 	if (have_wdev_id) {
92 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
93 		wiphy_idx = wdev_id >> 32;
94 	}
95 
96 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
97 		struct wireless_dev *wdev;
98 
99 		if (wiphy_net(&rdev->wiphy) != netns)
100 			continue;
101 
102 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
103 			continue;
104 
105 		list_for_each_entry(wdev, &rdev->wdev_list, list) {
106 			if (have_ifidx && wdev->netdev &&
107 			    wdev->netdev->ifindex == ifidx) {
108 				result = wdev;
109 				break;
110 			}
111 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
112 				result = wdev;
113 				break;
114 			}
115 		}
116 
117 		if (result)
118 			break;
119 	}
120 
121 	if (result)
122 		return result;
123 	return ERR_PTR(-ENODEV);
124 }
125 
126 static struct cfg80211_registered_device *
127 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
128 {
129 	struct cfg80211_registered_device *rdev = NULL, *tmp;
130 	struct net_device *netdev;
131 
132 	ASSERT_RTNL();
133 
134 	if (!attrs[NL80211_ATTR_WIPHY] &&
135 	    !attrs[NL80211_ATTR_IFINDEX] &&
136 	    !attrs[NL80211_ATTR_WDEV])
137 		return ERR_PTR(-EINVAL);
138 
139 	if (attrs[NL80211_ATTR_WIPHY])
140 		rdev = cfg80211_rdev_by_wiphy_idx(
141 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
142 
143 	if (attrs[NL80211_ATTR_WDEV]) {
144 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
145 		struct wireless_dev *wdev;
146 		bool found = false;
147 
148 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
149 		if (tmp) {
150 			/* make sure wdev exists */
151 			list_for_each_entry(wdev, &tmp->wdev_list, list) {
152 				if (wdev->identifier != (u32)wdev_id)
153 					continue;
154 				found = true;
155 				break;
156 			}
157 
158 			if (!found)
159 				tmp = NULL;
160 
161 			if (rdev && tmp != rdev)
162 				return ERR_PTR(-EINVAL);
163 			rdev = tmp;
164 		}
165 	}
166 
167 	if (attrs[NL80211_ATTR_IFINDEX]) {
168 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
169 		netdev = __dev_get_by_index(netns, ifindex);
170 		if (netdev) {
171 			if (netdev->ieee80211_ptr)
172 				tmp = wiphy_to_rdev(
173 					netdev->ieee80211_ptr->wiphy);
174 			else
175 				tmp = NULL;
176 
177 			/* not wireless device -- return error */
178 			if (!tmp)
179 				return ERR_PTR(-EINVAL);
180 
181 			/* mismatch -- return error */
182 			if (rdev && tmp != rdev)
183 				return ERR_PTR(-EINVAL);
184 
185 			rdev = tmp;
186 		}
187 	}
188 
189 	if (!rdev)
190 		return ERR_PTR(-ENODEV);
191 
192 	if (netns != wiphy_net(&rdev->wiphy))
193 		return ERR_PTR(-ENODEV);
194 
195 	return rdev;
196 }
197 
198 /*
199  * This function returns a pointer to the driver
200  * that the genl_info item that is passed refers to.
201  *
202  * The result of this can be a PTR_ERR and hence must
203  * be checked with IS_ERR() for errors.
204  */
205 static struct cfg80211_registered_device *
206 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
207 {
208 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
209 }
210 
211 /* policy for the attributes */
212 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
213 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
214 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
215 				      .len = 20-1 },
216 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
217 
218 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
219 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
220 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
221 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
222 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
223 
224 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = { .type = NLA_U8 },
225 	[NL80211_ATTR_WIPHY_RETRY_LONG] = { .type = NLA_U8 },
226 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
227 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
228 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
229 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
230 
231 	[NL80211_ATTR_IFTYPE] = { .type = NLA_U32 },
232 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
233 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
234 
235 	[NL80211_ATTR_MAC] = { .len = ETH_ALEN },
236 	[NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },
237 
238 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
239 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
240 				    .len = WLAN_MAX_KEY_LEN },
241 	[NL80211_ATTR_KEY_IDX] = { .type = NLA_U8 },
242 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
243 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
244 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
245 	[NL80211_ATTR_KEY_TYPE] = { .type = NLA_U32 },
246 
247 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
248 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
249 	[NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
250 				       .len = IEEE80211_MAX_DATA_LEN },
251 	[NL80211_ATTR_BEACON_TAIL] = { .type = NLA_BINARY,
252 				       .len = IEEE80211_MAX_DATA_LEN },
253 	[NL80211_ATTR_STA_AID] = { .type = NLA_U16 },
254 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
255 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
256 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
257 					       .len = NL80211_MAX_SUPP_RATES },
258 	[NL80211_ATTR_STA_PLINK_ACTION] = { .type = NLA_U8 },
259 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
260 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
261 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
262 				   .len = IEEE80211_MAX_MESH_ID_LEN },
263 	[NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
264 
265 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
266 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
267 
268 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
269 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
270 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
271 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
272 					   .len = NL80211_MAX_SUPP_RATES },
273 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
274 
275 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
276 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
277 
278 	[NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
279 
280 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
281 	[NL80211_ATTR_IE] = { .type = NLA_BINARY,
282 			      .len = IEEE80211_MAX_DATA_LEN },
283 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
284 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
285 
286 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
287 				.len = IEEE80211_MAX_SSID_LEN },
288 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
289 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
290 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
291 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
292 	[NL80211_ATTR_USE_MFP] = { .type = NLA_U32 },
293 	[NL80211_ATTR_STA_FLAGS2] = {
294 		.len = sizeof(struct nl80211_sta_flag_update),
295 	},
296 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
297 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
298 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
299 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
300 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
301 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
302 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
303 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
304 	[NL80211_ATTR_PMKID] = { .type = NLA_BINARY,
305 				 .len = WLAN_PMKID_LEN },
306 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
307 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
308 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
309 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
310 				 .len = IEEE80211_MAX_DATA_LEN },
311 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
312 	[NL80211_ATTR_PS_STATE] = { .type = NLA_U32 },
313 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
314 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
315 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
316 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
317 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
318 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
319 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
320 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
321 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
322 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
323 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
324 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
325 	[NL80211_ATTR_STA_PLINK_STATE] = { .type = NLA_U8 },
326 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
327 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
328 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
329 	[NL80211_ATTR_HIDDEN_SSID] = { .type = NLA_U32 },
330 	[NL80211_ATTR_IE_PROBE_RESP] = { .type = NLA_BINARY,
331 					 .len = IEEE80211_MAX_DATA_LEN },
332 	[NL80211_ATTR_IE_ASSOC_RESP] = { .type = NLA_BINARY,
333 					 .len = IEEE80211_MAX_DATA_LEN },
334 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
335 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
336 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
337 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
338 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
339 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
340 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
341 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
342 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
343 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
344 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
345 				      .len = IEEE80211_MAX_DATA_LEN },
346 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
347 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
348 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
349 		.len = NL80211_HT_CAPABILITY_LEN
350 	},
351 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
352 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
353 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
354 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
355 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
356 	[NL80211_ATTR_SAE_DATA] = { .type = NLA_BINARY, },
357 	[NL80211_ATTR_VHT_CAPABILITY] = { .len = NL80211_VHT_CAPABILITY_LEN },
358 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
359 	[NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
360 	[NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
361 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
362 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
363 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
364 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
365 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
366 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
367 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
368 		.len = NL80211_VHT_CAPABILITY_LEN,
369 	},
370 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
371 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
372 				  .len = IEEE80211_MAX_DATA_LEN },
373 	[NL80211_ATTR_PEER_AID] = { .type = NLA_U16 },
374 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
375 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
376 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
377 	[NL80211_ATTR_CSA_C_OFF_BEACON] = { .type = NLA_BINARY },
378 	[NL80211_ATTR_CSA_C_OFF_PRESP] = { .type = NLA_BINARY },
379 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = { .type = NLA_BINARY },
380 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] = { .type = NLA_BINARY },
381 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
382 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
383 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
384 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
385 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
386 	[NL80211_ATTR_QOS_MAP] = { .type = NLA_BINARY,
387 				   .len = IEEE80211_QOS_MAP_LEN_MAX },
388 	[NL80211_ATTR_MAC_HINT] = { .len = ETH_ALEN },
389 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
390 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
391 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
392 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
393 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
394 	[NL80211_ATTR_TSID] = { .type = NLA_U8 },
395 	[NL80211_ATTR_USER_PRIO] = { .type = NLA_U8 },
396 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
397 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
398 	[NL80211_ATTR_MAC_MASK] = { .len = ETH_ALEN },
399 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
400 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
401 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
402 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
403 };
404 
405 /* policy for the key attributes */
406 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
407 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
408 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
409 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
410 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
411 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
412 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
413 	[NL80211_KEY_TYPE] = { .type = NLA_U32 },
414 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
415 };
416 
417 /* policy for the key default flags */
418 static const struct nla_policy
419 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
420 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
421 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
422 };
423 
424 /* policy for WoWLAN attributes */
425 static const struct nla_policy
426 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
427 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
428 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
429 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
430 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
431 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
432 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
433 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
434 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
435 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
436 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
437 };
438 
439 static const struct nla_policy
440 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
441 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
442 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
443 	[NL80211_WOWLAN_TCP_DST_MAC] = { .len = ETH_ALEN },
444 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
445 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
446 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = { .len = 1 },
447 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
448 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
449 	},
450 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
451 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
452 	},
453 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
454 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = { .len = 1 },
455 	[NL80211_WOWLAN_TCP_WAKE_MASK] = { .len = 1 },
456 };
457 
458 /* policy for coalesce rule attributes */
459 static const struct nla_policy
460 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
461 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
462 	[NL80211_ATTR_COALESCE_RULE_CONDITION] = { .type = NLA_U32 },
463 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
464 };
465 
466 /* policy for GTK rekey offload attributes */
467 static const struct nla_policy
468 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
469 	[NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
470 	[NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
471 	[NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
472 };
473 
474 static const struct nla_policy
475 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
476 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
477 						 .len = IEEE80211_MAX_SSID_LEN },
478 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
479 };
480 
481 static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
482 				     struct netlink_callback *cb,
483 				     struct cfg80211_registered_device **rdev,
484 				     struct wireless_dev **wdev)
485 {
486 	int err;
487 
488 	rtnl_lock();
489 
490 	if (!cb->args[0]) {
491 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
492 				  nl80211_fam.attrbuf, nl80211_fam.maxattr,
493 				  nl80211_policy);
494 		if (err)
495 			goto out_unlock;
496 
497 		*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk),
498 						   nl80211_fam.attrbuf);
499 		if (IS_ERR(*wdev)) {
500 			err = PTR_ERR(*wdev);
501 			goto out_unlock;
502 		}
503 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
504 		/* 0 is the first index - add 1 to parse only once */
505 		cb->args[0] = (*rdev)->wiphy_idx + 1;
506 		cb->args[1] = (*wdev)->identifier;
507 	} else {
508 		/* subtract the 1 again here */
509 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
510 		struct wireless_dev *tmp;
511 
512 		if (!wiphy) {
513 			err = -ENODEV;
514 			goto out_unlock;
515 		}
516 		*rdev = wiphy_to_rdev(wiphy);
517 		*wdev = NULL;
518 
519 		list_for_each_entry(tmp, &(*rdev)->wdev_list, list) {
520 			if (tmp->identifier == cb->args[1]) {
521 				*wdev = tmp;
522 				break;
523 			}
524 		}
525 
526 		if (!*wdev) {
527 			err = -ENODEV;
528 			goto out_unlock;
529 		}
530 	}
531 
532 	return 0;
533  out_unlock:
534 	rtnl_unlock();
535 	return err;
536 }
537 
538 static void nl80211_finish_wdev_dump(struct cfg80211_registered_device *rdev)
539 {
540 	rtnl_unlock();
541 }
542 
543 /* IE validation */
544 static bool is_valid_ie_attr(const struct nlattr *attr)
545 {
546 	const u8 *pos;
547 	int len;
548 
549 	if (!attr)
550 		return true;
551 
552 	pos = nla_data(attr);
553 	len = nla_len(attr);
554 
555 	while (len) {
556 		u8 elemlen;
557 
558 		if (len < 2)
559 			return false;
560 		len -= 2;
561 
562 		elemlen = pos[1];
563 		if (elemlen > len)
564 			return false;
565 
566 		len -= elemlen;
567 		pos += 2 + elemlen;
568 	}
569 
570 	return true;
571 }
572 
573 /* message building helper */
574 static inline void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
575 				   int flags, u8 cmd)
576 {
577 	/* since there is no private header just add the generic one */
578 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
579 }
580 
581 static int nl80211_msg_put_channel(struct sk_buff *msg,
582 				   struct ieee80211_channel *chan,
583 				   bool large)
584 {
585 	/* Some channels must be completely excluded from the
586 	 * list to protect old user-space tools from breaking
587 	 */
588 	if (!large && chan->flags &
589 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
590 		return 0;
591 
592 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
593 			chan->center_freq))
594 		goto nla_put_failure;
595 
596 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
597 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
598 		goto nla_put_failure;
599 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
600 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
601 			goto nla_put_failure;
602 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
603 			goto nla_put_failure;
604 	}
605 	if (chan->flags & IEEE80211_CHAN_RADAR) {
606 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
607 			goto nla_put_failure;
608 		if (large) {
609 			u32 time;
610 
611 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
612 
613 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
614 					chan->dfs_state))
615 				goto nla_put_failure;
616 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
617 					time))
618 				goto nla_put_failure;
619 			if (nla_put_u32(msg,
620 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
621 					chan->dfs_cac_ms))
622 				goto nla_put_failure;
623 		}
624 	}
625 
626 	if (large) {
627 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
628 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
629 			goto nla_put_failure;
630 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
631 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
632 			goto nla_put_failure;
633 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
634 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
635 			goto nla_put_failure;
636 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
637 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
638 			goto nla_put_failure;
639 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
640 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
641 			goto nla_put_failure;
642 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
643 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
644 			goto nla_put_failure;
645 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
646 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
647 			goto nla_put_failure;
648 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
649 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
650 			goto nla_put_failure;
651 	}
652 
653 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
654 			DBM_TO_MBM(chan->max_power)))
655 		goto nla_put_failure;
656 
657 	return 0;
658 
659  nla_put_failure:
660 	return -ENOBUFS;
661 }
662 
663 /* netlink command implementations */
664 
665 struct key_parse {
666 	struct key_params p;
667 	int idx;
668 	int type;
669 	bool def, defmgmt;
670 	bool def_uni, def_multi;
671 };
672 
673 static int nl80211_parse_key_new(struct nlattr *key, struct key_parse *k)
674 {
675 	struct nlattr *tb[NL80211_KEY_MAX + 1];
676 	int err = nla_parse_nested(tb, NL80211_KEY_MAX, key,
677 				   nl80211_key_policy);
678 	if (err)
679 		return err;
680 
681 	k->def = !!tb[NL80211_KEY_DEFAULT];
682 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
683 
684 	if (k->def) {
685 		k->def_uni = true;
686 		k->def_multi = true;
687 	}
688 	if (k->defmgmt)
689 		k->def_multi = true;
690 
691 	if (tb[NL80211_KEY_IDX])
692 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
693 
694 	if (tb[NL80211_KEY_DATA]) {
695 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
696 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
697 	}
698 
699 	if (tb[NL80211_KEY_SEQ]) {
700 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
701 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
702 	}
703 
704 	if (tb[NL80211_KEY_CIPHER])
705 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
706 
707 	if (tb[NL80211_KEY_TYPE]) {
708 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
709 		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
710 			return -EINVAL;
711 	}
712 
713 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
714 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
715 		err = nla_parse_nested(kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
716 				       tb[NL80211_KEY_DEFAULT_TYPES],
717 				       nl80211_key_default_policy);
718 		if (err)
719 			return err;
720 
721 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
722 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
723 	}
724 
725 	return 0;
726 }
727 
728 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
729 {
730 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
731 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
732 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
733 	}
734 
735 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
736 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
737 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
738 	}
739 
740 	if (info->attrs[NL80211_ATTR_KEY_IDX])
741 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
742 
743 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
744 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
745 
746 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
747 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
748 
749 	if (k->def) {
750 		k->def_uni = true;
751 		k->def_multi = true;
752 	}
753 	if (k->defmgmt)
754 		k->def_multi = true;
755 
756 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
757 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
758 		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
759 			return -EINVAL;
760 	}
761 
762 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
763 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
764 		int err = nla_parse_nested(
765 				kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
766 				info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
767 				nl80211_key_default_policy);
768 		if (err)
769 			return err;
770 
771 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
772 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
773 	}
774 
775 	return 0;
776 }
777 
778 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
779 {
780 	int err;
781 
782 	memset(k, 0, sizeof(*k));
783 	k->idx = -1;
784 	k->type = -1;
785 
786 	if (info->attrs[NL80211_ATTR_KEY])
787 		err = nl80211_parse_key_new(info->attrs[NL80211_ATTR_KEY], k);
788 	else
789 		err = nl80211_parse_key_old(info, k);
790 
791 	if (err)
792 		return err;
793 
794 	if (k->def && k->defmgmt)
795 		return -EINVAL;
796 
797 	if (k->defmgmt) {
798 		if (k->def_uni || !k->def_multi)
799 			return -EINVAL;
800 	}
801 
802 	if (k->idx != -1) {
803 		if (k->defmgmt) {
804 			if (k->idx < 4 || k->idx > 5)
805 				return -EINVAL;
806 		} else if (k->def) {
807 			if (k->idx < 0 || k->idx > 3)
808 				return -EINVAL;
809 		} else {
810 			if (k->idx < 0 || k->idx > 5)
811 				return -EINVAL;
812 		}
813 	}
814 
815 	return 0;
816 }
817 
818 static struct cfg80211_cached_keys *
819 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
820 		       struct nlattr *keys, bool *no_ht)
821 {
822 	struct key_parse parse;
823 	struct nlattr *key;
824 	struct cfg80211_cached_keys *result;
825 	int rem, err, def = 0;
826 
827 	result = kzalloc(sizeof(*result), GFP_KERNEL);
828 	if (!result)
829 		return ERR_PTR(-ENOMEM);
830 
831 	result->def = -1;
832 	result->defmgmt = -1;
833 
834 	nla_for_each_nested(key, keys, rem) {
835 		memset(&parse, 0, sizeof(parse));
836 		parse.idx = -1;
837 
838 		err = nl80211_parse_key_new(key, &parse);
839 		if (err)
840 			goto error;
841 		err = -EINVAL;
842 		if (!parse.p.key)
843 			goto error;
844 		if (parse.idx < 0 || parse.idx > 4)
845 			goto error;
846 		if (parse.def) {
847 			if (def)
848 				goto error;
849 			def = 1;
850 			result->def = parse.idx;
851 			if (!parse.def_uni || !parse.def_multi)
852 				goto error;
853 		} else if (parse.defmgmt)
854 			goto error;
855 		err = cfg80211_validate_key_settings(rdev, &parse.p,
856 						     parse.idx, false, NULL);
857 		if (err)
858 			goto error;
859 		result->params[parse.idx].cipher = parse.p.cipher;
860 		result->params[parse.idx].key_len = parse.p.key_len;
861 		result->params[parse.idx].key = result->data[parse.idx];
862 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
863 
864 		if (parse.p.cipher == WLAN_CIPHER_SUITE_WEP40 ||
865 		    parse.p.cipher == WLAN_CIPHER_SUITE_WEP104) {
866 			if (no_ht)
867 				*no_ht = true;
868 		}
869 	}
870 
871 	return result;
872  error:
873 	kfree(result);
874 	return ERR_PTR(err);
875 }
876 
877 static int nl80211_key_allowed(struct wireless_dev *wdev)
878 {
879 	ASSERT_WDEV_LOCK(wdev);
880 
881 	switch (wdev->iftype) {
882 	case NL80211_IFTYPE_AP:
883 	case NL80211_IFTYPE_AP_VLAN:
884 	case NL80211_IFTYPE_P2P_GO:
885 	case NL80211_IFTYPE_MESH_POINT:
886 		break;
887 	case NL80211_IFTYPE_ADHOC:
888 	case NL80211_IFTYPE_STATION:
889 	case NL80211_IFTYPE_P2P_CLIENT:
890 		if (!wdev->current_bss)
891 			return -ENOLINK;
892 		break;
893 	case NL80211_IFTYPE_UNSPECIFIED:
894 	case NL80211_IFTYPE_OCB:
895 	case NL80211_IFTYPE_MONITOR:
896 	case NL80211_IFTYPE_P2P_DEVICE:
897 	case NL80211_IFTYPE_WDS:
898 	case NUM_NL80211_IFTYPES:
899 		return -EINVAL;
900 	}
901 
902 	return 0;
903 }
904 
905 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
906 							struct nlattr *tb)
907 {
908 	struct ieee80211_channel *chan;
909 
910 	if (tb == NULL)
911 		return NULL;
912 	chan = ieee80211_get_channel(wiphy, nla_get_u32(tb));
913 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
914 		return NULL;
915 	return chan;
916 }
917 
918 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
919 {
920 	struct nlattr *nl_modes = nla_nest_start(msg, attr);
921 	int i;
922 
923 	if (!nl_modes)
924 		goto nla_put_failure;
925 
926 	i = 0;
927 	while (ifmodes) {
928 		if ((ifmodes & 1) && nla_put_flag(msg, i))
929 			goto nla_put_failure;
930 		ifmodes >>= 1;
931 		i++;
932 	}
933 
934 	nla_nest_end(msg, nl_modes);
935 	return 0;
936 
937 nla_put_failure:
938 	return -ENOBUFS;
939 }
940 
941 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
942 					  struct sk_buff *msg,
943 					  bool large)
944 {
945 	struct nlattr *nl_combis;
946 	int i, j;
947 
948 	nl_combis = nla_nest_start(msg,
949 				NL80211_ATTR_INTERFACE_COMBINATIONS);
950 	if (!nl_combis)
951 		goto nla_put_failure;
952 
953 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
954 		const struct ieee80211_iface_combination *c;
955 		struct nlattr *nl_combi, *nl_limits;
956 
957 		c = &wiphy->iface_combinations[i];
958 
959 		nl_combi = nla_nest_start(msg, i + 1);
960 		if (!nl_combi)
961 			goto nla_put_failure;
962 
963 		nl_limits = nla_nest_start(msg, NL80211_IFACE_COMB_LIMITS);
964 		if (!nl_limits)
965 			goto nla_put_failure;
966 
967 		for (j = 0; j < c->n_limits; j++) {
968 			struct nlattr *nl_limit;
969 
970 			nl_limit = nla_nest_start(msg, j + 1);
971 			if (!nl_limit)
972 				goto nla_put_failure;
973 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
974 					c->limits[j].max))
975 				goto nla_put_failure;
976 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
977 						c->limits[j].types))
978 				goto nla_put_failure;
979 			nla_nest_end(msg, nl_limit);
980 		}
981 
982 		nla_nest_end(msg, nl_limits);
983 
984 		if (c->beacon_int_infra_match &&
985 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
986 			goto nla_put_failure;
987 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
988 				c->num_different_channels) ||
989 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
990 				c->max_interfaces))
991 			goto nla_put_failure;
992 		if (large &&
993 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
994 				c->radar_detect_widths) ||
995 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
996 				c->radar_detect_regions)))
997 			goto nla_put_failure;
998 
999 		nla_nest_end(msg, nl_combi);
1000 	}
1001 
1002 	nla_nest_end(msg, nl_combis);
1003 
1004 	return 0;
1005 nla_put_failure:
1006 	return -ENOBUFS;
1007 }
1008 
1009 #ifdef CONFIG_PM
1010 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1011 					struct sk_buff *msg)
1012 {
1013 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1014 	struct nlattr *nl_tcp;
1015 
1016 	if (!tcp)
1017 		return 0;
1018 
1019 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1020 	if (!nl_tcp)
1021 		return -ENOBUFS;
1022 
1023 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1024 			tcp->data_payload_max))
1025 		return -ENOBUFS;
1026 
1027 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1028 			tcp->data_payload_max))
1029 		return -ENOBUFS;
1030 
1031 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1032 		return -ENOBUFS;
1033 
1034 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1035 				sizeof(*tcp->tok), tcp->tok))
1036 		return -ENOBUFS;
1037 
1038 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1039 			tcp->data_interval_max))
1040 		return -ENOBUFS;
1041 
1042 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1043 			tcp->wake_payload_max))
1044 		return -ENOBUFS;
1045 
1046 	nla_nest_end(msg, nl_tcp);
1047 	return 0;
1048 }
1049 
1050 static int nl80211_send_wowlan(struct sk_buff *msg,
1051 			       struct cfg80211_registered_device *rdev,
1052 			       bool large)
1053 {
1054 	struct nlattr *nl_wowlan;
1055 
1056 	if (!rdev->wiphy.wowlan)
1057 		return 0;
1058 
1059 	nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1060 	if (!nl_wowlan)
1061 		return -ENOBUFS;
1062 
1063 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1064 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1065 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1066 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1067 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1068 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1069 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1070 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1071 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1072 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1073 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1074 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1075 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1076 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1077 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1078 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1079 		return -ENOBUFS;
1080 
1081 	if (rdev->wiphy.wowlan->n_patterns) {
1082 		struct nl80211_pattern_support pat = {
1083 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1084 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1085 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1086 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1087 		};
1088 
1089 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1090 			    sizeof(pat), &pat))
1091 			return -ENOBUFS;
1092 	}
1093 
1094 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1095 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1096 			rdev->wiphy.wowlan->max_nd_match_sets))
1097 		return -ENOBUFS;
1098 
1099 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1100 		return -ENOBUFS;
1101 
1102 	nla_nest_end(msg, nl_wowlan);
1103 
1104 	return 0;
1105 }
1106 #endif
1107 
1108 static int nl80211_send_coalesce(struct sk_buff *msg,
1109 				 struct cfg80211_registered_device *rdev)
1110 {
1111 	struct nl80211_coalesce_rule_support rule;
1112 
1113 	if (!rdev->wiphy.coalesce)
1114 		return 0;
1115 
1116 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1117 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1118 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1119 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1120 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1121 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1122 
1123 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1124 		return -ENOBUFS;
1125 
1126 	return 0;
1127 }
1128 
1129 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1130 				      struct ieee80211_supported_band *sband)
1131 {
1132 	struct nlattr *nl_rates, *nl_rate;
1133 	struct ieee80211_rate *rate;
1134 	int i;
1135 
1136 	/* add HT info */
1137 	if (sband->ht_cap.ht_supported &&
1138 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1139 		     sizeof(sband->ht_cap.mcs),
1140 		     &sband->ht_cap.mcs) ||
1141 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1142 			 sband->ht_cap.cap) ||
1143 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1144 			sband->ht_cap.ampdu_factor) ||
1145 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1146 			sband->ht_cap.ampdu_density)))
1147 		return -ENOBUFS;
1148 
1149 	/* add VHT info */
1150 	if (sband->vht_cap.vht_supported &&
1151 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1152 		     sizeof(sband->vht_cap.vht_mcs),
1153 		     &sband->vht_cap.vht_mcs) ||
1154 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1155 			 sband->vht_cap.cap)))
1156 		return -ENOBUFS;
1157 
1158 	/* add bitrates */
1159 	nl_rates = nla_nest_start(msg, NL80211_BAND_ATTR_RATES);
1160 	if (!nl_rates)
1161 		return -ENOBUFS;
1162 
1163 	for (i = 0; i < sband->n_bitrates; i++) {
1164 		nl_rate = nla_nest_start(msg, i);
1165 		if (!nl_rate)
1166 			return -ENOBUFS;
1167 
1168 		rate = &sband->bitrates[i];
1169 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1170 				rate->bitrate))
1171 			return -ENOBUFS;
1172 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1173 		    nla_put_flag(msg,
1174 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1175 			return -ENOBUFS;
1176 
1177 		nla_nest_end(msg, nl_rate);
1178 	}
1179 
1180 	nla_nest_end(msg, nl_rates);
1181 
1182 	return 0;
1183 }
1184 
1185 static int
1186 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1187 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1188 {
1189 	u16 stypes;
1190 	struct nlattr *nl_ftypes, *nl_ifs;
1191 	enum nl80211_iftype ift;
1192 	int i;
1193 
1194 	if (!mgmt_stypes)
1195 		return 0;
1196 
1197 	nl_ifs = nla_nest_start(msg, NL80211_ATTR_TX_FRAME_TYPES);
1198 	if (!nl_ifs)
1199 		return -ENOBUFS;
1200 
1201 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1202 		nl_ftypes = nla_nest_start(msg, ift);
1203 		if (!nl_ftypes)
1204 			return -ENOBUFS;
1205 		i = 0;
1206 		stypes = mgmt_stypes[ift].tx;
1207 		while (stypes) {
1208 			if ((stypes & 1) &&
1209 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1210 					(i << 4) | IEEE80211_FTYPE_MGMT))
1211 				return -ENOBUFS;
1212 			stypes >>= 1;
1213 			i++;
1214 		}
1215 		nla_nest_end(msg, nl_ftypes);
1216 	}
1217 
1218 	nla_nest_end(msg, nl_ifs);
1219 
1220 	nl_ifs = nla_nest_start(msg, NL80211_ATTR_RX_FRAME_TYPES);
1221 	if (!nl_ifs)
1222 		return -ENOBUFS;
1223 
1224 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1225 		nl_ftypes = nla_nest_start(msg, ift);
1226 		if (!nl_ftypes)
1227 			return -ENOBUFS;
1228 		i = 0;
1229 		stypes = mgmt_stypes[ift].rx;
1230 		while (stypes) {
1231 			if ((stypes & 1) &&
1232 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1233 					(i << 4) | IEEE80211_FTYPE_MGMT))
1234 				return -ENOBUFS;
1235 			stypes >>= 1;
1236 			i++;
1237 		}
1238 		nla_nest_end(msg, nl_ftypes);
1239 	}
1240 	nla_nest_end(msg, nl_ifs);
1241 
1242 	return 0;
1243 }
1244 
1245 struct nl80211_dump_wiphy_state {
1246 	s64 filter_wiphy;
1247 	long start;
1248 	long split_start, band_start, chan_start;
1249 	bool split;
1250 };
1251 
1252 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
1253 			      enum nl80211_commands cmd,
1254 			      struct sk_buff *msg, u32 portid, u32 seq,
1255 			      int flags, struct nl80211_dump_wiphy_state *state)
1256 {
1257 	void *hdr;
1258 	struct nlattr *nl_bands, *nl_band;
1259 	struct nlattr *nl_freqs, *nl_freq;
1260 	struct nlattr *nl_cmds;
1261 	enum ieee80211_band band;
1262 	struct ieee80211_channel *chan;
1263 	int i;
1264 	const struct ieee80211_txrx_stypes *mgmt_stypes =
1265 				rdev->wiphy.mgmt_stypes;
1266 	u32 features;
1267 
1268 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
1269 	if (!hdr)
1270 		return -ENOBUFS;
1271 
1272 	if (WARN_ON(!state))
1273 		return -EINVAL;
1274 
1275 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
1276 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
1277 			   wiphy_name(&rdev->wiphy)) ||
1278 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
1279 			cfg80211_rdev_list_generation))
1280 		goto nla_put_failure;
1281 
1282 	if (cmd != NL80211_CMD_NEW_WIPHY)
1283 		goto finish;
1284 
1285 	switch (state->split_start) {
1286 	case 0:
1287 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
1288 			       rdev->wiphy.retry_short) ||
1289 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
1290 			       rdev->wiphy.retry_long) ||
1291 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
1292 				rdev->wiphy.frag_threshold) ||
1293 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
1294 				rdev->wiphy.rts_threshold) ||
1295 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
1296 			       rdev->wiphy.coverage_class) ||
1297 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
1298 			       rdev->wiphy.max_scan_ssids) ||
1299 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
1300 			       rdev->wiphy.max_sched_scan_ssids) ||
1301 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
1302 				rdev->wiphy.max_scan_ie_len) ||
1303 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
1304 				rdev->wiphy.max_sched_scan_ie_len) ||
1305 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
1306 			       rdev->wiphy.max_match_sets))
1307 			goto nla_put_failure;
1308 
1309 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
1310 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
1311 			goto nla_put_failure;
1312 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
1313 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
1314 			goto nla_put_failure;
1315 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
1316 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
1317 			goto nla_put_failure;
1318 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
1319 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
1320 			goto nla_put_failure;
1321 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
1322 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
1323 			goto nla_put_failure;
1324 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
1325 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
1326 			goto nla_put_failure;
1327 		state->split_start++;
1328 		if (state->split)
1329 			break;
1330 	case 1:
1331 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
1332 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
1333 			    rdev->wiphy.cipher_suites))
1334 			goto nla_put_failure;
1335 
1336 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
1337 			       rdev->wiphy.max_num_pmkids))
1338 			goto nla_put_failure;
1339 
1340 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
1341 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
1342 			goto nla_put_failure;
1343 
1344 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
1345 				rdev->wiphy.available_antennas_tx) ||
1346 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
1347 				rdev->wiphy.available_antennas_rx))
1348 			goto nla_put_failure;
1349 
1350 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
1351 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
1352 				rdev->wiphy.probe_resp_offload))
1353 			goto nla_put_failure;
1354 
1355 		if ((rdev->wiphy.available_antennas_tx ||
1356 		     rdev->wiphy.available_antennas_rx) &&
1357 		    rdev->ops->get_antenna) {
1358 			u32 tx_ant = 0, rx_ant = 0;
1359 			int res;
1360 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
1361 			if (!res) {
1362 				if (nla_put_u32(msg,
1363 						NL80211_ATTR_WIPHY_ANTENNA_TX,
1364 						tx_ant) ||
1365 				    nla_put_u32(msg,
1366 						NL80211_ATTR_WIPHY_ANTENNA_RX,
1367 						rx_ant))
1368 					goto nla_put_failure;
1369 			}
1370 		}
1371 
1372 		state->split_start++;
1373 		if (state->split)
1374 			break;
1375 	case 2:
1376 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
1377 					rdev->wiphy.interface_modes))
1378 				goto nla_put_failure;
1379 		state->split_start++;
1380 		if (state->split)
1381 			break;
1382 	case 3:
1383 		nl_bands = nla_nest_start(msg, NL80211_ATTR_WIPHY_BANDS);
1384 		if (!nl_bands)
1385 			goto nla_put_failure;
1386 
1387 		for (band = state->band_start;
1388 		     band < IEEE80211_NUM_BANDS; band++) {
1389 			struct ieee80211_supported_band *sband;
1390 
1391 			sband = rdev->wiphy.bands[band];
1392 
1393 			if (!sband)
1394 				continue;
1395 
1396 			nl_band = nla_nest_start(msg, band);
1397 			if (!nl_band)
1398 				goto nla_put_failure;
1399 
1400 			switch (state->chan_start) {
1401 			case 0:
1402 				if (nl80211_send_band_rateinfo(msg, sband))
1403 					goto nla_put_failure;
1404 				state->chan_start++;
1405 				if (state->split)
1406 					break;
1407 			default:
1408 				/* add frequencies */
1409 				nl_freqs = nla_nest_start(
1410 					msg, NL80211_BAND_ATTR_FREQS);
1411 				if (!nl_freqs)
1412 					goto nla_put_failure;
1413 
1414 				for (i = state->chan_start - 1;
1415 				     i < sband->n_channels;
1416 				     i++) {
1417 					nl_freq = nla_nest_start(msg, i);
1418 					if (!nl_freq)
1419 						goto nla_put_failure;
1420 
1421 					chan = &sband->channels[i];
1422 
1423 					if (nl80211_msg_put_channel(
1424 							msg, chan,
1425 							state->split))
1426 						goto nla_put_failure;
1427 
1428 					nla_nest_end(msg, nl_freq);
1429 					if (state->split)
1430 						break;
1431 				}
1432 				if (i < sband->n_channels)
1433 					state->chan_start = i + 2;
1434 				else
1435 					state->chan_start = 0;
1436 				nla_nest_end(msg, nl_freqs);
1437 			}
1438 
1439 			nla_nest_end(msg, nl_band);
1440 
1441 			if (state->split) {
1442 				/* start again here */
1443 				if (state->chan_start)
1444 					band--;
1445 				break;
1446 			}
1447 		}
1448 		nla_nest_end(msg, nl_bands);
1449 
1450 		if (band < IEEE80211_NUM_BANDS)
1451 			state->band_start = band + 1;
1452 		else
1453 			state->band_start = 0;
1454 
1455 		/* if bands & channels are done, continue outside */
1456 		if (state->band_start == 0 && state->chan_start == 0)
1457 			state->split_start++;
1458 		if (state->split)
1459 			break;
1460 	case 4:
1461 		nl_cmds = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_COMMANDS);
1462 		if (!nl_cmds)
1463 			goto nla_put_failure;
1464 
1465 		i = 0;
1466 #define CMD(op, n)							\
1467 		 do {							\
1468 			if (rdev->ops->op) {				\
1469 				i++;					\
1470 				if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) \
1471 					goto nla_put_failure;		\
1472 			}						\
1473 		} while (0)
1474 
1475 		CMD(add_virtual_intf, NEW_INTERFACE);
1476 		CMD(change_virtual_intf, SET_INTERFACE);
1477 		CMD(add_key, NEW_KEY);
1478 		CMD(start_ap, START_AP);
1479 		CMD(add_station, NEW_STATION);
1480 		CMD(add_mpath, NEW_MPATH);
1481 		CMD(update_mesh_config, SET_MESH_CONFIG);
1482 		CMD(change_bss, SET_BSS);
1483 		CMD(auth, AUTHENTICATE);
1484 		CMD(assoc, ASSOCIATE);
1485 		CMD(deauth, DEAUTHENTICATE);
1486 		CMD(disassoc, DISASSOCIATE);
1487 		CMD(join_ibss, JOIN_IBSS);
1488 		CMD(join_mesh, JOIN_MESH);
1489 		CMD(set_pmksa, SET_PMKSA);
1490 		CMD(del_pmksa, DEL_PMKSA);
1491 		CMD(flush_pmksa, FLUSH_PMKSA);
1492 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1493 			CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1494 		CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1495 		CMD(mgmt_tx, FRAME);
1496 		CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1497 		if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1498 			i++;
1499 			if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1500 				goto nla_put_failure;
1501 		}
1502 		if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1503 		    rdev->ops->join_mesh) {
1504 			i++;
1505 			if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1506 				goto nla_put_failure;
1507 		}
1508 		CMD(set_wds_peer, SET_WDS_PEER);
1509 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1510 			CMD(tdls_mgmt, TDLS_MGMT);
1511 			CMD(tdls_oper, TDLS_OPER);
1512 		}
1513 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
1514 			CMD(sched_scan_start, START_SCHED_SCAN);
1515 		CMD(probe_client, PROBE_CLIENT);
1516 		CMD(set_noack_map, SET_NOACK_MAP);
1517 		if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1518 			i++;
1519 			if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1520 				goto nla_put_failure;
1521 		}
1522 		CMD(start_p2p_device, START_P2P_DEVICE);
1523 		CMD(set_mcast_rate, SET_MCAST_RATE);
1524 #ifdef CONFIG_NL80211_TESTMODE
1525 		CMD(testmode_cmd, TESTMODE);
1526 #endif
1527 		if (state->split) {
1528 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
1529 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
1530 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
1531 				CMD(channel_switch, CHANNEL_SWITCH);
1532 			CMD(set_qos_map, SET_QOS_MAP);
1533 			if (rdev->wiphy.features &
1534 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
1535 				CMD(add_tx_ts, ADD_TX_TS);
1536 		}
1537 		/* add into the if now */
1538 #undef CMD
1539 
1540 		if (rdev->ops->connect || rdev->ops->auth) {
1541 			i++;
1542 			if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1543 				goto nla_put_failure;
1544 		}
1545 
1546 		if (rdev->ops->disconnect || rdev->ops->deauth) {
1547 			i++;
1548 			if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1549 				goto nla_put_failure;
1550 		}
1551 
1552 		nla_nest_end(msg, nl_cmds);
1553 		state->split_start++;
1554 		if (state->split)
1555 			break;
1556 	case 5:
1557 		if (rdev->ops->remain_on_channel &&
1558 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
1559 		    nla_put_u32(msg,
1560 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
1561 				rdev->wiphy.max_remain_on_channel_duration))
1562 			goto nla_put_failure;
1563 
1564 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
1565 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
1566 			goto nla_put_failure;
1567 
1568 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
1569 			goto nla_put_failure;
1570 		state->split_start++;
1571 		if (state->split)
1572 			break;
1573 	case 6:
1574 #ifdef CONFIG_PM
1575 		if (nl80211_send_wowlan(msg, rdev, state->split))
1576 			goto nla_put_failure;
1577 		state->split_start++;
1578 		if (state->split)
1579 			break;
1580 #else
1581 		state->split_start++;
1582 #endif
1583 	case 7:
1584 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
1585 					rdev->wiphy.software_iftypes))
1586 			goto nla_put_failure;
1587 
1588 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
1589 						   state->split))
1590 			goto nla_put_failure;
1591 
1592 		state->split_start++;
1593 		if (state->split)
1594 			break;
1595 	case 8:
1596 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
1597 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
1598 				rdev->wiphy.ap_sme_capa))
1599 			goto nla_put_failure;
1600 
1601 		features = rdev->wiphy.features;
1602 		/*
1603 		 * We can only add the per-channel limit information if the
1604 		 * dump is split, otherwise it makes it too big. Therefore
1605 		 * only advertise it in that case.
1606 		 */
1607 		if (state->split)
1608 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
1609 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
1610 			goto nla_put_failure;
1611 
1612 		if (rdev->wiphy.ht_capa_mod_mask &&
1613 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
1614 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
1615 			    rdev->wiphy.ht_capa_mod_mask))
1616 			goto nla_put_failure;
1617 
1618 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
1619 		    rdev->wiphy.max_acl_mac_addrs &&
1620 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
1621 				rdev->wiphy.max_acl_mac_addrs))
1622 			goto nla_put_failure;
1623 
1624 		/*
1625 		 * Any information below this point is only available to
1626 		 * applications that can deal with it being split. This
1627 		 * helps ensure that newly added capabilities don't break
1628 		 * older tools by overrunning their buffers.
1629 		 *
1630 		 * We still increment split_start so that in the split
1631 		 * case we'll continue with more data in the next round,
1632 		 * but break unconditionally so unsplit data stops here.
1633 		 */
1634 		state->split_start++;
1635 		break;
1636 	case 9:
1637 		if (rdev->wiphy.extended_capabilities &&
1638 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
1639 			     rdev->wiphy.extended_capabilities_len,
1640 			     rdev->wiphy.extended_capabilities) ||
1641 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
1642 			     rdev->wiphy.extended_capabilities_len,
1643 			     rdev->wiphy.extended_capabilities_mask)))
1644 			goto nla_put_failure;
1645 
1646 		if (rdev->wiphy.vht_capa_mod_mask &&
1647 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
1648 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
1649 			    rdev->wiphy.vht_capa_mod_mask))
1650 			goto nla_put_failure;
1651 
1652 		state->split_start++;
1653 		break;
1654 	case 10:
1655 		if (nl80211_send_coalesce(msg, rdev))
1656 			goto nla_put_failure;
1657 
1658 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
1659 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
1660 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
1661 			goto nla_put_failure;
1662 
1663 		if (rdev->wiphy.max_ap_assoc_sta &&
1664 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
1665 				rdev->wiphy.max_ap_assoc_sta))
1666 			goto nla_put_failure;
1667 
1668 		state->split_start++;
1669 		break;
1670 	case 11:
1671 		if (rdev->wiphy.n_vendor_commands) {
1672 			const struct nl80211_vendor_cmd_info *info;
1673 			struct nlattr *nested;
1674 
1675 			nested = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
1676 			if (!nested)
1677 				goto nla_put_failure;
1678 
1679 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
1680 				info = &rdev->wiphy.vendor_commands[i].info;
1681 				if (nla_put(msg, i + 1, sizeof(*info), info))
1682 					goto nla_put_failure;
1683 			}
1684 			nla_nest_end(msg, nested);
1685 		}
1686 
1687 		if (rdev->wiphy.n_vendor_events) {
1688 			const struct nl80211_vendor_cmd_info *info;
1689 			struct nlattr *nested;
1690 
1691 			nested = nla_nest_start(msg,
1692 						NL80211_ATTR_VENDOR_EVENTS);
1693 			if (!nested)
1694 				goto nla_put_failure;
1695 
1696 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
1697 				info = &rdev->wiphy.vendor_events[i];
1698 				if (nla_put(msg, i + 1, sizeof(*info), info))
1699 					goto nla_put_failure;
1700 			}
1701 			nla_nest_end(msg, nested);
1702 		}
1703 		state->split_start++;
1704 		break;
1705 	case 12:
1706 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
1707 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
1708 			       rdev->wiphy.max_num_csa_counters))
1709 			goto nla_put_failure;
1710 
1711 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
1712 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
1713 			goto nla_put_failure;
1714 
1715 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
1716 			    sizeof(rdev->wiphy.ext_features),
1717 			    rdev->wiphy.ext_features))
1718 			goto nla_put_failure;
1719 
1720 		/* done */
1721 		state->split_start = 0;
1722 		break;
1723 	}
1724  finish:
1725 	genlmsg_end(msg, hdr);
1726 	return 0;
1727 
1728  nla_put_failure:
1729 	genlmsg_cancel(msg, hdr);
1730 	return -EMSGSIZE;
1731 }
1732 
1733 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
1734 				    struct netlink_callback *cb,
1735 				    struct nl80211_dump_wiphy_state *state)
1736 {
1737 	struct nlattr **tb = nl80211_fam.attrbuf;
1738 	int ret = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
1739 			      tb, nl80211_fam.maxattr, nl80211_policy);
1740 	/* ignore parse errors for backward compatibility */
1741 	if (ret)
1742 		return 0;
1743 
1744 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
1745 	if (tb[NL80211_ATTR_WIPHY])
1746 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
1747 	if (tb[NL80211_ATTR_WDEV])
1748 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
1749 	if (tb[NL80211_ATTR_IFINDEX]) {
1750 		struct net_device *netdev;
1751 		struct cfg80211_registered_device *rdev;
1752 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
1753 
1754 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
1755 		if (!netdev)
1756 			return -ENODEV;
1757 		if (netdev->ieee80211_ptr) {
1758 			rdev = wiphy_to_rdev(
1759 				netdev->ieee80211_ptr->wiphy);
1760 			state->filter_wiphy = rdev->wiphy_idx;
1761 		}
1762 	}
1763 
1764 	return 0;
1765 }
1766 
1767 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
1768 {
1769 	int idx = 0, ret;
1770 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
1771 	struct cfg80211_registered_device *rdev;
1772 
1773 	rtnl_lock();
1774 	if (!state) {
1775 		state = kzalloc(sizeof(*state), GFP_KERNEL);
1776 		if (!state) {
1777 			rtnl_unlock();
1778 			return -ENOMEM;
1779 		}
1780 		state->filter_wiphy = -1;
1781 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
1782 		if (ret) {
1783 			kfree(state);
1784 			rtnl_unlock();
1785 			return ret;
1786 		}
1787 		cb->args[0] = (long)state;
1788 	}
1789 
1790 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
1791 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
1792 			continue;
1793 		if (++idx <= state->start)
1794 			continue;
1795 		if (state->filter_wiphy != -1 &&
1796 		    state->filter_wiphy != rdev->wiphy_idx)
1797 			continue;
1798 		/* attempt to fit multiple wiphy data chunks into the skb */
1799 		do {
1800 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
1801 						 skb,
1802 						 NETLINK_CB(cb->skb).portid,
1803 						 cb->nlh->nlmsg_seq,
1804 						 NLM_F_MULTI, state);
1805 			if (ret < 0) {
1806 				/*
1807 				 * If sending the wiphy data didn't fit (ENOBUFS
1808 				 * or EMSGSIZE returned), this SKB is still
1809 				 * empty (so it's not too big because another
1810 				 * wiphy dataset is already in the skb) and
1811 				 * we've not tried to adjust the dump allocation
1812 				 * yet ... then adjust the alloc size to be
1813 				 * bigger, and return 1 but with the empty skb.
1814 				 * This results in an empty message being RX'ed
1815 				 * in userspace, but that is ignored.
1816 				 *
1817 				 * We can then retry with the larger buffer.
1818 				 */
1819 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
1820 				    !skb->len && !state->split &&
1821 				    cb->min_dump_alloc < 4096) {
1822 					cb->min_dump_alloc = 4096;
1823 					state->split_start = 0;
1824 					rtnl_unlock();
1825 					return 1;
1826 				}
1827 				idx--;
1828 				break;
1829 			}
1830 		} while (state->split_start > 0);
1831 		break;
1832 	}
1833 	rtnl_unlock();
1834 
1835 	state->start = idx;
1836 
1837 	return skb->len;
1838 }
1839 
1840 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
1841 {
1842 	kfree((void *)cb->args[0]);
1843 	return 0;
1844 }
1845 
1846 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
1847 {
1848 	struct sk_buff *msg;
1849 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
1850 	struct nl80211_dump_wiphy_state state = {};
1851 
1852 	msg = nlmsg_new(4096, GFP_KERNEL);
1853 	if (!msg)
1854 		return -ENOMEM;
1855 
1856 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
1857 			       info->snd_portid, info->snd_seq, 0,
1858 			       &state) < 0) {
1859 		nlmsg_free(msg);
1860 		return -ENOBUFS;
1861 	}
1862 
1863 	return genlmsg_reply(msg, info);
1864 }
1865 
1866 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
1867 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
1868 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
1869 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
1870 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
1871 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
1872 };
1873 
1874 static int parse_txq_params(struct nlattr *tb[],
1875 			    struct ieee80211_txq_params *txq_params)
1876 {
1877 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
1878 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
1879 	    !tb[NL80211_TXQ_ATTR_AIFS])
1880 		return -EINVAL;
1881 
1882 	txq_params->ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
1883 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
1884 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
1885 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
1886 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
1887 
1888 	if (txq_params->ac >= NL80211_NUM_ACS)
1889 		return -EINVAL;
1890 
1891 	return 0;
1892 }
1893 
1894 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
1895 {
1896 	/*
1897 	 * You can only set the channel explicitly for WDS interfaces,
1898 	 * all others have their channel managed via their respective
1899 	 * "establish a connection" command (connect, join, ...)
1900 	 *
1901 	 * For AP/GO and mesh mode, the channel can be set with the
1902 	 * channel userspace API, but is only stored and passed to the
1903 	 * low-level driver when the AP starts or the mesh is joined.
1904 	 * This is for backward compatibility, userspace can also give
1905 	 * the channel in the start-ap or join-mesh commands instead.
1906 	 *
1907 	 * Monitors are special as they are normally slaved to
1908 	 * whatever else is going on, so they have their own special
1909 	 * operation to set the monitor channel if possible.
1910 	 */
1911 	return !wdev ||
1912 		wdev->iftype == NL80211_IFTYPE_AP ||
1913 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
1914 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
1915 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
1916 }
1917 
1918 static int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
1919 				 struct genl_info *info,
1920 				 struct cfg80211_chan_def *chandef)
1921 {
1922 	u32 control_freq;
1923 
1924 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
1925 		return -EINVAL;
1926 
1927 	control_freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
1928 
1929 	chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
1930 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
1931 	chandef->center_freq1 = control_freq;
1932 	chandef->center_freq2 = 0;
1933 
1934 	/* Primary channel not allowed */
1935 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED)
1936 		return -EINVAL;
1937 
1938 	if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
1939 		enum nl80211_channel_type chantype;
1940 
1941 		chantype = nla_get_u32(
1942 				info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
1943 
1944 		switch (chantype) {
1945 		case NL80211_CHAN_NO_HT:
1946 		case NL80211_CHAN_HT20:
1947 		case NL80211_CHAN_HT40PLUS:
1948 		case NL80211_CHAN_HT40MINUS:
1949 			cfg80211_chandef_create(chandef, chandef->chan,
1950 						chantype);
1951 			break;
1952 		default:
1953 			return -EINVAL;
1954 		}
1955 	} else if (info->attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
1956 		chandef->width =
1957 			nla_get_u32(info->attrs[NL80211_ATTR_CHANNEL_WIDTH]);
1958 		if (info->attrs[NL80211_ATTR_CENTER_FREQ1])
1959 			chandef->center_freq1 =
1960 				nla_get_u32(
1961 					info->attrs[NL80211_ATTR_CENTER_FREQ1]);
1962 		if (info->attrs[NL80211_ATTR_CENTER_FREQ2])
1963 			chandef->center_freq2 =
1964 				nla_get_u32(
1965 					info->attrs[NL80211_ATTR_CENTER_FREQ2]);
1966 	}
1967 
1968 	if (!cfg80211_chandef_valid(chandef))
1969 		return -EINVAL;
1970 
1971 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
1972 				     IEEE80211_CHAN_DISABLED))
1973 		return -EINVAL;
1974 
1975 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
1976 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
1977 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ))
1978 		return -EINVAL;
1979 
1980 	return 0;
1981 }
1982 
1983 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
1984 				 struct net_device *dev,
1985 				 struct genl_info *info)
1986 {
1987 	struct cfg80211_chan_def chandef;
1988 	int result;
1989 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
1990 	struct wireless_dev *wdev = NULL;
1991 
1992 	if (dev)
1993 		wdev = dev->ieee80211_ptr;
1994 	if (!nl80211_can_set_dev_channel(wdev))
1995 		return -EOPNOTSUPP;
1996 	if (wdev)
1997 		iftype = wdev->iftype;
1998 
1999 	result = nl80211_parse_chandef(rdev, info, &chandef);
2000 	if (result)
2001 		return result;
2002 
2003 	switch (iftype) {
2004 	case NL80211_IFTYPE_AP:
2005 	case NL80211_IFTYPE_P2P_GO:
2006 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
2007 						   iftype)) {
2008 			result = -EINVAL;
2009 			break;
2010 		}
2011 		if (wdev->beacon_interval) {
2012 			if (!dev || !rdev->ops->set_ap_chanwidth ||
2013 			    !(rdev->wiphy.features &
2014 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
2015 				result = -EBUSY;
2016 				break;
2017 			}
2018 
2019 			/* Only allow dynamic channel width changes */
2020 			if (chandef.chan != wdev->preset_chandef.chan) {
2021 				result = -EBUSY;
2022 				break;
2023 			}
2024 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
2025 			if (result)
2026 				break;
2027 		}
2028 		wdev->preset_chandef = chandef;
2029 		result = 0;
2030 		break;
2031 	case NL80211_IFTYPE_MESH_POINT:
2032 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
2033 		break;
2034 	case NL80211_IFTYPE_MONITOR:
2035 		result = cfg80211_set_monitor_channel(rdev, &chandef);
2036 		break;
2037 	default:
2038 		result = -EINVAL;
2039 	}
2040 
2041 	return result;
2042 }
2043 
2044 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
2045 {
2046 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2047 	struct net_device *netdev = info->user_ptr[1];
2048 
2049 	return __nl80211_set_channel(rdev, netdev, info);
2050 }
2051 
2052 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
2053 {
2054 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2055 	struct net_device *dev = info->user_ptr[1];
2056 	struct wireless_dev *wdev = dev->ieee80211_ptr;
2057 	const u8 *bssid;
2058 
2059 	if (!info->attrs[NL80211_ATTR_MAC])
2060 		return -EINVAL;
2061 
2062 	if (netif_running(dev))
2063 		return -EBUSY;
2064 
2065 	if (!rdev->ops->set_wds_peer)
2066 		return -EOPNOTSUPP;
2067 
2068 	if (wdev->iftype != NL80211_IFTYPE_WDS)
2069 		return -EOPNOTSUPP;
2070 
2071 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
2072 	return rdev_set_wds_peer(rdev, dev, bssid);
2073 }
2074 
2075 
2076 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
2077 {
2078 	struct cfg80211_registered_device *rdev;
2079 	struct net_device *netdev = NULL;
2080 	struct wireless_dev *wdev;
2081 	int result = 0, rem_txq_params = 0;
2082 	struct nlattr *nl_txq_params;
2083 	u32 changed;
2084 	u8 retry_short = 0, retry_long = 0;
2085 	u32 frag_threshold = 0, rts_threshold = 0;
2086 	u8 coverage_class = 0;
2087 
2088 	ASSERT_RTNL();
2089 
2090 	/*
2091 	 * Try to find the wiphy and netdev. Normally this
2092 	 * function shouldn't need the netdev, but this is
2093 	 * done for backward compatibility -- previously
2094 	 * setting the channel was done per wiphy, but now
2095 	 * it is per netdev. Previous userland like hostapd
2096 	 * also passed a netdev to set_wiphy, so that it is
2097 	 * possible to let that go to the right netdev!
2098 	 */
2099 
2100 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
2101 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
2102 
2103 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
2104 		if (netdev && netdev->ieee80211_ptr)
2105 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
2106 		else
2107 			netdev = NULL;
2108 	}
2109 
2110 	if (!netdev) {
2111 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
2112 						  info->attrs);
2113 		if (IS_ERR(rdev))
2114 			return PTR_ERR(rdev);
2115 		wdev = NULL;
2116 		netdev = NULL;
2117 		result = 0;
2118 	} else
2119 		wdev = netdev->ieee80211_ptr;
2120 
2121 	/*
2122 	 * end workaround code, by now the rdev is available
2123 	 * and locked, and wdev may or may not be NULL.
2124 	 */
2125 
2126 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
2127 		result = cfg80211_dev_rename(
2128 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
2129 
2130 	if (result)
2131 		return result;
2132 
2133 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
2134 		struct ieee80211_txq_params txq_params;
2135 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
2136 
2137 		if (!rdev->ops->set_txq_params)
2138 			return -EOPNOTSUPP;
2139 
2140 		if (!netdev)
2141 			return -EINVAL;
2142 
2143 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2144 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2145 			return -EINVAL;
2146 
2147 		if (!netif_running(netdev))
2148 			return -ENETDOWN;
2149 
2150 		nla_for_each_nested(nl_txq_params,
2151 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
2152 				    rem_txq_params) {
2153 			result = nla_parse(tb, NL80211_TXQ_ATTR_MAX,
2154 					   nla_data(nl_txq_params),
2155 					   nla_len(nl_txq_params),
2156 					   txq_params_policy);
2157 			if (result)
2158 				return result;
2159 			result = parse_txq_params(tb, &txq_params);
2160 			if (result)
2161 				return result;
2162 
2163 			result = rdev_set_txq_params(rdev, netdev,
2164 						     &txq_params);
2165 			if (result)
2166 				return result;
2167 		}
2168 	}
2169 
2170 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2171 		result = __nl80211_set_channel(
2172 			rdev,
2173 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
2174 			info);
2175 		if (result)
2176 			return result;
2177 	}
2178 
2179 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
2180 		struct wireless_dev *txp_wdev = wdev;
2181 		enum nl80211_tx_power_setting type;
2182 		int idx, mbm = 0;
2183 
2184 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
2185 			txp_wdev = NULL;
2186 
2187 		if (!rdev->ops->set_tx_power)
2188 			return -EOPNOTSUPP;
2189 
2190 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
2191 		type = nla_get_u32(info->attrs[idx]);
2192 
2193 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
2194 		    (type != NL80211_TX_POWER_AUTOMATIC))
2195 			return -EINVAL;
2196 
2197 		if (type != NL80211_TX_POWER_AUTOMATIC) {
2198 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
2199 			mbm = nla_get_u32(info->attrs[idx]);
2200 		}
2201 
2202 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
2203 		if (result)
2204 			return result;
2205 	}
2206 
2207 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
2208 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
2209 		u32 tx_ant, rx_ant;
2210 		if ((!rdev->wiphy.available_antennas_tx &&
2211 		     !rdev->wiphy.available_antennas_rx) ||
2212 		    !rdev->ops->set_antenna)
2213 			return -EOPNOTSUPP;
2214 
2215 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
2216 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
2217 
2218 		/* reject antenna configurations which don't match the
2219 		 * available antenna masks, except for the "all" mask */
2220 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
2221 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
2222 			return -EINVAL;
2223 
2224 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
2225 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
2226 
2227 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
2228 		if (result)
2229 			return result;
2230 	}
2231 
2232 	changed = 0;
2233 
2234 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
2235 		retry_short = nla_get_u8(
2236 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
2237 		if (retry_short == 0)
2238 			return -EINVAL;
2239 
2240 		changed |= WIPHY_PARAM_RETRY_SHORT;
2241 	}
2242 
2243 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
2244 		retry_long = nla_get_u8(
2245 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
2246 		if (retry_long == 0)
2247 			return -EINVAL;
2248 
2249 		changed |= WIPHY_PARAM_RETRY_LONG;
2250 	}
2251 
2252 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
2253 		frag_threshold = nla_get_u32(
2254 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
2255 		if (frag_threshold < 256)
2256 			return -EINVAL;
2257 
2258 		if (frag_threshold != (u32) -1) {
2259 			/*
2260 			 * Fragments (apart from the last one) are required to
2261 			 * have even length. Make the fragmentation code
2262 			 * simpler by stripping LSB should someone try to use
2263 			 * odd threshold value.
2264 			 */
2265 			frag_threshold &= ~0x1;
2266 		}
2267 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
2268 	}
2269 
2270 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
2271 		rts_threshold = nla_get_u32(
2272 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
2273 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
2274 	}
2275 
2276 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
2277 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
2278 			return -EINVAL;
2279 
2280 		coverage_class = nla_get_u8(
2281 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
2282 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
2283 	}
2284 
2285 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
2286 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
2287 			return -EOPNOTSUPP;
2288 
2289 		changed |= WIPHY_PARAM_DYN_ACK;
2290 	}
2291 
2292 	if (changed) {
2293 		u8 old_retry_short, old_retry_long;
2294 		u32 old_frag_threshold, old_rts_threshold;
2295 		u8 old_coverage_class;
2296 
2297 		if (!rdev->ops->set_wiphy_params)
2298 			return -EOPNOTSUPP;
2299 
2300 		old_retry_short = rdev->wiphy.retry_short;
2301 		old_retry_long = rdev->wiphy.retry_long;
2302 		old_frag_threshold = rdev->wiphy.frag_threshold;
2303 		old_rts_threshold = rdev->wiphy.rts_threshold;
2304 		old_coverage_class = rdev->wiphy.coverage_class;
2305 
2306 		if (changed & WIPHY_PARAM_RETRY_SHORT)
2307 			rdev->wiphy.retry_short = retry_short;
2308 		if (changed & WIPHY_PARAM_RETRY_LONG)
2309 			rdev->wiphy.retry_long = retry_long;
2310 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
2311 			rdev->wiphy.frag_threshold = frag_threshold;
2312 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
2313 			rdev->wiphy.rts_threshold = rts_threshold;
2314 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
2315 			rdev->wiphy.coverage_class = coverage_class;
2316 
2317 		result = rdev_set_wiphy_params(rdev, changed);
2318 		if (result) {
2319 			rdev->wiphy.retry_short = old_retry_short;
2320 			rdev->wiphy.retry_long = old_retry_long;
2321 			rdev->wiphy.frag_threshold = old_frag_threshold;
2322 			rdev->wiphy.rts_threshold = old_rts_threshold;
2323 			rdev->wiphy.coverage_class = old_coverage_class;
2324 		}
2325 	}
2326 	return 0;
2327 }
2328 
2329 static inline u64 wdev_id(struct wireless_dev *wdev)
2330 {
2331 	return (u64)wdev->identifier |
2332 	       ((u64)wiphy_to_rdev(wdev->wiphy)->wiphy_idx << 32);
2333 }
2334 
2335 static int nl80211_send_chandef(struct sk_buff *msg,
2336 				const struct cfg80211_chan_def *chandef)
2337 {
2338 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
2339 		return -EINVAL;
2340 
2341 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
2342 			chandef->chan->center_freq))
2343 		return -ENOBUFS;
2344 	switch (chandef->width) {
2345 	case NL80211_CHAN_WIDTH_20_NOHT:
2346 	case NL80211_CHAN_WIDTH_20:
2347 	case NL80211_CHAN_WIDTH_40:
2348 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
2349 				cfg80211_get_chandef_type(chandef)))
2350 			return -ENOBUFS;
2351 		break;
2352 	default:
2353 		break;
2354 	}
2355 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
2356 		return -ENOBUFS;
2357 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
2358 		return -ENOBUFS;
2359 	if (chandef->center_freq2 &&
2360 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
2361 		return -ENOBUFS;
2362 	return 0;
2363 }
2364 
2365 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
2366 			      struct cfg80211_registered_device *rdev,
2367 			      struct wireless_dev *wdev, bool removal)
2368 {
2369 	struct net_device *dev = wdev->netdev;
2370 	u8 cmd = NL80211_CMD_NEW_INTERFACE;
2371 	void *hdr;
2372 
2373 	if (removal)
2374 		cmd = NL80211_CMD_DEL_INTERFACE;
2375 
2376 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2377 	if (!hdr)
2378 		return -1;
2379 
2380 	if (dev &&
2381 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2382 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
2383 		goto nla_put_failure;
2384 
2385 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2386 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
2387 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
2388 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
2389 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2390 			rdev->devlist_generation ^
2391 			(cfg80211_rdev_list_generation << 2)))
2392 		goto nla_put_failure;
2393 
2394 	if (rdev->ops->get_channel) {
2395 		int ret;
2396 		struct cfg80211_chan_def chandef;
2397 
2398 		ret = rdev_get_channel(rdev, wdev, &chandef);
2399 		if (ret == 0) {
2400 			if (nl80211_send_chandef(msg, &chandef))
2401 				goto nla_put_failure;
2402 		}
2403 	}
2404 
2405 	if (wdev->ssid_len) {
2406 		if (nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
2407 			goto nla_put_failure;
2408 	}
2409 
2410 	genlmsg_end(msg, hdr);
2411 	return 0;
2412 
2413  nla_put_failure:
2414 	genlmsg_cancel(msg, hdr);
2415 	return -EMSGSIZE;
2416 }
2417 
2418 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
2419 {
2420 	int wp_idx = 0;
2421 	int if_idx = 0;
2422 	int wp_start = cb->args[0];
2423 	int if_start = cb->args[1];
2424 	struct cfg80211_registered_device *rdev;
2425 	struct wireless_dev *wdev;
2426 
2427 	rtnl_lock();
2428 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2429 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2430 			continue;
2431 		if (wp_idx < wp_start) {
2432 			wp_idx++;
2433 			continue;
2434 		}
2435 		if_idx = 0;
2436 
2437 		list_for_each_entry(wdev, &rdev->wdev_list, list) {
2438 			if (if_idx < if_start) {
2439 				if_idx++;
2440 				continue;
2441 			}
2442 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
2443 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
2444 					       rdev, wdev, false) < 0) {
2445 				goto out;
2446 			}
2447 			if_idx++;
2448 		}
2449 
2450 		wp_idx++;
2451 	}
2452  out:
2453 	rtnl_unlock();
2454 
2455 	cb->args[0] = wp_idx;
2456 	cb->args[1] = if_idx;
2457 
2458 	return skb->len;
2459 }
2460 
2461 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
2462 {
2463 	struct sk_buff *msg;
2464 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2465 	struct wireless_dev *wdev = info->user_ptr[1];
2466 
2467 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2468 	if (!msg)
2469 		return -ENOMEM;
2470 
2471 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2472 			       rdev, wdev, false) < 0) {
2473 		nlmsg_free(msg);
2474 		return -ENOBUFS;
2475 	}
2476 
2477 	return genlmsg_reply(msg, info);
2478 }
2479 
2480 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
2481 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
2482 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
2483 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
2484 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
2485 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
2486 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
2487 };
2488 
2489 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
2490 {
2491 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
2492 	int flag;
2493 
2494 	*mntrflags = 0;
2495 
2496 	if (!nla)
2497 		return -EINVAL;
2498 
2499 	if (nla_parse_nested(flags, NL80211_MNTR_FLAG_MAX,
2500 			     nla, mntr_flags_policy))
2501 		return -EINVAL;
2502 
2503 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
2504 		if (flags[flag])
2505 			*mntrflags |= (1<<flag);
2506 
2507 	return 0;
2508 }
2509 
2510 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
2511 			       struct net_device *netdev, u8 use_4addr,
2512 			       enum nl80211_iftype iftype)
2513 {
2514 	if (!use_4addr) {
2515 		if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
2516 			return -EBUSY;
2517 		return 0;
2518 	}
2519 
2520 	switch (iftype) {
2521 	case NL80211_IFTYPE_AP_VLAN:
2522 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
2523 			return 0;
2524 		break;
2525 	case NL80211_IFTYPE_STATION:
2526 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
2527 			return 0;
2528 		break;
2529 	default:
2530 		break;
2531 	}
2532 
2533 	return -EOPNOTSUPP;
2534 }
2535 
2536 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
2537 {
2538 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2539 	struct vif_params params;
2540 	int err;
2541 	enum nl80211_iftype otype, ntype;
2542 	struct net_device *dev = info->user_ptr[1];
2543 	u32 _flags, *flags = NULL;
2544 	bool change = false;
2545 
2546 	memset(&params, 0, sizeof(params));
2547 
2548 	otype = ntype = dev->ieee80211_ptr->iftype;
2549 
2550 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2551 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2552 		if (otype != ntype)
2553 			change = true;
2554 		if (ntype > NL80211_IFTYPE_MAX)
2555 			return -EINVAL;
2556 	}
2557 
2558 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
2559 		struct wireless_dev *wdev = dev->ieee80211_ptr;
2560 
2561 		if (ntype != NL80211_IFTYPE_MESH_POINT)
2562 			return -EINVAL;
2563 		if (netif_running(dev))
2564 			return -EBUSY;
2565 
2566 		wdev_lock(wdev);
2567 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2568 			     IEEE80211_MAX_MESH_ID_LEN);
2569 		wdev->mesh_id_up_len =
2570 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2571 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2572 		       wdev->mesh_id_up_len);
2573 		wdev_unlock(wdev);
2574 	}
2575 
2576 	if (info->attrs[NL80211_ATTR_4ADDR]) {
2577 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2578 		change = true;
2579 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
2580 		if (err)
2581 			return err;
2582 	} else {
2583 		params.use_4addr = -1;
2584 	}
2585 
2586 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
2587 		if (ntype != NL80211_IFTYPE_MONITOR)
2588 			return -EINVAL;
2589 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
2590 					  &_flags);
2591 		if (err)
2592 			return err;
2593 
2594 		flags = &_flags;
2595 		change = true;
2596 	}
2597 
2598 	if (flags && (*flags & MONITOR_FLAG_ACTIVE) &&
2599 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
2600 		return -EOPNOTSUPP;
2601 
2602 	if (change)
2603 		err = cfg80211_change_iface(rdev, dev, ntype, flags, &params);
2604 	else
2605 		err = 0;
2606 
2607 	if (!err && params.use_4addr != -1)
2608 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
2609 
2610 	return err;
2611 }
2612 
2613 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
2614 {
2615 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2616 	struct vif_params params;
2617 	struct wireless_dev *wdev;
2618 	struct sk_buff *msg, *event;
2619 	int err;
2620 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
2621 	u32 flags;
2622 
2623 	/* to avoid failing a new interface creation due to pending removal */
2624 	cfg80211_destroy_ifaces(rdev);
2625 
2626 	memset(&params, 0, sizeof(params));
2627 
2628 	if (!info->attrs[NL80211_ATTR_IFNAME])
2629 		return -EINVAL;
2630 
2631 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2632 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2633 		if (type > NL80211_IFTYPE_MAX)
2634 			return -EINVAL;
2635 	}
2636 
2637 	if (!rdev->ops->add_virtual_intf ||
2638 	    !(rdev->wiphy.interface_modes & (1 << type)))
2639 		return -EOPNOTSUPP;
2640 
2641 	if ((type == NL80211_IFTYPE_P2P_DEVICE ||
2642 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
2643 	    info->attrs[NL80211_ATTR_MAC]) {
2644 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
2645 			   ETH_ALEN);
2646 		if (!is_valid_ether_addr(params.macaddr))
2647 			return -EADDRNOTAVAIL;
2648 	}
2649 
2650 	if (info->attrs[NL80211_ATTR_4ADDR]) {
2651 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2652 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
2653 		if (err)
2654 			return err;
2655 	}
2656 
2657 	err = parse_monitor_flags(type == NL80211_IFTYPE_MONITOR ?
2658 				  info->attrs[NL80211_ATTR_MNTR_FLAGS] : NULL,
2659 				  &flags);
2660 
2661 	if (!err && (flags & MONITOR_FLAG_ACTIVE) &&
2662 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
2663 		return -EOPNOTSUPP;
2664 
2665 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2666 	if (!msg)
2667 		return -ENOMEM;
2668 
2669 	wdev = rdev_add_virtual_intf(rdev,
2670 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
2671 				NET_NAME_USER, type, err ? NULL : &flags,
2672 				&params);
2673 	if (WARN_ON(!wdev)) {
2674 		nlmsg_free(msg);
2675 		return -EPROTO;
2676 	} else if (IS_ERR(wdev)) {
2677 		nlmsg_free(msg);
2678 		return PTR_ERR(wdev);
2679 	}
2680 
2681 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
2682 		wdev->owner_nlportid = info->snd_portid;
2683 
2684 	switch (type) {
2685 	case NL80211_IFTYPE_MESH_POINT:
2686 		if (!info->attrs[NL80211_ATTR_MESH_ID])
2687 			break;
2688 		wdev_lock(wdev);
2689 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2690 			     IEEE80211_MAX_MESH_ID_LEN);
2691 		wdev->mesh_id_up_len =
2692 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2693 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2694 		       wdev->mesh_id_up_len);
2695 		wdev_unlock(wdev);
2696 		break;
2697 	case NL80211_IFTYPE_P2P_DEVICE:
2698 		/*
2699 		 * P2P Device doesn't have a netdev, so doesn't go
2700 		 * through the netdev notifier and must be added here
2701 		 */
2702 		mutex_init(&wdev->mtx);
2703 		INIT_LIST_HEAD(&wdev->event_list);
2704 		spin_lock_init(&wdev->event_lock);
2705 		INIT_LIST_HEAD(&wdev->mgmt_registrations);
2706 		spin_lock_init(&wdev->mgmt_registrations_lock);
2707 
2708 		wdev->identifier = ++rdev->wdev_id;
2709 		list_add_rcu(&wdev->list, &rdev->wdev_list);
2710 		rdev->devlist_generation++;
2711 		break;
2712 	default:
2713 		break;
2714 	}
2715 
2716 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2717 			       rdev, wdev, false) < 0) {
2718 		nlmsg_free(msg);
2719 		return -ENOBUFS;
2720 	}
2721 
2722 	event = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2723 	if (event) {
2724 		if (nl80211_send_iface(event, 0, 0, 0,
2725 				       rdev, wdev, false) < 0) {
2726 			nlmsg_free(event);
2727 			goto out;
2728 		}
2729 
2730 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
2731 					event, 0, NL80211_MCGRP_CONFIG,
2732 					GFP_KERNEL);
2733 	}
2734 
2735 out:
2736 	return genlmsg_reply(msg, info);
2737 }
2738 
2739 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
2740 {
2741 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2742 	struct wireless_dev *wdev = info->user_ptr[1];
2743 	struct sk_buff *msg;
2744 	int status;
2745 
2746 	if (!rdev->ops->del_virtual_intf)
2747 		return -EOPNOTSUPP;
2748 
2749 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2750 	if (msg && nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, true) < 0) {
2751 		nlmsg_free(msg);
2752 		msg = NULL;
2753 	}
2754 
2755 	/*
2756 	 * If we remove a wireless device without a netdev then clear
2757 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
2758 	 * to check if it needs to do dev_put(). Otherwise it crashes
2759 	 * since the wdev has been freed, unlike with a netdev where
2760 	 * we need the dev_put() for the netdev to really be freed.
2761 	 */
2762 	if (!wdev->netdev)
2763 		info->user_ptr[1] = NULL;
2764 
2765 	status = rdev_del_virtual_intf(rdev, wdev);
2766 	if (status >= 0 && msg)
2767 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
2768 					msg, 0, NL80211_MCGRP_CONFIG,
2769 					GFP_KERNEL);
2770 	else
2771 		nlmsg_free(msg);
2772 
2773 	return status;
2774 }
2775 
2776 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
2777 {
2778 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2779 	struct net_device *dev = info->user_ptr[1];
2780 	u16 noack_map;
2781 
2782 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
2783 		return -EINVAL;
2784 
2785 	if (!rdev->ops->set_noack_map)
2786 		return -EOPNOTSUPP;
2787 
2788 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
2789 
2790 	return rdev_set_noack_map(rdev, dev, noack_map);
2791 }
2792 
2793 struct get_key_cookie {
2794 	struct sk_buff *msg;
2795 	int error;
2796 	int idx;
2797 };
2798 
2799 static void get_key_callback(void *c, struct key_params *params)
2800 {
2801 	struct nlattr *key;
2802 	struct get_key_cookie *cookie = c;
2803 
2804 	if ((params->key &&
2805 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
2806 		     params->key_len, params->key)) ||
2807 	    (params->seq &&
2808 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
2809 		     params->seq_len, params->seq)) ||
2810 	    (params->cipher &&
2811 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
2812 			 params->cipher)))
2813 		goto nla_put_failure;
2814 
2815 	key = nla_nest_start(cookie->msg, NL80211_ATTR_KEY);
2816 	if (!key)
2817 		goto nla_put_failure;
2818 
2819 	if ((params->key &&
2820 	     nla_put(cookie->msg, NL80211_KEY_DATA,
2821 		     params->key_len, params->key)) ||
2822 	    (params->seq &&
2823 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
2824 		     params->seq_len, params->seq)) ||
2825 	    (params->cipher &&
2826 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
2827 			 params->cipher)))
2828 		goto nla_put_failure;
2829 
2830 	if (nla_put_u8(cookie->msg, NL80211_ATTR_KEY_IDX, cookie->idx))
2831 		goto nla_put_failure;
2832 
2833 	nla_nest_end(cookie->msg, key);
2834 
2835 	return;
2836  nla_put_failure:
2837 	cookie->error = 1;
2838 }
2839 
2840 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
2841 {
2842 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2843 	int err;
2844 	struct net_device *dev = info->user_ptr[1];
2845 	u8 key_idx = 0;
2846 	const u8 *mac_addr = NULL;
2847 	bool pairwise;
2848 	struct get_key_cookie cookie = {
2849 		.error = 0,
2850 	};
2851 	void *hdr;
2852 	struct sk_buff *msg;
2853 
2854 	if (info->attrs[NL80211_ATTR_KEY_IDX])
2855 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
2856 
2857 	if (key_idx > 5)
2858 		return -EINVAL;
2859 
2860 	if (info->attrs[NL80211_ATTR_MAC])
2861 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2862 
2863 	pairwise = !!mac_addr;
2864 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
2865 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
2866 		if (kt >= NUM_NL80211_KEYTYPES)
2867 			return -EINVAL;
2868 		if (kt != NL80211_KEYTYPE_GROUP &&
2869 		    kt != NL80211_KEYTYPE_PAIRWISE)
2870 			return -EINVAL;
2871 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
2872 	}
2873 
2874 	if (!rdev->ops->get_key)
2875 		return -EOPNOTSUPP;
2876 
2877 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2878 		return -ENOENT;
2879 
2880 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2881 	if (!msg)
2882 		return -ENOMEM;
2883 
2884 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
2885 			     NL80211_CMD_NEW_KEY);
2886 	if (!hdr)
2887 		goto nla_put_failure;
2888 
2889 	cookie.msg = msg;
2890 	cookie.idx = key_idx;
2891 
2892 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2893 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
2894 		goto nla_put_failure;
2895 	if (mac_addr &&
2896 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
2897 		goto nla_put_failure;
2898 
2899 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
2900 			   get_key_callback);
2901 
2902 	if (err)
2903 		goto free_msg;
2904 
2905 	if (cookie.error)
2906 		goto nla_put_failure;
2907 
2908 	genlmsg_end(msg, hdr);
2909 	return genlmsg_reply(msg, info);
2910 
2911  nla_put_failure:
2912 	err = -ENOBUFS;
2913  free_msg:
2914 	nlmsg_free(msg);
2915 	return err;
2916 }
2917 
2918 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
2919 {
2920 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2921 	struct key_parse key;
2922 	int err;
2923 	struct net_device *dev = info->user_ptr[1];
2924 
2925 	err = nl80211_parse_key(info, &key);
2926 	if (err)
2927 		return err;
2928 
2929 	if (key.idx < 0)
2930 		return -EINVAL;
2931 
2932 	/* only support setting default key */
2933 	if (!key.def && !key.defmgmt)
2934 		return -EINVAL;
2935 
2936 	wdev_lock(dev->ieee80211_ptr);
2937 
2938 	if (key.def) {
2939 		if (!rdev->ops->set_default_key) {
2940 			err = -EOPNOTSUPP;
2941 			goto out;
2942 		}
2943 
2944 		err = nl80211_key_allowed(dev->ieee80211_ptr);
2945 		if (err)
2946 			goto out;
2947 
2948 		err = rdev_set_default_key(rdev, dev, key.idx,
2949 						 key.def_uni, key.def_multi);
2950 
2951 		if (err)
2952 			goto out;
2953 
2954 #ifdef CONFIG_CFG80211_WEXT
2955 		dev->ieee80211_ptr->wext.default_key = key.idx;
2956 #endif
2957 	} else {
2958 		if (key.def_uni || !key.def_multi) {
2959 			err = -EINVAL;
2960 			goto out;
2961 		}
2962 
2963 		if (!rdev->ops->set_default_mgmt_key) {
2964 			err = -EOPNOTSUPP;
2965 			goto out;
2966 		}
2967 
2968 		err = nl80211_key_allowed(dev->ieee80211_ptr);
2969 		if (err)
2970 			goto out;
2971 
2972 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
2973 		if (err)
2974 			goto out;
2975 
2976 #ifdef CONFIG_CFG80211_WEXT
2977 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
2978 #endif
2979 	}
2980 
2981  out:
2982 	wdev_unlock(dev->ieee80211_ptr);
2983 
2984 	return err;
2985 }
2986 
2987 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
2988 {
2989 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2990 	int err;
2991 	struct net_device *dev = info->user_ptr[1];
2992 	struct key_parse key;
2993 	const u8 *mac_addr = NULL;
2994 
2995 	err = nl80211_parse_key(info, &key);
2996 	if (err)
2997 		return err;
2998 
2999 	if (!key.p.key)
3000 		return -EINVAL;
3001 
3002 	if (info->attrs[NL80211_ATTR_MAC])
3003 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3004 
3005 	if (key.type == -1) {
3006 		if (mac_addr)
3007 			key.type = NL80211_KEYTYPE_PAIRWISE;
3008 		else
3009 			key.type = NL80211_KEYTYPE_GROUP;
3010 	}
3011 
3012 	/* for now */
3013 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3014 	    key.type != NL80211_KEYTYPE_GROUP)
3015 		return -EINVAL;
3016 
3017 	if (!rdev->ops->add_key)
3018 		return -EOPNOTSUPP;
3019 
3020 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
3021 					   key.type == NL80211_KEYTYPE_PAIRWISE,
3022 					   mac_addr))
3023 		return -EINVAL;
3024 
3025 	wdev_lock(dev->ieee80211_ptr);
3026 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3027 	if (!err)
3028 		err = rdev_add_key(rdev, dev, key.idx,
3029 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3030 				    mac_addr, &key.p);
3031 	wdev_unlock(dev->ieee80211_ptr);
3032 
3033 	return err;
3034 }
3035 
3036 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
3037 {
3038 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3039 	int err;
3040 	struct net_device *dev = info->user_ptr[1];
3041 	u8 *mac_addr = NULL;
3042 	struct key_parse key;
3043 
3044 	err = nl80211_parse_key(info, &key);
3045 	if (err)
3046 		return err;
3047 
3048 	if (info->attrs[NL80211_ATTR_MAC])
3049 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3050 
3051 	if (key.type == -1) {
3052 		if (mac_addr)
3053 			key.type = NL80211_KEYTYPE_PAIRWISE;
3054 		else
3055 			key.type = NL80211_KEYTYPE_GROUP;
3056 	}
3057 
3058 	/* for now */
3059 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3060 	    key.type != NL80211_KEYTYPE_GROUP)
3061 		return -EINVAL;
3062 
3063 	if (!rdev->ops->del_key)
3064 		return -EOPNOTSUPP;
3065 
3066 	wdev_lock(dev->ieee80211_ptr);
3067 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3068 
3069 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
3070 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3071 		err = -ENOENT;
3072 
3073 	if (!err)
3074 		err = rdev_del_key(rdev, dev, key.idx,
3075 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3076 				   mac_addr);
3077 
3078 #ifdef CONFIG_CFG80211_WEXT
3079 	if (!err) {
3080 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
3081 			dev->ieee80211_ptr->wext.default_key = -1;
3082 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
3083 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
3084 	}
3085 #endif
3086 	wdev_unlock(dev->ieee80211_ptr);
3087 
3088 	return err;
3089 }
3090 
3091 /* This function returns an error or the number of nested attributes */
3092 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
3093 {
3094 	struct nlattr *attr;
3095 	int n_entries = 0, tmp;
3096 
3097 	nla_for_each_nested(attr, nl_attr, tmp) {
3098 		if (nla_len(attr) != ETH_ALEN)
3099 			return -EINVAL;
3100 
3101 		n_entries++;
3102 	}
3103 
3104 	return n_entries;
3105 }
3106 
3107 /*
3108  * This function parses ACL information and allocates memory for ACL data.
3109  * On successful return, the calling function is responsible to free the
3110  * ACL buffer returned by this function.
3111  */
3112 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
3113 						struct genl_info *info)
3114 {
3115 	enum nl80211_acl_policy acl_policy;
3116 	struct nlattr *attr;
3117 	struct cfg80211_acl_data *acl;
3118 	int i = 0, n_entries, tmp;
3119 
3120 	if (!wiphy->max_acl_mac_addrs)
3121 		return ERR_PTR(-EOPNOTSUPP);
3122 
3123 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
3124 		return ERR_PTR(-EINVAL);
3125 
3126 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
3127 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
3128 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
3129 		return ERR_PTR(-EINVAL);
3130 
3131 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
3132 		return ERR_PTR(-EINVAL);
3133 
3134 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
3135 	if (n_entries < 0)
3136 		return ERR_PTR(n_entries);
3137 
3138 	if (n_entries > wiphy->max_acl_mac_addrs)
3139 		return ERR_PTR(-ENOTSUPP);
3140 
3141 	acl = kzalloc(sizeof(*acl) + (sizeof(struct mac_address) * n_entries),
3142 		      GFP_KERNEL);
3143 	if (!acl)
3144 		return ERR_PTR(-ENOMEM);
3145 
3146 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
3147 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
3148 		i++;
3149 	}
3150 
3151 	acl->n_acl_entries = n_entries;
3152 	acl->acl_policy = acl_policy;
3153 
3154 	return acl;
3155 }
3156 
3157 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
3158 {
3159 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3160 	struct net_device *dev = info->user_ptr[1];
3161 	struct cfg80211_acl_data *acl;
3162 	int err;
3163 
3164 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3165 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3166 		return -EOPNOTSUPP;
3167 
3168 	if (!dev->ieee80211_ptr->beacon_interval)
3169 		return -EINVAL;
3170 
3171 	acl = parse_acl_data(&rdev->wiphy, info);
3172 	if (IS_ERR(acl))
3173 		return PTR_ERR(acl);
3174 
3175 	err = rdev_set_mac_acl(rdev, dev, acl);
3176 
3177 	kfree(acl);
3178 
3179 	return err;
3180 }
3181 
3182 static int nl80211_parse_beacon(struct nlattr *attrs[],
3183 				struct cfg80211_beacon_data *bcn)
3184 {
3185 	bool haveinfo = false;
3186 
3187 	if (!is_valid_ie_attr(attrs[NL80211_ATTR_BEACON_TAIL]) ||
3188 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE]) ||
3189 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE_PROBE_RESP]) ||
3190 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE_ASSOC_RESP]))
3191 		return -EINVAL;
3192 
3193 	memset(bcn, 0, sizeof(*bcn));
3194 
3195 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
3196 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
3197 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
3198 		if (!bcn->head_len)
3199 			return -EINVAL;
3200 		haveinfo = true;
3201 	}
3202 
3203 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
3204 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
3205 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
3206 		haveinfo = true;
3207 	}
3208 
3209 	if (!haveinfo)
3210 		return -EINVAL;
3211 
3212 	if (attrs[NL80211_ATTR_IE]) {
3213 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
3214 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
3215 	}
3216 
3217 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
3218 		bcn->proberesp_ies =
3219 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
3220 		bcn->proberesp_ies_len =
3221 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
3222 	}
3223 
3224 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
3225 		bcn->assocresp_ies =
3226 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
3227 		bcn->assocresp_ies_len =
3228 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
3229 	}
3230 
3231 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
3232 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
3233 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
3234 	}
3235 
3236 	return 0;
3237 }
3238 
3239 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
3240 				   struct cfg80211_ap_settings *params)
3241 {
3242 	struct wireless_dev *wdev;
3243 	bool ret = false;
3244 
3245 	list_for_each_entry(wdev, &rdev->wdev_list, list) {
3246 		if (wdev->iftype != NL80211_IFTYPE_AP &&
3247 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
3248 			continue;
3249 
3250 		if (!wdev->preset_chandef.chan)
3251 			continue;
3252 
3253 		params->chandef = wdev->preset_chandef;
3254 		ret = true;
3255 		break;
3256 	}
3257 
3258 	return ret;
3259 }
3260 
3261 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
3262 				    enum nl80211_auth_type auth_type,
3263 				    enum nl80211_commands cmd)
3264 {
3265 	if (auth_type > NL80211_AUTHTYPE_MAX)
3266 		return false;
3267 
3268 	switch (cmd) {
3269 	case NL80211_CMD_AUTHENTICATE:
3270 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
3271 		    auth_type == NL80211_AUTHTYPE_SAE)
3272 			return false;
3273 		return true;
3274 	case NL80211_CMD_CONNECT:
3275 	case NL80211_CMD_START_AP:
3276 		/* SAE not supported yet */
3277 		if (auth_type == NL80211_AUTHTYPE_SAE)
3278 			return false;
3279 		return true;
3280 	default:
3281 		return false;
3282 	}
3283 }
3284 
3285 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
3286 {
3287 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3288 	struct net_device *dev = info->user_ptr[1];
3289 	struct wireless_dev *wdev = dev->ieee80211_ptr;
3290 	struct cfg80211_ap_settings params;
3291 	int err;
3292 
3293 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3294 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3295 		return -EOPNOTSUPP;
3296 
3297 	if (!rdev->ops->start_ap)
3298 		return -EOPNOTSUPP;
3299 
3300 	if (wdev->beacon_interval)
3301 		return -EALREADY;
3302 
3303 	memset(&params, 0, sizeof(params));
3304 
3305 	/* these are required for START_AP */
3306 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
3307 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
3308 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
3309 		return -EINVAL;
3310 
3311 	err = nl80211_parse_beacon(info->attrs, &params.beacon);
3312 	if (err)
3313 		return err;
3314 
3315 	params.beacon_interval =
3316 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
3317 	params.dtim_period =
3318 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
3319 
3320 	err = cfg80211_validate_beacon_int(rdev, params.beacon_interval);
3321 	if (err)
3322 		return err;
3323 
3324 	/*
3325 	 * In theory, some of these attributes should be required here
3326 	 * but since they were not used when the command was originally
3327 	 * added, keep them optional for old user space programs to let
3328 	 * them continue to work with drivers that do not need the
3329 	 * additional information -- drivers must check!
3330 	 */
3331 	if (info->attrs[NL80211_ATTR_SSID]) {
3332 		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
3333 		params.ssid_len =
3334 			nla_len(info->attrs[NL80211_ATTR_SSID]);
3335 		if (params.ssid_len == 0 ||
3336 		    params.ssid_len > IEEE80211_MAX_SSID_LEN)
3337 			return -EINVAL;
3338 	}
3339 
3340 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID]) {
3341 		params.hidden_ssid = nla_get_u32(
3342 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
3343 		if (params.hidden_ssid != NL80211_HIDDEN_SSID_NOT_IN_USE &&
3344 		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_LEN &&
3345 		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_CONTENTS)
3346 			return -EINVAL;
3347 	}
3348 
3349 	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
3350 
3351 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
3352 		params.auth_type = nla_get_u32(
3353 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
3354 		if (!nl80211_valid_auth_type(rdev, params.auth_type,
3355 					     NL80211_CMD_START_AP))
3356 			return -EINVAL;
3357 	} else
3358 		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
3359 
3360 	err = nl80211_crypto_settings(rdev, info, &params.crypto,
3361 				      NL80211_MAX_NR_CIPHER_SUITES);
3362 	if (err)
3363 		return err;
3364 
3365 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
3366 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
3367 			return -EOPNOTSUPP;
3368 		params.inactivity_timeout = nla_get_u16(
3369 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
3370 	}
3371 
3372 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
3373 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3374 			return -EINVAL;
3375 		params.p2p_ctwindow =
3376 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
3377 		if (params.p2p_ctwindow > 127)
3378 			return -EINVAL;
3379 		if (params.p2p_ctwindow != 0 &&
3380 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
3381 			return -EINVAL;
3382 	}
3383 
3384 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
3385 		u8 tmp;
3386 
3387 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3388 			return -EINVAL;
3389 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
3390 		if (tmp > 1)
3391 			return -EINVAL;
3392 		params.p2p_opp_ps = tmp;
3393 		if (params.p2p_opp_ps != 0 &&
3394 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
3395 			return -EINVAL;
3396 	}
3397 
3398 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3399 		err = nl80211_parse_chandef(rdev, info, &params.chandef);
3400 		if (err)
3401 			return err;
3402 	} else if (wdev->preset_chandef.chan) {
3403 		params.chandef = wdev->preset_chandef;
3404 	} else if (!nl80211_get_ap_channel(rdev, &params))
3405 		return -EINVAL;
3406 
3407 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
3408 					   wdev->iftype))
3409 		return -EINVAL;
3410 
3411 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
3412 		params.acl = parse_acl_data(&rdev->wiphy, info);
3413 		if (IS_ERR(params.acl))
3414 			return PTR_ERR(params.acl);
3415 	}
3416 
3417 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
3418 		params.smps_mode =
3419 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
3420 		switch (params.smps_mode) {
3421 		case NL80211_SMPS_OFF:
3422 			break;
3423 		case NL80211_SMPS_STATIC:
3424 			if (!(rdev->wiphy.features &
3425 			      NL80211_FEATURE_STATIC_SMPS))
3426 				return -EINVAL;
3427 			break;
3428 		case NL80211_SMPS_DYNAMIC:
3429 			if (!(rdev->wiphy.features &
3430 			      NL80211_FEATURE_DYNAMIC_SMPS))
3431 				return -EINVAL;
3432 			break;
3433 		default:
3434 			return -EINVAL;
3435 		}
3436 	} else {
3437 		params.smps_mode = NL80211_SMPS_OFF;
3438 	}
3439 
3440 	wdev_lock(wdev);
3441 	err = rdev_start_ap(rdev, dev, &params);
3442 	if (!err) {
3443 		wdev->preset_chandef = params.chandef;
3444 		wdev->beacon_interval = params.beacon_interval;
3445 		wdev->chandef = params.chandef;
3446 		wdev->ssid_len = params.ssid_len;
3447 		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
3448 	}
3449 	wdev_unlock(wdev);
3450 
3451 	kfree(params.acl);
3452 
3453 	return err;
3454 }
3455 
3456 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
3457 {
3458 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3459 	struct net_device *dev = info->user_ptr[1];
3460 	struct wireless_dev *wdev = dev->ieee80211_ptr;
3461 	struct cfg80211_beacon_data params;
3462 	int err;
3463 
3464 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3465 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3466 		return -EOPNOTSUPP;
3467 
3468 	if (!rdev->ops->change_beacon)
3469 		return -EOPNOTSUPP;
3470 
3471 	if (!wdev->beacon_interval)
3472 		return -EINVAL;
3473 
3474 	err = nl80211_parse_beacon(info->attrs, &params);
3475 	if (err)
3476 		return err;
3477 
3478 	wdev_lock(wdev);
3479 	err = rdev_change_beacon(rdev, dev, &params);
3480 	wdev_unlock(wdev);
3481 
3482 	return err;
3483 }
3484 
3485 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
3486 {
3487 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3488 	struct net_device *dev = info->user_ptr[1];
3489 
3490 	return cfg80211_stop_ap(rdev, dev, false);
3491 }
3492 
3493 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
3494 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
3495 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
3496 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
3497 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
3498 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
3499 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
3500 };
3501 
3502 static int parse_station_flags(struct genl_info *info,
3503 			       enum nl80211_iftype iftype,
3504 			       struct station_parameters *params)
3505 {
3506 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
3507 	struct nlattr *nla;
3508 	int flag;
3509 
3510 	/*
3511 	 * Try parsing the new attribute first so userspace
3512 	 * can specify both for older kernels.
3513 	 */
3514 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
3515 	if (nla) {
3516 		struct nl80211_sta_flag_update *sta_flags;
3517 
3518 		sta_flags = nla_data(nla);
3519 		params->sta_flags_mask = sta_flags->mask;
3520 		params->sta_flags_set = sta_flags->set;
3521 		params->sta_flags_set &= params->sta_flags_mask;
3522 		if ((params->sta_flags_mask |
3523 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
3524 			return -EINVAL;
3525 		return 0;
3526 	}
3527 
3528 	/* if present, parse the old attribute */
3529 
3530 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
3531 	if (!nla)
3532 		return 0;
3533 
3534 	if (nla_parse_nested(flags, NL80211_STA_FLAG_MAX,
3535 			     nla, sta_flags_policy))
3536 		return -EINVAL;
3537 
3538 	/*
3539 	 * Only allow certain flags for interface types so that
3540 	 * other attributes are silently ignored. Remember that
3541 	 * this is backward compatibility code with old userspace
3542 	 * and shouldn't be hit in other cases anyway.
3543 	 */
3544 	switch (iftype) {
3545 	case NL80211_IFTYPE_AP:
3546 	case NL80211_IFTYPE_AP_VLAN:
3547 	case NL80211_IFTYPE_P2P_GO:
3548 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
3549 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
3550 					 BIT(NL80211_STA_FLAG_WME) |
3551 					 BIT(NL80211_STA_FLAG_MFP);
3552 		break;
3553 	case NL80211_IFTYPE_P2P_CLIENT:
3554 	case NL80211_IFTYPE_STATION:
3555 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
3556 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
3557 		break;
3558 	case NL80211_IFTYPE_MESH_POINT:
3559 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3560 					 BIT(NL80211_STA_FLAG_MFP) |
3561 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
3562 	default:
3563 		return -EINVAL;
3564 	}
3565 
3566 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
3567 		if (flags[flag]) {
3568 			params->sta_flags_set |= (1<<flag);
3569 
3570 			/* no longer support new API additions in old API */
3571 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
3572 				return -EINVAL;
3573 		}
3574 	}
3575 
3576 	return 0;
3577 }
3578 
3579 static bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info,
3580 				 int attr)
3581 {
3582 	struct nlattr *rate;
3583 	u32 bitrate;
3584 	u16 bitrate_compat;
3585 	enum nl80211_attrs rate_flg;
3586 
3587 	rate = nla_nest_start(msg, attr);
3588 	if (!rate)
3589 		return false;
3590 
3591 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
3592 	bitrate = cfg80211_calculate_bitrate(info);
3593 	/* report 16-bit bitrate only if we can */
3594 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
3595 	if (bitrate > 0 &&
3596 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
3597 		return false;
3598 	if (bitrate_compat > 0 &&
3599 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
3600 		return false;
3601 
3602 	switch (info->bw) {
3603 	case RATE_INFO_BW_5:
3604 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
3605 		break;
3606 	case RATE_INFO_BW_10:
3607 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
3608 		break;
3609 	default:
3610 		WARN_ON(1);
3611 		/* fall through */
3612 	case RATE_INFO_BW_20:
3613 		rate_flg = 0;
3614 		break;
3615 	case RATE_INFO_BW_40:
3616 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
3617 		break;
3618 	case RATE_INFO_BW_80:
3619 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
3620 		break;
3621 	case RATE_INFO_BW_160:
3622 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
3623 		break;
3624 	}
3625 
3626 	if (rate_flg && nla_put_flag(msg, rate_flg))
3627 		return false;
3628 
3629 	if (info->flags & RATE_INFO_FLAGS_MCS) {
3630 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
3631 			return false;
3632 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3633 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3634 			return false;
3635 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
3636 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
3637 			return false;
3638 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
3639 			return false;
3640 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3641 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3642 			return false;
3643 	}
3644 
3645 	nla_nest_end(msg, rate);
3646 	return true;
3647 }
3648 
3649 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
3650 			       int id)
3651 {
3652 	void *attr;
3653 	int i = 0;
3654 
3655 	if (!mask)
3656 		return true;
3657 
3658 	attr = nla_nest_start(msg, id);
3659 	if (!attr)
3660 		return false;
3661 
3662 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
3663 		if (!(mask & BIT(i)))
3664 			continue;
3665 
3666 		if (nla_put_u8(msg, i, signal[i]))
3667 			return false;
3668 	}
3669 
3670 	nla_nest_end(msg, attr);
3671 
3672 	return true;
3673 }
3674 
3675 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
3676 				u32 seq, int flags,
3677 				struct cfg80211_registered_device *rdev,
3678 				struct net_device *dev,
3679 				const u8 *mac_addr, struct station_info *sinfo)
3680 {
3681 	void *hdr;
3682 	struct nlattr *sinfoattr, *bss_param;
3683 
3684 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3685 	if (!hdr)
3686 		return -1;
3687 
3688 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3689 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
3690 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
3691 		goto nla_put_failure;
3692 
3693 	sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
3694 	if (!sinfoattr)
3695 		goto nla_put_failure;
3696 
3697 #define PUT_SINFO(attr, memb, type) do {				\
3698 	if (sinfo->filled & BIT(NL80211_STA_INFO_ ## attr) &&		\
3699 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
3700 			     sinfo->memb))				\
3701 		goto nla_put_failure;					\
3702 	} while (0)
3703 
3704 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
3705 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
3706 
3707 	if (sinfo->filled & (BIT(NL80211_STA_INFO_RX_BYTES) |
3708 			     BIT(NL80211_STA_INFO_RX_BYTES64)) &&
3709 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
3710 			(u32)sinfo->rx_bytes))
3711 		goto nla_put_failure;
3712 
3713 	if (sinfo->filled & (BIT(NL80211_STA_INFO_TX_BYTES) |
3714 			     BIT(NL80211_STA_INFO_TX_BYTES64)) &&
3715 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
3716 			(u32)sinfo->tx_bytes))
3717 		goto nla_put_failure;
3718 
3719 	PUT_SINFO(RX_BYTES64, rx_bytes, u64);
3720 	PUT_SINFO(TX_BYTES64, tx_bytes, u64);
3721 	PUT_SINFO(LLID, llid, u16);
3722 	PUT_SINFO(PLID, plid, u16);
3723 	PUT_SINFO(PLINK_STATE, plink_state, u8);
3724 
3725 	switch (rdev->wiphy.signal_type) {
3726 	case CFG80211_SIGNAL_TYPE_MBM:
3727 		PUT_SINFO(SIGNAL, signal, u8);
3728 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
3729 		break;
3730 	default:
3731 		break;
3732 	}
3733 	if (sinfo->filled & BIT(NL80211_STA_INFO_CHAIN_SIGNAL)) {
3734 		if (!nl80211_put_signal(msg, sinfo->chains,
3735 					sinfo->chain_signal,
3736 					NL80211_STA_INFO_CHAIN_SIGNAL))
3737 			goto nla_put_failure;
3738 	}
3739 	if (sinfo->filled & BIT(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
3740 		if (!nl80211_put_signal(msg, sinfo->chains,
3741 					sinfo->chain_signal_avg,
3742 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
3743 			goto nla_put_failure;
3744 	}
3745 	if (sinfo->filled & BIT(NL80211_STA_INFO_TX_BITRATE)) {
3746 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
3747 					  NL80211_STA_INFO_TX_BITRATE))
3748 			goto nla_put_failure;
3749 	}
3750 	if (sinfo->filled & BIT(NL80211_STA_INFO_RX_BITRATE)) {
3751 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
3752 					  NL80211_STA_INFO_RX_BITRATE))
3753 			goto nla_put_failure;
3754 	}
3755 
3756 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
3757 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
3758 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
3759 	PUT_SINFO(TX_FAILED, tx_failed, u32);
3760 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
3761 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
3762 	PUT_SINFO(LOCAL_PM, local_pm, u32);
3763 	PUT_SINFO(PEER_PM, peer_pm, u32);
3764 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
3765 
3766 	if (sinfo->filled & BIT(NL80211_STA_INFO_BSS_PARAM)) {
3767 		bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
3768 		if (!bss_param)
3769 			goto nla_put_failure;
3770 
3771 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
3772 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
3773 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
3774 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
3775 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
3776 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
3777 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
3778 			       sinfo->bss_param.dtim_period) ||
3779 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
3780 				sinfo->bss_param.beacon_interval))
3781 			goto nla_put_failure;
3782 
3783 		nla_nest_end(msg, bss_param);
3784 	}
3785 	if ((sinfo->filled & BIT(NL80211_STA_INFO_STA_FLAGS)) &&
3786 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
3787 		    sizeof(struct nl80211_sta_flag_update),
3788 		    &sinfo->sta_flags))
3789 		goto nla_put_failure;
3790 
3791 	PUT_SINFO(T_OFFSET, t_offset, u64);
3792 	PUT_SINFO(RX_DROP_MISC, rx_dropped_misc, u64);
3793 	PUT_SINFO(BEACON_RX, rx_beacon, u64);
3794 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
3795 
3796 #undef PUT_SINFO
3797 
3798 	if (sinfo->filled & BIT(NL80211_STA_INFO_TID_STATS)) {
3799 		struct nlattr *tidsattr;
3800 		int tid;
3801 
3802 		tidsattr = nla_nest_start(msg, NL80211_STA_INFO_TID_STATS);
3803 		if (!tidsattr)
3804 			goto nla_put_failure;
3805 
3806 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
3807 			struct cfg80211_tid_stats *tidstats;
3808 			struct nlattr *tidattr;
3809 
3810 			tidstats = &sinfo->pertid[tid];
3811 
3812 			if (!tidstats->filled)
3813 				continue;
3814 
3815 			tidattr = nla_nest_start(msg, tid + 1);
3816 			if (!tidattr)
3817 				goto nla_put_failure;
3818 
3819 #define PUT_TIDVAL(attr, memb, type) do {				\
3820 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
3821 	    nla_put_ ## type(msg, NL80211_TID_STATS_ ## attr,		\
3822 			     tidstats->memb))				\
3823 		goto nla_put_failure;					\
3824 	} while (0)
3825 
3826 			PUT_TIDVAL(RX_MSDU, rx_msdu, u64);
3827 			PUT_TIDVAL(TX_MSDU, tx_msdu, u64);
3828 			PUT_TIDVAL(TX_MSDU_RETRIES, tx_msdu_retries, u64);
3829 			PUT_TIDVAL(TX_MSDU_FAILED, tx_msdu_failed, u64);
3830 
3831 #undef PUT_TIDVAL
3832 			nla_nest_end(msg, tidattr);
3833 		}
3834 
3835 		nla_nest_end(msg, tidsattr);
3836 	}
3837 
3838 	nla_nest_end(msg, sinfoattr);
3839 
3840 	if (sinfo->assoc_req_ies_len &&
3841 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
3842 		    sinfo->assoc_req_ies))
3843 		goto nla_put_failure;
3844 
3845 	genlmsg_end(msg, hdr);
3846 	return 0;
3847 
3848  nla_put_failure:
3849 	genlmsg_cancel(msg, hdr);
3850 	return -EMSGSIZE;
3851 }
3852 
3853 static int nl80211_dump_station(struct sk_buff *skb,
3854 				struct netlink_callback *cb)
3855 {
3856 	struct station_info sinfo;
3857 	struct cfg80211_registered_device *rdev;
3858 	struct wireless_dev *wdev;
3859 	u8 mac_addr[ETH_ALEN];
3860 	int sta_idx = cb->args[2];
3861 	int err;
3862 
3863 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
3864 	if (err)
3865 		return err;
3866 
3867 	if (!wdev->netdev) {
3868 		err = -EINVAL;
3869 		goto out_err;
3870 	}
3871 
3872 	if (!rdev->ops->dump_station) {
3873 		err = -EOPNOTSUPP;
3874 		goto out_err;
3875 	}
3876 
3877 	while (1) {
3878 		memset(&sinfo, 0, sizeof(sinfo));
3879 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
3880 					mac_addr, &sinfo);
3881 		if (err == -ENOENT)
3882 			break;
3883 		if (err)
3884 			goto out_err;
3885 
3886 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
3887 				NETLINK_CB(cb->skb).portid,
3888 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
3889 				rdev, wdev->netdev, mac_addr,
3890 				&sinfo) < 0)
3891 			goto out;
3892 
3893 		sta_idx++;
3894 	}
3895 
3896 
3897  out:
3898 	cb->args[2] = sta_idx;
3899 	err = skb->len;
3900  out_err:
3901 	nl80211_finish_wdev_dump(rdev);
3902 
3903 	return err;
3904 }
3905 
3906 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
3907 {
3908 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3909 	struct net_device *dev = info->user_ptr[1];
3910 	struct station_info sinfo;
3911 	struct sk_buff *msg;
3912 	u8 *mac_addr = NULL;
3913 	int err;
3914 
3915 	memset(&sinfo, 0, sizeof(sinfo));
3916 
3917 	if (!info->attrs[NL80211_ATTR_MAC])
3918 		return -EINVAL;
3919 
3920 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3921 
3922 	if (!rdev->ops->get_station)
3923 		return -EOPNOTSUPP;
3924 
3925 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
3926 	if (err)
3927 		return err;
3928 
3929 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3930 	if (!msg)
3931 		return -ENOMEM;
3932 
3933 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
3934 				 info->snd_portid, info->snd_seq, 0,
3935 				 rdev, dev, mac_addr, &sinfo) < 0) {
3936 		nlmsg_free(msg);
3937 		return -ENOBUFS;
3938 	}
3939 
3940 	return genlmsg_reply(msg, info);
3941 }
3942 
3943 int cfg80211_check_station_change(struct wiphy *wiphy,
3944 				  struct station_parameters *params,
3945 				  enum cfg80211_station_type statype)
3946 {
3947 	if (params->listen_interval != -1)
3948 		return -EINVAL;
3949 	if (params->aid &&
3950 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
3951 		return -EINVAL;
3952 
3953 	/* When you run into this, adjust the code below for the new flag */
3954 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
3955 
3956 	switch (statype) {
3957 	case CFG80211_STA_MESH_PEER_KERNEL:
3958 	case CFG80211_STA_MESH_PEER_USER:
3959 		/*
3960 		 * No ignoring the TDLS flag here -- the userspace mesh
3961 		 * code doesn't have the bug of including TDLS in the
3962 		 * mask everywhere.
3963 		 */
3964 		if (params->sta_flags_mask &
3965 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3966 				  BIT(NL80211_STA_FLAG_MFP) |
3967 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
3968 			return -EINVAL;
3969 		break;
3970 	case CFG80211_STA_TDLS_PEER_SETUP:
3971 	case CFG80211_STA_TDLS_PEER_ACTIVE:
3972 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
3973 			return -EINVAL;
3974 		/* ignore since it can't change */
3975 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3976 		break;
3977 	default:
3978 		/* disallow mesh-specific things */
3979 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
3980 			return -EINVAL;
3981 		if (params->local_pm)
3982 			return -EINVAL;
3983 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
3984 			return -EINVAL;
3985 	}
3986 
3987 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
3988 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
3989 		/* TDLS can't be set, ... */
3990 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3991 			return -EINVAL;
3992 		/*
3993 		 * ... but don't bother the driver with it. This works around
3994 		 * a hostapd/wpa_supplicant issue -- it always includes the
3995 		 * TLDS_PEER flag in the mask even for AP mode.
3996 		 */
3997 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3998 	}
3999 
4000 	if (statype != CFG80211_STA_TDLS_PEER_SETUP) {
4001 		/* reject other things that can't change */
4002 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
4003 			return -EINVAL;
4004 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
4005 			return -EINVAL;
4006 		if (params->supported_rates)
4007 			return -EINVAL;
4008 		if (params->ext_capab || params->ht_capa || params->vht_capa)
4009 			return -EINVAL;
4010 	}
4011 
4012 	if (statype != CFG80211_STA_AP_CLIENT) {
4013 		if (params->vlan)
4014 			return -EINVAL;
4015 	}
4016 
4017 	switch (statype) {
4018 	case CFG80211_STA_AP_MLME_CLIENT:
4019 		/* Use this only for authorizing/unauthorizing a station */
4020 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
4021 			return -EOPNOTSUPP;
4022 		break;
4023 	case CFG80211_STA_AP_CLIENT:
4024 		/* accept only the listed bits */
4025 		if (params->sta_flags_mask &
4026 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
4027 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4028 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
4029 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
4030 				  BIT(NL80211_STA_FLAG_WME) |
4031 				  BIT(NL80211_STA_FLAG_MFP)))
4032 			return -EINVAL;
4033 
4034 		/* but authenticated/associated only if driver handles it */
4035 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
4036 		    params->sta_flags_mask &
4037 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4038 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
4039 			return -EINVAL;
4040 		break;
4041 	case CFG80211_STA_IBSS:
4042 	case CFG80211_STA_AP_STA:
4043 		/* reject any changes other than AUTHORIZED */
4044 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
4045 			return -EINVAL;
4046 		break;
4047 	case CFG80211_STA_TDLS_PEER_SETUP:
4048 		/* reject any changes other than AUTHORIZED or WME */
4049 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
4050 					       BIT(NL80211_STA_FLAG_WME)))
4051 			return -EINVAL;
4052 		/* force (at least) rates when authorizing */
4053 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
4054 		    !params->supported_rates)
4055 			return -EINVAL;
4056 		break;
4057 	case CFG80211_STA_TDLS_PEER_ACTIVE:
4058 		/* reject any changes */
4059 		return -EINVAL;
4060 	case CFG80211_STA_MESH_PEER_KERNEL:
4061 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
4062 			return -EINVAL;
4063 		break;
4064 	case CFG80211_STA_MESH_PEER_USER:
4065 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
4066 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
4067 			return -EINVAL;
4068 		break;
4069 	}
4070 
4071 	return 0;
4072 }
4073 EXPORT_SYMBOL(cfg80211_check_station_change);
4074 
4075 /*
4076  * Get vlan interface making sure it is running and on the right wiphy.
4077  */
4078 static struct net_device *get_vlan(struct genl_info *info,
4079 				   struct cfg80211_registered_device *rdev)
4080 {
4081 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
4082 	struct net_device *v;
4083 	int ret;
4084 
4085 	if (!vlanattr)
4086 		return NULL;
4087 
4088 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
4089 	if (!v)
4090 		return ERR_PTR(-ENODEV);
4091 
4092 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
4093 		ret = -EINVAL;
4094 		goto error;
4095 	}
4096 
4097 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
4098 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4099 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
4100 		ret = -EINVAL;
4101 		goto error;
4102 	}
4103 
4104 	if (!netif_running(v)) {
4105 		ret = -ENETDOWN;
4106 		goto error;
4107 	}
4108 
4109 	return v;
4110  error:
4111 	dev_put(v);
4112 	return ERR_PTR(ret);
4113 }
4114 
4115 static const struct nla_policy
4116 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
4117 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
4118 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
4119 };
4120 
4121 static int nl80211_parse_sta_wme(struct genl_info *info,
4122 				 struct station_parameters *params)
4123 {
4124 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
4125 	struct nlattr *nla;
4126 	int err;
4127 
4128 	/* parse WME attributes if present */
4129 	if (!info->attrs[NL80211_ATTR_STA_WME])
4130 		return 0;
4131 
4132 	nla = info->attrs[NL80211_ATTR_STA_WME];
4133 	err = nla_parse_nested(tb, NL80211_STA_WME_MAX, nla,
4134 			       nl80211_sta_wme_policy);
4135 	if (err)
4136 		return err;
4137 
4138 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
4139 		params->uapsd_queues = nla_get_u8(
4140 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
4141 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
4142 		return -EINVAL;
4143 
4144 	if (tb[NL80211_STA_WME_MAX_SP])
4145 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
4146 
4147 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
4148 		return -EINVAL;
4149 
4150 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
4151 
4152 	return 0;
4153 }
4154 
4155 static int nl80211_parse_sta_channel_info(struct genl_info *info,
4156 				      struct station_parameters *params)
4157 {
4158 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
4159 		params->supported_channels =
4160 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
4161 		params->supported_channels_len =
4162 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
4163 		/*
4164 		 * Need to include at least one (first channel, number of
4165 		 * channels) tuple for each subband, and must have proper
4166 		 * tuples for the rest of the data as well.
4167 		 */
4168 		if (params->supported_channels_len < 2)
4169 			return -EINVAL;
4170 		if (params->supported_channels_len % 2)
4171 			return -EINVAL;
4172 	}
4173 
4174 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
4175 		params->supported_oper_classes =
4176 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
4177 		params->supported_oper_classes_len =
4178 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
4179 		/*
4180 		 * The value of the Length field of the Supported Operating
4181 		 * Classes element is between 2 and 253.
4182 		 */
4183 		if (params->supported_oper_classes_len < 2 ||
4184 		    params->supported_oper_classes_len > 253)
4185 			return -EINVAL;
4186 	}
4187 	return 0;
4188 }
4189 
4190 static int nl80211_set_station_tdls(struct genl_info *info,
4191 				    struct station_parameters *params)
4192 {
4193 	int err;
4194 	/* Dummy STA entry gets updated once the peer capabilities are known */
4195 	if (info->attrs[NL80211_ATTR_PEER_AID])
4196 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
4197 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
4198 		params->ht_capa =
4199 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
4200 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
4201 		params->vht_capa =
4202 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
4203 
4204 	err = nl80211_parse_sta_channel_info(info, params);
4205 	if (err)
4206 		return err;
4207 
4208 	return nl80211_parse_sta_wme(info, params);
4209 }
4210 
4211 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
4212 {
4213 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4214 	struct net_device *dev = info->user_ptr[1];
4215 	struct station_parameters params;
4216 	u8 *mac_addr;
4217 	int err;
4218 
4219 	memset(&params, 0, sizeof(params));
4220 
4221 	params.listen_interval = -1;
4222 
4223 	if (!rdev->ops->change_station)
4224 		return -EOPNOTSUPP;
4225 
4226 	if (info->attrs[NL80211_ATTR_STA_AID])
4227 		return -EINVAL;
4228 
4229 	if (!info->attrs[NL80211_ATTR_MAC])
4230 		return -EINVAL;
4231 
4232 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4233 
4234 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
4235 		params.supported_rates =
4236 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4237 		params.supported_rates_len =
4238 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4239 	}
4240 
4241 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
4242 		params.capability =
4243 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
4244 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
4245 	}
4246 
4247 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
4248 		params.ext_capab =
4249 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4250 		params.ext_capab_len =
4251 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4252 	}
4253 
4254 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
4255 		return -EINVAL;
4256 
4257 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
4258 		return -EINVAL;
4259 
4260 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
4261 		params.plink_action =
4262 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
4263 		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
4264 			return -EINVAL;
4265 	}
4266 
4267 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
4268 		params.plink_state =
4269 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
4270 		if (params.plink_state >= NUM_NL80211_PLINK_STATES)
4271 			return -EINVAL;
4272 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
4273 	}
4274 
4275 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]) {
4276 		enum nl80211_mesh_power_mode pm = nla_get_u32(
4277 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
4278 
4279 		if (pm <= NL80211_MESH_POWER_UNKNOWN ||
4280 		    pm > NL80211_MESH_POWER_MAX)
4281 			return -EINVAL;
4282 
4283 		params.local_pm = pm;
4284 	}
4285 
4286 	/* Include parameters for TDLS peer (will check later) */
4287 	err = nl80211_set_station_tdls(info, &params);
4288 	if (err)
4289 		return err;
4290 
4291 	params.vlan = get_vlan(info, rdev);
4292 	if (IS_ERR(params.vlan))
4293 		return PTR_ERR(params.vlan);
4294 
4295 	switch (dev->ieee80211_ptr->iftype) {
4296 	case NL80211_IFTYPE_AP:
4297 	case NL80211_IFTYPE_AP_VLAN:
4298 	case NL80211_IFTYPE_P2P_GO:
4299 	case NL80211_IFTYPE_P2P_CLIENT:
4300 	case NL80211_IFTYPE_STATION:
4301 	case NL80211_IFTYPE_ADHOC:
4302 	case NL80211_IFTYPE_MESH_POINT:
4303 		break;
4304 	default:
4305 		err = -EOPNOTSUPP;
4306 		goto out_put_vlan;
4307 	}
4308 
4309 	/* driver will call cfg80211_check_station_change() */
4310 	err = rdev_change_station(rdev, dev, mac_addr, &params);
4311 
4312  out_put_vlan:
4313 	if (params.vlan)
4314 		dev_put(params.vlan);
4315 
4316 	return err;
4317 }
4318 
4319 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
4320 {
4321 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4322 	int err;
4323 	struct net_device *dev = info->user_ptr[1];
4324 	struct station_parameters params;
4325 	u8 *mac_addr = NULL;
4326 
4327 	memset(&params, 0, sizeof(params));
4328 
4329 	if (!rdev->ops->add_station)
4330 		return -EOPNOTSUPP;
4331 
4332 	if (!info->attrs[NL80211_ATTR_MAC])
4333 		return -EINVAL;
4334 
4335 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
4336 		return -EINVAL;
4337 
4338 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
4339 		return -EINVAL;
4340 
4341 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
4342 	    !info->attrs[NL80211_ATTR_PEER_AID])
4343 		return -EINVAL;
4344 
4345 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4346 	params.supported_rates =
4347 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4348 	params.supported_rates_len =
4349 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4350 	params.listen_interval =
4351 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
4352 
4353 	if (info->attrs[NL80211_ATTR_PEER_AID])
4354 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
4355 	else
4356 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
4357 	if (!params.aid || params.aid > IEEE80211_MAX_AID)
4358 		return -EINVAL;
4359 
4360 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
4361 		params.capability =
4362 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
4363 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
4364 	}
4365 
4366 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
4367 		params.ext_capab =
4368 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4369 		params.ext_capab_len =
4370 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4371 	}
4372 
4373 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
4374 		params.ht_capa =
4375 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
4376 
4377 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
4378 		params.vht_capa =
4379 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
4380 
4381 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
4382 		params.opmode_notif_used = true;
4383 		params.opmode_notif =
4384 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
4385 	}
4386 
4387 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
4388 		params.plink_action =
4389 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
4390 		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
4391 			return -EINVAL;
4392 	}
4393 
4394 	err = nl80211_parse_sta_channel_info(info, &params);
4395 	if (err)
4396 		return err;
4397 
4398 	err = nl80211_parse_sta_wme(info, &params);
4399 	if (err)
4400 		return err;
4401 
4402 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
4403 		return -EINVAL;
4404 
4405 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
4406 	 * as userspace might just pass through the capabilities from the IEs
4407 	 * directly, rather than enforcing this restriction and returning an
4408 	 * error in this case.
4409 	 */
4410 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
4411 		params.ht_capa = NULL;
4412 		params.vht_capa = NULL;
4413 	}
4414 
4415 	/* When you run into this, adjust the code below for the new flag */
4416 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
4417 
4418 	switch (dev->ieee80211_ptr->iftype) {
4419 	case NL80211_IFTYPE_AP:
4420 	case NL80211_IFTYPE_AP_VLAN:
4421 	case NL80211_IFTYPE_P2P_GO:
4422 		/* ignore WME attributes if iface/sta is not capable */
4423 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
4424 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
4425 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4426 
4427 		/* TDLS peers cannot be added */
4428 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
4429 		    info->attrs[NL80211_ATTR_PEER_AID])
4430 			return -EINVAL;
4431 		/* but don't bother the driver with it */
4432 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
4433 
4434 		/* allow authenticated/associated only if driver handles it */
4435 		if (!(rdev->wiphy.features &
4436 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
4437 		    params.sta_flags_mask &
4438 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4439 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
4440 			return -EINVAL;
4441 
4442 		/* must be last in here for error handling */
4443 		params.vlan = get_vlan(info, rdev);
4444 		if (IS_ERR(params.vlan))
4445 			return PTR_ERR(params.vlan);
4446 		break;
4447 	case NL80211_IFTYPE_MESH_POINT:
4448 		/* ignore uAPSD data */
4449 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4450 
4451 		/* associated is disallowed */
4452 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
4453 			return -EINVAL;
4454 		/* TDLS peers cannot be added */
4455 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
4456 		    info->attrs[NL80211_ATTR_PEER_AID])
4457 			return -EINVAL;
4458 		break;
4459 	case NL80211_IFTYPE_STATION:
4460 	case NL80211_IFTYPE_P2P_CLIENT:
4461 		/* ignore uAPSD data */
4462 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4463 
4464 		/* these are disallowed */
4465 		if (params.sta_flags_mask &
4466 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
4467 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
4468 			return -EINVAL;
4469 		/* Only TDLS peers can be added */
4470 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
4471 			return -EINVAL;
4472 		/* Can only add if TDLS ... */
4473 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
4474 			return -EOPNOTSUPP;
4475 		/* ... with external setup is supported */
4476 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
4477 			return -EOPNOTSUPP;
4478 		/*
4479 		 * Older wpa_supplicant versions always mark the TDLS peer
4480 		 * as authorized, but it shouldn't yet be.
4481 		 */
4482 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
4483 		break;
4484 	default:
4485 		return -EOPNOTSUPP;
4486 	}
4487 
4488 	/* be aware of params.vlan when changing code here */
4489 
4490 	err = rdev_add_station(rdev, dev, mac_addr, &params);
4491 
4492 	if (params.vlan)
4493 		dev_put(params.vlan);
4494 	return err;
4495 }
4496 
4497 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
4498 {
4499 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4500 	struct net_device *dev = info->user_ptr[1];
4501 	struct station_del_parameters params;
4502 
4503 	memset(&params, 0, sizeof(params));
4504 
4505 	if (info->attrs[NL80211_ATTR_MAC])
4506 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
4507 
4508 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4509 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
4510 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
4511 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4512 		return -EINVAL;
4513 
4514 	if (!rdev->ops->del_station)
4515 		return -EOPNOTSUPP;
4516 
4517 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
4518 		params.subtype =
4519 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
4520 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
4521 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
4522 			return -EINVAL;
4523 	} else {
4524 		/* Default to Deauthentication frame */
4525 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
4526 	}
4527 
4528 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
4529 		params.reason_code =
4530 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
4531 		if (params.reason_code == 0)
4532 			return -EINVAL; /* 0 is reserved */
4533 	} else {
4534 		/* Default to reason code 2 */
4535 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
4536 	}
4537 
4538 	return rdev_del_station(rdev, dev, &params);
4539 }
4540 
4541 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
4542 				int flags, struct net_device *dev,
4543 				u8 *dst, u8 *next_hop,
4544 				struct mpath_info *pinfo)
4545 {
4546 	void *hdr;
4547 	struct nlattr *pinfoattr;
4548 
4549 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
4550 	if (!hdr)
4551 		return -1;
4552 
4553 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4554 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
4555 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
4556 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
4557 		goto nla_put_failure;
4558 
4559 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MPATH_INFO);
4560 	if (!pinfoattr)
4561 		goto nla_put_failure;
4562 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
4563 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
4564 			pinfo->frame_qlen))
4565 		goto nla_put_failure;
4566 	if (((pinfo->filled & MPATH_INFO_SN) &&
4567 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
4568 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
4569 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
4570 			 pinfo->metric)) ||
4571 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
4572 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
4573 			 pinfo->exptime)) ||
4574 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
4575 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
4576 			pinfo->flags)) ||
4577 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
4578 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
4579 			 pinfo->discovery_timeout)) ||
4580 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
4581 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
4582 			pinfo->discovery_retries)))
4583 		goto nla_put_failure;
4584 
4585 	nla_nest_end(msg, pinfoattr);
4586 
4587 	genlmsg_end(msg, hdr);
4588 	return 0;
4589 
4590  nla_put_failure:
4591 	genlmsg_cancel(msg, hdr);
4592 	return -EMSGSIZE;
4593 }
4594 
4595 static int nl80211_dump_mpath(struct sk_buff *skb,
4596 			      struct netlink_callback *cb)
4597 {
4598 	struct mpath_info pinfo;
4599 	struct cfg80211_registered_device *rdev;
4600 	struct wireless_dev *wdev;
4601 	u8 dst[ETH_ALEN];
4602 	u8 next_hop[ETH_ALEN];
4603 	int path_idx = cb->args[2];
4604 	int err;
4605 
4606 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
4607 	if (err)
4608 		return err;
4609 
4610 	if (!rdev->ops->dump_mpath) {
4611 		err = -EOPNOTSUPP;
4612 		goto out_err;
4613 	}
4614 
4615 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
4616 		err = -EOPNOTSUPP;
4617 		goto out_err;
4618 	}
4619 
4620 	while (1) {
4621 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
4622 				      next_hop, &pinfo);
4623 		if (err == -ENOENT)
4624 			break;
4625 		if (err)
4626 			goto out_err;
4627 
4628 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
4629 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4630 				       wdev->netdev, dst, next_hop,
4631 				       &pinfo) < 0)
4632 			goto out;
4633 
4634 		path_idx++;
4635 	}
4636 
4637 
4638  out:
4639 	cb->args[2] = path_idx;
4640 	err = skb->len;
4641  out_err:
4642 	nl80211_finish_wdev_dump(rdev);
4643 	return err;
4644 }
4645 
4646 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
4647 {
4648 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4649 	int err;
4650 	struct net_device *dev = info->user_ptr[1];
4651 	struct mpath_info pinfo;
4652 	struct sk_buff *msg;
4653 	u8 *dst = NULL;
4654 	u8 next_hop[ETH_ALEN];
4655 
4656 	memset(&pinfo, 0, sizeof(pinfo));
4657 
4658 	if (!info->attrs[NL80211_ATTR_MAC])
4659 		return -EINVAL;
4660 
4661 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4662 
4663 	if (!rdev->ops->get_mpath)
4664 		return -EOPNOTSUPP;
4665 
4666 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4667 		return -EOPNOTSUPP;
4668 
4669 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
4670 	if (err)
4671 		return err;
4672 
4673 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4674 	if (!msg)
4675 		return -ENOMEM;
4676 
4677 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
4678 				 dev, dst, next_hop, &pinfo) < 0) {
4679 		nlmsg_free(msg);
4680 		return -ENOBUFS;
4681 	}
4682 
4683 	return genlmsg_reply(msg, info);
4684 }
4685 
4686 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
4687 {
4688 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4689 	struct net_device *dev = info->user_ptr[1];
4690 	u8 *dst = NULL;
4691 	u8 *next_hop = NULL;
4692 
4693 	if (!info->attrs[NL80211_ATTR_MAC])
4694 		return -EINVAL;
4695 
4696 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
4697 		return -EINVAL;
4698 
4699 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4700 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
4701 
4702 	if (!rdev->ops->change_mpath)
4703 		return -EOPNOTSUPP;
4704 
4705 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4706 		return -EOPNOTSUPP;
4707 
4708 	return rdev_change_mpath(rdev, dev, dst, next_hop);
4709 }
4710 
4711 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
4712 {
4713 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4714 	struct net_device *dev = info->user_ptr[1];
4715 	u8 *dst = NULL;
4716 	u8 *next_hop = NULL;
4717 
4718 	if (!info->attrs[NL80211_ATTR_MAC])
4719 		return -EINVAL;
4720 
4721 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
4722 		return -EINVAL;
4723 
4724 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4725 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
4726 
4727 	if (!rdev->ops->add_mpath)
4728 		return -EOPNOTSUPP;
4729 
4730 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4731 		return -EOPNOTSUPP;
4732 
4733 	return rdev_add_mpath(rdev, dev, dst, next_hop);
4734 }
4735 
4736 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
4737 {
4738 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4739 	struct net_device *dev = info->user_ptr[1];
4740 	u8 *dst = NULL;
4741 
4742 	if (info->attrs[NL80211_ATTR_MAC])
4743 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4744 
4745 	if (!rdev->ops->del_mpath)
4746 		return -EOPNOTSUPP;
4747 
4748 	return rdev_del_mpath(rdev, dev, dst);
4749 }
4750 
4751 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
4752 {
4753 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4754 	int err;
4755 	struct net_device *dev = info->user_ptr[1];
4756 	struct mpath_info pinfo;
4757 	struct sk_buff *msg;
4758 	u8 *dst = NULL;
4759 	u8 mpp[ETH_ALEN];
4760 
4761 	memset(&pinfo, 0, sizeof(pinfo));
4762 
4763 	if (!info->attrs[NL80211_ATTR_MAC])
4764 		return -EINVAL;
4765 
4766 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4767 
4768 	if (!rdev->ops->get_mpp)
4769 		return -EOPNOTSUPP;
4770 
4771 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4772 		return -EOPNOTSUPP;
4773 
4774 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
4775 	if (err)
4776 		return err;
4777 
4778 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4779 	if (!msg)
4780 		return -ENOMEM;
4781 
4782 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
4783 			       dev, dst, mpp, &pinfo) < 0) {
4784 		nlmsg_free(msg);
4785 		return -ENOBUFS;
4786 	}
4787 
4788 	return genlmsg_reply(msg, info);
4789 }
4790 
4791 static int nl80211_dump_mpp(struct sk_buff *skb,
4792 			    struct netlink_callback *cb)
4793 {
4794 	struct mpath_info pinfo;
4795 	struct cfg80211_registered_device *rdev;
4796 	struct wireless_dev *wdev;
4797 	u8 dst[ETH_ALEN];
4798 	u8 mpp[ETH_ALEN];
4799 	int path_idx = cb->args[2];
4800 	int err;
4801 
4802 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
4803 	if (err)
4804 		return err;
4805 
4806 	if (!rdev->ops->dump_mpp) {
4807 		err = -EOPNOTSUPP;
4808 		goto out_err;
4809 	}
4810 
4811 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
4812 		err = -EOPNOTSUPP;
4813 		goto out_err;
4814 	}
4815 
4816 	while (1) {
4817 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
4818 				    mpp, &pinfo);
4819 		if (err == -ENOENT)
4820 			break;
4821 		if (err)
4822 			goto out_err;
4823 
4824 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
4825 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4826 				       wdev->netdev, dst, mpp,
4827 				       &pinfo) < 0)
4828 			goto out;
4829 
4830 		path_idx++;
4831 	}
4832 
4833  out:
4834 	cb->args[2] = path_idx;
4835 	err = skb->len;
4836  out_err:
4837 	nl80211_finish_wdev_dump(rdev);
4838 	return err;
4839 }
4840 
4841 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
4842 {
4843 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4844 	struct net_device *dev = info->user_ptr[1];
4845 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4846 	struct bss_parameters params;
4847 	int err;
4848 
4849 	memset(&params, 0, sizeof(params));
4850 	/* default to not changing parameters */
4851 	params.use_cts_prot = -1;
4852 	params.use_short_preamble = -1;
4853 	params.use_short_slot_time = -1;
4854 	params.ap_isolate = -1;
4855 	params.ht_opmode = -1;
4856 	params.p2p_ctwindow = -1;
4857 	params.p2p_opp_ps = -1;
4858 
4859 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
4860 		params.use_cts_prot =
4861 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
4862 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
4863 		params.use_short_preamble =
4864 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
4865 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
4866 		params.use_short_slot_time =
4867 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
4868 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
4869 		params.basic_rates =
4870 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
4871 		params.basic_rates_len =
4872 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
4873 	}
4874 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
4875 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
4876 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
4877 		params.ht_opmode =
4878 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
4879 
4880 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
4881 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4882 			return -EINVAL;
4883 		params.p2p_ctwindow =
4884 			nla_get_s8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
4885 		if (params.p2p_ctwindow < 0)
4886 			return -EINVAL;
4887 		if (params.p2p_ctwindow != 0 &&
4888 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
4889 			return -EINVAL;
4890 	}
4891 
4892 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
4893 		u8 tmp;
4894 
4895 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4896 			return -EINVAL;
4897 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
4898 		if (tmp > 1)
4899 			return -EINVAL;
4900 		params.p2p_opp_ps = tmp;
4901 		if (params.p2p_opp_ps &&
4902 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
4903 			return -EINVAL;
4904 	}
4905 
4906 	if (!rdev->ops->change_bss)
4907 		return -EOPNOTSUPP;
4908 
4909 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4910 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4911 		return -EOPNOTSUPP;
4912 
4913 	wdev_lock(wdev);
4914 	err = rdev_change_bss(rdev, dev, &params);
4915 	wdev_unlock(wdev);
4916 
4917 	return err;
4918 }
4919 
4920 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
4921 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
4922 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
4923 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
4924 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
4925 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
4926 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
4927 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
4928 };
4929 
4930 static int parse_reg_rule(struct nlattr *tb[],
4931 	struct ieee80211_reg_rule *reg_rule)
4932 {
4933 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
4934 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
4935 
4936 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
4937 		return -EINVAL;
4938 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
4939 		return -EINVAL;
4940 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
4941 		return -EINVAL;
4942 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
4943 		return -EINVAL;
4944 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
4945 		return -EINVAL;
4946 
4947 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
4948 
4949 	freq_range->start_freq_khz =
4950 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
4951 	freq_range->end_freq_khz =
4952 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
4953 	freq_range->max_bandwidth_khz =
4954 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
4955 
4956 	power_rule->max_eirp =
4957 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
4958 
4959 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
4960 		power_rule->max_antenna_gain =
4961 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
4962 
4963 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
4964 		reg_rule->dfs_cac_ms =
4965 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
4966 
4967 	return 0;
4968 }
4969 
4970 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
4971 {
4972 	char *data = NULL;
4973 	bool is_indoor;
4974 	enum nl80211_user_reg_hint_type user_reg_hint_type;
4975 	u32 owner_nlportid;
4976 
4977 
4978 	/*
4979 	 * You should only get this when cfg80211 hasn't yet initialized
4980 	 * completely when built-in to the kernel right between the time
4981 	 * window between nl80211_init() and regulatory_init(), if that is
4982 	 * even possible.
4983 	 */
4984 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
4985 		return -EINPROGRESS;
4986 
4987 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
4988 		user_reg_hint_type =
4989 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
4990 	else
4991 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
4992 
4993 	switch (user_reg_hint_type) {
4994 	case NL80211_USER_REG_HINT_USER:
4995 	case NL80211_USER_REG_HINT_CELL_BASE:
4996 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
4997 			return -EINVAL;
4998 
4999 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
5000 		return regulatory_hint_user(data, user_reg_hint_type);
5001 	case NL80211_USER_REG_HINT_INDOOR:
5002 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
5003 			owner_nlportid = info->snd_portid;
5004 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
5005 		} else {
5006 			owner_nlportid = 0;
5007 			is_indoor = true;
5008 		}
5009 
5010 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
5011 	default:
5012 		return -EINVAL;
5013 	}
5014 }
5015 
5016 static int nl80211_get_mesh_config(struct sk_buff *skb,
5017 				   struct genl_info *info)
5018 {
5019 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5020 	struct net_device *dev = info->user_ptr[1];
5021 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5022 	struct mesh_config cur_params;
5023 	int err = 0;
5024 	void *hdr;
5025 	struct nlattr *pinfoattr;
5026 	struct sk_buff *msg;
5027 
5028 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
5029 		return -EOPNOTSUPP;
5030 
5031 	if (!rdev->ops->get_mesh_config)
5032 		return -EOPNOTSUPP;
5033 
5034 	wdev_lock(wdev);
5035 	/* If not connected, get default parameters */
5036 	if (!wdev->mesh_id_len)
5037 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
5038 	else
5039 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
5040 	wdev_unlock(wdev);
5041 
5042 	if (err)
5043 		return err;
5044 
5045 	/* Draw up a netlink message to send back */
5046 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5047 	if (!msg)
5048 		return -ENOMEM;
5049 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
5050 			     NL80211_CMD_GET_MESH_CONFIG);
5051 	if (!hdr)
5052 		goto out;
5053 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MESH_CONFIG);
5054 	if (!pinfoattr)
5055 		goto nla_put_failure;
5056 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5057 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
5058 			cur_params.dot11MeshRetryTimeout) ||
5059 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
5060 			cur_params.dot11MeshConfirmTimeout) ||
5061 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
5062 			cur_params.dot11MeshHoldingTimeout) ||
5063 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
5064 			cur_params.dot11MeshMaxPeerLinks) ||
5065 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
5066 		       cur_params.dot11MeshMaxRetries) ||
5067 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
5068 		       cur_params.dot11MeshTTL) ||
5069 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
5070 		       cur_params.element_ttl) ||
5071 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
5072 		       cur_params.auto_open_plinks) ||
5073 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
5074 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
5075 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
5076 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
5077 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
5078 			cur_params.path_refresh_time) ||
5079 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
5080 			cur_params.min_discovery_timeout) ||
5081 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
5082 			cur_params.dot11MeshHWMPactivePathTimeout) ||
5083 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
5084 			cur_params.dot11MeshHWMPpreqMinInterval) ||
5085 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
5086 			cur_params.dot11MeshHWMPperrMinInterval) ||
5087 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
5088 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
5089 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
5090 		       cur_params.dot11MeshHWMPRootMode) ||
5091 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
5092 			cur_params.dot11MeshHWMPRannInterval) ||
5093 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
5094 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
5095 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
5096 		       cur_params.dot11MeshForwarding) ||
5097 	    nla_put_u32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
5098 			cur_params.rssi_threshold) ||
5099 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
5100 			cur_params.ht_opmode) ||
5101 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
5102 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
5103 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
5104 			cur_params.dot11MeshHWMProotInterval) ||
5105 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
5106 			cur_params.dot11MeshHWMPconfirmationInterval) ||
5107 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
5108 			cur_params.power_mode) ||
5109 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
5110 			cur_params.dot11MeshAwakeWindowDuration) ||
5111 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
5112 			cur_params.plink_timeout))
5113 		goto nla_put_failure;
5114 	nla_nest_end(msg, pinfoattr);
5115 	genlmsg_end(msg, hdr);
5116 	return genlmsg_reply(msg, info);
5117 
5118  nla_put_failure:
5119 	genlmsg_cancel(msg, hdr);
5120  out:
5121 	nlmsg_free(msg);
5122 	return -ENOBUFS;
5123 }
5124 
5125 static const struct nla_policy nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
5126 	[NL80211_MESHCONF_RETRY_TIMEOUT] = { .type = NLA_U16 },
5127 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] = { .type = NLA_U16 },
5128 	[NL80211_MESHCONF_HOLDING_TIMEOUT] = { .type = NLA_U16 },
5129 	[NL80211_MESHCONF_MAX_PEER_LINKS] = { .type = NLA_U16 },
5130 	[NL80211_MESHCONF_MAX_RETRIES] = { .type = NLA_U8 },
5131 	[NL80211_MESHCONF_TTL] = { .type = NLA_U8 },
5132 	[NL80211_MESHCONF_ELEMENT_TTL] = { .type = NLA_U8 },
5133 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = { .type = NLA_U8 },
5134 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] = { .type = NLA_U32 },
5135 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
5136 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
5137 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = { .type = NLA_U16 },
5138 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
5139 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] = { .type = NLA_U16 },
5140 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] = { .type = NLA_U16 },
5141 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] = { .type = NLA_U16 },
5142 	[NL80211_MESHCONF_HWMP_ROOTMODE] = { .type = NLA_U8 },
5143 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] = { .type = NLA_U16 },
5144 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = { .type = NLA_U8 },
5145 	[NL80211_MESHCONF_FORWARDING] = { .type = NLA_U8 },
5146 	[NL80211_MESHCONF_RSSI_THRESHOLD] = { .type = NLA_U32 },
5147 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
5148 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
5149 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] = { .type = NLA_U16 },
5150 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] = { .type = NLA_U16 },
5151 	[NL80211_MESHCONF_POWER_MODE] = { .type = NLA_U32 },
5152 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
5153 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
5154 };
5155 
5156 static const struct nla_policy
5157 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
5158 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
5159 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
5160 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
5161 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
5162 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
5163 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
5164 	[NL80211_MESH_SETUP_IE] = { .type = NLA_BINARY,
5165 				    .len = IEEE80211_MAX_DATA_LEN },
5166 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
5167 };
5168 
5169 static int nl80211_parse_mesh_config(struct genl_info *info,
5170 				     struct mesh_config *cfg,
5171 				     u32 *mask_out)
5172 {
5173 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
5174 	u32 mask = 0;
5175 
5176 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, min, max, mask, attr, fn) \
5177 do {									    \
5178 	if (tb[attr]) {							    \
5179 		if (fn(tb[attr]) < min || fn(tb[attr]) > max)		    \
5180 			return -EINVAL;					    \
5181 		cfg->param = fn(tb[attr]);				    \
5182 		mask |= (1 << (attr - 1));				    \
5183 	}								    \
5184 } while (0)
5185 
5186 
5187 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
5188 		return -EINVAL;
5189 	if (nla_parse_nested(tb, NL80211_MESHCONF_ATTR_MAX,
5190 			     info->attrs[NL80211_ATTR_MESH_CONFIG],
5191 			     nl80211_meshconf_params_policy))
5192 		return -EINVAL;
5193 
5194 	/* This makes sure that there aren't more than 32 mesh config
5195 	 * parameters (otherwise our bitfield scheme would not work.) */
5196 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
5197 
5198 	/* Fill in the params struct */
5199 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, 1, 255,
5200 				  mask, NL80211_MESHCONF_RETRY_TIMEOUT,
5201 				  nla_get_u16);
5202 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, 1, 255,
5203 				  mask, NL80211_MESHCONF_CONFIRM_TIMEOUT,
5204 				  nla_get_u16);
5205 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, 1, 255,
5206 				  mask, NL80211_MESHCONF_HOLDING_TIMEOUT,
5207 				  nla_get_u16);
5208 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, 0, 255,
5209 				  mask, NL80211_MESHCONF_MAX_PEER_LINKS,
5210 				  nla_get_u16);
5211 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, 0, 16,
5212 				  mask, NL80211_MESHCONF_MAX_RETRIES,
5213 				  nla_get_u8);
5214 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, 1, 255,
5215 				  mask, NL80211_MESHCONF_TTL, nla_get_u8);
5216 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, 1, 255,
5217 				  mask, NL80211_MESHCONF_ELEMENT_TTL,
5218 				  nla_get_u8);
5219 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, 0, 1,
5220 				  mask, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
5221 				  nla_get_u8);
5222 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
5223 				  1, 255, mask,
5224 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
5225 				  nla_get_u32);
5226 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, 0, 255,
5227 				  mask, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
5228 				  nla_get_u8);
5229 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, 1, 65535,
5230 				  mask, NL80211_MESHCONF_PATH_REFRESH_TIME,
5231 				  nla_get_u32);
5232 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, 1, 65535,
5233 				  mask, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
5234 				  nla_get_u16);
5235 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
5236 				  1, 65535, mask,
5237 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
5238 				  nla_get_u32);
5239 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval,
5240 				  1, 65535, mask,
5241 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
5242 				  nla_get_u16);
5243 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval,
5244 				  1, 65535, mask,
5245 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
5246 				  nla_get_u16);
5247 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5248 				  dot11MeshHWMPnetDiameterTraversalTime,
5249 				  1, 65535, mask,
5250 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
5251 				  nla_get_u16);
5252 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, 0, 4,
5253 				  mask, NL80211_MESHCONF_HWMP_ROOTMODE,
5254 				  nla_get_u8);
5255 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, 1, 65535,
5256 				  mask, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
5257 				  nla_get_u16);
5258 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5259 				  dot11MeshGateAnnouncementProtocol, 0, 1,
5260 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
5261 				  nla_get_u8);
5262 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, 0, 1,
5263 				  mask, NL80211_MESHCONF_FORWARDING,
5264 				  nla_get_u8);
5265 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, -255, 0,
5266 				  mask, NL80211_MESHCONF_RSSI_THRESHOLD,
5267 				  nla_get_s32);
5268 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, ht_opmode, 0, 16,
5269 				  mask, NL80211_MESHCONF_HT_OPMODE,
5270 				  nla_get_u16);
5271 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathToRootTimeout,
5272 				  1, 65535, mask,
5273 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
5274 				  nla_get_u32);
5275 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, 1, 65535,
5276 				  mask, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
5277 				  nla_get_u16);
5278 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5279 				  dot11MeshHWMPconfirmationInterval,
5280 				  1, 65535, mask,
5281 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
5282 				  nla_get_u16);
5283 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode,
5284 				  NL80211_MESH_POWER_ACTIVE,
5285 				  NL80211_MESH_POWER_MAX,
5286 				  mask, NL80211_MESHCONF_POWER_MODE,
5287 				  nla_get_u32);
5288 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration,
5289 				  0, 65535, mask,
5290 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
5291 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, 0, 0xffffffff,
5292 				  mask, NL80211_MESHCONF_PLINK_TIMEOUT,
5293 				  nla_get_u32);
5294 	if (mask_out)
5295 		*mask_out = mask;
5296 
5297 	return 0;
5298 
5299 #undef FILL_IN_MESH_PARAM_IF_SET
5300 }
5301 
5302 static int nl80211_parse_mesh_setup(struct genl_info *info,
5303 				     struct mesh_setup *setup)
5304 {
5305 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5306 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
5307 
5308 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
5309 		return -EINVAL;
5310 	if (nla_parse_nested(tb, NL80211_MESH_SETUP_ATTR_MAX,
5311 			     info->attrs[NL80211_ATTR_MESH_SETUP],
5312 			     nl80211_mesh_setup_params_policy))
5313 		return -EINVAL;
5314 
5315 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
5316 		setup->sync_method =
5317 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
5318 		 IEEE80211_SYNC_METHOD_VENDOR :
5319 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
5320 
5321 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
5322 		setup->path_sel_proto =
5323 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
5324 		 IEEE80211_PATH_PROTOCOL_VENDOR :
5325 		 IEEE80211_PATH_PROTOCOL_HWMP;
5326 
5327 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
5328 		setup->path_metric =
5329 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
5330 		 IEEE80211_PATH_METRIC_VENDOR :
5331 		 IEEE80211_PATH_METRIC_AIRTIME;
5332 
5333 
5334 	if (tb[NL80211_MESH_SETUP_IE]) {
5335 		struct nlattr *ieattr =
5336 			tb[NL80211_MESH_SETUP_IE];
5337 		if (!is_valid_ie_attr(ieattr))
5338 			return -EINVAL;
5339 		setup->ie = nla_data(ieattr);
5340 		setup->ie_len = nla_len(ieattr);
5341 	}
5342 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
5343 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
5344 		return -EINVAL;
5345 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
5346 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
5347 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
5348 	if (setup->is_secure)
5349 		setup->user_mpm = true;
5350 
5351 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
5352 		if (!setup->user_mpm)
5353 			return -EINVAL;
5354 		setup->auth_id =
5355 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
5356 	}
5357 
5358 	return 0;
5359 }
5360 
5361 static int nl80211_update_mesh_config(struct sk_buff *skb,
5362 				      struct genl_info *info)
5363 {
5364 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5365 	struct net_device *dev = info->user_ptr[1];
5366 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5367 	struct mesh_config cfg;
5368 	u32 mask;
5369 	int err;
5370 
5371 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
5372 		return -EOPNOTSUPP;
5373 
5374 	if (!rdev->ops->update_mesh_config)
5375 		return -EOPNOTSUPP;
5376 
5377 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
5378 	if (err)
5379 		return err;
5380 
5381 	wdev_lock(wdev);
5382 	if (!wdev->mesh_id_len)
5383 		err = -ENOLINK;
5384 
5385 	if (!err)
5386 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
5387 
5388 	wdev_unlock(wdev);
5389 
5390 	return err;
5391 }
5392 
5393 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
5394 			      struct sk_buff *msg)
5395 {
5396 	struct nlattr *nl_reg_rules;
5397 	unsigned int i;
5398 
5399 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
5400 	    (regdom->dfs_region &&
5401 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
5402 		goto nla_put_failure;
5403 
5404 	nl_reg_rules = nla_nest_start(msg, NL80211_ATTR_REG_RULES);
5405 	if (!nl_reg_rules)
5406 		goto nla_put_failure;
5407 
5408 	for (i = 0; i < regdom->n_reg_rules; i++) {
5409 		struct nlattr *nl_reg_rule;
5410 		const struct ieee80211_reg_rule *reg_rule;
5411 		const struct ieee80211_freq_range *freq_range;
5412 		const struct ieee80211_power_rule *power_rule;
5413 		unsigned int max_bandwidth_khz;
5414 
5415 		reg_rule = &regdom->reg_rules[i];
5416 		freq_range = &reg_rule->freq_range;
5417 		power_rule = &reg_rule->power_rule;
5418 
5419 		nl_reg_rule = nla_nest_start(msg, i);
5420 		if (!nl_reg_rule)
5421 			goto nla_put_failure;
5422 
5423 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
5424 		if (!max_bandwidth_khz)
5425 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
5426 								  reg_rule);
5427 
5428 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
5429 				reg_rule->flags) ||
5430 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
5431 				freq_range->start_freq_khz) ||
5432 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
5433 				freq_range->end_freq_khz) ||
5434 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
5435 				max_bandwidth_khz) ||
5436 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
5437 				power_rule->max_antenna_gain) ||
5438 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
5439 				power_rule->max_eirp) ||
5440 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
5441 				reg_rule->dfs_cac_ms))
5442 			goto nla_put_failure;
5443 
5444 		nla_nest_end(msg, nl_reg_rule);
5445 	}
5446 
5447 	nla_nest_end(msg, nl_reg_rules);
5448 	return 0;
5449 
5450 nla_put_failure:
5451 	return -EMSGSIZE;
5452 }
5453 
5454 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
5455 {
5456 	const struct ieee80211_regdomain *regdom = NULL;
5457 	struct cfg80211_registered_device *rdev;
5458 	struct wiphy *wiphy = NULL;
5459 	struct sk_buff *msg;
5460 	void *hdr;
5461 
5462 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5463 	if (!msg)
5464 		return -ENOBUFS;
5465 
5466 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
5467 			     NL80211_CMD_GET_REG);
5468 	if (!hdr)
5469 		goto put_failure;
5470 
5471 	if (info->attrs[NL80211_ATTR_WIPHY]) {
5472 		bool self_managed;
5473 
5474 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
5475 		if (IS_ERR(rdev)) {
5476 			nlmsg_free(msg);
5477 			return PTR_ERR(rdev);
5478 		}
5479 
5480 		wiphy = &rdev->wiphy;
5481 		self_managed = wiphy->regulatory_flags &
5482 			       REGULATORY_WIPHY_SELF_MANAGED;
5483 		regdom = get_wiphy_regdom(wiphy);
5484 
5485 		/* a self-managed-reg device must have a private regdom */
5486 		if (WARN_ON(!regdom && self_managed)) {
5487 			nlmsg_free(msg);
5488 			return -EINVAL;
5489 		}
5490 
5491 		if (regdom &&
5492 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
5493 			goto nla_put_failure;
5494 	}
5495 
5496 	if (!wiphy && reg_last_request_cell_base() &&
5497 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
5498 			NL80211_USER_REG_HINT_CELL_BASE))
5499 		goto nla_put_failure;
5500 
5501 	rcu_read_lock();
5502 
5503 	if (!regdom)
5504 		regdom = rcu_dereference(cfg80211_regdomain);
5505 
5506 	if (nl80211_put_regdom(regdom, msg))
5507 		goto nla_put_failure_rcu;
5508 
5509 	rcu_read_unlock();
5510 
5511 	genlmsg_end(msg, hdr);
5512 	return genlmsg_reply(msg, info);
5513 
5514 nla_put_failure_rcu:
5515 	rcu_read_unlock();
5516 nla_put_failure:
5517 	genlmsg_cancel(msg, hdr);
5518 put_failure:
5519 	nlmsg_free(msg);
5520 	return -EMSGSIZE;
5521 }
5522 
5523 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
5524 			       u32 seq, int flags, struct wiphy *wiphy,
5525 			       const struct ieee80211_regdomain *regdom)
5526 {
5527 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
5528 				   NL80211_CMD_GET_REG);
5529 
5530 	if (!hdr)
5531 		return -1;
5532 
5533 	genl_dump_check_consistent(cb, hdr, &nl80211_fam);
5534 
5535 	if (nl80211_put_regdom(regdom, msg))
5536 		goto nla_put_failure;
5537 
5538 	if (!wiphy && reg_last_request_cell_base() &&
5539 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
5540 			NL80211_USER_REG_HINT_CELL_BASE))
5541 		goto nla_put_failure;
5542 
5543 	if (wiphy &&
5544 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
5545 		goto nla_put_failure;
5546 
5547 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
5548 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
5549 		goto nla_put_failure;
5550 
5551 	genlmsg_end(msg, hdr);
5552 	return 0;
5553 
5554 nla_put_failure:
5555 	genlmsg_cancel(msg, hdr);
5556 	return -EMSGSIZE;
5557 }
5558 
5559 static int nl80211_get_reg_dump(struct sk_buff *skb,
5560 				struct netlink_callback *cb)
5561 {
5562 	const struct ieee80211_regdomain *regdom = NULL;
5563 	struct cfg80211_registered_device *rdev;
5564 	int err, reg_idx, start = cb->args[2];
5565 
5566 	rtnl_lock();
5567 
5568 	if (cfg80211_regdomain && start == 0) {
5569 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
5570 					  NLM_F_MULTI, NULL,
5571 					  rtnl_dereference(cfg80211_regdomain));
5572 		if (err < 0)
5573 			goto out_err;
5574 	}
5575 
5576 	/* the global regdom is idx 0 */
5577 	reg_idx = 1;
5578 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
5579 		regdom = get_wiphy_regdom(&rdev->wiphy);
5580 		if (!regdom)
5581 			continue;
5582 
5583 		if (++reg_idx <= start)
5584 			continue;
5585 
5586 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
5587 					  NLM_F_MULTI, &rdev->wiphy, regdom);
5588 		if (err < 0) {
5589 			reg_idx--;
5590 			break;
5591 		}
5592 	}
5593 
5594 	cb->args[2] = reg_idx;
5595 	err = skb->len;
5596 out_err:
5597 	rtnl_unlock();
5598 	return err;
5599 }
5600 
5601 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
5602 {
5603 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
5604 	struct nlattr *nl_reg_rule;
5605 	char *alpha2;
5606 	int rem_reg_rules, r;
5607 	u32 num_rules = 0, rule_idx = 0, size_of_regd;
5608 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
5609 	struct ieee80211_regdomain *rd;
5610 
5611 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
5612 		return -EINVAL;
5613 
5614 	if (!info->attrs[NL80211_ATTR_REG_RULES])
5615 		return -EINVAL;
5616 
5617 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
5618 
5619 	if (info->attrs[NL80211_ATTR_DFS_REGION])
5620 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
5621 
5622 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
5623 			    rem_reg_rules) {
5624 		num_rules++;
5625 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
5626 			return -EINVAL;
5627 	}
5628 
5629 	if (!reg_is_valid_request(alpha2))
5630 		return -EINVAL;
5631 
5632 	size_of_regd = sizeof(struct ieee80211_regdomain) +
5633 		       num_rules * sizeof(struct ieee80211_reg_rule);
5634 
5635 	rd = kzalloc(size_of_regd, GFP_KERNEL);
5636 	if (!rd)
5637 		return -ENOMEM;
5638 
5639 	rd->n_reg_rules = num_rules;
5640 	rd->alpha2[0] = alpha2[0];
5641 	rd->alpha2[1] = alpha2[1];
5642 
5643 	/*
5644 	 * Disable DFS master mode if the DFS region was
5645 	 * not supported or known on this kernel.
5646 	 */
5647 	if (reg_supported_dfs_region(dfs_region))
5648 		rd->dfs_region = dfs_region;
5649 
5650 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
5651 			    rem_reg_rules) {
5652 		r = nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
5653 			      nla_data(nl_reg_rule), nla_len(nl_reg_rule),
5654 			      reg_rule_policy);
5655 		if (r)
5656 			goto bad_reg;
5657 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
5658 		if (r)
5659 			goto bad_reg;
5660 
5661 		rule_idx++;
5662 
5663 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
5664 			r = -EINVAL;
5665 			goto bad_reg;
5666 		}
5667 	}
5668 
5669 	r = set_regdom(rd, REGD_SOURCE_CRDA);
5670 	/* set_regdom took ownership */
5671 	rd = NULL;
5672 
5673  bad_reg:
5674 	kfree(rd);
5675 	return r;
5676 }
5677 
5678 static int validate_scan_freqs(struct nlattr *freqs)
5679 {
5680 	struct nlattr *attr1, *attr2;
5681 	int n_channels = 0, tmp1, tmp2;
5682 
5683 	nla_for_each_nested(attr1, freqs, tmp1) {
5684 		n_channels++;
5685 		/*
5686 		 * Some hardware has a limited channel list for
5687 		 * scanning, and it is pretty much nonsensical
5688 		 * to scan for a channel twice, so disallow that
5689 		 * and don't require drivers to check that the
5690 		 * channel list they get isn't longer than what
5691 		 * they can scan, as long as they can scan all
5692 		 * the channels they registered at once.
5693 		 */
5694 		nla_for_each_nested(attr2, freqs, tmp2)
5695 			if (attr1 != attr2 &&
5696 			    nla_get_u32(attr1) == nla_get_u32(attr2))
5697 				return 0;
5698 	}
5699 
5700 	return n_channels;
5701 }
5702 
5703 static int nl80211_parse_random_mac(struct nlattr **attrs,
5704 				    u8 *mac_addr, u8 *mac_addr_mask)
5705 {
5706 	int i;
5707 
5708 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
5709 		eth_zero_addr(mac_addr);
5710 		eth_zero_addr(mac_addr_mask);
5711 		mac_addr[0] = 0x2;
5712 		mac_addr_mask[0] = 0x3;
5713 
5714 		return 0;
5715 	}
5716 
5717 	/* need both or none */
5718 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
5719 		return -EINVAL;
5720 
5721 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
5722 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
5723 
5724 	/* don't allow or configure an mcast address */
5725 	if (!is_multicast_ether_addr(mac_addr_mask) ||
5726 	    is_multicast_ether_addr(mac_addr))
5727 		return -EINVAL;
5728 
5729 	/*
5730 	 * allow users to pass a MAC address that has bits set outside
5731 	 * of the mask, but don't bother drivers with having to deal
5732 	 * with such bits
5733 	 */
5734 	for (i = 0; i < ETH_ALEN; i++)
5735 		mac_addr[i] &= mac_addr_mask[i];
5736 
5737 	return 0;
5738 }
5739 
5740 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
5741 {
5742 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5743 	struct wireless_dev *wdev = info->user_ptr[1];
5744 	struct cfg80211_scan_request *request;
5745 	struct nlattr *attr;
5746 	struct wiphy *wiphy;
5747 	int err, tmp, n_ssids = 0, n_channels, i;
5748 	size_t ie_len;
5749 
5750 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5751 		return -EINVAL;
5752 
5753 	wiphy = &rdev->wiphy;
5754 
5755 	if (!rdev->ops->scan)
5756 		return -EOPNOTSUPP;
5757 
5758 	if (rdev->scan_req || rdev->scan_msg) {
5759 		err = -EBUSY;
5760 		goto unlock;
5761 	}
5762 
5763 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5764 		n_channels = validate_scan_freqs(
5765 				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
5766 		if (!n_channels) {
5767 			err = -EINVAL;
5768 			goto unlock;
5769 		}
5770 	} else {
5771 		n_channels = ieee80211_get_num_supported_channels(wiphy);
5772 	}
5773 
5774 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
5775 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
5776 			n_ssids++;
5777 
5778 	if (n_ssids > wiphy->max_scan_ssids) {
5779 		err = -EINVAL;
5780 		goto unlock;
5781 	}
5782 
5783 	if (info->attrs[NL80211_ATTR_IE])
5784 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5785 	else
5786 		ie_len = 0;
5787 
5788 	if (ie_len > wiphy->max_scan_ie_len) {
5789 		err = -EINVAL;
5790 		goto unlock;
5791 	}
5792 
5793 	request = kzalloc(sizeof(*request)
5794 			+ sizeof(*request->ssids) * n_ssids
5795 			+ sizeof(*request->channels) * n_channels
5796 			+ ie_len, GFP_KERNEL);
5797 	if (!request) {
5798 		err = -ENOMEM;
5799 		goto unlock;
5800 	}
5801 
5802 	if (n_ssids)
5803 		request->ssids = (void *)&request->channels[n_channels];
5804 	request->n_ssids = n_ssids;
5805 	if (ie_len) {
5806 		if (n_ssids)
5807 			request->ie = (void *)(request->ssids + n_ssids);
5808 		else
5809 			request->ie = (void *)(request->channels + n_channels);
5810 	}
5811 
5812 	i = 0;
5813 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5814 		/* user specified, bail out if channel not found */
5815 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
5816 			struct ieee80211_channel *chan;
5817 
5818 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
5819 
5820 			if (!chan) {
5821 				err = -EINVAL;
5822 				goto out_free;
5823 			}
5824 
5825 			/* ignore disabled channels */
5826 			if (chan->flags & IEEE80211_CHAN_DISABLED)
5827 				continue;
5828 
5829 			request->channels[i] = chan;
5830 			i++;
5831 		}
5832 	} else {
5833 		enum ieee80211_band band;
5834 
5835 		/* all channels */
5836 		for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
5837 			int j;
5838 			if (!wiphy->bands[band])
5839 				continue;
5840 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
5841 				struct ieee80211_channel *chan;
5842 
5843 				chan = &wiphy->bands[band]->channels[j];
5844 
5845 				if (chan->flags & IEEE80211_CHAN_DISABLED)
5846 					continue;
5847 
5848 				request->channels[i] = chan;
5849 				i++;
5850 			}
5851 		}
5852 	}
5853 
5854 	if (!i) {
5855 		err = -EINVAL;
5856 		goto out_free;
5857 	}
5858 
5859 	request->n_channels = i;
5860 
5861 	i = 0;
5862 	if (n_ssids) {
5863 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
5864 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
5865 				err = -EINVAL;
5866 				goto out_free;
5867 			}
5868 			request->ssids[i].ssid_len = nla_len(attr);
5869 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
5870 			i++;
5871 		}
5872 	}
5873 
5874 	if (info->attrs[NL80211_ATTR_IE]) {
5875 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5876 		memcpy((void *)request->ie,
5877 		       nla_data(info->attrs[NL80211_ATTR_IE]),
5878 		       request->ie_len);
5879 	}
5880 
5881 	for (i = 0; i < IEEE80211_NUM_BANDS; i++)
5882 		if (wiphy->bands[i])
5883 			request->rates[i] =
5884 				(1 << wiphy->bands[i]->n_bitrates) - 1;
5885 
5886 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
5887 		nla_for_each_nested(attr,
5888 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
5889 				    tmp) {
5890 			enum ieee80211_band band = nla_type(attr);
5891 
5892 			if (band < 0 || band >= IEEE80211_NUM_BANDS) {
5893 				err = -EINVAL;
5894 				goto out_free;
5895 			}
5896 
5897 			if (!wiphy->bands[band])
5898 				continue;
5899 
5900 			err = ieee80211_get_ratemask(wiphy->bands[band],
5901 						     nla_data(attr),
5902 						     nla_len(attr),
5903 						     &request->rates[band]);
5904 			if (err)
5905 				goto out_free;
5906 		}
5907 	}
5908 
5909 	if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
5910 		request->flags = nla_get_u32(
5911 			info->attrs[NL80211_ATTR_SCAN_FLAGS]);
5912 		if ((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
5913 		    !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) {
5914 			err = -EOPNOTSUPP;
5915 			goto out_free;
5916 		}
5917 
5918 		if (request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
5919 			if (!(wiphy->features &
5920 					NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR)) {
5921 				err = -EOPNOTSUPP;
5922 				goto out_free;
5923 			}
5924 
5925 			if (wdev->current_bss) {
5926 				err = -EOPNOTSUPP;
5927 				goto out_free;
5928 			}
5929 
5930 			err = nl80211_parse_random_mac(info->attrs,
5931 						       request->mac_addr,
5932 						       request->mac_addr_mask);
5933 			if (err)
5934 				goto out_free;
5935 		}
5936 	}
5937 
5938 	request->no_cck =
5939 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
5940 
5941 	request->wdev = wdev;
5942 	request->wiphy = &rdev->wiphy;
5943 	request->scan_start = jiffies;
5944 
5945 	rdev->scan_req = request;
5946 	err = rdev_scan(rdev, request);
5947 
5948 	if (!err) {
5949 		nl80211_send_scan_start(rdev, wdev);
5950 		if (wdev->netdev)
5951 			dev_hold(wdev->netdev);
5952 	} else {
5953  out_free:
5954 		rdev->scan_req = NULL;
5955 		kfree(request);
5956 	}
5957 
5958  unlock:
5959 	return err;
5960 }
5961 
5962 static struct cfg80211_sched_scan_request *
5963 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
5964 			 struct nlattr **attrs)
5965 {
5966 	struct cfg80211_sched_scan_request *request;
5967 	struct nlattr *attr;
5968 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i;
5969 	u32 interval;
5970 	enum ieee80211_band band;
5971 	size_t ie_len;
5972 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
5973 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
5974 
5975 	if (!is_valid_ie_attr(attrs[NL80211_ATTR_IE]))
5976 		return ERR_PTR(-EINVAL);
5977 
5978 	if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
5979 		return ERR_PTR(-EINVAL);
5980 
5981 	interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
5982 	if (interval == 0)
5983 		return ERR_PTR(-EINVAL);
5984 
5985 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
5986 		n_channels = validate_scan_freqs(
5987 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
5988 		if (!n_channels)
5989 			return ERR_PTR(-EINVAL);
5990 	} else {
5991 		n_channels = ieee80211_get_num_supported_channels(wiphy);
5992 	}
5993 
5994 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
5995 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
5996 				    tmp)
5997 			n_ssids++;
5998 
5999 	if (n_ssids > wiphy->max_sched_scan_ssids)
6000 		return ERR_PTR(-EINVAL);
6001 
6002 	/*
6003 	 * First, count the number of 'real' matchsets. Due to an issue with
6004 	 * the old implementation, matchsets containing only the RSSI attribute
6005 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
6006 	 * RSSI for all matchsets, rather than their own matchset for reporting
6007 	 * all APs with a strong RSSI. This is needed to be compatible with
6008 	 * older userspace that treated a matchset with only the RSSI as the
6009 	 * global RSSI for all other matchsets - if there are other matchsets.
6010 	 */
6011 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
6012 		nla_for_each_nested(attr,
6013 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
6014 				    tmp) {
6015 			struct nlattr *rssi;
6016 
6017 			err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
6018 					nla_data(attr), nla_len(attr),
6019 					nl80211_match_policy);
6020 			if (err)
6021 				return ERR_PTR(err);
6022 			/* add other standalone attributes here */
6023 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID]) {
6024 				n_match_sets++;
6025 				continue;
6026 			}
6027 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
6028 			if (rssi)
6029 				default_match_rssi = nla_get_s32(rssi);
6030 		}
6031 	}
6032 
6033 	/* However, if there's no other matchset, add the RSSI one */
6034 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
6035 		n_match_sets = 1;
6036 
6037 	if (n_match_sets > wiphy->max_match_sets)
6038 		return ERR_PTR(-EINVAL);
6039 
6040 	if (attrs[NL80211_ATTR_IE])
6041 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
6042 	else
6043 		ie_len = 0;
6044 
6045 	if (ie_len > wiphy->max_sched_scan_ie_len)
6046 		return ERR_PTR(-EINVAL);
6047 
6048 	request = kzalloc(sizeof(*request)
6049 			+ sizeof(*request->ssids) * n_ssids
6050 			+ sizeof(*request->match_sets) * n_match_sets
6051 			+ sizeof(*request->channels) * n_channels
6052 			+ ie_len, GFP_KERNEL);
6053 	if (!request)
6054 		return ERR_PTR(-ENOMEM);
6055 
6056 	if (n_ssids)
6057 		request->ssids = (void *)&request->channels[n_channels];
6058 	request->n_ssids = n_ssids;
6059 	if (ie_len) {
6060 		if (n_ssids)
6061 			request->ie = (void *)(request->ssids + n_ssids);
6062 		else
6063 			request->ie = (void *)(request->channels + n_channels);
6064 	}
6065 
6066 	if (n_match_sets) {
6067 		if (request->ie)
6068 			request->match_sets = (void *)(request->ie + ie_len);
6069 		else if (n_ssids)
6070 			request->match_sets =
6071 				(void *)(request->ssids + n_ssids);
6072 		else
6073 			request->match_sets =
6074 				(void *)(request->channels + n_channels);
6075 	}
6076 	request->n_match_sets = n_match_sets;
6077 
6078 	i = 0;
6079 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
6080 		/* user specified, bail out if channel not found */
6081 		nla_for_each_nested(attr,
6082 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
6083 				    tmp) {
6084 			struct ieee80211_channel *chan;
6085 
6086 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
6087 
6088 			if (!chan) {
6089 				err = -EINVAL;
6090 				goto out_free;
6091 			}
6092 
6093 			/* ignore disabled channels */
6094 			if (chan->flags & IEEE80211_CHAN_DISABLED)
6095 				continue;
6096 
6097 			request->channels[i] = chan;
6098 			i++;
6099 		}
6100 	} else {
6101 		/* all channels */
6102 		for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
6103 			int j;
6104 			if (!wiphy->bands[band])
6105 				continue;
6106 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
6107 				struct ieee80211_channel *chan;
6108 
6109 				chan = &wiphy->bands[band]->channels[j];
6110 
6111 				if (chan->flags & IEEE80211_CHAN_DISABLED)
6112 					continue;
6113 
6114 				request->channels[i] = chan;
6115 				i++;
6116 			}
6117 		}
6118 	}
6119 
6120 	if (!i) {
6121 		err = -EINVAL;
6122 		goto out_free;
6123 	}
6124 
6125 	request->n_channels = i;
6126 
6127 	i = 0;
6128 	if (n_ssids) {
6129 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
6130 				    tmp) {
6131 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
6132 				err = -EINVAL;
6133 				goto out_free;
6134 			}
6135 			request->ssids[i].ssid_len = nla_len(attr);
6136 			memcpy(request->ssids[i].ssid, nla_data(attr),
6137 			       nla_len(attr));
6138 			i++;
6139 		}
6140 	}
6141 
6142 	i = 0;
6143 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
6144 		nla_for_each_nested(attr,
6145 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
6146 				    tmp) {
6147 			struct nlattr *ssid, *rssi;
6148 
6149 			err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
6150 					nla_data(attr), nla_len(attr),
6151 					nl80211_match_policy);
6152 			if (err)
6153 				goto out_free;
6154 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
6155 			if (ssid) {
6156 				if (WARN_ON(i >= n_match_sets)) {
6157 					/* this indicates a programming error,
6158 					 * the loop above should have verified
6159 					 * things properly
6160 					 */
6161 					err = -EINVAL;
6162 					goto out_free;
6163 				}
6164 
6165 				if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
6166 					err = -EINVAL;
6167 					goto out_free;
6168 				}
6169 				memcpy(request->match_sets[i].ssid.ssid,
6170 				       nla_data(ssid), nla_len(ssid));
6171 				request->match_sets[i].ssid.ssid_len =
6172 					nla_len(ssid);
6173 				/* special attribute - old implemenation w/a */
6174 				request->match_sets[i].rssi_thold =
6175 					default_match_rssi;
6176 				rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
6177 				if (rssi)
6178 					request->match_sets[i].rssi_thold =
6179 						nla_get_s32(rssi);
6180 			}
6181 			i++;
6182 		}
6183 
6184 		/* there was no other matchset, so the RSSI one is alone */
6185 		if (i == 0 && n_match_sets)
6186 			request->match_sets[0].rssi_thold = default_match_rssi;
6187 
6188 		request->min_rssi_thold = INT_MAX;
6189 		for (i = 0; i < n_match_sets; i++)
6190 			request->min_rssi_thold =
6191 				min(request->match_sets[i].rssi_thold,
6192 				    request->min_rssi_thold);
6193 	} else {
6194 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
6195 	}
6196 
6197 	if (ie_len) {
6198 		request->ie_len = ie_len;
6199 		memcpy((void *)request->ie,
6200 		       nla_data(attrs[NL80211_ATTR_IE]),
6201 		       request->ie_len);
6202 	}
6203 
6204 	if (attrs[NL80211_ATTR_SCAN_FLAGS]) {
6205 		request->flags = nla_get_u32(
6206 			attrs[NL80211_ATTR_SCAN_FLAGS]);
6207 		if ((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
6208 		    !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) {
6209 			err = -EOPNOTSUPP;
6210 			goto out_free;
6211 		}
6212 
6213 		if (request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
6214 			u32 flg = NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR;
6215 
6216 			if (!wdev) /* must be net-detect */
6217 				flg = NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
6218 
6219 			if (!(wiphy->features & flg)) {
6220 				err = -EOPNOTSUPP;
6221 				goto out_free;
6222 			}
6223 
6224 			if (wdev && wdev->current_bss) {
6225 				err = -EOPNOTSUPP;
6226 				goto out_free;
6227 			}
6228 
6229 			err = nl80211_parse_random_mac(attrs, request->mac_addr,
6230 						       request->mac_addr_mask);
6231 			if (err)
6232 				goto out_free;
6233 		}
6234 	}
6235 
6236 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
6237 		request->delay =
6238 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
6239 
6240 	request->interval = interval;
6241 	request->scan_start = jiffies;
6242 
6243 	return request;
6244 
6245 out_free:
6246 	kfree(request);
6247 	return ERR_PTR(err);
6248 }
6249 
6250 static int nl80211_start_sched_scan(struct sk_buff *skb,
6251 				    struct genl_info *info)
6252 {
6253 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6254 	struct net_device *dev = info->user_ptr[1];
6255 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6256 	struct cfg80211_sched_scan_request *sched_scan_req;
6257 	int err;
6258 
6259 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
6260 	    !rdev->ops->sched_scan_start)
6261 		return -EOPNOTSUPP;
6262 
6263 	if (rdev->sched_scan_req)
6264 		return -EINPROGRESS;
6265 
6266 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
6267 						  info->attrs);
6268 
6269 	err = PTR_ERR_OR_ZERO(sched_scan_req);
6270 	if (err)
6271 		goto out_err;
6272 
6273 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
6274 	if (err)
6275 		goto out_free;
6276 
6277 	sched_scan_req->dev = dev;
6278 	sched_scan_req->wiphy = &rdev->wiphy;
6279 
6280 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6281 		sched_scan_req->owner_nlportid = info->snd_portid;
6282 
6283 	rcu_assign_pointer(rdev->sched_scan_req, sched_scan_req);
6284 
6285 	nl80211_send_sched_scan(rdev, dev,
6286 				NL80211_CMD_START_SCHED_SCAN);
6287 	return 0;
6288 
6289 out_free:
6290 	kfree(sched_scan_req);
6291 out_err:
6292 	return err;
6293 }
6294 
6295 static int nl80211_stop_sched_scan(struct sk_buff *skb,
6296 				   struct genl_info *info)
6297 {
6298 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6299 
6300 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
6301 	    !rdev->ops->sched_scan_stop)
6302 		return -EOPNOTSUPP;
6303 
6304 	return __cfg80211_stop_sched_scan(rdev, false);
6305 }
6306 
6307 static int nl80211_start_radar_detection(struct sk_buff *skb,
6308 					 struct genl_info *info)
6309 {
6310 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6311 	struct net_device *dev = info->user_ptr[1];
6312 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6313 	struct cfg80211_chan_def chandef;
6314 	enum nl80211_dfs_regions dfs_region;
6315 	unsigned int cac_time_ms;
6316 	int err;
6317 
6318 	dfs_region = reg_get_dfs_region(wdev->wiphy);
6319 	if (dfs_region == NL80211_DFS_UNSET)
6320 		return -EINVAL;
6321 
6322 	err = nl80211_parse_chandef(rdev, info, &chandef);
6323 	if (err)
6324 		return err;
6325 
6326 	if (netif_carrier_ok(dev))
6327 		return -EBUSY;
6328 
6329 	if (wdev->cac_started)
6330 		return -EBUSY;
6331 
6332 	err = cfg80211_chandef_dfs_required(wdev->wiphy, &chandef,
6333 					    wdev->iftype);
6334 	if (err < 0)
6335 		return err;
6336 
6337 	if (err == 0)
6338 		return -EINVAL;
6339 
6340 	if (!cfg80211_chandef_dfs_usable(wdev->wiphy, &chandef))
6341 		return -EINVAL;
6342 
6343 	if (!rdev->ops->start_radar_detection)
6344 		return -EOPNOTSUPP;
6345 
6346 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
6347 	if (WARN_ON(!cac_time_ms))
6348 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
6349 
6350 	err = rdev->ops->start_radar_detection(&rdev->wiphy, dev, &chandef,
6351 					       cac_time_ms);
6352 	if (!err) {
6353 		wdev->chandef = chandef;
6354 		wdev->cac_started = true;
6355 		wdev->cac_start_time = jiffies;
6356 		wdev->cac_time_ms = cac_time_ms;
6357 	}
6358 	return err;
6359 }
6360 
6361 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
6362 {
6363 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6364 	struct net_device *dev = info->user_ptr[1];
6365 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6366 	struct cfg80211_csa_settings params;
6367 	/* csa_attrs is defined static to avoid waste of stack size - this
6368 	 * function is called under RTNL lock, so this should not be a problem.
6369 	 */
6370 	static struct nlattr *csa_attrs[NL80211_ATTR_MAX+1];
6371 	int err;
6372 	bool need_new_beacon = false;
6373 	int len, i;
6374 	u32 cs_count;
6375 
6376 	if (!rdev->ops->channel_switch ||
6377 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
6378 		return -EOPNOTSUPP;
6379 
6380 	switch (dev->ieee80211_ptr->iftype) {
6381 	case NL80211_IFTYPE_AP:
6382 	case NL80211_IFTYPE_P2P_GO:
6383 		need_new_beacon = true;
6384 
6385 		/* useless if AP is not running */
6386 		if (!wdev->beacon_interval)
6387 			return -ENOTCONN;
6388 		break;
6389 	case NL80211_IFTYPE_ADHOC:
6390 		if (!wdev->ssid_len)
6391 			return -ENOTCONN;
6392 		break;
6393 	case NL80211_IFTYPE_MESH_POINT:
6394 		if (!wdev->mesh_id_len)
6395 			return -ENOTCONN;
6396 		break;
6397 	default:
6398 		return -EOPNOTSUPP;
6399 	}
6400 
6401 	memset(&params, 0, sizeof(params));
6402 
6403 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
6404 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
6405 		return -EINVAL;
6406 
6407 	/* only important for AP, IBSS and mesh create IEs internally */
6408 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
6409 		return -EINVAL;
6410 
6411 	/* Even though the attribute is u32, the specification says
6412 	 * u8, so let's make sure we don't overflow.
6413 	 */
6414 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
6415 	if (cs_count > 255)
6416 		return -EINVAL;
6417 
6418 	params.count = cs_count;
6419 
6420 	if (!need_new_beacon)
6421 		goto skip_beacons;
6422 
6423 	err = nl80211_parse_beacon(info->attrs, &params.beacon_after);
6424 	if (err)
6425 		return err;
6426 
6427 	err = nla_parse_nested(csa_attrs, NL80211_ATTR_MAX,
6428 			       info->attrs[NL80211_ATTR_CSA_IES],
6429 			       nl80211_policy);
6430 	if (err)
6431 		return err;
6432 
6433 	err = nl80211_parse_beacon(csa_attrs, &params.beacon_csa);
6434 	if (err)
6435 		return err;
6436 
6437 	if (!csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON])
6438 		return -EINVAL;
6439 
6440 	len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
6441 	if (!len || (len % sizeof(u16)))
6442 		return -EINVAL;
6443 
6444 	params.n_counter_offsets_beacon = len / sizeof(u16);
6445 	if (rdev->wiphy.max_num_csa_counters &&
6446 	    (params.n_counter_offsets_beacon >
6447 	     rdev->wiphy.max_num_csa_counters))
6448 		return -EINVAL;
6449 
6450 	params.counter_offsets_beacon =
6451 		nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
6452 
6453 	/* sanity checks - counters should fit and be the same */
6454 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
6455 		u16 offset = params.counter_offsets_beacon[i];
6456 
6457 		if (offset >= params.beacon_csa.tail_len)
6458 			return -EINVAL;
6459 
6460 		if (params.beacon_csa.tail[offset] != params.count)
6461 			return -EINVAL;
6462 	}
6463 
6464 	if (csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]) {
6465 		len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
6466 		if (!len || (len % sizeof(u16)))
6467 			return -EINVAL;
6468 
6469 		params.n_counter_offsets_presp = len / sizeof(u16);
6470 		if (rdev->wiphy.max_num_csa_counters &&
6471 		    (params.n_counter_offsets_beacon >
6472 		     rdev->wiphy.max_num_csa_counters))
6473 			return -EINVAL;
6474 
6475 		params.counter_offsets_presp =
6476 			nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
6477 
6478 		/* sanity checks - counters should fit and be the same */
6479 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
6480 			u16 offset = params.counter_offsets_presp[i];
6481 
6482 			if (offset >= params.beacon_csa.probe_resp_len)
6483 				return -EINVAL;
6484 
6485 			if (params.beacon_csa.probe_resp[offset] !=
6486 			    params.count)
6487 				return -EINVAL;
6488 		}
6489 	}
6490 
6491 skip_beacons:
6492 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
6493 	if (err)
6494 		return err;
6495 
6496 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
6497 					   wdev->iftype))
6498 		return -EINVAL;
6499 
6500 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
6501 					    &params.chandef,
6502 					    wdev->iftype);
6503 	if (err < 0)
6504 		return err;
6505 
6506 	if (err > 0)
6507 		params.radar_required = true;
6508 
6509 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
6510 		params.block_tx = true;
6511 
6512 	wdev_lock(wdev);
6513 	err = rdev_channel_switch(rdev, dev, &params);
6514 	wdev_unlock(wdev);
6515 
6516 	return err;
6517 }
6518 
6519 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
6520 			    u32 seq, int flags,
6521 			    struct cfg80211_registered_device *rdev,
6522 			    struct wireless_dev *wdev,
6523 			    struct cfg80211_internal_bss *intbss)
6524 {
6525 	struct cfg80211_bss *res = &intbss->pub;
6526 	const struct cfg80211_bss_ies *ies;
6527 	void *hdr;
6528 	struct nlattr *bss;
6529 
6530 	ASSERT_WDEV_LOCK(wdev);
6531 
6532 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
6533 			     NL80211_CMD_NEW_SCAN_RESULTS);
6534 	if (!hdr)
6535 		return -1;
6536 
6537 	genl_dump_check_consistent(cb, hdr, &nl80211_fam);
6538 
6539 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
6540 		goto nla_put_failure;
6541 	if (wdev->netdev &&
6542 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
6543 		goto nla_put_failure;
6544 	if (nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
6545 		goto nla_put_failure;
6546 
6547 	bss = nla_nest_start(msg, NL80211_ATTR_BSS);
6548 	if (!bss)
6549 		goto nla_put_failure;
6550 	if ((!is_zero_ether_addr(res->bssid) &&
6551 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
6552 		goto nla_put_failure;
6553 
6554 	rcu_read_lock();
6555 	/* indicate whether we have probe response data or not */
6556 	if (rcu_access_pointer(res->proberesp_ies) &&
6557 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
6558 		goto fail_unlock_rcu;
6559 
6560 	/* this pointer prefers to be pointed to probe response data
6561 	 * but is always valid
6562 	 */
6563 	ies = rcu_dereference(res->ies);
6564 	if (ies) {
6565 		if (nla_put_u64(msg, NL80211_BSS_TSF, ies->tsf))
6566 			goto fail_unlock_rcu;
6567 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
6568 					ies->len, ies->data))
6569 			goto fail_unlock_rcu;
6570 	}
6571 
6572 	/* and this pointer is always (unless driver didn't know) beacon data */
6573 	ies = rcu_dereference(res->beacon_ies);
6574 	if (ies && ies->from_beacon) {
6575 		if (nla_put_u64(msg, NL80211_BSS_BEACON_TSF, ies->tsf))
6576 			goto fail_unlock_rcu;
6577 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
6578 					ies->len, ies->data))
6579 			goto fail_unlock_rcu;
6580 	}
6581 	rcu_read_unlock();
6582 
6583 	if (res->beacon_interval &&
6584 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
6585 		goto nla_put_failure;
6586 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
6587 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
6588 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
6589 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
6590 			jiffies_to_msecs(jiffies - intbss->ts)))
6591 		goto nla_put_failure;
6592 
6593 	switch (rdev->wiphy.signal_type) {
6594 	case CFG80211_SIGNAL_TYPE_MBM:
6595 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
6596 			goto nla_put_failure;
6597 		break;
6598 	case CFG80211_SIGNAL_TYPE_UNSPEC:
6599 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
6600 			goto nla_put_failure;
6601 		break;
6602 	default:
6603 		break;
6604 	}
6605 
6606 	switch (wdev->iftype) {
6607 	case NL80211_IFTYPE_P2P_CLIENT:
6608 	case NL80211_IFTYPE_STATION:
6609 		if (intbss == wdev->current_bss &&
6610 		    nla_put_u32(msg, NL80211_BSS_STATUS,
6611 				NL80211_BSS_STATUS_ASSOCIATED))
6612 			goto nla_put_failure;
6613 		break;
6614 	case NL80211_IFTYPE_ADHOC:
6615 		if (intbss == wdev->current_bss &&
6616 		    nla_put_u32(msg, NL80211_BSS_STATUS,
6617 				NL80211_BSS_STATUS_IBSS_JOINED))
6618 			goto nla_put_failure;
6619 		break;
6620 	default:
6621 		break;
6622 	}
6623 
6624 	nla_nest_end(msg, bss);
6625 
6626 	genlmsg_end(msg, hdr);
6627 	return 0;
6628 
6629  fail_unlock_rcu:
6630 	rcu_read_unlock();
6631  nla_put_failure:
6632 	genlmsg_cancel(msg, hdr);
6633 	return -EMSGSIZE;
6634 }
6635 
6636 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
6637 {
6638 	struct cfg80211_registered_device *rdev;
6639 	struct cfg80211_internal_bss *scan;
6640 	struct wireless_dev *wdev;
6641 	int start = cb->args[2], idx = 0;
6642 	int err;
6643 
6644 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
6645 	if (err)
6646 		return err;
6647 
6648 	wdev_lock(wdev);
6649 	spin_lock_bh(&rdev->bss_lock);
6650 	cfg80211_bss_expire(rdev);
6651 
6652 	cb->seq = rdev->bss_generation;
6653 
6654 	list_for_each_entry(scan, &rdev->bss_list, list) {
6655 		if (++idx <= start)
6656 			continue;
6657 		if (nl80211_send_bss(skb, cb,
6658 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6659 				rdev, wdev, scan) < 0) {
6660 			idx--;
6661 			break;
6662 		}
6663 	}
6664 
6665 	spin_unlock_bh(&rdev->bss_lock);
6666 	wdev_unlock(wdev);
6667 
6668 	cb->args[2] = idx;
6669 	nl80211_finish_wdev_dump(rdev);
6670 
6671 	return skb->len;
6672 }
6673 
6674 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
6675 			       int flags, struct net_device *dev,
6676 			       bool allow_radio_stats,
6677 			       struct survey_info *survey)
6678 {
6679 	void *hdr;
6680 	struct nlattr *infoattr;
6681 
6682 	/* skip radio stats if userspace didn't request them */
6683 	if (!survey->channel && !allow_radio_stats)
6684 		return 0;
6685 
6686 	hdr = nl80211hdr_put(msg, portid, seq, flags,
6687 			     NL80211_CMD_NEW_SURVEY_RESULTS);
6688 	if (!hdr)
6689 		return -ENOMEM;
6690 
6691 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
6692 		goto nla_put_failure;
6693 
6694 	infoattr = nla_nest_start(msg, NL80211_ATTR_SURVEY_INFO);
6695 	if (!infoattr)
6696 		goto nla_put_failure;
6697 
6698 	if (survey->channel &&
6699 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
6700 			survey->channel->center_freq))
6701 		goto nla_put_failure;
6702 
6703 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
6704 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
6705 		goto nla_put_failure;
6706 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
6707 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
6708 		goto nla_put_failure;
6709 	if ((survey->filled & SURVEY_INFO_TIME) &&
6710 	    nla_put_u64(msg, NL80211_SURVEY_INFO_TIME,
6711 			survey->time))
6712 		goto nla_put_failure;
6713 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
6714 	    nla_put_u64(msg, NL80211_SURVEY_INFO_TIME_BUSY,
6715 			survey->time_busy))
6716 		goto nla_put_failure;
6717 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
6718 	    nla_put_u64(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
6719 			survey->time_ext_busy))
6720 		goto nla_put_failure;
6721 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
6722 	    nla_put_u64(msg, NL80211_SURVEY_INFO_TIME_RX,
6723 			survey->time_rx))
6724 		goto nla_put_failure;
6725 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
6726 	    nla_put_u64(msg, NL80211_SURVEY_INFO_TIME_TX,
6727 			survey->time_tx))
6728 		goto nla_put_failure;
6729 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
6730 	    nla_put_u64(msg, NL80211_SURVEY_INFO_TIME_SCAN,
6731 			survey->time_scan))
6732 		goto nla_put_failure;
6733 
6734 	nla_nest_end(msg, infoattr);
6735 
6736 	genlmsg_end(msg, hdr);
6737 	return 0;
6738 
6739  nla_put_failure:
6740 	genlmsg_cancel(msg, hdr);
6741 	return -EMSGSIZE;
6742 }
6743 
6744 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
6745 {
6746 	struct survey_info survey;
6747 	struct cfg80211_registered_device *rdev;
6748 	struct wireless_dev *wdev;
6749 	int survey_idx = cb->args[2];
6750 	int res;
6751 	bool radio_stats;
6752 
6753 	res = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
6754 	if (res)
6755 		return res;
6756 
6757 	/* prepare_wdev_dump parsed the attributes */
6758 	radio_stats = nl80211_fam.attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
6759 
6760 	if (!wdev->netdev) {
6761 		res = -EINVAL;
6762 		goto out_err;
6763 	}
6764 
6765 	if (!rdev->ops->dump_survey) {
6766 		res = -EOPNOTSUPP;
6767 		goto out_err;
6768 	}
6769 
6770 	while (1) {
6771 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
6772 		if (res == -ENOENT)
6773 			break;
6774 		if (res)
6775 			goto out_err;
6776 
6777 		/* don't send disabled channels, but do send non-channel data */
6778 		if (survey.channel &&
6779 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
6780 			survey_idx++;
6781 			continue;
6782 		}
6783 
6784 		if (nl80211_send_survey(skb,
6785 				NETLINK_CB(cb->skb).portid,
6786 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6787 				wdev->netdev, radio_stats, &survey) < 0)
6788 			goto out;
6789 		survey_idx++;
6790 	}
6791 
6792  out:
6793 	cb->args[2] = survey_idx;
6794 	res = skb->len;
6795  out_err:
6796 	nl80211_finish_wdev_dump(rdev);
6797 	return res;
6798 }
6799 
6800 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
6801 {
6802 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
6803 				  NL80211_WPA_VERSION_2));
6804 }
6805 
6806 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
6807 {
6808 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6809 	struct net_device *dev = info->user_ptr[1];
6810 	struct ieee80211_channel *chan;
6811 	const u8 *bssid, *ssid, *ie = NULL, *sae_data = NULL;
6812 	int err, ssid_len, ie_len = 0, sae_data_len = 0;
6813 	enum nl80211_auth_type auth_type;
6814 	struct key_parse key;
6815 	bool local_state_change;
6816 
6817 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6818 		return -EINVAL;
6819 
6820 	if (!info->attrs[NL80211_ATTR_MAC])
6821 		return -EINVAL;
6822 
6823 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
6824 		return -EINVAL;
6825 
6826 	if (!info->attrs[NL80211_ATTR_SSID])
6827 		return -EINVAL;
6828 
6829 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
6830 		return -EINVAL;
6831 
6832 	err = nl80211_parse_key(info, &key);
6833 	if (err)
6834 		return err;
6835 
6836 	if (key.idx >= 0) {
6837 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
6838 			return -EINVAL;
6839 		if (!key.p.key || !key.p.key_len)
6840 			return -EINVAL;
6841 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
6842 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
6843 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
6844 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
6845 			return -EINVAL;
6846 		if (key.idx > 4)
6847 			return -EINVAL;
6848 	} else {
6849 		key.p.key_len = 0;
6850 		key.p.key = NULL;
6851 	}
6852 
6853 	if (key.idx >= 0) {
6854 		int i;
6855 		bool ok = false;
6856 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
6857 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
6858 				ok = true;
6859 				break;
6860 			}
6861 		}
6862 		if (!ok)
6863 			return -EINVAL;
6864 	}
6865 
6866 	if (!rdev->ops->auth)
6867 		return -EOPNOTSUPP;
6868 
6869 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
6870 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
6871 		return -EOPNOTSUPP;
6872 
6873 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
6874 	chan = nl80211_get_valid_chan(&rdev->wiphy,
6875 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
6876 	if (!chan)
6877 		return -EINVAL;
6878 
6879 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6880 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
6881 
6882 	if (info->attrs[NL80211_ATTR_IE]) {
6883 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
6884 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6885 	}
6886 
6887 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
6888 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
6889 		return -EINVAL;
6890 
6891 	if (auth_type == NL80211_AUTHTYPE_SAE &&
6892 	    !info->attrs[NL80211_ATTR_SAE_DATA])
6893 		return -EINVAL;
6894 
6895 	if (info->attrs[NL80211_ATTR_SAE_DATA]) {
6896 		if (auth_type != NL80211_AUTHTYPE_SAE)
6897 			return -EINVAL;
6898 		sae_data = nla_data(info->attrs[NL80211_ATTR_SAE_DATA]);
6899 		sae_data_len = nla_len(info->attrs[NL80211_ATTR_SAE_DATA]);
6900 		/* need to include at least Auth Transaction and Status Code */
6901 		if (sae_data_len < 4)
6902 			return -EINVAL;
6903 	}
6904 
6905 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
6906 
6907 	/*
6908 	 * Since we no longer track auth state, ignore
6909 	 * requests to only change local state.
6910 	 */
6911 	if (local_state_change)
6912 		return 0;
6913 
6914 	wdev_lock(dev->ieee80211_ptr);
6915 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
6916 				 ssid, ssid_len, ie, ie_len,
6917 				 key.p.key, key.p.key_len, key.idx,
6918 				 sae_data, sae_data_len);
6919 	wdev_unlock(dev->ieee80211_ptr);
6920 	return err;
6921 }
6922 
6923 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
6924 				   struct genl_info *info,
6925 				   struct cfg80211_crypto_settings *settings,
6926 				   int cipher_limit)
6927 {
6928 	memset(settings, 0, sizeof(*settings));
6929 
6930 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
6931 
6932 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
6933 		u16 proto;
6934 		proto = nla_get_u16(
6935 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
6936 		settings->control_port_ethertype = cpu_to_be16(proto);
6937 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
6938 		    proto != ETH_P_PAE)
6939 			return -EINVAL;
6940 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
6941 			settings->control_port_no_encrypt = true;
6942 	} else
6943 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
6944 
6945 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
6946 		void *data;
6947 		int len, i;
6948 
6949 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
6950 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
6951 		settings->n_ciphers_pairwise = len / sizeof(u32);
6952 
6953 		if (len % sizeof(u32))
6954 			return -EINVAL;
6955 
6956 		if (settings->n_ciphers_pairwise > cipher_limit)
6957 			return -EINVAL;
6958 
6959 		memcpy(settings->ciphers_pairwise, data, len);
6960 
6961 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
6962 			if (!cfg80211_supported_cipher_suite(
6963 					&rdev->wiphy,
6964 					settings->ciphers_pairwise[i]))
6965 				return -EINVAL;
6966 	}
6967 
6968 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
6969 		settings->cipher_group =
6970 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
6971 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
6972 						     settings->cipher_group))
6973 			return -EINVAL;
6974 	}
6975 
6976 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
6977 		settings->wpa_versions =
6978 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
6979 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
6980 			return -EINVAL;
6981 	}
6982 
6983 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
6984 		void *data;
6985 		int len;
6986 
6987 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
6988 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
6989 		settings->n_akm_suites = len / sizeof(u32);
6990 
6991 		if (len % sizeof(u32))
6992 			return -EINVAL;
6993 
6994 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
6995 			return -EINVAL;
6996 
6997 		memcpy(settings->akm_suites, data, len);
6998 	}
6999 
7000 	return 0;
7001 }
7002 
7003 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
7004 {
7005 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7006 	struct net_device *dev = info->user_ptr[1];
7007 	struct ieee80211_channel *chan;
7008 	struct cfg80211_assoc_request req = {};
7009 	const u8 *bssid, *ssid;
7010 	int err, ssid_len = 0;
7011 
7012 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7013 		return -EINVAL;
7014 
7015 	if (!info->attrs[NL80211_ATTR_MAC] ||
7016 	    !info->attrs[NL80211_ATTR_SSID] ||
7017 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
7018 		return -EINVAL;
7019 
7020 	if (!rdev->ops->assoc)
7021 		return -EOPNOTSUPP;
7022 
7023 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7024 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7025 		return -EOPNOTSUPP;
7026 
7027 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7028 
7029 	chan = nl80211_get_valid_chan(&rdev->wiphy,
7030 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
7031 	if (!chan)
7032 		return -EINVAL;
7033 
7034 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
7035 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
7036 
7037 	if (info->attrs[NL80211_ATTR_IE]) {
7038 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7039 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7040 	}
7041 
7042 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
7043 		enum nl80211_mfp mfp =
7044 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
7045 		if (mfp == NL80211_MFP_REQUIRED)
7046 			req.use_mfp = true;
7047 		else if (mfp != NL80211_MFP_NO)
7048 			return -EINVAL;
7049 	}
7050 
7051 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
7052 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
7053 
7054 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
7055 		req.flags |= ASSOC_REQ_DISABLE_HT;
7056 
7057 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7058 		memcpy(&req.ht_capa_mask,
7059 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
7060 		       sizeof(req.ht_capa_mask));
7061 
7062 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
7063 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7064 			return -EINVAL;
7065 		memcpy(&req.ht_capa,
7066 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
7067 		       sizeof(req.ht_capa));
7068 	}
7069 
7070 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
7071 		req.flags |= ASSOC_REQ_DISABLE_VHT;
7072 
7073 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
7074 		memcpy(&req.vht_capa_mask,
7075 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
7076 		       sizeof(req.vht_capa_mask));
7077 
7078 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
7079 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
7080 			return -EINVAL;
7081 		memcpy(&req.vht_capa,
7082 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
7083 		       sizeof(req.vht_capa));
7084 	}
7085 
7086 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
7087 		if (!(rdev->wiphy.features &
7088 		      NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) ||
7089 		    !(rdev->wiphy.features & NL80211_FEATURE_QUIET))
7090 			return -EINVAL;
7091 		req.flags |= ASSOC_REQ_USE_RRM;
7092 	}
7093 
7094 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
7095 	if (!err) {
7096 		wdev_lock(dev->ieee80211_ptr);
7097 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
7098 					  ssid, ssid_len, &req);
7099 		wdev_unlock(dev->ieee80211_ptr);
7100 	}
7101 
7102 	return err;
7103 }
7104 
7105 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
7106 {
7107 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7108 	struct net_device *dev = info->user_ptr[1];
7109 	const u8 *ie = NULL, *bssid;
7110 	int ie_len = 0, err;
7111 	u16 reason_code;
7112 	bool local_state_change;
7113 
7114 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7115 		return -EINVAL;
7116 
7117 	if (!info->attrs[NL80211_ATTR_MAC])
7118 		return -EINVAL;
7119 
7120 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
7121 		return -EINVAL;
7122 
7123 	if (!rdev->ops->deauth)
7124 		return -EOPNOTSUPP;
7125 
7126 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7127 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7128 		return -EOPNOTSUPP;
7129 
7130 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7131 
7132 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7133 	if (reason_code == 0) {
7134 		/* Reason Code 0 is reserved */
7135 		return -EINVAL;
7136 	}
7137 
7138 	if (info->attrs[NL80211_ATTR_IE]) {
7139 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7140 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7141 	}
7142 
7143 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
7144 
7145 	wdev_lock(dev->ieee80211_ptr);
7146 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
7147 				   local_state_change);
7148 	wdev_unlock(dev->ieee80211_ptr);
7149 	return err;
7150 }
7151 
7152 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
7153 {
7154 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7155 	struct net_device *dev = info->user_ptr[1];
7156 	const u8 *ie = NULL, *bssid;
7157 	int ie_len = 0, err;
7158 	u16 reason_code;
7159 	bool local_state_change;
7160 
7161 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7162 		return -EINVAL;
7163 
7164 	if (!info->attrs[NL80211_ATTR_MAC])
7165 		return -EINVAL;
7166 
7167 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
7168 		return -EINVAL;
7169 
7170 	if (!rdev->ops->disassoc)
7171 		return -EOPNOTSUPP;
7172 
7173 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7174 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7175 		return -EOPNOTSUPP;
7176 
7177 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7178 
7179 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7180 	if (reason_code == 0) {
7181 		/* Reason Code 0 is reserved */
7182 		return -EINVAL;
7183 	}
7184 
7185 	if (info->attrs[NL80211_ATTR_IE]) {
7186 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7187 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7188 	}
7189 
7190 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
7191 
7192 	wdev_lock(dev->ieee80211_ptr);
7193 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
7194 				     local_state_change);
7195 	wdev_unlock(dev->ieee80211_ptr);
7196 	return err;
7197 }
7198 
7199 static bool
7200 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
7201 			 int mcast_rate[IEEE80211_NUM_BANDS],
7202 			 int rateval)
7203 {
7204 	struct wiphy *wiphy = &rdev->wiphy;
7205 	bool found = false;
7206 	int band, i;
7207 
7208 	for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
7209 		struct ieee80211_supported_band *sband;
7210 
7211 		sband = wiphy->bands[band];
7212 		if (!sband)
7213 			continue;
7214 
7215 		for (i = 0; i < sband->n_bitrates; i++) {
7216 			if (sband->bitrates[i].bitrate == rateval) {
7217 				mcast_rate[band] = i + 1;
7218 				found = true;
7219 				break;
7220 			}
7221 		}
7222 	}
7223 
7224 	return found;
7225 }
7226 
7227 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
7228 {
7229 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7230 	struct net_device *dev = info->user_ptr[1];
7231 	struct cfg80211_ibss_params ibss;
7232 	struct wiphy *wiphy;
7233 	struct cfg80211_cached_keys *connkeys = NULL;
7234 	int err;
7235 
7236 	memset(&ibss, 0, sizeof(ibss));
7237 
7238 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7239 		return -EINVAL;
7240 
7241 	if (!info->attrs[NL80211_ATTR_SSID] ||
7242 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
7243 		return -EINVAL;
7244 
7245 	ibss.beacon_interval = 100;
7246 
7247 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
7248 		ibss.beacon_interval =
7249 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
7250 		if (ibss.beacon_interval < 1 || ibss.beacon_interval > 10000)
7251 			return -EINVAL;
7252 	}
7253 
7254 	if (!rdev->ops->join_ibss)
7255 		return -EOPNOTSUPP;
7256 
7257 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
7258 		return -EOPNOTSUPP;
7259 
7260 	wiphy = &rdev->wiphy;
7261 
7262 	if (info->attrs[NL80211_ATTR_MAC]) {
7263 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7264 
7265 		if (!is_valid_ether_addr(ibss.bssid))
7266 			return -EINVAL;
7267 	}
7268 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
7269 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
7270 
7271 	if (info->attrs[NL80211_ATTR_IE]) {
7272 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7273 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7274 	}
7275 
7276 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
7277 	if (err)
7278 		return err;
7279 
7280 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
7281 				     NL80211_IFTYPE_ADHOC))
7282 		return -EINVAL;
7283 
7284 	switch (ibss.chandef.width) {
7285 	case NL80211_CHAN_WIDTH_5:
7286 	case NL80211_CHAN_WIDTH_10:
7287 	case NL80211_CHAN_WIDTH_20_NOHT:
7288 		break;
7289 	case NL80211_CHAN_WIDTH_20:
7290 	case NL80211_CHAN_WIDTH_40:
7291 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
7292 			return -EINVAL;
7293 		break;
7294 	case NL80211_CHAN_WIDTH_80:
7295 	case NL80211_CHAN_WIDTH_80P80:
7296 	case NL80211_CHAN_WIDTH_160:
7297 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
7298 			return -EINVAL;
7299 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
7300 					     NL80211_EXT_FEATURE_VHT_IBSS))
7301 			return -EINVAL;
7302 		break;
7303 	default:
7304 		return -EINVAL;
7305 	}
7306 
7307 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
7308 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
7309 
7310 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
7311 		u8 *rates =
7312 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7313 		int n_rates =
7314 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7315 		struct ieee80211_supported_band *sband =
7316 			wiphy->bands[ibss.chandef.chan->band];
7317 
7318 		err = ieee80211_get_ratemask(sband, rates, n_rates,
7319 					     &ibss.basic_rates);
7320 		if (err)
7321 			return err;
7322 	}
7323 
7324 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7325 		memcpy(&ibss.ht_capa_mask,
7326 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
7327 		       sizeof(ibss.ht_capa_mask));
7328 
7329 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
7330 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7331 			return -EINVAL;
7332 		memcpy(&ibss.ht_capa,
7333 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
7334 		       sizeof(ibss.ht_capa));
7335 	}
7336 
7337 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
7338 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
7339 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
7340 		return -EINVAL;
7341 
7342 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
7343 		bool no_ht = false;
7344 
7345 		connkeys = nl80211_parse_connkeys(rdev,
7346 					  info->attrs[NL80211_ATTR_KEYS],
7347 					  &no_ht);
7348 		if (IS_ERR(connkeys))
7349 			return PTR_ERR(connkeys);
7350 
7351 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
7352 		    no_ht) {
7353 			kfree(connkeys);
7354 			return -EINVAL;
7355 		}
7356 	}
7357 
7358 	ibss.control_port =
7359 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
7360 
7361 	ibss.userspace_handles_dfs =
7362 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
7363 
7364 	err = cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
7365 	if (err)
7366 		kzfree(connkeys);
7367 	return err;
7368 }
7369 
7370 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
7371 {
7372 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7373 	struct net_device *dev = info->user_ptr[1];
7374 
7375 	if (!rdev->ops->leave_ibss)
7376 		return -EOPNOTSUPP;
7377 
7378 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
7379 		return -EOPNOTSUPP;
7380 
7381 	return cfg80211_leave_ibss(rdev, dev, false);
7382 }
7383 
7384 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
7385 {
7386 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7387 	struct net_device *dev = info->user_ptr[1];
7388 	int mcast_rate[IEEE80211_NUM_BANDS];
7389 	u32 nla_rate;
7390 	int err;
7391 
7392 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
7393 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7394 		return -EOPNOTSUPP;
7395 
7396 	if (!rdev->ops->set_mcast_rate)
7397 		return -EOPNOTSUPP;
7398 
7399 	memset(mcast_rate, 0, sizeof(mcast_rate));
7400 
7401 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
7402 		return -EINVAL;
7403 
7404 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
7405 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
7406 		return -EINVAL;
7407 
7408 	err = rdev->ops->set_mcast_rate(&rdev->wiphy, dev, mcast_rate);
7409 
7410 	return err;
7411 }
7412 
7413 static struct sk_buff *
7414 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
7415 			    struct wireless_dev *wdev, int approxlen,
7416 			    u32 portid, u32 seq, enum nl80211_commands cmd,
7417 			    enum nl80211_attrs attr,
7418 			    const struct nl80211_vendor_cmd_info *info,
7419 			    gfp_t gfp)
7420 {
7421 	struct sk_buff *skb;
7422 	void *hdr;
7423 	struct nlattr *data;
7424 
7425 	skb = nlmsg_new(approxlen + 100, gfp);
7426 	if (!skb)
7427 		return NULL;
7428 
7429 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
7430 	if (!hdr) {
7431 		kfree_skb(skb);
7432 		return NULL;
7433 	}
7434 
7435 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
7436 		goto nla_put_failure;
7437 
7438 	if (info) {
7439 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
7440 				info->vendor_id))
7441 			goto nla_put_failure;
7442 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
7443 				info->subcmd))
7444 			goto nla_put_failure;
7445 	}
7446 
7447 	if (wdev) {
7448 		if (nla_put_u64(skb, NL80211_ATTR_WDEV,
7449 				wdev_id(wdev)))
7450 			goto nla_put_failure;
7451 		if (wdev->netdev &&
7452 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
7453 				wdev->netdev->ifindex))
7454 			goto nla_put_failure;
7455 	}
7456 
7457 	data = nla_nest_start(skb, attr);
7458 
7459 	((void **)skb->cb)[0] = rdev;
7460 	((void **)skb->cb)[1] = hdr;
7461 	((void **)skb->cb)[2] = data;
7462 
7463 	return skb;
7464 
7465  nla_put_failure:
7466 	kfree_skb(skb);
7467 	return NULL;
7468 }
7469 
7470 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
7471 					   struct wireless_dev *wdev,
7472 					   enum nl80211_commands cmd,
7473 					   enum nl80211_attrs attr,
7474 					   int vendor_event_idx,
7475 					   int approxlen, gfp_t gfp)
7476 {
7477 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
7478 	const struct nl80211_vendor_cmd_info *info;
7479 
7480 	switch (cmd) {
7481 	case NL80211_CMD_TESTMODE:
7482 		if (WARN_ON(vendor_event_idx != -1))
7483 			return NULL;
7484 		info = NULL;
7485 		break;
7486 	case NL80211_CMD_VENDOR:
7487 		if (WARN_ON(vendor_event_idx < 0 ||
7488 			    vendor_event_idx >= wiphy->n_vendor_events))
7489 			return NULL;
7490 		info = &wiphy->vendor_events[vendor_event_idx];
7491 		break;
7492 	default:
7493 		WARN_ON(1);
7494 		return NULL;
7495 	}
7496 
7497 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, 0, 0,
7498 					   cmd, attr, info, gfp);
7499 }
7500 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
7501 
7502 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
7503 {
7504 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
7505 	void *hdr = ((void **)skb->cb)[1];
7506 	struct nlattr *data = ((void **)skb->cb)[2];
7507 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
7508 
7509 	/* clear CB data for netlink core to own from now on */
7510 	memset(skb->cb, 0, sizeof(skb->cb));
7511 
7512 	nla_nest_end(skb, data);
7513 	genlmsg_end(skb, hdr);
7514 
7515 	if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
7516 		mcgrp = NL80211_MCGRP_VENDOR;
7517 
7518 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), skb, 0,
7519 				mcgrp, gfp);
7520 }
7521 EXPORT_SYMBOL(__cfg80211_send_event_skb);
7522 
7523 #ifdef CONFIG_NL80211_TESTMODE
7524 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
7525 {
7526 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7527 	struct wireless_dev *wdev =
7528 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
7529 	int err;
7530 
7531 	if (!rdev->ops->testmode_cmd)
7532 		return -EOPNOTSUPP;
7533 
7534 	if (IS_ERR(wdev)) {
7535 		err = PTR_ERR(wdev);
7536 		if (err != -EINVAL)
7537 			return err;
7538 		wdev = NULL;
7539 	} else if (wdev->wiphy != &rdev->wiphy) {
7540 		return -EINVAL;
7541 	}
7542 
7543 	if (!info->attrs[NL80211_ATTR_TESTDATA])
7544 		return -EINVAL;
7545 
7546 	rdev->cur_cmd_info = info;
7547 	err = rdev_testmode_cmd(rdev, wdev,
7548 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
7549 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
7550 	rdev->cur_cmd_info = NULL;
7551 
7552 	return err;
7553 }
7554 
7555 static int nl80211_testmode_dump(struct sk_buff *skb,
7556 				 struct netlink_callback *cb)
7557 {
7558 	struct cfg80211_registered_device *rdev;
7559 	int err;
7560 	long phy_idx;
7561 	void *data = NULL;
7562 	int data_len = 0;
7563 
7564 	rtnl_lock();
7565 
7566 	if (cb->args[0]) {
7567 		/*
7568 		 * 0 is a valid index, but not valid for args[0],
7569 		 * so we need to offset by 1.
7570 		 */
7571 		phy_idx = cb->args[0] - 1;
7572 	} else {
7573 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
7574 				  nl80211_fam.attrbuf, nl80211_fam.maxattr,
7575 				  nl80211_policy);
7576 		if (err)
7577 			goto out_err;
7578 
7579 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk),
7580 						  nl80211_fam.attrbuf);
7581 		if (IS_ERR(rdev)) {
7582 			err = PTR_ERR(rdev);
7583 			goto out_err;
7584 		}
7585 		phy_idx = rdev->wiphy_idx;
7586 		rdev = NULL;
7587 
7588 		if (nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA])
7589 			cb->args[1] =
7590 				(long)nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA];
7591 	}
7592 
7593 	if (cb->args[1]) {
7594 		data = nla_data((void *)cb->args[1]);
7595 		data_len = nla_len((void *)cb->args[1]);
7596 	}
7597 
7598 	rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
7599 	if (!rdev) {
7600 		err = -ENOENT;
7601 		goto out_err;
7602 	}
7603 
7604 	if (!rdev->ops->testmode_dump) {
7605 		err = -EOPNOTSUPP;
7606 		goto out_err;
7607 	}
7608 
7609 	while (1) {
7610 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
7611 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
7612 					   NL80211_CMD_TESTMODE);
7613 		struct nlattr *tmdata;
7614 
7615 		if (!hdr)
7616 			break;
7617 
7618 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
7619 			genlmsg_cancel(skb, hdr);
7620 			break;
7621 		}
7622 
7623 		tmdata = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
7624 		if (!tmdata) {
7625 			genlmsg_cancel(skb, hdr);
7626 			break;
7627 		}
7628 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
7629 		nla_nest_end(skb, tmdata);
7630 
7631 		if (err == -ENOBUFS || err == -ENOENT) {
7632 			genlmsg_cancel(skb, hdr);
7633 			break;
7634 		} else if (err) {
7635 			genlmsg_cancel(skb, hdr);
7636 			goto out_err;
7637 		}
7638 
7639 		genlmsg_end(skb, hdr);
7640 	}
7641 
7642 	err = skb->len;
7643 	/* see above */
7644 	cb->args[0] = phy_idx + 1;
7645  out_err:
7646 	rtnl_unlock();
7647 	return err;
7648 }
7649 #endif
7650 
7651 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
7652 {
7653 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7654 	struct net_device *dev = info->user_ptr[1];
7655 	struct cfg80211_connect_params connect;
7656 	struct wiphy *wiphy;
7657 	struct cfg80211_cached_keys *connkeys = NULL;
7658 	int err;
7659 
7660 	memset(&connect, 0, sizeof(connect));
7661 
7662 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7663 		return -EINVAL;
7664 
7665 	if (!info->attrs[NL80211_ATTR_SSID] ||
7666 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
7667 		return -EINVAL;
7668 
7669 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
7670 		connect.auth_type =
7671 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
7672 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
7673 					     NL80211_CMD_CONNECT))
7674 			return -EINVAL;
7675 	} else
7676 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
7677 
7678 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
7679 
7680 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
7681 				      NL80211_MAX_NR_CIPHER_SUITES);
7682 	if (err)
7683 		return err;
7684 
7685 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7686 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7687 		return -EOPNOTSUPP;
7688 
7689 	wiphy = &rdev->wiphy;
7690 
7691 	connect.bg_scan_period = -1;
7692 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
7693 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
7694 		connect.bg_scan_period =
7695 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
7696 	}
7697 
7698 	if (info->attrs[NL80211_ATTR_MAC])
7699 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7700 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
7701 		connect.bssid_hint =
7702 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
7703 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
7704 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
7705 
7706 	if (info->attrs[NL80211_ATTR_IE]) {
7707 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7708 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7709 	}
7710 
7711 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
7712 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
7713 		if (connect.mfp != NL80211_MFP_REQUIRED &&
7714 		    connect.mfp != NL80211_MFP_NO)
7715 			return -EINVAL;
7716 	} else {
7717 		connect.mfp = NL80211_MFP_NO;
7718 	}
7719 
7720 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
7721 		connect.channel = nl80211_get_valid_chan(
7722 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ]);
7723 		if (!connect.channel)
7724 			return -EINVAL;
7725 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
7726 		connect.channel_hint = nl80211_get_valid_chan(
7727 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
7728 		if (!connect.channel_hint)
7729 			return -EINVAL;
7730 	}
7731 
7732 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
7733 		connkeys = nl80211_parse_connkeys(rdev,
7734 					  info->attrs[NL80211_ATTR_KEYS], NULL);
7735 		if (IS_ERR(connkeys))
7736 			return PTR_ERR(connkeys);
7737 	}
7738 
7739 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
7740 		connect.flags |= ASSOC_REQ_DISABLE_HT;
7741 
7742 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7743 		memcpy(&connect.ht_capa_mask,
7744 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
7745 		       sizeof(connect.ht_capa_mask));
7746 
7747 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
7748 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
7749 			kzfree(connkeys);
7750 			return -EINVAL;
7751 		}
7752 		memcpy(&connect.ht_capa,
7753 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
7754 		       sizeof(connect.ht_capa));
7755 	}
7756 
7757 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
7758 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
7759 
7760 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
7761 		memcpy(&connect.vht_capa_mask,
7762 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
7763 		       sizeof(connect.vht_capa_mask));
7764 
7765 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
7766 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
7767 			kzfree(connkeys);
7768 			return -EINVAL;
7769 		}
7770 		memcpy(&connect.vht_capa,
7771 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
7772 		       sizeof(connect.vht_capa));
7773 	}
7774 
7775 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
7776 		if (!(rdev->wiphy.features &
7777 		      NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) ||
7778 		    !(rdev->wiphy.features & NL80211_FEATURE_QUIET))
7779 			return -EINVAL;
7780 		connect.flags |= ASSOC_REQ_USE_RRM;
7781 	}
7782 
7783 	wdev_lock(dev->ieee80211_ptr);
7784 	err = cfg80211_connect(rdev, dev, &connect, connkeys, NULL);
7785 	wdev_unlock(dev->ieee80211_ptr);
7786 	if (err)
7787 		kzfree(connkeys);
7788 	return err;
7789 }
7790 
7791 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
7792 {
7793 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7794 	struct net_device *dev = info->user_ptr[1];
7795 	u16 reason;
7796 	int ret;
7797 
7798 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
7799 		reason = WLAN_REASON_DEAUTH_LEAVING;
7800 	else
7801 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7802 
7803 	if (reason == 0)
7804 		return -EINVAL;
7805 
7806 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7807 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7808 		return -EOPNOTSUPP;
7809 
7810 	wdev_lock(dev->ieee80211_ptr);
7811 	ret = cfg80211_disconnect(rdev, dev, reason, true);
7812 	wdev_unlock(dev->ieee80211_ptr);
7813 	return ret;
7814 }
7815 
7816 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
7817 {
7818 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7819 	struct net *net;
7820 	int err;
7821 
7822 	if (info->attrs[NL80211_ATTR_PID]) {
7823 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
7824 
7825 		net = get_net_ns_by_pid(pid);
7826 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
7827 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
7828 
7829 		net = get_net_ns_by_fd(fd);
7830 	} else {
7831 		return -EINVAL;
7832 	}
7833 
7834 	if (IS_ERR(net))
7835 		return PTR_ERR(net);
7836 
7837 	err = 0;
7838 
7839 	/* check if anything to do */
7840 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
7841 		err = cfg80211_switch_netns(rdev, net);
7842 
7843 	put_net(net);
7844 	return err;
7845 }
7846 
7847 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
7848 {
7849 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7850 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
7851 			struct cfg80211_pmksa *pmksa) = NULL;
7852 	struct net_device *dev = info->user_ptr[1];
7853 	struct cfg80211_pmksa pmksa;
7854 
7855 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
7856 
7857 	if (!info->attrs[NL80211_ATTR_MAC])
7858 		return -EINVAL;
7859 
7860 	if (!info->attrs[NL80211_ATTR_PMKID])
7861 		return -EINVAL;
7862 
7863 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
7864 	pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7865 
7866 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7867 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7868 		return -EOPNOTSUPP;
7869 
7870 	switch (info->genlhdr->cmd) {
7871 	case NL80211_CMD_SET_PMKSA:
7872 		rdev_ops = rdev->ops->set_pmksa;
7873 		break;
7874 	case NL80211_CMD_DEL_PMKSA:
7875 		rdev_ops = rdev->ops->del_pmksa;
7876 		break;
7877 	default:
7878 		WARN_ON(1);
7879 		break;
7880 	}
7881 
7882 	if (!rdev_ops)
7883 		return -EOPNOTSUPP;
7884 
7885 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
7886 }
7887 
7888 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
7889 {
7890 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7891 	struct net_device *dev = info->user_ptr[1];
7892 
7893 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7894 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7895 		return -EOPNOTSUPP;
7896 
7897 	if (!rdev->ops->flush_pmksa)
7898 		return -EOPNOTSUPP;
7899 
7900 	return rdev_flush_pmksa(rdev, dev);
7901 }
7902 
7903 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
7904 {
7905 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7906 	struct net_device *dev = info->user_ptr[1];
7907 	u8 action_code, dialog_token;
7908 	u32 peer_capability = 0;
7909 	u16 status_code;
7910 	u8 *peer;
7911 	bool initiator;
7912 
7913 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
7914 	    !rdev->ops->tdls_mgmt)
7915 		return -EOPNOTSUPP;
7916 
7917 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
7918 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
7919 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
7920 	    !info->attrs[NL80211_ATTR_IE] ||
7921 	    !info->attrs[NL80211_ATTR_MAC])
7922 		return -EINVAL;
7923 
7924 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
7925 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
7926 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
7927 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
7928 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
7929 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
7930 		peer_capability =
7931 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
7932 
7933 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
7934 			      dialog_token, status_code, peer_capability,
7935 			      initiator,
7936 			      nla_data(info->attrs[NL80211_ATTR_IE]),
7937 			      nla_len(info->attrs[NL80211_ATTR_IE]));
7938 }
7939 
7940 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
7941 {
7942 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7943 	struct net_device *dev = info->user_ptr[1];
7944 	enum nl80211_tdls_operation operation;
7945 	u8 *peer;
7946 
7947 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
7948 	    !rdev->ops->tdls_oper)
7949 		return -EOPNOTSUPP;
7950 
7951 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
7952 	    !info->attrs[NL80211_ATTR_MAC])
7953 		return -EINVAL;
7954 
7955 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
7956 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
7957 
7958 	return rdev_tdls_oper(rdev, dev, peer, operation);
7959 }
7960 
7961 static int nl80211_remain_on_channel(struct sk_buff *skb,
7962 				     struct genl_info *info)
7963 {
7964 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7965 	struct wireless_dev *wdev = info->user_ptr[1];
7966 	struct cfg80211_chan_def chandef;
7967 	struct sk_buff *msg;
7968 	void *hdr;
7969 	u64 cookie;
7970 	u32 duration;
7971 	int err;
7972 
7973 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
7974 	    !info->attrs[NL80211_ATTR_DURATION])
7975 		return -EINVAL;
7976 
7977 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
7978 
7979 	if (!rdev->ops->remain_on_channel ||
7980 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
7981 		return -EOPNOTSUPP;
7982 
7983 	/*
7984 	 * We should be on that channel for at least a minimum amount of
7985 	 * time (10ms) but no longer than the driver supports.
7986 	 */
7987 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
7988 	    duration > rdev->wiphy.max_remain_on_channel_duration)
7989 		return -EINVAL;
7990 
7991 	err = nl80211_parse_chandef(rdev, info, &chandef);
7992 	if (err)
7993 		return err;
7994 
7995 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7996 	if (!msg)
7997 		return -ENOMEM;
7998 
7999 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8000 			     NL80211_CMD_REMAIN_ON_CHANNEL);
8001 	if (!hdr) {
8002 		err = -ENOBUFS;
8003 		goto free_msg;
8004 	}
8005 
8006 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
8007 				     duration, &cookie);
8008 
8009 	if (err)
8010 		goto free_msg;
8011 
8012 	if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
8013 		goto nla_put_failure;
8014 
8015 	genlmsg_end(msg, hdr);
8016 
8017 	return genlmsg_reply(msg, info);
8018 
8019  nla_put_failure:
8020 	err = -ENOBUFS;
8021  free_msg:
8022 	nlmsg_free(msg);
8023 	return err;
8024 }
8025 
8026 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
8027 					    struct genl_info *info)
8028 {
8029 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8030 	struct wireless_dev *wdev = info->user_ptr[1];
8031 	u64 cookie;
8032 
8033 	if (!info->attrs[NL80211_ATTR_COOKIE])
8034 		return -EINVAL;
8035 
8036 	if (!rdev->ops->cancel_remain_on_channel)
8037 		return -EOPNOTSUPP;
8038 
8039 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
8040 
8041 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
8042 }
8043 
8044 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
8045 			   u8 *rates, u8 rates_len)
8046 {
8047 	u8 i;
8048 	u32 mask = 0;
8049 
8050 	for (i = 0; i < rates_len; i++) {
8051 		int rate = (rates[i] & 0x7f) * 5;
8052 		int ridx;
8053 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
8054 			struct ieee80211_rate *srate =
8055 				&sband->bitrates[ridx];
8056 			if (rate == srate->bitrate) {
8057 				mask |= 1 << ridx;
8058 				break;
8059 			}
8060 		}
8061 		if (ridx == sband->n_bitrates)
8062 			return 0; /* rate not found */
8063 	}
8064 
8065 	return mask;
8066 }
8067 
8068 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
8069 			       u8 *rates, u8 rates_len,
8070 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
8071 {
8072 	u8 i;
8073 
8074 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
8075 
8076 	for (i = 0; i < rates_len; i++) {
8077 		int ridx, rbit;
8078 
8079 		ridx = rates[i] / 8;
8080 		rbit = BIT(rates[i] % 8);
8081 
8082 		/* check validity */
8083 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
8084 			return false;
8085 
8086 		/* check availability */
8087 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
8088 			mcs[ridx] |= rbit;
8089 		else
8090 			return false;
8091 	}
8092 
8093 	return true;
8094 }
8095 
8096 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
8097 {
8098 	u16 mcs_mask = 0;
8099 
8100 	switch (vht_mcs_map) {
8101 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
8102 		break;
8103 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
8104 		mcs_mask = 0x00FF;
8105 		break;
8106 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
8107 		mcs_mask = 0x01FF;
8108 		break;
8109 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
8110 		mcs_mask = 0x03FF;
8111 		break;
8112 	default:
8113 		break;
8114 	}
8115 
8116 	return mcs_mask;
8117 }
8118 
8119 static void vht_build_mcs_mask(u16 vht_mcs_map,
8120 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
8121 {
8122 	u8 nss;
8123 
8124 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
8125 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
8126 		vht_mcs_map >>= 2;
8127 	}
8128 }
8129 
8130 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
8131 			     struct nl80211_txrate_vht *txrate,
8132 			     u16 mcs[NL80211_VHT_NSS_MAX])
8133 {
8134 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
8135 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
8136 	u8 i;
8137 
8138 	if (!sband->vht_cap.vht_supported)
8139 		return false;
8140 
8141 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
8142 
8143 	/* Build vht_mcs_mask from VHT capabilities */
8144 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
8145 
8146 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
8147 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
8148 			mcs[i] = txrate->mcs[i];
8149 		else
8150 			return false;
8151 	}
8152 
8153 	return true;
8154 }
8155 
8156 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
8157 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
8158 				    .len = NL80211_MAX_SUPP_RATES },
8159 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
8160 				.len = NL80211_MAX_SUPP_HT_RATES },
8161 	[NL80211_TXRATE_VHT] = { .len = sizeof(struct nl80211_txrate_vht)},
8162 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
8163 };
8164 
8165 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
8166 				       struct genl_info *info)
8167 {
8168 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
8169 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8170 	struct cfg80211_bitrate_mask mask;
8171 	int rem, i;
8172 	struct net_device *dev = info->user_ptr[1];
8173 	struct nlattr *tx_rates;
8174 	struct ieee80211_supported_band *sband;
8175 	u16 vht_tx_mcs_map;
8176 
8177 	if (!rdev->ops->set_bitrate_mask)
8178 		return -EOPNOTSUPP;
8179 
8180 	memset(&mask, 0, sizeof(mask));
8181 	/* Default to all rates enabled */
8182 	for (i = 0; i < IEEE80211_NUM_BANDS; i++) {
8183 		sband = rdev->wiphy.bands[i];
8184 
8185 		if (!sband)
8186 			continue;
8187 
8188 		mask.control[i].legacy = (1 << sband->n_bitrates) - 1;
8189 		memcpy(mask.control[i].ht_mcs,
8190 		       sband->ht_cap.mcs.rx_mask,
8191 		       sizeof(mask.control[i].ht_mcs));
8192 
8193 		if (!sband->vht_cap.vht_supported)
8194 			continue;
8195 
8196 		vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
8197 		vht_build_mcs_mask(vht_tx_mcs_map, mask.control[i].vht_mcs);
8198 	}
8199 
8200 	/* if no rates are given set it back to the defaults */
8201 	if (!info->attrs[NL80211_ATTR_TX_RATES])
8202 		goto out;
8203 
8204 	/*
8205 	 * The nested attribute uses enum nl80211_band as the index. This maps
8206 	 * directly to the enum ieee80211_band values used in cfg80211.
8207 	 */
8208 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
8209 	nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
8210 		enum ieee80211_band band = nla_type(tx_rates);
8211 		int err;
8212 
8213 		if (band < 0 || band >= IEEE80211_NUM_BANDS)
8214 			return -EINVAL;
8215 		sband = rdev->wiphy.bands[band];
8216 		if (sband == NULL)
8217 			return -EINVAL;
8218 		err = nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates),
8219 				nla_len(tx_rates), nl80211_txattr_policy);
8220 		if (err)
8221 			return err;
8222 		if (tb[NL80211_TXRATE_LEGACY]) {
8223 			mask.control[band].legacy = rateset_to_mask(
8224 				sband,
8225 				nla_data(tb[NL80211_TXRATE_LEGACY]),
8226 				nla_len(tb[NL80211_TXRATE_LEGACY]));
8227 			if ((mask.control[band].legacy == 0) &&
8228 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
8229 				return -EINVAL;
8230 		}
8231 		if (tb[NL80211_TXRATE_HT]) {
8232 			if (!ht_rateset_to_mask(
8233 					sband,
8234 					nla_data(tb[NL80211_TXRATE_HT]),
8235 					nla_len(tb[NL80211_TXRATE_HT]),
8236 					mask.control[band].ht_mcs))
8237 				return -EINVAL;
8238 		}
8239 		if (tb[NL80211_TXRATE_VHT]) {
8240 			if (!vht_set_mcs_mask(
8241 					sband,
8242 					nla_data(tb[NL80211_TXRATE_VHT]),
8243 					mask.control[band].vht_mcs))
8244 				return -EINVAL;
8245 		}
8246 		if (tb[NL80211_TXRATE_GI]) {
8247 			mask.control[band].gi =
8248 				nla_get_u8(tb[NL80211_TXRATE_GI]);
8249 			if (mask.control[band].gi > NL80211_TXRATE_FORCE_LGI)
8250 				return -EINVAL;
8251 		}
8252 
8253 		if (mask.control[band].legacy == 0) {
8254 			/* don't allow empty legacy rates if HT or VHT
8255 			 * are not even supported.
8256 			 */
8257 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
8258 			      rdev->wiphy.bands[band]->vht_cap.vht_supported))
8259 				return -EINVAL;
8260 
8261 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
8262 				if (mask.control[band].ht_mcs[i])
8263 					goto out;
8264 
8265 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
8266 				if (mask.control[band].vht_mcs[i])
8267 					goto out;
8268 
8269 			/* legacy and mcs rates may not be both empty */
8270 			return -EINVAL;
8271 		}
8272 	}
8273 
8274 out:
8275 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
8276 }
8277 
8278 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
8279 {
8280 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8281 	struct wireless_dev *wdev = info->user_ptr[1];
8282 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
8283 
8284 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
8285 		return -EINVAL;
8286 
8287 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
8288 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
8289 
8290 	switch (wdev->iftype) {
8291 	case NL80211_IFTYPE_STATION:
8292 	case NL80211_IFTYPE_ADHOC:
8293 	case NL80211_IFTYPE_P2P_CLIENT:
8294 	case NL80211_IFTYPE_AP:
8295 	case NL80211_IFTYPE_AP_VLAN:
8296 	case NL80211_IFTYPE_MESH_POINT:
8297 	case NL80211_IFTYPE_P2P_GO:
8298 	case NL80211_IFTYPE_P2P_DEVICE:
8299 		break;
8300 	default:
8301 		return -EOPNOTSUPP;
8302 	}
8303 
8304 	/* not much point in registering if we can't reply */
8305 	if (!rdev->ops->mgmt_tx)
8306 		return -EOPNOTSUPP;
8307 
8308 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
8309 			nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
8310 			nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]));
8311 }
8312 
8313 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
8314 {
8315 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8316 	struct wireless_dev *wdev = info->user_ptr[1];
8317 	struct cfg80211_chan_def chandef;
8318 	int err;
8319 	void *hdr = NULL;
8320 	u64 cookie;
8321 	struct sk_buff *msg = NULL;
8322 	struct cfg80211_mgmt_tx_params params = {
8323 		.dont_wait_for_ack =
8324 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
8325 	};
8326 
8327 	if (!info->attrs[NL80211_ATTR_FRAME])
8328 		return -EINVAL;
8329 
8330 	if (!rdev->ops->mgmt_tx)
8331 		return -EOPNOTSUPP;
8332 
8333 	switch (wdev->iftype) {
8334 	case NL80211_IFTYPE_P2P_DEVICE:
8335 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
8336 			return -EINVAL;
8337 	case NL80211_IFTYPE_STATION:
8338 	case NL80211_IFTYPE_ADHOC:
8339 	case NL80211_IFTYPE_P2P_CLIENT:
8340 	case NL80211_IFTYPE_AP:
8341 	case NL80211_IFTYPE_AP_VLAN:
8342 	case NL80211_IFTYPE_MESH_POINT:
8343 	case NL80211_IFTYPE_P2P_GO:
8344 		break;
8345 	default:
8346 		return -EOPNOTSUPP;
8347 	}
8348 
8349 	if (info->attrs[NL80211_ATTR_DURATION]) {
8350 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
8351 			return -EINVAL;
8352 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
8353 
8354 		/*
8355 		 * We should wait on the channel for at least a minimum amount
8356 		 * of time (10ms) but no longer than the driver supports.
8357 		 */
8358 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
8359 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
8360 			return -EINVAL;
8361 
8362 	}
8363 
8364 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
8365 
8366 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
8367 		return -EINVAL;
8368 
8369 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
8370 
8371 	/* get the channel if any has been specified, otherwise pass NULL to
8372 	 * the driver. The latter will use the current one
8373 	 */
8374 	chandef.chan = NULL;
8375 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
8376 		err = nl80211_parse_chandef(rdev, info, &chandef);
8377 		if (err)
8378 			return err;
8379 	}
8380 
8381 	if (!chandef.chan && params.offchan)
8382 		return -EINVAL;
8383 
8384 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
8385 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
8386 
8387 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
8388 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
8389 		int i;
8390 
8391 		if (len % sizeof(u16))
8392 			return -EINVAL;
8393 
8394 		params.n_csa_offsets = len / sizeof(u16);
8395 		params.csa_offsets =
8396 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
8397 
8398 		/* check that all the offsets fit the frame */
8399 		for (i = 0; i < params.n_csa_offsets; i++) {
8400 			if (params.csa_offsets[i] >= params.len)
8401 				return -EINVAL;
8402 		}
8403 	}
8404 
8405 	if (!params.dont_wait_for_ack) {
8406 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8407 		if (!msg)
8408 			return -ENOMEM;
8409 
8410 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8411 				     NL80211_CMD_FRAME);
8412 		if (!hdr) {
8413 			err = -ENOBUFS;
8414 			goto free_msg;
8415 		}
8416 	}
8417 
8418 	params.chan = chandef.chan;
8419 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
8420 	if (err)
8421 		goto free_msg;
8422 
8423 	if (msg) {
8424 		if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
8425 			goto nla_put_failure;
8426 
8427 		genlmsg_end(msg, hdr);
8428 		return genlmsg_reply(msg, info);
8429 	}
8430 
8431 	return 0;
8432 
8433  nla_put_failure:
8434 	err = -ENOBUFS;
8435  free_msg:
8436 	nlmsg_free(msg);
8437 	return err;
8438 }
8439 
8440 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
8441 {
8442 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8443 	struct wireless_dev *wdev = info->user_ptr[1];
8444 	u64 cookie;
8445 
8446 	if (!info->attrs[NL80211_ATTR_COOKIE])
8447 		return -EINVAL;
8448 
8449 	if (!rdev->ops->mgmt_tx_cancel_wait)
8450 		return -EOPNOTSUPP;
8451 
8452 	switch (wdev->iftype) {
8453 	case NL80211_IFTYPE_STATION:
8454 	case NL80211_IFTYPE_ADHOC:
8455 	case NL80211_IFTYPE_P2P_CLIENT:
8456 	case NL80211_IFTYPE_AP:
8457 	case NL80211_IFTYPE_AP_VLAN:
8458 	case NL80211_IFTYPE_P2P_GO:
8459 	case NL80211_IFTYPE_P2P_DEVICE:
8460 		break;
8461 	default:
8462 		return -EOPNOTSUPP;
8463 	}
8464 
8465 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
8466 
8467 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
8468 }
8469 
8470 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
8471 {
8472 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8473 	struct wireless_dev *wdev;
8474 	struct net_device *dev = info->user_ptr[1];
8475 	u8 ps_state;
8476 	bool state;
8477 	int err;
8478 
8479 	if (!info->attrs[NL80211_ATTR_PS_STATE])
8480 		return -EINVAL;
8481 
8482 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
8483 
8484 	if (ps_state != NL80211_PS_DISABLED && ps_state != NL80211_PS_ENABLED)
8485 		return -EINVAL;
8486 
8487 	wdev = dev->ieee80211_ptr;
8488 
8489 	if (!rdev->ops->set_power_mgmt)
8490 		return -EOPNOTSUPP;
8491 
8492 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
8493 
8494 	if (state == wdev->ps)
8495 		return 0;
8496 
8497 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
8498 	if (!err)
8499 		wdev->ps = state;
8500 	return err;
8501 }
8502 
8503 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
8504 {
8505 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8506 	enum nl80211_ps_state ps_state;
8507 	struct wireless_dev *wdev;
8508 	struct net_device *dev = info->user_ptr[1];
8509 	struct sk_buff *msg;
8510 	void *hdr;
8511 	int err;
8512 
8513 	wdev = dev->ieee80211_ptr;
8514 
8515 	if (!rdev->ops->set_power_mgmt)
8516 		return -EOPNOTSUPP;
8517 
8518 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8519 	if (!msg)
8520 		return -ENOMEM;
8521 
8522 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8523 			     NL80211_CMD_GET_POWER_SAVE);
8524 	if (!hdr) {
8525 		err = -ENOBUFS;
8526 		goto free_msg;
8527 	}
8528 
8529 	if (wdev->ps)
8530 		ps_state = NL80211_PS_ENABLED;
8531 	else
8532 		ps_state = NL80211_PS_DISABLED;
8533 
8534 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
8535 		goto nla_put_failure;
8536 
8537 	genlmsg_end(msg, hdr);
8538 	return genlmsg_reply(msg, info);
8539 
8540  nla_put_failure:
8541 	err = -ENOBUFS;
8542  free_msg:
8543 	nlmsg_free(msg);
8544 	return err;
8545 }
8546 
8547 static const struct nla_policy
8548 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
8549 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_U32 },
8550 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
8551 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
8552 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
8553 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
8554 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
8555 };
8556 
8557 static int nl80211_set_cqm_txe(struct genl_info *info,
8558 			       u32 rate, u32 pkts, u32 intvl)
8559 {
8560 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8561 	struct net_device *dev = info->user_ptr[1];
8562 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8563 
8564 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
8565 		return -EINVAL;
8566 
8567 	if (!rdev->ops->set_cqm_txe_config)
8568 		return -EOPNOTSUPP;
8569 
8570 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
8571 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
8572 		return -EOPNOTSUPP;
8573 
8574 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
8575 }
8576 
8577 static int nl80211_set_cqm_rssi(struct genl_info *info,
8578 				s32 threshold, u32 hysteresis)
8579 {
8580 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8581 	struct net_device *dev = info->user_ptr[1];
8582 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8583 
8584 	if (threshold > 0)
8585 		return -EINVAL;
8586 
8587 	/* disabling - hysteresis should also be zero then */
8588 	if (threshold == 0)
8589 		hysteresis = 0;
8590 
8591 	if (!rdev->ops->set_cqm_rssi_config)
8592 		return -EOPNOTSUPP;
8593 
8594 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
8595 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
8596 		return -EOPNOTSUPP;
8597 
8598 	return rdev_set_cqm_rssi_config(rdev, dev, threshold, hysteresis);
8599 }
8600 
8601 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
8602 {
8603 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
8604 	struct nlattr *cqm;
8605 	int err;
8606 
8607 	cqm = info->attrs[NL80211_ATTR_CQM];
8608 	if (!cqm)
8609 		return -EINVAL;
8610 
8611 	err = nla_parse_nested(attrs, NL80211_ATTR_CQM_MAX, cqm,
8612 			       nl80211_attr_cqm_policy);
8613 	if (err)
8614 		return err;
8615 
8616 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
8617 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
8618 		s32 threshold = nla_get_s32(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
8619 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
8620 
8621 		return nl80211_set_cqm_rssi(info, threshold, hysteresis);
8622 	}
8623 
8624 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
8625 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
8626 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
8627 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
8628 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
8629 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
8630 
8631 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
8632 	}
8633 
8634 	return -EINVAL;
8635 }
8636 
8637 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
8638 {
8639 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8640 	struct net_device *dev = info->user_ptr[1];
8641 	struct ocb_setup setup = {};
8642 	int err;
8643 
8644 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
8645 	if (err)
8646 		return err;
8647 
8648 	return cfg80211_join_ocb(rdev, dev, &setup);
8649 }
8650 
8651 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
8652 {
8653 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8654 	struct net_device *dev = info->user_ptr[1];
8655 
8656 	return cfg80211_leave_ocb(rdev, dev);
8657 }
8658 
8659 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
8660 {
8661 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8662 	struct net_device *dev = info->user_ptr[1];
8663 	struct mesh_config cfg;
8664 	struct mesh_setup setup;
8665 	int err;
8666 
8667 	/* start with default */
8668 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
8669 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
8670 
8671 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
8672 		/* and parse parameters if given */
8673 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
8674 		if (err)
8675 			return err;
8676 	}
8677 
8678 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
8679 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
8680 		return -EINVAL;
8681 
8682 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
8683 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
8684 
8685 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
8686 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
8687 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
8688 			return -EINVAL;
8689 
8690 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
8691 		setup.beacon_interval =
8692 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
8693 		if (setup.beacon_interval < 10 ||
8694 		    setup.beacon_interval > 10000)
8695 			return -EINVAL;
8696 	}
8697 
8698 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
8699 		setup.dtim_period =
8700 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
8701 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
8702 			return -EINVAL;
8703 	}
8704 
8705 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
8706 		/* parse additional setup parameters if given */
8707 		err = nl80211_parse_mesh_setup(info, &setup);
8708 		if (err)
8709 			return err;
8710 	}
8711 
8712 	if (setup.user_mpm)
8713 		cfg.auto_open_plinks = false;
8714 
8715 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
8716 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
8717 		if (err)
8718 			return err;
8719 	} else {
8720 		/* cfg80211_join_mesh() will sort it out */
8721 		setup.chandef.chan = NULL;
8722 	}
8723 
8724 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
8725 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8726 		int n_rates =
8727 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8728 		struct ieee80211_supported_band *sband;
8729 
8730 		if (!setup.chandef.chan)
8731 			return -EINVAL;
8732 
8733 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
8734 
8735 		err = ieee80211_get_ratemask(sband, rates, n_rates,
8736 					     &setup.basic_rates);
8737 		if (err)
8738 			return err;
8739 	}
8740 
8741 	return cfg80211_join_mesh(rdev, dev, &setup, &cfg);
8742 }
8743 
8744 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
8745 {
8746 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8747 	struct net_device *dev = info->user_ptr[1];
8748 
8749 	return cfg80211_leave_mesh(rdev, dev);
8750 }
8751 
8752 #ifdef CONFIG_PM
8753 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
8754 					struct cfg80211_registered_device *rdev)
8755 {
8756 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
8757 	struct nlattr *nl_pats, *nl_pat;
8758 	int i, pat_len;
8759 
8760 	if (!wowlan->n_patterns)
8761 		return 0;
8762 
8763 	nl_pats = nla_nest_start(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
8764 	if (!nl_pats)
8765 		return -ENOBUFS;
8766 
8767 	for (i = 0; i < wowlan->n_patterns; i++) {
8768 		nl_pat = nla_nest_start(msg, i + 1);
8769 		if (!nl_pat)
8770 			return -ENOBUFS;
8771 		pat_len = wowlan->patterns[i].pattern_len;
8772 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
8773 			    wowlan->patterns[i].mask) ||
8774 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
8775 			    wowlan->patterns[i].pattern) ||
8776 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
8777 				wowlan->patterns[i].pkt_offset))
8778 			return -ENOBUFS;
8779 		nla_nest_end(msg, nl_pat);
8780 	}
8781 	nla_nest_end(msg, nl_pats);
8782 
8783 	return 0;
8784 }
8785 
8786 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
8787 				   struct cfg80211_wowlan_tcp *tcp)
8788 {
8789 	struct nlattr *nl_tcp;
8790 
8791 	if (!tcp)
8792 		return 0;
8793 
8794 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
8795 	if (!nl_tcp)
8796 		return -ENOBUFS;
8797 
8798 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
8799 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
8800 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
8801 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
8802 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
8803 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
8804 		    tcp->payload_len, tcp->payload) ||
8805 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
8806 			tcp->data_interval) ||
8807 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
8808 		    tcp->wake_len, tcp->wake_data) ||
8809 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
8810 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
8811 		return -ENOBUFS;
8812 
8813 	if (tcp->payload_seq.len &&
8814 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
8815 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
8816 		return -ENOBUFS;
8817 
8818 	if (tcp->payload_tok.len &&
8819 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
8820 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
8821 		    &tcp->payload_tok))
8822 		return -ENOBUFS;
8823 
8824 	nla_nest_end(msg, nl_tcp);
8825 
8826 	return 0;
8827 }
8828 
8829 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
8830 				  struct cfg80211_sched_scan_request *req)
8831 {
8832 	struct nlattr *nd, *freqs, *matches, *match;
8833 	int i;
8834 
8835 	if (!req)
8836 		return 0;
8837 
8838 	nd = nla_nest_start(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
8839 	if (!nd)
8840 		return -ENOBUFS;
8841 
8842 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL, req->interval))
8843 		return -ENOBUFS;
8844 
8845 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
8846 		return -ENOBUFS;
8847 
8848 	freqs = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
8849 	if (!freqs)
8850 		return -ENOBUFS;
8851 
8852 	for (i = 0; i < req->n_channels; i++)
8853 		nla_put_u32(msg, i, req->channels[i]->center_freq);
8854 
8855 	nla_nest_end(msg, freqs);
8856 
8857 	if (req->n_match_sets) {
8858 		matches = nla_nest_start(msg, NL80211_ATTR_SCHED_SCAN_MATCH);
8859 		for (i = 0; i < req->n_match_sets; i++) {
8860 			match = nla_nest_start(msg, i);
8861 			nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
8862 				req->match_sets[i].ssid.ssid_len,
8863 				req->match_sets[i].ssid.ssid);
8864 			nla_nest_end(msg, match);
8865 		}
8866 		nla_nest_end(msg, matches);
8867 	}
8868 
8869 	nla_nest_end(msg, nd);
8870 
8871 	return 0;
8872 }
8873 
8874 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
8875 {
8876 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8877 	struct sk_buff *msg;
8878 	void *hdr;
8879 	u32 size = NLMSG_DEFAULT_SIZE;
8880 
8881 	if (!rdev->wiphy.wowlan)
8882 		return -EOPNOTSUPP;
8883 
8884 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
8885 		/* adjust size to have room for all the data */
8886 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
8887 			rdev->wiphy.wowlan_config->tcp->payload_len +
8888 			rdev->wiphy.wowlan_config->tcp->wake_len +
8889 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
8890 	}
8891 
8892 	msg = nlmsg_new(size, GFP_KERNEL);
8893 	if (!msg)
8894 		return -ENOMEM;
8895 
8896 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8897 			     NL80211_CMD_GET_WOWLAN);
8898 	if (!hdr)
8899 		goto nla_put_failure;
8900 
8901 	if (rdev->wiphy.wowlan_config) {
8902 		struct nlattr *nl_wowlan;
8903 
8904 		nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
8905 		if (!nl_wowlan)
8906 			goto nla_put_failure;
8907 
8908 		if ((rdev->wiphy.wowlan_config->any &&
8909 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
8910 		    (rdev->wiphy.wowlan_config->disconnect &&
8911 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
8912 		    (rdev->wiphy.wowlan_config->magic_pkt &&
8913 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
8914 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
8915 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
8916 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
8917 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
8918 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
8919 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
8920 		    (rdev->wiphy.wowlan_config->rfkill_release &&
8921 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
8922 			goto nla_put_failure;
8923 
8924 		if (nl80211_send_wowlan_patterns(msg, rdev))
8925 			goto nla_put_failure;
8926 
8927 		if (nl80211_send_wowlan_tcp(msg,
8928 					    rdev->wiphy.wowlan_config->tcp))
8929 			goto nla_put_failure;
8930 
8931 		if (nl80211_send_wowlan_nd(
8932 			    msg,
8933 			    rdev->wiphy.wowlan_config->nd_config))
8934 			goto nla_put_failure;
8935 
8936 		nla_nest_end(msg, nl_wowlan);
8937 	}
8938 
8939 	genlmsg_end(msg, hdr);
8940 	return genlmsg_reply(msg, info);
8941 
8942 nla_put_failure:
8943 	nlmsg_free(msg);
8944 	return -ENOBUFS;
8945 }
8946 
8947 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
8948 				    struct nlattr *attr,
8949 				    struct cfg80211_wowlan *trig)
8950 {
8951 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
8952 	struct cfg80211_wowlan_tcp *cfg;
8953 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
8954 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
8955 	u32 size;
8956 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
8957 	int err, port;
8958 
8959 	if (!rdev->wiphy.wowlan->tcp)
8960 		return -EINVAL;
8961 
8962 	err = nla_parse(tb, MAX_NL80211_WOWLAN_TCP,
8963 			nla_data(attr), nla_len(attr),
8964 			nl80211_wowlan_tcp_policy);
8965 	if (err)
8966 		return err;
8967 
8968 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
8969 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
8970 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
8971 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
8972 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
8973 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
8974 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
8975 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
8976 		return -EINVAL;
8977 
8978 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
8979 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
8980 		return -EINVAL;
8981 
8982 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
8983 			rdev->wiphy.wowlan->tcp->data_interval_max ||
8984 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
8985 		return -EINVAL;
8986 
8987 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
8988 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
8989 		return -EINVAL;
8990 
8991 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
8992 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
8993 		return -EINVAL;
8994 
8995 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
8996 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
8997 
8998 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
8999 		tokens_size = tokln - sizeof(*tok);
9000 
9001 		if (!tok->len || tokens_size % tok->len)
9002 			return -EINVAL;
9003 		if (!rdev->wiphy.wowlan->tcp->tok)
9004 			return -EINVAL;
9005 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
9006 			return -EINVAL;
9007 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
9008 			return -EINVAL;
9009 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
9010 			return -EINVAL;
9011 		if (tok->offset + tok->len > data_size)
9012 			return -EINVAL;
9013 	}
9014 
9015 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
9016 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
9017 		if (!rdev->wiphy.wowlan->tcp->seq)
9018 			return -EINVAL;
9019 		if (seq->len == 0 || seq->len > 4)
9020 			return -EINVAL;
9021 		if (seq->len + seq->offset > data_size)
9022 			return -EINVAL;
9023 	}
9024 
9025 	size = sizeof(*cfg);
9026 	size += data_size;
9027 	size += wake_size + wake_mask_size;
9028 	size += tokens_size;
9029 
9030 	cfg = kzalloc(size, GFP_KERNEL);
9031 	if (!cfg)
9032 		return -ENOMEM;
9033 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
9034 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
9035 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
9036 	       ETH_ALEN);
9037 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
9038 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
9039 	else
9040 		port = 0;
9041 #ifdef CONFIG_INET
9042 	/* allocate a socket and port for it and use it */
9043 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
9044 			    IPPROTO_TCP, &cfg->sock, 1);
9045 	if (err) {
9046 		kfree(cfg);
9047 		return err;
9048 	}
9049 	if (inet_csk_get_port(cfg->sock->sk, port)) {
9050 		sock_release(cfg->sock);
9051 		kfree(cfg);
9052 		return -EADDRINUSE;
9053 	}
9054 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
9055 #else
9056 	if (!port) {
9057 		kfree(cfg);
9058 		return -EINVAL;
9059 	}
9060 	cfg->src_port = port;
9061 #endif
9062 
9063 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
9064 	cfg->payload_len = data_size;
9065 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
9066 	memcpy((void *)cfg->payload,
9067 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
9068 	       data_size);
9069 	if (seq)
9070 		cfg->payload_seq = *seq;
9071 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
9072 	cfg->wake_len = wake_size;
9073 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
9074 	memcpy((void *)cfg->wake_data,
9075 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
9076 	       wake_size);
9077 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
9078 			 data_size + wake_size;
9079 	memcpy((void *)cfg->wake_mask,
9080 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
9081 	       wake_mask_size);
9082 	if (tok) {
9083 		cfg->tokens_size = tokens_size;
9084 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
9085 	}
9086 
9087 	trig->tcp = cfg;
9088 
9089 	return 0;
9090 }
9091 
9092 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
9093 				   const struct wiphy_wowlan_support *wowlan,
9094 				   struct nlattr *attr,
9095 				   struct cfg80211_wowlan *trig)
9096 {
9097 	struct nlattr **tb;
9098 	int err;
9099 
9100 	tb = kzalloc(NUM_NL80211_ATTR * sizeof(*tb), GFP_KERNEL);
9101 	if (!tb)
9102 		return -ENOMEM;
9103 
9104 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
9105 		err = -EOPNOTSUPP;
9106 		goto out;
9107 	}
9108 
9109 	err = nla_parse(tb, NL80211_ATTR_MAX,
9110 			nla_data(attr), nla_len(attr),
9111 			nl80211_policy);
9112 	if (err)
9113 		goto out;
9114 
9115 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb);
9116 	err = PTR_ERR_OR_ZERO(trig->nd_config);
9117 	if (err)
9118 		trig->nd_config = NULL;
9119 
9120 out:
9121 	kfree(tb);
9122 	return err;
9123 }
9124 
9125 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
9126 {
9127 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9128 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
9129 	struct cfg80211_wowlan new_triggers = {};
9130 	struct cfg80211_wowlan *ntrig;
9131 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
9132 	int err, i;
9133 	bool prev_enabled = rdev->wiphy.wowlan_config;
9134 	bool regular = false;
9135 
9136 	if (!wowlan)
9137 		return -EOPNOTSUPP;
9138 
9139 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
9140 		cfg80211_rdev_free_wowlan(rdev);
9141 		rdev->wiphy.wowlan_config = NULL;
9142 		goto set_wakeup;
9143 	}
9144 
9145 	err = nla_parse(tb, MAX_NL80211_WOWLAN_TRIG,
9146 			nla_data(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
9147 			nla_len(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
9148 			nl80211_wowlan_policy);
9149 	if (err)
9150 		return err;
9151 
9152 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
9153 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
9154 			return -EINVAL;
9155 		new_triggers.any = true;
9156 	}
9157 
9158 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
9159 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
9160 			return -EINVAL;
9161 		new_triggers.disconnect = true;
9162 		regular = true;
9163 	}
9164 
9165 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
9166 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
9167 			return -EINVAL;
9168 		new_triggers.magic_pkt = true;
9169 		regular = true;
9170 	}
9171 
9172 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
9173 		return -EINVAL;
9174 
9175 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
9176 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
9177 			return -EINVAL;
9178 		new_triggers.gtk_rekey_failure = true;
9179 		regular = true;
9180 	}
9181 
9182 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
9183 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
9184 			return -EINVAL;
9185 		new_triggers.eap_identity_req = true;
9186 		regular = true;
9187 	}
9188 
9189 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
9190 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
9191 			return -EINVAL;
9192 		new_triggers.four_way_handshake = true;
9193 		regular = true;
9194 	}
9195 
9196 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
9197 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
9198 			return -EINVAL;
9199 		new_triggers.rfkill_release = true;
9200 		regular = true;
9201 	}
9202 
9203 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
9204 		struct nlattr *pat;
9205 		int n_patterns = 0;
9206 		int rem, pat_len, mask_len, pkt_offset;
9207 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
9208 
9209 		regular = true;
9210 
9211 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
9212 				    rem)
9213 			n_patterns++;
9214 		if (n_patterns > wowlan->n_patterns)
9215 			return -EINVAL;
9216 
9217 		new_triggers.patterns = kcalloc(n_patterns,
9218 						sizeof(new_triggers.patterns[0]),
9219 						GFP_KERNEL);
9220 		if (!new_triggers.patterns)
9221 			return -ENOMEM;
9222 
9223 		new_triggers.n_patterns = n_patterns;
9224 		i = 0;
9225 
9226 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
9227 				    rem) {
9228 			u8 *mask_pat;
9229 
9230 			nla_parse(pat_tb, MAX_NL80211_PKTPAT, nla_data(pat),
9231 				  nla_len(pat), NULL);
9232 			err = -EINVAL;
9233 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
9234 			    !pat_tb[NL80211_PKTPAT_PATTERN])
9235 				goto error;
9236 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
9237 			mask_len = DIV_ROUND_UP(pat_len, 8);
9238 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
9239 				goto error;
9240 			if (pat_len > wowlan->pattern_max_len ||
9241 			    pat_len < wowlan->pattern_min_len)
9242 				goto error;
9243 
9244 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
9245 				pkt_offset = 0;
9246 			else
9247 				pkt_offset = nla_get_u32(
9248 					pat_tb[NL80211_PKTPAT_OFFSET]);
9249 			if (pkt_offset > wowlan->max_pkt_offset)
9250 				goto error;
9251 			new_triggers.patterns[i].pkt_offset = pkt_offset;
9252 
9253 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
9254 			if (!mask_pat) {
9255 				err = -ENOMEM;
9256 				goto error;
9257 			}
9258 			new_triggers.patterns[i].mask = mask_pat;
9259 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
9260 			       mask_len);
9261 			mask_pat += mask_len;
9262 			new_triggers.patterns[i].pattern = mask_pat;
9263 			new_triggers.patterns[i].pattern_len = pat_len;
9264 			memcpy(mask_pat,
9265 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
9266 			       pat_len);
9267 			i++;
9268 		}
9269 	}
9270 
9271 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
9272 		regular = true;
9273 		err = nl80211_parse_wowlan_tcp(
9274 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
9275 			&new_triggers);
9276 		if (err)
9277 			goto error;
9278 	}
9279 
9280 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
9281 		regular = true;
9282 		err = nl80211_parse_wowlan_nd(
9283 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
9284 			&new_triggers);
9285 		if (err)
9286 			goto error;
9287 	}
9288 
9289 	/* The 'any' trigger means the device continues operating more or less
9290 	 * as in its normal operation mode and wakes up the host on most of the
9291 	 * normal interrupts (like packet RX, ...)
9292 	 * It therefore makes little sense to combine with the more constrained
9293 	 * wakeup trigger modes.
9294 	 */
9295 	if (new_triggers.any && regular) {
9296 		err = -EINVAL;
9297 		goto error;
9298 	}
9299 
9300 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
9301 	if (!ntrig) {
9302 		err = -ENOMEM;
9303 		goto error;
9304 	}
9305 	cfg80211_rdev_free_wowlan(rdev);
9306 	rdev->wiphy.wowlan_config = ntrig;
9307 
9308  set_wakeup:
9309 	if (rdev->ops->set_wakeup &&
9310 	    prev_enabled != !!rdev->wiphy.wowlan_config)
9311 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
9312 
9313 	return 0;
9314  error:
9315 	for (i = 0; i < new_triggers.n_patterns; i++)
9316 		kfree(new_triggers.patterns[i].mask);
9317 	kfree(new_triggers.patterns);
9318 	if (new_triggers.tcp && new_triggers.tcp->sock)
9319 		sock_release(new_triggers.tcp->sock);
9320 	kfree(new_triggers.tcp);
9321 	return err;
9322 }
9323 #endif
9324 
9325 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
9326 				       struct cfg80211_registered_device *rdev)
9327 {
9328 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
9329 	int i, j, pat_len;
9330 	struct cfg80211_coalesce_rules *rule;
9331 
9332 	if (!rdev->coalesce->n_rules)
9333 		return 0;
9334 
9335 	nl_rules = nla_nest_start(msg, NL80211_ATTR_COALESCE_RULE);
9336 	if (!nl_rules)
9337 		return -ENOBUFS;
9338 
9339 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
9340 		nl_rule = nla_nest_start(msg, i + 1);
9341 		if (!nl_rule)
9342 			return -ENOBUFS;
9343 
9344 		rule = &rdev->coalesce->rules[i];
9345 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
9346 				rule->delay))
9347 			return -ENOBUFS;
9348 
9349 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
9350 				rule->condition))
9351 			return -ENOBUFS;
9352 
9353 		nl_pats = nla_nest_start(msg,
9354 				NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
9355 		if (!nl_pats)
9356 			return -ENOBUFS;
9357 
9358 		for (j = 0; j < rule->n_patterns; j++) {
9359 			nl_pat = nla_nest_start(msg, j + 1);
9360 			if (!nl_pat)
9361 				return -ENOBUFS;
9362 			pat_len = rule->patterns[j].pattern_len;
9363 			if (nla_put(msg, NL80211_PKTPAT_MASK,
9364 				    DIV_ROUND_UP(pat_len, 8),
9365 				    rule->patterns[j].mask) ||
9366 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
9367 				    rule->patterns[j].pattern) ||
9368 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
9369 					rule->patterns[j].pkt_offset))
9370 				return -ENOBUFS;
9371 			nla_nest_end(msg, nl_pat);
9372 		}
9373 		nla_nest_end(msg, nl_pats);
9374 		nla_nest_end(msg, nl_rule);
9375 	}
9376 	nla_nest_end(msg, nl_rules);
9377 
9378 	return 0;
9379 }
9380 
9381 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
9382 {
9383 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9384 	struct sk_buff *msg;
9385 	void *hdr;
9386 
9387 	if (!rdev->wiphy.coalesce)
9388 		return -EOPNOTSUPP;
9389 
9390 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9391 	if (!msg)
9392 		return -ENOMEM;
9393 
9394 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9395 			     NL80211_CMD_GET_COALESCE);
9396 	if (!hdr)
9397 		goto nla_put_failure;
9398 
9399 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
9400 		goto nla_put_failure;
9401 
9402 	genlmsg_end(msg, hdr);
9403 	return genlmsg_reply(msg, info);
9404 
9405 nla_put_failure:
9406 	nlmsg_free(msg);
9407 	return -ENOBUFS;
9408 }
9409 
9410 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
9411 {
9412 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
9413 	int i, j;
9414 	struct cfg80211_coalesce_rules *rule;
9415 
9416 	if (!coalesce)
9417 		return;
9418 
9419 	for (i = 0; i < coalesce->n_rules; i++) {
9420 		rule = &coalesce->rules[i];
9421 		for (j = 0; j < rule->n_patterns; j++)
9422 			kfree(rule->patterns[j].mask);
9423 		kfree(rule->patterns);
9424 	}
9425 	kfree(coalesce->rules);
9426 	kfree(coalesce);
9427 	rdev->coalesce = NULL;
9428 }
9429 
9430 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
9431 				       struct nlattr *rule,
9432 				       struct cfg80211_coalesce_rules *new_rule)
9433 {
9434 	int err, i;
9435 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
9436 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
9437 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
9438 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
9439 
9440 	err = nla_parse(tb, NL80211_ATTR_COALESCE_RULE_MAX, nla_data(rule),
9441 			nla_len(rule), nl80211_coalesce_policy);
9442 	if (err)
9443 		return err;
9444 
9445 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
9446 		new_rule->delay =
9447 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
9448 	if (new_rule->delay > coalesce->max_delay)
9449 		return -EINVAL;
9450 
9451 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
9452 		new_rule->condition =
9453 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
9454 	if (new_rule->condition != NL80211_COALESCE_CONDITION_MATCH &&
9455 	    new_rule->condition != NL80211_COALESCE_CONDITION_NO_MATCH)
9456 		return -EINVAL;
9457 
9458 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
9459 		return -EINVAL;
9460 
9461 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
9462 			    rem)
9463 		n_patterns++;
9464 	if (n_patterns > coalesce->n_patterns)
9465 		return -EINVAL;
9466 
9467 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
9468 				     GFP_KERNEL);
9469 	if (!new_rule->patterns)
9470 		return -ENOMEM;
9471 
9472 	new_rule->n_patterns = n_patterns;
9473 	i = 0;
9474 
9475 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
9476 			    rem) {
9477 		u8 *mask_pat;
9478 
9479 		nla_parse(pat_tb, MAX_NL80211_PKTPAT, nla_data(pat),
9480 			  nla_len(pat), NULL);
9481 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
9482 		    !pat_tb[NL80211_PKTPAT_PATTERN])
9483 			return -EINVAL;
9484 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
9485 		mask_len = DIV_ROUND_UP(pat_len, 8);
9486 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
9487 			return -EINVAL;
9488 		if (pat_len > coalesce->pattern_max_len ||
9489 		    pat_len < coalesce->pattern_min_len)
9490 			return -EINVAL;
9491 
9492 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
9493 			pkt_offset = 0;
9494 		else
9495 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
9496 		if (pkt_offset > coalesce->max_pkt_offset)
9497 			return -EINVAL;
9498 		new_rule->patterns[i].pkt_offset = pkt_offset;
9499 
9500 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
9501 		if (!mask_pat)
9502 			return -ENOMEM;
9503 
9504 		new_rule->patterns[i].mask = mask_pat;
9505 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
9506 		       mask_len);
9507 
9508 		mask_pat += mask_len;
9509 		new_rule->patterns[i].pattern = mask_pat;
9510 		new_rule->patterns[i].pattern_len = pat_len;
9511 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
9512 		       pat_len);
9513 		i++;
9514 	}
9515 
9516 	return 0;
9517 }
9518 
9519 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
9520 {
9521 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9522 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
9523 	struct cfg80211_coalesce new_coalesce = {};
9524 	struct cfg80211_coalesce *n_coalesce;
9525 	int err, rem_rule, n_rules = 0, i, j;
9526 	struct nlattr *rule;
9527 	struct cfg80211_coalesce_rules *tmp_rule;
9528 
9529 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
9530 		return -EOPNOTSUPP;
9531 
9532 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
9533 		cfg80211_rdev_free_coalesce(rdev);
9534 		rdev->ops->set_coalesce(&rdev->wiphy, NULL);
9535 		return 0;
9536 	}
9537 
9538 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
9539 			    rem_rule)
9540 		n_rules++;
9541 	if (n_rules > coalesce->n_rules)
9542 		return -EINVAL;
9543 
9544 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
9545 				     GFP_KERNEL);
9546 	if (!new_coalesce.rules)
9547 		return -ENOMEM;
9548 
9549 	new_coalesce.n_rules = n_rules;
9550 	i = 0;
9551 
9552 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
9553 			    rem_rule) {
9554 		err = nl80211_parse_coalesce_rule(rdev, rule,
9555 						  &new_coalesce.rules[i]);
9556 		if (err)
9557 			goto error;
9558 
9559 		i++;
9560 	}
9561 
9562 	err = rdev->ops->set_coalesce(&rdev->wiphy, &new_coalesce);
9563 	if (err)
9564 		goto error;
9565 
9566 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
9567 	if (!n_coalesce) {
9568 		err = -ENOMEM;
9569 		goto error;
9570 	}
9571 	cfg80211_rdev_free_coalesce(rdev);
9572 	rdev->coalesce = n_coalesce;
9573 
9574 	return 0;
9575 error:
9576 	for (i = 0; i < new_coalesce.n_rules; i++) {
9577 		tmp_rule = &new_coalesce.rules[i];
9578 		for (j = 0; j < tmp_rule->n_patterns; j++)
9579 			kfree(tmp_rule->patterns[j].mask);
9580 		kfree(tmp_rule->patterns);
9581 	}
9582 	kfree(new_coalesce.rules);
9583 
9584 	return err;
9585 }
9586 
9587 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
9588 {
9589 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9590 	struct net_device *dev = info->user_ptr[1];
9591 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9592 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
9593 	struct cfg80211_gtk_rekey_data rekey_data;
9594 	int err;
9595 
9596 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
9597 		return -EINVAL;
9598 
9599 	err = nla_parse(tb, MAX_NL80211_REKEY_DATA,
9600 			nla_data(info->attrs[NL80211_ATTR_REKEY_DATA]),
9601 			nla_len(info->attrs[NL80211_ATTR_REKEY_DATA]),
9602 			nl80211_rekey_policy);
9603 	if (err)
9604 		return err;
9605 
9606 	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
9607 		return -ERANGE;
9608 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
9609 		return -ERANGE;
9610 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN)
9611 		return -ERANGE;
9612 
9613 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
9614 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
9615 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
9616 
9617 	wdev_lock(wdev);
9618 	if (!wdev->current_bss) {
9619 		err = -ENOTCONN;
9620 		goto out;
9621 	}
9622 
9623 	if (!rdev->ops->set_rekey_data) {
9624 		err = -EOPNOTSUPP;
9625 		goto out;
9626 	}
9627 
9628 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
9629  out:
9630 	wdev_unlock(wdev);
9631 	return err;
9632 }
9633 
9634 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
9635 					     struct genl_info *info)
9636 {
9637 	struct net_device *dev = info->user_ptr[1];
9638 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9639 
9640 	if (wdev->iftype != NL80211_IFTYPE_AP &&
9641 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
9642 		return -EINVAL;
9643 
9644 	if (wdev->ap_unexpected_nlportid)
9645 		return -EBUSY;
9646 
9647 	wdev->ap_unexpected_nlportid = info->snd_portid;
9648 	return 0;
9649 }
9650 
9651 static int nl80211_probe_client(struct sk_buff *skb,
9652 				struct genl_info *info)
9653 {
9654 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9655 	struct net_device *dev = info->user_ptr[1];
9656 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9657 	struct sk_buff *msg;
9658 	void *hdr;
9659 	const u8 *addr;
9660 	u64 cookie;
9661 	int err;
9662 
9663 	if (wdev->iftype != NL80211_IFTYPE_AP &&
9664 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
9665 		return -EOPNOTSUPP;
9666 
9667 	if (!info->attrs[NL80211_ATTR_MAC])
9668 		return -EINVAL;
9669 
9670 	if (!rdev->ops->probe_client)
9671 		return -EOPNOTSUPP;
9672 
9673 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9674 	if (!msg)
9675 		return -ENOMEM;
9676 
9677 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9678 			     NL80211_CMD_PROBE_CLIENT);
9679 	if (!hdr) {
9680 		err = -ENOBUFS;
9681 		goto free_msg;
9682 	}
9683 
9684 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
9685 
9686 	err = rdev_probe_client(rdev, dev, addr, &cookie);
9687 	if (err)
9688 		goto free_msg;
9689 
9690 	if (nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
9691 		goto nla_put_failure;
9692 
9693 	genlmsg_end(msg, hdr);
9694 
9695 	return genlmsg_reply(msg, info);
9696 
9697  nla_put_failure:
9698 	err = -ENOBUFS;
9699  free_msg:
9700 	nlmsg_free(msg);
9701 	return err;
9702 }
9703 
9704 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
9705 {
9706 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9707 	struct cfg80211_beacon_registration *reg, *nreg;
9708 	int rv;
9709 
9710 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
9711 		return -EOPNOTSUPP;
9712 
9713 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
9714 	if (!nreg)
9715 		return -ENOMEM;
9716 
9717 	/* First, check if already registered. */
9718 	spin_lock_bh(&rdev->beacon_registrations_lock);
9719 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
9720 		if (reg->nlportid == info->snd_portid) {
9721 			rv = -EALREADY;
9722 			goto out_err;
9723 		}
9724 	}
9725 	/* Add it to the list */
9726 	nreg->nlportid = info->snd_portid;
9727 	list_add(&nreg->list, &rdev->beacon_registrations);
9728 
9729 	spin_unlock_bh(&rdev->beacon_registrations_lock);
9730 
9731 	return 0;
9732 out_err:
9733 	spin_unlock_bh(&rdev->beacon_registrations_lock);
9734 	kfree(nreg);
9735 	return rv;
9736 }
9737 
9738 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
9739 {
9740 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9741 	struct wireless_dev *wdev = info->user_ptr[1];
9742 	int err;
9743 
9744 	if (!rdev->ops->start_p2p_device)
9745 		return -EOPNOTSUPP;
9746 
9747 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
9748 		return -EOPNOTSUPP;
9749 
9750 	if (wdev->p2p_started)
9751 		return 0;
9752 
9753 	if (rfkill_blocked(rdev->rfkill))
9754 		return -ERFKILL;
9755 
9756 	err = rdev_start_p2p_device(rdev, wdev);
9757 	if (err)
9758 		return err;
9759 
9760 	wdev->p2p_started = true;
9761 	rdev->opencount++;
9762 
9763 	return 0;
9764 }
9765 
9766 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
9767 {
9768 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9769 	struct wireless_dev *wdev = info->user_ptr[1];
9770 
9771 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
9772 		return -EOPNOTSUPP;
9773 
9774 	if (!rdev->ops->stop_p2p_device)
9775 		return -EOPNOTSUPP;
9776 
9777 	cfg80211_stop_p2p_device(rdev, wdev);
9778 
9779 	return 0;
9780 }
9781 
9782 static int nl80211_get_protocol_features(struct sk_buff *skb,
9783 					 struct genl_info *info)
9784 {
9785 	void *hdr;
9786 	struct sk_buff *msg;
9787 
9788 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9789 	if (!msg)
9790 		return -ENOMEM;
9791 
9792 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9793 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
9794 	if (!hdr)
9795 		goto nla_put_failure;
9796 
9797 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
9798 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
9799 		goto nla_put_failure;
9800 
9801 	genlmsg_end(msg, hdr);
9802 	return genlmsg_reply(msg, info);
9803 
9804  nla_put_failure:
9805 	kfree_skb(msg);
9806 	return -ENOBUFS;
9807 }
9808 
9809 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
9810 {
9811 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9812 	struct cfg80211_update_ft_ies_params ft_params;
9813 	struct net_device *dev = info->user_ptr[1];
9814 
9815 	if (!rdev->ops->update_ft_ies)
9816 		return -EOPNOTSUPP;
9817 
9818 	if (!info->attrs[NL80211_ATTR_MDID] ||
9819 	    !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
9820 		return -EINVAL;
9821 
9822 	memset(&ft_params, 0, sizeof(ft_params));
9823 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
9824 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9825 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9826 
9827 	return rdev_update_ft_ies(rdev, dev, &ft_params);
9828 }
9829 
9830 static int nl80211_crit_protocol_start(struct sk_buff *skb,
9831 				       struct genl_info *info)
9832 {
9833 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9834 	struct wireless_dev *wdev = info->user_ptr[1];
9835 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
9836 	u16 duration;
9837 	int ret;
9838 
9839 	if (!rdev->ops->crit_proto_start)
9840 		return -EOPNOTSUPP;
9841 
9842 	if (WARN_ON(!rdev->ops->crit_proto_stop))
9843 		return -EINVAL;
9844 
9845 	if (rdev->crit_proto_nlportid)
9846 		return -EBUSY;
9847 
9848 	/* determine protocol if provided */
9849 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
9850 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
9851 
9852 	if (proto >= NUM_NL80211_CRIT_PROTO)
9853 		return -EINVAL;
9854 
9855 	/* timeout must be provided */
9856 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
9857 		return -EINVAL;
9858 
9859 	duration =
9860 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
9861 
9862 	if (duration > NL80211_CRIT_PROTO_MAX_DURATION)
9863 		return -ERANGE;
9864 
9865 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
9866 	if (!ret)
9867 		rdev->crit_proto_nlportid = info->snd_portid;
9868 
9869 	return ret;
9870 }
9871 
9872 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
9873 				      struct genl_info *info)
9874 {
9875 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9876 	struct wireless_dev *wdev = info->user_ptr[1];
9877 
9878 	if (!rdev->ops->crit_proto_stop)
9879 		return -EOPNOTSUPP;
9880 
9881 	if (rdev->crit_proto_nlportid) {
9882 		rdev->crit_proto_nlportid = 0;
9883 		rdev_crit_proto_stop(rdev, wdev);
9884 	}
9885 	return 0;
9886 }
9887 
9888 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
9889 {
9890 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9891 	struct wireless_dev *wdev =
9892 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
9893 	int i, err;
9894 	u32 vid, subcmd;
9895 
9896 	if (!rdev->wiphy.vendor_commands)
9897 		return -EOPNOTSUPP;
9898 
9899 	if (IS_ERR(wdev)) {
9900 		err = PTR_ERR(wdev);
9901 		if (err != -EINVAL)
9902 			return err;
9903 		wdev = NULL;
9904 	} else if (wdev->wiphy != &rdev->wiphy) {
9905 		return -EINVAL;
9906 	}
9907 
9908 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
9909 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
9910 		return -EINVAL;
9911 
9912 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
9913 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
9914 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
9915 		const struct wiphy_vendor_command *vcmd;
9916 		void *data = NULL;
9917 		int len = 0;
9918 
9919 		vcmd = &rdev->wiphy.vendor_commands[i];
9920 
9921 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
9922 			continue;
9923 
9924 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
9925 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
9926 			if (!wdev)
9927 				return -EINVAL;
9928 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
9929 			    !wdev->netdev)
9930 				return -EINVAL;
9931 
9932 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
9933 				if (wdev->netdev &&
9934 				    !netif_running(wdev->netdev))
9935 					return -ENETDOWN;
9936 				if (!wdev->netdev && !wdev->p2p_started)
9937 					return -ENETDOWN;
9938 			}
9939 		} else {
9940 			wdev = NULL;
9941 		}
9942 
9943 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
9944 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
9945 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
9946 		}
9947 
9948 		rdev->cur_cmd_info = info;
9949 		err = rdev->wiphy.vendor_commands[i].doit(&rdev->wiphy, wdev,
9950 							  data, len);
9951 		rdev->cur_cmd_info = NULL;
9952 		return err;
9953 	}
9954 
9955 	return -EOPNOTSUPP;
9956 }
9957 
9958 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
9959 					   enum nl80211_commands cmd,
9960 					   enum nl80211_attrs attr,
9961 					   int approxlen)
9962 {
9963 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
9964 
9965 	if (WARN_ON(!rdev->cur_cmd_info))
9966 		return NULL;
9967 
9968 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
9969 					   rdev->cur_cmd_info->snd_portid,
9970 					   rdev->cur_cmd_info->snd_seq,
9971 					   cmd, attr, NULL, GFP_KERNEL);
9972 }
9973 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
9974 
9975 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
9976 {
9977 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
9978 	void *hdr = ((void **)skb->cb)[1];
9979 	struct nlattr *data = ((void **)skb->cb)[2];
9980 
9981 	/* clear CB data for netlink core to own from now on */
9982 	memset(skb->cb, 0, sizeof(skb->cb));
9983 
9984 	if (WARN_ON(!rdev->cur_cmd_info)) {
9985 		kfree_skb(skb);
9986 		return -EINVAL;
9987 	}
9988 
9989 	nla_nest_end(skb, data);
9990 	genlmsg_end(skb, hdr);
9991 	return genlmsg_reply(skb, rdev->cur_cmd_info);
9992 }
9993 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
9994 
9995 
9996 static int nl80211_set_qos_map(struct sk_buff *skb,
9997 			       struct genl_info *info)
9998 {
9999 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10000 	struct cfg80211_qos_map *qos_map = NULL;
10001 	struct net_device *dev = info->user_ptr[1];
10002 	u8 *pos, len, num_des, des_len, des;
10003 	int ret;
10004 
10005 	if (!rdev->ops->set_qos_map)
10006 		return -EOPNOTSUPP;
10007 
10008 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
10009 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
10010 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
10011 
10012 		if (len % 2 || len < IEEE80211_QOS_MAP_LEN_MIN ||
10013 		    len > IEEE80211_QOS_MAP_LEN_MAX)
10014 			return -EINVAL;
10015 
10016 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
10017 		if (!qos_map)
10018 			return -ENOMEM;
10019 
10020 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
10021 		if (num_des) {
10022 			des_len = num_des *
10023 				sizeof(struct cfg80211_dscp_exception);
10024 			memcpy(qos_map->dscp_exception, pos, des_len);
10025 			qos_map->num_des = num_des;
10026 			for (des = 0; des < num_des; des++) {
10027 				if (qos_map->dscp_exception[des].up > 7) {
10028 					kfree(qos_map);
10029 					return -EINVAL;
10030 				}
10031 			}
10032 			pos += des_len;
10033 		}
10034 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
10035 	}
10036 
10037 	wdev_lock(dev->ieee80211_ptr);
10038 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
10039 	if (!ret)
10040 		ret = rdev_set_qos_map(rdev, dev, qos_map);
10041 	wdev_unlock(dev->ieee80211_ptr);
10042 
10043 	kfree(qos_map);
10044 	return ret;
10045 }
10046 
10047 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
10048 {
10049 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10050 	struct net_device *dev = info->user_ptr[1];
10051 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10052 	const u8 *peer;
10053 	u8 tsid, up;
10054 	u16 admitted_time = 0;
10055 	int err;
10056 
10057 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
10058 		return -EOPNOTSUPP;
10059 
10060 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
10061 	    !info->attrs[NL80211_ATTR_USER_PRIO])
10062 		return -EINVAL;
10063 
10064 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
10065 	if (tsid >= IEEE80211_NUM_TIDS)
10066 		return -EINVAL;
10067 
10068 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
10069 	if (up >= IEEE80211_NUM_UPS)
10070 		return -EINVAL;
10071 
10072 	/* WMM uses TIDs 0-7 even for TSPEC */
10073 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
10074 		/* TODO: handle 802.11 TSPEC/admission control
10075 		 * need more attributes for that (e.g. BA session requirement);
10076 		 * change the WMM adminssion test above to allow both then
10077 		 */
10078 		return -EINVAL;
10079 	}
10080 
10081 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10082 
10083 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
10084 		admitted_time =
10085 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
10086 		if (!admitted_time)
10087 			return -EINVAL;
10088 	}
10089 
10090 	wdev_lock(wdev);
10091 	switch (wdev->iftype) {
10092 	case NL80211_IFTYPE_STATION:
10093 	case NL80211_IFTYPE_P2P_CLIENT:
10094 		if (wdev->current_bss)
10095 			break;
10096 		err = -ENOTCONN;
10097 		goto out;
10098 	default:
10099 		err = -EOPNOTSUPP;
10100 		goto out;
10101 	}
10102 
10103 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
10104 
10105  out:
10106 	wdev_unlock(wdev);
10107 	return err;
10108 }
10109 
10110 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
10111 {
10112 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10113 	struct net_device *dev = info->user_ptr[1];
10114 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10115 	const u8 *peer;
10116 	u8 tsid;
10117 	int err;
10118 
10119 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
10120 		return -EINVAL;
10121 
10122 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
10123 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10124 
10125 	wdev_lock(wdev);
10126 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
10127 	wdev_unlock(wdev);
10128 
10129 	return err;
10130 }
10131 
10132 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
10133 				       struct genl_info *info)
10134 {
10135 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10136 	struct net_device *dev = info->user_ptr[1];
10137 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10138 	struct cfg80211_chan_def chandef = {};
10139 	const u8 *addr;
10140 	u8 oper_class;
10141 	int err;
10142 
10143 	if (!rdev->ops->tdls_channel_switch ||
10144 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
10145 		return -EOPNOTSUPP;
10146 
10147 	switch (dev->ieee80211_ptr->iftype) {
10148 	case NL80211_IFTYPE_STATION:
10149 	case NL80211_IFTYPE_P2P_CLIENT:
10150 		break;
10151 	default:
10152 		return -EOPNOTSUPP;
10153 	}
10154 
10155 	if (!info->attrs[NL80211_ATTR_MAC] ||
10156 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
10157 		return -EINVAL;
10158 
10159 	err = nl80211_parse_chandef(rdev, info, &chandef);
10160 	if (err)
10161 		return err;
10162 
10163 	/*
10164 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
10165 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
10166 	 * specification is not defined for them.
10167 	 */
10168 	if (chandef.chan->band == IEEE80211_BAND_2GHZ &&
10169 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
10170 	    chandef.width != NL80211_CHAN_WIDTH_20)
10171 		return -EINVAL;
10172 
10173 	/* we will be active on the TDLS link */
10174 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
10175 					   wdev->iftype))
10176 		return -EINVAL;
10177 
10178 	/* don't allow switching to DFS channels */
10179 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
10180 		return -EINVAL;
10181 
10182 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
10183 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
10184 
10185 	wdev_lock(wdev);
10186 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
10187 	wdev_unlock(wdev);
10188 
10189 	return err;
10190 }
10191 
10192 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
10193 					      struct genl_info *info)
10194 {
10195 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10196 	struct net_device *dev = info->user_ptr[1];
10197 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10198 	const u8 *addr;
10199 
10200 	if (!rdev->ops->tdls_channel_switch ||
10201 	    !rdev->ops->tdls_cancel_channel_switch ||
10202 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
10203 		return -EOPNOTSUPP;
10204 
10205 	switch (dev->ieee80211_ptr->iftype) {
10206 	case NL80211_IFTYPE_STATION:
10207 	case NL80211_IFTYPE_P2P_CLIENT:
10208 		break;
10209 	default:
10210 		return -EOPNOTSUPP;
10211 	}
10212 
10213 	if (!info->attrs[NL80211_ATTR_MAC])
10214 		return -EINVAL;
10215 
10216 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
10217 
10218 	wdev_lock(wdev);
10219 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
10220 	wdev_unlock(wdev);
10221 
10222 	return 0;
10223 }
10224 
10225 #define NL80211_FLAG_NEED_WIPHY		0x01
10226 #define NL80211_FLAG_NEED_NETDEV	0x02
10227 #define NL80211_FLAG_NEED_RTNL		0x04
10228 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
10229 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
10230 					 NL80211_FLAG_CHECK_NETDEV_UP)
10231 #define NL80211_FLAG_NEED_WDEV		0x10
10232 /* If a netdev is associated, it must be UP, P2P must be started */
10233 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
10234 					 NL80211_FLAG_CHECK_NETDEV_UP)
10235 #define NL80211_FLAG_CLEAR_SKB		0x20
10236 
10237 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
10238 			    struct genl_info *info)
10239 {
10240 	struct cfg80211_registered_device *rdev;
10241 	struct wireless_dev *wdev;
10242 	struct net_device *dev;
10243 	bool rtnl = ops->internal_flags & NL80211_FLAG_NEED_RTNL;
10244 
10245 	if (rtnl)
10246 		rtnl_lock();
10247 
10248 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
10249 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
10250 		if (IS_ERR(rdev)) {
10251 			if (rtnl)
10252 				rtnl_unlock();
10253 			return PTR_ERR(rdev);
10254 		}
10255 		info->user_ptr[0] = rdev;
10256 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
10257 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
10258 		ASSERT_RTNL();
10259 
10260 		wdev = __cfg80211_wdev_from_attrs(genl_info_net(info),
10261 						  info->attrs);
10262 		if (IS_ERR(wdev)) {
10263 			if (rtnl)
10264 				rtnl_unlock();
10265 			return PTR_ERR(wdev);
10266 		}
10267 
10268 		dev = wdev->netdev;
10269 		rdev = wiphy_to_rdev(wdev->wiphy);
10270 
10271 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
10272 			if (!dev) {
10273 				if (rtnl)
10274 					rtnl_unlock();
10275 				return -EINVAL;
10276 			}
10277 
10278 			info->user_ptr[1] = dev;
10279 		} else {
10280 			info->user_ptr[1] = wdev;
10281 		}
10282 
10283 		if (dev) {
10284 			if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
10285 			    !netif_running(dev)) {
10286 				if (rtnl)
10287 					rtnl_unlock();
10288 				return -ENETDOWN;
10289 			}
10290 
10291 			dev_hold(dev);
10292 		} else if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP) {
10293 			if (!wdev->p2p_started) {
10294 				if (rtnl)
10295 					rtnl_unlock();
10296 				return -ENETDOWN;
10297 			}
10298 		}
10299 
10300 		info->user_ptr[0] = rdev;
10301 	}
10302 
10303 	return 0;
10304 }
10305 
10306 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
10307 			      struct genl_info *info)
10308 {
10309 	if (info->user_ptr[1]) {
10310 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
10311 			struct wireless_dev *wdev = info->user_ptr[1];
10312 
10313 			if (wdev->netdev)
10314 				dev_put(wdev->netdev);
10315 		} else {
10316 			dev_put(info->user_ptr[1]);
10317 		}
10318 	}
10319 
10320 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
10321 		rtnl_unlock();
10322 
10323 	/* If needed, clear the netlink message payload from the SKB
10324 	 * as it might contain key data that shouldn't stick around on
10325 	 * the heap after the SKB is freed. The netlink message header
10326 	 * is still needed for further processing, so leave it intact.
10327 	 */
10328 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
10329 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
10330 
10331 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
10332 	}
10333 }
10334 
10335 static const struct genl_ops nl80211_ops[] = {
10336 	{
10337 		.cmd = NL80211_CMD_GET_WIPHY,
10338 		.doit = nl80211_get_wiphy,
10339 		.dumpit = nl80211_dump_wiphy,
10340 		.done = nl80211_dump_wiphy_done,
10341 		.policy = nl80211_policy,
10342 		/* can be retrieved by unprivileged users */
10343 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10344 				  NL80211_FLAG_NEED_RTNL,
10345 	},
10346 	{
10347 		.cmd = NL80211_CMD_SET_WIPHY,
10348 		.doit = nl80211_set_wiphy,
10349 		.policy = nl80211_policy,
10350 		.flags = GENL_ADMIN_PERM,
10351 		.internal_flags = NL80211_FLAG_NEED_RTNL,
10352 	},
10353 	{
10354 		.cmd = NL80211_CMD_GET_INTERFACE,
10355 		.doit = nl80211_get_interface,
10356 		.dumpit = nl80211_dump_interface,
10357 		.policy = nl80211_policy,
10358 		/* can be retrieved by unprivileged users */
10359 		.internal_flags = NL80211_FLAG_NEED_WDEV |
10360 				  NL80211_FLAG_NEED_RTNL,
10361 	},
10362 	{
10363 		.cmd = NL80211_CMD_SET_INTERFACE,
10364 		.doit = nl80211_set_interface,
10365 		.policy = nl80211_policy,
10366 		.flags = GENL_ADMIN_PERM,
10367 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10368 				  NL80211_FLAG_NEED_RTNL,
10369 	},
10370 	{
10371 		.cmd = NL80211_CMD_NEW_INTERFACE,
10372 		.doit = nl80211_new_interface,
10373 		.policy = nl80211_policy,
10374 		.flags = GENL_ADMIN_PERM,
10375 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10376 				  NL80211_FLAG_NEED_RTNL,
10377 	},
10378 	{
10379 		.cmd = NL80211_CMD_DEL_INTERFACE,
10380 		.doit = nl80211_del_interface,
10381 		.policy = nl80211_policy,
10382 		.flags = GENL_ADMIN_PERM,
10383 		.internal_flags = NL80211_FLAG_NEED_WDEV |
10384 				  NL80211_FLAG_NEED_RTNL,
10385 	},
10386 	{
10387 		.cmd = NL80211_CMD_GET_KEY,
10388 		.doit = nl80211_get_key,
10389 		.policy = nl80211_policy,
10390 		.flags = GENL_ADMIN_PERM,
10391 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10392 				  NL80211_FLAG_NEED_RTNL,
10393 	},
10394 	{
10395 		.cmd = NL80211_CMD_SET_KEY,
10396 		.doit = nl80211_set_key,
10397 		.policy = nl80211_policy,
10398 		.flags = GENL_ADMIN_PERM,
10399 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10400 				  NL80211_FLAG_NEED_RTNL |
10401 				  NL80211_FLAG_CLEAR_SKB,
10402 	},
10403 	{
10404 		.cmd = NL80211_CMD_NEW_KEY,
10405 		.doit = nl80211_new_key,
10406 		.policy = nl80211_policy,
10407 		.flags = GENL_ADMIN_PERM,
10408 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10409 				  NL80211_FLAG_NEED_RTNL |
10410 				  NL80211_FLAG_CLEAR_SKB,
10411 	},
10412 	{
10413 		.cmd = NL80211_CMD_DEL_KEY,
10414 		.doit = nl80211_del_key,
10415 		.policy = nl80211_policy,
10416 		.flags = GENL_ADMIN_PERM,
10417 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10418 				  NL80211_FLAG_NEED_RTNL,
10419 	},
10420 	{
10421 		.cmd = NL80211_CMD_SET_BEACON,
10422 		.policy = nl80211_policy,
10423 		.flags = GENL_ADMIN_PERM,
10424 		.doit = nl80211_set_beacon,
10425 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10426 				  NL80211_FLAG_NEED_RTNL,
10427 	},
10428 	{
10429 		.cmd = NL80211_CMD_START_AP,
10430 		.policy = nl80211_policy,
10431 		.flags = GENL_ADMIN_PERM,
10432 		.doit = nl80211_start_ap,
10433 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10434 				  NL80211_FLAG_NEED_RTNL,
10435 	},
10436 	{
10437 		.cmd = NL80211_CMD_STOP_AP,
10438 		.policy = nl80211_policy,
10439 		.flags = GENL_ADMIN_PERM,
10440 		.doit = nl80211_stop_ap,
10441 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10442 				  NL80211_FLAG_NEED_RTNL,
10443 	},
10444 	{
10445 		.cmd = NL80211_CMD_GET_STATION,
10446 		.doit = nl80211_get_station,
10447 		.dumpit = nl80211_dump_station,
10448 		.policy = nl80211_policy,
10449 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10450 				  NL80211_FLAG_NEED_RTNL,
10451 	},
10452 	{
10453 		.cmd = NL80211_CMD_SET_STATION,
10454 		.doit = nl80211_set_station,
10455 		.policy = nl80211_policy,
10456 		.flags = GENL_ADMIN_PERM,
10457 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10458 				  NL80211_FLAG_NEED_RTNL,
10459 	},
10460 	{
10461 		.cmd = NL80211_CMD_NEW_STATION,
10462 		.doit = nl80211_new_station,
10463 		.policy = nl80211_policy,
10464 		.flags = GENL_ADMIN_PERM,
10465 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10466 				  NL80211_FLAG_NEED_RTNL,
10467 	},
10468 	{
10469 		.cmd = NL80211_CMD_DEL_STATION,
10470 		.doit = nl80211_del_station,
10471 		.policy = nl80211_policy,
10472 		.flags = GENL_ADMIN_PERM,
10473 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10474 				  NL80211_FLAG_NEED_RTNL,
10475 	},
10476 	{
10477 		.cmd = NL80211_CMD_GET_MPATH,
10478 		.doit = nl80211_get_mpath,
10479 		.dumpit = nl80211_dump_mpath,
10480 		.policy = nl80211_policy,
10481 		.flags = GENL_ADMIN_PERM,
10482 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10483 				  NL80211_FLAG_NEED_RTNL,
10484 	},
10485 	{
10486 		.cmd = NL80211_CMD_GET_MPP,
10487 		.doit = nl80211_get_mpp,
10488 		.dumpit = nl80211_dump_mpp,
10489 		.policy = nl80211_policy,
10490 		.flags = GENL_ADMIN_PERM,
10491 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10492 				  NL80211_FLAG_NEED_RTNL,
10493 	},
10494 	{
10495 		.cmd = NL80211_CMD_SET_MPATH,
10496 		.doit = nl80211_set_mpath,
10497 		.policy = nl80211_policy,
10498 		.flags = GENL_ADMIN_PERM,
10499 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10500 				  NL80211_FLAG_NEED_RTNL,
10501 	},
10502 	{
10503 		.cmd = NL80211_CMD_NEW_MPATH,
10504 		.doit = nl80211_new_mpath,
10505 		.policy = nl80211_policy,
10506 		.flags = GENL_ADMIN_PERM,
10507 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10508 				  NL80211_FLAG_NEED_RTNL,
10509 	},
10510 	{
10511 		.cmd = NL80211_CMD_DEL_MPATH,
10512 		.doit = nl80211_del_mpath,
10513 		.policy = nl80211_policy,
10514 		.flags = GENL_ADMIN_PERM,
10515 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10516 				  NL80211_FLAG_NEED_RTNL,
10517 	},
10518 	{
10519 		.cmd = NL80211_CMD_SET_BSS,
10520 		.doit = nl80211_set_bss,
10521 		.policy = nl80211_policy,
10522 		.flags = GENL_ADMIN_PERM,
10523 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10524 				  NL80211_FLAG_NEED_RTNL,
10525 	},
10526 	{
10527 		.cmd = NL80211_CMD_GET_REG,
10528 		.doit = nl80211_get_reg_do,
10529 		.dumpit = nl80211_get_reg_dump,
10530 		.policy = nl80211_policy,
10531 		.internal_flags = NL80211_FLAG_NEED_RTNL,
10532 		/* can be retrieved by unprivileged users */
10533 	},
10534 	{
10535 		.cmd = NL80211_CMD_SET_REG,
10536 		.doit = nl80211_set_reg,
10537 		.policy = nl80211_policy,
10538 		.flags = GENL_ADMIN_PERM,
10539 		.internal_flags = NL80211_FLAG_NEED_RTNL,
10540 	},
10541 	{
10542 		.cmd = NL80211_CMD_REQ_SET_REG,
10543 		.doit = nl80211_req_set_reg,
10544 		.policy = nl80211_policy,
10545 		.flags = GENL_ADMIN_PERM,
10546 	},
10547 	{
10548 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
10549 		.doit = nl80211_get_mesh_config,
10550 		.policy = nl80211_policy,
10551 		/* can be retrieved by unprivileged users */
10552 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10553 				  NL80211_FLAG_NEED_RTNL,
10554 	},
10555 	{
10556 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
10557 		.doit = nl80211_update_mesh_config,
10558 		.policy = nl80211_policy,
10559 		.flags = GENL_ADMIN_PERM,
10560 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10561 				  NL80211_FLAG_NEED_RTNL,
10562 	},
10563 	{
10564 		.cmd = NL80211_CMD_TRIGGER_SCAN,
10565 		.doit = nl80211_trigger_scan,
10566 		.policy = nl80211_policy,
10567 		.flags = GENL_ADMIN_PERM,
10568 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10569 				  NL80211_FLAG_NEED_RTNL,
10570 	},
10571 	{
10572 		.cmd = NL80211_CMD_GET_SCAN,
10573 		.policy = nl80211_policy,
10574 		.dumpit = nl80211_dump_scan,
10575 	},
10576 	{
10577 		.cmd = NL80211_CMD_START_SCHED_SCAN,
10578 		.doit = nl80211_start_sched_scan,
10579 		.policy = nl80211_policy,
10580 		.flags = GENL_ADMIN_PERM,
10581 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10582 				  NL80211_FLAG_NEED_RTNL,
10583 	},
10584 	{
10585 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
10586 		.doit = nl80211_stop_sched_scan,
10587 		.policy = nl80211_policy,
10588 		.flags = GENL_ADMIN_PERM,
10589 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10590 				  NL80211_FLAG_NEED_RTNL,
10591 	},
10592 	{
10593 		.cmd = NL80211_CMD_AUTHENTICATE,
10594 		.doit = nl80211_authenticate,
10595 		.policy = nl80211_policy,
10596 		.flags = GENL_ADMIN_PERM,
10597 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10598 				  NL80211_FLAG_NEED_RTNL |
10599 				  NL80211_FLAG_CLEAR_SKB,
10600 	},
10601 	{
10602 		.cmd = NL80211_CMD_ASSOCIATE,
10603 		.doit = nl80211_associate,
10604 		.policy = nl80211_policy,
10605 		.flags = GENL_ADMIN_PERM,
10606 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10607 				  NL80211_FLAG_NEED_RTNL,
10608 	},
10609 	{
10610 		.cmd = NL80211_CMD_DEAUTHENTICATE,
10611 		.doit = nl80211_deauthenticate,
10612 		.policy = nl80211_policy,
10613 		.flags = GENL_ADMIN_PERM,
10614 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10615 				  NL80211_FLAG_NEED_RTNL,
10616 	},
10617 	{
10618 		.cmd = NL80211_CMD_DISASSOCIATE,
10619 		.doit = nl80211_disassociate,
10620 		.policy = nl80211_policy,
10621 		.flags = GENL_ADMIN_PERM,
10622 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10623 				  NL80211_FLAG_NEED_RTNL,
10624 	},
10625 	{
10626 		.cmd = NL80211_CMD_JOIN_IBSS,
10627 		.doit = nl80211_join_ibss,
10628 		.policy = nl80211_policy,
10629 		.flags = GENL_ADMIN_PERM,
10630 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10631 				  NL80211_FLAG_NEED_RTNL,
10632 	},
10633 	{
10634 		.cmd = NL80211_CMD_LEAVE_IBSS,
10635 		.doit = nl80211_leave_ibss,
10636 		.policy = nl80211_policy,
10637 		.flags = GENL_ADMIN_PERM,
10638 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10639 				  NL80211_FLAG_NEED_RTNL,
10640 	},
10641 #ifdef CONFIG_NL80211_TESTMODE
10642 	{
10643 		.cmd = NL80211_CMD_TESTMODE,
10644 		.doit = nl80211_testmode_do,
10645 		.dumpit = nl80211_testmode_dump,
10646 		.policy = nl80211_policy,
10647 		.flags = GENL_ADMIN_PERM,
10648 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10649 				  NL80211_FLAG_NEED_RTNL,
10650 	},
10651 #endif
10652 	{
10653 		.cmd = NL80211_CMD_CONNECT,
10654 		.doit = nl80211_connect,
10655 		.policy = nl80211_policy,
10656 		.flags = GENL_ADMIN_PERM,
10657 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10658 				  NL80211_FLAG_NEED_RTNL,
10659 	},
10660 	{
10661 		.cmd = NL80211_CMD_DISCONNECT,
10662 		.doit = nl80211_disconnect,
10663 		.policy = nl80211_policy,
10664 		.flags = GENL_ADMIN_PERM,
10665 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10666 				  NL80211_FLAG_NEED_RTNL,
10667 	},
10668 	{
10669 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
10670 		.doit = nl80211_wiphy_netns,
10671 		.policy = nl80211_policy,
10672 		.flags = GENL_ADMIN_PERM,
10673 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10674 				  NL80211_FLAG_NEED_RTNL,
10675 	},
10676 	{
10677 		.cmd = NL80211_CMD_GET_SURVEY,
10678 		.policy = nl80211_policy,
10679 		.dumpit = nl80211_dump_survey,
10680 	},
10681 	{
10682 		.cmd = NL80211_CMD_SET_PMKSA,
10683 		.doit = nl80211_setdel_pmksa,
10684 		.policy = nl80211_policy,
10685 		.flags = GENL_ADMIN_PERM,
10686 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10687 				  NL80211_FLAG_NEED_RTNL,
10688 	},
10689 	{
10690 		.cmd = NL80211_CMD_DEL_PMKSA,
10691 		.doit = nl80211_setdel_pmksa,
10692 		.policy = nl80211_policy,
10693 		.flags = GENL_ADMIN_PERM,
10694 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10695 				  NL80211_FLAG_NEED_RTNL,
10696 	},
10697 	{
10698 		.cmd = NL80211_CMD_FLUSH_PMKSA,
10699 		.doit = nl80211_flush_pmksa,
10700 		.policy = nl80211_policy,
10701 		.flags = GENL_ADMIN_PERM,
10702 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10703 				  NL80211_FLAG_NEED_RTNL,
10704 	},
10705 	{
10706 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
10707 		.doit = nl80211_remain_on_channel,
10708 		.policy = nl80211_policy,
10709 		.flags = GENL_ADMIN_PERM,
10710 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10711 				  NL80211_FLAG_NEED_RTNL,
10712 	},
10713 	{
10714 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
10715 		.doit = nl80211_cancel_remain_on_channel,
10716 		.policy = nl80211_policy,
10717 		.flags = GENL_ADMIN_PERM,
10718 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10719 				  NL80211_FLAG_NEED_RTNL,
10720 	},
10721 	{
10722 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
10723 		.doit = nl80211_set_tx_bitrate_mask,
10724 		.policy = nl80211_policy,
10725 		.flags = GENL_ADMIN_PERM,
10726 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10727 				  NL80211_FLAG_NEED_RTNL,
10728 	},
10729 	{
10730 		.cmd = NL80211_CMD_REGISTER_FRAME,
10731 		.doit = nl80211_register_mgmt,
10732 		.policy = nl80211_policy,
10733 		.flags = GENL_ADMIN_PERM,
10734 		.internal_flags = NL80211_FLAG_NEED_WDEV |
10735 				  NL80211_FLAG_NEED_RTNL,
10736 	},
10737 	{
10738 		.cmd = NL80211_CMD_FRAME,
10739 		.doit = nl80211_tx_mgmt,
10740 		.policy = nl80211_policy,
10741 		.flags = GENL_ADMIN_PERM,
10742 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10743 				  NL80211_FLAG_NEED_RTNL,
10744 	},
10745 	{
10746 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
10747 		.doit = nl80211_tx_mgmt_cancel_wait,
10748 		.policy = nl80211_policy,
10749 		.flags = GENL_ADMIN_PERM,
10750 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10751 				  NL80211_FLAG_NEED_RTNL,
10752 	},
10753 	{
10754 		.cmd = NL80211_CMD_SET_POWER_SAVE,
10755 		.doit = nl80211_set_power_save,
10756 		.policy = nl80211_policy,
10757 		.flags = GENL_ADMIN_PERM,
10758 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10759 				  NL80211_FLAG_NEED_RTNL,
10760 	},
10761 	{
10762 		.cmd = NL80211_CMD_GET_POWER_SAVE,
10763 		.doit = nl80211_get_power_save,
10764 		.policy = nl80211_policy,
10765 		/* can be retrieved by unprivileged users */
10766 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10767 				  NL80211_FLAG_NEED_RTNL,
10768 	},
10769 	{
10770 		.cmd = NL80211_CMD_SET_CQM,
10771 		.doit = nl80211_set_cqm,
10772 		.policy = nl80211_policy,
10773 		.flags = GENL_ADMIN_PERM,
10774 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10775 				  NL80211_FLAG_NEED_RTNL,
10776 	},
10777 	{
10778 		.cmd = NL80211_CMD_SET_CHANNEL,
10779 		.doit = nl80211_set_channel,
10780 		.policy = nl80211_policy,
10781 		.flags = GENL_ADMIN_PERM,
10782 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10783 				  NL80211_FLAG_NEED_RTNL,
10784 	},
10785 	{
10786 		.cmd = NL80211_CMD_SET_WDS_PEER,
10787 		.doit = nl80211_set_wds_peer,
10788 		.policy = nl80211_policy,
10789 		.flags = GENL_ADMIN_PERM,
10790 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10791 				  NL80211_FLAG_NEED_RTNL,
10792 	},
10793 	{
10794 		.cmd = NL80211_CMD_JOIN_MESH,
10795 		.doit = nl80211_join_mesh,
10796 		.policy = nl80211_policy,
10797 		.flags = GENL_ADMIN_PERM,
10798 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10799 				  NL80211_FLAG_NEED_RTNL,
10800 	},
10801 	{
10802 		.cmd = NL80211_CMD_LEAVE_MESH,
10803 		.doit = nl80211_leave_mesh,
10804 		.policy = nl80211_policy,
10805 		.flags = GENL_ADMIN_PERM,
10806 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10807 				  NL80211_FLAG_NEED_RTNL,
10808 	},
10809 	{
10810 		.cmd = NL80211_CMD_JOIN_OCB,
10811 		.doit = nl80211_join_ocb,
10812 		.policy = nl80211_policy,
10813 		.flags = GENL_ADMIN_PERM,
10814 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10815 				  NL80211_FLAG_NEED_RTNL,
10816 	},
10817 	{
10818 		.cmd = NL80211_CMD_LEAVE_OCB,
10819 		.doit = nl80211_leave_ocb,
10820 		.policy = nl80211_policy,
10821 		.flags = GENL_ADMIN_PERM,
10822 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10823 				  NL80211_FLAG_NEED_RTNL,
10824 	},
10825 #ifdef CONFIG_PM
10826 	{
10827 		.cmd = NL80211_CMD_GET_WOWLAN,
10828 		.doit = nl80211_get_wowlan,
10829 		.policy = nl80211_policy,
10830 		/* can be retrieved by unprivileged users */
10831 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10832 				  NL80211_FLAG_NEED_RTNL,
10833 	},
10834 	{
10835 		.cmd = NL80211_CMD_SET_WOWLAN,
10836 		.doit = nl80211_set_wowlan,
10837 		.policy = nl80211_policy,
10838 		.flags = GENL_ADMIN_PERM,
10839 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10840 				  NL80211_FLAG_NEED_RTNL,
10841 	},
10842 #endif
10843 	{
10844 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
10845 		.doit = nl80211_set_rekey_data,
10846 		.policy = nl80211_policy,
10847 		.flags = GENL_ADMIN_PERM,
10848 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10849 				  NL80211_FLAG_NEED_RTNL |
10850 				  NL80211_FLAG_CLEAR_SKB,
10851 	},
10852 	{
10853 		.cmd = NL80211_CMD_TDLS_MGMT,
10854 		.doit = nl80211_tdls_mgmt,
10855 		.policy = nl80211_policy,
10856 		.flags = GENL_ADMIN_PERM,
10857 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10858 				  NL80211_FLAG_NEED_RTNL,
10859 	},
10860 	{
10861 		.cmd = NL80211_CMD_TDLS_OPER,
10862 		.doit = nl80211_tdls_oper,
10863 		.policy = nl80211_policy,
10864 		.flags = GENL_ADMIN_PERM,
10865 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10866 				  NL80211_FLAG_NEED_RTNL,
10867 	},
10868 	{
10869 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
10870 		.doit = nl80211_register_unexpected_frame,
10871 		.policy = nl80211_policy,
10872 		.flags = GENL_ADMIN_PERM,
10873 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10874 				  NL80211_FLAG_NEED_RTNL,
10875 	},
10876 	{
10877 		.cmd = NL80211_CMD_PROBE_CLIENT,
10878 		.doit = nl80211_probe_client,
10879 		.policy = nl80211_policy,
10880 		.flags = GENL_ADMIN_PERM,
10881 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10882 				  NL80211_FLAG_NEED_RTNL,
10883 	},
10884 	{
10885 		.cmd = NL80211_CMD_REGISTER_BEACONS,
10886 		.doit = nl80211_register_beacons,
10887 		.policy = nl80211_policy,
10888 		.flags = GENL_ADMIN_PERM,
10889 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10890 				  NL80211_FLAG_NEED_RTNL,
10891 	},
10892 	{
10893 		.cmd = NL80211_CMD_SET_NOACK_MAP,
10894 		.doit = nl80211_set_noack_map,
10895 		.policy = nl80211_policy,
10896 		.flags = GENL_ADMIN_PERM,
10897 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10898 				  NL80211_FLAG_NEED_RTNL,
10899 	},
10900 	{
10901 		.cmd = NL80211_CMD_START_P2P_DEVICE,
10902 		.doit = nl80211_start_p2p_device,
10903 		.policy = nl80211_policy,
10904 		.flags = GENL_ADMIN_PERM,
10905 		.internal_flags = NL80211_FLAG_NEED_WDEV |
10906 				  NL80211_FLAG_NEED_RTNL,
10907 	},
10908 	{
10909 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
10910 		.doit = nl80211_stop_p2p_device,
10911 		.policy = nl80211_policy,
10912 		.flags = GENL_ADMIN_PERM,
10913 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10914 				  NL80211_FLAG_NEED_RTNL,
10915 	},
10916 	{
10917 		.cmd = NL80211_CMD_SET_MCAST_RATE,
10918 		.doit = nl80211_set_mcast_rate,
10919 		.policy = nl80211_policy,
10920 		.flags = GENL_ADMIN_PERM,
10921 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10922 				  NL80211_FLAG_NEED_RTNL,
10923 	},
10924 	{
10925 		.cmd = NL80211_CMD_SET_MAC_ACL,
10926 		.doit = nl80211_set_mac_acl,
10927 		.policy = nl80211_policy,
10928 		.flags = GENL_ADMIN_PERM,
10929 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
10930 				  NL80211_FLAG_NEED_RTNL,
10931 	},
10932 	{
10933 		.cmd = NL80211_CMD_RADAR_DETECT,
10934 		.doit = nl80211_start_radar_detection,
10935 		.policy = nl80211_policy,
10936 		.flags = GENL_ADMIN_PERM,
10937 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10938 				  NL80211_FLAG_NEED_RTNL,
10939 	},
10940 	{
10941 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
10942 		.doit = nl80211_get_protocol_features,
10943 		.policy = nl80211_policy,
10944 	},
10945 	{
10946 		.cmd = NL80211_CMD_UPDATE_FT_IES,
10947 		.doit = nl80211_update_ft_ies,
10948 		.policy = nl80211_policy,
10949 		.flags = GENL_ADMIN_PERM,
10950 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10951 				  NL80211_FLAG_NEED_RTNL,
10952 	},
10953 	{
10954 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
10955 		.doit = nl80211_crit_protocol_start,
10956 		.policy = nl80211_policy,
10957 		.flags = GENL_ADMIN_PERM,
10958 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10959 				  NL80211_FLAG_NEED_RTNL,
10960 	},
10961 	{
10962 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
10963 		.doit = nl80211_crit_protocol_stop,
10964 		.policy = nl80211_policy,
10965 		.flags = GENL_ADMIN_PERM,
10966 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
10967 				  NL80211_FLAG_NEED_RTNL,
10968 	},
10969 	{
10970 		.cmd = NL80211_CMD_GET_COALESCE,
10971 		.doit = nl80211_get_coalesce,
10972 		.policy = nl80211_policy,
10973 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10974 				  NL80211_FLAG_NEED_RTNL,
10975 	},
10976 	{
10977 		.cmd = NL80211_CMD_SET_COALESCE,
10978 		.doit = nl80211_set_coalesce,
10979 		.policy = nl80211_policy,
10980 		.flags = GENL_ADMIN_PERM,
10981 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10982 				  NL80211_FLAG_NEED_RTNL,
10983 	},
10984 	{
10985 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
10986 		.doit = nl80211_channel_switch,
10987 		.policy = nl80211_policy,
10988 		.flags = GENL_ADMIN_PERM,
10989 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
10990 				  NL80211_FLAG_NEED_RTNL,
10991 	},
10992 	{
10993 		.cmd = NL80211_CMD_VENDOR,
10994 		.doit = nl80211_vendor_cmd,
10995 		.policy = nl80211_policy,
10996 		.flags = GENL_ADMIN_PERM,
10997 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10998 				  NL80211_FLAG_NEED_RTNL,
10999 	},
11000 	{
11001 		.cmd = NL80211_CMD_SET_QOS_MAP,
11002 		.doit = nl80211_set_qos_map,
11003 		.policy = nl80211_policy,
11004 		.flags = GENL_ADMIN_PERM,
11005 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11006 				  NL80211_FLAG_NEED_RTNL,
11007 	},
11008 	{
11009 		.cmd = NL80211_CMD_ADD_TX_TS,
11010 		.doit = nl80211_add_tx_ts,
11011 		.policy = nl80211_policy,
11012 		.flags = GENL_ADMIN_PERM,
11013 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11014 				  NL80211_FLAG_NEED_RTNL,
11015 	},
11016 	{
11017 		.cmd = NL80211_CMD_DEL_TX_TS,
11018 		.doit = nl80211_del_tx_ts,
11019 		.policy = nl80211_policy,
11020 		.flags = GENL_ADMIN_PERM,
11021 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11022 				  NL80211_FLAG_NEED_RTNL,
11023 	},
11024 	{
11025 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
11026 		.doit = nl80211_tdls_channel_switch,
11027 		.policy = nl80211_policy,
11028 		.flags = GENL_ADMIN_PERM,
11029 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11030 				  NL80211_FLAG_NEED_RTNL,
11031 	},
11032 	{
11033 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
11034 		.doit = nl80211_tdls_cancel_channel_switch,
11035 		.policy = nl80211_policy,
11036 		.flags = GENL_ADMIN_PERM,
11037 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11038 				  NL80211_FLAG_NEED_RTNL,
11039 	},
11040 };
11041 
11042 /* notification functions */
11043 
11044 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
11045 			  enum nl80211_commands cmd)
11046 {
11047 	struct sk_buff *msg;
11048 	struct nl80211_dump_wiphy_state state = {};
11049 
11050 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
11051 		cmd != NL80211_CMD_DEL_WIPHY);
11052 
11053 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11054 	if (!msg)
11055 		return;
11056 
11057 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
11058 		nlmsg_free(msg);
11059 		return;
11060 	}
11061 
11062 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11063 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
11064 }
11065 
11066 static int nl80211_add_scan_req(struct sk_buff *msg,
11067 				struct cfg80211_registered_device *rdev)
11068 {
11069 	struct cfg80211_scan_request *req = rdev->scan_req;
11070 	struct nlattr *nest;
11071 	int i;
11072 
11073 	if (WARN_ON(!req))
11074 		return 0;
11075 
11076 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_SSIDS);
11077 	if (!nest)
11078 		goto nla_put_failure;
11079 	for (i = 0; i < req->n_ssids; i++) {
11080 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
11081 			goto nla_put_failure;
11082 	}
11083 	nla_nest_end(msg, nest);
11084 
11085 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
11086 	if (!nest)
11087 		goto nla_put_failure;
11088 	for (i = 0; i < req->n_channels; i++) {
11089 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
11090 			goto nla_put_failure;
11091 	}
11092 	nla_nest_end(msg, nest);
11093 
11094 	if (req->ie &&
11095 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
11096 		goto nla_put_failure;
11097 
11098 	if (req->flags &&
11099 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
11100 		goto nla_put_failure;
11101 
11102 	return 0;
11103  nla_put_failure:
11104 	return -ENOBUFS;
11105 }
11106 
11107 static int nl80211_send_scan_msg(struct sk_buff *msg,
11108 				 struct cfg80211_registered_device *rdev,
11109 				 struct wireless_dev *wdev,
11110 				 u32 portid, u32 seq, int flags,
11111 				 u32 cmd)
11112 {
11113 	void *hdr;
11114 
11115 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
11116 	if (!hdr)
11117 		return -1;
11118 
11119 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11120 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
11121 					 wdev->netdev->ifindex)) ||
11122 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
11123 		goto nla_put_failure;
11124 
11125 	/* ignore errors and send incomplete event anyway */
11126 	nl80211_add_scan_req(msg, rdev);
11127 
11128 	genlmsg_end(msg, hdr);
11129 	return 0;
11130 
11131  nla_put_failure:
11132 	genlmsg_cancel(msg, hdr);
11133 	return -EMSGSIZE;
11134 }
11135 
11136 static int
11137 nl80211_send_sched_scan_msg(struct sk_buff *msg,
11138 			    struct cfg80211_registered_device *rdev,
11139 			    struct net_device *netdev,
11140 			    u32 portid, u32 seq, int flags, u32 cmd)
11141 {
11142 	void *hdr;
11143 
11144 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
11145 	if (!hdr)
11146 		return -1;
11147 
11148 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11149 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
11150 		goto nla_put_failure;
11151 
11152 	genlmsg_end(msg, hdr);
11153 	return 0;
11154 
11155  nla_put_failure:
11156 	genlmsg_cancel(msg, hdr);
11157 	return -EMSGSIZE;
11158 }
11159 
11160 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
11161 			     struct wireless_dev *wdev)
11162 {
11163 	struct sk_buff *msg;
11164 
11165 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11166 	if (!msg)
11167 		return;
11168 
11169 	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
11170 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
11171 		nlmsg_free(msg);
11172 		return;
11173 	}
11174 
11175 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11176 				NL80211_MCGRP_SCAN, GFP_KERNEL);
11177 }
11178 
11179 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
11180 				       struct wireless_dev *wdev, bool aborted)
11181 {
11182 	struct sk_buff *msg;
11183 
11184 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11185 	if (!msg)
11186 		return NULL;
11187 
11188 	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
11189 				  aborted ? NL80211_CMD_SCAN_ABORTED :
11190 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
11191 		nlmsg_free(msg);
11192 		return NULL;
11193 	}
11194 
11195 	return msg;
11196 }
11197 
11198 void nl80211_send_scan_result(struct cfg80211_registered_device *rdev,
11199 			      struct sk_buff *msg)
11200 {
11201 	if (!msg)
11202 		return;
11203 
11204 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11205 				NL80211_MCGRP_SCAN, GFP_KERNEL);
11206 }
11207 
11208 void nl80211_send_sched_scan_results(struct cfg80211_registered_device *rdev,
11209 				     struct net_device *netdev)
11210 {
11211 	struct sk_buff *msg;
11212 
11213 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11214 	if (!msg)
11215 		return;
11216 
11217 	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0,
11218 					NL80211_CMD_SCHED_SCAN_RESULTS) < 0) {
11219 		nlmsg_free(msg);
11220 		return;
11221 	}
11222 
11223 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11224 				NL80211_MCGRP_SCAN, GFP_KERNEL);
11225 }
11226 
11227 void nl80211_send_sched_scan(struct cfg80211_registered_device *rdev,
11228 			     struct net_device *netdev, u32 cmd)
11229 {
11230 	struct sk_buff *msg;
11231 
11232 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11233 	if (!msg)
11234 		return;
11235 
11236 	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0, cmd) < 0) {
11237 		nlmsg_free(msg);
11238 		return;
11239 	}
11240 
11241 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11242 				NL80211_MCGRP_SCAN, GFP_KERNEL);
11243 }
11244 
11245 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
11246 					  struct regulatory_request *request)
11247 {
11248 	/* Userspace can always count this one always being set */
11249 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
11250 		goto nla_put_failure;
11251 
11252 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
11253 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
11254 			       NL80211_REGDOM_TYPE_WORLD))
11255 			goto nla_put_failure;
11256 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
11257 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
11258 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
11259 			goto nla_put_failure;
11260 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
11261 		   request->intersect) {
11262 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
11263 			       NL80211_REGDOM_TYPE_INTERSECTION))
11264 			goto nla_put_failure;
11265 	} else {
11266 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
11267 			       NL80211_REGDOM_TYPE_COUNTRY) ||
11268 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
11269 				   request->alpha2))
11270 			goto nla_put_failure;
11271 	}
11272 
11273 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
11274 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
11275 
11276 		if (wiphy &&
11277 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
11278 			goto nla_put_failure;
11279 
11280 		if (wiphy &&
11281 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
11282 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
11283 			goto nla_put_failure;
11284 	}
11285 
11286 	return true;
11287 
11288 nla_put_failure:
11289 	return false;
11290 }
11291 
11292 /*
11293  * This can happen on global regulatory changes or device specific settings
11294  * based on custom regulatory domains.
11295  */
11296 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
11297 				     struct regulatory_request *request)
11298 {
11299 	struct sk_buff *msg;
11300 	void *hdr;
11301 
11302 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11303 	if (!msg)
11304 		return;
11305 
11306 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
11307 	if (!hdr) {
11308 		nlmsg_free(msg);
11309 		return;
11310 	}
11311 
11312 	if (nl80211_reg_change_event_fill(msg, request) == false)
11313 		goto nla_put_failure;
11314 
11315 	genlmsg_end(msg, hdr);
11316 
11317 	rcu_read_lock();
11318 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
11319 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
11320 	rcu_read_unlock();
11321 
11322 	return;
11323 
11324 nla_put_failure:
11325 	genlmsg_cancel(msg, hdr);
11326 	nlmsg_free(msg);
11327 }
11328 
11329 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
11330 				    struct net_device *netdev,
11331 				    const u8 *buf, size_t len,
11332 				    enum nl80211_commands cmd, gfp_t gfp,
11333 				    int uapsd_queues)
11334 {
11335 	struct sk_buff *msg;
11336 	void *hdr;
11337 
11338 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11339 	if (!msg)
11340 		return;
11341 
11342 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
11343 	if (!hdr) {
11344 		nlmsg_free(msg);
11345 		return;
11346 	}
11347 
11348 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11349 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11350 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf))
11351 		goto nla_put_failure;
11352 
11353 	if (uapsd_queues >= 0) {
11354 		struct nlattr *nla_wmm =
11355 			nla_nest_start(msg, NL80211_ATTR_STA_WME);
11356 		if (!nla_wmm)
11357 			goto nla_put_failure;
11358 
11359 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
11360 			       uapsd_queues))
11361 			goto nla_put_failure;
11362 
11363 		nla_nest_end(msg, nla_wmm);
11364 	}
11365 
11366 	genlmsg_end(msg, hdr);
11367 
11368 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11369 				NL80211_MCGRP_MLME, gfp);
11370 	return;
11371 
11372  nla_put_failure:
11373 	genlmsg_cancel(msg, hdr);
11374 	nlmsg_free(msg);
11375 }
11376 
11377 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
11378 			  struct net_device *netdev, const u8 *buf,
11379 			  size_t len, gfp_t gfp)
11380 {
11381 	nl80211_send_mlme_event(rdev, netdev, buf, len,
11382 				NL80211_CMD_AUTHENTICATE, gfp, -1);
11383 }
11384 
11385 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
11386 			   struct net_device *netdev, const u8 *buf,
11387 			   size_t len, gfp_t gfp, int uapsd_queues)
11388 {
11389 	nl80211_send_mlme_event(rdev, netdev, buf, len,
11390 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues);
11391 }
11392 
11393 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
11394 			 struct net_device *netdev, const u8 *buf,
11395 			 size_t len, gfp_t gfp)
11396 {
11397 	nl80211_send_mlme_event(rdev, netdev, buf, len,
11398 				NL80211_CMD_DEAUTHENTICATE, gfp, -1);
11399 }
11400 
11401 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
11402 			   struct net_device *netdev, const u8 *buf,
11403 			   size_t len, gfp_t gfp)
11404 {
11405 	nl80211_send_mlme_event(rdev, netdev, buf, len,
11406 				NL80211_CMD_DISASSOCIATE, gfp, -1);
11407 }
11408 
11409 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
11410 				  size_t len)
11411 {
11412 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11413 	struct wiphy *wiphy = wdev->wiphy;
11414 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11415 	const struct ieee80211_mgmt *mgmt = (void *)buf;
11416 	u32 cmd;
11417 
11418 	if (WARN_ON(len < 2))
11419 		return;
11420 
11421 	if (ieee80211_is_deauth(mgmt->frame_control))
11422 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
11423 	else
11424 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
11425 
11426 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
11427 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1);
11428 }
11429 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
11430 
11431 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
11432 				      struct net_device *netdev, int cmd,
11433 				      const u8 *addr, gfp_t gfp)
11434 {
11435 	struct sk_buff *msg;
11436 	void *hdr;
11437 
11438 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11439 	if (!msg)
11440 		return;
11441 
11442 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
11443 	if (!hdr) {
11444 		nlmsg_free(msg);
11445 		return;
11446 	}
11447 
11448 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11449 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11450 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
11451 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
11452 		goto nla_put_failure;
11453 
11454 	genlmsg_end(msg, hdr);
11455 
11456 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11457 				NL80211_MCGRP_MLME, gfp);
11458 	return;
11459 
11460  nla_put_failure:
11461 	genlmsg_cancel(msg, hdr);
11462 	nlmsg_free(msg);
11463 }
11464 
11465 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
11466 			       struct net_device *netdev, const u8 *addr,
11467 			       gfp_t gfp)
11468 {
11469 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
11470 				  addr, gfp);
11471 }
11472 
11473 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
11474 				struct net_device *netdev, const u8 *addr,
11475 				gfp_t gfp)
11476 {
11477 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
11478 				  addr, gfp);
11479 }
11480 
11481 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
11482 				 struct net_device *netdev, const u8 *bssid,
11483 				 const u8 *req_ie, size_t req_ie_len,
11484 				 const u8 *resp_ie, size_t resp_ie_len,
11485 				 u16 status, gfp_t gfp)
11486 {
11487 	struct sk_buff *msg;
11488 	void *hdr;
11489 
11490 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11491 	if (!msg)
11492 		return;
11493 
11494 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
11495 	if (!hdr) {
11496 		nlmsg_free(msg);
11497 		return;
11498 	}
11499 
11500 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11501 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11502 	    (bssid && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid)) ||
11503 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE, status) ||
11504 	    (req_ie &&
11505 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
11506 	    (resp_ie &&
11507 	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
11508 		goto nla_put_failure;
11509 
11510 	genlmsg_end(msg, hdr);
11511 
11512 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11513 				NL80211_MCGRP_MLME, gfp);
11514 	return;
11515 
11516  nla_put_failure:
11517 	genlmsg_cancel(msg, hdr);
11518 	nlmsg_free(msg);
11519 
11520 }
11521 
11522 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
11523 			 struct net_device *netdev, const u8 *bssid,
11524 			 const u8 *req_ie, size_t req_ie_len,
11525 			 const u8 *resp_ie, size_t resp_ie_len, gfp_t gfp)
11526 {
11527 	struct sk_buff *msg;
11528 	void *hdr;
11529 
11530 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11531 	if (!msg)
11532 		return;
11533 
11534 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
11535 	if (!hdr) {
11536 		nlmsg_free(msg);
11537 		return;
11538 	}
11539 
11540 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11541 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11542 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
11543 	    (req_ie &&
11544 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
11545 	    (resp_ie &&
11546 	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
11547 		goto nla_put_failure;
11548 
11549 	genlmsg_end(msg, hdr);
11550 
11551 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11552 				NL80211_MCGRP_MLME, gfp);
11553 	return;
11554 
11555  nla_put_failure:
11556 	genlmsg_cancel(msg, hdr);
11557 	nlmsg_free(msg);
11558 
11559 }
11560 
11561 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
11562 			       struct net_device *netdev, u16 reason,
11563 			       const u8 *ie, size_t ie_len, bool from_ap)
11564 {
11565 	struct sk_buff *msg;
11566 	void *hdr;
11567 
11568 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11569 	if (!msg)
11570 		return;
11571 
11572 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
11573 	if (!hdr) {
11574 		nlmsg_free(msg);
11575 		return;
11576 	}
11577 
11578 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11579 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11580 	    (from_ap && reason &&
11581 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
11582 	    (from_ap &&
11583 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
11584 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
11585 		goto nla_put_failure;
11586 
11587 	genlmsg_end(msg, hdr);
11588 
11589 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11590 				NL80211_MCGRP_MLME, GFP_KERNEL);
11591 	return;
11592 
11593  nla_put_failure:
11594 	genlmsg_cancel(msg, hdr);
11595 	nlmsg_free(msg);
11596 
11597 }
11598 
11599 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
11600 			     struct net_device *netdev, const u8 *bssid,
11601 			     gfp_t gfp)
11602 {
11603 	struct sk_buff *msg;
11604 	void *hdr;
11605 
11606 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11607 	if (!msg)
11608 		return;
11609 
11610 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
11611 	if (!hdr) {
11612 		nlmsg_free(msg);
11613 		return;
11614 	}
11615 
11616 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11617 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11618 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
11619 		goto nla_put_failure;
11620 
11621 	genlmsg_end(msg, hdr);
11622 
11623 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11624 				NL80211_MCGRP_MLME, gfp);
11625 	return;
11626 
11627  nla_put_failure:
11628 	genlmsg_cancel(msg, hdr);
11629 	nlmsg_free(msg);
11630 }
11631 
11632 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
11633 					const u8* ie, u8 ie_len, gfp_t gfp)
11634 {
11635 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11636 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
11637 	struct sk_buff *msg;
11638 	void *hdr;
11639 
11640 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
11641 		return;
11642 
11643 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
11644 
11645 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11646 	if (!msg)
11647 		return;
11648 
11649 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
11650 	if (!hdr) {
11651 		nlmsg_free(msg);
11652 		return;
11653 	}
11654 
11655 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11656 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11657 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
11658 	    (ie_len && ie &&
11659 	     nla_put(msg, NL80211_ATTR_IE, ie_len , ie)))
11660 		goto nla_put_failure;
11661 
11662 	genlmsg_end(msg, hdr);
11663 
11664 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11665 				NL80211_MCGRP_MLME, gfp);
11666 	return;
11667 
11668  nla_put_failure:
11669 	genlmsg_cancel(msg, hdr);
11670 	nlmsg_free(msg);
11671 }
11672 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
11673 
11674 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
11675 				 struct net_device *netdev, const u8 *addr,
11676 				 enum nl80211_key_type key_type, int key_id,
11677 				 const u8 *tsc, gfp_t gfp)
11678 {
11679 	struct sk_buff *msg;
11680 	void *hdr;
11681 
11682 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11683 	if (!msg)
11684 		return;
11685 
11686 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
11687 	if (!hdr) {
11688 		nlmsg_free(msg);
11689 		return;
11690 	}
11691 
11692 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11693 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
11694 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
11695 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
11696 	    (key_id != -1 &&
11697 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
11698 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
11699 		goto nla_put_failure;
11700 
11701 	genlmsg_end(msg, hdr);
11702 
11703 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11704 				NL80211_MCGRP_MLME, gfp);
11705 	return;
11706 
11707  nla_put_failure:
11708 	genlmsg_cancel(msg, hdr);
11709 	nlmsg_free(msg);
11710 }
11711 
11712 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
11713 				    struct ieee80211_channel *channel_before,
11714 				    struct ieee80211_channel *channel_after)
11715 {
11716 	struct sk_buff *msg;
11717 	void *hdr;
11718 	struct nlattr *nl_freq;
11719 
11720 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
11721 	if (!msg)
11722 		return;
11723 
11724 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
11725 	if (!hdr) {
11726 		nlmsg_free(msg);
11727 		return;
11728 	}
11729 
11730 	/*
11731 	 * Since we are applying the beacon hint to a wiphy we know its
11732 	 * wiphy_idx is valid
11733 	 */
11734 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
11735 		goto nla_put_failure;
11736 
11737 	/* Before */
11738 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_BEFORE);
11739 	if (!nl_freq)
11740 		goto nla_put_failure;
11741 	if (nl80211_msg_put_channel(msg, channel_before, false))
11742 		goto nla_put_failure;
11743 	nla_nest_end(msg, nl_freq);
11744 
11745 	/* After */
11746 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_AFTER);
11747 	if (!nl_freq)
11748 		goto nla_put_failure;
11749 	if (nl80211_msg_put_channel(msg, channel_after, false))
11750 		goto nla_put_failure;
11751 	nla_nest_end(msg, nl_freq);
11752 
11753 	genlmsg_end(msg, hdr);
11754 
11755 	rcu_read_lock();
11756 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
11757 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
11758 	rcu_read_unlock();
11759 
11760 	return;
11761 
11762 nla_put_failure:
11763 	genlmsg_cancel(msg, hdr);
11764 	nlmsg_free(msg);
11765 }
11766 
11767 static void nl80211_send_remain_on_chan_event(
11768 	int cmd, struct cfg80211_registered_device *rdev,
11769 	struct wireless_dev *wdev, u64 cookie,
11770 	struct ieee80211_channel *chan,
11771 	unsigned int duration, gfp_t gfp)
11772 {
11773 	struct sk_buff *msg;
11774 	void *hdr;
11775 
11776 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11777 	if (!msg)
11778 		return;
11779 
11780 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
11781 	if (!hdr) {
11782 		nlmsg_free(msg);
11783 		return;
11784 	}
11785 
11786 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11787 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
11788 					 wdev->netdev->ifindex)) ||
11789 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
11790 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
11791 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
11792 			NL80211_CHAN_NO_HT) ||
11793 	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie))
11794 		goto nla_put_failure;
11795 
11796 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
11797 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
11798 		goto nla_put_failure;
11799 
11800 	genlmsg_end(msg, hdr);
11801 
11802 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11803 				NL80211_MCGRP_MLME, gfp);
11804 	return;
11805 
11806  nla_put_failure:
11807 	genlmsg_cancel(msg, hdr);
11808 	nlmsg_free(msg);
11809 }
11810 
11811 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
11812 			       struct ieee80211_channel *chan,
11813 			       unsigned int duration, gfp_t gfp)
11814 {
11815 	struct wiphy *wiphy = wdev->wiphy;
11816 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11817 
11818 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
11819 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
11820 					  rdev, wdev, cookie, chan,
11821 					  duration, gfp);
11822 }
11823 EXPORT_SYMBOL(cfg80211_ready_on_channel);
11824 
11825 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
11826 					struct ieee80211_channel *chan,
11827 					gfp_t gfp)
11828 {
11829 	struct wiphy *wiphy = wdev->wiphy;
11830 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11831 
11832 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
11833 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
11834 					  rdev, wdev, cookie, chan, 0, gfp);
11835 }
11836 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
11837 
11838 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
11839 		      struct station_info *sinfo, gfp_t gfp)
11840 {
11841 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
11842 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11843 	struct sk_buff *msg;
11844 
11845 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
11846 
11847 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11848 	if (!msg)
11849 		return;
11850 
11851 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
11852 				 rdev, dev, mac_addr, sinfo) < 0) {
11853 		nlmsg_free(msg);
11854 		return;
11855 	}
11856 
11857 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11858 				NL80211_MCGRP_MLME, gfp);
11859 }
11860 EXPORT_SYMBOL(cfg80211_new_sta);
11861 
11862 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
11863 			    struct station_info *sinfo, gfp_t gfp)
11864 {
11865 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
11866 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11867 	struct sk_buff *msg;
11868 	struct station_info empty_sinfo = {};
11869 
11870 	if (!sinfo)
11871 		sinfo = &empty_sinfo;
11872 
11873 	trace_cfg80211_del_sta(dev, mac_addr);
11874 
11875 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11876 	if (!msg)
11877 		return;
11878 
11879 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
11880 				 rdev, dev, mac_addr, sinfo) < 0) {
11881 		nlmsg_free(msg);
11882 		return;
11883 	}
11884 
11885 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11886 				NL80211_MCGRP_MLME, gfp);
11887 }
11888 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
11889 
11890 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
11891 			  enum nl80211_connect_failed_reason reason,
11892 			  gfp_t gfp)
11893 {
11894 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
11895 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11896 	struct sk_buff *msg;
11897 	void *hdr;
11898 
11899 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
11900 	if (!msg)
11901 		return;
11902 
11903 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
11904 	if (!hdr) {
11905 		nlmsg_free(msg);
11906 		return;
11907 	}
11908 
11909 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11910 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
11911 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
11912 		goto nla_put_failure;
11913 
11914 	genlmsg_end(msg, hdr);
11915 
11916 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11917 				NL80211_MCGRP_MLME, gfp);
11918 	return;
11919 
11920  nla_put_failure:
11921 	genlmsg_cancel(msg, hdr);
11922 	nlmsg_free(msg);
11923 }
11924 EXPORT_SYMBOL(cfg80211_conn_failed);
11925 
11926 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
11927 				       const u8 *addr, gfp_t gfp)
11928 {
11929 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11930 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
11931 	struct sk_buff *msg;
11932 	void *hdr;
11933 	u32 nlportid = ACCESS_ONCE(wdev->ap_unexpected_nlportid);
11934 
11935 	if (!nlportid)
11936 		return false;
11937 
11938 	msg = nlmsg_new(100, gfp);
11939 	if (!msg)
11940 		return true;
11941 
11942 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
11943 	if (!hdr) {
11944 		nlmsg_free(msg);
11945 		return true;
11946 	}
11947 
11948 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11949 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
11950 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
11951 		goto nla_put_failure;
11952 
11953 	genlmsg_end(msg, hdr);
11954 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
11955 	return true;
11956 
11957  nla_put_failure:
11958 	genlmsg_cancel(msg, hdr);
11959 	nlmsg_free(msg);
11960 	return true;
11961 }
11962 
11963 bool cfg80211_rx_spurious_frame(struct net_device *dev,
11964 				const u8 *addr, gfp_t gfp)
11965 {
11966 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11967 	bool ret;
11968 
11969 	trace_cfg80211_rx_spurious_frame(dev, addr);
11970 
11971 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
11972 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
11973 		trace_cfg80211_return_bool(false);
11974 		return false;
11975 	}
11976 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
11977 					 addr, gfp);
11978 	trace_cfg80211_return_bool(ret);
11979 	return ret;
11980 }
11981 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
11982 
11983 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
11984 					const u8 *addr, gfp_t gfp)
11985 {
11986 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11987 	bool ret;
11988 
11989 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
11990 
11991 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
11992 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
11993 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
11994 		trace_cfg80211_return_bool(false);
11995 		return false;
11996 	}
11997 	ret = __nl80211_unexpected_frame(dev,
11998 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
11999 					 addr, gfp);
12000 	trace_cfg80211_return_bool(ret);
12001 	return ret;
12002 }
12003 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
12004 
12005 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
12006 		      struct wireless_dev *wdev, u32 nlportid,
12007 		      int freq, int sig_dbm,
12008 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
12009 {
12010 	struct net_device *netdev = wdev->netdev;
12011 	struct sk_buff *msg;
12012 	void *hdr;
12013 
12014 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12015 	if (!msg)
12016 		return -ENOMEM;
12017 
12018 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
12019 	if (!hdr) {
12020 		nlmsg_free(msg);
12021 		return -ENOMEM;
12022 	}
12023 
12024 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12025 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12026 					netdev->ifindex)) ||
12027 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
12028 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq) ||
12029 	    (sig_dbm &&
12030 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
12031 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
12032 	    (flags &&
12033 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
12034 		goto nla_put_failure;
12035 
12036 	genlmsg_end(msg, hdr);
12037 
12038 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
12039 
12040  nla_put_failure:
12041 	genlmsg_cancel(msg, hdr);
12042 	nlmsg_free(msg);
12043 	return -ENOBUFS;
12044 }
12045 
12046 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
12047 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
12048 {
12049 	struct wiphy *wiphy = wdev->wiphy;
12050 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12051 	struct net_device *netdev = wdev->netdev;
12052 	struct sk_buff *msg;
12053 	void *hdr;
12054 
12055 	trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
12056 
12057 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12058 	if (!msg)
12059 		return;
12060 
12061 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME_TX_STATUS);
12062 	if (!hdr) {
12063 		nlmsg_free(msg);
12064 		return;
12065 	}
12066 
12067 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12068 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12069 				   netdev->ifindex)) ||
12070 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
12071 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
12072 	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie) ||
12073 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
12074 		goto nla_put_failure;
12075 
12076 	genlmsg_end(msg, hdr);
12077 
12078 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12079 				NL80211_MCGRP_MLME, gfp);
12080 	return;
12081 
12082  nla_put_failure:
12083 	genlmsg_cancel(msg, hdr);
12084 	nlmsg_free(msg);
12085 }
12086 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
12087 
12088 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
12089 					    const char *mac, gfp_t gfp)
12090 {
12091 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12092 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
12093 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12094 	void **cb;
12095 
12096 	if (!msg)
12097 		return NULL;
12098 
12099 	cb = (void **)msg->cb;
12100 
12101 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
12102 	if (!cb[0]) {
12103 		nlmsg_free(msg);
12104 		return NULL;
12105 	}
12106 
12107 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12108 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
12109 		goto nla_put_failure;
12110 
12111 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
12112 		goto nla_put_failure;
12113 
12114 	cb[1] = nla_nest_start(msg, NL80211_ATTR_CQM);
12115 	if (!cb[1])
12116 		goto nla_put_failure;
12117 
12118 	cb[2] = rdev;
12119 
12120 	return msg;
12121  nla_put_failure:
12122 	nlmsg_free(msg);
12123 	return NULL;
12124 }
12125 
12126 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
12127 {
12128 	void **cb = (void **)msg->cb;
12129 	struct cfg80211_registered_device *rdev = cb[2];
12130 
12131 	nla_nest_end(msg, cb[1]);
12132 	genlmsg_end(msg, cb[0]);
12133 
12134 	memset(msg->cb, 0, sizeof(msg->cb));
12135 
12136 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12137 				NL80211_MCGRP_MLME, gfp);
12138 }
12139 
12140 void cfg80211_cqm_rssi_notify(struct net_device *dev,
12141 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
12142 			      gfp_t gfp)
12143 {
12144 	struct sk_buff *msg;
12145 
12146 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event);
12147 
12148 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
12149 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
12150 		return;
12151 
12152 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
12153 	if (!msg)
12154 		return;
12155 
12156 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
12157 			rssi_event))
12158 		goto nla_put_failure;
12159 
12160 	cfg80211_send_cqm(msg, gfp);
12161 
12162 	return;
12163 
12164  nla_put_failure:
12165 	nlmsg_free(msg);
12166 }
12167 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
12168 
12169 void cfg80211_cqm_txe_notify(struct net_device *dev,
12170 			     const u8 *peer, u32 num_packets,
12171 			     u32 rate, u32 intvl, gfp_t gfp)
12172 {
12173 	struct sk_buff *msg;
12174 
12175 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
12176 	if (!msg)
12177 		return;
12178 
12179 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
12180 		goto nla_put_failure;
12181 
12182 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
12183 		goto nla_put_failure;
12184 
12185 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
12186 		goto nla_put_failure;
12187 
12188 	cfg80211_send_cqm(msg, gfp);
12189 	return;
12190 
12191  nla_put_failure:
12192 	nlmsg_free(msg);
12193 }
12194 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
12195 
12196 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
12197 				 const u8 *peer, u32 num_packets, gfp_t gfp)
12198 {
12199 	struct sk_buff *msg;
12200 
12201 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
12202 
12203 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
12204 	if (!msg)
12205 		return;
12206 
12207 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
12208 		goto nla_put_failure;
12209 
12210 	cfg80211_send_cqm(msg, gfp);
12211 	return;
12212 
12213  nla_put_failure:
12214 	nlmsg_free(msg);
12215 }
12216 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
12217 
12218 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
12219 {
12220 	struct sk_buff *msg;
12221 
12222 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
12223 	if (!msg)
12224 		return;
12225 
12226 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
12227 		goto nla_put_failure;
12228 
12229 	cfg80211_send_cqm(msg, gfp);
12230 	return;
12231 
12232  nla_put_failure:
12233 	nlmsg_free(msg);
12234 }
12235 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
12236 
12237 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
12238 				     struct net_device *netdev, const u8 *bssid,
12239 				     const u8 *replay_ctr, gfp_t gfp)
12240 {
12241 	struct sk_buff *msg;
12242 	struct nlattr *rekey_attr;
12243 	void *hdr;
12244 
12245 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12246 	if (!msg)
12247 		return;
12248 
12249 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
12250 	if (!hdr) {
12251 		nlmsg_free(msg);
12252 		return;
12253 	}
12254 
12255 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12256 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12257 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
12258 		goto nla_put_failure;
12259 
12260 	rekey_attr = nla_nest_start(msg, NL80211_ATTR_REKEY_DATA);
12261 	if (!rekey_attr)
12262 		goto nla_put_failure;
12263 
12264 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
12265 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
12266 		goto nla_put_failure;
12267 
12268 	nla_nest_end(msg, rekey_attr);
12269 
12270 	genlmsg_end(msg, hdr);
12271 
12272 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12273 				NL80211_MCGRP_MLME, gfp);
12274 	return;
12275 
12276  nla_put_failure:
12277 	genlmsg_cancel(msg, hdr);
12278 	nlmsg_free(msg);
12279 }
12280 
12281 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
12282 			       const u8 *replay_ctr, gfp_t gfp)
12283 {
12284 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12285 	struct wiphy *wiphy = wdev->wiphy;
12286 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12287 
12288 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
12289 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
12290 }
12291 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
12292 
12293 static void
12294 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
12295 			       struct net_device *netdev, int index,
12296 			       const u8 *bssid, bool preauth, gfp_t gfp)
12297 {
12298 	struct sk_buff *msg;
12299 	struct nlattr *attr;
12300 	void *hdr;
12301 
12302 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12303 	if (!msg)
12304 		return;
12305 
12306 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
12307 	if (!hdr) {
12308 		nlmsg_free(msg);
12309 		return;
12310 	}
12311 
12312 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12313 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
12314 		goto nla_put_failure;
12315 
12316 	attr = nla_nest_start(msg, NL80211_ATTR_PMKSA_CANDIDATE);
12317 	if (!attr)
12318 		goto nla_put_failure;
12319 
12320 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
12321 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
12322 	    (preauth &&
12323 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
12324 		goto nla_put_failure;
12325 
12326 	nla_nest_end(msg, attr);
12327 
12328 	genlmsg_end(msg, hdr);
12329 
12330 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12331 				NL80211_MCGRP_MLME, gfp);
12332 	return;
12333 
12334  nla_put_failure:
12335 	genlmsg_cancel(msg, hdr);
12336 	nlmsg_free(msg);
12337 }
12338 
12339 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
12340 				     const u8 *bssid, bool preauth, gfp_t gfp)
12341 {
12342 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12343 	struct wiphy *wiphy = wdev->wiphy;
12344 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12345 
12346 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
12347 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
12348 }
12349 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
12350 
12351 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
12352 				     struct net_device *netdev,
12353 				     struct cfg80211_chan_def *chandef,
12354 				     gfp_t gfp,
12355 				     enum nl80211_commands notif,
12356 				     u8 count)
12357 {
12358 	struct sk_buff *msg;
12359 	void *hdr;
12360 
12361 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12362 	if (!msg)
12363 		return;
12364 
12365 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
12366 	if (!hdr) {
12367 		nlmsg_free(msg);
12368 		return;
12369 	}
12370 
12371 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
12372 		goto nla_put_failure;
12373 
12374 	if (nl80211_send_chandef(msg, chandef))
12375 		goto nla_put_failure;
12376 
12377 	if ((notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) &&
12378 	    (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count)))
12379 			goto nla_put_failure;
12380 
12381 	genlmsg_end(msg, hdr);
12382 
12383 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12384 				NL80211_MCGRP_MLME, gfp);
12385 	return;
12386 
12387  nla_put_failure:
12388 	genlmsg_cancel(msg, hdr);
12389 	nlmsg_free(msg);
12390 }
12391 
12392 void cfg80211_ch_switch_notify(struct net_device *dev,
12393 			       struct cfg80211_chan_def *chandef)
12394 {
12395 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12396 	struct wiphy *wiphy = wdev->wiphy;
12397 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12398 
12399 	ASSERT_WDEV_LOCK(wdev);
12400 
12401 	trace_cfg80211_ch_switch_notify(dev, chandef);
12402 
12403 	wdev->chandef = *chandef;
12404 	wdev->preset_chandef = *chandef;
12405 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
12406 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0);
12407 }
12408 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
12409 
12410 void cfg80211_ch_switch_started_notify(struct net_device *dev,
12411 				       struct cfg80211_chan_def *chandef,
12412 				       u8 count)
12413 {
12414 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12415 	struct wiphy *wiphy = wdev->wiphy;
12416 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12417 
12418 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
12419 
12420 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
12421 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY, count);
12422 }
12423 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
12424 
12425 void
12426 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
12427 		     const struct cfg80211_chan_def *chandef,
12428 		     enum nl80211_radar_event event,
12429 		     struct net_device *netdev, gfp_t gfp)
12430 {
12431 	struct sk_buff *msg;
12432 	void *hdr;
12433 
12434 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12435 	if (!msg)
12436 		return;
12437 
12438 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
12439 	if (!hdr) {
12440 		nlmsg_free(msg);
12441 		return;
12442 	}
12443 
12444 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
12445 		goto nla_put_failure;
12446 
12447 	/* NOP and radar events don't need a netdev parameter */
12448 	if (netdev) {
12449 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
12450 
12451 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12452 		    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
12453 			goto nla_put_failure;
12454 	}
12455 
12456 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
12457 		goto nla_put_failure;
12458 
12459 	if (nl80211_send_chandef(msg, chandef))
12460 		goto nla_put_failure;
12461 
12462 	genlmsg_end(msg, hdr);
12463 
12464 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12465 				NL80211_MCGRP_MLME, gfp);
12466 	return;
12467 
12468  nla_put_failure:
12469 	genlmsg_cancel(msg, hdr);
12470 	nlmsg_free(msg);
12471 }
12472 
12473 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
12474 			   u64 cookie, bool acked, gfp_t gfp)
12475 {
12476 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12477 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
12478 	struct sk_buff *msg;
12479 	void *hdr;
12480 
12481 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
12482 
12483 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12484 
12485 	if (!msg)
12486 		return;
12487 
12488 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
12489 	if (!hdr) {
12490 		nlmsg_free(msg);
12491 		return;
12492 	}
12493 
12494 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12495 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
12496 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
12497 	    nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie) ||
12498 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)))
12499 		goto nla_put_failure;
12500 
12501 	genlmsg_end(msg, hdr);
12502 
12503 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12504 				NL80211_MCGRP_MLME, gfp);
12505 	return;
12506 
12507  nla_put_failure:
12508 	genlmsg_cancel(msg, hdr);
12509 	nlmsg_free(msg);
12510 }
12511 EXPORT_SYMBOL(cfg80211_probe_status);
12512 
12513 void cfg80211_report_obss_beacon(struct wiphy *wiphy,
12514 				 const u8 *frame, size_t len,
12515 				 int freq, int sig_dbm)
12516 {
12517 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12518 	struct sk_buff *msg;
12519 	void *hdr;
12520 	struct cfg80211_beacon_registration *reg;
12521 
12522 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
12523 
12524 	spin_lock_bh(&rdev->beacon_registrations_lock);
12525 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
12526 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
12527 		if (!msg) {
12528 			spin_unlock_bh(&rdev->beacon_registrations_lock);
12529 			return;
12530 		}
12531 
12532 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
12533 		if (!hdr)
12534 			goto nla_put_failure;
12535 
12536 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12537 		    (freq &&
12538 		     nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq)) ||
12539 		    (sig_dbm &&
12540 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
12541 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
12542 			goto nla_put_failure;
12543 
12544 		genlmsg_end(msg, hdr);
12545 
12546 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
12547 	}
12548 	spin_unlock_bh(&rdev->beacon_registrations_lock);
12549 	return;
12550 
12551  nla_put_failure:
12552 	spin_unlock_bh(&rdev->beacon_registrations_lock);
12553 	if (hdr)
12554 		genlmsg_cancel(msg, hdr);
12555 	nlmsg_free(msg);
12556 }
12557 EXPORT_SYMBOL(cfg80211_report_obss_beacon);
12558 
12559 #ifdef CONFIG_PM
12560 static int cfg80211_net_detect_results(struct sk_buff *msg,
12561 				       struct cfg80211_wowlan_wakeup *wakeup)
12562 {
12563 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
12564 	struct nlattr *nl_results, *nl_match, *nl_freqs;
12565 	int i, j;
12566 
12567 	nl_results = nla_nest_start(
12568 		msg, NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
12569 	if (!nl_results)
12570 		return -EMSGSIZE;
12571 
12572 	for (i = 0; i < nd->n_matches; i++) {
12573 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
12574 
12575 		nl_match = nla_nest_start(msg, i);
12576 		if (!nl_match)
12577 			break;
12578 
12579 		/* The SSID attribute is optional in nl80211, but for
12580 		 * simplicity reasons it's always present in the
12581 		 * cfg80211 structure.  If a driver can't pass the
12582 		 * SSID, that needs to be changed.  A zero length SSID
12583 		 * is still a valid SSID (wildcard), so it cannot be
12584 		 * used for this purpose.
12585 		 */
12586 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
12587 			    match->ssid.ssid)) {
12588 			nla_nest_cancel(msg, nl_match);
12589 			goto out;
12590 		}
12591 
12592 		if (match->n_channels) {
12593 			nl_freqs = nla_nest_start(
12594 				msg, NL80211_ATTR_SCAN_FREQUENCIES);
12595 			if (!nl_freqs) {
12596 				nla_nest_cancel(msg, nl_match);
12597 				goto out;
12598 			}
12599 
12600 			for (j = 0; j < match->n_channels; j++) {
12601 				if (nla_put_u32(msg, j, match->channels[j])) {
12602 					nla_nest_cancel(msg, nl_freqs);
12603 					nla_nest_cancel(msg, nl_match);
12604 					goto out;
12605 				}
12606 			}
12607 
12608 			nla_nest_end(msg, nl_freqs);
12609 		}
12610 
12611 		nla_nest_end(msg, nl_match);
12612 	}
12613 
12614 out:
12615 	nla_nest_end(msg, nl_results);
12616 	return 0;
12617 }
12618 
12619 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
12620 				   struct cfg80211_wowlan_wakeup *wakeup,
12621 				   gfp_t gfp)
12622 {
12623 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
12624 	struct sk_buff *msg;
12625 	void *hdr;
12626 	int size = 200;
12627 
12628 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
12629 
12630 	if (wakeup)
12631 		size += wakeup->packet_present_len;
12632 
12633 	msg = nlmsg_new(size, gfp);
12634 	if (!msg)
12635 		return;
12636 
12637 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
12638 	if (!hdr)
12639 		goto free_msg;
12640 
12641 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12642 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
12643 		goto free_msg;
12644 
12645 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12646 					wdev->netdev->ifindex))
12647 		goto free_msg;
12648 
12649 	if (wakeup) {
12650 		struct nlattr *reasons;
12651 
12652 		reasons = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
12653 		if (!reasons)
12654 			goto free_msg;
12655 
12656 		if (wakeup->disconnect &&
12657 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
12658 			goto free_msg;
12659 		if (wakeup->magic_pkt &&
12660 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
12661 			goto free_msg;
12662 		if (wakeup->gtk_rekey_failure &&
12663 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
12664 			goto free_msg;
12665 		if (wakeup->eap_identity_req &&
12666 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
12667 			goto free_msg;
12668 		if (wakeup->four_way_handshake &&
12669 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
12670 			goto free_msg;
12671 		if (wakeup->rfkill_release &&
12672 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
12673 			goto free_msg;
12674 
12675 		if (wakeup->pattern_idx >= 0 &&
12676 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
12677 				wakeup->pattern_idx))
12678 			goto free_msg;
12679 
12680 		if (wakeup->tcp_match &&
12681 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
12682 			goto free_msg;
12683 
12684 		if (wakeup->tcp_connlost &&
12685 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
12686 			goto free_msg;
12687 
12688 		if (wakeup->tcp_nomoretokens &&
12689 		    nla_put_flag(msg,
12690 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
12691 			goto free_msg;
12692 
12693 		if (wakeup->packet) {
12694 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
12695 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
12696 
12697 			if (!wakeup->packet_80211) {
12698 				pkt_attr =
12699 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
12700 				len_attr =
12701 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
12702 			}
12703 
12704 			if (wakeup->packet_len &&
12705 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
12706 				goto free_msg;
12707 
12708 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
12709 				    wakeup->packet))
12710 				goto free_msg;
12711 		}
12712 
12713 		if (wakeup->net_detect &&
12714 		    cfg80211_net_detect_results(msg, wakeup))
12715 				goto free_msg;
12716 
12717 		nla_nest_end(msg, reasons);
12718 	}
12719 
12720 	genlmsg_end(msg, hdr);
12721 
12722 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12723 				NL80211_MCGRP_MLME, gfp);
12724 	return;
12725 
12726  free_msg:
12727 	nlmsg_free(msg);
12728 }
12729 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
12730 #endif
12731 
12732 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
12733 				enum nl80211_tdls_operation oper,
12734 				u16 reason_code, gfp_t gfp)
12735 {
12736 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12737 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
12738 	struct sk_buff *msg;
12739 	void *hdr;
12740 
12741 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
12742 					 reason_code);
12743 
12744 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12745 	if (!msg)
12746 		return;
12747 
12748 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
12749 	if (!hdr) {
12750 		nlmsg_free(msg);
12751 		return;
12752 	}
12753 
12754 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12755 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
12756 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
12757 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
12758 	    (reason_code > 0 &&
12759 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
12760 		goto nla_put_failure;
12761 
12762 	genlmsg_end(msg, hdr);
12763 
12764 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12765 				NL80211_MCGRP_MLME, gfp);
12766 	return;
12767 
12768  nla_put_failure:
12769 	genlmsg_cancel(msg, hdr);
12770 	nlmsg_free(msg);
12771 }
12772 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
12773 
12774 static int nl80211_netlink_notify(struct notifier_block * nb,
12775 				  unsigned long state,
12776 				  void *_notify)
12777 {
12778 	struct netlink_notify *notify = _notify;
12779 	struct cfg80211_registered_device *rdev;
12780 	struct wireless_dev *wdev;
12781 	struct cfg80211_beacon_registration *reg, *tmp;
12782 
12783 	if (state != NETLINK_URELEASE)
12784 		return NOTIFY_DONE;
12785 
12786 	rcu_read_lock();
12787 
12788 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
12789 		bool schedule_destroy_work = false;
12790 		bool schedule_scan_stop = false;
12791 		struct cfg80211_sched_scan_request *sched_scan_req =
12792 			rcu_dereference(rdev->sched_scan_req);
12793 
12794 		if (sched_scan_req && notify->portid &&
12795 		    sched_scan_req->owner_nlportid == notify->portid)
12796 			schedule_scan_stop = true;
12797 
12798 		list_for_each_entry_rcu(wdev, &rdev->wdev_list, list) {
12799 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
12800 
12801 			if (wdev->owner_nlportid == notify->portid)
12802 				schedule_destroy_work = true;
12803 		}
12804 
12805 		spin_lock_bh(&rdev->beacon_registrations_lock);
12806 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
12807 					 list) {
12808 			if (reg->nlportid == notify->portid) {
12809 				list_del(&reg->list);
12810 				kfree(reg);
12811 				break;
12812 			}
12813 		}
12814 		spin_unlock_bh(&rdev->beacon_registrations_lock);
12815 
12816 		if (schedule_destroy_work) {
12817 			struct cfg80211_iface_destroy *destroy;
12818 
12819 			destroy = kzalloc(sizeof(*destroy), GFP_ATOMIC);
12820 			if (destroy) {
12821 				destroy->nlportid = notify->portid;
12822 				spin_lock(&rdev->destroy_list_lock);
12823 				list_add(&destroy->list, &rdev->destroy_list);
12824 				spin_unlock(&rdev->destroy_list_lock);
12825 				schedule_work(&rdev->destroy_work);
12826 			}
12827 		} else if (schedule_scan_stop) {
12828 			sched_scan_req->owner_nlportid = 0;
12829 
12830 			if (rdev->ops->sched_scan_stop &&
12831 			    rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
12832 				schedule_work(&rdev->sched_scan_stop_wk);
12833 		}
12834 	}
12835 
12836 	rcu_read_unlock();
12837 
12838 	/*
12839 	 * It is possible that the user space process that is controlling the
12840 	 * indoor setting disappeared, so notify the regulatory core.
12841 	 */
12842 	regulatory_netlink_notify(notify->portid);
12843 	return NOTIFY_OK;
12844 }
12845 
12846 static struct notifier_block nl80211_netlink_notifier = {
12847 	.notifier_call = nl80211_netlink_notify,
12848 };
12849 
12850 void cfg80211_ft_event(struct net_device *netdev,
12851 		       struct cfg80211_ft_event_params *ft_event)
12852 {
12853 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
12854 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12855 	struct sk_buff *msg;
12856 	void *hdr;
12857 
12858 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
12859 
12860 	if (!ft_event->target_ap)
12861 		return;
12862 
12863 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12864 	if (!msg)
12865 		return;
12866 
12867 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
12868 	if (!hdr)
12869 		goto out;
12870 
12871 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12872 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12873 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
12874 		goto out;
12875 
12876 	if (ft_event->ies &&
12877 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
12878 		goto out;
12879 	if (ft_event->ric_ies &&
12880 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
12881 		    ft_event->ric_ies))
12882 		goto out;
12883 
12884 	genlmsg_end(msg, hdr);
12885 
12886 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12887 				NL80211_MCGRP_MLME, GFP_KERNEL);
12888 	return;
12889  out:
12890 	nlmsg_free(msg);
12891 }
12892 EXPORT_SYMBOL(cfg80211_ft_event);
12893 
12894 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
12895 {
12896 	struct cfg80211_registered_device *rdev;
12897 	struct sk_buff *msg;
12898 	void *hdr;
12899 	u32 nlportid;
12900 
12901 	rdev = wiphy_to_rdev(wdev->wiphy);
12902 	if (!rdev->crit_proto_nlportid)
12903 		return;
12904 
12905 	nlportid = rdev->crit_proto_nlportid;
12906 	rdev->crit_proto_nlportid = 0;
12907 
12908 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12909 	if (!msg)
12910 		return;
12911 
12912 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
12913 	if (!hdr)
12914 		goto nla_put_failure;
12915 
12916 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12917 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
12918 		goto nla_put_failure;
12919 
12920 	genlmsg_end(msg, hdr);
12921 
12922 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
12923 	return;
12924 
12925  nla_put_failure:
12926 	if (hdr)
12927 		genlmsg_cancel(msg, hdr);
12928 	nlmsg_free(msg);
12929 
12930 }
12931 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
12932 
12933 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
12934 {
12935 	struct wiphy *wiphy = wdev->wiphy;
12936 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12937 	struct sk_buff *msg;
12938 	void *hdr;
12939 
12940 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12941 	if (!msg)
12942 		return;
12943 
12944 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
12945 	if (!hdr)
12946 		goto out;
12947 
12948 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12949 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
12950 	    nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
12951 		goto out;
12952 
12953 	genlmsg_end(msg, hdr);
12954 
12955 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
12956 				NL80211_MCGRP_MLME, GFP_KERNEL);
12957 	return;
12958  out:
12959 	nlmsg_free(msg);
12960 }
12961 
12962 /* initialisation/exit functions */
12963 
12964 int nl80211_init(void)
12965 {
12966 	int err;
12967 
12968 	err = genl_register_family_with_ops_groups(&nl80211_fam, nl80211_ops,
12969 						   nl80211_mcgrps);
12970 	if (err)
12971 		return err;
12972 
12973 	err = netlink_register_notifier(&nl80211_netlink_notifier);
12974 	if (err)
12975 		goto err_out;
12976 
12977 	return 0;
12978  err_out:
12979 	genl_unregister_family(&nl80211_fam);
12980 	return err;
12981 }
12982 
12983 void nl80211_exit(void)
12984 {
12985 	netlink_unregister_notifier(&nl80211_netlink_notifier);
12986 	genl_unregister_family(&nl80211_fam);
12987 }
12988