xref: /linux/net/wireless/nl80211.c (revision cd2a9e62c8a3c5cae7691982667d79a0edc65283) 
1 /*
2  * This is the new netlink-based wireless configuration interface.
3  *
4  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
5  * Copyright 2013-2014  Intel Mobile Communications GmbH
6  * Copyright 2015-2016	Intel Deutschland GmbH
7  */
8 
9 #include <linux/if.h>
10 #include <linux/module.h>
11 #include <linux/err.h>
12 #include <linux/slab.h>
13 #include <linux/list.h>
14 #include <linux/if_ether.h>
15 #include <linux/ieee80211.h>
16 #include <linux/nl80211.h>
17 #include <linux/rtnetlink.h>
18 #include <linux/netlink.h>
19 #include <linux/etherdevice.h>
20 #include <net/net_namespace.h>
21 #include <net/genetlink.h>
22 #include <net/cfg80211.h>
23 #include <net/sock.h>
24 #include <net/inet_connection_sock.h>
25 #include "core.h"
26 #include "nl80211.h"
27 #include "reg.h"
28 #include "rdev-ops.h"
29 
30 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
31 				   struct genl_info *info,
32 				   struct cfg80211_crypto_settings *settings,
33 				   int cipher_limit);
34 
35 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
36 			    struct genl_info *info);
37 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
38 			      struct genl_info *info);
39 
40 /* the netlink family */
41 static struct genl_family nl80211_fam = {
42 	.id = GENL_ID_GENERATE,		/* don't bother with a hardcoded ID */
43 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
44 	.hdrsize = 0,			/* no private header */
45 	.version = 1,			/* no particular meaning now */
46 	.maxattr = NL80211_ATTR_MAX,
47 	.netnsok = true,
48 	.pre_doit = nl80211_pre_doit,
49 	.post_doit = nl80211_post_doit,
50 };
51 
52 /* multicast groups */
53 enum nl80211_multicast_groups {
54 	NL80211_MCGRP_CONFIG,
55 	NL80211_MCGRP_SCAN,
56 	NL80211_MCGRP_REGULATORY,
57 	NL80211_MCGRP_MLME,
58 	NL80211_MCGRP_VENDOR,
59 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
60 };
61 
62 static const struct genl_multicast_group nl80211_mcgrps[] = {
63 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
64 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
65 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
66 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
67 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
68 #ifdef CONFIG_NL80211_TESTMODE
69 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
70 #endif
71 };
72 
73 /* returns ERR_PTR values */
74 static struct wireless_dev *
75 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
76 {
77 	struct cfg80211_registered_device *rdev;
78 	struct wireless_dev *result = NULL;
79 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
80 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
81 	u64 wdev_id;
82 	int wiphy_idx = -1;
83 	int ifidx = -1;
84 
85 	ASSERT_RTNL();
86 
87 	if (!have_ifidx && !have_wdev_id)
88 		return ERR_PTR(-EINVAL);
89 
90 	if (have_ifidx)
91 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
92 	if (have_wdev_id) {
93 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
94 		wiphy_idx = wdev_id >> 32;
95 	}
96 
97 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
98 		struct wireless_dev *wdev;
99 
100 		if (wiphy_net(&rdev->wiphy) != netns)
101 			continue;
102 
103 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
104 			continue;
105 
106 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
107 			if (have_ifidx && wdev->netdev &&
108 			    wdev->netdev->ifindex == ifidx) {
109 				result = wdev;
110 				break;
111 			}
112 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
113 				result = wdev;
114 				break;
115 			}
116 		}
117 
118 		if (result)
119 			break;
120 	}
121 
122 	if (result)
123 		return result;
124 	return ERR_PTR(-ENODEV);
125 }
126 
127 static struct cfg80211_registered_device *
128 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
129 {
130 	struct cfg80211_registered_device *rdev = NULL, *tmp;
131 	struct net_device *netdev;
132 
133 	ASSERT_RTNL();
134 
135 	if (!attrs[NL80211_ATTR_WIPHY] &&
136 	    !attrs[NL80211_ATTR_IFINDEX] &&
137 	    !attrs[NL80211_ATTR_WDEV])
138 		return ERR_PTR(-EINVAL);
139 
140 	if (attrs[NL80211_ATTR_WIPHY])
141 		rdev = cfg80211_rdev_by_wiphy_idx(
142 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
143 
144 	if (attrs[NL80211_ATTR_WDEV]) {
145 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
146 		struct wireless_dev *wdev;
147 		bool found = false;
148 
149 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
150 		if (tmp) {
151 			/* make sure wdev exists */
152 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
153 				if (wdev->identifier != (u32)wdev_id)
154 					continue;
155 				found = true;
156 				break;
157 			}
158 
159 			if (!found)
160 				tmp = NULL;
161 
162 			if (rdev && tmp != rdev)
163 				return ERR_PTR(-EINVAL);
164 			rdev = tmp;
165 		}
166 	}
167 
168 	if (attrs[NL80211_ATTR_IFINDEX]) {
169 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
170 
171 		netdev = __dev_get_by_index(netns, ifindex);
172 		if (netdev) {
173 			if (netdev->ieee80211_ptr)
174 				tmp = wiphy_to_rdev(
175 					netdev->ieee80211_ptr->wiphy);
176 			else
177 				tmp = NULL;
178 
179 			/* not wireless device -- return error */
180 			if (!tmp)
181 				return ERR_PTR(-EINVAL);
182 
183 			/* mismatch -- return error */
184 			if (rdev && tmp != rdev)
185 				return ERR_PTR(-EINVAL);
186 
187 			rdev = tmp;
188 		}
189 	}
190 
191 	if (!rdev)
192 		return ERR_PTR(-ENODEV);
193 
194 	if (netns != wiphy_net(&rdev->wiphy))
195 		return ERR_PTR(-ENODEV);
196 
197 	return rdev;
198 }
199 
200 /*
201  * This function returns a pointer to the driver
202  * that the genl_info item that is passed refers to.
203  *
204  * The result of this can be a PTR_ERR and hence must
205  * be checked with IS_ERR() for errors.
206  */
207 static struct cfg80211_registered_device *
208 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
209 {
210 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
211 }
212 
213 /* policy for the attributes */
214 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
215 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
216 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
217 				      .len = 20-1 },
218 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
219 
220 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
221 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
222 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
223 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
224 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
225 
226 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = { .type = NLA_U8 },
227 	[NL80211_ATTR_WIPHY_RETRY_LONG] = { .type = NLA_U8 },
228 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
229 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
230 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
231 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
232 
233 	[NL80211_ATTR_IFTYPE] = { .type = NLA_U32 },
234 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
235 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
236 
237 	[NL80211_ATTR_MAC] = { .len = ETH_ALEN },
238 	[NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },
239 
240 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
241 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
242 				    .len = WLAN_MAX_KEY_LEN },
243 	[NL80211_ATTR_KEY_IDX] = { .type = NLA_U8 },
244 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
245 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
246 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
247 	[NL80211_ATTR_KEY_TYPE] = { .type = NLA_U32 },
248 
249 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
250 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
251 	[NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
252 				       .len = IEEE80211_MAX_DATA_LEN },
253 	[NL80211_ATTR_BEACON_TAIL] = { .type = NLA_BINARY,
254 				       .len = IEEE80211_MAX_DATA_LEN },
255 	[NL80211_ATTR_STA_AID] = { .type = NLA_U16 },
256 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
257 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
258 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
259 					       .len = NL80211_MAX_SUPP_RATES },
260 	[NL80211_ATTR_STA_PLINK_ACTION] = { .type = NLA_U8 },
261 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
262 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
263 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
264 				   .len = IEEE80211_MAX_MESH_ID_LEN },
265 	[NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
266 
267 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
268 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
269 
270 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
271 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
272 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
273 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
274 					   .len = NL80211_MAX_SUPP_RATES },
275 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
276 
277 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
278 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
279 
280 	[NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
281 
282 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
283 	[NL80211_ATTR_IE] = { .type = NLA_BINARY,
284 			      .len = IEEE80211_MAX_DATA_LEN },
285 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
286 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
287 
288 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
289 				.len = IEEE80211_MAX_SSID_LEN },
290 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
291 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
292 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
293 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
294 	[NL80211_ATTR_USE_MFP] = { .type = NLA_U32 },
295 	[NL80211_ATTR_STA_FLAGS2] = {
296 		.len = sizeof(struct nl80211_sta_flag_update),
297 	},
298 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
299 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
300 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
301 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
302 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
303 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
304 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
305 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
306 	[NL80211_ATTR_PMKID] = { .type = NLA_BINARY,
307 				 .len = WLAN_PMKID_LEN },
308 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
309 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
310 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
311 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
312 				 .len = IEEE80211_MAX_DATA_LEN },
313 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
314 	[NL80211_ATTR_PS_STATE] = { .type = NLA_U32 },
315 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
316 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
317 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
318 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
319 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
320 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
321 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
322 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
323 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
324 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
325 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
326 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
327 	[NL80211_ATTR_STA_PLINK_STATE] = { .type = NLA_U8 },
328 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
329 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
330 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
331 	[NL80211_ATTR_HIDDEN_SSID] = { .type = NLA_U32 },
332 	[NL80211_ATTR_IE_PROBE_RESP] = { .type = NLA_BINARY,
333 					 .len = IEEE80211_MAX_DATA_LEN },
334 	[NL80211_ATTR_IE_ASSOC_RESP] = { .type = NLA_BINARY,
335 					 .len = IEEE80211_MAX_DATA_LEN },
336 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
337 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
338 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
339 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
340 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
341 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
342 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
343 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
344 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
345 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
346 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
347 				      .len = IEEE80211_MAX_DATA_LEN },
348 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
349 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
350 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
351 		.len = NL80211_HT_CAPABILITY_LEN
352 	},
353 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
354 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
355 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
356 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
357 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
358 	[NL80211_ATTR_SAE_DATA] = { .type = NLA_BINARY, },
359 	[NL80211_ATTR_VHT_CAPABILITY] = { .len = NL80211_VHT_CAPABILITY_LEN },
360 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
361 	[NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
362 	[NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
363 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
364 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
365 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
366 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
367 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
368 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
369 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
370 		.len = NL80211_VHT_CAPABILITY_LEN,
371 	},
372 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
373 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
374 				  .len = IEEE80211_MAX_DATA_LEN },
375 	[NL80211_ATTR_PEER_AID] = { .type = NLA_U16 },
376 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
377 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
378 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
379 	[NL80211_ATTR_CSA_C_OFF_BEACON] = { .type = NLA_BINARY },
380 	[NL80211_ATTR_CSA_C_OFF_PRESP] = { .type = NLA_BINARY },
381 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = { .type = NLA_BINARY },
382 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] = { .type = NLA_BINARY },
383 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
384 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
385 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
386 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
387 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
388 	[NL80211_ATTR_QOS_MAP] = { .type = NLA_BINARY,
389 				   .len = IEEE80211_QOS_MAP_LEN_MAX },
390 	[NL80211_ATTR_MAC_HINT] = { .len = ETH_ALEN },
391 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
392 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
393 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
394 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
395 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
396 	[NL80211_ATTR_TSID] = { .type = NLA_U8 },
397 	[NL80211_ATTR_USER_PRIO] = { .type = NLA_U8 },
398 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
399 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
400 	[NL80211_ATTR_MAC_MASK] = { .len = ETH_ALEN },
401 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
402 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
403 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
404 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
405 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
406 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
407 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] = { .type = NLA_U8 },
408 };
409 
410 /* policy for the key attributes */
411 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
412 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
413 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
414 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
415 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
416 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
417 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
418 	[NL80211_KEY_TYPE] = { .type = NLA_U32 },
419 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
420 };
421 
422 /* policy for the key default flags */
423 static const struct nla_policy
424 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
425 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
426 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
427 };
428 
429 /* policy for WoWLAN attributes */
430 static const struct nla_policy
431 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
432 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
433 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
434 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
435 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
436 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
437 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
438 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
439 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
440 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
441 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
442 };
443 
444 static const struct nla_policy
445 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
446 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
447 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
448 	[NL80211_WOWLAN_TCP_DST_MAC] = { .len = ETH_ALEN },
449 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
450 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
451 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = { .len = 1 },
452 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
453 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
454 	},
455 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
456 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
457 	},
458 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
459 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = { .len = 1 },
460 	[NL80211_WOWLAN_TCP_WAKE_MASK] = { .len = 1 },
461 };
462 
463 /* policy for coalesce rule attributes */
464 static const struct nla_policy
465 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
466 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
467 	[NL80211_ATTR_COALESCE_RULE_CONDITION] = { .type = NLA_U32 },
468 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
469 };
470 
471 /* policy for GTK rekey offload attributes */
472 static const struct nla_policy
473 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
474 	[NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
475 	[NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
476 	[NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
477 };
478 
479 static const struct nla_policy
480 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
481 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
482 						 .len = IEEE80211_MAX_SSID_LEN },
483 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
484 };
485 
486 static const struct nla_policy
487 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
488 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
489 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
490 };
491 
492 static const struct nla_policy
493 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
494 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
495 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
496 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
497 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
498 	},
499 };
500 
501 static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
502 				     struct netlink_callback *cb,
503 				     struct cfg80211_registered_device **rdev,
504 				     struct wireless_dev **wdev)
505 {
506 	int err;
507 
508 	rtnl_lock();
509 
510 	if (!cb->args[0]) {
511 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
512 				  nl80211_fam.attrbuf, nl80211_fam.maxattr,
513 				  nl80211_policy);
514 		if (err)
515 			goto out_unlock;
516 
517 		*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk),
518 						   nl80211_fam.attrbuf);
519 		if (IS_ERR(*wdev)) {
520 			err = PTR_ERR(*wdev);
521 			goto out_unlock;
522 		}
523 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
524 		/* 0 is the first index - add 1 to parse only once */
525 		cb->args[0] = (*rdev)->wiphy_idx + 1;
526 		cb->args[1] = (*wdev)->identifier;
527 	} else {
528 		/* subtract the 1 again here */
529 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
530 		struct wireless_dev *tmp;
531 
532 		if (!wiphy) {
533 			err = -ENODEV;
534 			goto out_unlock;
535 		}
536 		*rdev = wiphy_to_rdev(wiphy);
537 		*wdev = NULL;
538 
539 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
540 			if (tmp->identifier == cb->args[1]) {
541 				*wdev = tmp;
542 				break;
543 			}
544 		}
545 
546 		if (!*wdev) {
547 			err = -ENODEV;
548 			goto out_unlock;
549 		}
550 	}
551 
552 	return 0;
553  out_unlock:
554 	rtnl_unlock();
555 	return err;
556 }
557 
558 static void nl80211_finish_wdev_dump(struct cfg80211_registered_device *rdev)
559 {
560 	rtnl_unlock();
561 }
562 
563 /* IE validation */
564 static bool is_valid_ie_attr(const struct nlattr *attr)
565 {
566 	const u8 *pos;
567 	int len;
568 
569 	if (!attr)
570 		return true;
571 
572 	pos = nla_data(attr);
573 	len = nla_len(attr);
574 
575 	while (len) {
576 		u8 elemlen;
577 
578 		if (len < 2)
579 			return false;
580 		len -= 2;
581 
582 		elemlen = pos[1];
583 		if (elemlen > len)
584 			return false;
585 
586 		len -= elemlen;
587 		pos += 2 + elemlen;
588 	}
589 
590 	return true;
591 }
592 
593 /* message building helper */
594 static inline void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
595 				   int flags, u8 cmd)
596 {
597 	/* since there is no private header just add the generic one */
598 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
599 }
600 
601 static int nl80211_msg_put_channel(struct sk_buff *msg,
602 				   struct ieee80211_channel *chan,
603 				   bool large)
604 {
605 	/* Some channels must be completely excluded from the
606 	 * list to protect old user-space tools from breaking
607 	 */
608 	if (!large && chan->flags &
609 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
610 		return 0;
611 
612 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
613 			chan->center_freq))
614 		goto nla_put_failure;
615 
616 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
617 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
618 		goto nla_put_failure;
619 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
620 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
621 			goto nla_put_failure;
622 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
623 			goto nla_put_failure;
624 	}
625 	if (chan->flags & IEEE80211_CHAN_RADAR) {
626 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
627 			goto nla_put_failure;
628 		if (large) {
629 			u32 time;
630 
631 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
632 
633 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
634 					chan->dfs_state))
635 				goto nla_put_failure;
636 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
637 					time))
638 				goto nla_put_failure;
639 			if (nla_put_u32(msg,
640 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
641 					chan->dfs_cac_ms))
642 				goto nla_put_failure;
643 		}
644 	}
645 
646 	if (large) {
647 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
648 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
649 			goto nla_put_failure;
650 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
651 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
652 			goto nla_put_failure;
653 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
654 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
655 			goto nla_put_failure;
656 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
657 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
658 			goto nla_put_failure;
659 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
660 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
661 			goto nla_put_failure;
662 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
663 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
664 			goto nla_put_failure;
665 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
666 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
667 			goto nla_put_failure;
668 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
669 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
670 			goto nla_put_failure;
671 	}
672 
673 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
674 			DBM_TO_MBM(chan->max_power)))
675 		goto nla_put_failure;
676 
677 	return 0;
678 
679  nla_put_failure:
680 	return -ENOBUFS;
681 }
682 
683 /* netlink command implementations */
684 
685 struct key_parse {
686 	struct key_params p;
687 	int idx;
688 	int type;
689 	bool def, defmgmt;
690 	bool def_uni, def_multi;
691 };
692 
693 static int nl80211_parse_key_new(struct nlattr *key, struct key_parse *k)
694 {
695 	struct nlattr *tb[NL80211_KEY_MAX + 1];
696 	int err = nla_parse_nested(tb, NL80211_KEY_MAX, key,
697 				   nl80211_key_policy);
698 	if (err)
699 		return err;
700 
701 	k->def = !!tb[NL80211_KEY_DEFAULT];
702 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
703 
704 	if (k->def) {
705 		k->def_uni = true;
706 		k->def_multi = true;
707 	}
708 	if (k->defmgmt)
709 		k->def_multi = true;
710 
711 	if (tb[NL80211_KEY_IDX])
712 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
713 
714 	if (tb[NL80211_KEY_DATA]) {
715 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
716 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
717 	}
718 
719 	if (tb[NL80211_KEY_SEQ]) {
720 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
721 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
722 	}
723 
724 	if (tb[NL80211_KEY_CIPHER])
725 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
726 
727 	if (tb[NL80211_KEY_TYPE]) {
728 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
729 		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
730 			return -EINVAL;
731 	}
732 
733 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
734 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
735 
736 		err = nla_parse_nested(kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
737 				       tb[NL80211_KEY_DEFAULT_TYPES],
738 				       nl80211_key_default_policy);
739 		if (err)
740 			return err;
741 
742 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
743 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
744 	}
745 
746 	return 0;
747 }
748 
749 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
750 {
751 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
752 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
753 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
754 	}
755 
756 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
757 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
758 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
759 	}
760 
761 	if (info->attrs[NL80211_ATTR_KEY_IDX])
762 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
763 
764 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
765 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
766 
767 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
768 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
769 
770 	if (k->def) {
771 		k->def_uni = true;
772 		k->def_multi = true;
773 	}
774 	if (k->defmgmt)
775 		k->def_multi = true;
776 
777 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
778 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
779 		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
780 			return -EINVAL;
781 	}
782 
783 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
784 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
785 		int err = nla_parse_nested(
786 				kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
787 				info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
788 				nl80211_key_default_policy);
789 		if (err)
790 			return err;
791 
792 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
793 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
794 	}
795 
796 	return 0;
797 }
798 
799 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
800 {
801 	int err;
802 
803 	memset(k, 0, sizeof(*k));
804 	k->idx = -1;
805 	k->type = -1;
806 
807 	if (info->attrs[NL80211_ATTR_KEY])
808 		err = nl80211_parse_key_new(info->attrs[NL80211_ATTR_KEY], k);
809 	else
810 		err = nl80211_parse_key_old(info, k);
811 
812 	if (err)
813 		return err;
814 
815 	if (k->def && k->defmgmt)
816 		return -EINVAL;
817 
818 	if (k->defmgmt) {
819 		if (k->def_uni || !k->def_multi)
820 			return -EINVAL;
821 	}
822 
823 	if (k->idx != -1) {
824 		if (k->defmgmt) {
825 			if (k->idx < 4 || k->idx > 5)
826 				return -EINVAL;
827 		} else if (k->def) {
828 			if (k->idx < 0 || k->idx > 3)
829 				return -EINVAL;
830 		} else {
831 			if (k->idx < 0 || k->idx > 5)
832 				return -EINVAL;
833 		}
834 	}
835 
836 	return 0;
837 }
838 
839 static struct cfg80211_cached_keys *
840 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
841 		       struct nlattr *keys, bool *no_ht)
842 {
843 	struct key_parse parse;
844 	struct nlattr *key;
845 	struct cfg80211_cached_keys *result;
846 	int rem, err, def = 0;
847 
848 	result = kzalloc(sizeof(*result), GFP_KERNEL);
849 	if (!result)
850 		return ERR_PTR(-ENOMEM);
851 
852 	result->def = -1;
853 	result->defmgmt = -1;
854 
855 	nla_for_each_nested(key, keys, rem) {
856 		memset(&parse, 0, sizeof(parse));
857 		parse.idx = -1;
858 
859 		err = nl80211_parse_key_new(key, &parse);
860 		if (err)
861 			goto error;
862 		err = -EINVAL;
863 		if (!parse.p.key)
864 			goto error;
865 		if (parse.idx < 0 || parse.idx > 4)
866 			goto error;
867 		if (parse.def) {
868 			if (def)
869 				goto error;
870 			def = 1;
871 			result->def = parse.idx;
872 			if (!parse.def_uni || !parse.def_multi)
873 				goto error;
874 		} else if (parse.defmgmt)
875 			goto error;
876 		err = cfg80211_validate_key_settings(rdev, &parse.p,
877 						     parse.idx, false, NULL);
878 		if (err)
879 			goto error;
880 		result->params[parse.idx].cipher = parse.p.cipher;
881 		result->params[parse.idx].key_len = parse.p.key_len;
882 		result->params[parse.idx].key = result->data[parse.idx];
883 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
884 
885 		if (parse.p.cipher == WLAN_CIPHER_SUITE_WEP40 ||
886 		    parse.p.cipher == WLAN_CIPHER_SUITE_WEP104) {
887 			if (no_ht)
888 				*no_ht = true;
889 		}
890 	}
891 
892 	return result;
893  error:
894 	kfree(result);
895 	return ERR_PTR(err);
896 }
897 
898 static int nl80211_key_allowed(struct wireless_dev *wdev)
899 {
900 	ASSERT_WDEV_LOCK(wdev);
901 
902 	switch (wdev->iftype) {
903 	case NL80211_IFTYPE_AP:
904 	case NL80211_IFTYPE_AP_VLAN:
905 	case NL80211_IFTYPE_P2P_GO:
906 	case NL80211_IFTYPE_MESH_POINT:
907 		break;
908 	case NL80211_IFTYPE_ADHOC:
909 	case NL80211_IFTYPE_STATION:
910 	case NL80211_IFTYPE_P2P_CLIENT:
911 		if (!wdev->current_bss)
912 			return -ENOLINK;
913 		break;
914 	case NL80211_IFTYPE_UNSPECIFIED:
915 	case NL80211_IFTYPE_OCB:
916 	case NL80211_IFTYPE_MONITOR:
917 	case NL80211_IFTYPE_P2P_DEVICE:
918 	case NL80211_IFTYPE_WDS:
919 	case NUM_NL80211_IFTYPES:
920 		return -EINVAL;
921 	}
922 
923 	return 0;
924 }
925 
926 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
927 							struct nlattr *tb)
928 {
929 	struct ieee80211_channel *chan;
930 
931 	if (tb == NULL)
932 		return NULL;
933 	chan = ieee80211_get_channel(wiphy, nla_get_u32(tb));
934 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
935 		return NULL;
936 	return chan;
937 }
938 
939 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
940 {
941 	struct nlattr *nl_modes = nla_nest_start(msg, attr);
942 	int i;
943 
944 	if (!nl_modes)
945 		goto nla_put_failure;
946 
947 	i = 0;
948 	while (ifmodes) {
949 		if ((ifmodes & 1) && nla_put_flag(msg, i))
950 			goto nla_put_failure;
951 		ifmodes >>= 1;
952 		i++;
953 	}
954 
955 	nla_nest_end(msg, nl_modes);
956 	return 0;
957 
958 nla_put_failure:
959 	return -ENOBUFS;
960 }
961 
962 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
963 					  struct sk_buff *msg,
964 					  bool large)
965 {
966 	struct nlattr *nl_combis;
967 	int i, j;
968 
969 	nl_combis = nla_nest_start(msg,
970 				NL80211_ATTR_INTERFACE_COMBINATIONS);
971 	if (!nl_combis)
972 		goto nla_put_failure;
973 
974 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
975 		const struct ieee80211_iface_combination *c;
976 		struct nlattr *nl_combi, *nl_limits;
977 
978 		c = &wiphy->iface_combinations[i];
979 
980 		nl_combi = nla_nest_start(msg, i + 1);
981 		if (!nl_combi)
982 			goto nla_put_failure;
983 
984 		nl_limits = nla_nest_start(msg, NL80211_IFACE_COMB_LIMITS);
985 		if (!nl_limits)
986 			goto nla_put_failure;
987 
988 		for (j = 0; j < c->n_limits; j++) {
989 			struct nlattr *nl_limit;
990 
991 			nl_limit = nla_nest_start(msg, j + 1);
992 			if (!nl_limit)
993 				goto nla_put_failure;
994 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
995 					c->limits[j].max))
996 				goto nla_put_failure;
997 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
998 						c->limits[j].types))
999 				goto nla_put_failure;
1000 			nla_nest_end(msg, nl_limit);
1001 		}
1002 
1003 		nla_nest_end(msg, nl_limits);
1004 
1005 		if (c->beacon_int_infra_match &&
1006 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1007 			goto nla_put_failure;
1008 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1009 				c->num_different_channels) ||
1010 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1011 				c->max_interfaces))
1012 			goto nla_put_failure;
1013 		if (large &&
1014 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1015 				c->radar_detect_widths) ||
1016 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1017 				c->radar_detect_regions)))
1018 			goto nla_put_failure;
1019 
1020 		nla_nest_end(msg, nl_combi);
1021 	}
1022 
1023 	nla_nest_end(msg, nl_combis);
1024 
1025 	return 0;
1026 nla_put_failure:
1027 	return -ENOBUFS;
1028 }
1029 
1030 #ifdef CONFIG_PM
1031 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1032 					struct sk_buff *msg)
1033 {
1034 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1035 	struct nlattr *nl_tcp;
1036 
1037 	if (!tcp)
1038 		return 0;
1039 
1040 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1041 	if (!nl_tcp)
1042 		return -ENOBUFS;
1043 
1044 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1045 			tcp->data_payload_max))
1046 		return -ENOBUFS;
1047 
1048 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1049 			tcp->data_payload_max))
1050 		return -ENOBUFS;
1051 
1052 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1053 		return -ENOBUFS;
1054 
1055 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1056 				sizeof(*tcp->tok), tcp->tok))
1057 		return -ENOBUFS;
1058 
1059 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1060 			tcp->data_interval_max))
1061 		return -ENOBUFS;
1062 
1063 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1064 			tcp->wake_payload_max))
1065 		return -ENOBUFS;
1066 
1067 	nla_nest_end(msg, nl_tcp);
1068 	return 0;
1069 }
1070 
1071 static int nl80211_send_wowlan(struct sk_buff *msg,
1072 			       struct cfg80211_registered_device *rdev,
1073 			       bool large)
1074 {
1075 	struct nlattr *nl_wowlan;
1076 
1077 	if (!rdev->wiphy.wowlan)
1078 		return 0;
1079 
1080 	nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1081 	if (!nl_wowlan)
1082 		return -ENOBUFS;
1083 
1084 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1085 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1086 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1087 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1088 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1089 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1090 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1091 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1092 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1093 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1094 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1095 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1096 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1097 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1098 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1099 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1100 		return -ENOBUFS;
1101 
1102 	if (rdev->wiphy.wowlan->n_patterns) {
1103 		struct nl80211_pattern_support pat = {
1104 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1105 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1106 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1107 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1108 		};
1109 
1110 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1111 			    sizeof(pat), &pat))
1112 			return -ENOBUFS;
1113 	}
1114 
1115 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1116 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1117 			rdev->wiphy.wowlan->max_nd_match_sets))
1118 		return -ENOBUFS;
1119 
1120 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1121 		return -ENOBUFS;
1122 
1123 	nla_nest_end(msg, nl_wowlan);
1124 
1125 	return 0;
1126 }
1127 #endif
1128 
1129 static int nl80211_send_coalesce(struct sk_buff *msg,
1130 				 struct cfg80211_registered_device *rdev)
1131 {
1132 	struct nl80211_coalesce_rule_support rule;
1133 
1134 	if (!rdev->wiphy.coalesce)
1135 		return 0;
1136 
1137 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1138 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1139 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1140 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1141 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1142 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1143 
1144 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1145 		return -ENOBUFS;
1146 
1147 	return 0;
1148 }
1149 
1150 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1151 				      struct ieee80211_supported_band *sband)
1152 {
1153 	struct nlattr *nl_rates, *nl_rate;
1154 	struct ieee80211_rate *rate;
1155 	int i;
1156 
1157 	/* add HT info */
1158 	if (sband->ht_cap.ht_supported &&
1159 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1160 		     sizeof(sband->ht_cap.mcs),
1161 		     &sband->ht_cap.mcs) ||
1162 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1163 			 sband->ht_cap.cap) ||
1164 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1165 			sband->ht_cap.ampdu_factor) ||
1166 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1167 			sband->ht_cap.ampdu_density)))
1168 		return -ENOBUFS;
1169 
1170 	/* add VHT info */
1171 	if (sband->vht_cap.vht_supported &&
1172 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1173 		     sizeof(sband->vht_cap.vht_mcs),
1174 		     &sband->vht_cap.vht_mcs) ||
1175 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1176 			 sband->vht_cap.cap)))
1177 		return -ENOBUFS;
1178 
1179 	/* add bitrates */
1180 	nl_rates = nla_nest_start(msg, NL80211_BAND_ATTR_RATES);
1181 	if (!nl_rates)
1182 		return -ENOBUFS;
1183 
1184 	for (i = 0; i < sband->n_bitrates; i++) {
1185 		nl_rate = nla_nest_start(msg, i);
1186 		if (!nl_rate)
1187 			return -ENOBUFS;
1188 
1189 		rate = &sband->bitrates[i];
1190 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1191 				rate->bitrate))
1192 			return -ENOBUFS;
1193 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1194 		    nla_put_flag(msg,
1195 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1196 			return -ENOBUFS;
1197 
1198 		nla_nest_end(msg, nl_rate);
1199 	}
1200 
1201 	nla_nest_end(msg, nl_rates);
1202 
1203 	return 0;
1204 }
1205 
1206 static int
1207 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1208 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1209 {
1210 	u16 stypes;
1211 	struct nlattr *nl_ftypes, *nl_ifs;
1212 	enum nl80211_iftype ift;
1213 	int i;
1214 
1215 	if (!mgmt_stypes)
1216 		return 0;
1217 
1218 	nl_ifs = nla_nest_start(msg, NL80211_ATTR_TX_FRAME_TYPES);
1219 	if (!nl_ifs)
1220 		return -ENOBUFS;
1221 
1222 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1223 		nl_ftypes = nla_nest_start(msg, ift);
1224 		if (!nl_ftypes)
1225 			return -ENOBUFS;
1226 		i = 0;
1227 		stypes = mgmt_stypes[ift].tx;
1228 		while (stypes) {
1229 			if ((stypes & 1) &&
1230 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1231 					(i << 4) | IEEE80211_FTYPE_MGMT))
1232 				return -ENOBUFS;
1233 			stypes >>= 1;
1234 			i++;
1235 		}
1236 		nla_nest_end(msg, nl_ftypes);
1237 	}
1238 
1239 	nla_nest_end(msg, nl_ifs);
1240 
1241 	nl_ifs = nla_nest_start(msg, NL80211_ATTR_RX_FRAME_TYPES);
1242 	if (!nl_ifs)
1243 		return -ENOBUFS;
1244 
1245 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1246 		nl_ftypes = nla_nest_start(msg, ift);
1247 		if (!nl_ftypes)
1248 			return -ENOBUFS;
1249 		i = 0;
1250 		stypes = mgmt_stypes[ift].rx;
1251 		while (stypes) {
1252 			if ((stypes & 1) &&
1253 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1254 					(i << 4) | IEEE80211_FTYPE_MGMT))
1255 				return -ENOBUFS;
1256 			stypes >>= 1;
1257 			i++;
1258 		}
1259 		nla_nest_end(msg, nl_ftypes);
1260 	}
1261 	nla_nest_end(msg, nl_ifs);
1262 
1263 	return 0;
1264 }
1265 
1266 struct nl80211_dump_wiphy_state {
1267 	s64 filter_wiphy;
1268 	long start;
1269 	long split_start, band_start, chan_start, capa_start;
1270 	bool split;
1271 };
1272 
1273 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
1274 			      enum nl80211_commands cmd,
1275 			      struct sk_buff *msg, u32 portid, u32 seq,
1276 			      int flags, struct nl80211_dump_wiphy_state *state)
1277 {
1278 	void *hdr;
1279 	struct nlattr *nl_bands, *nl_band;
1280 	struct nlattr *nl_freqs, *nl_freq;
1281 	struct nlattr *nl_cmds;
1282 	enum nl80211_band band;
1283 	struct ieee80211_channel *chan;
1284 	int i;
1285 	const struct ieee80211_txrx_stypes *mgmt_stypes =
1286 				rdev->wiphy.mgmt_stypes;
1287 	u32 features;
1288 
1289 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
1290 	if (!hdr)
1291 		return -ENOBUFS;
1292 
1293 	if (WARN_ON(!state))
1294 		return -EINVAL;
1295 
1296 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
1297 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
1298 			   wiphy_name(&rdev->wiphy)) ||
1299 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
1300 			cfg80211_rdev_list_generation))
1301 		goto nla_put_failure;
1302 
1303 	if (cmd != NL80211_CMD_NEW_WIPHY)
1304 		goto finish;
1305 
1306 	switch (state->split_start) {
1307 	case 0:
1308 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
1309 			       rdev->wiphy.retry_short) ||
1310 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
1311 			       rdev->wiphy.retry_long) ||
1312 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
1313 				rdev->wiphy.frag_threshold) ||
1314 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
1315 				rdev->wiphy.rts_threshold) ||
1316 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
1317 			       rdev->wiphy.coverage_class) ||
1318 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
1319 			       rdev->wiphy.max_scan_ssids) ||
1320 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
1321 			       rdev->wiphy.max_sched_scan_ssids) ||
1322 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
1323 				rdev->wiphy.max_scan_ie_len) ||
1324 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
1325 				rdev->wiphy.max_sched_scan_ie_len) ||
1326 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
1327 			       rdev->wiphy.max_match_sets) ||
1328 		    nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
1329 				rdev->wiphy.max_sched_scan_plans) ||
1330 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
1331 				rdev->wiphy.max_sched_scan_plan_interval) ||
1332 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
1333 				rdev->wiphy.max_sched_scan_plan_iterations))
1334 			goto nla_put_failure;
1335 
1336 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
1337 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
1338 			goto nla_put_failure;
1339 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
1340 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
1341 			goto nla_put_failure;
1342 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
1343 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
1344 			goto nla_put_failure;
1345 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
1346 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
1347 			goto nla_put_failure;
1348 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
1349 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
1350 			goto nla_put_failure;
1351 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
1352 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
1353 			goto nla_put_failure;
1354 		state->split_start++;
1355 		if (state->split)
1356 			break;
1357 	case 1:
1358 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
1359 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
1360 			    rdev->wiphy.cipher_suites))
1361 			goto nla_put_failure;
1362 
1363 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
1364 			       rdev->wiphy.max_num_pmkids))
1365 			goto nla_put_failure;
1366 
1367 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
1368 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
1369 			goto nla_put_failure;
1370 
1371 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
1372 				rdev->wiphy.available_antennas_tx) ||
1373 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
1374 				rdev->wiphy.available_antennas_rx))
1375 			goto nla_put_failure;
1376 
1377 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
1378 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
1379 				rdev->wiphy.probe_resp_offload))
1380 			goto nla_put_failure;
1381 
1382 		if ((rdev->wiphy.available_antennas_tx ||
1383 		     rdev->wiphy.available_antennas_rx) &&
1384 		    rdev->ops->get_antenna) {
1385 			u32 tx_ant = 0, rx_ant = 0;
1386 			int res;
1387 
1388 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
1389 			if (!res) {
1390 				if (nla_put_u32(msg,
1391 						NL80211_ATTR_WIPHY_ANTENNA_TX,
1392 						tx_ant) ||
1393 				    nla_put_u32(msg,
1394 						NL80211_ATTR_WIPHY_ANTENNA_RX,
1395 						rx_ant))
1396 					goto nla_put_failure;
1397 			}
1398 		}
1399 
1400 		state->split_start++;
1401 		if (state->split)
1402 			break;
1403 	case 2:
1404 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
1405 					rdev->wiphy.interface_modes))
1406 				goto nla_put_failure;
1407 		state->split_start++;
1408 		if (state->split)
1409 			break;
1410 	case 3:
1411 		nl_bands = nla_nest_start(msg, NL80211_ATTR_WIPHY_BANDS);
1412 		if (!nl_bands)
1413 			goto nla_put_failure;
1414 
1415 		for (band = state->band_start;
1416 		     band < NUM_NL80211_BANDS; band++) {
1417 			struct ieee80211_supported_band *sband;
1418 
1419 			sband = rdev->wiphy.bands[band];
1420 
1421 			if (!sband)
1422 				continue;
1423 
1424 			nl_band = nla_nest_start(msg, band);
1425 			if (!nl_band)
1426 				goto nla_put_failure;
1427 
1428 			switch (state->chan_start) {
1429 			case 0:
1430 				if (nl80211_send_band_rateinfo(msg, sband))
1431 					goto nla_put_failure;
1432 				state->chan_start++;
1433 				if (state->split)
1434 					break;
1435 			default:
1436 				/* add frequencies */
1437 				nl_freqs = nla_nest_start(
1438 					msg, NL80211_BAND_ATTR_FREQS);
1439 				if (!nl_freqs)
1440 					goto nla_put_failure;
1441 
1442 				for (i = state->chan_start - 1;
1443 				     i < sband->n_channels;
1444 				     i++) {
1445 					nl_freq = nla_nest_start(msg, i);
1446 					if (!nl_freq)
1447 						goto nla_put_failure;
1448 
1449 					chan = &sband->channels[i];
1450 
1451 					if (nl80211_msg_put_channel(
1452 							msg, chan,
1453 							state->split))
1454 						goto nla_put_failure;
1455 
1456 					nla_nest_end(msg, nl_freq);
1457 					if (state->split)
1458 						break;
1459 				}
1460 				if (i < sband->n_channels)
1461 					state->chan_start = i + 2;
1462 				else
1463 					state->chan_start = 0;
1464 				nla_nest_end(msg, nl_freqs);
1465 			}
1466 
1467 			nla_nest_end(msg, nl_band);
1468 
1469 			if (state->split) {
1470 				/* start again here */
1471 				if (state->chan_start)
1472 					band--;
1473 				break;
1474 			}
1475 		}
1476 		nla_nest_end(msg, nl_bands);
1477 
1478 		if (band < NUM_NL80211_BANDS)
1479 			state->band_start = band + 1;
1480 		else
1481 			state->band_start = 0;
1482 
1483 		/* if bands & channels are done, continue outside */
1484 		if (state->band_start == 0 && state->chan_start == 0)
1485 			state->split_start++;
1486 		if (state->split)
1487 			break;
1488 	case 4:
1489 		nl_cmds = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_COMMANDS);
1490 		if (!nl_cmds)
1491 			goto nla_put_failure;
1492 
1493 		i = 0;
1494 #define CMD(op, n)							\
1495 		 do {							\
1496 			if (rdev->ops->op) {				\
1497 				i++;					\
1498 				if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) \
1499 					goto nla_put_failure;		\
1500 			}						\
1501 		} while (0)
1502 
1503 		CMD(add_virtual_intf, NEW_INTERFACE);
1504 		CMD(change_virtual_intf, SET_INTERFACE);
1505 		CMD(add_key, NEW_KEY);
1506 		CMD(start_ap, START_AP);
1507 		CMD(add_station, NEW_STATION);
1508 		CMD(add_mpath, NEW_MPATH);
1509 		CMD(update_mesh_config, SET_MESH_CONFIG);
1510 		CMD(change_bss, SET_BSS);
1511 		CMD(auth, AUTHENTICATE);
1512 		CMD(assoc, ASSOCIATE);
1513 		CMD(deauth, DEAUTHENTICATE);
1514 		CMD(disassoc, DISASSOCIATE);
1515 		CMD(join_ibss, JOIN_IBSS);
1516 		CMD(join_mesh, JOIN_MESH);
1517 		CMD(set_pmksa, SET_PMKSA);
1518 		CMD(del_pmksa, DEL_PMKSA);
1519 		CMD(flush_pmksa, FLUSH_PMKSA);
1520 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1521 			CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1522 		CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1523 		CMD(mgmt_tx, FRAME);
1524 		CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1525 		if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1526 			i++;
1527 			if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1528 				goto nla_put_failure;
1529 		}
1530 		if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1531 		    rdev->ops->join_mesh) {
1532 			i++;
1533 			if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1534 				goto nla_put_failure;
1535 		}
1536 		CMD(set_wds_peer, SET_WDS_PEER);
1537 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1538 			CMD(tdls_mgmt, TDLS_MGMT);
1539 			CMD(tdls_oper, TDLS_OPER);
1540 		}
1541 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
1542 			CMD(sched_scan_start, START_SCHED_SCAN);
1543 		CMD(probe_client, PROBE_CLIENT);
1544 		CMD(set_noack_map, SET_NOACK_MAP);
1545 		if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1546 			i++;
1547 			if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1548 				goto nla_put_failure;
1549 		}
1550 		CMD(start_p2p_device, START_P2P_DEVICE);
1551 		CMD(set_mcast_rate, SET_MCAST_RATE);
1552 #ifdef CONFIG_NL80211_TESTMODE
1553 		CMD(testmode_cmd, TESTMODE);
1554 #endif
1555 		if (state->split) {
1556 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
1557 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
1558 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
1559 				CMD(channel_switch, CHANNEL_SWITCH);
1560 			CMD(set_qos_map, SET_QOS_MAP);
1561 			if (rdev->wiphy.features &
1562 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
1563 				CMD(add_tx_ts, ADD_TX_TS);
1564 		}
1565 		/* add into the if now */
1566 #undef CMD
1567 
1568 		if (rdev->ops->connect || rdev->ops->auth) {
1569 			i++;
1570 			if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1571 				goto nla_put_failure;
1572 		}
1573 
1574 		if (rdev->ops->disconnect || rdev->ops->deauth) {
1575 			i++;
1576 			if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1577 				goto nla_put_failure;
1578 		}
1579 
1580 		nla_nest_end(msg, nl_cmds);
1581 		state->split_start++;
1582 		if (state->split)
1583 			break;
1584 	case 5:
1585 		if (rdev->ops->remain_on_channel &&
1586 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
1587 		    nla_put_u32(msg,
1588 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
1589 				rdev->wiphy.max_remain_on_channel_duration))
1590 			goto nla_put_failure;
1591 
1592 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
1593 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
1594 			goto nla_put_failure;
1595 
1596 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
1597 			goto nla_put_failure;
1598 		state->split_start++;
1599 		if (state->split)
1600 			break;
1601 	case 6:
1602 #ifdef CONFIG_PM
1603 		if (nl80211_send_wowlan(msg, rdev, state->split))
1604 			goto nla_put_failure;
1605 		state->split_start++;
1606 		if (state->split)
1607 			break;
1608 #else
1609 		state->split_start++;
1610 #endif
1611 	case 7:
1612 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
1613 					rdev->wiphy.software_iftypes))
1614 			goto nla_put_failure;
1615 
1616 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
1617 						   state->split))
1618 			goto nla_put_failure;
1619 
1620 		state->split_start++;
1621 		if (state->split)
1622 			break;
1623 	case 8:
1624 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
1625 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
1626 				rdev->wiphy.ap_sme_capa))
1627 			goto nla_put_failure;
1628 
1629 		features = rdev->wiphy.features;
1630 		/*
1631 		 * We can only add the per-channel limit information if the
1632 		 * dump is split, otherwise it makes it too big. Therefore
1633 		 * only advertise it in that case.
1634 		 */
1635 		if (state->split)
1636 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
1637 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
1638 			goto nla_put_failure;
1639 
1640 		if (rdev->wiphy.ht_capa_mod_mask &&
1641 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
1642 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
1643 			    rdev->wiphy.ht_capa_mod_mask))
1644 			goto nla_put_failure;
1645 
1646 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
1647 		    rdev->wiphy.max_acl_mac_addrs &&
1648 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
1649 				rdev->wiphy.max_acl_mac_addrs))
1650 			goto nla_put_failure;
1651 
1652 		/*
1653 		 * Any information below this point is only available to
1654 		 * applications that can deal with it being split. This
1655 		 * helps ensure that newly added capabilities don't break
1656 		 * older tools by overrunning their buffers.
1657 		 *
1658 		 * We still increment split_start so that in the split
1659 		 * case we'll continue with more data in the next round,
1660 		 * but break unconditionally so unsplit data stops here.
1661 		 */
1662 		state->split_start++;
1663 		break;
1664 	case 9:
1665 		if (rdev->wiphy.extended_capabilities &&
1666 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
1667 			     rdev->wiphy.extended_capabilities_len,
1668 			     rdev->wiphy.extended_capabilities) ||
1669 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
1670 			     rdev->wiphy.extended_capabilities_len,
1671 			     rdev->wiphy.extended_capabilities_mask)))
1672 			goto nla_put_failure;
1673 
1674 		if (rdev->wiphy.vht_capa_mod_mask &&
1675 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
1676 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
1677 			    rdev->wiphy.vht_capa_mod_mask))
1678 			goto nla_put_failure;
1679 
1680 		state->split_start++;
1681 		break;
1682 	case 10:
1683 		if (nl80211_send_coalesce(msg, rdev))
1684 			goto nla_put_failure;
1685 
1686 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
1687 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
1688 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
1689 			goto nla_put_failure;
1690 
1691 		if (rdev->wiphy.max_ap_assoc_sta &&
1692 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
1693 				rdev->wiphy.max_ap_assoc_sta))
1694 			goto nla_put_failure;
1695 
1696 		state->split_start++;
1697 		break;
1698 	case 11:
1699 		if (rdev->wiphy.n_vendor_commands) {
1700 			const struct nl80211_vendor_cmd_info *info;
1701 			struct nlattr *nested;
1702 
1703 			nested = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
1704 			if (!nested)
1705 				goto nla_put_failure;
1706 
1707 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
1708 				info = &rdev->wiphy.vendor_commands[i].info;
1709 				if (nla_put(msg, i + 1, sizeof(*info), info))
1710 					goto nla_put_failure;
1711 			}
1712 			nla_nest_end(msg, nested);
1713 		}
1714 
1715 		if (rdev->wiphy.n_vendor_events) {
1716 			const struct nl80211_vendor_cmd_info *info;
1717 			struct nlattr *nested;
1718 
1719 			nested = nla_nest_start(msg,
1720 						NL80211_ATTR_VENDOR_EVENTS);
1721 			if (!nested)
1722 				goto nla_put_failure;
1723 
1724 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
1725 				info = &rdev->wiphy.vendor_events[i];
1726 				if (nla_put(msg, i + 1, sizeof(*info), info))
1727 					goto nla_put_failure;
1728 			}
1729 			nla_nest_end(msg, nested);
1730 		}
1731 		state->split_start++;
1732 		break;
1733 	case 12:
1734 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
1735 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
1736 			       rdev->wiphy.max_num_csa_counters))
1737 			goto nla_put_failure;
1738 
1739 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
1740 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
1741 			goto nla_put_failure;
1742 
1743 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
1744 			    sizeof(rdev->wiphy.ext_features),
1745 			    rdev->wiphy.ext_features))
1746 			goto nla_put_failure;
1747 
1748 		if (rdev->wiphy.bss_select_support) {
1749 			struct nlattr *nested;
1750 			u32 bss_select_support = rdev->wiphy.bss_select_support;
1751 
1752 			nested = nla_nest_start(msg, NL80211_ATTR_BSS_SELECT);
1753 			if (!nested)
1754 				goto nla_put_failure;
1755 
1756 			i = 0;
1757 			while (bss_select_support) {
1758 				if ((bss_select_support & 1) &&
1759 				    nla_put_flag(msg, i))
1760 					goto nla_put_failure;
1761 				i++;
1762 				bss_select_support >>= 1;
1763 			}
1764 			nla_nest_end(msg, nested);
1765 		}
1766 
1767 		state->split_start++;
1768 		break;
1769 	case 13:
1770 		if (rdev->wiphy.num_iftype_ext_capab &&
1771 		    rdev->wiphy.iftype_ext_capab) {
1772 			struct nlattr *nested_ext_capab, *nested;
1773 
1774 			nested = nla_nest_start(msg,
1775 						NL80211_ATTR_IFTYPE_EXT_CAPA);
1776 			if (!nested)
1777 				goto nla_put_failure;
1778 
1779 			for (i = state->capa_start;
1780 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
1781 				const struct wiphy_iftype_ext_capab *capab;
1782 
1783 				capab = &rdev->wiphy.iftype_ext_capab[i];
1784 
1785 				nested_ext_capab = nla_nest_start(msg, i);
1786 				if (!nested_ext_capab ||
1787 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
1788 						capab->iftype) ||
1789 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
1790 					    capab->extended_capabilities_len,
1791 					    capab->extended_capabilities) ||
1792 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
1793 					    capab->extended_capabilities_len,
1794 					    capab->extended_capabilities_mask))
1795 					goto nla_put_failure;
1796 
1797 				nla_nest_end(msg, nested_ext_capab);
1798 				if (state->split)
1799 					break;
1800 			}
1801 			nla_nest_end(msg, nested);
1802 			if (i < rdev->wiphy.num_iftype_ext_capab) {
1803 				state->capa_start = i + 1;
1804 				break;
1805 			}
1806 		}
1807 
1808 		/* done */
1809 		state->split_start = 0;
1810 		break;
1811 	}
1812  finish:
1813 	genlmsg_end(msg, hdr);
1814 	return 0;
1815 
1816  nla_put_failure:
1817 	genlmsg_cancel(msg, hdr);
1818 	return -EMSGSIZE;
1819 }
1820 
1821 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
1822 				    struct netlink_callback *cb,
1823 				    struct nl80211_dump_wiphy_state *state)
1824 {
1825 	struct nlattr **tb = nl80211_fam.attrbuf;
1826 	int ret = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
1827 			      tb, nl80211_fam.maxattr, nl80211_policy);
1828 	/* ignore parse errors for backward compatibility */
1829 	if (ret)
1830 		return 0;
1831 
1832 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
1833 	if (tb[NL80211_ATTR_WIPHY])
1834 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
1835 	if (tb[NL80211_ATTR_WDEV])
1836 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
1837 	if (tb[NL80211_ATTR_IFINDEX]) {
1838 		struct net_device *netdev;
1839 		struct cfg80211_registered_device *rdev;
1840 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
1841 
1842 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
1843 		if (!netdev)
1844 			return -ENODEV;
1845 		if (netdev->ieee80211_ptr) {
1846 			rdev = wiphy_to_rdev(
1847 				netdev->ieee80211_ptr->wiphy);
1848 			state->filter_wiphy = rdev->wiphy_idx;
1849 		}
1850 	}
1851 
1852 	return 0;
1853 }
1854 
1855 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
1856 {
1857 	int idx = 0, ret;
1858 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
1859 	struct cfg80211_registered_device *rdev;
1860 
1861 	rtnl_lock();
1862 	if (!state) {
1863 		state = kzalloc(sizeof(*state), GFP_KERNEL);
1864 		if (!state) {
1865 			rtnl_unlock();
1866 			return -ENOMEM;
1867 		}
1868 		state->filter_wiphy = -1;
1869 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
1870 		if (ret) {
1871 			kfree(state);
1872 			rtnl_unlock();
1873 			return ret;
1874 		}
1875 		cb->args[0] = (long)state;
1876 	}
1877 
1878 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
1879 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
1880 			continue;
1881 		if (++idx <= state->start)
1882 			continue;
1883 		if (state->filter_wiphy != -1 &&
1884 		    state->filter_wiphy != rdev->wiphy_idx)
1885 			continue;
1886 		/* attempt to fit multiple wiphy data chunks into the skb */
1887 		do {
1888 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
1889 						 skb,
1890 						 NETLINK_CB(cb->skb).portid,
1891 						 cb->nlh->nlmsg_seq,
1892 						 NLM_F_MULTI, state);
1893 			if (ret < 0) {
1894 				/*
1895 				 * If sending the wiphy data didn't fit (ENOBUFS
1896 				 * or EMSGSIZE returned), this SKB is still
1897 				 * empty (so it's not too big because another
1898 				 * wiphy dataset is already in the skb) and
1899 				 * we've not tried to adjust the dump allocation
1900 				 * yet ... then adjust the alloc size to be
1901 				 * bigger, and return 1 but with the empty skb.
1902 				 * This results in an empty message being RX'ed
1903 				 * in userspace, but that is ignored.
1904 				 *
1905 				 * We can then retry with the larger buffer.
1906 				 */
1907 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
1908 				    !skb->len && !state->split &&
1909 				    cb->min_dump_alloc < 4096) {
1910 					cb->min_dump_alloc = 4096;
1911 					state->split_start = 0;
1912 					rtnl_unlock();
1913 					return 1;
1914 				}
1915 				idx--;
1916 				break;
1917 			}
1918 		} while (state->split_start > 0);
1919 		break;
1920 	}
1921 	rtnl_unlock();
1922 
1923 	state->start = idx;
1924 
1925 	return skb->len;
1926 }
1927 
1928 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
1929 {
1930 	kfree((void *)cb->args[0]);
1931 	return 0;
1932 }
1933 
1934 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
1935 {
1936 	struct sk_buff *msg;
1937 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
1938 	struct nl80211_dump_wiphy_state state = {};
1939 
1940 	msg = nlmsg_new(4096, GFP_KERNEL);
1941 	if (!msg)
1942 		return -ENOMEM;
1943 
1944 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
1945 			       info->snd_portid, info->snd_seq, 0,
1946 			       &state) < 0) {
1947 		nlmsg_free(msg);
1948 		return -ENOBUFS;
1949 	}
1950 
1951 	return genlmsg_reply(msg, info);
1952 }
1953 
1954 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
1955 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
1956 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
1957 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
1958 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
1959 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
1960 };
1961 
1962 static int parse_txq_params(struct nlattr *tb[],
1963 			    struct ieee80211_txq_params *txq_params)
1964 {
1965 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
1966 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
1967 	    !tb[NL80211_TXQ_ATTR_AIFS])
1968 		return -EINVAL;
1969 
1970 	txq_params->ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
1971 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
1972 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
1973 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
1974 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
1975 
1976 	if (txq_params->ac >= NL80211_NUM_ACS)
1977 		return -EINVAL;
1978 
1979 	return 0;
1980 }
1981 
1982 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
1983 {
1984 	/*
1985 	 * You can only set the channel explicitly for WDS interfaces,
1986 	 * all others have their channel managed via their respective
1987 	 * "establish a connection" command (connect, join, ...)
1988 	 *
1989 	 * For AP/GO and mesh mode, the channel can be set with the
1990 	 * channel userspace API, but is only stored and passed to the
1991 	 * low-level driver when the AP starts or the mesh is joined.
1992 	 * This is for backward compatibility, userspace can also give
1993 	 * the channel in the start-ap or join-mesh commands instead.
1994 	 *
1995 	 * Monitors are special as they are normally slaved to
1996 	 * whatever else is going on, so they have their own special
1997 	 * operation to set the monitor channel if possible.
1998 	 */
1999 	return !wdev ||
2000 		wdev->iftype == NL80211_IFTYPE_AP ||
2001 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
2002 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
2003 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
2004 }
2005 
2006 static int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
2007 				 struct genl_info *info,
2008 				 struct cfg80211_chan_def *chandef)
2009 {
2010 	u32 control_freq;
2011 
2012 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
2013 		return -EINVAL;
2014 
2015 	control_freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
2016 
2017 	chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
2018 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
2019 	chandef->center_freq1 = control_freq;
2020 	chandef->center_freq2 = 0;
2021 
2022 	/* Primary channel not allowed */
2023 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED)
2024 		return -EINVAL;
2025 
2026 	if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
2027 		enum nl80211_channel_type chantype;
2028 
2029 		chantype = nla_get_u32(
2030 				info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
2031 
2032 		switch (chantype) {
2033 		case NL80211_CHAN_NO_HT:
2034 		case NL80211_CHAN_HT20:
2035 		case NL80211_CHAN_HT40PLUS:
2036 		case NL80211_CHAN_HT40MINUS:
2037 			cfg80211_chandef_create(chandef, chandef->chan,
2038 						chantype);
2039 			break;
2040 		default:
2041 			return -EINVAL;
2042 		}
2043 	} else if (info->attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
2044 		chandef->width =
2045 			nla_get_u32(info->attrs[NL80211_ATTR_CHANNEL_WIDTH]);
2046 		if (info->attrs[NL80211_ATTR_CENTER_FREQ1])
2047 			chandef->center_freq1 =
2048 				nla_get_u32(
2049 					info->attrs[NL80211_ATTR_CENTER_FREQ1]);
2050 		if (info->attrs[NL80211_ATTR_CENTER_FREQ2])
2051 			chandef->center_freq2 =
2052 				nla_get_u32(
2053 					info->attrs[NL80211_ATTR_CENTER_FREQ2]);
2054 	}
2055 
2056 	if (!cfg80211_chandef_valid(chandef))
2057 		return -EINVAL;
2058 
2059 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
2060 				     IEEE80211_CHAN_DISABLED))
2061 		return -EINVAL;
2062 
2063 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
2064 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
2065 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ))
2066 		return -EINVAL;
2067 
2068 	return 0;
2069 }
2070 
2071 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
2072 				 struct net_device *dev,
2073 				 struct genl_info *info)
2074 {
2075 	struct cfg80211_chan_def chandef;
2076 	int result;
2077 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
2078 	struct wireless_dev *wdev = NULL;
2079 
2080 	if (dev)
2081 		wdev = dev->ieee80211_ptr;
2082 	if (!nl80211_can_set_dev_channel(wdev))
2083 		return -EOPNOTSUPP;
2084 	if (wdev)
2085 		iftype = wdev->iftype;
2086 
2087 	result = nl80211_parse_chandef(rdev, info, &chandef);
2088 	if (result)
2089 		return result;
2090 
2091 	switch (iftype) {
2092 	case NL80211_IFTYPE_AP:
2093 	case NL80211_IFTYPE_P2P_GO:
2094 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
2095 						   iftype)) {
2096 			result = -EINVAL;
2097 			break;
2098 		}
2099 		if (wdev->beacon_interval) {
2100 			if (!dev || !rdev->ops->set_ap_chanwidth ||
2101 			    !(rdev->wiphy.features &
2102 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
2103 				result = -EBUSY;
2104 				break;
2105 			}
2106 
2107 			/* Only allow dynamic channel width changes */
2108 			if (chandef.chan != wdev->preset_chandef.chan) {
2109 				result = -EBUSY;
2110 				break;
2111 			}
2112 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
2113 			if (result)
2114 				break;
2115 		}
2116 		wdev->preset_chandef = chandef;
2117 		result = 0;
2118 		break;
2119 	case NL80211_IFTYPE_MESH_POINT:
2120 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
2121 		break;
2122 	case NL80211_IFTYPE_MONITOR:
2123 		result = cfg80211_set_monitor_channel(rdev, &chandef);
2124 		break;
2125 	default:
2126 		result = -EINVAL;
2127 	}
2128 
2129 	return result;
2130 }
2131 
2132 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
2133 {
2134 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2135 	struct net_device *netdev = info->user_ptr[1];
2136 
2137 	return __nl80211_set_channel(rdev, netdev, info);
2138 }
2139 
2140 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
2141 {
2142 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2143 	struct net_device *dev = info->user_ptr[1];
2144 	struct wireless_dev *wdev = dev->ieee80211_ptr;
2145 	const u8 *bssid;
2146 
2147 	if (!info->attrs[NL80211_ATTR_MAC])
2148 		return -EINVAL;
2149 
2150 	if (netif_running(dev))
2151 		return -EBUSY;
2152 
2153 	if (!rdev->ops->set_wds_peer)
2154 		return -EOPNOTSUPP;
2155 
2156 	if (wdev->iftype != NL80211_IFTYPE_WDS)
2157 		return -EOPNOTSUPP;
2158 
2159 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
2160 	return rdev_set_wds_peer(rdev, dev, bssid);
2161 }
2162 
2163 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
2164 {
2165 	struct cfg80211_registered_device *rdev;
2166 	struct net_device *netdev = NULL;
2167 	struct wireless_dev *wdev;
2168 	int result = 0, rem_txq_params = 0;
2169 	struct nlattr *nl_txq_params;
2170 	u32 changed;
2171 	u8 retry_short = 0, retry_long = 0;
2172 	u32 frag_threshold = 0, rts_threshold = 0;
2173 	u8 coverage_class = 0;
2174 
2175 	ASSERT_RTNL();
2176 
2177 	/*
2178 	 * Try to find the wiphy and netdev. Normally this
2179 	 * function shouldn't need the netdev, but this is
2180 	 * done for backward compatibility -- previously
2181 	 * setting the channel was done per wiphy, but now
2182 	 * it is per netdev. Previous userland like hostapd
2183 	 * also passed a netdev to set_wiphy, so that it is
2184 	 * possible to let that go to the right netdev!
2185 	 */
2186 
2187 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
2188 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
2189 
2190 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
2191 		if (netdev && netdev->ieee80211_ptr)
2192 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
2193 		else
2194 			netdev = NULL;
2195 	}
2196 
2197 	if (!netdev) {
2198 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
2199 						  info->attrs);
2200 		if (IS_ERR(rdev))
2201 			return PTR_ERR(rdev);
2202 		wdev = NULL;
2203 		netdev = NULL;
2204 		result = 0;
2205 	} else
2206 		wdev = netdev->ieee80211_ptr;
2207 
2208 	/*
2209 	 * end workaround code, by now the rdev is available
2210 	 * and locked, and wdev may or may not be NULL.
2211 	 */
2212 
2213 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
2214 		result = cfg80211_dev_rename(
2215 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
2216 
2217 	if (result)
2218 		return result;
2219 
2220 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
2221 		struct ieee80211_txq_params txq_params;
2222 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
2223 
2224 		if (!rdev->ops->set_txq_params)
2225 			return -EOPNOTSUPP;
2226 
2227 		if (!netdev)
2228 			return -EINVAL;
2229 
2230 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2231 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2232 			return -EINVAL;
2233 
2234 		if (!netif_running(netdev))
2235 			return -ENETDOWN;
2236 
2237 		nla_for_each_nested(nl_txq_params,
2238 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
2239 				    rem_txq_params) {
2240 			result = nla_parse(tb, NL80211_TXQ_ATTR_MAX,
2241 					   nla_data(nl_txq_params),
2242 					   nla_len(nl_txq_params),
2243 					   txq_params_policy);
2244 			if (result)
2245 				return result;
2246 			result = parse_txq_params(tb, &txq_params);
2247 			if (result)
2248 				return result;
2249 
2250 			result = rdev_set_txq_params(rdev, netdev,
2251 						     &txq_params);
2252 			if (result)
2253 				return result;
2254 		}
2255 	}
2256 
2257 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2258 		result = __nl80211_set_channel(
2259 			rdev,
2260 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
2261 			info);
2262 		if (result)
2263 			return result;
2264 	}
2265 
2266 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
2267 		struct wireless_dev *txp_wdev = wdev;
2268 		enum nl80211_tx_power_setting type;
2269 		int idx, mbm = 0;
2270 
2271 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
2272 			txp_wdev = NULL;
2273 
2274 		if (!rdev->ops->set_tx_power)
2275 			return -EOPNOTSUPP;
2276 
2277 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
2278 		type = nla_get_u32(info->attrs[idx]);
2279 
2280 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
2281 		    (type != NL80211_TX_POWER_AUTOMATIC))
2282 			return -EINVAL;
2283 
2284 		if (type != NL80211_TX_POWER_AUTOMATIC) {
2285 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
2286 			mbm = nla_get_u32(info->attrs[idx]);
2287 		}
2288 
2289 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
2290 		if (result)
2291 			return result;
2292 	}
2293 
2294 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
2295 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
2296 		u32 tx_ant, rx_ant;
2297 
2298 		if ((!rdev->wiphy.available_antennas_tx &&
2299 		     !rdev->wiphy.available_antennas_rx) ||
2300 		    !rdev->ops->set_antenna)
2301 			return -EOPNOTSUPP;
2302 
2303 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
2304 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
2305 
2306 		/* reject antenna configurations which don't match the
2307 		 * available antenna masks, except for the "all" mask */
2308 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
2309 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
2310 			return -EINVAL;
2311 
2312 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
2313 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
2314 
2315 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
2316 		if (result)
2317 			return result;
2318 	}
2319 
2320 	changed = 0;
2321 
2322 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
2323 		retry_short = nla_get_u8(
2324 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
2325 		if (retry_short == 0)
2326 			return -EINVAL;
2327 
2328 		changed |= WIPHY_PARAM_RETRY_SHORT;
2329 	}
2330 
2331 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
2332 		retry_long = nla_get_u8(
2333 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
2334 		if (retry_long == 0)
2335 			return -EINVAL;
2336 
2337 		changed |= WIPHY_PARAM_RETRY_LONG;
2338 	}
2339 
2340 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
2341 		frag_threshold = nla_get_u32(
2342 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
2343 		if (frag_threshold < 256)
2344 			return -EINVAL;
2345 
2346 		if (frag_threshold != (u32) -1) {
2347 			/*
2348 			 * Fragments (apart from the last one) are required to
2349 			 * have even length. Make the fragmentation code
2350 			 * simpler by stripping LSB should someone try to use
2351 			 * odd threshold value.
2352 			 */
2353 			frag_threshold &= ~0x1;
2354 		}
2355 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
2356 	}
2357 
2358 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
2359 		rts_threshold = nla_get_u32(
2360 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
2361 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
2362 	}
2363 
2364 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
2365 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
2366 			return -EINVAL;
2367 
2368 		coverage_class = nla_get_u8(
2369 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
2370 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
2371 	}
2372 
2373 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
2374 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
2375 			return -EOPNOTSUPP;
2376 
2377 		changed |= WIPHY_PARAM_DYN_ACK;
2378 	}
2379 
2380 	if (changed) {
2381 		u8 old_retry_short, old_retry_long;
2382 		u32 old_frag_threshold, old_rts_threshold;
2383 		u8 old_coverage_class;
2384 
2385 		if (!rdev->ops->set_wiphy_params)
2386 			return -EOPNOTSUPP;
2387 
2388 		old_retry_short = rdev->wiphy.retry_short;
2389 		old_retry_long = rdev->wiphy.retry_long;
2390 		old_frag_threshold = rdev->wiphy.frag_threshold;
2391 		old_rts_threshold = rdev->wiphy.rts_threshold;
2392 		old_coverage_class = rdev->wiphy.coverage_class;
2393 
2394 		if (changed & WIPHY_PARAM_RETRY_SHORT)
2395 			rdev->wiphy.retry_short = retry_short;
2396 		if (changed & WIPHY_PARAM_RETRY_LONG)
2397 			rdev->wiphy.retry_long = retry_long;
2398 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
2399 			rdev->wiphy.frag_threshold = frag_threshold;
2400 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
2401 			rdev->wiphy.rts_threshold = rts_threshold;
2402 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
2403 			rdev->wiphy.coverage_class = coverage_class;
2404 
2405 		result = rdev_set_wiphy_params(rdev, changed);
2406 		if (result) {
2407 			rdev->wiphy.retry_short = old_retry_short;
2408 			rdev->wiphy.retry_long = old_retry_long;
2409 			rdev->wiphy.frag_threshold = old_frag_threshold;
2410 			rdev->wiphy.rts_threshold = old_rts_threshold;
2411 			rdev->wiphy.coverage_class = old_coverage_class;
2412 			return result;
2413 		}
2414 	}
2415 	return 0;
2416 }
2417 
2418 static inline u64 wdev_id(struct wireless_dev *wdev)
2419 {
2420 	return (u64)wdev->identifier |
2421 	       ((u64)wiphy_to_rdev(wdev->wiphy)->wiphy_idx << 32);
2422 }
2423 
2424 static int nl80211_send_chandef(struct sk_buff *msg,
2425 				const struct cfg80211_chan_def *chandef)
2426 {
2427 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
2428 		return -EINVAL;
2429 
2430 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
2431 			chandef->chan->center_freq))
2432 		return -ENOBUFS;
2433 	switch (chandef->width) {
2434 	case NL80211_CHAN_WIDTH_20_NOHT:
2435 	case NL80211_CHAN_WIDTH_20:
2436 	case NL80211_CHAN_WIDTH_40:
2437 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
2438 				cfg80211_get_chandef_type(chandef)))
2439 			return -ENOBUFS;
2440 		break;
2441 	default:
2442 		break;
2443 	}
2444 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
2445 		return -ENOBUFS;
2446 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
2447 		return -ENOBUFS;
2448 	if (chandef->center_freq2 &&
2449 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
2450 		return -ENOBUFS;
2451 	return 0;
2452 }
2453 
2454 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
2455 			      struct cfg80211_registered_device *rdev,
2456 			      struct wireless_dev *wdev, bool removal)
2457 {
2458 	struct net_device *dev = wdev->netdev;
2459 	u8 cmd = NL80211_CMD_NEW_INTERFACE;
2460 	void *hdr;
2461 
2462 	if (removal)
2463 		cmd = NL80211_CMD_DEL_INTERFACE;
2464 
2465 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2466 	if (!hdr)
2467 		return -1;
2468 
2469 	if (dev &&
2470 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2471 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
2472 		goto nla_put_failure;
2473 
2474 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2475 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
2476 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
2477 			      NL80211_ATTR_PAD) ||
2478 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
2479 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2480 			rdev->devlist_generation ^
2481 			(cfg80211_rdev_list_generation << 2)))
2482 		goto nla_put_failure;
2483 
2484 	if (rdev->ops->get_channel) {
2485 		int ret;
2486 		struct cfg80211_chan_def chandef;
2487 
2488 		ret = rdev_get_channel(rdev, wdev, &chandef);
2489 		if (ret == 0) {
2490 			if (nl80211_send_chandef(msg, &chandef))
2491 				goto nla_put_failure;
2492 		}
2493 	}
2494 
2495 	if (rdev->ops->get_tx_power) {
2496 		int dbm, ret;
2497 
2498 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
2499 		if (ret == 0 &&
2500 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
2501 				DBM_TO_MBM(dbm)))
2502 			goto nla_put_failure;
2503 	}
2504 
2505 	if (wdev->ssid_len) {
2506 		if (nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
2507 			goto nla_put_failure;
2508 	}
2509 
2510 	genlmsg_end(msg, hdr);
2511 	return 0;
2512 
2513  nla_put_failure:
2514 	genlmsg_cancel(msg, hdr);
2515 	return -EMSGSIZE;
2516 }
2517 
2518 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
2519 {
2520 	int wp_idx = 0;
2521 	int if_idx = 0;
2522 	int wp_start = cb->args[0];
2523 	int if_start = cb->args[1];
2524 	struct cfg80211_registered_device *rdev;
2525 	struct wireless_dev *wdev;
2526 
2527 	rtnl_lock();
2528 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2529 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2530 			continue;
2531 		if (wp_idx < wp_start) {
2532 			wp_idx++;
2533 			continue;
2534 		}
2535 		if_idx = 0;
2536 
2537 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
2538 			if (if_idx < if_start) {
2539 				if_idx++;
2540 				continue;
2541 			}
2542 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
2543 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
2544 					       rdev, wdev, false) < 0) {
2545 				goto out;
2546 			}
2547 			if_idx++;
2548 		}
2549 
2550 		wp_idx++;
2551 	}
2552  out:
2553 	rtnl_unlock();
2554 
2555 	cb->args[0] = wp_idx;
2556 	cb->args[1] = if_idx;
2557 
2558 	return skb->len;
2559 }
2560 
2561 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
2562 {
2563 	struct sk_buff *msg;
2564 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2565 	struct wireless_dev *wdev = info->user_ptr[1];
2566 
2567 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2568 	if (!msg)
2569 		return -ENOMEM;
2570 
2571 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2572 			       rdev, wdev, false) < 0) {
2573 		nlmsg_free(msg);
2574 		return -ENOBUFS;
2575 	}
2576 
2577 	return genlmsg_reply(msg, info);
2578 }
2579 
2580 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
2581 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
2582 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
2583 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
2584 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
2585 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
2586 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
2587 };
2588 
2589 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
2590 {
2591 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
2592 	int flag;
2593 
2594 	*mntrflags = 0;
2595 
2596 	if (!nla)
2597 		return -EINVAL;
2598 
2599 	if (nla_parse_nested(flags, NL80211_MNTR_FLAG_MAX,
2600 			     nla, mntr_flags_policy))
2601 		return -EINVAL;
2602 
2603 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
2604 		if (flags[flag])
2605 			*mntrflags |= (1<<flag);
2606 
2607 	return 0;
2608 }
2609 
2610 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
2611 			       struct net_device *netdev, u8 use_4addr,
2612 			       enum nl80211_iftype iftype)
2613 {
2614 	if (!use_4addr) {
2615 		if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
2616 			return -EBUSY;
2617 		return 0;
2618 	}
2619 
2620 	switch (iftype) {
2621 	case NL80211_IFTYPE_AP_VLAN:
2622 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
2623 			return 0;
2624 		break;
2625 	case NL80211_IFTYPE_STATION:
2626 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
2627 			return 0;
2628 		break;
2629 	default:
2630 		break;
2631 	}
2632 
2633 	return -EOPNOTSUPP;
2634 }
2635 
2636 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
2637 {
2638 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2639 	struct vif_params params;
2640 	int err;
2641 	enum nl80211_iftype otype, ntype;
2642 	struct net_device *dev = info->user_ptr[1];
2643 	u32 _flags, *flags = NULL;
2644 	bool change = false;
2645 
2646 	memset(&params, 0, sizeof(params));
2647 
2648 	otype = ntype = dev->ieee80211_ptr->iftype;
2649 
2650 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2651 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2652 		if (otype != ntype)
2653 			change = true;
2654 		if (ntype > NL80211_IFTYPE_MAX)
2655 			return -EINVAL;
2656 	}
2657 
2658 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
2659 		struct wireless_dev *wdev = dev->ieee80211_ptr;
2660 
2661 		if (ntype != NL80211_IFTYPE_MESH_POINT)
2662 			return -EINVAL;
2663 		if (netif_running(dev))
2664 			return -EBUSY;
2665 
2666 		wdev_lock(wdev);
2667 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2668 			     IEEE80211_MAX_MESH_ID_LEN);
2669 		wdev->mesh_id_up_len =
2670 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2671 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2672 		       wdev->mesh_id_up_len);
2673 		wdev_unlock(wdev);
2674 	}
2675 
2676 	if (info->attrs[NL80211_ATTR_4ADDR]) {
2677 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2678 		change = true;
2679 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
2680 		if (err)
2681 			return err;
2682 	} else {
2683 		params.use_4addr = -1;
2684 	}
2685 
2686 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
2687 		if (ntype != NL80211_IFTYPE_MONITOR)
2688 			return -EINVAL;
2689 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
2690 					  &_flags);
2691 		if (err)
2692 			return err;
2693 
2694 		flags = &_flags;
2695 		change = true;
2696 	}
2697 
2698 	if (flags && (*flags & MONITOR_FLAG_ACTIVE) &&
2699 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
2700 		return -EOPNOTSUPP;
2701 
2702 	if (change)
2703 		err = cfg80211_change_iface(rdev, dev, ntype, flags, &params);
2704 	else
2705 		err = 0;
2706 
2707 	if (!err && params.use_4addr != -1)
2708 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
2709 
2710 	return err;
2711 }
2712 
2713 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
2714 {
2715 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2716 	struct vif_params params;
2717 	struct wireless_dev *wdev;
2718 	struct sk_buff *msg, *event;
2719 	int err;
2720 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
2721 	u32 flags;
2722 
2723 	/* to avoid failing a new interface creation due to pending removal */
2724 	cfg80211_destroy_ifaces(rdev);
2725 
2726 	memset(&params, 0, sizeof(params));
2727 
2728 	if (!info->attrs[NL80211_ATTR_IFNAME])
2729 		return -EINVAL;
2730 
2731 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
2732 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2733 		if (type > NL80211_IFTYPE_MAX)
2734 			return -EINVAL;
2735 	}
2736 
2737 	if (!rdev->ops->add_virtual_intf ||
2738 	    !(rdev->wiphy.interface_modes & (1 << type)))
2739 		return -EOPNOTSUPP;
2740 
2741 	if ((type == NL80211_IFTYPE_P2P_DEVICE ||
2742 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
2743 	    info->attrs[NL80211_ATTR_MAC]) {
2744 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
2745 			   ETH_ALEN);
2746 		if (!is_valid_ether_addr(params.macaddr))
2747 			return -EADDRNOTAVAIL;
2748 	}
2749 
2750 	if (info->attrs[NL80211_ATTR_4ADDR]) {
2751 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2752 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
2753 		if (err)
2754 			return err;
2755 	}
2756 
2757 	err = parse_monitor_flags(type == NL80211_IFTYPE_MONITOR ?
2758 				  info->attrs[NL80211_ATTR_MNTR_FLAGS] : NULL,
2759 				  &flags);
2760 
2761 	if (!err && (flags & MONITOR_FLAG_ACTIVE) &&
2762 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
2763 		return -EOPNOTSUPP;
2764 
2765 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2766 	if (!msg)
2767 		return -ENOMEM;
2768 
2769 	wdev = rdev_add_virtual_intf(rdev,
2770 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
2771 				NET_NAME_USER, type, err ? NULL : &flags,
2772 				&params);
2773 	if (WARN_ON(!wdev)) {
2774 		nlmsg_free(msg);
2775 		return -EPROTO;
2776 	} else if (IS_ERR(wdev)) {
2777 		nlmsg_free(msg);
2778 		return PTR_ERR(wdev);
2779 	}
2780 
2781 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
2782 		wdev->owner_nlportid = info->snd_portid;
2783 
2784 	switch (type) {
2785 	case NL80211_IFTYPE_MESH_POINT:
2786 		if (!info->attrs[NL80211_ATTR_MESH_ID])
2787 			break;
2788 		wdev_lock(wdev);
2789 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2790 			     IEEE80211_MAX_MESH_ID_LEN);
2791 		wdev->mesh_id_up_len =
2792 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2793 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2794 		       wdev->mesh_id_up_len);
2795 		wdev_unlock(wdev);
2796 		break;
2797 	case NL80211_IFTYPE_P2P_DEVICE:
2798 		/*
2799 		 * P2P Device doesn't have a netdev, so doesn't go
2800 		 * through the netdev notifier and must be added here
2801 		 */
2802 		mutex_init(&wdev->mtx);
2803 		INIT_LIST_HEAD(&wdev->event_list);
2804 		spin_lock_init(&wdev->event_lock);
2805 		INIT_LIST_HEAD(&wdev->mgmt_registrations);
2806 		spin_lock_init(&wdev->mgmt_registrations_lock);
2807 
2808 		wdev->identifier = ++rdev->wdev_id;
2809 		list_add_rcu(&wdev->list, &rdev->wiphy.wdev_list);
2810 		rdev->devlist_generation++;
2811 		break;
2812 	default:
2813 		break;
2814 	}
2815 
2816 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2817 			       rdev, wdev, false) < 0) {
2818 		nlmsg_free(msg);
2819 		return -ENOBUFS;
2820 	}
2821 
2822 	event = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2823 	if (event) {
2824 		if (nl80211_send_iface(event, 0, 0, 0,
2825 				       rdev, wdev, false) < 0) {
2826 			nlmsg_free(event);
2827 			goto out;
2828 		}
2829 
2830 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
2831 					event, 0, NL80211_MCGRP_CONFIG,
2832 					GFP_KERNEL);
2833 	}
2834 
2835 out:
2836 	return genlmsg_reply(msg, info);
2837 }
2838 
2839 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
2840 {
2841 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2842 	struct wireless_dev *wdev = info->user_ptr[1];
2843 	struct sk_buff *msg;
2844 	int status;
2845 
2846 	if (!rdev->ops->del_virtual_intf)
2847 		return -EOPNOTSUPP;
2848 
2849 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2850 	if (msg && nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, true) < 0) {
2851 		nlmsg_free(msg);
2852 		msg = NULL;
2853 	}
2854 
2855 	/*
2856 	 * If we remove a wireless device without a netdev then clear
2857 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
2858 	 * to check if it needs to do dev_put(). Otherwise it crashes
2859 	 * since the wdev has been freed, unlike with a netdev where
2860 	 * we need the dev_put() for the netdev to really be freed.
2861 	 */
2862 	if (!wdev->netdev)
2863 		info->user_ptr[1] = NULL;
2864 
2865 	status = rdev_del_virtual_intf(rdev, wdev);
2866 	if (status >= 0 && msg)
2867 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
2868 					msg, 0, NL80211_MCGRP_CONFIG,
2869 					GFP_KERNEL);
2870 	else
2871 		nlmsg_free(msg);
2872 
2873 	return status;
2874 }
2875 
2876 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
2877 {
2878 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2879 	struct net_device *dev = info->user_ptr[1];
2880 	u16 noack_map;
2881 
2882 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
2883 		return -EINVAL;
2884 
2885 	if (!rdev->ops->set_noack_map)
2886 		return -EOPNOTSUPP;
2887 
2888 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
2889 
2890 	return rdev_set_noack_map(rdev, dev, noack_map);
2891 }
2892 
2893 struct get_key_cookie {
2894 	struct sk_buff *msg;
2895 	int error;
2896 	int idx;
2897 };
2898 
2899 static void get_key_callback(void *c, struct key_params *params)
2900 {
2901 	struct nlattr *key;
2902 	struct get_key_cookie *cookie = c;
2903 
2904 	if ((params->key &&
2905 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
2906 		     params->key_len, params->key)) ||
2907 	    (params->seq &&
2908 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
2909 		     params->seq_len, params->seq)) ||
2910 	    (params->cipher &&
2911 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
2912 			 params->cipher)))
2913 		goto nla_put_failure;
2914 
2915 	key = nla_nest_start(cookie->msg, NL80211_ATTR_KEY);
2916 	if (!key)
2917 		goto nla_put_failure;
2918 
2919 	if ((params->key &&
2920 	     nla_put(cookie->msg, NL80211_KEY_DATA,
2921 		     params->key_len, params->key)) ||
2922 	    (params->seq &&
2923 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
2924 		     params->seq_len, params->seq)) ||
2925 	    (params->cipher &&
2926 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
2927 			 params->cipher)))
2928 		goto nla_put_failure;
2929 
2930 	if (nla_put_u8(cookie->msg, NL80211_ATTR_KEY_IDX, cookie->idx))
2931 		goto nla_put_failure;
2932 
2933 	nla_nest_end(cookie->msg, key);
2934 
2935 	return;
2936  nla_put_failure:
2937 	cookie->error = 1;
2938 }
2939 
2940 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
2941 {
2942 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2943 	int err;
2944 	struct net_device *dev = info->user_ptr[1];
2945 	u8 key_idx = 0;
2946 	const u8 *mac_addr = NULL;
2947 	bool pairwise;
2948 	struct get_key_cookie cookie = {
2949 		.error = 0,
2950 	};
2951 	void *hdr;
2952 	struct sk_buff *msg;
2953 
2954 	if (info->attrs[NL80211_ATTR_KEY_IDX])
2955 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
2956 
2957 	if (key_idx > 5)
2958 		return -EINVAL;
2959 
2960 	if (info->attrs[NL80211_ATTR_MAC])
2961 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2962 
2963 	pairwise = !!mac_addr;
2964 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
2965 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
2966 
2967 		if (kt >= NUM_NL80211_KEYTYPES)
2968 			return -EINVAL;
2969 		if (kt != NL80211_KEYTYPE_GROUP &&
2970 		    kt != NL80211_KEYTYPE_PAIRWISE)
2971 			return -EINVAL;
2972 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
2973 	}
2974 
2975 	if (!rdev->ops->get_key)
2976 		return -EOPNOTSUPP;
2977 
2978 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2979 		return -ENOENT;
2980 
2981 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2982 	if (!msg)
2983 		return -ENOMEM;
2984 
2985 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
2986 			     NL80211_CMD_NEW_KEY);
2987 	if (!hdr)
2988 		goto nla_put_failure;
2989 
2990 	cookie.msg = msg;
2991 	cookie.idx = key_idx;
2992 
2993 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2994 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
2995 		goto nla_put_failure;
2996 	if (mac_addr &&
2997 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
2998 		goto nla_put_failure;
2999 
3000 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
3001 			   get_key_callback);
3002 
3003 	if (err)
3004 		goto free_msg;
3005 
3006 	if (cookie.error)
3007 		goto nla_put_failure;
3008 
3009 	genlmsg_end(msg, hdr);
3010 	return genlmsg_reply(msg, info);
3011 
3012  nla_put_failure:
3013 	err = -ENOBUFS;
3014  free_msg:
3015 	nlmsg_free(msg);
3016 	return err;
3017 }
3018 
3019 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
3020 {
3021 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3022 	struct key_parse key;
3023 	int err;
3024 	struct net_device *dev = info->user_ptr[1];
3025 
3026 	err = nl80211_parse_key(info, &key);
3027 	if (err)
3028 		return err;
3029 
3030 	if (key.idx < 0)
3031 		return -EINVAL;
3032 
3033 	/* only support setting default key */
3034 	if (!key.def && !key.defmgmt)
3035 		return -EINVAL;
3036 
3037 	wdev_lock(dev->ieee80211_ptr);
3038 
3039 	if (key.def) {
3040 		if (!rdev->ops->set_default_key) {
3041 			err = -EOPNOTSUPP;
3042 			goto out;
3043 		}
3044 
3045 		err = nl80211_key_allowed(dev->ieee80211_ptr);
3046 		if (err)
3047 			goto out;
3048 
3049 		err = rdev_set_default_key(rdev, dev, key.idx,
3050 						 key.def_uni, key.def_multi);
3051 
3052 		if (err)
3053 			goto out;
3054 
3055 #ifdef CONFIG_CFG80211_WEXT
3056 		dev->ieee80211_ptr->wext.default_key = key.idx;
3057 #endif
3058 	} else {
3059 		if (key.def_uni || !key.def_multi) {
3060 			err = -EINVAL;
3061 			goto out;
3062 		}
3063 
3064 		if (!rdev->ops->set_default_mgmt_key) {
3065 			err = -EOPNOTSUPP;
3066 			goto out;
3067 		}
3068 
3069 		err = nl80211_key_allowed(dev->ieee80211_ptr);
3070 		if (err)
3071 			goto out;
3072 
3073 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
3074 		if (err)
3075 			goto out;
3076 
3077 #ifdef CONFIG_CFG80211_WEXT
3078 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
3079 #endif
3080 	}
3081 
3082  out:
3083 	wdev_unlock(dev->ieee80211_ptr);
3084 
3085 	return err;
3086 }
3087 
3088 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
3089 {
3090 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3091 	int err;
3092 	struct net_device *dev = info->user_ptr[1];
3093 	struct key_parse key;
3094 	const u8 *mac_addr = NULL;
3095 
3096 	err = nl80211_parse_key(info, &key);
3097 	if (err)
3098 		return err;
3099 
3100 	if (!key.p.key)
3101 		return -EINVAL;
3102 
3103 	if (info->attrs[NL80211_ATTR_MAC])
3104 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3105 
3106 	if (key.type == -1) {
3107 		if (mac_addr)
3108 			key.type = NL80211_KEYTYPE_PAIRWISE;
3109 		else
3110 			key.type = NL80211_KEYTYPE_GROUP;
3111 	}
3112 
3113 	/* for now */
3114 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3115 	    key.type != NL80211_KEYTYPE_GROUP)
3116 		return -EINVAL;
3117 
3118 	if (!rdev->ops->add_key)
3119 		return -EOPNOTSUPP;
3120 
3121 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
3122 					   key.type == NL80211_KEYTYPE_PAIRWISE,
3123 					   mac_addr))
3124 		return -EINVAL;
3125 
3126 	wdev_lock(dev->ieee80211_ptr);
3127 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3128 	if (!err)
3129 		err = rdev_add_key(rdev, dev, key.idx,
3130 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3131 				    mac_addr, &key.p);
3132 	wdev_unlock(dev->ieee80211_ptr);
3133 
3134 	return err;
3135 }
3136 
3137 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
3138 {
3139 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3140 	int err;
3141 	struct net_device *dev = info->user_ptr[1];
3142 	u8 *mac_addr = NULL;
3143 	struct key_parse key;
3144 
3145 	err = nl80211_parse_key(info, &key);
3146 	if (err)
3147 		return err;
3148 
3149 	if (info->attrs[NL80211_ATTR_MAC])
3150 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3151 
3152 	if (key.type == -1) {
3153 		if (mac_addr)
3154 			key.type = NL80211_KEYTYPE_PAIRWISE;
3155 		else
3156 			key.type = NL80211_KEYTYPE_GROUP;
3157 	}
3158 
3159 	/* for now */
3160 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3161 	    key.type != NL80211_KEYTYPE_GROUP)
3162 		return -EINVAL;
3163 
3164 	if (!rdev->ops->del_key)
3165 		return -EOPNOTSUPP;
3166 
3167 	wdev_lock(dev->ieee80211_ptr);
3168 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3169 
3170 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
3171 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3172 		err = -ENOENT;
3173 
3174 	if (!err)
3175 		err = rdev_del_key(rdev, dev, key.idx,
3176 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3177 				   mac_addr);
3178 
3179 #ifdef CONFIG_CFG80211_WEXT
3180 	if (!err) {
3181 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
3182 			dev->ieee80211_ptr->wext.default_key = -1;
3183 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
3184 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
3185 	}
3186 #endif
3187 	wdev_unlock(dev->ieee80211_ptr);
3188 
3189 	return err;
3190 }
3191 
3192 /* This function returns an error or the number of nested attributes */
3193 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
3194 {
3195 	struct nlattr *attr;
3196 	int n_entries = 0, tmp;
3197 
3198 	nla_for_each_nested(attr, nl_attr, tmp) {
3199 		if (nla_len(attr) != ETH_ALEN)
3200 			return -EINVAL;
3201 
3202 		n_entries++;
3203 	}
3204 
3205 	return n_entries;
3206 }
3207 
3208 /*
3209  * This function parses ACL information and allocates memory for ACL data.
3210  * On successful return, the calling function is responsible to free the
3211  * ACL buffer returned by this function.
3212  */
3213 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
3214 						struct genl_info *info)
3215 {
3216 	enum nl80211_acl_policy acl_policy;
3217 	struct nlattr *attr;
3218 	struct cfg80211_acl_data *acl;
3219 	int i = 0, n_entries, tmp;
3220 
3221 	if (!wiphy->max_acl_mac_addrs)
3222 		return ERR_PTR(-EOPNOTSUPP);
3223 
3224 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
3225 		return ERR_PTR(-EINVAL);
3226 
3227 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
3228 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
3229 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
3230 		return ERR_PTR(-EINVAL);
3231 
3232 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
3233 		return ERR_PTR(-EINVAL);
3234 
3235 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
3236 	if (n_entries < 0)
3237 		return ERR_PTR(n_entries);
3238 
3239 	if (n_entries > wiphy->max_acl_mac_addrs)
3240 		return ERR_PTR(-ENOTSUPP);
3241 
3242 	acl = kzalloc(sizeof(*acl) + (sizeof(struct mac_address) * n_entries),
3243 		      GFP_KERNEL);
3244 	if (!acl)
3245 		return ERR_PTR(-ENOMEM);
3246 
3247 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
3248 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
3249 		i++;
3250 	}
3251 
3252 	acl->n_acl_entries = n_entries;
3253 	acl->acl_policy = acl_policy;
3254 
3255 	return acl;
3256 }
3257 
3258 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
3259 {
3260 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3261 	struct net_device *dev = info->user_ptr[1];
3262 	struct cfg80211_acl_data *acl;
3263 	int err;
3264 
3265 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3266 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3267 		return -EOPNOTSUPP;
3268 
3269 	if (!dev->ieee80211_ptr->beacon_interval)
3270 		return -EINVAL;
3271 
3272 	acl = parse_acl_data(&rdev->wiphy, info);
3273 	if (IS_ERR(acl))
3274 		return PTR_ERR(acl);
3275 
3276 	err = rdev_set_mac_acl(rdev, dev, acl);
3277 
3278 	kfree(acl);
3279 
3280 	return err;
3281 }
3282 
3283 static int nl80211_parse_beacon(struct nlattr *attrs[],
3284 				struct cfg80211_beacon_data *bcn)
3285 {
3286 	bool haveinfo = false;
3287 
3288 	if (!is_valid_ie_attr(attrs[NL80211_ATTR_BEACON_TAIL]) ||
3289 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE]) ||
3290 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE_PROBE_RESP]) ||
3291 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE_ASSOC_RESP]))
3292 		return -EINVAL;
3293 
3294 	memset(bcn, 0, sizeof(*bcn));
3295 
3296 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
3297 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
3298 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
3299 		if (!bcn->head_len)
3300 			return -EINVAL;
3301 		haveinfo = true;
3302 	}
3303 
3304 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
3305 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
3306 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
3307 		haveinfo = true;
3308 	}
3309 
3310 	if (!haveinfo)
3311 		return -EINVAL;
3312 
3313 	if (attrs[NL80211_ATTR_IE]) {
3314 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
3315 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
3316 	}
3317 
3318 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
3319 		bcn->proberesp_ies =
3320 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
3321 		bcn->proberesp_ies_len =
3322 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
3323 	}
3324 
3325 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
3326 		bcn->assocresp_ies =
3327 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
3328 		bcn->assocresp_ies_len =
3329 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
3330 	}
3331 
3332 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
3333 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
3334 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
3335 	}
3336 
3337 	return 0;
3338 }
3339 
3340 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
3341 				   struct cfg80211_ap_settings *params)
3342 {
3343 	struct wireless_dev *wdev;
3344 	bool ret = false;
3345 
3346 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3347 		if (wdev->iftype != NL80211_IFTYPE_AP &&
3348 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
3349 			continue;
3350 
3351 		if (!wdev->preset_chandef.chan)
3352 			continue;
3353 
3354 		params->chandef = wdev->preset_chandef;
3355 		ret = true;
3356 		break;
3357 	}
3358 
3359 	return ret;
3360 }
3361 
3362 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
3363 				    enum nl80211_auth_type auth_type,
3364 				    enum nl80211_commands cmd)
3365 {
3366 	if (auth_type > NL80211_AUTHTYPE_MAX)
3367 		return false;
3368 
3369 	switch (cmd) {
3370 	case NL80211_CMD_AUTHENTICATE:
3371 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
3372 		    auth_type == NL80211_AUTHTYPE_SAE)
3373 			return false;
3374 		return true;
3375 	case NL80211_CMD_CONNECT:
3376 	case NL80211_CMD_START_AP:
3377 		/* SAE not supported yet */
3378 		if (auth_type == NL80211_AUTHTYPE_SAE)
3379 			return false;
3380 		return true;
3381 	default:
3382 		return false;
3383 	}
3384 }
3385 
3386 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
3387 {
3388 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3389 	struct net_device *dev = info->user_ptr[1];
3390 	struct wireless_dev *wdev = dev->ieee80211_ptr;
3391 	struct cfg80211_ap_settings params;
3392 	int err;
3393 
3394 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3395 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3396 		return -EOPNOTSUPP;
3397 
3398 	if (!rdev->ops->start_ap)
3399 		return -EOPNOTSUPP;
3400 
3401 	if (wdev->beacon_interval)
3402 		return -EALREADY;
3403 
3404 	memset(&params, 0, sizeof(params));
3405 
3406 	/* these are required for START_AP */
3407 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
3408 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
3409 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
3410 		return -EINVAL;
3411 
3412 	err = nl80211_parse_beacon(info->attrs, &params.beacon);
3413 	if (err)
3414 		return err;
3415 
3416 	params.beacon_interval =
3417 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
3418 	params.dtim_period =
3419 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
3420 
3421 	err = cfg80211_validate_beacon_int(rdev, params.beacon_interval);
3422 	if (err)
3423 		return err;
3424 
3425 	/*
3426 	 * In theory, some of these attributes should be required here
3427 	 * but since they were not used when the command was originally
3428 	 * added, keep them optional for old user space programs to let
3429 	 * them continue to work with drivers that do not need the
3430 	 * additional information -- drivers must check!
3431 	 */
3432 	if (info->attrs[NL80211_ATTR_SSID]) {
3433 		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
3434 		params.ssid_len =
3435 			nla_len(info->attrs[NL80211_ATTR_SSID]);
3436 		if (params.ssid_len == 0 ||
3437 		    params.ssid_len > IEEE80211_MAX_SSID_LEN)
3438 			return -EINVAL;
3439 	}
3440 
3441 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID]) {
3442 		params.hidden_ssid = nla_get_u32(
3443 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
3444 		if (params.hidden_ssid != NL80211_HIDDEN_SSID_NOT_IN_USE &&
3445 		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_LEN &&
3446 		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_CONTENTS)
3447 			return -EINVAL;
3448 	}
3449 
3450 	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
3451 
3452 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
3453 		params.auth_type = nla_get_u32(
3454 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
3455 		if (!nl80211_valid_auth_type(rdev, params.auth_type,
3456 					     NL80211_CMD_START_AP))
3457 			return -EINVAL;
3458 	} else
3459 		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
3460 
3461 	err = nl80211_crypto_settings(rdev, info, &params.crypto,
3462 				      NL80211_MAX_NR_CIPHER_SUITES);
3463 	if (err)
3464 		return err;
3465 
3466 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
3467 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
3468 			return -EOPNOTSUPP;
3469 		params.inactivity_timeout = nla_get_u16(
3470 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
3471 	}
3472 
3473 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
3474 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3475 			return -EINVAL;
3476 		params.p2p_ctwindow =
3477 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
3478 		if (params.p2p_ctwindow > 127)
3479 			return -EINVAL;
3480 		if (params.p2p_ctwindow != 0 &&
3481 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
3482 			return -EINVAL;
3483 	}
3484 
3485 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
3486 		u8 tmp;
3487 
3488 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3489 			return -EINVAL;
3490 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
3491 		if (tmp > 1)
3492 			return -EINVAL;
3493 		params.p2p_opp_ps = tmp;
3494 		if (params.p2p_opp_ps != 0 &&
3495 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
3496 			return -EINVAL;
3497 	}
3498 
3499 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3500 		err = nl80211_parse_chandef(rdev, info, &params.chandef);
3501 		if (err)
3502 			return err;
3503 	} else if (wdev->preset_chandef.chan) {
3504 		params.chandef = wdev->preset_chandef;
3505 	} else if (!nl80211_get_ap_channel(rdev, &params))
3506 		return -EINVAL;
3507 
3508 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
3509 					   wdev->iftype))
3510 		return -EINVAL;
3511 
3512 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
3513 		params.smps_mode =
3514 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
3515 		switch (params.smps_mode) {
3516 		case NL80211_SMPS_OFF:
3517 			break;
3518 		case NL80211_SMPS_STATIC:
3519 			if (!(rdev->wiphy.features &
3520 			      NL80211_FEATURE_STATIC_SMPS))
3521 				return -EINVAL;
3522 			break;
3523 		case NL80211_SMPS_DYNAMIC:
3524 			if (!(rdev->wiphy.features &
3525 			      NL80211_FEATURE_DYNAMIC_SMPS))
3526 				return -EINVAL;
3527 			break;
3528 		default:
3529 			return -EINVAL;
3530 		}
3531 	} else {
3532 		params.smps_mode = NL80211_SMPS_OFF;
3533 	}
3534 
3535 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
3536 		params.acl = parse_acl_data(&rdev->wiphy, info);
3537 		if (IS_ERR(params.acl))
3538 			return PTR_ERR(params.acl);
3539 	}
3540 
3541 	params.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
3542 	if (params.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ])
3543 		return -EOPNOTSUPP;
3544 
3545 	wdev_lock(wdev);
3546 	err = rdev_start_ap(rdev, dev, &params);
3547 	if (!err) {
3548 		wdev->preset_chandef = params.chandef;
3549 		wdev->beacon_interval = params.beacon_interval;
3550 		wdev->chandef = params.chandef;
3551 		wdev->ssid_len = params.ssid_len;
3552 		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
3553 	}
3554 	wdev_unlock(wdev);
3555 
3556 	kfree(params.acl);
3557 
3558 	return err;
3559 }
3560 
3561 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
3562 {
3563 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3564 	struct net_device *dev = info->user_ptr[1];
3565 	struct wireless_dev *wdev = dev->ieee80211_ptr;
3566 	struct cfg80211_beacon_data params;
3567 	int err;
3568 
3569 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3570 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3571 		return -EOPNOTSUPP;
3572 
3573 	if (!rdev->ops->change_beacon)
3574 		return -EOPNOTSUPP;
3575 
3576 	if (!wdev->beacon_interval)
3577 		return -EINVAL;
3578 
3579 	err = nl80211_parse_beacon(info->attrs, &params);
3580 	if (err)
3581 		return err;
3582 
3583 	wdev_lock(wdev);
3584 	err = rdev_change_beacon(rdev, dev, &params);
3585 	wdev_unlock(wdev);
3586 
3587 	return err;
3588 }
3589 
3590 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
3591 {
3592 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3593 	struct net_device *dev = info->user_ptr[1];
3594 
3595 	return cfg80211_stop_ap(rdev, dev, false);
3596 }
3597 
3598 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
3599 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
3600 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
3601 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
3602 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
3603 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
3604 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
3605 };
3606 
3607 static int parse_station_flags(struct genl_info *info,
3608 			       enum nl80211_iftype iftype,
3609 			       struct station_parameters *params)
3610 {
3611 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
3612 	struct nlattr *nla;
3613 	int flag;
3614 
3615 	/*
3616 	 * Try parsing the new attribute first so userspace
3617 	 * can specify both for older kernels.
3618 	 */
3619 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
3620 	if (nla) {
3621 		struct nl80211_sta_flag_update *sta_flags;
3622 
3623 		sta_flags = nla_data(nla);
3624 		params->sta_flags_mask = sta_flags->mask;
3625 		params->sta_flags_set = sta_flags->set;
3626 		params->sta_flags_set &= params->sta_flags_mask;
3627 		if ((params->sta_flags_mask |
3628 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
3629 			return -EINVAL;
3630 		return 0;
3631 	}
3632 
3633 	/* if present, parse the old attribute */
3634 
3635 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
3636 	if (!nla)
3637 		return 0;
3638 
3639 	if (nla_parse_nested(flags, NL80211_STA_FLAG_MAX,
3640 			     nla, sta_flags_policy))
3641 		return -EINVAL;
3642 
3643 	/*
3644 	 * Only allow certain flags for interface types so that
3645 	 * other attributes are silently ignored. Remember that
3646 	 * this is backward compatibility code with old userspace
3647 	 * and shouldn't be hit in other cases anyway.
3648 	 */
3649 	switch (iftype) {
3650 	case NL80211_IFTYPE_AP:
3651 	case NL80211_IFTYPE_AP_VLAN:
3652 	case NL80211_IFTYPE_P2P_GO:
3653 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
3654 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
3655 					 BIT(NL80211_STA_FLAG_WME) |
3656 					 BIT(NL80211_STA_FLAG_MFP);
3657 		break;
3658 	case NL80211_IFTYPE_P2P_CLIENT:
3659 	case NL80211_IFTYPE_STATION:
3660 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
3661 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
3662 		break;
3663 	case NL80211_IFTYPE_MESH_POINT:
3664 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3665 					 BIT(NL80211_STA_FLAG_MFP) |
3666 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
3667 	default:
3668 		return -EINVAL;
3669 	}
3670 
3671 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
3672 		if (flags[flag]) {
3673 			params->sta_flags_set |= (1<<flag);
3674 
3675 			/* no longer support new API additions in old API */
3676 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
3677 				return -EINVAL;
3678 		}
3679 	}
3680 
3681 	return 0;
3682 }
3683 
3684 static bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info,
3685 				 int attr)
3686 {
3687 	struct nlattr *rate;
3688 	u32 bitrate;
3689 	u16 bitrate_compat;
3690 	enum nl80211_attrs rate_flg;
3691 
3692 	rate = nla_nest_start(msg, attr);
3693 	if (!rate)
3694 		return false;
3695 
3696 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
3697 	bitrate = cfg80211_calculate_bitrate(info);
3698 	/* report 16-bit bitrate only if we can */
3699 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
3700 	if (bitrate > 0 &&
3701 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
3702 		return false;
3703 	if (bitrate_compat > 0 &&
3704 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
3705 		return false;
3706 
3707 	switch (info->bw) {
3708 	case RATE_INFO_BW_5:
3709 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
3710 		break;
3711 	case RATE_INFO_BW_10:
3712 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
3713 		break;
3714 	default:
3715 		WARN_ON(1);
3716 		/* fall through */
3717 	case RATE_INFO_BW_20:
3718 		rate_flg = 0;
3719 		break;
3720 	case RATE_INFO_BW_40:
3721 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
3722 		break;
3723 	case RATE_INFO_BW_80:
3724 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
3725 		break;
3726 	case RATE_INFO_BW_160:
3727 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
3728 		break;
3729 	}
3730 
3731 	if (rate_flg && nla_put_flag(msg, rate_flg))
3732 		return false;
3733 
3734 	if (info->flags & RATE_INFO_FLAGS_MCS) {
3735 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
3736 			return false;
3737 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3738 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3739 			return false;
3740 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
3741 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
3742 			return false;
3743 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
3744 			return false;
3745 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
3746 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
3747 			return false;
3748 	}
3749 
3750 	nla_nest_end(msg, rate);
3751 	return true;
3752 }
3753 
3754 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
3755 			       int id)
3756 {
3757 	void *attr;
3758 	int i = 0;
3759 
3760 	if (!mask)
3761 		return true;
3762 
3763 	attr = nla_nest_start(msg, id);
3764 	if (!attr)
3765 		return false;
3766 
3767 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
3768 		if (!(mask & BIT(i)))
3769 			continue;
3770 
3771 		if (nla_put_u8(msg, i, signal[i]))
3772 			return false;
3773 	}
3774 
3775 	nla_nest_end(msg, attr);
3776 
3777 	return true;
3778 }
3779 
3780 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
3781 				u32 seq, int flags,
3782 				struct cfg80211_registered_device *rdev,
3783 				struct net_device *dev,
3784 				const u8 *mac_addr, struct station_info *sinfo)
3785 {
3786 	void *hdr;
3787 	struct nlattr *sinfoattr, *bss_param;
3788 
3789 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3790 	if (!hdr)
3791 		return -1;
3792 
3793 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3794 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
3795 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
3796 		goto nla_put_failure;
3797 
3798 	sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
3799 	if (!sinfoattr)
3800 		goto nla_put_failure;
3801 
3802 #define PUT_SINFO(attr, memb, type) do {				\
3803 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
3804 	if (sinfo->filled & (1ULL << NL80211_STA_INFO_ ## attr) &&	\
3805 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
3806 			     sinfo->memb))				\
3807 		goto nla_put_failure;					\
3808 	} while (0)
3809 #define PUT_SINFO_U64(attr, memb) do {					\
3810 	if (sinfo->filled & (1ULL << NL80211_STA_INFO_ ## attr) &&	\
3811 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
3812 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
3813 		goto nla_put_failure;					\
3814 	} while (0)
3815 
3816 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
3817 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
3818 
3819 	if (sinfo->filled & (BIT(NL80211_STA_INFO_RX_BYTES) |
3820 			     BIT(NL80211_STA_INFO_RX_BYTES64)) &&
3821 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
3822 			(u32)sinfo->rx_bytes))
3823 		goto nla_put_failure;
3824 
3825 	if (sinfo->filled & (BIT(NL80211_STA_INFO_TX_BYTES) |
3826 			     BIT(NL80211_STA_INFO_TX_BYTES64)) &&
3827 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
3828 			(u32)sinfo->tx_bytes))
3829 		goto nla_put_failure;
3830 
3831 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
3832 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
3833 	PUT_SINFO(LLID, llid, u16);
3834 	PUT_SINFO(PLID, plid, u16);
3835 	PUT_SINFO(PLINK_STATE, plink_state, u8);
3836 	PUT_SINFO_U64(RX_DURATION, rx_duration);
3837 
3838 	switch (rdev->wiphy.signal_type) {
3839 	case CFG80211_SIGNAL_TYPE_MBM:
3840 		PUT_SINFO(SIGNAL, signal, u8);
3841 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
3842 		break;
3843 	default:
3844 		break;
3845 	}
3846 	if (sinfo->filled & BIT(NL80211_STA_INFO_CHAIN_SIGNAL)) {
3847 		if (!nl80211_put_signal(msg, sinfo->chains,
3848 					sinfo->chain_signal,
3849 					NL80211_STA_INFO_CHAIN_SIGNAL))
3850 			goto nla_put_failure;
3851 	}
3852 	if (sinfo->filled & BIT(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
3853 		if (!nl80211_put_signal(msg, sinfo->chains,
3854 					sinfo->chain_signal_avg,
3855 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
3856 			goto nla_put_failure;
3857 	}
3858 	if (sinfo->filled & BIT(NL80211_STA_INFO_TX_BITRATE)) {
3859 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
3860 					  NL80211_STA_INFO_TX_BITRATE))
3861 			goto nla_put_failure;
3862 	}
3863 	if (sinfo->filled & BIT(NL80211_STA_INFO_RX_BITRATE)) {
3864 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
3865 					  NL80211_STA_INFO_RX_BITRATE))
3866 			goto nla_put_failure;
3867 	}
3868 
3869 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
3870 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
3871 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
3872 	PUT_SINFO(TX_FAILED, tx_failed, u32);
3873 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
3874 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
3875 	PUT_SINFO(LOCAL_PM, local_pm, u32);
3876 	PUT_SINFO(PEER_PM, peer_pm, u32);
3877 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
3878 
3879 	if (sinfo->filled & BIT(NL80211_STA_INFO_BSS_PARAM)) {
3880 		bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
3881 		if (!bss_param)
3882 			goto nla_put_failure;
3883 
3884 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
3885 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
3886 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
3887 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
3888 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
3889 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
3890 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
3891 			       sinfo->bss_param.dtim_period) ||
3892 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
3893 				sinfo->bss_param.beacon_interval))
3894 			goto nla_put_failure;
3895 
3896 		nla_nest_end(msg, bss_param);
3897 	}
3898 	if ((sinfo->filled & BIT(NL80211_STA_INFO_STA_FLAGS)) &&
3899 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
3900 		    sizeof(struct nl80211_sta_flag_update),
3901 		    &sinfo->sta_flags))
3902 		goto nla_put_failure;
3903 
3904 	PUT_SINFO_U64(T_OFFSET, t_offset);
3905 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
3906 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
3907 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
3908 
3909 #undef PUT_SINFO
3910 #undef PUT_SINFO_U64
3911 
3912 	if (sinfo->filled & BIT(NL80211_STA_INFO_TID_STATS)) {
3913 		struct nlattr *tidsattr;
3914 		int tid;
3915 
3916 		tidsattr = nla_nest_start(msg, NL80211_STA_INFO_TID_STATS);
3917 		if (!tidsattr)
3918 			goto nla_put_failure;
3919 
3920 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
3921 			struct cfg80211_tid_stats *tidstats;
3922 			struct nlattr *tidattr;
3923 
3924 			tidstats = &sinfo->pertid[tid];
3925 
3926 			if (!tidstats->filled)
3927 				continue;
3928 
3929 			tidattr = nla_nest_start(msg, tid + 1);
3930 			if (!tidattr)
3931 				goto nla_put_failure;
3932 
3933 #define PUT_TIDVAL_U64(attr, memb) do {					\
3934 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
3935 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
3936 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
3937 		goto nla_put_failure;					\
3938 	} while (0)
3939 
3940 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
3941 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
3942 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
3943 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
3944 
3945 #undef PUT_TIDVAL_U64
3946 			nla_nest_end(msg, tidattr);
3947 		}
3948 
3949 		nla_nest_end(msg, tidsattr);
3950 	}
3951 
3952 	nla_nest_end(msg, sinfoattr);
3953 
3954 	if (sinfo->assoc_req_ies_len &&
3955 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
3956 		    sinfo->assoc_req_ies))
3957 		goto nla_put_failure;
3958 
3959 	genlmsg_end(msg, hdr);
3960 	return 0;
3961 
3962  nla_put_failure:
3963 	genlmsg_cancel(msg, hdr);
3964 	return -EMSGSIZE;
3965 }
3966 
3967 static int nl80211_dump_station(struct sk_buff *skb,
3968 				struct netlink_callback *cb)
3969 {
3970 	struct station_info sinfo;
3971 	struct cfg80211_registered_device *rdev;
3972 	struct wireless_dev *wdev;
3973 	u8 mac_addr[ETH_ALEN];
3974 	int sta_idx = cb->args[2];
3975 	int err;
3976 
3977 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
3978 	if (err)
3979 		return err;
3980 
3981 	if (!wdev->netdev) {
3982 		err = -EINVAL;
3983 		goto out_err;
3984 	}
3985 
3986 	if (!rdev->ops->dump_station) {
3987 		err = -EOPNOTSUPP;
3988 		goto out_err;
3989 	}
3990 
3991 	while (1) {
3992 		memset(&sinfo, 0, sizeof(sinfo));
3993 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
3994 					mac_addr, &sinfo);
3995 		if (err == -ENOENT)
3996 			break;
3997 		if (err)
3998 			goto out_err;
3999 
4000 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
4001 				NETLINK_CB(cb->skb).portid,
4002 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
4003 				rdev, wdev->netdev, mac_addr,
4004 				&sinfo) < 0)
4005 			goto out;
4006 
4007 		sta_idx++;
4008 	}
4009 
4010  out:
4011 	cb->args[2] = sta_idx;
4012 	err = skb->len;
4013  out_err:
4014 	nl80211_finish_wdev_dump(rdev);
4015 
4016 	return err;
4017 }
4018 
4019 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
4020 {
4021 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4022 	struct net_device *dev = info->user_ptr[1];
4023 	struct station_info sinfo;
4024 	struct sk_buff *msg;
4025 	u8 *mac_addr = NULL;
4026 	int err;
4027 
4028 	memset(&sinfo, 0, sizeof(sinfo));
4029 
4030 	if (!info->attrs[NL80211_ATTR_MAC])
4031 		return -EINVAL;
4032 
4033 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4034 
4035 	if (!rdev->ops->get_station)
4036 		return -EOPNOTSUPP;
4037 
4038 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
4039 	if (err)
4040 		return err;
4041 
4042 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4043 	if (!msg)
4044 		return -ENOMEM;
4045 
4046 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
4047 				 info->snd_portid, info->snd_seq, 0,
4048 				 rdev, dev, mac_addr, &sinfo) < 0) {
4049 		nlmsg_free(msg);
4050 		return -ENOBUFS;
4051 	}
4052 
4053 	return genlmsg_reply(msg, info);
4054 }
4055 
4056 int cfg80211_check_station_change(struct wiphy *wiphy,
4057 				  struct station_parameters *params,
4058 				  enum cfg80211_station_type statype)
4059 {
4060 	if (params->listen_interval != -1 &&
4061 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
4062 		return -EINVAL;
4063 
4064 	if (params->support_p2p_ps != -1 &&
4065 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
4066 		return -EINVAL;
4067 
4068 	if (params->aid &&
4069 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
4070 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
4071 		return -EINVAL;
4072 
4073 	/* When you run into this, adjust the code below for the new flag */
4074 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
4075 
4076 	switch (statype) {
4077 	case CFG80211_STA_MESH_PEER_KERNEL:
4078 	case CFG80211_STA_MESH_PEER_USER:
4079 		/*
4080 		 * No ignoring the TDLS flag here -- the userspace mesh
4081 		 * code doesn't have the bug of including TDLS in the
4082 		 * mask everywhere.
4083 		 */
4084 		if (params->sta_flags_mask &
4085 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4086 				  BIT(NL80211_STA_FLAG_MFP) |
4087 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
4088 			return -EINVAL;
4089 		break;
4090 	case CFG80211_STA_TDLS_PEER_SETUP:
4091 	case CFG80211_STA_TDLS_PEER_ACTIVE:
4092 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
4093 			return -EINVAL;
4094 		/* ignore since it can't change */
4095 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
4096 		break;
4097 	default:
4098 		/* disallow mesh-specific things */
4099 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
4100 			return -EINVAL;
4101 		if (params->local_pm)
4102 			return -EINVAL;
4103 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
4104 			return -EINVAL;
4105 	}
4106 
4107 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
4108 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
4109 		/* TDLS can't be set, ... */
4110 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
4111 			return -EINVAL;
4112 		/*
4113 		 * ... but don't bother the driver with it. This works around
4114 		 * a hostapd/wpa_supplicant issue -- it always includes the
4115 		 * TLDS_PEER flag in the mask even for AP mode.
4116 		 */
4117 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
4118 	}
4119 
4120 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
4121 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
4122 		/* reject other things that can't change */
4123 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
4124 			return -EINVAL;
4125 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
4126 			return -EINVAL;
4127 		if (params->supported_rates)
4128 			return -EINVAL;
4129 		if (params->ext_capab || params->ht_capa || params->vht_capa)
4130 			return -EINVAL;
4131 	}
4132 
4133 	if (statype != CFG80211_STA_AP_CLIENT &&
4134 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
4135 		if (params->vlan)
4136 			return -EINVAL;
4137 	}
4138 
4139 	switch (statype) {
4140 	case CFG80211_STA_AP_MLME_CLIENT:
4141 		/* Use this only for authorizing/unauthorizing a station */
4142 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
4143 			return -EOPNOTSUPP;
4144 		break;
4145 	case CFG80211_STA_AP_CLIENT:
4146 	case CFG80211_STA_AP_CLIENT_UNASSOC:
4147 		/* accept only the listed bits */
4148 		if (params->sta_flags_mask &
4149 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
4150 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4151 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
4152 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
4153 				  BIT(NL80211_STA_FLAG_WME) |
4154 				  BIT(NL80211_STA_FLAG_MFP)))
4155 			return -EINVAL;
4156 
4157 		/* but authenticated/associated only if driver handles it */
4158 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
4159 		    params->sta_flags_mask &
4160 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4161 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
4162 			return -EINVAL;
4163 		break;
4164 	case CFG80211_STA_IBSS:
4165 	case CFG80211_STA_AP_STA:
4166 		/* reject any changes other than AUTHORIZED */
4167 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
4168 			return -EINVAL;
4169 		break;
4170 	case CFG80211_STA_TDLS_PEER_SETUP:
4171 		/* reject any changes other than AUTHORIZED or WME */
4172 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
4173 					       BIT(NL80211_STA_FLAG_WME)))
4174 			return -EINVAL;
4175 		/* force (at least) rates when authorizing */
4176 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
4177 		    !params->supported_rates)
4178 			return -EINVAL;
4179 		break;
4180 	case CFG80211_STA_TDLS_PEER_ACTIVE:
4181 		/* reject any changes */
4182 		return -EINVAL;
4183 	case CFG80211_STA_MESH_PEER_KERNEL:
4184 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
4185 			return -EINVAL;
4186 		break;
4187 	case CFG80211_STA_MESH_PEER_USER:
4188 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
4189 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
4190 			return -EINVAL;
4191 		break;
4192 	}
4193 
4194 	return 0;
4195 }
4196 EXPORT_SYMBOL(cfg80211_check_station_change);
4197 
4198 /*
4199  * Get vlan interface making sure it is running and on the right wiphy.
4200  */
4201 static struct net_device *get_vlan(struct genl_info *info,
4202 				   struct cfg80211_registered_device *rdev)
4203 {
4204 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
4205 	struct net_device *v;
4206 	int ret;
4207 
4208 	if (!vlanattr)
4209 		return NULL;
4210 
4211 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
4212 	if (!v)
4213 		return ERR_PTR(-ENODEV);
4214 
4215 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
4216 		ret = -EINVAL;
4217 		goto error;
4218 	}
4219 
4220 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
4221 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4222 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
4223 		ret = -EINVAL;
4224 		goto error;
4225 	}
4226 
4227 	if (!netif_running(v)) {
4228 		ret = -ENETDOWN;
4229 		goto error;
4230 	}
4231 
4232 	return v;
4233  error:
4234 	dev_put(v);
4235 	return ERR_PTR(ret);
4236 }
4237 
4238 static const struct nla_policy
4239 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
4240 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
4241 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
4242 };
4243 
4244 static int nl80211_parse_sta_wme(struct genl_info *info,
4245 				 struct station_parameters *params)
4246 {
4247 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
4248 	struct nlattr *nla;
4249 	int err;
4250 
4251 	/* parse WME attributes if present */
4252 	if (!info->attrs[NL80211_ATTR_STA_WME])
4253 		return 0;
4254 
4255 	nla = info->attrs[NL80211_ATTR_STA_WME];
4256 	err = nla_parse_nested(tb, NL80211_STA_WME_MAX, nla,
4257 			       nl80211_sta_wme_policy);
4258 	if (err)
4259 		return err;
4260 
4261 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
4262 		params->uapsd_queues = nla_get_u8(
4263 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
4264 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
4265 		return -EINVAL;
4266 
4267 	if (tb[NL80211_STA_WME_MAX_SP])
4268 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
4269 
4270 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
4271 		return -EINVAL;
4272 
4273 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
4274 
4275 	return 0;
4276 }
4277 
4278 static int nl80211_parse_sta_channel_info(struct genl_info *info,
4279 				      struct station_parameters *params)
4280 {
4281 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
4282 		params->supported_channels =
4283 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
4284 		params->supported_channels_len =
4285 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
4286 		/*
4287 		 * Need to include at least one (first channel, number of
4288 		 * channels) tuple for each subband, and must have proper
4289 		 * tuples for the rest of the data as well.
4290 		 */
4291 		if (params->supported_channels_len < 2)
4292 			return -EINVAL;
4293 		if (params->supported_channels_len % 2)
4294 			return -EINVAL;
4295 	}
4296 
4297 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
4298 		params->supported_oper_classes =
4299 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
4300 		params->supported_oper_classes_len =
4301 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
4302 		/*
4303 		 * The value of the Length field of the Supported Operating
4304 		 * Classes element is between 2 and 253.
4305 		 */
4306 		if (params->supported_oper_classes_len < 2 ||
4307 		    params->supported_oper_classes_len > 253)
4308 			return -EINVAL;
4309 	}
4310 	return 0;
4311 }
4312 
4313 static int nl80211_set_station_tdls(struct genl_info *info,
4314 				    struct station_parameters *params)
4315 {
4316 	int err;
4317 	/* Dummy STA entry gets updated once the peer capabilities are known */
4318 	if (info->attrs[NL80211_ATTR_PEER_AID])
4319 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
4320 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
4321 		params->ht_capa =
4322 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
4323 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
4324 		params->vht_capa =
4325 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
4326 
4327 	err = nl80211_parse_sta_channel_info(info, params);
4328 	if (err)
4329 		return err;
4330 
4331 	return nl80211_parse_sta_wme(info, params);
4332 }
4333 
4334 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
4335 {
4336 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4337 	struct net_device *dev = info->user_ptr[1];
4338 	struct station_parameters params;
4339 	u8 *mac_addr;
4340 	int err;
4341 
4342 	memset(&params, 0, sizeof(params));
4343 
4344 	if (!rdev->ops->change_station)
4345 		return -EOPNOTSUPP;
4346 
4347 	/*
4348 	 * AID and listen_interval properties can be set only for unassociated
4349 	 * station. Include these parameters here and will check them in
4350 	 * cfg80211_check_station_change().
4351 	 */
4352 	if (info->attrs[NL80211_ATTR_STA_AID])
4353 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
4354 
4355 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
4356 		params.listen_interval =
4357 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
4358 	else
4359 		params.listen_interval = -1;
4360 
4361 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
4362 		u8 tmp;
4363 
4364 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
4365 		if (tmp >= NUM_NL80211_P2P_PS_STATUS)
4366 			return -EINVAL;
4367 
4368 		params.support_p2p_ps = tmp;
4369 	} else {
4370 		params.support_p2p_ps = -1;
4371 	}
4372 
4373 	if (!info->attrs[NL80211_ATTR_MAC])
4374 		return -EINVAL;
4375 
4376 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4377 
4378 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
4379 		params.supported_rates =
4380 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4381 		params.supported_rates_len =
4382 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4383 	}
4384 
4385 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
4386 		params.capability =
4387 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
4388 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
4389 	}
4390 
4391 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
4392 		params.ext_capab =
4393 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4394 		params.ext_capab_len =
4395 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4396 	}
4397 
4398 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
4399 		return -EINVAL;
4400 
4401 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
4402 		params.plink_action =
4403 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
4404 		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
4405 			return -EINVAL;
4406 	}
4407 
4408 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
4409 		params.plink_state =
4410 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
4411 		if (params.plink_state >= NUM_NL80211_PLINK_STATES)
4412 			return -EINVAL;
4413 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
4414 	}
4415 
4416 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]) {
4417 		enum nl80211_mesh_power_mode pm = nla_get_u32(
4418 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
4419 
4420 		if (pm <= NL80211_MESH_POWER_UNKNOWN ||
4421 		    pm > NL80211_MESH_POWER_MAX)
4422 			return -EINVAL;
4423 
4424 		params.local_pm = pm;
4425 	}
4426 
4427 	/* Include parameters for TDLS peer (will check later) */
4428 	err = nl80211_set_station_tdls(info, &params);
4429 	if (err)
4430 		return err;
4431 
4432 	params.vlan = get_vlan(info, rdev);
4433 	if (IS_ERR(params.vlan))
4434 		return PTR_ERR(params.vlan);
4435 
4436 	switch (dev->ieee80211_ptr->iftype) {
4437 	case NL80211_IFTYPE_AP:
4438 	case NL80211_IFTYPE_AP_VLAN:
4439 	case NL80211_IFTYPE_P2P_GO:
4440 	case NL80211_IFTYPE_P2P_CLIENT:
4441 	case NL80211_IFTYPE_STATION:
4442 	case NL80211_IFTYPE_ADHOC:
4443 	case NL80211_IFTYPE_MESH_POINT:
4444 		break;
4445 	default:
4446 		err = -EOPNOTSUPP;
4447 		goto out_put_vlan;
4448 	}
4449 
4450 	/* driver will call cfg80211_check_station_change() */
4451 	err = rdev_change_station(rdev, dev, mac_addr, &params);
4452 
4453  out_put_vlan:
4454 	if (params.vlan)
4455 		dev_put(params.vlan);
4456 
4457 	return err;
4458 }
4459 
4460 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
4461 {
4462 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4463 	int err;
4464 	struct net_device *dev = info->user_ptr[1];
4465 	struct station_parameters params;
4466 	u8 *mac_addr = NULL;
4467 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4468 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
4469 
4470 	memset(&params, 0, sizeof(params));
4471 
4472 	if (!rdev->ops->add_station)
4473 		return -EOPNOTSUPP;
4474 
4475 	if (!info->attrs[NL80211_ATTR_MAC])
4476 		return -EINVAL;
4477 
4478 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
4479 		return -EINVAL;
4480 
4481 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
4482 		return -EINVAL;
4483 
4484 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
4485 	    !info->attrs[NL80211_ATTR_PEER_AID])
4486 		return -EINVAL;
4487 
4488 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4489 	params.supported_rates =
4490 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4491 	params.supported_rates_len =
4492 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
4493 	params.listen_interval =
4494 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
4495 
4496 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
4497 		u8 tmp;
4498 
4499 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
4500 		if (tmp >= NUM_NL80211_P2P_PS_STATUS)
4501 			return -EINVAL;
4502 
4503 		params.support_p2p_ps = tmp;
4504 	} else {
4505 		/*
4506 		 * if not specified, assume it's supported for P2P GO interface,
4507 		 * and is NOT supported for AP interface
4508 		 */
4509 		params.support_p2p_ps =
4510 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
4511 	}
4512 
4513 	if (info->attrs[NL80211_ATTR_PEER_AID])
4514 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
4515 	else
4516 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
4517 	if (!params.aid || params.aid > IEEE80211_MAX_AID)
4518 		return -EINVAL;
4519 
4520 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
4521 		params.capability =
4522 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
4523 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
4524 	}
4525 
4526 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
4527 		params.ext_capab =
4528 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4529 		params.ext_capab_len =
4530 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
4531 	}
4532 
4533 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
4534 		params.ht_capa =
4535 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
4536 
4537 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
4538 		params.vht_capa =
4539 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
4540 
4541 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
4542 		params.opmode_notif_used = true;
4543 		params.opmode_notif =
4544 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
4545 	}
4546 
4547 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
4548 		params.plink_action =
4549 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
4550 		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
4551 			return -EINVAL;
4552 	}
4553 
4554 	err = nl80211_parse_sta_channel_info(info, &params);
4555 	if (err)
4556 		return err;
4557 
4558 	err = nl80211_parse_sta_wme(info, &params);
4559 	if (err)
4560 		return err;
4561 
4562 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
4563 		return -EINVAL;
4564 
4565 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
4566 	 * as userspace might just pass through the capabilities from the IEs
4567 	 * directly, rather than enforcing this restriction and returning an
4568 	 * error in this case.
4569 	 */
4570 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
4571 		params.ht_capa = NULL;
4572 		params.vht_capa = NULL;
4573 	}
4574 
4575 	/* When you run into this, adjust the code below for the new flag */
4576 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
4577 
4578 	switch (dev->ieee80211_ptr->iftype) {
4579 	case NL80211_IFTYPE_AP:
4580 	case NL80211_IFTYPE_AP_VLAN:
4581 	case NL80211_IFTYPE_P2P_GO:
4582 		/* ignore WME attributes if iface/sta is not capable */
4583 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
4584 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
4585 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4586 
4587 		/* TDLS peers cannot be added */
4588 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
4589 		    info->attrs[NL80211_ATTR_PEER_AID])
4590 			return -EINVAL;
4591 		/* but don't bother the driver with it */
4592 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
4593 
4594 		/* allow authenticated/associated only if driver handles it */
4595 		if (!(rdev->wiphy.features &
4596 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
4597 		    params.sta_flags_mask & auth_assoc)
4598 			return -EINVAL;
4599 
4600 		/* Older userspace, or userspace wanting to be compatible with
4601 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
4602 		 * and assoc flags in the mask, but assumes the station will be
4603 		 * added as associated anyway since this was the required driver
4604 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
4605 		 * introduced.
4606 		 * In order to not bother drivers with this quirk in the API
4607 		 * set the flags in both the mask and set for new stations in
4608 		 * this case.
4609 		 */
4610 		if (!(params.sta_flags_mask & auth_assoc)) {
4611 			params.sta_flags_mask |= auth_assoc;
4612 			params.sta_flags_set |= auth_assoc;
4613 		}
4614 
4615 		/* must be last in here for error handling */
4616 		params.vlan = get_vlan(info, rdev);
4617 		if (IS_ERR(params.vlan))
4618 			return PTR_ERR(params.vlan);
4619 		break;
4620 	case NL80211_IFTYPE_MESH_POINT:
4621 		/* ignore uAPSD data */
4622 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4623 
4624 		/* associated is disallowed */
4625 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
4626 			return -EINVAL;
4627 		/* TDLS peers cannot be added */
4628 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
4629 		    info->attrs[NL80211_ATTR_PEER_AID])
4630 			return -EINVAL;
4631 		break;
4632 	case NL80211_IFTYPE_STATION:
4633 	case NL80211_IFTYPE_P2P_CLIENT:
4634 		/* ignore uAPSD data */
4635 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
4636 
4637 		/* these are disallowed */
4638 		if (params.sta_flags_mask &
4639 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
4640 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
4641 			return -EINVAL;
4642 		/* Only TDLS peers can be added */
4643 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
4644 			return -EINVAL;
4645 		/* Can only add if TDLS ... */
4646 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
4647 			return -EOPNOTSUPP;
4648 		/* ... with external setup is supported */
4649 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
4650 			return -EOPNOTSUPP;
4651 		/*
4652 		 * Older wpa_supplicant versions always mark the TDLS peer
4653 		 * as authorized, but it shouldn't yet be.
4654 		 */
4655 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
4656 		break;
4657 	default:
4658 		return -EOPNOTSUPP;
4659 	}
4660 
4661 	/* be aware of params.vlan when changing code here */
4662 
4663 	err = rdev_add_station(rdev, dev, mac_addr, &params);
4664 
4665 	if (params.vlan)
4666 		dev_put(params.vlan);
4667 	return err;
4668 }
4669 
4670 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
4671 {
4672 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4673 	struct net_device *dev = info->user_ptr[1];
4674 	struct station_del_parameters params;
4675 
4676 	memset(&params, 0, sizeof(params));
4677 
4678 	if (info->attrs[NL80211_ATTR_MAC])
4679 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
4680 
4681 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4682 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
4683 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
4684 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4685 		return -EINVAL;
4686 
4687 	if (!rdev->ops->del_station)
4688 		return -EOPNOTSUPP;
4689 
4690 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
4691 		params.subtype =
4692 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
4693 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
4694 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
4695 			return -EINVAL;
4696 	} else {
4697 		/* Default to Deauthentication frame */
4698 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
4699 	}
4700 
4701 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
4702 		params.reason_code =
4703 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
4704 		if (params.reason_code == 0)
4705 			return -EINVAL; /* 0 is reserved */
4706 	} else {
4707 		/* Default to reason code 2 */
4708 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
4709 	}
4710 
4711 	return rdev_del_station(rdev, dev, &params);
4712 }
4713 
4714 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
4715 				int flags, struct net_device *dev,
4716 				u8 *dst, u8 *next_hop,
4717 				struct mpath_info *pinfo)
4718 {
4719 	void *hdr;
4720 	struct nlattr *pinfoattr;
4721 
4722 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
4723 	if (!hdr)
4724 		return -1;
4725 
4726 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4727 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
4728 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
4729 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
4730 		goto nla_put_failure;
4731 
4732 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MPATH_INFO);
4733 	if (!pinfoattr)
4734 		goto nla_put_failure;
4735 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
4736 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
4737 			pinfo->frame_qlen))
4738 		goto nla_put_failure;
4739 	if (((pinfo->filled & MPATH_INFO_SN) &&
4740 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
4741 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
4742 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
4743 			 pinfo->metric)) ||
4744 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
4745 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
4746 			 pinfo->exptime)) ||
4747 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
4748 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
4749 			pinfo->flags)) ||
4750 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
4751 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
4752 			 pinfo->discovery_timeout)) ||
4753 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
4754 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
4755 			pinfo->discovery_retries)))
4756 		goto nla_put_failure;
4757 
4758 	nla_nest_end(msg, pinfoattr);
4759 
4760 	genlmsg_end(msg, hdr);
4761 	return 0;
4762 
4763  nla_put_failure:
4764 	genlmsg_cancel(msg, hdr);
4765 	return -EMSGSIZE;
4766 }
4767 
4768 static int nl80211_dump_mpath(struct sk_buff *skb,
4769 			      struct netlink_callback *cb)
4770 {
4771 	struct mpath_info pinfo;
4772 	struct cfg80211_registered_device *rdev;
4773 	struct wireless_dev *wdev;
4774 	u8 dst[ETH_ALEN];
4775 	u8 next_hop[ETH_ALEN];
4776 	int path_idx = cb->args[2];
4777 	int err;
4778 
4779 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
4780 	if (err)
4781 		return err;
4782 
4783 	if (!rdev->ops->dump_mpath) {
4784 		err = -EOPNOTSUPP;
4785 		goto out_err;
4786 	}
4787 
4788 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
4789 		err = -EOPNOTSUPP;
4790 		goto out_err;
4791 	}
4792 
4793 	while (1) {
4794 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
4795 				      next_hop, &pinfo);
4796 		if (err == -ENOENT)
4797 			break;
4798 		if (err)
4799 			goto out_err;
4800 
4801 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
4802 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4803 				       wdev->netdev, dst, next_hop,
4804 				       &pinfo) < 0)
4805 			goto out;
4806 
4807 		path_idx++;
4808 	}
4809 
4810  out:
4811 	cb->args[2] = path_idx;
4812 	err = skb->len;
4813  out_err:
4814 	nl80211_finish_wdev_dump(rdev);
4815 	return err;
4816 }
4817 
4818 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
4819 {
4820 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4821 	int err;
4822 	struct net_device *dev = info->user_ptr[1];
4823 	struct mpath_info pinfo;
4824 	struct sk_buff *msg;
4825 	u8 *dst = NULL;
4826 	u8 next_hop[ETH_ALEN];
4827 
4828 	memset(&pinfo, 0, sizeof(pinfo));
4829 
4830 	if (!info->attrs[NL80211_ATTR_MAC])
4831 		return -EINVAL;
4832 
4833 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4834 
4835 	if (!rdev->ops->get_mpath)
4836 		return -EOPNOTSUPP;
4837 
4838 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4839 		return -EOPNOTSUPP;
4840 
4841 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
4842 	if (err)
4843 		return err;
4844 
4845 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4846 	if (!msg)
4847 		return -ENOMEM;
4848 
4849 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
4850 				 dev, dst, next_hop, &pinfo) < 0) {
4851 		nlmsg_free(msg);
4852 		return -ENOBUFS;
4853 	}
4854 
4855 	return genlmsg_reply(msg, info);
4856 }
4857 
4858 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
4859 {
4860 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4861 	struct net_device *dev = info->user_ptr[1];
4862 	u8 *dst = NULL;
4863 	u8 *next_hop = NULL;
4864 
4865 	if (!info->attrs[NL80211_ATTR_MAC])
4866 		return -EINVAL;
4867 
4868 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
4869 		return -EINVAL;
4870 
4871 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4872 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
4873 
4874 	if (!rdev->ops->change_mpath)
4875 		return -EOPNOTSUPP;
4876 
4877 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4878 		return -EOPNOTSUPP;
4879 
4880 	return rdev_change_mpath(rdev, dev, dst, next_hop);
4881 }
4882 
4883 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
4884 {
4885 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4886 	struct net_device *dev = info->user_ptr[1];
4887 	u8 *dst = NULL;
4888 	u8 *next_hop = NULL;
4889 
4890 	if (!info->attrs[NL80211_ATTR_MAC])
4891 		return -EINVAL;
4892 
4893 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
4894 		return -EINVAL;
4895 
4896 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4897 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
4898 
4899 	if (!rdev->ops->add_mpath)
4900 		return -EOPNOTSUPP;
4901 
4902 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4903 		return -EOPNOTSUPP;
4904 
4905 	return rdev_add_mpath(rdev, dev, dst, next_hop);
4906 }
4907 
4908 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
4909 {
4910 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4911 	struct net_device *dev = info->user_ptr[1];
4912 	u8 *dst = NULL;
4913 
4914 	if (info->attrs[NL80211_ATTR_MAC])
4915 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4916 
4917 	if (!rdev->ops->del_mpath)
4918 		return -EOPNOTSUPP;
4919 
4920 	return rdev_del_mpath(rdev, dev, dst);
4921 }
4922 
4923 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
4924 {
4925 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4926 	int err;
4927 	struct net_device *dev = info->user_ptr[1];
4928 	struct mpath_info pinfo;
4929 	struct sk_buff *msg;
4930 	u8 *dst = NULL;
4931 	u8 mpp[ETH_ALEN];
4932 
4933 	memset(&pinfo, 0, sizeof(pinfo));
4934 
4935 	if (!info->attrs[NL80211_ATTR_MAC])
4936 		return -EINVAL;
4937 
4938 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
4939 
4940 	if (!rdev->ops->get_mpp)
4941 		return -EOPNOTSUPP;
4942 
4943 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
4944 		return -EOPNOTSUPP;
4945 
4946 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
4947 	if (err)
4948 		return err;
4949 
4950 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4951 	if (!msg)
4952 		return -ENOMEM;
4953 
4954 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
4955 			       dev, dst, mpp, &pinfo) < 0) {
4956 		nlmsg_free(msg);
4957 		return -ENOBUFS;
4958 	}
4959 
4960 	return genlmsg_reply(msg, info);
4961 }
4962 
4963 static int nl80211_dump_mpp(struct sk_buff *skb,
4964 			    struct netlink_callback *cb)
4965 {
4966 	struct mpath_info pinfo;
4967 	struct cfg80211_registered_device *rdev;
4968 	struct wireless_dev *wdev;
4969 	u8 dst[ETH_ALEN];
4970 	u8 mpp[ETH_ALEN];
4971 	int path_idx = cb->args[2];
4972 	int err;
4973 
4974 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
4975 	if (err)
4976 		return err;
4977 
4978 	if (!rdev->ops->dump_mpp) {
4979 		err = -EOPNOTSUPP;
4980 		goto out_err;
4981 	}
4982 
4983 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
4984 		err = -EOPNOTSUPP;
4985 		goto out_err;
4986 	}
4987 
4988 	while (1) {
4989 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
4990 				    mpp, &pinfo);
4991 		if (err == -ENOENT)
4992 			break;
4993 		if (err)
4994 			goto out_err;
4995 
4996 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
4997 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4998 				       wdev->netdev, dst, mpp,
4999 				       &pinfo) < 0)
5000 			goto out;
5001 
5002 		path_idx++;
5003 	}
5004 
5005  out:
5006 	cb->args[2] = path_idx;
5007 	err = skb->len;
5008  out_err:
5009 	nl80211_finish_wdev_dump(rdev);
5010 	return err;
5011 }
5012 
5013 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
5014 {
5015 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5016 	struct net_device *dev = info->user_ptr[1];
5017 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5018 	struct bss_parameters params;
5019 	int err;
5020 
5021 	memset(&params, 0, sizeof(params));
5022 	/* default to not changing parameters */
5023 	params.use_cts_prot = -1;
5024 	params.use_short_preamble = -1;
5025 	params.use_short_slot_time = -1;
5026 	params.ap_isolate = -1;
5027 	params.ht_opmode = -1;
5028 	params.p2p_ctwindow = -1;
5029 	params.p2p_opp_ps = -1;
5030 
5031 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
5032 		params.use_cts_prot =
5033 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
5034 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
5035 		params.use_short_preamble =
5036 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
5037 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
5038 		params.use_short_slot_time =
5039 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
5040 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
5041 		params.basic_rates =
5042 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
5043 		params.basic_rates_len =
5044 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
5045 	}
5046 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
5047 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
5048 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
5049 		params.ht_opmode =
5050 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
5051 
5052 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
5053 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5054 			return -EINVAL;
5055 		params.p2p_ctwindow =
5056 			nla_get_s8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
5057 		if (params.p2p_ctwindow < 0)
5058 			return -EINVAL;
5059 		if (params.p2p_ctwindow != 0 &&
5060 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
5061 			return -EINVAL;
5062 	}
5063 
5064 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
5065 		u8 tmp;
5066 
5067 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5068 			return -EINVAL;
5069 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
5070 		if (tmp > 1)
5071 			return -EINVAL;
5072 		params.p2p_opp_ps = tmp;
5073 		if (params.p2p_opp_ps &&
5074 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
5075 			return -EINVAL;
5076 	}
5077 
5078 	if (!rdev->ops->change_bss)
5079 		return -EOPNOTSUPP;
5080 
5081 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5082 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5083 		return -EOPNOTSUPP;
5084 
5085 	wdev_lock(wdev);
5086 	err = rdev_change_bss(rdev, dev, &params);
5087 	wdev_unlock(wdev);
5088 
5089 	return err;
5090 }
5091 
5092 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
5093 {
5094 	char *data = NULL;
5095 	bool is_indoor;
5096 	enum nl80211_user_reg_hint_type user_reg_hint_type;
5097 	u32 owner_nlportid;
5098 
5099 	/*
5100 	 * You should only get this when cfg80211 hasn't yet initialized
5101 	 * completely when built-in to the kernel right between the time
5102 	 * window between nl80211_init() and regulatory_init(), if that is
5103 	 * even possible.
5104 	 */
5105 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
5106 		return -EINPROGRESS;
5107 
5108 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
5109 		user_reg_hint_type =
5110 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
5111 	else
5112 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
5113 
5114 	switch (user_reg_hint_type) {
5115 	case NL80211_USER_REG_HINT_USER:
5116 	case NL80211_USER_REG_HINT_CELL_BASE:
5117 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
5118 			return -EINVAL;
5119 
5120 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
5121 		return regulatory_hint_user(data, user_reg_hint_type);
5122 	case NL80211_USER_REG_HINT_INDOOR:
5123 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
5124 			owner_nlportid = info->snd_portid;
5125 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
5126 		} else {
5127 			owner_nlportid = 0;
5128 			is_indoor = true;
5129 		}
5130 
5131 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
5132 	default:
5133 		return -EINVAL;
5134 	}
5135 }
5136 
5137 static int nl80211_get_mesh_config(struct sk_buff *skb,
5138 				   struct genl_info *info)
5139 {
5140 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5141 	struct net_device *dev = info->user_ptr[1];
5142 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5143 	struct mesh_config cur_params;
5144 	int err = 0;
5145 	void *hdr;
5146 	struct nlattr *pinfoattr;
5147 	struct sk_buff *msg;
5148 
5149 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
5150 		return -EOPNOTSUPP;
5151 
5152 	if (!rdev->ops->get_mesh_config)
5153 		return -EOPNOTSUPP;
5154 
5155 	wdev_lock(wdev);
5156 	/* If not connected, get default parameters */
5157 	if (!wdev->mesh_id_len)
5158 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
5159 	else
5160 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
5161 	wdev_unlock(wdev);
5162 
5163 	if (err)
5164 		return err;
5165 
5166 	/* Draw up a netlink message to send back */
5167 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5168 	if (!msg)
5169 		return -ENOMEM;
5170 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
5171 			     NL80211_CMD_GET_MESH_CONFIG);
5172 	if (!hdr)
5173 		goto out;
5174 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MESH_CONFIG);
5175 	if (!pinfoattr)
5176 		goto nla_put_failure;
5177 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5178 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
5179 			cur_params.dot11MeshRetryTimeout) ||
5180 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
5181 			cur_params.dot11MeshConfirmTimeout) ||
5182 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
5183 			cur_params.dot11MeshHoldingTimeout) ||
5184 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
5185 			cur_params.dot11MeshMaxPeerLinks) ||
5186 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
5187 		       cur_params.dot11MeshMaxRetries) ||
5188 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
5189 		       cur_params.dot11MeshTTL) ||
5190 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
5191 		       cur_params.element_ttl) ||
5192 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
5193 		       cur_params.auto_open_plinks) ||
5194 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
5195 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
5196 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
5197 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
5198 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
5199 			cur_params.path_refresh_time) ||
5200 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
5201 			cur_params.min_discovery_timeout) ||
5202 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
5203 			cur_params.dot11MeshHWMPactivePathTimeout) ||
5204 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
5205 			cur_params.dot11MeshHWMPpreqMinInterval) ||
5206 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
5207 			cur_params.dot11MeshHWMPperrMinInterval) ||
5208 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
5209 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
5210 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
5211 		       cur_params.dot11MeshHWMPRootMode) ||
5212 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
5213 			cur_params.dot11MeshHWMPRannInterval) ||
5214 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
5215 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
5216 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
5217 		       cur_params.dot11MeshForwarding) ||
5218 	    nla_put_u32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
5219 			cur_params.rssi_threshold) ||
5220 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
5221 			cur_params.ht_opmode) ||
5222 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
5223 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
5224 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
5225 			cur_params.dot11MeshHWMProotInterval) ||
5226 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
5227 			cur_params.dot11MeshHWMPconfirmationInterval) ||
5228 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
5229 			cur_params.power_mode) ||
5230 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
5231 			cur_params.dot11MeshAwakeWindowDuration) ||
5232 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
5233 			cur_params.plink_timeout))
5234 		goto nla_put_failure;
5235 	nla_nest_end(msg, pinfoattr);
5236 	genlmsg_end(msg, hdr);
5237 	return genlmsg_reply(msg, info);
5238 
5239  nla_put_failure:
5240 	genlmsg_cancel(msg, hdr);
5241  out:
5242 	nlmsg_free(msg);
5243 	return -ENOBUFS;
5244 }
5245 
5246 static const struct nla_policy nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
5247 	[NL80211_MESHCONF_RETRY_TIMEOUT] = { .type = NLA_U16 },
5248 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] = { .type = NLA_U16 },
5249 	[NL80211_MESHCONF_HOLDING_TIMEOUT] = { .type = NLA_U16 },
5250 	[NL80211_MESHCONF_MAX_PEER_LINKS] = { .type = NLA_U16 },
5251 	[NL80211_MESHCONF_MAX_RETRIES] = { .type = NLA_U8 },
5252 	[NL80211_MESHCONF_TTL] = { .type = NLA_U8 },
5253 	[NL80211_MESHCONF_ELEMENT_TTL] = { .type = NLA_U8 },
5254 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = { .type = NLA_U8 },
5255 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] = { .type = NLA_U32 },
5256 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
5257 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
5258 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = { .type = NLA_U16 },
5259 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
5260 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] = { .type = NLA_U16 },
5261 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] = { .type = NLA_U16 },
5262 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] = { .type = NLA_U16 },
5263 	[NL80211_MESHCONF_HWMP_ROOTMODE] = { .type = NLA_U8 },
5264 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] = { .type = NLA_U16 },
5265 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = { .type = NLA_U8 },
5266 	[NL80211_MESHCONF_FORWARDING] = { .type = NLA_U8 },
5267 	[NL80211_MESHCONF_RSSI_THRESHOLD] = { .type = NLA_U32 },
5268 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
5269 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
5270 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] = { .type = NLA_U16 },
5271 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] = { .type = NLA_U16 },
5272 	[NL80211_MESHCONF_POWER_MODE] = { .type = NLA_U32 },
5273 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
5274 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
5275 };
5276 
5277 static const struct nla_policy
5278 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
5279 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
5280 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
5281 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
5282 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
5283 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
5284 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
5285 	[NL80211_MESH_SETUP_IE] = { .type = NLA_BINARY,
5286 				    .len = IEEE80211_MAX_DATA_LEN },
5287 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
5288 };
5289 
5290 static int nl80211_parse_mesh_config(struct genl_info *info,
5291 				     struct mesh_config *cfg,
5292 				     u32 *mask_out)
5293 {
5294 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
5295 	u32 mask = 0;
5296 
5297 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, min, max, mask, attr, fn) \
5298 do {									    \
5299 	if (tb[attr]) {							    \
5300 		if (fn(tb[attr]) < min || fn(tb[attr]) > max)		    \
5301 			return -EINVAL;					    \
5302 		cfg->param = fn(tb[attr]);				    \
5303 		mask |= (1 << (attr - 1));				    \
5304 	}								    \
5305 } while (0)
5306 
5307 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
5308 		return -EINVAL;
5309 	if (nla_parse_nested(tb, NL80211_MESHCONF_ATTR_MAX,
5310 			     info->attrs[NL80211_ATTR_MESH_CONFIG],
5311 			     nl80211_meshconf_params_policy))
5312 		return -EINVAL;
5313 
5314 	/* This makes sure that there aren't more than 32 mesh config
5315 	 * parameters (otherwise our bitfield scheme would not work.) */
5316 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
5317 
5318 	/* Fill in the params struct */
5319 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, 1, 255,
5320 				  mask, NL80211_MESHCONF_RETRY_TIMEOUT,
5321 				  nla_get_u16);
5322 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, 1, 255,
5323 				  mask, NL80211_MESHCONF_CONFIRM_TIMEOUT,
5324 				  nla_get_u16);
5325 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, 1, 255,
5326 				  mask, NL80211_MESHCONF_HOLDING_TIMEOUT,
5327 				  nla_get_u16);
5328 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, 0, 255,
5329 				  mask, NL80211_MESHCONF_MAX_PEER_LINKS,
5330 				  nla_get_u16);
5331 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, 0, 16,
5332 				  mask, NL80211_MESHCONF_MAX_RETRIES,
5333 				  nla_get_u8);
5334 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, 1, 255,
5335 				  mask, NL80211_MESHCONF_TTL, nla_get_u8);
5336 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, 1, 255,
5337 				  mask, NL80211_MESHCONF_ELEMENT_TTL,
5338 				  nla_get_u8);
5339 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, 0, 1,
5340 				  mask, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
5341 				  nla_get_u8);
5342 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
5343 				  1, 255, mask,
5344 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
5345 				  nla_get_u32);
5346 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, 0, 255,
5347 				  mask, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
5348 				  nla_get_u8);
5349 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, 1, 65535,
5350 				  mask, NL80211_MESHCONF_PATH_REFRESH_TIME,
5351 				  nla_get_u32);
5352 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, 1, 65535,
5353 				  mask, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
5354 				  nla_get_u16);
5355 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
5356 				  1, 65535, mask,
5357 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
5358 				  nla_get_u32);
5359 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval,
5360 				  1, 65535, mask,
5361 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
5362 				  nla_get_u16);
5363 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval,
5364 				  1, 65535, mask,
5365 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
5366 				  nla_get_u16);
5367 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5368 				  dot11MeshHWMPnetDiameterTraversalTime,
5369 				  1, 65535, mask,
5370 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
5371 				  nla_get_u16);
5372 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, 0, 4,
5373 				  mask, NL80211_MESHCONF_HWMP_ROOTMODE,
5374 				  nla_get_u8);
5375 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, 1, 65535,
5376 				  mask, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
5377 				  nla_get_u16);
5378 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5379 				  dot11MeshGateAnnouncementProtocol, 0, 1,
5380 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
5381 				  nla_get_u8);
5382 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, 0, 1,
5383 				  mask, NL80211_MESHCONF_FORWARDING,
5384 				  nla_get_u8);
5385 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, -255, 0,
5386 				  mask, NL80211_MESHCONF_RSSI_THRESHOLD,
5387 				  nla_get_s32);
5388 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, ht_opmode, 0, 16,
5389 				  mask, NL80211_MESHCONF_HT_OPMODE,
5390 				  nla_get_u16);
5391 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathToRootTimeout,
5392 				  1, 65535, mask,
5393 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
5394 				  nla_get_u32);
5395 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, 1, 65535,
5396 				  mask, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
5397 				  nla_get_u16);
5398 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
5399 				  dot11MeshHWMPconfirmationInterval,
5400 				  1, 65535, mask,
5401 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
5402 				  nla_get_u16);
5403 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode,
5404 				  NL80211_MESH_POWER_ACTIVE,
5405 				  NL80211_MESH_POWER_MAX,
5406 				  mask, NL80211_MESHCONF_POWER_MODE,
5407 				  nla_get_u32);
5408 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration,
5409 				  0, 65535, mask,
5410 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
5411 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, 0, 0xffffffff,
5412 				  mask, NL80211_MESHCONF_PLINK_TIMEOUT,
5413 				  nla_get_u32);
5414 	if (mask_out)
5415 		*mask_out = mask;
5416 
5417 	return 0;
5418 
5419 #undef FILL_IN_MESH_PARAM_IF_SET
5420 }
5421 
5422 static int nl80211_parse_mesh_setup(struct genl_info *info,
5423 				     struct mesh_setup *setup)
5424 {
5425 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5426 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
5427 
5428 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
5429 		return -EINVAL;
5430 	if (nla_parse_nested(tb, NL80211_MESH_SETUP_ATTR_MAX,
5431 			     info->attrs[NL80211_ATTR_MESH_SETUP],
5432 			     nl80211_mesh_setup_params_policy))
5433 		return -EINVAL;
5434 
5435 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
5436 		setup->sync_method =
5437 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
5438 		 IEEE80211_SYNC_METHOD_VENDOR :
5439 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
5440 
5441 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
5442 		setup->path_sel_proto =
5443 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
5444 		 IEEE80211_PATH_PROTOCOL_VENDOR :
5445 		 IEEE80211_PATH_PROTOCOL_HWMP;
5446 
5447 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
5448 		setup->path_metric =
5449 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
5450 		 IEEE80211_PATH_METRIC_VENDOR :
5451 		 IEEE80211_PATH_METRIC_AIRTIME;
5452 
5453 	if (tb[NL80211_MESH_SETUP_IE]) {
5454 		struct nlattr *ieattr =
5455 			tb[NL80211_MESH_SETUP_IE];
5456 		if (!is_valid_ie_attr(ieattr))
5457 			return -EINVAL;
5458 		setup->ie = nla_data(ieattr);
5459 		setup->ie_len = nla_len(ieattr);
5460 	}
5461 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
5462 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
5463 		return -EINVAL;
5464 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
5465 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
5466 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
5467 	if (setup->is_secure)
5468 		setup->user_mpm = true;
5469 
5470 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
5471 		if (!setup->user_mpm)
5472 			return -EINVAL;
5473 		setup->auth_id =
5474 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
5475 	}
5476 
5477 	return 0;
5478 }
5479 
5480 static int nl80211_update_mesh_config(struct sk_buff *skb,
5481 				      struct genl_info *info)
5482 {
5483 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5484 	struct net_device *dev = info->user_ptr[1];
5485 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5486 	struct mesh_config cfg;
5487 	u32 mask;
5488 	int err;
5489 
5490 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
5491 		return -EOPNOTSUPP;
5492 
5493 	if (!rdev->ops->update_mesh_config)
5494 		return -EOPNOTSUPP;
5495 
5496 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
5497 	if (err)
5498 		return err;
5499 
5500 	wdev_lock(wdev);
5501 	if (!wdev->mesh_id_len)
5502 		err = -ENOLINK;
5503 
5504 	if (!err)
5505 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
5506 
5507 	wdev_unlock(wdev);
5508 
5509 	return err;
5510 }
5511 
5512 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
5513 			      struct sk_buff *msg)
5514 {
5515 	struct nlattr *nl_reg_rules;
5516 	unsigned int i;
5517 
5518 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
5519 	    (regdom->dfs_region &&
5520 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
5521 		goto nla_put_failure;
5522 
5523 	nl_reg_rules = nla_nest_start(msg, NL80211_ATTR_REG_RULES);
5524 	if (!nl_reg_rules)
5525 		goto nla_put_failure;
5526 
5527 	for (i = 0; i < regdom->n_reg_rules; i++) {
5528 		struct nlattr *nl_reg_rule;
5529 		const struct ieee80211_reg_rule *reg_rule;
5530 		const struct ieee80211_freq_range *freq_range;
5531 		const struct ieee80211_power_rule *power_rule;
5532 		unsigned int max_bandwidth_khz;
5533 
5534 		reg_rule = &regdom->reg_rules[i];
5535 		freq_range = &reg_rule->freq_range;
5536 		power_rule = &reg_rule->power_rule;
5537 
5538 		nl_reg_rule = nla_nest_start(msg, i);
5539 		if (!nl_reg_rule)
5540 			goto nla_put_failure;
5541 
5542 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
5543 		if (!max_bandwidth_khz)
5544 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
5545 								  reg_rule);
5546 
5547 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
5548 				reg_rule->flags) ||
5549 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
5550 				freq_range->start_freq_khz) ||
5551 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
5552 				freq_range->end_freq_khz) ||
5553 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
5554 				max_bandwidth_khz) ||
5555 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
5556 				power_rule->max_antenna_gain) ||
5557 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
5558 				power_rule->max_eirp) ||
5559 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
5560 				reg_rule->dfs_cac_ms))
5561 			goto nla_put_failure;
5562 
5563 		nla_nest_end(msg, nl_reg_rule);
5564 	}
5565 
5566 	nla_nest_end(msg, nl_reg_rules);
5567 	return 0;
5568 
5569 nla_put_failure:
5570 	return -EMSGSIZE;
5571 }
5572 
5573 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
5574 {
5575 	const struct ieee80211_regdomain *regdom = NULL;
5576 	struct cfg80211_registered_device *rdev;
5577 	struct wiphy *wiphy = NULL;
5578 	struct sk_buff *msg;
5579 	void *hdr;
5580 
5581 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5582 	if (!msg)
5583 		return -ENOBUFS;
5584 
5585 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
5586 			     NL80211_CMD_GET_REG);
5587 	if (!hdr)
5588 		goto put_failure;
5589 
5590 	if (info->attrs[NL80211_ATTR_WIPHY]) {
5591 		bool self_managed;
5592 
5593 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
5594 		if (IS_ERR(rdev)) {
5595 			nlmsg_free(msg);
5596 			return PTR_ERR(rdev);
5597 		}
5598 
5599 		wiphy = &rdev->wiphy;
5600 		self_managed = wiphy->regulatory_flags &
5601 			       REGULATORY_WIPHY_SELF_MANAGED;
5602 		regdom = get_wiphy_regdom(wiphy);
5603 
5604 		/* a self-managed-reg device must have a private regdom */
5605 		if (WARN_ON(!regdom && self_managed)) {
5606 			nlmsg_free(msg);
5607 			return -EINVAL;
5608 		}
5609 
5610 		if (regdom &&
5611 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
5612 			goto nla_put_failure;
5613 	}
5614 
5615 	if (!wiphy && reg_last_request_cell_base() &&
5616 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
5617 			NL80211_USER_REG_HINT_CELL_BASE))
5618 		goto nla_put_failure;
5619 
5620 	rcu_read_lock();
5621 
5622 	if (!regdom)
5623 		regdom = rcu_dereference(cfg80211_regdomain);
5624 
5625 	if (nl80211_put_regdom(regdom, msg))
5626 		goto nla_put_failure_rcu;
5627 
5628 	rcu_read_unlock();
5629 
5630 	genlmsg_end(msg, hdr);
5631 	return genlmsg_reply(msg, info);
5632 
5633 nla_put_failure_rcu:
5634 	rcu_read_unlock();
5635 nla_put_failure:
5636 	genlmsg_cancel(msg, hdr);
5637 put_failure:
5638 	nlmsg_free(msg);
5639 	return -EMSGSIZE;
5640 }
5641 
5642 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
5643 			       u32 seq, int flags, struct wiphy *wiphy,
5644 			       const struct ieee80211_regdomain *regdom)
5645 {
5646 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
5647 				   NL80211_CMD_GET_REG);
5648 
5649 	if (!hdr)
5650 		return -1;
5651 
5652 	genl_dump_check_consistent(cb, hdr, &nl80211_fam);
5653 
5654 	if (nl80211_put_regdom(regdom, msg))
5655 		goto nla_put_failure;
5656 
5657 	if (!wiphy && reg_last_request_cell_base() &&
5658 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
5659 			NL80211_USER_REG_HINT_CELL_BASE))
5660 		goto nla_put_failure;
5661 
5662 	if (wiphy &&
5663 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
5664 		goto nla_put_failure;
5665 
5666 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
5667 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
5668 		goto nla_put_failure;
5669 
5670 	genlmsg_end(msg, hdr);
5671 	return 0;
5672 
5673 nla_put_failure:
5674 	genlmsg_cancel(msg, hdr);
5675 	return -EMSGSIZE;
5676 }
5677 
5678 static int nl80211_get_reg_dump(struct sk_buff *skb,
5679 				struct netlink_callback *cb)
5680 {
5681 	const struct ieee80211_regdomain *regdom = NULL;
5682 	struct cfg80211_registered_device *rdev;
5683 	int err, reg_idx, start = cb->args[2];
5684 
5685 	rtnl_lock();
5686 
5687 	if (cfg80211_regdomain && start == 0) {
5688 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
5689 					  NLM_F_MULTI, NULL,
5690 					  rtnl_dereference(cfg80211_regdomain));
5691 		if (err < 0)
5692 			goto out_err;
5693 	}
5694 
5695 	/* the global regdom is idx 0 */
5696 	reg_idx = 1;
5697 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
5698 		regdom = get_wiphy_regdom(&rdev->wiphy);
5699 		if (!regdom)
5700 			continue;
5701 
5702 		if (++reg_idx <= start)
5703 			continue;
5704 
5705 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
5706 					  NLM_F_MULTI, &rdev->wiphy, regdom);
5707 		if (err < 0) {
5708 			reg_idx--;
5709 			break;
5710 		}
5711 	}
5712 
5713 	cb->args[2] = reg_idx;
5714 	err = skb->len;
5715 out_err:
5716 	rtnl_unlock();
5717 	return err;
5718 }
5719 
5720 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
5721 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
5722 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
5723 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
5724 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
5725 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
5726 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
5727 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
5728 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
5729 };
5730 
5731 static int parse_reg_rule(struct nlattr *tb[],
5732 	struct ieee80211_reg_rule *reg_rule)
5733 {
5734 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
5735 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
5736 
5737 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
5738 		return -EINVAL;
5739 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
5740 		return -EINVAL;
5741 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
5742 		return -EINVAL;
5743 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
5744 		return -EINVAL;
5745 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
5746 		return -EINVAL;
5747 
5748 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
5749 
5750 	freq_range->start_freq_khz =
5751 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
5752 	freq_range->end_freq_khz =
5753 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
5754 	freq_range->max_bandwidth_khz =
5755 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
5756 
5757 	power_rule->max_eirp =
5758 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
5759 
5760 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
5761 		power_rule->max_antenna_gain =
5762 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
5763 
5764 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
5765 		reg_rule->dfs_cac_ms =
5766 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
5767 
5768 	return 0;
5769 }
5770 
5771 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
5772 {
5773 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
5774 	struct nlattr *nl_reg_rule;
5775 	char *alpha2;
5776 	int rem_reg_rules, r;
5777 	u32 num_rules = 0, rule_idx = 0, size_of_regd;
5778 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
5779 	struct ieee80211_regdomain *rd;
5780 
5781 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
5782 		return -EINVAL;
5783 
5784 	if (!info->attrs[NL80211_ATTR_REG_RULES])
5785 		return -EINVAL;
5786 
5787 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
5788 
5789 	if (info->attrs[NL80211_ATTR_DFS_REGION])
5790 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
5791 
5792 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
5793 			    rem_reg_rules) {
5794 		num_rules++;
5795 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
5796 			return -EINVAL;
5797 	}
5798 
5799 	if (!reg_is_valid_request(alpha2))
5800 		return -EINVAL;
5801 
5802 	size_of_regd = sizeof(struct ieee80211_regdomain) +
5803 		       num_rules * sizeof(struct ieee80211_reg_rule);
5804 
5805 	rd = kzalloc(size_of_regd, GFP_KERNEL);
5806 	if (!rd)
5807 		return -ENOMEM;
5808 
5809 	rd->n_reg_rules = num_rules;
5810 	rd->alpha2[0] = alpha2[0];
5811 	rd->alpha2[1] = alpha2[1];
5812 
5813 	/*
5814 	 * Disable DFS master mode if the DFS region was
5815 	 * not supported or known on this kernel.
5816 	 */
5817 	if (reg_supported_dfs_region(dfs_region))
5818 		rd->dfs_region = dfs_region;
5819 
5820 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
5821 			    rem_reg_rules) {
5822 		r = nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
5823 			      nla_data(nl_reg_rule), nla_len(nl_reg_rule),
5824 			      reg_rule_policy);
5825 		if (r)
5826 			goto bad_reg;
5827 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
5828 		if (r)
5829 			goto bad_reg;
5830 
5831 		rule_idx++;
5832 
5833 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
5834 			r = -EINVAL;
5835 			goto bad_reg;
5836 		}
5837 	}
5838 
5839 	/* set_regdom takes ownership of rd */
5840 	return set_regdom(rd, REGD_SOURCE_CRDA);
5841  bad_reg:
5842 	kfree(rd);
5843 	return r;
5844 }
5845 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
5846 
5847 static int validate_scan_freqs(struct nlattr *freqs)
5848 {
5849 	struct nlattr *attr1, *attr2;
5850 	int n_channels = 0, tmp1, tmp2;
5851 
5852 	nla_for_each_nested(attr1, freqs, tmp1) {
5853 		n_channels++;
5854 		/*
5855 		 * Some hardware has a limited channel list for
5856 		 * scanning, and it is pretty much nonsensical
5857 		 * to scan for a channel twice, so disallow that
5858 		 * and don't require drivers to check that the
5859 		 * channel list they get isn't longer than what
5860 		 * they can scan, as long as they can scan all
5861 		 * the channels they registered at once.
5862 		 */
5863 		nla_for_each_nested(attr2, freqs, tmp2)
5864 			if (attr1 != attr2 &&
5865 			    nla_get_u32(attr1) == nla_get_u32(attr2))
5866 				return 0;
5867 	}
5868 
5869 	return n_channels;
5870 }
5871 
5872 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
5873 {
5874 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
5875 }
5876 
5877 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
5878 			    struct cfg80211_bss_selection *bss_select)
5879 {
5880 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
5881 	struct nlattr *nest;
5882 	int err;
5883 	bool found = false;
5884 	int i;
5885 
5886 	/* only process one nested attribute */
5887 	nest = nla_data(nla);
5888 	if (!nla_ok(nest, nla_len(nest)))
5889 		return -EINVAL;
5890 
5891 	err = nla_parse(attr, NL80211_BSS_SELECT_ATTR_MAX, nla_data(nest),
5892 			nla_len(nest), nl80211_bss_select_policy);
5893 	if (err)
5894 		return err;
5895 
5896 	/* only one attribute may be given */
5897 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
5898 		if (attr[i]) {
5899 			if (found)
5900 				return -EINVAL;
5901 			found = true;
5902 		}
5903 	}
5904 
5905 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
5906 
5907 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
5908 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
5909 
5910 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
5911 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
5912 		bss_select->param.band_pref =
5913 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
5914 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
5915 			return -EINVAL;
5916 	}
5917 
5918 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
5919 		struct nl80211_bss_select_rssi_adjust *adj_param;
5920 
5921 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
5922 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
5923 		bss_select->param.adjust.band = adj_param->band;
5924 		bss_select->param.adjust.delta = adj_param->delta;
5925 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
5926 			return -EINVAL;
5927 	}
5928 
5929 	/* user-space did not provide behaviour attribute */
5930 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
5931 		return -EINVAL;
5932 
5933 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
5934 		return -EINVAL;
5935 
5936 	return 0;
5937 }
5938 
5939 static int nl80211_parse_random_mac(struct nlattr **attrs,
5940 				    u8 *mac_addr, u8 *mac_addr_mask)
5941 {
5942 	int i;
5943 
5944 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
5945 		eth_zero_addr(mac_addr);
5946 		eth_zero_addr(mac_addr_mask);
5947 		mac_addr[0] = 0x2;
5948 		mac_addr_mask[0] = 0x3;
5949 
5950 		return 0;
5951 	}
5952 
5953 	/* need both or none */
5954 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
5955 		return -EINVAL;
5956 
5957 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
5958 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
5959 
5960 	/* don't allow or configure an mcast address */
5961 	if (!is_multicast_ether_addr(mac_addr_mask) ||
5962 	    is_multicast_ether_addr(mac_addr))
5963 		return -EINVAL;
5964 
5965 	/*
5966 	 * allow users to pass a MAC address that has bits set outside
5967 	 * of the mask, but don't bother drivers with having to deal
5968 	 * with such bits
5969 	 */
5970 	for (i = 0; i < ETH_ALEN; i++)
5971 		mac_addr[i] &= mac_addr_mask[i];
5972 
5973 	return 0;
5974 }
5975 
5976 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
5977 {
5978 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5979 	struct wireless_dev *wdev = info->user_ptr[1];
5980 	struct cfg80211_scan_request *request;
5981 	struct nlattr *attr;
5982 	struct wiphy *wiphy;
5983 	int err, tmp, n_ssids = 0, n_channels, i;
5984 	size_t ie_len;
5985 
5986 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5987 		return -EINVAL;
5988 
5989 	wiphy = &rdev->wiphy;
5990 
5991 	if (!rdev->ops->scan)
5992 		return -EOPNOTSUPP;
5993 
5994 	if (rdev->scan_req || rdev->scan_msg) {
5995 		err = -EBUSY;
5996 		goto unlock;
5997 	}
5998 
5999 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
6000 		n_channels = validate_scan_freqs(
6001 				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
6002 		if (!n_channels) {
6003 			err = -EINVAL;
6004 			goto unlock;
6005 		}
6006 	} else {
6007 		n_channels = ieee80211_get_num_supported_channels(wiphy);
6008 	}
6009 
6010 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
6011 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
6012 			n_ssids++;
6013 
6014 	if (n_ssids > wiphy->max_scan_ssids) {
6015 		err = -EINVAL;
6016 		goto unlock;
6017 	}
6018 
6019 	if (info->attrs[NL80211_ATTR_IE])
6020 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6021 	else
6022 		ie_len = 0;
6023 
6024 	if (ie_len > wiphy->max_scan_ie_len) {
6025 		err = -EINVAL;
6026 		goto unlock;
6027 	}
6028 
6029 	request = kzalloc(sizeof(*request)
6030 			+ sizeof(*request->ssids) * n_ssids
6031 			+ sizeof(*request->channels) * n_channels
6032 			+ ie_len, GFP_KERNEL);
6033 	if (!request) {
6034 		err = -ENOMEM;
6035 		goto unlock;
6036 	}
6037 
6038 	if (n_ssids)
6039 		request->ssids = (void *)&request->channels[n_channels];
6040 	request->n_ssids = n_ssids;
6041 	if (ie_len) {
6042 		if (n_ssids)
6043 			request->ie = (void *)(request->ssids + n_ssids);
6044 		else
6045 			request->ie = (void *)(request->channels + n_channels);
6046 	}
6047 
6048 	i = 0;
6049 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
6050 		/* user specified, bail out if channel not found */
6051 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
6052 			struct ieee80211_channel *chan;
6053 
6054 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
6055 
6056 			if (!chan) {
6057 				err = -EINVAL;
6058 				goto out_free;
6059 			}
6060 
6061 			/* ignore disabled channels */
6062 			if (chan->flags & IEEE80211_CHAN_DISABLED)
6063 				continue;
6064 
6065 			request->channels[i] = chan;
6066 			i++;
6067 		}
6068 	} else {
6069 		enum nl80211_band band;
6070 
6071 		/* all channels */
6072 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
6073 			int j;
6074 
6075 			if (!wiphy->bands[band])
6076 				continue;
6077 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
6078 				struct ieee80211_channel *chan;
6079 
6080 				chan = &wiphy->bands[band]->channels[j];
6081 
6082 				if (chan->flags & IEEE80211_CHAN_DISABLED)
6083 					continue;
6084 
6085 				request->channels[i] = chan;
6086 				i++;
6087 			}
6088 		}
6089 	}
6090 
6091 	if (!i) {
6092 		err = -EINVAL;
6093 		goto out_free;
6094 	}
6095 
6096 	request->n_channels = i;
6097 
6098 	i = 0;
6099 	if (n_ssids) {
6100 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
6101 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
6102 				err = -EINVAL;
6103 				goto out_free;
6104 			}
6105 			request->ssids[i].ssid_len = nla_len(attr);
6106 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
6107 			i++;
6108 		}
6109 	}
6110 
6111 	if (info->attrs[NL80211_ATTR_IE]) {
6112 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6113 		memcpy((void *)request->ie,
6114 		       nla_data(info->attrs[NL80211_ATTR_IE]),
6115 		       request->ie_len);
6116 	}
6117 
6118 	for (i = 0; i < NUM_NL80211_BANDS; i++)
6119 		if (wiphy->bands[i])
6120 			request->rates[i] =
6121 				(1 << wiphy->bands[i]->n_bitrates) - 1;
6122 
6123 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
6124 		nla_for_each_nested(attr,
6125 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
6126 				    tmp) {
6127 			enum nl80211_band band = nla_type(attr);
6128 
6129 			if (band < 0 || band >= NUM_NL80211_BANDS) {
6130 				err = -EINVAL;
6131 				goto out_free;
6132 			}
6133 
6134 			if (!wiphy->bands[band])
6135 				continue;
6136 
6137 			err = ieee80211_get_ratemask(wiphy->bands[band],
6138 						     nla_data(attr),
6139 						     nla_len(attr),
6140 						     &request->rates[band]);
6141 			if (err)
6142 				goto out_free;
6143 		}
6144 	}
6145 
6146 	if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
6147 		request->flags = nla_get_u32(
6148 			info->attrs[NL80211_ATTR_SCAN_FLAGS]);
6149 		if ((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
6150 		    !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) {
6151 			err = -EOPNOTSUPP;
6152 			goto out_free;
6153 		}
6154 
6155 		if (request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
6156 			if (!(wiphy->features &
6157 					NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR)) {
6158 				err = -EOPNOTSUPP;
6159 				goto out_free;
6160 			}
6161 
6162 			if (wdev->current_bss) {
6163 				err = -EOPNOTSUPP;
6164 				goto out_free;
6165 			}
6166 
6167 			err = nl80211_parse_random_mac(info->attrs,
6168 						       request->mac_addr,
6169 						       request->mac_addr_mask);
6170 			if (err)
6171 				goto out_free;
6172 		}
6173 	}
6174 
6175 	request->no_cck =
6176 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
6177 
6178 	if (info->attrs[NL80211_ATTR_MAC])
6179 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
6180 		       ETH_ALEN);
6181 	else
6182 		eth_broadcast_addr(request->bssid);
6183 
6184 	request->wdev = wdev;
6185 	request->wiphy = &rdev->wiphy;
6186 	request->scan_start = jiffies;
6187 
6188 	rdev->scan_req = request;
6189 	err = rdev_scan(rdev, request);
6190 
6191 	if (!err) {
6192 		nl80211_send_scan_start(rdev, wdev);
6193 		if (wdev->netdev)
6194 			dev_hold(wdev->netdev);
6195 	} else {
6196  out_free:
6197 		rdev->scan_req = NULL;
6198 		kfree(request);
6199 	}
6200 
6201  unlock:
6202 	return err;
6203 }
6204 
6205 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
6206 {
6207 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6208 	struct wireless_dev *wdev = info->user_ptr[1];
6209 
6210 	if (!rdev->ops->abort_scan)
6211 		return -EOPNOTSUPP;
6212 
6213 	if (rdev->scan_msg)
6214 		return 0;
6215 
6216 	if (!rdev->scan_req)
6217 		return -ENOENT;
6218 
6219 	rdev_abort_scan(rdev, wdev);
6220 	return 0;
6221 }
6222 
6223 static int
6224 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
6225 			       struct cfg80211_sched_scan_request *request,
6226 			       struct nlattr **attrs)
6227 {
6228 	int tmp, err, i = 0;
6229 	struct nlattr *attr;
6230 
6231 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
6232 		u32 interval;
6233 
6234 		/*
6235 		 * If scan plans are not specified,
6236 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL must be specified. In this
6237 		 * case one scan plan will be set with the specified scan
6238 		 * interval and infinite number of iterations.
6239 		 */
6240 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
6241 			return -EINVAL;
6242 
6243 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
6244 		if (!interval)
6245 			return -EINVAL;
6246 
6247 		request->scan_plans[0].interval =
6248 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
6249 		if (!request->scan_plans[0].interval)
6250 			return -EINVAL;
6251 
6252 		if (request->scan_plans[0].interval >
6253 		    wiphy->max_sched_scan_plan_interval)
6254 			request->scan_plans[0].interval =
6255 				wiphy->max_sched_scan_plan_interval;
6256 
6257 		return 0;
6258 	}
6259 
6260 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
6261 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
6262 
6263 		if (WARN_ON(i >= n_plans))
6264 			return -EINVAL;
6265 
6266 		err = nla_parse(plan, NL80211_SCHED_SCAN_PLAN_MAX,
6267 				nla_data(attr), nla_len(attr),
6268 				nl80211_plan_policy);
6269 		if (err)
6270 			return err;
6271 
6272 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
6273 			return -EINVAL;
6274 
6275 		request->scan_plans[i].interval =
6276 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
6277 		if (!request->scan_plans[i].interval ||
6278 		    request->scan_plans[i].interval >
6279 		    wiphy->max_sched_scan_plan_interval)
6280 			return -EINVAL;
6281 
6282 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
6283 			request->scan_plans[i].iterations =
6284 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
6285 			if (!request->scan_plans[i].iterations ||
6286 			    (request->scan_plans[i].iterations >
6287 			     wiphy->max_sched_scan_plan_iterations))
6288 				return -EINVAL;
6289 		} else if (i < n_plans - 1) {
6290 			/*
6291 			 * All scan plans but the last one must specify
6292 			 * a finite number of iterations
6293 			 */
6294 			return -EINVAL;
6295 		}
6296 
6297 		i++;
6298 	}
6299 
6300 	/*
6301 	 * The last scan plan must not specify the number of
6302 	 * iterations, it is supposed to run infinitely
6303 	 */
6304 	if (request->scan_plans[n_plans - 1].iterations)
6305 		return  -EINVAL;
6306 
6307 	return 0;
6308 }
6309 
6310 static struct cfg80211_sched_scan_request *
6311 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
6312 			 struct nlattr **attrs)
6313 {
6314 	struct cfg80211_sched_scan_request *request;
6315 	struct nlattr *attr;
6316 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
6317 	enum nl80211_band band;
6318 	size_t ie_len;
6319 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
6320 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
6321 
6322 	if (!is_valid_ie_attr(attrs[NL80211_ATTR_IE]))
6323 		return ERR_PTR(-EINVAL);
6324 
6325 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
6326 		n_channels = validate_scan_freqs(
6327 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
6328 		if (!n_channels)
6329 			return ERR_PTR(-EINVAL);
6330 	} else {
6331 		n_channels = ieee80211_get_num_supported_channels(wiphy);
6332 	}
6333 
6334 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
6335 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
6336 				    tmp)
6337 			n_ssids++;
6338 
6339 	if (n_ssids > wiphy->max_sched_scan_ssids)
6340 		return ERR_PTR(-EINVAL);
6341 
6342 	/*
6343 	 * First, count the number of 'real' matchsets. Due to an issue with
6344 	 * the old implementation, matchsets containing only the RSSI attribute
6345 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
6346 	 * RSSI for all matchsets, rather than their own matchset for reporting
6347 	 * all APs with a strong RSSI. This is needed to be compatible with
6348 	 * older userspace that treated a matchset with only the RSSI as the
6349 	 * global RSSI for all other matchsets - if there are other matchsets.
6350 	 */
6351 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
6352 		nla_for_each_nested(attr,
6353 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
6354 				    tmp) {
6355 			struct nlattr *rssi;
6356 
6357 			err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
6358 					nla_data(attr), nla_len(attr),
6359 					nl80211_match_policy);
6360 			if (err)
6361 				return ERR_PTR(err);
6362 			/* add other standalone attributes here */
6363 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID]) {
6364 				n_match_sets++;
6365 				continue;
6366 			}
6367 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
6368 			if (rssi)
6369 				default_match_rssi = nla_get_s32(rssi);
6370 		}
6371 	}
6372 
6373 	/* However, if there's no other matchset, add the RSSI one */
6374 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
6375 		n_match_sets = 1;
6376 
6377 	if (n_match_sets > wiphy->max_match_sets)
6378 		return ERR_PTR(-EINVAL);
6379 
6380 	if (attrs[NL80211_ATTR_IE])
6381 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
6382 	else
6383 		ie_len = 0;
6384 
6385 	if (ie_len > wiphy->max_sched_scan_ie_len)
6386 		return ERR_PTR(-EINVAL);
6387 
6388 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
6389 		/*
6390 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
6391 		 * each scan plan already specifies its own interval
6392 		 */
6393 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
6394 			return ERR_PTR(-EINVAL);
6395 
6396 		nla_for_each_nested(attr,
6397 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
6398 			n_plans++;
6399 	} else {
6400 		/*
6401 		 * The scan interval attribute is kept for backward
6402 		 * compatibility. If no scan plans are specified and sched scan
6403 		 * interval is specified, one scan plan will be set with this
6404 		 * scan interval and infinite number of iterations.
6405 		 */
6406 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
6407 			return ERR_PTR(-EINVAL);
6408 
6409 		n_plans = 1;
6410 	}
6411 
6412 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
6413 		return ERR_PTR(-EINVAL);
6414 
6415 	request = kzalloc(sizeof(*request)
6416 			+ sizeof(*request->ssids) * n_ssids
6417 			+ sizeof(*request->match_sets) * n_match_sets
6418 			+ sizeof(*request->scan_plans) * n_plans
6419 			+ sizeof(*request->channels) * n_channels
6420 			+ ie_len, GFP_KERNEL);
6421 	if (!request)
6422 		return ERR_PTR(-ENOMEM);
6423 
6424 	if (n_ssids)
6425 		request->ssids = (void *)&request->channels[n_channels];
6426 	request->n_ssids = n_ssids;
6427 	if (ie_len) {
6428 		if (n_ssids)
6429 			request->ie = (void *)(request->ssids + n_ssids);
6430 		else
6431 			request->ie = (void *)(request->channels + n_channels);
6432 	}
6433 
6434 	if (n_match_sets) {
6435 		if (request->ie)
6436 			request->match_sets = (void *)(request->ie + ie_len);
6437 		else if (n_ssids)
6438 			request->match_sets =
6439 				(void *)(request->ssids + n_ssids);
6440 		else
6441 			request->match_sets =
6442 				(void *)(request->channels + n_channels);
6443 	}
6444 	request->n_match_sets = n_match_sets;
6445 
6446 	if (n_match_sets)
6447 		request->scan_plans = (void *)(request->match_sets +
6448 					       n_match_sets);
6449 	else if (request->ie)
6450 		request->scan_plans = (void *)(request->ie + ie_len);
6451 	else if (n_ssids)
6452 		request->scan_plans = (void *)(request->ssids + n_ssids);
6453 	else
6454 		request->scan_plans = (void *)(request->channels + n_channels);
6455 
6456 	request->n_scan_plans = n_plans;
6457 
6458 	i = 0;
6459 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
6460 		/* user specified, bail out if channel not found */
6461 		nla_for_each_nested(attr,
6462 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
6463 				    tmp) {
6464 			struct ieee80211_channel *chan;
6465 
6466 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
6467 
6468 			if (!chan) {
6469 				err = -EINVAL;
6470 				goto out_free;
6471 			}
6472 
6473 			/* ignore disabled channels */
6474 			if (chan->flags & IEEE80211_CHAN_DISABLED)
6475 				continue;
6476 
6477 			request->channels[i] = chan;
6478 			i++;
6479 		}
6480 	} else {
6481 		/* all channels */
6482 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
6483 			int j;
6484 
6485 			if (!wiphy->bands[band])
6486 				continue;
6487 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
6488 				struct ieee80211_channel *chan;
6489 
6490 				chan = &wiphy->bands[band]->channels[j];
6491 
6492 				if (chan->flags & IEEE80211_CHAN_DISABLED)
6493 					continue;
6494 
6495 				request->channels[i] = chan;
6496 				i++;
6497 			}
6498 		}
6499 	}
6500 
6501 	if (!i) {
6502 		err = -EINVAL;
6503 		goto out_free;
6504 	}
6505 
6506 	request->n_channels = i;
6507 
6508 	i = 0;
6509 	if (n_ssids) {
6510 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
6511 				    tmp) {
6512 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
6513 				err = -EINVAL;
6514 				goto out_free;
6515 			}
6516 			request->ssids[i].ssid_len = nla_len(attr);
6517 			memcpy(request->ssids[i].ssid, nla_data(attr),
6518 			       nla_len(attr));
6519 			i++;
6520 		}
6521 	}
6522 
6523 	i = 0;
6524 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
6525 		nla_for_each_nested(attr,
6526 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
6527 				    tmp) {
6528 			struct nlattr *ssid, *rssi;
6529 
6530 			err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
6531 					nla_data(attr), nla_len(attr),
6532 					nl80211_match_policy);
6533 			if (err)
6534 				goto out_free;
6535 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
6536 			if (ssid) {
6537 				if (WARN_ON(i >= n_match_sets)) {
6538 					/* this indicates a programming error,
6539 					 * the loop above should have verified
6540 					 * things properly
6541 					 */
6542 					err = -EINVAL;
6543 					goto out_free;
6544 				}
6545 
6546 				if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
6547 					err = -EINVAL;
6548 					goto out_free;
6549 				}
6550 				memcpy(request->match_sets[i].ssid.ssid,
6551 				       nla_data(ssid), nla_len(ssid));
6552 				request->match_sets[i].ssid.ssid_len =
6553 					nla_len(ssid);
6554 				/* special attribute - old implementation w/a */
6555 				request->match_sets[i].rssi_thold =
6556 					default_match_rssi;
6557 				rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
6558 				if (rssi)
6559 					request->match_sets[i].rssi_thold =
6560 						nla_get_s32(rssi);
6561 			}
6562 			i++;
6563 		}
6564 
6565 		/* there was no other matchset, so the RSSI one is alone */
6566 		if (i == 0 && n_match_sets)
6567 			request->match_sets[0].rssi_thold = default_match_rssi;
6568 
6569 		request->min_rssi_thold = INT_MAX;
6570 		for (i = 0; i < n_match_sets; i++)
6571 			request->min_rssi_thold =
6572 				min(request->match_sets[i].rssi_thold,
6573 				    request->min_rssi_thold);
6574 	} else {
6575 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
6576 	}
6577 
6578 	if (ie_len) {
6579 		request->ie_len = ie_len;
6580 		memcpy((void *)request->ie,
6581 		       nla_data(attrs[NL80211_ATTR_IE]),
6582 		       request->ie_len);
6583 	}
6584 
6585 	if (attrs[NL80211_ATTR_SCAN_FLAGS]) {
6586 		request->flags = nla_get_u32(
6587 			attrs[NL80211_ATTR_SCAN_FLAGS]);
6588 		if ((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
6589 		    !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) {
6590 			err = -EOPNOTSUPP;
6591 			goto out_free;
6592 		}
6593 
6594 		if (request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
6595 			u32 flg = NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR;
6596 
6597 			if (!wdev) /* must be net-detect */
6598 				flg = NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
6599 
6600 			if (!(wiphy->features & flg)) {
6601 				err = -EOPNOTSUPP;
6602 				goto out_free;
6603 			}
6604 
6605 			if (wdev && wdev->current_bss) {
6606 				err = -EOPNOTSUPP;
6607 				goto out_free;
6608 			}
6609 
6610 			err = nl80211_parse_random_mac(attrs, request->mac_addr,
6611 						       request->mac_addr_mask);
6612 			if (err)
6613 				goto out_free;
6614 		}
6615 	}
6616 
6617 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
6618 		request->delay =
6619 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
6620 
6621 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
6622 	if (err)
6623 		goto out_free;
6624 
6625 	request->scan_start = jiffies;
6626 
6627 	return request;
6628 
6629 out_free:
6630 	kfree(request);
6631 	return ERR_PTR(err);
6632 }
6633 
6634 static int nl80211_start_sched_scan(struct sk_buff *skb,
6635 				    struct genl_info *info)
6636 {
6637 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6638 	struct net_device *dev = info->user_ptr[1];
6639 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6640 	struct cfg80211_sched_scan_request *sched_scan_req;
6641 	int err;
6642 
6643 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
6644 	    !rdev->ops->sched_scan_start)
6645 		return -EOPNOTSUPP;
6646 
6647 	if (rdev->sched_scan_req)
6648 		return -EINPROGRESS;
6649 
6650 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
6651 						  info->attrs);
6652 
6653 	err = PTR_ERR_OR_ZERO(sched_scan_req);
6654 	if (err)
6655 		goto out_err;
6656 
6657 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
6658 	if (err)
6659 		goto out_free;
6660 
6661 	sched_scan_req->dev = dev;
6662 	sched_scan_req->wiphy = &rdev->wiphy;
6663 
6664 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6665 		sched_scan_req->owner_nlportid = info->snd_portid;
6666 
6667 	rcu_assign_pointer(rdev->sched_scan_req, sched_scan_req);
6668 
6669 	nl80211_send_sched_scan(rdev, dev,
6670 				NL80211_CMD_START_SCHED_SCAN);
6671 	return 0;
6672 
6673 out_free:
6674 	kfree(sched_scan_req);
6675 out_err:
6676 	return err;
6677 }
6678 
6679 static int nl80211_stop_sched_scan(struct sk_buff *skb,
6680 				   struct genl_info *info)
6681 {
6682 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6683 
6684 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
6685 	    !rdev->ops->sched_scan_stop)
6686 		return -EOPNOTSUPP;
6687 
6688 	return __cfg80211_stop_sched_scan(rdev, false);
6689 }
6690 
6691 static int nl80211_start_radar_detection(struct sk_buff *skb,
6692 					 struct genl_info *info)
6693 {
6694 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6695 	struct net_device *dev = info->user_ptr[1];
6696 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6697 	struct cfg80211_chan_def chandef;
6698 	enum nl80211_dfs_regions dfs_region;
6699 	unsigned int cac_time_ms;
6700 	int err;
6701 
6702 	dfs_region = reg_get_dfs_region(wdev->wiphy);
6703 	if (dfs_region == NL80211_DFS_UNSET)
6704 		return -EINVAL;
6705 
6706 	err = nl80211_parse_chandef(rdev, info, &chandef);
6707 	if (err)
6708 		return err;
6709 
6710 	if (netif_carrier_ok(dev))
6711 		return -EBUSY;
6712 
6713 	if (wdev->cac_started)
6714 		return -EBUSY;
6715 
6716 	err = cfg80211_chandef_dfs_required(wdev->wiphy, &chandef,
6717 					    wdev->iftype);
6718 	if (err < 0)
6719 		return err;
6720 
6721 	if (err == 0)
6722 		return -EINVAL;
6723 
6724 	if (!cfg80211_chandef_dfs_usable(wdev->wiphy, &chandef))
6725 		return -EINVAL;
6726 
6727 	if (!rdev->ops->start_radar_detection)
6728 		return -EOPNOTSUPP;
6729 
6730 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
6731 	if (WARN_ON(!cac_time_ms))
6732 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
6733 
6734 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
6735 	if (!err) {
6736 		wdev->chandef = chandef;
6737 		wdev->cac_started = true;
6738 		wdev->cac_start_time = jiffies;
6739 		wdev->cac_time_ms = cac_time_ms;
6740 	}
6741 	return err;
6742 }
6743 
6744 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
6745 {
6746 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6747 	struct net_device *dev = info->user_ptr[1];
6748 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6749 	struct cfg80211_csa_settings params;
6750 	/* csa_attrs is defined static to avoid waste of stack size - this
6751 	 * function is called under RTNL lock, so this should not be a problem.
6752 	 */
6753 	static struct nlattr *csa_attrs[NL80211_ATTR_MAX+1];
6754 	int err;
6755 	bool need_new_beacon = false;
6756 	int len, i;
6757 	u32 cs_count;
6758 
6759 	if (!rdev->ops->channel_switch ||
6760 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
6761 		return -EOPNOTSUPP;
6762 
6763 	switch (dev->ieee80211_ptr->iftype) {
6764 	case NL80211_IFTYPE_AP:
6765 	case NL80211_IFTYPE_P2P_GO:
6766 		need_new_beacon = true;
6767 
6768 		/* useless if AP is not running */
6769 		if (!wdev->beacon_interval)
6770 			return -ENOTCONN;
6771 		break;
6772 	case NL80211_IFTYPE_ADHOC:
6773 		if (!wdev->ssid_len)
6774 			return -ENOTCONN;
6775 		break;
6776 	case NL80211_IFTYPE_MESH_POINT:
6777 		if (!wdev->mesh_id_len)
6778 			return -ENOTCONN;
6779 		break;
6780 	default:
6781 		return -EOPNOTSUPP;
6782 	}
6783 
6784 	memset(&params, 0, sizeof(params));
6785 
6786 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
6787 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
6788 		return -EINVAL;
6789 
6790 	/* only important for AP, IBSS and mesh create IEs internally */
6791 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
6792 		return -EINVAL;
6793 
6794 	/* Even though the attribute is u32, the specification says
6795 	 * u8, so let's make sure we don't overflow.
6796 	 */
6797 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
6798 	if (cs_count > 255)
6799 		return -EINVAL;
6800 
6801 	params.count = cs_count;
6802 
6803 	if (!need_new_beacon)
6804 		goto skip_beacons;
6805 
6806 	err = nl80211_parse_beacon(info->attrs, &params.beacon_after);
6807 	if (err)
6808 		return err;
6809 
6810 	err = nla_parse_nested(csa_attrs, NL80211_ATTR_MAX,
6811 			       info->attrs[NL80211_ATTR_CSA_IES],
6812 			       nl80211_policy);
6813 	if (err)
6814 		return err;
6815 
6816 	err = nl80211_parse_beacon(csa_attrs, &params.beacon_csa);
6817 	if (err)
6818 		return err;
6819 
6820 	if (!csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON])
6821 		return -EINVAL;
6822 
6823 	len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
6824 	if (!len || (len % sizeof(u16)))
6825 		return -EINVAL;
6826 
6827 	params.n_counter_offsets_beacon = len / sizeof(u16);
6828 	if (rdev->wiphy.max_num_csa_counters &&
6829 	    (params.n_counter_offsets_beacon >
6830 	     rdev->wiphy.max_num_csa_counters))
6831 		return -EINVAL;
6832 
6833 	params.counter_offsets_beacon =
6834 		nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
6835 
6836 	/* sanity checks - counters should fit and be the same */
6837 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
6838 		u16 offset = params.counter_offsets_beacon[i];
6839 
6840 		if (offset >= params.beacon_csa.tail_len)
6841 			return -EINVAL;
6842 
6843 		if (params.beacon_csa.tail[offset] != params.count)
6844 			return -EINVAL;
6845 	}
6846 
6847 	if (csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]) {
6848 		len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
6849 		if (!len || (len % sizeof(u16)))
6850 			return -EINVAL;
6851 
6852 		params.n_counter_offsets_presp = len / sizeof(u16);
6853 		if (rdev->wiphy.max_num_csa_counters &&
6854 		    (params.n_counter_offsets_beacon >
6855 		     rdev->wiphy.max_num_csa_counters))
6856 			return -EINVAL;
6857 
6858 		params.counter_offsets_presp =
6859 			nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
6860 
6861 		/* sanity checks - counters should fit and be the same */
6862 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
6863 			u16 offset = params.counter_offsets_presp[i];
6864 
6865 			if (offset >= params.beacon_csa.probe_resp_len)
6866 				return -EINVAL;
6867 
6868 			if (params.beacon_csa.probe_resp[offset] !=
6869 			    params.count)
6870 				return -EINVAL;
6871 		}
6872 	}
6873 
6874 skip_beacons:
6875 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
6876 	if (err)
6877 		return err;
6878 
6879 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
6880 					   wdev->iftype))
6881 		return -EINVAL;
6882 
6883 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
6884 					    &params.chandef,
6885 					    wdev->iftype);
6886 	if (err < 0)
6887 		return err;
6888 
6889 	if (err > 0)
6890 		params.radar_required = true;
6891 
6892 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
6893 		params.block_tx = true;
6894 
6895 	wdev_lock(wdev);
6896 	err = rdev_channel_switch(rdev, dev, &params);
6897 	wdev_unlock(wdev);
6898 
6899 	return err;
6900 }
6901 
6902 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
6903 			    u32 seq, int flags,
6904 			    struct cfg80211_registered_device *rdev,
6905 			    struct wireless_dev *wdev,
6906 			    struct cfg80211_internal_bss *intbss)
6907 {
6908 	struct cfg80211_bss *res = &intbss->pub;
6909 	const struct cfg80211_bss_ies *ies;
6910 	void *hdr;
6911 	struct nlattr *bss;
6912 
6913 	ASSERT_WDEV_LOCK(wdev);
6914 
6915 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
6916 			     NL80211_CMD_NEW_SCAN_RESULTS);
6917 	if (!hdr)
6918 		return -1;
6919 
6920 	genl_dump_check_consistent(cb, hdr, &nl80211_fam);
6921 
6922 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
6923 		goto nla_put_failure;
6924 	if (wdev->netdev &&
6925 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
6926 		goto nla_put_failure;
6927 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
6928 			      NL80211_ATTR_PAD))
6929 		goto nla_put_failure;
6930 
6931 	bss = nla_nest_start(msg, NL80211_ATTR_BSS);
6932 	if (!bss)
6933 		goto nla_put_failure;
6934 	if ((!is_zero_ether_addr(res->bssid) &&
6935 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
6936 		goto nla_put_failure;
6937 
6938 	rcu_read_lock();
6939 	/* indicate whether we have probe response data or not */
6940 	if (rcu_access_pointer(res->proberesp_ies) &&
6941 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
6942 		goto fail_unlock_rcu;
6943 
6944 	/* this pointer prefers to be pointed to probe response data
6945 	 * but is always valid
6946 	 */
6947 	ies = rcu_dereference(res->ies);
6948 	if (ies) {
6949 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
6950 				      NL80211_BSS_PAD))
6951 			goto fail_unlock_rcu;
6952 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
6953 					ies->len, ies->data))
6954 			goto fail_unlock_rcu;
6955 	}
6956 
6957 	/* and this pointer is always (unless driver didn't know) beacon data */
6958 	ies = rcu_dereference(res->beacon_ies);
6959 	if (ies && ies->from_beacon) {
6960 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
6961 				      NL80211_BSS_PAD))
6962 			goto fail_unlock_rcu;
6963 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
6964 					ies->len, ies->data))
6965 			goto fail_unlock_rcu;
6966 	}
6967 	rcu_read_unlock();
6968 
6969 	if (res->beacon_interval &&
6970 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
6971 		goto nla_put_failure;
6972 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
6973 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
6974 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
6975 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
6976 			jiffies_to_msecs(jiffies - intbss->ts)))
6977 		goto nla_put_failure;
6978 
6979 	if (intbss->ts_boottime &&
6980 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
6981 			      intbss->ts_boottime, NL80211_BSS_PAD))
6982 		goto nla_put_failure;
6983 
6984 	switch (rdev->wiphy.signal_type) {
6985 	case CFG80211_SIGNAL_TYPE_MBM:
6986 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
6987 			goto nla_put_failure;
6988 		break;
6989 	case CFG80211_SIGNAL_TYPE_UNSPEC:
6990 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
6991 			goto nla_put_failure;
6992 		break;
6993 	default:
6994 		break;
6995 	}
6996 
6997 	switch (wdev->iftype) {
6998 	case NL80211_IFTYPE_P2P_CLIENT:
6999 	case NL80211_IFTYPE_STATION:
7000 		if (intbss == wdev->current_bss &&
7001 		    nla_put_u32(msg, NL80211_BSS_STATUS,
7002 				NL80211_BSS_STATUS_ASSOCIATED))
7003 			goto nla_put_failure;
7004 		break;
7005 	case NL80211_IFTYPE_ADHOC:
7006 		if (intbss == wdev->current_bss &&
7007 		    nla_put_u32(msg, NL80211_BSS_STATUS,
7008 				NL80211_BSS_STATUS_IBSS_JOINED))
7009 			goto nla_put_failure;
7010 		break;
7011 	default:
7012 		break;
7013 	}
7014 
7015 	nla_nest_end(msg, bss);
7016 
7017 	genlmsg_end(msg, hdr);
7018 	return 0;
7019 
7020  fail_unlock_rcu:
7021 	rcu_read_unlock();
7022  nla_put_failure:
7023 	genlmsg_cancel(msg, hdr);
7024 	return -EMSGSIZE;
7025 }
7026 
7027 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
7028 {
7029 	struct cfg80211_registered_device *rdev;
7030 	struct cfg80211_internal_bss *scan;
7031 	struct wireless_dev *wdev;
7032 	int start = cb->args[2], idx = 0;
7033 	int err;
7034 
7035 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
7036 	if (err)
7037 		return err;
7038 
7039 	wdev_lock(wdev);
7040 	spin_lock_bh(&rdev->bss_lock);
7041 	cfg80211_bss_expire(rdev);
7042 
7043 	cb->seq = rdev->bss_generation;
7044 
7045 	list_for_each_entry(scan, &rdev->bss_list, list) {
7046 		if (++idx <= start)
7047 			continue;
7048 		if (nl80211_send_bss(skb, cb,
7049 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
7050 				rdev, wdev, scan) < 0) {
7051 			idx--;
7052 			break;
7053 		}
7054 	}
7055 
7056 	spin_unlock_bh(&rdev->bss_lock);
7057 	wdev_unlock(wdev);
7058 
7059 	cb->args[2] = idx;
7060 	nl80211_finish_wdev_dump(rdev);
7061 
7062 	return skb->len;
7063 }
7064 
7065 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
7066 			       int flags, struct net_device *dev,
7067 			       bool allow_radio_stats,
7068 			       struct survey_info *survey)
7069 {
7070 	void *hdr;
7071 	struct nlattr *infoattr;
7072 
7073 	/* skip radio stats if userspace didn't request them */
7074 	if (!survey->channel && !allow_radio_stats)
7075 		return 0;
7076 
7077 	hdr = nl80211hdr_put(msg, portid, seq, flags,
7078 			     NL80211_CMD_NEW_SURVEY_RESULTS);
7079 	if (!hdr)
7080 		return -ENOMEM;
7081 
7082 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
7083 		goto nla_put_failure;
7084 
7085 	infoattr = nla_nest_start(msg, NL80211_ATTR_SURVEY_INFO);
7086 	if (!infoattr)
7087 		goto nla_put_failure;
7088 
7089 	if (survey->channel &&
7090 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
7091 			survey->channel->center_freq))
7092 		goto nla_put_failure;
7093 
7094 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
7095 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
7096 		goto nla_put_failure;
7097 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
7098 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
7099 		goto nla_put_failure;
7100 	if ((survey->filled & SURVEY_INFO_TIME) &&
7101 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
7102 			survey->time, NL80211_SURVEY_INFO_PAD))
7103 		goto nla_put_failure;
7104 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
7105 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
7106 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
7107 		goto nla_put_failure;
7108 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
7109 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
7110 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
7111 		goto nla_put_failure;
7112 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
7113 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
7114 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
7115 		goto nla_put_failure;
7116 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
7117 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
7118 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
7119 		goto nla_put_failure;
7120 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
7121 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
7122 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
7123 		goto nla_put_failure;
7124 
7125 	nla_nest_end(msg, infoattr);
7126 
7127 	genlmsg_end(msg, hdr);
7128 	return 0;
7129 
7130  nla_put_failure:
7131 	genlmsg_cancel(msg, hdr);
7132 	return -EMSGSIZE;
7133 }
7134 
7135 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
7136 {
7137 	struct survey_info survey;
7138 	struct cfg80211_registered_device *rdev;
7139 	struct wireless_dev *wdev;
7140 	int survey_idx = cb->args[2];
7141 	int res;
7142 	bool radio_stats;
7143 
7144 	res = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
7145 	if (res)
7146 		return res;
7147 
7148 	/* prepare_wdev_dump parsed the attributes */
7149 	radio_stats = nl80211_fam.attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
7150 
7151 	if (!wdev->netdev) {
7152 		res = -EINVAL;
7153 		goto out_err;
7154 	}
7155 
7156 	if (!rdev->ops->dump_survey) {
7157 		res = -EOPNOTSUPP;
7158 		goto out_err;
7159 	}
7160 
7161 	while (1) {
7162 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
7163 		if (res == -ENOENT)
7164 			break;
7165 		if (res)
7166 			goto out_err;
7167 
7168 		/* don't send disabled channels, but do send non-channel data */
7169 		if (survey.channel &&
7170 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
7171 			survey_idx++;
7172 			continue;
7173 		}
7174 
7175 		if (nl80211_send_survey(skb,
7176 				NETLINK_CB(cb->skb).portid,
7177 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
7178 				wdev->netdev, radio_stats, &survey) < 0)
7179 			goto out;
7180 		survey_idx++;
7181 	}
7182 
7183  out:
7184 	cb->args[2] = survey_idx;
7185 	res = skb->len;
7186  out_err:
7187 	nl80211_finish_wdev_dump(rdev);
7188 	return res;
7189 }
7190 
7191 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
7192 {
7193 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
7194 				  NL80211_WPA_VERSION_2));
7195 }
7196 
7197 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
7198 {
7199 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7200 	struct net_device *dev = info->user_ptr[1];
7201 	struct ieee80211_channel *chan;
7202 	const u8 *bssid, *ssid, *ie = NULL, *sae_data = NULL;
7203 	int err, ssid_len, ie_len = 0, sae_data_len = 0;
7204 	enum nl80211_auth_type auth_type;
7205 	struct key_parse key;
7206 	bool local_state_change;
7207 
7208 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7209 		return -EINVAL;
7210 
7211 	if (!info->attrs[NL80211_ATTR_MAC])
7212 		return -EINVAL;
7213 
7214 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
7215 		return -EINVAL;
7216 
7217 	if (!info->attrs[NL80211_ATTR_SSID])
7218 		return -EINVAL;
7219 
7220 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
7221 		return -EINVAL;
7222 
7223 	err = nl80211_parse_key(info, &key);
7224 	if (err)
7225 		return err;
7226 
7227 	if (key.idx >= 0) {
7228 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
7229 			return -EINVAL;
7230 		if (!key.p.key || !key.p.key_len)
7231 			return -EINVAL;
7232 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
7233 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
7234 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
7235 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
7236 			return -EINVAL;
7237 		if (key.idx > 4)
7238 			return -EINVAL;
7239 	} else {
7240 		key.p.key_len = 0;
7241 		key.p.key = NULL;
7242 	}
7243 
7244 	if (key.idx >= 0) {
7245 		int i;
7246 		bool ok = false;
7247 
7248 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
7249 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
7250 				ok = true;
7251 				break;
7252 			}
7253 		}
7254 		if (!ok)
7255 			return -EINVAL;
7256 	}
7257 
7258 	if (!rdev->ops->auth)
7259 		return -EOPNOTSUPP;
7260 
7261 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7262 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7263 		return -EOPNOTSUPP;
7264 
7265 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7266 	chan = nl80211_get_valid_chan(&rdev->wiphy,
7267 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
7268 	if (!chan)
7269 		return -EINVAL;
7270 
7271 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
7272 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
7273 
7274 	if (info->attrs[NL80211_ATTR_IE]) {
7275 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7276 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7277 	}
7278 
7279 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
7280 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
7281 		return -EINVAL;
7282 
7283 	if (auth_type == NL80211_AUTHTYPE_SAE &&
7284 	    !info->attrs[NL80211_ATTR_SAE_DATA])
7285 		return -EINVAL;
7286 
7287 	if (info->attrs[NL80211_ATTR_SAE_DATA]) {
7288 		if (auth_type != NL80211_AUTHTYPE_SAE)
7289 			return -EINVAL;
7290 		sae_data = nla_data(info->attrs[NL80211_ATTR_SAE_DATA]);
7291 		sae_data_len = nla_len(info->attrs[NL80211_ATTR_SAE_DATA]);
7292 		/* need to include at least Auth Transaction and Status Code */
7293 		if (sae_data_len < 4)
7294 			return -EINVAL;
7295 	}
7296 
7297 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
7298 
7299 	/*
7300 	 * Since we no longer track auth state, ignore
7301 	 * requests to only change local state.
7302 	 */
7303 	if (local_state_change)
7304 		return 0;
7305 
7306 	wdev_lock(dev->ieee80211_ptr);
7307 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
7308 				 ssid, ssid_len, ie, ie_len,
7309 				 key.p.key, key.p.key_len, key.idx,
7310 				 sae_data, sae_data_len);
7311 	wdev_unlock(dev->ieee80211_ptr);
7312 	return err;
7313 }
7314 
7315 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
7316 				   struct genl_info *info,
7317 				   struct cfg80211_crypto_settings *settings,
7318 				   int cipher_limit)
7319 {
7320 	memset(settings, 0, sizeof(*settings));
7321 
7322 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
7323 
7324 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
7325 		u16 proto;
7326 
7327 		proto = nla_get_u16(
7328 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
7329 		settings->control_port_ethertype = cpu_to_be16(proto);
7330 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
7331 		    proto != ETH_P_PAE)
7332 			return -EINVAL;
7333 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
7334 			settings->control_port_no_encrypt = true;
7335 	} else
7336 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
7337 
7338 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
7339 		void *data;
7340 		int len, i;
7341 
7342 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
7343 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
7344 		settings->n_ciphers_pairwise = len / sizeof(u32);
7345 
7346 		if (len % sizeof(u32))
7347 			return -EINVAL;
7348 
7349 		if (settings->n_ciphers_pairwise > cipher_limit)
7350 			return -EINVAL;
7351 
7352 		memcpy(settings->ciphers_pairwise, data, len);
7353 
7354 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
7355 			if (!cfg80211_supported_cipher_suite(
7356 					&rdev->wiphy,
7357 					settings->ciphers_pairwise[i]))
7358 				return -EINVAL;
7359 	}
7360 
7361 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
7362 		settings->cipher_group =
7363 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
7364 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
7365 						     settings->cipher_group))
7366 			return -EINVAL;
7367 	}
7368 
7369 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
7370 		settings->wpa_versions =
7371 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
7372 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
7373 			return -EINVAL;
7374 	}
7375 
7376 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
7377 		void *data;
7378 		int len;
7379 
7380 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
7381 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
7382 		settings->n_akm_suites = len / sizeof(u32);
7383 
7384 		if (len % sizeof(u32))
7385 			return -EINVAL;
7386 
7387 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
7388 			return -EINVAL;
7389 
7390 		memcpy(settings->akm_suites, data, len);
7391 	}
7392 
7393 	return 0;
7394 }
7395 
7396 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
7397 {
7398 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7399 	struct net_device *dev = info->user_ptr[1];
7400 	struct ieee80211_channel *chan;
7401 	struct cfg80211_assoc_request req = {};
7402 	const u8 *bssid, *ssid;
7403 	int err, ssid_len = 0;
7404 
7405 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7406 		return -EINVAL;
7407 
7408 	if (!info->attrs[NL80211_ATTR_MAC] ||
7409 	    !info->attrs[NL80211_ATTR_SSID] ||
7410 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
7411 		return -EINVAL;
7412 
7413 	if (!rdev->ops->assoc)
7414 		return -EOPNOTSUPP;
7415 
7416 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7417 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7418 		return -EOPNOTSUPP;
7419 
7420 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7421 
7422 	chan = nl80211_get_valid_chan(&rdev->wiphy,
7423 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
7424 	if (!chan)
7425 		return -EINVAL;
7426 
7427 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
7428 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
7429 
7430 	if (info->attrs[NL80211_ATTR_IE]) {
7431 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7432 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7433 	}
7434 
7435 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
7436 		enum nl80211_mfp mfp =
7437 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
7438 		if (mfp == NL80211_MFP_REQUIRED)
7439 			req.use_mfp = true;
7440 		else if (mfp != NL80211_MFP_NO)
7441 			return -EINVAL;
7442 	}
7443 
7444 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
7445 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
7446 
7447 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
7448 		req.flags |= ASSOC_REQ_DISABLE_HT;
7449 
7450 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7451 		memcpy(&req.ht_capa_mask,
7452 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
7453 		       sizeof(req.ht_capa_mask));
7454 
7455 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
7456 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7457 			return -EINVAL;
7458 		memcpy(&req.ht_capa,
7459 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
7460 		       sizeof(req.ht_capa));
7461 	}
7462 
7463 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
7464 		req.flags |= ASSOC_REQ_DISABLE_VHT;
7465 
7466 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
7467 		memcpy(&req.vht_capa_mask,
7468 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
7469 		       sizeof(req.vht_capa_mask));
7470 
7471 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
7472 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
7473 			return -EINVAL;
7474 		memcpy(&req.vht_capa,
7475 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
7476 		       sizeof(req.vht_capa));
7477 	}
7478 
7479 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
7480 		if (!((rdev->wiphy.features &
7481 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
7482 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
7483 		    !wiphy_ext_feature_isset(&rdev->wiphy,
7484 					     NL80211_EXT_FEATURE_RRM))
7485 			return -EINVAL;
7486 		req.flags |= ASSOC_REQ_USE_RRM;
7487 	}
7488 
7489 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
7490 	if (!err) {
7491 		wdev_lock(dev->ieee80211_ptr);
7492 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
7493 					  ssid, ssid_len, &req);
7494 		wdev_unlock(dev->ieee80211_ptr);
7495 	}
7496 
7497 	return err;
7498 }
7499 
7500 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
7501 {
7502 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7503 	struct net_device *dev = info->user_ptr[1];
7504 	const u8 *ie = NULL, *bssid;
7505 	int ie_len = 0, err;
7506 	u16 reason_code;
7507 	bool local_state_change;
7508 
7509 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7510 		return -EINVAL;
7511 
7512 	if (!info->attrs[NL80211_ATTR_MAC])
7513 		return -EINVAL;
7514 
7515 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
7516 		return -EINVAL;
7517 
7518 	if (!rdev->ops->deauth)
7519 		return -EOPNOTSUPP;
7520 
7521 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7522 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7523 		return -EOPNOTSUPP;
7524 
7525 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7526 
7527 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7528 	if (reason_code == 0) {
7529 		/* Reason Code 0 is reserved */
7530 		return -EINVAL;
7531 	}
7532 
7533 	if (info->attrs[NL80211_ATTR_IE]) {
7534 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7535 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7536 	}
7537 
7538 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
7539 
7540 	wdev_lock(dev->ieee80211_ptr);
7541 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
7542 				   local_state_change);
7543 	wdev_unlock(dev->ieee80211_ptr);
7544 	return err;
7545 }
7546 
7547 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
7548 {
7549 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7550 	struct net_device *dev = info->user_ptr[1];
7551 	const u8 *ie = NULL, *bssid;
7552 	int ie_len = 0, err;
7553 	u16 reason_code;
7554 	bool local_state_change;
7555 
7556 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7557 		return -EINVAL;
7558 
7559 	if (!info->attrs[NL80211_ATTR_MAC])
7560 		return -EINVAL;
7561 
7562 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
7563 		return -EINVAL;
7564 
7565 	if (!rdev->ops->disassoc)
7566 		return -EOPNOTSUPP;
7567 
7568 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
7569 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
7570 		return -EOPNOTSUPP;
7571 
7572 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7573 
7574 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7575 	if (reason_code == 0) {
7576 		/* Reason Code 0 is reserved */
7577 		return -EINVAL;
7578 	}
7579 
7580 	if (info->attrs[NL80211_ATTR_IE]) {
7581 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7582 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7583 	}
7584 
7585 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
7586 
7587 	wdev_lock(dev->ieee80211_ptr);
7588 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
7589 				     local_state_change);
7590 	wdev_unlock(dev->ieee80211_ptr);
7591 	return err;
7592 }
7593 
7594 static bool
7595 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
7596 			 int mcast_rate[NUM_NL80211_BANDS],
7597 			 int rateval)
7598 {
7599 	struct wiphy *wiphy = &rdev->wiphy;
7600 	bool found = false;
7601 	int band, i;
7602 
7603 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
7604 		struct ieee80211_supported_band *sband;
7605 
7606 		sband = wiphy->bands[band];
7607 		if (!sband)
7608 			continue;
7609 
7610 		for (i = 0; i < sband->n_bitrates; i++) {
7611 			if (sband->bitrates[i].bitrate == rateval) {
7612 				mcast_rate[band] = i + 1;
7613 				found = true;
7614 				break;
7615 			}
7616 		}
7617 	}
7618 
7619 	return found;
7620 }
7621 
7622 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
7623 {
7624 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7625 	struct net_device *dev = info->user_ptr[1];
7626 	struct cfg80211_ibss_params ibss;
7627 	struct wiphy *wiphy;
7628 	struct cfg80211_cached_keys *connkeys = NULL;
7629 	int err;
7630 
7631 	memset(&ibss, 0, sizeof(ibss));
7632 
7633 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
7634 		return -EINVAL;
7635 
7636 	if (!info->attrs[NL80211_ATTR_SSID] ||
7637 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
7638 		return -EINVAL;
7639 
7640 	ibss.beacon_interval = 100;
7641 
7642 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
7643 		ibss.beacon_interval =
7644 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
7645 		if (ibss.beacon_interval < 1 || ibss.beacon_interval > 10000)
7646 			return -EINVAL;
7647 	}
7648 
7649 	if (!rdev->ops->join_ibss)
7650 		return -EOPNOTSUPP;
7651 
7652 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
7653 		return -EOPNOTSUPP;
7654 
7655 	wiphy = &rdev->wiphy;
7656 
7657 	if (info->attrs[NL80211_ATTR_MAC]) {
7658 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
7659 
7660 		if (!is_valid_ether_addr(ibss.bssid))
7661 			return -EINVAL;
7662 	}
7663 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
7664 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
7665 
7666 	if (info->attrs[NL80211_ATTR_IE]) {
7667 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
7668 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7669 	}
7670 
7671 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
7672 	if (err)
7673 		return err;
7674 
7675 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
7676 				     NL80211_IFTYPE_ADHOC))
7677 		return -EINVAL;
7678 
7679 	switch (ibss.chandef.width) {
7680 	case NL80211_CHAN_WIDTH_5:
7681 	case NL80211_CHAN_WIDTH_10:
7682 	case NL80211_CHAN_WIDTH_20_NOHT:
7683 		break;
7684 	case NL80211_CHAN_WIDTH_20:
7685 	case NL80211_CHAN_WIDTH_40:
7686 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
7687 			return -EINVAL;
7688 		break;
7689 	case NL80211_CHAN_WIDTH_80:
7690 	case NL80211_CHAN_WIDTH_80P80:
7691 	case NL80211_CHAN_WIDTH_160:
7692 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
7693 			return -EINVAL;
7694 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
7695 					     NL80211_EXT_FEATURE_VHT_IBSS))
7696 			return -EINVAL;
7697 		break;
7698 	default:
7699 		return -EINVAL;
7700 	}
7701 
7702 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
7703 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
7704 
7705 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
7706 		u8 *rates =
7707 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7708 		int n_rates =
7709 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7710 		struct ieee80211_supported_band *sband =
7711 			wiphy->bands[ibss.chandef.chan->band];
7712 
7713 		err = ieee80211_get_ratemask(sband, rates, n_rates,
7714 					     &ibss.basic_rates);
7715 		if (err)
7716 			return err;
7717 	}
7718 
7719 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7720 		memcpy(&ibss.ht_capa_mask,
7721 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
7722 		       sizeof(ibss.ht_capa_mask));
7723 
7724 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
7725 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
7726 			return -EINVAL;
7727 		memcpy(&ibss.ht_capa,
7728 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
7729 		       sizeof(ibss.ht_capa));
7730 	}
7731 
7732 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
7733 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
7734 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
7735 		return -EINVAL;
7736 
7737 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
7738 		bool no_ht = false;
7739 
7740 		connkeys = nl80211_parse_connkeys(rdev,
7741 					  info->attrs[NL80211_ATTR_KEYS],
7742 					  &no_ht);
7743 		if (IS_ERR(connkeys))
7744 			return PTR_ERR(connkeys);
7745 
7746 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
7747 		    no_ht) {
7748 			kzfree(connkeys);
7749 			return -EINVAL;
7750 		}
7751 	}
7752 
7753 	ibss.control_port =
7754 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
7755 
7756 	ibss.userspace_handles_dfs =
7757 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
7758 
7759 	err = cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
7760 	if (err)
7761 		kzfree(connkeys);
7762 	return err;
7763 }
7764 
7765 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
7766 {
7767 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7768 	struct net_device *dev = info->user_ptr[1];
7769 
7770 	if (!rdev->ops->leave_ibss)
7771 		return -EOPNOTSUPP;
7772 
7773 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
7774 		return -EOPNOTSUPP;
7775 
7776 	return cfg80211_leave_ibss(rdev, dev, false);
7777 }
7778 
7779 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
7780 {
7781 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7782 	struct net_device *dev = info->user_ptr[1];
7783 	int mcast_rate[NUM_NL80211_BANDS];
7784 	u32 nla_rate;
7785 	int err;
7786 
7787 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
7788 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
7789 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
7790 		return -EOPNOTSUPP;
7791 
7792 	if (!rdev->ops->set_mcast_rate)
7793 		return -EOPNOTSUPP;
7794 
7795 	memset(mcast_rate, 0, sizeof(mcast_rate));
7796 
7797 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
7798 		return -EINVAL;
7799 
7800 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
7801 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
7802 		return -EINVAL;
7803 
7804 	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
7805 
7806 	return err;
7807 }
7808 
7809 static struct sk_buff *
7810 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
7811 			    struct wireless_dev *wdev, int approxlen,
7812 			    u32 portid, u32 seq, enum nl80211_commands cmd,
7813 			    enum nl80211_attrs attr,
7814 			    const struct nl80211_vendor_cmd_info *info,
7815 			    gfp_t gfp)
7816 {
7817 	struct sk_buff *skb;
7818 	void *hdr;
7819 	struct nlattr *data;
7820 
7821 	skb = nlmsg_new(approxlen + 100, gfp);
7822 	if (!skb)
7823 		return NULL;
7824 
7825 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
7826 	if (!hdr) {
7827 		kfree_skb(skb);
7828 		return NULL;
7829 	}
7830 
7831 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
7832 		goto nla_put_failure;
7833 
7834 	if (info) {
7835 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
7836 				info->vendor_id))
7837 			goto nla_put_failure;
7838 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
7839 				info->subcmd))
7840 			goto nla_put_failure;
7841 	}
7842 
7843 	if (wdev) {
7844 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
7845 				      wdev_id(wdev), NL80211_ATTR_PAD))
7846 			goto nla_put_failure;
7847 		if (wdev->netdev &&
7848 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
7849 				wdev->netdev->ifindex))
7850 			goto nla_put_failure;
7851 	}
7852 
7853 	data = nla_nest_start(skb, attr);
7854 
7855 	((void **)skb->cb)[0] = rdev;
7856 	((void **)skb->cb)[1] = hdr;
7857 	((void **)skb->cb)[2] = data;
7858 
7859 	return skb;
7860 
7861  nla_put_failure:
7862 	kfree_skb(skb);
7863 	return NULL;
7864 }
7865 
7866 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
7867 					   struct wireless_dev *wdev,
7868 					   enum nl80211_commands cmd,
7869 					   enum nl80211_attrs attr,
7870 					   int vendor_event_idx,
7871 					   int approxlen, gfp_t gfp)
7872 {
7873 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
7874 	const struct nl80211_vendor_cmd_info *info;
7875 
7876 	switch (cmd) {
7877 	case NL80211_CMD_TESTMODE:
7878 		if (WARN_ON(vendor_event_idx != -1))
7879 			return NULL;
7880 		info = NULL;
7881 		break;
7882 	case NL80211_CMD_VENDOR:
7883 		if (WARN_ON(vendor_event_idx < 0 ||
7884 			    vendor_event_idx >= wiphy->n_vendor_events))
7885 			return NULL;
7886 		info = &wiphy->vendor_events[vendor_event_idx];
7887 		break;
7888 	default:
7889 		WARN_ON(1);
7890 		return NULL;
7891 	}
7892 
7893 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, 0, 0,
7894 					   cmd, attr, info, gfp);
7895 }
7896 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
7897 
7898 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
7899 {
7900 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
7901 	void *hdr = ((void **)skb->cb)[1];
7902 	struct nlattr *data = ((void **)skb->cb)[2];
7903 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
7904 
7905 	/* clear CB data for netlink core to own from now on */
7906 	memset(skb->cb, 0, sizeof(skb->cb));
7907 
7908 	nla_nest_end(skb, data);
7909 	genlmsg_end(skb, hdr);
7910 
7911 	if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
7912 		mcgrp = NL80211_MCGRP_VENDOR;
7913 
7914 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), skb, 0,
7915 				mcgrp, gfp);
7916 }
7917 EXPORT_SYMBOL(__cfg80211_send_event_skb);
7918 
7919 #ifdef CONFIG_NL80211_TESTMODE
7920 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
7921 {
7922 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7923 	struct wireless_dev *wdev =
7924 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
7925 	int err;
7926 
7927 	if (!rdev->ops->testmode_cmd)
7928 		return -EOPNOTSUPP;
7929 
7930 	if (IS_ERR(wdev)) {
7931 		err = PTR_ERR(wdev);
7932 		if (err != -EINVAL)
7933 			return err;
7934 		wdev = NULL;
7935 	} else if (wdev->wiphy != &rdev->wiphy) {
7936 		return -EINVAL;
7937 	}
7938 
7939 	if (!info->attrs[NL80211_ATTR_TESTDATA])
7940 		return -EINVAL;
7941 
7942 	rdev->cur_cmd_info = info;
7943 	err = rdev_testmode_cmd(rdev, wdev,
7944 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
7945 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
7946 	rdev->cur_cmd_info = NULL;
7947 
7948 	return err;
7949 }
7950 
7951 static int nl80211_testmode_dump(struct sk_buff *skb,
7952 				 struct netlink_callback *cb)
7953 {
7954 	struct cfg80211_registered_device *rdev;
7955 	int err;
7956 	long phy_idx;
7957 	void *data = NULL;
7958 	int data_len = 0;
7959 
7960 	rtnl_lock();
7961 
7962 	if (cb->args[0]) {
7963 		/*
7964 		 * 0 is a valid index, but not valid for args[0],
7965 		 * so we need to offset by 1.
7966 		 */
7967 		phy_idx = cb->args[0] - 1;
7968 	} else {
7969 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
7970 				  nl80211_fam.attrbuf, nl80211_fam.maxattr,
7971 				  nl80211_policy);
7972 		if (err)
7973 			goto out_err;
7974 
7975 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk),
7976 						  nl80211_fam.attrbuf);
7977 		if (IS_ERR(rdev)) {
7978 			err = PTR_ERR(rdev);
7979 			goto out_err;
7980 		}
7981 		phy_idx = rdev->wiphy_idx;
7982 		rdev = NULL;
7983 
7984 		if (nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA])
7985 			cb->args[1] =
7986 				(long)nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA];
7987 	}
7988 
7989 	if (cb->args[1]) {
7990 		data = nla_data((void *)cb->args[1]);
7991 		data_len = nla_len((void *)cb->args[1]);
7992 	}
7993 
7994 	rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
7995 	if (!rdev) {
7996 		err = -ENOENT;
7997 		goto out_err;
7998 	}
7999 
8000 	if (!rdev->ops->testmode_dump) {
8001 		err = -EOPNOTSUPP;
8002 		goto out_err;
8003 	}
8004 
8005 	while (1) {
8006 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
8007 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
8008 					   NL80211_CMD_TESTMODE);
8009 		struct nlattr *tmdata;
8010 
8011 		if (!hdr)
8012 			break;
8013 
8014 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
8015 			genlmsg_cancel(skb, hdr);
8016 			break;
8017 		}
8018 
8019 		tmdata = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
8020 		if (!tmdata) {
8021 			genlmsg_cancel(skb, hdr);
8022 			break;
8023 		}
8024 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
8025 		nla_nest_end(skb, tmdata);
8026 
8027 		if (err == -ENOBUFS || err == -ENOENT) {
8028 			genlmsg_cancel(skb, hdr);
8029 			break;
8030 		} else if (err) {
8031 			genlmsg_cancel(skb, hdr);
8032 			goto out_err;
8033 		}
8034 
8035 		genlmsg_end(skb, hdr);
8036 	}
8037 
8038 	err = skb->len;
8039 	/* see above */
8040 	cb->args[0] = phy_idx + 1;
8041  out_err:
8042 	rtnl_unlock();
8043 	return err;
8044 }
8045 #endif
8046 
8047 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
8048 {
8049 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8050 	struct net_device *dev = info->user_ptr[1];
8051 	struct cfg80211_connect_params connect;
8052 	struct wiphy *wiphy;
8053 	struct cfg80211_cached_keys *connkeys = NULL;
8054 	int err;
8055 
8056 	memset(&connect, 0, sizeof(connect));
8057 
8058 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
8059 		return -EINVAL;
8060 
8061 	if (!info->attrs[NL80211_ATTR_SSID] ||
8062 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
8063 		return -EINVAL;
8064 
8065 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
8066 		connect.auth_type =
8067 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
8068 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
8069 					     NL80211_CMD_CONNECT))
8070 			return -EINVAL;
8071 	} else
8072 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
8073 
8074 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
8075 
8076 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
8077 				      NL80211_MAX_NR_CIPHER_SUITES);
8078 	if (err)
8079 		return err;
8080 
8081 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8082 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8083 		return -EOPNOTSUPP;
8084 
8085 	wiphy = &rdev->wiphy;
8086 
8087 	connect.bg_scan_period = -1;
8088 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
8089 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
8090 		connect.bg_scan_period =
8091 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
8092 	}
8093 
8094 	if (info->attrs[NL80211_ATTR_MAC])
8095 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8096 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
8097 		connect.bssid_hint =
8098 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
8099 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
8100 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
8101 
8102 	if (info->attrs[NL80211_ATTR_IE]) {
8103 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8104 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8105 	}
8106 
8107 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
8108 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
8109 		if (connect.mfp != NL80211_MFP_REQUIRED &&
8110 		    connect.mfp != NL80211_MFP_NO)
8111 			return -EINVAL;
8112 	} else {
8113 		connect.mfp = NL80211_MFP_NO;
8114 	}
8115 
8116 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
8117 		connect.prev_bssid =
8118 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
8119 
8120 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
8121 		connect.channel = nl80211_get_valid_chan(
8122 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ]);
8123 		if (!connect.channel)
8124 			return -EINVAL;
8125 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
8126 		connect.channel_hint = nl80211_get_valid_chan(
8127 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
8128 		if (!connect.channel_hint)
8129 			return -EINVAL;
8130 	}
8131 
8132 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
8133 		connkeys = nl80211_parse_connkeys(rdev,
8134 					  info->attrs[NL80211_ATTR_KEYS], NULL);
8135 		if (IS_ERR(connkeys))
8136 			return PTR_ERR(connkeys);
8137 	}
8138 
8139 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
8140 		connect.flags |= ASSOC_REQ_DISABLE_HT;
8141 
8142 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
8143 		memcpy(&connect.ht_capa_mask,
8144 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
8145 		       sizeof(connect.ht_capa_mask));
8146 
8147 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
8148 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
8149 			kzfree(connkeys);
8150 			return -EINVAL;
8151 		}
8152 		memcpy(&connect.ht_capa,
8153 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
8154 		       sizeof(connect.ht_capa));
8155 	}
8156 
8157 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
8158 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
8159 
8160 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
8161 		memcpy(&connect.vht_capa_mask,
8162 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
8163 		       sizeof(connect.vht_capa_mask));
8164 
8165 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
8166 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
8167 			kzfree(connkeys);
8168 			return -EINVAL;
8169 		}
8170 		memcpy(&connect.vht_capa,
8171 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
8172 		       sizeof(connect.vht_capa));
8173 	}
8174 
8175 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
8176 		if (!((rdev->wiphy.features &
8177 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
8178 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
8179 		    !wiphy_ext_feature_isset(&rdev->wiphy,
8180 					     NL80211_EXT_FEATURE_RRM)) {
8181 			kzfree(connkeys);
8182 			return -EINVAL;
8183 		}
8184 		connect.flags |= ASSOC_REQ_USE_RRM;
8185 	}
8186 
8187 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
8188 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
8189 		kzfree(connkeys);
8190 		return -EOPNOTSUPP;
8191 	}
8192 
8193 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
8194 		/* bss selection makes no sense if bssid is set */
8195 		if (connect.bssid) {
8196 			kzfree(connkeys);
8197 			return -EINVAL;
8198 		}
8199 
8200 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
8201 				       wiphy, &connect.bss_select);
8202 		if (err) {
8203 			kzfree(connkeys);
8204 			return err;
8205 		}
8206 	}
8207 
8208 	wdev_lock(dev->ieee80211_ptr);
8209 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
8210 			       connect.prev_bssid);
8211 	wdev_unlock(dev->ieee80211_ptr);
8212 	if (err)
8213 		kzfree(connkeys);
8214 	return err;
8215 }
8216 
8217 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
8218 {
8219 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8220 	struct net_device *dev = info->user_ptr[1];
8221 	u16 reason;
8222 	int ret;
8223 
8224 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
8225 		reason = WLAN_REASON_DEAUTH_LEAVING;
8226 	else
8227 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
8228 
8229 	if (reason == 0)
8230 		return -EINVAL;
8231 
8232 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8233 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8234 		return -EOPNOTSUPP;
8235 
8236 	wdev_lock(dev->ieee80211_ptr);
8237 	ret = cfg80211_disconnect(rdev, dev, reason, true);
8238 	wdev_unlock(dev->ieee80211_ptr);
8239 	return ret;
8240 }
8241 
8242 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
8243 {
8244 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8245 	struct net *net;
8246 	int err;
8247 
8248 	if (info->attrs[NL80211_ATTR_PID]) {
8249 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
8250 
8251 		net = get_net_ns_by_pid(pid);
8252 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
8253 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
8254 
8255 		net = get_net_ns_by_fd(fd);
8256 	} else {
8257 		return -EINVAL;
8258 	}
8259 
8260 	if (IS_ERR(net))
8261 		return PTR_ERR(net);
8262 
8263 	err = 0;
8264 
8265 	/* check if anything to do */
8266 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
8267 		err = cfg80211_switch_netns(rdev, net);
8268 
8269 	put_net(net);
8270 	return err;
8271 }
8272 
8273 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
8274 {
8275 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8276 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
8277 			struct cfg80211_pmksa *pmksa) = NULL;
8278 	struct net_device *dev = info->user_ptr[1];
8279 	struct cfg80211_pmksa pmksa;
8280 
8281 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
8282 
8283 	if (!info->attrs[NL80211_ATTR_MAC])
8284 		return -EINVAL;
8285 
8286 	if (!info->attrs[NL80211_ATTR_PMKID])
8287 		return -EINVAL;
8288 
8289 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
8290 	pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8291 
8292 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8293 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8294 		return -EOPNOTSUPP;
8295 
8296 	switch (info->genlhdr->cmd) {
8297 	case NL80211_CMD_SET_PMKSA:
8298 		rdev_ops = rdev->ops->set_pmksa;
8299 		break;
8300 	case NL80211_CMD_DEL_PMKSA:
8301 		rdev_ops = rdev->ops->del_pmksa;
8302 		break;
8303 	default:
8304 		WARN_ON(1);
8305 		break;
8306 	}
8307 
8308 	if (!rdev_ops)
8309 		return -EOPNOTSUPP;
8310 
8311 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
8312 }
8313 
8314 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
8315 {
8316 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8317 	struct net_device *dev = info->user_ptr[1];
8318 
8319 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8320 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8321 		return -EOPNOTSUPP;
8322 
8323 	if (!rdev->ops->flush_pmksa)
8324 		return -EOPNOTSUPP;
8325 
8326 	return rdev_flush_pmksa(rdev, dev);
8327 }
8328 
8329 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
8330 {
8331 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8332 	struct net_device *dev = info->user_ptr[1];
8333 	u8 action_code, dialog_token;
8334 	u32 peer_capability = 0;
8335 	u16 status_code;
8336 	u8 *peer;
8337 	bool initiator;
8338 
8339 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
8340 	    !rdev->ops->tdls_mgmt)
8341 		return -EOPNOTSUPP;
8342 
8343 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
8344 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
8345 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
8346 	    !info->attrs[NL80211_ATTR_IE] ||
8347 	    !info->attrs[NL80211_ATTR_MAC])
8348 		return -EINVAL;
8349 
8350 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
8351 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
8352 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
8353 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
8354 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
8355 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
8356 		peer_capability =
8357 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
8358 
8359 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
8360 			      dialog_token, status_code, peer_capability,
8361 			      initiator,
8362 			      nla_data(info->attrs[NL80211_ATTR_IE]),
8363 			      nla_len(info->attrs[NL80211_ATTR_IE]));
8364 }
8365 
8366 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
8367 {
8368 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8369 	struct net_device *dev = info->user_ptr[1];
8370 	enum nl80211_tdls_operation operation;
8371 	u8 *peer;
8372 
8373 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
8374 	    !rdev->ops->tdls_oper)
8375 		return -EOPNOTSUPP;
8376 
8377 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
8378 	    !info->attrs[NL80211_ATTR_MAC])
8379 		return -EINVAL;
8380 
8381 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
8382 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
8383 
8384 	return rdev_tdls_oper(rdev, dev, peer, operation);
8385 }
8386 
8387 static int nl80211_remain_on_channel(struct sk_buff *skb,
8388 				     struct genl_info *info)
8389 {
8390 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8391 	struct wireless_dev *wdev = info->user_ptr[1];
8392 	struct cfg80211_chan_def chandef;
8393 	struct sk_buff *msg;
8394 	void *hdr;
8395 	u64 cookie;
8396 	u32 duration;
8397 	int err;
8398 
8399 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
8400 	    !info->attrs[NL80211_ATTR_DURATION])
8401 		return -EINVAL;
8402 
8403 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
8404 
8405 	if (!rdev->ops->remain_on_channel ||
8406 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
8407 		return -EOPNOTSUPP;
8408 
8409 	/*
8410 	 * We should be on that channel for at least a minimum amount of
8411 	 * time (10ms) but no longer than the driver supports.
8412 	 */
8413 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
8414 	    duration > rdev->wiphy.max_remain_on_channel_duration)
8415 		return -EINVAL;
8416 
8417 	err = nl80211_parse_chandef(rdev, info, &chandef);
8418 	if (err)
8419 		return err;
8420 
8421 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8422 	if (!msg)
8423 		return -ENOMEM;
8424 
8425 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8426 			     NL80211_CMD_REMAIN_ON_CHANNEL);
8427 	if (!hdr) {
8428 		err = -ENOBUFS;
8429 		goto free_msg;
8430 	}
8431 
8432 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
8433 				     duration, &cookie);
8434 
8435 	if (err)
8436 		goto free_msg;
8437 
8438 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
8439 			      NL80211_ATTR_PAD))
8440 		goto nla_put_failure;
8441 
8442 	genlmsg_end(msg, hdr);
8443 
8444 	return genlmsg_reply(msg, info);
8445 
8446  nla_put_failure:
8447 	err = -ENOBUFS;
8448  free_msg:
8449 	nlmsg_free(msg);
8450 	return err;
8451 }
8452 
8453 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
8454 					    struct genl_info *info)
8455 {
8456 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8457 	struct wireless_dev *wdev = info->user_ptr[1];
8458 	u64 cookie;
8459 
8460 	if (!info->attrs[NL80211_ATTR_COOKIE])
8461 		return -EINVAL;
8462 
8463 	if (!rdev->ops->cancel_remain_on_channel)
8464 		return -EOPNOTSUPP;
8465 
8466 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
8467 
8468 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
8469 }
8470 
8471 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
8472 			   u8 *rates, u8 rates_len)
8473 {
8474 	u8 i;
8475 	u32 mask = 0;
8476 
8477 	for (i = 0; i < rates_len; i++) {
8478 		int rate = (rates[i] & 0x7f) * 5;
8479 		int ridx;
8480 
8481 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
8482 			struct ieee80211_rate *srate =
8483 				&sband->bitrates[ridx];
8484 			if (rate == srate->bitrate) {
8485 				mask |= 1 << ridx;
8486 				break;
8487 			}
8488 		}
8489 		if (ridx == sband->n_bitrates)
8490 			return 0; /* rate not found */
8491 	}
8492 
8493 	return mask;
8494 }
8495 
8496 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
8497 			       u8 *rates, u8 rates_len,
8498 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
8499 {
8500 	u8 i;
8501 
8502 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
8503 
8504 	for (i = 0; i < rates_len; i++) {
8505 		int ridx, rbit;
8506 
8507 		ridx = rates[i] / 8;
8508 		rbit = BIT(rates[i] % 8);
8509 
8510 		/* check validity */
8511 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
8512 			return false;
8513 
8514 		/* check availability */
8515 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
8516 			mcs[ridx] |= rbit;
8517 		else
8518 			return false;
8519 	}
8520 
8521 	return true;
8522 }
8523 
8524 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
8525 {
8526 	u16 mcs_mask = 0;
8527 
8528 	switch (vht_mcs_map) {
8529 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
8530 		break;
8531 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
8532 		mcs_mask = 0x00FF;
8533 		break;
8534 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
8535 		mcs_mask = 0x01FF;
8536 		break;
8537 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
8538 		mcs_mask = 0x03FF;
8539 		break;
8540 	default:
8541 		break;
8542 	}
8543 
8544 	return mcs_mask;
8545 }
8546 
8547 static void vht_build_mcs_mask(u16 vht_mcs_map,
8548 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
8549 {
8550 	u8 nss;
8551 
8552 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
8553 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
8554 		vht_mcs_map >>= 2;
8555 	}
8556 }
8557 
8558 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
8559 			     struct nl80211_txrate_vht *txrate,
8560 			     u16 mcs[NL80211_VHT_NSS_MAX])
8561 {
8562 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
8563 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
8564 	u8 i;
8565 
8566 	if (!sband->vht_cap.vht_supported)
8567 		return false;
8568 
8569 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
8570 
8571 	/* Build vht_mcs_mask from VHT capabilities */
8572 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
8573 
8574 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
8575 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
8576 			mcs[i] = txrate->mcs[i];
8577 		else
8578 			return false;
8579 	}
8580 
8581 	return true;
8582 }
8583 
8584 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
8585 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
8586 				    .len = NL80211_MAX_SUPP_RATES },
8587 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
8588 				.len = NL80211_MAX_SUPP_HT_RATES },
8589 	[NL80211_TXRATE_VHT] = { .len = sizeof(struct nl80211_txrate_vht)},
8590 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
8591 };
8592 
8593 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
8594 				       struct genl_info *info)
8595 {
8596 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
8597 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8598 	struct cfg80211_bitrate_mask mask;
8599 	int rem, i;
8600 	struct net_device *dev = info->user_ptr[1];
8601 	struct nlattr *tx_rates;
8602 	struct ieee80211_supported_band *sband;
8603 	u16 vht_tx_mcs_map;
8604 
8605 	if (!rdev->ops->set_bitrate_mask)
8606 		return -EOPNOTSUPP;
8607 
8608 	memset(&mask, 0, sizeof(mask));
8609 	/* Default to all rates enabled */
8610 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
8611 		sband = rdev->wiphy.bands[i];
8612 
8613 		if (!sband)
8614 			continue;
8615 
8616 		mask.control[i].legacy = (1 << sband->n_bitrates) - 1;
8617 		memcpy(mask.control[i].ht_mcs,
8618 		       sband->ht_cap.mcs.rx_mask,
8619 		       sizeof(mask.control[i].ht_mcs));
8620 
8621 		if (!sband->vht_cap.vht_supported)
8622 			continue;
8623 
8624 		vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
8625 		vht_build_mcs_mask(vht_tx_mcs_map, mask.control[i].vht_mcs);
8626 	}
8627 
8628 	/* if no rates are given set it back to the defaults */
8629 	if (!info->attrs[NL80211_ATTR_TX_RATES])
8630 		goto out;
8631 
8632 	/*
8633 	 * The nested attribute uses enum nl80211_band as the index. This maps
8634 	 * directly to the enum nl80211_band values used in cfg80211.
8635 	 */
8636 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
8637 	nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
8638 		enum nl80211_band band = nla_type(tx_rates);
8639 		int err;
8640 
8641 		if (band < 0 || band >= NUM_NL80211_BANDS)
8642 			return -EINVAL;
8643 		sband = rdev->wiphy.bands[band];
8644 		if (sband == NULL)
8645 			return -EINVAL;
8646 		err = nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates),
8647 				nla_len(tx_rates), nl80211_txattr_policy);
8648 		if (err)
8649 			return err;
8650 		if (tb[NL80211_TXRATE_LEGACY]) {
8651 			mask.control[band].legacy = rateset_to_mask(
8652 				sband,
8653 				nla_data(tb[NL80211_TXRATE_LEGACY]),
8654 				nla_len(tb[NL80211_TXRATE_LEGACY]));
8655 			if ((mask.control[band].legacy == 0) &&
8656 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
8657 				return -EINVAL;
8658 		}
8659 		if (tb[NL80211_TXRATE_HT]) {
8660 			if (!ht_rateset_to_mask(
8661 					sband,
8662 					nla_data(tb[NL80211_TXRATE_HT]),
8663 					nla_len(tb[NL80211_TXRATE_HT]),
8664 					mask.control[band].ht_mcs))
8665 				return -EINVAL;
8666 		}
8667 		if (tb[NL80211_TXRATE_VHT]) {
8668 			if (!vht_set_mcs_mask(
8669 					sband,
8670 					nla_data(tb[NL80211_TXRATE_VHT]),
8671 					mask.control[band].vht_mcs))
8672 				return -EINVAL;
8673 		}
8674 		if (tb[NL80211_TXRATE_GI]) {
8675 			mask.control[band].gi =
8676 				nla_get_u8(tb[NL80211_TXRATE_GI]);
8677 			if (mask.control[band].gi > NL80211_TXRATE_FORCE_LGI)
8678 				return -EINVAL;
8679 		}
8680 
8681 		if (mask.control[band].legacy == 0) {
8682 			/* don't allow empty legacy rates if HT or VHT
8683 			 * are not even supported.
8684 			 */
8685 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
8686 			      rdev->wiphy.bands[band]->vht_cap.vht_supported))
8687 				return -EINVAL;
8688 
8689 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
8690 				if (mask.control[band].ht_mcs[i])
8691 					goto out;
8692 
8693 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
8694 				if (mask.control[band].vht_mcs[i])
8695 					goto out;
8696 
8697 			/* legacy and mcs rates may not be both empty */
8698 			return -EINVAL;
8699 		}
8700 	}
8701 
8702 out:
8703 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
8704 }
8705 
8706 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
8707 {
8708 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8709 	struct wireless_dev *wdev = info->user_ptr[1];
8710 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
8711 
8712 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
8713 		return -EINVAL;
8714 
8715 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
8716 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
8717 
8718 	switch (wdev->iftype) {
8719 	case NL80211_IFTYPE_STATION:
8720 	case NL80211_IFTYPE_ADHOC:
8721 	case NL80211_IFTYPE_P2P_CLIENT:
8722 	case NL80211_IFTYPE_AP:
8723 	case NL80211_IFTYPE_AP_VLAN:
8724 	case NL80211_IFTYPE_MESH_POINT:
8725 	case NL80211_IFTYPE_P2P_GO:
8726 	case NL80211_IFTYPE_P2P_DEVICE:
8727 		break;
8728 	default:
8729 		return -EOPNOTSUPP;
8730 	}
8731 
8732 	/* not much point in registering if we can't reply */
8733 	if (!rdev->ops->mgmt_tx)
8734 		return -EOPNOTSUPP;
8735 
8736 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
8737 			nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
8738 			nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]));
8739 }
8740 
8741 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
8742 {
8743 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8744 	struct wireless_dev *wdev = info->user_ptr[1];
8745 	struct cfg80211_chan_def chandef;
8746 	int err;
8747 	void *hdr = NULL;
8748 	u64 cookie;
8749 	struct sk_buff *msg = NULL;
8750 	struct cfg80211_mgmt_tx_params params = {
8751 		.dont_wait_for_ack =
8752 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
8753 	};
8754 
8755 	if (!info->attrs[NL80211_ATTR_FRAME])
8756 		return -EINVAL;
8757 
8758 	if (!rdev->ops->mgmt_tx)
8759 		return -EOPNOTSUPP;
8760 
8761 	switch (wdev->iftype) {
8762 	case NL80211_IFTYPE_P2P_DEVICE:
8763 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
8764 			return -EINVAL;
8765 	case NL80211_IFTYPE_STATION:
8766 	case NL80211_IFTYPE_ADHOC:
8767 	case NL80211_IFTYPE_P2P_CLIENT:
8768 	case NL80211_IFTYPE_AP:
8769 	case NL80211_IFTYPE_AP_VLAN:
8770 	case NL80211_IFTYPE_MESH_POINT:
8771 	case NL80211_IFTYPE_P2P_GO:
8772 		break;
8773 	default:
8774 		return -EOPNOTSUPP;
8775 	}
8776 
8777 	if (info->attrs[NL80211_ATTR_DURATION]) {
8778 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
8779 			return -EINVAL;
8780 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
8781 
8782 		/*
8783 		 * We should wait on the channel for at least a minimum amount
8784 		 * of time (10ms) but no longer than the driver supports.
8785 		 */
8786 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
8787 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
8788 			return -EINVAL;
8789 	}
8790 
8791 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
8792 
8793 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
8794 		return -EINVAL;
8795 
8796 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
8797 
8798 	/* get the channel if any has been specified, otherwise pass NULL to
8799 	 * the driver. The latter will use the current one
8800 	 */
8801 	chandef.chan = NULL;
8802 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
8803 		err = nl80211_parse_chandef(rdev, info, &chandef);
8804 		if (err)
8805 			return err;
8806 	}
8807 
8808 	if (!chandef.chan && params.offchan)
8809 		return -EINVAL;
8810 
8811 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
8812 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
8813 
8814 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
8815 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
8816 		int i;
8817 
8818 		if (len % sizeof(u16))
8819 			return -EINVAL;
8820 
8821 		params.n_csa_offsets = len / sizeof(u16);
8822 		params.csa_offsets =
8823 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
8824 
8825 		/* check that all the offsets fit the frame */
8826 		for (i = 0; i < params.n_csa_offsets; i++) {
8827 			if (params.csa_offsets[i] >= params.len)
8828 				return -EINVAL;
8829 		}
8830 	}
8831 
8832 	if (!params.dont_wait_for_ack) {
8833 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8834 		if (!msg)
8835 			return -ENOMEM;
8836 
8837 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8838 				     NL80211_CMD_FRAME);
8839 		if (!hdr) {
8840 			err = -ENOBUFS;
8841 			goto free_msg;
8842 		}
8843 	}
8844 
8845 	params.chan = chandef.chan;
8846 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
8847 	if (err)
8848 		goto free_msg;
8849 
8850 	if (msg) {
8851 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
8852 				      NL80211_ATTR_PAD))
8853 			goto nla_put_failure;
8854 
8855 		genlmsg_end(msg, hdr);
8856 		return genlmsg_reply(msg, info);
8857 	}
8858 
8859 	return 0;
8860 
8861  nla_put_failure:
8862 	err = -ENOBUFS;
8863  free_msg:
8864 	nlmsg_free(msg);
8865 	return err;
8866 }
8867 
8868 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
8869 {
8870 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8871 	struct wireless_dev *wdev = info->user_ptr[1];
8872 	u64 cookie;
8873 
8874 	if (!info->attrs[NL80211_ATTR_COOKIE])
8875 		return -EINVAL;
8876 
8877 	if (!rdev->ops->mgmt_tx_cancel_wait)
8878 		return -EOPNOTSUPP;
8879 
8880 	switch (wdev->iftype) {
8881 	case NL80211_IFTYPE_STATION:
8882 	case NL80211_IFTYPE_ADHOC:
8883 	case NL80211_IFTYPE_P2P_CLIENT:
8884 	case NL80211_IFTYPE_AP:
8885 	case NL80211_IFTYPE_AP_VLAN:
8886 	case NL80211_IFTYPE_P2P_GO:
8887 	case NL80211_IFTYPE_P2P_DEVICE:
8888 		break;
8889 	default:
8890 		return -EOPNOTSUPP;
8891 	}
8892 
8893 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
8894 
8895 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
8896 }
8897 
8898 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
8899 {
8900 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8901 	struct wireless_dev *wdev;
8902 	struct net_device *dev = info->user_ptr[1];
8903 	u8 ps_state;
8904 	bool state;
8905 	int err;
8906 
8907 	if (!info->attrs[NL80211_ATTR_PS_STATE])
8908 		return -EINVAL;
8909 
8910 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
8911 
8912 	if (ps_state != NL80211_PS_DISABLED && ps_state != NL80211_PS_ENABLED)
8913 		return -EINVAL;
8914 
8915 	wdev = dev->ieee80211_ptr;
8916 
8917 	if (!rdev->ops->set_power_mgmt)
8918 		return -EOPNOTSUPP;
8919 
8920 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
8921 
8922 	if (state == wdev->ps)
8923 		return 0;
8924 
8925 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
8926 	if (!err)
8927 		wdev->ps = state;
8928 	return err;
8929 }
8930 
8931 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
8932 {
8933 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8934 	enum nl80211_ps_state ps_state;
8935 	struct wireless_dev *wdev;
8936 	struct net_device *dev = info->user_ptr[1];
8937 	struct sk_buff *msg;
8938 	void *hdr;
8939 	int err;
8940 
8941 	wdev = dev->ieee80211_ptr;
8942 
8943 	if (!rdev->ops->set_power_mgmt)
8944 		return -EOPNOTSUPP;
8945 
8946 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8947 	if (!msg)
8948 		return -ENOMEM;
8949 
8950 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8951 			     NL80211_CMD_GET_POWER_SAVE);
8952 	if (!hdr) {
8953 		err = -ENOBUFS;
8954 		goto free_msg;
8955 	}
8956 
8957 	if (wdev->ps)
8958 		ps_state = NL80211_PS_ENABLED;
8959 	else
8960 		ps_state = NL80211_PS_DISABLED;
8961 
8962 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
8963 		goto nla_put_failure;
8964 
8965 	genlmsg_end(msg, hdr);
8966 	return genlmsg_reply(msg, info);
8967 
8968  nla_put_failure:
8969 	err = -ENOBUFS;
8970  free_msg:
8971 	nlmsg_free(msg);
8972 	return err;
8973 }
8974 
8975 static const struct nla_policy
8976 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
8977 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_U32 },
8978 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
8979 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
8980 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
8981 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
8982 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
8983 };
8984 
8985 static int nl80211_set_cqm_txe(struct genl_info *info,
8986 			       u32 rate, u32 pkts, u32 intvl)
8987 {
8988 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8989 	struct net_device *dev = info->user_ptr[1];
8990 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8991 
8992 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
8993 		return -EINVAL;
8994 
8995 	if (!rdev->ops->set_cqm_txe_config)
8996 		return -EOPNOTSUPP;
8997 
8998 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
8999 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
9000 		return -EOPNOTSUPP;
9001 
9002 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
9003 }
9004 
9005 static int nl80211_set_cqm_rssi(struct genl_info *info,
9006 				s32 threshold, u32 hysteresis)
9007 {
9008 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9009 	struct net_device *dev = info->user_ptr[1];
9010 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9011 
9012 	if (threshold > 0)
9013 		return -EINVAL;
9014 
9015 	/* disabling - hysteresis should also be zero then */
9016 	if (threshold == 0)
9017 		hysteresis = 0;
9018 
9019 	if (!rdev->ops->set_cqm_rssi_config)
9020 		return -EOPNOTSUPP;
9021 
9022 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
9023 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
9024 		return -EOPNOTSUPP;
9025 
9026 	return rdev_set_cqm_rssi_config(rdev, dev, threshold, hysteresis);
9027 }
9028 
9029 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
9030 {
9031 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
9032 	struct nlattr *cqm;
9033 	int err;
9034 
9035 	cqm = info->attrs[NL80211_ATTR_CQM];
9036 	if (!cqm)
9037 		return -EINVAL;
9038 
9039 	err = nla_parse_nested(attrs, NL80211_ATTR_CQM_MAX, cqm,
9040 			       nl80211_attr_cqm_policy);
9041 	if (err)
9042 		return err;
9043 
9044 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
9045 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
9046 		s32 threshold = nla_get_s32(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
9047 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
9048 
9049 		return nl80211_set_cqm_rssi(info, threshold, hysteresis);
9050 	}
9051 
9052 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
9053 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
9054 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
9055 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
9056 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
9057 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
9058 
9059 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
9060 	}
9061 
9062 	return -EINVAL;
9063 }
9064 
9065 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
9066 {
9067 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9068 	struct net_device *dev = info->user_ptr[1];
9069 	struct ocb_setup setup = {};
9070 	int err;
9071 
9072 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
9073 	if (err)
9074 		return err;
9075 
9076 	return cfg80211_join_ocb(rdev, dev, &setup);
9077 }
9078 
9079 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
9080 {
9081 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9082 	struct net_device *dev = info->user_ptr[1];
9083 
9084 	return cfg80211_leave_ocb(rdev, dev);
9085 }
9086 
9087 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
9088 {
9089 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9090 	struct net_device *dev = info->user_ptr[1];
9091 	struct mesh_config cfg;
9092 	struct mesh_setup setup;
9093 	int err;
9094 
9095 	/* start with default */
9096 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
9097 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
9098 
9099 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
9100 		/* and parse parameters if given */
9101 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
9102 		if (err)
9103 			return err;
9104 	}
9105 
9106 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
9107 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
9108 		return -EINVAL;
9109 
9110 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
9111 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
9112 
9113 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
9114 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
9115 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
9116 			return -EINVAL;
9117 
9118 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
9119 		setup.beacon_interval =
9120 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
9121 		if (setup.beacon_interval < 10 ||
9122 		    setup.beacon_interval > 10000)
9123 			return -EINVAL;
9124 	}
9125 
9126 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
9127 		setup.dtim_period =
9128 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
9129 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
9130 			return -EINVAL;
9131 	}
9132 
9133 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
9134 		/* parse additional setup parameters if given */
9135 		err = nl80211_parse_mesh_setup(info, &setup);
9136 		if (err)
9137 			return err;
9138 	}
9139 
9140 	if (setup.user_mpm)
9141 		cfg.auto_open_plinks = false;
9142 
9143 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
9144 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
9145 		if (err)
9146 			return err;
9147 	} else {
9148 		/* cfg80211_join_mesh() will sort it out */
9149 		setup.chandef.chan = NULL;
9150 	}
9151 
9152 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
9153 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9154 		int n_rates =
9155 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9156 		struct ieee80211_supported_band *sband;
9157 
9158 		if (!setup.chandef.chan)
9159 			return -EINVAL;
9160 
9161 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
9162 
9163 		err = ieee80211_get_ratemask(sband, rates, n_rates,
9164 					     &setup.basic_rates);
9165 		if (err)
9166 			return err;
9167 	}
9168 
9169 	return cfg80211_join_mesh(rdev, dev, &setup, &cfg);
9170 }
9171 
9172 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
9173 {
9174 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9175 	struct net_device *dev = info->user_ptr[1];
9176 
9177 	return cfg80211_leave_mesh(rdev, dev);
9178 }
9179 
9180 #ifdef CONFIG_PM
9181 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
9182 					struct cfg80211_registered_device *rdev)
9183 {
9184 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
9185 	struct nlattr *nl_pats, *nl_pat;
9186 	int i, pat_len;
9187 
9188 	if (!wowlan->n_patterns)
9189 		return 0;
9190 
9191 	nl_pats = nla_nest_start(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
9192 	if (!nl_pats)
9193 		return -ENOBUFS;
9194 
9195 	for (i = 0; i < wowlan->n_patterns; i++) {
9196 		nl_pat = nla_nest_start(msg, i + 1);
9197 		if (!nl_pat)
9198 			return -ENOBUFS;
9199 		pat_len = wowlan->patterns[i].pattern_len;
9200 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
9201 			    wowlan->patterns[i].mask) ||
9202 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
9203 			    wowlan->patterns[i].pattern) ||
9204 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
9205 				wowlan->patterns[i].pkt_offset))
9206 			return -ENOBUFS;
9207 		nla_nest_end(msg, nl_pat);
9208 	}
9209 	nla_nest_end(msg, nl_pats);
9210 
9211 	return 0;
9212 }
9213 
9214 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
9215 				   struct cfg80211_wowlan_tcp *tcp)
9216 {
9217 	struct nlattr *nl_tcp;
9218 
9219 	if (!tcp)
9220 		return 0;
9221 
9222 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
9223 	if (!nl_tcp)
9224 		return -ENOBUFS;
9225 
9226 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
9227 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
9228 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
9229 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
9230 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
9231 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
9232 		    tcp->payload_len, tcp->payload) ||
9233 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
9234 			tcp->data_interval) ||
9235 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
9236 		    tcp->wake_len, tcp->wake_data) ||
9237 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
9238 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
9239 		return -ENOBUFS;
9240 
9241 	if (tcp->payload_seq.len &&
9242 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
9243 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
9244 		return -ENOBUFS;
9245 
9246 	if (tcp->payload_tok.len &&
9247 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
9248 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
9249 		    &tcp->payload_tok))
9250 		return -ENOBUFS;
9251 
9252 	nla_nest_end(msg, nl_tcp);
9253 
9254 	return 0;
9255 }
9256 
9257 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
9258 				  struct cfg80211_sched_scan_request *req)
9259 {
9260 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
9261 	int i;
9262 
9263 	if (!req)
9264 		return 0;
9265 
9266 	nd = nla_nest_start(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
9267 	if (!nd)
9268 		return -ENOBUFS;
9269 
9270 	if (req->n_scan_plans == 1 &&
9271 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
9272 			req->scan_plans[0].interval * 1000))
9273 		return -ENOBUFS;
9274 
9275 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
9276 		return -ENOBUFS;
9277 
9278 	freqs = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
9279 	if (!freqs)
9280 		return -ENOBUFS;
9281 
9282 	for (i = 0; i < req->n_channels; i++)
9283 		nla_put_u32(msg, i, req->channels[i]->center_freq);
9284 
9285 	nla_nest_end(msg, freqs);
9286 
9287 	if (req->n_match_sets) {
9288 		matches = nla_nest_start(msg, NL80211_ATTR_SCHED_SCAN_MATCH);
9289 		for (i = 0; i < req->n_match_sets; i++) {
9290 			match = nla_nest_start(msg, i);
9291 			nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
9292 				req->match_sets[i].ssid.ssid_len,
9293 				req->match_sets[i].ssid.ssid);
9294 			nla_nest_end(msg, match);
9295 		}
9296 		nla_nest_end(msg, matches);
9297 	}
9298 
9299 	scan_plans = nla_nest_start(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
9300 	if (!scan_plans)
9301 		return -ENOBUFS;
9302 
9303 	for (i = 0; i < req->n_scan_plans; i++) {
9304 		scan_plan = nla_nest_start(msg, i + 1);
9305 		if (!scan_plan ||
9306 		    nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
9307 				req->scan_plans[i].interval) ||
9308 		    (req->scan_plans[i].iterations &&
9309 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
9310 				 req->scan_plans[i].iterations)))
9311 			return -ENOBUFS;
9312 		nla_nest_end(msg, scan_plan);
9313 	}
9314 	nla_nest_end(msg, scan_plans);
9315 
9316 	nla_nest_end(msg, nd);
9317 
9318 	return 0;
9319 }
9320 
9321 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
9322 {
9323 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9324 	struct sk_buff *msg;
9325 	void *hdr;
9326 	u32 size = NLMSG_DEFAULT_SIZE;
9327 
9328 	if (!rdev->wiphy.wowlan)
9329 		return -EOPNOTSUPP;
9330 
9331 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
9332 		/* adjust size to have room for all the data */
9333 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
9334 			rdev->wiphy.wowlan_config->tcp->payload_len +
9335 			rdev->wiphy.wowlan_config->tcp->wake_len +
9336 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
9337 	}
9338 
9339 	msg = nlmsg_new(size, GFP_KERNEL);
9340 	if (!msg)
9341 		return -ENOMEM;
9342 
9343 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9344 			     NL80211_CMD_GET_WOWLAN);
9345 	if (!hdr)
9346 		goto nla_put_failure;
9347 
9348 	if (rdev->wiphy.wowlan_config) {
9349 		struct nlattr *nl_wowlan;
9350 
9351 		nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
9352 		if (!nl_wowlan)
9353 			goto nla_put_failure;
9354 
9355 		if ((rdev->wiphy.wowlan_config->any &&
9356 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
9357 		    (rdev->wiphy.wowlan_config->disconnect &&
9358 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
9359 		    (rdev->wiphy.wowlan_config->magic_pkt &&
9360 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
9361 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
9362 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
9363 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
9364 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
9365 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
9366 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
9367 		    (rdev->wiphy.wowlan_config->rfkill_release &&
9368 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
9369 			goto nla_put_failure;
9370 
9371 		if (nl80211_send_wowlan_patterns(msg, rdev))
9372 			goto nla_put_failure;
9373 
9374 		if (nl80211_send_wowlan_tcp(msg,
9375 					    rdev->wiphy.wowlan_config->tcp))
9376 			goto nla_put_failure;
9377 
9378 		if (nl80211_send_wowlan_nd(
9379 			    msg,
9380 			    rdev->wiphy.wowlan_config->nd_config))
9381 			goto nla_put_failure;
9382 
9383 		nla_nest_end(msg, nl_wowlan);
9384 	}
9385 
9386 	genlmsg_end(msg, hdr);
9387 	return genlmsg_reply(msg, info);
9388 
9389 nla_put_failure:
9390 	nlmsg_free(msg);
9391 	return -ENOBUFS;
9392 }
9393 
9394 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
9395 				    struct nlattr *attr,
9396 				    struct cfg80211_wowlan *trig)
9397 {
9398 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
9399 	struct cfg80211_wowlan_tcp *cfg;
9400 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
9401 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
9402 	u32 size;
9403 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
9404 	int err, port;
9405 
9406 	if (!rdev->wiphy.wowlan->tcp)
9407 		return -EINVAL;
9408 
9409 	err = nla_parse(tb, MAX_NL80211_WOWLAN_TCP,
9410 			nla_data(attr), nla_len(attr),
9411 			nl80211_wowlan_tcp_policy);
9412 	if (err)
9413 		return err;
9414 
9415 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
9416 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
9417 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
9418 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
9419 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
9420 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
9421 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
9422 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
9423 		return -EINVAL;
9424 
9425 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
9426 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
9427 		return -EINVAL;
9428 
9429 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
9430 			rdev->wiphy.wowlan->tcp->data_interval_max ||
9431 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
9432 		return -EINVAL;
9433 
9434 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
9435 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
9436 		return -EINVAL;
9437 
9438 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
9439 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
9440 		return -EINVAL;
9441 
9442 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
9443 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
9444 
9445 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
9446 		tokens_size = tokln - sizeof(*tok);
9447 
9448 		if (!tok->len || tokens_size % tok->len)
9449 			return -EINVAL;
9450 		if (!rdev->wiphy.wowlan->tcp->tok)
9451 			return -EINVAL;
9452 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
9453 			return -EINVAL;
9454 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
9455 			return -EINVAL;
9456 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
9457 			return -EINVAL;
9458 		if (tok->offset + tok->len > data_size)
9459 			return -EINVAL;
9460 	}
9461 
9462 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
9463 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
9464 		if (!rdev->wiphy.wowlan->tcp->seq)
9465 			return -EINVAL;
9466 		if (seq->len == 0 || seq->len > 4)
9467 			return -EINVAL;
9468 		if (seq->len + seq->offset > data_size)
9469 			return -EINVAL;
9470 	}
9471 
9472 	size = sizeof(*cfg);
9473 	size += data_size;
9474 	size += wake_size + wake_mask_size;
9475 	size += tokens_size;
9476 
9477 	cfg = kzalloc(size, GFP_KERNEL);
9478 	if (!cfg)
9479 		return -ENOMEM;
9480 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
9481 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
9482 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
9483 	       ETH_ALEN);
9484 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
9485 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
9486 	else
9487 		port = 0;
9488 #ifdef CONFIG_INET
9489 	/* allocate a socket and port for it and use it */
9490 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
9491 			    IPPROTO_TCP, &cfg->sock, 1);
9492 	if (err) {
9493 		kfree(cfg);
9494 		return err;
9495 	}
9496 	if (inet_csk_get_port(cfg->sock->sk, port)) {
9497 		sock_release(cfg->sock);
9498 		kfree(cfg);
9499 		return -EADDRINUSE;
9500 	}
9501 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
9502 #else
9503 	if (!port) {
9504 		kfree(cfg);
9505 		return -EINVAL;
9506 	}
9507 	cfg->src_port = port;
9508 #endif
9509 
9510 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
9511 	cfg->payload_len = data_size;
9512 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
9513 	memcpy((void *)cfg->payload,
9514 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
9515 	       data_size);
9516 	if (seq)
9517 		cfg->payload_seq = *seq;
9518 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
9519 	cfg->wake_len = wake_size;
9520 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
9521 	memcpy((void *)cfg->wake_data,
9522 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
9523 	       wake_size);
9524 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
9525 			 data_size + wake_size;
9526 	memcpy((void *)cfg->wake_mask,
9527 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
9528 	       wake_mask_size);
9529 	if (tok) {
9530 		cfg->tokens_size = tokens_size;
9531 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
9532 	}
9533 
9534 	trig->tcp = cfg;
9535 
9536 	return 0;
9537 }
9538 
9539 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
9540 				   const struct wiphy_wowlan_support *wowlan,
9541 				   struct nlattr *attr,
9542 				   struct cfg80211_wowlan *trig)
9543 {
9544 	struct nlattr **tb;
9545 	int err;
9546 
9547 	tb = kzalloc(NUM_NL80211_ATTR * sizeof(*tb), GFP_KERNEL);
9548 	if (!tb)
9549 		return -ENOMEM;
9550 
9551 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
9552 		err = -EOPNOTSUPP;
9553 		goto out;
9554 	}
9555 
9556 	err = nla_parse(tb, NL80211_ATTR_MAX,
9557 			nla_data(attr), nla_len(attr),
9558 			nl80211_policy);
9559 	if (err)
9560 		goto out;
9561 
9562 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb);
9563 	err = PTR_ERR_OR_ZERO(trig->nd_config);
9564 	if (err)
9565 		trig->nd_config = NULL;
9566 
9567 out:
9568 	kfree(tb);
9569 	return err;
9570 }
9571 
9572 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
9573 {
9574 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9575 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
9576 	struct cfg80211_wowlan new_triggers = {};
9577 	struct cfg80211_wowlan *ntrig;
9578 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
9579 	int err, i;
9580 	bool prev_enabled = rdev->wiphy.wowlan_config;
9581 	bool regular = false;
9582 
9583 	if (!wowlan)
9584 		return -EOPNOTSUPP;
9585 
9586 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
9587 		cfg80211_rdev_free_wowlan(rdev);
9588 		rdev->wiphy.wowlan_config = NULL;
9589 		goto set_wakeup;
9590 	}
9591 
9592 	err = nla_parse(tb, MAX_NL80211_WOWLAN_TRIG,
9593 			nla_data(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
9594 			nla_len(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
9595 			nl80211_wowlan_policy);
9596 	if (err)
9597 		return err;
9598 
9599 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
9600 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
9601 			return -EINVAL;
9602 		new_triggers.any = true;
9603 	}
9604 
9605 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
9606 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
9607 			return -EINVAL;
9608 		new_triggers.disconnect = true;
9609 		regular = true;
9610 	}
9611 
9612 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
9613 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
9614 			return -EINVAL;
9615 		new_triggers.magic_pkt = true;
9616 		regular = true;
9617 	}
9618 
9619 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
9620 		return -EINVAL;
9621 
9622 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
9623 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
9624 			return -EINVAL;
9625 		new_triggers.gtk_rekey_failure = true;
9626 		regular = true;
9627 	}
9628 
9629 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
9630 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
9631 			return -EINVAL;
9632 		new_triggers.eap_identity_req = true;
9633 		regular = true;
9634 	}
9635 
9636 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
9637 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
9638 			return -EINVAL;
9639 		new_triggers.four_way_handshake = true;
9640 		regular = true;
9641 	}
9642 
9643 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
9644 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
9645 			return -EINVAL;
9646 		new_triggers.rfkill_release = true;
9647 		regular = true;
9648 	}
9649 
9650 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
9651 		struct nlattr *pat;
9652 		int n_patterns = 0;
9653 		int rem, pat_len, mask_len, pkt_offset;
9654 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
9655 
9656 		regular = true;
9657 
9658 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
9659 				    rem)
9660 			n_patterns++;
9661 		if (n_patterns > wowlan->n_patterns)
9662 			return -EINVAL;
9663 
9664 		new_triggers.patterns = kcalloc(n_patterns,
9665 						sizeof(new_triggers.patterns[0]),
9666 						GFP_KERNEL);
9667 		if (!new_triggers.patterns)
9668 			return -ENOMEM;
9669 
9670 		new_triggers.n_patterns = n_patterns;
9671 		i = 0;
9672 
9673 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
9674 				    rem) {
9675 			u8 *mask_pat;
9676 
9677 			nla_parse(pat_tb, MAX_NL80211_PKTPAT, nla_data(pat),
9678 				  nla_len(pat), NULL);
9679 			err = -EINVAL;
9680 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
9681 			    !pat_tb[NL80211_PKTPAT_PATTERN])
9682 				goto error;
9683 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
9684 			mask_len = DIV_ROUND_UP(pat_len, 8);
9685 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
9686 				goto error;
9687 			if (pat_len > wowlan->pattern_max_len ||
9688 			    pat_len < wowlan->pattern_min_len)
9689 				goto error;
9690 
9691 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
9692 				pkt_offset = 0;
9693 			else
9694 				pkt_offset = nla_get_u32(
9695 					pat_tb[NL80211_PKTPAT_OFFSET]);
9696 			if (pkt_offset > wowlan->max_pkt_offset)
9697 				goto error;
9698 			new_triggers.patterns[i].pkt_offset = pkt_offset;
9699 
9700 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
9701 			if (!mask_pat) {
9702 				err = -ENOMEM;
9703 				goto error;
9704 			}
9705 			new_triggers.patterns[i].mask = mask_pat;
9706 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
9707 			       mask_len);
9708 			mask_pat += mask_len;
9709 			new_triggers.patterns[i].pattern = mask_pat;
9710 			new_triggers.patterns[i].pattern_len = pat_len;
9711 			memcpy(mask_pat,
9712 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
9713 			       pat_len);
9714 			i++;
9715 		}
9716 	}
9717 
9718 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
9719 		regular = true;
9720 		err = nl80211_parse_wowlan_tcp(
9721 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
9722 			&new_triggers);
9723 		if (err)
9724 			goto error;
9725 	}
9726 
9727 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
9728 		regular = true;
9729 		err = nl80211_parse_wowlan_nd(
9730 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
9731 			&new_triggers);
9732 		if (err)
9733 			goto error;
9734 	}
9735 
9736 	/* The 'any' trigger means the device continues operating more or less
9737 	 * as in its normal operation mode and wakes up the host on most of the
9738 	 * normal interrupts (like packet RX, ...)
9739 	 * It therefore makes little sense to combine with the more constrained
9740 	 * wakeup trigger modes.
9741 	 */
9742 	if (new_triggers.any && regular) {
9743 		err = -EINVAL;
9744 		goto error;
9745 	}
9746 
9747 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
9748 	if (!ntrig) {
9749 		err = -ENOMEM;
9750 		goto error;
9751 	}
9752 	cfg80211_rdev_free_wowlan(rdev);
9753 	rdev->wiphy.wowlan_config = ntrig;
9754 
9755  set_wakeup:
9756 	if (rdev->ops->set_wakeup &&
9757 	    prev_enabled != !!rdev->wiphy.wowlan_config)
9758 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
9759 
9760 	return 0;
9761  error:
9762 	for (i = 0; i < new_triggers.n_patterns; i++)
9763 		kfree(new_triggers.patterns[i].mask);
9764 	kfree(new_triggers.patterns);
9765 	if (new_triggers.tcp && new_triggers.tcp->sock)
9766 		sock_release(new_triggers.tcp->sock);
9767 	kfree(new_triggers.tcp);
9768 	kfree(new_triggers.nd_config);
9769 	return err;
9770 }
9771 #endif
9772 
9773 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
9774 				       struct cfg80211_registered_device *rdev)
9775 {
9776 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
9777 	int i, j, pat_len;
9778 	struct cfg80211_coalesce_rules *rule;
9779 
9780 	if (!rdev->coalesce->n_rules)
9781 		return 0;
9782 
9783 	nl_rules = nla_nest_start(msg, NL80211_ATTR_COALESCE_RULE);
9784 	if (!nl_rules)
9785 		return -ENOBUFS;
9786 
9787 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
9788 		nl_rule = nla_nest_start(msg, i + 1);
9789 		if (!nl_rule)
9790 			return -ENOBUFS;
9791 
9792 		rule = &rdev->coalesce->rules[i];
9793 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
9794 				rule->delay))
9795 			return -ENOBUFS;
9796 
9797 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
9798 				rule->condition))
9799 			return -ENOBUFS;
9800 
9801 		nl_pats = nla_nest_start(msg,
9802 				NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
9803 		if (!nl_pats)
9804 			return -ENOBUFS;
9805 
9806 		for (j = 0; j < rule->n_patterns; j++) {
9807 			nl_pat = nla_nest_start(msg, j + 1);
9808 			if (!nl_pat)
9809 				return -ENOBUFS;
9810 			pat_len = rule->patterns[j].pattern_len;
9811 			if (nla_put(msg, NL80211_PKTPAT_MASK,
9812 				    DIV_ROUND_UP(pat_len, 8),
9813 				    rule->patterns[j].mask) ||
9814 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
9815 				    rule->patterns[j].pattern) ||
9816 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
9817 					rule->patterns[j].pkt_offset))
9818 				return -ENOBUFS;
9819 			nla_nest_end(msg, nl_pat);
9820 		}
9821 		nla_nest_end(msg, nl_pats);
9822 		nla_nest_end(msg, nl_rule);
9823 	}
9824 	nla_nest_end(msg, nl_rules);
9825 
9826 	return 0;
9827 }
9828 
9829 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
9830 {
9831 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9832 	struct sk_buff *msg;
9833 	void *hdr;
9834 
9835 	if (!rdev->wiphy.coalesce)
9836 		return -EOPNOTSUPP;
9837 
9838 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9839 	if (!msg)
9840 		return -ENOMEM;
9841 
9842 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9843 			     NL80211_CMD_GET_COALESCE);
9844 	if (!hdr)
9845 		goto nla_put_failure;
9846 
9847 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
9848 		goto nla_put_failure;
9849 
9850 	genlmsg_end(msg, hdr);
9851 	return genlmsg_reply(msg, info);
9852 
9853 nla_put_failure:
9854 	nlmsg_free(msg);
9855 	return -ENOBUFS;
9856 }
9857 
9858 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
9859 {
9860 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
9861 	int i, j;
9862 	struct cfg80211_coalesce_rules *rule;
9863 
9864 	if (!coalesce)
9865 		return;
9866 
9867 	for (i = 0; i < coalesce->n_rules; i++) {
9868 		rule = &coalesce->rules[i];
9869 		for (j = 0; j < rule->n_patterns; j++)
9870 			kfree(rule->patterns[j].mask);
9871 		kfree(rule->patterns);
9872 	}
9873 	kfree(coalesce->rules);
9874 	kfree(coalesce);
9875 	rdev->coalesce = NULL;
9876 }
9877 
9878 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
9879 				       struct nlattr *rule,
9880 				       struct cfg80211_coalesce_rules *new_rule)
9881 {
9882 	int err, i;
9883 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
9884 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
9885 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
9886 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
9887 
9888 	err = nla_parse(tb, NL80211_ATTR_COALESCE_RULE_MAX, nla_data(rule),
9889 			nla_len(rule), nl80211_coalesce_policy);
9890 	if (err)
9891 		return err;
9892 
9893 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
9894 		new_rule->delay =
9895 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
9896 	if (new_rule->delay > coalesce->max_delay)
9897 		return -EINVAL;
9898 
9899 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
9900 		new_rule->condition =
9901 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
9902 	if (new_rule->condition != NL80211_COALESCE_CONDITION_MATCH &&
9903 	    new_rule->condition != NL80211_COALESCE_CONDITION_NO_MATCH)
9904 		return -EINVAL;
9905 
9906 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
9907 		return -EINVAL;
9908 
9909 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
9910 			    rem)
9911 		n_patterns++;
9912 	if (n_patterns > coalesce->n_patterns)
9913 		return -EINVAL;
9914 
9915 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
9916 				     GFP_KERNEL);
9917 	if (!new_rule->patterns)
9918 		return -ENOMEM;
9919 
9920 	new_rule->n_patterns = n_patterns;
9921 	i = 0;
9922 
9923 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
9924 			    rem) {
9925 		u8 *mask_pat;
9926 
9927 		nla_parse(pat_tb, MAX_NL80211_PKTPAT, nla_data(pat),
9928 			  nla_len(pat), NULL);
9929 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
9930 		    !pat_tb[NL80211_PKTPAT_PATTERN])
9931 			return -EINVAL;
9932 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
9933 		mask_len = DIV_ROUND_UP(pat_len, 8);
9934 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
9935 			return -EINVAL;
9936 		if (pat_len > coalesce->pattern_max_len ||
9937 		    pat_len < coalesce->pattern_min_len)
9938 			return -EINVAL;
9939 
9940 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
9941 			pkt_offset = 0;
9942 		else
9943 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
9944 		if (pkt_offset > coalesce->max_pkt_offset)
9945 			return -EINVAL;
9946 		new_rule->patterns[i].pkt_offset = pkt_offset;
9947 
9948 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
9949 		if (!mask_pat)
9950 			return -ENOMEM;
9951 
9952 		new_rule->patterns[i].mask = mask_pat;
9953 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
9954 		       mask_len);
9955 
9956 		mask_pat += mask_len;
9957 		new_rule->patterns[i].pattern = mask_pat;
9958 		new_rule->patterns[i].pattern_len = pat_len;
9959 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
9960 		       pat_len);
9961 		i++;
9962 	}
9963 
9964 	return 0;
9965 }
9966 
9967 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
9968 {
9969 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9970 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
9971 	struct cfg80211_coalesce new_coalesce = {};
9972 	struct cfg80211_coalesce *n_coalesce;
9973 	int err, rem_rule, n_rules = 0, i, j;
9974 	struct nlattr *rule;
9975 	struct cfg80211_coalesce_rules *tmp_rule;
9976 
9977 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
9978 		return -EOPNOTSUPP;
9979 
9980 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
9981 		cfg80211_rdev_free_coalesce(rdev);
9982 		rdev_set_coalesce(rdev, NULL);
9983 		return 0;
9984 	}
9985 
9986 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
9987 			    rem_rule)
9988 		n_rules++;
9989 	if (n_rules > coalesce->n_rules)
9990 		return -EINVAL;
9991 
9992 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
9993 				     GFP_KERNEL);
9994 	if (!new_coalesce.rules)
9995 		return -ENOMEM;
9996 
9997 	new_coalesce.n_rules = n_rules;
9998 	i = 0;
9999 
10000 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
10001 			    rem_rule) {
10002 		err = nl80211_parse_coalesce_rule(rdev, rule,
10003 						  &new_coalesce.rules[i]);
10004 		if (err)
10005 			goto error;
10006 
10007 		i++;
10008 	}
10009 
10010 	err = rdev_set_coalesce(rdev, &new_coalesce);
10011 	if (err)
10012 		goto error;
10013 
10014 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
10015 	if (!n_coalesce) {
10016 		err = -ENOMEM;
10017 		goto error;
10018 	}
10019 	cfg80211_rdev_free_coalesce(rdev);
10020 	rdev->coalesce = n_coalesce;
10021 
10022 	return 0;
10023 error:
10024 	for (i = 0; i < new_coalesce.n_rules; i++) {
10025 		tmp_rule = &new_coalesce.rules[i];
10026 		for (j = 0; j < tmp_rule->n_patterns; j++)
10027 			kfree(tmp_rule->patterns[j].mask);
10028 		kfree(tmp_rule->patterns);
10029 	}
10030 	kfree(new_coalesce.rules);
10031 
10032 	return err;
10033 }
10034 
10035 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
10036 {
10037 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10038 	struct net_device *dev = info->user_ptr[1];
10039 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10040 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
10041 	struct cfg80211_gtk_rekey_data rekey_data;
10042 	int err;
10043 
10044 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
10045 		return -EINVAL;
10046 
10047 	err = nla_parse(tb, MAX_NL80211_REKEY_DATA,
10048 			nla_data(info->attrs[NL80211_ATTR_REKEY_DATA]),
10049 			nla_len(info->attrs[NL80211_ATTR_REKEY_DATA]),
10050 			nl80211_rekey_policy);
10051 	if (err)
10052 		return err;
10053 
10054 	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
10055 		return -ERANGE;
10056 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
10057 		return -ERANGE;
10058 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN)
10059 		return -ERANGE;
10060 
10061 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
10062 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
10063 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
10064 
10065 	wdev_lock(wdev);
10066 	if (!wdev->current_bss) {
10067 		err = -ENOTCONN;
10068 		goto out;
10069 	}
10070 
10071 	if (!rdev->ops->set_rekey_data) {
10072 		err = -EOPNOTSUPP;
10073 		goto out;
10074 	}
10075 
10076 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
10077  out:
10078 	wdev_unlock(wdev);
10079 	return err;
10080 }
10081 
10082 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
10083 					     struct genl_info *info)
10084 {
10085 	struct net_device *dev = info->user_ptr[1];
10086 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10087 
10088 	if (wdev->iftype != NL80211_IFTYPE_AP &&
10089 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
10090 		return -EINVAL;
10091 
10092 	if (wdev->ap_unexpected_nlportid)
10093 		return -EBUSY;
10094 
10095 	wdev->ap_unexpected_nlportid = info->snd_portid;
10096 	return 0;
10097 }
10098 
10099 static int nl80211_probe_client(struct sk_buff *skb,
10100 				struct genl_info *info)
10101 {
10102 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10103 	struct net_device *dev = info->user_ptr[1];
10104 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10105 	struct sk_buff *msg;
10106 	void *hdr;
10107 	const u8 *addr;
10108 	u64 cookie;
10109 	int err;
10110 
10111 	if (wdev->iftype != NL80211_IFTYPE_AP &&
10112 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
10113 		return -EOPNOTSUPP;
10114 
10115 	if (!info->attrs[NL80211_ATTR_MAC])
10116 		return -EINVAL;
10117 
10118 	if (!rdev->ops->probe_client)
10119 		return -EOPNOTSUPP;
10120 
10121 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10122 	if (!msg)
10123 		return -ENOMEM;
10124 
10125 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10126 			     NL80211_CMD_PROBE_CLIENT);
10127 	if (!hdr) {
10128 		err = -ENOBUFS;
10129 		goto free_msg;
10130 	}
10131 
10132 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
10133 
10134 	err = rdev_probe_client(rdev, dev, addr, &cookie);
10135 	if (err)
10136 		goto free_msg;
10137 
10138 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
10139 			      NL80211_ATTR_PAD))
10140 		goto nla_put_failure;
10141 
10142 	genlmsg_end(msg, hdr);
10143 
10144 	return genlmsg_reply(msg, info);
10145 
10146  nla_put_failure:
10147 	err = -ENOBUFS;
10148  free_msg:
10149 	nlmsg_free(msg);
10150 	return err;
10151 }
10152 
10153 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
10154 {
10155 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10156 	struct cfg80211_beacon_registration *reg, *nreg;
10157 	int rv;
10158 
10159 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
10160 		return -EOPNOTSUPP;
10161 
10162 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
10163 	if (!nreg)
10164 		return -ENOMEM;
10165 
10166 	/* First, check if already registered. */
10167 	spin_lock_bh(&rdev->beacon_registrations_lock);
10168 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
10169 		if (reg->nlportid == info->snd_portid) {
10170 			rv = -EALREADY;
10171 			goto out_err;
10172 		}
10173 	}
10174 	/* Add it to the list */
10175 	nreg->nlportid = info->snd_portid;
10176 	list_add(&nreg->list, &rdev->beacon_registrations);
10177 
10178 	spin_unlock_bh(&rdev->beacon_registrations_lock);
10179 
10180 	return 0;
10181 out_err:
10182 	spin_unlock_bh(&rdev->beacon_registrations_lock);
10183 	kfree(nreg);
10184 	return rv;
10185 }
10186 
10187 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
10188 {
10189 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10190 	struct wireless_dev *wdev = info->user_ptr[1];
10191 	int err;
10192 
10193 	if (!rdev->ops->start_p2p_device)
10194 		return -EOPNOTSUPP;
10195 
10196 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
10197 		return -EOPNOTSUPP;
10198 
10199 	if (wdev->p2p_started)
10200 		return 0;
10201 
10202 	if (rfkill_blocked(rdev->rfkill))
10203 		return -ERFKILL;
10204 
10205 	err = rdev_start_p2p_device(rdev, wdev);
10206 	if (err)
10207 		return err;
10208 
10209 	wdev->p2p_started = true;
10210 	rdev->opencount++;
10211 
10212 	return 0;
10213 }
10214 
10215 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
10216 {
10217 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10218 	struct wireless_dev *wdev = info->user_ptr[1];
10219 
10220 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
10221 		return -EOPNOTSUPP;
10222 
10223 	if (!rdev->ops->stop_p2p_device)
10224 		return -EOPNOTSUPP;
10225 
10226 	cfg80211_stop_p2p_device(rdev, wdev);
10227 
10228 	return 0;
10229 }
10230 
10231 static int nl80211_get_protocol_features(struct sk_buff *skb,
10232 					 struct genl_info *info)
10233 {
10234 	void *hdr;
10235 	struct sk_buff *msg;
10236 
10237 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10238 	if (!msg)
10239 		return -ENOMEM;
10240 
10241 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10242 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
10243 	if (!hdr)
10244 		goto nla_put_failure;
10245 
10246 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
10247 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
10248 		goto nla_put_failure;
10249 
10250 	genlmsg_end(msg, hdr);
10251 	return genlmsg_reply(msg, info);
10252 
10253  nla_put_failure:
10254 	kfree_skb(msg);
10255 	return -ENOBUFS;
10256 }
10257 
10258 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
10259 {
10260 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10261 	struct cfg80211_update_ft_ies_params ft_params;
10262 	struct net_device *dev = info->user_ptr[1];
10263 
10264 	if (!rdev->ops->update_ft_ies)
10265 		return -EOPNOTSUPP;
10266 
10267 	if (!info->attrs[NL80211_ATTR_MDID] ||
10268 	    !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
10269 		return -EINVAL;
10270 
10271 	memset(&ft_params, 0, sizeof(ft_params));
10272 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
10273 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10274 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10275 
10276 	return rdev_update_ft_ies(rdev, dev, &ft_params);
10277 }
10278 
10279 static int nl80211_crit_protocol_start(struct sk_buff *skb,
10280 				       struct genl_info *info)
10281 {
10282 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10283 	struct wireless_dev *wdev = info->user_ptr[1];
10284 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
10285 	u16 duration;
10286 	int ret;
10287 
10288 	if (!rdev->ops->crit_proto_start)
10289 		return -EOPNOTSUPP;
10290 
10291 	if (WARN_ON(!rdev->ops->crit_proto_stop))
10292 		return -EINVAL;
10293 
10294 	if (rdev->crit_proto_nlportid)
10295 		return -EBUSY;
10296 
10297 	/* determine protocol if provided */
10298 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
10299 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
10300 
10301 	if (proto >= NUM_NL80211_CRIT_PROTO)
10302 		return -EINVAL;
10303 
10304 	/* timeout must be provided */
10305 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
10306 		return -EINVAL;
10307 
10308 	duration =
10309 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
10310 
10311 	if (duration > NL80211_CRIT_PROTO_MAX_DURATION)
10312 		return -ERANGE;
10313 
10314 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
10315 	if (!ret)
10316 		rdev->crit_proto_nlportid = info->snd_portid;
10317 
10318 	return ret;
10319 }
10320 
10321 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
10322 				      struct genl_info *info)
10323 {
10324 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10325 	struct wireless_dev *wdev = info->user_ptr[1];
10326 
10327 	if (!rdev->ops->crit_proto_stop)
10328 		return -EOPNOTSUPP;
10329 
10330 	if (rdev->crit_proto_nlportid) {
10331 		rdev->crit_proto_nlportid = 0;
10332 		rdev_crit_proto_stop(rdev, wdev);
10333 	}
10334 	return 0;
10335 }
10336 
10337 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
10338 {
10339 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10340 	struct wireless_dev *wdev =
10341 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
10342 	int i, err;
10343 	u32 vid, subcmd;
10344 
10345 	if (!rdev->wiphy.vendor_commands)
10346 		return -EOPNOTSUPP;
10347 
10348 	if (IS_ERR(wdev)) {
10349 		err = PTR_ERR(wdev);
10350 		if (err != -EINVAL)
10351 			return err;
10352 		wdev = NULL;
10353 	} else if (wdev->wiphy != &rdev->wiphy) {
10354 		return -EINVAL;
10355 	}
10356 
10357 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
10358 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
10359 		return -EINVAL;
10360 
10361 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
10362 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
10363 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
10364 		const struct wiphy_vendor_command *vcmd;
10365 		void *data = NULL;
10366 		int len = 0;
10367 
10368 		vcmd = &rdev->wiphy.vendor_commands[i];
10369 
10370 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
10371 			continue;
10372 
10373 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
10374 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
10375 			if (!wdev)
10376 				return -EINVAL;
10377 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
10378 			    !wdev->netdev)
10379 				return -EINVAL;
10380 
10381 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
10382 				if (wdev->netdev &&
10383 				    !netif_running(wdev->netdev))
10384 					return -ENETDOWN;
10385 				if (!wdev->netdev && !wdev->p2p_started)
10386 					return -ENETDOWN;
10387 			}
10388 
10389 			if (!vcmd->doit)
10390 				return -EOPNOTSUPP;
10391 		} else {
10392 			wdev = NULL;
10393 		}
10394 
10395 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
10396 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
10397 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
10398 		}
10399 
10400 		rdev->cur_cmd_info = info;
10401 		err = rdev->wiphy.vendor_commands[i].doit(&rdev->wiphy, wdev,
10402 							  data, len);
10403 		rdev->cur_cmd_info = NULL;
10404 		return err;
10405 	}
10406 
10407 	return -EOPNOTSUPP;
10408 }
10409 
10410 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
10411 				       struct netlink_callback *cb,
10412 				       struct cfg80211_registered_device **rdev,
10413 				       struct wireless_dev **wdev)
10414 {
10415 	u32 vid, subcmd;
10416 	unsigned int i;
10417 	int vcmd_idx = -1;
10418 	int err;
10419 	void *data = NULL;
10420 	unsigned int data_len = 0;
10421 
10422 	rtnl_lock();
10423 
10424 	if (cb->args[0]) {
10425 		/* subtract the 1 again here */
10426 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
10427 		struct wireless_dev *tmp;
10428 
10429 		if (!wiphy) {
10430 			err = -ENODEV;
10431 			goto out_unlock;
10432 		}
10433 		*rdev = wiphy_to_rdev(wiphy);
10434 		*wdev = NULL;
10435 
10436 		if (cb->args[1]) {
10437 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
10438 				if (tmp->identifier == cb->args[1] - 1) {
10439 					*wdev = tmp;
10440 					break;
10441 				}
10442 			}
10443 		}
10444 
10445 		/* keep rtnl locked in successful case */
10446 		return 0;
10447 	}
10448 
10449 	err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
10450 			  nl80211_fam.attrbuf, nl80211_fam.maxattr,
10451 			  nl80211_policy);
10452 	if (err)
10453 		goto out_unlock;
10454 
10455 	if (!nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_ID] ||
10456 	    !nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
10457 		err = -EINVAL;
10458 		goto out_unlock;
10459 	}
10460 
10461 	*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk),
10462 					   nl80211_fam.attrbuf);
10463 	if (IS_ERR(*wdev))
10464 		*wdev = NULL;
10465 
10466 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk),
10467 					   nl80211_fam.attrbuf);
10468 	if (IS_ERR(*rdev)) {
10469 		err = PTR_ERR(*rdev);
10470 		goto out_unlock;
10471 	}
10472 
10473 	vid = nla_get_u32(nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_ID]);
10474 	subcmd = nla_get_u32(nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
10475 
10476 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
10477 		const struct wiphy_vendor_command *vcmd;
10478 
10479 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
10480 
10481 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
10482 			continue;
10483 
10484 		if (!vcmd->dumpit) {
10485 			err = -EOPNOTSUPP;
10486 			goto out_unlock;
10487 		}
10488 
10489 		vcmd_idx = i;
10490 		break;
10491 	}
10492 
10493 	if (vcmd_idx < 0) {
10494 		err = -EOPNOTSUPP;
10495 		goto out_unlock;
10496 	}
10497 
10498 	if (nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_DATA]) {
10499 		data = nla_data(nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_DATA]);
10500 		data_len = nla_len(nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_DATA]);
10501 	}
10502 
10503 	/* 0 is the first index - add 1 to parse only once */
10504 	cb->args[0] = (*rdev)->wiphy_idx + 1;
10505 	/* add 1 to know if it was NULL */
10506 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
10507 	cb->args[2] = vcmd_idx;
10508 	cb->args[3] = (unsigned long)data;
10509 	cb->args[4] = data_len;
10510 
10511 	/* keep rtnl locked in successful case */
10512 	return 0;
10513  out_unlock:
10514 	rtnl_unlock();
10515 	return err;
10516 }
10517 
10518 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
10519 				   struct netlink_callback *cb)
10520 {
10521 	struct cfg80211_registered_device *rdev;
10522 	struct wireless_dev *wdev;
10523 	unsigned int vcmd_idx;
10524 	const struct wiphy_vendor_command *vcmd;
10525 	void *data;
10526 	int data_len;
10527 	int err;
10528 	struct nlattr *vendor_data;
10529 
10530 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
10531 	if (err)
10532 		return err;
10533 
10534 	vcmd_idx = cb->args[2];
10535 	data = (void *)cb->args[3];
10536 	data_len = cb->args[4];
10537 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
10538 
10539 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
10540 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
10541 		if (!wdev)
10542 			return -EINVAL;
10543 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
10544 		    !wdev->netdev)
10545 			return -EINVAL;
10546 
10547 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
10548 			if (wdev->netdev &&
10549 			    !netif_running(wdev->netdev))
10550 				return -ENETDOWN;
10551 			if (!wdev->netdev && !wdev->p2p_started)
10552 				return -ENETDOWN;
10553 		}
10554 	}
10555 
10556 	while (1) {
10557 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
10558 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
10559 					   NL80211_CMD_VENDOR);
10560 		if (!hdr)
10561 			break;
10562 
10563 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
10564 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
10565 					       wdev_id(wdev),
10566 					       NL80211_ATTR_PAD))) {
10567 			genlmsg_cancel(skb, hdr);
10568 			break;
10569 		}
10570 
10571 		vendor_data = nla_nest_start(skb, NL80211_ATTR_VENDOR_DATA);
10572 		if (!vendor_data) {
10573 			genlmsg_cancel(skb, hdr);
10574 			break;
10575 		}
10576 
10577 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
10578 				   (unsigned long *)&cb->args[5]);
10579 		nla_nest_end(skb, vendor_data);
10580 
10581 		if (err == -ENOBUFS || err == -ENOENT) {
10582 			genlmsg_cancel(skb, hdr);
10583 			break;
10584 		} else if (err) {
10585 			genlmsg_cancel(skb, hdr);
10586 			goto out;
10587 		}
10588 
10589 		genlmsg_end(skb, hdr);
10590 	}
10591 
10592 	err = skb->len;
10593  out:
10594 	rtnl_unlock();
10595 	return err;
10596 }
10597 
10598 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
10599 					   enum nl80211_commands cmd,
10600 					   enum nl80211_attrs attr,
10601 					   int approxlen)
10602 {
10603 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
10604 
10605 	if (WARN_ON(!rdev->cur_cmd_info))
10606 		return NULL;
10607 
10608 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
10609 					   rdev->cur_cmd_info->snd_portid,
10610 					   rdev->cur_cmd_info->snd_seq,
10611 					   cmd, attr, NULL, GFP_KERNEL);
10612 }
10613 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
10614 
10615 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
10616 {
10617 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
10618 	void *hdr = ((void **)skb->cb)[1];
10619 	struct nlattr *data = ((void **)skb->cb)[2];
10620 
10621 	/* clear CB data for netlink core to own from now on */
10622 	memset(skb->cb, 0, sizeof(skb->cb));
10623 
10624 	if (WARN_ON(!rdev->cur_cmd_info)) {
10625 		kfree_skb(skb);
10626 		return -EINVAL;
10627 	}
10628 
10629 	nla_nest_end(skb, data);
10630 	genlmsg_end(skb, hdr);
10631 	return genlmsg_reply(skb, rdev->cur_cmd_info);
10632 }
10633 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
10634 
10635 static int nl80211_set_qos_map(struct sk_buff *skb,
10636 			       struct genl_info *info)
10637 {
10638 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10639 	struct cfg80211_qos_map *qos_map = NULL;
10640 	struct net_device *dev = info->user_ptr[1];
10641 	u8 *pos, len, num_des, des_len, des;
10642 	int ret;
10643 
10644 	if (!rdev->ops->set_qos_map)
10645 		return -EOPNOTSUPP;
10646 
10647 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
10648 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
10649 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
10650 
10651 		if (len % 2 || len < IEEE80211_QOS_MAP_LEN_MIN ||
10652 		    len > IEEE80211_QOS_MAP_LEN_MAX)
10653 			return -EINVAL;
10654 
10655 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
10656 		if (!qos_map)
10657 			return -ENOMEM;
10658 
10659 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
10660 		if (num_des) {
10661 			des_len = num_des *
10662 				sizeof(struct cfg80211_dscp_exception);
10663 			memcpy(qos_map->dscp_exception, pos, des_len);
10664 			qos_map->num_des = num_des;
10665 			for (des = 0; des < num_des; des++) {
10666 				if (qos_map->dscp_exception[des].up > 7) {
10667 					kfree(qos_map);
10668 					return -EINVAL;
10669 				}
10670 			}
10671 			pos += des_len;
10672 		}
10673 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
10674 	}
10675 
10676 	wdev_lock(dev->ieee80211_ptr);
10677 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
10678 	if (!ret)
10679 		ret = rdev_set_qos_map(rdev, dev, qos_map);
10680 	wdev_unlock(dev->ieee80211_ptr);
10681 
10682 	kfree(qos_map);
10683 	return ret;
10684 }
10685 
10686 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
10687 {
10688 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10689 	struct net_device *dev = info->user_ptr[1];
10690 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10691 	const u8 *peer;
10692 	u8 tsid, up;
10693 	u16 admitted_time = 0;
10694 	int err;
10695 
10696 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
10697 		return -EOPNOTSUPP;
10698 
10699 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
10700 	    !info->attrs[NL80211_ATTR_USER_PRIO])
10701 		return -EINVAL;
10702 
10703 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
10704 	if (tsid >= IEEE80211_NUM_TIDS)
10705 		return -EINVAL;
10706 
10707 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
10708 	if (up >= IEEE80211_NUM_UPS)
10709 		return -EINVAL;
10710 
10711 	/* WMM uses TIDs 0-7 even for TSPEC */
10712 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
10713 		/* TODO: handle 802.11 TSPEC/admission control
10714 		 * need more attributes for that (e.g. BA session requirement);
10715 		 * change the WMM adminssion test above to allow both then
10716 		 */
10717 		return -EINVAL;
10718 	}
10719 
10720 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10721 
10722 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
10723 		admitted_time =
10724 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
10725 		if (!admitted_time)
10726 			return -EINVAL;
10727 	}
10728 
10729 	wdev_lock(wdev);
10730 	switch (wdev->iftype) {
10731 	case NL80211_IFTYPE_STATION:
10732 	case NL80211_IFTYPE_P2P_CLIENT:
10733 		if (wdev->current_bss)
10734 			break;
10735 		err = -ENOTCONN;
10736 		goto out;
10737 	default:
10738 		err = -EOPNOTSUPP;
10739 		goto out;
10740 	}
10741 
10742 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
10743 
10744  out:
10745 	wdev_unlock(wdev);
10746 	return err;
10747 }
10748 
10749 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
10750 {
10751 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10752 	struct net_device *dev = info->user_ptr[1];
10753 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10754 	const u8 *peer;
10755 	u8 tsid;
10756 	int err;
10757 
10758 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
10759 		return -EINVAL;
10760 
10761 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
10762 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10763 
10764 	wdev_lock(wdev);
10765 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
10766 	wdev_unlock(wdev);
10767 
10768 	return err;
10769 }
10770 
10771 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
10772 				       struct genl_info *info)
10773 {
10774 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10775 	struct net_device *dev = info->user_ptr[1];
10776 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10777 	struct cfg80211_chan_def chandef = {};
10778 	const u8 *addr;
10779 	u8 oper_class;
10780 	int err;
10781 
10782 	if (!rdev->ops->tdls_channel_switch ||
10783 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
10784 		return -EOPNOTSUPP;
10785 
10786 	switch (dev->ieee80211_ptr->iftype) {
10787 	case NL80211_IFTYPE_STATION:
10788 	case NL80211_IFTYPE_P2P_CLIENT:
10789 		break;
10790 	default:
10791 		return -EOPNOTSUPP;
10792 	}
10793 
10794 	if (!info->attrs[NL80211_ATTR_MAC] ||
10795 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
10796 		return -EINVAL;
10797 
10798 	err = nl80211_parse_chandef(rdev, info, &chandef);
10799 	if (err)
10800 		return err;
10801 
10802 	/*
10803 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
10804 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
10805 	 * specification is not defined for them.
10806 	 */
10807 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
10808 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
10809 	    chandef.width != NL80211_CHAN_WIDTH_20)
10810 		return -EINVAL;
10811 
10812 	/* we will be active on the TDLS link */
10813 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
10814 					   wdev->iftype))
10815 		return -EINVAL;
10816 
10817 	/* don't allow switching to DFS channels */
10818 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
10819 		return -EINVAL;
10820 
10821 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
10822 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
10823 
10824 	wdev_lock(wdev);
10825 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
10826 	wdev_unlock(wdev);
10827 
10828 	return err;
10829 }
10830 
10831 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
10832 					      struct genl_info *info)
10833 {
10834 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10835 	struct net_device *dev = info->user_ptr[1];
10836 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10837 	const u8 *addr;
10838 
10839 	if (!rdev->ops->tdls_channel_switch ||
10840 	    !rdev->ops->tdls_cancel_channel_switch ||
10841 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
10842 		return -EOPNOTSUPP;
10843 
10844 	switch (dev->ieee80211_ptr->iftype) {
10845 	case NL80211_IFTYPE_STATION:
10846 	case NL80211_IFTYPE_P2P_CLIENT:
10847 		break;
10848 	default:
10849 		return -EOPNOTSUPP;
10850 	}
10851 
10852 	if (!info->attrs[NL80211_ATTR_MAC])
10853 		return -EINVAL;
10854 
10855 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
10856 
10857 	wdev_lock(wdev);
10858 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
10859 	wdev_unlock(wdev);
10860 
10861 	return 0;
10862 }
10863 
10864 #define NL80211_FLAG_NEED_WIPHY		0x01
10865 #define NL80211_FLAG_NEED_NETDEV	0x02
10866 #define NL80211_FLAG_NEED_RTNL		0x04
10867 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
10868 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
10869 					 NL80211_FLAG_CHECK_NETDEV_UP)
10870 #define NL80211_FLAG_NEED_WDEV		0x10
10871 /* If a netdev is associated, it must be UP, P2P must be started */
10872 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
10873 					 NL80211_FLAG_CHECK_NETDEV_UP)
10874 #define NL80211_FLAG_CLEAR_SKB		0x20
10875 
10876 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
10877 			    struct genl_info *info)
10878 {
10879 	struct cfg80211_registered_device *rdev;
10880 	struct wireless_dev *wdev;
10881 	struct net_device *dev;
10882 	bool rtnl = ops->internal_flags & NL80211_FLAG_NEED_RTNL;
10883 
10884 	if (rtnl)
10885 		rtnl_lock();
10886 
10887 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
10888 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
10889 		if (IS_ERR(rdev)) {
10890 			if (rtnl)
10891 				rtnl_unlock();
10892 			return PTR_ERR(rdev);
10893 		}
10894 		info->user_ptr[0] = rdev;
10895 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
10896 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
10897 		ASSERT_RTNL();
10898 
10899 		wdev = __cfg80211_wdev_from_attrs(genl_info_net(info),
10900 						  info->attrs);
10901 		if (IS_ERR(wdev)) {
10902 			if (rtnl)
10903 				rtnl_unlock();
10904 			return PTR_ERR(wdev);
10905 		}
10906 
10907 		dev = wdev->netdev;
10908 		rdev = wiphy_to_rdev(wdev->wiphy);
10909 
10910 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
10911 			if (!dev) {
10912 				if (rtnl)
10913 					rtnl_unlock();
10914 				return -EINVAL;
10915 			}
10916 
10917 			info->user_ptr[1] = dev;
10918 		} else {
10919 			info->user_ptr[1] = wdev;
10920 		}
10921 
10922 		if (dev) {
10923 			if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
10924 			    !netif_running(dev)) {
10925 				if (rtnl)
10926 					rtnl_unlock();
10927 				return -ENETDOWN;
10928 			}
10929 
10930 			dev_hold(dev);
10931 		} else if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP) {
10932 			if (!wdev->p2p_started) {
10933 				if (rtnl)
10934 					rtnl_unlock();
10935 				return -ENETDOWN;
10936 			}
10937 		}
10938 
10939 		info->user_ptr[0] = rdev;
10940 	}
10941 
10942 	return 0;
10943 }
10944 
10945 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
10946 			      struct genl_info *info)
10947 {
10948 	if (info->user_ptr[1]) {
10949 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
10950 			struct wireless_dev *wdev = info->user_ptr[1];
10951 
10952 			if (wdev->netdev)
10953 				dev_put(wdev->netdev);
10954 		} else {
10955 			dev_put(info->user_ptr[1]);
10956 		}
10957 	}
10958 
10959 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
10960 		rtnl_unlock();
10961 
10962 	/* If needed, clear the netlink message payload from the SKB
10963 	 * as it might contain key data that shouldn't stick around on
10964 	 * the heap after the SKB is freed. The netlink message header
10965 	 * is still needed for further processing, so leave it intact.
10966 	 */
10967 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
10968 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
10969 
10970 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
10971 	}
10972 }
10973 
10974 static const struct genl_ops nl80211_ops[] = {
10975 	{
10976 		.cmd = NL80211_CMD_GET_WIPHY,
10977 		.doit = nl80211_get_wiphy,
10978 		.dumpit = nl80211_dump_wiphy,
10979 		.done = nl80211_dump_wiphy_done,
10980 		.policy = nl80211_policy,
10981 		/* can be retrieved by unprivileged users */
10982 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
10983 				  NL80211_FLAG_NEED_RTNL,
10984 	},
10985 	{
10986 		.cmd = NL80211_CMD_SET_WIPHY,
10987 		.doit = nl80211_set_wiphy,
10988 		.policy = nl80211_policy,
10989 		.flags = GENL_UNS_ADMIN_PERM,
10990 		.internal_flags = NL80211_FLAG_NEED_RTNL,
10991 	},
10992 	{
10993 		.cmd = NL80211_CMD_GET_INTERFACE,
10994 		.doit = nl80211_get_interface,
10995 		.dumpit = nl80211_dump_interface,
10996 		.policy = nl80211_policy,
10997 		/* can be retrieved by unprivileged users */
10998 		.internal_flags = NL80211_FLAG_NEED_WDEV |
10999 				  NL80211_FLAG_NEED_RTNL,
11000 	},
11001 	{
11002 		.cmd = NL80211_CMD_SET_INTERFACE,
11003 		.doit = nl80211_set_interface,
11004 		.policy = nl80211_policy,
11005 		.flags = GENL_UNS_ADMIN_PERM,
11006 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11007 				  NL80211_FLAG_NEED_RTNL,
11008 	},
11009 	{
11010 		.cmd = NL80211_CMD_NEW_INTERFACE,
11011 		.doit = nl80211_new_interface,
11012 		.policy = nl80211_policy,
11013 		.flags = GENL_UNS_ADMIN_PERM,
11014 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11015 				  NL80211_FLAG_NEED_RTNL,
11016 	},
11017 	{
11018 		.cmd = NL80211_CMD_DEL_INTERFACE,
11019 		.doit = nl80211_del_interface,
11020 		.policy = nl80211_policy,
11021 		.flags = GENL_UNS_ADMIN_PERM,
11022 		.internal_flags = NL80211_FLAG_NEED_WDEV |
11023 				  NL80211_FLAG_NEED_RTNL,
11024 	},
11025 	{
11026 		.cmd = NL80211_CMD_GET_KEY,
11027 		.doit = nl80211_get_key,
11028 		.policy = nl80211_policy,
11029 		.flags = GENL_UNS_ADMIN_PERM,
11030 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11031 				  NL80211_FLAG_NEED_RTNL,
11032 	},
11033 	{
11034 		.cmd = NL80211_CMD_SET_KEY,
11035 		.doit = nl80211_set_key,
11036 		.policy = nl80211_policy,
11037 		.flags = GENL_UNS_ADMIN_PERM,
11038 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11039 				  NL80211_FLAG_NEED_RTNL |
11040 				  NL80211_FLAG_CLEAR_SKB,
11041 	},
11042 	{
11043 		.cmd = NL80211_CMD_NEW_KEY,
11044 		.doit = nl80211_new_key,
11045 		.policy = nl80211_policy,
11046 		.flags = GENL_UNS_ADMIN_PERM,
11047 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11048 				  NL80211_FLAG_NEED_RTNL |
11049 				  NL80211_FLAG_CLEAR_SKB,
11050 	},
11051 	{
11052 		.cmd = NL80211_CMD_DEL_KEY,
11053 		.doit = nl80211_del_key,
11054 		.policy = nl80211_policy,
11055 		.flags = GENL_UNS_ADMIN_PERM,
11056 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11057 				  NL80211_FLAG_NEED_RTNL,
11058 	},
11059 	{
11060 		.cmd = NL80211_CMD_SET_BEACON,
11061 		.policy = nl80211_policy,
11062 		.flags = GENL_UNS_ADMIN_PERM,
11063 		.doit = nl80211_set_beacon,
11064 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11065 				  NL80211_FLAG_NEED_RTNL,
11066 	},
11067 	{
11068 		.cmd = NL80211_CMD_START_AP,
11069 		.policy = nl80211_policy,
11070 		.flags = GENL_UNS_ADMIN_PERM,
11071 		.doit = nl80211_start_ap,
11072 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11073 				  NL80211_FLAG_NEED_RTNL,
11074 	},
11075 	{
11076 		.cmd = NL80211_CMD_STOP_AP,
11077 		.policy = nl80211_policy,
11078 		.flags = GENL_UNS_ADMIN_PERM,
11079 		.doit = nl80211_stop_ap,
11080 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11081 				  NL80211_FLAG_NEED_RTNL,
11082 	},
11083 	{
11084 		.cmd = NL80211_CMD_GET_STATION,
11085 		.doit = nl80211_get_station,
11086 		.dumpit = nl80211_dump_station,
11087 		.policy = nl80211_policy,
11088 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11089 				  NL80211_FLAG_NEED_RTNL,
11090 	},
11091 	{
11092 		.cmd = NL80211_CMD_SET_STATION,
11093 		.doit = nl80211_set_station,
11094 		.policy = nl80211_policy,
11095 		.flags = GENL_UNS_ADMIN_PERM,
11096 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11097 				  NL80211_FLAG_NEED_RTNL,
11098 	},
11099 	{
11100 		.cmd = NL80211_CMD_NEW_STATION,
11101 		.doit = nl80211_new_station,
11102 		.policy = nl80211_policy,
11103 		.flags = GENL_UNS_ADMIN_PERM,
11104 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11105 				  NL80211_FLAG_NEED_RTNL,
11106 	},
11107 	{
11108 		.cmd = NL80211_CMD_DEL_STATION,
11109 		.doit = nl80211_del_station,
11110 		.policy = nl80211_policy,
11111 		.flags = GENL_UNS_ADMIN_PERM,
11112 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11113 				  NL80211_FLAG_NEED_RTNL,
11114 	},
11115 	{
11116 		.cmd = NL80211_CMD_GET_MPATH,
11117 		.doit = nl80211_get_mpath,
11118 		.dumpit = nl80211_dump_mpath,
11119 		.policy = nl80211_policy,
11120 		.flags = GENL_UNS_ADMIN_PERM,
11121 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11122 				  NL80211_FLAG_NEED_RTNL,
11123 	},
11124 	{
11125 		.cmd = NL80211_CMD_GET_MPP,
11126 		.doit = nl80211_get_mpp,
11127 		.dumpit = nl80211_dump_mpp,
11128 		.policy = nl80211_policy,
11129 		.flags = GENL_UNS_ADMIN_PERM,
11130 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11131 				  NL80211_FLAG_NEED_RTNL,
11132 	},
11133 	{
11134 		.cmd = NL80211_CMD_SET_MPATH,
11135 		.doit = nl80211_set_mpath,
11136 		.policy = nl80211_policy,
11137 		.flags = GENL_UNS_ADMIN_PERM,
11138 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11139 				  NL80211_FLAG_NEED_RTNL,
11140 	},
11141 	{
11142 		.cmd = NL80211_CMD_NEW_MPATH,
11143 		.doit = nl80211_new_mpath,
11144 		.policy = nl80211_policy,
11145 		.flags = GENL_UNS_ADMIN_PERM,
11146 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11147 				  NL80211_FLAG_NEED_RTNL,
11148 	},
11149 	{
11150 		.cmd = NL80211_CMD_DEL_MPATH,
11151 		.doit = nl80211_del_mpath,
11152 		.policy = nl80211_policy,
11153 		.flags = GENL_UNS_ADMIN_PERM,
11154 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11155 				  NL80211_FLAG_NEED_RTNL,
11156 	},
11157 	{
11158 		.cmd = NL80211_CMD_SET_BSS,
11159 		.doit = nl80211_set_bss,
11160 		.policy = nl80211_policy,
11161 		.flags = GENL_UNS_ADMIN_PERM,
11162 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11163 				  NL80211_FLAG_NEED_RTNL,
11164 	},
11165 	{
11166 		.cmd = NL80211_CMD_GET_REG,
11167 		.doit = nl80211_get_reg_do,
11168 		.dumpit = nl80211_get_reg_dump,
11169 		.policy = nl80211_policy,
11170 		.internal_flags = NL80211_FLAG_NEED_RTNL,
11171 		/* can be retrieved by unprivileged users */
11172 	},
11173 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
11174 	{
11175 		.cmd = NL80211_CMD_SET_REG,
11176 		.doit = nl80211_set_reg,
11177 		.policy = nl80211_policy,
11178 		.flags = GENL_ADMIN_PERM,
11179 		.internal_flags = NL80211_FLAG_NEED_RTNL,
11180 	},
11181 #endif
11182 	{
11183 		.cmd = NL80211_CMD_REQ_SET_REG,
11184 		.doit = nl80211_req_set_reg,
11185 		.policy = nl80211_policy,
11186 		.flags = GENL_ADMIN_PERM,
11187 	},
11188 	{
11189 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
11190 		.doit = nl80211_get_mesh_config,
11191 		.policy = nl80211_policy,
11192 		/* can be retrieved by unprivileged users */
11193 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11194 				  NL80211_FLAG_NEED_RTNL,
11195 	},
11196 	{
11197 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
11198 		.doit = nl80211_update_mesh_config,
11199 		.policy = nl80211_policy,
11200 		.flags = GENL_UNS_ADMIN_PERM,
11201 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11202 				  NL80211_FLAG_NEED_RTNL,
11203 	},
11204 	{
11205 		.cmd = NL80211_CMD_TRIGGER_SCAN,
11206 		.doit = nl80211_trigger_scan,
11207 		.policy = nl80211_policy,
11208 		.flags = GENL_UNS_ADMIN_PERM,
11209 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11210 				  NL80211_FLAG_NEED_RTNL,
11211 	},
11212 	{
11213 		.cmd = NL80211_CMD_ABORT_SCAN,
11214 		.doit = nl80211_abort_scan,
11215 		.policy = nl80211_policy,
11216 		.flags = GENL_UNS_ADMIN_PERM,
11217 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11218 				  NL80211_FLAG_NEED_RTNL,
11219 	},
11220 	{
11221 		.cmd = NL80211_CMD_GET_SCAN,
11222 		.policy = nl80211_policy,
11223 		.dumpit = nl80211_dump_scan,
11224 	},
11225 	{
11226 		.cmd = NL80211_CMD_START_SCHED_SCAN,
11227 		.doit = nl80211_start_sched_scan,
11228 		.policy = nl80211_policy,
11229 		.flags = GENL_UNS_ADMIN_PERM,
11230 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11231 				  NL80211_FLAG_NEED_RTNL,
11232 	},
11233 	{
11234 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
11235 		.doit = nl80211_stop_sched_scan,
11236 		.policy = nl80211_policy,
11237 		.flags = GENL_UNS_ADMIN_PERM,
11238 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11239 				  NL80211_FLAG_NEED_RTNL,
11240 	},
11241 	{
11242 		.cmd = NL80211_CMD_AUTHENTICATE,
11243 		.doit = nl80211_authenticate,
11244 		.policy = nl80211_policy,
11245 		.flags = GENL_UNS_ADMIN_PERM,
11246 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11247 				  NL80211_FLAG_NEED_RTNL |
11248 				  NL80211_FLAG_CLEAR_SKB,
11249 	},
11250 	{
11251 		.cmd = NL80211_CMD_ASSOCIATE,
11252 		.doit = nl80211_associate,
11253 		.policy = nl80211_policy,
11254 		.flags = GENL_UNS_ADMIN_PERM,
11255 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11256 				  NL80211_FLAG_NEED_RTNL,
11257 	},
11258 	{
11259 		.cmd = NL80211_CMD_DEAUTHENTICATE,
11260 		.doit = nl80211_deauthenticate,
11261 		.policy = nl80211_policy,
11262 		.flags = GENL_UNS_ADMIN_PERM,
11263 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11264 				  NL80211_FLAG_NEED_RTNL,
11265 	},
11266 	{
11267 		.cmd = NL80211_CMD_DISASSOCIATE,
11268 		.doit = nl80211_disassociate,
11269 		.policy = nl80211_policy,
11270 		.flags = GENL_UNS_ADMIN_PERM,
11271 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11272 				  NL80211_FLAG_NEED_RTNL,
11273 	},
11274 	{
11275 		.cmd = NL80211_CMD_JOIN_IBSS,
11276 		.doit = nl80211_join_ibss,
11277 		.policy = nl80211_policy,
11278 		.flags = GENL_UNS_ADMIN_PERM,
11279 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11280 				  NL80211_FLAG_NEED_RTNL,
11281 	},
11282 	{
11283 		.cmd = NL80211_CMD_LEAVE_IBSS,
11284 		.doit = nl80211_leave_ibss,
11285 		.policy = nl80211_policy,
11286 		.flags = GENL_UNS_ADMIN_PERM,
11287 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11288 				  NL80211_FLAG_NEED_RTNL,
11289 	},
11290 #ifdef CONFIG_NL80211_TESTMODE
11291 	{
11292 		.cmd = NL80211_CMD_TESTMODE,
11293 		.doit = nl80211_testmode_do,
11294 		.dumpit = nl80211_testmode_dump,
11295 		.policy = nl80211_policy,
11296 		.flags = GENL_UNS_ADMIN_PERM,
11297 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11298 				  NL80211_FLAG_NEED_RTNL,
11299 	},
11300 #endif
11301 	{
11302 		.cmd = NL80211_CMD_CONNECT,
11303 		.doit = nl80211_connect,
11304 		.policy = nl80211_policy,
11305 		.flags = GENL_UNS_ADMIN_PERM,
11306 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11307 				  NL80211_FLAG_NEED_RTNL,
11308 	},
11309 	{
11310 		.cmd = NL80211_CMD_DISCONNECT,
11311 		.doit = nl80211_disconnect,
11312 		.policy = nl80211_policy,
11313 		.flags = GENL_UNS_ADMIN_PERM,
11314 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11315 				  NL80211_FLAG_NEED_RTNL,
11316 	},
11317 	{
11318 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
11319 		.doit = nl80211_wiphy_netns,
11320 		.policy = nl80211_policy,
11321 		.flags = GENL_UNS_ADMIN_PERM,
11322 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11323 				  NL80211_FLAG_NEED_RTNL,
11324 	},
11325 	{
11326 		.cmd = NL80211_CMD_GET_SURVEY,
11327 		.policy = nl80211_policy,
11328 		.dumpit = nl80211_dump_survey,
11329 	},
11330 	{
11331 		.cmd = NL80211_CMD_SET_PMKSA,
11332 		.doit = nl80211_setdel_pmksa,
11333 		.policy = nl80211_policy,
11334 		.flags = GENL_UNS_ADMIN_PERM,
11335 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11336 				  NL80211_FLAG_NEED_RTNL,
11337 	},
11338 	{
11339 		.cmd = NL80211_CMD_DEL_PMKSA,
11340 		.doit = nl80211_setdel_pmksa,
11341 		.policy = nl80211_policy,
11342 		.flags = GENL_UNS_ADMIN_PERM,
11343 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11344 				  NL80211_FLAG_NEED_RTNL,
11345 	},
11346 	{
11347 		.cmd = NL80211_CMD_FLUSH_PMKSA,
11348 		.doit = nl80211_flush_pmksa,
11349 		.policy = nl80211_policy,
11350 		.flags = GENL_UNS_ADMIN_PERM,
11351 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11352 				  NL80211_FLAG_NEED_RTNL,
11353 	},
11354 	{
11355 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
11356 		.doit = nl80211_remain_on_channel,
11357 		.policy = nl80211_policy,
11358 		.flags = GENL_UNS_ADMIN_PERM,
11359 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11360 				  NL80211_FLAG_NEED_RTNL,
11361 	},
11362 	{
11363 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
11364 		.doit = nl80211_cancel_remain_on_channel,
11365 		.policy = nl80211_policy,
11366 		.flags = GENL_UNS_ADMIN_PERM,
11367 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11368 				  NL80211_FLAG_NEED_RTNL,
11369 	},
11370 	{
11371 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
11372 		.doit = nl80211_set_tx_bitrate_mask,
11373 		.policy = nl80211_policy,
11374 		.flags = GENL_UNS_ADMIN_PERM,
11375 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11376 				  NL80211_FLAG_NEED_RTNL,
11377 	},
11378 	{
11379 		.cmd = NL80211_CMD_REGISTER_FRAME,
11380 		.doit = nl80211_register_mgmt,
11381 		.policy = nl80211_policy,
11382 		.flags = GENL_UNS_ADMIN_PERM,
11383 		.internal_flags = NL80211_FLAG_NEED_WDEV |
11384 				  NL80211_FLAG_NEED_RTNL,
11385 	},
11386 	{
11387 		.cmd = NL80211_CMD_FRAME,
11388 		.doit = nl80211_tx_mgmt,
11389 		.policy = nl80211_policy,
11390 		.flags = GENL_UNS_ADMIN_PERM,
11391 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11392 				  NL80211_FLAG_NEED_RTNL,
11393 	},
11394 	{
11395 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
11396 		.doit = nl80211_tx_mgmt_cancel_wait,
11397 		.policy = nl80211_policy,
11398 		.flags = GENL_UNS_ADMIN_PERM,
11399 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11400 				  NL80211_FLAG_NEED_RTNL,
11401 	},
11402 	{
11403 		.cmd = NL80211_CMD_SET_POWER_SAVE,
11404 		.doit = nl80211_set_power_save,
11405 		.policy = nl80211_policy,
11406 		.flags = GENL_UNS_ADMIN_PERM,
11407 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11408 				  NL80211_FLAG_NEED_RTNL,
11409 	},
11410 	{
11411 		.cmd = NL80211_CMD_GET_POWER_SAVE,
11412 		.doit = nl80211_get_power_save,
11413 		.policy = nl80211_policy,
11414 		/* can be retrieved by unprivileged users */
11415 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11416 				  NL80211_FLAG_NEED_RTNL,
11417 	},
11418 	{
11419 		.cmd = NL80211_CMD_SET_CQM,
11420 		.doit = nl80211_set_cqm,
11421 		.policy = nl80211_policy,
11422 		.flags = GENL_UNS_ADMIN_PERM,
11423 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11424 				  NL80211_FLAG_NEED_RTNL,
11425 	},
11426 	{
11427 		.cmd = NL80211_CMD_SET_CHANNEL,
11428 		.doit = nl80211_set_channel,
11429 		.policy = nl80211_policy,
11430 		.flags = GENL_UNS_ADMIN_PERM,
11431 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11432 				  NL80211_FLAG_NEED_RTNL,
11433 	},
11434 	{
11435 		.cmd = NL80211_CMD_SET_WDS_PEER,
11436 		.doit = nl80211_set_wds_peer,
11437 		.policy = nl80211_policy,
11438 		.flags = GENL_UNS_ADMIN_PERM,
11439 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11440 				  NL80211_FLAG_NEED_RTNL,
11441 	},
11442 	{
11443 		.cmd = NL80211_CMD_JOIN_MESH,
11444 		.doit = nl80211_join_mesh,
11445 		.policy = nl80211_policy,
11446 		.flags = GENL_UNS_ADMIN_PERM,
11447 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11448 				  NL80211_FLAG_NEED_RTNL,
11449 	},
11450 	{
11451 		.cmd = NL80211_CMD_LEAVE_MESH,
11452 		.doit = nl80211_leave_mesh,
11453 		.policy = nl80211_policy,
11454 		.flags = GENL_UNS_ADMIN_PERM,
11455 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11456 				  NL80211_FLAG_NEED_RTNL,
11457 	},
11458 	{
11459 		.cmd = NL80211_CMD_JOIN_OCB,
11460 		.doit = nl80211_join_ocb,
11461 		.policy = nl80211_policy,
11462 		.flags = GENL_UNS_ADMIN_PERM,
11463 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11464 				  NL80211_FLAG_NEED_RTNL,
11465 	},
11466 	{
11467 		.cmd = NL80211_CMD_LEAVE_OCB,
11468 		.doit = nl80211_leave_ocb,
11469 		.policy = nl80211_policy,
11470 		.flags = GENL_UNS_ADMIN_PERM,
11471 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11472 				  NL80211_FLAG_NEED_RTNL,
11473 	},
11474 #ifdef CONFIG_PM
11475 	{
11476 		.cmd = NL80211_CMD_GET_WOWLAN,
11477 		.doit = nl80211_get_wowlan,
11478 		.policy = nl80211_policy,
11479 		/* can be retrieved by unprivileged users */
11480 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11481 				  NL80211_FLAG_NEED_RTNL,
11482 	},
11483 	{
11484 		.cmd = NL80211_CMD_SET_WOWLAN,
11485 		.doit = nl80211_set_wowlan,
11486 		.policy = nl80211_policy,
11487 		.flags = GENL_UNS_ADMIN_PERM,
11488 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11489 				  NL80211_FLAG_NEED_RTNL,
11490 	},
11491 #endif
11492 	{
11493 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
11494 		.doit = nl80211_set_rekey_data,
11495 		.policy = nl80211_policy,
11496 		.flags = GENL_UNS_ADMIN_PERM,
11497 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11498 				  NL80211_FLAG_NEED_RTNL |
11499 				  NL80211_FLAG_CLEAR_SKB,
11500 	},
11501 	{
11502 		.cmd = NL80211_CMD_TDLS_MGMT,
11503 		.doit = nl80211_tdls_mgmt,
11504 		.policy = nl80211_policy,
11505 		.flags = GENL_UNS_ADMIN_PERM,
11506 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11507 				  NL80211_FLAG_NEED_RTNL,
11508 	},
11509 	{
11510 		.cmd = NL80211_CMD_TDLS_OPER,
11511 		.doit = nl80211_tdls_oper,
11512 		.policy = nl80211_policy,
11513 		.flags = GENL_UNS_ADMIN_PERM,
11514 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11515 				  NL80211_FLAG_NEED_RTNL,
11516 	},
11517 	{
11518 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
11519 		.doit = nl80211_register_unexpected_frame,
11520 		.policy = nl80211_policy,
11521 		.flags = GENL_UNS_ADMIN_PERM,
11522 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11523 				  NL80211_FLAG_NEED_RTNL,
11524 	},
11525 	{
11526 		.cmd = NL80211_CMD_PROBE_CLIENT,
11527 		.doit = nl80211_probe_client,
11528 		.policy = nl80211_policy,
11529 		.flags = GENL_UNS_ADMIN_PERM,
11530 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11531 				  NL80211_FLAG_NEED_RTNL,
11532 	},
11533 	{
11534 		.cmd = NL80211_CMD_REGISTER_BEACONS,
11535 		.doit = nl80211_register_beacons,
11536 		.policy = nl80211_policy,
11537 		.flags = GENL_UNS_ADMIN_PERM,
11538 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11539 				  NL80211_FLAG_NEED_RTNL,
11540 	},
11541 	{
11542 		.cmd = NL80211_CMD_SET_NOACK_MAP,
11543 		.doit = nl80211_set_noack_map,
11544 		.policy = nl80211_policy,
11545 		.flags = GENL_UNS_ADMIN_PERM,
11546 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11547 				  NL80211_FLAG_NEED_RTNL,
11548 	},
11549 	{
11550 		.cmd = NL80211_CMD_START_P2P_DEVICE,
11551 		.doit = nl80211_start_p2p_device,
11552 		.policy = nl80211_policy,
11553 		.flags = GENL_UNS_ADMIN_PERM,
11554 		.internal_flags = NL80211_FLAG_NEED_WDEV |
11555 				  NL80211_FLAG_NEED_RTNL,
11556 	},
11557 	{
11558 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
11559 		.doit = nl80211_stop_p2p_device,
11560 		.policy = nl80211_policy,
11561 		.flags = GENL_UNS_ADMIN_PERM,
11562 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11563 				  NL80211_FLAG_NEED_RTNL,
11564 	},
11565 	{
11566 		.cmd = NL80211_CMD_SET_MCAST_RATE,
11567 		.doit = nl80211_set_mcast_rate,
11568 		.policy = nl80211_policy,
11569 		.flags = GENL_UNS_ADMIN_PERM,
11570 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11571 				  NL80211_FLAG_NEED_RTNL,
11572 	},
11573 	{
11574 		.cmd = NL80211_CMD_SET_MAC_ACL,
11575 		.doit = nl80211_set_mac_acl,
11576 		.policy = nl80211_policy,
11577 		.flags = GENL_UNS_ADMIN_PERM,
11578 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
11579 				  NL80211_FLAG_NEED_RTNL,
11580 	},
11581 	{
11582 		.cmd = NL80211_CMD_RADAR_DETECT,
11583 		.doit = nl80211_start_radar_detection,
11584 		.policy = nl80211_policy,
11585 		.flags = GENL_UNS_ADMIN_PERM,
11586 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11587 				  NL80211_FLAG_NEED_RTNL,
11588 	},
11589 	{
11590 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
11591 		.doit = nl80211_get_protocol_features,
11592 		.policy = nl80211_policy,
11593 	},
11594 	{
11595 		.cmd = NL80211_CMD_UPDATE_FT_IES,
11596 		.doit = nl80211_update_ft_ies,
11597 		.policy = nl80211_policy,
11598 		.flags = GENL_UNS_ADMIN_PERM,
11599 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11600 				  NL80211_FLAG_NEED_RTNL,
11601 	},
11602 	{
11603 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
11604 		.doit = nl80211_crit_protocol_start,
11605 		.policy = nl80211_policy,
11606 		.flags = GENL_UNS_ADMIN_PERM,
11607 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11608 				  NL80211_FLAG_NEED_RTNL,
11609 	},
11610 	{
11611 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
11612 		.doit = nl80211_crit_protocol_stop,
11613 		.policy = nl80211_policy,
11614 		.flags = GENL_UNS_ADMIN_PERM,
11615 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
11616 				  NL80211_FLAG_NEED_RTNL,
11617 	},
11618 	{
11619 		.cmd = NL80211_CMD_GET_COALESCE,
11620 		.doit = nl80211_get_coalesce,
11621 		.policy = nl80211_policy,
11622 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11623 				  NL80211_FLAG_NEED_RTNL,
11624 	},
11625 	{
11626 		.cmd = NL80211_CMD_SET_COALESCE,
11627 		.doit = nl80211_set_coalesce,
11628 		.policy = nl80211_policy,
11629 		.flags = GENL_UNS_ADMIN_PERM,
11630 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11631 				  NL80211_FLAG_NEED_RTNL,
11632 	},
11633 	{
11634 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
11635 		.doit = nl80211_channel_switch,
11636 		.policy = nl80211_policy,
11637 		.flags = GENL_UNS_ADMIN_PERM,
11638 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11639 				  NL80211_FLAG_NEED_RTNL,
11640 	},
11641 	{
11642 		.cmd = NL80211_CMD_VENDOR,
11643 		.doit = nl80211_vendor_cmd,
11644 		.dumpit = nl80211_vendor_cmd_dump,
11645 		.policy = nl80211_policy,
11646 		.flags = GENL_UNS_ADMIN_PERM,
11647 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
11648 				  NL80211_FLAG_NEED_RTNL,
11649 	},
11650 	{
11651 		.cmd = NL80211_CMD_SET_QOS_MAP,
11652 		.doit = nl80211_set_qos_map,
11653 		.policy = nl80211_policy,
11654 		.flags = GENL_UNS_ADMIN_PERM,
11655 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11656 				  NL80211_FLAG_NEED_RTNL,
11657 	},
11658 	{
11659 		.cmd = NL80211_CMD_ADD_TX_TS,
11660 		.doit = nl80211_add_tx_ts,
11661 		.policy = nl80211_policy,
11662 		.flags = GENL_UNS_ADMIN_PERM,
11663 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11664 				  NL80211_FLAG_NEED_RTNL,
11665 	},
11666 	{
11667 		.cmd = NL80211_CMD_DEL_TX_TS,
11668 		.doit = nl80211_del_tx_ts,
11669 		.policy = nl80211_policy,
11670 		.flags = GENL_UNS_ADMIN_PERM,
11671 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11672 				  NL80211_FLAG_NEED_RTNL,
11673 	},
11674 	{
11675 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
11676 		.doit = nl80211_tdls_channel_switch,
11677 		.policy = nl80211_policy,
11678 		.flags = GENL_UNS_ADMIN_PERM,
11679 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11680 				  NL80211_FLAG_NEED_RTNL,
11681 	},
11682 	{
11683 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
11684 		.doit = nl80211_tdls_cancel_channel_switch,
11685 		.policy = nl80211_policy,
11686 		.flags = GENL_UNS_ADMIN_PERM,
11687 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
11688 				  NL80211_FLAG_NEED_RTNL,
11689 	},
11690 };
11691 
11692 /* notification functions */
11693 
11694 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
11695 			  enum nl80211_commands cmd)
11696 {
11697 	struct sk_buff *msg;
11698 	struct nl80211_dump_wiphy_state state = {};
11699 
11700 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
11701 		cmd != NL80211_CMD_DEL_WIPHY);
11702 
11703 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11704 	if (!msg)
11705 		return;
11706 
11707 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
11708 		nlmsg_free(msg);
11709 		return;
11710 	}
11711 
11712 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11713 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
11714 }
11715 
11716 static int nl80211_add_scan_req(struct sk_buff *msg,
11717 				struct cfg80211_registered_device *rdev)
11718 {
11719 	struct cfg80211_scan_request *req = rdev->scan_req;
11720 	struct nlattr *nest;
11721 	int i;
11722 
11723 	if (WARN_ON(!req))
11724 		return 0;
11725 
11726 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_SSIDS);
11727 	if (!nest)
11728 		goto nla_put_failure;
11729 	for (i = 0; i < req->n_ssids; i++) {
11730 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
11731 			goto nla_put_failure;
11732 	}
11733 	nla_nest_end(msg, nest);
11734 
11735 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
11736 	if (!nest)
11737 		goto nla_put_failure;
11738 	for (i = 0; i < req->n_channels; i++) {
11739 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
11740 			goto nla_put_failure;
11741 	}
11742 	nla_nest_end(msg, nest);
11743 
11744 	if (req->ie &&
11745 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
11746 		goto nla_put_failure;
11747 
11748 	if (req->flags &&
11749 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
11750 		goto nla_put_failure;
11751 
11752 	return 0;
11753  nla_put_failure:
11754 	return -ENOBUFS;
11755 }
11756 
11757 static int nl80211_send_scan_msg(struct sk_buff *msg,
11758 				 struct cfg80211_registered_device *rdev,
11759 				 struct wireless_dev *wdev,
11760 				 u32 portid, u32 seq, int flags,
11761 				 u32 cmd)
11762 {
11763 	void *hdr;
11764 
11765 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
11766 	if (!hdr)
11767 		return -1;
11768 
11769 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11770 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
11771 					 wdev->netdev->ifindex)) ||
11772 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
11773 			      NL80211_ATTR_PAD))
11774 		goto nla_put_failure;
11775 
11776 	/* ignore errors and send incomplete event anyway */
11777 	nl80211_add_scan_req(msg, rdev);
11778 
11779 	genlmsg_end(msg, hdr);
11780 	return 0;
11781 
11782  nla_put_failure:
11783 	genlmsg_cancel(msg, hdr);
11784 	return -EMSGSIZE;
11785 }
11786 
11787 static int
11788 nl80211_send_sched_scan_msg(struct sk_buff *msg,
11789 			    struct cfg80211_registered_device *rdev,
11790 			    struct net_device *netdev,
11791 			    u32 portid, u32 seq, int flags, u32 cmd)
11792 {
11793 	void *hdr;
11794 
11795 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
11796 	if (!hdr)
11797 		return -1;
11798 
11799 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11800 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
11801 		goto nla_put_failure;
11802 
11803 	genlmsg_end(msg, hdr);
11804 	return 0;
11805 
11806  nla_put_failure:
11807 	genlmsg_cancel(msg, hdr);
11808 	return -EMSGSIZE;
11809 }
11810 
11811 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
11812 			     struct wireless_dev *wdev)
11813 {
11814 	struct sk_buff *msg;
11815 
11816 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11817 	if (!msg)
11818 		return;
11819 
11820 	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
11821 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
11822 		nlmsg_free(msg);
11823 		return;
11824 	}
11825 
11826 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11827 				NL80211_MCGRP_SCAN, GFP_KERNEL);
11828 }
11829 
11830 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
11831 				       struct wireless_dev *wdev, bool aborted)
11832 {
11833 	struct sk_buff *msg;
11834 
11835 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11836 	if (!msg)
11837 		return NULL;
11838 
11839 	if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
11840 				  aborted ? NL80211_CMD_SCAN_ABORTED :
11841 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
11842 		nlmsg_free(msg);
11843 		return NULL;
11844 	}
11845 
11846 	return msg;
11847 }
11848 
11849 void nl80211_send_scan_result(struct cfg80211_registered_device *rdev,
11850 			      struct sk_buff *msg)
11851 {
11852 	if (!msg)
11853 		return;
11854 
11855 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11856 				NL80211_MCGRP_SCAN, GFP_KERNEL);
11857 }
11858 
11859 void nl80211_send_sched_scan_results(struct cfg80211_registered_device *rdev,
11860 				     struct net_device *netdev)
11861 {
11862 	struct sk_buff *msg;
11863 
11864 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11865 	if (!msg)
11866 		return;
11867 
11868 	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0,
11869 					NL80211_CMD_SCHED_SCAN_RESULTS) < 0) {
11870 		nlmsg_free(msg);
11871 		return;
11872 	}
11873 
11874 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11875 				NL80211_MCGRP_SCAN, GFP_KERNEL);
11876 }
11877 
11878 void nl80211_send_sched_scan(struct cfg80211_registered_device *rdev,
11879 			     struct net_device *netdev, u32 cmd)
11880 {
11881 	struct sk_buff *msg;
11882 
11883 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11884 	if (!msg)
11885 		return;
11886 
11887 	if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0, cmd) < 0) {
11888 		nlmsg_free(msg);
11889 		return;
11890 	}
11891 
11892 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11893 				NL80211_MCGRP_SCAN, GFP_KERNEL);
11894 }
11895 
11896 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
11897 					  struct regulatory_request *request)
11898 {
11899 	/* Userspace can always count this one always being set */
11900 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
11901 		goto nla_put_failure;
11902 
11903 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
11904 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
11905 			       NL80211_REGDOM_TYPE_WORLD))
11906 			goto nla_put_failure;
11907 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
11908 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
11909 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
11910 			goto nla_put_failure;
11911 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
11912 		   request->intersect) {
11913 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
11914 			       NL80211_REGDOM_TYPE_INTERSECTION))
11915 			goto nla_put_failure;
11916 	} else {
11917 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
11918 			       NL80211_REGDOM_TYPE_COUNTRY) ||
11919 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
11920 				   request->alpha2))
11921 			goto nla_put_failure;
11922 	}
11923 
11924 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
11925 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
11926 
11927 		if (wiphy &&
11928 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
11929 			goto nla_put_failure;
11930 
11931 		if (wiphy &&
11932 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
11933 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
11934 			goto nla_put_failure;
11935 	}
11936 
11937 	return true;
11938 
11939 nla_put_failure:
11940 	return false;
11941 }
11942 
11943 /*
11944  * This can happen on global regulatory changes or device specific settings
11945  * based on custom regulatory domains.
11946  */
11947 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
11948 				     struct regulatory_request *request)
11949 {
11950 	struct sk_buff *msg;
11951 	void *hdr;
11952 
11953 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11954 	if (!msg)
11955 		return;
11956 
11957 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
11958 	if (!hdr) {
11959 		nlmsg_free(msg);
11960 		return;
11961 	}
11962 
11963 	if (nl80211_reg_change_event_fill(msg, request) == false)
11964 		goto nla_put_failure;
11965 
11966 	genlmsg_end(msg, hdr);
11967 
11968 	rcu_read_lock();
11969 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
11970 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
11971 	rcu_read_unlock();
11972 
11973 	return;
11974 
11975 nla_put_failure:
11976 	genlmsg_cancel(msg, hdr);
11977 	nlmsg_free(msg);
11978 }
11979 
11980 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
11981 				    struct net_device *netdev,
11982 				    const u8 *buf, size_t len,
11983 				    enum nl80211_commands cmd, gfp_t gfp,
11984 				    int uapsd_queues)
11985 {
11986 	struct sk_buff *msg;
11987 	void *hdr;
11988 
11989 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11990 	if (!msg)
11991 		return;
11992 
11993 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
11994 	if (!hdr) {
11995 		nlmsg_free(msg);
11996 		return;
11997 	}
11998 
11999 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12000 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12001 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf))
12002 		goto nla_put_failure;
12003 
12004 	if (uapsd_queues >= 0) {
12005 		struct nlattr *nla_wmm =
12006 			nla_nest_start(msg, NL80211_ATTR_STA_WME);
12007 		if (!nla_wmm)
12008 			goto nla_put_failure;
12009 
12010 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
12011 			       uapsd_queues))
12012 			goto nla_put_failure;
12013 
12014 		nla_nest_end(msg, nla_wmm);
12015 	}
12016 
12017 	genlmsg_end(msg, hdr);
12018 
12019 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12020 				NL80211_MCGRP_MLME, gfp);
12021 	return;
12022 
12023  nla_put_failure:
12024 	genlmsg_cancel(msg, hdr);
12025 	nlmsg_free(msg);
12026 }
12027 
12028 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
12029 			  struct net_device *netdev, const u8 *buf,
12030 			  size_t len, gfp_t gfp)
12031 {
12032 	nl80211_send_mlme_event(rdev, netdev, buf, len,
12033 				NL80211_CMD_AUTHENTICATE, gfp, -1);
12034 }
12035 
12036 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
12037 			   struct net_device *netdev, const u8 *buf,
12038 			   size_t len, gfp_t gfp, int uapsd_queues)
12039 {
12040 	nl80211_send_mlme_event(rdev, netdev, buf, len,
12041 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues);
12042 }
12043 
12044 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
12045 			 struct net_device *netdev, const u8 *buf,
12046 			 size_t len, gfp_t gfp)
12047 {
12048 	nl80211_send_mlme_event(rdev, netdev, buf, len,
12049 				NL80211_CMD_DEAUTHENTICATE, gfp, -1);
12050 }
12051 
12052 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
12053 			   struct net_device *netdev, const u8 *buf,
12054 			   size_t len, gfp_t gfp)
12055 {
12056 	nl80211_send_mlme_event(rdev, netdev, buf, len,
12057 				NL80211_CMD_DISASSOCIATE, gfp, -1);
12058 }
12059 
12060 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
12061 				  size_t len)
12062 {
12063 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12064 	struct wiphy *wiphy = wdev->wiphy;
12065 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12066 	const struct ieee80211_mgmt *mgmt = (void *)buf;
12067 	u32 cmd;
12068 
12069 	if (WARN_ON(len < 2))
12070 		return;
12071 
12072 	if (ieee80211_is_deauth(mgmt->frame_control))
12073 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
12074 	else
12075 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
12076 
12077 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
12078 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1);
12079 }
12080 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
12081 
12082 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
12083 				      struct net_device *netdev, int cmd,
12084 				      const u8 *addr, gfp_t gfp)
12085 {
12086 	struct sk_buff *msg;
12087 	void *hdr;
12088 
12089 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12090 	if (!msg)
12091 		return;
12092 
12093 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
12094 	if (!hdr) {
12095 		nlmsg_free(msg);
12096 		return;
12097 	}
12098 
12099 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12100 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12101 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
12102 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
12103 		goto nla_put_failure;
12104 
12105 	genlmsg_end(msg, hdr);
12106 
12107 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12108 				NL80211_MCGRP_MLME, gfp);
12109 	return;
12110 
12111  nla_put_failure:
12112 	genlmsg_cancel(msg, hdr);
12113 	nlmsg_free(msg);
12114 }
12115 
12116 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
12117 			       struct net_device *netdev, const u8 *addr,
12118 			       gfp_t gfp)
12119 {
12120 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
12121 				  addr, gfp);
12122 }
12123 
12124 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
12125 				struct net_device *netdev, const u8 *addr,
12126 				gfp_t gfp)
12127 {
12128 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
12129 				  addr, gfp);
12130 }
12131 
12132 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
12133 				 struct net_device *netdev, const u8 *bssid,
12134 				 const u8 *req_ie, size_t req_ie_len,
12135 				 const u8 *resp_ie, size_t resp_ie_len,
12136 				 int status, gfp_t gfp)
12137 {
12138 	struct sk_buff *msg;
12139 	void *hdr;
12140 
12141 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12142 	if (!msg)
12143 		return;
12144 
12145 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
12146 	if (!hdr) {
12147 		nlmsg_free(msg);
12148 		return;
12149 	}
12150 
12151 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12152 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12153 	    (bssid && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid)) ||
12154 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
12155 			status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
12156 			status) ||
12157 	    (status < 0 && nla_put_flag(msg, NL80211_ATTR_TIMED_OUT)) ||
12158 	    (req_ie &&
12159 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
12160 	    (resp_ie &&
12161 	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
12162 		goto nla_put_failure;
12163 
12164 	genlmsg_end(msg, hdr);
12165 
12166 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12167 				NL80211_MCGRP_MLME, gfp);
12168 	return;
12169 
12170  nla_put_failure:
12171 	genlmsg_cancel(msg, hdr);
12172 	nlmsg_free(msg);
12173 }
12174 
12175 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
12176 			 struct net_device *netdev, const u8 *bssid,
12177 			 const u8 *req_ie, size_t req_ie_len,
12178 			 const u8 *resp_ie, size_t resp_ie_len, gfp_t gfp)
12179 {
12180 	struct sk_buff *msg;
12181 	void *hdr;
12182 
12183 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12184 	if (!msg)
12185 		return;
12186 
12187 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
12188 	if (!hdr) {
12189 		nlmsg_free(msg);
12190 		return;
12191 	}
12192 
12193 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12194 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12195 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
12196 	    (req_ie &&
12197 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ie_len, req_ie)) ||
12198 	    (resp_ie &&
12199 	     nla_put(msg, NL80211_ATTR_RESP_IE, resp_ie_len, resp_ie)))
12200 		goto nla_put_failure;
12201 
12202 	genlmsg_end(msg, hdr);
12203 
12204 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12205 				NL80211_MCGRP_MLME, gfp);
12206 	return;
12207 
12208  nla_put_failure:
12209 	genlmsg_cancel(msg, hdr);
12210 	nlmsg_free(msg);
12211 }
12212 
12213 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
12214 			       struct net_device *netdev, u16 reason,
12215 			       const u8 *ie, size_t ie_len, bool from_ap)
12216 {
12217 	struct sk_buff *msg;
12218 	void *hdr;
12219 
12220 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12221 	if (!msg)
12222 		return;
12223 
12224 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
12225 	if (!hdr) {
12226 		nlmsg_free(msg);
12227 		return;
12228 	}
12229 
12230 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12231 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12232 	    (from_ap && reason &&
12233 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
12234 	    (from_ap &&
12235 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
12236 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
12237 		goto nla_put_failure;
12238 
12239 	genlmsg_end(msg, hdr);
12240 
12241 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12242 				NL80211_MCGRP_MLME, GFP_KERNEL);
12243 	return;
12244 
12245  nla_put_failure:
12246 	genlmsg_cancel(msg, hdr);
12247 	nlmsg_free(msg);
12248 }
12249 
12250 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
12251 			     struct net_device *netdev, const u8 *bssid,
12252 			     gfp_t gfp)
12253 {
12254 	struct sk_buff *msg;
12255 	void *hdr;
12256 
12257 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12258 	if (!msg)
12259 		return;
12260 
12261 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
12262 	if (!hdr) {
12263 		nlmsg_free(msg);
12264 		return;
12265 	}
12266 
12267 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12268 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12269 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
12270 		goto nla_put_failure;
12271 
12272 	genlmsg_end(msg, hdr);
12273 
12274 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12275 				NL80211_MCGRP_MLME, gfp);
12276 	return;
12277 
12278  nla_put_failure:
12279 	genlmsg_cancel(msg, hdr);
12280 	nlmsg_free(msg);
12281 }
12282 
12283 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
12284 					const u8* ie, u8 ie_len, gfp_t gfp)
12285 {
12286 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12287 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
12288 	struct sk_buff *msg;
12289 	void *hdr;
12290 
12291 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
12292 		return;
12293 
12294 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
12295 
12296 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12297 	if (!msg)
12298 		return;
12299 
12300 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
12301 	if (!hdr) {
12302 		nlmsg_free(msg);
12303 		return;
12304 	}
12305 
12306 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12307 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
12308 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
12309 	    (ie_len && ie &&
12310 	     nla_put(msg, NL80211_ATTR_IE, ie_len , ie)))
12311 		goto nla_put_failure;
12312 
12313 	genlmsg_end(msg, hdr);
12314 
12315 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12316 				NL80211_MCGRP_MLME, gfp);
12317 	return;
12318 
12319  nla_put_failure:
12320 	genlmsg_cancel(msg, hdr);
12321 	nlmsg_free(msg);
12322 }
12323 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
12324 
12325 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
12326 				 struct net_device *netdev, const u8 *addr,
12327 				 enum nl80211_key_type key_type, int key_id,
12328 				 const u8 *tsc, gfp_t gfp)
12329 {
12330 	struct sk_buff *msg;
12331 	void *hdr;
12332 
12333 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12334 	if (!msg)
12335 		return;
12336 
12337 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
12338 	if (!hdr) {
12339 		nlmsg_free(msg);
12340 		return;
12341 	}
12342 
12343 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12344 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12345 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
12346 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
12347 	    (key_id != -1 &&
12348 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
12349 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
12350 		goto nla_put_failure;
12351 
12352 	genlmsg_end(msg, hdr);
12353 
12354 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12355 				NL80211_MCGRP_MLME, gfp);
12356 	return;
12357 
12358  nla_put_failure:
12359 	genlmsg_cancel(msg, hdr);
12360 	nlmsg_free(msg);
12361 }
12362 
12363 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
12364 				    struct ieee80211_channel *channel_before,
12365 				    struct ieee80211_channel *channel_after)
12366 {
12367 	struct sk_buff *msg;
12368 	void *hdr;
12369 	struct nlattr *nl_freq;
12370 
12371 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
12372 	if (!msg)
12373 		return;
12374 
12375 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
12376 	if (!hdr) {
12377 		nlmsg_free(msg);
12378 		return;
12379 	}
12380 
12381 	/*
12382 	 * Since we are applying the beacon hint to a wiphy we know its
12383 	 * wiphy_idx is valid
12384 	 */
12385 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
12386 		goto nla_put_failure;
12387 
12388 	/* Before */
12389 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_BEFORE);
12390 	if (!nl_freq)
12391 		goto nla_put_failure;
12392 	if (nl80211_msg_put_channel(msg, channel_before, false))
12393 		goto nla_put_failure;
12394 	nla_nest_end(msg, nl_freq);
12395 
12396 	/* After */
12397 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_AFTER);
12398 	if (!nl_freq)
12399 		goto nla_put_failure;
12400 	if (nl80211_msg_put_channel(msg, channel_after, false))
12401 		goto nla_put_failure;
12402 	nla_nest_end(msg, nl_freq);
12403 
12404 	genlmsg_end(msg, hdr);
12405 
12406 	rcu_read_lock();
12407 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
12408 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
12409 	rcu_read_unlock();
12410 
12411 	return;
12412 
12413 nla_put_failure:
12414 	genlmsg_cancel(msg, hdr);
12415 	nlmsg_free(msg);
12416 }
12417 
12418 static void nl80211_send_remain_on_chan_event(
12419 	int cmd, struct cfg80211_registered_device *rdev,
12420 	struct wireless_dev *wdev, u64 cookie,
12421 	struct ieee80211_channel *chan,
12422 	unsigned int duration, gfp_t gfp)
12423 {
12424 	struct sk_buff *msg;
12425 	void *hdr;
12426 
12427 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12428 	if (!msg)
12429 		return;
12430 
12431 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
12432 	if (!hdr) {
12433 		nlmsg_free(msg);
12434 		return;
12435 	}
12436 
12437 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12438 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12439 					 wdev->netdev->ifindex)) ||
12440 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
12441 			      NL80211_ATTR_PAD) ||
12442 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
12443 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
12444 			NL80211_CHAN_NO_HT) ||
12445 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12446 			      NL80211_ATTR_PAD))
12447 		goto nla_put_failure;
12448 
12449 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
12450 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
12451 		goto nla_put_failure;
12452 
12453 	genlmsg_end(msg, hdr);
12454 
12455 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12456 				NL80211_MCGRP_MLME, gfp);
12457 	return;
12458 
12459  nla_put_failure:
12460 	genlmsg_cancel(msg, hdr);
12461 	nlmsg_free(msg);
12462 }
12463 
12464 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
12465 			       struct ieee80211_channel *chan,
12466 			       unsigned int duration, gfp_t gfp)
12467 {
12468 	struct wiphy *wiphy = wdev->wiphy;
12469 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12470 
12471 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
12472 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
12473 					  rdev, wdev, cookie, chan,
12474 					  duration, gfp);
12475 }
12476 EXPORT_SYMBOL(cfg80211_ready_on_channel);
12477 
12478 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
12479 					struct ieee80211_channel *chan,
12480 					gfp_t gfp)
12481 {
12482 	struct wiphy *wiphy = wdev->wiphy;
12483 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12484 
12485 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
12486 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
12487 					  rdev, wdev, cookie, chan, 0, gfp);
12488 }
12489 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
12490 
12491 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
12492 		      struct station_info *sinfo, gfp_t gfp)
12493 {
12494 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
12495 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12496 	struct sk_buff *msg;
12497 
12498 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
12499 
12500 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12501 	if (!msg)
12502 		return;
12503 
12504 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
12505 				 rdev, dev, mac_addr, sinfo) < 0) {
12506 		nlmsg_free(msg);
12507 		return;
12508 	}
12509 
12510 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12511 				NL80211_MCGRP_MLME, gfp);
12512 }
12513 EXPORT_SYMBOL(cfg80211_new_sta);
12514 
12515 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
12516 			    struct station_info *sinfo, gfp_t gfp)
12517 {
12518 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
12519 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12520 	struct sk_buff *msg;
12521 	struct station_info empty_sinfo = {};
12522 
12523 	if (!sinfo)
12524 		sinfo = &empty_sinfo;
12525 
12526 	trace_cfg80211_del_sta(dev, mac_addr);
12527 
12528 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12529 	if (!msg)
12530 		return;
12531 
12532 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
12533 				 rdev, dev, mac_addr, sinfo) < 0) {
12534 		nlmsg_free(msg);
12535 		return;
12536 	}
12537 
12538 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12539 				NL80211_MCGRP_MLME, gfp);
12540 }
12541 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
12542 
12543 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
12544 			  enum nl80211_connect_failed_reason reason,
12545 			  gfp_t gfp)
12546 {
12547 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
12548 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12549 	struct sk_buff *msg;
12550 	void *hdr;
12551 
12552 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
12553 	if (!msg)
12554 		return;
12555 
12556 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
12557 	if (!hdr) {
12558 		nlmsg_free(msg);
12559 		return;
12560 	}
12561 
12562 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
12563 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
12564 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
12565 		goto nla_put_failure;
12566 
12567 	genlmsg_end(msg, hdr);
12568 
12569 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12570 				NL80211_MCGRP_MLME, gfp);
12571 	return;
12572 
12573  nla_put_failure:
12574 	genlmsg_cancel(msg, hdr);
12575 	nlmsg_free(msg);
12576 }
12577 EXPORT_SYMBOL(cfg80211_conn_failed);
12578 
12579 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
12580 				       const u8 *addr, gfp_t gfp)
12581 {
12582 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12583 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
12584 	struct sk_buff *msg;
12585 	void *hdr;
12586 	u32 nlportid = ACCESS_ONCE(wdev->ap_unexpected_nlportid);
12587 
12588 	if (!nlportid)
12589 		return false;
12590 
12591 	msg = nlmsg_new(100, gfp);
12592 	if (!msg)
12593 		return true;
12594 
12595 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
12596 	if (!hdr) {
12597 		nlmsg_free(msg);
12598 		return true;
12599 	}
12600 
12601 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12602 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
12603 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
12604 		goto nla_put_failure;
12605 
12606 	genlmsg_end(msg, hdr);
12607 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
12608 	return true;
12609 
12610  nla_put_failure:
12611 	genlmsg_cancel(msg, hdr);
12612 	nlmsg_free(msg);
12613 	return true;
12614 }
12615 
12616 bool cfg80211_rx_spurious_frame(struct net_device *dev,
12617 				const u8 *addr, gfp_t gfp)
12618 {
12619 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12620 	bool ret;
12621 
12622 	trace_cfg80211_rx_spurious_frame(dev, addr);
12623 
12624 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
12625 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
12626 		trace_cfg80211_return_bool(false);
12627 		return false;
12628 	}
12629 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
12630 					 addr, gfp);
12631 	trace_cfg80211_return_bool(ret);
12632 	return ret;
12633 }
12634 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
12635 
12636 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
12637 					const u8 *addr, gfp_t gfp)
12638 {
12639 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12640 	bool ret;
12641 
12642 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
12643 
12644 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
12645 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
12646 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
12647 		trace_cfg80211_return_bool(false);
12648 		return false;
12649 	}
12650 	ret = __nl80211_unexpected_frame(dev,
12651 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
12652 					 addr, gfp);
12653 	trace_cfg80211_return_bool(ret);
12654 	return ret;
12655 }
12656 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
12657 
12658 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
12659 		      struct wireless_dev *wdev, u32 nlportid,
12660 		      int freq, int sig_dbm,
12661 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
12662 {
12663 	struct net_device *netdev = wdev->netdev;
12664 	struct sk_buff *msg;
12665 	void *hdr;
12666 
12667 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12668 	if (!msg)
12669 		return -ENOMEM;
12670 
12671 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
12672 	if (!hdr) {
12673 		nlmsg_free(msg);
12674 		return -ENOMEM;
12675 	}
12676 
12677 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12678 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12679 					netdev->ifindex)) ||
12680 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
12681 			      NL80211_ATTR_PAD) ||
12682 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq) ||
12683 	    (sig_dbm &&
12684 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
12685 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
12686 	    (flags &&
12687 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
12688 		goto nla_put_failure;
12689 
12690 	genlmsg_end(msg, hdr);
12691 
12692 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
12693 
12694  nla_put_failure:
12695 	genlmsg_cancel(msg, hdr);
12696 	nlmsg_free(msg);
12697 	return -ENOBUFS;
12698 }
12699 
12700 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
12701 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
12702 {
12703 	struct wiphy *wiphy = wdev->wiphy;
12704 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12705 	struct net_device *netdev = wdev->netdev;
12706 	struct sk_buff *msg;
12707 	void *hdr;
12708 
12709 	trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
12710 
12711 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12712 	if (!msg)
12713 		return;
12714 
12715 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME_TX_STATUS);
12716 	if (!hdr) {
12717 		nlmsg_free(msg);
12718 		return;
12719 	}
12720 
12721 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12722 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12723 				   netdev->ifindex)) ||
12724 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
12725 			      NL80211_ATTR_PAD) ||
12726 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
12727 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12728 			      NL80211_ATTR_PAD) ||
12729 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
12730 		goto nla_put_failure;
12731 
12732 	genlmsg_end(msg, hdr);
12733 
12734 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12735 				NL80211_MCGRP_MLME, gfp);
12736 	return;
12737 
12738  nla_put_failure:
12739 	genlmsg_cancel(msg, hdr);
12740 	nlmsg_free(msg);
12741 }
12742 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
12743 
12744 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
12745 					    const char *mac, gfp_t gfp)
12746 {
12747 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12748 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
12749 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12750 	void **cb;
12751 
12752 	if (!msg)
12753 		return NULL;
12754 
12755 	cb = (void **)msg->cb;
12756 
12757 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
12758 	if (!cb[0]) {
12759 		nlmsg_free(msg);
12760 		return NULL;
12761 	}
12762 
12763 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12764 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
12765 		goto nla_put_failure;
12766 
12767 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
12768 		goto nla_put_failure;
12769 
12770 	cb[1] = nla_nest_start(msg, NL80211_ATTR_CQM);
12771 	if (!cb[1])
12772 		goto nla_put_failure;
12773 
12774 	cb[2] = rdev;
12775 
12776 	return msg;
12777  nla_put_failure:
12778 	nlmsg_free(msg);
12779 	return NULL;
12780 }
12781 
12782 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
12783 {
12784 	void **cb = (void **)msg->cb;
12785 	struct cfg80211_registered_device *rdev = cb[2];
12786 
12787 	nla_nest_end(msg, cb[1]);
12788 	genlmsg_end(msg, cb[0]);
12789 
12790 	memset(msg->cb, 0, sizeof(msg->cb));
12791 
12792 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12793 				NL80211_MCGRP_MLME, gfp);
12794 }
12795 
12796 void cfg80211_cqm_rssi_notify(struct net_device *dev,
12797 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
12798 			      gfp_t gfp)
12799 {
12800 	struct sk_buff *msg;
12801 
12802 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event);
12803 
12804 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
12805 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
12806 		return;
12807 
12808 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
12809 	if (!msg)
12810 		return;
12811 
12812 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
12813 			rssi_event))
12814 		goto nla_put_failure;
12815 
12816 	cfg80211_send_cqm(msg, gfp);
12817 
12818 	return;
12819 
12820  nla_put_failure:
12821 	nlmsg_free(msg);
12822 }
12823 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
12824 
12825 void cfg80211_cqm_txe_notify(struct net_device *dev,
12826 			     const u8 *peer, u32 num_packets,
12827 			     u32 rate, u32 intvl, gfp_t gfp)
12828 {
12829 	struct sk_buff *msg;
12830 
12831 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
12832 	if (!msg)
12833 		return;
12834 
12835 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
12836 		goto nla_put_failure;
12837 
12838 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
12839 		goto nla_put_failure;
12840 
12841 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
12842 		goto nla_put_failure;
12843 
12844 	cfg80211_send_cqm(msg, gfp);
12845 	return;
12846 
12847  nla_put_failure:
12848 	nlmsg_free(msg);
12849 }
12850 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
12851 
12852 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
12853 				 const u8 *peer, u32 num_packets, gfp_t gfp)
12854 {
12855 	struct sk_buff *msg;
12856 
12857 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
12858 
12859 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
12860 	if (!msg)
12861 		return;
12862 
12863 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
12864 		goto nla_put_failure;
12865 
12866 	cfg80211_send_cqm(msg, gfp);
12867 	return;
12868 
12869  nla_put_failure:
12870 	nlmsg_free(msg);
12871 }
12872 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
12873 
12874 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
12875 {
12876 	struct sk_buff *msg;
12877 
12878 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
12879 	if (!msg)
12880 		return;
12881 
12882 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
12883 		goto nla_put_failure;
12884 
12885 	cfg80211_send_cqm(msg, gfp);
12886 	return;
12887 
12888  nla_put_failure:
12889 	nlmsg_free(msg);
12890 }
12891 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
12892 
12893 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
12894 				     struct net_device *netdev, const u8 *bssid,
12895 				     const u8 *replay_ctr, gfp_t gfp)
12896 {
12897 	struct sk_buff *msg;
12898 	struct nlattr *rekey_attr;
12899 	void *hdr;
12900 
12901 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12902 	if (!msg)
12903 		return;
12904 
12905 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
12906 	if (!hdr) {
12907 		nlmsg_free(msg);
12908 		return;
12909 	}
12910 
12911 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12912 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
12913 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
12914 		goto nla_put_failure;
12915 
12916 	rekey_attr = nla_nest_start(msg, NL80211_ATTR_REKEY_DATA);
12917 	if (!rekey_attr)
12918 		goto nla_put_failure;
12919 
12920 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
12921 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
12922 		goto nla_put_failure;
12923 
12924 	nla_nest_end(msg, rekey_attr);
12925 
12926 	genlmsg_end(msg, hdr);
12927 
12928 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12929 				NL80211_MCGRP_MLME, gfp);
12930 	return;
12931 
12932  nla_put_failure:
12933 	genlmsg_cancel(msg, hdr);
12934 	nlmsg_free(msg);
12935 }
12936 
12937 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
12938 			       const u8 *replay_ctr, gfp_t gfp)
12939 {
12940 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12941 	struct wiphy *wiphy = wdev->wiphy;
12942 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12943 
12944 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
12945 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
12946 }
12947 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
12948 
12949 static void
12950 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
12951 			       struct net_device *netdev, int index,
12952 			       const u8 *bssid, bool preauth, gfp_t gfp)
12953 {
12954 	struct sk_buff *msg;
12955 	struct nlattr *attr;
12956 	void *hdr;
12957 
12958 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12959 	if (!msg)
12960 		return;
12961 
12962 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
12963 	if (!hdr) {
12964 		nlmsg_free(msg);
12965 		return;
12966 	}
12967 
12968 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12969 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
12970 		goto nla_put_failure;
12971 
12972 	attr = nla_nest_start(msg, NL80211_ATTR_PMKSA_CANDIDATE);
12973 	if (!attr)
12974 		goto nla_put_failure;
12975 
12976 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
12977 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
12978 	    (preauth &&
12979 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
12980 		goto nla_put_failure;
12981 
12982 	nla_nest_end(msg, attr);
12983 
12984 	genlmsg_end(msg, hdr);
12985 
12986 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12987 				NL80211_MCGRP_MLME, gfp);
12988 	return;
12989 
12990  nla_put_failure:
12991 	genlmsg_cancel(msg, hdr);
12992 	nlmsg_free(msg);
12993 }
12994 
12995 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
12996 				     const u8 *bssid, bool preauth, gfp_t gfp)
12997 {
12998 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12999 	struct wiphy *wiphy = wdev->wiphy;
13000 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13001 
13002 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
13003 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
13004 }
13005 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
13006 
13007 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
13008 				     struct net_device *netdev,
13009 				     struct cfg80211_chan_def *chandef,
13010 				     gfp_t gfp,
13011 				     enum nl80211_commands notif,
13012 				     u8 count)
13013 {
13014 	struct sk_buff *msg;
13015 	void *hdr;
13016 
13017 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13018 	if (!msg)
13019 		return;
13020 
13021 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
13022 	if (!hdr) {
13023 		nlmsg_free(msg);
13024 		return;
13025 	}
13026 
13027 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
13028 		goto nla_put_failure;
13029 
13030 	if (nl80211_send_chandef(msg, chandef))
13031 		goto nla_put_failure;
13032 
13033 	if ((notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) &&
13034 	    (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count)))
13035 			goto nla_put_failure;
13036 
13037 	genlmsg_end(msg, hdr);
13038 
13039 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13040 				NL80211_MCGRP_MLME, gfp);
13041 	return;
13042 
13043  nla_put_failure:
13044 	genlmsg_cancel(msg, hdr);
13045 	nlmsg_free(msg);
13046 }
13047 
13048 void cfg80211_ch_switch_notify(struct net_device *dev,
13049 			       struct cfg80211_chan_def *chandef)
13050 {
13051 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13052 	struct wiphy *wiphy = wdev->wiphy;
13053 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13054 
13055 	ASSERT_WDEV_LOCK(wdev);
13056 
13057 	trace_cfg80211_ch_switch_notify(dev, chandef);
13058 
13059 	wdev->chandef = *chandef;
13060 	wdev->preset_chandef = *chandef;
13061 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
13062 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0);
13063 }
13064 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
13065 
13066 void cfg80211_ch_switch_started_notify(struct net_device *dev,
13067 				       struct cfg80211_chan_def *chandef,
13068 				       u8 count)
13069 {
13070 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13071 	struct wiphy *wiphy = wdev->wiphy;
13072 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13073 
13074 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
13075 
13076 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
13077 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY, count);
13078 }
13079 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
13080 
13081 void
13082 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
13083 		     const struct cfg80211_chan_def *chandef,
13084 		     enum nl80211_radar_event event,
13085 		     struct net_device *netdev, gfp_t gfp)
13086 {
13087 	struct sk_buff *msg;
13088 	void *hdr;
13089 
13090 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13091 	if (!msg)
13092 		return;
13093 
13094 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
13095 	if (!hdr) {
13096 		nlmsg_free(msg);
13097 		return;
13098 	}
13099 
13100 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
13101 		goto nla_put_failure;
13102 
13103 	/* NOP and radar events don't need a netdev parameter */
13104 	if (netdev) {
13105 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
13106 
13107 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
13108 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13109 				      NL80211_ATTR_PAD))
13110 			goto nla_put_failure;
13111 	}
13112 
13113 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
13114 		goto nla_put_failure;
13115 
13116 	if (nl80211_send_chandef(msg, chandef))
13117 		goto nla_put_failure;
13118 
13119 	genlmsg_end(msg, hdr);
13120 
13121 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13122 				NL80211_MCGRP_MLME, gfp);
13123 	return;
13124 
13125  nla_put_failure:
13126 	genlmsg_cancel(msg, hdr);
13127 	nlmsg_free(msg);
13128 }
13129 
13130 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
13131 			   u64 cookie, bool acked, gfp_t gfp)
13132 {
13133 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13134 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
13135 	struct sk_buff *msg;
13136 	void *hdr;
13137 
13138 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
13139 
13140 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13141 
13142 	if (!msg)
13143 		return;
13144 
13145 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
13146 	if (!hdr) {
13147 		nlmsg_free(msg);
13148 		return;
13149 	}
13150 
13151 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13152 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
13153 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
13154 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13155 			      NL80211_ATTR_PAD) ||
13156 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)))
13157 		goto nla_put_failure;
13158 
13159 	genlmsg_end(msg, hdr);
13160 
13161 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13162 				NL80211_MCGRP_MLME, gfp);
13163 	return;
13164 
13165  nla_put_failure:
13166 	genlmsg_cancel(msg, hdr);
13167 	nlmsg_free(msg);
13168 }
13169 EXPORT_SYMBOL(cfg80211_probe_status);
13170 
13171 void cfg80211_report_obss_beacon(struct wiphy *wiphy,
13172 				 const u8 *frame, size_t len,
13173 				 int freq, int sig_dbm)
13174 {
13175 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13176 	struct sk_buff *msg;
13177 	void *hdr;
13178 	struct cfg80211_beacon_registration *reg;
13179 
13180 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
13181 
13182 	spin_lock_bh(&rdev->beacon_registrations_lock);
13183 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
13184 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
13185 		if (!msg) {
13186 			spin_unlock_bh(&rdev->beacon_registrations_lock);
13187 			return;
13188 		}
13189 
13190 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
13191 		if (!hdr)
13192 			goto nla_put_failure;
13193 
13194 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13195 		    (freq &&
13196 		     nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq)) ||
13197 		    (sig_dbm &&
13198 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
13199 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
13200 			goto nla_put_failure;
13201 
13202 		genlmsg_end(msg, hdr);
13203 
13204 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
13205 	}
13206 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13207 	return;
13208 
13209  nla_put_failure:
13210 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13211 	if (hdr)
13212 		genlmsg_cancel(msg, hdr);
13213 	nlmsg_free(msg);
13214 }
13215 EXPORT_SYMBOL(cfg80211_report_obss_beacon);
13216 
13217 #ifdef CONFIG_PM
13218 static int cfg80211_net_detect_results(struct sk_buff *msg,
13219 				       struct cfg80211_wowlan_wakeup *wakeup)
13220 {
13221 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
13222 	struct nlattr *nl_results, *nl_match, *nl_freqs;
13223 	int i, j;
13224 
13225 	nl_results = nla_nest_start(
13226 		msg, NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
13227 	if (!nl_results)
13228 		return -EMSGSIZE;
13229 
13230 	for (i = 0; i < nd->n_matches; i++) {
13231 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
13232 
13233 		nl_match = nla_nest_start(msg, i);
13234 		if (!nl_match)
13235 			break;
13236 
13237 		/* The SSID attribute is optional in nl80211, but for
13238 		 * simplicity reasons it's always present in the
13239 		 * cfg80211 structure.  If a driver can't pass the
13240 		 * SSID, that needs to be changed.  A zero length SSID
13241 		 * is still a valid SSID (wildcard), so it cannot be
13242 		 * used for this purpose.
13243 		 */
13244 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
13245 			    match->ssid.ssid)) {
13246 			nla_nest_cancel(msg, nl_match);
13247 			goto out;
13248 		}
13249 
13250 		if (match->n_channels) {
13251 			nl_freqs = nla_nest_start(
13252 				msg, NL80211_ATTR_SCAN_FREQUENCIES);
13253 			if (!nl_freqs) {
13254 				nla_nest_cancel(msg, nl_match);
13255 				goto out;
13256 			}
13257 
13258 			for (j = 0; j < match->n_channels; j++) {
13259 				if (nla_put_u32(msg, j, match->channels[j])) {
13260 					nla_nest_cancel(msg, nl_freqs);
13261 					nla_nest_cancel(msg, nl_match);
13262 					goto out;
13263 				}
13264 			}
13265 
13266 			nla_nest_end(msg, nl_freqs);
13267 		}
13268 
13269 		nla_nest_end(msg, nl_match);
13270 	}
13271 
13272 out:
13273 	nla_nest_end(msg, nl_results);
13274 	return 0;
13275 }
13276 
13277 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
13278 				   struct cfg80211_wowlan_wakeup *wakeup,
13279 				   gfp_t gfp)
13280 {
13281 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
13282 	struct sk_buff *msg;
13283 	void *hdr;
13284 	int size = 200;
13285 
13286 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
13287 
13288 	if (wakeup)
13289 		size += wakeup->packet_present_len;
13290 
13291 	msg = nlmsg_new(size, gfp);
13292 	if (!msg)
13293 		return;
13294 
13295 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
13296 	if (!hdr)
13297 		goto free_msg;
13298 
13299 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13300 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13301 			      NL80211_ATTR_PAD))
13302 		goto free_msg;
13303 
13304 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13305 					wdev->netdev->ifindex))
13306 		goto free_msg;
13307 
13308 	if (wakeup) {
13309 		struct nlattr *reasons;
13310 
13311 		reasons = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
13312 		if (!reasons)
13313 			goto free_msg;
13314 
13315 		if (wakeup->disconnect &&
13316 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
13317 			goto free_msg;
13318 		if (wakeup->magic_pkt &&
13319 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
13320 			goto free_msg;
13321 		if (wakeup->gtk_rekey_failure &&
13322 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
13323 			goto free_msg;
13324 		if (wakeup->eap_identity_req &&
13325 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
13326 			goto free_msg;
13327 		if (wakeup->four_way_handshake &&
13328 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
13329 			goto free_msg;
13330 		if (wakeup->rfkill_release &&
13331 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
13332 			goto free_msg;
13333 
13334 		if (wakeup->pattern_idx >= 0 &&
13335 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
13336 				wakeup->pattern_idx))
13337 			goto free_msg;
13338 
13339 		if (wakeup->tcp_match &&
13340 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
13341 			goto free_msg;
13342 
13343 		if (wakeup->tcp_connlost &&
13344 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
13345 			goto free_msg;
13346 
13347 		if (wakeup->tcp_nomoretokens &&
13348 		    nla_put_flag(msg,
13349 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
13350 			goto free_msg;
13351 
13352 		if (wakeup->packet) {
13353 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
13354 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
13355 
13356 			if (!wakeup->packet_80211) {
13357 				pkt_attr =
13358 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
13359 				len_attr =
13360 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
13361 			}
13362 
13363 			if (wakeup->packet_len &&
13364 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
13365 				goto free_msg;
13366 
13367 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
13368 				    wakeup->packet))
13369 				goto free_msg;
13370 		}
13371 
13372 		if (wakeup->net_detect &&
13373 		    cfg80211_net_detect_results(msg, wakeup))
13374 				goto free_msg;
13375 
13376 		nla_nest_end(msg, reasons);
13377 	}
13378 
13379 	genlmsg_end(msg, hdr);
13380 
13381 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13382 				NL80211_MCGRP_MLME, gfp);
13383 	return;
13384 
13385  free_msg:
13386 	nlmsg_free(msg);
13387 }
13388 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
13389 #endif
13390 
13391 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
13392 				enum nl80211_tdls_operation oper,
13393 				u16 reason_code, gfp_t gfp)
13394 {
13395 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13396 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
13397 	struct sk_buff *msg;
13398 	void *hdr;
13399 
13400 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
13401 					 reason_code);
13402 
13403 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13404 	if (!msg)
13405 		return;
13406 
13407 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
13408 	if (!hdr) {
13409 		nlmsg_free(msg);
13410 		return;
13411 	}
13412 
13413 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13414 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
13415 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
13416 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
13417 	    (reason_code > 0 &&
13418 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
13419 		goto nla_put_failure;
13420 
13421 	genlmsg_end(msg, hdr);
13422 
13423 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13424 				NL80211_MCGRP_MLME, gfp);
13425 	return;
13426 
13427  nla_put_failure:
13428 	genlmsg_cancel(msg, hdr);
13429 	nlmsg_free(msg);
13430 }
13431 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
13432 
13433 static int nl80211_netlink_notify(struct notifier_block * nb,
13434 				  unsigned long state,
13435 				  void *_notify)
13436 {
13437 	struct netlink_notify *notify = _notify;
13438 	struct cfg80211_registered_device *rdev;
13439 	struct wireless_dev *wdev;
13440 	struct cfg80211_beacon_registration *reg, *tmp;
13441 
13442 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
13443 		return NOTIFY_DONE;
13444 
13445 	rcu_read_lock();
13446 
13447 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
13448 		bool schedule_destroy_work = false;
13449 		bool schedule_scan_stop = false;
13450 		struct cfg80211_sched_scan_request *sched_scan_req =
13451 			rcu_dereference(rdev->sched_scan_req);
13452 
13453 		if (sched_scan_req && notify->portid &&
13454 		    sched_scan_req->owner_nlportid == notify->portid)
13455 			schedule_scan_stop = true;
13456 
13457 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
13458 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
13459 
13460 			if (wdev->owner_nlportid == notify->portid)
13461 				schedule_destroy_work = true;
13462 		}
13463 
13464 		spin_lock_bh(&rdev->beacon_registrations_lock);
13465 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
13466 					 list) {
13467 			if (reg->nlportid == notify->portid) {
13468 				list_del(&reg->list);
13469 				kfree(reg);
13470 				break;
13471 			}
13472 		}
13473 		spin_unlock_bh(&rdev->beacon_registrations_lock);
13474 
13475 		if (schedule_destroy_work) {
13476 			struct cfg80211_iface_destroy *destroy;
13477 
13478 			destroy = kzalloc(sizeof(*destroy), GFP_ATOMIC);
13479 			if (destroy) {
13480 				destroy->nlportid = notify->portid;
13481 				spin_lock(&rdev->destroy_list_lock);
13482 				list_add(&destroy->list, &rdev->destroy_list);
13483 				spin_unlock(&rdev->destroy_list_lock);
13484 				schedule_work(&rdev->destroy_work);
13485 			}
13486 		} else if (schedule_scan_stop) {
13487 			sched_scan_req->owner_nlportid = 0;
13488 
13489 			if (rdev->ops->sched_scan_stop &&
13490 			    rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
13491 				schedule_work(&rdev->sched_scan_stop_wk);
13492 		}
13493 	}
13494 
13495 	rcu_read_unlock();
13496 
13497 	/*
13498 	 * It is possible that the user space process that is controlling the
13499 	 * indoor setting disappeared, so notify the regulatory core.
13500 	 */
13501 	regulatory_netlink_notify(notify->portid);
13502 	return NOTIFY_OK;
13503 }
13504 
13505 static struct notifier_block nl80211_netlink_notifier = {
13506 	.notifier_call = nl80211_netlink_notify,
13507 };
13508 
13509 void cfg80211_ft_event(struct net_device *netdev,
13510 		       struct cfg80211_ft_event_params *ft_event)
13511 {
13512 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
13513 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13514 	struct sk_buff *msg;
13515 	void *hdr;
13516 
13517 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
13518 
13519 	if (!ft_event->target_ap)
13520 		return;
13521 
13522 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13523 	if (!msg)
13524 		return;
13525 
13526 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
13527 	if (!hdr)
13528 		goto out;
13529 
13530 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13531 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
13532 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
13533 		goto out;
13534 
13535 	if (ft_event->ies &&
13536 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
13537 		goto out;
13538 	if (ft_event->ric_ies &&
13539 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
13540 		    ft_event->ric_ies))
13541 		goto out;
13542 
13543 	genlmsg_end(msg, hdr);
13544 
13545 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13546 				NL80211_MCGRP_MLME, GFP_KERNEL);
13547 	return;
13548  out:
13549 	nlmsg_free(msg);
13550 }
13551 EXPORT_SYMBOL(cfg80211_ft_event);
13552 
13553 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
13554 {
13555 	struct cfg80211_registered_device *rdev;
13556 	struct sk_buff *msg;
13557 	void *hdr;
13558 	u32 nlportid;
13559 
13560 	rdev = wiphy_to_rdev(wdev->wiphy);
13561 	if (!rdev->crit_proto_nlportid)
13562 		return;
13563 
13564 	nlportid = rdev->crit_proto_nlportid;
13565 	rdev->crit_proto_nlportid = 0;
13566 
13567 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13568 	if (!msg)
13569 		return;
13570 
13571 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
13572 	if (!hdr)
13573 		goto nla_put_failure;
13574 
13575 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13576 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13577 			      NL80211_ATTR_PAD))
13578 		goto nla_put_failure;
13579 
13580 	genlmsg_end(msg, hdr);
13581 
13582 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
13583 	return;
13584 
13585  nla_put_failure:
13586 	if (hdr)
13587 		genlmsg_cancel(msg, hdr);
13588 	nlmsg_free(msg);
13589 }
13590 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
13591 
13592 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
13593 {
13594 	struct wiphy *wiphy = wdev->wiphy;
13595 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13596 	struct sk_buff *msg;
13597 	void *hdr;
13598 
13599 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13600 	if (!msg)
13601 		return;
13602 
13603 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
13604 	if (!hdr)
13605 		goto out;
13606 
13607 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13608 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
13609 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13610 			      NL80211_ATTR_PAD))
13611 		goto out;
13612 
13613 	genlmsg_end(msg, hdr);
13614 
13615 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
13616 				NL80211_MCGRP_MLME, GFP_KERNEL);
13617 	return;
13618  out:
13619 	nlmsg_free(msg);
13620 }
13621 
13622 /* initialisation/exit functions */
13623 
13624 int nl80211_init(void)
13625 {
13626 	int err;
13627 
13628 	err = genl_register_family_with_ops_groups(&nl80211_fam, nl80211_ops,
13629 						   nl80211_mcgrps);
13630 	if (err)
13631 		return err;
13632 
13633 	err = netlink_register_notifier(&nl80211_netlink_notifier);
13634 	if (err)
13635 		goto err_out;
13636 
13637 	return 0;
13638  err_out:
13639 	genl_unregister_family(&nl80211_fam);
13640 	return err;
13641 }
13642 
13643 void nl80211_exit(void)
13644 {
13645 	netlink_unregister_notifier(&nl80211_netlink_notifier);
13646 	genl_unregister_family(&nl80211_fam);
13647 }
13648